1 /* $OpenBSD: authenticate.c,v 1.5 2001/07/09 06:57:42 deraadt Exp $ */ 2 3 /*- 4 * Copyright (c) 1997 Berkeley Software Design, Inc. All rights reserved. 5 * 6 * Redistribution and use in source and binary forms, with or without 7 * modification, are permitted provided that the following conditions 8 * are met: 9 * 1. Redistributions of source code must retain the above copyright 10 * notice, this list of conditions and the following disclaimer. 11 * 2. Redistributions in binary form must reproduce the above copyright 12 * notice, this list of conditions and the following disclaimer in the 13 * documentation and/or other materials provided with the distribution. 14 * 3. All advertising materials mentioning features or use of this software 15 * must display the following acknowledgement: 16 * This product includes software developed by Berkeley Software Design, 17 * Inc. 18 * 4. The name of Berkeley Software Design, Inc. may not be used to endorse 19 * or promote products derived from this software without specific prior 20 * written permission. 21 * 22 * THIS SOFTWARE IS PROVIDED BY BERKELEY SOFTWARE DESIGN, INC. ``AS IS'' AND 23 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 24 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 25 * ARE DISCLAIMED. IN NO EVENT SHALL BERKELEY SOFTWARE DESIGN, INC. BE LIABLE 26 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 27 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 28 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 29 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 30 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 31 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 32 * SUCH DAMAGE. 33 * 34 * BSDI $From: authenticate.c,v 2.21 1999/09/08 22:33:26 prb Exp $ 35 */ 36 #include <sys/param.h> 37 #include <sys/stat.h> 38 39 #include <ctype.h> 40 #include <err.h> 41 #include <fcntl.h> 42 #include <login_cap.h> 43 #include <paths.h> 44 #include <pwd.h> 45 #include <stdarg.h> 46 #include <stdio.h> 47 #include <stdlib.h> 48 #include <string.h> 49 #include <syslog.h> 50 #include <unistd.h> 51 52 #include <bsd_auth.h> 53 54 static int _auth_checknologin(login_cap_t *, int); 55 56 char * 57 auth_mkvalue(char *value) 58 { 59 char *big, *p; 60 61 big = malloc(strlen(value) * 4 + 1); 62 if (big == NULL) 63 return (NULL); 64 /* 65 * XXX - There should be a more standardized 66 * routine for doing this sort of thing. 67 */ 68 for (p = big; *value; ++value) { 69 switch (*value) { 70 case '\r': 71 *p++ = '\\'; 72 *p++ = 'r'; 73 break; 74 case '\n': 75 *p++ = '\\'; 76 *p++ = 'n'; 77 break; 78 case '\\': 79 *p++ = '\\'; 80 *p++ = *value; 81 break; 82 case '\t': 83 case ' ': 84 if (p == big) 85 *p++ = '\\'; 86 *p++ = *value; 87 break; 88 default: 89 if (!isprint(*value)) { 90 *p++ = '\\'; 91 *p++ = ((*value >> 6) & 0x3) + '0'; 92 *p++ = ((*value >> 3) & 0x7) + '0'; 93 *p++ = ((*value ) & 0x7) + '0'; 94 } else 95 *p++ = *value; 96 break; 97 } 98 } 99 *p = '\0'; 100 return (big); 101 } 102 103 void 104 auth_checknologin(login_cap_t *lc) 105 { 106 if (_auth_checknologin(lc, 1)) 107 exit(1); 108 } 109 110 static int 111 _auth_checknologin(login_cap_t *lc, int print) 112 { 113 struct stat sb; 114 char *nologin; 115 116 /* 117 * If we fail to get the nologin file due to a database error, 118 * assume there should have been one... 119 */ 120 if ((nologin = login_getcapstr(lc, "nologin", "", NULL)) == NULL) { 121 if (print) { 122 printf("Logins are not allowed at this time.\n"); 123 fflush(stdout); 124 } 125 return (-1); 126 } 127 if (*nologin && stat(nologin, &sb) >= 0) { 128 if (print && auth_cat(nologin) == 0) { 129 printf("Logins are not allowed at this time.\n"); 130 fflush(stdout); 131 } 132 return (-1); 133 } 134 135 if (login_getcapbool(lc, "ignorenologin", 0)) 136 return(0); 137 138 if (stat(_PATH_NOLOGIN, &sb) >= 0) { 139 if (print && auth_cat(_PATH_NOLOGIN) == 0) { 140 printf("Logins are not allowed at this time.\n"); 141 fflush(stdout); 142 } 143 return (-1); 144 } 145 return(0); 146 } 147 148 int 149 auth_cat(char *file) 150 { 151 int fd, nchars; 152 char tbuf[8192]; 153 154 if ((fd = open(file, O_RDONLY, 0)) < 0) 155 return (0); 156 while ((nchars = read(fd, tbuf, sizeof(tbuf))) > 0) 157 (void)write(fileno(stdout), tbuf, nchars); 158 (void)close(fd); 159 return (1); 160 } 161 162 int 163 auth_approval(auth_session_t *as, login_cap_t *lc, char *name, char *type) 164 { 165 int close_on_exit, close_lc_on_exit; 166 struct passwd *pwd; 167 char *approve, *s, path[MAXPATHLEN]; 168 169 pwd = NULL; 170 close_on_exit = as == NULL; 171 close_lc_on_exit = lc == NULL; 172 173 if (as != NULL && name == NULL) 174 name = auth_getitem(as, AUTHV_NAME); 175 176 if (as != NULL) 177 pwd = auth_getpwd(as); 178 179 if (pwd == NULL) { 180 if (name != NULL) 181 pwd = getpwnam(name); 182 else { 183 if ((pwd = getpwuid(getuid())) == NULL) { 184 syslog(LOG_ERR, "no such user id %d", getuid()); 185 _warnx("cannot approve who we don't recognize"); 186 return (0); 187 } 188 name = pwd->pw_name; 189 } 190 } 191 192 if (name == NULL) 193 name = pwd->pw_name; 194 195 if (lc == NULL) { 196 if (strlen(name) >= MAXPATHLEN) { 197 syslog(LOG_ERR, "username to login %.*s...", 198 MAXPATHLEN, name); 199 _warnx("username too long"); 200 return (0); 201 } 202 if (pwd == NULL && (approve = strchr(name, '.')) != NULL) { 203 strcpy(path, name); 204 path[approve-name] = '\0'; 205 pwd = getpwnam(name); 206 } 207 lc = login_getclass(pwd ? pwd->pw_class : NULL); 208 if (lc == NULL) { 209 _warnx("unable to classify user"); 210 return (0); 211 } 212 } 213 214 if (!type) 215 type = LOGIN_DEFSERVICE; 216 else { 217 if (strncmp(type, "approve-", 8) == 0) 218 type += 8; 219 220 snprintf(path, sizeof(path), "approve-%s", type); 221 } 222 223 if ((approve = login_getcapstr(lc, s = path, NULL, NULL)) == NULL) 224 approve = login_getcapstr(lc, s = "approve", NULL, NULL); 225 226 if (approve && approve[0] != '/') { 227 if (close_lc_on_exit) 228 login_close(lc); 229 syslog(LOG_ERR, "Invalid %s script: %s", s, approve); 230 _warnx("invalid path to approval script"); 231 return (0); 232 } 233 234 if (as == NULL && (as = auth_open()) == NULL) { 235 if (close_lc_on_exit) 236 login_close(lc); 237 syslog(LOG_ERR, "%m"); 238 _warn(NULL); 239 return (0); 240 } 241 242 auth_setstate(as, AUTH_OKAY); 243 if (auth_setitem(as, AUTHV_NAME, name) < 0) { 244 syslog(LOG_ERR, "%m"); 245 _warn(NULL); 246 goto out; 247 } 248 if (auth_check_expire(as)) /* is this account expired */ 249 goto out; 250 if (_auth_checknologin(lc, 251 auth_getitem(as, AUTHV_INTERACTIVE) != NULL)) { 252 auth_setstate(as, (auth_getstate(as) & ~AUTH_ALLOW)); 253 goto out; 254 } 255 if (login_getcapbool(lc, "requirehome", 0) && pwd && pwd->pw_dir && 256 pwd->pw_dir[0]) { 257 struct stat sb; 258 259 if (stat(pwd->pw_dir, &sb) < 0 || 260 (sb.st_mode & 0170000) != S_IFDIR || 261 (pwd->pw_uid && sb.st_uid == pwd->pw_uid && 262 (sb.st_mode & S_IXUSR) == 0)) { 263 auth_setstate(as, (auth_getstate(as) & ~AUTH_ALLOW)); 264 goto out; 265 } 266 } 267 if (approve) 268 auth_call(as, approve, strrchr(approve, '/') + 1, name, 269 lc->lc_class, type, 0); 270 271 out: 272 if (close_lc_on_exit) 273 login_close(lc); 274 275 if (close_on_exit) 276 return (auth_close(as)); 277 return (auth_getstate(as) & AUTH_ALLOW); 278 } 279 280 auth_session_t * 281 auth_usercheck(char *name, char *style, char *type, char *password) 282 { 283 char namebuf[MAXLOGNAME + 1 + NAME_MAX + 1]; 284 auth_session_t *as; 285 login_cap_t *lc; 286 struct passwd *pwd; 287 char *sep, save; 288 289 if (strlen(name) >= sizeof(namebuf)) 290 return (NULL); 291 strcpy(namebuf, name); 292 name = namebuf; 293 294 /* 295 * Split up user:style names if we were not given a style 296 */ 297 if (style == NULL && (style = strchr(name, ':')) != NULL) 298 *style++ = '\0'; 299 300 /* 301 * Cope with user[./]instance. We are only using this to get 302 * the class so it is okay if we strip a root instance 303 * The actual login script will pay attention to the instance. 304 */ 305 if ((pwd = getpwnam(name)) == NULL) { 306 if ((sep = strpbrk(name, "./")) != NULL) { 307 save = *sep; 308 *sep = '\0'; 309 pwd = getpwnam(name); 310 *sep = save; 311 } 312 } 313 if ((lc = login_getclass(pwd ? pwd->pw_class : NULL)) == NULL) 314 return (NULL); 315 316 if ((style = login_getstyle(lc, style, type)) == NULL) { 317 login_close(lc); 318 return (NULL); 319 } 320 321 if (password) { 322 if ((as = auth_open()) == NULL) { 323 login_close(lc); 324 return (NULL); 325 } 326 auth_setitem(as, AUTHV_SERVICE, "response"); 327 auth_setdata(as, "", 1); 328 auth_setdata(as, password, strlen(password) + 1); 329 } else 330 as = NULL; 331 as = auth_verify(as, style, name, lc->lc_class, NULL); 332 login_close(lc); 333 return (as); 334 } 335 336 int 337 auth_userokay(char *name, char *style, char *type, char *password) 338 { 339 auth_session_t *as; 340 341 as = auth_usercheck(name, style, type, password); 342 343 return (as != NULL ? auth_close(as) : 0); 344 } 345 346 auth_session_t * 347 auth_userchallenge(char *name, char *style, char *type, char **challengep) 348 { 349 char namebuf[MAXLOGNAME + 1 + NAME_MAX + 1]; 350 auth_session_t *as; 351 login_cap_t *lc; 352 struct passwd *pwd; 353 char *sep, save; 354 355 if (strlen(name) >= sizeof(namebuf)) 356 return (NULL); 357 strcpy(namebuf, name); 358 name = namebuf; 359 360 /* 361 * Split up user:style names if we were not given a style 362 */ 363 if (style == NULL && (style = strchr(name, ':')) != NULL) 364 *style++ = '\0'; 365 366 /* 367 * Cope with user[./]instance. We are only using this to get 368 * the class so it is okay if we strip a root instance 369 * The actual login script will pay attention to the instance. 370 */ 371 if ((pwd = getpwnam(name)) == NULL) { 372 if ((sep = strpbrk(name, "./")) != NULL) { 373 save = *sep; 374 *sep = '\0'; 375 pwd = getpwnam(name); 376 *sep = save; 377 } 378 } 379 if ((lc = login_getclass(pwd ? pwd->pw_class : NULL)) == NULL) 380 return (NULL); 381 382 if ((style = login_getstyle(lc, style, type)) == NULL || 383 (as = auth_open()) == NULL) { 384 login_close(lc); 385 return (NULL); 386 } 387 if (auth_setitem(as, AUTHV_STYLE, style) < 0 || 388 auth_setitem(as, AUTHV_NAME, name) < 0 || 389 auth_setitem(as, AUTHV_CLASS, lc->lc_class) < 0) { 390 auth_close(as); 391 login_close(lc); 392 return (NULL); 393 } 394 login_close(lc); 395 *challengep = auth_challenge(as); 396 return (as); 397 } 398 399 int 400 auth_userresponse(auth_session_t *as, char *response, int more) 401 { 402 char path[MAXPATHLEN]; 403 char *style, *name, *challenge, *class; 404 405 if (as == NULL) 406 return (0); 407 408 auth_setstate(as, 0); 409 410 if ((style = auth_getitem(as, AUTHV_STYLE)) == NULL || 411 (name = auth_getitem(as, AUTHV_NAME)) == NULL) { 412 if (more == 0) 413 return (auth_close(as)); 414 return(0); 415 } 416 challenge = auth_getitem(as, AUTHV_CHALLENGE); 417 class = auth_getitem(as, AUTHV_CLASS); 418 419 if (challenge) 420 auth_setdata(as, challenge, strlen(challenge) + 1); 421 else 422 auth_setdata(as, "", 1); 423 if (response) 424 auth_setdata(as, response, strlen(response) + 1); 425 else 426 auth_setdata(as, "", 1); 427 428 snprintf(path, sizeof(path), _PATH_AUTHPROG "%s", style); 429 430 auth_call(as, path, style, "-s", "response", name, class, NULL); 431 432 /* 433 * If they authenticated then make sure they did not expire 434 */ 435 if (auth_getstate(as) & AUTH_ALLOW) 436 auth_check_expire(as); 437 if (more == 0) 438 return (auth_close(as)); 439 return (auth_getstate(as) & AUTH_ALLOW); 440 } 441 442 /* 443 * Authenticate name with the specified style. 444 * If ``as'' is NULL a new session is formed with the default service. 445 * Returns NULL only if ``as'' is NULL and we were unable to allocate 446 * a new session. 447 * 448 * Use auth_close() or auth_getstate() to determine if the authentication 449 * worked. 450 */ 451 auth_session_t * 452 auth_verify(auth_session_t *as, char *style, char *name, ...) 453 { 454 va_list ap; 455 char path[MAXPATHLEN]; 456 457 if ((name == NULL || style == NULL) && as == NULL) 458 return (as); 459 460 if (as == NULL && (as = auth_open()) == NULL) 461 return (NULL); 462 auth_setstate(as, 0); 463 464 if (style != NULL && auth_setitem(as, AUTHV_STYLE, style) < 0) 465 return (as); 466 467 if (name != NULL && auth_setitem(as, AUTHV_NAME, name) < 0) 468 return (as); 469 470 style = auth_getitem(as, AUTHV_STYLE); 471 name = auth_getitem(as, AUTHV_NAME); 472 473 snprintf(path, sizeof(path), _PATH_AUTHPROG "%s", style); 474 va_start(ap, name); 475 auth_set_va_list(as, ap); 476 auth_call(as, path, auth_getitem(as, AUTHV_STYLE), "-s", 477 auth_getitem(as, AUTHV_SERVICE), name, NULL); 478 return (as); 479 } 480