*
* Version: $Id$
*
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
+ *
+ * Copyright 2000 The FreeRADIUS server project
+ * Copyright 1997 Jeph Blaize <jblaize@kiva.net>
+ * Copyright 1999 miguel a.l. paraz <map@iphil.net>
*/
-#include "autoconf.h"
+#include <freeradius-devel/autoconf.h>
+
+#include "config.h"
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
+#ifdef HAVE_SECURITY_PAM_APPL_H
#include <security/pam_appl.h>
+#endif
-#if HAVE_MALLOC_H
-# include <malloc.h>
+#ifdef HAVE_PAM_PAM_APPL_H
+#include <pam/pam_appl.h>
#endif
-#include "radiusd.h"
-#include "modules.h"
+
+#ifdef HAVE_SYSLOG_H
+#include <syslog.h>
+#endif
+
+#include <freeradius-devel/radiusd.h>
+#include <freeradius-devel/modules.h>
+
+typedef struct rlm_pam_t {
+ const char *pam_auth_name;
+} rlm_pam_t;
+
+static const CONF_PARSER module_config[] = {
+ { "pam_auth", PW_TYPE_STRING_PTR, offsetof(rlm_pam_t,pam_auth_name),
+ NULL, "radiusd" },
+ { NULL, -1, 0, NULL, NULL }
+};
+
+/*
+ * (Re-)read radiusd.conf into memory.
+ */
+static int pam_instantiate(CONF_SECTION *conf, void **instance)
+{
+ rlm_pam_t *data;
+
+ data = rad_malloc(sizeof(*data));
+ if (!data) {
+ return -1;
+ }
+ memset(data, 0, sizeof(*data));
+
+ if (cf_section_parse(conf, data, module_config) < 0) {
+ free(data);
+ return -1;
+ }
+
+ *instance = data;
+ return 0;
+}
+
+/*
+ * Clean up.
+ */
+static int pam_detach(void *instance)
+{
+ rlm_pam_t *data = (rlm_pam_t *) instance;
+
+ free((char *) data->pam_auth_name);
+ free((char *) data);
+ return 0;
+}
/*************************************************************************
*
const struct pam_message **msg,
struct pam_response **resp,
void *appdata_ptr) {
- int count = 0, replies = 0;
- struct pam_response *reply = NULL;
- int size = sizeof(struct pam_response);
+ int count;
+ struct pam_response *reply;
my_PAM *pam_config = (my_PAM *) appdata_ptr;
-
-#define GET_MEM if (reply) realloc(reply, size); else reply = malloc(size); \
- if (!reply) return PAM_CONV_ERR; \
- size += sizeof(struct pam_response)
+
+/* strdup(NULL) doesn't work on some platforms */
#define COPY_STRING(s) ((s) ? strdup(s) : NULL)
-
+
+ reply = rad_malloc(num_msg * sizeof(struct pam_response));
+ memset(reply, 0, num_msg * sizeof(struct pam_response));
for (count = 0; count < num_msg; count++) {
switch (msg[count]->msg_style) {
case PAM_PROMPT_ECHO_ON:
- GET_MEM;
- reply[replies].resp_retcode = PAM_SUCCESS;
- reply[replies++].resp = COPY_STRING(pam_config->username);
- /* PAM frees resp */
+ reply[count].resp_retcode = PAM_SUCCESS;
+ reply[count].resp = COPY_STRING(pam_config->username);
break;
case PAM_PROMPT_ECHO_OFF:
- GET_MEM;
- reply[replies].resp_retcode = PAM_SUCCESS;
- reply[replies++].resp = COPY_STRING(pam_config->password);
- /* PAM frees resp */
+ reply[count].resp_retcode = PAM_SUCCESS;
+ reply[count].resp = COPY_STRING(pam_config->password);
break;
case PAM_TEXT_INFO:
/* ignore it... */
case PAM_ERROR_MSG:
default:
/* Must be an error of some sort... */
- free (reply);
+ for (count = 0; count < num_msg; count++) {
+ if (reply[count].resp) {
+ /* could be a password, let's be sanitary */
+ memset(reply[count].resp, 0, strlen(reply[count].resp));
+ free(reply[count].resp);
+ }
+ }
+ free(reply);
pam_config->error = 1;
return PAM_CONV_ERR;
}
}
- if (reply) *resp = reply;
+ *resp = reply;
+ /* PAM frees reply (including reply[].resp) */
return PAM_SUCCESS;
}
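Review bot: The `memset(reply[count].resp, 0, strlen(reply[count].resp))` wipe in the error path is immediately followed by `free()`, so the compiler is entitled to drop it as a dead store and the copied password can remain in freed heap memory; it needs an overwrite the optimizer cannot elide, either a small volatile-based helper as below or `explicit_bzero`/`memset_s` where the build detects one. Separately, `COPY_STRING` yields NULL when `strdup` fails and that is stored unchecked into `reply[count].resp`, so an allocation failure on the ECHO_OFF prompt reaches PAM as a response with a NULL `resp` instead of `PAM_CONV_ERR`; checking for NULL there and taking the same cleanup path would be consistent with the new error handling. The `case PAM_TEXT_INFO:` with its "ignore it..." comment still falls through into that error branch, so the comment misdescribes what happens and deserves a `/* falls through: treated as an error */` or a real `break`. pam_conv's signature starts outside the hunk.
```c
/* Overwrite that the optimizer cannot elide: a plain memset()
 * immediately before free() may be removed as a dead store. */
static void wipe_string(char *s)
{
	volatile char *p = (volatile char *) s;

	while (*p) {
		*p++ = '\0';
	}
}

/* … unchanged: pam_conv() up to the error-branch cleanup loop … */
				if (reply[count].resp) {
					/* could be a password, let's be sanitary */
					wipe_string(reply[count].resp);
					free(reply[count].resp);
				}
```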
*************************************************************************/
/* cjd 19980706
- *
+ *
* for most flexibility, passing a pamauth type to this function
* allows you to have multiple authentication types (i.e. multiple
* files associated with radius in /etc/pam.d)
if (retval != PAM_SUCCESS) {
DEBUG("pam_pass: function pam_authenticate FAILED for <%s>. Reason: %s",
name, pam_strerror(pamh, retval));
- pam_end(pamh, 0);
+ pam_end(pamh, retval);
return -1;
}
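Review bot: The status from `pam_authenticate` is now handed to `pam_end()`, which matches the PAM contract, but it is otherwise discarded: pam_pass returns -1 for every failure and the reason is only emitted at DEBUG level, so an infrastructure problem (e.g. PAM_AUTHINFO_UNAVAIL or a misconfigured service under /etc/pam.d) is indistinguishable from a bad password for the caller and surfaces as an ordinary reject, hiding outages as authentication failures. Consider at least a comment at the `return -1;`, `/* TODO: distinguish PAM_AUTH_ERR from backend/config errors so pam_auth can return RLM_MODULE_FAIL instead of a reject */`, or returning the PAM status and mapping it in the caller. The pam_acct_mgmt failure path below has the same shape. The enclosing function pam_pass starts before this hunk.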
if (retval != PAM_SUCCESS) {
DEBUG("pam_pass: function pam_acct_mgmt FAILED for <%s>. Reason: %s",
name, pam_strerror(pamh, retval));
- pam_end(pamh, 0);
+ pam_end(pamh, retval);
return -1;
}
#endif
DEBUG("pam_pass: authentication succeeded for <%s>", name);
- pam_end(pamh, 0);
+ pam_end(pamh, retval);
return 0;
}
{
int r;
VALUE_PAIR *pair;
- const char *pam_auth_string = "radiusd";
+ rlm_pam_t *data = (rlm_pam_t *) instance;
- instance = instance;
+ const char *pam_auth_string = data->pam_auth_name;
/*
* We can only authenticate user requests which HAVE
/*
* We can only authenticate user requests which HAVE
- * a Password attribute.
+ * a User-Password attribute.
*/
if (!request->password) {
- radlog(L_AUTH, "rlm_pam: Attribute \"Password\" is required for authentication.");
+ radlog(L_AUTH, "rlm_pam: Attribute \"User-Password\" is required for authentication.");
return RLM_MODULE_INVALID;
}
* and not anything else.
*/
if (request->password->attribute != PW_PASSWORD) {
- radlog(L_AUTH, "rlm_pam: Attribute \"Password\" is required for authentication. Cannot use \"%s\".", request->password->name);
+ radlog(L_AUTH, "rlm_pam: Attribute \"User-Password\" is required for authentication. Cannot use \"%s\".", request->password->name);
return RLM_MODULE_INVALID;
}
+ /*
+ * Let the 'users' file over-ride the PAM auth name string,
+ * for backwards compatibility.
+ */
pair = pairfind(request->config_items, PAM_AUTH_ATTR);
- if (pair) pam_auth_string = (char *)pair->strvalue;
+ if (pair) pam_auth_string = (char *)pair->vp_strvalue;
- r = pam_pass((char *)request->username->strvalue,
- (char *)request->password->strvalue,
+ r = pam_pass((char *)request->username->vp_strvalue,
+ (char *)request->password->vp_strvalue,
pam_auth_string);
+
+#ifdef HAVE_SYSLOG_H
+ if (!strcmp(radlog_dir, "syslog")) {
+ openlog(progname, LOG_PID, mainconfig.syslog_facility);
+ }
+#endif
+
if (r == 0) {
return RLM_MODULE_OK;
}
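Review bot: The `openlog(progname, LOG_PID, mainconfig.syslog_facility)` block added after `pam_pass()` has no comment saying why syslog is re-opened on every authentication; presumably PAM modules call `openlog()`/`closelog()` with their own ident and this restores the server's, which is worth stating, e.g. `/* PAM modules may openlog()/closelog() under their own ident; re-open ours so later radlog() output is attributed to radiusd. */`. The check also assumes `radlog_dir` is never NULL here, since `strcmp()` on a NULL pointer is undefined behaviour; either name that invariant in the comment or guard it with `radlog_dir && !strcmp(radlog_dir, "syslog")`. The enclosing function pam_auth starts before this hunk.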
}
module_t rlm_pam = {
- "Pam",
- 0, /* type: reserved */
- NULL, /* initialize */
- NULL, /* instantiation */
- NULL, /* authorize */
- pam_auth, /* authenticate */
- NULL, /* pre-accounting */
- NULL, /* accounting */
- NULL, /* detach */
- NULL, /* destroy */
+ RLM_MODULE_INIT,
+ "pam",
+ RLM_TYPE_THREAD_UNSAFE, /* The PAM libraries are not thread-safe */
+ pam_instantiate, /* instantiation */
+ pam_detach, /* detach */
+ {
+ pam_auth, /* authenticate */
+ NULL, /* authorize */
+ NULL, /* pre-accounting */
+ NULL, /* accounting */
+ NULL, /* checksimul */
+ NULL, /* pre-proxy */
+ NULL, /* post-proxy */
+ NULL /* post-auth */
+ },
};