1*7c478bd9Sstevel@tonic-gate /*
2*7c478bd9Sstevel@tonic-gate * CDDL HEADER START
3*7c478bd9Sstevel@tonic-gate *
4*7c478bd9Sstevel@tonic-gate * The contents of this file are subject to the terms of the
5*7c478bd9Sstevel@tonic-gate * Common Development and Distribution License, Version 1.0 only
6*7c478bd9Sstevel@tonic-gate * (the "License"). You may not use this file except in compliance
7*7c478bd9Sstevel@tonic-gate * with the License.
8*7c478bd9Sstevel@tonic-gate *
9*7c478bd9Sstevel@tonic-gate * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
10*7c478bd9Sstevel@tonic-gate * or http://www.opensolaris.org/os/licensing.
11*7c478bd9Sstevel@tonic-gate * See the License for the specific language governing permissions
12*7c478bd9Sstevel@tonic-gate * and limitations under the License.
13*7c478bd9Sstevel@tonic-gate *
14*7c478bd9Sstevel@tonic-gate * When distributing Covered Code, include this CDDL HEADER in each
15*7c478bd9Sstevel@tonic-gate * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
16*7c478bd9Sstevel@tonic-gate * If applicable, add the following below this CDDL HEADER, with the
17*7c478bd9Sstevel@tonic-gate * fields enclosed by brackets "[]" replaced with your own identifying
18*7c478bd9Sstevel@tonic-gate * information: Portions Copyright [yyyy] [name of copyright owner]
19*7c478bd9Sstevel@tonic-gate *
20*7c478bd9Sstevel@tonic-gate * CDDL HEADER END
21*7c478bd9Sstevel@tonic-gate */
22*7c478bd9Sstevel@tonic-gate /*
23*7c478bd9Sstevel@tonic-gate * Copyright 2003 Sun Microsystems, Inc. All rights reserved.
24*7c478bd9Sstevel@tonic-gate * Use is subject to license terms.
25*7c478bd9Sstevel@tonic-gate */
26*7c478bd9Sstevel@tonic-gate
27*7c478bd9Sstevel@tonic-gate #include <security/pam_appl.h>
28*7c478bd9Sstevel@tonic-gate #include <security/pam_modules.h>
29*7c478bd9Sstevel@tonic-gate #include <string.h>
30*7c478bd9Sstevel@tonic-gate #include <stdio.h>
31*7c478bd9Sstevel@tonic-gate #include <stdlib.h>
32*7c478bd9Sstevel@tonic-gate #include <sys/types.h>
33*7c478bd9Sstevel@tonic-gate #include <pwd.h>
34*7c478bd9Sstevel@tonic-gate #include <syslog.h>
35*7c478bd9Sstevel@tonic-gate #include <libintl.h>
36*7c478bd9Sstevel@tonic-gate
37*7c478bd9Sstevel@tonic-gate #include "sample_utils.h"
38*7c478bd9Sstevel@tonic-gate
39*7c478bd9Sstevel@tonic-gate /*
40*7c478bd9Sstevel@tonic-gate *
41*7c478bd9Sstevel@tonic-gate * Sample module for pam_sm_authenticate.
42*7c478bd9Sstevel@tonic-gate *
43*7c478bd9Sstevel@tonic-gate * options -
44*7c478bd9Sstevel@tonic-gate *
45*7c478bd9Sstevel@tonic-gate * debug
46*7c478bd9Sstevel@tonic-gate * use_first_pass
47*7c478bd9Sstevel@tonic-gate * try_first_pass
48*7c478bd9Sstevel@tonic-gate * first_pass_good (first password is always good when used with use/try)
49*7c478bd9Sstevel@tonic-gate * first_pass_bad (first password is always bad when used with use/try)
50*7c478bd9Sstevel@tonic-gate * pass=foobar (set good password to "foobar". default good password
51*7c478bd9Sstevel@tonic-gate * is test)
52*7c478bd9Sstevel@tonic-gate * always_fail always return PAM_AUTH_ERR
53*7c478bd9Sstevel@tonic-gate * always_succeed always return PAM_SUCCESS
54*7c478bd9Sstevel@tonic-gate * always_ignore
55*7c478bd9Sstevel@tonic-gate *
56*7c478bd9Sstevel@tonic-gate *
57*7c478bd9Sstevel@tonic-gate */
58*7c478bd9Sstevel@tonic-gate
59*7c478bd9Sstevel@tonic-gate /*
60*7c478bd9Sstevel@tonic-gate * pam_sm_authenticate - Authenticate user
61*7c478bd9Sstevel@tonic-gate */
62*7c478bd9Sstevel@tonic-gate /*ARGSUSED*/
63*7c478bd9Sstevel@tonic-gate int
pam_sm_authenticate(pam_handle_t * pamh,int flags,int argc,const char ** argv)64*7c478bd9Sstevel@tonic-gate pam_sm_authenticate(
65*7c478bd9Sstevel@tonic-gate pam_handle_t *pamh,
66*7c478bd9Sstevel@tonic-gate int flags,
67*7c478bd9Sstevel@tonic-gate int argc,
68*7c478bd9Sstevel@tonic-gate const char **argv)
69*7c478bd9Sstevel@tonic-gate {
70*7c478bd9Sstevel@tonic-gate char *user;
71*7c478bd9Sstevel@tonic-gate struct pam_conv *pam_convp;
72*7c478bd9Sstevel@tonic-gate int err, result = PAM_AUTH_ERR;
73*7c478bd9Sstevel@tonic-gate struct pam_response *ret_resp = (struct pam_response *)0;
74*7c478bd9Sstevel@tonic-gate char messages[PAM_MAX_NUM_MSG][PAM_MAX_MSG_SIZE];
75*7c478bd9Sstevel@tonic-gate int debug = 0;
76*7c478bd9Sstevel@tonic-gate int try_first_pass = 0;
77*7c478bd9Sstevel@tonic-gate int use_first_pass = 0;
78*7c478bd9Sstevel@tonic-gate int first_pass_good = 0;
79*7c478bd9Sstevel@tonic-gate int first_pass_bad = 0;
80*7c478bd9Sstevel@tonic-gate int i, num_msg;
81*7c478bd9Sstevel@tonic-gate char *firstpass, *password;
82*7c478bd9Sstevel@tonic-gate char the_password[64];
83*7c478bd9Sstevel@tonic-gate
84*7c478bd9Sstevel@tonic-gate if (debug)
85*7c478bd9Sstevel@tonic-gate syslog(LOG_DEBUG, "Sample Authentication\n");
86*7c478bd9Sstevel@tonic-gate
87*7c478bd9Sstevel@tonic-gate (void) strcpy(the_password, "test");
88*7c478bd9Sstevel@tonic-gate
89*7c478bd9Sstevel@tonic-gate for (i = 0; i < argc; i++) {
90*7c478bd9Sstevel@tonic-gate if (strcmp(argv[i], "debug") == 0)
91*7c478bd9Sstevel@tonic-gate debug = 1;
92*7c478bd9Sstevel@tonic-gate else if (strcmp(argv[i], "try_first_pass") == 0)
93*7c478bd9Sstevel@tonic-gate try_first_pass = 1;
94*7c478bd9Sstevel@tonic-gate else if (strcmp(argv[i], "first_pass_good") == 0)
95*7c478bd9Sstevel@tonic-gate first_pass_good = 1;
96*7c478bd9Sstevel@tonic-gate else if (strcmp(argv[i], "first_pass_bad") == 0)
97*7c478bd9Sstevel@tonic-gate first_pass_bad = 1;
98*7c478bd9Sstevel@tonic-gate else if (strcmp(argv[i], "use_first_pass") == 0)
99*7c478bd9Sstevel@tonic-gate use_first_pass = 1;
100*7c478bd9Sstevel@tonic-gate else if (strcmp(argv[i], "always_fail") == 0)
101*7c478bd9Sstevel@tonic-gate return (PAM_AUTH_ERR);
102*7c478bd9Sstevel@tonic-gate else if (strcmp(argv[i], "always_succeed") == 0)
103*7c478bd9Sstevel@tonic-gate return (PAM_SUCCESS);
104*7c478bd9Sstevel@tonic-gate else if (strcmp(argv[i], "always_ignore") == 0)
105*7c478bd9Sstevel@tonic-gate return (PAM_IGNORE);
106*7c478bd9Sstevel@tonic-gate else if (sscanf(argv[i], "pass=%64s", the_password) == 1) {
107*7c478bd9Sstevel@tonic-gate /*EMPTY*/;
108*7c478bd9Sstevel@tonic-gate }
109*7c478bd9Sstevel@tonic-gate else
110*7c478bd9Sstevel@tonic-gate syslog(LOG_DEBUG, "illegal scheme option %s", argv[i]);
111*7c478bd9Sstevel@tonic-gate }
112*7c478bd9Sstevel@tonic-gate
113*7c478bd9Sstevel@tonic-gate err = pam_get_user(pamh, &user, NULL);
114*7c478bd9Sstevel@tonic-gate if (err != PAM_SUCCESS)
115*7c478bd9Sstevel@tonic-gate return (err);
116*7c478bd9Sstevel@tonic-gate
117*7c478bd9Sstevel@tonic-gate err = pam_get_item(pamh, PAM_CONV, (void**) &pam_convp);
118*7c478bd9Sstevel@tonic-gate if (err != PAM_SUCCESS)
119*7c478bd9Sstevel@tonic-gate return (err);
120*7c478bd9Sstevel@tonic-gate
121*7c478bd9Sstevel@tonic-gate (void) pam_get_item(pamh, PAM_AUTHTOK, (void **) &firstpass);
122*7c478bd9Sstevel@tonic-gate
123*7c478bd9Sstevel@tonic-gate if (firstpass && (use_first_pass || try_first_pass)) {
124*7c478bd9Sstevel@tonic-gate
125*7c478bd9Sstevel@tonic-gate if ((first_pass_good ||
126*7c478bd9Sstevel@tonic-gate strncmp(firstpass, the_password,
127*7c478bd9Sstevel@tonic-gate strlen(the_password)) == 0) &&
128*7c478bd9Sstevel@tonic-gate !first_pass_bad) {
129*7c478bd9Sstevel@tonic-gate result = PAM_SUCCESS;
130*7c478bd9Sstevel@tonic-gate goto out;
131*7c478bd9Sstevel@tonic-gate }
132*7c478bd9Sstevel@tonic-gate if (use_first_pass) goto out;
133*7c478bd9Sstevel@tonic-gate }
134*7c478bd9Sstevel@tonic-gate
135*7c478bd9Sstevel@tonic-gate /*
136*7c478bd9Sstevel@tonic-gate * Get the password from the user
137*7c478bd9Sstevel@tonic-gate */
138*7c478bd9Sstevel@tonic-gate if (firstpass) {
139*7c478bd9Sstevel@tonic-gate (void) snprintf(messages[0], sizeof (messages[0]),
140*7c478bd9Sstevel@tonic-gate dgettext(TEXT_DOMAIN, "TEST Password: "));
141*7c478bd9Sstevel@tonic-gate } else {
142*7c478bd9Sstevel@tonic-gate (void) snprintf(messages[0], sizeof (messages[0]),
143*7c478bd9Sstevel@tonic-gate dgettext(TEXT_DOMAIN, "Password: "));
144*7c478bd9Sstevel@tonic-gate }
145*7c478bd9Sstevel@tonic-gate num_msg = 1;
146*7c478bd9Sstevel@tonic-gate err = __get_authtok(pam_convp->conv,
147*7c478bd9Sstevel@tonic-gate num_msg, messages, NULL, &ret_resp);
148*7c478bd9Sstevel@tonic-gate
149*7c478bd9Sstevel@tonic-gate if (err != PAM_SUCCESS) {
150*7c478bd9Sstevel@tonic-gate result = err;
151*7c478bd9Sstevel@tonic-gate goto out;
152*7c478bd9Sstevel@tonic-gate }
153*7c478bd9Sstevel@tonic-gate
154*7c478bd9Sstevel@tonic-gate password = ret_resp->resp;
155*7c478bd9Sstevel@tonic-gate
156*7c478bd9Sstevel@tonic-gate if (password == NULL) {
157*7c478bd9Sstevel@tonic-gate result = PAM_AUTH_ERR;
158*7c478bd9Sstevel@tonic-gate goto out;
159*7c478bd9Sstevel@tonic-gate }
160*7c478bd9Sstevel@tonic-gate
161*7c478bd9Sstevel@tonic-gate /* one last ditch attempt to "login" to TEST */
162*7c478bd9Sstevel@tonic-gate
163*7c478bd9Sstevel@tonic-gate if (strncmp(password, the_password, strlen(the_password)) == 0) {
164*7c478bd9Sstevel@tonic-gate result = PAM_SUCCESS;
165*7c478bd9Sstevel@tonic-gate if (firstpass == NULL) {
166*7c478bd9Sstevel@tonic-gate /* this is the first password, stash it away */
167*7c478bd9Sstevel@tonic-gate (void) pam_set_item(pamh, PAM_AUTHTOK, password);
168*7c478bd9Sstevel@tonic-gate }
169*7c478bd9Sstevel@tonic-gate }
170*7c478bd9Sstevel@tonic-gate
171*7c478bd9Sstevel@tonic-gate out:
172*7c478bd9Sstevel@tonic-gate if (num_msg > 0) {
173*7c478bd9Sstevel@tonic-gate if (ret_resp != 0) {
174*7c478bd9Sstevel@tonic-gate if (ret_resp->resp != 0) {
175*7c478bd9Sstevel@tonic-gate /* avoid leaving password cleartext around */
176*7c478bd9Sstevel@tonic-gate (void) memset(ret_resp->resp, 0,
177*7c478bd9Sstevel@tonic-gate strlen(ret_resp->resp));
178*7c478bd9Sstevel@tonic-gate }
179*7c478bd9Sstevel@tonic-gate __free_resp(num_msg, ret_resp);
180*7c478bd9Sstevel@tonic-gate ret_resp = 0;
181*7c478bd9Sstevel@tonic-gate }
182*7c478bd9Sstevel@tonic-gate }
183*7c478bd9Sstevel@tonic-gate
184*7c478bd9Sstevel@tonic-gate return (result);
185*7c478bd9Sstevel@tonic-gate }
186