Add PKCS methods

pull/1/head
Timothy Pearson 9 years ago
parent 30b251b05b
commit c6eab472be

@ -21,6 +21,7 @@
#include <sys/types.h> #include <sys/types.h>
#include <sys/stat.h> #include <sys/stat.h>
#include <sys/socket.h> #include <sys/socket.h>
#include <dirent.h>
#include <netdb.h> #include <netdb.h>
#include <pwd.h> #include <pwd.h>
@ -37,6 +38,7 @@
#include <tdesu/process.h> #include <tdesu/process.h>
#include <ksslcertificate.h> #include <ksslcertificate.h>
#include <krfcdate.h> #include <krfcdate.h>
#include <tdecryptographiccarddevice.h>
#include <ldap.h> #include <ldap.h>
#include <sasl/sasl.h> #include <sasl/sasl.h>
@ -66,6 +68,11 @@
#define PAMD_COMMON_AUTH "common-auth" #define PAMD_COMMON_AUTH "common-auth"
#define PAMD_COMMON_SESSION "common-session" #define PAMD_COMMON_SESSION "common-session"
#define PAMD_PKCS11_CONFIG_DIRECTORY "/etc/pam_pkcs11/"
#define PAMD_PKCS11_CONFIG_FILE "pam_pkcs11.conf"
#define PAMD_PKCS11_CERT_REHASH_COMMAND "pkcs11_make_hash_link"
#define LDAP_FILE "/etc/ldap/ldap.conf" #define LDAP_FILE "/etc/ldap/ldap.conf"
#define LDAP_SECONDARY_FILE "/etc/ldap.conf" #define LDAP_SECONDARY_FILE "/etc/ldap.conf"
#define LDAP_TERTIARY_FILE "/etc/libnss-ldap.conf" #define LDAP_TERTIARY_FILE "/etc/libnss-ldap.conf"
@ -4559,6 +4566,8 @@ LDAPClientRealmConfig LDAPManager::loadClientRealmConfig(KSimpleConfig* config,
clientRealmConfig.passwordHash = config->readEntry("ConnectionPasswordHash", "exop"); clientRealmConfig.passwordHash = config->readEntry("ConnectionPasswordHash", "exop");
clientRealmConfig.ignoredUsers = config->readEntry("ConnectionIgnoredUsers", DEFAULT_IGNORED_USERS_LIST); clientRealmConfig.ignoredUsers = config->readEntry("ConnectionIgnoredUsers", DEFAULT_IGNORED_USERS_LIST);
clientRealmConfig.pamConfig.enable_pkcs11_login = config->readBoolEntry("EnablePKCS11Login", false);
clientRealmConfig.pamConfig.pkcs11_login_card_slot = config->readNumEntry("PKCS11LoginCardSlot", 0);
clientRealmConfig.pamConfig.enable_cached_credentials = config->readBoolEntry("EnableCachedCredentials", true); clientRealmConfig.pamConfig.enable_cached_credentials = config->readBoolEntry("EnableCachedCredentials", true);
clientRealmConfig.pamConfig.autocreate_user_directories_enable = config->readBoolEntry("EnableAutoUserDir", true); clientRealmConfig.pamConfig.autocreate_user_directories_enable = config->readBoolEntry("EnableAutoUserDir", true);
clientRealmConfig.pamConfig.autocreate_user_directories_umask = config->readNumEntry("AutoUserDirUmask", 0022); clientRealmConfig.pamConfig.autocreate_user_directories_umask = config->readNumEntry("AutoUserDirUmask", 0022);
@ -4589,6 +4598,8 @@ int LDAPManager::saveClientRealmConfig(LDAPClientRealmConfig clientRealmConfig,
config->writeEntry("ConnectionPasswordHash", clientRealmConfig.passwordHash); config->writeEntry("ConnectionPasswordHash", clientRealmConfig.passwordHash);
config->writeEntry("ConnectionIgnoredUsers", clientRealmConfig.ignoredUsers); config->writeEntry("ConnectionIgnoredUsers", clientRealmConfig.ignoredUsers);
config->writeEntry("EnablePKCS11Login", clientRealmConfig.pamConfig.enable_pkcs11_login);
config->writeEntry("PKCS11LoginCardSlot", clientRealmConfig.pamConfig.pkcs11_login_card_slot);
config->writeEntry("EnableCachedCredentials", clientRealmConfig.pamConfig.enable_cached_credentials); config->writeEntry("EnableCachedCredentials", clientRealmConfig.pamConfig.enable_cached_credentials);
config->writeEntry("EnableAutoUserDir", clientRealmConfig.pamConfig.autocreate_user_directories_enable); config->writeEntry("EnableAutoUserDir", clientRealmConfig.pamConfig.autocreate_user_directories_enable);
config->writeEntry("AutoUserDirUmask", clientRealmConfig.pamConfig.autocreate_user_directories_umask); config->writeEntry("AutoUserDirUmask", clientRealmConfig.pamConfig.autocreate_user_directories_umask);
@ -4685,6 +4696,37 @@ int LDAPManager::writeNSSwitchFile(TQString *errstr) {
return 0; return 0;
} }
int LDAPManager::rehashClientPKCSCertificates(TQString *errstr) {
// Save the original working directory
DIR* original_cwd = opendir(".");
// Change working directory to root certificate directory
if (chdir(KERBEROS_PKI_PUBLICDIR) < 0) {
if (errstr) {
*errstr = i18n("Could not change working directory to '%1'").arg(KERBEROS_PKI_PUBLICDIR);
}
return 1;
}
// Rehash certificates
if (system(PAMD_PKCS11_CERT_REHASH_COMMAND) < 0) {
if (errstr) {
*errstr = i18n("Could not rehash certificates in directory '%1'").arg(KERBEROS_PKI_PUBLICDIR);
}
return 1;
}
// Restore the original working directory
if (original_cwd) {
if (fchdir(dirfd(original_cwd)) < 0) {
// ERROR
}
closedir(original_cwd);
}
return 0;
}
int LDAPManager::writePAMFiles(LDAPPamConfig pamConfig, TQString *errstr) { int LDAPManager::writePAMFiles(LDAPPamConfig pamConfig, TQString *errstr) {
TQFile file(PAMD_DIRECTORY PAMD_COMMON_ACCOUNT); TQFile file(PAMD_DIRECTORY PAMD_COMMON_ACCOUNT);
if (file.open(IO_WriteOnly)) { if (file.open(IO_WriteOnly)) {
@ -4713,11 +4755,17 @@ int LDAPManager::writePAMFiles(LDAPPamConfig pamConfig, TQString *errstr) {
stream << "# All changes will be lost!\n"; stream << "# All changes will be lost!\n";
stream << "\n"; stream << "\n";
stream << "auth [default=ignore success=ignore] pam_mount.so" << "\n"; stream << "auth [default=ignore success=ignore] pam_mount.so" << "\n";
stream << "auth sufficient pam_unix.so nullok try_first_pass" << "\n"; stream << "auth [success=done new_authtok_reqd=done default=ignore] pam_unix.so nullok try_first_pass" << "\n";
stream << "auth [default=ignore success=1 service_err=reset] pam_krb5.so ccache=/tmp/krb5cc_%u use_first_pass" << "\n";
if (pamConfig.enable_cached_credentials) { if (pamConfig.enable_cached_credentials) {
stream << "auth [default=2 success=done] pam_ccreds.so action=validate use_first_pass" << "\n"; stream << "auth [default=ignore success=1 service_err=reset] pam_krb5.so ccache=/tmp/krb5cc_%u use_first_pass" << "\n";
stream << "auth sufficient pam_ccreds.so action=store use_first_pass" << "\n"; stream << "auth [default=1 success=done] pam_ccreds.so action=validate use_first_pass" << "\n";
stream << "auth [default=ignore success=done new_authtok_reqd=done] pam_ccreds.so action=store use_first_pass" << "\n";
}
else {
stream << "auth [default=ignore success=done new_authtok_reqd=done service_err=reset] pam_krb5.so ccache=/tmp/krb5cc_%u use_first_pass" << "\n";
}
if (pamConfig.enable_pkcs11_login) {
stream << "auth [default=ignore success=done new_authtok_reqd=done] pam_pkcs11.so" << "\n";
} }
stream << "auth required pam_deny.so" << "\n"; stream << "auth required pam_deny.so" << "\n";
@ -4765,6 +4813,56 @@ int LDAPManager::writePAMFiles(LDAPPamConfig pamConfig, TQString *errstr) {
} }
} }
if (pamConfig.enable_pkcs11_login) {
TQFile file4(PAMD_PKCS11_CONFIG_DIRECTORY PAMD_PKCS11_CONFIG_FILE);
if (file4.open(IO_WriteOnly)) {
TQTextStream stream( &file4 );
stream << "# This file was automatically generated by TDE\n";
stream << "# All changes will be lost!\n";
stream << "\n";
stream << "pam_pkcs11 {" << "\n";
stream << " nullok = true;" << "\n";
stream << " debug = false;" << "\n";
stream << " use_first_pass = true;" << "\n";
stream << " try_first_pass = false;" << "\n";
stream << " use_authtok = false;" << "\n";
stream << " use_pkcs11_module = opensc;" << "\n";
stream << " pkcs11_module opensc {" << "\n";
stream << " module = " << TDECryptographicCardDevice::pkcsProviderLibrary() << ";" << "\n";
stream << " description = \"OpenSC PKCS#11 module\";" << "\n";
stream << " slot_num = \"" << pamConfig.pkcs11_login_card_slot << "\";" << "\n";
stream << " ca_dir = " KERBEROS_PKI_PUBLICDIR ";" << "\n";
stream << " crl_dir = " KERBEROS_PKI_PUBLICDIR ";" << "\n";
stream << " support_threads = false;" << "\n";
stream << " cert_policy = ca,crl_auto,signature;" << "\n";
stream << " token_type = \"Smart card\";" << "\n";
stream << " }" << "\n";
stream << " use_mappers = cn;" << "\n";
stream << " mapper cn {" << "\n";
stream << " debug = false;" << "\n";
stream << " module = internal;" << "\n";
stream << " ignorecase = true;" << "\n";
stream << " mapfile = \"none\";" << "\n";
stream << " }" << "\n";
stream << "}" << "\n";
file4.close();
}
else {
if (errstr) {
*errstr = i18n("Could not open file '%1' for writing").arg(file4.name());
}
}
// Rehash PKCS certificates
if (rehashClientPKCSCertificates() != 0) {
if (errstr) {
*errstr = i18n("Could not rehash PKCS certificates");
}
}
}
return 0; return 0;
} }
@ -5374,6 +5472,8 @@ LDAPCertConfig::~LDAPCertConfig() {
} }
LDAPPamConfig::LDAPPamConfig() { LDAPPamConfig::LDAPPamConfig() {
enable_pkcs11_login = false;
pkcs11_login_card_slot = 0;
enable_cached_credentials = true; enable_cached_credentials = true;
autocreate_user_directories_enable = true; autocreate_user_directories_enable = true;
autocreate_user_directories_umask = 0; autocreate_user_directories_umask = 0;

@ -239,6 +239,8 @@ class LDAPPamConfig
~LDAPPamConfig(); ~LDAPPamConfig();
public: public:
bool enable_pkcs11_login;
int pkcs11_login_card_slot;
bool enable_cached_credentials; bool enable_cached_credentials;
bool autocreate_user_directories_enable; bool autocreate_user_directories_enable;
mode_t autocreate_user_directories_umask; mode_t autocreate_user_directories_umask;
@ -579,6 +581,7 @@ class LDAPManager : public TQObject {
static int writeOpenSSLConfigurationFile(LDAPRealmConfig realmcfg, TQString *errstr=0); static int writeOpenSSLConfigurationFile(LDAPRealmConfig realmcfg, TQString *errstr=0);
static int writeOpenSSLConfigurationFile(LDAPRealmConfig realmcfg, LDAPUserInfo user, TQString opensslConfigFile, TQString caRootKeyFile=TQString::null, TQString caRootCertFile=TQString::null, TQString caRootDatabaseFile=TQString::null, TQString *errstr=0); static int writeOpenSSLConfigurationFile(LDAPRealmConfig realmcfg, LDAPUserInfo user, TQString opensslConfigFile, TQString caRootKeyFile=TQString::null, TQString caRootCertFile=TQString::null, TQString caRootDatabaseFile=TQString::null, TQString *errstr=0);
static int writeClientCronFiles(TQString *errstr=0); static int writeClientCronFiles(TQString *errstr=0);
static int rehashClientPKCSCertificates(TQString *errstr=0);
static int writePAMFiles(LDAPPamConfig pamConfig, TQString *errstr=0); static int writePAMFiles(LDAPPamConfig pamConfig, TQString *errstr=0);
static int bondRealm(TQString adminUserName, const char * adminPassword, TQString adminRealm, TQString *errstr=0); static int bondRealm(TQString adminUserName, const char * adminPassword, TQString adminRealm, TQString *errstr=0);

Loading…
Cancel
Save