1 /* $OpenBSD: authenticate.c,v 1.14 2005/06/26 16:39:14 millert Exp $ */
2
3 /*-
4 * Copyright (c) 1997 Berkeley Software Design, Inc. All rights reserved.
5 *
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
8 * are met:
9 * 1. Redistributions of source code must retain the above copyright
10 * notice, this list of conditions and the following disclaimer.
11 * 2. Redistributions in binary form must reproduce the above copyright
12 * notice, this list of conditions and the following disclaimer in the
13 * documentation and/or other materials provided with the distribution.
14 * 3. All advertising materials mentioning features or use of this software
15 * must display the following acknowledgement:
16 * This product includes software developed by Berkeley Software Design,
17 * Inc.
18 * 4. The name of Berkeley Software Design, Inc. may not be used to endorse
19 * or promote products derived from this software without specific prior
20 * written permission.
21 *
22 * THIS SOFTWARE IS PROVIDED BY BERKELEY SOFTWARE DESIGN, INC. ``AS IS'' AND
23 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
24 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
25 * ARE DISCLAIMED. IN NO EVENT SHALL BERKELEY SOFTWARE DESIGN, INC. BE LIABLE
26 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
27 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
28 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
29 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
30 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
31 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
32 * SUCH DAMAGE.
33 *
34 * BSDI $From: authenticate.c,v 2.21 1999/09/08 22:33:26 prb Exp $
35 */
36 #include <sys/param.h>
37 #include <sys/stat.h>
38
39 #include <ctype.h>
40 #include <err.h>
41 #include <fcntl.h>
42 #include <login_cap.h>
43 #include <paths.h>
44 #include <pwd.h>
45 #include <stdarg.h>
46 #include <stdio.h>
47 #include <stdlib.h>
48 #include <string.h>
49 #include <syslog.h>
50 #include <unistd.h>
51
52 #include <bsd_auth.h>
53
54 static int _auth_checknologin(login_cap_t *, int);
55
56 char *
auth_mkvalue(char * value)57 auth_mkvalue(char *value)
58 {
59 char *big, *p;
60
61 big = malloc(strlen(value) * 4 + 1);
62 if (big == NULL)
63 return (NULL);
64 /*
65 * XXX - There should be a more standardized
66 * routine for doing this sort of thing.
67 */
68 for (p = big; *value; ++value) {
69 switch (*value) {
70 case '\r':
71 *p++ = '\\';
72 *p++ = 'r';
73 break;
74 case '\n':
75 *p++ = '\\';
76 *p++ = 'n';
77 break;
78 case '\\':
79 *p++ = '\\';
80 *p++ = *value;
81 break;
82 case '\t':
83 case ' ':
84 if (p == big)
85 *p++ = '\\';
86 *p++ = *value;
87 break;
88 default:
89 if (!isprint(*value)) {
90 *p++ = '\\';
91 *p++ = ((*value >> 6) & 0x3) + '0';
92 *p++ = ((*value >> 3) & 0x7) + '0';
93 *p++ = ((*value ) & 0x7) + '0';
94 } else
95 *p++ = *value;
96 break;
97 }
98 }
99 *p = '\0';
100 return (big);
101 }
102
103 void
auth_checknologin(login_cap_t * lc)104 auth_checknologin(login_cap_t *lc)
105 {
106 if (_auth_checknologin(lc, 1))
107 exit(1);
108 }
109
110 static int
_auth_checknologin(login_cap_t * lc,int print)111 _auth_checknologin(login_cap_t *lc, int print)
112 {
113 struct stat sb;
114 char *nologin;
115 int mustfree;
116
117 if (login_getcapbool(lc, "ignorenologin", 0))
118 return (0);
119
120 /*
121 * If we fail to get the nologin file due to a database error,
122 * assume there should have been one...
123 */
124 nologin = login_getcapstr(lc, "nologin", "", NULL);
125 mustfree = nologin && *nologin != '\0';
126 if (nologin == NULL)
127 goto print_nologin;
128
129 /* First try the nologin file specified in login.conf. */
130 if (*nologin != '\0' && stat(nologin, &sb) == 0)
131 goto print_nologin;
132 if (mustfree) {
133 free(nologin);
134 mustfree = 0;
135 }
136
137 /* If that doesn't exist try _PATH_NOLOGIN. */
138 if (stat(_PATH_NOLOGIN, &sb) == 0) {
139 nologin = _PATH_NOLOGIN;
140 goto print_nologin;
141 }
142
143 /* Couldn't stat any nologin files, must be OK to login. */
144 return (0);
145
146 print_nologin:
147 if (print) {
148 if (!nologin || *nologin == '\0' || auth_cat(nologin) == 0) {
149 puts("Logins are not allowed at this time.");
150 fflush(stdout);
151 }
152 }
153 if (mustfree)
154 free(nologin);
155 return (-1);
156 }
157
158 int
auth_cat(char * file)159 auth_cat(char *file)
160 {
161 int fd, nchars;
162 char tbuf[8192];
163
164 if ((fd = open(file, O_RDONLY, 0)) < 0)
165 return (0);
166 while ((nchars = read(fd, tbuf, sizeof(tbuf))) > 0)
167 (void)write(fileno(stdout), tbuf, nchars);
168 (void)close(fd);
169 return (1);
170 }
171
172 int
auth_approval(auth_session_t * as,login_cap_t * lc,char * name,char * type)173 auth_approval(auth_session_t *as, login_cap_t *lc, char *name, char *type)
174 {
175 int close_on_exit, close_lc_on_exit;
176 struct passwd *pwd;
177 char *approve, *s, path[MAXPATHLEN];
178
179 pwd = NULL;
180 close_on_exit = as == NULL;
181 close_lc_on_exit = lc == NULL;
182
183 if (as != NULL && name == NULL)
184 name = auth_getitem(as, AUTHV_NAME);
185
186 if (as != NULL)
187 pwd = auth_getpwd(as);
188
189 if (pwd == NULL) {
190 if (name != NULL)
191 pwd = getpwnam(name);
192 else {
193 if ((pwd = getpwuid(getuid())) == NULL) {
194 syslog(LOG_ERR, "no such user id %u", getuid());
195 _warnx("cannot approve who we don't recognize");
196 return (0);
197 }
198 name = pwd->pw_name;
199 }
200 }
201
202 if (name == NULL)
203 name = pwd->pw_name;
204
205 if (lc == NULL) {
206 if (strlen(name) >= MAXPATHLEN) {
207 syslog(LOG_ERR, "username to login %.*s...",
208 MAXPATHLEN, name);
209 _warnx("username too long");
210 return (0);
211 }
212 if (pwd == NULL && (approve = strchr(name, '.')) != NULL) {
213 strlcpy(path, name, sizeof path);
214 path[approve-name] = '\0';
215 pwd = getpwnam(name);
216 }
217 lc = login_getclass(pwd ? pwd->pw_class : NULL);
218 if (lc == NULL) {
219 _warnx("unable to classify user");
220 return (0);
221 }
222 }
223
224 if (!type)
225 type = LOGIN_DEFSERVICE;
226 else {
227 if (strncmp(type, "approve-", 8) == 0)
228 type += 8;
229
230 snprintf(path, sizeof(path), "approve-%s", type);
231 }
232
233 if ((approve = login_getcapstr(lc, s = path, NULL, NULL)) == NULL)
234 approve = login_getcapstr(lc, s = "approve", NULL, NULL);
235
236 if (approve && approve[0] != '/') {
237 if (close_lc_on_exit)
238 login_close(lc);
239 syslog(LOG_ERR, "Invalid %s script: %s", s, approve);
240 _warnx("invalid path to approval script");
241 free(approve);
242 return (0);
243 }
244
245 if (as == NULL && (as = auth_open()) == NULL) {
246 if (close_lc_on_exit)
247 login_close(lc);
248 syslog(LOG_ERR, "%m");
249 _warn(NULL);
250 if (approve)
251 free(approve);
252 return (0);
253 }
254
255 auth_setstate(as, AUTH_OKAY);
256 if (auth_setitem(as, AUTHV_NAME, name) < 0) {
257 syslog(LOG_ERR, "%m");
258 _warn(NULL);
259 goto out;
260 }
261 if (auth_check_expire(as) < 0) /* is this account expired */
262 goto out;
263 if (_auth_checknologin(lc,
264 auth_getitem(as, AUTHV_INTERACTIVE) != NULL)) {
265 auth_setstate(as, (auth_getstate(as) & ~AUTH_ALLOW));
266 goto out;
267 }
268 if (login_getcapbool(lc, "requirehome", 0) && pwd && pwd->pw_dir &&
269 pwd->pw_dir[0]) {
270 struct stat sb;
271
272 if (stat(pwd->pw_dir, &sb) < 0 ||
273 (sb.st_mode & 0170000) != S_IFDIR ||
274 (pwd->pw_uid && sb.st_uid == pwd->pw_uid &&
275 (sb.st_mode & S_IXUSR) == 0)) {
276 auth_setstate(as, (auth_getstate(as) & ~AUTH_ALLOW));
277 goto out;
278 }
279 }
280 if (approve)
281 auth_call(as, approve, strrchr(approve, '/') + 1, name,
282 lc->lc_class, type, (char *)NULL);
283
284 out:
285 if (approve)
286 free(approve);
287 if (close_lc_on_exit)
288 login_close(lc);
289
290 if (close_on_exit)
291 return (auth_close(as));
292 return (auth_getstate(as) & AUTH_ALLOW);
293 }
294
295 auth_session_t *
auth_usercheck(char * name,char * style,char * type,char * password)296 auth_usercheck(char *name, char *style, char *type, char *password)
297 {
298 char namebuf[MAXLOGNAME + 1 + NAME_MAX + 1];
299 auth_session_t *as;
300 login_cap_t *lc;
301 struct passwd *pwd;
302 char *sep, save;
303
304 if (strlen(name) >= sizeof(namebuf))
305 return (NULL);
306 strlcpy(namebuf, name, sizeof namebuf);
307 name = namebuf;
308
309 /*
310 * Split up user:style names if we were not given a style
311 */
312 if (style == NULL && (style = strchr(name, ':')) != NULL)
313 *style++ = '\0';
314
315 /*
316 * Cope with user[./]instance. We are only using this to get
317 * the class so it is okay if we strip a root instance
318 * The actual login script will pay attention to the instance.
319 */
320 if ((pwd = getpwnam(name)) == NULL) {
321 if ((sep = strpbrk(name, "./")) != NULL) {
322 save = *sep;
323 *sep = '\0';
324 pwd = getpwnam(name);
325 *sep = save;
326 }
327 }
328 if ((lc = login_getclass(pwd ? pwd->pw_class : NULL)) == NULL)
329 return (NULL);
330
331 if ((style = login_getstyle(lc, style, type)) == NULL) {
332 login_close(lc);
333 return (NULL);
334 }
335
336 if (password) {
337 if ((as = auth_open()) == NULL) {
338 login_close(lc);
339 return (NULL);
340 }
341 auth_setitem(as, AUTHV_SERVICE, "response");
342 auth_setdata(as, "", 1);
343 auth_setdata(as, password, strlen(password) + 1);
344 } else
345 as = NULL;
346 as = auth_verify(as, style, name, lc->lc_class, (char *)NULL);
347 login_close(lc);
348 return (as);
349 }
350
351 int
auth_userokay(char * name,char * style,char * type,char * password)352 auth_userokay(char *name, char *style, char *type, char *password)
353 {
354 auth_session_t *as;
355
356 as = auth_usercheck(name, style, type, password);
357
358 return (as != NULL ? auth_close(as) : 0);
359 }
360
361 auth_session_t *
auth_userchallenge(char * name,char * style,char * type,char ** challengep)362 auth_userchallenge(char *name, char *style, char *type, char **challengep)
363 {
364 char namebuf[MAXLOGNAME + 1 + NAME_MAX + 1];
365 auth_session_t *as;
366 login_cap_t *lc;
367 struct passwd *pwd;
368 char *sep, save;
369
370 if (strlen(name) >= sizeof(namebuf))
371 return (NULL);
372 strlcpy(namebuf, name, sizeof namebuf);
373 name = namebuf;
374
375 /*
376 * Split up user:style names if we were not given a style
377 */
378 if (style == NULL && (style = strchr(name, ':')) != NULL)
379 *style++ = '\0';
380
381 /*
382 * Cope with user[./]instance. We are only using this to get
383 * the class so it is okay if we strip a root instance
384 * The actual login script will pay attention to the instance.
385 */
386 if ((pwd = getpwnam(name)) == NULL) {
387 if ((sep = strpbrk(name, "./")) != NULL) {
388 save = *sep;
389 *sep = '\0';
390 pwd = getpwnam(name);
391 *sep = save;
392 }
393 }
394 if ((lc = login_getclass(pwd ? pwd->pw_class : NULL)) == NULL)
395 return (NULL);
396
397 if ((style = login_getstyle(lc, style, type)) == NULL ||
398 (as = auth_open()) == NULL) {
399 login_close(lc);
400 return (NULL);
401 }
402 if (auth_setitem(as, AUTHV_STYLE, style) < 0 ||
403 auth_setitem(as, AUTHV_NAME, name) < 0 ||
404 auth_setitem(as, AUTHV_CLASS, lc->lc_class) < 0) {
405 auth_close(as);
406 login_close(lc);
407 return (NULL);
408 }
409 login_close(lc);
410 *challengep = auth_challenge(as);
411 return (as);
412 }
413
414 int
auth_userresponse(auth_session_t * as,char * response,int more)415 auth_userresponse(auth_session_t *as, char *response, int more)
416 {
417 char path[MAXPATHLEN];
418 char *style, *name, *challenge, *class;
419
420 if (as == NULL)
421 return (0);
422
423 auth_setstate(as, 0);
424
425 if ((style = auth_getitem(as, AUTHV_STYLE)) == NULL ||
426 (name = auth_getitem(as, AUTHV_NAME)) == NULL) {
427 if (more == 0)
428 return (auth_close(as));
429 return(0);
430 }
431 challenge = auth_getitem(as, AUTHV_CHALLENGE);
432 class = auth_getitem(as, AUTHV_CLASS);
433
434 if (challenge)
435 auth_setdata(as, challenge, strlen(challenge) + 1);
436 else
437 auth_setdata(as, "", 1);
438 if (response)
439 auth_setdata(as, response, strlen(response) + 1);
440 else
441 auth_setdata(as, "", 1);
442
443 snprintf(path, sizeof(path), _PATH_AUTHPROG "%s", style);
444
445 auth_call(as, path, style, "-s", "response", name, class, (char *)NULL);
446
447 /*
448 * If they authenticated then make sure they did not expire
449 */
450 if (auth_getstate(as) & AUTH_ALLOW)
451 auth_check_expire(as);
452 if (more == 0)
453 return (auth_close(as));
454 return (auth_getstate(as) & AUTH_ALLOW);
455 }
456
457 /*
458 * Authenticate name with the specified style.
459 * If ``as'' is NULL a new session is formed with the default service.
460 * Returns NULL only if ``as'' is NULL and we were unable to allocate
461 * a new session.
462 *
463 * Use auth_close() or auth_getstate() to determine if the authentication
464 * worked.
465 */
466 auth_session_t *
auth_verify(auth_session_t * as,char * style,char * name,...)467 auth_verify(auth_session_t *as, char *style, char *name, ...)
468 {
469 va_list ap;
470 char path[MAXPATHLEN];
471
472 if ((name == NULL || style == NULL) && as == NULL)
473 return (as);
474
475 if (as == NULL && (as = auth_open()) == NULL)
476 return (NULL);
477 auth_setstate(as, 0);
478
479 if (style != NULL && auth_setitem(as, AUTHV_STYLE, style) < 0)
480 return (as);
481
482 if (name != NULL && auth_setitem(as, AUTHV_NAME, name) < 0)
483 return (as);
484
485 style = auth_getitem(as, AUTHV_STYLE);
486 name = auth_getitem(as, AUTHV_NAME);
487
488 snprintf(path, sizeof(path), _PATH_AUTHPROG "%s", style);
489 va_start(ap, name);
490 auth_set_va_list(as, ap);
491 auth_call(as, path, auth_getitem(as, AUTHV_STYLE), "-s",
492 auth_getitem(as, AUTHV_SERVICE), name, (char *)NULL);
493 va_end(ap);
494 return (as);
495 }
496