authorMattias Andrée <maandree@operamail.com>2013-11-22 09:45:40 +0100
committerMattias Andrée <maandree@operamail.com>2013-11-22 09:45:40 +0100
commit4b204339078eb55ba9309f1fd669b1792d6b43c6 (patch)
treeee1d4a016b24b92201ceada7c1b991a69d8e8af4
parentfix chmod and chown of tty device files (diff)
downloadlibpassphrase-4b204339078eb55ba9309f1fd669b1792d6b43c6.tar.gz
libpassphrase-4b204339078eb55ba9309f1fd669b1792d6b43c6.tar.bz2
libpassphrase-4b204339078eb55ba9309f1fd669b1792d6b43c6.tar.xz
add crypt auth module
Signed-off-by: Mattias Andrée <maandree@operamail.com>
-rw-r--r--Makefile6
-rw-r--r--configurable-definitions6
-rw-r--r--src/auth.h9
-rw-r--r--src/auth/crypt.c122
-rw-r--r--src/auth/crypt.h41
-rw-r--r--src/cerberus.c2
6 files changed, 185 insertions, 1 deletions
diff --git a/Makefile b/Makefile
index b0518f5..8e112d5 100644
--- a/Makefile
+++ b/Makefile
@@ -26,7 +26,8 @@ PATH = $(_LB):$(_UB):$(_SB)
PATH_ROOT = $(_LS):$(_LB):$(_US):$(_UB):$(_SS):$(_SB)
auth_none = 0
-auth_pam = 1
+auth_crypt = 1
+auth_pam = 2
H = \#
VCS_LEN = $(shell vcs="$(VCS)" ; echo "$${$(H)vcs}")
@@ -42,6 +43,9 @@ OPTIMISE = -Os
CPPFLAGS = $(EXTRA_CPP_FLAGS) $(STR_CPPFLAGS) $(VRB_CPPFLAGS)
CFLAGS = -std=gnu99 -Wall -Wextra
LDFLAGS =
+ifeq ($(AUTH),crypt)
+LDFLAGS += -lcrypt
+endif
ifeq ($(AUTH),pam)
LDFLAGS += -lpam
endif
diff --git a/configurable-definitions b/configurable-definitions
index bbc3135..8d5a946 100644
--- a/configurable-definitions
+++ b/configurable-definitions
@@ -40,4 +40,10 @@ AUTH (default: pam, type: name)
pam -- Pluggable Authentication Module (PAM)
none -- Always auto-authenticate
+ crypt -- Authenticate with crypt and /etc/shadow or /etc/passwd
+
+
+NO_SHADOW (default: undefined, type: #ifdef, required: AUTH=crypt)
+
+ Do not use /etc/shadow (shadow.h) unless HAVE_SHADOW is definied
diff --git a/src/auth.h b/src/auth.h
index c24a70d..3851b95 100644
--- a/src/auth.h
+++ b/src/auth.h
@@ -31,6 +31,15 @@
#elif AUTH == 1
+#include "auth/crypt.h"
+#define close_login_session(...) /* do nothing */
+#define initialise_login initialise_crypt
+#define authenticate_login authenticate_crypt
+#define verify_account(...) /* do nothing */
+#define open_login_session(...) /* do nothing */
+
+#elif AUTH == 2
+
#include "auth/pam.h"
#define close_login_session close_session_pam
#define initialise_login initialise_pam
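Review bot: `verify_account(...)` expands to nothing for the crypt backend, so with AUTH set to crypt no step checks whether the account or its password has expired. The shadow entry that `authenticate_crypt` fetches carries `sp_expire`, `sp_lstchg` and `sp_max`, but only `sp_pwdp` is read, so an expired account whose hash still matches would be accepted. Either map `verify_account` to a small function in src/auth/crypt.c that checks those fields, or state the limitation beside the define, e.g. `/* crypt backend: account and password expiry from /etc/shadow are NOT enforced */`. The `#if`/`#elif` chain this branch belongs to starts and ends outside the hunk.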
diff --git a/src/auth/crypt.c b/src/auth/crypt.c
new file mode 100644
index 0000000..27238e2
--- /dev/null
+++ b/src/auth/crypt.c
@@ -0,0 +1,122 @@
+/**
+ * cerberus – Minimal login program
+ *
+ * Copyright © 2013 Mattias Andrée (maandree@member.fsf.org)
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ */
+#ifndef NO_SHADOW
+# ifndef HAVE_SHADOW
+# define HAVE_SHADOW
+# endif
+#endif
+
+#define _XOPEN_SOURCE
+#include <unistd.h>
+#include <stdio.h>
+#include <sys/types.h>
+#include <pwd.h>
+#include <string.h>
+#ifdef HAVE_SHADOW
+#include <shadow.h>
+#endif
+
+#include "../config.h"
+
+#include "crypt.h"
+
+
+#if !defined(__USE_SVID) && !defined(__USE_MISC) && !defined(__USE_XOPEN_EXTENDED)
+#define endpwent() /* do nothing */
+#endif
+
+
+/**
+ * Function that can be used to read a passphrase from the terminal
+ */
+static char* (*passphrase_reader)(void) = NULL;
+
+/**
+ * The username of the user to log in to
+ */
+static char* login_username;
+
+
+
+/**
+ * Initialise crypt authentication module
+ *
+ * @param remote The remote computer, {@code NULL} for local login
+ * @param username The username of the user to log in to
+ * @param reader Function that can be used to read a passphrase from the terminal
+ */
+void initialise_crypt(char* remote, char* username, char* (*reader)(void))
+{
+ (void) remote;
+
+ login_username = username;
+ passphrase_reader = reader;
+}
+
+
+/**
+ * Perform token authentication
+ *
+ * @return Whether the user got automatically authenticated
+ */
+char authenticate_crypt(void)
+{
+#ifdef HAVE_SHADOW
+ struct spwd* shadow_entry = NULL;
+#endif
+ struct passwd* passwd_entry = NULL;
+ char* crypted;
+ char* entered;
+
+#ifdef HAVE_SHADOW
+ shadow_entry = getspnam(login_username);
+ endspent();
+
+ if (shadow_entry)
+ crypted = shadow_entry->sp_pwdp;
+ else
+ {
+#endif
+ passwd_entry = getpwnam(login_username);
+ if (passwd_entry)
+ crypted = passwd_entry->pw_passwd;
+ else
+ {
+ perror("getpwnam");
+ endpwent();
+ sleep(ERROR_SLEEP);
+ _exit(1);
+ }
+ endpwent();
+#ifdef HAVE_SHADOW
+ }
+#endif
+
+ if (!(crypted && *crypted)) /* empty means that no passphrase is required (not even Enter) */
+ return 1;
+
+ entered = crypt(passphrase_reader(), crypted /* salt argument stops parsing when encrypted begins */);
+ if (entered && !strcmp(entered, crypted))
+ return 0;
+
+ printf("Incorrect passphrase\n");
+ sleep(FAILURE_SLEEP);
+ _exit(1);
+}
+
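Review bot: The result of `passphrase_reader()` is passed straight to `crypt()` on the `entered = crypt(...)` line, so a NULL return from the reader (end of input, allocation failure) is dereferenced inside `crypt()`, and the plaintext passphrase is never cleared after hashing. I would hold the pointer in a local, leave through the same `sleep(ERROR_SLEEP); _exit(1);` path on NULL, and overwrite the buffer once `crypt()` has returned. This assumes the reader returns a writable buffer, as its `char*` type suggests; who frees it is not visible in this file. The whole function is inside this hunk, since the file is new.

```c
  char* passphrase;
  /* … unchanged: shadow/passwd lookup and the empty-hash early return … */

  passphrase = passphrase_reader();
  if (passphrase == NULL)
    {
      sleep(ERROR_SLEEP);
      _exit(1);
    }
  entered = crypt(passphrase, crypted);
  /* clear the plaintext as soon as the hash exists; volatile keeps the stores from being optimised out */
  for (volatile char* p = passphrase; *p; p++)
    *p = 0;
  if (entered && !strcmp(entered, crypted))
    return 0;
  /* … unchanged: "Incorrect passphrase" message, sleep, _exit … */
```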
diff --git a/src/auth/crypt.h b/src/auth/crypt.h
new file mode 100644
index 0000000..e75c5b5
--- /dev/null
+++ b/src/auth/crypt.h
@@ -0,0 +1,41 @@
+/**
+ * cerberus – Minimal login program
+ *
+ * Copyright © 2013 Mattias Andrée (maandree@member.fsf.org)
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ */
+#ifndef __CRYPT_H__
+#define __CRYPT_H__
+
+
+/**
+ * Initialise crypt authentication module
+ *
+ * @param remote The remote computer, {@code NULL} for local login
+ * @param username The username of the user to log in to
+ * @param reader Function that can be used to read a passphrase from the terminal
+ */
+void initialise_crypt(char* remote, char* username, char* (*reader)(void));
+
+/**
+ * Perform token authentication
+ *
+ * @return Whether the user got automatically authenticated
+ */
+char authenticate_crypt(void);
+
+
+#endif
+
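Review bot: The comment on `initialise_crypt` does not say that the module keeps the `username` pointer instead of copying it, yet `authenticate_crypt` in src/auth/crypt.c later passes that pointer to `getspnam()` and `getpwnam()`. If a caller hands in a pointer into an earlier `getpwnam()` result, the lookup key would sit in storage that the lookup itself may overwrite. src/cerberus.c assigns `username = entry->pw_name` in this same commit, though whether that value reaches this function is not visible here. I would extend the `@param username` line with `must stay valid until authenticate_crypt returns and must not point into getpwnam()/getspnam() static storage`, or have the module keep its own copy. The `@return` text on `authenticate_crypt` could also spell out that 1 means the account has no passphrase, 0 means the entered passphrase matched, and a mismatch ends the process instead of returning.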
diff --git a/src/cerberus.c b/src/cerberus.c
index e52a48f..c555a2b 100644
--- a/src/cerberus.c
+++ b/src/cerberus.c
@@ -196,6 +196,7 @@ void do_login(int argc, char** argv)
#ifdef USE_TTY_GROUP
if ((group = getgrnam(TTY_GROUP)))
tty_group = group->gr_gid;
+ endgrent();
#endif
secure_tty(tty_group);
@@ -223,6 +224,7 @@ void do_login(int argc, char** argv)
sleep(ERROR_SLEEP);
_exit(1);
}
+ endpwent();
username = entry->pw_name;