From 88dfad04754b515a37f4e9e42d148dcbb94385e1 Mon Sep 17 00:00:00 2001 
From: markm Date: Mon, 9 Jul 2001 18:20:51 +0000 Subject: Clean up (and in some cases write) the PAM mudules, using o The new options-processing API o The new DEBUG-logging API Add man(1) pages for ALL modules. MDOC-Police welcome to check this. Audit, clean up while I'm here. --- .../pam_cleartext_pass_ok/pam_cleartext_pass_ok.c | 12 +- lib/libpam/modules/pam_deny/Makefile | 3 +- lib/libpam/modules/pam_deny/pam_deny.8 | 75 +++++++++++ lib/libpam/modules/pam_deny/pam_deny.c | 109 +++++++++++++++ lib/libpam/modules/pam_ftp/Makefile | 1 + lib/libpam/modules/pam_ftp/pam_ftp.8 | 92 +++++++++++++ lib/libpam/modules/pam_ftp/pam_ftp.c | 74 ++++++----- lib/libpam/modules/pam_kerberosIV/pam_kerberosIV.c | 60 +++++---- lib/libpam/modules/pam_nologin/Makefile | 3 +- lib/libpam/modules/pam_nologin/pam_nologin.8 | 77 +++++++++++ lib/libpam/modules/pam_nologin/pam_nologin.c | 115 ++++++++++++++++ lib/libpam/modules/pam_opie/Makefile | 1 + lib/libpam/modules/pam_opie/pam_opie.8 | 91 +++++++++++++ lib/libpam/modules/pam_opie/pam_opie.c | 95 +++++++------ lib/libpam/modules/pam_permit/Makefile | 3 +- lib/libpam/modules/pam_permit/pam_permit.8 | 74 +++++++++++ lib/libpam/modules/pam_permit/pam_permit.c | 126 ++++++++++++++++++ lib/libpam/modules/pam_radius/pam_radius.8 | 11 +- lib/libpam/modules/pam_radius/pam_radius.c | 109 ++++++++------- lib/libpam/modules/pam_rootok/Makefile | 3 +- lib/libpam/modules/pam_rootok/pam_rootok.8 | 70 ++++++++++ lib/libpam/modules/pam_rootok/pam_rootok.c | 64 +++++++++ lib/libpam/modules/pam_securetty/Makefile | 1 + lib/libpam/modules/pam_securetty/pam_securetty.8 | 82 ++++++++++++ lib/libpam/modules/pam_securetty/pam_securetty.c | 43 +++--- lib/libpam/modules/pam_ssh/pam_ssh.8 | 148 +++++++++++++++++++++ lib/libpam/modules/pam_tacplus/Makefile | 1 + lib/libpam/modules/pam_tacplus/pam_tacplus.8 | 128 ++++++++++++++++++ lib/libpam/modules/pam_tacplus/pam_tacplus.c | 128 ++++++++++-------- lib/libpam/modules/pam_unix/Makefile | 1 + 
lib/libpam/modules/pam_unix/pam_unix.8 | 148 +++++++++++++++++++++ lib/libpam/modules/pam_unix/pam_unix.c | 106 ++++++++++----- lib/libpam/modules/pam_wheel/Makefile | 3 +- lib/libpam/modules/pam_wheel/pam_wheel.8 | 94 +++++++++++++ lib/libpam/modules/pam_wheel/pam_wheel.c | 145 ++++++++++++++++++++ 35 files changed, 2030 insertions(+), 266 deletions(-) create mode 100644 lib/libpam/modules/pam_deny/pam_deny.8 create mode 100644 lib/libpam/modules/pam_deny/pam_deny.c create mode 100644 lib/libpam/modules/pam_ftp/pam_ftp.8 create mode 100644 lib/libpam/modules/pam_nologin/pam_nologin.8 create mode 100644 lib/libpam/modules/pam_nologin/pam_nologin.c create mode 100644 lib/libpam/modules/pam_opie/pam_opie.8 create mode 100644 lib/libpam/modules/pam_permit/pam_permit.8 create mode 100644 lib/libpam/modules/pam_permit/pam_permit.c create mode 100644 lib/libpam/modules/pam_rootok/pam_rootok.8 create mode 100644 lib/libpam/modules/pam_rootok/pam_rootok.c create mode 100644 lib/libpam/modules/pam_securetty/pam_securetty.8 create mode 100644 lib/libpam/modules/pam_ssh/pam_ssh.8 create mode 100644 lib/libpam/modules/pam_tacplus/pam_tacplus.8 create mode 100644 lib/libpam/modules/pam_unix/pam_unix.8 create mode 100644 lib/libpam/modules/pam_wheel/pam_wheel.8 create mode 100644 lib/libpam/modules/pam_wheel/pam_wheel.c (limited to 'lib/libpam') diff --git a/lib/libpam/modules/pam_cleartext_pass_ok/pam_cleartext_pass_ok.c b/lib/libpam/modules/pam_cleartext_pass_ok/pam_cleartext_pass_ok.c index 437225c..b3562f5 100644 --- a/lib/libpam/modules/pam_cleartext_pass_ok/pam_cleartext_pass_ok.c +++ b/lib/libpam/modules/pam_cleartext_pass_ok/pam_cleartext_pass_ok.c @@ -33,8 +33,7 @@ #include PAM_EXTERN int -pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, - const char **argv) +pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv) { int retval; const void *item; 
@@ -42,12 +41,15 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char *tty; const char *rhost; - if ((retval = pam_get_user(pamh, &user, NULL)) != PAM_SUCCESS) + retval = pam_get_user(pamh, &user, NULL); + if (retval != PAM_SUCCESS) return retval; - if ((retval = pam_get_item(pamh, PAM_TTY, &item)) != PAM_SUCCESS) + retval = pam_get_item(pamh, PAM_TTY, &item); + if (retval != PAM_SUCCESS) return retval; tty = (const char *)item; - if ((retval = pam_get_item(pamh, PAM_RHOST, &item)) != PAM_SUCCESS) + retval = pam_get_item(pamh, PAM_RHOST, &item); + if (retval != PAM_SUCCESS) return retval; rhost = (const char *)item; /* diff --git a/lib/libpam/modules/pam_deny/Makefile b/lib/libpam/modules/pam_deny/Makefile index f3dfad3..9e07378 100644 --- a/lib/libpam/modules/pam_deny/Makefile +++ b/lib/libpam/modules/pam_deny/Makefile @@ -27,7 +27,6 @@ LIB= pam_deny SHLIB_NAME= pam_deny.so SRCS= pam_deny.c +MAN= pam_deny.8 .include - -.PATH: ${PAMDIR}/modules/pam_deny diff --git a/lib/libpam/modules/pam_deny/pam_deny.8 b/lib/libpam/modules/pam_deny/pam_deny.8 new file mode 100644 index 0000000..ed35bc5 --- /dev/null +++ b/lib/libpam/modules/pam_deny/pam_deny.8 
@@ -0,0 +1,75 @@ +.\" Copyright (c) 2001 Mark R V Murray +.\" All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. +.\" +.\" $FreeBSD$ +.\" +.Dd July 7, 2001 +.Dt PAM_DENY 8 +.Os +.Sh NAME +.Nm pam_deny +.Nd Deny PAM module +.Sh SYNOPSIS +.Op Ar service-name +.Ar module-type +.Ar control-flag +.Pa pam_deny +.Op Ar options +.Sh DESCRIPTION +The Deny authentication service module for PAM, +.Nm +provides functionality for all the PAM categories: +authentication, +account management, +session management and +password management. +In terms of the +.Ar module-type +parameter, these are the +.Dv auth , +.Dv account , +.Dv session +and +.Dv password +features. 
+.Pp +The Deny module +will universally deny all requests. +It is primarily of use during testing, +and to +.Dq null-out +unwanted functionality. +.Pp +The following options may be passed to the module: +.Bl -tag -xwidth ".Cm use_first_pass" +.It Cm debug +.Xr syslog 3 +debugging information at +.Dv LOG_DEBUG +level. +.El +.Sh SEE ALSO +.Xr syslog 3 , +.Xr pam.conf 5 , +.Xr pam 8 diff --git a/lib/libpam/modules/pam_deny/pam_deny.c b/lib/libpam/modules/pam_deny/pam_deny.c new file mode 100644 index 0000000..9cbb8f0 --- /dev/null +++ b/lib/libpam/modules/pam_deny/pam_deny.c 
@@ -0,0 +1,109 @@ +/*- + * Copyright 2001 Mark R V Murray + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. 
+ * + * $FreeBSD$ + */ + +#define PAM_SM_AUTH +#define PAM_SM_ACCOUNT +#define PAM_SM_SESSION +#define PAM_SM_PASSWORD + +#include +#include "pam_mod_misc.h" + +PAM_EXTERN int +pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv) +{ + struct options options; + + pam_std_option(&options, NULL, argc, argv); + + PAM_LOG("Options processed"); + + PAM_RETURN(PAM_AUTH_ERR); +} + +PAM_EXTERN int +pam_sm_setcred(pam_handle_t *pamh, int flags, int argc, const char **argv) +{ + struct options options; + + pam_std_option(&options, NULL, argc, argv); + + PAM_LOG("Options processed"); + + PAM_RETURN(PAM_CRED_UNAVAIL); +} + +PAM_EXTERN int +pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, int argc ,const char **argv) +{ + struct options options; + + pam_std_option(&options, NULL, argc, argv); + + PAM_LOG("Options processed"); + + PAM_RETURN(PAM_ACCT_EXPIRED); +} + +PAM_EXTERN int +pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, const char **argv) +{ + struct options options; + + pam_std_option(&options, NULL, argc, argv); + + PAM_LOG("Options processed"); + + PAM_RETURN(PAM_AUTHTOK_ERR); +} + +PAM_EXTERN int +pam_sm_open_session(pam_handle_t *pamh, int flags, int argc, const char **argv) +{ + struct options options; + + pam_std_option(&options, NULL, argc, argv); + + PAM_LOG("Options processed"); + + PAM_RETURN(PAM_SYSTEM_ERR); +} + +PAM_EXTERN int +pam_sm_close_session(pam_handle_t *pamh, int flags, int argc, const char **argv) +{ + struct options options; + + pam_std_option(&options, NULL, argc, argv); + + PAM_LOG("Options processed"); + + PAM_RETURN(PAM_SYSTEM_ERR); +} + +PAM_MODULE_ENTRY("pam_deny"); diff --git a/lib/libpam/modules/pam_ftp/Makefile b/lib/libpam/modules/pam_ftp/Makefile index 17f8a0f..78717d4 100644 --- a/lib/libpam/modules/pam_ftp/Makefile +++ b/lib/libpam/modules/pam_ftp/Makefile @@ -27,5 +27,6 @@ LIB= pam_ftp SHLIB_NAME= pam_ftp.so SRCS= pam_ftp.c +MAN= pam_ftp.8 .include 
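Review bot: The signature of `pam_sm_acct_mgmt` has a stray space before the comma, `int argc ,const char **argv`, unlike the other five entry points in this file; make it `pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, int argc, const char **argv)`. The six functions are otherwise identical apart from the failure code each returns, and nothing in the file says that this is deliberate; a one-line header comment above the first entry point such as `/* Every PAM category is refused unconditionally; see pam_deny(8). */` would tell the next reader that the unused pamh/flags and the fixed return values are the whole point of the module. The per-category codes (PAM_AUTH_ERR, PAM_CRED_UNAVAIL, PAM_ACCT_EXPIRED, PAM_AUTHTOK_ERR, PAM_SYSTEM_ERR) are worth a word in that comment too, since PAM_SYSTEM_ERR from the session hooks reads as a fault rather than a policy refusal.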
diff --git a/lib/libpam/modules/pam_ftp/pam_ftp.8 b/lib/libpam/modules/pam_ftp/pam_ftp.8 new file mode 100644 index 0000000..423564b --- /dev/null +++ b/lib/libpam/modules/pam_ftp/pam_ftp.8 
@@ -0,0 +1,92 @@ +.\" Copyright (c) 2001 Mark R V Murray +.\" All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. +.\" +.\" $FreeBSD$ +.\" +.Dd July 8, 2001 +.Dt PAM_FTP 8 +.Os +.Sh NAME +.Nm pam_ftp +.Nd FTP PAM module +.Sh SYNOPSIS +.Op Ar service-name +.Ar module-type +.Ar control-flag +.Pa pam_ftp +.Op Ar options +.Sh DESCRIPTION +The FTP authentication service module for PAM, +.Nm +provides functionality for only one PAM category: +authentication. +In terms of the +.Ar module-type +parameter, this is the +.Dv auth +feature. +It also provides a null function for session management. 
+.Ss FTP Authentication Module +The FTP authentication component +.Pq Fn pam_sm_authenticate , +authenticates the anonymous user +.Pq usually Do anonymous Dc or Do ftp Dc +usually by simply requesting an email address as a password. +The supplied email address is broken up +into its username and host parts, +and these are assigned to the +.Dv PAM_RUSER +and +.Dv PAM_RHOST +facilities respectively. +.Pp +This module is intended for the +.Xr ftpd 8 +service. +.Pp +The following options may be passed to the authentication module: +.Bl -tag -xwidth ".Cm use_first_pass" +.It Cm debug +.Xr syslog 3 +debugging information at +.Dv LOG_DEBUG +level. +.It Cm no_anon +Disallow anonymous access. +.It Cm ignore +Ingnore the password supplied, +and do not use its constituent parts +.Pq username and hostname +as +.Dv PAM_RUSER +and +.Dv PAM_RHOST +respectively. +.El +.Sh SEE ALSO +.Xr ftp 1 , +.Xr syslog 3 , +.Xr pam.conf 5 , +.Xr ftpd 8 , +.Xr pam 8 diff --git a/lib/libpam/modules/pam_ftp/pam_ftp.c b/lib/libpam/modules/pam_ftp/pam_ftp.c index 673f73c..df63c6a 100644 --- a/lib/libpam/modules/pam_ftp/pam_ftp.c +++ b/lib/libpam/modules/pam_ftp/pam_ftp.c @@ -26,11 +26,8 @@ * $FreeBSD$ */ -#define PLEASE_ENTER_PASSWORD "Password required for %s." -#define GUEST_LOGIN_PROMPT "Guest login ok, send your e-mail address as password." - -/* the following is a password that "can't be correct" */ -#define BLOCK_PASSWORD "\177BAD PASSWPRD\177" +#define PROMPT "OINK Password required for %s." +#define GUEST_PROMPT "TWEET Guest login ok, send your e-mail address as password." #include 
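Review bot: The new prompt strings carry leading `OINK ` and `TWEET ` tokens, which look like leftover debugging markers; they are sent verbatim to the ftp client as the password prompt, so `#define PROMPT "Password required for %s."` and `#define GUEST_PROMPT "Guest login ok, send your e-mail address as password."` are what should ship. If the prefixes are intentional, a comment saying why belongs next to the defines.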
@@ -41,20 +38,23 @@ #include #include -/* here, we make a definition for the externally accessible function in this - * file (this definition is required for static a module but strongly - * encouraged generally) it is used to instruct the modules include file to - * define the function prototypes. */ - #define PAM_SM_AUTH #include #include #include +enum { PAM_OPT_NO_ANON=PAM_OPT_STD_MAX, PAM_OPT_IGNORE }; + +static struct opttab other_options[] = { + { "no_anon", PAM_OPT_NO_ANON }, + { "ignore", PAM_OPT_IGNORE }, + { NULL, 0 } +}; + static int converse(pam_handle_t *pamh, int nargs, struct pam_message **message, - struct pam_response **response) + struct pam_response **response) { struct pam_conv *conv; int retval; @@ -103,8 +103,6 @@ lookup(const char *name, char *list, const char **user) return anon; } -/* --- authentication management functions (only) --- */ - /* Check if the user name is 'ftp' or 'anonymous'. * If this is the case, set the PAM_RUSER to the entered email address * and succeed, otherwise fail. 
@@ -112,47 +110,52 @@ lookup(const char *name, char *list, const char **user) PAM_EXTERN int pam_sm_authenticate(pam_handle_t * pamh, int flags, int argc, const char **argv) { + struct options options; struct pam_message msg[1], *mesg[1]; struct pam_response *resp; - int retval, anon, options, i; - const char *user, *token; + int retval, anon; char *users, *context, *prompt; + const char *user, *token; users = prompt = NULL; - options = 0; - for (i = 0; i < argc; i++) - pam_std_option(&options, argv[i]); + pam_std_option(&options, other_options, argc, argv); + + PAM_LOG("Options processed"); retval = pam_get_user(pamh, &user, NULL); if (retval != PAM_SUCCESS || user == NULL) - return PAM_USER_UNKNOWN; + PAM_RETURN(PAM_USER_UNKNOWN); anon = 0; - if (!(options & PAM_OPT_NO_ANON)) + if (!pam_test_option(&options, PAM_OPT_NO_ANON, NULL)) anon = lookup(user, users, &user); if (anon) { retval = pam_set_item(pamh, PAM_USER, (const void *)user); if (retval != PAM_SUCCESS || user == NULL) - return PAM_USER_UNKNOWN; + PAM_RETURN(PAM_USER_UNKNOWN); } + PAM_LOG("Got user: %s", user); + /* Require an email address for user's password. */ if (!anon) { - prompt = malloc(strlen(PLEASE_ENTER_PASSWORD) + strlen(user)); + prompt = malloc(strlen(PROMPT) + strlen(user)); if (prompt == NULL) - return PAM_BUF_ERR; + PAM_RETURN(PAM_BUF_ERR); else { - sprintf(prompt, PLEASE_ENTER_PASSWORD, user); + sprintf(prompt, PROMPT, user); msg[0].msg = prompt; } } else - msg[0].msg = GUEST_LOGIN_PROMPT; + msg[0].msg = GUEST_PROMPT; msg[0].msg_style = PAM_PROMPT_ECHO_OFF; mesg[0] = &msg[0]; + PAM_LOG("Sent prompt"); + resp = NULL; retval = converse(pamh, 1, mesg, &resp); if (prompt) { 
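Review bot: `prompt = malloc(strlen(PROMPT) + strlen(user))` only has room for the terminating NUL because the two-byte `%s` in PROMPT is replaced by the user name; any later edit to PROMPT that does not keep exactly one two-character conversion turns the following `sprintf` into a heap overflow. `asprintf(&prompt, PROMPT, user)` (available on this platform) removes the arithmetic, or size it as `strlen(PROMPT) - 2 + strlen(user) + 1` and use `snprintf` so the intent is visible. Separately, `PAM_LOG("Sent prompt")` is emitted before `converse()` has been called, so the debug trail misstates the order of events; move it after the call or word it `PAM_LOG("Sending prompt")`. pam_sm_authenticate continues past the end of this hunk.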
@@ -160,15 +163,19 @@ pam_sm_authenticate(pam_handle_t * pamh, int flags, int argc, const char **argv) _pam_drop(prompt); } + PAM_LOG("Done conversation 1"); + if (retval != PAM_SUCCESS) { if (resp != NULL) _pam_drop_reply(resp, 1); - return retval == PAM_CONV_AGAIN - ? PAM_INCOMPLETE : PAM_AUTHINFO_UNAVAIL; + PAM_RETURN(retval == PAM_CONV_AGAIN + ? PAM_INCOMPLETE : PAM_AUTHINFO_UNAVAIL); } + PAM_LOG("Done conversation 2"); + if (anon) { - if (!(options & PAM_OPT_IGNORE)) { + if (!pam_test_option(&options, PAM_OPT_IGNORE, NULL)) { token = strtok_r(resp->resp, "@", &context); pam_set_item(pamh, PAM_RUSER, token); @@ -178,16 +185,21 @@ pam_sm_authenticate(pam_handle_t * pamh, int flags, int argc, const char **argv) } } retval = PAM_SUCCESS; + + PAM_LOG("Done anonymous"); + } else { pam_set_item(pamh, PAM_AUTHTOK, resp->resp); retval = PAM_AUTH_ERR; + + PAM_LOG("Done non-anonymous"); } if (resp) - _pam_drop_reply(resp, i); + _pam_drop_reply(resp, 1); - return retval; + PAM_RETURN(retval); } PAM_EXTERN int @@ -196,6 +208,4 @@ pam_sm_setcred(pam_handle_t * pamh, int flags, int argc, const char **argv) return PAM_IGNORE; } -/* end of module definition */ - PAM_MODULE_ENTRY("pam_ftp"); diff --git a/lib/libpam/modules/pam_kerberosIV/pam_kerberosIV.c b/lib/libpam/modules/pam_kerberosIV/pam_kerberosIV.c index 403f8d6..bf7a451 100644 --- a/lib/libpam/modules/pam_kerberosIV/pam_kerberosIV.c +++ b/lib/libpam/modules/pam_kerberosIV/pam_kerberosIV.c @@ -47,9 +47,9 @@ int noticketsdontcomplain = 1; char *krbtkfile_env; PAM_EXTERN int -pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, - const char **argv) +pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv) { + struct options options; int retval; const char *user; char *principal; 
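Review bot: In the `-160` hunk, `token = strtok_r(resp->resp, "@", &context)` is reached without checking `resp->resp`; a conversation function may hand back a NULL string, and strtok_r with a NULL first argument resumes from the never-initialised `context` pointer, after which a NULL `token` is stored via `pam_set_item(pamh, PAM_RUSER, token)`. Guard the branch with `if (resp->resp != NULL && !pam_test_option(&options, PAM_OPT_IGNORE, NULL)) {` (the strtok_r line is context here, so the problem predates this commit). The `PAM_LOG("Done conversation 1")` / `"Done conversation 2"` pair reads as placeholder text; naming the state, e.g. `"Conversation failed: %d"` on the error path and `"Conversation completed"` after it, would make the syslog trail useful. pam_sm_authenticate starts before this hunk and ends in the `-178` hunk that follows.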
@@ -57,40 +57,46 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char *password; char localhost[MAXHOSTNAMELEN + 1]; struct passwd *pwd; - int options; - int i; - options = 0; - for (i = 0; i < argc; i++) - pam_std_option(&options, argv[i]); - if ((retval = pam_get_user(pamh, &user, NULL)) != PAM_SUCCESS) + pam_std_option(&options, NULL, argc, argv); + retval = pam_get_user(pamh, &user, NULL); + if (retval != PAM_SUCCESS) return retval; - if ((retval = pam_get_pass(pamh, &password, PASSWORD_PROMPT, - options)) != PAM_SUCCESS) + + retval = pam_get_pass(pamh, &password, PASSWORD_PROMPT, &options); + if (retval != PAM_SUCCESS) return retval; + if (gethostname(localhost, sizeof localhost - 1) == -1) return PAM_SYSTEM_ERR; - if ((principal = strdup(user)) == NULL) + + principal = strdup(user); + if (principal == NULL) return PAM_BUF_ERR; - if ((instance = strchr(principal, '.')) != NULL) + + instance = strchr(principal, '.'); + if (instance != NULL) *instance++ = '\0'; else instance = ""; - if ((pwd = getpwnam(user)) != NULL && - klogin(pwd, instance, localhost, (char *)password) == 0) { - if (!(flags & PAM_SILENT) && notickets && - !noticketsdontcomplain) - pam_prompt(pamh, PAM_ERROR_MSG, - "Warning: no Kerberos tickets issued", NULL); - /* - * XXX - I think the ticket file really isn't supposed to - * be even created until pam_sm_setcred() is called. - */ - if (krbtkfile_env != NULL) - setenv("KRBTKFILE", krbtkfile_env, 1); - retval = PAM_SUCCESS; - } else - retval = PAM_AUTH_ERR; + + retval = PAM_AUTH_ERR; + pwd = getpwnam(user); + if (pwd != NULL) { + if (klogin(pwd, instance, localhost, (char *)password) == 0) { + if (!(flags & PAM_SILENT) && notickets && !noticketsdontcomplain) + pam_prompt(pamh, PAM_ERROR_MSG, + "Warning: no Kerberos tickets issued", + NULL); + /* + * XXX - I think the ticket file isn't supposed to + * be created until pam_sm_setcred() is called. 
+ */ + if (krbtkfile_env != NULL) + setenv("KRBTKFILE", krbtkfile_env, 1); + retval = PAM_SUCCESS; + } + } /* * The PAM infrastructure will obliterate the cleartext * password before returning to the application. diff --git a/lib/libpam/modules/pam_nologin/Makefile b/lib/libpam/modules/pam_nologin/Makefile index db23a3d..bc18408 100644 --- a/lib/libpam/modules/pam_nologin/Makefile +++ b/lib/libpam/modules/pam_nologin/Makefile @@ -27,7 +27,6 @@ LIB= pam_nologin SHLIB_NAME= pam_nologin.so SRCS= pam_nologin.c +MAN= pam_nologin.8 .include - -.PATH: ${PAMDIR}/modules/pam_nologin diff --git a/lib/libpam/modules/pam_nologin/pam_nologin.8 b/lib/libpam/modules/pam_nologin/pam_nologin.8 new file mode 100644 index 0000000..dd39981 --- /dev/null +++ b/lib/libpam/modules/pam_nologin/pam_nologin.8 
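Review bot: `gethostname(localhost, sizeof localhost - 1)` does not promise a NUL terminator when the name is truncated, and nothing in this hunk initialises `localhost`, so a long host name would leave `klogin()` reading an unterminated buffer; add `localhost[sizeof localhost - 1] = '\0';` right after the call (the line is unchanged context, so this predates the commit). `principal` comes from `strdup()` and is not freed on any path visible here; the function continues past the hunk, so confirm the later cleanup releases it on every path. The nested `if (pwd != NULL) { if (klogin(...) == 0) {` can be a single condition, `if (pwd != NULL && klogin(pwd, instance, localhost, (char *)password) == 0) {`, which keeps the `retval = PAM_AUTH_ERR` default the hunk introduces and one level less indentation.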
@@ -0,0 +1,77 @@ +.\" Copyright (c) 2001 Mark R V Murray +.\" All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. +.\" +.\" $FreeBSD$ +.\" +.Dd July 8, 2001 +.Dt PAM_NOLOGIN 8 +.Os +.Sh NAME +.Nm pam_nologin +.Nd NoLogin PAM module +.Sh SYNOPSIS +.Op Ar service-name +.Ar module-type +.Ar control-flag +.Pa pam_nologin +.Op Ar options +.Sh DESCRIPTION +The NoLogin authentication service module for PAM, +.Nm +provides functionality for only one PAM category: +authentication. +In terms of the +.Ar module-type +parameter, this is the +.Dv auth +feature. +It also provides a null function for session management. 
+.Ss NoLogin Authentication Module +The NoLogin authentication component +.Pq Fn pam_sm_authenticate , +always returns success for the superuser, +and returns success for all other users +if the file +.Pa /var/run/nologin +does not exist. +If +.Pa /var/run/nologin +does exist, +then its contents are echoed +to non-superusers +before failure is returned. +.Pp +The following options may be passed to the authentication module: +.Bl -tag -xwidth ".Cm use_first_pass" +.It Cm debug +.Xr syslog 3 +debugging information at +.Dv LOG_DEBUG +level. +.El +.Sh SEE ALSO +.Xr syslog 3 , +.Xr nologin 5 , +.Xr pam.conf 5 , +.Xr pam 8 diff --git a/lib/libpam/modules/pam_nologin/pam_nologin.c b/lib/libpam/modules/pam_nologin/pam_nologin.c new file mode 100644 index 0000000..4a56342 --- /dev/null +++ b/lib/libpam/modules/pam_nologin/pam_nologin.c 
@@ -0,0 +1,115 @@ +/*- + * Copyright 2001 Mark R V Murray + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. 
+ * + * $FreeBSD$ + */ + +#define PAM_SM_AUTH + +#include +#include +#include +#include +#include +#include +#include + +#include +#include +#include "pam_mod_misc.h" + +#define NOLOGIN "/var/run/nologin" + +PAM_EXTERN int +pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv) +{ + struct options options; + struct pam_conv *conv; + struct pam_message message, *pmessage; + struct pam_response *resp; + struct passwd *user_pwd; + struct stat st; + int retval, fd; + const char *user; + char *mtmp; + + pam_std_option(&options, NULL, argc, argv); + + PAM_LOG("Options processed"); + + retval = pam_get_user(pamh, &user, NULL); + if (retval != PAM_SUCCESS) + PAM_RETURN(retval); + + PAM_LOG("Got user: %s", user); + + fd = open(NOLOGIN, O_RDONLY, 0); + if (fd < 0) + PAM_RETURN(PAM_SUCCESS); + + PAM_LOG("Opened %s file", NOLOGIN); + + user_pwd = getpwnam(user); + if (user_pwd && user_pwd->pw_uid == 0) { + message.msg_style = PAM_TEXT_INFO; + retval = PAM_SUCCESS; + } + else { + message.msg_style = PAM_ERROR_MSG; + if (!user_pwd) + retval = PAM_USER_UNKNOWN; + else + retval = PAM_AUTH_ERR; + } + + if (fstat(fd, &st) < 0) + PAM_RETURN(retval); + message.msg = mtmp = malloc(st.st_size + 1); + if (!message.msg) + PAM_RETURN(retval); + + read(fd, mtmp, st.st_size); + mtmp[st.st_size] = '\0'; + + pmessage = &message; + resp = NULL; + pam_get_item(pamh, PAM_CONV, (const void **)&conv); + conv->conv(1, (const struct pam_message **)&pmessage, &resp, + conv->appdata_ptr); + + free(mtmp); + if (resp) + _pam_drop_reply(resp, 1); + + PAM_RETURN(retval); +} + +PAM_EXTERN int +pam_sm_setcred(pam_handle_t *pamh, int flags, int argc, const char **argv) +{ + return PAM_SUCCESS; +} + +PAM_MODULE_ENTRY("pam_nologin"); diff --git a/lib/libpam/modules/pam_opie/Makefile b/lib/libpam/modules/pam_opie/Makefile index 7d14ccf..704f2f6 100644 --- a/lib/libpam/modules/pam_opie/Makefile +++ b/lib/libpam/modules/pam_opie/Makefile 
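Review bot: The descriptor from `open(NOLOGIN, O_RDONLY, 0)` is never closed: the `fstat` and `malloc` failure paths, and the normal path through `free(mtmp)`, all return with `fd` still open, so every authentication attempt while the file exists leaks a descriptor into the calling process. `read(fd, mtmp, st.st_size)` is also unchecked, and a short read or error leaves uninitialised heap bytes between the data and the terminator written at `mtmp[st.st_size]`; terminate at the byte count actually read instead. `pam_get_item(pamh, PAM_CONV, ...)` is likewise unchecked before `conv->conv(...)` is dereferenced. The rewrite below closes `fd` on every path and uses an `ssize_t nread` local (declare it with the other locals; `close()` needs `<unistd.h>`, whose presence I cannot confirm because the include names are not visible in this rendering, though `read()` already relies on it).
```c
	fd = open(NOLOGIN, O_RDONLY, 0);
	if (fd < 0)
		PAM_RETURN(PAM_SUCCESS);
	/* … unchanged: "Opened" log, superuser check and retval selection … */
	if (fstat(fd, &st) < 0) {
		close(fd);
		PAM_RETURN(retval);
	}
	message.msg = mtmp = malloc(st.st_size + 1);
	if (!message.msg) {
		close(fd);
		PAM_RETURN(retval);
	}
	nread = read(fd, mtmp, st.st_size);
	close(fd);
	if (nread < 0)
		nread = 0;
	mtmp[nread] = '\0';
	pmessage = &message;
	resp = NULL;
	if (pam_get_item(pamh, PAM_CONV, (const void **)&conv) != PAM_SUCCESS ||
	    conv == NULL) {
		free(mtmp);
		PAM_RETURN(retval);
	}
	conv->conv(1, (const struct pam_message **)&pmessage, &resp,
	    conv->appdata_ptr);
	/* … unchanged: free(mtmp), reply drop, PAM_RETURN(retval) … */
```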
@@ -30,5 +30,6 @@ SHLIB_NAME= pam_opie.so SRCS= pam_opie.c DPADD= ${LIBOPIE} LDADD= -lopie +MAN= pam_opie.8 .include diff --git a/lib/libpam/modules/pam_opie/pam_opie.8 b/lib/libpam/modules/pam_opie/pam_opie.8 new file mode 100644 index 0000000..9f00a90 --- /dev/null +++ b/lib/libpam/modules/pam_opie/pam_opie.8 
@@ -0,0 +1,91 @@ +.\" Copyright (c) 2001 Mark R V Murray +.\" All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. +.\" +.\" $FreeBSD$ +.\" +.Dd July 7, 2001 +.Dt PAM_OPIE 8 +.Os +.Sh NAME +.Nm pam_opie +.Nd OPIE PAM module +.Sh SYNOPSIS +.Op Ar service-name +.Ar module-type +.Ar control-flag +.Pa pam_opie +.Op Ar options +.Sh DESCRIPTION +The OPIE authentication service module for PAM, +.Nm +provides functionality for only one PAM category: +that of authentication. +In terms of the +.Ar module-type +parameter, this is the +.Dv auth +feature. +It also provides a null function for session management. 
+.Ss OPIE Authentication Module +The OPIE authentication component +provides functions to verify the identity of a user +.Pq Fn pam_sm_authenticate , +which obtains the relevant +.Xr opie 4 +credentials. +It provides the user with an OPIE challenge, +and verifies that this is correct with +.Xr opiechallenge 3 . +.Pp +The following options may be passed to the authentication module: +.Bl -tag -xwidth ".Cm use_first_pass" +.It Cm debug +.Xr syslog 3 +debugging information at +.Dv LOG_DEBUG +level. +.It Cm auth_as_self +This option will require the user +to authenticate themself as the user +given by +.Fn getuid 2 , +not as the account they are attempting to access. +This is primarily for services like +.Xr su 1 , +where the user's ability to retype +their own password +might be deemed sufficient. +.El +.Sh FILES +.Bl -tag -xwidth ".Pa /etc/opiekeys" -compact +.It Pa /etc/opiekeys +default OPIE password database. +.El +.Sh SEE ALSO +.Xr passwd 1 , +.Xr opiechallenge 3 , +.Xr opie 4 , +.Xr syslog 3 , +.Xr pam.conf 5 , +.Xr pam 8 diff --git a/lib/libpam/modules/pam_opie/pam_opie.c b/lib/libpam/modules/pam_opie/pam_opie.c index fa00bf8..566a694 100644 --- a/lib/libpam/modules/pam_opie/pam_opie.c +++ b/lib/libpam/modules/pam_opie/pam_opie.c 
@@ -27,77 +27,98 @@
 * $FreeBSD$
 */
-#include /* XXX */
-
+#include
+#include
+#include
 #include
 #include
-#include
+#include
 #define PAM_SM_AUTH
 #include
-
 #include "pam_mod_misc.h"
+enum { PAM_OPT_AUTH_AS_SELF=PAM_OPT_STD_MAX };
+
+static struct opttab other_options[] = {
+ { "auth_as_self", PAM_OPT_AUTH_AS_SELF },
+ { NULL, 0 }
+};
+
 PAM_EXTERN int
-pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc,
- const char **argv)
+pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv)
 {
- int retval;
- const char *user;
- const char *response;
 struct opie opie;
+ struct options options;
+ struct passwd *pwd;
+ int retval, i;
+ char *(promptstr[]) = { "%s\nPassword: ", "%s\nPassword [echo on]: "};
 char challenge[OPIE_CHALLENGE_MAX];
 char prompt[OPIE_CHALLENGE_MAX+22];
- char resp_buf[OPIE_SECRET_MAX];
- int options;
- int i;
+ char resp[OPIE_SECRET_MAX];
+ const char *user;
+ const char *response;
+
+ pam_std_option(&options, other_options, argc, argv);
+
+ PAM_LOG("Options processed");
- user = NULL;
- options = 0;
- for (i = 0; i < argc; i++)
- pam_std_option(&options, argv[i]);
 /*
 * It doesn't make sense to use a password that has already been
 * typed in, since we haven't presented the challenge to the user
 * yet.
 */
- options &= ~(PAM_OPT_USE_FIRST_PASS | PAM_OPT_TRY_FIRST_PASS);
- if ((retval = pam_get_user(pamh, (const char **)&user, NULL))
- != PAM_SUCCESS)
- return retval;
+ if (pam_test_option(&options, PAM_OPT_USE_FIRST_PASS, NULL) ||
+ pam_test_option(&options, PAM_OPT_TRY_FIRST_PASS, NULL))
+ PAM_RETURN(PAM_AUTH_ERR);
+
+ user = NULL;
+ if (pam_test_option(&options, PAM_OPT_AUTH_AS_SELF, NULL)) {
+ pwd = getpwuid(getuid());
+ user = pwd->pw_name;
+ }
+ else {
+ retval = pam_get_user(pamh, (const char **)&user, NULL);
+ if (retval != PAM_SUCCESS)
+ PAM_RETURN(retval);
+ }
+
+ PAM_LOG("Got user: %s", user);
+
 /*
 * Don't call the OPIE atexit() handler when our program exits,
 * since the module has been unloaded and we will SEGV.
 */
 opiedisableaeh();
- if (opiechallenge(&opie, (char *)user, challenge) != 0)
- return PAM_AUTH_ERR;
- snprintf(prompt, sizeof prompt, "%s\nPassword: ", challenge);
- if ((retval = pam_get_pass(pamh, &response, prompt, options)) !=
- PAM_SUCCESS) {
- opieunlock();
- return retval;
- }
- if (response[0] == '\0' && !(options & PAM_OPT_ECHO_PASS)) {
- options |= PAM_OPT_ECHO_PASS;
- snprintf(prompt, sizeof prompt,
- "%s\nPassword [echo on]: ", challenge);
- if ((retval = pam_get_pass(pamh, &response, prompt,
- options)) != PAM_SUCCESS) {
+ opiechallenge(&opie, (char *)user, challenge);
+ for (i = 0; i < 2; i++) {
+ snprintf(prompt, sizeof prompt, promptstr[i], challenge);
+ retval = pam_get_pass(pamh, &response, prompt, &options);
+ if (retval != PAM_SUCCESS) {
 opieunlock();
- return retval;
+ PAM_RETURN(retval);
 }
+
+ PAM_LOG("Completed challenge %d: %s", i, response);
+
+ if (response[0] != '\0')
+ break;
+
+ /* Second time round, echo the password */
+ pam_set_option(&options, PAM_OPT_ECHO_PASS);
 }
+
 /* We have to copy the response, because opieverify mucks with it. */
- snprintf(resp_buf, sizeof resp_buf, "%s", response);
+ snprintf(resp, sizeof resp, "%s", response);
+
 /*
 * Opieverify is supposed to return -1 only if an error occurs.
 * But it returns -1 even if the response string isn't in the form
 * it expects. Thus we can't log an error and can only check for
 * success or lack thereof.
 */
- return opieverify(&opie, resp_buf) == 0 ? PAM_SUCCESS : PAM_AUTH_ERR;
+ PAM_RETURN(opieverify(&opie, resp) == 0 ? PAM_SUCCESS : PAM_AUTH_ERR);
 }
 PAM_EXTERN int
diff --git a/lib/libpam/modules/pam_permit/Makefile b/lib/libpam/modules/pam_permit/Makefile
index e1b717d..6d797b4 100644
--- a/lib/libpam/modules/pam_permit/Makefile
+++ b/lib/libpam/modules/pam_permit/Makefile
@@ -27,7 +27,6 @@ LIB= pam_permit
 SHLIB_NAME= pam_permit.so
 SRCS= pam_permit.c
+MAN= pam_permit.8
 .include
-
-.PATH: ${PAMDIR}/modules/pam_permit
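Review bot: `PAM_LOG("Completed challenge %d: %s", i, response);` writes the user's typed response to syslog, so a user who mistakenly types a reusable password at the OPIE prompt ends up with that password in the system log; the debug line should record only that a response arrived, e.g. `PAM_LOG("Completed challenge %d", i);`. The auth_as_self branch dereferences the result of `getpwuid(getuid())` without a NULL check, which crashes the calling program when the real uid has no passwd entry; add `if (pwd == NULL) PAM_RETURN(PAM_AUTH_ERR);` before `user = pwd->pw_name;`. The removed code returned PAM_AUTH_ERR when `opiechallenge()` failed, while the new loop ignores its return value and prompts with whatever `challenge` holds; if that is deliberate (so that a challenge is shown even when the user has no OPIE entry) a one-line comment saying so would help, otherwise the check should be restored.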
diff --git a/lib/libpam/modules/pam_permit/pam_permit.8 b/lib/libpam/modules/pam_permit/pam_permit.8 new file mode 100644 index 0000000..f396fe7 --- /dev/null +++ b/lib/libpam/modules/pam_permit/pam_permit.8 
@@ -0,0 +1,74 @@ +.\" Copyright (c) 2001 Mark R V Murray +.\" All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. +.\" +.\" $FreeBSD$ +.\" +.Dd July 7, 2001 +.Dt PAM_PERMIT 8 +.Os +.Sh NAME +.Nm pam_permit +.Nd Promiscuous PAM module +.Sh SYNOPSIS +.Op Ar service-name +.Ar module-type +.Ar control-flag +.Pa pam_permit +.Op Ar options +.Sh DESCRIPTION +The Promiscuous authentication service module for PAM, +.Nm +provides functionality for all the PAM categories: +authentication, +account management, +session management and +password management. +In terms of the +.Ar module-type +parameter, these are the +.Dv auth , +.Dv account , +.Dv session +and +.Dv password +features. 
+.Pp +The Promiscuous module +will universally allow all requests. +It is primarily of use during testing, +and to silence +.Dq noisy +PAM-enabled applications. +.Pp +The following options may be passed to the module: +.Bl -tag -xwidth ".Cm use_first_pass" +.It Cm debug +.Xr syslog 3 +debugging information at +.Dv LOG_DEBUG +level. +.Sh SEE ALSO +.Xr syslog 3 , +.Xr pam.conf 5 , +.Xr pam 8 diff --git a/lib/libpam/modules/pam_permit/pam_permit.c b/lib/libpam/modules/pam_permit/pam_permit.c new file mode 100644 index 0000000..b02306c --- /dev/null +++ b/lib/libpam/modules/pam_permit/pam_permit.c 
@@ -0,0 +1,126 @@ +/*- + * Copyright 2001 Mark R V Murray + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. 
+ *
+ * $FreeBSD$
+ */
+
+#define PAM_SM_AUTH
+#define PAM_SM_ACCOUNT
+#define PAM_SM_SESSION
+#define PAM_SM_PASSWORD
+
+#include
+#include
+#include "pam_mod_misc.h"
+
+#define NOBODY "nobody"
+
+PAM_EXTERN int
+pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv)
+{
+ struct options options;
+ int retval;
+ const char *user;
+
+ pam_std_option(&options, NULL, argc, argv);
+
+ PAM_LOG("Options processed");
+
+ /* We always need to know who the user is */
+ user = NULL;
+ retval = pam_get_user(pamh, &user, NULL);
+ if (retval != PAM_SUCCESS)
+ PAM_RETURN(retval);
+
+ PAM_LOG("Got user: %s", user);
+
+ if (user == NULL || *user == '\0')
+ pam_set_item(pamh, PAM_USER, (const void *)NOBODY);
+ user = NULL;
+
+ PAM_RETURN(PAM_SUCCESS);
+}
+
+PAM_EXTERN int
+pam_sm_setcred(pam_handle_t *pamh, int flags, int argc, const char **argv)
+{
+ struct options options;
+
+ pam_std_option(&options, NULL, argc, argv);
+
+ PAM_LOG("Options processed");
+
+ PAM_RETURN(PAM_SUCCESS);
+}
+
+PAM_EXTERN int
+pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, int argc ,const char **argv)
+{
+ struct options options;
+
+ pam_std_option(&options, NULL, argc, argv);
+
+ PAM_LOG("Options processed");
+
+ PAM_RETURN(PAM_SUCCESS);
+}
+
+PAM_EXTERN int
+pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, const char **argv)
+{
+ struct options options;
+
+ pam_std_option(&options, NULL, argc, argv);
+
+ PAM_LOG("Options processed");
+
+ PAM_RETURN(PAM_SUCCESS);
+}
+
+PAM_EXTERN int
+pam_sm_open_session(pam_handle_t *pamh, int flags, int argc, const char **argv)
+{
+ struct options options;
+
+ pam_std_option(&options, NULL, argc, argv);
+
+ PAM_LOG("Options processed");
+
+ PAM_RETURN(PAM_SUCCESS);
+}
+
+PAM_EXTERN int
+pam_sm_close_session(pam_handle_t *pamh, int flags, int argc, const char **argv)
+{
+ struct options options;
+
+ pam_std_option(&options, NULL, argc, argv);
+
+ PAM_LOG("Options processed");
+
+ PAM_RETURN(PAM_SUCCESS);
+}
+
+PAM_MODULE_ENTRY("pam_permit"); diff --git a/lib/libpam/modules/pam_radius/pam_radius.8 b/lib/libpam/modules/pam_radius/pam_radius.8 index c5053fe..abe0095 100644 --- a/lib/libpam/modules/pam_radius/pam_radius.8 +++ b/lib/libpam/modules/pam_radius/pam_radius.8 @@ -45,12 +45,11 @@ .Nm pam_radius .Nd RADIUS authentication PAM module .Sh SYNOPSIS -.Nm pam_radius.so -.Op Cm use_first_pass -.Op Cm try_first_pass -.Op Cm echo_pass -.Op Cm conf Ns No = Ns Ar pathname -.Op Cm template_user Ns No = Ns Ar username +.Op Ar service-name +.Ar module-type +.Ar control-flag +.Pa pam_radius +.Op Ar options .Sh DESCRIPTION The .Nm diff --git a/lib/libpam/modules/pam_radius/pam_radius.c b/lib/libpam/modules/pam_radius/pam_radius.c index c04d8f2..781e1d4 100644 --- a/lib/libpam/modules/pam_radius/pam_radius.c +++ b/lib/libpam/modules/pam_radius/pam_radius.c @@ -39,12 +39,16 @@ #include "pam_mod_misc.h" -#define MAX_CHALLENGE_MSGS 10 -#define PASSWORD_PROMPT "RADIUS password:" +enum { PAM_OPT_CONF=PAM_OPT_STD_MAX, PAM_OPT_TEMPLATE_USER }; -/* Option names, including the "=" sign. */ -#define OPT_CONF "conf=" -#define OPT_TMPL "template_user=" +static struct opttab other_options[] = { + { "conf", PAM_OPT_CONF }, + { "template_user", PAM_OPT_TEMPLATE_USER }, + { NULL, 0 } +}; + +#define MAX_CHALLENGE_MSGS 10 +#define PASSWORD_PROMPT "RADIUS password:" static int build_access_request(struct rad_handle *, const char *, const char *, const void *, size_t); 
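Review bot: The return value of `pam_set_item(pamh, PAM_USER, (const void *)NOBODY);` in pam_sm_authenticate is discarded, so when the item cannot be stored the module still reports PAM_SUCCESS with an empty or missing PAM_USER, which is exactly the case the substitution exists to avoid; use `retval = pam_set_item(pamh, PAM_USER, (const void *)NOBODY); if (retval != PAM_SUCCESS) PAM_RETURN(retval);`. The `PAM_LOG("Got user: %s", user);` just above is evaluated before the `user == NULL` test, so with debug enabled a NULL pointer is handed to `%s`; move the log below the check or print a placeholder for the NULL case. The trailing `user = NULL;` is dead, since `user` is not read again before the function returns.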
@@ -194,48 +198,59 @@ do_challenge(pam_handle_t *pamh, struct rad_handle *radh, const char *user) } PAM_EXTERN int -pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, - const char **argv) +pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv) { + struct options options; struct rad_handle *radh; - const char *user; - const char *pass; - const char *conf_file = NULL; - const char *template_user = NULL; - int options = 0; + const char *user, *tmpuser, *pass; + char *conf_file, *template_user; int retval; - int i; int e; - for (i = 0; i < argc; i++) { - size_t len; + pam_std_option(&options, other_options, argc, argv); - pam_std_option(&options, argv[i]); - if (strncmp(argv[i], OPT_CONF, (len = strlen(OPT_CONF))) == 0) - conf_file = argv[i] + len; - else if (strncmp(argv[i], OPT_TMPL, - (len = strlen(OPT_TMPL))) == 0) - template_user = argv[i] + len; - } - if ((retval = pam_get_user(pamh, &user, NULL)) != PAM_SUCCESS) - return retval; - if ((retval = pam_get_pass(pamh, &pass, PASSWORD_PROMPT, - options)) != PAM_SUCCESS) - return retval; + PAM_LOG("Options processed"); + + conf_file = NULL; + pam_test_option(&options, PAM_OPT_CONF, &conf_file); + template_user = NULL; + pam_test_option(&options, PAM_OPT_TEMPLATE_USER, &template_user); + + retval = pam_get_user(pamh, &user, NULL); + if (retval != PAM_SUCCESS) + PAM_RETURN(retval); - if ((radh = rad_open()) == NULL) { + PAM_LOG("Got user: %s", user); + + retval = pam_get_pass(pamh, &pass, PASSWORD_PROMPT, &options); + if (retval != PAM_SUCCESS) + PAM_RETURN(retval); + + PAM_LOG("Got password"); + + radh = rad_open(); + if (radh == NULL) { syslog(LOG_CRIT, "rad_open failed"); - return PAM_SERVICE_ERR; + PAM_RETURN(PAM_SERVICE_ERR); } + + PAM_LOG("Radius opened"); + if (rad_config(radh, conf_file) == -1) { syslog(LOG_ALERT, "rad_config: %s", rad_strerror(radh)); rad_close(radh); - return PAM_SERVICE_ERR; + PAM_RETURN(PAM_SERVICE_ERR); } + + PAM_LOG("Radius config file read"); + if 
(build_access_request(radh, user, pass, NULL, 0) == -1) { rad_close(radh); - return PAM_SERVICE_ERR; + PAM_RETURN(PAM_SERVICE_ERR); } + + PAM_LOG("Radius build access done"); + for ( ; ; ) { switch (rad_send_request(radh)) { @@ -243,10 +258,11 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, e = do_accept(pamh, radh); rad_close(radh); if (e == -1) - return PAM_SERVICE_ERR; + PAM_RETURN(PAM_SERVICE_ERR); if (template_user != NULL) { - const void *item; - const char *user; + + PAM_LOG("Trying template user: %s", + template_user); /* * If the given user name doesn't exist in @@ -254,25 +270,28 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, * to the value given in the "template_user" * option. */ - retval = pam_get_item(pamh, PAM_USER, &item); + retval = pam_get_item(pamh, PAM_USER, + (void *)&tmpuser); if (retval != PAM_SUCCESS) - return retval; - user = (const char *)item; - if (getpwnam(user) == NULL) + PAM_RETURN(retval); + if (getpwnam(tmpuser) == NULL) { pam_set_item(pamh, PAM_USER, template_user); + PAM_LOG("Using template user"); + } + } - return PAM_SUCCESS; + PAM_RETURN(PAM_SUCCESS); case RAD_ACCESS_REJECT: rad_close(radh); - return PAM_AUTH_ERR; + PAM_RETURN(PAM_AUTH_ERR); case RAD_ACCESS_CHALLENGE: - if ((retval = do_challenge(pamh, radh, user)) != - PAM_SUCCESS) { + retval = do_challenge(pamh, radh, user); + if (retval != PAM_SUCCESS) { rad_close(radh); - return retval; + PAM_RETURN(retval); } break; @@ -280,13 +299,13 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, syslog(LOG_CRIT, "rad_send_request: %s", rad_strerror(radh)); rad_close(radh); - return PAM_AUTHINFO_UNAVAIL; + PAM_RETURN(PAM_AUTHINFO_UNAVAIL); default: syslog(LOG_CRIT, "rad_send_request: unexpected return value"); rad_close(radh); - return PAM_SERVICE_ERR; + PAM_RETURN(PAM_SERVICE_ERR); } } } diff --git a/lib/libpam/modules/pam_rootok/Makefile b/lib/libpam/modules/pam_rootok/Makefile index 8d9bf06..948c0299 100644 
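Review bot: `pam_get_item(pamh, PAM_USER, (void *)&tmpuser);` in the template_user branch casts a `const char **` to `void *` to fit the prototype, where the removed code read into a `const void *item` and then assigned; keeping that typed temporary, `const void *item; retval = pam_get_item(pamh, PAM_USER, &item); tmpuser = item;`, avoids the cast. The following `getpwnam(tmpuser)` is reached without checking that the item was actually set; this was already so before the change, but a `if (tmpuser == NULL) PAM_RETURN(PAM_SERVICE_ERR);` guard would cost nothing now that the branch is being reworked. pam_sm_authenticate opens in the first hunk and appears to close in the last one.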
--- a/lib/libpam/modules/pam_rootok/Makefile +++ b/lib/libpam/modules/pam_rootok/Makefile @@ -27,7 +27,6 @@ LIB= pam_rootok SHLIB_NAME= pam_rootok.so SRCS= pam_rootok.c +MAN= pam_rootok.8 .include - -.PATH: ${PAMDIR}/modules/pam_rootok diff --git a/lib/libpam/modules/pam_rootok/pam_rootok.8 b/lib/libpam/modules/pam_rootok/pam_rootok.8 new file mode 100644 index 0000000..805fc6c --- /dev/null +++ b/lib/libpam/modules/pam_rootok/pam_rootok.8 
@@ -0,0 +1,70 @@ +.\" Copyright (c) 2001 Mark R V Murray +.\" All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. +.\" +.\" $FreeBSD$ +.\" +.Dd July 8, 2001 +.Dt PAM_ROOTOK 8 +.Os +.Sh NAME +.Nm pam_rootok +.Nd RootOK PAM module +.Sh SYNOPSIS +.Op Ar service-name +.Ar module-type +.Ar control-flag +.Pa pam_rootok +.Op Ar options +.Sh DESCRIPTION +The RootOK authentication service module for PAM, +.Nm +provides functionality for only one PAM category: +authentication. +In terms of the +.Ar module-type +parameter, this is the +.Dv auth +feature. +It also provides a null function for session management. 
+.Ss RootOK Authentication Module +The RootOK authentication component +.Pq Fn pam_sm_authenticate , +always returns success for the superuser; +.Em ie, +if +.Xr getuid 2 +returns 0. +.Pp +The following options may be passed to the authentication module: +.Bl -tag -xwidth ".Cm use_first_pass" +.It Cm debug +.Xr syslog 3 +debugging information at +.Dv LOG_DEBUG +level. +.El +.Sh SEE ALSO +.Xr getuid 2 , +.Xr pam.conf 5 , +.Xr pam 8 diff --git a/lib/libpam/modules/pam_rootok/pam_rootok.c b/lib/libpam/modules/pam_rootok/pam_rootok.c new file mode 100644 index 0000000..71478a1 --- /dev/null +++ b/lib/libpam/modules/pam_rootok/pam_rootok.c 
@@ -0,0 +1,64 @@ +/*- + * Copyright (c) 2001 Mark R V Murray + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. 
+ *
+ * $FreeBSD$
+ */
+
+#define _BSD_SOURCE
+
+#include
+#include
+
+#define PAM_SM_AUTH
+
+#include
+#include
+
+PAM_EXTERN int
+pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv)
+{
+ struct options options;
+ uid_t uid;
+
+ pam_std_option(&options, NULL, argc, argv);
+
+ PAM_LOG("Options processed");
+
+ uid = getuid();
+ if (uid == 0)
+ PAM_RETURN(PAM_SUCCESS);
+
+ PAM_LOG("User is not root");
+
+ PAM_RETURN(PAM_AUTH_ERR);
+}
+
+PAM_EXTERN int
+pam_sm_setcred(pam_handle_t *pamh, int flags, int argc, const char **argv)
+{
+ return PAM_SUCCESS;
+}
+
+PAM_MODULE_ENTRY("pam_rootok");
diff --git a/lib/libpam/modules/pam_securetty/Makefile b/lib/libpam/modules/pam_securetty/Makefile
index 1bf77db..764dfb0 100644
--- a/lib/libpam/modules/pam_securetty/Makefile
+++ b/lib/libpam/modules/pam_securetty/Makefile
@@ -27,5 +27,6 @@ LIB= pam_securetty
 SHLIB_NAME= pam_securetty.so
 SRCS= pam_securetty.c
+MAN= pam_securetty.8
 .include
diff --git a/lib/libpam/modules/pam_securetty/pam_securetty.8 b/lib/libpam/modules/pam_securetty/pam_securetty.8
new file mode 100644
index 0000000..33267a3
--- /dev/null
+++ b/lib/libpam/modules/pam_securetty/pam_securetty.8
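Review bot: `pam_sm_setcred` returns a bare `return PAM_SUCCESS;` while every other entry point added in this commit goes through `pam_std_option()` and `PAM_RETURN()`, so its options are never parsed and it is silent on the debug path; for consistency give it a `struct options options;` and the same three lines, `pam_std_option(&options, NULL, argc, argv); PAM_LOG("Options processed"); PAM_RETURN(PAM_SUCCESS);`. A comment above `uid = getuid();` stating that the decision is made on the real uid of the calling process and that PAM_USER is never consulted would also help, since a reader may otherwise expect the module to look at the account being authenticated.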
@@ -0,0 +1,82 @@ +.\" Copyright (c) 2001 Mark R V Murray +.\" All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. +.\" +.\" $FreeBSD$ +.\" +.Dd July 8, 2001 +.Dt PAM_SECURETTY 8 +.Os +.Sh NAME +.Nm pam_securetty +.Nd SecureTTY PAM module +.Sh SYNOPSIS +.Op Ar service-name +.Ar module-type +.Ar control-flag +.Pa pam_securetty +.Op Ar options +.Sh DESCRIPTION +The SecureTTY authentication service module for PAM, +.Nm +provides functionality for only one PAM category: +authentication. +In terms of the +.Ar module-type +parameter, this is the +.Dv auth +feature. +It also provides a null function for session management. 
+.Ss SecureTTY Authentication Module +The SecureTTY authentication component +.Pq Fn pam_sm_authenticate , +returns success if the user is attempting to authenticate as superuser, +and the process is attached to a secure TTY. +Alternatively, +if the user is not authenticating as superuser, +the module always returns success. +.Pp +A TTY is defined as secure if its entry is fetchable from +.Pa /etc/ttys +by +.Xr getttynam 3 +(see +.Xr ttys 5 ) , +and the entry (a struct ttyent) has the +.Dv TTY_SECURE +flag set. +.Pp +The following options may be passed to the authentication module: +.Bl -tag -xwidth ".Cm use_first_pass" +.It Cm debug +.Xr syslog 3 +debugging information at +.Dv LOG_DEBUG +level. +.El +.Sh SEE ALSO +.Xr getttyynam 3 , +.Xr syslog 3 , +.Xr ttys 5 , +.Xr pam.conf 5 , +.Xr pam 8 diff --git a/lib/libpam/modules/pam_securetty/pam_securetty.c b/lib/libpam/modules/pam_securetty/pam_securetty.c index fe04b3c..aecabce 100644 --- a/lib/libpam/modules/pam_securetty/pam_securetty.c +++ b/lib/libpam/modules/pam_securetty/pam_securetty.c 
@@ -41,42 +41,51 @@
 PAM_EXTERN int
 pam_sm_authenticate(pam_handle_t * pamh, int flags, int argc, const char **argv)
 {
- struct ttyent *ttyfileinfo;
- struct passwd *user_pwd;
- int i, options, retval;
- const char *username, *ttyname;
+ struct options options;
+ struct ttyent *ttyfileinfo;
+ struct passwd *user_pwd;
+ int retval;
+ const char *user, *ttyname;
- options = 0;
- for (i = 0; i < argc; i++)
- pam_std_option(&options, argv[i]);
+ pam_std_option(&options, NULL, argc, argv);
- retval = pam_get_user(pamh, &username, NULL);
+ PAM_LOG("Options processed");
+
+ retval = pam_get_user(pamh, &user, NULL);
 if (retval != PAM_SUCCESS)
- return retval;
+ PAM_RETURN(retval);
+
+ PAM_LOG("Got user: %s", user);
 retval = pam_get_item(pamh, PAM_TTY, (const void **)&ttyname);
 if (retval != PAM_SUCCESS)
- return retval;
+ PAM_RETURN(retval);
+
+ PAM_LOG("Got TTY: %s", ttyname);
 /* Ignore any "/dev/" on the PAM_TTY item */
 if (strncmp(TTY_PREFIX, ttyname, sizeof(TTY_PREFIX) - 1) == 0) ttyname += sizeof(TTY_PREFIX) - 1;
 /* If the user is not root, secure ttys do not apply */
- user_pwd = getpwnam(username);
+ user_pwd = getpwnam(user);
 if (user_pwd == NULL)
- return PAM_IGNORE;
+ PAM_RETURN(PAM_IGNORE);
 else if (user_pwd->pw_uid != 0)
- return PAM_SUCCESS;
+ PAM_RETURN(PAM_SUCCESS);
+
+ PAM_LOG("User is not root");
 ttyfileinfo = getttynam(ttyname);
 if (ttyfileinfo == NULL)
- return PAM_SERVICE_ERR;
+ PAM_RETURN(PAM_SERVICE_ERR);
+
+ PAM_LOG("Got ttyfileinfo");
 if (ttyfileinfo->ty_status & TTY_SECURE)
- return PAM_SUCCESS;
+ PAM_RETURN(PAM_SUCCESS);
 else
- return PAM_PERM_DENIED;
+ PAM_RETURN(PAM_PERM_DENIED);
 }
 PAM_EXTERN
@@ -86,6 +95,4 @@ pam_sm_setcred(pam_handle_t * pamh, int flags, int argc, const char **argv)
 return PAM_SUCCESS;
 }
-/* end of module definition */
-
 PAM_MODULE_ENTRY("pam_securetty");
diff --git a/lib/libpam/modules/pam_ssh/pam_ssh.8 b/lib/libpam/modules/pam_ssh/pam_ssh.8
new file mode 100644
index 0000000..ad4323c
--- /dev/null
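Review bot: `PAM_LOG("User is not root");` is placed after the `pw_uid != 0` case has already returned PAM_SUCCESS, so the message fires exactly when the user is root and will mislead anyone reading the debug log; it should read `PAM_LOG("User is root, checking tty");`. `pam_get_item(pamh, PAM_TTY, ...)` can succeed with `ttyname` left NULL when the application never set PAM_TTY, and both the new `PAM_LOG("Got TTY: %s", ttyname)` and the pre-existing `strncmp()` then dereference it; failing closed with `if (ttyname == NULL) PAM_RETURN(PAM_SERVICE_ERR);` right after the item is fetched keeps a root login without a known tty from reaching the secure-tty check at all. pam_sm_authenticate lies wholly inside the first hunk.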
+++ b/lib/libpam/modules/pam_ssh/pam_ssh.8 
@@ -0,0 +1,148 @@ +.\" Copyright (c) 2001 Mark R V Murray +.\" All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. +.\" +.\" $FreeBSD$ +.\" +.Dd July 7, 2001 +.Dt PAM_UNIX 8 +.Os +.Sh NAME +.Nm pam_unix +.Nd UNIX PAM module +.Sh SYNOPSIS +.Op Ar service-name +.Ar module-type +.Ar control-flag +.Pa pam_unix +.Op Ar options +.Sh DESCRIPTION +The +.Ux +authentication service module for PAM, +.Nm +provides functionality for two PAM categories: +authentication +and account management. +In terms of the +.Ar module-type +parameter, they are the +.Dv auth +and +.Dv account +features. +It also provides a null function for session management. 
+.Ss Ux Authentication Module +The +.Ux +authentication component +provides functions to verify the identity of a user +.Pq Fn pam_sm_authenticate , +which obtains the relevant +.Xr passwd 5 +entry. +It prompts the user for a password +and verifies that this is correct with +.Xr crypt 3 . +.Pp +The following options may be passed to the authentication module: +.Bl -tag -xwidth ".Cm use_first_pass" +.It Cm debug +.Xr syslog 3 +debugging information at +.Dv LOG_DEBUG +level. +.It Cm use_first_pass +If the authentication module +is not the first in the stack, +and a previous module +obtained the user's password, +that password is used +to authenticate the user. +If this fails, +the authentication module returns failure +without prompting the user for a password. +This option has no effect +if the authentication module +is the first in the stack, +or if no previous modules +obtained the user's password. +.It Cm try_first_pass +This option is similar to the +.Cm use_first_pass +option, +except that if the previously obtained password fails, +the user is prompted for another password. +.It Cm auth_as_self +This option will require the user +to authenticate themself as the user +given by +.Fn getuid 2 , +not as the account they are attempting to access. +This is primarily for services like +.Xr su 1 , +where the user's ability to retype +their own password +might be deemed sufficient. +.It Cm nullok +If the password database +has no password +for the entity being authenticated, +then this option +will forgo password prompting, +and silently allow authentication to succeed. +.El +.Ss Ux Account Management Module +The +.Ux +account management component +provides a function to perform account management, +.Fn pam_sm_acct_mgmt . +The function verifies +that the authenticated user +is allowed to login to the local user account +by checking the password expiry date. 
+.Pp +The following options may be passed to the management module: +.Bl -tag -xwidth ".Cm use_first_pass" +.It Cm debug +.Xr syslog 3 +debugging information at +.Dv LOG_DEBUG +level. +.El +.Sh FILES +.Bl -tag -xwidth ".Pa /etc/master.passwd" -compact +.It Pa /etc/master.passwd +default +.Ux +password database. +.El +.Sh SEE ALSO +.Xr passwd 1 , +.Xr getuid 2 , +.Xr crypt 3 , +.Xr passwd 5 , +.Xr syslog 3 , +.Xr pam.conf 5 , +.Xr pam 8 diff --git a/lib/libpam/modules/pam_tacplus/Makefile b/lib/libpam/modules/pam_tacplus/Makefile index e324a30..0d6daaa 100644 --- a/lib/libpam/modules/pam_tacplus/Makefile +++ b/lib/libpam/modules/pam_tacplus/Makefile @@ -29,5 +29,6 @@ SHLIB_NAME= pam_tacplus.so SRCS= pam_tacplus.c DPADD= ${LIBTACPLUS} LDADD= -ltacplus +MAN= pam_tacplus.8 .include diff --git a/lib/libpam/modules/pam_tacplus/pam_tacplus.8 b/lib/libpam/modules/pam_tacplus/pam_tacplus.8 new file mode 100644 index 0000000..67ec965 --- /dev/null +++ b/lib/libpam/modules/pam_tacplus/pam_tacplus.8 
@@ -0,0 +1,128 @@
+.\" Copyright (c) 1999
+.\" Andrzej Bialecki . All rights reserved.
+.\"
+.\" Copyright (c) 1992, 1993, 1994
+.\" The Regents of the University of California. All rights reserved.
+.\" All rights reserved.
+.\"
+.\" This code is derived from software donated to Berkeley by
+.\" Jan-Simon Pendry.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
+.\" 3. All advertising materials mentioning features or use of this software
+.\" must display the following acknowledgement:
+.\" This product includes software developed by the University of
+.\" California, Berkeley and its contributors.
+.\" 4. Neither the name of the University nor the names of its contributors
+.\" may be used to endorse or promote products derived from this software
+.\" without specific prior written permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED.
IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $FreeBSD$
+.\"
+.Dd August 2, 1999
+.Dt PAM_TACPLUS 8
+.Os FreeBSD
+.Sh NAME
+.Nm pam_tacplus
+.Nd TACACS+ authentication PAM module
+.Sh SYNOPSIS
+.Op Ar service-name
+.Ar module-type
+.Ar control-flag
+.Pa pam_tacplus
+.Op Ar options
+.Sh DESCRIPTION
+The
+.Nm
+module provides authentication services based
+upon the TACACS+ protocol
+for the PAM (Pluggable Authentication Module) framework.
+.Pp
+The
+.Nm
+module accepts these optional parameters:
+.Bl -tag -width Fl
+.It Cm use_first_pass
+causes
+.Nm
+to use a previously entered password instead of prompting for a new one.
+If no password has been entered then authentication fails.
+.It Cm try_first_pass
+causes
+.Nm
+to use a previously entered password, if one is available. If no
+password has been entered,
+.Nm
+prompts for one as usual.
+.It Cm echo_pass
+causes echoing to be left on if
+.Nm
+prompts for a password.
+.It Cm conf Ns No = Ns Ar pathname
+specifies a non-standard location for the TACACS+ client configuration file
+(normally located in /etc/tacplus.conf).
+.It Cm template_user Ns No = Ns Ar username
+specifies a user whose
+.Xr passwd 5
+entry will be used as a template to create the session environment
+if the supplied username doesn't exist in local password database.
+The user
+will be authenticated with the supplied username and password, but his
+credentials to the system will be presented as the ones for
+.Ar username ,
+i.e., his login class, home directory, resource limits, etc. will be set to ones
+defined for
+.Ar username .
+.Pp
+If this option is omitted, and there is no username
+in the system databases equal to the supplied one (as determined by call to
+.Xr getpwnam 3 ) ,
+the authentication will fail.
+.El
+.Sh FILES
+.Bl -tag -width /etc/tacplus.conf -compact
+.It Pa /etc/tacplus.conf
+The standard TACACS+ client configuration file for
+.Nm
+.El
+.Sh SEE ALSO
+.Xr passwd 5 ,
+.Xr tacplus.conf 5 ,
+.Xr pam 8
+.Sh HISTORY
+The
+.Nm
+module first appeared in
+.Fx 3.1 .
+.Sh AUTHORS
+.An -nosplit
+The
+.Nm
+manual page was written by
+.An Andrzej Bialecki Aq abial@FreeBSD.org
+and adapted to TACACS+ from RADIUS by
+.An Mark R V Murray Aq markm@FreeBSD.org .
+.Pp
+The
+.Nm
+module was written by
+.An John D. Polstra Aq jdp@FreeBSD.org .
diff --git a/lib/libpam/modules/pam_tacplus/pam_tacplus.c b/lib/libpam/modules/pam_tacplus/pam_tacplus.c
index 0820071..786d303 100644
--- a/lib/libpam/modules/pam_tacplus/pam_tacplus.c
+++ b/lib/libpam/modules/pam_tacplus/pam_tacplus.c
@@ -40,9 +40,13 @@ #include "pam_mod_misc.h" -/* Option names, including the "=" sign. */ -#define OPT_CONF "conf=" -#define OPT_TMPL "template_user=" +enum { PAM_OPT_CONF=PAM_OPT_STD_MAX, PAM_OPT_TEMPLATE_USER }; + +static struct opttab other_options[] = { + { "conf", PAM_OPT_CONF }, + { "template_user", PAM_OPT_TEMPLATE_USER }, + { NULL, 0 } +}; typedef int (*set_func)(struct tac_handle *, const char *);
@@ -58,7 +62,8 @@ do_item(pam_handle_t *pamh, struct tac_handle *tach, int item, int retval; const void *value; - if ((retval = pam_get_item(pamh, item, &value)) != PAM_SUCCESS) + retval = pam_get_item(pamh, item, &value); + if (retval != PAM_SUCCESS) return retval; if (value != NULL && (*func)(tach, (const char *)value) == -1) { syslog(LOG_CRIT, "%s: %s", funcname, tac_strerror(tach)); @@ -73,7 +78,8 @@ get_msg(struct tac_handle *tach) { char *msg; - if ((msg = tac_get_msg(tach)) == NULL) { + msg = tac_get_msg(tach); + if (msg == NULL) { syslog(LOG_CRIT, "tac_get_msg: %s", tac_strerror(tach)); tac_close(tach); return NULL; 
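Review bot: `return retval` on the pam_get_item failure path leaves the tac_handle the caller passed in open, and the callers in pam_sm_authenticate (the -96,48 hunk below) each do `if (retval != PAM_SUCCESS) PAM_RETURN(retval);` after do_item without a tac_close either, unlike the tac_config and tac_create_authen failures just before them. Either do_item owns the handle on every failure path, `if (retval != PAM_SUCCESS) { tac_close(tach); return retval; }`, or the callers close it after a failed do_item; the func-failure branch of do_item is cut off at the end of this hunk, so whichever side that branch already closes on should be the one used, to avoid a double close. The rest of do_item lies outside the hunk.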
@@ -96,48 +102,57 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv) { + struct options options; int retval; struct tac_handle *tach; - const char *conf_file = NULL; - const char *template_user = NULL; - int options = 0; - int i; - - for (i = 0; i < argc; i++) { - size_t len; - - pam_std_option(&options, argv[i]); - if (strncmp(argv[i], OPT_CONF, (len = strlen(OPT_CONF))) == 0) - conf_file = argv[i] + len; - else if (strncmp(argv[i], OPT_TMPL, - (len = strlen(OPT_TMPL))) == 0) - template_user = argv[i] + len; - } + char *conf_file; + char *template_user; + + pam_std_option(&options, other_options, argc, argv); + + PAM_LOG("Options processed"); + + conf_file = NULL; + pam_test_option(&options, PAM_OPT_CONF, &conf_file); + template_user = NULL; + pam_test_option(&options, PAM_OPT_TEMPLATE_USER, &template_user); - if ((tach = tac_open()) == NULL) { + tach = tac_open(); + if (tach == NULL) { syslog(LOG_CRIT, "tac_open failed"); - return PAM_SERVICE_ERR; + PAM_RETURN(PAM_SERVICE_ERR); } if (tac_config(tach, conf_file) == -1) { syslog(LOG_ALERT, "tac_config: %s", tac_strerror(tach)); tac_close(tach); - return PAM_SERVICE_ERR; + PAM_RETURN(PAM_SERVICE_ERR); } if (tac_create_authen(tach, TAC_AUTHEN_LOGIN, TAC_AUTHEN_TYPE_ASCII, TAC_AUTHEN_SVC_LOGIN) == -1) { syslog(LOG_CRIT, "tac_create_authen: %s", tac_strerror(tach)); tac_close(tach); - return PAM_SERVICE_ERR; + PAM_RETURN(PAM_SERVICE_ERR); } - if ((retval = do_item(pamh, tach, PAM_USER, - tac_set_user, "tac_set_user")) != PAM_SUCCESS) - return retval; - if ((retval = do_item(pamh, tach, PAM_TTY, - tac_set_port, "tac_set_port")) != PAM_SUCCESS) - return retval; - if ((retval = do_item(pamh, tach, PAM_RHOST, - tac_set_rem_addr, "tac_set_rem_addr")) != PAM_SUCCESS) - return retval; + + PAM_LOG("Done tac_open() ... 
tac_close()"); + + retval = do_item(pamh, tach, PAM_USER, tac_set_user, "tac_set_user"); + if (retval != PAM_SUCCESS) + PAM_RETURN(retval); + + PAM_LOG("Done user"); + + retval = do_item(pamh, tach, PAM_TTY, tac_set_port, "tac_set_port"); + if (retval != PAM_SUCCESS) + PAM_RETURN(retval); + + PAM_LOG("Done tty"); + + retval = do_item(pamh, tach, PAM_RHOST, tac_set_rem_addr, + "tac_set_rem_addr"); + if (retval != PAM_SUCCESS) + PAM_RETURN(retval); + for ( ; ; ) { char *srvr_msg; size_t msg_len; @@ -145,16 +160,17 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, char *data_msg; int sflags; int status; - int echo; - if ((sflags = tac_send_authen(tach)) == -1) { + sflags = tac_send_authen(tach); + if (sflags == -1) { syslog(LOG_CRIT, "tac_send_authen: %s", tac_strerror(tach)); tac_close(tach); - return PAM_AUTHINFO_UNAVAIL; + PAM_RETURN(PAM_AUTHINFO_UNAVAIL); } status = TAC_AUTHEN_STATUS(sflags); - echo = TAC_AUTHEN_NOECHO(sflags) ? 0 : PAM_OPT_ECHO_PASS; + if (!TAC_AUTHEN_NOECHO(sflags)) + pam_set_option(&options, PAM_OPT_ECHO_PASS); switch (status) { case TAC_AUTHEN_STATUS_PASS: @@ -163,6 +179,9 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const void *item; const char *user; + PAM_LOG("Trying template user: %s", + template_user); + /* * If the given user name doesn't exist in * the local password database, change it 
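Review bot: `pam_set_option(&options, PAM_OPT_ECHO_PASS)` is only ever set and never cleared, so once any packet in the loop arrives without TAC_AUTHEN_NOECHO the flag stays on for every later prompt, and a following GETPASS round echoes the password to the terminal; the removed `echo` local was recomputed on each iteration and had no such carry-over. Clearing the option on an `else` branch (with the options API's clearing counterpart, if it has one, or by keeping a per-iteration local as before) restores per-packet behaviour. The same sticky flag feeds the PAM_OPT_ECHO_PASS test in the GETDATA case of the -171,58 hunk below. The loop body continues past this hunk.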
@@ -171,58 +190,60 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, */ retval = pam_get_item(pamh, PAM_USER, &item); if (retval != PAM_SUCCESS) - return retval; + PAM_RETURN(retval); user = (const char *)item; - if (getpwnam(user) == NULL) + if (getpwnam(user) == NULL) { pam_set_item(pamh, PAM_USER, template_user); + PAM_LOG("Using template user"); + } } - return PAM_SUCCESS; + PAM_RETURN(PAM_SUCCESS); case TAC_AUTHEN_STATUS_FAIL: tac_close(tach); - return PAM_AUTH_ERR; + PAM_RETURN(PAM_AUTH_ERR); case TAC_AUTHEN_STATUS_GETUSER: case TAC_AUTHEN_STATUS_GETPASS: if ((srvr_msg = get_msg(tach)) == NULL) - return PAM_SERVICE_ERR; + PAM_RETURN(PAM_SERVICE_ERR); if (status == TAC_AUTHEN_STATUS_GETUSER) retval = pam_get_user(pamh, &user_msg, srvr_msg[0] != '\0' ? srvr_msg : NULL); else if (status == TAC_AUTHEN_STATUS_GETPASS) retval = pam_get_pass(pamh, &user_msg, srvr_msg[0] != '\0' ? srvr_msg : - "Password:", options | echo); + "Password:", &options); free(srvr_msg); if (retval != PAM_SUCCESS) { /* XXX - send a TACACS+ abort packet */ tac_close(tach); - return retval; + PAM_RETURN(retval); } if (set_msg(tach, user_msg) == -1) - return PAM_SERVICE_ERR; + PAM_RETURN(PAM_SERVICE_ERR); break; case TAC_AUTHEN_STATUS_GETDATA: if ((srvr_msg = get_msg(tach)) == NULL) - return PAM_SERVICE_ERR; + PAM_RETURN(PAM_SERVICE_ERR); retval = pam_prompt(pamh, - (options|echo) & PAM_OPT_ECHO_PASS ? - PAM_PROMPT_ECHO_ON : PAM_PROMPT_ECHO_OFF, + pam_test_option(&options, PAM_OPT_ECHO_PASS, NULL) + ? PAM_PROMPT_ECHO_ON : PAM_PROMPT_ECHO_OFF, srvr_msg[0] != '\0' ? srvr_msg : "Data:", &data_msg); free(srvr_msg); if (retval != PAM_SUCCESS) { /* XXX - send a TACACS+ abort packet */ tac_close(tach); - return retval; + PAM_RETURN(retval); } retval = set_msg(tach, data_msg); memset(data_msg, 0, strlen(data_msg)); free(data_msg); if (retval == -1) - return PAM_SERVICE_ERR; + PAM_RETURN(PAM_SERVICE_ERR); break; case TAC_AUTHEN_STATUS_ERROR: 
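Review bot: `pam_set_item(pamh, PAM_USER, template_user)` discards its return value; if the item cannot be set, the case still reaches `PAM_RETURN(PAM_SUCCESS)` with PAM_USER naming an account that getpwnam() just reported as absent, and the application then builds a session for it. Checking it, `retval = pam_set_item(pamh, PAM_USER, template_user); if (retval != PAM_SUCCESS) PAM_RETURN(retval);`, keeps the result honest, and a `getpwnam(template_user)` before the substitution would confirm the template account itself resolves locally, which nothing here verifies. The start of the PASS case is in the preceding hunk, so whether tac_close() runs on that path is not visible from here.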
@@ -231,11 +252,12 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, syslog(LOG_CRIT, "tac_send_authen:" " server detected error: %s", srvr_msg); free(srvr_msg); - } else + } + else syslog(LOG_CRIT, "tac_send_authen: server detected error"); tac_close(tach); - return PAM_AUTHINFO_UNAVAIL; + PAM_RETURN(PAM_AUTHINFO_UNAVAIL); break; case TAC_AUTHEN_STATUS_RESTART: @@ -244,7 +266,7 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, syslog(LOG_CRIT, "tac_send_authen: unexpected status %#x", status); tac_close(tach); - return PAM_AUTHINFO_UNAVAIL; + PAM_RETURN(PAM_AUTHINFO_UNAVAIL); } } } diff --git a/lib/libpam/modules/pam_unix/Makefile b/lib/libpam/modules/pam_unix/Makefile index 048fade..b2d928c 100644 --- a/lib/libpam/modules/pam_unix/Makefile +++ b/lib/libpam/modules/pam_unix/Makefile @@ -29,5 +29,6 @@ SHLIB_NAME= pam_unix.so SRCS= pam_unix.c DPADD= ${LIBUTIL} ${LIBCRYPT} LDADD= -lutil -lcrypt +MAN= pam_unix.8 .include diff --git a/lib/libpam/modules/pam_unix/pam_unix.8 b/lib/libpam/modules/pam_unix/pam_unix.8 new file mode 100644 index 0000000..ad4323c --- /dev/null +++ b/lib/libpam/modules/pam_unix/pam_unix.8 
@@ -0,0 +1,148 @@
+.\" Copyright (c) 2001 Mark R V Murray
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $FreeBSD$
+.\"
+.Dd July 7, 2001
+.Dt PAM_UNIX 8
+.Os
+.Sh NAME
+.Nm pam_unix
+.Nd UNIX PAM module
+.Sh SYNOPSIS
+.Op Ar service-name
+.Ar module-type
+.Ar control-flag
+.Pa pam_unix
+.Op Ar options
+.Sh DESCRIPTION
+The
+.Ux
+authentication service module for PAM,
+.Nm
+provides functionality for two PAM categories:
+authentication
+and account management.
+In terms of the
+.Ar module-type
+parameter, they are the
+.Dv auth
+and
+.Dv account
+features.
+It also provides a null function for session management.
+.Ss Ux Authentication Module
+The
+.Ux
+authentication component
+provides functions to verify the identity of a user
+.Pq Fn pam_sm_authenticate ,
+which obtains the relevant
+.Xr passwd 5
+entry.
+It prompts the user for a password
+and verifies that this is correct with
+.Xr crypt 3 .
+.Pp
+The following options may be passed to the authentication module:
+.Bl -tag -xwidth ".Cm use_first_pass"
+.It Cm debug
+.Xr syslog 3
+debugging information at
+.Dv LOG_DEBUG
+level.
+.It Cm use_first_pass
+If the authentication module
+is not the first in the stack,
+and a previous module
+obtained the user's password,
+that password is used
+to authenticate the user.
+If this fails,
+the authentication module returns failure
+without prompting the user for a password.
+This option has no effect
+if the authentication module
+is the first in the stack,
+or if no previous modules
+obtained the user's password.
+.It Cm try_first_pass
+This option is similar to the
+.Cm use_first_pass
+option,
+except that if the previously obtained password fails,
+the user is prompted for another password.
+.It Cm auth_as_self
+This option will require the user
+to authenticate themself as the user
+given by
+.Fn getuid 2 ,
+not as the account they are attempting to access.
+This is primarily for services like
+.Xr su 1 ,
+where the user's ability to retype
+their own password
+might be deemed sufficient.
+.It Cm nullok
+If the password database
+has no password
+for the entity being authenticated,
+then this option
+will forgo password prompting,
+and silently allow authentication to succeed.
+.El
+.Ss Ux Account Management Module
+The
+.Ux
+account management component
+provides a function to perform account management,
+.Fn pam_sm_acct_mgmt .
+The function verifies
+that the authenticated user
+is allowed to login to the local user account
+by checking the password expiry date.
+.Pp
+The following options may be passed to the management module:
+.Bl -tag -xwidth ".Cm use_first_pass"
+.It Cm debug
+.Xr syslog 3
+debugging information at
+.Dv LOG_DEBUG
+level.
+.El
+.Sh FILES
+.Bl -tag -xwidth ".Pa /etc/master.passwd" -compact
+.It Pa /etc/master.passwd
+default
+.Ux
+password database.
+.El
+.Sh SEE ALSO
+.Xr passwd 1 ,
+.Xr getuid 2 ,
+.Xr crypt 3 ,
+.Xr passwd 5 ,
+.Xr syslog 3 ,
+.Xr pam.conf 5 ,
+.Xr pam 8
diff --git a/lib/libpam/modules/pam_unix/pam_unix.c b/lib/libpam/modules/pam_unix/pam_unix.c
index cc97ad9..61c462c 100644
--- a/lib/libpam/modules/pam_unix/pam_unix.c
+++ b/lib/libpam/modules/pam_unix/pam_unix.c
@@ -42,64 +42,96 @@ #include "pam_mod_misc.h" #define PASSWORD_PROMPT "Password:" +#define DEFAULT_WARN (2L * 7L * 86400L) /* Two weeks */ + +enum { PAM_OPT_AUTH_AS_SELF=PAM_OPT_STD_MAX, PAM_OPT_NULLOK }; + +static struct opttab other_options[] = { + { "auth_as_self", PAM_OPT_AUTH_AS_SELF }, + { "nullok", PAM_OPT_NULLOK }, + { NULL, 0 } +}; /* * authentication management */ PAM_EXTERN int -pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, - const char **argv) +pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv) { - int retval; - const char *user; - const char *password; + struct options options; struct passwd *pwd; + int retval; + const char *password, *user; char *encrypted; - int options; - int i; - options = 0; - for (i = 0; i < argc; i++) - pam_std_option(&options, argv[i]); - if (options & PAM_OPT_AUTH_AS_SELF) + pam_std_option(&options, other_options, argc, argv); + + PAM_LOG("Options processed"); + + if (pam_test_option(&options, PAM_OPT_AUTH_AS_SELF, NULL)) pwd = getpwuid(getuid()); else { - if ((retval = pam_get_user(pamh, &user, NULL)) != PAM_SUCCESS) - return retval; + retval = pam_get_user(pamh, &user, NULL); + if (retval != PAM_SUCCESS) + PAM_RETURN(retval); pwd = getpwnam(user); } + + PAM_LOG("Got user: %s", user); + if (pwd != NULL) { - if (pwd->pw_passwd[0] == '\0' && (options & PAM_OPT_NULLOK)) + + PAM_LOG("Doing real authentication"); + + if (pwd->pw_passwd[0] == '\0' + && pam_test_option(&options, PAM_OPT_NULLOK, NULL)) { /* * No password case. XXX Are we giving too much away * by not prompting for a password? 
*/ - return PAM_SUCCESS; + PAM_LOG("No password, and null password OK"); + PAM_RETURN(PAM_SUCCESS); + } else { - if ((retval = pam_get_pass(pamh, &password, - PASSWORD_PROMPT, options)) != PAM_SUCCESS) - return retval; + retval = pam_get_pass(pamh, &password, PASSWORD_PROMPT, + &options); + if (retval != PAM_SUCCESS) + PAM_RETURN(retval); + PAM_LOG("Got password"); } encrypted = crypt(password, pwd->pw_passwd); if (password[0] == '\0' && pwd->pw_passwd[0] != '\0') encrypted = ":"; + PAM_LOG("Encrypted passwords are: %s & %s", encrypted, + pwd->pw_passwd); + retval = strcmp(encrypted, pwd->pw_passwd) == 0 ? PAM_SUCCESS : PAM_AUTH_ERR; - } else { + } + else { + + PAM_LOG("Doing dummy authentication"); + /* - * User unknown. Encrypt anyway so that it takes the - * same amount of time. + * User unknown. + * Encrypt a dummy password so as to not give away too much. */ + retval = pam_get_pass(pamh, &password, PASSWORD_PROMPT, + &options); + if (retval != PAM_SUCCESS) + PAM_RETURN(retval); + PAM_LOG("Got password"); crypt(password, "xx"); retval = PAM_AUTH_ERR; } + /* * The PAM infrastructure will obliterate the cleartext * password before returning to the application. */ - return retval; + PAM_RETURN(retval); } PAM_EXTERN int 
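Review bot: `PAM_LOG("Got user: %s", user)` reads `user` on the auth_as_self path, where nothing assigns it (that branch only calls getpwuid(getuid())), so with `debug` set the log call dereferences an indeterminate pointer; initialise it (`const char *password, *user = NULL;`) and either skip the line when it is NULL or log `pwd->pw_name` inside the `pwd != NULL` branch. `PAM_LOG("Encrypted passwords are: %s & %s", encrypted, pwd->pw_passwd)` writes the stored hash and the hash of whatever was typed to syslog whenever debug is on, moving material that master.passwd's permissions protect into a log that is commonly readable by more users or forwarded off-host; logging only the outcome after `retval` is computed (`PAM_LOG("Password %s", retval == PAM_SUCCESS ? "matched" : "did not match")`) keeps the debugging value without the disclosure. crypt() can also return NULL for a setting it does not support, and the unchanged `strcmp(encrypted, pwd->pw_passwd)` would then crash; a NULL check yielding PAM_AUTH_ERR belongs before the comparison.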
@@ -114,24 +146,31 @@ pam_sm_setcred(pam_handle_t *pamh, int flags, int argc, const char **argv) * check pw_change and pw_expire fields */ PAM_EXTERN -int pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, - int argc, const char **argv) +int pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, int argc, const char **argv) { - const char *user; + struct options options; struct passwd *pw; struct timeval tp; + login_cap_t *lc; time_t warntime; - login_cap_t *lc = NULL; - char buf[128]; int retval; + const char *user; + char buf[128]; + + pam_std_option(&options, other_options, argc, argv); + + PAM_LOG("Options processed"); retval = pam_get_item(pamh, PAM_USER, (const void **)&user); if (retval != PAM_SUCCESS || user == NULL) /* some implementations return PAM_SUCCESS here */ - return PAM_USER_UNKNOWN; + PAM_RETURN(PAM_USER_UNKNOWN); - if ((pw = getpwnam(user)) == NULL) - return PAM_USER_UNKNOWN; + pw = getpwnam(user); + if (pw == NULL) + PAM_RETURN(PAM_USER_UNKNOWN); + + PAM_LOG("Got user: %s", user); retval = PAM_SUCCESS; lc = login_getpwclass(pw); @@ -139,11 +178,11 @@ int pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, if (pw->pw_change || pw->pw_expire) gettimeofday(&tp, NULL); -#define DEFAULT_WARN (2L * 7L * 86400L) /* Two weeks */ - warntime = login_getcaptime(lc, "warnpassword", DEFAULT_WARN, DEFAULT_WARN); + PAM_LOG("Got login_cap"); + if (pw->pw_change) { if (tp.tv_sec >= pw->pw_change) /* some implementations return PAM_AUTHTOK_EXPIRED */ @@ -171,7 +210,8 @@ int pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, } login_close(lc); - return retval; + + PAM_RETURN(retval); } PAM_MODULE_ENTRY("pam_unix"); diff --git a/lib/libpam/modules/pam_wheel/Makefile b/lib/libpam/modules/pam_wheel/Makefile index d211df6..b889a18 100644 --- a/lib/libpam/modules/pam_wheel/Makefile +++ b/lib/libpam/modules/pam_wheel/Makefile @@ -27,7 +27,6 @@ LIB= pam_wheel SHLIB_NAME= pam_wheel.so SRCS= pam_wheel.c +MAN= pam_wheel.8 .include - -.PATH: ${PAMDIR}/modules/pam_wheel 
diff --git a/lib/libpam/modules/pam_wheel/pam_wheel.8 b/lib/libpam/modules/pam_wheel/pam_wheel.8
new file mode 100644
index 0000000..c493f89
--- /dev/null
+++ b/lib/libpam/modules/pam_wheel/pam_wheel.8
@@ -0,0 +1,94 @@
+.\" Copyright (c) 2001 Mark R V Murray
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $FreeBSD$
+.\"
+.Dd July 8, 2001
+.Dt PAM_WHEEL 8
+.Os
+.Sh NAME
+.Nm pam_wheel
+.Nd Wheel PAM module
+.Sh SYNOPSIS
+.Op Ar service-name
+.Ar module-type
+.Ar control-flag
+.Pa pam_wheel
+.Op Ar options
+.Sh DESCRIPTION
+The Wheel authentication service module for PAM,
+.Nm
+provides functionality for only one PAM category:
+authentication.
+In terms of the
+.Ar module-type
+parameter, this is the
+.Dv auth
+feature.
+It also provides a null function for session management.
+.Ss Wheel Authentication Module
+The Wheel authentication component
+.Pq Fn pam_sm_authenticate ,
+permit authentication to members of a group,
+which defaults to
+.Dv wheel.
+.Em ie,
+if
+.Xr getuid 2
+returns 0.
+.Pp
+The following options may be passed to the authentication module:
+.Bl -tag -xwidth ".Cm use_first_pass"
+.It Cm debug
+.Xr syslog 3
+debugging information at
+.Dv LOG_DEBUG
+level.
+.It Cm use_uid
+check for wheel membership against
+the current uid
+.Pq given by Fn getuid .
+.It Cm trust
+return
+.Dv PAM_SUCCESS
+instead of
+.Dv PAM_IGNORE
+if the user is a member of the group (default is
+.Dv wheel ).
+.It Cm deny
+invert the operation
+if is a member of the
+.Pq default Dv wheel )
+group.
+.Pq return failure instead of success.
+mainly of use with the ``group=foo'' option.
+.It Cm group=foo
+checking for membership of group ``foo''
+instead of the default group
+.Dv wheel.
+.El
+.Sh SEE ALSO
+.Xr group 5 ,
+.Xr pam.conf 5 ,
+.Xr pam 8
diff --git a/lib/libpam/modules/pam_wheel/pam_wheel.c b/lib/libpam/modules/pam_wheel/pam_wheel.c
new file mode 100644
index 0000000..e5005e3
--- /dev/null
+++ b/lib/libpam/modules/pam_wheel/pam_wheel.c
@@ -0,0 +1,145 @@
+/*-
+ * Copyright (c) 2001 Mark R V Murray
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $FreeBSD$
+ */
+
+#define _BSD_SOURCE
+
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+
+#define PAM_SM_AUTH
+#include
+#include
+
+enum { PAM_OPT_DENY=PAM_OPT_STD_MAX, PAM_OPT_GROUP, PAM_OPT_TRUST,
+ PAM_OPT_USE_UID };
+
+static struct opttab other_options[] = {
+ { "deny", PAM_OPT_DENY },
+ { "group", PAM_OPT_GROUP },
+ { "trust", PAM_OPT_TRUST },
+ { "use_uid", PAM_OPT_USE_UID },
+ { NULL, 0 }
+};
+
+/* Is member in list?
*/
+static int
+in_list(char *const *list, const char *member)
+{
+ for (; *list; list++)
+ if (strcmp(*list, member) == 0)
+ return 1;
+ return 0;
+}
+
+PAM_EXTERN int
+pam_sm_authenticate(pam_handle_t * pamh, int flags, int argc, const char **argv)
+{
+ struct options options;
+ struct passwd *pwd, *temppwd;
+ struct group *grp;
+ int retval;
+ const char *user;
+ char *fromsu, *use_group;
+
+ pam_std_option(&options, other_options, argc, argv);
+
+ PAM_LOG("Options processed");
+
+ retval = pam_get_user(pamh, &user, NULL);
+ if (retval != PAM_SUCCESS)
+ PAM_RETURN(retval);
+
+ pwd = getpwnam(user);
+ if (!pwd)
+ PAM_RETURN(PAM_USER_UNKNOWN);
+
+ PAM_LOG("Got user: %s", user);
+
+ /* Ignore if already uid 0 */
+ if (pwd->pw_uid)
+ PAM_RETURN(PAM_IGNORE);
+
+ PAM_LOG("Not superuser");
+
+ if (pam_test_option(&options, PAM_OPT_USE_UID, NULL)) {
+ temppwd = getpwuid(getuid());
+ if (temppwd == NULL)
+ PAM_RETURN(PAM_SERVICE_ERR);
+ fromsu = temppwd->pw_name;
+ }
+ else {
+ fromsu = getlogin();
+ if (!fromsu)
+ PAM_RETURN(PAM_SERVICE_ERR);
+ }
+
+ PAM_LOG("Got fromsu: %s", fromsu);
+
+ if (!pam_test_option(&options, PAM_OPT_GROUP, &use_group)) {
+ if ((grp = getgrnam("wheel")) == NULL)
+ grp = getgrgid(0);
+ }
+ else
+ grp = getgrnam(use_group);
+
+ if (grp == NULL || grp->gr_mem == NULL) {
+ if (pam_test_option(&options, PAM_OPT_DENY, NULL))
+ PAM_RETURN(PAM_IGNORE);
+ else
+ PAM_RETURN(PAM_AUTH_ERR);
+ }
+
+ PAM_LOG("Got group: %s", grp->gr_name);
+
+ if (in_list(grp->gr_mem, fromsu)) {
+ if (pam_test_option(&options, PAM_OPT_DENY, NULL))
+ PAM_RETURN(PAM_PERM_DENIED);
+ if (pam_test_option(&options, PAM_OPT_TRUST, NULL))
+ PAM_RETURN(PAM_SUCCESS);
+ PAM_RETURN(PAM_IGNORE);
+ }
+
+ if (pam_test_option(&options, PAM_OPT_DENY, NULL))
+ PAM_RETURN(PAM_SUCCESS);
+
+ PAM_RETURN(PAM_PERM_DENIED);
+}
+
+PAM_EXTERN int
+pam_sm_setcred(pam_handle_t * pamh, int flags, int argc, const char **argv)
+{
+ return PAM_SUCCESS;
+}
+
+PAM_MODULE_ENTRY("pam_wheel");
-- 
cgit v1.1
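Review bot: The `deny` handling at the end of pam_sm_authenticate is not the inverse of the normal path: a member of the group gets PAM_IGNORE unless `trust` is also given, but with `deny` a non-member gets PAM_SUCCESS outright, so as a `sufficient` entry `deny` on its own authenticates every non-member without any password check having run. Letting `trust` govern both directions, `if (pam_test_option(&options, PAM_OPT_DENY, NULL)) PAM_RETURN(pam_test_option(&options, PAM_OPT_TRUST, NULL) ? PAM_SUCCESS : PAM_IGNORE);`, makes the option the plain inversion the man page describes. Membership is also tested only against gr_mem, so a user whose primary gid is the group's gid but who is not listed in group(5) counts as a non-member; in the use_uid branch `temppwd->pw_gid == grp->gr_gid` is available to cover that case. The comment `/* Ignore if already uid 0 */` states the opposite of the test under it, which ignores every target account except uid 0; `/* Only enforce when the target account is uid 0 */` matches the code.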