/*
 * Session-close entry point.
 *
 * Parses the module options, logs entry, and then tears down credentials by
 * reusing the credential path (pam_sm_setcred() with PAM_DELETE_CRED) rather
 * than duplicating it.  The result of that call is not propagated: closing a
 * session always reports success.
 *
 * @param pamh  PAM handle, forwarded to pam_sm_setcred().
 * @param flags PAM flags; not used here.
 * @param argc  module argument count, parsed by parse_ctrl().
 * @param argv  module arguments.
 * @return PAM_SUCCESS.
 */
int pam_sm_close_session(pam_handle_t *pamh, int flags, int argc, const char **argv)
{
    (void)flags;

    parse_ctrl(argc, argv);
    ENTRY("pam_sm_close_session");

    /* This isn't really kosher, but it's handy. */
    (void)pam_sm_setcred(pamh, PAM_DELETE_CRED, argc, argv);

    return PAM_SUCCESS;
}
/*
 * Kerberos 4 authentication entry point.
 *
 * Looks up the PAM user and conversation, authenticates through krb4_auth(),
 * and, when the principal carries a non-empty instance (the "root" instance
 * used when an unprivileged caller asks to become root), additionally checks
 * krb_kuserok() authorisation before handing the ticket file to the user.
 *
 * @param pamh  PAM handle.
 * @param flags PAM flags, forwarded to krb4_auth().
 * @param argc  module argument count, parsed by parse_ctrl().
 * @param argv  module arguments.
 * @return PAM_SUCCESS on success; PAM_AUTHINFO_UNAVAIL, PAM_SERVICE_ERR,
 *         PAM_PERM_DENIED, or whatever pam_get_item()/krb4_auth() returned.
 *
 * NOTE(review): this copy of the file is garbled around the pam_get_user()
 * call ("******"), so the check that sits between pam_get_user() and
 * pam_get_item() cannot be recovered here; that line is left exactly as found.
 */
int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv)
{
    char *user;
    int ret;
    struct pam_conv *conv;
    struct passwd *pw;
    /* (uid_t)-1 until getpwnam() succeeds; see the chown() note below. */
    uid_t uid = -1;
    /* Principal name and instance handed to krb4_auth(). */
    const char *name, *inst;
    /* Only filled in by krb_get_tf_fullname() on the non-empty-instance path;
     * otherwise it stays "" and is logged as such. */
    char realm[REALM_SZ];

    realm[0] = 0;
    parse_ctrl(argc, argv);
    ENTRY("pam_sm_authenticate");

    /* Garbled in this copy: the text between "login: " and "root" is lost. */
    ret = pam_get_user(pamh, &user, "login: "******"root") == 0) return PAM_AUTHINFO_UNAVAIL;

    ret = pam_get_item(pamh, PAM_CONV, (void*)&conv);
    if (ret != PAM_SUCCESS)
        return ret;

    /* Point the ticket cache at the target user's file when the user exists. */
    pw = getpwnam(user);
    if (pw != 0) {
        uid = pw->pw_uid;
        set_tkt_string(uid);
    }

    /*
     * An unprivileged caller logging in as root authenticates as
     * <caller>.root rather than as the root principal itself.
     *
     * NOTE(review): if getpwuid() fails in this branch, neither name nor inst
     * is assigned and both are read uninitialized by krb4_auth() below.
     * strdup() is also not NULL-checked and its result is never freed.
     */
    if (strcmp(user, "root") == 0 && getuid() != 0) {
        pw = getpwuid(getuid());
        if (pw != 0) {
            name = strdup(pw->pw_name);
            inst = "root";
        }
    } else {
        name = user;
        inst = "";
    }

    ret = krb4_auth(pamh, flags, name, inst, conv);

    /*
     * The realm was lost inside krb_verify_user() so we can't simply do
     * a krb_kuserok() when inst != "".
     */
    if (ret == PAM_SUCCESS && inst[0] != 0) {
        uid_t old_euid = geteuid();
        uid_t old_ruid = getuid();

        /* NOTE(review): the two setreuid() calls below are not checked; only
         * the final restore is verified.  If the target user was unknown, uid
         * is still (uid_t)-1, which leaves the effective uid unchanged. */
        setreuid(0, 0); /* To read ticket file. */
        if (krb_get_tf_fullname(tkt_string(), 0, 0, realm) != KSUCCESS)
            ret = PAM_SERVICE_ERR;
        else if (krb_kuserok(name, inst, realm, user) != KSUCCESS) {
            setreuid(0, uid); /* To read ~/.klogin. */
            if (krb_kuserok(name, inst, realm, user) != KSUCCESS)
                ret = PAM_PERM_DENIED;
        }

        if (ret != PAM_SUCCESS) {
            dest_tkt(); /* Passwd known, ok to kill ticket. */
            psyslog(LOG_NOTICE, "%s.%s@%s is not allowed to log in as %s", name, inst, realm, user);
        }

        /* Failing to drop privileges again is treated as fatal for the whole
         * process.  NOTE(review): exit() here terminates the application that
         * loaded this module, not just the module; uid_t is also passed to %d. */
        setreuid(old_ruid, old_euid);
        if (getuid() != old_ruid || geteuid() != old_euid) {
            psyslog(LOG_ALERT , "setreuid(%d, %d) failed at line %d", old_ruid, old_euid, __LINE__);
            exit(1);
        }
    }

    if (ret == PAM_SUCCESS) {
        psyslog(LOG_INFO, "%s.%s@%s authenticated as user %s", name, inst, realm, user);
        /* Hand the ticket file to the user.  NOTE(review): when getpwnam()
         * failed above, uid is (uid_t)-1 and chown() leaves the owner as is —
         * confirm that is intended.  As above, exit() takes the host down. */
        if (chown(tkt_string(), uid, -1) == -1) {
            dest_tkt();
            psyslog(LOG_ALERT , "chown(%s, %d, -1) failed", tkt_string(), uid);
            exit(1);
        }
    }

    /*
     * Kludge alert!!!  Sun dtlogin unlock screen fails to call
     * pam_setcred(3) with PAM_REFRESH_CRED after a successful
     * authentication attempt, sic.
     *
     * This hack is designed as a workaround to that problem.
     */
    if (ctrl_on(KRB4_REAFSLOG))
        if (ret == PAM_SUCCESS)
            pam_sm_setcred(pamh, PAM_REFRESH_CRED, argc, argv);

    return ret;
}
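/* Signature shared by every pam_sm_*() entry point the harness drives. */
typedef int (*pam_hook_fn)(pam_handle_t *, int, int, const char **);

/* One "--option" that calls a module entry point with gathered arguments. */
struct pam_hook {
    const char *option; /* command-line switch */
    const char *label;  /* prefix of the printed result line */
    pam_hook_fn fn;     /* module entry point to call */
    int flags;          /* second argument handed to fn */
};

static const struct pam_hook hooks[] = {
    { "--auth",                 "authenticate",     pam_sm_authenticate,  0 },
    { "--open-session",         "open session",     pam_sm_open_session,  0 },
    { "--setcred-establish",    "setcred",          pam_sm_setcred,       PAM_ESTABLISH_CRED },
    { "--setcred-reinitialize", "setcred",          pam_sm_setcred,       PAM_REINITIALIZE_CRED },
    { "--setcred-delete",       "setcred",          pam_sm_setcred,       PAM_DELETE_CRED },
    { "--close-session",        "close session",    pam_sm_close_session, 0 },
    { "--acct-mgmt",            "acct mgmt",        pam_sm_acct_mgmt,     0 },
    { "--chauthtok-prelim",     "chauthtok-prelim", pam_sm_chauthtok,     PAM_PRELIM_CHECK },
    { "--chauthtok-update",     "chauthtok-update", pam_sm_chauthtok,     PAM_UPDATE_AUTHTOK },
};

/* Print "<label>: <code>" followed by the PAM error text when code is non-zero. */
static void print_status(pam_handle_t *pamh, const char *label, int ret)
{
    printf("%s: %d%s %s\n", label, ret, ret ? ":" : "",
           ret ? pam_strerror(pamh, ret) : "");
}

/*
 * Fetch the value that must follow option argv[*i], advancing *i past it.
 * Returns NULL after a diagnostic when the option is the last argument, so
 * the caller never treats argv[argc] (which is NULL) as a string.
 */
static const char *option_value(int argc, char **argv, int *i)
{
    if (*i + 1 >= argc) {
        fprintf(stderr, "Option %s requires a value\n", argv[*i]);
        return NULL;
    }
    (*i)++;
    return argv[*i];
}

/*
 * Begin a PAM transaction and report the result.
 *
 * @return the pam_start() code; *pamh is only usable when it is PAM_SUCCESS
 *         and is reset to NULL otherwise, so callers never dereference a
 *         handle from a failed start.
 *
 * NOTE(review): the Linux-PAM "caller" field is set to 1 after start and 2
 * before end, as the original code did; its meaning is not documented here —
 * presumably it selects application- vs module-side behaviour, confirm.
 */
static int start_pam(const char *service, const char *user,
                     struct pam_conv *conv, pam_handle_t **pamh)
{
    int ret = pam_start(service, user, conv, pamh);
    printf("start: %d\n", ret);
    if (ret != PAM_SUCCESS) {
        *pamh = NULL;
        return ret;
    }
#ifdef __LINUX_PAM__
    /* Linux-PAM *actively* tries to break us. */
    ((struct linux_pam_handle*)*pamh)->caller = 1;
#endif
    return ret;
}

/* Finish the transaction in *pamh, report the result and clear the pointer. */
static int end_pam(pam_handle_t **pamh)
{
    int ret;
#ifdef __LINUX_PAM__
    /* Linux-PAM *actively* tries to break us. */
    ((struct linux_pam_handle*)*pamh)->caller = 2;
#endif
    ret = pam_end(*pamh, 0);
    printf("end: %d\n", ret);
    *pamh = NULL;
    return ret;
}

/*
 * Export the PAM environment into this process and run cmd via system(3).
 * The list from pam_getenvlist() is handed to putenv(), which retains the
 * string pointers, so it is not freed here.  Returns system()'s raw status.
 */
static int run_command(pam_handle_t *pamh, const char *cmd)
{
    char **envlist = pam_getenvlist(pamh);
    int ret;

    if (envlist != NULL) {
        char **e;
        for (e = envlist; *e != NULL; e++)
            putenv(*e);
    }
    ret = system(cmd);
    printf("run(\"%s\"): %d%s %s\n", cmd, WEXITSTATUS(ret),
           WEXITSTATUS(ret) ? ":" : "",
           WEXITSTATUS(ret) ? strerror(WEXITSTATUS(ret)) : "");
    return ret;
}

/*
 * Test harness that drives the module's pam_sm_*() entry points directly
 * from the command line, in the order the options are given.
 *
 * --setservice/--setuser/--setauthtok/--setoldauthtok only record values;
 * they take effect at the next pam_start() (service/user) or immediately
 * after it (the auth tokens are set as items).  The first option that needs
 * a transaction opens one lazily; --restart ends it and opens a fresh one.
 *
 * @return 1 on a usage error, an unrecognized option, a missing option value
 *         or a failed pam_start(); otherwise the code of the last PAM call
 *         (normally pam_end()).
 */
int main(int argc, char **argv)
{
    int i;
    int ret = 0;
    int failed = 0;
    int abi_flag = 0;
    const char *user;
    const char *service = "login";
    const char *authtok = NULL;
    const char *old_authtok = NULL;
    struct passwd *pwd;
    struct pam_conv conv;
    pam_handle_t *pamh = NULL;

    if (argc < 2) {
        fprintf(stderr, "Usage: %s [flags]\n"
                "\t--debug\n"
                "\t--toggle-abi\n"
                "\t--setservice SERVICE\n"
                "\t--setuser USER\n"
                "\t--setauthtok AUTHTOK\n"
                "\t--setoldauthtok OLD_AUTHTOK\n"
                "\t--restart\n"
                "\t--run [cmd]\n"
                "\t--auth [args...]\n"
                "\t--open-session [args...]\n"
                "\t--setcred-establish [args...]\n"
                "\t--setcred-reinitialize [args...]\n"
                "\t--setcred-delete [args...]\n"
                "\t--close-session [args...]\n"
                "\t--acct-mgmt [args...]\n"
                "\t--chauthtok-prelim [args...]\n"
                "\t--chauthtok-update [args...]\n",
                argv[0]);
        return 1;
    }

    pwd = getpwuid(getuid());
    if (pwd == NULL) {
        fprintf(stderr, "Unable to determine name of current user!\n");
        return 1;
    }
    user = pwd->pw_name;

    /* local_conv reads abi_flag through appdata_ptr; --toggle-abi flips it. */
    memset(&conv, 0, sizeof conv);
    conv.conv = local_conv;
    conv.appdata_ptr = &abi_flag;

    for (i = 1; i < argc; i++) {
        const char *opt = argv[i];
        const char **slot = NULL;
        size_t k;

        fflush(stdout);

        if (strcmp(opt, "--debug") == 0) {
            log_options.debug++;
            continue;
        }
        if (strcmp(opt, "--toggle-abi") == 0) {
            abi_flag = !abi_flag;
            continue;
        }

        /* Value-taking setters: the value is required, not argv[argc]. */
        if (strcmp(opt, "--setservice") == 0)
            slot = &service;
        else if (strcmp(opt, "--setuser") == 0)
            slot = &user;
        else if (strcmp(opt, "--setauthtok") == 0)
            slot = &authtok;
        else if (strcmp(opt, "--setoldauthtok") == 0)
            slot = &old_authtok;
        if (slot != NULL) {
            const char *val = option_value(argc, argv, &i);
            if (val == NULL) {
                failed = 1;
                break;
            }
            *slot = val;
            continue;
        }

        /* Everything below needs a transaction; open one on first use. */
        if (pamh == NULL) {
            ret = start_pam(service, user, &conv, &pamh);
            if (ret != PAM_SUCCESS) {
                failed = 1;
                break;
            }
            if (authtok != NULL) {
                ret = pam_set_item(pamh, PAM_AUTHTOK, authtok);
                print_status(pamh, "set authtok", ret);
            }
            if (old_authtok != NULL) {
                ret = pam_set_item(pamh, PAM_OLDAUTHTOK, old_authtok);
                print_status(pamh, "set old authtok", ret);
            }
        }

        /* NOTE(review): as in the original, a restarted transaction does not
         * re-apply the auth-token items; confirm that is intended. */
        if (strcmp(opt, "--restart") == 0) {
            end_pam(&pamh);
            ret = start_pam(service, user, &conv, &pamh);
            if (ret != PAM_SUCCESS) {
                failed = 1;
                break;
            }
            continue;
        }

        if (strcmp(opt, "--run") == 0) {
            const char *cmd = option_value(argc, argv, &i);
            if (cmd == NULL) {
                failed = 1;
                break;
            }
            ret = run_command(pamh, cmd);
            continue;
        }

        /* Module entry points: gather the module's argv, call, free, report. */
        for (k = 0; k < sizeof hooks / sizeof hooks[0]; k++) {
            if (strcmp(opt, hooks[k].option) == 0) {
                int pargc = 0;
                const char **pargv = NULL;

                i += gather_args(argc, argv, i + 1, &pargc, &pargv);
                ret = hooks[k].fn(pamh, hooks[k].flags, pargc, pargv);
                free_args(&pargc, &pargv);
                print_status(pamh, hooks[k].label, ret);
                break;
            }
        }
        if (k < sizeof hooks / sizeof hooks[0])
            continue;

        fprintf(stderr, "Unrecognized argument: %s\n", opt);
        failed = 1;
        break;
    }

    if (pamh != NULL)
        ret = end_pam(&pamh);

    return failed ? 1 : ret;
}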