Diffstat (limited to 'lib/libpam/modules/pam_ftp')
-rw-r--r-- | lib/libpam/modules/pam_ftp/Makefile | 1 | ||||
-rw-r--r-- | lib/libpam/modules/pam_ftp/pam_ftp.8 | 92 | ||||
-rw-r--r-- | lib/libpam/modules/pam_ftp/pam_ftp.c | 74 |
3 files changed, 135 insertions, 32 deletions
diff --git a/lib/libpam/modules/pam_ftp/Makefile b/lib/libpam/modules/pam_ftp/Makefile
index 17f8a0f..78717d4 100644
--- a/lib/libpam/modules/pam_ftp/Makefile
+++ b/lib/libpam/modules/pam_ftp/Makefile
@@ -27,5 +27,6 @@ LIB= pam_ftp SHLIB_NAME= pam_ftp.so SRCS= pam_ftp.c +MAN= pam_ftp.8 .include <bsd.lib.mk>
diff --git a/lib/libpam/modules/pam_ftp/pam_ftp.8 b/lib/libpam/modules/pam_ftp/pam_ftp.8
new file mode 100644
index 0000000..423564b
--- /dev/null
+++ b/lib/libpam/modules/pam_ftp/pam_ftp.8
@@ -0,0 +1,92 @@
+.\" Copyright (c) 2001 Mark R V Murray
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $FreeBSD$
+.\"
+.Dd July 8, 2001
+.Dt PAM_FTP 8
+.Os
+.Sh NAME
+.Nm pam_ftp
+.Nd FTP PAM module
+.Sh SYNOPSIS
+.Op Ar service-name
+.Ar module-type
+.Ar control-flag
+.Pa pam_ftp
+.Op Ar options
+.Sh DESCRIPTION
+The FTP authentication service module for PAM,
+.Nm
+provides functionality for only one PAM category:
+authentication.
+In terms of the
+.Ar module-type
+parameter, this is the
+.Dv auth
+feature.
+It also provides a null function for session management.
+.Ss FTP Authentication Module
+The FTP authentication component
+.Pq Fn pam_sm_authenticate ,
+authenticates the anonymous user
+.Pq usually Do anonymous Dc or Do ftp Dc
+usually by simply requesting an email address as a password.
+The supplied email address is broken up
+into its username and host parts,
+and these are assigned to the
+.Dv PAM_RUSER
+and
+.Dv PAM_RHOST
+facilities respectively.
+.Pp
+This module is intended for the
+.Xr ftpd 8
+service.
+.Pp
+The following options may be passed to the authentication module:
+.Bl -tag -xwidth ".Cm use_first_pass"
+.It Cm debug
+.Xr syslog 3
+debugging information at
+.Dv LOG_DEBUG
+level.
+.It Cm no_anon
+Disallow anonymous access.
+.It Cm ignore
+Ingnore the password supplied,
+and do not use its constituent parts
+.Pq username and hostname
+as
+.Dv PAM_RUSER
+and
+.Dv PAM_RHOST
+respectively.
+.El
+.Sh SEE ALSO
+.Xr ftp 1 ,
+.Xr syslog 3 ,
+.Xr pam.conf 5 ,
+.Xr ftpd 8 ,
+.Xr pam 8
diff --git a/lib/libpam/modules/pam_ftp/pam_ftp.c b/lib/libpam/modules/pam_ftp/pam_ftp.c
index 673f73c..df63c6a 100644
--- a/lib/libpam/modules/pam_ftp/pam_ftp.c
+++ b/lib/libpam/modules/pam_ftp/pam_ftp.c
@@ -26,11 +26,8 @@ * $FreeBSD$ */ -#define PLEASE_ENTER_PASSWORD "Password required for %s." -#define GUEST_LOGIN_PROMPT "Guest login ok, send your e-mail address as password." - -/* the following is a password that "can't be correct" */ -#define BLOCK_PASSWORD "\177BAD PASSWPRD\177" +#define PROMPT "OINK Password required for %s." +#define GUEST_PROMPT "TWEET Guest login ok, send your e-mail address as password." #include <security/_pam_aconf.h> 
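Review bot: The new PROMPT and GUEST_PROMPT strings carry leading `OINK ` and `TWEET ` tokens that read like debugging markers left in the text every ftpd client is shown at the password prompt; they should go before this ships, i.e. `#define PROMPT "Password required for %s."` and `#define GUEST_PROMPT "Guest login ok, send your e-mail address as password."`. PROMPT is also used as a printf format by the sprintf in pam_sm_authenticate, whose buffer is sized as strlen(PROMPT) + strlen(user), so the define must keep exactly one `%s` and nothing else; I would pin that with a comment next to it, `/* printf format: exactly one %s (the user name); pam_sm_authenticate sizes its buffer on that assumption */`. BLOCK_PASSWORD and its explanatory comment disappear here with no replacement visible in this hunk, which is fine only if nothing else in the file still references it.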
@@ -41,20 +38,23 @@ #include <stdarg.h> #include <string.h> -/* here, we make a definition for the externally accessible function in this - * file (this definition is required for static a module but strongly - * encouraged generally) it is used to instruct the modules include file to - * define the function prototypes. */ - #define PAM_SM_AUTH #include <security/pam_modules.h> #include <pam_mod_misc.h> #include <security/_pam_macros.h> +enum { PAM_OPT_NO_ANON=PAM_OPT_STD_MAX, PAM_OPT_IGNORE }; + +static struct opttab other_options[] = { + { "no_anon", PAM_OPT_NO_ANON }, + { "ignore", PAM_OPT_IGNORE }, + { NULL, 0 } +}; + static int converse(pam_handle_t *pamh, int nargs, struct pam_message **message, - struct pam_response **response) + struct pam_response **response) { struct pam_conv *conv; int retval; @@ -103,8 +103,6 @@ lookup(const char *name, char *list, const char **user) return anon; } -/* --- authentication management functions (only) --- */ - /* Check if the user name is 'ftp' or 'anonymous'. * If this is the case, set the PAM_RUSER to the entered email address * and succeed, otherwise fail. 
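Review bot: The module-specific option table added here has no comment tying the enum values to the `no_anon` and `ignore` words that pam.conf(5) users write, nor saying why numbering starts at PAM_OPT_STD_MAX; I would put `/* Module-private options, numbered after the standard set so pam_std_option() can carry both in one struct options. */` above the enum. The table is mutable file-scope data; if pam_std_option() accepts a `const struct opttab *` it should be `static const struct opttab other_options[]`, which I cannot confirm from this hunk because pam_mod_misc.h is not shown.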
@@ -112,47 +110,52 @@ lookup(const char *name, char *list, const char **user) PAM_EXTERN int pam_sm_authenticate(pam_handle_t * pamh, int flags, int argc, const char **argv) { + struct options options; struct pam_message msg[1], *mesg[1]; struct pam_response *resp; - int retval, anon, options, i; - const char *user, *token; + int retval, anon; char *users, *context, *prompt; + const char *user, *token; users = prompt = NULL; - options = 0; - for (i = 0; i < argc; i++) - pam_std_option(&options, argv[i]); + pam_std_option(&options, other_options, argc, argv); + + PAM_LOG("Options processed"); retval = pam_get_user(pamh, &user, NULL); if (retval != PAM_SUCCESS || user == NULL) - return PAM_USER_UNKNOWN; + PAM_RETURN(PAM_USER_UNKNOWN); anon = 0; - if (!(options & PAM_OPT_NO_ANON)) + if (!pam_test_option(&options, PAM_OPT_NO_ANON, NULL)) anon = lookup(user, users, &user); if (anon) { retval = pam_set_item(pamh, PAM_USER, (const void *)user); if (retval != PAM_SUCCESS || user == NULL) - return PAM_USER_UNKNOWN; + PAM_RETURN(PAM_USER_UNKNOWN); } + PAM_LOG("Got user: %s", user); + /* Require an email address for user's password. */ if (!anon) { - prompt = malloc(strlen(PLEASE_ENTER_PASSWORD) + strlen(user)); + prompt = malloc(strlen(PROMPT) + strlen(user)); if (prompt == NULL) - return PAM_BUF_ERR; + PAM_RETURN(PAM_BUF_ERR); else { - sprintf(prompt, PLEASE_ENTER_PASSWORD, user); + sprintf(prompt, PROMPT, user); msg[0].msg = prompt; } } else - msg[0].msg = GUEST_LOGIN_PROMPT; + msg[0].msg = GUEST_PROMPT; msg[0].msg_style = PAM_PROMPT_ECHO_OFF; mesg[0] = &msg[0]; + PAM_LOG("Sent prompt"); + resp = NULL; retval = converse(pamh, 1, mesg, &resp); if (prompt) { 
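Review bot: The prompt buffer is sized `strlen(PROMPT) + strlen(user)` and then filled with an unbounded `sprintf(prompt, PROMPT, user)`; that only fits because the `%s` in PROMPT is two characters wide, so any later edit to the format that adds a conversion or drops the `%s` turns this into a heap overflow driven by an attacker-chosen user name. Replace the malloc/sprintf pair with `if (asprintf(&prompt, PROMPT, user) < 0) PAM_RETURN(PAM_BUF_ERR);` followed by `msg[0].msg = prompt;`, which sizes the buffer from the actual format (asprintf(3) is in FreeBSD's libc; the existing `if (prompt) _pam_drop(prompt)` cleanup still works). The `user == NULL` test after `pam_set_item(pamh, PAM_USER, ...)` looks dead, since pam_set_item does not write `user` and it was already checked above, unless lookup() can store NULL through its third argument. `PAM_LOG("Sent prompt")` is emitted before converse() is called, so it misleads anyone reading the debug log; move it after the call. pam_sm_authenticate continues past the end of this hunk.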
@@ -160,15 +163,19 @@ pam_sm_authenticate(pam_handle_t * pamh, int flags, int argc, const char **argv) _pam_drop(prompt); } + PAM_LOG("Done conversation 1"); + if (retval != PAM_SUCCESS) { if (resp != NULL) _pam_drop_reply(resp, 1); - return retval == PAM_CONV_AGAIN - ? PAM_INCOMPLETE : PAM_AUTHINFO_UNAVAIL; + PAM_RETURN(retval == PAM_CONV_AGAIN + ? PAM_INCOMPLETE : PAM_AUTHINFO_UNAVAIL); } + PAM_LOG("Done conversation 2"); + if (anon) { - if (!(options & PAM_OPT_IGNORE)) { + if (!pam_test_option(&options, PAM_OPT_IGNORE, NULL)) { token = strtok_r(resp->resp, "@", &context); pam_set_item(pamh, PAM_RUSER, token); @@ -178,16 +185,21 @@ pam_sm_authenticate(pam_handle_t * pamh, int flags, int argc, const char **argv) } } retval = PAM_SUCCESS; + + PAM_LOG("Done anonymous"); + } else { pam_set_item(pamh, PAM_AUTHTOK, resp->resp); retval = PAM_AUTH_ERR; + + PAM_LOG("Done non-anonymous"); } if (resp) - _pam_drop_reply(resp, i); + _pam_drop_reply(resp, 1); - return retval; + PAM_RETURN(retval); } PAM_EXTERN int @@ -196,6 +208,4 @@ pam_sm_setcred(pam_handle_t * pamh, int flags, int argc, const char **argv) return PAM_IGNORE; } -/* end of module definition */ - PAM_MODULE_ENTRY("pam_ftp"); |
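Review bot: In the success path `resp->resp` goes straight into `strtok_r(resp->resp, "@", &context)` while the failure path just above guards `resp != NULL`; if the conversation returns PAM_SUCCESS with a NULL `resp`, or with a NULL `resp->resp` for an empty answer, strtok_r is called with a NULL first argument and an uninitialized `context`, which is undefined behaviour. Add, before `if (anon)`, `if (resp == NULL || resp->resp == NULL) PAM_RETURN(PAM_AUTHINFO_UNAVAIL);`. The result of `pam_set_item(pamh, PAM_RUSER, token)` is also discarded, so failing to record the remote user is silent; checking it costs one line. The enclosing pam_sm_authenticate starts in the previous hunk.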
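Review bot: The non-anonymous branch stores the supplied password as PAM_AUTHTOK and then returns PAM_AUTH_ERR unconditionally, which is easy to misread as a bug; it deserves a comment such as `/* Not a guest login: this module never authenticates real users. Stash the password as PAM_AUTHTOK (presumably for a later stacked module) and fail. */`. For those users the reply buffer freed by `_pam_drop_reply(resp, 1)` still holds the password; if that macro in _pam_macros.h does not overwrite the reply before free(), the string should be zeroised here first, so confirm what _pam_drop_reply does. The fix from `_pam_drop_reply(resp, i)` to a literal 1 is correct and not re-raised. The enclosing pam_sm_authenticate starts in an earlier hunk.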