summaryrefslogtreecommitdiff
path: root/src/providers/krb5/krb5_auth.c
diff options
context:
space:
mode:
Diffstat (limited to 'src/providers/krb5/krb5_auth.c')
-rw-r--r--src/providers/krb5/krb5_auth.c58
1 files changed, 23 insertions, 35 deletions
diff --git a/src/providers/krb5/krb5_auth.c b/src/providers/krb5/krb5_auth.c
index bd014a49..398f06a8 100644
--- a/src/providers/krb5/krb5_auth.c
+++ b/src/providers/krb5/krb5_auth.c
@@ -278,12 +278,12 @@ static void krb5_auth_cache_creds(struct krb5_ctx *krb5_ctx,
struct pam_data *pd, uid_t uid,
int *pam_status, int *dp_err)
{
- char *password = NULL;
+ const char *password = NULL;
errno_t ret;
- password = talloc_strndup(state, pd->authtok, pd->authtok_size);
- if (!password) {
- DEBUG(0, ("Out of memory copying password\n"));
+ ret = sss_authtok_get_password(&pd->authtok, &password, NULL);
+ if (ret != EOK) {
+ DEBUG(0, ("Failed to get password [%d] %s\n", ret, strerror(ret)));
*pam_status = PAM_SYSTEM_ERR;
*dp_err = DP_ERR_OK;
return;
@@ -294,7 +294,7 @@ static void krb5_auth_cache_creds(struct krb5_ctx *krb5_ctx,
DEBUG(1, ("Offline authentication failed\n"));
*pam_status = cached_login_pam_status(ret);
*dp_err = DP_ERR_OK;
- goto done;
+ return;
}
ret = add_user_to_delayed_online_authentication(krb5_ctx, pd, uid);
@@ -304,12 +304,6 @@ static void krb5_auth_cache_creds(struct krb5_ctx *krb5_ctx,
}
*pam_status = PAM_AUTHINFO_UNAVAIL;
*dp_err = DP_ERR_OFFLINE;
-
-done:
- if (password) {
- for (i = 0; password[i]; i++) password[i] = 0;
- talloc_zfree(password);
- }
}
static errno_t krb5_auth_prepare_ccache_file(struct krb5child_req *kr,
@@ -385,16 +379,9 @@ static errno_t krb5_auth_prepare_ccache_file(struct krb5child_req *kr,
static void krb5_auth_store_creds(struct sysdb_ctx *sysdb, struct pam_data *pd)
{
- TALLOC_CTX *tmp_ctx;
- char *password = NULL;
+ const char *password = NULL;
int ret = EOK;
- tmp_ctx = talloc_new(NULL);
- if (!tmp_ctx) {
- DEBUG(0, ("Out of memory when trying to store credentials\n"));
- return;
- }
-
switch(pd->cmd) {
case SSS_CMD_RENEW:
/* The authtok is set to the credential cache
@@ -404,42 +391,35 @@ static void krb5_auth_store_creds(struct sysdb_ctx *sysdb, struct pam_data *pd)
break;
case SSS_PAM_AUTHENTICATE:
case SSS_PAM_CHAUTHTOK_PRELIM:
- password = talloc_size(tmp_ctx, pd->authtok_size + 1);
- if (password != NULL) {
- memcpy(password, pd->authtok, pd->authtok_size);
- password[pd->authtok_size] = '\0';
- }
+ ret = sss_authtok_get_password(&pd->authtok, &password, NULL);
break;
case SSS_PAM_CHAUTHTOK:
- password = talloc_size(tmp_ctx, pd->newauthtok_size + 1);
- if (password != NULL) {
- memcpy(password, pd->newauthtok, pd->newauthtok_size);
- password[pd->newauthtok_size] = '\0';
- }
+ ret = sss_authtok_get_password(&pd->newauthtok, &password, NULL);
break;
default:
DEBUG(0, ("unsupported PAM command [%d].\n", pd->cmd));
}
+ if (ret != EOK) {
+ DEBUG(0, ("Failed to get password [%d] %s\n", ret, strerror(ret)));
+ /* password caching failures are not fatal errors */
+ return;
+ }
+
if (password == NULL) {
if (pd->cmd != SSS_CMD_RENEW) {
DEBUG(0, ("password not available, offline auth may not work.\n"));
/* password caching failures are not fatal errors */
}
- talloc_zfree(tmp_ctx);
return;
}
- talloc_set_destructor((TALLOC_CTX *)password, password_destructor);
-
ret = sysdb_cache_password(sysdb, pd->user, password);
if (ret) {
DEBUG(2, ("Failed to cache password, offline auth may not work."
" (%d)[%s]!?\n", ret, strerror(ret)));
/* password caching failures are not fatal errors */
}
-
- talloc_zfree(tmp_ctx);
}
/* krb5_auth request */
@@ -504,9 +484,17 @@ struct tevent_req *krb5_auth_send(TALLOC_CTX *mem_ctx,
case SSS_PAM_AUTHENTICATE:
case SSS_CMD_RENEW:
case SSS_PAM_CHAUTHTOK:
+ if (sss_authtok_get_type(&pd->authtok) != SSS_AUTHTOK_TYPE_PASSWORD) {
+ DEBUG(1, ("Missing authtok for user [%s].\n", pd->user));
+ state->pam_status = PAM_SYSTEM_ERR;
+ state->dp_err = DP_ERR_FATAL;
+ ret = EINVAL;
+ goto done;
+ }
break;
case SSS_PAM_CHAUTHTOK_PRELIM:
- if (pd->priv == 1 && pd->authtok_size == 0) {
+ if (pd->priv == 1 &&
+ sss_authtok_get_type(&pd->authtok) != SSS_AUTHTOK_TYPE_PASSWORD) {
DEBUG(4, ("Password reset by root is not supported.\n"));
state->pam_status = PAM_PERM_DENIED;
state->dp_err = DP_ERR_OK;