1 /*
2 * CDDL HEADER START
3 *
4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License, Version 1.0 only
6 * (the "License"). You may not use this file except in compliance
7 * with the License.
8 *
9 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
10 * or http://www.opensolaris.org/os/licensing.
11 * See the License for the specific language governing permissions
12 * and limitations under the License.
13 *
14 * When distributing Covered Code, include this CDDL HEADER in each
15 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
16 * If applicable, add the following below this CDDL HEADER, with the
17 * fields enclosed by brackets "[]" replaced with your own identifying
18 * information: Portions Copyright [yyyy] [name of copyright owner]
19 *
20 * CDDL HEADER END
21 */
22 /*
23 * Copyright 2004 Sun Microsystems, Inc. All rights reserved.
24 * Use is subject to license terms.
25 */
26
27 #pragma ident "%Z%%M% %I% %E% SMI"
28
29 #include <sys/param.h>
30 #include <security/pam_appl.h>
31 #include <security/pam_modules.h>
32 #include <pwd.h>
33 #include <shadow.h>
34 #include <string.h>
35 #include <rpc/types.h>
36 #include <rpc/auth.h>
37 #include <locale.h>
38 #include <crypt.h>
39 #include <syslog.h>
40
41 extern int ruserok(const char *, int, const char *, const char *);
42
43 /*
44 * pam_sm_authenticate - Checks if the user is allowed remote access
45 */
46 /*ARGSUSED*/
47 int
pam_sm_authenticate(pam_handle_t * pamh,int flags,int argc,const char ** argv)48 pam_sm_authenticate(
49 pam_handle_t *pamh,
50 int flags,
51 int argc,
52 const char **argv)
53 {
54 char *host = NULL, *lusername = NULL;
55 struct passwd pwd;
56 char pwd_buffer[1024];
57 int is_superuser;
58 char *rusername;
59 int i;
60 int debug = 0;
61
62 for (i = 0; i < argc; i++) {
63 if (strcasecmp(argv[i], "debug") == 0)
64 debug = 1;
65 else
66 syslog(LOG_DEBUG, "illegal option %s", argv[i]);
67 }
68
69 if (pam_get_item(pamh, PAM_USER, (void **) &lusername) != PAM_SUCCESS)
70 return (PAM_SERVICE_ERR);
71 if (pam_get_item(pamh, PAM_RHOST, (void **) &host) != PAM_SUCCESS)
72 return (PAM_SERVICE_ERR);
73 if (pam_get_item(pamh, PAM_RUSER, (void **)&rusername) != PAM_SUCCESS)
74 return (PAM_SERVICE_ERR);
75
76 if (lusername == NULL || *lusername == '\0')
77 return (PAM_USER_UNKNOWN);
78 if (rusername == NULL || *rusername == '\0')
79 return (PAM_AUTH_ERR);
80 if (host == NULL || *host == '\0')
81 return (PAM_AUTH_ERR);
82
83 if (debug) {
84 syslog(LOG_DEBUG,
85 "rhosts authenticate: user = %s, host = %s",
86 lusername, host);
87 }
88
89 if (getpwnam_r(lusername, &pwd, pwd_buffer, sizeof (pwd_buffer))
90 == NULL)
91 return (PAM_USER_UNKNOWN);
92
93 if (pwd.pw_uid == 0)
94 is_superuser = 1;
95 else
96 is_superuser = 0;
97
98 return (ruserok(host, is_superuser, rusername, lusername)
99 == -1 ? PAM_AUTH_ERR : PAM_SUCCESS);
100
101 }
102
103 /*
104 * dummy pam_sm_setcred - does nothing
105 */
106 /*ARGSUSED*/
107 int
pam_sm_setcred(pam_handle_t * pamh,int flags,int argc,const char ** argv)108 pam_sm_setcred(
109 pam_handle_t *pamh,
110 int flags,
111 int argc,
112 const char **argv)
113 {
114 return (PAM_IGNORE);
115 }
116