1 /*
2 * CDDL HEADER START
3 *
4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License, Version 1.0 only
6 * (the "License"). You may not use this file except in compliance
7 * with the License.
8 *
9 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
10 * or http://www.opensolaris.org/os/licensing.
11 * See the License for the specific language governing permissions
12 * and limitations under the License.
13 *
14 * When distributing Covered Code, include this CDDL HEADER in each
15 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
16 * If applicable, add the following below this CDDL HEADER, with the
17 * fields enclosed by brackets "[]" replaced with your own identifying
18 * information: Portions Copyright [yyyy] [name of copyright owner]
19 *
20 * CDDL HEADER END
21 */
22 /*
23 * Copyright 2003 Sun Microsystems, Inc. All rights reserved.
24 * Use is subject to license terms.
25 */
26
27 #include <security/pam_appl.h>
28 #include <security/pam_modules.h>
29 #include <string.h>
30 #include <stdio.h>
31 #include <stdlib.h>
32 #include <sys/types.h>
33 #include <pwd.h>
34 #include <syslog.h>
35 #include <libintl.h>
36
37 #include "sample_utils.h"
38
39 /*
40 *
41 * Sample module for pam_sm_authenticate.
42 *
43 * options -
44 *
45 * debug
46 * use_first_pass
47 * try_first_pass
48 * first_pass_good (first password is always good when used with use/try)
49 * first_pass_bad (first password is always bad when used with use/try)
50 * pass=foobar (set good password to "foobar". default good password
51 * is test)
52 * always_fail always return PAM_AUTH_ERR
53 * always_succeed always return PAM_SUCCESS
54 * always_ignore
55 *
56 *
57 */
58
59 /*
60 * pam_sm_authenticate - Authenticate user
61 */
62 /*ARGSUSED*/
63 int
pam_sm_authenticate(pam_handle_t * pamh,int flags,int argc,const char ** argv)64 pam_sm_authenticate(
65 pam_handle_t *pamh,
66 int flags,
67 int argc,
68 const char **argv)
69 {
70 char *user;
71 struct pam_conv *pam_convp;
72 int err, result = PAM_AUTH_ERR;
73 struct pam_response *ret_resp = (struct pam_response *)0;
74 char messages[PAM_MAX_NUM_MSG][PAM_MAX_MSG_SIZE];
75 int debug = 0;
76 int try_first_pass = 0;
77 int use_first_pass = 0;
78 int first_pass_good = 0;
79 int first_pass_bad = 0;
80 int i, num_msg;
81 char *firstpass, *password;
82 char the_password[64];
83
84 if (debug)
85 syslog(LOG_DEBUG, "Sample Authentication\n");
86
87 (void) strcpy(the_password, "test");
88
89 for (i = 0; i < argc; i++) {
90 if (strcmp(argv[i], "debug") == 0)
91 debug = 1;
92 else if (strcmp(argv[i], "try_first_pass") == 0)
93 try_first_pass = 1;
94 else if (strcmp(argv[i], "first_pass_good") == 0)
95 first_pass_good = 1;
96 else if (strcmp(argv[i], "first_pass_bad") == 0)
97 first_pass_bad = 1;
98 else if (strcmp(argv[i], "use_first_pass") == 0)
99 use_first_pass = 1;
100 else if (strcmp(argv[i], "always_fail") == 0)
101 return (PAM_AUTH_ERR);
102 else if (strcmp(argv[i], "always_succeed") == 0)
103 return (PAM_SUCCESS);
104 else if (strcmp(argv[i], "always_ignore") == 0)
105 return (PAM_IGNORE);
106 else if (sscanf(argv[i], "pass=%64s", the_password) == 1) {
107 /*EMPTY*/;
108 }
109 else
110 syslog(LOG_DEBUG, "illegal scheme option %s", argv[i]);
111 }
112
113 err = pam_get_user(pamh, &user, NULL);
114 if (err != PAM_SUCCESS)
115 return (err);
116
117 err = pam_get_item(pamh, PAM_CONV, (void**) &pam_convp);
118 if (err != PAM_SUCCESS)
119 return (err);
120
121 (void) pam_get_item(pamh, PAM_AUTHTOK, (void **) &firstpass);
122
123 if (firstpass && (use_first_pass || try_first_pass)) {
124
125 if ((first_pass_good ||
126 strncmp(firstpass, the_password,
127 strlen(the_password)) == 0) &&
128 !first_pass_bad) {
129 result = PAM_SUCCESS;
130 goto out;
131 }
132 if (use_first_pass) goto out;
133 }
134
135 /*
136 * Get the password from the user
137 */
138 if (firstpass) {
139 (void) snprintf(messages[0], sizeof (messages[0]),
140 dgettext(TEXT_DOMAIN, "TEST Password: "));
141 } else {
142 (void) snprintf(messages[0], sizeof (messages[0]),
143 dgettext(TEXT_DOMAIN, "Password: "));
144 }
145 num_msg = 1;
146 err = __get_authtok(pam_convp->conv,
147 num_msg, messages, NULL, &ret_resp);
148
149 if (err != PAM_SUCCESS) {
150 result = err;
151 goto out;
152 }
153
154 password = ret_resp->resp;
155
156 if (password == NULL) {
157 result = PAM_AUTH_ERR;
158 goto out;
159 }
160
161 /* one last ditch attempt to "login" to TEST */
162
163 if (strncmp(password, the_password, strlen(the_password)) == 0) {
164 result = PAM_SUCCESS;
165 if (firstpass == NULL) {
166 /* this is the first password, stash it away */
167 (void) pam_set_item(pamh, PAM_AUTHTOK, password);
168 }
169 }
170
171 out:
172 if (num_msg > 0) {
173 if (ret_resp != 0) {
174 if (ret_resp->resp != 0) {
175 /* avoid leaving password cleartext around */
176 (void) memset(ret_resp->resp, 0,
177 strlen(ret_resp->resp));
178 }
179 __free_resp(num_msg, ret_resp);
180 ret_resp = 0;
181 }
182 }
183
184 return (result);
185 }
186