diff options
author | Alberto Gonzalez Iniesta <agi@inittab.org> | 2012-11-05 16:28:10 +0100 |
---|---|---|
committer | Alberto Gonzalez Iniesta <agi@inittab.org> | 2012-11-05 16:28:10 +0100 |
commit | d213c4e5576e2fd601679e0d7b2fb1262b807111 (patch) | |
tree | 5f0cc82bd0f11fb13b385417604d04c751245a92 /plugin/auth-pam | |
parent | 79c8d3ef7a938f86472e549ef64e1fb820dc80c4 (diff) | |
parent | 8dd0350e1607aa30f7a043c8d5ec7a7eeb874115 (diff) |
Merge tag 'upstream/2.3_rc1'
Upstream version 2.3_rc1
Diffstat (limited to 'plugin/auth-pam')
-rw-r--r-- | plugin/auth-pam/.svnignore | 1 | ||||
-rwxr-xr-x | plugin/auth-pam/Makefile | 30 | ||||
-rw-r--r-- | plugin/auth-pam/README | 74 | ||||
-rw-r--r-- | plugin/auth-pam/auth-pam.c | 797 | ||||
-rw-r--r-- | plugin/auth-pam/pamdl.c | 180 | ||||
-rw-r--r-- | plugin/auth-pam/pamdl.h | 7 |
6 files changed, 0 insertions, 1089 deletions
diff --git a/plugin/auth-pam/.svnignore b/plugin/auth-pam/.svnignore deleted file mode 100644 index 140f8cf..0000000 --- a/plugin/auth-pam/.svnignore +++ /dev/null @@ -1 +0,0 @@ -*.so diff --git a/plugin/auth-pam/Makefile b/plugin/auth-pam/Makefile deleted file mode 100755 index e69fe3f..0000000 --- a/plugin/auth-pam/Makefile +++ /dev/null @@ -1,30 +0,0 @@ -# -# Build the OpenVPN auth-pam plugin module. -# - -# If PAM modules are not linked against libpam.so, set DLOPEN_PAM to 1. This -# must be done on SUSE 9.1, at least. -DLOPEN_PAM=0 - -ifeq ($(DLOPEN_PAM),1) - LIBPAM=-ldl -else - LIBPAM=-lpam -endif - -# This directory is where we will look for openvpn-plugin.h -INCLUDE=-I../.. - -CC_FLAGS=-O2 -Wall -DDLOPEN_PAM=$(DLOPEN_PAM) - -openvpn-auth-pam.so : auth-pam.o pamdl.o - gcc ${CC_FLAGS} -fPIC -shared -Wl,-soname,openvpn-auth-pam.so -o openvpn-auth-pam.so auth-pam.o pamdl.o -lc $(LIBPAM) - -auth-pam.o : auth-pam.c pamdl.h - gcc ${CC_FLAGS} -fPIC -c ${INCLUDE} auth-pam.c - -pamdl.o : pamdl.c pamdl.h - gcc ${CC_FLAGS} -fPIC -c ${INCLUDE} pamdl.c - -clean : - rm -f *.o *.so diff --git a/plugin/auth-pam/README b/plugin/auth-pam/README deleted file mode 100644 index c957c02..0000000 --- a/plugin/auth-pam/README +++ /dev/null @@ -1,74 +0,0 @@ -openvpn-auth-pam - -SYNOPSIS - -The openvpn-auth-pam module implements username/password -authentication via PAM, and essentially allows any authentication -method supported by PAM (such as LDAP, RADIUS, or Linux Shadow -passwords) to be used with OpenVPN. While PAM supports -username/password authentication, this can be combined with X509 -certificates to provide two indepedent levels of authentication. - -This module uses a split privilege execution model which will -function even if you drop openvpn daemon privileges using the user, -group, or chroot directives. - -BUILD - -To build openvpn-auth-pam, you will need to have the pam-devel -package installed. - -Build with the "make" command. The module will be named -openvpn-auth-pam.so - -USAGE - -To use this plugin module, add to your OpenVPN config file: - - plugin openvpn-auth-pam.so service-type - -The required service-type parameter corresponds to -the PAM service definition file usually found -in /etc/pam.d. - -This plugin also supports the usage of a list of name/value -pairs to answer PAM module queries. - -For example: - - plugin openvpn-auth-pam.so "login login USERNAME password PASSWORD" - -tells auth-pam to (a) use the "login" PAM module, (b) answer a -"login" query with the username given by the OpenVPN client, and -(c) answer a "password" query with the password given by the -OpenVPN client. This provides flexibility in dealing with the different -types of query strings which different PAM modules might generate. -For example, suppose you were using a PAM module called -"test" which queried for "name" rather than "login": - - plugin openvpn-auth-pam.so "test name USERNAME password PASSWORD" - -While "USERNAME" and "PASSWORD" are special strings which substitute -to client-supplied values, it is also possible to name literal values -to use as PAM module query responses. For example, suppose that the -login module queried for a third parameter, "domain" which -is to be answered with the constant value "mydomain.com": - - plugin openvpn-auth-pam.so "login login USERNAME password PASSWORD domain mydomain.com" - -The following OpenVPN directives can also influence -the operation of this plugin: - - client-cert-not-required - username-as-common-name - -Run OpenVPN with --verb 7 or higher to get debugging output from -this plugin, including the list of queries presented by the -underlying PAM module. This is a useful debugging tool to figure -out which queries a given PAM module is making, so that you can -craft the appropriate plugin directive to answer it. - -CAVEATS - -This module will only work on *nix systems which support PAM, -not Windows. diff --git a/plugin/auth-pam/auth-pam.c b/plugin/auth-pam/auth-pam.c deleted file mode 100644 index 0454ee1..0000000 --- a/plugin/auth-pam/auth-pam.c +++ /dev/null @@ -1,797 +0,0 @@ -/* - * OpenVPN -- An application to securely tunnel IP networks - * over a single TCP/UDP port, with support for SSL/TLS-based - * session authentication and key exchange, - * packet encryption, packet authentication, and - * packet compression. - * - * Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <sales@openvpn.net> - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License version 2 - * as published by the Free Software Foundation. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program (see the file COPYING included with this - * distribution); if not, write to the Free Software Foundation, Inc., - * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA - */ - -/* - * OpenVPN plugin module to do PAM authentication using a split - * privilege model. - */ - -#if DLOPEN_PAM -#include <dlfcn.h> -#include "pamdl.h" -#else -#include <security/pam_appl.h> -#endif - -#include <stdio.h> -#include <string.h> -#include <ctype.h> -#include <unistd.h> -#include <stdlib.h> -#include <sys/types.h> -#include <sys/socket.h> -#include <sys/wait.h> -#include <fcntl.h> -#include <signal.h> -#include <syslog.h> - -#include "openvpn-plugin.h" - -#define DEBUG(verb) ((verb) >= 4) - -/* Command codes for foreground -> background communication */ -#define COMMAND_VERIFY 0 -#define COMMAND_EXIT 1 - -/* Response codes for background -> foreground communication */ -#define RESPONSE_INIT_SUCCEEDED 10 -#define RESPONSE_INIT_FAILED 11 -#define RESPONSE_VERIFY_SUCCEEDED 12 -#define RESPONSE_VERIFY_FAILED 13 - -/* - * Plugin state, used by foreground - */ -struct auth_pam_context -{ - /* Foreground's socket to background process */ - int foreground_fd; - - /* Process ID of background process */ - pid_t background_pid; - - /* Verbosity level of OpenVPN */ - int verb; -}; - -/* - * Name/Value pairs for conversation function. - * Special Values: - * - * "USERNAME" -- substitute client-supplied username - * "PASSWORD" -- substitute client-specified password - */ - -#define N_NAME_VALUE 16 - -struct name_value { - const char *name; - const char *value; -}; - -struct name_value_list { - int len; - struct name_value data[N_NAME_VALUE]; -}; - -/* - * Used to pass the username/password - * to the PAM conversation function. - */ -struct user_pass { - int verb; - - char username[128]; - char password[128]; - - const struct name_value_list *name_value_list; -}; - -/* Background process function */ -static void pam_server (int fd, const char *service, int verb, const struct name_value_list *name_value_list); - -/* Read 'tosearch', replace all occurences of 'searchfor' with 'replacewith' and return - * a pointer to the NEW string. Does not modify the input strings. Will not enter an - * infinite loop with clever 'searchfor' and 'replacewith' strings. - * Daniel Johnson - Progman2000@usa.net / djohnson@progman.us - */ -static char * -searchandreplace(const char *tosearch, const char *searchfor, const char *replacewith) -{ - const char *searching=tosearch; - char *scratch; - char temp[strlen(tosearch)*10]; - temp[0]=0; - - if (!tosearch || !searchfor || !replacewith) return 0; - if (!strlen(tosearch) || !strlen(searchfor) || !strlen(replacewith)) return 0; - - scratch = strstr(searching,searchfor); - if (!scratch) return strdup(tosearch); - - while (scratch) { - strncat(temp,searching,scratch-searching); - strcat(temp,replacewith); - - searching=scratch+strlen(searchfor); - scratch = strstr(searching,searchfor); - } - return strdup(temp); -} - -/* - * Given an environmental variable name, search - * the envp array for its value, returning it - * if found or NULL otherwise. - */ -static const char * -get_env (const char *name, const char *envp[]) -{ - if (envp) - { - int i; - const int namelen = strlen (name); - for (i = 0; envp[i]; ++i) - { - if (!strncmp (envp[i], name, namelen)) - { - const char *cp = envp[i] + namelen; - if (*cp == '=') - return cp + 1; - } - } - } - return NULL; -} - -/* - * Return the length of a string array - */ -static int -string_array_len (const char *array[]) -{ - int i = 0; - if (array) - { - while (array[i]) - ++i; - } - return i; -} - -/* - * Socket read/write functions. - */ - -static int -recv_control (int fd) -{ - unsigned char c; - const ssize_t size = read (fd, &c, sizeof (c)); - if (size == sizeof (c)) - return c; - else - { - /*fprintf (stderr, "AUTH-PAM: DEBUG recv_control.read=%d\n", (int)size);*/ - return -1; - } -} - -static int -send_control (int fd, int code) -{ - unsigned char c = (unsigned char) code; - const ssize_t size = write (fd, &c, sizeof (c)); - if (size == sizeof (c)) - return (int) size; - else - return -1; -} - -static int -recv_string (int fd, char *buffer, int len) -{ - if (len > 0) - { - ssize_t size; - memset (buffer, 0, len); - size = read (fd, buffer, len); - buffer[len-1] = 0; - if (size >= 1) - return (int)size; - } - return -1; -} - -static int -send_string (int fd, const char *string) -{ - const int len = strlen (string) + 1; - const ssize_t size = write (fd, string, len); - if (size == len) - return (int) size; - else - return -1; -} - -#ifdef DO_DAEMONIZE - -/* - * Daemonize if "daemon" env var is true. - * Preserve stderr across daemonization if - * "daemon_log_redirect" env var is true. - */ -static void -daemonize (const char *envp[]) -{ - const char *daemon_string = get_env ("daemon", envp); - if (daemon_string && daemon_string[0] == '1') - { - const char *log_redirect = get_env ("daemon_log_redirect", envp); - int fd = -1; - if (log_redirect && log_redirect[0] == '1') - fd = dup (2); - if (daemon (0, 0) < 0) - { - fprintf (stderr, "AUTH-PAM: daemonization failed\n"); - } - else if (fd >= 3) - { - dup2 (fd, 2); - close (fd); - } - } -} - -#endif - -/* - * Close most of parent's fds. - * Keep stdin/stdout/stderr, plus one - * other fd which is presumed to be - * our pipe back to parent. - * Admittedly, a bit of a kludge, - * but posix doesn't give us a kind - * of FD_CLOEXEC which will stop - * fds from crossing a fork(). - */ -static void -close_fds_except (int keep) -{ - int i; - closelog (); - for (i = 3; i <= 100; ++i) - { - if (i != keep) - close (i); - } -} - -/* - * Usually we ignore signals, because our parent will - * deal with them. - */ -static void -set_signals (void) -{ - signal (SIGTERM, SIG_DFL); - - signal (SIGINT, SIG_IGN); - signal (SIGHUP, SIG_IGN); - signal (SIGUSR1, SIG_IGN); - signal (SIGUSR2, SIG_IGN); - signal (SIGPIPE, SIG_IGN); -} - -/* - * Return 1 if query matches match. - */ -static int -name_value_match (const char *query, const char *match) -{ - while (!isalnum (*query)) - { - if (*query == '\0') - return 0; - ++query; - } - return strncasecmp (match, query, strlen (match)) == 0; -} - -OPENVPN_EXPORT openvpn_plugin_handle_t -openvpn_plugin_open_v1 (unsigned int *type_mask, const char *argv[], const char *envp[]) -{ - pid_t pid; - int fd[2]; - - struct auth_pam_context *context; - struct name_value_list name_value_list; - - const int base_parms = 2; - - /* - * Allocate our context - */ - context = (struct auth_pam_context *) calloc (1, sizeof (struct auth_pam_context)); - if (!context) - goto error; - context->foreground_fd = -1; - - /* - * Intercept the --auth-user-pass-verify callback. - */ - *type_mask = OPENVPN_PLUGIN_MASK (OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY); - - /* - * Make sure we have two string arguments: the first is the .so name, - * the second is the PAM service type. - */ - if (string_array_len (argv) < base_parms) - { - fprintf (stderr, "AUTH-PAM: need PAM service parameter\n"); - goto error; - } - - /* - * See if we have optional name/value pairs to match against - * PAM module queried fields in the conversation function. - */ - name_value_list.len = 0; - if (string_array_len (argv) > base_parms) - { - const int nv_len = string_array_len (argv) - base_parms; - int i; - - if ((nv_len & 1) == 1 || (nv_len / 2) > N_NAME_VALUE) - { - fprintf (stderr, "AUTH-PAM: bad name/value list length\n"); - goto error; - } - - name_value_list.len = nv_len / 2; - for (i = 0; i < name_value_list.len; ++i) - { - const int base = base_parms + i * 2; - name_value_list.data[i].name = argv[base]; - name_value_list.data[i].value = argv[base+1]; - } - } - - /* - * Get verbosity level from environment - */ - { - const char *verb_string = get_env ("verb", envp); - if (verb_string) - context->verb = atoi (verb_string); - } - - /* - * Make a socket for foreground and background processes - * to communicate. - */ - if (socketpair (PF_UNIX, SOCK_DGRAM, 0, fd) == -1) - { - fprintf (stderr, "AUTH-PAM: socketpair call failed\n"); - goto error; - } - - /* - * Fork off the privileged process. It will remain privileged - * even after the foreground process drops its privileges. - */ - pid = fork (); - - if (pid) - { - int status; - - /* - * Foreground Process - */ - - context->background_pid = pid; - - /* close our copy of child's socket */ - close (fd[1]); - - /* don't let future subprocesses inherit child socket */ - if (fcntl (fd[0], F_SETFD, FD_CLOEXEC) < 0) - fprintf (stderr, "AUTH-PAM: Set FD_CLOEXEC flag on socket file descriptor failed\n"); - - /* wait for background child process to initialize */ - status = recv_control (fd[0]); - if (status == RESPONSE_INIT_SUCCEEDED) - { - context->foreground_fd = fd[0]; - return (openvpn_plugin_handle_t) context; - } - } - else - { - /* - * Background Process - */ - - /* close all parent fds except our socket back to parent */ - close_fds_except (fd[1]); - - /* Ignore most signals (the parent will receive them) */ - set_signals (); - -#ifdef DO_DAEMONIZE - /* Daemonize if --daemon option is set. */ - daemonize (envp); -#endif - - /* execute the event loop */ - pam_server (fd[1], argv[1], context->verb, &name_value_list); - - close (fd[1]); - - exit (0); - return 0; /* NOTREACHED */ - } - - error: - if (context) - free (context); - return NULL; -} - -OPENVPN_EXPORT int -openvpn_plugin_func_v1 (openvpn_plugin_handle_t handle, const int type, const char *argv[], const char *envp[]) -{ - struct auth_pam_context *context = (struct auth_pam_context *) handle; - - if (type == OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY && context->foreground_fd >= 0) - { - /* get username/password from envp string array */ - const char *username = get_env ("username", envp); - const char *password = get_env ("password", envp); - - if (username && strlen (username) > 0 && password) - { - if (send_control (context->foreground_fd, COMMAND_VERIFY) == -1 - || send_string (context->foreground_fd, username) == -1 - || send_string (context->foreground_fd, password) == -1) - { - fprintf (stderr, "AUTH-PAM: Error sending auth info to background process\n"); - } - else - { - const int status = recv_control (context->foreground_fd); - if (status == RESPONSE_VERIFY_SUCCEEDED) - return OPENVPN_PLUGIN_FUNC_SUCCESS; - if (status == -1) - fprintf (stderr, "AUTH-PAM: Error receiving auth confirmation from background process\n"); - } - } - } - return OPENVPN_PLUGIN_FUNC_ERROR; -} - -OPENVPN_EXPORT void -openvpn_plugin_close_v1 (openvpn_plugin_handle_t handle) -{ - struct auth_pam_context *context = (struct auth_pam_context *) handle; - - if (DEBUG (context->verb)) - fprintf (stderr, "AUTH-PAM: close\n"); - - if (context->foreground_fd >= 0) - { - /* tell background process to exit */ - if (send_control (context->foreground_fd, COMMAND_EXIT) == -1) - fprintf (stderr, "AUTH-PAM: Error signaling background process to exit\n"); - - /* wait for background process to exit */ - if (context->background_pid > 0) - waitpid (context->background_pid, NULL, 0); - - close (context->foreground_fd); - context->foreground_fd = -1; - } - - free (context); -} - -OPENVPN_EXPORT void -openvpn_plugin_abort_v1 (openvpn_plugin_handle_t handle) -{ - struct auth_pam_context *context = (struct auth_pam_context *) handle; - - /* tell background process to exit */ - if (context && context->foreground_fd >= 0) - { - send_control (context->foreground_fd, COMMAND_EXIT); - close (context->foreground_fd); - context->foreground_fd = -1; - } -} - -/* - * PAM conversation function - */ -static int -my_conv (int n, const struct pam_message **msg_array, - struct pam_response **response_array, void *appdata_ptr) -{ - const struct user_pass *up = ( const struct user_pass *) appdata_ptr; - struct pam_response *aresp; - int i; - int ret = PAM_SUCCESS; - - *response_array = NULL; - - if (n <= 0 || n > PAM_MAX_NUM_MSG) - return (PAM_CONV_ERR); - if ((aresp = calloc (n, sizeof *aresp)) == NULL) - return (PAM_BUF_ERR); - - /* loop through each PAM-module query */ - for (i = 0; i < n; ++i) - { - const struct pam_message *msg = msg_array[i]; - aresp[i].resp_retcode = 0; - aresp[i].resp = NULL; - - if (DEBUG (up->verb)) - { - fprintf (stderr, "AUTH-PAM: BACKGROUND: my_conv[%d] query='%s' style=%d\n", - i, - msg->msg ? msg->msg : "NULL", - msg->msg_style); - } - - if (up->name_value_list && up->name_value_list->len > 0) - { - /* use name/value list match method */ - const struct name_value_list *list = up->name_value_list; - int j; - - /* loop through name/value pairs */ - for (j = 0; j < list->len; ++j) - { - const char *match_name = list->data[j].name; - const char *match_value = list->data[j].value; - - if (name_value_match (msg->msg, match_name)) - { - /* found name/value match */ - aresp[i].resp = NULL; - - if (DEBUG (up->verb)) - fprintf (stderr, "AUTH-PAM: BACKGROUND: name match found, query/match-string ['%s', '%s'] = '%s'\n", - msg->msg, - match_name, - match_value); - - if (strstr(match_value, "USERNAME")) - aresp[i].resp = searchandreplace(match_value, "USERNAME", up->username); - else if (strstr(match_value, "PASSWORD")) - aresp[i].resp = searchandreplace(match_value, "PASSWORD", up->password); - else - aresp[i].resp = strdup (match_value); - - if (aresp[i].resp == NULL) - ret = PAM_CONV_ERR; - break; - } - } - - if (j == list->len) - ret = PAM_CONV_ERR; - } - else - { - /* use PAM_PROMPT_ECHO_x hints */ - switch (msg->msg_style) - { - case PAM_PROMPT_ECHO_OFF: - aresp[i].resp = strdup (up->password); - if (aresp[i].resp == NULL) - ret = PAM_CONV_ERR; - break; - - case PAM_PROMPT_ECHO_ON: - aresp[i].resp = strdup (up->username); - if (aresp[i].resp == NULL) - ret = PAM_CONV_ERR; - break; - - case PAM_ERROR_MSG: - case PAM_TEXT_INFO: - break; - - default: - ret = PAM_CONV_ERR; - break; - } - } - } - - if (ret == PAM_SUCCESS) - *response_array = aresp; - return ret; -} - -/* - * Return 1 if authenticated and 0 if failed. - * Called once for every username/password - * to be authenticated. - */ -static int -pam_auth (const char *service, const struct user_pass *up) -{ - struct pam_conv conv; - pam_handle_t *pamh = NULL; - int status = PAM_SUCCESS; - int ret = 0; - const int name_value_list_provided = (up->name_value_list && up->name_value_list->len > 0); - - /* Initialize PAM */ - conv.conv = my_conv; - conv.appdata_ptr = (void *)up; - status = pam_start (service, name_value_list_provided ? NULL : up->username, &conv, &pamh); - if (status == PAM_SUCCESS) - { - /* Call PAM to verify username/password */ - status = pam_authenticate(pamh, 0); - if (status == PAM_SUCCESS) - status = pam_acct_mgmt (pamh, 0); - if (status == PAM_SUCCESS) - ret = 1; - - /* Output error message if failed */ - if (!ret) - { - fprintf (stderr, "AUTH-PAM: BACKGROUND: user '%s' failed to authenticate: %s\n", - up->username, - pam_strerror (pamh, status)); - } - - /* Close PAM */ - pam_end (pamh, status); - } - - return ret; -} - -/* - * Background process -- runs with privilege. - */ -static void -pam_server (int fd, const char *service, int verb, const struct name_value_list *name_value_list) -{ - struct user_pass up; - int command; -#if DLOPEN_PAM - static const char pam_so[] = "libpam.so"; -#endif - - /* - * Do initialization - */ - if (DEBUG (verb)) - fprintf (stderr, "AUTH-PAM: BACKGROUND: INIT service='%s'\n", service); - -#if DLOPEN_PAM - /* - * Load PAM shared object - */ - if (!dlopen_pam (pam_so)) - { - fprintf (stderr, "AUTH-PAM: BACKGROUND: could not load PAM lib %s: %s\n", pam_so, dlerror()); - send_control (fd, RESPONSE_INIT_FAILED); - goto done; - } -#endif - - /* - * Tell foreground that we initialized successfully - */ - if (send_control (fd, RESPONSE_INIT_SUCCEEDED) == -1) - { - fprintf (stderr, "AUTH-PAM: BACKGROUND: write error on response socket [1]\n"); - goto done; - } - - /* - * Event loop - */ - while (1) - { - memset (&up, 0, sizeof (up)); - up.verb = verb; - up.name_value_list = name_value_list; - - /* get a command from foreground process */ - command = recv_control (fd); - - if (DEBUG (verb)) - fprintf (stderr, "AUTH-PAM: BACKGROUND: received command code: %d\n", command); - - switch (command) - { - case COMMAND_VERIFY: - if (recv_string (fd, up.username, sizeof (up.username)) == -1 - || recv_string (fd, up.password, sizeof (up.password)) == -1) - { - fprintf (stderr, "AUTH-PAM: BACKGROUND: read error on command channel: code=%d, exiting\n", - command); - goto done; - } - - if (DEBUG (verb)) - { -#if 0 - fprintf (stderr, "AUTH-PAM: BACKGROUND: USER/PASS: %s/%s\n", - up.username, up.password); -#else - fprintf (stderr, "AUTH-PAM: BACKGROUND: USER: %s\n", up.username); -#endif - } - - if (pam_auth (service, &up)) /* Succeeded */ - { - if (send_control (fd, RESPONSE_VERIFY_SUCCEEDED) == -1) - { - fprintf (stderr, "AUTH-PAM: BACKGROUND: write error on response socket [2]\n"); - goto done; - } - } - else /* Failed */ - { - if (send_control (fd, RESPONSE_VERIFY_FAILED) == -1) - { - fprintf (stderr, "AUTH-PAM: BACKGROUND: write error on response socket [3]\n"); - goto done; - } - } - break; - - case COMMAND_EXIT: - goto done; - - case -1: - fprintf (stderr, "AUTH-PAM: BACKGROUND: read error on command channel\n"); - goto done; - - default: - fprintf (stderr, "AUTH-PAM: BACKGROUND: unknown command code: code=%d, exiting\n", - command); - goto done; - } - } - done: - -#if DLOPEN_PAM - dlclose_pam (); -#endif - if (DEBUG (verb)) - fprintf (stderr, "AUTH-PAM: BACKGROUND: EXIT\n"); - - return; -} diff --git a/plugin/auth-pam/pamdl.c b/plugin/auth-pam/pamdl.c deleted file mode 100644 index 8636a8e..0000000 --- a/plugin/auth-pam/pamdl.c +++ /dev/null @@ -1,180 +0,0 @@ -#if DLOPEN_PAM -/* - * If you want to dynamically load libpam using dlopen() or something, - * then dlopen( ' this shared object ' ); It takes care of exporting - * the right symbols to any modules loaded by libpam. - * - * Modified by JY for use with openvpn-pam-auth - */ - -#include <stdio.h> -#include <dlfcn.h> -#include <security/pam_appl.h> - -#include "pamdl.h" - -static void *libpam_h = NULL; - -#define RESOLVE_PAM_FUNCTION(x, y, z, err) \ - { \ - union { const void *tpointer; y (*fn) z ; } fptr; \ - fptr.tpointer = dlsym(libpam_h, #x); real_##x = fptr.fn; \ - if (real_##x == NULL) { \ - fprintf (stderr, "PAMDL: unable to resolve '%s': %s\n", #x, dlerror()); \ - return err; \ - } \ - } - -int -dlopen_pam (const char *so) -{ - if (libpam_h == NULL) - { - libpam_h = dlopen(so, RTLD_GLOBAL|RTLD_NOW); - } - return libpam_h != NULL; -} - -void -dlclose_pam (void) -{ - if (libpam_h != NULL) - { - dlclose(libpam_h); - libpam_h = NULL; - } -} - -int pam_start(const char *service_name, const char *user, - const struct pam_conv *pam_conversation, - pam_handle_t **pamh) -{ - int (*real_pam_start)(const char *, const char *, - const struct pam_conv *, - pam_handle_t **); - RESOLVE_PAM_FUNCTION(pam_start, int, (const char *, const char *, - const struct pam_conv *, - pam_handle_t **), PAM_ABORT); - return real_pam_start(service_name, user, pam_conversation, pamh); -} - -int pam_end(pam_handle_t *pamh, int pam_status) -{ - int (*real_pam_end)(pam_handle_t *, int); - RESOLVE_PAM_FUNCTION(pam_end, int, (pam_handle_t *, int), PAM_ABORT); - return real_pam_end(pamh, pam_status); -} - -int pam_set_item(pam_handle_t *pamh, int item_type, const void *item) -{ - int (*real_pam_set_item)(pam_handle_t *, int, const void *); - RESOLVE_PAM_FUNCTION(pam_set_item, int, - (pam_handle_t *, int, const void *), PAM_ABORT); - return real_pam_set_item(pamh, item_type, item); -} - -int pam_get_item(pam_handle_t *pamh, int item_type, const void **item) -{ - int (*real_pam_get_item)(const pam_handle_t *, int, const void **); - RESOLVE_PAM_FUNCTION(pam_get_item, int, - (const pam_handle_t *, int, const void **), - PAM_ABORT); - return real_pam_get_item(pamh, item_type, item); -} - -int pam_fail_delay(pam_handle_t *pamh, unsigned int musec_delay) -{ - int (*real_pam_fail_delay)(pam_handle_t *, unsigned int); - RESOLVE_PAM_FUNCTION(pam_fail_delay, int, (pam_handle_t *, unsigned int), - PAM_ABORT); - return real_pam_fail_delay(pamh, musec_delay); -} - -typedef const char * const_char_pointer; - -const_char_pointer pam_strerror(pam_handle_t *pamh, int errnum) -{ - const_char_pointer (*real_pam_strerror)(pam_handle_t *, int); - RESOLVE_PAM_FUNCTION(pam_strerror, const_char_pointer, - (pam_handle_t *, int), NULL); - return real_pam_strerror(pamh, errnum); -} - -int pam_putenv(pam_handle_t *pamh, const char *name_value) -{ - int (*real_pam_putenv)(pam_handle_t *, const char *); - RESOLVE_PAM_FUNCTION(pam_putenv, int, (pam_handle_t *, const char *), - PAM_ABORT); - return real_pam_putenv(pamh, name_value); -} - -const_char_pointer pam_getenv(pam_handle_t *pamh, const char *name) -{ - const_char_pointer (*real_pam_getenv)(pam_handle_t *, const char *); - RESOLVE_PAM_FUNCTION(pam_getenv, const_char_pointer, - (pam_handle_t *, const char *), NULL); - return real_pam_getenv(pamh, name); -} - -typedef char ** char_ppointer; -char_ppointer pam_getenvlist(pam_handle_t *pamh) -{ - char_ppointer (*real_pam_getenvlist)(pam_handle_t *); - RESOLVE_PAM_FUNCTION(pam_getenvlist, char_ppointer, (pam_handle_t *), - NULL); - return real_pam_getenvlist(pamh); -} - -/* Authentication management */ - -int pam_authenticate(pam_handle_t *pamh, int flags) -{ - int (*real_pam_authenticate)(pam_handle_t *, int); - RESOLVE_PAM_FUNCTION(pam_authenticate, int, (pam_handle_t *, int), - PAM_ABORT); - return real_pam_authenticate(pamh, flags); -} - -int pam_setcred(pam_handle_t *pamh, int flags) -{ - int (*real_pam_setcred)(pam_handle_t *, int); - RESOLVE_PAM_FUNCTION(pam_setcred, int, (pam_handle_t *, int), PAM_ABORT); - return real_pam_setcred(pamh, flags); -} - -/* Account Management API's */ - -int pam_acct_mgmt(pam_handle_t *pamh, int flags) -{ - int (*real_pam_acct_mgmt)(pam_handle_t *, int); - RESOLVE_PAM_FUNCTION(pam_acct_mgmt, int, (pam_handle_t *, int), PAM_ABORT); - return real_pam_acct_mgmt(pamh, flags); -} - -/* Session Management API's */ - -int pam_open_session(pam_handle_t *pamh, int flags) -{ - int (*real_pam_open_session)(pam_handle_t *, int); - RESOLVE_PAM_FUNCTION(pam_open_session, int, (pam_handle_t *, int), - PAM_ABORT); - return real_pam_open_session(pamh, flags); -} - -int pam_close_session(pam_handle_t *pamh, int flags) -{ - int (*real_pam_close_session)(pam_handle_t *, int); - RESOLVE_PAM_FUNCTION(pam_close_session, int, (pam_handle_t *, int), - PAM_ABORT); - return real_pam_close_session(pamh, flags); -} - -/* Password Management API's */ - -int pam_chauthtok(pam_handle_t *pamh, int flags) -{ - int (*real_pam_chauthtok)(pam_handle_t *, int); - RESOLVE_PAM_FUNCTION(pam_chauthtok, int, (pam_handle_t *, int), PAM_ABORT); - return real_pam_chauthtok(pamh, flags); -} -#endif diff --git a/plugin/auth-pam/pamdl.h b/plugin/auth-pam/pamdl.h deleted file mode 100644 index b10b035..0000000 --- a/plugin/auth-pam/pamdl.h +++ /dev/null @@ -1,7 +0,0 @@ -#if DLOPEN_PAM -#include <security/pam_appl.h> - -/* Dynamically load and unload the PAM library */ -int dlopen_pam (const char *so); -void dlclose_pam (void); -#endif |