2 * Copyright (c) 2000 Damien Miller. All rights reserved.
4 * Redistribution and use in source and binary forms, with or without
5 * modification, are permitted provided that the following conditions
7 * 1. Redistributions of source code must retain the above copyright
8 * notice, this list of conditions and the following disclaimer.
9 * 2. Redistributions in binary form must reproduce the above copyright
10 * notice, this list of conditions and the following disclaimer in the
11 * documentation and/or other materials provided with the distribution.
13 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
14 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
15 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
16 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
17 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
18 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
19 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
20 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
21 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
22 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
38 #define NEW_AUTHTOK_MSG \
39 "Warning: Your password has expired, please change it now"
41 static int do_pam_conversation(int num_msg, const struct pam_message **msg,
42 struct pam_response **resp, void *appdata_ptr);
44 /* module-local variables */
45 static struct pam_conv conv = {
49 static char *pam_msg = NULL;
50 static pam_handle_t *pamh = NULL;
51 static const char *pampasswd = NULL;
53 /* states for do_pam_conversation() */
54 enum { INITIAL_LOGIN, OTHER } pamstate = INITIAL_LOGIN;
55 /* remember whether pam_acct_mgmt() returned PAM_NEWAUTHTOK_REQD */
56 static int password_change_required = 0;
57 /* remember whether the last pam_authenticate() succeeded or not */
58 static int was_authenticated = 0;
60 /* accessor which allows us to switch conversation structs according to
61 * the authentication method being used */
62 void pam_set_conv(struct pam_conv *conv)
64 pam_set_item(pamh, PAM_CONV, conv);
67 /* start an authentication run */
68 int do_pam_authenticate(int flags)
70 int retval = pam_authenticate(pamh, flags);
71 was_authenticated = (retval == PAM_SUCCESS);
76 * PAM conversation function.
77 * There are two states this can run in.
79 * INITIAL_LOGIN mode simply feeds the password from the client into
80 * PAM in response to PAM_PROMPT_ECHO_OFF, and collects output
81 * messages with into pam_msg. This is used during initial
82 * authentication to bypass the normal PAM password prompt.
84 * OTHER mode handles PAM_PROMPT_ECHO_OFF with read_passphrase(prompt, 1)
85 * and outputs messages to stderr. This mode is used if pam_chauthtok()
86 * is called to update expired passwords.
88 static int do_pam_conversation(int num_msg, const struct pam_message **msg,
89 struct pam_response **resp, void *appdata_ptr)
91 struct pam_response *reply;
95 /* PAM will free this later */
96 reply = malloc(num_msg * sizeof(*reply));
100 for (count = 0; count < num_msg; count++) {
101 if (pamstate == INITIAL_LOGIN) {
103 * We can't use stdio yet, queue messages for
106 switch(PAM_MSG_MEMBER(msg, count, msg_style)) {
107 case PAM_PROMPT_ECHO_ON:
110 case PAM_PROMPT_ECHO_OFF:
111 if (pampasswd == NULL) {
115 reply[count].resp = xstrdup(pampasswd);
116 reply[count].resp_retcode = PAM_SUCCESS;
120 if ((*msg)[count].msg != NULL) {
121 message_cat(&pam_msg,
122 PAM_MSG_MEMBER(msg, count, msg));
124 reply[count].resp = xstrdup("");
125 reply[count].resp_retcode = PAM_SUCCESS;
133 * stdio is connected, so interact directly
135 switch(PAM_MSG_MEMBER(msg, count, msg_style)) {
136 case PAM_PROMPT_ECHO_ON:
137 fputs(PAM_MSG_MEMBER(msg, count, msg), stderr);
138 fgets(buf, sizeof(buf), stdin);
139 reply[count].resp = xstrdup(buf);
140 reply[count].resp_retcode = PAM_SUCCESS;
142 case PAM_PROMPT_ECHO_OFF:
143 reply[count].resp = xstrdup(
144 read_passphrase(PAM_MSG_MEMBER(msg, count,
146 reply[count].resp_retcode = PAM_SUCCESS;
150 if ((*msg)[count].msg != NULL)
151 fprintf(stderr, "%s\n",
152 PAM_MSG_MEMBER(msg, count, msg));
153 reply[count].resp = xstrdup("");
154 reply[count].resp_retcode = PAM_SUCCESS;
168 /* Called at exit to cleanly shutdown PAM */
169 void pam_cleanup_proc(void *context)
174 pam_retval = pam_close_session(pamh, 0);
175 if (pam_retval != PAM_SUCCESS)
176 log("Cannot close PAM session[%d]: %.200s",
177 pam_retval, PAM_STRERROR(pamh, pam_retval));
179 pam_retval = pam_setcred(pamh, PAM_DELETE_CRED);
180 if (pam_retval != PAM_SUCCESS)
181 debug("Cannot delete credentials[%d]: %.200s",
182 pam_retval, PAM_STRERROR(pamh, pam_retval));
184 pam_retval = pam_end(pamh, pam_retval);
185 if (pam_retval != PAM_SUCCESS)
186 log("Cannot release PAM authentication[%d]: %.200s",
187 pam_retval, PAM_STRERROR(pamh, pam_retval));
191 /* Attempt password authentation using PAM */
192 int auth_pam_password(struct passwd *pw, const char *password)
194 extern ServerOptions options;
199 /* deny if no user. */
202 if (pw->pw_uid == 0 && options.permit_root_login == 2)
204 if (*password == '\0' && options.permit_empty_passwd == 0)
207 pampasswd = password;
209 pamstate = INITIAL_LOGIN;
210 pam_retval = do_pam_authenticate(0);
211 if (pam_retval == PAM_SUCCESS) {
212 debug("PAM Password authentication accepted for "
213 "user \"%.100s\"", pw->pw_name);
216 debug("PAM Password authentication for \"%.100s\" "
217 "failed[%d]: %s", pw->pw_name, pam_retval,
218 PAM_STRERROR(pamh, pam_retval));
223 /* Do account management using PAM */
224 int do_pam_account(char *username, char *remote_user)
227 extern ServerOptions options;
231 debug("PAM setting rhost to \"%.200s\"",
232 get_canonical_hostname(options.reverse_mapping_check));
233 pam_retval = pam_set_item(pamh, PAM_RHOST,
234 get_canonical_hostname(options.reverse_mapping_check));
235 if (pam_retval != PAM_SUCCESS)
236 fatal("PAM set rhost failed[%d]: %.200s", pam_retval,
237 PAM_STRERROR(pamh, pam_retval));
239 debug("PAM setting ruser to \"%.200s\"", remote_user);
240 pam_retval = pam_set_item(pamh, PAM_RUSER, remote_user);
241 if (pam_retval != PAM_SUCCESS)
242 fatal("PAM set ruser failed[%d]: %.200s", pam_retval,
243 PAM_STRERROR(pamh, pam_retval));
246 pam_retval = pam_acct_mgmt(pamh, 0);
247 switch (pam_retval) {
249 /* This is what we want */
251 case PAM_NEW_AUTHTOK_REQD:
252 message_cat(&pam_msg, NEW_AUTHTOK_MSG);
253 /* flag that password change is necessary */
254 password_change_required = 1;
257 log("PAM rejected by account configuration[%d]: "
258 "%.200s", pam_retval, PAM_STRERROR(pamh,
266 /* Do PAM-specific session initialisation */
267 void do_pam_session(char *username, const char *ttyname)
271 if (ttyname != NULL) {
272 debug("PAM setting tty to \"%.200s\"", ttyname);
273 pam_retval = pam_set_item(pamh, PAM_TTY, ttyname);
274 if (pam_retval != PAM_SUCCESS)
275 fatal("PAM set tty failed[%d]: %.200s",
276 pam_retval, PAM_STRERROR(pamh, pam_retval));
279 pam_retval = pam_open_session(pamh, 0);
280 if (pam_retval != PAM_SUCCESS)
281 fatal("PAM session setup failed[%d]: %.200s",
282 pam_retval, PAM_STRERROR(pamh, pam_retval));
285 /* Set PAM credentials */
286 void do_pam_setcred(void)
290 debug("PAM establishing creds");
291 pam_retval = pam_setcred(pamh, PAM_ESTABLISH_CRED);
292 if (pam_retval != PAM_SUCCESS) {
293 if (was_authenticated)
294 fatal("PAM setcred failed[%d]: %.200s",
295 pam_retval, PAM_STRERROR(pamh, pam_retval));
297 debug("PAM setcred failed[%d]: %.200s",
298 pam_retval, PAM_STRERROR(pamh, pam_retval));
302 /* accessor function for file scope static variable */
303 int pam_password_change_required(void)
305 return password_change_required;
309 * Have user change authentication token if pam_acct_mgmt() indicated
310 * it was expired. This needs to be called after an interactive
311 * session is established and the user's pty is connected to
312 * stdin/stout/stderr.
314 void do_pam_chauthtok(void)
318 if (password_change_required) {
320 /* XXX: should we really loop forever? */
322 pam_retval = pam_chauthtok(pamh,
323 PAM_CHANGE_EXPIRED_AUTHTOK);
324 if (pam_retval != PAM_SUCCESS)
325 log("PAM pam_chauthtok failed[%d]: %.200s",
326 pam_retval, PAM_STRERROR(pamh, pam_retval));
327 } while (pam_retval != PAM_SUCCESS);
331 /* Cleanly shutdown PAM */
332 void finish_pam(void)
334 pam_cleanup_proc(NULL);
335 fatal_remove_cleanup(&pam_cleanup_proc, NULL);
338 /* Start PAM authentication for specified account */
339 void start_pam(const char *user)
343 debug("Starting up PAM with username \"%.200s\"", user);
345 pam_retval = pam_start(SSHD_PAM_SERVICE, user, &conv, &pamh);
347 if (pam_retval != PAM_SUCCESS)
348 fatal("PAM initialisation failed[%d]: %.200s",
349 pam_retval, PAM_STRERROR(pamh, pam_retval));
350 #ifdef PAM_TTY_KLUDGE
352 * Some PAM modules (e.g. pam_time) require a TTY to operate,
353 * and will fail in various stupid ways if they don't get one.
354 * sshd doesn't set the tty until too late in the auth process and may
355 * not even need one (for tty-less connections)
356 * Kludge: Set a fake PAM_TTY
358 pam_retval = pam_set_item(pamh, PAM_TTY, "ssh");
359 if (pam_retval != PAM_SUCCESS)
360 fatal("PAM set tty failed[%d]: %.200s",
361 pam_retval, PAM_STRERROR(pamh, pam_retval));
362 #endif /* PAM_TTY_KLUDGE */
364 fatal_add_cleanup(&pam_cleanup_proc, NULL);
367 /* Return list of PAM enviornment strings */
368 char **fetch_pam_environment(void)
370 #ifdef HAVE_PAM_GETENVLIST
371 return(pam_getenvlist(pamh));
372 #else /* HAVE_PAM_GETENVLIST */
374 #endif /* HAVE_PAM_GETENVLIST */
377 /* Print any messages that have been generated during authentication */
378 /* or account checking to stderr */
379 void print_pam_messages(void)
382 fputs(pam_msg, stderr);
385 /* Append a message to buffer */
386 void message_cat(char **p, const char *a)
394 size_t len = strlen(*p);
396 *p = xrealloc(*p, new_len + len + 2);
399 *p = cp = xmalloc(new_len + 2);
401 memcpy(cp, a, new_len);
403 cp[new_len + 1] = '\0';