pam_modules/dial_auth/dial_auth.c

2N/A/*
2N/A * CDDL HEADER START
2N/A *
2N/A * The contents of this file are subject to the terms of the
2N/A * Common Development and Distribution License (the "License").
2N/A * You may not use this file except in compliance with the License.
2N/A *
2N/A * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
2N/A * or http://www.opensolaris.org/os/licensing.
2N/A * See the License for the specific language governing permissions
2N/A * and limitations under the License.
2N/A *
2N/A * When distributing Covered Code, include this CDDL HEADER in each
2N/A * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
2N/A * If applicable, add the following below this CDDL HEADER, with the
2N/A * fields enclosed by brackets "[]" replaced with your own identifying
2N/A * information: Portions Copyright [yyyy] [name of copyright owner]
2N/A *
2N/A * CDDL HEADER END
2N/A */
2N/A/*
2N/A * Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
2N/A * Use is subject to license terms.
2N/A */
2N/A
2N/A#pragma ident   "%Z%%M% %I% %E% SMI"
2N/A
2N/A#include <crypt.h>
2N/A#include <pwd.h>
2N/A#include <shadow.h>
2N/A#include <string.h>
2N/A#include <stdlib.h>
2N/A#include <syslog.h>
2N/A#include <security/pam_appl.h>
2N/A#include <security/pam_modules.h>
2N/A#include "../../libpam/pam_impl.h"
2N/A
2N/A#include <libintl.h>
2N/A
2N/A/*
2N/A * Various useful files and string constants
2N/A */
2N/A#define DIAL_FILE   "/etc/dialups"
2N/A#define DPASS_FILE  "/etc/d_passwd"
2N/A#define SHELL       "/usr/bin/sh"
2N/A#define SCPYN(a, b) (void) strncpy(a, b, sizeof (a))
2N/A
2N/A/*
2N/A * pam_sm_authenticate  - This is the top level function in the
2N/A *          module called by pam_auth_port in the framework
2N/A *          Returns: PAM_AUTH_ERR on failure, 0 on success
2N/A */
2N/A/*ARGSUSED*/
2N/Aint
2N/Apam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv)
2N/A{
2N/A    char    *ttyn, *user;
2N/A    FILE    *fp;
2N/A    char    defpass[30];
2N/A    char    line[80];
2N/A    char    *p1 = NULL, *p2 = NULL;
2N/A    struct passwd   pwd;
2N/A    char    pwd_buffer[1024];
2N/A    char    *password = NULL;
2N/A    int retcode;
2N/A    int i;
2N/A    int debug = 0;
2N/A    int res;
2N/A
2N/A    for (i = 0; i < argc; i++) {
2N/A        if (strcasecmp(argv[i], "debug") == 0)
2N/A            debug = 1;
2N/A        else
2N/A            syslog(LOG_DEBUG, "illegal option %s", argv[i]);
2N/A    }
2N/A
2N/A    if ((retcode = pam_get_user(pamh, &user, NULL))
2N/A                    != PAM_SUCCESS ||
2N/A        (retcode = pam_get_item(pamh, PAM_TTY, (void **)&ttyn))
2N/A                    != PAM_SUCCESS)
2N/A        return (retcode);
2N/A
2N/A    if (debug) {
2N/A        syslog(LOG_DEBUG,
2N/A            "Dialpass authenticate user = %s, ttyn = %s",
2N/A            user ? user : "NULL", ttyn ? ttyn : "NULL");
2N/A    }
2N/A
2N/A    if (ttyn == NULL || *ttyn == '\0') {
2N/A        char *service;
2N/A
2N/A        (void) pam_get_item(pamh, PAM_SERVICE, (void **)&service);
2N/A        syslog(LOG_ERR, "pam_dial_auth: terminal-device not specified"
2N/A            "by %s, returning %s.", service,
2N/A            pam_strerror(pamh, PAM_SERVICE_ERR));
2N/A        return (PAM_SERVICE_ERR);
2N/A    }
2N/A    if (getpwnam_r(user, &pwd, pwd_buffer, sizeof (pwd_buffer)) == NULL)
2N/A        return (PAM_USER_UNKNOWN);
2N/A
2N/A    if ((fp = fopen(DIAL_FILE, "rF")) == NULL)
2N/A        return (PAM_IGNORE);
2N/A
2N/A    while ((p1 = fgets(line, sizeof (line), fp)) != NULL) {
2N/A        while (*p1 != '\n' && *p1 != ' ' && *p1 != '\t')
2N/A            p1++;
2N/A        *p1 = '\0';
2N/A        if (strcmp(line, ttyn) == 0)
2N/A            break;
2N/A    }
2N/A
2N/A    (void) fclose(fp);
2N/A
2N/A    if ((fp = fopen(DPASS_FILE, "rF")) == NULL) {
2N/A        syslog(LOG_ERR, "pam_dial_auth: %s without %s, returning %s.",
2N/A            DIAL_FILE, DPASS_FILE,
2N/A            pam_strerror(pamh, PAM_SYSTEM_ERR));
2N/A        (void) memset(line, 0, sizeof (line));
2N/A        return (PAM_SYSTEM_ERR);
2N/A    }
2N/A
2N/A    if (p1 == NULL) {
2N/A        (void) fclose(fp);
2N/A        (void) memset(line, 0, sizeof (line));
2N/A        return (PAM_IGNORE);
2N/A    }
2N/A
2N/A    defpass[0] = '\0';
2N/A
2N/A    while ((p1 = fgets(line, sizeof (line)-1, fp)) != NULL) {
2N/A        while (*p1 && *p1 != ':')
2N/A            p1++;
2N/A        *p1++ = '\0';
2N/A        p2 = p1;
2N/A        while (*p1 && *p1 != ':')
2N/A            p1++;
2N/A        *p1 = '\0';
2N/A        if (pwd.pw_shell != NULL && strcmp(pwd.pw_shell, line) == 0)
2N/A            break;
2N/A
2N/A        if (strcmp(SHELL, line) == 0)
2N/A            SCPYN(defpass, p2);
2N/A        p2 = NULL;
2N/A    }
2N/A
2N/A    (void) memset(line, 0, sizeof (line));
2N/A    (void) fclose(fp);
2N/A
2N/A    if (p2 == NULL)
2N/A        p2 = defpass;
2N/A
2N/A    if (*p2 != '\0') {
2N/A        res = __pam_get_authtok(pamh, PAM_PROMPT, PAM_AUTHTOK,
2N/A            dgettext(TEXT_DOMAIN, "Dialup Password: "), &password);
2N/A
2N/A        if (res != PAM_SUCCESS) {
2N/A            return (res);
2N/A        }
2N/A
2N/A        if (strcmp(crypt(password, p2), p2) != 0) {
2N/A            (void) memset(password, 0, strlen(password));
2N/A            free(password);
2N/A            return (PAM_AUTH_ERR);
2N/A        }
2N/A        (void) memset(password, 0, strlen(password));
2N/A        free(password);
2N/A    }
2N/A
2N/A    return (PAM_SUCCESS);
2N/A}
2N/A
2N/A/*
2N/A * dummy pam_sm_setcred - does nothing
2N/A */
2N/A/*ARGSUSED*/
2N/Aint
2N/Apam_sm_setcred(pam_handle_t *pamh, int flags, int argc, const char **argv)
2N/A{
2N/A    return (PAM_IGNORE);
2N/A}