 * The contents of this file are subject to the terms of the
 * Common Development and Distribution License (the "License").
 * You may not use this file except in compliance with the License.
 * See the License for the specific language governing permissions
 * and limitations under the License.
 * When distributing Covered Code, include this CDDL HEADER in each
 * If applicable, add the following below this CDDL HEADER, with the
 * fields enclosed by brackets "[]" replaced with your own identifying
 * information: Portions Copyright [yyyy] [name of copyright owner]
 * Copyright (c) 2001, 2011, Oracle and/or its affiliates. All rights reserved.

 * int msg(pamh, ...)
 * display message to the user

 * Get the secret key for the given netname, key length, and algorithm
 * type and send it to keyserv if the given pw decrypts it. Update the
 * following counter args as necessary: get_seckey_cnt, good_pw_cnt, and
 * Returns 0 on malloc failure, else 1.
 /* password does decrypt secret key */
 "get_and_set_seckey: could not "
 "set secret key for keytype "
 "Password does not "
 "decrypt secret key (type = %d-%d) "
 "could not get secret key for keytype %d-%d",

 * int establish_key(pamh, flags, debug, netname)
 * This routine establishes the Secure RPC Credentials for the
 * user specified in PAM_USER, using the password in PAM_AUTHTOK.
 * Establishing RPC credentials is considered a "helper" function for the PAM
 * stack so we should only return failures or PAM_IGNORE. Returning PAM_SUCCESS
 * may short circuit the stack and circumvent later critical checks.
 * we are called from pam_sm_setcred:
 * 1. if we are root (uid == 0), we do nothing and return
 * 2. else, we try to establish credentials.
 * We return framework errors as appropriate such as PAM_USER_UNKNOWN,
 * PAM_BUF_ERR, PAM_PERM_DENIED.
 * If we succeed in establishing credentials we return PAM_IGNORE.
 * If we fail to establish credentials then we return:
 * - PAM_SERVICE_ERR (credentials needed) or PAM_SYSTEM_ERR
 *   (credentials not needed) if netname could not be created;
 * - PAM_AUTH_ERR (credentials needed) or PAM_IGNORE (credentials
 *   not needed) if no credentials were retrieved;
 * - PAM_AUTH_ERR if the password didn't decrypt the cred;
 * - PAM_SYSTEM_ERR if the creds could not be stored.
 * This routine returns the user's netname in "netname".
 * All tools--but the PAM stack--currently use getpass() to obtain
 * the user's secure RPC password. We must make sure we don't use more than
 * the first des_block (eight) characters of whatever is handed down to us.
 * Therefore, we use a local variable "short_pass" to hold those 8 chars.
 * We don't set credentials when root logs in.
 /* passwd can be NULL (no passwd or su as root) */
 break;
 /* fall through to AUTH_DES below */
 /* fall through to AUTH_DES below */
 * No usable mechs found in security configuration file thus
 * fallback to AUTH_DES compat.
 "found. Trying AUTH_DES.");

 * We always perform AUTH_DES for the benefit of services like NFS
 * that may depend on the classic des 192bit key being set.
 /* Credentials have been successfully established, return PAM_IGNORE */
 * If we are authenticating we attempt to establish credentials
 * where appropriate. Failure to do so is only an error if we
 * definitely needed them. Thus always return PAM_IGNORE
 * if we are authenticating and credentials were not needed.

 * Revoke NFS DES credentials.
 * NFS may not be installed so we need to deal with SIGSYS
 * when we call _nfssys(); we thus call _nfssys() in a separate thread that
 * is created specifically for this call. The thread specific signalmask
 * is set to ignore SIGSYS. After the call to _nfssys(), the thread
 "pam_dhkeys: user NULL or empty in remove_key()");
 "removing root credentials would"
 " break the rpc services that"));
 "use secure rpc on this host!"));
 "root may use keylogout -f to do"
 " this (at your own risk)!"));
 /* Retrieve user's uid/gid from the password repository */
 "Warning: NFS credentials not destroyed"));

 /* Check for invalid flags */
 /* doesn't apply to UNIX */
 /* Some diagnostics */
 "Password does not decrypt any secret "
 "Could not set secret key(s) for %s. "
 /* Not having credentials set is not an error... */