diff options
author | Seraphim Mellos <mellos@ceid.upatras.gr> | 2008-06-12 12:52:18 +0300 |
---|---|---|
committer | Seraphim Mellos <mellos@ceid.upatras.gr> | 2008-06-12 12:52:18 +0300 |
commit | dd4fb86dfa472c40f13c077c5a457b60106f4264 (patch) | |
tree | 29645a459afb1db1b000ad54fbc71d2d2fbd4198 | |
parent | Continued work on pam_sm_acct_mgmt (diff) | |
download | openpam-modules-dd4fb86dfa472c40f13c077c5a457b60106f4264.tar.gz openpam-modules-dd4fb86dfa472c40f13c077c5a457b60106f4264.tar.bz2 openpam-modules-dd4fb86dfa472c40f13c077c5a457b60106f4264.zip |
Added pam_mod_misc.h as a test
-rwxr-xr-x | include/pam_mod_misc.h | 33 | ||||
-rwxr-xr-x | include/pam_mod_misc.h~ | 56 | ||||
-rw-r--r-- | src/pam_unix/pam_unix.c~ | 226 | ||||
-rw-r--r-- | src/pam_unix/pam_unix.o | bin | 0 -> 5188 bytes | |||
-rwxr-xr-x | src/pam_unix/pam_unix.so.1 | bin | 0 -> 9153 bytes |
5 files changed, 315 insertions, 0 deletions
diff --git a/include/pam_mod_misc.h b/include/pam_mod_misc.h new file mode 100755 index 0000000..b1609fc --- /dev/null +++ b/include/pam_mod_misc.h @@ -0,0 +1,33 @@ +#ifndef PAM_MOD_MISC_H +#define PAM_MOD_MISC_H + +/* + * All of this file has been taken from freebsd-lib and has been slightly + * modified to avoid any problems when used on Linux machines. It provides + * an easier logging interface and some additional options for OpenPAM. + */ + +#ifndef __linux__ +# include <sys/cdefs.h> +#endif + + +/* + * Common option names + */ +#define PAM_OPT_NULLOK "nullok" +#define PAM_OPT_AUTH_AS_SELF "auth_as_self" +#define PAM_OPT_ECHO_PASS "echo_pass" +#define PAM_OPT_DEBUG "debug" + + +#define PAM_LOG(...) \ + openpam_log(PAM_LOG_DEBUG, __VA_ARGS__) + +#define PAM_RETURN(arg) \ + return (arg) + +#define PAM_VERBOSE_ERROR(...) \ + _pam_verbose_error(pamh, flags, __FILE__, __FUNCTION__, __VA_ARGS__) + +#endif diff --git a/include/pam_mod_misc.h~ b/include/pam_mod_misc.h~ new file mode 100755 index 0000000..7576989 --- /dev/null +++ b/include/pam_mod_misc.h~ @@ -0,0 +1,56 @@ +/*- + * Copyright 1998 Juniper Networks, Inc. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * + * $FreeBSD: src/lib/libpam/libpam/security/pam_mod_misc.h,v 1.12 2003/05/31 16:56:35 des Exp $ + */ + +#ifndef PAM_MOD_MISC_H +#define PAM_MOD_MISC_H + +#include <sys/cdefs.h> + +/* + * Common option names + */ +#define PAM_OPT_NULLOK "nullok" +#define PAM_OPT_AUTH_AS_SELF "auth_as_self" +#define PAM_OPT_ECHO_PASS "echo_pass" +#define PAM_OPT_DEBUG "debug" + +__BEGIN_DECLS +void _pam_verbose_error(pam_handle_t *, int, const char *, + const char *, const char *, ...); +__END_DECLS + +#define PAM_LOG(...) \ + openpam_log(PAM_LOG_DEBUG, __VA_ARGS__) + +#define PAM_RETURN(arg) \ + return (arg) + +#define PAM_VERBOSE_ERROR(...) \ + _pam_verbose_error(pamh, flags, __FILE__, __FUNCTION__, __VA_ARGS__) + +#endif diff --git a/src/pam_unix/pam_unix.c~ b/src/pam_unix/pam_unix.c~ new file mode 100644 index 0000000..598ab02 --- /dev/null +++ b/src/pam_unix/pam_unix.c~ @@ -0,0 +1,226 @@ + +/* #include <pwd.h> */ +#include <netdb.h> +#include <shadow.h> +#include <sys/types.h> +#include <unistd.h> + +#define PAM_OPT_NULLOK "nullok" +#define PAM_OPT_AUTH_AS_SELF "auth_as_self" +#define PAM_OPT_ECHO_PASS "echo_pass" +#define PAM_OPT_DEBUG "debug" + + + +#ifndef MAXHOSTNAMELEN +# define MAXHOSTNAMELEN 256 +#endif + + +#ifndef __linux__ +#include <login_cap.h> +#endif + +#include <security/pam_modules.h> +#include <security/pam_appl.h> + + + +PAM_EXTERN int +pam_sm_authenticate(pam_handle_t *pamh, int flags, + int argc , const char **argv ) { + +#ifndef __linux__ + login_cap_t *lc; +#endif + struct spwd *pwd; + const char *pass, *crypt_pass, *user; + int pam_err; + + /* identify user */ + + if (openpam_get_option(pamh, PAM_OPT_AUTH_AS_SELF)) { + pwd = getspnam(getlogin()); + } else { + if ((pam_err = pam_get_user(pamh, &user, NULL)) != PAM_SUCCESS) + return (pam_err); + + pwd = getspnam(user); + } + + /* get password */ + + if (pwd != NULL) { + pass = pwd->sp_pwdp; + if (pass[0] == '\0') { + if (!(flags & PAM_DISALLOW_NULL_AUTHTOK) && + openpam_get_option(pamh, PAM_OPT_NULLOK)) + return (PAM_SUCCESS); + + pass = "*"; + } +#ifndef __linux__ + lc = login_getpwclass(pwd); +#endif + } else { + pass = "*"; +#ifndef __linux__ + lc = login_getpwclass(NULL); +#endif + } + +#ifndef __linux__ + prompt = login_getcapstr(lc, "passwd_prompt", NULL, NULL); + pam_err = pam_get_authtok(pamh, PAM_AUTHTOK, &pass, prompt); + login_close(lc); +#else + pam_err = pam_get_authtok(pamh, PAM_AUTHTOK, (const char **) &pass, NULL); +#endif + + if (pam_err == PAM_CONV_ERR) + return (pam_err); + if (pam_err != PAM_SUCCESS) + return (PAM_AUTH_ERR); + + /* check shadow */ + + crypt_pass = crypt(pass, pwd->sp_pwdp); + if ( strcmp(crypt_pass, pwd->sp_pwdp) != 0 ) + pam_err = PAM_AUTH_ERR; + else + pam_err = PAM_SUCCESS; + + return (pam_err); +} + +PAM_EXTERN int +pam_sm_setcred(pam_handle_t *pamh , int flags , + int argc , const char *argv[] ) { + + /* + * This functions takes care of renewing/initializing + * user credentials as well as gid/uids. Someday, it + * will be completed. For now, it's not very urgent. + */ + + return (PAM_SUCCESS); +} + + +PAM_EXTERN int +pam_sm_acct_mgmt(pam_handle_t *pamh, int flags , + int argc , const char *argv[] ) { + + + +#ifndef __linux__ + login_cap_t *lc; +#endif + + struct spwd *pwd; + int pam_err; + const char *user; + time_t curtime; + +#ifndef __linux__ + const void *rhost, *tty; + char rhostip[MAXHOSTNAMELEN] = ""; +#endif + + /* Sanity checks for uname,pwd,tty,host etc */ + + pam_err = pam_get_user(pamh, &user, NULL); + + if (pam_err != PAM_SUCCESS) + return (pam_err); + + if (user == NULL || (pwd = getspnam(user)) == NULL) + return (PAM_SERVICE_ERR); +#ifndef __linux__ + + /* + * tty/host info are provided by login classes + * and cannot be used out of the box under Linux + * for sanity checking (BSD only). May need to + * be ported/rewritten to work on Linux as well. + * Time will tell... + */ + pam_err = pam_get_item(pamh, PAM_RHOST, &rhost); + + if (pam_err != PAM_SUCCESS) + return (pam_err); + + pam_err = pam_get_item(pamh, PAM_TTY, &tty); + + if (pam_err != PAM_SUCCESS) + return (pam_err); +#endif + if (*pwd->sp_pwdp == '\0' && + (flags & PAM_DISALLOW_NULL_AUTHTOK) != 0) + return (PAM_NEW_AUTHTOK_REQD); + +#ifndef __linux__ + lc = login_getpwclass(pwd); + + if (lc == NULL) { + return (PAM_SERVICE_ERR); + + } +#endif + /* Check if pw_lstchg or pw_expire is set */ + + if (pwd->sp_lstchg || pwd->sp_expire) + curtime = time(NULL) / (60 * 60 * 24); + if (pwd->sp_expire) { + if ( (curtime > pwd->sp_expire ) && ( pwd->sp_expire != -1 ) ) { +#ifndef __linux__ + login_close(lc); +#endif + return (PAM_ACCT_EXPIRED); + } else if ( ( pwd->sp_expire - curtime < pwd->sp_warn) ) { +// pam_error(pamh, "Warning: your account expires on %s", +// ctime(&pwd->pw_expire)); + } + } + + if (pwd->sp_lstchg == 0 ) { + return (PAM_NEW_AUTHTOK_REQD) + } + + /* check all other possibilities (mostly stolen from pam_tcb) */ + + if ((curtime > (pwd->sp_lstchg + pwd->sp_max + pwd->sp_inact)) && + (pwd->sp_max != -1) && (pwd->sp_inact != -1) && + (pwd->sp_lstchg != 0)) + return (PAM_ACCT_EXPIRED); + + if (((pwd->sp_lstchg + pwd->sp_max) < curtime) && + (pwd->sp_max != -1)) + return (PAM_ACCT_EXPIRED); + + if ((curtime - pwd->sp_lstchg > pwd->sp_max) + && (curtime - pwd->sp_lstchg > pwd->sp_inact) + && (curtime - pwd->sp_lstchg > pwd->sp_max + pwd->sp_inact) + && (pwd->sp_max != -1) && (pwd->sp_inact != -1)) + return (PAM_ACCT_EXPIRED); + + pam_err = (PAM_SUCCESS); + +#ifndef __linux__ + + /* validate tty/host/time */ + + if (!auth_hostok(lc, rhost, rhostip) || + !auth_ttyok(lc, tty) || + !auth_timeok(lc, time(NULL))) + pam_err = PAM_AUTH_ERR; + + + login_close(lc); +#endif + + return (pam_err); + +} + + diff --git a/src/pam_unix/pam_unix.o b/src/pam_unix/pam_unix.o Binary files differnew file mode 100644 index 0000000..15ea754 --- /dev/null +++ b/src/pam_unix/pam_unix.o diff --git a/src/pam_unix/pam_unix.so.1 b/src/pam_unix/pam_unix.so.1 Binary files differnew file mode 100755 index 0000000..7d4bc44 --- /dev/null +++ b/src/pam_unix/pam_unix.so.1 |