+/*
+ * pam_krb5auto - Gets initial credentials non-interactively
+ * Copyright (C) 2004 Fredrik Tolf (fredrik@dolda2000.com)
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+*/
#include <stdlib.h>
#include <stdio.h>
#include <unistd.h>
#include <string.h>
#include <stdarg.h>
#include <malloc.h>
+#include <syslog.h>
#include <krb5.h>
#include <pwd.h>
#include <errno.h>
krb5_creds initcreds;
int hascreds;
uid_t uid;
+ gid_t gid;
};
static void log(int prio, char *format, ...)
{
int i;
struct options *opts;
+ const char *p;
+ int unit;
opts = malloc(sizeof(*opts));
memset(opts, 0, sizeof(*opts));
opts->instance = strdup(argv[i] + 9);
if(!strncmp(argv[i], "keytab=", 7))
opts->keytab = strdup(argv[i] + 7);
- if(!strncmp(argv[i], "renew=", 6))
- opts->renewable = atoi(argv[i] + 6);
+ if(!strncmp(argv[i], "renew=", 6)) {
+ p = argv[i] + strlen(argv[i]) - 1;
+ unit = 1;
+ if((*p >= 'a') && (*p <= 'z')) {
+ if(*p == 'm')
+ unit = 60;
+ else if(*p == 'h')
+ unit = 3600;
+ else if(*p == 'd')
+ unit = 86400;
+ else
+ unit = 1;
+ }
+ opts->renewable = atoi(argv[i] + 6) * unit;
+ }
if(!strcmp(argv[i], "forwardable"))
opts->forwardable = 1;
if(!strcmp(argv[i], "debug"))
return(NULL);
}
data->uid = pwent->pw_uid;
+ data->gid = pwent->pw_gid;
if((ret = krb5_init_context(&data->ctx)) != 0) {
log(LOG_CRIT, "could not create krb5 context: %s", error_message(ret));
freedata(data);
if(opts->debug)
log(LOG_DEBUG, "got creds successfully");
snprintf(buf, sizeof(buf), "KRB5CCNAME=FILE:/tmp/krb5cc_%i_XXXXXX", data->uid);
- ccname = buf + sizeof("KRB5CCNAME=");
- filename = ccname + sizeof("FILE:");
+ ccname = buf + sizeof("KRB5CCNAME=") - 1;
+ filename = ccname + sizeof("FILE:") - 1;
if((fd = mkstemp(filename)) < 0) {
log(LOG_ERR, "could not create tempfile for credentials cache: %s", strerror(errno));
ret = PAM_SERVICE_ERR;
ret = PAM_SERVICE_ERR;
goto out;
}
+ chown(filename, data->uid, data->gid);
pam_putenv(pamh, strdup(buf));
if(opts->debug)
log(LOG_DEBUG, "successfully initialized ccache");
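Review bot: `chown(filename, data->uid, data->gid);` on the new line discards its return value and works on the path rather than on the descriptor `fd` that `mkstemp` just returned. If it fails (for example EPERM when the module is not running with enough privilege) the cache stays owned by the calling process while `KRB5CCNAME` is still handed to the user, and nothing is logged; going through the path also leaves a window in `/tmp` between `mkstemp` and the ownership change that the open descriptor avoids. Since `fd` is already open, `if(fchown(fd, data->uid, data->gid) < 0) { log(LOG_ERR, "could not chown credentials cache: %s", strerror(errno)); ret = PAM_SERVICE_ERR; goto out; }` keeps the error handling consistent with the `mkstemp` check above it. Separately, the `%i` in the `snprintf` template receives a `uid_t`, which is typically unsigned, so casting (e.g. `(long)data->uid` with `%li`) avoids the mismatched conversion. The enclosing function starts before this hunk and the close/unlink handling for `fd` on the error path is not visible here.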