 * The contents of this file are subject to the terms of the
 * Common Development and Distribution License (the "License").
 * You may not use this file except in compliance with the License.
 * See the License for the specific language governing permissions
 * and limitations under the License.
 * When distributing Covered Code, include this CDDL HEADER in each
 * If applicable, add the following below this CDDL HEADER, with the
 * fields enclosed by brackets "[]" replaced with your own identifying
 * information: Portions Copyright [yyyy] [name of copyright owner]
 * Copyright (c) 1999, 2012, Oracle and/or its affiliates. All rights reserved.

 * pam_sm_authenticate - Authenticate user

/* return an error on password expire */

"PAM-KRB5 (auth) unrecognized option %s",
argv[i]);

"PAM-KRB5 (auth): pam_sm_authenticate flags=%d",

 * pam_get_data could fail if we are being called for the first time
 * or if the module is not found, PAM_NO_MODULE_DATA is not an error

 * If pam_krb5 was stacked higher in the auth stack and did PKINIT
 * preauth successfully then this instance is a fallback to password
 * based preauth and should just return PAM_IGNORE.
 * The else clause is handled further down.

 * pam_krb5 has been stacked > 2 times in the auth
 * stack. Clear out the current kmd and proceed as if
 * this is the first time pam_krb5 auth has been called.

"PAM-KRB5 (auth): stacked more than"
" two times, clearing kmd");

 * The previous instance of pam_krb5 succeeded and this
 * instance was a fall back in case it didn't succeed so

"PAM-KRB5 (auth): PKINIT succeeded "
"earlier so returning PAM_IGNORE");

 * If doing PKINIT it is okay to prompt for the user

"PAM-KRB5 (auth): get user failed: "
"PAM-KRB5 (auth): user empty or null");

/* make sure a password entry exists for this user */
/* we MUST copy this to the heap for the putenv to work! */

 * For apps that already did krb5 auth exchange...
 * Now that we've created the kmd structure, we can
 * return SUCCESS. 'kmd' may be needed later by other
 * PAM functions, that's why we wait until this point to

"PAM-KRB5 (auth): wrong"
"repository found (%s), returning "
"PAM-KRB5 (auth): Principal "
"%s already authenticated",

 * if root key exists in the keytab, it's a random key so no
 * need to prompt for pw and we just return IGNORE.
 * note we don't need to force a prompt for pw as authtok_get
 * is required to be stacked above this module.

"key for '%s' in keytab, returning IGNORE",
user);

"PAM-KRB5 (auth): pam_sm_auth finalize"
" ccname env, result =%d, env ='%s',"
" age = %d, status = %d",

 * Put ccname into the pamh so that login
 * apps can pick this up when they run

/* should not happen but... */
" pam_putenv failed: result: %d",

/* for lack of a Solaris unputenv() */

 * Because this function should never be used for password prompts,
 * disallow password prompts.

/* convert krb prompt style to PAM style */

 * krb expects the prompting function to append ": " to the
 * Call PAM conv function to display the prompt.

/* convert PAM response to krb prompt reply format */
"Reply too long: "));

 * newline must be replaced with \0 terminator

/* NULL terminator should not be counted */
/* 0 out sensitive data before free() */

 * "result" should not be assigned PAM_SUCCESS unless
 * authentication has succeeded and there are no other errors.
 * "code" is sometimes used for PAM codes, sometimes for krb5
 * codes. Be careful.

"PAM-KRB5 (auth): attempt_krb5_auth: start: user='%s'",

/* need to free context with krb5_free_context */
"PAM-KRB5 (auth): Error initializing "

/* get_kmd_kuser returns proper PAM error statuses */
/* call krb5_free_cred_contents() on error */

"PAM-KRB5 (auth): attempt_krb5_auth: "
"krb5_build_princ_ext failed: %s",

"PAM-KRB5 (auth): attempt_krb5_auth: "
"krb5_timeofday failed: %s",

 * set the values for lifetime and rlife to be the maximum
 * Let us get the values for various options
 * from Kerberos configuration file

"PAM-KRB5 (auth): Bad max_renewable_life "
" value '%s' in Kerberos config file",
"lifetime value '%s' in Kerberos config file",

/* start timer when request gets to KDC */
"Error allocating gic opts: %s",

"PAM-KRB5 (auth): Proxiable tickets "
"PAM-KRB5 (auth): Forwardable tickets "
"PAM-KRB5 (auth): Renewable tickets "
"PAM-KRB5 (auth): Addressless tickets "

 * mech_krb5 interprets empty passwords as NULL passwords and tries to
 * read a password from stdin. Since we are in pam this is bad and
 * should not be allowed.

 * Note, the logic now is that if the preauth_type is PKINIT then
 * provide a proper PAM-centric prompt function that the underlying
 * PKINIT preauth plugin will use to prompt for the PIN.
 * Note: we want to limit preauth types to just those for PKINIT
 * but krb5_get_init_creds() doesn't support that at this point.
 * Instead we rely on pam_krb5_prompter() to limit prompts to
 * non-password types. So all we can do here is set the preauth
 * list so krb5_get_init_creds() will try that first.

/* treat the krb5_pass as a PIN */
NULL,
/* defaults to krbtgt@REALM */

 * Do password based preauths
 * See earlier PKINIT comment. We are doing something similar
 * here but we do not pass in a prompter (we assume
 * pam_authtok_get has already prompted for that).
 * Note, do not specify use of KRB5_PADATA_ENC_TIMESTAMP here
 * because we don't know what enctypes the client princ has; we
 * need the KDC to tell us that.
 * We call our own private version of gic_pwd, because
 * expiration, that is found in the as_reply. The
 * "prompter" interface is not granular enough for PAM

NULL,
/* defaults to krbtgt@REALM */

"PAM-KRB5 (auth): attempt_krb5_auth: "
"krb5_get_init_creds_password returns: %s",

/* got a tgt, let's verify it */

 * Give a better error message when the
 * keytable entry isn't found or the keytab
 * file cannot be found.

"krb5_verify_init_creds failed:"
" Key table entry \"host/%s\""
"krb5_verify_init_creds failed:"
" Keytab file \"%s\""
" does not exist.\n",
"krb5_verify_init_creds failed:"

 * Since this principal is not part of the local
 * Kerberos realm, we just return PAM_USER_UNKNOWN.

"PAM-KRB5 (auth): attempt_krb5_auth:"
" User is not part of the local Kerberos"

 * We could be trying the password from a previous
 * pam authentication module, but we don't want to
 * generate an error if the unix password is different
 * than the Kerberos password...
 * Request a ticket for changepw service and it will tell
 * us if pw is good or not. If PKINIT is being done it
 * is possible that *krb5_pass may be NULL so check for
 * that. If that is the case this function will return

"attempt_krb5_auth: "

 * pw is good, set age status for

"PAM-KRB5 (auth): error %d - %s",

 * success for the entered pw or PKINIT succeeded.
 * we can't rely on the pw in PAM_AUTHTOK
 * to be the (correct) krb5 one so
 * store krb5 pw in module data for
 * use in acct_mgmt. Note that *krb5_pass may be NULL if we're

"Cannot strdup password");

/* jump (or reach) here if error and cred cache has been init */
"PAM-KRB5 (auth): clearing initcreds in "
"pam_authenticate()");

 * clientp or serverp could be NULL in certain error cases in this
 * function. mycreds->[client|server] could also be NULL in case
 * of error in this function, see out_err above. The pointers clientp
 * and serverp reference the input argument in my_creds for
 * get_init_creds and must be freed if the input argument does not
 * match the output argument, which occurs during a successful call
 * to get_init_creds.

"PAM-KRB5 (auth): attempt_krb5_auth returning %d",

"PAM-KRB5 (auth): krb5_cleanup auth_status = %d",

 * Apps could be calling pam_end here, so we should always clean
 * up regardless of success or failure here.