/*
+ *
* Copyright (c) 1990,1993 Regents of The University of Michigan.
* Copyright (c) 1999 Adrian Sun (asun@u.washington.edu)
* All Rights Reserved. See COPYRIGHT.
#ifdef HAVE_CONFIG_H
#include "config.h"
-#endif
+#endif /* HAVE_CONFIG_H */
-#ifdef USE_PAM
#include <stdio.h>
#include <stdlib.h>
+#ifdef HAVE_UNISTD_H
#include <unistd.h>
+#endif /* HAVE_UNISTD_H */
#include <string.h>
-#include <syslog.h>
-
+#ifdef HAVE_SECURITY_PAM_APPL_H
#include <security/pam_appl.h>
+#endif
+#ifdef HAVE_PAM_PAM_APPL_H
+#include <pam/pam_appl.h>
+#endif
+#include <arpa/inet.h>
#include <atalk/afp.h>
#include <atalk/uam.h>
+#include <atalk/util.h>
+#include <atalk/logger.h>
+#include <atalk/compat.h>
#define PASSWDLEN 8
+#ifndef MIN
+#define MIN(a,b) ((a) < (b) ? (a) : (b))
+#endif /* MIN */
+
+
/* Static variables used to communicate between the conversation function
* and the server_login function
*/
static pam_handle_t *pamh = NULL;
-static char *hostname;
+static const char *hostname;
static char *PAM_username;
static char *PAM_password;
+/*XXX in etc/papd/file.h */
+struct papfile;
+extern UAM_MODULE_EXPORT void append(struct papfile *, const char *, int);
+
/* PAM conversation function
* Here we assume (for now, at least) that echo on means login name, and
* echo off means password.
*/
static int PAM_conv (int num_msg,
+#ifdef LINUX
const struct pam_message **msg,
+#else
+ struct pam_message **msg,
+#endif
struct pam_response **resp,
- void *appdata_ptr)
+ void *appdata_ptr _U_)
{
struct pam_response *reply;
int count;
case PAM_TEXT_INFO:
#ifdef PAM_BINARY_PROMPT
case PAM_BINARY_PROMPT:
-#endif
+#endif /* PAM_BINARY_PROMPT */
/* ignore it... */
break;
case PAM_ERROR_MSG:
NULL
};
-
-/* cleartxt login */
-static int pam_login(void *obj, struct passwd **uam_pwd,
- char *ibuf, int ibuflen,
- char *rbuf, int *rbuflen)
+static int login(void *obj, char *username, int ulen, struct passwd **uam_pwd,
+ char *ibuf, size_t ibuflen _U_,
+ char *rbuf _U_, size_t *rbuflen _U_)
{
struct passwd *pwd;
- char *username;
- int err, len, ulen, PAM_error;
-
- *rbuflen = 0;
-
- if (uam_afpserver_option(obj, UAM_OPTION_USERNAME,
- (void *) &username, &ulen) < 0)
- return AFPERR_MISC;
+ int err, PAM_error;
- if (uam_afpserver_option(obj, UAM_OPTION_HOSTNAME,
+ if (uam_afpserver_option(obj, UAM_OPTION_CLIENTNAME,
(void *) &hostname, NULL) < 0)
- return AFPERR_MISC;
-
- len = (unsigned char) *ibuf++;
- if ( len > ulen ) {
- return( AFPERR_PARAM );
+ {
+ LOG(log_info, logtype_uams, "uams_pam.c :PAM: unable to retrieve client hostname");
+ hostname = NULL;
}
-
- memcpy(username, ibuf, len );
- ibuf += len;
- username[ len ] = '\0';
- if ((unsigned long) ibuf & 1) /* pad character */
- ++ibuf;
+
ibuf[ PASSWDLEN ] = '\0';
- if (( pwd = uam_getname(username, ulen)) == NULL ) {
- return AFPERR_PARAM;
+ if (( pwd = uam_getname(obj, username, ulen)) == NULL ) {
+ return AFPERR_NOTAUTH;
}
- syslog(LOG_INFO, "cleartext login: %s", username);
+ LOG(log_info, logtype_uams, "cleartext login: %s", username);
PAM_username = username;
PAM_password = ibuf; /* Set these things up for the conv function */
PAM_error = pam_acct_mgmt(pamh, 0);
if (PAM_error != PAM_SUCCESS) {
- if (PAM_error == PAM_ACCT_EXPIRED)
+ if (PAM_error == PAM_NEW_AUTHTOK_REQD) /* Password change required */
err = AFPERR_PWDEXPR;
#ifdef PAM_AUTHTOKEN_REQD
else if (PAM_error == PAM_AUTHTOKEN_REQD)
err = AFPERR_PWDCHNG;
-#endif
- goto login_err;
+#endif /* PAM_AUTHTOKEN_REQD */
+ else
+ goto login_err;
}
#ifndef PAM_CRED_ESTABLISH
#define PAM_CRED_ESTABLISH PAM_ESTABLISH_CRED
-#endif
+#endif /* PAM_CRED_ESTABLISH */
PAM_error = pam_setcred(pamh, PAM_CRED_ESTABLISH);
if (PAM_error != PAM_SUCCESS)
goto login_err;
goto login_err;
*uam_pwd = pwd;
+
+ if (err == AFPERR_PWDEXPR)
+ return err;
+
return AFP_OK;
login_err:
return err;
}
+/* --------------------------
+ cleartxt login
+*/
+static int pam_login(void *obj, struct passwd **uam_pwd,
+ char *ibuf, size_t ibuflen,
+ char *rbuf, size_t *rbuflen)
+{
+ char *username;
+ size_t len, ulen;
+
+ *rbuflen = 0;
+
+ if (uam_afpserver_option(obj, UAM_OPTION_USERNAME, (void *) &username, &ulen) < 0) {
+ return AFPERR_MISC;
+ }
+
+ len = (unsigned char) *ibuf++;
+ if ( len > ulen ) {
+ return( AFPERR_PARAM );
+ }
+
+ memcpy(username, ibuf, len );
+ ibuf += len;
+
+ username[ len ] = '\0';
+
+ if ((unsigned long) ibuf & 1) /* pad character */
+ ++ibuf;
+ return (login(obj, username, ulen, uam_pwd, ibuf, ibuflen, rbuf, rbuflen));
+}
+
+/* ----------------------------- */
+static int pam_login_ext(void *obj, char *uname, struct passwd **uam_pwd,
+ char *ibuf, size_t ibuflen,
+ char *rbuf, size_t *rbuflen)
+{
+ char *username;
+ size_t len, ulen;
+ uint16_t temp16;
+
+ *rbuflen = 0;
+
+ if (uam_afpserver_option(obj, UAM_OPTION_USERNAME, (void *) &username, &ulen) < 0)
+ return AFPERR_MISC;
+
+ if (*uname != 3)
+ return AFPERR_PARAM;
+ uname++;
+ memcpy(&temp16, uname, sizeof(temp16));
+ len = ntohs(temp16);
+
+ if (!len || len > ulen ) {
+ return( AFPERR_PARAM );
+ }
+ memcpy(username, uname +2, len );
+ username[ len ] = '\0';
+
+ return (login(obj, username, ulen, uam_pwd, ibuf, ibuflen, rbuf, rbuflen));
+}
+
/* logout */
-static void pam_logout() {
+static void pam_logout(void) {
pam_close_session(pamh, 0);
pam_end(pamh, 0);
pamh = NULL;
}
/* change passwd */
-static int pam_changepw(void *obj, char *username,
- struct passwd *pwd, char *ibuf, int ibuflen,
- char *rbuf, int *rbuflen)
+static int pam_changepw(void *obj _U_, char *username,
+ struct passwd *pwd _U_, char *ibuf, size_t ibuflen _U_,
+ char *rbuf _U_, size_t *rbuflen _U_)
{
char pw[PASSWDLEN + 1];
pam_handle_t *lpamh;
/* Printer ClearTxtUAM login */
-int pam_printer(start, stop, username, out)
- char *start, *stop, *username;
- struct papfile *out;
+static int pam_printer(char *start, char *stop, char *username, struct papfile *out)
{
int PAM_error;
char *data, *p, *q;
char password[PASSWDLEN + 1] = "\0";
static const char *loginok = "0\r";
+ struct passwd *pwd;
data = (char *)malloc(stop - start + 1);
- strncpy(data, start, stop - start + 1);
+ if (!data) {
+ LOG(log_info, logtype_uams,"Bad Login ClearTxtUAM: malloc");
+ return(-1);
+ }
+
+ strlcpy(data, start, stop - start + 1);
/* We are looking for the following format in data:
* (username) (password)
/* Parse input for username in () */
if ((p = strchr(data, '(' )) == NULL) {
- syslog(LOG_INFO,"Bad Login ClearTxtUAM: username not found in string");
+ LOG(log_info, logtype_uams,"Bad Login ClearTxtUAM: username not found in string");
free(data);
return(-1);
}
p++;
- if ((q = strstr(data, ") (" )) == NULL) {
- syslog(LOG_INFO,"Bad Login ClearTxtUAM: username not found in string");
+ if ((q = strstr(p, ") (" )) == NULL) {
+ LOG(log_info, logtype_uams,"Bad Login ClearTxtUAM: username not found in string");
free(data);
return(-1);
}
- strncpy(username, p, q - p);
+ memcpy(username, p, MIN(UAM_USERNAMELEN, q - p) );
/* Parse input for password in next () */
p = q + 3;
- if ((q = strrchr(data, ')' )) == NULL) {
- syslog(LOG_INFO,"Bad Login ClearTxtUAM: password not found in string");
+ if ((q = strrchr(p, ')' )) == NULL) {
+ LOG(log_info, logtype_uams,"Bad Login ClearTxtUAM: password not found in string");
free(data);
return(-1);
}
- strncpy(password, p, q - p);
+ memcpy(password, p, MIN(PASSWDLEN, (q - p)) );
/* Done copying username and password, clean up */
free(data);
+ if (( pwd = uam_getname(NULL, username, strlen(username))) == NULL ) {
+ LOG(log_info, logtype_uams, "Bad Login ClearTxtUAM: ( %s ) not found ",
+ username);
+ return(-1);
+ }
+
+ if (uam_checkuser(pwd) < 0) {
+ /* syslog of error happens in uam_checkuser */
+ return(-1);
+ }
+
PAM_username = username;
PAM_password = password;
PAM_error = pam_start("netatalk", username, &PAM_conversation,
&pamh);
if (PAM_error != PAM_SUCCESS) {
- syslog(LOG_INFO, "Bad Login ClearTxtUAM: %s: %s",
+ LOG(log_info, logtype_uams, "Bad Login ClearTxtUAM: %s: %s",
username, pam_strerror(pamh, PAM_error));
pam_end(pamh, PAM_error);
pamh = NULL;
pam_set_item(pamh, PAM_RHOST, hostname);
PAM_error = pam_authenticate(pamh,0);
if (PAM_error != PAM_SUCCESS) {
- syslog(LOG_INFO, "Bad Login ClearTxtUAM: %s: %s",
+ LOG(log_info, logtype_uams, "Bad Login ClearTxtUAM: %s: %s",
username, pam_strerror(pamh, PAM_error));
pam_end(pamh, PAM_error);
pamh = NULL;
PAM_error = pam_acct_mgmt(pamh, 0);
if (PAM_error != PAM_SUCCESS) {
- syslog(LOG_INFO, "Bad Login ClearTxtUAM: %s: %s",
+ LOG(log_info, logtype_uams, "Bad Login ClearTxtUAM: %s: %s",
username, pam_strerror(pamh, PAM_error));
pam_end(pamh, PAM_error);
pamh = NULL;
PAM_error = pam_open_session(pamh, 0);
if (PAM_error != PAM_SUCCESS) {
- syslog(LOG_INFO, "Bad Login ClearTxtUAM: %s: %s",
+ LOG(log_info, logtype_uams, "Bad Login ClearTxtUAM: %s: %s",
username, pam_strerror(pamh, PAM_error));
pam_end(pamh, PAM_error);
pamh = NULL;
/* Login successful, but no need to hang onto it,
so logout immediately */
append(out, loginok, strlen(loginok));
- syslog(LOG_INFO, "Login ClearTxtUAM: %s", username);
+ LOG(log_info, logtype_uams, "Login ClearTxtUAM: %s", username);
pam_close_session(pamh, 0);
pam_end(pamh, 0);
pamh = NULL;
static int uam_setup(const char *path)
{
- if (uam_register(UAM_SERVER_LOGIN, path, "Cleartxt Passwrd",
- pam_login, NULL, pam_logout) < 0)
+ if (uam_register(UAM_SERVER_LOGIN_EXT, path, "Cleartxt Passwrd",
+ pam_login, NULL, pam_logout, pam_login_ext) < 0)
return -1;
if (uam_register(UAM_SERVER_CHANGEPW, path, "Cleartxt Passwrd",
uam_setup, uam_cleanup
};
-#endif /* USE_PAM */
+UAM_MODULE_EXPORT struct uam_export uams_pam = {
+ UAM_MODULE_SERVER,
+ UAM_MODULE_VERSION,
+ uam_setup, uam_cleanup
+};