diff options
author | Ruslan Ermilov <ru@FreeBSD.org> | 2000-10-12 07:18:20 +0000 |
---|---|---|
committer | Ruslan Ermilov <ru@FreeBSD.org> | 2000-10-12 07:18:20 +0000 |
commit | 6f1214d91833ea199c7b4bc7a12e2bd944f6e90b (patch) | |
tree | eb16892761afe09f2a52ed641538476139ab7854 /libexec/rlogind | |
parent | 80e3ea20974d1c10df69c86f56557e83bd986b89 (diff) | |
download | src-6f1214d91833ea199c7b4bc7a12e2bd944f6e90b.tar.gz src-6f1214d91833ea199c7b4bc7a12e2bd944f6e90b.zip |
Notes
Diffstat (limited to 'libexec/rlogind')
-rw-r--r-- | libexec/rlogind/Makefile | 8 | ||||
-rw-r--r-- | libexec/rlogind/auth_pam.c | 142 | ||||
-rw-r--r-- | libexec/rlogind/rlogind.c | 24 |
3 files changed, 0 insertions, 174 deletions
diff --git a/libexec/rlogind/Makefile b/libexec/rlogind/Makefile index f22df18a1bf8..5cb2e96b9531 100644 --- a/libexec/rlogind/Makefile +++ b/libexec/rlogind/Makefile @@ -8,12 +8,4 @@ DPADD= ${LIBUTIL} LDADD= -lutil CFLAGS+= -Wall -DINET6 -.if defined(NOPAM) -CFLAGS+= -DNO_PAM -.else -SRCS+= auth_pam.c -DPADD+= ${LIBPAM} -LDADD+= ${MINUSLPAM} -.endif - .include <bsd.prog.mk> diff --git a/libexec/rlogind/auth_pam.c b/libexec/rlogind/auth_pam.c deleted file mode 100644 index e45210783ed8..000000000000 --- a/libexec/rlogind/auth_pam.c +++ /dev/null @@ -1,142 +0,0 @@ -/*- - * Copyright (c) 1999 John Polstra - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - * - * $FreeBSD$ - */ - -#include <sys/param.h> -#include <sys/types.h> -#include <security/pam_appl.h> -#include <security/pam_misc.h> -#include <paths.h> -#include <pwd.h> -#include <stdio.h> -#include <string.h> -#include <unistd.h> - -/* - * Attempt to authenticate the user using PAM. Returns 0 if the user is - * authenticated, or 1 if not authenticated. If some sort of PAM system - * error occurs (e.g., the "/etc/pam.conf" file is missing) then this - * function returns -1. This can be used as an indication that we should - * fall back to a different authentication mechanism. - */ - -int -auth_pam(char *username) -{ - struct passwd *pawd; - pam_handle_t *pamh = NULL; - const char *tmpl_user; - const void *item; - int rval; - char *tty, *ttyn; - char hostname[MAXHOSTNAMELEN]; - char tname[sizeof(_PATH_TTY) + 10]; - int e; - - static struct pam_conv conv = { misc_conv, NULL }; - - ttyn = ttyname(STDIN_FILENO); - - if (ttyn == NULL || *ttyn == '\0') { - (void)snprintf(tname, sizeof(tname), "%s??", _PATH_TTY); - ttyn = tname; - } - if ((tty = strrchr(ttyn, '/')) != NULL) - ++tty; - else - tty = ttyn; - - rval = gethostname(hostname, sizeof(hostname)); - - if (rval < 0) { - syslog(LOG_ERR, "auth_pam: Failed to resolve local hostname"); - return -1; - } - if ((e = pam_start("rshd", username, &conv, &pamh)) != PAM_SUCCESS) { - syslog(LOG_ERR, "pam_start: %s", pam_strerror(pamh, e)); - return -1; - } - if ((e = pam_set_item(pamh, PAM_TTY, tty)) != PAM_SUCCESS) { - syslog(LOG_ERR, "pam_set_item(PAM_TTY): %s", - pam_strerror(pamh, e)); - return -1; - } - if (hostname != NULL && - (e = pam_set_item(pamh,PAM_RHOST, hostname)) != PAM_SUCCESS) { - syslog(LOG_ERR, "pam_set_item(PAM_RHOST): %s", - pam_strerror(pamh, e)); - return -1; - } - - e = pam_authenticate(pamh, 0); - - switch (e) { - case PAM_SUCCESS: - /* - * With PAM we support the concept of a "template" - * user. The user enters a login name which is - * authenticated by PAM, usually via a remote service - * such as RADIUS or TACACS+. If authentication - * succeeds, a different but related "template" name - * is used for setting the credentials, shell, and - * home directory. The name the user enters need only - * exist on the remote authentication server, but the - * template name must be present in the local password - * database. - * - * This is supported by two various mechanisms in the - * individual modules. However, from the application's - * point of view, the template user is always passed - * back as a changed value of the PAM_USER item. - */ - if ((e = pam_get_item(pamh, PAM_USER, &item)) == - PAM_SUCCESS) { - tmpl_user = (const char *) item; - if (strcmp(username, tmpl_user) != 0) - pawd = getpwnam(tmpl_user); - } else - syslog(LOG_ERR, "Couldn't get PAM_USER: %s", pam_strerror(pamh, e)); - rval = 0; - break; - - case PAM_AUTH_ERR: - case PAM_USER_UNKNOWN: - case PAM_MAXTRIES: - rval = 1; - break; - - default: - syslog(LOG_ERR, "auth_pam: %s", pam_strerror(pamh, e)); - rval = -1; - break; - } - if ((e = pam_end(pamh, e)) != PAM_SUCCESS) { - syslog(LOG_ERR, "pam_end: %s", pam_strerror(pamh, e)); - rval = -1; - } - return rval; -} diff --git a/libexec/rlogind/rlogind.c b/libexec/rlogind/rlogind.c index eec34e752579..46833a6b3592 100644 --- a/libexec/rlogind/rlogind.c +++ b/libexec/rlogind/rlogind.c @@ -80,10 +80,6 @@ static const char rcsid[] = #include <unistd.h> #include "pathnames.h" -#ifndef NO_PAM -#include <security/pam_appl.h> -#include <security/pam_misc.h> -#endif #ifndef TIOCPKT_WINDOW #define TIOCPKT_WINDOW 0x80 @@ -131,9 +127,6 @@ void setup_term __P((int)); int do_krb_login __P((struct sockaddr_in *)); void usage __P((void)); -#ifndef NO_PAM -extern int auth_pam __P((char *)); -#endif int main(argc, argv) @@ -570,28 +563,11 @@ int do_rlogin(dest) union sockunion *dest; { -#ifndef NO_PAM - int retval; -#endif getstr(rusername, sizeof(rusername), "remuser too long"); getstr(lusername, sizeof(lusername), "locuser too long"); getstr(term+ENVSIZE, sizeof(term)-ENVSIZE, "Terminal type too long"); -#ifndef NO_PAM - retval = auth_pam(lusername); - - if (retval) { - if (retval == -1) { - syslog(LOG_ERR, "PAM authentication failed"); - } - else { - syslog(LOG_ERR, - "User %s failed PAM authentication", lusername); - exit(1); - } - } -#endif pwd = getpwnam(lusername); if (pwd == NULL) return (-1); |