Date:      Mon, 21 Jan 2002 13:28:46 +0000
From:      Mark Murray <mark@grondar.za>
To:        Dag-Erling Smorgrav <des@ofug.org>
Cc:        "Andrey A. Chernov" <ache@nagual.pp.ru>, current@FreeBSD.ORG
Subject:   Re: Step5, pam_opie OPIE auth fix for review 
Message-ID:  <200201211328.g0LDSlt39059@grimreaper.grondar.org>
In-Reply-To: <xzp4rlfzwbf.fsf@flood.ping.uio.no> ; from Dag-Erling Smorgrav <des@ofug.org>  "21 Jan 2002 14:07:48 +0100."
References:  <xzp4rlfzwbf.fsf@flood.ping.uio.no> 

This is looking good!

Please keep a close eye on style (there is at least one assignment in
an if () statement that needs to move out. :-)

M

> Dag-Erling Smorgrav <des@ofug.org> writes:
> > Umm, you can't use opiechallenge() for that.  You're not supposed to
> > call opiechallenge() without also calling opieverify() (plus, I think
> > opiechallenge() "consumes" a challenge).  Use opielookup() instead.
> 
> Even better, opie_haskey() (which is a wrapper around opielookup()).
> New patch attached.
> 
> DES
> -- 
> Dag-Erling Smorgrav - des@ofug.org
> 
> 
> Index: Makefile
> ===================================================================
> RCS file: /home/ncvs/src/lib/libpam/modules/Makefile,v
> retrieving revision 1.15
> diff -u -r1.15 Makefile
> --- Makefile	5 Dec 2001 15:55:14 -0000	1.15
> +++ Makefile	21 Jan 2002 00:46:54 -0000
> @@ -34,6 +34,7 @@
>  .endif
>  SUBDIR+=	pam_nologin
>  SUBDIR+=	pam_opie
> +SUBDIR+=	pam_opieaccess
>  SUBDIR+=	pam_permit
>  SUBDIR+=	pam_radius
>  SUBDIR+=	pam_rootok
> Index: pam_opie/pam_opie.8
> ===================================================================
> RCS file: /home/ncvs/src/lib/libpam/modules/pam_opie/pam_opie.8,v
> retrieving revision 1.4
> diff -u -r1.4 pam_opie.8
> --- pam_opie/pam_opie.8	14 Jul 2001 08:38:24 -0000	1.4
> +++ pam_opie/pam_opie.8	21 Jan 2002 01:18:58 -0000
> @@ -1,5 +1,13 @@
>  .\" Copyright (c) 2001 Mark R V Murray
>  .\" All rights reserved.
> +.\" Copyright (c) 2002 Networks Associates Technologies, Inc.
> +.\" All rights reserved.
> +.\"
> +.\" Portions of this software were developed for the FreeBSD Project by
> +.\" ThinkSec AS and NAI Labs, the Security Research Division of Network
> +.\" Associates, Inc.  under DARPA/SPAWAR contract N66001-01-C-8035
> +.\" ("CBOSS"), as part of the DARPA CHATS research program.
> +.\"
>  .\"
>  .\" Redistribution and use in source and binary forms, with or without
>  .\" modification, are permitted provided that the following conditions
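Review bot: the added header block ends with a bare `.\"` line and is immediately followed by the existing bare `.\"` line, leaving two consecutive empty comment lines between the DARPA notice and the redistribution terms; drop one of them so the spacing matches the rest of the header.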
> @@ -9,6 +17,9 @@
>  .\" 2. Redistributions in binary form must reproduce the above copyright
>  .\"    notice, this list of conditions and the following disclaimer in the
>  .\"    documentation and/or other materials provided with the distribution.
> +.\" 3. The name of the author may not be used to endorse or promote
> +.\"    products derived from this software without specific prior written
> +.\"    permission.
>  .\"
>  .\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
>  .\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
> @@ -47,6 +58,13 @@
>  .Dq Li auth
>  feature.
>  It also provides a null function for session management.
> +.Pp
> +Note that this module does not enforce
> +.Xr opieaccess 5
> +checks.
> +There is a separate module,
> +.Xr pam_opieaccess 8 ,
> +for this purpose.
>  .Ss OPIE Authentication Module
>  The OPIE authentication component
>  provides functions to verify the identity of a user
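Review bot: the new paragraph sends readers to pam_opieaccess(8), but this hunk does not touch the page's SEE ALSO section; add a matching `.Xr pam_opieaccess 8` entry there so the cross-reference is discoverable from both places.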
> Index: pam_opieaccess/Makefile
> ===================================================================
> RCS file: pam_opieaccess/Makefile
> diff -N pam_opieaccess/Makefile
> --- /dev/null	1 Jan 1970 00:00:00 -0000
> +++ pam_opieaccess/Makefile	21 Jan 2002 00:53:49 -0000
> @@ -0,0 +1,10 @@
> +# $FreeBSD$
> +
> +LIB=		pam_opieaccess
> +SHLIB_NAME=	${LIB}.so
> +SRCS=		${LIB}.c
> +DPADD=		${LIBOPIE}
> +LDADD=		-lopie
> +MAN=		pam_opieaccess.8
> +
> +.include <bsd.lib.mk>
> Index: pam_opieaccess/pam_opieaccess.8
> ===================================================================
> RCS file: pam_opieaccess/pam_opieaccess.8
> diff -N pam_opieaccess/pam_opieaccess.8
> --- /dev/null	1 Jan 1970 00:00:00 -0000
> +++ pam_opieaccess/pam_opieaccess.8	21 Jan 2002 13:07:06 -0000
> @@ -0,0 +1,116 @@
> +.\" Copyright (c) 2001 Mark R V Murray
> +.\" All rights reserved.
> +.\" Copyright (c) 2002 Networks Associates Technologies, Inc.
> +.\" All rights reserved.
> +.\"
> +.\" Portions of this software were developed for the FreeBSD Project by
> +.\" ThinkSec AS and NAI Labs, the Security Research Division of Network
> +.\" Associates, Inc.  under DARPA/SPAWAR contract N66001-01-C-8035
> +.\" ("CBOSS"), as part of the DARPA CHATS research program.
> +.\"
> +.\"
> +.\" Redistribution and use in source and binary forms, with or without
> +.\" modification, are permitted provided that the following conditions
> +.\" are met:
> +.\" 1. Redistributions of source code must retain the above copyright
> +.\"    notice, this list of conditions and the following disclaimer.
> +.\" 2. Redistributions in binary form must reproduce the above copyright
> +.\"    notice, this list of conditions and the following disclaimer in the
> +.\"    documentation and/or other materials provided with the distribution.
> +.\" 3. The name of the author may not be used to endorse or promote
> +.\"    products derived from this software without specific prior written
> +.\"    permission.
> +.\"
> +.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
> +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
> +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
> +.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
> +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
> +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
> +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
> +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
> +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
> +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
> +.\" SUCH DAMAGE.
> +.\"
> +.\" $FreeBSD$
> +.\"
> +.Dd January 21, 2002
> +.Dt PAM_OPIEACCESS 8
> +.Os
> +.Sh NAME
> +.Nm pam_opieaccess
> +.Nd OPIEAccess PAM module
> +.Sh SYNOPSIS
> +.Op Ar service-name
> +.Ar module-type
> +.Ar control-flag
> +.Pa pam_self
> +.Op Ar options
> +.Sh DESCRIPTION
> +The
> +.Nm 
> +module is used in conjunction with the
> +.Xr pam_opie 8
> +PAM module to ascertain that authentication can proceed by other means
> +(such as the
> +.Xr pam_unix 8
> +module) even if OPIE authentication failed.
> +To properly use this module,
> +.Xr pam_opie 8
> +should be marked
> +.Dq Li sufficient ,
> +and
> +.Nm
> +should be listed right below it and marked
> +.Dq Li requisite .
> +.Pp
> +The
> +.Nm
> +module provides functionality for only one PAM category:
> +authentication.
> +In terms of the
> +.Ar module-type
> +parameter, this is the
> +.Dq Li auth
> +feature.
> +It also provides null functions for the remaining module types.
> +.Ss OPIEAccess Authentication Module
> +The authentication component
> +.Pq Fn pam_sm_authenticate ,
> +returns
> +.Dv PAM_IGNORE
> +in two cases:
> +.Bl -enum
> +.It
> +The user does not have OPIE enabled.
> +.It
> +The user has OPIE enabled, and the remote host is listed as a trusted
> +host in
> +.Pa /etc/opieaccess ,
> +and the user does not have a file named
> +.Pa opiealways
> +in his home directory.
> +.El
> +.Pp
> +Otherwise, it returns
> +.Dv PAM_AUTH_ERR .
> +.Pp
> +The following options may be passed to the authentication module:
> +.Bl -tag -width ".Cm no_warn"
> +.It Cm debug
> +.Xr syslog 3
> +debugging information at
> +.Dv LOG_DEBUG
> +level.
> +.It Cm no_warn
> +suppress warning messages to the user.
> +These messages include reasons why the user's authentication attempt
> +was declined.
> +.El
> +.Sh SEE ALSO
> +.Xr opie 4 ,
> +.Xr opieaccess 5 ,
> +.Xr pam_opie 8 ,
> +.Xr pam.conf 5 ,
> +.Xr pam 8
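Review bot: the SYNOPSIS names the module `.Pa pam_self`, which looks carried over from another module's page; it should read `.Pa pam_opieaccess`, matching the `.Nm` declared above. Two further points: this is a new file whose accompanying C source carries only the 2002 Networks Associates copyright, yet the manual page header opens with "Copyright (c) 2001 Mark R V Murray", apparently copied from pam_opie.8, so confirm that attribution is intended; and the DESCRIPTION lists only PAM_IGNORE and PAM_AUTH_ERR as outcomes, while the module source in this patch also returns PAM_SERVICE_ERR when PAM_RHOST is unset, which should either be documented here or changed in the code.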
> Index: pam_opieaccess/pam_opieaccess.c
> ===================================================================
> RCS file: pam_opieaccess/pam_opieaccess.c
> diff -N pam_opieaccess/pam_opieaccess.c
> --- /dev/null	1 Jan 1970 00:00:00 -0000
> +++ pam_opieaccess/pam_opieaccess.c	21 Jan 2002 12:59:31 -0000
> @@ -0,0 +1,153 @@
> +/*-
> + * Copyright (c) 2002 Networks Associates Technologies, Inc.
> + * All rights reserved.
> + *
> + * This software was developed for the FreeBSD Project by ThinkSec AS and
> + * NAI Labs, the Security Research Division of Network Associates, Inc.
> + * under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
> + * DARPA CHATS research program.
> + *
> + * Redistribution and use in source and binary forms, with or without
> + * modification, are permitted provided that the following conditions
> + * are met:
> + * 1. Redistributions of source code must retain the above copyright
> + *    notice, this list of conditions and the following disclaimer.
> + * 2. Redistributions in binary form must reproduce the above copyright
> + *    notice, this list of conditions and the following disclaimer in the
> + *    documentation and/or other materials provided with the distribution.
> + * 3. The name of the author may not be used to endorse or promote
> + *    products derived from this software without specific prior written
> + *    permission.
> + *
> + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
> + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
> + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
> + * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
> + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
> + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
> + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
> + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
> + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
> + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
> + * SUCH DAMAGE.
> + *
> + * $FreeBSD$
> + */
> +
> +#include <sys/cdefs.h>
> +__FBSDID("$FreeBSD$");
> +
> +#define _BSD_SOURCE
> +
> +#include <opie.h>
> +#include <pwd.h>
> +#include <unistd.h>
> +#include <syslog.h>
> +
> +#define PAM_SM_AUTH
> +#define PAM_SM_ACCOUNT
> +#define PAM_SM_SESSION
> +#define PAM_SM_PASSWORD
> +
> +#include <security/pam_modules.h>
> +#include <pam_mod_misc.h>
> +
> +PAM_EXTERN int
> +pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv)
> +{
> +	struct options options;
> +	struct passwd *pwent;
> +	char *luser, *rhost;
> +	int r;
> +
> +	pam_std_option(&options, NULL, argc, argv);
> +
> +	PAM_LOG("Options processed");
> +
> +	r = pam_get_item(pamh, PAM_USER, (const void **)&luser);
> +	if (r != PAM_SUCCESS)
> +		PAM_RETURN(r);
> +	if (luser == NULL)
> +		PAM_RETURN(PAM_SERVICE_ERR);
> +
> +	if ((pwent = getpwnam(luser)) == NULL)
> +		PAM_RETURN(PAM_USER_UNKNOWN);
> +
> +	if (opie_haskey(luser) != 0)
> +		PAM_RETURN(PAM_IGNORE);
> +	
> +	r = pam_get_item(pamh, PAM_RHOST, (const void **)&rhost);
> +	if (r != PAM_SUCCESS)
> +		PAM_RETURN(r);
> +	if (rhost == NULL)
> +		PAM_RETURN(PAM_SERVICE_ERR);
> +	
> +	if (opieaccessfile(rhost) && opiealways(pwent->pw_dir) != 0)
> +		PAM_RETURN(PAM_IGNORE);
> +	
> +	PAM_VERBOSE_ERROR("Refused; remote host is not in opieaccess");
> +
> +	PAM_RETURN(PAM_AUTH_ERR);
> +}
> +
> +PAM_EXTERN int
> +pam_sm_setcred(pam_handle_t *pamh, int flags, int argc, const char **argv)
> +{
> +	struct options options;
> +
> +	pam_std_option(&options, NULL, argc, argv);
> +
> +	PAM_LOG("Options processed");
> +
> +	PAM_RETURN(PAM_SUCCESS);
> +}
> +
> +PAM_EXTERN int
> +pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, int argc ,const char **argv)
> +{
> +	struct options options;
> +
> +	pam_std_option(&options, NULL, argc, argv);
> +
> +	PAM_LOG("Options processed");
> +
> +	PAM_RETURN(PAM_IGNORE);
> +}
> +
> +PAM_EXTERN int
> +pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, const char **argv)
> +{
> +	struct options options;
> +
> +	pam_std_option(&options, NULL, argc, argv);
> +
> +	PAM_LOG("Options processed");
> +
> +	PAM_RETURN(PAM_IGNORE);
> +}
> +
> +PAM_EXTERN int
> +pam_sm_open_session(pam_handle_t *pamh, int flags, int argc, const char **argv)
> +{
> +	struct options options;
> +
> +	pam_std_option(&options, NULL, argc, argv);
> +
> +	PAM_LOG("Options processed");
> +
> +	PAM_RETURN(PAM_IGNORE);
> +}
> +
> +PAM_EXTERN int
> +pam_sm_close_session(pam_handle_t *pamh, int flags, int argc, const char **argv)
> +{
> +	struct options options;
> +
> +	pam_std_option(&options, NULL, argc, argv);
> +
> +	PAM_LOG("Options processed");
> +
> +	PAM_RETURN(PAM_IGNORE);
> +}
> +
> +PAM_MODULE_ENTRY("pam_opieaccess");
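Review bot: when PAM_RHOST is unset, which is the usual case for console and other local logins, pam_sm_authenticate returns PAM_SERVICE_ERR before opieaccess is ever consulted; with the module marked requisite as the manual page recommends, that denies every local login by a user who has an OPIE key but did not authenticate with it. Decide whether a missing rhost should be treated as a local connection when calling opieaccessfile(), or answered with PAM_IGNORE, and document the choice. Two smaller points: `if ((pwent = getpwnam(luser)) == NULL)` embeds an assignment in the condition, which style(9) asks to be split into a separate statement (the one Mark mentions above); and `PAM_VERBOSE_ERROR("Refused; remote host is not in opieaccess")` is also reached when the host is trusted but the user's opiealways file forced OPIE, so in that branch the message misstates the reason for the refusal.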
-- 
o       Mark Murray
\_      FreeBSD Services Limited
O.\_    Warning: this .sig is umop ap!sdn
