diff options
Diffstat (limited to '')
-rw-r--r-- | src/auth.h | 54 | ||||
-rw-r--r-- | src/auth/crypt.c | 122 | ||||
-rw-r--r-- | src/auth/crypt.h | 41 | ||||
-rw-r--r-- | src/auth/pam.c | 258 | ||||
-rw-r--r-- | src/auth/pam.h | 56 |
5 files changed, 0 insertions, 531 deletions
diff --git a/src/auth.h b/src/auth.h deleted file mode 100644 index 3851b95..0000000 --- a/src/auth.h +++ /dev/null @@ -1,54 +0,0 @@ -/** - * cerberus – Minimal login program - * - * Copyright © 2013 Mattias Andrée (maandree@member.fsf.org) - * - * This program is free software: you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation, either version 3 of the License, or - * (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program. If not, see <http://www.gnu.org/licenses/>. - */ -#ifndef __AUTH_H__ -#define __AUTH_H__ - - - -#if AUTH == 0 - -#define close_login_session(...) /* do nothing */ -#define initialise_login(...) (void) hostname -#define authenticate_login(...) 1 -#define verify_account(...) /* do nothing */ -#define open_login_session(...) /* do nothing */ - -#elif AUTH == 1 - -#include "auth/crypt.h" -#define close_login_session(...) /* do nothing */ -#define initialise_login initialise_crypt -#define authenticate_login authenticate_crypt -#define verify_account(...) /* do nothing */ -#define open_login_session(...) /* do nothing */ - -#elif AUTH == 2 - -#include "auth/pam.h" -#define close_login_session close_session_pam -#define initialise_login initialise_pam -#define authenticate_login authenticate_pam -#define verify_account verify_account_pam -#define open_login_session open_session_pam - -#endif - - -#endif - diff --git a/src/auth/crypt.c b/src/auth/crypt.c deleted file mode 100644 index 27238e2..0000000 --- a/src/auth/crypt.c +++ /dev/null @@ -1,122 +0,0 @@ -/** - * cerberus – Minimal login program - * - * Copyright © 2013 Mattias Andrée (maandree@member.fsf.org) - * - * This program is free software: you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation, either version 3 of the License, or - * (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program. If not, see <http://www.gnu.org/licenses/>. - */ -#ifndef NO_SHADOW -# ifndef HAVE_SHADOW -# define HAVE_SHADOW -# endif -#endif - -#define _XOPEN_SOURCE -#include <unistd.h> -#include <stdio.h> -#include <sys/types.h> -#include <pwd.h> -#include <string.h> -#ifdef HAVE_SHADOW -#include <shadow.h> -#endif - -#include "../config.h" - -#include "crypt.h" - - -#if !defined(__USE_SVID) && !defined(__USE_MISC) && !defined(__USE_XOPEN_EXTENDED) -#define endpwent() /* do nothing */ -#endif - - -/** - * Function that can be used to read a passphrase from the terminal - */ -static char* (*passphrase_reader)(void) = NULL; - -/** - * The username of the user to log in to - */ -static char* login_username; - - - -/** - * Initialise crypt authentication module - * - * @param remote The remote computer, {@code NULL} for local login - * @param username The username of the user to log in to - * @param reader Function that can be used to read a passphrase from the terminal - */ -void initialise_crypt(char* remote, char* username, char* (*reader)(void)) -{ - (void) remote; - - login_username = username; - passphrase_reader = reader; -} - - -/** - * Perform token authentication - * - * @return Whether the user got automatically authenticated - */ -char authenticate_crypt(void) -{ -#ifdef HAVE_SHADOW - struct spwd* shadow_entry = NULL; -#endif - struct passwd* passwd_entry = NULL; - char* crypted; - char* entered; - -#ifdef HAVE_SHADOW - shadow_entry = getspnam(login_username); - endspent(); - - if (shadow_entry) - crypted = shadow_entry->sp_pwdp; - else - { -#endif - passwd_entry = getpwnam(login_username); - if (passwd_entry) - crypted = passwd_entry->pw_passwd; - else - { - perror("getpwnam"); - endpwent(); - sleep(ERROR_SLEEP); - _exit(1); - } - endpwent(); -#ifdef HAVE_SHADOW - } -#endif - - if (!(crypted && *crypted)) /* empty means that no passphrase is required (not even Enter) */ - return 1; - - entered = crypt(passphrase_reader(), crypted /* salt argument stops parsing when encrypted begins */); - if (entered && !strcmp(entered, crypted)) - return 0; - - printf("Incorrect passphrase\n"); - sleep(FAILURE_SLEEP); - _exit(1); -} - diff --git a/src/auth/crypt.h b/src/auth/crypt.h deleted file mode 100644 index e75c5b5..0000000 --- a/src/auth/crypt.h +++ /dev/null @@ -1,41 +0,0 @@ -/** - * cerberus – Minimal login program - * - * Copyright © 2013 Mattias Andrée (maandree@member.fsf.org) - * - * This program is free software: you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation, either version 3 of the License, or - * (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program. If not, see <http://www.gnu.org/licenses/>. - */ -#ifndef __CRYPT_H__ -#define __CRYPT_H__ - - -/** - * Initialise crypt authentication module - * - * @param remote The remote computer, {@code NULL} for local login - * @param username The username of the user to log in to - * @param reader Function that can be used to read a passphrase from the terminal - */ -void initialise_crypt(char* remote, char* username, char* (*reader)(void)); - -/** - * Perform token authentication - * - * @return Whether the user got automatically authenticated - */ -char authenticate_crypt(void); - - -#endif - diff --git a/src/auth/pam.c b/src/auth/pam.c deleted file mode 100644 index e02aed1..0000000 --- a/src/auth/pam.c +++ /dev/null @@ -1,258 +0,0 @@ -/** - * cerberus – Minimal login program - * - * Copyright © 2013 Mattias Andrée (maandree@member.fsf.org) - * - * This program is free software: you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation, either version 3 of the License, or - * (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program. If not, see <http://www.gnu.org/licenses/>. - */ -#include <stdio.h> -#include <unistd.h> -#include <signal.h> -#include <string.h> -#include <security/pam_appl.h> -#include <security/pam_misc.h> - -#include "../config.h" - -#include "pam.h" - - -#define __failed(RC) ((RC) != PAM_SUCCESS) - - -void quit_pam(int sig); - -int conv_pam(int num_msg, const struct pam_message** msg, struct pam_response** resp, void* appdata_ptr); - - -/** - * Old signal action for SIGHUP - */ -struct sigaction signal_action_hup; - -/** - * Old signal action for SIGTERM - */ -struct sigaction signal_action_term; - -/** - * The process ID of the child process, 0 if none - */ -extern pid_t child_pid; - -/** - * The PAM handle - */ -static pam_handle_t* handle = NULL; - -/** - * The PAM convention - */ -static struct pam_conv conv = { conv_pam, NULL }; - -/** - * Whether the user was auto-authenticated - */ -static char auto_authenticated = 1; - -/** - * Function that can be used to read a passphrase from the terminal - */ -static char* (*passphrase_reader)(void) = NULL; - - -/** - * Exit if a PAM instruction failed - * - * @param rc What the PAM instruction return - */ -static void do_pam(int rc) -{ - if (__failed(rc)) - { - const char* msg = pam_strerror(handle, rc); - if (msg) - fprintf(stderr, "%s\n", msg); - pam_end(handle, rc); - sleep(ERROR_SLEEP); - _exit(1); - } -} - - -/** - * Initialise PAM - * - * @param remote The remote computer, {@code NULL} for local login - * @param username The username of the user to log in to - * @param reader Function that can be used to read a passphrase from the terminal - */ -void initialise_pam(char* remote, char* username, char* (*reader)(void)) -{ - passphrase_reader = reader; - - if (pam_start(remote ? "remote" : "local", username, &conv, &handle) != PAM_SUCCESS) - { - fprintf(stderr, "Cannot initialise PAM\n"); - sleep(ERROR_SLEEP); - _exit(1); - } - - do_pam(pam_set_item(handle, PAM_RHOST, remote ?: "localhost")); - do_pam(pam_set_item(handle, PAM_TTY, ttyname(STDIN_FILENO) ?: "(none)")); -} - - -/** - * Verify that the account may be used - */ -void verify_account_pam(void) -{ - /* FIXME freezes */ - /* - int rc = pam_acct_mgmt(handle, 0); - if (rc == PAM_NEW_AUTHTOK_REQD) - rc = pam_chauthtok(handle, PAM_CHANGE_EXPIRED_AUTHTOK); - do_pam(rc); - */ -} - - -/** - * Open PAM session - */ -void open_session_pam(void) -{ - int rc; - char** env; - struct sigaction signal_action; - - do_pam(pam_setcred(handle, PAM_ESTABLISH_CRED)); - - if (__failed(rc = pam_open_session(handle, 0))) - { - pam_setcred(handle, PAM_DELETE_CRED); - do_pam(rc); - } - - if (__failed(rc = pam_setcred(handle, PAM_REINITIALIZE_CRED))) - { - pam_close_session(handle, 0); - do_pam(rc); - } - - memset(&signal_action, 0, sizeof(signal_action)); - signal_action.sa_handler = SIG_IGN; - sigaction(SIGINT, &signal_action, NULL); - sigaction(SIGHUP, &signal_action, &signal_action_hup); - signal_action.sa_handler = quit_pam; - sigaction(SIGHUP, &signal_action, NULL); - sigaction(SIGTERM, &signal_action, &signal_action_term); - - for (env = pam_getenvlist(handle); env && *env; env++) - if (putenv(*env)) - { - pam_setcred(handle, PAM_DELETE_CRED); - pam_end(handle, pam_close_session(handle, 0)); - sleep(ERROR_SLEEP); - _exit(1); - } -} - - -/** - * Close PAM session - */ -void close_session_pam(void) -{ - sigaction(SIGHUP, &signal_action_hup, NULL); - sigaction(SIGTERM, &signal_action_term, NULL); - - pam_setcred(handle, PAM_DELETE_CRED); - pam_end(handle, pam_close_session(handle, 0)); -} - - -/** - * Signal handler for cleanly exit PAM session - * - * @param sig The received signal - */ -void quit_pam(int sig) -{ - if (child_pid) - kill(-child_pid, sig); - if (sig == SIGTERM) - kill(-child_pid, SIGHUP); - - pam_setcred(handle, PAM_DELETE_CRED); - pam_end(handle, pam_close_session(handle, 0)); - - _exit(sig); -} - - -/** - * Perform token authentication - * - * @return Whether the user got automatically authenticated - */ -char authenticate_pam(void) -{ - int rc; - - if (__failed(rc = pam_authenticate(handle, 0))) - { - printf("Incorrect passphrase\n"); - pam_end(handle, rc); - sleep(FAILURE_SLEEP); - _exit(1); - } - - return auto_authenticated; -} - - -/** - * Callback function for converation between PAM this application - * - * @param num_msg Number of pointers in the array `msg` - * @param msg Message from PAM - * @param resp Pointer to responses to PAM for by index corresponding messages - * @param appdata_ptr (Not used) - * @return `PAM_SUCCESS`, `PAM_CONV_ERR` or `PAM_BUF_ERR` - */ -int conv_pam(int num_msg, const struct pam_message** msg, struct pam_response** resp, void* appdata_ptr) -{ - int i; - - (void) appdata_ptr; - - *resp = calloc(num_msg, sizeof(struct pam_response)); - - for (i = 0; i < num_msg; i++) - { - ((*resp) + i)->resp = NULL; - ((*resp) + i)->resp_retcode = 0; - - if ((**(msg + i)).msg_style == PAM_PROMPT_ECHO_OFF) - { - (*resp + i)->resp = passphrase_reader(); - auto_authenticated = 0; - } - } - - return PAM_SUCCESS; -} - diff --git a/src/auth/pam.h b/src/auth/pam.h deleted file mode 100644 index ee766df..0000000 --- a/src/auth/pam.h +++ /dev/null @@ -1,56 +0,0 @@ -/** - * cerberus – Minimal login program - * - * Copyright © 2013 Mattias Andrée (maandree@member.fsf.org) - * - * This program is free software: you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation, either version 3 of the License, or - * (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program. If not, see <http://www.gnu.org/licenses/>. - */ -#ifndef __PAM_H__ -#define __PAM_H__ - - -/** - * Initialise PAM - * - * @param remote The remote computer, {@code NULL} for local login - * @param username The username of the user to log in to - * @param reader Function that can be used to read a passphrase from the terminal - */ -void initialise_pam(char* remote, char* username, char* (*reader)(void)); - -/** - * Verify that the account may be used - */ -void verify_account_pam(void); - -/** - * Open PAM session - */ -void open_session_pam(void); - -/** - * Close PAM session - */ -void close_session_pam(void); - -/** - * Perform token authentication - * - * @return Whether the user got automatically authenticated - */ -char authenticate_pam(void); - - -#endif - |