/* * pam_sm_setcred */ int pam_sm_setcred( pam_handle_t *pamh, int flags, int argc, const char **argv) { int debug = 0; int warn = 1; int i; dce_module_data_t *dsd; error_status_t st; int err; for (i = 0; i < argc; i++) { if (strcmp(argv[i], "debug") == 0) debug = 1; if (strcmp(argv[i], "nowarn") == 0) warn = 0; } if (flags & PAM_SILENT) warn = 0; if (debug) syslog(LOG_DEBUG, "DCE pam_setcred"); if (pam_get_data(pamh, DCE_DATA, (void**)&dsd) != PAM_SUCCESS || dsd == NULL) { if (flags & PAM_DELETE_CRED) { sec_login_handle_t context; /* attempt to get current context and purge */ sec_login_get_current_context(&context, &st); if (st == error_status_ok) { sec_login_purge_context(&context, &st); } return (st == error_status_ok ? PAM_SUCCESS : PAM_CRED_UNAVAIL); } if (warn) do_cred_warn(pamh); return (PAM_IGNORE); /* since pam_auth was never called */ } if (dsd->auth_status != PAM_SUCCESS) return (dsd->auth_status); if (flags & PAM_DELETE_CRED) { (void) sec_login_purge_context(dsd->login_context, &st); if (debug) { dce_error_string_t text; syslog(LOG_DEBUG, "PAM: DCE sec_login_purge_context: %s", get_dce_error_message(st, text)); } } else { if (dsd->auth_src == sec_login_auth_src_local) { /* we can't set_context on locally authenticated */ /* contexts */ st = sec_login_s_auth_local; } else { (void) sec_login_set_context(dsd->login_context, &st); } if (debug) { dce_error_string_t text; syslog(LOG_DEBUG, "PAM: DCE sec_login_set_context: %s", get_dce_error_message(st, text)); } } /* might want an option to return success even if set_context failed */ if (st == error_status_ok) { return (PAM_SUCCESS); } else { if (warn) do_cred_warn(pamh); if (debug) syslog(LOG_DEBUG, "Can't set user login context"); return (PAM_CRED_ERR); } }
/******************************************************************* check on a DCE/DFS authentication ********************************************************************/ static BOOL dfs_auth(char *user, char *password) { error_status_t err; int err2; int prterr; signed32 expire_time, current_time; boolean32 password_reset; struct passwd *pw; sec_passwd_rec_t passwd_rec; sec_login_auth_src_t auth_src = sec_login_auth_src_network; unsigned char dce_errstr[dce_c_error_string_len]; gid_t egid; if (dcelogin_atmost_once) return (False); #ifdef HAVE_CRYPT /* * We only go for a DCE login context if the given password * matches that stored in the local password file.. * Assumes local passwd file is kept in sync w/ DCE RGY! */ if (strcmp((char *)crypt(password, this_salt), this_crypted)) { return (False); } #endif sec_login_get_current_context(&my_dce_sec_context, &err); if (err != error_status_ok) { dce_error_inq_text(err, dce_errstr, &err2); DEBUG(0, ("DCE can't get current context. %s\n", dce_errstr)); return (False); } sec_login_certify_identity(my_dce_sec_context, &err); if (err != error_status_ok) { dce_error_inq_text(err, dce_errstr, &err2); DEBUG(0, ("DCE can't get current context. %s\n", dce_errstr)); return (False); } sec_login_get_expiration(my_dce_sec_context, &expire_time, &err); if (err != error_status_ok) { dce_error_inq_text(err, dce_errstr, &err2); DEBUG(0, ("DCE can't get expiration. %s\n", dce_errstr)); return (False); } time(¤t_time); if (expire_time < (current_time + 60)) { struct passwd *pw; sec_passwd_rec_t *key; sec_login_get_pwent(my_dce_sec_context, (sec_login_passwd_t *) & pw, &err); if (err != error_status_ok) { dce_error_inq_text(err, dce_errstr, &err2); DEBUG(0, ("DCE can't get pwent. %s\n", dce_errstr)); return (False); } sec_login_refresh_identity(my_dce_sec_context, &err); if (err != error_status_ok) { dce_error_inq_text(err, dce_errstr, &err2); DEBUG(0, ("DCE can't refresh identity. %s\n", dce_errstr)); return (False); } sec_key_mgmt_get_key(rpc_c_authn_dce_secret, NULL, (unsigned char *)pw->pw_name, sec_c_key_version_none, (void **)&key, &err); if (err != error_status_ok) { dce_error_inq_text(err, dce_errstr, &err2); DEBUG(0, ("DCE can't get key for %s. %s\n", pw->pw_name, dce_errstr)); return (False); } sec_login_valid_and_cert_ident(my_dce_sec_context, key, &password_reset, &auth_src, &err); if (err != error_status_ok) { dce_error_inq_text(err, dce_errstr, &err2); DEBUG(0, ("DCE can't validate and certify identity for %s. %s\n", pw->pw_name, dce_errstr)); } sec_key_mgmt_free_key(key, &err); if (err != error_status_ok) { dce_error_inq_text(err, dce_errstr, &err2); DEBUG(0, ("DCE can't free key.\n", dce_errstr)); } } if (sec_login_setup_identity((unsigned char *)user, sec_login_no_flags, &my_dce_sec_context, &err) == 0) { dce_error_inq_text(err, dce_errstr, &err2); DEBUG(0, ("DCE Setup Identity for %s failed: %s\n", user, dce_errstr)); return (False); } sec_login_get_pwent(my_dce_sec_context, (sec_login_passwd_t *) & pw, &err); if (err != error_status_ok) { dce_error_inq_text(err, dce_errstr, &err2); DEBUG(0, ("DCE can't get pwent. %s\n", dce_errstr)); return (False); } sec_login_purge_context(&my_dce_sec_context, &err); if (err != error_status_ok) { dce_error_inq_text(err, dce_errstr, &err2); DEBUG(0, ("DCE can't purge context. %s\n", dce_errstr)); return (False); } /* * NB. I'd like to change these to call something like change_to_user() * instead but currently we don't have a connection * context to become the correct user. This is already * fairly platform specific code however, so I think * this should be ok. I have added code to go * back to being root on error though. JRA. */ egid = getegid(); set_effective_gid(pw->pw_gid); set_effective_uid(pw->pw_uid); if (sec_login_setup_identity((unsigned char *)user, sec_login_no_flags, &my_dce_sec_context, &err) == 0) { dce_error_inq_text(err, dce_errstr, &err2); DEBUG(0, ("DCE Setup Identity for %s failed: %s\n", user, dce_errstr)); goto err; } sec_login_get_pwent(my_dce_sec_context, (sec_login_passwd_t *) & pw, &err); if (err != error_status_ok) { dce_error_inq_text(err, dce_errstr, &err2); DEBUG(0, ("DCE can't get pwent. %s\n", dce_errstr)); goto err; } passwd_rec.version_number = sec_passwd_c_version_none; passwd_rec.pepper = NULL; passwd_rec.key.key_type = sec_passwd_plain; passwd_rec.key.tagged_union.plain = (idl_char *) password; sec_login_validate_identity(my_dce_sec_context, &passwd_rec, &password_reset, &auth_src, &err); if (err != error_status_ok) { dce_error_inq_text(err, dce_errstr, &err2); DEBUG(0, ("DCE Identity Validation failed for principal %s: %s\n", user, dce_errstr)); goto err; } sec_login_certify_identity(my_dce_sec_context, &err); if (err != error_status_ok) { dce_error_inq_text(err, dce_errstr, &err2); DEBUG(0, ("DCE certify identity failed: %s\n", dce_errstr)); goto err; } if (auth_src != sec_login_auth_src_network) { DEBUG(0, ("DCE context has no network credentials.\n")); } sec_login_set_context(my_dce_sec_context, &err); if (err != error_status_ok) { dce_error_inq_text(err, dce_errstr, &err2); DEBUG(0, ("DCE login failed for principal %s, cant set context: %s\n", user, dce_errstr)); sec_login_purge_context(&my_dce_sec_context, &err); goto err; } sec_login_get_pwent(my_dce_sec_context, (sec_login_passwd_t *) & pw, &err); if (err != error_status_ok) { dce_error_inq_text(err, dce_errstr, &err2); DEBUG(0, ("DCE can't get pwent. %s\n", dce_errstr)); goto err; } DEBUG(0, ("DCE login succeeded for principal %s on pid %d\n", user, sys_getpid())); DEBUG(3, ("DCE principal: %s\n" " uid: %d\n" " gid: %d\n", pw->pw_name, pw->pw_uid, pw->pw_gid)); DEBUG(3, (" info: %s\n" " dir: %s\n" " shell: %s\n", pw->pw_gecos, pw->pw_dir, pw->pw_shell)); sec_login_get_expiration(my_dce_sec_context, &expire_time, &err); if (err != error_status_ok) { dce_error_inq_text(err, dce_errstr, &err2); DEBUG(0, ("DCE can't get expiration. %s\n", dce_errstr)); goto err; } set_effective_uid(0); set_effective_gid(0); DEBUG(0, ("DCE context expires: %s", asctime(localtime(&expire_time)))); dcelogin_atmost_once = 1; return (True); err: /* Go back to root, JRA. */ set_effective_uid(0); set_effective_gid(egid); return (False); }