1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License, Version 1.0 only
6  * (the "License").  You may not use this file except in compliance
7  * with the License.
8  *
9  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
10  * or http://www.opensolaris.org/os/licensing.
11  * See the License for the specific language governing permissions
12  * and limitations under the License.
13  *
14  * When distributing Covered Code, include this CDDL HEADER in each
15  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
16  * If applicable, add the following below this CDDL HEADER, with the
17  * fields enclosed by brackets "[]" replaced with your own identifying
18  * information: Portions Copyright [yyyy] [name of copyright owner]
19  *
20  * CDDL HEADER END
21  */
22 /*
23  * Copyright 2005 Sun Microsystems, Inc.  All rights reserved.
24  * Use is subject to license terms.
25  */
26 
27 #ifndef	_PAM_IMPL_H
28 #define	_PAM_IMPL_H
29 
30 #pragma ident	"%Z%%M%	%I%	%E% SMI"
31 
32 #ifdef __cplusplus
33 extern "C" {
34 #endif
35 
36 #include <limits.h>
37 #include <shadow.h>
38 #include <sys/types.h>
39 
/* message-catalog text domain for localized PAM strings (presumably; confirm in callers) */
#define	PAMTXD		"SUNW_OST_SYSOSPAM"

/*
 * Policy file and module locations.  PAM_CONFIG is the framework's
 * configuration file.  PAM_LIB_DIR, PAM_ISA_DIR and the "$ISA" token
 * (PAM_ISA) presumably form the prefix for module paths given relative
 * to it in pam.conf -- TODO confirm against the loader in pam_framework.c.
 */
#define	PAM_CONFIG	"/etc/pam.conf"
#define	PAM_ISA		"/$ISA/"
#define	PAM_LIB_DIR	"/usr/lib/security/"
#ifdef	_LP64
#define	PAM_ISA_DIR	"/64/"	/* 64-bit objects live in a "64" subdirectory */
#else	/* !_LP64 */
#define	PAM_ISA_DIR	"/"
#endif	/* _LP64 */
50 
51 /* Service Module Types */
52 
53 /*
54  * If new service types are added, they should be named in
55  * pam_framework.c::pam_snames[] as well.
56  */
57 
/* keywords accepted in the service-type column of pam.conf */
#define	PAM_ACCOUNT_NAME	"account"
#define	PAM_AUTH_NAME		"auth"
#define	PAM_PASSWORD_NAME	"password"
#define	PAM_SESSION_NAME	"session"

/*
 * Numeric service types.  They are used as the second index of
 * pam_handle.pam_conf_info[][PAM_NUM_MODULE_TYPES], so they must stay
 * dense in 0..PAM_NUM_MODULE_TYPES-1; bump PAM_NUM_MODULE_TYPES when
 * adding one.
 */
#define	PAM_ACCOUNT_MODULE	0
#define	PAM_AUTH_MODULE		1
#define	PAM_PASSWORD_MODULE	2
#define	PAM_SESSION_MODULE	3

#define	PAM_NUM_MODULE_TYPES	4
69 
70 /* Control Flags */
71 
/* keywords accepted in the control-flag column of pam.conf */
#define	PAM_BINDING_NAME	"binding"
#define	PAM_INCLUDE_NAME	"include"
#define	PAM_OPTIONAL_NAME	"optional"
#define	PAM_REQUIRED_NAME	"required"
#define	PAM_REQUISITE_NAME	"requisite"
#define	PAM_SUFFICIENT_NAME	"sufficient"

/*
 * Control flags are single bits so a pamtab_t.pam_flag value can be
 * tested with a mask.  A new flag must take an unused bit.
 */
#define	PAM_BINDING	0x01
#define	PAM_INCLUDE	0x02
#define	PAM_OPTIONAL	0x04
#define	PAM_REQUIRED	0x08
#define	PAM_REQUISITE	0x10
#define	PAM_SUFFICIENT	0x20

/* composite values: "binding" combined with the flag it qualifies */
#define	PAM_REQRD_BIND	(PAM_REQUIRED | PAM_BINDING)
#define	PAM_SUFFI_BIND	(PAM_SUFFICIENT | PAM_BINDING)
88 
89 /* Function Indicators */
90 
/*
 * Function indicators: identify which PAM entry point a request is for.
 * Presumably used by the dispatcher to select the matching pam_sm_*
 * pointer in the *_module structs below -- confirm in pam_framework.c.
 * These are ordinals starting at 1, not bit flags.
 */
#define	PAM_AUTHENTICATE	1
#define	PAM_SETCRED		2
#define	PAM_ACCT_MGMT		3
#define	PAM_OPEN_SESSION	4
#define	PAM_CLOSE_SESSION	5
#define	PAM_CHAUTHTOK		6
97 
98 /* PAM tracing */
99 
/*
 * Tracing configuration.  PAM_DEBUG names the file that presumably
 * enables tracing; LOG_PRIORITY, LOG_FACILITY and DEBUG_FLAGS look like
 * the "key=" prefixes parsed from it -- confirm in pam_framework.c.
 * NOTE(review): if so, write access to that file is a trust boundary,
 * since it can switch on PAM_DEBUG_AUTHTOK.
 */
#define	PAM_DEBUG	"/etc/pam_debug"
#define	LOG_PRIORITY	"log_priority="
#define	LOG_FACILITY	"log_facility="
#define	DEBUG_FLAGS	"debug_flags="
/* PAM_DEBUG_* are bit flags and may be OR'ed together */
#define	PAM_DEBUG_NONE		0x0000
#define	PAM_DEBUG_DEFAULT	0x0001
#define	PAM_DEBUG_ITEM		0x0002
#define	PAM_DEBUG_MODULE	0x0004
#define	PAM_DEBUG_CONF		0x0008
#define	PAM_DEBUG_DATA		0x0010
#define	PAM_DEBUG_CONV		0x0020
/*
 * Kept far from the other bits: by its name this presumably traces
 * authentication tokens in the clear, so it must never be folded into a
 * contiguous "everything" mask.
 */
#define	PAM_DEBUG_AUTHTOK	0x8000

#define	PAM_MAX_ITEMS		64	/* Max number of items; sizes pam_handle.ps_item[] */
#define	PAM_MAX_INCLUDE		32	/* Max include flag recursions; sizes pam_handle.pam_conf_*[] */
115 
/*
 * Symbol names of the service-module entry points.  Presumably resolved
 * in a dlopen'd module (see fd_list.mh) and stored in the *_module
 * structs below -- confirm in pam_framework.c.  They must match the
 * pam_sm_* functions every module exports.
 */

/* authentication module functions */
#define	PAM_SM_AUTHENTICATE	"pam_sm_authenticate"
#define	PAM_SM_SETCRED		"pam_sm_setcred"

/* session module functions */
#define	PAM_SM_OPEN_SESSION	"pam_sm_open_session"
#define	PAM_SM_CLOSE_SESSION	"pam_sm_close_session"

/* password module functions */
#define	PAM_SM_CHAUTHTOK		"pam_sm_chauthtok"

/* account module functions */
#define	PAM_SM_ACCT_MGMT		"pam_sm_acct_mgmt"
129 
130 /*
131  * Definitions shared by passwd.c and the UNIX module
132  */
133 
/*
 * Password-repository selectors shared by passwd.c and the UNIX module.
 * These are bit flags.  Note that PAM_OPWCMD (0x08) sits between
 * PAM_REP_NISPLUS (0x04) and PAM_REP_LDAP (0x10) in the same flag space,
 * so a new repository bit must not reuse 0x08.
 */
#define	PAM_REP_DEFAULT	0x0
#define	PAM_REP_FILES	0x01
#define	PAM_REP_NIS	0x02
#define	PAM_REP_NISPLUS	0x04
#define	PAM_REP_LDAP	0x10
#define	PAM_OPWCMD	0x08	/* for nispasswd, yppasswd */

/* max # of authentication token attributes */
#define	PAM_MAX_NUM_ATTR	10

/* max size (in chars) of an authentication token attribute */
#define	PAM_MAX_ATTR_SIZE	80
146 
147 /* utility function prototypes */
148 
/* source values for the "source" argument of __pam_get_authtok() */
#define	PAM_PROMPT	1	/* prompt user for new password */
#define	PAM_HANDLE	2	/* get password from pam handle (item) */
152 
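/*
 * PAM_MAX_RESP_SIZE is not defined in this header; it is expected from
 * the public PAM header the includer pulls in first.  PASS_MAX must be
 * strictly smaller -- presumably so a maximal password plus its NUL
 * terminator fits in a conversation response buffer (confirm).  The
 * diagnostic text now states the condition actually tested.
 */
#if	PASS_MAX >= PAM_MAX_RESP_SIZE
#error	PASS_MAX >= PAM_MAX_RESP_SIZE
#endif	/* PASS_MAX >= PAM_MAX_RESP_SIZE */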
156 
/**
 * Obtain an authentication token.
 *
 * @param pamh    PAM handle.
 * @param source  PAM_PROMPT (ask the user) or PAM_HANDLE (take the token
 *                already stored as a pam item).
 * @param type    item type to read or store -- presumably one of the
 *                public PAM item identifiers; confirm in the definition.
 * @param prompt  text shown to the user when source is PAM_PROMPT.
 * @param authtok receives the token.  Ownership is not stated here;
 *                NOTE(review): the caller presumably frees it, and since
 *                it is a secret should scrub it first -- confirm.
 * @return a PAM status code (presumably; confirm in the definition).
 */
extern int
__pam_get_authtok(pam_handle_t *pamh, int source, int type, char *prompt,
    char **authtok);

/**
 * Deliver messages through the application's conversation function.
 *
 * @param pamh      PAM handle.
 * @param msg_style message style for the conversation.
 * @param num_msg   number of rows of @p messages in use; must not exceed
 *                  PAM_MAX_NUM_MSG, the array bound.
 * @param messages  fixed-size message table; rows are presumably treated
 *                  as C strings, so each must be NUL-terminated within
 *                  PAM_MAX_MSG_SIZE.
 * @param conv_apdp application data pointer handed through to the
 *                  conversation (presumably; confirm).
 * @return a PAM status code.
 */
extern int
__pam_display_msg(pam_handle_t *pamh, int msg_style, int num_msg,
    char messages[PAM_MAX_NUM_MSG][PAM_MAX_MSG_SIZE], void *conv_apdp);

/**
 * Log a framework message.
 *
 * @param priority log priority (presumably a syslog LOG_* value).
 * @param format   printf-style format string.  Always pass a literal
 *                 here and supply any user-controlled text (user names,
 *                 service names) as a "%s" argument, never as the format.
 */
extern void
__pam_log(int priority, const char *format, ...);
167 
168 /* file handle for pam.conf */
struct pam_fh {
	int	fconfig;	/* file descriptor returned by open() */
	char    line[256];	/* current pam.conf line; NOTE(review): fixed */
				/* 256-byte buffer -- confirm the reader bounds */
				/* every copy into it */
	size_t  bufsize;	/* size of the buffer which holds */
				/* the content of pam.conf */
	char   *bufferp;	/* used to process data	*/
				/* (presumably a cursor into data -- confirm) */
	char   *data;		/* contents of pam.conf	*/
};
177 
178 /* items that can be set/retrieved thru pam_[sg]et_item() */
struct	pam_item {
	void	*pi_addr;	/* pointer to item */
	int	pi_size;	/* size of item; NOTE(review): signed -- */
				/* setters must reject negative sizes */
};
183 
184 /* module specific data stored in the pam handle */
struct pam_module_data {
	char *module_data_name;		/* unique module data name */
	void *data;			/* the module specific data */
	/*
	 * Release hook given the data and a PAM status; presumably run
	 * when the entry is replaced or the handle is torn down -- confirm.
	 */
	void (*cleanup)(pam_handle_t *pamh, void *data, int pam_status);
	struct pam_module_data *next;	/* pointer to next module data */
};
191 
192 /* each entry from pam.conf is stored here (in the pam handle) */
typedef struct pamtab {
	char	*pam_service;	/* PAM service, e.g. login, rlogin */
	int	pam_type;	/* AUTH, ACCOUNT, PASSWORD, SESSION */
	int	pam_flag;	/* required, optional, sufficient */
	char	*module_path;	/* module library */
	int	module_argc;	/* module specific options */
	char	**module_argv;	/* module_argc option strings from pam.conf */
	void	*function_ptr;	/* pointer to struct holding function ptrs */
				/* (one of the *_module structs below, */
				/* chosen by pam_type) */
	struct pamtab *next;	/* next entry of the same type, or NULL */
} pamtab_t;
203 
204 /* list of open fd's (modules that were dlopen'd) */
typedef struct fd_list {
	void *mh;		/* module handle (from dlopen(), not a */
				/* file descriptor despite the type name) */
	struct fd_list *next;
} fd_list;
209 
/* list of PAM environment variables */
typedef struct env_list {
	char *name;		/* variable name */
	char *value;		/* variable value */
				/* (ownership of both strings is not stated */
				/* here -- confirm in the set/free code) */
	struct env_list *next;
} env_list;
216 
217 /* pam_inmodule values for pam item checking */
/* legal values of pam_handle.pam_inmodule; they are ordinals, not bits */
#define	RW_OK	0	/* Read Write items OK */
#define	RO_OK	1	/* Read Only items OK */
#define	WO_OK	2	/* Write Only items/data OK */
221 
222 /* the pam handle */
struct pam_handle {
	struct  pam_item ps_item[PAM_MAX_ITEMS];	/* array of PAM items */
						/* (index by item type, */
						/* must be < PAM_MAX_ITEMS) */
	/*
	 * Current nesting of "include" processing.  The three pam_conf_*
	 * arrays below have PAM_MAX_INCLUDE+1 slots, so any code that
	 * indexes them with include_depth must keep it <= PAM_MAX_INCLUDE.
	 */
	int	include_depth;
	int	pam_inmodule;	/* Protect restricted pam_get_item calls */
				/* (RW_OK, RO_OK or WO_OK) */
	char	*pam_conf_name[PAM_MAX_INCLUDE+1];	/* config name per depth */
	pamtab_t *pam_conf_info[PAM_MAX_INCLUDE+1][PAM_NUM_MODULE_TYPES];
						/* entries per depth and type */
	pamtab_t *pam_conf_modulep[PAM_MAX_INCLUDE+1];	/* per-depth list head */
	struct	pam_module_data *ssd;		/* module specific data */
	fd_list *fd;				/* module fd's */
	env_list *pam_env;			/* environment variables */

	/*
	 * XXX -- Contracted Consolidation Private
	 *	  to be eliminated when dtlogin contract is terminated
	 * Version number requested by PAM's client
	 */
	char	*pam_client_message_version_number;
};
241 
242 /*
243  * the function_ptr field in pamtab_t
244  * will point to one of these modules
245  */
/* entry points of an "auth" module; argv carries the pam.conf options */
struct auth_module {
	int	(*pam_sm_authenticate)(pam_handle_t *pamh, int flags, int argc,
		    const char **argv);
	int	(*pam_sm_setcred)(pam_handle_t *pamh, int flags, int argc,
		    const char **argv);
};
252 
/* entry point of a "password" module; argv carries the pam.conf options */
struct password_module {
	int	(*pam_sm_chauthtok)(pam_handle_t *pamh, int flags, int argc,
		    const char **argv);
};
257 
/* entry points of a "session" module; argv carries the pam.conf options */
struct session_module {
	int	(*pam_sm_open_session)(pam_handle_t *pamh, int flags, int argc,
		    const char **argv);
	int	(*pam_sm_close_session)(pam_handle_t *pamh, int flags, int argc,
		    const char **argv);
};
264 
/* entry point of an "account" module; argv carries the pam.conf options */
struct account_module {
	int	(*pam_sm_acct_mgmt)(pam_handle_t *pamh, int flags, int argc,
		    const char **argv);
};
269 
270 #ifdef __cplusplus
271 }
272 #endif
273 
274 #endif	/* _PAM_IMPL_H */
275