2N/A/*
2N/A * CDDL HEADER START
2N/A *
2N/A * The contents of this file are subject to the terms of the
2N/A * Common Development and Distribution License, Version 1.0 only
2N/A * (the "License"). You may not use this file except in compliance
2N/A * with the License.
2N/A *
2N/A * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
2N/A * or http://www.opensolaris.org/os/licensing.
2N/A * See the License for the specific language governing permissions
2N/A * and limitations under the License.
2N/A *
2N/A * When distributing Covered Code, include this CDDL HEADER in each
2N/A * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
2N/A * If applicable, add the following below this CDDL HEADER, with the
2N/A * fields enclosed by brackets "[]" replaced with your own identifying
2N/A * information: Portions Copyright [yyyy] [name of copyright owner]
2N/A *
2N/A * CDDL HEADER END
2N/A */
2N/A/*
2N/A * Copyright 2003 Sun Microsystems, Inc. All rights reserved.
2N/A * Use is subject to license terms.
2N/A */
2N/A
2N/A#pragma ident "%Z%%M% %I% %E% SMI"
2N/A
2N/A#include <security/pam_appl.h>
2N/A#include <security/pam_modules.h>
2N/A#include <string.h>
2N/A#include <stdio.h>
2N/A#include <stdlib.h>
2N/A#include <sys/types.h>
2N/A#include <pwd.h>
2N/A#include <syslog.h>
2N/A#include <libintl.h>
2N/A
2N/A#include "sample_utils.h"
2N/A
2N/A/*
2N/A *
2N/A * Sample module for pam_sm_authenticate.
2N/A *
2N/A * options -
2N/A *
2N/A * debug
2N/A * use_first_pass
2N/A * try_first_pass
2N/A * first_pass_good (first password is always good when used with use/try)
2N/A * first_pass_bad (first password is always bad when used with use/try)
2N/A * pass=foobar (set good password to "foobar". default good password
2N/A * is test)
2N/A * always_fail always return PAM_AUTH_ERR
2N/A * always_succeed always return PAM_SUCCESS
2N/A * always_ignore
2N/A *
2N/A *
2N/A */
2N/A
2N/A/*
2N/A * pam_sm_authenticate - Authenticate user
2N/A */
2N/A/*ARGSUSED*/
2N/Aint
2N/Apam_sm_authenticate(
2N/A pam_handle_t *pamh,
2N/A int flags,
2N/A int argc,
2N/A const char **argv)
2N/A{
2N/A char *user;
2N/A struct pam_conv *pam_convp;
2N/A int err, result = PAM_AUTH_ERR;
2N/A struct pam_response *ret_resp = (struct pam_response *)0;
2N/A char messages[PAM_MAX_NUM_MSG][PAM_MAX_MSG_SIZE];
2N/A int debug = 0;
2N/A int try_first_pass = 0;
2N/A int use_first_pass = 0;
2N/A int first_pass_good = 0;
2N/A int first_pass_bad = 0;
2N/A int i, num_msg;
2N/A char *firstpass, *password;
2N/A char the_password[64];
2N/A
2N/A if (debug)
2N/A syslog(LOG_DEBUG, "Sample Authentication\n");
2N/A
2N/A (void) strcpy(the_password, "test");
2N/A
2N/A for (i = 0; i < argc; i++) {
2N/A if (strcmp(argv[i], "debug") == 0)
2N/A debug = 1;
2N/A else if (strcmp(argv[i], "try_first_pass") == 0)
2N/A try_first_pass = 1;
2N/A else if (strcmp(argv[i], "first_pass_good") == 0)
2N/A first_pass_good = 1;
2N/A else if (strcmp(argv[i], "first_pass_bad") == 0)
2N/A first_pass_bad = 1;
2N/A else if (strcmp(argv[i], "use_first_pass") == 0)
2N/A use_first_pass = 1;
2N/A else if (strcmp(argv[i], "always_fail") == 0)
2N/A return (PAM_AUTH_ERR);
2N/A else if (strcmp(argv[i], "always_succeed") == 0)
2N/A return (PAM_SUCCESS);
2N/A else if (strcmp(argv[i], "always_ignore") == 0)
2N/A return (PAM_IGNORE);
2N/A else if (sscanf(argv[i], "pass=%64s", the_password) == 1) {
2N/A /*EMPTY*/;
2N/A }
2N/A else
2N/A syslog(LOG_DEBUG, "illegal scheme option %s", argv[i]);
2N/A }
2N/A
2N/A err = pam_get_user(pamh, &user, NULL);
2N/A if (err != PAM_SUCCESS)
2N/A return (err);
2N/A
2N/A err = pam_get_item(pamh, PAM_CONV, (void**) &pam_convp);
2N/A if (err != PAM_SUCCESS)
2N/A return (err);
2N/A
2N/A (void) pam_get_item(pamh, PAM_AUTHTOK, (void **) &firstpass);
2N/A
2N/A if (firstpass && (use_first_pass || try_first_pass)) {
2N/A
2N/A if ((first_pass_good ||
2N/A strncmp(firstpass, the_password,
2N/A strlen(the_password)) == 0) &&
2N/A !first_pass_bad) {
2N/A result = PAM_SUCCESS;
2N/A goto out;
2N/A }
2N/A if (use_first_pass) goto out;
2N/A }
2N/A
2N/A /*
2N/A * Get the password from the user
2N/A */
2N/A if (firstpass) {
2N/A (void) snprintf(messages[0], sizeof (messages[0]),
2N/A dgettext(TEXT_DOMAIN, "TEST Password: "));
2N/A } else {
2N/A (void) snprintf(messages[0], sizeof (messages[0]),
2N/A dgettext(TEXT_DOMAIN, "Password: "));
2N/A }
2N/A num_msg = 1;
2N/A err = __get_authtok(pam_convp->conv,
2N/A num_msg, messages, NULL, &ret_resp);
2N/A
2N/A if (err != PAM_SUCCESS) {
2N/A result = err;
2N/A goto out;
2N/A }
2N/A
2N/A password = ret_resp->resp;
2N/A
2N/A if (password == NULL) {
2N/A result = PAM_AUTH_ERR;
2N/A goto out;
2N/A }
2N/A
2N/A /* one last ditch attempt to "login" to TEST */
2N/A
2N/A if (strncmp(password, the_password, strlen(the_password)) == 0) {
2N/A result = PAM_SUCCESS;
2N/A if (firstpass == NULL) {
2N/A /* this is the first password, stash it away */
2N/A (void) pam_set_item(pamh, PAM_AUTHTOK, password);
2N/A }
2N/A }
2N/A
2N/Aout:
2N/A if (num_msg > 0) {
2N/A if (ret_resp != 0) {
2N/A if (ret_resp->resp != 0) {
2N/A /* avoid leaving password cleartext around */
2N/A (void) memset(ret_resp->resp, 0,
2N/A strlen(ret_resp->resp));
2N/A }
2N/A __free_resp(num_msg, ret_resp);
2N/A ret_resp = 0;
2N/A }
2N/A }
2N/A
2N/A return (result);
2N/A}