/*-
 * Copyright (c) 2002 Danny Braniss
 * All rights reserved.
 * Copyright (c) 2001,2002 Networks Associates Technology, Inc.
 * All rights reserved.
 *
 * Portions of this software were developed for the FreeBSD Project by
 * ThinkSec AS and NAI Labs, the Security Research Division of Network
 * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035
 * ("CBOSS"), as part of the DARPA CHATS research program.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 * 3. The name of the author may not be used to endorse or promote
 *    products derived from this software without specific prior written
 *    permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.
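IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 */

#include <sys/cdefs.h>
__FBSDID("$FreeBSD$");

#include <pwd.h>
#include <stddef.h>
#include <string.h>
#include <unistd.h>

#define PAM_SM_AUTH
#include <security/pam_appl.h>
#include <security/pam_modules.h>
#include <security/pam_mod_misc.h>

/* Module option: permit uid 0 accounts to authenticate via rhosts trust. */
#define OPT_ALLOW_ROOT "allow_root"

/*
 * Authenticate the PAM user by rhosts trust (ruserok(3)).
 *
 * The target user must exist in the password database.  A uid 0 account
 * is refused outright unless the "allow_root" module option is set.  The
 * remote user (PAM_RUSER) and remote host (PAM_RHOST) items must both be
 * present; they are handed to ruserok() together with the local user name.
 *
 * Returns PAM_SUCCESS when ruserok() accepts the remote user/host pair,
 * PAM_USER_UNKNOWN when the user has no passwd entry, the pam_get_user()
 * error when the user name cannot be obtained, and PAM_AUTH_ERR for every
 * other refusal.  flags, argc and argv are not used.
 */
PAM_EXTERN int
pam_sm_authenticate(pam_handle_t *pamh, int flags __unused,
    int argc __unused, const char *argv[] __unused)
{
	struct passwd *pw;
	const char *user;
	const void *ruser, *rhost;
	int err, superuser;

	err = pam_get_user(pamh, &user, NULL);
	if (err != PAM_SUCCESS)
		return (err);

	if ((pw = getpwnam(user)) == NULL)
		return (PAM_USER_UNKNOWN);
	/* Any uid 0 account counts as root here, not only the name "root". */
	if (pw->pw_uid == 0 &&
	    openpam_get_option(pamh, OPT_ALLOW_ROOT) == NULL)
		return (PAM_AUTH_ERR);

	err = pam_get_item(pamh, PAM_RUSER, &ruser);
	if (err != PAM_SUCCESS)
		return (PAM_AUTH_ERR);

	err = pam_get_item(pamh, PAM_RHOST, &rhost);
	if (err != PAM_SUCCESS)
		return (PAM_AUTH_ERR);

	/*
	 * pam_get_item() reports success with a NULL item when the
	 * application never set it.  ruserok() expects real strings, and an
	 * rhosts decision without a remote user or host is meaningless, so
	 * fail closed instead of passing NULL on.
	 */
	if (ruser == NULL || rhost == NULL)
		return (PAM_AUTH_ERR);

	/*
	 * ruserok()'s superuser flag is keyed on the name "root" only; a
	 * different uid 0 account that gets this far (allow_root set) is
	 * passed with superuser == 0.
	 */
	superuser = (strcmp(user, "root") == 0);
	err = ruserok(rhost, superuser, ruser, user);
	if (err != 0)
		return (PAM_AUTH_ERR);

	return (PAM_SUCCESS);
}

/*
 * Nothing to establish: rhosts trust is a yes/no decision with no
 * credentials attached, so this always reports success.  All arguments
 * are unused.
 */
PAM_EXTERN int
pam_sm_setcred(pam_handle_t *pamh __unused, int flags __unused,
    int argc __unused, const char *argv[] __unused)
{

	return (PAM_SUCCESS);
}

PAM_MODULE_ENTRY("pam_rhosts");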