freebsd-dev/libexec/lukemftpd/pamize.h

154 lines
3.8 KiB
C
Raw Normal View History

/* $FreeBSD$ */
#ifdef USE_PAM
/*
* the following code is stolen from imap-uw PAM authentication module and
* login.c
*/
#define COPY_STRING(s) (s ? strdup(s) : NULL)
struct cred_t {
const char *uname; /* user name */
const char *pass; /* password */
};
typedef struct cred_t cred_t;
static int
auth_conv(int num_msg, const struct pam_message **msg,
struct pam_response **resp, void *appdata)
{
int i;
cred_t *cred = (cred_t *) appdata;
struct pam_response *reply;
reply = calloc(num_msg, sizeof *reply);
if (reply == NULL)
return PAM_BUF_ERR;
for (i = 0; i < num_msg; i++) {
switch (msg[i]->msg_style) {
case PAM_PROMPT_ECHO_ON: /* assume want user name */
reply[i].resp_retcode = PAM_SUCCESS;
reply[i].resp = COPY_STRING(cred->uname);
/* PAM frees resp. */
break;
case PAM_PROMPT_ECHO_OFF: /* assume want password */
reply[i].resp_retcode = PAM_SUCCESS;
reply[i].resp = COPY_STRING(cred->pass);
/* PAM frees resp. */
break;
case PAM_TEXT_INFO:
case PAM_ERROR_MSG:
reply[i].resp_retcode = PAM_SUCCESS;
reply[i].resp = NULL;
break;
default: /* unknown message style */
free(reply);
return PAM_CONV_ERR;
}
}
*resp = reply;
return PAM_SUCCESS;
}
/*
* Attempt to authenticate the user using PAM. Returns 0 if the user is
* authenticated, or 1 if not authenticated. If some sort of PAM system
* error occurs (e.g., the "/etc/pam.conf" file is missing) then this
* function returns -1. This can be used as an indication that we should
* fall back to a different authentication mechanism.
*/
static int
auth_pam(struct passwd **ppw, const char *pass)
{
pam_handle_t *pamh = NULL;
const char *tmpl_user;
const void *item;
int rval;
int e;
cred_t auth_cred = { (*ppw)->pw_name, pass };
struct pam_conv conv = { &auth_conv, &auth_cred };
e = pam_start("ftpd", (*ppw)->pw_name, &conv, &pamh);
if (e != PAM_SUCCESS) {
syslog(LOG_ERR, "pam_start: %s", pam_strerror(pamh, e));
return -1;
}
e = pam_set_item(pamh, PAM_RHOST, remotehost);
if (e != PAM_SUCCESS) {
syslog(LOG_ERR, "pam_set_item(PAM_RHOST): %s",
pam_strerror(pamh, e));
return -1;
}
e = pam_authenticate(pamh, 0);
switch (e) {
case PAM_SUCCESS:
/*
* With PAM we support the concept of a "template"
* user. The user enters a login name which is
* authenticated by PAM, usually via a remote service
* such as RADIUS or TACACS+. If authentication
* succeeds, a different but related "template" name
* is used for setting the credentials, shell, and
* home directory. The name the user enters need only
* exist on the remote authentication server, but the
* template name must be present in the local password
* database.
*
* This is supported by two various mechanisms in the
* individual modules. However, from the application's
* point of view, the template user is always passed
* back as a changed value of the PAM_USER item.
*/
if ((e = pam_get_item(pamh, PAM_USER, &item)) ==
PAM_SUCCESS) {
tmpl_user = (const char *) item;
if (strcmp((*ppw)->pw_name, tmpl_user) != 0)
*ppw = getpwnam(tmpl_user);
} else
syslog(LOG_ERR, "Couldn't get PAM_USER: %s",
pam_strerror(pamh, e));
rval = 0;
break;
case PAM_AUTH_ERR:
case PAM_USER_UNKNOWN:
case PAM_MAXTRIES:
rval = 1;
break;
default:
syslog(LOG_ERR, "pam_authenticate: %s", pam_strerror(pamh, e));
rval = -1;
break;
}
if (rval == 0) {
e = pam_acct_mgmt(pamh, 0);
if (e == PAM_NEW_AUTHTOK_REQD) {
e = pam_chauthtok(pamh, PAM_CHANGE_EXPIRED_AUTHTOK);
if (e != PAM_SUCCESS) {
syslog(LOG_ERR, "pam_chauthtok: %s",
pam_strerror(pamh, e));
rval = 1;
}
} else if (e != PAM_SUCCESS) {
rval = 1;
}
}
if (rval != 0) {
if ((e = pam_end(pamh, e)) != PAM_SUCCESS) {
syslog(LOG_ERR, "pam_end: %s", pam_strerror(pamh, e));
}
pamh = NULL;
}
return rval;
}
#endif /* USE_PAM */