/*-
 * SPDX-License-Identifier: BSD-3-Clause
 *
 * Copyright (c) 2003 Networks Associates Technology, Inc.
 * All rights reserved.
 *
 * Portions of this software were developed for the FreeBSD Project by
 * ThinkSec AS and NAI Labs, the Security Research Division of Network
 * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035
 * ("CBOSS"), as part of the DARPA CHATS research program.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 * 3. The name of the author may not be used to endorse or promote
 *    products derived from this software without specific prior written
 *    permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
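 */

#include <sys/cdefs.h>
__FBSDID("$FreeBSD$");

#include <string.h>

#define PAM_SM_AUTH

#include <security/pam_appl.h>
#include <security/pam_modules.h>
#include <security/openpam.h>

/* Guest account names accepted when the module has no "guests" option. */
#define DEFAULT_GUESTS "guest"

/*
 * Return 1 if str is exactly one of the comma-separated names in list,
 * 0 otherwise.
 *
 * Empty elements (leading, trailing or doubled commas) are skipped and
 * never match.  Without that guard an empty str would be accepted by a
 * list such as "guest," or ",", since the empty trailing element has
 * the same (zero) length as str and strncmp() of zero bytes succeeds.
 */
static int
lookup(const char *str, const char *list)
{
	const char *next;
	size_t len;

	len = strlen(str);
	while (*list != '\0') {
		/* skip empty elements */
		while (*list == ',')
			++list;
		if (*list == '\0')
			break;
		if ((next = strchr(list, ',')) == NULL)
			next = strchr(list, '\0');
		/* whole-element match only: "guest" must not match "guests" */
		if ((size_t)(next - list) == len &&
		    strncmp(list, str, len) == 0)
			return (1);
		list = next;
	}
	return (0);
}

/*
 * Authenticate a guest login.
 *
 * The target account (PAM_USER) must appear in the "guests" option list
 * (default: DEFAULT_GUESTS).  Unless "nopass" is set, a password is always
 * requested, even for accounts that are not on the list, so that the
 * presence or absence of the prompt does not reveal which names are
 * guests.  With "pass_is_user" the password must equal the account name;
 * with "pass_as_ruser" the password is stored as PAM_RUSER so the
 * application can record who the guest claims to be.  That value is
 * attacker-chosen and unverified; consumers must not trust it.
 *
 * Returns PAM_SUCCESS for a listed guest, PAM_AUTH_ERR otherwise, the
 * error from pam_get_authtok() if no password could be obtained, or
 * PAM_SERVICE_ERR if PAM_RUSER could not be stored.
 */
PAM_EXTERN int
pam_sm_authenticate(pam_handle_t *pamh, int flags __unused,
    int argc __unused, const char *argv[] __unused)
{
	const char *authtok, *guests, *user;
	int err, is_guest;

	/* get target account */
	if (pam_get_user(pamh, &user, NULL) != PAM_SUCCESS || user == NULL)
		return (PAM_AUTH_ERR);

	/* get list of guest logins */
	if ((guests = openpam_get_option(pamh, "guests")) == NULL)
		guests = DEFAULT_GUESTS;

	/* check if the target account is on the list */
	is_guest = lookup(user, guests);

	/*
	 * Check password.  This happens before is_guest is acted upon so
	 * that non-guest accounts go through the same prompt.
	 */
	if (!openpam_get_option(pamh, "nopass")) {
		err = pam_get_authtok(pamh, PAM_AUTHTOK, &authtok, NULL);
		if (err != PAM_SUCCESS)
			return (err);
		/* defensive: never hand a NULL token to strcmp()/pam_set_item() */
		if (authtok == NULL)
			return (PAM_AUTH_ERR);
		/*
		 * The expected value (the account name) is public, so a
		 * plain strcmp() leaks nothing through timing here.
		 */
		if (openpam_get_option(pamh, "pass_is_user") &&
		    strcmp(user, authtok) != 0)
			return (PAM_AUTH_ERR);
		/*
		 * Record the supplied password as PAM_RUSER.  If it cannot
		 * be stored, fail rather than silently lose the identity the
		 * application expects to find there.
		 */
		if (openpam_get_option(pamh, "pass_as_ruser") &&
		    pam_set_item(pamh, PAM_RUSER, authtok) != PAM_SUCCESS)
			return (PAM_SERVICE_ERR);
	}

	/* done */
	if (is_guest) {
		/* export the guest name; failure here does not affect auth */
		(void)pam_setenv(pamh, "GUEST", user, 1);
		return (PAM_SUCCESS);
	}
	return (PAM_AUTH_ERR);
}

/*
 * Guest logins carry no credentials to establish or delete, so this
 * always succeeds.
 */
PAM_EXTERN int
pam_sm_setcred(pam_handle_t *pamh __unused, int flags __unused,
    int argc __unused, const char *argv[] __unused)
{

	return (PAM_SUCCESS);
}

PAM_MODULE_ENTRY("pam_guest");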