/*
    SSSD

    Kerberos Backend, private header file

    Authors:
        Sumit Bose <sbose@redhat.com>

    Copyright (C) 2009 Red Hat


    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
    the Free Software Foundation; either version 3 of the License, or
    (at your option) any later version.

    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
    GNU General Public License for more details.

    You should have received a copy of the GNU General Public License
    along with this program. If not, see <http://www.gnu.org/licenses/>.
*/

/* NOTE(review): identifiers beginning with "__" are reserved for the
 * implementation (C11 7.1.3); a project-prefixed guard name would avoid
 * any clash, but changing it is cosmetic. */
#ifndef __KRB5_AUTH_H__
#define __KRB5_AUTH_H__

#include <pcre.h>

#include "util/sss_krb5.h"
#include "providers/dp_backend.h"
#include "util/child_common.h"
#include "providers/krb5/krb5_common.h"

/* Name of the environment variable libkrb5 reads to find the default
 * credential cache.  Presumably exported into the environment of the
 * krb5_child helper; where it is set is not visible in this header. */
#define CCACHE_ENV_NAME "KRB5CCNAME"

/* PCRE pattern (hence <pcre.h> above) matching path components that must
 * not appear in a credential-cache path: an empty component ("//"), a "."
 * component or a ".." component.  Every alternative requires a *trailing*
 * '/', so a path that ends in "/." or "/.." is not matched by this pattern
 * on its own.  NOTE(review): the call site is not visible here -- confirm
 * that the caller handles a trailing "." / ".." component as well. */
#define ILLEGAL_PATH_PATTERN "//|/\\./|/\\.\\./"

/* Per-request state for one Kerberos operation handed to the krb5_child
 * helper.  Created by krb5_setup() below; ownership of the pointer members
 * is not visible in this header (presumably talloc children of the
 * request -- confirm in the implementation). */
struct krb5child_req {
    struct pam_data *pd;            /* the PAM request being serviced */
    struct krb5_ctx *krb5_ctx;      /* Kerberos backend context */

    struct sss_krb5_cc_be *cc_be;   /* credential-cache backend; declared in util/sss_krb5.h */
    const char *ccname;             /* credential cache used for this request */
    const char *old_ccname;         /* previous credential cache, if any (presumably) */
    const char *homedir;            /* user's home directory */
    const char *upn;                /* user principal name sent to the KDC */
    uid_t uid;                      /* identity of the requesting user; see run_as_user */
    gid_t gid;
    bool is_offline;                /* backend currently has no reachable server (presumably) */
    struct fo_server *srv;          /* KDC chosen by failover */
    struct fo_server *kpasswd_srv;  /* kpasswd server chosen by failover */
    bool active_ccache_present;     /* a usable ccache already exists (presumably) */
    bool valid_tgt_present;         /* that ccache holds a still-valid TGT (presumably) */
    bool run_as_user;               /* looks like: run the child under uid/gid rather than
                                     * as the backend's own identity -- TODO confirm */
    bool upn_from_different_realm;  /* upn's realm differs from the configured one (presumably) */
};

/* Build the krb5child_req for PAM request pd, allocated on mem_ctx
 * (talloc).  On success *krb5_req points at the new request.  Returns an
 * errno-style code (0 presumably meaning success, as elsewhere in SSSD). */
errno_t krb5_setup(TALLOC_CTX *mem_ctx, struct pam_data *pd,
                   struct krb5_ctx *krb5_ctx, struct krb5child_req **krb5_req);

/* Data-provider entry point for PAM requests routed to the Kerberos
 * backend.  The result is reported through be_req rather than a return
 * value (presumably via the completion callbacks in dp_backend.h). */
void krb5_pam_handler(struct be_req *be_req);

/* Asynchronous Kerberos authentication in tevent send/recv style.
 * krb5_auth_send() starts the request for pd on event loop ev and returns
 * the tevent_req (NULL on allocation failure, by tevent convention --
 * confirm).  krb5_auth_recv() collects the outcome once the request has
 * completed: *pam_status receives the PAM result and *dp_err the
 * data-provider error class (inferred from the names); the return value
 * is an errno-style code for the call itself.  krb5_auth_done() is the
 * completion callback and is not meant to be called directly. */
struct tevent_req *krb5_auth_send(TALLOC_CTX *mem_ctx,
                                  struct tevent_context *ev,
                                  struct be_ctx *be_ctx,
                                  struct pam_data *pd,
                                  struct krb5_ctx *krb5_ctx);
int krb5_auth_recv(struct tevent_req *req, int *pam_status, int *dp_err);
void krb5_auth_done(struct tevent_req *req);

/* Run the krb5_child helper for request kr and collect its reply.
 * handle_child_recv() hands back the raw bytes the child wrote: *buf is
 * allocated on mem_ctx (talloc, presumably) and *len is its length.
 * Those bytes cross a process boundary, so they must be decoded with
 * explicit length checks -- see parse_krb5_child_response() below --
 * rather than read as a fixed layout.  Returns an errno-style code. */
struct tevent_req *handle_child_send(TALLOC_CTX *mem_ctx,
                                     struct tevent_context *ev,
                                     struct krb5child_req *kr);
int handle_child_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx,
                      uint8_t **buf, ssize_t *len);

/* Decoded reply from the krb5_child helper, produced by
 * parse_krb5_child_response() below. */
struct krb5_child_response {
    int32_t msg_status;     /* status code reported by the child; value set is
                             * defined in the child, not visible here */
    struct tgt_times tgtt;  /* TGT lifetime fields; presumably what
                             * add_tgt_to_renew_table() consumes */
    char *ccname;           /* credential-cache name reported back by the child */
    char *correct_upn;      /* principal name as the KDC canonicalised it --
                             * may differ from the requested upn (presumably) */
};

/* Decode the reply buffer (buf, len) returned by handle_child_recv().
 * May update pd (presumably with PAM response messages) and, on success,
 * stores a new krb5_child_response allocated on mem_ctx in *_res.
 * pwd_exp_warning looks like the password-expiration warning period --
 * TODO confirm its units against the caller.  Returns an errno-style code.
 * buf/len originate from a separate process and are untrusted input: every
 * read must be bounded by len (the implementation is not visible here). */
errno_t
parse_krb5_child_response(TALLOC_CTX *mem_ctx, uint8_t *buf, ssize_t len,
                          struct pam_data *pd, int pwd_exp_warning,
                          struct krb5_child_response **_res);

/* Delayed online authentication (inferred from the names): while the
 * backend is offline, a user's request can be kept so that a TGT is
 * obtained once a server becomes reachable again.
 * add_user_to_delayed_online_authentication() queues pd for uid;
 * init_delayed_online_authentication() sets the machinery up for be_ctx
 * on event loop ev.  Both return an errno-style code.
 * NOTE(review): if pd retains the user's authentication token for this,
 * the implementation should clear it once it is no longer needed --
 * not visible from this header. */
errno_t add_user_to_delayed_online_authentication(struct krb5_ctx *krb5_ctx,
                                                  struct pam_data *pd,
                                                  uid_t uid);
errno_t init_delayed_online_authentication(struct krb5_ctx *krb5_ctx,
                                           struct be_ctx *be_ctx,
                                           struct tevent_context *ev);

/* TGT renewal.  init_renew_tgt() starts the periodic renewal task for
 * be_ctx on event loop ev, with period renew_intv (time_t; presumably
 * seconds -- confirm).  add_tgt_to_renew_table() registers the ticket in
 * credential cache ccfile, with lifetime tgtt, for principal upn; pd is
 * kept alongside (presumably so the request can be re-issued -- confirm in
 * the implementation).  Both return an errno-style code. */
errno_t init_renew_tgt(struct krb5_ctx *krb5_ctx, struct be_ctx *be_ctx,
                       struct tevent_context *ev, time_t renew_intv);
errno_t add_tgt_to_renew_table(struct krb5_ctx *krb5_ctx, const char *ccfile,
                               struct tgt_times *tgtt, struct pam_data *pd,
                               const char *upn);

/* krb5_access.c */
/* Access-control phase of a PAM request (presumably the account check for
 * pd's user), in the same tevent send/recv shape as krb5_auth_send() /
 * krb5_auth_recv().  On completion *access_allowed holds the decision and
 * the return value is an errno-style code for the call itself.
 * NOTE(review): callers should treat a non-zero return as "not allowed"
 * rather than reading *access_allowed, which need not be set on error. */
struct tevent_req *krb5_access_send(TALLOC_CTX *mem_ctx,
                                    struct tevent_context *ev,
                                    struct be_ctx *be_ctx,
                                    struct pam_data *pd,
                                    struct krb5_ctx *krb5_ctx);
int krb5_access_recv(struct tevent_req *req, bool *access_allowed);

/* krb5_wait_queue.c */
/* Serialise concurrent requests for the same user (inferred from the
 * names): add_to_wait_queue() parks be_req/pd until the in-flight request
 * for that user finishes; check_wait_queue() is called when the request
 * for username completes and resumes the next queued one.
 * add_to_wait_queue() returns an errno-style code.
 * NOTE(review): nothing in this declaration suggests username is written
 * through; `const char *username` would document that, but the definition
 * must change together with it. */
errno_t add_to_wait_queue(struct be_req *be_req, struct pam_data *pd,
                          struct krb5_ctx *krb5_ctx);
void check_wait_queue(struct krb5_ctx *krb5_ctx, char *username);
#endif /* __KRB5_AUTH_H__ */
