mirror of
git://git.gnu.org.ua/pam-modules.git
synced 2025-04-28 17:39:52 +03:00
cf0527845d
(regex): Made const git-svn-id: file:///svnroot/pam-modules/trunk@21 56984be4-0537-0410-a56c-fcb268c96130
306 lines
6.9 KiB
C
306 lines
6.9 KiB
C
/* This file is part of pam-modules.
|
|
* Copyright (C) 2001 Sergey Poznyakoff
|
|
*
|
|
* This program is free software; you can redistribute it and/or modify
|
|
* it under the terms of the GNU General Public License as published by
|
|
* the Free Software Foundation; either version 2 of the License, or
|
|
* (at your option) any later version.
|
|
*
|
|
* This program is distributed in the hope that it will be useful,
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
* GNU General Public License for more details.
|
|
*
|
|
* You should have received a copy of the GNU General Public License
|
|
* along with this program; if not, write to the Free Software
|
|
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
|
|
* MA 02110-1301 USA
|
|
*/
|
|
|
|
#if defined(HAVE_CONFIG_H)
|
|
# include <config.h>
|
|
#endif
|
|
#ifdef HAVE__PAM_ACONF_H
|
|
#include <security/_pam_aconf.h>
|
|
#endif
|
|
|
|
#include <stdio.h>
|
|
#include <stdlib.h>
|
|
#include <stdarg.h>
|
|
#include <string.h>
|
|
#include <unistd.h>
|
|
#include <ctype.h>
|
|
#include <syslog.h>
|
|
#include <errno.h>
|
|
#include <regex.h>
|
|
|
|
/* indicate the following groups are defined */
|
|
#define PAM_SM_AUTH
|
|
|
|
#ifndef LINUX_PAM
|
|
#include <security/pam_appl.h>
|
|
#endif /* LINUX_PAM */
|
|
#include <security/pam_modules.h>
|
|
|
|
#ifndef PAM_CONV_AGAIN
|
|
# define PAM_CONV_AGAIN PAM_TRY_AGAIN
|
|
#endif
|
|
#ifndef PAM_AUTHTOK_RECOVER_ERR
|
|
# define PAM_AUTHTOK_RECOVER_ERR PAM_AUTHTOK_RECOVERY_ERR
|
|
#endif
|
|
#ifndef PAM_EXTERN
|
|
# define PAM_EXTERN
|
|
#endif
|
|
|
|
#define PAM_OVERWRITE(s) \
|
|
do { \
|
|
register char *p; \
|
|
if ((p = s) != NULL) \
|
|
while (*p) *p++ = 0; \
|
|
} while (0)
|
|
|
|
#define PAM_DROP_REPLY(reply, nrepl) \
|
|
do { \
|
|
int i; \
|
|
for (i=0; i<nrepl; i++) { \
|
|
PAM_OVERWRITE(reply[i].resp); \
|
|
free(reply[i].resp); \
|
|
} \
|
|
if (reply) \
|
|
free(reply); \
|
|
} while (0)
|
|
|
|
static void
|
|
_pam_delete(char *x)
|
|
{
|
|
PAM_OVERWRITE(x);
|
|
free(x);
|
|
}
|
|
|
|
static void
|
|
_cleanup_string(pam_handle_t *pamh, void *x, int error_status)
|
|
{
|
|
_pam_delete(x);
|
|
}
|
|
|
|
/* logging */
|
|
static void
|
|
_pam_vlog(int err, const char *format, va_list args)
|
|
{
|
|
openlog("pam_regex", LOG_CONS|LOG_PID, LOG_AUTH);
|
|
vsyslog(err, format, args);
|
|
closelog();
|
|
}
|
|
|
|
static void
|
|
_pam_log(int err, const char *format, ...)
|
|
{
|
|
va_list args;
|
|
|
|
va_start(args, format);
|
|
_pam_vlog(err, format, args);
|
|
va_end(args);
|
|
}
|
|
|
|
static void
|
|
_pam_debug(char *format, ...)
|
|
{
|
|
va_list args;
|
|
|
|
va_start(args, format);
|
|
_pam_vlog(LOG_DEBUG, format, args);
|
|
va_end(args);
|
|
}
|
|
|
|
#define CNTL_DEBUG 0x0001
|
|
#define CNTL_AUDIT 0x0002
|
|
#define CNTL_AUTHTOK 0x0004
|
|
#define CNTL_WAITDEBUG 0x0008
|
|
#define CNTL_SENSE_DENY 0x0010
|
|
#define CNTL_REGEX_FLAGS 0x0020
|
|
|
|
#define CNTL_DEBUG_LEV() (cntl_flags>>16)
|
|
#define CNTL_SET_DEBUG_LEV(cntl,n) (cntl |= ((n)<<16))
|
|
|
|
static int cntl_flags;
|
|
static const char *regex = NULL;
|
|
static int regex_flags = REG_NOSUB;
|
|
|
|
#define DEBUG(m,c) if (CNTL_DEBUG_LEV()>=(m)) _pam_debug c
|
|
#define AUDIT(c) if (cntl_flags&CNTL_AUDIT) _pam_debug c
|
|
|
|
#define XSTRDUP(s) (s) ? strdup(s) : NULL
|
|
|
|
static void
|
|
make_str(pam_handle_t *pamh, const char *str, const char *name, char **ret)
|
|
{
|
|
int retval;
|
|
char *newstr = XSTRDUP(str);
|
|
|
|
retval = pam_set_data(pamh, name, (void *)newstr, _cleanup_string);
|
|
if (retval != PAM_SUCCESS) {
|
|
_pam_log(LOG_CRIT,
|
|
"can't keep data [%s]: %s",
|
|
name,
|
|
pam_strerror(pamh, retval));
|
|
_pam_delete(newstr);
|
|
} else {
|
|
*ret = newstr;
|
|
newstr = NULL;
|
|
}
|
|
}
|
|
|
|
#define MAKE_STR(pamh, str, var) \
|
|
make_str(pamh,str,#var,&var)
|
|
|
|
static void
|
|
_pam_parse(pam_handle_t *pamh, int argc, const char **argv)
|
|
{
|
|
int ctrl=0;
|
|
|
|
/* step through arguments */
|
|
for (ctrl=0; argc-- > 0; ++argv) {
|
|
|
|
/* generic options */
|
|
|
|
if (!strncmp(*argv,"debug",5)) {
|
|
ctrl |= CNTL_DEBUG;
|
|
if ((*argv)[5] == '=')
|
|
CNTL_SET_DEBUG_LEV(ctrl,atoi(*argv+6));
|
|
else
|
|
CNTL_SET_DEBUG_LEV(ctrl,1);
|
|
} else if (!strcmp(*argv,"audit"))
|
|
ctrl |= CNTL_AUDIT;
|
|
else if (!strcmp(*argv,"waitdebug"))
|
|
ctrl |= CNTL_WAITDEBUG;
|
|
else if (!strcmp(*argv,"use_authtok"))
|
|
ctrl |= CNTL_AUTHTOK;
|
|
else if (!strncmp(*argv,"sense=",6)) {
|
|
if (strcmp(*argv+6,"deny") == 0)
|
|
ctrl |= CNTL_SENSE_DENY;
|
|
else if (strcmp(*argv+6,"allow"))
|
|
_pam_log(LOG_ERR,"unknown sense value: %s",
|
|
*argv+6);
|
|
} else if (!strncmp(*argv,"regex=",6))
|
|
regex = *argv + 6;
|
|
else if (!strcmp(*argv,"extended")) {
|
|
regex_flags |= REG_EXTENDED;
|
|
ctrl |= CNTL_REGEX_FLAGS;
|
|
} else if (!strcmp(*argv,"basic")) {
|
|
regex_flags &= ~REG_EXTENDED;
|
|
ctrl |= CNTL_REGEX_FLAGS;
|
|
} else if (!strcmp(*argv,"icase")) {
|
|
regex_flags |= REG_ICASE;
|
|
ctrl |= CNTL_REGEX_FLAGS;
|
|
} else if (!strcmp(*argv,"case")) {
|
|
regex_flags &= ~REG_ICASE;
|
|
ctrl |= CNTL_REGEX_FLAGS;
|
|
} else {
|
|
_pam_log(LOG_ERR,"pam_parse: unknown option; %s",*argv);
|
|
}
|
|
}
|
|
if (!regex)
|
|
_pam_log(LOG_ERR,"pam_parse: regex not sepcified");
|
|
if (!ctrl & CNTL_REGEX_FLAGS)
|
|
regex_flags |= REG_EXTENDED;
|
|
cntl_flags = ctrl;
|
|
}
|
|
|
|
/*
|
|
* PAM framework looks for these entry-points to pass control to the
|
|
* authentication module.
|
|
*/
|
|
|
|
/* Fun starts here :)
|
|
|
|
* pam_sm_authenticate() performs RADIUS authentication
|
|
*
|
|
*/
|
|
|
|
PAM_EXTERN int
|
|
pam_sm_authenticate(pam_handle_t *pamh,
|
|
int flags,
|
|
int argc,
|
|
const char **argv)
|
|
{
|
|
int retval;
|
|
char *name;
|
|
char *password;
|
|
regex_t rx;
|
|
|
|
_pam_parse(pamh, argc, argv);
|
|
|
|
#ifdef DEBUG_MODE
|
|
if (cntl_flags & CNTL_WAITDEBUG) {
|
|
_pam_log(LOG_CRIT, "WAITING FOR DEBUG AT %s:%d",
|
|
__FILE__, __LINE__);
|
|
retval = 0;
|
|
while (!retval)
|
|
retval=retval;
|
|
}
|
|
#endif
|
|
DEBUG(100,("enter pam_sm_authenticate"));
|
|
|
|
if (!regex)
|
|
return PAM_AUTHINFO_UNAVAIL;
|
|
|
|
for (;;) {
|
|
|
|
/*
|
|
* get username
|
|
*/
|
|
retval = pam_get_user(pamh, (const char**)&name, "login: ");
|
|
if (retval == PAM_SUCCESS) {
|
|
DEBUG(10, ("username [%s] obtained", name));
|
|
} else {
|
|
_pam_log(LOG_NOTICE, "can't get username");
|
|
break;
|
|
}
|
|
|
|
if (regcomp(&rx, regex, regex_flags)) {
|
|
_pam_log(LOG_NOTICE, "can't compile regex: %s", regex);
|
|
retval = PAM_AUTHINFO_UNAVAIL;
|
|
break;
|
|
}
|
|
|
|
retval = regexec(&rx, name, 0, NULL, 0);
|
|
if (retval) {
|
|
DEBUG(1,("%s does not match %s",name,regex));
|
|
}
|
|
if (cntl_flags & CNTL_SENSE_DENY)
|
|
retval = !retval;
|
|
if (retval) {
|
|
_pam_log(LOG_NOTICE, "rejecting %s", name);
|
|
retval = PAM_AUTH_ERR;
|
|
} else
|
|
retval = PAM_SUCCESS;
|
|
break;
|
|
}
|
|
|
|
DEBUG(100,("exit pam_sm_authenticate: %d", retval));
|
|
return retval;
|
|
}
|
|
|
|
PAM_EXTERN int
|
|
pam_sm_setcred(pam_handle_t *pamh,
|
|
int flags,
|
|
int argc,
|
|
const char **argv)
|
|
{
|
|
return PAM_SUCCESS;
|
|
}
|
|
|
|
#ifdef PAM_STATIC
|
|
|
|
struct pam_module _pam_radius_modstruct = {
|
|
"pam_radius", /* name of the module */
|
|
pam_sm_authenticate,
|
|
pam_sm_setcred,
|
|
NULL,
|
|
NULL,
|
|
NULL,
|
|
NULL
|
|
};
|
|
|
|
#endif
|
|
|