Module Name: src
Committed By: elric
Date: Sun Apr 24 18:48:05 UTC 2011
Modified Files:
src/lib/libpam/modules/pam_krb5: pam_krb5.c
Log Message:
Remove use of functions marked as deprecated in Heimdal.
To generate a diff of this commit:
cvs rdiff -u -r1.23 -r1.24 src/lib/libpam/modules/pam_krb5/pam_krb5.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: src/lib/libpam/modules/pam_krb5/pam_krb5.c
diff -u src/lib/libpam/modules/pam_krb5/pam_krb5.c:1.23 src/lib/libpam/modules/pam_krb5/pam_krb5.c:1.24
--- src/lib/libpam/modules/pam_krb5/pam_krb5.c:1.23 Sat Apr 2 10:22:09 2011
+++ src/lib/libpam/modules/pam_krb5/pam_krb5.c Sun Apr 24 18:48:04 2011
@@ -1,4 +1,4 @@
-/* $NetBSD: pam_krb5.c,v 1.23 2011/04/02 10:22:09 mbalmer Exp $ */
+/* $NetBSD: pam_krb5.c,v 1.24 2011/04/24 18:48:04 elric Exp $ */
/*-
* This pam_krb5 module contains code that is:
@@ -53,7 +53,7 @@
#ifdef __FreeBSD__
__FBSDID("$FreeBSD: src/lib/libpam/modules/pam_krb5/pam_krb5.c,v 1.22 2005/01/24 16:49:50 rwatson Exp $");
#else
-__RCSID("$NetBSD: pam_krb5.c,v 1.23 2011/04/02 10:22:09 mbalmer Exp $");
+__RCSID("$NetBSD: pam_krb5.c,v 1.24 2011/04/24 18:48:04 elric Exp $");
#endif
#include <sys/types.h>
@@ -83,6 +83,7 @@
#define COMPAT_HEIMDAL
/* #define COMPAT_MIT */
+static void log_krb5(krb5_context, const char *, krb5_error_code);
static int verify_krb_v5_tgt(krb5_context, krb5_ccache, char *, int);
static void cleanup_cache(pam_handle_t *, void *, int);
static const char *compat_princ_component(krb5_context, krb5_principal, int);
@@ -111,7 +112,7 @@
krb5_creds creds;
krb5_principal princ;
krb5_ccache ccache;
- krb5_get_init_creds_opt opts;
+ krb5_get_init_creds_opt *opts = NULL;
struct passwd *pwd, pwres;
int retval;
const void *ccache_data;
@@ -150,10 +151,14 @@
PAM_LOG("Context initialised");
- krb5_get_init_creds_opt_init(&opts);
+ krbret = krb5_get_init_creds_opt_alloc(pam_context, &opts);
+ if (krbret != 0) {
+ PAM_VERBOSE_ERROR("Kerberos 5 error");
+ return (PAM_SERVICE_ERR);
+ }
if (openpam_get_option(pamh, PAM_OPT_FORWARDABLE))
- krb5_get_init_creds_opt_set_forwardable(&opts, 1);
+ krb5_get_init_creds_opt_set_forwardable(opts, 1);
if ((rtime = openpam_get_option(pamh, PAM_OPT_RENEWABLE)) != NULL) {
krb5_deltat renew;
@@ -169,7 +174,7 @@
else
rtime = "1 month";
renew = parse_time(rtime, "s");
- krb5_get_init_creds_opt_set_renew_life(&opts, renew);
+ krb5_get_init_creds_opt_set_renew_life(opts, renew);
}
@@ -196,8 +201,7 @@
krbret = krb5_parse_name(pam_context, principal, &princ);
free(principal);
if (krbret != 0) {
- PAM_LOG("Error krb5_parse_name(): %s",
- krb5_get_err_text(pam_context, krbret));
+ log_krb5(pam_context, "Error krb5_parse_name(): %s", krbret);
PAM_VERBOSE_ERROR("Kerberos 5 error");
retval = PAM_SERVICE_ERR;
goto cleanup3;
@@ -208,8 +212,7 @@
/* Now convert the principal name into something human readable */
krbret = krb5_unparse_name(pam_context, princ, &princ_name);
if (krbret != 0) {
- PAM_LOG("Error krb5_unparse_name(): %s",
- krb5_get_err_text(pam_context, krbret));
+ log_krb5(pam_context, "Error krb5_unparse_name(): %s", krbret);
PAM_VERBOSE_ERROR("Kerberos 5 error");
retval = PAM_SERVICE_ERR;
goto cleanup2;
@@ -233,8 +236,8 @@
sizeof(luser), luser);
if (krbret != 0) {
PAM_VERBOSE_ERROR("Kerberos 5 error");
- PAM_LOG("Error krb5_aname_to_localname(): %s",
- krb5_get_err_text(pam_context, krbret));
+ log_krb5(pam_context,
+ "Error krb5_aname_to_localname(): %s", krbret);
retval = PAM_USER_UNKNOWN;
goto cleanup2;
}
@@ -257,11 +260,11 @@
/* Get a TGT */
memset(&creds, 0, sizeof(krb5_creds));
krbret = krb5_get_init_creds_password(pam_context, &creds, princ,
- pass, NULL, pamh, 0, NULL, &opts);
+ pass, NULL, pamh, 0, NULL, opts);
if (krbret != 0) {
PAM_VERBOSE_ERROR("Kerberos 5 error");
- PAM_LOG("Error krb5_get_init_creds_password(): %s",
- krb5_get_err_text(pam_context, krbret));
+ log_krb5(pam_context,
+ "Error krb5_get_init_creds_password(): %s", krbret);
retval = PAM_AUTH_ERR;
goto cleanup2;
}
@@ -269,27 +272,24 @@
PAM_LOG("Got TGT");
/* Generate a temporary cache */
- krbret = krb5_cc_gen_new(pam_context, &krb5_mcc_ops, &ccache);
+ krbret = krb5_cc_new_unique(pam_context, "MEMORY", NULL, &ccache);
if (krbret != 0) {
PAM_VERBOSE_ERROR("Kerberos 5 error");
- PAM_LOG("Error krb5_cc_gen_new(): %s",
- krb5_get_err_text(pam_context, krbret));
+ log_krb5(pam_context, "Error krb5_cc_gen_new(): %s", krbret);
retval = PAM_SERVICE_ERR;
goto cleanup;
}
krbret = krb5_cc_initialize(pam_context, ccache, princ);
if (krbret != 0) {
PAM_VERBOSE_ERROR("Kerberos 5 error");
- PAM_LOG("Error krb5_cc_initialize(): %s",
- krb5_get_err_text(pam_context, krbret));
+ log_krb5(pam_context, "Error krb5_cc_initialize(): %s", krbret);
retval = PAM_SERVICE_ERR;
goto cleanup;
}
krbret = krb5_cc_store_cred(pam_context, ccache, &creds);
if (krbret != 0) {
PAM_VERBOSE_ERROR("Kerberos 5 error");
- PAM_LOG("Error krb5_cc_store_cred(): %s",
- krb5_get_err_text(pam_context, krbret));
+ log_krb5(pam_context, "Error krb5_cc_store_cred(): %s", krbret);
krb5_cc_destroy(pam_context, ccache);
retval = PAM_SERVICE_ERR;
goto cleanup;
@@ -351,6 +351,9 @@
if (princ_name)
free(princ_name);
+ if (opts)
+ krb5_get_init_creds_opt_free(pam_context, opts);
+
krb5_free_context(pam_context);
PAM_LOG("Done cleanup3");
@@ -379,6 +382,7 @@
const void *cache_data;
char *cache_name_buf = NULL, *p, *cache_name_buf2 = NULL;
char pwbuf[1024];
+ const char *errtxt;
uid_t euid;
gid_t egid;
@@ -423,8 +427,15 @@
}
krbret = krb5_cc_resolve(pam_context, cache_data, &ccache_temp);
if (krbret != 0) {
- PAM_LOG("Error krb5_cc_resolve(\"%s\"): %s", (const char *)cache_data,
- krb5_get_err_text(pam_context, krbret));
+ errtxt = krb5_get_error_message(pam_context, krbret);
+ if (errtxt != NULL) {
+ PAM_LOG("Error krb5_cc_resolve(\"%s\"): %s",
+ (const char *)cache_data, errtxt);
+ krb5_free_error_message(pam_context, errtxt);
+ } else {
+ PAM_LOG("Error krb5_cc_resolve(\"%s\"): %d",
+ (const char *)cache_data, krbret);
+ }
retval = PAM_SERVICE_ERR;
goto cleanup3;
}
@@ -503,23 +514,21 @@
/* Initialize the new ccache */
krbret = krb5_cc_get_principal(pam_context, ccache_temp, &princ);
if (krbret != 0) {
- PAM_LOG("Error krb5_cc_get_principal(): %s",
- krb5_get_err_text(pam_context, krbret));
+ log_krb5(pam_context, "Error krb5_cc_get_principal(): %s",
+ krbret);
retval = PAM_SERVICE_ERR;
goto cleanup3;
}
krbret = krb5_cc_resolve(pam_context, cache_name, &ccache_perm);
if (krbret != 0) {
- PAM_LOG("Error krb5_cc_resolve(): %s",
- krb5_get_err_text(pam_context, krbret));
+ log_krb5(pam_context, "Error krb5_cc_resolve(): %s", krbret);
retval = PAM_SERVICE_ERR;
goto cleanup2;
}
krbret = krb5_cc_initialize(pam_context, ccache_perm, princ);
if (krbret != 0) {
- PAM_LOG("Error krb5_cc_initialize(): %s",
- krb5_get_err_text(pam_context, krbret));
+ log_krb5(pam_context, "Error krb5_cc_initialize(): %s", krbret);
retval = PAM_SERVICE_ERR;
goto cleanup2;
}
@@ -529,8 +538,8 @@
/* Prepare for iteration over creds */
krbret = krb5_cc_start_seq_get(pam_context, ccache_temp, &cursor);
if (krbret != 0) {
- PAM_LOG("Error krb5_cc_start_seq_get(): %s",
- krb5_get_err_text(pam_context, krbret));
+ log_krb5(pam_context, "Error krb5_cc_start_seq_get(): %s",
+ krbret);
krb5_cc_destroy(pam_context, ccache_perm);
retval = PAM_SERVICE_ERR;
goto cleanup2;
@@ -544,8 +553,8 @@
krbret = krb5_cc_store_cred(pam_context, ccache_perm, &creds);
if (krbret != 0) {
- PAM_LOG("Error krb5_cc_store_cred(): %s",
- krb5_get_err_text(pam_context, krbret));
+ log_krb5(pam_context, "Error krb5_cc_store_cred(): %s",
+ krbret);
krb5_cc_destroy(pam_context, ccache_perm);
krb5_free_cred_contents(pam_context, &creds);
retval = PAM_SERVICE_ERR;
@@ -627,6 +636,7 @@
int retval;
const void *user;
const void *ccache_name;
+ const char *errtxt;
retval = pam_get_item(pamh, PAM_USER, &user);
if (retval != PAM_SUCCESS)
@@ -650,8 +660,15 @@
krbret = krb5_cc_resolve(pam_context, (const char *)ccache_name, &ccache);
if (krbret != 0) {
- PAM_LOG("Error krb5_cc_resolve(\"%s\"): %s", (const char *)ccache_name,
- krb5_get_err_text(pam_context, krbret));
+ errtxt = krb5_get_error_message(pam_context, krbret);
+ if (errtxt != NULL) {
+ PAM_LOG("Error krb5_cc_resolve(\"%s\"): %s",
+ (const char *)ccache_name, errtxt);
+ krb5_free_error_message(pam_context, errtxt);
+ } else {
+ PAM_LOG("Error krb5_cc_resolve(\"%s\"): %d",
+ (const char *)ccache_name, krbret);
+ }
krb5_free_context(pam_context);
return (PAM_PERM_DENIED);
}
@@ -661,8 +678,8 @@
krbret = krb5_cc_get_principal(pam_context, ccache, &princ);
if (krbret != 0) {
- PAM_LOG("Error krb5_cc_get_principal(): %s",
- krb5_get_err_text(pam_context, krbret));
+ log_krb5(pam_context, "Error krb5_cc_get_principal(): %s",
+ krbret);
retval = PAM_PERM_DENIED;;
goto cleanup;
}
@@ -696,13 +713,14 @@
krb5_context pam_context;
krb5_creds creds;
krb5_principal princ;
- krb5_get_init_creds_opt opts;
+ krb5_get_init_creds_opt *opts;
krb5_data result_code_string, result_string;
int result_code, retval;
const char *pass;
const void *user;
char *princ_name, *passdup;
char password_prompt[80];
+ const char *errtxt;
princ_name = NULL;
if (flags & PAM_PRELIM_CHECK) {
@@ -729,19 +747,22 @@
PAM_LOG("Context initialised");
- krb5_get_init_creds_opt_init(&opts);
+ krbret = krb5_get_init_creds_opt_alloc(pam_context, &opts);
+ if (krbret != 0) {
+ PAM_LOG("Error krb5_init_context() failed");
+ return (PAM_SERVICE_ERR);
+ }
- krb5_get_init_creds_opt_set_tkt_life(&opts, 300);
- krb5_get_init_creds_opt_set_forwardable(&opts, FALSE);
- krb5_get_init_creds_opt_set_proxiable(&opts, FALSE);
+ krb5_get_init_creds_opt_set_tkt_life(opts, 300);
+ krb5_get_init_creds_opt_set_forwardable(opts, FALSE);
+ krb5_get_init_creds_opt_set_proxiable(opts, FALSE);
PAM_LOG("Credentials options initialised");
/* Get principal name */
krbret = krb5_parse_name(pam_context, (const char *)user, &princ);
if (krbret != 0) {
- PAM_LOG("Error krb5_parse_name(): %s",
- krb5_get_err_text(pam_context, krbret));
+ log_krb5(pam_context, "Error krb5_parse_name(): %s", krbret);
retval = PAM_USER_UNKNOWN;
goto cleanup3;
}
@@ -749,8 +770,7 @@
/* Now convert the principal name into something human readable */
krbret = krb5_unparse_name(pam_context, princ, &princ_name);
if (krbret != 0) {
- PAM_LOG("Error krb5_unparse_name(): %s",
- krb5_get_err_text(pam_context, krbret));
+ log_krb5(pam_context, "Error krb5_unparse_name(): %s", krbret);
retval = PAM_SERVICE_ERR;
goto cleanup2;
}
@@ -768,10 +788,10 @@
memset(&creds, 0, sizeof(krb5_creds));
krbret = krb5_get_init_creds_password(pam_context, &creds, princ,
- pass, NULL, pamh, 0, "kadmin/changepw", &opts);
+ pass, NULL, pamh, 0, "kadmin/changepw", opts);
if (krbret != 0) {
- PAM_LOG("Error krb5_get_init_creds_password(): %s",
- krb5_get_err_text(pam_context, krbret));
+ log_krb5(pam_context,
+ "Error krb5_get_init_creds_password(): %s", krbret);
retval = PAM_AUTH_ERR;
goto cleanup2;
}
@@ -800,12 +820,17 @@
krb5_data_zero(&result_code_string);
krb5_data_zero(&result_string);
- krbret = krb5_change_password(pam_context, &creds, passdup,
+ krbret = krb5_set_password(pam_context, &creds, passdup, princ,
&result_code, &result_code_string, &result_string);
free(passdup);
if (krbret != 0) {
- pam_error(pamh, "Unable to set password: %s",
- krb5_get_err_text(pam_context, krbret));
+ errtxt = krb5_get_error_message(pam_context, krbret);
+ if (errtxt != NULL) {
+ pam_error(pamh, "Unable to set password: %s", errtxt);
+ krb5_free_error_message(pam_context, errtxt);
+ } else {
+ pam_error(pamh, "Unable to set password: %d", krbret);
+ }
retval = PAM_AUTHTOK_ERR;
goto cleanup;
}
@@ -833,6 +858,9 @@
if (princ_name)
free(princ_name);
+ if (opts)
+ krb5_get_init_creds_opt_free(pam_context, opts);
+
krb5_free_context(pam_context);
PAM_LOG("Done cleanup3");
@@ -842,6 +870,20 @@
PAM_MODULE_ENTRY("pam_krb5");
+static void
+log_krb5(krb5_context ctx, const char *fmt, krb5_error_code err)
+{
+ const char *errtxt;
+
+ errtxt = krb5_get_error_message(ctx, err);
+ if (errtxt != NULL) {
+ PAM_LOG(fmt, errtxt);
+ krb5_free_error_message(ctx, errtxt);
+ } else {
+ PAM_LOG(fmt, "unknown");
+ }
+}
+
/*
* This routine with some modification is from the MIT V5B6 appl/bsd/login.c
* Modified by Sam Hartman <[email protected]> to support PAM services
@@ -869,6 +911,7 @@
char phost[BUFSIZ];
const char *services[3], **service;
struct syslog_data data = SYSLOG_DATA_INIT;
+ const char *errtxt;
packet.data = 0;
@@ -892,14 +935,22 @@
for (service = &services[0]; *service != NULL; service++) {
retval = krb5_sname_to_principal(context, NULL, *service,
KRB5_NT_SRV_HST, &princ);
- if (retval != 0) {
- if (debug)
+ if (retval != 0 && debug) {
+ errtxt = krb5_get_error_message(context,
+ retval);
+ if (errtxt != NULL) {
syslog_r(LOG_DEBUG, &data,
"pam_krb5: verify_krb_v5_tgt(): %s: %s",
- "krb5_sname_to_principal()",
- krb5_get_err_text(context, retval));
- return -1;
+ "krb5_sname_to_principal()", errtxt);
+ krb5_free_error_message(context, errtxt);
+ } else {
+ syslog_r(LOG_DEBUG, &data,
+ "pam_krb5: verify_krb_v5_tgt(): %s: %d",
+ "krb5_sname_to_principal()", retval);
+ }
}
+ if (retval != 0)
+ return -1;
/* Extract the name directly. */
strncpy(phost, compat_princ_component(context, princ, 1),
@@ -919,11 +970,19 @@
}
if (retval != 0) { /* failed to find key */
/* Keytab or service key does not exist */
- if (debug)
- syslog_r(LOG_DEBUG, &data,
- "pam_krb5: verify_krb_v5_tgt(): %s: %s",
- "krb5_kt_read_service_key()",
- krb5_get_err_text(context, retval));
+ if (debug) {
+ errtxt = krb5_get_error_message(context, retval);
+ if (errtxt != NULL) {
+ syslog_r(LOG_DEBUG, &data,
+ "pam_krb5: verify_krb_v5_tgt(): %s: %s",
+ "krb5_kt_read_service_key()", errtxt);
+ krb5_free_error_message(context, errtxt);
+ } else {
+ syslog_r(LOG_DEBUG, &data,
+ "pam_krb5: verify_krb_v5_tgt(): %s: %d",
+ "krb5_kt_read_service_key()", retval);
+ }
+ }
retval = 0;
goto cleanup;
}
@@ -939,11 +998,19 @@
auth_context = NULL; /* setup for rd_req */
}
if (retval) {
- if (debug)
- syslog_r(LOG_DEBUG, &data,
- "pam_krb5: verify_krb_v5_tgt(): %s: %s",
- "krb5_mk_req()",
- krb5_get_err_text(context, retval));
+ if (debug) {
+ errtxt = krb5_get_error_message(context, retval);
+ if (errtxt != NULL) {
+ syslog_r(LOG_DEBUG, &data,
+ "pam_krb5: verify_krb_v5_tgt(): %s: %s",
+ "krb5_mk_req()", errtxt);
+ krb5_free_error_message(context, errtxt);
+ } else {
+ syslog_r(LOG_DEBUG, &data,
+ "pam_krb5: verify_krb_v5_tgt(): %s: %d",
+ "krb5_mk_req()", retval);
+ }
+ }
retval = -1;
goto cleanup;
}
@@ -952,11 +1019,19 @@
retval = krb5_rd_req(context, &auth_context, &packet, princ, NULL,
NULL, NULL);
if (retval) {
- if (debug)
- syslog_r(LOG_DEBUG, &data,
- "pam_krb5: verify_krb_v5_tgt(): %s: %s",
- "krb5_rd_req()",
- krb5_get_err_text(context, retval));
+ if (debug) {
+ errtxt = krb5_get_error_message(context, retval);
+ if (errtxt != NULL) {
+ syslog_r(LOG_DEBUG, &data,
+ "pam_krb5: verify_krb_v5_tgt(): %s: %s",
+ "krb5_rd_req()", errtxt);
+ krb5_free_error_message(context, errtxt);
+ } else {
+ syslog_r(LOG_DEBUG, &data,
+ "pam_krb5: verify_krb_v5_tgt(): %s: %d",
+ "krb5_rd_req()", retval);
+ }
+ }
retval = -1;
}
else
