Initial import from FreeBSD RELENG_4:

[dragonfly.git] / lib / libpam / modules / pam_krb5 / pam_krb5_pass.c

/*
 * pam_krb5_pass.c
 *
 * PAM password management functions for pam_krb5
 *
 * $FreeBSD: src/lib/libpam/modules/pam_krb5/pam_krb5_pass.c,v 1.1.2.1 2001/06/07 09:37:07 markm Exp $
 */

static const char rcsid[] = "$Id: pam_krb5_pass.c,v 1.3 1999/01/19 23:43:11 fcusack Exp $";

#include <errno.h>
#include <stdio.h>      /* sprintf */
#include <stdlib.h>     /* malloc */
#include <syslog.h>     /* syslog */
#include <security/pam_appl.h>
#include <security/pam_modules.h>
#include <krb5.h>
#include <com_err.h>
#include "pam_krb5.h"

/* A useful logging macro */
#define DLOG(error_func, error_msg) \
if (debug) \
    syslog(LOG_DEBUG, "pam_krb5: pam_sm_chauthtok(%s %s): %s: %s", \
           service, name, error_func, error_msg)

/* Change a user's password */
int
pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, const char **argv)
{
    krb5_error_code     krbret;
    krb5_context        pam_context;
    krb5_creds          creds;
    krb5_principal      princ;
    krb5_get_init_creds_opt opts;

    int         result_code;
    krb5_data   result_code_string, result_string;

    int         pamret, i;
    char        *name, *service = NULL, *pass = NULL, *pass2;
    char        *princ_name = NULL;
    char        *prompt = NULL;

    int debug = 0;
    int try_first_pass = 0, use_first_pass = 0;

    if (!(flags & PAM_UPDATE_AUTHTOK))
        return PAM_AUTHTOK_ERR;

    for (i = 0; i < argc; i++) {
        if (strcmp(argv[i], "debug") == 0)
            debug = 1;
        else if (strcmp(argv[i], "try_first_pass") == 0)
            try_first_pass = 1;
        else if (strcmp(argv[i], "use_first_pass") == 0)
            use_first_pass = 1;
    }

    /* Get username */
    if ((pam_get_item(pamh, PAM_USER, (const void **) &name)) != 0) {
        return PAM_SERVICE_ERR;
    }

    /* Get service name */
    (void) pam_get_item(pamh, PAM_SERVICE, (const void **) &service);
    if (!service)
        service = "unknown";

    DLOG("entry", "");

    if ((krbret = krb5_init_context(&pam_context)) != 0) {
        DLOG("krb5_init_context()", error_message(krbret));
        return PAM_SERVICE_ERR;
    }

    if ((krbret = krb5_init_context(&pam_context)) != 0) {
        DLOG("krb5_init_context()", error_message(krbret));
        return PAM_SERVICE_ERR;
    }
    krb5_get_init_creds_opt_init(&opts);
    memset(&creds, 0, sizeof(krb5_creds));

    /* Get principal name */
    if ((krbret = krb5_parse_name(pam_context, name, &princ)) != 0) {
        DLOG("krb5_parse_name()", error_message(krbret));
        pamret = PAM_USER_UNKNOWN;
        goto cleanup3;
    }

    /* Now convert the principal name into something human readable */
    if ((krbret = krb5_unparse_name(pam_context, princ, &princ_name)) != 0) {
        DLOG("krb5_unparse_name()", error_message(krbret));
        pamret = PAM_SERVICE_ERR;
        goto cleanup2;
    }

    /* Get password */
    prompt = malloc(16 + strlen(princ_name));
    if (!prompt) {
        DLOG("malloc()", "failure");
        pamret = PAM_BUF_ERR;
        goto cleanup2;
    }
    (void) sprintf(prompt, "Password for %s: ", princ_name);

    if (try_first_pass || use_first_pass)
        (void) pam_get_item(pamh, PAM_AUTHTOK, (const void **) &pass);

get_pass:
    if (!pass) {
        try_first_pass = 0;
        if ((pamret = get_user_info(pamh, prompt, PAM_PROMPT_ECHO_OFF, 
          &pass)) != 0) {
            DLOG("get_user_info()", pam_strerror(pamh, pamret));
            pamret = PAM_SERVICE_ERR;
            goto cleanup2;
        }
        /* We have to free pass. */
        if ((pamret = pam_set_item(pamh, PAM_AUTHTOK, pass)) != 0) {
            DLOG("pam_set_item()", pam_strerror(pamh, pamret));
            free(pass);
            pamret = PAM_SERVICE_ERR;
            goto cleanup2;
        }
        free(pass);
        /* Now we get it back from the library. */
        (void) pam_get_item(pamh, PAM_AUTHTOK, (const void **) &pass);
    }

    if ((krbret = krb5_get_init_creds_password(pam_context, &creds, princ, 
      pass, pam_prompter, pamh, 0, "kadmin/changepw", &opts)) != 0) {
        DLOG("krb5_get_init_creds_password()", error_message(krbret));
        if (try_first_pass && krbret == KRB5KRB_AP_ERR_BAD_INTEGRITY) {
            pass = NULL;
            goto get_pass;
        }
        pamret = PAM_AUTH_ERR;
        goto cleanup2;
    }

    /* Now get the new password */
    free(prompt);
    prompt = "Enter new password: ";
    if ((pamret = get_user_info(pamh, prompt, PAM_PROMPT_ECHO_OFF, &pass)) 
      != 0) {
        DLOG("get_user_info()", pam_strerror(pamh, pamret));
        prompt = NULL;
        pamret = PAM_SERVICE_ERR;
        goto cleanup;
    }
    prompt = "Enter it again: ";
    if ((pamret = get_user_info(pamh, prompt, PAM_PROMPT_ECHO_OFF, &pass2)) 
      != 0) {
        DLOG("get_user_info()", pam_strerror(pamh, pamret));
        prompt = NULL;
        pamret = PAM_SERVICE_ERR;
        goto cleanup;
    }
    prompt = NULL;

    if (strcmp(pass, pass2) != 0) {
        DLOG("strcmp()", "passwords not equal");
        pamret = PAM_AUTHTOK_ERR;
        goto cleanup;
    }

    /* Change it */
    if ((krbret = krb5_change_password(pam_context, &creds, pass,
      &result_code, &result_code_string, &result_string)) != 0) {
        DLOG("krb5_change_password()", error_message(krbret));
        pamret = PAM_AUTHTOK_ERR;
        goto cleanup;
    }
    if (result_code) {
        DLOG("krb5_change_password() (result_code)", "");
        pamret = PAM_AUTHTOK_ERR;
        goto cleanup;
    }

    if (result_string.data)
        free(result_string.data);
    if (result_code_string.data)
        free(result_code_string.data);

cleanup:
    krb5_free_cred_contents(pam_context, &creds);
cleanup2:
    krb5_free_principal(pam_context, princ);
cleanup3:
    if (prompt)
        free(prompt);
    if (princ_name)
        free(princ_name);

    krb5_free_context(pam_context);
    DLOG("exit", pamret ? "failure" : "success");
    return pamret;
}