static void do_cred_warn(void *pamh) { char messages[1][PAM_MAX_MSG_SIZE]; sprintf(messages[0], PAM_MSG(pamh, 30, "warning: Unable to obtain DCE credentials.\n")); (void) __pam_display_msg(pamh, PAM_ERROR_MSG, 1, messages, NULL); }
/* * pam_krb5 acct_mgmt * * we do * - check if pw expired (flag set in auth) * - warn user if pw is set to expire * * notes * - we require the auth module to have already run (sets module data) * - we don't worry about an expired princ cuz if that's the case, * auth would have failed */ int pam_sm_acct_mgmt( pam_handle_t *pamh, int flags, int argc, const char **argv) { char *user = NULL; char *userdata = NULL; int err; int i; krb5_module_data_t *kmd = NULL; char messages[PAM_MAX_NUM_MSG][PAM_MAX_MSG_SIZE]; int debug = 0; /* pam.conf entry option */ int nowarn = 0; /* pam.conf entry option, no expire warnings */ pam_repository_t *rep_data = NULL; for (i = 0; i < argc; i++) { if (strcasecmp(argv[i], "debug") == 0) debug = 1; else if (strcasecmp(argv[i], "nowarn") == 0) { nowarn = 1; flags = flags | PAM_SILENT; } else { __pam_log(LOG_AUTH | LOG_ERR, "PAM-KRB5 (acct): illegal option %s", argv[i]); } } if (debug) __pam_log(LOG_AUTH | LOG_DEBUG, "PAM-KRB5 (acct): debug=%d, nowarn=%d", debug, nowarn); (void) pam_get_item(pamh, PAM_REPOSITORY, (void **)&rep_data); if (rep_data != NULL) { /* * If the repository is not ours, * return PAM_IGNORE. */ if (strcmp(rep_data->type, KRB5_REPOSITORY_NAME) != 0) { if (debug) __pam_log(LOG_AUTH | LOG_DEBUG, "PAM-KRB5 (acct): wrong" "repository found (%s), returning " "PAM_IGNORE", rep_data->type); return (PAM_IGNORE); } } /* get user name */ (void) pam_get_item(pamh, PAM_USER, (void **) &user); if (user == NULL || *user == '\0') { err = PAM_USER_UNKNOWN; goto out; } /* get pam_krb5_migrate specific data */ err = pam_get_data(pamh, KRB5_AUTOMIGRATE_DATA, (const void **)&userdata); if (err != PAM_SUCCESS) { if (debug) __pam_log(LOG_AUTH | LOG_DEBUG, "PAM-KRB5 (acct): " "no module data for KRB5_AUTOMIGRATE_DATA"); } else { /* * We try and reauthenticate, since this user has a * newly created krb5 principal via the pam_krb5_migrate * auth module. That way, this new user will have fresh * creds (assuming pam_sm_authenticate() succeeds). */ if (strcmp(user, userdata) == 0) (void) pam_sm_authenticate(pamh, flags, argc, (const char **)argv); else if (debug) __pam_log(LOG_AUTH | LOG_DEBUG, "PAM-KRB5 (acct): PAM_USER %s" "does not match user %s from pam_get_data()", user, (char *)userdata); } /* get krb5 module data */ if ((err = pam_get_data(pamh, KRB5_DATA, (const void **)&kmd)) != PAM_SUCCESS) { if (err == PAM_NO_MODULE_DATA) { /* * pam_auth never called (possible config * error; no pam_krb5 auth entry in pam.conf), */ if (debug) { __pam_log(LOG_AUTH | LOG_DEBUG, "PAM-KRB5 (acct): no module data"); } err = PAM_IGNORE; goto out; } else { __pam_log(LOG_AUTH | LOG_ERR, "PAM-KRB5 (acct): get module" " data failed: err=%d", err); } goto out; } debug = debug || kmd->debug; /* * auth mod set status to ignore, most likely cuz root key is * in keytab, so skip other checks and return ignore */ if (kmd->auth_status == PAM_IGNORE) { if (debug) __pam_log(LOG_AUTH | LOG_DEBUG, "PAM-KRB5 (acct): kmd auth_status is IGNORE"); err = PAM_IGNORE; goto out; } /* * If there is no Kerberos related user and there is authentication * data, this means that while the user has successfully passed * authentication, Kerberos is not the account authority because there * is no valid Kerberos principal. PAM_IGNORE is returned since * Kerberos is not authoritative for this user. Other modules in the * account stack will need to determine the success or failure for this * user. */ if (kmd->auth_status == PAM_USER_UNKNOWN) { if (debug) syslog(LOG_DEBUG, "PAM-KRB5 (acct): kmd auth_status is USER UNKNOWN"); err = PAM_IGNORE; goto out; } /* * age_status will be set to PAM_NEW_AUTHTOK_REQD in pam_krb5's * 'auth' if the user's key/pw has expired and needs to be changed */ if (kmd->age_status == PAM_NEW_AUTHTOK_REQD) { if (!nowarn) { (void) snprintf(messages[0], sizeof (messages[0]), dgettext(TEXT_DOMAIN, "Your Kerberos password has expired.\n")); (void) __pam_display_msg(pamh, PAM_TEXT_INFO, 1, messages, NULL); } err = PAM_NEW_AUTHTOK_REQD; goto out; } if (kmd->auth_status == PAM_SUCCESS && !(flags & PAM_SILENT) && !nowarn && kmd->password) { /* if we fail, let it slide, it's only a warning brah */ (void) exp_warn(pamh, user, kmd, debug); } /* * If Kerberos is treated as optional in the PAM stack, it is possible * that there is a KRB5_DATA item and a non-Kerberos account authority. * In that case, PAM_IGNORE is returned. */ err = kmd->auth_status != PAM_SUCCESS ? PAM_IGNORE : kmd->auth_status; out: if (debug) __pam_log(LOG_AUTH | LOG_DEBUG, "PAM-KRB5 (acct): end: %s", pam_strerror(pamh, err)); return (err); }
/* * exp_warn * * Warn the user if their pw is set to expire. * * We first check to see if the KDC had set any account or password * expiration information in the key expiration field. If this was * not set then we must assume that the KDC could be broken and revert * to fetching pw/account expiration information from kadm. We can not * determine the difference between broken KDCs that do not send key-exp * vs. principals that do not have an expiration policy. The up-shot * is that pam_krb5 will probably not be stacked for acct mgmt if the * environment does not have an exp policy, avoiding the second exchange * using the kadm protocol. */ static int exp_warn( pam_handle_t *pamh, char *user, krb5_module_data_t *kmd, int debug) { int err; kadm5_principal_ent_rec prent; krb5_timestamp now, days, expiration; char messages[PAM_MAX_NUM_MSG][PAM_MAX_MSG_SIZE], *password; krb5_error_code code; if (debug) __pam_log(LOG_AUTH | LOG_DEBUG, "PAM-KRB5 (acct): exp_warn start: user = '******'", user ? user : "******"); password = kmd->password; if (!pamh || !user || !password) { err = PAM_SERVICE_ERR; goto exit; } /* * If we error out from krb5_init_secure_context, then just set error * code, check to see about debug message and exit out of routine as the * context could not possibly have been setup. */ if (code = krb5_init_secure_context(&kmd->kcontext)) { err = PAM_SYSTEM_ERR; if (debug) __pam_log(LOG_AUTH | LOG_ERR, "PAM-KRB5 (acct): " "krb5_init_secure_context failed: code=%d", code); goto exit; } if (code = krb5_timeofday(kmd->kcontext, &now)) { err = PAM_SYSTEM_ERR; if (debug) __pam_log(LOG_AUTH | LOG_ERR, "PAM-KRB5 (acct): krb5_timeofday failed: code=%d", code); goto out; } if (kmd->expiration != 0) { expiration = kmd->expiration; } else { (void) memset(&prent, 0, sizeof (prent)); if ((err = fetch_princ_entry(kmd, user, &prent, debug)) != PAM_SUCCESS) { if (debug) __pam_log(LOG_AUTH | LOG_DEBUG, "PAM-KRB5 (acct): exp_warn: fetch_pr failed %d", err); goto out; } if (prent.princ_expire_time != 0 && prent.pw_expiration != 0) expiration = min(prent.princ_expire_time, prent.pw_expiration); else expiration = prent.princ_expire_time ? prent.princ_expire_time : prent.pw_expiration; } if (debug) __pam_log(LOG_AUTH | LOG_DEBUG, "PAM-KRB5 (acct): exp_warn: " "princ/pw_exp exp=%ld, now =%ld, days=%ld", expiration, now, expiration > 0 ? ((expiration - now) / DAY) : 0); /* warn user if principal's pw is set to expire */ if (expiration > 0) { days = (expiration - now) / DAY; if (days <= 0) (void) snprintf(messages[0], sizeof (messages[0]), dgettext(TEXT_DOMAIN, "Your Kerberos account/password will expire " "within 24 hours.\n")); else if (days == 1) (void) snprintf(messages[0], sizeof (messages[0]), dgettext(TEXT_DOMAIN, "Your Kerberos account/password will expire " "in 1 day.\n")); else (void) snprintf(messages[0], sizeof (messages[0]), dgettext(TEXT_DOMAIN, "Your Kerberos account/password will expire in " "%d days.\n"), (int)days); (void) __pam_display_msg(pamh, PAM_TEXT_INFO, 1, messages, NULL); } /* things went smooth */ err = PAM_SUCCESS; out: if (kmd->kcontext) { krb5_free_context(kmd->kcontext); kmd->kcontext = NULL; } exit: if (debug) __pam_log(LOG_AUTH | LOG_DEBUG, "PAM-KRB5 (acct): exp_warn end: err = %d", err); return (err); }
static void display_msgs(pam_handle_t *pamh, int msg_style, int nmsg, char msgs[][PAM_MAX_MSG_SIZE]) { (void) __pam_display_msg(pamh, msg_style, nmsg, msgs, NULL); }