a5c9cd31 | 1 | /* |
09564242 | 2 | * Copyright (c) 2000 Damien Miller. All rights reserved. |
3 | * | |
4 | * Redistribution and use in source and binary forms, with or without | |
5 | * modification, are permitted provided that the following conditions | |
6 | * are met: | |
7 | * 1. Redistributions of source code must retain the above copyright | |
8 | * notice, this list of conditions and the following disclaimer. | |
9 | * 2. Redistributions in binary form must reproduce the above copyright | |
10 | * notice, this list of conditions and the following disclaimer in the | |
11 | * documentation and/or other materials provided with the distribution. | |
12 | * 3. All advertising materials mentioning features or use of this software | |
13 | * must display the following acknowledgement: | |
14 | * This product includes software developed by Markus Friedl. | |
15 | * 4. The name of the author may not be used to endorse or promote products | |
16 | * derived from this software without specific prior written permission. | |
17 | * | |
18 | * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR | |
19 | * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES | |
20 | * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. | |
21 | * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, | |
22 | * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT | |
23 | * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, | |
24 | * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY | |
25 | * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT | |
26 | * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF | |
27 | * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | |
a5c9cd31 | 28 | */ |
29 | ||
30 | #include "includes.h" | |
31 | ||
32 | #ifdef USE_PAM | |
33 | #include "ssh.h" | |
34 | #include "xmalloc.h" | |
35 | #include "servconf.h" | |
36 | ||
37 | RCSID("$Id$"); | |
38 | ||
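/*
 * Text queued (via pam_msg_cat()) when pam_acct_mgmt() reports
 * PAM_NEW_AUTHTOK_REQD in do_pam_account(); print_pam_messages() later
 * writes it to stderr.  Fixes the "You password" typo in the user-facing text.
 */
#define NEW_AUTHTOK_MSG \
	"Warning: Your password has expired, please change it now"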
41 | ||
/* Callbacks */
static int pamconv(int num_msg, const struct pam_message **msg,
    struct pam_response **resp, void *appdata_ptr);
void pam_cleanup_proc(void *context);
void pam_msg_cat(const char *msg);

/* module-local variables */

/* Conversation descriptor handed to pam_start(); carries no application data. */
static struct pam_conv conv = { pamconv, NULL };

/* Handle filled in by pam_start(); every PAM call casts it to pam_handle_t *. */
static struct pam_handle_t *pamh = NULL;

/*
 * Password that pamconv() answers PAM_PROMPT_ECHO_OFF with.  Set by
 * auth_pam_password() to the caller's buffer -- a borrowed pointer, not a copy.
 */
static const char *pampasswd = NULL;

/*
 * Heap buffer of newline-terminated PAM text messages, grown by pam_msg_cat()
 * and written out by print_pam_messages().  Nothing on this page frees it.
 */
static char *pam_msg = NULL;
a5c9cd31 | 56 | |
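/*
 * PAM conversation function.  This is really a kludge to get the password
 * into PAM and to pick up any messages generated by PAM into pam_msg.
 *
 * num_msg/msg: prompts PAM wants answered.  Only PAM_PROMPT_ECHO_OFF
 *   (answered with pampasswd) and PAM_TEXT_INFO (text collected through
 *   pam_msg_cat()) are supported; any other style fails the conversation.
 * resp: on PAM_SUCCESS receives a heap array that PAM frees later.
 * appdata_ptr: unused.
 * Returns PAM_SUCCESS, or PAM_CONV_ERR with *resp untouched.
 */
static int pamconv(int num_msg, const struct pam_message **msg,
    struct pam_response **resp, void *appdata_ptr)
{
	struct pam_response *reply;
	int count;

	/* A conversation with no prompts (or NULL vectors) is malformed. */
	if (num_msg <= 0 || msg == NULL || resp == NULL)
		return PAM_CONV_ERR;

	/*
	 * PAM will free this later.  calloc() so every resp starts out NULL,
	 * which lets the error path free exactly the replies filled in so far
	 * (the original free(reply) leaked each xstrdup()'d resp, including
	 * copies of the password).
	 */
	reply = calloc((size_t)num_msg, sizeof(*reply));
	if (reply == NULL)
		return PAM_CONV_ERR;

	for (count = 0; count < num_msg; count++) {
		switch (msg[count]->msg_style) {
		case PAM_PROMPT_ECHO_OFF:
			/* No password on hand: we cannot answer, so refuse. */
			if (pampasswd == NULL)
				goto fail;
			reply[count].resp_retcode = PAM_SUCCESS;
			reply[count].resp = xstrdup(pampasswd);
			break;
		case PAM_TEXT_INFO:
			reply[count].resp_retcode = PAM_SUCCESS;
			reply[count].resp = xstrdup("");
			/* Queue the text for print_pam_messages(). */
			if (msg[count]->msg != NULL)
				pam_msg_cat(msg[count]->msg);
			break;
		default:
			/* Echoed prompts and error messages are not handled here. */
			goto fail;
		}
	}

	*resp = reply;
	return PAM_SUCCESS;

fail:
	for (count = 0; count < num_msg; count++) {
		if (reply[count].resp != NULL) {
			/* Best-effort wipe: a resp may be a copy of the password. */
			memset(reply[count].resp, 0, strlen(reply[count].resp));
			free(reply[count].resp);
		}
	}
	free(reply);
	return PAM_CONV_ERR;
}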
98 | ||
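/*
 * Called at exit to cleanly shutdown PAM -- either through the fatal()
 * cleanup list (see start_pam()) or directly from finish_pam().  Closes the
 * session, drops credentials and releases the handle; failures are only
 * logged.
 *
 * context: unused; present for the fatal_add_cleanup() callback signature.
 */
void pam_cleanup_proc(void *context)
{
	int pam_retval;

	if (pamh == NULL)
		return;

	pam_retval = pam_close_session((pam_handle_t *)pamh, 0);
	if (pam_retval != PAM_SUCCESS) {
		log("Cannot close PAM session: %.200s",
		    PAM_STRERROR((pam_handle_t *)pamh, pam_retval));
	}

	pam_retval = pam_setcred((pam_handle_t *)pamh, PAM_DELETE_CRED);
	if (pam_retval != PAM_SUCCESS) {
		log("Cannot delete credentials: %.200s",
		    PAM_STRERROR((pam_handle_t *)pamh, pam_retval));
	}

	/* pam_end() receives the status of the preceding PAM call. */
	pam_retval = pam_end((pam_handle_t *)pamh, pam_retval);
	if (pam_retval != PAM_SUCCESS) {
		log("Cannot release PAM authentication: %.200s",
		    PAM_STRERROR((pam_handle_t *)pamh, pam_retval));
	}

	/*
	 * The handle is gone after pam_end(); forget it so a second run of
	 * this cleanup (e.g. finish_pam() and then a fatal() before the
	 * cleanup entry was removed) cannot touch a released handle.
	 */
	pamh = NULL;
}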
125 | ||
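/*
 * Attempt password authentication using PAM.
 *
 * pw: account being authenticated; NULL is denied.
 * password: cleartext password offered by the client.
 * Returns 1 on PAM_SUCCESS, 0 otherwise.  Local policy (root login,
 * empty passwords) is checked before PAM is consulted.
 */
int auth_pam_password(struct passwd *pw, const char *password)
{
	extern ServerOptions options;
	int pam_retval;

	/* deny if no user. */
	if (pw == NULL || password == NULL)
		return 0;
	if (pw->pw_uid == 0 && options.permit_root_login == 2)
		return 0;
	if (*password == '\0' && options.permit_empty_passwd == 0)
		return 0;

	/*
	 * pamconv() reads the password through this module-local pointer.
	 * It borrows the caller's buffer rather than copying it, and nothing
	 * here guarantees that buffer outlives this call -- so clear the
	 * pointer again immediately after pam_authenticate() returns.  A later
	 * PAM prompt (say, during pam_acct_mgmt()) then fails the conversation
	 * instead of reading through a dangling pointer.
	 */
	pampasswd = password;
	pam_retval = pam_authenticate((pam_handle_t *)pamh, 0);
	pampasswd = NULL;

	if (pam_retval == PAM_SUCCESS) {
		debug("PAM Password authentication accepted for user \"%.100s\"",
		    pw->pw_name);
		return 1;
	}

	debug("PAM Password authentication for \"%.100s\" failed: %s",
	    pw->pw_name, PAM_STRERROR((pam_handle_t *)pamh, pam_retval));
	return 0;
}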
153 | ||
/*
 * Do account management using PAM: record the remote host and, when known,
 * the remote user on the handle, then run pam_acct_mgmt().
 *
 * username: unused here; the account was fixed by start_pam().
 * remote_user: client-supplied remote user name, or NULL to leave PAM_RUSER
 *   unset.
 * Returns 1 when PAM accepts the account, 0 when it rejects it.  A
 * PAM_NEW_AUTHTOK_REQD result is treated as acceptance and only queues
 * NEW_AUTHTOK_MSG.  pam_set_item() failures are fatal.
 */
int do_pam_account(char *username, char *remote_user)
{
	const char *rhost = get_canonical_hostname();
	int rc;

	debug("PAM setting rhost to \"%.200s\"", rhost);
	rc = pam_set_item((pam_handle_t *)pamh, PAM_RHOST, rhost);
	if (rc != PAM_SUCCESS)
		fatal("PAM set rhost failed: %.200s",
		    PAM_STRERROR((pam_handle_t *)pamh, rc));

	if (remote_user != NULL) {
		debug("PAM setting ruser to \"%.200s\"", remote_user);
		rc = pam_set_item((pam_handle_t *)pamh, PAM_RUSER, remote_user);
		if (rc != PAM_SUCCESS)
			fatal("PAM set ruser failed: %.200s",
			    PAM_STRERROR((pam_handle_t *)pamh, rc));
	}

	rc = pam_acct_mgmt((pam_handle_t *)pamh, 0);
	if (rc == PAM_SUCCESS)
		return 1;
	if (rc == PAM_NEW_AUTHTOK_REQD) {
		/*
		 * NOTE(review): an expired authentication token only yields a
		 * warning; the login proceeds without a pam_chauthtok() round.
		 */
		pam_msg_cat(NEW_AUTHTOK_MSG);
		return 1;
	}

	log("PAM rejected by account configuration: %.200s",
	    PAM_STRERROR((pam_handle_t *)pamh, rc));
	return 0;
}
192 | ||
/*
 * Do PAM-specific session initialisation: set PAM_TTY when a tty was
 * allocated, then open the PAM session.  Any failure is fatal.
 *
 * username: unused; the account was fixed by start_pam().
 * ttyname: the allocated tty, or NULL for a session without one.
 */
void do_pam_session(char *username, const char *ttyname)
{
	int rc;

	if (ttyname != NULL) {
		debug("PAM setting tty to \"%.200s\"", ttyname);
		rc = pam_set_item((pam_handle_t *)pamh, PAM_TTY, ttyname);
		if (rc != PAM_SUCCESS)
			fatal("PAM set tty failed: %.200s",
			    PAM_STRERROR((pam_handle_t *)pamh, rc));
	}

	rc = pam_open_session((pam_handle_t *)pamh, 0);
	if (rc != PAM_SUCCESS)
		fatal("PAM session setup failed: %.200s",
		    PAM_STRERROR((pam_handle_t *)pamh, rc));
}
213 | ||
/*
 * Set PAM credentials with pam_setcred(PAM_ESTABLISH_CRED).  Failure is
 * fatal; the matching PAM_DELETE_CRED is issued by pam_cleanup_proc().
 */
void do_pam_setcred()
{
	int rc;

	debug("PAM establishing creds");
	rc = pam_setcred((pam_handle_t *)pamh, PAM_ESTABLISH_CRED);
	if (rc == PAM_SUCCESS)
		return;

	fatal("PAM setcred failed: %.200s",
	    PAM_STRERROR((pam_handle_t *)pamh, rc));
}
226 | ||
/*
 * Cleanly shutdown PAM: run the cleanup now and unregister it from the
 * fatal() cleanup list so it is not run again by a later fatal().
 */
void finish_pam(void)
{
	pam_cleanup_proc(NULL);
	fatal_remove_cleanup(pam_cleanup_proc, NULL);
}
233 | ||
/*
 * Start PAM authentication for the specified account: pam_start() with the
 * sshd service name and our conversation descriptor, then register
 * pam_cleanup_proc() so a later fatal() still shuts PAM down.
 *
 * pw: the account; only pw->pw_name is used.  pam_start() failure is fatal.
 */
void start_pam(struct passwd *pw)
{
	int rc;

	debug("Starting up PAM with username \"%.200s\"", pw->pw_name);

	rc = pam_start(SSHD_PAM_SERVICE, pw->pw_name, &conv,
	    (pam_handle_t **)&pamh);
	if (rc != PAM_SUCCESS)
		fatal("PAM initialisation failed: %.200s",
		    PAM_STRERROR((pam_handle_t *)pamh, rc));

	fatal_add_cleanup(pam_cleanup_proc, NULL);
}
251 | ||
/*
 * Return the list of PAM environment strings from pam_getenvlist(), or
 * NULL when the PAM implementation does not provide that call.
 */
char **fetch_pam_environment(void)
{
#ifdef HAVE_PAM_GETENVLIST
	char **env = pam_getenvlist((pam_handle_t *)pamh);

	return env;
#else /* HAVE_PAM_GETENVLIST */
	return NULL;
#endif /* HAVE_PAM_GETENVLIST */
}
261 | ||
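/*
 * Print any messages that have been generated during authentication or
 * account checking to stderr.  pam_msg_cat() already terminates every
 * message with a newline, so the buffer is written out verbatim.
 */
void print_pam_messages(void)
{
	/*
	 * pam_msg holds text produced by PAM modules, which may echo
	 * client-influenced data; it must never be passed as a format
	 * string.  The previous fprintf(stderr, pam_msg) did exactly that.
	 */
	if (pam_msg != NULL)
		fputs(pam_msg, stderr);
}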
269 | ||
/*
 * Append a message to the PAM message buffer, followed by a newline.
 * The buffer is grown with the project's xmalloc()/xrealloc() wrappers (no
 * NULL check is made here) and is always NUL-terminated.  msg must be
 * non-NULL.
 */
void pam_msg_cat(const char *msg)
{
	size_t old_len = pam_msg ? strlen(pam_msg) : 0;
	size_t add_len = strlen(msg);
	char *tail;

	/* Room for the existing text, the new text, '\n' and the NUL. */
	if (pam_msg != NULL)
		pam_msg = xrealloc(pam_msg, old_len + add_len + 2);
	else
		pam_msg = xmalloc(add_len + 2);
	tail = pam_msg + old_len;

	memcpy(tail, msg, add_len);
	tail[add_len] = '\n';
	tail[add_len + 1] = '\0';
}
291 | ||
292 | #endif /* USE_PAM */ |