1 /* $OpenBSD: authenticate.c,v 1.18 2009/01/15 13:14:30 millert Exp $ */ 2 3 /*- 4 * Copyright (c) 1997 Berkeley Software Design, Inc. All rights reserved. 5 * 6 * Redistribution and use in source and binary forms, with or without 7 * modification, are permitted provided that the following conditions 8 * are met: 9 * 1. Redistributions of source code must retain the above copyright 10 * notice, this list of conditions and the following disclaimer. 11 * 2. Redistributions in binary form must reproduce the above copyright 12 * notice, this list of conditions and the following disclaimer in the 13 * documentation and/or other materials provided with the distribution. 14 * 3. All advertising materials mentioning features or use of this software 15 * must display the following acknowledgement: 16 * This product includes software developed by Berkeley Software Design, 17 * Inc. 18 * 4. The name of Berkeley Software Design, Inc. may not be used to endorse 19 * or promote products derived from this software without specific prior 20 * written permission. 21 * 22 * THIS SOFTWARE IS PROVIDED BY BERKELEY SOFTWARE DESIGN, INC. ``AS IS'' AND 23 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 24 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 25 * ARE DISCLAIMED. IN NO EVENT SHALL BERKELEY SOFTWARE DESIGN, INC. BE LIABLE 26 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 27 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 28 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 29 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 30 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 31 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 32 * SUCH DAMAGE. 33 * 34 * BSDI $From: authenticate.c,v 2.21 1999/09/08 22:33:26 prb Exp $ 35 */ 36 #include <sys/param.h> 37 #include <sys/stat.h> 38 39 #include <ctype.h> 40 #include <err.h> 41 #include <fcntl.h> 42 #include <login_cap.h> 43 #include <paths.h> 44 #include <pwd.h> 45 #include <stdarg.h> 46 #include <stdio.h> 47 #include <stdlib.h> 48 #include <string.h> 49 #include <syslog.h> 50 #include <unistd.h> 51 52 #include <bsd_auth.h> 53 54 static int _auth_checknologin(login_cap_t *, int); 55 56 char * 57 auth_mkvalue(char *value) 58 { 59 char *big, *p; 60 61 big = malloc(strlen(value) * 4 + 1); 62 if (big == NULL) 63 return (NULL); 64 /* 65 * XXX - There should be a more standardized 66 * routine for doing this sort of thing. 67 */ 68 for (p = big; *value; ++value) { 69 switch (*value) { 70 case '\r': 71 *p++ = '\\'; 72 *p++ = 'r'; 73 break; 74 case '\n': 75 *p++ = '\\'; 76 *p++ = 'n'; 77 break; 78 case '\\': 79 *p++ = '\\'; 80 *p++ = *value; 81 break; 82 case '\t': 83 case ' ': 84 if (p == big) 85 *p++ = '\\'; 86 *p++ = *value; 87 break; 88 default: 89 if (!isprint(*value)) { 90 *p++ = '\\'; 91 *p++ = ((*value >> 6) & 0x3) + '0'; 92 *p++ = ((*value >> 3) & 0x7) + '0'; 93 *p++ = ((*value ) & 0x7) + '0'; 94 } else 95 *p++ = *value; 96 break; 97 } 98 } 99 *p = '\0'; 100 return (big); 101 } 102 103 void 104 auth_checknologin(login_cap_t *lc) 105 { 106 if (_auth_checknologin(lc, 1)) 107 exit(1); 108 } 109 110 static int 111 _auth_checknologin(login_cap_t *lc, int print) 112 { 113 struct stat sb; 114 char *nologin; 115 int mustfree; 116 117 if (login_getcapbool(lc, "ignorenologin", 0)) 118 return (0); 119 120 /* 121 * If we fail to get the nologin file due to a database error, 122 * assume there should have been one... 123 */ 124 nologin = login_getcapstr(lc, "nologin", "", NULL); 125 mustfree = nologin && *nologin != '\0'; 126 if (nologin == NULL) 127 goto print_nologin; 128 129 /* First try the nologin file specified in login.conf. */ 130 if (*nologin != '\0' && stat(nologin, &sb) == 0) 131 goto print_nologin; 132 if (mustfree) { 133 free(nologin); 134 mustfree = 0; 135 } 136 137 /* If that doesn't exist try _PATH_NOLOGIN. */ 138 if (stat(_PATH_NOLOGIN, &sb) == 0) { 139 nologin = _PATH_NOLOGIN; 140 goto print_nologin; 141 } 142 143 /* Couldn't stat any nologin files, must be OK to login. */ 144 return (0); 145 146 print_nologin: 147 if (print) { 148 if (!nologin || *nologin == '\0' || auth_cat(nologin) == 0) { 149 puts("Logins are not allowed at this time."); 150 fflush(stdout); 151 } 152 } 153 if (mustfree) 154 free(nologin); 155 return (-1); 156 } 157 158 int 159 auth_cat(char *file) 160 { 161 int fd, nchars; 162 char tbuf[8192]; 163 164 if ((fd = open(file, O_RDONLY, 0)) < 0) 165 return (0); 166 while ((nchars = read(fd, tbuf, sizeof(tbuf))) > 0) 167 (void)write(fileno(stdout), tbuf, nchars); 168 (void)close(fd); 169 return (1); 170 } 171 172 int 173 auth_approval(auth_session_t *as, login_cap_t *lc, char *name, char *type) 174 { 175 int close_on_exit, close_lc_on_exit, len; 176 struct passwd *pwd; 177 char *approve, *s, path[MAXPATHLEN]; 178 179 pwd = NULL; 180 close_on_exit = as == NULL; 181 close_lc_on_exit = lc == NULL; 182 183 if (as != NULL && name == NULL) 184 name = auth_getitem(as, AUTHV_NAME); 185 186 if (as != NULL) 187 pwd = auth_getpwd(as); 188 189 if (pwd == NULL) { 190 if (name != NULL) 191 pwd = getpwnam(name); 192 else { 193 if ((pwd = getpwuid(getuid())) == NULL) { 194 syslog(LOG_ERR, "no such user id %u", getuid()); 195 _warnx("cannot approve who we don't recognize"); 196 return (0); 197 } 198 name = pwd->pw_name; 199 } 200 } 201 202 if (name == NULL) 203 name = pwd->pw_name; 204 205 if (lc == NULL) { 206 if (strlen(name) >= MAXPATHLEN) { 207 syslog(LOG_ERR, "username to login %.*s...", 208 MAXPATHLEN, name); 209 _warnx("username too long"); 210 return (0); 211 } 212 if (pwd == NULL && (approve = strchr(name, '.')) != NULL) { 213 strlcpy(path, name, sizeof path); 214 path[approve-name] = '\0'; 215 pwd = getpwnam(name); 216 } 217 lc = login_getclass(pwd ? pwd->pw_class : NULL); 218 if (lc == NULL) { 219 _warnx("unable to classify user"); 220 return (0); 221 } 222 } 223 224 if (!type) 225 type = LOGIN_DEFSERVICE; 226 else { 227 if (strncmp(type, "approve-", 8) == 0) 228 type += 8; 229 230 len = snprintf(path, sizeof(path), "approve-%s", type); 231 if (len < 0 || len >= sizeof(path)) { 232 if (close_lc_on_exit) 233 login_close(lc); 234 syslog(LOG_ERR, "approval path too long %.*s...", 235 MAXPATHLEN, type); 236 _warnx("approval script path too long"); 237 return (0); 238 } 239 } 240 241 if ((approve = login_getcapstr(lc, s = path, NULL, NULL)) == NULL) 242 approve = login_getcapstr(lc, s = "approve", NULL, NULL); 243 244 if (approve && approve[0] != '/') { 245 if (close_lc_on_exit) 246 login_close(lc); 247 syslog(LOG_ERR, "Invalid %s script: %s", s, approve); 248 _warnx("invalid path to approval script"); 249 free(approve); 250 return (0); 251 } 252 253 if (as == NULL && (as = auth_open()) == NULL) { 254 if (close_lc_on_exit) 255 login_close(lc); 256 syslog(LOG_ERR, "%m"); 257 _warn(NULL); 258 if (approve) 259 free(approve); 260 return (0); 261 } 262 263 auth_setstate(as, AUTH_OKAY); 264 if (auth_setitem(as, AUTHV_NAME, name) < 0) { 265 syslog(LOG_ERR, "%m"); 266 _warn(NULL); 267 goto out; 268 } 269 if (auth_check_expire(as) < 0) /* is this account expired */ 270 goto out; 271 if (_auth_checknologin(lc, 272 auth_getitem(as, AUTHV_INTERACTIVE) != NULL)) { 273 auth_setstate(as, (auth_getstate(as) & ~AUTH_ALLOW)); 274 goto out; 275 } 276 if (login_getcapbool(lc, "requirehome", 0) && pwd && pwd->pw_dir && 277 pwd->pw_dir[0]) { 278 struct stat sb; 279 280 if (stat(pwd->pw_dir, &sb) < 0 || 281 (sb.st_mode & 0170000) != S_IFDIR || 282 (pwd->pw_uid && sb.st_uid == pwd->pw_uid && 283 (sb.st_mode & S_IXUSR) == 0)) { 284 auth_setstate(as, (auth_getstate(as) & ~AUTH_ALLOW)); 285 goto out; 286 } 287 } 288 if (approve) 289 auth_call(as, approve, strrchr(approve, '/') + 1, name, 290 lc->lc_class, type, (char *)NULL); 291 292 out: 293 if (approve) 294 free(approve); 295 if (close_lc_on_exit) 296 login_close(lc); 297 298 if (close_on_exit) 299 return (auth_close(as)); 300 return (auth_getstate(as) & AUTH_ALLOW); 301 } 302 303 auth_session_t * 304 auth_usercheck(char *name, char *style, char *type, char *password) 305 { 306 char namebuf[MAXLOGNAME + 1 + NAME_MAX + 1]; 307 auth_session_t *as; 308 login_cap_t *lc; 309 struct passwd *pwd; 310 char *slash; 311 312 if (strlcpy(namebuf, name, sizeof(namebuf)) >= sizeof(namebuf)) 313 return (NULL); 314 name = namebuf; 315 316 /* 317 * Split up user:style names if we were not given a style 318 */ 319 if (style == NULL && (style = strchr(name, ':')) != NULL) 320 *style++ = '\0'; 321 322 /* 323 * Cope with user/instance. We are only using this to get 324 * the class so it is okay if we strip a /root instance 325 * The actual login script will pay attention to the instance. 326 */ 327 if ((pwd = getpwnam(name)) == NULL) { 328 if ((slash = strchr(name, '/')) != NULL) { 329 *slash = '\0'; 330 pwd = getpwnam(name); 331 *slash = '/'; 332 } 333 } 334 if ((lc = login_getclass(pwd ? pwd->pw_class : NULL)) == NULL) 335 return (NULL); 336 337 if ((style = login_getstyle(lc, style, type)) == NULL) { 338 login_close(lc); 339 return (NULL); 340 } 341 342 if (password) { 343 if ((as = auth_open()) == NULL) { 344 login_close(lc); 345 return (NULL); 346 } 347 auth_setitem(as, AUTHV_SERVICE, "response"); 348 auth_setdata(as, "", 1); 349 auth_setdata(as, password, strlen(password) + 1); 350 memset(password, 0, strlen(password)); 351 } else 352 as = NULL; 353 as = auth_verify(as, style, name, lc->lc_class, (char *)NULL); 354 login_close(lc); 355 return (as); 356 } 357 358 int 359 auth_userokay(char *name, char *style, char *type, char *password) 360 { 361 auth_session_t *as; 362 363 as = auth_usercheck(name, style, type, password); 364 365 return (as != NULL ? auth_close(as) : 0); 366 } 367 368 auth_session_t * 369 auth_userchallenge(char *name, char *style, char *type, char **challengep) 370 { 371 char namebuf[MAXLOGNAME + 1 + NAME_MAX + 1]; 372 auth_session_t *as; 373 login_cap_t *lc; 374 struct passwd *pwd; 375 char *slash; 376 377 if (strlen(name) >= sizeof(namebuf)) 378 return (NULL); 379 strlcpy(namebuf, name, sizeof namebuf); 380 name = namebuf; 381 382 /* 383 * Split up user:style names if we were not given a style 384 */ 385 if (style == NULL && (style = strchr(name, ':')) != NULL) 386 *style++ = '\0'; 387 388 /* 389 * Cope with user/instance. We are only using this to get 390 * the class so it is okay if we strip a /root instance 391 * The actual login script will pay attention to the instance. 392 */ 393 if ((pwd = getpwnam(name)) == NULL) { 394 if ((slash = strchr(name, '/')) != NULL) { 395 *slash = '\0'; 396 pwd = getpwnam(name); 397 *slash = '/'; 398 } 399 } 400 if ((lc = login_getclass(pwd ? pwd->pw_class : NULL)) == NULL) 401 return (NULL); 402 403 if ((style = login_getstyle(lc, style, type)) == NULL || 404 (as = auth_open()) == NULL) { 405 login_close(lc); 406 return (NULL); 407 } 408 if (auth_setitem(as, AUTHV_STYLE, style) < 0 || 409 auth_setitem(as, AUTHV_NAME, name) < 0 || 410 auth_setitem(as, AUTHV_CLASS, lc->lc_class) < 0) { 411 auth_close(as); 412 login_close(lc); 413 return (NULL); 414 } 415 login_close(lc); 416 *challengep = auth_challenge(as); 417 return (as); 418 } 419 420 int 421 auth_userresponse(auth_session_t *as, char *response, int more) 422 { 423 char path[MAXPATHLEN]; 424 char *style, *name, *challenge, *class; 425 int len; 426 427 if (as == NULL) 428 return (0); 429 430 auth_setstate(as, 0); 431 432 if ((style = auth_getitem(as, AUTHV_STYLE)) == NULL || 433 (name = auth_getitem(as, AUTHV_NAME)) == NULL) { 434 if (more == 0) 435 return (auth_close(as)); 436 return(0); 437 } 438 439 len = snprintf(path, sizeof(path), _PATH_AUTHPROG "%s", style); 440 if (len < 0 || len >= sizeof(path)) { 441 if (more == 0) 442 return (auth_close(as)); 443 return (0); 444 } 445 446 challenge = auth_getitem(as, AUTHV_CHALLENGE); 447 class = auth_getitem(as, AUTHV_CLASS); 448 449 if (challenge) 450 auth_setdata(as, challenge, strlen(challenge) + 1); 451 else 452 auth_setdata(as, "", 1); 453 if (response) { 454 auth_setdata(as, response, strlen(response) + 1); 455 memset(response, 0, strlen(response)); 456 } else 457 auth_setdata(as, "", 1); 458 459 auth_call(as, path, style, "-s", "response", name, class, (char *)NULL); 460 461 /* 462 * If they authenticated then make sure they did not expire 463 */ 464 if (auth_getstate(as) & AUTH_ALLOW) 465 auth_check_expire(as); 466 if (more == 0) 467 return (auth_close(as)); 468 return (auth_getstate(as) & AUTH_ALLOW); 469 } 470 471 /* 472 * Authenticate name with the specified style. 473 * If ``as'' is NULL a new session is formed with the default service. 474 * Returns NULL only if ``as'' is NULL and we were unable to allocate 475 * a new session. 476 * 477 * Use auth_close() or auth_getstate() to determine if the authentication 478 * worked. 479 */ 480 auth_session_t * 481 auth_verify(auth_session_t *as, char *style, char *name, ...) 482 { 483 va_list ap; 484 char path[MAXPATHLEN]; 485 486 if ((name == NULL || style == NULL) && as == NULL) 487 return (as); 488 489 if (as == NULL && (as = auth_open()) == NULL) 490 return (NULL); 491 auth_setstate(as, 0); 492 493 if (style != NULL && auth_setitem(as, AUTHV_STYLE, style) < 0) 494 return (as); 495 496 if (name != NULL && auth_setitem(as, AUTHV_NAME, name) < 0) 497 return (as); 498 499 style = auth_getitem(as, AUTHV_STYLE); 500 name = auth_getitem(as, AUTHV_NAME); 501 502 snprintf(path, sizeof(path), _PATH_AUTHPROG "%s", style); 503 va_start(ap, name); 504 auth_set_va_list(as, ap); 505 auth_call(as, path, auth_getitem(as, AUTHV_STYLE), "-s", 506 auth_getitem(as, AUTHV_SERVICE), name, (char *)NULL); 507 va_end(ap); 508 return (as); 509 } 510