Source-Changes-HG archive


[src/trunk]: src pam_afslog is used in conjunction with pam_krb5 to obtain AF...



details:   https://anonhg.NetBSD.org/src/rev/44a79a047d33
branches:  trunk
changeset: 584500:44a79a047d33
user:      tsarna <tsarna%NetBSD.org@localhost>
date:      Wed Sep 21 14:19:08 2005 +0000

description:
pam_afslog is used in conjunction with pam_krb5 to obtain AFS tokens and
create a PAG if necessary.

Especially important for home directories on AFS.

diffstat:

 distrib/sets/lists/base/shl.mi             |    3 +-
 distrib/sets/lists/man/mi                  |    4 +-
 lib/libpam/modules/Makefile                |    6 +-
 lib/libpam/modules/pam_afslog/Makefile     |   16 +++
 lib/libpam/modules/pam_afslog/pam_afslog.8 |   81 ++++++++++++++++++
 lib/libpam/modules/pam_afslog/pam_afslog.c |  124 +++++++++++++++++++++++++++++
 6 files changed, 230 insertions(+), 4 deletions(-)

diffs (296 lines):

diff -r 7fe6e909b64a -r 44a79a047d33 distrib/sets/lists/base/shl.mi
--- a/distrib/sets/lists/base/shl.mi    Wed Sep 21 12:46:08 2005 +0000
+++ b/distrib/sets/lists/base/shl.mi    Wed Sep 21 14:19:08 2005 +0000
@@ -1,4 +1,4 @@
-# $NetBSD: shl.mi,v 1.321 2005/09/14 18:14:51 elad Exp $
+# $NetBSD: shl.mi,v 1.322 2005/09/21 14:19:08 tsarna Exp $
 # Note: libtermcap and libtermlib are hardlinked and share the same version.
 ./lib/libc.so.12.134                           base-sys-shlib
 ./lib/libcrypt.so.0.2                          base-sys-shlib
@@ -84,6 +84,7 @@
 ./usr/lib/libutil.so.7.7                       base-sys-shlib
 ./usr/lib/libwrap.so.0.2                       base-net-shlib
 ./usr/lib/libz.so.0.4                          base-sys-shlib
+./usr/lib/security/pam_afslog.so.0             base-sys-shlib          kerberos,pam
 ./usr/lib/security/pam_chroot.so.0             base-sys-shlib          pam
 ./usr/lib/security/pam_deny.so.0               base-sys-shlib          pam
 ./usr/lib/security/pam_echo.so.0               base-sys-shlib          pam
diff -r 7fe6e909b64a -r 44a79a047d33 distrib/sets/lists/man/mi
--- a/distrib/sets/lists/man/mi Wed Sep 21 12:46:08 2005 +0000
+++ b/distrib/sets/lists/man/mi Wed Sep 21 14:19:08 2005 +0000
@@ -1,4 +1,4 @@
-# $NetBSD: mi,v 1.827 2005/09/15 15:04:55 nonaka Exp $
+# $NetBSD: mi,v 1.828 2005/09/21 14:19:08 tsarna Exp $
 ./etc/mtree/set.man                            man-sys-root
 ./usr/share/info/am-utils.info                 man-amd-info            info
 ./usr/share/info/as.info                       man-computil-info       bfd,info
@@ -2008,6 +2008,7 @@
 ./usr/share/man/cat8/oqmgr.0                   man-postfix-catman      postfix,.cat
 ./usr/share/man/cat8/pac.0                     man-sysutil-catman      .cat
 ./usr/share/man/cat8/pam.0                     man-sysutil-catman      .cat
+./usr/share/man/cat8/pam_afslog.0              man-sysutil-catman      kerberos,pam,.cat
 ./usr/share/man/cat8/pam_chroot.0              man-sysutil-catman      pam,.cat
 ./usr/share/man/cat8/pam_deny.0                        man-sysutil-catman      pam,.cat
 ./usr/share/man/cat8/pam_echo.0                        man-sysutil-catman      pam,.cat
@@ -4278,6 +4279,7 @@
 ./usr/share/man/man8/oqmgr.8                   man-postfix-man         postfix,.man
 ./usr/share/man/man8/pac.8                     man-sysutil-man         .man
 ./usr/share/man/man8/pam.8                     man-sysutil-man         .man
+./usr/share/man/man8/pam_afslog.8              man-sysutil-man         kerberos,.man,pam
 ./usr/share/man/man8/pam_chroot.8              man-sysutil-man         .man,pam
 ./usr/share/man/man8/pam_deny.8                        man-sysutil-man         .man,pam
 ./usr/share/man/man8/pam_echo.8                        man-sysutil-man         .man,pam
diff -r 7fe6e909b64a -r 44a79a047d33 lib/libpam/modules/Makefile
--- a/lib/libpam/modules/Makefile       Wed Sep 21 12:46:08 2005 +0000
+++ b/lib/libpam/modules/Makefile       Wed Sep 21 14:19:08 2005 +0000
@@ -1,4 +1,4 @@
-# $NetBSD: Makefile,v 1.8 2005/02/27 21:01:59 thorpej Exp $
+# $NetBSD: Makefile,v 1.9 2005/09/21 14:19:08 tsarna Exp $
 # Copyright 1998 Juniper Networks, Inc.
 # All rights reserved.
 #
@@ -40,8 +40,10 @@
 .endif
 
 .if (${MKKERBEROS} != "no")
-SUBDIR+= pam_krb5 pam_ksu
+SUBDIR+= pam_afslog pam_krb5 pam_ksu
 LIBDPLIBS+=    krb5    ${LIB_ROOT_DIR}/libkrb5 \
+               kafs    ${LIB_ROOT_DIR}/libkafs \
+               krb     ${LIB_ROOT_DIR}/libkrb \
                asn1    ${LIB_ROOT_DIR}/libasn1 \
                roken   ${LIB_ROOT_DIR}/libroken \
                com_err ${LIB_ROOT_DIR}/libcom_err \
diff -r 7fe6e909b64a -r 44a79a047d33 lib/libpam/modules/pam_afslog/Makefile
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/lib/libpam/modules/pam_afslog/Makefile    Wed Sep 21 14:19:08 2005 +0000
@@ -0,0 +1,16 @@
+# $NetBSD: Makefile,v 1.1 2005/09/21 14:19:08 tsarna Exp $
+
+LIB=   pam_afslog
+SRCS=  pam_afslog.c
+MAN=   pam_afslog.8
+
+LIBDPLIBS=     krb5    ${LIB_ROOT_DIR}/libkrb5 \
+               kafs    ${LIB_ROOT_DIR}/libkafs \
+               krb     ${LIB_ROOT_DIR}/libkrb \
+               asn1    ${LIB_ROOT_DIR}/libasn1 \
+               roken   ${LIB_ROOT_DIR}/libroken \
+               com_err ${LIB_ROOT_DIR}/libcom_err \
+               crypt   ${LIB_ROOT_DIR}/libcrypt \
+               crypto  ${LIB_ROOT_DIR}/libcrypto
+
+.include "${.CURDIR}/../mod.mk"
diff -r 7fe6e909b64a -r 44a79a047d33 lib/libpam/modules/pam_afslog/pam_afslog.8
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/lib/libpam/modules/pam_afslog/pam_afslog.8        Wed Sep 21 14:19:08 2005 +0000
@@ -0,0 +1,81 @@
+.\" $NetBSD: pam_afslog.8,v 1.1 2005/09/21 14:19:08 tsarna Exp $
+.\"
+.\" Copyright 2005 Tyler C. Sarna <tsarna%netbsd.org@localhost>
+.\"
+.\" This code is derived from software contributed to The NetBSD Foundation
+.\" by Tyler C. Sarna
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\" 2. Neither the name of The NetBSD Foundation nor the names of its
+.\"    contributors may be used to endorse or promote products derived
+.\"    from this software without specific prior written permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
+.\" ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+.\" TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
+.\" BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+.\" CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+.\" SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+.\" INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+.\" CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+.\" POSSIBILITY OF SUCH DAMAGE.
+.\"
+.Dd September 20, 2005
+.Dt PAM_AFSLOG 8
+.Os
+.Sh NAME
+.Nm pam_afslog
+.Nd AFS credentials PAM module
+.Sh SYNOPSIS
+.Op Ar service-name
+.Ar module-type
+.Ar control-flag
+.Pa pam_afslog
+.Op Ar arguments
+.Sh DESCRIPTION
+The pam_afslog authentication service module for PAM
+provides functionality for only one PAM category:
+authentication
+.Ar ( module-type 
+of
+.Dq Li auth ) .
+.Pp
+The
+.Fn pam_sm_authenticate 
+function does nothing and thus the module should be used with an
+.Ar control-flag
+of
+.Dq Li optional.
+.Pp
+The value of the module comes from its
+.Fn pam_sm_setcred
+function.
+If the 
+.Ar afslog
+parameter is enabled in
+.Xr krb5.conf 5 ,
+then the module will take Kerberos 5 credentials from the cache created by
+.Xr pam_krb5 8
+and convert them into AFS tokens, after first creating a PAG (Process
+Authentication Group) if necessary.
+.Sh SEE ALSO
+.Xr kafs 3 ,
+.Xr pam.conf 5 ,
+.Xr pam_krb5 8 ,
+.Xr pam 8
+.Sh HISTORY
+The
+.Nm
+module was developed for
+.Nx
+by Tyler C. Sarna.
+The
+.Nm
+module appeared in
+.Nx 4.0 .
diff -r 7fe6e909b64a -r 44a79a047d33 lib/libpam/modules/pam_afslog/pam_afslog.c
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/lib/libpam/modules/pam_afslog/pam_afslog.c        Wed Sep 21 14:19:08 2005 +0000
@@ -0,0 +1,124 @@
+/*     $NetBSD: pam_afslog.c,v 1.1 2005/09/21 14:19:08 tsarna Exp $    */
+
+/*-
+ * Copyright 2005 Tyler C. Sarna <tsarna%netbsd.org@localhost>
+ *
+ * This code is derived from software contributed to The NetBSD Foundation
+ * by Tyler C. Sarna
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Neither the name of The NetBSD Foundation nor the names of its
+ *    contributors may be used to endorse or promote products derived
+ *    from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
+ * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+ * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
+ * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include <sys/cdefs.h>
+
+__RCSID("$NetBSD: pam_afslog.c,v 1.1 2005/09/21 14:19:08 tsarna Exp $");
+
+#include <krb5/krb5.h>
+#include <krb5/kafs.h>
+
+#include <security/pam_appl.h>
+#include <security/pam_modules.h>
+#include <security/pam_mod_misc.h>
+
+PAM_EXTERN int
+pam_sm_authenticate(pam_handle_t *pamh, int flags __unused,
+    int argc __unused, const char *argv[] __unused)
+{
+       return PAM_IGNORE;
+}
+
+PAM_EXTERN int
+pam_sm_setcred(pam_handle_t *pamh, int flags,
+    int argc __unused, const char *argv[] __unused)
+{
+       krb5_context ctx;
+       krb5_ccache ccache;
+       krb5_principal principal;
+       krb5_error_code kret;
+       const void *service = NULL;
+       const char *ccname = NULL;
+       int do_afslog = 0, ret = PAM_SUCCESS;
+                                               
+       pam_get_item(pamh, PAM_SERVICE, &service);
+       if (service == NULL)
+               service = "pam_afslog";
+
+       kret = krb5_init_context(&ctx);
+       if (kret != 0) {
+               PAM_LOG("Error: krb5_init_context() failed");
+               ret = PAM_SERVICE_ERR;
+       } else {
+               ccname = pam_getenv(pamh, "KRB5CCNAME");
+               if (ccname)
+                       kret = krb5_cc_resolve(ctx, ccname, &ccache);
+               else
+                       kret = krb5_cc_default(ctx, &ccache);
+               if (kret != 0) {
+                       PAM_LOG("Error: failed to open ccache");
+                       ret = PAM_SERVICE_ERR;
+               } else {
+                       kret = krb5_cc_get_principal(ctx, ccache, &principal);
+                       if (kret != 0) {
+                               PAM_LOG("Error: krb5_cc_get_principal() failed");
+                               ret = PAM_SERVICE_ERR;
+                       } else {
+                               krb5_appdefault_boolean(ctx,
+                                       (const char *)service,
+                                       krb5_principal_get_realm(
+                                               ctx, principal),
+                                       "afslog", FALSE, &do_afslog);
+
+                               /* silently bail if not enabled */
+       
+                               if (do_afslog && k_hasafs()) {
+                                       switch (flags & ~PAM_SILENT) {
+                                       case 0:
+                                       case PAM_ESTABLISH_CRED:
+                                               k_setpag();
+                               
+                                               /* FALLTHROUGH */
+       
+                                       case PAM_REINITIALIZE_CRED:
+                                       case PAM_REFRESH_CRED:
+                                               krb5_afslog(ctx, ccache,
+                                                       NULL, NULL);
+                                               break;
+
+                                       case PAM_DELETE_CRED:
+                                               k_unlog();
+                                               break;
+                                       }
+                               }
+
+                               krb5_free_principal(ctx, principal);
+                       }
+
+                       krb5_cc_close(ctx, ccache);
+               }
+
+               krb5_free_context(ctx);
+       }
+       
+       return ret;
+}
+
+PAM_MODULE_ENTRY("pam_afslog");
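Review bot: The results of `k_setpag()`, `krb5_afslog()` and `k_unlog()` in the switch inside pam_sm_setcred are all discarded, so a user whose home directory is in AFS can finish login with no tokens and nothing in the log to explain why; the afslog call at least should be checked, e.g. `if ((kret = krb5_afslog(ctx, ccache, NULL, NULL)) != 0) { PAM_LOG("Error: krb5_afslog() failed"); ret = PAM_CRED_ERR; }`. Separately, when pam_getenv() yields no KRB5CCNAME the `krb5_cc_default()` fallback opens the calling process's default cache, which during setcred is presumably the login daemon's (usually root's) cache rather than the authenticating user's; if so, returning PAM_IGNORE when the PAM environment carries no cache name would be safer than turning whatever credentials happen to be there into tokens for the freshly created PAG. The switch also has no default arm, so an unexpected flag combination silently succeeds, and a short header comment stating that the module only acts when `afslog` is set for the service in the [appdefaults] section of krb5.conf (which is what the `krb5_appdefault_boolean()` lookup keyed on PAM_SERVICE and the principal's realm implements) would save the next reader a trip to the man page.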


