2 * SPDX-License-Identifier: BSD-3-Clause
4 * Copyright 1998 Juniper Networks, Inc.
6 * Copyright (c) 2001-2003 Networks Associates Technology, Inc.
9 * Portions of this software were developed for the FreeBSD Project by
10 * ThinkSec AS and NAI Labs, the Security Research Division of Network
11 * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035
12 * ("CBOSS"), as part of the DARPA CHATS research program.
14 * Redistribution and use in source and binary forms, with or without
15 * modification, are permitted provided that the following conditions
17 * 1. Redistributions of source code must retain the above copyright
18 * notice, this list of conditions and the following disclaimer.
19 * 2. Redistributions in binary form must reproduce the above copyright
20 * notice, this list of conditions and the following disclaimer in the
21 * documentation and/or other materials provided with the distribution.
22 * 3. The name of the author may not be used to endorse or promote
23 * products derived from this software without specific prior written
26 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
27 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
28 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
29 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
30 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
31 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
32 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
33 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
34 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
35 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
38 * $FreeBSD: head/lib/libpam/modules/pam_tacplus/pam_tacplus.c 326219 2017-11-26 02:00:33Z pfg $
41 #include <sys/param.h>
52 #include <security/pam_appl.h>
53 #include <security/pam_modules.h>
54 #include <security/pam_mod_misc.h>
56 #define PAM_OPT_CONF "conf"
57 #define PAM_OPT_TEMPLATE_USER "template_user"
59 typedef int (*set_func
)(struct tac_handle
*, const char *);
61 static int do_item(pam_handle_t
*, struct tac_handle
*, int,
62 set_func
, const char *);
63 static char *get_msg(struct tac_handle
*);
64 static int set_msg(struct tac_handle
*, const char *);
67 do_item(pam_handle_t
*pamh
, struct tac_handle
*tach
, int item
,
68 set_func func
, const char *funcname
)
73 retval
= pam_get_item(pamh
, item
, &value
);
74 if (retval
!= PAM_SUCCESS
)
76 if (value
!= NULL
&& (*func
)(tach
, (const char *)value
) == -1) {
77 syslog(LOG_CRIT
, "%s: %s", funcname
, tac_strerror(tach
));
79 return PAM_SERVICE_ERR
;
85 get_msg(struct tac_handle
*tach
)
89 msg
= tac_get_msg(tach
);
91 syslog(LOG_CRIT
, "tac_get_msg: %s", tac_strerror(tach
));
99 set_msg(struct tac_handle
*tach
, const char *msg
)
101 if (tac_set_msg(tach
, msg
) == -1) {
102 syslog(LOG_CRIT
, "tac_set_msg: %s", tac_strerror(tach
));
110 pam_sm_authenticate(pam_handle_t
*pamh
, int flags __unused
,
111 int argc __unused
, const char *argv
[] __unused
)
114 struct tac_handle
*tach
;
115 const char *conf_file
, *template_user
;
117 conf_file
= openpam_get_option(pamh
, PAM_OPT_CONF
);
118 template_user
= openpam_get_option(pamh
, PAM_OPT_TEMPLATE_USER
);
122 syslog(LOG_CRIT
, "tac_open failed");
123 return (PAM_SERVICE_ERR
);
125 if (tac_config(tach
, conf_file
) == -1) {
126 syslog(LOG_ALERT
, "tac_config: %s", tac_strerror(tach
));
128 return (PAM_SERVICE_ERR
);
130 if (tac_create_authen(tach
, TAC_AUTHEN_LOGIN
, TAC_AUTHEN_TYPE_ASCII
,
131 TAC_AUTHEN_SVC_LOGIN
) == -1) {
132 syslog(LOG_CRIT
, "tac_create_authen: %s", tac_strerror(tach
));
134 return (PAM_SERVICE_ERR
);
137 PAM_LOG("Done tac_open() ... tac_close()");
139 retval
= do_item(pamh
, tach
, PAM_USER
, tac_set_user
, "tac_set_user");
140 if (retval
!= PAM_SUCCESS
)
143 PAM_LOG("Done user");
145 retval
= do_item(pamh
, tach
, PAM_TTY
, tac_set_port
, "tac_set_port");
146 if (retval
!= PAM_SUCCESS
)
151 retval
= do_item(pamh
, tach
, PAM_RHOST
, tac_set_rem_addr
,
153 if (retval
!= PAM_SUCCESS
)
159 const char *user_msg
;
164 sflags
= tac_send_authen(tach
);
166 syslog(LOG_CRIT
, "tac_send_authen: %s",
169 return (PAM_AUTHINFO_UNAVAIL
);
171 status
= TAC_AUTHEN_STATUS(sflags
);
172 openpam_set_option(pamh
, PAM_OPT_ECHO_PASS
,
173 TAC_AUTHEN_NOECHO(sflags
) ? NULL
: "");
176 case TAC_AUTHEN_STATUS_PASS
:
178 if (template_user
!= NULL
) {
182 PAM_LOG("Trying template user: %s",
186 * If the given user name doesn't exist in
187 * the local password database, change it
188 * to the value given in the "template_user"
191 retval
= pam_get_item(pamh
, PAM_USER
, &item
);
192 if (retval
!= PAM_SUCCESS
)
194 user
= (const char *)item
;
195 if (getpwnam(user
) == NULL
) {
196 pam_set_item(pamh
, PAM_USER
,
198 PAM_LOG("Using template user");
201 return (PAM_SUCCESS
);
203 case TAC_AUTHEN_STATUS_FAIL
:
205 PAM_VERBOSE_ERROR("TACACS+ authentication failed");
206 return (PAM_AUTH_ERR
);
208 case TAC_AUTHEN_STATUS_GETUSER
:
209 case TAC_AUTHEN_STATUS_GETPASS
:
210 if ((srvr_msg
= get_msg(tach
)) == NULL
)
211 return (PAM_SERVICE_ERR
);
212 if (status
== TAC_AUTHEN_STATUS_GETUSER
)
213 retval
= pam_get_user(pamh
, &user_msg
,
214 *srvr_msg
? srvr_msg
: NULL
);
215 else if (status
== TAC_AUTHEN_STATUS_GETPASS
)
216 retval
= pam_get_authtok(pamh
,
217 PAM_AUTHTOK
, &user_msg
,
218 *srvr_msg
? srvr_msg
: "Password:");
220 if (retval
!= PAM_SUCCESS
) {
221 /* XXX - send a TACACS+ abort packet */
225 if (set_msg(tach
, user_msg
) == -1)
226 return (PAM_SERVICE_ERR
);
229 case TAC_AUTHEN_STATUS_GETDATA
:
230 if ((srvr_msg
= get_msg(tach
)) == NULL
)
231 return (PAM_SERVICE_ERR
);
232 retval
= pam_prompt(pamh
,
233 openpam_get_option(pamh
, PAM_OPT_ECHO_PASS
) ?
234 PAM_PROMPT_ECHO_ON
: PAM_PROMPT_ECHO_OFF
,
235 &data_msg
, "%s", *srvr_msg
? srvr_msg
: "Data:");
237 if (retval
!= PAM_SUCCESS
) {
238 /* XXX - send a TACACS+ abort packet */
242 retval
= set_msg(tach
, data_msg
);
243 memset(data_msg
, 0, strlen(data_msg
));
246 return (PAM_SERVICE_ERR
);
249 case TAC_AUTHEN_STATUS_ERROR
:
250 srvr_msg
= (char *)tac_get_data(tach
, &msg_len
);
251 if (srvr_msg
!= NULL
&& msg_len
!= 0) {
252 syslog(LOG_CRIT
, "tac_send_authen:"
253 " server detected error: %s", srvr_msg
);
258 "tac_send_authen: server detected error");
260 return (PAM_AUTHINFO_UNAVAIL
);
263 case TAC_AUTHEN_STATUS_RESTART
:
264 case TAC_AUTHEN_STATUS_FOLLOW
:
267 "tac_send_authen: unexpected status %#x", status
);
269 return (PAM_AUTHINFO_UNAVAIL
);
275 pam_sm_setcred(pam_handle_t
*pamh __unused
, int flags __unused
,
276 int argc __unused
, const char *argv
[] __unused
)
282 PAM_MODULE_ENTRY("pam_tacplus");