#!/bin/bash
#
# Usage: PAMKerberos { enable | disable }
#
# This script is not meant to be run directly by users; it is intended
# to be called by the KerberosSettings command.
#
# This script will enable/disable kerberos authentication for the following PAM files:
# /etc/pam.d/sshd
# /etc/pam.d/wbem
# /etc/pam.d/ipauth
# /etc/pam.d/common-auth

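# Fixed locations of the PAM service files this script rewrites.
readonly SSHD_FILE=/etc/pam.d/sshd
readonly WBEM_FILE=/etc/pam.d/wbem
readonly IPAUTH_FILE=/etc/pam.d/ipauth
readonly COMMON_FILE=/etc/pam.d/common-auth

# Scratch copy of whichever PAM file is being rewritten.  The helper
# functions append to it with `>>` and the caller tests `-f ${TMPFILE}`
# to learn whether a rewrite was produced, so the file must NOT exist
# until the first write.  It therefore lives inside a private mktemp
# directory (created mode 0700) instead of at the former fixed path
# /tmp/pamd.tmp: a predictable name in the world-writable /tmp lets any
# local user pre-create a symlink there, which the root-owned `>>` would
# follow and `mv` would then install under /etc/pam.d.
PAMD_WORKDIR=$(mktemp -d) || { echo "PAMKerberos: cannot create a temporary directory" >&2; exit 1; }
readonly PAMD_WORKDIR
readonly TMPFILE="${PAMD_WORKDIR}/pamd.tmp"
# Remove the work directory on every exit path, including an `exit 1`
# from inside one of the helper functions.
trap '/bin/rm -rf -- "${PAMD_WORKDIR}"' EXIT
# NOTE(review): /tmp is often a separate filesystem, so the final mv into
# /etc/pam.d is a copy rather than an atomic rename (as before); a scratch
# file in /etc/pam.d itself would fix that but changes the -f protocol above.

# Becomes "yes" once a pam_ldap entry is seen in a service file; the
# common-auth logic uses it to leave that file alone on LDAP systems.
ISLDAP="no"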

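#######################################
# Rewrite one PAM service file so that pam_krb5.so is consulted.
# The rewritten contents are appended line by line to ${TMPFILE}; the
# input file itself is not touched (the caller moves TMPFILE into place).
# If pam_krb5.so is already configured outside a comment, nothing is written.
#
# Rules, applied per line (comments and blank lines are copied verbatim):
#   - pam_ldap.so "required"      -> "sufficient"; other controls are kept
#   - pam_unix_auth.so "required" -> "sufficient"; for wbem, pam_krb5.so
#                                    is added right after it
#   - sshd/ipauth: pam_krb5.so is inserted before the "auth" pam_nologin.so line
# The control field is taken as the second word, so bracketed
# "[success=1 ...]" controls are not understood (same as before).
#
# Globals:   TMPFILE (appended), ISLDAP (set to "yes" when $1 has a live pam_ldap entry)
# Arguments: $1 - path to one of /etc/pam.d/{sshd,ipauth,wbem}
# Outputs:   error text on stderr for an unknown file name
# Returns:   0; exits the script with status 1 on an unknown file name
#######################################
pam_krb5_on()
{
	local pamfile anchor fac line facility control module
	local krb5_line="auth required /lib/security/pam_krb5.so search_k5login use_first_pass use_authtok"

	# Already enabled?  Commented-out lines are ignored so a disabled
	# "#auth ... pam_krb5.so" entry cannot block enabling.
	if grep -v '^[[:space:]]*#' -- "${1}" | grep -q 'pam_krb5\.so'; then
		return 0
	fi

	pamfile=${1##*/}
	if grep -v '^[[:space:]]*#' -- "${1}" | grep -q 'pam_ldap'; then
		ISLDAP="yes"
	fi

	# The module in front of which kerberos is inserted, per service.
	case "${pamfile}" in
		sshd|ipauth)
			anchor="pam_nologin.so"
			fac="auth"
			;;
		wbem)
			anchor="pam_unix_auth.so"
			fac="auth"
			;;
		*)
			echo "Bad pam config file name ${pamfile}" >&2
			exit 1
			;;
	esac

	# IFS= and -r keep each line byte-exact (no trimming, no backslash
	# decoding); `|| [ -n ... ]` keeps a final line without a newline.
	while IFS= read -r line || [ -n "${line}" ]
	do
		# One split for all three fields instead of three awk pipelines.
		read -r facility control module _ <<<"${line}"
		module=${module##*/}

		# Comments and blank lines pass through untouched.  Without this
		# a commented-out "#auth required pam_ldap.so" parsed as a live entry.
		case "${facility}" in
			''|\#*)
				printf '%s\n' "${line}" >>"${TMPFILE}"
				continue
				;;
		esac

		if [ "${module}" = "pam_ldap.so" ]; then
			# Kerberos is being added: ldap drops from required to
			# sufficient so pam_krb5 becomes the required step.  Any
			# other control is the admin's choice and is kept, not dropped.
			if [ "${control}" = "required" ]; then
				echo "auth sufficient /lib/security/pam_ldap.so use_first_pass config=/etc/openldap/ldap.conf" >>"${TMPFILE}"
			else
				printf '%s\n' "${line}" >>"${TMPFILE}"
			fi
			continue
		fi

		if [ "${module}" = "pam_unix_auth.so" ]; then
			if [ "${control}" = "required" ]; then
				echo "auth sufficient /lib/security/pam_unix_auth.so" >>"${TMPFILE}"
			else
				printf '%s\n' "${line}" >>"${TMPFILE}"
			fi
			# wbem has no pam_nologin anchor, so kerberos follows unix auth.
			if [ "${pamfile}" = "wbem" ]; then
				echo "${krb5_line}" >>"${TMPFILE}"
			fi
		elif [ "${module}" = "${anchor}" ] && [ "${facility}" = "${fac}" ]; then
			# Kerberos is tried just before the anchor module.
			echo "${krb5_line}" >>"${TMPFILE}"
			printf '%s\n' "${line}" >>"${TMPFILE}"
		else
			# Everything else is kept as is, including the anchor module
			# under another facility (e.g. "account ... pam_nologin.so"),
			# which used to be silently dropped.
			printf '%s\n' "${line}" >>"${TMPFILE}"
		fi
	done < "${1}"
}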

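#######################################
# Rewrite one PAM service file so that pam_krb5.so is no longer used.
# The rewritten contents are appended line by line to ${TMPFILE}; the
# input file itself is not touched (the caller moves TMPFILE into place).
# If no live (uncommented) pam_krb5.so entry exists, nothing is written.
#
# Rules, applied per line (comments and blank lines are copied verbatim):
#   - pam_krb5.so lines are removed
#   - pam_ldap.so "sufficient"      -> "required"; other controls are kept
#   - pam_unix_auth.so "sufficient" -> "required"; other controls are kept
# The control field is taken as the second word, so bracketed
# "[success=1 ...]" controls are not understood (same as before).
#
# Globals:   TMPFILE (appended)
# Arguments: $1 - path to a PAM service file
# Returns:   0
#######################################
pam_krb5_off()
{
	local line facility control module

	# Nothing to do when kerberos is not configured; comments do not count.
	grep -v '^[[:space:]]*#' -- "${1}" | grep -q 'pam_krb5\.so' || return 0

	# IFS= and -r keep each line byte-exact; `|| [ -n ... ]` keeps a final
	# line that lacks a trailing newline.
	while IFS= read -r line || [ -n "${line}" ]
	do
		read -r facility control module _ <<<"${line}"
		module=${module##*/}

		# Comments and blank lines pass through untouched.
		case "${facility}" in
			''|\#*)
				printf '%s\n' "${line}" >>"${TMPFILE}"
				continue
				;;
		esac

		if [ "${module}" = "pam_ldap.so" ]; then
			# Kerberos is going away: ldap returns from sufficient to
			# required.  Other controls are kept rather than dropped.
			if [ "${control}" = "sufficient" ]; then
				echo "auth required /lib/security/pam_ldap.so use_first_pass config=/etc/openldap/ldap.conf" >>"${TMPFILE}"
			else
				printf '%s\n' "${line}" >>"${TMPFILE}"
			fi
		elif [ "${module}" = "pam_unix_auth.so" ]; then
			if [ "${control}" = "sufficient" ]; then
				echo "auth required /lib/security/pam_unix_auth.so" >>"${TMPFILE}"
			else
				printf '%s\n' "${line}" >>"${TMPFILE}"
			fi
		elif [ "${module}" = "pam_krb5.so" ]; then
			# Drop the kerberos entry: nothing is written for this line.
			:
		else
			printf '%s\n' "${line}" >>"${TMPFILE}"
		fi
	done < "${1}"
}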

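#######################################
# Rewrite /etc/pam.d/common-auth for kerberos being turned on or off.
# The rewritten contents are appended line by line to ${TMPFILE}; the
# input file itself is not touched (the caller moves TMPFILE into place).
#
#   on  - when no LDAP is configured (ISLDAP = "no"), pam_unix_auth.so
#         "required" becomes "sufficient".  With LDAP the file is copied
#         unchanged; previously the pam_unix_auth.so line was dropped
#         outright in that case.
#   off - pam_unix_auth.so "sufficient" becomes "required".  ISLDAP is
#         refreshed first from the sshd service file (live entries only).
# Comments and blank lines are copied verbatim.
#
# Globals:   TMPFILE (appended), COMMON_FILE (read), SSHD_FILE (read, off),
#            ISLDAP (read for on, written for off)
# Arguments: $1 - "on" | "off"
# Outputs:   error text on stderr for any other argument
# Returns:   0; exits the script with status 1 on an invalid argument
#######################################
common_auth()
{
	local line facility control module from to

	case "${1}" in
		on)
			if [ "${ISLDAP}" = "no" ]; then
				from="required"
				to="sufficient"
			else
				# Empty "from" never matches: unix auth lines are kept as is.
				from=""
				to=""
			fi
			;;
		off)
			if grep -v '^[[:space:]]*#' -- "${SSHD_FILE}" | grep -q 'pam_ldap'; then
				ISLDAP="yes"
			fi
			from="sufficient"
			to="required"
			;;
		*)
			echo "common_auth invalid parameter!" >&2
			exit 1
			;;
	esac

	# IFS= and -r keep each line byte-exact; `|| [ -n ... ]` keeps a final
	# line that lacks a trailing newline.
	while IFS= read -r line || [ -n "${line}" ]
	do
		read -r facility control module _ <<<"${line}"
		module=${module##*/}

		# Comments and blank lines pass through untouched.
		case "${facility}" in
			''|\#*)
				printf '%s\n' "${line}" >>"${TMPFILE}"
				continue
				;;
		esac

		if [ "${module}" = "pam_unix_auth.so" ] && [ -n "${from}" ] && [ "${control}" = "${from}" ]; then
			echo "auth ${to} /lib/security/pam_unix_auth.so" >>"${TMPFILE}"
		else
			printf '%s\n' "${line}" >>"${TMPFILE}"
		fi
	done < "${COMMON_FILE}"
	return 0
}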

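#######################################
# Install the rewritten scratch file over a PAM file, if one was produced.
# A helper function that returned early leaves no TMPFILE, and then the
# target is left untouched.
# Globals:   TMPFILE (consumed)
# Arguments: $1 - destination PAM file
# Returns:   0; exits the script with status 1 if the replacement fails
#            (e.g. not running as root) instead of silently reporting success
#######################################
install_tmpfile()
{
	if [ -f "${TMPFILE}" ]; then
		/bin/mv -f -- "${TMPFILE}" "${1}" || {
			echo "PAMKerberos: cannot replace ${1}" >&2
			exit 1
		}
	fi
}

#######################################
# Entry point: enable or disable kerberos in the PAM files listed above.
# Globals:   TMPFILE, SSHD_FILE, WBEM_FILE, IPAUTH_FILE, COMMON_FILE (read),
#            ISLDAP (written)
# Arguments: $1 - "enable" | "disable"
# Returns:   exit 0 on success, 1 on a bad argument or a failed replacement
#######################################
main()
{
	/bin/rm -f -- "${TMPFILE}"

	# Decide ISLDAP before common-auth is considered.  The intent stated in
	# the original comments ("if ldap is configured, do not change
	# common-auth") never took effect because the flag was only set inside
	# pam_krb5_on / common_auth, i.e. after it had already been tested here.
	# sshd is the reference service, as in common_auth off.
	# NOTE(review): hosts where an earlier run rewrote common-auth despite
	# LDAP may need a one-time manual check of that file — verify.
	if grep -v '^[[:space:]]*#' -- "${SSHD_FILE}" 2>/dev/null | grep -q 'pam_ldap'; then
		ISLDAP="yes"
	fi

	case "${1}" in
		enable)
			if [ "${ISLDAP}" = "no" ]; then
				common_auth on
				install_tmpfile "${COMMON_FILE}"
			fi
			pam_krb5_on "${SSHD_FILE}"
			install_tmpfile "${SSHD_FILE}"
			pam_krb5_on "${WBEM_FILE}"
			install_tmpfile "${WBEM_FILE}"
			pam_krb5_on "${IPAUTH_FILE}"
			install_tmpfile "${IPAUTH_FILE}"
			;;
		disable)
			if [ "${ISLDAP}" = "no" ]; then
				common_auth off
				install_tmpfile "${COMMON_FILE}"
			fi
			pam_krb5_off "${WBEM_FILE}"
			install_tmpfile "${WBEM_FILE}"
			pam_krb5_off "${SSHD_FILE}"
			install_tmpfile "${SSHD_FILE}"
			pam_krb5_off "${IPAUTH_FILE}"
			install_tmpfile "${IPAUTH_FILE}"
			;;
		*)
			echo "Invalid argument ${1}." >&2
			exit 1
			;;
	esac

	exit 0
}

main "$@"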

