diff options
| author | Lennart Poettering <lennart@poettering.net> | 2003-07-31 12:40:54 +0000 |
|---|---|---|
| committer | Lennart Poettering <lennart@poettering.net> | 2003-07-31 12:40:54 +0000 |
| commit | d3ea4ac5edbb0b19e79556447299ca4f21fa5a25 (patch) | |
| tree | efba452826adef82c1f1ccda48c8ca4c9cd4a7d7 /src | |
Moved everything to trunk
git-svn-id: file:///home/lennart/svn/public/pam_dotfile/trunk@13 5391d09e-f7c1-0310-8aa1-84a1c93f5a38
Diffstat (limited to 'src')
| -rw-r--r-- | src/Makefile.am | 41 | ||||
| -rw-r--r-- | src/common.c | 220 | ||||
| -rw-r--r-- | src/common.h | 43 | ||||
| -rw-r--r-- | src/log.c | 48 | ||||
| -rw-r--r-- | src/log.h | 30 | ||||
| -rw-r--r-- | src/md5.c | 381 | ||||
| -rw-r--r-- | src/md5.h | 91 | ||||
| -rw-r--r-- | src/md5util.c | 45 | ||||
| -rw-r--r-- | src/md5util.h | 31 | ||||
| -rw-r--r-- | src/pam-dotfile-gen.c | 280 | ||||
| -rw-r--r-- | src/pam-dotfile-helper.c | 117 | ||||
| -rw-r--r-- | src/pam_dotfile.c | 321 | ||||
| -rw-r--r-- | src/pamtest.c | 66 |
13 files changed, 1714 insertions, 0 deletions
diff --git a/src/Makefile.am b/src/Makefile.am new file mode 100644 index 0000000..2905b7c --- /dev/null +++ b/src/Makefile.am @@ -0,0 +1,41 @@ +# $Id$ +# +# This file is part of pam_dotfile. +# +# pam_dotfile is free software; you can redistribute it and/or modify it +# under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 2 of the License, or +# (at your option) any later version. +# +# pam_dotfile is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with pam_dotfile; if not, write to the Free Software Foundation, +# Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA. + +AM_CFLAGS = -DSBINDIR=\"@sbindir@\" + +moduledir = @PAM_MODDIR@ +module_LTLIBRARIES = pam_dotfile.la + +pam_dotfile_la_SOURCES = pam_dotfile.c md5.c md5util.c md5.h md5util.h log.c log.h common.c common.h +pam_dotfile_la_LDFLAGS = -module -avoid-version +pam_dotfile_la_CFLAGS = $(AM_CFLAGS) + +sbin_PROGRAMS = pam-dotfile-helper +bin_PROGRAMS = pam-dotfile-gen pamtest + +pam_dotfile_gen_SOURCES = pam-dotfile-gen.c md5.c md5.h md5util.c md5util.h +pam_dotfile_gen_CFLAGS = $(AM_CFLAGS) + +pam_dotfile_helper_SOURCES = pam-dotfile-helper.c md5.c md5.h md5util.c md5util.h common.c common.h log.c log.h +pam_dotfile_helper_CFLAGS = $(AM_CFLAGS) + +pamtest_SOURCES = pamtest.c + +install-exec-hook: + chown root $(DESTDIR)$(sbindir)/pam-dotfile-helper + chmod u+s $(DESTDIR)$(sbindir)/pam-dotfile-helper diff --git a/src/common.c b/src/common.c new file mode 100644 index 0000000..da575fe --- /dev/null +++ b/src/common.c @@ -0,0 +1,220 @@ +/*** + This file is part of pam_dotfile. + + pam_dotfile is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + pam_dotfile is distributed in the hope that it will be useful, but + WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + General Public License for more details. + + You should have received a copy of the GNU General Public License + along with pam_dotfile; if not, write to the Free Software + Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 + USA +***/ + +#include <stdio.h> +#include <limits.h> +#include <errno.h> +#include <string.h> +#include <sys/stat.h> +#include <pwd.h> + +#include "common.h" +#include "md5.h" +#include "md5util.h" +#include "log.h" + +static int _md5_compare(context_t *c, const char *password, const char *ln) { + md5_state_t st; + static md5_byte_t digest[16]; + static char t[33]; +#ifdef COMPAT05 + int olddigest = 0; +#endif + + if (ln[0] == '+') + ln++; + else { +#ifdef COMPAT05 + if (!c->opt_nocompat05) + olddigest = 1; + else { +#endif + logmsg(c, LOG_WARNING, "Authentication failure: pam_dotfile configured whithout compatibility for <= 0.5, but used with <= 0.5 authentication data"); + return PAM_AUTH_ERR; +#ifdef COMPAT05 + } +#endif + } + + if (strlen(ln) != 64) { + logmsg(c, LOG_WARNING, "Authentication failure: broken MD5 digest"); + return PAM_AUTH_ERR; + } + + md5_init(&st); + md5_append(&st, ln, 32); + md5_append(&st, password, strlen(password)); + md5_finish(&st, digest); + +#ifdef COMPAT05 + if (olddigest) + fhex_broken_md5(digest, t); + else +#endif + fhex_md5(digest, t); + + t[32] = 0; + + return strcmp(ln+32, t) ? PAM_AUTH_ERR : PAM_SUCCESS; +} + +static int _check_parent_dirs(const char *base, const char *fn) { + static char p[PATH_MAX]; + static struct stat st; + int size_base; + int retval; + + size_base = snprintf(p, sizeof(p) - 1, "%s", base); + if (size_base >= (sizeof(p) - 1)) + return -1; + + retval = snprintf(&(p[size_base]), sizeof(p) - size_base, "%s", fn); + if (retval >= (sizeof(p) - size_base)) + return -1; + + + for (;;) { + char *slash = strrchr(p, '/'); + + if (slash == p || !slash) + return 0; + + if (slash < &(p[size_base])) + return 0; + + + *slash = 0; + + if (lstat(p, &st) < 0) + return -1; + + if (st.st_mode & 022) + return -1; + } +} + +int user_authentication(context_t *c, const char *username, const char *password) { + struct passwd *pw; + FILE *f; + static char fn[PATH_MAX]; + static char pam_fn[PATH_MAX]; + static struct stat st; + int ret; + + if (!(pw = getpwnam(username))) { + logmsg(c, LOG_WARNING, "Authentication failure: user <%s> not found", username); + return PAM_USER_UNKNOWN; + } + + if (!c->opt_rootok && pw->pw_uid == 0) { + logmsg(c, LOG_WARNING, "Authentication failure: access denied for root"); + return PAM_AUTH_ERR; + } + + logmsg(c, LOG_DEBUG, "Searching file for service %s", c->service); + + snprintf(fn, sizeof(fn), "%s/.pam-%s", pw->pw_dir, c->service); + snprintf(pam_fn, sizeof(fn), "/.pam-%s", c->service); + if (!(f = fopen(fn, "r")) && errno == ENOENT) { + snprintf(fn, sizeof(fn), "%s/.pam/%s", pw->pw_dir, c->service); + snprintf(pam_fn, sizeof(fn), "/.pam/%s", c->service); + if (!(f = fopen(fn, "r")) && errno == ENOENT) { + snprintf(fn, sizeof(fn), "%s/.pam-other", pw->pw_dir); + snprintf(pam_fn, sizeof(fn), "/.pam-other"); + if (!(f = fopen(fn, "r")) && errno == ENOENT) { + snprintf(fn, sizeof(fn), "%s/.pam/other", pw->pw_dir); + snprintf(pam_fn, sizeof(fn), "/.pam/other"); + if (!(f = fopen(fn, "r")) && errno == ENOENT) { + logmsg(c, LOG_WARNING, "Authentication failure: no .pam file in home directory of <%s> existent", username); + return PAM_AUTHINFO_UNAVAIL; + } + } + } + } + + if (!f) { + logmsg(c, LOG_WARNING, "Authentication failure: could not open .pam file in home directory of <%s>", username); + return PAM_AUTH_ERR; + } + + if (lstat(fn, &st) < 0) { + logmsg(c, LOG_ERR, "Could not lstat() file %s: %s", fn, strerror(errno)); + fclose(f); + return PAM_AUTH_ERR; + } + + if (!S_ISREG(st.st_mode)) { + logmsg(c, LOG_ERR, "%s ist not a regular file: %s", fn, strerror(errno)); + fclose(f); + return PAM_AUTH_ERR; + } + + if (fstat(fileno(f), &st) < 0) { + logmsg(c, LOG_ERR, "Could not fstat() file %s: %s", fn, strerror(errno)); + fclose(f); + return PAM_AUTH_ERR; + } + + if (st.st_mode & 0077) { + logmsg(c, LOG_WARNING, "Authentication failure: bad access mode of file %s: %04o, correct is 0600\n", fn, st.st_mode & 07777); + fclose(f); + return PAM_AUTH_ERR; + } + + if (st.st_uid != pw->pw_uid) { + logmsg(c, LOG_WARNING, "Authentication failure: bad owner of file %s: %u, correct is %u\n", fn, st.st_uid, pw->pw_uid); + fclose(f); + return PAM_AUTH_ERR; + } + + if ((c->opt_stat_only_home ? _check_parent_dirs(pw->pw_dir, pam_fn) : _check_parent_dirs("", fn)) < 0) { + logmsg(c, LOG_ERR, "Parent directories of %s must not be group or world writable", fn); + fclose(f); + return PAM_AUTH_ERR; + } + + ret = PAM_AUTH_ERR; + while (!feof(f)) { + static char ln[100]; + int n; + + if (!fgets(ln, sizeof(ln), f)) + break; + + if (ln[0] == 0 || ln[0] == '\n' || ln[0] == '#') + continue; + + if (ln[(n = strlen(ln))-1] == '\n') + ln[n-1] = 0; + + if (!_md5_compare(c, password, ln)) { + ret = PAM_SUCCESS; + break; + } + } + + fclose(f); + + if (ret == PAM_SUCCESS) + logmsg(c, LOG_INFO, "Authentication successful for user <%s>", username); + else + logmsg(c, LOG_WARNING, "Authentication failure: bad password for user <%s>", username); + + return ret; +} diff --git a/src/common.h b/src/common.h new file mode 100644 index 0000000..ef34cf3 --- /dev/null +++ b/src/common.h @@ -0,0 +1,43 @@ +#ifndef foocommonhfoo +#define foocommonhfoo + +/*** + This file is part of pam_dotfile. + + pam_dotfile is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + pam_dotfile is distributed in the hope that it will be useful, but + WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + General Public License for more details. + + You should have received a copy of the GNU General Public License + along with pam_dotfile; if not, write to the Free Software + Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 + USA +***/ + +#include <security/pam_modules.h> +#include <security/_pam_macros.h> + +typedef struct context { + int opt_debug; + int opt_use_first_pass; + int opt_try_first_pass; + int opt_rootok; + int opt_nullok; + int opt_fork; // 0: auto; 1: fork; -1: nofork; + int opt_no_warn; + int opt_stat_only_home; +#ifdef COMPAT05 + int opt_nocompat05; +#endif + const char *service; +} context_t; + +int user_authentication(context_t *c, const char *username, const char *password); + +#endif diff --git a/src/log.c b/src/log.c new file mode 100644 index 0000000..6edcf06 --- /dev/null +++ b/src/log.c @@ -0,0 +1,48 @@ +/*** + This file is part of pam_dotfile. + + pam_dotfile is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + pam_dotfile is distributed in the hope that it will be useful, but + WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + General Public License for more details. + + You should have received a copy of the GNU General Public License + along with pam_dotfile; if not, write to the Free Software + Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 + USA +***/ + +#include <syslog.h> +#include <stdarg.h> +#include <stdio.h> + +#include "log.h" + +void logmsg(context_t *c, int level, char *format, ...) { + va_list ap; + va_start(ap, format); + +// vfprintf(stderr, format, ap); +// fprintf(stderr, "\n"); + + if (c->opt_debug || (level != LOG_DEBUG && level != LOG_WARNING) || (level == LOG_WARNING && !c->opt_no_warn)) { + static char ln[256]; + char *p; + + if (c->service) + snprintf(p = ln, sizeof(ln), "%s(pam_dotfile)", c->service); + else + p = "pam_dotfile"; + + openlog(p, LOG_PID, LOG_AUTHPRIV); + vsyslog(level, format, ap); + closelog(); + } + + va_end(ap); +} diff --git a/src/log.h b/src/log.h new file mode 100644 index 0000000..b695b64 --- /dev/null +++ b/src/log.h @@ -0,0 +1,30 @@ +#ifndef foologhfoo +#define foologhfoo + +/*** + This file is part of pam_dotfile. + + pam_dotfile is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + pam_dotfile is distributed in the hope that it will be useful, but + WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + General Public License for more details. + + You should have received a copy of the GNU General Public License + along with pam_dotfile; if not, write to the Free Software + Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 + USA +***/ + +#include <syslog.h> +#include "common.h" + +void logmsg(context_t *c, int level, char *format, ...); + +#endif + + diff --git a/src/md5.c b/src/md5.c new file mode 100644 index 0000000..2c9c2fc --- /dev/null +++ b/src/md5.c @@ -0,0 +1,381 @@ +/* + Copyright (C) 1999, 2000, 2002 Aladdin Enterprises. All rights reserved. + + This software is provided 'as-is', without any express or implied + warranty. In no event will the authors be held liable for any damages + arising from the use of this software. + + Permission is granted to anyone to use this software for any purpose, + including commercial applications, and to alter it and redistribute it + freely, subject to the following restrictions: + + 1. The origin of this software must not be misrepresented; you must not + claim that you wrote the original software. If you use this software + in a product, an acknowledgment in the product documentation would be + appreciated but is not required. + 2. Altered source versions must be plainly marked as such, and must not be + misrepresented as being the original software. + 3. This notice may not be removed or altered from any source distribution. + + L. Peter Deutsch + ghost@aladdin.com + + */ +/* $Id$ */ +/* + Independent implementation of MD5 (RFC 1321). + + This code implements the MD5 Algorithm defined in RFC 1321, whose + text is available at + http://www.ietf.org/rfc/rfc1321.txt + The code is derived from the text of the RFC, including the test suite + (section A.5) but excluding the rest of Appendix A. It does not include + any code or documentation that is identified in the RFC as being + copyrighted. + + The original and principal author of md5.c is L. Peter Deutsch + <ghost@aladdin.com>. Other authors are noted in the change history + that follows (in reverse chronological order): + + 2002-04-13 lpd Clarified derivation from RFC 1321; now handles byte order + either statically or dynamically; added missing #include <string.h> + in library. + 2002-03-11 lpd Corrected argument list for main(), and added int return + type, in test program and T value program. + 2002-02-21 lpd Added missing #include <stdio.h> in test program. + 2000-07-03 lpd Patched to eliminate warnings about "constant is + unsigned in ANSI C, signed in traditional"; made test program + self-checking. + 1999-11-04 lpd Edited comments slightly for automatic TOC extraction. + 1999-10-18 lpd Fixed typo in header comment (ansi2knr rather than md5). + 1999-05-03 lpd Original version. + */ + +#include "md5.h" +#include <string.h> + +#undef BYTE_ORDER /* 1 = big-endian, -1 = little-endian, 0 = unknown */ +#ifdef ARCH_IS_BIG_ENDIAN +# define BYTE_ORDER (ARCH_IS_BIG_ENDIAN ? 1 : -1) +#else +# define BYTE_ORDER 0 +#endif + +#define T_MASK ((md5_word_t)~0) +#define T1 /* 0xd76aa478 */ (T_MASK ^ 0x28955b87) +#define T2 /* 0xe8c7b756 */ (T_MASK ^ 0x173848a9) +#define T3 0x242070db +#define T4 /* 0xc1bdceee */ (T_MASK ^ 0x3e423111) +#define T5 /* 0xf57c0faf */ (T_MASK ^ 0x0a83f050) +#define T6 0x4787c62a +#define T7 /* 0xa8304613 */ (T_MASK ^ 0x57cfb9ec) +#define T8 /* 0xfd469501 */ (T_MASK ^ 0x02b96afe) +#define T9 0x698098d8 +#define T10 /* 0x8b44f7af */ (T_MASK ^ 0x74bb0850) +#define T11 /* 0xffff5bb1 */ (T_MASK ^ 0x0000a44e) +#define T12 /* 0x895cd7be */ (T_MASK ^ 0x76a32841) +#define T13 0x6b901122 +#define T14 /* 0xfd987193 */ (T_MASK ^ 0x02678e6c) +#define T15 /* 0xa679438e */ (T_MASK ^ 0x5986bc71) +#define T16 0x49b40821 +#define T17 /* 0xf61e2562 */ (T_MASK ^ 0x09e1da9d) +#define T18 /* 0xc040b340 */ (T_MASK ^ 0x3fbf4cbf) +#define T19 0x265e5a51 +#define T20 /* 0xe9b6c7aa */ (T_MASK ^ 0x16493855) +#define T21 /* 0xd62f105d */ (T_MASK ^ 0x29d0efa2) +#define T22 0x02441453 +#define T23 /* 0xd8a1e681 */ (T_MASK ^ 0x275e197e) +#define T24 /* 0xe7d3fbc8 */ (T_MASK ^ 0x182c0437) +#define T25 0x21e1cde6 +#define T26 /* 0xc33707d6 */ (T_MASK ^ 0x3cc8f829) +#define T27 /* 0xf4d50d87 */ (T_MASK ^ 0x0b2af278) +#define T28 0x455a14ed +#define T29 /* 0xa9e3e905 */ (T_MASK ^ 0x561c16fa) +#define T30 /* 0xfcefa3f8 */ (T_MASK ^ 0x03105c07) +#define T31 0x676f02d9 +#define T32 /* 0x8d2a4c8a */ (T_MASK ^ 0x72d5b375) +#define T33 /* 0xfffa3942 */ (T_MASK ^ 0x0005c6bd) +#define T34 /* 0x8771f681 */ (T_MASK ^ 0x788e097e) +#define T35 0x6d9d6122 +#define T36 /* 0xfde5380c */ (T_MASK ^ 0x021ac7f3) +#define T37 /* 0xa4beea44 */ (T_MASK ^ 0x5b4115bb) +#define T38 0x4bdecfa9 +#define T39 /* 0xf6bb4b60 */ (T_MASK ^ 0x0944b49f) +#define T40 /* 0xbebfbc70 */ (T_MASK ^ 0x4140438f) +#define T41 0x289b7ec6 +#define T42 /* 0xeaa127fa */ (T_MASK ^ 0x155ed805) +#define T43 /* 0xd4ef3085 */ (T_MASK ^ 0x2b10cf7a) +#define T44 0x04881d05 +#define T45 /* 0xd9d4d039 */ (T_MASK ^ 0x262b2fc6) +#define T46 /* 0xe6db99e5 */ (T_MASK ^ 0x1924661a) +#define T47 0x1fa27cf8 +#define T48 /* 0xc4ac5665 */ (T_MASK ^ 0x3b53a99a) +#define T49 /* 0xf4292244 */ (T_MASK ^ 0x0bd6ddbb) +#define T50 0x432aff97 +#define T51 /* 0xab9423a7 */ (T_MASK ^ 0x546bdc58) +#define T52 /* 0xfc93a039 */ (T_MASK ^ 0x036c5fc6) +#define T53 0x655b59c3 +#define T54 /* 0x8f0ccc92 */ (T_MASK ^ 0x70f3336d) +#define T55 /* 0xffeff47d */ (T_MASK ^ 0x00100b82) +#define T56 /* 0x85845dd1 */ (T_MASK ^ 0x7a7ba22e) +#define T57 0x6fa87e4f +#define T58 /* 0xfe2ce6e0 */ (T_MASK ^ 0x01d3191f) +#define T59 /* 0xa3014314 */ (T_MASK ^ 0x5cfebceb) +#define T60 0x4e0811a1 +#define T61 /* 0xf7537e82 */ (T_MASK ^ 0x08ac817d) +#define T62 /* 0xbd3af235 */ (T_MASK ^ 0x42c50dca) +#define T63 0x2ad7d2bb +#define T64 /* 0xeb86d391 */ (T_MASK ^ 0x14792c6e) + + +static void +md5_process(md5_state_t *pms, const md5_byte_t *data /*[64]*/) +{ + md5_word_t + a = pms->abcd[0], b = pms->abcd[1], + c = pms->abcd[2], d = pms->abcd[3]; + md5_word_t t; +#if BYTE_ORDER > 0 + /* Define storage only for big-endian CPUs. */ + md5_word_t X[16]; +#else + /* Define storage for little-endian or both types of CPUs. */ + md5_word_t xbuf[16]; + const md5_word_t *X; +#endif + + { +#if BYTE_ORDER == 0 + /* + * Determine dynamically whether this is a big-endian or + * little-endian machine, since we can use a more efficient + * algorithm on the latter. + */ + static const int w = 1; + + if (*((const md5_byte_t *)&w)) /* dynamic little-endian */ +#endif +#if BYTE_ORDER <= 0 /* little-endian */ + { + /* + * On little-endian machines, we can process properly aligned + * data without copying it. + */ + if (!((data - (const md5_byte_t *)0) & 3)) { + /* data are properly aligned */ + X = (const md5_word_t *)data; + } else { + /* not aligned */ + memcpy(xbuf, data, 64); + X = xbuf; + } + } +#endif +#if BYTE_ORDER == 0 + else /* dynamic big-endian */ +#endif +#if BYTE_ORDER >= 0 /* big-endian */ + { + /* + * On big-endian machines, we must arrange the bytes in the + * right order. + */ + const md5_byte_t *xp = data; + int i; + +# if BYTE_ORDER == 0 + X = xbuf; /* (dynamic only) */ +# else +# define xbuf X /* (static only) */ +# endif + for (i = 0; i < 16; ++i, xp += 4) + xbuf[i] = xp[0] + (xp[1] << 8) + (xp[2] << 16) + (xp[3] << 24); + } +#endif + } + +#define ROTATE_LEFT(x, n) (((x) << (n)) | ((x) >> (32 - (n)))) + + /* Round 1. */ + /* Let [abcd k s i] denote the operation + a = b + ((a + F(b,c,d) + X[k] + T[i]) <<< s). */ +#define F(x, y, z) (((x) & (y)) | (~(x) & (z))) +#define SET(a, b, c, d, k, s, Ti)\ + t = a + F(b,c,d) + X[k] + Ti;\ + a = ROTATE_LEFT(t, s) + b + /* Do the following 16 operations. */ + SET(a, b, c, d, 0, 7, T1); + SET(d, a, b, c, 1, 12, T2); + SET(c, d, a, b, 2, 17, T3); + SET(b, c, d, a, 3, 22, T4); + SET(a, b, c, d, 4, 7, T5); + SET(d, a, b, c, 5, 12, T6); + SET(c, d, a, b, 6, 17, T7); + SET(b, c, d, a, 7, 22, T8); + SET(a, b, c, d, 8, 7, T9); + SET(d, a, b, c, 9, 12, T10); + SET(c, d, a, b, 10, 17, T11); + SET(b, c, d, a, 11, 22, T12); + SET(a, b, c, d, 12, 7, T13); + SET(d, a, b, c, 13, 12, T14); + SET(c, d, a, b, 14, 17, T15); + SET(b, c, d, a, 15, 22, T16); +#undef SET + + /* Round 2. */ + /* Let [abcd k s i] denote the operation + a = b + ((a + G(b,c,d) + X[k] + T[i]) <<< s). */ +#define G(x, y, z) (((x) & (z)) | ((y) & ~(z))) +#define SET(a, b, c, d, k, s, Ti)\ + t = a + G(b,c,d) + X[k] + Ti;\ + a = ROTATE_LEFT(t, s) + b + /* Do the following 16 operations. */ + SET(a, b, c, d, 1, 5, T17); + SET(d, a, b, c, 6, 9, T18); + SET(c, d, a, b, 11, 14, T19); + SET(b, c, d, a, 0, 20, T20); + SET(a, b, c, d, 5, 5, T21); + SET(d, a, b, c, 10, 9, T22); + SET(c, d, a, b, 15, 14, T23); + SET(b, c, d, a, 4, 20, T24); + SET(a, b, c, d, 9, 5, T25); + SET(d, a, b, c, 14, 9, T26); + SET(c, d, a, b, 3, 14, T27); + SET(b, c, d, a, 8, 20, T28); + SET(a, b, c, d, 13, 5, T29); + SET(d, a, b, c, 2, 9, T30); + SET(c, d, a, b, 7, 14, T31); + SET(b, c, d, a, 12, 20, T32); +#undef SET + + /* Round 3. */ + /* Let [abcd k s t] denote the operation + a = b + ((a + H(b,c,d) + X[k] + T[i]) <<< s). */ +#define H(x, y, z) ((x) ^ (y) ^ (z)) +#define SET(a, b, c, d, k, s, Ti)\ + t = a + H(b,c,d) + X[k] + Ti;\ + a = ROTATE_LEFT(t, s) + b + /* Do the following 16 operations. */ + SET(a, b, c, d, 5, 4, T33); + SET(d, a, b, c, 8, 11, T34); + SET(c, d, a, b, 11, 16, T35); + SET(b, c, d, a, 14, 23, T36); + SET(a, b, c, d, 1, 4, T37); + SET(d, a, b, c, 4, 11, T38); + SET(c, d, a, b, 7, 16, T39); + SET(b, c, d, a, 10, 23, T40); + SET(a, b, c, d, 13, 4, T41); + SET(d, a, b, c, 0, 11, T42); + SET(c, d, a, b, 3, 16, T43); + SET(b, c, d, a, 6, 23, T44); + SET(a, b, c, d, 9, 4, T45); + SET(d, a, b, c, 12, 11, T46); + SET(c, d, a, b, 15, 16, T47); + SET(b, c, d, a, 2, 23, T48); +#undef SET + + /* Round 4. */ + /* Let [abcd k s t] denote the operation + a = b + ((a + I(b,c,d) + X[k] + T[i]) <<< s). */ +#define I(x, y, z) ((y) ^ ((x) | ~(z))) +#define SET(a, b, c, d, k, s, Ti)\ + t = a + I(b,c,d) + X[k] + Ti;\ + a = ROTATE_LEFT(t, s) + b + /* Do the following 16 operations. */ + SET(a, b, c, d, 0, 6, T49); + SET(d, a, b, c, 7, 10, T50); + SET(c, d, a, b, 14, 15, T51); + SET(b, c, d, a, 5, 21, T52); + SET(a, b, c, d, 12, 6, T53); + SET(d, a, b, c, 3, 10, T54); + SET(c, d, a, b, 10, 15, T55); + SET(b, c, d, a, 1, 21, T56); + SET(a, b, c, d, 8, 6, T57); + SET(d, a, b, c, 15, 10, T58); + SET(c, d, a, b, 6, 15, T59); + SET(b, c, d, a, 13, 21, T60); + SET(a, b, c, d, 4, 6, T61); + SET(d, a, b, c, 11, 10, T62); + SET(c, d, a, b, 2, 15, T63); + SET(b, c, d, a, 9, 21, T64); +#undef SET + + /* Then perform the following additions. (That is increment each + of the four registers by the value it had before this block + was started.) */ + pms->abcd[0] += a; + pms->abcd[1] += b; + pms->abcd[2] += c; + pms->abcd[3] += d; +} + +void +md5_init(md5_state_t *pms) +{ + pms->count[0] = pms->count[1] = 0; + pms->abcd[0] = 0x67452301; + pms->abcd[1] = /*0xefcdab89*/ T_MASK ^ 0x10325476; + pms->abcd[2] = /*0x98badcfe*/ T_MASK ^ 0x67452301; + pms->abcd[3] = 0x10325476; +} + +void +md5_append(md5_state_t *pms, const md5_byte_t *data, int nbytes) +{ + const md5_byte_t *p = data; + int left = nbytes; + int offset = (pms->count[0] >> 3) & 63; + md5_word_t nbits = (md5_word_t)(nbytes << 3); + + if (nbytes <= 0) + return; + + /* Update the message length. */ + pms->count[1] += nbytes >> 29; + pms->count[0] += nbits; + if (pms->count[0] < nbits) + pms->count[1]++; + + /* Process an initial partial block. */ + if (offset) { + int copy = (offset + nbytes > 64 ? 64 - offset : nbytes); + + memcpy(pms->buf + offset, p, copy); + if (offset + copy < 64) + return; + p += copy; + left -= copy; + md5_process(pms, pms->buf); + } + + /* Process full blocks. */ + for (; left >= 64; p += 64, left -= 64) + md5_process(pms, p); + + /* Process a final partial block. */ + if (left) + memcpy(pms->buf, p, left); +} + +void +md5_finish(md5_state_t *pms, md5_byte_t digest[16]) +{ + static const md5_byte_t pad[64] = { + 0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, + 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, + 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, + 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 + }; + md5_byte_t data[8]; + int i; + + /* Save the length before padding. */ + for (i = 0; i < 8; ++i) + data[i] = (md5_byte_t)(pms->count[i >> 2] >> ((i & 3) << 3)); + /* Pad to 56 bytes mod 64. */ + md5_append(pms, pad, ((55 - (pms->count[0] >> 3)) & 63) + 1); + /* Append the length. */ + md5_append(pms, data, 8); + for (i = 0; i < 16; ++i) + digest[i] = (md5_byte_t)(pms->abcd[i >> 2] >> ((i & 3) << 3)); +} diff --git a/src/md5.h b/src/md5.h new file mode 100644 index 0000000..5eb6d6c --- /dev/null +++ b/src/md5.h @@ -0,0 +1,91 @@ +/* + Copyright (C) 1999, 2002 Aladdin Enterprises. All rights reserved. + + This software is provided 'as-is', without any express or implied + warranty. In no event will the authors be held liable for any damages + arising from the use of this software. + + Permission is granted to anyone to use this software for any purpose, + including commercial applications, and to alter it and redistribute it + freely, subject to the following restrictions: + + 1. The origin of this software must not be misrepresented; you must not + claim that you wrote the original software. If you use this software + in a product, an acknowledgment in the product documentation would be + appreciated but is not required. + 2. Altered source versions must be plainly marked as such, and must not be + misrepresented as being the original software. + 3. This notice may not be removed or altered from any source distribution. + + L. Peter Deutsch + ghost@aladdin.com + + */ +/* $Id$ */ +/* + Independent implementation of MD5 (RFC 1321). + + This code implements the MD5 Algorithm defined in RFC 1321, whose + text is available at + http://www.ietf.org/rfc/rfc1321.txt + The code is derived from the text of the RFC, including the test suite + (section A.5) but excluding the rest of Appendix A. It does not include + any code or documentation that is identified in the RFC as being + copyrighted. + + The original and principal author of md5.h is L. Peter Deutsch + <ghost@aladdin.com>. Other authors are noted in the change history + that follows (in reverse chronological order): + + 2002-04-13 lpd Removed support for non-ANSI compilers; removed + references to Ghostscript; clarified derivation from RFC 1321; + now handles byte order either statically or dynamically. + 1999-11-04 lpd Edited comments slightly for automatic TOC extraction. + 1999-10-18 lpd Fixed typo in header comment (ansi2knr rather than md5); + added conditionalization for C++ compilation from Martin + Purschke <purschke@bnl.gov>. + 1999-05-03 lpd Original version. + */ + +#ifndef md5_INCLUDED +# define md5_INCLUDED + +/* + * This package supports both compile-time and run-time determination of CPU + * byte order. If ARCH_IS_BIG_ENDIAN is defined as 0, the code will be + * compiled to run only on little-endian CPUs; if ARCH_IS_BIG_ENDIAN is + * defined as non-zero, the code will be compiled to run only on big-endian + * CPUs; if ARCH_IS_BIG_ENDIAN is not defined, the code will be compiled to + * run on either big- or little-endian CPUs, but will run slightly less + * efficiently on either one than if ARCH_IS_BIG_ENDIAN is defined. + */ + +typedef unsigned char md5_byte_t; /* 8-bit byte */ +typedef unsigned int md5_word_t; /* 32-bit word */ + +/* Define the state of the MD5 Algorithm. */ +typedef struct md5_state_s { + md5_word_t count[2]; /* message length in bits, lsw first */ + md5_word_t abcd[4]; /* digest buffer */ + md5_byte_t buf[64]; /* accumulate block */ +} md5_state_t; + +#ifdef __cplusplus +extern "C" +{ +#endif + +/* Initialize the algorithm. */ +void md5_init(md5_state_t *pms); + +/* Append a string to the message. */ +void md5_append(md5_state_t *pms, const md5_byte_t *data, int nbytes); + +/* Finish the message and return the digest. */ +void md5_finish(md5_state_t *pms, md5_byte_t digest[16]); + +#ifdef __cplusplus +} /* end extern "C" */ +#endif + +#endif /* md5_INCLUDED */ diff --git a/src/md5util.c b/src/md5util.c new file mode 100644 index 0000000..ec416be --- /dev/null +++ b/src/md5util.c @@ -0,0 +1,45 @@ +/*** + This file is part of pam_dotfile. + + pam_dotfile is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + pam_dotfile is distributed in the hope that it will be useful, but + WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + General Public License for more details. + + You should have received a copy of the GNU General Public License + along with pam_dotfile; if not, write to the Free Software + Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 + USA +***/ + +#include "md5util.h" + + +#ifdef COMPAT05 + +void fhex_broken(unsigned char *bin, int len, char *txt) { + const static char hex[] = "01234567890abcdef"; + int i; + + for (i = 0; i < len; i++) { + txt[i*2] = hex[bin[i]>>4]; + txt[i*2+1] = hex[bin[i]&0xF]; + } +} + +#endif + +void fhex(unsigned char *bin, int len, char *txt) { + const static char hex[] = "0123456789abcdef"; + int i; + + for (i = 0; i < len; i++) { + txt[i*2] = hex[bin[i]>>4]; + txt[i*2+1] = hex[bin[i]&0xF]; + } +} diff --git a/src/md5util.h b/src/md5util.h new file mode 100644 index 0000000..da6f538 --- /dev/null +++ b/src/md5util.h @@ -0,0 +1,31 @@ +#ifndef foomd5utilhfoo +#define foomd5utilhfoo + +/*** + This file is part of pam_dotfile. + + pam_dotfile is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + pam_dotfile is distributed in the hope that it will be useful, but + WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + General Public License for more details. + + You should have received a copy of the GNU General Public License + along with pam_dotfile; if not, write to the Free Software + Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 + USA +***/ + +void fhex(unsigned char *bin, int len, char *txt); +#define fhex_md5(bin,txt) fhex((bin),16,(txt)) + +#ifdef COMPAT05 +void fhex_broken(unsigned char *bin, int len, char *txt); +#define fhex_broken_md5(bin,txt) fhex_broken((bin),16,(txt)) +#endif + +#endif diff --git a/src/pam-dotfile-gen.c b/src/pam-dotfile-gen.c new file mode 100644 index 0000000..0d10ec3 --- /dev/null +++ b/src/pam-dotfile-gen.c @@ -0,0 +1,280 @@ +/*** + This file is part of pam_dotfile. + + pam_dotfile is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + pam_dotfile is distributed in the hope that it will be useful, but + WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + General Public License for more details. + + You should have received a copy of the GNU General Public License + along with pam_dotfile; if not, write to the Free Software + Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 + USA +***/ + +#include <string.h> +#include <stdio.h> +#include <stdlib.h> +#include <time.h> +#include <unistd.h> +#include <limits.h> +#include <errno.h> +#include <string.h> +#include <termios.h> +#include <sys/types.h> +#include <sys/stat.h> + +#include "md5.h" +#include "md5util.h" + +#ifdef COMPAT05 +int compat = 0; +#endif + +static void _random(char *r, int l) { + FILE *f; + int b = 0; + + if ((f = fopen("/dev/urandom", "r"))) { + if (fread(r, l, 1, f) == 1) + b = 1; + fclose(f); + } + + if (!b) { + int i; + fprintf(stderr, "WARNING: Could not read /dev/urandom, generating pseudo randomness.\n"); + + for (i = 0; i < l; i++) + r[i] = (unsigned char) rand() & 0xFF; + } +} + +static void _md5_gen(const char *password, FILE *f) { + static unsigned char salt[16]; + static char saltc[33]; + static unsigned char digest[16]; + static char digestc[33]; + md5_state_t t; + + _random(salt, 16); + + fhex(salt, 16, saltc); + saltc[32] = 0; + + md5_init(&t); + md5_append(&t, saltc, 32); + md5_append(&t, password, strlen(password)); + md5_finish(&t, digest); + +#ifdef COMPAT05 + if (compat) + fhex_broken_md5(digest, digestc); + else +#endif + fhex_md5(digest, digestc); + digestc[32] = 0; + +#ifdef COMPAT05 + fprintf(f, "%s%s%s\n", compat ? "" : "+", saltc, digestc); +#else + fprintf(f, "+%s%s\n", saltc, digestc); +#endif +} + +void usage(char *argv0) { + char *p; + + if ((p = strrchr(argv0, '/'))) + p++; + else + p = argv0; + +#ifdef COMPAT05 + printf("%s [-C] [-a <service>] | -h\n" +#else + printf("%s [-a <service>] | -h\n" +#endif + " -a <service> Add a password for the specified service\n" + " -h Show this help\n" +#ifdef COMPAT05 + " -C Enable compatibility with pam_dotfile <= 0.5\n" +#endif + , p); +} + +char *chomp(char *p) { + char *e; + + while ((e = strchr(p, '\n'))) + *e = 0; + + return p; +} + +int set_echo(int fd, int b) { + static struct termios saved; + + if (!b) { + static struct termios t; + + if (tcgetattr(fd, &saved) < 0) { + fprintf(stderr, "tcgetattr(): %s\n", strerror(errno)); + return -1; + } + + t = saved; + t.c_lflag &= ~ECHO; + + if (tcsetattr(fd, TCSANOW, &t) < 0) { + fprintf(stderr, "tcsetattr(): %s\n", strerror(errno)); + return -1; + } + + } else { + if (tcsetattr(fd, TCSANOW, &saved) < 0) { + fprintf(stderr, "tcsetattr(): %s\n", strerror(errno)); + return -1; + } + } + + + return 0; +} + +int add_password(char *p) { + FILE *f = NULL; + static char fn[PATH_MAX]; + static char password1[128], password2[128]; + int r = -1; + int e = 0; + mode_t m; + + if (isatty(STDIN_FILENO)) { + if (set_echo(STDIN_FILENO, 0) < 0) + goto finish; + + e = 1; + } + + snprintf(fn, sizeof(fn), "%s/.pam-%s", getenv("HOME"), p); + + m = umask(0077); + if (!(f = fopen(fn, "a"))) { + umask(m); + fprintf(stderr, "Could not open file <%s> for writing: %s\n", fn, strerror(errno)); + goto finish; + } + umask(m); + + if (isatty(STDIN_FILENO)) { + fputs("Password:", stdout); + fflush(stdout); + } + + if (!fgets(password1, sizeof(password1), stdin)) { + fprintf(stderr, "Failure reading password\n"); + goto finish; + } + + if (isatty(STDIN_FILENO)) { + fputs("\nPlease repeat; password:", stdout); + fflush(stdout); + } + + if (!fgets(password2, sizeof(password2), stdin)) { + fprintf(stderr, "Failure reading password\n"); + goto finish; + } + + if (isatty(STDIN_FILENO)) { + fputs("\n", stdout); + fflush(stdout); + } + + chomp(password1); + chomp(password2); + + if (strcmp(password1, password2)) { + fprintf(stderr, "ERROR: Passwords do not match!\n"); + goto finish; + } + + _md5_gen(password1, f); + + fprintf(stderr, "Password added.\n"); + + r = 0; + +finish: + if (e) + set_echo(STDIN_FILENO, 1); + + if (f) { + fclose(f); + chmod(fn, 0600); + } + + return 0; +} + +int main(int argc, char*argv[]) { + int c; +#ifdef COMPAT05 + const char* argspec = "a:hC"; +#else + const char* argspec = "a:h"; +#endif + char *addp = 0; + + srand(time(NULL)*getpid()); + + + while ((c = getopt(argc, argv, argspec)) > 0) { + + switch (c) { + case 'a' : + addp = optarg; + break; + +#ifdef COMPAT05 + case 'C': + compat = 1; + break; +#endif + + default: + usage(argv[0]); + return 1; + } + } + + + if (addp) + return add_password(addp) < 0 ? 1 : 0; + + for(;;) { + int n; + static char ln[256]; + + if (!fgets(ln, sizeof(ln), stdin)) + break; + + if (ln[0] == 0 || ln[0] == '\n' || ln[0] == '#') { + fputs(ln, stdout); + continue; + } + + if (ln[(n = strlen(ln))-1] == '\n') + ln[n-1] = 0; + + _md5_gen(ln, stdout); + } + + return 0; +} diff --git a/src/pam-dotfile-helper.c b/src/pam-dotfile-helper.c new file mode 100644 index 0000000..04c73de --- /dev/null +++ b/src/pam-dotfile-helper.c @@ -0,0 +1,117 @@ +/*** + This file is part of pam_dotfile. + + pam_dotfile is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + pam_dotfile is distributed in the hope that it will be useful, but + WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + General Public License for more details. + + You should have received a copy of the GNU General Public License + along with pam_dotfile; if not, write to the Free Software + Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 + USA +***/ + +#include <string.h> +#include <stdio.h> +#include <unistd.h> +#include <signal.h> +#include <pwd.h> + +#include "common.h" +#include "log.h" + +#define DELAY 5 + +int main(int argc, char* argv[]) { + context_t c; + char *username; + static char password[128]; + int r; + + signal(SIGINT, SIG_IGN); + signal(SIGQUIT, SIG_IGN); + signal(SIGHUP, SIG_IGN); + signal(SIGTERM, SIG_IGN); + signal(SIGPIPE, SIG_IGN); + signal(SIGUSR1, SIG_IGN); + signal(SIGUSR2, SIG_IGN); + signal(SIGTSTP, SIG_IGN); + + memset(&c, 0, sizeof(context_t)); + + if (isatty(0) || isatty(1) || isatty(2)) { + int n; + struct passwd *pw; + uid_t uid = getuid(); + + pw = getpwuid(uid); + + fprintf(stderr, "This program is not intended to be run in this way.\n"); + logmsg(&c, LOG_WARNING, "A stupid user (%s; uid=%i) ran pam-dotfile-helper on the command line", pw ? pw->pw_name : "???", uid); + + n = 5; + while ((n = sleep(n)) > 0); + + return 1; + } + + if (argc != 7) { + logmsg(&c, LOG_WARNING, "Invalid invocation"); + return 4; + } + + c.service = argv[1]; + username = argv[2]; + + if (!strcmp(argv[3], "debug")) + c.opt_debug = 1; + + if (!strcmp(argv[4], "no_warn")) + c.opt_no_warn = 1; + + if (!strcmp(argv[5], "stat_only_home")) + c.opt_stat_only_home = 1; + +#ifdef COMPAT05 + if (!strcmp(argv[6], "nocompat05")) + c.opt_nocompat05 = 1; +#endif + + logmsg(&c, LOG_DEBUG, "%s|%s|%s", + c.opt_debug ? "debug" : "nodebug", + c.opt_no_warn ? "no_warn" : "warn" +#ifdef COMPAT05 + ,c.opt_nocompat05 ? "nocompat05" : "compat05" +#endif + ); + + if (geteuid() != 0) { + logmsg(&c, LOG_WARNING, "Not run as root, executable is probably not SETUID?"); + return 4; + } + + logmsg(&c, LOG_DEBUG, "Helper started"); + + if (!fgets(password, sizeof(password), stdin)) { + logmsg(&c, LOG_WARNING, "Failure reading from STDIN"); + return 4; + } + + switch (user_authentication(&c, username, password)) { + case PAM_SUCCESS: r = 0; break; + case PAM_AUTH_ERR: r = 1; break; + case PAM_AUTHINFO_UNAVAIL: r = 2; break; + case PAM_USER_UNKNOWN: r = 3; break; + default: r = 4; break; + } + + logmsg(&c, LOG_DEBUG, "Helper exiting with return value %u", r); + + return r; +} diff --git a/src/pam_dotfile.c b/src/pam_dotfile.c new file mode 100644 index 0000000..edc5230 --- /dev/null +++ b/src/pam_dotfile.c @@ -0,0 +1,321 @@ +/*** + This file is part of pam_dotfile. + + pam_dotfile is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + pam_dotfile is distributed in the hope that it will be useful, but + WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + General Public License for more details. + + You should have received a copy of the GNU General Public License + along with pam_dotfile; if not, write to the Free Software + Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 + USA +***/ + +#include <stdio.h> +#include <stdarg.h> +#include <pwd.h> +#include <unistd.h> +#include <limits.h> +#include <errno.h> +#include <string.h> +#include <sys/stat.h> +#include <signal.h> +#include <sys/types.h> +#include <sys/wait.h> +#include <fcntl.h> + +#define PAM_SM_AUTH + +#include <security/pam_modules.h> +#include <security/_pam_macros.h> + +#include "md5.h" +#include "md5util.h" +#include "common.h" +#include "log.h" + +#define HELPERTOOL SBINDIR"/pam-dotfile-helper" + +#ifndef PAM_FAIL_DELAY +#define pam_fail_delay(x,y) 0 +#endif + +#define PAM_DOTFILE_DELAY 3000000 + +static void sigchld(int sig) { +} + +static int _fork_authentication(context_t *c, const char *username, const char *password) { + pid_t pid; + int r = PAM_SYSTEM_ERR, p[2]; + struct sigaction sa_save, sa; + + if (pipe(p) < 0) { + logmsg(c, LOG_ERR, "pipe(): %s", strerror(errno)); + return PAM_SYSTEM_ERR; + } + + memset(&sa, 0, sizeof(sa)); + sa.sa_handler = sigchld; + sa.sa_flags = SA_RESTART; + + if (sigaction(SIGCHLD, &sa, &sa_save) < 0) { + logmsg(c, LOG_ERR, "sigaction(): %s", strerror(errno)); + goto finish; + } + + if ((pid = fork()) < 0) { + logmsg(c, LOG_ERR, "fork(): %s", strerror(errno)); + goto finish; + } else if (pid == 0) { + char * const args[] = { + HELPERTOOL, + x_strdup(c->service), + x_strdup(username), + c->opt_debug ? "debug" : "nodebug", + c->opt_no_warn ? "no_warn" : "warn", + c->opt_stat_only_home ? "stat_only_home" : "stat_all", +#ifdef COMPAT05 + c->opt_nocompat05 ? "nocompat05" : "compat05", +#else + "nocompat05", +#endif + NULL + }; + char * envp[] = { NULL }; + + if (p[0] != 0 && dup2(p[0], 0) != 0) { + logmsg(c, LOG_ERR, "dup2(): %s", strerror(errno)); + exit(2); + } + + close(1); + close(2); + close(p[0]); + close(p[1]); + + if (open("/dev/null", O_WRONLY) != 1) { + logmsg(c, LOG_ERR, "open(\"/dev/null\", O_WRONLY): %s", strerror(errno)); + exit(2); + } + + if (open("/dev/null", O_WRONLY) != 2) { + logmsg(c, LOG_ERR, "open(\"/dev/null\", O_WRONLY): %s", strerror(errno)); + exit(2); + } + + execve(HELPERTOOL, args, envp); + + logmsg(c, LOG_ERR, "execve(): %s", strerror(errno)); + + exit(100); + } else if (pid > 0) { + FILE *f; + int r2; + + close(p[0]); + + if (!(f = fdopen(p[1], "w"))) { + logmsg(c, LOG_ERR, "fdopen() failed."); + goto finish; + } else { + fputs(password, f); + fflush(f); + } + + fclose(f); + close(p[1]); + + if (waitpid(pid, &r2, 0) < 0) { + logmsg(c, LOG_ERR, "waitpid(): %s", strerror(errno)); + goto finish; + } else { + if (WIFEXITED(r2)) { + logmsg(c, LOG_DEBUG, "Helper returned %u", WEXITSTATUS(r2)); + + switch (WEXITSTATUS(r2)) { + case 0: r = PAM_SUCCESS; break; + case 1: r = PAM_AUTH_ERR; break; + case 2: r = PAM_AUTHINFO_UNAVAIL; break; + case 3: r = PAM_USER_UNKNOWN; break; + } + } else + logmsg(c, LOG_DEBUG, "Helper failed abnormally"); + } + } + +finish: + + if (sigaction(SIGCHLD, &sa_save, NULL) < 0) { + logmsg(c, LOG_ERR, "sigaction()#2: %s", strerror(errno)); + r = PAM_SYSTEM_ERR; + } + + + return r; +} + +static int _authentication(context_t *c, const char *username, const char *password) { + int b; + + if (!username || !*username) { + logmsg(c, LOG_WARNING, "Authentication failure: null username supplied"); + return PAM_AUTH_ERR; + } + + if (!password || (!c->opt_nullok && !*password)) { + logmsg(c, LOG_WARNING, "Authentication failure: null password supplied"); + return PAM_AUTH_ERR; + } + + b = geteuid() != 0; + + if (b && c->opt_fork < 0) { + logmsg(c, LOG_ERR, "Option <nofork> set and uid != 0, failing"); + return PAM_SYSTEM_ERR; + } + + if (c->opt_fork > 0) + b = 1; + + if (!b) + return user_authentication(c, username, password); + else + return _fork_authentication(c, username, password); +} + +static int _parse_opt(context_t *c, int argc, const char **argv) { + for (; argc; argc--, argv++) { + if (!strcmp(*argv, "debug")) + c->opt_debug = 1; + else if (!strcmp(*argv, "use_first_pass") || !strcmp(*argv, "use_authtok")) + c->opt_use_first_pass = 1; + else if (!strcmp(*argv, "try_first_pass")) + c->opt_try_first_pass = 1; + else if (!strcmp(*argv, "rootok")) + c->opt_rootok = 1; + else if (!strcmp(*argv, "nullok")) + c->opt_nullok = 1; + else if (!strcmp(*argv, "fork")) + c->opt_fork = 1; + else if (!strcmp(*argv, "nofork")) + c->opt_fork = -1; + else if (!strcmp(*argv, "no_warn")) + c->opt_no_warn = 1; + else if (!strcmp(*argv, "stat_only_home")) + c->opt_stat_only_home = 1; +#ifdef COMPAT05 + else if (!strcmp(*argv, "nocompat05")) + c->opt_nocompat05 = 1; +#endif + else + logmsg(c, LOG_WARNING, "Invalid argument <%s>, ignoring", *argv); + } + + return PAM_SUCCESS; +} + +PAM_EXTERN int pam_sm_authenticate(pam_handle_t *ph, int flags, int argc, const char **argv) { + const char *username = NULL, *password = NULL, *service = NULL; + int r; + context_t c; + const struct pam_conv *pc; + static struct pam_message m[1] = { { msg_style: PAM_PROMPT_ECHO_OFF, msg : "Dotfile Password: " } }; + const static struct pam_message* pm[] = { &m[0] }; + struct pam_response *a; + + memset(&c, 0, sizeof(c)); + + if ((r = _parse_opt(&c, argc, argv)) != PAM_SUCCESS) + return r; + + if ((r = pam_get_user(ph, &username, NULL)) != PAM_SUCCESS) { + logmsg(&c, LOG_ERR, "pam_get_user(): %s", pam_strerror(ph, r)); + return r; + } + + if (!username || !*username) { + logmsg(&c, LOG_DEBUG, "Authentication failure: no username supplied"); + return PAM_CRED_INSUFFICIENT; + } + + if ((r = pam_get_item(ph, PAM_SERVICE, (const void**) &service)) != PAM_SUCCESS) { + logmsg(&c, LOG_ERR, "pam_get_item(*, PAM_SERVICE, *): %s", pam_strerror(ph, r)); + return r; + } + + c.service = service; + + if (c.opt_use_first_pass || c.opt_try_first_pass) + if ((r = pam_get_item(ph, PAM_AUTHTOK, (const void**) &password)) != PAM_SUCCESS) { + logmsg(&c, LOG_ERR, "pam_get_item(*, PAM_AUTHTOK, *): %s", pam_strerror(ph, r)); + return r; + } + + if (c.opt_use_first_pass && !password) { + logmsg(&c, LOG_DEBUG, "No password passed in PAM_AUTHTOK."); + return PAM_CRED_INSUFFICIENT; + } + + if (password) { + if ((r = _authentication(&c, username, password)) == PAM_SUCCESS) { + logmsg(&c, LOG_DEBUG, "Authentication with PAM_AUTHTOK sucessful"); + return PAM_SUCCESS; + } else if (r != PAM_AUTH_ERR) { + logmsg(&c, LOG_DEBUG, "Authentication with PAM_AUTHTOK failed (%i): %s", r, pam_strerror(ph, r)); + return r; + } + + logmsg(&c, LOG_DEBUG, "Authentication with PAM_AUTHTOK failed"); + + if (c.opt_use_first_pass) { + pam_fail_delay(ph, PAM_DOTFILE_DELAY); + return PAM_AUTH_ERR; + } + } + + if ((r = pam_get_item(ph, PAM_CONV, (const void**) &pc)) != PAM_SUCCESS) { + logmsg(&c, LOG_ERR, "pam_get_item(*, PAM_CONV, *): %s", pam_strerror(ph, r)); + return r; + } + + if (!pc || !pc->conv) { + logmsg(&c, LOG_ERR, "conv() function invalid"); + return PAM_CONV_ERR; + } + + if ((r = pc->conv(1, pm, &a, pc->appdata_ptr)) != PAM_SUCCESS) { + logmsg(&c, LOG_ERR, "conv(): %s", pam_strerror(ph, r)); + return r; + } + + if (!a->resp) { + logmsg(&c, LOG_ERR, "Got no password."); + return PAM_CRED_INSUFFICIENT; + } + + if ((r = pam_set_item(ph, PAM_AUTHTOK, x_strdup(a->resp))) != PAM_SUCCESS) + return r; + + if ((r = _authentication(&c, username, a->resp)) == PAM_SUCCESS) { + logmsg(&c, LOG_DEBUG, "Authentication with user password sucessful"); + return PAM_SUCCESS; + } else if (r != PAM_AUTH_ERR) { + logmsg(&c, LOG_DEBUG, "Authentication with PAM_AUTHTOK failed (%i): %s", r, pam_strerror(ph, r)); + return r; + } + + logmsg(&c, LOG_DEBUG, "Authentication failed with user password"); + pam_fail_delay(ph, PAM_DOTFILE_DELAY); + return PAM_AUTH_ERR; +} + +PAM_EXTERN int pam_sm_setcred(pam_handle_t *pamh, int flags, int argc, const char **argv) { + return PAM_SUCCESS; +} diff --git a/src/pamtest.c b/src/pamtest.c new file mode 100644 index 0000000..171e601 --- /dev/null +++ b/src/pamtest.c @@ -0,0 +1,66 @@ +/*** + This file is part of pam_dotfile. + + pam_dotfile is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + pam_dotfile is distributed in the hope that it will be useful, but + WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + General Public License for more details. + + You should have received a copy of the GNU General Public License + along with pam_dotfile; if not, write to the Free Software + Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 + USA +***/ + +#include <stdio.h> + +#include <security/pam_appl.h> +#include <security/pam_misc.h> + +int main(int argc, char*argv[]) { + static struct pam_conv pc = { misc_conv, NULL }; + pam_handle_t *ph = NULL; + int r, ret; + char *username, *procname, *service; + + if ((procname = strchr(argv[0], '/'))) + procname++; + else + procname = argv[0]; + + if (argc <= 1 || argc > 3) { + fprintf(stderr, "Usage: %s [<service>] [<username>]\n", procname); + exit(1); + } + + service = (argc >= 2) ? argv[1] : procname; + username = (argc == 3) ? argv[2] : NULL; + + if (username) + printf("Trying to authenticate <%s> for service <%s>.\n", username, service); + else + printf("Trying to authenticate for service <%s>.\n", service); + + if ((r = pam_start(service, username, &pc, &ph)) != PAM_SUCCESS) { + fprintf(stderr, "Failure starting pam: %s\n", pam_strerror(ph, r)); + return 1; + } + + if ((r = pam_authenticate(ph, 0)) != PAM_SUCCESS) { + fprintf(stderr, "Failed to authenticate: %s\n", pam_strerror(ph, r)); + ret = 1; + } else { + printf("Authentication successful.\n"); + ret = 0; + } + + if ((r = pam_end(ph, r)) != PAM_SUCCESS) + fprintf(stderr, "Failure shutting down pam: %s\n", pam_strerror(ph, r)); + + return ret; +} |