2 * pam.c Functions to access the PAM library. This was taken
3 * from the hacks that miguel a.l. paraz <map@iphil.net>
4 * did on radiusd-cistron-1.5.3 and migrated to a
7 * That, in fact, was again based on the original stuff
8 * from Jeph Blaize <jblaize@kiva.net> done in May 1997.
12 * This program is free software; you can redistribute it and/or modify
13 * it under the terms of the GNU General Public License as published by
14 * the Free Software Foundation; either version 2 of the License, or
15 * (at your option) any later version.
17 * This program is distributed in the hope that it will be useful,
18 * but WITHOUT ANY WARRANTY; without even the implied warranty of
19 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
20 * GNU General Public License for more details.
22 * You should have received a copy of the GNU General Public License
23 * along with this program; if not, write to the Free Software
24 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
26 * Copyright 2000,2006 The FreeRADIUS server project
27 * Copyright 1997 Jeph Blaize <jblaize@kiva.net>
28 * Copyright 1999 miguel a.l. paraz <map@iphil.net>
31 #include <freeradius-devel/ident.h>
34 #include <freeradius-devel/autoconf.h>
42 #ifdef HAVE_SECURITY_PAM_APPL_H
43 #include <security/pam_appl.h>
46 #ifdef HAVE_PAM_PAM_APPL_H
47 #include <pam/pam_appl.h>
55 #include <freeradius-devel/radiusd.h>
56 #include <freeradius-devel/modules.h>
/*
 * Per-instance module configuration, filled in by pam_instantiate() from
 * the module's config section.  The closing brace of this struct is not on
 * this page.
 */
58 typedef struct rlm_pam_t {
/* PAM service name ("pam_auth" in module_config); presumably the value that
 * ends up as the pamauth argument of pam_pass() -- the call site's third
 * argument is not on this page. */
59 const char *pam_auth_name;
/*
 * Config-file parser table: maps the "pam_auth" directive onto
 * rlm_pam_t.pam_auth_name as a string pointer.  The table is terminated by
 * the all-NULL entry; the default-value part of the first entry is not on
 * this page.
 */
62 static const CONF_PARSER module_config[] = {
63 { "pam_auth", PW_TYPE_STRING_PTR, offsetof(rlm_pam_t,pam_auth_name),
65 { NULL, -1, 0, NULL, NULL }
69 * (Re-)read radiusd.conf into memory.
/*
 * Module instantiation: allocate and zero a per-instance rlm_pam_t and parse
 * the module's config section into it via module_config.
 *
 * Only the beginning of the function is on this page; the error-path body,
 * the assignment to *instance and the return statements are not visible.
 * rad_malloc() is the project allocator, so the absence of a NULL check on
 * its result here does not by itself mean an unchecked allocation -- confirm
 * against its definition.
 */
71 static int pam_instantiate(CONF_SECTION *conf, void **instance)
75 data = rad_malloc(sizeof(*data));
79 memset(data, 0, sizeof(*data));
81 if (cf_section_parse(conf, data, module_config) < 0) {
/*
 * Module teardown: release the per-instance rlm_pam_t created by
 * pam_instantiate().  The free and return lines are not on this page.
 */
93 static int pam_detach(void *instance)
95 rlm_pam_t *data = (rlm_pam_t *) instance;
101 /*************************************************************************
105 * Purpose: Dialogue between RADIUS and PAM modules.
107 * jab - stolen from pop3d
109 * Alan DeKok: modified to use PAM's appdata_ptr, so that we're
110 * multi-threaded safe, and don't have any nasty static
111 * variables hanging around.
113 *************************************************************************/
/*
 * Credentials handed to PAM_conv() through pam_conv.appdata_ptr, so that the
 * conversation needs no static state.  PAM_conv() also writes an `error`
 * member of this struct; its declaration and the closing of the typedef are
 * not on this page.
 */
115 typedef struct my_PAM {
116 const char *username;
/* Cleartext password; PAM_conv() copies it into the reply for echo-off prompts. */
117 const char *password;
/*
 * PAM conversation callback.
 *
 * PAM invokes this with num_msg prompts in msg[].  Echo-on prompts are
 * answered with the username and echo-off prompts with the password, both
 * taken from the my_PAM block passed through appdata_ptr.  Message styles
 * not handled by the visible cases reach the error path below, which scrubs
 * and frees the replies built so far and flags the error in pam_config.
 * On success the reply array is handed to PAM, which owns and frees it.
 *
 * The fourth parameter (appdata_ptr), the remaining switch cases, the
 * `*resp = reply` assignment and the return statements are not on this page.
 */
121 static int PAM_conv (int num_msg,
122 const struct pam_message **msg,
123 struct pam_response **resp,
126 struct pam_response *reply;
127 my_PAM *pam_config = (my_PAM *) appdata_ptr;
129 /* strdup(NULL) doesn't work on some platforms */
/* NOTE(review): strdup() also returns NULL on allocation failure, and the
 * assignments below do not distinguish that from a NULL input -- the reply
 * then carries resp == NULL with resp_retcode == PAM_SUCCESS.  Confirm PAM
 * treats that as "no answer" rather than as an empty authtok. */
130 #define COPY_STRING(s) ((s) ? strdup(s) : NULL)
/* NOTE(review): num_msg (an int) is used directly as the allocation count;
 * no num_msg <= 0 guard is visible on this page -- confirm one exists or
 * that the PAM library guarantees num_msg >= 1. */
132 reply = rad_malloc(num_msg * sizeof(struct pam_response));
133 memset(reply, 0, num_msg * sizeof(struct pam_response));
134 for (count = 0; count < num_msg; count++) {
135 switch (msg[count]->msg_style) {
136 case PAM_PROMPT_ECHO_ON:
137 reply[count].resp_retcode = PAM_SUCCESS;
138 reply[count].resp = COPY_STRING(pam_config->username);
140 case PAM_PROMPT_ECHO_OFF:
141 reply[count].resp_retcode = PAM_SUCCESS;
142 reply[count].resp = COPY_STRING(pam_config->password);
149 /* Must be an error of some sort... */
/* Error path: release every reply built so far.  This loop reuses `count`,
 * which is fine only because the function leaves after it. */
150 for (count = 0; count < num_msg; count++) {
151 if (reply[count].resp) {
152 /* could be a password, let's be sanitary */
/* NOTE(review): a plain memset() immediately before free() is a dead store
 * the compiler may drop; explicit_bzero()/memset_s() would make the scrub
 * reliable. */
153 memset(reply[count].resp, 0, strlen(reply[count].resp));
154 free(reply[count].resp);
/* Tell pam_pass() the conversation itself failed, independent of the PAM
 * status it will get back. */
158 pam_config->error = 1;
163 /* PAM frees reply (including reply[].resp) */
168 /*************************************************************************
172 * Purpose: Check the users password against the standard UNIX
173 * password table + PAM.
176 *************************************************************************/
180 * for most flexibility, passing a pamauth type to this function
181 * allows you to have multiple authentication types (i.e. multiple
182 * files associated with radius in /etc/pam.d)
/*
 * Run one user through the PAM stack selected by pamauth: pam_start,
 * pam_authenticate, pam_acct_mgmt (where available) and pam_end.
 *
 * @param name    user name, passed to PAM as the user and echoed back by
 *                PAM_conv() for echo-on prompts.
 * @param passwd  cleartext password; it is never given to PAM directly but
 *                returned through PAM_conv() when PAM asks for it.
 * @param pamauth PAM service name used for the pam.conf / pam.d lookup.
 *
 * Only the user name and the pamauth string appear in DEBUG output; the
 * password is not logged.  The declarations of retval and pam_config, the
 * return statements and the #endif of the FreeBSD guard are not on this page.
 */
184 static int pam_pass(const char *name, const char *passwd, const char *pamauth)
186 pam_handle_t *pamh=NULL;
189 struct pam_conv conv;
192 * Initialize the structures.
194 conv.conv = PAM_conv;
195 conv.appdata_ptr = &pam_config;
196 pam_config.username = name;
197 pam_config.password = passwd;
/* Cleared here; PAM_conv() sets it when the conversation fails.  Whether
 * this function reads it back afterwards is not visible on this page. */
198 pam_config.error = 0;
200 DEBUG("pam_pass: using pamauth string <%s> for pam.conf lookup", pamauth);
201 retval = pam_start(pamauth, name, &conv, &pamh);
202 if (retval != PAM_SUCCESS) {
/* NOTE(review): pamh may still be NULL here.  Linux-PAM and OpenPAM ignore
 * the handle in pam_strerror(); confirm for the PAM this is built against.
 * No pam_end() on this path is correct, since no handle was created. */
203 DEBUG("pam_pass: function pam_start FAILED for <%s>. Reason: %s",
204 name, pam_strerror(pamh, retval));
/* NOTE(review): flags are 0, so PAM_DISALLOW_NULL_AUTHTOK is not set; how an
 * account with an empty authtok is handled is then left to the module stack
 * -- confirm that is the intended policy. */
208 retval = pam_authenticate(pamh, 0);
209 if (retval != PAM_SUCCESS) {
210 DEBUG("pam_pass: function pam_authenticate FAILED for <%s>. Reason: %s",
211 name, pam_strerror(pamh, retval));
/* pam_end() gets the last PAM status, as the API expects. */
212 pam_end(pamh, retval);
217 * FreeBSD 3.x doesn't have account and session management
218 * functions in PAM, while 4.0 does.
220 #if !defined(__FreeBSD_version) || (__FreeBSD_version >= 400000)
/* A correct password alone is not enough: apply whatever account-level
 * checks the PAM stack configures for this service. */
221 retval = pam_acct_mgmt(pamh, 0);
222 if (retval != PAM_SUCCESS) {
223 DEBUG("pam_pass: function pam_acct_mgmt FAILED for <%s>. Reason: %s",
224 name, pam_strerror(pamh, retval));
225 pam_end(pamh, retval);
230 DEBUG("pam_pass: authentication succeeded for <%s>", name);
231 pam_end(pamh, retval);
235 /* translate between function declarations */
235 /* translate between function declarations */
/*
 * Module "authenticate" entry point.
 *
 * Requires both User-Name and User-Password on the request, and insists that
 * the password attribute is the cleartext User-Password (anything else, e.g.
 * a CHAP or hashed form, is rejected as RLM_MODULE_INVALID because PAM needs
 * the cleartext to run its conversation).  The PAM service name comes from
 * the instance config but may be overridden per user by a PAM_AUTH_ATTR
 * config item from the 'users' file.
 *
 * Returns RLM_MODULE_INVALID on a malformed request, RLM_MODULE_OK when
 * pam_pass() succeeds and RLM_MODULE_REJECT otherwise.  The declarations of
 * `pair` and `r`, the closing argument of the pam_pass() call and the
 * condition between the two final returns are not on this page.
 */
236 static int pam_auth(void *instance, REQUEST *request)
240 rlm_pam_t *data = (rlm_pam_t *) instance;
242 const char *pam_auth_string = data->pam_auth_name;
245 * We can only authenticate user requests which HAVE
246 * a User-Name attribute.
248 if (!request->username) {
249 radlog(L_AUTH, "rlm_pam: Attribute \"User-Name\" is required for authentication.");
250 return RLM_MODULE_INVALID;
254 * We can only authenticate user requests which HAVE
255 * a User-Password attribute.
257 if (!request->password) {
258 radlog(L_AUTH, "rlm_pam: Attribute \"User-Password\" is required for authentication.");
259 return RLM_MODULE_INVALID;
263 * Ensure that we're being passed a plain-text password,
264 * and not anything else.
/* Only the attribute name is logged on mismatch, never its value. */
266 if (request->password->attribute != PW_USER_PASSWORD) {
267 radlog(L_AUTH, "rlm_pam: Attribute \"User-Password\" is required for authentication. Cannot use \"%s\".", request->password->name);
268 return RLM_MODULE_INVALID;
272 * Let the 'users' file over-ride the PAM auth name string,
273 * for backwards compatibility.
275 pair = pairfind(request->config_items, PAM_AUTH_ATTR);
276 if (pair) pam_auth_string = (char *)pair->vp_strvalue;
/* The (char *) casts are not needed: pam_pass() takes const char *. */
278 r = pam_pass((char *)request->username->vp_strvalue,
279 (char *)request->password->vp_strvalue,
/* Presumably re-opened because a PAM module may have called closelog()
 * during pam_pass(), which would otherwise lose later radlog() output when
 * logging goes to syslog -- TODO confirm against the lines not on this page. */
283 if (!strcmp(radlog_dir, "syslog")) {
284 openlog(progname, LOG_PID, mainconfig.syslog_facility);
289 return RLM_MODULE_OK;
291 return RLM_MODULE_REJECT;
/* Module descriptor entries; the initializer header and its closing brace
 * are not on this page.  Only instantiate, detach and authenticate are
 * provided -- every other method slot is NULL. */
297 RLM_TYPE_THREAD_UNSAFE, /* The PAM libraries are not thread-safe */
298 pam_instantiate, /* instantiation */
299 pam_detach, /* detach */
301 pam_auth, /* authenticate */
302 NULL, /* authorize */
303 NULL, /* pre-accounting */
304 NULL, /* accounting */
305 NULL, /* checksimul */
306 NULL, /* pre-proxy */
307 NULL, /* post-proxy */