1397fa725SMark Murray /*-
2397fa725SMark Murray  * Copyright (c) 2001 Mark R V Murray
3397fa725SMark Murray  * All rights reserved.
4f03a4b81SDag-Erling Smørgrav  * Copyright (c) 2001 Networks Associates Technology, Inc.
58d3978c1SDag-Erling Smørgrav  * All rights reserved.
68d3978c1SDag-Erling Smørgrav  *
78d3978c1SDag-Erling Smørgrav  * Portions of this software were developed for the FreeBSD Project by
88d3978c1SDag-Erling Smørgrav  * ThinkSec AS and NAI Labs, the Security Research Division of Network
98d3978c1SDag-Erling Smørgrav  * Associates, Inc.  under DARPA/SPAWAR contract N66001-01-C-8035
108d3978c1SDag-Erling Smørgrav  * ("CBOSS"), as part of the DARPA CHATS research program.
11397fa725SMark Murray  *
12397fa725SMark Murray  * Redistribution and use in source and binary forms, with or without
13397fa725SMark Murray  * modification, are permitted provided that the following conditions
14397fa725SMark Murray  * are met:
15397fa725SMark Murray  * 1. Redistributions of source code must retain the above copyright
16397fa725SMark Murray  *    notice, this list of conditions and the following disclaimer.
17397fa725SMark Murray  * 2. Redistributions in binary form must reproduce the above copyright
18397fa725SMark Murray  *    notice, this list of conditions and the following disclaimer in the
19397fa725SMark Murray  *    documentation and/or other materials provided with the distribution.
208d3978c1SDag-Erling Smørgrav  * 3. The name of the author may not be used to endorse or promote
218d3978c1SDag-Erling Smørgrav  *    products derived from this software without specific prior written
228d3978c1SDag-Erling Smørgrav  *    permission.
23397fa725SMark Murray  *
24397fa725SMark Murray  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
25397fa725SMark Murray  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
26397fa725SMark Murray  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
27397fa725SMark Murray  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
28397fa725SMark Murray  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
29397fa725SMark Murray  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
30397fa725SMark Murray  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
31397fa725SMark Murray  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
32397fa725SMark Murray  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
33397fa725SMark Murray  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
34397fa725SMark Murray  * SUCH DAMAGE.
35397fa725SMark Murray  */
36397fa725SMark Murray 
37ceaf33f5SMatthew Dillon #include <sys/cdefs.h>
38ceaf33f5SMatthew Dillon __FBSDID("$FreeBSD$");
39ceaf33f5SMatthew Dillon 
40397fa725SMark Murray #include <sys/types.h>
41397fa725SMark Murray #include <sys/stat.h>
42397fa725SMark Murray #include <pwd.h>
43397fa725SMark Murray #include <ttyent.h>
44397fa725SMark Murray #include <string.h>
45397fa725SMark Murray 
46397fa725SMark Murray #define PAM_SM_AUTH
478d3978c1SDag-Erling Smørgrav #define PAM_SM_ACCOUNT
488d3978c1SDag-Erling Smørgrav #define PAM_SM_SESSION
498d3978c1SDag-Erling Smørgrav #define PAM_SM_PASSWORD
508d3978c1SDag-Erling Smørgrav 
518c66575dSDag-Erling Smørgrav #include <security/pam_appl.h>
52397fa725SMark Murray #include <security/pam_modules.h>
538c66575dSDag-Erling Smørgrav #include <security/pam_mod_misc.h>
54397fa725SMark Murray 
55397fa725SMark Murray #define TTY_PREFIX	"/dev/"
56397fa725SMark Murray 
/*
 * Authentication hook.  This module only enforces a policy at the
 * account-management stage, so authentication is neither granted nor
 * denied here: the module arguments are parsed and PAM_IGNORE is
 * returned so the stack continues unaffected.
 */
PAM_EXTERN int
pam_sm_authenticate(pam_handle_t *pamh __unused, int flags __unused, int argc, const char **argv)
{
	struct options opts;

	/* Parse standard module arguments even though none are honoured here. */
	pam_std_option(&opts, NULL, argc, argv);
	PAM_LOG("Options processed");

	PAM_RETURN(PAM_IGNORE);
}
68397fa725SMark Murray 
/*
 * Credential hook.  No credentials are established or withdrawn by this
 * module; the arguments are parsed for logging purposes and PAM_SUCCESS
 * is reported unconditionally.
 */
PAM_EXTERN int
pam_sm_setcred(pam_handle_t *pamh __unused, int flags __unused, int argc, const char **argv)
{
	struct options opts;

	/* Standard argument parsing; nothing in this hook depends on it. */
	pam_std_option(&opts, NULL, argc, argv);
	PAM_LOG("Options processed");

	PAM_RETURN(PAM_SUCCESS);
}
81397fa725SMark Murray 
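/*
 * Account-management hook: restrict root to ttys marked "secure".
 *
 * Non-root users always pass.  For root (pw_uid == 0) the PAM_TTY item
 * is looked up with getttynam(3) and access is granted only when the
 * entry carries TTY_SECURE.  Every other outcome -- no PAM_TTY item,
 * a tty not listed in ttys(5), or one without "secure" -- is reported
 * as PAM_AUTH_ERR, so the check fails closed.
 *
 * Returns PAM_SUCCESS on a permitted login, PAM_AUTH_ERR when root is
 * not on a secure tty, PAM_SERVICE_ERR when the user cannot be resolved,
 * or the error from pam_get_user()/pam_get_item() when those fail.
 */
PAM_EXTERN int
pam_sm_acct_mgmt(pam_handle_t *pamh, int flags __unused, int argc, const char **argv)
{
	struct options options;
	struct passwd *pwd;
	struct ttyent *ty;
	const char *user, *tty;
	int pam_err;

	pam_std_option(&options, NULL, argc, argv);

	PAM_LOG("Options processed");

	pam_err = pam_get_user(pamh, &user, NULL);
	if (pam_err != PAM_SUCCESS)
		PAM_RETURN(pam_err);
	if (user == NULL || (pwd = getpwnam(user)) == NULL)
		PAM_RETURN(PAM_SERVICE_ERR);

	PAM_LOG("Got user: %s", user);

	/* If the user is not root, secure ttys do not apply */
	if (pwd->pw_uid != 0)
		PAM_RETURN(PAM_SUCCESS);

	pam_err = pam_get_item(pamh, PAM_TTY, (const void **)&tty);
	if (pam_err != PAM_SUCCESS)
		PAM_RETURN(pam_err);

	/*
	 * A missing PAM_TTY item cannot be matched against ttys(5); deny
	 * rather than log a NULL string and fall through.
	 */
	if (tty == NULL) {
		PAM_VERBOSE_ERROR("Not on secure TTY");
		PAM_RETURN(PAM_AUTH_ERR);
	}

	PAM_LOG("Got TTY: %s", tty);

	/*
	 * Ignore any "/dev/" on the PAM_TTY item.  Compare only the prefix
	 * characters: sizeof(TTY_PREFIX) counts the terminating NUL, so a
	 * comparison of that length would match only a PAM_TTY of exactly
	 * "/dev/" and the prefix would never be stripped from a real tty
	 * name (which then fails the getttynam() lookup below).
	 */
	if (strncmp(TTY_PREFIX, tty, sizeof(TTY_PREFIX) - 1) == 0) {
		PAM_LOG("WARNING: PAM_TTY starts with " TTY_PREFIX);
		tty += sizeof(TTY_PREFIX) - 1;
	}

	/* Root may only log in on a tty that ttys(5) marks as secure. */
	if ((ty = getttynam(tty)) != NULL &&
	    (ty->ty_status & TTY_SECURE) != 0)
		PAM_RETURN(PAM_SUCCESS);

	PAM_VERBOSE_ERROR("Not on secure TTY");
	PAM_RETURN(PAM_AUTH_ERR);
}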
1268d3978c1SDag-Erling Smørgrav 
/*
 * Password-change hook.  This module has no authentication token to
 * update; it parses its arguments and returns PAM_IGNORE so the rest
 * of the password stack decides the result.
 */
PAM_EXTERN int
pam_sm_chauthtok(pam_handle_t *pamh __unused, int flags __unused, int argc, const char **argv)
{
	struct options opts;

	/* Argument parsing only; the options are not consulted. */
	pam_std_option(&opts, NULL, argc, argv);
	PAM_LOG("Options processed");

	PAM_RETURN(PAM_IGNORE);
}
1388d3978c1SDag-Erling Smørgrav 
/*
 * Session-open hook.  Nothing is set up per session; arguments are
 * parsed and PAM_IGNORE is returned.
 */
PAM_EXTERN int
pam_sm_open_session(pam_handle_t *pamh __unused, int flags __unused, int argc, const char **argv)
{
	struct options opts;

	/* Argument parsing only; the options are not consulted. */
	pam_std_option(&opts, NULL, argc, argv);
	PAM_LOG("Options processed");

	PAM_RETURN(PAM_IGNORE);
}
1508d3978c1SDag-Erling Smørgrav 
/*
 * Session-close hook.  Nothing was set up in pam_sm_open_session(), so
 * there is nothing to tear down; arguments are parsed and PAM_IGNORE is
 * returned.
 */
PAM_EXTERN int
pam_sm_close_session(pam_handle_t *pamh __unused, int flags __unused, int argc, const char **argv)
{
	struct options opts;

	/* Argument parsing only; the options are not consulted. */
	pam_std_option(&opts, NULL, argc, argv);
	PAM_LOG("Options processed");

	PAM_RETURN(PAM_IGNORE);
}
1628d3978c1SDag-Erling Smørgrav 
/* Module entry declaration; "pam_securetty" is the name the module is known by. */
PAM_MODULE_ENTRY("pam_securetty");