authorSeraphim Mellos <mellos@ceid.upatras.gr>2008-06-15 11:36:46 +0300
committerSeraphim Mellos <mellos@ceid.upatras.gr>2008-06-15 11:36:46 +0300
commit1bdbf53a2a3fda4108634267acf4b801867e50be (patch)
treeb5e6e3722a1525cee464cb32b7b909f52c790ea1 /modules
parentAdded log messages and restructured base dir organization (diff)
Started work on Makefiles
Diffstat (limited to 'modules')
-rw-r--r--modules/pam_nologin/pam_nologin.c0
-rw-r--r--modules/pam_rootok/pam_rootok.c0
-rw-r--r--modules/pam_securetty/pam_securetty.c0
-rw-r--r--modules/pam_shells/pam_shells.c0
-rw-r--r--modules/pam_unix/Makefile42
-rw-r--r--modules/pam_unix/Makefile~41
-rw-r--r--modules/pam_unix/pam_unix.c257
-rw-r--r--modules/pam_unix/pam_unix.c~257
-rw-r--r--modules/pam_wheel/pam_wheel.c0
9 files changed, 597 insertions, 0 deletions
diff --git a/modules/pam_nologin/pam_nologin.c b/modules/pam_nologin/pam_nologin.c
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/modules/pam_nologin/pam_nologin.c
diff --git a/modules/pam_rootok/pam_rootok.c b/modules/pam_rootok/pam_rootok.c
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/modules/pam_rootok/pam_rootok.c
diff --git a/modules/pam_securetty/pam_securetty.c b/modules/pam_securetty/pam_securetty.c
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/modules/pam_securetty/pam_securetty.c
diff --git a/modules/pam_shells/pam_shells.c b/modules/pam_shells/pam_shells.c
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/modules/pam_shells/pam_shells.c
diff --git a/modules/pam_unix/Makefile b/modules/pam_unix/Makefile
new file mode 100644
index 0000000..314c0e0
--- /dev/null
+++ b/modules/pam_unix/Makefile
@@ -0,0 +1,42 @@
+#
+## Copyright (c) 2008 by Seraphim Mellos. See LICENSE.
+#
+
+include ../../Make.defs
+
+TITLE = pam_unix
+PAM_SO_SUFFIX =
+LIBSHARED = $(TITLE).so$(PAM_SO_SUFFIX)
+SHLIBMODE = 755
+MAN8 = $(TITLE).8
+MANMODE = 644
+#SECUREDIR = /lib/security
+#MANDIR = /usr/share/man
+#DESTDIR =
+
+
+
+PROJ = $(LIBSHARED)
+OBJS = pam_unix.c
+
+all:
+ case "`uname -s`" in \
+ Linux) $(MAKE) -I$(INCDIR) CFLAGS="$(CFLAGS) -DHAVE_SHADOW" \
+ -L$(LDDIR) LDFLAGS="$(LDFLAGS)" LDLIBS="$(LDLIBS)" \
+ $(PROJ);;\
+ FreeBSD) echo "Not yet supported.";;\
+ *) echo "OS not supported.";;\
+ esac
+
+$(LIBSHARED): $(OBJS) $(MAP)
+ $(LD) $(LDFLAGS) $(OBJS) $(LDLIBS) -o $(LIBSHARED)
+
+.c.o:
+ $(CC) $(CFLAGS) -c $*.c
+
+
+clean:
+ $(RM) $(PROJ) *.o
+
+
+
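Review bot: `OBJS = pam_unix.c` names the source file rather than the object, so the `$(LIBSHARED)` rule hands a `.c` file straight to `$(LD)` and the `.c.o` suffix rule below it is never used; it should read `OBJS = pam_unix.o`. The recipe lines in this hunk appear to be indented with a single space; if that is not a rendering artefact, make will reject them, since recipes must start with a tab. Whether `$(CFLAGS)` carries `-fPIC` and `$(LDFLAGS)` `-shared` is not visible here (they come from `Make.defs`), but a PAM module needs both to load. `Makefile~` and `pam_unix.c~` in the same commit are editor backup copies of these files and should be dropped from the tree, with `*~` added to the ignore list.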
diff --git a/modules/pam_unix/Makefile~ b/modules/pam_unix/Makefile~
new file mode 100644
index 0000000..1d449ed
--- /dev/null
+++ b/modules/pam_unix/Makefile~
@@ -0,0 +1,41 @@
+#
+## Copyright (c) 2008 by Seraphim Mellos. See LICENSE.
+#
+
+include ../../Makefile
+TITLE = pam_unix
+PAM_SO_SUFFIX =
+LIBSHARED = $(TITLE).so$(PAM_SO_SUFFIX)
+SHLIBMODE = 755
+MAN8 = $(TITLE).8
+MANMODE = 644
+#SECUREDIR = /lib/security
+#MANDIR = /usr/share/man
+#DESTDIR =
+
+
+
+PROJ = $(LIBSHARED)
+OBJS = pam_unix.c
+
+all:
+ case "`uname -s`" in \
+ Linux) $(MAKE) -I$(INCDIR) CFLAGS="$(CFLAGS) -DHAVE_SHADOW" \
+ -L$(LDDIR) LDFLAGS="$(LDFLAGS)" LDLIBS="$(LDLIBS)" \
+ $(PROJ);;\
+ FreeBSD) echo "Not yet supported.";;\
+ *) echo "OS not supported.";;\
+ esac
+
+$(LIBSHARED): $(OBJS) $(MAP)
+ $(LD) $(LDFLAGS) $(OBJS) $(LDLIBS) -o $(LIBSHARED)
+
+.c.o:
+ $(CC) $(CFLAGS) -c $*.c
+
+
+clean:
+ $(RM) $(PROJ) *.o
+
+
+
diff --git a/modules/pam_unix/pam_unix.c b/modules/pam_unix/pam_unix.c
new file mode 100644
index 0000000..7a8aca3
--- /dev/null
+++ b/modules/pam_unix/pam_unix.c
@@ -0,0 +1,257 @@
+/* #include <pwd.h> */
+#include <netdb.h>
+#include <shadow.h>
+#include <sys/types.h>
+#include <unistd.h>
+
+
+#ifndef MAXHOSTNAMELEN
+# define MAXHOSTNAMELEN 256
+#endif
+
+#define PAM_SM_AUTH
+#define PAM_SM_ACCOUNT
+#define PAM_PASSWORD
+
+#ifndef __linux__
+#include <login_cap.h>
+#endif
+
+
+#include <security/pam_modules.h>
+#include <security/pam_appl.h>
+#include <pam_mod_misc.h>
+
+/*
+ * User authentication
+ */
+
+PAM_EXTERN int
+pam_sm_authenticate(pam_handle_t *pamh, int flags,
+ int argc , const char **argv ) {
+
+#ifndef __linux__
+ login_cap_t *lc;
+#endif
+ struct spwd *pwd;
+ const char *pass, *crypt_pass, *user;
+ int pam_err;
+
+ /* identify user */
+
+ if (openpam_get_option(pamh, PAM_OPT_AUTH_AS_SELF)) {
+ PAM_LOG("Authenticating as self.");
+ pwd = getspnam(getlogin());
+ } else {
+ if ((pam_err = pam_get_user(pamh, &user, NULL)) != PAM_SUCCESS) {
+ PAM_ERROR("Authenticating with uname %s failed.", user);
+ return (pam_err);
+ }
+
+ pwd = getspnam(user);
+ }
+
+ PAM_LOG("Authenticating user: %s", user);
+
+ /* get password */
+
+ if (pwd != NULL) {
+ PAM_LOG("Doing real authentication");
+ pass = pwd->sp_pwdp;
+ if (pass[0] == '\0') {
+ if (!(flags & PAM_DISALLOW_NULL_AUTHTOK) &&
+ openpam_get_option(pamh, PAM_OPT_NULLOK)){
+ PAM_ERROR("Authentication failed. Empty passwd not allowed.");
+ return (PAM_SUCCESS);
+ }
+
+ pass = "*";
+ }
+#ifndef __linux__
+ lc = login_getpwclass(pwd);
+#endif
+ } else {
+ PAM_LOG("Doing dummy authentication.");
+ pass = "*";
+#ifndef __linux__
+ lc = login_getpwclass(NULL);
+#endif
+ }
+
+#ifndef __linux__
+ prompt = login_getcapstr(lc, "passwd_prompt", NULL, NULL);
+ pam_err = pam_get_authtok(pamh, PAM_AUTHTOK, &pass, prompt);
+ login_close(lc);
+#else
+ pam_err = pam_get_authtok(pamh, PAM_AUTHTOK, (const char **) &pass, NULL);
+#endif
+ PAM_LOG("Got password for user %s", user);
+
+ if (pam_err == PAM_CONV_ERR)
+ return (pam_err);
+ if (pam_err != PAM_SUCCESS)
+ return (PAM_AUTH_ERR);
+
+ /* check shadow */
+
+ crypt_pass = crypt(pass, pwd->sp_pwdp);
+ if ( strcmp(crypt_pass, pwd->sp_pwdp) != 0 ) {
+ PAM_ERROR("Wrong password. Authentication failed.");
+ pam_err = PAM_AUTH_ERR;
+ } else {
+ PAM_LOG("Authentication completed succesfully.");
+ pam_err = PAM_SUCCESS;
+ }
+
+ return (pam_err);
+}
+
+PAM_EXTERN int
+pam_sm_setcred(pam_handle_t *pamh , int flags ,
+ int argc , const char *argv[] ) {
+
+ /*
+ * This functions takes care of renewing/initializing
+ * user credentials as well as gid/uids. Someday, it
+ * will be completed. For now, it's not very urgent.
+ */
+
+ return (PAM_SUCCESS);
+}
+
+
+/*
+ * Account Management
+ */
+
+PAM_EXTERN int
+pam_sm_acct_mgmt(pam_handle_t *pamh, int flags ,
+ int argc , const char *argv[] ) {
+
+
+
+#ifndef __linux__
+ login_cap_t *lc;
+#endif
+
+ struct spwd *pwd;
+ int pam_err;
+ const char *user;
+ time_t curtime;
+
+#ifndef __linux__
+ const void *rhost, *tty;
+ char rhostip[MAXHOSTNAMELEN] = "";
+#endif
+
+ /* Sanity checks for uname,pwd,tty,host etc */
+
+ pam_err = pam_get_user(pamh, &user, NULL);
+
+ if (pam_err != PAM_SUCCESS)
+ return (pam_err);
+
+ if (user == NULL || (pwd = getspnam(user)) == NULL)
+ return (PAM_SERVICE_ERR);
+#ifndef __linux__
+
+ /*
+ * tty/host info are provided by login classes
+ * and cannot be used out of the box under Linux
+ * for sanity checking (BSD only). May need to
+ * be ported/rewritten to work on Linux as well.
+ * Time will tell...
+ */
+ pam_err = pam_get_item(pamh, PAM_RHOST, &rhost);
+
+ if (pam_err != PAM_SUCCESS)
+ return (pam_err);
+
+ pam_err = pam_get_item(pamh, PAM_TTY, &tty);
+
+ if (pam_err != PAM_SUCCESS)
+ return (pam_err);
+#endif
+ if (*pwd->sp_pwdp == '\0' &&
+ (flags & PAM_DISALLOW_NULL_AUTHTOK) != 0)
+ return (PAM_NEW_AUTHTOK_REQD);
+
+#ifndef __linux__
+ lc = login_getpwclass(pwd);
+
+ if (lc == NULL) {
+ return (PAM_SERVICE_ERR);
+
+ }
+#endif
+ /* Check if pw_lstchg or pw_expire is set */
+
+ if (pwd->sp_lstchg || pwd->sp_expire)
+ curtime = time(NULL) / (60 * 60 * 24);
+ if (pwd->sp_expire) {
+ if ( (curtime > pwd->sp_expire ) && ( pwd->sp_expire != -1 ) ) {
+#ifndef __linux__
+ login_close(lc);
+#endif
+ return (PAM_ACCT_EXPIRED);
+ } else if ( ( pwd->sp_expire - curtime < pwd->sp_warn) ) {
+// pam_error(pamh, "Warning: your account expires on %s",
+// ctime(&pwd->pw_expire));
+ }
+ }
+
+ if (pwd->sp_lstchg == 0 ) {
+ return (PAM_NEW_AUTHTOK_REQD);
+ }
+
+ /* check all other possibilities (mostly stolen from pam_tcb) */
+
+ if ((curtime > (pwd->sp_lstchg + pwd->sp_max + pwd->sp_inact)) &&
+ (pwd->sp_max != -1) && (pwd->sp_inact != -1) &&
+ (pwd->sp_lstchg != 0))
+ return (PAM_ACCT_EXPIRED);
+
+ if (((pwd->sp_lstchg + pwd->sp_max) < curtime) &&
+ (pwd->sp_max != -1))
+ return (PAM_ACCT_EXPIRED);
+
+ if ((curtime - pwd->sp_lstchg > pwd->sp_max)
+ && (curtime - pwd->sp_lstchg > pwd->sp_inact)
+ && (curtime - pwd->sp_lstchg > pwd->sp_max + pwd->sp_inact)
+ && (pwd->sp_max != -1) && (pwd->sp_inact != -1))
+ return (PAM_ACCT_EXPIRED);
+
+ pam_err = (PAM_SUCCESS);
+
+#ifndef __linux__
+
+ /* validate tty/host/time */
+
+ if (!auth_hostok(lc, rhost, rhostip) ||
+ !auth_ttyok(lc, tty) ||
+ !auth_timeok(lc, time(NULL)))
+ pam_err = PAM_AUTH_ERR;
+
+
+ login_close(lc);
+#endif
+
+ return (pam_err);
+
+}
+
+/*
+ * Password Management
+ */
+
+PAM_EXTERN int
+pam_sm_chautok(pam_handle_t *pamh, int flags,
+ int argc, const char *argv[])
+{
+
+
+
+}
+
+
+PAM_MODULE_ENTRY("pam_unix")
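Review bot: The dummy-authentication branch (after `PAM_LOG("Doing dummy authentication.")`) leaves `pwd` NULL, yet `crypt(pass, pwd->sp_pwdp)` and the `strcmp` against `pwd->sp_pwdp` dereference it unconditionally, so an unknown username crashes the module instead of yielding PAM_AUTH_ERR; `crypt()` can also return NULL for an unusable salt (a locked `*` or `!` entry), which `strcmp` then dereferences — the excerpt below guards both. In the `PAM_OPT_AUTH_AS_SELF` branch `user` is never assigned but is logged three times afterwards (and in the `pam_get_user` failure path it is logged although the call failed), while `getlogin()` may return NULL, which is then passed to `getspnam()`; assign `user = getlogin()` and return `PAM_USER_UNKNOWN` when it is NULL before the lookup. No `<string.h>`, `<time.h>` or `<crypt.h>` is included, so unless `pam_mod_misc.h` pulls them in, `strcmp`, `time` and `crypt` are implicitly declared and `crypt`'s `char *` result is truncated to `int` on 64-bit targets. `pam_sm_chautok` is a non-void function with no `return`, and neither its name nor `#define PAM_PASSWORD` matches the standard `pam_sm_chauthtok` / `PAM_SM_PASSWORD` spelling, so the password service will not be found; return `PAM_SERVICE_ERR` until it is implemented. In `pam_sm_acct_mgmt` the early returns after `lc = login_getpwclass(pwd)` (the `PAM_NEW_AUTHTOK_REQD` return and the three later `PAM_ACCT_EXPIRED` returns) skip `login_close(lc)` on the non-Linux build.
```c
	/* check shadow */

	/*
	 * On the dummy path pwd is NULL: hash against a fixed salt so the
	 * conversation still runs and the result is always PAM_AUTH_ERR.
	 */
	const char *stored = (pwd != NULL) ? pwd->sp_pwdp : "*";
	crypt_pass = crypt(pass, stored);
	if (crypt_pass == NULL || strcmp(crypt_pass, stored) != 0) {
		/* … unchanged: PAM_ERROR and pam_err = PAM_AUTH_ERR … */
	} else {
		/* … unchanged: success branch … */
	}
```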
diff --git a/modules/pam_unix/pam_unix.c~ b/modules/pam_unix/pam_unix.c~
new file mode 100644
index 0000000..c65ec10
--- /dev/null
+++ b/modules/pam_unix/pam_unix.c~
@@ -0,0 +1,257 @@
+/* #include <pwd.h> */
+#include <netdb.h>
+#include <shadow.h>
+#include <sys/types.h>
+#include <unistd.h>
+
+
+#ifndef MAXHOSTNAMELEN
+# define MAXHOSTNAMELEN 256
+#endif
+
+#define PAM_SM_AUTH
+#define PAM_SM_ACCOUNT
+#define PAM_PASSWORD
+
+#ifndef __linux__
+#include <login_cap.h>
+#endif
+
+
+#include <security/pam_modules.h>
+#include <security/pam_appl.h>
+#include <pam_mod_misc.h>
+
+/*
+ * User authentication
+ */
+
+PAM_EXTERN int
+pam_sm_authenticate(pam_handle_t *pamh, int flags,
+ int argc , const char **argv ) {
+
+#ifndef __linux__
+ login_cap_t *lc;
+#endif
+ struct spwd *pwd;
+ const char *pass, *crypt_pass, *user;
+ int pam_err;
+
+ /* identify user */
+
+ if (openpam_get_option(pamh, PAM_OPT_AUTH_AS_SELF)) {
+ PAM_LOG("Authenticating as self.");
+ pwd = getspnam(getlogin());
+ } else {
+ if ((pam_err = pam_get_user(pamh, &user, NULL)) != PAM_SUCCESS) {
+ PAM_ERROR("Authenticating with uname %s failed.", user);
+ return (pam_err);
+ }
+
+ pwd = getspnam(user);
+ }
+
+ PAM_LOG("Authenticating user: %s", user);
+
+ /* get password */
+
+ if (pwd != NULL) {
+ PAM_LOG("Doing real authentication");
+ pass = pwd->sp_pwdp;
+ if (pass[0] == '\0') {
+ if (!(flags & PAM_DISALLOW_NULL_AUTHTOK) &&
+ openpam_get_option(pamh, PAM_OPT_NULLOK)){
+ PAM_ERROR("Authentication failed. Empty passwd not allowed");
+ return (PAM_SUCCESS);
+ }
+
+ pass = "*";
+ }
+#ifndef __linux__
+ lc = login_getpwclass(pwd);
+#endif
+ } else {
+ PAM_LOG("Doing dummy authentication");
+ pass = "*";
+#ifndef __linux__
+ lc = login_getpwclass(NULL);
+#endif
+ }
+
+#ifndef __linux__
+ prompt = login_getcapstr(lc, "passwd_prompt", NULL, NULL);
+ pam_err = pam_get_authtok(pamh, PAM_AUTHTOK, &pass, prompt);
+ login_close(lc);
+#else
+ pam_err = pam_get_authtok(pamh, PAM_AUTHTOK, (const char **) &pass, NULL);
+#endif
+ PAM_LOG("Got password for user %s", user);
+
+ if (pam_err == PAM_CONV_ERR)
+ return (pam_err);
+ if (pam_err != PAM_SUCCESS)
+ return (PAM_AUTH_ERR);
+
+ /* check shadow */
+
+ crypt_pass = crypt(pass, pwd->sp_pwdp);
+ if ( strcmp(crypt_pass, pwd->sp_pwdp) != 0 ) {
+ PAM_ERROR("Wrong password. Authentication failed.");
+ pam_err = PAM_AUTH_ERR;
+ } else {
+ PAM_LOG("Authentication completed succesfully");
+ pam_err = PAM_SUCCESS;
+ }
+
+ return (pam_err);
+}
+
+PAM_EXTERN int
+pam_sm_setcred(pam_handle_t *pamh , int flags ,
+ int argc , const char *argv[] ) {
+
+ /*
+ * This functions takes care of renewing/initializing
+ * user credentials as well as gid/uids. Someday, it
+ * will be completed. For now, it's not very urgent.
+ */
+
+ return (PAM_SUCCESS);
+}
+
+
+/*
+ * Account Management
+ */
+
+PAM_EXTERN int
+pam_sm_acct_mgmt(pam_handle_t *pamh, int flags ,
+ int argc , const char *argv[] ) {
+
+
+
+#ifndef __linux__
+ login_cap_t *lc;
+#endif
+
+ struct spwd *pwd;
+ int pam_err;
+ const char *user;
+ time_t curtime;
+
+#ifndef __linux__
+ const void *rhost, *tty;
+ char rhostip[MAXHOSTNAMELEN] = "";
+#endif
+
+ /* Sanity checks for uname,pwd,tty,host etc */
+
+ pam_err = pam_get_user(pamh, &user, NULL);
+
+ if (pam_err != PAM_SUCCESS)
+ return (pam_err);
+
+ if (user == NULL || (pwd = getspnam(user)) == NULL)
+ return (PAM_SERVICE_ERR);
+#ifndef __linux__
+
+ /*
+ * tty/host info are provided by login classes
+ * and cannot be used out of the box under Linux
+ * for sanity checking (BSD only). May need to
+ * be ported/rewritten to work on Linux as well.
+ * Time will tell...
+ */
+ pam_err = pam_get_item(pamh, PAM_RHOST, &rhost);
+
+ if (pam_err != PAM_SUCCESS)
+ return (pam_err);
+
+ pam_err = pam_get_item(pamh, PAM_TTY, &tty);
+
+ if (pam_err != PAM_SUCCESS)
+ return (pam_err);
+#endif
+ if (*pwd->sp_pwdp == '\0' &&
+ (flags & PAM_DISALLOW_NULL_AUTHTOK) != 0)
+ return (PAM_NEW_AUTHTOK_REQD);
+
+#ifndef __linux__
+ lc = login_getpwclass(pwd);
+
+ if (lc == NULL) {
+ return (PAM_SERVICE_ERR);
+
+ }
+#endif
+ /* Check if pw_lstchg or pw_expire is set */
+
+ if (pwd->sp_lstchg || pwd->sp_expire)
+ curtime = time(NULL) / (60 * 60 * 24);
+ if (pwd->sp_expire) {
+ if ( (curtime > pwd->sp_expire ) && ( pwd->sp_expire != -1 ) ) {
+#ifndef __linux__
+ login_close(lc);
+#endif
+ return (PAM_ACCT_EXPIRED);
+ } else if ( ( pwd->sp_expire - curtime < pwd->sp_warn) ) {
+// pam_error(pamh, "Warning: your account expires on %s",
+// ctime(&pwd->pw_expire));
+ }
+ }
+
+ if (pwd->sp_lstchg == 0 ) {
+ return (PAM_NEW_AUTHTOK_REQD);
+ }
+
+ /* check all other possibilities (mostly stolen from pam_tcb) */
+
+ if ((curtime > (pwd->sp_lstchg + pwd->sp_max + pwd->sp_inact)) &&
+ (pwd->sp_max != -1) && (pwd->sp_inact != -1) &&
+ (pwd->sp_lstchg != 0))
+ return (PAM_ACCT_EXPIRED);
+
+ if (((pwd->sp_lstchg + pwd->sp_max) < curtime) &&
+ (pwd->sp_max != -1))
+ return (PAM_ACCT_EXPIRED);
+
+ if ((curtime - pwd->sp_lstchg > pwd->sp_max)
+ && (curtime - pwd->sp_lstchg > pwd->sp_inact)
+ && (curtime - pwd->sp_lstchg > pwd->sp_max + pwd->sp_inact)
+ && (pwd->sp_max != -1) && (pwd->sp_inact != -1))
+ return (PAM_ACCT_EXPIRED);
+
+ pam_err = (PAM_SUCCESS);
+
+#ifndef __linux__
+
+ /* validate tty/host/time */
+
+ if (!auth_hostok(lc, rhost, rhostip) ||
+ !auth_ttyok(lc, tty) ||
+ !auth_timeok(lc, time(NULL)))
+ pam_err = PAM_AUTH_ERR;
+
+
+ login_close(lc);
+#endif
+
+ return (pam_err);
+
+}
+
+/*
+ * Password Management
+ */
+
+PAM_EXTERN int
+pam_sm_chautok(pam_handle_t *pamh, int flags,
+ int argc, const char *argv[])
+{
+
+
+
+}
+
+
+PAM_MODULE_ENTRY("pam_unix")
diff --git a/modules/pam_wheel/pam_wheel.c b/modules/pam_wheel/pam_wheel.c
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/modules/pam_wheel/pam_wheel.c