1 /*
2 * CDDL HEADER START
3 *
4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License, Version 1.0 only
6 * (the "License"). You may not use this file except in compliance
7 * with the License.
8 *
9 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
10 * or http://www.opensolaris.org/os/licensing.
11 * See the License for the specific language governing permissions
12 * and limitations under the License.
13 *
14 * When distributing Covered Code, include this CDDL HEADER in each
15 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
16 * If applicable, add the following below this CDDL HEADER, with the
17 * fields enclosed by brackets "[]" replaced with your own identifying
18 * information: Portions Copyright [yyyy] [name of copyright owner]
19 *
20 * CDDL HEADER END
21 */
22 /*
23 * Copyright 2004 Sun Microsystems, Inc. All rights reserved.
24 * Use is subject to license terms.
25 *
26 * Copyright 2023 OmniOS Community Edition (OmniOSce) Association.
27 */
28
29 #include <sys/param.h>
30 #include <security/pam_appl.h>
31 #include <security/pam_modules.h>
32 #include <pwd.h>
33 #include <shadow.h>
34 #include <string.h>
35 #include <rpc/types.h>
36 #include <rpc/auth.h>
37 #include <locale.h>
38 #include <crypt.h>
39 #include <syslog.h>
40
41 extern int ruserok(const char *, int, const char *, const char *);
42
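/*
 * pam_sm_authenticate - Checks if the user is allowed remote access.
 *
 * Access is granted only when ruserok() accepts the (PAM_RHOST, PAM_RUSER)
 * pair for the local PAM_USER; any other outcome is an authentication
 * failure, so the module fails closed.  PAM_RHOST is whatever the calling
 * application stored in the handle, so the decision is only as
 * trustworthy as that value.
 *
 * Module options: "debug" logs the user and host being checked via
 * syslog(); any other option is logged at LOG_DEBUG and ignored.
 * flags is not used.
 *
 * Returns PAM_SERVICE_ERR if a PAM item cannot be read, PAM_USER_UNKNOWN
 * if the local user is empty or not in the passwd database, PAM_AUTH_ERR
 * if the remote user or host is empty or the rhosts check fails, and
 * PAM_SUCCESS otherwise.
 */
int
pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv)
{
	const char *host = NULL, *lusername = NULL, *rusername = NULL;
	struct passwd pwd;
	/*
	 * Scratch storage for getpwnam_r(); 1024 is the size this module has
	 * always used.  NOTE(review): sysconf(_SC_GETPW_R_SIZE_MAX) would be
	 * the portable way to size it - confirm before changing.
	 */
	char pwd_buffer[1024];
	int is_superuser;
	int i;
	int debug = 0;

	for (i = 0; i < argc; i++) {
		if (strcasecmp(argv[i], "debug") == 0)
			debug = 1;
		else
			syslog(LOG_DEBUG, "illegal option %s", argv[i]);
	}

	/*
	 * All three items are required; a failed lookup is a service error
	 * rather than an authentication decision.
	 */
	if (pam_get_item(pamh, PAM_USER, (const void **)&lusername) !=
	    PAM_SUCCESS) {
		return (PAM_SERVICE_ERR);
	}
	if (pam_get_item(pamh, PAM_RHOST, (const void **)&host) !=
	    PAM_SUCCESS) {
		return (PAM_SERVICE_ERR);
	}
	if (pam_get_item(pamh, PAM_RUSER, (const void **)&rusername) !=
	    PAM_SUCCESS) {
		return (PAM_SERVICE_ERR);
	}

	/* An unset or empty item can never be authorised. */
	if (lusername == NULL || *lusername == '\0')
		return (PAM_USER_UNKNOWN);
	if (rusername == NULL || *rusername == '\0')
		return (PAM_AUTH_ERR);
	if (host == NULL || *host == '\0')
		return (PAM_AUTH_ERR);

	if (debug) {
		syslog(LOG_DEBUG,
		    "rhosts authenticate: user = %s, host = %s",
		    lusername, host);
	}

	if (getpwnam_r(lusername, &pwd, pwd_buffer, sizeof (pwd_buffer))
	    == NULL)
		return (PAM_USER_UNKNOWN);

	/* ruserok() takes a superuser flag, derived here from the local uid. */
	is_superuser = (pwd.pw_uid == 0);

	/*
	 * ruserok() returns 0 on success and -1 on failure.  Compare against
	 * 0 so that any unexpected return value denies access instead of
	 * being mistaken for success (the old "== -1 ? error : success"
	 * form was fail-open for every value other than -1).
	 */
	if (ruserok(host, is_superuser, rusername, lusername) != 0)
		return (PAM_AUTH_ERR);

	return (PAM_SUCCESS);
}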
101
/*
 * pam_sm_setcred - credential management is not applicable to rhosts
 * authentication, so this entry point is a no-op.
 *
 * Returns PAM_IGNORE unconditionally; every argument is unused.
 */
/*ARGSUSED*/
int
pam_sm_setcred(pam_handle_t *pamh, int flags, int argc, const char **argv)
{
	return (PAM_IGNORE);
}
115