authordes <des@FreeBSD.org>2002-04-12 22:27:25 +0000
committerdes <des@FreeBSD.org>2002-04-12 22:27:25 +0000
commita8ed91793767918d566bd64b6cd74cf1fbe39aad (patch)
treea5f017a5c6844ccb0d325b11f4fffdcba45a78e3 /lib/libpam
parentcae96c769e0618a9b44c24e2bb32faea58b82379 (diff)
Major cleanup:
- add __unused where appropriate - PAM_RETURN -> return since OpenPAM already logs the return value. - make PAM_LOG use openpam_log() - make PAM_VERBOSE_ERROR use openpam_get_option() and check flags for PAM_SILENT - remove dummy functions since OpenPAM handles missing service functions - fix various warnings Sponsored by: DARPA, NAI Labs
Diffstat (limited to 'lib/libpam')
-rw-r--r--lib/libpam/libpam/pam_debug_log.c94
-rw-r--r--lib/libpam/libpam/security/pam_mod_misc.h13
-rw-r--r--lib/libpam/modules/pam_deny/pam_deny.c76
-rw-r--r--lib/libpam/modules/pam_ftp/pam_ftp.c76
-rw-r--r--lib/libpam/modules/pam_kerberosIV/klogin.c7
-rw-r--r--lib/libpam/modules/pam_kerberosIV/klogin.h5
-rw-r--r--lib/libpam/modules/pam_kerberosIV/pam_kerberosIV.c54
-rw-r--r--lib/libpam/modules/pam_krb5/pam_krb5.c198
-rw-r--r--lib/libpam/modules/pam_lastlog/pam_lastlog.c105
-rw-r--r--lib/libpam/modules/pam_login_access/pam_login_access.c85
-rw-r--r--lib/libpam/modules/pam_nologin/pam_nologin.c81
-rw-r--r--lib/libpam/modules/pam_opie/pam_opie.c84
-rw-r--r--lib/libpam/modules/pam_opieaccess/pam_opieaccess.c87
-rw-r--r--lib/libpam/modules/pam_permit/pam_permit.c78
-rw-r--r--lib/libpam/modules/pam_radius/pam_radius.c125
-rw-r--r--lib/libpam/modules/pam_rootok/pam_rootok.c73
-rw-r--r--lib/libpam/modules/pam_securetty/pam_securetty.c86
-rw-r--r--lib/libpam/modules/pam_self/pam_self.c94
-rw-r--r--lib/libpam/modules/pam_ssh/pam_ssh.c183
-rw-r--r--lib/libpam/modules/pam_tacplus/pam_tacplus.c110
-rw-r--r--lib/libpam/modules/pam_unix/pam_unix.c103
-rw-r--r--lib/libpam/modules/pam_wheel/pam_wheel.c97
22 files changed, 499 insertions, 1415 deletions
diff --git a/lib/libpam/libpam/pam_debug_log.c b/lib/libpam/libpam/pam_debug_log.c
index 14e9b79..2dfb1ea 100644
--- a/lib/libpam/libpam/pam_debug_log.c
+++ b/lib/libpam/libpam/pam_debug_log.c
@@ -32,105 +32,31 @@ __FBSDID("$FreeBSD$");
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
-#include <syslog.h>
#include <security/pam_appl.h>
#include <security/openpam.h>
#include <security/pam_mod_misc.h>
-#define FMTBUFSIZ 256
-
-static char *modulename(const char *);
-
-/* Log a debug message, including the function name and a
- * cleaned up filename.
- */
-void
-_pam_log(struct options *options, const char *file, const char *function,
- const char *format, ...)
-{
- va_list ap;
- char *fmtbuf, *modname;
-
- if (pam_test_option(options, PAM_OPT_DEBUG, NULL)) {
- modname = modulename(file);
- va_start(ap, format);
- asprintf(&fmtbuf, "%s: %s: %s", modname, function, format);
- vsyslog(LOG_DEBUG, fmtbuf, ap);
- free(fmtbuf);
- va_end(ap);
- }
-}
-
-/* Log a return value, including the function name and a
- * cleaned up filename.
- */
-void
-_pam_log_retval(struct options *options, const char *file, const char *function,
- int retval)
-{
- char *modname;
-
- if (pam_test_option(options, PAM_OPT_DEBUG, NULL)) {
- modname = modulename(file);
-
- switch (retval) {
- case PAM_SUCCESS:
- syslog(LOG_DEBUG, "%s: %s: returning PAM_SUCCESS",
- modname, function);
- break;
- case PAM_AUTH_ERR:
- syslog(LOG_DEBUG, "%s: %s: returning PAM_AUTH_ERR",
- modname, function);
- break;
- case PAM_IGNORE:
- syslog(LOG_DEBUG, "%s: %s: returning PAM_IGNORE",
- modname, function);
- break;
- case PAM_PERM_DENIED:
- syslog(LOG_DEBUG, "%s: %s: returning PAM_PERM_DENIED",
- modname, function);
- break;
- default:
- syslog(LOG_DEBUG, "%s: %s: returning (%d)",
- modname, function, retval);
- }
-
- free(modname);
- }
-}
-
/* Print a verbose error, including the function name and a
* cleaned up filename.
*/
void
-_pam_verbose_error(pam_handle_t *pamh, struct options *options,
+_pam_verbose_error(pam_handle_t *pamh, int flags,
const char *file, const char *function, const char *format, ...)
{
va_list ap;
- char *statusmsg, *fmtbuf, *modname;
+ char *fmtbuf, *modname, *period;
- if (!pam_test_option(options, PAM_OPT_NO_WARN, NULL)) {
- modname = modulename(file);
+ if (!(flags & PAM_SILENT) || !openpam_get_option(pamh, "no_warn")) {
+ modname = basename(file);
+ period = strchr(modname, '.');
+ if (period == NULL)
+ period = strchr(modname, '\0');
va_start(ap, format);
- asprintf(&fmtbuf, "%s: %s: %s", modname, function, format);
- vasprintf(&statusmsg, fmtbuf, ap);
- pam_error(pamh, "%s", statusmsg);
- free(statusmsg);
+ asprintf(&fmtbuf, "%.*s: %s: %s", period - modname, modname,
+ function, format);
+ pam_verror(pamh, fmtbuf, ap);
free(fmtbuf);
va_end(ap);
}
}
-
-static char *
-modulename(const char *file)
-{
- char *modname, *period;
-
- modname = strdup(basename(file));
- period = strchr(modname, '.');
- if (period != NULL)
- *period = '\0';
-
- return modname;
-}
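Review bot: The new guard in `_pam_verbose_error` joins its two tests with `||`, so the message is suppressed only when PAM_SILENT is set and `no_warn` is configured at the same time; either one alone still lets it through, which does not look like what the commit message means by checking flags for PAM_SILENT. If either setting is meant to silence the module, the condition should read `if (!(flags & PAM_SILENT) && !openpam_get_option(pamh, "no_warn")) {`. In the same block the `%.*s` precision is passed as `period - modname`, a `ptrdiff_t` where the printf family expects an `int`, so it wants `(int)(period - modname)`. The result of `asprintf` is unchecked, so on allocation failure `fmtbuf` reaches `pam_verror` without holding a valid format string. pam_kerberosIV.c drops its own `!(flags & PAM_SILENT)` test in this commit and now relies entirely on this guard.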
diff --git a/lib/libpam/libpam/security/pam_mod_misc.h b/lib/libpam/libpam/security/pam_mod_misc.h
index 5a541b2..8e50ff6 100644
--- a/lib/libpam/libpam/security/pam_mod_misc.h
+++ b/lib/libpam/libpam/security/pam_mod_misc.h
@@ -58,22 +58,17 @@ void pam_std_option(struct options *, struct opttab *, int, const char **);
int pam_test_option(struct options *, enum opt, char **);
void pam_set_option(struct options *, enum opt);
void pam_clear_option(struct options *, enum opt);
-void _pam_log(struct options *, const char *, const char *, const char *, ...);
-void _pam_log_retval(struct options *, const char *, const char *, int);
-void _pam_verbose_error(pam_handle_t *, struct options *, const char *,
+void _pam_verbose_error(pam_handle_t *, int, const char *,
const char *, const char *, ...);
__END_DECLS
#define PAM_LOG(args...) \
- _pam_log(&options, __FILE__, __FUNCTION__, ##args)
+ openpam_log(PAM_LOG_DEBUG, ##args)
#define PAM_RETURN(arg) \
- do { \
- _pam_log_retval(&options, __FILE__, __FUNCTION__, arg); \
- return arg; \
- } while (0)
+ return (arg)
#define PAM_VERBOSE_ERROR(args...) \
- _pam_verbose_error(pamh, &options, __FILE__, __FUNCTION__, ##args)
+ _pam_verbose_error(pamh, flags, __FILE__, __FUNCTION__, ##args)
#endif
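Review bot: `PAM_VERBOSE_ERROR` now expands to a call that reads both `pamh` and `flags` from the caller's scope, and nothing at the macro says so. In pam_krb5.c `pam_sm_authenticate` still declares `int flags __unused` while calling `PAM_VERBOSE_ERROR("Kerberos 5 error")`, so that annotation is no longer accurate and should become plain `int flags`. I would add a comment above the macro such as `/* Requires pamh and flags in the calling scope; output is subject to PAM_SILENT and no_warn. */`. `PAM_LOG` likewise no longer passes `__FILE__` and `__FUNCTION__`, so whether debug lines still identify the module depends on openpam_log(), which is not visible here.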
diff --git a/lib/libpam/modules/pam_deny/pam_deny.c b/lib/libpam/modules/pam_deny/pam_deny.c
index 02dc8a5..2c91e26 100644
--- a/lib/libpam/modules/pam_deny/pam_deny.c
+++ b/lib/libpam/modules/pam_deny/pam_deny.c
@@ -36,90 +36,58 @@ __FBSDID("$FreeBSD$");
#include <security/pam_appl.h>
#include <security/pam_modules.h>
-#include <security/pam_mod_misc.h>
PAM_EXTERN int
-pam_sm_authenticate(pam_handle_t *pamh, int flags __unused, int argc, const char **argv)
+pam_sm_authenticate(pam_handle_t *pamh, int flags __unused,
+ int argc __unused, const char *argv[] __unused)
{
- struct options options;
+ const char *user;
+ int r;
- pam_std_option(&options, NULL, argc, argv);
+ if ((r = pam_get_user(pamh, &user, NULL)) != PAM_SUCCESS)
+ return (r);
- PAM_LOG("Options processed");
-
- PAM_VERBOSE_ERROR("Unconditional deny");
-
- PAM_RETURN(PAM_AUTH_ERR);
+ return (PAM_AUTH_ERR);
}
PAM_EXTERN int
-pam_sm_setcred(pam_handle_t *pamh, int flags __unused, int argc, const char **argv)
+pam_sm_setcred(pam_handle_t *pamh __unused, int flags __unused,
+ int argc __unused, const char *argv[] __unused)
{
- struct options options;
-
- pam_std_option(&options, NULL, argc, argv);
-
- PAM_LOG("Options processed");
-
- PAM_VERBOSE_ERROR("Unconditional deny");
- PAM_RETURN(PAM_CRED_UNAVAIL);
+ return (PAM_AUTH_ERR);
}
PAM_EXTERN int
-pam_sm_acct_mgmt(pam_handle_t *pamh, int flags __unused, int argc ,const char **argv)
+pam_sm_acct_mgmt(pam_handle_t *pamh __unused, int flags __unused,
+ int argc __unused, const char *argv[] __unused)
{
- struct options options;
- pam_std_option(&options, NULL, argc, argv);
-
- PAM_LOG("Options processed");
-
- PAM_VERBOSE_ERROR("Unconditional deny");
-
- PAM_RETURN(PAM_ACCT_EXPIRED);
+ return (PAM_AUTH_ERR);
}
PAM_EXTERN int
-pam_sm_chauthtok(pam_handle_t *pamh, int flags __unused, int argc, const char **argv)
+pam_sm_chauthtok(pam_handle_t *pamh __unused, int flags __unused,
+ int argc __unused, const char *argv[] __unused)
{
- struct options options;
-
- pam_std_option(&options, NULL, argc, argv);
- PAM_LOG("Options processed");
-
- PAM_VERBOSE_ERROR("Unconditional deny");
-
- PAM_RETURN(PAM_PERM_DENIED);
+ return (PAM_AUTH_ERR);
}
PAM_EXTERN int
-pam_sm_open_session(pam_handle_t *pamh, int flags __unused, int argc, const char **argv)
+pam_sm_open_session(pam_handle_t *pamh __unused, int flags __unused,
+ int argc __unused, const char *argv[] __unused)
{
- struct options options;
-
- pam_std_option(&options, NULL, argc, argv);
-
- PAM_LOG("Options processed");
- PAM_VERBOSE_ERROR("Unconditional deny");
-
- PAM_RETURN(PAM_SESSION_ERR);
+ return (PAM_AUTH_ERR);
}
PAM_EXTERN int
-pam_sm_close_session(pam_handle_t *pamh, int flags __unused, int argc, const char **argv)
+pam_sm_close_session(pam_handle_t *pamh __unused, int flags __unused,
+ int argc __unused, const char *argv[] __unused)
{
- struct options options;
-
- pam_std_option(&options, NULL, argc, argv);
-
- PAM_LOG("Options processed");
-
- PAM_VERBOSE_ERROR("Unconditional deny");
- PAM_RETURN(PAM_SESSION_ERR);
+ return (PAM_AUTH_ERR);
}
PAM_MODULE_ENTRY("pam_deny");
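Review bot: Every entry point except the early-error path of `pam_sm_authenticate` now returns `PAM_AUTH_ERR`, which replaces the facility-specific codes on the old side (`PAM_CRED_UNAVAIL`, `PAM_ACCT_EXPIRED`, `PAM_PERM_DENIED`, `PAM_SESSION_ERR`) and is not mentioned in the commit message. The module still fails closed, but applications and logs can no longer tell an account or session denial from an authentication failure; if that is intended it deserves a comment at the top of the file, otherwise keep the per-facility codes, e.g. `return (PAM_SESSION_ERR);` in the two session functions. The new `pam_get_user()` call in `pam_sm_authenticate` also has no stated purpose; a one-line comment such as `/* obtain the user name first so PAM_USER is set before the denial */` would help, if that is the reason.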
diff --git a/lib/libpam/modules/pam_ftp/pam_ftp.c b/lib/libpam/modules/pam_ftp/pam_ftp.c
index e99fbd8..8ad9a5c 100644
--- a/lib/libpam/modules/pam_ftp/pam_ftp.c
+++ b/lib/libpam/modules/pam_ftp/pam_ftp.c
@@ -48,9 +48,6 @@ __FBSDID("$FreeBSD$");
#include <string.h>
#define PAM_SM_AUTH
-#define PAM_SM_ACCOUNT
-#define PAM_SM_SESSION
-#define PAM_SM_PASSWORD
#include <security/pam_appl.h>
#include <security/pam_modules.h>
@@ -75,7 +72,7 @@ static const char *anonusers[] = {"ftp", "anonymous", NULL};
* Place username in *userret
* Return 1 if listed 0 otherwise
*/
-static int
+static int
lookup(const char *user, char *list, const char **userret)
{
int anon, i;
@@ -112,8 +109,9 @@ lookup(const char *user, char *list, const char **userret)
* If this is the case, set the PAM_RUSER to the entered email address
* and succeed, otherwise fail.
*/
-PAM_EXTERN int
-pam_sm_authenticate(pam_handle_t * pamh, int flags __unused, int argc, const char **argv)
+PAM_EXTERN int
+pam_sm_authenticate(pam_handle_t * pamh, int flags __unused,
+ int argc, const char *argv[])
{
struct options options;
int retval, anon;
@@ -126,7 +124,7 @@ pam_sm_authenticate(pam_handle_t * pamh, int flags __unused, int argc, const cha
retval = pam_get_user(pamh, &user, NULL);
if (retval != PAM_SUCCESS || user == NULL)
- PAM_RETURN(PAM_USER_UNKNOWN);
+ return (PAM_USER_UNKNOWN);
PAM_LOG("Got user: %s", user);
@@ -143,7 +141,7 @@ pam_sm_authenticate(pam_handle_t * pamh, int flags __unused, int argc, const cha
if (anon) {
retval = pam_set_item(pamh, PAM_USER, (const void *)user);
if (retval != PAM_SUCCESS)
- PAM_RETURN(retval);
+ return (retval);
prompt = GUEST_PROMPT;
PAM_LOG("Doing anonymous");
}
@@ -154,7 +152,7 @@ pam_sm_authenticate(pam_handle_t * pamh, int flags __unused, int argc, const cha
retval = pam_prompt(pamh, PAM_PROMPT_ECHO_OFF, &token, "%s", prompt);
if (retval != PAM_SUCCESS)
- PAM_RETURN(PAM_AUTHINFO_UNAVAIL);
+ return (PAM_AUTHINFO_UNAVAIL);
PAM_LOG("Got password");
@@ -192,67 +190,15 @@ pam_sm_authenticate(pam_handle_t * pamh, int flags __unused, int argc, const cha
retval = PAM_AUTH_ERR;
}
- PAM_RETURN(retval);
-}
-
-PAM_EXTERN int
-pam_sm_setcred(pam_handle_t * pamh __unused, int flags __unused, int argc, const char **argv)
-{
- struct options options;
-
- pam_std_option(&options, other_options, argc, argv);
-
- PAM_LOG("Options processed");
-
- PAM_RETURN(PAM_SUCCESS);
+ return (retval);
}
PAM_EXTERN int
-pam_sm_acct_mgmt(pam_handle_t *pamh __unused, int flags __unused, int argc ,const char **argv)
+pam_sm_setcred(pam_handle_t * pamh __unused, int flags __unused,
+ int argc __unused, const char *argv[] __unused)
{
- struct options options;
-
- pam_std_option(&options, NULL, argc, argv);
-
- PAM_LOG("Options processed");
-
- PAM_RETURN(PAM_IGNORE);
-}
-
-PAM_EXTERN int
-pam_sm_chauthtok(pam_handle_t *pamh __unused, int flags __unused, int argc, const char **argv)
-{
- struct options options;
-
- pam_std_option(&options, NULL, argc, argv);
-
- PAM_LOG("Options processed");
-
- PAM_RETURN(PAM_IGNORE);
-}
-
-PAM_EXTERN int
-pam_sm_open_session(pam_handle_t *pamh __unused, int flags __unused, int argc, const char **argv)
-{
- struct options options;
-
- pam_std_option(&options, NULL, argc, argv);
-
- PAM_LOG("Options processed");
-
- PAM_RETURN(PAM_IGNORE);
-}
-
-PAM_EXTERN int
-pam_sm_close_session(pam_handle_t *pamh __unused, int flags __unused, int argc, const char **argv)
-{
- struct options options;
-
- pam_std_option(&options, NULL, argc, argv);
-
- PAM_LOG("Options processed");
- PAM_RETURN(PAM_IGNORE);
+ return (PAM_SUCCESS);
}
PAM_MODULE_ENTRY("pam_ftp");
diff --git a/lib/libpam/modules/pam_kerberosIV/klogin.c b/lib/libpam/modules/pam_kerberosIV/klogin.c
index ae51f74..0743e86 100644
--- a/lib/libpam/modules/pam_kerberosIV/klogin.c
+++ b/lib/libpam/modules/pam_kerberosIV/klogin.c
@@ -52,6 +52,8 @@ static const char sccsid[] = "@(#)klogin.c 8.3 (Berkeley) 4/2/94";
#include <string.h>
#include <unistd.h>
+#include "klogin.h"
+
#define INITIAL_TICKET "krbtgt"
#define VERIFY_SERVICE "rcmd"
@@ -65,14 +67,11 @@ extern char *krbtkfile_env;
* 1 if Kerberos failed (try local password in login)
*/
int
-klogin(pw, instance, localhost, password)
- struct passwd *pw;
- char *instance, *localhost, *password;
+klogin(struct passwd *pw, char *instance, char *localhost, const char *password)
{
int kerror;
char realm[REALM_SZ], savehost[MAXHOSTNAMELEN];
char tkt_location[MAXPATHLEN];
- char *krb_get_phost();
extern int noticketsdontcomplain;
#ifdef KLOGIN_PARANOID
diff --git a/lib/libpam/modules/pam_kerberosIV/klogin.h b/lib/libpam/modules/pam_kerberosIV/klogin.h
new file mode 100644
index 0000000..e126a0b
--- /dev/null
+++ b/lib/libpam/modules/pam_kerberosIV/klogin.h
@@ -0,0 +1,5 @@
+/*
+ * $FreeBSD$
+ */
+
+int klogin(struct passwd *, char *, char *, const char *);
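Review bot: klogin.h uses `struct passwd` in the prototype without declaring it and has no include guard, so it only compiles cleanly when the includer has already pulled in `<pwd.h>`. If it is included first, the struct tag gets prototype scope and the declaration will not match the definition in klogin.c. Adding `struct passwd;` before the prototype (or `#include <pwd.h>`) and wrapping the file in an `#ifndef`/`#define`/`#endif` guard would make the header self-contained.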
diff --git a/lib/libpam/modules/pam_kerberosIV/pam_kerberosIV.c b/lib/libpam/modules/pam_kerberosIV/pam_kerberosIV.c
index 71e22c3..40f5a72 100644
--- a/lib/libpam/modules/pam_kerberosIV/pam_kerberosIV.c
+++ b/lib/libpam/modules/pam_kerberosIV/pam_kerberosIV.c
@@ -1,6 +1,13 @@
/*-
* Copyright 1998 Juniper Networks, Inc.
* All rights reserved.
+ * Copyright (c) 2002 Networks Associates Technology, Inc.
+ * All rights reserved.
+ *
+ * Portions of this software were developed for the FreeBSD Project by
+ * ThinkSec AS and NAI Labs, the Security Research Division of Network
+ * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035
+ * ("CBOSS"), as part of the DARPA CHATS research program.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -10,6 +17,9 @@
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote
+ * products derived from this software without specific prior written
+ * permission.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
@@ -38,9 +48,7 @@ __FBSDID("$FreeBSD$");
#include <security/pam_modules.h>
#include <security/pam_mod_misc.h>
-#define PASSWORD_PROMPT "Password:"
-
-extern int klogin(struct passwd *, char *, char *, char *);
+#include "klogin.h"
/* Globals used by klogin.c */
int notickets = 1;
@@ -48,9 +56,9 @@ int noticketsdontcomplain = 1;
char *krbtkfile_env;
PAM_EXTERN int
-pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv)
+pam_sm_authenticate(pam_handle_t *pamh, int flags,
+ int argc __unused, const char *argv[] __unused)
{
- struct options options;
int retval;
const char *user;
char *principal;
@@ -59,47 +67,41 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv)
char localhost[MAXHOSTNAMELEN + 1];
struct passwd *pwd;
- pam_std_option(&options, NULL, argc, argv);
-
- PAM_LOG("Options processed");
-
retval = pam_get_user(pamh, &user, NULL);
if (retval != PAM_SUCCESS)
- PAM_RETURN(retval);
+ return (retval);
PAM_LOG("Got user: %s", user);
- retval = pam_get_pass(pamh, &password, PASSWORD_PROMPT, &options);
+ retval = pam_get_authtok(pamh, PAM_AUTHTOK, &password, NULL);
if (retval != PAM_SUCCESS)
- PAM_RETURN(retval);
+ return (retval);
PAM_LOG("Got password");
if (gethostname(localhost, sizeof localhost - 1) == -1)
- PAM_RETURN(PAM_SYSTEM_ERR);
+ return (PAM_SYSTEM_ERR);
PAM_LOG("Got localhost: %s", localhost);
principal = strdup(user);
if (principal == NULL)
- PAM_RETURN(PAM_BUF_ERR);
+ return (PAM_BUF_ERR);
instance = strchr(principal, '.');
if (instance != NULL)
*instance++ = '\0';
else
- instance = "";
+ instance = strchr(principal, '\0');
PAM_LOG("Got principal.instance: %s.%s", principal, instance);
retval = PAM_AUTH_ERR;
pwd = getpwnam(user);
if (pwd != NULL) {
- if (klogin(pwd, instance, localhost, (char *)password) == 0) {
- if (!(flags & PAM_SILENT) && notickets && !noticketsdontcomplain)
- pam_prompt(pamh, PAM_ERROR_MSG,
- "Warning: no Kerberos tickets issued",
- NULL);
+ if (klogin(pwd, instance, localhost, password) == 0) {
+ if (notickets && !noticketsdontcomplain)
+ PAM_VERBOSE_ERROR("Warning: no Kerberos tickets issued");
/*
* XXX - I think the ticket file isn't supposed to
* be created until pam_sm_setcred() is called.
@@ -121,19 +123,15 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv)
if (retval != PAM_SUCCESS)
PAM_VERBOSE_ERROR("Kerberos IV refuses you");
- PAM_RETURN(retval);
+ return (retval);
}
PAM_EXTERN int
-pam_sm_setcred(pam_handle_t *pamh, int flags, int argc, const char **argv)
+pam_sm_setcred(pam_handle_t *pamh __unused, int flags __unused,
+ int argc __unused, const char *argv[] __unused)
{
- struct options options;
-
- pam_std_option(&options, NULL, argc, argv);
-
- PAM_LOG("Options processed");
- PAM_RETURN(PAM_SUCCESS);
+ return (PAM_SUCCESS);
}
PAM_MODULE_ENTRY("pam_kerberosIV");
diff --git a/lib/libpam/modules/pam_krb5/pam_krb5.c b/lib/libpam/modules/pam_krb5/pam_krb5.c
index 396390d..e94152e 100644
--- a/lib/libpam/modules/pam_krb5/pam_krb5.c
+++ b/lib/libpam/modules/pam_krb5/pam_krb5.c
@@ -4,7 +4,7 @@
* All rights reserved
* Copyright (c) 2002 Networks Associates Technology, Inc.
* All rights reserved.
- *
+ *
* Portions of this software were developed for the FreeBSD Project by
* ThinkSec AS and NAI Labs, the Security Research Division of Network
* Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035
@@ -22,13 +22,13 @@
* 3. The name of the author may not be used to endorse or promote
* products derived from this software without specific prior
* written permission.
- *
+ *
* ALTERNATIVELY, this product may be distributed under the terms of
* the GNU Public License, in which case the provisions of the GPL are
* required INSTEAD OF the above restrictions. (This clause is
* necessary due to a potential bad interaction between the GPL and
* the restrictions contained in a BSD-style copyright.)
- *
+ *
* THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
* WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
@@ -41,17 +41,17 @@
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
* OF THE POSSIBILITY OF SUCH DAMAGE.
* ---------------------------------------------------------------------------
- *
+ *
* This software may contain code from Naomaru Itoi:
- *
+ *
* PAM-kerberos5 module Copyright notice.
* Naomaru Itoi <itoi@eecs.umich.edu>, June 24, 1997.
- *
+ *
* ----------------------------------------------------------------------------
* COPYRIGHT (c) 1997
* THE REGENTS OF THE UNIVERSITY OF MICHIGAN
* ALL RIGHTS RESERVED
- *
+ *
* PERMISSION IS GRANTED TO USE, COPY, CREATE DERIVATIVE WORKS AND REDISTRIBUTE
* THIS SOFTWARE AND SUCH DERIVATIVE WORKS FOR ANY PURPOSE, SO LONG AS THE NAME
* OF THE UNIVERSITY OF MICHIGAN IS NOT USED IN ANY ADVERTISING OR PUBLICITY
@@ -59,7 +59,7 @@
* WRITTEN PRIOR AUTHORIZATION. IF THE ABOVE COPYRIGHT NOTICE OR ANY OTHER
* IDENTIFICATION OF THE UNIVERSITY OF MICHIGAN IS INCLUDED IN ANY COPY OF ANY
* PORTION OF THIS SOFTWARE, THEN THE DISCLAIMER BELOW MUST ALSO BE INCLUDED.
- *
+ *
* THE SOFTWARE IS PROVIDED AS IS, WITHOUT REPRESENTATION FROM THE UNIVERSITY OF
* MICHIGAN AS TO ITS FITNESS FOR ANY PURPOSE, AND WITHOUT WARRANTY BY THE
* UNIVERSITY OF MICHIGAN OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING
@@ -69,19 +69,19 @@
* CONSEQUENTIAL DAMAGES, WITH RESPECT TO ANY CLAIM ARISING OUT OF OR IN
* CONNECTION WITH THE USE OF THE SOFTWARE, EVEN IF IT HAS BEEN OR IS HEREAFTER
* ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
- *
+ *
* PAM-kerberos5 module is written based on PAM-kerberos4 module
* by Derrick J. Brashear and kerberos5-1.0pl1 by M.I.T. kerberos team.
* Permission to use, copy, modify, distribute this software is hereby
* granted, as long as it is granted by Derrick J. Brashear and
- * M.I.T. kerberos team. Followings are their copyright information.
+ * M.I.T. kerberos team. Followings are their copyright information.
* ----------------------------------------------------------------------------
- *
+ *
* This software may contain code from Derrick J. Brashear:
- *
- *
+ *
+ *
* Copyright (c) Derrick J. Brashear, 1996. All rights reserved
- *
+ *
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
@@ -94,13 +94,13 @@
* 3. The name of the author may not be used to endorse or promote
* products derived from this software without specific prior
* written permission.
- *
+ *
* ALTERNATIVELY, this product may be distributed under the terms of
* the GNU Public License, in which case the provisions of the GPL are
* required INSTEAD OF the above restrictions. (This clause is
* necessary due to a potential bad interaction between the GPL and
* the restrictions contained in a BSD-style copyright.)
- *
+ *
* THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
* WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
@@ -112,23 +112,23 @@
* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
* OF THE POSSIBILITY OF SUCH DAMAGE.
- *
+ *
* ----------------------------------------------------------------------------
- *
+ *
* This software may contain code from MIT Kerberos 5:
- *
+ *
* Copyright Notice and Legal Administrivia
* ----------------------------------------
- *
+ *
* Copyright (C) 1996 by the Massachusetts Institute of Technology.
- *
+ *
* All rights reserved.
- *
+ *
* Export of this software from the United States of America may require
* a specific license from the United States Government. It is the
* responsibility of any person or organization contemplating export to
* obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -139,62 +139,62 @@
* permission. M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
* THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
* IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
* WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
- *
+ *
* Individual source code files are copyright MIT, Cygnus Support,
* OpenVision, Oracle, Sun Soft, and others.
- *
+ *
* Project Athena, Athena, Athena MUSE, Discuss, Hesiod, Kerberos, Moira,
* and Zephyr are trademarks of the Massachusetts Institute of Technology
* (MIT). No commercial use of these trademarks may be made without
* prior written permission of MIT.
- *
+ *
* "Commercial use" means use of a name in a product or other for-profit
* manner. It does NOT prevent a commercial firm from referring to the
* MIT trademarks in order to convey information (although in doing so,
* recognition of their trademark status should be given).
- *
+ *
* The following copyright and permission notice applies to the
* OpenVision Kerberos Administration system located in kadmin/create,
* kadmin/dbutil, kadmin/passwd, kadmin/server, lib/kadm5, and portions
* of lib/rpc:
- *
+ *
* Copyright, OpenVision Technologies, Inc., 1996, All Rights Reserved
- *
- * WARNING: Retrieving the OpenVision Kerberos Administration system
- * source code, as described below, indicates your acceptance of the
- * following terms. If you do not agree to the following terms, do not
+ *
+ * WARNING: Retrieving the OpenVision Kerberos Administration system
+ * source code, as described below, indicates your acceptance of the
+ * following terms. If you do not agree to the following terms, do not
* retrieve the OpenVision Kerberos administration system.
- *
+ *
* You may freely use and distribute the Source Code and Object Code
* compiled from it, with or without modification, but this Source
* Code is provided to you "AS IS" EXCLUSIVE OF ANY WARRANTY,
* INCLUDING, WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY OR
* FITNESS FOR A PARTICULAR PURPOSE, OR ANY OTHER WARRANTY, WHETHER
* EXPRESS OR IMPLIED. IN NO EVENT WILL OPENVISION HAVE ANY LIABILITY
- * FOR ANY LOST PROFITS, LOSS OF DATA OR COSTS OF PROCUREMENT OF
+ * FOR ANY LOST PROFITS, LOSS OF DATA OR COSTS OF PROCUREMENT OF
* SUBSTITUTE GOODS OR SERVICES, OR FOR ANY SPECIAL, INDIRECT, OR
- * CONSEQUENTIAL DAMAGES ARISING OUT OF THIS AGREEMENT, INCLUDING,
- * WITHOUT LIMITATION, THOSE RESULTING FROM THE USE OF THE SOURCE
- * CODE, OR THE FAILURE OF THE SOURCE CODE TO PERFORM, OR FOR ANY
+ * CONSEQUENTIAL DAMAGES ARISING OUT OF THIS AGREEMENT, INCLUDING,
+ * WITHOUT LIMITATION, THOSE RESULTING FROM THE USE OF THE SOURCE
+ * CODE, OR THE FAILURE OF THE SOURCE CODE TO PERFORM, OR FOR ANY
* OTHER REASON.
- *
+ *
* OpenVision retains all copyrights in the donated Source Code. OpenVision
* also retains copyright to derivative works of the Source Code, whether
- * created by OpenVision or by a third party. The OpenVision copyright
- * notice must be preserved if derivative works are made based on the
+ * created by OpenVision or by a third party. The OpenVision copyright
+ * notice must be preserved if derivative works are made based on the
* donated Source Code.
- *
- * OpenVision Technologies, Inc. has donated this Kerberos
- * Administration system to MIT for inclusion in the standard
- * Kerberos 5 distribution. This donation underscores our
- * commitment to continuing Kerberos technology development
- * and our gratitude for the valuable work which has been
+ *
+ * OpenVision Technologies, Inc. has donated this Kerberos
+ * Administration system to MIT for inclusion in the standard
+ * Kerberos 5 distribution. This donation underscores our
+ * commitment to continuing Kerberos technology development
+ * and our gratitude for the valuable work which has been
* performed by MIT and the Kerberos community.
- *
+ *
*/
#include <sys/cdefs.h>
@@ -216,7 +216,6 @@ __FBSDID("$FreeBSD$");
#define PAM_SM_AUTH
#define PAM_SM_ACCOUNT
-#define PAM_SM_SESSION
#define PAM_SM_PASSWORD
#include <security/pam_appl.h>
@@ -237,7 +236,13 @@ static void compat_free_data_contents(krb5_context, krb5_data *);
#define PASSWORD_PROMPT "Password:"
#define NEW_PASSWORD_PROMPT "New Password:"
-enum { PAM_OPT_AUTH_AS_SELF=PAM_OPT_STD_MAX, PAM_OPT_CCACHE, PAM_OPT_FORWARDABLE, PAM_OPT_NO_CCACHE, PAM_OPT_REUSE_CCACHE };
+enum {
+ PAM_OPT_AUTH_AS_SELF = PAM_OPT_STD_MAX,
+ PAM_OPT_CCACHE,
+ PAM_OPT_FORWARDABLE,
+ PAM_OPT_NO_CCACHE,
+ PAM_OPT_REUSE_CCACHE
+};
static struct opttab other_options[] = {
{ "auth_as_self", PAM_OPT_AUTH_AS_SELF },
@@ -252,7 +257,8 @@ static struct opttab other_options[] = {
* authentication management
*/
PAM_EXTERN int
-pam_sm_authenticate(pam_handle_t *pamh, int flags __unused, int argc, const char **argv)
+pam_sm_authenticate(pam_handle_t *pamh, int flags __unused,
+ int argc, const char *argv[])
{
krb5_error_code krbret;
krb5_context pam_context;
@@ -272,13 +278,13 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags __unused, int argc, const char
retval = pam_get_user(pamh, &user, USER_PROMPT);
if (retval != PAM_SUCCESS)
- PAM_RETURN(retval);
+ return (retval);
PAM_LOG("Got user: %s", user);
retval = pam_get_item(pamh, PAM_RUSER, (const void **)&sourceuser);
if (retval != PAM_SUCCESS)
- PAM_RETURN(retval);
+ return (retval);
PAM_LOG("Got ruser: %s", sourceuser);
@@ -292,7 +298,7 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags __unused, int argc, const char
krbret = krb5_init_context(&pam_context);
if (krbret != 0) {
PAM_VERBOSE_ERROR("Kerberos 5 error");
- PAM_RETURN(PAM_SERVICE_ERR);
+ return (PAM_SERVICE_ERR);
}
PAM_LOG("Context initialised");
@@ -479,11 +485,12 @@ cleanup3:
if (retval != PAM_SUCCESS)
PAM_VERBOSE_ERROR("Kerberos 5 refuses you");
- PAM_RETURN(retval);
+ return (retval);
}
PAM_EXTERN int
-pam_sm_setcred(pam_handle_t *pamh, int flags, int argc, const char **argv)
+pam_sm_setcred(pam_handle_t *pamh, int flags,
+ int argc, const char *argv[])
{
krb5_error_code krbret;
@@ -506,30 +513,30 @@ pam_sm_setcred(pam_handle_t *pamh, int flags, int argc, const char **argv)
PAM_LOG("Options processed");
if (flags & PAM_DELETE_CRED)
- PAM_RETURN(PAM_SUCCESS);
+ return (PAM_SUCCESS);
if (flags & PAM_REFRESH_CRED)
- PAM_RETURN(PAM_SUCCESS);
+ return (PAM_SUCCESS);
if (flags & PAM_REINITIALIZE_CRED)
- PAM_RETURN(PAM_SUCCESS);
+ return (PAM_SUCCESS);
if (!(flags & PAM_ESTABLISH_CRED))
- PAM_RETURN(PAM_SERVICE_ERR);
+ return (PAM_SERVICE_ERR);
PAM_LOG("Establishing credentials");
/* Get username */
retval = pam_get_item(pamh, PAM_USER, (const void **)&user);
if (retval != PAM_SUCCESS)
- PAM_RETURN(retval);
+ return (retval);
PAM_LOG("Got user: %s", user);
krbret = krb5_init_context(&pam_context);
if (krbret != 0) {
PAM_LOG("Error krb5_init_context(): %s", error_message(krbret));
- PAM_RETURN(PAM_SERVICE_ERR);
+ return (PAM_SERVICE_ERR);
}
PAM_LOG("Context initialised");
@@ -711,15 +718,16 @@ cleanup3:
setegid(egid);
PAM_LOG("Done seteuid() & setegid()");
-
- PAM_RETURN(retval);
+
+ return (retval);
}
-/*
+/*
* account management
*/
PAM_EXTERN int
-pam_sm_acct_mgmt(pam_handle_t *pamh, int flags __unused, int argc, const char **argv)
+pam_sm_acct_mgmt(pam_handle_t *pamh, int flags __unused,
+ int argc, const char *argv[])
{
krb5_error_code krbret;
krb5_context pam_context;
@@ -735,20 +743,20 @@ pam_sm_acct_mgmt(pam_handle_t *pamh, int flags __unused, int argc, const char **
retval = pam_get_item(pamh, PAM_USER, (const void **)&user);
if (retval != PAM_SUCCESS)
- PAM_RETURN(retval);
+ return (retval);
PAM_LOG("Got user: %s", user);
retval = pam_get_data(pamh, "ccache", (const void **)&ccache);
if (retval != PAM_SUCCESS)
- PAM_RETURN(PAM_SUCCESS);
+ return (PAM_SUCCESS);
PAM_LOG("Got ccache");
krbret = krb5_init_context(&pam_context);
if (krbret != 0) {
PAM_LOG("Error krb5_init_context(): %s", error_message(krbret));
- PAM_RETURN(PAM_PERM_DENIED);
+ return (PAM_PERM_DENIED);
}
PAM_LOG("Context initialised");
@@ -774,44 +782,16 @@ cleanup:
krb5_free_context(pam_context);
PAM_LOG("Done cleanup");
- PAM_RETURN(retval);
-
-}
-
-/*
- * session management
- *
- * logging only
- */
-PAM_EXTERN int
-pam_sm_open_session(pam_handle_t *pamh __unused, int flags __unused, int argc, const char **argv)
-{
- struct options options;
-
- pam_std_option(&options, NULL, argc, argv);
-
- PAM_LOG("Options processed");
-
- PAM_RETURN(PAM_SUCCESS);
-}
-
-PAM_EXTERN int
-pam_sm_close_session(pam_handle_t *pamh __unused, int flags __unused, int argc, const char **argv)
-{
- struct options options;
-
- pam_std_option(&options, NULL, argc, argv);
+ return (retval);
- PAM_LOG("Options processed");
-
- PAM_RETURN(PAM_SUCCESS);
}
-/*
+/*
* password management
*/
PAM_EXTERN int
-pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, const char **argv)
+pam_sm_chauthtok(pam_handle_t *pamh, int flags,
+ int argc, const char *argv[])
{
krb5_error_code krbret;
krb5_context pam_context;
@@ -829,18 +809,18 @@ pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, const char **argv)
PAM_LOG("Options processed");
if (!(flags & PAM_UPDATE_AUTHTOK))
- PAM_RETURN(PAM_AUTHTOK_ERR);
+ return (PAM_AUTHTOK_ERR);
retval = pam_get_item(pamh, PAM_USER, (const void **)&user);
if (retval != PAM_SUCCESS)
- PAM_RETURN(retval);
+ return (retval);
PAM_LOG("Got user: %s", user);
krbret = krb5_init_context(&pam_context);
if (krbret != 0) {
PAM_LOG("Error krb5_init_context(): %s", error_message(krbret));
- PAM_RETURN(PAM_SERVICE_ERR);
+ return (PAM_SERVICE_ERR);
}
PAM_LOG("Context initialised");
@@ -941,7 +921,7 @@ cleanup3:
PAM_LOG("Done cleanup3");
- PAM_RETURN(retval);
+ return (retval);
}
PAM_MODULE_ENTRY("pam_krb5");
@@ -1003,10 +983,10 @@ verify_krb_v5_tgt(krb5_context context, krb5_ccache ccache,
phost[BUFSIZ - 1] = '\0';
/*
- * Do we have service/<host> keys?
- * (use default/configured keytab, kvno IGNORE_VNO to get the
- * first match, and ignore enctype.)
- */
+ * Do we have service/<host> keys?
+ * (use default/configured keytab, kvno IGNORE_VNO to get the
+ * first match, and ignore enctype.)
+ */
retval = krb5_kt_read_service_key(context, NULL, princ, 0, 0,
&keyblock);
if (retval != 0)
diff --git a/lib/libpam/modules/pam_lastlog/pam_lastlog.c b/lib/libpam/modules/pam_lastlog/pam_lastlog.c
index 81f94ff..fea8154 100644
--- a/lib/libpam/modules/pam_lastlog/pam_lastlog.c
+++ b/lib/libpam/modules/pam_lastlog/pam_lastlog.c
@@ -57,69 +57,16 @@ __FBSDID("$FreeBSD$");
#include <unistd.h>
#include <utmp.h>
-#define PAM_SM_AUTH
-#define PAM_SM_ACCOUNT
#define PAM_SM_SESSION
-#define PAM_SM_PASSWORD
#include <security/pam_appl.h>
#include <security/pam_modules.h>
#include <security/pam_mod_misc.h>
-extern int login_access(const char *, const char *);
-
PAM_EXTERN int
-pam_sm_authenticate(pam_handle_t *pamh __unused, int flags __unused, int argc, const char **argv)
+pam_sm_open_session(pam_handle_t *pamh, int flags,
+ int argc __unused, const char *argv[] __unused)
{
- struct options options;
-
- pam_std_option(&options, NULL, argc, argv);
-
- PAM_LOG("Options processed");
-
- PAM_RETURN(PAM_IGNORE);
-}
-
-PAM_EXTERN int
-pam_sm_setcred(pam_handle_t *pamh __unused, int flags __unused, int argc, const char **argv)
-{
- struct options options;
-
- pam_std_option(&options, NULL, argc, argv);
-
- PAM_LOG("Options processed");
-
- PAM_RETURN(PAM_IGNORE);
-}
-
-PAM_EXTERN int
-pam_sm_acct_mgmt(pam_handle_t *pamh __unused, int flags __unused, int argc ,const char **argv)
-{
- struct options options;
-
- pam_std_option(&options, NULL, argc, argv);
-
- PAM_LOG("Options processed");
-
- PAM_RETURN(PAM_IGNORE);
-}
-
-PAM_EXTERN int
-pam_sm_chauthtok(pam_handle_t *pamh __unused, int flags __unused, int argc, const char **argv)
-{
- struct options options;
-
- pam_std_option(&options, NULL, argc, argv);
-
- PAM_LOG("Options processed");
-
- PAM_RETURN(PAM_IGNORE);
-}
-
-PAM_EXTERN int
-pam_sm_open_session(pam_handle_t *pamh, int flags, int argc, const char **argv)
-{
- struct options options;
struct passwd *pwd;
struct utmp utmp;
struct lastlog ll;
@@ -127,31 +74,27 @@ pam_sm_open_session(pam_handle_t *pamh, int flags, int argc, const char **argv)
off_t llpos;
int fd, pam_err;
- pam_std_option(&options, NULL, argc, argv);
-
- PAM_LOG("Options processed");
-
- pam_err = pam_get_item(pamh, PAM_USER, (const void **)&user);
+ pam_err = pam_get_user(pamh, &user, NULL);
if (pam_err != PAM_SUCCESS)
- PAM_RETURN(pam_err);
+ return (pam_err);
if (user == NULL || (pwd = getpwnam(user)) == NULL)
- PAM_RETURN(PAM_SERVICE_ERR);
+ return (PAM_SERVICE_ERR);
PAM_LOG("Got user: %s", user);
pam_err = pam_get_item(pamh, PAM_RHOST, (const void **)&rhost);
if (pam_err != PAM_SUCCESS)
- PAM_RETURN(pam_err);
-
+ return (pam_err);
+
pam_err = pam_get_item(pamh, PAM_TTY, (const void **)&tty);
if (pam_err != PAM_SUCCESS)
- PAM_RETURN(pam_err);
+ return (pam_err);
if (tty == NULL)
- PAM_RETURN(PAM_SERVICE_ERR);
-
+ return (PAM_SERVICE_ERR);
+
fd = open(_PATH_LASTLOG, O_RDWR|O_CREAT, 0644);
if (fd == -1) {
syslog(LOG_ERR, "cannot open %s: %m", _PATH_LASTLOG);
- PAM_RETURN(PAM_SERVICE_ERR);
+ return (PAM_SERVICE_ERR);
}
/*
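Review bot: Replacing pam_get_item(PAM_USER) with `pam_get_user(pamh, &user, NULL)` lets this session hook call the application's conversation function to prompt for a login name when PAM_USER is unset, where the old code just saw NULL and returned PAM_SERVICE_ERR. By the time a session is opened the user should already be established, and the commit description does not mention this change. If the prompt is not intended, keep pam_get_item() here; the `user == NULL` test on the following line already covers the unset case. The function body continues outside the hunk.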
@@ -175,21 +118,21 @@ pam_sm_open_session(pam_handle_t *pamh, int flags, int argc, const char **argv)
if (lseek(fd, llpos, L_SET) != llpos)
goto file_err;
}
-
+
bzero(&ll, sizeof(ll));
time(&ll.ll_time);
-
+
/* note: does not need to be NUL-terminated */
strncpy(ll.ll_line, tty, sizeof(ll.ll_line));
if (rhost != NULL)
/* note: does not need to be NUL-terminated */
strncpy(ll.ll_host, rhost, sizeof(ll.ll_host));
-
+
if (write(fd, (char *)&ll, sizeof(ll)) != sizeof(ll) || close(fd) != 0)
goto file_err;
PAM_LOG("Login recorded in %s", _PATH_LASTLOG);
-
+
/*
* Record session in utmp(5) and wtmp(5).
*/
@@ -201,25 +144,21 @@ pam_sm_open_session(pam_handle_t *pamh, int flags, int argc, const char **argv)
strncpy(utmp.ut_host, rhost, sizeof(utmp.ut_host));
(void)strncpy(utmp.ut_line, tty, sizeof(utmp.ut_line));
login(&utmp);
-
- PAM_RETURN(PAM_IGNORE);
-
+
+ return (PAM_IGNORE);
+
file_err:
syslog(LOG_ERR, "%s: %m", _PATH_LASTLOG);
close(fd);
- PAM_RETURN(PAM_SERVICE_ERR);
+ return (PAM_SERVICE_ERR);
}
PAM_EXTERN int
-pam_sm_close_session(pam_handle_t *pamh __unused, int flags __unused, int argc, const char **argv)
+pam_sm_close_session(pam_handle_t *pamh __unused, int flags __unused,
+ int argc __unused, const char *argv[] __unused)
{
- struct options options;
-
- pam_std_option(&options, NULL, argc, argv);
-
- PAM_LOG("Options processed");
- PAM_RETURN(PAM_SUCCESS);
+ return (PAM_SUCCESS);
}
PAM_MODULE_ENTRY("pam_lastlog");
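Review bot: `file_err:` always calls `close(fd)`, but one of the jumps to it, in the previous hunk, is `write(...) != sizeof(ll) || close(fd) != 0`, so when that close() is the call that failed the descriptor is closed a second time. In a threaded application the descriptor number may already have been reused by then. Testing write() alone before `goto file_err`, and handling a close() failure with its own syslog() and `return (PAM_SERVICE_ERR)`, keeps the label for paths where fd is still open.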
diff --git a/lib/libpam/modules/pam_login_access/pam_login_access.c b/lib/libpam/modules/pam_login_access/pam_login_access.c
index 87cf450..8f8ac54 100644
--- a/lib/libpam/modules/pam_login_access/pam_login_access.c
+++ b/lib/libpam/modules/pam_login_access/pam_login_access.c
@@ -44,10 +44,7 @@ __FBSDID("$FreeBSD$");
#include <syslog.h>
#include <unistd.h>
-#define PAM_SM_AUTH
#define PAM_SM_ACCOUNT
-#define PAM_SM_SESSION
-#define PAM_SM_PASSWORD
#include <security/pam_appl.h>
#include <security/pam_modules.h>
@@ -56,57 +53,29 @@ __FBSDID("$FreeBSD$");
#include "pam_login_access.h"
PAM_EXTERN int
-pam_sm_authenticate(pam_handle_t *pamh __unused, int flags __unused, int argc, const char **argv)
+pam_sm_acct_mgmt(pam_handle_t *pamh, int flags __unused,
+ int argc __unused, const char *argv[] __unused)
{
- struct options options;
-
- pam_std_option(&options, NULL, argc, argv);
-
- PAM_LOG("Options processed");
-
- PAM_RETURN(PAM_IGNORE);
-}
-
-PAM_EXTERN int
-pam_sm_setcred(pam_handle_t *pamh __unused, int flags __unused, int argc, const char **argv)
-{
- struct options options;
-
- pam_std_option(&options, NULL, argc, argv);
-
- PAM_LOG("Options processed");
-
- PAM_RETURN(PAM_IGNORE);
-}
-
-PAM_EXTERN int
-pam_sm_acct_mgmt(pam_handle_t *pamh, int flags __unused, int argc ,const char **argv)
-{
- struct options options;
const char *rhost, *tty, *user;
char hostname[MAXHOSTNAMELEN];
int pam_err;
- pam_std_option(&options, NULL, argc, argv);
-
- PAM_LOG("Options processed");
-
pam_err = pam_get_item(pamh, PAM_USER, (const void **)&user);
if (pam_err != PAM_SUCCESS)
- PAM_RETURN(pam_err);
+ return (pam_err);
if (user == NULL)
- PAM_RETURN(PAM_SERVICE_ERR);
+ return (PAM_SERVICE_ERR);
PAM_LOG("Got user: %s", user);
pam_err = pam_get_item(pamh, PAM_RHOST, (const void **)&rhost);
if (pam_err != PAM_SUCCESS)
- PAM_RETURN(pam_err);
+ return (pam_err);
pam_err = pam_get_item(pamh, PAM_TTY, (const void **)&tty);
if (pam_err != PAM_SUCCESS)
- PAM_RETURN(pam_err);
+ return (pam_err);
gethostname(hostname, sizeof hostname);
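Review bot: `tty` is never tested for NULL after `pam_get_item(pamh, PAM_TTY, ...)`, although `user` gets that test a few lines up and pam_lastlog in this commit returns PAM_SERVICE_ERR for a NULL tty. The next hunk passes `tty` to `login_access(user, tty)` and to a `%s` log format; the condition selecting that branch is outside both hunks, so whether a NULL can reach it is not certain from here. Since a remote login may have no tty, the guard belongs in the tty branch rather than right after the lookup: `if (tty == NULL) return (PAM_SERVICE_ERR);`. The return value of `gethostname()` on the last line is also ignored.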
@@ -114,55 +83,19 @@ pam_sm_acct_mgmt(pam_handle_t *pamh, int flags __unused, int argc ,const char **
PAM_LOG("Checking login.access for user %s on tty %s",
user, tty);
if (login_access(user, tty) != 0)
- PAM_RETURN(PAM_SUCCESS);
+ return (PAM_SUCCESS);
PAM_VERBOSE_ERROR("%s is not allowed to log in on %s",
user, tty);
} else {
PAM_LOG("Checking login.access for user %s from host %s",
user, rhost);
if (login_access(user, rhost) != 0)
- PAM_RETURN(PAM_SUCCESS);
+ return (PAM_SUCCESS);
PAM_VERBOSE_ERROR("%s is not allowed to log in from %s",
user, rhost);
}
-
- PAM_RETURN(PAM_AUTH_ERR);
-}
-
-PAM_EXTERN int
-pam_sm_chauthtok(pam_handle_t *pamh __unused, int flags __unused, int argc, const char **argv)
-{
- struct options options;
-
- pam_std_option(&options, NULL, argc, argv);
-
- PAM_LOG("Options processed");
-
- PAM_RETURN(PAM_IGNORE);
-}
-
-PAM_EXTERN int
-pam_sm_open_session(pam_handle_t *pamh __unused, int flags __unused, int argc, const char **argv)
-{
- struct options options;
-
- pam_std_option(&options, NULL, argc, argv);
-
- PAM_LOG("Options processed");
-
- PAM_RETURN(PAM_IGNORE);
-}
-
-PAM_EXTERN int
-pam_sm_close_session(pam_handle_t *pamh __unused, int flags __unused, int argc, const char **argv)
-{
- struct options options;
-
- pam_std_option(&options, NULL, argc, argv);
-
- PAM_LOG("Options processed");
- PAM_RETURN(PAM_IGNORE);
+ return (PAM_AUTH_ERR);
}
PAM_MODULE_ENTRY("pam_login_access");
diff --git a/lib/libpam/modules/pam_nologin/pam_nologin.c b/lib/libpam/modules/pam_nologin/pam_nologin.c
index 4becc6e..f148be6 100644
--- a/lib/libpam/modules/pam_nologin/pam_nologin.c
+++ b/lib/libpam/modules/pam_nologin/pam_nologin.c
@@ -47,9 +47,6 @@ __FBSDID("$FreeBSD$");
#include <unistd.h>
#define PAM_SM_AUTH
-#define PAM_SM_ACCOUNT
-#define PAM_SM_SESSION
-#define PAM_SM_PASSWORD
#include <security/pam_appl.h>
#include <security/pam_modules.h>
@@ -60,23 +57,19 @@ __FBSDID("$FreeBSD$");
static char nologin_def[] = NOLOGIN;
PAM_EXTERN int
-pam_sm_authenticate(pam_handle_t *pamh, int flags __unused, int argc, const char **argv)
+pam_sm_authenticate(pam_handle_t *pamh, int flags __unused,
+ int argc __unused, const char *argv[] __unused)
{
login_cap_t *lc;
- struct options options;
struct passwd *pwd;
struct stat st;
int retval, fd;
const char *user, *nologin;
char *mtmp;
- pam_std_option(&options, NULL, argc, argv);
-
- PAM_LOG("Options processed");
-
retval = pam_get_user(pamh, &user, NULL);
if (retval != PAM_SUCCESS)
- PAM_RETURN(retval);
+ return (retval);
PAM_LOG("Got user: %s", user);
@@ -87,7 +80,7 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags __unused, int argc, const char
fd = open(nologin, O_RDONLY, 0);
if (fd < 0)
- PAM_RETURN(PAM_SUCCESS);
+ return (PAM_SUCCESS);
PAM_LOG("Opened %s file", NOLOGIN);
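Review bot: `PAM_LOG("Opened %s file", NOLOGIN)` names the compile-time default, not the path that was opened, which is the `nologin` variable passed to open() two lines above. If `nologin` can differ from NOLOGIN (its assignment is outside the hunk), this log line and `PAM_VERBOSE_ERROR("Administrator refusing you: %s", NOLOGIN)` in the last hunk of this file point an administrator at the wrong file. Use `PAM_LOG("Opened %s file", nologin);` and make the same substitution in the error message.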
@@ -100,9 +93,9 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags __unused, int argc, const char
else
retval = PAM_AUTH_ERR;
}
-
+
if (fstat(fd, &st) < 0)
- PAM_RETURN(retval);
+ return (retval);
mtmp = malloc(st.st_size + 1);
if (mtmp != NULL) {
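Review bot: The `return (retval)` taken when fstat() fails leaves `fd` open; the descriptor comes from the open() in the previous hunk and nothing on this path releases it. A PAM module runs inside long-lived login daemons, so a leak per failed call accumulates. Close it before returning: `if (fstat(fd, &st) < 0) { close(fd); return (retval); }`. Whether the normal path closes `fd` after reading the file is not visible in these hunks and is worth confirming at the same time.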
@@ -111,71 +104,19 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags __unused, int argc, const char
pam_error(pamh, "%s", mtmp, NULL);
free(mtmp);
}
-
+
if (retval != PAM_SUCCESS)
PAM_VERBOSE_ERROR("Administrator refusing you: %s", NOLOGIN);
- PAM_RETURN(retval);
-}
-
-PAM_EXTERN int
-pam_sm_setcred(pam_handle_t *pamh __unused, int flags __unused, int argc, const char **argv)
-{
- struct options options;
-
- pam_std_option(&options, NULL, argc, argv);
-
- PAM_LOG("Options processed");
-
- PAM_RETURN(PAM_SUCCESS);
-}
-
-PAM_EXTERN int
-pam_sm_acct_mgmt(pam_handle_t *pamh __unused, int flags __unused, int argc ,const char **argv)
-{
- struct options options;
-
- pam_std_option(&options, NULL, argc, argv);
-
- PAM_LOG("Options processed");
-
- PAM_RETURN(PAM_IGNORE);
+ return (retval);
}
PAM_EXTERN int
-pam_sm_chauthtok(pam_handle_t *pamh __unused, int flags __unused, int argc, const char **argv)
+pam_sm_setcred(pam_handle_t *pamh __unused, int flags __unused,
+ int argc __unused, const char *argv[] __unused)
{
- struct options options;
-
- pam_std_option(&options, NULL, argc, argv);
-
- PAM_LOG("Options processed");
-
- PAM_RETURN(PAM_IGNORE);
-}
-
-PAM_EXTERN int
-pam_sm_open_session(pam_handle_t *pamh __unused, int flags __unused, int argc, const char **argv)
-{
- struct options options;
-
- pam_std_option(&options, NULL, argc, argv);
-
- PAM_LOG("Options processed");
-
- PAM_RETURN(PAM_IGNORE);
-}
-
-PAM_EXTERN int
-pam_sm_close_session(pam_handle_t *pamh __unused, int flags __unused, int argc, const char **argv)
-{
- struct options options;
-
- pam_std_option(&options, NULL, argc, argv);
-
- PAM_LOG("Options processed");
- PAM_RETURN(PAM_IGNORE);
+ return (PAM_SUCCESS);
}
PAM_MODULE_ENTRY("pam_nologin");
diff --git a/lib/libpam/modules/pam_opie/pam_opie.c b/lib/libpam/modules/pam_opie/pam_opie.c
index b4bafc9..e5c1488 100644
--- a/lib/libpam/modules/pam_opie/pam_opie.c
+++ b/lib/libpam/modules/pam_opie/pam_opie.c
@@ -1,7 +1,7 @@
/*-
* Copyright 2000 James Bloom
* All rights reserved.
- * Based upon code Copyright 1998 Juniper Networks, Inc.
+ * Based upon code Copyright 1998 Juniper Networks, Inc.
* Copyright (c) 2001,2002 Networks Associates Technology, Inc.
* All rights reserved.
*
@@ -46,16 +46,13 @@ __FBSDID("$FreeBSD$");
#include <unistd.h>
#define PAM_SM_AUTH
-#define PAM_SM_ACCOUNT
-#define PAM_SM_SESSION
-#define PAM_SM_PASSWORD
#include <security/pam_appl.h>
#include <security/pam_modules.h>
#include <security/pam_mod_misc.h>
enum {
- PAM_OPT_AUTH_AS_SELF = PAM_OPT_STD_MAX,
+ PAM_OPT_AUTH_AS_SELF = PAM_OPT_STD_MAX,
PAM_OPT_NO_FAKE_PROMPTS
};
@@ -66,7 +63,8 @@ static struct opttab other_options[] = {
};
PAM_EXTERN int
-pam_sm_authenticate(pam_handle_t *pamh, int flags __unused, int argc, const char **argv)
+pam_sm_authenticate(pam_handle_t *pamh, int flags __unused,
+ int argc, const char *argv[])
{
struct opie opie;
struct options options;
@@ -86,13 +84,13 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags __unused, int argc, const char
user = NULL;
if (pam_test_option(&options, PAM_OPT_AUTH_AS_SELF, NULL)) {
if ((pwd = getpwnam(getlogin())) == NULL)
- PAM_RETURN(PAM_AUTH_ERR);
+ return (PAM_AUTH_ERR);
user = pwd->pw_name;
}
else {
retval = pam_get_user(pamh, (const char **)&user, NULL);
if (retval != PAM_SUCCESS)
- PAM_RETURN(retval);
+ return (retval);
}
PAM_LOG("Got user: %s", user);
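Review bot: `getpwnam(getlogin())` dereferences whatever getlogin() returns, and getlogin() returns NULL when no login name is associated with the session, so the auth_as_self path can crash the calling program instead of failing authentication. Split the call and test the intermediate value: `const char *l = getlogin();` followed by `if (l == NULL || (pwd = getpwnam(l)) == NULL) return (PAM_AUTH_ERR);`. The enclosing function starts and ends outside the hunk.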
@@ -110,22 +108,22 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags __unused, int argc, const char
*/
/* XXX generates a const warning because of incorrect prototype */
if (opiechallenge(&opie, (char *)user, challenge) != 0 &&
- pam_test_option(&options, PAM_OPT_NO_FAKE_PROMPTS, NULL))
- PAM_RETURN(PAM_AUTH_ERR);
-
+ pam_test_option(&options, PAM_OPT_NO_FAKE_PROMPTS, NULL))
+ return (PAM_AUTH_ERR);
+
/*
* It doesn't make sense to use a password that has already been
* typed in, since we haven't presented the challenge to the user
* yet, so clear the stored password.
*/
pam_set_item(pamh, PAM_AUTHTOK, NULL);
-
+
for (i = 0; i < 2; i++) {
snprintf(prompt, sizeof prompt, promptstr[i], challenge);
retval = pam_get_authtok(pamh, PAM_AUTHTOK, &response, prompt);
if (retval != PAM_SUCCESS) {
opieunlock();
- PAM_RETURN(retval);
+ return (retval);
}
PAM_LOG("Completed challenge %d: %s", i, response);
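Review bot: `PAM_LOG("Completed challenge %d: %s", i, response)` writes the value returned by pam_get_authtok(), i.e. what the user typed in answer to the OPIE challenge, into the debug log before it has been verified. Authentication responses should not be logged even when they are one-time values, since the log is typically readable by more parties than the authentication path. Drop the argument: `PAM_LOG("Completed challenge %d", i);`. The rest of the loop body is outside the hunk.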
@@ -147,67 +145,15 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags __unused, int argc, const char
* success or lack thereof.
*/
retval = opieverify(&opie, resp) == 0 ? PAM_SUCCESS : PAM_AUTH_ERR;
- PAM_RETURN(retval);
-}
-
-PAM_EXTERN int
-pam_sm_setcred(pam_handle_t *pamh __unused, int flags __unused, int argc, const char **argv)
-{
- struct options options;
-
- pam_std_option(&options, other_options, argc, argv);
-
- PAM_LOG("Options processed");
-
- PAM_RETURN(PAM_SUCCESS);
+ return (retval);
}
PAM_EXTERN int
-pam_sm_acct_mgmt(pam_handle_t *pamh __unused, int flags __unused, int argc ,const char **argv)
+pam_sm_setcred(pam_handle_t *pamh __unused, int flags __unused,
+ int argc __unused, const char *argv[] __unused)
{
- struct options options;
-
- pam_std_option(&options, NULL, argc, argv);
-
- PAM_LOG("Options processed");
-
- PAM_RETURN(PAM_IGNORE);
-}
-
-PAM_EXTERN int
-pam_sm_chauthtok(pam_handle_t *pamh __unused, int flags __unused, int argc, const char **argv)
-{
- struct options options;
-
- pam_std_option(&options, NULL, argc, argv);
-
- PAM_LOG("Options processed");
-
- PAM_RETURN(PAM_IGNORE);
-}
-
-PAM_EXTERN int
-pam_sm_open_session(pam_handle_t *pamh __unused, int flags __unused, int argc, const char **argv)
-{
- struct options options;
-
- pam_std_option(&options, NULL, argc, argv);
-
- PAM_LOG("Options processed");
-
- PAM_RETURN(PAM_IGNORE);
-}
-
-PAM_EXTERN int
-pam_sm_close_session(pam_handle_t *pamh __unused, int flags __unused, int argc, const char **argv)
-{
- struct options options;
-
- pam_std_option(&options, NULL, argc, argv);
-
- PAM_LOG("Options processed");
- PAM_RETURN(PAM_IGNORE);
+ return (PAM_SUCCESS);
}
PAM_MODULE_ENTRY("pam_opie");
diff --git a/lib/libpam/modules/pam_opieaccess/pam_opieaccess.c b/lib/libpam/modules/pam_opieaccess/pam_opieaccess.c
index 1d559d7..d9499d9 100644
--- a/lib/libpam/modules/pam_opieaccess/pam_opieaccess.c
+++ b/lib/libpam/modules/pam_opieaccess/pam_opieaccess.c
@@ -46,108 +46,49 @@ __FBSDID("$FreeBSD$");
#include <syslog.h>
#define PAM_SM_AUTH
-#define PAM_SM_ACCOUNT
-#define PAM_SM_SESSION
-#define PAM_SM_PASSWORD
#include <security/pam_appl.h>
#include <security/pam_modules.h>
#include <security/pam_mod_misc.h>
PAM_EXTERN int
-pam_sm_authenticate(pam_handle_t *pamh, int flags __unused, int argc, const char **argv)
+pam_sm_authenticate(pam_handle_t *pamh, int flags __unused,
+ int argc __unused, const char *argv[] __unused)
{
- struct options options;
struct opie opie;
struct passwd *pwent;
char *luser, *rhost;
int r;
- pam_std_option(&options, NULL, argc, argv);
-
- PAM_LOG("Options processed");
-
r = pam_get_item(pamh, PAM_USER, (const void **)&luser);
if (r != PAM_SUCCESS)
- PAM_RETURN(r);
+ return (r);
if (luser == NULL)
- PAM_RETURN(PAM_SERVICE_ERR);
+ return (PAM_SERVICE_ERR);
pwent = getpwnam(luser);
if (pwent == NULL || opielookup(&opie, luser) != 0)
- PAM_RETURN(PAM_IGNORE);
-
+ return (PAM_IGNORE);
+
r = pam_get_item(pamh, PAM_RHOST, (const void **)&rhost);
if (r != PAM_SUCCESS)
- PAM_RETURN(r);
-
+ return (r);
+
if ((rhost == NULL || opieaccessfile(rhost)) &&
opiealways(pwent->pw_dir) != 0)
- PAM_RETURN(PAM_IGNORE);
-
- PAM_VERBOSE_ERROR("Refused; remote host is not in opieaccess");
-
- PAM_RETURN(PAM_AUTH_ERR);
-}
-
-PAM_EXTERN int
-pam_sm_setcred(pam_handle_t *pamh __unused, int flags __unused, int argc, const char **argv)
-{
- struct options options;
-
- pam_std_option(&options, NULL, argc, argv);
-
- PAM_LOG("Options processed");
-
- PAM_RETURN(PAM_SUCCESS);
-}
-
-PAM_EXTERN int
-pam_sm_acct_mgmt(pam_handle_t *pamh __unused, int flags __unused, int argc ,const char **argv)
-{
- struct options options;
-
- pam_std_option(&options, NULL, argc, argv);
+ return (PAM_IGNORE);
- PAM_LOG("Options processed");
-
- PAM_RETURN(PAM_IGNORE);
-}
-
-PAM_EXTERN int
-pam_sm_chauthtok(pam_handle_t *pamh __unused, int flags __unused, int argc, const char **argv)
-{
- struct options options;
-
- pam_std_option(&options, NULL, argc, argv);
-
- PAM_LOG("Options processed");
-
- PAM_RETURN(PAM_IGNORE);
-}
-
-PAM_EXTERN int
-pam_sm_open_session(pam_handle_t *pamh __unused, int flags __unused, int argc, const char **argv)
-{
- struct options options;
-
- pam_std_option(&options, NULL, argc, argv);
-
- PAM_LOG("Options processed");
+ PAM_VERBOSE_ERROR("Refused; remote host is not in opieaccess");
- PAM_RETURN(PAM_IGNORE);
+ return (PAM_AUTH_ERR);
}
PAM_EXTERN int
-pam_sm_close_session(pam_handle_t *pamh __unused, int flags __unused, int argc, const char **argv)
+pam_sm_setcred(pam_handle_t *pamh __unused, int flags __unused,
+ int argc __unused, const char *argv[] __unused)
{
- struct options options;
-
- pam_std_option(&options, NULL, argc, argv);
-
- PAM_LOG("Options processed");
- PAM_RETURN(PAM_IGNORE);
+ return (PAM_SUCCESS);
}
PAM_MODULE_ENTRY("pam_opieaccess");
diff --git a/lib/libpam/modules/pam_permit/pam_permit.c b/lib/libpam/modules/pam_permit/pam_permit.c
index 632fbcb..fe0a4ed 100644
--- a/lib/libpam/modules/pam_permit/pam_permit.c
+++ b/lib/libpam/modules/pam_permit/pam_permit.c
@@ -36,94 +36,58 @@ __FBSDID("$FreeBSD$");
#include <security/pam_appl.h>
#include <security/pam_modules.h>
-#include <security/pam_mod_misc.h>
-
-#define NOBODY "nobody"
PAM_EXTERN int
-pam_sm_authenticate(pam_handle_t *pamh, int flags __unused, int argc, const char **argv)
+pam_sm_authenticate(pam_handle_t *pamh, int flags __unused,
+ int argc __unused, const char *argv[] __unused)
{
- struct options options;
- int retval;
const char *user;
+ int r;
- pam_std_option(&options, NULL, argc, argv);
-
- PAM_LOG("Options processed");
-
- /* We always need to know who the user is */
- user = NULL;
- retval = pam_get_user(pamh, &user, NULL);
- if (retval != PAM_SUCCESS)
- PAM_RETURN(retval);
-
- PAM_LOG("Got user: %s", user);
+ if ((r = pam_get_user(pamh, &user, NULL)) != PAM_SUCCESS)
+ return (r);
- if (user == NULL || *user == '\0')
- pam_set_item(pamh, PAM_USER, (const void *)NOBODY);
- user = NULL;
-
- PAM_RETURN(PAM_SUCCESS);
+ return (PAM_SUCCESS);
}
PAM_EXTERN int
-pam_sm_setcred(pam_handle_t *pamh __unused, int flags __unused, int argc, const char **argv)
+pam_sm_setcred(pam_handle_t *pamh __unused, int flags __unused,
+ int argc __unused, const char *argv[] __unused)
{
- struct options options;
-
- pam_std_option(&options, NULL, argc, argv);
- PAM_LOG("Options processed");
-
- PAM_RETURN(PAM_SUCCESS);
+ return (PAM_SUCCESS);
}
PAM_EXTERN int
-pam_sm_acct_mgmt(pam_handle_t *pamh __unused, int flags __unused, int argc ,const char **argv)
+pam_sm_acct_mgmt(pam_handle_t *pamh __unused, int flags __unused,
+ int argc __unused, const char *argv[] __unused)
{
- struct options options;
-
- pam_std_option(&options, NULL, argc, argv);
- PAM_LOG("Options processed");
-
- PAM_RETURN(PAM_SUCCESS);
+ return (PAM_SUCCESS);
}
PAM_EXTERN int
-pam_sm_chauthtok(pam_handle_t *pamh __unused, int flags __unused, int argc, const char **argv)
+pam_sm_chauthtok(pam_handle_t *pamh __unused, int flags __unused,
+ int argc __unused, const char *argv[] __unused)
{
- struct options options;
-
- pam_std_option(&options, NULL, argc, argv);
- PAM_LOG("Options processed");
-
- PAM_RETURN(PAM_SUCCESS);
+ return (PAM_SUCCESS);
}
PAM_EXTERN int
-pam_sm_open_session(pam_handle_t *pamh __unused, int flags __unused, int argc, const char **argv)
+pam_sm_open_session(pam_handle_t *pamh __unused, int flags __unused,
+ int argc __unused, const char *argv[] __unused)
{
- struct options options;
-
- pam_std_option(&options, NULL, argc, argv);
- PAM_LOG("Options processed");
-
- PAM_RETURN(PAM_SUCCESS);
+ return (PAM_SUCCESS);
}
PAM_EXTERN int
-pam_sm_close_session(pam_handle_t *pamh __unused, int flags __unused, int argc, const char **argv)
+pam_sm_close_session(pam_handle_t *pamh __unused, int flags __unused,
+ int argc __unused, const char *argv[] __unused)
{
- struct options options;
-
- pam_std_option(&options, NULL, argc, argv);
-
- PAM_LOG("Options processed");
- PAM_RETURN(PAM_SUCCESS);
+ return (PAM_SUCCESS);
}
PAM_MODULE_ENTRY("pam_permit");
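Review bot: The rewritten pam_sm_authenticate no longer substitutes "nobody" when the login name is NULL or empty, and the commit description does not list that among its changes. Anything later in the stack, or the application itself, that relied on PAM_USER being non-empty after pam_permit now sees whatever pam_get_user() returned. If the removal is deliberate, a short comment above the call would record it, e.g. `/* only ensure a user name was requested; it is not validated or replaced */`. `user` is otherwise unused in the new body.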
diff --git a/lib/libpam/modules/pam_radius/pam_radius.c b/lib/libpam/modules/pam_radius/pam_radius.c
index 56eaff4..a6a3074 100644
--- a/lib/libpam/modules/pam_radius/pam_radius.c
+++ b/lib/libpam/modules/pam_radius/pam_radius.c
@@ -46,15 +46,15 @@ __FBSDID("$FreeBSD$");
#include <unistd.h>
#define PAM_SM_AUTH
-#define PAM_SM_ACCOUNT
-#define PAM_SM_SESSION
-#define PAM_SM_PASSWORD
#include <security/pam_appl.h>
#include <security/pam_modules.h>
#include <security/pam_mod_misc.h>
-enum { PAM_OPT_CONF=PAM_OPT_STD_MAX, PAM_OPT_TEMPLATE_USER };
+enum {
+ PAM_OPT_CONF = PAM_OPT_STD_MAX,
+ PAM_OPT_TEMPLATE_USER
+};
static struct opttab other_options[] = {
{ "conf", PAM_OPT_CONF },
@@ -83,7 +83,7 @@ build_access_request(struct rad_handle *radh, const char *user,
if (rad_create_request(radh, RAD_ACCESS_REQUEST) == -1) {
syslog(LOG_CRIT, "rad_create_request: %s", rad_strerror(radh));
- return -1;
+ return (-1);
}
if ((user != NULL &&
rad_put_string(radh, RAD_USER_NAME, user) == -1) ||
@@ -92,18 +92,18 @@ build_access_request(struct rad_handle *radh, const char *user,
(gethostname(host, sizeof host) != -1 &&
rad_put_string(radh, RAD_NAS_IDENTIFIER, host) == -1)) {
syslog(LOG_CRIT, "rad_put_string: %s", rad_strerror(radh));
- return -1;
+ return (-1);
}
if (state != NULL && rad_put_attr(radh, RAD_STATE, state,
state_len) == -1) {
syslog(LOG_CRIT, "rad_put_attr: %s", rad_strerror(radh));
- return -1;
+ return (-1);
}
if (rad_put_int(radh, RAD_SERVICE_TYPE, RAD_AUTHENTICATE_ONLY) == -1) {
syslog(LOG_CRIT, "rad_put_int: %s", rad_strerror(radh));
- return -1;
+ return (-1);
}
- return 0;
+ return (0);
}
static int
@@ -120,7 +120,7 @@ do_accept(pam_handle_t *pamh, struct rad_handle *radh)
if (s == NULL) {
syslog(LOG_CRIT,
"rad_cvt_string: out of memory");
- return -1;
+ return (-1);
}
pam_set_item(pamh, PAM_USER, s);
free(s);
@@ -128,9 +128,9 @@ do_accept(pam_handle_t *pamh, struct rad_handle *radh)
}
if (attrtype == -1) {
syslog(LOG_CRIT, "rad_get_attr: %s", rad_strerror(radh));
- return -1;
+ return (-1);
}
- return 0;
+ return (0);
}
static int
@@ -164,13 +164,13 @@ do_challenge(pam_handle_t *pamh, struct rad_handle *radh, const char *user)
if (num_msgs >= MAX_CHALLENGE_MSGS) {
syslog(LOG_CRIT,
"Too many RADIUS challenge messages");
- return PAM_SERVICE_ERR;
+ return (PAM_SERVICE_ERR);
}
msgs[num_msgs].msg = rad_cvt_string(attrval, attrlen);
if (msgs[num_msgs].msg == NULL) {
syslog(LOG_CRIT,
"rad_cvt_string: out of memory");
- return PAM_SERVICE_ERR;
+ return (PAM_SERVICE_ERR);
}
msgs[num_msgs].msg_style = PAM_TEXT_INFO;
msg_ptrs[num_msgs] = &msgs[num_msgs];
@@ -180,13 +180,13 @@ do_challenge(pam_handle_t *pamh, struct rad_handle *radh, const char *user)
}
if (attrtype == -1) {
syslog(LOG_CRIT, "rad_get_attr: %s", rad_strerror(radh));
- return PAM_SERVICE_ERR;
+ return (PAM_SERVICE_ERR);
}
if (num_msgs == 0) {
msgs[num_msgs].msg = strdup("(null RADIUS challenge): ");
if (msgs[num_msgs].msg == NULL) {
syslog(LOG_CRIT, "Out of memory");
- return PAM_SERVICE_ERR;
+ return (PAM_SERVICE_ERR);
}
msgs[num_msgs].msg_style = PAM_TEXT_INFO;
msg_ptrs[num_msgs] = &msgs[num_msgs];
@@ -195,25 +195,26 @@ do_challenge(pam_handle_t *pamh, struct rad_handle *radh, const char *user)
msgs[num_msgs-1].msg_style = PAM_PROMPT_ECHO_ON;
if ((retval = pam_get_item(pamh, PAM_CONV, &item)) != PAM_SUCCESS) {
syslog(LOG_CRIT, "do_challenge: cannot get PAM_CONV");
- return retval;
+ return (retval);
}
conv = (const struct pam_conv *)item;
if ((retval = conv->conv(num_msgs, msg_ptrs, &resp,
conv->appdata_ptr)) != PAM_SUCCESS)
- return retval;
+ return (retval);
if (build_access_request(radh, user, resp[num_msgs-1].resp, state,
statelen) == -1)
- return PAM_SERVICE_ERR;
+ return (PAM_SERVICE_ERR);
memset(resp[num_msgs-1].resp, 0, strlen(resp[num_msgs-1].resp));
free(resp[num_msgs-1].resp);
free(resp);
while (num_msgs > 0)
free(msgs[--num_msgs].msg);
- return PAM_SUCCESS;
+ return (PAM_SUCCESS);
}
PAM_EXTERN int
-pam_sm_authenticate(pam_handle_t *pamh, int flags __unused, int argc, const char **argv)
+pam_sm_authenticate(pam_handle_t *pamh, int flags __unused,
+ int argc, const char *argv[])
{
struct options options;
struct rad_handle *radh;
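Review bot: The error returns after the conversation call skip the cleanup at the bottom of do_challenge: when `conv->conv()` fails the `msgs[]` strings are leaked, and when `build_access_request()` fails the function returns before the memset()/free() of `resp[num_msgs-1].resp`, leaving the user's typed response unscrubbed on the heap. The PAM_CONV lookup failure in this hunk and the `return (PAM_SERVICE_ERR)` paths in the two preceding do_challenge hunks leak `msgs[]` in the same way. Routing the failures through a single exit, as sketched below, keeps the scrub and the frees on every path. A compiler may also elide a memset() that directly precedes free(), so the scrub itself deserves a second look. The start of do_challenge is outside this hunk.

```c
	/* … unchanged: PAM_CONV lookup (its failure can also `goto out`) … */
	if ((retval = conv->conv(num_msgs, msg_ptrs, &resp,
	    conv->appdata_ptr)) != PAM_SUCCESS)
		goto out;
	if (build_access_request(radh, user, resp[num_msgs-1].resp, state,
	    statelen) == -1)
		retval = PAM_SERVICE_ERR;
	/* scrub and release the response on success and on failure alike */
	memset(resp[num_msgs-1].resp, 0, strlen(resp[num_msgs-1].resp));
	free(resp[num_msgs-1].resp);
	free(resp);
out:
	while (num_msgs > 0)
		free(msgs[--num_msgs].msg);
	return (retval);
```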
@@ -233,20 +234,20 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags __unused, int argc, const char
retval = pam_get_user(pamh, &user, NULL);
if (retval != PAM_SUCCESS)
- PAM_RETURN(retval);
+ return (retval);
PAM_LOG("Got user: %s", user);
retval = pam_get_authtok(pamh, PAM_AUTHTOK, &pass, PASSWORD_PROMPT);
if (retval != PAM_SUCCESS)
- PAM_RETURN(retval);
+ return (retval);
PAM_LOG("Got password");
radh = rad_open();
if (radh == NULL) {
syslog(LOG_CRIT, "rad_open failed");
- PAM_RETURN(PAM_SERVICE_ERR);
+ return (PAM_SERVICE_ERR);
}
PAM_LOG("Radius opened");
@@ -254,14 +255,14 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags __unused, int argc, const char
if (rad_config(radh, conf_file) == -1) {
syslog(LOG_ALERT, "rad_config: %s", rad_strerror(radh));
rad_close(radh);
- PAM_RETURN(PAM_SERVICE_ERR);
+ return (PAM_SERVICE_ERR);
}
PAM_LOG("Radius config file read");
if (build_access_request(radh, user, pass, NULL, 0) == -1) {
rad_close(radh);
- PAM_RETURN(PAM_SERVICE_ERR);
+ return (PAM_SERVICE_ERR);
}
PAM_LOG("Radius build access done");
@@ -273,7 +274,7 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags __unused, int argc, const char
e = do_accept(pamh, radh);
rad_close(radh);
if (e == -1)
- PAM_RETURN(PAM_SERVICE_ERR);
+ return (PAM_SERVICE_ERR);
if (template_user != NULL) {
PAM_LOG("Trying template user: %s",
@@ -288,7 +289,7 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags __unused, int argc, const char
retval = pam_get_item(pamh, PAM_USER,
(const void **)&tmpuser);
if (retval != PAM_SUCCESS)
- PAM_RETURN(retval);
+ return (retval);
if (getpwnam(tmpuser) == NULL) {
pam_set_item(pamh, PAM_USER,
template_user);
@@ -296,18 +297,18 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags __unused, int argc, const char
}
}
- PAM_RETURN(PAM_SUCCESS);
+ return (PAM_SUCCESS);
case RAD_ACCESS_REJECT:
rad_close(radh);
PAM_VERBOSE_ERROR("Radius rejection");
- PAM_RETURN(PAM_AUTH_ERR);
+ return (PAM_AUTH_ERR);
case RAD_ACCESS_CHALLENGE:
retval = do_challenge(pamh, radh, user);
if (retval != PAM_SUCCESS) {
rad_close(radh);
- PAM_RETURN(retval);
+ return (retval);
}
break;
@@ -316,76 +317,24 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags __unused, int argc, const char
rad_strerror(radh));
rad_close(radh);
PAM_VERBOSE_ERROR("Radius failure");
- PAM_RETURN(PAM_AUTHINFO_UNAVAIL);
+ return (PAM_AUTHINFO_UNAVAIL);
default:
syslog(LOG_CRIT,
"rad_send_request: unexpected return value");
rad_close(radh);
PAM_VERBOSE_ERROR("Radius error");
- PAM_RETURN(PAM_SERVICE_ERR);
+ return (PAM_SERVICE_ERR);
}
}
}
PAM_EXTERN int
-pam_sm_setcred(pam_handle_t *pamh __unused, int flags __unused, int argc, const char **argv)
+pam_sm_setcred(pam_handle_t *pamh __unused, int flags __unused,
+ int argc __unused, const char *argv[] __unused)
{
- struct options options;
-
- pam_std_option(&options, NULL, argc, argv);
-
- PAM_LOG("Options processed");
-
- PAM_RETURN(PAM_SUCCESS);
-}
-
-PAM_EXTERN int
-pam_sm_acct_mgmt(pam_handle_t *pamh __unused, int flags __unused, int argc ,const char **argv)
-{
- struct options options;
-
- pam_std_option(&options, NULL, argc, argv);
-
- PAM_LOG("Options processed");
-
- PAM_RETURN(PAM_IGNORE);
-}
-
-PAM_EXTERN int
-pam_sm_chauthtok(pam_handle_t *pamh __unused, int flags __unused, int argc, const char **argv)
-{
- struct options options;
-
- pam_std_option(&options, NULL, argc, argv);
-
- PAM_LOG("Options processed");
-
- PAM_RETURN(PAM_IGNORE);
-}
-
-PAM_EXTERN int
-pam_sm_open_session(pam_handle_t *pamh __unused, int flags __unused, int argc, const char **argv)
-{
- struct options options;
-
- pam_std_option(&options, NULL, argc, argv);
-
- PAM_LOG("Options processed");
-
- PAM_RETURN(PAM_IGNORE);
-}
-
-PAM_EXTERN int
-pam_sm_close_session(pam_handle_t *pamh __unused, int flags __unused, int argc, const char **argv)
-{
- struct options options;
-
- pam_std_option(&options, NULL, argc, argv);
-
- PAM_LOG("Options processed");
- PAM_RETURN(PAM_IGNORE);
+ return (PAM_SUCCESS);
}
PAM_MODULE_ENTRY("pam_radius");
diff --git a/lib/libpam/modules/pam_rootok/pam_rootok.c b/lib/libpam/modules/pam_rootok/pam_rootok.c
index 1134836..16fab1f 100644
--- a/lib/libpam/modules/pam_rootok/pam_rootok.c
+++ b/lib/libpam/modules/pam_rootok/pam_rootok.c
@@ -43,90 +43,31 @@ __FBSDID("$FreeBSD$");
#include <syslog.h>
#define PAM_SM_AUTH
-#define PAM_SM_ACCOUNT
-#define PAM_SM_SESSION
-#define PAM_SM_PASSWORD
#include <security/pam_appl.h>
#include <security/pam_modules.h>
#include <security/pam_mod_misc.h>
PAM_EXTERN int
-pam_sm_authenticate(pam_handle_t *pamh, int flags __unused, int argc, const char **argv)
+pam_sm_authenticate(pam_handle_t *pamh, int flags __unused,
+ int argc __unused, const char *argv[] __unused)
{
- struct options options;
-
- pam_std_option(&options, NULL, argc, argv);
-
- PAM_LOG("Options processed");
if (getuid() == 0)
- PAM_RETURN(PAM_SUCCESS);
+ return (PAM_SUCCESS);
PAM_VERBOSE_ERROR("Refused; not superuser");
PAM_LOG("User is not superuser");
- PAM_RETURN(PAM_AUTH_ERR);
-}
-
-PAM_EXTERN int
-pam_sm_setcred(pam_handle_t *pamh __unused, int flags __unused, int argc, const char **argv)
-{
- struct options options;
-
- pam_std_option(&options, NULL, argc, argv);
-
- PAM_LOG("Options processed");
-
- PAM_RETURN(PAM_SUCCESS);
-}
-
-PAM_EXTERN int
-pam_sm_acct_mgmt(pam_handle_t *pamh __unused, int flags __unused, int argc ,const char **argv)
-{
- struct options options;
-
- pam_std_option(&options, NULL, argc, argv);
-
- PAM_LOG("Options processed");
-
- PAM_RETURN(PAM_IGNORE);
+ return (PAM_AUTH_ERR);
}
PAM_EXTERN int
-pam_sm_chauthtok(pam_handle_t *pamh __unused, int flags __unused, int argc, const char **argv)
+pam_sm_setcred(pam_handle_t *pamh __unused, int flags __unused,
+ int argc __unused, const char *argv[] __unused)
{
- struct options options;
-
- pam_std_option(&options, NULL, argc, argv);
-
- PAM_LOG("Options processed");
-
- PAM_RETURN(PAM_IGNORE);
-}
-
-PAM_EXTERN int
-pam_sm_open_session(pam_handle_t *pamh __unused, int flags __unused, int argc, const char **argv)
-{
- struct options options;
-
- pam_std_option(&options, NULL, argc, argv);
-
- PAM_LOG("Options processed");
-
- PAM_RETURN(PAM_IGNORE);
-}
-
-PAM_EXTERN int
-pam_sm_close_session(pam_handle_t *pamh __unused, int flags __unused, int argc, const char **argv)
-{
- struct options options;
-
- pam_std_option(&options, NULL, argc, argv);
-
- PAM_LOG("Options processed");
- PAM_RETURN(PAM_IGNORE);
+ return (PAM_SUCCESS);
}
PAM_MODULE_ENTRY("pam_rootok");
diff --git a/lib/libpam/modules/pam_securetty/pam_securetty.c b/lib/libpam/modules/pam_securetty/pam_securetty.c
index 93db9c1..5dd7c90 100644
--- a/lib/libpam/modules/pam_securetty/pam_securetty.c
+++ b/lib/libpam/modules/pam_securetty/pam_securetty.c
@@ -43,10 +43,7 @@ __FBSDID("$FreeBSD$");
#include <ttyent.h>
#include <string.h>
-#define PAM_SM_AUTH
#define PAM_SM_ACCOUNT
-#define PAM_SM_SESSION
-#define PAM_SM_PASSWORD
#include <security/pam_appl.h>
#include <security/pam_modules.h>
@@ -54,59 +51,30 @@ __FBSDID("$FreeBSD$");
#define TTY_PREFIX "/dev/"
-PAM_EXTERN int
-pam_sm_authenticate(pam_handle_t *pamh __unused, int flags __unused, int argc, const char **argv)
-{
- struct options options;
-
- pam_std_option(&options, NULL, argc, argv);
-
- PAM_LOG("Options processed");
-
- PAM_RETURN(PAM_IGNORE);
-}
-
-PAM_EXTERN
-int
-pam_sm_setcred(pam_handle_t *pamh __unused, int flags __unused, int argc, const char **argv)
-{
- struct options options;
-
- pam_std_option(&options, NULL, argc, argv);
-
- PAM_LOG("Options processed");
-
- PAM_RETURN(PAM_SUCCESS);
-}
-
PAM_EXTERN int
-pam_sm_acct_mgmt(pam_handle_t *pamh __unused, int flags __unused, int argc ,const char **argv)
+pam_sm_acct_mgmt(pam_handle_t *pamh __unused, int flags __unused,
+ int argc __unused, const char *argv[] __unused)
{
- struct options options;
struct passwd *pwd;
struct ttyent *ty;
const char *user, *tty;
int pam_err;
- pam_std_option(&options, NULL, argc, argv);
-
- PAM_LOG("Options processed");
-
pam_err = pam_get_user(pamh, &user, NULL);
if (pam_err != PAM_SUCCESS)
- PAM_RETURN(pam_err);
+ return (pam_err);
if (user == NULL || (pwd = getpwnam(user)) == NULL)
- PAM_RETURN(PAM_SERVICE_ERR);
+ return (PAM_SERVICE_ERR);
PAM_LOG("Got user: %s", user);
/* If the user is not root, secure ttys do not apply */
if (pwd->pw_uid != 0)
- PAM_RETURN(PAM_SUCCESS);
+ return (PAM_SUCCESS);
pam_err = pam_get_item(pamh, PAM_TTY, (const void **)&tty);
if (pam_err != PAM_SUCCESS)
- PAM_RETURN(pam_err);
+ return (pam_err);
PAM_LOG("Got TTY: %s", tty);
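Review bot: The new `pam_sm_acct_mgmt` signature marks `pamh` as `__unused`, yet the body passes it to `pam_get_user()` and `pam_get_item()` a few lines below, so the annotation is misleading and should be dropped: `pam_sm_acct_mgmt(pam_handle_t *pamh, int flags __unused,`. The same mismatch shows in the pam_unix hunks, where `pam_sm_authenticate` and `pam_sm_acct_mgmt` keep `int flags __unused` while testing `flags & PAM_DISALLOW_NULL_AUTHTOK`. If PAM_VERBOSE_ERROR now reads `flags` to honour PAM_SILENT, as the commit message says, `flags __unused` is presumably stale in every function that calls that macro; the macro definition is not visible here, so this needs confirming. The function body continues into the next hunk.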
@@ -118,46 +86,10 @@ pam_sm_acct_mgmt(pam_handle_t *pamh __unused, int flags __unused, int argc ,cons
if (tty != NULL && (ty = getttynam(tty)) != NULL &&
(ty->ty_status & TTY_SECURE) != 0)
- PAM_RETURN(PAM_SUCCESS);
-
- PAM_VERBOSE_ERROR("Not on secure TTY");
- PAM_RETURN(PAM_AUTH_ERR);
-}
-
-PAM_EXTERN int
-pam_sm_chauthtok(pam_handle_t *pamh __unused, int flags __unused, int argc, const char **argv)
-{
- struct options options;
-
- pam_std_option(&options, NULL, argc, argv);
-
- PAM_LOG("Options processed");
-
- PAM_RETURN(PAM_IGNORE);
-}
-
-PAM_EXTERN int
-pam_sm_open_session(pam_handle_t *pamh __unused, int flags __unused, int argc, const char **argv)
-{
- struct options options;
-
- pam_std_option(&options, NULL, argc, argv);
+ return (PAM_SUCCESS);
- PAM_LOG("Options processed");
-
- PAM_RETURN(PAM_IGNORE);
-}
-
-PAM_EXTERN int
-pam_sm_close_session(pam_handle_t *pamh __unused, int flags __unused, int argc, const char **argv)
-{
- struct options options;
-
- pam_std_option(&options, NULL, argc, argv);
-
- PAM_LOG("Options processed");
-
- PAM_RETURN(PAM_IGNORE);
+ PAM_VERBOSE_ERROR("Not on secure TTY");
+ return (PAM_AUTH_ERR);
}
PAM_MODULE_ENTRY("pam_securetty");
diff --git a/lib/libpam/modules/pam_self/pam_self.c b/lib/libpam/modules/pam_self/pam_self.c
index e3252bf..63df46c 100644
--- a/lib/libpam/modules/pam_self/pam_self.c
+++ b/lib/libpam/modules/pam_self/pam_self.c
@@ -44,112 +44,46 @@ __FBSDID("$FreeBSD$");
#include <syslog.h>
#define PAM_SM_AUTH
-#define PAM_SM_ACCOUNT
-#define PAM_SM_SESSION
-#define PAM_SM_PASSWORD
#include <security/pam_appl.h>
#include <security/pam_modules.h>
#include <security/pam_mod_misc.h>
-enum {
- PAM_OPT_ALLOW_ROOT = PAM_OPT_STD_MAX,
-};
-
-static struct opttab other_options[] = {
- { "allow_root", PAM_OPT_ALLOW_ROOT },
- { NULL, 0 }
-};
+#define OPT_ALLOW_ROOT "allow_root"
PAM_EXTERN int
-pam_sm_authenticate(pam_handle_t *pamh, int flags __unused, int argc, const char **argv)
+pam_sm_authenticate(pam_handle_t *pamh, int flags __unused,
+ int argc __unused, const char *argv[] __unused)
{
- struct options options;
struct passwd *pwd;
const char *luser;
int pam_err;
uid_t uid;
- pam_std_option(&options, other_options, argc, argv);
-
- PAM_LOG("Options processed");
-
pam_err = pam_get_user(pamh, &luser, NULL);
if (pam_err != PAM_SUCCESS)
- PAM_RETURN(pam_err);
+ return (pam_err);
if (luser == NULL || (pwd = getpwnam(luser)) == NULL)
- PAM_RETURN(PAM_AUTH_ERR);
+ return (PAM_AUTH_ERR);
uid = getuid();
- if (uid == 0 && !pam_test_option(&options, PAM_OPT_ALLOW_ROOT, NULL))
- PAM_RETURN(PAM_AUTH_ERR);
-
- if (uid == (uid_t)pwd->pw_uid)
- PAM_RETURN(PAM_SUCCESS);
-
- PAM_VERBOSE_ERROR("Refused; source and target users differ");
-
- PAM_RETURN(PAM_AUTH_ERR);
-}
-
-PAM_EXTERN int
-pam_sm_setcred(pam_handle_t *pamh __unused, int flags __unused, int argc, const char **argv)
-{
- struct options options;
-
- pam_std_option(&options, NULL, argc, argv);
-
- PAM_LOG("Options processed");
-
- PAM_RETURN(PAM_SUCCESS);
-}
-
-PAM_EXTERN int
-pam_sm_acct_mgmt(pam_handle_t *pamh __unused, int flags __unused, int argc ,const char **argv)
-{
- struct options options;
-
- pam_std_option(&options, NULL, argc, argv);
+ if (uid == 0 && !openpam_get_option(pamh, OPT_ALLOW_ROOT))
+ return (PAM_AUTH_ERR);
- PAM_LOG("Options processed");
-
- PAM_RETURN(PAM_IGNORE);
-}
-
-PAM_EXTERN int
-pam_sm_chauthtok(pam_handle_t *pamh __unused, int flags __unused, int argc, const char **argv)
-{
- struct options options;
-
- pam_std_option(&options, NULL, argc, argv);
-
- PAM_LOG("Options processed");
-
- PAM_RETURN(PAM_IGNORE);
-}
-
-PAM_EXTERN int
-pam_sm_open_session(pam_handle_t *pamh __unused, int flags __unused, int argc, const char **argv)
-{
- struct options options;
-
- pam_std_option(&options, NULL, argc, argv);
+ if (uid == (uid_t)pwd->pw_uid)
+ return (PAM_SUCCESS);
- PAM_LOG("Options processed");
+ PAM_VERBOSE_ERROR("Refused; source and target users differ");
- PAM_RETURN(PAM_IGNORE);
+ return (PAM_AUTH_ERR);
}
PAM_EXTERN int
-pam_sm_close_session(pam_handle_t *pamh __unused, int flags __unused, int argc, const char **argv)
+pam_sm_setcred(pam_handle_t *pamh __unused, int flags __unused,
+ int argc __unused, const char *argv[] __unused)
{
- struct options options;
-
- pam_std_option(&options, NULL, argc, argv);
-
- PAM_LOG("Options processed");
- PAM_RETURN(PAM_IGNORE);
+ return (PAM_SUCCESS);
}
PAM_MODULE_ENTRY("pam_self");
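Review bot: The root refusal at `if (uid == 0 && !openpam_get_option(pamh, OPT_ALLOW_ROOT))` returns PAM_AUTH_ERR with no message or log entry, while the uid-mismatch path just below it reports "Refused; source and target users differ". An administrator looking at a denied request cannot tell the two outcomes apart; a line such as `PAM_LOG("Refused; root requires the allow_root option");` before the return would make the decision auditable. A short comment above the check saying that it compares the real uid from `getuid()` and that root is excluded unless `allow_root` is set would also document the policy for the next reader.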
diff --git a/lib/libpam/modules/pam_ssh/pam_ssh.c b/lib/libpam/modules/pam_ssh/pam_ssh.c
index 929ff4f..36c86dd 100644
--- a/lib/libpam/modules/pam_ssh/pam_ssh.c
+++ b/lib/libpam/modules/pam_ssh/pam_ssh.c
@@ -52,13 +52,10 @@ __FBSDID("$FreeBSD$");
#include <unistd.h>
#define PAM_SM_AUTH
-#define PAM_SM_ACCOUNT
#define PAM_SM_SESSION
-#define PAM_SM_PASSWORD
#include <security/pam_appl.h>
#include <security/pam_modules.h>
-#include <security/pam_mod_misc.h>
#include <security/openpam.h>
#include <openssl/dsa.h>
@@ -119,8 +116,8 @@ auth_via_key(pam_handle_t *pamh, const char *file, const char *dir,
/* locate the user's private key file */
if (!asprintf(&path, "%s/%s", dir, file)) {
- openpam_log(PAM_LOG_ERROR, "%s: %m", MODULE_NAME);
- return PAM_SERVICE_ERR;
+ openpam_log(PAM_LOG_ERROR, "%m");
+ return (PAM_SERVICE_ERR);
}
/* Try to decrypt the private key with the passphrase provided. If
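Review bot: `if (!asprintf(&path, "%s/%s", dir, file))` does not detect failure, because asprintf() reports an error by returning -1 and `!(-1)` is false; the error branch whose log line this hunk edits is effectively dead, and `path` is then used without a valid value. The test should read `if (asprintf(&path, "%s/%s", dir, file) == -1) {`, which is the form pam_sm_open_session already uses for `per_agent` and `per_session`. The same `!asprintf(...)` pattern appears in later hunks of this file: both `data_name` calls in auth_via_key, both in add_keys, and the `dotdir` call in pam_sm_authenticate. auth_via_key starts and ends outside this hunk.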
@@ -128,7 +125,7 @@ auth_via_key(pam_handle_t *pamh, const char *file, const char *dir,
comment = NULL;
if ((retval = openpam_borrow_cred(pamh, user)) != PAM_SUCCESS)
- return retval;
+ return (retval);
key = key_load_private(path, pass, &comment);
openpam_restore_cred(pamh);
free(path);
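Review bot: The early return after a failed `openpam_borrow_cred()` leaks `path`, which was allocated by asprintf() just above and is only freed on the line after `openpam_restore_cred()`. Release it on the error path as well: `if ((retval = openpam_borrow_cred(pamh, user)) != PAM_SUCCESS) { free(path); return (retval); }`. The surrounding function extends beyond this hunk.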
@@ -136,38 +133,38 @@ auth_via_key(pam_handle_t *pamh, const char *file, const char *dir,
comment = strdup(file);
if (!key) {
free(comment);
- return PAM_AUTH_ERR;
+ return (PAM_AUTH_ERR);
}
/* save the key and comment to pass to ssh-agent in the session
phase */
if (!asprintf(&data_name, "ssh_private_key_%d", key_idx)) {
- openpam_log(PAM_LOG_ERROR, "%s: %m", MODULE_NAME);
+ openpam_log(PAM_LOG_ERROR, "%m");
free(comment);
- return PAM_SERVICE_ERR;
+ return (PAM_SERVICE_ERR);
}
retval = pam_set_data(pamh, data_name, key, key_cleanup);
free(data_name);
if (retval != PAM_SUCCESS) {
key_free(key);
free(comment);
- return retval;
+ return (retval);
}
if (!asprintf(&data_name, "ssh_key_comment_%d", key_idx)) {
- openpam_log(PAM_LOG_ERROR, "%s: %m", MODULE_NAME);
+ openpam_log(PAM_LOG_ERROR, "%m");
free(comment);
- return PAM_SERVICE_ERR;
+ return (PAM_SERVICE_ERR);
}
retval = pam_set_data(pamh, data_name, comment, ssh_cleanup);
free(data_name);
if (retval != PAM_SUCCESS) {
free(comment);
- return retval;
+ return (retval);
}
++key_idx;
- return PAM_SUCCESS;
+ return (PAM_SUCCESS);
}
@@ -202,7 +199,7 @@ add_keys(pam_handle_t *pamh)
saved = environ;
if ((environ = pam_getenvlist(pamh)) == NULL) {
environ = saved;
- openpam_log(PAM_LOG_ERROR, "%s: %m", MODULE_NAME);
+ openpam_log(PAM_LOG_ERROR, "%m");
return (PAM_BUF_ERR);
}
ac = ssh_get_authentication_connection();
@@ -212,8 +209,8 @@ add_keys(pam_handle_t *pamh)
environ = saved;
}
if (!ac) {
- openpam_log(PAM_LOG_ERROR, "%s: %s: %m", MODULE_NAME, socket);
- return PAM_SESSION_ERR;
+ openpam_log(PAM_LOG_ERROR, "%m");
+ return (PAM_SESSION_ERR);
}
/* hand off each private key to the agent */
@@ -221,18 +218,18 @@ add_keys(pam_handle_t *pamh)
final = 0;
for (key_idx = 0; ; key_idx++) {
if (!asprintf(&data_name, "ssh_private_key_%d", key_idx)) {
- openpam_log(PAM_LOG_ERROR, "%s: %m", MODULE_NAME);
+ openpam_log(PAM_LOG_ERROR, "%m");
ssh_close_authentication_connection(ac);
- return PAM_SERVICE_ERR;
+ return (PAM_SERVICE_ERR);
}
retval = pam_get_data(pamh, data_name, (const void **)&key);
free(data_name);
if (retval != PAM_SUCCESS)
break;
if (!asprintf(&data_name, "ssh_key_comment_%d", key_idx)) {
- openpam_log(PAM_LOG_ERROR, "%s: %m", MODULE_NAME);
+ openpam_log(PAM_LOG_ERROR, "%m");
ssh_close_authentication_connection(ac);
- return PAM_SERVICE_ERR;
+ return (PAM_SERVICE_ERR);
}
retval = pam_get_data(pamh, data_name,
(const void **)&comment);
@@ -245,19 +242,19 @@ add_keys(pam_handle_t *pamh)
}
ssh_close_authentication_connection(ac);
- return final ? PAM_SUCCESS : PAM_SESSION_ERR;
+ return (final ? PAM_SUCCESS : PAM_SESSION_ERR);
}
PAM_EXTERN int
pam_sm_authenticate(pam_handle_t *pamh, int flags __unused,
- int argc, const char **argv)
+ int argc __unused, const char *argv[] __unused)
{
int authenticated; /* user authenticated? */
char *dotdir; /* .ssh dir name */
char *file; /* current key file */
- char *keyfiles; /* list of key files to add */
- int options; /* options for pam_get_pass() */
+ const char *kfspec; /* list of key files to add */
+ char *keyfiles;
const char *pass; /* passphrase */
const struct passwd *pwent; /* user's passwd entry */
struct passwd *pwent_keep; /* our own copy */
@@ -265,28 +262,27 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags __unused,
const char *user; /* username */
keyfiles = NULL;
- options = 0;
- for (; argc; argc--, argv++)
- if (strncmp(*argv, OPT_KEYFILES "=", sizeof OPT_KEYFILES)
- == 0) {
- if (!(keyfiles = strchr(*argv, '=') + 1))
- return PAM_AUTH_ERR;
- } else if (strcmp(*argv, OPT_TRY_FIRST_PASS) == 0)
- options |= PAM_OPT_TRY_FIRST_PASS;
- else if (strcmp(*argv, OPT_USE_FIRST_PASS) == 0)
- options |= PAM_OPT_USE_FIRST_PASS;
-
+ if ((kfspec = openpam_get_option(pamh, OPT_KEYFILES)) != NULL) {
+ if ((kfspec = strchr(kfspec, '=')) == NULL) {
+ openpam_log(PAM_LOG_ERROR, "invalid keyfile list");
+ return (PAM_SERVICE_ERR);
+ }
+ ++kfspec;
+ } else {
+ kfspec = DEF_KEYFILES;
+ }
if ((retval = pam_get_user(pamh, &user, NULL)) != PAM_SUCCESS)
- return retval;
- if (!((pwent = getpwnam(user)) && pwent->pw_dir))
- return PAM_AUTH_ERR;
+ return (retval);
+ if (user == NULL || (pwent = getpwnam(user)) == NULL ||
+ pwent->pw_dir == NULL || pwent->pw_dir[0] == '\0')
+ return (PAM_AUTH_ERR);
/* pass prompt message to application and receive passphrase */
retval = pam_get_authtok(pamh, PAM_AUTHTOK, &pass, NEED_PASSPHRASE);
if (retval != PAM_SUCCESS)
- return retval;
+ return (retval);
OpenSSL_add_all_algorithms(); /* required for DSA */
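Review bot: The `strchr(kfspec, '=')` step assumes `openpam_get_option()` hands back the whole `keyfiles=...` argument; if it returns only the text after the `=` (I believe that is the OpenPAM contract, but it is not visible on this page), every valid `keyfiles` setting would land in the "invalid keyfile list" branch and the module would fail with PAM_SERVICE_ERR. Please confirm the return contract, and if it is the value, use it directly and reject only an empty list, e.g. `if (*kfspec == '\0') {` in place of the `strchr` test and without the `++kfspec;`. The rest of pam_sm_authenticate lies outside this hunk.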
@@ -295,50 +291,51 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags __unused,
session phase */
if (!asprintf(&dotdir, "%s/%s", pwent->pw_dir, SSH_CLIENT_DIR)) {
- openpam_log(PAM_LOG_ERROR, "%s: %m", MODULE_NAME);
- return PAM_SERVICE_ERR;
+ openpam_log(PAM_LOG_ERROR, "%m");
+ return (PAM_SERVICE_ERR);
}
authenticated = 0;
- keyfiles = strdup(keyfiles ? keyfiles : DEF_KEYFILES);
+ keyfiles = strdup(kfspec);
for (file = strtok(keyfiles, SEP_KEYFILES); file;
file = strtok(NULL, SEP_KEYFILES))
if (auth_via_key(pamh, file, dotdir, pwent, pass) ==
PAM_SUCCESS)
authenticated++;
- free(dotdir);
free(keyfiles);
+ free(dotdir);
if (!authenticated)
- return PAM_AUTH_ERR;
+ return (PAM_AUTH_ERR);
/* copy the passwd entry (in case successive calls are made) and
save it for the session phase */
if (!(pwent_keep = malloc(sizeof *pwent))) {
openpam_log(PAM_LOG_ERROR, "%m");
- return PAM_SERVICE_ERR;
+ return (PAM_SERVICE_ERR);
}
(void) memcpy(pwent_keep, pwent, sizeof *pwent_keep);
if ((retval = pam_set_data(pamh, "ssh_passwd_entry", pwent_keep,
ssh_cleanup)) != PAM_SUCCESS) {
free(pwent_keep);
- return retval;
+ return (retval);
}
- return PAM_SUCCESS;
+ return (PAM_SUCCESS);
}
PAM_EXTERN int
pam_sm_setcred(pam_handle_t *pamh __unused, int flags __unused,
- int argc __unused, const char **argv __unused)
+ int argc __unused, const char *argv[] __unused)
{
- return PAM_SUCCESS;
+
+ return (PAM_SUCCESS);
}
PAM_EXTERN int
pam_sm_open_session(pam_handle_t *pamh, int flags __unused,
- int argc __unused, const char **argv __unused)
+ int argc __unused, const char *argv[] __unused)
{
char *agent_socket; /* agent socket */
char *env_end; /* end of env */
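Review bot: `keyfiles = strdup(kfspec);` is not checked, so on allocation failure the loop calls `strtok(NULL, SEP_KEYFILES)` and continues from whatever state an earlier strtok() user left behind. Add `if (keyfiles == NULL) { free(dotdir); return (PAM_BUF_ERR); }` before the loop. Since the module runs inside whichever application loaded it, `strsep()` or `strtok_r()` would also avoid disturbing that application's own strtok() state. pam_sm_authenticate begins in an earlier hunk.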
@@ -359,7 +356,7 @@ pam_sm_open_session(pam_handle_t *pamh, int flags __unused,
/* dump output of ssh-agent in ~/.ssh */
if ((retval = pam_get_data(pamh, "ssh_passwd_entry",
(const void **)&pwent)) != PAM_SUCCESS)
- return retval;
+ return (retval);
/*
* Use reference counts to limit agents to one per user per host.
@@ -379,8 +376,8 @@ pam_sm_open_session(pam_handle_t *pamh, int flags __unused,
(void) gethostname(hname, sizeof hname);
if (asprintf(&per_agent, "%s/.ssh/agent-%s", pwent->pw_dir, hname)
== -1) {
- openpam_log(PAM_LOG_ERROR, "%s: %m", MODULE_NAME);
- return PAM_SERVICE_ERR;
+ openpam_log(PAM_LOG_ERROR, "%m");
+ return (PAM_SERVICE_ERR);
}
/* save the per-agent filename in case we want to delete it on
@@ -389,14 +386,14 @@ pam_sm_open_session(pam_handle_t *pamh, int flags __unused,
if ((retval = pam_set_data(pamh, "ssh_agent_env_agent", per_agent,
ssh_cleanup)) != PAM_SUCCESS) {
free(per_agent);
- return retval;
+ return (retval);
}
/* take on the user's privileges for writing files and starting the
agent */
if ((retval = openpam_borrow_cred(pamh, pwent)) != PAM_SUCCESS)
- return retval;
+ return (retval);
/* Try to create the per-agent file or open it for reading if it
exists. If we can't do either, we won't try to link a
@@ -416,11 +413,10 @@ pam_sm_open_session(pam_handle_t *pamh, int flags __unused,
env_read = popen(SSH_AGENT, "r");
openpam_restore_cred(pamh);
if (!env_read) {
- openpam_log(PAM_LOG_ERROR, "%s: %s: %m", MODULE_NAME,
- SSH_AGENT);
+ openpam_log(PAM_LOG_ERROR, "%s: %m", SSH_AGENT);
if (env_write >= 0)
(void) close(env_write);
- return PAM_SESSION_ERR;
+ return (PAM_SESSION_ERR);
}
}
@@ -451,7 +447,7 @@ pam_sm_open_session(pam_handle_t *pamh, int flags __unused,
(void) close(env_write);
if (agent_socket)
free(agent_socket);
- return PAM_SERVICE_ERR;
+ return (PAM_SERVICE_ERR);
}
*env_value++ = '\0';
@@ -463,7 +459,7 @@ pam_sm_open_session(pam_handle_t *pamh, int flags __unused,
if (strcmp(&env_string[strlen(env_string) -
strlen(ENV_SOCKET_SUFFIX)], ENV_SOCKET_SUFFIX) == 0 &&
!(agent_socket = strdup(env_value))) {
- openpam_log(PAM_LOG_ERROR, "%s: %m", MODULE_NAME);
+ openpam_log(PAM_LOG_ERROR, "%m");
if (start_agent)
(void) pclose(env_read);
else
@@ -472,7 +468,7 @@ pam_sm_open_session(pam_handle_t *pamh, int flags __unused,
(void) close(env_write);
if (agent_socket)
free(agent_socket);
- return PAM_SERVICE_ERR;
+ return (PAM_SERVICE_ERR);
} else if (strcmp(&env_string[strlen(env_string) -
strlen(ENV_PID_SUFFIX)], ENV_PID_SUFFIX) == 0 &&
((agent_pid = strdup(env_value)) == NULL ||
@@ -488,7 +484,7 @@ pam_sm_open_session(pam_handle_t *pamh, int flags __unused,
free(agent_socket);
if (agent_pid)
free(agent_pid);
- return retval;
+ return (retval);
}
}
@@ -498,56 +494,54 @@ pam_sm_open_session(pam_handle_t *pamh, int flags __unused,
if (start_agent) {
switch (retval = pclose(env_read)) {
case -1:
- openpam_log(PAM_LOG_ERROR, "%s: %s: %m", MODULE_NAME,
- SSH_AGENT);
+ openpam_log(PAM_LOG_ERROR, "%s: %m", SSH_AGENT);
if (agent_socket)
free(agent_socket);
- return PAM_SESSION_ERR;
+ return (PAM_SESSION_ERR);
case 0:
break;
case 127:
- openpam_log(PAM_LOG_ERROR, "%s: cannot execute %s",
- MODULE_NAME, SSH_AGENT);
+ openpam_log(PAM_LOG_ERROR, "cannot execute %s",
+ SSH_AGENT);
if (agent_socket)
free(agent_socket);
- return PAM_SESSION_ERR;
+ return (PAM_SESSION_ERR);
default:
- openpam_log(PAM_LOG_ERROR, "%s: %s exited %s %d",
- MODULE_NAME,
+ openpam_log(PAM_LOG_ERROR, "%s exited %s %d",
SSH_AGENT, WIFSIGNALED(retval) ? "on signal" :
"with status", WIFSIGNALED(retval) ?
WTERMSIG(retval) : WEXITSTATUS(retval));
if (agent_socket)
free(agent_socket);
- return PAM_SESSION_ERR;
+ return (PAM_SESSION_ERR);
}
} else
(void) fclose(env_read);
if (!agent_socket)
- return PAM_SESSION_ERR;
+ return (PAM_SESSION_ERR);
if (start_agent && (retval = add_keys(pamh))
!= PAM_SUCCESS)
- return retval;
+ return (retval);
free(agent_socket);
/* if we couldn't access the per-agent file, don't link a
per-session filename to it */
if (no_link)
- return PAM_SUCCESS;
+ return (PAM_SUCCESS);
/* the per-session file contains the display name or tty name as
well as the hostname */
if ((retval = pam_get_item(pamh, PAM_TTY, (const void **)&tty))
!= PAM_SUCCESS)
- return retval;
+ return (retval);
if (asprintf(&per_session, "%s/.ssh/agent-%s-%s", pwent->pw_dir,
hname, tty) == -1) {
- openpam_log(PAM_LOG_ERROR, "%s: %m", MODULE_NAME);
- return PAM_SERVICE_ERR;
+ openpam_log(PAM_LOG_ERROR, "%m");
+ return (PAM_SERVICE_ERR);
}
/* save the per-session filename so we can delete it on session
@@ -556,19 +550,19 @@ pam_sm_open_session(pam_handle_t *pamh, int flags __unused,
if ((retval = pam_set_data(pamh, "ssh_agent_env_session",
per_session, ssh_cleanup)) != PAM_SUCCESS) {
free(per_session);
- return retval;
+ return (retval);
}
(void) unlink(per_session); /* remove cruft */
(void) link(per_agent, per_session);
- return PAM_SUCCESS;
+ return (PAM_SUCCESS);
}
PAM_EXTERN int
pam_sm_close_session(pam_handle_t *pamh, int flags __unused,
- int argc __unused, const char **argv __unused)
+ int argc __unused, const char *argv[] __unused)
{
const char *env_file; /* ssh-agent environment */
pid_t pid; /* ssh-agent process id */
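Review bot: The results of `unlink(per_session)` and `link(per_agent, per_session)` are discarded, and both act on paths under the user's own `~/.ssh`. If the borrowed credentials have already been given back by this point (the `openpam_restore_cred()` right after `popen()` in an earlier hunk suggests so, but the code in between is not shown), these calls run with the application's privileges in a directory the user controls. Doing the two file operations under the user's credentials and logging a failed link keeps them confined to what the user could do anyway; the start of pam_sm_open_session is outside this hunk.

```c
/* … unchanged: pam_set_data("ssh_agent_env_session") … */
if (openpam_borrow_cred(pamh, pwent) == PAM_SUCCESS) {
	(void) unlink(per_session);	/* remove cruft */
	if (link(per_agent, per_session) == -1)
		openpam_log(PAM_LOG_ERROR, "%s: %m", per_session);
	openpam_restore_cred(pamh);
}
```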
@@ -588,7 +582,7 @@ pam_sm_close_session(pam_handle_t *pamh, int flags __unused,
(const void **)&env_file)) == PAM_SUCCESS && env_file &&
stat(env_file, &sb) == 0) {
if (sb.st_nlink > 1)
- return PAM_SUCCESS;
+ return (PAM_SUCCESS);
(void) unlink(env_file);
}
@@ -596,35 +590,20 @@ pam_sm_close_session(pam_handle_t *pamh, int flags __unused,
if ((retval = pam_get_data(pamh, "ssh_agent_pid",
(const void **)&ssh_agent_pid)) != PAM_SUCCESS)
- return retval;
+ return (retval);
/* Kill the agent. SSH's ssh-agent does not have a -k option, so
just call kill(). */
pid = atoi(ssh_agent_pid);
if (pid <= 0)
- return PAM_SESSION_ERR;
+ return (PAM_SESSION_ERR);
if (kill(pid, SIGTERM) != 0) {
- openpam_log(PAM_LOG_ERROR, "%s: %s: %m", MODULE_NAME,
- ssh_agent_pid);
- return PAM_SESSION_ERR;
+ openpam_log(PAM_LOG_ERROR, "%s: %m", ssh_agent_pid);
+ return (PAM_SESSION_ERR);
}
- return PAM_SUCCESS;
-}
-
-PAM_EXTERN int
-pam_sm_acct_mgmt(pam_handle_t *pamh __unused, int flags __unused,
- int argc __unused, const char **argv __unused)
-{
- return (PAM_IGNORE);
-}
-
-PAM_EXTERN int
-pam_sm_chauthtok(pam_handle_t *pamh __unused, int flags __unused,
- int argc __unused, const char **argv __unused)
-{
- return (PAM_IGNORE);
+ return (PAM_SUCCESS);
}
PAM_MODULE_ENTRY(MODULE_NAME);
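Review bot: `pid = atoi(ssh_agent_pid)` accepts trailing garbage and cannot report overflow, and the number is then passed to `kill(pid, SIGTERM)` with no `openpam_borrow_cred()` visible in this hunk. If the stored value is stale or malformed and the application is privileged, the signal can reach a process that does not belong to the user. Strict parsing as sketched below, with `lpid` and `end` as new locals, rejects malformed values; sending the signal under the user's credentials would additionally confine a stale pid to the user's own processes. The start of pam_sm_close_session is outside this hunk, so the credential state at this point is an assumption to confirm.

```c
/* … unchanged: pam_get_data("ssh_agent_pid") … */
errno = 0;
lpid = strtol(ssh_agent_pid, &end, 10);
if (errno != 0 || end == ssh_agent_pid || *end != '\0' || lpid <= 0)
	return (PAM_SESSION_ERR);
pid = (pid_t)lpid;
```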
diff --git a/lib/libpam/modules/pam_tacplus/pam_tacplus.c b/lib/libpam/modules/pam_tacplus/pam_tacplus.c
index 9dfe937..19e3185 100644
--- a/lib/libpam/modules/pam_tacplus/pam_tacplus.c
+++ b/lib/libpam/modules/pam_tacplus/pam_tacplus.c
@@ -47,15 +47,15 @@ __FBSDID("$FreeBSD$");
#include <unistd.h>
#define PAM_SM_AUTH
-#define PAM_SM_ACCOUNT
-#define PAM_SM_SESSION
-#define PAM_SM_PASSWORD
#include <security/pam_appl.h>
#include <security/pam_modules.h>
#include <security/pam_mod_misc.h>
-enum { PAM_OPT_CONF=PAM_OPT_STD_MAX, PAM_OPT_TEMPLATE_USER };
+enum {
+ PAM_OPT_CONF = PAM_OPT_STD_MAX,
+ PAM_OPT_TEMPLATE_USER
+};
static struct opttab other_options[] = {
{ "conf", PAM_OPT_CONF },
@@ -114,8 +114,8 @@ set_msg(struct tac_handle *tach, const char *msg)
}
PAM_EXTERN int
-pam_sm_authenticate(pam_handle_t *pamh, int flags __unused, int argc,
- const char **argv)
+pam_sm_authenticate(pam_handle_t *pamh, int flags __unused,
+ int argc, const char *argv[])
{
struct options options;
int retval;
@@ -135,40 +135,40 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags __unused, int argc,
tach = tac_open();
if (tach == NULL) {
syslog(LOG_CRIT, "tac_open failed");
- PAM_RETURN(PAM_SERVICE_ERR);
+ return (PAM_SERVICE_ERR);
}
if (tac_config(tach, conf_file) == -1) {
syslog(LOG_ALERT, "tac_config: %s", tac_strerror(tach));
tac_close(tach);
- PAM_RETURN(PAM_SERVICE_ERR);
+ return (PAM_SERVICE_ERR);
}
if (tac_create_authen(tach, TAC_AUTHEN_LOGIN, TAC_AUTHEN_TYPE_ASCII,
TAC_AUTHEN_SVC_LOGIN) == -1) {
syslog(LOG_CRIT, "tac_create_authen: %s", tac_strerror(tach));
tac_close(tach);
- PAM_RETURN(PAM_SERVICE_ERR);
+ return (PAM_SERVICE_ERR);
}
PAM_LOG("Done tac_open() ... tac_close()");
retval = do_item(pamh, tach, PAM_USER, tac_set_user, "tac_set_user");
if (retval != PAM_SUCCESS)
- PAM_RETURN(retval);
+ return (retval);
PAM_LOG("Done user");
retval = do_item(pamh, tach, PAM_TTY, tac_set_port, "tac_set_port");
if (retval != PAM_SUCCESS)
- PAM_RETURN(retval);
+ return (retval);
PAM_LOG("Done tty");
retval = do_item(pamh, tach, PAM_RHOST, tac_set_rem_addr,
"tac_set_rem_addr");
if (retval != PAM_SUCCESS)
- PAM_RETURN(retval);
+ return (retval);
- for ( ; ; ) {
+ for (;;) {
char *srvr_msg;
size_t msg_len;
const char *user_msg;
@@ -181,7 +181,7 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags __unused, int argc,
syslog(LOG_CRIT, "tac_send_authen: %s",
tac_strerror(tach));
tac_close(tach);
- PAM_RETURN(PAM_AUTHINFO_UNAVAIL);
+ return (PAM_AUTHINFO_UNAVAIL);
}
status = TAC_AUTHEN_STATUS(sflags);
if (!TAC_AUTHEN_NOECHO(sflags))
@@ -205,7 +205,7 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags __unused, int argc,
*/
retval = pam_get_item(pamh, PAM_USER, &item);
if (retval != PAM_SUCCESS)
- PAM_RETURN(retval);
+ return (retval);
user = (const char *)item;
if (getpwnam(user) == NULL) {
pam_set_item(pamh, PAM_USER,
@@ -213,17 +213,17 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags __unused, int argc,
PAM_LOG("Using template user");
}
}
- PAM_RETURN(PAM_SUCCESS);
+ return (PAM_SUCCESS);
case TAC_AUTHEN_STATUS_FAIL:
tac_close(tach);
PAM_VERBOSE_ERROR("TACACS+ authentication failed");
- PAM_RETURN(PAM_AUTH_ERR);
+ return (PAM_AUTH_ERR);
case TAC_AUTHEN_STATUS_GETUSER:
case TAC_AUTHEN_STATUS_GETPASS:
if ((srvr_msg = get_msg(tach)) == NULL)
- PAM_RETURN(PAM_SERVICE_ERR);
+ return (PAM_SERVICE_ERR);
if (status == TAC_AUTHEN_STATUS_GETUSER)
retval = pam_get_user(pamh, &user_msg,
*srvr_msg ? srvr_msg : NULL);
@@ -235,30 +235,30 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags __unused, int argc,
if (retval != PAM_SUCCESS) {
/* XXX - send a TACACS+ abort packet */
tac_close(tach);
- PAM_RETURN(retval);
+ return (retval);
}
if (set_msg(tach, user_msg) == -1)
- PAM_RETURN(PAM_SERVICE_ERR);
+ return (PAM_SERVICE_ERR);
break;
case TAC_AUTHEN_STATUS_GETDATA:
if ((srvr_msg = get_msg(tach)) == NULL)
- PAM_RETURN(PAM_SERVICE_ERR);
+ return (PAM_SERVICE_ERR);
retval = pam_prompt(pamh,
pam_test_option(&options, PAM_OPT_ECHO_PASS, NULL)
- ? PAM_PROMPT_ECHO_ON : PAM_PROMPT_ECHO_OFF,
+ ? PAM_PROMPT_ECHO_ON : PAM_PROMPT_ECHO_OFF,
&data_msg, "%s", *srvr_msg ? srvr_msg : "Data:");
free(srvr_msg);
if (retval != PAM_SUCCESS) {
/* XXX - send a TACACS+ abort packet */
tac_close(tach);
- PAM_RETURN(retval);
+ return (retval);
}
retval = set_msg(tach, data_msg);
memset(data_msg, 0, strlen(data_msg));
free(data_msg);
if (retval == -1)
- PAM_RETURN(PAM_SERVICE_ERR);
+ return (PAM_SERVICE_ERR);
break;
case TAC_AUTHEN_STATUS_ERROR:
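Review bot: The `memset(data_msg, 0, strlen(data_msg))` immediately before `free(data_msg)` is the only scrubbing of the user's response, and a compiler is allowed to remove a store to memory that is about to be freed. Use a wipe that cannot be elided, for example `explicit_bzero(data_msg, strlen(data_msg));` where the platform provides it, or a loop through a `volatile char *`. The enclosing function starts and ends outside this hunk.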
@@ -272,7 +272,7 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags __unused, int argc,
syslog(LOG_CRIT,
"tac_send_authen: server detected error");
tac_close(tach);
- PAM_RETURN(PAM_AUTHINFO_UNAVAIL);
+ return (PAM_AUTHINFO_UNAVAIL);
break;
case TAC_AUTHEN_STATUS_RESTART:
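Review bot: The `break;` that follows the new `return (PAM_AUTHINFO_UNAVAIL);` in the TAC_AUTHEN_STATUS_ERROR case is unreachable and should be deleted. Leaving it in suggests the case can drop back into the loop, which it cannot. The switch continues outside this hunk.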
@@ -281,69 +281,17 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags __unused, int argc,
syslog(LOG_CRIT,
"tac_send_authen: unexpected status %#x", status);
tac_close(tach);
- PAM_RETURN(PAM_AUTHINFO_UNAVAIL);
+ return (PAM_AUTHINFO_UNAVAIL);
}
}
}
PAM_EXTERN int
-pam_sm_setcred(pam_handle_t *pamh __unused, int flags __unused, int argc, const char **argv)
+pam_sm_setcred(pam_handle_t *pamh __unused, int flags __unused,
+ int argc __unused, const char *argv[] __unused)
{
- struct options options;
-
- pam_std_option(&options, NULL, argc, argv);
-
- PAM_LOG("Options processed");
-
- PAM_RETURN(PAM_IGNORE);
-}
-
-PAM_EXTERN int
-pam_sm_acct_mgmt(pam_handle_t *pamh __unused, int flags __unused, int argc ,const char **argv)
-{
- struct options options;
-
- pam_std_option(&options, NULL, argc, argv);
-
- PAM_LOG("Options processed");
-
- PAM_RETURN(PAM_IGNORE);
-}
-
-PAM_EXTERN int
-pam_sm_chauthtok(pam_handle_t *pamh __unused, int flags __unused, int argc, const char **argv)
-{
- struct options options;
-
- pam_std_option(&options, NULL, argc, argv);
-
- PAM_LOG("Options processed");
-
- PAM_RETURN(PAM_IGNORE);
-}
-
-PAM_EXTERN int
-pam_sm_open_session(pam_handle_t *pamh __unused, int flags __unused, int argc, const char **argv)
-{
- struct options options;
-
- pam_std_option(&options, NULL, argc, argv);
-
- PAM_LOG("Options processed");
-
- PAM_RETURN(PAM_IGNORE);
-}
-
-PAM_EXTERN int
-pam_sm_close_session(pam_handle_t *pamh __unused, int flags __unused, int argc, const char **argv)
-{
- struct options options;
-
- pam_std_option(&options, NULL, argc, argv);
-
- PAM_LOG("Options processed");
- PAM_RETURN(PAM_IGNORE);
+ return (PAM_IGNORE);
}
PAM_MODULE_ENTRY("pam_tacplus");
diff --git a/lib/libpam/modules/pam_unix/pam_unix.c b/lib/libpam/modules/pam_unix/pam_unix.c
index ed74b90..29f22d9 100644
--- a/lib/libpam/modules/pam_unix/pam_unix.c
+++ b/lib/libpam/modules/pam_unix/pam_unix.c
@@ -69,7 +69,6 @@ __FBSDID("$FreeBSD$");
#define PAM_SM_AUTH
#define PAM_SM_ACCOUNT
-#define PAM_SM_SESSION
#define PAM_SM_PASSWORD
#include <security/pam_appl.h>
@@ -115,7 +114,8 @@ static int yp_passwd(const char *user, const char *pass);
* authentication management
*/
PAM_EXTERN int
-pam_sm_authenticate(pam_handle_t *pamh, int flags __unused, int argc, const char **argv)
+pam_sm_authenticate(pam_handle_t *pamh, int flags __unused,
+ int argc, const char *argv[])
{
login_cap_t *lc;
struct options options;
@@ -132,7 +132,7 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags __unused, int argc, const char
} else {
retval = pam_get_user(pamh, &user, NULL);
if (retval != PAM_SUCCESS)
- PAM_RETURN(retval);
+ return (retval);
pwd = getpwnam(user);
}
@@ -144,7 +144,7 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags __unused, int argc, const char
if (realpw[0] == '\0') {
if (!(flags & PAM_DISALLOW_NULL_AUTHTOK) &&
pam_test_option(&options, PAM_OPT_NULLOK, NULL))
- PAM_RETURN(PAM_SUCCESS);
+ return (PAM_SUCCESS);
realpw = "*";
}
lc = login_getpwclass(pwd);
@@ -157,32 +157,29 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags __unused, int argc, const char
retval = pam_get_authtok(pamh, PAM_AUTHTOK, &pass, prompt);
login_close(lc);
if (retval != PAM_SUCCESS)
- PAM_RETURN(retval);
+ return (retval);
PAM_LOG("Got password");
if (strcmp(crypt(pass, realpw), realpw) == 0)
- PAM_RETURN(PAM_SUCCESS);
+ return (PAM_SUCCESS);
PAM_VERBOSE_ERROR("UNIX authentication refused");
- PAM_RETURN(PAM_AUTH_ERR);
+ return (PAM_AUTH_ERR);
}
PAM_EXTERN int
-pam_sm_setcred(pam_handle_t *pamh __unused, int flags __unused, int argc, const char **argv)
+pam_sm_setcred(pam_handle_t *pamh __unused, int flags __unused,
+ int argc __unused, const char *argv[] __unused)
{
- struct options options;
-
- pam_std_option(&options, other_options, argc, argv);
-
- PAM_LOG("Options processed");
- PAM_RETURN(PAM_SUCCESS);
+ return (PAM_SUCCESS);
}
-/*
+/*
* account management
*/
PAM_EXTERN int
-pam_sm_acct_mgmt(pam_handle_t *pamh, int flags __unused, int argc, const char **argv)
+pam_sm_acct_mgmt(pam_handle_t *pamh, int flags __unused,
+ int argc, const char *argv[])
{
struct addrinfo hints, *res;
struct options options;
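Review bot: `strcmp(crypt(pass, realpw), realpw)` uses the result of crypt() without checking it, and crypt() may return NULL when it cannot process the stored hash; whether the `"*"` placeholder assigned in the previous hunk triggers that depends on the crypt implementation. A NULL here crashes the authenticating process instead of denying access. Hold the result in a local and test it: `cp = crypt(pass, realpw);` followed by `if (cp != NULL && strcmp(cp, realpw) == 0)`. pam_sm_authenticate begins in an earlier hunk, so `cp` would be a new `const char *` local declared there.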
@@ -200,25 +197,25 @@ pam_sm_acct_mgmt(pam_handle_t *pamh, int flags __unused, int argc, const char **
retval = pam_get_user(pamh, &user, NULL);
if (retval != PAM_SUCCESS)
- PAM_RETURN(retval);
+ return (retval);
if (user == NULL || (pwd = getpwnam(user)) == NULL)
- PAM_RETURN(PAM_SERVICE_ERR);
+ return (PAM_SERVICE_ERR);
PAM_LOG("Got user: %s", user);
retval = pam_get_item(pamh, PAM_RHOST, (const void **)&rhost);
if (retval != PAM_SUCCESS)
- PAM_RETURN(retval);
+ return (retval);
retval = pam_get_item(pamh, PAM_TTY, (const void **)&tty);
if (retval != PAM_SUCCESS)
- PAM_RETURN(retval);
+ return (retval);
if (*pwd->pw_passwd == '\0' &&
(flags & PAM_DISALLOW_NULL_AUTHTOK) != 0)
return (PAM_NEW_AUTHTOK_REQD);
-
+
lc = login_getpwclass(pwd);
if (lc == NULL) {
PAM_LOG("Unable to get login class for user %s", user);
@@ -234,13 +231,13 @@ pam_sm_acct_mgmt(pam_handle_t *pamh, int flags __unused, int argc, const char **
* Check pw_expire before pw_change - no point in letting the
* user change the password on an expired account.
*/
-
+
if (pwd->pw_expire) {
warntime = login_getcaptime(lc, "warnexpire",
DEFAULT_WARN, DEFAULT_WARN);
if (tp.tv_sec >= pwd->pw_expire) {
login_close(lc);
- PAM_RETURN(PAM_ACCT_EXPIRED);
+ return (PAM_ACCT_EXPIRED);
} else if (pwd->pw_expire - tp.tv_sec < warntime &&
(flags & PAM_SILENT) == 0) {
pam_error(pamh, "Warning: your account expires on %s",
@@ -283,53 +280,25 @@ pam_sm_acct_mgmt(pam_handle_t *pamh, int flags __unused, int argc, const char **
/*
* Check host / tty / time-of-day restrictions
*/
-
+
if (!auth_hostok(lc, rhost, rhostip) ||
!auth_ttyok(lc, tty) ||
!auth_timeok(lc, time(NULL)))
retval = PAM_AUTH_ERR;
-
- login_close(lc);
-
- PAM_RETURN(retval);
-}
-/*
- * session management
- *
- * logging only
- */
-PAM_EXTERN int
-pam_sm_open_session(pam_handle_t *pamh __unused, int flags __unused, int argc, const char **argv)
-{
- struct options options;
-
- pam_std_option(&options, other_options, argc, argv);
-
- PAM_LOG("Options processed");
-
- PAM_RETURN(PAM_SUCCESS);
-}
-
-PAM_EXTERN int
-pam_sm_close_session(pam_handle_t *pamh __unused, int flags __unused, int argc, const char **argv)
-{
- struct options options;
-
- pam_std_option(&options, other_options, argc, argv);
-
- PAM_LOG("Options processed");
+ login_close(lc);
- PAM_RETURN(PAM_SUCCESS);
+ return (retval);
}
-/*
+/*
* password management
*
* standard Unix and NIS password changing
*/
PAM_EXTERN int
-pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, const char **argv)
+pam_sm_chauthtok(pam_handle_t *pamh, int flags,
+ int argc, const char *argv[])
{
struct options options;
struct passwd *pwd;
@@ -346,7 +315,7 @@ pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, const char **argv)
else {
retval = pam_get_user(pamh, &user, NULL);
if (retval != PAM_SUCCESS)
- PAM_RETURN(retval);
+ return (retval);
pwd = getpwnam(user);
}
@@ -364,13 +333,13 @@ pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, const char **argv)
* XXX check PAM_DISALLOW_NULL_AUTHTOK
*/
PAM_LOG("Got password");
- PAM_RETURN(PAM_SUCCESS);
+ return (PAM_SUCCESS);
}
else {
retval = pam_get_authtok(pamh,
PAM_OLDAUTHTOK, &pass, NULL);
if (retval != PAM_SUCCESS)
- PAM_RETURN(retval);
+ return (retval);
PAM_LOG("Got password");
}
encrypted = crypt(pass, pwd->pw_passwd);
@@ -379,17 +348,17 @@ pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, const char **argv)
if (strcmp(encrypted, pwd->pw_passwd) != 0) {
pam_set_item(pamh, PAM_OLDAUTHTOK, NULL);
- PAM_RETURN(PAM_AUTH_ERR);
+ return (PAM_AUTH_ERR);
}
- PAM_RETURN(PAM_SUCCESS);
+ return (PAM_SUCCESS);
}
else if (flags & PAM_UPDATE_AUTHTOK) {
PAM_LOG("UPDATE round; checking user password");
retval = pam_get_authtok(pamh, PAM_OLDAUTHTOK, &pass, NULL);
if (retval != PAM_SUCCESS)
- PAM_RETURN(retval);
+ return (retval);
PAM_LOG("Got old password");
@@ -403,7 +372,7 @@ pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, const char **argv)
if (retval != PAM_SUCCESS) {
PAM_VERBOSE_ERROR("Unable to get new password");
- PAM_RETURN(PAM_PERM_DENIED);
+ return (PAM_PERM_DENIED);
}
PAM_LOG("Got new password: %s", new_pass);
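Review bot: `PAM_LOG("Got new password: %s", new_pass);` writes the user's new cleartext password into the debug log. With this commit PAM_LOG goes through `openpam_log()`, so the secret ends up wherever that output is collected and stays readable to anyone with access to it. Log the event without the value, as the other password messages in this function already do: `PAM_LOG("Got new password");`. The surrounding pam_sm_chauthtok body starts and ends outside this hunk.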
@@ -411,7 +380,7 @@ pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, const char **argv)
#ifdef YP
/* If NIS is set in the passwd database, use it */
if ((usrdup = strdup(user)) == NULL)
- PAM_RETURN(PAM_BUF_ERR);
+ return (PAM_BUF_ERR);
res = use_yp(usrdup, 0, 0);
free(usrdup);
if (res == USER_YP_ONLY) {
@@ -453,7 +422,7 @@ pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, const char **argv)
PAM_LOG("Illegal 'flags'");
}
- PAM_RETURN(retval);
+ return (retval);
}
/* Mostly stolen from passwd(1)'s local_passwd.c - markm */
@@ -606,7 +575,7 @@ yp_passwd(const char *user __unused, const char *pass)
* The yppasswd.x file said `unix authentication required',
* so I added it. This is the only reason it is in here.
* My yppasswdd doesn't use it, but maybe some others out there
- * do. --okir
+ * do. --okir
*/
clnt->cl_auth = authunix_create_default();
diff --git a/lib/libpam/modules/pam_wheel/pam_wheel.c b/lib/libpam/modules/pam_wheel/pam_wheel.c
index f9d9d21..b4137ae 100644
--- a/lib/libpam/modules/pam_wheel/pam_wheel.c
+++ b/lib/libpam/modules/pam_wheel/pam_wheel.c
@@ -49,16 +49,18 @@ __FBSDID("$FreeBSD$");
#include <grp.h>
#define PAM_SM_AUTH
-#define PAM_SM_ACCOUNT
-#define PAM_SM_SESSION
-#define PAM_SM_PASSWORD
#include <security/pam_appl.h>
#include <security/pam_modules.h>
#include <security/pam_mod_misc.h>
-enum { PAM_OPT_DENY=PAM_OPT_STD_MAX, PAM_OPT_GROUP, PAM_OPT_TRUST,
- PAM_OPT_AUTH_AS_SELF, PAM_OPT_NOROOT_OK };
+enum {
+ PAM_OPT_DENY = PAM_OPT_STD_MAX,
+ PAM_OPT_GROUP,
+ PAM_OPT_TRUST,
+ PAM_OPT_AUTH_AS_SELF,
+ PAM_OPT_NOROOT_OK
+};
static struct opttab other_options[] = {
{ "deny", PAM_OPT_DENY },
@@ -80,7 +82,8 @@ in_list(char *const *list, const char *member)
}
PAM_EXTERN int
-pam_sm_authenticate(pam_handle_t * pamh, int flags __unused, int argc, const char **argv)
+pam_sm_authenticate(pam_handle_t * pamh, int flags __unused,
+ int argc, const char *argv[])
{
struct options options;
struct passwd *pwd;
@@ -96,12 +99,12 @@ pam_sm_authenticate(pam_handle_t * pamh, int flags __unused, int argc, const cha
retval = pam_get_user(pamh, &targetuser, NULL);
if (retval != PAM_SUCCESS)
- PAM_RETURN(retval);
+ return (retval);
pwd = getpwnam(targetuser);
if (pwd != NULL)
tuid = pwd->pw_uid;
else
- PAM_RETURN(PAM_AUTH_ERR);
+ return (PAM_AUTH_ERR);
PAM_LOG("Got target user: %s uid: %d", targetuser, tuid);
@@ -114,21 +117,21 @@ pam_sm_authenticate(pam_handle_t * pamh, int flags __unused, int argc, const cha
pwd = getpwnam(user);
}
if (pwd == NULL)
- PAM_RETURN(PAM_AUTH_ERR);
+ return (PAM_AUTH_ERR);
PAM_LOG("Got user: %s", user);
PAM_LOG("User's primary uid, gid: %d, %d", pwd->pw_uid, pwd->pw_gid);
/* Ignore if already uid 0 */
if (pwd->pw_uid == 0)
- PAM_RETURN(PAM_IGNORE);
+ return (PAM_IGNORE);
PAM_LOG("Not superuser");
/* If authenticating as something non-superuser, return OK */
if (pam_test_option(&options, PAM_OPT_NOROOT_OK, NULL))
if (tuid != 0)
- PAM_RETURN(PAM_SUCCESS);
+ return (PAM_SUCCESS);
PAM_LOG("Checking group");
@@ -141,10 +144,10 @@ pam_sm_authenticate(pam_handle_t * pamh, int flags __unused, int argc, const cha
if (grp == NULL || grp->gr_mem == NULL) {
if (pam_test_option(&options, PAM_OPT_DENY, NULL))
- PAM_RETURN(PAM_IGNORE);
+ return (PAM_IGNORE);
else {
PAM_VERBOSE_ERROR("Permission denied");
- PAM_RETURN(PAM_AUTH_ERR);
+ return (PAM_AUTH_ERR);
}
}
@@ -154,79 +157,27 @@ pam_sm_authenticate(pam_handle_t * pamh, int flags __unused, int argc, const cha
if (pam_test_option(&options, PAM_OPT_DENY, NULL)) {
PAM_VERBOSE_ERROR("Member of group %s; denied",
grp->gr_name);
- PAM_RETURN(PAM_PERM_DENIED);
+ return (PAM_PERM_DENIED);
}
if (pam_test_option(&options, PAM_OPT_TRUST, NULL))
- PAM_RETURN(PAM_SUCCESS);
- PAM_RETURN(PAM_IGNORE);
+ return (PAM_SUCCESS);
+ return (PAM_IGNORE);
}
if (pam_test_option(&options, PAM_OPT_DENY, NULL))
- PAM_RETURN(PAM_SUCCESS);
+ return (PAM_SUCCESS);
PAM_VERBOSE_ERROR("Not member of group %s; denied", grp->gr_name);
- PAM_RETURN(PAM_PERM_DENIED);
-}
-
-PAM_EXTERN int
-pam_sm_setcred(pam_handle_t * pamh __unused, int flags __unused, int argc, const char **argv)
-{
- struct options options;
-
- pam_std_option(&options, other_options, argc, argv);
-
- PAM_LOG("Options processed");
-
- PAM_RETURN(PAM_SUCCESS);
+ return (PAM_PERM_DENIED);
}
PAM_EXTERN int
-pam_sm_acct_mgmt(pam_handle_t *pamh __unused, int flags __unused, int argc ,const char **argv)
+pam_sm_setcred(pam_handle_t * pamh __unused, int flags __unused,
+ int argc __unused, const char *argv[] __unused)
{
- struct options options;
-
- pam_std_option(&options, NULL, argc, argv);
-
- PAM_LOG("Options processed");
-
- PAM_RETURN(PAM_IGNORE);
-}
-
-PAM_EXTERN int
-pam_sm_chauthtok(pam_handle_t *pamh __unused, int flags __unused, int argc, const char **argv)
-{
- struct options options;
-
- pam_std_option(&options, NULL, argc, argv);
-
- PAM_LOG("Options processed");
-
- PAM_RETURN(PAM_IGNORE);
-}
-
-PAM_EXTERN int
-pam_sm_open_session(pam_handle_t *pamh __unused, int flags __unused, int argc, const char **argv)
-{
- struct options options;
-
- pam_std_option(&options, NULL, argc, argv);
-
- PAM_LOG("Options processed");
-
- PAM_RETURN(PAM_IGNORE);
-}
-
-PAM_EXTERN int
-pam_sm_close_session(pam_handle_t *pamh __unused, int flags __unused, int argc, const char **argv)
-{
- struct options options;
-
- pam_std_option(&options, NULL, argc, argv);
-
- PAM_LOG("Options processed");
- PAM_RETURN(PAM_IGNORE);
+ return (PAM_SUCCESS);
}
PAM_MODULE_ENTRY("pam_wheel");
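Review bot: With the `deny` option set, a user who is not in the group reaches `return (PAM_SUCCESS);` near the end of pam_sm_authenticate, while the missing-group case in the earlier hunk returns `PAM_IGNORE` under the same option. A positive result from a module that is only meant to deny makes the outcome depend on how it is stacked; if it were configured as `sufficient`, a non-member would pass on this module alone. If that is not intended, return `PAM_IGNORE` here and reserve `PAM_SUCCESS` for the `trust` case, as the member branch above does: `if (pam_test_option(&options, PAM_OPT_DENY, NULL)) return (PAM_IGNORE);`. A comment stating which result each option combination yields would also help; the function starts outside this hunk.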