mirror of
https://git.FreeBSD.org/src.git
synced 2024-12-24 11:29:10 +00:00
- Avoid using deprecated heimdal functions in pam_krb5.
This commit is contained in:
parent
ba5e340b5f
commit
26ec46c8d6
Notes:
svn2git
2020-12-20 02:59:44 +00:00
svn path=/head/; revision=233406
@ -32,8 +32,6 @@ CFLAGS+=-D_FREEFALL_CONFIG
|
||||
WARNS?= 3
|
||||
.endif
|
||||
|
||||
NO_WERROR= yes
|
||||
|
||||
DPADD= ${LIBKRB5} ${LIBHX509} ${LIBASN1} ${LIBROKEN} ${LIBCOM_ERR} ${LIBCRYPT} ${LIBCRYPTO}
|
||||
LDADD= -lkrb5 -lhx509 -lasn1 -lroken -lcom_err -lcrypt -lcrypto
|
||||
|
||||
|
@ -92,6 +92,13 @@ static void compat_free_data_contents(krb5_context, krb5_data *);
|
||||
#define PAM_OPT_NO_USER_CHECK "no_user_check"
|
||||
#define PAM_OPT_REUSE_CCACHE "reuse_ccache"
|
||||
|
||||
#define PAM_LOG_KRB5_ERR(ctx, rv, fmt, ...) \
|
||||
do { \
|
||||
const char *krb5msg = krb5_get_error_message(ctx, rv); \
|
||||
PAM_LOG(fmt ": %s", ##__VA_ARGS__, krb5msg); \
|
||||
krb5_free_error_message(ctx, krb5msg); \
|
||||
} while (0)
|
||||
|
||||
/*
|
||||
* authentication management
|
||||
*/
|
||||
@ -104,7 +111,7 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags __unused,
|
||||
krb5_creds creds;
|
||||
krb5_principal princ;
|
||||
krb5_ccache ccache;
|
||||
krb5_get_init_creds_opt opts;
|
||||
krb5_get_init_creds_opt *opts;
|
||||
struct passwd *pwd;
|
||||
int retval;
|
||||
const void *ccache_data;
|
||||
@ -139,13 +146,6 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags __unused,
|
||||
|
||||
PAM_LOG("Context initialised");
|
||||
|
||||
krb5_get_init_creds_opt_init(&opts);
|
||||
|
||||
if (openpam_get_option(pamh, PAM_OPT_FORWARDABLE))
|
||||
krb5_get_init_creds_opt_set_forwardable(&opts, 1);
|
||||
|
||||
PAM_LOG("Credentials initialised");
|
||||
|
||||
krbret = krb5_cc_register(pam_context, &krb5_mcc_ops, FALSE);
|
||||
if (krbret != 0 && krbret != KRB5_CC_TYPE_EXISTS) {
|
||||
PAM_VERBOSE_ERROR("Kerberos 5 error");
|
||||
@ -166,8 +166,7 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags __unused,
|
||||
krbret = krb5_parse_name(pam_context, principal, &princ);
|
||||
free(principal);
|
||||
if (krbret != 0) {
|
||||
PAM_LOG("Error krb5_parse_name(): %s",
|
||||
krb5_get_err_text(pam_context, krbret));
|
||||
PAM_LOG_KRB5_ERR(pam_context, krbret, "Error krb5_parse_name()");
|
||||
PAM_VERBOSE_ERROR("Kerberos 5 error");
|
||||
retval = PAM_SERVICE_ERR;
|
||||
goto cleanup3;
|
||||
@ -179,8 +178,8 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags __unused,
|
||||
princ_name = NULL;
|
||||
krbret = krb5_unparse_name(pam_context, princ, &princ_name);
|
||||
if (krbret != 0) {
|
||||
PAM_LOG("Error krb5_unparse_name(): %s",
|
||||
krb5_get_err_text(pam_context, krbret));
|
||||
PAM_LOG_KRB5_ERR(pam_context, krbret,
|
||||
"Error krb5_unparse_name()");
|
||||
PAM_VERBOSE_ERROR("Kerberos 5 error");
|
||||
retval = PAM_SERVICE_ERR;
|
||||
goto cleanup2;
|
||||
@ -206,8 +205,8 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags __unused,
|
||||
sizeof(luser), luser);
|
||||
if (krbret != 0) {
|
||||
PAM_VERBOSE_ERROR("Kerberos 5 error");
|
||||
PAM_LOG("Error krb5_aname_to_localname(): %s",
|
||||
krb5_get_err_text(pam_context, krbret));
|
||||
PAM_LOG_KRB5_ERR(pam_context, krbret,
|
||||
"Error krb5_aname_to_localname()");
|
||||
retval = PAM_USER_UNKNOWN;
|
||||
goto cleanup2;
|
||||
}
|
||||
@ -228,14 +227,30 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags __unused,
|
||||
PAM_LOG("Done getpwnam()");
|
||||
}
|
||||
|
||||
/* Initialize credentials request options. */
|
||||
krbret = krb5_get_init_creds_opt_alloc(pam_context, &opts);
|
||||
if (krbret != 0) {
|
||||
PAM_LOG_KRB5_ERR(pam_context, krbret,
|
||||
"Error krb5_get_init_creds_opt_alloc()");
|
||||
PAM_VERBOSE_ERROR("Kerberos 5 error");
|
||||
retval = PAM_SERVICE_ERR;
|
||||
goto cleanup2;
|
||||
}
|
||||
|
||||
if (openpam_get_option(pamh, PAM_OPT_FORWARDABLE))
|
||||
krb5_get_init_creds_opt_set_forwardable(opts, 1);
|
||||
|
||||
PAM_LOG("Credential options initialised");
|
||||
|
||||
/* Get a TGT */
|
||||
memset(&creds, 0, sizeof(krb5_creds));
|
||||
krbret = krb5_get_init_creds_password(pam_context, &creds, princ,
|
||||
pass, NULL, pamh, 0, NULL, &opts);
|
||||
pass, NULL, pamh, 0, NULL, opts);
|
||||
krb5_get_init_creds_opt_free(pam_context, opts);
|
||||
if (krbret != 0) {
|
||||
PAM_VERBOSE_ERROR("Kerberos 5 error");
|
||||
PAM_LOG("Error krb5_get_init_creds_password(): %s",
|
||||
krb5_get_err_text(pam_context, krbret));
|
||||
PAM_LOG_KRB5_ERR(pam_context, krbret,
|
||||
"Error krb5_get_init_creds_password()");
|
||||
retval = PAM_AUTH_ERR;
|
||||
goto cleanup2;
|
||||
}
|
||||
@ -243,27 +258,27 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags __unused,
|
||||
PAM_LOG("Got TGT");
|
||||
|
||||
/* Generate a temporary cache */
|
||||
krbret = krb5_cc_gen_new(pam_context, &krb5_mcc_ops, &ccache);
|
||||
krbret = krb5_cc_new_unique(pam_context, krb5_cc_type_memory, NULL, &ccache);
|
||||
if (krbret != 0) {
|
||||
PAM_VERBOSE_ERROR("Kerberos 5 error");
|
||||
PAM_LOG("Error krb5_cc_gen_new(): %s",
|
||||
krb5_get_err_text(pam_context, krbret));
|
||||
PAM_LOG_KRB5_ERR(pam_context, krbret,
|
||||
"Error krb5_cc_new_unique()");
|
||||
retval = PAM_SERVICE_ERR;
|
||||
goto cleanup;
|
||||
}
|
||||
krbret = krb5_cc_initialize(pam_context, ccache, princ);
|
||||
if (krbret != 0) {
|
||||
PAM_VERBOSE_ERROR("Kerberos 5 error");
|
||||
PAM_LOG("Error krb5_cc_initialize(): %s",
|
||||
krb5_get_err_text(pam_context, krbret));
|
||||
PAM_LOG_KRB5_ERR(pam_context, krbret,
|
||||
"Error krb5_cc_initialize()");
|
||||
retval = PAM_SERVICE_ERR;
|
||||
goto cleanup;
|
||||
}
|
||||
krbret = krb5_cc_store_cred(pam_context, ccache, &creds);
|
||||
if (krbret != 0) {
|
||||
PAM_VERBOSE_ERROR("Kerberos 5 error");
|
||||
PAM_LOG("Error krb5_cc_store_cred(): %s",
|
||||
krb5_get_err_text(pam_context, krbret));
|
||||
PAM_LOG_KRB5_ERR(pam_context, krbret,
|
||||
"Error krb5_cc_store_cred()");
|
||||
krb5_cc_destroy(pam_context, ccache);
|
||||
retval = PAM_SERVICE_ERR;
|
||||
goto cleanup;
|
||||
@ -406,8 +421,8 @@ pam_sm_setcred(pam_handle_t *pamh, int flags,
|
||||
}
|
||||
krbret = krb5_cc_resolve(pam_context, cache_data, &ccache_temp);
|
||||
if (krbret != 0) {
|
||||
PAM_LOG("Error krb5_cc_resolve(\"%s\"): %s", (const char *)cache_data,
|
||||
krb5_get_err_text(pam_context, krbret));
|
||||
PAM_LOG_KRB5_ERR(pam_context, krbret,
|
||||
"Error krb5_cc_resolve(\"%s\")", (const char *)cache_data);
|
||||
retval = PAM_SERVICE_ERR;
|
||||
goto cleanup3;
|
||||
}
|
||||
@ -479,22 +494,21 @@ pam_sm_setcred(pam_handle_t *pamh, int flags,
|
||||
/* Initialize the new ccache */
|
||||
krbret = krb5_cc_get_principal(pam_context, ccache_temp, &princ);
|
||||
if (krbret != 0) {
|
||||
PAM_LOG("Error krb5_cc_get_principal(): %s",
|
||||
krb5_get_err_text(pam_context, krbret));
|
||||
PAM_LOG_KRB5_ERR(pam_context, krbret,
|
||||
"Error krb5_cc_get_principal()");
|
||||
retval = PAM_SERVICE_ERR;
|
||||
goto cleanup3;
|
||||
}
|
||||
krbret = krb5_cc_resolve(pam_context, cache_name, &ccache_perm);
|
||||
if (krbret != 0) {
|
||||
PAM_LOG("Error krb5_cc_resolve(): %s",
|
||||
krb5_get_err_text(pam_context, krbret));
|
||||
PAM_LOG_KRB5_ERR(pam_context, krbret, "Error krb5_cc_resolve()");
|
||||
retval = PAM_SERVICE_ERR;
|
||||
goto cleanup2;
|
||||
}
|
||||
krbret = krb5_cc_initialize(pam_context, ccache_perm, princ);
|
||||
if (krbret != 0) {
|
||||
PAM_LOG("Error krb5_cc_initialize(): %s",
|
||||
krb5_get_err_text(pam_context, krbret));
|
||||
PAM_LOG_KRB5_ERR(pam_context, krbret,
|
||||
"Error krb5_cc_initialize()");
|
||||
retval = PAM_SERVICE_ERR;
|
||||
goto cleanup2;
|
||||
}
|
||||
@ -504,8 +518,8 @@ pam_sm_setcred(pam_handle_t *pamh, int flags,
|
||||
/* Prepare for iteration over creds */
|
||||
krbret = krb5_cc_start_seq_get(pam_context, ccache_temp, &cursor);
|
||||
if (krbret != 0) {
|
||||
PAM_LOG("Error krb5_cc_start_seq_get(): %s",
|
||||
krb5_get_err_text(pam_context, krbret));
|
||||
PAM_LOG_KRB5_ERR(pam_context, krbret,
|
||||
"Error krb5_cc_start_seq_get()");
|
||||
krb5_cc_destroy(pam_context, ccache_perm);
|
||||
retval = PAM_SERVICE_ERR;
|
||||
goto cleanup2;
|
||||
@ -518,8 +532,8 @@ pam_sm_setcred(pam_handle_t *pamh, int flags,
|
||||
&cursor, &creds) == 0)) {
|
||||
krbret = krb5_cc_store_cred(pam_context, ccache_perm, &creds);
|
||||
if (krbret != 0) {
|
||||
PAM_LOG("Error krb5_cc_store_cred(): %s",
|
||||
krb5_get_err_text(pam_context, krbret));
|
||||
PAM_LOG_KRB5_ERR(pam_context, krbret,
|
||||
"Error krb5_cc_store_cred()");
|
||||
krb5_cc_destroy(pam_context, ccache_perm);
|
||||
krb5_free_cred_contents(pam_context, &creds);
|
||||
retval = PAM_SERVICE_ERR;
|
||||
@ -620,8 +634,8 @@ pam_sm_acct_mgmt(pam_handle_t *pamh, int flags __unused,
|
||||
|
||||
krbret = krb5_cc_resolve(pam_context, (const char *)ccache_name, &ccache);
|
||||
if (krbret != 0) {
|
||||
PAM_LOG("Error krb5_cc_resolve(\"%s\"): %s", (const char *)ccache_name,
|
||||
krb5_get_err_text(pam_context, krbret));
|
||||
PAM_LOG_KRB5_ERR(pam_context, krbret,
|
||||
"Error krb5_cc_resolve(\"%s\")", (const char *)ccache_name);
|
||||
krb5_free_context(pam_context);
|
||||
return (PAM_PERM_DENIED);
|
||||
}
|
||||
@ -631,8 +645,8 @@ pam_sm_acct_mgmt(pam_handle_t *pamh, int flags __unused,
|
||||
|
||||
krbret = krb5_cc_get_principal(pam_context, ccache, &princ);
|
||||
if (krbret != 0) {
|
||||
PAM_LOG("Error krb5_cc_get_principal(): %s",
|
||||
krb5_get_err_text(pam_context, krbret));
|
||||
PAM_LOG_KRB5_ERR(pam_context, krbret,
|
||||
"Error krb5_cc_get_principal()");
|
||||
retval = PAM_PERM_DENIED;;
|
||||
goto cleanup;
|
||||
}
|
||||
@ -666,7 +680,7 @@ pam_sm_chauthtok(pam_handle_t *pamh, int flags,
|
||||
krb5_context pam_context;
|
||||
krb5_creds creds;
|
||||
krb5_principal princ;
|
||||
krb5_get_init_creds_opt opts;
|
||||
krb5_get_init_creds_opt *opts;
|
||||
krb5_data result_code_string, result_string;
|
||||
int result_code, retval;
|
||||
const char *pass;
|
||||
@ -690,15 +704,11 @@ pam_sm_chauthtok(pam_handle_t *pamh, int flags,
|
||||
|
||||
PAM_LOG("Context initialised");
|
||||
|
||||
krb5_get_init_creds_opt_init(&opts);
|
||||
|
||||
PAM_LOG("Credentials options initialised");
|
||||
|
||||
/* Get principal name */
|
||||
krbret = krb5_parse_name(pam_context, (const char *)user, &princ);
|
||||
if (krbret != 0) {
|
||||
PAM_LOG("Error krb5_parse_name(): %s",
|
||||
krb5_get_err_text(pam_context, krbret));
|
||||
PAM_LOG_KRB5_ERR(pam_context, krbret,
|
||||
"Error krb5_parse_name()");
|
||||
retval = PAM_USER_UNKNOWN;
|
||||
goto cleanup3;
|
||||
}
|
||||
@ -707,8 +717,8 @@ pam_sm_chauthtok(pam_handle_t *pamh, int flags,
|
||||
princ_name = NULL;
|
||||
krbret = krb5_unparse_name(pam_context, princ, &princ_name);
|
||||
if (krbret != 0) {
|
||||
PAM_LOG("Error krb5_unparse_name(): %s",
|
||||
krb5_get_err_text(pam_context, krbret));
|
||||
PAM_LOG_KRB5_ERR(pam_context, krbret,
|
||||
"Error krb5_unparse_name()");
|
||||
retval = PAM_SERVICE_ERR;
|
||||
goto cleanup2;
|
||||
}
|
||||
@ -722,12 +732,25 @@ pam_sm_chauthtok(pam_handle_t *pamh, int flags,
|
||||
|
||||
PAM_LOG("Got password");
|
||||
|
||||
/* Initialize credentials request options. */
|
||||
krbret = krb5_get_init_creds_opt_alloc(pam_context, &opts);
|
||||
if (krbret != 0) {
|
||||
PAM_LOG_KRB5_ERR(pam_context, krbret,
|
||||
"Error krb5_get_init_creds_opt_alloc()");
|
||||
PAM_VERBOSE_ERROR("Kerberos 5 error");
|
||||
retval = PAM_SERVICE_ERR;
|
||||
goto cleanup2;
|
||||
}
|
||||
|
||||
PAM_LOG("Credentials options initialised");
|
||||
|
||||
memset(&creds, 0, sizeof(krb5_creds));
|
||||
krbret = krb5_get_init_creds_password(pam_context, &creds, princ,
|
||||
pass, NULL, pamh, 0, "kadmin/changepw", &opts);
|
||||
pass, NULL, pamh, 0, "kadmin/changepw", opts);
|
||||
krb5_get_init_creds_opt_free(pam_context, opts);
|
||||
if (krbret != 0) {
|
||||
PAM_LOG("Error krb5_get_init_creds_password(): %s",
|
||||
krb5_get_err_text(pam_context, krbret));
|
||||
PAM_LOG_KRB5_ERR(pam_context, krbret,
|
||||
"Error krb5_get_init_creds_password()");
|
||||
retval = PAM_AUTH_ERR;
|
||||
goto cleanup2;
|
||||
}
|
||||
@ -752,12 +775,12 @@ pam_sm_chauthtok(pam_handle_t *pamh, int flags,
|
||||
retval = PAM_BUF_ERR;
|
||||
goto cleanup;
|
||||
}
|
||||
krbret = krb5_change_password(pam_context, &creds, passdup,
|
||||
krbret = krb5_set_password(pam_context, &creds, passdup, NULL,
|
||||
&result_code, &result_code_string, &result_string);
|
||||
free(passdup);
|
||||
if (krbret != 0) {
|
||||
PAM_LOG("Error krb5_change_password(): %s",
|
||||
krb5_get_err_text(pam_context, krbret));
|
||||
PAM_LOG_KRB5_ERR(pam_context, krbret,
|
||||
"Error krb5_change_password()");
|
||||
retval = PAM_AUTHTOK_ERR;
|
||||
goto cleanup;
|
||||
}
|
||||
@ -840,11 +863,14 @@ verify_krb_v5_tgt(krb5_context context, krb5_ccache ccache,
|
||||
retval = krb5_sname_to_principal(context, NULL, *service,
|
||||
KRB5_NT_SRV_HST, &princ);
|
||||
if (retval != 0) {
|
||||
if (debug)
|
||||
if (debug) {
|
||||
const char *msg = krb5_get_error_message(
|
||||
context, retval);
|
||||
syslog(LOG_DEBUG,
|
||||
"pam_krb5: verify_krb_v5_tgt(): %s: %s",
|
||||
"krb5_sname_to_principal()",
|
||||
krb5_get_err_text(context, retval));
|
||||
"krb5_sname_to_principal()", msg);
|
||||
krb5_free_error_message(context, msg);
|
||||
}
|
||||
return -1;
|
||||
}
|
||||
|
||||
@ -866,11 +892,14 @@ verify_krb_v5_tgt(krb5_context context, krb5_ccache ccache,
|
||||
}
|
||||
if (retval != 0) { /* failed to find key */
|
||||
/* Keytab or service key does not exist */
|
||||
if (debug)
|
||||
if (debug) {
|
||||
const char *msg = krb5_get_error_message(context,
|
||||
retval);
|
||||
syslog(LOG_DEBUG,
|
||||
"pam_krb5: verify_krb_v5_tgt(): %s: %s",
|
||||
"krb5_kt_read_service_key()",
|
||||
krb5_get_err_text(context, retval));
|
||||
"krb5_kt_read_service_key()", msg);
|
||||
krb5_free_error_message(context, msg);
|
||||
}
|
||||
retval = 0;
|
||||
goto cleanup;
|
||||
}
|
||||
@ -886,11 +915,14 @@ verify_krb_v5_tgt(krb5_context context, krb5_ccache ccache,
|
||||
auth_context = NULL; /* setup for rd_req */
|
||||
}
|
||||
if (retval) {
|
||||
if (debug)
|
||||
if (debug) {
|
||||
const char *msg = krb5_get_error_message(context,
|
||||
retval);
|
||||
syslog(LOG_DEBUG,
|
||||
"pam_krb5: verify_krb_v5_tgt(): %s: %s",
|
||||
"krb5_mk_req()",
|
||||
krb5_get_err_text(context, retval));
|
||||
"krb5_mk_req()", msg);
|
||||
krb5_free_error_message(context, msg);
|
||||
}
|
||||
retval = -1;
|
||||
goto cleanup;
|
||||
}
|
||||
@ -899,11 +931,14 @@ verify_krb_v5_tgt(krb5_context context, krb5_ccache ccache,
|
||||
retval = krb5_rd_req(context, &auth_context, &packet, princ, NULL,
|
||||
NULL, NULL);
|
||||
if (retval) {
|
||||
if (debug)
|
||||
if (debug) {
|
||||
const char *msg = krb5_get_error_message(context,
|
||||
retval);
|
||||
syslog(LOG_DEBUG,
|
||||
"pam_krb5: verify_krb_v5_tgt(): %s: %s",
|
||||
"krb5_rd_req()",
|
||||
krb5_get_err_text(context, retval));
|
||||
"krb5_rd_req()", msg);
|
||||
krb5_free_error_message(context, msg);
|
||||
}
|
||||
retval = -1;
|
||||
}
|
||||
else
|
||||
|
Loading…
Reference in New Issue
Block a user