2 * rlm_unix.c authentication: Unix user authentication
3 * accounting: Functions to write radwtmp file.
4 * Also contains handler for "Group".
8 * This program is free software; you can redistribute it and/or modify
9 * it under the terms of the GNU General Public License as published by
10 * the Free Software Foundation; either version 2 of the License, or
11 * (at your option) any later version.
13 * This program is distributed in the hope that it will be useful,
14 * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 * GNU General Public License for more details.
18 * You should have received a copy of the GNU General Public License
19 * along with this program; if not, write to the Free Software
20 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
22 * Copyright 2000,2006 The FreeRADIUS server project
23 * Copyright 2000 Jeff Carneal <jeff@apex.net>
24 * Copyright 2000 Alan Curry <pacman@world.std.com>
27 #include <freeradius-devel/ident.h>
30 #include <freeradius-devel/autoconf.h>
36 #include <sys/types.h>
46 # include <sys/security.h>
55 #include <freeradius-devel/radiusd.h>
56 #include <freeradius-devel/modules.h>
57 #include <freeradius-devel/sysutmp.h>
59 static char trans[64] =
60 "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
61 #define ENC(c) trans[c]
63 struct unix_instance {
67 static const CONF_PARSER module_config[] = {
68 { "radwtmp", PW_TYPE_STRING_PTR,
69 offsetof(struct unix_instance,radwtmp), NULL, "NULL" },
71 { NULL, -1, 0, NULL, NULL } /* end the list */
76 * The Group = handler.
78 static int groupcmp(void *instance, UNUSED REQUEST *req, VALUE_PAIR *request,
79 VALUE_PAIR *check, VALUE_PAIR *check_pairs,
80 VALUE_PAIR **reply_pairs)
90 check_pairs = check_pairs;
91 reply_pairs = reply_pairs;
94 * No user name, doesn't compare.
96 vp = pairfind(request, PW_STRIPPED_USER_NAME);
98 vp = pairfind(request, PW_USER_NAME);
103 username = (char *)vp->vp_strvalue;
105 pwd = getpwnam(username);
109 grp = getgrnam((char *)check->vp_strvalue);
113 retval = (pwd->pw_gid == grp->gr_gid) ? 0 : -1;
115 for (member = grp->gr_mem; *member && retval; member++) {
116 if (strcmp(*member, pwd->pw_name) == 0)
127 static int unix_detach(void *instance)
129 #define inst ((struct unix_instance *)instance)
133 paircompare_unregister(PW_GROUP, groupcmp);
135 paircompare_unregister(PW_GROUP_NAME, groupcmp);
145 static int unix_instantiate(CONF_SECTION *conf, void **instance)
147 struct unix_instance *inst;
150 * Allocate room for the instance.
152 inst = *instance = rad_malloc(sizeof(*inst));
156 memset(inst, 0, sizeof(*inst));
159 * Parse the configuration, failing if we can't do so.
161 if (cf_section_parse(conf, inst, module_config) < 0) {
166 /* FIXME - delay these until a group file has been read so we know
167 * groupcmp can actually do something */
168 paircompare_register(PW_GROUP, PW_USER_NAME, groupcmp, NULL);
169 #ifdef PW_GROUP_NAME /* compat */
170 paircompare_register(PW_GROUP_NAME, PW_USER_NAME, groupcmp, NULL);
180 * Pull the users password from where-ever, and add it to
183 static int unix_getpw(UNUSED void *instance, REQUEST *request,
184 VALUE_PAIR **vp_list)
187 const char *encrypted_pass;
189 struct spwd *spwd = NULL;
192 struct pr_passwd *pr_pw;
196 #ifdef HAVE_GETUSERSHELL
202 * We can only authenticate user requests which HAVE
203 * a User-Name attribute.
205 if (!request->username) {
206 return RLM_MODULE_NOOP;
209 name = (char *)request->username->vp_strvalue;
210 encrypted_pass = NULL;
213 if ((pr_pw = getprpwnam(name)) == NULL)
214 return RLM_MODULE_NOTFOUND;
215 encrypted_pass = pr_pw->ufld.fd_encrypt;
218 * Check if account is locked.
220 if (pr_pw->uflg.fg_lock!=1) {
221 radlog(L_AUTH, "rlm_unix: [%s]: account locked", name);
222 return RLM_MODULE_USERLOCK;
225 if ((pwd = getpwnam(name)) == NULL) {
226 return RLM_MODULE_NOTFOUND;
228 encrypted_pass = pwd->pw_passwd;
233 * See if there is a shadow password.
235 * Only query the _system_ shadow file if the encrypted
236 * password from the passwd file is < 10 characters (i.e.
237 * a valid password would never crypt() to it). This will
238 * prevents users from using NULL password fields as things
241 if ((encrypted_pass == NULL) || (strlen(encrypted_pass) < 10)) {
242 if ((spwd = getspnam(name)) == NULL) {
243 return RLM_MODULE_NOTFOUND;
245 encrypted_pass = spwd->sp_pwdp;
247 #endif /* HAVE_GETSPNAM */
250 * These require 'pwd != NULL', which isn't true on OSFC2
255 * Users with a particular shell are denied access
257 if (strcmp(pwd->pw_shell, DENY_SHELL) == 0) {
258 radlog(L_AUTH, "rlm_unix: [%s]: invalid shell", name);
259 return RLM_MODULE_REJECT;
263 #ifdef HAVE_GETUSERSHELL
265 * Check /etc/shells for a valid shell. If that file
266 * contains /RADIUSD/ANY/SHELL then any shell will do.
268 while ((shell = getusershell()) != NULL) {
269 if (strcmp(shell, pwd->pw_shell) == 0 ||
270 strcmp(shell, "/RADIUSD/ANY/SHELL") == 0) {
276 radlog(L_AUTH, "rlm_unix: [%s]: invalid shell [%s]",
277 name, pwd->pw_shell);
278 return RLM_MODULE_REJECT;
283 #if defined(HAVE_GETSPNAM) && !defined(M_UNIX)
285 * Check if password has expired.
287 if (spwd && spwd->sp_expire > 0 &&
288 (request->timestamp / 86400) > spwd->sp_expire) {
289 radlog(L_AUTH, "rlm_unix: [%s]: password has expired", name);
290 return RLM_MODULE_REJECT;
294 #if defined(__FreeBSD__) || defined(bsdi) || defined(_PWF_EXPIRE)
296 * Check if password has expired.
298 if ((pwd->pw_expire > 0) &&
299 (request->timestamp > pwd->pw_expire)) {
300 radlog(L_AUTH, "rlm_unix: [%s]: password has expired", name);
301 return RLM_MODULE_REJECT;
306 * We might have a passwordless account.
308 * FIXME: Maybe add Auth-Type := Accept?
310 if (encrypted_pass[0] == 0)
311 return RLM_MODULE_NOOP;
313 vp = pairmake("Crypt-Password", encrypted_pass, T_OP_SET);
314 if (!vp) return RLM_MODULE_FAIL;
316 pairmove(vp_list, &vp);
317 pairfree(&vp); /* might not be NULL; */
319 return RLM_MODULE_UPDATED;
324 * Pull the users password from where-ever, and add it to
327 static int unix_authorize(void *instance, REQUEST *request)
329 return unix_getpw(instance, request, &request->config_items);
333 * Pull the users password from where-ever, and add it to
336 static int unix_authenticate(void *instance, REQUEST *request)
340 char *progname = "radius";
341 SIAENTITY *ent = NULL;
345 if (sia_ses_init (&ent, 1, info, NULL, name, NULL, 0, NULL) !=
347 return RLM_MODULE_NOTFOUND;
348 if ((ret = sia_ses_authent (NULL, passwd, ent)) != SIASUCCESS) {
350 sia_ses_release (&ent);
351 return RLM_MODULE_NOTFOUND;
353 if (sia_ses_estab (NULL, ent) != SIASUCCESS) {
354 sia_ses_release (&ent);
355 return RLM_MODULE_NOTFOUND;
359 VALUE_PAIR *vp = NULL;
361 if (!request->password ||
362 (request->password->attribute != PW_USER_PASSWORD)) {
363 radlog(L_AUTH, "rlm_unix: Attribute \"User-Password\" is required for authentication.");
364 return RLM_MODULE_INVALID;
367 rcode = unix_getpw(instance, request, &vp);
368 if (rcode != RLM_MODULE_UPDATED) return rcode;
373 if (lrad_crypt_check((char *) request->password->vp_strvalue,
374 (char *) vp->vp_strvalue) != 0) {
375 radlog(L_AUTH, "rlm_unix: [%s]: invalid password",
376 request->username->vp_strvalue);
377 return RLM_MODULE_REJECT;
381 return RLM_MODULE_OK;
386 * UUencode 4 bits base64. We use this to turn a 4 byte field
387 * (an IP address) into 6 bytes of ASCII. This is used for the
388 * wtmp file if we didn't find a short name in the naslist file.
390 static char *uue(void *in)
393 static unsigned char res[7];
394 unsigned char *data = (unsigned char *)in;
396 res[0] = ENC( data[0] >> 2 );
397 res[1] = ENC( ((data[0] << 4) & 060) + ((data[1] >> 4) & 017) );
398 res[2] = ENC( ((data[1] << 2) & 074) + ((data[2] >> 6) & 03) );
399 res[3] = ENC( data[2] & 077 );
401 res[4] = ENC( data[3] >> 2 );
402 res[5] = ENC( (data[3] << 4) & 060 );
405 for(i = 0; i < 6; i++) {
406 if (res[i] == ' ') res[i] = '`';
407 if (res[i] < 32 || res[i] > 127)
408 printf("uue: protocol error ?!\n");
415 * Unix accounting - write a wtmp file.
417 static int unix_accounting(void *instance, REQUEST *request)
428 int framed_address = 0;
432 int nas_port_type = 0;
433 struct unix_instance *inst = (struct unix_instance *) instance;
436 * No radwtmp. Don't do anything.
438 if (!inst->radwtmp) {
439 DEBUG2("rlm_unix: No radwtmp file configured. Ignoring accounting request.");
440 return RLM_MODULE_NOOP;
443 if (request->packet->src_ipaddr.af != AF_INET) {
444 DEBUG2("rlm_unix: IPv6 is not supported!");
445 return RLM_MODULE_NOOP;
449 * Which type is this.
451 if ((vp = pairfind(request->packet->vps, PW_ACCT_STATUS_TYPE))==NULL) {
452 radlog(L_ERR, "rlm_unix: no Accounting-Status-Type attribute in request.");
453 return RLM_MODULE_NOOP;
458 * FIXME: handle PW_STATUS_ALIVE like 1.5.4.3 did.
460 if (status != PW_STATUS_START &&
461 status != PW_STATUS_STOP)
462 return RLM_MODULE_NOOP;
465 * We're only interested in accounting messages
466 * with a username in it.
468 if ((vp = pairfind(request->packet->vps, PW_USER_NAME)) == NULL)
469 return RLM_MODULE_NOOP;
471 t = request->timestamp;
472 memset(&ut, 0, sizeof(ut));
475 * First, find the interesting attributes.
477 for (vp = request->packet->vps; vp; vp = vp->next) {
478 switch (vp->attribute) {
480 if (vp->length >= sizeof(ut.ut_name)) {
481 memcpy(ut.ut_name, (char *)vp->vp_strvalue, sizeof(ut.ut_name));
483 strlcpy(ut.ut_name, (char *)vp->vp_strvalue, sizeof(ut.ut_name));
486 case PW_LOGIN_IP_HOST:
487 case PW_FRAMED_IP_ADDRESS:
488 framed_address = vp->lvalue;
490 case PW_FRAMED_PROTOCOL:
491 protocol = vp->lvalue;
493 case PW_NAS_IP_ADDRESS:
494 nas_address = vp->lvalue;
497 nas_port = vp->lvalue;
500 case PW_ACCT_DELAY_TIME:
503 case PW_NAS_PORT_TYPE:
504 nas_port_type = vp->lvalue;
510 * We don't store !root sessions, or sessions
511 * where we didn't see a NAS-Port attribute.
513 if (strncmp(ut.ut_name, "!root", sizeof(ut.ut_name)) == 0 || !port_seen)
514 return RLM_MODULE_NOOP;
519 * If we didn't find out the NAS address, use the
520 * originator's IP address.
522 if (nas_address == 0) {
524 nas_address = request->packet->src_ipaddr.ipaddr.ip4addr.s_addr;
526 if ((cl = client_find_old(&request->packet->src_ipaddr)) != NULL)
529 if (!s || s[0] == 0) s = uue(&(nas_address));
533 * Linux has a field for the client address.
535 ut.ut_addr = framed_address;
538 * We use the tty field to store the terminal servers' port
539 * and address so that the tty field is unique.
541 sprintf(buf, "%03d:%s", nas_port, s);
542 strlcpy(ut.ut_line, buf, sizeof(ut.ut_line));
545 * We store the dynamic IP address in the hostname field.
548 if (framed_address) {
549 ip_ntoa(buf, framed_address);
550 strlcpy(ut.ut_host, buf, sizeof(ut.ut_host));
554 ut.ut_xtime = t- delay;
556 ut.ut_time = t - delay;
560 * And we can use the ID field to store
563 if (protocol == PW_PPP)
564 strcpy(ut.ut_id, "P");
565 else if (protocol == PW_SLIP)
566 strcpy(ut.ut_id, "S");
568 strcpy(ut.ut_id, "T");
569 ut.ut_type = status == PW_STATUS_STOP ? DEAD_PROCESS : USER_PROCESS;
571 if (status == PW_STATUS_STOP)
575 * Write a RADIUS wtmp log file.
577 * Try to open the file if we can't, we don't write the
578 * wtmp file. If we can try to write. If we fail,
579 * return RLM_MODULE_FAIL ..
581 if ((fp = fopen(inst->radwtmp, "a")) != NULL) {
582 if ((fwrite(&ut, sizeof(ut), 1, fp)) != 1) {
584 return RLM_MODULE_FAIL;
588 return RLM_MODULE_FAIL;
590 return RLM_MODULE_OK;
593 /* globally exported name */
594 module_t rlm_unix = {
597 RLM_TYPE_THREAD_UNSAFE, /* type */
598 unix_instantiate, /* instantiation */
599 unix_detach, /* detach */
601 unix_authenticate, /* authentication */
602 unix_authorize, /* authorization */
603 NULL, /* preaccounting */
604 unix_accounting, /* accounting */
605 NULL, /* checksimul */
606 NULL, /* pre-proxy */
607 NULL, /* post-proxy */