1
0
mirror of https://git.FreeBSD.org/src.git synced 2024-12-24 11:29:10 +00:00

- Avoid using deprecated heimdal functions in pam_krb5.

This commit is contained in:
Stanislav Sedov 2012-03-24 01:02:03 +00:00
parent ba5e340b5f
commit 26ec46c8d6
Notes: svn2git 2020-12-20 02:59:44 +00:00
svn path=/head/; revision=233406
2 changed files with 102 additions and 69 deletions
lib/libpam/modules/pam_krb5

View File

@ -32,8 +32,6 @@ CFLAGS+=-D_FREEFALL_CONFIG
WARNS?= 3
.endif
NO_WERROR= yes
DPADD= ${LIBKRB5} ${LIBHX509} ${LIBASN1} ${LIBROKEN} ${LIBCOM_ERR} ${LIBCRYPT} ${LIBCRYPTO}
LDADD= -lkrb5 -lhx509 -lasn1 -lroken -lcom_err -lcrypt -lcrypto

View File

@ -92,6 +92,13 @@ static void compat_free_data_contents(krb5_context, krb5_data *);
#define PAM_OPT_NO_USER_CHECK "no_user_check"
#define PAM_OPT_REUSE_CCACHE "reuse_ccache"
#define PAM_LOG_KRB5_ERR(ctx, rv, fmt, ...) \
do { \
const char *krb5msg = krb5_get_error_message(ctx, rv); \
PAM_LOG(fmt ": %s", ##__VA_ARGS__, krb5msg); \
krb5_free_error_message(ctx, krb5msg); \
} while (0)
/*
* authentication management
*/
@ -104,7 +111,7 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags __unused,
krb5_creds creds;
krb5_principal princ;
krb5_ccache ccache;
krb5_get_init_creds_opt opts;
krb5_get_init_creds_opt *opts;
struct passwd *pwd;
int retval;
const void *ccache_data;
@ -139,13 +146,6 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags __unused,
PAM_LOG("Context initialised");
krb5_get_init_creds_opt_init(&opts);
if (openpam_get_option(pamh, PAM_OPT_FORWARDABLE))
krb5_get_init_creds_opt_set_forwardable(&opts, 1);
PAM_LOG("Credentials initialised");
krbret = krb5_cc_register(pam_context, &krb5_mcc_ops, FALSE);
if (krbret != 0 && krbret != KRB5_CC_TYPE_EXISTS) {
PAM_VERBOSE_ERROR("Kerberos 5 error");
@ -166,8 +166,7 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags __unused,
krbret = krb5_parse_name(pam_context, principal, &princ);
free(principal);
if (krbret != 0) {
PAM_LOG("Error krb5_parse_name(): %s",
krb5_get_err_text(pam_context, krbret));
PAM_LOG_KRB5_ERR(pam_context, krbret, "Error krb5_parse_name()");
PAM_VERBOSE_ERROR("Kerberos 5 error");
retval = PAM_SERVICE_ERR;
goto cleanup3;
@ -179,8 +178,8 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags __unused,
princ_name = NULL;
krbret = krb5_unparse_name(pam_context, princ, &princ_name);
if (krbret != 0) {
PAM_LOG("Error krb5_unparse_name(): %s",
krb5_get_err_text(pam_context, krbret));
PAM_LOG_KRB5_ERR(pam_context, krbret,
"Error krb5_unparse_name()");
PAM_VERBOSE_ERROR("Kerberos 5 error");
retval = PAM_SERVICE_ERR;
goto cleanup2;
@ -206,8 +205,8 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags __unused,
sizeof(luser), luser);
if (krbret != 0) {
PAM_VERBOSE_ERROR("Kerberos 5 error");
PAM_LOG("Error krb5_aname_to_localname(): %s",
krb5_get_err_text(pam_context, krbret));
PAM_LOG_KRB5_ERR(pam_context, krbret,
"Error krb5_aname_to_localname()");
retval = PAM_USER_UNKNOWN;
goto cleanup2;
}
@ -228,14 +227,30 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags __unused,
PAM_LOG("Done getpwnam()");
}
/* Initialize credentials request options. */
krbret = krb5_get_init_creds_opt_alloc(pam_context, &opts);
if (krbret != 0) {
PAM_LOG_KRB5_ERR(pam_context, krbret,
"Error krb5_get_init_creds_opt_alloc()");
PAM_VERBOSE_ERROR("Kerberos 5 error");
retval = PAM_SERVICE_ERR;
goto cleanup2;
}
if (openpam_get_option(pamh, PAM_OPT_FORWARDABLE))
krb5_get_init_creds_opt_set_forwardable(opts, 1);
PAM_LOG("Credential options initialised");
/* Get a TGT */
memset(&creds, 0, sizeof(krb5_creds));
krbret = krb5_get_init_creds_password(pam_context, &creds, princ,
pass, NULL, pamh, 0, NULL, &opts);
pass, NULL, pamh, 0, NULL, opts);
krb5_get_init_creds_opt_free(pam_context, opts);
if (krbret != 0) {
PAM_VERBOSE_ERROR("Kerberos 5 error");
PAM_LOG("Error krb5_get_init_creds_password(): %s",
krb5_get_err_text(pam_context, krbret));
PAM_LOG_KRB5_ERR(pam_context, krbret,
"Error krb5_get_init_creds_password()");
retval = PAM_AUTH_ERR;
goto cleanup2;
}
@ -243,27 +258,27 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags __unused,
PAM_LOG("Got TGT");
/* Generate a temporary cache */
krbret = krb5_cc_gen_new(pam_context, &krb5_mcc_ops, &ccache);
krbret = krb5_cc_new_unique(pam_context, krb5_cc_type_memory, NULL, &ccache);
if (krbret != 0) {
PAM_VERBOSE_ERROR("Kerberos 5 error");
PAM_LOG("Error krb5_cc_gen_new(): %s",
krb5_get_err_text(pam_context, krbret));
PAM_LOG_KRB5_ERR(pam_context, krbret,
"Error krb5_cc_new_unique()");
retval = PAM_SERVICE_ERR;
goto cleanup;
}
krbret = krb5_cc_initialize(pam_context, ccache, princ);
if (krbret != 0) {
PAM_VERBOSE_ERROR("Kerberos 5 error");
PAM_LOG("Error krb5_cc_initialize(): %s",
krb5_get_err_text(pam_context, krbret));
PAM_LOG_KRB5_ERR(pam_context, krbret,
"Error krb5_cc_initialize()");
retval = PAM_SERVICE_ERR;
goto cleanup;
}
krbret = krb5_cc_store_cred(pam_context, ccache, &creds);
if (krbret != 0) {
PAM_VERBOSE_ERROR("Kerberos 5 error");
PAM_LOG("Error krb5_cc_store_cred(): %s",
krb5_get_err_text(pam_context, krbret));
PAM_LOG_KRB5_ERR(pam_context, krbret,
"Error krb5_cc_store_cred()");
krb5_cc_destroy(pam_context, ccache);
retval = PAM_SERVICE_ERR;
goto cleanup;
@ -406,8 +421,8 @@ pam_sm_setcred(pam_handle_t *pamh, int flags,
}
krbret = krb5_cc_resolve(pam_context, cache_data, &ccache_temp);
if (krbret != 0) {
PAM_LOG("Error krb5_cc_resolve(\"%s\"): %s", (const char *)cache_data,
krb5_get_err_text(pam_context, krbret));
PAM_LOG_KRB5_ERR(pam_context, krbret,
"Error krb5_cc_resolve(\"%s\")", (const char *)cache_data);
retval = PAM_SERVICE_ERR;
goto cleanup3;
}
@ -479,22 +494,21 @@ pam_sm_setcred(pam_handle_t *pamh, int flags,
/* Initialize the new ccache */
krbret = krb5_cc_get_principal(pam_context, ccache_temp, &princ);
if (krbret != 0) {
PAM_LOG("Error krb5_cc_get_principal(): %s",
krb5_get_err_text(pam_context, krbret));
PAM_LOG_KRB5_ERR(pam_context, krbret,
"Error krb5_cc_get_principal()");
retval = PAM_SERVICE_ERR;
goto cleanup3;
}
krbret = krb5_cc_resolve(pam_context, cache_name, &ccache_perm);
if (krbret != 0) {
PAM_LOG("Error krb5_cc_resolve(): %s",
krb5_get_err_text(pam_context, krbret));
PAM_LOG_KRB5_ERR(pam_context, krbret, "Error krb5_cc_resolve()");
retval = PAM_SERVICE_ERR;
goto cleanup2;
}
krbret = krb5_cc_initialize(pam_context, ccache_perm, princ);
if (krbret != 0) {
PAM_LOG("Error krb5_cc_initialize(): %s",
krb5_get_err_text(pam_context, krbret));
PAM_LOG_KRB5_ERR(pam_context, krbret,
"Error krb5_cc_initialize()");
retval = PAM_SERVICE_ERR;
goto cleanup2;
}
@ -504,8 +518,8 @@ pam_sm_setcred(pam_handle_t *pamh, int flags,
/* Prepare for iteration over creds */
krbret = krb5_cc_start_seq_get(pam_context, ccache_temp, &cursor);
if (krbret != 0) {
PAM_LOG("Error krb5_cc_start_seq_get(): %s",
krb5_get_err_text(pam_context, krbret));
PAM_LOG_KRB5_ERR(pam_context, krbret,
"Error krb5_cc_start_seq_get()");
krb5_cc_destroy(pam_context, ccache_perm);
retval = PAM_SERVICE_ERR;
goto cleanup2;
@ -518,8 +532,8 @@ pam_sm_setcred(pam_handle_t *pamh, int flags,
&cursor, &creds) == 0)) {
krbret = krb5_cc_store_cred(pam_context, ccache_perm, &creds);
if (krbret != 0) {
PAM_LOG("Error krb5_cc_store_cred(): %s",
krb5_get_err_text(pam_context, krbret));
PAM_LOG_KRB5_ERR(pam_context, krbret,
"Error krb5_cc_store_cred()");
krb5_cc_destroy(pam_context, ccache_perm);
krb5_free_cred_contents(pam_context, &creds);
retval = PAM_SERVICE_ERR;
@ -620,8 +634,8 @@ pam_sm_acct_mgmt(pam_handle_t *pamh, int flags __unused,
krbret = krb5_cc_resolve(pam_context, (const char *)ccache_name, &ccache);
if (krbret != 0) {
PAM_LOG("Error krb5_cc_resolve(\"%s\"): %s", (const char *)ccache_name,
krb5_get_err_text(pam_context, krbret));
PAM_LOG_KRB5_ERR(pam_context, krbret,
"Error krb5_cc_resolve(\"%s\")", (const char *)ccache_name);
krb5_free_context(pam_context);
return (PAM_PERM_DENIED);
}
@ -631,8 +645,8 @@ pam_sm_acct_mgmt(pam_handle_t *pamh, int flags __unused,
krbret = krb5_cc_get_principal(pam_context, ccache, &princ);
if (krbret != 0) {
PAM_LOG("Error krb5_cc_get_principal(): %s",
krb5_get_err_text(pam_context, krbret));
PAM_LOG_KRB5_ERR(pam_context, krbret,
"Error krb5_cc_get_principal()");
retval = PAM_PERM_DENIED;;
goto cleanup;
}
@ -666,7 +680,7 @@ pam_sm_chauthtok(pam_handle_t *pamh, int flags,
krb5_context pam_context;
krb5_creds creds;
krb5_principal princ;
krb5_get_init_creds_opt opts;
krb5_get_init_creds_opt *opts;
krb5_data result_code_string, result_string;
int result_code, retval;
const char *pass;
@ -690,15 +704,11 @@ pam_sm_chauthtok(pam_handle_t *pamh, int flags,
PAM_LOG("Context initialised");
krb5_get_init_creds_opt_init(&opts);
PAM_LOG("Credentials options initialised");
/* Get principal name */
krbret = krb5_parse_name(pam_context, (const char *)user, &princ);
if (krbret != 0) {
PAM_LOG("Error krb5_parse_name(): %s",
krb5_get_err_text(pam_context, krbret));
PAM_LOG_KRB5_ERR(pam_context, krbret,
"Error krb5_parse_name()");
retval = PAM_USER_UNKNOWN;
goto cleanup3;
}
@ -707,8 +717,8 @@ pam_sm_chauthtok(pam_handle_t *pamh, int flags,
princ_name = NULL;
krbret = krb5_unparse_name(pam_context, princ, &princ_name);
if (krbret != 0) {
PAM_LOG("Error krb5_unparse_name(): %s",
krb5_get_err_text(pam_context, krbret));
PAM_LOG_KRB5_ERR(pam_context, krbret,
"Error krb5_unparse_name()");
retval = PAM_SERVICE_ERR;
goto cleanup2;
}
@ -722,12 +732,25 @@ pam_sm_chauthtok(pam_handle_t *pamh, int flags,
PAM_LOG("Got password");
/* Initialize credentials request options. */
krbret = krb5_get_init_creds_opt_alloc(pam_context, &opts);
if (krbret != 0) {
PAM_LOG_KRB5_ERR(pam_context, krbret,
"Error krb5_get_init_creds_opt_alloc()");
PAM_VERBOSE_ERROR("Kerberos 5 error");
retval = PAM_SERVICE_ERR;
goto cleanup2;
}
PAM_LOG("Credentials options initialised");
memset(&creds, 0, sizeof(krb5_creds));
krbret = krb5_get_init_creds_password(pam_context, &creds, princ,
pass, NULL, pamh, 0, "kadmin/changepw", &opts);
pass, NULL, pamh, 0, "kadmin/changepw", opts);
krb5_get_init_creds_opt_free(pam_context, opts);
if (krbret != 0) {
PAM_LOG("Error krb5_get_init_creds_password(): %s",
krb5_get_err_text(pam_context, krbret));
PAM_LOG_KRB5_ERR(pam_context, krbret,
"Error krb5_get_init_creds_password()");
retval = PAM_AUTH_ERR;
goto cleanup2;
}
@ -752,12 +775,12 @@ pam_sm_chauthtok(pam_handle_t *pamh, int flags,
retval = PAM_BUF_ERR;
goto cleanup;
}
krbret = krb5_change_password(pam_context, &creds, passdup,
krbret = krb5_set_password(pam_context, &creds, passdup, NULL,
&result_code, &result_code_string, &result_string);
free(passdup);
if (krbret != 0) {
PAM_LOG("Error krb5_change_password(): %s",
krb5_get_err_text(pam_context, krbret));
PAM_LOG_KRB5_ERR(pam_context, krbret,
"Error krb5_change_password()");
retval = PAM_AUTHTOK_ERR;
goto cleanup;
}
@ -840,11 +863,14 @@ verify_krb_v5_tgt(krb5_context context, krb5_ccache ccache,
retval = krb5_sname_to_principal(context, NULL, *service,
KRB5_NT_SRV_HST, &princ);
if (retval != 0) {
if (debug)
if (debug) {
const char *msg = krb5_get_error_message(
context, retval);
syslog(LOG_DEBUG,
"pam_krb5: verify_krb_v5_tgt(): %s: %s",
"krb5_sname_to_principal()",
krb5_get_err_text(context, retval));
"krb5_sname_to_principal()", msg);
krb5_free_error_message(context, msg);
}
return -1;
}
@ -866,11 +892,14 @@ verify_krb_v5_tgt(krb5_context context, krb5_ccache ccache,
}
if (retval != 0) { /* failed to find key */
/* Keytab or service key does not exist */
if (debug)
if (debug) {
const char *msg = krb5_get_error_message(context,
retval);
syslog(LOG_DEBUG,
"pam_krb5: verify_krb_v5_tgt(): %s: %s",
"krb5_kt_read_service_key()",
krb5_get_err_text(context, retval));
"krb5_kt_read_service_key()", msg);
krb5_free_error_message(context, msg);
}
retval = 0;
goto cleanup;
}
@ -886,11 +915,14 @@ verify_krb_v5_tgt(krb5_context context, krb5_ccache ccache,
auth_context = NULL; /* setup for rd_req */
}
if (retval) {
if (debug)
if (debug) {
const char *msg = krb5_get_error_message(context,
retval);
syslog(LOG_DEBUG,
"pam_krb5: verify_krb_v5_tgt(): %s: %s",
"krb5_mk_req()",
krb5_get_err_text(context, retval));
"krb5_mk_req()", msg);
krb5_free_error_message(context, msg);
}
retval = -1;
goto cleanup;
}
@ -899,11 +931,14 @@ verify_krb_v5_tgt(krb5_context context, krb5_ccache ccache,
retval = krb5_rd_req(context, &auth_context, &packet, princ, NULL,
NULL, NULL);
if (retval) {
if (debug)
if (debug) {
const char *msg = krb5_get_error_message(context,
retval);
syslog(LOG_DEBUG,
"pam_krb5: verify_krb_v5_tgt(): %s: %s",
"krb5_rd_req()",
krb5_get_err_text(context, retval));
"krb5_rd_req()", msg);
krb5_free_error_message(context, msg);
}
retval = -1;
}
else