authenticate.c revision 1.10 
1/*	$OpenBSD: authenticate.c,v 1.10 2002/05/24 21:22:37 deraadt Exp $	*/
2
3/*-
4 * Copyright (c) 1997 Berkeley Software Design, Inc. All rights reserved.
5 *
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
8 * are met:
9 * 1. Redistributions of source code must retain the above copyright
10 *    notice, this list of conditions and the following disclaimer.
11 * 2. Redistributions in binary form must reproduce the above copyright
12 *    notice, this list of conditions and the following disclaimer in the
13 *    documentation and/or other materials provided with the distribution.
14 * 3. All advertising materials mentioning features or use of this software
15 *    must display the following acknowledgement:
16 *	This product includes software developed by Berkeley Software Design,
17 *	Inc.
18 * 4. The name of Berkeley Software Design, Inc.  may not be used to endorse
19 *    or promote products derived from this software without specific prior
20 *    written permission.
21 *
22 * THIS SOFTWARE IS PROVIDED BY BERKELEY SOFTWARE DESIGN, INC. ``AS IS'' AND
23 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
24 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
25 * ARE DISCLAIMED.  IN NO EVENT SHALL BERKELEY SOFTWARE DESIGN, INC. BE LIABLE
26 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
27 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
28 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
29 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
30 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
31 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
32 * SUCH DAMAGE.
33 *
34 *	BSDI $From: authenticate.c,v 2.21 1999/09/08 22:33:26 prb Exp $
35 */
36#include <sys/param.h>
37#include <sys/stat.h>
38
39#include <ctype.h>
40#include <err.h>
41#include <fcntl.h>
42#include <login_cap.h>
43#include <paths.h>
44#include <pwd.h>
45#include <stdarg.h>
46#include <stdio.h>
47#include <stdlib.h>
48#include <string.h>
49#include <syslog.h>
50#include <unistd.h>
51
52#include <bsd_auth.h>
53
54static int _auth_checknologin(login_cap_t *, int);
55
56char *
57auth_mkvalue(char *value)
58{
59	char *big, *p;
60
61	big = malloc(strlen(value) * 4 + 1);
62	if (big == NULL)
63		return (NULL);
64	/*
65	 * XXX - There should be a more standardized
66	 * routine for doing this sort of thing.
67	 */
68	for (p = big; *value; ++value) {
69		switch (*value) {
70		case '\r':
71			*p++ = '\\';
72			*p++ = 'r';
73			break;
74		case '\n':
75			*p++ = '\\';
76			*p++ = 'n';
77			break;
78		case '\\':
79			*p++ = '\\';
80			*p++ = *value;
81			break;
82		case '\t':
83		case ' ':
84			if (p == big)
85				*p++ = '\\';
86			*p++ = *value;
87			break;
88		default:
89			if (!isprint(*value)) {
90				*p++ = '\\';
91				*p++ = ((*value >> 6) & 0x3) + '0';
92				*p++ = ((*value >> 3) & 0x7) + '0';
93				*p++ = ((*value     ) & 0x7) + '0';
94			} else
95				*p++ = *value;
96			break;
97		}
98	}
99	*p = '\0';
100	return (big);
101}
102
103void
104auth_checknologin(login_cap_t *lc)
105{
106	if (_auth_checknologin(lc, 1))
107		exit(1);
108}
109
110static int
111_auth_checknologin(login_cap_t *lc, int print)
112{
113	struct stat sb;
114	char *nologin;
115	int mustfree;
116
117	if (login_getcapbool(lc, "ignorenologin", 0))
118		return (0);
119
120	/*
121	 * If we fail to get the nologin file due to a database error,
122	 * assume there should have been one...
123	 */
124	nologin = login_getcapstr(lc, "nologin", "", NULL);
125	mustfree = nologin && *nologin != '\0';
126	if (nologin == NULL)
127		goto print_nologin;
128
129	/* First try the nologin file specified in login.conf. */
130	if (*nologin != '\0' && stat(nologin, &sb) == 0)
131		goto print_nologin;
132	if (mustfree)
133		free(nologin);
134
135	/* If that doesn't exist try _PATH_NOLOGIN. */
136	if (stat(_PATH_NOLOGIN, &sb) == 0) {
137		nologin = _PATH_NOLOGIN;
138		goto print_nologin;
139	}
140
141	/* Couldn't stat any nologin files, must be OK to login. */
142	return (0);
143
144print_nologin:
145	if (print) {
146		if (!nologin || *nologin == '\0' || auth_cat(nologin) == 0) {
147			puts("Logins are not allowed at this time.");
148			fflush(stdout);
149		}
150	}
151	if (mustfree)
152		free(nologin);
153	return (-1);
154}
155
156int
157auth_cat(char *file)
158{
159	int fd, nchars;
160	char tbuf[8192];
161
162	if ((fd = open(file, O_RDONLY, 0)) < 0)
163		return (0);
164	while ((nchars = read(fd, tbuf, sizeof(tbuf))) > 0)
165		(void)write(fileno(stdout), tbuf, nchars);
166	(void)close(fd);
167	return (1);
168}
169
170int
171auth_approval(auth_session_t *as, login_cap_t *lc, char *name, char *type)
172{
173	int close_on_exit, close_lc_on_exit;
174	struct passwd *pwd;
175	char *approve, *s, path[MAXPATHLEN];
176
177	pwd = NULL;
178	close_on_exit = as == NULL;
179	close_lc_on_exit = lc == NULL;
180
181	if (as != NULL && name == NULL)
182		name = auth_getitem(as, AUTHV_NAME);
183
184	if (as != NULL)
185		pwd = auth_getpwd(as);
186
187	if (pwd == NULL) {
188		if (name != NULL)
189			pwd = getpwnam(name);
190		else {
191			if ((pwd = getpwuid(getuid())) == NULL) {
192				syslog(LOG_ERR, "no such user id %d", getuid());
193				_warnx("cannot approve who we don't recognize");
194				return (0);
195			}
196			name = pwd->pw_name;
197		}
198	}
199
200	if (name == NULL)
201		name = pwd->pw_name;
202
203	if (lc == NULL) {
204		if (strlen(name) >= MAXPATHLEN) {
205			syslog(LOG_ERR, "username to login %.*s...",
206			    MAXPATHLEN, name);
207			_warnx("username too long");
208			return (0);
209		}
210		if (pwd == NULL && (approve = strchr(name, '.')) != NULL) {
211			strlcpy(path, name, sizeof path);
212			path[approve-name] = '\0';
213			pwd = getpwnam(name);
214		}
215		lc = login_getclass(pwd ? pwd->pw_class : NULL);
216		if (lc == NULL) {
217			_warnx("unable to classify user");
218			return (0);
219		}
220	}
221
222	if (!type)
223		type = LOGIN_DEFSERVICE;
224	else {
225		if (strncmp(type, "approve-", 8) == 0)
226			type += 8;
227
228		snprintf(path, sizeof(path), "approve-%s", type);
229	}
230
231	if ((approve = login_getcapstr(lc, s = path, NULL, NULL)) == NULL)
232		approve = login_getcapstr(lc, s = "approve", NULL, NULL);
233
234	if (approve && approve[0] != '/') {
235		if (close_lc_on_exit)
236			login_close(lc);
237		syslog(LOG_ERR, "Invalid %s script: %s", s, approve);
238		_warnx("invalid path to approval script");
239               free(approve);
240		return (0);
241	}
242
243	if (as == NULL && (as = auth_open()) == NULL) {
244		if (close_lc_on_exit)
245			login_close(lc);
246		syslog(LOG_ERR, "%m");
247		_warn(NULL);
248               if (approve)
249                       free(approve);
250		return (0);
251	}
252
253	auth_setstate(as, AUTH_OKAY);
254	if (auth_setitem(as, AUTHV_NAME, name) < 0) {
255		syslog(LOG_ERR, "%m");
256		_warn(NULL);
257		goto out;
258	}
259	if (auth_check_expire(as) < 0)	/* is this account expired */
260		goto out;
261	if (_auth_checknologin(lc,
262	    auth_getitem(as, AUTHV_INTERACTIVE) != NULL)) {
263		auth_setstate(as, (auth_getstate(as) & ~AUTH_ALLOW));
264		goto out;
265	}
266	if (login_getcapbool(lc, "requirehome", 0) && pwd && pwd->pw_dir &&
267	    pwd->pw_dir[0]) {
268		struct stat sb;
269
270		if (stat(pwd->pw_dir, &sb) < 0 ||
271		    (sb.st_mode & 0170000) != S_IFDIR ||
272		    (pwd->pw_uid && sb.st_uid == pwd->pw_uid &&
273		     (sb.st_mode & S_IXUSR) == 0)) {
274			auth_setstate(as, (auth_getstate(as) & ~AUTH_ALLOW));
275			goto out;
276		}
277	}
278	if (approve)
279	    auth_call(as, approve, strrchr(approve, '/') + 1, name,
280		lc->lc_class, type, 0);
281
282out:
283       if (approve)
284               free(approve);
285	if (close_lc_on_exit)
286		login_close(lc);
287
288	if (close_on_exit)
289		return (auth_close(as));
290	return (auth_getstate(as) & AUTH_ALLOW);
291}
292
293auth_session_t *
294auth_usercheck(char *name, char *style, char *type, char *password)
295{
296	char namebuf[MAXLOGNAME + 1 + NAME_MAX + 1];
297	auth_session_t *as;
298	login_cap_t *lc;
299	struct passwd *pwd;
300	char *sep, save;
301
302	if (strlen(name) >= sizeof(namebuf))
303		return (NULL);
304	strlcpy(namebuf, name, sizeof namebuf);
305	name = namebuf;
306
307	/*
308	 * Split up user:style names if we were not given a style
309	 */
310	if (style == NULL && (style = strchr(name, ':')) != NULL)
311		*style++ = '\0';
312
313	/*
314	 * Cope with user[./]instance.  We are only using this to get
315	 * the class so it is okay if we strip a root instance
316	 * The actual login script will pay attention to the instance.
317	 */
318	if ((pwd = getpwnam(name)) == NULL) {
319		if ((sep = strpbrk(name, "./")) != NULL) {
320			save = *sep;
321			*sep = '\0';
322			pwd = getpwnam(name);
323			*sep = save;
324		}
325	}
326	if ((lc = login_getclass(pwd ? pwd->pw_class : NULL)) == NULL)
327		return (NULL);
328
329	if ((style = login_getstyle(lc, style, type)) == NULL) {
330		login_close(lc);
331		return (NULL);
332	}
333
334	if (password) {
335		if ((as = auth_open()) == NULL) {
336			login_close(lc);
337			return (NULL);
338		}
339		auth_setitem(as, AUTHV_SERVICE, "response");
340		auth_setdata(as, "", 1);
341		auth_setdata(as, password, strlen(password) + 1);
342	} else
343		as = NULL;
344	as = auth_verify(as, style, name, lc->lc_class, NULL);
345	login_close(lc);
346	return (as);
347}
348
349int
350auth_userokay(char *name, char *style, char *type, char *password)
351{
352	auth_session_t *as;
353
354	as = auth_usercheck(name, style, type, password);
355
356	return (as != NULL ? auth_close(as) : 0);
357}
358
359auth_session_t *
360auth_userchallenge(char *name, char *style, char *type, char **challengep)
361{
362	char namebuf[MAXLOGNAME + 1 + NAME_MAX + 1];
363	auth_session_t *as;
364	login_cap_t *lc;
365	struct passwd *pwd;
366	char *sep, save;
367
368	if (strlen(name) >= sizeof(namebuf))
369		return (NULL);
370	strlcpy(namebuf, name, sizeof namebuf);
371	name = namebuf;
372
373	/*
374	 * Split up user:style names if we were not given a style
375	 */
376	if (style == NULL && (style = strchr(name, ':')) != NULL)
377		*style++ = '\0';
378
379	/*
380	 * Cope with user[./]instance.  We are only using this to get
381	 * the class so it is okay if we strip a root instance
382	 * The actual login script will pay attention to the instance.
383	 */
384	if ((pwd = getpwnam(name)) == NULL) {
385		if ((sep = strpbrk(name, "./")) != NULL) {
386			save = *sep;
387			*sep = '\0';
388			pwd = getpwnam(name);
389			*sep = save;
390		}
391	}
392	if ((lc = login_getclass(pwd ? pwd->pw_class : NULL)) == NULL)
393		return (NULL);
394
395	if ((style = login_getstyle(lc, style, type)) == NULL ||
396	    (as = auth_open()) == NULL) {
397		login_close(lc);
398		return (NULL);
399	}
400	if (auth_setitem(as, AUTHV_STYLE, style) < 0 ||
401	    auth_setitem(as, AUTHV_NAME, name) < 0 ||
402	    auth_setitem(as, AUTHV_CLASS, lc->lc_class) < 0) {
403		auth_close(as);
404		login_close(lc);
405		return (NULL);
406	}
407	login_close(lc);
408	*challengep = auth_challenge(as);
409	return (as);
410}
411
412int
413auth_userresponse(auth_session_t *as, char *response, int more)
414{
415	char path[MAXPATHLEN];
416	char *style, *name, *challenge, *class;
417
418	if (as == NULL)
419		return (0);
420
421	auth_setstate(as, 0);
422
423	if ((style = auth_getitem(as, AUTHV_STYLE)) == NULL ||
424	    (name = auth_getitem(as, AUTHV_NAME)) == NULL) {
425		if (more == 0)
426			return (auth_close(as));
427		return(0);
428	}
429	challenge = auth_getitem(as, AUTHV_CHALLENGE);
430	class = auth_getitem(as, AUTHV_CLASS);
431
432	if (challenge)
433		auth_setdata(as, challenge, strlen(challenge) + 1);
434	else
435		auth_setdata(as, "", 1);
436	if (response)
437		auth_setdata(as, response, strlen(response) + 1);
438	else
439		auth_setdata(as, "", 1);
440
441	snprintf(path, sizeof(path), _PATH_AUTHPROG "%s", style);
442
443	auth_call(as, path, style, "-s", "response", name, class, NULL);
444
445	/*
446	 * If they authenticated then make sure they did not expire
447	 */
448	if (auth_getstate(as) & AUTH_ALLOW)
449		auth_check_expire(as);
450	if (more == 0)
451		return (auth_close(as));
452	return (auth_getstate(as) & AUTH_ALLOW);
453}
454
455/*
456 * Authenticate name with the specified style.
457 * If ``as'' is NULL a new session is formed with the default service.
458 * Returns NULL only if ``as'' is NULL and we were unable to allocate
459 * a new session.
460 *
461 * Use auth_close() or auth_getstate() to determine if the authentication
462 * worked.
463 */
464auth_session_t *
465auth_verify(auth_session_t *as, char *style, char *name, ...)
466{
467	va_list ap;
468	char path[MAXPATHLEN];
469
470	if ((name == NULL || style == NULL) && as == NULL)
471		return (as);
472
473	if (as == NULL && (as = auth_open()) == NULL)
474		return (NULL);
475	auth_setstate(as, 0);
476
477	if (style != NULL && auth_setitem(as, AUTHV_STYLE, style) < 0)
478		return (as);
479
480	if (name != NULL && auth_setitem(as, AUTHV_NAME, name) < 0)
481		return (as);
482
483	style = auth_getitem(as, AUTHV_STYLE);
484	name = auth_getitem(as, AUTHV_NAME);
485
486	snprintf(path, sizeof(path), _PATH_AUTHPROG "%s", style);
487	va_start(ap, name);
488	auth_set_va_list(as, ap);
489	auth_call(as, path, auth_getitem(as, AUTHV_STYLE), "-s",
490	    auth_getitem(as, AUTHV_SERVICE), name, NULL);
491	return (as);
492}
493