/*
pam.c - pam module functions
Copyright (C) 2009 Howard Chu
Copyright (C) 2009 Arthur de Jong
This library is free software; you can redistribute it and/or
modify it under the terms of the GNU Lesser General Public
License as published by the Free Software Foundation; either
version 2.1 of the License, or (at your option) any later version.
This library is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
Lesser General Public License for more details.
You should have received a copy of the GNU Lesser General Public
License along with this library; if not, write to the Free Software
Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
02110-1301 USA
*/
/*
WARNING: this code is under development and the details of the protocol
may change between releases.
*/
#include "config.h"
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#include <syslog.h>
#include "nss/common.h"
#include "compat/attrs.h"
/* these are defined (before including pam_modules.h) for staticly linking */
#define PAM_SM_AUTH
#define PAM_SM_ACCOUNT
#define PAM_SM_SESSION
#define PAM_SM_PASSWORD
#ifndef HAVE_PAM_PAM_MODULES_H
#include <security/pam_modules.h>
#else
#include <pam/pam_modules.h>
#endif
#define CONST_ARG const
#define IGNORE_UNKNOWN 1
#define IGNORE_UNAVAIL 2
#define PLD_CTX "PAM_LDAPD_CTX"
#define NSS2PAM_RC(rc,ignore,ok) \
switch(rc) { \
case NSS_STATUS_SUCCESS: \
rc = ok; break; \
case NSS_STATUS_UNAVAIL: \
rc = (ignore & IGNORE_UNAVAIL) ? PAM_IGNORE : PAM_AUTHINFO_UNAVAIL; \
break; \
case NSS_STATUS_NOTFOUND: \
rc = (ignore & IGNORE_UNKNOWN) ? PAM_IGNORE: PAM_USER_UNKNOWN; \
break; \
default: \
rc = PAM_SYSTEM_ERR; break; \
}
typedef struct pld_ctx {
char *user;
char *dn;
char *tmpluser;
char *authzmsg;
char *oldpw;
int authok;
int authz;
int sessid;
char buf[1024];
} pld_ctx;
static int nslcd2pam_rc(int rc)
{
#define map(i) case NSLCD_##i : rc = i; break
switch(rc) {
map(PAM_SUCCESS);
map(PAM_PERM_DENIED);
map(PAM_AUTH_ERR);
map(PAM_CRED_INSUFFICIENT);
map(PAM_AUTHINFO_UNAVAIL);
map(PAM_USER_UNKNOWN);
map(PAM_MAXTRIES);
map(PAM_NEW_AUTHTOK_REQD);
map(PAM_ACCT_EXPIRED);
map(PAM_SESSION_ERR);
map(PAM_AUTHTOK_DISABLE_AGING);
map(PAM_IGNORE);
map(PAM_ABORT);
default: rc = PAM_ABORT; break;
}
return rc;
}
static void pam_clr_ctx(
pld_ctx *ctx)
{
if (ctx->user) {
free(ctx->user);
ctx->user = NULL;
}
if (ctx->oldpw) {
memset(ctx->oldpw,0,strlen(ctx->oldpw));
free(ctx->oldpw);
ctx->oldpw = NULL;
}
ctx->dn = NULL;
ctx->tmpluser = NULL;
ctx->authzmsg = NULL;
ctx->authok = 0;
ctx->authz = 0;
}
static void pam_del_ctx(
pam_handle_t *UNUSED(pamh), void *data, int UNUSED(err))
{
pld_ctx *ctx = data;
pam_clr_ctx(ctx);
free(ctx);
}
static int pam_get_ctx(
pam_handle_t *pamh, const char *user, pld_ctx **pctx)
{
pld_ctx *ctx = NULL;
int rc;
if (pam_get_data(pamh, PLD_CTX, (CONST_ARG void **)&ctx) == PAM_SUCCESS) {
if (ctx->user && strcmp(ctx->user, user)) {
pam_clr_ctx(ctx);
}
rc = PAM_SUCCESS;
}
if (!ctx) {
ctx = calloc(1, sizeof(*ctx));
if (!ctx)
return PAM_BUF_ERR;
rc = pam_set_data(pamh, PLD_CTX, ctx, pam_del_ctx);
if (rc != PAM_SUCCESS)
pam_del_ctx(pamh, ctx, 0);
}
if (rc == PAM_SUCCESS)
*pctx = ctx;
return rc;
}
static int pam_get_authtok(
pam_handle_t *pamh, int flags, char *prompt1, char *prompt2, char **pwd)
{
int rc;
char *p;
struct pam_message msg[1], *pmsg[1];
struct pam_response *resp;
struct pam_conv *conv;
*pwd = NULL;
rc = pam_get_item (pamh, PAM_CONV, (CONST_ARG void **) &conv);
if (rc == PAM_SUCCESS) {
pmsg[0] = &msg[0];
msg[0].msg_style = PAM_PROMPT_ECHO_OFF;
msg[0].msg = prompt1;
resp = NULL;
rc = conv->conv (1,
(CONST_ARG struct pam_message **) pmsg,
&resp, conv->appdata_ptr);
} else {
return rc;
}
if (resp != NULL) {
if ((flags & PAM_DISALLOW_NULL_AUTHTOK) && resp[0].resp == NULL)
{
free (resp);
return PAM_AUTH_ERR;
}
p = resp[0].resp;
resp[0].resp = NULL;
free (resp);
} else {
return PAM_CONV_ERR;
}
if (prompt2) {
msg[0].msg = prompt2;
resp = NULL;
rc = conv->conv (1,
(CONST_ARG struct pam_message **) pmsg,
&resp, conv->appdata_ptr);
if (resp && resp[0].resp && !strcmp(resp[0].resp, p))
rc = PAM_SUCCESS;
else
rc = PAM_AUTHTOK_RECOVERY_ERR;
if (resp) {
if (resp[0].resp) {
(void) memset(resp[0].resp, 0, strlen(resp[0].resp));
free(resp[0].resp);
}
free(resp);
}
}
if (rc == PAM_SUCCESS)
*pwd = p;
else if (p) {
memset(p, 0, strlen(p));
free(p);
}
return rc;
}
static enum nss_status pam_read_authc(
TFILE *fp,pld_ctx *ctx,int *errnop)
{
char *buffer = ctx->buf;
size_t buflen = sizeof(ctx->buf);
size_t bufptr = 0;
int32_t tmpint32;
READ_STRING_BUF(fp,ctx->tmpluser);
READ_STRING_BUF(fp,ctx->dn);
READ_INT32(fp,ctx->authok);
READ_INT32(fp,ctx->authz);
READ_STRING_BUF(fp,ctx->authzmsg);
ctx->authok = nslcd2pam_rc(ctx->authok);
ctx->authz = nslcd2pam_rc(ctx->authz);
return NSS_STATUS_SUCCESS;
}
static enum nss_status pam_do_authc(
pld_ctx *ctx, const char *user, const char *svc,const char *pwd,int *errnop)
{
NSS_BYGEN(NSLCD_ACTION_PAM_AUTHC,
WRITE_STRING(fp,user);
WRITE_STRING(fp,ctx->dn);
WRITE_STRING(fp,svc);
WRITE_STRING(fp,pwd),
pam_read_authc(fp,ctx,errnop));
}
#define USE_FIRST 1
#define TRY_FIRST 2
#define USE_TOKEN 4
int pam_sm_authenticate(
pam_handle_t *pamh, int flags, int argc, const char **argv)
{
int err, rc;
const char *username, *svc;
char *p = NULL;
int first_pass = 0, ignore_flags = 0;
int i;
pld_ctx *ctx;
for (i = 0; i < argc; i++) {
if (!strcmp (argv[i], "use_first_pass"))
first_pass |= USE_FIRST;
else if (!strcmp (argv[i], "try_first_pass"))
first_pass |= TRY_FIRST;
else if (!strcmp (argv[i], "ignore_unknown_user"))
ignore_flags |= IGNORE_UNKNOWN;
else if (!strcmp (argv[i], "ignore_authinfo_unavail"))
ignore_flags |= IGNORE_UNAVAIL;
else if (!strcmp (argv[i], "no_warn"))
;
else if (!strcmp (argv[i], "debug"))
;
else
syslog (LOG_ERR, "illegal option %s", argv[i]);
}
rc = pam_get_user (pamh, (CONST_ARG char **) &username, NULL);
if (rc != PAM_SUCCESS)
return rc;
rc = pam_get_ctx(pamh, username, &ctx);
if (rc != PAM_SUCCESS)
return rc;
rc = pam_get_item (pamh, PAM_SERVICE, (CONST_ARG void **) &svc);
if (rc != PAM_SUCCESS)
return rc;
for (i=0;i<2;i++) {
if (!first_pass) {
rc = pam_get_authtok(pamh, flags, i ? "LDAP Password: " :
"Password: ", NULL, &p);
i = 2;
if (rc == PAM_SUCCESS) {
pam_set_item(pamh, PAM_AUTHTOK, p);
memset(p, 0, strlen(p));
free(p);
} else {
break;
}
}
rc = pam_get_item (pamh, PAM_AUTHTOK, (CONST_ARG void **) &p);
if (rc == PAM_SUCCESS) {
rc = pam_do_authc(ctx, username, svc, p, &err);
NSS2PAM_RC(rc, ignore_flags, ctx->authok);
}
if (rc == PAM_SUCCESS || (first_pass & USE_FIRST)) {
break;
}
first_pass = 0;
}
if (rc == PAM_SUCCESS) {
ctx->user = strdup(username);
if (ctx->authz == PAM_NEW_AUTHTOK_REQD)
ctx->oldpw = strdup(p);
}
/* update caller's idea of the user name */
if ( (rc==PAM_SUCCESS) && ctx->tmpluser && ctx->tmpluser[0] &&
(strcmp(ctx->tmpluser,username)!=0) ) {
rc = pam_set_item(pamh, PAM_USER, ctx->tmpluser);
}
return rc;
}
int pam_sm_setcred(
pam_handle_t *pamh, int flags, int argc, const char **argv)
{
return PAM_SUCCESS;
}
static int
pam_warn(
struct pam_conv *aconv, const char *message, int style, int no_warn)
{
struct pam_message msg, *pmsg;
struct pam_response *resp;
if (no_warn)
return PAM_SUCCESS;
pmsg = &msg;
msg.msg_style = style;
msg.msg = (char *) message;
resp = NULL;
return aconv->conv (1,
(CONST_ARG struct pam_message **) &pmsg,
&resp, aconv->appdata_ptr);
}
static enum nss_status pam_read_authz(
TFILE *fp,pld_ctx *ctx,int *errnop)
{
char *buffer = ctx->buf;
size_t buflen = sizeof(ctx->buf);
size_t bufptr = 0;
int32_t tmpint32;
READ_STRING_BUF(fp,ctx->tmpluser);
READ_STRING_BUF(fp,ctx->dn);
READ_INT32(fp,ctx->authz);
READ_STRING_BUF(fp,ctx->authzmsg);
ctx->authz = nslcd2pam_rc(ctx->authz);
return NSS_STATUS_SUCCESS;
}
static enum nss_status pam_do_authz(
pld_ctx *ctx,const char *username,const char *svc,int *errnop)
{
NSS_BYGEN(NSLCD_ACTION_PAM_AUTHZ,
WRITE_STRING(fp,username);
WRITE_STRING(fp,ctx->dn);
WRITE_STRING(fp,svc),
pam_read_authz(fp,ctx,errnop));
}
int pam_sm_acct_mgmt(
pam_handle_t *pamh, int flags, int argc, const char **argv)
{
int rc, err;
const char *username, *svc;
int no_warn = 0, ignore_flags = 0;
int i;
struct pam_conv *appconv;
pld_ctx *ctx = NULL, ctx2;
for (i = 0; i < argc; i++)
{
if (!strcmp (argv[i], "use_first_pass"))
;
else if (!strcmp (argv[i], "try_first_pass"))
;
else if (!strcmp (argv[i], "no_warn"))
no_warn = 1;
else if (!strcmp (argv[i], "ignore_unknown_user"))
ignore_flags |= IGNORE_UNKNOWN;
else if (!strcmp (argv[i], "ignore_authinfo_unavail"))
ignore_flags |= IGNORE_UNAVAIL;
else if (!strcmp (argv[i], "debug"))
;
else
syslog (LOG_ERR, "illegal option %s", argv[i]);
}
if (flags & PAM_SILENT)
no_warn = 1;
rc = pam_get_item (pamh, PAM_CONV, (CONST_ARG void **) &appconv);
if (rc != PAM_SUCCESS)
return rc;
rc = pam_get_user (pamh, (CONST_ARG char **) &username, NULL);
if (rc != PAM_SUCCESS)
return rc;
if (username == NULL)
return PAM_USER_UNKNOWN;
rc = pam_get_ctx(pamh, username, &ctx);
if (rc != PAM_SUCCESS)
return rc;
rc = pam_get_item (pamh, PAM_SERVICE, (CONST_ARG void **) &svc);
if (rc != PAM_SUCCESS)
return rc;
ctx2.dn = ctx->dn;
ctx2.user = ctx->user;
rc = pam_do_authz(&ctx2, username, svc, &err);
NSS2PAM_RC(rc, ignore_flags, PAM_SUCCESS);
if (rc != PAM_SUCCESS) {
if (rc != PAM_IGNORE)
pam_warn(appconv, "LDAP authorization failed", PAM_ERROR_MSG, no_warn);
} else {
if (ctx2.authzmsg && ctx2.authzmsg[0])
pam_warn(appconv, ctx2.authzmsg, PAM_TEXT_INFO, no_warn);
if (ctx2.authz == PAM_SUCCESS) {
rc = ctx->authz;
if (ctx->authzmsg && ctx->authzmsg[0])
pam_warn(appconv, ctx->authzmsg, PAM_TEXT_INFO, no_warn);
}
}
/* update caller's idea of the user name */
if ( (rc==PAM_SUCCESS) && ctx->tmpluser && ctx->tmpluser[0] &&
(strcmp(ctx->tmpluser,username)!=0) ) {
rc = pam_set_item(pamh, PAM_USER, ctx->tmpluser);
}
return rc;
}
static enum nss_status pam_read_sess(
TFILE *fp,pld_ctx *ctx,int *errnop)
{
int tmpint32;
READ_INT32(fp,ctx->sessid);
return NSS_STATUS_SUCCESS;
}
static enum nss_status pam_do_sess(
pam_handle_t *pamh,pld_ctx *ctx,int action,int *errnop)
{
const char *svc = NULL, *tty = NULL, *rhost = NULL, *ruser = NULL;
pam_get_item (pamh, PAM_SERVICE, (CONST_ARG void **) &svc);
pam_get_item (pamh, PAM_TTY, (CONST_ARG void **) &tty);
pam_get_item (pamh, PAM_RHOST, (CONST_ARG void **) &rhost);
pam_get_item (pamh, PAM_RUSER, (CONST_ARG void **) &ruser);
{
NSS_BYGEN(action,
WRITE_STRING(fp,ctx->user);
WRITE_STRING(fp,ctx->dn);
WRITE_STRING(fp,svc);
WRITE_STRING(fp,tty);
WRITE_STRING(fp,rhost);
WRITE_STRING(fp,ruser);
WRITE_INT32(fp,ctx->sessid),
pam_read_sess(fp,ctx,errnop));
}
}
static int pam_sm_session(
pam_handle_t *pamh, int flags, int argc, const char **argv,
int action, int *no_warn)
{
int rc, err;
const char *username;
int ignore_flags = 0;
int i, success = PAM_SUCCESS;
pld_ctx *ctx = NULL;
for (i = 0; i < argc; i++)
{
if (!strcmp (argv[i], "use_first_pass"))
;
else if (!strcmp (argv[i], "try_first_pass"))
;
else if (!strcmp (argv[i], "no_warn"))
*no_warn = 1;
else if (!strcmp (argv[i], "ignore_unknown_user"))
ignore_flags |= IGNORE_UNKNOWN;
else if (!strcmp (argv[i], "ignore_authinfo_unavail"))
ignore_flags |= IGNORE_UNAVAIL;
else if (!strcmp (argv[i], "debug"))
;
else
syslog (LOG_ERR, "illegal option %s", argv[i]);
}
if (flags & PAM_SILENT)
*no_warn = 1;
rc = pam_get_user (pamh, (CONST_ARG char **) &username, NULL);
if (rc != PAM_SUCCESS)
return rc;
if (username == NULL)
return PAM_USER_UNKNOWN;
rc = pam_get_ctx(pamh, username, &ctx);
if (rc != PAM_SUCCESS)
return rc;
rc = pam_do_sess(pamh, ctx, action, &err);
NSS2PAM_RC(rc, ignore_flags, PAM_SUCCESS);
return rc;
}
int pam_sm_open_session(
pam_handle_t *pamh, int flags, int argc, const char **argv)
{
int rc, no_warn = 0;
struct pam_conv *appconv;
rc = pam_get_item (pamh, PAM_CONV, (CONST_ARG void **) &appconv);
if (rc != PAM_SUCCESS)
return rc;
rc = pam_sm_session(pamh,flags,argc,argv,NSLCD_ACTION_PAM_SESS_O,&no_warn);
if (rc != PAM_SUCCESS && rc != PAM_IGNORE)
pam_warn(appconv, "LDAP open_session failed", PAM_ERROR_MSG, no_warn);
return rc;
}
int pam_sm_close_session(
pam_handle_t *pamh, int flags, int argc, const char **argv)
{
int rc, no_warn = 0;;
struct pam_conv *appconv;
rc = pam_get_item (pamh, PAM_CONV, (CONST_ARG void **) &appconv);
if (rc != PAM_SUCCESS)
return rc;
rc = pam_sm_session(pamh,flags,argc,argv,NSLCD_ACTION_PAM_SESS_C,&no_warn);
if (rc != PAM_SUCCESS && rc != PAM_IGNORE)
pam_warn(appconv, "LDAP close_session failed", PAM_ERROR_MSG, no_warn);
return rc;
}
static enum nss_status pam_read_pwmod(
TFILE *fp,pld_ctx *ctx,int *errnop)
{
char *buffer = ctx->buf, *user;
size_t buflen = sizeof(ctx->buf);
size_t bufptr = 0;
int32_t tmpint32;
READ_STRING_BUF(fp,ctx->tmpluser);
READ_STRING_BUF(fp,ctx->dn);
READ_INT32(fp,ctx->authz);
READ_STRING_BUF(fp,ctx->authzmsg);
ctx->authz = nslcd2pam_rc(ctx->authz);
return NSS_STATUS_SUCCESS;
}
static enum nss_status pam_do_pwmod(
pld_ctx *ctx, const char *user, const char *svc,
const char *oldpw, const char *newpw, int *errnop)
{
NSS_BYGEN(NSLCD_ACTION_PAM_PWMOD,
WRITE_STRING(fp,user);
WRITE_STRING(fp,ctx->dn);
WRITE_STRING(fp,svc);
WRITE_STRING(fp,oldpw);
WRITE_STRING(fp,newpw),
pam_read_pwmod(fp,ctx,errnop));
}
int pam_sm_chauthtok(
pam_handle_t *pamh, int flags, int argc, const char **argv)
{
int rc, err;
const char *username, *p = NULL, *q = NULL, *svc;
int first_pass = 0, no_warn = 0, ignore_flags = 0;
int i, success = PAM_SUCCESS;
struct pam_conv *appconv;
pld_ctx *ctx = NULL;
for (i = 0; i < argc; i++)
{
if (!strcmp (argv[i], "use_first_pass"))
first_pass |= USE_FIRST;
else if (!strcmp (argv[i], "try_first_pass"))
first_pass |= TRY_FIRST;
else if (!strcmp (argv[i], "use_authtok"))
first_pass |= USE_TOKEN;
else if (!strcmp (argv[i], "no_warn"))
no_warn = 1;
else if (!strcmp (argv[i], "ignore_unknown_user"))
ignore_flags |= IGNORE_UNKNOWN;
else if (!strcmp (argv[i], "ignore_authinfo_unavail"))
ignore_flags |= IGNORE_UNAVAIL;
else if (!strcmp (argv[i], "debug"))
;
else
syslog (LOG_ERR, "illegal option %s", argv[i]);
}
if (flags & PAM_SILENT)
no_warn = 1;
rc = pam_get_item (pamh, PAM_CONV, (CONST_ARG void **) &appconv);
if (rc != PAM_SUCCESS)
return rc;
rc = pam_get_user (pamh, (CONST_ARG char **) &username, NULL);
if (rc != PAM_SUCCESS)
return rc;
if (username == NULL)
return PAM_USER_UNKNOWN;
rc = pam_get_ctx(pamh, username, &ctx);
if (rc != PAM_SUCCESS)
return rc;
rc = pam_get_item (pamh, PAM_SERVICE, (CONST_ARG void **) &svc);
if (rc != PAM_SUCCESS)
return rc;
if (flags & PAM_PRELIM_CHECK) {
if (getuid()) {
if (!first_pass) {
rc = pam_get_authtok(pamh, flags, "(current) LDAP Password: ",
NULL, &p);
if (rc == PAM_SUCCESS) {
pam_set_item(pamh, PAM_OLDAUTHTOK, p);
memset(p, 0, strlen(p));
free(p);
}
}
rc = pam_get_item(pamh, PAM_OLDAUTHTOK, &p);
if (rc) return rc;
} else {
rc = PAM_SUCCESS;
}
if (!ctx->dn) {
rc = pam_do_pwmod(ctx, username, svc, p, NULL, &err);
NSS2PAM_RC(rc, ignore_flags, PAM_SUCCESS);
}
return rc;
}
rc = pam_get_item(pamh, PAM_OLDAUTHTOK, &p);
if (rc) return rc;
if (!p)
p = ctx->oldpw;
if (first_pass) {
rc = pam_get_item(pamh, PAM_AUTHTOK, &q);
if ((rc != PAM_SUCCESS || !q) && (first_pass & (USE_FIRST|USE_TOKEN))) {
if (rc == PAM_SUCCESS)
rc = PAM_AUTHTOK_RECOVERY_ERR;
return rc;
}
}
if (!q) {
rc = pam_get_authtok(pamh, flags, "Enter new LDAP Password: ",
"Retype new LDAP Password: ", &q);
if (rc == PAM_SUCCESS) {
pam_set_item(pamh, PAM_AUTHTOK, q);
memset(q, 0, strlen(q));
free(q);
rc = pam_get_item(pamh, PAM_AUTHTOK, &q);
}
if (rc != PAM_SUCCESS)
return rc;
}
rc = pam_do_pwmod(ctx, username, svc, p, q, &err);
p = NULL; q = NULL;
NSS2PAM_RC(rc, ignore_flags, PAM_SUCCESS);
if (rc == PAM_SUCCESS) {
rc = ctx->authz;
if (rc != PAM_SUCCESS)
pam_warn(appconv, ctx->authzmsg, PAM_ERROR_MSG, no_warn);
} else if (rc != PAM_IGNORE)
pam_warn(appconv, "LDAP pwmod failed", PAM_ERROR_MSG, no_warn);
return rc;
}
#ifdef PAM_STATIC
struct pam_module _pam_ldap_modstruct = {
"pam_ldap",
pam_sm_authenticate,
pam_sm_setcred,
pam_sm_acct_mgmt,
pam_sm_open_session,
pam_sm_close_session,
pam_sm_chauthtok
};
#endif /* PAM_STATIC */