~ubuntu-branches/ubuntu/trusty/libpam-tacplus/trusty

« back to all changes in this revision

Viewing changes to support.c

Committer: Bazaar Package Importer
Author(s): Jeroen Nijhof
Date: 2011-09-05 16:01:00 UTC
Revision ID: james.westby@ubuntu.com-20110905160100-7o4aqefbiflj4232

Tags: upstream-1.3.5

Import upstream version 1.3.5

files added:

AUTHORS

COPYING

ChangeLog

INSTALL

Makefile.am

Makefile.in

NEWS

README

aclocal.m4

config

config.h.in

config/config.guess

config/config.sub

config/depcomp

config/install-sh

config/ltmain.sh

config/missing

configure

configure.ac

libtac

libtac/include

libtac/include/cdefs.h

libtac/include/libtac.h

libtac/include/tacplus.h

libtac/lib

libtac/lib/acct_r.c

libtac/lib/acct_s.c

libtac/lib/attrib.c

libtac/lib/authen_r.c

libtac/lib/authen_s.c

libtac/lib/author_r.c

libtac/lib/author_s.c

libtac/lib/connect.c

libtac/lib/cont_s.c

libtac/lib/crypt.c

libtac/lib/hdr_check.c

libtac/lib/header.c

libtac/lib/magic.c

libtac/lib/magic.h

libtac/lib/md5.c

libtac/lib/md5.h

libtac/lib/messages.c

libtac/lib/messages.h

libtac/lib/read_wait.c

libtac/lib/version.c

libtac/lib/xalloc.c

libtac/lib/xalloc.h

pam_tacplus.c

pam_tacplus.h

pam_tacplus.spec

pam_tacplus.spec.in

sample.pam

support.c

support.h

Show diffs side-by-side

added added

removed removed

support.c

/* support.c - support functions for pam_tacplus.c

* Jeroen Nijhof <jeroen@nijhofnet.nl>

* This program is free software; you can redistribute it and/or modify

* it under the terms of the GNU General Public License as published by

* the Free Software Foundation; either version 2 of the License, or

* (at your option) any later version.

* This program is distributed in the hope that it will be useful,

* but WITHOUT ANY WARRANTY; without even the implied warranty of

* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the

* GNU General Public License for more details.

* You should have received a copy of the GNU General Public License

* along with this program - see the file COPYING.

* See `CHANGES' file for revision history.

#define PAM_SM_AUTH

#define PAM_SM_ACCOUNT

#define PAM_SM_SESSION

/* #define PAM_SM_PASSWORD */

#ifndef __linux__

#include <security/pam_appl.h>

#endif

#include <security/pam_modules.h>

#include "pam_tacplus.h"

#include "tacplus.h"

#include "libtac.h"

struct addrinfo *tac_srv[TAC_PLUS_MAXSERVERS];

int tac_srv_no = 0;

char *tac_srv_key[TAC_PLUS_MAXSERVERS];

int tac_srv_key_no = 0;

char *tac_service = NULL;

char *tac_protocol = NULL;

char *tac_prompt = NULL;

/* libtac */

extern char *tac_login;

extern int tac_encryption;

extern int tac_timeout;

#ifndef xcalloc

void *_xcalloc (size_t size) {

if (val == 0) {

syslog (LOG_ERR, "xcalloc: calloc(1,%u) failed", (unsigned) size);

exit (1);

}

return val;

}

#else

#define _xcalloc xcalloc

#endif

void _pam_log(int err, const char *format,...) {

char msg[256];

va_list args;

va_start(args, format);

vsnprintf(msg, sizeof(msg), format, args);

openlog("PAM-tacplus", LOG_PID, LOG_AUTH);

syslog(err, "%s", msg);

va_end(args);

closelog();

}

char *_pam_get_user(pam_handle_t *pamh) {

int retval;

char *user;

retval = pam_get_user(pamh, (void *)&user, "Username: ");

if (retval != PAM_SUCCESS || user == NULL || *user == '\0') {

_pam_log(LOG_ERR, "unable to obtain username");

user = NULL;

}

return user;

}

char *_pam_get_terminal(pam_handle_t *pamh) {

int retval;

char *tty;

retval = pam_get_item(pamh, PAM_TTY, (void *)&tty);

if (retval != PAM_SUCCESS || tty == NULL || *tty == '\0') {

tty = ttyname(STDIN_FILENO);

if(tty == NULL || *tty == '\0')

tty = "unknown";

}

return tty;

}

char *_pam_get_rhost(pam_handle_t *pamh) {

100

int retval;

101

char *rhost;

102

103

retval = pam_get_item(pamh, PAM_RHOST, (void *)&rhost);

104

if (retval != PAM_SUCCESS || rhost == NULL || *rhost == '\0') {

105

rhost = "unknown";

106

}

107

return rhost;

108

}

109

110

/* stolen from pam_stress */

111

int converse(pam_handle_t * pamh, int nargs

112

,struct pam_message **message

113

,struct pam_response **response) {

114

115

int retval;

116

struct pam_conv *conv;

117

118

if ((retval = pam_get_item (pamh, PAM_CONV, (void *)&conv)) == PAM_SUCCESS) {

119

#if (defined(__linux__) || defined(__NetBSD__))

120

retval = conv->conv (nargs, (const struct pam_message **) message,

121

#else

122

retval = conv->conv (nargs, (struct pam_message **) message,

123

#endif

124

response, conv->appdata_ptr);

125

if (retval != PAM_SUCCESS) {

126

_pam_log(LOG_ERR, "(pam_tacplus) converse returned %d", retval);

127

_pam_log(LOG_ERR, "that is: %s", pam_strerror (pamh, retval));

128

}

129

} else {

130

_pam_log (LOG_ERR, "(pam_tacplus) converse failed to get pam_conv");

131

}

132

133

return retval;

134

}

135

136

/* stolen from pam_stress */

137

int tacacs_get_password (pam_handle_t * pamh, int flags

138

,int ctrl, char **password) {

139

140

char *pass = NULL;

141

struct pam_message msg[1], *pmsg[1];

142

struct pam_response *resp;

143

int retval;

144

145

if (ctrl & PAM_TAC_DEBUG)

146

syslog (LOG_DEBUG, "%s: called", __FUNCTION__);

147

148

/* set up conversation call */

149

pmsg[0] = &msg[0];

150

msg[0].msg_style = PAM_PROMPT_ECHO_OFF;

151

152

if (!tac_prompt) {

153

msg[0].msg = "Password: ";

154

} else {

155

msg[0].msg = tac_prompt;

156

}

157

resp = NULL;

158

159

if ((retval = converse (pamh, 1, pmsg, &resp)) != PAM_SUCCESS)

160

return retval;

161

162

if (resp) {

163

if ((resp[0].resp == NULL) && (ctrl & PAM_TAC_DEBUG))

164

_pam_log (LOG_DEBUG, "pam_sm_authenticate: NULL authtok given");

165

pass = resp[0].resp; /* remember this! */

166

resp[0].resp = NULL;

167

} else if (ctrl & PAM_TAC_DEBUG) {

168

_pam_log (LOG_DEBUG, "pam_sm_authenticate: no error reported");

169

_pam_log (LOG_DEBUG, "getting password, but NULL returned!?");

170

return PAM_CONV_ERR;

171

}

172

173

free(resp);

174

resp = NULL;

175

176

*password = pass; /* this *MUST* be free()'d by this module */

177

178

if(ctrl & PAM_TAC_DEBUG)

179

syslog(LOG_DEBUG, "%s: obtained password", __FUNCTION__);

180

181

return PAM_SUCCESS;

182

}

183

184

int _pam_parse (int argc, const char **argv) {

185

int ctrl = 0;

186

187

/* otherwise the list will grow with each call */

188

tac_srv_no = tac_srv_key_no = 0;

189

tac_encryption = 0;

190

191

for (ctrl = 0; argc-- > 0; ++argv) {

192

if (!strcmp (*argv, "debug")) { /* all */

193

ctrl |= PAM_TAC_DEBUG;

194

} else if (!strncmp (*argv, "service=", 8)) { /* author & acct */

195

tac_service = (char *) _xcalloc (strlen (*argv + 8) + 1);

196

strcpy (tac_service, *argv + 8);

197

} else if (!strncmp (*argv, "protocol=", 9)) { /* author & acct */

198

tac_protocol = (char *) _xcalloc (strlen (*argv + 9) + 1);

199

strcpy (tac_protocol, *argv + 9);

200

} else if (!strncmp (*argv, "prompt=", 7)) { /* authentication */

201

tac_prompt = (char *) _xcalloc (strlen (*argv + 7) + 1);

202

strcpy (tac_prompt, *argv + 7);

203

// Replace _ with space

204

int chr;

205

for (chr = 0; chr < strlen(tac_prompt); chr++) {

206

if (tac_prompt[chr] == '_') {

207

tac_prompt[chr] = ' ';

208

}

209

}

210

} else if (!strcmp (*argv, "acct_all")) {

211

ctrl |= PAM_TAC_ACCT;

212

} else if (!strncmp (*argv, "server=", 7)) { /* authen & acct */

213

if(tac_srv_no < TAC_PLUS_MAXSERVERS) {

214

struct addrinfo hints, *servers, *server;

215

int rv;

216

217

memset(&hints, 0, sizeof hints);

218

hints.ai_family = AF_UNSPEC; // use IPv4 or IPv6, whichever

219

hints.ai_socktype = SOCK_STREAM;

220

if ((rv = getaddrinfo(*argv + 7, "49", &hints, &servers)) == 0) {

221

for(server = servers; server != NULL; server = server->ai_next) {

222

tac_srv[tac_srv_no] = server;

223

tac_srv_no++;

224

}

225

} else {

226

_pam_log (LOG_ERR,

227

"skip invalid server: %s (getaddrinfo: %s)",

228

*argv + 7, gai_strerror(rv));

229

}

230

} else {

231

_pam_log(LOG_ERR, "maximum number of servers (%d) exceeded, skipping",

232

TAC_PLUS_MAXSERVERS);

233

}

234

} else if (!strncmp (*argv, "secret=", 7)) {

235

tac_encryption = 1;

236

if(tac_srv_key_no < TAC_PLUS_MAXSERVERS) {

237

tac_srv_key[tac_srv_key_no] = (char *) _xcalloc (strlen (*argv + 7) + 1);

238

strcpy (tac_srv_key[tac_srv_key_no], *argv + 7);

239

tac_srv_key_no++;

240

} else {

241

_pam_log(LOG_ERR, "maximum number of secrets (%d) exceeded, skipping",

242

TAC_PLUS_MAXSERVERS);

243

}

244

} else if (!strncmp (*argv, "timeout=", 8)) {

245

tac_timeout = atoi(*argv + 8);

246

} else if (!strncmp (*argv, "login=", 6)) {

247

tac_login = (char *) _xcalloc (strlen (*argv + 6) + 1);

248

strcpy (tac_login, *argv + 6);

249

} else {

250

_pam_log (LOG_WARNING, "unrecognized option: %s", *argv);

251

}

252

}

253

254

if (tac_srv_key_no == 0) {

255

tac_srv_key[0] = "";

256

tac_srv_key_no++;

257

}

258

for (;tac_srv_key_no < tac_srv_no;tac_srv_key_no++) {

259

tac_srv_key[tac_srv_key_no] = tac_srv_key[0];

260

}

261

262

return ctrl;

263

} /* _pam_parse */

264

Older »