From owner-freebsd-audit Mon Nov 26 8:45:52 2001
Delivered-To: freebsd-audit@freebsd.org
Received: from flood.ping.uio.no (flood.ping.uio.no [129.240.78.31]) by hub.freebsd.org (Postfix) with ESMTP id 799D437B417; Mon, 26 Nov 2001 08:44:51 -0800 (PST)
Received: by flood.ping.uio.no (Postfix, from userid 2602) id F0CD414C52; Mon, 26 Nov 2001 17:44:46 +0100 (CET)
X-URL: http://www.ofug.org/~des/
X-Disclaimer: The views expressed in this message do not necessarily coincide with those of any organisation or company with which I am or have been affiliated.
To: audit@freebsd.org
Cc: markm@freebsd.org
Subject: PAM module patch for review
From: Dag-Erling Smorgrav
Date: 26 Nov 2001 17:44:46 +0100
Message-ID:
Lines: 28
User-Agent: Gnus/5.0808 (Gnus v5.8.8) Emacs/20.7
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="=-=-="
Sender: owner-freebsd-audit@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

--=-=-=

Attached. Not as much as I'd like - I did absolutely zip on PAM last week - but better than nothing, and I'll try to pick up the pace a bit.

Summary of changes:

- Dummy facilities as previously discussed; they all return PAM_IGNORE, which is possibly wrong for at least some of them, but I'll take a closer look at each of them and tweak them later as I gain more experience with PAM.
- New pam_self(8) module with man page.
- New pam_ssh(8) man page.
- Additions to the pam_unix(8) man page.
- Some minor style(9) fixes.

I'm going to continue cleaning up the module man pages and tweak the dummy facilities a bit.

DES
--
Dag-Erling Smorgrav - des@ofug.org

--=-=-=
Content-Type: text/x-patch
Content-Disposition: attachment; filename=pam-modules.diff

Index: Makefile =================================================================== RCS file: /home/ncvs/src/lib/libpam/modules/Makefile,v retrieving revision 1.14 diff -u -r1.14 Makefile --- Makefile 2 Aug 2001 19:01:02 -0000 1.14 +++ Makefile 19 Nov 2001 16:12:27 -0000 @@ -38,6 +38,7 @@ SUBDIR+= pam_radius SUBDIR+= pam_rootok SUBDIR+= pam_securetty +SUBDIR+= pam_self .if !defined(NOCRYPT) && !defined(NO_OPENSSL) && !defined(NO_OPENSSH) SUBDIR+= pam_ssh .endif Index: pam_deny/pam_deny.c =================================================================== RCS file: /home/ncvs/src/lib/libpam/modules/pam_deny/pam_deny.c,v retrieving revision 1.3 diff -u -r1.3 pam_deny.c --- pam_deny/pam_deny.c 30 Sep 2001 22:10:59 -0000 1.3 +++ pam_deny/pam_deny.c 19 Nov 2001 14:52:41 -0000
@@ -1,6 +1,13 @@ /*- * Copyright 2001 Mark R V Murray * All rights reserved. + * Copyright (c) 2001 Networks Associates Technologies, Inc. + * All rights reserved. + * + * Portions of this software were developed for the FreeBSD Project by + * ThinkSec AS and NAI Labs, the Security Research Division of Network + * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 + * ("CBOSS"), as part of the DARPA CHATS research program. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -10,6 +17,9 @@ * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. + * 3. The name of the author may not be used to endorse or promote + * products derived from this software without specific prior written + * permission. * * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE Index: pam_ftp/pam_ftp.c =================================================================== RCS file: /home/ncvs/src/lib/libpam/modules/pam_ftp/pam_ftp.c,v retrieving revision 1.4 diff -u -r1.4 pam_ftp.c --- pam_ftp/pam_ftp.c 30 Sep 2001 22:10:59 -0000 1.4 +++ pam_ftp/pam_ftp.c 19 Nov 2001 14:53:54 -0000 @@ -1,6 +1,13 @@ /*- * Copyright (c) 2001 Mark R V Murray * All rights reserved. + * Copyright (c) 2001 Networks Associates Technologies, Inc. + * All rights reserved. + * + * Portions of this software were developed for the FreeBSD Project by + * ThinkSec AS and NAI Labs, the Security Research Division of Network + * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 + * ("CBOSS"), as part of the DARPA CHATS research program. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions 
@@ -10,6 +17,9 @@ * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. + * 3. The name of the author may not be used to endorse or promote + * products derived from this software without specific prior written + * permission. * * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE @@ -40,6 +50,10 @@ #include #define PAM_SM_AUTH +#define PAM_SM_ACCOUNT +#define PAM_SM_SESSION +#define PAM_SM_PASSWORD + #include #include @@ -80,8 +94,7 @@ } locallist = NULL; } - } - else { + } else { for (i = 0; anonusers[i] != NULL; i++) { if (strcmp(anonusers[i], user) == 0) { *userret = anonusers[0]; @@ -131,8 +144,7 @@ PAM_RETURN(retval); prompt = GUEST_PROMPT; PAM_LOG("Doing anonymous"); - } - else { + } else { prompt = PROMPT; PAM_LOG("Doing non-anonymous"); } @@ -158,16 +170,14 @@ } } } - } - else + } else PAM_LOG("Ignoring supplied password structure"); PAM_LOG("Done anonymous"); retval = PAM_SUCCESS; - } - else { + } else { pam_set_item(pamh, PAM_AUTHTOK, token); PAM_VERBOSE_ERROR("Anonymous module reject"); 
@@ -190,6 +200,54 @@ PAM_LOG("Options processed"); PAM_RETURN(PAM_SUCCESS); +} + +PAM_EXTERN int +pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, int argc ,const char **argv) +{ + struct options options; + + pam_std_option(&options, NULL, argc, argv); + + PAM_LOG("Options processed"); + + PAM_RETURN(PAM_IGNORE); +} + +PAM_EXTERN int +pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, const char **argv) +{ + struct options options; + + pam_std_option(&options, NULL, argc, argv); + + PAM_LOG("Options processed"); + + PAM_RETURN(PAM_IGNORE); +} + +PAM_EXTERN int +pam_sm_open_session(pam_handle_t *pamh, int flags, int argc, const char **argv) +{ + struct options options; + + pam_std_option(&options, NULL, argc, argv); + + PAM_LOG("Options processed"); + + PAM_RETURN(PAM_IGNORE); +} + +PAM_EXTERN int +pam_sm_close_session(pam_handle_t *pamh, int flags, int argc, const char **argv) +{ + struct options options; + + pam_std_option(&options, NULL, argc, argv); + + PAM_LOG("Options processed"); + + PAM_RETURN(PAM_IGNORE); } PAM_MODULE_ENTRY("pam_ftp"); Index: pam_nologin/pam_nologin.c =================================================================== RCS file: /home/ncvs/src/lib/libpam/modules/pam_nologin/pam_nologin.c,v retrieving revision 1.4 diff -u -r1.4 pam_nologin.c --- pam_nologin/pam_nologin.c 30 Sep 2001 22:11:01 -0000 1.4 +++ pam_nologin/pam_nologin.c 19 Nov 2001 14:53:13 -0000 @@ -1,6 +1,13 @@ /*- * Copyright 2001 Mark R V Murray * All rights reserved. + * Copyright (c) 2001 Networks Associates Technologies, Inc. + * All rights reserved. + * + * Portions of this software were developed for the FreeBSD Project by + * ThinkSec AS and NAI Labs, the Security Research Division of Network + * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 + * ("CBOSS"), as part of the DARPA CHATS research program. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions 
@@ -10,6 +17,9 @@ * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. + * 3. The name of the author may not be used to endorse or promote + * products derived from this software without specific prior written + * permission. * * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE @@ -27,8 +37,6 @@ #include __FBSDID("$FreeBSD: src/lib/libpam/modules/pam_nologin/pam_nologin.c,v 1.4 2001/09/30 22:11:01 dillon Exp $"); -#define PAM_SM_AUTH - #include #include #include @@ -38,6 +46,11 @@ #include #include +#define PAM_SM_AUTH +#define PAM_SM_ACCOUNT +#define PAM_SM_SESSION +#define PAM_SM_PASSWORD + #include #include #include "pam_mod_misc.h" 
@@ -113,6 +126,54 @@ PAM_LOG("Options processed"); PAM_RETURN(PAM_SUCCESS); +} + +PAM_EXTERN int +pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, int argc ,const char **argv) +{ + struct options options; + + pam_std_option(&options, NULL, argc, argv); + + PAM_LOG("Options processed"); + + PAM_RETURN(PAM_IGNORE); +} + +PAM_EXTERN int +pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, const char **argv) +{ + struct options options; + + pam_std_option(&options, NULL, argc, argv); + + PAM_LOG("Options processed"); + + PAM_RETURN(PAM_IGNORE); +} + +PAM_EXTERN int +pam_sm_open_session(pam_handle_t *pamh, int flags, int argc, const char **argv) +{ + struct options options; + + pam_std_option(&options, NULL, argc, argv); + + PAM_LOG("Options processed"); + + PAM_RETURN(PAM_IGNORE); +} + +PAM_EXTERN int +pam_sm_close_session(pam_handle_t *pamh, int flags, int argc, const char **argv) +{ + struct options options; + + pam_std_option(&options, NULL, argc, argv); + + PAM_LOG("Options processed"); + + PAM_RETURN(PAM_IGNORE); } PAM_MODULE_ENTRY("pam_nologin"); Index: pam_opie/pam_opie.c =================================================================== RCS file: /home/ncvs/src/lib/libpam/modules/pam_opie/pam_opie.c,v retrieving revision 1.6 diff -u -r1.6 pam_opie.c --- pam_opie/pam_opie.c 30 Sep 2001 22:11:01 -0000 1.6 +++ pam_opie/pam_opie.c 19 Nov 2001 14:53:46 -0000 
@@ -1,7 +1,14 @@ /*- * Copyright 2000 James Bloom * All rights reserved. - * Based upon code Copyright 1998 Juniper Networks, Inc. + * Based upon code Copyright 1998 Juniper Networks, Inc. + * Copyright (c) 2001 Networks Associates Technologies, Inc. + * All rights reserved. + * + * Portions of this software were developed for the FreeBSD Project by + * ThinkSec AS and NAI Labs, the Security Research Division of Network + * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 + * ("CBOSS"), as part of the DARPA CHATS research program. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -11,6 +18,9 @@ * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. + * 3. The name of the author may not be used to endorse or promote + * products derived from this software without specific prior written + * permission. * * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE @@ -36,6 +46,10 @@ #include #define PAM_SM_AUTH +#define PAM_SM_ACCOUNT +#define PAM_SM_SESSION +#define PAM_SM_PASSWORD + #include #include "pam_mod_misc.h" @@ -77,8 +91,7 @@ if (pam_test_option(&options, PAM_OPT_AUTH_AS_SELF, NULL)) { pwd = getpwnam(getlogin()); user = pwd->pw_name; - } - else { + } else { retval = pam_get_user(pamh, (const char **)&user, NULL); if (retval != PAM_SUCCESS) PAM_RETURN(retval); 
@@ -133,6 +146,54 @@ PAM_LOG("Options processed"); PAM_RETURN(PAM_SUCCESS); +} + +PAM_EXTERN int +pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, int argc ,const char **argv) +{ + struct options options; + + pam_std_option(&options, NULL, argc, argv); + + PAM_LOG("Options processed"); + + PAM_RETURN(PAM_IGNORE); +} + +PAM_EXTERN int +pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, const char **argv) +{ + struct options options; + + pam_std_option(&options, NULL, argc, argv); + + PAM_LOG("Options processed"); + + PAM_RETURN(PAM_IGNORE); +} + +PAM_EXTERN int +pam_sm_open_session(pam_handle_t *pamh, int flags, int argc, const char **argv) +{ + struct options options; + + pam_std_option(&options, NULL, argc, argv); + + PAM_LOG("Options processed"); + + PAM_RETURN(PAM_IGNORE); +} + +PAM_EXTERN int +pam_sm_close_session(pam_handle_t *pamh, int flags, int argc, const char **argv) +{ + struct options options; + + pam_std_option(&options, NULL, argc, argv); + + PAM_LOG("Options processed"); + + PAM_RETURN(PAM_IGNORE); } PAM_MODULE_ENTRY("pam_opie"); Index: pam_permit/pam_permit.c =================================================================== RCS file: /home/ncvs/src/lib/libpam/modules/pam_permit/pam_permit.c,v retrieving revision 1.2 diff -u -r1.2 pam_permit.c --- pam_permit/pam_permit.c 30 Sep 2001 22:11:02 -0000 1.2 +++ pam_permit/pam_permit.c 19 Nov 2001 14:53:42 -0000 @@ -1,6 +1,13 @@ /*- * Copyright 2001 Mark R V Murray * All rights reserved. + * Copyright (c) 2001 Networks Associates Technologies, Inc. + * All rights reserved. + * + * Portions of this software were developed for the FreeBSD Project by + * ThinkSec AS and NAI Labs, the Security Research Division of Network + * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 + * ("CBOSS"), as part of the DARPA CHATS research program. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions 
@@ -10,6 +17,9 @@ * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. + * 3. The name of the author may not be used to endorse or promote + * products derived from this software without specific prior written + * permission. * * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE Index: pam_radius/pam_radius.c =================================================================== RCS file: /home/ncvs/src/lib/libpam/modules/pam_radius/pam_radius.c,v retrieving revision 1.5 diff -u -r1.5 pam_radius.c --- pam_radius/pam_radius.c 30 Sep 2001 22:11:02 -0000 1.5 +++ pam_radius/pam_radius.c 19 Nov 2001 14:53:24 -0000 @@ -1,6 +1,13 @@ /*- * Copyright 1998 Juniper Networks, Inc. * All rights reserved. + * Copyright (c) 2001 Networks Associates Technologies, Inc. + * All rights reserved. + * + * Portions of this software were developed for the FreeBSD Project by + * ThinkSec AS and NAI Labs, the Security Research Division of Network + * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 + * ("CBOSS"), as part of the DARPA CHATS research program. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -10,6 +17,9 @@ * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. + * 3. The name of the author may not be used to endorse or promote + * products derived from this software without specific prior written + * permission. * * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
@@ -36,6 +46,10 @@ #include #define PAM_SM_AUTH +#define PAM_SM_ACCOUNT +#define PAM_SM_SESSION +#define PAM_SM_PASSWORD + #include #include "pam_mod_misc.h" @@ -252,7 +266,7 @@ PAM_LOG("Radius build access done"); - for ( ; ; ) { + for (;;) { switch (rad_send_request(radh)) { case RAD_ACCESS_ACCEPT: @@ -324,6 +338,54 @@ PAM_LOG("Options processed"); PAM_RETURN(PAM_SUCCESS); +} + +PAM_EXTERN int +pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, int argc ,const char **argv) +{ + struct options options; + + pam_std_option(&options, NULL, argc, argv); + + PAM_LOG("Options processed"); + + PAM_RETURN(PAM_IGNORE); +} + +PAM_EXTERN int +pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, const char **argv) +{ + struct options options; + + pam_std_option(&options, NULL, argc, argv); + + PAM_LOG("Options processed"); + + PAM_RETURN(PAM_IGNORE); +} + +PAM_EXTERN int +pam_sm_open_session(pam_handle_t *pamh, int flags, int argc, const char **argv) +{ + struct options options; + + pam_std_option(&options, NULL, argc, argv); + + PAM_LOG("Options processed"); + + PAM_RETURN(PAM_IGNORE); +} + +PAM_EXTERN int +pam_sm_close_session(pam_handle_t *pamh, int flags, int argc, const char **argv) +{ + struct options options; + + pam_std_option(&options, NULL, argc, argv); + + PAM_LOG("Options processed"); + + PAM_RETURN(PAM_IGNORE); } PAM_MODULE_ENTRY("pam_radius"); Index: pam_rootok/pam_rootok.c =================================================================== RCS file: /home/ncvs/src/lib/libpam/modules/pam_rootok/pam_rootok.c,v retrieving revision 1.3 diff -u -r1.3 pam_rootok.c --- pam_rootok/pam_rootok.c 30 Sep 2001 22:11:03 -0000 1.3 +++ pam_rootok/pam_rootok.c 19 Nov 2001 14:34:34 -0000 
@@ -1,6 +1,13 @@ /*- * Copyright (c) 2001 Mark R V Murray * All rights reserved. + * Copyright (c) 2001 Networks Associates Technologies, Inc. + * All rights reserved. + * + * Portions of this software were developed for the FreeBSD Project by + * ThinkSec AS and NAI Labs, the Security Research Division of Network + * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 + * ("CBOSS"), as part of the DARPA CHATS research program. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -10,6 +17,9 @@ * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. + * 3. The name of the author may not be used to endorse or promote + * products derived from this software without specific prior written + * permission. * * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE @@ -33,6 +43,9 @@ #include #define PAM_SM_AUTH +#define PAM_SM_ACCOUNT +#define PAM_SM_SESSION +#define PAM_SM_PASSWORD #include #include 
@@ -65,6 +78,54 @@ PAM_LOG("Options processed"); PAM_RETURN(PAM_SUCCESS); +} + +PAM_EXTERN int +pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, int argc ,const char **argv) +{ + struct options options; + + pam_std_option(&options, NULL, argc, argv); + + PAM_LOG("Options processed"); + + PAM_RETURN(PAM_IGNORE); +} + +PAM_EXTERN int +pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, const char **argv) +{ + struct options options; + + pam_std_option(&options, NULL, argc, argv); + + PAM_LOG("Options processed"); + + PAM_RETURN(PAM_IGNORE); +} + +PAM_EXTERN int +pam_sm_open_session(pam_handle_t *pamh, int flags, int argc, const char **argv) +{ + struct options options; + + pam_std_option(&options, NULL, argc, argv); + + PAM_LOG("Options processed"); + + PAM_RETURN(PAM_IGNORE); +} + +PAM_EXTERN int +pam_sm_close_session(pam_handle_t *pamh, int flags, int argc, const char **argv) +{ + struct options options; + + pam_std_option(&options, NULL, argc, argv); + + PAM_LOG("Options processed"); + + PAM_RETURN(PAM_IGNORE); } PAM_MODULE_ENTRY("pam_rootok"); Index: pam_securetty/pam_securetty.c =================================================================== RCS file: /home/ncvs/src/lib/libpam/modules/pam_securetty/pam_securetty.c,v retrieving revision 1.4 diff -u -r1.4 pam_securetty.c --- pam_securetty/pam_securetty.c 30 Sep 2001 22:11:03 -0000 1.4 +++ pam_securetty/pam_securetty.c 19 Nov 2001 14:35:24 -0000 
@@ -1,6 +1,13 @@ /*- * Copyright (c) 2001 Mark R V Murray * All rights reserved. + * Copyright (c) 2001 Networks Associates Technologies, Inc. + * All rights reserved. + * + * Portions of this software were developed for the FreeBSD Project by + * ThinkSec AS and NAI Labs, the Security Research Division of Network + * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 + * ("CBOSS"), as part of the DARPA CHATS research program. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -10,6 +17,9 @@ * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. + * 3. The name of the author may not be used to endorse or promote + * products derived from this software without specific prior written + * permission. * * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE @@ -34,6 +44,10 @@ #include #define PAM_SM_AUTH +#define PAM_SM_ACCOUNT +#define PAM_SM_SESSION +#define PAM_SM_PASSWORD + #include #include 
@@ -102,6 +116,54 @@ PAM_LOG("Options processed"); PAM_RETURN(PAM_SUCCESS); +} + +PAM_EXTERN int +pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, int argc ,const char **argv) +{ + struct options options; + + pam_std_option(&options, NULL, argc, argv); + + PAM_LOG("Options processed"); + + PAM_RETURN(PAM_IGNORE); +} + +PAM_EXTERN int +pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, const char **argv) +{ + struct options options; + + pam_std_option(&options, NULL, argc, argv); + + PAM_LOG("Options processed"); + + PAM_RETURN(PAM_IGNORE); +} + +PAM_EXTERN int +pam_sm_open_session(pam_handle_t *pamh, int flags, int argc, const char **argv) +{ + struct options options; + + pam_std_option(&options, NULL, argc, argv); + + PAM_LOG("Options processed"); + + PAM_RETURN(PAM_IGNORE); +} + +PAM_EXTERN int +pam_sm_close_session(pam_handle_t *pamh, int flags, int argc, const char **argv) +{ + struct options options; + + pam_std_option(&options, NULL, argc, argv); + + PAM_LOG("Options processed"); + + PAM_RETURN(PAM_IGNORE); } PAM_MODULE_ENTRY("pam_securetty"); Index: pam_self/Makefile =================================================================== RCS file: pam_self/Makefile diff -N pam_self/Makefile --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ pam_self/Makefile 19 Nov 2001 16:22:31 -0000 
@@ -0,0 +1,32 @@ +# Copyright 2001 Mark R V Murray +# All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions +# are met: +# 1. Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# 2. Redistributions in binary form must reproduce the above copyright +# notice, this list of conditions and the following disclaimer in the +# documentation and/or other materials provided with the distribution. +# +# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND +# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE +# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +# SUCH DAMAGE. +# +# $FreeBSD$ + +LIB= pam_self +SHLIB_NAME= pam_self.so +SRCS= pam_self.c +MAN= pam_self.8 + +.include Index: pam_self/pam_self.8 =================================================================== RCS file: pam_self/pam_self.8 diff -N pam_self/pam_self.8 --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ pam_self/pam_self.8 19 Nov 2001 16:21:40 -0000 
@@ -0,0 +1,82 @@ +.\" Copyright (c) 2001 Mark R V Murray +.\" All rights reserved. +.\" Copyright (c) 2001 Networks Associates Technologies, Inc. +.\" All rights reserved. +.\" +.\" Portions of this software were developed for the FreeBSD Project by +.\" ThinkSec AS and NAI Labs, the Security Research Division of Network +.\" Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 +.\" ("CBOSS"), as part of the DARPA CHATS research program. +.\" +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" 3. The name of the author may not be used to endorse or promote +.\" products derived from this software without specific prior written +.\" permission. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. 
+.\" +.\" $FreeBSD$ +.\" +.Dd July 8, 2001 +.Dt PAM_SELF 8 +.Os +.Sh NAME +.Nm pam_self +.Nd Self PAM module +.Sh SYNOPSIS +.Op Ar service-name +.Ar module-type +.Ar control-flag +.Pa pam_self +.Op Ar options +.Sh DESCRIPTION +The Self authentication service module for PAM, +.Nm +provides functionality for only one PAM category: +authentication. +In terms of the +.Ar module-type +parameter, this is the +.Dq Li auth +feature. +It also provides a null function for session management. +.Ss Self Authentication Module +The Self authentication component +.Pq Fn pam_sm_authenticate , +returns success if and only if the source and target user names are +identical. +.Pp +The following options may be passed to the authentication module: +.Bl -tag -width ".Cm no_warn" +.It Cm debug +.Xr syslog 3 +debugging information at +.Dv LOG_DEBUG +level. +.It Cm no_warn +suppress warning messages to the user. +These messages include reasons why the user's authentication attempt +was declined. +.El +.Sh SEE ALSO +.Xr getuid 2 , +.Xr pam.conf 5 , +.Xr pam 8 Index: pam_self/pam_self.c =================================================================== RCS file: pam_self/pam_self.c diff -N pam_self/pam_self.c --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ pam_self/pam_self.c 19 Nov 2001 16:22:46 -0000 
@@ -0,0 +1,142 @@ +/*- + * Copyright (c) 2001 Mark R V Murray + * All rights reserved. + * Copyright (c) 2001 Networks Associates Technologies, Inc. + * All rights reserved. + * + * Portions of this software were developed for the FreeBSD Project by + * ThinkSec AS and NAI Labs, the Security Research Division of Network + * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 + * ("CBOSS"), as part of the DARPA CHATS research program. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. The name of the author may not be used to endorse or promote + * products derived from this software without specific prior written + * permission. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. 
+ */ + +#include +__FBSDID("$FreeBSD$"); + +#define _BSD_SOURCE + +#include +#include + +#define PAM_SM_AUTH +#define PAM_SM_ACCOUNT +#define PAM_SM_SESSION +#define PAM_SM_PASSWORD + +#include +#include + +PAM_EXTERN int +pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv) +{ + struct options options; + const char *luser, *ruser; + int r; + + pam_std_option(&options, NULL, argc, argv); + + PAM_LOG("Options processed"); + + r = pam_get_item(pamh, PAM_USER, (const void **)&luser); + if (r != PAM_SUCCESS) + PAM_RETURN(r); + if (luser == NULL) + PAM_RETURN(PAM_USER_UNKNOWN); + + r = pam_get_item(pamh, PAM_RUSER, (const void **)&ruser); + if (r != PAM_SUCCESS) + PAM_RETURN(r); + + if (strcmp(luser, ruser) == 0) + PAM_RETURN(PAM_SUCCESS); + + PAM_VERBOSE_ERROR("Refused; source and target users differ"); + + PAM_RETURN(PAM_AUTH_ERR); +} + +PAM_EXTERN int +pam_sm_setcred(pam_handle_t *pamh, int flags, int argc, const char **argv) +{ + struct options options; + + pam_std_option(&options, NULL, argc, argv); + + PAM_LOG("Options processed"); + + PAM_RETURN(PAM_SUCCESS); +} + +PAM_EXTERN int +pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, int argc ,const char **argv) +{ + struct options options; + + pam_std_option(&options, NULL, argc, argv); + + PAM_LOG("Options processed"); + + PAM_RETURN(PAM_IGNORE); +} + +PAM_EXTERN int +pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, const char **argv) +{ + struct options options; + + pam_std_option(&options, NULL, argc, argv); + + PAM_LOG("Options processed"); + + PAM_RETURN(PAM_IGNORE); +} + +PAM_EXTERN int +pam_sm_open_session(pam_handle_t *pamh, int flags, int argc, const char **argv) +{ + struct options options; + + pam_std_option(&options, NULL, argc, argv); + + PAM_LOG("Options processed"); + + PAM_RETURN(PAM_IGNORE); +} + +PAM_EXTERN int +pam_sm_close_session(pam_handle_t *pamh, int flags, int argc, const char **argv) +{ + struct options options; + + pam_std_option(&options, NULL, argc, 
argv); + + PAM_LOG("Options processed"); + + PAM_RETURN(PAM_IGNORE); +} + +PAM_MODULE_ENTRY("pam_self"); Index: pam_ssh/Makefile =================================================================== RCS file: /home/ncvs/src/lib/libpam/modules/pam_ssh/Makefile,v retrieving revision 1.6 diff -u -r1.6 Makefile --- pam_ssh/Makefile 4 Aug 2001 21:51:14 -0000 1.6 +++ pam_ssh/Makefile 26 Nov 2001 16:09:24 -0000 @@ -10,5 +10,6 @@ DPADD= ${LIBCRYPTO} ${LIBCRYPT} ${LIBUTIL} ${LIBZ} LDADD= -L${.OBJDIR}/../../../../secure/lib/libssh -lssh -lcrypto \ -lcrypt -lutil -lz +MAN= pam_ssh.8 .include Index: pam_ssh/pam_ssh.8 =================================================================== RCS file: pam_ssh/pam_ssh.8 diff -N pam_ssh/pam_ssh.8 --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ pam_ssh/pam_ssh.8 26 Nov 2001 16:32:31 -0000 
@@ -0,0 +1,148 @@ +.\" Copyright (c) 2001 Mark R V Murray +.\" All rights reserved. +.\" Copyright (c) 2001 Networks Associates Technologies, Inc. +.\" All rights reserved. +.\" +.\" This software was developed for the FreeBSD Project by ThinkSec AS and +.\" NAI Labs, the Security Research Division of Network Associates, Inc. +.\" under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the +.\" DARPA CHATS research program. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" 3. The name of the author may not be used to endorse or promote +.\" products derived from this software without specific prior written +.\" permission. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. 
+.\" +.\" $FreeBSD$ +.\" +.Dd November 26, 2001 +.Dt PAM_SSH 8 +.Os +.Sh NAME +.Nm pam_ssh +.Nd SSH PAM module +.Sh SYNOPSIS +.Op Ar service-name +.Ar module-type +.Ar control-flag +.Pa pam_ssh +.Op Ar options +.Sh DESCRIPTION +The +SSH +authentication service module for PAM, +.Nm +provides functionality for two PAM categories: +authentication +and session management. +In terms of the +.Ar module-type +parameter, they are the +.Dq Li auth +and +.Dq Li session +features. +It also provides null functions for the remaining categories. +.Ss SSH Authentication Module +The +SSH +authentication component +provides a function to verify the identity of a user +.Pq Fn pam_sm_authenticate , +by prompting the user for a passphrase and verifying that it can +decrypt the target user's SSH key using that passphrase. +.Pp +The following options may be passed to the authentication module: +.Bl -tag -width ".Cm use_first_pass" +.It Cm debug +.Xr syslog 3 +debugging information at +.Dv LOG_DEBUG +level. +.It Cm use_first_pass +If the authentication module +is not the first in the stack, +and a previous module +obtained the user's password, +that password is used +to authenticate the user. +If this fails, +the authentication module returns failure +without prompting the user for a password. +This option has no effect +if the authentication module +is the first in the stack, +or if no previous modules +obtained the user's password. +.It Cm try_first_pass +This option is similar to the +.Cm use_first_pass +option, +except that if the previously obtained password fails, +the user is prompted for another password. +.El +.Ss SSH Session Management Module +The +.Ux +session management component +provides functions to initiate +.Pq Fn pam_sm_open_session +and terminate +.Pq Fn pam_sm_close_session +sessions. 
+The +.Fn pam_sm_open_session +function starts an SSH agent, +passing it any private keys it decrypted +during the authentication phase, +and sets the environment variables +the agent specifies. +The +.Fn pam_sm_close_session +function kills the previously started SSH agent +by sending it a +.Dv SIGTERM . +.Pp +The following options may be passed to the session management module: +.Bl -tag -width ".Cm use_first_pass" +.It Cm debug +.Xr syslog 3 +debugging information at +.Dv LOG_DEBUG +level. +.El +.Sh FILES +.Bl -tag -width ".Pa $HOME/.ssh2/id_dsa_*" -compact +.It Pa $HOME/.ssh/identity +SSH1/OpenSSH RSA key. +.It Pa $HOME/.ssh/id_dsa +OpenSSH DSA key. +.It Pa $HOME/.ssh2/id_rsa_* +SSH2 RSA keys. +.It Pa $HOME/.ssh2/id_dsa_* +SSH2 DSA keys. +.El +.Sh SEE ALSO +.Xr pam 8 , +.Xr pam.conf 5 , +.Xr ssh-agent 1 , +.Xr syslog 3 Index: pam_ssh/pam_ssh.c =================================================================== RCS file: /home/ncvs/src/lib/libpam/modules/pam_ssh/pam_ssh.c,v retrieving revision 1.17 diff -u -r1.17 pam_ssh.c --- pam_ssh/pam_ssh.c 30 Sep 2001 22:11:04 -0000 1.17 +++ pam_ssh/pam_ssh.c 19 Nov 2001 14:37:03 -0000 @@ -1,6 +1,13 @@ /*- * Copyright (c) 1999, 2000 Andrew J. Korty * All rights reserved. + * Copyright (c) 2001 Networks Associates Technologies, Inc. + * All rights reserved. + * + * Portions of this software were developed for the FreeBSD Project by + * ThinkSec AS and NAI Labs, the Security Research Division of Network + * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 + * ("CBOSS"), as part of the DARPA CHATS research program. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions 
@@ -10,6 +17,9 @@ * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. + * 3. The name of the author may not be used to endorse or promote + * products derived from this software without specific prior written + * permission. * * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE @@ -41,7 +51,10 @@ #include #define PAM_SM_AUTH -#define PAM_SM_SESSION +#define PAM_SM_ACCOUNT +#define PAM_SM_SESSION +#define PAM_SM_PASSWORD + #include #include @@ -281,6 +294,29 @@ PAM_RETURN(PAM_SUCCESS); } +PAM_EXTERN int +pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, int argc ,const char **argv) +{ + struct options options; + + pam_std_option(&options, NULL, argc, argv); + + PAM_LOG("Options processed"); + + PAM_RETURN(PAM_IGNORE); +} + +PAM_EXTERN int +pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, const char **argv) +{ + struct options options; + + pam_std_option(&options, NULL, argc, argv); + + PAM_LOG("Options processed"); + + PAM_RETURN(PAM_IGNORE); +} typedef AuthenticationConnection AC; @@ -332,8 +368,7 @@ syslog(LOG_CRIT, "%s: %m", MODULE_NAME); PAM_RETURN(PAM_SERVICE_ERR); } - } - else if (asprintf(&env_file, "%s/.ssh/agent-%s", pwd->pw_dir, + } else if (asprintf(&env_file, "%s/.ssh/agent-%s", pwd->pw_dir, tty) == -1) { syslog(LOG_CRIT, "%s: %m", MODULE_NAME); PAM_RETURN(PAM_SERVICE_ERR); 
@@ -401,8 +436,7 @@ syslog(LOG_CRIT, "%s: %m", MODULE_NAME); PAM_RETURN(PAM_SERVICE_ERR); } - } - else if (strcmp(&env_string[strlen(env_string) - + } else if (strcmp(&env_string[strlen(env_string) - strlen(ENV_PID_SUFFIX)], ENV_PID_SUFFIX) == 0) { retval = pam_set_data(pamh, "ssh_agent_pid", env_value, ssh_cleanup); Index: pam_tacplus/pam_tacplus.c =================================================================== RCS file: /home/ncvs/src/lib/libpam/modules/pam_tacplus/pam_tacplus.c,v retrieving revision 1.5 diff -u -r1.5 pam_tacplus.c --- pam_tacplus/pam_tacplus.c 30 Sep 2001 22:11:05 -0000 1.5 +++ pam_tacplus/pam_tacplus.c 19 Nov 2001 14:41:03 -0000 @@ -1,6 +1,13 @@ /*- * Copyright 1998 Juniper Networks, Inc. * All rights reserved. + * Copyright (c) 2001 Networks Associates Technologies, Inc. + * All rights reserved. + * + * Portions of this software were developed for the FreeBSD Project by + * ThinkSec AS and NAI Labs, the Security Research Division of Network + * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 + * ("CBOSS"), as part of the DARPA CHATS research program. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -10,6 +17,9 @@ * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. + * 3. The name of the author may not be used to endorse or promote + * products derived from this software without specific prior written + * permission. * * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE @@ -37,6 +47,10 @@ #include #define PAM_SM_AUTH +#define PAM_SM_ACCOUNT +#define PAM_SM_SESSION +#define PAM_SM_PASSWORD + #include #include "pam_mod_misc.h" 
@@ -276,7 +290,61 @@ PAM_EXTERN int pam_sm_setcred(pam_handle_t *pamh, int flags, int argc, const char **argv) { - return PAM_SUCCESS; + struct options options; + + pam_std_option(&options, NULL, argc, argv); + + PAM_LOG("Options processed"); + + PAM_RETURN(PAM_SUCCESS); +} + +PAM_EXTERN int +pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, int argc ,const char **argv) +{ + struct options options; + + pam_std_option(&options, NULL, argc, argv); + + PAM_LOG("Options processed"); + + PAM_RETURN(PAM_IGNORE); +} + +PAM_EXTERN int +pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, const char **argv) +{ + struct options options; + + pam_std_option(&options, NULL, argc, argv); + + PAM_LOG("Options processed"); + + PAM_RETURN(PAM_IGNORE); +} + +PAM_EXTERN int +pam_sm_open_session(pam_handle_t *pamh, int flags, int argc, const char **argv) +{ + struct options options; + + pam_std_option(&options, NULL, argc, argv); + + PAM_LOG("Options processed"); + + PAM_RETURN(PAM_IGNORE); +} + +PAM_EXTERN int +pam_sm_close_session(pam_handle_t *pamh, int flags, int argc, const char **argv) +{ + struct options options; + + pam_std_option(&options, NULL, argc, argv); + + PAM_LOG("Options processed"); + + PAM_RETURN(PAM_IGNORE); } PAM_MODULE_ENTRY("pam_tacplus"); Index: pam_unix/pam_unix.8 =================================================================== RCS file: /home/ncvs/src/lib/libpam/modules/pam_unix/pam_unix.8,v retrieving revision 1.5 diff -u -r1.5 pam_unix.8 --- pam_unix/pam_unix.8 26 Aug 2001 17:41:13 -0000 1.5 +++ pam_unix/pam_unix.8 26 Nov 2001 16:34:06 -0000 
@@ -1,5 +1,12 @@ .\" Copyright (c) 2001 Mark R V Murray .\" All rights reserved. +.\" Copyright (c) 2001 Networks Associates Technologies, Inc. +.\" All rights reserved. +.\" +.\" This software was developed for the FreeBSD Project by ThinkSec AS and +.\" NAI Labs, the Security Research Division of Network Associates, Inc. +.\" under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the +.\" DARPA CHATS research program. .\" .\" Redistribution and use in source and binary forms, with or without .\" modification, are permitted provided that the following conditions @@ -9,6 +16,9 @@ .\" 2. Redistributions in binary form must reproduce the above copyright .\" notice, this list of conditions and the following disclaimer in the .\" documentation and/or other materials provided with the distribution. +.\" 3. The name of the author may not be used to endorse or promote +.\" products derived from this software without specific prior written +.\" permission. .\" .\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND .\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE @@ -24,7 +34,7 @@ .\" .\" $FreeBSD: src/lib/libpam/modules/pam_unix/pam_unix.8,v 1.5 2001/08/26 17:41:13 markm Exp $ .\" -.Dd July 7, 2001 +.Dd November 26, 2001 .Dt PAM_UNIX 8 .Os .Sh NAME @@ -111,6 +121,17 @@ then this option will forgo password prompting, and silently allow authentication to succeed. +.It Cm local_pass +Use only the local password database, +even if NIS is in use. +This will cause an authentication failure +if the system is configured +to only use NIS. +.It Cm nis_pass +Use only the NIS password database. +This will cause an authentication failure +if the system is not configured +to use NIS. .El .Ss Ux Ss Account Management Module The 
@@ -169,10 +190,13 @@ password database. .El .Sh SEE ALSO -.Xr passwd 1 , -.Xr getlogin 2 , .Xr crypt 3 , -.Xr syslog 3 , +.Xr getlogin 2 , +.Xr getpwent 3 , +.Xr nsswitch.conf 5 , +.Xr pam 8 , .Xr pam.conf 5 , +.Xr passwd 1 , .Xr passwd 5 , -.Xr pam 8 +.Xr syslog 3 , +.Xr nis 4 Index: pam_unix/pam_unix.c =================================================================== RCS file: /home/ncvs/src/lib/libpam/modules/pam_unix/pam_unix.c,v retrieving revision 1.11 diff -u -r1.11 pam_unix.c --- pam_unix/pam_unix.c 25 Oct 2001 15:51:50 -0000 1.11 +++ pam_unix/pam_unix.c 19 Nov 2001 14:53:10 -0000 @@ -1,6 +1,13 @@ /*- * Copyright 1998 Juniper Networks, Inc. * All rights reserved. + * Copyright (c) 2001 Networks Associates Technologies, Inc. + * All rights reserved. + * + * Portions of this software were developed for the FreeBSD Project by + * ThinkSec AS and NAI Labs, the Security Research Division of Network + * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 + * ("CBOSS"), as part of the DARPA CHATS research program. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -10,6 +17,9 @@ * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. + * 3. The name of the author may not be used to endorse or promote + * products derived from this software without specific prior written + * permission. * * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE @@ -135,8 +145,7 @@ */ PAM_LOG("No password, and null password OK"); PAM_RETURN(PAM_SUCCESS); - } - else { + } else { retval = pam_get_pass(pamh, &pass, password_prompt, &options); if (retval != PAM_SUCCESS) 
@@ -152,8 +161,7 @@ retval = strcmp(encrypted, pwd->pw_passwd) == 0 ? PAM_SUCCESS : PAM_AUTH_ERR; - } - else { + } else { PAM_LOG("Doing dummy authentication"); @@ -334,8 +342,7 @@ */ PAM_LOG("No password, and null password OK"); PAM_RETURN(PAM_SUCCESS); - } - else { + } else { retval = pam_get_pass(pamh, &pass, PASSWORD_PROMPT_EXPIRED, &options); if (retval != PAM_SUCCESS) @@ -366,8 +373,7 @@ PAM_LOG("Voided old password"); PAM_RETURN(PAM_SUCCESS); - } - else if (flags & PAM_UPDATE_AUTHTOK) { + } else if (flags & PAM_UPDATE_AUTHTOK) { PAM_LOG("UPDATE round; checking user password"); retval = pam_get_item(pamh, PAM_OLDAUTHTOK, @@ -399,8 +405,7 @@ if (strcmp(new_pass, new_pass_) == 0) { got = 1; break; - } - else + } else PAM_VERBOSE_ERROR("Password mismatch"); } } @@ -427,8 +432,7 @@ retval = PAM_PERM_DENIED; PAM_LOG("Unknown local user: %s", user); } - } - else if (res == USER_LOCAL_ONLY) { + } else if (res == USER_LOCAL_ONLY) { if (!pam_test_option(&options, PAM_OPT_NIS_PASS, NULL)) retval = local_passwd(user, new_pass); else { @@ -436,14 +440,12 @@ retval = PAM_PERM_DENIED; PAM_LOG("Unknown NIS user: %s", user); } - } - else if (res == USER_YP_AND_LOCAL) { + } else if (res == USER_YP_AND_LOCAL) { if (pam_test_option(&options, PAM_OPT_NIS_PASS, NULL)) retval = yp_passwd(user, new_pass); else retval = local_passwd(user, new_pass); - } - else + } else retval = PAM_ABORT; /* Bad juju */ #else retval = local_passwd(user, new_pass); @@ -452,8 +454,7 @@ /* XXX wipe the mem as well */ pass = NULL; new_pass = NULL; - } - else { + } else { /* Very bad juju */ retval = PAM_ABORT; PAM_LOG("Illegal 'flags'"); 
@@ -620,8 +621,7 @@ master, clnt_spcreateerror("")); return PAM_ABORT; } - } - else { + } else { if ((clnt = clnt_create(master, YPPASSWDPROG, YPPASSWDVERS, "udp")) == NULL) { syslog(LOG_ERR, Index: pam_wheel/pam_wheel.c =================================================================== RCS file: /home/ncvs/src/lib/libpam/modules/pam_wheel/pam_wheel.c,v retrieving revision 1.6 diff -u -r1.6 pam_wheel.c --- pam_wheel/pam_wheel.c 30 Sep 2001 22:11:06 -0000 1.6 +++ pam_wheel/pam_wheel.c 19 Nov 2001 14:53:08 -0000 @@ -1,6 +1,13 @@ /*- * Copyright (c) 2001 Mark R V Murray * All rights reserved. + * Copyright (c) 2001 Networks Associates Technologies, Inc. + * All rights reserved. + * + * Portions of this software were developed for the FreeBSD Project by + * ThinkSec AS and NAI Labs, the Security Research Division of Network + * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 + * ("CBOSS"), as part of the DARPA CHATS research program. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -10,6 +17,9 @@ * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. + * 3. The name of the author may not be used to endorse or promote + * products derived from this software without specific prior written + * permission. * * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE @@ -39,6 +49,10 @@ #include #define PAM_SM_AUTH +#define PAM_SM_ACCOUNT +#define PAM_SM_SESSION +#define PAM_SM_PASSWORD + #include #include @@ -93,8 +107,7 @@ if (pam_test_option(&options, PAM_OPT_AUTH_AS_SELF, NULL)) { pwd = getpwnam(getlogin()); user = strdup(pwd->pw_name); - } - else { + } else { user = targetuser; pwd = getpwnam(user); } 
@@ -120,8 +133,7 @@ if (!pam_test_option(&options, PAM_OPT_GROUP, &use_group)) { if ((grp = getgrnam("wheel")) == NULL) grp = getgrgid(0); - } - else + } else grp = getgrnam(use_group); if (grp == NULL || grp->gr_mem == NULL) { @@ -164,6 +176,54 @@ PAM_LOG("Options processed"); PAM_RETURN(PAM_SUCCESS); +} + +PAM_EXTERN int +pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, int argc ,const char **argv) +{ + struct options options; + + pam_std_option(&options, NULL, argc, argv); + + PAM_LOG("Options processed"); + + PAM_RETURN(PAM_IGNORE); +} + +PAM_EXTERN int +pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, const char **argv) +{ + struct options options; + + pam_std_option(&options, NULL, argc, argv); + + PAM_LOG("Options processed"); + + PAM_RETURN(PAM_IGNORE); +} + +PAM_EXTERN int +pam_sm_open_session(pam_handle_t *pamh, int flags, int argc, const char **argv) +{ + struct options options; + + pam_std_option(&options, NULL, argc, argv); + + PAM_LOG("Options processed"); + + PAM_RETURN(PAM_IGNORE); +} + +PAM_EXTERN int +pam_sm_close_session(pam_handle_t *pamh, int flags, int argc, const char **argv) +{ + struct options options; + + pam_std_option(&options, NULL, argc, argv); + + PAM_LOG("Options processed"); + + PAM_RETURN(PAM_IGNORE); } PAM_MODULE_ENTRY("pam_wheel");
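Review bot: in the new pam_self.c, pam_sm_authenticate checks luser for NULL but not ruser, so an application that never set PAM_RUSER makes `strcmp(luser, ruser)` dereference a NULL pointer instead of failing the authentication. After `r = pam_get_item(pamh, PAM_RUSER, (const void **)&ruser);` add the same guard as for luser, failing closed (`if (ruser == NULL) PAM_RETURN(PAM_AUTH_ERR);`), since an unknown requesting user must never be treated as equal to the target. Same file, style(9) nit: `int argc ,const char **argv` in pam_sm_acct_mgmt has the space on the wrong side of the comma; the identical copy-paste appears in the pam_sm_acct_mgmt stubs added to pam_ssh.c, pam_tacplus.c and pam_wheel.c.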
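Review bot: in the new pam_ssh.8, the session management subsection opens with `.Ux session management component`, which renders as "UNIX session management component"; this is carried over from pam_unix.8 and should read "SSH" here, matching the authentication subsection above it. Two smaller points in the same file: the session options list uses `-width ".Cm use_first_pass"` although only `debug` is listed, so `-width ".Cm debug"` would be the right width, and the SEE ALSO entries (`.Xr pam 8 , .Xr pam.conf 5 , .Xr ssh-agent 1 , .Xr syslog 3`) should be ordered by section then name per mdoc convention: ssh-agent 1, syslog 3, pam.conf 5, pam 8.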
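Review bot: in the pam_ssh.c hunk at @@ -281,6 +294,29 @@, the closing `+}` of the new pam_sm_chauthtok runs directly into the existing `typedef AuthenticationConnection AC;` with no blank line between them; add one so the stub matches the spacing of the functions above it. The added PAM_SM_ACCOUNT and PAM_SM_PASSWORD defines are needed for the new entry points and look right.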
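Review bot: in the pam_unix.8 hunk at @@ -169,10 +190,13 @@, the reordered SEE ALSO list is still not in mdoc order: `.Xr getlogin 2` now follows `.Xr crypt 3`, and `.Xr nis 4` is appended after `.Xr syslog 3 ,` at the very end. Sorting by section then name gives passwd 1, getlogin 2, crypt 3, getpwent 3, syslog 3, nis 4, nsswitch.conf 5, pam.conf 5, passwd 5, pam 8. The new local_pass and nis_pass option text itself reads clearly and states the failure mode for each, which is what an administrator needs.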
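Review bot: in the pam_wheel.c hunk at @@ -93,8 +107,7 @@, the block being reformatted contains `pwd = getpwnam(getlogin()); user = strdup(pwd->pw_name);` with no check that getlogin() or getpwnam() returned non-NULL, so a session with no login name set dereferences NULL before the module can return an error. Since the block is being touched anyway, check pwd (and the strdup result) and fail with PAM_AUTH_ERR or PAM_SERVICE_ERR rather than crashing the calling application.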
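Review bot: in the pam_unix.c hunk at @@ -452,8 +454,7 @@, the reformatted block still carries `/* XXX wipe the mem as well */` above `pass = NULL; new_pass = NULL;`, so the old and new password strings remain in memory after the change-password round completes. If the module owns those buffers, clearing them before dropping the pointers is worth doing in this cleanup pass; if they belong to libpam items, the comment should say so and be removed.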