mirror of
https://github.com/adulau/ootp.git
synced 2024-11-22 18:17:10 +00:00
368 lines
9.5 KiB
C
368 lines
9.5 KiB
C
|
/*
|
||
|
* Copyright (c) 2005 Mark Fullmer
|
||
|
* Copyright (c) 2009 Mark Fullmer and the Ohio State University
|
||
|
* All rights reserved.
|
||
|
*
|
||
|
* Redistribution and use in source and binary forms, with or without
|
||
|
* modification, are permitted provided that the following conditions
|
||
|
* are met:
|
||
|
* 1. Redistributions of source code must retain the above copyright
|
||
|
* notice, this list of conditions and the following disclaimer.
|
||
|
* 2. Redistributions in binary form must reproduce the above copyright
|
||
|
* notice, this list of conditions and the following disclaimer in the
|
||
|
* documentation and/or other materials provided with the distribution.
|
||
|
*
|
||
|
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
|
||
|
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
||
|
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
||
|
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
|
||
|
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
||
|
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
|
||
|
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
||
|
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
||
|
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
||
|
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
||
|
* SUCH DAMAGE.
|
||
|
*
|
||
|
* $Id: pam_otp.c 13 2009-11-26 16:37:03Z maf $
|
||
|
*/
|
||
|
|
||
|
#include <stdio.h>
|
||
|
#include <syslog.h>
|
||
|
#include <stdlib.h>
|
||
|
#include <string.h>
|
||
|
#include <sys/types.h>
|
||
|
#include <sys/mman.h>
|
||
|
#include <sys/stat.h>
|
||
|
#include <sys/errno.h>
|
||
|
#include <unistd.h>
|
||
|
#include <fcntl.h>
|
||
|
#include <utmp.h>
|
||
|
|
||
|
#include "otplib.h"
|
||
|
#include "xerr.h"
|
||
|
|
||
|
#define PAM_SM_AUTH
|
||
|
#define PAM_SM_ACCOUNT
|
||
|
#define PAM_SM_SESSION
|
||
|
#define PAM_SM_PASSWORD
|
||
|
|
||
|
#ifndef __APPLE__
|
||
|
#include <security/pam_modules.h>
|
||
|
#include <security/pam_appl.h>
|
||
|
#else
|
||
|
#include <pam/pam_modules.h>
|
||
|
#include <pam/pam_appl.h>
|
||
|
#endif
|
||
|
|
||
|
#define _pam_drop(X) \
|
||
|
do { \
|
||
|
if (X) { \
|
||
|
free(X); \
|
||
|
X=NULL; \
|
||
|
} \
|
||
|
} while (0)
|
||
|
|
||
|
#define _pam_overwrite(x) \
|
||
|
do { \
|
||
|
register char *__xx__; \
|
||
|
if ((__xx__=(x))) \
|
||
|
while (*__xx__) \
|
||
|
*__xx__++ = '\0'; \
|
||
|
} while (0)
|
||
|
|
||
|
|
||
|
struct opts {
|
||
|
int debug;
|
||
|
int use_first_pass;
|
||
|
int try_first_pass;
|
||
|
int expose_account;
|
||
|
int display_count;
|
||
|
int allow_inactive;
|
||
|
int require_db_entry;
|
||
|
char *otpdb_fname;
|
||
|
};
|
||
|
|
||
|
int load_opts(struct opts *opts, int argc, const char **argv);
|
||
|
|
||
|
PAM_EXTERN
|
||
|
int pam_sm_authenticate(pam_handle_t *ph, int flags, int argc,
|
||
|
const char **argv)
|
||
|
{
|
||
|
struct pam_message pam_msg;
|
||
|
const struct pam_message *ppam_msg;
|
||
|
struct pam_conv *pam_conv;
|
||
|
struct pam_response *pam_resp;
|
||
|
struct otp_ctx *otpctx;
|
||
|
struct otp_user ou;
|
||
|
struct opts opts;
|
||
|
int r, ret, otpdb_flags;
|
||
|
const char *user;
|
||
|
char message[64];
|
||
|
|
||
|
ppam_msg = &pam_msg;
|
||
|
bzero(&pam_msg, sizeof (pam_msg));
|
||
|
pam_conv = 0L;
|
||
|
pam_resp = 0L;
|
||
|
ret = PAM_SERVICE_ERR;
|
||
|
otpdb_flags = 0;
|
||
|
|
||
|
xerr_setsyslog2(1); /* use syslog for output */
|
||
|
xerr_setid("pam_otp.so");
|
||
|
|
||
|
load_opts(&opts, argc, argv);
|
||
|
|
||
|
if (opts.debug)
|
||
|
otpdb_flags |= OTP_DB_VERBOSE;
|
||
|
|
||
|
/* not supported */
|
||
|
if (opts.use_first_pass || opts.try_first_pass)
|
||
|
xerr_warnx("use/try_first_pass not supported");
|
||
|
|
||
|
if (!(otpctx = otp_db_open(opts.otpdb_fname, otpdb_flags))) {
|
||
|
xerr_warnx("otp_db_open(%s): failed.", opts.otpdb_fname);
|
||
|
return PAM_SERVICE_ERR;
|
||
|
}
|
||
|
|
||
|
/* get the username */
|
||
|
if ((r = pam_get_user(ph, &user, (char*)0L)) != PAM_SUCCESS) {
|
||
|
xerr_warnx("pam_get_user(): %s", pam_strerror(ph, r));
|
||
|
return PAM_SERVICE_ERR;
|
||
|
}
|
||
|
|
||
|
/* username not set or null then give up */
|
||
|
if (!user || *user == '\0')
|
||
|
return PAM_USER_UNKNOWN;
|
||
|
|
||
|
if ((r = otp_user_exists(otpctx, (char*)user)) < 0) {
|
||
|
xerr_warnx("otp_user_exists(%s): failed.", user);
|
||
|
ret = PAM_SERVICE_ERR;
|
||
|
goto cleanup;
|
||
|
}
|
||
|
|
||
|
/*
|
||
|
* if user is not in database then possibly skip (return PAM_SUCCESS)
|
||
|
*
|
||
|
*/
|
||
|
if (r == 1) {
|
||
|
if (!opts.require_db_entry)
|
||
|
ret = PAM_SUCCESS;
|
||
|
else
|
||
|
ret = PAM_AUTH_ERR;
|
||
|
xerr_info("%s: user=%s not in OTP db", pam_strerror(ph, ret), user);
|
||
|
goto cleanup;
|
||
|
}
|
||
|
|
||
|
/* get otp user record */
|
||
|
if (otp_urec_open(otpctx, (char*)user, &ou, O_RDONLY, FFDB_OP_LOCK_EX) < 0) {
|
||
|
xerr_warnx("otp_urec_open(%s): failed.", user);
|
||
|
ret = PAM_SERVICE_ERR;
|
||
|
goto cleanup;
|
||
|
}
|
||
|
|
||
|
if (otp_urec_get(otpctx, &ou) < 0) {
|
||
|
xerr_warnx("otp_urec_open(%s): failed.", user);
|
||
|
ret = PAM_SERVICE_ERR;
|
||
|
goto cleanup;
|
||
|
}
|
||
|
|
||
|
if (otp_urec_close(otpctx, &ou) < 0) {
|
||
|
xerr_warnx("otp_urec_close(%s): failed.", user);
|
||
|
ret = PAM_SERVICE_ERR;
|
||
|
goto cleanup;
|
||
|
}
|
||
|
|
||
|
/*
|
||
|
* if the user is inactive then either return SUCCESS (allow otp to be
|
||
|
* disabled on a per user basis) or failure.
|
||
|
*
|
||
|
*/
|
||
|
if (ou.status == OTP_STATUS_INACTIVE) {
|
||
|
if (opts.allow_inactive)
|
||
|
ret = PAM_SUCCESS;
|
||
|
else
|
||
|
ret = PAM_AUTH_ERR;
|
||
|
xerr_info("%s: user=%s status=INACTIVE.", pam_strerror(ph, ret), user);
|
||
|
goto cleanup;
|
||
|
}
|
||
|
|
||
|
/* user can be locked out (disabled) */
|
||
|
if (ou.status == OTP_STATUS_DISABLED) {
|
||
|
ret = PAM_AUTH_ERR;
|
||
|
xerr_info("%s: user=%s status=DISABLED.", pam_strerror(ph, ret), user);
|
||
|
goto cleanup;
|
||
|
}
|
||
|
|
||
|
/* verify count not at ceiling */
|
||
|
if (ou.count >= ou.count_ceil) {
|
||
|
ret = PAM_AUTH_ERR;
|
||
|
xerr_info("%s: user=%s count>count_ceil.", pam_strerror(ph, ret), user);
|
||
|
goto cleanup;
|
||
|
}
|
||
|
|
||
|
/* get pointer to application supplied conversation function */
|
||
|
if (pam_get_item(ph, PAM_CONV, (const void**)&pam_conv) != PAM_SUCCESS) {
|
||
|
xerr_warnx("pam_get_item(PAM_CONV): failed.");
|
||
|
ret = PAM_SERVICE_ERR;
|
||
|
goto cleanup;
|
||
|
}
|
||
|
|
||
|
/* challenge prompt, echo on for reply */
|
||
|
pam_msg.msg_style = PAM_PROMPT_ECHO_ON;
|
||
|
pam_msg.msg = (char *)&message;
|
||
|
|
||
|
/* prompt for challenge with optional count */
|
||
|
if (opts.display_count || (ou.flags & OTP_USER_FLAGS_DSPCNT))
|
||
|
sprintf(message, "HOTP Challenge (%" PRIu64 "): ", ou.count);
|
||
|
else
|
||
|
sprintf(message, "HOTP Challenge: ");
|
||
|
|
||
|
/* use application conversation function to ask for challenge */
|
||
|
if (pam_conv->conv(1, &ppam_msg, &pam_resp, pam_conv->appdata_ptr)
|
||
|
!= PAM_SUCCESS) {
|
||
|
if (pam_resp) {
|
||
|
_pam_overwrite(pam_resp->resp);
|
||
|
_pam_drop(pam_resp->resp);
|
||
|
}
|
||
|
xerr_warnx("conv(message): failed.");
|
||
|
ret = PAM_SERVICE_ERR;
|
||
|
goto cleanup;
|
||
|
}
|
||
|
|
||
|
if (!pam_resp) {
|
||
|
xerr_warnx("pam_resp is null");
|
||
|
ret = PAM_SERVICE_ERR;
|
||
|
goto cleanup;
|
||
|
}
|
||
|
|
||
|
if (opts.expose_account)
|
||
|
xerr_info("OTP: user=%s response=%s", user, pam_resp->resp);
|
||
|
|
||
|
if ((r = otp_user_auth(otpctx, (char*)user, pam_resp->resp,
|
||
|
OTP_HOTP_WINDOW)) < 0) {
|
||
|
xerr_warnx("otp_user_auth(): failed.");
|
||
|
ret = PAM_SERVICE_ERR;
|
||
|
goto cleanup;
|
||
|
}
|
||
|
|
||
|
/* free return value from pam_conv->conv */
|
||
|
_pam_overwrite(pam_resp->resp);
|
||
|
_pam_drop(pam_resp);
|
||
|
|
||
|
if (r == OTP_AUTH_PASS)
|
||
|
ret = PAM_SUCCESS;
|
||
|
else
|
||
|
ret = PAM_AUTH_ERR;
|
||
|
|
||
|
|
||
|
cleanup:
|
||
|
|
||
|
if (otp_db_close(otpctx) < 0) {
|
||
|
xerr_warnx("otp_db_close(): failed.");
|
||
|
ret = PAM_SERVICE_ERR;
|
||
|
}
|
||
|
|
||
|
if (opts.debug) {
|
||
|
|
||
|
if (ret == PAM_SUCCESS)
|
||
|
xerr_info("OTP: ret=PAM_SUCCESS");
|
||
|
else if (ret == PAM_AUTH_ERR)
|
||
|
xerr_info("OTP: ret=PAM_AUTH_ERR");
|
||
|
else if (ret == PAM_SERVICE_ERR)
|
||
|
xerr_info("OTP: ret=PAM_SERVICE_ERR");
|
||
|
else
|
||
|
xerr_info("OTP: ret=%d", ret);
|
||
|
|
||
|
} /* opts.debug */
|
||
|
|
||
|
return ret;
|
||
|
|
||
|
}
|
||
|
|
||
|
PAM_EXTERN
|
||
|
int pam_sm_setcred(pam_handle_t *ph,int flags,int argc
|
||
|
,const char **argv)
|
||
|
{ return PAM_SUCCESS; }
|
||
|
|
||
|
PAM_EXTERN
|
||
|
int pam_sm_acct_mgmt(pam_handle_t *ph,int flags,int argc
|
||
|
,const char **argv)
|
||
|
{ return PAM_ACCT_EXPIRED; }
|
||
|
|
||
|
PAM_EXTERN
|
||
|
int pam_sm_chauthtok(pam_handle_t *ph,int flags,int argc
|
||
|
,const char **argv)
|
||
|
{ return PAM_AUTHTOK_ERR; }
|
||
|
|
||
|
PAM_EXTERN
|
||
|
int pam_sm_open_session(pam_handle_t *ph,int flags,int argc
|
||
|
,const char **argv)
|
||
|
{ return PAM_SYSTEM_ERR; }
|
||
|
|
||
|
PAM_EXTERN
|
||
|
int pam_sm_close_session(pam_handle_t *ph,int flags,int argc
|
||
|
,const char **argv)
|
||
|
{ return PAM_SYSTEM_ERR; }
|
||
|
|
||
|
|
||
|
#ifdef PAM_STATIC
|
||
|
|
||
|
/* static module data */
|
||
|
|
||
|
struct pam_module _pam_test_modstruct = {
|
||
|
"pam_test",
|
||
|
pam_sm_authenticate,
|
||
|
pam_sm_setcred,
|
||
|
pam_sm_acct_mgmt,
|
||
|
pam_sm_open_session,
|
||
|
pam_sm_close_session,
|
||
|
pam_sm_chauthtok
|
||
|
};
|
||
|
|
||
|
#endif
|
||
|
|
||
|
int load_opts(struct opts *opts, int argc, const char **argv)
|
||
|
{
|
||
|
int ret = 0;
|
||
|
|
||
|
bzero(opts, sizeof *opts);
|
||
|
opts->otpdb_fname = OTP_DB_FNAME;
|
||
|
|
||
|
/* foreach argument */
|
||
|
while (argc--) {
|
||
|
|
||
|
if (!strcmp(*argv, "debug")) {
|
||
|
opts->debug = 1;
|
||
|
} else if (!strcmp(*argv, "use_first_pass")) {
|
||
|
opts->use_first_pass = 1;
|
||
|
} else if (!strcmp(*argv, "try_first_pass")) {
|
||
|
opts->use_first_pass = 1;
|
||
|
} else if (!strcmp(*argv, "expose_account")) {
|
||
|
opts->expose_account = 1;
|
||
|
} else if (!strcmp(*argv, "display_count")) {
|
||
|
opts->display_count = 1;
|
||
|
} else if (!strcmp(*argv, "allow_inactive")) {
|
||
|
opts->allow_inactive = 1;
|
||
|
} else if (!strcmp(*argv, "require_db_entry")) {
|
||
|
opts->require_db_entry = 1;
|
||
|
} else if (!strncmp(*argv, "otpdb=", 6)) {
|
||
|
opts->otpdb_fname=(char*)(*argv)+6;
|
||
|
} else {
|
||
|
xerr_warnx("Unrecognized argument - %s", argv);
|
||
|
ret = -1;
|
||
|
}
|
||
|
|
||
|
++argv;
|
||
|
}
|
||
|
|
||
|
if (opts->debug) {
|
||
|
xerr_info("use_first_pass=%d, try_first_pass=%d, expose_account=%d, display_count=%d, allow_inactive=%d, require_db_entry=%d, otpdb=%s",
|
||
|
opts->use_first_pass, opts->use_first_pass, opts->expose_account,
|
||
|
opts->display_count, opts->allow_inactive, opts->require_db_entry,
|
||
|
opts->otpdb_fname);
|
||
|
}
|
||
|
|
||
|
return ret;
|
||
|
|
||
|
} /* load_opts */
|