2 * rlm_unix.c authentication: Unix user authentication
3 * accounting: Functions to write radwtmp file.
4 * Also contains handler for "Group".
9 static const char rcsid[] = "$Id$";
12 #include "libradius.h"
14 /***********************************************************************
15 * Copyright (C) 2000 The FreeRADIUS server project.
17 * This program is is free software; you can redistribute it and/or modify
18 * it under the terms of the GNU General Public License, version 2 if the
19 * License as published by the Free Software Foundation.
21 * This program is distributed in the hope that it will be useful,
22 * but WITHOUT ANY WARRANTY; without even the implied warranty of
23 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
24 * GNU General Public License for more details.
26 * You should have received a copy of the GNU General Public License
27 * along with this program; if not, write to the Free Software
28 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
29 ***********************************************************************/
51 # include <sys/security.h>
61 static char trans[64] =
62 "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
63 #define ENC(c) trans[c]
65 struct unix_instance {
67 const char *passwd_file;
68 const char *shadow_file;
69 const char *group_file;
72 struct pwcache *cache;
75 static struct unix_instance config;
77 static CONF_PARSER module_config[] = {
79 * Cache the password by default.
81 { "cache", PW_TYPE_BOOLEAN, &config.cache_passwd, "yes" },
82 { "passwd", PW_TYPE_STRING_PTR, &config.passwd_file, NULL },
83 { "shadow", PW_TYPE_STRING_PTR, &config.shadow_file, NULL },
84 { "group", PW_TYPE_STRING_PTR, &config.group_file, NULL },
85 { "radwtmp", PW_TYPE_STRING_PTR, &config.radwtmp, "${logdir}/radwtmp" },
86 { "usegroup", PW_TYPE_BOOLEAN, &config.usegroup, "no" },
88 { NULL, -1, NULL, NULL } /* end the list */
92 * groupcmp is part of autz. But it uses the data from an auth instance. So
93 * here is where it gets it. By default this will be the first configured
94 * auth instance. That can be changed by putting "usegroup = yes" inside an
95 * auth instance to explicitly bind all Group checks to it.
98 /* binds "Group=" to an instance (a particular passwd file) */
99 static struct unix_instance *group_inst;
101 /* Tells if the above binding was explicit (usegroup=yes specified in config
102 * file) or not ("Group=" was bound to the first instance of rlm_unix */
103 static int group_inst_explicit;
106 * The Group = handler.
108 static int groupcmp(void *instance, VALUE_PAIR *request, VALUE_PAIR *check,
109 VALUE_PAIR *check_pairs, VALUE_PAIR **reply_pairs)
118 check_pairs = check_pairs;
119 reply_pairs = reply_pairs;
122 radlog(L_ERR, "groupcmp: no group list known.");
126 username = (char *)request->strvalue;
128 if (group_inst->cache_passwd &&
129 (retval = H_groupcmp(group_inst->cache, check, username)) != -2)
132 if ((pwd = getpwnam(username)) == NULL)
135 if ((grp = getgrnam((char *)check->strvalue)) == NULL)
138 retval = (pwd->pw_gid == grp->gr_gid) ? 0 : -1;
140 for (member = grp->gr_mem; *member && retval; member++) {
141 if (strcmp(*member, pwd->pw_name) == 0)
150 * FIXME: We really should have an 'init' which makes
151 * System auth == Unix
153 static int unix_init(void)
155 /* FIXME - delay these until a group file has been read so we know
156 * groupcmp can actually do something */
157 paircompare_register(PW_GROUP, PW_USER_NAME, groupcmp, NULL);
158 #ifdef PW_GROUP_NAME /* compat */
159 paircompare_register(PW_GROUP_NAME, PW_USER_NAME, groupcmp, NULL);
164 static int unix_instantiate(CONF_SECTION *conf, void **instance)
166 struct unix_instance *inst;
169 * Parse the configuration, failing if we can't do so.
171 if (cf_section_parse(conf, module_config) < 0) {
176 * Allocate room for the instance.
178 inst = *instance = malloc(sizeof(struct unix_instance));
184 * Copy the configuration into the instance data
186 inst->cache_passwd = config.cache_passwd;
187 inst->passwd_file = config.passwd_file;
188 inst->shadow_file = config.shadow_file;
189 inst->group_file = config.group_file;
190 inst->radwtmp = config.radwtmp;
191 inst->usegroup = config.usegroup;
192 config.passwd_file = NULL;
193 config.shadow_file = NULL;
194 config.group_file = NULL;
195 config.radwtmp = NULL;
197 if (inst->cache_passwd) {
198 radlog(L_INFO, "HASH: Reinitializing hash structures "
199 "and lists for caching...");
200 if ((inst->cache = unix_buildpwcache(inst->passwd_file,
201 inst->shadow_file))==NULL)
203 radlog(L_ERR, "HASH: unable to create user "
204 "hash table. disable caching and run debugs");
210 if (inst->usegroup) {
211 if (group_inst_explicit) {
212 radlog(L_ERR, "Only one group list may be active");
215 group_inst_explicit = 1;
217 } else if (!group_inst) {
228 static int unix_detach(void *instance)
230 #define inst ((struct unix_instance *)instance)
231 if (group_inst == inst) {
233 group_inst_explicit = 0;
235 free((char *) inst->passwd_file);
236 free((char *) inst->shadow_file);
237 free((char *) inst->group_file);
238 free((char *) inst->radwtmp);
240 unix_freepwcache(inst->cache);
247 static int unix_destroy(void)
249 paircompare_unregister(PW_GROUP, groupcmp);
251 paircompare_unregister(PW_GROUP_NAME, groupcmp);
258 * Check the users password against the standard UNIX
261 static int unix_authenticate(void *instance, REQUEST *request)
263 #define inst ((struct unix_instance *)instance)
267 char *encrypted_pass;
277 struct pr_passwd *pr_pw;
279 #ifdef HAVE_GETUSERSHELL
284 * We can only authenticate user requests which HAVE
285 * a User-Name attribute.
287 if (!request->username) {
288 radlog(L_AUTH, "rlm_unix: Attribute \"User-Name\" is required for authentication.");
289 return RLM_MODULE_INVALID;
293 * We can only authenticate user requests which HAVE
294 * a Password attribute.
296 if (!request->password) {
297 radlog(L_AUTH, "rlm_unix: Attribute \"Password\" is required for authentication.");
298 return RLM_MODULE_INVALID;
302 * Ensure that we're being passed a plain-text password,
303 * and not anything else.
305 if (request->password->attribute != PW_PASSWORD) {
306 radlog(L_AUTH, "rlm_unix: Attribute \"Password\" is required for authentication. Cannot use \"%s\".", request->password->name);
307 return RLM_MODULE_INVALID;
310 name = (char *)request->username->strvalue;
311 passwd = (char *)request->password->strvalue;
313 if (inst->cache_passwd &&
314 (ret = H_unix_pass(inst->cache, name, passwd, &request->reply->vps)) != -2)
315 return (ret == 0) ? RLM_MODULE_OK : RLM_MODULE_REJECT;
318 if ((pr_pw = getprpwnam(name)) == NULL)
319 return RLM_MODULE_NOTFOUND;
320 encrypted_pass = pr_pw->ufld.fd_encrypt;
323 * Get encrypted password from password file
325 if ((pwd = getpwnam(name)) == NULL) {
326 return RLM_MODULE_NOTFOUND;
328 encrypted_pass = pwd->pw_passwd;
333 * See if there is a shadow password.
335 if ((spwd = getspnam(name)) != NULL)
337 encrypted_pass = spwd->pw_passwd;
339 encrypted_pass = spwd->sp_pwdp;
341 #endif /* HAVE_GETSPNAM */
345 * Undocumented temporary compatibility for iphil.NET
346 * Users with a certain shell are always denied access.
348 if (strcmp(pwd->pw_shell, DENY_SHELL) == 0) {
349 radlog(L_AUTH, "rlm_unix: [%s]: invalid shell", name);
350 return RLM_MODULE_REJECT;
354 #if HAVE_GETUSERSHELL
356 * Check /etc/shells for a valid shell. If that file
357 * contains /RADIUSD/ANY/SHELL then any shell will do.
359 while ((shell = getusershell()) != NULL) {
360 if (strcmp(shell, pwd->pw_shell) == 0 ||
361 strcmp(shell, "/RADIUSD/ANY/SHELL") == 0) {
367 return RLM_MODULE_REJECT;
370 #if defined(HAVE_GETSPNAM) && !defined(M_UNIX)
372 * Check if password has expired.
374 if (spwd && spwd->sp_expire > 0 &&
375 (request->timestamp / 86400) > spwd->sp_expire) {
376 radlog(L_AUTH, "rlm_unix: [%s]: password has expired", name);
377 return RLM_MODULE_REJECT;
381 #if defined(__FreeBSD__) || defined(bsdi) || defined(_PWF_EXPIRE)
383 * Check if password has expired.
385 if ((pwd->pw_expire > 0) &&
386 (request->timestamp > pwd->pw_expire)) {
387 radlog(L_AUTH, "rlm_unix: [%s]: password has expired", name);
388 return RLM_MODULE_REJECT;
394 * Check if account is locked.
396 if (pr_pw->uflg.fg_lock!=1) {
397 radlog(L_AUTH, "rlm_unix: [%s]: account locked", name);
398 return RLM_MODULE_USERLOCK;
403 * We might have a passwordless account.
405 if (encrypted_pass[0] == 0)
406 return RLM_MODULE_OK;
409 * Check encrypted password.
411 encpw = crypt(passwd, encrypted_pass);
412 if (strcmp(encpw, encrypted_pass))
413 return RLM_MODULE_REJECT;
415 return RLM_MODULE_OK;
420 * UUencode 4 bits base64. We use this to turn a 4 byte field
421 * (an IP address) into 6 bytes of ASCII. This is used for the
422 * wtmp file if we didn't find a short name in the naslist file.
424 static char *uue(void *in)
427 static unsigned char res[7];
428 unsigned char *data = (unsigned char *)in;
430 res[0] = ENC( data[0] >> 2 );
431 res[1] = ENC( ((data[0] << 4) & 060) + ((data[1] >> 4) & 017) );
432 res[2] = ENC( ((data[1] << 2) & 074) + ((data[2] >> 6) & 03) );
433 res[3] = ENC( data[2] & 077 );
435 res[4] = ENC( data[3] >> 2 );
436 res[5] = ENC( (data[3] << 4) & 060 );
439 for(i = 0; i < 6; i++) {
440 if (res[i] == ' ') res[i] = '`';
441 if (res[i] < 32 || res[i] > 127)
442 printf("uue: protocol error ?!\n");
449 * Unix accounting - write a wtmp file.
451 static int unix_accounting(void *instance, REQUEST *request)
463 int framed_address = 0;
467 int nas_port_type = 0;
468 struct unix_instance *inst = (struct unix_instance *) instance;
471 * Which type is this.
473 if ((vp = pairfind(request->packet->vps, PW_ACCT_STATUS_TYPE))==NULL) {
474 radlog(L_ERR, "Accounting: no Accounting-Status-Type record.");
475 return RLM_MODULE_NOOP;
480 * FIXME: handle PW_STATUS_ALIVE like 1.5.4.3 did.
482 if (status != PW_STATUS_START &&
483 status != PW_STATUS_STOP)
484 return RLM_MODULE_NOOP;
487 * We're only interested in accounting messages
488 * with a username in it.
490 if ((vp = pairfind(request->packet->vps, PW_USER_NAME)) == NULL)
491 return RLM_MODULE_NOOP;
493 t = request->timestamp;
494 memset(&ut, 0, sizeof(ut));
497 * First, find the interesting attributes.
499 for (vp = request->packet->vps; vp; vp = vp->next) {
500 switch (vp->attribute) {
502 strNcpy(ut.ut_name, (char *)vp->strvalue, sizeof(ut.ut_name));
504 case PW_LOGIN_IP_HOST:
505 case PW_FRAMED_IP_ADDRESS:
506 framed_address = vp->lvalue;
508 case PW_FRAMED_PROTOCOL:
509 protocol = vp->lvalue;
511 case PW_NAS_IP_ADDRESS:
512 nas_address = vp->lvalue;
515 nas_port = vp->lvalue;
518 case PW_ACCT_DELAY_TIME:
521 case PW_NAS_PORT_TYPE:
522 nas_port_type = vp->lvalue;
528 * We don't store !root sessions, or sessions
529 * where we didn't see a PW_NAS_PORT_ID.
531 if (strncmp(ut.ut_name, "!root", sizeof(ut.ut_name)) == 0 || !port_seen)
532 return RLM_MODULE_NOOP;
535 * If we didn't find out the NAS address, use the
536 * originator's IP address.
538 if (nas_address == 0)
539 nas_address = request->packet->src_ipaddr;
543 * Linux has a field for the client address.
545 ut.ut_addr = framed_address;
548 * We use the tty field to store the terminal servers' port
549 * and address so that the tty field is unique.
552 if ((cl = nas_find(nas_address)) != NULL)
554 if (s == NULL || s[0] == 0) s = uue(&(nas_address));
555 sprintf(buf, "%03d:%s", nas_port, s);
556 strNcpy(ut.ut_line, buf, sizeof(ut.ut_line));
559 * We store the dynamic IP address in the hostname field.
562 if (framed_address) {
563 ip_ntoa(buf, framed_address);
564 strncpy(ut.ut_host, buf, UT_HOSTSIZE);
568 ut.ut_xtime = t- delay;
570 ut.ut_time = t - delay;
574 * And we can use the ID field to store
577 if (protocol == PW_PPP)
578 strcpy(ut.ut_id, "P");
579 else if (protocol == PW_SLIP)
580 strcpy(ut.ut_id, "S");
582 strcpy(ut.ut_id, "T");
583 ut.ut_type = status == PW_STATUS_STOP ? DEAD_PROCESS : USER_PROCESS;
585 if (status == PW_STATUS_STOP)
589 * Write a RADIUS wtmp log file.
590 * FIXME: return correct error.
591 * Check if file is there. If not, we don't write the
592 * wtmp file. If it is, we try to write. If we fail,
593 * return RLM_MODULE_FAIL ..
595 if ((fp = fopen(inst->radwtmp, "a")) != NULL) {
596 fwrite(&ut, sizeof(ut), 1, fp);
600 return RLM_MODULE_OK;
603 /* globally exported name */
604 module_t rlm_unix = {
606 0, /* type: reserved */
607 unix_init, /* initialization */
608 unix_instantiate, /* instantiation */
609 NULL, /* authorization */
610 unix_authenticate, /* authentication */
611 NULL, /* preaccounting */
612 unix_accounting, /* accounting */
613 NULL, /* checksimul */
614 unix_detach, /* detach */
615 unix_destroy, /* destroy */