10Sstevel@tonic-gate /*
20Sstevel@tonic-gate * CDDL HEADER START
30Sstevel@tonic-gate *
40Sstevel@tonic-gate * The contents of this file are subject to the terms of the
5*1914Scasper * Common Development and Distribution License (the "License").
6*1914Scasper * You may not use this file except in compliance with the License.
70Sstevel@tonic-gate *
80Sstevel@tonic-gate * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
90Sstevel@tonic-gate * or http://www.opensolaris.org/os/licensing.
100Sstevel@tonic-gate * See the License for the specific language governing permissions
110Sstevel@tonic-gate * and limitations under the License.
120Sstevel@tonic-gate *
130Sstevel@tonic-gate * When distributing Covered Code, include this CDDL HEADER in each
140Sstevel@tonic-gate * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
150Sstevel@tonic-gate * If applicable, add the following below this CDDL HEADER, with the
160Sstevel@tonic-gate * fields enclosed by brackets "[]" replaced with your own identifying
170Sstevel@tonic-gate * information: Portions Copyright [yyyy] [name of copyright owner]
180Sstevel@tonic-gate *
190Sstevel@tonic-gate * CDDL HEADER END
200Sstevel@tonic-gate */
210Sstevel@tonic-gate /*
22*1914Scasper * Copyright 2006 Sun Microsystems, Inc. All rights reserved.
230Sstevel@tonic-gate * Use is subject to license terms.
240Sstevel@tonic-gate */
250Sstevel@tonic-gate
260Sstevel@tonic-gate #pragma ident "%Z%%M% %I% %E% SMI"
270Sstevel@tonic-gate
280Sstevel@tonic-gate #include <crypt.h>
290Sstevel@tonic-gate #include <pwd.h>
300Sstevel@tonic-gate #include <shadow.h>
310Sstevel@tonic-gate #include <string.h>
320Sstevel@tonic-gate #include <stdlib.h>
330Sstevel@tonic-gate #include <syslog.h>
340Sstevel@tonic-gate #include <security/pam_appl.h>
350Sstevel@tonic-gate #include <security/pam_modules.h>
360Sstevel@tonic-gate #include "../../libpam/pam_impl.h"
370Sstevel@tonic-gate
380Sstevel@tonic-gate #include <libintl.h>
390Sstevel@tonic-gate
400Sstevel@tonic-gate /*
410Sstevel@tonic-gate * Various useful files and string constants
420Sstevel@tonic-gate */
430Sstevel@tonic-gate #define DIAL_FILE "/etc/dialups"
440Sstevel@tonic-gate #define DPASS_FILE "/etc/d_passwd"
450Sstevel@tonic-gate #define SHELL "/usr/bin/sh"
460Sstevel@tonic-gate #define SCPYN(a, b) (void) strncpy(a, b, sizeof (a))
470Sstevel@tonic-gate
480Sstevel@tonic-gate /*
490Sstevel@tonic-gate * pam_sm_authenticate - This is the top level function in the
500Sstevel@tonic-gate * module called by pam_auth_port in the framework
510Sstevel@tonic-gate * Returns: PAM_AUTH_ERR on failure, 0 on success
520Sstevel@tonic-gate */
530Sstevel@tonic-gate /*ARGSUSED*/
540Sstevel@tonic-gate int
pam_sm_authenticate(pam_handle_t * pamh,int flags,int argc,const char ** argv)550Sstevel@tonic-gate pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv)
560Sstevel@tonic-gate {
570Sstevel@tonic-gate char *ttyn, *user;
580Sstevel@tonic-gate FILE *fp;
590Sstevel@tonic-gate char defpass[30];
600Sstevel@tonic-gate char line[80];
610Sstevel@tonic-gate char *p1 = NULL, *p2 = NULL;
620Sstevel@tonic-gate struct passwd pwd;
630Sstevel@tonic-gate char pwd_buffer[1024];
640Sstevel@tonic-gate char *password = NULL;
650Sstevel@tonic-gate int retcode;
660Sstevel@tonic-gate int i;
670Sstevel@tonic-gate int debug = 0;
680Sstevel@tonic-gate int res;
690Sstevel@tonic-gate
700Sstevel@tonic-gate for (i = 0; i < argc; i++) {
710Sstevel@tonic-gate if (strcasecmp(argv[i], "debug") == 0)
720Sstevel@tonic-gate debug = 1;
730Sstevel@tonic-gate else
740Sstevel@tonic-gate syslog(LOG_DEBUG, "illegal option %s", argv[i]);
750Sstevel@tonic-gate }
760Sstevel@tonic-gate
770Sstevel@tonic-gate if ((retcode = pam_get_user(pamh, &user, NULL))
780Sstevel@tonic-gate != PAM_SUCCESS ||
790Sstevel@tonic-gate (retcode = pam_get_item(pamh, PAM_TTY, (void **)&ttyn))
800Sstevel@tonic-gate != PAM_SUCCESS)
810Sstevel@tonic-gate return (retcode);
820Sstevel@tonic-gate
830Sstevel@tonic-gate if (debug) {
840Sstevel@tonic-gate syslog(LOG_DEBUG,
850Sstevel@tonic-gate "Dialpass authenticate user = %s, ttyn = %s",
860Sstevel@tonic-gate user ? user : "NULL", ttyn ? ttyn : "NULL");
870Sstevel@tonic-gate }
880Sstevel@tonic-gate
890Sstevel@tonic-gate if (ttyn == NULL || *ttyn == '\0') {
900Sstevel@tonic-gate char *service;
910Sstevel@tonic-gate
920Sstevel@tonic-gate (void) pam_get_item(pamh, PAM_SERVICE, (void **)&service);
930Sstevel@tonic-gate syslog(LOG_ERR, "pam_dial_auth: terminal-device not specified"
940Sstevel@tonic-gate "by %s, returning %s.", service,
950Sstevel@tonic-gate pam_strerror(pamh, PAM_SERVICE_ERR));
960Sstevel@tonic-gate return (PAM_SERVICE_ERR);
970Sstevel@tonic-gate }
980Sstevel@tonic-gate if (getpwnam_r(user, &pwd, pwd_buffer, sizeof (pwd_buffer)) == NULL)
990Sstevel@tonic-gate return (PAM_USER_UNKNOWN);
1000Sstevel@tonic-gate
101*1914Scasper if ((fp = fopen(DIAL_FILE, "rF")) == NULL)
1020Sstevel@tonic-gate return (PAM_IGNORE);
1030Sstevel@tonic-gate
1040Sstevel@tonic-gate while ((p1 = fgets(line, sizeof (line), fp)) != NULL) {
1050Sstevel@tonic-gate while (*p1 != '\n' && *p1 != ' ' && *p1 != '\t')
1060Sstevel@tonic-gate p1++;
1070Sstevel@tonic-gate *p1 = '\0';
1080Sstevel@tonic-gate if (strcmp(line, ttyn) == 0)
1090Sstevel@tonic-gate break;
1100Sstevel@tonic-gate }
1110Sstevel@tonic-gate
1120Sstevel@tonic-gate (void) fclose(fp);
1130Sstevel@tonic-gate
114*1914Scasper if ((fp = fopen(DPASS_FILE, "rF")) == NULL) {
1150Sstevel@tonic-gate syslog(LOG_ERR, "pam_dial_auth: %s without %s, returning %s.",
1160Sstevel@tonic-gate DIAL_FILE, DPASS_FILE,
1170Sstevel@tonic-gate pam_strerror(pamh, PAM_SYSTEM_ERR));
1180Sstevel@tonic-gate (void) memset(line, 0, sizeof (line));
1190Sstevel@tonic-gate return (PAM_SYSTEM_ERR);
1200Sstevel@tonic-gate }
1210Sstevel@tonic-gate
1220Sstevel@tonic-gate if (p1 == NULL) {
1230Sstevel@tonic-gate (void) fclose(fp);
1240Sstevel@tonic-gate (void) memset(line, 0, sizeof (line));
1250Sstevel@tonic-gate return (PAM_IGNORE);
1260Sstevel@tonic-gate }
1270Sstevel@tonic-gate
1280Sstevel@tonic-gate defpass[0] = '\0';
1290Sstevel@tonic-gate
1300Sstevel@tonic-gate while ((p1 = fgets(line, sizeof (line)-1, fp)) != NULL) {
1310Sstevel@tonic-gate while (*p1 && *p1 != ':')
1320Sstevel@tonic-gate p1++;
1330Sstevel@tonic-gate *p1++ = '\0';
1340Sstevel@tonic-gate p2 = p1;
1350Sstevel@tonic-gate while (*p1 && *p1 != ':')
1360Sstevel@tonic-gate p1++;
1370Sstevel@tonic-gate *p1 = '\0';
1380Sstevel@tonic-gate if (pwd.pw_shell != NULL && strcmp(pwd.pw_shell, line) == 0)
1390Sstevel@tonic-gate break;
1400Sstevel@tonic-gate
1410Sstevel@tonic-gate if (strcmp(SHELL, line) == 0)
1420Sstevel@tonic-gate SCPYN(defpass, p2);
1430Sstevel@tonic-gate p2 = NULL;
1440Sstevel@tonic-gate }
1450Sstevel@tonic-gate
1460Sstevel@tonic-gate (void) memset(line, 0, sizeof (line));
1470Sstevel@tonic-gate (void) fclose(fp);
1480Sstevel@tonic-gate
1490Sstevel@tonic-gate if (p2 == NULL)
1500Sstevel@tonic-gate p2 = defpass;
1510Sstevel@tonic-gate
1520Sstevel@tonic-gate if (*p2 != '\0') {
1530Sstevel@tonic-gate res = __pam_get_authtok(pamh, PAM_PROMPT, PAM_AUTHTOK,
1540Sstevel@tonic-gate dgettext(TEXT_DOMAIN, "Dialup Password: "), &password);
1550Sstevel@tonic-gate
1560Sstevel@tonic-gate if (res != PAM_SUCCESS) {
1570Sstevel@tonic-gate return (res);
1580Sstevel@tonic-gate }
1590Sstevel@tonic-gate
1600Sstevel@tonic-gate if (strcmp(crypt(password, p2), p2) != 0) {
1610Sstevel@tonic-gate (void) memset(password, 0, strlen(password));
1620Sstevel@tonic-gate free(password);
1630Sstevel@tonic-gate return (PAM_AUTH_ERR);
1640Sstevel@tonic-gate }
1650Sstevel@tonic-gate (void) memset(password, 0, strlen(password));
1660Sstevel@tonic-gate free(password);
1670Sstevel@tonic-gate }
1680Sstevel@tonic-gate
1690Sstevel@tonic-gate return (PAM_SUCCESS);
1700Sstevel@tonic-gate }
1710Sstevel@tonic-gate
1720Sstevel@tonic-gate /*
1730Sstevel@tonic-gate * dummy pam_sm_setcred - does nothing
1740Sstevel@tonic-gate */
1750Sstevel@tonic-gate /*ARGSUSED*/
1760Sstevel@tonic-gate int
pam_sm_setcred(pam_handle_t * pamh,int flags,int argc,const char ** argv)1770Sstevel@tonic-gate pam_sm_setcred(pam_handle_t *pamh, int flags, int argc, const char **argv)
1780Sstevel@tonic-gate {
1790Sstevel@tonic-gate return (PAM_IGNORE);
1800Sstevel@tonic-gate }
181