2 * auth.c User authentication.
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 2 of the License, or
9 * (at your option) any later version.
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, write to the Free Software
18 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
20 * Copyright 2000 The FreeRADIUS server project
21 * Copyright 2000 Miquel von Smoorenburg <miquels@cistron.nl>
22 * Copyright 2000 Jeff Carneal <jeff@apex.net>
24 static const char rcsid[] = "$Id$";
27 #include "libradius.h"
38 # include <sys/security.h>
43 # include <netinet/in.h>
50 * Return a short string showing the terminal server, port
51 * and calling station ID.
53 char *auth_name(char *buf, size_t buflen, REQUEST *request, int do_cli)
59 if ((cli = pairfind(request->packet->vps, PW_CALLING_STATION_ID)) == NULL)
61 if ((pair = pairfind(request->packet->vps, PW_NAS_PORT_ID)) != NULL)
64 snprintf(buf, buflen, "from nas %.128s port %d%s%.128s",
65 nas_name2(request->packet), port,
66 (do_cli ? " cli " : ""), (do_cli ? (char *)cli->strvalue : ""));
73 * Check if account has expired, and if user may login now.
75 static int check_expiration(REQUEST *request)
78 VALUE_PAIR *check_item = request->config_items;
81 while (result == 0 && check_item != NULL) {
84 * Check expiration date if we are doing password aging.
86 if (check_item->attribute == PW_EXPIRATION) {
88 * Has this user's password expired?
90 * If so, remove ALL reply attributes,
91 * and add our own Reply-Message, saying
92 * why they're being rejected.
94 if (check_item->lvalue < (unsigned) time(NULL)) {
98 vp = pairmake("Reply-Message",
99 "Password Has Expired\r\n",
101 pairfree(&request->reply->vps);
102 request->reply->vps = vp;
106 check_item = check_item->next;
113 * Make sure user/pass are clean
116 static int rad_authlog(const char *msg, REQUEST *request, int goodpass) {
118 char clean_password[1024];
119 char clean_username[1024];
122 if (!mainconfig.log_auth)
126 * Clean up the username
128 if (!request->username) {
129 DEBUG2("rad_authlog: no username found");
133 if (request->username->strvalue) {
134 librad_safeprint((char *)request->username->strvalue,
135 request->username->length,
136 clean_username, sizeof(clean_username));
138 strcpy(clean_username, "<No Username>");
142 * Clean up the password
144 if (mainconfig.log_auth_badpass || mainconfig.log_auth_goodpass) {
145 if (!request->password) {
146 DEBUG2("rad_authlog: no password found");
150 if (request->password->attribute == PW_CHAP_PASSWORD) {
151 strcpy(clean_password, "<CHAP-Password>");
153 if (request->username->strvalue) {
154 librad_safeprint((char *)request->password->strvalue,
155 request->password->length,
156 clean_password, sizeof(clean_password));
158 strcpy(clean_password, "<No Password>");
164 radlog(L_AUTH, "%s: [%s%s%s] (%s)",
167 mainconfig.log_auth_goodpass ? "/" : "",
168 mainconfig.log_auth_goodpass ? clean_password : "",
169 auth_name(buf, sizeof(buf), request, 1));
171 radlog(L_AUTH, "%s: [%s%s%s] (%s)",
174 mainconfig.log_auth_badpass ? "/" : "",
175 mainconfig.log_auth_badpass ? clean_password : "",
176 auth_name(buf, sizeof(buf), request, 1));
187 * -2 Rejected (Auth-Type = Reject, send Port-Message back)
188 * 1 End check & return, don't reply
190 * NOTE: NOT the same as the RLM_ values !
192 int rad_check_password(REQUEST *request)
194 VALUE_PAIR *auth_type_pair;
195 VALUE_PAIR *cur_config_item;
196 VALUE_PAIR *password_pair;
197 VALUE_PAIR *auth_item;
198 char string[MAX_STRING_LEN];
201 int auth_type_count = 0;
205 * Look for matching check items. We skip the whole lot
206 * if the authentication type is PW_AUTHTYPE_ACCEPT or
207 * PW_AUTHTYPE_REJECT.
209 cur_config_item = request->config_items;
210 while(((auth_type_pair = pairfind(cur_config_item, PW_AUTHTYPE))) != NULL) {
211 auth_type = auth_type_pair->lvalue;
214 DEBUG2(" rad_check_password: Found auth-type %d", auth_type);
215 cur_config_item = auth_type_pair->next;
217 if (auth_type == PW_AUTHTYPE_REJECT) {
218 DEBUG2(" rad_check_password: Auth-Type = Reject, rejecting user");
223 if((auth_type_count>1) && (debug_flag)) {
224 radlog(L_ERR, "Warning: Found %d auth-types on request for user '%s'",
225 auth_type_count, request->username->strvalue);
229 * This means we have a proxy reply or an accept
230 * and it wasn't rejected in the above loop. So
231 * that means it is accepted and we do no further
234 if ((auth_type == PW_AUTHTYPE_ACCEPT) || (request->proxy)) {
235 DEBUG2(" rad_check_password: Auth-Type = Accept, accepting the user");
240 * Find the password sent by the user. It SHOULD be there,
241 * if it's not authentication fails.
243 * FIXME: add MS-CHAP support ?
245 auth_item = request->password;
246 if (auth_item == NULL) {
247 DEBUG2(" auth: No password in the request");
252 * Find the password from the users file.
254 if ((password_pair = pairfind(request->config_items, PW_CRYPT_PASSWORD)) != NULL)
255 auth_type = PW_AUTHTYPE_CRYPT;
257 password_pair = pairfind(request->config_items, PW_PASSWORD);
260 * For backward compatibility, we check the
261 * password to see if it is the magic value
262 * UNIX if auth_type was not set.
266 !strcmp((char *)password_pair->strvalue, "UNIX"))
267 auth_type = PW_AUTHTYPE_SYSTEM;
268 else if(password_pair &&
269 !strcmp((char *)password_pair->strvalue,"PAM"))
270 auth_type = PW_AUTHTYPE_PAM;
272 auth_type = PW_AUTHTYPE_LOCAL;
276 case PW_AUTHTYPE_CRYPT:
277 DEBUG2(" auth: Crypt");
278 if (password_pair == NULL) {
279 result = auth_item->strvalue ? -1 : 0;
282 if (strcmp((char *)password_pair->strvalue,
283 crypt((char *)auth_item->strvalue,
284 (char *)password_pair->strvalue)) != 0)
287 case PW_AUTHTYPE_LOCAL:
288 DEBUG2(" auth: Local");
290 * Local password is just plain text.
292 if (auth_item->attribute != PW_CHAP_PASSWORD) {
295 * Plain text password.
297 if (password_pair == NULL ||
298 strcmp((char *)password_pair->strvalue,
299 (char *)auth_item->strvalue)!=0)
305 * CHAP - calculate MD5 sum over CHAP-ID,
306 * plain-text password and the Chap-Challenge.
307 * Compare to Chap-Response (strvalue + 1).
309 if (password_pair == NULL) {
313 rad_chap_encode(request->packet, string,
314 auth_item->strvalue[0], password_pair);
319 if (memcmp(string + 1, auth_item->strvalue + 1,
320 CHAP_VALUE_LENGTH) != 0)
325 dict_valbyattr(PW_AUTHTYPE, auth_type)->name);
327 * See if there is a module that handles
328 * this type, and turn the RLM_ return
329 * status into the values as defined at
330 * the top of this function.
332 result = module_authenticate(auth_type, request);
335 * An authentication module FAIL
336 * return code, or any return code that
337 * is not expected from authentication,
338 * is the same as an explicit REJECT!
340 case RLM_MODULE_FAIL:
341 case RLM_MODULE_REJECT:
342 case RLM_MODULE_USERLOCK:
343 case RLM_MODULE_INVALID:
344 case RLM_MODULE_NOTFOUND:
345 case RLM_MODULE_NOOP:
346 case RLM_MODULE_UPDATED:
352 case RLM_MODULE_HANDLED:
363 * Process and reply to an authentication request
365 * The return value of this function isn't actually used right now, so
366 * it's not entirely clear if it is returning the right things. --Pac.
368 int rad_authenticate(REQUEST *request)
370 VALUE_PAIR *namepair;
371 VALUE_PAIR *check_item;
372 VALUE_PAIR *reply_item;
373 VALUE_PAIR *auth_item;
376 char umsg[MAX_STRING_LEN + 1];
377 const char *user_msg = NULL;
378 const char *password;
381 int seen_callback_id;
383 char buf[1024], logstr[1024];
388 * Free any pre-existing configuration items.
390 * This should ONLY be happening for proxy replies.
392 if ((request->proxy_reply) && (request->config_items)) {
393 pairfree(&request->config_items);
397 * If this request got proxied to another server,
398 * AND it was an authentication request, then we need
399 * to add an initial Auth-Type: Auth-Accept for success,
400 * Auth-Reject for fail. We also need to add the reply
401 * pairs from the server to the initial reply.
403 if ((request->proxy_reply) &&
404 (request->packet->code == PW_AUTHENTICATION_REQUEST)) {
405 tmp = paircreate(PW_AUTHTYPE, PW_TYPE_INTEGER);
407 radlog(L_ERR|L_CONS, "no memory");
412 * Reply of ACCEPT means accept, ALL other
413 * replies mean reject. This is fail-safe.
415 if (request->proxy_reply->code == PW_AUTHENTICATION_ACK)
416 tmp->lvalue = PW_AUTHTYPE_ACCEPT;
418 tmp->lvalue = PW_AUTHTYPE_REJECT;
419 pairadd(&request->config_items, tmp);
422 * Initialize our reply to the user, by taking
423 * the reply attributes from the proxy.
425 if (request->proxy_reply->vps) {
426 request->reply->vps = request->proxy_reply->vps;
427 request->proxy_reply->vps = NULL;
431 * If it's an Access-Reject, then do NOT do any
432 * authorization or authentication. They're being
433 * rejected, so we minimize the amount of work
434 * done by the server, by rejecting them here.
436 if (request->proxy_reply->code != PW_AUTHENTICATION_ACK) {
437 request->reply->code = PW_AUTHENTICATION_REJECT;
438 return RLM_MODULE_REJECT;
443 * Get the username from the request.
445 * Note that namepair MAY be NULL, in which case there
446 * is no User-Name attribute in the request.
448 namepair = request->username;
451 * Discover which password we want to use.
453 if ((auth_item = rad_getpass(request)) != NULL) {
454 password = (const char *)auth_item->strvalue;
458 * Maybe there's a CHAP-Password?
460 if (auth_item == NULL) {
461 if ((auth_item = pairfind(request->packet->vps,
462 PW_CHAP_PASSWORD)) != NULL) {
463 password = "<CHAP-PASSWORD>";
467 * No password we recognize.
469 password = "<NO-PASSWORD>";
472 request->password = auth_item;
475 * Get the user's authorization information from the database
477 r = module_authorize(request);
478 if (r != RLM_MODULE_NOTFOUND &&
479 r != RLM_MODULE_NOOP &&
480 r != RLM_MODULE_OK &&
481 r != RLM_MODULE_UPDATED) {
482 if (r != RLM_MODULE_FAIL && r != RLM_MODULE_HANDLED) {
483 rad_authlog("Invalid user", request, 0);
484 request->reply->code = PW_AUTHENTICATION_REJECT;
486 pairfree(&request->reply->vps);
487 request->reply->vps = NULL;
492 * If we haven't already proxied the packet, then check
493 * to see if we should. Maybe one of the authorize
494 * modules has decided that a proxy should be used. If
495 * so, get out of here and send the packet.
497 if ((request->proxy == NULL) &&
498 (pairfind(request->config_items, PW_PROXY_TO_REALM) != NULL)) {
499 return RLM_MODULE_OK;
503 * Perhaps there is a Stripped-User-Name now.
505 namepair = request->username;
511 if ((result = check_expiration(request)) < 0)
513 result = rad_check_password(request);
516 return RLM_MODULE_HANDLED;
521 * Failed to validate the user.
523 * We PRESUME that the code which failed will clean up
524 * request->reply->vps, to be ONLY the reply items it
525 * wants to send back.
529 DEBUG2(" auth: Failed to validate the user.");
530 request->reply->code = PW_AUTHENTICATION_REJECT;
532 rad_authlog("Login incorrect", request, 0);
534 /* double check: maybe the secret is wrong? */
535 if (debug_flag > 1) {
538 p = auth_item->strvalue;
541 log_debug(" WARNING: Unprintable characters in the password.\n Double-check the shared secret on the server and the NAS!");
550 (check_item = pairfind(request->config_items, PW_SIMULTANEOUS_USE)) != NULL) {
552 * User authenticated O.K. Now we have to check
553 * for the Simultaneous-Use parameter.
556 (r = radutmp_checksimul((char *)namepair->strvalue,
557 request->packet->vps, check_item->lvalue)) != 0) {
559 if (check_item->lvalue > 1) {
561 "\r\nYou are already logged in %d times - access denied\r\n\n",
562 (int)check_item->lvalue);
566 "\r\nYou are already logged in - access denied\r\n\n";
569 request->reply->code = PW_AUTHENTICATION_REJECT;
572 * They're trying to log in too many times.
573 * Remove ALL reply attributes.
575 pairfree(&request->reply->vps);
576 tmp = pairmake("Reply-Message", user_msg, T_OP_SET);
577 request->reply->vps = tmp;
579 strcpy(logstr, "Multiple logins");
580 sprintf(logstr, "%s (max %d) %s", logstr, check_item->lvalue,
581 r == 2 ? "[MPP attempt]" : "");
582 rad_authlog(logstr, request, 1);
589 (check_item = pairfind(request->config_items, PW_LOGIN_TIME)) != NULL) {
592 * Authentication is OK. Now see if this
593 * user may login at this time of the day.
595 r = timestr_match((char *)check_item->strvalue,
598 * Session-Timeout needs to be at least
599 * 60 seconds, some terminal servers
600 * ignore smaller values.
604 * User called outside allowed time interval.
608 "You are calling outside your allowed timespan\r\n";
610 request->reply->code = PW_AUTHENTICATION_REJECT;
611 pairfree(&request->reply->vps);
613 tmp = pairmake("Reply-Message", user_msg, T_OP_SET);
614 request->reply->vps = tmp;
616 strcpy(logstr, "Outside allowed timespan");
617 sprintf(logstr, "%s (time allowed %s)", logstr,
618 check_item->strvalue);
619 rad_authlog(logstr, request, 1);
624 * User is allowed, but set Session-Timeout.
626 if ((reply_item = pairfind(request->reply->vps,
627 PW_SESSION_TIMEOUT)) != NULL) {
628 if (reply_item->lvalue > (unsigned) r)
629 reply_item->lvalue = r;
631 if ((reply_item = paircreate(
633 PW_TYPE_INTEGER)) == NULL) {
634 radlog(L_ERR|L_CONS, "no memory");
637 reply_item->lvalue = r;
638 pairadd(&request->reply->vps, reply_item);
644 * Result should be >= 0 here - if not, we return.
647 return RLM_MODULE_OK;
651 * We might need this later. The 'password' string
652 * is NOT used anywhere below here, except for logging,
653 * so it should be safe...
655 if (auth_item->attribute == PW_CHAP_PASSWORD) {
656 password = "CHAP-Password";
660 * Add the port number to the Framed-IP-Address if
661 * vp->addport is set, or if the Add-Port-To-IP-Address
664 * FIXME: This doesn't work because PW_ADD_PORT_TO_IP_ADDRESS
665 * is never added to the request pairs!
667 if ((tmp = pairfind(request->reply->vps,
668 PW_FRAMED_IP_ADDRESS)) != NULL) {
672 * Find the NAS port ID.
674 if ((tmp = pairfind(request->packet->vps,
675 PW_NAS_PORT_ID)) != NULL)
676 nas_port = tmp->lvalue;
678 if((tmp2 = pairfind(request->reply->vps,
679 PW_ADD_PORT_TO_IP_ADDRESS)) != NULL) {
680 if (tmp->addport || (tmp2 && tmp2->lvalue)) {
681 tmp->lvalue = htonl(ntohl(tmp->lvalue) + nas_port);
684 pairdelete(&request->reply->vps,
685 PW_ADD_PORT_TO_IP_ADDRESS);
690 * See if we need to execute a program.
691 * FIXME: somehow cache this info, and only execute the
692 * program when we receive an Accounting-START packet.
693 * Only at that time we know dynamic IP etc.
697 if ((auth_item = pairfind(request->reply->vps, PW_EXEC_PROGRAM)) != NULL) {
699 exec_program = strdup((char *)auth_item->strvalue);
700 pairdelete(&request->reply->vps, PW_EXEC_PROGRAM);
702 if ((auth_item = pairfind(request->reply->vps, PW_EXEC_PROGRAM_WAIT)) != NULL) {
704 exec_program = strdup((char *)auth_item->strvalue);
705 pairdelete(&request->reply->vps, PW_EXEC_PROGRAM_WAIT);
709 * Hack - allow % expansion in certain value strings.
710 * This is nice for certain Exec-Program programs.
712 seen_callback_id = 0;
713 if ((auth_item = pairfind(request->reply->vps, PW_CALLBACK_ID)) != NULL) {
714 seen_callback_id = 1;
715 radius_xlat2(buf, sizeof(auth_item->strvalue),
716 (char *)auth_item->strvalue, request);
717 strNcpy((char *)auth_item->strvalue, buf,
718 sizeof(auth_item->strvalue));
719 auth_item->length = strlen((char *)auth_item->strvalue);
724 * If we want to exec a program, but wait for it,
725 * do it first before sending the reply.
727 if (exec_program && exec_wait) {
728 if (radius_exec_program(exec_program, request,
729 exec_wait, &user_msg) != 0) {
731 * Error. radius_exec_program() returns -1 on
732 * fork/exec errors, or >0 if the exec'ed program
733 * had a non-zero exit status.
735 if (user_msg == NULL)
736 user_msg = "\r\nAccess denied (external check failed).";
738 request->reply->code = PW_AUTHENTICATION_REJECT;
739 pairfree(&request->reply->vps);
740 tmp = pairmake("Reply-Message", user_msg, T_OP_SET);
741 request->reply->vps = tmp;
743 rad_authlog("Login incorrect (external check failed)",
746 return RLM_MODULE_OK;
751 * Delete "normal" A/V pairs when using callback.
753 * FIXME: This is stupid. The portmaster should accept
754 * these settings instead of insisting on using a
757 * FIXME2: Move this into the above exec thingy?
758 * (if you knew how I use the exec_wait, you'd understand).
760 if (seen_callback_id) {
761 pairdelete(&request->reply->vps, PW_FRAMED_PROTOCOL);
762 pairdelete(&request->reply->vps, PW_FRAMED_IP_ADDRESS);
763 pairdelete(&request->reply->vps, PW_FRAMED_IP_NETMASK);
764 pairdelete(&request->reply->vps, PW_FRAMED_ROUTE);
765 pairdelete(&request->reply->vps, PW_FRAMED_MTU);
766 pairdelete(&request->reply->vps, PW_FRAMED_COMPRESSION);
767 pairdelete(&request->reply->vps, PW_FILTER_ID);
768 pairdelete(&request->reply->vps, PW_PORT_LIMIT);
769 pairdelete(&request->reply->vps, PW_CALLBACK_NUMBER);
773 * Filter (possibly multiple) Reply-Message attributes
774 * through radius_xlat2, modifying them in place.
776 if (user_msg == NULL) {
777 reply_item = pairfind(request->reply->vps, PW_REPLY_MESSAGE);
779 radius_xlat2(buf, sizeof(reply_item->strvalue),
780 (char *)reply_item->strvalue, request);
781 strNcpy((char *)reply_item->strvalue, buf,
782 sizeof(reply_item->strvalue));
783 reply_item->length = strlen((char *)reply_item->strvalue);
785 reply_item = pairfind(reply_item->next, PW_REPLY_MESSAGE);
789 request->reply->code = PW_AUTHENTICATION_ACK;
791 rad_authlog("Login OK", request, 1);
792 if (exec_program && !exec_wait) {
794 * No need to check the exit status here.
796 radius_exec_program(exec_program, request, exec_wait, NULL);
799 if (exec_program) free(exec_program);
800 return RLM_MODULE_OK;
805 * These definitions are local, and shouldn't be used by anyone else.
811 * Find the password pair, decode pass if
812 * needed, and return the value pair. If
813 * not found, return NULL
815 VALUE_PAIR *rad_getpass(REQUEST *request) {
816 VALUE_PAIR *auth_item;
819 * First, look up the password in the request header.
821 auth_item = request->password;
824 * It's there, but it's not a clear-text password.
827 if (auth_item->attribute != PW_PASSWORD) {
832 * Go find the request password.
834 auth_item = pairfind(request->packet->vps, PW_PASSWORD);
840 * Save the found password for later.
842 request->password = auth_item;
847 * If we proxied already, it's been decoded
848 * Or if the decoded flag is set...just return
850 if ((request->proxy != NULL) ||
851 (auth_item->lvalue == PW_DECODED)) {
856 * If we get here, we have to decode the password.
858 rad_pwdecode((char *)auth_item->strvalue,
859 auth_item->length, request->secret,
860 (char *)request->packet->vector);
863 * Set lvalue to PW_DECODED so we know not to
864 * decode next time we get here
866 auth_item->lvalue = PW_DECODED;
868 /* ignore more than one trailing '\0' */
869 auth_item->length = strlen(auth_item->strvalue);