ootp/otp-pam/pam_otp.c

367 lines
9.5 KiB
C

/*
* Copyright (c) 2005 Mark Fullmer
* Copyright (c) 2009 Mark Fullmer and the Ohio State University
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* $Id: pam_otp.c 13 2009-11-26 16:37:03Z maf $
*/
#include <stdio.h>
#include <syslog.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <sys/errno.h>
#include <unistd.h>
#include <fcntl.h>
#include <utmp.h>
#include "otplib.h"
#include "xerr.h"
#define PAM_SM_AUTH
#define PAM_SM_ACCOUNT
#define PAM_SM_SESSION
#define PAM_SM_PASSWORD
#ifndef __APPLE__
#include <security/pam_modules.h>
#include <security/pam_appl.h>
#else
#include <pam/pam_modules.h>
#include <pam/pam_appl.h>
#endif
#define _pam_drop(X) \
do { \
if (X) { \
free(X); \
X=NULL; \
} \
} while (0)
#define _pam_overwrite(x) \
do { \
register char *__xx__; \
if ((__xx__=(x))) \
while (*__xx__) \
*__xx__++ = '\0'; \
} while (0)
struct opts {
int debug;
int use_first_pass;
int try_first_pass;
int expose_account;
int display_count;
int allow_inactive;
int require_db_entry;
char *otpdb_fname;
};
int load_opts(struct opts *opts, int argc, const char **argv);
PAM_EXTERN
int pam_sm_authenticate(pam_handle_t *ph, int flags, int argc,
const char **argv)
{
struct pam_message pam_msg;
const struct pam_message *ppam_msg;
struct pam_conv *pam_conv;
struct pam_response *pam_resp;
struct otp_ctx *otpctx;
struct otp_user ou;
struct opts opts;
int r, ret, otpdb_flags;
const char *user;
char message[64];
ppam_msg = &pam_msg;
bzero(&pam_msg, sizeof (pam_msg));
pam_conv = 0L;
pam_resp = 0L;
ret = PAM_SERVICE_ERR;
otpdb_flags = 0;
xerr_setsyslog2(1); /* use syslog for output */
xerr_setid("pam_otp.so");
load_opts(&opts, argc, argv);
if (opts.debug)
otpdb_flags |= OTP_DB_VERBOSE;
/* not supported */
if (opts.use_first_pass || opts.try_first_pass)
xerr_warnx("use/try_first_pass not supported");
if (!(otpctx = otp_db_open(opts.otpdb_fname, otpdb_flags))) {
xerr_warnx("otp_db_open(%s): failed.", opts.otpdb_fname);
return PAM_SERVICE_ERR;
}
/* get the username */
if ((r = pam_get_user(ph, &user, (char*)0L)) != PAM_SUCCESS) {
xerr_warnx("pam_get_user(): %s", pam_strerror(ph, r));
return PAM_SERVICE_ERR;
}
/* username not set or null then give up */
if (!user || *user == '\0')
return PAM_USER_UNKNOWN;
if ((r = otp_user_exists(otpctx, (char*)user)) < 0) {
xerr_warnx("otp_user_exists(%s): failed.", user);
ret = PAM_SERVICE_ERR;
goto cleanup;
}
/*
* if user is not in database then possibly skip (return PAM_SUCCESS)
*
*/
if (r == 1) {
if (!opts.require_db_entry)
ret = PAM_SUCCESS;
else
ret = PAM_AUTH_ERR;
xerr_info("%s: user=%s not in OTP db", pam_strerror(ph, ret), user);
goto cleanup;
}
/* get otp user record */
if (otp_urec_open(otpctx, (char*)user, &ou, O_RDONLY, FFDB_OP_LOCK_EX) < 0) {
xerr_warnx("otp_urec_open(%s): failed.", user);
ret = PAM_SERVICE_ERR;
goto cleanup;
}
if (otp_urec_get(otpctx, &ou) < 0) {
xerr_warnx("otp_urec_open(%s): failed.", user);
ret = PAM_SERVICE_ERR;
goto cleanup;
}
if (otp_urec_close(otpctx, &ou) < 0) {
xerr_warnx("otp_urec_close(%s): failed.", user);
ret = PAM_SERVICE_ERR;
goto cleanup;
}
/*
* if the user is inactive then either return SUCCESS (allow otp to be
* disabled on a per user basis) or failure.
*
*/
if (ou.status == OTP_STATUS_INACTIVE) {
if (opts.allow_inactive)
ret = PAM_SUCCESS;
else
ret = PAM_AUTH_ERR;
xerr_info("%s: user=%s status=INACTIVE.", pam_strerror(ph, ret), user);
goto cleanup;
}
/* user can be locked out (disabled) */
if (ou.status == OTP_STATUS_DISABLED) {
ret = PAM_AUTH_ERR;
xerr_info("%s: user=%s status=DISABLED.", pam_strerror(ph, ret), user);
goto cleanup;
}
/* verify count not at ceiling */
if (ou.count >= ou.count_ceil) {
ret = PAM_AUTH_ERR;
xerr_info("%s: user=%s count>count_ceil.", pam_strerror(ph, ret), user);
goto cleanup;
}
/* get pointer to application supplied conversation function */
if (pam_get_item(ph, PAM_CONV, (const void**)&pam_conv) != PAM_SUCCESS) {
xerr_warnx("pam_get_item(PAM_CONV): failed.");
ret = PAM_SERVICE_ERR;
goto cleanup;
}
/* challenge prompt, echo on for reply */
pam_msg.msg_style = PAM_PROMPT_ECHO_ON;
pam_msg.msg = (char *)&message;
/* prompt for challenge with optional count */
if (opts.display_count || (ou.flags & OTP_USER_FLAGS_DSPCNT))
sprintf(message, "HOTP Challenge (%" PRIu64 "): ", ou.count);
else
sprintf(message, "HOTP Challenge: ");
/* use application conversation function to ask for challenge */
if (pam_conv->conv(1, &ppam_msg, &pam_resp, pam_conv->appdata_ptr)
!= PAM_SUCCESS) {
if (pam_resp) {
_pam_overwrite(pam_resp->resp);
_pam_drop(pam_resp->resp);
}
xerr_warnx("conv(message): failed.");
ret = PAM_SERVICE_ERR;
goto cleanup;
}
if (!pam_resp) {
xerr_warnx("pam_resp is null");
ret = PAM_SERVICE_ERR;
goto cleanup;
}
if (opts.expose_account)
xerr_info("OTP: user=%s response=%s", user, pam_resp->resp);
if ((r = otp_user_auth(otpctx, (char*)user, pam_resp->resp,
OTP_HOTP_WINDOW)) < 0) {
xerr_warnx("otp_user_auth(): failed.");
ret = PAM_SERVICE_ERR;
goto cleanup;
}
/* free return value from pam_conv->conv */
_pam_overwrite(pam_resp->resp);
_pam_drop(pam_resp);
if (r == OTP_AUTH_PASS)
ret = PAM_SUCCESS;
else
ret = PAM_AUTH_ERR;
cleanup:
if (otp_db_close(otpctx) < 0) {
xerr_warnx("otp_db_close(): failed.");
ret = PAM_SERVICE_ERR;
}
if (opts.debug) {
if (ret == PAM_SUCCESS)
xerr_info("OTP: ret=PAM_SUCCESS");
else if (ret == PAM_AUTH_ERR)
xerr_info("OTP: ret=PAM_AUTH_ERR");
else if (ret == PAM_SERVICE_ERR)
xerr_info("OTP: ret=PAM_SERVICE_ERR");
else
xerr_info("OTP: ret=%d", ret);
} /* opts.debug */
return ret;
}
PAM_EXTERN
int pam_sm_setcred(pam_handle_t *ph,int flags,int argc
,const char **argv)
{ return PAM_SUCCESS; }
PAM_EXTERN
int pam_sm_acct_mgmt(pam_handle_t *ph,int flags,int argc
,const char **argv)
{ return PAM_ACCT_EXPIRED; }
PAM_EXTERN
int pam_sm_chauthtok(pam_handle_t *ph,int flags,int argc
,const char **argv)
{ return PAM_AUTHTOK_ERR; }
PAM_EXTERN
int pam_sm_open_session(pam_handle_t *ph,int flags,int argc
,const char **argv)
{ return PAM_SYSTEM_ERR; }
PAM_EXTERN
int pam_sm_close_session(pam_handle_t *ph,int flags,int argc
,const char **argv)
{ return PAM_SYSTEM_ERR; }
#ifdef PAM_STATIC
/* static module data */
struct pam_module _pam_test_modstruct = {
"pam_test",
pam_sm_authenticate,
pam_sm_setcred,
pam_sm_acct_mgmt,
pam_sm_open_session,
pam_sm_close_session,
pam_sm_chauthtok
};
#endif
int load_opts(struct opts *opts, int argc, const char **argv)
{
int ret = 0;
bzero(opts, sizeof *opts);
opts->otpdb_fname = OTP_DB_FNAME;
/* foreach argument */
while (argc--) {
if (!strcmp(*argv, "debug")) {
opts->debug = 1;
} else if (!strcmp(*argv, "use_first_pass")) {
opts->use_first_pass = 1;
} else if (!strcmp(*argv, "try_first_pass")) {
opts->use_first_pass = 1;
} else if (!strcmp(*argv, "expose_account")) {
opts->expose_account = 1;
} else if (!strcmp(*argv, "display_count")) {
opts->display_count = 1;
} else if (!strcmp(*argv, "allow_inactive")) {
opts->allow_inactive = 1;
} else if (!strcmp(*argv, "require_db_entry")) {
opts->require_db_entry = 1;
} else if (!strncmp(*argv, "otpdb=", 6)) {
opts->otpdb_fname=(char*)(*argv)+6;
} else {
xerr_warnx("Unrecognized argument - %s", argv);
ret = -1;
}
++argv;
}
if (opts->debug) {
xerr_info("use_first_pass=%d, try_first_pass=%d, expose_account=%d, display_count=%d, allow_inactive=%d, require_db_entry=%d, otpdb=%s",
opts->use_first_pass, opts->use_first_pass, opts->expose_account,
opts->display_count, opts->allow_inactive, opts->require_db_entry,
opts->otpdb_fname);
}
return ret;
} /* load_opts */