From 094cd2dbd5e79e8ad607286f8af2ebd27fd8ed7a Mon Sep 17 00:00:00 2001 From: Mattias Andrée Date: Fri, 22 Nov 2013 06:31:37 +0100 Subject: optionally use PAM MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Mattias Andrée --- Makefile | 24 +++-- configurable-definitions | 24 +++-- src/auth.h | 45 +++++++++ src/auth/pam.c | 258 +++++++++++++++++++++++++++++++++++++++++++++++ src/auth/pam.h | 56 ++++++++++ src/cerberus.c | 12 +-- src/cerberus.h | 2 +- src/pam.c | 258 ----------------------------------------------- src/pam.h | 56 ---------- 9 files changed, 399 insertions(+), 336 deletions(-) create mode 100644 src/auth.h create mode 100644 src/auth/pam.c create mode 100644 src/auth/pam.h delete mode 100644 src/pam.c delete mode 100644 src/pam.h diff --git a/Makefile b/Makefile index 185cc4c..fa4d685 100644 --- a/Makefile +++ b/Makefile @@ -14,6 +14,7 @@ _LS = $(LOCAL_PREFIX)$(SBIN) _US = $(USR_PREFIX)$(SBIN) _SS = $(SBIN) +AUTH = pam TTY_GROUP = tty DEFAULT_HOME = / DEFAULT_SH = sh 
@@ -24,26 +25,35 @@ VCSA = $(DEV)/vcsa PATH = $(_LB):$(_UB):$(_SB) PATH_ROOT = $(_LS):$(_LB):$(_US):$(_UB):$(_SS):$(_SB) +auth_none = 0 +auth_pam = 1 + H = \# VCS_LEN = $(shell vcs="$(VCS)" ; echo "$${$(H)vcs}") VCSA_LEN = $(shell vcsa="$(VCSA)" ; echo "$${$(H)vcsa}") VCS_VCSA_LEN = $(shell (echo $(VCS_LEN) ; echo $(VCSA_LEN)) | sort -n | tail -n 1) STR_DEFS = TTY_GROUP DEFAULT_HOME DEFAULT_SH DEFAULT_SHELL DEFAULT_TERM PATH PATH_ROOT VCS VCSA -INT_DEFS = VCS_LEN VCSA_LEN VCS_VCSA_LEN +VRB_DEFS = VCS_LEN VCSA_LEN VCS_VCSA_LEN STR_CPPFLAGS = $(foreach D, $(STR_DEFS), -D'$(D)="$($(D))"') -INT_CPPFLAGS = $(foreach D, $(INT_DEFS), -D'$(D)=$($(D))') +VRB_CPPFLAGS = $(foreach D, $(VRB_DEFS), -D'$(D)=$($(D))') -DAUTH=$(auth_$(AUTH)) OPTIMISE = -Os -CPPFLAGS = $(EXTRA_CPP_FLAGS) $(STR_CPPFLAGS) $(INT_CPPFLAGS) -LDFLAGS = -lpam +CPPFLAGS = $(EXTRA_CPP_FLAGS) $(STR_CPPFLAGS) $(VRB_CPPFLAGS) CFLAGS = -std=gnu99 -Wall -Wextra +LDFLAGS = +ifeq ($(AUTH),pam) +LDFLAGS += -lpam +endif CC_FLAGS = $(CPPFLAGS) $(CFLAGS) $(OPTIMISE) LD_FLAGS = $(LDFLAGS) $(CFLAGS) $(OPTIMISE) -SRC = cerberus passphrase quit security login pam +SRC = cerberus passphrase quit security login +ifneq ($(AUTH),none) +SRC += auth/$(AUTH) +endif OBJ = $(foreach S, $(SRC), obj/$(S).o) @@ -56,9 +66,9 @@ bin/cerberus: $(OBJ) $(CC) $(LD_FLAGS) -o "$@" $^ -obj/cerberus.o: $(foreach H, $(SRC), src/$(H).h) +obj/cerberus.o: $(foreach H, $(SRC), src/$(H).h) src/auth.h obj/%.o: src/%.c src/%.h src/config.h - @mkdir -p obj + @mkdir -p "$(shell dirname "$@")" $(CC) $(CC_FLAGS) -o "$@" -c "$<" diff --git a/configurable-definitions b/configurable-definitions index 991f0b5..bbc3135 100644 --- a/configurable-definitions +++ b/configurable-definitions 
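Review bot: An AUTH value other than `pam` or `none` is not rejected here: `-DAUTH=$(auth_$(AUTH))` expands an unknown name to a bare `-DAUTH=`, and the build then fails inside `#if AUTH == 0` in src/auth.h with a preprocessor diagnostic that never mentions AUTH. A guard next to the `auth_none`/`auth_pam` table makes the misconfiguration explicit and fails closed on purpose: `ifeq ($(auth_$(AUTH)),)` / `$(error unknown AUTH backend "$(AUTH)"; use pam or none)` / `endif`. Because `none` produces a login binary that accepts every user without a passphrase, the `AUTH = pam` default in the first hunk should also carry a one-line warning, e.g. `# AUTH = none builds a login that authenticates nobody; test images only`.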
@@ -1,35 +1,43 @@ TTY_PERM (default: 0600, type: int) - Mode for TTY devices + Mode for TTY devices USE_TTY_GROUP (default: undefinied, type: #ifdef) - Use the group tty for group ownership of TTY devices + Use the group tty for group ownership of TTY devices FAILURE_SLEEP (default: 5, type: float) - Number of seconds to sleep on login failure + Number of seconds to sleep on login failure ERROR_SLEEP (default: 2, type: float) - Number of seconds to sleep on error, - so the user has time to read the error message + Number of seconds to sleep on error, + so the user has time to read the error message TIMEOUT_SECONDS (default: 60, type: int) - Number of seconds before timeout when waiting for a passphrase + Number of seconds before timeout when waiting for a passphrase OWN_VCSA (default: undefinied, type: #ifdef) - Take ownership of and change mode of VCSA device + Take ownership of and change mode of VCSA device OWN_VCS (default: undefinied, type: #ifdef) - Take ownership of and change mode of VCS device + Take ownership of and change mode of VCS device + + +AUTH (default: pam, type: name) + + Authentication module. One of: + + pam -- Pluggable Authentication Module (PAM) + none -- Always auto-authenticate diff --git a/src/auth.h b/src/auth.h new file mode 100644 index 0000000..c24a70d --- /dev/null +++ b/src/auth.h 
@@ -0,0 +1,45 @@
+/**
+ * cerberus – Minimal login program
+ *
+ * Copyright © 2013 Mattias Andrée (maandree@member.fsf.org)
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see .
+ */
+#ifndef __AUTH_H__
+#define __AUTH_H__
+
+
+
+#if AUTH == 0
+
+#define close_login_session(...) /* do nothing */
+#define initialise_login(...) (void) hostname
+#define authenticate_login(...) 1
+#define verify_account(...) /* do nothing */
+#define open_login_session(...) /* do nothing */
+
+#elif AUTH == 1
+
+#include "auth/pam.h"
+#define close_login_session close_session_pam
+#define initialise_login initialise_pam
+#define authenticate_login authenticate_pam
+#define verify_account verify_account_pam
+#define open_login_session open_session_pam
+
+#endif
+
+
+#endif
+
diff --git a/src/auth/pam.c b/src/auth/pam.c
new file mode 100644
index 0000000..e02aed1
--- /dev/null
+++ b/src/auth/pam.c
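Review bot: The `#if AUTH == 0` / `#elif AUTH == 1` chain has no fallback, so any other AUTH value leaves `authenticate_login` and the other four names undefined and the mistake only surfaces as undeclared-function diagnostics at the call sites in cerberus.c; add `#else` / `#error "unsupported AUTH backend"` before the closing `#endif` of the chain. The `AUTH == 0` branch needs an explicit warning comment, because `authenticate_login(...) 1` makes every user auto-authenticated and `verify_account(...)` drops even the account checks — something like `/* AUTH == 0: no authentication at all, every login succeeds. Test builds only. */`. `initialise_login(...) (void) hostname` ignores its arguments and instead names a variable from the caller's scope, so it compiles only where the first argument happens to be called `hostname`; a macro with named parameters, `#define initialise_login(remote, user, reader) ((void) (remote), (void) (user), (void) (reader))`, silences the same unused-variable warnings without that coupling. The guard `__AUTH_H__` is a reserved identifier (double underscore); `CERBERUS_AUTH_H` would be the conventional spelling.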
@@ -0,0 +1,258 @@ +/** + * cerberus – Minimal login program + * + * Copyright © 2013 Mattias Andrée (maandree@member.fsf.org) + * + * This program is free software: you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation, either version 3 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program. If not, see . + */ +#include +#include +#include +#include +#include +#include + +#include "../config.h" + +#include "pam.h" + + +#define __failed(RC) ((RC) != PAM_SUCCESS) + + +void quit_pam(int sig); + +int conv_pam(int num_msg, const struct pam_message** msg, struct pam_response** resp, void* appdata_ptr); + + +/** + * Old signal action for SIGHUP + */ +struct sigaction signal_action_hup; + +/** + * Old signal action for SIGTERM + */ +struct sigaction signal_action_term; + +/** + * The process ID of the child process, 0 if none + */ +extern pid_t child_pid; + +/** + * The PAM handle + */ +static pam_handle_t* handle = NULL; + +/** + * The PAM convention + */ +static struct pam_conv conv = { conv_pam, NULL }; + +/** + * Whether the user was auto-authenticated + */ +static char auto_authenticated = 1; + +/** + * Function that can be used to read a passphrase from the terminal + */ +static char* (*passphrase_reader)(void) = NULL; + + +/** + * Exit if a PAM instruction failed + * + * @param rc What the PAM instruction return + */ +static void do_pam(int rc) +{ + if (__failed(rc)) + { + const char* msg = pam_strerror(handle, rc); + if (msg) + fprintf(stderr, "%s\n", msg); + pam_end(handle, rc); + sleep(ERROR_SLEEP); + _exit(1); + } +} + + 
+/** + * Initialise PAM + * + * @param remote The remote computer, {@code NULL} for local login + * @param username The username of the user to log in to + * @param reader Function that can be used to read a passphrase from the terminal + */ +void initialise_pam(char* remote, char* username, char* (*reader)(void)) +{ + passphrase_reader = reader; + + if (pam_start(remote ? "remote" : "local", username, &conv, &handle) != PAM_SUCCESS) + { + fprintf(stderr, "Cannot initialise PAM\n"); + sleep(ERROR_SLEEP); + _exit(1); + } + + do_pam(pam_set_item(handle, PAM_RHOST, remote ?: "localhost")); + do_pam(pam_set_item(handle, PAM_TTY, ttyname(STDIN_FILENO) ?: "(none)")); +} + + +/** + * Verify that the account may be used + */ +void verify_account_pam(void) +{ + /* FIXME freezes */ + /* + int rc = pam_acct_mgmt(handle, 0); + if (rc == PAM_NEW_AUTHTOK_REQD) + rc = pam_chauthtok(handle, PAM_CHANGE_EXPIRED_AUTHTOK); + do_pam(rc); + */ +} + + +/** + * Open PAM session + */ +void open_session_pam(void) +{ + int rc; + char** env; + struct sigaction signal_action; + + do_pam(pam_setcred(handle, PAM_ESTABLISH_CRED)); + + if (__failed(rc = pam_open_session(handle, 0))) + { + pam_setcred(handle, PAM_DELETE_CRED); + do_pam(rc); + } + + if (__failed(rc = pam_setcred(handle, PAM_REINITIALIZE_CRED))) + { + pam_close_session(handle, 0); + do_pam(rc); + } + + memset(&signal_action, 0, sizeof(signal_action)); + signal_action.sa_handler = SIG_IGN; + sigaction(SIGINT, &signal_action, NULL); + sigaction(SIGHUP, &signal_action, &signal_action_hup); + signal_action.sa_handler = quit_pam; + sigaction(SIGHUP, &signal_action, NULL); + sigaction(SIGTERM, &signal_action, &signal_action_term); + + for (env = pam_getenvlist(handle); env && *env; env++) + if (putenv(*env)) + { + pam_setcred(handle, PAM_DELETE_CRED); + pam_end(handle, pam_close_session(handle, 0)); + sleep(ERROR_SLEEP); + _exit(1); + } +} + + +/** + * Close PAM session + */ +void close_session_pam(void) +{ + sigaction(SIGHUP, 
&signal_action_hup, NULL); + sigaction(SIGTERM, &signal_action_term, NULL); + + pam_setcred(handle, PAM_DELETE_CRED); + pam_end(handle, pam_close_session(handle, 0)); +} + + +/** + * Signal handler for cleanly exit PAM session + * + * @param sig The received signal + */ +void quit_pam(int sig) +{ + if (child_pid) + kill(-child_pid, sig); + if (sig == SIGTERM) + kill(-child_pid, SIGHUP); + + pam_setcred(handle, PAM_DELETE_CRED); + pam_end(handle, pam_close_session(handle, 0)); + + _exit(sig); +} + + +/** + * Perform token authentication + * + * @return Whether the user got automatically authenticated + */ +char authenticate_pam(void) +{ + int rc; + + if (__failed(rc = pam_authenticate(handle, 0))) + { + printf("Incorrect passphrase\n"); + pam_end(handle, rc); + sleep(FAILURE_SLEEP); + _exit(1); + } + + return auto_authenticated; +} + + +/** + * Callback function for converation between PAM this application + * + * @param num_msg Number of pointers in the array `msg` + * @param msg Message from PAM + * @param resp Pointer to responses to PAM for by index corresponding messages + * @param appdata_ptr (Not used) + * @return `PAM_SUCCESS`, `PAM_CONV_ERR` or `PAM_BUF_ERR` + */ +int conv_pam(int num_msg, const struct pam_message** msg, struct pam_response** resp, void* appdata_ptr) +{ + int i; + + (void) appdata_ptr; + + *resp = calloc(num_msg, sizeof(struct pam_response)); + + for (i = 0; i < num_msg; i++) + { + ((*resp) + i)->resp = NULL; + ((*resp) + i)->resp_retcode = 0; + + if ((**(msg + i)).msg_style == PAM_PROMPT_ECHO_OFF) + { + (*resp + i)->resp = passphrase_reader(); + auto_authenticated = 0; + } + } + + return PAM_SUCCESS; +} + diff --git a/src/auth/pam.h b/src/auth/pam.h new file mode 100644 index 0000000..ee766df --- /dev/null +++ b/src/auth/pam.h 
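Review bot: `verify_account_pam` is an empty function — the `pam_acct_mgmt` / `pam_chauthtok` calls are commented out under `/* FIXME freezes */` — so the PAM account stage never runs and a locked, expired or otherwise disabled account that still passes `pam_authenticate` gets a full session, while cerberus.c calls `verify_account()` as if it enforced something. This file is carried over from src/pam.c with only the include path changed, but the move is the moment to either re-enable those four lines and debug the hang, or fail closed with a comment stating that account policy is not enforced, e.g. `/* WARNING: pam_acct_mgmt is disabled; expired and locked accounts are not rejected. */`. In `conv_pam` the `calloc` result and the `passphrase_reader()` return value are both used unchecked; on NULL the callback should return `PAM_BUF_ERR` / `PAM_CONV_ERR` as its own doc comment promises instead of handing PAM a NULL array or a NULL answer to an echo-off prompt. In `quit_pam`, `kill(-child_pid, SIGHUP)` on SIGTERM is not guarded by `if (child_pid)` like the line above it, so a SIGTERM arriving before the fork becomes `kill(0, SIGHUP)` and signals every process in cerberus' own process group; the guard should cover both calls.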
@@ -0,0 +1,56 @@ +/** + * cerberus – Minimal login program + * + * Copyright © 2013 Mattias Andrée (maandree@member.fsf.org) + * + * This program is free software: you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation, either version 3 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program. If not, see . + */ +#ifndef __PAM_H__ +#define __PAM_H__ + + +/** + * Initialise PAM + * + * @param remote The remote computer, {@code NULL} for local login + * @param username The username of the user to log in to + * @param reader Function that can be used to read a passphrase from the terminal + */ +void initialise_pam(char* remote, char* username, char* (*reader)(void)); + +/** + * Verify that the account may be used + */ +void verify_account_pam(void); + +/** + * Open PAM session + */ +void open_session_pam(void); + +/** + * Close PAM session + */ +void close_session_pam(void); + +/** + * Perform token authentication + * + * @return Whether the user got automatically authenticated + */ +char authenticate_pam(void); + + +#endif + diff --git a/src/cerberus.c b/src/cerberus.c index 03a7a75..f20e600 100644 --- a/src/cerberus.c +++ b/src/cerberus.c @@ -67,7 +67,7 @@ int main(int argc, char** argv) chown_tty(0, tty_group, 0); /* Close login session */ - close_session_pam(); + close_login_session(); return 0; } 
@@ -215,8 +215,8 @@ void do_login(int argc, char** argv) /* Verify passphrase or other token, if -f has not been used */ - initialise_pam(hostname, username, read_passphrase); - if ((skip_auth == 0) && authenticate_pam()) + initialise_login(hostname, username, read_passphrase); + if ((skip_auth == 0) && authenticate_login()) printf("(auto-authenticated)\n"); /* Passphrase entered, turn off timeout */ @@ -236,7 +236,7 @@ void do_login(int argc, char** argv) /* Verify account, such as that it is enabled */ - verify_account_pam(); + verify_account(); /* Partial login */ @@ -244,7 +244,7 @@ void do_login(int argc, char** argv) chdir_home(entry); ensure_shell(entry); set_environ(entry, preserve_env); - open_session_pam(); + open_login_session(); /* Stop signal handling */ @@ -260,7 +260,7 @@ void do_login(int argc, char** argv) if (child_pid == -1) { perror("fork"); - close_session_pam(); + close_login_session(); sleep(ERROR_SLEEP); _exit(1); } diff --git a/src/cerberus.h b/src/cerberus.h index 5c5a240..5851524 100644 --- a/src/cerberus.h +++ b/src/cerberus.h @@ -39,7 +39,7 @@ #include "quit.h" #include "login.h" #include "security.h" -#include "pam.h" +#include "auth.h" #ifndef USE_TTY_GROUP diff --git a/src/pam.c b/src/pam.c deleted file mode 100644 index 288196e..0000000 --- a/src/pam.c +++ /dev/null 
@@ -1,258 +0,0 @@ -/** - * cerberus – Minimal login program - * - * Copyright © 2013 Mattias Andrée (maandree@member.fsf.org) - * - * This program is free software: you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation, either version 3 of the License, or - * (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program. If not, see . - */ -#include -#include -#include -#include -#include -#include - -#include "config.h" - -#include "pam.h" - - -#define __failed(RC) ((RC) != PAM_SUCCESS) - - -void quit_pam(int sig); - -int conv_pam(int num_msg, const struct pam_message** msg, struct pam_response** resp, void* appdata_ptr); - - -/** - * Old signal action for SIGHUP - */ -struct sigaction signal_action_hup; - -/** - * Old signal action for SIGTERM - */ -struct sigaction signal_action_term; - -/** - * The process ID of the child process, 0 if none - */ -extern pid_t child_pid; - -/** - * The PAM handle - */ -static pam_handle_t* handle = NULL; - -/** - * The PAM convention - */ -static struct pam_conv conv = { conv_pam, NULL }; - -/** - * Whether the user was auto-authenticated - */ -static char auto_authenticated = 1; - -/** - * Function that can be used to read a passphrase from the terminal - */ -static char* (*passphrase_reader)(void) = NULL; - - -/** - * Exit if a PAM instruction failed - * - * @param rc What the PAM instruction return - */ -static void do_pam(int rc) -{ - if (__failed(rc)) - { - const char* msg = pam_strerror(handle, rc); - if (msg) - fprintf(stderr, "%s\n", msg); - pam_end(handle, rc); - sleep(ERROR_SLEEP); - _exit(1); - } -} - - 
-/** - * Initialise PAM - * - * @param remote The remote computer, {@code NULL} for local login - * @param username The username of the user to log in to - * @param reader Function that can be used to read a passphrase from the terminal - */ -void initialise_pam(char* remote, char* username, char* (*reader)(void)) -{ - passphrase_reader = reader; - - if (pam_start(remote ? "remote" : "local", username, &conv, &handle) != PAM_SUCCESS) - { - fprintf(stderr, "Cannot initialise PAM\n"); - sleep(ERROR_SLEEP); - _exit(1); - } - - do_pam(pam_set_item(handle, PAM_RHOST, remote ?: "localhost")); - do_pam(pam_set_item(handle, PAM_TTY, ttyname(STDIN_FILENO) ?: "(none)")); -} - - -/** - * Verify that the account may be used - */ -void verify_account_pam(void) -{ - /* FIXME freezes */ - /* - int rc = pam_acct_mgmt(handle, 0); - if (rc == PAM_NEW_AUTHTOK_REQD) - rc = pam_chauthtok(handle, PAM_CHANGE_EXPIRED_AUTHTOK); - do_pam(rc); - */ -} - - -/** - * Open PAM session - */ -void open_session_pam(void) -{ - int rc; - char** env; - struct sigaction signal_action; - - do_pam(pam_setcred(handle, PAM_ESTABLISH_CRED)); - - if (__failed(rc = pam_open_session(handle, 0))) - { - pam_setcred(handle, PAM_DELETE_CRED); - do_pam(rc); - } - - if (__failed(rc = pam_setcred(handle, PAM_REINITIALIZE_CRED))) - { - pam_close_session(handle, 0); - do_pam(rc); - } - - memset(&signal_action, 0, sizeof(signal_action)); - signal_action.sa_handler = SIG_IGN; - sigaction(SIGINT, &signal_action, NULL); - sigaction(SIGHUP, &signal_action, &signal_action_hup); - signal_action.sa_handler = quit_pam; - sigaction(SIGHUP, &signal_action, NULL); - sigaction(SIGTERM, &signal_action, &signal_action_term); - - for (env = pam_getenvlist(handle); env && *env; env++) - if (putenv(*env)) - { - pam_setcred(handle, PAM_DELETE_CRED); - pam_end(handle, pam_close_session(handle, 0)); - sleep(ERROR_SLEEP); - _exit(1); - } -} - - -/** - * Close PAM session - */ -void close_session_pam(void) -{ - sigaction(SIGHUP, 
&signal_action_hup, NULL); - sigaction(SIGTERM, &signal_action_term, NULL); - - pam_setcred(handle, PAM_DELETE_CRED); - pam_end(handle, pam_close_session(handle, 0)); -} - - -/** - * Signal handler for cleanly exit PAM session - * - * @param sig The received signal - */ -void quit_pam(int sig) -{ - if (child_pid) - kill(-child_pid, sig); - if (sig == SIGTERM) - kill(-child_pid, SIGHUP); - - pam_setcred(handle, PAM_DELETE_CRED); - pam_end(handle, pam_close_session(handle, 0)); - - _exit(sig); -} - - -/** - * Perform token authentication - * - * @return Whether the user got automatically authenticated - */ -char authenticate_pam(void) -{ - int rc; - - if (__failed(rc = pam_authenticate(handle, 0))) - { - printf("Incorrect passphrase\n"); - pam_end(handle, rc); - sleep(FAILURE_SLEEP); - _exit(1); - } - - return auto_authenticated; -} - - -/** - * Callback function for converation between PAM this application - * - * @param num_msg Number of pointers in the array `msg` - * @param msg Message from PAM - * @param resp Pointer to responses to PAM for by index corresponding messages - * @param appdata_ptr (Not used) - * @return `PAM_SUCCESS`, `PAM_CONV_ERR` or `PAM_BUF_ERR` - */ -int conv_pam(int num_msg, const struct pam_message** msg, struct pam_response** resp, void* appdata_ptr) -{ - int i; - - (void) appdata_ptr; - - *resp = calloc(num_msg, sizeof(struct pam_response)); - - for (i = 0; i < num_msg; i++) - { - ((*resp) + i)->resp = NULL; - ((*resp) + i)->resp_retcode = 0; - - if ((**(msg + i)).msg_style == PAM_PROMPT_ECHO_OFF) - { - (*resp + i)->resp = passphrase_reader(); - auto_authenticated = 0; - } - } - - return PAM_SUCCESS; -} - diff --git a/src/pam.h b/src/pam.h deleted file mode 100644 index ee766df..0000000 --- a/src/pam.h +++ /dev/null 
@@ -1,56 +0,0 @@ -/** - * cerberus – Minimal login program - * - * Copyright © 2013 Mattias Andrée (maandree@member.fsf.org) - * - * This program is free software: you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation, either version 3 of the License, or - * (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program. If not, see . - */ -#ifndef __PAM_H__ -#define __PAM_H__ - - -/** - * Initialise PAM - * - * @param remote The remote computer, {@code NULL} for local login - * @param username The username of the user to log in to - * @param reader Function that can be used to read a passphrase from the terminal - */ -void initialise_pam(char* remote, char* username, char* (*reader)(void)); - -/** - * Verify that the account may be used - */ -void verify_account_pam(void); - -/** - * Open PAM session - */ -void open_session_pam(void); - -/** - * Close PAM session - */ -void close_session_pam(void); - -/** - * Perform token authentication - * - * @return Whether the user got automatically authenticated - */ -char authenticate_pam(void); - - -#endif - -- cgit v1.2.3-70-g09d2