19a10bb17SJohn Polstra /*- 29a10bb17SJohn Polstra * Copyright 1998 Juniper Networks, Inc. 39a10bb17SJohn Polstra * All rights reserved. 49a10bb17SJohn Polstra * 59a10bb17SJohn Polstra * Redistribution and use in source and binary forms, with or without 69a10bb17SJohn Polstra * modification, are permitted provided that the following conditions 79a10bb17SJohn Polstra * are met: 89a10bb17SJohn Polstra * 1. Redistributions of source code must retain the above copyright 99a10bb17SJohn Polstra * notice, this list of conditions and the following disclaimer. 109a10bb17SJohn Polstra * 2. Redistributions in binary form must reproduce the above copyright 119a10bb17SJohn Polstra * notice, this list of conditions and the following disclaimer in the 129a10bb17SJohn Polstra * documentation and/or other materials provided with the distribution. 139a10bb17SJohn Polstra * 149a10bb17SJohn Polstra * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 159a10bb17SJohn Polstra * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 169a10bb17SJohn Polstra * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 179a10bb17SJohn Polstra * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 189a10bb17SJohn Polstra * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 199a10bb17SJohn Polstra * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 209a10bb17SJohn Polstra * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 219a10bb17SJohn Polstra * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 229a10bb17SJohn Polstra * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 239a10bb17SJohn Polstra * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 249a10bb17SJohn Polstra * SUCH DAMAGE. 259a10bb17SJohn Polstra * 269a10bb17SJohn Polstra * $FreeBSD$ 279a10bb17SJohn Polstra */ 289a10bb17SJohn Polstra 299a10bb17SJohn Polstra #include <sys/param.h> 309a10bb17SJohn Polstra #include <pwd.h> 319a10bb17SJohn Polstra #include <radlib.h> 329a10bb17SJohn Polstra #include <stdlib.h> 339a10bb17SJohn Polstra #include <string.h> 349a10bb17SJohn Polstra #include <syslog.h> 359a10bb17SJohn Polstra #include <unistd.h> 369a10bb17SJohn Polstra 379a10bb17SJohn Polstra #define PAM_SM_AUTH 389a10bb17SJohn Polstra #include <security/pam_modules.h> 399a10bb17SJohn Polstra 409a10bb17SJohn Polstra #include "pam_mod_misc.h" 419a10bb17SJohn Polstra 429a10bb17SJohn Polstra #define MAX_CHALLENGE_MSGS 10 439a10bb17SJohn Polstra #define PASSWORD_PROMPT "RADIUS password:" 449a10bb17SJohn Polstra 459a10bb17SJohn Polstra /* Option names, including the "=" sign. */ 469a10bb17SJohn Polstra #define OPT_CONF "conf=" 479a10bb17SJohn Polstra #define OPT_TMPL "template_user=" 489a10bb17SJohn Polstra 499a10bb17SJohn Polstra static int build_access_request(struct rad_handle *, const char *, 509a10bb17SJohn Polstra const char *, const void *, size_t); 519a10bb17SJohn Polstra static int do_accept(pam_handle_t *, struct rad_handle *); 529a10bb17SJohn Polstra static int do_challenge(pam_handle_t *, struct rad_handle *, 539a10bb17SJohn Polstra const char *); 549a10bb17SJohn Polstra 559a10bb17SJohn Polstra /* 569a10bb17SJohn Polstra * Construct an access request, but don't send it. Returns 0 on success, 579a10bb17SJohn Polstra * -1 on failure. 589a10bb17SJohn Polstra */ 599a10bb17SJohn Polstra static int 609a10bb17SJohn Polstra build_access_request(struct rad_handle *radh, const char *user, 619a10bb17SJohn Polstra const char *pass, const void *state, size_t state_len) 629a10bb17SJohn Polstra { 639a10bb17SJohn Polstra char host[MAXHOSTNAMELEN]; 649a10bb17SJohn Polstra 659a10bb17SJohn Polstra if (rad_create_request(radh, RAD_ACCESS_REQUEST) == -1) { 669a10bb17SJohn Polstra syslog(LOG_CRIT, "rad_create_request: %s", rad_strerror(radh)); 679a10bb17SJohn Polstra return -1; 689a10bb17SJohn Polstra } 699a10bb17SJohn Polstra if ((user != NULL && 709a10bb17SJohn Polstra rad_put_string(radh, RAD_USER_NAME, user) == -1) || 719a10bb17SJohn Polstra (pass != NULL && 729a10bb17SJohn Polstra rad_put_string(radh, RAD_USER_PASSWORD, pass) == -1) || 739a10bb17SJohn Polstra (gethostname(host, sizeof host) != -1 && 749a10bb17SJohn Polstra rad_put_string(radh, RAD_NAS_IDENTIFIER, host) == -1)) { 759a10bb17SJohn Polstra syslog(LOG_CRIT, "rad_put_string: %s", rad_strerror(radh)); 769a10bb17SJohn Polstra return -1; 779a10bb17SJohn Polstra } 789a10bb17SJohn Polstra if (state != NULL && rad_put_attr(radh, RAD_STATE, state, 799a10bb17SJohn Polstra state_len) == -1) { 809a10bb17SJohn Polstra syslog(LOG_CRIT, "rad_put_attr: %s", rad_strerror(radh)); 819a10bb17SJohn Polstra return -1; 829a10bb17SJohn Polstra } 839a10bb17SJohn Polstra if (rad_put_int(radh, RAD_SERVICE_TYPE, RAD_AUTHENTICATE_ONLY) == -1) { 849a10bb17SJohn Polstra syslog(LOG_CRIT, "rad_put_int: %s", rad_strerror(radh)); 859a10bb17SJohn Polstra return -1; 869a10bb17SJohn Polstra } 879a10bb17SJohn Polstra return 0; 889a10bb17SJohn Polstra } 899a10bb17SJohn Polstra 909a10bb17SJohn Polstra static int 919a10bb17SJohn Polstra do_accept(pam_handle_t *pamh, struct rad_handle *radh) 929a10bb17SJohn Polstra { 939a10bb17SJohn Polstra int attrtype; 949a10bb17SJohn Polstra const void *attrval; 959a10bb17SJohn Polstra size_t attrlen; 969a10bb17SJohn Polstra char *s; 979a10bb17SJohn Polstra 989a10bb17SJohn Polstra while ((attrtype = rad_get_attr(radh, &attrval, &attrlen)) > 0) { 999a10bb17SJohn Polstra if (attrtype == RAD_USER_NAME) { 1009a10bb17SJohn Polstra s = rad_cvt_string(attrval, attrlen); 1019a10bb17SJohn Polstra if (s == NULL) { 1029a10bb17SJohn Polstra syslog(LOG_CRIT, 1039a10bb17SJohn Polstra "rad_cvt_string: out of memory"); 1049a10bb17SJohn Polstra return -1; 1059a10bb17SJohn Polstra } 1069a10bb17SJohn Polstra pam_set_item(pamh, PAM_USER, s); 1079a10bb17SJohn Polstra free(s); 1089a10bb17SJohn Polstra } 1099a10bb17SJohn Polstra } 1109a10bb17SJohn Polstra if (attrtype == -1) { 1119a10bb17SJohn Polstra syslog(LOG_CRIT, "rad_get_attr: %s", rad_strerror(radh)); 1129a10bb17SJohn Polstra return -1; 1139a10bb17SJohn Polstra } 1149a10bb17SJohn Polstra return 0; 1159a10bb17SJohn Polstra } 1169a10bb17SJohn Polstra 1179a10bb17SJohn Polstra static int 1189a10bb17SJohn Polstra do_challenge(pam_handle_t *pamh, struct rad_handle *radh, const char *user) 1199a10bb17SJohn Polstra { 1209a10bb17SJohn Polstra int retval; 1219a10bb17SJohn Polstra int attrtype; 1229a10bb17SJohn Polstra const void *attrval; 1239a10bb17SJohn Polstra size_t attrlen; 1249a10bb17SJohn Polstra const void *state; 1259a10bb17SJohn Polstra size_t statelen; 1269a10bb17SJohn Polstra struct pam_message msgs[MAX_CHALLENGE_MSGS]; 1279a10bb17SJohn Polstra const struct pam_message *msg_ptrs[MAX_CHALLENGE_MSGS]; 1289a10bb17SJohn Polstra struct pam_response *resp; 1299a10bb17SJohn Polstra int num_msgs; 1309a10bb17SJohn Polstra const void *item; 1319a10bb17SJohn Polstra const struct pam_conv *conv; 1329a10bb17SJohn Polstra 1339a10bb17SJohn Polstra state = NULL; 1349a10bb17SJohn Polstra statelen = 0; 1359a10bb17SJohn Polstra num_msgs = 0; 1369a10bb17SJohn Polstra while ((attrtype = rad_get_attr(radh, &attrval, &attrlen)) > 0) { 1379a10bb17SJohn Polstra switch (attrtype) { 1389a10bb17SJohn Polstra 1399a10bb17SJohn Polstra case RAD_STATE: 1409a10bb17SJohn Polstra state = attrval; 1419a10bb17SJohn Polstra statelen = attrlen; 1429a10bb17SJohn Polstra break; 1439a10bb17SJohn Polstra 1449a10bb17SJohn Polstra case RAD_REPLY_MESSAGE: 1459a10bb17SJohn Polstra if (num_msgs >= MAX_CHALLENGE_MSGS) { 1469a10bb17SJohn Polstra syslog(LOG_CRIT, 1479a10bb17SJohn Polstra "Too many RADIUS challenge messages"); 1489a10bb17SJohn Polstra return PAM_SERVICE_ERR; 1499a10bb17SJohn Polstra } 1509a10bb17SJohn Polstra msgs[num_msgs].msg = rad_cvt_string(attrval, attrlen); 1519a10bb17SJohn Polstra if (msgs[num_msgs].msg == NULL) { 1529a10bb17SJohn Polstra syslog(LOG_CRIT, 1539a10bb17SJohn Polstra "rad_cvt_string: out of memory"); 1549a10bb17SJohn Polstra return PAM_SERVICE_ERR; 1559a10bb17SJohn Polstra } 1569a10bb17SJohn Polstra msgs[num_msgs].msg_style = PAM_TEXT_INFO; 1579a10bb17SJohn Polstra msg_ptrs[num_msgs] = &msgs[num_msgs]; 1589a10bb17SJohn Polstra num_msgs++; 1599a10bb17SJohn Polstra break; 1609a10bb17SJohn Polstra } 1619a10bb17SJohn Polstra } 1629a10bb17SJohn Polstra if (attrtype == -1) { 1639a10bb17SJohn Polstra syslog(LOG_CRIT, "rad_get_attr: %s", rad_strerror(radh)); 1649a10bb17SJohn Polstra return PAM_SERVICE_ERR; 1659a10bb17SJohn Polstra } 1669a10bb17SJohn Polstra if (num_msgs == 0) { 1679a10bb17SJohn Polstra msgs[num_msgs].msg = strdup("(null RADIUS challenge): "); 1689a10bb17SJohn Polstra if (msgs[num_msgs].msg == NULL) { 1699a10bb17SJohn Polstra syslog(LOG_CRIT, "Out of memory"); 1709a10bb17SJohn Polstra return PAM_SERVICE_ERR; 1719a10bb17SJohn Polstra } 1729a10bb17SJohn Polstra msgs[num_msgs].msg_style = PAM_TEXT_INFO; 1739a10bb17SJohn Polstra msg_ptrs[num_msgs] = &msgs[num_msgs]; 1749a10bb17SJohn Polstra num_msgs++; 1759a10bb17SJohn Polstra } 1769a10bb17SJohn Polstra msgs[num_msgs-1].msg_style = PAM_PROMPT_ECHO_ON; 1779a10bb17SJohn Polstra if ((retval = pam_get_item(pamh, PAM_CONV, &item)) != PAM_SUCCESS) { 1789a10bb17SJohn Polstra syslog(LOG_CRIT, "do_challenge: cannot get PAM_CONV"); 1799a10bb17SJohn Polstra return retval; 1809a10bb17SJohn Polstra } 1819a10bb17SJohn Polstra conv = (const struct pam_conv *)item; 1829a10bb17SJohn Polstra if ((retval = conv->conv(num_msgs, msg_ptrs, &resp, 1839a10bb17SJohn Polstra conv->appdata_ptr)) != PAM_SUCCESS) 1849a10bb17SJohn Polstra return retval; 1859a10bb17SJohn Polstra if (build_access_request(radh, user, resp[num_msgs-1].resp, state, 1869a10bb17SJohn Polstra statelen) == -1) 1879a10bb17SJohn Polstra return PAM_SERVICE_ERR; 1889a10bb17SJohn Polstra memset(resp[num_msgs-1].resp, 0, strlen(resp[num_msgs-1].resp)); 1899a10bb17SJohn Polstra free(resp[num_msgs-1].resp); 1909a10bb17SJohn Polstra free(resp); 1919a10bb17SJohn Polstra while (num_msgs > 0) 1929a10bb17SJohn Polstra free((void *)msgs[--num_msgs].msg); 1939a10bb17SJohn Polstra return PAM_SUCCESS; 1949a10bb17SJohn Polstra } 1959a10bb17SJohn Polstra 1969a10bb17SJohn Polstra PAM_EXTERN int 1979a10bb17SJohn Polstra pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, 1989a10bb17SJohn Polstra const char **argv) 1999a10bb17SJohn Polstra { 2009a10bb17SJohn Polstra struct rad_handle *radh; 2019a10bb17SJohn Polstra const char *user; 2029a10bb17SJohn Polstra const char *pass; 2039a10bb17SJohn Polstra const char *conf_file = NULL; 2049a10bb17SJohn Polstra const char *template_user = NULL; 2059a10bb17SJohn Polstra int options = 0; 2069a10bb17SJohn Polstra int retval; 2079a10bb17SJohn Polstra int i; 2089a10bb17SJohn Polstra int e; 2099a10bb17SJohn Polstra 2109a10bb17SJohn Polstra for (i = 0; i < argc; i++) { 2119a10bb17SJohn Polstra size_t len; 2129a10bb17SJohn Polstra 2139a10bb17SJohn Polstra pam_std_option(&options, argv[i]); 2149a10bb17SJohn Polstra if (strncmp(argv[i], OPT_CONF, (len = strlen(OPT_CONF))) == 0) 2159a10bb17SJohn Polstra conf_file = argv[i] + len; 2169a10bb17SJohn Polstra else if (strncmp(argv[i], OPT_TMPL, 2179a10bb17SJohn Polstra (len = strlen(OPT_TMPL))) == 0) 2189a10bb17SJohn Polstra template_user = argv[i] + len; 2199a10bb17SJohn Polstra } 2209a10bb17SJohn Polstra if ((retval = pam_get_user(pamh, &user, NULL)) != PAM_SUCCESS) 2219a10bb17SJohn Polstra return retval; 2229a10bb17SJohn Polstra if ((retval = pam_get_pass(pamh, &pass, PASSWORD_PROMPT, 2239a10bb17SJohn Polstra options)) != PAM_SUCCESS) 2249a10bb17SJohn Polstra return retval; 2259a10bb17SJohn Polstra 2269a10bb17SJohn Polstra if ((radh = rad_open()) == NULL) { 2279a10bb17SJohn Polstra syslog(LOG_CRIT, "rad_open failed"); 2289a10bb17SJohn Polstra return PAM_SERVICE_ERR; 2299a10bb17SJohn Polstra } 2309a10bb17SJohn Polstra if (rad_config(radh, conf_file) == -1) { 2319a10bb17SJohn Polstra syslog(LOG_ALERT, "rad_config: %s", rad_strerror(radh)); 2329a10bb17SJohn Polstra rad_close(radh); 2339a10bb17SJohn Polstra return PAM_SERVICE_ERR; 2349a10bb17SJohn Polstra } 2359a10bb17SJohn Polstra if (build_access_request(radh, user, pass, NULL, 0) == -1) { 2369a10bb17SJohn Polstra rad_close(radh); 2379a10bb17SJohn Polstra return PAM_SERVICE_ERR; 2389a10bb17SJohn Polstra } 2399a10bb17SJohn Polstra for ( ; ; ) { 2409a10bb17SJohn Polstra switch (rad_send_request(radh)) { 2419a10bb17SJohn Polstra 2429a10bb17SJohn Polstra case RAD_ACCESS_ACCEPT: 2439a10bb17SJohn Polstra e = do_accept(pamh, radh); 2449a10bb17SJohn Polstra rad_close(radh); 2459a10bb17SJohn Polstra if (e == -1) 2469a10bb17SJohn Polstra return PAM_SERVICE_ERR; 2479a10bb17SJohn Polstra if (template_user != NULL) { 2489a10bb17SJohn Polstra const void *item; 2499a10bb17SJohn Polstra const char *user; 2509a10bb17SJohn Polstra 2519a10bb17SJohn Polstra /* 2529a10bb17SJohn Polstra * If the given user name doesn't exist in 2539a10bb17SJohn Polstra * the local password database, change it 2549a10bb17SJohn Polstra * to the value given in the "template_user" 2559a10bb17SJohn Polstra * option. 2569a10bb17SJohn Polstra */ 2579a10bb17SJohn Polstra retval = pam_get_item(pamh, PAM_USER, &item); 2589a10bb17SJohn Polstra if (retval != PAM_SUCCESS) 2599a10bb17SJohn Polstra return retval; 2609a10bb17SJohn Polstra user = (const char *)item; 2619a10bb17SJohn Polstra if (getpwnam(user) == NULL) 2629a10bb17SJohn Polstra pam_set_item(pamh, PAM_USER, 2639a10bb17SJohn Polstra template_user); 2649a10bb17SJohn Polstra } 2659a10bb17SJohn Polstra return PAM_SUCCESS; 2669a10bb17SJohn Polstra 2679a10bb17SJohn Polstra case RAD_ACCESS_REJECT: 2689a10bb17SJohn Polstra rad_close(radh); 2699a10bb17SJohn Polstra return PAM_AUTH_ERR; 2709a10bb17SJohn Polstra 2719a10bb17SJohn Polstra case RAD_ACCESS_CHALLENGE: 2729a10bb17SJohn Polstra if ((retval = do_challenge(pamh, radh, user)) != 2739a10bb17SJohn Polstra PAM_SUCCESS) { 2749a10bb17SJohn Polstra rad_close(radh); 2759a10bb17SJohn Polstra return retval; 2769a10bb17SJohn Polstra } 2779a10bb17SJohn Polstra break; 2789a10bb17SJohn Polstra 2799a10bb17SJohn Polstra case -1: 2809a10bb17SJohn Polstra syslog(LOG_CRIT, "rad_send_request: %s", 2819a10bb17SJohn Polstra rad_strerror(radh)); 2829a10bb17SJohn Polstra rad_close(radh); 2839a10bb17SJohn Polstra return PAM_AUTHINFO_UNAVAIL; 2849a10bb17SJohn Polstra 2859a10bb17SJohn Polstra default: 2869a10bb17SJohn Polstra syslog(LOG_CRIT, 2879a10bb17SJohn Polstra "rad_send_request: unexpected return value"); 2889a10bb17SJohn Polstra rad_close(radh); 2899a10bb17SJohn Polstra return PAM_SERVICE_ERR; 2909a10bb17SJohn Polstra } 2919a10bb17SJohn Polstra } 2929a10bb17SJohn Polstra } 2939a10bb17SJohn Polstra 2949a10bb17SJohn Polstra PAM_EXTERN int 2959a10bb17SJohn Polstra pam_sm_setcred(pam_handle_t *pamh, int flags, int argc, const char **argv) 2969a10bb17SJohn Polstra { 2979a10bb17SJohn Polstra return PAM_SUCCESS; 2989a10bb17SJohn Polstra } 299