1 /* $NetBSD: pamtest.c,v 1.4 2013/12/27 20:10:20 christos Exp $ */ 2 3 /*- 4 * Copyright (c) 2011 Dag-Erling Smørgrav 5 * All rights reserved. 6 * 7 * Redistribution and use in source and binary forms, with or without 8 * modification, are permitted provided that the following conditions 9 * are met: 10 * 1. Redistributions of source code must retain the above copyright 11 * notice, this list of conditions and the following disclaimer. 12 * 2. Redistributions in binary form must reproduce the above copyright 13 * notice, this list of conditions and the following disclaimer in the 14 * documentation and/or other materials provided with the distribution. 15 * 3. The name of the author may not be used to endorse or promote 16 * products derived from this software without specific prior written 17 * permission. 18 * 19 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 20 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 21 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 22 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 23 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 24 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 25 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 26 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 27 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 28 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 29 * SUCH DAMAGE. 30 * 31 * Id: pamtest.c 685 2013-07-11 16:33:34Z des 32 */ 33 34 #ifdef HAVE_CONFIG_H 35 # include "config.h" 36 #endif 37 38 #include <err.h> 39 #include <limits.h> 40 #include <pwd.h> 41 #include <stdarg.h> 42 #include <stdio.h> 43 #include <stdlib.h> 44 #include <string.h> 45 #include <unistd.h> 46 47 #include <security/pam_appl.h> 48 #include <security/openpam.h> /* for openpam_ttyconv() */ 49 50 /* OpenPAM internals */ 51 extern const char *pam_item_name[PAM_NUM_ITEMS]; 52 extern int openpam_debug; 53 54 static pam_handle_t *pamh; 55 static struct pam_conv pamc; 56 57 static int silent; 58 static int verbose; 59 60 static void pt_verbose(const char *, ...) 61 OPENPAM_FORMAT ((__printf__, 1, 2)); 62 static void pt_error(int, const char *, ...) 63 OPENPAM_FORMAT ((__printf__, 2, 3)); 64 65 /* 66 * Print an information message if -v was specified at least once 67 */ 68 static void 69 pt_verbose(const char *fmt, ...) 70 { 71 va_list ap; 72 73 if (verbose) { 74 va_start(ap, fmt); 75 vfprintf(stderr, fmt, ap); 76 va_end(ap); 77 fprintf(stderr, "\n"); 78 } 79 } 80 81 /* 82 * Print an error message 83 */ 84 static void 85 pt_error(int e, const char *fmt, ...) 86 { 87 va_list ap; 88 89 if (e == PAM_SUCCESS && !verbose) 90 return; 91 va_start(ap, fmt); 92 vfprintf(stderr, fmt, ap); 93 va_end(ap); 94 fprintf(stderr, ": %s\n", pam_strerror(NULL, e)); 95 } 96 97 /* 98 * Wrapper for pam_start(3) 99 */ 100 static int 101 pt_start(const char *service, const char *user) 102 { 103 int pame; 104 105 pamc.conv = &openpam_ttyconv; 106 pt_verbose("pam_start(%s, %s)", service, user); 107 if ((pame = pam_start(service, user, &pamc, &pamh)) != PAM_SUCCESS) 108 pt_error(pame, "pam_start(%s)", service); 109 return (pame); 110 } 111 112 /* 113 * Wrapper for pam_authenticate(3) 114 */ 115 static int 116 pt_authenticate(int flags) 117 { 118 int pame; 119 120 flags |= silent; 121 pt_verbose("pam_authenticate()"); 122 if ((pame = pam_authenticate(pamh, flags)) != PAM_SUCCESS) 123 pt_error(pame, "pam_authenticate()"); 124 return (pame); 125 } 126 127 /* 128 * Wrapper for pam_acct_mgmt(3) 129 */ 130 static int 131 pt_acct_mgmt(int flags) 132 { 133 int pame; 134 135 flags |= silent; 136 pt_verbose("pam_acct_mgmt()"); 137 if ((pame = pam_acct_mgmt(pamh, flags)) != PAM_SUCCESS) 138 pt_error(pame, "pam_acct_mgmt()"); 139 return (pame); 140 } 141 142 /* 143 * Wrapper for pam_chauthtok(3) 144 */ 145 static int 146 pt_chauthtok(int flags) 147 { 148 int pame; 149 150 flags |= silent; 151 pt_verbose("pam_chauthtok()"); 152 if ((pame = pam_chauthtok(pamh, flags)) != PAM_SUCCESS) 153 pt_error(pame, "pam_chauthtok()"); 154 return (pame); 155 } 156 157 /* 158 * Wrapper for pam_setcred(3) 159 */ 160 static int 161 pt_setcred(int flags) 162 { 163 int pame; 164 165 flags |= silent; 166 pt_verbose("pam_setcred()"); 167 if ((pame = pam_setcred(pamh, flags)) != PAM_SUCCESS) 168 pt_error(pame, "pam_setcred()"); 169 return (pame); 170 } 171 172 /* 173 * Wrapper for pam_open_session(3) 174 */ 175 static int 176 pt_open_session(int flags) 177 { 178 int pame; 179 180 flags |= silent; 181 pt_verbose("pam_open_session()"); 182 if ((pame = pam_open_session(pamh, flags)) != PAM_SUCCESS) 183 pt_error(pame, "pam_open_session()"); 184 return (pame); 185 } 186 187 /* 188 * Wrapper for pam_close_session(3) 189 */ 190 static int 191 pt_close_session(int flags) 192 { 193 int pame; 194 195 flags |= silent; 196 pt_verbose("pam_close_session()"); 197 if ((pame = pam_close_session(pamh, flags)) != PAM_SUCCESS) 198 pt_error(pame, "pam_close_session()"); 199 return (pame); 200 } 201 202 /* 203 * Wrapper for pam_set_item(3) 204 */ 205 static int 206 pt_set_item(int item, const char *p) 207 { 208 int pame; 209 210 switch (item) { 211 case PAM_SERVICE: 212 case PAM_USER: 213 case PAM_AUTHTOK: 214 case PAM_OLDAUTHTOK: 215 case PAM_TTY: 216 case PAM_RHOST: 217 case PAM_RUSER: 218 case PAM_USER_PROMPT: 219 case PAM_AUTHTOK_PROMPT: 220 case PAM_OLDAUTHTOK_PROMPT: 221 case PAM_HOST: 222 pt_verbose("setting %s to %s", pam_item_name[item], p); 223 break; 224 default: 225 pt_verbose("setting %s", pam_item_name[item]); 226 break; 227 } 228 if ((pame = pam_set_item(pamh, item, p)) != PAM_SUCCESS) 229 pt_error(pame, "pam_set_item(%s)", pam_item_name[item]); 230 return (pame); 231 } 232 233 /* 234 * Wrapper for pam_end(3) 235 */ 236 static int 237 pt_end(int pame) 238 { 239 240 if (pamh != NULL && (pame = pam_end(pamh, pame)) != PAM_SUCCESS) 241 /* can't happen */ 242 pt_error(pame, "pam_end()"); 243 return (pame); 244 } 245 246 /* 247 * Retrieve and list the PAM environment variables 248 */ 249 static int 250 pt_listenv(void) 251 { 252 char **pam_envlist, **pam_env; 253 254 if ((pam_envlist = pam_getenvlist(pamh)) == NULL || 255 *pam_envlist == NULL) { 256 pt_verbose("no environment variables."); 257 } else { 258 pt_verbose("environment variables:"); 259 for (pam_env = pam_envlist; *pam_env != NULL; ++pam_env) { 260 printf(" %s\n", *pam_env); 261 free(*pam_env); 262 } 263 } 264 free(pam_envlist); 265 return (PAM_SUCCESS); 266 } 267 268 /* 269 * Print usage string and exit 270 */ 271 static void 272 usage(void) 273 { 274 275 fprintf(stderr, "usage: pamtest %s service command ...\n", 276 "[-dkMPsv] [-H rhost] [-h host] [-t tty] [-U ruser] [-u user]"); 277 exit(1); 278 } 279 280 /* 281 * Handle an option that takes an int argument and can be used only once 282 */ 283 static void 284 opt_num_once(int opt, long *num, const char *arg) 285 { 286 char *end; 287 long l; 288 289 l = strtol(arg, &end, 0); 290 if (end == optarg || *end != '\0') { 291 fprintf(stderr, 292 "The -%c option expects a numeric argument\n", opt); 293 usage(); 294 } 295 *num = l; 296 } 297 298 /* 299 * Handle an option that takes a string argument and can be used only once 300 */ 301 static void 302 opt_str_once(int opt, const char **p, const char *arg) 303 { 304 305 if (*p != NULL) { 306 fprintf(stderr, "The -%c option can only be used once\n", opt); 307 usage(); 308 } 309 *p = arg; 310 } 311 312 /* 313 * Entry point 314 */ 315 int 316 main(int argc, char *argv[]) 317 { 318 char hostname[1024]; 319 const char *rhost = NULL; 320 const char *host = NULL; 321 const char *ruser = NULL; 322 const char *user = NULL; 323 const char *service = NULL; 324 const char *tty = NULL; 325 long timeout = 0; 326 int keepatit = 0; 327 int pame; 328 int opt; 329 330 while ((opt = getopt(argc, argv, "dH:h:kMPsT:t:U:u:v")) != -1) 331 switch (opt) { 332 case 'd': 333 openpam_debug++; 334 break; 335 case 'H': 336 opt_str_once(opt, &rhost, optarg); 337 break; 338 case 'h': 339 opt_str_once(opt, &host, optarg); 340 break; 341 case 'k': 342 keepatit = 1; 343 break; 344 case 'M': 345 openpam_set_feature(OPENPAM_RESTRICT_MODULE_NAME, 0); 346 openpam_set_feature(OPENPAM_VERIFY_MODULE_FILE, 0); 347 break; 348 case 'P': 349 openpam_set_feature(OPENPAM_RESTRICT_SERVICE_NAME, 0); 350 openpam_set_feature(OPENPAM_VERIFY_POLICY_FILE, 0); 351 break; 352 case 's': 353 silent = PAM_SILENT; 354 break; 355 case 'T': 356 opt_num_once(opt, &timeout, optarg); 357 if (timeout < 0 || timeout > INT_MAX) { 358 fprintf(stderr, 359 "Invalid conversation timeout\n"); 360 usage(); 361 } 362 openpam_ttyconv_timeout = (int)timeout; 363 break; 364 case 't': 365 opt_str_once(opt, &tty, optarg); 366 break; 367 case 'U': 368 opt_str_once(opt, &ruser, optarg); 369 break; 370 case 'u': 371 opt_str_once(opt, &user, optarg); 372 break; 373 case 'v': 374 verbose++; 375 break; 376 default: 377 usage(); 378 } 379 380 argc -= optind; 381 argv += optind; 382 383 if (argc < 1) 384 usage(); 385 386 service = *argv; 387 --argc; 388 ++argv; 389 390 /* defaults */ 391 if (service == NULL) 392 service = "pamtest"; 393 if (rhost == NULL) { 394 if (gethostname(hostname, sizeof(hostname)) == -1) 395 err(1, "gethostname()"); 396 rhost = hostname; 397 } 398 if (tty == NULL) 399 tty = ttyname(STDERR_FILENO); 400 if (user == NULL) 401 user = getlogin(); 402 if (ruser == NULL) 403 ruser = user; 404 405 /* initialize PAM */ 406 if ((pame = pt_start(service, user)) != PAM_SUCCESS) 407 goto end; 408 409 /* 410 * pam_start(3) sets this to the machine's hostname, but we allow 411 * the user to override it. 412 */ 413 if (host != NULL) 414 if ((pame = pt_set_item(PAM_HOST, host)) != PAM_SUCCESS) 415 goto end; 416 417 /* 418 * The remote host / user / tty are usually set by the 419 * application. 420 */ 421 if ((pame = pt_set_item(PAM_RHOST, rhost)) != PAM_SUCCESS || 422 (pame = pt_set_item(PAM_RUSER, ruser)) != PAM_SUCCESS || 423 (pame = pt_set_item(PAM_TTY, tty)) != PAM_SUCCESS) 424 goto end; 425 426 while (argc > 0) { 427 if (strcmp(*argv, "listenv") == 0 || 428 strcmp(*argv, "env") == 0) { 429 pame = pt_listenv(); 430 } else if (strcmp(*argv, "authenticate") == 0 || 431 strcmp(*argv, "auth") == 0) { 432 pame = pt_authenticate(0); 433 } else if (strcmp(*argv, "acct_mgmt") == 0 || 434 strcmp(*argv, "account") == 0) { 435 pame = pt_acct_mgmt(0); 436 } else if (strcmp(*argv, "chauthtok") == 0 || 437 strcmp(*argv, "change") == 0) { 438 pame = pt_chauthtok(PAM_CHANGE_EXPIRED_AUTHTOK); 439 } else if (strcmp(*argv, "forcechauthtok") == 0 || 440 strcmp(*argv, "forcechange") == 0) { 441 pame = pt_chauthtok(0); 442 } else if (strcmp(*argv, "setcred") == 0 || 443 strcmp(*argv, "establish_cred") == 0) { 444 pame = pt_setcred(PAM_ESTABLISH_CRED); 445 } else if (strcmp(*argv, "open_session") == 0 || 446 strcmp(*argv, "open") == 0) { 447 pame = pt_open_session(0); 448 } else if (strcmp(*argv, "close_session") == 0 || 449 strcmp(*argv, "close") == 0) { 450 pame = pt_close_session(0); 451 } else if (strcmp(*argv, "unsetcred") == 0 || 452 strcmp(*argv, "delete_cred") == 0) { 453 pame = pt_setcred(PAM_DELETE_CRED); 454 } else { 455 warnx("unknown primitive: %s", *argv); 456 pame = PAM_SYSTEM_ERR; 457 } 458 if (pame != PAM_SUCCESS && !keepatit) { 459 warnx("test aborted"); 460 break; 461 } 462 --argc; 463 ++argv; 464 } 465 466 end: 467 (void)pt_end(pame); 468 exit(pame == PAM_SUCCESS ? 0 : 1); 469 } 470