6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 2 of the License, or
9 * (at your option) any later version.
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, write to the Free Software
18 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
20 * Copyright 2000 The FreeRADIUS server project
21 * FIXME add copyrights
24 #include <freeradius-devel/autoconf.h>
26 #include <sys/types.h>
38 #include <freeradius-devel/radiusd.h>
39 #include <freeradius-devel/radutmp.h>
40 #include <freeradius-devel/modules.h>
41 #include <freeradius-devel/rad_assert.h>
43 #define LOCK_LEN sizeof(struct radutmp)
45 static const char porttypes[] = "ASITX";
48 * used for caching radutmp lookups in the accounting component. The
49 * session (checksimul) component doesn't use it, but probably should.
51 typedef struct nas_port {
55 struct nas_port *next;
58 typedef struct rlm_radutmp_t {
59 NAS_PORT *nas_port_list;
68 static const CONF_PARSER module_config[] = {
69 { "filename", PW_TYPE_STRING_PTR,
70 offsetof(rlm_radutmp_t,filename), NULL, RADUTMP },
71 { "username", PW_TYPE_STRING_PTR,
72 offsetof(rlm_radutmp_t,username), NULL, "%{User-Name}"},
73 { "case_sensitive", PW_TYPE_BOOLEAN,
74 offsetof(rlm_radutmp_t,case_sensitive), NULL, "yes"},
75 { "check_with_nas", PW_TYPE_BOOLEAN,
76 offsetof(rlm_radutmp_t,check_nas), NULL, "yes"},
77 { "perm", PW_TYPE_INTEGER,
78 offsetof(rlm_radutmp_t,permission), NULL, "0644" },
79 { "callerid", PW_TYPE_BOOLEAN,
80 offsetof(rlm_radutmp_t,callerid_ok), NULL, "no" },
81 { NULL, -1, 0, NULL, NULL } /* end the list */
84 static int radutmp_instantiate(CONF_SECTION *conf, void **instance)
88 inst = rad_malloc(sizeof(*inst));
92 memset(inst, 0, sizeof(*inst));
94 if (cf_section_parse(conf, inst, module_config)) {
99 inst->nas_port_list = NULL;
108 static int radutmp_detach(void *instance)
111 rlm_radutmp_t *inst = instance;
113 for (p = inst->nas_port_list ; p ; p=next) {
117 if (inst->filename) free(inst->filename);
118 if (inst->username) free(inst->username);
124 * Zap all users on a NAS from the radutmp file.
126 static int radutmp_zap(rlm_radutmp_t *inst,
127 const char *filename,
134 if (t == 0) time(&t);
136 fd = open(filename, O_RDWR);
138 radlog(L_ERR, "rlm_radutmp: Error accessing file %s: %s",
139 filename, strerror(errno));
140 return RLM_MODULE_FAIL;
144 * Lock the utmp file, prefer lockf() over flock().
146 rad_lockfd(fd, LOCK_LEN);
149 * Find the entry for this NAS / portno combination.
151 while (read(fd, &u, sizeof(u)) == sizeof(u)) {
152 if ((nasaddr != 0 && nasaddr != u.nas_address) ||
158 if (lseek(fd, -(off_t)sizeof(u), SEEK_CUR) < 0) {
159 radlog(L_ERR, "rlm_radutmp: radutmp_zap: negative lseek!");
160 lseek(fd, (off_t)0, SEEK_SET);
164 write(fd, &u, sizeof(u));
166 close(fd); /* and implicitely release the locks */
172 * Lookup a NAS_PORT in the nas_port_list
174 static NAS_PORT *nas_port_find(NAS_PORT *nas_port_list, uint32_t nasaddr, unsigned int port)
178 for(cl = nas_port_list; cl; cl = cl->next)
179 if (nasaddr == cl->nasaddr &&
187 * Store logins in the RADIUS utmp file.
189 static int radutmp_accounting(void *instance, REQUEST *request)
191 struct radutmp ut, u;
194 uint32_t nas_address = 0;
195 uint32_t framed_address = 0;
199 int just_an_update = 0;
201 int nas_port_type = 0;
203 rlm_radutmp_t *inst = instance;
206 char ip_name[32]; /* 255.255.255.255 */
211 if (request->packet->src_ipaddr.af != AF_INET) {
212 DEBUG("rlm_radutmp: IPv6 not supported!");
213 return RLM_MODULE_NOOP;
217 * Which type is this.
219 if ((vp = pairfind(request->packet->vps, PW_ACCT_STATUS_TYPE)) == NULL) {
220 radlog(L_ERR, "rlm_radutmp: No Accounting-Status-Type record.");
221 return RLM_MODULE_NOOP;
226 * Look for weird reboot packets.
228 * ComOS (up to and including 3.5.1b20) does not send
229 * standard PW_STATUS_ACCOUNTING_XXX messages.
231 * Check for: o no Acct-Session-Time, or time of 0
232 * o Acct-Session-Id of "00000000".
234 * We could also check for NAS-Port, that attribute
235 * should NOT be present (but we don't right now).
237 if ((status != PW_STATUS_ACCOUNTING_ON) &&
238 (status != PW_STATUS_ACCOUNTING_OFF)) do {
242 if ((vp = pairfind(request->packet->vps, PW_ACCT_SESSION_TIME))
243 == NULL || vp->lvalue == 0)
245 if ((vp = pairfind(request->packet->vps, PW_ACCT_SESSION_ID))
246 != NULL && vp->length == 8 &&
247 memcmp(vp->vp_strvalue, "00000000", 8) == 0)
249 if (check1 == 0 || check2 == 0) {
250 #if 0 /* Cisco sometimes sends START records without username. */
251 radlog(L_ERR, "rlm_radutmp: no username in record");
252 return RLM_MODULE_FAIL;
257 radlog(L_INFO, "rlm_radutmp: converting reboot records.");
258 if (status == PW_STATUS_STOP)
259 status = PW_STATUS_ACCOUNTING_OFF;
260 if (status == PW_STATUS_START)
261 status = PW_STATUS_ACCOUNTING_ON;
265 memset(&ut, 0, sizeof(ut));
269 * First, find the interesting attributes.
271 for (vp = request->packet->vps; vp; vp = vp->next) {
272 switch (vp->attribute) {
273 case PW_LOGIN_IP_HOST:
274 case PW_FRAMED_IP_ADDRESS:
275 framed_address = vp->lvalue;
276 ut.framed_address = vp->lvalue;
278 case PW_FRAMED_PROTOCOL:
279 protocol = vp->lvalue;
281 case PW_NAS_IP_ADDRESS:
282 nas_address = vp->lvalue;
283 ut.nas_address = vp->lvalue;
286 ut.nas_port = vp->lvalue;
289 case PW_ACCT_DELAY_TIME:
290 ut.delay = vp->lvalue;
292 case PW_ACCT_SESSION_ID:
294 * If length > 8, only store the
297 off = vp->length - sizeof(ut.session_id);
299 * Ascend is br0ken - it adds a \0
300 * to the end of any string.
303 if (vp->length > 0 &&
304 vp->vp_strvalue[vp->length - 1] == 0)
306 if (off < 0) off = 0;
307 memcpy(ut.session_id, vp->vp_strvalue + off,
308 sizeof(ut.session_id));
310 case PW_NAS_PORT_TYPE:
312 ut.porttype = porttypes[vp->lvalue];
313 nas_port_type = vp->lvalue;
315 case PW_CALLING_STATION_ID:
316 if(inst->callerid_ok)
317 strNcpy(ut.caller_id,
318 (char *)vp->vp_strvalue,
319 sizeof(ut.caller_id));
325 * If we didn't find out the NAS address, use the
326 * originator's IP address.
328 if (nas_address == 0) {
329 nas_address = request->packet->src_ipaddr.ipaddr.ip4addr.s_addr;
330 ut.nas_address = nas_address;
331 nas = client_name_old(&request->packet->src_ipaddr); /* MUST be a valid client */
333 } else if (request->packet->src_ipaddr.ipaddr.ip4addr.s_addr == nas_address) { /* might be a client, might not be. */
337 * Hack like 'client_name()', but with sane
340 cl = client_find_old(&request->packet->src_ipaddr);
341 if (!cl) rad_assert(0 == 1); /* WTF? */
342 if (cl->shortname && cl->shortname[0]) {
349 * The NAS isn't a client, it's behind
350 * a proxy server. In that case, just
351 * get the IP address.
353 nas = ip_ntoa(ip_name, nas_address);
357 * Set the protocol field.
359 if (protocol == PW_PPP)
361 else if (protocol == PW_SLIP)
365 ut.time = t - ut.delay;
368 * Get the utmp filename, via xlat.
370 radius_xlat(filename, sizeof(filename), inst->filename, request, NULL);
373 * See if this was a reboot.
375 * Hmm... we may not want to zap all of the users when
376 * the NAS comes up, because of issues with receiving
377 * UDP packets out of order.
379 if (status == PW_STATUS_ACCOUNTING_ON && nas_address) {
380 radlog(L_INFO, "rlm_radutmp: NAS %s restarted (Accounting-On packet seen)",
382 radutmp_zap(inst, filename, nas_address, ut.time);
383 return RLM_MODULE_OK;
386 if (status == PW_STATUS_ACCOUNTING_OFF && nas_address) {
387 radlog(L_INFO, "rlm_radutmp: NAS %s rebooted (Accounting-Off packet seen)",
389 radutmp_zap(inst, filename, nas_address, ut.time);
390 return RLM_MODULE_OK;
394 * If we don't know this type of entry pretend we succeeded.
396 if (status != PW_STATUS_START &&
397 status != PW_STATUS_STOP &&
398 status != PW_STATUS_ALIVE) {
399 radlog(L_ERR, "rlm_radutmp: NAS %s port %u unknown packet type %d)",
400 nas, ut.nas_port, status);
401 return RLM_MODULE_NOOP;
405 * Translate the User-Name attribute, or whatever else
406 * they told us to use.
409 radius_xlat(buffer, sizeof(buffer), inst->username, request, NULL);
412 * Copy the previous translated user name.
414 strncpy(ut.login, buffer, RUT_NAMESIZE);
417 * Perhaps we don't want to store this record into
418 * radutmp. We skip records:
420 * - without a NAS-Port (telnet / tcp access)
421 * - with the username "!root" (console admin login)
424 DEBUG2(" rlm_radutmp: No NAS-Port seen. Cannot do anything.");
425 DEBUG2(" rlm_radumtp: WARNING: checkrad will probably not work!");
426 return RLM_MODULE_NOOP;
429 if (strncmp(ut.login, "!root", RUT_NAMESIZE) == 0) {
430 DEBUG2(" rlm_radutmp: Not recording administrative user");
432 return RLM_MODULE_NOOP;
436 * Enter into the radutmp file.
438 fd = open(filename, O_RDWR|O_CREAT, inst->permission);
440 radlog(L_ERR, "rlm_radutmp: Error accessing file %s: %s",
441 filename, strerror(errno));
442 return RLM_MODULE_FAIL;
446 * Lock the utmp file, prefer lockf() over flock().
448 rad_lockfd(fd, LOCK_LEN);
451 * Find the entry for this NAS / portno combination.
453 if ((cache = nas_port_find(inst->nas_port_list, ut.nas_address,
454 ut.nas_port)) != NULL) {
455 lseek(fd, (off_t)cache->offset, SEEK_SET);
460 while (read(fd, &u, sizeof(u)) == sizeof(u)) {
462 if (u.nas_address != ut.nas_address ||
463 u.nas_port != ut.nas_port)
467 * Don't compare stop records to unused entries.
469 if (status == PW_STATUS_STOP &&
474 if (status == PW_STATUS_STOP &&
475 strncmp(ut.session_id, u.session_id,
476 sizeof(u.session_id)) != 0) {
478 * Don't complain if this is not a
479 * login record (some clients can
480 * send _only_ logout records).
482 if (u.type == P_LOGIN)
483 radlog(L_ERR, "rlm_radutmp: Logout entry for NAS %s port %u has wrong ID",
489 if (status == PW_STATUS_START &&
490 strncmp(ut.session_id, u.session_id,
491 sizeof(u.session_id)) == 0 &&
493 if (u.type == P_LOGIN) {
494 radlog(L_INFO, "rlm_radutmp: Login entry for NAS %s port %u duplicate",
499 radlog(L_ERR, "rlm_radutmp: Login entry for NAS %s port %u wrong order",
506 * FIXME: the ALIVE record could need
507 * some more checking, but anyway I'd
508 * rather rewrite this mess -- miquels.
510 if (status == PW_STATUS_ALIVE &&
511 strncmp(ut.session_id, u.session_id,
512 sizeof(u.session_id)) == 0 &&
515 * Keep the original login time.
522 if (lseek(fd, -(off_t)sizeof(u), SEEK_CUR) < 0) {
523 radlog(L_ERR, "rlm_radutmp: negative lseek!");
524 lseek(fd, (off_t)0, SEEK_SET);
530 } /* read the file until we find a match */
533 * Found the entry, do start/update it with
534 * the information from the packet.
536 if (r >= 0 && (status == PW_STATUS_START ||
537 status == PW_STATUS_ALIVE)) {
539 * Remember where the entry was, because it's
540 * easier than searching through the entire file.
543 cache = rad_malloc(sizeof(NAS_PORT));
544 cache->nasaddr = ut.nas_address;
545 cache->port = ut.nas_port;
547 cache->next = inst->nas_port_list;
548 inst->nas_port_list = cache;
552 write(fd, &ut, sizeof(u));
556 * The user has logged off, delete the entry by
557 * re-writing it in place.
559 if (status == PW_STATUS_STOP) {
564 write(fd, &u, sizeof(u));
566 radlog(L_ERR, "rlm_radutmp: Logout for NAS %s port %u, but no Login record",
571 close(fd); /* and implicitely release the locks */
573 return RLM_MODULE_OK;
577 * See if a user is already logged in. Sets request->simul_count to the
578 * current session count for this user and sets request->simul_mpp to 2
579 * if it looks like a multilink attempt based on the requested IP
580 * address, otherwise leaves request->simul_mpp alone.
582 * Check twice. If on the first pass the user exceeds his
583 * max. number of logins, do a second pass and validate all
584 * logins by querying the terminal server (using eg. SNMP).
586 static int radutmp_checksimul(void *instance, REQUEST *request)
592 char *call_num = NULL;
594 rlm_radutmp_t *inst = instance;
599 * Get the filename, via xlat.
601 radius_xlat(filename, sizeof(filename), inst->filename, request, NULL);
603 if ((fd = open(filename, O_RDWR)) < 0) {
605 * If the file doesn't exist, then no users
608 if (errno == ENOENT) {
609 request->simul_count=0;
610 return RLM_MODULE_OK;
614 * Error accessing the file.
616 radlog(L_ERR, "rlm_radumtp: Error accessing file %s: %s",
617 filename, strerror(errno));
618 return RLM_MODULE_FAIL;
622 radius_xlat(login, sizeof(login), inst->username, request, NULL);
624 return RLM_MODULE_NOOP;
628 * WTF? This is probably wrong... we probably want to
629 * be able to check users across multiple session accounting
632 request->simul_count = 0;
635 * Loop over utmp, counting how many people MAY be logged in.
637 while (read(fd, &u, sizeof(u)) == sizeof(u)) {
638 if (((strncmp(login, u.login, RUT_NAMESIZE) == 0) ||
639 (!inst->case_sensitive &&
640 (strncasecmp(login, u.login, RUT_NAMESIZE) == 0))) &&
641 (u.type == P_LOGIN)) {
642 ++request->simul_count;
647 * The number of users logged in is OK,
648 * OR, we've been told to not check the NAS.
650 if ((request->simul_count < request->simul_max) ||
653 return RLM_MODULE_OK;
655 lseek(fd, (off_t)0, SEEK_SET);
658 * Setup some stuff, like for MPP detection.
660 if ((vp = pairfind(request->packet->vps, PW_FRAMED_IP_ADDRESS)) != NULL)
662 if ((vp = pairfind(request->packet->vps, PW_CALLING_STATION_ID)) != NULL)
663 call_num = vp->vp_strvalue;
666 * lock the file while reading/writing.
668 rad_lockfd(fd, LOCK_LEN);
671 * FIXME: If we get a 'Start' for a user/nas/port which is
672 * listed, but for which we did NOT get a 'Stop', then
673 * it's not a duplicate session. This happens with
674 * static IP's like DSL.
676 request->simul_count = 0;
677 while (read(fd, &u, sizeof(u)) == sizeof(u)) {
678 if (((strncmp(login, u.login, RUT_NAMESIZE) == 0) ||
679 (!inst->case_sensitive &&
680 (strncasecmp(login, u.login, RUT_NAMESIZE) == 0))) &&
681 (u.type == P_LOGIN)) {
682 char session_id[sizeof(u.session_id) + 1];
683 char utmp_login[sizeof(u.login) + 1];
685 strNcpy(session_id, u.session_id, sizeof(session_id));
688 * The login name MAY fill the whole field,
689 * and thus won't be zero-filled.
691 * Note that we take the user name from
692 * the utmp file, as that's the canonical
693 * form. The 'login' variable may contain
694 * a string which is an upper/lowercase
695 * version of u.login. When we call the
696 * routine to check the terminal server,
697 * the NAS may be case sensitive.
699 * e.g. We ask if "bob" is using a port,
700 * and the NAS says "no", because "BOB"
703 strNcpy(utmp_login, u.login, sizeof(u.login));
706 * rad_check_ts may take seconds
707 * to return, and we don't want
708 * to block everyone else while
709 * that's happening. */
710 rad_unlockfd(fd, LOCK_LEN);
711 rcode = rad_check_ts(u.nas_address, u.nas_port,
712 utmp_login, session_id);
713 rad_lockfd(fd, LOCK_LEN);
717 * Stale record - zap it.
719 session_zap(request, u.nas_address,
720 u.nas_port, login, session_id,
721 u.framed_address, u.proto,0);
723 else if (rcode == 1) {
725 * User is still logged in.
727 ++request->simul_count;
730 * Does it look like a MPP attempt?
732 if (strchr("SCPA", u.proto) &&
733 ipno && u.framed_address == ipno)
734 request->simul_mpp = 2;
735 else if (strchr("SCPA", u.proto) && call_num &&
736 !strncmp(u.caller_id,call_num,16))
737 request->simul_mpp = 2;
741 * Failed to check the terminal
742 * server for duplicate logins:
746 radlog(L_ERR, "rlm_radutmp: Failed to check the terminal server for user '%s'.", utmp_login);
747 return RLM_MODULE_FAIL;
751 close(fd); /* and implicitely release the locks */
753 return RLM_MODULE_OK;
756 /* globally exported name */
757 module_t rlm_radutmp = {
760 0, /* type: reserved */
761 radutmp_instantiate, /* instantiation */
762 radutmp_detach, /* detach */
764 NULL, /* authentication */
765 NULL, /* authorization */
766 NULL, /* preaccounting */
767 radutmp_accounting, /* accounting */
768 radutmp_checksimul, /* checksimul */
769 NULL, /* pre-proxy */
770 NULL, /* post-proxy */