 @@ -1,14 +1,14 @@
-/*	$NetBSD: pam_krb5.c,v 1.26 2013/12/28 18:04:03 christos Exp $	*/
+/*	$NetBSD: pam_krb5.c,v 1.26.18.1 2023/06/21 22:04:13 martin Exp $	*/
 /*-
  * This pam_krb5 module contains code that is:
  *   Copyright (c) Derrick J. Brashear, 1996. All rights reserved.
  *   Copyright (c) Frank Cusack, 1999-2001. All rights reserved.
  *   Copyright (c) Jacques A. Vidrine, 2000-2001. All rights reserved.
  *   Copyright (c) Nicolas Williams, 2001. All rights reserved.
  *   Copyright (c) Perot Systems Corporation, 2001. All rights reserved.
  *   Copyright (c) Mark R V Murray, 2001.  All rights reserved.
  *   Copyright (c) Networks Associates Technology, Inc., 2002-2005.
  *       All rights reserved.
+ *
  * Portions of this software were developed for the FreeBSD Project by
 @@ -43,27 +43,27 @@
  * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
  * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
  * OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
  */
 #include <sys/cdefs.h>
 #ifdef __FreeBSD__
 __FBSDID("$FreeBSD: src/lib/libpam/modules/pam_krb5/pam_krb5.c,v 1.22 2005/01/24 16:49:50 rwatson Exp $");
 #else
-__RCSID("$NetBSD: pam_krb5.c,v 1.26 2013/12/28 18:04:03 christos Exp $");
+__RCSID("$NetBSD: pam_krb5.c,v 1.26.18.1 2023/06/21 22:04:13 martin Exp $");
 #endif
 #include <sys/types.h>
 #include <sys/stat.h>
 #include <errno.h>
 #include <limits.h>
 #include <pwd.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
 #include <syslog.h>
 #include <unistd.h>
 @@ -75,51 +75,62 @@ __RCSID("$NetBSD: pam_krb5.c,v 1.26 2013
 #define	PAM_SM_ACCOUNT
 #define	PAM_SM_PASSWORD
 #include <security/pam_appl.h>
 #include <security/pam_modules.h>
 #include <security/pam_mod_misc.h>
 #include <security/openpam.h>
 #define	COMPAT_HEIMDAL
 /* #define	COMPAT_MIT */
 static void	log_krb5(krb5_context, krb5_error_code, struct syslog_data *,
     const char *, ...) __printflike(4, 5);
-static int	verify_krb_v5_tgt(krb5_context, krb5_ccache, char *, int);
+static int	verify_krb_v5_tgt_begin(krb5_context, char *, int,
     const char **, krb5_principal *, char[static BUFSIZ], struct syslog_data *);
 static int	verify_krb_v5_tgt(krb5_context, krb5_ccache, char *, int,
     const char *, krb5_principal, char[static BUFSIZ], struct syslog_data *);
 static void	verify_krb_v5_tgt_cleanup(krb5_context, int,
     const char *, krb5_principal, char[static BUFSIZ], struct syslog_data *);
 static void	cleanup_cache(pam_handle_t *, void *, int);
 static const	char *compat_princ_component(krb5_context, krb5_principal, int);
 static void	compat_free_data_contents(krb5_context, krb5_data *);
 #define USER_PROMPT		"Username: "
 #define PASSWORD_PROMPT		"%s's password:"
 #define NEW_PASSWORD_PROMPT	"New Password:"
 #define PAM_OPT_CCACHE		"ccache"
 #define PAM_OPT_DEBUG		"debug"
 #define PAM_OPT_FORWARDABLE	"forwardable"
 #define PAM_OPT_RENEWABLE	"renewable"
 #define PAM_OPT_NO_CCACHE	"no_ccache"
 #define PAM_OPT_REUSE_CCACHE	"reuse_ccache"
 #define PAM_OPT_ALLOW_KDC_SPOOF	"allow_kdc_spoof"
 /*
  * authentication management
  */
 PAM_EXTERN int
 pam_sm_authenticate(pam_handle_t *pamh, int flags __unused,
     int argc __unused, const char *argv[] __unused)
+{
 	krb5_error_code krbret;
 	krb5_context pam_context;
 	int debug;
 	const char *auth_service;
 	krb5_principal auth_princ;
 	char auth_phost[BUFSIZ];
 	struct syslog_data auth_data = SYSLOG_DATA_INIT;
 	krb5_creds creds;
 	krb5_principal princ;
 	krb5_ccache ccache;
 	krb5_get_init_creds_opt *opts = NULL;
 	struct passwd *pwd, pwres;
 	int retval;
 	const void *ccache_data;
 	const char *user, *pass;
 	const void *sourceuser, *service;
 	char *principal, *princ_name, *ccache_name, luser[32], *srvdup;
 	char password_prompt[80];
 	char pwbuf[1024];
 	const char *rtime;
 @@ -134,38 +145,66 @@ pam_sm_authenticate(pam_handle_t *pamh,
 	retval = pam_get_item(pamh, PAM_RUSER, &sourceuser);
 	if (retval != PAM_SUCCESS)
 		return (retval);
 	PAM_LOG("Got ruser: %s", (const char *)sourceuser);
 	service = NULL;
 	pam_get_item(pamh, PAM_SERVICE, &service);
 	if (service == NULL)
 		service = "unknown";
 	PAM_LOG("Got service: %s", (const char *)service);
 	if ((srvdup = strdup(service)) == NULL) {
 		retval = PAM_BUF_ERR;
 		goto cleanup6;
+	}
 	krbret = krb5_init_context(&pam_context);
 	if (krbret != 0) {
 		PAM_VERBOSE_ERROR("Kerberos 5 error");
-		return (PAM_SERVICE_ERR);
+		retval = PAM_SERVICE_ERR;
 		goto cleanup5;
+	}
 	PAM_LOG("Context initialised");
 	debug = openpam_get_option(pamh, PAM_OPT_DEBUG) ? 1 : 0;
 	krbret = verify_krb_v5_tgt_begin(pam_context, srvdup, debug,
 	    &auth_service, &auth_princ, auth_phost, &auth_data);
 	if (krbret != 0) {	/* failed to find key */
 		/* Keytab or service key does not exist */
 		if (debug)
 			log_krb5(pam_context, krbret, &auth_data,
 			    "pam_krb5: verify_krb_v5_tgt: "
 			    "krb5_kt_read_service_key");
 		/*
 		 * Give up now because we can't authenticate the KDC
 		 * with a keytab, unless the administrator asked to
 		 * have the traditional behaviour of being vulnerable
 		 * to spoofed KDCs.
 		 */
 		if (!openpam_get_option(pamh, PAM_OPT_ALLOW_KDC_SPOOF)) {
 			retval = PAM_SERVICE_ERR;
 			goto cleanup4;
+		}
+	}
 	krbret = krb5_get_init_creds_opt_alloc(pam_context, &opts);
 	if (krbret != 0) {
 		PAM_VERBOSE_ERROR("Kerberos 5 error");
-		return (PAM_SERVICE_ERR);
+		retval = PAM_SERVICE_ERR;
 		goto cleanup4;
+	}
 	if (openpam_get_option(pamh, PAM_OPT_FORWARDABLE))
 		krb5_get_init_creds_opt_set_forwardable(opts, 1);
 	if ((rtime = openpam_get_option(pamh, PAM_OPT_RENEWABLE)) != NULL) {
 		krb5_deltat renew;
 		char rbuf[80], *rp;
 		if (*rtime) {
 			(void)strlcpy(rbuf, rtime, sizeof(rbuf));
 			rtime = rbuf;
 			for (rp = rbuf; *rp; rp++)
 @@ -289,32 +328,29 @@ pam_sm_authenticate(pam_handle_t *pamh,
+	}
 	krbret = krb5_cc_store_cred(pam_context, ccache, &creds);
 	if (krbret != 0) {
 		PAM_VERBOSE_ERROR("Kerberos 5 error");
 		log_krb5(pam_context, krbret, NULL, "krb5_cc_store_cred");
 		krb5_cc_destroy(pam_context, ccache);
 		retval = PAM_SERVICE_ERR;
 		goto cleanup;
+	}
 	PAM_LOG("Credentials stashed");
 	/* Verify them */
 	if ((srvdup = strdup(service)) == NULL) {
 		retval = PAM_BUF_ERR;
 		goto cleanup;
 	krbret = verify_krb_v5_tgt(pam_context, ccache, srvdup,
-	    openpam_get_option(pamh, PAM_OPT_DEBUG) ? 1 : 0);
+	    debug,
 	    auth_service, auth_princ, auth_phost, &auth_data);
 	free(srvdup);
 	if (krbret == -1) {
 		PAM_VERBOSE_ERROR("Kerberos 5 error");
 		krb5_cc_destroy(pam_context, ccache);
 		retval = PAM_AUTH_ERR;
 		goto cleanup;
+	}
 	PAM_LOG("Credentials stash verified");
 	retval = pam_get_data(pamh, "ccache", &ccache_data);
 	if (retval == PAM_SUCCESS) {
 		krb5_cc_destroy(pam_context, ccache);
 @@ -344,31 +380,36 @@ pam_sm_authenticate(pam_handle_t *pamh,
 cleanup:
 	krb5_free_cred_contents(pam_context, &creds);
 	PAM_LOG("Done cleanup");
 cleanup2:
 	krb5_free_principal(pam_context, princ);
 	PAM_LOG("Done cleanup2");
 cleanup3:
 	if (princ_name)
 		free(princ_name);
 	if (opts)
 		krb5_get_init_creds_opt_free(pam_context, opts);
 cleanup4:
 	verify_krb_v5_tgt_cleanup(pam_context, debug,
 	    auth_service, auth_princ, auth_phost, &auth_data);
 	krb5_free_context(pam_context);
 cleanup5:
 	free(srvdup);
-	PAM_LOG("Done cleanup3");
+	PAM_LOG("Done cleanup5");
 cleanup6:
 	if (retval != PAM_SUCCESS)
 		PAM_VERBOSE_ERROR("Kerberos 5 refuses you");
 	return (retval);
+}
 PAM_EXTERN int
 pam_sm_setcred(pam_handle_t *pamh, int flags,
     int argc __unused, const char *argv[] __unused)
+{
 	krb5_error_code krbret;
 	krb5_context pam_context;
 @@ -874,140 +915,156 @@ log_krb5(krb5_context ctx, krb5_error_co
 /*
  * This routine with some modification is from the MIT V5B6 appl/bsd/login.c
  * Modified by Sam Hartman <hartmans@mit.edu> to support PAM services
  * for Debian.
+ *
  * Verify the Kerberos ticket-granting ticket just retrieved for the
  * user.  If the Kerberos server doesn't respond, assume the user is
  * trying to fake us out (since we DID just get a TGT from what is
  * supposedly our KDC).  If the host/<host> service is unknown (i.e.,
  * the local keytab doesn't have it), and we cannot find another
  * service we do have, let her in.
+ *
- * Returns 1 for confirmation, -1 for failure, 0 for uncertainty.
+ * - verify_krb_v5_tgt_begin returns a krb5 error code.
  * - verify_krb_v5_tgt returns 0 on success, -1 on failure.
  */
 /* ARGSUSED */
 static int
-verify_krb_v5_tgt(krb5_context context, krb5_ccache ccache,
+verify_krb_v5_tgt_begin(krb5_context context, char *pam_service, int debug,
-    char *pam_service, int debug)
+    const char **servicep, krb5_principal *princp, char phost[static BUFSIZ],
     struct syslog_data *datap)
+{
 	krb5_error_code retval;
 	krb5_principal princ;
 	krb5_keyblock *keyblock;
 	krb5_data packet;
 	krb5_auth_context auth_context = NULL;
 	char phost[BUFSIZ];
 	const char *services[3], **service;
 	struct syslog_data data = SYSLOG_DATA_INIT;
-	packet.data = 0;
+	*servicep = NULL;
 	if (debug)
-		openlog_r("pam_krb5", LOG_PID, LOG_AUTHPRIV, &data);
+		openlog_r("pam_krb5", LOG_PID, LOG_AUTHPRIV, datap);
 	/* If possible we want to try and verify the ticket we have
 	 * received against a keytab.  We will try multiple service
 	 * principals, including at least the host principal and the PAM
 	 * service principal.  The host principal is preferred because access
 	 * to that key is generally sufficient to compromise root, while the
 	 * service key for this PAM service may be less carefully guarded.
 	 * It is important to check the keytab first before the KDC so we do
 	 * not get spoofed by a fake KDC.
 	 */
 	services[0] = "host";
 	services[1] = pam_service;
 	services[2] = NULL;
 	keyblock = 0;
 	retval = -1;
 	for (service = &services[0]; *service != NULL; service++) {
 		retval = krb5_sname_to_principal(context, NULL, *service,
 		    KRB5_NT_SRV_HST, &princ);
 		if (retval != 0 && debug)
-			log_krb5(context, retval, &data,
+			log_krb5(context, retval, datap,
 			    "pam_krb5: verify_krb_v5_tgt: "
 			    "krb5_sname_to_principal");
 		if (retval != 0)
-			return -1;
+			return (retval);
 		/* Extract the name directly. */
 		strncpy(phost, compat_princ_component(context, princ, 1),
 		    BUFSIZ);
 		phost[BUFSIZ - 1] = '\0';
 		/*
 		 * Do we have service/<host> keys?
 		 * (use default/configured keytab, kvno IGNORE_VNO to get the
 		 * first match, and ignore enctype.)
 		 */
 		retval = krb5_kt_read_service_key(context, NULL, princ, 0, 0,
 		    &keyblock);
 		if (retval != 0)
 			continue;
 		break;
+	}
 	if (retval != 0) {	/* failed to find key */
 		/* Keytab or service key does not exist */
 		if (debug)
 			log_krb5(context, retval, &data,
 			    "pam_krb5: verify_krb_v5_tgt: "
 			    "krb5_kt_read_service_key");
 		retval = 0;
 		goto cleanup;
 	if (keyblock)
 		krb5_free_keyblock(context, keyblock);
 	return (retval);
+}
 static int
 verify_krb_v5_tgt(krb5_context context, krb5_ccache ccache,
     char *pam_service, int debug,
     const char *service, krb5_principal princ, char phost[static BUFSIZ],
     struct syslog_data *datap)
+{
 	krb5_error_code retval;
 	krb5_auth_context auth_context = NULL;
 	krb5_data packet;
 	if (service == NULL)
 		return (0);	/* uncertain, can't authenticate KDC */
 	packet.data = 0;
 	/* Talk to the kdc and construct the ticket. */
 	auth_context = NULL;
-	retval = krb5_mk_req(context, &auth_context, 0, *service, phost,
+	retval = krb5_mk_req(context, &auth_context, 0, service, phost,
 		NULL, ccache, &packet);
 	if (auth_context) {
 		krb5_auth_con_free(context, auth_context);
 		auth_context = NULL;	/* setup for rd_req */
+	}
 	if (retval) {
 		if (debug)
-			log_krb5(context, retval, &data,
+			log_krb5(context, retval, datap,
 			    "pam_krb5: verify_krb_v5_tgt: "
 			    "krb5_mk_req");
 		retval = -1;
 		goto cleanup;
+	}
 	/* Try to use the ticket. */
 	retval = krb5_rd_req(context, &auth_context, &packet, princ, NULL,
 	    NULL, NULL);
 	if (retval) {
 		if (debug)
-			log_krb5(context, retval, &data,
+			log_krb5(context, retval, datap,
 			    "pam_krb5: verify_krb_v5_tgt: "
 			    "krb5_rd_req");
 		retval = -1;
+	}
 	else
 		retval = 1;
 cleanup:
 	if (debug)
 		closelog_r(&data);
 	if (packet.data)
 		compat_free_data_contents(context, &packet);
 	if (auth_context) {
 		krb5_auth_con_free(context, auth_context);
 		auth_context = NULL;	/* setup for rd_req */
+	}
-	krb5_free_principal(context, princ);
+	return (retval);
 	return retval;
 static void
 verify_krb_v5_tgt_cleanup(krb5_context context, int debug,
     const char *service, krb5_principal princ, char phost[static BUFSIZ],
     struct syslog_data *datap)
+{
 	if (service)
 		krb5_free_principal(context, princ);
 	if (debug)
 		closelog_r(datap);
+}
 /* Free the memory for cache_name. Called by pam_end() */
 /* ARGSUSED */
 static void
 cleanup_cache(pam_handle_t *pamh __unused, void *data, int pam_end_status __unused)
+{
 	krb5_context pam_context;
 	krb5_ccache ccache;
 	krb5_error_code krbret;
 	if (krb5_init_context(&pam_context))
 		return;

 @@ -1,14 +1,14 @@
-.\" $NetBSD: pam_krb5.8,v 1.11 2008/12/02 22:52:06 reed Exp $
+.\" $NetBSD: pam_krb5.8,v 1.11.40.1 2023/06/21 22:04:13 martin Exp $
 .\" $FreeBSD: src/lib/libpam/modules/pam_krb5/pam_krb5.8,v 1.6 2001/11/24 23:41:32 dd Exp $
 .\"
 .\" Copyright (c) Frank Cusack, 1999-2001. All rights reserved.
 .\"
 .\" Redistribution and use in source and binary forms, with or without
 .\" modification, are permitted provided that the following conditions
 .\" are met:
 .\" 1. Redistributions of source code must retain the above copyright
 .\"    notices, and the entire permission notice in its entirety,
 .\"    including the disclaimer of warranties.
 .\" 2. Redistributions in binary form must reproduce the above copyright
 .\"    notice, this list of conditions and the following disclaimer in the
 .\"    documentation and/or other materials provided with the distribution.
 @@ -132,26 +132,41 @@ is not a recommendation to use the modul
 Use
 .Ar name
 as the credentials cache.
 .Ar name
 must be in the form
 .Ar type : Ns Ar residual .
 The special tokens
 .Ql %u ,
 to designate the decimal UID of the user;
 and
 .Ql %p ,
 to designate the current process ID; can be used in
 .Ar name .
 .It Cm allow_kdc_spoof
 Allow
 .Nm
 to succeed even if there is no host or service key available in a
 keytab to authenticate the Kerberos KDC's ticket.
 If there is no such key, for example on a host with no keytabs,
 .Nm
 will fail immediately without prompting the user.
 .Pp
 .Sy Warning :
 If the host has not been configured with a keytab from the KDC, setting
 this option makes it vulnerable to malicious KDCs, e.g. via DNS
 flooding, because
 .Nm
 has no way to distinguish the legitimate KDC from a spoofed KDC.
 .El
 .Ss Kerberos 5 Account Management Module
 The Kerberos 5 account management component
 provides a function to perform account management,
 .Fn pam_sm_acct_mgmt .
 The function verifies that the authenticated principal is allowed
 to login to the local user account by calling
 .Fn krb5_kuserok
 (which checks the user's
 .Pa .k5login
 file).
 .Ss Kerberos 5 Password Management Module
 The Kerberos 5 password management component