authenticate.c revision 1.10
1/* $OpenBSD: authenticate.c,v 1.10 2002/05/24 21:22:37 deraadt Exp $ */ 2 3/*- 4 * Copyright (c) 1997 Berkeley Software Design, Inc. All rights reserved. 5 * 6 * Redistribution and use in source and binary forms, with or without 7 * modification, are permitted provided that the following conditions 8 * are met: 9 * 1. Redistributions of source code must retain the above copyright 10 * notice, this list of conditions and the following disclaimer. 11 * 2. Redistributions in binary form must reproduce the above copyright 12 * notice, this list of conditions and the following disclaimer in the 13 * documentation and/or other materials provided with the distribution. 14 * 3. All advertising materials mentioning features or use of this software 15 * must display the following acknowledgement: 16 * This product includes software developed by Berkeley Software Design, 17 * Inc. 18 * 4. The name of Berkeley Software Design, Inc. may not be used to endorse 19 * or promote products derived from this software without specific prior 20 * written permission. 21 * 22 * THIS SOFTWARE IS PROVIDED BY BERKELEY SOFTWARE DESIGN, INC. ``AS IS'' AND 23 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 24 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 25 * ARE DISCLAIMED. IN NO EVENT SHALL BERKELEY SOFTWARE DESIGN, INC. BE LIABLE 26 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 27 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 28 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 29 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 30 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 31 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 32 * SUCH DAMAGE. 33 * 34 * BSDI $From: authenticate.c,v 2.21 1999/09/08 22:33:26 prb Exp $ 35 */ 36#include <sys/param.h> 37#include <sys/stat.h> 38 39#include <ctype.h> 40#include <err.h> 41#include <fcntl.h> 42#include <login_cap.h> 43#include <paths.h> 44#include <pwd.h> 45#include <stdarg.h> 46#include <stdio.h> 47#include <stdlib.h> 48#include <string.h> 49#include <syslog.h> 50#include <unistd.h> 51 52#include <bsd_auth.h> 53 54static int _auth_checknologin(login_cap_t *, int); 55 56char * 57auth_mkvalue(char *value) 58{ 59 char *big, *p; 60 61 big = malloc(strlen(value) * 4 + 1); 62 if (big == NULL) 63 return (NULL); 64 /* 65 * XXX - There should be a more standardized 66 * routine for doing this sort of thing. 67 */ 68 for (p = big; *value; ++value) { 69 switch (*value) { 70 case '\r': 71 *p++ = '\\'; 72 *p++ = 'r'; 73 break; 74 case '\n': 75 *p++ = '\\'; 76 *p++ = 'n'; 77 break; 78 case '\\': 79 *p++ = '\\'; 80 *p++ = *value; 81 break; 82 case '\t': 83 case ' ': 84 if (p == big) 85 *p++ = '\\'; 86 *p++ = *value; 87 break; 88 default: 89 if (!isprint(*value)) { 90 *p++ = '\\'; 91 *p++ = ((*value >> 6) & 0x3) + '0'; 92 *p++ = ((*value >> 3) & 0x7) + '0'; 93 *p++ = ((*value ) & 0x7) + '0'; 94 } else 95 *p++ = *value; 96 break; 97 } 98 } 99 *p = '\0'; 100 return (big); 101} 102 103void 104auth_checknologin(login_cap_t *lc) 105{ 106 if (_auth_checknologin(lc, 1)) 107 exit(1); 108} 109 110static int 111_auth_checknologin(login_cap_t *lc, int print) 112{ 113 struct stat sb; 114 char *nologin; 115 int mustfree; 116 117 if (login_getcapbool(lc, "ignorenologin", 0)) 118 return (0); 119 120 /* 121 * If we fail to get the nologin file due to a database error, 122 * assume there should have been one... 123 */ 124 nologin = login_getcapstr(lc, "nologin", "", NULL); 125 mustfree = nologin && *nologin != '\0'; 126 if (nologin == NULL) 127 goto print_nologin; 128 129 /* First try the nologin file specified in login.conf. */ 130 if (*nologin != '\0' && stat(nologin, &sb) == 0) 131 goto print_nologin; 132 if (mustfree) 133 free(nologin); 134 135 /* If that doesn't exist try _PATH_NOLOGIN. */ 136 if (stat(_PATH_NOLOGIN, &sb) == 0) { 137 nologin = _PATH_NOLOGIN; 138 goto print_nologin; 139 } 140 141 /* Couldn't stat any nologin files, must be OK to login. */ 142 return (0); 143 144print_nologin: 145 if (print) { 146 if (!nologin || *nologin == '\0' || auth_cat(nologin) == 0) { 147 puts("Logins are not allowed at this time."); 148 fflush(stdout); 149 } 150 } 151 if (mustfree) 152 free(nologin); 153 return (-1); 154} 155 156int 157auth_cat(char *file) 158{ 159 int fd, nchars; 160 char tbuf[8192]; 161 162 if ((fd = open(file, O_RDONLY, 0)) < 0) 163 return (0); 164 while ((nchars = read(fd, tbuf, sizeof(tbuf))) > 0) 165 (void)write(fileno(stdout), tbuf, nchars); 166 (void)close(fd); 167 return (1); 168} 169 170int 171auth_approval(auth_session_t *as, login_cap_t *lc, char *name, char *type) 172{ 173 int close_on_exit, close_lc_on_exit; 174 struct passwd *pwd; 175 char *approve, *s, path[MAXPATHLEN]; 176 177 pwd = NULL; 178 close_on_exit = as == NULL; 179 close_lc_on_exit = lc == NULL; 180 181 if (as != NULL && name == NULL) 182 name = auth_getitem(as, AUTHV_NAME); 183 184 if (as != NULL) 185 pwd = auth_getpwd(as); 186 187 if (pwd == NULL) { 188 if (name != NULL) 189 pwd = getpwnam(name); 190 else { 191 if ((pwd = getpwuid(getuid())) == NULL) { 192 syslog(LOG_ERR, "no such user id %d", getuid()); 193 _warnx("cannot approve who we don't recognize"); 194 return (0); 195 } 196 name = pwd->pw_name; 197 } 198 } 199 200 if (name == NULL) 201 name = pwd->pw_name; 202 203 if (lc == NULL) { 204 if (strlen(name) >= MAXPATHLEN) { 205 syslog(LOG_ERR, "username to login %.*s...", 206 MAXPATHLEN, name); 207 _warnx("username too long"); 208 return (0); 209 } 210 if (pwd == NULL && (approve = strchr(name, '.')) != NULL) { 211 strlcpy(path, name, sizeof path); 212 path[approve-name] = '\0'; 213 pwd = getpwnam(name); 214 } 215 lc = login_getclass(pwd ? pwd->pw_class : NULL); 216 if (lc == NULL) { 217 _warnx("unable to classify user"); 218 return (0); 219 } 220 } 221 222 if (!type) 223 type = LOGIN_DEFSERVICE; 224 else { 225 if (strncmp(type, "approve-", 8) == 0) 226 type += 8; 227 228 snprintf(path, sizeof(path), "approve-%s", type); 229 } 230 231 if ((approve = login_getcapstr(lc, s = path, NULL, NULL)) == NULL) 232 approve = login_getcapstr(lc, s = "approve", NULL, NULL); 233 234 if (approve && approve[0] != '/') { 235 if (close_lc_on_exit) 236 login_close(lc); 237 syslog(LOG_ERR, "Invalid %s script: %s", s, approve); 238 _warnx("invalid path to approval script"); 239 free(approve); 240 return (0); 241 } 242 243 if (as == NULL && (as = auth_open()) == NULL) { 244 if (close_lc_on_exit) 245 login_close(lc); 246 syslog(LOG_ERR, "%m"); 247 _warn(NULL); 248 if (approve) 249 free(approve); 250 return (0); 251 } 252 253 auth_setstate(as, AUTH_OKAY); 254 if (auth_setitem(as, AUTHV_NAME, name) < 0) { 255 syslog(LOG_ERR, "%m"); 256 _warn(NULL); 257 goto out; 258 } 259 if (auth_check_expire(as) < 0) /* is this account expired */ 260 goto out; 261 if (_auth_checknologin(lc, 262 auth_getitem(as, AUTHV_INTERACTIVE) != NULL)) { 263 auth_setstate(as, (auth_getstate(as) & ~AUTH_ALLOW)); 264 goto out; 265 } 266 if (login_getcapbool(lc, "requirehome", 0) && pwd && pwd->pw_dir && 267 pwd->pw_dir[0]) { 268 struct stat sb; 269 270 if (stat(pwd->pw_dir, &sb) < 0 || 271 (sb.st_mode & 0170000) != S_IFDIR || 272 (pwd->pw_uid && sb.st_uid == pwd->pw_uid && 273 (sb.st_mode & S_IXUSR) == 0)) { 274 auth_setstate(as, (auth_getstate(as) & ~AUTH_ALLOW)); 275 goto out; 276 } 277 } 278 if (approve) 279 auth_call(as, approve, strrchr(approve, '/') + 1, name, 280 lc->lc_class, type, 0); 281 282out: 283 if (approve) 284 free(approve); 285 if (close_lc_on_exit) 286 login_close(lc); 287 288 if (close_on_exit) 289 return (auth_close(as)); 290 return (auth_getstate(as) & AUTH_ALLOW); 291} 292 293auth_session_t * 294auth_usercheck(char *name, char *style, char *type, char *password) 295{ 296 char namebuf[MAXLOGNAME + 1 + NAME_MAX + 1]; 297 auth_session_t *as; 298 login_cap_t *lc; 299 struct passwd *pwd; 300 char *sep, save; 301 302 if (strlen(name) >= sizeof(namebuf)) 303 return (NULL); 304 strlcpy(namebuf, name, sizeof namebuf); 305 name = namebuf; 306 307 /* 308 * Split up user:style names if we were not given a style 309 */ 310 if (style == NULL && (style = strchr(name, ':')) != NULL) 311 *style++ = '\0'; 312 313 /* 314 * Cope with user[./]instance. We are only using this to get 315 * the class so it is okay if we strip a root instance 316 * The actual login script will pay attention to the instance. 317 */ 318 if ((pwd = getpwnam(name)) == NULL) { 319 if ((sep = strpbrk(name, "./")) != NULL) { 320 save = *sep; 321 *sep = '\0'; 322 pwd = getpwnam(name); 323 *sep = save; 324 } 325 } 326 if ((lc = login_getclass(pwd ? pwd->pw_class : NULL)) == NULL) 327 return (NULL); 328 329 if ((style = login_getstyle(lc, style, type)) == NULL) { 330 login_close(lc); 331 return (NULL); 332 } 333 334 if (password) { 335 if ((as = auth_open()) == NULL) { 336 login_close(lc); 337 return (NULL); 338 } 339 auth_setitem(as, AUTHV_SERVICE, "response"); 340 auth_setdata(as, "", 1); 341 auth_setdata(as, password, strlen(password) + 1); 342 } else 343 as = NULL; 344 as = auth_verify(as, style, name, lc->lc_class, NULL); 345 login_close(lc); 346 return (as); 347} 348 349int 350auth_userokay(char *name, char *style, char *type, char *password) 351{ 352 auth_session_t *as; 353 354 as = auth_usercheck(name, style, type, password); 355 356 return (as != NULL ? auth_close(as) : 0); 357} 358 359auth_session_t * 360auth_userchallenge(char *name, char *style, char *type, char **challengep) 361{ 362 char namebuf[MAXLOGNAME + 1 + NAME_MAX + 1]; 363 auth_session_t *as; 364 login_cap_t *lc; 365 struct passwd *pwd; 366 char *sep, save; 367 368 if (strlen(name) >= sizeof(namebuf)) 369 return (NULL); 370 strlcpy(namebuf, name, sizeof namebuf); 371 name = namebuf; 372 373 /* 374 * Split up user:style names if we were not given a style 375 */ 376 if (style == NULL && (style = strchr(name, ':')) != NULL) 377 *style++ = '\0'; 378 379 /* 380 * Cope with user[./]instance. We are only using this to get 381 * the class so it is okay if we strip a root instance 382 * The actual login script will pay attention to the instance. 383 */ 384 if ((pwd = getpwnam(name)) == NULL) { 385 if ((sep = strpbrk(name, "./")) != NULL) { 386 save = *sep; 387 *sep = '\0'; 388 pwd = getpwnam(name); 389 *sep = save; 390 } 391 } 392 if ((lc = login_getclass(pwd ? pwd->pw_class : NULL)) == NULL) 393 return (NULL); 394 395 if ((style = login_getstyle(lc, style, type)) == NULL || 396 (as = auth_open()) == NULL) { 397 login_close(lc); 398 return (NULL); 399 } 400 if (auth_setitem(as, AUTHV_STYLE, style) < 0 || 401 auth_setitem(as, AUTHV_NAME, name) < 0 || 402 auth_setitem(as, AUTHV_CLASS, lc->lc_class) < 0) { 403 auth_close(as); 404 login_close(lc); 405 return (NULL); 406 } 407 login_close(lc); 408 *challengep = auth_challenge(as); 409 return (as); 410} 411 412int 413auth_userresponse(auth_session_t *as, char *response, int more) 414{ 415 char path[MAXPATHLEN]; 416 char *style, *name, *challenge, *class; 417 418 if (as == NULL) 419 return (0); 420 421 auth_setstate(as, 0); 422 423 if ((style = auth_getitem(as, AUTHV_STYLE)) == NULL || 424 (name = auth_getitem(as, AUTHV_NAME)) == NULL) { 425 if (more == 0) 426 return (auth_close(as)); 427 return(0); 428 } 429 challenge = auth_getitem(as, AUTHV_CHALLENGE); 430 class = auth_getitem(as, AUTHV_CLASS); 431 432 if (challenge) 433 auth_setdata(as, challenge, strlen(challenge) + 1); 434 else 435 auth_setdata(as, "", 1); 436 if (response) 437 auth_setdata(as, response, strlen(response) + 1); 438 else 439 auth_setdata(as, "", 1); 440 441 snprintf(path, sizeof(path), _PATH_AUTHPROG "%s", style); 442 443 auth_call(as, path, style, "-s", "response", name, class, NULL); 444 445 /* 446 * If they authenticated then make sure they did not expire 447 */ 448 if (auth_getstate(as) & AUTH_ALLOW) 449 auth_check_expire(as); 450 if (more == 0) 451 return (auth_close(as)); 452 return (auth_getstate(as) & AUTH_ALLOW); 453} 454 455/* 456 * Authenticate name with the specified style. 457 * If ``as'' is NULL a new session is formed with the default service. 458 * Returns NULL only if ``as'' is NULL and we were unable to allocate 459 * a new session. 460 * 461 * Use auth_close() or auth_getstate() to determine if the authentication 462 * worked. 463 */ 464auth_session_t * 465auth_verify(auth_session_t *as, char *style, char *name, ...) 466{ 467 va_list ap; 468 char path[MAXPATHLEN]; 469 470 if ((name == NULL || style == NULL) && as == NULL) 471 return (as); 472 473 if (as == NULL && (as = auth_open()) == NULL) 474 return (NULL); 475 auth_setstate(as, 0); 476 477 if (style != NULL && auth_setitem(as, AUTHV_STYLE, style) < 0) 478 return (as); 479 480 if (name != NULL && auth_setitem(as, AUTHV_NAME, name) < 0) 481 return (as); 482 483 style = auth_getitem(as, AUTHV_STYLE); 484 name = auth_getitem(as, AUTHV_NAME); 485 486 snprintf(path, sizeof(path), _PATH_AUTHPROG "%s", style); 487 va_start(ap, name); 488 auth_set_va_list(as, ap); 489 auth_call(as, path, auth_getitem(as, AUTHV_STYLE), "-s", 490 auth_getitem(as, AUTHV_SERVICE), name, NULL); 491 return (as); 492} 493