2 * pam.c Functions to access the PAM library. This was taken
3 * from the hacks that miguel a.l. paraz <map@iphil.net>
4 * did on radiusd-cistron-1.5.3 and migrated to a
7 * That, in fact, was again based on the original stuff
8 * from Jeph Blaize <jblaize@kiva.net> done in May 1997.
16 #include <sys/types.h>
17 #include <sys/socket.h>
19 #include <netinet/in.h>
27 #include <security/pam_appl.h>
36 /*************************************************************************
40 * Purpose: Dialogue between RADIUS and PAM modules.
42 * jab - stolen from pop3d
44 * Alan DeKok: modified to use PAM's appdata_ptr, so that we're
45 * multi-threaded safe, and don't have any nasty static
46 * variables hanging around.
48 *************************************************************************/
50 typedef struct my_PAM {
56 static int PAM_conv (int num_msg,
57 const struct pam_message **msg,
58 struct pam_response **resp,
60 int count = 0, replies = 0;
61 struct pam_response *reply = NULL;
62 int size = sizeof(struct pam_response);
63 my_PAM *pam_config = (my_PAM *) appdata_ptr;
65 #define GET_MEM if (reply) realloc(reply, size); else reply = malloc(size); \
66 if (!reply) return PAM_CONV_ERR; \
67 size += sizeof(struct pam_response)
68 #define COPY_STRING(s) ((s) ? strdup(s) : NULL)
70 for (count = 0; count < num_msg; count++) {
71 switch (msg[count]->msg_style) {
72 case PAM_PROMPT_ECHO_ON:
74 reply[replies].resp_retcode = PAM_SUCCESS;
75 reply[replies++].resp = COPY_STRING(pam_config->username);
78 case PAM_PROMPT_ECHO_OFF:
80 reply[replies].resp_retcode = PAM_SUCCESS;
81 reply[replies++].resp = COPY_STRING(pam_config->password);
89 /* Must be an error of some sort... */
91 pam_config->error = 1;
95 if (reply) *resp = reply;
100 /*************************************************************************
104 * Purpose: Check the users password against the standard UNIX
105 * password table + PAM.
108 *************************************************************************/
112 * for most flexibility, passing a pamauth type to this function
113 * allows you to have multiple authentication types (i.e. multiple
114 * files associated with radius in /etc/pam.d)
116 static int pam_pass(const char *name, const char *passwd, const char *pamauth)
118 pam_handle_t *pamh=NULL;
121 struct pam_conv conv;
124 * Initialize the structures.
126 conv.conv = PAM_conv;
127 conv.appdata_ptr = &pam_config;
128 pam_config.username = name;
129 pam_config.password = passwd;
130 pam_config.error = 0;
132 DEBUG("pam_pass: using pamauth string <%s> for pam.conf lookup", pamauth);
133 retval = pam_start(pamauth, name, &conv, &pamh);
134 if (retval != PAM_SUCCESS) {
135 DEBUG("pam_pass: function pam_start FAILED for <%s>. Reason: %s",
136 name, pam_strerror(pamh, retval));
140 retval = pam_authenticate(pamh, 0);
141 if (retval != PAM_SUCCESS) {
142 DEBUG("pam_pass: function pam_authenticate FAILED for <%s>. Reason: %s",
143 name, pam_strerror(pamh, retval));
149 * FreeBSD 3.x doesn't have account and session management
150 * functions in PAM, while 4.0 does.
152 #if !defined(__FreeBSD_version) || (__FreeBSD_version >= 400000)
153 retval = pam_acct_mgmt(pamh, 0);
154 if (retval != PAM_SUCCESS) {
155 DEBUG("pam_pass: function pam_acct_mgmt FAILED for <%s>. Reason: %s",
156 name, pam_strerror(pamh, retval));
162 DEBUG("pam_pass: authentication succeeded for <%s>", name);
167 /* translate between function declarations */
168 static int pam_auth(void *instance, REQUEST *request)
172 const char *pam_auth_string = "radiusd";
177 * We can only authenticate user requests which HAVE
178 * a User-Name attribute.
180 if (!request->username) {
181 radlog(L_AUTH, "rlm_pam: Attribute \"User-Name\" is required for authentication.");
182 return RLM_MODULE_INVALID;
186 * We can only authenticate user requests which HAVE
187 * a Password attribute.
189 if (!request->password) {
190 radlog(L_AUTH, "rlm_pam: Attribute \"Password\" is required for authentication.");
191 return RLM_MODULE_INVALID;
195 * Ensure that we're being passed a plain-text password,
196 * and not anything else.
198 if (request->password->attribute != PW_PASSWORD) {
199 radlog(L_AUTH, "rlm_pam: Attribute \"Password\" is required for authentication. Cannot use \"%s\".", request->password->name);
200 return RLM_MODULE_INVALID;
203 pair = pairfind(request->config_items, PAM_AUTH_ATTR);
204 if (pair) pam_auth_string = (char *)pair->strvalue;
206 r = pam_pass((char *)request->username->strvalue,
207 (char *)request->password->strvalue,
210 return RLM_MODULE_OK;
212 return RLM_MODULE_REJECT;
217 0, /* type: reserved */
218 NULL, /* initialize */
219 NULL, /* instantiation */
220 NULL, /* authorize */
221 pam_auth, /* authenticate */
222 NULL, /* pre-accounting */
223 NULL, /* accounting */