| author | semery <none@none> | 2007-01-08 22:48:10 -0800 |
|---|---|---|
| committer | semery <none@none> | 2007-01-08 22:48:10 -0800 |
| commit | 3bfb48feb84bb78924286a801c68f80198912fa7 (patch) | |
| tree | 2eb676597d732d4f08c1f4525422532bc9937c5e /usr/src/lib/pam_modules/krb5 | |
| parent | 3adfa9cd8a85081d32de7091fd58369411b3dade (diff) | |
| download | illumos-joyent-3bfb48feb84bb78924286a801c68f80198912fa7.tar.gz | |
6266812 pam_krb5 and pam_krb5_migrate localize their syslog messages
6430941 pam_krb5 pam_sm_setcred can cause /tmp/krb5cc_<PAM_USER> to be owned by euid rather than PAM_USER
6484675 pam_krb5(5) needs some cleanup
6499804 pam_krb5 account management should not return success if user is not defined in kerberos realm
6507080 autofs no longer passing credential information in upcalls
Diffstat (limited to 'usr/src/lib/pam_modules/krb5')
| -rw-r--r-- | usr/src/lib/pam_modules/krb5/krb5_acct_mgmt.c | 90 | ||||
| -rw-r--r-- | usr/src/lib/pam_modules/krb5/krb5_authenticate.c | 134 | ||||
| -rw-r--r-- | usr/src/lib/pam_modules/krb5/krb5_password.c | 62 | ||||
| -rw-r--r-- | usr/src/lib/pam_modules/krb5/krb5_setcred.c | 133 | ||||
| -rw-r--r-- | usr/src/lib/pam_modules/krb5/utils.c | 24 | ||||
| -rw-r--r-- | usr/src/lib/pam_modules/krb5/utils.h | 8 |
6 files changed, 231 insertions, 220 deletions
diff --git a/usr/src/lib/pam_modules/krb5/krb5_acct_mgmt.c b/usr/src/lib/pam_modules/krb5/krb5_acct_mgmt.c index 1397fe8f49..d838613187 100644 --- a/usr/src/lib/pam_modules/krb5/krb5_acct_mgmt.c +++ b/usr/src/lib/pam_modules/krb5/krb5_acct_mgmt.c @@ -2,9 +2,8 @@ * CDDL HEADER START * * The contents of this file are subject to the terms of the - * Common Development and Distribution License, Version 1.0 only - * (the "License"). You may not use this file except in compliance - * with the License. + * Common Development and Distribution License (the "License"). + * You may not use this file except in compliance with the License. * * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE * or http://www.opensolaris.org/os/licensing. @@ -20,7 +19,7 @@ * CDDL HEADER END */ /* - * Copyright 2004 Sun Microsystems, Inc. All rights reserved. + * Copyright 2007 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ @@ -89,7 +88,7 @@ fetch_princ_entry( krb5_free_principal(context, princ); krb5_free_context(context); if (debug) - syslog(LOG_DEBUG, + __pam_log(LOG_AUTH | LOG_DEBUG, "PAM-KRB5 (acct): fetch_princ_entry: pwlen=0"); return (PAM_AUTH_ERR); } @@ -103,10 +102,9 @@ fetch_princ_entry( params.realm = admin_realm; if (kadm5_get_cpw_host_srv_name(context, admin_realm, &cpw_service)) { - syslog(LOG_ERR, - dgettext(TEXT_DOMAIN, + __pam_log(LOG_AUTH | LOG_ERR, "PAM-KRB5 (acct): unable to get host based " - "service name for realm '%s'"), + "service name for realm '%s'", admin_realm); krb5_free_principal(context, princ); krb5_free_context(context); @@ -118,7 +116,7 @@ fetch_princ_entry( KADM5_API_VERSION_2, &server_handle); if (code != 0) { if (debug) - syslog(LOG_DEBUG, + __pam_log(LOG_AUTH | LOG_DEBUG, "PAM-KRB5 (acct): fetch_princ_entry: " "init_with_pw failed: code = %d", code); krb5_free_principal(context, princ); 
@@ -129,7 +127,7 @@ fetch_princ_entry( if (_kadm5_get_kpasswd_protocol(server_handle) != KRB5_CHGPWD_RPCSEC) { if (debug) - syslog(LOG_DEBUG, + __pam_log(LOG_AUTH | LOG_DEBUG, "PAM-KRB5 (acct): fetch_princ_entry: " "non-RPCSEC_GSS chpw server, can't get " "princ entry"); @@ -154,9 +152,8 @@ fetch_princ_entry( (void) kadm5_destroy(server_handle); krb5_free_principal(context, princ); krb5_free_context(context); - syslog(LOG_ERR, - dgettext(TEXT_DOMAIN, - "PAM-KRB5 (acct): krb5_timeofday fail: code=%d"), + __pam_log(LOG_AUTH | LOG_ERR, + "PAM-KRB5 (acct): krb5_timeofday fail: code=%d", code); return (PAM_SYSTEM_ERR); } @@ -194,7 +191,7 @@ exp_warn( char messages[PAM_MAX_NUM_MSG][PAM_MAX_MSG_SIZE]; if (debug) - syslog(LOG_DEBUG, + __pam_log(LOG_AUTH | LOG_DEBUG, "PAM-KRB5 (acct): exp_warn start: user = '%s'", user ? user : "<null>"); @@ -207,14 +204,14 @@ exp_warn( if ((err = fetch_princ_entry(user, password, &prent, &now, debug)) != PAM_SUCCESS) { if (debug) - syslog(LOG_DEBUG, + __pam_log(LOG_AUTH | LOG_DEBUG, "PAM-KRB5 (acct): exp_warn: fetch_pr failed %d", err); goto out; } if (debug) - syslog(LOG_DEBUG, + __pam_log(LOG_AUTH | LOG_DEBUG, "PAM-KRB5 (acct): exp_warn: fetch_princ success:" " princ exp=%ld pw_exp = %ld, now =%ld, days=%ld", prent.princ_expire_time, @@ -252,7 +249,7 @@ exp_warn( out: if (debug) - syslog(LOG_DEBUG, + __pam_log(LOG_AUTH | LOG_DEBUG, "PAM-KRB5 (acct): exp_warn end: err = %d", err); return (err); @@ -295,18 +292,19 @@ pam_sm_acct_mgmt( nowarn = 1; flags = flags | PAM_SILENT; } else { - syslog(LOG_ERR, + __pam_log(LOG_AUTH | LOG_ERR, "PAM-KRB5 (acct): illegal option %s", argv[i]); } } if (debug) - syslog(LOG_DEBUG, + __pam_log(LOG_AUTH | LOG_DEBUG, "PAM-KRB5 (acct): debug=%d, nowarn=%d", debug, nowarn); - err = pam_get_item(pamh, PAM_REPOSITORY, (void **)&rep_data); + (void) pam_get_item(pamh, PAM_REPOSITORY, (void **)&rep_data); + if (rep_data != NULL) { /* * If the repository is not ours, 
@@ -314,7 +312,8 @@ pam_sm_acct_mgmt( */ if (strcmp(rep_data->type, KRB5_REPOSITORY_NAME) != 0) { if (debug) - syslog(LOG_DEBUG, "PAM-KRB5 (acct): wrong" + __pam_log(LOG_AUTH | LOG_DEBUG, + "PAM-KRB5 (acct): wrong" "repository found (%s), returning " "PAM_IGNORE", rep_data->type); return (PAM_IGNORE); @@ -323,16 +322,9 @@ pam_sm_acct_mgmt( /* get user name */ - if ((err = pam_get_item(pamh, PAM_USER, (void **) &user)) - != PAM_SUCCESS) { - syslog(LOG_ERR, dgettext(TEXT_DOMAIN, - "PAM-KRB5 (acct):" - " get user failed: err=%d"), - err); - goto out; - } + (void) pam_get_item(pamh, PAM_USER, (void **) &user); - if (user == NULL) { + if (user == NULL || *user == '\0') { err = PAM_USER_UNKNOWN; goto out; } @@ -342,9 +334,8 @@ pam_sm_acct_mgmt( (const void **)&userdata); if (err != PAM_SUCCESS) { if (debug) - syslog(LOG_DEBUG, dgettext(TEXT_DOMAIN, - "PAM-KRB5 (acct): " - "no module data for KRB5_AUTOMIGRATE_DATA")); + __pam_log(LOG_AUTH | LOG_DEBUG, "PAM-KRB5 (acct): " + "no module data for KRB5_AUTOMIGRATE_DATA"); } else { /* * We try and reauthenticate, since this user has a @@ -357,9 +348,9 @@ pam_sm_acct_mgmt( (const char **)argv); else if (debug) - syslog(LOG_DEBUG, dgettext(TEXT_DOMAIN, + __pam_log(LOG_AUTH | LOG_DEBUG, "PAM-KRB5 (acct): PAM_USER %s" - "does not match user %s from pam_get_data()"), + "does not match user %s from pam_get_data()", user, (char *)userdata); } @@ -375,15 +366,14 @@ pam_sm_acct_mgmt( * was instantiated (normal for auth 'acceptor') */ if (debug) - syslog(LOG_DEBUG, + __pam_log(LOG_AUTH | LOG_DEBUG, "PAM-KRB5 (acct): no module data"); err = PAM_IGNORE; goto out; } else { - syslog(LOG_ERR, - dgettext(TEXT_DOMAIN, + __pam_log(LOG_AUTH | LOG_ERR, "PAM-KRB5 (acct): get module" - " data failed: err=%d"), + " data failed: err=%d", err); } goto out; 
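Review bot: The log call rewritten at @@ -314 joins `"PAM-KRB5 (acct): wrong"` to `"repository found (%s), returning "` with no separating space, so the message is emitted as "wrongrepository found"; the first literal needs a trailing space, `"PAM-KRB5 (acct): wrong "`. The same line is rewritten with the same missing space in krb5_authenticate.c (@@ -204), krb5_password.c (@@ -186) and krb5_setcred.c (@@ -195), and @@ -357 in this file concatenates `"PAM-KRB5 (acct): PAM_USER %s"` with `"does not match user %s from pam_get_data()"` in the same way. Since the commit touches every one of these format strings, this is the moment to fix them.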
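Review bot: Casting away pam_get_item()'s return at @@ -323 leaves `user == NULL || *user == '\0'` as the only guard, which is sound only if `user` is initialised to NULL at its declaration, and that declaration is above the hunk and not visible here. The setcred change in this same commit adds exactly that initialiser (`char *user = NULL;` at @@ -76 of krb5_setcred.c); pam_sm_acct_mgmt should be checked for the same, because if pam_get_item() fails and leaves the pointer untouched, `*user` would read through an indeterminate pointer.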
@@ -397,13 +387,25 @@ pam_sm_acct_mgmt( */ if (kmd->auth_status == PAM_IGNORE) { if (debug) - syslog(LOG_DEBUG, + __pam_log(LOG_AUTH | LOG_DEBUG, "PAM-KRB5 (acct): kmd auth_status is IGNORE"); err = PAM_IGNORE; goto out; } /* + * auth mod set status to user_unknown, most likely cuz user is + * not a kerberos user. + */ + if (kmd->auth_status == PAM_USER_UNKNOWN) { + if (debug) + syslog(LOG_DEBUG, + "PAM-KRB5 (acct): kmd auth_status is USER UNKNOWN"); + err = PAM_USER_UNKNOWN; + goto out; + } + + /* * age_status will be set to PAM_NEW_AUTHTOK_REQD in pam_krb5's * 'auth' if the user's key/pw has expired and needs to be changed */ @@ -424,12 +426,14 @@ pam_sm_acct_mgmt( (void) exp_warn(pamh, user, kmd->password, debug); } - /* everything a-ok */ - err = PAM_SUCCESS; + /* + * Here we return any errors during the auth pass, if any. + */ + err = kmd->auth_status; out: if (debug) - syslog(LOG_DEBUG, + __pam_log(LOG_AUTH | LOG_DEBUG, "PAM-KRB5 (acct): end: %s", pam_strerror(pamh, err)); return (err); diff --git a/usr/src/lib/pam_modules/krb5/krb5_authenticate.c b/usr/src/lib/pam_modules/krb5/krb5_authenticate.c index 8894197d73..aec4b426b7 100644 --- a/usr/src/lib/pam_modules/krb5/krb5_authenticate.c +++ b/usr/src/lib/pam_modules/krb5/krb5_authenticate.c @@ -19,7 +19,7 @@ * CDDL HEADER END */ /* - * Copyright 2006 Sun Microsystems, Inc. All rights reserved. + * Copyright 2007 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ @@ -111,15 +111,15 @@ pam_sm_authenticate( } else if (strcmp(argv[i], "err_on_exp") == 0) { err_on_exp = 1; } else { - syslog(LOG_ERR, dgettext(TEXT_DOMAIN, - "PAM-KRB5 (auth) unrecognized option %s"), + __pam_log(LOG_AUTH | LOG_ERR, + "PAM-KRB5 (auth) unrecognized option %s", argv[i]); } } if (flags & PAM_SILENT) warn = 0; if (debug) - syslog(LOG_DEBUG, + __pam_log(LOG_AUTH | LOG_DEBUG, "PAM-KRB5 (auth): pam_sm_authenticate flags=%d", flags); 
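Review bot: The new PAM_USER_UNKNOWN branch at @@ -397 still calls `syslog(LOG_DEBUG, ...)` while every other debug message this commit touches is converted to `__pam_log(LOG_AUTH | LOG_DEBUG, ...)`, so this one message bypasses whatever __pam_log does for the rest; use `__pam_log(LOG_AUTH | LOG_DEBUG, "PAM-KRB5 (acct): kmd auth_status is USER UNKNOWN");`. The comment above it would also read better as `/* The auth module set PAM_USER_UNKNOWN, most likely because the user is not a Kerberos principal. */`. The `err = kmd->auth_status` at @@ -424 is the substantive fix for 6499804 and is consistent with this new branch.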
@@ -127,8 +127,8 @@ pam_sm_authenticate( if (user == NULL || *user == '\0') { if (debug) - syslog(LOG_DEBUG, "PAM-KRB5 (auth): user empty " - "or null"); + __pam_log(LOG_AUTH | LOG_DEBUG, + "PAM-KRB5 (auth): user empty or null"); return (PAM_USER_UNKNOWN); } @@ -142,7 +142,7 @@ pam_sm_authenticate( */ err = pam_get_data(pamh, KRB5_DATA, (const void**)&kmd); if (!(err == PAM_SUCCESS || err == PAM_NO_MODULE_DATA)) - return (PAM_AUTH_ERR); + return (PAM_SYSTEM_ERR); if (kmd == NULL) { kmd = calloc(1, sizeof (krb5_module_data_t)); @@ -182,6 +182,11 @@ pam_sm_authenticate( } } + if ((kmd->user = strdup(user)) == NULL) { + result = PAM_BUF_ERR; + goto out; + } + kmd->auth_status = PAM_AUTH_ERR; kmd->debug = debug; kmd->warn = warn; @@ -204,7 +209,8 @@ pam_sm_authenticate( if (rep_data != NULL) { if (strcmp(rep_data->type, KRB5_REPOSITORY_NAME) != 0) { if (debug) - syslog(LOG_DEBUG, "PAM-KRB5 (auth): wrong" + __pam_log(LOG_AUTH | LOG_DEBUG, + "PAM-KRB5 (auth): wrong" "repository found (%s), returning " "PAM_IGNORE", rep_data->type); return (PAM_IGNORE); @@ -217,7 +223,7 @@ pam_sm_authenticate( krb5_data->principal != NULL && strlen(krb5_data->principal)) { if (debug) - syslog(LOG_DEBUG, + __pam_log(LOG_AUTH | LOG_DEBUG, "PAM-KRB5 (auth): Principal " "%s already authenticated", krb5_data->principal); @@ -237,7 +243,7 @@ pam_sm_authenticate( if ((strcmp(user, ROOT_UNAME) == 0) && key_in_keytab(user, debug)) { if (debug) - syslog(LOG_DEBUG, + __pam_log(LOG_AUTH | LOG_DEBUG, "PAM-KRB5 (auth): " "key for '%s' in keytab, returning IGNORE", user); result = PAM_IGNORE; @@ -251,7 +257,7 @@ pam_sm_authenticate( out: if (kmd) { if (debug) - syslog(LOG_DEBUG, + __pam_log(LOG_AUTH | LOG_DEBUG, "PAM-KRB5 (auth): pam_sm_auth finalize" " ccname env, result =%d, env ='%s'," " age = %d, status = %d", 
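Review bot: The `kmd->user = strdup(user)` added at @@ -182 overwrites whatever the field held without freeing it; the `if (kmd == NULL)` test at @@ -142 indicates pam_get_data() can return a kmd from an earlier pam_authenticate() call, in which case the earlier copy leaks, and the `free(kmd->user)` added to krb5_cleanup() only releases the last one. A `free(kmd->user);` immediately before the strdup closes this (the field is NULL on a freshly calloc'd kmd, and free(NULL) is a no-op). A one-line comment saying why the name is kept would help too — presumably so pam_sm_setcred() can act on the name that was actually authenticated rather than whatever PAM_USER holds later, but confirm that against the setcred side before writing it.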
@@ -272,10 +278,9 @@ out: if ((result = pam_putenv(pamh, kmd->env)) != PAM_SUCCESS) { /* should not happen but... */ - syslog(LOG_ERR, - dgettext(TEXT_DOMAIN, + __pam_log(LOG_AUTH | LOG_ERR, "PAM-KRB5 (auth):" - " pam_putenv failed: result: %d"), + " pam_putenv failed: result: %d", result); goto cleanupccname; } @@ -291,7 +296,7 @@ out: } if (debug) - syslog(LOG_DEBUG, + __pam_log(LOG_AUTH | LOG_DEBUG, "PAM-KRB5 (auth): end: %s", pam_strerror(pamh, result)); return (result); @@ -330,7 +335,7 @@ attempt_krb5_auth( int result = PAM_AUTH_ERR; if (kmd->debug) - syslog(LOG_DEBUG, + __pam_log(LOG_AUTH | LOG_DEBUG, "PAM-KRB5 (auth): attempt_krb5_auth: start: user='%s'", user ? user : "<null>"); @@ -338,9 +343,9 @@ attempt_krb5_auth( /* need to free context with krb5_free_context */ if (code = krb5_init_context(&kmd->kcontext)) { - syslog(LOG_ERR, dgettext(TEXT_DOMAIN, + __pam_log(LOG_AUTH | LOG_ERR, "PAM-KRB5 (auth): Error initializing " - "krb5: %s"), + "krb5: %s", error_message(code)); return (PAM_SYSTEM_ERR); } @@ -354,14 +359,17 @@ attempt_krb5_auth( if ((code = krb5_parse_name(kmd->kcontext, kuser, &me)) != 0) { krb5_free_context(kmd->kcontext); kmd->kcontext = NULL; - return (PAM_AUTH_ERR); + return (PAM_SYSTEM_ERR); } /* call krb5_free_cred_contents() on error */ my_creds = &kmd->initcreds; - if ((code = krb5_copy_principal(kmd->kcontext, me, &my_creds->client))) - goto out_err; + if ((code = + krb5_copy_principal(kmd->kcontext, me, &my_creds->client))) { + result = PAM_SYSTEM_ERR; + goto out_err; + } if (code = krb5_build_principal_ext(kmd->kcontext, &server, krb5_princ_realm(kmd->kcontext, me)->length, 
@@ -369,23 +377,26 @@ attempt_krb5_auth( tgtname.length, tgtname.data, krb5_princ_realm(kmd->kcontext, me)->length, krb5_princ_realm(kmd->kcontext, me)->data, 0)) { - syslog(LOG_ERR, dgettext(TEXT_DOMAIN, - "PAM-KRB5 (auth): attempt_krb5_auth: " - "krb5_build_princ_ext failed: %s"), - error_message(code)); + __pam_log(LOG_AUTH | LOG_ERR, + "PAM-KRB5 (auth): attempt_krb5_auth: " + "krb5_build_princ_ext failed: %s", + error_message(code)); + result = PAM_SYSTEM_ERR; goto out; } if (code = krb5_copy_principal(kmd->kcontext, server, &my_creds->server)) { + result = PAM_SYSTEM_ERR; goto out_err; } if (code = krb5_timeofday(kmd->kcontext, &now)) { - syslog(LOG_ERR, dgettext(TEXT_DOMAIN, - "PAM-KRB5 (auth): attempt_krb5_auth: " - "krb5_timeofday failed: %s"), - error_message(code)); + __pam_log(LOG_AUTH | LOG_ERR, + "PAM-KRB5 (auth): attempt_krb5_auth: " + "krb5_timeofday failed: %s", + error_message(code)); + result = PAM_SYSTEM_ERR; goto out; } @@ -415,10 +426,9 @@ attempt_krb5_auth( if (renew_timeval) { code = krb5_string_to_deltat(renew_timeval, &rlife); if (code != 0 || rlife == 0 || rlife > krb5_max_duration) { - syslog(LOG_ERR, - dgettext(TEXT_DOMAIN, + __pam_log(LOG_AUTH | LOG_ERR, "PAM-KRB5 (auth): Bad max_renewable_life " - " value '%s' in Kerberos config file"), + " value '%s' in Kerberos config file", renew_timeval); result = PAM_SYSTEM_ERR; goto out; @@ -428,9 +438,8 @@ attempt_krb5_auth( code = krb5_string_to_deltat(life_timeval, &lifetime); if (code != 0 || lifetime == 0 || lifetime > krb5_max_duration) { - syslog(LOG_ERR, - dgettext(TEXT_DOMAIN, "PAM-KRB5 (auth): Bad " - "lifetime value '%s' in Kerberos config file"), + __pam_log(LOG_AUTH | LOG_ERR, + "lifetime value '%s' in Kerberos config file", life_timeval); result = PAM_SYSTEM_ERR; goto out; 
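Review bot: The rewrite at @@ -428 drops the `"PAM-KRB5 (auth): Bad "` prefix, so the error is now logged as `lifetime value '...' in Kerberos config file` with neither the module tag every other message carries nor the word that says the value was rejected. Restore it as `__pam_log(LOG_AUTH | LOG_ERR, "PAM-KRB5 (auth): Bad " "lifetime value '%s' in Kerberos config file", life_timeval);`, matching the max_renewable_life message at @@ -415 directly above.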
@@ -449,30 +458,30 @@ attempt_krb5_auth( if (proxiable_flag) { /* Set in config file */ if (kmd->debug) - syslog(LOG_DEBUG, dgettext(TEXT_DOMAIN, + __pam_log(LOG_AUTH | LOG_DEBUG, "PAM-KRB5 (auth): Proxiable tickets " - "requested")); + "requested"); krb5_get_init_creds_opt_set_proxiable(&opts, TRUE); } if (forwardable_flag) { if (kmd->debug) - syslog(LOG_DEBUG, dgettext(TEXT_DOMAIN, + __pam_log(LOG_AUTH | LOG_DEBUG, "PAM-KRB5 (auth): Forwardable tickets " - "requested")); + "requested"); krb5_get_init_creds_opt_set_forwardable(&opts, TRUE); } if (renewable_flag) { if (kmd->debug) - syslog(LOG_DEBUG, dgettext(TEXT_DOMAIN, + __pam_log(LOG_AUTH | LOG_DEBUG, "PAM-KRB5 (auth): Renewable tickets " - "requested")); + "requested"); krb5_get_init_creds_opt_set_renew_life(&opts, rlife); } if (no_address_flag) { if (kmd->debug) - syslog(LOG_DEBUG, dgettext(TEXT_DOMAIN, + __pam_log(LOG_AUTH | LOG_DEBUG, "PAM-KRB5 (auth): Addressless tickets " - "requested")); + "requested"); krb5_get_init_creds_opt_set_address_list(&opts, NULL); } @@ -496,7 +505,7 @@ attempt_krb5_auth( } if (kmd->debug) - syslog(LOG_DEBUG, + __pam_log(LOG_AUTH | LOG_DEBUG, "PAM-KRB5 (auth): attempt_krb5_auth: " "krb5_get_init_creds_password returns: %s", code == 0 ? "SUCCESS" : error_message(code)); @@ -542,29 +551,26 @@ attempt_krb5_auth( switch (code) { case KRB5_KT_NOTFOUND: - syslog(LOG_ERR, - dgettext(TEXT_DOMAIN, + __pam_log(LOG_AUTH | LOG_ERR, "PAM-KRB5 (auth): " "krb5_verify_init_creds failed:" " Key table entry \"host/%s\"" - " not found in %s"), + " not found in %s", fqdn, kt_name); break; case ENOENT: - syslog(LOG_ERR, - dgettext(TEXT_DOMAIN, + __pam_log(LOG_AUTH | LOG_ERR, "PAM-KRB5 (auth): " "krb5_verify_init_creds failed:" " Keytab file \"%s\"" - " does not exist.\n"), + " does not exist.\n", kt_name); break; default: - syslog(LOG_ERR, - dgettext(TEXT_DOMAIN, + __pam_log(LOG_AUTH | LOG_ERR, "PAM-KRB5 (auth): " "krb5_verify_init_creds failed:" - " %s"), + " %s", error_message(code)); break; } 
@@ -583,7 +589,8 @@ attempt_krb5_auth( result = PAM_USER_UNKNOWN; if (kmd->debug) - syslog(LOG_DEBUG, "PAM-KRB5 (auth): attempt_krb5_auth:" + __pam_log(LOG_AUTH | LOG_DEBUG, + "PAM-KRB5 (auth): attempt_krb5_auth:" " User is not part of the local Kerberos" " realm: %s", error_message(code)); break; @@ -607,7 +614,7 @@ attempt_krb5_auth( code = krb5_verifypw(kuser, *krb5_pass, kmd->debug); if (kmd->debug) - syslog(LOG_DEBUG, + __pam_log(LOG_AUTH | LOG_DEBUG, "PAM-KRB5 (auth): attempt_krb5_auth: " "verifypw %d", code); @@ -621,7 +628,8 @@ attempt_krb5_auth( default: result = PAM_SYSTEM_ERR; if (kmd->debug) - syslog(LOG_DEBUG, "PAM-KRB5 (auth): error %d - %s", + __pam_log(LOG_AUTH | LOG_DEBUG, + "PAM-KRB5 (auth): error %d - %s", code, error_message(code)); break; } @@ -636,7 +644,7 @@ attempt_krb5_auth( * use in acct_mgmt */ if (!(kmd->password = strdup(*krb5_pass))) { - syslog(LOG_ERR, "Cannot strdup password"); + __pam_log(LOG_AUTH | LOG_ERR, "Cannot strdup password"); result = PAM_BUF_ERR; goto out_err; } @@ -648,7 +656,7 @@ out_err: /* jump (or reach) here if error and cred cache has been init */ if (kmd->debug) - syslog(LOG_DEBUG, + __pam_log(LOG_AUTH | LOG_DEBUG, "PAM-KRB5 (auth): clearing initcreds in " "pam_authenticate()"); @@ -666,7 +674,7 @@ out: } if (kmd->debug) - syslog(LOG_DEBUG, + __pam_log(LOG_AUTH | LOG_DEBUG, "PAM-KRB5 (auth): attempt_krb5_auth returning %d", result); @@ -683,9 +691,8 @@ krb5_cleanup(pam_handle_t *pamh, void *data, int pam_status) return; if (kmd->debug) { - syslog(LOG_DEBUG, - dgettext(TEXT_DOMAIN, - "PAM-KRB5 (auth): krb5_cleanup auth_status = %d"), + __pam_log(LOG_AUTH | LOG_DEBUG, + "PAM-KRB5 (auth): krb5_cleanup auth_status = %d", kmd->auth_status); } @@ -702,6 +709,9 @@ krb5_cleanup(pam_handle_t *pamh, void *data, int pam_status) free(kmd->password); } + if (kmd->user != NULL) + free(kmd->user); + if ((pam_status != PAM_SUCCESS) || (kmd->auth_status != PAM_SUCCESS)) { krb5_free_cred_contents(kmd->kcontext, &kmd->initcreds); 
diff --git a/usr/src/lib/pam_modules/krb5/krb5_password.c b/usr/src/lib/pam_modules/krb5/krb5_password.c index aa5bc598d2..6281bab567 100644 --- a/usr/src/lib/pam_modules/krb5/krb5_password.c +++ b/usr/src/lib/pam_modules/krb5/krb5_password.c @@ -19,7 +19,7 @@ * CDDL HEADER END */ /* - * Copyright 2006 Sun Microsystems, Inc. All rights reserved. + * Copyright 2007 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */ @@ -66,7 +66,7 @@ set_ccname( int result; if (debug) - syslog(LOG_DEBUG, + __pam_log(LOG_AUTH | LOG_DEBUG, "PAM-KRB5 (password): password: finalize" " ccname env, login_result =%d, env ='%s'", login_result, kmd->env ? kmd->env : "<null>"); @@ -82,10 +82,9 @@ set_ccname( if ((result = pam_putenv(pamh, kmd->env)) != PAM_SUCCESS) { /* should not happen but... */ - syslog(LOG_ERR, - dgettext(TEXT_DOMAIN, + __pam_log(LOG_AUTH | LOG_ERR, "PAM-KRB5 (password):" - " pam_putenv failed: result: %d"), + " pam_putenv failed: result: %d", result); goto cleanupccname; } @@ -126,7 +125,7 @@ get_set_creds( */ login_result = attempt_krb5_auth(kmd, user, &newpass, 0); if (debug) - syslog(LOG_DEBUG, + __pam_log(LOG_AUTH | LOG_DEBUG, "PAM-KRB5 (password): get_set_creds: login_result= %d", login_result); /* @@ -170,14 +169,13 @@ pam_sm_chauthtok( if (strcmp(argv[i], "debug") == 0) debug = 1; else - syslog(LOG_ERR, - dgettext(TEXT_DOMAIN, - "PAM-KRB5 (password): illegal option %s"), + __pam_log(LOG_AUTH | LOG_ERR, + "PAM-KRB5 (password): illegal option %s", argv[i]); } if (debug) - syslog(LOG_DEBUG, + __pam_log(LOG_AUTH | LOG_DEBUG, "PAM-KRB5 (password): start: flags = %x", flags); @@ -186,7 +184,8 @@ pam_sm_chauthtok( if (rep_data != NULL) { if (strcmp(rep_data->type, KRB5_REPOSITORY_NAME) != 0) { if (debug) - syslog(LOG_DEBUG, "PAM-KRB5 (auth): wrong" + __pam_log(LOG_AUTH | LOG_DEBUG, + "PAM-KRB5 (auth): wrong" "repository found (%s), returning " "PAM_IGNORE", rep_data->type); return (PAM_IGNORE); 
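Review bot: The message rewritten at @@ -186 of krb5_password.c is tagged `(auth)` although it is logged from pam_sm_chauthtok; every other message in this file uses `PAM-KRB5 (password):`, so a reader of the log would look in the wrong module. Suggest `"PAM-KRB5 (password): wrong "` — the trailing space also repairs the `wrongrepository` concatenation with the literal on the next line.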
@@ -196,15 +195,15 @@ pam_sm_chauthtok( if (flags & PAM_PRELIM_CHECK) { /* Nothing to do here */ if (debug) - syslog(LOG_DEBUG, + __pam_log(LOG_AUTH | LOG_DEBUG, "PAM-KRB5 (password): prelim check"); return (PAM_IGNORE); } /* make sure PAM framework is telling us to update passwords */ if (!(flags & PAM_UPDATE_AUTHTOK)) { - syslog(LOG_ERR, dgettext(TEXT_DOMAIN, - "PAM-KRB5 (password): bad flags: %d"), + __pam_log(LOG_AUTH | LOG_ERR, + "PAM-KRB5 (password): bad flags: %d", flags); return (PAM_SYSTEM_ERR); } @@ -213,7 +212,7 @@ pam_sm_chauthtok( if ((err = pam_get_data(pamh, KRB5_DATA, (const void **)&kmd)) != PAM_SUCCESS) { if (debug) - syslog(LOG_DEBUG, + __pam_log(LOG_AUTH | LOG_DEBUG, "PAM-KRB5 (password): get mod data failed %d", err); kmd = NULL; @@ -223,7 +222,7 @@ pam_sm_chauthtok( /* let's make sure we know the krb5 pw has expired */ if (debug) - syslog(LOG_DEBUG, + __pam_log(LOG_AUTH | LOG_DEBUG, "PAM-KRB5 (password): kmd age status %d", kmd ? kmd->age_status : -99); @@ -233,13 +232,14 @@ pam_sm_chauthtok( (void) pam_get_item(pamh, PAM_USER, (void **)&user); - if (user == NULL || user == '\0') { - syslog(LOG_ERR, "PAM-KRB5 (password): username is empty"); + if (user == NULL || *user == '\0') { + __pam_log(LOG_AUTH | LOG_ERR, + "PAM-KRB5 (password): username is empty"); return (PAM_USER_UNKNOWN); } if (!get_pw_uid(user, &pw_uid)) { - syslog(LOG_ERR, + __pam_log(LOG_AUTH | LOG_ERR, "PAM-KRB5 (password): can't get uid for %s", user); return (PAM_USER_UNKNOWN); } @@ -251,7 +251,7 @@ pam_sm_chauthtok( if ((strcmp(user, ROOT_UNAME) == 0) && key_in_keytab(user, debug)) { if (debug) - syslog(LOG_DEBUG, + __pam_log(LOG_AUTH | LOG_DEBUG, "PAM-KRB5 (password): " "key for '%s' in keytab, returning IGNORE", user); result = PAM_IGNORE; 
@@ -270,7 +270,8 @@ pam_sm_chauthtok( result = krb5_verifypw(user, oldpass, debug); if (debug) - syslog(LOG_DEBUG, "PAM-KRB5 (password): verifypw %d", result); + __pam_log(LOG_AUTH | LOG_DEBUG, + "PAM-KRB5 (password): verifypw %d", result); /* * If it's a bad password or general failure, we are done. @@ -292,7 +293,8 @@ pam_sm_chauthtok( out: if (debug) - syslog(LOG_DEBUG, "PAM-KRB5 (password): out: returns %d", + __pam_log(LOG_AUTH | LOG_DEBUG, + "PAM-KRB5 (password): out: returns %d", result); return (result); @@ -345,10 +347,9 @@ krb5_verifypw( if (kadm5_get_cpw_host_srv_name(context, admin_realm, &cpw_service)) { - syslog(LOG_ERR, - dgettext(TEXT_DOMAIN, + __pam_log(LOG_AUTH | LOG_ERR, "PAM-KRB5 (password): unable to get host based " - "service name for realm %s\n"), + "service name for realm %s\n", admin_realm); krb5_free_principal(context, princ); return (3); @@ -359,7 +360,7 @@ krb5_verifypw( KADM5_API_VERSION_2, &server_handle); if (code != 0) { if (debug) - syslog(LOG_DEBUG, + __pam_log(LOG_AUTH | LOG_DEBUG, "PAM-KRB5: krb5_verifypw: init_with_pw" " failed: (%s)", error_message(code)); krb5_free_principal(context, princ); @@ -441,10 +442,9 @@ krb5_changepw( if (kadm5_get_cpw_host_srv_name(context, admin_realm, &cpw_service)) { - syslog(LOG_ERR, - dgettext(TEXT_DOMAIN, + __pam_log(LOG_AUTH | LOG_ERR, "PAM-KRB5 (password):unable to get host based " - "service name for realm %s\n"), + "service name for realm %s\n", admin_realm); return (PAM_SYSTEM_ERR); } @@ -455,7 +455,7 @@ krb5_changepw( free(cpw_service); if (code != 0) { if (debug) - syslog(LOG_DEBUG, + __pam_log(LOG_AUTH | LOG_DEBUG, "PAM-KRB5 (password): changepw: " "init_with_pw failed: (%s)", error_message(code)); krb5_free_principal(context, princ); @@ -485,7 +485,7 @@ krb5_changepw( (void) kadm5_destroy(server_handle); if (debug) - syslog(LOG_DEBUG, + __pam_log(LOG_AUTH | LOG_DEBUG, "PAM-KRB5 (password): changepw: end %d", code); if (code != 0) 
diff --git a/usr/src/lib/pam_modules/krb5/krb5_setcred.c b/usr/src/lib/pam_modules/krb5/krb5_setcred.c
index 9715b94a03..962af0255f 100644
--- a/usr/src/lib/pam_modules/krb5/krb5_setcred.c
+++ b/usr/src/lib/pam_modules/krb5/krb5_setcred.c
@@ -2,9 +2,8 @@ * CDDL HEADER START * * The contents of this file are subject to the terms of the - * Common Development and Distribution License, Version 1.0 only - * (the "License"). You may not use this file except in compliance - * with the License. + * Common Development and Distribution License (the "License"). + * You may not use this file except in compliance with the License. * * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE * or http://www.opensolaris.org/os/licensing.
@@ -20,7 +19,7 @@ * CDDL HEADER END */ /* - * Copyright 2005 Sun Microsystems, Inc. All rights reserved. + * Copyright 2007 Sun Microsystems, Inc. All rights reserved. * Use is subject to license terms. */
@@ -76,7 +75,7 @@ pam_sm_setcred( int err = 0; int debug = 0; krb5_module_data_t *kmd = NULL; - char *user; + char *user = NULL; int result; krb5_repository_data_t *krb5_data = NULL; pam_repository_t *rep_data = NULL;
@@ -89,7 +88,7 @@ pam_sm_setcred( } if (debug) - syslog(LOG_DEBUG, + __pam_log(LOG_AUTH | LOG_DEBUG, "PAM-KRB5 (setcred): start: nowarn = %d, flags = 0x%x", flags & PAM_SILENT ? 1 : 0, flags);
@@ -100,23 +99,20 @@ pam_sm_setcred( !(flags & PAM_REFRESH_CRED) && !(flags & PAM_DELETE_CRED) && !(flags & PAM_SILENT)) { - syslog(LOG_ERR, - dgettext(TEXT_DOMAIN, - "PAM-KRB5 (setcred): illegal flag %d"), flags); + __pam_log(LOG_AUTH | LOG_ERR, + "PAM-KRB5 (setcred): illegal flag %d", flags); err = PAM_SYSTEM_ERR; goto out; } - err = pam_get_item(pamh, PAM_USER, (void**) &user); - if (err != PAM_SUCCESS) - return (err); + (void) pam_get_item(pamh, PAM_USER, (void**) &user); - if (user == NULL || !user[0]) - return (PAM_AUTH_ERR); + if (user == NULL || *user == '\0') + return (PAM_USER_UNKNOWN); if (pam_get_data(pamh, KRB5_DATA, (const void**)&kmd) != PAM_SUCCESS) { if (debug) { - syslog(LOG_DEBUG, + __pam_log(LOG_AUTH | LOG_DEBUG, "PAM-KRB5 (setcred): kmd get failed, kmd=0x%p", kmd); } @@ -126,7 +122,7 @@ pam_sm_setcred( * or for PAM_DELETE_CRED */ if (flags & (PAM_REFRESH_CRED|PAM_DELETE_CRED)) { - syslog(LOG_DEBUG, + __pam_log(LOG_AUTH | LOG_DEBUG, "PAM-KRB5 (setcred): inst kmd structure"); kmd = calloc(1, sizeof (krb5_module_data_t)); @@ -149,7 +145,7 @@ pam_sm_setcred( } else { /* pam_get_data success */ if (kmd == NULL) { if (debug) { - syslog(LOG_DEBUG, + __pam_log(LOG_AUTH | LOG_DEBUG, "PAM-KRB5 (setcred): kmd structure" " gotten but is NULL for user %s", user); } @@ -158,7 +154,7 @@ pam_sm_setcred( } if (debug) - syslog(LOG_DEBUG, + __pam_log(LOG_AUTH | LOG_DEBUG, "PAM-KRB5 (setcred): kmd auth_status: %s", pam_strerror(pamh, kmd->auth_status)); @@ -173,7 +169,6 @@ pam_sm_setcred( kmd->debug = debug; - /* * User must have passed pam_authenticate() * in order to use PAM_ESTABLISH_CRED or PAM_REINITIALIZE_CRED @@ -181,7 +176,7 @@ pam_sm_setcred( if ((flags & (PAM_ESTABLISH_CRED|PAM_REINITIALIZE_CRED)) && (kmd->auth_status != PAM_SUCCESS)) { if (kmd->debug) - syslog(LOG_DEBUG, + __pam_log(LOG_AUTH | LOG_DEBUG, "PAM-KRB5 (setcred): unable to " "setcreds, not authenticated!"); return (PAM_CRED_UNAVAIL); 
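Review bot: The call rewritten at @@ -126 logs `"PAM-KRB5 (setcred): inst kmd structure"` at LOG_DEBUG unconditionally: inside `if (flags & (PAM_REFRESH_CRED|PAM_DELETE_CRED)) {` there is no `if (debug)` guard, unlike every other debug message in pam_sm_setcred. Either guard it, `if (debug) __pam_log(LOG_AUTH | LOG_DEBUG, "PAM-KRB5 (setcred): inst kmd structure");`, or, if it is meant to be always visible, say so in a comment and raise it above LOG_DEBUG.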
@@ -195,19 +190,27 @@ pam_sm_setcred( * leaks. */ if (kmd->kcontext != NULL && kmd->debug) - syslog(LOG_DEBUG, + __pam_log(LOG_AUTH | LOG_DEBUG, "PAM-KRB5 (setcred): kcontext != NULL, " "possible memory leak."); /* + * Use the authenticated and validated user, if applicable. + */ + if (kmd->user != NULL) + user = kmd->user; + + /* * If auth was short-circuited we will not have anything to * renew, so just return here. */ - err = pam_get_item(pamh, PAM_REPOSITORY, (void **)&rep_data); + (void) pam_get_item(pamh, PAM_REPOSITORY, (void **)&rep_data); + if (rep_data != NULL) { if (strcmp(rep_data->type, KRB5_REPOSITORY_NAME) != 0) { if (debug) - syslog(LOG_DEBUG, "PAM-KRB5 (setcred): wrong" + __pam_log(LOG_AUTH | LOG_DEBUG, + "PAM-KRB5 (setcred): wrong" "repository found (%s), returning " "PAM_IGNORE", rep_data->type); return (PAM_IGNORE); @@ -220,7 +223,7 @@ pam_sm_setcred( krb5_data->principal != NULL && strlen(krb5_data->principal)) { if (debug) - syslog(LOG_DEBUG, + __pam_log(LOG_AUTH | LOG_DEBUG, "PAM-KRB5 (setcred): " "Principal %s already " "authenticated, " @@ -244,8 +247,8 @@ pam_sm_setcred( err = attempt_refresh_cred(kmd, user, PAM_ESTABLISH_CRED); } - if (err) - syslog(LOG_ERR, + if (err != PAM_SUCCESS) + __pam_log(LOG_AUTH | LOG_ERR, "PAM-KRB5 (setcred): pam_setcred failed " "for %s (%s).", user, pam_strerror(pamh, err)); @@ -263,10 +266,8 @@ out: /* * 'kmd' is not freed here, it is handled in krb5_cleanup */ - - if (debug) - syslog(LOG_DEBUG, + __pam_log(LOG_AUTH | LOG_DEBUG, "PAM-KRB5 (setcred): end: %s", pam_strerror(pamh, err)); return (err); @@ -291,7 +292,7 @@ attempt_refresh_cred( /* User must have passed pam_authenticate() */ if (kmd->auth_status != PAM_SUCCESS) { if (kmd->debug) - syslog(LOG_DEBUG, + __pam_log(LOG_AUTH | LOG_DEBUG, "PAM-KRB5 (setcred): unable to " "setcreds, not authenticated!"); return (PAM_CRED_UNAVAIL); 
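Review bot: The comment on the new `user = kmd->user` at @@ -195 says what the line does but not why it matters; suggest `/* Prefer the name saved by pam_sm_authenticate(): the PAM_USER item may have been changed by another module since then, and credentials must be established for the principal that was actually authenticated. */`. Whether the credential-cache chown later in krb5_renew_tgt() is fed from this `user` is inferred from the call chain rather than visible here, so confirm it before adding that to the comment. Note the fallback to the PAM_USER item when `kmd->user` is NULL is unchanged behaviour.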
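Review bot: The `out:` rewrite at @@ -263 removes the `if (debug)` line together with the syslog() call, so `"PAM-KRB5 (setcred): end: %s"` is now logged on every pam_sm_setcred() call regardless of the debug option, while every other end-of-call message in this commit keeps its guard. Unless that is intended, restore `if (debug)` before the `__pam_log(LOG_AUTH | LOG_DEBUG,` line.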
@@ -300,14 +301,14 @@ attempt_refresh_cred( /* Create a new context here. */ if (krb5_init_context(&kmd->kcontext) != 0) { if (kmd->debug) - syslog(LOG_DEBUG, + __pam_log(LOG_AUTH | LOG_DEBUG, "PAM-KRB5 (setcred): unable to " "initialize krb5 context"); return (PAM_SYSTEM_ERR); } if (krb5_cc_default(kmd->kcontext, &kmd->ccache) != 0) { - return (PAM_CRED_ERR); + return (PAM_SYSTEM_ERR); } if ((code = get_kmd_kuser(kmd->kcontext, (const char *)user, kuser, @@ -316,7 +317,7 @@ attempt_refresh_cred( } if (krb5_parse_name(kmd->kcontext, kuser, &me) != 0) { - return (PAM_CRED_ERR); + return (PAM_SYSTEM_ERR); } if (code = krb5_build_principal_ext(kmd->kcontext, &server, @@ -325,19 +326,20 @@ attempt_refresh_cred( tgtname.length, tgtname.data, krb5_princ_realm(kmd->kcontext, me)->length, krb5_princ_realm(kmd->kcontext, me)->data, 0)) { - code = PAM_CRED_ERR; - goto out; + krb5_free_principal(kmd->kcontext, me); + return (PAM_SYSTEM_ERR); } code = krb5_renew_tgt(kmd, me, server, flag); -out: - if (server) - krb5_free_principal(kmd->kcontext, server); - if (me) - krb5_free_principal(kmd->kcontext, me); + krb5_free_principal(kmd->kcontext, server); + krb5_free_principal(kmd->kcontext, me); if (code) { + if (kmd->debug) + __pam_log(LOG_AUTH | LOG_DEBUG, + "PAM-KRB5(setcred): krb5_renew_tgt() " + "failed: %s", error_message((errcode_t)code)); return (PAM_CRED_ERR); } else { return (PAM_SUCCESS); 
@@ -375,19 +377,17 @@ krb5_renew_tgt( if ((flag != PAM_REFRESH_CRED) && (flag != PAM_REINITIALIZE_CRED) && (flag != PAM_ESTABLISH_CRED)) - return (PAM_SYSTEM_ERR); + return (KRB5KRB_ERR_GENERIC); /* this is needed only for the ktkt_warnd */ - if (krb5_unparse_name(kmd->kcontext, me, &client_name) != 0) { - krb5_free_principal(kmd->kcontext, me); - return (PAM_CRED_ERR); - } + if ((retval = krb5_unparse_name(kmd->kcontext, me, &client_name)) != 0) + return (retval); (void) memset((char *)credsp, 0, sizeof (krb5_creds)); if ((retval = krb5_copy_principal(kmd->kcontext, server, &credsp->server))) { if (kmd->debug) - syslog(LOG_DEBUG, + __pam_log(LOG_AUTH | LOG_DEBUG, "PAM-KRB5 (setcred): krb5_copy_principal " "failed: %s", error_message((errcode_t)retval)); @@ -398,10 +398,9 @@ krb5_renew_tgt( retval = krb5_cc_get_principal(kmd->kcontext, kmd->ccache, &credsp->client); if (retval && (kmd->debug)) - syslog(LOG_DEBUG, - dgettext(TEXT_DOMAIN, + __pam_log(LOG_AUTH | LOG_DEBUG, "PAM-KRB5 (setcred): User not in cred " - "cache (%s)"), error_message((errcode_t)retval)); + "cache (%s)", error_message((errcode_t)retval)); if ((retval == KRB5_FCC_NOFILE) && (flag & (PAM_ESTABLISH_CRED|PAM_REINITIALIZE_CRED))) { @@ -411,14 +410,14 @@ krb5_renew_tgt( */ if ((retval = krb5_cc_initialize(kmd->kcontext, kmd->ccache, me)) != 0) { - syslog(LOG_DEBUG, + __pam_log(LOG_AUTH | LOG_DEBUG, "PAM-KRB5 (setcred): krb5_cc_initialize " "failed: %s", error_message((errcode_t)retval)); goto cleanup_creds; } else if ((retval = krb5_cc_store_cred(kmd->kcontext, kmd->ccache, &my_creds)) != 0) { - syslog(LOG_DEBUG, + __pam_log(LOG_AUTH | LOG_DEBUG, "PAM-KRB5 (setcred): krb5_cc_store_cred " "failed: %s", error_message((errcode_t)retval)); 
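Review bot: krb5_renew_tgt() now returns Kerberos error codes — `KRB5KRB_ERR_GENERIC` here and at @@ -624, and the raw `retval` from krb5_unparse_name() — where it used to return PAM statuses, and attempt_refresh_cred() now feeds the value to error_message(); that contract change belongs in the function's header comment, which sits above this hunk: `/* Returns 0 on success or a krb5 error code (never a PAM status); attempt_refresh_cred() maps failure to PAM_CRED_ERR. */`. It is worth checking that no `return (PAM_...)` remains on paths outside these hunks, since error_message() on a PAM status prints an unrelated string. Dropping the `krb5_free_principal(kmd->kcontext, me)` on the unparse failure is correct, because the caller frees `me` after the call.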
@@ -430,10 +429,9 @@ krb5_renew_tgt(
 * This might be due to permission error on the cache,
 * or maybe we are looking in the wrong cache file!
 */
- syslog(LOG_ERR,
- dgettext(TEXT_DOMAIN,
+ __pam_log(LOG_AUTH | LOG_ERR,
 "PAM-KRB5 (setcred): Cannot find creds"
- " for %s (%s)"),
+ " for %s (%s)",
 client_name ? client_name : "(unknown)",
 error_message((errcode_t)retval));
@@ -449,7 +447,7 @@ krb5_renew_tgt(
 if ((retval = krb5_get_credentials_renew(kmd->kcontext, 0,
 kmd->ccache, &creds, &credsp))) {
 if (kmd->debug)
- syslog(LOG_DEBUG,
+ __pam_log(LOG_AUTH | LOG_DEBUG,
 "PAM-KRB5 (setcred): krb5_get_credentials",
 "_renew(reinitialize) failed: %s",
 error_message((errcode_t)retval));
@@ -547,7 +545,7 @@ krb5_renew_tgt(
 (retval = krb5_get_credentials_renew(kmd->kcontext, 0,
 kmd->ccache, &creds, &credsp))) {
 if (kmd->debug)
- syslog(LOG_DEBUG,
+ __pam_log(LOG_AUTH | LOG_DEBUG,
 "PAM-KRB5 (setcred): krb5_get_credentials"
 "_renew(update) failed: %s",
 error_message((errcode_t)retval));
@@ -585,7 +583,7 @@ krb5_renew_tgt(
 fetched = fetched->next;
 if (retval) {
 if (kmd->debug)
- syslog(LOG_DEBUG,
+ __pam_log(LOG_AUTH | LOG_DEBUG,
 "PAM-KRB5(setcred): krb5_cc_store_cred() "
 "failed: %s",
 error_message((errcode_t)retval));
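Review bot: The stray comma after `"PAM-KRB5 (setcred): krb5_get_credentials",` in the `_renew(reinitialize)` failure log turns the next literal into a separate argument instead of a string continuation, so the format string has no `%s`, the `error_message()` text is never printed, and two surplus varargs are passed. The `_renew(update)` site in the following hunk concatenates the same literals correctly. Since the commit is already rewriting this call to `__pam_log`, drop the comma: `"PAM-KRB5 (setcred): krb5_get_credentials"`. The enclosing `krb5_renew_tgt` body extends beyond the hunk on both sides.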
@@ -624,22 +622,23 @@ cleanup_creds:
 if (get_pw_uid(username, &uuid) == 0 ||
 get_pw_gid(username, &ugid) == 0) {
- syslog(LOG_ERR, "PAM-KRB5 (setcred): Unable to "
+ __pam_log(LOG_AUTH | LOG_ERR,
+ "PAM-KRB5 (setcred): Unable to "
 "find matching uid/gid pair for user `%s'",
 username);
- return (PAM_SYSTEM_ERR);
+ return (KRB5KRB_ERR_GENERIC);
 }
 if (!(filepath = strchr(kmd->env, ':')) || !(filepath+1)) {
- syslog(LOG_ERR,
+ __pam_log(LOG_AUTH | LOG_ERR,
 "PAM-KRB5 (setcred): Invalid pathname "
 "for credential cache of user `%s'",
 username);
- return (PAM_SYSTEM_ERR);
+ return (KRB5KRB_ERR_GENERIC);
 }
 if (chown(filepath+1, uuid, ugid)) {
 if (kmd->debug)
- syslog(LOG_DEBUG,
+ __pam_log(LOG_AUTH | LOG_DEBUG,
 "PAM-KRB5 (setcred): chown to user "
 "`%s' failed for FILE=%s",
 username, filepath);
@@ -652,9 +651,9 @@ cleanup_creds:
 kwarn_del_warning(client_name);
 if (kwarn_add_warning(client_name, creds.times.endtime) != 0) {
- syslog(LOG_NOTICE, dgettext(TEXT_DOMAIN,
+ __pam_log(LOG_AUTH | LOG_NOTICE,
 "PAM-KRB5 (auth): kwarn_add_warning"
- " failed: ktkt_warnd(1M) down?"));
+ " failed: ktkt_warnd(1M) down?");
 }
 }
 }
@@ -687,15 +686,15 @@ static int
 attempt_delete_initcred(krb5_module_data_t *kmd)
 {
 if (kmd == NULL)
- return (0);
+ return (PAM_SUCCESS);
 if (kmd->debug) {
- syslog(LOG_DEBUG,
+ __pam_log(LOG_AUTH | LOG_DEBUG,
 "PAM-KRB5 (setcred): deleting user's "
 "credentials (initcreds)");
 }
 krb5_free_cred_contents(kmd->kcontext, &kmd->initcreds);
 (void) memset((char *)&kmd->initcreds, 0, sizeof (krb5_creds));
 kmd->auth_status = PAM_AUTHINFO_UNAVAIL;
- return (0);
+ return (PAM_SUCCESS);
 }
diff --git a/usr/src/lib/pam_modules/krb5/utils.c b/usr/src/lib/pam_modules/krb5/utils.c
index 18c3a8f155..360f71686c 100644
--- a/usr/src/lib/pam_modules/krb5/utils.c
+++ b/usr/src/lib/pam_modules/krb5/utils.c
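Review bot: The guard `!(filepath+1)` on the `strchr` line can never be true, because `filepath + 1` is a non-null pointer, so a `kmd->env` value that ends in `:` passes the check and `chown()` is then called on an empty path; the intended test is on the character, `if ((filepath = strchr(kmd->env, ':')) == NULL || filepath[1] == '\0') {`. Separately, `chown(2)` follows symbolic links and the path here comes from a `KRB5CCNAME`-style string rather than from a descriptor this code opened itself; if the cache sits in a shared, world-writable directory and setcred runs privileged (neither is visible in the hunk), a symlink planted at that name beforehand would get its target re-owned to the user. Using `fchown()` on a descriptor opened with `O_NOFOLLOW`, or at least an `lstat()` check that the path is a regular file before the `chown()`, would remove that window. The `if (chown(...))` block continues past the end of the hunk, so whether a failed chown is fatal or only logged cannot be seen here.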
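Review bot: The `kwarn_add_warning` failure message is still tagged `PAM-KRB5 (auth)` although this is the setcred cleanup path in krb5_setcred.c, where every other message in the visible hunks is tagged `(setcred)`; anyone triaging syslog for ticket-warning failures will attribute them to the wrong module entry point. Since the call is being rewritten to `__pam_log` anyway, the literal could read `"PAM-KRB5 (setcred): kwarn_add_warning"`. The enclosing function starts before this hunk.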
@@ -2,9 +2,8 @@
 * CDDL HEADER START
 *
 * The contents of this file are subject to the terms of the
- * Common Development and Distribution License, Version 1.0 only
- * (the "License"). You may not use this file except in compliance
- * with the License.
+ * Common Development and Distribution License (the "License").
+ * You may not use this file except in compliance with the License.
 *
 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
 * or http://www.opensolaris.org/os/licensing.
@@ -20,7 +19,7 @@
 * CDDL HEADER END
 */
 /*
- * Copyright 2005 Sun Microsystems, Inc. All rights reserved.
+ * Copyright 2007 Sun Microsystems, Inc. All rights reserved.
 * Use is subject to license terms.
 */
@@ -99,7 +98,6 @@ get_pw_gid(char *user, gid_t *gid)
 * procedure as for server principals and lowercase the domainname.
 *
 * Returns:
- * PAM_AUTH_ERR - if local host name is not found
 * PAM_BUF_ERR - if there is an error from krb5_sname_to_principal(),
 * or krb5_unparse_name()
 * 0 - if there was no error
@@ -157,7 +155,7 @@ key_in_keytab(const char *user, int debug)
 if (debug)
- syslog(LOG_DEBUG,
+ __pam_log(LOG_AUTH | LOG_DEBUG,
 "PAM-KRB5 (%s): start for user '%s'",
 whoami, user ? user : "<null>");
@@ -167,7 +165,7 @@ key_in_keytab(const char *user, int debug)
 /* need to free context with krb5_free_context */
 if (code = krb5_init_context(&kcontext)) {
 if (debug)
- syslog(LOG_DEBUG,
+ __pam_log(LOG_AUTH | LOG_DEBUG,
 "PAM-KRB5 (%s): Error initializing "
 "krb5: %s", whoami,
 error_message(code));
@@ -182,7 +180,7 @@ key_in_keytab(const char *user, int debug)
 /* need to free princ with krb5_free_principal */
 if ((code = krb5_parse_name(kcontext, kuser, &princ)) != 0) {
 if (debug)
- syslog(LOG_DEBUG,
+ __pam_log(LOG_AUTH | LOG_DEBUG,
 "PAM-KRB5 (%s): can't parse name (%s)",
 whoami, error_message(code));
 goto out;
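Review bot: `if (code = krb5_init_context(&kcontext)) {` tests a bare assignment, whereas the parallel check in the next hunk of the same function is written `if ((code = krb5_parse_name(kcontext, kuser, &princ)) != 0) {`. Since the commit is touching this block, changing it to `if ((code = krb5_init_context(&kcontext)) != 0) {` keeps the error checks in `key_in_keytab` uniform and avoids the usual assignment-used-as-truth-value warning from lint. What happens after the debug log on this failure path is outside the hunk.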
@@ -191,7 +189,7 @@ key_in_keytab(const char *user, int debug)
 /* need to close keytab handle with krb5_kt_close */
 if ((code = krb5_kt_default(kcontext, &kt_handle))) {
 if (debug)
- syslog(LOG_DEBUG,
+ __pam_log(LOG_AUTH | LOG_DEBUG,
 "PAM-KRB5 (%s): krb5_kt_default failed (%s)",
 whoami, error_message(code));
 goto out;
@@ -201,20 +199,20 @@ key_in_keytab(const char *user, int debug)
 if (code != 0) {
 if (code == ENOENT) {
 if (debug)
- syslog(LOG_DEBUG,
+ __pam_log(LOG_AUTH | LOG_DEBUG,
 "PAM-KRB5 (%s): "
 "Keytab does not exist", whoami);
 } else if (code == KRB5_KT_NOTFOUND) {
 if (debug)
- syslog(LOG_DEBUG,
+ __pam_log(LOG_AUTH | LOG_DEBUG,
 "PAM-KRB5 (%s): "
 "No entry for principal "
 "'%s' exists in keytab",
 whoami, kuser);
 } else {
 if (debug)
- syslog(LOG_DEBUG,
+ __pam_log(LOG_AUTH | LOG_DEBUG,
 "PAM-KRB5 (%s): "
 "krb5_kt_get_entry failed (%s)",
 whoami, error_message(code));
@@ -222,7 +220,7 @@ key_in_keytab(const char *user, int debug)
 } else { /* Key found in keytab, return success */
 (void) krb5_kt_free_entry(kcontext, &kt_ent);
 if (debug)
- syslog(LOG_DEBUG,
+ __pam_log(LOG_AUTH | LOG_DEBUG,
 "PAM-KRB5 (%s): "
 "keytab entry for '%s' found",
 whoami, user);
diff --git a/usr/src/lib/pam_modules/krb5/utils.h b/usr/src/lib/pam_modules/krb5/utils.h
index f9959cb102..a976a5ced6 100644
--- a/usr/src/lib/pam_modules/krb5/utils.h
+++ b/usr/src/lib/pam_modules/krb5/utils.h
@@ -2,9 +2,8 @@
 * CDDL HEADER START
 *
 * The contents of this file are subject to the terms of the
- * Common Development and Distribution License, Version 1.0 only
- * (the "License"). You may not use this file except in compliance
- * with the License.
+ * Common Development and Distribution License (the "License").
+ * You may not use this file except in compliance with the License.
 *
 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
 * or http://www.opensolaris.org/os/licensing.
@@ -20,7 +19,7 @@
 * CDDL HEADER END
 */
 /*
- * Copyright 2004 Sun Microsystems, Inc. All rights reserved.
+ * Copyright 2007 Sun Microsystems, Inc. All rights reserved.
 * Use is subject to license terms.
 */
@@ -42,6 +41,7 @@ extern "C" {
 #define ROOT_UNAME "root"
 typedef struct {
+ char *user;
 int debug;
 int warn;
 int err_on_exp;
|
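Review bot: The new `char *user;` member of the module-data struct carries no comment saying what it holds or who owns the storage. If it is the `PAM_USER` item pointer returned by `pam_get_item()`, that memory belongs to libpam and is replaced by the next `pam_set_item(PAM_USER)`, so anything that frees it in the module-data cleanup or reads it from a later `pam_sm_setcred` call would need a private copy; which of the two it is cannot be told from this hunk. A one-line comment on the field, e.g. `char *user; /* PAM_USER this data was built for; copy owned by the module, freed in cleanup */` adjusted to the real ownership, would settle it for the next reader. The struct's closing brace and typedef name are outside the hunk.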
