From: Joerg Sonnenberger
Date: Wed, 13 Jul 2005 12:34:22 +0000 (+0000)
Subject: Switch to OpenPAM. The PAM modules are now installed in /usr/lib/security
X-Git-Tag: v2.0.1~6628
X-Git-Url: https://gitweb.dragonflybsd.org/dragonfly.git/commitdiff_plain/61be715af7d4b6c96a9edb5824decb9aa6563757

Switch to OpenPAM. The PAM modules are now installed in /usr/lib/security
and versioned, programs using LinuxPAM continue to work for that reason.
---
diff --git a/Makefile.inc1 b/Makefile.inc1
index 722a43f3bc..e4e8cf2912 100644
--- a/Makefile.inc1
+++ b/Makefile.inc1
@@ -1,6 +1,6 @@
 #
 # $FreeBSD: src/Makefile.inc1,v 1.141.2.62 2003/04/06 19:54:00 dwmalone Exp $
-# $DragonFly: src/Makefile.inc1,v 1.72 2005/07/07 11:49:55 corecode Exp $
+# $DragonFly: src/Makefile.inc1,v 1.73 2005/07/13 12:34:21 joerg Exp $
 #
 # Make command line options:
 # -DMAKE_KERBEROS5 to build Kerberos5
@@ -909,7 +909,7 @@ _generic_libs+= kerberos5/lib
 _prebuild_libs+= lib/libcom_err lib/libcrypt lib/libmd \
 lib/libncurses/libncurses lib/libopie lib/libradius \
- lib/libskey lib/libtacplus lib/libz lib/msun
+ lib/libskey lib/libtacplus lib/libz lib/msun lib/libpam
 lib/libopie__L lib/libradius__L lib/libtacplus__L: lib/libmd__L
 lib/libskey__L: lib/libcrypt__L lib/libmd__L
diff --git a/lib/Makefile b/lib/Makefile
index 4bed380abf..c149c59813 100644
--- a/lib/Makefile
+++ b/lib/Makefile
@@ -1,6 +1,6 @@
 # @(#)Makefile 8.1 (Berkeley) 6/4/93
 # $FreeBSD: src/lib/Makefile,v 1.107.2.16 2002/10/10 19:24:35 kbyanc Exp $
-# $DragonFly: src/lib/Makefile,v 1.21 2005/05/02 20:19:12 dillon Exp $
+# $DragonFly: src/lib/Makefile,v 1.22 2005/07/13 12:34:21 joerg Exp $
 # To satisfy shared library or ELF linkage when only the libraries being
 # built are visible:
@@ -28,7 +28,7 @@ SUBDIR= ${_csu} csu/common libarchive libcom_err libcrypt msun libmd \
 ${_libmilter} ${_libncp} libnetgraph libopie libpam \
 libpcap libposix1e librpcsvc ${_libsm} ${_libsmb} ${_libsmdb} \
 ${_libsmutil} libstand libtelnet libthread_xu libusbhid ${_libvgl} \
- libwrap libxpg4 liby libz i18n_module libc_rtld
+ libwrap libxpg4 liby libz i18n_module pam_module libc_rtld
 .if exists(${.CURDIR}/compat/${MACHINE_ARCH}/Makefile)
 SUBDIR+= compat/${MACHINE_ARCH}
diff --git a/lib/libpam/Makefile b/lib/libpam/Makefile
index 9db2ca009f..7425adfa6c 100644
--- a/lib/libpam/Makefile
+++ b/lib/libpam/Makefile
@@ -1,32 +1,52 @@
-# Copyright 1998 Juniper Networks, Inc.
-# All rights reserved.
-#
-# Redistribution and use in source and binary forms, with or without
-# modification, are permitted provided that the following conditions
-# are met:
-# 1. Redistributions of source code must retain the above copyright
-# notice, this list of conditions and the following disclaimer.
-# 2. Redistributions in binary form must reproduce the above copyright
-# notice, this list of conditions and the following disclaimer in the
-# documentation and/or other materials provided with the distribution.
-#
-# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
-# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
-# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-# SUCH DAMAGE.
-#
-# $FreeBSD: src/lib/libpam/Makefile,v 1.2 1999/01/20 21:55:21 jdp Exp $
-# $DragonFly: src/lib/libpam/Makefile,v 1.2 2003/06/17 04:26:50 dillon Exp $
-
-# The modules must be built first, because they are built into the
-# static version of libpam.
-SUBDIR+= modules libpam
-
-.include
+# $DragonFly: src/lib/libpam/Makefile,v 1.3 2005/07/13 12:34:21 joerg Exp $
+
+LIB= pam
+WARNS?= 6
+
+SRCDIR= ${.CURDIR}/../../contrib/openpam
+CONTRIBDIR= ${SRCDIR}/lib
+PATCHES!= echo ${.CURDIR}/patches/*.patch
+
+MODULE_DIR= /usr/lib/security
+
+CFLAGS+= -DOPENPAM_MODULES_DIR='"${MODULE_DIR}"'
+CFLAGS+= -DLIB_MAJ=${MODULE_SHLIB_MAJOR}
+CFLAGS+= -I${SRCDIR}/lib
+
+SRCS= openpam_borrow_cred.c openpam_configure.c openpam_dispatch.c
+SRCS+= openpam_dynamic.c openpam_findenv.c openpam_free_data.c
+SRCS+= openpam_free_envlist.c openpam_get_option.c openpam_load.c
+SRCS+= openpam_log.c openpam_nullconv.c openpam_readline.c
+SRCS+= openpam_restore_cred.c openpam_set_option.c openpam_static.c
+SRCS+= openpam_ttyconv.c pam_acct_mgmt.c pam_authenticate.c
+SRCS+= pam_chauthtok.c pam_close_session.c pam_end.c pam_error.c
+SRCS+= pam_get_authtok.c pam_get_data.c pam_get_item.c pam_get_user.c
+SRCS+= pam_getenv.c pam_getenvlist.c pam_info.c pam_open_session.c
+SRCS+= pam_prompt.c pam_putenv.c pam_set_data.c pam_set_item.c pam_setcred.c
+SRCS+= pam_setenv.c pam_start.c pam_strerror.c pam_verror.c pam_vinfo.c
+SRCS+= pam_vprompt.c
+SRCS+= pam_debug_log.c
+SRCS+= ${PATCHES}
+
+PAMINCS= openpam.h openpam_version.h pam_appl.h pam_constants.h
+PAMINCS+= pam_modules.h pam_types.h
+INCS= ${PAMINCS:S;^;${SRCDIR}/include/security/;} pam_mod_misc.h
+INCSDIR= ${INCLUDEDIR}/security
+
+MAN= openpam.3 openpam_borrow_cred.3 openpam_free_data.3
+MAN+= openpam_free_envlist.3 openpam_get_option.3 openpam_log.3
+MAN+= openpam_nullconv.3 openpam_readline.3 openpam_restore_cred.3
+MAN+= openpam_set_option.3 openpam_ttyconv.3 pam.3 pam_acct_mgmt.3
+MAN+= pam_authenticate.3 pam_chauthtok.3 pam_close_session.3 pam_conv.3
+MAN+= pam_end.3 pam_error.3 pam_get_authtok.3 pam_get_data.3 pam_get_item.3
+MAN+= pam_get_user.3 pam_getenv.3 pam_getenvlist.3 pam_info.3
+MAN+= pam_open_session.3 pam_prompt.3 pam_putenv.3 pam_set_data.3
+MAN+= pam_set_item.3 pam_setcred.3 pam_setenv.3 pam_sm_acct_mgmt.3
+MAN+= pam_sm_authenticate.3 pam_sm_chauthtok.3 pam_sm_close_session.3
+MAN+= pam_sm_open_session.3 pam_sm_setcred.3 pam_start.3 pam_strerror.3
+MAN+= pam_verror.3 pam_vinfo.3 pam_vprompt.3 pam.conf.5
+
+.PATH: ${SRCDIR}/lib ${SRCDIR}/doc/man
+
+.include "../pam_module/Makefile.shlib"
+.include
diff --git a/lib/libpam/Makefile.inc b/lib/libpam/Makefile.inc
deleted file mode 100644
index 523654574e..0000000000
--- a/lib/libpam/Makefile.inc
+++ /dev/null
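Review bot: `PATCHES!= echo ${.CURDIR}/patches/*.patch` feeds the literal pattern into SRCS whenever patches/ holds no .patch file, because sh passes an unmatched glob through unchanged, so the build breaks as soon as that directory is ever emptied; `PATCHES!= ls ${.CURDIR}/patches/*.patch 2>/dev/null || true` yields an empty list in that case. MODULE_DIR is compiled into the library through OPENPAM_MODULES_DIR and, given openpam_dynamic.c in SRCS, is presumably the directory from which the library dlopen()s modules named without a path while running inside root-run authenticators, so a comment above it, `# Modules are dlopen()ed from here by privileged callers; the directory must stay root-owned and not group/world-writable`, would record the requirement that the install rules in pam_module have to honour. The final `.include` line has lost its target in this rendering and cannot be checked here.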
@@ -1,28 +0,0 @@ -# Copyright 1998 Juniper Networks, Inc. -# All rights reserved. -# -# Redistribution and use in source and binary forms, with or without -# modification, are permitted provided that the following conditions -# are met: -# 1. Redistributions of source code must retain the above copyright -# notice, this list of conditions and the following disclaimer. -# 2. Redistributions in binary form must reproduce the above copyright -# notice, this list of conditions and the following disclaimer in the -# documentation and/or other materials provided with the distribution. -# -# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND -# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE -# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS -# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT -# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY -# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF -# SUCH DAMAGE. -# -# $FreeBSD: src/lib/libpam/Makefile.inc,v 1.1.1.1 1998/11/18 01:44:37 jdp Exp $ -# $DragonFly: src/lib/libpam/Attic/Makefile.inc,v 1.3 2005/04/21 13:42:34 joerg Exp $ - -SHLIB_MAJOR= 2 diff --git a/lib/libpam/libpam/Makefile b/lib/libpam/libpam/Makefile deleted file mode 100644 index da745b6e4e..0000000000 --- a/lib/libpam/libpam/Makefile +++ /dev/null 
@@ -1,100 +0,0 @@ -# Copyright 1998 Juniper Networks, Inc. -# All rights reserved. -# -# Redistribution and use in source and binary forms, with or without -# modification, are permitted provided that the following conditions -# are met: -# 1. Redistributions of source code must retain the above copyright -# notice, this list of conditions and the following disclaimer. -# 2. Redistributions in binary form must reproduce the above copyright -# notice, this list of conditions and the following disclaimer in the -# documentation and/or other materials provided with the distribution. -# -# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND -# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE -# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS -# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT -# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY -# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF -# SUCH DAMAGE. 
-# -# $FreeBSD: src/lib/libpam/libpam/Makefile,v 1.12.2.12 2002/07/22 14:21:49 ru Exp $ -# $DragonFly: src/lib/libpam/libpam/Attic/Makefile,v 1.6 2004/12/20 18:02:19 dillon Exp $ - -PAMDIR= ${.CURDIR}/../../../contrib/libpam -MODOBJDIR= ../modules - -.PATH: ${PAMDIR}/libpam ${PAMDIR}/libpam_misc ${PAMDIR}/doc/man - -LIB= pam -CFLAGS+= -I${PAMDIR}/libpam/include -I${.CURDIR} -CFLAGS+= -DDEFAULT_MODULE_PATH=\"${SHLIBDIR}/\" -NOPROFILE= yes - -# Files from ${PAMDIR}/libpam: -SRCS= pam_account.c pam_auth.c pam_data.c pam_delay.c \ - pam_dispatch.c pam_end.c pam_env.c pam_handlers.c \ - pam_item.c pam_log.c pam_misc.c pam_password.c \ - pam_second.c pam_session.c pam_start.c \ - pam_strerror.c -HDRS1= _pam_compat.h _pam_macros.h _pam_types.h \ - pam_appl.h pam_malloc.h pam_modules.h -MAN+= pam_authenticate.3 pam_chauthtok.3 pam_fail_delay.3 \ - pam_open_session.3 pam_setcred.3 pam_start.3 \ - pam_strerror.3 -MLINKS+= pam_open_session.3 pam_close_session.3 \ - pam_start.3 pam_end.3 -MAN+= pam.8 -MLINKS+= pam.8 pam.conf.5 pam.8 pam.d.5 - -# Files from ${PAMDIR}/libpam_misc: -SRCS+= help_env.c misc_conv.c xstrdup.c -HDRS2= pam_misc.h - -# Files from ${.CURDIR}: -SRCS+= pam_debug_log.c pam_get_pass.c pam_prompt.c pam_std_option.c -SRCS+= openpam_borrow_cred.c openpam_restore_cred.c -HDRS3= security/pam_mod_misc.h -MAN+= pam_set_item.3 -MLINKS+= pam_set_item.3 pam_get_item.3 - -# Static PAM modules: -STATIC_MODULES+= ${MODOBJDIR}/pam_cleartext_pass_ok/libpam_cleartext_pass_ok.a -STATIC_MODULES+= ${MODOBJDIR}/pam_deny/libpam_deny.a -.if defined(MAKE_KERBEROS5__) && !defined(NOCRYPT) && !defined(NO_OPENSSL) -STATIC_MODULES+= ${MODOBJDIR}/pam_kerberos5/libpam_kerberos5.a -.endif -STATIC_MODULES+= ${MODOBJDIR}/pam_opie/libpam_opie.a -STATIC_MODULES+= ${MODOBJDIR}/pam_permit/libpam_permit.a -STATIC_MODULES+= ${MODOBJDIR}/pam_radius/libpam_radius.a -STATIC_MODULES+= ${MODOBJDIR}/pam_skey/libpam_skey.a -STATIC_MODULES+= ${MODOBJDIR}/pam_tacplus/libpam_tacplus.a -STATIC_MODULES+= 
${MODOBJDIR}/pam_unix/libpam_unix.a - -STATICOBJS+= pam_static_modules.o -CLEANFILES+= pam_static.o - -# doesn't work, bsd.lib.mk already has an _EXTRADEPEND for the .So files. -#_EXTRADEPEND: pam_static.c -# ${MKDEPCMD} -f ${DEPENDFILE} -a ${MKDEP} \ -# ${CFLAGS:M-nostdinc*} ${CFLAGS:M-[BID]*} \ -# ${.ALLSRC} - -CLEANFILES+= _pam_static_modules.o - -pam_static_modules.o: pam_static.o _pam_static_modules.o - ${LD} -o ${.TARGET} -r ${.ALLSRC} - -_pam_static_modules.o: ${STATIC_MODULES} - ${LD} -o ${.TARGET} -r --whole-archive ${.ALLSRC} - -# Headers -INCS= ${HDRS1:S;^;${PAMDIR}/libpam/include/security/;} \ - ${HDRS2} ${HDRS3} -INCSDIR= ${INCLUDEDIR}/security - -.include diff --git a/lib/libpam/libpam/openpam_borrow_cred.c b/lib/libpam/libpam/openpam_borrow_cred.c deleted file mode 100644 index b0387641c1..0000000000 --- a/lib/libpam/libpam/openpam_borrow_cred.c +++ /dev/null 
@@ -1,116 +0,0 @@ -/*- - * Copyright (c) 2002 Networks Associates Technology, Inc. - * All rights reserved. - * - * This software was developed for the FreeBSD Project by ThinkSec AS and - * Network Associates Laboratories, the Security Research Division of - * Network Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 - * ("CBOSS"), as part of the DARPA CHATS research program. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. The name of the author may not be used to endorse or promote - * products derived from this software without specific prior written - * permission. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- * - * $P4: //depot/projects/openpam/lib/openpam_borrow_cred.c#2 $ - * $FreeBSD: src/lib/libpam/libpam/openpam_borrow_cred.c,v 1.1.2.3 2002/07/03 21:45:44 des Exp $ - * $DragonFly: src/lib/libpam/libpam/Attic/openpam_borrow_cred.c,v 1.2 2003/06/17 04:26:50 dillon Exp $ - */ - -#include - -#include -#include -#include - -#include - -#include - -static void -openpam_free_data(pam_handle_t *pamh, void *data, int status) -{ - /* silence compiler warnings */ - pamh = pamh; - status = status; - free(data); -} - -/* - * OpenPAM extension - * - * Temporarily borrow user credentials - */ - -int -openpam_borrow_cred(pam_handle_t *pamh, - const struct passwd *pwd) -{ - struct pam_saved_cred *scred; - int r; - - if (geteuid() != 0) - return (PAM_PERM_DENIED); - scred = calloc(1, sizeof *scred); - if (scred == NULL) - return (PAM_BUF_ERR); - scred->euid = geteuid(); - scred->egid = getegid(); - r = getgroups(NGROUPS_MAX, scred->groups); - if (r == -1) { - free(scred); - return (PAM_SYSTEM_ERR); - } - scred->ngroups = r; - r = pam_set_data(pamh, PAM_SAVED_CRED, scred, &openpam_free_data); - if (r != PAM_SUCCESS) { - free(scred); - return (r); - } - if (initgroups(pwd->pw_name, pwd->pw_gid) == -1 || - setegid(pwd->pw_gid) == -1 || seteuid(pwd->pw_uid) == -1) { - openpam_restore_cred(pamh); - return (PAM_SYSTEM_ERR); - } - return (PAM_SUCCESS); -} - -/* - * Error codes: - * - * =pam_set_data - * PAM_SYSTEM_ERR - * PAM_BUF_ERR - * PAM_PERM_DENIED - */ - -/** - * The =openpam_borrow_cred function saves the current credentials and - * switches to those of the user specified by its =pwd argument. The - * affected credentials are the effective UID, the effective GID, and the - * group access list. The original credentials can be restored using - * =openpam_restore_cred. - * - * >setegid - * >seteuid - * >setgroups - */ diff --git a/lib/libpam/libpam/openpam_restore_cred.c b/lib/libpam/libpam/openpam_restore_cred.c deleted file mode 100644 index 7c8a30d776..0000000000 
--- a/lib/libpam/libpam/openpam_restore_cred.c
+++ /dev/null
@@ -1,88 +0,0 @@ -/*- - * Copyright (c) 2002 Networks Associates Technology, Inc. - * All rights reserved. - * - * This software was developed for the FreeBSD Project by ThinkSec AS and - * Network Associates Laboratories, the Security Research Division of - * Network Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 - * ("CBOSS"), as part of the DARPA CHATS research program. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. The name of the author may not be used to endorse or promote - * products derived from this software without specific prior written - * permission. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- * - * $P4: //depot/projects/openpam/lib/openpam_restore_cred.c#2 $ - * $FreeBSD: src/lib/libpam/libpam/openpam_restore_cred.c,v 1.1.2.3 2002/07/03 21:45:44 des Exp $ - * $DragonFly: src/lib/libpam/libpam/Attic/openpam_restore_cred.c,v 1.2 2003/06/17 04:26:50 dillon Exp $ - */ - -#include - -#include -#include -#include - -#include - -#include - -/* - * OpenPAM extension - * - * Restore credentials - */ - -int -openpam_restore_cred(pam_handle_t *pamh) -{ - struct pam_saved_cred *scred; - int r; - - r = pam_get_data(pamh, PAM_SAVED_CRED, (const void **)&scred); - if (r != PAM_SUCCESS) - return (r); - if (scred == NULL) - return (PAM_SYSTEM_ERR); - if (seteuid(scred->euid) == -1 || - setgroups(scred->ngroups, scred->groups) == -1 || - setegid(scred->egid) == -1) - return (PAM_SYSTEM_ERR); - pam_set_data(pamh, PAM_SAVED_CRED, NULL, NULL); - return (PAM_SUCCESS); -} - -/* - * Error codes: - * - * =pam_get_data - * PAM_SYSTEM_ERR - */ - -/** - * The =openpam_restore_cred function restores the credentials saved by - * =openpam_borrow_cred. - * - * >setegid - * >seteuid - * >setgroups - */ diff --git a/lib/libpam/libpam/pam_debug_log.c b/lib/libpam/libpam/pam_debug_log.c deleted file mode 100644 index e1d9a5de6d..0000000000 --- a/lib/libpam/libpam/pam_debug_log.c +++ /dev/null 
@@ -1,135 +0,0 @@ -/*- - * Copyright 2001 Mark R V Murray - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - * - * $FreeBSD: src/lib/libpam/libpam/pam_debug_log.c,v 1.8.2.2 2002/07/03 21:45:44 des Exp $ - * $DragonFly: src/lib/libpam/libpam/Attic/pam_debug_log.c,v 1.2 2003/06/17 04:26:50 dillon Exp $ - */ - -#include -#include -#include -#include -#include -#include - -#include -#include - -#define FMTBUFSIZ 256 - -static char *modulename(const char *); - -/* Log a debug message, including the function name and a - * cleaned up filename. - */ -void -_pam_log(struct options *options, const char *file, const char *function, - const char *format, ...) 
-{ - va_list ap; - char *fmtbuf, *modname; - - if (pam_test_option(options, PAM_OPT_DEBUG, NULL)) { - modname = modulename(file); - va_start(ap, format); - asprintf(&fmtbuf, "%s: %s: %s", modname, function, format); - vsyslog(LOG_DEBUG, fmtbuf, ap); - free(fmtbuf); - va_end(ap); - } -} - -/* Log a return value, including the function name and a - * cleaned up filename. - */ -void -_pam_log_retval(struct options *options, const char *file, const char *function, - int retval) -{ - char *modname; - - if (pam_test_option(options, PAM_OPT_DEBUG, NULL)) { - modname = modulename(file); - - switch (retval) { - case PAM_SUCCESS: - syslog(LOG_DEBUG, "%s: %s: returning PAM_SUCCESS", - modname, function); - break; - case PAM_AUTH_ERR: - syslog(LOG_DEBUG, "%s: %s: returning PAM_AUTH_ERR", - modname, function); - break; - case PAM_IGNORE: - syslog(LOG_DEBUG, "%s: %s: returning PAM_IGNORE", - modname, function); - break; - case PAM_PERM_DENIED: - syslog(LOG_DEBUG, "%s: %s: returning PAM_PERM_DENIED", - modname, function); - break; - default: - syslog(LOG_DEBUG, "%s: %s: returning (%d)", - modname, function, retval); - } - - free(modname); - } -} - -/* Print a verbose error, including the function name and a - * cleaned up filename. - */ -void -_pam_verbose_error(pam_handle_t *pamh, struct options *options, - const char *file, const char *function, const char *format, ...) -{ - va_list ap; - char *statusmsg, *fmtbuf, *modname; - - if (!pam_test_option(options, PAM_OPT_NO_WARN, NULL)) { - modname = modulename(file); - va_start(ap, format); - asprintf(&fmtbuf, "%s: %s: %s", modname, function, format); - vasprintf(&statusmsg, fmtbuf, ap); - pam_prompt(pamh, PAM_ERROR_MSG, statusmsg, NULL); - free(statusmsg); - free(fmtbuf); - va_end(ap); - } -} - -static char * -modulename(const char *file) -{ - char *modname, *period; - - modname = strdup(basename(file)); - period = strchr(modname, '.'); - if (period != NULL) - *period = '\0'; - - return modname; -} 
diff --git a/lib/libpam/libpam/pam_get_pass.c b/lib/libpam/libpam/pam_get_pass.c
deleted file mode 100644
index b69cac8b2f..0000000000
--- a/lib/libpam/libpam/pam_get_pass.c
+++ /dev/null
@@ -1,99 +0,0 @@ -/*- - * Copyright 1998 Juniper Networks, Inc. - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- * - * $FreeBSD: src/lib/libpam/libpam/pam_get_pass.c,v 1.1.1.1.6.3 2002/07/04 13:05:34 des Exp $ - * $DragonFly: src/lib/libpam/libpam/Attic/pam_get_pass.c,v 1.2 2003/06/17 04:26:50 dillon Exp $ - */ - -#include -#include -#include -#include -#include - -static int pam_conv_pass(pam_handle_t *, const char *, struct options *); - -static int -pam_conv_pass(pam_handle_t *pamh, const char *prompt, struct options *options) -{ - const struct pam_conv *conv; - struct pam_message msg; - const struct pam_message *msgs[1]; - struct pam_response *resp; - const void *item; - int retval; - - retval = pam_get_item(pamh, PAM_CONV, &item); - if (retval != PAM_SUCCESS) - return retval; - conv = (const struct pam_conv *)item; - msg.msg_style = pam_test_option(options, PAM_OPT_ECHO_PASS, NULL) ? - PAM_PROMPT_ECHO_ON : PAM_PROMPT_ECHO_OFF; - msg.msg = prompt; - msgs[0] = &msg; - retval = conv->conv(1, msgs, &resp, conv->appdata_ptr); - if (retval != PAM_SUCCESS) - return retval; - retval = pam_set_item(pamh, PAM_AUTHTOK, resp[0].resp); - if (retval != PAM_SUCCESS) - return retval; - memset(resp[0].resp, 0, strlen(resp[0].resp)); - free(resp[0].resp); - free(resp); - return PAM_SUCCESS; -} - -int -pam_get_pass(pam_handle_t *pamh, const char **passp, const char *prompt, - struct options *options) -{ - int retval; - const void *item = NULL; - - /* - * Grab the already-entered password if we might want to use it. - */ - if (pam_test_option(options, PAM_OPT_TRY_FIRST_PASS, NULL) || - pam_test_option(options, PAM_OPT_USE_FIRST_PASS, NULL)) { - retval = pam_get_item(pamh, PAM_AUTHTOK, &item); - if (retval != PAM_SUCCESS) - return retval; - } - - if (item == NULL) { - /* The user hasn't entered a password yet. */ - if (pam_test_option(options, PAM_OPT_USE_FIRST_PASS, NULL)) - return PAM_AUTH_ERR; - /* Use the conversation function to get a password. 
*/ - retval = pam_conv_pass(pamh, prompt, options); - if (retval != PAM_SUCCESS) - return retval; - retval = pam_get_item(pamh, PAM_AUTHTOK, &item); - if (retval != PAM_SUCCESS) - return retval; - } - *passp = (const char *)item; - return PAM_SUCCESS; -} diff --git a/lib/libpam/libpam/pam_set_item.3 b/lib/libpam/libpam/pam_set_item.3 deleted file mode 100644 index c7c9fd9cff..0000000000 --- a/lib/libpam/libpam/pam_set_item.3 +++ /dev/null 
@@ -1,157 +0,0 @@ -.\"- -.\" Copyright (c) 2001 Networks Associates Technologies, Inc. -.\" All rights reserved. -.\" -.\" This software was developed for the FreeBSD Project by ThinkSec AS and -.\" NAI Labs, the Security Research Division of Network Associates, Inc. -.\" under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the -.\" DARPA CHATS research program. -.\" -.\" Redistribution and use in source and binary forms, with or without -.\" modification, are permitted provided that the following conditions -.\" are met: -.\" 1. Redistributions of source code must retain the above copyright -.\" notice, this list of conditions and the following disclaimer. -.\" 2. Redistributions in binary form must reproduce the above copyright -.\" notice, this list of conditions and the following disclaimer in the -.\" documentation and/or other materials provided with the distribution. -.\" 3. The name of the author may not be used to endorse or promote products -.\" derived from this software without specific prior written permission. -.\" -.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND -.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE -.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS -.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT -.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY -.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF -.\" SUCH DAMAGE. 
-.\" -.\" $FreeBSD: src/lib/libpam/libpam/pam_set_item.3,v 1.2.2.2 2002/01/09 14:35:51 ru Exp $ -.\" $DragonFly: src/lib/libpam/libpam/Attic/pam_set_item.3,v 1.2 2003/06/17 04:26:50 dillon Exp $ -.\" -.Dd November 27, 2001 -.Dt PAM_SET_ITEM 3 -.Os -.Sh NAME -.Nm pam_set_item , -.Nm pam_get_item -.Nd setting authentication parameters -.Sh LIBRARY -.Lb libpam -.Sh SYNOPSIS -.In security/pam_modules.h -.Ft int -.Fn pam_set_item "pam_handle_t *pamh" "int type" "const void *item" -.Ft int -.Fn pam_get_item "const pam_handle_t *pamh" "int type" "const void **item" -.Sh DESCRIPTION -The -.Fn pam_set_item -and -.Fn pam_get_item -allow applications and modules to store and retrieve a variety of -authentication parameters, or -.Dq items . -Each item is identified by an integer constant. -The following items are defined: -.Bl -tag -width ".Dv PAM_USER_PROMPT" -.It Dv PAM_SERVICE -(string) -The name of the requesting service. -.It Dv PAM_USER -(string) -The name of the user the application wants to authenticate. -.It Dv PAM_USER_PROMPT -(string) -The string which will be used to prompt the user for an authentication -token. -.It Dv PAM_TTY -(string) -The name of the current terminal (for terminal-oriented applications) -or display (for X11 applications). -.It Dv PAM_RUSER -(string) -The name of the requesting user. -.It Dv PAM_RHOST -(string) -The name of the host the requesting user is logging in from. -.It Dv PAM_AUTHTOK -(opaque) -The current authentication token. -This item is only accessible from PAM modules. -.It Dv PAM_OLDAUTHTOK -(opaque) -The expired authentication token. -This item is only accessible from PAM modules. -.It Dv PAM_CONV -.Pq Vt "struct pam_conv" -The current conversation function. 
-The -.Vt pam_conv -structure is defined as follows: -.Bd -literal -struct pam_conv { - int (*conv)(int num_msg, - const struct pam_message **msg, - struct pam_response **resp, - void *appdata_ptr); - void *appdata_ptr; -}; -.Ed -.It Dv PAM_FAIL_DELAY -.Pq Vt delay_fn -A pointer to a callback function that should be called when a module -wants to introduce a delay after a failed authentication to discourage -brute-force attacks. -.El -.Sh RETURN VALUES -The -.Fn pam_set_item -and -.Fn pam_get_item -functions return one of the following values: -.Bl -tag -width ".Dv PAM_SYSTEM_ERR" -.It Dv PAM_SUCCESS -The operation succeeded. -.It Dv PAM_SYSTEM_ERR -The -.Fa pamh -argument was invalid. -.It Dv PAM_BUF_ERR -A call to -.Xr malloc 3 -failed, or the -.Fa item -argument to -.Fn pam_get_item -was -.Dv NULL . -.It Dv PAM_BAD_ITEM -The specified -.Fa item -does not exist or is not accessible to the caller. -.El -.Pp -The -.Xr pam_strerror 3 -function can be used to translate these return codes to descriptive -messages. -.Sh SEE ALSO -.Xr pam_start 3 , -.Xr pam_strerror 3 , -.Xr pam 8 -.Sh STANDARDS -.Rs -.%T "DCE-RFC 86.0" -.%D "October 1995" -.Re -.Pp -Note: the -.Dv PAM_USER_PROMPT -and -.Dv PAM_FAIL_DELAY -items are non-standard extensions. diff --git a/lib/libpam/libpam/pam_std_option.c b/lib/libpam/libpam/pam_std_option.c deleted file mode 100644 index 73cb7a6b40..0000000000 --- a/lib/libpam/libpam/pam_std_option.c +++ /dev/null 
@@ -1,178 +0,0 @@
-/*-
- * Copyright 1998 Juniper Networks, Inc.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * $FreeBSD: src/lib/libpam/libpam/pam_std_option.c,v 1.1.1.1.6.4 2002/07/03 21:45:44 des Exp $
- * $DragonFly: src/lib/libpam/libpam/Attic/pam_std_option.c,v 1.2 2003/06/17 04:26:50 dillon Exp $
- */
-
-#include
-#include
-#include
-
-#include
-#include
-
-/* Everyone has to have these options. It is not an error to
- * specify them and then not use them.
- */
-struct opttab std_options[PAM_MAX_OPTIONS] = {
- { "debug", PAM_OPT_DEBUG },
- { "no_warn", PAM_OPT_NO_WARN },
- { "echo_pass", PAM_OPT_ECHO_PASS },
- { "use_first_pass", PAM_OPT_USE_FIRST_PASS },
- { "try_first_pass", PAM_OPT_TRY_FIRST_PASS },
- { "use_mapped_pass", PAM_OPT_USE_MAPPED_PASS },
- { "try_mapped_pass", PAM_OPT_TRY_MAPPED_PASS },
- { "expose_account", PAM_OPT_EXPOSE_ACCOUNT },
- { NULL, 0 }
-};
-
-/* Populate the options structure, syslogging all errors */
-void
-pam_std_option(struct options *options, struct opttab other_options[],
- int argc, const char *argv[])
-{
- struct opttab *oo;
- int i, j, std, extra, arglen, found;
-
- std = 1;
- extra = 1;
- oo = other_options;
- for (i = 0; i < PAM_MAX_OPTIONS; i++) {
- if (std && std_options[i].name == NULL)
- std = 0;
- else if (extra && (oo == NULL || oo->name == NULL))
- extra = 0;
-
- if (std)
- options->opt[i].name = std_options[i].name;
- else if (extra) {
- if (oo->value != i)
- syslog(LOG_DEBUG, "Extra option fault: %d %d",
- oo->value, i);
- options->opt[i].name = oo->name;
- oo++;
- }
- else
- options->opt[i].name = NULL;
-
- options->opt[i].bool = 0;
- options->opt[i].arg = NULL;
- }
-
- for (j = 0; j < argc; j++) {
-#ifdef DEBUG
- syslog(LOG_DEBUG, "Doing arg %s", argv[j]);
-#endif
- found = 0;
- for (i = 0; i < PAM_MAX_OPTIONS; i++) {
- if (options->opt[i].name == NULL)
- break;
- arglen = strlen(options->opt[i].name);
- if (strcmp(argv[j], options->opt[i].name) == 0) {
- options->opt[i].bool = 1;
- found = 1;
- break;
- }
- else if (strncmp(argv[j], options->opt[i].name, arglen)
- == 0 && argv[j][arglen] == '=') {
- options->opt[i].bool = 1;
- options->opt[i].arg
- = strdup(&argv[j][arglen + 1]);
- found = 1;
- break;
- }
- }
- if (!found)
- syslog(LOG_WARNING, "PAM option: %s invalid", argv[j]);
- }
-}
-
-/* Test if option is set in options */
-int
-pam_test_option(struct options *options, enum opt option, char **arg)
-{
- if (arg != NULL)
- *arg = options->opt[option].arg;
- return options->opt[option].bool;
-}
-
-/* Set option in options, errors to syslog */
-void
-pam_set_option(struct options *options, enum opt option)
-{
- if (option < PAM_OPT_STD_MAX)
- options->opt[option].bool = 1;
-#ifdef DEBUG
- else
- syslog(LOG_DEBUG, "PAM options: attempt to set option %d",
- option);
-#endif
-}
-
-/* Clear option in options, errors to syslog */
-void
-pam_clear_option(struct options *options, enum opt option)
-{
- if (option < PAM_OPT_STD_MAX)
- options->opt[option].bool = 0;
-#ifdef DEBUG
- else
- syslog(LOG_DEBUG, "PAM options: attempt to clear option %d",
- option);
-#endif
-}
-
-#ifdef DEBUG1
-enum { PAM_OPT_FOO=PAM_OPT_STD_MAX, PAM_OPT_BAR, PAM_OPT_BAZ, PAM_OPT_QUX };
-
-struct opttab other_options[] = {
- { "foo", PAM_OPT_FOO },
- { "bar", PAM_OPT_BAR },
- { "baz", PAM_OPT_BAZ },
- { "qux", PAM_OPT_QUX },
- { NULL, 0 }
-};
-
-int
-main(int argc, const char *argv[])
-{
- struct options options;
- int i, opt;
- char *arg;
-
- pam_std_option(&options, other_options, argc, argv);
- for (i = 0; i < PAM_MAX_OPTIONS; i++) {
- opt = pam_test_option(&options, i, &arg);
- if (opt) {
- if (arg == NULL)
- printf("%d []\n", i);
- else
- printf("%d [%s]\n", i, arg);
- }
- }
- return 0;
-}
-#endif
diff --git a/lib/libpam/libpam/security/pam_mod_misc.h b/lib/libpam/libpam/security/pam_mod_misc.h
deleted file mode 100644
index 8648ca7004..0000000000
--- a/lib/libpam/libpam/security/pam_mod_misc.h
+++ /dev/null
@@ -1,88 +0,0 @@
-/*-
- * Copyright 1998 Juniper Networks, Inc.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * $FreeBSD: src/lib/libpam/libpam/security/pam_mod_misc.h,v 1.10.2.2 2002/07/03 21:45:44 des Exp $
- * $DragonFly: src/lib/libpam/libpam/security/Attic/pam_mod_misc.h,v 1.3 2005/02/17 13:59:35 joerg Exp $
- */
-
-#ifndef PAM_MOD_MISC_H
-#define PAM_MOD_MISC_H
-
-#include
-
-/* Standard options
- */
-enum opt { PAM_OPT_DEBUG, PAM_OPT_NO_WARN, PAM_OPT_ECHO_PASS,
- PAM_OPT_USE_FIRST_PASS, PAM_OPT_TRY_FIRST_PASS, PAM_OPT_USE_MAPPED_PASS,
- PAM_OPT_TRY_MAPPED_PASS, PAM_OPT_EXPOSE_ACCOUNT,
- PAM_OPT_STD_MAX /* XXX */ };
-
-#define PAM_MAX_OPTIONS 32
-
-struct opttab {
- const char *name;
- int value;
-};
-
-struct options {
- struct {
- const char *name;
- int bool;
- char *arg;
- } opt[PAM_MAX_OPTIONS];
-};
-
-__BEGIN_DECLS
-int pam_get_pass(pam_handle_t *, const char **, const char *, struct options *);
-int pam_prompt(pam_handle_t *, int, const char *, char **);
-void pam_std_option(struct options *, struct opttab *, int, const char **);
-int pam_test_option(struct options *, enum opt, char **);
-void pam_set_option(struct options *, enum opt);
-void pam_clear_option(struct options *, enum opt);
-__END_DECLS
-
-#define PAM_LOG(args...) \
- _pam_log(&options, __FILE__, __func__, ##args)
-
-#define PAM_RETURN(arg) \
- do { \
- _pam_log_retval(&options, __FILE__, __func__, arg); \
- return arg; \
- } while (0)
-
-#define PAM_VERBOSE_ERROR(args...) \
- _pam_verbose_error(pamh, &options, __FILE__, __func__, ##args)
-
-#ifdef NGROUPS_MAX
-#define PAM_SAVED_CRED "pam_saved_cred"
-struct pam_saved_cred {
- uid_t euid;
- gid_t egid;
- gid_t groups[NGROUPS_MAX];
- int ngroups;
-};
-#endif
-
-#endif
diff --git a/lib/libpam/modules/Makefile b/lib/libpam/modules/Makefile
deleted file mode 100644
index 4b651903d5..0000000000
--- a/lib/libpam/modules/Makefile
+++ /dev/null
@@ -1,44 +0,0 @@ -# Copyright 1998 Juniper Networks, Inc. -# All rights reserved. -# -# Redistribution and use in source and binary forms, with or without -# modification, are permitted provided that the following conditions -# are met: -# 1. Redistributions of source code must retain the above copyright -# notice, this list of conditions and the following disclaimer. -# 2. Redistributions in binary form must reproduce the above copyright -# notice, this list of conditions and the following disclaimer in the -# documentation and/or other materials provided with the distribution. -# -# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND -# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE -# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS -# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT -# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY -# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF -# SUCH DAMAGE. -# -# $FreeBSD: src/lib/libpam/modules/Makefile,v 1.8.2.8 2002/07/03 21:35:18 des Exp $ -# $DragonFly: src/lib/libpam/modules/Attic/Makefile,v 1.3 2003/08/05 07:45:41 asmodai Exp $ - -SUBDIR+= pam_cleartext_pass_ok -SUBDIR+= pam_deny -.if defined(MAKE_KERBEROS5) && !defined(NOCRYPT) && !defined(NO_OPENSSL) -SUBDIR+= pam_krb5 -.endif -SUBDIR+= pam_opie -SUBDIR+= pam_opieaccess -SUBDIR+= pam_permit -SUBDIR+= pam_radius -SUBDIR+= pam_skey -.if !defined(NOCRYPT) && !defined(NO_OPENSSL) && !defined(NO_OPENSSH) -SUBDIR+= pam_ssh -.endif -SUBDIR+= pam_tacplus -SUBDIR+= pam_unix - -.include 
diff --git a/lib/libpam/modules/Makefile.inc b/lib/libpam/modules/Makefile.inc deleted file mode 100644 index bf0b83ae59..0000000000 --- a/lib/libpam/modules/Makefile.inc +++ /dev/null @@ -1,7 +0,0 @@ -# $FreeBSD: src/lib/libpam/modules/Makefile.inc,v 1.5.2.4 2002/07/19 18:46:30 ru Exp $ -# $DragonFly: src/lib/libpam/modules/Attic/Makefile.inc,v 1.2 2003/06/17 04:26:50 dillon Exp $ - -PAMDIR= ${.CURDIR}/../../../../contrib/libpam -SHLIB_NAME= ${LIB}.so -NOINSTALLLIB= yes -NOPROFILE= yes diff --git a/lib/libpam/modules/pam_cleartext_pass_ok/Makefile b/lib/libpam/modules/pam_cleartext_pass_ok/Makefile deleted file mode 100644 index 74163ca883..0000000000 --- a/lib/libpam/modules/pam_cleartext_pass_ok/Makefile +++ /dev/null 
@@ -1,36 +0,0 @@ -# Copyright 1998 Juniper Networks, Inc. -# All rights reserved. -# -# Redistribution and use in source and binary forms, with or without -# modification, are permitted provided that the following conditions -# are met: -# 1. Redistributions of source code must retain the above copyright -# notice, this list of conditions and the following disclaimer. -# 2. Redistributions in binary form must reproduce the above copyright -# notice, this list of conditions and the following disclaimer in the -# documentation and/or other materials provided with the distribution. -# -# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND -# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE -# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS -# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT -# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY -# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF -# SUCH DAMAGE. -# -# $FreeBSD: src/lib/libpam/modules/pam_cleartext_pass_ok/Makefile,v 1.2.6.6 2002/07/03 21:41:29 des Exp $ -# $DragonFly: src/lib/libpam/modules/pam_cleartext_pass_ok/Attic/Makefile,v 1.2 2003/06/17 04:26:50 dillon Exp $ - - -LIB= pam_cleartext_pass_ok -SRCS= pam_cleartext_pass_ok.c -CFLAGS+= -I${PAMDIR}/libpam/include -CFLAGS+= -Wall -DPADD= ${LIBSKEY} -LDADD= -lskey - -.include diff --git a/lib/libpam/modules/pam_cleartext_pass_ok/pam_cleartext_pass_ok.c b/lib/libpam/modules/pam_cleartext_pass_ok/pam_cleartext_pass_ok.c deleted file mode 100644 index 8e1349cc46..0000000000 
--- a/lib/libpam/modules/pam_cleartext_pass_ok/pam_cleartext_pass_ok.c
+++ /dev/null
@@ -1,68 +0,0 @@
-/*-
- * Copyright 1998 Juniper Networks, Inc.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * $FreeBSD: src/lib/libpam/modules/pam_cleartext_pass_ok/pam_cleartext_pass_ok.c,v 1.2 1999/01/20 21:55:24 jdp Exp $
- * $DragonFly: src/lib/libpam/modules/pam_cleartext_pass_ok/Attic/pam_cleartext_pass_ok.c,v 1.2 2003/06/17 04:26:50 dillon Exp $
- */
-
-#include
-#include
-
-#define PAM_SM_AUTH
-#include
-
-PAM_EXTERN int
-pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc,
- const char **argv)
-{
- int retval;
- const void *item;
- const char *user;
- const char *tty;
- const char *rhost;
-
- if ((retval = pam_get_user(pamh, &user, NULL)) != PAM_SUCCESS)
- return retval;
- if ((retval = pam_get_item(pamh, PAM_TTY, &item)) != PAM_SUCCESS)
- return retval;
- tty = (const char *)item;
- if ((retval = pam_get_item(pamh, PAM_RHOST, &item)) != PAM_SUCCESS)
- return retval;
- rhost = (const char *)item;
- /*
- * The cast in the next statement is necessary only because the
- * declaration of skeyaccess is wrong.
- */
- return skeyaccess((char *)user, tty, rhost, NULL) ?
- PAM_SUCCESS : PAM_AUTH_ERR;
-}
-
-PAM_EXTERN int
-pam_sm_setcred(pam_handle_t *pamh, int flags, int argc, const char **argv)
-{
- return PAM_SUCCESS;
-}
-
-PAM_MODULE_ENTRY("pam_cleartext_pass_ok");
diff --git a/lib/libpam/modules/pam_deny/Makefile b/lib/libpam/modules/pam_deny/Makefile
deleted file mode 100644
index c0a322b28e..0000000000
--- a/lib/libpam/modules/pam_deny/Makefile
+++ /dev/null
@@ -1,36 +0,0 @@ -# Copyright 1999 Max Khon. -# All rights reserved. -# -# Redistribution and use in source and binary forms, with or without -# modification, are permitted provided that the following conditions -# are met: -# 1. Redistributions of source code must retain the above copyright -# notice, this list of conditions and the following disclaimer. -# 2. Redistributions in binary form must reproduce the above copyright -# notice, this list of conditions and the following disclaimer in the -# documentation and/or other materials provided with the distribution. -# -# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND -# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE -# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS -# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT -# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY -# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF -# SUCH DAMAGE. -# -# $FreeBSD: src/lib/libpam/modules/pam_deny/Makefile,v 1.1.4.5 2002/07/03 23:04:11 des Exp $ -# $DragonFly: src/lib/libpam/modules/pam_deny/Attic/Makefile,v 1.2 2003/06/17 04:26:50 dillon Exp $ - - -LIB= pam_deny -SRCS= pam_deny.c -CFLAGS+= -Wall -CFLAGS+= -I${PAMDIR}/libpam/include - -.include - -.PATH: ${PAMDIR}/modules/pam_deny diff --git a/lib/libpam/modules/pam_krb5/COPYRIGHT b/lib/libpam/modules/pam_krb5/COPYRIGHT deleted file mode 100644 index 94d5f586b2..0000000000 --- a/lib/libpam/modules/pam_krb5/COPYRIGHT +++ /dev/null 
@@ -1,196 +0,0 @@ -pam_krb5: - -$FreeBSD: src/lib/libpam/modules/pam_krb5/COPYRIGHT,v 1.1.2.1 2001/06/07 09:37:05 markm Exp $ -$DragonFly: src/lib/libpam/modules/pam_krb5/Attic/COPYRIGHT,v 1.2 2003/06/17 04:26:50 dillon Exp $ - -Copyright (c) Frank Cusack, 1999-2000. -fcusack@fcusack.com -All rights reserved - -Redistribution and use in source and binary forms, with or without -modification, are permitted provided that the following conditions -are met: -1. Redistributions of source code must retain the above copyright - notice, and the entire permission notice in its entirety, - including the disclaimer of warranties. -2. Redistributions in binary form must reproduce the above copyright - notice, this list of conditions and the following disclaimer in the - documentation and/or other materials provided with the distribution. -3. The name of the author may not be used to endorse or promote - products derived from this software without specific prior - written permission. - -ALTERNATIVELY, this product may be distributed under the terms of -the GNU Public License, in which case the provisions of the GPL are -required INSTEAD OF the above restrictions. (This clause is -necessary due to a potential bad interaction between the GPL and -the restrictions contained in a BSD-style copyright.) - -THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED -WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES -OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE -DISCLAIMED. 
IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, -INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES -(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR -SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, -STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) -ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED -OF THE POSSIBILITY OF SUCH DAMAGE. - ---------------------------------------------------------------------------- - -This software may contain code from Naomaru Itoi: - -PAM-kerberos5 module Copyright notice. -Naomaru Itoi , June 24, 1997. - ----------------------------------------------------------------------------- -COPYRIGHT (c) 1997 -THE REGENTS OF THE UNIVERSITY OF MICHIGAN -ALL RIGHTS RESERVED - -PERMISSION IS GRANTED TO USE, COPY, CREATE DERIVATIVE WORKS AND REDISTRIBUTE -THIS SOFTWARE AND SUCH DERIVATIVE WORKS FOR ANY PURPOSE, SO LONG AS THE NAME -OF THE UNIVERSITY OF MICHIGAN IS NOT USED IN ANY ADVERTISING OR PUBLICITY -PERTAINING TO THE USE OR DISTRIBUTION OF THIS SOFTWARE WITHOUT SPECIFIC, -WRITTEN PRIOR AUTHORIZATION. IF THE ABOVE COPYRIGHT NOTICE OR ANY OTHER -IDENTIFICATION OF THE UNIVERSITY OF MICHIGAN IS INCLUDED IN ANY COPY OF ANY -PORTION OF THIS SOFTWARE, THEN THE DISCLAIMER BELOW MUST ALSO BE INCLUDED. - -THE SOFTWARE IS PROVIDED AS IS, WITHOUT REPRESENTATION FROM THE UNIVERSITY OF -MICHIGAN AS TO ITS FITNESS FOR ANY PURPOSE, AND WITHOUT WARRANTY BY THE -UNIVERSITY OF MICHIGAN OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING -WITHOUT LIMITATION THE IMPLIED WARRANTIES OF MERCHANTABITILY AND FITNESS FOR A -PARTICULAR PURPOSE. 
THE REGENTS OF THE UNIVERSITY OF MICHIGAN SHALL NOT BE -LIABLE FOR ANY DAMAGES, INCLUDING SPECIAL, INDIRECT, INCIDENTAL, OR -CONSEQUENTIAL DAMAGES, WITH RESPECT TO ANY CLAIM ARISING OUT OF OR IN -CONNECTION WITH THE USE OF THE SOFTWARE, EVEN IF IT HAS BEEN OR IS HEREAFTER -ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. - -PAM-kerberos5 module is written based on PAM-kerberos4 module -by Derrick J. Brashear and kerberos5-1.0pl1 by M.I.T. kerberos team. -Permission to use, copy, modify, distribute this software is hereby -granted, as long as it is granted by Derrick J. Brashear and -M.I.T. kerberos team. Followings are their copyright information. ----------------------------------------------------------------------------- - -This software may contain code from Derrick J. Brashear: - - -Copyright (c) Derrick J. Brashear, 1996. All rights reserved - -Redistribution and use in source and binary forms, with or without -modification, are permitted provided that the following conditions -are met: -1. Redistributions of source code must retain the above copyright - notice, and the entire permission notice in its entirety, - including the disclaimer of warranties. -2. Redistributions in binary form must reproduce the above copyright - notice, this list of conditions and the following disclaimer in the - documentation and/or other materials provided with the distribution. -3. The name of the author may not be used to endorse or promote - products derived from this software without specific prior - written permission. - -ALTERNATIVELY, this product may be distributed under the terms of -the GNU Public License, in which case the provisions of the GPL are -required INSTEAD OF the above restrictions. (This clause is -necessary due to a potential bad interaction between the GPL and -the restrictions contained in a BSD-style copyright.) 
- -THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED -WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES -OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE -DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, -INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES -(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR -SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, -STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) -ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED -OF THE POSSIBILITY OF SUCH DAMAGE. - ----------------------------------------------------------------------------- - -This software may contain code from MIT Kerberos 5: - -Copyright Notice and Legal Administrivia ----------------------------------------- - -Copyright (C) 1996 by the Massachusetts Institute of Technology. - -All rights reserved. - -Export of this software from the United States of America may require -a specific license from the United States Government. It is the -responsibility of any person or organization contemplating export to -obtain such a license before exporting. - -WITHIN THAT CONSTRAINT, permission to use, copy, modify, and -distribute this software and its documentation for any purpose and -without fee is hereby granted, provided that the above copyright -notice appear in all copies and that both that copyright notice and -this permission notice appear in supporting documentation, and that -the name of M.I.T. not be used in advertising or publicity pertaining -to distribution of the software without specific, written prior -permission. M.I.T. makes no representations about the suitability of -this software for any purpose. It is provided "as is" without express -or implied warranty. 
- -THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR -IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED -WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. - -Individual source code files are copyright MIT, Cygnus Support, -OpenVision, Oracle, Sun Soft, and others. - -Project Athena, Athena, Athena MUSE, Discuss, Hesiod, Kerberos, Moira, -and Zephyr are trademarks of the Massachusetts Institute of Technology -(MIT). No commercial use of these trademarks may be made without -prior written permission of MIT. - -"Commercial use" means use of a name in a product or other for-profit -manner. It does NOT prevent a commercial firm from referring to the -MIT trademarks in order to convey information (although in doing so, -recognition of their trademark status should be given). - -The following copyright and permission notice applies to the -OpenVision Kerberos Administration system located in kadmin/create, -kadmin/dbutil, kadmin/passwd, kadmin/server, lib/kadm5, and portions -of lib/rpc: - - Copyright, OpenVision Technologies, Inc., 1996, All Rights Reserved - - WARNING: Retrieving the OpenVision Kerberos Administration system - source code, as described below, indicates your acceptance of the - following terms. If you do not agree to the following terms, do not - retrieve the OpenVision Kerberos administration system. - - You may freely use and distribute the Source Code and Object Code - compiled from it, with or without modification, but this Source - Code is provided to you "AS IS" EXCLUSIVE OF ANY WARRANTY, - INCLUDING, WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY OR - FITNESS FOR A PARTICULAR PURPOSE, OR ANY OTHER WARRANTY, WHETHER - EXPRESS OR IMPLIED. 
IN NO EVENT WILL OPENVISION HAVE ANY LIABILITY - FOR ANY LOST PROFITS, LOSS OF DATA OR COSTS OF PROCUREMENT OF - SUBSTITUTE GOODS OR SERVICES, OR FOR ANY SPECIAL, INDIRECT, OR - CONSEQUENTIAL DAMAGES ARISING OUT OF THIS AGREEMENT, INCLUDING, - WITHOUT LIMITATION, THOSE RESULTING FROM THE USE OF THE SOURCE - CODE, OR THE FAILURE OF THE SOURCE CODE TO PERFORM, OR FOR ANY - OTHER REASON. - - OpenVision retains all copyrights in the donated Source Code. OpenVision - also retains copyright to derivative works of the Source Code, whether - created by OpenVision or by a third party. The OpenVision copyright - notice must be preserved if derivative works are made based on the - donated Source Code. - - OpenVision Technologies, Inc. has donated this Kerberos - Administration system to MIT for inclusion in the standard - Kerberos 5 distribution. This donation underscores our - commitment to continuing Kerberos technology development - and our gratitude for the valuable work which has been - performed by MIT and the Kerberos community. - - diff --git a/lib/libpam/modules/pam_krb5/Makefile b/lib/libpam/modules/pam_krb5/Makefile deleted file mode 100644 index bee6645ec5..0000000000 --- a/lib/libpam/modules/pam_krb5/Makefile +++ /dev/null 
@@ -1,41 +0,0 @@ -# Copyright 2001 FreeBSD, Inc. -# All rights reserved. -# -# Redistribution and use in source and binary forms, with or without -# modification, are permitted provided that the following conditions -# are met: -# 1. Redistributions of source code must retain the above copyright -# notice, this list of conditions and the following disclaimer. -# 2. Redistributions in binary form must reproduce the above copyright -# notice, this list of conditions and the following disclaimer in the -# documentation and/or other materials provided with the distribution. -# -# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND -# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE -# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS -# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT -# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY -# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF -# SUCH DAMAGE. -# -# $FreeBSD: src/lib/libpam/modules/pam_krb5/Makefile,v 1.2.2.5 2002/07/23 09:29:53 ru Exp $ -# $DragonFly: src/lib/libpam/modules/pam_krb5/Attic/Makefile,v 1.2 2003/06/17 04:26:50 dillon Exp $ - - -LIB= pam_krb5 -SRCS= pam_krb5_auth.c pam_krb5_pass.c pam_krb5_acct.c \ - pam_krb5_sess.c support.c compat_heimdal.c -CFLAGS+= -Wall -CFLAGS+= -I${PAMDIR}/libpam/include -CFLAGS+= -I${.CURDIR}/../../libpam -DPADD= ${LIBKRB5} ${LIBGSSAPI} ${LIBASN1} ${LIBCRYPTO} ${LIBCRYPT} \ - ${LIBCOM_ERR} ${LIBROKEN} -LDADD= -lkrb5 -lgssapi -lasn1 -lcrypto -lcrypt -lcom_err \ - -lroken -MAN= pam_krb5.8 - -.include 
diff --git a/lib/libpam/modules/pam_krb5/README b/lib/libpam/modules/pam_krb5/README deleted file mode 100644 index 0b4b5acb0c..0000000000 --- a/lib/libpam/modules/pam_krb5/README +++ /dev/null 
@@ -1,73 +0,0 @@ -$FreeBSD: src/lib/libpam/modules/pam_krb5/README,v 1.1.2.2 2001/07/29 18:57:30 markm Exp $ -$DragonFly: src/lib/libpam/modules/pam_krb5/Attic/README,v 1.2 2003/06/17 04:26:50 dillon Exp $ - -This is the README for pam_krb5, a PAM module which support Kerberos 5 -authentication. - -This software is Copyright (c) 1999-2000 Frank Cusack. -All Rights Reserved. - -See the COPYRIGHT file, included with this distribution, for copyright -and redistribution information. - -Author: -Frank Cusack - - - -I. Kerberos notes - -This PAM module requires the MIT 1.1+ release of Kerberos, or the Cygnus -CNS distribution. It has not been tested against heimdal or any other -Kerberos distributions. - -Unlike other PAM Kerberos 5 modules out there, this one does not -use any private Kerberos interfaces. Thus, you need only the -header files and libraries that are part of the Kerberos distribution. - - -II. OS notes - -This software has been tested against Solaris 2.6. It should compile -against Linux (distributions?) with minimal (if any) changes. Reports -of OS [in]compatibilities are welcomed. - -dtlogin on Solaris doesn't support xrealm logins (probably a good thing). - -III. PAM notes/open issues - -auth module: -When is pam_sm_setcred() ever called with flags other than PAM_ESTABLISH_CRED? -It would be fairly easy to support PAM_DELETE_CRED. - -acct module: -I believe this to be complete. - -session module: -This is complete (both functions just return success). - -passwd module: -When is pam_sm_chauthtok() ever called with flags other than -PAM_UPDATE_AUTHTOK? - - -IV. Usage - -Simply change /etc/pam.conf to include this module. Make sure to include -the acct category whenever you use the auth category, or .k5login will -not get checked. - -You probably want to make this module "sufficient", before your unix -(or other) module(s). - - -V. 
Acknowledgements - -Thanks to Naomaru Itoi , -Curtis King , and Derrick Brashear , -all of whom have written and made available Kerberos 4/5 modules. -Although no code in this module is directly from these author's modules, -(except the get_user_info() routine in support.c; derived from whichever -of these authors originally wrote the first module the other 2 copied from), -it was extremely helpful to look over their code which aided in my design. - diff --git a/lib/libpam/modules/pam_krb5/TODO b/lib/libpam/modules/pam_krb5/TODO deleted file mode 100644 index a7ec5e8c5b..0000000000 --- a/lib/libpam/modules/pam_krb5/TODO +++ /dev/null @@ -1,17 +0,0 @@ -$FreeBSD: src/lib/libpam/modules/pam_krb5/TODO,v 1.1.2.1 2001/06/07 09:37:07 markm Exp $ -$DragonFly: src/lib/libpam/modules/pam_krb5/Attic/TODO,v 1.2 2003/06/17 04:26:50 dillon Exp $ - -Things for 1.1, in no particular order: - -Check against Solaris 7, Solaris 8 beta. Check SEAM compatibility. -Check against Linux (Redhat, others?). -Check against HPUX. -Fix PAM flags checking. -Add more debugging for successful calls. -Move "entry" debugging up. -Check bounds on str* calls. [paranoia] - -Get defaults from krb5.conf? -** Allow no-xrealm, this module typically used for local login ** -** Add notes about runtime text relocation on Solaris ** - diff --git a/lib/libpam/modules/pam_krb5/compat_heimdal.c b/lib/libpam/modules/pam_krb5/compat_heimdal.c deleted file mode 100644 index 6d21d398cb..0000000000 --- a/lib/libpam/modules/pam_krb5/compat_heimdal.c +++ /dev/null 
@@ -1,134 +0,0 @@
-/*
- * compat_heimdal.c
- *
- * Heimdal compatibility layer.
- *
- * $FreeBSD: src/lib/libpam/modules/pam_krb5/compat_heimdal.c,v 1.1.2.2 2001/07/29 18:57:30 markm Exp $
- * $DragonFly: src/lib/libpam/modules/pam_krb5/Attic/compat_heimdal.c,v 1.4 2004/10/25 19:38:45 drhodus Exp $
- */
-
-#include
-#include
-#include
-#include
-
-#include
-#include
-#include
-#include "pam_krb5.h"
-
-const char *
-compat_princ_component(krb5_context context, krb5_principal princ, int n)
-{
- return princ->name.name_string.val[n];
-}
-
-void
-compat_free_data_contents(krb5_context context, krb5_data *data)
-{
- krb5_xfree(data->data);
-}
-
-static krb5_error_code
-heimdal_pam_prompter(krb5_context context, void *data, const char *name,
- const char *banner, int num_prompts, krb5_prompt prompts[])
-{
- int pam_prompts = num_prompts;
- int pamret, i;
-
- struct pam_message *msg;
- struct pam_response *resp = NULL;
- struct pam_conv *conv;
- pam_handle_t *pamh = (pam_handle_t *) data;
-
- if ((pamret = pam_get_item(pamh, PAM_CONV, (const void **) &conv)) != 0)
- return KRB5KRB_ERR_GENERIC;
-
- if (banner)
- pam_prompts++;
-
- msg = calloc(sizeof(struct pam_message) * pam_prompts, 1);
- if (!msg)
- return ENOMEM;
-
- /* Now use pam_prompts as an index */
- pam_prompts = 0;
-
- if (banner) {
- msg[pam_prompts].msg = malloc(strlen(banner) + 1);
- if (!msg[pam_prompts].msg)
- goto cleanup;
- strcpy((char *) msg[pam_prompts].msg, banner);
- msg[pam_prompts].msg_style = PAM_TEXT_INFO;
- pam_prompts++;
- }
-
- for (i = 0; i < num_prompts; i++) {
- msg[pam_prompts].msg = malloc(strlen(prompts[i].prompt) + 3);
- if (!msg[pam_prompts].msg)
- goto cleanup;
- sprintf((char *) msg[pam_prompts].msg, "%s: ", prompts[i].prompt);
- msg[pam_prompts].msg_style = prompts[i].hidden ? PAM_PROMPT_ECHO_OFF
- : PAM_PROMPT_ECHO_ON;
- pam_prompts++;
- }
-
- if ((pamret = conv->conv(pam_prompts, (const struct pam_message **) &msg,
- &resp, conv->appdata_ptr)) != 0)
- goto cleanup;
-
- if (!resp)
- goto cleanup;
-
- /* Reuse pam_prompts as a starting index */
- pam_prompts = 0;
- if (banner)
- pam_prompts++;
-
- for (i = 0; i < num_prompts; i++, pam_prompts++) {
- int len;
- if (!resp[pam_prompts].resp) {
- pamret = PAM_AUTH_ERR;
- goto cleanup;
- }
- len = strlen(resp[pam_prompts].resp); /* Help out the compiler */
- if (len > prompts[i].reply->length) {
- pamret = PAM_AUTH_ERR;
- goto cleanup;
- }
- memcpy(prompts[i].reply->data, resp[pam_prompts].resp, len);
- prompts[i].reply->length = len;
- }
-
-cleanup:
- /* pam_prompts is correct at this point */
-
- for (i = 0; i < pam_prompts; i++) {
- if (msg[i].msg)
- free((char *) msg[i].msg);
- }
- free(msg);
-
- if (resp) {
- for (i = 0; i < pam_prompts; i++) {
- /*
- * Note that PAM is underspecified wrt free()'ing resp[i].resp.
- * It's not clear if I should free it, or if the application
- * has to. Therefore most (all?) apps won't free() it, and I
- * can't either, as I am not sure it was malloc()'d. All PAM
- * implementations I've seen leak memory here. Not so bad, IFF
- * you fork/exec for each PAM authentication (as is typical).
- */
-#if 0
- if (resp[i].resp)
- free(resp[i].resp);
-#endif /* 0 */
- }
- /* This does not lose resp[i].resp if the application saved a copy. */
- free(resp);
- }
-
- return (pamret ? KRB5KRB_ERR_GENERIC : 0);
-}
-
-krb5_prompter_fct pam_prompter = heimdal_pam_prompter;
diff --git a/lib/libpam/modules/pam_krb5/pam_krb5.8 b/lib/libpam/modules/pam_krb5/pam_krb5.8
deleted file mode 100644
index e27804892d..0000000000
--- a/lib/libpam/modules/pam_krb5/pam_krb5.8
+++ /dev/null
@@ -1,213 +0,0 @@ -.\" -.\" $Id: pam_krb5.5,v 1.5 2000/01/05 00:59:56 fcusack Exp $ -.\" $FreeBSD: src/lib/libpam/modules/pam_krb5/pam_krb5.8,v 1.1.2.3 2001/12/17 10:08:31 ru Exp $ -.\" $DragonFly: src/lib/libpam/modules/pam_krb5/Attic/pam_krb5.8,v 1.2 2003/06/17 04:26:50 dillon Exp $ -.Dd January 15, 1999 -.Dt PAM_KRB5 8 -.Os -.Sh NAME -.Nm pam_krb5 -.Nd Kerberos 5 PAM module -.Sh SYNOPSIS -.Pa /usr/lib/pam_krb5.so -.Sh DESCRIPTION -The Kerberos 5 service module for PAM, typically -.Pa /usr/lib/pam_krb5.so , -provides functionality for three PAM categories: -authentication, -account management, -and password management. -It also provides null functions for session management. -The -.Pa pam_krb5.so -module is a shared object -that can be dynamically loaded to provide -the necessary functionality upon demand. -Its path is specified in the -PAM configuration file. -.Ss Kerberos 5 Authentication Module -The Kerberos 5 authentication component -provides functions to verify the identity of a user -.Pq Fn pam_sm_authenticate -and to set user specific credentials -.Pq Fn pam_sm_setcred . -.Fn pam_sm_authenticate -converts the supplied username into a Kerberos principal, -by appending the default local realm name. -It also supports usernames with explicit realm names. -If a realm name is supplied, then upon a successful return, it -changes the username by mapping the principal name into a local username -(calling -.Fn krb5_aname_to_localname ) . -This typically just means -the realm name is stripped. -.Pp -It prompts the user for a password and obtains a new Kerberos TGT for -the principal. -The TGT is verified by obtaining a service -ticket for the local host. -.Pp -When prompting for the current password, the authentication -module will use the prompt -.Dq Li "Password for :" . -.Pp -The -.Fn pam_sm_setcred -function stores the newly acquired credentials in a credentials cache, -and sets the environment variable -.Ev KRB5CCNAME -appropriately. 
-The credentials cache should be destroyed by the user at logout with -.Xr kdestroy 1 . -.Pp -The following options may be passed to the authentication module: -.Bl -tag -width ".Cm use_first_pass" -.It Cm debug -.Xr syslog 3 -debugging information at -.Dv LOG_DEBUG -level. -.It Cm use_first_pass -If the authentication module is not the first in the stack, -and a previous module obtained the user's password, that password is -used to authenticate the user. -If this fails, the authentication -module returns failure without prompting the user for a password. -This option has no effect if the authentication module is -the first in the stack, or if no previous modules obtained the -user's password. -.It Cm try_first_pass -This option is similar to the -.Cm use_first_pass -option, except that if the previously obtained password fails, the -user is prompted for another password. -.It Cm forwardable -Obtain forwardable Kerberos credentials for the user. -.It Cm no_ccache -Do not save the obtained credentials in a credentials cache. -This is a -useful option if the authentication module is used for services such -as ftp or pop, where the user would not be able to destroy them. -[This -is not a recommendation to use the module for those services.] -.It Cm ccache Ns = Ns Ar name -Use -.Ar name -as the credentials cache. -.Ar name -must be in the form -.Ar type : Ns Ar residual . -The special tokens -.Ql %u , -to designate the decimal UID of the user; -and -.Ql %p , -to designate the current process ID; can be used in -.Ar name . -.El -.Ss Kerberos 5 Account Management Module -The Kerberos 5 account management component -provides a function to perform account management, -.Fn pam_sm_acct_mgmt . -The function verifies that the authenticated principal is allowed -to login to the local user account by calling -.Fn krb5_kuserok -(which checks the user's -.Pa .k5login -file). 
-.Ss Kerberos 5 Password Management Module -The Kerberos 5 password management component -provides a function to change passwords -.Pq Fn pam_sm_chauthtok . -The username supplied (the -user running the -.Xr passwd 1 -command, or the username given as an argument) is mapped into -a Kerberos principal name, using the same technique as in -the authentication module. -Note that if a realm name was -explicitly supplied during authentication, but not during -a password change, the mapping -done by the password management module may not result in the -same principal as was used for authentication. -.Pp -Unlike when -changing a -.Ux -password, the password management module will -allow any user to change any principal's password (if the user knows -the principal's old password, of course). -Also unlike -.Ux , -root -is always prompted for the principal's old password. -.Pp -The password management module uses the same heuristics as -.Xr kpasswd 1 -to determine how to contact the Kerberos password server. -.Pp -The following options may be passed to the password management -module: -.Bl -tag -width ".Cm use_first_pass" -.It Cm debug -.Xr syslog 3 -debugging information at -.Dv LOG_DEBUG -level. -.It Cm use_first_pass -If the password management module is not the first in the stack, -and a previous module obtained the user's old password, that password is -used to authenticate the user. -If this fails, the password -management -module returns failure without prompting the user for the old password. -If successful, the new password entered to the previous module is also -used as the new Kerberos password. -If the new password fails, -the password management module returns failure without -prompting the user for a new password. -.It Cm try_first_pass -This option is similar to the -.Cm use_first_pass -option, except that if the previously obtained old or new passwords fail, -the user is prompted for them. 
-.El -.Ss Kerberos 5 Session Management Module -The Kerberos 5 session management component -provides functions to initiate -.Pq Fn pam_sm_open_session -and terminate -.Pq Fn pam_sm_close_session -sessions. -Since session management is not defined under Kerberos 5, -both of these functions simply return success. -They are provided -only because of the naming conventions for PAM modules. -.Sh ENVIRONMENT -.Bl -tag -width "KRB5CCNAME" -.It Ev KRB5CCNAME -Location of the credentials cache. -.El -.Sh FILES -.Bl -tag -width ".Pa /tmp/krb5cc_ Ns Ar uid" -compact -.It Pa /tmp/krb5cc_ Ns Ar uid -default credentials cache -.Ar ( uid -is the decimal UID of the user). -.It Pa $HOME/.k5login -file containing Kerberos principals that are allowed access. -.El -.Sh SEE ALSO -.Xr kdestroy 1 , -.Xr passwd 1 , -.Xr syslog 3 , -.Xr pam.conf 5 , -.Xr pam 8 -.Sh NOTES -Applications should not call -.Fn pam_authenticate -more than once between calls to -.Fn pam_start -and -.Fn pam_end -when using the Kerberos 5 PAM module. diff --git a/lib/libpam/modules/pam_krb5/pam_krb5.h b/lib/libpam/modules/pam_krb5/pam_krb5.h deleted file mode 100644 index 2515486a7b..0000000000 --- a/lib/libpam/modules/pam_krb5/pam_krb5.h +++ /dev/null @@ -1,22 +0,0 @@ -/* - * pam_krb5.h - * - * $Id: pam_krb5.h,v 1.5 1999/01/19 23:43:10 fcusack Exp $ - * $FreeBSD: src/lib/libpam/modules/pam_krb5/pam_krb5.h,v 1.1.2.2 2001/07/29 18:57:30 markm Exp $ - * $DragonFly: src/lib/libpam/modules/pam_krb5/Attic/pam_krb5.h,v 1.2 2003/06/17 04:26:50 dillon Exp $ - */ - -int get_user_info(pam_handle_t *, char *, int, char **); -int verify_krb_v5_tgt(krb5_context, krb5_ccache, char *, int); -void cleanup_cache(pam_handle_t *, void *, int); - -krb5_prompter_fct pam_prompter; - -const char *compat_princ_component(krb5_context, krb5_principal, int); -void compat_free_data_contents(krb5_context, krb5_data *); - -#ifndef ENCTYPE_DES_CBC_MD5 -#define ENCTYPE_DES_CBC_MD5 ETYPE_DES_CBC_MD5 -#endif - - 
diff --git a/lib/libpam/modules/pam_krb5/pam_krb5_acct.c b/lib/libpam/modules/pam_krb5/pam_krb5_acct.c
deleted file mode 100644
index 2b56e48814..0000000000
--- a/lib/libpam/modules/pam_krb5/pam_krb5_acct.c
+++ /dev/null
@@ -1,85 +0,0 @@
-/*
- * pam_krb5_acct.c
- *
- * PAM account management functions for pam_krb5
- *
- * $FreeBSD: src/lib/libpam/modules/pam_krb5/pam_krb5_acct.c,v 1.1.2.1 2001/06/07 09:37:07 markm Exp $
- * $DragonFly: src/lib/libpam/modules/pam_krb5/Attic/pam_krb5_acct.c,v 1.3 2004/01/23 14:37:01 joerg Exp $
- */
-
-static const char rcsid[] = "$Id: pam_krb5_acct.c,v 1.3 1999/01/19 21:26:44 fcusack Exp $";
-
-#include
-#include /* syslog */
-#include
-#include
-#include
-#include
-#include "pam_krb5.h"
-
-/* A useful logging macro */
-#define DLOG(error_func, error_msg) \
-if (debug) \
- syslog(LOG_DEBUG, "pam_krb5: pam_sm_acct_mgmt(%s %s): %s: %s", \
- service, name, error_func, error_msg)
-
-/* Check authorization of user */
-int
-pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, int argc, const char **argv)
-{
- krb5_error_code krbret;
- krb5_context pam_context;
- krb5_ccache ccache;
- krb5_principal princ;
-
- char *service, *name;
- int debug = 0;
- int i, pamret;
-
- for (i = 0; i < argc; i++) {
- if (strcmp(argv[i], "debug") == 0)
- debug = 1;
- }
-
- /* Get username */
- if (pam_get_item(pamh, PAM_USER, (const void **) &name)) {
- return PAM_PERM_DENIED;;
- }
-
- /* Get service name */
- (void) pam_get_item(pamh, PAM_SERVICE, (const void **) &service);
- if (!service)
- service = "unknown";
-
- DLOG("entry", "");
-
- if (pam_get_data(pamh, "ccache", (const void **) &ccache)) {
- /* User did not use krb5 to login */
- DLOG("ccache", "not found");
- return PAM_SUCCESS;
- }
-
- if ((krbret = krb5_init_context(&pam_context)) != 0) {
- DLOG("krb5_init_context()", error_message(krbret));
- return PAM_PERM_DENIED;;
- }
-
- if ((krbret = krb5_cc_get_principal(pam_context, ccache, &princ)) != 0) {
- DLOG("krb5_cc_get_principal()", error_message(krbret));
- pamret = PAM_PERM_DENIED;;
- goto cleanup;
- }
-
- if (krb5_kuserok(pam_context, princ, name))
- pamret = PAM_SUCCESS;
- else
- pamret = PAM_PERM_DENIED;
- krb5_free_principal(pam_context, princ);
-
-cleanup:
- krb5_free_context(pam_context);
- DLOG("exit", pamret ? "failure" : "success");
- return pamret;
-
-}
-
diff --git a/lib/libpam/modules/pam_krb5/pam_krb5_auth.c b/lib/libpam/modules/pam_krb5/pam_krb5_auth.c
deleted file mode 100644
index 458fb2fb5f..0000000000
--- a/lib/libpam/modules/pam_krb5/pam_krb5_auth.c
+++ /dev/null
@@ -1,474 +0,0 @@ -/* - * pam_krb5_auth.c - * - * PAM authentication management functions for pam_krb5 - * - * $FreeBSD: src/lib/libpam/modules/pam_krb5/pam_krb5_auth.c,v 1.1.2.2 2001/07/29 18:57:30 markm Exp $ - * $DragonFly: src/lib/libpam/modules/pam_krb5/Attic/pam_krb5_auth.c,v 1.3 2004/01/23 14:37:01 joerg Exp $ - */ - -static const char rcsid[] = "$Id: pam_krb5_auth.c,v 1.18 2000/01/04 08:44:08 fcusack Exp $"; - -#include -#include -#include -#include /* PATH_MAX */ -#include /* getpwnam */ -#include /* tmpnam */ -#include /* malloc */ -#include /* strchr */ -#include /* syslog */ -#include /* chown */ - -#include -#include - -#include -#include -#include "pam_krb5.h" - -/* A useful logging macro */ -#define DLOG(error_func, error_msg) \ -if (debug) \ - syslog(LOG_DEBUG, "pam_krb5: pam_sm_authenticate(%s %s): %s: %s", \ - service, name, error_func, error_msg) - -/* Authenticate a user via krb5 */ -int -pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, - const char **argv) -{ - krb5_error_code krbret; - krb5_context pam_context; - krb5_creds creds; - krb5_principal princ; - krb5_ccache ccache, ccache_check; - krb5_get_init_creds_opt opts; - - int pamret, i; - const char *name; - char *princ_name = NULL; - char *pass = NULL, *service = NULL; - char *prompt = NULL; - char cache_name[L_tmpnam + 8]; - char lname[64]; /* local acct name */ - struct passwd *pw; - - int debug = 0, try_first_pass = 0, use_first_pass = 0; - int forwardable = 0, reuse_ccache = 0, no_ccache = 0; - - for (i = 0; i < argc; i++) { - if (strcmp(argv[i], "debug") == 0) - debug = 1; - else if (strcmp(argv[i], "try_first_pass") == 0) - try_first_pass = 1; - else if (strcmp(argv[i], "use_first_pass") == 0) - use_first_pass = 1; - else if (strcmp(argv[i], "forwardable") == 0) - forwardable = 1; - else if (strcmp(argv[i], "reuse_ccache") == 0) - reuse_ccache = 1; - else if (strcmp(argv[i], "no_ccache") == 0) - no_ccache = 1; - } - - /* Get username */ - if ((pamret = pam_get_user(pamh, 
&name, "login: ")) != PAM_SUCCESS) { - return PAM_SERVICE_ERR; - } - - /* Get service name */ - (void) pam_get_item(pamh, PAM_SERVICE, (const void **) &service); - if (!service) - service = "unknown"; - - DLOG("entry", ""); - - if ((krbret = krb5_init_context(&pam_context)) != 0) { - DLOG("krb5_init_context()", error_message(krbret)); - return PAM_SERVICE_ERR; - } - krb5_get_init_creds_opt_init(&opts); - memset(&creds, 0, sizeof(krb5_creds)); - memset(cache_name, 0, sizeof(cache_name)); - memset(lname, 0, sizeof(lname)); - - if (forwardable) - krb5_get_init_creds_opt_set_forwardable(&opts, 1); - - /* For CNS */ - if ((krbret = krb5_cc_register(pam_context, &krb5_mcc_ops, FALSE)) != 0) { - /* Solaris dtlogin doesn't call pam_end() on failure */ - if (krbret != KRB5_CC_TYPE_EXISTS) { - DLOG("krb5_cc_register()", error_message(krbret)); - pamret = PAM_SERVICE_ERR; - goto cleanup3; - } - } - - /* Get principal name */ - if ((krbret = krb5_parse_name(pam_context, name, &princ)) != 0) { - DLOG("krb5_parse_name()", error_message(krbret)); - pamret = PAM_SERVICE_ERR; - goto cleanup3; - } - - /* Now convert the principal name into something human readable */ - if ((krbret = krb5_unparse_name(pam_context, princ, &princ_name)) != 0) { - DLOG("krb5_unparse_name()", error_message(krbret)); - pamret = PAM_SERVICE_ERR; - goto cleanup2; - } - - /* Get password */ - prompt = malloc(16 + strlen(princ_name)); - if (!prompt) { - DLOG("malloc()", "failure"); - pamret = PAM_BUF_ERR; - goto cleanup2; - } - (void) sprintf(prompt, "Password for %s: ", princ_name); - - if (try_first_pass || use_first_pass) - (void) pam_get_item(pamh, PAM_AUTHTOK, (const void **) &pass); - -get_pass: - if (!pass) { - try_first_pass = 0; - if ((pamret = get_user_info(pamh, prompt, PAM_PROMPT_ECHO_OFF, - &pass)) != 0) { - DLOG("get_user_info()", pam_strerror(pamh, pamret)); - pamret = PAM_SERVICE_ERR; - goto cleanup2; - } - /* We have to free pass. 
*/ - if ((pamret = pam_set_item(pamh, PAM_AUTHTOK, pass)) != 0) { - DLOG("pam_set_item()", pam_strerror(pamh, pamret)); - free(pass); - pamret = PAM_SERVICE_ERR; - goto cleanup2; - } - free(pass); - /* Now we get it back from the library. */ - (void) pam_get_item(pamh, PAM_AUTHTOK, (const void **) &pass); - } - - /* Verify the local user exists (AFTER getting the password) */ - if (strchr(name, '@')) { - /* get a local account name for this principal */ - if ((krbret = krb5_aname_to_localname(pam_context, princ, - sizeof(lname), lname)) != 0) { - DLOG("krb5_aname_to_localname()", error_message(krbret)); - pamret = PAM_USER_UNKNOWN; - goto cleanup2; - } - DLOG("changing PAM_USER to", lname); - if ((pamret = pam_set_item(pamh, PAM_USER, lname)) != 0) { - DLOG("pam_set_item()", pam_strerror(pamh, pamret)); - pamret = PAM_SERVICE_ERR; - goto cleanup2; - } - if ((pamret = pam_get_item(pamh, PAM_USER, (const void **) &name) - != 0)) { - DLOG("pam_get_item()", pam_strerror(pamh, pamret)); - pamret = PAM_SERVICE_ERR; - goto cleanup2; - } - } - pw = getpwnam(name); - if (!pw) { - DLOG("getpwnam()", lname); - pamret = PAM_USER_UNKNOWN; - goto cleanup2; - } - - /* Get a TGT */ - if ((krbret = krb5_get_init_creds_password(pam_context, &creds, princ, - pass, pam_prompter, pamh, 0, NULL, &opts)) != 0) { - DLOG("krb5_get_init_creds_password()", error_message(krbret)); - if (try_first_pass && krbret == KRB5KRB_AP_ERR_BAD_INTEGRITY) { - pass = NULL; - goto get_pass; - } - pamret = PAM_AUTH_ERR; - goto cleanup2; - } - - /* Generate a unique cache_name */ - strcpy(cache_name, "MEMORY:"); - (void) tmpnam(&cache_name[7]); - - if ((krbret = krb5_cc_resolve(pam_context, cache_name, &ccache)) != 0) { - DLOG("krb5_cc_resolve()", error_message(krbret)); - pamret = PAM_SERVICE_ERR; - goto cleanup; - } - if ((krbret = krb5_cc_initialize(pam_context, ccache, princ)) != 0) { - DLOG("krb5_cc_initialize()", error_message(krbret)); - pamret = PAM_SERVICE_ERR; - goto cleanup; - } - if ((krbret = 
krb5_cc_store_cred(pam_context, ccache, &creds)) != 0) { - DLOG("krb5_cc_store_cred()", error_message(krbret)); - (void) krb5_cc_destroy(pam_context, ccache); - pamret = PAM_SERVICE_ERR; - goto cleanup; - } - - /* Verify it */ - if (verify_krb_v5_tgt(pam_context, ccache, service, debug) == -1) { - (void) krb5_cc_destroy(pam_context, ccache); - pamret = PAM_AUTH_ERR; - goto cleanup; - } - - /* A successful authentication, store ccache for sm_setcred() */ - if (!pam_get_data(pamh, "ccache", (const void **) &ccache_check)) { - DLOG("pam_get_data()", "ccache data already present"); - (void) krb5_cc_destroy(pam_context, ccache); - pamret = PAM_AUTH_ERR; - goto cleanup; - } - if ((pamret = pam_set_data(pamh, "ccache", ccache, cleanup_cache)) != 0) { - DLOG("pam_set_data()", pam_strerror(pamh, pamret)); - (void) krb5_cc_destroy(pam_context, ccache); - pamret = PAM_SERVICE_ERR; - goto cleanup; - } - -cleanup: - krb5_free_cred_contents(pam_context, &creds); -cleanup2: - krb5_free_principal(pam_context, princ); -cleanup3: - if (prompt) - free(prompt); - if (princ_name) - free(princ_name); - - krb5_free_context(pam_context); - DLOG("exit", pamret ? "failure" : "success"); - return pamret; -} - - - -/* redefine this for pam_sm_setcred() */ -#undef DLOG -#define DLOG(error_func, error_msg) \ -if (debug) \ - syslog(LOG_DEBUG, "pam_krb5: pam_sm_setcred(%s %s): %s: %s", \ - service, name, error_func, error_msg) - -/* Called after a successful authentication. Set user credentials. 
*/ -int -pam_sm_setcred(pam_handle_t *pamh, int flags, int argc, - const char **argv) -{ - - krb5_error_code krbret; - krb5_context pam_context; - krb5_principal princ; - krb5_creds creds; - krb5_ccache ccache_temp, ccache_perm; - krb5_cc_cursor cursor; - - int i, pamret; - char *name, *service = NULL; - char *cache_name = NULL, *cache_env_name; - struct passwd *pw = NULL; - - int debug = 0; - uid_t euid; - gid_t egid; - - if (flags == PAM_REINITIALIZE_CRED) - return PAM_SUCCESS; /* XXX Incorrect behavior */ - - if (flags != PAM_ESTABLISH_CRED) - return PAM_SERVICE_ERR; - - for (i = 0; i < argc; i++) { - if (strcmp(argv[i], "debug") == 0) - debug = 1; - else if (strcmp(argv[i], "no_ccache") == 0) - return PAM_SUCCESS; - else if (strstr(argv[i], "ccache=") == argv[i]) - cache_name = (char *) &argv[i][7]; /* save for later */ - } - - /* Get username */ - if (pam_get_item(pamh, PAM_USER, (const void **) &name)) { - return PAM_SERVICE_ERR; - } - - /* Get service name */ - (void) pam_get_item(pamh, PAM_SERVICE, (const void **) &service); - if (!service) - service = "unknown"; - - DLOG("entry", ""); - - if ((krbret = krb5_init_context(&pam_context)) != 0) { - DLOG("krb5_init_context()", error_message(krbret)); - return PAM_SERVICE_ERR; - } - - euid = geteuid(); /* Usually 0 */ - egid = getegid(); - - /* Retrieve the cache name */ - if ((pamret = pam_get_data(pamh, "ccache", (const void **) &ccache_temp)) - != 0) { - DLOG("pam_get_data()", pam_strerror(pamh, pamret)); - pamret = PAM_CRED_UNAVAIL; - goto cleanup3; - } - - /* Get the uid. This should exist. 
*/ - pw = getpwnam(name); - if (!pw) { - DLOG("getpwnam()", name); - pamret = PAM_USER_UNKNOWN; - goto cleanup3; - } - - /* Avoid following a symlink as root */ - if (setegid(pw->pw_gid)) { - DLOG("setegid()", name); /* XXX should really log group name or id */ - pamret = PAM_SERVICE_ERR; - goto cleanup3; - } - if (seteuid(pw->pw_uid)) { - DLOG("seteuid()", name); - pamret = PAM_SERVICE_ERR; - goto cleanup3; - } - - /* Get the cache name */ - if (!cache_name) { - cache_name = malloc(64); /* plenty big */ - if (!cache_name) { - DLOG("malloc()", "failure"); - pamret = PAM_BUF_ERR; - goto cleanup3; - } - sprintf(cache_name, "FILE:/tmp/krb5cc_%d", pw->pw_uid); - } else { - /* cache_name was supplied */ - char *p = calloc(PATH_MAX + 10, 1); /* should be plenty */ - char *q = cache_name; - if (!p) { - DLOG("malloc()", "failure"); - pamret = PAM_BUF_ERR; - goto cleanup3; - } - cache_name = p; - - /* convert %u and %p */ - while (*q) { - if (*q == '%') { - q++; - if (*q == 'u') { - sprintf(p, "%d", pw->pw_uid); - p += strlen(p); - } else if (*q == 'p') { - sprintf(p, "%d", getpid()); - p += strlen(p); - } else { - /* Not a special token */ - *p++ = '%'; - q--; - } - q++; - } else { - *p++ = *q++; - } - } - } - - /* Initialize the new ccache */ - if ((krbret = krb5_cc_get_principal(pam_context, ccache_temp, &princ)) - != 0) { - DLOG("krb5_cc_get_principal()", error_message(krbret)); - pamret = PAM_SERVICE_ERR; - goto cleanup3; - } - if ((krbret = krb5_cc_resolve(pam_context, cache_name, &ccache_perm)) - != 0) { - DLOG("krb5_cc_resolve()", error_message(krbret)); - pamret = PAM_SERVICE_ERR; - goto cleanup2; - } - if ((krbret = krb5_cc_initialize(pam_context, ccache_perm, princ)) != 0) { - DLOG("krb5_cc_initialize()", error_message(krbret)); - pamret = PAM_SERVICE_ERR; - goto cleanup2; - } - - /* Prepare for iteration over creds */ - if ((krbret = krb5_cc_start_seq_get(pam_context, ccache_temp, &cursor)) - != 0) { - DLOG("krb5_cc_start_seq_get()", error_message(krbret)); - 
(void) krb5_cc_destroy(pam_context, ccache_perm); - pamret = PAM_SERVICE_ERR; - goto cleanup2; - } - - /* Copy the creds (should be two of them) */ - while ((krbret = krb5_cc_next_cred(pam_context, ccache_temp, - &cursor, &creds) == 0)) { - if ((krbret = krb5_cc_store_cred(pam_context, ccache_perm, - &creds)) != 0) { - DLOG("krb5_cc_store_cred()", error_message(krbret)); - (void) krb5_cc_destroy(pam_context, ccache_perm); - krb5_free_cred_contents(pam_context, &creds); - pamret = PAM_SERVICE_ERR; - goto cleanup2; - } - krb5_free_cred_contents(pam_context, &creds); - } - (void) krb5_cc_end_seq_get(pam_context, ccache_temp, &cursor); - - if (strstr(cache_name, "FILE:") == cache_name) { - if (chown(&cache_name[5], pw->pw_uid, pw->pw_gid) == -1) { - DLOG("chown()", strerror(errno)); - (void) krb5_cc_destroy(pam_context, ccache_perm); - pamret = PAM_SERVICE_ERR; - goto cleanup2; - } - if (chmod(&cache_name[5], (S_IRUSR|S_IWUSR)) == -1) { - DLOG("chmod()", strerror(errno)); - (void) krb5_cc_destroy(pam_context, ccache_perm); - pamret = PAM_SERVICE_ERR; - goto cleanup2; - } - } - (void) krb5_cc_close(pam_context, ccache_perm); - - cache_env_name = malloc(strlen(cache_name) + 12); - if (!cache_env_name) { - DLOG("malloc()", "failure"); - (void) krb5_cc_destroy(pam_context, ccache_perm); - pamret = PAM_BUF_ERR; - goto cleanup2; - } - - sprintf(cache_env_name, "KRB5CCNAME=%s", cache_name); - if ((pamret = pam_putenv(pamh, cache_env_name)) != 0) { - DLOG("pam_putenv()", pam_strerror(pamh, pamret)); - (void) krb5_cc_destroy(pam_context, ccache_perm); - pamret = PAM_SERVICE_ERR; - goto cleanup2; - } - -cleanup2: - krb5_free_principal(pam_context, princ); -cleanup3: - krb5_free_context(pam_context); - DLOG("exit", pamret ? "failure" : "success"); - (void) seteuid(euid); - (void) setegid(egid); - return pamret; -} - diff --git a/lib/libpam/modules/pam_krb5/pam_krb5_pass.c b/lib/libpam/modules/pam_krb5/pam_krb5_pass.c deleted file mode 100644 index 509b524fb5..0000000000 
--- a/lib/libpam/modules/pam_krb5/pam_krb5_pass.c
+++ /dev/null
@@ -1,202 +0,0 @@ -/* - * pam_krb5_pass.c - * - * PAM password management functions for pam_krb5 - * - * $FreeBSD: src/lib/libpam/modules/pam_krb5/pam_krb5_pass.c,v 1.1.2.1 2001/06/07 09:37:07 markm Exp $ - * $DragonFly: src/lib/libpam/modules/pam_krb5/Attic/pam_krb5_pass.c,v 1.3 2004/01/23 14:37:01 joerg Exp $ - */ - -static const char rcsid[] = "$Id: pam_krb5_pass.c,v 1.3 1999/01/19 23:43:11 fcusack Exp $"; - -#include -#include /* sprintf */ -#include /* malloc */ -#include /* syslog */ -#include -#include -#include -#include -#include -#include "pam_krb5.h" - -/* A useful logging macro */ -#define DLOG(error_func, error_msg) \ -if (debug) \ - syslog(LOG_DEBUG, "pam_krb5: pam_sm_chauthtok(%s %s): %s: %s", \ - service, name, error_func, error_msg) - -/* Change a user's password */ -int -pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, const char **argv) -{ - krb5_error_code krbret; - krb5_context pam_context; - krb5_creds creds; - krb5_principal princ; - krb5_get_init_creds_opt opts; - - int result_code; - krb5_data result_code_string, result_string; - - int pamret, i; - char *name, *service = NULL, *pass = NULL, *pass2; - char *princ_name = NULL; - char *prompt = NULL; - - int debug = 0; - int try_first_pass = 0, use_first_pass = 0; - - if (!(flags & PAM_UPDATE_AUTHTOK)) - return PAM_AUTHTOK_ERR; - - for (i = 0; i < argc; i++) { - if (strcmp(argv[i], "debug") == 0) - debug = 1; - else if (strcmp(argv[i], "try_first_pass") == 0) - try_first_pass = 1; - else if (strcmp(argv[i], "use_first_pass") == 0) - use_first_pass = 1; - } - - /* Get username */ - if ((pam_get_item(pamh, PAM_USER, (const void **) &name)) != 0) { - return PAM_SERVICE_ERR; - } - - /* Get service name */ - (void) pam_get_item(pamh, PAM_SERVICE, (const void **) &service); - if (!service) - service = "unknown"; - - DLOG("entry", ""); - - if ((krbret = krb5_init_context(&pam_context)) != 0) { - DLOG("krb5_init_context()", error_message(krbret)); - return PAM_SERVICE_ERR; - } - - if ((krbret 
= krb5_init_context(&pam_context)) != 0) { - DLOG("krb5_init_context()", error_message(krbret)); - return PAM_SERVICE_ERR; - } - krb5_get_init_creds_opt_init(&opts); - memset(&creds, 0, sizeof(krb5_creds)); - - /* Get principal name */ - if ((krbret = krb5_parse_name(pam_context, name, &princ)) != 0) { - DLOG("krb5_parse_name()", error_message(krbret)); - pamret = PAM_USER_UNKNOWN; - goto cleanup3; - } - - /* Now convert the principal name into something human readable */ - if ((krbret = krb5_unparse_name(pam_context, princ, &princ_name)) != 0) { - DLOG("krb5_unparse_name()", error_message(krbret)); - pamret = PAM_SERVICE_ERR; - goto cleanup2; - } - - /* Get password */ - prompt = malloc(16 + strlen(princ_name)); - if (!prompt) { - DLOG("malloc()", "failure"); - pamret = PAM_BUF_ERR; - goto cleanup2; - } - (void) sprintf(prompt, "Password for %s: ", princ_name); - - if (try_first_pass || use_first_pass) - (void) pam_get_item(pamh, PAM_AUTHTOK, (const void **) &pass); - -get_pass: - if (!pass) { - try_first_pass = 0; - if ((pamret = get_user_info(pamh, prompt, PAM_PROMPT_ECHO_OFF, - &pass)) != 0) { - DLOG("get_user_info()", pam_strerror(pamh, pamret)); - pamret = PAM_SERVICE_ERR; - goto cleanup2; - } - /* We have to free pass. */ - if ((pamret = pam_set_item(pamh, PAM_AUTHTOK, pass)) != 0) { - DLOG("pam_set_item()", pam_strerror(pamh, pamret)); - free(pass); - pamret = PAM_SERVICE_ERR; - goto cleanup2; - } - free(pass); - /* Now we get it back from the library. 
*/ - (void) pam_get_item(pamh, PAM_AUTHTOK, (const void **) &pass); - } - - if ((krbret = krb5_get_init_creds_password(pam_context, &creds, princ, - pass, pam_prompter, pamh, 0, "kadmin/changepw", &opts)) != 0) { - DLOG("krb5_get_init_creds_password()", error_message(krbret)); - if (try_first_pass && krbret == KRB5KRB_AP_ERR_BAD_INTEGRITY) { - pass = NULL; - goto get_pass; - } - pamret = PAM_AUTH_ERR; - goto cleanup2; - } - - /* Now get the new password */ - free(prompt); - prompt = "Enter new password: "; - if ((pamret = get_user_info(pamh, prompt, PAM_PROMPT_ECHO_OFF, &pass)) - != 0) { - DLOG("get_user_info()", pam_strerror(pamh, pamret)); - prompt = NULL; - pamret = PAM_SERVICE_ERR; - goto cleanup; - } - prompt = "Enter it again: "; - if ((pamret = get_user_info(pamh, prompt, PAM_PROMPT_ECHO_OFF, &pass2)) - != 0) { - DLOG("get_user_info()", pam_strerror(pamh, pamret)); - prompt = NULL; - pamret = PAM_SERVICE_ERR; - goto cleanup; - } - prompt = NULL; - - if (strcmp(pass, pass2) != 0) { - DLOG("strcmp()", "passwords not equal"); - pamret = PAM_AUTHTOK_ERR; - goto cleanup; - } - - /* Change it */ - if ((krbret = krb5_change_password(pam_context, &creds, pass, - &result_code, &result_code_string, &result_string)) != 0) { - DLOG("krb5_change_password()", error_message(krbret)); - pamret = PAM_AUTHTOK_ERR; - goto cleanup; - } - if (result_code) { - DLOG("krb5_change_password() (result_code)", ""); - pamret = PAM_AUTHTOK_ERR; - goto cleanup; - } - - if (result_string.data) - free(result_string.data); - if (result_code_string.data) - free(result_code_string.data); - -cleanup: - krb5_free_cred_contents(pam_context, &creds); -cleanup2: - krb5_free_principal(pam_context, princ); -cleanup3: - if (prompt) - free(prompt); - if (princ_name) - free(princ_name); - - krb5_free_context(pam_context); - DLOG("exit", pamret ? "failure" : "success"); - return pamret; -} - 
diff --git a/lib/libpam/modules/pam_krb5/pam_krb5_sess.c b/lib/libpam/modules/pam_krb5/pam_krb5_sess.c
deleted file mode 100644
index 6c6937c176..0000000000
--- a/lib/libpam/modules/pam_krb5/pam_krb5_sess.c
+++ /dev/null
@@ -1,29 +0,0 @@
-/*
- * pam_krb5_sess.c
- *
- * PAM session management functions for pam_krb5
- * (null functions)
- *
- * $FreeBSD: src/lib/libpam/modules/pam_krb5/pam_krb5_sess.c,v 1.1.2.1 2001/06/07 09:37:07 markm Exp $
- * $DragonFly: src/lib/libpam/modules/pam_krb5/Attic/pam_krb5_sess.c,v 1.2 2003/06/17 04:26:50 dillon Exp $
- */
-
-static const char rcsid[] = "$Id: pam_krb5_sess.c,v 1.3 1999/01/19 20:49:44 fcusack Exp $";
-
-#include
-#include
-
-/* Initiate session management */
-int
-pam_sm_open_session(pam_handle_t *pamh, int flags, int argc, const char **argv)
-{
- return PAM_SUCCESS;
-}
-
-
-/* Terminate session management */
-int
-pam_sm_close_session(pam_handle_t *pamh, int flags, int argc, const char **argv)
-{
- return PAM_SUCCESS;
-}
diff --git a/lib/libpam/modules/pam_krb5/support.c b/lib/libpam/modules/pam_krb5/support.c
deleted file mode 100644
index d107bdce73..0000000000
--- a/lib/libpam/modules/pam_krb5/support.c
+++ /dev/null
@@ -1,186 +0,0 @@ -/* - * support.c - * - * Support functions for pam_krb5 - * - * $FreeBSD: src/lib/libpam/modules/pam_krb5/support.c,v 1.1.2.1 2001/06/07 09:37:07 markm Exp $ - * $DragonFly: src/lib/libpam/modules/pam_krb5/Attic/support.c,v 1.2 2003/06/17 04:26:50 dillon Exp $ - */ - -static const char rcsid[] = "$Id: support.c,v 1.8 2000/01/04 09:50:03 fcusack Exp $"; - -#include -#include /* BUFSIZ */ -#include /* malloc */ -#include /* strncpy */ -#include /* syslog */ -#include -#include -#include -#include -#include "pam_krb5.h" - -/* - * Get info from the user. Disallow null responses (regardless of flags). - * response gets allocated and filled in on successful return. Caller - * is responsible for freeing it. - */ -int -get_user_info(pam_handle_t *pamh, char *prompt, int type, char **response) -{ - int pamret; - struct pam_message msg; - const struct pam_message *pmsg; - struct pam_response *resp = NULL; - struct pam_conv *conv; - - if ((pamret = pam_get_item(pamh, PAM_CONV, (const void **) &conv)) != 0) - return pamret; - - /* set up conversation call */ - pmsg = &msg; - msg.msg_style = type; - msg.msg = prompt; - - if ((pamret = conv->conv(1, &pmsg, &resp, conv->appdata_ptr)) != 0) - return pamret; - - /* Caller should ignore errors for non-response conversations */ - if (!resp) - return PAM_CONV_ERR; - - if (!(resp->resp && resp->resp[0])) { - free(resp); - return PAM_AUTH_ERR; - } - - *response = resp->resp; - free(resp); - return pamret; -} - -/* - * This routine with some modification is from the MIT V5B6 appl/bsd/login.c - * Modified by Sam Hartman to support PAM services - * for Debian. - * - * Verify the Kerberos ticket-granting ticket just retrieved for the - * user. If the Kerberos server doesn't respond, assume the user is - * trying to fake us out (since we DID just get a TGT from what is - * supposedly our KDC). 
If the host/ service is unknown (i.e., - * the local keytab doesn't have it), and we cannot find another - * service we do have, let her in. - * - * Returns 1 for confirmation, -1 for failure, 0 for uncertainty. - */ -int -verify_krb_v5_tgt(krb5_context context, krb5_ccache ccache, - char * pam_service, int debug) -{ - char phost[BUFSIZ]; - char *services [3]; - char **service; - krb5_error_code retval = -1; - krb5_principal princ; - krb5_keyblock * keyblock = 0; - krb5_data packet; - krb5_auth_context auth_context = NULL; - - packet.data = 0; - - /* - * If possible we want to try and verify the ticket we have - * received against a keytab. We will try multiple service - * principals, including at least the host principal and the PAM - * service principal. The host principal is preferred because access - * to that key is generally sufficient to compromise root, while the - * service key for this PAM service may be less carefully guarded. - * It is important to check the keytab first before the KDC so we do - * not get spoofed by a fake KDC.*/ - services [0] = "host"; - services [1] = pam_service; - services [2] = NULL; - for ( service = &services[0]; *service != NULL; service++ ) { - if ((retval = krb5_sname_to_principal(context, NULL, *service, KRB5_NT_SRV_HST, - &princ)) != 0) { - if (debug) - syslog(LOG_DEBUG, "pam_krb5: verify_krb_v5_tgt(): %s: %s", - "krb5_sname_to_principal()", error_message(retval)); - return -1; - } - - /* Extract the name directly. */ - strncpy(phost, compat_princ_component(context, princ, 1), BUFSIZ); - phost[BUFSIZ - 1] = '\0'; - - /* - * Do we have service/ keys? - * (use default/configured keytab, kvno IGNORE_VNO to get the - * first match, and ignore enctype.) 
- */ - if ((retval = krb5_kt_read_service_key(context, NULL, princ, 0, - 0, &keyblock)) != 0) - continue; - break; - } - if (retval != 0 ) { /* failed to find key */ - /* Keytab or service key does not exist */ - if (debug) - syslog(LOG_DEBUG, "pam_krb5: verify_krb_v5_tgt(): %s: %s", - "krb5_kt_read_service_key()", error_message(retval)); - retval = 0; - goto cleanup; - } - if (keyblock) - krb5_free_keyblock(context, keyblock); - - /* Talk to the kdc and construct the ticket. */ - retval = krb5_mk_req(context, &auth_context, 0, *service, phost, - NULL, ccache, &packet); - if (auth_context) { - krb5_auth_con_free(context, auth_context); - auth_context = NULL; /* setup for rd_req */ - } - if (retval) { - if (debug) - syslog(LOG_DEBUG, "pam_krb5: verify_krb_v5_tgt(): %s: %s", - "krb5_mk_req()", error_message(retval)); - retval = -1; - goto cleanup; - } - - /* Try to use the ticket. */ - retval = krb5_rd_req(context, &auth_context, &packet, princ, - NULL, NULL, NULL); - if (retval) { - if (debug) - syslog(LOG_DEBUG, "pam_krb5: verify_krb_v5_tgt(): %s: %s", - "krb5_rd_req()", error_message(retval)); - retval = -1; - } else { - retval = 1; - } - -cleanup: - if (packet.data) - compat_free_data_contents(context, &packet); - krb5_free_principal(context, princ); - return retval; - -} - - -/* Free the memory for cache_name. Called by pam_end() */ -void -cleanup_cache(pam_handle_t *pamh, void *data, int pam_end_status) -{ - krb5_context pam_context; - krb5_ccache ccache; - - if (krb5_init_context(&pam_context)) - return; - - ccache = (krb5_ccache) data; - (void) krb5_cc_destroy(pam_context, ccache); - krb5_free_context(pam_context); -} diff --git a/lib/libpam/modules/pam_opie/Makefile b/lib/libpam/modules/pam_opie/Makefile deleted file mode 100644 index 315c2b5a08..0000000000 --- a/lib/libpam/modules/pam_opie/Makefile +++ /dev/null 
@@ -1,35 +0,0 @@ -# Copyright 2000 James Bloom -# All rights reserved. -# Based upon code Copyright 1998 Juniper Networks, Inc. -# -# Redistribution and use in source and binary forms, with or without -# modification, are permitted provided that the following conditions -# are met: -# 1. Redistributions of source code must retain the above copyright -# notice, this list of conditions and the following disclaimer. -# 2. Redistributions in binary form must reproduce the above copyright -# notice, this list of conditions and the following disclaimer in the -# documentation and/or other materials provided with the distribution. -# -# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND -# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE -# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS -# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT -# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY -# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF -# SUCH DAMAGE. -# -# $FreeBSD: src/lib/libpam/modules/pam_opie/Makefile,v 1.1.2.4 2002/07/03 21:41:30 des Exp $ -# $DragonFly: src/lib/libpam/modules/pam_opie/Attic/Makefile,v 1.2 2003/06/17 04:26:50 dillon Exp $ - -LIB= pam_opie -SRCS= pam_opie.c -DPADD= ${LIBOPIE} -LDADD= -lopie -MAN= pam_opie.8 - -.include diff --git a/lib/libpam/modules/pam_opie/pam_opie.8 b/lib/libpam/modules/pam_opie/pam_opie.8 deleted file mode 100644 index 1c2ce4b8d1..0000000000 --- a/lib/libpam/modules/pam_opie/pam_opie.8 +++ /dev/null 
@@ -1,124 +0,0 @@ -.\" Copyright (c) 2001 Mark R V Murray -.\" All rights reserved. -.\" Copyright (c) 2002 Networks Associates Technology, Inc. -.\" All rights reserved. -.\" -.\" Portions of this software were developed for the FreeBSD Project by -.\" ThinkSec AS and NAI Labs, the Security Research Division of Network -.\" Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 -.\" ("CBOSS"), as part of the DARPA CHATS research program. -.\" -.\" Redistribution and use in source and binary forms, with or without -.\" modification, are permitted provided that the following conditions -.\" are met: -.\" 1. Redistributions of source code must retain the above copyright -.\" notice, this list of conditions and the following disclaimer. -.\" 2. Redistributions in binary form must reproduce the above copyright -.\" notice, this list of conditions and the following disclaimer in the -.\" documentation and/or other materials provided with the distribution. -.\" 3. The name of the author may not be used to endorse or promote -.\" products derived from this software without specific prior written -.\" permission. -.\" -.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND -.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE -.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS -.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT -.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY -.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF -.\" SUCH DAMAGE. 
-.\" -.\" $FreeBSD: src/lib/libpam/modules/pam_opie/pam_opie.8,v 1.8.2.2 2002/12/29 16:35:36 schweikh Exp $ -.\" $DragonFly: src/lib/libpam/modules/pam_opie/Attic/pam_opie.8,v 1.2 2003/06/17 04:26:50 dillon Exp $ -.\" -.Dd July 7, 2001 -.Dt PAM_OPIE 8 -.Os -.Sh NAME -.Nm pam_opie -.Nd OPIE PAM module -.Sh SYNOPSIS -.Op Ar service-name -.Ar module-type -.Ar control-flag -.Pa pam_opie -.Op Ar options -.Sh DESCRIPTION -The OPIE authentication service module for PAM, -.Nm -provides functionality for only one PAM category: -that of authentication. -In terms of the -.Ar module-type -parameter, this is the -.Dq Li auth -feature. -It also provides a null function for session management. -.Pp -Note that this module does not enforce -.Xr opieaccess 5 -checks. -There is a separate module, -.Xr pam_opieaccess 8 , -for this purpose. -.Ss OPIE Authentication Module -The OPIE authentication component -provides functions to verify the identity of a user -.Pq Fn pam_sm_authenticate , -which obtains the relevant -.Xr opie 4 -credentials. -It provides the user with an OPIE challenge, -and verifies that this is correct with -.Xr opiechallenge 3 . -.Pp -The following options may be passed to the authentication module: -.Bl -tag -width ".Cm auth_as_self" -.It Cm debug -.Xr syslog 3 -debugging information at -.Dv LOG_DEBUG -level. -.It Cm auth_as_self -This option will require the user -to authenticate himself as the user -given by -.Xr getlogin 2 , -not as the account they are attempting to access. -This is primarily for services like -.Xr su 1 , -where the user's ability to retype -their own password -might be deemed sufficient. -.It Cm no_fake_prompts -Do not generate fake challenges for users who do not have an OPIE key. -Note that this can leak information to a hypothetical attacker about -who uses OPIE and who does not, but it can be useful on systems where -some users want to use OPIE but most do not. 
-.El -.Pp -Note that -.Nm -ignores the standard options -.Cm try_first_pass -and -.Cm use_first_pass , -since a challenge must be generated before the user can submit a valid -response. -.Sh FILES -.Bl -tag -width ".Pa /etc/opiekeys" -compact -.It Pa /etc/opiekeys -default OPIE password database. -.El -.Sh SEE ALSO -.Xr passwd 1 , -.Xr getlogin 2 , -.Xr opiechallenge 3 , -.Xr syslog 3 , -.Xr opie 4 , -.Xr pam.conf 5 , -.Xr pam 8 diff --git a/lib/libpam/modules/pam_opie/pam_opie.c b/lib/libpam/modules/pam_opie/pam_opie.c deleted file mode 100644 index d550e9472d..0000000000 --- a/lib/libpam/modules/pam_opie/pam_opie.c +++ /dev/null 
@@ -1,166 +0,0 @@ -/*- - * Copyright 2000 James Bloom - * All rights reserved. - * Based upon code Copyright 1998 Juniper Networks, Inc. - * Copyright (c) 2001,2002 Networks Associates Technology, Inc. - * All rights reserved. - * - * Portions of this software were developed for the FreeBSD Project by - * ThinkSec AS and NAI Labs, the Security Research Division of Network - * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 - * ("CBOSS"), as part of the DARPA CHATS research program. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. The name of the author may not be used to endorse or promote - * products derived from this software without specific prior written - * permission. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- * - * $FreeBSD: src/lib/libpam/modules/pam_opie/pam_opie.c,v 1.1.2.2 2003/02/10 12:15:30 des Exp $ - * $DragonFly: src/lib/libpam/modules/pam_opie/Attic/pam_opie.c,v 1.2 2003/06/17 04:26:50 dillon Exp $ - */ - -#include -#include -#include -#include -#include -#include - -#define PAM_SM_AUTH - -#include -#include -#include - -enum { - PAM_OPT_AUTH_AS_SELF = PAM_OPT_STD_MAX, - PAM_OPT_NO_FAKE_PROMPTS -}; - -static struct opttab other_options[] = { - { "auth_as_self", PAM_OPT_AUTH_AS_SELF }, - { "no_fake_prompts", PAM_OPT_NO_FAKE_PROMPTS }, - { NULL, 0 } -}; - -PAM_EXTERN int -pam_sm_authenticate(pam_handle_t *pamh, int flags __unused, - int argc, const char *argv[]) -{ - struct opie opie; - struct options options; - struct passwd *pwd; - int retval, i, echo; - const char *(promptstr[]) = { "%s\nPassword: ", "%s\nPassword [echo on]: "}; - char challenge[OPIE_CHALLENGE_MAX]; - char prompt[OPIE_CHALLENGE_MAX+22]; - char resp[OPIE_SECRET_MAX]; - char *user; - const char *response; - - pam_std_option(&options, other_options, argc, argv); - - PAM_LOG("Options processed"); - - user = NULL; - if (pam_test_option(&options, PAM_OPT_AUTH_AS_SELF, NULL)) { - if ((pwd = getpwnam(getlogin())) == NULL) - return (PAM_AUTH_ERR); - user = pwd->pw_name; - } - else { - retval = pam_get_user(pamh, (const char **)&user, NULL); - if (retval != PAM_SUCCESS) - return (retval); - } - - PAM_LOG("Got user: %s", user); - - /* - * Don't call the OPIE atexit() handler when our program exits, - * since the module has been unloaded and we will SEGV. - */ - opiedisableaeh(); - - /* - * If the no_fake_prompts option was given, and the user - * doesn't have an OPIE key, just fail rather than present the - * user with a bogus OPIE challenge. 
- */ - /* XXX generates a const warning because of incorrect prototype */ - if (opiechallenge(&opie, (char *)user, challenge) != 0 && - pam_test_option(&options, PAM_OPT_NO_FAKE_PROMPTS, NULL)) - return (PAM_AUTH_ERR); - - /* - * It doesn't make sense to use a password that has already been - * typed in, since we haven't presented the challenge to the user - * yet, so clear the stored password. - */ - pam_set_item(pamh, PAM_AUTHTOK, NULL); - - echo = pam_test_option(&options, PAM_OPT_ECHO_PASS, NULL); - - for (i = 0; i < 2; i++) { - snprintf(prompt, sizeof prompt, promptstr[i], challenge); - retval = pam_get_pass(pamh, &response, prompt, &options); - if (retval != PAM_SUCCESS) { - if (!echo) - pam_clear_option(&options, PAM_OPT_ECHO_PASS); - opieunlock(); - return (retval); - } - - PAM_LOG("Completed challenge %d: %s", i, response); - - if (response[0] != '\0') - break; - - /* Second time round, echo the password */ - pam_set_option(&options, PAM_OPT_ECHO_PASS); - } - - if (!echo) - pam_clear_option(&options, PAM_OPT_ECHO_PASS); - - /* We have to copy the response, because opieverify mucks with it. */ - strlcpy(resp, response, sizeof (resp)); - - /* - * Opieverify is supposed to return -1 only if an error occurs. - * But it returns -1 even if the response string isn't in the form - * it expects. Thus we can't log an error and can only check for - * success or lack thereof. - */ - retval = opieverify(&opie, resp) == 0 ? PAM_SUCCESS : PAM_AUTH_ERR; - return (retval); -} - -PAM_EXTERN int -pam_sm_setcred(pam_handle_t *pamh __unused, int flags __unused, - int argc __unused, const char *argv[] __unused) -{ - - return (PAM_SUCCESS); -} - -PAM_MODULE_ENTRY("pam_opie"); diff --git a/lib/libpam/modules/pam_opieaccess/Makefile b/lib/libpam/modules/pam_opieaccess/Makefile deleted file mode 100644 index 1047566e03..0000000000 --- a/lib/libpam/modules/pam_opieaccess/Makefile +++ /dev/null 
@@ -1,10 +0,0 @@ -# $FreeBSD: src/lib/libpam/modules/pam_opieaccess/Makefile,v 1.3.2.1 2002/07/03 21:41:30 des Exp $ -# $DragonFly: src/lib/libpam/modules/pam_opieaccess/Attic/Makefile,v 1.2 2003/06/17 04:26:50 dillon Exp $ - -LIB= pam_opieaccess -SRCS= ${LIB}.c -DPADD= ${LIBOPIE} -LDADD= -lopie -MAN= pam_opieaccess.8 - -.include diff --git a/lib/libpam/modules/pam_opieaccess/pam_opieaccess.8 b/lib/libpam/modules/pam_opieaccess/pam_opieaccess.8 deleted file mode 100644 index 5bb510dc73..0000000000 --- a/lib/libpam/modules/pam_opieaccess/pam_opieaccess.8 +++ /dev/null 
@@ -1,126 +0,0 @@ -.\" Copyright (c) 2001 Mark R V Murray -.\" All rights reserved. -.\" Copyright (c) 2002 Networks Associates Technology, Inc. -.\" All rights reserved. -.\" -.\" Portions of this software were developed for the FreeBSD Project by -.\" ThinkSec AS and NAI Labs, the Security Research Division of Network -.\" Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 -.\" ("CBOSS"), as part of the DARPA CHATS research program. -.\" -.\" Redistribution and use in source and binary forms, with or without -.\" modification, are permitted provided that the following conditions -.\" are met: -.\" 1. Redistributions of source code must retain the above copyright -.\" notice, this list of conditions and the following disclaimer. -.\" 2. Redistributions in binary form must reproduce the above copyright -.\" notice, this list of conditions and the following disclaimer in the -.\" documentation and/or other materials provided with the distribution. -.\" 3. The name of the author may not be used to endorse or promote -.\" products derived from this software without specific prior written -.\" permission. -.\" -.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND -.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE -.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS -.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT -.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY -.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF -.\" SUCH DAMAGE. 
-.\" -.\" $FreeBSD: src/lib/libpam/modules/pam_opieaccess/pam_opieaccess.8,v 1.5.2.1 2002/07/03 21:41:30 des Exp $ -.\" $DragonFly: src/lib/libpam/modules/pam_opieaccess/Attic/pam_opieaccess.8,v 1.2 2003/06/17 04:26:50 dillon Exp $ -.\" -.Dd January 21, 2002 -.Dt PAM_OPIEACCESS 8 -.Os -.Sh NAME -.Nm pam_opieaccess -.Nd OPIEAccess PAM module -.Sh SYNOPSIS -.Op Ar service-name -.Ar module-type -.Ar control-flag -.Pa pam_opieaccess -.Op Ar options -.Sh DESCRIPTION -The -.Nm -module is used in conjunction with the -.Xr pam_opie 8 -PAM module to ascertain that authentication can proceed by other means -(such as the -.Xr pam_unix 8 -module) even if OPIE authentication failed. -To properly use this module, -.Xr pam_opie 8 -should be marked -.Dq Li sufficient , -and -.Nm -should be listed right below it and marked -.Dq Li requisite . -.Pp -The -.Nm -module provides functionality for only one PAM category: -authentication. -In terms of the -.Ar module-type -parameter, this is the -.Dq Li auth -feature. -It also provides null functions for the remaining module types. -.Ss OPIEAccess Authentication Module -The authentication component -.Pq Fn pam_sm_authenticate , -returns -.Dv PAM_SUCCESS -in two cases: -.Bl -enum -.It -The user does not have OPIE enabled. -.It -The user has OPIE enabled, and the remote host is listed as a trusted -host in -.Pa /etc/opieaccess , -and the user does not have a file named -.Pa opiealways -in his home directory. -.El -.Pp -Otherwise, it returns -.Dv PAM_AUTH_ERR . -.Pp -The following options may be passed to the authentication module: -.Bl -tag -width ".Cm no_warn" -.It Cm debug -.Xr syslog 3 -debugging information at -.Dv LOG_DEBUG -level. -.It Cm no_warn -suppress warning messages to the user. -These messages include reasons why the user's authentication attempt -was declined. 
-.El -.Sh SEE ALSO -.Xr opie 4 , -.Xr opieaccess 5 , -.Xr pam.conf 5 , -.Xr pam 8 , -.Xr pam_opie 8 -.Sh AUTHORS -The -.Nm -module and this manual page were developed for the -.Fx -Project by -ThinkSec AS and NAI Labs, the Security Research Division of Network -Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 -.Pq Dq CBOSS , -as part of the DARPA CHATS research program. diff --git a/lib/libpam/modules/pam_opieaccess/pam_opieaccess.c b/lib/libpam/modules/pam_opieaccess/pam_opieaccess.c deleted file mode 100644 index 008d368cba..0000000000 --- a/lib/libpam/modules/pam_opieaccess/pam_opieaccess.c +++ /dev/null 
@@ -1,98 +0,0 @@ -/*- - * Copyright (c) 2002 Networks Associates Technology, Inc. - * All rights reserved. - * - * This software was developed for the FreeBSD Project by ThinkSec AS and - * NAI Labs, the Security Research Division of Network Associates, Inc. - * under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the - * DARPA CHATS research program. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. The name of the author may not be used to endorse or promote - * products derived from this software without specific prior written - * permission. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- * - * $FreeBSD: src/lib/libpam/modules/pam_opieaccess/pam_opieaccess.c,v 1.10.2.2 2002/07/06 14:11:26 des Exp $ - * $DragonFly: src/lib/libpam/modules/pam_opieaccess/Attic/pam_opieaccess.c,v 1.2 2003/06/17 04:26:50 dillon Exp $ - * $FreeBSD: src/lib/libpam/modules/pam_opieaccess/pam_opieaccess.c,v 1.10.2.2 2002/07/06 14:11:26 des Exp $ - */ - -#define _BSD_SOURCE - -#include -#include -#include -#include -#include - -#define PAM_SM_AUTH - -#include -#include -#include - -PAM_EXTERN int -pam_sm_authenticate(pam_handle_t *pamh, int flags __unused, - int argc __unused, const char *argv[] __unused) -{ - struct options options; - struct opie opie; - struct passwd *pwent; - char *luser, *rhost; - int r; - - pam_std_option(&options, NULL, argc, argv); - - PAM_LOG("Options processed"); - - r = pam_get_item(pamh, PAM_USER, (const void **)&luser); - if (r != PAM_SUCCESS) - return (r); - if (luser == NULL) - return (PAM_SERVICE_ERR); - - pwent = getpwnam(luser); - if (pwent == NULL || opielookup(&opie, luser) != 0) - return (PAM_SUCCESS); - - r = pam_get_item(pamh, PAM_RHOST, (const void **)&rhost); - if (r != PAM_SUCCESS) - return (r); - - if ((rhost == NULL || opieaccessfile(rhost)) && - opiealways(pwent->pw_dir) != 0) - return (PAM_SUCCESS); - - PAM_VERBOSE_ERROR("Refused; remote host is not in opieaccess"); - - return (PAM_AUTH_ERR); -} - -PAM_EXTERN int -pam_sm_setcred(pam_handle_t *pamh __unused, int flags __unused, - int argc __unused, const char *argv[] __unused) -{ - - return (PAM_SUCCESS); -} - -PAM_MODULE_ENTRY("pam_opieaccess"); diff --git a/lib/libpam/modules/pam_permit/Makefile b/lib/libpam/modules/pam_permit/Makefile deleted file mode 100644 index 81ed22f4af..0000000000 --- a/lib/libpam/modules/pam_permit/Makefile +++ /dev/null 
@@ -1,37 +0,0 @@ -# Copyright 1999 Max Khon. -# All rights reserved. -# -# Redistribution and use in source and binary forms, with or without -# modification, are permitted provided that the following conditions -# are met: -# 1. Redistributions of source code must retain the above copyright -# notice, this list of conditions and the following disclaimer. -# 2. Redistributions in binary form must reproduce the above copyright -# notice, this list of conditions and the following disclaimer in the -# documentation and/or other materials provided with the distribution. -# -# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND -# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE -# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS -# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT -# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY -# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF -# SUCH DAMAGE. -# -# $FreeBSD: src/lib/libpam/modules/pam_permit/Makefile,v 1.1.4.5 2002/07/03 23:04:11 des Exp $ -# $DragonFly: src/lib/libpam/modules/pam_permit/Attic/Makefile,v 1.2 2003/06/17 04:26:50 dillon Exp $ - - -LIB= pam_permit -SRCS= pam_permit.c -CFLAGS+= -Wall -CFLAGS+= -I${PAMDIR}/libpam/include -CFLAGS+= -I${.CURDIR}/../../libpam - -.include - -.PATH: ${PAMDIR}/modules/pam_permit diff --git a/lib/libpam/modules/pam_radius/Makefile b/lib/libpam/modules/pam_radius/Makefile deleted file mode 100644 index 65b025cf6b..0000000000 --- a/lib/libpam/modules/pam_radius/Makefile +++ /dev/null 
@@ -1,34 +0,0 @@ -# Copyright 1998 Juniper Networks, Inc. -# All rights reserved. -# -# Redistribution and use in source and binary forms, with or without -# modification, are permitted provided that the following conditions -# are met: -# 1. Redistributions of source code must retain the above copyright -# notice, this list of conditions and the following disclaimer. -# 2. Redistributions in binary form must reproduce the above copyright -# notice, this list of conditions and the following disclaimer in the -# documentation and/or other materials provided with the distribution. -# -# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND -# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE -# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS -# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT -# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY -# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF -# SUCH DAMAGE. -# -# $FreeBSD: src/lib/libpam/modules/pam_radius/Makefile,v 1.4.2.5 2002/07/03 21:41:30 des Exp $ -# $DragonFly: src/lib/libpam/modules/pam_radius/Attic/Makefile,v 1.2 2003/06/17 04:26:50 dillon Exp $ - -LIB= pam_radius -SRCS= pam_radius.c -DPADD= ${LIBRADIUS} -LDADD= -lradius -MAN= pam_radius.8 - -.include diff --git a/lib/libpam/modules/pam_radius/pam_radius.8 b/lib/libpam/modules/pam_radius/pam_radius.8 deleted file mode 100644 index 3196b16ab0..0000000000 --- a/lib/libpam/modules/pam_radius/pam_radius.8 +++ /dev/null 
@@ -1,134 +0,0 @@ -.\" Copyright (c) 1999 -.\" Andrzej Bialecki . All rights reserved. -.\" -.\" Copyright (c) 1992, 1993, 1994 -.\" The Regents of the University of California. All rights reserved. -.\" All rights reserved. -.\" -.\" This code is derived from software donated to Berkeley by -.\" Jan-Simon Pendry. -.\" -.\" Redistribution and use in source and binary forms, with or without -.\" modification, are permitted provided that the following conditions -.\" are met: -.\" 1. Redistributions of source code must retain the above copyright -.\" notice, this list of conditions and the following disclaimer. -.\" 2. Redistributions in binary form must reproduce the above copyright -.\" notice, this list of conditions and the following disclaimer in the -.\" documentation and/or other materials provided with the distribution. -.\" 3. All advertising materials mentioning features or use of this software -.\" must display the following acknowledgement: -.\" This product includes software developed by the University of -.\" California, Berkeley and its contributors. -.\" 4. Neither the name of the University nor the names of its contributors -.\" may be used to endorse or promote products derived from this software -.\" without specific prior written permission. -.\" -.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND -.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -.\" ARE DISCLAIMED. 
IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE -.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS -.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT -.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY -.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF -.\" SUCH DAMAGE. -.\" -.\" $FreeBSD: src/lib/libpam/modules/pam_radius/pam_radius.8,v 1.3.2.8 2003/04/08 13:20:23 sobomax Exp $ -.\" $DragonFly: src/lib/libpam/modules/pam_radius/Attic/pam_radius.8,v 1.2 2003/06/17 04:26:50 dillon Exp $ -.\" -.Dd October 28, 2002 -.Dt PAM_RADIUS 8 -.Os -.Sh NAME -.Nm pam_radius -.Nd RADIUS authentication PAM module -.Sh SYNOPSIS -.Op Ar service-name -.Ar module-type -.Ar control-flag -.Pa pam_radius -.Op Ar options -.Sh DESCRIPTION -The -.Nm -module provides authentication services based -upon the RADIUS (Remote Authentication Dial In User Service) protocol -for the PAM (Pluggable Authentication Module) framework. -.Pp -The -.Nm -module accepts these optional parameters: -.Bl -tag -width Fl -.It Cm use_first_pass -causes -.Nm -to use a previously entered password instead of prompting for a new one. -If no password has been entered then authentication fails. -.It Cm try_first_pass -causes -.Nm -to use a previously entered password, if one is available. If no -password has been entered, -.Nm -prompts for one as usual. -.It Cm echo_pass -causes echoing to be left on if -.Nm -prompts for a password. -.It Cm conf Ns = Ns Ar pathname -specifies a non-standard location for the RADIUS client configuration file -(normally located in -.Pa /etc/radius.conf ) . -.It Cm nas_id Ns No = Ns Ar identifier -specifies a NAS identifier to send instead of the hostname. 
-.It Cm template_user Ns No = Ns Ar username -specifies a user whose -.Xr passwd 5 -entry will be used as a template to create the session environment -if the supplied username doesn't exist in local password database. -The user -will be authenticated with the supplied username and password, but his -credentials to the system will be presented as the ones for -.Ar username , -i.e., his login class, home directory, resource limits, etc. will be set to ones -defined for -.Ar username . -.Pp -If this option is omitted, and there is no username -in the system databases equal to the supplied one (as determined by call to -.Xr getpwnam 3 ) , -the authentication will fail. -.El -.Sh FILES -.Bl -tag -width /etc/radius.conf -compact -.It Pa /etc/radius.conf -The standard RADIUS client configuration file for -.Nm -.El -.Sh SEE ALSO -.Xr passwd 5 , -.Xr radius.conf 5 , -.Xr pam 8 -.Sh HISTORY -The -.Nm -module first appeared in -.Fx 3.1 . -The -.Nm -manual page first appeared in -.Fx 3.3 . -.Sh AUTHORS -.An -nosplit -The -.Nm -manual page was written by -.An Andrzej Bialecki Aq abial@FreeBSD.org . -.Pp -The -.Nm -module was written by -.An John D. Polstra Aq jdp@FreeBSD.org . diff --git a/lib/libpam/modules/pam_radius/pam_radius.c b/lib/libpam/modules/pam_radius/pam_radius.c deleted file mode 100644 index cc1d28b4c9..0000000000 --- a/lib/libpam/modules/pam_radius/pam_radius.c +++ /dev/null 
@@ -1,346 +0,0 @@ -/*- - * Copyright 1998 Juniper Networks, Inc. - * All rights reserved. - * Copyright (c) 2001,2002 Networks Associates Technology, Inc. - * All rights reserved. - * - * Portions of this software were developed for the FreeBSD Project by - * ThinkSec AS and NAI Labs, the Security Research Division of Network - * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 - * ("CBOSS"), as part of the DARPA CHATS research program. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. The name of the author may not be used to endorse or promote - * products derived from this software without specific prior written - * permission. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- * - * $FreeBSD: src/lib/libpam/modules/pam_radius/pam_radius.c,v 1.2.6.2 2003/04/08 13:20:23 sobomax Exp $ - * $DragonFly: src/lib/libpam/modules/pam_radius/Attic/pam_radius.c,v 1.2 2003/06/17 04:26:50 dillon Exp $ - */ - -#include -#include -#include -#include -#include -#include -#include - -#define PAM_SM_AUTH - -#include -#include -#include - -enum { - PAM_OPT_CONF = PAM_OPT_STD_MAX, - PAM_OPT_TEMPLATE_USER, - PAM_OPT_NAS_ID -}; - -static struct opttab other_options[] = { - { "conf", PAM_OPT_CONF }, - { "template_user", PAM_OPT_TEMPLATE_USER }, - { "nas_id", PAM_OPT_NAS_ID }, - { NULL, 0 } -}; - -#define MAX_CHALLENGE_MSGS 10 -#define PASSWORD_PROMPT "RADIUS Password:" - -static int build_access_request(struct rad_handle *, const char *, - const char *, const char *, const void *, size_t); -static int do_accept(pam_handle_t *, struct rad_handle *); -static int do_challenge(pam_handle_t *, struct rad_handle *, - const char *); - -/* - * Construct an access request, but don't send it. Returns 0 on success, - * -1 on failure. 
- */ -static int -build_access_request(struct rad_handle *radh, const char *user, - const char *pass, const char *nas_id, const void *state, size_t state_len) -{ - char host[MAXHOSTNAMELEN]; - - if (rad_create_request(radh, RAD_ACCESS_REQUEST) == -1) { - syslog(LOG_CRIT, "rad_create_request: %s", rad_strerror(radh)); - return (-1); - } - if (nas_id == NULL && gethostname(host, sizeof host) != -1) - nas_id = host; - if ((user != NULL && - rad_put_string(radh, RAD_USER_NAME, user) == -1) || - (pass != NULL && - rad_put_string(radh, RAD_USER_PASSWORD, pass) == -1) || - (nas_id != NULL && - rad_put_string(radh, RAD_NAS_IDENTIFIER, nas_id) == -1)) { - syslog(LOG_CRIT, "rad_put_string: %s", rad_strerror(radh)); - return (-1); - } - if (state != NULL && rad_put_attr(radh, RAD_STATE, state, - state_len) == -1) { - syslog(LOG_CRIT, "rad_put_attr: %s", rad_strerror(radh)); - return (-1); - } - if (rad_put_int(radh, RAD_SERVICE_TYPE, RAD_AUTHENTICATE_ONLY) == -1) { - syslog(LOG_CRIT, "rad_put_int: %s", rad_strerror(radh)); - return (-1); - } - return (0); -} - -static int -do_accept(pam_handle_t *pamh, struct rad_handle *radh) -{ - int attrtype; - const void *attrval; - size_t attrlen; - char *s; - - while ((attrtype = rad_get_attr(radh, &attrval, &attrlen)) > 0) { - if (attrtype == RAD_USER_NAME) { - s = rad_cvt_string(attrval, attrlen); - if (s == NULL) { - syslog(LOG_CRIT, - "rad_cvt_string: out of memory"); - return (-1); - } - pam_set_item(pamh, PAM_USER, s); - free(s); - } - } - if (attrtype == -1) { - syslog(LOG_CRIT, "rad_get_attr: %s", rad_strerror(radh)); - return (-1); - } - return (0); -} - -static int -do_challenge(pam_handle_t *pamh, struct rad_handle *radh, const char *user) -{ - int retval; - int attrtype; - const void *attrval; - size_t attrlen; - const void *state; - size_t statelen; - struct pam_message msgs[MAX_CHALLENGE_MSGS]; - const struct pam_message *msg_ptrs[MAX_CHALLENGE_MSGS]; - struct pam_response *resp; - int num_msgs; - const void *item; - const 
struct pam_conv *conv; - - state = NULL; - statelen = 0; - num_msgs = 0; - while ((attrtype = rad_get_attr(radh, &attrval, &attrlen)) > 0) { - switch (attrtype) { - - case RAD_STATE: - state = attrval; - statelen = attrlen; - break; - - case RAD_REPLY_MESSAGE: - if (num_msgs >= MAX_CHALLENGE_MSGS) { - syslog(LOG_CRIT, - "Too many RADIUS challenge messages"); - return (PAM_SERVICE_ERR); - } - msgs[num_msgs].msg = rad_cvt_string(attrval, attrlen); - if (msgs[num_msgs].msg == NULL) { - syslog(LOG_CRIT, - "rad_cvt_string: out of memory"); - return (PAM_SERVICE_ERR); - } - msgs[num_msgs].msg_style = PAM_TEXT_INFO; - msg_ptrs[num_msgs] = &msgs[num_msgs]; - num_msgs++; - break; - } - } - if (attrtype == -1) { - syslog(LOG_CRIT, "rad_get_attr: %s", rad_strerror(radh)); - return (PAM_SERVICE_ERR); - } - if (num_msgs == 0) { - msgs[num_msgs].msg = strdup("(null RADIUS challenge): "); - if (msgs[num_msgs].msg == NULL) { - syslog(LOG_CRIT, "Out of memory"); - return (PAM_SERVICE_ERR); - } - msgs[num_msgs].msg_style = PAM_TEXT_INFO; - msg_ptrs[num_msgs] = &msgs[num_msgs]; - num_msgs++; - } - msgs[num_msgs-1].msg_style = PAM_PROMPT_ECHO_ON; - if ((retval = pam_get_item(pamh, PAM_CONV, &item)) != PAM_SUCCESS) { - syslog(LOG_CRIT, "do_challenge: cannot get PAM_CONV"); - return (retval); - } - conv = (const struct pam_conv *)item; - if ((retval = conv->conv(num_msgs, msg_ptrs, &resp, - conv->appdata_ptr)) != PAM_SUCCESS) - return (retval); - if (build_access_request(radh, user, resp[num_msgs-1].resp, NULL, - state, statelen) == -1) - return (PAM_SERVICE_ERR); - memset(resp[num_msgs-1].resp, 0, strlen(resp[num_msgs-1].resp)); - free(resp[num_msgs-1].resp); - free(resp); - while (num_msgs > 0) - free(msgs[--num_msgs].msg); - return (PAM_SUCCESS); -} - -PAM_EXTERN int -pam_sm_authenticate(pam_handle_t *pamh, int flags __unused, - int argc, const char *argv[]) -{ - struct options options; - struct rad_handle *radh; - const char *user, *tmpuser, *pass; - char *conf_file, *template_user, 
*nas_id; - int retval; - int e; - - pam_std_option(&options, other_options, argc, argv); - - PAM_LOG("Options processed"); - - conf_file = NULL; - pam_test_option(&options, PAM_OPT_CONF, &conf_file); - template_user = NULL; - pam_test_option(&options, PAM_OPT_TEMPLATE_USER, &template_user); - nas_id = NULL; - pam_test_option(&options, PAM_OPT_NAS_ID, &nas_id); - - retval = pam_get_user(pamh, &user, NULL); - if (retval != PAM_SUCCESS) - return (retval); - - PAM_LOG("Got user: %s", user); - - retval = pam_get_pass(pamh, &pass, PASSWORD_PROMPT, &options); - if (retval != PAM_SUCCESS) - return (retval); - - PAM_LOG("Got password"); - - radh = rad_open(); - if (radh == NULL) { - syslog(LOG_CRIT, "rad_open failed"); - return (PAM_SERVICE_ERR); - } - - PAM_LOG("Radius opened"); - - if (rad_config(radh, conf_file) == -1) { - syslog(LOG_ALERT, "rad_config: %s", rad_strerror(radh)); - rad_close(radh); - return (PAM_SERVICE_ERR); - } - - PAM_LOG("Radius config file read"); - - if (build_access_request(radh, user, pass, nas_id, NULL, 0) == -1) { - rad_close(radh); - return (PAM_SERVICE_ERR); - } - - PAM_LOG("Radius build access done"); - - for (;;) { - switch (rad_send_request(radh)) { - - case RAD_ACCESS_ACCEPT: - e = do_accept(pamh, radh); - rad_close(radh); - if (e == -1) - return (PAM_SERVICE_ERR); - if (template_user != NULL) { - - PAM_LOG("Trying template user: %s", - template_user); - - /* - * If the given user name doesn't exist in - * the local password database, change it - * to the value given in the "template_user" - * option. 
- */ - retval = pam_get_item(pamh, PAM_USER, - (const void **)&tmpuser); - if (retval != PAM_SUCCESS) - return (retval); - if (getpwnam(tmpuser) == NULL) { - pam_set_item(pamh, PAM_USER, - template_user); - PAM_LOG("Using template user"); - } - - } - return (PAM_SUCCESS); - - case RAD_ACCESS_REJECT: - rad_close(radh); - PAM_VERBOSE_ERROR("Radius rejection"); - return (PAM_AUTH_ERR); - - case RAD_ACCESS_CHALLENGE: - retval = do_challenge(pamh, radh, user); - if (retval != PAM_SUCCESS) { - rad_close(radh); - return (retval); - } - break; - - case -1: - syslog(LOG_CRIT, "rad_send_request: %s", - rad_strerror(radh)); - rad_close(radh); - PAM_VERBOSE_ERROR("Radius failure"); - return (PAM_AUTHINFO_UNAVAIL); - - default: - syslog(LOG_CRIT, - "rad_send_request: unexpected return value"); - rad_close(radh); - PAM_VERBOSE_ERROR("Radius error"); - return (PAM_SERVICE_ERR); - } - } -} - -PAM_EXTERN int -pam_sm_setcred(pam_handle_t *pamh __unused, int flags __unused, - int argc __unused, const char *argv[] __unused) -{ - - return (PAM_SUCCESS); -} - -PAM_MODULE_ENTRY("pam_radius"); diff --git a/lib/libpam/modules/pam_skey/Makefile b/lib/libpam/modules/pam_skey/Makefile deleted file mode 100644 index d7bc991c63..0000000000 --- a/lib/libpam/modules/pam_skey/Makefile +++ /dev/null 
@@ -1,37 +0,0 @@
-# Copyright 1998 Juniper Networks, Inc.
-# All rights reserved.
-#
-# Redistribution and use in source and binary forms, with or without
-# modification, are permitted provided that the following conditions
-# are met:
-# 1. Redistributions of source code must retain the above copyright
-# notice, this list of conditions and the following disclaimer.
-# 2. Redistributions in binary form must reproduce the above copyright
-# notice, this list of conditions and the following disclaimer in the
-# documentation and/or other materials provided with the distribution.
-#
-# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
-# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
-# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-# SUCH DAMAGE.
-#
-# $FreeBSD: src/lib/libpam/modules/pam_skey/Makefile,v 1.2.6.4 2002/07/03 21:41:30 des Exp $
-# $DragonFly: src/lib/libpam/modules/pam_skey/Attic/Makefile,v 1.2 2003/06/17 04:26:50 dillon Exp $
-
-
-LIB= pam_skey
-SRCS= pam_skey.c
-CFLAGS+= -Wall
-CFLAGS+= -I${PAMDIR}/libpam/include
-CFLAGS+= -I${.CURDIR}/../../libpam
-DPADD+= ${LIBSKEY}
-LDADD+= -lskey
-
-.include
diff --git a/lib/libpam/modules/pam_skey/pam_skey.c b/lib/libpam/modules/pam_skey/pam_skey.c
deleted file mode 100644
index f7e9cf5d93..0000000000
--- a/lib/libpam/modules/pam_skey/pam_skey.c
+++ /dev/null
@@ -1,120 +0,0 @@ -/*- - * Copyright 1998 Juniper Networks, Inc. - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- * - * $FreeBSD: src/lib/libpam/modules/pam_skey/pam_skey.c,v 1.2.6.2 2003/02/10 12:15:30 des Exp $ - * $DragonFly: src/lib/libpam/modules/pam_skey/Attic/pam_skey.c,v 1.2 2003/06/17 04:26:50 dillon Exp $ - */ - -#include /* XXX */ - -#include -#include -#include - -#define PAM_SM_AUTH -#include -#include -#include - -enum { - PAM_OPT_AUTH_AS_SELF = PAM_OPT_STD_MAX, - PAM_OPT_NO_FAKE_PROMPTS -}; - -static struct opttab other_options[] = { - { "auth_as_self", PAM_OPT_AUTH_AS_SELF }, - { "no_fake_prompts", PAM_OPT_NO_FAKE_PROMPTS }, - { NULL, 0 } -}; - -PAM_EXTERN int -pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, - const char **argv) -{ - int retval; - const char *user; - const char *response; - struct skey skey; - char challenge[128]; - char prompt[128]; - char resp_buf[128]; - struct options options; - int e; - - pam_std_option(&options, other_options, argc, argv); - /* - * It doesn't make sense to use a password that has already been - * typed in, since we haven't presented the challenge to the user - * yet. - */ - pam_clear_option(&options, PAM_OPT_USE_FIRST_PASS); - pam_clear_option(&options, PAM_OPT_TRY_FIRST_PASS); - if ((retval = pam_get_user(pamh, &user, NULL)) != PAM_SUCCESS) - return retval; - if (skeyinfo(&skey, user, challenge) != 0) - return PAM_AUTH_ERR; - snprintf(prompt, sizeof prompt, "%s\nPassword: ", challenge); - if ((retval = pam_get_pass(pamh, &response, prompt, &options)) != - PAM_SUCCESS) - return retval; - if (response[0] == '\0' && - !pam_test_option(&options, PAM_OPT_ECHO_PASS, NULL)) { - pam_set_option(&options, PAM_OPT_ECHO_PASS); - snprintf(prompt, sizeof prompt, - "%s\nPassword [echo on]: ", challenge); - retval = pam_get_pass(pamh, &response, prompt, &options); - pam_clear_option(&options, PAM_OPT_ECHO_PASS); - if (retval != PAM_SUCCESS) - return retval; - } - /* - * Skeyinfo closed the database file, so we have to call skeylookup - * to open it again. 
 */
- if ((e = skeylookup(&skey, user)) != 0) {
- if (e == -1) {
- syslog(LOG_ERR, "Error opening S/Key database");
- return PAM_SERVICE_ERR;
- } else
- return PAM_AUTH_ERR;
- }
- /* We have to copy the response, because skeyverify mucks with it. */
- snprintf(resp_buf, sizeof resp_buf, "%s", response);
- /*
- * Skeyverify is supposed to return -1 only if an error occurs.
- * But it returns -1 even if the response string isn't in the form
- * it expects. Thus we can't log an error and can only check for
- * success or lack thereof.
- */
- return skeyverify(&skey, resp_buf) == 0 ? PAM_SUCCESS : PAM_AUTH_ERR;
-}
-
-PAM_EXTERN int
-pam_sm_setcred(pam_handle_t *pamh, int flags, int argc, const char **argv)
-{
- return PAM_SUCCESS;
-}
-
-PAM_MODULE_ENTRY("pam_skey");
diff --git a/lib/libpam/modules/pam_ssh/Makefile b/lib/libpam/modules/pam_ssh/Makefile
deleted file mode 100644
index d12996f371..0000000000
--- a/lib/libpam/modules/pam_ssh/Makefile
+++ /dev/null
@@ -1,14 +0,0 @@
-# PAM module for SSH
-# $FreeBSD: src/lib/libpam/modules/pam_ssh/Makefile,v 1.2.2.5 2002/07/03 21:41:30 des Exp $
-# $DragonFly: src/lib/libpam/modules/pam_ssh/Attic/Makefile,v 1.4 2004/08/30 21:59:58 geekgod Exp $
-
-SSHSRC= ${.CURDIR}/../../../../crypto/openssh-3.9p1
-
-LIB= pam_ssh
-SRCS= pam_ssh.c
-CFLAGS+= -I${SSHSRC} -D__dead=__dead2
-DPADD= ${LIBSSH} ${LIBCRYPTO} ${LIBCRYPT} ${LIBUTIL}
-LDADD= -lssh -lcrypto -lcrypt -lutil
-MAN= pam_ssh.8
-
-.include
diff --git a/lib/libpam/modules/pam_ssh/pam_ssh.8 b/lib/libpam/modules/pam_ssh/pam_ssh.8
deleted file mode 100644
index dad44a6da4..0000000000
--- a/lib/libpam/modules/pam_ssh/pam_ssh.8
+++ /dev/null
@@ -1,149 +0,0 @@
-.\" Copyright (c) 2001 Mark R V Murray
-.\" All rights reserved.
-.\" Copyright (c) 2001 Networks Associates Technology, Inc.
-.\" All rights reserved.
-.\"
-.\" This software was developed for the FreeBSD Project by ThinkSec AS and
-.\" NAI Labs, the Security Research Division of Network Associates, Inc.
-.\" under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
-.\" DARPA CHATS research program.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in the
-.\" documentation and/or other materials provided with the distribution.
-.\" 3. The name of the author may not be used to endorse or promote
-.\" products derived from this software without specific prior written
-.\" permission.
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
-.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
-.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-.\" SUCH DAMAGE.
-.\"
-.\" $FreeBSD: src/lib/libpam/modules/pam_ssh/pam_ssh.8,v 1.8.2.2 2002/07/03 21:41:30 des Exp $
-.\" $DragonFly: src/lib/libpam/modules/pam_ssh/Attic/pam_ssh.8,v 1.2 2003/06/17 04:26:50 dillon Exp $
-.\"
-.Dd November 26, 2001
-.Dt PAM_SSH 8
-.Os
-.Sh NAME
-.Nm pam_ssh
-.Nd SSH PAM module
-.Sh SYNOPSIS
-.Op Ar service-name
-.Ar module-type
-.Ar control-flag
-.Pa pam_ssh
-.Op Ar options
-.Sh DESCRIPTION
-The
-SSH
-authentication service module for PAM,
-.Nm
-provides functionality for two PAM categories:
-authentication
-and session management.
-In terms of the
-.Ar module-type
-parameter, they are the
-.Dq Li auth
-and
-.Dq Li session
-features.
-It also provides null functions for the remaining categories.
-.Ss SSH Authentication Module
-The
-SSH
-authentication component
-provides a function to verify the identity of a user
-.Pq Fn pam_sm_authenticate ,
-by prompting the user for a passphrase and verifying that it can
-decrypt the target user's SSH key using that passphrase.
-.Pp
-The following options may be passed to the authentication module:
-.Bl -tag -width ".Cm use_first_pass"
-.It Cm debug
-.Xr syslog 3
-debugging information at
-.Dv LOG_DEBUG
-level.
-.It Cm use_first_pass
-If the authentication module
-is not the first in the stack,
-and a previous module
-obtained the user's password,
-that password is used
-to authenticate the user.
-If this fails,
-the authentication module returns failure
-without prompting the user for a password.
-This option has no effect
-if the authentication module
-is the first in the stack,
-or if no previous modules
-obtained the user's password.
-.It Cm try_first_pass
-This option is similar to the
-.Cm use_first_pass
-option,
-except that if the previously obtained password fails,
-the user is prompted for another password.
-.El
-.Ss SSH Session Management Module
-The
-SSH
-session management component
-provides functions to initiate
-.Pq Fn pam_sm_open_session
-and terminate
-.Pq Fn pam_sm_close_session
-sessions.
-The
-.Fn pam_sm_open_session
-function starts an SSH agent,
-passing it any private keys it decrypted
-during the authentication phase,
-and sets the environment variables
-the agent specifies.
-The
-.Fn pam_sm_close_session
-function kills the previously started SSH agent
-by sending it a
-.Dv SIGTERM .
-.Pp
-The following options may be passed to the session management module:
-.Bl -tag -width ".Cm use_first_pass"
-.It Cm debug
-.Xr syslog 3
-debugging information at
-.Dv LOG_DEBUG
-level.
-.El
-.Sh FILES
-.Bl -tag -width ".Pa $HOME/.ssh2/id_dsa_*" -compact
-.It Pa $HOME/.ssh/identity
-SSH1/OpenSSH RSA key.
-.It Pa $HOME/.ssh/id_dsa
-OpenSSH DSA key.
-.It Pa $HOME/.ssh2/id_rsa_*
-SSH2 RSA keys.
-.It Pa $HOME/.ssh2/id_dsa_*
-SSH2 DSA keys.
-.El
-.Sh SEE ALSO
-.Xr ssh-agent 1 ,
-.Xr syslog 3 ,
-.Xr pam.conf 5 ,
-.Xr pam 8
diff --git a/lib/libpam/modules/pam_ssh/pam_ssh.c b/lib/libpam/modules/pam_ssh/pam_ssh.c
deleted file mode 100644
index 89a92c233d..0000000000
--- a/lib/libpam/modules/pam_ssh/pam_ssh.c
+++ /dev/null
@@ -1,619 +0,0 @@ -/*- - * Copyright (c) 1999, 2000 Andrew J. Korty - * All rights reserved. - * Copyright (c) 2001,2002 Networks Associates Technology, Inc. - * All rights reserved. - * - * Portions of this software were developed for the FreeBSD Project by - * ThinkSec AS and NAI Labs, the Security Research Division of Network - * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 - * ("CBOSS"), as part of the DARPA CHATS research program. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. The name of the author may not be used to endorse or promote - * products derived from this software without specific prior written - * permission. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- * - * $Id: pam_ssh.c,v 1.23 2001/08/20 01:44:02 akorty Exp $ - * $FreeBSD: src/lib/libpam/modules/pam_ssh/pam_ssh.c,v 1.28.2.4 2002/07/12 09:24:56 des Exp $ - * $DragonFly: src/lib/libpam/modules/pam_ssh/Attic/pam_ssh.c,v 1.2 2003/06/17 04:26:50 dillon Exp $ - */ - -#include -#include -#include - -#include -#include -#include -#include -#include -#include -#include - -#define PAM_SM_AUTH -#define PAM_SM_SESSION - -#include -#include -#include - -#include -#include - -#include "key.h" -#include "authfd.h" -#include "authfile.h" -#include "log.h" -#include "pam_ssh.h" - -enum { - PAM_OPT_KEYFILES = PAM_OPT_STD_MAX -}; - -static struct opttab other_options[] = { - { "keyfiles", PAM_OPT_KEYFILES }, - { NULL, 0 } -}; - -static void key_cleanup(pam_handle_t *, void *, int); -static void ssh_cleanup(pam_handle_t *, void *, int); - -/* - * Generic cleanup function for OpenSSH "Key" type. - */ - -static void -key_cleanup(pam_handle_t *pamh __unused, void *data, int err __unused) -{ - if (data) - key_free(data); -} - - -/* - * Generic PAM cleanup function for this module. - */ - -static void -ssh_cleanup(pam_handle_t *pamh __unused, void *data, int err __unused) -{ - if (data) - free(data); -} - - -/* - * Authenticate a user's key by trying to decrypt it with the password - * provided. The key and its comment are then stored for later - * retrieval by the session phase. An increasing index is embedded in - * the PAM variable names so this function may be called multiple times - * for multiple keys. 
- */ - -static int -auth_via_key(pam_handle_t *pamh, const char *file, const char *dir, - const struct passwd *user, const char *pass, struct options *options) -{ - char *comment; /* private key comment */ - char *data_name; /* PAM state */ - static int key_idx = 0; /* for saved keys */ - Key *key; /* user's key */ - char *path; /* to key files */ - int retval; /* from calls */ - - /* locate the user's private key file */ - - if (!asprintf(&path, "%s/%s", dir, file)) { - PAM_LOG( "%m"); - return (PAM_SERVICE_ERR); - } - - /* Try to decrypt the private key with the passphrase provided. If - success, the user is authenticated. */ - - comment = NULL; - if ((retval = openpam_borrow_cred(pamh, user)) != PAM_SUCCESS) - return (retval); - key = key_load_private(path, pass, &comment); - openpam_restore_cred(pamh); - free(path); - if (!comment) - comment = strdup(file); - if (!key) { - free(comment); - return (PAM_AUTH_ERR); - } - - /* save the key and comment to pass to ssh-agent in the session - phase */ - - if (!asprintf(&data_name, "ssh_private_key_%d", key_idx)) { - PAM_LOG( "%m"); - free(comment); - return (PAM_SERVICE_ERR); - } - retval = pam_set_data(pamh, data_name, key, key_cleanup); - free(data_name); - if (retval != PAM_SUCCESS) { - key_free(key); - free(comment); - return (retval); - } - if (!asprintf(&data_name, "ssh_key_comment_%d", key_idx)) { - PAM_LOG( "%m"); - free(comment); - return (PAM_SERVICE_ERR); - } - retval = pam_set_data(pamh, data_name, comment, ssh_cleanup); - free(data_name); - if (retval != PAM_SUCCESS) { - free(comment); - return (retval); - } - - ++key_idx; - return (PAM_SUCCESS); -} - - -/* - * Add the keys stored by auth_via_key() to the agent connected to the - * socket provided. 
- */ - -static int -add_keys(pam_handle_t *pamh, struct options *options) -{ - AuthenticationConnection *ac; /* connection to ssh-agent */ - char *comment; /* private key comment */ - char *data_name; /* PAM state */ - int final; /* final return value */ - int key_idx; /* for saved keys */ - Key *key; /* user's private key */ - int retval; /* from calls */ - - /* - * Connect to the agent. - * - * XXX Because ssh_get_authentication_connection() gets the - * XXX agent parameters from the environment, we have to - * XXX temporarily replace the environment with the PAM - * XXX environment list. This is a hack. - */ - { - extern char **environ; - char **saved, **evp; - - saved = environ; - if ((environ = pam_getenvlist(pamh)) == NULL) { - environ = saved; - PAM_LOG( "%m"); - return (PAM_BUF_ERR); - } - ac = ssh_get_authentication_connection(); - for (evp = environ; *evp; evp++) - free(*evp); - free(environ); - environ = saved; - } - if (!ac) { - PAM_LOG( "%m"); - return (PAM_SESSION_ERR); - } - - /* hand off each private key to the agent */ - - final = 0; - for (key_idx = 0; ; key_idx++) { - if (!asprintf(&data_name, "ssh_private_key_%d", key_idx)) { - PAM_LOG( "%m"); - ssh_close_authentication_connection(ac); - return (PAM_SERVICE_ERR); - } - retval = pam_get_data(pamh, data_name, (const void **)&key); - free(data_name); - if (retval != PAM_SUCCESS) - break; - if (!asprintf(&data_name, "ssh_key_comment_%d", key_idx)) { - PAM_LOG( "%m"); - ssh_close_authentication_connection(ac); - return (PAM_SERVICE_ERR); - } - retval = pam_get_data(pamh, data_name, - (const void **)&comment); - free(data_name); - if (retval != PAM_SUCCESS) - break; - retval = ssh_add_identity(ac, key, comment); - if (!final) - final = retval; - } - ssh_close_authentication_connection(ac); - - return (final ? 
PAM_SUCCESS : PAM_SESSION_ERR); -} - - -PAM_EXTERN int -pam_sm_authenticate(pam_handle_t *pamh, int flags __unused, - int argc __unused, const char *argv[] __unused) -{ - struct options options; - int authenticated; /* user authenticated? */ - char *dotdir; /* .ssh dir name */ - char *file; /* current key file */ - char *kfspec; /* list of key files to add */ - char *keyfiles; - const char *pass; /* passphrase */ - const struct passwd *pwent; /* user's passwd entry */ - struct passwd *pwent_keep; /* our own copy */ - int retval; /* from calls */ - const char *user; /* username */ - - pam_std_option(&options, other_options, argc, argv); - - if (!pam_test_option(&options, PAM_OPT_KEYFILES, &kfspec)) { - kfspec = DEF_KEYFILES; - } - - if ((retval = pam_get_user(pamh, &user, NULL)) != PAM_SUCCESS) - return (retval); - if (user == NULL || (pwent = getpwnam(user)) == NULL || - pwent->pw_dir == NULL || pwent->pw_dir[0] == '\0') - return (PAM_AUTH_ERR); - - /* pass prompt message to application and receive passphrase */ - - retval = pam_get_pass(pamh, &pass, NEED_PASSPHRASE, &options); - if (retval != PAM_SUCCESS) - return (retval); - - OpenSSL_add_all_algorithms(); /* required for DSA */ - - /* any key will authenticate us, but if we can decrypt all of the - specified keys, we'll do so here so we can cache them in the - session phase */ - - if (!asprintf(&dotdir, "%s/%s", pwent->pw_dir, SSH_CLIENT_DIR)) { - PAM_LOG( "%m"); - return (PAM_SERVICE_ERR); - } - authenticated = 0; - keyfiles = strdup(kfspec); - for (file = strtok(keyfiles, SEP_KEYFILES); file; - file = strtok(NULL, SEP_KEYFILES)) - if (auth_via_key(pamh, file, dotdir, pwent, pass, &options) == - PAM_SUCCESS) - authenticated++; - free(keyfiles); - free(dotdir); - if (!authenticated) - return (PAM_AUTH_ERR); - - /* copy the passwd entry (in case successive calls are made) and - save it for the session phase */ - - if (!(pwent_keep = malloc(sizeof *pwent))) { - PAM_LOG( "%m"); - return (PAM_SERVICE_ERR); - } - 
(void) memcpy(pwent_keep, pwent, sizeof *pwent_keep); - if ((retval = pam_set_data(pamh, "ssh_passwd_entry", pwent_keep, - ssh_cleanup)) != PAM_SUCCESS) { - free(pwent_keep); - return (retval); - } - - return (PAM_SUCCESS); -} - - -PAM_EXTERN int -pam_sm_setcred(pam_handle_t *pamh __unused, int flags __unused, - int argc __unused, const char *argv[] __unused) -{ - - return (PAM_SUCCESS); -} - - -PAM_EXTERN int -pam_sm_open_session(pam_handle_t *pamh, int flags __unused, - int argc __unused, const char *argv[] __unused) -{ - struct options options; - char *agent_socket; /* agent socket */ - char *env_end; /* end of env */ - FILE *env_read; /* env data source */ - char env_string[BUFSIZ]; /* environment string */ - char *env_value; /* envariable value */ - int env_write; /* env file descriptor */ - char hname[MAXHOSTNAMELEN]; /* local hostname */ - int no_link; /* link per-agent file? */ - char *per_agent; /* to store env */ - char *per_session; /* per-session filename */ - char *agent_pid; /* agent pid */ - const struct passwd *pwent; /* user's passwd entry */ - int retval; /* from calls */ - int start_agent; /* start agent? */ - const char *tty; /* tty or display name */ - - pam_std_option(&options, other_options, argc, argv); - - /* dump output of ssh-agent in ~/.ssh */ - if ((retval = pam_get_data(pamh, "ssh_passwd_entry", - (const void **)&pwent)) != PAM_SUCCESS) - return (retval); - - /* - * Use reference counts to limit agents to one per user per host. - * - * Technique: Create an environment file containing - * information about the agent. Only one file is created, but - * it may be given many names. One name is given for the - * agent itself, agent-. Another name is given for each - * session, agent-- or agent--. We - * delete the per-session filename on session close, and when - * the link count goes to unity on the per-agent file, we - * delete the file and kill the agent. 
- */ - - /* the per-agent file contains just the hostname */ - - (void) gethostname(hname, sizeof hname); - if (asprintf(&per_agent, "%s/.ssh/agent-%s", pwent->pw_dir, hname) - == -1) { - PAM_LOG( "%m"); - return (PAM_SERVICE_ERR); - } - - /* save the per-agent filename in case we want to delete it on - session close */ - - if ((retval = pam_set_data(pamh, "ssh_agent_env_agent", per_agent, - ssh_cleanup)) != PAM_SUCCESS) { - free(per_agent); - return (retval); - } - - /* take on the user's privileges for writing files and starting the - agent */ - - if ((retval = openpam_borrow_cred(pamh, pwent)) != PAM_SUCCESS) - return (retval); - - /* Try to create the per-agent file or open it for reading if it - exists. If we can't do either, we won't try to link a - per-session filename later. Start the agent if we can't open - the file for reading. */ - - env_write = no_link = 0; - env_read = NULL; - if ((env_write = open(per_agent, O_CREAT | O_EXCL | O_WRONLY, - S_IRUSR)) < 0 && !(env_read = fopen(per_agent, "r"))) - no_link = 1; - if (env_read) { - start_agent = 0; - openpam_restore_cred(pamh); - } else { - start_agent = 1; - env_read = popen(SSH_AGENT, "r"); - openpam_restore_cred(pamh); - if (!env_read) { - PAM_LOG( "%s: %m", SSH_AGENT); - if (env_write >= 0) - (void) close(env_write); - return (PAM_SESSION_ERR); - } - } - - /* save environment for application with pam_putenv() */ - - agent_socket = NULL; - while (fgets(env_string, sizeof env_string, env_read)) { - - /* parse environment definitions */ - - if (env_write >= 0) - (void) write(env_write, env_string, - strlen(env_string)); - if (!(env_value = strchr(env_string, '=')) || - !(env_end = strchr(env_value, ';'))) - continue; - *env_end = '\0'; - - /* pass to the application */ - - if (!((retval = pam_putenv(pamh, env_string)) == - PAM_SUCCESS)) { - if (start_agent) - (void) pclose(env_read); - else - (void) fclose(env_read); - if (env_write >= 0) - (void) close(env_write); - if (agent_socket) - 
free(agent_socket); - return (PAM_SERVICE_ERR); - } - - *env_value++ = '\0'; - - /* save the agent socket so we can connect to it and add - the keys as well as the PID so we can kill the agent on - session close. */ - - if (strcmp(&env_string[strlen(env_string) - - strlen(ENV_SOCKET_SUFFIX)], ENV_SOCKET_SUFFIX) == 0 && - !(agent_socket = strdup(env_value))) { - PAM_LOG( "%m"); - if (start_agent) - (void) pclose(env_read); - else - (void) fclose(env_read); - if (env_write >= 0) - (void) close(env_write); - if (agent_socket) - free(agent_socket); - return (PAM_SERVICE_ERR); - } else if (strcmp(&env_string[strlen(env_string) - - strlen(ENV_PID_SUFFIX)], ENV_PID_SUFFIX) == 0 && - ((agent_pid = strdup(env_value)) == NULL || - (retval = pam_set_data(pamh, "ssh_agent_pid", - agent_pid, ssh_cleanup)) != PAM_SUCCESS)) { - if (start_agent) - (void) pclose(env_read); - else - (void) fclose(env_read); - if (env_write >= 0) - (void) close(env_write); - if (agent_socket) - free(agent_socket); - if (agent_pid) - free(agent_pid); - return (retval); - } - - } - if (env_write >= 0) - (void) close(env_write); - - if (start_agent) { - switch (retval = pclose(env_read)) { - case -1: - PAM_LOG( "%s: %m", SSH_AGENT); - if (agent_socket) - free(agent_socket); - return (PAM_SESSION_ERR); - case 0: - break; - case 127: - PAM_LOG( "cannot execute %s", - SSH_AGENT); - if (agent_socket) - free(agent_socket); - return (PAM_SESSION_ERR); - default: - PAM_LOG( "%s exited %s %d", - SSH_AGENT, WIFSIGNALED(retval) ? "on signal" : - "with status", WIFSIGNALED(retval) ? 
- WTERMSIG(retval) : WEXITSTATUS(retval)); - if (agent_socket) - free(agent_socket); - return (PAM_SESSION_ERR); - } - } else - (void) fclose(env_read); - - if (!agent_socket) - return (PAM_SESSION_ERR); - - if (start_agent && (retval = add_keys(pamh, &options)) - != PAM_SUCCESS) - return (retval); - free(agent_socket); - - /* if we couldn't access the per-agent file, don't link a - per-session filename to it */ - - if (no_link) - return (PAM_SUCCESS); - - /* the per-session file contains the display name or tty name as - well as the hostname */ - - if ((retval = pam_get_item(pamh, PAM_TTY, (const void **)&tty)) - != PAM_SUCCESS) - return (retval); - if (asprintf(&per_session, "%s/.ssh/agent-%s-%s", pwent->pw_dir, - hname, tty) == -1) { - PAM_LOG( "%m"); - return (PAM_SERVICE_ERR); - } - - /* save the per-session filename so we can delete it on session - close */ - - if ((retval = pam_set_data(pamh, "ssh_agent_env_session", - per_session, ssh_cleanup)) != PAM_SUCCESS) { - free(per_session); - return (retval); - } - - (void) unlink(per_session); /* remove cruft */ - (void) link(per_agent, per_session); - - return (PAM_SUCCESS); -} - - -PAM_EXTERN int -pam_sm_close_session(pam_handle_t *pamh, int flags __unused, - int argc __unused, const char *argv[] __unused) -{ - struct options options; - const char *env_file; /* ssh-agent environment */ - pid_t pid; /* ssh-agent process id */ - int retval; /* from calls */ - const char *ssh_agent_pid; /* ssh-agent pid string */ - struct stat sb; /* to check st_nlink */ - - pam_std_option(&options, other_options, argc, argv); - - if ((retval = pam_get_data(pamh, "ssh_agent_env_session", - (const void **)&env_file)) == PAM_SUCCESS && env_file) - (void) unlink(env_file); - - /* Retrieve per-agent filename and check link count. If it's - greater than unity, other sessions are still using this - agent. 
*/ - - if ((retval = pam_get_data(pamh, "ssh_agent_env_agent", - (const void **)&env_file)) == PAM_SUCCESS && env_file && - stat(env_file, &sb) == 0) { - if (sb.st_nlink > 1) - return (PAM_SUCCESS); - (void) unlink(env_file); - } - - /* retrieve the agent's process id */ - - if ((retval = pam_get_data(pamh, "ssh_agent_pid", - (const void **)&ssh_agent_pid)) != PAM_SUCCESS) - return (retval); - - /* Kill the agent. SSH's ssh-agent does not have a -k option, so - just call kill(). */ - - pid = atoi(ssh_agent_pid); - if (pid <= 0) - return (PAM_SESSION_ERR); - if (kill(pid, SIGTERM) != 0) { - PAM_LOG( "%s: %m", ssh_agent_pid); - return (PAM_SESSION_ERR); - } - - return (PAM_SUCCESS); -} - -PAM_MODULE_ENTRY(MODULE_NAME); diff --git a/lib/libpam/modules/pam_tacplus/Makefile b/lib/libpam/modules/pam_tacplus/Makefile deleted file mode 100644 index b75671211d..0000000000 --- a/lib/libpam/modules/pam_tacplus/Makefile +++ /dev/null 
@@ -1,34 +0,0 @@ -# Copyright 1998 Juniper Networks, Inc. -# All rights reserved. -# -# Redistribution and use in source and binary forms, with or without -# modification, are permitted provided that the following conditions -# are met: -# 1. Redistributions of source code must retain the above copyright -# notice, this list of conditions and the following disclaimer. -# 2. Redistributions in binary form must reproduce the above copyright -# notice, this list of conditions and the following disclaimer in the -# documentation and/or other materials provided with the distribution. -# -# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND -# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE -# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS -# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT -# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY -# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF -# SUCH DAMAGE. -# -# $FreeBSD: src/lib/libpam/modules/pam_tacplus/Makefile,v 1.2.6.4 2002/07/03 21:41:31 des Exp $ -# $DragonFly: src/lib/libpam/modules/pam_tacplus/Attic/Makefile,v 1.2 2003/06/17 04:26:51 dillon Exp $ - -LIB= pam_tacplus -SRCS= pam_tacplus.c -DPADD= ${LIBTACPLUS} -LDADD= -ltacplus -MAN= pam_tacplus.8 - -.include diff --git a/lib/libpam/modules/pam_tacplus/pam_tacplus.8 b/lib/libpam/modules/pam_tacplus/pam_tacplus.8 deleted file mode 100644 index a3178f2ba0..0000000000 --- a/lib/libpam/modules/pam_tacplus/pam_tacplus.8 +++ /dev/null 
@@ -1,131 +0,0 @@ -.\" Copyright (c) 1999 -.\" Andrzej Bialecki . All rights reserved. -.\" -.\" Copyright (c) 1992, 1993, 1994 -.\" The Regents of the University of California. All rights reserved. -.\" All rights reserved. -.\" -.\" This code is derived from software donated to Berkeley by -.\" Jan-Simon Pendry. -.\" -.\" Redistribution and use in source and binary forms, with or without -.\" modification, are permitted provided that the following conditions -.\" are met: -.\" 1. Redistributions of source code must retain the above copyright -.\" notice, this list of conditions and the following disclaimer. -.\" 2. Redistributions in binary form must reproduce the above copyright -.\" notice, this list of conditions and the following disclaimer in the -.\" documentation and/or other materials provided with the distribution. -.\" 3. All advertising materials mentioning features or use of this software -.\" must display the following acknowledgement: -.\" This product includes software developed by the University of -.\" California, Berkeley and its contributors. -.\" 4. Neither the name of the University nor the names of its contributors -.\" may be used to endorse or promote products derived from this software -.\" without specific prior written permission. -.\" -.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND -.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -.\" ARE DISCLAIMED. 
IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE -.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS -.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT -.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY -.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF -.\" SUCH DAMAGE. -.\" -.\" $FreeBSD: src/lib/libpam/modules/pam_tacplus/pam_tacplus.8,v 1.3.2.1 2002/07/03 21:41:31 des Exp $ -.\" $DragonFly: src/lib/libpam/modules/pam_tacplus/Attic/pam_tacplus.8,v 1.2 2003/06/17 04:26:51 dillon Exp $ -.\" -.Dd August 2, 1999 -.Dt PAM_TACPLUS 8 -.Os -.Sh NAME -.Nm pam_tacplus -.Nd TACACS+ authentication PAM module -.Sh SYNOPSIS -.Op Ar service-name -.Ar module-type -.Ar control-flag -.Pa pam_tacplus -.Op Ar options -.Sh DESCRIPTION -The -.Nm -module provides authentication services based -upon the TACACS+ protocol -for the PAM (Pluggable Authentication Module) framework. -.Pp -The -.Nm -module accepts these optional parameters: -.Bl -tag -width ".Cm use_first_pass" -.It Cm use_first_pass -causes -.Nm -to use a previously entered password instead of prompting for a new one. -If no password has been entered then authentication fails. -.It Cm try_first_pass -causes -.Nm -to use a previously entered password, if one is available. -If no -password has been entered, -.Nm -prompts for one as usual. -.It Cm echo_pass -causes echoing to be left on if -.Nm -prompts for a password. -.It Cm conf Ns = Ns Ar pathname -specifies a non-standard location for the TACACS+ client configuration file -(normally located in -.Pa /etc/tacplus.conf ) . 
-.It Cm template_user Ns = Ns Ar username -specifies a user whose -.Xr passwd 5 -entry will be used as a template to create the session environment -if the supplied username does not exist in local password database. -The user -will be authenticated with the supplied username and password, but his -credentials to the system will be presented as the ones for -.Ar username , -i.e., his login class, home directory, resource limits, etc. will be set to ones -defined for -.Ar username . -.Pp -If this option is omitted, and there is no username -in the system databases equal to the supplied one (as determined by call to -.Xr getpwnam 3 ) , -the authentication will fail. -.El -.Sh FILES -.Bl -tag -width /etc/tacplus.conf -compact -.It Pa /etc/tacplus.conf -The standard TACACS+ client configuration file for -.Nm -.El -.Sh SEE ALSO -.Xr passwd 5 , -.Xr tacplus.conf 5 , -.Xr pam 8 -.Sh HISTORY -The -.Nm -module first appeared in -.Fx 3.1 . -.Sh AUTHORS -.An -nosplit -The -.Nm -manual page was written by -.An Andrzej Bialecki Aq abial@FreeBSD.org -and adapted to TACACS+ from RADIUS by -.An Mark R V Murray Aq markm@FreeBSD.org . -.Pp -The -.Nm -module was written by -.An John D. Polstra Aq jdp@FreeBSD.org . diff --git a/lib/libpam/modules/pam_tacplus/pam_tacplus.c b/lib/libpam/modules/pam_tacplus/pam_tacplus.c deleted file mode 100644 index 7427f5af47..0000000000 --- a/lib/libpam/modules/pam_tacplus/pam_tacplus.c +++ /dev/null 
@@ -1,350 +0,0 @@ -/*- - * Copyright 1998 Juniper Networks, Inc. - * All rights reserved. - * Copyright (c) 2001 Networks Associates Technology, Inc. - * All rights reserved. - * - * Portions of this software were developed for the FreeBSD Project by - * ThinkSec AS and NAI Labs, the Security Research Division of Network - * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 - * ("CBOSS"), as part of the DARPA CHATS research program. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. The name of the author may not be used to endorse or promote - * products derived from this software without specific prior written - * permission. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- * - * $FreeBSD: src/lib/libpam/modules/pam_tacplus/pam_tacplus.c,v 1.2.6.1 2002/07/03 21:41:31 des Exp $ - * $DragonFly: src/lib/libpam/modules/pam_tacplus/Attic/pam_tacplus.c,v 1.2 2003/06/17 04:26:51 dillon Exp $ - */ - -#include - -#include -#include -#include -#include -#include -#include - -#define PAM_SM_AUTH -#define PAM_SM_ACCOUNT -#define PAM_SM_SESSION -#define PAM_SM_PASSWORD - -#include -#include -#include - -enum { PAM_OPT_CONF=PAM_OPT_STD_MAX, PAM_OPT_TEMPLATE_USER }; - -static struct opttab other_options[] = { - { "conf", PAM_OPT_CONF }, - { "template_user", PAM_OPT_TEMPLATE_USER }, - { NULL, 0 } -}; - -typedef int (*set_func)(struct tac_handle *, const char *); - -static int do_item(pam_handle_t *, struct tac_handle *, int, - set_func, const char *); -static char *get_msg(struct tac_handle *); -static int set_msg(struct tac_handle *, const char *); - -static int -do_item(pam_handle_t *pamh, struct tac_handle *tach, int item, - set_func func, const char *funcname) -{ - int retval; - const void *value; - - retval = pam_get_item(pamh, item, &value); - if (retval != PAM_SUCCESS) - return retval; - if (value != NULL && (*func)(tach, (const char *)value) == -1) { - syslog(LOG_CRIT, "%s: %s", funcname, tac_strerror(tach)); - tac_close(tach); - return PAM_SERVICE_ERR; - } - return PAM_SUCCESS; -} - -static char * -get_msg(struct tac_handle *tach) -{ - char *msg; - - msg = tac_get_msg(tach); - if (msg == NULL) { - syslog(LOG_CRIT, "tac_get_msg: %s", tac_strerror(tach)); - tac_close(tach); - return NULL; - } - return msg; -} - -static int -set_msg(struct tac_handle *tach, const char *msg) -{ - if (tac_set_msg(tach, msg) == -1) { - syslog(LOG_CRIT, "tac_set_msg: %s", tac_strerror(tach)); - tac_close(tach); - return -1; - } - return 0; -} - -PAM_EXTERN int -pam_sm_authenticate(pam_handle_t *pamh, int flags __unused, int argc, - const char **argv) -{ - struct options options; - int retval; - struct tac_handle *tach; - char *conf_file; - char *template_user; - 
- pam_std_option(&options, other_options, argc, argv); - - PAM_LOG("Options processed"); - - conf_file = NULL; - pam_test_option(&options, PAM_OPT_CONF, &conf_file); - template_user = NULL; - pam_test_option(&options, PAM_OPT_TEMPLATE_USER, &template_user); - - tach = tac_open(); - if (tach == NULL) { - syslog(LOG_CRIT, "tac_open failed"); - PAM_RETURN(PAM_SERVICE_ERR); - } - if (tac_config(tach, conf_file) == -1) { - syslog(LOG_ALERT, "tac_config: %s", tac_strerror(tach)); - tac_close(tach); - PAM_RETURN(PAM_SERVICE_ERR); - } - if (tac_create_authen(tach, TAC_AUTHEN_LOGIN, TAC_AUTHEN_TYPE_ASCII, - TAC_AUTHEN_SVC_LOGIN) == -1) { - syslog(LOG_CRIT, "tac_create_authen: %s", tac_strerror(tach)); - tac_close(tach); - PAM_RETURN(PAM_SERVICE_ERR); - } - - PAM_LOG("Done tac_open() ... tac_close()"); - - retval = do_item(pamh, tach, PAM_USER, tac_set_user, "tac_set_user"); - if (retval != PAM_SUCCESS) - PAM_RETURN(retval); - - PAM_LOG("Done user"); - - retval = do_item(pamh, tach, PAM_TTY, tac_set_port, "tac_set_port"); - if (retval != PAM_SUCCESS) - PAM_RETURN(retval); - - PAM_LOG("Done tty"); - - retval = do_item(pamh, tach, PAM_RHOST, tac_set_rem_addr, - "tac_set_rem_addr"); - if (retval != PAM_SUCCESS) - PAM_RETURN(retval); - - for ( ; ; ) { - char *srvr_msg; - size_t msg_len; - const char *user_msg; - char *data_msg; - int sflags; - int status; - - sflags = tac_send_authen(tach); - if (sflags == -1) { - syslog(LOG_CRIT, "tac_send_authen: %s", - tac_strerror(tach)); - tac_close(tach); - PAM_RETURN(PAM_AUTHINFO_UNAVAIL); - } - status = TAC_AUTHEN_STATUS(sflags); - if (!TAC_AUTHEN_NOECHO(sflags)) - pam_set_option(&options, PAM_OPT_ECHO_PASS); - switch (status) { - - case TAC_AUTHEN_STATUS_PASS: - tac_close(tach); - if (template_user != NULL) { - const void *item; - const char *user; - - PAM_LOG("Trying template user: %s", - template_user); - - /* - * If the given user name doesn't exist in - * the local password database, change it - * to the value given in the 
"template_user" - * option. - */ - retval = pam_get_item(pamh, PAM_USER, &item); - if (retval != PAM_SUCCESS) - PAM_RETURN(retval); - user = (const char *)item; - if (getpwnam(user) == NULL) { - pam_set_item(pamh, PAM_USER, - template_user); - PAM_LOG("Using template user"); - } - } - PAM_RETURN(PAM_SUCCESS); - - case TAC_AUTHEN_STATUS_FAIL: - tac_close(tach); - PAM_VERBOSE_ERROR("TACACS+ authentication failed"); - PAM_RETURN(PAM_AUTH_ERR); - - case TAC_AUTHEN_STATUS_GETUSER: - case TAC_AUTHEN_STATUS_GETPASS: - if ((srvr_msg = get_msg(tach)) == NULL) - PAM_RETURN(PAM_SERVICE_ERR); - if (status == TAC_AUTHEN_STATUS_GETUSER) - retval = pam_get_user(pamh, &user_msg, - srvr_msg[0] != '\0' ? srvr_msg : NULL); - else if (status == TAC_AUTHEN_STATUS_GETPASS) - retval = pam_get_pass(pamh, &user_msg, - srvr_msg[0] != '\0' ? srvr_msg : - "Password:", &options); - free(srvr_msg); - if (retval != PAM_SUCCESS) { - /* XXX - send a TACACS+ abort packet */ - tac_close(tach); - PAM_RETURN(retval); - } - if (set_msg(tach, user_msg) == -1) - PAM_RETURN(PAM_SERVICE_ERR); - break; - - case TAC_AUTHEN_STATUS_GETDATA: - if ((srvr_msg = get_msg(tach)) == NULL) - PAM_RETURN(PAM_SERVICE_ERR); - retval = pam_prompt(pamh, - pam_test_option(&options, PAM_OPT_ECHO_PASS, NULL) - ? PAM_PROMPT_ECHO_ON : PAM_PROMPT_ECHO_OFF, - srvr_msg[0] != '\0' ? 
srvr_msg : "Data:", - &data_msg); - free(srvr_msg); - if (retval != PAM_SUCCESS) { - /* XXX - send a TACACS+ abort packet */ - tac_close(tach); - PAM_RETURN(retval); - } - retval = set_msg(tach, data_msg); - memset(data_msg, 0, strlen(data_msg)); - free(data_msg); - if (retval == -1) - PAM_RETURN(PAM_SERVICE_ERR); - break; - - case TAC_AUTHEN_STATUS_ERROR: - srvr_msg = (char *)tac_get_data(tach, &msg_len); - if (srvr_msg != NULL && msg_len != 0) { - syslog(LOG_CRIT, "tac_send_authen:" - " server detected error: %s", srvr_msg); - free(srvr_msg); - } - else - syslog(LOG_CRIT, - "tac_send_authen: server detected error"); - tac_close(tach); - PAM_RETURN(PAM_AUTHINFO_UNAVAIL); - break; - - case TAC_AUTHEN_STATUS_RESTART: - case TAC_AUTHEN_STATUS_FOLLOW: - default: - syslog(LOG_CRIT, - "tac_send_authen: unexpected status %#x", status); - tac_close(tach); - PAM_RETURN(PAM_AUTHINFO_UNAVAIL); - } - } -} - -PAM_EXTERN int -pam_sm_setcred(pam_handle_t *pamh __unused, int flags __unused, int argc, const char **argv) -{ - struct options options; - - pam_std_option(&options, NULL, argc, argv); - - PAM_LOG("Options processed"); - - PAM_RETURN(PAM_IGNORE); -} - -PAM_EXTERN int -pam_sm_acct_mgmt(pam_handle_t *pamh __unused, int flags __unused, int argc ,const char **argv) -{ - struct options options; - - pam_std_option(&options, NULL, argc, argv); - - PAM_LOG("Options processed"); - - PAM_RETURN(PAM_IGNORE); -} - -PAM_EXTERN int -pam_sm_chauthtok(pam_handle_t *pamh __unused, int flags __unused, int argc, const char **argv) -{ - struct options options; - - pam_std_option(&options, NULL, argc, argv); - - PAM_LOG("Options processed"); - - PAM_RETURN(PAM_IGNORE); -} - -PAM_EXTERN int -pam_sm_open_session(pam_handle_t *pamh __unused, int flags __unused, int argc, const char **argv) -{ - struct options options; - - pam_std_option(&options, NULL, argc, argv); - - PAM_LOG("Options processed"); - - PAM_RETURN(PAM_IGNORE); -} - -PAM_EXTERN int -pam_sm_close_session(pam_handle_t *pamh 
__unused, int flags __unused, int argc, const char **argv) -{ - struct options options; - - pam_std_option(&options, NULL, argc, argv); - - PAM_LOG("Options processed"); - - PAM_RETURN(PAM_IGNORE); -} - -PAM_MODULE_ENTRY("pam_tacplus"); diff --git a/lib/libpam/modules/pam_unix/Makefile b/lib/libpam/modules/pam_unix/Makefile deleted file mode 100644 index 75ad165ab0..0000000000 --- a/lib/libpam/modules/pam_unix/Makefile +++ /dev/null 
@@ -1,37 +0,0 @@ -# Copyright 1998 Juniper Networks, Inc. -# All rights reserved. -# -# Redistribution and use in source and binary forms, with or without -# modification, are permitted provided that the following conditions -# are met: -# 1. Redistributions of source code must retain the above copyright -# notice, this list of conditions and the following disclaimer. -# 2. Redistributions in binary form must reproduce the above copyright -# notice, this list of conditions and the following disclaimer in the -# documentation and/or other materials provided with the distribution. -# -# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND -# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE -# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS -# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT -# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY -# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF -# SUCH DAMAGE. -# -# $FreeBSD: src/lib/libpam/modules/pam_unix/Makefile,v 1.4.2.4 2002/07/03 21:41:31 des Exp $ -# $DragonFly: src/lib/libpam/modules/pam_unix/Attic/Makefile,v 1.2 2003/06/17 04:26:51 dillon Exp $ - - -LIB= pam_unix -SRCS= pam_unix.c -CFLAGS+= -Wall -CFLAGS+= -I${PAMDIR}/libpam/include -CFLAGS+= -I${.CURDIR}/../../libpam -DPADD+= ${LIBUTIL} ${LIBCRYPT} -LDADD+= -lutil -lcrypt - -.include diff --git a/lib/libpam/modules/pam_unix/pam_unix.c b/lib/libpam/modules/pam_unix/pam_unix.c deleted file mode 100644 index 1cbac81ef0..0000000000 --- a/lib/libpam/modules/pam_unix/pam_unix.c +++ /dev/null 
@@ -1,172 +0,0 @@ -/*- - * Copyright 1998 Juniper Networks, Inc. - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- * - * $FreeBSD: src/lib/libpam/modules/pam_unix/pam_unix.c,v 1.4.2.4 2002/08/02 10:14:18 des Exp $ - * $DragonFly: src/lib/libpam/modules/pam_unix/Attic/pam_unix.c,v 1.2 2003/06/17 04:26:51 dillon Exp $ - */ - -#include -#include -#include -#include -#include -#include -#include -#include - -#define PAM_SM_AUTH -#define PAM_SM_ACCOUNT -#include - -#include - -#define PASSWORD_PROMPT "Password:" - -enum { - PAM_OPT_AUTH_AS_SELF = PAM_OPT_STD_MAX, - PAM_OPT_NULLOK -}; - -static struct opttab other_options[] = { - { "auth_as_self", PAM_OPT_AUTH_AS_SELF }, - { "nullok", PAM_OPT_NULLOK }, - { NULL, 0 } -}; - -/* - * authentication management - */ - -PAM_EXTERN int -pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, - const char **argv) -{ - int retval; - const char *user; - const char *password, *realpw; - struct passwd *pwd; - struct options options; - - pam_std_option(&options, other_options, argc, argv); - if (pam_test_option(&options, PAM_OPT_AUTH_AS_SELF, NULL)) { - pwd = getpwnam(getlogin()); - } else { - retval = pam_get_user(pamh, &user, NULL); - if (retval != PAM_SUCCESS) - return retval; - pwd = getpwnam(user); - } - if (pwd != NULL) { - realpw = pwd->pw_passwd; - if (realpw[0] == '\0') { - if (!(flags & PAM_DISALLOW_NULL_AUTHTOK) && - pam_test_option(&options, PAM_OPT_NULLOK, NULL)) - return PAM_SUCCESS; - realpw = "*"; - } - } else { - realpw = "*"; - } - if ((retval = pam_get_pass(pamh, &password, PASSWORD_PROMPT, - &options)) != PAM_SUCCESS) - return retval; - if (strcmp(crypt(password, realpw), realpw) == 0) - return PAM_SUCCESS; - return PAM_AUTH_ERR; -} - -PAM_EXTERN int -pam_sm_setcred(pam_handle_t *pamh, int flags, int argc, const char **argv) -{ - return PAM_SUCCESS; -} - -/* - * account management - * - * check pw_change and pw_expire fields - */ -PAM_EXTERN -int pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, - int argc, const char **argv) -{ - const char *user; - struct passwd *pw; - struct timeval tp; - time_t warntime; - login_cap_t 
*lc = NULL; - char buf[128]; - int retval; - - retval = pam_get_item(pamh, PAM_USER, (const void **)&user); - if (retval != PAM_SUCCESS || user == NULL) - /* some implementations return PAM_SUCCESS here */ - return PAM_USER_UNKNOWN; - - if ((pw = getpwnam(user)) == NULL) - return PAM_USER_UNKNOWN; - - retval = PAM_SUCCESS; - lc = login_getpwclass(pw); - - if (pw->pw_change || pw->pw_expire) - gettimeofday(&tp, NULL); - -#define DEFAULT_WARN (2L * 7L * 86400L) /* Two weeks */ - - warntime = login_getcaptime(lc, "warnpassword", DEFAULT_WARN, - DEFAULT_WARN); - - if (pw->pw_change) { - if (tp.tv_sec >= pw->pw_change) - /* some implementations return PAM_AUTHTOK_EXPIRED */ - retval = PAM_NEW_AUTHTOK_REQD; - else if (pw->pw_change - tp.tv_sec < warntime) { - snprintf(buf, sizeof(buf), - "Warning: your password expires on %s", - ctime(&pw->pw_change)); - pam_prompt(pamh, PAM_ERROR_MSG, buf, NULL); - } - } - - warntime = login_getcaptime(lc, "warnexpire", DEFAULT_WARN, - DEFAULT_WARN); - - if (pw->pw_expire) { - if (tp.tv_sec >= pw->pw_expire) - retval = PAM_ACCT_EXPIRED; - else if (pw->pw_expire - tp.tv_sec < warntime) { - snprintf(buf, sizeof(buf), - "Warning: your account expires on %s", - ctime(&pw->pw_expire)); - pam_prompt(pamh, PAM_ERROR_MSG, buf, NULL); - } - } - - login_close(lc); - return retval; -} - -PAM_MODULE_ENTRY("pam_unix"); diff --git a/lib/libpam/libpam/pam_prompt.c b/lib/libpam/pam_debug_log.c similarity index 56% rename from lib/libpam/libpam/pam_prompt.c rename to lib/libpam/pam_debug_log.c index f0bf4d9a12..46846bf29c 100644 --- a/lib/libpam/libpam/pam_prompt.c +++ b/lib/libpam/pam_debug_log.c @@ -1,5 +1,5 @@ /*- - * Copyright 1998 Juniper Networks, Inc. + * Copyright 2001 Mark R V Murray * All rights reserved. * * Redistribution and use in source and binary forms, with or without 
@@ -23,41 +23,40 @@ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * - * $FreeBSD: src/lib/libpam/libpam/pam_prompt.c,v 1.1.1.1.6.2 2002/07/03 21:45:44 des Exp $ - * $DragonFly: src/lib/libpam/libpam/Attic/pam_prompt.c,v 1.2 2003/06/17 04:26:50 dillon Exp $ + * $FreeBSD: src/lib/libpam/libpam/pam_debug_log.c,v 1.8 2002/04/14 16:44:04 des Exp $ + * $DragonFly: src/lib/libpam/pam_debug_log.c,v 1.1 2005/07/13 12:34:21 joerg Exp $ */ -#include +#include +#include +#include +#include +#include + +#include +#include #include -/* - * Do a simple conversation which can consist of a message and/or a user - * response. +/* Print a verbose error, including the function name and a + * cleaned up filename. */ -int -pam_prompt(pam_handle_t *pamh, int style, const char *prompt, char **user_msg) +void +_pam_verbose_error(pam_handle_t *pamh, int flags, + const char *file, const char *function, const char *format, ...) { - int retval; - const void *item; - const struct pam_conv *conv; - struct pam_message msg; - const struct pam_message *msgs[1]; - struct pam_response *resp; + va_list ap; + char *fmtbuf, *modname, *period; - if ((retval = pam_get_item(pamh, PAM_CONV, &item)) != - PAM_SUCCESS) - return retval; - conv = (const struct pam_conv *)item; - msg.msg_style = style; - msg.msg = prompt != NULL ? prompt : ""; - msgs[0] = &msg; - if ((retval = conv->conv(1, msgs, &resp, conv->appdata_ptr)) != - PAM_SUCCESS) - return retval; - if (user_msg != NULL) - *user_msg = resp[0].resp; - else if (resp[0].resp != NULL) - free(resp[0].resp); - free(resp); - return PAM_SUCCESS; + if (!(flags & PAM_SILENT) && !openpam_get_option(pamh, "no_warn")) { + modname = basename(file); + period = strchr(modname, '.'); + if (period == NULL) + period = strchr(modname, '\0'); + va_start(ap, format); + asprintf(&fmtbuf, "%.*s: %s: %s\n", (int)(period - modname), + modname, function, format); + pam_verror(pamh, fmtbuf, ap); + free(fmtbuf); + va_end(ap); + } } 
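Review bot: The return value of asprintf() in _pam_verbose_error is not checked; on allocation failure fmtbuf is not guaranteed to be set (NULL on the BSD libc, unspecified elsewhere) and is then handed to pam_verror() as the format string and to free(). Guard it: `if (asprintf(&fmtbuf, "%.*s: %s: %s\n", (int)(period - modname), modname, function, format) == -1) { va_end(ap); return; }`. Separately, `basename(file)` is called on a `const char *` (the `__FILE__` literal at the expansion site); POSIX basename(3) takes a non-const pointer and may modify its argument, so this relies on the const-correct BSD variant and deserves a comment saying so. The function body is complete within the hunk.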
diff --git a/lib/libpam/modules/pam_ssh/pam_ssh.h b/lib/libpam/pam_mod_misc.h similarity index 62% rename from lib/libpam/modules/pam_ssh/pam_ssh.h rename to lib/libpam/pam_mod_misc.h index e777126fb8..b13686d258 100644 --- a/lib/libpam/modules/pam_ssh/pam_ssh.h +++ b/lib/libpam/pam_mod_misc.h @@ -1,5 +1,5 @@ /*- - * Copyright (c) 1999, 2000 Andrew J. Korty + * Copyright 1998 Juniper Networks, Inc. * All rights reserved. * * Redistribution and use in source and binary forms, with or without @@ -23,24 +23,35 @@ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * - * $FreeBSD: src/lib/libpam/modules/pam_ssh/pam_ssh.h,v 1.1.2.2 2002/07/03 21:41:30 des Exp $ - * $DragonFly: src/lib/libpam/modules/pam_ssh/Attic/pam_ssh.h,v 1.2 2003/06/17 04:26:51 dillon Exp $ - * + * $FreeBSD: src/lib/libpam/libpam/security/pam_mod_misc.h,v 1.12 2003/05/31 16:56:35 des Exp $ + * $DragonFly: src/lib/libpam/pam_mod_misc.h,v 1.1 2005/07/13 12:34:21 joerg Exp $ */ -#define SSH_CLIENT_DIR ".ssh" +#ifndef PAM_MOD_MISC_H +#define PAM_MOD_MISC_H + +#include + +/* + * Common option names + */ +#define PAM_OPT_NULLOK "nullok" +#define PAM_OPT_AUTH_AS_SELF "auth_as_self" +#define PAM_OPT_ECHO_PASS "echo_pass" +#define PAM_OPT_DEBUG "debug" -#define MODULE_NAME "pam_ssh" -#define NEED_PASSPHRASE "SSH passphrase: " -#define SSH_AGENT "ssh-agent" +__BEGIN_DECLS +void _pam_verbose_error(pam_handle_t *, int, const char *, + const char *, const char *, ...); +__END_DECLS -#define ENV_PID_SUFFIX "_AGENT_PID" -#define ENV_SOCKET_SUFFIX "_AUTH_SOCK" +#define PAM_LOG(...) \ + openpam_log(PAM_LOG_DEBUG, __VA_ARGS__) -#define DEF_KEYFILES "id_dsa,id_rsa,identity" +#define PAM_RETURN(arg) \ + return (arg) -#define OPT_KEYFILES "keyfiles" -#define OPT_TRY_FIRST_PASS "try_first_pass" -#define OPT_USE_FIRST_PASS "use_first_pass" +#define PAM_VERBOSE_ERROR(...) \ + _pam_verbose_error(pamh, flags, __FILE__, __FUNCTION__, __VA_ARGS__) -#define SEP_KEYFILES "," +#endif 
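Review bot: PAM_VERBOSE_ERROR expands to a call that picks up `pamh` and `flags` from the expansion site, but nothing in the header says so; a caller whose parameters are named differently gets an unhelpful compile error. Add above the macro: `/* Requires pamh and flags to be in scope at the point of use. */`. `__FUNCTION__` is a GCC extension; the C99 `__func__` serves the same purpose portably, so `_pam_verbose_error(pamh, flags, __FILE__, __func__, __VA_ARGS__)` removes the dependency on the compiler extension.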
diff --git a/lib/libpam/patches/openpam_configure.c.patch b/lib/libpam/patches/openpam_configure.c.patch new file mode 100644 index 0000000000..7830fe8643 --- /dev/null +++ b/lib/libpam/patches/openpam_configure.c.patch @@ -0,0 +1,14 @@ +$DragonFly: src/lib/libpam/patches/openpam_configure.c.patch,v 1.1 2005/07/13 12:34:21 joerg Exp $ + +--- openpam_configure.c.orig 2005-07-07 19:43:40.000000000 +0200 ++++ openpam_configure.c 2005-07-07 19:44:09.000000000 +0200 +@@ -69,7 +69,8 @@ + match_word(const char *str, const char *word) + { + +- while (*str && tolower(*str) == tolower(*word)) ++ while (*str && ++ tolower((unsigned char)*str) == tolower((unsigned char)*word)) + ++str, ++word; + return (*str == ' ' && *word == '\0'); + } diff --git a/lib/libpam/patches/openpam_ttyconv.c.patch b/lib/libpam/patches/openpam_ttyconv.c.patch new file mode 100644 index 0000000000..bbe461021f --- /dev/null +++ b/lib/libpam/patches/openpam_ttyconv.c.patch @@ -0,0 +1,13 @@ +$DragonFly: src/lib/libpam/patches/openpam_ttyconv.c.patch,v 1.1 2005/07/13 12:34:21 joerg Exp $ + +--- openpam_ttyconv.c.orig 2005-07-07 19:46:23.000000000 +0200 ++++ openpam_ttyconv.c 2005-07-07 19:46:26.000000000 +0200 +@@ -65,7 +65,7 @@ + char buf[PAM_MAX_RESP_SIZE]; + struct sigaction action, saved_action; + sigset_t saved_sigset, sigset; +- unsigned int saved_alarm; ++ unsigned int saved_alarm = 0; + int eof, error, fd; + size_t len; + char *retval; diff --git a/usr.bin/login/login.c b/usr.bin/login/login.c index 4287ddb916..035335a3aa 100644 --- a/usr.bin/login/login.c +++ b/usr.bin/login/login.c @@ -32,7 +32,7 @@ * * @(#)login.c 8.4 (Berkeley) 4/2/94 * $FreeBSD: src/usr.bin/login/login.c,v 1.51.2.15 2003/04/29 14:10:41 des Exp $ - * $DragonFly: src/usr.bin/login/login.c,v 1.4 2003/11/03 19:31:30 eirikn Exp $ + * $DragonFly: src/usr.bin/login/login.c,v 1.5 2005/07/13 12:34:22 joerg Exp $ */ #if 0 
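Review bot: Neither new patch file records why the change is needed, so whoever next updates the vendored OpenPAM has to rediscover it. Patch files accept free text before the `---` header; a one-line rationale in openpam_configure.c.patch such as `Cast to unsigned char before tolower(3): passing a negative plain char to a <ctype.h> function is undefined behavior.` would do, and openpam_ttyconv.c.patch should say whether `saved_alarm = 0` fixes a real uninitialized read or only silences a maybe-uninitialized warning (the body that sets it is not visible here). The C change in openpam_configure.c.patch itself is correct.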
@@ -76,7 +76,8 @@ static char copyright[] = #ifdef USE_PAM #include -#include +#include +#include #include #endif /* USE_PAM */ @@ -634,7 +635,7 @@ main(int argc, char **argv) PAM_END; exit(0); } else { - if ((e = pam_end(pamh, PAM_DATA_SILENT)) != PAM_SUCCESS) + if ((e = pam_end(pamh, PAM_SILENT)) != PAM_SUCCESS) syslog(LOG_ERR, "pam_end: %s", pam_strerror(pamh, e)); } @@ -764,7 +765,9 @@ auth_pam(void) const void *item; int rval; int e; - static struct pam_conv conv = { misc_conv, NULL }; + static struct pam_conv conv; + + conv.conv = &openpam_ttyconv; if ((e = pam_start("login", username, &conv, &pamh)) != PAM_SUCCESS) { syslog(LOG_ERR, "pam_start: %s", pam_strerror(pamh, e));
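Review bot: In auth_pam the conversation struct is now filled in at run time with `conv.conv = &openpam_ttyconv;` on every call, where a static initializer does the same once: `static struct pam_conv conv = { openpam_ttyconv, NULL };`. If the assignment form was chosen deliberately (for example because the initializer did not compile against the OpenPAM header), a short comment saying so would keep the next reader from reverting it. `conv.appdata_ptr` is now left to static zero-initialization, which is fine but worth stating since the old code set it explicitly. auth_pam continues outside the hunk.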