2 * rlm_unix.c authentication: Unix user authentication
3 * accounting: Functions to write radwtmp file.
4 * Also contains handler for "Group".
8 * This program is free software; you can redistribute it and/or modify
9 * it under the terms of the GNU General Public License as published by
10 * the Free Software Foundation; either version 2 of the License, or
11 * (at your option) any later version.
13 * This program is distributed in the hope that it will be useful,
14 * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 * GNU General Public License for more details.
18 * You should have received a copy of the GNU General Public License
19 * along with this program; if not, write to the Free Software
20 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
22 * Copyright 2000 The FreeRADIUS server project
23 * Copyright 2000 Jeff Carneal <jeff@apex.net>
24 * Copyright 2000 Alan Curry <pacman@world.std.com>
26 static const char rcsid[] = "$Id$";
29 #include "libradius.h"
35 #include <sys/types.h>
45 # include <sys/security.h>
61 static char trans[64] =
62 "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
63 #define ENC(c) trans[c]
65 struct unix_instance {
67 const char *passwd_file;
68 const char *shadow_file;
69 const char *group_file;
72 struct pwcache *cache;
78 static CONF_PARSER module_config[] = {
80 * Cache the password by default.
82 { "cache", PW_TYPE_BOOLEAN,
83 offsetof(struct unix_instance,cache_passwd), NULL, "no" },
84 { "passwd", PW_TYPE_STRING_PTR,
85 offsetof(struct unix_instance,passwd_file), NULL, NULL },
86 { "shadow", PW_TYPE_STRING_PTR,
87 offsetof(struct unix_instance,shadow_file), NULL, NULL },
88 { "group", PW_TYPE_STRING_PTR,
89 offsetof(struct unix_instance,group_file), NULL, NULL },
90 { "radwtmp", PW_TYPE_STRING_PTR,
91 offsetof(struct unix_instance,radwtmp), NULL, "NULL" },
92 { "usegroup", PW_TYPE_BOOLEAN,
93 offsetof(struct unix_instance,usegroup), NULL, "no" },
94 { "cache_reload", PW_TYPE_INTEGER,
95 offsetof(struct unix_instance,cache_reload), NULL, "600" },
97 { NULL, -1, 0, NULL, NULL } /* end the list */
101 * groupcmp is part of autz. But it uses the data from an auth instance. So
102 * here is where it gets it. By default this will be the first configured
103 * auth instance. That can be changed by putting "usegroup = yes" inside an
104 * auth instance to explicitly bind all Group checks to it.
107 /* binds "Group=" to an instance (a particular passwd file) */
108 static struct unix_instance *group_inst;
110 /* Tells if the above binding was explicit (usegroup=yes specified in config
111 * file) or not ("Group=" was bound to the first instance of rlm_unix */
112 static int group_inst_explicit;
116 static inline const char *get_shadow_name(shadow_pwd_t *spwd) {
117 if (spwd == NULL) return NULL;
118 return (spwd->pw_name);
121 static inline const char *get_shadow_encrypted_pwd(shadow_pwd_t *spwd) {
122 if (spwd == NULL) return NULL;
123 return (spwd->pw_passwd);
126 static inline const char *get_shadow_name(shadow_pwd_t *spwd) {
127 if (spwd == NULL) return NULL;
128 return (spwd->sp_namp);
130 static inline const char *get_shadow_encrypted_pwd(shadow_pwd_t *spwd) {
131 if (spwd == NULL) return NULL;
132 return (spwd->sp_pwdp);
135 #endif /* HAVE_GETSPNAM */
137 static struct passwd *fgetpwnam(const char *fname, const char *name) {
138 FILE *file = fopen(fname, "ro");
139 struct passwd *pwd = NULL;
141 if(file == NULL) return NULL;
143 pwd = fgetpwent(file);
148 } while (strcmp(name, pwd->pw_name) != 0);
154 static struct group *fgetgrnam(const char *fname, const char *name) {
155 FILE *file = fopen(fname, "ro");
156 struct group *grp = NULL;
158 if(file == NULL) return NULL;
161 grp = fgetgrent(file);
166 } while(strcmp(name, grp->gr_name) != 0);
173 static shadow_pwd_t *fgetspnam(const char *fname, const char *name) {
174 FILE *file = fopen(fname, "ro");
175 shadow_pwd_t *spwd = NULL;
177 if(file == NULL) return NULL;
179 spwd = fgetspent(file);
184 } while(strcmp(name, get_shadow_name(spwd)) != 0);
192 * The Group = handler.
194 static int groupcmp(void *instance, REQUEST *req, VALUE_PAIR *request,
195 VALUE_PAIR *check, VALUE_PAIR *check_pairs,
196 VALUE_PAIR **reply_pairs)
206 check_pairs = check_pairs;
207 reply_pairs = reply_pairs;
210 radlog(L_ERR, "groupcmp: no group list known.");
215 * No user name, doesn't compare.
217 vp = pairfind(request, PW_STRIPPED_USER_NAME);
219 vp = pairfind(request, PW_USER_NAME);
224 username = (char *)vp->strvalue;
226 if (group_inst->cache_passwd &&
227 (retval = H_groupcmp(group_inst->cache, check, username)) != -2)
230 if (group_inst->passwd_file)
231 pwd = fgetpwnam(group_inst->passwd_file, username);
233 pwd = getpwnam(username);
237 if (group_inst->group_file)
238 grp = fgetgrnam(group_inst->group_file, (char *)check->strvalue);
240 grp = getgrnam((char *)check->strvalue);
244 retval = (pwd->pw_gid == grp->gr_gid) ? 0 : -1;
246 for (member = grp->gr_mem; *member && retval; member++) {
247 if (strcmp(*member, pwd->pw_name) == 0)
256 * FIXME: We really should have an 'init' which makes
257 * System auth == Unix
259 static int unix_init(void)
261 /* FIXME - delay these until a group file has been read so we know
262 * groupcmp can actually do something */
263 paircompare_register(PW_GROUP, PW_USER_NAME, groupcmp, NULL);
264 #ifdef PW_GROUP_NAME /* compat */
265 paircompare_register(PW_GROUP_NAME, PW_USER_NAME, groupcmp, NULL);
270 static int unix_instantiate(CONF_SECTION *conf, void **instance)
272 struct unix_instance *inst;
275 * Allocate room for the instance.
277 inst = *instance = rad_malloc(sizeof(*inst));
281 memset(inst, 0, sizeof(*inst));
284 * Parse the configuration, failing if we can't do so.
286 if (cf_section_parse(conf, inst, module_config) < 0) {
291 if (inst->cache_passwd) {
292 radlog(L_INFO, "HASH: Reinitializing hash structures "
293 "and lists for caching...");
294 if ((inst->cache = unix_buildpwcache(inst->passwd_file,
296 inst->group_file))==NULL)
298 radlog(L_ERR, "HASH: unable to create user "
299 "hash table. disable caching and run debugs");
300 if (inst->passwd_file)
301 free((char *) inst->passwd_file);
302 if (inst->shadow_file)
303 free((char *) inst->shadow_file);
304 if (inst->group_file)
305 free((char *) inst->group_file);
307 free((char *) inst->radwtmp);
312 if (inst->cache_reload) {
313 inst->last_reload = 0;
314 inst->next_reload = time(NULL) + inst->cache_reload;
320 if (inst->usegroup) {
321 if (group_inst_explicit) {
322 radlog(L_ERR, "Only one group list may be active");
325 group_inst_explicit = 1;
327 } else if (!group_inst) {
338 static int unix_detach(void *instance)
340 #define inst ((struct unix_instance *)instance)
341 if (group_inst == inst) {
343 group_inst_explicit = 0;
345 if (inst->passwd_file)
346 free((char *) inst->passwd_file);
347 if (inst->shadow_file)
348 free((char *) inst->shadow_file);
349 if (inst->group_file)
350 free((char *) inst->group_file);
352 free((char *) inst->radwtmp);
354 unix_freepwcache(inst->cache);
361 static int unix_destroy(void)
363 paircompare_unregister(PW_GROUP, groupcmp);
365 paircompare_unregister(PW_GROUP_NAME, groupcmp);
372 * Check the users password against the standard UNIX
375 static int unix_authenticate(void *instance, REQUEST *request)
377 #define inst ((struct unix_instance *)instance)
380 const char *encrypted_pass;
383 shadow_pwd_t *spwd = NULL;
386 struct pr_passwd *pr_pw;
390 char *progname = "radius";
391 SIAENTITY *ent = NULL;
393 #ifdef HAVE_GETUSERSHELL
397 /* See if we should refresh the cache */
398 if (inst->cache && inst->cache_reload
399 && (inst->next_reload < request->timestamp)) {
400 /* Time to refresh, maybe ? */
404 DEBUG2("rlm_users : Time to refresh cache.");
405 /* Check if any of the files has changed */
406 if (inst->passwd_file
407 && (stat(inst->passwd_file, &statbuf) != -1)
408 && (statbuf.st_mtime > inst->last_reload)) {
412 if (inst->shadow_file
413 && (stat(inst->shadow_file, &statbuf) != -1)
414 && (statbuf.st_mtime > inst->last_reload)) {
419 && (stat(inst->group_file, &statbuf) != -1)
420 && (statbuf.st_mtime > inst->last_reload)) {
425 /* Build a new cache to replace old one */
426 struct pwcache *oldcache;
427 struct pwcache *newcache = unix_buildpwcache(
433 oldcache = inst->cache;
434 inst->cache = newcache;
435 unix_freepwcache(oldcache);
437 inst->last_reload = time(NULL);
440 DEBUG2("rlm_users : Files were unchanged. Not reloading.");
443 /* Schedule next refresh */
444 inst->next_reload = time(NULL) + inst->cache_reload;
448 * We can only authenticate user requests which HAVE
449 * a User-Name attribute.
451 if (!request->username) {
452 radlog(L_AUTH, "rlm_unix: Attribute \"User-Name\" is required for authentication.");
453 return RLM_MODULE_INVALID;
457 * We can only authenticate user requests which HAVE
458 * a User-Password attribute.
460 if (!request->password) {
461 radlog(L_AUTH, "rlm_unix: Attribute \"User-Password\" is required for authentication.");
462 return RLM_MODULE_INVALID;
466 * Ensure that we're being passed a plain-text password,
467 * and not anything else.
469 if (request->password->attribute != PW_PASSWORD) {
470 radlog(L_AUTH, "rlm_unix: Attribute \"User-Password\" is required for authentication. Cannot use \"%s\".", request->password->name);
471 return RLM_MODULE_INVALID;
474 name = (char *)request->username->strvalue;
475 passwd = (char *)request->password->strvalue;
477 if (inst->cache_passwd &&
478 (ret = H_unix_pass(inst->cache, name, passwd, &request->reply->vps)) != -2)
479 return (ret == 0) ? RLM_MODULE_OK : RLM_MODULE_REJECT;
484 if (sia_ses_init (&ent, 1, info, NULL, name, NULL, 0, NULL) !=
486 return RLM_MODULE_NOTFOUND;
487 if ((ret = sia_ses_authent (NULL, passwd, ent)) != SIASUCCESS) {
489 sia_ses_release (&ent);
490 return RLM_MODULE_NOTFOUND;
492 if (sia_ses_estab (NULL, ent) == SIASUCCESS) {
493 sia_ses_release (&ent);
494 return RLM_MODULE_OK;
497 return RLM_MODULE_NOTFOUND;
500 if ((pr_pw = getprpwnam(name)) == NULL)
501 return RLM_MODULE_NOTFOUND;
502 encrypted_pass = pr_pw->ufld.fd_encrypt;
505 * Get encrypted password from password file
507 * If a password file was explicitly specified, use it,
508 * otherwise, use the system routines to read the
509 * system password file
511 if (inst->passwd_file != NULL) {
512 if ((pwd = fgetpwnam(inst->passwd_file, name)) == NULL)
513 return RLM_MODULE_NOTFOUND;
514 } else if ((pwd = getpwnam(name)) == NULL) {
515 return RLM_MODULE_NOTFOUND;
517 encrypted_pass = pwd->pw_passwd;
522 * See if there is a shadow password.
524 * If a shadow file was explicitly specified, use it,
525 * otherwise, use the system routines to read the
526 * system shadow file.
528 * Also, if we explicitly specify the password file,
529 * only query the _system_ shadow file if the encrypted
530 * password from the passwd file is < 10 characters (i.e.
531 * a valid password would never crypt() to it). This will
532 * prevents users from using NULL password fields as things
535 if (inst->shadow_file != NULL) {
536 if ((spwd = fgetspnam(inst->shadow_file, name)) != NULL)
537 encrypted_pass = get_shadow_encrypted_pwd(spwd);
538 } else if ((encrypted_pass == NULL) || (strlen(encrypted_pass) < 10)) {
539 if ((spwd = getspnam(name)) != NULL)
540 encrypted_pass = get_shadow_encrypted_pwd(spwd);
542 #endif /* HAVE_GETSPNAM */
546 * Undocumented temporary compatibility for iphil.NET
547 * Users with a certain shell are always denied access.
549 if (strcmp(pwd->pw_shell, DENY_SHELL) == 0) {
550 radlog(L_AUTH, "rlm_unix: [%s]: invalid shell", name);
551 return RLM_MODULE_REJECT;
555 #ifdef HAVE_GETUSERSHELL
557 * Check /etc/shells for a valid shell. If that file
558 * contains /RADIUSD/ANY/SHELL then any shell will do.
560 while ((shell = getusershell()) != NULL) {
561 if (strcmp(shell, pwd->pw_shell) == 0 ||
562 strcmp(shell, "/RADIUSD/ANY/SHELL") == 0) {
568 radlog(L_AUTH, "rlm_unix: [%s]: invalid shell [%s]",
569 name, pwd->pw_shell);
570 return RLM_MODULE_REJECT;
574 #if defined(HAVE_GETSPNAM) && !defined(M_UNIX)
576 * Check if password has expired.
578 if (spwd && spwd->sp_expire > 0 &&
579 (request->timestamp / 86400) > spwd->sp_expire) {
580 radlog(L_AUTH, "rlm_unix: [%s]: password has expired", name);
581 return RLM_MODULE_REJECT;
585 #if defined(__FreeBSD__) || defined(bsdi) || defined(_PWF_EXPIRE)
587 * Check if password has expired.
589 if ((pwd->pw_expire > 0) &&
590 (request->timestamp > pwd->pw_expire)) {
591 radlog(L_AUTH, "rlm_unix: [%s]: password has expired", name);
592 return RLM_MODULE_REJECT;
598 * Check if account is locked.
600 if (pr_pw->uflg.fg_lock!=1) {
601 radlog(L_AUTH, "rlm_unix: [%s]: account locked", name);
602 return RLM_MODULE_USERLOCK;
607 * We might have a passwordless account.
609 if (encrypted_pass[0] == 0)
610 return RLM_MODULE_OK;
613 * Check encrypted password.
615 if (lrad_crypt_check(passwd, encrypted_pass)) {
616 radlog(L_AUTH, "rlm_unix: [%s]: invalid password", name);
617 return RLM_MODULE_REJECT;
619 return RLM_MODULE_OK;
625 * UUencode 4 bits base64. We use this to turn a 4 byte field
626 * (an IP address) into 6 bytes of ASCII. This is used for the
627 * wtmp file if we didn't find a short name in the naslist file.
629 static char *uue(void *in)
632 static unsigned char res[7];
633 unsigned char *data = (unsigned char *)in;
635 res[0] = ENC( data[0] >> 2 );
636 res[1] = ENC( ((data[0] << 4) & 060) + ((data[1] >> 4) & 017) );
637 res[2] = ENC( ((data[1] << 2) & 074) + ((data[2] >> 6) & 03) );
638 res[3] = ENC( data[2] & 077 );
640 res[4] = ENC( data[3] >> 2 );
641 res[5] = ENC( (data[3] << 4) & 060 );
644 for(i = 0; i < 6; i++) {
645 if (res[i] == ' ') res[i] = '`';
646 if (res[i] < 32 || res[i] > 127)
647 printf("uue: protocol error ?!\n");
654 * Unix accounting - write a wtmp file.
656 static int unix_accounting(void *instance, REQUEST *request)
668 int framed_address = 0;
672 int nas_port_type = 0;
673 struct unix_instance *inst = (struct unix_instance *) instance;
676 * No radwtmp. Don't do anything.
678 if (!inst->radwtmp) {
679 DEBUG2("rlm_unix: No radwtmp file configured. Ignoring accounting request.");
680 return RLM_MODULE_NOOP;
684 * Which type is this.
686 if ((vp = pairfind(request->packet->vps, PW_ACCT_STATUS_TYPE))==NULL) {
687 radlog(L_ERR, "rlm_unix: no Accounting-Status-Type attribute in request.");
688 return RLM_MODULE_NOOP;
693 * FIXME: handle PW_STATUS_ALIVE like 1.5.4.3 did.
695 if (status != PW_STATUS_START &&
696 status != PW_STATUS_STOP)
697 return RLM_MODULE_NOOP;
700 * We're only interested in accounting messages
701 * with a username in it.
703 if ((vp = pairfind(request->packet->vps, PW_USER_NAME)) == NULL)
704 return RLM_MODULE_NOOP;
706 t = request->timestamp;
707 memset(&ut, 0, sizeof(ut));
710 * First, find the interesting attributes.
712 for (vp = request->packet->vps; vp; vp = vp->next) {
713 switch (vp->attribute) {
715 if (vp->length >= sizeof(ut.ut_name)) {
716 memcpy(ut.ut_name, (char *)vp->strvalue, sizeof(ut.ut_name));
718 strNcpy(ut.ut_name, (char *)vp->strvalue, sizeof(ut.ut_name));
721 case PW_LOGIN_IP_HOST:
722 case PW_FRAMED_IP_ADDRESS:
723 framed_address = vp->lvalue;
725 case PW_FRAMED_PROTOCOL:
726 protocol = vp->lvalue;
728 case PW_NAS_IP_ADDRESS:
729 nas_address = vp->lvalue;
732 nas_port = vp->lvalue;
735 case PW_ACCT_DELAY_TIME:
738 case PW_NAS_PORT_TYPE:
739 nas_port_type = vp->lvalue;
745 * We don't store !root sessions, or sessions
746 * where we didn't see a NAS-Port attribute.
748 if (strncmp(ut.ut_name, "!root", sizeof(ut.ut_name)) == 0 || !port_seen)
749 return RLM_MODULE_NOOP;
752 * If we didn't find out the NAS address, use the
753 * originator's IP address.
755 if (nas_address == 0)
756 nas_address = request->packet->src_ipaddr;
760 * Linux has a field for the client address.
762 ut.ut_addr = framed_address;
765 * We use the tty field to store the terminal servers' port
766 * and address so that the tty field is unique.
769 if ((cl = client_find(nas_address)) != NULL)
771 if (s == NULL || s[0] == 0) s = uue(&(nas_address));
772 sprintf(buf, "%03d:%s", nas_port, s);
773 strNcpy(ut.ut_line, buf, sizeof(ut.ut_line));
776 * We store the dynamic IP address in the hostname field.
779 if (framed_address) {
780 ip_ntoa(buf, framed_address);
781 strncpy(ut.ut_host, buf, sizeof(ut.ut_host));
785 ut.ut_xtime = t- delay;
787 ut.ut_time = t - delay;
791 * And we can use the ID field to store
794 if (protocol == PW_PPP)
795 strcpy(ut.ut_id, "P");
796 else if (protocol == PW_SLIP)
797 strcpy(ut.ut_id, "S");
799 strcpy(ut.ut_id, "T");
800 ut.ut_type = status == PW_STATUS_STOP ? DEAD_PROCESS : USER_PROCESS;
802 if (status == PW_STATUS_STOP)
806 * Write a RADIUS wtmp log file.
808 * Try to open the file if we can't, we don't write the
809 * wtmp file. If we can try to write. If we fail,
810 * return RLM_MODULE_FAIL ..
812 if ((fp = fopen(inst->radwtmp, "a")) != NULL) {
813 if ((fwrite(&ut, sizeof(ut), 1, fp)) != 1) {
815 return RLM_MODULE_FAIL;
819 return RLM_MODULE_FAIL;
821 return RLM_MODULE_OK;
824 /* globally exported name */
825 module_t rlm_unix = {
827 RLM_TYPE_THREAD_UNSAFE, /* type: reserved */
828 unix_init, /* initialization */
829 unix_instantiate, /* instantiation */
831 unix_authenticate, /* authentication */
832 NULL, /* authorization */
833 NULL, /* preaccounting */
834 unix_accounting, /* accounting */
835 NULL, /* checksimul */
836 NULL, /* pre-proxy */
837 NULL, /* post-proxy */
840 unix_detach, /* detach */
841 unix_destroy, /* destroy */