* principal. Return the Kerberos status code.
*/
retval = krb5_get_init_creds_password(ctx->context, creds, princ,
- (char *) pass, pamk5_prompter_krb5, args, 0,
- (char *) service, opts);
+ (char *) pass, pamk5_prompter_krb5,
+ args, 0, (char *) service, opts);
if (retval != 0) {
putil_debug_krb5(args, retval, "alternate authentication failed");
krb5_free_principal(ctx->context, princ);
}
retval = krb5_parse_name(ctx->context, name, &princ);
if (retval != 0) {
- putil_err_krb5(args, retval,
- "cannot parse mapped principal name %s", mapped);
+ putil_err_krb5(args, retval, "cannot parse mapped principal name %s",
+ mapped);
goto done;
}
retval = krb5_unparse_name(ctx->context, princ, &mapped);
if (strcmp(authed, mapped) == 0)
status = PAM_SUCCESS;
else {
- putil_debug(args, "mapped user %s does not match principal %s",
- mapped, authed);
+ putil_debug(args, "mapped user %s does not match principal %s", mapped,
+ authed);
status = PAM_AUTH_ERR;
}
* the appropriate internal functions. This interface is used by both the
* authentication and the password groups.
*
- * Copyright 2005, 2006, 2007, 2008, 2009, 2010, 2014, 2015, 2017
+ * Copyright 2005-2010, 2014-2015, 2017, 2020
* Russ Allbery <eagle@eyrie.org>
- * Copyright 2010, 2011, 2012, 2014
+ * Copyright 2010-2012, 2014
* The Board of Trustees of the Leland Stanford Junior University
* Copyright 2005 Andres Salomon <dilinger@debian.org>
- * Copyright 1999, 2000 Frank Cusack <fcusack@fcusack.com>
+ * Copyright 1999-2000 Frank Cusack <fcusack@fcusack.com>
*
* See LICENSE for licensing terms.
*/
#include <errno.h>
#ifdef HAVE_HX509_ERR_H
-# include <hx509_err.h>
+# include <hx509_err.h>
#endif
#include <pwd.h>
#include <sys/stat.h>
* This will cause the right thing to happen with the logic around PKINIT.
*/
#ifndef HX509_PKCS11_NO_TOKEN
-# define HX509_PKCS11_NO_TOKEN 0
+# define HX509_PKCS11_NO_TOKEN 0
#endif
#ifndef HX509_PKCS11_NO_SLOT
-# define HX509_PKCS11_NO_SLOT 0
+# define HX509_PKCS11_NO_SLOT 0
#endif
char *user_realm;
char *user = ctx->name;
char *newuser = NULL;
- char kuser[65] = ""; /* MAX_USERNAME == 65 (MIT Kerberos 1.4.1). */
+ char kuser[65] = ""; /* MAX_USERNAME == 65 (MIT Kerberos 1.4.1). */
krb5_error_code k5_errno;
int retval;
if (config->forwardable)
krb5_get_init_creds_opt_set_forwardable(opts, 1);
if (config->ticket_lifetime != 0)
- krb5_get_init_creds_opt_set_tkt_life(opts, config->ticket_lifetime);
+ krb5_get_init_creds_opt_set_tkt_life(opts,
+ config->ticket_lifetime);
if (config->renew_lifetime != 0)
krb5_get_init_creds_opt_set_renew_life(opts,
config->renew_lifetime);
- krb5_get_init_creds_opt_set_change_password_prompt(opts,
- (config->defer_pwchange || config->fail_pwchange) ? 0 : 1);
+ krb5_get_init_creds_opt_set_change_password_prompt(
+ opts, (config->defer_pwchange || config->fail_pwchange) ? 0 : 1);
} else {
krb5_get_init_creds_opt_set_forwardable(opts, 0);
krb5_get_init_creds_opt_set_proxiable(opts, 0);
*value = '\0';
value++;
}
- krb5_get_init_creds_opt_set_pa(c, opts,
- name, (value != NULL) ? value : "yes");
+ krb5_get_init_creds_opt_set_pa(
+ c, opts, name, (value != NULL) ? value : "yes");
if (value != NULL)
value[-1] = save;
}
maybe_retrieve_password(struct pam_args *args, int authtok, const char **pass)
{
int status;
- const bool try = args->config->try_first_pass;
+ const bool try_first = args->config->try_first_pass;
const bool use = args->config->use_first_pass;
const bool force = args->config->force_first_pass;
*pass = NULL;
- if (!try && !use && !force)
+ if (!try_first && !use && !force)
return PAM_SUCCESS;
status = pam_get_item(args->pamh, authtok, (PAM_CONST void **) pass);
if (*pass != NULL && **pass == '\0') {
/* Do the authentication. */
retval = krb5_get_init_creds_password(ctx->context, creds, ctx->princ,
- (char *) pass, pamk5_prompter_krb5, args, 0,
- (char *) service, opts);
+ (char *) pass, pamk5_prompter_krb5,
+ args, 0, (char *) service, opts);
/*
* Heimdal may return an expired key error even if the password is
retval = krb5_get_init_creds_opt_alloc(ctx->context, &heimdal_opts);
if (retval == 0) {
set_credential_options(args, opts, 1);
- retval = krb5_get_init_creds_password(ctx->context, creds,
- ctx->princ, (char *) pass, pamk5_prompter_krb5, args,
- 0, (char *) "kadmin/changepw", heimdal_opts);
+ retval = krb5_get_init_creds_password(
+ ctx->context, creds, ctx->princ, (char *) pass,
+ pamk5_prompter_krb5, args, 0, (char *) "kadmin/changepw",
+ heimdal_opts);
krb5_get_init_creds_opt_free(ctx->context, heimdal_opts);
}
if (retval == 0) {
if (pwd == NULL || filename == NULL || access(filename, R_OK) != 0) {
free(filename);
return krb5_get_init_creds_password(ctx->context, creds, ctx->princ,
- (char *) pass, pamk5_prompter_krb5, args, 0,
- (char *) service, opts);
+ (char *) pass, pamk5_prompter_krb5,
+ args, 0, (char *) service, opts);
}
/*
if (service == NULL)
putil_debug(args, "attempting authentication as %s", line);
else
- putil_debug(args, "attempting authentication as %s for %s",
- line, service);
- retval = krb5_get_init_creds_password(ctx->context, creds, princ,
- (char *) pass, pamk5_prompter_krb5, args, 0,
- (char *) service, opts);
+ putil_debug(args, "attempting authentication as %s for %s", line,
+ service);
+ retval = krb5_get_init_creds_password(
+ ctx->context, creds, princ, (char *) pass, pamk5_prompter_krb5,
+ args, 0, (char *) service, opts);
/*
* If that worked, update ctx->princ and return success. Otherwise,
if (retval != 0)
return retval;
set_credential_options(args, opts, service != NULL);
- retval = krb5_get_init_creds_opt_set_pkinit(ctx->context, opts,
- ctx->princ, args->config->pkinit_user,
- args->config->pkinit_anchors, NULL, NULL, 0,
- pamk5_prompter_krb5, args, NULL);
+ retval = krb5_get_init_creds_opt_set_pkinit(
+ ctx->context, opts, ctx->princ, args->config->pkinit_user,
+ args->config->pkinit_anchors, NULL, NULL, 0, pamk5_prompter_krb5, args,
+ NULL);
if (retval != 0)
goto done;
/* Finally, do the actual work and return the results. */
- retval = krb5_get_init_creds_password(ctx->context, *creds, ctx->princ,
- NULL, NULL, args, 0, (char *) service, opts);
+ retval =
+ krb5_get_init_creds_password(ctx->context, *creds, ctx->princ, NULL,
+ NULL, args, 0, (char *) service, opts);
done:
krb5_get_init_creds_opt_free(ctx->context, opts);
#ifdef HAVE_HX509_ERR_H
switch (retval) {
-# ifdef HX509_PKCS11_PIN_LOCKED
+# ifdef HX509_PKCS11_PIN_LOCKED
case HX509_PKCS11_PIN_LOCKED:
message = "PKINIT failed: user PIN locked";
break;
-# endif
-# ifdef HX509_PKCS11_PIN_EXPIRED
+# endif
+# ifdef HX509_PKCS11_PIN_EXPIRED
case HX509_PKCS11_PIN_EXPIRED:
message = "PKINIT failed: user PIN expired";
break;
-# endif
-# ifdef HX509_PKCS11_PIN_INCORRECT
+# endif
+# ifdef HX509_PKCS11_PIN_INCORRECT
case HX509_PKCS11_PIN_INCORRECT:
message = "PKINIT failed: user PIN incorrect";
break;
-# endif
-# ifdef HX509_PKCS11_PIN_NOT_INITIALIZED
+# endif
+# ifdef HX509_PKCS11_PIN_NOT_INITIALIZED
case HX509_PKCS11_PIN_NOT_INITIALIZED:
message = "PKINIT fialed: user PIN not initialized";
break;
-# endif
+# endif
default:
message = "PKINIT failed";
break;
|| retval == KRB5_GET_IN_TKT_LOOP
|| retval == KRB5_BAD_ENCTYPE));
-verify: UNUSED
+verify:
+ UNUSED
/*
* If we think we succeeded, whether through the regular path or via
* PKINIT, try to verify the credentials. Don't do this if we're
/* Temporary backward compatibility. */
if (args->config->use_authtok && !args->config->force_first_pass) {
putil_err(args, "use_authtok option in authentication group should"
- " be changed to force_first_pass");
+ " be changed to force_first_pass");
args->config->force_first_pass = true;
}
ctx->expired = 1;
pamret = PAM_SUCCESS;
} else if (args->config->force_pwchange) {
- pam_syslog(args->pamh, LOG_INFO, "user %s password expired,"
- " forcing password change", ctx->name);
+ pam_syslog(args->pamh, LOG_INFO,
+ "user %s password expired, forcing password change",
+ ctx->name);
pamk5_conv(args, "Password expired. You must change it now.",
PAM_TEXT_INFO, NULL);
pamret = pam_get_item(args->pamh, PAM_AUTHTOK,
pamret = pamk5_cache_mkstemp(args, cache_name);
if (pamret != PAM_SUCCESS)
goto done;
- pamret = pamk5_cache_init(args, cache_name, creds,
- &args->config->ctx->cache);
+ pamret =
+ pamk5_cache_init(args, cache_name, creds, &args->config->ctx->cache);
if (pamret != PAM_SUCCESS)
goto done;
putil_debug(args, "temporarily storing credentials in %s", cache_name);
*
* Written by Russ Allbery <eagle@eyrie.org>
* Contributions from Sam Hartman and Yair Yarom
- * Copyright 2017 Russ Allbery <eagle@eyrie.org>
+ * Copyright 2017, 2020 Russ Allbery <eagle@eyrie.org>
* Copyright 2010, 2012
* The Board of Trustees of the Leland Stanford Junior University
*
putil_debug_krb5(args, retval, "cannot find realm for anonymous FAST");
return retval;
}
- retval = krb5_build_principal_ext(c, &princ, (unsigned int) strlen(realm),
- realm, strlen(KRB5_WELLKNOWN_NAME), KRB5_WELLKNOWN_NAME,
- strlen(KRB5_ANON_NAME), KRB5_ANON_NAME, NULL);
+ retval = krb5_build_principal_ext(
+ c, &princ, (unsigned int) strlen(realm), realm,
+ strlen(KRB5_WELLKNOWN_NAME), KRB5_WELLKNOWN_NAME,
+ strlen(KRB5_ANON_NAME), KRB5_ANON_NAME, NULL);
if (retval != 0) {
krb5_free_default_realm(c, realm);
putil_debug_krb5(args, retval, "cannot create anonymous principal");
}
retval = krb5_cc_resolve(c, name, ccache);
if (retval != 0) {
- putil_err_krb5(args, retval, "cannot create anonymous FAST credential"
- " cache %s", name);
+ putil_err_krb5(args, retval,
+ "cannot create anonymous FAST credential cache %s",
+ name);
goto done;
}
}
krb5_get_init_creds_opt_set_anonymous(opts, 1);
krb5_get_init_creds_opt_set_tkt_life(opts, 60);
-# ifdef HAVE_KRB5_GET_INIT_CREDS_OPT_SET_OUT_CCACHE
+# ifdef HAVE_KRB5_GET_INIT_CREDS_OPT_SET_OUT_CCACHE
krb5_get_init_creds_opt_set_out_ccache(c, opts, *ccache);
-# endif
+# endif
retval = krb5_get_init_creds_password(c, &creds, princ, NULL, NULL, NULL,
0, NULL, opts);
if (retval != 0) {
- putil_debug_krb5(args, retval, "cannot obtain anonymous credentials"
- " for FAST");
+ putil_debug_krb5(args, retval,
+ "cannot obtain anonymous credentials for FAST");
goto done;
}
creds_valid = true;
* credentials when initializing the ticket cache, since the realm will
* not match the realm of our input principal.
*/
-# ifndef HAVE_KRB5_GET_INIT_CREDS_OPT_SET_OUT_CCACHE
+# ifndef HAVE_KRB5_GET_INIT_CREDS_OPT_SET_OUT_CCACHE
retval = krb5_cc_initialize(c, *ccache, creds.client);
if (retval != 0) {
putil_err_krb5(args, retval, "cannot initialize FAST ticket cache");
putil_err_krb5(args, retval, "cannot store FAST credentials");
goto done;
}
-# endif /* !HAVE_KRB5_GET_INIT_CREDS_OPT_SET_OUT_CCACHE */
+# endif /* !HAVE_KRB5_GET_INIT_CREDS_OPT_SET_OUT_CCACHE */
- done:
+done:
if (retval != 0 && *ccache != NULL) {
krb5_cc_destroy(c, *ccache);
*ccache = NULL;
krb5_free_cred_contents(c, &creds);
return retval;
}
-#endif /* HAVE_KRB5_GET_INIT_CREDS_OPT_SET_ANONYMOUS */
+#endif /* HAVE_KRB5_GET_INIT_CREDS_OPT_SET_ANONYMOUS */
/*
}
retval = krb5_cc_get_principal(c, ccache, &princ);
if (retval != 0) {
- putil_debug_krb5(args, retval, "failed to get principal from FAST"
- " ccache %s", cache);
+ putil_debug_krb5(args, retval,
+ "failed to get principal from FAST"
+ " ccache %s",
+ cache);
krb5_cc_close(c, ccache);
return NULL;
} else {
}
retval = krb5_cc_get_full_name(c, ccache, &cache);
if (retval != 0) {
- putil_debug_krb5(args, retval, "cannot get name of anonymous FAST"
+ putil_debug_krb5(args, retval,
+ "cannot get name of anonymous FAST"
" credential cache");
krb5_cc_destroy(c, ccache);
return NULL;
struct vector;
/* Used for unused parameters to silence gcc warnings. */
-#define UNUSED __attribute__((__unused__))
+#define UNUSED __attribute__((__unused__))
/*
* An authentication context, including all the data we want to preserve
* as the first argument to most internal functions.
*/
struct context {
- char *name; /* Username being authenticated. */
- krb5_context context; /* Kerberos context. */
- krb5_ccache cache; /* Active credential cache, if any. */
- krb5_principal princ; /* Principal being authenticated. */
- int expired; /* If set, account was expired. */
- int dont_destroy_cache; /* If set, don't destroy cache on shutdown. */
- int initialized; /* If set, ticket cache initialized. */
- krb5_creds *creds; /* Credentials for password changing. */
- krb5_ccache fast_cache; /* Temporary credential cache for FAST. */
+ char *name; /* Username being authenticated. */
+ krb5_context context; /* Kerberos context. */
+ krb5_ccache cache; /* Active credential cache, if any. */
+ krb5_principal princ; /* Principal being authenticated. */
+ int expired; /* If set, account was expired. */
+ int dont_destroy_cache; /* If set, don't destroy cache on shutdown. */
+ int initialized; /* If set, ticket cache initialized. */
+ krb5_creds *creds; /* Credentials for password changing. */
+ krb5_ccache fast_cache; /* Temporary credential cache for FAST. */
};
/*
*/
struct pam_config {
/* Authorization. */
- char *alt_auth_map; /* An sprintf pattern to map principals. */
- bool force_alt_auth; /* Alt principal must be used if it exists. */
- bool ignore_k5login; /* Don't check .k5login files. */
- bool ignore_root; /* Skip authentication for root. */
- long minimum_uid; /* Ignore users below this UID. */
- bool only_alt_auth; /* Alt principal must be used. */
- bool search_k5login; /* Try password with each line of .k5login. */
+ char *alt_auth_map; /* An sprintf pattern to map principals. */
+ bool force_alt_auth; /* Alt principal must be used if it exists. */
+ bool ignore_k5login; /* Don't check .k5login files. */
+ bool ignore_root; /* Skip authentication for root. */
+ long minimum_uid; /* Ignore users below this UID. */
+ bool only_alt_auth; /* Alt principal must be used. */
+ bool search_k5login; /* Try password with each line of .k5login. */
/* Kerberos behavior. */
- char *fast_ccache; /* Cache containing armor ticket. */
- bool anon_fast; /* sets up an anonymous fast armor cache */
- bool forwardable; /* Obtain forwardable tickets. */
- char *keytab; /* Keytab for credential validation. */
- char *realm; /* Default realm for Kerberos. */
- krb5_deltat renew_lifetime; /* Renewable lifetime of credentials. */
+ char *fast_ccache; /* Cache containing armor ticket. */
+ bool anon_fast; /* sets up an anonymous fast armor cache */
+ bool forwardable; /* Obtain forwardable tickets. */
+ char *keytab; /* Keytab for credential validation. */
+ char *realm; /* Default realm for Kerberos. */
+ krb5_deltat renew_lifetime; /* Renewable lifetime of credentials. */
krb5_deltat ticket_lifetime; /* Lifetime of credentials. */
- char *user_realm; /* Default realm for user principals. */
+ char *user_realm; /* Default realm for user principals. */
/* PAM behavior. */
- bool clear_on_fail; /* Delete saved password on change failure. */
- bool debug; /* Log debugging information. */
- bool defer_pwchange; /* Defer expired account fail to account. */
- bool fail_pwchange; /* Treat expired password as auth failure. */
- bool force_pwchange; /* Change expired passwords in auth. */
- bool no_update_user; /* Don't update PAM_USER with local name. */
- bool silent; /* Suppress text and errors (PAM_SILENT). */
- char *trace; /* File name for trace logging. */
+ bool clear_on_fail; /* Delete saved password on change failure. */
+ bool debug; /* Log debugging information. */
+ bool defer_pwchange; /* Defer expired account fail to account. */
+ bool fail_pwchange; /* Treat expired password as auth failure. */
+ bool force_pwchange; /* Change expired passwords in auth. */
+ bool no_update_user; /* Don't update PAM_USER with local name. */
+ bool silent; /* Suppress text and errors (PAM_SILENT). */
+ char *trace; /* File name for trace logging. */
/* PKINIT. */
char *pkinit_anchors; /* Trusted certificates, usually per realm. */
bool use_pkinit; /* Require PKINIT. */
/* Prompting. */
- char *banner; /* Addition to password changing prompts. */
- bool expose_account; /* Display principal in password prompts. */
- bool force_first_pass; /* Require a previous password be stored. */
- bool no_prompt; /* Let Kerberos handle password prompting. */
- bool prompt_principal; /* Prompt for the Kerberos principal. */
- bool try_first_pass; /* Try the previously entered password. */
- bool use_authtok; /* Use the stored new password for changes. */
- bool use_first_pass; /* Always use the previous password. */
+ char *banner; /* Addition to password changing prompts. */
+ bool expose_account; /* Display principal in password prompts. */
+ bool force_first_pass; /* Require a previous password be stored. */
+ bool no_prompt; /* Let Kerberos handle password prompting. */
+ bool prompt_principal; /* Prompt for the Kerberos principal. */
+ bool try_first_pass; /* Try the previously entered password. */
+ bool use_authtok; /* Use the stored new password for changes. */
+ bool use_first_pass; /* Always use the previous password. */
/* Ticket caches. */
- char *ccache; /* Path to write ticket cache to. */
- char *ccache_dir; /* Directory for ticket cache. */
- bool no_ccache; /* Don't create a ticket cache. */
- bool retain_after_close; /* Don't destroy the cache on session end. */
+ char *ccache; /* Path to write ticket cache to. */
+ char *ccache_dir; /* Directory for ticket cache. */
+ bool no_ccache; /* Don't create a ticket cache. */
+ bool retain_after_close; /* Don't destroy the cache on session end. */
/* The authentication context, which bundles together Kerberos data. */
struct context *ctx;
* If possible, the initial credentials are verified by checking them against
* the local system key.
*/
-int pamk5_password_auth(struct pam_args *, const char *service,
- krb5_creds **);
+int pamk5_password_auth(struct pam_args *, const char *service, krb5_creds **);
/*
* Prompt the user for a new password, twice so that they can confirm. Sets
int pamk5_get_password(struct pam_args *, const char *, char **);
/* Prompting function for the Kerberos libraries. */
-krb5_error_code pamk5_prompter_krb5(krb5_context, void *data,
- const char *name, const char *banner,
- int, krb5_prompt *);
+krb5_error_code pamk5_prompter_krb5(krb5_context, void *data, const char *name,
+ const char *banner, int, krb5_prompt *);
/* Check the user with krb5_kuserok or the configured equivalent. */
int pamk5_authorized(struct pam_args *);
* internal functions. Retrieves configuration information from krb5.conf and
* parses the PAM configuration.
*
- * Copyright 2011, 2012
+ * Copyright 2005-2010, 2014, 2020 Russ Allbery <eagle@eyrie.org>
+ * Copyright 2011-2012
* The Board of Trustees of the Leland Stanford Junior University
- * Copyright 2005, 2006, 2007, 2008, 2009, 2010, 2014
- * Russ Allbery <eagle@eyrie.org>
* Copyright 2005 Andres Salomon <dilinger@debian.org>
- * Copyright 1999, 2000 Frank Cusack <fcusack@fcusack.com>
+ * Copyright 1999-2000 Frank Cusack <fcusack@fcusack.com>
*
* See LICENSE for licensing terms.
*/
/* Our option definition. Must be sorted. */
#define K(name) (#name), offsetof(struct pam_config, name)
+/* clang-format off */
static const struct option options[] = {
{ K(alt_auth_map), true, STRING (NULL) },
{ K(anon_fast), true, BOOL (false) },
{ K(use_pkinit), true, BOOL (false) },
{ K(user_realm), true, STRING (NULL) },
};
+/* clang-format on */
static const size_t optlen = sizeof(options) / sizeof(options[0]);
struct pam_config *config = NULL;
args = putil_args_new(pamh, flags);
- if (args == NULL)
+ if (args == NULL) {
return NULL;
+ }
config = calloc(1, sizeof(struct pam_config));
- if (config == NULL)
+ if (config == NULL) {
goto nomem;
+ }
args->config = config;
/*
putil_args_free(args);
return NULL;
}
- if (!putil_args_krb5(args, "pam", options, optlen))
+ if (!putil_args_krb5(args, "pam", options, optlen)) {
goto fail;
- if (!putil_args_parse(args, argc, argv, options, optlen))
+ }
+ if (!putil_args_parse(args, argc, argv, options, optlen)) {
goto fail;
- if (config->debug)
+ }
+ if (config->debug) {
args->debug = true;
- if (config->silent)
+ }
+ if (config->silent) {
args->silent = true;
+ }
/* An empty banner should be treated the same as not having one. */
if (config->banner != NULL && config->banner[0] == '\0') {
* which isn't the password they'll use (that's the whole point of
* search_k5login).
*/
- if (config->search_k5login)
+ if (config->search_k5login) {
config->expose_account = 0;
+ }
/* UIDs are unsigned on some systems. */
- if (config->minimum_uid < 0)
+ if (config->minimum_uid < 0) {
config->minimum_uid = 0;
+ }
/*
* Warn if PKINIT options were set and PKINIT isn't supported. The MIT
* method (krb5_get_init_creds_opt_set_pa) can't support use_pkinit.
*/
#ifndef HAVE_KRB5_GET_INIT_CREDS_OPT_SET_PKINIT
-# ifndef HAVE_KRB5_GET_INIT_CREDS_OPT_SET_PA
- if (config->try_pkinit)
+# ifndef HAVE_KRB5_GET_INIT_CREDS_OPT_SET_PA
+ if (config->try_pkinit) {
putil_err(args, "try_pkinit requested but PKINIT not available");
-# endif
- if (config->use_pkinit)
+ }
+# endif
+ if (config->use_pkinit) {
putil_err(args, "use_pkinit requested but PKINIT not available or"
- " cannot be enforced");
+ " cannot be enforced");
+ }
#endif
/* Warn if the FAST option was set and FAST isn't supported. */
#ifndef HAVE_KRB5_GET_INIT_CREDS_OPT_SET_FAST_CCACHE_NAME
- if (config->fast_ccache || config->anon_fast)
+ if (config->fast_ccache || config->anon_fast) {
putil_err(args, "fast_ccache or anon_fast requested but FAST not"
- " supported by Kerberos libraries");
+ " supported by Kerberos libraries");
+ }
#endif
/* If tracing was requested enable it if possible. */
config->trace);
}
#else
- if (config->trace != NULL)
+ if (config->trace != NULL) {
putil_err(args, "trace logging requested but not supported");
+ }
#endif
return args;
* principal for Heimdal. So we're stuck with an #ifdef.
*/
#ifdef HAVE_KRB5_MIT
- retval = krb5_set_password(ctx->context, ctx->creds, (char *) pass,
- NULL, &result_code, &result_code_string, &result_string);
+ retval =
+ krb5_set_password(ctx->context, ctx->creds, (char *) pass, NULL,
+ &result_code, &result_code_string, &result_string);
#else
- retval = krb5_set_password(ctx->context, ctx->creds, (char *) pass,
- ctx->princ, &result_code, &result_code_string,
- &result_string);
+ retval =
+ krb5_set_password(ctx->context, ctx->creds, (char *) pass, ctx->princ,
+ &result_code, &result_code_string, &result_string);
#endif
/* Everything from here on is just handling diagnostics and output. */
putil_debug(args, "krb5_change_password: %s",
(char *) result_code_string.data);
retval = PAM_AUTHTOK_ERR;
- status = asprintf(&output, "%.*s%s%.*s",
- (int) result_code_string.length,
- (char *) result_code_string.data,
- result_string.length == 0 ? "" : ": ",
- (int) result_string.length,
- (char *) result_string.data);
+ status =
+ asprintf(&output, "%.*s%s%.*s", (int) result_code_string.length,
+ (char *) result_code_string.data,
+ result_string.length == 0 ? "" : ": ",
+ (int) result_string.length, (char *) result_string.data);
if (status < 0)
putil_crit(args, "asprintf failed: %s", strerror(errno));
else {
if (retval < 0)
goto fail;
} else {
- retval = asprintf(&prompt, "%s%s%s password: ", prefix, bspace,
- banner);
+ retval =
+ asprintf(&prompt, "%s%s%s password: ", prefix, bspace, banner);
if (retval < 0)
goto fail;
}
return PAM_SUCCESS;
pamret = pam_get_item(args->pamh, PAM_CONV, (PAM_CONST void **) &conv);
if (pamret != PAM_SUCCESS)
- return pamret;
+ return pamret;
if (conv->conv == NULL)
return PAM_CONV_ERR;
pmsg = &msg;
msg.msg = (PAM_CONST char *) message;
pamret = conv->conv(1, &pmsg, &resp, conv->appdata_ptr);
if (pamret != PAM_SUCCESS)
- return pamret;
+ return pamret;
/*
* Only expect a response for PAM_PROMPT_ECHO_OFF or PAM_PROMPT_ECHO_ON
*/
want_reply = (type == PAM_PROMPT_ECHO_OFF || type == PAM_PROMPT_ECHO_ON);
if (resp == NULL || resp->resp == NULL)
- pamret = want_reply ? PAM_CONV_ERR : PAM_SUCCESS;
+ pamret = want_reply ? PAM_CONV_ERR : PAM_SUCCESS;
else if (want_reply && response != NULL) {
*response = resp->resp;
pamret = PAM_SUCCESS;
* colon and space already and only adding it if there is not.
*/
len = strlen(prompts[i].prompt);
- has_colon = (len > 2
- && prompts[i].prompt[len - 1] == ' '
+ has_colon = (len > 2 && prompts[i].prompt[len - 1] == ' '
&& prompts[i].prompt[len - 2] == ':');
status = asprintf((char **) &msg[pam_prompts]->msg, "%s%s",
prompts[i].prompt, has_colon ? "" : ": ");
if (status < 0)
goto cleanup;
assert(pam_prompts < total_prompts);
- msg[pam_prompts]->msg_style = prompts[i].hidden ? PAM_PROMPT_ECHO_OFF
- : PAM_PROMPT_ECHO_ON;
+ msg[pam_prompts]->msg_style =
+ prompts[i].hidden ? PAM_PROMPT_ECHO_OFF : PAM_PROMPT_ECHO_ON;
pam_prompts++;
}
/* Call into the application conversation function. */
pamret = conv->conv(pam_prompts, (PAM_CONST struct pam_message **) msg,
&resp, conv->appdata_ptr);
- if (pamret != 0)
+ if (pamret != 0)
goto cleanup;
if (resp == NULL)
goto cleanup;
#define PAM_SM_SESSION
#include <config.h>
-#include <portable/system.h>
#include <portable/pam.h>
+#include <portable/system.h>
#include <internal.h>
#include <pam-util/args.h>
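Review bot: The reorder moves `#include <portable/system.h>` below `#include <portable/pam.h>`, so the PAM wrapper header is now the first thing compiled after config.h; that only stays correct if portable/pam.h is self-contained and does not rely on the standard headers or feature-test setup that portable/system.h pulls in. Neither header is visible in this chunk, so this is inferred from the names alone, and the same reorder may exist in other module files outside what is shown here. If the alphabetical order is deliberate, a one-line comment above the block, such as `/* portable/pam.h is self-contained; include order here is alphabetical on purpose. */`, would keep a later maintainer from reverting it as an accidental swap.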
* here, since many applications don't call pam_acct_mgmt.
*/
PAM_EXTERN int
-pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc,
- const char **argv)
+pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv)
{
struct pam_args *args;
int pamret;
* The main PAM interface for opening a session.
*/
PAM_EXTERN int
-pam_sm_open_session(pam_handle_t *pamh, int flags, int argc,
- const char **argv)
+pam_sm_open_session(pam_handle_t *pamh, int flags, int argc, const char **argv)
{
struct pam_args *args;
int pamret;
status = krb5_cc_store_cred(ctx->context, *cache, &creds);
krb5_free_cred_contents(ctx->context, &creds);
if (status != 0) {
- putil_err_krb5(args, status, "cannot store additional credentials"
- " in %s", ccname);
+ putil_err_krb5(args, status,
+ "cannot store additional credentials"
+ " in %s",
+ ccname);
pamret = PAM_SERVICE_ERR;
goto done;
}
tmpname = pamk5_get_krb5ccname(args, "PAM_KRB5CCNAME");
if (tmpname == NULL) {
putil_debug(args, "unable to get PAM_KRB5CCNAME, assuming"
- " non-Kerberos login");
+ " non-Kerberos login");
pamret = PAM_IGNORE;
goto fail;
}
*/
if (getuid() != geteuid() || getgid() != getegid()) {
putil_err(args, "credential reinitialization in a setuid context"
- " ignored");
+ " ignored");
pamret = PAM_SUCCESS;
goto done;
}
status = chown(cache_name, uid, gid);
if (status == -1) {
putil_crit(args, "chown of ticket cache failed: %s", strerror(errno));
- pamret = PAM_SERVICE_ERR;
+ pamret = PAM_SERVICE_ERR;
goto done;
}
pamret = pamk5_set_krb5ccname(args, cache_name, "KRB5CCNAME");
krb5_error_code retval;
int status;
struct passwd *pwd;
- char kuser[65]; /* MAX_USERNAME == 65 (MIT Kerberos 1.4.1). */
+ char kuser[65]; /* MAX_USERNAME == 65 (MIT Kerberos 1.4.1). */
if (args == NULL || args->config == NULL || args->config->ctx == NULL
|| args->config->ctx->context == NULL)
is_string(config->extra[0], principal, "...and matches our principal");
/* Retrieve the krbtgt for the realm and check properties. */
- code = krb5_build_principal_ext(ctx, &tgtprinc,
- (unsigned int) strlen(extra->realm), extra->realm,
- KRB5_TGS_NAME_SIZE, KRB5_TGS_NAME,
- strlen(extra->realm), extra->realm, NULL);
+ code = krb5_build_principal_ext(
+ ctx, &tgtprinc, (unsigned int) strlen(extra->realm), extra->realm,
+ KRB5_TGS_NAME_SIZE, KRB5_TGS_NAME, strlen(extra->realm), extra->realm,
+ NULL);
if (code != 0)
bail("cannot create krbtgt principal name");
memset(&in, 0, sizeof(in));
memset(&out, 0, sizeof(out));
in.server = tgtprinc;
in.client = princ;
- code = krb5_cc_retrieve_cred(ctx, ccache, KRB5_TC_MATCH_SRV_NAMEONLY,
- &in, &out);
+ code = krb5_cc_retrieve_cred(ctx, ccache, KRB5_TC_MATCH_SRV_NAMEONLY, &in,
+ &out);
is_int(0, code, "able to get krbtgt credentials");
ok(out.times.endtime > time(NULL) + 30 * 60, "...good for 30 minutes");
krb5_free_cred_contents(ctx, &out);
* was introduced at the same time.
*/
#ifdef HAVE_KRB5_HEIMDAL
-# ifdef HAVE_KRB5_PRINCIPAL_SET_COMP_STRING
+# ifdef HAVE_KRB5_PRINCIPAL_SET_COMP_STRING
run_script("data/scripts/expired/basic-heimdal", &config);
config.newpass = krbconf->password;
config.password = newpass;
kerberos_expire_password(krbconf->userprinc, now);
run_script("data/scripts/expired/basic-heimdal-debug", &config);
-# else
+# else
run_script("data/scripts/expired/basic-heimdal-old", &config);
config.newpass = krbconf->password;
config.password = newpass;
kerberos_expire_password(krbconf->userprinc, now);
run_script("data/scripts/expired/basic-heimdal-old-debug", &config);
-# endif
+# endif
#else
run_script("data/scripts/expired/basic-mit", &config);
config.newpass = krbconf->password;
* implementation of krb5_get_init_creds_opt_set_change_password_prompt is
* incomplete. See <https://github.com/heimdal/heimdal/issues/322>.
*/
-# ifdef HAVE_KRB5_HEIMDAL
+# ifdef HAVE_KRB5_HEIMDAL
skip_block(2, "deferring password changes broken in Heimdal");
-# else
+# else
config.newpass = newpass;
config.password = krbconf->password;
config.authtok = krbconf->password;
config.authtok = newpass;
kerberos_expire_password(krbconf->userprinc, now);
run_script("data/scripts/expired/defer-mit-debug", &config);
-# endif
+# endif
#else /* !HAVE_KRB5_GET_INIT_CREDS_OPT_SET_CHANGE_PASSWORD_PROMPT */
retval = krb5_get_default_realm(ctx, &realm);
if (retval != 0)
bail("cannot get default realm");
- retval = krb5_build_principal_ext(ctx, &princ,
- (unsigned int) strlen(realm), realm,
- strlen(KRB5_WELLKNOWN_NAME), KRB5_WELLKNOWN_NAME,
- strlen(KRB5_ANON_NAME), KRB5_ANON_NAME, NULL);
+ retval = krb5_build_principal_ext(
+ ctx, &princ, (unsigned int) strlen(realm), realm,
+ strlen(KRB5_WELLKNOWN_NAME), KRB5_WELLKNOWN_NAME,
+ strlen(KRB5_ANON_NAME), KRB5_ANON_NAME, NULL);
if (retval != 0)
bail("cannot construct anonymous principal");
krb5_free_default_realm(ctx, realm);
bail("cannot create credential options");
krb5_get_init_creds_opt_set_anonymous(opts, 1);
krb5_get_init_creds_opt_set_tkt_life(opts, 60);
- retval = krb5_get_init_creds_password(ctx, &creds, princ, NULL, NULL,
- NULL, 0, NULL, opts);
+ retval = krb5_get_init_creds_password(ctx, &creds, princ, NULL, NULL, NULL,
+ 0, NULL, opts);
/* Clean up. */
if (princ != NULL)