Major cleanup:
- add __unused where appropriate - PAM_RETURN -> return since OpenPAM already logs the return value. - make PAM_LOG use openpam_log() - make PAM_VERBOSE_ERROR use openpam_get_option() and check flags for PAM_SILENT - remove dummy functions since OpenPAM handles missing service functions - fix various warnings Sponsored by: DARPA, NAI Labs
This commit is contained in:
parent
c8688e3e8c
commit
24fe7ba0d9
@ -32,105 +32,31 @@ __FBSDID("$FreeBSD$");
|
||||
#include <stdio.h>
|
||||
#include <stdlib.h>
|
||||
#include <string.h>
|
||||
#include <syslog.h>
|
||||
|
||||
#include <security/pam_appl.h>
|
||||
#include <security/openpam.h>
|
||||
#include <security/pam_mod_misc.h>
|
||||
|
||||
#define FMTBUFSIZ 256
|
||||
|
||||
static char *modulename(const char *);
|
||||
|
||||
/* Log a debug message, including the function name and a
|
||||
* cleaned up filename.
|
||||
*/
|
||||
void
|
||||
_pam_log(struct options *options, const char *file, const char *function,
|
||||
const char *format, ...)
|
||||
{
|
||||
va_list ap;
|
||||
char *fmtbuf, *modname;
|
||||
|
||||
if (pam_test_option(options, PAM_OPT_DEBUG, NULL)) {
|
||||
modname = modulename(file);
|
||||
va_start(ap, format);
|
||||
asprintf(&fmtbuf, "%s: %s: %s", modname, function, format);
|
||||
vsyslog(LOG_DEBUG, fmtbuf, ap);
|
||||
free(fmtbuf);
|
||||
va_end(ap);
|
||||
}
|
||||
}
|
||||
|
||||
/* Log a return value, including the function name and a
|
||||
* cleaned up filename.
|
||||
*/
|
||||
void
|
||||
_pam_log_retval(struct options *options, const char *file, const char *function,
|
||||
int retval)
|
||||
{
|
||||
char *modname;
|
||||
|
||||
if (pam_test_option(options, PAM_OPT_DEBUG, NULL)) {
|
||||
modname = modulename(file);
|
||||
|
||||
switch (retval) {
|
||||
case PAM_SUCCESS:
|
||||
syslog(LOG_DEBUG, "%s: %s: returning PAM_SUCCESS",
|
||||
modname, function);
|
||||
break;
|
||||
case PAM_AUTH_ERR:
|
||||
syslog(LOG_DEBUG, "%s: %s: returning PAM_AUTH_ERR",
|
||||
modname, function);
|
||||
break;
|
||||
case PAM_IGNORE:
|
||||
syslog(LOG_DEBUG, "%s: %s: returning PAM_IGNORE",
|
||||
modname, function);
|
||||
break;
|
||||
case PAM_PERM_DENIED:
|
||||
syslog(LOG_DEBUG, "%s: %s: returning PAM_PERM_DENIED",
|
||||
modname, function);
|
||||
break;
|
||||
default:
|
||||
syslog(LOG_DEBUG, "%s: %s: returning (%d)",
|
||||
modname, function, retval);
|
||||
}
|
||||
|
||||
free(modname);
|
||||
}
|
||||
}
|
||||
|
||||
/* Print a verbose error, including the function name and a
|
||||
* cleaned up filename.
|
||||
*/
|
||||
void
|
||||
_pam_verbose_error(pam_handle_t *pamh, struct options *options,
|
||||
_pam_verbose_error(pam_handle_t *pamh, int flags,
|
||||
const char *file, const char *function, const char *format, ...)
|
||||
{
|
||||
va_list ap;
|
||||
char *statusmsg, *fmtbuf, *modname;
|
||||
char *fmtbuf, *modname, *period;
|
||||
|
||||
if (!pam_test_option(options, PAM_OPT_NO_WARN, NULL)) {
|
||||
modname = modulename(file);
|
||||
if (!(flags & PAM_SILENT) || !openpam_get_option(pamh, "no_warn")) {
|
||||
modname = basename(file);
|
||||
period = strchr(modname, '.');
|
||||
if (period == NULL)
|
||||
period = strchr(modname, '\0');
|
||||
va_start(ap, format);
|
||||
asprintf(&fmtbuf, "%s: %s: %s", modname, function, format);
|
||||
vasprintf(&statusmsg, fmtbuf, ap);
|
||||
pam_error(pamh, "%s", statusmsg);
|
||||
free(statusmsg);
|
||||
asprintf(&fmtbuf, "%.*s: %s: %s", period - modname, modname,
|
||||
function, format);
|
||||
pam_verror(pamh, fmtbuf, ap);
|
||||
free(fmtbuf);
|
||||
va_end(ap);
|
||||
}
|
||||
}
|
||||
|
||||
static char *
|
||||
modulename(const char *file)
|
||||
{
|
||||
char *modname, *period;
|
||||
|
||||
modname = strdup(basename(file));
|
||||
period = strchr(modname, '.');
|
||||
if (period != NULL)
|
||||
*period = '\0';
|
||||
|
||||
return modname;
|
||||
}
|
||||
|
@ -58,22 +58,17 @@ void pam_std_option(struct options *, struct opttab *, int, const char **);
|
||||
int pam_test_option(struct options *, enum opt, char **);
|
||||
void pam_set_option(struct options *, enum opt);
|
||||
void pam_clear_option(struct options *, enum opt);
|
||||
void _pam_log(struct options *, const char *, const char *, const char *, ...);
|
||||
void _pam_log_retval(struct options *, const char *, const char *, int);
|
||||
void _pam_verbose_error(pam_handle_t *, struct options *, const char *,
|
||||
void _pam_verbose_error(pam_handle_t *, int, const char *,
|
||||
const char *, const char *, ...);
|
||||
__END_DECLS
|
||||
|
||||
#define PAM_LOG(args...) \
|
||||
_pam_log(&options, __FILE__, __FUNCTION__, ##args)
|
||||
openpam_log(PAM_LOG_DEBUG, ##args)
|
||||
|
||||
#define PAM_RETURN(arg) \
|
||||
do { \
|
||||
_pam_log_retval(&options, __FILE__, __FUNCTION__, arg); \
|
||||
return arg; \
|
||||
} while (0)
|
||||
return (arg)
|
||||
|
||||
#define PAM_VERBOSE_ERROR(args...) \
|
||||
_pam_verbose_error(pamh, &options, __FILE__, __FUNCTION__, ##args)
|
||||
_pam_verbose_error(pamh, flags, __FILE__, __FUNCTION__, ##args)
|
||||
|
||||
#endif
|
||||
|
@ -36,90 +36,58 @@ __FBSDID("$FreeBSD$");
|
||||
|
||||
#include <security/pam_appl.h>
|
||||
#include <security/pam_modules.h>
|
||||
#include <security/pam_mod_misc.h>
|
||||
|
||||
PAM_EXTERN int
|
||||
pam_sm_authenticate(pam_handle_t *pamh, int flags __unused, int argc, const char **argv)
|
||||
pam_sm_authenticate(pam_handle_t *pamh, int flags __unused,
|
||||
int argc __unused, const char *argv[] __unused)
|
||||
{
|
||||
struct options options;
|
||||
const char *user;
|
||||
int r;
|
||||
|
||||
pam_std_option(&options, NULL, argc, argv);
|
||||
if ((r = pam_get_user(pamh, &user, NULL)) != PAM_SUCCESS)
|
||||
return (r);
|
||||
|
||||
PAM_LOG("Options processed");
|
||||
|
||||
PAM_VERBOSE_ERROR("Unconditional deny");
|
||||
|
||||
PAM_RETURN(PAM_AUTH_ERR);
|
||||
return (PAM_AUTH_ERR);
|
||||
}
|
||||
|
||||
PAM_EXTERN int
|
||||
pam_sm_setcred(pam_handle_t *pamh, int flags __unused, int argc, const char **argv)
|
||||
pam_sm_setcred(pam_handle_t *pamh __unused, int flags __unused,
|
||||
int argc __unused, const char *argv[] __unused)
|
||||
{
|
||||
struct options options;
|
||||
|
||||
pam_std_option(&options, NULL, argc, argv);
|
||||
|
||||
PAM_LOG("Options processed");
|
||||
|
||||
PAM_VERBOSE_ERROR("Unconditional deny");
|
||||
|
||||
PAM_RETURN(PAM_CRED_UNAVAIL);
|
||||
return (PAM_AUTH_ERR);
|
||||
}
|
||||
|
||||
PAM_EXTERN int
|
||||
pam_sm_acct_mgmt(pam_handle_t *pamh, int flags __unused, int argc ,const char **argv)
|
||||
pam_sm_acct_mgmt(pam_handle_t *pamh __unused, int flags __unused,
|
||||
int argc __unused, const char *argv[] __unused)
|
||||
{
|
||||
struct options options;
|
||||
|
||||
pam_std_option(&options, NULL, argc, argv);
|
||||
|
||||
PAM_LOG("Options processed");
|
||||
|
||||
PAM_VERBOSE_ERROR("Unconditional deny");
|
||||
|
||||
PAM_RETURN(PAM_ACCT_EXPIRED);
|
||||
return (PAM_AUTH_ERR);
|
||||
}
|
||||
|
||||
PAM_EXTERN int
|
||||
pam_sm_chauthtok(pam_handle_t *pamh, int flags __unused, int argc, const char **argv)
|
||||
pam_sm_chauthtok(pam_handle_t *pamh __unused, int flags __unused,
|
||||
int argc __unused, const char *argv[] __unused)
|
||||
{
|
||||
struct options options;
|
||||
|
||||
pam_std_option(&options, NULL, argc, argv);
|
||||
|
||||
PAM_LOG("Options processed");
|
||||
|
||||
PAM_VERBOSE_ERROR("Unconditional deny");
|
||||
|
||||
PAM_RETURN(PAM_PERM_DENIED);
|
||||
return (PAM_AUTH_ERR);
|
||||
}
|
||||
|
||||
PAM_EXTERN int
|
||||
pam_sm_open_session(pam_handle_t *pamh, int flags __unused, int argc, const char **argv)
|
||||
pam_sm_open_session(pam_handle_t *pamh __unused, int flags __unused,
|
||||
int argc __unused, const char *argv[] __unused)
|
||||
{
|
||||
struct options options;
|
||||
|
||||
pam_std_option(&options, NULL, argc, argv);
|
||||
|
||||
PAM_LOG("Options processed");
|
||||
|
||||
PAM_VERBOSE_ERROR("Unconditional deny");
|
||||
|
||||
PAM_RETURN(PAM_SESSION_ERR);
|
||||
return (PAM_AUTH_ERR);
|
||||
}
|
||||
|
||||
PAM_EXTERN int
|
||||
pam_sm_close_session(pam_handle_t *pamh, int flags __unused, int argc, const char **argv)
|
||||
pam_sm_close_session(pam_handle_t *pamh __unused, int flags __unused,
|
||||
int argc __unused, const char *argv[] __unused)
|
||||
{
|
||||
struct options options;
|
||||
|
||||
pam_std_option(&options, NULL, argc, argv);
|
||||
|
||||
PAM_LOG("Options processed");
|
||||
|
||||
PAM_VERBOSE_ERROR("Unconditional deny");
|
||||
|
||||
PAM_RETURN(PAM_SESSION_ERR);
|
||||
return (PAM_AUTH_ERR);
|
||||
}
|
||||
|
||||
PAM_MODULE_ENTRY("pam_deny");
|
||||
|
@ -48,9 +48,6 @@ __FBSDID("$FreeBSD$");
|
||||
#include <string.h>
|
||||
|
||||
#define PAM_SM_AUTH
|
||||
#define PAM_SM_ACCOUNT
|
||||
#define PAM_SM_SESSION
|
||||
#define PAM_SM_PASSWORD
|
||||
|
||||
#include <security/pam_appl.h>
|
||||
#include <security/pam_modules.h>
|
||||
@ -75,7 +72,7 @@ static const char *anonusers[] = {"ftp", "anonymous", NULL};
|
||||
* Place username in *userret
|
||||
* Return 1 if listed 0 otherwise
|
||||
*/
|
||||
static int
|
||||
static int
|
||||
lookup(const char *user, char *list, const char **userret)
|
||||
{
|
||||
int anon, i;
|
||||
@ -112,8 +109,9 @@ lookup(const char *user, char *list, const char **userret)
|
||||
* If this is the case, set the PAM_RUSER to the entered email address
|
||||
* and succeed, otherwise fail.
|
||||
*/
|
||||
PAM_EXTERN int
|
||||
pam_sm_authenticate(pam_handle_t * pamh, int flags __unused, int argc, const char **argv)
|
||||
PAM_EXTERN int
|
||||
pam_sm_authenticate(pam_handle_t * pamh, int flags __unused,
|
||||
int argc, const char *argv[])
|
||||
{
|
||||
struct options options;
|
||||
int retval, anon;
|
||||
@ -126,7 +124,7 @@ pam_sm_authenticate(pam_handle_t * pamh, int flags __unused, int argc, const cha
|
||||
|
||||
retval = pam_get_user(pamh, &user, NULL);
|
||||
if (retval != PAM_SUCCESS || user == NULL)
|
||||
PAM_RETURN(PAM_USER_UNKNOWN);
|
||||
return (PAM_USER_UNKNOWN);
|
||||
|
||||
PAM_LOG("Got user: %s", user);
|
||||
|
||||
@ -143,7 +141,7 @@ pam_sm_authenticate(pam_handle_t * pamh, int flags __unused, int argc, const cha
|
||||
if (anon) {
|
||||
retval = pam_set_item(pamh, PAM_USER, (const void *)user);
|
||||
if (retval != PAM_SUCCESS)
|
||||
PAM_RETURN(retval);
|
||||
return (retval);
|
||||
prompt = GUEST_PROMPT;
|
||||
PAM_LOG("Doing anonymous");
|
||||
}
|
||||
@ -154,7 +152,7 @@ pam_sm_authenticate(pam_handle_t * pamh, int flags __unused, int argc, const cha
|
||||
|
||||
retval = pam_prompt(pamh, PAM_PROMPT_ECHO_OFF, &token, "%s", prompt);
|
||||
if (retval != PAM_SUCCESS)
|
||||
PAM_RETURN(PAM_AUTHINFO_UNAVAIL);
|
||||
return (PAM_AUTHINFO_UNAVAIL);
|
||||
|
||||
PAM_LOG("Got password");
|
||||
|
||||
@ -192,67 +190,15 @@ pam_sm_authenticate(pam_handle_t * pamh, int flags __unused, int argc, const cha
|
||||
retval = PAM_AUTH_ERR;
|
||||
}
|
||||
|
||||
PAM_RETURN(retval);
|
||||
}
|
||||
|
||||
PAM_EXTERN int
|
||||
pam_sm_setcred(pam_handle_t * pamh __unused, int flags __unused, int argc, const char **argv)
|
||||
{
|
||||
struct options options;
|
||||
|
||||
pam_std_option(&options, other_options, argc, argv);
|
||||
|
||||
PAM_LOG("Options processed");
|
||||
|
||||
PAM_RETURN(PAM_SUCCESS);
|
||||
return (retval);
|
||||
}
|
||||
|
||||
PAM_EXTERN int
|
||||
pam_sm_acct_mgmt(pam_handle_t *pamh __unused, int flags __unused, int argc ,const char **argv)
|
||||
pam_sm_setcred(pam_handle_t * pamh __unused, int flags __unused,
|
||||
int argc __unused, const char *argv[] __unused)
|
||||
{
|
||||
struct options options;
|
||||
|
||||
pam_std_option(&options, NULL, argc, argv);
|
||||
|
||||
PAM_LOG("Options processed");
|
||||
|
||||
PAM_RETURN(PAM_IGNORE);
|
||||
}
|
||||
|
||||
PAM_EXTERN int
|
||||
pam_sm_chauthtok(pam_handle_t *pamh __unused, int flags __unused, int argc, const char **argv)
|
||||
{
|
||||
struct options options;
|
||||
|
||||
pam_std_option(&options, NULL, argc, argv);
|
||||
|
||||
PAM_LOG("Options processed");
|
||||
|
||||
PAM_RETURN(PAM_IGNORE);
|
||||
}
|
||||
|
||||
PAM_EXTERN int
|
||||
pam_sm_open_session(pam_handle_t *pamh __unused, int flags __unused, int argc, const char **argv)
|
||||
{
|
||||
struct options options;
|
||||
|
||||
pam_std_option(&options, NULL, argc, argv);
|
||||
|
||||
PAM_LOG("Options processed");
|
||||
|
||||
PAM_RETURN(PAM_IGNORE);
|
||||
}
|
||||
|
||||
PAM_EXTERN int
|
||||
pam_sm_close_session(pam_handle_t *pamh __unused, int flags __unused, int argc, const char **argv)
|
||||
{
|
||||
struct options options;
|
||||
|
||||
pam_std_option(&options, NULL, argc, argv);
|
||||
|
||||
PAM_LOG("Options processed");
|
||||
|
||||
PAM_RETURN(PAM_IGNORE);
|
||||
return (PAM_SUCCESS);
|
||||
}
|
||||
|
||||
PAM_MODULE_ENTRY("pam_ftp");
|
||||
|
@ -52,6 +52,8 @@ static const char sccsid[] = "@(#)klogin.c 8.3 (Berkeley) 4/2/94";
|
||||
#include <string.h>
|
||||
#include <unistd.h>
|
||||
|
||||
#include "klogin.h"
|
||||
|
||||
#define INITIAL_TICKET "krbtgt"
|
||||
#define VERIFY_SERVICE "rcmd"
|
||||
|
||||
@ -65,14 +67,11 @@ extern char *krbtkfile_env;
|
||||
* 1 if Kerberos failed (try local password in login)
|
||||
*/
|
||||
int
|
||||
klogin(pw, instance, localhost, password)
|
||||
struct passwd *pw;
|
||||
char *instance, *localhost, *password;
|
||||
klogin(struct passwd *pw, char *instance, char *localhost, const char *password)
|
||||
{
|
||||
int kerror;
|
||||
char realm[REALM_SZ], savehost[MAXHOSTNAMELEN];
|
||||
char tkt_location[MAXPATHLEN];
|
||||
char *krb_get_phost();
|
||||
extern int noticketsdontcomplain;
|
||||
|
||||
#ifdef KLOGIN_PARANOID
|
||||
|
5
lib/libpam/modules/pam_kerberosIV/klogin.h
Normal file
5
lib/libpam/modules/pam_kerberosIV/klogin.h
Normal file
@ -0,0 +1,5 @@
|
||||
/*
|
||||
* $FreeBSD$
|
||||
*/
|
||||
|
||||
int klogin(struct passwd *, char *, char *, const char *);
|
@ -1,6 +1,13 @@
|
||||
/*-
|
||||
* Copyright 1998 Juniper Networks, Inc.
|
||||
* All rights reserved.
|
||||
* Copyright (c) 2002 Networks Associates Technology, Inc.
|
||||
* All rights reserved.
|
||||
*
|
||||
* Portions of this software were developed for the FreeBSD Project by
|
||||
* ThinkSec AS and NAI Labs, the Security Research Division of Network
|
||||
* Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035
|
||||
* ("CBOSS"), as part of the DARPA CHATS research program.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
@ -10,6 +17,9 @@
|
||||
* 2. Redistributions in binary form must reproduce the above copyright
|
||||
* notice, this list of conditions and the following disclaimer in the
|
||||
* documentation and/or other materials provided with the distribution.
|
||||
* 3. The name of the author may not be used to endorse or promote
|
||||
* products derived from this software without specific prior written
|
||||
* permission.
|
||||
*
|
||||
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
|
||||
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
||||
@ -38,9 +48,7 @@ __FBSDID("$FreeBSD$");
|
||||
#include <security/pam_modules.h>
|
||||
#include <security/pam_mod_misc.h>
|
||||
|
||||
#define PASSWORD_PROMPT "Password:"
|
||||
|
||||
extern int klogin(struct passwd *, char *, char *, char *);
|
||||
#include "klogin.h"
|
||||
|
||||
/* Globals used by klogin.c */
|
||||
int notickets = 1;
|
||||
@ -48,9 +56,9 @@ int noticketsdontcomplain = 1;
|
||||
char *krbtkfile_env;
|
||||
|
||||
PAM_EXTERN int
|
||||
pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv)
|
||||
pam_sm_authenticate(pam_handle_t *pamh, int flags,
|
||||
int argc __unused, const char *argv[] __unused)
|
||||
{
|
||||
struct options options;
|
||||
int retval;
|
||||
const char *user;
|
||||
char *principal;
|
||||
@ -59,47 +67,41 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv)
|
||||
char localhost[MAXHOSTNAMELEN + 1];
|
||||
struct passwd *pwd;
|
||||
|
||||
pam_std_option(&options, NULL, argc, argv);
|
||||
|
||||
PAM_LOG("Options processed");
|
||||
|
||||
retval = pam_get_user(pamh, &user, NULL);
|
||||
if (retval != PAM_SUCCESS)
|
||||
PAM_RETURN(retval);
|
||||
return (retval);
|
||||
|
||||
PAM_LOG("Got user: %s", user);
|
||||
|
||||
retval = pam_get_pass(pamh, &password, PASSWORD_PROMPT, &options);
|
||||
retval = pam_get_authtok(pamh, PAM_AUTHTOK, &password, NULL);
|
||||
if (retval != PAM_SUCCESS)
|
||||
PAM_RETURN(retval);
|
||||
return (retval);
|
||||
|
||||
PAM_LOG("Got password");
|
||||
|
||||
if (gethostname(localhost, sizeof localhost - 1) == -1)
|
||||
PAM_RETURN(PAM_SYSTEM_ERR);
|
||||
return (PAM_SYSTEM_ERR);
|
||||
|
||||
PAM_LOG("Got localhost: %s", localhost);
|
||||
|
||||
principal = strdup(user);
|
||||
if (principal == NULL)
|
||||
PAM_RETURN(PAM_BUF_ERR);
|
||||
return (PAM_BUF_ERR);
|
||||
|
||||
instance = strchr(principal, '.');
|
||||
if (instance != NULL)
|
||||
*instance++ = '\0';
|
||||
else
|
||||
instance = "";
|
||||
instance = strchr(principal, '\0');
|
||||
|
||||
PAM_LOG("Got principal.instance: %s.%s", principal, instance);
|
||||
|
||||
retval = PAM_AUTH_ERR;
|
||||
pwd = getpwnam(user);
|
||||
if (pwd != NULL) {
|
||||
if (klogin(pwd, instance, localhost, (char *)password) == 0) {
|
||||
if (!(flags & PAM_SILENT) && notickets && !noticketsdontcomplain)
|
||||
pam_prompt(pamh, PAM_ERROR_MSG,
|
||||
"Warning: no Kerberos tickets issued",
|
||||
NULL);
|
||||
if (klogin(pwd, instance, localhost, password) == 0) {
|
||||
if (notickets && !noticketsdontcomplain)
|
||||
PAM_VERBOSE_ERROR("Warning: no Kerberos tickets issued");
|
||||
/*
|
||||
* XXX - I think the ticket file isn't supposed to
|
||||
* be created until pam_sm_setcred() is called.
|
||||
@ -121,19 +123,15 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv)
|
||||
if (retval != PAM_SUCCESS)
|
||||
PAM_VERBOSE_ERROR("Kerberos IV refuses you");
|
||||
|
||||
PAM_RETURN(retval);
|
||||
return (retval);
|
||||
}
|
||||
|
||||
PAM_EXTERN int
|
||||
pam_sm_setcred(pam_handle_t *pamh, int flags, int argc, const char **argv)
|
||||
pam_sm_setcred(pam_handle_t *pamh __unused, int flags __unused,
|
||||
int argc __unused, const char *argv[] __unused)
|
||||
{
|
||||
struct options options;
|
||||
|
||||
pam_std_option(&options, NULL, argc, argv);
|
||||
|
||||
PAM_LOG("Options processed");
|
||||
|
||||
PAM_RETURN(PAM_SUCCESS);
|
||||
return (PAM_SUCCESS);
|
||||
}
|
||||
|
||||
PAM_MODULE_ENTRY("pam_kerberosIV");
|
||||
|
@ -4,7 +4,7 @@
|
||||
* All rights reserved
|
||||
* Copyright (c) 2002 Networks Associates Technology, Inc.
|
||||
* All rights reserved.
|
||||
*
|
||||
*
|
||||
* Portions of this software were developed for the FreeBSD Project by
|
||||
* ThinkSec AS and NAI Labs, the Security Research Division of Network
|
||||
* Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035
|
||||
@ -22,13 +22,13 @@
|
||||
* 3. The name of the author may not be used to endorse or promote
|
||||
* products derived from this software without specific prior
|
||||
* written permission.
|
||||
*
|
||||
*
|
||||
* ALTERNATIVELY, this product may be distributed under the terms of
|
||||
* the GNU Public License, in which case the provisions of the GPL are
|
||||
* required INSTEAD OF the above restrictions. (This clause is
|
||||
* necessary due to a potential bad interaction between the GPL and
|
||||
* the restrictions contained in a BSD-style copyright.)
|
||||
*
|
||||
*
|
||||
* THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
|
||||
* WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
|
||||
* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
|
||||
@ -41,17 +41,17 @@
|
||||
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
|
||||
* OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
* ---------------------------------------------------------------------------
|
||||
*
|
||||
*
|
||||
* This software may contain code from Naomaru Itoi:
|
||||
*
|
||||
*
|
||||
* PAM-kerberos5 module Copyright notice.
|
||||
* Naomaru Itoi <itoi@eecs.umich.edu>, June 24, 1997.
|
||||
*
|
||||
*
|
||||
* ----------------------------------------------------------------------------
|
||||
* COPYRIGHT (c) 1997
|
||||
* THE REGENTS OF THE UNIVERSITY OF MICHIGAN
|
||||
* ALL RIGHTS RESERVED
|
||||
*
|
||||
*
|
||||
* PERMISSION IS GRANTED TO USE, COPY, CREATE DERIVATIVE WORKS AND REDISTRIBUTE
|
||||
* THIS SOFTWARE AND SUCH DERIVATIVE WORKS FOR ANY PURPOSE, SO LONG AS THE NAME
|
||||
* OF THE UNIVERSITY OF MICHIGAN IS NOT USED IN ANY ADVERTISING OR PUBLICITY
|
||||
@ -59,7 +59,7 @@
|
||||
* WRITTEN PRIOR AUTHORIZATION. IF THE ABOVE COPYRIGHT NOTICE OR ANY OTHER
|
||||
* IDENTIFICATION OF THE UNIVERSITY OF MICHIGAN IS INCLUDED IN ANY COPY OF ANY
|
||||
* PORTION OF THIS SOFTWARE, THEN THE DISCLAIMER BELOW MUST ALSO BE INCLUDED.
|
||||
*
|
||||
*
|
||||
* THE SOFTWARE IS PROVIDED AS IS, WITHOUT REPRESENTATION FROM THE UNIVERSITY OF
|
||||
* MICHIGAN AS TO ITS FITNESS FOR ANY PURPOSE, AND WITHOUT WARRANTY BY THE
|
||||
* UNIVERSITY OF MICHIGAN OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING
|
||||
@ -69,19 +69,19 @@
|
||||
* CONSEQUENTIAL DAMAGES, WITH RESPECT TO ANY CLAIM ARISING OUT OF OR IN
|
||||
* CONNECTION WITH THE USE OF THE SOFTWARE, EVEN IF IT HAS BEEN OR IS HEREAFTER
|
||||
* ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
|
||||
*
|
||||
*
|
||||
* PAM-kerberos5 module is written based on PAM-kerberos4 module
|
||||
* by Derrick J. Brashear and kerberos5-1.0pl1 by M.I.T. kerberos team.
|
||||
* Permission to use, copy, modify, distribute this software is hereby
|
||||
* granted, as long as it is granted by Derrick J. Brashear and
|
||||
* M.I.T. kerberos team. Followings are their copyright information.
|
||||
* M.I.T. kerberos team. Followings are their copyright information.
|
||||
* ----------------------------------------------------------------------------
|
||||
*
|
||||
*
|
||||
* This software may contain code from Derrick J. Brashear:
|
||||
*
|
||||
*
|
||||
*
|
||||
*
|
||||
* Copyright (c) Derrick J. Brashear, 1996. All rights reserved
|
||||
*
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
* are met:
|
||||
@ -94,13 +94,13 @@
|
||||
* 3. The name of the author may not be used to endorse or promote
|
||||
* products derived from this software without specific prior
|
||||
* written permission.
|
||||
*
|
||||
*
|
||||
* ALTERNATIVELY, this product may be distributed under the terms of
|
||||
* the GNU Public License, in which case the provisions of the GPL are
|
||||
* required INSTEAD OF the above restrictions. (This clause is
|
||||
* necessary due to a potential bad interaction between the GPL and
|
||||
* the restrictions contained in a BSD-style copyright.)
|
||||
*
|
||||
*
|
||||
* THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
|
||||
* WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
|
||||
* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
|
||||
@ -112,23 +112,23 @@
|
||||
* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
|
||||
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
|
||||
* OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
*
|
||||
*
|
||||
* ----------------------------------------------------------------------------
|
||||
*
|
||||
*
|
||||
* This software may contain code from MIT Kerberos 5:
|
||||
*
|
||||
*
|
||||
* Copyright Notice and Legal Administrivia
|
||||
* ----------------------------------------
|
||||
*
|
||||
*
|
||||
* Copyright (C) 1996 by the Massachusetts Institute of Technology.
|
||||
*
|
||||
*
|
||||
* All rights reserved.
|
||||
*
|
||||
*
|
||||
* Export of this software from the United States of America may require
|
||||
* a specific license from the United States Government. It is the
|
||||
* responsibility of any person or organization contemplating export to
|
||||
* obtain such a license before exporting.
|
||||
*
|
||||
*
|
||||
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
|
||||
* distribute this software and its documentation for any purpose and
|
||||
* without fee is hereby granted, provided that the above copyright
|
||||
@ -139,62 +139,62 @@
|
||||
* permission. M.I.T. makes no representations about the suitability of
|
||||
* this software for any purpose. It is provided "as is" without express
|
||||
* or implied warranty.
|
||||
*
|
||||
*
|
||||
* THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
|
||||
* IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
|
||||
* WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
|
||||
*
|
||||
*
|
||||
* Individual source code files are copyright MIT, Cygnus Support,
|
||||
* OpenVision, Oracle, Sun Soft, and others.
|
||||
*
|
||||
*
|
||||
* Project Athena, Athena, Athena MUSE, Discuss, Hesiod, Kerberos, Moira,
|
||||
* and Zephyr are trademarks of the Massachusetts Institute of Technology
|
||||
* (MIT). No commercial use of these trademarks may be made without
|
||||
* prior written permission of MIT.
|
||||
*
|
||||
*
|
||||
* "Commercial use" means use of a name in a product or other for-profit
|
||||
* manner. It does NOT prevent a commercial firm from referring to the
|
||||
* MIT trademarks in order to convey information (although in doing so,
|
||||
* recognition of their trademark status should be given).
|
||||
*
|
||||
*
|
||||
* The following copyright and permission notice applies to the
|
||||
* OpenVision Kerberos Administration system located in kadmin/create,
|
||||
* kadmin/dbutil, kadmin/passwd, kadmin/server, lib/kadm5, and portions
|
||||
* of lib/rpc:
|
||||
*
|
||||
*
|
||||
* Copyright, OpenVision Technologies, Inc., 1996, All Rights Reserved
|
||||
*
|
||||
* WARNING: Retrieving the OpenVision Kerberos Administration system
|
||||
* source code, as described below, indicates your acceptance of the
|
||||
* following terms. If you do not agree to the following terms, do not
|
||||
*
|
||||
* WARNING: Retrieving the OpenVision Kerberos Administration system
|
||||
* source code, as described below, indicates your acceptance of the
|
||||
* following terms. If you do not agree to the following terms, do not
|
||||
* retrieve the OpenVision Kerberos administration system.
|
||||
*
|
||||
*
|
||||
* You may freely use and distribute the Source Code and Object Code
|
||||
* compiled from it, with or without modification, but this Source
|
||||
* Code is provided to you "AS IS" EXCLUSIVE OF ANY WARRANTY,
|
||||
* INCLUDING, WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY OR
|
||||
* FITNESS FOR A PARTICULAR PURPOSE, OR ANY OTHER WARRANTY, WHETHER
|
||||
* EXPRESS OR IMPLIED. IN NO EVENT WILL OPENVISION HAVE ANY LIABILITY
|
||||
* FOR ANY LOST PROFITS, LOSS OF DATA OR COSTS OF PROCUREMENT OF
|
||||
* FOR ANY LOST PROFITS, LOSS OF DATA OR COSTS OF PROCUREMENT OF
|
||||
* SUBSTITUTE GOODS OR SERVICES, OR FOR ANY SPECIAL, INDIRECT, OR
|
||||
* CONSEQUENTIAL DAMAGES ARISING OUT OF THIS AGREEMENT, INCLUDING,
|
||||
* WITHOUT LIMITATION, THOSE RESULTING FROM THE USE OF THE SOURCE
|
||||
* CODE, OR THE FAILURE OF THE SOURCE CODE TO PERFORM, OR FOR ANY
|
||||
* CONSEQUENTIAL DAMAGES ARISING OUT OF THIS AGREEMENT, INCLUDING,
|
||||
* WITHOUT LIMITATION, THOSE RESULTING FROM THE USE OF THE SOURCE
|
||||
* CODE, OR THE FAILURE OF THE SOURCE CODE TO PERFORM, OR FOR ANY
|
||||
* OTHER REASON.
|
||||
*
|
||||
*
|
||||
* OpenVision retains all copyrights in the donated Source Code. OpenVision
|
||||
* also retains copyright to derivative works of the Source Code, whether
|
||||
* created by OpenVision or by a third party. The OpenVision copyright
|
||||
* notice must be preserved if derivative works are made based on the
|
||||
* created by OpenVision or by a third party. The OpenVision copyright
|
||||
* notice must be preserved if derivative works are made based on the
|
||||
* donated Source Code.
|
||||
*
|
||||
* OpenVision Technologies, Inc. has donated this Kerberos
|
||||
* Administration system to MIT for inclusion in the standard
|
||||
* Kerberos 5 distribution. This donation underscores our
|
||||
* commitment to continuing Kerberos technology development
|
||||
* and our gratitude for the valuable work which has been
|
||||
*
|
||||
* OpenVision Technologies, Inc. has donated this Kerberos
|
||||
* Administration system to MIT for inclusion in the standard
|
||||
* Kerberos 5 distribution. This donation underscores our
|
||||
* commitment to continuing Kerberos technology development
|
||||
* and our gratitude for the valuable work which has been
|
||||
* performed by MIT and the Kerberos community.
|
||||
*
|
||||
*
|
||||
*/
|
||||
|
||||
#include <sys/cdefs.h>
|
||||
@ -216,7 +216,6 @@ __FBSDID("$FreeBSD$");
|
||||
|
||||
#define PAM_SM_AUTH
|
||||
#define PAM_SM_ACCOUNT
|
||||
#define PAM_SM_SESSION
|
||||
#define PAM_SM_PASSWORD
|
||||
|
||||
#include <security/pam_appl.h>
|
||||
@ -237,7 +236,13 @@ static void compat_free_data_contents(krb5_context, krb5_data *);
|
||||
#define PASSWORD_PROMPT "Password:"
|
||||
#define NEW_PASSWORD_PROMPT "New Password:"
|
||||
|
||||
enum { PAM_OPT_AUTH_AS_SELF=PAM_OPT_STD_MAX, PAM_OPT_CCACHE, PAM_OPT_FORWARDABLE, PAM_OPT_NO_CCACHE, PAM_OPT_REUSE_CCACHE };
|
||||
enum {
|
||||
PAM_OPT_AUTH_AS_SELF = PAM_OPT_STD_MAX,
|
||||
PAM_OPT_CCACHE,
|
||||
PAM_OPT_FORWARDABLE,
|
||||
PAM_OPT_NO_CCACHE,
|
||||
PAM_OPT_REUSE_CCACHE
|
||||
};
|
||||
|
||||
static struct opttab other_options[] = {
|
||||
{ "auth_as_self", PAM_OPT_AUTH_AS_SELF },
|
||||
@ -252,7 +257,8 @@ static struct opttab other_options[] = {
|
||||
* authentication management
|
||||
*/
|
||||
PAM_EXTERN int
|
||||
pam_sm_authenticate(pam_handle_t *pamh, int flags __unused, int argc, const char **argv)
|
||||
pam_sm_authenticate(pam_handle_t *pamh, int flags __unused,
|
||||
int argc, const char *argv[])
|
||||
{
|
||||
krb5_error_code krbret;
|
||||
krb5_context pam_context;
|
||||
@ -272,13 +278,13 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags __unused, int argc, const char
|
||||
|
||||
retval = pam_get_user(pamh, &user, USER_PROMPT);
|
||||
if (retval != PAM_SUCCESS)
|
||||
PAM_RETURN(retval);
|
||||
return (retval);
|
||||
|
||||
PAM_LOG("Got user: %s", user);
|
||||
|
||||
retval = pam_get_item(pamh, PAM_RUSER, (const void **)&sourceuser);
|
||||
if (retval != PAM_SUCCESS)
|
||||
PAM_RETURN(retval);
|
||||
return (retval);
|
||||
|
||||
PAM_LOG("Got ruser: %s", sourceuser);
|
||||
|
||||
@ -292,7 +298,7 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags __unused, int argc, const char
|
||||
krbret = krb5_init_context(&pam_context);
|
||||
if (krbret != 0) {
|
||||
PAM_VERBOSE_ERROR("Kerberos 5 error");
|
||||
PAM_RETURN(PAM_SERVICE_ERR);
|
||||
return (PAM_SERVICE_ERR);
|
||||
}
|
||||
|
||||
PAM_LOG("Context initialised");
|
||||
@ -479,11 +485,12 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags __unused, int argc, const char
|
||||
if (retval != PAM_SUCCESS)
|
||||
PAM_VERBOSE_ERROR("Kerberos 5 refuses you");
|
||||
|
||||
PAM_RETURN(retval);
|
||||
return (retval);
|
||||
}
|
||||
|
||||
PAM_EXTERN int
|
||||
pam_sm_setcred(pam_handle_t *pamh, int flags, int argc, const char **argv)
|
||||
pam_sm_setcred(pam_handle_t *pamh, int flags,
|
||||
int argc, const char *argv[])
|
||||
{
|
||||
|
||||
krb5_error_code krbret;
|
||||
@ -506,30 +513,30 @@ pam_sm_setcred(pam_handle_t *pamh, int flags, int argc, const char **argv)
|
||||
PAM_LOG("Options processed");
|
||||
|
||||
if (flags & PAM_DELETE_CRED)
|
||||
PAM_RETURN(PAM_SUCCESS);
|
||||
return (PAM_SUCCESS);
|
||||
|
||||
if (flags & PAM_REFRESH_CRED)
|
||||
PAM_RETURN(PAM_SUCCESS);
|
||||
return (PAM_SUCCESS);
|
||||
|
||||
if (flags & PAM_REINITIALIZE_CRED)
|
||||
PAM_RETURN(PAM_SUCCESS);
|
||||
return (PAM_SUCCESS);
|
||||
|
||||
if (!(flags & PAM_ESTABLISH_CRED))
|
||||
PAM_RETURN(PAM_SERVICE_ERR);
|
||||
return (PAM_SERVICE_ERR);
|
||||
|
||||
PAM_LOG("Establishing credentials");
|
||||
|
||||
/* Get username */
|
||||
retval = pam_get_item(pamh, PAM_USER, (const void **)&user);
|
||||
if (retval != PAM_SUCCESS)
|
||||
PAM_RETURN(retval);
|
||||
return (retval);
|
||||
|
||||
PAM_LOG("Got user: %s", user);
|
||||
|
||||
krbret = krb5_init_context(&pam_context);
|
||||
if (krbret != 0) {
|
||||
PAM_LOG("Error krb5_init_context(): %s", error_message(krbret));
|
||||
PAM_RETURN(PAM_SERVICE_ERR);
|
||||
return (PAM_SERVICE_ERR);
|
||||
}
|
||||
|
||||
PAM_LOG("Context initialised");
|
||||
@ -711,15 +718,16 @@ pam_sm_setcred(pam_handle_t *pamh, int flags, int argc, const char **argv)
|
||||
setegid(egid);
|
||||
|
||||
PAM_LOG("Done seteuid() & setegid()");
|
||||
|
||||
PAM_RETURN(retval);
|
||||
|
||||
return (retval);
|
||||
}
|
||||
|
||||
/*
|
||||
/*
|
||||
* account management
|
||||
*/
|
||||
PAM_EXTERN int
|
||||
pam_sm_acct_mgmt(pam_handle_t *pamh, int flags __unused, int argc, const char **argv)
|
||||
pam_sm_acct_mgmt(pam_handle_t *pamh, int flags __unused,
|
||||
int argc, const char *argv[])
|
||||
{
|
||||
krb5_error_code krbret;
|
||||
krb5_context pam_context;
|
||||
@ -735,20 +743,20 @@ pam_sm_acct_mgmt(pam_handle_t *pamh, int flags __unused, int argc, const char **
|
||||
|
||||
retval = pam_get_item(pamh, PAM_USER, (const void **)&user);
|
||||
if (retval != PAM_SUCCESS)
|
||||
PAM_RETURN(retval);
|
||||
return (retval);
|
||||
|
||||
PAM_LOG("Got user: %s", user);
|
||||
|
||||
retval = pam_get_data(pamh, "ccache", (const void **)&ccache);
|
||||
if (retval != PAM_SUCCESS)
|
||||
PAM_RETURN(PAM_SUCCESS);
|
||||
return (PAM_SUCCESS);
|
||||
|
||||
PAM_LOG("Got ccache");
|
||||
|
||||
krbret = krb5_init_context(&pam_context);
|
||||
if (krbret != 0) {
|
||||
PAM_LOG("Error krb5_init_context(): %s", error_message(krbret));
|
||||
PAM_RETURN(PAM_PERM_DENIED);
|
||||
return (PAM_PERM_DENIED);
|
||||
}
|
||||
|
||||
PAM_LOG("Context initialised");
|
||||
@ -774,44 +782,16 @@ pam_sm_acct_mgmt(pam_handle_t *pamh, int flags __unused, int argc, const char **
|
||||
krb5_free_context(pam_context);
|
||||
PAM_LOG("Done cleanup");
|
||||
|
||||
PAM_RETURN(retval);
|
||||
return (retval);
|
||||
|
||||
}
|
||||
|
||||
/*
|
||||
* session management
|
||||
*
|
||||
* logging only
|
||||
*/
|
||||
PAM_EXTERN int
|
||||
pam_sm_open_session(pam_handle_t *pamh __unused, int flags __unused, int argc, const char **argv)
|
||||
{
|
||||
struct options options;
|
||||
|
||||
pam_std_option(&options, NULL, argc, argv);
|
||||
|
||||
PAM_LOG("Options processed");
|
||||
|
||||
PAM_RETURN(PAM_SUCCESS);
|
||||
}
|
||||
|
||||
PAM_EXTERN int
|
||||
pam_sm_close_session(pam_handle_t *pamh __unused, int flags __unused, int argc, const char **argv)
|
||||
{
|
||||
struct options options;
|
||||
|
||||
pam_std_option(&options, NULL, argc, argv);
|
||||
|
||||
PAM_LOG("Options processed");
|
||||
|
||||
PAM_RETURN(PAM_SUCCESS);
|
||||
}
|
||||
|
||||
/*
|
||||
/*
|
||||
* password management
|
||||
*/
|
||||
PAM_EXTERN int
|
||||
pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, const char **argv)
|
||||
pam_sm_chauthtok(pam_handle_t *pamh, int flags,
|
||||
int argc, const char *argv[])
|
||||
{
|
||||
krb5_error_code krbret;
|
||||
krb5_context pam_context;
|
||||
@ -829,18 +809,18 @@ pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, const char **argv)
|
||||
PAM_LOG("Options processed");
|
||||
|
||||
if (!(flags & PAM_UPDATE_AUTHTOK))
|
||||
PAM_RETURN(PAM_AUTHTOK_ERR);
|
||||
return (PAM_AUTHTOK_ERR);
|
||||
|
||||
retval = pam_get_item(pamh, PAM_USER, (const void **)&user);
|
||||
if (retval != PAM_SUCCESS)
|
||||
PAM_RETURN(retval);
|
||||
return (retval);
|
||||
|
||||
PAM_LOG("Got user: %s", user);
|
||||
|
||||
krbret = krb5_init_context(&pam_context);
|
||||
if (krbret != 0) {
|
||||
PAM_LOG("Error krb5_init_context(): %s", error_message(krbret));
|
||||
PAM_RETURN(PAM_SERVICE_ERR);
|
||||
return (PAM_SERVICE_ERR);
|
||||
}
|
||||
|
||||
PAM_LOG("Context initialised");
|
||||
@ -941,7 +921,7 @@ pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, const char **argv)
|
||||
|
||||
PAM_LOG("Done cleanup3");
|
||||
|
||||
PAM_RETURN(retval);
|
||||
return (retval);
|
||||
}
|
||||
|
||||
PAM_MODULE_ENTRY("pam_krb5");
|
||||
@ -1003,10 +983,10 @@ verify_krb_v5_tgt(krb5_context context, krb5_ccache ccache,
|
||||
phost[BUFSIZ - 1] = '\0';
|
||||
|
||||
/*
|
||||
* Do we have service/<host> keys?
|
||||
* (use default/configured keytab, kvno IGNORE_VNO to get the
|
||||
* first match, and ignore enctype.)
|
||||
*/
|
||||
* Do we have service/<host> keys?
|
||||
* (use default/configured keytab, kvno IGNORE_VNO to get the
|
||||
* first match, and ignore enctype.)
|
||||
*/
|
||||
retval = krb5_kt_read_service_key(context, NULL, princ, 0, 0,
|
||||
&keyblock);
|
||||
if (retval != 0)
|
||||
|
@ -57,69 +57,16 @@ __FBSDID("$FreeBSD$");
|
||||
#include <unistd.h>
|
||||
#include <utmp.h>
|
||||
|
||||
#define PAM_SM_AUTH
|
||||
#define PAM_SM_ACCOUNT
|
||||
#define PAM_SM_SESSION
|
||||
#define PAM_SM_PASSWORD
|
||||
|
||||
#include <security/pam_appl.h>
|
||||
#include <security/pam_modules.h>
|
||||
#include <security/pam_mod_misc.h>
|
||||
|
||||
extern int login_access(const char *, const char *);
|
||||
|
||||
PAM_EXTERN int
|
||||
pam_sm_authenticate(pam_handle_t *pamh __unused, int flags __unused, int argc, const char **argv)
|
||||
pam_sm_open_session(pam_handle_t *pamh, int flags,
|
||||
int argc __unused, const char *argv[] __unused)
|
||||
{
|
||||
struct options options;
|
||||
|
||||
pam_std_option(&options, NULL, argc, argv);
|
||||
|
||||
PAM_LOG("Options processed");
|
||||
|
||||
PAM_RETURN(PAM_IGNORE);
|
||||
}
|
||||
|
||||
PAM_EXTERN int
|
||||
pam_sm_setcred(pam_handle_t *pamh __unused, int flags __unused, int argc, const char **argv)
|
||||
{
|
||||
struct options options;
|
||||
|
||||
pam_std_option(&options, NULL, argc, argv);
|
||||
|
||||
PAM_LOG("Options processed");
|
||||
|
||||
PAM_RETURN(PAM_IGNORE);
|
||||
}
|
||||
|
||||
PAM_EXTERN int
|
||||
pam_sm_acct_mgmt(pam_handle_t *pamh __unused, int flags __unused, int argc ,const char **argv)
|
||||
{
|
||||
struct options options;
|
||||
|
||||
pam_std_option(&options, NULL, argc, argv);
|
||||
|
||||
PAM_LOG("Options processed");
|
||||
|
||||
PAM_RETURN(PAM_IGNORE);
|
||||
}
|
||||
|
||||
PAM_EXTERN int
|
||||
pam_sm_chauthtok(pam_handle_t *pamh __unused, int flags __unused, int argc, const char **argv)
|
||||
{
|
||||
struct options options;
|
||||
|
||||
pam_std_option(&options, NULL, argc, argv);
|
||||
|
||||
PAM_LOG("Options processed");
|
||||
|
||||
PAM_RETURN(PAM_IGNORE);
|
||||
}
|
||||
|
||||
PAM_EXTERN int
|
||||
pam_sm_open_session(pam_handle_t *pamh, int flags, int argc, const char **argv)
|
||||
{
|
||||
struct options options;
|
||||
struct passwd *pwd;
|
||||
struct utmp utmp;
|
||||
struct lastlog ll;
|
||||
@ -127,31 +74,27 @@ pam_sm_open_session(pam_handle_t *pamh, int flags, int argc, const char **argv)
|
||||
off_t llpos;
|
||||
int fd, pam_err;
|
||||
|
||||
pam_std_option(&options, NULL, argc, argv);
|
||||
|
||||
PAM_LOG("Options processed");
|
||||
|
||||
pam_err = pam_get_item(pamh, PAM_USER, (const void **)&user);
|
||||
pam_err = pam_get_user(pamh, &user, NULL);
|
||||
if (pam_err != PAM_SUCCESS)
|
||||
PAM_RETURN(pam_err);
|
||||
return (pam_err);
|
||||
if (user == NULL || (pwd = getpwnam(user)) == NULL)
|
||||
PAM_RETURN(PAM_SERVICE_ERR);
|
||||
return (PAM_SERVICE_ERR);
|
||||
PAM_LOG("Got user: %s", user);
|
||||
|
||||
pam_err = pam_get_item(pamh, PAM_RHOST, (const void **)&rhost);
|
||||
if (pam_err != PAM_SUCCESS)
|
||||
PAM_RETURN(pam_err);
|
||||
|
||||
return (pam_err);
|
||||
|
||||
pam_err = pam_get_item(pamh, PAM_TTY, (const void **)&tty);
|
||||
if (pam_err != PAM_SUCCESS)
|
||||
PAM_RETURN(pam_err);
|
||||
return (pam_err);
|
||||
if (tty == NULL)
|
||||
PAM_RETURN(PAM_SERVICE_ERR);
|
||||
|
||||
return (PAM_SERVICE_ERR);
|
||||
|
||||
fd = open(_PATH_LASTLOG, O_RDWR|O_CREAT, 0644);
|
||||
if (fd == -1) {
|
||||
syslog(LOG_ERR, "cannot open %s: %m", _PATH_LASTLOG);
|
||||
PAM_RETURN(PAM_SERVICE_ERR);
|
||||
return (PAM_SERVICE_ERR);
|
||||
}
|
||||
|
||||
/*
|
||||
@ -175,21 +118,21 @@ pam_sm_open_session(pam_handle_t *pamh, int flags, int argc, const char **argv)
|
||||
if (lseek(fd, llpos, L_SET) != llpos)
|
||||
goto file_err;
|
||||
}
|
||||
|
||||
|
||||
bzero(&ll, sizeof(ll));
|
||||
time(&ll.ll_time);
|
||||
|
||||
|
||||
/* note: does not need to be NUL-terminated */
|
||||
strncpy(ll.ll_line, tty, sizeof(ll.ll_line));
|
||||
if (rhost != NULL)
|
||||
/* note: does not need to be NUL-terminated */
|
||||
strncpy(ll.ll_host, rhost, sizeof(ll.ll_host));
|
||||
|
||||
|
||||
if (write(fd, (char *)&ll, sizeof(ll)) != sizeof(ll) || close(fd) != 0)
|
||||
goto file_err;
|
||||
|
||||
PAM_LOG("Login recorded in %s", _PATH_LASTLOG);
|
||||
|
||||
|
||||
/*
|
||||
* Record session in utmp(5) and wtmp(5).
|
||||
*/
|
||||
@ -201,25 +144,21 @@ pam_sm_open_session(pam_handle_t *pamh, int flags, int argc, const char **argv)
|
||||
strncpy(utmp.ut_host, rhost, sizeof(utmp.ut_host));
|
||||
(void)strncpy(utmp.ut_line, tty, sizeof(utmp.ut_line));
|
||||
login(&utmp);
|
||||
|
||||
PAM_RETURN(PAM_IGNORE);
|
||||
|
||||
|
||||
return (PAM_IGNORE);
|
||||
|
||||
file_err:
|
||||
syslog(LOG_ERR, "%s: %m", _PATH_LASTLOG);
|
||||
close(fd);
|
||||
PAM_RETURN(PAM_SERVICE_ERR);
|
||||
return (PAM_SERVICE_ERR);
|
||||
}
|
||||
|
||||
PAM_EXTERN int
|
||||
pam_sm_close_session(pam_handle_t *pamh __unused, int flags __unused, int argc, const char **argv)
|
||||
pam_sm_close_session(pam_handle_t *pamh __unused, int flags __unused,
|
||||
int argc __unused, const char *argv[] __unused)
|
||||
{
|
||||
struct options options;
|
||||
|
||||
pam_std_option(&options, NULL, argc, argv);
|
||||
|
||||
PAM_LOG("Options processed");
|
||||
|
||||
PAM_RETURN(PAM_SUCCESS);
|
||||
return (PAM_SUCCESS);
|
||||
}
|
||||
|
||||
PAM_MODULE_ENTRY("pam_lastlog");
|
||||
|
@ -44,10 +44,7 @@ __FBSDID("$FreeBSD$");
|
||||
#include <syslog.h>
|
||||
#include <unistd.h>
|
||||
|
||||
#define PAM_SM_AUTH
|
||||
#define PAM_SM_ACCOUNT
|
||||
#define PAM_SM_SESSION
|
||||
#define PAM_SM_PASSWORD
|
||||
|
||||
#include <security/pam_appl.h>
|
||||
#include <security/pam_modules.h>
|
||||
@ -56,57 +53,29 @@ __FBSDID("$FreeBSD$");
|
||||
#include "pam_login_access.h"
|
||||
|
||||
PAM_EXTERN int
|
||||
pam_sm_authenticate(pam_handle_t *pamh __unused, int flags __unused, int argc, const char **argv)
|
||||
pam_sm_acct_mgmt(pam_handle_t *pamh, int flags __unused,
|
||||
int argc __unused, const char *argv[] __unused)
|
||||
{
|
||||
struct options options;
|
||||
|
||||
pam_std_option(&options, NULL, argc, argv);
|
||||
|
||||
PAM_LOG("Options processed");
|
||||
|
||||
PAM_RETURN(PAM_IGNORE);
|
||||
}
|
||||
|
||||
PAM_EXTERN int
|
||||
pam_sm_setcred(pam_handle_t *pamh __unused, int flags __unused, int argc, const char **argv)
|
||||
{
|
||||
struct options options;
|
||||
|
||||
pam_std_option(&options, NULL, argc, argv);
|
||||
|
||||
PAM_LOG("Options processed");
|
||||
|
||||
PAM_RETURN(PAM_IGNORE);
|
||||
}
|
||||
|
||||
PAM_EXTERN int
|
||||
pam_sm_acct_mgmt(pam_handle_t *pamh, int flags __unused, int argc ,const char **argv)
|
||||
{
|
||||
struct options options;
|
||||
const char *rhost, *tty, *user;
|
||||
char hostname[MAXHOSTNAMELEN];
|
||||
int pam_err;
|
||||
|
||||
pam_std_option(&options, NULL, argc, argv);
|
||||
|
||||
PAM_LOG("Options processed");
|
||||
|
||||
pam_err = pam_get_item(pamh, PAM_USER, (const void **)&user);
|
||||
if (pam_err != PAM_SUCCESS)
|
||||
PAM_RETURN(pam_err);
|
||||
return (pam_err);
|
||||
|
||||
if (user == NULL)
|
||||
PAM_RETURN(PAM_SERVICE_ERR);
|
||||
return (PAM_SERVICE_ERR);
|
||||
|
||||
PAM_LOG("Got user: %s", user);
|
||||
|
||||
pam_err = pam_get_item(pamh, PAM_RHOST, (const void **)&rhost);
|
||||
if (pam_err != PAM_SUCCESS)
|
||||
PAM_RETURN(pam_err);
|
||||
return (pam_err);
|
||||
|
||||
pam_err = pam_get_item(pamh, PAM_TTY, (const void **)&tty);
|
||||
if (pam_err != PAM_SUCCESS)
|
||||
PAM_RETURN(pam_err);
|
||||
return (pam_err);
|
||||
|
||||
gethostname(hostname, sizeof hostname);
|
||||
|
||||
@ -114,55 +83,19 @@ pam_sm_acct_mgmt(pam_handle_t *pamh, int flags __unused, int argc ,const char **
|
||||
PAM_LOG("Checking login.access for user %s on tty %s",
|
||||
user, tty);
|
||||
if (login_access(user, tty) != 0)
|
||||
PAM_RETURN(PAM_SUCCESS);
|
||||
return (PAM_SUCCESS);
|
||||
PAM_VERBOSE_ERROR("%s is not allowed to log in on %s",
|
||||
user, tty);
|
||||
} else {
|
||||
PAM_LOG("Checking login.access for user %s from host %s",
|
||||
user, rhost);
|
||||
if (login_access(user, rhost) != 0)
|
||||
PAM_RETURN(PAM_SUCCESS);
|
||||
return (PAM_SUCCESS);
|
||||
PAM_VERBOSE_ERROR("%s is not allowed to log in from %s",
|
||||
user, rhost);
|
||||
}
|
||||
|
||||
PAM_RETURN(PAM_AUTH_ERR);
|
||||
}
|
||||
|
||||
PAM_EXTERN int
|
||||
pam_sm_chauthtok(pam_handle_t *pamh __unused, int flags __unused, int argc, const char **argv)
|
||||
{
|
||||
struct options options;
|
||||
|
||||
pam_std_option(&options, NULL, argc, argv);
|
||||
|
||||
PAM_LOG("Options processed");
|
||||
|
||||
PAM_RETURN(PAM_IGNORE);
|
||||
}
|
||||
|
||||
PAM_EXTERN int
|
||||
pam_sm_open_session(pam_handle_t *pamh __unused, int flags __unused, int argc, const char **argv)
|
||||
{
|
||||
struct options options;
|
||||
|
||||
pam_std_option(&options, NULL, argc, argv);
|
||||
|
||||
PAM_LOG("Options processed");
|
||||
|
||||
PAM_RETURN(PAM_IGNORE);
|
||||
}
|
||||
|
||||
PAM_EXTERN int
|
||||
pam_sm_close_session(pam_handle_t *pamh __unused, int flags __unused, int argc, const char **argv)
|
||||
{
|
||||
struct options options;
|
||||
|
||||
pam_std_option(&options, NULL, argc, argv);
|
||||
|
||||
PAM_LOG("Options processed");
|
||||
|
||||
PAM_RETURN(PAM_IGNORE);
|
||||
return (PAM_AUTH_ERR);
|
||||
}
|
||||
|
||||
PAM_MODULE_ENTRY("pam_login_access");
|
||||
|
@ -47,9 +47,6 @@ __FBSDID("$FreeBSD$");
|
||||
#include <unistd.h>
|
||||
|
||||
#define PAM_SM_AUTH
|
||||
#define PAM_SM_ACCOUNT
|
||||
#define PAM_SM_SESSION
|
||||
#define PAM_SM_PASSWORD
|
||||
|
||||
#include <security/pam_appl.h>
|
||||
#include <security/pam_modules.h>
|
||||
@ -60,23 +57,19 @@ __FBSDID("$FreeBSD$");
|
||||
static char nologin_def[] = NOLOGIN;
|
||||
|
||||
PAM_EXTERN int
|
||||
pam_sm_authenticate(pam_handle_t *pamh, int flags __unused, int argc, const char **argv)
|
||||
pam_sm_authenticate(pam_handle_t *pamh, int flags __unused,
|
||||
int argc __unused, const char *argv[] __unused)
|
||||
{
|
||||
login_cap_t *lc;
|
||||
struct options options;
|
||||
struct passwd *pwd;
|
||||
struct stat st;
|
||||
int retval, fd;
|
||||
const char *user, *nologin;
|
||||
char *mtmp;
|
||||
|
||||
pam_std_option(&options, NULL, argc, argv);
|
||||
|
||||
PAM_LOG("Options processed");
|
||||
|
||||
retval = pam_get_user(pamh, &user, NULL);
|
||||
if (retval != PAM_SUCCESS)
|
||||
PAM_RETURN(retval);
|
||||
return (retval);
|
||||
|
||||
PAM_LOG("Got user: %s", user);
|
||||
|
||||
@ -87,7 +80,7 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags __unused, int argc, const char
|
||||
|
||||
fd = open(nologin, O_RDONLY, 0);
|
||||
if (fd < 0)
|
||||
PAM_RETURN(PAM_SUCCESS);
|
||||
return (PAM_SUCCESS);
|
||||
|
||||
PAM_LOG("Opened %s file", NOLOGIN);
|
||||
|
||||
@ -100,9 +93,9 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags __unused, int argc, const char
|
||||
else
|
||||
retval = PAM_AUTH_ERR;
|
||||
}
|
||||
|
||||
|
||||
if (fstat(fd, &st) < 0)
|
||||
PAM_RETURN(retval);
|
||||
return (retval);
|
||||
|
||||
mtmp = malloc(st.st_size + 1);
|
||||
if (mtmp != NULL) {
|
||||
@ -111,71 +104,19 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags __unused, int argc, const char
|
||||
pam_error(pamh, "%s", mtmp, NULL);
|
||||
free(mtmp);
|
||||
}
|
||||
|
||||
|
||||
if (retval != PAM_SUCCESS)
|
||||
PAM_VERBOSE_ERROR("Administrator refusing you: %s", NOLOGIN);
|
||||
|
||||
PAM_RETURN(retval);
|
||||
return (retval);
|
||||
}
|
||||
|
||||
PAM_EXTERN int
|
||||
pam_sm_setcred(pam_handle_t *pamh __unused, int flags __unused, int argc, const char **argv)
|
||||
pam_sm_setcred(pam_handle_t *pamh __unused, int flags __unused,
|
||||
int argc __unused, const char *argv[] __unused)
|
||||
{
|
||||
struct options options;
|
||||
|
||||
pam_std_option(&options, NULL, argc, argv);
|
||||
|
||||
PAM_LOG("Options processed");
|
||||
|
||||
PAM_RETURN(PAM_SUCCESS);
|
||||
}
|
||||
|
||||
PAM_EXTERN int
|
||||
pam_sm_acct_mgmt(pam_handle_t *pamh __unused, int flags __unused, int argc ,const char **argv)
|
||||
{
|
||||
struct options options;
|
||||
|
||||
pam_std_option(&options, NULL, argc, argv);
|
||||
|
||||
PAM_LOG("Options processed");
|
||||
|
||||
PAM_RETURN(PAM_IGNORE);
|
||||
}
|
||||
|
||||
PAM_EXTERN int
|
||||
pam_sm_chauthtok(pam_handle_t *pamh __unused, int flags __unused, int argc, const char **argv)
|
||||
{
|
||||
struct options options;
|
||||
|
||||
pam_std_option(&options, NULL, argc, argv);
|
||||
|
||||
PAM_LOG("Options processed");
|
||||
|
||||
PAM_RETURN(PAM_IGNORE);
|
||||
}
|
||||
|
||||
PAM_EXTERN int
|
||||
pam_sm_open_session(pam_handle_t *pamh __unused, int flags __unused, int argc, const char **argv)
|
||||
{
|
||||
struct options options;
|
||||
|
||||
pam_std_option(&options, NULL, argc, argv);
|
||||
|
||||
PAM_LOG("Options processed");
|
||||
|
||||
PAM_RETURN(PAM_IGNORE);
|
||||
}
|
||||
|
||||
PAM_EXTERN int
|
||||
pam_sm_close_session(pam_handle_t *pamh __unused, int flags __unused, int argc, const char **argv)
|
||||
{
|
||||
struct options options;
|
||||
|
||||
pam_std_option(&options, NULL, argc, argv);
|
||||
|
||||
PAM_LOG("Options processed");
|
||||
|
||||
PAM_RETURN(PAM_IGNORE);
|
||||
return (PAM_SUCCESS);
|
||||
}
|
||||
|
||||
PAM_MODULE_ENTRY("pam_nologin");
|
||||
|
@ -1,7 +1,7 @@
|
||||
/*-
|
||||
* Copyright 2000 James Bloom
|
||||
* All rights reserved.
|
||||
* Based upon code Copyright 1998 Juniper Networks, Inc.
|
||||
* Based upon code Copyright 1998 Juniper Networks, Inc.
|
||||
* Copyright (c) 2001,2002 Networks Associates Technology, Inc.
|
||||
* All rights reserved.
|
||||
*
|
||||
@ -46,16 +46,13 @@ __FBSDID("$FreeBSD$");
|
||||
#include <unistd.h>
|
||||
|
||||
#define PAM_SM_AUTH
|
||||
#define PAM_SM_ACCOUNT
|
||||
#define PAM_SM_SESSION
|
||||
#define PAM_SM_PASSWORD
|
||||
|
||||
#include <security/pam_appl.h>
|
||||
#include <security/pam_modules.h>
|
||||
#include <security/pam_mod_misc.h>
|
||||
|
||||
enum {
|
||||
PAM_OPT_AUTH_AS_SELF = PAM_OPT_STD_MAX,
|
||||
PAM_OPT_AUTH_AS_SELF = PAM_OPT_STD_MAX,
|
||||
PAM_OPT_NO_FAKE_PROMPTS
|
||||
};
|
||||
|
||||
@ -66,7 +63,8 @@ static struct opttab other_options[] = {
|
||||
};
|
||||
|
||||
PAM_EXTERN int
|
||||
pam_sm_authenticate(pam_handle_t *pamh, int flags __unused, int argc, const char **argv)
|
||||
pam_sm_authenticate(pam_handle_t *pamh, int flags __unused,
|
||||
int argc, const char *argv[])
|
||||
{
|
||||
struct opie opie;
|
||||
struct options options;
|
||||
@ -86,13 +84,13 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags __unused, int argc, const char
|
||||
user = NULL;
|
||||
if (pam_test_option(&options, PAM_OPT_AUTH_AS_SELF, NULL)) {
|
||||
if ((pwd = getpwnam(getlogin())) == NULL)
|
||||
PAM_RETURN(PAM_AUTH_ERR);
|
||||
return (PAM_AUTH_ERR);
|
||||
user = pwd->pw_name;
|
||||
}
|
||||
else {
|
||||
retval = pam_get_user(pamh, (const char **)&user, NULL);
|
||||
if (retval != PAM_SUCCESS)
|
||||
PAM_RETURN(retval);
|
||||
return (retval);
|
||||
}
|
||||
|
||||
PAM_LOG("Got user: %s", user);
|
||||
@ -110,22 +108,22 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags __unused, int argc, const char
|
||||
*/
|
||||
/* XXX generates a const warning because of incorrect prototype */
|
||||
if (opiechallenge(&opie, (char *)user, challenge) != 0 &&
|
||||
pam_test_option(&options, PAM_OPT_NO_FAKE_PROMPTS, NULL))
|
||||
PAM_RETURN(PAM_AUTH_ERR);
|
||||
|
||||
pam_test_option(&options, PAM_OPT_NO_FAKE_PROMPTS, NULL))
|
||||
return (PAM_AUTH_ERR);
|
||||
|
||||
/*
|
||||
* It doesn't make sense to use a password that has already been
|
||||
* typed in, since we haven't presented the challenge to the user
|
||||
* yet, so clear the stored password.
|
||||
*/
|
||||
pam_set_item(pamh, PAM_AUTHTOK, NULL);
|
||||
|
||||
|
||||
for (i = 0; i < 2; i++) {
|
||||
snprintf(prompt, sizeof prompt, promptstr[i], challenge);
|
||||
retval = pam_get_authtok(pamh, PAM_AUTHTOK, &response, prompt);
|
||||
if (retval != PAM_SUCCESS) {
|
||||
opieunlock();
|
||||
PAM_RETURN(retval);
|
||||
return (retval);
|
||||
}
|
||||
|
||||
PAM_LOG("Completed challenge %d: %s", i, response);
|
||||
@ -147,67 +145,15 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags __unused, int argc, const char
|
||||
* success or lack thereof.
|
||||
*/
|
||||
retval = opieverify(&opie, resp) == 0 ? PAM_SUCCESS : PAM_AUTH_ERR;
|
||||
PAM_RETURN(retval);
|
||||
return (retval);
|
||||
}
|
||||
|
||||
PAM_EXTERN int
|
||||
pam_sm_setcred(pam_handle_t *pamh __unused, int flags __unused, int argc, const char **argv)
|
||||
pam_sm_setcred(pam_handle_t *pamh __unused, int flags __unused,
|
||||
int argc __unused, const char *argv[] __unused)
|
||||
{
|
||||
struct options options;
|
||||
|
||||
pam_std_option(&options, other_options, argc, argv);
|
||||
|
||||
PAM_LOG("Options processed");
|
||||
|
||||
PAM_RETURN(PAM_SUCCESS);
|
||||
}
|
||||
|
||||
PAM_EXTERN int
|
||||
pam_sm_acct_mgmt(pam_handle_t *pamh __unused, int flags __unused, int argc ,const char **argv)
|
||||
{
|
||||
struct options options;
|
||||
|
||||
pam_std_option(&options, NULL, argc, argv);
|
||||
|
||||
PAM_LOG("Options processed");
|
||||
|
||||
PAM_RETURN(PAM_IGNORE);
|
||||
}
|
||||
|
||||
PAM_EXTERN int
|
||||
pam_sm_chauthtok(pam_handle_t *pamh __unused, int flags __unused, int argc, const char **argv)
|
||||
{
|
||||
struct options options;
|
||||
|
||||
pam_std_option(&options, NULL, argc, argv);
|
||||
|
||||
PAM_LOG("Options processed");
|
||||
|
||||
PAM_RETURN(PAM_IGNORE);
|
||||
}
|
||||
|
||||
PAM_EXTERN int
|
||||
pam_sm_open_session(pam_handle_t *pamh __unused, int flags __unused, int argc, const char **argv)
|
||||
{
|
||||
struct options options;
|
||||
|
||||
pam_std_option(&options, NULL, argc, argv);
|
||||
|
||||
PAM_LOG("Options processed");
|
||||
|
||||
PAM_RETURN(PAM_IGNORE);
|
||||
}
|
||||
|
||||
PAM_EXTERN int
|
||||
pam_sm_close_session(pam_handle_t *pamh __unused, int flags __unused, int argc, const char **argv)
|
||||
{
|
||||
struct options options;
|
||||
|
||||
pam_std_option(&options, NULL, argc, argv);
|
||||
|
||||
PAM_LOG("Options processed");
|
||||
|
||||
PAM_RETURN(PAM_IGNORE);
|
||||
return (PAM_SUCCESS);
|
||||
}
|
||||
|
||||
PAM_MODULE_ENTRY("pam_opie");
|
||||
|
@ -46,108 +46,49 @@ __FBSDID("$FreeBSD$");
|
||||
#include <syslog.h>
|
||||
|
||||
#define PAM_SM_AUTH
|
||||
#define PAM_SM_ACCOUNT
|
||||
#define PAM_SM_SESSION
|
||||
#define PAM_SM_PASSWORD
|
||||
|
||||
#include <security/pam_appl.h>
|
||||
#include <security/pam_modules.h>
|
||||
#include <security/pam_mod_misc.h>
|
||||
|
||||
PAM_EXTERN int
|
||||
pam_sm_authenticate(pam_handle_t *pamh, int flags __unused, int argc, const char **argv)
|
||||
pam_sm_authenticate(pam_handle_t *pamh, int flags __unused,
|
||||
int argc __unused, const char *argv[] __unused)
|
||||
{
|
||||
struct options options;
|
||||
struct opie opie;
|
||||
struct passwd *pwent;
|
||||
char *luser, *rhost;
|
||||
int r;
|
||||
|
||||
pam_std_option(&options, NULL, argc, argv);
|
||||
|
||||
PAM_LOG("Options processed");
|
||||
|
||||
r = pam_get_item(pamh, PAM_USER, (const void **)&luser);
|
||||
if (r != PAM_SUCCESS)
|
||||
PAM_RETURN(r);
|
||||
return (r);
|
||||
if (luser == NULL)
|
||||
PAM_RETURN(PAM_SERVICE_ERR);
|
||||
return (PAM_SERVICE_ERR);
|
||||
|
||||
pwent = getpwnam(luser);
|
||||
if (pwent == NULL || opielookup(&opie, luser) != 0)
|
||||
PAM_RETURN(PAM_IGNORE);
|
||||
|
||||
return (PAM_IGNORE);
|
||||
|
||||
r = pam_get_item(pamh, PAM_RHOST, (const void **)&rhost);
|
||||
if (r != PAM_SUCCESS)
|
||||
PAM_RETURN(r);
|
||||
|
||||
return (r);
|
||||
|
||||
if ((rhost == NULL || opieaccessfile(rhost)) &&
|
||||
opiealways(pwent->pw_dir) != 0)
|
||||
PAM_RETURN(PAM_IGNORE);
|
||||
|
||||
return (PAM_IGNORE);
|
||||
|
||||
PAM_VERBOSE_ERROR("Refused; remote host is not in opieaccess");
|
||||
|
||||
PAM_RETURN(PAM_AUTH_ERR);
|
||||
return (PAM_AUTH_ERR);
|
||||
}
|
||||
|
||||
PAM_EXTERN int
|
||||
pam_sm_setcred(pam_handle_t *pamh __unused, int flags __unused, int argc, const char **argv)
|
||||
pam_sm_setcred(pam_handle_t *pamh __unused, int flags __unused,
|
||||
int argc __unused, const char *argv[] __unused)
|
||||
{
|
||||
struct options options;
|
||||
|
||||
pam_std_option(&options, NULL, argc, argv);
|
||||
|
||||
PAM_LOG("Options processed");
|
||||
|
||||
PAM_RETURN(PAM_SUCCESS);
|
||||
}
|
||||
|
||||
PAM_EXTERN int
|
||||
pam_sm_acct_mgmt(pam_handle_t *pamh __unused, int flags __unused, int argc ,const char **argv)
|
||||
{
|
||||
struct options options;
|
||||
|
||||
pam_std_option(&options, NULL, argc, argv);
|
||||
|
||||
PAM_LOG("Options processed");
|
||||
|
||||
PAM_RETURN(PAM_IGNORE);
|
||||
}
|
||||
|
||||
PAM_EXTERN int
|
||||
pam_sm_chauthtok(pam_handle_t *pamh __unused, int flags __unused, int argc, const char **argv)
|
||||
{
|
||||
struct options options;
|
||||
|
||||
pam_std_option(&options, NULL, argc, argv);
|
||||
|
||||
PAM_LOG("Options processed");
|
||||
|
||||
PAM_RETURN(PAM_IGNORE);
|
||||
}
|
||||
|
||||
PAM_EXTERN int
|
||||
pam_sm_open_session(pam_handle_t *pamh __unused, int flags __unused, int argc, const char **argv)
|
||||
{
|
||||
struct options options;
|
||||
|
||||
pam_std_option(&options, NULL, argc, argv);
|
||||
|
||||
PAM_LOG("Options processed");
|
||||
|
||||
PAM_RETURN(PAM_IGNORE);
|
||||
}
|
||||
|
||||
PAM_EXTERN int
|
||||
pam_sm_close_session(pam_handle_t *pamh __unused, int flags __unused, int argc, const char **argv)
|
||||
{
|
||||
struct options options;
|
||||
|
||||
pam_std_option(&options, NULL, argc, argv);
|
||||
|
||||
PAM_LOG("Options processed");
|
||||
|
||||
PAM_RETURN(PAM_IGNORE);
|
||||
return (PAM_SUCCESS);
|
||||
}
|
||||
|
||||
PAM_MODULE_ENTRY("pam_opieaccess");
|
||||
|
@ -36,94 +36,58 @@ __FBSDID("$FreeBSD$");
|
||||
|
||||
#include <security/pam_appl.h>
|
||||
#include <security/pam_modules.h>
|
||||
#include <security/pam_mod_misc.h>
|
||||
|
||||
#define NOBODY "nobody"
|
||||
|
||||
PAM_EXTERN int
|
||||
pam_sm_authenticate(pam_handle_t *pamh, int flags __unused, int argc, const char **argv)
|
||||
pam_sm_authenticate(pam_handle_t *pamh, int flags __unused,
|
||||
int argc __unused, const char *argv[] __unused)
|
||||
{
|
||||
struct options options;
|
||||
int retval;
|
||||
const char *user;
|
||||
int r;
|
||||
|
||||
pam_std_option(&options, NULL, argc, argv);
|
||||
if ((r = pam_get_user(pamh, &user, NULL)) != PAM_SUCCESS)
|
||||
return (r);
|
||||
|
||||
PAM_LOG("Options processed");
|
||||
|
||||
/* We always need to know who the user is */
|
||||
user = NULL;
|
||||
retval = pam_get_user(pamh, &user, NULL);
|
||||
if (retval != PAM_SUCCESS)
|
||||
PAM_RETURN(retval);
|
||||
|
||||
PAM_LOG("Got user: %s", user);
|
||||
|
||||
if (user == NULL || *user == '\0')
|
||||
pam_set_item(pamh, PAM_USER, (const void *)NOBODY);
|
||||
user = NULL;
|
||||
|
||||
PAM_RETURN(PAM_SUCCESS);
|
||||
return (PAM_SUCCESS);
|
||||
}
|
||||
|
||||
PAM_EXTERN int
|
||||
pam_sm_setcred(pam_handle_t *pamh __unused, int flags __unused, int argc, const char **argv)
|
||||
pam_sm_setcred(pam_handle_t *pamh __unused, int flags __unused,
|
||||
int argc __unused, const char *argv[] __unused)
|
||||
{
|
||||
struct options options;
|
||||
|
||||
pam_std_option(&options, NULL, argc, argv);
|
||||
|
||||
PAM_LOG("Options processed");
|
||||
|
||||
PAM_RETURN(PAM_SUCCESS);
|
||||
return (PAM_SUCCESS);
|
||||
}
|
||||
|
||||
PAM_EXTERN int
|
||||
pam_sm_acct_mgmt(pam_handle_t *pamh __unused, int flags __unused, int argc ,const char **argv)
|
||||
pam_sm_acct_mgmt(pam_handle_t *pamh __unused, int flags __unused,
|
||||
int argc __unused, const char *argv[] __unused)
|
||||
{
|
||||
struct options options;
|
||||
|
||||
pam_std_option(&options, NULL, argc, argv);
|
||||
|
||||
PAM_LOG("Options processed");
|
||||
|
||||
PAM_RETURN(PAM_SUCCESS);
|
||||
return (PAM_SUCCESS);
|
||||
}
|
||||
|
||||
PAM_EXTERN int
|
||||
pam_sm_chauthtok(pam_handle_t *pamh __unused, int flags __unused, int argc, const char **argv)
|
||||
pam_sm_chauthtok(pam_handle_t *pamh __unused, int flags __unused,
|
||||
int argc __unused, const char *argv[] __unused)
|
||||
{
|
||||
struct options options;
|
||||
|
||||
pam_std_option(&options, NULL, argc, argv);
|
||||
|
||||
PAM_LOG("Options processed");
|
||||
|
||||
PAM_RETURN(PAM_SUCCESS);
|
||||
return (PAM_SUCCESS);
|
||||
}
|
||||
|
||||
PAM_EXTERN int
|
||||
pam_sm_open_session(pam_handle_t *pamh __unused, int flags __unused, int argc, const char **argv)
|
||||
pam_sm_open_session(pam_handle_t *pamh __unused, int flags __unused,
|
||||
int argc __unused, const char *argv[] __unused)
|
||||
{
|
||||
struct options options;
|
||||
|
||||
pam_std_option(&options, NULL, argc, argv);
|
||||
|
||||
PAM_LOG("Options processed");
|
||||
|
||||
PAM_RETURN(PAM_SUCCESS);
|
||||
return (PAM_SUCCESS);
|
||||
}
|
||||
|
||||
PAM_EXTERN int
|
||||
pam_sm_close_session(pam_handle_t *pamh __unused, int flags __unused, int argc, const char **argv)
|
||||
pam_sm_close_session(pam_handle_t *pamh __unused, int flags __unused,
|
||||
int argc __unused, const char *argv[] __unused)
|
||||
{
|
||||
struct options options;
|
||||
|
||||
pam_std_option(&options, NULL, argc, argv);
|
||||
|
||||
PAM_LOG("Options processed");
|
||||
|
||||
PAM_RETURN(PAM_SUCCESS);
|
||||
return (PAM_SUCCESS);
|
||||
}
|
||||
|
||||
PAM_MODULE_ENTRY("pam_permit");
|
||||
|
@ -46,15 +46,15 @@ __FBSDID("$FreeBSD$");
|
||||
#include <unistd.h>
|
||||
|
||||
#define PAM_SM_AUTH
|
||||
#define PAM_SM_ACCOUNT
|
||||
#define PAM_SM_SESSION
|
||||
#define PAM_SM_PASSWORD
|
||||
|
||||
#include <security/pam_appl.h>
|
||||
#include <security/pam_modules.h>
|
||||
#include <security/pam_mod_misc.h>
|
||||
|
||||
enum { PAM_OPT_CONF=PAM_OPT_STD_MAX, PAM_OPT_TEMPLATE_USER };
|
||||
enum {
|
||||
PAM_OPT_CONF = PAM_OPT_STD_MAX,
|
||||
PAM_OPT_TEMPLATE_USER
|
||||
};
|
||||
|
||||
static struct opttab other_options[] = {
|
||||
{ "conf", PAM_OPT_CONF },
|
||||
@ -83,7 +83,7 @@ build_access_request(struct rad_handle *radh, const char *user,
|
||||
|
||||
if (rad_create_request(radh, RAD_ACCESS_REQUEST) == -1) {
|
||||
syslog(LOG_CRIT, "rad_create_request: %s", rad_strerror(radh));
|
||||
return -1;
|
||||
return (-1);
|
||||
}
|
||||
if ((user != NULL &&
|
||||
rad_put_string(radh, RAD_USER_NAME, user) == -1) ||
|
||||
@ -92,18 +92,18 @@ build_access_request(struct rad_handle *radh, const char *user,
|
||||
(gethostname(host, sizeof host) != -1 &&
|
||||
rad_put_string(radh, RAD_NAS_IDENTIFIER, host) == -1)) {
|
||||
syslog(LOG_CRIT, "rad_put_string: %s", rad_strerror(radh));
|
||||
return -1;
|
||||
return (-1);
|
||||
}
|
||||
if (state != NULL && rad_put_attr(radh, RAD_STATE, state,
|
||||
state_len) == -1) {
|
||||
syslog(LOG_CRIT, "rad_put_attr: %s", rad_strerror(radh));
|
||||
return -1;
|
||||
return (-1);
|
||||
}
|
||||
if (rad_put_int(radh, RAD_SERVICE_TYPE, RAD_AUTHENTICATE_ONLY) == -1) {
|
||||
syslog(LOG_CRIT, "rad_put_int: %s", rad_strerror(radh));
|
||||
return -1;
|
||||
return (-1);
|
||||
}
|
||||
return 0;
|
||||
return (0);
|
||||
}
|
||||
|
||||
static int
|
||||
@ -120,7 +120,7 @@ do_accept(pam_handle_t *pamh, struct rad_handle *radh)
|
||||
if (s == NULL) {
|
||||
syslog(LOG_CRIT,
|
||||
"rad_cvt_string: out of memory");
|
||||
return -1;
|
||||
return (-1);
|
||||
}
|
||||
pam_set_item(pamh, PAM_USER, s);
|
||||
free(s);
|
||||
@ -128,9 +128,9 @@ do_accept(pam_handle_t *pamh, struct rad_handle *radh)
|
||||
}
|
||||
if (attrtype == -1) {
|
||||
syslog(LOG_CRIT, "rad_get_attr: %s", rad_strerror(radh));
|
||||
return -1;
|
||||
return (-1);
|
||||
}
|
||||
return 0;
|
||||
return (0);
|
||||
}
|
||||
|
||||
static int
|
||||
@ -164,13 +164,13 @@ do_challenge(pam_handle_t *pamh, struct rad_handle *radh, const char *user)
|
||||
if (num_msgs >= MAX_CHALLENGE_MSGS) {
|
||||
syslog(LOG_CRIT,
|
||||
"Too many RADIUS challenge messages");
|
||||
return PAM_SERVICE_ERR;
|
||||
return (PAM_SERVICE_ERR);
|
||||
}
|
||||
msgs[num_msgs].msg = rad_cvt_string(attrval, attrlen);
|
||||
if (msgs[num_msgs].msg == NULL) {
|
||||
syslog(LOG_CRIT,
|
||||
"rad_cvt_string: out of memory");
|
||||
return PAM_SERVICE_ERR;
|
||||
return (PAM_SERVICE_ERR);
|
||||
}
|
||||
msgs[num_msgs].msg_style = PAM_TEXT_INFO;
|
||||
msg_ptrs[num_msgs] = &msgs[num_msgs];
|
||||
@ -180,13 +180,13 @@ do_challenge(pam_handle_t *pamh, struct rad_handle *radh, const char *user)
|
||||
}
|
||||
if (attrtype == -1) {
|
||||
syslog(LOG_CRIT, "rad_get_attr: %s", rad_strerror(radh));
|
||||
return PAM_SERVICE_ERR;
|
||||
return (PAM_SERVICE_ERR);
|
||||
}
|
||||
if (num_msgs == 0) {
|
||||
msgs[num_msgs].msg = strdup("(null RADIUS challenge): ");
|
||||
if (msgs[num_msgs].msg == NULL) {
|
||||
syslog(LOG_CRIT, "Out of memory");
|
||||
return PAM_SERVICE_ERR;
|
||||
return (PAM_SERVICE_ERR);
|
||||
}
|
||||
msgs[num_msgs].msg_style = PAM_TEXT_INFO;
|
||||
msg_ptrs[num_msgs] = &msgs[num_msgs];
|
||||
@ -195,25 +195,26 @@ do_challenge(pam_handle_t *pamh, struct rad_handle *radh, const char *user)
|
||||
msgs[num_msgs-1].msg_style = PAM_PROMPT_ECHO_ON;
|
||||
if ((retval = pam_get_item(pamh, PAM_CONV, &item)) != PAM_SUCCESS) {
|
||||
syslog(LOG_CRIT, "do_challenge: cannot get PAM_CONV");
|
||||
return retval;
|
||||
return (retval);
|
||||
}
|
||||
conv = (const struct pam_conv *)item;
|
||||
if ((retval = conv->conv(num_msgs, msg_ptrs, &resp,
|
||||
conv->appdata_ptr)) != PAM_SUCCESS)
|
||||
return retval;
|
||||
return (retval);
|
||||
if (build_access_request(radh, user, resp[num_msgs-1].resp, state,
|
||||
statelen) == -1)
|
||||
return PAM_SERVICE_ERR;
|
||||
return (PAM_SERVICE_ERR);
|
||||
memset(resp[num_msgs-1].resp, 0, strlen(resp[num_msgs-1].resp));
|
||||
free(resp[num_msgs-1].resp);
|
||||
free(resp);
|
||||
while (num_msgs > 0)
|
||||
free(msgs[--num_msgs].msg);
|
||||
return PAM_SUCCESS;
|
||||
return (PAM_SUCCESS);
|
||||
}
|
||||
|
||||
PAM_EXTERN int
|
||||
pam_sm_authenticate(pam_handle_t *pamh, int flags __unused, int argc, const char **argv)
|
||||
pam_sm_authenticate(pam_handle_t *pamh, int flags __unused,
|
||||
int argc, const char *argv[])
|
||||
{
|
||||
struct options options;
|
||||
struct rad_handle *radh;
|
||||
@ -233,20 +234,20 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags __unused, int argc, const char
|
||||
|
||||
retval = pam_get_user(pamh, &user, NULL);
|
||||
if (retval != PAM_SUCCESS)
|
||||
PAM_RETURN(retval);
|
||||
return (retval);
|
||||
|
||||
PAM_LOG("Got user: %s", user);
|
||||
|
||||
retval = pam_get_authtok(pamh, PAM_AUTHTOK, &pass, PASSWORD_PROMPT);
|
||||
if (retval != PAM_SUCCESS)
|
||||
PAM_RETURN(retval);
|
||||
return (retval);
|
||||
|
||||
PAM_LOG("Got password");
|
||||
|
||||
radh = rad_open();
|
||||
if (radh == NULL) {
|
||||
syslog(LOG_CRIT, "rad_open failed");
|
||||
PAM_RETURN(PAM_SERVICE_ERR);
|
||||
return (PAM_SERVICE_ERR);
|
||||
}
|
||||
|
||||
PAM_LOG("Radius opened");
|
||||
@ -254,14 +255,14 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags __unused, int argc, const char
|
||||
if (rad_config(radh, conf_file) == -1) {
|
||||
syslog(LOG_ALERT, "rad_config: %s", rad_strerror(radh));
|
||||
rad_close(radh);
|
||||
PAM_RETURN(PAM_SERVICE_ERR);
|
||||
return (PAM_SERVICE_ERR);
|
||||
}
|
||||
|
||||
PAM_LOG("Radius config file read");
|
||||
|
||||
if (build_access_request(radh, user, pass, NULL, 0) == -1) {
|
||||
rad_close(radh);
|
||||
PAM_RETURN(PAM_SERVICE_ERR);
|
||||
return (PAM_SERVICE_ERR);
|
||||
}
|
||||
|
||||
PAM_LOG("Radius build access done");
|
||||
@ -273,7 +274,7 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags __unused, int argc, const char
|
||||
e = do_accept(pamh, radh);
|
||||
rad_close(radh);
|
||||
if (e == -1)
|
||||
PAM_RETURN(PAM_SERVICE_ERR);
|
||||
return (PAM_SERVICE_ERR);
|
||||
if (template_user != NULL) {
|
||||
|
||||
PAM_LOG("Trying template user: %s",
|
||||
@ -288,7 +289,7 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags __unused, int argc, const char
|
||||
retval = pam_get_item(pamh, PAM_USER,
|
||||
(const void **)&tmpuser);
|
||||
if (retval != PAM_SUCCESS)
|
||||
PAM_RETURN(retval);
|
||||
return (retval);
|
||||
if (getpwnam(tmpuser) == NULL) {
|
||||
pam_set_item(pamh, PAM_USER,
|
||||
template_user);
|
||||
@ -296,18 +297,18 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags __unused, int argc, const char
|
||||
}
|
||||
|
||||
}
|
||||
PAM_RETURN(PAM_SUCCESS);
|
||||
return (PAM_SUCCESS);
|
||||
|
||||
case RAD_ACCESS_REJECT:
|
||||
rad_close(radh);
|
||||
PAM_VERBOSE_ERROR("Radius rejection");
|
||||
PAM_RETURN(PAM_AUTH_ERR);
|
||||
return (PAM_AUTH_ERR);
|
||||
|
||||
case RAD_ACCESS_CHALLENGE:
|
||||
retval = do_challenge(pamh, radh, user);
|
||||
if (retval != PAM_SUCCESS) {
|
||||
rad_close(radh);
|
||||
PAM_RETURN(retval);
|
||||
return (retval);
|
||||
}
|
||||
break;
|
||||
|
||||
@ -316,76 +317,24 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags __unused, int argc, const char
|
||||
rad_strerror(radh));
|
||||
rad_close(radh);
|
||||
PAM_VERBOSE_ERROR("Radius failure");
|
||||
PAM_RETURN(PAM_AUTHINFO_UNAVAIL);
|
||||
return (PAM_AUTHINFO_UNAVAIL);
|
||||
|
||||
default:
|
||||
syslog(LOG_CRIT,
|
||||
"rad_send_request: unexpected return value");
|
||||
rad_close(radh);
|
||||
PAM_VERBOSE_ERROR("Radius error");
|
||||
PAM_RETURN(PAM_SERVICE_ERR);
|
||||
return (PAM_SERVICE_ERR);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
PAM_EXTERN int
|
||||
pam_sm_setcred(pam_handle_t *pamh __unused, int flags __unused, int argc, const char **argv)
|
||||
pam_sm_setcred(pam_handle_t *pamh __unused, int flags __unused,
|
||||
int argc __unused, const char *argv[] __unused)
|
||||
{
|
||||
struct options options;
|
||||
|
||||
pam_std_option(&options, NULL, argc, argv);
|
||||
|
||||
PAM_LOG("Options processed");
|
||||
|
||||
PAM_RETURN(PAM_SUCCESS);
|
||||
}
|
||||
|
||||
PAM_EXTERN int
|
||||
pam_sm_acct_mgmt(pam_handle_t *pamh __unused, int flags __unused, int argc ,const char **argv)
|
||||
{
|
||||
struct options options;
|
||||
|
||||
pam_std_option(&options, NULL, argc, argv);
|
||||
|
||||
PAM_LOG("Options processed");
|
||||
|
||||
PAM_RETURN(PAM_IGNORE);
|
||||
}
|
||||
|
||||
PAM_EXTERN int
|
||||
pam_sm_chauthtok(pam_handle_t *pamh __unused, int flags __unused, int argc, const char **argv)
|
||||
{
|
||||
struct options options;
|
||||
|
||||
pam_std_option(&options, NULL, argc, argv);
|
||||
|
||||
PAM_LOG("Options processed");
|
||||
|
||||
PAM_RETURN(PAM_IGNORE);
|
||||
}
|
||||
|
||||
PAM_EXTERN int
|
||||
pam_sm_open_session(pam_handle_t *pamh __unused, int flags __unused, int argc, const char **argv)
|
||||
{
|
||||
struct options options;
|
||||
|
||||
pam_std_option(&options, NULL, argc, argv);
|
||||
|
||||
PAM_LOG("Options processed");
|
||||
|
||||
PAM_RETURN(PAM_IGNORE);
|
||||
}
|
||||
|
||||
PAM_EXTERN int
|
||||
pam_sm_close_session(pam_handle_t *pamh __unused, int flags __unused, int argc, const char **argv)
|
||||
{
|
||||
struct options options;
|
||||
|
||||
pam_std_option(&options, NULL, argc, argv);
|
||||
|
||||
PAM_LOG("Options processed");
|
||||
|
||||
PAM_RETURN(PAM_IGNORE);
|
||||
return (PAM_SUCCESS);
|
||||
}
|
||||
|
||||
PAM_MODULE_ENTRY("pam_radius");
|
||||
|
@ -43,90 +43,31 @@ __FBSDID("$FreeBSD$");
|
||||
#include <syslog.h>
|
||||
|
||||
#define PAM_SM_AUTH
|
||||
#define PAM_SM_ACCOUNT
|
||||
#define PAM_SM_SESSION
|
||||
#define PAM_SM_PASSWORD
|
||||
|
||||
#include <security/pam_appl.h>
|
||||
#include <security/pam_modules.h>
|
||||
#include <security/pam_mod_misc.h>
|
||||
|
||||
PAM_EXTERN int
|
||||
pam_sm_authenticate(pam_handle_t *pamh, int flags __unused, int argc, const char **argv)
|
||||
pam_sm_authenticate(pam_handle_t *pamh, int flags __unused,
|
||||
int argc __unused, const char *argv[] __unused)
|
||||
{
|
||||
struct options options;
|
||||
|
||||
pam_std_option(&options, NULL, argc, argv);
|
||||
|
||||
PAM_LOG("Options processed");
|
||||
|
||||
if (getuid() == 0)
|
||||
PAM_RETURN(PAM_SUCCESS);
|
||||
return (PAM_SUCCESS);
|
||||
|
||||
PAM_VERBOSE_ERROR("Refused; not superuser");
|
||||
PAM_LOG("User is not superuser");
|
||||
|
||||
PAM_RETURN(PAM_AUTH_ERR);
|
||||
return (PAM_AUTH_ERR);
|
||||
}
|
||||
|
||||
PAM_EXTERN int
|
||||
pam_sm_setcred(pam_handle_t *pamh __unused, int flags __unused, int argc, const char **argv)
|
||||
pam_sm_setcred(pam_handle_t *pamh __unused, int flags __unused,
|
||||
int argc __unused, const char *argv[] __unused)
|
||||
{
|
||||
struct options options;
|
||||
|
||||
pam_std_option(&options, NULL, argc, argv);
|
||||
|
||||
PAM_LOG("Options processed");
|
||||
|
||||
PAM_RETURN(PAM_SUCCESS);
|
||||
}
|
||||
|
||||
PAM_EXTERN int
|
||||
pam_sm_acct_mgmt(pam_handle_t *pamh __unused, int flags __unused, int argc ,const char **argv)
|
||||
{
|
||||
struct options options;
|
||||
|
||||
pam_std_option(&options, NULL, argc, argv);
|
||||
|
||||
PAM_LOG("Options processed");
|
||||
|
||||
PAM_RETURN(PAM_IGNORE);
|
||||
}
|
||||
|
||||
PAM_EXTERN int
|
||||
pam_sm_chauthtok(pam_handle_t *pamh __unused, int flags __unused, int argc, const char **argv)
|
||||
{
|
||||
struct options options;
|
||||
|
||||
pam_std_option(&options, NULL, argc, argv);
|
||||
|
||||
PAM_LOG("Options processed");
|
||||
|
||||
PAM_RETURN(PAM_IGNORE);
|
||||
}
|
||||
|
||||
PAM_EXTERN int
|
||||
pam_sm_open_session(pam_handle_t *pamh __unused, int flags __unused, int argc, const char **argv)
|
||||
{
|
||||
struct options options;
|
||||
|
||||
pam_std_option(&options, NULL, argc, argv);
|
||||
|
||||
PAM_LOG("Options processed");
|
||||
|
||||
PAM_RETURN(PAM_IGNORE);
|
||||
}
|
||||
|
||||
PAM_EXTERN int
|
||||
pam_sm_close_session(pam_handle_t *pamh __unused, int flags __unused, int argc, const char **argv)
|
||||
{
|
||||
struct options options;
|
||||
|
||||
pam_std_option(&options, NULL, argc, argv);
|
||||
|
||||
PAM_LOG("Options processed");
|
||||
|
||||
PAM_RETURN(PAM_IGNORE);
|
||||
return (PAM_SUCCESS);
|
||||
}
|
||||
|
||||
PAM_MODULE_ENTRY("pam_rootok");
|
||||
|
@ -43,10 +43,7 @@ __FBSDID("$FreeBSD$");
|
||||
#include <ttyent.h>
|
||||
#include <string.h>
|
||||
|
||||
#define PAM_SM_AUTH
|
||||
#define PAM_SM_ACCOUNT
|
||||
#define PAM_SM_SESSION
|
||||
#define PAM_SM_PASSWORD
|
||||
|
||||
#include <security/pam_appl.h>
|
||||
#include <security/pam_modules.h>
|
||||
@ -54,59 +51,30 @@ __FBSDID("$FreeBSD$");
|
||||
|
||||
#define TTY_PREFIX "/dev/"
|
||||
|
||||
PAM_EXTERN int
|
||||
pam_sm_authenticate(pam_handle_t *pamh __unused, int flags __unused, int argc, const char **argv)
|
||||
{
|
||||
struct options options;
|
||||
|
||||
pam_std_option(&options, NULL, argc, argv);
|
||||
|
||||
PAM_LOG("Options processed");
|
||||
|
||||
PAM_RETURN(PAM_IGNORE);
|
||||
}
|
||||
|
||||
PAM_EXTERN
|
||||
int
|
||||
pam_sm_setcred(pam_handle_t *pamh __unused, int flags __unused, int argc, const char **argv)
|
||||
{
|
||||
struct options options;
|
||||
|
||||
pam_std_option(&options, NULL, argc, argv);
|
||||
|
||||
PAM_LOG("Options processed");
|
||||
|
||||
PAM_RETURN(PAM_SUCCESS);
|
||||
}
|
||||
|
||||
PAM_EXTERN int
|
||||
pam_sm_acct_mgmt(pam_handle_t *pamh __unused, int flags __unused, int argc ,const char **argv)
|
||||
pam_sm_acct_mgmt(pam_handle_t *pamh __unused, int flags __unused,
|
||||
int argc __unused, const char *argv[] __unused)
|
||||
{
|
||||
struct options options;
|
||||
struct passwd *pwd;
|
||||
struct ttyent *ty;
|
||||
const char *user, *tty;
|
||||
int pam_err;
|
||||
|
||||
pam_std_option(&options, NULL, argc, argv);
|
||||
|
||||
PAM_LOG("Options processed");
|
||||
|
||||
pam_err = pam_get_user(pamh, &user, NULL);
|
||||
if (pam_err != PAM_SUCCESS)
|
||||
PAM_RETURN(pam_err);
|
||||
return (pam_err);
|
||||
if (user == NULL || (pwd = getpwnam(user)) == NULL)
|
||||
PAM_RETURN(PAM_SERVICE_ERR);
|
||||
return (PAM_SERVICE_ERR);
|
||||
|
||||
PAM_LOG("Got user: %s", user);
|
||||
|
||||
/* If the user is not root, secure ttys do not apply */
|
||||
if (pwd->pw_uid != 0)
|
||||
PAM_RETURN(PAM_SUCCESS);
|
||||
return (PAM_SUCCESS);
|
||||
|
||||
pam_err = pam_get_item(pamh, PAM_TTY, (const void **)&tty);
|
||||
if (pam_err != PAM_SUCCESS)
|
||||
PAM_RETURN(pam_err);
|
||||
return (pam_err);
|
||||
|
||||
PAM_LOG("Got TTY: %s", tty);
|
||||
|
||||
@ -118,46 +86,10 @@ pam_sm_acct_mgmt(pam_handle_t *pamh __unused, int flags __unused, int argc ,cons
|
||||
|
||||
if (tty != NULL && (ty = getttynam(tty)) != NULL &&
|
||||
(ty->ty_status & TTY_SECURE) != 0)
|
||||
PAM_RETURN(PAM_SUCCESS);
|
||||
|
||||
return (PAM_SUCCESS);
|
||||
|
||||
PAM_VERBOSE_ERROR("Not on secure TTY");
|
||||
PAM_RETURN(PAM_AUTH_ERR);
|
||||
}
|
||||
|
||||
PAM_EXTERN int
|
||||
pam_sm_chauthtok(pam_handle_t *pamh __unused, int flags __unused, int argc, const char **argv)
|
||||
{
|
||||
struct options options;
|
||||
|
||||
pam_std_option(&options, NULL, argc, argv);
|
||||
|
||||
PAM_LOG("Options processed");
|
||||
|
||||
PAM_RETURN(PAM_IGNORE);
|
||||
}
|
||||
|
||||
PAM_EXTERN int
|
||||
pam_sm_open_session(pam_handle_t *pamh __unused, int flags __unused, int argc, const char **argv)
|
||||
{
|
||||
struct options options;
|
||||
|
||||
pam_std_option(&options, NULL, argc, argv);
|
||||
|
||||
PAM_LOG("Options processed");
|
||||
|
||||
PAM_RETURN(PAM_IGNORE);
|
||||
}
|
||||
|
||||
PAM_EXTERN int
|
||||
pam_sm_close_session(pam_handle_t *pamh __unused, int flags __unused, int argc, const char **argv)
|
||||
{
|
||||
struct options options;
|
||||
|
||||
pam_std_option(&options, NULL, argc, argv);
|
||||
|
||||
PAM_LOG("Options processed");
|
||||
|
||||
PAM_RETURN(PAM_IGNORE);
|
||||
return (PAM_AUTH_ERR);
|
||||
}
|
||||
|
||||
PAM_MODULE_ENTRY("pam_securetty");
|
||||
|
@ -44,112 +44,46 @@ __FBSDID("$FreeBSD$");
|
||||
#include <syslog.h>
|
||||
|
||||
#define PAM_SM_AUTH
|
||||
#define PAM_SM_ACCOUNT
|
||||
#define PAM_SM_SESSION
|
||||
#define PAM_SM_PASSWORD
|
||||
|
||||
#include <security/pam_appl.h>
|
||||
#include <security/pam_modules.h>
|
||||
#include <security/pam_mod_misc.h>
|
||||
|
||||
enum {
|
||||
PAM_OPT_ALLOW_ROOT = PAM_OPT_STD_MAX,
|
||||
};
|
||||
|
||||
static struct opttab other_options[] = {
|
||||
{ "allow_root", PAM_OPT_ALLOW_ROOT },
|
||||
{ NULL, 0 }
|
||||
};
|
||||
#define OPT_ALLOW_ROOT "allow_root"
|
||||
|
||||
PAM_EXTERN int
|
||||
pam_sm_authenticate(pam_handle_t *pamh, int flags __unused, int argc, const char **argv)
|
||||
pam_sm_authenticate(pam_handle_t *pamh, int flags __unused,
|
||||
int argc __unused, const char *argv[] __unused)
|
||||
{
|
||||
struct options options;
|
||||
struct passwd *pwd;
|
||||
const char *luser;
|
||||
int pam_err;
|
||||
uid_t uid;
|
||||
|
||||
pam_std_option(&options, other_options, argc, argv);
|
||||
|
||||
PAM_LOG("Options processed");
|
||||
|
||||
pam_err = pam_get_user(pamh, &luser, NULL);
|
||||
if (pam_err != PAM_SUCCESS)
|
||||
PAM_RETURN(pam_err);
|
||||
return (pam_err);
|
||||
if (luser == NULL || (pwd = getpwnam(luser)) == NULL)
|
||||
PAM_RETURN(PAM_AUTH_ERR);
|
||||
return (PAM_AUTH_ERR);
|
||||
|
||||
uid = getuid();
|
||||
if (uid == 0 && !pam_test_option(&options, PAM_OPT_ALLOW_ROOT, NULL))
|
||||
PAM_RETURN(PAM_AUTH_ERR);
|
||||
|
||||
if (uid == 0 && !openpam_get_option(pamh, OPT_ALLOW_ROOT))
|
||||
return (PAM_AUTH_ERR);
|
||||
|
||||
if (uid == (uid_t)pwd->pw_uid)
|
||||
PAM_RETURN(PAM_SUCCESS);
|
||||
|
||||
return (PAM_SUCCESS);
|
||||
|
||||
PAM_VERBOSE_ERROR("Refused; source and target users differ");
|
||||
|
||||
PAM_RETURN(PAM_AUTH_ERR);
|
||||
return (PAM_AUTH_ERR);
|
||||
}
|
||||
|
||||
PAM_EXTERN int
|
||||
pam_sm_setcred(pam_handle_t *pamh __unused, int flags __unused, int argc, const char **argv)
|
||||
pam_sm_setcred(pam_handle_t *pamh __unused, int flags __unused,
|
||||
int argc __unused, const char *argv[] __unused)
|
||||
{
|
||||
struct options options;
|
||||
|
||||
pam_std_option(&options, NULL, argc, argv);
|
||||
|
||||
PAM_LOG("Options processed");
|
||||
|
||||
PAM_RETURN(PAM_SUCCESS);
|
||||
}
|
||||
|
||||
PAM_EXTERN int
|
||||
pam_sm_acct_mgmt(pam_handle_t *pamh __unused, int flags __unused, int argc ,const char **argv)
|
||||
{
|
||||
struct options options;
|
||||
|
||||
pam_std_option(&options, NULL, argc, argv);
|
||||
|
||||
PAM_LOG("Options processed");
|
||||
|
||||
PAM_RETURN(PAM_IGNORE);
|
||||
}
|
||||
|
||||
PAM_EXTERN int
|
||||
pam_sm_chauthtok(pam_handle_t *pamh __unused, int flags __unused, int argc, const char **argv)
|
||||
{
|
||||
struct options options;
|
||||
|
||||
pam_std_option(&options, NULL, argc, argv);
|
||||
|
||||
PAM_LOG("Options processed");
|
||||
|
||||
PAM_RETURN(PAM_IGNORE);
|
||||
}
|
||||
|
||||
PAM_EXTERN int
|
||||
pam_sm_open_session(pam_handle_t *pamh __unused, int flags __unused, int argc, const char **argv)
|
||||
{
|
||||
struct options options;
|
||||
|
||||
pam_std_option(&options, NULL, argc, argv);
|
||||
|
||||
PAM_LOG("Options processed");
|
||||
|
||||
PAM_RETURN(PAM_IGNORE);
|
||||
}
|
||||
|
||||
PAM_EXTERN int
|
||||
pam_sm_close_session(pam_handle_t *pamh __unused, int flags __unused, int argc, const char **argv)
|
||||
{
|
||||
struct options options;
|
||||
|
||||
pam_std_option(&options, NULL, argc, argv);
|
||||
|
||||
PAM_LOG("Options processed");
|
||||
|
||||
PAM_RETURN(PAM_IGNORE);
|
||||
return (PAM_SUCCESS);
|
||||
}
|
||||
|
||||
PAM_MODULE_ENTRY("pam_self");
|
||||
|
@ -52,13 +52,10 @@ __FBSDID("$FreeBSD$");
|
||||
#include <unistd.h>
|
||||
|
||||
#define PAM_SM_AUTH
|
||||
#define PAM_SM_ACCOUNT
|
||||
#define PAM_SM_SESSION
|
||||
#define PAM_SM_PASSWORD
|
||||
|
||||
#include <security/pam_appl.h>
|
||||
#include <security/pam_modules.h>
|
||||
#include <security/pam_mod_misc.h>
|
||||
#include <security/openpam.h>
|
||||
|
||||
#include <openssl/dsa.h>
|
||||
@ -119,8 +116,8 @@ auth_via_key(pam_handle_t *pamh, const char *file, const char *dir,
|
||||
/* locate the user's private key file */
|
||||
|
||||
if (!asprintf(&path, "%s/%s", dir, file)) {
|
||||
openpam_log(PAM_LOG_ERROR, "%s: %m", MODULE_NAME);
|
||||
return PAM_SERVICE_ERR;
|
||||
openpam_log(PAM_LOG_ERROR, "%m");
|
||||
return (PAM_SERVICE_ERR);
|
||||
}
|
||||
|
||||
/* Try to decrypt the private key with the passphrase provided. If
|
||||
@ -128,7 +125,7 @@ auth_via_key(pam_handle_t *pamh, const char *file, const char *dir,
|
||||
|
||||
comment = NULL;
|
||||
if ((retval = openpam_borrow_cred(pamh, user)) != PAM_SUCCESS)
|
||||
return retval;
|
||||
return (retval);
|
||||
key = key_load_private(path, pass, &comment);
|
||||
openpam_restore_cred(pamh);
|
||||
free(path);
|
||||
@ -136,38 +133,38 @@ auth_via_key(pam_handle_t *pamh, const char *file, const char *dir,
|
||||
comment = strdup(file);
|
||||
if (!key) {
|
||||
free(comment);
|
||||
return PAM_AUTH_ERR;
|
||||
return (PAM_AUTH_ERR);
|
||||
}
|
||||
|
||||
/* save the key and comment to pass to ssh-agent in the session
|
||||
phase */
|
||||
|
||||
if (!asprintf(&data_name, "ssh_private_key_%d", key_idx)) {
|
||||
openpam_log(PAM_LOG_ERROR, "%s: %m", MODULE_NAME);
|
||||
openpam_log(PAM_LOG_ERROR, "%m");
|
||||
free(comment);
|
||||
return PAM_SERVICE_ERR;
|
||||
return (PAM_SERVICE_ERR);
|
||||
}
|
||||
retval = pam_set_data(pamh, data_name, key, key_cleanup);
|
||||
free(data_name);
|
||||
if (retval != PAM_SUCCESS) {
|
||||
key_free(key);
|
||||
free(comment);
|
||||
return retval;
|
||||
return (retval);
|
||||
}
|
||||
if (!asprintf(&data_name, "ssh_key_comment_%d", key_idx)) {
|
||||
openpam_log(PAM_LOG_ERROR, "%s: %m", MODULE_NAME);
|
||||
openpam_log(PAM_LOG_ERROR, "%m");
|
||||
free(comment);
|
||||
return PAM_SERVICE_ERR;
|
||||
return (PAM_SERVICE_ERR);
|
||||
}
|
||||
retval = pam_set_data(pamh, data_name, comment, ssh_cleanup);
|
||||
free(data_name);
|
||||
if (retval != PAM_SUCCESS) {
|
||||
free(comment);
|
||||
return retval;
|
||||
return (retval);
|
||||
}
|
||||
|
||||
++key_idx;
|
||||
return PAM_SUCCESS;
|
||||
return (PAM_SUCCESS);
|
||||
}
|
||||
|
||||
|
||||
@ -202,7 +199,7 @@ add_keys(pam_handle_t *pamh)
|
||||
saved = environ;
|
||||
if ((environ = pam_getenvlist(pamh)) == NULL) {
|
||||
environ = saved;
|
||||
openpam_log(PAM_LOG_ERROR, "%s: %m", MODULE_NAME);
|
||||
openpam_log(PAM_LOG_ERROR, "%m");
|
||||
return (PAM_BUF_ERR);
|
||||
}
|
||||
ac = ssh_get_authentication_connection();
|
||||
@ -212,8 +209,8 @@ add_keys(pam_handle_t *pamh)
|
||||
environ = saved;
|
||||
}
|
||||
if (!ac) {
|
||||
openpam_log(PAM_LOG_ERROR, "%s: %s: %m", MODULE_NAME, socket);
|
||||
return PAM_SESSION_ERR;
|
||||
openpam_log(PAM_LOG_ERROR, "%m");
|
||||
return (PAM_SESSION_ERR);
|
||||
}
|
||||
|
||||
/* hand off each private key to the agent */
|
||||
@ -221,18 +218,18 @@ add_keys(pam_handle_t *pamh)
|
||||
final = 0;
|
||||
for (key_idx = 0; ; key_idx++) {
|
||||
if (!asprintf(&data_name, "ssh_private_key_%d", key_idx)) {
|
||||
openpam_log(PAM_LOG_ERROR, "%s: %m", MODULE_NAME);
|
||||
openpam_log(PAM_LOG_ERROR, "%m");
|
||||
ssh_close_authentication_connection(ac);
|
||||
return PAM_SERVICE_ERR;
|
||||
return (PAM_SERVICE_ERR);
|
||||
}
|
||||
retval = pam_get_data(pamh, data_name, (const void **)&key);
|
||||
free(data_name);
|
||||
if (retval != PAM_SUCCESS)
|
||||
break;
|
||||
if (!asprintf(&data_name, "ssh_key_comment_%d", key_idx)) {
|
||||
openpam_log(PAM_LOG_ERROR, "%s: %m", MODULE_NAME);
|
||||
openpam_log(PAM_LOG_ERROR, "%m");
|
||||
ssh_close_authentication_connection(ac);
|
||||
return PAM_SERVICE_ERR;
|
||||
return (PAM_SERVICE_ERR);
|
||||
}
|
||||
retval = pam_get_data(pamh, data_name,
|
||||
(const void **)&comment);
|
||||
@ -245,19 +242,19 @@ add_keys(pam_handle_t *pamh)
|
||||
}
|
||||
ssh_close_authentication_connection(ac);
|
||||
|
||||
return final ? PAM_SUCCESS : PAM_SESSION_ERR;
|
||||
return (final ? PAM_SUCCESS : PAM_SESSION_ERR);
|
||||
}
|
||||
|
||||
|
||||
PAM_EXTERN int
|
||||
pam_sm_authenticate(pam_handle_t *pamh, int flags __unused,
|
||||
int argc, const char **argv)
|
||||
int argc __unused, const char *argv[] __unused)
|
||||
{
|
||||
int authenticated; /* user authenticated? */
|
||||
char *dotdir; /* .ssh dir name */
|
||||
char *file; /* current key file */
|
||||
char *keyfiles; /* list of key files to add */
|
||||
int options; /* options for pam_get_pass() */
|
||||
const char *kfspec; /* list of key files to add */
|
||||
char *keyfiles;
|
||||
const char *pass; /* passphrase */
|
||||
const struct passwd *pwent; /* user's passwd entry */
|
||||
struct passwd *pwent_keep; /* our own copy */
|
||||
@ -265,28 +262,27 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags __unused,
|
||||
const char *user; /* username */
|
||||
|
||||
keyfiles = NULL;
|
||||
options = 0;
|
||||
for (; argc; argc--, argv++)
|
||||
if (strncmp(*argv, OPT_KEYFILES "=", sizeof OPT_KEYFILES)
|
||||
== 0) {
|
||||
if (!(keyfiles = strchr(*argv, '=') + 1))
|
||||
return PAM_AUTH_ERR;
|
||||
} else if (strcmp(*argv, OPT_TRY_FIRST_PASS) == 0)
|
||||
options |= PAM_OPT_TRY_FIRST_PASS;
|
||||
else if (strcmp(*argv, OPT_USE_FIRST_PASS) == 0)
|
||||
options |= PAM_OPT_USE_FIRST_PASS;
|
||||
|
||||
if ((kfspec = openpam_get_option(pamh, OPT_KEYFILES)) != NULL) {
|
||||
if ((kfspec = strchr(kfspec, '=')) == NULL) {
|
||||
openpam_log(PAM_LOG_ERROR, "invalid keyfile list");
|
||||
return (PAM_SERVICE_ERR);
|
||||
}
|
||||
++kfspec;
|
||||
} else {
|
||||
kfspec = DEF_KEYFILES;
|
||||
}
|
||||
|
||||
if ((retval = pam_get_user(pamh, &user, NULL)) != PAM_SUCCESS)
|
||||
return retval;
|
||||
if (!((pwent = getpwnam(user)) && pwent->pw_dir))
|
||||
return PAM_AUTH_ERR;
|
||||
return (retval);
|
||||
if (user == NULL || (pwent = getpwnam(user)) == NULL ||
|
||||
pwent->pw_dir == NULL || pwent->pw_dir[0] == '\0')
|
||||
return (PAM_AUTH_ERR);
|
||||
|
||||
/* pass prompt message to application and receive passphrase */
|
||||
|
||||
retval = pam_get_authtok(pamh, PAM_AUTHTOK, &pass, NEED_PASSPHRASE);
|
||||
if (retval != PAM_SUCCESS)
|
||||
return retval;
|
||||
return (retval);
|
||||
|
||||
OpenSSL_add_all_algorithms(); /* required for DSA */
|
||||
|
||||
@ -295,50 +291,51 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags __unused,
|
||||
session phase */
|
||||
|
||||
if (!asprintf(&dotdir, "%s/%s", pwent->pw_dir, SSH_CLIENT_DIR)) {
|
||||
openpam_log(PAM_LOG_ERROR, "%s: %m", MODULE_NAME);
|
||||
return PAM_SERVICE_ERR;
|
||||
openpam_log(PAM_LOG_ERROR, "%m");
|
||||
return (PAM_SERVICE_ERR);
|
||||
}
|
||||
authenticated = 0;
|
||||
keyfiles = strdup(keyfiles ? keyfiles : DEF_KEYFILES);
|
||||
keyfiles = strdup(kfspec);
|
||||
for (file = strtok(keyfiles, SEP_KEYFILES); file;
|
||||
file = strtok(NULL, SEP_KEYFILES))
|
||||
if (auth_via_key(pamh, file, dotdir, pwent, pass) ==
|
||||
PAM_SUCCESS)
|
||||
authenticated++;
|
||||
free(dotdir);
|
||||
free(keyfiles);
|
||||
free(dotdir);
|
||||
if (!authenticated)
|
||||
return PAM_AUTH_ERR;
|
||||
return (PAM_AUTH_ERR);
|
||||
|
||||
/* copy the passwd entry (in case successive calls are made) and
|
||||
save it for the session phase */
|
||||
|
||||
if (!(pwent_keep = malloc(sizeof *pwent))) {
|
||||
openpam_log(PAM_LOG_ERROR, "%m");
|
||||
return PAM_SERVICE_ERR;
|
||||
return (PAM_SERVICE_ERR);
|
||||
}
|
||||
(void) memcpy(pwent_keep, pwent, sizeof *pwent_keep);
|
||||
if ((retval = pam_set_data(pamh, "ssh_passwd_entry", pwent_keep,
|
||||
ssh_cleanup)) != PAM_SUCCESS) {
|
||||
free(pwent_keep);
|
||||
return retval;
|
||||
return (retval);
|
||||
}
|
||||
|
||||
return PAM_SUCCESS;
|
||||
return (PAM_SUCCESS);
|
||||
}
|
||||
|
||||
|
||||
PAM_EXTERN int
|
||||
pam_sm_setcred(pam_handle_t *pamh __unused, int flags __unused,
|
||||
int argc __unused, const char **argv __unused)
|
||||
int argc __unused, const char *argv[] __unused)
|
||||
{
|
||||
return PAM_SUCCESS;
|
||||
|
||||
return (PAM_SUCCESS);
|
||||
}
|
||||
|
||||
|
||||
PAM_EXTERN int
|
||||
pam_sm_open_session(pam_handle_t *pamh, int flags __unused,
|
||||
int argc __unused, const char **argv __unused)
|
||||
int argc __unused, const char *argv[] __unused)
|
||||
{
|
||||
char *agent_socket; /* agent socket */
|
||||
char *env_end; /* end of env */
|
||||
@ -359,7 +356,7 @@ pam_sm_open_session(pam_handle_t *pamh, int flags __unused,
|
||||
/* dump output of ssh-agent in ~/.ssh */
|
||||
if ((retval = pam_get_data(pamh, "ssh_passwd_entry",
|
||||
(const void **)&pwent)) != PAM_SUCCESS)
|
||||
return retval;
|
||||
return (retval);
|
||||
|
||||
/*
|
||||
* Use reference counts to limit agents to one per user per host.
|
||||
@ -379,8 +376,8 @@ pam_sm_open_session(pam_handle_t *pamh, int flags __unused,
|
||||
(void) gethostname(hname, sizeof hname);
|
||||
if (asprintf(&per_agent, "%s/.ssh/agent-%s", pwent->pw_dir, hname)
|
||||
== -1) {
|
||||
openpam_log(PAM_LOG_ERROR, "%s: %m", MODULE_NAME);
|
||||
return PAM_SERVICE_ERR;
|
||||
openpam_log(PAM_LOG_ERROR, "%m");
|
||||
return (PAM_SERVICE_ERR);
|
||||
}
|
||||
|
||||
/* save the per-agent filename in case we want to delete it on
|
||||
@ -389,14 +386,14 @@ pam_sm_open_session(pam_handle_t *pamh, int flags __unused,
|
||||
if ((retval = pam_set_data(pamh, "ssh_agent_env_agent", per_agent,
|
||||
ssh_cleanup)) != PAM_SUCCESS) {
|
||||
free(per_agent);
|
||||
return retval;
|
||||
return (retval);
|
||||
}
|
||||
|
||||
/* take on the user's privileges for writing files and starting the
|
||||
agent */
|
||||
|
||||
if ((retval = openpam_borrow_cred(pamh, pwent)) != PAM_SUCCESS)
|
||||
return retval;
|
||||
return (retval);
|
||||
|
||||
/* Try to create the per-agent file or open it for reading if it
|
||||
exists. If we can't do either, we won't try to link a
|
||||
@ -416,11 +413,10 @@ pam_sm_open_session(pam_handle_t *pamh, int flags __unused,
|
||||
env_read = popen(SSH_AGENT, "r");
|
||||
openpam_restore_cred(pamh);
|
||||
if (!env_read) {
|
||||
openpam_log(PAM_LOG_ERROR, "%s: %s: %m", MODULE_NAME,
|
||||
SSH_AGENT);
|
||||
openpam_log(PAM_LOG_ERROR, "%s: %m", SSH_AGENT);
|
||||
if (env_write >= 0)
|
||||
(void) close(env_write);
|
||||
return PAM_SESSION_ERR;
|
||||
return (PAM_SESSION_ERR);
|
||||
}
|
||||
}
|
||||
|
||||
@ -451,7 +447,7 @@ pam_sm_open_session(pam_handle_t *pamh, int flags __unused,
|
||||
(void) close(env_write);
|
||||
if (agent_socket)
|
||||
free(agent_socket);
|
||||
return PAM_SERVICE_ERR;
|
||||
return (PAM_SERVICE_ERR);
|
||||
}
|
||||
|
||||
*env_value++ = '\0';
|
||||
@ -463,7 +459,7 @@ pam_sm_open_session(pam_handle_t *pamh, int flags __unused,
|
||||
if (strcmp(&env_string[strlen(env_string) -
|
||||
strlen(ENV_SOCKET_SUFFIX)], ENV_SOCKET_SUFFIX) == 0 &&
|
||||
!(agent_socket = strdup(env_value))) {
|
||||
openpam_log(PAM_LOG_ERROR, "%s: %m", MODULE_NAME);
|
||||
openpam_log(PAM_LOG_ERROR, "%m");
|
||||
if (start_agent)
|
||||
(void) pclose(env_read);
|
||||
else
|
||||
@ -472,7 +468,7 @@ pam_sm_open_session(pam_handle_t *pamh, int flags __unused,
|
||||
(void) close(env_write);
|
||||
if (agent_socket)
|
||||
free(agent_socket);
|
||||
return PAM_SERVICE_ERR;
|
||||
return (PAM_SERVICE_ERR);
|
||||
} else if (strcmp(&env_string[strlen(env_string) -
|
||||
strlen(ENV_PID_SUFFIX)], ENV_PID_SUFFIX) == 0 &&
|
||||
((agent_pid = strdup(env_value)) == NULL ||
|
||||
@ -488,7 +484,7 @@ pam_sm_open_session(pam_handle_t *pamh, int flags __unused,
|
||||
free(agent_socket);
|
||||
if (agent_pid)
|
||||
free(agent_pid);
|
||||
return retval;
|
||||
return (retval);
|
||||
}
|
||||
|
||||
}
|
||||
@ -498,56 +494,54 @@ pam_sm_open_session(pam_handle_t *pamh, int flags __unused,
|
||||
if (start_agent) {
|
||||
switch (retval = pclose(env_read)) {
|
||||
case -1:
|
||||
openpam_log(PAM_LOG_ERROR, "%s: %s: %m", MODULE_NAME,
|
||||
SSH_AGENT);
|
||||
openpam_log(PAM_LOG_ERROR, "%s: %m", SSH_AGENT);
|
||||
if (agent_socket)
|
||||
free(agent_socket);
|
||||
return PAM_SESSION_ERR;
|
||||
return (PAM_SESSION_ERR);
|
||||
case 0:
|
||||
break;
|
||||
case 127:
|
||||
openpam_log(PAM_LOG_ERROR, "%s: cannot execute %s",
|
||||
MODULE_NAME, SSH_AGENT);
|
||||
openpam_log(PAM_LOG_ERROR, "cannot execute %s",
|
||||
SSH_AGENT);
|
||||
if (agent_socket)
|
||||
free(agent_socket);
|
||||
return PAM_SESSION_ERR;
|
||||
return (PAM_SESSION_ERR);
|
||||
default:
|
||||
openpam_log(PAM_LOG_ERROR, "%s: %s exited %s %d",
|
||||
MODULE_NAME,
|
||||
openpam_log(PAM_LOG_ERROR, "%s exited %s %d",
|
||||
SSH_AGENT, WIFSIGNALED(retval) ? "on signal" :
|
||||
"with status", WIFSIGNALED(retval) ?
|
||||
WTERMSIG(retval) : WEXITSTATUS(retval));
|
||||
if (agent_socket)
|
||||
free(agent_socket);
|
||||
return PAM_SESSION_ERR;
|
||||
return (PAM_SESSION_ERR);
|
||||
}
|
||||
} else
|
||||
(void) fclose(env_read);
|
||||
|
||||
if (!agent_socket)
|
||||
return PAM_SESSION_ERR;
|
||||
return (PAM_SESSION_ERR);
|
||||
|
||||
if (start_agent && (retval = add_keys(pamh))
|
||||
!= PAM_SUCCESS)
|
||||
return retval;
|
||||
return (retval);
|
||||
free(agent_socket);
|
||||
|
||||
/* if we couldn't access the per-agent file, don't link a
|
||||
per-session filename to it */
|
||||
|
||||
if (no_link)
|
||||
return PAM_SUCCESS;
|
||||
return (PAM_SUCCESS);
|
||||
|
||||
/* the per-session file contains the display name or tty name as
|
||||
well as the hostname */
|
||||
|
||||
if ((retval = pam_get_item(pamh, PAM_TTY, (const void **)&tty))
|
||||
!= PAM_SUCCESS)
|
||||
return retval;
|
||||
return (retval);
|
||||
if (asprintf(&per_session, "%s/.ssh/agent-%s-%s", pwent->pw_dir,
|
||||
hname, tty) == -1) {
|
||||
openpam_log(PAM_LOG_ERROR, "%s: %m", MODULE_NAME);
|
||||
return PAM_SERVICE_ERR;
|
||||
openpam_log(PAM_LOG_ERROR, "%m");
|
||||
return (PAM_SERVICE_ERR);
|
||||
}
|
||||
|
||||
/* save the per-session filename so we can delete it on session
|
||||
@ -556,19 +550,19 @@ pam_sm_open_session(pam_handle_t *pamh, int flags __unused,
|
||||
if ((retval = pam_set_data(pamh, "ssh_agent_env_session",
|
||||
per_session, ssh_cleanup)) != PAM_SUCCESS) {
|
||||
free(per_session);
|
||||
return retval;
|
||||
return (retval);
|
||||
}
|
||||
|
||||
(void) unlink(per_session); /* remove cruft */
|
||||
(void) link(per_agent, per_session);
|
||||
|
||||
return PAM_SUCCESS;
|
||||
return (PAM_SUCCESS);
|
||||
}
|
||||
|
||||
|
||||
PAM_EXTERN int
|
||||
pam_sm_close_session(pam_handle_t *pamh, int flags __unused,
|
||||
int argc __unused, const char **argv __unused)
|
||||
int argc __unused, const char *argv[] __unused)
|
||||
{
|
||||
const char *env_file; /* ssh-agent environment */
|
||||
pid_t pid; /* ssh-agent process id */
|
||||
@ -588,7 +582,7 @@ pam_sm_close_session(pam_handle_t *pamh, int flags __unused,
|
||||
(const void **)&env_file)) == PAM_SUCCESS && env_file &&
|
||||
stat(env_file, &sb) == 0) {
|
||||
if (sb.st_nlink > 1)
|
||||
return PAM_SUCCESS;
|
||||
return (PAM_SUCCESS);
|
||||
(void) unlink(env_file);
|
||||
}
|
||||
|
||||
@ -596,35 +590,20 @@ pam_sm_close_session(pam_handle_t *pamh, int flags __unused,
|
||||
|
||||
if ((retval = pam_get_data(pamh, "ssh_agent_pid",
|
||||
(const void **)&ssh_agent_pid)) != PAM_SUCCESS)
|
||||
return retval;
|
||||
return (retval);
|
||||
|
||||
/* Kill the agent. SSH's ssh-agent does not have a -k option, so
|
||||
just call kill(). */
|
||||
|
||||
pid = atoi(ssh_agent_pid);
|
||||
if (pid <= 0)
|
||||
return PAM_SESSION_ERR;
|
||||
return (PAM_SESSION_ERR);
|
||||
if (kill(pid, SIGTERM) != 0) {
|
||||
openpam_log(PAM_LOG_ERROR, "%s: %s: %m", MODULE_NAME,
|
||||
ssh_agent_pid);
|
||||
return PAM_SESSION_ERR;
|
||||
openpam_log(PAM_LOG_ERROR, "%s: %m", ssh_agent_pid);
|
||||
return (PAM_SESSION_ERR);
|
||||
}
|
||||
|
||||
return PAM_SUCCESS;
|
||||
}
|
||||
|
||||
PAM_EXTERN int
|
||||
pam_sm_acct_mgmt(pam_handle_t *pamh __unused, int flags __unused,
|
||||
int argc __unused, const char **argv __unused)
|
||||
{
|
||||
return (PAM_IGNORE);
|
||||
}
|
||||
|
||||
PAM_EXTERN int
|
||||
pam_sm_chauthtok(pam_handle_t *pamh __unused, int flags __unused,
|
||||
int argc __unused, const char **argv __unused)
|
||||
{
|
||||
return (PAM_IGNORE);
|
||||
return (PAM_SUCCESS);
|
||||
}
|
||||
|
||||
PAM_MODULE_ENTRY(MODULE_NAME);
|
||||
|
@ -47,15 +47,15 @@ __FBSDID("$FreeBSD$");
|
||||
#include <unistd.h>
|
||||
|
||||
#define PAM_SM_AUTH
|
||||
#define PAM_SM_ACCOUNT
|
||||
#define PAM_SM_SESSION
|
||||
#define PAM_SM_PASSWORD
|
||||
|
||||
#include <security/pam_appl.h>
|
||||
#include <security/pam_modules.h>
|
||||
#include <security/pam_mod_misc.h>
|
||||
|
||||
enum { PAM_OPT_CONF=PAM_OPT_STD_MAX, PAM_OPT_TEMPLATE_USER };
|
||||
enum {
|
||||
PAM_OPT_CONF = PAM_OPT_STD_MAX,
|
||||
PAM_OPT_TEMPLATE_USER
|
||||
};
|
||||
|
||||
static struct opttab other_options[] = {
|
||||
{ "conf", PAM_OPT_CONF },
|
||||
@ -114,8 +114,8 @@ set_msg(struct tac_handle *tach, const char *msg)
|
||||
}
|
||||
|
||||
PAM_EXTERN int
|
||||
pam_sm_authenticate(pam_handle_t *pamh, int flags __unused, int argc,
|
||||
const char **argv)
|
||||
pam_sm_authenticate(pam_handle_t *pamh, int flags __unused,
|
||||
int argc, const char *argv[])
|
||||
{
|
||||
struct options options;
|
||||
int retval;
|
||||
@ -135,40 +135,40 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags __unused, int argc,
|
||||
tach = tac_open();
|
||||
if (tach == NULL) {
|
||||
syslog(LOG_CRIT, "tac_open failed");
|
||||
PAM_RETURN(PAM_SERVICE_ERR);
|
||||
return (PAM_SERVICE_ERR);
|
||||
}
|
||||
if (tac_config(tach, conf_file) == -1) {
|
||||
syslog(LOG_ALERT, "tac_config: %s", tac_strerror(tach));
|
||||
tac_close(tach);
|
||||
PAM_RETURN(PAM_SERVICE_ERR);
|
||||
return (PAM_SERVICE_ERR);
|
||||
}
|
||||
if (tac_create_authen(tach, TAC_AUTHEN_LOGIN, TAC_AUTHEN_TYPE_ASCII,
|
||||
TAC_AUTHEN_SVC_LOGIN) == -1) {
|
||||
syslog(LOG_CRIT, "tac_create_authen: %s", tac_strerror(tach));
|
||||
tac_close(tach);
|
||||
PAM_RETURN(PAM_SERVICE_ERR);
|
||||
return (PAM_SERVICE_ERR);
|
||||
}
|
||||
|
||||
PAM_LOG("Done tac_open() ... tac_close()");
|
||||
|
||||
retval = do_item(pamh, tach, PAM_USER, tac_set_user, "tac_set_user");
|
||||
if (retval != PAM_SUCCESS)
|
||||
PAM_RETURN(retval);
|
||||
return (retval);
|
||||
|
||||
PAM_LOG("Done user");
|
||||
|
||||
retval = do_item(pamh, tach, PAM_TTY, tac_set_port, "tac_set_port");
|
||||
if (retval != PAM_SUCCESS)
|
||||
PAM_RETURN(retval);
|
||||
return (retval);
|
||||
|
||||
PAM_LOG("Done tty");
|
||||
|
||||
retval = do_item(pamh, tach, PAM_RHOST, tac_set_rem_addr,
|
||||
"tac_set_rem_addr");
|
||||
if (retval != PAM_SUCCESS)
|
||||
PAM_RETURN(retval);
|
||||
return (retval);
|
||||
|
||||
for ( ; ; ) {
|
||||
for (;;) {
|
||||
char *srvr_msg;
|
||||
size_t msg_len;
|
||||
const char *user_msg;
|
||||
@ -181,7 +181,7 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags __unused, int argc,
|
||||
syslog(LOG_CRIT, "tac_send_authen: %s",
|
||||
tac_strerror(tach));
|
||||
tac_close(tach);
|
||||
PAM_RETURN(PAM_AUTHINFO_UNAVAIL);
|
||||
return (PAM_AUTHINFO_UNAVAIL);
|
||||
}
|
||||
status = TAC_AUTHEN_STATUS(sflags);
|
||||
if (!TAC_AUTHEN_NOECHO(sflags))
|
||||
@ -205,7 +205,7 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags __unused, int argc,
|
||||
*/
|
||||
retval = pam_get_item(pamh, PAM_USER, &item);
|
||||
if (retval != PAM_SUCCESS)
|
||||
PAM_RETURN(retval);
|
||||
return (retval);
|
||||
user = (const char *)item;
|
||||
if (getpwnam(user) == NULL) {
|
||||
pam_set_item(pamh, PAM_USER,
|
||||
@ -213,17 +213,17 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags __unused, int argc,
|
||||
PAM_LOG("Using template user");
|
||||
}
|
||||
}
|
||||
PAM_RETURN(PAM_SUCCESS);
|
||||
return (PAM_SUCCESS);
|
||||
|
||||
case TAC_AUTHEN_STATUS_FAIL:
|
||||
tac_close(tach);
|
||||
PAM_VERBOSE_ERROR("TACACS+ authentication failed");
|
||||
PAM_RETURN(PAM_AUTH_ERR);
|
||||
return (PAM_AUTH_ERR);
|
||||
|
||||
case TAC_AUTHEN_STATUS_GETUSER:
|
||||
case TAC_AUTHEN_STATUS_GETPASS:
|
||||
if ((srvr_msg = get_msg(tach)) == NULL)
|
||||
PAM_RETURN(PAM_SERVICE_ERR);
|
||||
return (PAM_SERVICE_ERR);
|
||||
if (status == TAC_AUTHEN_STATUS_GETUSER)
|
||||
retval = pam_get_user(pamh, &user_msg,
|
||||
*srvr_msg ? srvr_msg : NULL);
|
||||
@ -235,30 +235,30 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags __unused, int argc,
|
||||
if (retval != PAM_SUCCESS) {
|
||||
/* XXX - send a TACACS+ abort packet */
|
||||
tac_close(tach);
|
||||
PAM_RETURN(retval);
|
||||
return (retval);
|
||||
}
|
||||
if (set_msg(tach, user_msg) == -1)
|
||||
PAM_RETURN(PAM_SERVICE_ERR);
|
||||
return (PAM_SERVICE_ERR);
|
||||
break;
|
||||
|
||||
case TAC_AUTHEN_STATUS_GETDATA:
|
||||
if ((srvr_msg = get_msg(tach)) == NULL)
|
||||
PAM_RETURN(PAM_SERVICE_ERR);
|
||||
return (PAM_SERVICE_ERR);
|
||||
retval = pam_prompt(pamh,
|
||||
pam_test_option(&options, PAM_OPT_ECHO_PASS, NULL)
|
||||
? PAM_PROMPT_ECHO_ON : PAM_PROMPT_ECHO_OFF,
|
||||
? PAM_PROMPT_ECHO_ON : PAM_PROMPT_ECHO_OFF,
|
||||
&data_msg, "%s", *srvr_msg ? srvr_msg : "Data:");
|
||||
free(srvr_msg);
|
||||
if (retval != PAM_SUCCESS) {
|
||||
/* XXX - send a TACACS+ abort packet */
|
||||
tac_close(tach);
|
||||
PAM_RETURN(retval);
|
||||
return (retval);
|
||||
}
|
||||
retval = set_msg(tach, data_msg);
|
||||
memset(data_msg, 0, strlen(data_msg));
|
||||
free(data_msg);
|
||||
if (retval == -1)
|
||||
PAM_RETURN(PAM_SERVICE_ERR);
|
||||
return (PAM_SERVICE_ERR);
|
||||
break;
|
||||
|
||||
case TAC_AUTHEN_STATUS_ERROR:
|
||||
@ -272,7 +272,7 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags __unused, int argc,
|
||||
syslog(LOG_CRIT,
|
||||
"tac_send_authen: server detected error");
|
||||
tac_close(tach);
|
||||
PAM_RETURN(PAM_AUTHINFO_UNAVAIL);
|
||||
return (PAM_AUTHINFO_UNAVAIL);
|
||||
break;
|
||||
|
||||
case TAC_AUTHEN_STATUS_RESTART:
|
||||
@ -281,69 +281,17 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags __unused, int argc,
|
||||
syslog(LOG_CRIT,
|
||||
"tac_send_authen: unexpected status %#x", status);
|
||||
tac_close(tach);
|
||||
PAM_RETURN(PAM_AUTHINFO_UNAVAIL);
|
||||
return (PAM_AUTHINFO_UNAVAIL);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
PAM_EXTERN int
|
||||
pam_sm_setcred(pam_handle_t *pamh __unused, int flags __unused, int argc, const char **argv)
|
||||
pam_sm_setcred(pam_handle_t *pamh __unused, int flags __unused,
|
||||
int argc __unused, const char *argv[] __unused)
|
||||
{
|
||||
struct options options;
|
||||
|
||||
pam_std_option(&options, NULL, argc, argv);
|
||||
|
||||
PAM_LOG("Options processed");
|
||||
|
||||
PAM_RETURN(PAM_IGNORE);
|
||||
}
|
||||
|
||||
PAM_EXTERN int
|
||||
pam_sm_acct_mgmt(pam_handle_t *pamh __unused, int flags __unused, int argc ,const char **argv)
|
||||
{
|
||||
struct options options;
|
||||
|
||||
pam_std_option(&options, NULL, argc, argv);
|
||||
|
||||
PAM_LOG("Options processed");
|
||||
|
||||
PAM_RETURN(PAM_IGNORE);
|
||||
}
|
||||
|
||||
PAM_EXTERN int
|
||||
pam_sm_chauthtok(pam_handle_t *pamh __unused, int flags __unused, int argc, const char **argv)
|
||||
{
|
||||
struct options options;
|
||||
|
||||
pam_std_option(&options, NULL, argc, argv);
|
||||
|
||||
PAM_LOG("Options processed");
|
||||
|
||||
PAM_RETURN(PAM_IGNORE);
|
||||
}
|
||||
|
||||
PAM_EXTERN int
|
||||
pam_sm_open_session(pam_handle_t *pamh __unused, int flags __unused, int argc, const char **argv)
|
||||
{
|
||||
struct options options;
|
||||
|
||||
pam_std_option(&options, NULL, argc, argv);
|
||||
|
||||
PAM_LOG("Options processed");
|
||||
|
||||
PAM_RETURN(PAM_IGNORE);
|
||||
}
|
||||
|
||||
PAM_EXTERN int
|
||||
pam_sm_close_session(pam_handle_t *pamh __unused, int flags __unused, int argc, const char **argv)
|
||||
{
|
||||
struct options options;
|
||||
|
||||
pam_std_option(&options, NULL, argc, argv);
|
||||
|
||||
PAM_LOG("Options processed");
|
||||
|
||||
PAM_RETURN(PAM_IGNORE);
|
||||
return (PAM_IGNORE);
|
||||
}
|
||||
|
||||
PAM_MODULE_ENTRY("pam_tacplus");
|
||||
|
@ -69,7 +69,6 @@ __FBSDID("$FreeBSD$");
|
||||
|
||||
#define PAM_SM_AUTH
|
||||
#define PAM_SM_ACCOUNT
|
||||
#define PAM_SM_SESSION
|
||||
#define PAM_SM_PASSWORD
|
||||
|
||||
#include <security/pam_appl.h>
|
||||
@ -115,7 +114,8 @@ static int yp_passwd(const char *user, const char *pass);
|
||||
* authentication management
|
||||
*/
|
||||
PAM_EXTERN int
|
||||
pam_sm_authenticate(pam_handle_t *pamh, int flags __unused, int argc, const char **argv)
|
||||
pam_sm_authenticate(pam_handle_t *pamh, int flags __unused,
|
||||
int argc, const char *argv[])
|
||||
{
|
||||
login_cap_t *lc;
|
||||
struct options options;
|
||||
@ -132,7 +132,7 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags __unused, int argc, const char
|
||||
} else {
|
||||
retval = pam_get_user(pamh, &user, NULL);
|
||||
if (retval != PAM_SUCCESS)
|
||||
PAM_RETURN(retval);
|
||||
return (retval);
|
||||
pwd = getpwnam(user);
|
||||
}
|
||||
|
||||
@ -144,7 +144,7 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags __unused, int argc, const char
|
||||
if (realpw[0] == '\0') {
|
||||
if (!(flags & PAM_DISALLOW_NULL_AUTHTOK) &&
|
||||
pam_test_option(&options, PAM_OPT_NULLOK, NULL))
|
||||
PAM_RETURN(PAM_SUCCESS);
|
||||
return (PAM_SUCCESS);
|
||||
realpw = "*";
|
||||
}
|
||||
lc = login_getpwclass(pwd);
|
||||
@ -157,32 +157,29 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags __unused, int argc, const char
|
||||
retval = pam_get_authtok(pamh, PAM_AUTHTOK, &pass, prompt);
|
||||
login_close(lc);
|
||||
if (retval != PAM_SUCCESS)
|
||||
PAM_RETURN(retval);
|
||||
return (retval);
|
||||
PAM_LOG("Got password");
|
||||
if (strcmp(crypt(pass, realpw), realpw) == 0)
|
||||
PAM_RETURN(PAM_SUCCESS);
|
||||
return (PAM_SUCCESS);
|
||||
|
||||
PAM_VERBOSE_ERROR("UNIX authentication refused");
|
||||
PAM_RETURN(PAM_AUTH_ERR);
|
||||
return (PAM_AUTH_ERR);
|
||||
}
|
||||
|
||||
PAM_EXTERN int
|
||||
pam_sm_setcred(pam_handle_t *pamh __unused, int flags __unused, int argc, const char **argv)
|
||||
pam_sm_setcred(pam_handle_t *pamh __unused, int flags __unused,
|
||||
int argc __unused, const char *argv[] __unused)
|
||||
{
|
||||
struct options options;
|
||||
|
||||
pam_std_option(&options, other_options, argc, argv);
|
||||
|
||||
PAM_LOG("Options processed");
|
||||
|
||||
PAM_RETURN(PAM_SUCCESS);
|
||||
return (PAM_SUCCESS);
|
||||
}
|
||||
|
||||
/*
|
||||
/*
|
||||
* account management
|
||||
*/
|
||||
PAM_EXTERN int
|
||||
pam_sm_acct_mgmt(pam_handle_t *pamh, int flags __unused, int argc, const char **argv)
|
||||
pam_sm_acct_mgmt(pam_handle_t *pamh, int flags __unused,
|
||||
int argc, const char *argv[])
|
||||
{
|
||||
struct addrinfo hints, *res;
|
||||
struct options options;
|
||||
@ -200,25 +197,25 @@ pam_sm_acct_mgmt(pam_handle_t *pamh, int flags __unused, int argc, const char **
|
||||
|
||||
retval = pam_get_user(pamh, &user, NULL);
|
||||
if (retval != PAM_SUCCESS)
|
||||
PAM_RETURN(retval);
|
||||
return (retval);
|
||||
|
||||
if (user == NULL || (pwd = getpwnam(user)) == NULL)
|
||||
PAM_RETURN(PAM_SERVICE_ERR);
|
||||
return (PAM_SERVICE_ERR);
|
||||
|
||||
PAM_LOG("Got user: %s", user);
|
||||
|
||||
retval = pam_get_item(pamh, PAM_RHOST, (const void **)&rhost);
|
||||
if (retval != PAM_SUCCESS)
|
||||
PAM_RETURN(retval);
|
||||
return (retval);
|
||||
|
||||
retval = pam_get_item(pamh, PAM_TTY, (const void **)&tty);
|
||||
if (retval != PAM_SUCCESS)
|
||||
PAM_RETURN(retval);
|
||||
return (retval);
|
||||
|
||||
if (*pwd->pw_passwd == '\0' &&
|
||||
(flags & PAM_DISALLOW_NULL_AUTHTOK) != 0)
|
||||
return (PAM_NEW_AUTHTOK_REQD);
|
||||
|
||||
|
||||
lc = login_getpwclass(pwd);
|
||||
if (lc == NULL) {
|
||||
PAM_LOG("Unable to get login class for user %s", user);
|
||||
@ -234,13 +231,13 @@ pam_sm_acct_mgmt(pam_handle_t *pamh, int flags __unused, int argc, const char **
|
||||
* Check pw_expire before pw_change - no point in letting the
|
||||
* user change the password on an expired account.
|
||||
*/
|
||||
|
||||
|
||||
if (pwd->pw_expire) {
|
||||
warntime = login_getcaptime(lc, "warnexpire",
|
||||
DEFAULT_WARN, DEFAULT_WARN);
|
||||
if (tp.tv_sec >= pwd->pw_expire) {
|
||||
login_close(lc);
|
||||
PAM_RETURN(PAM_ACCT_EXPIRED);
|
||||
return (PAM_ACCT_EXPIRED);
|
||||
} else if (pwd->pw_expire - tp.tv_sec < warntime &&
|
||||
(flags & PAM_SILENT) == 0) {
|
||||
pam_error(pamh, "Warning: your account expires on %s",
|
||||
@ -283,53 +280,25 @@ pam_sm_acct_mgmt(pam_handle_t *pamh, int flags __unused, int argc, const char **
|
||||
/*
|
||||
* Check host / tty / time-of-day restrictions
|
||||
*/
|
||||
|
||||
|
||||
if (!auth_hostok(lc, rhost, rhostip) ||
|
||||
!auth_ttyok(lc, tty) ||
|
||||
!auth_timeok(lc, time(NULL)))
|
||||
retval = PAM_AUTH_ERR;
|
||||
|
||||
|
||||
login_close(lc);
|
||||
|
||||
PAM_RETURN(retval);
|
||||
return (retval);
|
||||
}
|
||||
|
||||
/*
|
||||
* session management
|
||||
*
|
||||
* logging only
|
||||
*/
|
||||
PAM_EXTERN int
|
||||
pam_sm_open_session(pam_handle_t *pamh __unused, int flags __unused, int argc, const char **argv)
|
||||
{
|
||||
struct options options;
|
||||
|
||||
pam_std_option(&options, other_options, argc, argv);
|
||||
|
||||
PAM_LOG("Options processed");
|
||||
|
||||
PAM_RETURN(PAM_SUCCESS);
|
||||
}
|
||||
|
||||
PAM_EXTERN int
|
||||
pam_sm_close_session(pam_handle_t *pamh __unused, int flags __unused, int argc, const char **argv)
|
||||
{
|
||||
struct options options;
|
||||
|
||||
pam_std_option(&options, other_options, argc, argv);
|
||||
|
||||
PAM_LOG("Options processed");
|
||||
|
||||
PAM_RETURN(PAM_SUCCESS);
|
||||
}
|
||||
|
||||
/*
|
||||
/*
|
||||
* password management
|
||||
*
|
||||
* standard Unix and NIS password changing
|
||||
*/
|
||||
PAM_EXTERN int
|
||||
pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, const char **argv)
|
||||
pam_sm_chauthtok(pam_handle_t *pamh, int flags,
|
||||
int argc, const char *argv[])
|
||||
{
|
||||
struct options options;
|
||||
struct passwd *pwd;
|
||||
@ -346,7 +315,7 @@ pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, const char **argv)
|
||||
else {
|
||||
retval = pam_get_user(pamh, &user, NULL);
|
||||
if (retval != PAM_SUCCESS)
|
||||
PAM_RETURN(retval);
|
||||
return (retval);
|
||||
pwd = getpwnam(user);
|
||||
}
|
||||
|
||||
@ -364,13 +333,13 @@ pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, const char **argv)
|
||||
* XXX check PAM_DISALLOW_NULL_AUTHTOK
|
||||
*/
|
||||
PAM_LOG("Got password");
|
||||
PAM_RETURN(PAM_SUCCESS);
|
||||
return (PAM_SUCCESS);
|
||||
}
|
||||
else {
|
||||
retval = pam_get_authtok(pamh,
|
||||
PAM_OLDAUTHTOK, &pass, NULL);
|
||||
if (retval != PAM_SUCCESS)
|
||||
PAM_RETURN(retval);
|
||||
return (retval);
|
||||
PAM_LOG("Got password");
|
||||
}
|
||||
encrypted = crypt(pass, pwd->pw_passwd);
|
||||
@ -379,17 +348,17 @@ pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, const char **argv)
|
||||
|
||||
if (strcmp(encrypted, pwd->pw_passwd) != 0) {
|
||||
pam_set_item(pamh, PAM_OLDAUTHTOK, NULL);
|
||||
PAM_RETURN(PAM_AUTH_ERR);
|
||||
return (PAM_AUTH_ERR);
|
||||
}
|
||||
|
||||
PAM_RETURN(PAM_SUCCESS);
|
||||
return (PAM_SUCCESS);
|
||||
}
|
||||
else if (flags & PAM_UPDATE_AUTHTOK) {
|
||||
PAM_LOG("UPDATE round; checking user password");
|
||||
|
||||
retval = pam_get_authtok(pamh, PAM_OLDAUTHTOK, &pass, NULL);
|
||||
if (retval != PAM_SUCCESS)
|
||||
PAM_RETURN(retval);
|
||||
return (retval);
|
||||
|
||||
PAM_LOG("Got old password");
|
||||
|
||||
@ -403,7 +372,7 @@ pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, const char **argv)
|
||||
|
||||
if (retval != PAM_SUCCESS) {
|
||||
PAM_VERBOSE_ERROR("Unable to get new password");
|
||||
PAM_RETURN(PAM_PERM_DENIED);
|
||||
return (PAM_PERM_DENIED);
|
||||
}
|
||||
|
||||
PAM_LOG("Got new password: %s", new_pass);
|
||||
@ -411,7 +380,7 @@ pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, const char **argv)
|
||||
#ifdef YP
|
||||
/* If NIS is set in the passwd database, use it */
|
||||
if ((usrdup = strdup(user)) == NULL)
|
||||
PAM_RETURN(PAM_BUF_ERR);
|
||||
return (PAM_BUF_ERR);
|
||||
res = use_yp(usrdup, 0, 0);
|
||||
free(usrdup);
|
||||
if (res == USER_YP_ONLY) {
|
||||
@ -453,7 +422,7 @@ pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, const char **argv)
|
||||
PAM_LOG("Illegal 'flags'");
|
||||
}
|
||||
|
||||
PAM_RETURN(retval);
|
||||
return (retval);
|
||||
}
|
||||
|
||||
/* Mostly stolen from passwd(1)'s local_passwd.c - markm */
|
||||
@ -606,7 +575,7 @@ yp_passwd(const char *user __unused, const char *pass)
|
||||
* The yppasswd.x file said `unix authentication required',
|
||||
* so I added it. This is the only reason it is in here.
|
||||
* My yppasswdd doesn't use it, but maybe some others out there
|
||||
* do. --okir
|
||||
* do. --okir
|
||||
*/
|
||||
clnt->cl_auth = authunix_create_default();
|
||||
|
||||
|
@ -49,16 +49,18 @@ __FBSDID("$FreeBSD$");
|
||||
#include <grp.h>
|
||||
|
||||
#define PAM_SM_AUTH
|
||||
#define PAM_SM_ACCOUNT
|
||||
#define PAM_SM_SESSION
|
||||
#define PAM_SM_PASSWORD
|
||||
|
||||
#include <security/pam_appl.h>
|
||||
#include <security/pam_modules.h>
|
||||
#include <security/pam_mod_misc.h>
|
||||
|
||||
enum { PAM_OPT_DENY=PAM_OPT_STD_MAX, PAM_OPT_GROUP, PAM_OPT_TRUST,
|
||||
PAM_OPT_AUTH_AS_SELF, PAM_OPT_NOROOT_OK };
|
||||
enum {
|
||||
PAM_OPT_DENY = PAM_OPT_STD_MAX,
|
||||
PAM_OPT_GROUP,
|
||||
PAM_OPT_TRUST,
|
||||
PAM_OPT_AUTH_AS_SELF,
|
||||
PAM_OPT_NOROOT_OK
|
||||
};
|
||||
|
||||
static struct opttab other_options[] = {
|
||||
{ "deny", PAM_OPT_DENY },
|
||||
@ -80,7 +82,8 @@ in_list(char *const *list, const char *member)
|
||||
}
|
||||
|
||||
PAM_EXTERN int
|
||||
pam_sm_authenticate(pam_handle_t * pamh, int flags __unused, int argc, const char **argv)
|
||||
pam_sm_authenticate(pam_handle_t * pamh, int flags __unused,
|
||||
int argc, const char *argv[])
|
||||
{
|
||||
struct options options;
|
||||
struct passwd *pwd;
|
||||
@ -96,12 +99,12 @@ pam_sm_authenticate(pam_handle_t * pamh, int flags __unused, int argc, const cha
|
||||
|
||||
retval = pam_get_user(pamh, &targetuser, NULL);
|
||||
if (retval != PAM_SUCCESS)
|
||||
PAM_RETURN(retval);
|
||||
return (retval);
|
||||
pwd = getpwnam(targetuser);
|
||||
if (pwd != NULL)
|
||||
tuid = pwd->pw_uid;
|
||||
else
|
||||
PAM_RETURN(PAM_AUTH_ERR);
|
||||
return (PAM_AUTH_ERR);
|
||||
|
||||
PAM_LOG("Got target user: %s uid: %d", targetuser, tuid);
|
||||
|
||||
@ -114,21 +117,21 @@ pam_sm_authenticate(pam_handle_t * pamh, int flags __unused, int argc, const cha
|
||||
pwd = getpwnam(user);
|
||||
}
|
||||
if (pwd == NULL)
|
||||
PAM_RETURN(PAM_AUTH_ERR);
|
||||
return (PAM_AUTH_ERR);
|
||||
|
||||
PAM_LOG("Got user: %s", user);
|
||||
PAM_LOG("User's primary uid, gid: %d, %d", pwd->pw_uid, pwd->pw_gid);
|
||||
|
||||
/* Ignore if already uid 0 */
|
||||
if (pwd->pw_uid == 0)
|
||||
PAM_RETURN(PAM_IGNORE);
|
||||
return (PAM_IGNORE);
|
||||
|
||||
PAM_LOG("Not superuser");
|
||||
|
||||
/* If authenticating as something non-superuser, return OK */
|
||||
if (pam_test_option(&options, PAM_OPT_NOROOT_OK, NULL))
|
||||
if (tuid != 0)
|
||||
PAM_RETURN(PAM_SUCCESS);
|
||||
return (PAM_SUCCESS);
|
||||
|
||||
PAM_LOG("Checking group");
|
||||
|
||||
@ -141,10 +144,10 @@ pam_sm_authenticate(pam_handle_t * pamh, int flags __unused, int argc, const cha
|
||||
|
||||
if (grp == NULL || grp->gr_mem == NULL) {
|
||||
if (pam_test_option(&options, PAM_OPT_DENY, NULL))
|
||||
PAM_RETURN(PAM_IGNORE);
|
||||
return (PAM_IGNORE);
|
||||
else {
|
||||
PAM_VERBOSE_ERROR("Permission denied");
|
||||
PAM_RETURN(PAM_AUTH_ERR);
|
||||
return (PAM_AUTH_ERR);
|
||||
}
|
||||
}
|
||||
|
||||
@ -154,79 +157,27 @@ pam_sm_authenticate(pam_handle_t * pamh, int flags __unused, int argc, const cha
|
||||
if (pam_test_option(&options, PAM_OPT_DENY, NULL)) {
|
||||
PAM_VERBOSE_ERROR("Member of group %s; denied",
|
||||
grp->gr_name);
|
||||
PAM_RETURN(PAM_PERM_DENIED);
|
||||
return (PAM_PERM_DENIED);
|
||||
}
|
||||
if (pam_test_option(&options, PAM_OPT_TRUST, NULL))
|
||||
PAM_RETURN(PAM_SUCCESS);
|
||||
PAM_RETURN(PAM_IGNORE);
|
||||
return (PAM_SUCCESS);
|
||||
return (PAM_IGNORE);
|
||||
}
|
||||
|
||||
if (pam_test_option(&options, PAM_OPT_DENY, NULL))
|
||||
PAM_RETURN(PAM_SUCCESS);
|
||||
return (PAM_SUCCESS);
|
||||
|
||||
PAM_VERBOSE_ERROR("Not member of group %s; denied", grp->gr_name);
|
||||
|
||||
PAM_RETURN(PAM_PERM_DENIED);
|
||||
}
|
||||
|
||||
PAM_EXTERN int
|
||||
pam_sm_setcred(pam_handle_t * pamh __unused, int flags __unused, int argc, const char **argv)
|
||||
{
|
||||
struct options options;
|
||||
|
||||
pam_std_option(&options, other_options, argc, argv);
|
||||
|
||||
PAM_LOG("Options processed");
|
||||
|
||||
PAM_RETURN(PAM_SUCCESS);
|
||||
return (PAM_PERM_DENIED);
|
||||
}
|
||||
|
||||
PAM_EXTERN int
|
||||
pam_sm_acct_mgmt(pam_handle_t *pamh __unused, int flags __unused, int argc ,const char **argv)
|
||||
pam_sm_setcred(pam_handle_t * pamh __unused, int flags __unused,
|
||||
int argc __unused, const char *argv[] __unused)
|
||||
{
|
||||
struct options options;
|
||||
|
||||
pam_std_option(&options, NULL, argc, argv);
|
||||
|
||||
PAM_LOG("Options processed");
|
||||
|
||||
PAM_RETURN(PAM_IGNORE);
|
||||
}
|
||||
|
||||
PAM_EXTERN int
|
||||
pam_sm_chauthtok(pam_handle_t *pamh __unused, int flags __unused, int argc, const char **argv)
|
||||
{
|
||||
struct options options;
|
||||
|
||||
pam_std_option(&options, NULL, argc, argv);
|
||||
|
||||
PAM_LOG("Options processed");
|
||||
|
||||
PAM_RETURN(PAM_IGNORE);
|
||||
}
|
||||
|
||||
PAM_EXTERN int
|
||||
pam_sm_open_session(pam_handle_t *pamh __unused, int flags __unused, int argc, const char **argv)
|
||||
{
|
||||
struct options options;
|
||||
|
||||
pam_std_option(&options, NULL, argc, argv);
|
||||
|
||||
PAM_LOG("Options processed");
|
||||
|
||||
PAM_RETURN(PAM_IGNORE);
|
||||
}
|
||||
|
||||
PAM_EXTERN int
|
||||
pam_sm_close_session(pam_handle_t *pamh __unused, int flags __unused, int argc, const char **argv)
|
||||
{
|
||||
struct options options;
|
||||
|
||||
pam_std_option(&options, NULL, argc, argv);
|
||||
|
||||
PAM_LOG("Options processed");
|
||||
|
||||
PAM_RETURN(PAM_IGNORE);
|
||||
return (PAM_SUCCESS);
|
||||
}
|
||||
|
||||
PAM_MODULE_ENTRY("pam_wheel");
|
||||
|
Loading…
Reference in New Issue
Block a user