/*
 * CDDL HEADER START
 *
 * The contents of this file are subject to the terms of the
 * Common Development and Distribution License, Version 1.0 only
 * (the "License").  You may not use this file except in compliance
 * with the License.
 *
 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
 * or http://www.opensolaris.org/os/licensing.
 * See the License for the specific language governing permissions
 * and limitations under the License.
 *
 * When distributing Covered Code, include this CDDL HEADER in each
 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
 * If applicable, add the following below this CDDL HEADER, with the
 * fields enclosed by brackets "[]" replaced with your own identifying
 * information: Portions Copyright [yyyy] [name of copyright owner]
 *
 * CDDL HEADER END
 */
/*
 * Copyright 2003 Sun Microsystems, Inc.  All rights reserved.
 * Use is subject to license terms.
 */

#pragma ident	"%Z%%M%	%I%	%E% SMI"

#include <security/pam_appl.h>
#include <security/pam_modules.h>
#include <string.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <pwd.h>
#include <syslog.h>
#include <libintl.h>

#include "sample_utils.h"

/*
 *
 * Sample module for pam_sm_authenticate.
 *
 * options -
 *
 * debug
 * use_first_pass
 * try_first_pass
 * first_pass_good (first password is always good when used with use/try)
 * first_pass_bad  (first password is always bad when used with use/try)
 * pass=foobar     (set good password to "foobar".
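 *                  default good password is test)
 * always_fail     always return PAM_AUTH_ERR
 * always_succeed  always return PAM_SUCCESS
 * always_ignore   always return PAM_IGNORE
 *
 */

/*
 * wipe_secret - zero a NUL-terminated secret in place.
 *
 * The stores go through a volatile pointer so the compiler cannot treat
 * them as dead: a plain memset() issued right before the buffer is freed
 * is exactly the pattern optimizers are allowed to drop.  NULL is a no-op.
 */
static void
wipe_secret(char *s)
{
	volatile char *vp = (volatile char *)s;

	if (s == NULL)
		return;
	while (*vp != '\0')
		*vp++ = '\0';
}

/*
 * authtok_matches - exact comparison of a supplied token with the good one.
 *
 * Deliberately strcmp() and not strncmp(given, good, strlen(good)): the
 * length-bounded form is a prefix test and accepts any token that merely
 * begins with the good password.  Returns non-zero on an exact match and
 * 0 on mismatch or when either argument is NULL.
 */
static int
authtok_matches(const char *given, const char *good)
{
	if (given == NULL || good == NULL)
		return (0);
	return (strcmp(given, good) == 0);
}

/*
 * pam_sm_authenticate - Authenticate user
 *
 * pamh	PAM handle.  PAM_CONV and PAM_AUTHTOK are read from it; after a
 *	successful prompt with no prior token, PAM_AUTHTOK is set from the
 *	response.
 * flags	not used by this sample module.
 * argc/argv	module options from the PAM configuration (listed above).
 *
 * Returns PAM_SUCCESS when the token equals the good password (default
 * "test", overridable with pass=), PAM_AUTH_ERR on mismatch or an empty
 * response, PAM_IGNORE for always_ignore, PAM_SYSTEM_ERR when no
 * conversation function is available, or the error reported by
 * pam_get_user(), pam_get_item() or __get_authtok().
 *
 * The conversation response is zeroed before it is released so the
 * cleartext token does not linger on the heap.
 */
/*ARGSUSED*/
int
pam_sm_authenticate(
	pam_handle_t *pamh,
	int flags,
	int argc,
	const char **argv)
{
	char *user = NULL;
	struct pam_conv *pam_convp = NULL;
	int err, result = PAM_AUTH_ERR;
	struct pam_response *ret_resp = NULL;
	char messages[PAM_MAX_NUM_MSG][PAM_MAX_MSG_SIZE];
	int debug = 0;
	int try_first_pass = 0;
	int use_first_pass = 0;
	int first_pass_good = 0;
	int first_pass_bad = 0;
	int i;
	int num_msg = 0;	/* read at out:, so it must be set before any goto */
	char *firstpass = NULL;	/* stays NULL if the PAM_AUTHTOK lookup fails */
	char *password;
	char the_password[64] = "test";

	for (i = 0; i < argc; i++) {
		if (strcmp(argv[i], "debug") == 0)
			debug = 1;
		else if (strcmp(argv[i], "try_first_pass") == 0)
			try_first_pass = 1;
		else if (strcmp(argv[i], "first_pass_good") == 0)
			first_pass_good = 1;
		else if (strcmp(argv[i], "first_pass_bad") == 0)
			first_pass_bad = 1;
		else if (strcmp(argv[i], "use_first_pass") == 0)
			use_first_pass = 1;
		else if (strcmp(argv[i], "always_fail") == 0)
			return (PAM_AUTH_ERR);
		else if (strcmp(argv[i], "always_succeed") == 0)
			return (PAM_SUCCESS);
		else if (strcmp(argv[i], "always_ignore") == 0)
			return (PAM_IGNORE);
		else if (sscanf(argv[i], "pass=%63s", the_password) == 1) {
			/*
			 * Field width is sizeof (the_password) - 1: %s stores
			 * the field plus a terminating NUL, so %64s could write
			 * 65 bytes into the 64-byte buffer.
			 */
			/*EMPTY*/;
		} else {
			syslog(LOG_DEBUG, "illegal scheme option %s", argv[i]);
		}
	}

	/* only meaningful after the options have been parsed */
	if (debug)
		syslog(LOG_DEBUG, "Sample Authentication\n");

	/*
	 * The user name is not consulted here; the call is kept so that a
	 * user is established (and any error surfaced) before prompting.
	 */
	err = pam_get_user(pamh, &user, NULL);
	if (err != PAM_SUCCESS)
		return (err);

	err = pam_get_item(pamh, PAM_CONV, (void **)&pam_convp);
	if (err != PAM_SUCCESS)
		return (err);
	/* without a conversation function there is no way to prompt */
	if (pam_convp == NULL || pam_convp->conv == NULL)
		return (PAM_SYSTEM_ERR);

	(void) pam_get_item(pamh, PAM_AUTHTOK, (void **)&firstpass);

	if (firstpass != NULL && (use_first_pass || try_first_pass)) {
		/*
		 * first_pass_good / first_pass_bad are test knobs that force
		 * the outcome of the stacked-token check; otherwise the check
		 * is an exact comparison with the good password.
		 */
		if (!first_pass_bad &&
		    (first_pass_good ||
		    authtok_matches(firstpass, the_password))) {
			result = PAM_SUCCESS;
			goto out;
		}
		/* use_first_pass never prompts; try_first_pass falls through */
		if (use_first_pass)
			goto out;
	}

	/*
	 * Get the password from the user.  The catalog string is passed as
	 * an argument, never as the format, so a '%' in a translation cannot
	 * be interpreted by snprintf().
	 */
	if (firstpass != NULL) {
		(void) snprintf(messages[0], sizeof (messages[0]), "%s",
		    dgettext(TEXT_DOMAIN, "TEST Password: "));
	} else {
		(void) snprintf(messages[0], sizeof (messages[0]), "%s",
		    dgettext(TEXT_DOMAIN, "Password: "));
	}
	num_msg = 1;
	err = __get_authtok(pam_convp->conv, num_msg, messages, NULL,
	    &ret_resp);
	if (err != PAM_SUCCESS) {
		result = err;
		goto out;
	}

	/* a success return with no response block still yields no token */
	password = (ret_resp != NULL) ? ret_resp->resp : NULL;
	if (password == NULL) {
		result = PAM_AUTH_ERR;
		goto out;
	}

	/* one last ditch attempt to "login" to TEST */
	if (authtok_matches(password, the_password)) {
		result = PAM_SUCCESS;
		if (firstpass == NULL) {
			/*
			 * this is the first password, stash it away
			 * NOTE(review): assumes pam_set_item() copies the
			 * token, since the response buffer is wiped below.
			 */
			(void) pam_set_item(pamh, PAM_AUTHTOK, password);
		}
	}

out:
	if (num_msg > 0 && ret_resp != NULL) {
		/* avoid leaving password cleartext around */
		wipe_secret(ret_resp->resp);
		__free_resp(num_msg, ret_resp);
		ret_resp = NULL;
	}

	return (result);
}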