2 * rlm_unix.c authentication: Unix user authentication
3 * accounting: Functions to write radwtmp file.
4 * Also contains handler for "Group".
8 * This program is free software; you can redistribute it and/or modify
9 * it under the terms of the GNU General Public License as published by
10 * the Free Software Foundation; either version 2 of the License, or
11 * (at your option) any later version.
13 * This program is distributed in the hope that it will be useful,
14 * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 * GNU General Public License for more details.
18 * You should have received a copy of the GNU General Public License
19 * along with this program; if not, write to the Free Software
20 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
22 * Copyright 2000 The FreeRADIUS server project
23 * Copyright 2000 Jeff Carneal <jeff@apex.net>
24 * Copyright 2000 Alan Curry <pacman@world.std.com>
26 static const char rcsid[] = "$Id$";
29 #include "libradius.h"
47 # include <sys/security.h>
62 static char trans[64] =
63 "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
64 #define ENC(c) trans[c]
66 struct unix_instance {
68 const char *passwd_file;
69 const char *shadow_file;
70 const char *group_file;
73 struct pwcache *cache;
76 static CONF_PARSER module_config[] = {
78 * Cache the password by default.
80 { "cache", PW_TYPE_BOOLEAN,
81 offsetof(struct unix_instance,cache_passwd), NULL, "yes" },
82 { "passwd", PW_TYPE_STRING_PTR,
83 offsetof(struct unix_instance,passwd_file), NULL, NULL },
84 { "shadow", PW_TYPE_STRING_PTR,
85 offsetof(struct unix_instance,shadow_file), NULL, NULL },
86 { "group", PW_TYPE_STRING_PTR,
87 offsetof(struct unix_instance,group_file), NULL, NULL },
88 { "radwtmp", PW_TYPE_STRING_PTR,
89 offsetof(struct unix_instance,radwtmp), NULL, "${logdir}/radwtmp" },
90 { "usegroup", PW_TYPE_BOOLEAN,
91 offsetof(struct unix_instance,usegroup), NULL, "no" },
93 { NULL, -1, 0, NULL, NULL } /* end the list */
97 * groupcmp is part of autz. But it uses the data from an auth instance. So
98 * here is where it gets it. By default this will be the first configured
99 * auth instance. That can be changed by putting "usegroup = yes" inside an
100 * auth instance to explicitly bind all Group checks to it.
103 /* binds "Group=" to an instance (a particular passwd file) */
104 static struct unix_instance *group_inst;
106 /* Tells if the above binding was explicit (usegroup=yes specified in config
107 * file) or not ("Group=" was bound to the first instance of rlm_unix */
108 static int group_inst_explicit;
110 struct passwd *fgetpwnam(const char *fname, const char *name) {
111 FILE *file = fopen(fname, "ro");
112 struct passwd *pwd = NULL;
114 if(file == NULL) return NULL;
116 pwd = fgetpwent(file);
121 } while(strcmp(name, pwd->pw_name) != 0);
126 struct passwd *fgetgrnam(const char *fname, const char *name) {
127 FILE *file = fopen(fname, "ro");
128 struct group *grp = NULL;
129 if(file == NULL) return NULL;
131 grp = fgetgrent(file);
136 } while(strcmp(name, grp->gr_name) != 0);
142 * The Group = handler.
144 static int groupcmp(void *instance, VALUE_PAIR *request, VALUE_PAIR *check,
145 VALUE_PAIR *check_pairs, VALUE_PAIR **reply_pairs)
154 check_pairs = check_pairs;
155 reply_pairs = reply_pairs;
158 radlog(L_ERR, "groupcmp: no group list known.");
162 radlog(L_ERR, "group = %s", group_inst->group_file);
164 username = (char *)request->strvalue;
166 if (group_inst->cache_passwd &&
167 (retval = H_groupcmp(group_inst->cache, check, username)) != -2)
170 if ((pwd = fgetpwnam(group_inst->passwd_file, username)) == NULL)
173 if ((grp = fgetgrnam(group_inst->group_file, (char *)check->strvalue)) == NULL)
176 retval = (pwd->pw_gid == grp->gr_gid) ? 0 : -1;
178 for (member = grp->gr_mem; *member && retval; member++) {
179 if (strcmp(*member, pwd->pw_name) == 0)
188 * FIXME: We really should have an 'init' which makes
189 * System auth == Unix
191 static int unix_init(void)
193 /* FIXME - delay these until a group file has been read so we know
194 * groupcmp can actually do something */
195 paircompare_register(PW_GROUP, PW_USER_NAME, groupcmp, NULL);
196 #ifdef PW_GROUP_NAME /* compat */
197 paircompare_register(PW_GROUP_NAME, PW_USER_NAME, groupcmp, NULL);
202 static int unix_instantiate(CONF_SECTION *conf, void **instance)
204 struct unix_instance *inst;
207 * Allocate room for the instance.
209 inst = *instance = rad_malloc(sizeof(struct unix_instance));
212 * Parse the configuration, failing if we can't do so.
214 if (cf_section_parse(conf, inst, module_config) < 0) {
219 if (inst->cache_passwd) {
220 radlog(L_INFO, "HASH: Reinitializing hash structures "
221 "and lists for caching...");
222 if ((inst->cache = unix_buildpwcache(inst->passwd_file,
224 inst->group_file))==NULL)
226 radlog(L_ERR, "HASH: unable to create user "
227 "hash table. disable caching and run debugs");
228 free((char *) inst->passwd_file);
229 free((char *) inst->shadow_file);
230 free((char *) inst->group_file);
231 free((char *) inst->radwtmp);
239 if (inst->usegroup) {
240 if (group_inst_explicit) {
241 radlog(L_ERR, "Only one group list may be active");
244 group_inst_explicit = 1;
246 } else if (!group_inst) {
257 static int unix_detach(void *instance)
259 #define inst ((struct unix_instance *)instance)
260 if (group_inst == inst) {
262 group_inst_explicit = 0;
264 free((char *) inst->passwd_file);
265 free((char *) inst->shadow_file);
266 free((char *) inst->group_file);
267 free((char *) inst->radwtmp);
269 unix_freepwcache(inst->cache);
276 static int unix_destroy(void)
278 paircompare_unregister(PW_GROUP, groupcmp);
280 paircompare_unregister(PW_GROUP_NAME, groupcmp);
287 * Check the users password against the standard UNIX
290 static int unix_authenticate(void *instance, REQUEST *request)
292 #define inst ((struct unix_instance *)instance)
296 char *encrypted_pass;
306 struct pr_passwd *pr_pw;
310 char *progname = "radius";
311 SIAENTITY *ent = NULL;
313 #ifdef HAVE_GETUSERSHELL
318 * We can only authenticate user requests which HAVE
319 * a User-Name attribute.
321 if (!request->username) {
322 radlog(L_AUTH, "rlm_unix: Attribute \"User-Name\" is required for authentication.");
323 return RLM_MODULE_INVALID;
327 * We can only authenticate user requests which HAVE
328 * a Password attribute.
330 if (!request->password) {
331 radlog(L_AUTH, "rlm_unix: Attribute \"Password\" is required for authentication.");
332 return RLM_MODULE_INVALID;
336 * Ensure that we're being passed a plain-text password,
337 * and not anything else.
339 if (request->password->attribute != PW_PASSWORD) {
340 radlog(L_AUTH, "rlm_unix: Attribute \"Password\" is required for authentication. Cannot use \"%s\".", request->password->name);
341 return RLM_MODULE_INVALID;
344 name = (char *)request->username->strvalue;
345 passwd = (char *)request->password->strvalue;
347 if (inst->cache_passwd &&
348 (ret = H_unix_pass(inst->cache, name, passwd, &request->reply->vps)) != -2)
349 return (ret == 0) ? RLM_MODULE_OK : RLM_MODULE_REJECT;
354 if (sia_ses_init (&ent, 1, info, NULL, name, NULL, 0, NULL) !=
356 return RLM_MODULE_NOTFOUND;
357 if ((ret = sia_ses_authent (NULL, passwd, ent)) != SIASUCCESS) {
359 sia_ses_release (&ent);
360 return RLM_MODULE_NOTFOUND;
362 if (sia_ses_estab (NULL, ent) == SIASUCCESS) {
363 sia_ses_release (&ent);
364 return RLM_MODULE_OK;
367 return RLM_MODULE_NOTFOUND;
370 if ((pr_pw = getprpwnam(name)) == NULL)
371 return RLM_MODULE_NOTFOUND;
372 encrypted_pass = pr_pw->ufld.fd_encrypt;
375 * Get encrypted password from password file
377 if ((pwd = getpwnam(name)) == NULL) {
378 return RLM_MODULE_NOTFOUND;
380 encrypted_pass = pwd->pw_passwd;
385 * See if there is a shadow password.
387 if ((spwd = getspnam(name)) != NULL)
389 encrypted_pass = spwd->pw_passwd;
391 encrypted_pass = spwd->sp_pwdp;
393 #endif /* HAVE_GETSPNAM */
397 * Undocumented temporary compatibility for iphil.NET
398 * Users with a certain shell are always denied access.
400 if (strcmp(pwd->pw_shell, DENY_SHELL) == 0) {
401 radlog(L_AUTH, "rlm_unix: [%s]: invalid shell", name);
402 return RLM_MODULE_REJECT;
406 #if HAVE_GETUSERSHELL
408 * Check /etc/shells for a valid shell. If that file
409 * contains /RADIUSD/ANY/SHELL then any shell will do.
411 while ((shell = getusershell()) != NULL) {
412 if (strcmp(shell, pwd->pw_shell) == 0 ||
413 strcmp(shell, "/RADIUSD/ANY/SHELL") == 0) {
419 return RLM_MODULE_REJECT;
422 #if defined(HAVE_GETSPNAM) && !defined(M_UNIX)
424 * Check if password has expired.
426 if (spwd && spwd->sp_expire > 0 &&
427 (request->timestamp / 86400) > spwd->sp_expire) {
428 radlog(L_AUTH, "rlm_unix: [%s]: password has expired", name);
429 return RLM_MODULE_REJECT;
433 #if defined(__FreeBSD__) || defined(bsdi) || defined(_PWF_EXPIRE)
435 * Check if password has expired.
437 if ((pwd->pw_expire > 0) &&
438 (request->timestamp > pwd->pw_expire)) {
439 radlog(L_AUTH, "rlm_unix: [%s]: password has expired", name);
440 return RLM_MODULE_REJECT;
446 * Check if account is locked.
448 if (pr_pw->uflg.fg_lock!=1) {
449 radlog(L_AUTH, "rlm_unix: [%s]: account locked", name);
450 return RLM_MODULE_USERLOCK;
455 * We might have a passwordless account.
457 if (encrypted_pass[0] == 0)
458 return RLM_MODULE_OK;
461 * Check encrypted password.
463 encpw = crypt(passwd, encrypted_pass);
464 if (strcmp(encpw, encrypted_pass))
465 return RLM_MODULE_REJECT;
467 return RLM_MODULE_OK;
473 * UUencode 4 bits base64. We use this to turn a 4 byte field
474 * (an IP address) into 6 bytes of ASCII. This is used for the
475 * wtmp file if we didn't find a short name in the naslist file.
477 static char *uue(void *in)
480 static unsigned char res[7];
481 unsigned char *data = (unsigned char *)in;
483 res[0] = ENC( data[0] >> 2 );
484 res[1] = ENC( ((data[0] << 4) & 060) + ((data[1] >> 4) & 017) );
485 res[2] = ENC( ((data[1] << 2) & 074) + ((data[2] >> 6) & 03) );
486 res[3] = ENC( data[2] & 077 );
488 res[4] = ENC( data[3] >> 2 );
489 res[5] = ENC( (data[3] << 4) & 060 );
492 for(i = 0; i < 6; i++) {
493 if (res[i] == ' ') res[i] = '`';
494 if (res[i] < 32 || res[i] > 127)
495 printf("uue: protocol error ?!\n");
502 * Unix accounting - write a wtmp file.
504 static int unix_accounting(void *instance, REQUEST *request)
516 int framed_address = 0;
520 int nas_port_type = 0;
521 struct unix_instance *inst = (struct unix_instance *) instance;
524 * Which type is this.
526 if ((vp = pairfind(request->packet->vps, PW_ACCT_STATUS_TYPE))==NULL) {
527 radlog(L_ERR, "Accounting: no Accounting-Status-Type record.");
528 return RLM_MODULE_NOOP;
533 * FIXME: handle PW_STATUS_ALIVE like 1.5.4.3 did.
535 if (status != PW_STATUS_START &&
536 status != PW_STATUS_STOP)
537 return RLM_MODULE_NOOP;
540 * We're only interested in accounting messages
541 * with a username in it.
543 if ((vp = pairfind(request->packet->vps, PW_USER_NAME)) == NULL)
544 return RLM_MODULE_NOOP;
546 t = request->timestamp;
547 memset(&ut, 0, sizeof(ut));
550 * First, find the interesting attributes.
552 for (vp = request->packet->vps; vp; vp = vp->next) {
553 switch (vp->attribute) {
555 if (vp->length >= sizeof(ut.ut_name)) {
556 memcpy(ut.ut_name, (char *)vp->strvalue, sizeof(ut.ut_name));
558 strNcpy(ut.ut_name, (char *)vp->strvalue, sizeof(ut.ut_name));
561 case PW_LOGIN_IP_HOST:
562 case PW_FRAMED_IP_ADDRESS:
563 framed_address = vp->lvalue;
565 case PW_FRAMED_PROTOCOL:
566 protocol = vp->lvalue;
568 case PW_NAS_IP_ADDRESS:
569 nas_address = vp->lvalue;
572 nas_port = vp->lvalue;
575 case PW_ACCT_DELAY_TIME:
578 case PW_NAS_PORT_TYPE:
579 nas_port_type = vp->lvalue;
585 * We don't store !root sessions, or sessions
586 * where we didn't see a PW_NAS_PORT_ID.
588 if (strncmp(ut.ut_name, "!root", sizeof(ut.ut_name)) == 0 || !port_seen)
589 return RLM_MODULE_NOOP;
592 * If we didn't find out the NAS address, use the
593 * originator's IP address.
595 if (nas_address == 0)
596 nas_address = request->packet->src_ipaddr;
600 * Linux has a field for the client address.
602 ut.ut_addr = framed_address;
605 * We use the tty field to store the terminal servers' port
606 * and address so that the tty field is unique.
609 if ((cl = nas_find(nas_address)) != NULL)
611 if (s == NULL || s[0] == 0) s = uue(&(nas_address));
612 sprintf(buf, "%03d:%s", nas_port, s);
613 strNcpy(ut.ut_line, buf, sizeof(ut.ut_line));
616 * We store the dynamic IP address in the hostname field.
619 if (framed_address) {
620 ip_ntoa(buf, framed_address);
621 strncpy(ut.ut_host, buf, UT_HOSTSIZE);
625 ut.ut_xtime = t- delay;
627 ut.ut_time = t - delay;
631 * And we can use the ID field to store
634 if (protocol == PW_PPP)
635 strcpy(ut.ut_id, "P");
636 else if (protocol == PW_SLIP)
637 strcpy(ut.ut_id, "S");
639 strcpy(ut.ut_id, "T");
640 ut.ut_type = status == PW_STATUS_STOP ? DEAD_PROCESS : USER_PROCESS;
642 if (status == PW_STATUS_STOP)
646 * Write a RADIUS wtmp log file.
648 * Try to open the file if we can't, we don't write the
649 * wtmp file. If we can try to write. If we fail,
650 * return RLM_MODULE_FAIL ..
652 if ((fp = fopen(inst->radwtmp, "a")) != NULL) {
653 if ((fwrite(&ut, sizeof(ut), 1, fp)) != 1) {
655 return RLM_MODULE_FAIL;
659 return RLM_MODULE_FAIL;
661 return RLM_MODULE_OK;
664 /* globally exported name */
665 module_t rlm_unix = {
667 RLM_TYPE_THREAD_UNSAFE, /* type: reserved */
668 unix_init, /* initialization */
669 unix_instantiate, /* instantiation */
671 unix_authenticate, /* authentication */
672 NULL, /* authorization */
673 NULL, /* preaccounting */
674 unix_accounting, /* accounting */
675 NULL /* checksimul */
677 unix_detach, /* detach */
678 unix_destroy, /* destroy */