release/src/router/dropbear/svr-authpam.c

   1 /*
   2  * Dropbear SSH
   3  *
   4  * Copyright (c) 2004 Martin Carlsson
   5  * Portions (c) 2004 Matt Johnston
   6  * All rights reserved.
   7  *
   8  * Permission is hereby granted, free of charge, to any person obtaining a copy
   9  * of this software and associated documentation files (the "Software"), to deal
  10  * in the Software without restriction, including without limitation the rights
  11  * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
  12  * copies of the Software, and to permit persons to whom the Software is
  13  * furnished to do so, subject to the following conditions:
  14  *
  15  * The above copyright notice and this permission notice shall be included in
  16  * all copies or substantial portions of the Software.
  17  *
  18  * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
  19  * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
  20  * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
  21  * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
  22  * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
  23  * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
  24  * SOFTWARE. */
  25
  26 /* Validates a user password using PAM */
  27
  28 #include "includes.h"
  29 #include "session.h"
  30 #include "buffer.h"
  31 #include "dbutil.h"
  32 #include "auth.h"
  33
  34 #ifdef ENABLE_SVR_PAM_AUTH
  35
  36 #if defined(HAVE_SECURITY_PAM_APPL_H)
  37 #include <security/pam_appl.h>
  38 #elif defined (HAVE_PAM_PAM_APPL_H)
  39 #include <pam/pam_appl.h>
  40 #endif
  41
  42 struct UserDataS {
  43         char* user;
  44         char* passwd;
  45 };
  46
  47 /* PAM conversation function - for now we only handle one message */
  48 int
  49 pamConvFunc(int num_msg,
  50                 const struct pam_message **msg,
  51                 struct pam_response **respp,
  52                 void *appdata_ptr) {
  53
  54         int rc = PAM_SUCCESS;
  55         struct pam_response* resp = NULL;
  56         struct UserDataS* userDatap = (struct UserDataS*) appdata_ptr;
  57         unsigned int msg_len = 0;
  58         unsigned int i = 0;
  59         char * compare_message = NULL;
  60
  61         TRACE(("enter pamConvFunc"))
  62
  63         if (num_msg != 1) {
  64                 /* If you're getting here - Dropbear probably can't support your pam
  65                  * modules. This whole file is a bit of a hack around lack of
  66                  * asynchronocity in PAM anyway. */
  67                 dropbear_log(LOG_INFO, "pamConvFunc() called with >1 messages: not supported.");
  68                 return PAM_CONV_ERR;
  69         }
  70
  71         /* make a copy we can strip */
  72         compare_message = m_strdup((*msg)->msg);
  73
  74         /* Make the string lowercase. */
  75         msg_len = strlen(compare_message);
  76         for (i = 0; i < msg_len; i++) {
  77                 compare_message[i] = tolower(compare_message[i]);
  78         }
  79
  80         /* If the string ends with ": ", remove the space.
  81            ie "login: " vs "login:" */
  82         if (msg_len > 2
  83                         && compare_message[msg_len-2] == ':'
  84                         && compare_message[msg_len-1] == ' ') {
  85                 compare_message[msg_len-1] = '\0';
  86         }
  87
  88         switch((*msg)->msg_style) {
  89
  90                 case PAM_PROMPT_ECHO_OFF:
  91
  92                         if (!(strcmp(compare_message, "password:") == 0)) {
  93                                 /* We don't recognise the prompt as asking for a password,
  94                                    so can't handle it. Add more above as required for
  95                                    different pam modules/implementations. If you need
  96                                    to add an entry here please mail the Dropbear developer */
  97                                 dropbear_log(LOG_NOTICE, "PAM unknown prompt '%s' (no echo)",
  98                                                 compare_message);
  99                                 rc = PAM_CONV_ERR;
 100                                 break;
 101                         }
 102
 103                         /* You have to read the PAM module-writers' docs (do we look like
 104                          * module writers? no.) to find out that the module will
 105                          * free the pam_response and its resp element - ie we _must_ malloc
 106                          * it here */
 107                         resp = (struct pam_response*) m_malloc(sizeof(struct pam_response));
 108                         memset(resp, 0, sizeof(struct pam_response));
 109
 110                         resp->resp = m_strdup(userDatap->passwd);
 111                         m_burn(userDatap->passwd, strlen(userDatap->passwd));
 112                         (*respp) = resp;
 113                         break;
 114
 115
 116                 case PAM_PROMPT_ECHO_ON:
 117
 118                         if (!(
 119                                 (strcmp(compare_message, "login:" ) == 0)
 120                                 || (strcmp(compare_message, "please enter username:") == 0)
 121                                 || (strcmp(compare_message, "username:") == 0)
 122                                 )) {
 123                                 /* We don't recognise the prompt as asking for a username,
 124                                    so can't handle it. Add more above as required for
 125                                    different pam modules/implementations. If you need
 126                                    to add an entry here please mail the Dropbear developer */
 127                                 dropbear_log(LOG_NOTICE, "PAM unknown prompt '%s' (with echo)",
 128                                                 compare_message);
 129                                 rc = PAM_CONV_ERR;
 130                                 break;
 131                         }
 132
 133                         /* You have to read the PAM module-writers' docs (do we look like
 134                          * module writers? no.) to find out that the module will
 135                          * free the pam_response and its resp element - ie we _must_ malloc
 136                          * it here */
 137                         resp = (struct pam_response*) m_malloc(sizeof(struct pam_response));
 138                         memset(resp, 0, sizeof(struct pam_response));
 139
 140                         resp->resp = m_strdup(userDatap->user);
 141                         TRACE(("userDatap->user='%s'", userDatap->user))
 142                         (*respp) = resp;
 143                         break;
 144
 145                 default:
 146                         TRACE(("Unknown message type"))
 147                         rc = PAM_CONV_ERR;
 148                         break;
 149         }
 150
 151         m_free(compare_message);
 152         TRACE(("leave pamConvFunc, rc %d", rc))
 153
 154         return rc;
 155 }
 156
 157 /* Process a password auth request, sending success or failure messages as
 158  * appropriate. To the client it looks like it's doing normal password auth (as
 159  * opposed to keyboard-interactive or something), so the pam module has to be
 160  * fairly standard (ie just "what's your username, what's your password, OK").
 161  *
 162  * Keyboard interactive would be a lot nicer, but since PAM is synchronous, it
 163  * gets very messy trying to send the interactive challenges, and read the
 164  * interactive responses, over the network. */
 165 void svr_auth_pam() {
 166
 167         struct UserDataS userData = {NULL, NULL};
 168         struct pam_conv pamConv = {
 169                 pamConvFunc,
 170                 &userData /* submitted to pamvConvFunc as appdata_ptr */
 171         };
 172
 173         pam_handle_t* pamHandlep = NULL;
 174
 175         unsigned char * password = NULL;
 176         unsigned int passwordlen;
 177
 178         int rc = PAM_SUCCESS;
 179         unsigned char changepw;
 180
 181         /* check if client wants to change password */
 182         changepw = buf_getbool(ses.payload);
 183         if (changepw) {
 184                 /* not implemented by this server */
 185                 send_msg_userauth_failure(0, 1);
 186                 goto cleanup;
 187         }
 188
 189         password = buf_getstring(ses.payload, &passwordlen);
 190
 191         /* used to pass data to the PAM conversation function - don't bother with
 192          * strdup() etc since these are touched only by our own conversation
 193          * function (above) which takes care of it */
 194         userData.user = ses.authstate.pw_name;
 195         userData.passwd = password;
 196
 197         /* Init pam */
 198         if ((rc = pam_start("sshd", NULL, &pamConv, &pamHandlep)) != PAM_SUCCESS) {
 199                 dropbear_log(LOG_WARNING, "pam_start() failed, rc=%d, %s\n",
 200                                 rc, pam_strerror(pamHandlep, rc));
 201                 goto cleanup;
 202         }
 203
 204         /* just to set it to something */
 205         if ((rc = pam_set_item(pamHandlep, PAM_TTY, "ssh") != PAM_SUCCESS)) {
 206                 dropbear_log(LOG_WARNING, "pam_set_item() failed, rc=%d, %s\n",
 207                                 rc, pam_strerror(pamHandlep, rc));
 208                 goto cleanup;
 209         }
 210
 211 #ifdef HAVE_PAM_FAIL_DELAY
 212         /* We have our own random delay code already, disable PAM's */
 213         (void) pam_fail_delay(pamHandlep, 0 /* musec_delay */);
 214 #endif
 215
 216         /* (void) pam_set_item(pamHandlep, PAM_FAIL_DELAY, (void*) pamDelayFunc); */
 217
 218         if ((rc = pam_authenticate(pamHandlep, 0)) != PAM_SUCCESS) {
 219                 dropbear_log(LOG_WARNING, "pam_authenticate() failed, rc=%d, %s\n",
 220                                 rc, pam_strerror(pamHandlep, rc));
 221                 dropbear_log(LOG_WARNING,
 222                                 "Bad PAM password attempt for '%s' from %s",
 223                                 ses.authstate.pw_name,
 224                                 svr_ses.addrstring);
 225                 send_msg_userauth_failure(0, 1);
 226                 goto cleanup;
 227         }
 228
 229         if ((rc = pam_acct_mgmt(pamHandlep, 0)) != PAM_SUCCESS) {
 230                 dropbear_log(LOG_WARNING, "pam_acct_mgmt() failed, rc=%d, %s\n",
 231                                 rc, pam_strerror(pamHandlep, rc));
 232                 dropbear_log(LOG_WARNING,
 233                                 "Bad PAM password attempt for '%s' from %s",
 234                                 ses.authstate.pw_name,
 235                                 svr_ses.addrstring);
 236                 send_msg_userauth_failure(0, 1);
 237                 goto cleanup;
 238         }
 239
 240         /* successful authentication */
 241         dropbear_log(LOG_NOTICE, "PAM password auth succeeded for '%s' from %s",
 242                         ses.authstate.pw_name,
 243                         svr_ses.addrstring);
 244         send_msg_userauth_success();
 245
 246 cleanup:
 247         if (password != NULL) {
 248                 m_burn(password, passwordlen);
 249                 m_free(password);
 250         }
 251         if (pamHandlep != NULL) {
 252                 TRACE(("pam_end"))
 253                 (void) pam_end(pamHandlep, 0 /* pam_status */);
 254         }
 255 }
 256
 257 #endif /* ENABLE_SVR_PAM_AUTH */