krb5_auth.c revision 8f4aaae28c88c707853f8f28d8babc4efe0c1bf6
/*
SSSD
Kerberos 5 Backend Module
Authors:
Sumit Bose <sbose@redhat.com>
Copyright (C) 2009 Red Hat
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
#include <errno.h>
#include <pwd.h>
#include <security/pam_modules.h>
#include "util/find_uid.h"
#include "providers/child_common.h"
#include "providers/krb5/krb5_auth.h"
#include "providers/krb5/krb5_utils.h"
#ifndef SSSD_LIBEXEC_PATH
#error "SSSD_LIBEXEC_PATH not defined"
#else
#endif
{
int ret;
const char *dummy;
char *env;
return ENOMEM;
}
goto done;
}
goto done;
}
}
goto done;
}
goto done;
}
}
goto done;
}
goto done;
}
}
done:
return ret;
}
bool *result)
{
int ret;
const char *filename;
bool active;
*result = false;
return EINVAL;
}
offset = 5;
}
if (filename[0] != '/') {
return EINVAL;
}
return errno;
return EINVAL;
}
filename));
return EINVAL;
}
}
return ret;
}
if (!active) {
} else {
*result = true;
}
return EOK;
}
struct krb5_save_ccname_state {
struct tevent_context *ev;
struct sysdb_handle *handle;
struct sss_domain_info *domain;
const char *name;
struct sysdb_attrs *attrs;
};
struct tevent_context *ev,
struct sss_domain_info *domain,
const char *name,
const char *ccname)
{
struct tevent_req *req;
struct tevent_req *subreq;
struct krb5_save_ccname_state *state;
int ret;
return NULL;
}
return NULL;
}
goto failed;
}
goto failed;
}
return req;
return NULL;
}
{
struct tevent_req);
struct krb5_save_ccname_state);
int ret;
return;
}
return;
}
}
{
struct tevent_req);
struct krb5_save_ccname_state);
int ret;
return;
}
return;
}
return;
}
{
return EOK;
}
{
const char *keytab;
return EINVAL;
}
return ENOMEM;
}
}
return ENOMEM;
}
rp = 0;
}
return EOK;
}
{
case SSS_PAM_AUTHENTICATE:
struct krb5_ctx);
break;
case SSS_PAM_CHAUTHTOK:
case SSS_PAM_CHAUTHTOK_PRELIM:
struct krb5_ctx);
break;
default:
return NULL;
}
}
struct tevent_timer *te,
{
int ret;
return;
}
if (ret == -1) {
}
}
{
tv = tevent_timeval_current();
0);
return ENOMEM;
}
return EOK;
}
static int krb5_cleanup(void *ptr)
{
return EOK;
}
{
goto failed;
}
goto failed;
}
kr->is_offline = false;
kr->active_ccache_present = true;
return EOK;
return err;
}
{
int pipefd_to_child[2];
int pipefd_from_child[2];
int ret;
if (ret == -1) {
return err;
}
if (ret == -1) {
return err;
}
if (pid == 0) { /* child */
/* We need to keep the root privileges to read the keytab file if
* validation is enabled, otherwise we can drop them here and run
* krb5_child with user privileges.
* If authtok_size is zero we are offline and want to create an empty
* ccache file. In this case we can drop the privileges, too. */
return ret;
}
}
return err;
}
} else if (pid > 0) { /* parent */
close(pipefd_to_child[0]);
}
} else { /* error */
return err;
}
return EOK;
}
struct handle_child_state {
struct tevent_context *ev;
struct krb5child_req *kr;
};
struct tevent_context *ev,
struct krb5child_req *kr)
{
struct handle_child_state *state;
int ret;
return NULL;
}
goto fail;
}
goto fail;
}
if (!subreq) {
goto fail;
}
return req;
fail:
return req;
}
{
struct tevent_req);
struct handle_child_state);
int ret;
return;
}
if (!subreq) {
return;
}
}
{
struct tevent_req);
struct handle_child_state);
int ret;
return;
}
return;
}
{
struct handle_child_state);
return EOK;
}
{
const char **attrs;
int pam_status = PAM_SYSTEM_ERR;
int dp_err = DP_ERR_FATAL;
int ret;
case SSS_PAM_AUTHENTICATE:
case SSS_PAM_CHAUTHTOK:
case SSS_PAM_CHAUTHTOK_PRELIM:
break;
case SSS_PAM_ACCT_MGMT:
case SSS_PAM_SETCRED:
case SSS_PAM_OPEN_SESSION:
case SSS_PAM_CLOSE_SESSION:
goto done;
break;
default:
goto done;
}
goto done;
}
goto done;
}
if (ret) {
goto done;
}
return;
done:
}
{
struct tevent_req *req;
int ret;
int pam_status = PAM_SYSTEM_ERR;
int dp_err = DP_ERR_FATAL;
const char *ccache_file = NULL;
const char *realm;
goto failed;
}
if (err != LDB_SUCCESS) {
goto failed;
}
goto failed;
}
case 0:
goto failed;
break;
case 1:
/* NOTE: this is a hack, works only in some environments */
goto failed;
}
}
NULL);
}
goto failed;
}
goto failed;
}
NULL);
if (ccache_file != NULL) {
goto failed;
}
&kr->valid_tgt_present);
if (kerr != 0) {
goto failed;
}
} else {
kr->active_ccache_present = false;
kr->valid_tgt_present = false;
}
break;
default:
goto failed;
break;
}
goto failed;
}
return;
}
{
struct krb5child_req);
int ret;
int pam_status = PAM_SYSTEM_ERR;
int dp_err = DP_ERR_FATAL;
char *msg;
if (ret) {
/* all servers have been tried and none
* was found good, setting offline,
* but we still have to call the child to setup
* the ccache file. */
kr->is_offline = true;
}
!kr->valid_tgt_present) ||
offset = 5;
}
goto done;
}
goto done;
}
}
);
goto done;
}
}
kr->is_offline = true;
if (kr->valid_tgt_present) {
goto done;
}
}
goto done;
}
pd->authtok_size = 0;
if (kr->active_ccache_present) {
goto done;
}
return;
}
}
goto done;
}
return;
done:
}
{
struct krb5child_req);
int ret;
int p;
int pam_status = PAM_SYSTEM_ERR;
int dp_err = DP_ERR_FATAL;
goto done;
}
goto done;
}
p=0;
p += sizeof(int32_t);
p += sizeof(int32_t);
p += sizeof(int32_t);
*msg_len));
goto done;
}
pam_status = *msg_status;
}
goto done;
} else {
}
goto done;
}
goto done;
}
} else {
&buf[p]));
goto done;
}
if (*msg_status == PAM_AUTHINFO_UNAVAIL) {
}
kr->is_offline = true;
}
struct sysdb_attrs *attrs;
goto done;
}
goto done;
}
return;
done:
}
{
struct krb5child_req);
int pam_status = PAM_SYSTEM_ERR;
int dp_err = DP_ERR_FATAL;
int ret;
goto failed;
}
}
goto failed;
}
if (kr->is_offline) {
goto failed;
}
/* password caching failures are not fatal errors */
case SSS_PAM_AUTHENTICATE:
case SSS_PAM_CHAUTHTOK_PRELIM:
}
break;
case SSS_PAM_CHAUTHTOK:
}
break;
default:
}
DEBUG(0, ("password not available, offline auth may not work.\n"));
goto failed;
}
password);
goto failed;
}
return;
}
}
{
int ret;
/* password caching failures are not fatal errors */
/* so we just log it any return */
if (ret) {
}
}
{
}