pam_modules/rhosts_auth/rhosts_auth.c

/*
 * CDDL HEADER START
 *
 * The contents of this file are subject to the terms of the
 * Common Development and Distribution License, Version 1.0 only
 * (the "License").  You may not use this file except in compliance
 * with the License.
 *
 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
 * or http://www.opensolaris.org/os/licensing.
 * See the License for the specific language governing permissions
 * and limitations under the License.
 *
 * When distributing Covered Code, include this CDDL HEADER in each
 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
 * If applicable, add the following below this CDDL HEADER, with the
 * fields enclosed by brackets "[]" replaced with your own identifying
 * information: Portions Copyright [yyyy] [name of copyright owner]
 *
 * CDDL HEADER END
 */
/*
 * Copyright 2004 Sun Microsystems, Inc.  All rights reserved.
 * Use is subject to license terms.
 */

#pragma ident   "%Z%%M% %I% %E% SMI"

#include <sys/param.h>
#include <security/pam_appl.h>
#include <security/pam_modules.h>
#include <pwd.h>
#include <shadow.h>
#include <string.h>
#include <rpc/types.h>
#include <rpc/auth.h>
#include <locale.h>
#include <crypt.h>
#include <syslog.h>

extern int ruserok(const char *, int, const char *, const char *);

/*
 * pam_sm_authenticate  - Checks if the user is allowed remote access
 */
/*ARGSUSED*/
int
pam_sm_authenticate(
    pam_handle_t    *pamh,
    int flags,
    int argc,
    const char  **argv)
{
    char *host = NULL, *lusername = NULL;
    struct passwd pwd;
    char pwd_buffer[1024];
    int is_superuser;
    char    *rusername;
    int i;
    int debug = 0;

    for (i = 0; i < argc; i++) {
        if (strcasecmp(argv[i], "debug") == 0)
            debug = 1;
        else
            syslog(LOG_DEBUG, "illegal option %s", argv[i]);
    }

    if (pam_get_item(pamh, PAM_USER, (void **) &lusername) != PAM_SUCCESS)
        return (PAM_SERVICE_ERR);
    if (pam_get_item(pamh, PAM_RHOST, (void **) &host) != PAM_SUCCESS)
        return (PAM_SERVICE_ERR);
    if (pam_get_item(pamh, PAM_RUSER, (void **)&rusername) != PAM_SUCCESS)
        return (PAM_SERVICE_ERR);

    if (lusername == NULL || *lusername == '\0')
        return (PAM_USER_UNKNOWN);
    if (rusername == NULL || *rusername == '\0')
        return (PAM_AUTH_ERR);
    if (host == NULL || *host == '\0')
        return (PAM_AUTH_ERR);

    if (debug) {
        syslog(LOG_DEBUG,
            "rhosts authenticate: user = %s, host = %s",
            lusername, host);
    }

    if (getpwnam_r(lusername, &pwd, pwd_buffer, sizeof (pwd_buffer))
                                == NULL)
        return (PAM_USER_UNKNOWN);

    if (pwd.pw_uid == 0)
        is_superuser = 1;
    else
        is_superuser = 0;

    return (ruserok(host, is_superuser, rusername, lusername)
        == -1 ? PAM_AUTH_ERR : PAM_SUCCESS);

}

/*
 * dummy pam_sm_setcred - does nothing
 */
/*ARGSUSED*/
int
pam_sm_setcred(
    pam_handle_t    *pamh,
    int flags,
    int argc,
    const char  **argv)
{
    return (PAM_IGNORE);
}