xref: /illumos-gate/usr/src/lib/pam_modules/rhosts_auth/rhosts_auth.c (revision 0250c53ad267726f2438e3c6556199a0bbf588a2) 
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License, Version 1.0 only
6  * (the "License").  You may not use this file except in compliance
7  * with the License.
8  *
9  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
10  * or http://www.opensolaris.org/os/licensing.
11  * See the License for the specific language governing permissions
12  * and limitations under the License.
13  *
14  * When distributing Covered Code, include this CDDL HEADER in each
15  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
16  * If applicable, add the following below this CDDL HEADER, with the
17  * fields enclosed by brackets "[]" replaced with your own identifying
18  * information: Portions Copyright [yyyy] [name of copyright owner]
19  *
20  * CDDL HEADER END
21  */
22 /*
23  * Copyright 2004 Sun Microsystems, Inc.  All rights reserved.
24  * Use is subject to license terms.
25  *
26  * Copyright 2023 OmniOS Community Edition (OmniOSce) Association.
27  */
28 
29 #include <sys/param.h>
30 #include <security/pam_appl.h>
31 #include <security/pam_modules.h>
32 #include <pwd.h>
33 #include <shadow.h>
34 #include <string.h>
35 #include <rpc/types.h>
36 #include <rpc/auth.h>
37 #include <locale.h>
38 #include <crypt.h>
39 #include <syslog.h>
40 
41 extern int ruserok(const char *, int, const char *, const char *);
42 
43 /*
44  * pam_sm_authenticate	- Checks if the user is allowed remote access
45  */
46 int
47 pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv)
48 {
49 	const char *host = NULL, *lusername = NULL;
50 	struct passwd pwd;
51 	char pwd_buffer[1024];
52 	int is_superuser;
53 	const char *rusername;
54 	int i;
55 	int debug = 0;
56 
57 	for (i = 0; i < argc; i++) {
58 		if (strcasecmp(argv[i], "debug") == 0)
59 			debug = 1;
60 		else
61 			syslog(LOG_DEBUG, "illegal option %s", argv[i]);
62 	}
63 
64 	if (pam_get_item(pamh, PAM_USER, (const void **)&lusername) !=
65 	    PAM_SUCCESS) {
66 		return (PAM_SERVICE_ERR);
67 	}
68 	if (pam_get_item(pamh, PAM_RHOST, (const void **)&host) != PAM_SUCCESS)
69 		return (PAM_SERVICE_ERR);
70 	if (pam_get_item(pamh, PAM_RUSER, (const void **)&rusername) !=
71 	    PAM_SUCCESS) {
72 		return (PAM_SERVICE_ERR);
73 	}
74 
75 	if (lusername == NULL || *lusername == '\0')
76 		return (PAM_USER_UNKNOWN);
77 	if (rusername == NULL || *rusername == '\0')
78 		return (PAM_AUTH_ERR);
79 	if (host == NULL || *host == '\0')
80 		return (PAM_AUTH_ERR);
81 
82 	if (debug) {
83 		syslog(LOG_DEBUG,
84 			"rhosts authenticate: user = %s, host = %s",
85 			lusername, host);
86 	}
87 
88 	if (getpwnam_r(lusername, &pwd, pwd_buffer, sizeof (pwd_buffer))
89 								== NULL)
90 		return (PAM_USER_UNKNOWN);
91 
92 	if (pwd.pw_uid == 0)
93 		is_superuser = 1;
94 	else
95 		is_superuser = 0;
96 
97 	return (ruserok(host, is_superuser, rusername, lusername)
98 		== -1 ? PAM_AUTH_ERR : PAM_SUCCESS);
99 
100 }
101 
102 /*
103  * dummy pam_sm_setcred - does nothing
104  */
105 /*ARGSUSED*/
106 int
107 pam_sm_setcred(
108 	pam_handle_t	*pamh,
109 	int	flags,
110 	int	argc,
111 	const char	**argv)
112 {
113 	return (PAM_IGNORE);
114 }
115