oysteikt/heimdal
0
0
Fork 0
Code Issues 5 Pull Requests Releases Activity

remove libauth since either is krb4 only, or non longer existing operating systems

Browse Source
This commit is contained in:
Love Hornquist Astrand
2010-11-20 14:56:11 -08:00
parent 6920fbbef1
commit 663548b9e5
23 changed files with 1 additions and 2531 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
configure.ac
View File

@@ -584,10 +584,6 @@ AC_CONFIG_FILES(Makefile \
include/kadm5/Makefile \
lib/Makefile \
base/Makefile \
lib/auth/Makefile \
lib/auth/afskauthlib/Makefile \
lib/auth/pam/Makefile \
lib/auth/sia/Makefile \
lib/asn1/Makefile \
lib/com_err/Makefile \
lib/hcrypto/Makefile \

3
lib/Makefile.am
View File

@@ -40,5 +40,4 @@ SUBDIRS = \
hdb \
kadm5 \
$(dir_otp) \
$(dir_dce) \
auth
$(dir_dce)

206
lib/auth/ChangeLog
View File

@@ -1,206 +0,0 @@
2007-12-14 Love Hörnquist Åstrand <lha@it.su.se>
* sia/Makefile.am: One EXTRA_DIST is enought, from dave love.
* pam/Makefile.am: Add SRCS to EXTRA_DIST
* afskauthlib/Makefile.am: SRCS
2006-10-22 Love Hörnquist Åstrand <lha@it.su.se>
* pam/Makefile.am: use libtool to build binaries
2005-05-02 Dave Love <fx@gnu.org>
* afskauthlib/Makefile.am (afskauthlib.so): Use libtool.
(.c.o): Use CC (like SIA module), not COMPILE.
2005-04-19 Love Hörnquist Åstrand <lha@it.su.se>
* sia/sia.c: fix getpw*_r calls, they return 0 even when the entry
isn't found and instead make it with setting return pointer to
NULL. From Luke Mewburn <lukem@NetBSD.org>
2004-09-08 Johan Danielsson <joda@pdc.kth.se>
* afskauthlib/verify.c: use krb5_appdefault_boolean instead of
krb5_config_get_bool
2003-09-23 Love Hörnquist Åstrand <lha@it.su.se>
* sia/sia.c: Add support for AFS when using Kerberos 5, From:
Sergio.Gelato@astro.su.se
2003-07-07 Love Hörnquist Åstrand <lha@it.su.se>
* pam/Makefile.am: XXX inline COMPILE since automake wont add it
* afskauthlib/verify.c (verify_krb5): use krb5_cc_clear_mcred
2003-05-08 Love Hörnquist Åstrand <lha@it.su.se>
* sia/Makefile.am: inline COMPILE since (modern) automake doesn't
add it by itself for some reason
2003-04-30 Love Hörnquist Åstrand <lha@it.su.se>
* afskauthlib/Makefile.am: always includes kafs now that its built
2003-03-27 Love Hörnquist Åstrand <lha@it.su.se>
* sia/Makefile.am: libkafs is always built now, lets include it
2002-05-19 Johan Danielsson <joda@pdc.kth.se>
* pam/Makefile.am: set SUFFIXES with +=
2001-10-27 Assar Westerlund <assar@sics.se>
* pam/Makefile.am: actually build the pam module
2001-09-18 Johan Danielsson <joda@pdc.kth.se>
* sia/Makefile.am: also don't compress krb5 library, at least
siacfg fails with compressed libraries
2001-09-13 Assar Westerlund <assar@sics.se>
* sia/sia.c: move krb5_error_code inside a ifdef KRB5
* sia/sia_locl.h: move roken.h earlier to grab definition of
socklen_t
2001-08-28 Johan Danielsson <joda@pdc.kth.se>
* sia/krb5_matrix.conf: athena -> heimdal
2001-07-17 Assar Westerlund <assar@sics.se>
* sia/Makefile.am: use make-rpath to sort rpath arguments
2001-07-15 Assar Westerlund <assar@sics.se>
* afskauthlib/Makefile.am: use LIB_des, so that we link with
libcrypto/libdes from krb4
2001-07-12 Assar Westerlund <assar@sics.se>
* sia/Makefile.am: use $(CC) instead of ld for linking
2001-07-06 Assar Westerlund <assar@sics.se>
* sia/Makefile.am: use LDFLAGS, and conditional libdes
2001-03-06 Assar Westerlund <assar@sics.se>
* sia/Makefile.am: make sure of using -rpath and not -R when
calling ld
2001-02-15 Assar Westerlund <assar@sics.se>
* pam/pam.c (psyslog): do not log to console
2001-01-29 Assar Westerlund <assar@sics.se>
* sia/Makefile.am (libsia_krb5.so): actually run ld in the case
shared library case
2000-12-31 Assar Westerlund <assar@sics.se>
* sia/sia.c (siad_ses_init): handle krb5_init_context failure
consistently
* afskauthlib/verify.c (verify_krb5): handle krb5_init_context
failure consistently
2000-11-30 Johan Danielsson <joda@pdc.kth.se>
* afskauthlib/Makefile.am: use libtool
* afskauthlib/Makefile.am: work with krb4 only
2000-07-30 Johan Danielsson <joda@pdc.kth.se>
* sia/Makefile.am: don't compress library, since 5.0 seems to have
a problem with this
2000-07-02 Assar Westerlund <assar@sics.se>
* afskauthlib/verify.c: fixes for pag setting
1999-12-30 Assar Westerlund <assar@sics.se>
* sia/Makefile.am: try to link with shared libraries if we don't
find any static ones
1999-12-20 Johan Danielsson <joda@pdc.kth.se>
* sia/sia.c: don't use string concatenation with TKT_ROOT
1999-11-15 Assar Westerlund <assar@sics.se>
* */lib/Makefile.in: set LIBNAME. From Enrico Scholz
<Enrico.Scholz@informatik.tu-chemnitz.de>
1999-10-17 Assar Westerlund <assar@sics.se>
* afskauthlib/verify.c (verify_krb5): need realm for v5 -> v4
1999-10-03 Assar Westerlund <assar@sics.se>
* afskauthlib/verify.c (verify_krb5): update to new
krb524_convert_creds_kdc
1999-09-28 Assar Westerlund <assar@sics.se>
* sia/sia.c (doauth): use krb5_get_local_realms and
krb5_verify_user_lrealm
* afskauthlib/verify.c (verify_krb5): remove krb5_kuserok. use
krb5_verify_user_lrealm
1999-08-27 Johan Danielsson <joda@pdc.kth.se>
* pam/Makefile.in: link with res_search/dn_expand libraries
1999-08-11 Johan Danielsson <joda@pdc.kth.se>
* afskauthlib/verify.c: make this compile w/o krb4
1999-08-04 Assar Westerlund <assar@sics.se>
* afskauthlib/verify.c: incorporate patches from Miroslav Ruda
<ruda@ics.muni.cz>
Thu Apr 8 14:35:34 1999 Johan Danielsson <joda@hella.pdc.kth.se>
* sia/sia.c: remove definition of KRB_VERIFY_USER (moved to
config.h)
* sia/Makefile.am: make it build w/o krb4
* afskauthlib/verify.c: add krb5 support
* afskauthlib/Makefile.am: build afskauthlib.so
Wed Apr 7 14:06:22 1999 Johan Danielsson <joda@hella.pdc.kth.se>
* sia/sia.c: make it compile w/o krb4
* sia/Makefile.am: make it compile w/o krb4
Thu Apr 1 18:09:23 1999 Johan Danielsson <joda@hella.pdc.kth.se>
* sia/sia_locl.h: POSIX_GETPWNAM_R is defined in config.h
Sun Mar 21 14:08:30 1999 Johan Danielsson <joda@hella.pdc.kth.se>
* sia/Makefile.in: add posix_getpw.c
* sia/Makefile.am: makefile for sia
* sia/posix_getpw.c: move from sia.c
* sia/sia_locl.h: merge with krb5 version
* sia/sia.c: merge with krb5 version
* sia/sia5.c: remove unused variables

6
lib/auth/Makefile.am
View File

@@ -1,6 +0,0 @@
# $Id$
include $(top_srcdir)/Makefile.am.common
SUBDIRS = @LIB_AUTH_SUBDIRS@
DIST_SUBDIRS = afskauthlib pam sia

35
lib/auth/NTMakefile
View File

@@ -1,35 +0,0 @@
########################################################################
#
# Copyright (c) 2009, Secure Endpoints Inc.
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
#
# - Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
#
# - Redistributions in binary form must reproduce the above copyright
# notice, this list of conditions and the following disclaimer in
# the documentation and/or other materials provided with the
# distribution.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
# FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
# COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
# BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
# ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
# POSSIBILITY OF SUCH DAMAGE.
#
RELDIR=lib\auth
!include ../../windows/NTMakefile.w32

51
lib/auth/afskauthlib/Makefile.am
View File

@@ -1,51 +0,0 @@
# $Id$
include $(top_srcdir)/Makefile.am.common
AM_CPPFLAGS += $(INCLUDE_krb4)
DEFS = @DEFS@
foodir = $(libdir)
foo_DATA = afskauthlib.so
SUFFIXES += .c .o
SRCS = verify.c
OBJS = verify.o
CLEANFILES = $(foo_DATA) $(OBJS) so_locations
afskauthlib.so: $(OBJS)
$(LIBTOOL) --mode=link $(CC) -shared -o $@ $(OBJS) $(L) $(LDFLAGS)
.c.o:
$(CC) $(DEFS) $(DEFAULT_AM_CPPFLAGS) $(INCLUDES) $(AM_CPPFLAGS) \
$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) \
-c `test -f '$<' || echo '$(srcdir)/'`$<
KAFS = $(top_builddir)/lib/kafs/libkafs.la
if KRB5
L = \
$(KAFS) \
$(top_builddir)/lib/krb5/libkrb5.la \
$(top_builddir)/lib/asn1/libasn1.la \
$(LIB_krb4) \
$(LIB_hcrypto) \
$(top_builddir)/lib/roken/libroken.la \
-lc
else
L = \
$(KAFS) \
$(LIB_krb4) \
$(LIB_hcrypto) \
$(top_builddir)/lib/roken/libroken.la \
-lc
endif
$(OBJS): $(top_builddir)/include/config.h
EXTRA_DIST = $(SRCS)

35
lib/auth/afskauthlib/NTMakefile
View File

@@ -1,35 +0,0 @@
########################################################################
#
# Copyright (c) 2009, Secure Endpoints Inc.
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
#
# - Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
#
# - Redistributions in binary form must reproduce the above copyright
# notice, this list of conditions and the following disclaimer in
# the documentation and/or other materials provided with the
# distribution.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
# FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
# COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
# BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
# ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
# POSSIBILITY OF SUCH DAMAGE.
#
RELDIR=lib\auth\afskauthlib
!include ../../../windows/NTMakefile.w32

307
lib/auth/afskauthlib/verify.c
View File

@@ -1,307 +0,0 @@
/*
* Copyright (c) 1995-2004 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* 3. Neither the name of the Institute nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
#ifdef HAVE_CONFIG_H
#include <config.h>
RCSID("$Id$");
#endif
#include <unistd.h>
#include <sys/types.h>
#include <pwd.h>
#ifdef KRB5
#include <krb5.h>
#endif
#ifdef KRB4
#include <krb.h>
#include <kafs.h>
#endif
#include <roken.h>
#ifdef KRB5
static char krb5ccname[128];
#endif
#ifdef KRB4
static char krbtkfile[128];
#endif
/*
In some cases is afs_gettktstring called twice (once before
afs_verify and once after afs_verify).
In some cases (rlogin with access allowed via .rhosts)
afs_verify is not called!
So we can't rely on correct value in krbtkfile in some
cases!
*/
static int correct_tkfilename=0;
static int pag_set=0;
#ifdef KRB4
static void
set_krbtkfile(uid_t uid)
{
snprintf (krbtkfile, sizeof(krbtkfile), "%s%d", TKT_ROOT, (unsigned)uid);
krb_set_tkt_string (krbtkfile);
correct_tkfilename = 1;
}
#endif
/* XXX this has to be the default cache name, since the KRB5CCNAME
* environment variable isn't exported by login/xdm
*/
#ifdef KRB5
static void
set_krb5ccname(uid_t uid)
{
snprintf (krb5ccname, sizeof(krb5ccname), "FILE:/tmp/krb5cc_%d", uid);
#ifdef KRB4
snprintf (krbtkfile, sizeof(krbtkfile), "%s%d", TKT_ROOT, (unsigned)uid);
#endif
correct_tkfilename = 1;
}
#endif
static void
set_spec_krbtkfile(void)
{
int fd;
#ifdef KRB4
snprintf (krbtkfile, sizeof(krbtkfile), "%s_XXXXXX", TKT_ROOT);
fd = mkstemp(krbtkfile);
close(fd);
unlink(krbtkfile);
krb_set_tkt_string (krbtkfile);
#endif
#ifdef KRB5
snprintf(krb5ccname, sizeof(krb5ccname),"FILE:/tmp/krb5cc_XXXXXX");
fd=mkstemp(krb5ccname+5);
close(fd);
unlink(krb5ccname+5);
#endif
}
#ifdef KRB5
static int
verify_krb5(struct passwd *pwd,
char *password,
int32_t *exp,
int quiet)
{
krb5_context context;
krb5_error_code ret;
krb5_ccache ccache;
krb5_principal principal;
ret = krb5_init_context(&context);
if (ret) {
syslog(LOG_AUTH|LOG_DEBUG, "krb5_init_context failed: %d", ret);
goto out;
}
ret = krb5_parse_name (context, pwd->pw_name, &principal);
if (ret) {
syslog(LOG_AUTH|LOG_DEBUG, "krb5_parse_name: %s",
krb5_get_err_text(context, ret));
goto out;
}
set_krb5ccname(pwd->pw_uid);
ret = krb5_cc_resolve(context, krb5ccname, &ccache);
if(ret) {
syslog(LOG_AUTH|LOG_DEBUG, "krb5_cc_resolve: %s",
krb5_get_err_text(context, ret));
goto out;
}
ret = krb5_verify_user_lrealm(context,
principal,
ccache,
password,
TRUE,
NULL);
if(ret) {
syslog(LOG_AUTH|LOG_DEBUG, "krb5_verify_user: %s",
krb5_get_err_text(context, ret));
goto out;
}
if(chown(krb5_cc_get_name(context, ccache), pwd->pw_uid, pwd->pw_gid)) {
syslog(LOG_AUTH|LOG_DEBUG, "chown: %s",
krb5_get_err_text(context, errno));
goto out;
}
#ifdef KRB4
{
krb5_realm realm = NULL;
krb5_boolean get_v4_tgt;
krb5_get_default_realm(context, &realm);
krb5_appdefault_boolean(context, "afskauthlib",
realm,
"krb4_get_tickets", FALSE, &get_v4_tgt);
if (get_v4_tgt) {
CREDENTIALS c;
krb5_creds mcred, cred;
krb5_cc_clear_mcred(&mcred);
krb5_make_principal(context, &mcred.server, realm,
"krbtgt",
realm,
NULL);
ret = krb5_cc_retrieve_cred(context, ccache, 0, &mcred, &cred);
if(ret == 0) {
ret = krb524_convert_creds_kdc_ccache(context, ccache, &cred, &c);
if(ret)
krb5_warn(context, ret, "converting creds");
else {
set_krbtkfile(pwd->pw_uid);
tf_setup(&c, c.pname, c.pinst);
}
memset(&c, 0, sizeof(c));
krb5_free_cred_contents(context, &cred);
} else
syslog(LOG_AUTH|LOG_DEBUG, "krb5_cc_retrieve_cred: %s",
krb5_get_err_text(context, ret));
krb5_free_principal(context, mcred.server);
}
free (realm);
if (!pag_set && k_hasafs()) {
k_setpag();
pag_set = 1;
}
if (pag_set)
krb5_afslog_uid_home(context, ccache, NULL, NULL,
pwd->pw_uid, pwd->pw_dir);
}
#endif
out:
if(ret && !quiet)
printf ("%s\n", krb5_get_err_text (context, ret));
return ret;
}
#endif
#ifdef KRB4
static int
verify_krb4(struct passwd *pwd,
char *password,
int32_t *exp,
int quiet)
{
int ret = 1;
char lrealm[REALM_SZ];
if (krb_get_lrealm (lrealm, 1) != KFAILURE) {
set_krbtkfile(pwd->pw_uid);
ret = krb_verify_user (pwd->pw_name, "", lrealm, password,
KRB_VERIFY_SECURE, NULL);
if (ret == KSUCCESS) {
if (!pag_set && k_hasafs()) {
k_setpag ();
pag_set = 1;
}
if (pag_set)
krb_afslog_uid_home (0, 0, pwd->pw_uid, pwd->pw_dir);
} else if (!quiet)
printf ("%s\n", krb_get_err_text (ret));
}
return ret;
}
#endif
int
afs_verify(char *name,
char *password,
int32_t *exp,
int quiet)
{
int ret = 1;
struct passwd *pwd = k_getpwnam (name);
if(pwd == NULL)
return 1;
if (!pag_set && k_hasafs()) {
k_setpag();
pag_set=1;
}
if (ret)
ret = unix_verify_user (name, password);
#ifdef KRB5
if (ret)
ret = verify_krb5(pwd, password, exp, quiet);
#endif
#ifdef KRB4
if(ret)
ret = verify_krb4(pwd, password, exp, quiet);
#endif
return ret;
}
char *
afs_gettktstring (void)
{
char *ptr;
struct passwd *pwd;
if (!correct_tkfilename) {
ptr = getenv("LOGNAME");
if (ptr != NULL && ((pwd = getpwnam(ptr)) != NULL)) {
set_krb5ccname(pwd->pw_uid);
#ifdef KRB4
set_krbtkfile(pwd->pw_uid);
if (!pag_set && k_hasafs()) {
k_setpag();
pag_set=1;
}
#endif
} else {
set_spec_krbtkfile();
}
}
#ifdef KRB5
esetenv("KRB5CCNAME",krb5ccname,1);
#endif
#ifdef KRB4
esetenv("KRBTKFILE",krbtkfile,1);
return krbtkfile;
#else
return "";
#endif
}

69
lib/auth/pam/Makefile.am
View File

@@ -1,69 +0,0 @@
# $Id$
include $(top_srcdir)/Makefile.am.common
AM_CPPFLAGS += $(INCLUDE_krb4)
WFLAGS += $(WFLAGS_NOIMPLICITINT)
DEFS = @DEFS@
## this is horribly ugly, but automake/libtool doesn't allow us to
## unconditionally build shared libraries, and it does not allow us to
## link with non-installed libraries
if KRB4
KAFS=$(top_builddir)/lib/kafs/.libs/libkafs.a
KAFS_S=$(top_builddir)/lib/kafs/.libs/libkafs.so
L = \
$(KAFS) \
$(top_builddir)/lib/krb/.libs/libkrb.a \
$(LIB_hcrypto_a) \
$(top_builddir)/lib/roken/.libs/libroken.a \
-lc
L_shared = \
$(KAFS_S) \
$(top_builddir)/lib/krb/.libs/libkrb.so \
$(LIB_hcrypto_so) \
$(top_builddir)/lib/roken/.libs/libroken.so \
$(LIB_getpwnam_r) \
-lc
MOD = pam_krb4.so
endif
foodir = $(libdir)
foo_DATA = $(MOD)
LDFLAGS = @LDFLAGS@
SRCS = pam.c
OBJS = pam.o
pam_krb4.so: $(OBJS)
@if test -f $(top_builddir)/lib/krb/.libs/libkrb.a; then \
echo "$(LIBTOOL) --mode=link --tag=CC $(CC) -shared -o $@ $(LDFLAGS) $(OBJS) $(L)"; \
$(LIBTOOL) --mode=link --tag=CC $(CC) -shared -o $@ $(LDFLAGS) $(OBJS) $(L); \
elif test -f $(top_builddir)/lib/krb/.libs/libkrb.so; then \
echo "$(LIBTOOL) --mode=link --tag=CC $(CC) -shared -o $@ $(LDFLAGS) $(OBJS) $(L_shared)"; \
$(LIBTOOL) --mode=link --tag=CC $(CC) -shared -o $@ $(LDFLAGS) $(OBJS) $(L_shared); \
else \
echo "missing libraries"; exit 1; \
fi
CLEANFILES = $(MOD) $(OBJS)
SUFFIXES += .c .o
# XXX inline COMPILE since automake wont add it
.c.o:
$(LIBTOOL) --mode=compile --tag=CC $(CC) \
$(DEFS) $(DEFAULT_AM_CPPFLAGS) $(INCLUDES) $(AM_CPPFLAGS) \
$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) \
-c `test -f '$<' || echo '$(srcdir)/'`$<
EXTRA_DIST = pam.conf.add $(SRCS)

35
lib/auth/pam/NTMakefile
View File

@@ -1,35 +0,0 @@
########################################################################
#
# Copyright (c) 2009, Secure Endpoints Inc.
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
#
# - Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
#
# - Redistributions in binary form must reproduce the above copyright
# notice, this list of conditions and the following disclaimer in
# the documentation and/or other materials provided with the
# distribution.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
# FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
# COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
# BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
# ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
# POSSIBILITY OF SUCH DAMAGE.
#
RELDIR=lib\auth\pam
!include ../../../windows/NTMakefile.w32

443
lib/auth/pam/pam.c
View File

@@ -1,443 +0,0 @@
/*
* Copyright (c) 1995 - 2001 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* 3. Neither the name of the Institute nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
#ifdef HAVE_CONFIG_H
#include<config.h>
RCSID("$Id$");
#endif
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <pwd.h>
#include <unistd.h>
#include <sys/types.h>
#include <syslog.h>
#include <security/pam_appl.h>
#include <security/pam_modules.h>
#ifndef PAM_AUTHTOK_RECOVERY_ERR /* Fix linsux typo. */
#define PAM_AUTHTOK_RECOVERY_ERR PAM_AUTHTOK_RECOVER_ERR
#endif
#include <netinet/in.h>
#include <krb.h>
#include <kafs.h>
#if 0
/* Debugging PAM modules is a royal pain, truss helps. */
#define DEBUG(msg) (access(msg " at line", __LINE__))
#endif
static void
psyslog(int level, const char *format, ...)
{
va_list args;
va_start(args, format);
openlog("pam_krb4", LOG_PID, LOG_AUTH);
vsyslog(level, format, args);
va_end(args);
closelog();
}
enum {
KRB4_DEBUG,
KRB4_USE_FIRST_PASS,
KRB4_TRY_FIRST_PASS,
KRB4_IGNORE_ROOT,
KRB4_NO_VERIFY,
KRB4_REAFSLOG,
KRB4_CTRLS /* Number of ctrl arguments defined. */
};
#define KRB4_DEFAULTS 0
static int ctrl_flags = KRB4_DEFAULTS;
#define ctrl_on(x) (krb4_args[x].flag & ctrl_flags)
#define ctrl_off(x) (!ctrl_on(x))
typedef struct
{
const char *token;
unsigned int flag;
} krb4_ctrls_t;
static krb4_ctrls_t krb4_args[KRB4_CTRLS] =
{
/* KRB4_DEBUG */ { "debug", 0x01 },
/* KRB4_USE_FIRST_PASS */ { "use_first_pass", 0x02 },
/* KRB4_TRY_FIRST_PASS */ { "try_first_pass", 0x04 },
/* KRB4_IGNORE_ROOT */ { "ignore_root", 0x08 },
/* KRB4_NO_VERIFY */ { "no_verify", 0x10 },
/* KRB4_REAFSLOG */ { "reafslog", 0x20 },
};
static void
parse_ctrl(int argc, const char **argv)
{
int i, j;
ctrl_flags = KRB4_DEFAULTS;
for (i = 0; i < argc; i++)
{
for (j = 0; j < KRB4_CTRLS; j++)
if (strcmp(argv[i], krb4_args[j].token) == 0)
break;
if (j >= KRB4_CTRLS)
psyslog(LOG_ALERT, "unrecognized option [%s]", *argv);
else
ctrl_flags |= krb4_args[j].flag;
}
}
static void
pdeb(const char *format, ...)
{
va_list args;
if (ctrl_off(KRB4_DEBUG))
return;
va_start(args, format);
openlog("pam_krb4", LOG_PID, LOG_AUTH);
vsyslog(LOG_DEBUG, format, args);
va_end(args);
closelog();
}
#define ENTRY(func) pdeb("%s() flags = %d ruid = %d euid = %d", func, flags, getuid(), geteuid())
static void
set_tkt_string(uid_t uid)
{
char buf[128];
snprintf(buf, sizeof(buf), "%s%u", TKT_ROOT, (unsigned)uid);
krb_set_tkt_string(buf);
#if 0
/* pam_set_data+pam_get_data are not guaranteed to work, grr. */
pam_set_data(pamh, "KRBTKFILE", strdup(t), cleanup);
if (pam_get_data(pamh, "KRBTKFILE", (const void**)&tkt) == PAM_SUCCESS)
{
pam_putenv(pamh, var);
}
#endif
/* We don't want to inherit this variable.
* If we still do, it must have a sane value. */
if (getenv("KRBTKFILE") != 0)
{
char *var = malloc(sizeof(buf));
snprintf(var, sizeof(buf), "KRBTKFILE=%s", tkt_string());
putenv(var);
/* free(var); XXX */
}
}
static int
verify_pass(pam_handle_t *pamh,
const char *name,
const char *inst,
const char *pass)
{
char realm[REALM_SZ];
int ret, krb_verify, old_euid, old_ruid;
krb_get_lrealm(realm, 1);
if (ctrl_on(KRB4_NO_VERIFY))
krb_verify = KRB_VERIFY_SECURE_FAIL;
else
krb_verify = KRB_VERIFY_SECURE;
old_ruid = getuid();
old_euid = geteuid();
setreuid(0, 0);
ret = krb_verify_user(name, inst, realm, pass, krb_verify, NULL);
pdeb("krb_verify_user(`%s', `%s', `%s', pw, %d, NULL) returns %s",
name, inst, realm, krb_verify,
krb_get_err_text(ret));
setreuid(old_ruid, old_euid);
if (getuid() != old_ruid || geteuid() != old_euid)
{
psyslog(LOG_ALERT , "setreuid(%d, %d) failed at line %d",
old_ruid, old_euid, __LINE__);
exit(1);
}
switch(ret) {
case KSUCCESS:
return PAM_SUCCESS;
case KDC_PR_UNKNOWN:
return PAM_USER_UNKNOWN;
case SKDC_CANT:
case SKDC_RETRY:
case RD_AP_TIME:
return PAM_AUTHINFO_UNAVAIL;
default:
return PAM_AUTH_ERR;
}
}
static int
krb4_auth(pam_handle_t *pamh,
int flags,
const char *name,
const char *inst,
struct pam_conv *conv)
{
struct pam_response *resp;
char prompt[128];
struct pam_message msg, *pmsg = &msg;
int ret;
if (ctrl_on(KRB4_TRY_FIRST_PASS) || ctrl_on(KRB4_USE_FIRST_PASS))
{
char *pass = 0;
ret = pam_get_item(pamh, PAM_AUTHTOK, (void **) &pass);
if (ret != PAM_SUCCESS)
{
psyslog(LOG_ERR , "pam_get_item returned error to get-password");
return ret;
}
else if (pass != 0 && verify_pass(pamh, name, inst, pass) == PAM_SUCCESS)
return PAM_SUCCESS;
else if (ctrl_on(KRB4_USE_FIRST_PASS))
return PAM_AUTHTOK_RECOVERY_ERR; /* Wrong password! */
else
/* We tried the first password but it didn't work, cont. */;
}
msg.msg_style = PAM_PROMPT_ECHO_OFF;
if (*inst == 0)
snprintf(prompt, sizeof(prompt), "%s's Password: ", name);
else
snprintf(prompt, sizeof(prompt), "%s.%s's Password: ", name, inst);
msg.msg = prompt;
ret = conv->conv(1, &pmsg, &resp, conv->appdata_ptr);
if (ret != PAM_SUCCESS)
return ret;
ret = verify_pass(pamh, name, inst, resp->resp);
if (ret == PAM_SUCCESS)
{
memset(resp->resp, 0, strlen(resp->resp)); /* Erase password! */
free(resp->resp);
free(resp);
}
else
{
pam_set_item(pamh, PAM_AUTHTOK, resp->resp); /* Save password. */
/* free(resp->resp); XXX */
/* free(resp); XXX */
}
return ret;
}
int
pam_sm_authenticate(pam_handle_t *pamh,
int flags,
int argc,
const char **argv)
{
char *user;
int ret;
struct pam_conv *conv;
struct passwd *pw;
uid_t uid = -1;
const char *name, *inst;
char realm[REALM_SZ];
realm[0] = 0;
parse_ctrl(argc, argv);
ENTRY("pam_sm_authenticate");
ret = pam_get_user(pamh, &user, "login: ");
if (ret != PAM_SUCCESS)
return ret;
if (ctrl_on(KRB4_IGNORE_ROOT) && strcmp(user, "root") == 0)
return PAM_AUTHINFO_UNAVAIL;
ret = pam_get_item(pamh, PAM_CONV, (void*)&conv);
if (ret != PAM_SUCCESS)
return ret;
pw = getpwnam(user);
if (pw != 0)
{
uid = pw->pw_uid;
set_tkt_string(uid);
}
if (strcmp(user, "root") == 0 && getuid() != 0)
{
pw = getpwuid(getuid());
if (pw != 0)
{
name = strdup(pw->pw_name);
inst = "root";
}
}
else
{
name = user;
inst = "";
}
ret = krb4_auth(pamh, flags, name, inst, conv);
/*
* The realm was lost inside krb_verify_user() so we can't simply do
* a krb_kuserok() when inst != "".
*/
if (ret == PAM_SUCCESS && inst[0] != 0)
{
uid_t old_euid = geteuid();
uid_t old_ruid = getuid();
setreuid(0, 0); /* To read ticket file. */
if (krb_get_tf_fullname(tkt_string(), 0, 0, realm) != KSUCCESS)
ret = PAM_SERVICE_ERR;
else if (krb_kuserok(name, inst, realm, user) != KSUCCESS)
{
setreuid(0, uid); /* To read ~/.klogin. */
if (krb_kuserok(name, inst, realm, user) != KSUCCESS)
ret = PAM_PERM_DENIED;
}
if (ret != PAM_SUCCESS)
{
dest_tkt(); /* Passwd known, ok to kill ticket. */
psyslog(LOG_NOTICE,
"%s.%s@%s is not allowed to log in as %s",
name, inst, realm, user);
}
setreuid(old_ruid, old_euid);
if (getuid() != old_ruid || geteuid() != old_euid)
{
psyslog(LOG_ALERT , "setreuid(%d, %d) failed at line %d",
old_ruid, old_euid, __LINE__);
exit(1);
}
}
if (ret == PAM_SUCCESS)
{
psyslog(LOG_INFO,
"%s.%s@%s authenticated as user %s",
name, inst, realm, user);
if (chown(tkt_string(), uid, -1) == -1)
{
dest_tkt();
psyslog(LOG_ALERT , "chown(%s, %d, -1) failed", tkt_string(), uid);
exit(1);
}
}
/*
* Kludge alert!!! Sun dtlogin unlock screen fails to call
* pam_setcred(3) with PAM_REFRESH_CRED after a successful
* authentication attempt, sic.
*
* This hack is designed as a workaround to that problem.
*/
if (ctrl_on(KRB4_REAFSLOG))
if (ret == PAM_SUCCESS)
pam_sm_setcred(pamh, PAM_REFRESH_CRED, argc, argv);
return ret;
}
int
pam_sm_setcred(pam_handle_t *pamh, int flags, int argc, const char **argv)
{
parse_ctrl(argc, argv);
ENTRY("pam_sm_setcred");
switch (flags & ~PAM_SILENT) {
case 0:
case PAM_ESTABLISH_CRED:
if (k_hasafs())
k_setpag();
/* Fall through, fill PAG with credentials below. */
case PAM_REINITIALIZE_CRED:
case PAM_REFRESH_CRED:
if (k_hasafs())
{
void *user = 0;
if (pam_get_item(pamh, PAM_USER, &user) == PAM_SUCCESS)
{
struct passwd *pw = getpwnam((char *)user);
if (pw != 0)
krb_afslog_uid_home(/*cell*/ 0,/*realm_hint*/ 0,
pw->pw_uid, pw->pw_dir);
}
}
break;
case PAM_DELETE_CRED:
dest_tkt();
if (k_hasafs())
k_unlog();
break;
default:
psyslog(LOG_ALERT , "pam_sm_setcred: unknown flags 0x%x", flags);
break;
}
return PAM_SUCCESS;
}
int
pam_sm_open_session(pam_handle_t *pamh, int flags, int argc, const char **argv)
{
parse_ctrl(argc, argv);
ENTRY("pam_sm_open_session");
return PAM_SUCCESS;
}
int
pam_sm_close_session(pam_handle_t *pamh, int flags, int argc, const char**argv)
{
parse_ctrl(argc, argv);
ENTRY("pam_sm_close_session");
/* This isn't really kosher, but it's handy. */
pam_sm_setcred(pamh, PAM_DELETE_CRED, argc, argv);
return PAM_SUCCESS;
}

97
lib/auth/pam/pam.conf.add
View File

@@ -1,97 +0,0 @@
To enable PAM in dtlogin and /bin/login under SunOS 5.6 apply this patch:
--- /etc/pam.conf.DIST Mon Jul 20 15:37:46 1998
+++ /etc/pam.conf Tue Feb 15 19:39:12 2000
@@ -4,15 +4,19 @@
#
# Authentication management
#
+login auth sufficient /usr/athena/lib/pam_krb4.so
login auth required /usr/lib/security/pam_unix.so.1
login auth required /usr/lib/security/pam_dial_auth.so.1
#
rlogin auth sufficient /usr/lib/security/pam_rhosts_auth.so.1
rlogin auth required /usr/lib/security/pam_unix.so.1
#
+dtlogin auth sufficient /usr/athena/lib/pam_krb4.so
dtlogin auth required /usr/lib/security/pam_unix.so.1
#
rsh auth required /usr/lib/security/pam_rhosts_auth.so.1
+# Reafslog is for dtlogin lock display
+other auth sufficient /usr/athena/lib/pam_krb4.so reafslog
other auth required /usr/lib/security/pam_unix.so.1
#
# Account management
@@ -24,6 +28,8 @@
#
# Session management
#
+dtlogin session required /usr/athena/lib/pam_krb4.so
+login session required /usr/athena/lib/pam_krb4.so
other session required /usr/lib/security/pam_unix.so.1
#
# Password management
---------------------------------------------------------------------------
To enable PAM in /bin/login and xdm under Red Hat 6.? apply these patches:
--- /etc/pam.d/login~ Tue Dec 7 12:01:35 1999
+++ /etc/pam.d/login Wed May 31 16:27:55 2000
@@ -1,9 +1,12 @@
#%PAM-1.0
+# Updated to work with kerberos
+auth sufficient /usr/athena/lib/pam_krb4.so.1.0.1
auth required /lib/security/pam_securetty.so
auth required /lib/security/pam_pwdb.so shadow nullok
auth required /lib/security/pam_nologin.so
account required /lib/security/pam_pwdb.so
password required /lib/security/pam_cracklib.so
password required /lib/security/pam_pwdb.so nullok use_authtok md5 shadow
+session required /usr/athena/lib/pam_krb4.so.1.0.1
session required /lib/security/pam_pwdb.so
session optional /lib/security/pam_console.so
--- /etc/pam.d/xdm~ Wed May 31 16:33:54 2000
+++ /etc/pam.d/xdm Wed May 31 16:28:29 2000
@@ -1,8 +1,11 @@
#%PAM-1.0
+# Updated to work with kerberos
+auth sufficient /usr/athena/lib/pam_krb4.so.1.0.1
auth required /lib/security/pam_pwdb.so shadow nullok
auth required /lib/security/pam_nologin.so
account required /lib/security/pam_pwdb.so
password required /lib/security/pam_cracklib.so
password required /lib/security/pam_pwdb.so shadow nullok use_authtok
+session required /usr/athena/lib/pam_krb4.so.1.0.1
session required /lib/security/pam_pwdb.so
session optional /lib/security/pam_console.so
--- /etc/pam.d/gdm~ Wed May 31 16:33:54 2000
+++ /etc/pam.d/gdm Wed May 31 16:34:28 2000
@@ -1,8 +1,11 @@
#%PAM-1.0
+# Updated to work with kerberos
+auth sufficient /usr/athena/lib/pam_krb4.so.1.0.1
auth required /lib/security/pam_pwdb.so shadow nullok
auth required /lib/security/pam_nologin.so
account required /lib/security/pam_pwdb.so
password required /lib/security/pam_cracklib.so
password required /lib/security/pam_pwdb.so shadow nullok use_authtok
+session required /usr/athena/lib/pam_krb4.so.1.0.1
session required /lib/security/pam_pwdb.so
session optional /lib/security/pam_console.so
--------------------------------------------------------------------------
This stuff may work under some other system.
# To get this to work, you will have to add entries to /etc/pam.conf
#
# To make login kerberos-aware, you might change pam.conf to look
# like:
# login authorization
login auth sufficient /lib/security/pam_krb4.so
login auth required /lib/security/pam_securetty.so
login auth required /lib/security/pam_unix_auth.so
login account required /lib/security/pam_unix_acct.so
login password required /lib/security/pam_unix_passwd.so
login session required /lib/security/pam_krb4.so
login session required /lib/security/pam_unix_session.so

116
lib/auth/sia/Makefile.am
View File

@@ -1,116 +0,0 @@
# $Id$
include $(top_srcdir)/Makefile.am.common
AM_CPPFLAGS += $(INCLUDE_krb4)
WFLAGS += $(WFLAGS_NOIMPLICITINT)
DEFS = @DEFS@
## this is horribly ugly, but automake/libtool doesn't allow us to
## unconditionally build shared libraries, and it does not allow us to
## link with non-installed libraries
KAFS=$(top_builddir)/lib/kafs/.libs/libkafs.a
KAFS_S=$(top_builddir)/lib/kafs/.libs/libkafs.so
if KRB5
L = \
$(KAFS) \
$(top_builddir)/lib/krb5/.libs/libkrb5.a \
$(top_builddir)/lib/asn1/.libs/libasn1.a \
$(LIB_krb4) \
$(LIB_hcrypto_a) \
$(LIB_com_err_a) \
$(top_builddir)/lib/roken/.libs/libroken.a \
$(LIB_getpwnam_r) \
-lc
L_shared = \
$(KAFS_S) \
$(top_builddir)/lib/krb5/.libs/libkrb5.so \
$(top_builddir)/lib/asn1/.libs/libasn1.so \
$(LIB_krb4) \
$(LIB_hcrypto_so) \
$(LIB_com_err_so) \
$(top_builddir)/lib/roken/.libs/libroken.so \
$(LIB_getpwnam_r) \
-lc
MOD = libsia_krb5.so
else
L = \
$(KAFS) \
$(top_builddir)/lib/kadm/.libs/libkadm.a \
$(top_builddir)/lib/krb/.libs/libkrb.a \
$(LIB_hcrypto_a) \
$(top_builddir)/lib/com_err/.libs/libcom_err.a \
$(top_builddir)/lib/roken/.libs/libroken.a \
$(LIB_getpwnam_r) \
-lc
L_shared = \
$(KAFS_S) \
$(top_builddir)/lib/kadm/.libs/libkadm.so \
$(top_builddir)/lib/krb/.libs/libkrb.so \
$(LIB_hcrypto_so) \
$(top_builddir)/lib/com_err/.libs/libcom_err.so \
$(top_builddir)/lib/roken/.libs/libroken.so \
$(LIB_getpwnam_r) \
-lc
MOD = libsia_krb4.so
endif
foodir = $(libdir)
foo_DATA = $(MOD)
LDFLAGS = @LDFLAGS@ -rpath $(libdir) -Wl,-hidden -Wl,-exported_symbol -Wl,siad_\*
SRCS = sia.c posix_getpw.c sia_locl.h
OBJS = sia.o posix_getpw.o
libsia_krb5.so: $(OBJS)
@if test -f $(top_builddir)/lib/krb5/.libs/libkrb5.a; then \
echo "$(CC) -shared -o $@ `$(SHELL) $(srcdir)/make-rpath $(LDFLAGS) $(OBJS) $(L)`"; \
$(CC) -shared -o $@ `$(SHELL) $(srcdir)/make-rpath $(LDFLAGS) $(OBJS) $(L)`; \
elif test -f $(top_builddir)/lib/krb5/.libs/libkrb5.so; then \
echo "$(CC) -shared -o $@ `$(SHELL) $(srcdir)/make-rpath $(LDFLAGS) $(OBJS) $(L_shared)`"; \
$(CC) -shared -o $@ `$(SHELL) $(srcdir)/make-rpath $(LDFLAGS) $(OBJS) $(L_shared)`; \
else \
echo "missing libraries"; exit 1; \
fi
ostrip -x $@
libsia_krb4.so: $(OBJS)
@if test -f $(top_builddir)/lib/krb/.libs/libkrb.a; then \
echo "$(CC) -shared -o $@ `$(SHELL) $(srcdir)/make-rpath $(LDFLAGS) $(OBJS) $(L)`"; \
$(CC) -shared -o $@ `$(SHELL) $(srcdir)/make-rpath $(LDFLAGS) $(OBJS) $(L)`; \
elif test -f $(top_builddir)/lib/krb/.libs/libkrb.so; then \
echo "$(CC) -shared -o $@ `$(SHELL) $(srcdir)/make-rpath $(LDFLAGS) $(OBJS) $(L_shared)`"; \
$(CC) -shared -o $@ `$(SHELL) $(srcdir)/make-rpath $(LDFLAGS) $(OBJS) $(L_shared)`; \
else \
echo "missing libraries"; exit 1; \
fi
ostrip -x $@
CLEANFILES = $(MOD) $(OBJS) so_locations
SUFFIXES += .c .o
# XXX inline COMPILE since automake wont add it
.c.o:
$(CC) $(DEFS) $(DEFAULT_AM_CPPFLAGS) $(INCLUDES) $(AM_CPPFLAGS) \
$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) \
-c `test -f '$<' || echo '$(srcdir)/'`$<
EXTRA_DIST = sia.c sia_locl.h posix_getpw.c \
krb4_matrix.conf krb4+c2_matrix.conf \
krb5_matrix.conf krb5+c2_matrix.conf \
security.patch \
make-rpath $(SRCS)

35
lib/auth/sia/NTMakefile
View File

@@ -1,35 +0,0 @@
########################################################################
#
# Copyright (c) 2009, Secure Endpoints Inc.
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
#
# - Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
#
# - Redistributions in binary form must reproduce the above copyright
# notice, this list of conditions and the following disclaimer in
# the documentation and/or other materials provided with the
# distribution.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
# FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
# COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
# BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
# ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
# POSSIBILITY OF SUCH DAMAGE.
#
RELDIR=lib\auth\sia
!include ../../../windows/NTMakefile.w32

58
lib/auth/sia/krb4+c2_matrix.conf
View File

@@ -1,58 +0,0 @@
# Copyright (c) 1998 Kungliga Tekniska Högskolan
# (Royal Institute of Technology, Stockholm, Sweden).
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
#
# 1. Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
#
# 2. Redistributions in binary form must reproduce the above copyright
# notice, this list of conditions and the following disclaimer in the
# documentation and/or other materials provided with the distribution.
#
# 3. Neither the name of the Institute nor the names of its contributors
# may be used to endorse or promote products derived from this software
# without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
# SUCH DAMAGE.
# $Id$
# sia matrix configuration file (Kerberos 4 + C2)
siad_init=(KRB4,/usr/athena/lib/libsia_krb4.so)(BSD,libc.so)
siad_chk_invoker=(KRB4,/usr/athena/lib/libsia_krb4.so)(OSFC2,/usr/shlib/libsecurity.so)
siad_ses_init=(KRB4,/usr/athena/lib/libsia_krb4.so)(OSFC2,/usr/shlib/libsecurity.so)
siad_ses_authent=(KRB4,/usr/athena/lib/libsia_krb4.so)(OSFC2,/usr/shlib/libsecurity.so)
siad_ses_estab=(KRB4,/usr/athena/lib/libsia_krb4.so)(OSFC2,/usr/shlib/libsecurity.so)
siad_ses_launch=(KRB4,/usr/athena/lib/libsia_krb4.so)(OSFC2,/usr/shlib/libsecurity.so)
siad_ses_suauthent=(KRB4,/usr/athena/lib/libsia_krb4.so)(OSFC2,/usr/shlib/libsecurity.so)
siad_ses_reauthent=(KRB4,/usr/athena/lib/libsia_krb4.so)(OSFC2,/usr/shlib/libsecurity.so)
siad_chg_finger=(KRB4,/usr/athena/lib/libsia_krb4.so)(OSFC2,/usr/shlib/libsecurity.so)
siad_chg_password=(KRB4,/usr/athena/lib/libsia_krb4.so)(OSFC2,/usr/shlib/libsecurity.so)
siad_chg_shell=(KRB4,/usr/athena/lib/libsia_krb4.so)(OSFC2,/usr/shlib/libsecurity.so)
siad_getpwent=(BSD,libc.so)
siad_getpwuid=(BSD,libc.so)
siad_getpwnam=(BSD,libc.so)
siad_setpwent=(BSD,libc.so)
siad_endpwent=(BSD,libc.so)
siad_getgrent=(BSD,libc.so)
siad_getgrgid=(BSD,libc.so)
siad_getgrnam=(BSD,libc.so)
siad_setgrent=(BSD,libc.so)
siad_endgrent=(BSD,libc.so)
siad_ses_release=(KRB4,/usr/athena/lib/libsia_krb4.so)(OSFC2,/usr/shlib/libsecurity.so)
siad_chk_user=(KRB4,/usr/athena/lib/libsia_krb4.so)(OSFC2,/usr/shlib/libsecurity.so)

59
lib/auth/sia/krb4_matrix.conf
View File

@@ -1,59 +0,0 @@
# Copyright (c) 1998 Kungliga Tekniska Högskolan
# (Royal Institute of Technology, Stockholm, Sweden).
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
#
# 1. Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
#
# 2. Redistributions in binary form must reproduce the above copyright
# notice, this list of conditions and the following disclaimer in the
# documentation and/or other materials provided with the distribution.
#
# 3. Neither the name of the Institute nor the names of its contributors
# may be used to endorse or promote products derived from this software
# without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
# SUCH DAMAGE.
# $Id$
# sia matrix configuration file (Kerberos 4 + BSD)
siad_init=(KRB4,/usr/athena/lib/libsia_krb4.so)(BSD,libc.so)
siad_chk_invoker=(BSD,libc.so)
siad_ses_init=(KRB4,/usr/athena/lib/libsia_krb4.so)
siad_ses_authent=(KRB4,/usr/athena/lib/libsia_krb4.so)(BSD,libc.so)
siad_ses_estab=(BSD,libc.so)
siad_ses_launch=(KRB4,/usr/athena/lib/libsia_krb4.so)(BSD,libc.so)
siad_ses_suauthent=(KRB4,/usr/athena/lib/libsia_krb4.so)(BSD,libc.so)
siad_ses_reauthent=(KRB4,/usr/athena/lib/libsia_krb4.so)(BSD,libc.so)
siad_chg_finger=(BSD,libc.so)
siad_chg_password=(KRB4,/usr/athena/lib/libsia_krb4.so)(BSD,libc.so)
siad_chg_shell=(BSD,libc.so)
siad_getpwent=(BSD,libc.so)
siad_getpwuid=(BSD,libc.so)
siad_getpwnam=(BSD,libc.so)
siad_setpwent=(BSD,libc.so)
siad_endpwent=(BSD,libc.so)
siad_getgrent=(BSD,libc.so)
siad_getgrgid=(BSD,libc.so)
siad_getgrnam=(BSD,libc.so)
siad_setgrent=(BSD,libc.so)
siad_endgrent=(BSD,libc.so)
siad_ses_release=(KRB4,/usr/athena/lib/libsia_krb4.so)(BSD,libc.so)
siad_chk_user=(KRB4,/usr/athena/lib/libsia_krb4.so)(BSD,libc.so)

27
lib/auth/sia/krb5+c2_matrix.conf
View File

@@ -1,27 +0,0 @@
# $Id$
# sia matrix configuration file (Kerberos 5 + C2)
siad_init=(KRB5,/usr/athena/lib/libsia_krb5.so)(BSD,libc.so)
siad_chk_invoker=(OSFC2,/usr/shlib/libsecurity.so)
siad_ses_init=(KRB5,/usr/athena/lib/libsia_krb5.so)(OSFC2,/usr/shlib/libsecurity.so)
siad_ses_authent=(KRB5,/usr/athena/lib/libsia_krb5.so)(OSFC2,/usr/shlib/libsecurity.so)
siad_ses_estab=(KRB5,/usr/athena/lib/libsia_krb5.so)(OSFC2,/usr/shlib/libsecurity.so)
siad_ses_launch=(KRB5,/usr/athena/lib/libsia_krb5.so)(OSFC2,/usr/shlib/libsecurity.so)
siad_ses_suauthent=(KRB5,/usr/athena/lib/libsia_krb5.so)(OSFC2,/usr/shlib/libsecurity.so)
siad_ses_reauthent=(KRB5,/usr/athena/lib/libsia_krb5.so)(OSFC2,/usr/shlib/libsecurity.so)
siad_chg_finger=(KRB5,/usr/athena/lib/libsia_krb5.so)(OSFC2,/usr/shlib/libsecurity.so)
siad_chg_password=(KRB5,/usr/athena/lib/libsia_krb5.so)(OSFC2,/usr/shlib/libsecurity.so)
siad_chg_shell=(KRB5,/usr/athena/lib/libsia_krb5.so)(OSFC2,/usr/shlib/libsecurity.so)
siad_getpwent=(BSD,libc.so)
siad_getpwuid=(BSD,libc.so)
siad_getpwnam=(BSD,libc.so)
siad_setpwent=(BSD,libc.so)
siad_endpwent=(BSD,libc.so)
siad_getgrent=(BSD,libc.so)
siad_getgrgid=(BSD,libc.so)
siad_getgrnam=(BSD,libc.so)
siad_setgrent=(BSD,libc.so)
siad_endgrent=(BSD,libc.so)
siad_ses_release=(KRB5,/usr/athena/lib/libsia_krb5.so)(OSFC2,/usr/shlib/libsecurity.so)
siad_chk_user=(KRB5,/usr/athena/lib/libsia_krb5.so)(OSFC2,/usr/shlib/libsecurity.so)

27
lib/auth/sia/krb5_matrix.conf
View File

@@ -1,27 +0,0 @@
# $Id$
# sia matrix configuration file (Kerberos 5 + BSD)
siad_init=(KRB5,/usr/heimdal/lib/libsia_krb5.so)(BSD,libc.so)
siad_chk_invoker=(BSD,libc.so)
siad_ses_init=(KRB5,/usr/heimdal/lib/libsia_krb5.so)
siad_ses_authent=(KRB5,/usr/heimdal/lib/libsia_krb5.so)(BSD,libc.so)
siad_ses_estab=(BSD,libc.so)
siad_ses_launch=(KRB5,/usr/heimdal/lib/libsia_krb5.so)(BSD,libc.so)
siad_ses_suauthent=(KRB5,/usr/heimdal/lib/libsia_krb5.so)(BSD,libc.so)
siad_ses_reauthent=(BSD,libc.so)
siad_chg_finger=(BSD,libc.so)
siad_chg_password=(BSD,libc.so)
siad_chg_shell=(BSD,libc.so)
siad_getpwent=(BSD,libc.so)
siad_getpwuid=(BSD,libc.so)
siad_getpwnam=(BSD,libc.so)
siad_setpwent=(BSD,libc.so)
siad_endpwent=(BSD,libc.so)
siad_getgrent=(BSD,libc.so)
siad_getgrgid=(BSD,libc.so)
siad_getgrnam=(BSD,libc.so)
siad_setgrent=(BSD,libc.so)
siad_endgrent=(BSD,libc.so)
siad_ses_release=(KRB5,/usr/heimdal/lib/libsia_krb5.so)(BSD,libc.so)
siad_chk_user=(BSD,libc.so)

34
lib/auth/sia/make-rpath
View File

@@ -1,34 +0,0 @@
#!/bin/sh
# $Id$
rlist=
rest=
while test $# -gt 0; do
case $1 in
-R|-rpath)
if test "$rlist"; then
rlist="${rlist}:$2"
else
rlist="$2"
fi
shift 2
;;
-R*)
d=`echo $1 | sed 's,^-R,,'`
if test "$rlist"; then
rlist="${rlist}:${d}"
else
rlist="${d}"
fi
shift
;;
*)
rest="${rest} $1"
shift
;;
esac
done
rpath=
if test "$rlist"; then
rpath="-rpath $rlist "
fi
echo "${rpath}${rest}"

78
lib/auth/sia/posix_getpw.c
View File

@@ -1,78 +0,0 @@
/*
* Copyright (c) 1999 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* 3. Neither the name of KTH nor the names of its contributors may be
* used to endorse or promote products derived from this software without
* specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY KTH AND ITS CONTRIBUTORS ``AS IS'' AND ANY
* EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL KTH OR ITS CONTRIBUTORS BE
* LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
* BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
* WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
* OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
* ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
#include "sia_locl.h"
RCSID("$Id$");
#ifndef POSIX_GETPWNAM_R
/*
* These functions translate from the old Digital UNIX 3.x interface
* to POSIX.1c.
*/
int
posix_getpwnam_r(const char *name, struct passwd *pwd,
char *buffer, int len, struct passwd **result)
{
int ret = getpwnam_r(name, pwd, buffer, len);
if(ret == 0)
*result = pwd;
else{
*result = NULL;
ret = _Geterrno();
if(ret == 0){
ret = ERANGE;
_Seterrno(ret);
}
}
return ret;
}
int
posix_getpwuid_r(uid_t uid, struct passwd *pwd,
char *buffer, int len, struct passwd **result)
{
int ret = getpwuid_r(uid, pwd, buffer, len);
if(ret == 0)
*result = pwd;
else{
*result = NULL;
ret = _Geterrno();
if(ret == 0){
ret = ERANGE;
_Seterrno(ret);
}
}
return ret;
}
#endif /* POSIX_GETPWNAM_R */

11
lib/auth/sia/security.patch
View File

@@ -1,11 +0,0 @@
--- /sbin/init.d/security~ Tue Aug 20 22:44:09 1996
+++ /sbin/init.d/security Fri Nov 1 14:52:56 1996
@@ -49,7 +49,7 @@
SECURITY=BASE
fi
;;
- BASE)
+ BASE|KRB4)
;;
*)
echo "security configuration set to default (BASE)."

703
lib/auth/sia/sia.c
View File

@@ -1,703 +0,0 @@
/*
* Copyright (c) 1995-2001 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* 3. Neither the name of the Institute nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
#include "sia_locl.h"
RCSID("$Id$");
int
siad_init(void)
{
return SIADSUCCESS;
}
int
siad_chk_invoker(void)
{
SIA_DEBUG(("DEBUG", "siad_chk_invoker"));
return SIADFAIL;
}
int
siad_ses_init(SIAENTITY *entity, int pkgind)
{
struct state *s = malloc(sizeof(*s));
SIA_DEBUG(("DEBUG", "siad_ses_init"));
if(s == NULL)
return SIADFAIL;
memset(s, 0, sizeof(*s));
#ifdef SIA_KRB5
{
krb5_error_code ret;
ret = krb5_init_context(&s->context);
if (ret)
return SIADFAIL;
}
#endif
entity->mech[pkgind] = (int*)s;
return SIADSUCCESS;
}
static int
setup_name(SIAENTITY *e, prompt_t *p)
{
SIA_DEBUG(("DEBUG", "setup_name"));
e->name = malloc(SIANAMEMIN + 1);
if(e->name == NULL){
SIA_DEBUG(("DEBUG", "failed to malloc %u bytes", SIANAMEMIN+1));
return SIADFAIL;
}
p->prompt = (unsigned char*)"login: ";
p->result = (unsigned char*)e->name;
p->min_result_length = 1;
p->max_result_length = SIANAMEMIN;
p->control_flags = 0;
return SIADSUCCESS;
}
static int
setup_password(SIAENTITY *e, prompt_t *p)
{
SIA_DEBUG(("DEBUG", "setup_password"));
e->password = malloc(SIAMXPASSWORD + 1);
if(e->password == NULL){
SIA_DEBUG(("DEBUG", "failed to malloc %u bytes", SIAMXPASSWORD+1));
return SIADFAIL;
}
p->prompt = (unsigned char*)"Password: ";
p->result = (unsigned char*)e->password;
p->min_result_length = 0;
p->max_result_length = SIAMXPASSWORD;
p->control_flags = SIARESINVIS;
return SIADSUCCESS;
}
static int
doauth(SIAENTITY *entity, int pkgind, char *name)
{
struct passwd pw, *pwd;
char pwbuf[1024];
struct state *s = (struct state*)entity->mech[pkgind];
#ifdef SIA_KRB5
krb5_realm *realms, *r;
krb5_principal principal;
krb5_ccache ccache;
krb5_error_code ret;
#endif
#ifdef SIA_KRB4
char realm[REALM_SZ];
char *toname, *toinst;
int ret;
struct passwd fpw, *fpwd;
char fpwbuf[1024];
int secure;
#endif
if(getpwnam_r(name, &pw, pwbuf, sizeof(pwbuf), &pwd) != 0 || pwd == NULL){
SIA_DEBUG(("DEBUG", "failed to getpwnam(%s)", name));
return SIADFAIL;
}
#ifdef SIA_KRB5
ret = krb5_get_default_realms(s->context, &realms);
for (r = realms; *r != NULL; ++r) {
krb5_make_principal (s->context, &principal, *r, entity->name, NULL);
if(krb5_kuserok(s->context, principal, entity->name))
break;
}
krb5_free_host_realm (s->context, realms);
if (*r == NULL)
return SIADFAIL;
sprintf(s->ticket, "FILE:/tmp/krb5_cc%d_%d", pwd->pw_uid, getpid());
ret = krb5_cc_resolve(s->context, s->ticket, &ccache);
if(ret)
return SIADFAIL;
#endif
#ifdef SIA_KRB4
snprintf(s->ticket, sizeof(s->ticket),
"%s%u_%u", TKT_ROOT, (unsigned)pwd->pw_uid, (unsigned)getpid());
krb_get_lrealm(realm, 1);
toname = name;
toinst = "";
if(entity->authtype == SIA_A_SUAUTH){
uid_t ouid;
#ifdef HAVE_SIAENTITY_OUID
ouid = entity->ouid;
#else
ouid = getuid();
#endif
if(getpwuid_r(ouid, &fpw, fpwbuf, sizeof(fpwbuf), &fpwd) != 0 || fpwd == NULL){
SIA_DEBUG(("DEBUG", "failed to getpwuid(%u)", ouid));
return SIADFAIL;
}
snprintf(s->ticket, sizeof(s->ticket), "%s_%s_to_%s_%d",
TKT_ROOT, fpwd->pw_name, pwd->pw_name, getpid());
if(strcmp(pwd->pw_name, "root") == 0){
toname = fpwd->pw_name;
toinst = pwd->pw_name;
}
}
if(entity->authtype == SIA_A_REAUTH)
snprintf(s->ticket, sizeof(s->ticket), "%s", tkt_string());
krb_set_tkt_string(s->ticket);
setuid(0); /* XXX fix for fix in tf_util.c */
if(krb_kuserok(toname, toinst, realm, name)){
SIA_DEBUG(("DEBUG", "%s.%s@%s is not allowed to login as %s",
toname, toinst, realm, name));
return SIADFAIL;
}
#endif
#ifdef SIA_KRB5
ret = krb5_verify_user_lrealm(s->context, principal, ccache,
entity->password, 1, NULL);
if(ret){
/* if this is most likely a local user (such as
root), just silently return failure when the
principal doesn't exist */
if(ret != KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN &&
ret != KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN)
SIALOG("WARNING", "krb5_verify_user(%s): %s",
entity->name, error_message(ret));
return SIADFAIL;
}
#endif
#ifdef SIA_KRB4
if (getuid () == 0)
secure = KRB_VERIFY_SECURE;
else
secure = KRB_VERIFY_NOT_SECURE;
ret = krb_verify_user(toname, toinst, realm,
entity->password, secure, NULL);
if(ret){
SIA_DEBUG(("DEBUG", "krb_verify_user: %s", krb_get_err_text(ret)));
if(ret != KDC_PR_UNKNOWN)
/* since this is most likely a local user (such as
root), just silently return failure when the
principal doesn't exist */
SIALOG("WARNING", "krb_verify_user(%s.%s): %s",
toname, toinst, krb_get_err_text(ret));
return SIADFAIL;
}
#endif
if(sia_make_entity_pwd(pwd, entity) == SIAFAIL)
return SIADFAIL;
s->valid = 1;
return SIADSUCCESS;
}
static int
common_auth(sia_collect_func_t *collect,
SIAENTITY *entity,
int siastat,
int pkgind)
{
prompt_t prompts[2], *pr;
char *name;
SIA_DEBUG(("DEBUG", "common_auth"));
if((siastat == SIADSUCCESS) && (geteuid() == 0))
return SIADSUCCESS;
if(entity == NULL) {
SIA_DEBUG(("DEBUG", "entity == NULL"));
return SIADFAIL | SIADSTOP;
}
name = entity->name;
if(entity->acctname)
name = entity->acctname;
if((collect != NULL) && entity->colinput) {
int num;
pr = prompts;
if(name == NULL){
if(setup_name(entity, pr) != SIADSUCCESS)
return SIADFAIL;
pr++;
}
if(entity->password == NULL){
if(setup_password(entity, pr) != SIADSUCCESS)
return SIADFAIL;
pr++;
}
num = pr - prompts;
if(num == 1){
if((*collect)(240, SIAONELINER, (unsigned char*)"", num,
prompts) != SIACOLSUCCESS){
SIA_DEBUG(("DEBUG", "collect failed"));
return SIADFAIL | SIADSTOP;
}
} else if(num > 0){
if((*collect)(0, SIAFORM, (unsigned char*)"", num,
prompts) != SIACOLSUCCESS){
SIA_DEBUG(("DEBUG", "collect failed"));
return SIADFAIL | SIADSTOP;
}
}
}
if(name == NULL)
name = entity->name;
if(name == NULL || name[0] == '\0'){
SIA_DEBUG(("DEBUG", "name is null"));
return SIADFAIL;
}
if(entity->password == NULL || strlen(entity->password) > SIAMXPASSWORD){
SIA_DEBUG(("DEBUG", "entity->password is null"));
return SIADFAIL;
}
return doauth(entity, pkgind, name);
}
int
siad_ses_authent(sia_collect_func_t *collect,
SIAENTITY *entity,
int siastat,
int pkgind)
{
SIA_DEBUG(("DEBUG", "siad_ses_authent"));
return common_auth(collect, entity, siastat, pkgind);
}
int
siad_ses_estab(sia_collect_func_t *collect,
SIAENTITY *entity, int pkgind)
{
SIA_DEBUG(("DEBUG", "siad_ses_estab"));
return SIADFAIL;
}
int
siad_ses_launch(sia_collect_func_t *collect,
SIAENTITY *entity,
int pkgind)
{
static char env[MaxPathLen];
struct state *s = (struct state*)entity->mech[pkgind];
SIA_DEBUG(("DEBUG", "siad_ses_launch"));
if(s->valid){
#ifdef SIA_KRB5
chown(s->ticket + sizeof("FILE:") - 1,
entity->pwd->pw_uid,
entity->pwd->pw_gid);
snprintf(env, sizeof(env), "KRB5CCNAME=%s", s->ticket);
#endif
#ifdef SIA_KRB4
chown(s->ticket, entity->pwd->pw_uid, entity->pwd->pw_gid);
snprintf(env, sizeof(env), "KRBTKFILE=%s", s->ticket);
#endif
putenv(env);
}
#ifdef SIA_KRB5
if (k_hasafs()) {
char cell[64];
krb5_ccache ccache;
if(krb5_cc_resolve(s->context, s->ticket, &ccache) == 0) {
k_setpag();
if(k_afs_cell_of_file(entity->pwd->pw_dir, cell, sizeof(cell)) == 0)
krb5_afslog(s->context, ccache, cell, 0);
krb5_afslog_home(s->context, ccache, 0, 0, entity->pwd->pw_dir);
}
}
#endif
#ifdef SIA_KRB4
if (k_hasafs()) {
char cell[64];
k_setpag();
if(k_afs_cell_of_file(entity->pwd->pw_dir, cell, sizeof(cell)) == 0)
krb_afslog(cell, 0);
krb_afslog_home(0, 0, entity->pwd->pw_dir);
}
#endif
return SIADSUCCESS;
}
int
siad_ses_release(SIAENTITY *entity, int pkgind)
{
SIA_DEBUG(("DEBUG", "siad_ses_release"));
if(entity->mech[pkgind]){
#ifdef SIA_KRB5
struct state *s = (struct state*)entity->mech[pkgind];
krb5_free_context(s->context);
#endif
free(entity->mech[pkgind]);
}
return SIADSUCCESS;
}
int
siad_ses_suauthent(sia_collect_func_t *collect,
SIAENTITY *entity,
int siastat,
int pkgind)
{
SIA_DEBUG(("DEBUG", "siad_ses_suauth"));
if(geteuid() != 0)
return SIADFAIL;
if(entity->name == NULL)
return SIADFAIL;
if(entity->name[0] == '\0') {
free(entity->name);
entity->name = strdup("root");
if (entity->name == NULL)
return SIADFAIL;
}
return common_auth(collect, entity, siastat, pkgind);
}
int
siad_ses_reauthent (sia_collect_func_t *collect,
SIAENTITY *entity,
int siastat,
int pkgind)
{
int ret;
SIA_DEBUG(("DEBUG", "siad_ses_reauthent"));
if(entity == NULL || entity->name == NULL)
return SIADFAIL;
ret = common_auth(collect, entity, siastat, pkgind);
if((ret & SIADSUCCESS)){
/* launch isn't (always?) called when doing reauth, so we must
duplicate some code here... */
struct state *s = (struct state*)entity->mech[pkgind];
chown(s->ticket, entity->pwd->pw_uid, entity->pwd->pw_gid);
#ifdef SIA_KRB5
if (k_hasafs()) {
char cell[64];
krb5_ccache ccache;
if(krb5_cc_resolve(s->context, s->ticket, &ccache) == 0) {
k_setpag();
if(k_afs_cell_of_file(entity->pwd->pw_dir,
cell, sizeof(cell)) == 0)
krb5_afslog(s->context, ccache, cell, 0);
krb5_afslog_home(s->context, ccache, 0, 0, entity->pwd->pw_dir);
}
}
#endif
#ifdef SIA_KRB4
if(k_hasafs()) {
char cell[64];
if(k_afs_cell_of_file(entity->pwd->pw_dir,
cell, sizeof(cell)) == 0)
krb_afslog(cell, 0);
krb_afslog_home(0, 0, entity->pwd->pw_dir);
}
#endif
}
return ret;
}
int
siad_chg_finger (sia_collect_func_t *collect,
const char *username,
int argc,
char *argv[])
{
SIA_DEBUG(("DEBUG", "siad_chg_finger"));
return SIADFAIL;
}
#ifdef SIA_KRB5
int
siad_chg_password (sia_collect_func_t *collect,
const char *username,
int argc,
char *argv[])
{
return SIADFAIL;
}
#endif
#ifdef SIA_KRB4
static void
sia_message(sia_collect_func_t *collect, int rendition,
const char *title, const char *message)
{
prompt_t prompt;
prompt.prompt = (unsigned char*)message;
(*collect)(0, rendition, (unsigned char*)title, 1, &prompt);
}
static int
init_change(sia_collect_func_t *collect, krb_principal *princ)
{
prompt_t prompt;
char old_pw[MAX_KPW_LEN+1];
char *msg;
char tktstring[128];
int ret;
SIA_DEBUG(("DEBUG", "init_change"));
prompt.prompt = (unsigned char*)"Old password: ";
prompt.result = (unsigned char*)old_pw;
prompt.min_result_length = 0;
prompt.max_result_length = sizeof(old_pw) - 1;
prompt.control_flags = SIARESINVIS;
asprintf(&msg, "Changing password for %s", krb_unparse_name(princ));
if(msg == NULL){
SIA_DEBUG(("DEBUG", "out of memory"));
return SIADFAIL;
}
ret = (*collect)(60, SIAONELINER, (unsigned char*)msg, 1, &prompt);
free(msg);
SIA_DEBUG(("DEBUG", "ret = %d", ret));
if(ret != SIACOLSUCCESS)
return SIADFAIL;
snprintf(tktstring, sizeof(tktstring),
"%s_cpw_%u", TKT_ROOT, (unsigned)getpid());
krb_set_tkt_string(tktstring);
ret = krb_get_pw_in_tkt(princ->name, princ->instance, princ->realm,
PWSERV_NAME, KADM_SINST, 1, old_pw);
if (ret != KSUCCESS) {
SIA_DEBUG(("DEBUG", "krb_get_pw_in_tkt: %s", krb_get_err_text(ret)));
if (ret == INTK_BADPW)
sia_message(collect, SIAWARNING, "", "Incorrect old password.");
else
sia_message(collect, SIAWARNING, "", "Kerberos error.");
memset(old_pw, 0, sizeof(old_pw));
return SIADFAIL;
}
if(chown(tktstring, getuid(), -1) < 0){
dest_tkt();
return SIADFAIL;
}
memset(old_pw, 0, sizeof(old_pw));
return SIADSUCCESS;
}
int
siad_chg_password (sia_collect_func_t *collect,
const char *username,
int argc,
char *argv[])
{
prompt_t prompts[2];
krb_principal princ;
int ret;
char new_pw1[MAX_KPW_LEN+1];
char new_pw2[MAX_KPW_LEN+1];
static struct et_list *et_list;
setprogname(argv[0]);
SIA_DEBUG(("DEBUG", "siad_chg_password"));
if(collect == NULL)
return SIADFAIL;
if(username == NULL)
username = getlogin();
ret = krb_parse_name(username, &princ);
if(ret)
return SIADFAIL;
if(princ.realm[0] == '\0')
krb_get_lrealm(princ.realm, 1);
if(et_list == NULL) {
initialize_kadm_error_table_r(&et_list);
initialize_krb_error_table_r(&et_list);
}
ret = init_change(collect, &princ);
if(ret != SIADSUCCESS)
return ret;
again:
prompts[0].prompt = (unsigned char*)"New password: ";
prompts[0].result = (unsigned char*)new_pw1;
prompts[0].min_result_length = MIN_KPW_LEN;
prompts[0].max_result_length = sizeof(new_pw1) - 1;
prompts[0].control_flags = SIARESINVIS;
prompts[1].prompt = (unsigned char*)"Verify new password: ";
prompts[1].result = (unsigned char*)new_pw2;
prompts[1].min_result_length = MIN_KPW_LEN;
prompts[1].max_result_length = sizeof(new_pw2) - 1;
prompts[1].control_flags = SIARESINVIS;
if((*collect)(120, SIAFORM, (unsigned char*)"", 2, prompts) !=
SIACOLSUCCESS) {
dest_tkt();
return SIADFAIL;
}
if(strcmp(new_pw1, new_pw2) != 0){
sia_message(collect, SIAWARNING, "", "Password mismatch.");
goto again;
}
ret = kadm_check_pw(new_pw1);
if(ret) {
sia_message(collect, SIAWARNING, "", com_right(et_list, ret));
goto again;
}
memset(new_pw2, 0, sizeof(new_pw2));
ret = kadm_init_link (PWSERV_NAME, KRB_MASTER, princ.realm);
if (ret != KADM_SUCCESS)
sia_message(collect, SIAWARNING, "Error initing kadmin connection",
com_right(et_list, ret));
else {
des_cblock newkey;
char *pw_msg; /* message from server */
des_string_to_key(new_pw1, &newkey);
ret = kadm_change_pw_plain((unsigned char*)&newkey, new_pw1, &pw_msg);
memset(newkey, 0, sizeof(newkey));
if (ret == KADM_INSECURE_PW)
sia_message(collect, SIAWARNING, "Insecure password", pw_msg);
else if (ret != KADM_SUCCESS)
sia_message(collect, SIAWARNING, "Error changing password",
com_right(et_list, ret));
}
memset(new_pw1, 0, sizeof(new_pw1));
if (ret != KADM_SUCCESS)
sia_message(collect, SIAWARNING, "", "Password NOT changed.");
else
sia_message(collect, SIAINFO, "", "Password changed.");
dest_tkt();
if(ret)
return SIADFAIL;
return SIADSUCCESS;
}
#endif
int
siad_chg_shell (sia_collect_func_t *collect,
const char *username,
int argc,
char *argv[])
{
return SIADFAIL;
}
int
siad_getpwent(struct passwd *result,
char *buf,
int bufsize,
struct sia_context *context)
{
return SIADFAIL;
}
int
siad_getpwuid (uid_t uid,
struct passwd *result,
char *buf,
int bufsize,
struct sia_context *context)
{
return SIADFAIL;
}
int
siad_getpwnam (const char *name,
struct passwd *result,
char *buf,
int bufsize,
struct sia_context *context)
{
return SIADFAIL;
}
int
siad_setpwent (struct sia_context *context)
{
return SIADFAIL;
}
int
siad_endpwent (struct sia_context *context)
{
return SIADFAIL;
}
int
siad_getgrent(struct group *result,
char *buf,
int bufsize,
struct sia_context *context)
{
return SIADFAIL;
}
int
siad_getgrgid (gid_t gid,
struct group *result,
char *buf,
int bufsize,
struct sia_context *context)
{
return SIADFAIL;
}
int
siad_getgrnam (const char *name,
struct group *result,
char *buf,
int bufsize,
struct sia_context *context)
{
return SIADFAIL;
}
int
siad_setgrent (struct sia_context *context)
{
return SIADFAIL;
}
int
siad_endgrent (struct sia_context *context)
{
return SIADFAIL;
}
int
siad_chk_user (const char *logname, int checkflag)
{
if(checkflag != CHGPASSWD)
return SIADFAIL;
return SIADSUCCESS;
}

93
lib/auth/sia/sia_locl.h
View File

@@ -1,93 +0,0 @@
/*
* Copyright (c) 1999 - 2001 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* 3. Neither the name of KTH nor the names of its contributors may be
* used to endorse or promote products derived from this software without
* specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY KTH AND ITS CONTRIBUTORS ``AS IS'' AND ANY
* EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL KTH OR ITS CONTRIBUTORS BE
* LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
* BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
* WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
* OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
* ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
/* $Id$ */
#ifndef __sia_locl_h__
#define __sia_locl_h__
#ifdef HAVE_CONFIG_H
#include <config.h>
#endif
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <siad.h>
#include <pwd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <roken.h>
#ifdef KRB5
#define SIA_KRB5
#elif defined(KRB4)
#define SIA_KRB4
#endif
#ifdef SIA_KRB5
#include <krb5.h>
#include <com_err.h>
#endif
#ifdef SIA_KRB4
#include <krb.h>
#include <krb_err.h>
#include <kadm.h>
#include <kadm_err.h>
#endif
#ifdef KRB4
#include <kafs.h>
#endif
#ifndef POSIX_GETPWNAM_R
#define getpwnam_r posix_getpwnam_r
#define getpwuid_r posix_getpwuid_r
#endif /* POSIX_GETPWNAM_R */
#ifndef DEBUG
#define SIA_DEBUG(X)
#else
#define SIA_DEBUG(X) SIALOG X
#endif
struct state{
#ifdef SIA_KRB5
krb5_context context;
krb5_auth_context auth_context;
#endif
char ticket[MaxPathLen];
int valid;
};
#endif /* __sia_locl_h__ */