Attachment #5308 for bug #12776

View | Details | Raw Unified | Return to bug 12776
Collapse All | Expand All

Line 24 Link Here

(-)rlogind/Makefile (+7 lines)
	24	.if defined(NOPAM)
	25	CFLAGS+= -DNO_PAM
	26	.else
	27	DPADD+= ${LIBPAM}
	28	LDADD+= ${MINUSLPAM}
	29	.endif
	30




#ifndef NO_PAM
#include <security/pam_appl.h>
#include <security/pam_misc.h>
#endif


#ifndef NO_PAM
static int auth_pam __P((char *));
#endif


#ifndef NO_PAM
/*
 * Attempt to authenticate the user using PAM.  Returns 0 if the user is
 * authenticated, or 1 if not authenticated.  If some sort of PAM system
 * error occurs (e.g., the "/etc/pam.conf" file is missing) then this
 * function returns -1.  This can be used as an indication that we should
 * fall back to a different authentication mechanism.
 */
static int
auth_pam(char *username)
{
        struct passwd *pawd;
        pam_handle_t *pamh = NULL;
        const char *tmpl_user;  
        const void *item;
        int rval;
        char *tty, *ttyn;
        char hostname[MAXHOSTNAMELEN];
        char tname[sizeof(_PATH_TTY) + 10];
        int e;

        static struct pam_conv conv = { misc_conv, NULL };

        ttyn = ttyname(STDIN_FILENO);

        if (ttyn == NULL || *ttyn == '\0') {
                (void)snprintf(tname, sizeof(tname), "%s??", _PATH_TTY);
                ttyn = tname;
        }
        if ((tty = strrchr(ttyn, '/')) != NULL)
                ++tty;
        else
                tty = ttyn;

        rval = gethostname(hostname, sizeof(hostname));

        if (rval < 0) {
                syslog(LOG_ERR, "auth_pam: Failed to resolve local hostname");
                return -1;
        }
        if ((e = pam_start("rshd", username, &conv, &pamh)) != PAM_SUCCESS) {
                syslog(LOG_ERR, "pam_start: %s", pam_strerror(pamh, e));
                return -1;
        }
        if ((e = pam_set_item(pamh, PAM_TTY, tty)) != PAM_SUCCESS) {
                syslog(LOG_ERR, "pam_set_item(PAM_TTY): %s",
                    pam_strerror(pamh, e));
                return -1;
        }
        if (hostname != NULL &&
            (e = pam_set_item(pamh, PAM_RHOST, hostname)) != PAM_SUCCESS) {
                syslog(LOG_ERR, "pam_set_item(PAM_RHOST): %s",
                    pam_strerror(pamh, e));
                return -1;
        }

        e = pam_authenticate(pamh, 0);

        switch (e) {
        case PAM_SUCCESS:
                /*
                 * With PAM we support the concept of a "template"
                 * user.  The user enters a login name which is
                 * authenticated by PAM, usually via a remote service
                 * such as RADIUS or TACACS+.  If authentication
                 * succeeds, a different but related "template" name
                 * is used for setting the credentials, shell, and
                 * home directory.  The name the user enters need only
                 * exist on the remote authentication server, but the
                 * template name must be present in the local password
                 * database.
                 *
                 * This is supported by two various mechanisms in the
                 * individual modules.  However, from the application's
                 * point of view, the template user is always passed
                 * back as a changed value of the PAM_USER item.
                 */
                if ((e = pam_get_item(pamh, PAM_USER, &item)) ==
                    PAM_SUCCESS) {
                        tmpl_user = (const char *) item;
                        if (strcmp(username, tmpl_user) != 0)
                                pawd = getpwnam(tmpl_user);
                } else
                        syslog(LOG_ERR, "Couldn't get PAM_USER: %s", pam_strerror(pamh, e));
                rval = 0;
                break;

        case PAM_AUTH_ERR:
        case PAM_USER_UNKNOWN:
        case PAM_MAXTRIES:
                rval = 1;
                break;

        default:
                syslog(LOG_ERR, "auth_pam: %s", pam_strerror(pamh, e));
                rval = -1;
                break;
        }
        if ((e = pam_end(pamh, e)) != PAM_SUCCESS) {
                syslog(LOG_ERR, "pam_end: %s", pam_strerror(pamh, e));
                rval = -1;
        }
        return rval;
}
#endif 





        int retval;


#ifndef  NO_PAM
         retval = auth_pam(lusername);
 
         if (retval < 0) {
                 syslog(LOG_ERR,"PAM authentication failed");
         }
         else if (retval == 1) {
                 syslog(LOG_ERR,"User %s failed PAM authentication",lusername);
                 exit(1);
         }  
#endif


Line 20 Link Here

(-)rshd/Makefile (+7 lines)
	20	.if defined(NOPAM)
	21	CFLAGS+= -DNO_PAM
	22	.else
	23	DPADD+= ${LIBPAM}
	24	LDADD+= ${MINUSLPAM}
	25	.endif
	26




#ifndef NO_PAM
#include <security/pam_appl.h>
#include <security/pam_misc.h>
#endif


#ifndef NO_PAM
static int auth_pam __P((char *));
#endif


#ifndef NO_PAM
/*              
 * Attempt to authenticate the user using PAM.  Returns 0 if the user is
 * authenticated, or 1 if not authenticated.  If some sort of PAM system
 * error occurs (e.g., the "/etc/pam.conf" file is missing) then this
 * function returns -1.  This can be used as an indication that we should
 * fall back to a different authentication mechanism.
 */
static int       
auth_pam(char *username)       
{
        struct passwd *pawd;
        pam_handle_t *pamh = NULL;
        const char *tmpl_user;
        const void *item;
        int rval;
        char *tty, *ttyn;
        char hostname[MAXHOSTNAMELEN];
        char tname[sizeof(_PATH_TTY) + 10];
        int e;

        static struct pam_conv conv = { misc_conv, NULL };

        ttyn = ttyname(STDIN_FILENO);

        if (ttyn == NULL || *ttyn == '\0') {
                (void)snprintf(tname, sizeof(tname), "%s??", _PATH_TTY);
                ttyn = tname;
        }
        if ((tty = strrchr(ttyn, '/')) != NULL)
                ++tty;  
        else
                tty = ttyn;

        rval = gethostname(hostname, sizeof(hostname));

        if (rval < 0) { 
                syslog(LOG_ERR, "auth_pam: Failed to resolve local hostname");
                return -1;
        } 
        if ((e = pam_start("rshd", username, &conv, &pamh)) != PAM_SUCCESS) {
                syslog(LOG_ERR, "pam_start: %s", pam_strerror(pamh, e));
                return -1;
        }       
        if ((e = pam_set_item(pamh, PAM_TTY, tty)) != PAM_SUCCESS) {
                syslog(LOG_ERR, "pam_set_item(PAM_TTY): %s",
                    pam_strerror(pamh, e));
                return -1;
        }       
        if (hostname != NULL && 
            (e = pam_set_item(pamh, PAM_RHOST, hostname)) != PAM_SUCCESS) {
                syslog(LOG_ERR, "pam_set_item(PAM_RHOST): %s",
                    pam_strerror(pamh, e));
                return -1; 
        }                       

        e = pam_authenticate(pamh, 0);


        switch (e) {            

        case PAM_SUCCESS:
                /*
                 * With PAM we support the concept of a "template"
                 * user.  The user enters a login name which is
                 * authenticated by PAM, usually via a remote service
                 * such as RADIUS or TACACS+.  If authentication
                 * succeeds, a different but related "template" name
                 * is used for setting the credentials, shell, and
                 * home directory.  The name the user enters need only
                 * exist on the remote authentication server, but the
                 * template name must be present in the local password
                 * database.
                 *
                 * This is supported by two various mechanisms in the
                 * individual modules.  However, from the application's
                 * point of view, the template user is always passed
                 * back as a changed value of the PAM_USER item.
                 */
                if ((e = pam_get_item(pamh, PAM_USER, &item)) ==
                    PAM_SUCCESS) {
                        tmpl_user = (const char *) item;
                        if (strcmp(username, tmpl_user) != 0)
                                pawd = getpwnam(tmpl_user);
                } else
                        syslog(LOG_ERR, "Couldn't get PAM_USER: %s", pam_strerror(pamh, e));
                rval = 0;
                break;

        case PAM_AUTH_ERR:
        case PAM_USER_UNKNOWN:
        case PAM_MAXTRIES:
                rval = 1;
                break;

        default:
                syslog(LOG_ERR, "auth_pam: %s", pam_strerror(pamh, e));
                rval = -1;
                break;
        }
        if ((e = pam_end(pamh, e)) != PAM_SUCCESS) {
                syslog(LOG_ERR, "pam_end: %s", pam_strerror(pamh, e));
                rval = -1;
        }
        return rval;
}
#endif 


        int retval;


#ifndef  NO_PAM
         retval = auth_pam(locuser);

         if (retval < 0) {
                 syslog(LOG_ERR,"PAM authentication failed");
         }
         else if (retval == 1) {
                 syslog(LOG_ERR,"User %s failed PAM authentication",locuser);
                 exit(1);
         }
#endif

Return to bug 12776

Line 83 Link Here

(-)rlogind/rlogind.c (+131 lines)
		83	#ifndef NO_PAM
		84	#include <security/pam_appl.h>
		85	#include <security/pam_misc.h>
		86	#endif
		87
Line 126 Link Here
		131	#ifndef NO_PAM
		132	static int auth_pam __P((char *));
		133	#endif
		134
Line 199 Link Here
		208	#ifndef NO_PAM
		209	/*
		210	* Attempt to authenticate the user using PAM. Returns 0 if the user is
		211	* authenticated, or 1 if not authenticated. If some sort of PAM system
		212	* error occurs (e.g., the "/etc/pam.conf" file is missing) then this
		213	* function returns -1. This can be used as an indication that we should
		214	* fall back to a different authentication mechanism.
		215	*/
		216	static int
		217	auth_pam(char *username)
		218	{
		219	struct passwd *pawd;
		220	pam_handle_t *pamh = NULL;
		221	const char *tmpl_user;
		222	const void *item;
		223	int rval;
		224	char tty, ttyn;
		225	char hostname[MAXHOSTNAMELEN];
		226	char tname[sizeof(_PATH_TTY) + 10];
		227	int e;
		228
		229	static struct pam_conv conv = { misc_conv, NULL };
		230
		231	ttyn = ttyname(STDIN_FILENO);
		232
		233	if (ttyn == NULL \|\| *ttyn == '\0') {
		234	(void)snprintf(tname, sizeof(tname), "%s??", _PATH_TTY);
		235	ttyn = tname;
		236	}
		237	if ((tty = strrchr(ttyn, '/')) != NULL)
		238	++tty;
		239	else
		240	tty = ttyn;
		241
		242	rval = gethostname(hostname, sizeof(hostname));
		243
		244	if (rval < 0) {
		245	syslog(LOG_ERR, "auth_pam: Failed to resolve local hostname");
		246	return -1;
		247	}
		248	if ((e = pam_start("rshd", username, &conv, &pamh)) != PAM_SUCCESS) {
		249	syslog(LOG_ERR, "pam_start: %s", pam_strerror(pamh, e));
		250	return -1;
		251	}
		252	if ((e = pam_set_item(pamh, PAM_TTY, tty)) != PAM_SUCCESS) {
		253	syslog(LOG_ERR, "pam_set_item(PAM_TTY): %s",
		254	pam_strerror(pamh, e));
		255	return -1;
		256	}
		257	if (hostname != NULL &&
		258	(e = pam_set_item(pamh, PAM_RHOST, hostname)) != PAM_SUCCESS) {
		259	syslog(LOG_ERR, "pam_set_item(PAM_RHOST): %s",
		260	pam_strerror(pamh, e));
		261	return -1;
		262	}
		263
		264	e = pam_authenticate(pamh, 0);
		265
		266	switch (e) {
		267	case PAM_SUCCESS:
		268	/*
		269	* With PAM we support the concept of a "template"
		270	* user. The user enters a login name which is
		271	* authenticated by PAM, usually via a remote service
272	* such as RADIUS or TACACS+. If authentication
273	* succeeds, a different but related "template" name
274	* is used for setting the credentials, shell, and
275	* home directory. The name the user enters need only
276	* exist on the remote authentication server, but the
277	* template name must be present in the local password
278	* database.
279	*
280	* This is supported by two various mechanisms in the
281	* individual modules. However, from the application's
282	* point of view, the template user is always passed
283	* back as a changed value of the PAM_USER item.
284	*/
285	if ((e = pam_get_item(pamh, PAM_USER, &item)) ==
286	PAM_SUCCESS) {
287	tmpl_user = (const char *) item;
288	if (strcmp(username, tmpl_user) != 0)
289	pawd = getpwnam(tmpl_user);
290	} else
291	syslog(LOG_ERR, "Couldn't get PAM_USER: %s", pam_strerror(pamh, e));
292	rval = 0;
293	break;
294
295	case PAM_AUTH_ERR:
296	case PAM_USER_UNKNOWN:
297	case PAM_MAXTRIES:
298	rval = 1;
299	break;
300
301	default:
302	syslog(LOG_ERR, "auth_pam: %s", pam_strerror(pamh, e));
303	rval = -1;
304	break;
305	}
306	if ((e = pam_end(pamh, e)) != PAM_SUCCESS) {
307	syslog(LOG_ERR, "pam_end: %s", pam_strerror(pamh, e));
308	rval = -1;
309	}
310	return rval;
311	}
312	#endif
313
Line 279 Link Here
		394
		395
Line 589 Link Here
		706	int retval;
Line 597 Link Here
		715
		716	#ifndef NO_PAM
		717	retval = auth_pam(lusername);
		718
		719	if (retval < 0) {
		720	syslog(LOG_ERR,"PAM authentication failed");
		721	}
		722	else if (retval == 1) {
		723	syslog(LOG_ERR,"User %s failed PAM authentication",lusername);
		724	exit(1);
		725	}
		726	#endif
		727

Line 83 Link Here

(-)rshd/rshd.c (+130 lines)
		83	#ifndef NO_PAM
		84	#include <security/pam_appl.h>
		85	#include <security/pam_misc.h>
		86	#endif
		87
Line 95 Link Here
		100	#ifndef NO_PAM
		101	static int auth_pam __P((char *));
		102	#endif
		103
Line 198 Link Here
		207	#ifndef NO_PAM
		208	/*
		209	* Attempt to authenticate the user using PAM. Returns 0 if the user is
		210	* authenticated, or 1 if not authenticated. If some sort of PAM system
		211	* error occurs (e.g., the "/etc/pam.conf" file is missing) then this
		212	* function returns -1. This can be used as an indication that we should
		213	* fall back to a different authentication mechanism.
		214	*/
		215	static int
		216	auth_pam(char *username)
		217	{
		218	struct passwd *pawd;
		219	pam_handle_t *pamh = NULL;
		220	const char *tmpl_user;
		221	const void *item;
		222	int rval;
		223	char tty, ttyn;
		224	char hostname[MAXHOSTNAMELEN];
		225	char tname[sizeof(_PATH_TTY) + 10];
		226	int e;
		227
		228	static struct pam_conv conv = { misc_conv, NULL };
		229
		230	ttyn = ttyname(STDIN_FILENO);
		231
		232	if (ttyn == NULL \|\| *ttyn == '\0') {
		233	(void)snprintf(tname, sizeof(tname), "%s??", _PATH_TTY);
		234	ttyn = tname;
		235	}
		236	if ((tty = strrchr(ttyn, '/')) != NULL)
		237	++tty;
		238	else
		239	tty = ttyn;
		240
		241	rval = gethostname(hostname, sizeof(hostname));
		242
		243	if (rval < 0) {
		244	syslog(LOG_ERR, "auth_pam: Failed to resolve local hostname");
		245	return -1;
		246	}
		247	if ((e = pam_start("rshd", username, &conv, &pamh)) != PAM_SUCCESS) {
		248	syslog(LOG_ERR, "pam_start: %s", pam_strerror(pamh, e));
		249	return -1;
		250	}
		251	if ((e = pam_set_item(pamh, PAM_TTY, tty)) != PAM_SUCCESS) {
		252	syslog(LOG_ERR, "pam_set_item(PAM_TTY): %s",
		253	pam_strerror(pamh, e));
		254	return -1;
		255	}
		256	if (hostname != NULL &&
		257	(e = pam_set_item(pamh, PAM_RHOST, hostname)) != PAM_SUCCESS) {
		258	syslog(LOG_ERR, "pam_set_item(PAM_RHOST): %s",
		259	pam_strerror(pamh, e));
		260	return -1;
		261	}
		262
		263	e = pam_authenticate(pamh, 0);
		264
		265
		266	switch (e) {
		267
		268	case PAM_SUCCESS:
		269	/*
		270	* With PAM we support the concept of a "template"
271	* user. The user enters a login name which is
272	* authenticated by PAM, usually via a remote service
273	* such as RADIUS or TACACS+. If authentication
274	* succeeds, a different but related "template" name
275	* is used for setting the credentials, shell, and
276	* home directory. The name the user enters need only
277	* exist on the remote authentication server, but the
278	* template name must be present in the local password
279	* database.
280	*
281	* This is supported by two various mechanisms in the
282	* individual modules. However, from the application's
283	* point of view, the template user is always passed
284	* back as a changed value of the PAM_USER item.
285	*/
286	if ((e = pam_get_item(pamh, PAM_USER, &item)) ==
287	PAM_SUCCESS) {
288	tmpl_user = (const char *) item;
289	if (strcmp(username, tmpl_user) != 0)
290	pawd = getpwnam(tmpl_user);
291	} else
292	syslog(LOG_ERR, "Couldn't get PAM_USER: %s", pam_strerror(pamh, e));
293	rval = 0;
294	break;
295
296	case PAM_AUTH_ERR:
297	case PAM_USER_UNKNOWN:
298	case PAM_MAXTRIES:
299	rval = 1;
300	break;
301
302	default:
303	syslog(LOG_ERR, "auth_pam: %s", pam_strerror(pamh, e));
304	rval = -1;
305	break;
306	}
307	if ((e = pam_end(pamh, e)) != PAM_SUCCESS) {
308	syslog(LOG_ERR, "pam_end: %s", pam_strerror(pamh, e));
309	rval = -1;
310	}
311	return rval;
312	}
313	#endif
314
Line 216 Link Here
		333	int retval;
Line 429 Link Here
		547
		548	#ifndef NO_PAM
		549	retval = auth_pam(locuser);
		550
		551	if (retval < 0) {
		552	syslog(LOG_ERR,"PAM authentication failed");
		553	}
		554	else if (retval == 1) {
		555	syslog(LOG_ERR,"User %s failed PAM authentication",locuser);
		556	exit(1);
		557	}
		558	#endif