d/freebsd-nq
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Clean up (and in some cases write) the PAM mudules, using

Browse Source 
o The new options-processing API
o The new DEBUG-logging API

Add man(1) pages for ALL modules. MDOC-Police welcome
to check this.

Audit, clean up while I'm here.
This commit is contained in:
Mark Murray 2001-07-09 18:20:51 +00:00
parent 5d87b61e6f
commit 1642eb1a52
35 changed files with 2028 additions and 264 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
lib/libpam/modules/pam_cleartext_pass_ok/pam_cleartext_pass_ok.c
View File

@ -33,8 +33,7 @@
#include <security/pam_modules.h>
PAM_EXTERN int
pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc,
const char **argv)
pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv)
{
int retval;
const void *item;
@ -42,12 +41,15 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc,
const char *tty;
const char *rhost;
if ((retval = pam_get_user(pamh, &user, NULL)) != PAM_SUCCESS)
retval = pam_get_user(pamh, &user, NULL);
if (retval != PAM_SUCCESS)
return retval;
if ((retval = pam_get_item(pamh, PAM_TTY, &item)) != PAM_SUCCESS)
retval = pam_get_item(pamh, PAM_TTY, &item);
if (retval != PAM_SUCCESS)
return retval;
tty = (const char *)item;
if ((retval = pam_get_item(pamh, PAM_RHOST, &item)) != PAM_SUCCESS)
retval = pam_get_item(pamh, PAM_RHOST, &item);
if (retval != PAM_SUCCESS)
return retval;
rhost = (const char *)item;
/*

3
lib/libpam/modules/pam_deny/Makefile
View File

@ -27,7 +27,6 @@
LIB= pam_deny
SHLIB_NAME= pam_deny.so
SRCS= pam_deny.c
MAN= pam_deny.8
.include <bsd.lib.mk>
.PATH: ${PAMDIR}/modules/pam_deny

75
lib/libpam/modules/pam_deny/pam_deny.8 Normal file
View File

@ -0,0 +1,75 @@
.\" Copyright (c) 2001 Mark R V Murray
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" $FreeBSD$
.\"
.Dd July 7, 2001
.Dt PAM_DENY 8
.Os
.Sh NAME
.Nm pam_deny
.Nd Deny PAM module
.Sh SYNOPSIS
.Op Ar service-name
.Ar module-type
.Ar control-flag
.Pa pam_deny
.Op Ar options
.Sh DESCRIPTION
The Deny authentication service module for PAM,
.Nm
provides functionality for all the PAM categories:
authentication,
account management,
session management and
password management.
In terms of the
.Ar module-type
parameter, these are the
.Dv auth ,
.Dv account ,
.Dv session
and
.Dv password
features.
.Pp
The Deny module
will universally deny all requests.
It is primarily of use during testing,
and to
.Dq null-out
unwanted functionality.
.Pp
The following options may be passed to the module:
.Bl -tag -xwidth ".Cm use_first_pass"
.It Cm debug
.Xr syslog 3
debugging information at
.Dv LOG_DEBUG
level.
.El
.Sh SEE ALSO
.Xr syslog 3 ,
.Xr pam.conf 5 ,
.Xr pam 8

109
lib/libpam/modules/pam_deny/pam_deny.c Normal file
View File

@ -0,0 +1,109 @@
/*-
* Copyright 2001 Mark R V Murray
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* $FreeBSD$
*/
#define PAM_SM_AUTH
#define PAM_SM_ACCOUNT
#define PAM_SM_SESSION
#define PAM_SM_PASSWORD
#include <security/pam_modules.h>
#include "pam_mod_misc.h"
PAM_EXTERN int
pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv)
{
struct options options;
pam_std_option(&options, NULL, argc, argv);
PAM_LOG("Options processed");
PAM_RETURN(PAM_AUTH_ERR);
}
PAM_EXTERN int
pam_sm_setcred(pam_handle_t *pamh, int flags, int argc, const char **argv)
{
struct options options;
pam_std_option(&options, NULL, argc, argv);
PAM_LOG("Options processed");
PAM_RETURN(PAM_CRED_UNAVAIL);
}
PAM_EXTERN int
pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, int argc ,const char **argv)
{
struct options options;
pam_std_option(&options, NULL, argc, argv);
PAM_LOG("Options processed");
PAM_RETURN(PAM_ACCT_EXPIRED);
}
PAM_EXTERN int
pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, const char **argv)
{
struct options options;
pam_std_option(&options, NULL, argc, argv);
PAM_LOG("Options processed");
PAM_RETURN(PAM_AUTHTOK_ERR);
}
PAM_EXTERN int
pam_sm_open_session(pam_handle_t *pamh, int flags, int argc, const char **argv)
{
struct options options;
pam_std_option(&options, NULL, argc, argv);
PAM_LOG("Options processed");
PAM_RETURN(PAM_SYSTEM_ERR);
}
PAM_EXTERN int
pam_sm_close_session(pam_handle_t *pamh, int flags, int argc, const char **argv)
{
struct options options;
pam_std_option(&options, NULL, argc, argv);
PAM_LOG("Options processed");
PAM_RETURN(PAM_SYSTEM_ERR);
}
PAM_MODULE_ENTRY("pam_deny");

1
lib/libpam/modules/pam_ftp/Makefile
View File

@ -27,5 +27,6 @@
LIB= pam_ftp
SHLIB_NAME= pam_ftp.so
SRCS= pam_ftp.c
MAN= pam_ftp.8
.include <bsd.lib.mk>

92
lib/libpam/modules/pam_ftp/pam_ftp.8 Normal file
View File

@ -0,0 +1,92 @@
.\" Copyright (c) 2001 Mark R V Murray
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" $FreeBSD$
.\"
.Dd July 8, 2001
.Dt PAM_FTP 8
.Os
.Sh NAME
.Nm pam_ftp
.Nd FTP PAM module
.Sh SYNOPSIS
.Op Ar service-name
.Ar module-type
.Ar control-flag
.Pa pam_ftp
.Op Ar options
.Sh DESCRIPTION
The FTP authentication service module for PAM,
.Nm
provides functionality for only one PAM category:
authentication.
In terms of the
.Ar module-type
parameter, this is the
.Dv auth
feature.
It also provides a null function for session management.
.Ss FTP Authentication Module
The FTP authentication component
.Pq Fn pam_sm_authenticate ,
authenticates the anonymous user
.Pq usually Do anonymous Dc or Do ftp Dc
usually by simply requesting an email address as a password.
The supplied email address is broken up
into its username and host parts,
and these are assigned to the
.Dv PAM_RUSER
and
.Dv PAM_RHOST
facilities respectively.
.Pp
This module is intended for the
.Xr ftpd 8
service.
.Pp
The following options may be passed to the authentication module:
.Bl -tag -xwidth ".Cm use_first_pass"
.It Cm debug
.Xr syslog 3
debugging information at
.Dv LOG_DEBUG
level.
.It Cm no_anon
Disallow anonymous access.
.It Cm ignore
Ingnore the password supplied,
and do not use its constituent parts
.Pq username and hostname
as
.Dv PAM_RUSER
and
.Dv PAM_RHOST
respectively.
.El
.Sh SEE ALSO
.Xr ftp 1 ,
.Xr syslog 3 ,
.Xr pam.conf 5 ,
.Xr ftpd 8 ,
.Xr pam 8

74
lib/libpam/modules/pam_ftp/pam_ftp.c
View File

@ -26,11 +26,8 @@
* $FreeBSD$
*/
#define PLEASE_ENTER_PASSWORD "Password required for %s."
#define GUEST_LOGIN_PROMPT "Guest login ok, send your e-mail address as password."
/* the following is a password that "can't be correct" */
#define BLOCK_PASSWORD "\177BAD PASSWPRD\177"
#define PROMPT "OINK Password required for %s."
#define GUEST_PROMPT "TWEET Guest login ok, send your e-mail address as password."
#include <security/_pam_aconf.h>
@ -41,20 +38,23 @@
#include <stdarg.h>
#include <string.h>
/* here, we make a definition for the externally accessible function in this
* file (this definition is required for static a module but strongly
* encouraged generally) it is used to instruct the modules include file to
* define the function prototypes. */
#define PAM_SM_AUTH
#include <security/pam_modules.h>
#include <pam_mod_misc.h>
#include <security/_pam_macros.h>
enum { PAM_OPT_NO_ANON=PAM_OPT_STD_MAX, PAM_OPT_IGNORE };
static struct opttab other_options[] = {
{ "no_anon", PAM_OPT_NO_ANON },
{ "ignore", PAM_OPT_IGNORE },
{ NULL, 0 }
};
static int
converse(pam_handle_t *pamh, int nargs, struct pam_message **message,
struct pam_response **response)
struct pam_response **response)
{
struct pam_conv *conv;
int retval;
@ -103,8 +103,6 @@ lookup(const char *name, char *list, const char **user)
return anon;
}
/* --- authentication management functions (only) --- */
/* Check if the user name is 'ftp' or 'anonymous'.
* If this is the case, set the PAM_RUSER to the entered email address
* and succeed, otherwise fail.
@ -112,47 +110,52 @@ lookup(const char *name, char *list, const char **user)
PAM_EXTERN int
pam_sm_authenticate(pam_handle_t * pamh, int flags, int argc, const char **argv)
{
struct options options;
struct pam_message msg[1], *mesg[1];
struct pam_response *resp;
int retval, anon, options, i;
const char *user, *token;
int retval, anon;
char *users, *context, *prompt;
const char *user, *token;
users = prompt = NULL;
options = 0;
for (i = 0; i < argc; i++)
pam_std_option(&options, argv[i]);
pam_std_option(&options, other_options, argc, argv);
PAM_LOG("Options processed");
retval = pam_get_user(pamh, &user, NULL);
if (retval != PAM_SUCCESS || user == NULL)
return PAM_USER_UNKNOWN;
PAM_RETURN(PAM_USER_UNKNOWN);
anon = 0;
if (!(options & PAM_OPT_NO_ANON))
if (!pam_test_option(&options, PAM_OPT_NO_ANON, NULL))
anon = lookup(user, users, &user);
if (anon) {
retval = pam_set_item(pamh, PAM_USER, (const void *)user);
if (retval != PAM_SUCCESS || user == NULL)
return PAM_USER_UNKNOWN;
PAM_RETURN(PAM_USER_UNKNOWN);
}
PAM_LOG("Got user: %s", user);
/* Require an email address for user's password. */
if (!anon) {
prompt = malloc(strlen(PLEASE_ENTER_PASSWORD) + strlen(user));
prompt = malloc(strlen(PROMPT) + strlen(user));
if (prompt == NULL)
return PAM_BUF_ERR;
PAM_RETURN(PAM_BUF_ERR);
else {
sprintf(prompt, PLEASE_ENTER_PASSWORD, user);
sprintf(prompt, PROMPT, user);
msg[0].msg = prompt;
}
}
else
msg[0].msg = GUEST_LOGIN_PROMPT;
msg[0].msg = GUEST_PROMPT;
msg[0].msg_style = PAM_PROMPT_ECHO_OFF;
mesg[0] = &msg[0];
PAM_LOG("Sent prompt");
resp = NULL;
retval = converse(pamh, 1, mesg, &resp);
if (prompt) {
@ -160,15 +163,19 @@ pam_sm_authenticate(pam_handle_t * pamh, int flags, int argc, const char **argv)
_pam_drop(prompt);
}
PAM_LOG("Done conversation 1");
if (retval != PAM_SUCCESS) {
if (resp != NULL)
_pam_drop_reply(resp, 1);
return retval == PAM_CONV_AGAIN
? PAM_INCOMPLETE : PAM_AUTHINFO_UNAVAIL;
PAM_RETURN(retval == PAM_CONV_AGAIN
? PAM_INCOMPLETE : PAM_AUTHINFO_UNAVAIL);
}
PAM_LOG("Done conversation 2");
if (anon) {
if (!(options & PAM_OPT_IGNORE)) {
if (!pam_test_option(&options, PAM_OPT_IGNORE, NULL)) {
token = strtok_r(resp->resp, "@", &context);
pam_set_item(pamh, PAM_RUSER, token);
@ -178,16 +185,21 @@ pam_sm_authenticate(pam_handle_t * pamh, int flags, int argc, const char **argv)
}
}
retval = PAM_SUCCESS;
PAM_LOG("Done anonymous");
}
else {
pam_set_item(pamh, PAM_AUTHTOK, resp->resp);
retval = PAM_AUTH_ERR;
PAM_LOG("Done non-anonymous");
}
if (resp)
_pam_drop_reply(resp, i);
_pam_drop_reply(resp, 1);
return retval;
PAM_RETURN(retval);
}
PAM_EXTERN int
@ -196,6 +208,4 @@ pam_sm_setcred(pam_handle_t * pamh, int flags, int argc, const char **argv)
return PAM_IGNORE;
}
/* end of module definition */
PAM_MODULE_ENTRY("pam_ftp");

60
lib/libpam/modules/pam_kerberosIV/pam_kerberosIV.c
View File

@ -47,9 +47,9 @@ int noticketsdontcomplain = 1;
char *krbtkfile_env;
PAM_EXTERN int
pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc,
const char **argv)
pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv)
{
struct options options;
int retval;
const char *user;
char *principal;
@ -57,40 +57,46 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc,
const char *password;
char localhost[MAXHOSTNAMELEN + 1];
struct passwd *pwd;
int options;
int i;
options = 0;
for (i = 0; i < argc; i++)
pam_std_option(&options, argv[i]);
if ((retval = pam_get_user(pamh, &user, NULL)) != PAM_SUCCESS)
pam_std_option(&options, NULL, argc, argv);
retval = pam_get_user(pamh, &user, NULL);
if (retval != PAM_SUCCESS)
return retval;
if ((retval = pam_get_pass(pamh, &password, PASSWORD_PROMPT,
options)) != PAM_SUCCESS)
retval = pam_get_pass(pamh, &password, PASSWORD_PROMPT, &options);
if (retval != PAM_SUCCESS)
return retval;
if (gethostname(localhost, sizeof localhost - 1) == -1)
return PAM_SYSTEM_ERR;
if ((principal = strdup(user)) == NULL)
principal = strdup(user);
if (principal == NULL)
return PAM_BUF_ERR;
if ((instance = strchr(principal, '.')) != NULL)
instance = strchr(principal, '.');
if (instance != NULL)
*instance++ = '\0';
else
instance = "";
if ((pwd = getpwnam(user)) != NULL &&
klogin(pwd, instance, localhost, (char *)password) == 0) {
if (!(flags & PAM_SILENT) && notickets &&
!noticketsdontcomplain)
pam_prompt(pamh, PAM_ERROR_MSG,
"Warning: no Kerberos tickets issued", NULL);
/*
* XXX - I think the ticket file really isn't supposed to
* be even created until pam_sm_setcred() is called.
*/
if (krbtkfile_env != NULL)
setenv("KRBTKFILE", krbtkfile_env, 1);
retval = PAM_SUCCESS;
} else
retval = PAM_AUTH_ERR;
retval = PAM_AUTH_ERR;
pwd = getpwnam(user);
if (pwd != NULL) {
if (klogin(pwd, instance, localhost, (char *)password) == 0) {
if (!(flags & PAM_SILENT) && notickets && !noticketsdontcomplain)
pam_prompt(pamh, PAM_ERROR_MSG,
"Warning: no Kerberos tickets issued",
NULL);
/*
* XXX - I think the ticket file isn't supposed to
* be created until pam_sm_setcred() is called.
*/
if (krbtkfile_env != NULL)
setenv("KRBTKFILE", krbtkfile_env, 1);
retval = PAM_SUCCESS;
}
}
/*
* The PAM infrastructure will obliterate the cleartext
* password before returning to the application.

3
lib/libpam/modules/pam_nologin/Makefile
View File

@ -27,7 +27,6 @@
LIB= pam_nologin
SHLIB_NAME= pam_nologin.so
SRCS= pam_nologin.c
MAN= pam_nologin.8
.include <bsd.lib.mk>
.PATH: ${PAMDIR}/modules/pam_nologin

77
lib/libpam/modules/pam_nologin/pam_nologin.8 Normal file
View File

@ -0,0 +1,77 @@
.\" Copyright (c) 2001 Mark R V Murray
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" $FreeBSD$
.\"
.Dd July 8, 2001
.Dt PAM_NOLOGIN 8
.Os
.Sh NAME
.Nm pam_nologin
.Nd NoLogin PAM module
.Sh SYNOPSIS
.Op Ar service-name
.Ar module-type
.Ar control-flag
.Pa pam_nologin
.Op Ar options
.Sh DESCRIPTION
The NoLogin authentication service module for PAM,
.Nm
provides functionality for only one PAM category:
authentication.
In terms of the
.Ar module-type
parameter, this is the
.Dv auth
feature.
It also provides a null function for session management.
.Ss NoLogin Authentication Module
The NoLogin authentication component
.Pq Fn pam_sm_authenticate ,
always returns success for the superuser,
and returns success for all other users
if the file
.Pa /var/run/nologin
does not exist.
If
.Pa /var/run/nologin
does exist,
then its contents are echoed
to non-superusers
before failure is returned.
.Pp
The following options may be passed to the authentication module:
.Bl -tag -xwidth ".Cm use_first_pass"
.It Cm debug
.Xr syslog 3
debugging information at
.Dv LOG_DEBUG
level.
.El
.Sh SEE ALSO
.Xr syslog 3 ,
.Xr nologin 5 ,
.Xr pam.conf 5 ,
.Xr pam 8

115
lib/libpam/modules/pam_nologin/pam_nologin.c Normal file
View File

@ -0,0 +1,115 @@
/*-
* Copyright 2001 Mark R V Murray
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* $FreeBSD$
*/
#define PAM_SM_AUTH
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <pwd.h>
#include <security/_pam_macros.h>
#include <security/pam_modules.h>
#include "pam_mod_misc.h"
#define NOLOGIN "/var/run/nologin"
PAM_EXTERN int
pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv)
{
struct options options;
struct pam_conv *conv;
struct pam_message message, *pmessage;
struct pam_response *resp;
struct passwd *user_pwd;
struct stat st;
int retval, fd;
const char *user;
char *mtmp;
pam_std_option(&options, NULL, argc, argv);
PAM_LOG("Options processed");
retval = pam_get_user(pamh, &user, NULL);
if (retval != PAM_SUCCESS)
PAM_RETURN(retval);
PAM_LOG("Got user: %s", user);
fd = open(NOLOGIN, O_RDONLY, 0);
if (fd < 0)
PAM_RETURN(PAM_SUCCESS);
PAM_LOG("Opened %s file", NOLOGIN);
user_pwd = getpwnam(user);
if (user_pwd && user_pwd->pw_uid == 0) {
message.msg_style = PAM_TEXT_INFO;
retval = PAM_SUCCESS;
}
else {
message.msg_style = PAM_ERROR_MSG;
if (!user_pwd)
retval = PAM_USER_UNKNOWN;
else
retval = PAM_AUTH_ERR;
}
if (fstat(fd, &st) < 0)
PAM_RETURN(retval);
message.msg = mtmp = malloc(st.st_size + 1);
if (!message.msg)
PAM_RETURN(retval);
read(fd, mtmp, st.st_size);
mtmp[st.st_size] = '\0';
pmessage = &message;
resp = NULL;
pam_get_item(pamh, PAM_CONV, (const void **)&conv);
conv->conv(1, (const struct pam_message **)&pmessage, &resp,
conv->appdata_ptr);
free(mtmp);
if (resp)
_pam_drop_reply(resp, 1);
PAM_RETURN(retval);
}
PAM_EXTERN int
pam_sm_setcred(pam_handle_t *pamh, int flags, int argc, const char **argv)
{
return PAM_SUCCESS;
}
PAM_MODULE_ENTRY("pam_nologin");

1
lib/libpam/modules/pam_opie/Makefile
View File

@ -30,5 +30,6 @@ SHLIB_NAME= pam_opie.so
SRCS= pam_opie.c
DPADD= ${LIBOPIE}
LDADD= -lopie
MAN= pam_opie.8
.include <bsd.lib.mk>

91
lib/libpam/modules/pam_opie/pam_opie.8 Normal file
View File

@ -0,0 +1,91 @@
.\" Copyright (c) 2001 Mark R V Murray
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" $FreeBSD$
.\"
.Dd July 7, 2001
.Dt PAM_OPIE 8
.Os
.Sh NAME
.Nm pam_opie
.Nd OPIE PAM module
.Sh SYNOPSIS
.Op Ar service-name
.Ar module-type
.Ar control-flag
.Pa pam_opie
.Op Ar options
.Sh DESCRIPTION
The OPIE authentication service module for PAM,
.Nm
provides functionality for only one PAM category:
that of authentication.
In terms of the
.Ar module-type
parameter, this is the
.Dv auth
feature.
It also provides a null function for session management.
.Ss OPIE Authentication Module
The OPIE authentication component
provides functions to verify the identity of a user
.Pq Fn pam_sm_authenticate ,
which obtains the relevant
.Xr opie 4
credentials.
It provides the user with an OPIE challenge,
and verifies that this is correct with
.Xr opiechallenge 3 .
.Pp
The following options may be passed to the authentication module:
.Bl -tag -xwidth ".Cm use_first_pass"
.It Cm debug
.Xr syslog 3
debugging information at
.Dv LOG_DEBUG
level.
.It Cm auth_as_self
This option will require the user
to authenticate themself as the user
given by
.Fn getuid 2 ,
not as the account they are attempting to access.
This is primarily for services like
.Xr su 1 ,
where the user's ability to retype
their own password
might be deemed sufficient.
.El
.Sh FILES
.Bl -tag -xwidth ".Pa /etc/opiekeys" -compact
.It Pa /etc/opiekeys
default OPIE password database.
.El
.Sh SEE ALSO
.Xr passwd 1 ,
.Xr opiechallenge 3 ,
.Xr opie 4 ,
.Xr syslog 3 ,
.Xr pam.conf 5 ,
.Xr pam 8

95
lib/libpam/modules/pam_opie/pam_opie.c
View File

@ -27,77 +27,98 @@
* $FreeBSD$
*/
#include <syslog.h> /* XXX */
#include <sys/types.h>
#include <opie.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <opie.h>
#include <unistd.h>
#define PAM_SM_AUTH
#include <security/pam_modules.h>
#include "pam_mod_misc.h"
enum { PAM_OPT_AUTH_AS_SELF=PAM_OPT_STD_MAX };
static struct opttab other_options[] = {
{ "auth_as_self", PAM_OPT_AUTH_AS_SELF },
{ NULL, 0 }
};
PAM_EXTERN int
pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc,
const char **argv)
pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv)
{
int retval;
const char *user;
const char *response;
struct opie opie;
struct options options;
struct passwd *pwd;
int retval, i;
char *(promptstr[]) = { "%s\nPassword: ", "%s\nPassword [echo on]: "};
char challenge[OPIE_CHALLENGE_MAX];
char prompt[OPIE_CHALLENGE_MAX+22];
char resp_buf[OPIE_SECRET_MAX];
int options;
int i;
char resp[OPIE_SECRET_MAX];
const char *user;
const char *response;
pam_std_option(&options, other_options, argc, argv);
PAM_LOG("Options processed");
user = NULL;
options = 0;
for (i = 0; i < argc; i++)
pam_std_option(&options, argv[i]);
/*
* It doesn't make sense to use a password that has already been
* typed in, since we haven't presented the challenge to the user
* yet.
*/
options &= ~(PAM_OPT_USE_FIRST_PASS | PAM_OPT_TRY_FIRST_PASS);
if ((retval = pam_get_user(pamh, (const char **)&user, NULL))
!= PAM_SUCCESS)
return retval;
if (pam_test_option(&options, PAM_OPT_USE_FIRST_PASS, NULL) ||
pam_test_option(&options, PAM_OPT_TRY_FIRST_PASS, NULL))
PAM_RETURN(PAM_AUTH_ERR);
user = NULL;
if (pam_test_option(&options, PAM_OPT_AUTH_AS_SELF, NULL)) {
pwd = getpwuid(getuid());
user = pwd->pw_name;
}
else {
retval = pam_get_user(pamh, (const char **)&user, NULL);
if (retval != PAM_SUCCESS)
PAM_RETURN(retval);
}
PAM_LOG("Got user: %s", user);
/*
* Don't call the OPIE atexit() handler when our program exits,
* since the module has been unloaded and we will SEGV.
*/
opiedisableaeh();
if (opiechallenge(&opie, (char *)user, challenge) != 0)
return PAM_AUTH_ERR;
snprintf(prompt, sizeof prompt, "%s\nPassword: ", challenge);
if ((retval = pam_get_pass(pamh, &response, prompt, options)) !=
PAM_SUCCESS) {
opieunlock();
return retval;
}
if (response[0] == '\0' && !(options & PAM_OPT_ECHO_PASS)) {
options |= PAM_OPT_ECHO_PASS;
snprintf(prompt, sizeof prompt,
"%s\nPassword [echo on]: ", challenge);
if ((retval = pam_get_pass(pamh, &response, prompt,
options)) != PAM_SUCCESS) {
opiechallenge(&opie, (char *)user, challenge);
for (i = 0; i < 2; i++) {
snprintf(prompt, sizeof prompt, promptstr[i], challenge);
retval = pam_get_pass(pamh, &response, prompt, &options);
if (retval != PAM_SUCCESS) {
opieunlock();
return retval;
PAM_RETURN(retval);
}
PAM_LOG("Completed challenge %d: %s", i, response);
if (response[0] != '\0')
break;
/* Second time round, echo the password */
pam_set_option(&options, PAM_OPT_ECHO_PASS);
}
/* We have to copy the response, because opieverify mucks with it. */
snprintf(resp_buf, sizeof resp_buf, "%s", response);
snprintf(resp, sizeof resp, "%s", response);
/*
* Opieverify is supposed to return -1 only if an error occurs.
* But it returns -1 even if the response string isn't in the form
* it expects. Thus we can't log an error and can only check for
* success or lack thereof.
*/
return opieverify(&opie, resp_buf) == 0 ? PAM_SUCCESS : PAM_AUTH_ERR;
PAM_RETURN(opieverify(&opie, resp) == 0 ? PAM_SUCCESS : PAM_AUTH_ERR);
}
PAM_EXTERN int

3
lib/libpam/modules/pam_permit/Makefile
View File

@ -27,7 +27,6 @@
LIB= pam_permit
SHLIB_NAME= pam_permit.so
SRCS= pam_permit.c
MAN= pam_permit.8
.include <bsd.lib.mk>
.PATH: ${PAMDIR}/modules/pam_permit

74
lib/libpam/modules/pam_permit/pam_permit.8 Normal file
View File

@ -0,0 +1,74 @@
.\" Copyright (c) 2001 Mark R V Murray
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" $FreeBSD$
.\"
.Dd July 7, 2001
.Dt PAM_PERMIT 8
.Os
.Sh NAME
.Nm pam_permit
.Nd Promiscuous PAM module
.Sh SYNOPSIS
.Op Ar service-name
.Ar module-type
.Ar control-flag
.Pa pam_permit
.Op Ar options
.Sh DESCRIPTION
The Promiscuous authentication service module for PAM,
.Nm
provides functionality for all the PAM categories:
authentication,
account management,
session management and
password management.
In terms of the
.Ar module-type
parameter, these are the
.Dv auth ,
.Dv account ,
.Dv session
and
.Dv password
features.
.Pp
The Promiscuous module
will universally allow all requests.
It is primarily of use during testing,
and to silence
.Dq noisy
PAM-enabled applications.
.Pp
The following options may be passed to the module:
.Bl -tag -xwidth ".Cm use_first_pass"
.It Cm debug
.Xr syslog 3
debugging information at
.Dv LOG_DEBUG
level.
.Sh SEE ALSO
.Xr syslog 3 ,
.Xr pam.conf 5 ,
.Xr pam 8

126
lib/libpam/modules/pam_permit/pam_permit.c Normal file
View File

@ -0,0 +1,126 @@
/*-
* Copyright 2001 Mark R V Murray
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* $FreeBSD$
*/
#define PAM_SM_AUTH
#define PAM_SM_ACCOUNT
#define PAM_SM_SESSION
#define PAM_SM_PASSWORD
#include <security/pam_modules.h>
#include <security/_pam_macros.h>
#include "pam_mod_misc.h"
#define NOBODY "nobody"
PAM_EXTERN int
pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv)
{
struct options options;
int retval;
const char *user;
pam_std_option(&options, NULL, argc, argv);
PAM_LOG("Options processed");
/* We always need to know who the user is */
user = NULL;
retval = pam_get_user(pamh, &user, NULL);
if (retval != PAM_SUCCESS)
PAM_RETURN(retval);
PAM_LOG("Got user: %s", user);
if (user == NULL || *user == '\0')
pam_set_item(pamh, PAM_USER, (const void *)NOBODY);
user = NULL;
PAM_RETURN(PAM_SUCCESS);
}
PAM_EXTERN int
pam_sm_setcred(pam_handle_t *pamh, int flags, int argc, const char **argv)
{
struct options options;
pam_std_option(&options, NULL, argc, argv);
PAM_LOG("Options processed");
PAM_RETURN(PAM_SUCCESS);
}
PAM_EXTERN int
pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, int argc ,const char **argv)
{
struct options options;
pam_std_option(&options, NULL, argc, argv);
PAM_LOG("Options processed");
PAM_RETURN(PAM_SUCCESS);
}
PAM_EXTERN int
pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, const char **argv)
{
struct options options;
pam_std_option(&options, NULL, argc, argv);
PAM_LOG("Options processed");
PAM_RETURN(PAM_SUCCESS);
}
PAM_EXTERN int
pam_sm_open_session(pam_handle_t *pamh, int flags, int argc, const char **argv)
{
struct options options;
pam_std_option(&options, NULL, argc, argv);
PAM_LOG("Options processed");
PAM_RETURN(PAM_SUCCESS);
}
PAM_EXTERN int
pam_sm_close_session(pam_handle_t *pamh, int flags, int argc, const char **argv)
{
struct options options;
pam_std_option(&options, NULL, argc, argv);
PAM_LOG("Options processed");
PAM_RETURN(PAM_SUCCESS);
}
PAM_MODULE_ENTRY("pam_permit");

11
lib/libpam/modules/pam_radius/pam_radius.8
View File

@ -45,12 +45,11 @@
.Nm pam_radius
.Nd RADIUS authentication PAM module
.Sh SYNOPSIS
.Nm pam_radius.so
.Op Cm use_first_pass
.Op Cm try_first_pass
.Op Cm echo_pass
.Op Cm conf Ns No = Ns Ar pathname
.Op Cm template_user Ns No = Ns Ar username
.Op Ar service-name
.Ar module-type
.Ar control-flag
.Pa pam_radius
.Op Ar options
.Sh DESCRIPTION
The
.Nm

109
lib/libpam/modules/pam_radius/pam_radius.c
View File

@ -39,12 +39,16 @@
#include "pam_mod_misc.h"
#define MAX_CHALLENGE_MSGS 10
#define PASSWORD_PROMPT "RADIUS password:"
enum { PAM_OPT_CONF=PAM_OPT_STD_MAX, PAM_OPT_TEMPLATE_USER };
/* Option names, including the "=" sign. */
#define OPT_CONF "conf="
#define OPT_TMPL "template_user="
static struct opttab other_options[] = {
{ "conf", PAM_OPT_CONF },
{ "template_user", PAM_OPT_TEMPLATE_USER },
{ NULL, 0 }
};
#define MAX_CHALLENGE_MSGS 10
#define PASSWORD_PROMPT "RADIUS password:"
static int build_access_request(struct rad_handle *, const char *,
const char *, const void *, size_t);
@ -194,48 +198,59 @@ do_challenge(pam_handle_t *pamh, struct rad_handle *radh, const char *user)
}
PAM_EXTERN int
pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc,
const char **argv)
pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv)
{
struct options options;
struct rad_handle *radh;
const char *user;
const char *pass;
const char *conf_file = NULL;
const char *template_user = NULL;
int options = 0;
const char *user, *tmpuser, *pass;
char *conf_file, *template_user;
int retval;
int i;
int e;
for (i = 0; i < argc; i++) {
size_t len;
pam_std_option(&options, other_options, argc, argv);
pam_std_option(&options, argv[i]);
if (strncmp(argv[i], OPT_CONF, (len = strlen(OPT_CONF))) == 0)
conf_file = argv[i] + len;
else if (strncmp(argv[i], OPT_TMPL,
(len = strlen(OPT_TMPL))) == 0)
template_user = argv[i] + len;
}
if ((retval = pam_get_user(pamh, &user, NULL)) != PAM_SUCCESS)
return retval;
if ((retval = pam_get_pass(pamh, &pass, PASSWORD_PROMPT,
options)) != PAM_SUCCESS)
return retval;
PAM_LOG("Options processed");
if ((radh = rad_open()) == NULL) {
conf_file = NULL;
pam_test_option(&options, PAM_OPT_CONF, &conf_file);
template_user = NULL;
pam_test_option(&options, PAM_OPT_TEMPLATE_USER, &template_user);
retval = pam_get_user(pamh, &user, NULL);
if (retval != PAM_SUCCESS)
PAM_RETURN(retval);
PAM_LOG("Got user: %s", user);
retval = pam_get_pass(pamh, &pass, PASSWORD_PROMPT, &options);
if (retval != PAM_SUCCESS)
PAM_RETURN(retval);
PAM_LOG("Got password");
radh = rad_open();
if (radh == NULL) {
syslog(LOG_CRIT, "rad_open failed");
return PAM_SERVICE_ERR;
PAM_RETURN(PAM_SERVICE_ERR);
}
PAM_LOG("Radius opened");
if (rad_config(radh, conf_file) == -1) {
syslog(LOG_ALERT, "rad_config: %s", rad_strerror(radh));
rad_close(radh);
return PAM_SERVICE_ERR;
PAM_RETURN(PAM_SERVICE_ERR);
}
PAM_LOG("Radius config file read");
if (build_access_request(radh, user, pass, NULL, 0) == -1) {
rad_close(radh);
return PAM_SERVICE_ERR;
PAM_RETURN(PAM_SERVICE_ERR);
}
PAM_LOG("Radius build access done");
for ( ; ; ) {
switch (rad_send_request(radh)) {
@ -243,10 +258,11 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc,
e = do_accept(pamh, radh);
rad_close(radh);
if (e == -1)
return PAM_SERVICE_ERR;
PAM_RETURN(PAM_SERVICE_ERR);
if (template_user != NULL) {
const void *item;
const char *user;
PAM_LOG("Trying template user: %s",
template_user);
/*
* If the given user name doesn't exist in
@ -254,25 +270,28 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc,
* to the value given in the "template_user"
* option.
*/
retval = pam_get_item(pamh, PAM_USER, &item);
retval = pam_get_item(pamh, PAM_USER,
(void *)&tmpuser);
if (retval != PAM_SUCCESS)
return retval;
user = (const char *)item;
if (getpwnam(user) == NULL)
PAM_RETURN(retval);
if (getpwnam(tmpuser) == NULL) {
pam_set_item(pamh, PAM_USER,
template_user);
PAM_LOG("Using template user");
}
}
return PAM_SUCCESS;
PAM_RETURN(PAM_SUCCESS);
case RAD_ACCESS_REJECT:
rad_close(radh);
return PAM_AUTH_ERR;
PAM_RETURN(PAM_AUTH_ERR);
case RAD_ACCESS_CHALLENGE:
if ((retval = do_challenge(pamh, radh, user)) !=
PAM_SUCCESS) {
retval = do_challenge(pamh, radh, user);
if (retval != PAM_SUCCESS) {
rad_close(radh);
return retval;
PAM_RETURN(retval);
}
break;
@ -280,13 +299,13 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc,
syslog(LOG_CRIT, "rad_send_request: %s",
rad_strerror(radh));
rad_close(radh);
return PAM_AUTHINFO_UNAVAIL;
PAM_RETURN(PAM_AUTHINFO_UNAVAIL);
default:
syslog(LOG_CRIT,
"rad_send_request: unexpected return value");
rad_close(radh);
return PAM_SERVICE_ERR;
PAM_RETURN(PAM_SERVICE_ERR);
}
}
}

3
lib/libpam/modules/pam_rootok/Makefile
View File

@ -27,7 +27,6 @@
LIB= pam_rootok
SHLIB_NAME= pam_rootok.so
SRCS= pam_rootok.c
MAN= pam_rootok.8
.include <bsd.lib.mk>
.PATH: ${PAMDIR}/modules/pam_rootok

70
lib/libpam/modules/pam_rootok/pam_rootok.8 Normal file
View File

@ -0,0 +1,70 @@
.\" Copyright (c) 2001 Mark R V Murray
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" $FreeBSD$
.\"
.Dd July 8, 2001
.Dt PAM_ROOTOK 8
.Os
.Sh NAME
.Nm pam_rootok
.Nd RootOK PAM module
.Sh SYNOPSIS
.Op Ar service-name
.Ar module-type
.Ar control-flag
.Pa pam_rootok
.Op Ar options
.Sh DESCRIPTION
The RootOK authentication service module for PAM,
.Nm
provides functionality for only one PAM category:
authentication.
In terms of the
.Ar module-type
parameter, this is the
.Dv auth
feature.
It also provides a null function for session management.
.Ss RootOK Authentication Module
The RootOK authentication component
.Pq Fn pam_sm_authenticate ,
always returns success for the superuser;
.Em ie,
if
.Xr getuid 2
returns 0.
.Pp
The following options may be passed to the authentication module:
.Bl -tag -xwidth ".Cm use_first_pass"
.It Cm debug
.Xr syslog 3
debugging information at
.Dv LOG_DEBUG
level.
.El
.Sh SEE ALSO
.Xr getuid 2 ,
.Xr pam.conf 5 ,
.Xr pam 8

64
lib/libpam/modules/pam_rootok/pam_rootok.c Normal file
View File

@ -0,0 +1,64 @@
/*-
* Copyright (c) 2001 Mark R V Murray
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* $FreeBSD$
*/
#define _BSD_SOURCE
#include <unistd.h>
#include <syslog.h>
#define PAM_SM_AUTH
#include <security/pam_modules.h>
#include <pam_mod_misc.h>
PAM_EXTERN int
pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv)
{
struct options options;
uid_t uid;
pam_std_option(&options, NULL, argc, argv);
PAM_LOG("Options processed");
uid = getuid();
if (uid == 0)
PAM_RETURN(PAM_SUCCESS);
PAM_LOG("User is not root");
PAM_RETURN(PAM_AUTH_ERR);
}
PAM_EXTERN int
pam_sm_setcred(pam_handle_t *pamh, int flags, int argc, const char **argv)
{
return PAM_SUCCESS;
}
PAM_MODULE_ENTRY("pam_rootok");

1
lib/libpam/modules/pam_securetty/Makefile
View File

@ -27,5 +27,6 @@
LIB= pam_securetty
SHLIB_NAME= pam_securetty.so
SRCS= pam_securetty.c
MAN= pam_securetty.8
.include <bsd.lib.mk>

82
lib/libpam/modules/pam_securetty/pam_securetty.8 Normal file
View File

@ -0,0 +1,82 @@
.\" Copyright (c) 2001 Mark R V Murray
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" $FreeBSD$
.\"
.Dd July 8, 2001
.Dt PAM_SECURETTY 8
.Os
.Sh NAME
.Nm pam_securetty
.Nd SecureTTY PAM module
.Sh SYNOPSIS
.Op Ar service-name
.Ar module-type
.Ar control-flag
.Pa pam_securetty
.Op Ar options
.Sh DESCRIPTION
The SecureTTY authentication service module for PAM,
.Nm
provides functionality for only one PAM category:
authentication.
In terms of the
.Ar module-type
parameter, this is the
.Dv auth
feature.
It also provides a null function for session management.
.Ss SecureTTY Authentication Module
The SecureTTY authentication component
.Pq Fn pam_sm_authenticate ,
returns success if the user is attempting to authenticate as superuser,
and the process is attached to a secure TTY.
Alternatively,
if the user is not authenticating as superuser,
the module always returns success.
.Pp
A TTY is defined as secure if its entry is fetchable from
.Pa /etc/ttys
by
.Xr getttynam 3
(see
.Xr ttys 5 ) ,
and the entry (a struct ttyent) has the
.Dv TTY_SECURE
flag set.
.Pp
The following options may be passed to the authentication module:
.Bl -tag -xwidth ".Cm use_first_pass"
.It Cm debug
.Xr syslog 3
debugging information at
.Dv LOG_DEBUG
level.
.El
.Sh SEE ALSO
.Xr getttyynam 3 ,
.Xr syslog 3 ,
.Xr ttys 5 ,
.Xr pam.conf 5 ,
.Xr pam 8

43
lib/libpam/modules/pam_securetty/pam_securetty.c
View File

@ -41,42 +41,51 @@
PAM_EXTERN int
pam_sm_authenticate(pam_handle_t * pamh, int flags, int argc, const char **argv)
{
struct ttyent *ttyfileinfo;
struct passwd *user_pwd;
int i, options, retval;
const char *username, *ttyname;
struct options options;
struct ttyent *ttyfileinfo;
struct passwd *user_pwd;
int retval;
const char *user, *ttyname;
options = 0;
for (i = 0; i < argc; i++)
pam_std_option(&options, argv[i]);
pam_std_option(&options, NULL, argc, argv);
retval = pam_get_user(pamh, &username, NULL);
PAM_LOG("Options processed");
retval = pam_get_user(pamh, &user, NULL);
if (retval != PAM_SUCCESS)
return retval;
PAM_RETURN(retval);
PAM_LOG("Got user: %s", user);
retval = pam_get_item(pamh, PAM_TTY, (const void **)&ttyname);
if (retval != PAM_SUCCESS)
return retval;
PAM_RETURN(retval);
PAM_LOG("Got TTY: %s", ttyname);
/* Ignore any "/dev/" on the PAM_TTY item */
if (strncmp(TTY_PREFIX, ttyname, sizeof(TTY_PREFIX) - 1) == 0)
ttyname += sizeof(TTY_PREFIX) - 1;
/* If the user is not root, secure ttys do not apply */
user_pwd = getpwnam(username);
user_pwd = getpwnam(user);
if (user_pwd == NULL)
return PAM_IGNORE;
PAM_RETURN(PAM_IGNORE);
else if (user_pwd->pw_uid != 0)
return PAM_SUCCESS;
PAM_RETURN(PAM_SUCCESS);
PAM_LOG("User is not root");
ttyfileinfo = getttynam(ttyname);
if (ttyfileinfo == NULL)
return PAM_SERVICE_ERR;
PAM_RETURN(PAM_SERVICE_ERR);
PAM_LOG("Got ttyfileinfo");
if (ttyfileinfo->ty_status & TTY_SECURE)
return PAM_SUCCESS;
PAM_RETURN(PAM_SUCCESS);
else
return PAM_PERM_DENIED;
PAM_RETURN(PAM_PERM_DENIED);
}
PAM_EXTERN
@ -86,6 +95,4 @@ pam_sm_setcred(pam_handle_t * pamh, int flags, int argc, const char **argv)
return PAM_SUCCESS;
}
/* end of module definition */
PAM_MODULE_ENTRY("pam_securetty");

148
lib/libpam/modules/pam_ssh/pam_ssh.8 Normal file
View File

@ -0,0 +1,148 @@
.\" Copyright (c) 2001 Mark R V Murray
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" $FreeBSD$
.\"
.Dd July 7, 2001
.Dt PAM_UNIX 8
.Os
.Sh NAME
.Nm pam_unix
.Nd UNIX PAM module
.Sh SYNOPSIS
.Op Ar service-name
.Ar module-type
.Ar control-flag
.Pa pam_unix
.Op Ar options
.Sh DESCRIPTION
The
.Ux
authentication service module for PAM,
.Nm
provides functionality for two PAM categories:
authentication
and account management.
In terms of the
.Ar module-type
parameter, they are the
.Dv auth
and
.Dv account
features.
It also provides a null function for session management.
.Ss Ux Authentication Module
The
.Ux
authentication component
provides functions to verify the identity of a user
.Pq Fn pam_sm_authenticate ,
which obtains the relevant
.Xr passwd 5
entry.
It prompts the user for a password
and verifies that this is correct with
.Xr crypt 3 .
.Pp
The following options may be passed to the authentication module:
.Bl -tag -xwidth ".Cm use_first_pass"
.It Cm debug
.Xr syslog 3
debugging information at
.Dv LOG_DEBUG
level.
.It Cm use_first_pass
If the authentication module
is not the first in the stack,
and a previous module
obtained the user's password,
that password is used
to authenticate the user.
If this fails,
the authentication module returns failure
without prompting the user for a password.
This option has no effect
if the authentication module
is the first in the stack,
or if no previous modules
obtained the user's password.
.It Cm try_first_pass
This option is similar to the
.Cm use_first_pass
option,
except that if the previously obtained password fails,
the user is prompted for another password.
.It Cm auth_as_self
This option will require the user
to authenticate themself as the user
given by
.Fn getuid 2 ,
not as the account they are attempting to access.
This is primarily for services like
.Xr su 1 ,
where the user's ability to retype
their own password
might be deemed sufficient.
.It Cm nullok
If the password database
has no password
for the entity being authenticated,
then this option
will forgo password prompting,
and silently allow authentication to succeed.
.El
.Ss Ux Account Management Module
The
.Ux
account management component
provides a function to perform account management,
.Fn pam_sm_acct_mgmt .
The function verifies
that the authenticated user
is allowed to login to the local user account
by checking the password expiry date.
.Pp
The following options may be passed to the management module:
.Bl -tag -xwidth ".Cm use_first_pass"
.It Cm debug
.Xr syslog 3
debugging information at
.Dv LOG_DEBUG
level.
.El
.Sh FILES
.Bl -tag -xwidth ".Pa /etc/master.passwd" -compact
.It Pa /etc/master.passwd
default
.Ux
password database.
.El
.Sh SEE ALSO
.Xr passwd 1 ,
.Xr getuid 2 ,
.Xr crypt 3 ,
.Xr passwd 5 ,
.Xr syslog 3 ,
.Xr pam.conf 5 ,
.Xr pam 8

1
lib/libpam/modules/pam_tacplus/Makefile
View File

@ -29,5 +29,6 @@ SHLIB_NAME= pam_tacplus.so
SRCS= pam_tacplus.c
DPADD= ${LIBTACPLUS}
LDADD= -ltacplus
MAN= pam_tacplus.8
.include <bsd.lib.mk>

128
lib/libpam/modules/pam_tacplus/pam_tacplus.8 Normal file
View File

@ -0,0 +1,128 @@
.\" Copyright (c) 1999
.\" Andrzej Bialecki <abial@FreeBSD.org>. All rights reserved.
.\"
.\" Copyright (c) 1992, 1993, 1994
.\" The Regents of the University of California. All rights reserved.
.\" All rights reserved.
.\"
.\" This code is derived from software donated to Berkeley by
.\" Jan-Simon Pendry.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\" 3. All advertising materials mentioning features or use of this software
.\" must display the following acknowledgement:
.\" This product includes software developed by the University of
.\" California, Berkeley and its contributors.
.\" 4. Neither the name of the University nor the names of its contributors
.\" may be used to endorse or promote products derived from this software
.\" without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" $FreeBSD$
.\"
.Dd August 2, 1999
.Dt PAM_TACPLUS 8
.Os FreeBSD
.Sh NAME
.Nm pam_tacplus
.Nd TACACS+ authentication PAM module
.Sh SYNOPSIS
.Op Ar service-name
.Ar module-type
.Ar control-flag
.Pa pam_tacplus
.Op Ar options
.Sh DESCRIPTION
The
.Nm
module provides authentication services based
upon the TACACS+ protocol
for the PAM (Pluggable Authentication Module) framework.
.Pp
The
.Nm
module accepts these optional parameters:
.Bl -tag -width Fl
.It Cm use_first_pass
causes
.Nm
to use a previously entered password instead of prompting for a new one.
If no password has been entered then authentication fails.
.It Cm try_first_pass
causes
.Nm
to use a previously entered password, if one is available. If no
password has been entered,
.Nm
prompts for one as usual.
.It Cm echo_pass
causes echoing to be left on if
.Nm
prompts for a password.
.It Cm conf Ns No = Ns Ar pathname
specifies a non-standard location for the TACACS+ client configuration file
(normally located in /etc/tacplus.conf).
.It Cm template_user Ns No = Ns Ar username
specifies a user whose
.Xr passwd 5
entry will be used as a template to create the session environment
if the supplied username doesn't exist in local password database.
The user
will be authenticated with the supplied username and password, but his
credentials to the system will be presented as the ones for
.Ar username ,
i.e., his login class, home directory, resource limits, etc. will be set to ones
defined for
.Ar username .
.Pp
If this option is omitted, and there is no username
in the system databases equal to the supplied one (as determined by call to
.Xr getpwnam 3 ) ,
the authentication will fail.
.El
.Sh FILES
.Bl -tag -width /etc/tacplus.conf -compact
.It Pa /etc/tacplus.conf
The standard TACACS+ client configuration file for
.Nm
.El
.Sh SEE ALSO
.Xr passwd 5 ,
.Xr tacplus.conf 5 ,
.Xr pam 8
.Sh HISTORY
The
.Nm
module first appeared in
.Fx 3.1 .
.Sh AUTHORS
.An -nosplit
The
.Nm
manual page was written by
.An Andrzej Bialecki Aq abial@FreeBSD.org
and adapted to TACACS+ from RADIUS by
.An Mark R V Murray Aq markm@FreeBSD.org .
.Pp
The
.Nm
module was written by
.An John D. Polstra Aq jdp@FreeBSD.org .

124
lib/libpam/modules/pam_tacplus/pam_tacplus.c
View File

@ -40,9 +40,13 @@
#include "pam_mod_misc.h"
/* Option names, including the "=" sign. */
#define OPT_CONF "conf="
#define OPT_TMPL "template_user="
enum { PAM_OPT_CONF=PAM_OPT_STD_MAX, PAM_OPT_TEMPLATE_USER };
static struct opttab other_options[] = {
{ "conf", PAM_OPT_CONF },
{ "template_user", PAM_OPT_TEMPLATE_USER },
{ NULL, 0 }
};
typedef int (*set_func)(struct tac_handle *, const char *);
@ -58,7 +62,8 @@ do_item(pam_handle_t *pamh, struct tac_handle *tach, int item,
int retval;
const void *value;
if ((retval = pam_get_item(pamh, item, &value)) != PAM_SUCCESS)
retval = pam_get_item(pamh, item, &value);
if (retval != PAM_SUCCESS)
return retval;
if (value != NULL && (*func)(tach, (const char *)value) == -1) {
syslog(LOG_CRIT, "%s: %s", funcname, tac_strerror(tach));
@ -73,7 +78,8 @@ get_msg(struct tac_handle *tach)
{
char *msg;
if ((msg = tac_get_msg(tach)) == NULL) {
msg = tac_get_msg(tach);
if (msg == NULL) {
syslog(LOG_CRIT, "tac_get_msg: %s", tac_strerror(tach));
tac_close(tach);
return NULL;
@ -96,48 +102,57 @@ PAM_EXTERN int
pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc,
const char **argv)
{
struct options options;
int retval;
struct tac_handle *tach;
const char *conf_file = NULL;
const char *template_user = NULL;
int options = 0;
int i;
char *conf_file;
char *template_user;
for (i = 0; i < argc; i++) {
size_t len;
pam_std_option(&options, other_options, argc, argv);
pam_std_option(&options, argv[i]);
if (strncmp(argv[i], OPT_CONF, (len = strlen(OPT_CONF))) == 0)
conf_file = argv[i] + len;
else if (strncmp(argv[i], OPT_TMPL,
(len = strlen(OPT_TMPL))) == 0)
template_user = argv[i] + len;
}
PAM_LOG("Options processed");
if ((tach = tac_open()) == NULL) {
conf_file = NULL;
pam_test_option(&options, PAM_OPT_CONF, &conf_file);
template_user = NULL;
pam_test_option(&options, PAM_OPT_TEMPLATE_USER, &template_user);
tach = tac_open();
if (tach == NULL) {
syslog(LOG_CRIT, "tac_open failed");
return PAM_SERVICE_ERR;
PAM_RETURN(PAM_SERVICE_ERR);
}
if (tac_config(tach, conf_file) == -1) {
syslog(LOG_ALERT, "tac_config: %s", tac_strerror(tach));
tac_close(tach);
return PAM_SERVICE_ERR;
PAM_RETURN(PAM_SERVICE_ERR);
}
if (tac_create_authen(tach, TAC_AUTHEN_LOGIN, TAC_AUTHEN_TYPE_ASCII,
TAC_AUTHEN_SVC_LOGIN) == -1) {
syslog(LOG_CRIT, "tac_create_authen: %s", tac_strerror(tach));
tac_close(tach);
return PAM_SERVICE_ERR;
PAM_RETURN(PAM_SERVICE_ERR);
}
if ((retval = do_item(pamh, tach, PAM_USER,
tac_set_user, "tac_set_user")) != PAM_SUCCESS)
return retval;
if ((retval = do_item(pamh, tach, PAM_TTY,
tac_set_port, "tac_set_port")) != PAM_SUCCESS)
return retval;
if ((retval = do_item(pamh, tach, PAM_RHOST,
tac_set_rem_addr, "tac_set_rem_addr")) != PAM_SUCCESS)
return retval;
PAM_LOG("Done tac_open() ... tac_close()");
retval = do_item(pamh, tach, PAM_USER, tac_set_user, "tac_set_user");
if (retval != PAM_SUCCESS)
PAM_RETURN(retval);
PAM_LOG("Done user");
retval = do_item(pamh, tach, PAM_TTY, tac_set_port, "tac_set_port");
if (retval != PAM_SUCCESS)
PAM_RETURN(retval);
PAM_LOG("Done tty");
retval = do_item(pamh, tach, PAM_RHOST, tac_set_rem_addr,
"tac_set_rem_addr");
if (retval != PAM_SUCCESS)
PAM_RETURN(retval);
for ( ; ; ) {
char *srvr_msg;
size_t msg_len;
@ -145,16 +160,17 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc,
char *data_msg;
int sflags;
int status;
int echo;
if ((sflags = tac_send_authen(tach)) == -1) {
sflags = tac_send_authen(tach);
if (sflags == -1) {
syslog(LOG_CRIT, "tac_send_authen: %s",
tac_strerror(tach));
tac_close(tach);
return PAM_AUTHINFO_UNAVAIL;
PAM_RETURN(PAM_AUTHINFO_UNAVAIL);
}
status = TAC_AUTHEN_STATUS(sflags);
echo = TAC_AUTHEN_NOECHO(sflags) ? 0 : PAM_OPT_ECHO_PASS;
if (!TAC_AUTHEN_NOECHO(sflags))
pam_set_option(&options, PAM_OPT_ECHO_PASS);
switch (status) {
case TAC_AUTHEN_STATUS_PASS:
@ -163,6 +179,9 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc,
const void *item;
const char *user;
PAM_LOG("Trying template user: %s",
template_user);
/*
* If the given user name doesn't exist in
* the local password database, change it
@ -171,58 +190,60 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc,
*/
retval = pam_get_item(pamh, PAM_USER, &item);
if (retval != PAM_SUCCESS)
return retval;
PAM_RETURN(retval);
user = (const char *)item;
if (getpwnam(user) == NULL)
if (getpwnam(user) == NULL) {
pam_set_item(pamh, PAM_USER,
template_user);
PAM_LOG("Using template user");
}
}
return PAM_SUCCESS;
PAM_RETURN(PAM_SUCCESS);
case TAC_AUTHEN_STATUS_FAIL:
tac_close(tach);
return PAM_AUTH_ERR;
PAM_RETURN(PAM_AUTH_ERR);
case TAC_AUTHEN_STATUS_GETUSER:
case TAC_AUTHEN_STATUS_GETPASS:
if ((srvr_msg = get_msg(tach)) == NULL)
return PAM_SERVICE_ERR;
PAM_RETURN(PAM_SERVICE_ERR);
if (status == TAC_AUTHEN_STATUS_GETUSER)
retval = pam_get_user(pamh, &user_msg,
srvr_msg[0] != '\0' ? srvr_msg : NULL);
else if (status == TAC_AUTHEN_STATUS_GETPASS)
retval = pam_get_pass(pamh, &user_msg,
srvr_msg[0] != '\0' ? srvr_msg :
"Password:", options | echo);
"Password:", &options);
free(srvr_msg);
if (retval != PAM_SUCCESS) {
/* XXX - send a TACACS+ abort packet */
tac_close(tach);
return retval;
PAM_RETURN(retval);
}
if (set_msg(tach, user_msg) == -1)
return PAM_SERVICE_ERR;
PAM_RETURN(PAM_SERVICE_ERR);
break;
case TAC_AUTHEN_STATUS_GETDATA:
if ((srvr_msg = get_msg(tach)) == NULL)
return PAM_SERVICE_ERR;
PAM_RETURN(PAM_SERVICE_ERR);
retval = pam_prompt(pamh,
(options|echo) & PAM_OPT_ECHO_PASS ?
PAM_PROMPT_ECHO_ON : PAM_PROMPT_ECHO_OFF,
pam_test_option(&options, PAM_OPT_ECHO_PASS, NULL)
? PAM_PROMPT_ECHO_ON : PAM_PROMPT_ECHO_OFF,
srvr_msg[0] != '\0' ? srvr_msg : "Data:",
&data_msg);
free(srvr_msg);
if (retval != PAM_SUCCESS) {
/* XXX - send a TACACS+ abort packet */
tac_close(tach);
return retval;
PAM_RETURN(retval);
}
retval = set_msg(tach, data_msg);
memset(data_msg, 0, strlen(data_msg));
free(data_msg);
if (retval == -1)
return PAM_SERVICE_ERR;
PAM_RETURN(PAM_SERVICE_ERR);
break;
case TAC_AUTHEN_STATUS_ERROR:
@ -231,11 +252,12 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc,
syslog(LOG_CRIT, "tac_send_authen:"
" server detected error: %s", srvr_msg);
free(srvr_msg);
} else
}
else
syslog(LOG_CRIT,
"tac_send_authen: server detected error");
tac_close(tach);
return PAM_AUTHINFO_UNAVAIL;
PAM_RETURN(PAM_AUTHINFO_UNAVAIL);
break;
case TAC_AUTHEN_STATUS_RESTART:
@ -244,7 +266,7 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc,
syslog(LOG_CRIT,
"tac_send_authen: unexpected status %#x", status);
tac_close(tach);
return PAM_AUTHINFO_UNAVAIL;
PAM_RETURN(PAM_AUTHINFO_UNAVAIL);
}
}
}

1
lib/libpam/modules/pam_unix/Makefile
View File

@ -29,5 +29,6 @@ SHLIB_NAME= pam_unix.so
SRCS= pam_unix.c
DPADD= ${LIBUTIL} ${LIBCRYPT}
LDADD= -lutil -lcrypt
MAN= pam_unix.8
.include <bsd.lib.mk>

148
lib/libpam/modules/pam_unix/pam_unix.8 Normal file
View File

@ -0,0 +1,148 @@
.\" Copyright (c) 2001 Mark R V Murray
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" $FreeBSD$
.\"
.Dd July 7, 2001
.Dt PAM_UNIX 8
.Os
.Sh NAME
.Nm pam_unix
.Nd UNIX PAM module
.Sh SYNOPSIS
.Op Ar service-name
.Ar module-type
.Ar control-flag
.Pa pam_unix
.Op Ar options
.Sh DESCRIPTION
The
.Ux
authentication service module for PAM,
.Nm
provides functionality for two PAM categories:
authentication
and account management.
In terms of the
.Ar module-type
parameter, they are the
.Dv auth
and
.Dv account
features.
It also provides a null function for session management.
.Ss Ux Authentication Module
The
.Ux
authentication component
provides functions to verify the identity of a user
.Pq Fn pam_sm_authenticate ,
which obtains the relevant
.Xr passwd 5
entry.
It prompts the user for a password
and verifies that this is correct with
.Xr crypt 3 .
.Pp
The following options may be passed to the authentication module:
.Bl -tag -xwidth ".Cm use_first_pass"
.It Cm debug
.Xr syslog 3
debugging information at
.Dv LOG_DEBUG
level.
.It Cm use_first_pass
If the authentication module
is not the first in the stack,
and a previous module
obtained the user's password,
that password is used
to authenticate the user.
If this fails,
the authentication module returns failure
without prompting the user for a password.
This option has no effect
if the authentication module
is the first in the stack,
or if no previous modules
obtained the user's password.
.It Cm try_first_pass
This option is similar to the
.Cm use_first_pass
option,
except that if the previously obtained password fails,
the user is prompted for another password.
.It Cm auth_as_self
This option will require the user
to authenticate themself as the user
given by
.Fn getuid 2 ,
not as the account they are attempting to access.
This is primarily for services like
.Xr su 1 ,
where the user's ability to retype
their own password
might be deemed sufficient.
.It Cm nullok
If the password database
has no password
for the entity being authenticated,
then this option
will forgo password prompting,
and silently allow authentication to succeed.
.El
.Ss Ux Account Management Module
The
.Ux
account management component
provides a function to perform account management,
.Fn pam_sm_acct_mgmt .
The function verifies
that the authenticated user
is allowed to login to the local user account
by checking the password expiry date.
.Pp
The following options may be passed to the management module:
.Bl -tag -xwidth ".Cm use_first_pass"
.It Cm debug
.Xr syslog 3
debugging information at
.Dv LOG_DEBUG
level.
.El
.Sh FILES
.Bl -tag -xwidth ".Pa /etc/master.passwd" -compact
.It Pa /etc/master.passwd
default
.Ux
password database.
.El
.Sh SEE ALSO
.Xr passwd 1 ,
.Xr getuid 2 ,
.Xr crypt 3 ,
.Xr passwd 5 ,
.Xr syslog 3 ,
.Xr pam.conf 5 ,
.Xr pam 8

106
lib/libpam/modules/pam_unix/pam_unix.c
View File

@ -42,64 +42,96 @@
#include "pam_mod_misc.h"
#define PASSWORD_PROMPT "Password:"
#define DEFAULT_WARN (2L * 7L * 86400L) /* Two weeks */
enum { PAM_OPT_AUTH_AS_SELF=PAM_OPT_STD_MAX, PAM_OPT_NULLOK };
static struct opttab other_options[] = {
{ "auth_as_self", PAM_OPT_AUTH_AS_SELF },
{ "nullok", PAM_OPT_NULLOK },
{ NULL, 0 }
};
/*
* authentication management
*/
PAM_EXTERN int
pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc,
const char **argv)
pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv)
{
int retval;
const char *user;
const char *password;
struct options options;
struct passwd *pwd;
int retval;
const char *password, *user;
char *encrypted;
int options;
int i;
options = 0;
for (i = 0; i < argc; i++)
pam_std_option(&options, argv[i]);
if (options & PAM_OPT_AUTH_AS_SELF)
pam_std_option(&options, other_options, argc, argv);
PAM_LOG("Options processed");
if (pam_test_option(&options, PAM_OPT_AUTH_AS_SELF, NULL))
pwd = getpwuid(getuid());
else {
if ((retval = pam_get_user(pamh, &user, NULL)) != PAM_SUCCESS)
return retval;
retval = pam_get_user(pamh, &user, NULL);
if (retval != PAM_SUCCESS)
PAM_RETURN(retval);
pwd = getpwnam(user);
}
PAM_LOG("Got user: %s", user);
if (pwd != NULL) {
if (pwd->pw_passwd[0] == '\0' && (options & PAM_OPT_NULLOK))
PAM_LOG("Doing real authentication");
if (pwd->pw_passwd[0] == '\0'
&& pam_test_option(&options, PAM_OPT_NULLOK, NULL)) {
/*
* No password case. XXX Are we giving too much away
* by not prompting for a password?
*/
return PAM_SUCCESS;
PAM_LOG("No password, and null password OK");
PAM_RETURN(PAM_SUCCESS);
}
else {
if ((retval = pam_get_pass(pamh, &password,
PASSWORD_PROMPT, options)) != PAM_SUCCESS)
return retval;
retval = pam_get_pass(pamh, &password, PASSWORD_PROMPT,
&options);
if (retval != PAM_SUCCESS)
PAM_RETURN(retval);
PAM_LOG("Got password");
}
encrypted = crypt(password, pwd->pw_passwd);
if (password[0] == '\0' && pwd->pw_passwd[0] != '\0')
encrypted = ":";
PAM_LOG("Encrypted passwords are: %s & %s", encrypted,
pwd->pw_passwd);
retval = strcmp(encrypted, pwd->pw_passwd) == 0 ?
PAM_SUCCESS : PAM_AUTH_ERR;
} else {
}
else {
PAM_LOG("Doing dummy authentication");
/*
* User unknown. Encrypt anyway so that it takes the
* same amount of time.
* User unknown.
* Encrypt a dummy password so as to not give away too much.
*/
retval = pam_get_pass(pamh, &password, PASSWORD_PROMPT,
&options);
if (retval != PAM_SUCCESS)
PAM_RETURN(retval);
PAM_LOG("Got password");
crypt(password, "xx");
retval = PAM_AUTH_ERR;
}
/*
* The PAM infrastructure will obliterate the cleartext
* password before returning to the application.
*/
return retval;
PAM_RETURN(retval);
}
PAM_EXTERN int
@ -114,24 +146,31 @@ pam_sm_setcred(pam_handle_t *pamh, int flags, int argc, const char **argv)
* check pw_change and pw_expire fields
*/
PAM_EXTERN
int pam_sm_acct_mgmt(pam_handle_t *pamh, int flags,
int argc, const char **argv)
int pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, int argc, const char **argv)
{
const char *user;
struct options options;
struct passwd *pw;
struct timeval tp;
login_cap_t *lc;
time_t warntime;
login_cap_t *lc = NULL;
char buf[128];
int retval;
const char *user;
char buf[128];
pam_std_option(&options, other_options, argc, argv);
PAM_LOG("Options processed");
retval = pam_get_item(pamh, PAM_USER, (const void **)&user);
if (retval != PAM_SUCCESS || user == NULL)
/* some implementations return PAM_SUCCESS here */
return PAM_USER_UNKNOWN;
PAM_RETURN(PAM_USER_UNKNOWN);
if ((pw = getpwnam(user)) == NULL)
return PAM_USER_UNKNOWN;
pw = getpwnam(user);
if (pw == NULL)
PAM_RETURN(PAM_USER_UNKNOWN);
PAM_LOG("Got user: %s", user);
retval = PAM_SUCCESS;
lc = login_getpwclass(pw);
@ -139,11 +178,11 @@ int pam_sm_acct_mgmt(pam_handle_t *pamh, int flags,
if (pw->pw_change || pw->pw_expire)
gettimeofday(&tp, NULL);
#define DEFAULT_WARN (2L * 7L * 86400L) /* Two weeks */
warntime = login_getcaptime(lc, "warnpassword", DEFAULT_WARN,
DEFAULT_WARN);
PAM_LOG("Got login_cap");
if (pw->pw_change) {
if (tp.tv_sec >= pw->pw_change)
/* some implementations return PAM_AUTHTOK_EXPIRED */
@ -171,7 +210,8 @@ int pam_sm_acct_mgmt(pam_handle_t *pamh, int flags,
}
login_close(lc);
return retval;
PAM_RETURN(retval);
}
PAM_MODULE_ENTRY("pam_unix");

3
lib/libpam/modules/pam_wheel/Makefile
View File

@ -27,7 +27,6 @@
LIB= pam_wheel
SHLIB_NAME= pam_wheel.so
SRCS= pam_wheel.c
MAN= pam_wheel.8
.include <bsd.lib.mk>
.PATH: ${PAMDIR}/modules/pam_wheel

94
lib/libpam/modules/pam_wheel/pam_wheel.8 Normal file
View File

@ -0,0 +1,94 @@
.\" Copyright (c) 2001 Mark R V Murray
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" $FreeBSD$
.\"
.Dd July 8, 2001
.Dt PAM_WHEEL 8
.Os
.Sh NAME
.Nm pam_wheel
.Nd Wheel PAM module
.Sh SYNOPSIS
.Op Ar service-name
.Ar module-type
.Ar control-flag
.Pa pam_wheel
.Op Ar options
.Sh DESCRIPTION
The Wheel authentication service module for PAM,
.Nm
provides functionality for only one PAM category:
authentication.
In terms of the
.Ar module-type
parameter, this is the
.Dv auth
feature.
It also provides a null function for session management.
.Ss Wheel Authentication Module
The Wheel authentication component
.Pq Fn pam_sm_authenticate ,
permit authentication to members of a group,
which defaults to
.Dv wheel.
.Em ie,
if
.Xr getuid 2
returns 0.
.Pp
The following options may be passed to the authentication module:
.Bl -tag -xwidth ".Cm use_first_pass"
.It Cm debug
.Xr syslog 3
debugging information at
.Dv LOG_DEBUG
level.
.It Cm use_uid
check for wheel membership against
the current uid
.Pq given by Fn getuid .
.It Cm trust
return
.Dv PAM_SUCCESS
instead of
.Dv PAM_IGNORE
if the user is a member of the group (default is
.Dv wheel ).
.It Cm deny
invert the operation
if is a member of the
.Pq default Dv wheel )
group.
.Pq return failure instead of success.
mainly of use with the ``group=foo'' option.
.It Cm group=foo
checking for membership of group ``foo''
instead of the default group
.Dv wheel.
.El
.Sh SEE ALSO
.Xr group 5 ,
.Xr pam.conf 5 ,
.Xr pam 8

145
lib/libpam/modules/pam_wheel/pam_wheel.c Normal file
View File

@ -0,0 +1,145 @@
/*-
* Copyright (c) 2001 Mark R V Murray
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* $FreeBSD$
*/
#define _BSD_SOURCE
#include <stdio.h>
#include <unistd.h>
#include <string.h>
#include <syslog.h>
#include <stdarg.h>
#include <sys/types.h>
#include <pwd.h>
#include <grp.h>
#define PAM_SM_AUTH
#include <security/pam_modules.h>
#include <pam_mod_misc.h>
enum { PAM_OPT_DENY=PAM_OPT_STD_MAX, PAM_OPT_GROUP, PAM_OPT_TRUST,
PAM_OPT_USE_UID };
static struct opttab other_options[] = {
{ "deny", PAM_OPT_DENY },
{ "group", PAM_OPT_GROUP },
{ "trust", PAM_OPT_TRUST },
{ "use_uid", PAM_OPT_USE_UID },
{ NULL, 0 }
};
/* Is member in list? */
static int
in_list(char *const *list, const char *member)
{
for (; *list; list++)
if (strcmp(*list, member) == 0)
return 1;
return 0;
}
PAM_EXTERN int
pam_sm_authenticate(pam_handle_t * pamh, int flags, int argc, const char **argv)
{
struct options options;
struct passwd *pwd, *temppwd;
struct group *grp;
int retval;
const char *user;
char *fromsu, *use_group;
pam_std_option(&options, other_options, argc, argv);
PAM_LOG("Options processed");
retval = pam_get_user(pamh, &user, NULL);
if (retval != PAM_SUCCESS)
PAM_RETURN(retval);
pwd = getpwnam(user);
if (!pwd)
PAM_RETURN(PAM_USER_UNKNOWN);
PAM_LOG("Got user: %s", user);
/* Ignore if already uid 0 */
if (pwd->pw_uid)
PAM_RETURN(PAM_IGNORE);
PAM_LOG("Not superuser");
if (pam_test_option(&options, PAM_OPT_USE_UID, NULL)) {
temppwd = getpwuid(getuid());
if (temppwd == NULL)
PAM_RETURN(PAM_SERVICE_ERR);
fromsu = temppwd->pw_name;
}
else {
fromsu = getlogin();
if (!fromsu)
PAM_RETURN(PAM_SERVICE_ERR);
}
PAM_LOG("Got fromsu: %s", fromsu);
if (!pam_test_option(&options, PAM_OPT_GROUP, &use_group)) {
if ((grp = getgrnam("wheel")) == NULL)
grp = getgrgid(0);
}
else
grp = getgrnam(use_group);
if (grp == NULL || grp->gr_mem == NULL) {
if (pam_test_option(&options, PAM_OPT_DENY, NULL))
PAM_RETURN(PAM_IGNORE);
else
PAM_RETURN(PAM_AUTH_ERR);
}
PAM_LOG("Got group: %s", grp->gr_name);
if (in_list(grp->gr_mem, fromsu)) {
if (pam_test_option(&options, PAM_OPT_DENY, NULL))
PAM_RETURN(PAM_PERM_DENIED);
if (pam_test_option(&options, PAM_OPT_TRUST, NULL))
PAM_RETURN(PAM_SUCCESS);
PAM_RETURN(PAM_IGNORE);
}
if (pam_test_option(&options, PAM_OPT_DENY, NULL))
PAM_RETURN(PAM_SUCCESS);
PAM_RETURN(PAM_PERM_DENIED);
}
PAM_EXTERN int
pam_sm_setcred(pam_handle_t * pamh, int flags, int argc, const char **argv)
{
return PAM_SUCCESS;
}
PAM_MODULE_ENTRY("pam_wheel");