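/*
 * PAM module that sets KRB5CCNAME so that Solaris (and HP-UX, which has no
 * pam_env routines) uses a per-session Kerberos credential cache.
 *
 * Module arguments understood by the service entry points:
 *   debug         log progress through syslog(LOG_NOTICE)
 *   force         authenticate/open_session: set the cache name in that hook;
 *                 setcred: skip, pam_sm_authenticate already did it
 *   clean         close_session: remove the FILE: cache named by KRB5CCNAME
 *   ccache=NAME   cache name template; %u = uid, %n = user name, %p = pid
 */

/*
 * Log one debug line through syslog.  Expands to a single statement so it
 * is safe as the body of an unbraced if/else; "debug" must be an int in the
 * caller's scope.
 */
#define DEBLOG(A,B) \
    do { \
        if (debug) { \
            syslog(LOG_NOTICE, "pam_krb5_ccache:%d %s:%s", __LINE__, (A), (B)); \
        } \
    } while (0)

/*
 * The header names were lost when this listing was extracted; the includes
 * below are the ones declaring what this file calls (syslog, the str*
 * functions, getpwnam, getpid/getuid, fprintf/sprintf/remove, getenv/putenv
 * and the pam_* interfaces).
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <syslog.h>
#include <unistd.h>
#include <pwd.h>
#include <security/pam_appl.h>
#include <security/pam_modules.h>

int do_krb5_ccache_routine(pam_handle_t *pamh, int flags, int argc, const char **argv);

/***************************************************************/
/*
 * Authentication hook.  Only with the "force" argument does it set the cache
 * name (through do_krb5_ccache_routine).  It never authenticates anybody, so
 * success is reported as PAM_IGNORE and the decision is left to the other
 * modules in the stack.
 */
int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv)
{
    int debug = 0;
    int i;
    int ret;
    int do_krb5_ccache = 0;

    for (i = 0; i < argc; i++) {
        if (strcmp(argv[i], "debug") == 0) {
            debug++;
        } else if (strcmp(argv[i], "force") == 0) {
            do_krb5_ccache = 1;
        }
    }
#ifdef DEBUG
    fprintf(stderr, "pam_sm_authenticate flag=%d\n", flags);
#endif
    DEBLOG("pam_sm_authenticate", "called");
    if (debug) {
        if (pam_getenv(pamh, "KRB5CCNAME")) {
            DEBLOG("pam_getenv KRB5CCNAME", pam_getenv(pamh, "KRB5CCNAME"));
        }
        if (getenv("KRB5CCNAME")) {
            DEBLOG("getenv KRB5CCNAME", getenv("KRB5CCNAME"));
        }
    }
    if (!do_krb5_ccache) {
        return PAM_IGNORE;
    }
    ret = do_krb5_ccache_routine(pamh, flags, argc, argv);
    if (ret == PAM_SUCCESS) {
        ret = PAM_IGNORE;   /* we did not really authenticate */
    }
    return ret;
}

/***************************************************************/
/*
 * Account hook.  Always sets the cache name (no argument turns it off in
 * this hook); success is reported as PAM_IGNORE because no account decision
 * is made here.
 */
int pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, int argc, const char **argv)
{
    int debug = 0;
    int i;
    int ret;

    for (i = 0; i < argc; i++) {
        if (strcmp(argv[i], "debug") == 0) {
            debug++;
        }
    }
#ifdef DEBUG
    fprintf(stderr, "pam_sm_account flag=%d\n", flags);
#endif
    DEBLOG("pam_sm_account", "called");
    if (debug) {
        if (pam_getenv(pamh, "KRB5CCNAME")) {
            DEBLOG("pam_getenv KRB5CCNAME", pam_getenv(pamh, "KRB5CCNAME"));
        }
        if (getenv("KRB5CCNAME")) {
            DEBLOG("getenv KRB5CCNAME", getenv("KRB5CCNAME"));
        }
    }
    ret = do_krb5_ccache_routine(pamh, flags, argc, argv);
    if (ret == PAM_SUCCESS) {
        ret = PAM_IGNORE;   /* we did not really authenticate */
    }
    return ret;
}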
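/********************************************************/
/*
 * Credential hook.  By default it sets the cache name; with the "force"
 * argument that work was already done in pam_sm_authenticate, so it only
 * reports success.
 */
int pam_sm_setcred(pam_handle_t *pamh, int flags, int argc, const char **argv)
{
    int debug = 0;
    int i;
    int do_krb5_ccache = 1;     /* default to doing the cache stuff */

    for (i = 0; i < argc; i++) {
        if (strcmp(argv[i], "debug") == 0) {
            debug++;
        } else if (strcmp(argv[i], "force") == 0) {
            do_krb5_ccache = 0;     /* authenticate would have done this */
        }
    }
    DEBLOG("pam_sm_setcred", "called");
    if (debug) {
        if (pam_getenv(pamh, "KRB5CCNAME")) {
            DEBLOG("pam_getenv KRB5CCNAME", pam_getenv(pamh, "KRB5CCNAME"));
        }
        if (getenv("KRB5CCNAME")) {
            DEBLOG("getenv KRB5CCNAME", getenv("KRB5CCNAME"));
        }
    }
    if (!do_krb5_ccache) {
        return PAM_SUCCESS;
    }
    return do_krb5_ccache_routine(pamh, flags, argc, argv);
}

/********************************************************/
/*
 * Session open hook.  Sets the cache name only with the "force" argument;
 * otherwise it is a no-op that reports success.
 */
int pam_sm_open_session(pam_handle_t *pamh, int flags, int argc, const char **argv)
{
    int debug = 0;
    int i;
    int do_krb5_ccache = 0;

#ifdef DEBUG
    fprintf(stderr, "pam_sm_open_session flag=%d\n", flags);
#endif
    for (i = 0; i < argc; i++) {
        if (strcmp(argv[i], "debug") == 0) {
            debug++;
        } else if (strcmp(argv[i], "force") == 0) {
            do_krb5_ccache = 1;
        }
    }
    DEBLOG("pam_sm_open_session", "called");
    if (debug) {
        if (pam_getenv(pamh, "KRB5CCNAME")) {
            DEBLOG("pam_getenv KRB5CCNAME", pam_getenv(pamh, "KRB5CCNAME"));
        }
        if (getenv("KRB5CCNAME")) {
            DEBLOG("getenv KRB5CCNAME", getenv("KRB5CCNAME"));
        }
    }
    if (!do_krb5_ccache) {
        return PAM_SUCCESS;
    }
    return do_krb5_ccache_routine(pamh, flags, argc, argv);
}

/********************************************************/
/*
 * Session close hook.  With the "clean" argument the credential cache named
 * by KRB5CCNAME is unlinked.  The name is taken from the process environment
 * first and the PAM environment second (the order this module always used).
 * The unlink runs with the privileges of the calling process on a path that
 * comes from the environment, so only a "FILE:" name or a bare path is acted
 * on; other cache types are not file names and are left alone.  Always
 * returns PAM_SUCCESS.
 */
int pam_sm_close_session(pam_handle_t *pamh, int flags, int argc, const char **argv)
{
    int debug = 0;
    int i;
    int clean = 0;
    const char *cache_name = NULL;
    const char *path = NULL;

    (void) flags;   /* not consulted by this hook */
    for (i = 0; i < argc; i++) {
        if (strcmp(argv[i], "debug") == 0) {
            debug++;
        } else if (strcmp(argv[i], "clean") == 0) {
            clean = 1;
        }
    }
    if (debug) {
        if (pam_getenv(pamh, "KRB5CCNAME")) {
            DEBLOG("pam_getenv KRB5CCNAME", pam_getenv(pamh, "KRB5CCNAME"));
        }
        if (getenv("KRB5CCNAME")) {
            DEBLOG("getenv KRB5CCNAME", getenv("KRB5CCNAME"));
        }
    }
    if (clean) {
        cache_name = getenv("KRB5CCNAME");
        if (cache_name == NULL) {
            cache_name = pam_getenv(pamh, "KRB5CCNAME");
        }
        if (cache_name != NULL) {
            if (strncmp(cache_name, "FILE:", 5) == 0) {
                path = cache_name + 5;
            } else if (strchr(cache_name, ':') == NULL) {
                path = cache_name;      /* bare path: FILE: is the implied type */
            } else {
                DEBLOG("not a FILE: ccache, not removing", cache_name);
            }
            if (path != NULL) {
                /* unlink() rather than remove(): a cache is a file, never
                 * a directory, and the failure is worth a log line when
                 * debugging session cleanup. */
                if (unlink(path) != 0) {
                    DEBLOG("unlink of ccache failed", path);
                }
                DEBLOG("remvoing ccache", path);
            }
        }
    }
    DEBLOG("pam_sm_close_session", "called");
    return PAM_SUCCESS;
}

/*
 * Append the NUL-terminated string src to dst (capacity cap bytes), keeping
 * the running length in *len so repeated calls do not rescan the buffer.
 * Returns 0 on success and -1, leaving dst unchanged, if src plus its
 * terminator would not fit.
 */
static int ccache_append(char *dst, size_t cap, size_t *len, const char *src)
{
    size_t n = strlen(src);

    if (n >= cap - *len) {
        return -1;
    }
    memcpy(dst + *len, src, n + 1);
    *len += n;
    return 0;
}

/********************************************************/
/*
 * Build KRB5CCNAME from the "ccache=" template (default FILE:/tmp/krb5cc_%u)
 * and export it to both the PAM environment and the process environment.
 *
 * Template tokens: %u -> numeric uid, %n -> user name, %p -> pid of this
 * process.  A '%' followed by any other character (or at the end of the
 * template) is copied literally.  flags is not consulted: the name is set on
 * every call (an earlier PAM_ESTABLISH_CRED check was disabled).
 *
 * Returns PAM_SUCCESS once the variable is set; PAM_IGNORE for "root" or a
 * user getpwnam() does not know; PAM_USER_UNKNOWN when no PAM_USER is set;
 * PAM_SERVICE_ERR when PAM_USER cannot be read or the expanded name does not
 * fit the buffer; PAM_BUF_ERR when the environment copy cannot be made; or
 * the error returned by pam_putenv().
 */
int do_krb5_ccache_routine(pam_handle_t *pamh, int flags, int argc, const char **argv)
{
    int debug = 0;
    int i;
    int ret;
    const char *username = NULL;
    struct passwd *pw = NULL;
    const char *cache_name = NULL;
    const char *q;
    const char *piece;
    char one[2];
    char numbuf[32];                /* ample for "%ld" of any long */
    char cache_name_env_buf[2048];
    size_t len = 0;
    char *env_copy;

#ifdef DEBUG
    fprintf(stderr, "do_krb5_ccache_routine flag=%d\n", flags);
#endif
    (void) flags;
    for (i = 0; i < argc; i++) {
        if (strcmp(argv[i], "debug") == 0) {
            debug++;
        } else if (strncmp(argv[i], "ccache=", 7) == 0) {
            cache_name = argv[i] + 7;   /* template, expanded below */
        }
    }
    DEBLOG("do_krb5_ccache_routine", "called");

    if (pam_get_item(pamh, PAM_USER, (void **) &username) != PAM_SUCCESS) {
        ret = PAM_SERVICE_ERR;
        goto err;
    }
    /* pam_get_item() succeeds with a NULL item when no user has been set;
     * the old code went straight into strncmp() on it. */
    if (username == NULL) {
        ret = PAM_USER_UNKNOWN;
        DEBLOG("do_krb5_ccache_routine", "no PAM_USER set");
        goto err;
    }
    /* Exact match: the previous strncmp(username, "root", 4) also skipped
     * every account whose name merely starts with "root". */
    if (strcmp(username, "root") == 0) {
        ret = PAM_IGNORE;   /* no tokens for root */
        DEBLOG("do_krb5_ccache_routine ignoring ", username);
        goto err;
    }
    DEBLOG("do_krb5_ccache_routine user", username);
    if (!(pw = getpwnam(username))) {
        ret = PAM_IGNORE;
        DEBLOG("do_krb5_ccache_routine", "user not known");
        goto err;
    }

    /* HP does not have the pam_env routines, so the name is built here;
     * the default is the cache the krb5 pam routines look for. */
    if (!cache_name) {
        cache_name = "FILE:/tmp/krb5cc_%u";
    }

    /* Expand the template into "KRB5CCNAME=<name>" with every write bounded:
     * the user name comes from PAM_USER and the template from the module
     * arguments, and the old unchecked sprintf/copy loop could run past the
     * end of cache_name_env_buf. */
    cache_name_env_buf[0] = '\0';
    if (ccache_append(cache_name_env_buf, sizeof cache_name_env_buf, &len, "KRB5CCNAME=") != 0) {
        ret = PAM_SERVICE_ERR;
        goto err;
    }
    for (q = cache_name; *q != '\0'; q++) {
        if (*q == '%' && q[1] != '\0') {
            switch (q[1]) {
            case 'u':
                sprintf(numbuf, "%ld", (long) pw->pw_uid);
                piece = numbuf;
                q++;
                break;
            case 'n':
                piece = username;
                q++;
                break;
            case 'p':
                sprintf(numbuf, "%ld", (long) getpid());
                piece = numbuf;
                q++;
                break;
            default:
                piece = "%";    /* not a token: keep the '%', the next char is copied on the next pass */
                break;
            }
        } else {
            one[0] = *q;
            one[1] = '\0';
            piece = one;
        }
        if (ccache_append(cache_name_env_buf, sizeof cache_name_env_buf, &len, piece) != 0) {
            ret = PAM_SERVICE_ERR;
            DEBLOG("do_krb5_ccache_routine", "expanded ccache name too long");
            goto err;
        }
    }

#ifdef DEBUG
    fprintf(stderr, "do_krb5_ccache_routine pid=%d uid=%d euid=%d\n",
            (int) getpid(), (int) getuid(), (int) geteuid());
    fprintf(stderr, "do_krb5_ccache_routine, pw_dir=%s\n", pw->pw_dir);
    fprintf(stderr, "do_krb5_ccache_routine Kenv=%s\n",
            pam_getenv(pamh, "KRB5CCNAME") ? pam_getenv(pamh, "KRB5CCNAME") : "(none)");
#endif
    if (debug) {
        if (pam_getenv(pamh, "KRB5CCNAME")) {
            DEBLOG("pam_getenv KRB5CCNAME", pam_getenv(pamh, "KRB5CCNAME"));
        }
        if (getenv("KRB5CCNAME")) {
            DEBLOG("getenv KRB5CCNAME", getenv("KRB5CCNAME"));
        }
    }
    DEBLOG("do_krb5_ccache_routine", "calling get_krb5_ccache_token");

    /* NOTE(review): pam_putenv() copies its argument on Linux-PAM and
     * Solaris -- confirm for the target platform.  Its result used to be
     * ignored; a failure here means the module did not do its one job. */
    ret = pam_putenv(pamh, cache_name_env_buf);
    if (ret != PAM_SUCCESS) {
        DEBLOG("do_krb5_ccache_routine", "pam_putenv failed");
        goto err;
    }
    /* putenv() keeps the pointer it is handed, so it must never point into
     * this stack frame (the old code did exactly that).  The copy is never
     * freed, as putenv strings never are. */
    env_copy = strdup(cache_name_env_buf);
    if (env_copy == NULL) {
        ret = PAM_BUF_ERR;
        goto err;
    }
    if (putenv(env_copy) != 0) {
        free(env_copy);
        ret = PAM_BUF_ERR;
        goto err;
    }
    if (debug) {
        if (pam_getenv(pamh, "KRB5CCNAME")) {
            DEBLOG("pam_getenv KRB5CCNAME", pam_getenv(pamh, "KRB5CCNAME"));
        }
        if (getenv("KRB5CCNAME")) {
            DEBLOG("getenv KRB5CCNAME", getenv("KRB5CCNAME"));
        }
    }
    ret = PAM_SUCCESS;
err:
    return ret;
}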