Diffstat (limited to '')
-rw-r--r--src/auth.h54
-rw-r--r--src/auth/crypt.c122
-rw-r--r--src/auth/crypt.h41
-rw-r--r--src/auth/pam.c258
-rw-r--r--src/auth/pam.h56
5 files changed, 0 insertions, 531 deletions
diff --git a/src/auth.h b/src/auth.h
deleted file mode 100644
index 3851b95..0000000
--- a/src/auth.h
+++ /dev/null
@@ -1,54 +0,0 @@
-/**
- * cerberus – Minimal login program
- *
- * Copyright © 2013 Mattias Andrée (maandree@member.fsf.org)
- *
- * This program is free software: you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation, either version 3 of the License, or
- * (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program. If not, see <http://www.gnu.org/licenses/>.
- */
-#ifndef __AUTH_H__
-#define __AUTH_H__
-
-
-
-#if AUTH == 0
-
-#define close_login_session(...) /* do nothing */
-#define initialise_login(...) (void) hostname
-#define authenticate_login(...) 1
-#define verify_account(...) /* do nothing */
-#define open_login_session(...) /* do nothing */
-
-#elif AUTH == 1
-
-#include "auth/crypt.h"
-#define close_login_session(...) /* do nothing */
-#define initialise_login initialise_crypt
-#define authenticate_login authenticate_crypt
-#define verify_account(...) /* do nothing */
-#define open_login_session(...) /* do nothing */
-
-#elif AUTH == 2
-
-#include "auth/pam.h"
-#define close_login_session close_session_pam
-#define initialise_login initialise_pam
-#define authenticate_login authenticate_pam
-#define verify_account verify_account_pam
-#define open_login_session open_session_pam
-
-#endif
-
-
-#endif
-
diff --git a/src/auth/crypt.c b/src/auth/crypt.c
deleted file mode 100644
index 27238e2..0000000
--- a/src/auth/crypt.c
+++ /dev/null
@@ -1,122 +0,0 @@
-/**
- * cerberus – Minimal login program
- *
- * Copyright © 2013 Mattias Andrée (maandree@member.fsf.org)
- *
- * This program is free software: you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation, either version 3 of the License, or
- * (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program. If not, see <http://www.gnu.org/licenses/>.
- */
-#ifndef NO_SHADOW
-# ifndef HAVE_SHADOW
-# define HAVE_SHADOW
-# endif
-#endif
-
-#define _XOPEN_SOURCE
-#include <unistd.h>
-#include <stdio.h>
-#include <sys/types.h>
-#include <pwd.h>
-#include <string.h>
-#ifdef HAVE_SHADOW
-#include <shadow.h>
-#endif
-
-#include "../config.h"
-
-#include "crypt.h"
-
-
-#if !defined(__USE_SVID) && !defined(__USE_MISC) && !defined(__USE_XOPEN_EXTENDED)
-#define endpwent() /* do nothing */
-#endif
-
-
-/**
- * Function that can be used to read a passphrase from the terminal
- */
-static char* (*passphrase_reader)(void) = NULL;
-
-/**
- * The username of the user to log in to
- */
-static char* login_username;
-
-
-
-/**
- * Initialise crypt authentication module
- *
- * @param remote The remote computer, {@code NULL} for local login
- * @param username The username of the user to log in to
- * @param reader Function that can be used to read a passphrase from the terminal
- */
-void initialise_crypt(char* remote, char* username, char* (*reader)(void))
-{
- (void) remote;
-
- login_username = username;
- passphrase_reader = reader;
-}
-
-
-/**
- * Perform token authentication
- *
- * @return Whether the user got automatically authenticated
- */
-char authenticate_crypt(void)
-{
-#ifdef HAVE_SHADOW
- struct spwd* shadow_entry = NULL;
-#endif
- struct passwd* passwd_entry = NULL;
- char* crypted;
- char* entered;
-
-#ifdef HAVE_SHADOW
- shadow_entry = getspnam(login_username);
- endspent();
-
- if (shadow_entry)
- crypted = shadow_entry->sp_pwdp;
- else
- {
-#endif
- passwd_entry = getpwnam(login_username);
- if (passwd_entry)
- crypted = passwd_entry->pw_passwd;
- else
- {
- perror("getpwnam");
- endpwent();
- sleep(ERROR_SLEEP);
- _exit(1);
- }
- endpwent();
-#ifdef HAVE_SHADOW
- }
-#endif
-
- if (!(crypted && *crypted)) /* empty means that no passphrase is required (not even Enter) */
- return 1;
-
- entered = crypt(passphrase_reader(), crypted /* salt argument stops parsing when encrypted begins */);
- if (entered && !strcmp(entered, crypted))
- return 0;
-
- printf("Incorrect passphrase\n");
- sleep(FAILURE_SLEEP);
- _exit(1);
-}
-
diff --git a/src/auth/crypt.h b/src/auth/crypt.h
deleted file mode 100644
index e75c5b5..0000000
--- a/src/auth/crypt.h
+++ /dev/null
@@ -1,41 +0,0 @@
-/**
- * cerberus – Minimal login program
- *
- * Copyright © 2013 Mattias Andrée (maandree@member.fsf.org)
- *
- * This program is free software: you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation, either version 3 of the License, or
- * (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program. If not, see <http://www.gnu.org/licenses/>.
- */
-#ifndef __CRYPT_H__
-#define __CRYPT_H__
-
-
-/**
- * Initialise crypt authentication module
- *
- * @param remote The remote computer, {@code NULL} for local login
- * @param username The username of the user to log in to
- * @param reader Function that can be used to read a passphrase from the terminal
- */
-void initialise_crypt(char* remote, char* username, char* (*reader)(void));
-
-/**
- * Perform token authentication
- *
- * @return Whether the user got automatically authenticated
- */
-char authenticate_crypt(void);
-
-
-#endif
-
diff --git a/src/auth/pam.c b/src/auth/pam.c
deleted file mode 100644
index e02aed1..0000000
--- a/src/auth/pam.c
+++ /dev/null
@@ -1,258 +0,0 @@
-/**
- * cerberus – Minimal login program
- *
- * Copyright © 2013 Mattias Andrée (maandree@member.fsf.org)
- *
- * This program is free software: you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation, either version 3 of the License, or
- * (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program. If not, see <http://www.gnu.org/licenses/>.
- */
-#include <stdio.h>
-#include <unistd.h>
-#include <signal.h>
-#include <string.h>
-#include <security/pam_appl.h>
-#include <security/pam_misc.h>
-
-#include "../config.h"
-
-#include "pam.h"
-
-
-#define __failed(RC) ((RC) != PAM_SUCCESS)
-
-
-void quit_pam(int sig);
-
-int conv_pam(int num_msg, const struct pam_message** msg, struct pam_response** resp, void* appdata_ptr);
-
-
-/**
- * Old signal action for SIGHUP
- */
-struct sigaction signal_action_hup;
-
-/**
- * Old signal action for SIGTERM
- */
-struct sigaction signal_action_term;
-
-/**
- * The process ID of the child process, 0 if none
- */
-extern pid_t child_pid;
-
-/**
- * The PAM handle
- */
-static pam_handle_t* handle = NULL;
-
-/**
- * The PAM convention
- */
-static struct pam_conv conv = { conv_pam, NULL };
-
-/**
- * Whether the user was auto-authenticated
- */
-static char auto_authenticated = 1;
-
-/**
- * Function that can be used to read a passphrase from the terminal
- */
-static char* (*passphrase_reader)(void) = NULL;
-
-
-/**
- * Exit if a PAM instruction failed
- *
- * @param rc What the PAM instruction return
- */
-static void do_pam(int rc)
-{
- if (__failed(rc))
- {
- const char* msg = pam_strerror(handle, rc);
- if (msg)
- fprintf(stderr, "%s\n", msg);
- pam_end(handle, rc);
- sleep(ERROR_SLEEP);
- _exit(1);
- }
-}
-
-
-/**
- * Initialise PAM
- *
- * @param remote The remote computer, {@code NULL} for local login
- * @param username The username of the user to log in to
- * @param reader Function that can be used to read a passphrase from the terminal
- */
-void initialise_pam(char* remote, char* username, char* (*reader)(void))
-{
- passphrase_reader = reader;
-
- if (pam_start(remote ? "remote" : "local", username, &conv, &handle) != PAM_SUCCESS)
- {
- fprintf(stderr, "Cannot initialise PAM\n");
- sleep(ERROR_SLEEP);
- _exit(1);
- }
-
- do_pam(pam_set_item(handle, PAM_RHOST, remote ?: "localhost"));
- do_pam(pam_set_item(handle, PAM_TTY, ttyname(STDIN_FILENO) ?: "(none)"));
-}
-
-
-/**
- * Verify that the account may be used
- */
-void verify_account_pam(void)
-{
- /* FIXME freezes */
- /*
- int rc = pam_acct_mgmt(handle, 0);
- if (rc == PAM_NEW_AUTHTOK_REQD)
- rc = pam_chauthtok(handle, PAM_CHANGE_EXPIRED_AUTHTOK);
- do_pam(rc);
- */
-}
-
-
-/**
- * Open PAM session
- */
-void open_session_pam(void)
-{
- int rc;
- char** env;
- struct sigaction signal_action;
-
- do_pam(pam_setcred(handle, PAM_ESTABLISH_CRED));
-
- if (__failed(rc = pam_open_session(handle, 0)))
- {
- pam_setcred(handle, PAM_DELETE_CRED);
- do_pam(rc);
- }
-
- if (__failed(rc = pam_setcred(handle, PAM_REINITIALIZE_CRED)))
- {
- pam_close_session(handle, 0);
- do_pam(rc);
- }
-
- memset(&signal_action, 0, sizeof(signal_action));
- signal_action.sa_handler = SIG_IGN;
- sigaction(SIGINT, &signal_action, NULL);
- sigaction(SIGHUP, &signal_action, &signal_action_hup);
- signal_action.sa_handler = quit_pam;
- sigaction(SIGHUP, &signal_action, NULL);
- sigaction(SIGTERM, &signal_action, &signal_action_term);
-
- for (env = pam_getenvlist(handle); env && *env; env++)
- if (putenv(*env))
- {
- pam_setcred(handle, PAM_DELETE_CRED);
- pam_end(handle, pam_close_session(handle, 0));
- sleep(ERROR_SLEEP);
- _exit(1);
- }
-}
-
-
-/**
- * Close PAM session
- */
-void close_session_pam(void)
-{
- sigaction(SIGHUP, &signal_action_hup, NULL);
- sigaction(SIGTERM, &signal_action_term, NULL);
-
- pam_setcred(handle, PAM_DELETE_CRED);
- pam_end(handle, pam_close_session(handle, 0));
-}
-
-
-/**
- * Signal handler for cleanly exit PAM session
- *
- * @param sig The received signal
- */
-void quit_pam(int sig)
-{
- if (child_pid)
- kill(-child_pid, sig);
- if (sig == SIGTERM)
- kill(-child_pid, SIGHUP);
-
- pam_setcred(handle, PAM_DELETE_CRED);
- pam_end(handle, pam_close_session(handle, 0));
-
- _exit(sig);
-}
-
-
-/**
- * Perform token authentication
- *
- * @return Whether the user got automatically authenticated
- */
-char authenticate_pam(void)
-{
- int rc;
-
- if (__failed(rc = pam_authenticate(handle, 0)))
- {
- printf("Incorrect passphrase\n");
- pam_end(handle, rc);
- sleep(FAILURE_SLEEP);
- _exit(1);
- }
-
- return auto_authenticated;
-}
-
-
-/**
- * Callback function for converation between PAM this application
- *
- * @param num_msg Number of pointers in the array `msg`
- * @param msg Message from PAM
- * @param resp Pointer to responses to PAM for by index corresponding messages
- * @param appdata_ptr (Not used)
- * @return `PAM_SUCCESS`, `PAM_CONV_ERR` or `PAM_BUF_ERR`
- */
-int conv_pam(int num_msg, const struct pam_message** msg, struct pam_response** resp, void* appdata_ptr)
-{
- int i;
-
- (void) appdata_ptr;
-
- *resp = calloc(num_msg, sizeof(struct pam_response));
-
- for (i = 0; i < num_msg; i++)
- {
- ((*resp) + i)->resp = NULL;
- ((*resp) + i)->resp_retcode = 0;
-
- if ((**(msg + i)).msg_style == PAM_PROMPT_ECHO_OFF)
- {
- (*resp + i)->resp = passphrase_reader();
- auto_authenticated = 0;
- }
- }
-
- return PAM_SUCCESS;
-}
-
diff --git a/src/auth/pam.h b/src/auth/pam.h
deleted file mode 100644
index ee766df..0000000
--- a/src/auth/pam.h
+++ /dev/null
@@ -1,56 +0,0 @@
-/**
- * cerberus – Minimal login program
- *
- * Copyright © 2013 Mattias Andrée (maandree@member.fsf.org)
- *
- * This program is free software: you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation, either version 3 of the License, or
- * (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program. If not, see <http://www.gnu.org/licenses/>.
- */
-#ifndef __PAM_H__
-#define __PAM_H__
-
-
-/**
- * Initialise PAM
- *
- * @param remote The remote computer, {@code NULL} for local login
- * @param username The username of the user to log in to
- * @param reader Function that can be used to read a passphrase from the terminal
- */
-void initialise_pam(char* remote, char* username, char* (*reader)(void));
-
-/**
- * Verify that the account may be used
- */
-void verify_account_pam(void);
-
-/**
- * Open PAM session
- */
-void open_session_pam(void);
-
-/**
- * Close PAM session
- */
-void close_session_pam(void);
-
-/**
- * Perform token authentication
- *
- * @return Whether the user got automatically authenticated
- */
-char authenticate_pam(void);
-
-
-#endif
-