xref: /titanic_52/usr/src/lib/libpam/pam_impl.h (revision 7bc7346c0c75ced7da727f63c2772fd53809244d)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 /*
22  * Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
23  * Use is subject to license terms.
24  */
25 
26 #ifndef	_PAM_IMPL_H
27 #define	_PAM_IMPL_H
28 
29 #pragma ident	"%Z%%M%	%I%	%E% SMI"
30 
31 #ifdef __cplusplus
32 extern "C" {
33 #endif
34 
35 #include <limits.h>
36 #include <shadow.h>
37 #include <sys/types.h>
38 
39 #define	PAMTXD		"SUNW_OST_SYSOSPAM"
40 
41 #define	PAM_CONFIG	"/etc/pam.conf"
42 #define	PAM_ISA		"/$ISA/"
43 #define	PAM_LIB_DIR	"/usr/lib/security/"
44 #ifdef	_LP64
45 #define	PAM_ISA_DIR	"/64/"
46 #else	/* !_LP64 */
47 #define	PAM_ISA_DIR	"/"
48 #endif	/* _LP64 */
49 
50 /* Service Module Types */
51 
52 /*
53  * If new service types are added, they should be named in
54  * pam_framework.c::pam_snames[] as well.
55  */
56 
57 #define	PAM_ACCOUNT_NAME	"account"
58 #define	PAM_AUTH_NAME		"auth"
59 #define	PAM_PASSWORD_NAME	"password"
60 #define	PAM_SESSION_NAME	"session"
61 
62 #define	PAM_ACCOUNT_MODULE	0
63 #define	PAM_AUTH_MODULE		1
64 #define	PAM_PASSWORD_MODULE	2
65 #define	PAM_SESSION_MODULE	3
66 
67 #define	PAM_NUM_MODULE_TYPES	4
68 
69 /* Control Flags */
70 
71 #define	PAM_BINDING_NAME	"binding"
72 #define	PAM_INCLUDE_NAME	"include"
73 #define	PAM_OPTIONAL_NAME	"optional"
74 #define	PAM_REQUIRED_NAME	"required"
75 #define	PAM_REQUISITE_NAME	"requisite"
76 #define	PAM_SUFFICIENT_NAME	"sufficient"
77 
78 #define	PAM_BINDING	0x01
79 #define	PAM_INCLUDE	0x02
80 #define	PAM_OPTIONAL	0x04
81 #define	PAM_REQUIRED	0x08
82 #define	PAM_REQUISITE	0x10
83 #define	PAM_SUFFICIENT	0x20
84 
85 #define	PAM_REQRD_BIND	(PAM_REQUIRED | PAM_BINDING)
86 #define	PAM_SUFFI_BIND	(PAM_SUFFICIENT | PAM_BINDING)
87 
88 /* Function Indicators */
89 
90 #define	PAM_AUTHENTICATE	1
91 #define	PAM_SETCRED		2
92 #define	PAM_ACCT_MGMT		3
93 #define	PAM_OPEN_SESSION	4
94 #define	PAM_CLOSE_SESSION	5
95 #define	PAM_CHAUTHTOK		6
96 
97 /* PAM tracing */
98 
99 #define	PAM_DEBUG	"/etc/pam_debug"
100 #define	LOG_PRIORITY	"log_priority="
101 #define	LOG_FACILITY	"log_facility="
102 #define	DEBUG_FLAGS	"debug_flags="
103 #define	PAM_DEBUG_NONE		0x0000
104 #define	PAM_DEBUG_DEFAULT	0x0001
105 #define	PAM_DEBUG_ITEM		0x0002
106 #define	PAM_DEBUG_MODULE	0x0004
107 #define	PAM_DEBUG_CONF		0x0008
108 #define	PAM_DEBUG_DATA		0x0010
109 #define	PAM_DEBUG_CONV		0x0020
110 #define	PAM_DEBUG_AUTHTOK	0x8000
111 
112 #define	PAM_MAX_ITEMS		64	/* Max number of items */
113 #define	PAM_MAX_INCLUDE		32	/* Max include flag recursions */
114 
115 /* authentication module functions */
116 #define	PAM_SM_AUTHENTICATE	"pam_sm_authenticate"
117 #define	PAM_SM_SETCRED		"pam_sm_setcred"
118 
119 /* session module functions */
120 #define	PAM_SM_OPEN_SESSION	"pam_sm_open_session"
121 #define	PAM_SM_CLOSE_SESSION	"pam_sm_close_session"
122 
123 /* password module functions */
124 #define	PAM_SM_CHAUTHTOK		"pam_sm_chauthtok"
125 
126 /* account module functions */
127 #define	PAM_SM_ACCT_MGMT		"pam_sm_acct_mgmt"
128 
129 /*
130  * Definitions shared by passwd.c and the UNIX module
131  */
132 
133 #define	PAM_REP_DEFAULT	0x0
134 #define	PAM_REP_FILES	0x01
135 #define	PAM_REP_NIS	0x02
136 #define	PAM_REP_NISPLUS	0x04
137 #define	PAM_REP_LDAP	0x10
138 #define	PAM_OPWCMD	0x08	/* for nispasswd, yppasswd */
139 
140 /* max # of authentication token attributes */
141 #define	PAM_MAX_NUM_ATTR	10
142 
143 /* max size (in chars) of an authentication token attribute */
144 #define	PAM_MAX_ATTR_SIZE	80
145 
146 /* utility function prototypes */
147 
148 /* source values when calling __pam_get_authtok() */
149 #define	PAM_PROMPT	1	/* prompt user for new password */
150 #define	PAM_HANDLE	2	/* get password from pam handle (item) */
151 
152 #if	PASS_MAX >= PAM_MAX_RESP_SIZE
153 #error	PASS_MAX > PAM_MAX_RESP_SIZE
154 #endif	/* PASS_MAX >= PAM_MAX_RESP_SIZE */
155 
156 extern int
157 __pam_get_authtok(pam_handle_t *pamh, int source, int type, char *prompt,
158     char **authtok);
159 
160 extern int
161 __pam_display_msg(pam_handle_t *pamh, int msg_style, int num_msg,
162     char messages[PAM_MAX_NUM_MSG][PAM_MAX_MSG_SIZE], void *conv_apdp);
163 
164 extern void
165 __pam_log(int priority, const char *format, ...);
166 
167 /* file handle for pam.conf */
168 struct pam_fh {
169 	int	fconfig;	/* file descriptor returned by open() */
170 	char    line[256];
171 	size_t  bufsize;	/* size of the buffer which holds */
172 				/* the content of pam.conf */
173 	char   *bufferp;	/* used to process data	*/
174 	char   *data;		/* contents of pam.conf	*/
175 };
176 
177 /* items that can be set/retrieved thru pam_[sg]et_item() */
178 struct	pam_item {
179 	void	*pi_addr;	/* pointer to item */
180 	int	pi_size;	/* size of item */
181 };
182 
183 /* module specific data stored in the pam handle */
184 struct pam_module_data {
185 	char *module_data_name;		/* unique module data name */
186 	void *data;			/* the module specific data */
187 	void (*cleanup)(pam_handle_t *pamh, void *data, int pam_status);
188 	struct pam_module_data *next;	/* pointer to next module data */
189 };
190 
191 /* each entry from pam.conf is stored here (in the pam handle) */
192 typedef struct pamtab {
193 	char	*pam_service;	/* PAM service, e.g. login, rlogin */
194 	int	pam_type;	/* AUTH, ACCOUNT, PASSWORD, SESSION */
195 	int	pam_flag;	/* required, optional, sufficient */
196 	int	pam_err;	/* error if line overflow */
197 	char	*module_path;	/* module library */
198 	int	module_argc;	/* module specific options */
199 	char	**module_argv;
200 	void	*function_ptr;	/* pointer to struct holding function ptrs */
201 	struct pamtab *next;
202 } pamtab_t;
203 
204 /* list of open fd's (modules that were dlopen'd) */
205 typedef struct fd_list {
206 	void *mh;		/* module handle */
207 	struct fd_list *next;
208 } fd_list;
209 
210 /* list of PAM environment varialbes */
211 typedef struct env_list {
212 	char *name;
213 	char *value;
214 	struct env_list *next;
215 } env_list;
216 
217 /* pam_inmodule values for pam item checking */
218 #define	RW_OK	0	/* Read Write items OK */
219 #define	RO_OK	1	/* Read Only items OK */
220 #define	WO_OK	2	/* Write Only items/data OK */
221 
222 /* the pam handle */
223 struct pam_handle {
224 	struct  pam_item ps_item[PAM_MAX_ITEMS];	/* array of PAM items */
225 	int	include_depth;
226 	int	pam_inmodule;	/* Protect restricted pam_get_item calls */
227 	char	*pam_conf_name[PAM_MAX_INCLUDE+1];
228 	pamtab_t *pam_conf_info[PAM_MAX_INCLUDE+1][PAM_NUM_MODULE_TYPES];
229 	pamtab_t *pam_conf_modulep[PAM_MAX_INCLUDE+1];
230 	struct	pam_module_data *ssd;		/* module specific data */
231 	fd_list *fd;				/* module fd's */
232 	env_list *pam_env;			/* environment variables */
233 
234 	/*
235 	 * XXX -- Contracted Consolidation Private
236 	 *	  to be eliminated when dtlogin contract is terminated
237 	 * Version number requested by PAM's client
238 	 */
239 	char	*pam_client_message_version_number;
240 };
241 
242 /*
243  * the function_ptr field in pamtab_t
244  * will point to one of these modules
245  */
246 struct auth_module {
247 	int	(*pam_sm_authenticate)(pam_handle_t *pamh, int flags, int argc,
248 		    const char **argv);
249 	int	(*pam_sm_setcred)(pam_handle_t *pamh, int flags, int argc,
250 		    const char **argv);
251 };
252 
253 struct password_module {
254 	int	(*pam_sm_chauthtok)(pam_handle_t *pamh, int flags, int argc,
255 		    const char **argv);
256 };
257 
258 struct session_module {
259 	int	(*pam_sm_open_session)(pam_handle_t *pamh, int flags, int argc,
260 		    const char **argv);
261 	int	(*pam_sm_close_session)(pam_handle_t *pamh, int flags, int argc,
262 		    const char **argv);
263 };
264 
265 struct account_module {
266 	int	(*pam_sm_acct_mgmt)(pam_handle_t *pamh, int flags, int argc,
267 		    const char **argv);
268 };
269 
270 #ifdef __cplusplus
271 }
272 #endif
273 
274 #endif	/* _PAM_IMPL_H */
275