2 * Copyright 2000, International Business Machines Corporation and others.
5 * This software has been released under the terms of the IBM Public
6 * License. For details, see the LICENSE file in the top-level source
7 * directory or online at http://www.openafs.org/dl/license10.html
10 /* AFS SIA mechanism library.
14 #include <afsconfig.h>
15 #include <afs/param.h>
21 #include <sys/types.h>
27 #include <afs/com_err.h>
29 #include <afs/cellconfig.h>
31 #include <afs/kautils.h>
38 /* afs_sia_log logs to the standard sialog. */
40 afs_sia_log(char *fmt, ...)
44 sia_log("AFS", fmt, args);
48 #if defined(AFS_KERBEROS_ENV)
49 extern char *ktc_tkt_string();
52 /* afs_siad_debug gives more detailed debugging information for AFS
53 * than I want to put into the regular sialog.
57 #define DEBUG_FILE "/var/adm/afssialog"
58 /* Modify VERS to ensure you're testing with the current libafssiad.so.
59 * To make SIA recognize a new library, touch /etc/sia/matrix.conf.
63 afs_siad_debug(char *fmt, ...)
72 /* Only print if file exists. */
73 if (stat(DEBUG_FILE, &sbuf) < 0)
76 if ((fp = fopen(DEBUG_FILE, "a")) == NULL)
83 fprintf(fp, "%s %s: ", VERS, when);
85 vfprintf(fp, fmt, args);
93 /* siad_init - Once per reboot processing goes here. */
100 /* malloc any needed space required over the authentication session here. */
102 siad_ses_init(SIAENTITY * entity, int pkgind)
107 /* We set the pwd entry in siad_ses_authent if we succeed in authenticating.
108 * Otherwise the BSD mechanism will incur a core dump.
111 siad_ses_estab(sia_collect_func_t * collect, SIAENTITY * entity, int pkgind)
117 siad_ses_launch(sia_collect_func_t * collect, SIAENTITY * entity, int pkgind)
122 /* Free up space malloc'd in siad_ses_init() */
124 siad_ses_release(SIAENTITY * entity, int pkgind)
130 siad_get_groups(struct sia_context *context, const char *username,
131 gid_t * buf, int *numgroups, int maxgroups)
133 afs_siad_debug("siad_get_groups returning failure.\n");
137 /* Print the reason we failed to authenticate. */
139 afs_siad_authent_print_reason(sia_collect_func_t * collect, char *reason)
141 unsigned char err_msg[128];
144 (void)sprintf(err_msg, "Unable to authenticate to AFS because %s",
146 sia_warning(collect, err_msg);
150 /* afs_siad_get_name_password
152 * Common code for siad_ses_authent and siad_ses_reauthent. Gather name and
153 * password if required.
156 * collect - prompt collection function.
157 * entity - SIA entity
158 * got_pass - set to 1 if we gather'd the password ourselves.
162 * SIADFAIL - failed to malloc, calling routine should return SIADFAIL.
163 * SIADSUCESS - name and password have been collected (maybe not by us).
164 * SIADFAIL | SIADSTOP - calling routine should return.
167 afs_siad_get_name_password(sia_collect_func_t * collect, SIAENTITY * entity,
173 struct prompt_t prompts[2];
178 if ((!entity->name) || (!(*entity->name))) {
179 entity->name = malloc(SIANAMEMIN + 1);
180 if (entity->name == NULL) {
182 ("afs_siad_get_name_password: failed to malloc name.\n");
186 *(entity->name) = '\0';
189 if ((!entity->password) || (!(*entity->password))) {
190 entity->password = malloc(SIAMXPASSWORD + 1);
191 if (entity->password == NULL) {
193 ("afs_siad_get_name_password: failed to malloc password.\n");
197 *(entity->password) = '\0';
201 if (need_name || need_pass) {
202 if (!collect || !entity->colinput) {
207 prompts[0].prompt = (unsigned char *)"login: ";
208 prompts[0].result = (unsigned char *)entity->name;
209 prompts[0].min_result_length = 1;
210 prompts[0].max_result_length = SIANAMEMIN;
211 prompts[0].control_flags = SIAPRINTABLE;
215 prompts[n_prompts].prompt = (unsigned char *)"Password:";
216 prompts[n_prompts].result = (unsigned char *)entity->password;
217 prompts[n_prompts].min_result_length = 0;
218 prompts[n_prompts].max_result_length = SIAMXPASSWORD;
219 prompts[n_prompts].control_flags = SIARESINVIS;
224 (*collect) (0, SIAFORM, (uchar_t *) "", n_prompts, prompts);
226 code = (*collect) (240, SIAONELINER, (uchar_t *) "", 1, prompts);
227 if (code != SIACOLSUCCESS) {
228 code = SIADFAIL | SIADSTOP;
232 *got_pass = need_pass;
238 entity->name = (char *)0;
241 free(entity->password);
242 entity->password = (char *)0;
249 * Authenticate user for AFS.
251 * Rules on when to authenticate, from the AFS SysAdmin Guide:
252 * 1) If no entry in password file, try the authentication.
253 * 2) If '*' in password file, don't attempt to authenticate.
254 * NOTE: If enhanced security is turned on, '*' means to check the data base
255 * for the encrypted password.
256 * 3) If passwd field is not 13 characters long, try AFS authentication.
257 * 4) If passwd field is 13 characters, try to authenticate.
259 * 1) Don't try to authenticate if '*' in password field.
260 * 2) Use "Entry AFS Password" if password field is not 13 charaters long.
261 * This really isn't possible if the CDE login is being used since it
262 * prints it's own prompts.
264 * This is an integrated login environement. So I do not print any AFS
265 * specific login messages.
267 * entityhdl->colinput == 1 means the collect function can be used to prompt
268 * for input. If it's 0, then it can only be used to print messages.
269 * For this case, one also has to test for a non-null collect function.
271 * DCE, AFS, BSD is the proper order to do the authentication. Generally
272 * speaking AFS should come just before BSD which is last. The reason is that
273 * if some other mechanism succeeds in authenticating it will probably want to
274 * set the entity->pwd field to something other than /etc/passwd.
277 siad_ses_authent(sia_collect_func_t * collect, SIAENTITY * entity,
278 int siastat, int pkgind)
282 char *reason; /* returned by authenticate. */
283 int password_expires = -1;
284 struct passwd *pwd = (struct passwd *)0;
285 extern struct passwd *getpwnam();
287 code = afs_siad_get_name_password(collect, entity, &got_pass);
288 if (code != SIADSUCCESS)
291 pwd = getpwnam(entity->name);
293 /* Only authenticate if user is in /etc/passwd. */
297 if ((pwd->pw_passwd[0] == '*') && (pwd->pw_passwd[1] == '\0')) {
298 afs_siad_debug("siad_ses_authent: refusing to authenticate\n");
303 code = ka_UserAuthenticateGeneral(KA_USERAUTH_VERSION | KA_USERAUTH_DOSETPAG, entity->name, (char *)0, /* instance */
304 (char *)0, /* realm */
305 entity->password, 0, /* lifetime */
306 &password_expires, 0 /* spare2 */ ,
310 afs_siad_debug("siad_sis_authent: auth1 failure: %s\n", reason);
319 entity->pwd = (struct passwd *)malloc(sizeof(struct passwd));
324 memset((void *)entity->pwd, '\0', sizeof(struct passwd));
325 if (sia_make_entity_pwd(pwd, entity) != SIASUCCESS) {
326 afs_siad_debug("siad_ses_authent: Can't set pwd into entity.\n");
332 /* Set PASSWORD_EXPIRES env variable if necessary */
333 if (password_expires >= 0 && password_expires < 255) {
335 sprintf(sbuffer, "%d", password_expires);
336 (void)setenv("PASSWORD_EXPIRES", sbuffer, 1);
338 #if defined(AFS_KERBEROS_ENV)
340 if (chown(ktc_tkt_string(), pwd->pw_uid, pwd->pw_gid) < 0)
341 afs_siad_debug("siad_ses_authent fails - krb chown.\n");
345 afs_siad_debug("siad_ses_authent returning success.\n");
346 afs_sia_log("siad_ses_authent returning success.\n");
350 afs_sia_log("siad_ses_authent fails, code=%d.\n", code);
351 afs_siad_debug("siad_ses_authent fails, code=%d.\n", code);
357 /* siad_ses_reauthent.
358 * Used for such things as as locking/unlocking terminal. This implies
359 * authenticate, but do not set a pag. The oher differences is that we
360 * accept vouching from other mechanism.
362 * Note the dtsession collects the password itself and will always pass it
363 * in. Also, colinput is typically false in this case as well as collect
367 siad_ses_reauthent(sia_collect_func_t * collect, SIAENTITY * entity,
368 int siastat, int pkgind)
372 char *reason; /* returned by authenticate. */
373 struct passwd *pwd = (struct passwd *)0;
374 extern struct passwd *getpwnam();
376 if (siastat == SIADSUCCESS)
379 code = afs_siad_get_name_password(collect, entity, &got_pass);
380 if (code != SIADSUCCESS)
383 pwd = getpwnam(entity->name);
389 code = ka_VerifyUserPassword(KA_USERAUTH_VERSION, entity->name, (char *)0, /* instance */
390 (char *)0, /* realm */
391 entity->password, 0 /* spare2 */ ,
395 afs_siad_debug("siad_sis_reauthent: auth failure: %s\n", reason);
404 entity->pwd = (struct passwd *)malloc(sizeof(struct passwd));
409 memset((void *)entity->pwd, '\0', sizeof(struct passwd));
410 if (sia_make_entity_pwd(pwd, entity) != SIASUCCESS) {
412 ("siad_ses_reauthent: Can't set pwd into entity.\n");
418 afs_siad_debug("siad_ses_reauthent returning success.\n");
419 afs_sia_log("siad_ses_reauthent returning success.\n");
423 afs_sia_log("siad_ses_reauthent fails, code=%d.\n", code);
424 afs_siad_debug("siad_ses_reauthent fails, code=%d.\n", code);
429 siad_chk_invoker(void)
431 afs_siad_debug("siad_chk_invoker returning failure.\n");
436 siad_ses_suauthent(sia_collect_func_t * collect, SIAENTITY * entity,
437 int siastat, int pkgind)
439 afs_siad_debug("siad_ses_suauthent returning failure.\n");
445 siad_chg_finger(sia_collect_func_t * collect, const char *username, int argc,
448 afs_siad_debug("siad_chg_finger returning failure.\n");
453 siad_chg_password(sia_collect_func_t * collect, const char *username,
454 int argc, char *argv[])
456 afs_siad_debug("siad_chg_passwd returning failure.\n");
461 siad_chg_shell(sia_collect_func_t * collect, const char *username, int argc,
464 afs_siad_debug("siad_chg_shell returning failure.\n");
469 siad_getpwent(struct passwd *result, char *buf, int bufsize,
470 struct sia_context *context)
472 afs_siad_debug("siad_getpwent returning failure.\n");
477 siad_getpwuid(uid_t uid, struct passwd *result, char *buf, int bufsize,
478 struct sia_context *context)
481 afs_siad_debug("siad_getpwuid returning failure.\n");
486 siad_getpwnam(const char *name, struct passwd *result, char *buf, int bufsize,
487 struct sia_context *context)
489 afs_siad_debug("siad_ses_getpwnam returning failure.\n");
494 siad_setpwent(struct sia_context *context)
496 afs_siad_debug("siad_ses_setpwent returning failure.\n");
501 siad_endpwent(struct sia_context *context)
503 afs_siad_debug("siad_ses_endpwent returning failure.\n");
508 siad_getgrent(struct group *result, char *buf, int bufsize,
509 struct sia_context *context)
511 afs_siad_debug("siad_ses_getgrent returning failure.\n");
516 siad_getgrgid(gid_t gid, struct group *result, char *buf, int bufsize,
517 struct sia_context *context)
519 afs_siad_debug("siad_ses_getgrgid returning failure.\n");
524 siad_getgrnam(const char *name, struct group *result, char *buf, int bufsize,
525 struct sia_context *context)
527 afs_siad_debug("siad_ses_getgrnam returning failure.\n");
532 siad_setgrent(struct sia_context *context)
534 afs_siad_debug("siad_ses_setgrent returning failure.\n");
539 siad_endgrent(struct sia_context *context)
541 afs_siad_debug("siad_ses_endgrent returning failure.\n");
546 siad_chk_user(const char *logname, int checkflag)
548 afs_siad_debug("siad_ses_chk_user returning success.\n");
554 /* These are not in the current implementation. */
556 siad_ses_toggle_privs(SIAENTITY * entity, int pkgind, int elevate)
558 afs_siad_debug("siad_ses_toggle_privs.\n");
564 siad_ses_update_audit_record(SIAENTITY * entity, int pkgind, int event,
565 char *tokenp, char **datap, int *used,
568 afs_siad_debug("siad_ses_update_audit_record.\n");