From 1324e3deb9c9197e7d69099fb8758c7d54d0f5be Mon Sep 17 00:00:00 2001 From: ru Date: Thu, 12 Oct 2000 07:18:20 +0000 Subject: Removed broken PAM support from rshd(8) and rlogind(8). rshd does not allocate a pty(4) so it is not suitable at all for interactive PAM modules. rlogind calls login(1) which is already PAM enabled. Approved by: markm --- libexec/rlogind/Makefile | 8 --- libexec/rlogind/auth_pam.c | 142 --------------------------------------------- libexec/rlogind/rlogind.c | 24 -------- libexec/rshd/Makefile | 11 +--- libexec/rshd/rshd.c | 18 ------ 5 files changed, 1 insertion(+), 202 deletions(-) delete mode 100644 libexec/rlogind/auth_pam.c (limited to 'libexec') diff --git a/libexec/rlogind/Makefile b/libexec/rlogind/Makefile index f22df18..5cb2e96 100644 --- a/libexec/rlogind/Makefile +++ b/libexec/rlogind/Makefile @@ -8,12 +8,4 @@ DPADD= ${LIBUTIL} LDADD= -lutil CFLAGS+= -Wall -DINET6 -.if defined(NOPAM) -CFLAGS+= -DNO_PAM -.else -SRCS+= auth_pam.c -DPADD+= ${LIBPAM} -LDADD+= ${MINUSLPAM} -.endif - .include diff --git a/libexec/rlogind/auth_pam.c b/libexec/rlogind/auth_pam.c deleted file mode 100644 index e452107..0000000 --- a/libexec/rlogind/auth_pam.c +++ /dev/null @@ -1,142 +0,0 @@ -/*- - * Copyright (c) 1999 John Polstra - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - * - * $FreeBSD$ - */ - -#include -#include -#include -#include -#include -#include -#include -#include -#include - -/* - * Attempt to authenticate the user using PAM. Returns 0 if the user is - * authenticated, or 1 if not authenticated. If some sort of PAM system - * error occurs (e.g., the "/etc/pam.conf" file is missing) then this - * function returns -1. This can be used as an indication that we should - * fall back to a different authentication mechanism. - */ - -int -auth_pam(char *username) -{ - struct passwd *pawd; - pam_handle_t *pamh = NULL; - const char *tmpl_user; - const void *item; - int rval; - char *tty, *ttyn; - char hostname[MAXHOSTNAMELEN]; - char tname[sizeof(_PATH_TTY) + 10]; - int e; - - static struct pam_conv conv = { misc_conv, NULL }; - - ttyn = ttyname(STDIN_FILENO); - - if (ttyn == NULL || *ttyn == '\0') { - (void)snprintf(tname, sizeof(tname), "%s??", _PATH_TTY); - ttyn = tname; - } - if ((tty = strrchr(ttyn, '/')) != NULL) - ++tty; - else - tty = ttyn; - - rval = gethostname(hostname, sizeof(hostname)); - - if (rval < 0) { - syslog(LOG_ERR, "auth_pam: Failed to resolve local hostname"); - return -1; - } - if ((e = pam_start("rshd", username, &conv, &pamh)) != PAM_SUCCESS) { - syslog(LOG_ERR, "pam_start: %s", pam_strerror(pamh, e)); - return -1; - } - if ((e = pam_set_item(pamh, PAM_TTY, tty)) != PAM_SUCCESS) { - syslog(LOG_ERR, "pam_set_item(PAM_TTY): %s", - pam_strerror(pamh, e)); - return -1; - } - if (hostname != NULL && - (e = pam_set_item(pamh,PAM_RHOST, hostname)) != PAM_SUCCESS) { - syslog(LOG_ERR, "pam_set_item(PAM_RHOST): %s", - pam_strerror(pamh, e)); - return -1; - } - - e = pam_authenticate(pamh, 0); - - switch (e) { - case PAM_SUCCESS: - /* - * With PAM we support the concept of a "template" - * user. The user enters a login name which is - * authenticated by PAM, usually via a remote service - * such as RADIUS or TACACS+. If authentication - * succeeds, a different but related "template" name - * is used for setting the credentials, shell, and - * home directory. The name the user enters need only - * exist on the remote authentication server, but the - * template name must be present in the local password - * database. - * - * This is supported by two various mechanisms in the - * individual modules. However, from the application's - * point of view, the template user is always passed - * back as a changed value of the PAM_USER item. - */ - if ((e = pam_get_item(pamh, PAM_USER, &item)) == - PAM_SUCCESS) { - tmpl_user = (const char *) item; - if (strcmp(username, tmpl_user) != 0) - pawd = getpwnam(tmpl_user); - } else - syslog(LOG_ERR, "Couldn't get PAM_USER: %s", pam_strerror(pamh, e)); - rval = 0; - break; - - case PAM_AUTH_ERR: - case PAM_USER_UNKNOWN: - case PAM_MAXTRIES: - rval = 1; - break; - - default: - syslog(LOG_ERR, "auth_pam: %s", pam_strerror(pamh, e)); - rval = -1; - break; - } - if ((e = pam_end(pamh, e)) != PAM_SUCCESS) { - syslog(LOG_ERR, "pam_end: %s", pam_strerror(pamh, e)); - rval = -1; - } - return rval; -} diff --git a/libexec/rlogind/rlogind.c b/libexec/rlogind/rlogind.c index eec34e7..46833a6 100644 --- a/libexec/rlogind/rlogind.c +++ b/libexec/rlogind/rlogind.c @@ -80,10 +80,6 @@ static const char rcsid[] = #include #include "pathnames.h" -#ifndef NO_PAM -#include -#include -#endif #ifndef TIOCPKT_WINDOW #define TIOCPKT_WINDOW 0x80 @@ -131,9 +127,6 @@ void setup_term __P((int)); int do_krb_login __P((struct sockaddr_in *)); void usage __P((void)); -#ifndef NO_PAM -extern int auth_pam __P((char *)); -#endif int main(argc, argv) @@ -570,28 +563,11 @@ int do_rlogin(dest) union sockunion *dest; { -#ifndef NO_PAM - int retval; -#endif getstr(rusername, sizeof(rusername), "remuser too long"); getstr(lusername, sizeof(lusername), "locuser too long"); getstr(term+ENVSIZE, sizeof(term)-ENVSIZE, "Terminal type too long"); -#ifndef NO_PAM - retval = auth_pam(lusername); - - if (retval) { - if (retval == -1) { - syslog(LOG_ERR, "PAM authentication failed"); - } - else { - syslog(LOG_ERR, - "User %s failed PAM authentication", lusername); - exit(1); - } - } -#endif pwd = getpwnam(lusername); if (pwd == NULL) return (-1); diff --git a/libexec/rshd/Makefile b/libexec/rshd/Makefile index b54f763..2e40e4f 100644 --- a/libexec/rshd/Makefile +++ b/libexec/rshd/Makefile @@ -5,14 +5,7 @@ PROG= rshd SRCS= rshd.c MAN8= rshd.8 -.if defined(NOPAM) -CFLAGS+= -DNO_PAM -.else -#CFLAGS+= -DCRYPT -DNO_PAM -SRCS+= auth_pam.c -DPADD+= ${LIBPAM} -LDADD+= ${MINUSLPAM} -.endif +#CFLAGS+= -DCRYPT # For login_cap handling CFLAGS+=-DLOGIN_CAP -Wall @@ -23,5 +16,3 @@ LDADD+= -lutil CFLAGS+= -DINET6 .include - -.PATH: ${.CURDIR}/../rlogind diff --git a/libexec/rshd/rshd.c b/libexec/rshd/rshd.c index 374d137..27f992e 100644 --- a/libexec/rshd/rshd.c +++ b/libexec/rshd/rshd.c @@ -113,9 +113,6 @@ int local_domain __P((char *)); char *topdomain __P((char *)); void usage __P((void)); -#ifndef NO_PAM -extern int auth_pam __P((char *)); -#endif #define OPTIONS "alnDL" @@ -216,7 +213,6 @@ doit(fromp) char fromhost[2 * MAXHOSTNAMELEN + 1]; char numericname[INET6_ADDRSTRLEN]; int af = fromp->su_family, err; - int retval; #ifdef CRYPT int rc; int pv1[2], pv2[2]; @@ -382,20 +378,6 @@ doit(fromp) pwd->pw_dir = "/"; } -#ifndef NO_PAM - retval = auth_pam(locuser); - - if (retval) { - if (retval == -1) { - syslog(LOG_ERR,"PAM authentication failed"); - } - else { - syslog(LOG_ERR, - "User %s failed PAM authentication", locuser); - exit(1); - } - } -#endif if (errorstr || (pwd->pw_expire && time(NULL) >= pwd->pw_expire) || -- cgit v1.1