1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 /* 22 * Copyright 2009 Sun Microsystems, Inc. All rights reserved. 23 * Use is subject to license terms. 24 */ 25 26 #ifndef _PAM_IMPL_H 27 #define _PAM_IMPL_H 28 29 #ifdef __cplusplus 30 extern "C" { 31 #endif 32 33 #include <limits.h> 34 #include <shadow.h> 35 #include <sys/types.h> 36 37 #define PAMTXD "SUNW_OST_SYSOSPAM" 38 39 #define PAM_CONFIG "/etc/pam.conf" 40 #define PAM_ISA "/$ISA/" 41 #define PAM_LIB_DIR "/usr/lib/security/" 42 #ifdef _LP64 43 #define PAM_ISA_DIR "/64/" 44 #else /* !_LP64 */ 45 #define PAM_ISA_DIR "/" 46 #endif /* _LP64 */ 47 48 /* Service Module Types */ 49 50 /* 51 * If new service types are added, they should be named in 52 * pam_framework.c::pam_snames[] as well. 53 */ 54 55 #define PAM_ACCOUNT_NAME "account" 56 #define PAM_AUTH_NAME "auth" 57 #define PAM_PASSWORD_NAME "password" 58 #define PAM_SESSION_NAME "session" 59 60 #define PAM_ACCOUNT_MODULE 0 61 #define PAM_AUTH_MODULE 1 62 #define PAM_PASSWORD_MODULE 2 63 #define PAM_SESSION_MODULE 3 64 65 #define PAM_NUM_MODULE_TYPES 4 66 67 /* Control Flags */ 68 69 #define PAM_BINDING_NAME "binding" 70 #define PAM_INCLUDE_NAME "include" 71 #define PAM_OPTIONAL_NAME "optional" 72 #define PAM_REQUIRED_NAME "required" 73 #define PAM_REQUISITE_NAME "requisite" 74 #define PAM_SUFFICIENT_NAME "sufficient" 75 76 #define PAM_BINDING 0x01 77 #define PAM_INCLUDE 0x02 78 #define PAM_OPTIONAL 0x04 79 #define PAM_REQUIRED 0x08 80 #define PAM_REQUISITE 0x10 81 #define PAM_SUFFICIENT 0x20 82 83 #define PAM_REQRD_BIND (PAM_REQUIRED | PAM_BINDING) 84 #define PAM_SUFFI_BIND (PAM_SUFFICIENT | PAM_BINDING) 85 86 /* Function Indicators */ 87 88 #define PAM_AUTHENTICATE 1 89 #define PAM_SETCRED 2 90 #define PAM_ACCT_MGMT 3 91 #define PAM_OPEN_SESSION 4 92 #define PAM_CLOSE_SESSION 5 93 #define PAM_CHAUTHTOK 6 94 95 /* PAM tracing */ 96 97 #define PAM_DEBUG "/etc/pam_debug" 98 #define LOG_PRIORITY "log_priority=" 99 #define LOG_FACILITY "log_facility=" 100 #define DEBUG_FLAGS "debug_flags=" 101 #define PAM_DEBUG_NONE 0x0000 102 #define PAM_DEBUG_DEFAULT 0x0001 103 #define PAM_DEBUG_ITEM 0x0002 104 #define PAM_DEBUG_MODULE 0x0004 105 #define PAM_DEBUG_CONF 0x0008 106 #define PAM_DEBUG_DATA 0x0010 107 #define PAM_DEBUG_CONV 0x0020 108 #define PAM_DEBUG_AUTHTOK 0x8000 109 110 #define PAM_MAX_ITEMS 64 /* Max number of items */ 111 #define PAM_MAX_INCLUDE 32 /* Max include flag recursions */ 112 113 /* authentication module functions */ 114 #define PAM_SM_AUTHENTICATE "pam_sm_authenticate" 115 #define PAM_SM_SETCRED "pam_sm_setcred" 116 117 /* session module functions */ 118 #define PAM_SM_OPEN_SESSION "pam_sm_open_session" 119 #define PAM_SM_CLOSE_SESSION "pam_sm_close_session" 120 121 /* password module functions */ 122 #define PAM_SM_CHAUTHTOK "pam_sm_chauthtok" 123 124 /* account module functions */ 125 #define PAM_SM_ACCT_MGMT "pam_sm_acct_mgmt" 126 127 /* max # of authentication token attributes */ 128 #define PAM_MAX_NUM_ATTR 10 129 130 /* max size (in chars) of an authentication token attribute */ 131 #define PAM_MAX_ATTR_SIZE 80 132 133 /* utility function prototypes */ 134 135 /* source values when calling __pam_get_authtok() */ 136 #define PAM_PROMPT 1 /* prompt user for new password */ 137 #define PAM_HANDLE 2 /* get password from pam handle (item) */ 138 139 #if PASS_MAX >= PAM_MAX_RESP_SIZE 140 #error PASS_MAX > PAM_MAX_RESP_SIZE 141 #endif /* PASS_MAX >= PAM_MAX_RESP_SIZE */ 142 143 extern int 144 __pam_get_authtok(pam_handle_t *pamh, int source, int type, char *prompt, 145 char **authtok); 146 147 extern int 148 __pam_display_msg(pam_handle_t *pamh, int msg_style, int num_msg, 149 char messages[PAM_MAX_NUM_MSG][PAM_MAX_MSG_SIZE], void *conv_apdp); 150 151 extern void 152 __pam_log(int priority, const char *format, ...); 153 154 /* file handle for pam.conf */ 155 struct pam_fh { 156 int fconfig; /* file descriptor returned by open() */ 157 char line[256]; 158 size_t bufsize; /* size of the buffer which holds */ 159 /* the content of pam.conf */ 160 char *bufferp; /* used to process data */ 161 char *data; /* contents of pam.conf */ 162 }; 163 164 /* items that can be set/retrieved thru pam_[sg]et_item() */ 165 struct pam_item { 166 void *pi_addr; /* pointer to item */ 167 int pi_size; /* size of item */ 168 }; 169 170 /* module specific data stored in the pam handle */ 171 struct pam_module_data { 172 char *module_data_name; /* unique module data name */ 173 void *data; /* the module specific data */ 174 void (*cleanup)(pam_handle_t *pamh, void *data, int pam_status); 175 struct pam_module_data *next; /* pointer to next module data */ 176 }; 177 178 /* each entry from pam.conf is stored here (in the pam handle) */ 179 typedef struct pamtab { 180 char *pam_service; /* PAM service, e.g. login, rlogin */ 181 int pam_type; /* AUTH, ACCOUNT, PASSWORD, SESSION */ 182 int pam_flag; /* required, optional, sufficient */ 183 int pam_err; /* error if line overflow */ 184 char *module_path; /* module library */ 185 int module_argc; /* module specific options */ 186 char **module_argv; 187 void *function_ptr; /* pointer to struct holding function ptrs */ 188 struct pamtab *next; 189 } pamtab_t; 190 191 /* list of open fd's (modules that were dlopen'd) */ 192 typedef struct fd_list { 193 void *mh; /* module handle */ 194 struct fd_list *next; 195 } fd_list; 196 197 /* list of PAM environment varialbes */ 198 typedef struct env_list { 199 char *name; 200 char *value; 201 struct env_list *next; 202 } env_list; 203 204 /* pam_inmodule values for pam item checking */ 205 #define RW_OK 0 /* Read Write items OK */ 206 #define RO_OK 1 /* Read Only items OK */ 207 #define WO_OK 2 /* Write Only items/data OK */ 208 209 /* the pam handle */ 210 struct pam_handle { 211 struct pam_item ps_item[PAM_MAX_ITEMS]; /* array of PAM items */ 212 int include_depth; 213 int pam_inmodule; /* Protect restricted pam_get_item calls */ 214 char *pam_conf_name[PAM_MAX_INCLUDE+1]; 215 pamtab_t *pam_conf_info[PAM_MAX_INCLUDE+1][PAM_NUM_MODULE_TYPES]; 216 pamtab_t *pam_conf_modulep[PAM_MAX_INCLUDE+1]; 217 struct pam_module_data *ssd; /* module specific data */ 218 fd_list *fd; /* module fd's */ 219 env_list *pam_env; /* environment variables */ 220 }; 221 222 /* 223 * the function_ptr field in pamtab_t 224 * will point to one of these modules 225 */ 226 struct auth_module { 227 int (*pam_sm_authenticate)(pam_handle_t *pamh, int flags, int argc, 228 const char **argv); 229 int (*pam_sm_setcred)(pam_handle_t *pamh, int flags, int argc, 230 const char **argv); 231 }; 232 233 struct password_module { 234 int (*pam_sm_chauthtok)(pam_handle_t *pamh, int flags, int argc, 235 const char **argv); 236 }; 237 238 struct session_module { 239 int (*pam_sm_open_session)(pam_handle_t *pamh, int flags, int argc, 240 const char **argv); 241 int (*pam_sm_close_session)(pam_handle_t *pamh, int flags, int argc, 242 const char **argv); 243 }; 244 245 struct account_module { 246 int (*pam_sm_acct_mgmt)(pam_handle_t *pamh, int flags, int argc, 247 const char **argv); 248 }; 249 250 #ifdef __cplusplus 251 } 252 #endif 253 254 #endif /* _PAM_IMPL_H */ 255