1*0Sstevel@tonic-gate /*
2*0Sstevel@tonic-gate  * CDDL HEADER START
3*0Sstevel@tonic-gate  *
4*0Sstevel@tonic-gate  * The contents of this file are subject to the terms of the
5*0Sstevel@tonic-gate  * Common Development and Distribution License, Version 1.0 only
6*0Sstevel@tonic-gate  * (the "License").  You may not use this file except in compliance
7*0Sstevel@tonic-gate  * with the License.
8*0Sstevel@tonic-gate  *
9*0Sstevel@tonic-gate  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
10*0Sstevel@tonic-gate  * or http://www.opensolaris.org/os/licensing.
11*0Sstevel@tonic-gate  * See the License for the specific language governing permissions
12*0Sstevel@tonic-gate  * and limitations under the License.
13*0Sstevel@tonic-gate  *
14*0Sstevel@tonic-gate  * When distributing Covered Code, include this CDDL HEADER in each
15*0Sstevel@tonic-gate  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
16*0Sstevel@tonic-gate  * If applicable, add the following below this CDDL HEADER, with the
17*0Sstevel@tonic-gate  * fields enclosed by brackets "[]" replaced with your own identifying
18*0Sstevel@tonic-gate  * information: Portions Copyright [yyyy] [name of copyright owner]
19*0Sstevel@tonic-gate  *
20*0Sstevel@tonic-gate  * CDDL HEADER END
21*0Sstevel@tonic-gate  */
22*0Sstevel@tonic-gate /*
23*0Sstevel@tonic-gate  * Copyright 2004 Sun Microsystems, Inc.  All rights reserved.
24*0Sstevel@tonic-gate  * Use is subject to license terms.
25*0Sstevel@tonic-gate  */
26*0Sstevel@tonic-gate 
27*0Sstevel@tonic-gate #pragma ident	"%Z%%M%	%I%	%E% SMI"
28*0Sstevel@tonic-gate 
29*0Sstevel@tonic-gate #include <sys/param.h>
30*0Sstevel@tonic-gate #include <security/pam_appl.h>
31*0Sstevel@tonic-gate #include <security/pam_modules.h>
32*0Sstevel@tonic-gate #include <pwd.h>
33*0Sstevel@tonic-gate #include <shadow.h>
34*0Sstevel@tonic-gate #include <string.h>
35*0Sstevel@tonic-gate #include <rpc/types.h>
36*0Sstevel@tonic-gate #include <rpc/auth.h>
37*0Sstevel@tonic-gate #include <locale.h>
38*0Sstevel@tonic-gate #include <crypt.h>
39*0Sstevel@tonic-gate #include <syslog.h>
40*0Sstevel@tonic-gate 
41*0Sstevel@tonic-gate extern int ruserok(const char *, int, const char *, const char *);
42*0Sstevel@tonic-gate 
43*0Sstevel@tonic-gate /*
44*0Sstevel@tonic-gate  * pam_sm_authenticate	- Checks if the user is allowed remote access
45*0Sstevel@tonic-gate  */
46*0Sstevel@tonic-gate /*ARGSUSED*/
47*0Sstevel@tonic-gate int
pam_sm_authenticate(pam_handle_t * pamh,int flags,int argc,const char ** argv)48*0Sstevel@tonic-gate pam_sm_authenticate(
49*0Sstevel@tonic-gate 	pam_handle_t	*pamh,
50*0Sstevel@tonic-gate 	int	flags,
51*0Sstevel@tonic-gate 	int	argc,
52*0Sstevel@tonic-gate 	const char	**argv)
53*0Sstevel@tonic-gate {
54*0Sstevel@tonic-gate 	char *host = NULL, *lusername = NULL;
55*0Sstevel@tonic-gate 	struct passwd pwd;
56*0Sstevel@tonic-gate 	char pwd_buffer[1024];
57*0Sstevel@tonic-gate 	int	is_superuser;
58*0Sstevel@tonic-gate 	char	*rusername;
59*0Sstevel@tonic-gate 	int	i;
60*0Sstevel@tonic-gate 	int	debug = 0;
61*0Sstevel@tonic-gate 
62*0Sstevel@tonic-gate 	for (i = 0; i < argc; i++) {
63*0Sstevel@tonic-gate 		if (strcasecmp(argv[i], "debug") == 0)
64*0Sstevel@tonic-gate 			debug = 1;
65*0Sstevel@tonic-gate 		else
66*0Sstevel@tonic-gate 			syslog(LOG_DEBUG, "illegal option %s", argv[i]);
67*0Sstevel@tonic-gate 	}
68*0Sstevel@tonic-gate 
69*0Sstevel@tonic-gate 	if (pam_get_item(pamh, PAM_USER, (void **) &lusername) != PAM_SUCCESS)
70*0Sstevel@tonic-gate 		return (PAM_SERVICE_ERR);
71*0Sstevel@tonic-gate 	if (pam_get_item(pamh, PAM_RHOST, (void **) &host) != PAM_SUCCESS)
72*0Sstevel@tonic-gate 		return (PAM_SERVICE_ERR);
73*0Sstevel@tonic-gate 	if (pam_get_item(pamh, PAM_RUSER, (void **)&rusername) != PAM_SUCCESS)
74*0Sstevel@tonic-gate 		return (PAM_SERVICE_ERR);
75*0Sstevel@tonic-gate 
76*0Sstevel@tonic-gate 	if (lusername == NULL || *lusername == '\0')
77*0Sstevel@tonic-gate 		return (PAM_USER_UNKNOWN);
78*0Sstevel@tonic-gate 	if (rusername == NULL || *rusername == '\0')
79*0Sstevel@tonic-gate 		return (PAM_AUTH_ERR);
80*0Sstevel@tonic-gate 	if (host == NULL || *host == '\0')
81*0Sstevel@tonic-gate 		return (PAM_AUTH_ERR);
82*0Sstevel@tonic-gate 
83*0Sstevel@tonic-gate 	if (debug) {
84*0Sstevel@tonic-gate 		syslog(LOG_DEBUG,
85*0Sstevel@tonic-gate 			"rhosts authenticate: user = %s, host = %s",
86*0Sstevel@tonic-gate 			lusername, host);
87*0Sstevel@tonic-gate 	}
88*0Sstevel@tonic-gate 
89*0Sstevel@tonic-gate 	if (getpwnam_r(lusername, &pwd, pwd_buffer, sizeof (pwd_buffer))
90*0Sstevel@tonic-gate 								== NULL)
91*0Sstevel@tonic-gate 		return (PAM_USER_UNKNOWN);
92*0Sstevel@tonic-gate 
93*0Sstevel@tonic-gate 	if (pwd.pw_uid == 0)
94*0Sstevel@tonic-gate 		is_superuser = 1;
95*0Sstevel@tonic-gate 	else
96*0Sstevel@tonic-gate 		is_superuser = 0;
97*0Sstevel@tonic-gate 
98*0Sstevel@tonic-gate 	return (ruserok(host, is_superuser, rusername, lusername)
99*0Sstevel@tonic-gate 		== -1 ? PAM_AUTH_ERR : PAM_SUCCESS);
100*0Sstevel@tonic-gate 
101*0Sstevel@tonic-gate }
102*0Sstevel@tonic-gate 
103*0Sstevel@tonic-gate /*
104*0Sstevel@tonic-gate  * dummy pam_sm_setcred - does nothing
105*0Sstevel@tonic-gate  */
106*0Sstevel@tonic-gate /*ARGSUSED*/
107*0Sstevel@tonic-gate int
pam_sm_setcred(pam_handle_t * pamh,int flags,int argc,const char ** argv)108*0Sstevel@tonic-gate pam_sm_setcred(
109*0Sstevel@tonic-gate 	pam_handle_t	*pamh,
110*0Sstevel@tonic-gate 	int	flags,
111*0Sstevel@tonic-gate 	int	argc,
112*0Sstevel@tonic-gate 	const char	**argv)
113*0Sstevel@tonic-gate {
114*0Sstevel@tonic-gate 	return (PAM_IGNORE);
115*0Sstevel@tonic-gate }
116