diff options
Diffstat (limited to 'src/plugins/auth-pam')
| -rw-r--r-- | src/plugins/auth-pam/Makefile.am | 27 | ||||
| -rw-r--r-- | src/plugins/auth-pam/Makefile.in | 619 | ||||
| -rw-r--r-- | src/plugins/auth-pam/README.auth-pam | 74 | ||||
| -rw-r--r-- | src/plugins/auth-pam/auth-pam.c | 806 | ||||
| -rw-r--r-- | src/plugins/auth-pam/auth-pam.exports | 4 | ||||
| -rw-r--r-- | src/plugins/auth-pam/pamdl.c | 184 | ||||
| -rw-r--r-- | src/plugins/auth-pam/pamdl.h | 5 |
7 files changed, 1719 insertions, 0 deletions
diff --git a/src/plugins/auth-pam/Makefile.am b/src/plugins/auth-pam/Makefile.am new file mode 100644 index 0000000..701a749 --- /dev/null +++ b/src/plugins/auth-pam/Makefile.am @@ -0,0 +1,27 @@ +# +# OpenVPN (TM) PAM Auth Plugin -- OpenVPN Plugin +# +# Copyright (C) 2012 Alon Bar-Lev <alon.barlev@gmail.com> +# + +MAINTAINERCLEANFILES = \ + $(srcdir)/Makefile.in + +AM_CFLAGS = \ + -I$(top_srcdir)/include + $(PLUGIN_AUTH_PAM_CFLAGS) + +if ENABLE_PLUGIN_AUTH_PAM +plugin_LTLIBRARIES = openvpn-plugin-auth-pam.la +dist_doc_DATA = README.auth-pam +endif + +openvpn_plugin_auth_pam_la_SOURCES = \ + auth-pam.c \ + pamdl.c pamdl.h \ + auth-pam.exports +openvpn_plugin_auth_pam_la_LIBADD = \ + $(PLUGIN_AUTH_PAM_LIBS) +openvpn_plugin_auth_pam_la_LDFLAGS = $(AM_LDFLAGS) \ + -export-symbols "$(srcdir)/auth-pam.exports" \ + -module -shared -avoid-version -no-undefined diff --git a/src/plugins/auth-pam/Makefile.in b/src/plugins/auth-pam/Makefile.in new file mode 100644 index 0000000..49e4063 --- /dev/null +++ b/src/plugins/auth-pam/Makefile.in @@ -0,0 +1,619 @@ +# Makefile.in generated by automake 1.11.1 from Makefile.am. +# @configure_input@ + +# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, +# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation, +# Inc. +# This Makefile.in is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY, to the extent permitted by law; without +# even the implied warranty of MERCHANTABILITY or FITNESS FOR A +# PARTICULAR PURPOSE. + +@SET_MAKE@ + +# +# OpenVPN (TM) PAM Auth Plugin -- OpenVPN Plugin +# +# Copyright (C) 2012 Alon Bar-Lev <alon.barlev@gmail.com> +# + + +VPATH = @srcdir@ +pkgdatadir = $(datadir)/@PACKAGE@ +pkgincludedir = $(includedir)/@PACKAGE@ +pkglibdir = $(libdir)/@PACKAGE@ +pkglibexecdir = $(libexecdir)/@PACKAGE@ +am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd +install_sh_DATA = $(install_sh) -c -m 644 +install_sh_PROGRAM = $(install_sh) -c +install_sh_SCRIPT = $(install_sh) -c +INSTALL_HEADER = $(INSTALL_DATA) +transform = $(program_transform_name) +NORMAL_INSTALL = : +PRE_INSTALL = : +POST_INSTALL = : +NORMAL_UNINSTALL = : +PRE_UNINSTALL = : +POST_UNINSTALL = : +build_triplet = @build@ +host_triplet = @host@ +subdir = src/plugins/auth-pam +DIST_COMMON = $(am__dist_doc_DATA_DIST) $(srcdir)/Makefile.am \ + $(srcdir)/Makefile.in +ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 +am__aclocal_m4_deps = $(top_srcdir)/m4/ax_emptyarray.m4 \ + $(top_srcdir)/m4/ax_socklen_t.m4 \ + $(top_srcdir)/m4/ax_varargs.m4 $(top_srcdir)/m4/libtool.m4 \ + $(top_srcdir)/m4/ltoptions.m4 $(top_srcdir)/m4/ltsugar.m4 \ + $(top_srcdir)/m4/ltversion.m4 $(top_srcdir)/m4/lt~obsolete.m4 \ + $(top_srcdir)/m4/pkg.m4 $(top_srcdir)/version.m4 \ + $(top_srcdir)/compat.m4 $(top_srcdir)/configure.ac +am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ + $(ACLOCAL_M4) +mkinstalldirs = $(install_sh) -d +CONFIG_HEADER = $(top_builddir)/config.h +CONFIG_CLEAN_FILES = +CONFIG_CLEAN_VPATH_FILES = +am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; +am__vpath_adj = case $$p in \ + $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ + *) f=$$p;; \ + esac; +am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`; +am__install_max = 40 +am__nobase_strip_setup = \ + srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'` +am__nobase_strip = \ + for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||" +am__nobase_list = $(am__nobase_strip_setup); \ + for p in $$list; do echo "$$p $$p"; done | \ + sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \ + $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \ + if (++n[$$2] == $(am__install_max)) \ + { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \ + END { for (dir in files) print dir, files[dir] }' +am__base_list = \ + sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \ + sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g' +am__installdirs = "$(DESTDIR)$(plugindir)" "$(DESTDIR)$(docdir)" +LTLIBRARIES = $(plugin_LTLIBRARIES) +am__DEPENDENCIES_1 = +openvpn_plugin_auth_pam_la_DEPENDENCIES = $(am__DEPENDENCIES_1) +am_openvpn_plugin_auth_pam_la_OBJECTS = auth-pam.lo pamdl.lo +openvpn_plugin_auth_pam_la_OBJECTS = \ + $(am_openvpn_plugin_auth_pam_la_OBJECTS) +openvpn_plugin_auth_pam_la_LINK = $(LIBTOOL) --tag=CC \ + $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \ + $(AM_CFLAGS) $(CFLAGS) $(openvpn_plugin_auth_pam_la_LDFLAGS) \ + $(LDFLAGS) -o $@ +@ENABLE_PLUGIN_AUTH_PAM_TRUE@am_openvpn_plugin_auth_pam_la_rpath = \ +@ENABLE_PLUGIN_AUTH_PAM_TRUE@ -rpath $(plugindir) +DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir) +depcomp = $(SHELL) $(top_srcdir)/depcomp +am__depfiles_maybe = depfiles +am__mv = mv -f +COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ + $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \ + $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +CCLD = $(CC) +LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \ + $(LDFLAGS) -o $@ +SOURCES = $(openvpn_plugin_auth_pam_la_SOURCES) +DIST_SOURCES = $(openvpn_plugin_auth_pam_la_SOURCES) +am__dist_doc_DATA_DIST = README.auth-pam +DATA = $(dist_doc_DATA) +ETAGS = etags +CTAGS = ctags +DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) +ACLOCAL = @ACLOCAL@ +AMTAR = @AMTAR@ +AR = @AR@ +AS = @AS@ +AUTOCONF = @AUTOCONF@ +AUTOHEADER = @AUTOHEADER@ +AUTOMAKE = @AUTOMAKE@ +AWK = @AWK@ +CC = @CC@ +CCDEPMODE = @CCDEPMODE@ +CFLAGS = @CFLAGS@ +CPP = @CPP@ +CPPFLAGS = @CPPFLAGS@ +CYGPATH_W = @CYGPATH_W@ +DEFS = @DEFS@ +DEPDIR = @DEPDIR@ +DLLTOOL = @DLLTOOL@ +DL_LIBS = @DL_LIBS@ +DSYMUTIL = @DSYMUTIL@ +DUMPBIN = @DUMPBIN@ +ECHO_C = @ECHO_C@ +ECHO_N = @ECHO_N@ +ECHO_T = @ECHO_T@ +EGREP = @EGREP@ +EXEEXT = @EXEEXT@ +FGREP = @FGREP@ +GIT = @GIT@ +GREP = @GREP@ +IFCONFIG = @IFCONFIG@ +INSTALL = @INSTALL@ +INSTALL_DATA = @INSTALL_DATA@ +INSTALL_PROGRAM = @INSTALL_PROGRAM@ +INSTALL_SCRIPT = @INSTALL_SCRIPT@ +INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ +IPROUTE = @IPROUTE@ +LD = @LD@ +LDFLAGS = @LDFLAGS@ +LIBOBJS = @LIBOBJS@ +LIBPAM_CFLAGS = @LIBPAM_CFLAGS@ +LIBPAM_LIBS = @LIBPAM_LIBS@ +LIBS = @LIBS@ +LIBTOOL = @LIBTOOL@ +LIPO = @LIPO@ +LN_S = @LN_S@ +LTLIBOBJS = @LTLIBOBJS@ +LZO_CFLAGS = @LZO_CFLAGS@ +LZO_LIBS = @LZO_LIBS@ +MAKEINFO = @MAKEINFO@ +MAN2HTML = @MAN2HTML@ +MKDIR_P = @MKDIR_P@ +NETSTAT = @NETSTAT@ +NM = @NM@ +NMEDIT = @NMEDIT@ +OBJDUMP = @OBJDUMP@ +OBJEXT = @OBJEXT@ +OPENSSL_CRYPTO_CFLAGS = @OPENSSL_CRYPTO_CFLAGS@ +OPENSSL_CRYPTO_LIBS = @OPENSSL_CRYPTO_LIBS@ +OPENSSL_SSL_CFLAGS = @OPENSSL_SSL_CFLAGS@ +OPENSSL_SSL_LIBS = @OPENSSL_SSL_LIBS@ +OPTIONAL_CRYPTO_CFLAGS = @OPTIONAL_CRYPTO_CFLAGS@ +OPTIONAL_CRYPTO_LIBS = @OPTIONAL_CRYPTO_LIBS@ +OPTIONAL_DL_LIBS = @OPTIONAL_DL_LIBS@ +OPTIONAL_LZO_CFLAGS = @OPTIONAL_LZO_CFLAGS@ +OPTIONAL_LZO_LIBS = @OPTIONAL_LZO_LIBS@ +OPTIONAL_PKCS11_HELPER_CFLAGS = @OPTIONAL_PKCS11_HELPER_CFLAGS@ +OPTIONAL_PKCS11_HELPER_LIBS = @OPTIONAL_PKCS11_HELPER_LIBS@ +OPTIONAL_SELINUX_LIBS = @OPTIONAL_SELINUX_LIBS@ +OTOOL = @OTOOL@ +OTOOL64 = @OTOOL64@ +PACKAGE = @PACKAGE@ +PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ +PACKAGE_NAME = @PACKAGE_NAME@ +PACKAGE_STRING = @PACKAGE_STRING@ +PACKAGE_TARNAME = @PACKAGE_TARNAME@ +PACKAGE_URL = @PACKAGE_URL@ +PACKAGE_VERSION = @PACKAGE_VERSION@ +PATH_SEPARATOR = @PATH_SEPARATOR@ +PKCS11_HELPER_CFLAGS = @PKCS11_HELPER_CFLAGS@ +PKCS11_HELPER_LIBS = @PKCS11_HELPER_LIBS@ +PKG_CONFIG = @PKG_CONFIG@ +PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ +PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ +PLUGIN_AUTH_PAM_CFLAGS = @PLUGIN_AUTH_PAM_CFLAGS@ +PLUGIN_AUTH_PAM_LIBS = @PLUGIN_AUTH_PAM_LIBS@ +POLARSSL_CFLAGS = @POLARSSL_CFLAGS@ +POLARSSL_LIBS = @POLARSSL_LIBS@ +RANLIB = @RANLIB@ +RC = @RC@ +ROUTE = @ROUTE@ +SED = @SED@ +SELINUX_LIBS = @SELINUX_LIBS@ +SET_MAKE = @SET_MAKE@ +SHELL = @SHELL@ +SOCKETS_LIBS = @SOCKETS_LIBS@ +STRIP = @STRIP@ +TAP_CFLAGS = @TAP_CFLAGS@ +TAP_WIN_COMPONENT_ID = @TAP_WIN_COMPONENT_ID@ +TAP_WIN_MIN_MAJOR = @TAP_WIN_MIN_MAJOR@ +TAP_WIN_MIN_MINOR = @TAP_WIN_MIN_MINOR@ +VERSION = @VERSION@ +abs_builddir = @abs_builddir@ +abs_srcdir = @abs_srcdir@ +abs_top_builddir = @abs_top_builddir@ +abs_top_srcdir = @abs_top_srcdir@ +ac_ct_CC = @ac_ct_CC@ +ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ +am__include = @am__include@ +am__leading_dot = @am__leading_dot@ +am__quote = @am__quote@ +am__tar = @am__tar@ +am__untar = @am__untar@ +bindir = @bindir@ +build = @build@ +build_alias = @build_alias@ +build_cpu = @build_cpu@ +build_os = @build_os@ +build_vendor = @build_vendor@ +builddir = @builddir@ +datadir = @datadir@ +datarootdir = @datarootdir@ +docdir = @docdir@ +dvidir = @dvidir@ +exec_prefix = @exec_prefix@ +host = @host@ +host_alias = @host_alias@ +host_cpu = @host_cpu@ +host_os = @host_os@ +host_vendor = @host_vendor@ +htmldir = @htmldir@ +includedir = @includedir@ +infodir = @infodir@ +install_sh = @install_sh@ +libdir = @libdir@ +libexecdir = @libexecdir@ +localedir = @localedir@ +localstatedir = @localstatedir@ +mandir = @mandir@ +mkdir_p = @mkdir_p@ +oldincludedir = @oldincludedir@ +pdfdir = @pdfdir@ +plugindir = @plugindir@ +prefix = @prefix@ +program_transform_name = @program_transform_name@ +psdir = @psdir@ +sampledir = @sampledir@ +sbindir = @sbindir@ +sharedstatedir = @sharedstatedir@ +srcdir = @srcdir@ +sysconfdir = @sysconfdir@ +target_alias = @target_alias@ +top_build_prefix = @top_build_prefix@ +top_builddir = @top_builddir@ +top_srcdir = @top_srcdir@ +MAINTAINERCLEANFILES = \ + $(srcdir)/Makefile.in + +AM_CFLAGS = \ + -I$(top_srcdir)/include + +@ENABLE_PLUGIN_AUTH_PAM_TRUE@plugin_LTLIBRARIES = openvpn-plugin-auth-pam.la +@ENABLE_PLUGIN_AUTH_PAM_TRUE@dist_doc_DATA = README.auth-pam +openvpn_plugin_auth_pam_la_SOURCES = \ + auth-pam.c \ + pamdl.c pamdl.h \ + auth-pam.exports + +openvpn_plugin_auth_pam_la_LIBADD = \ + $(PLUGIN_AUTH_PAM_LIBS) + +openvpn_plugin_auth_pam_la_LDFLAGS = $(AM_LDFLAGS) \ + -export-symbols "$(srcdir)/auth-pam.exports" \ + -module -shared -avoid-version -no-undefined + +all: all-am + +.SUFFIXES: +.SUFFIXES: .c .lo .o .obj +$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) + @for dep in $?; do \ + case '$(am__configure_deps)' in \ + *$$dep*) \ + ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \ + && { if test -f $@; then exit 0; else break; fi; }; \ + exit 1;; \ + esac; \ + done; \ + echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/plugins/auth-pam/Makefile'; \ + $(am__cd) $(top_srcdir) && \ + $(AUTOMAKE) --gnu src/plugins/auth-pam/Makefile +.PRECIOUS: Makefile +Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status + @case '$?' in \ + *config.status*) \ + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ + *) \ + echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ + esac; + +$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh + +$(top_srcdir)/configure: $(am__configure_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(ACLOCAL_M4): $(am__aclocal_m4_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(am__aclocal_m4_deps): +install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES) + @$(NORMAL_INSTALL) + test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)" + @list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \ + list2=; for p in $$list; do \ + if test -f $$p; then \ + list2="$$list2 $$p"; \ + else :; fi; \ + done; \ + test -z "$$list2" || { \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \ + } + +uninstall-pluginLTLIBRARIES: + @$(NORMAL_UNINSTALL) + @list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \ + for p in $$list; do \ + $(am__strip_dir) \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \ + done + +clean-pluginLTLIBRARIES: + -test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES) + @list='$(plugin_LTLIBRARIES)'; for p in $$list; do \ + dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \ + test "$$dir" != "$$p" || dir=.; \ + echo "rm -f \"$${dir}/so_locations\""; \ + rm -f "$${dir}/so_locations"; \ + done +openvpn-plugin-auth-pam.la: $(openvpn_plugin_auth_pam_la_OBJECTS) $(openvpn_plugin_auth_pam_la_DEPENDENCIES) + $(openvpn_plugin_auth_pam_la_LINK) $(am_openvpn_plugin_auth_pam_la_rpath) $(openvpn_plugin_auth_pam_la_OBJECTS) $(openvpn_plugin_auth_pam_la_LIBADD) $(LIBS) + +mostlyclean-compile: + -rm -f *.$(OBJEXT) + +distclean-compile: + -rm -f *.tab.c + +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/auth-pam.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pamdl.Plo@am__quote@ + +.c.o: +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(COMPILE) -c $< + +.c.obj: +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'` +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(COMPILE) -c `$(CYGPATH_W) '$<'` + +.c.lo: +@am__fastdepCC_TRUE@ $(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(LTCOMPILE) -c -o $@ $< + +mostlyclean-libtool: + -rm -f *.lo + +clean-libtool: + -rm -rf .libs _libs +install-dist_docDATA: $(dist_doc_DATA) + @$(NORMAL_INSTALL) + test -z "$(docdir)" || $(MKDIR_P) "$(DESTDIR)$(docdir)" + @list='$(dist_doc_DATA)'; test -n "$(docdir)" || list=; \ + for p in $$list; do \ + if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \ + echo "$$d$$p"; \ + done | $(am__base_list) | \ + while read files; do \ + echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(docdir)'"; \ + $(INSTALL_DATA) $$files "$(DESTDIR)$(docdir)" || exit $$?; \ + done + +uninstall-dist_docDATA: + @$(NORMAL_UNINSTALL) + @list='$(dist_doc_DATA)'; test -n "$(docdir)" || list=; \ + files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \ + test -n "$$files" || exit 0; \ + echo " ( cd '$(DESTDIR)$(docdir)' && rm -f" $$files ")"; \ + cd "$(DESTDIR)$(docdir)" && rm -f $$files + +ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + mkid -fID $$unique +tags: TAGS + +TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + set x; \ + here=`pwd`; \ + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + shift; \ + if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \ + test -n "$$unique" || unique=$$empty_fix; \ + if test $$# -gt 0; then \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + "$$@" $$unique; \ + else \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + $$unique; \ + fi; \ + fi +ctags: CTAGS +CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + test -z "$(CTAGS_ARGS)$$unique" \ + || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ + $$unique + +GTAGS: + here=`$(am__cd) $(top_builddir) && pwd` \ + && $(am__cd) $(top_srcdir) \ + && gtags -i $(GTAGS_ARGS) "$$here" + +distclean-tags: + -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags + +distdir: $(DISTFILES) + @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + list='$(DISTFILES)'; \ + dist_files=`for file in $$list; do echo $$file; done | \ + sed -e "s|^$$srcdirstrip/||;t" \ + -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ + case $$dist_files in \ + */*) $(MKDIR_P) `echo "$$dist_files" | \ + sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ + sort -u` ;; \ + esac; \ + for file in $$dist_files; do \ + if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ + if test -d $$d/$$file; then \ + dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ + if test -d "$(distdir)/$$file"; then \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ + cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \ + else \ + test -f "$(distdir)/$$file" \ + || cp -p $$d/$$file "$(distdir)/$$file" \ + || exit 1; \ + fi; \ + done +check-am: all-am +check: check-am +all-am: Makefile $(LTLIBRARIES) $(DATA) +installdirs: + for dir in "$(DESTDIR)$(plugindir)" "$(DESTDIR)$(docdir)"; do \ + test -z "$$dir" || $(MKDIR_P) "$$dir"; \ + done +install: install-am +install-exec: install-exec-am +install-data: install-data-am +uninstall: uninstall-am + +install-am: all-am + @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am + +installcheck: installcheck-am +install-strip: + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + `test -z '$(STRIP)' || \ + echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install +mostlyclean-generic: + +clean-generic: + +distclean-generic: + -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) + -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) + +maintainer-clean-generic: + @echo "This command is intended for maintainers to use" + @echo "it deletes files that may require special tools to rebuild." + -test -z "$(MAINTAINERCLEANFILES)" || rm -f $(MAINTAINERCLEANFILES) +clean: clean-am + +clean-am: clean-generic clean-libtool clean-pluginLTLIBRARIES \ + mostlyclean-am + +distclean: distclean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +distclean-am: clean-am distclean-compile distclean-generic \ + distclean-tags + +dvi: dvi-am + +dvi-am: + +html: html-am + +html-am: + +info: info-am + +info-am: + +install-data-am: install-dist_docDATA install-pluginLTLIBRARIES + +install-dvi: install-dvi-am + +install-dvi-am: + +install-exec-am: + +install-html: install-html-am + +install-html-am: + +install-info: install-info-am + +install-info-am: + +install-man: + +install-pdf: install-pdf-am + +install-pdf-am: + +install-ps: install-ps-am + +install-ps-am: + +installcheck-am: + +maintainer-clean: maintainer-clean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +maintainer-clean-am: distclean-am maintainer-clean-generic + +mostlyclean: mostlyclean-am + +mostlyclean-am: mostlyclean-compile mostlyclean-generic \ + mostlyclean-libtool + +pdf: pdf-am + +pdf-am: + +ps: ps-am + +ps-am: + +uninstall-am: uninstall-dist_docDATA uninstall-pluginLTLIBRARIES + +.MAKE: install-am install-strip + +.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \ + clean-libtool clean-pluginLTLIBRARIES ctags distclean \ + distclean-compile distclean-generic distclean-libtool \ + distclean-tags distdir dvi dvi-am html html-am info info-am \ + install install-am install-data install-data-am \ + install-dist_docDATA install-dvi install-dvi-am install-exec \ + install-exec-am install-html install-html-am install-info \ + install-info-am install-man install-pdf install-pdf-am \ + install-pluginLTLIBRARIES install-ps install-ps-am \ + install-strip installcheck installcheck-am installdirs \ + maintainer-clean maintainer-clean-generic mostlyclean \ + mostlyclean-compile mostlyclean-generic mostlyclean-libtool \ + pdf pdf-am ps ps-am tags uninstall uninstall-am \ + uninstall-dist_docDATA uninstall-pluginLTLIBRARIES + + $(PLUGIN_AUTH_PAM_CFLAGS) + +# Tell versions [3.59,3.63) of GNU make to not export all variables. +# Otherwise a system limit (for SysV at least) may be exceeded. +.NOEXPORT: diff --git a/src/plugins/auth-pam/README.auth-pam b/src/plugins/auth-pam/README.auth-pam new file mode 100644 index 0000000..e123690 --- /dev/null +++ b/src/plugins/auth-pam/README.auth-pam @@ -0,0 +1,74 @@ +openvpn-auth-pam + +SYNOPSIS + +The openvpn-auth-pam module implements username/password +authentication via PAM, and essentially allows any authentication +method supported by PAM (such as LDAP, RADIUS, or Linux Shadow +passwords) to be used with OpenVPN. While PAM supports +username/password authentication, this can be combined with X509 +certificates to provide two indepedent levels of authentication. + +This module uses a split privilege execution model which will +function even if you drop openvpn daemon privileges using the user, +group, or chroot directives. + +BUILD + +To build openvpn-auth-pam, you will need to have the pam-devel +package installed. + +Build with the "make" command. The module will be named +openvpn-auth-pam.so + +USAGE + +To use this plugin module, add to your OpenVPN config file: + + plugin openvpn-auth-pam.so service-type + +The required service-type parameter corresponds to +the PAM service definition file usually found +in /etc/pam.d. + +This plugin also supports the usage of a list of name/value +pairs to answer PAM module queries. + +For example: + + plugin openvpn-auth-pam.so "login login USERNAME password PASSWORD" + +tells auth-pam to (a) use the "login" PAM module, (b) answer a +"login" query with the username given by the OpenVPN client, and +(c) answer a "password" query with the password given by the +OpenVPN client. This provides flexibility in dealing with the different +types of query strings which different PAM modules might generate. +For example, suppose you were using a PAM module called +"test" which queried for "name" rather than "login": + + plugin openvpn-auth-pam.so "test name USERNAME password PASSWORD" + +While "USERNAME" "COMMONNAME" and "PASSWORD" are special strings which substitute +to client-supplied values, it is also possible to name literal values +to use as PAM module query responses. For example, suppose that the +login module queried for a third parameter, "domain" which +is to be answered with the constant value "mydomain.com": + + plugin openvpn-auth-pam.so "login login USERNAME password PASSWORD domain mydomain.com" + +The following OpenVPN directives can also influence +the operation of this plugin: + + client-cert-not-required + username-as-common-name + +Run OpenVPN with --verb 7 or higher to get debugging output from +this plugin, including the list of queries presented by the +underlying PAM module. This is a useful debugging tool to figure +out which queries a given PAM module is making, so that you can +craft the appropriate plugin directive to answer it. + +CAVEATS + +This module will only work on *nix systems which support PAM, +not Windows. diff --git a/src/plugins/auth-pam/auth-pam.c b/src/plugins/auth-pam/auth-pam.c new file mode 100644 index 0000000..bd71792 --- /dev/null +++ b/src/plugins/auth-pam/auth-pam.c @@ -0,0 +1,806 @@ +/* + * OpenVPN -- An application to securely tunnel IP networks + * over a single TCP/UDP port, with support for SSL/TLS-based + * session authentication and key exchange, + * packet encryption, packet authentication, and + * packet compression. + * + * Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <sales@openvpn.net> + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2 + * as published by the Free Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program (see the file COPYING included with this + * distribution); if not, write to the Free Software Foundation, Inc., + * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + */ + +/* + * OpenVPN plugin module to do PAM authentication using a split + * privilege model. + */ +#ifdef HAVE_CONFIG_H +#include <config.h> +#endif + +#include <security/pam_appl.h> + +#ifdef USE_PAM_DLOPEN +#include "pamdl.h" +#endif + +#include <stdio.h> +#include <string.h> +#include <ctype.h> +#include <unistd.h> +#include <stdlib.h> +#include <sys/types.h> +#include <sys/socket.h> +#include <sys/wait.h> +#include <fcntl.h> +#include <signal.h> +#include <syslog.h> + +#include <openvpn-plugin.h> + +#define DEBUG(verb) ((verb) >= 4) + +/* Command codes for foreground -> background communication */ +#define COMMAND_VERIFY 0 +#define COMMAND_EXIT 1 + +/* Response codes for background -> foreground communication */ +#define RESPONSE_INIT_SUCCEEDED 10 +#define RESPONSE_INIT_FAILED 11 +#define RESPONSE_VERIFY_SUCCEEDED 12 +#define RESPONSE_VERIFY_FAILED 13 + +/* + * Plugin state, used by foreground + */ +struct auth_pam_context +{ + /* Foreground's socket to background process */ + int foreground_fd; + + /* Process ID of background process */ + pid_t background_pid; + + /* Verbosity level of OpenVPN */ + int verb; +}; + +/* + * Name/Value pairs for conversation function. + * Special Values: + * + * "USERNAME" -- substitute client-supplied username + * "PASSWORD" -- substitute client-specified password + * "COMMONNAME" -- substitute client certificate common name + */ + +#define N_NAME_VALUE 16 + +struct name_value { + const char *name; + const char *value; +}; + +struct name_value_list { + int len; + struct name_value data[N_NAME_VALUE]; +}; + +/* + * Used to pass the username/password + * to the PAM conversation function. + */ +struct user_pass { + int verb; + + char username[128]; + char password[128]; + char common_name[128]; + + const struct name_value_list *name_value_list; +}; + +/* Background process function */ +static void pam_server (int fd, const char *service, int verb, const struct name_value_list *name_value_list); + +/* Read 'tosearch', replace all occurences of 'searchfor' with 'replacewith' and return + * a pointer to the NEW string. Does not modify the input strings. Will not enter an + * infinite loop with clever 'searchfor' and 'replacewith' strings. + * Daniel Johnson - Progman2000@usa.net / djohnson@progman.us + */ +static char * +searchandreplace(const char *tosearch, const char *searchfor, const char *replacewith) +{ + const char *searching=tosearch; + char *scratch; + char temp[strlen(tosearch)*10]; + temp[0]=0; + + if (!tosearch || !searchfor || !replacewith) return 0; + if (!strlen(tosearch) || !strlen(searchfor) || !strlen(replacewith)) return 0; + + scratch = strstr(searching,searchfor); + if (!scratch) return strdup(tosearch); + + while (scratch) { + strncat(temp,searching,scratch-searching); + strcat(temp,replacewith); + + searching=scratch+strlen(searchfor); + scratch = strstr(searching,searchfor); + } + return strdup(temp); +} + +/* + * Given an environmental variable name, search + * the envp array for its value, returning it + * if found or NULL otherwise. + */ +static const char * +get_env (const char *name, const char *envp[]) +{ + if (envp) + { + int i; + const int namelen = strlen (name); + for (i = 0; envp[i]; ++i) + { + if (!strncmp (envp[i], name, namelen)) + { + const char *cp = envp[i] + namelen; + if (*cp == '=') + return cp + 1; + } + } + } + return NULL; +} + +/* + * Return the length of a string array + */ +static int +string_array_len (const char *array[]) +{ + int i = 0; + if (array) + { + while (array[i]) + ++i; + } + return i; +} + +/* + * Socket read/write functions. + */ + +static int +recv_control (int fd) +{ + unsigned char c; + const ssize_t size = read (fd, &c, sizeof (c)); + if (size == sizeof (c)) + return c; + else + { + /*fprintf (stderr, "AUTH-PAM: DEBUG recv_control.read=%d\n", (int)size);*/ + return -1; + } +} + +static int +send_control (int fd, int code) +{ + unsigned char c = (unsigned char) code; + const ssize_t size = write (fd, &c, sizeof (c)); + if (size == sizeof (c)) + return (int) size; + else + return -1; +} + +static int +recv_string (int fd, char *buffer, int len) +{ + if (len > 0) + { + ssize_t size; + memset (buffer, 0, len); + size = read (fd, buffer, len); + buffer[len-1] = 0; + if (size >= 1) + return (int)size; + } + return -1; +} + +static int +send_string (int fd, const char *string) +{ + const int len = strlen (string) + 1; + const ssize_t size = write (fd, string, len); + if (size == len) + return (int) size; + else + return -1; +} + +#ifdef DO_DAEMONIZE + +/* + * Daemonize if "daemon" env var is true. + * Preserve stderr across daemonization if + * "daemon_log_redirect" env var is true. + */ +static void +daemonize (const char *envp[]) +{ + const char *daemon_string = get_env ("daemon", envp); + if (daemon_string && daemon_string[0] == '1') + { + const char *log_redirect = get_env ("daemon_log_redirect", envp); + int fd = -1; + if (log_redirect && log_redirect[0] == '1') + fd = dup (2); + if (daemon (0, 0) < 0) + { + fprintf (stderr, "AUTH-PAM: daemonization failed\n"); + } + else if (fd >= 3) + { + dup2 (fd, 2); + close (fd); + } + } +} + +#endif + +/* + * Close most of parent's fds. + * Keep stdin/stdout/stderr, plus one + * other fd which is presumed to be + * our pipe back to parent. + * Admittedly, a bit of a kludge, + * but posix doesn't give us a kind + * of FD_CLOEXEC which will stop + * fds from crossing a fork(). + */ +static void +close_fds_except (int keep) +{ + int i; + closelog (); + for (i = 3; i <= 100; ++i) + { + if (i != keep) + close (i); + } +} + +/* + * Usually we ignore signals, because our parent will + * deal with them. + */ +static void +set_signals (void) +{ + signal (SIGTERM, SIG_DFL); + + signal (SIGINT, SIG_IGN); + signal (SIGHUP, SIG_IGN); + signal (SIGUSR1, SIG_IGN); + signal (SIGUSR2, SIG_IGN); + signal (SIGPIPE, SIG_IGN); +} + +/* + * Return 1 if query matches match. + */ +static int +name_value_match (const char *query, const char *match) +{ + while (!isalnum (*query)) + { + if (*query == '\0') + return 0; + ++query; + } + return strncasecmp (match, query, strlen (match)) == 0; +} + +OPENVPN_EXPORT openvpn_plugin_handle_t +openvpn_plugin_open_v1 (unsigned int *type_mask, const char *argv[], const char *envp[]) +{ + pid_t pid; + int fd[2]; + + struct auth_pam_context *context; + struct name_value_list name_value_list; + + const int base_parms = 2; + + /* + * Allocate our context + */ + context = (struct auth_pam_context *) calloc (1, sizeof (struct auth_pam_context)); + if (!context) + goto error; + context->foreground_fd = -1; + + /* + * Intercept the --auth-user-pass-verify callback. + */ + *type_mask = OPENVPN_PLUGIN_MASK (OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY); + + /* + * Make sure we have two string arguments: the first is the .so name, + * the second is the PAM service type. + */ + if (string_array_len (argv) < base_parms) + { + fprintf (stderr, "AUTH-PAM: need PAM service parameter\n"); + goto error; + } + + /* + * See if we have optional name/value pairs to match against + * PAM module queried fields in the conversation function. + */ + name_value_list.len = 0; + if (string_array_len (argv) > base_parms) + { + const int nv_len = string_array_len (argv) - base_parms; + int i; + + if ((nv_len & 1) == 1 || (nv_len / 2) > N_NAME_VALUE) + { + fprintf (stderr, "AUTH-PAM: bad name/value list length\n"); + goto error; + } + + name_value_list.len = nv_len / 2; + for (i = 0; i < name_value_list.len; ++i) + { + const int base = base_parms + i * 2; + name_value_list.data[i].name = argv[base]; + name_value_list.data[i].value = argv[base+1]; + } + } + + /* + * Get verbosity level from environment + */ + { + const char *verb_string = get_env ("verb", envp); + if (verb_string) + context->verb = atoi (verb_string); + } + + /* + * Make a socket for foreground and background processes + * to communicate. + */ + if (socketpair (PF_UNIX, SOCK_DGRAM, 0, fd) == -1) + { + fprintf (stderr, "AUTH-PAM: socketpair call failed\n"); + goto error; + } + + /* + * Fork off the privileged process. It will remain privileged + * even after the foreground process drops its privileges. + */ + pid = fork (); + + if (pid) + { + int status; + + /* + * Foreground Process + */ + + context->background_pid = pid; + + /* close our copy of child's socket */ + close (fd[1]); + + /* don't let future subprocesses inherit child socket */ + if (fcntl (fd[0], F_SETFD, FD_CLOEXEC) < 0) + fprintf (stderr, "AUTH-PAM: Set FD_CLOEXEC flag on socket file descriptor failed\n"); + + /* wait for background child process to initialize */ + status = recv_control (fd[0]); + if (status == RESPONSE_INIT_SUCCEEDED) + { + context->foreground_fd = fd[0]; + return (openvpn_plugin_handle_t) context; + } + } + else + { + /* + * Background Process + */ + + /* close all parent fds except our socket back to parent */ + close_fds_except (fd[1]); + + /* Ignore most signals (the parent will receive them) */ + set_signals (); + +#ifdef DO_DAEMONIZE + /* Daemonize if --daemon option is set. */ + daemonize (envp); +#endif + + /* execute the event loop */ + pam_server (fd[1], argv[1], context->verb, &name_value_list); + + close (fd[1]); + + exit (0); + return 0; /* NOTREACHED */ + } + + error: + if (context) + free (context); + return NULL; +} + +OPENVPN_EXPORT int +openvpn_plugin_func_v1 (openvpn_plugin_handle_t handle, const int type, const char *argv[], const char *envp[]) +{ + struct auth_pam_context *context = (struct auth_pam_context *) handle; + + if (type == OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY && context->foreground_fd >= 0) + { + /* get username/password from envp string array */ + const char *username = get_env ("username", envp); + const char *password = get_env ("password", envp); + const char *common_name = get_env ("common_name", envp) ? get_env ("common_name", envp) : ""; + + if (username && strlen (username) > 0 && password) + { + if (send_control (context->foreground_fd, COMMAND_VERIFY) == -1 + || send_string (context->foreground_fd, username) == -1 + || send_string (context->foreground_fd, password) == -1 + || send_string (context->foreground_fd, common_name) == -1) + { + fprintf (stderr, "AUTH-PAM: Error sending auth info to background process\n"); + } + else + { + const int status = recv_control (context->foreground_fd); + if (status == RESPONSE_VERIFY_SUCCEEDED) + return OPENVPN_PLUGIN_FUNC_SUCCESS; + if (status == -1) + fprintf (stderr, "AUTH-PAM: Error receiving auth confirmation from background process\n"); + } + } + } + return OPENVPN_PLUGIN_FUNC_ERROR; +} + +OPENVPN_EXPORT void +openvpn_plugin_close_v1 (openvpn_plugin_handle_t handle) +{ + struct auth_pam_context *context = (struct auth_pam_context *) handle; + + if (DEBUG (context->verb)) + fprintf (stderr, "AUTH-PAM: close\n"); + + if (context->foreground_fd >= 0) + { + /* tell background process to exit */ + if (send_control (context->foreground_fd, COMMAND_EXIT) == -1) + fprintf (stderr, "AUTH-PAM: Error signaling background process to exit\n"); + + /* wait for background process to exit */ + if (context->background_pid > 0) + waitpid (context->background_pid, NULL, 0); + + close (context->foreground_fd); + context->foreground_fd = -1; + } + + free (context); +} + +OPENVPN_EXPORT void +openvpn_plugin_abort_v1 (openvpn_plugin_handle_t handle) +{ + struct auth_pam_context *context = (struct auth_pam_context *) handle; + + /* tell background process to exit */ + if (context && context->foreground_fd >= 0) + { + send_control (context->foreground_fd, COMMAND_EXIT); + close (context->foreground_fd); + context->foreground_fd = -1; + } +} + +/* + * PAM conversation function + */ +static int +my_conv (int n, const struct pam_message **msg_array, + struct pam_response **response_array, void *appdata_ptr) +{ + const struct user_pass *up = ( const struct user_pass *) appdata_ptr; + struct pam_response *aresp; + int i; + int ret = PAM_SUCCESS; + + *response_array = NULL; + + if (n <= 0 || n > PAM_MAX_NUM_MSG) + return (PAM_CONV_ERR); + if ((aresp = calloc (n, sizeof *aresp)) == NULL) + return (PAM_BUF_ERR); + + /* loop through each PAM-module query */ + for (i = 0; i < n; ++i) + { + const struct pam_message *msg = msg_array[i]; + aresp[i].resp_retcode = 0; + aresp[i].resp = NULL; + + if (DEBUG (up->verb)) + { + fprintf (stderr, "AUTH-PAM: BACKGROUND: my_conv[%d] query='%s' style=%d\n", + i, + msg->msg ? msg->msg : "NULL", + msg->msg_style); + } + + if (up->name_value_list && up->name_value_list->len > 0) + { + /* use name/value list match method */ + const struct name_value_list *list = up->name_value_list; + int j; + + /* loop through name/value pairs */ + for (j = 0; j < list->len; ++j) + { + const char *match_name = list->data[j].name; + const char *match_value = list->data[j].value; + + if (name_value_match (msg->msg, match_name)) + { + /* found name/value match */ + aresp[i].resp = NULL; + + if (DEBUG (up->verb)) + fprintf (stderr, "AUTH-PAM: BACKGROUND: name match found, query/match-string ['%s', '%s'] = '%s'\n", + msg->msg, + match_name, + match_value); + + if (strstr(match_value, "USERNAME")) + aresp[i].resp = searchandreplace(match_value, "USERNAME", up->username); + else if (strstr(match_value, "PASSWORD")) + aresp[i].resp = searchandreplace(match_value, "PASSWORD", up->password); + else if (strstr(match_value, "COMMONNAME")) + aresp[i].resp = searchandreplace(match_value, "COMMONNAME", up->common_name); + else + aresp[i].resp = strdup (match_value); + + if (aresp[i].resp == NULL) + ret = PAM_CONV_ERR; + break; + } + } + + if (j == list->len) + ret = PAM_CONV_ERR; + } + else + { + /* use PAM_PROMPT_ECHO_x hints */ + switch (msg->msg_style) + { + case PAM_PROMPT_ECHO_OFF: + aresp[i].resp = strdup (up->password); + if (aresp[i].resp == NULL) + ret = PAM_CONV_ERR; + break; + + case PAM_PROMPT_ECHO_ON: + aresp[i].resp = strdup (up->username); + if (aresp[i].resp == NULL) + ret = PAM_CONV_ERR; + break; + + case PAM_ERROR_MSG: + case PAM_TEXT_INFO: + break; + + default: + ret = PAM_CONV_ERR; + break; + } + } + } + + if (ret == PAM_SUCCESS) + *response_array = aresp; + return ret; +} + +/* + * Return 1 if authenticated and 0 if failed. + * Called once for every username/password + * to be authenticated. + */ +static int +pam_auth (const char *service, const struct user_pass *up) +{ + struct pam_conv conv; + pam_handle_t *pamh = NULL; + int status = PAM_SUCCESS; + int ret = 0; + const int name_value_list_provided = (up->name_value_list && up->name_value_list->len > 0); + + /* Initialize PAM */ + conv.conv = my_conv; + conv.appdata_ptr = (void *)up; + status = pam_start (service, name_value_list_provided ? NULL : up->username, &conv, &pamh); + if (status == PAM_SUCCESS) + { + /* Call PAM to verify username/password */ + status = pam_authenticate(pamh, 0); + if (status == PAM_SUCCESS) + status = pam_acct_mgmt (pamh, 0); + if (status == PAM_SUCCESS) + ret = 1; + + /* Output error message if failed */ + if (!ret) + { + fprintf (stderr, "AUTH-PAM: BACKGROUND: user '%s' failed to authenticate: %s\n", + up->username, + pam_strerror (pamh, status)); + } + + /* Close PAM */ + pam_end (pamh, status); + } + + return ret; +} + +/* + * Background process -- runs with privilege. + */ +static void +pam_server (int fd, const char *service, int verb, const struct name_value_list *name_value_list) +{ + struct user_pass up; + int command; +#ifdef USE_PAM_DLOPEN + static const char pam_so[] = "libpam.so"; +#endif + + /* + * Do initialization + */ + if (DEBUG (verb)) + fprintf (stderr, "AUTH-PAM: BACKGROUND: INIT service='%s'\n", service); + +#ifdef USE_PAM_DLOPEN + /* + * Load PAM shared object + */ + if (!dlopen_pam (pam_so)) + { + fprintf (stderr, "AUTH-PAM: BACKGROUND: could not load PAM lib %s: %s\n", pam_so, dlerror()); + send_control (fd, RESPONSE_INIT_FAILED); + goto done; + } +#endif + + /* + * Tell foreground that we initialized successfully + */ + if (send_control (fd, RESPONSE_INIT_SUCCEEDED) == -1) + { + fprintf (stderr, "AUTH-PAM: BACKGROUND: write error on response socket [1]\n"); + goto done; + } + + /* + * Event loop + */ + while (1) + { + memset (&up, 0, sizeof (up)); + up.verb = verb; + up.name_value_list = name_value_list; + + /* get a command from foreground process */ + command = recv_control (fd); + + if (DEBUG (verb)) + fprintf (stderr, "AUTH-PAM: BACKGROUND: received command code: %d\n", command); + + switch (command) + { + case COMMAND_VERIFY: + if (recv_string (fd, up.username, sizeof (up.username)) == -1 + || recv_string (fd, up.password, sizeof (up.password)) == -1 + || recv_string (fd, up.common_name, sizeof (up.common_name)) == -1) + { + fprintf (stderr, "AUTH-PAM: BACKGROUND: read error on command channel: code=%d, exiting\n", + command); + goto done; + } + + if (DEBUG (verb)) + { +#if 0 + fprintf (stderr, "AUTH-PAM: BACKGROUND: USER/PASS: %s/%s\n", + up.username, up.password); +#else + fprintf (stderr, "AUTH-PAM: BACKGROUND: USER: %s\n", up.username); +#endif + } + + if (pam_auth (service, &up)) /* Succeeded */ + { + if (send_control (fd, RESPONSE_VERIFY_SUCCEEDED) == -1) + { + fprintf (stderr, "AUTH-PAM: BACKGROUND: write error on response socket [2]\n"); + goto done; + } + } + else /* Failed */ + { + if (send_control (fd, RESPONSE_VERIFY_FAILED) == -1) + { + fprintf (stderr, "AUTH-PAM: BACKGROUND: write error on response socket [3]\n"); + goto done; + } + } + break; + + case COMMAND_EXIT: + goto done; + + case -1: + fprintf (stderr, "AUTH-PAM: BACKGROUND: read error on command channel\n"); + goto done; + + default: + fprintf (stderr, "AUTH-PAM: BACKGROUND: unknown command code: code=%d, exiting\n", + command); + goto done; + } + } + done: + +#ifdef USE_PAM_DLOPEN + dlclose_pam (); +#endif + if (DEBUG (verb)) + fprintf (stderr, "AUTH-PAM: BACKGROUND: EXIT\n"); + + return; +} diff --git a/src/plugins/auth-pam/auth-pam.exports b/src/plugins/auth-pam/auth-pam.exports new file mode 100644 index 0000000..b07937c --- /dev/null +++ b/src/plugins/auth-pam/auth-pam.exports @@ -0,0 +1,4 @@ +openvpn_plugin_open_v1 +openvpn_plugin_func_v1 +openvpn_plugin_close_v1 +openvpn_plugin_abort_v1 diff --git a/src/plugins/auth-pam/pamdl.c b/src/plugins/auth-pam/pamdl.c new file mode 100644 index 0000000..26e9821 --- /dev/null +++ b/src/plugins/auth-pam/pamdl.c @@ -0,0 +1,184 @@ +#ifdef HAVE_CONFIG_H +#include <config.h> +#endif + +#ifdef USE_PAM_DLOPEN +/* + * If you want to dynamically load libpam using dlopen() or something, + * then dlopen( ' this shared object ' ); It takes care of exporting + * the right symbols to any modules loaded by libpam. + * + * Modified by JY for use with openvpn-pam-auth + */ + +#include <stdio.h> +#include <dlfcn.h> +#include <security/pam_appl.h> + +#include "pamdl.h" + +static void *libpam_h = NULL; + +#define RESOLVE_PAM_FUNCTION(x, y, z, err) \ + { \ + union { const void *tpointer; y (*fn) z ; } fptr; \ + fptr.tpointer = dlsym(libpam_h, #x); real_##x = fptr.fn; \ + if (real_##x == NULL) { \ + fprintf (stderr, "PAMDL: unable to resolve '%s': %s\n", #x, dlerror()); \ + return err; \ + } \ + } + +int +dlopen_pam (const char *so) +{ + if (libpam_h == NULL) + { + libpam_h = dlopen(so, RTLD_GLOBAL|RTLD_NOW); + } + return libpam_h != NULL; +} + +void +dlclose_pam (void) +{ + if (libpam_h != NULL) + { + dlclose(libpam_h); + libpam_h = NULL; + } +} + +int pam_start(const char *service_name, const char *user, + const struct pam_conv *pam_conversation, + pam_handle_t **pamh) +{ + int (*real_pam_start)(const char *, const char *, + const struct pam_conv *, + pam_handle_t **); + RESOLVE_PAM_FUNCTION(pam_start, int, (const char *, const char *, + const struct pam_conv *, + pam_handle_t **), PAM_ABORT); + return real_pam_start(service_name, user, pam_conversation, pamh); +} + +int pam_end(pam_handle_t *pamh, int pam_status) +{ + int (*real_pam_end)(pam_handle_t *, int); + RESOLVE_PAM_FUNCTION(pam_end, int, (pam_handle_t *, int), PAM_ABORT); + return real_pam_end(pamh, pam_status); +} + +int pam_set_item(pam_handle_t *pamh, int item_type, const void *item) +{ + int (*real_pam_set_item)(pam_handle_t *, int, const void *); + RESOLVE_PAM_FUNCTION(pam_set_item, int, + (pam_handle_t *, int, const void *), PAM_ABORT); + return real_pam_set_item(pamh, item_type, item); +} + +int pam_get_item(const pam_handle_t *pamh, int item_type, const void **item) +{ + int (*real_pam_get_item)(const pam_handle_t *, int, const void **); + RESOLVE_PAM_FUNCTION(pam_get_item, int, + (const pam_handle_t *, int, const void **), + PAM_ABORT); + return real_pam_get_item(pamh, item_type, item); +} + +int pam_fail_delay(pam_handle_t *pamh, unsigned int musec_delay) +{ + int (*real_pam_fail_delay)(pam_handle_t *, unsigned int); + RESOLVE_PAM_FUNCTION(pam_fail_delay, int, (pam_handle_t *, unsigned int), + PAM_ABORT); + return real_pam_fail_delay(pamh, musec_delay); +} + +typedef const char * const_char_pointer; + +const_char_pointer pam_strerror(pam_handle_t *pamh, int errnum) +{ + const_char_pointer (*real_pam_strerror)(pam_handle_t *, int); + RESOLVE_PAM_FUNCTION(pam_strerror, const_char_pointer, + (pam_handle_t *, int), NULL); + return real_pam_strerror(pamh, errnum); +} + +int pam_putenv(pam_handle_t *pamh, const char *name_value) +{ + int (*real_pam_putenv)(pam_handle_t *, const char *); + RESOLVE_PAM_FUNCTION(pam_putenv, int, (pam_handle_t *, const char *), + PAM_ABORT); + return real_pam_putenv(pamh, name_value); +} + +const_char_pointer pam_getenv(pam_handle_t *pamh, const char *name) +{ + const_char_pointer (*real_pam_getenv)(pam_handle_t *, const char *); + RESOLVE_PAM_FUNCTION(pam_getenv, const_char_pointer, + (pam_handle_t *, const char *), NULL); + return real_pam_getenv(pamh, name); +} + +typedef char ** char_ppointer; +char_ppointer pam_getenvlist(pam_handle_t *pamh) +{ + char_ppointer (*real_pam_getenvlist)(pam_handle_t *); + RESOLVE_PAM_FUNCTION(pam_getenvlist, char_ppointer, (pam_handle_t *), + NULL); + return real_pam_getenvlist(pamh); +} + +/* Authentication management */ + +int pam_authenticate(pam_handle_t *pamh, int flags) +{ + int (*real_pam_authenticate)(pam_handle_t *, int); + RESOLVE_PAM_FUNCTION(pam_authenticate, int, (pam_handle_t *, int), + PAM_ABORT); + return real_pam_authenticate(pamh, flags); +} + +int pam_setcred(pam_handle_t *pamh, int flags) +{ + int (*real_pam_setcred)(pam_handle_t *, int); + RESOLVE_PAM_FUNCTION(pam_setcred, int, (pam_handle_t *, int), PAM_ABORT); + return real_pam_setcred(pamh, flags); +} + +/* Account Management API's */ + +int pam_acct_mgmt(pam_handle_t *pamh, int flags) +{ + int (*real_pam_acct_mgmt)(pam_handle_t *, int); + RESOLVE_PAM_FUNCTION(pam_acct_mgmt, int, (pam_handle_t *, int), PAM_ABORT); + return real_pam_acct_mgmt(pamh, flags); +} + +/* Session Management API's */ + +int pam_open_session(pam_handle_t *pamh, int flags) +{ + int (*real_pam_open_session)(pam_handle_t *, int); + RESOLVE_PAM_FUNCTION(pam_open_session, int, (pam_handle_t *, int), + PAM_ABORT); + return real_pam_open_session(pamh, flags); +} + +int pam_close_session(pam_handle_t *pamh, int flags) +{ + int (*real_pam_close_session)(pam_handle_t *, int); + RESOLVE_PAM_FUNCTION(pam_close_session, int, (pam_handle_t *, int), + PAM_ABORT); + return real_pam_close_session(pamh, flags); +} + +/* Password Management API's */ + +int pam_chauthtok(pam_handle_t *pamh, int flags) +{ + int (*real_pam_chauthtok)(pam_handle_t *, int); + RESOLVE_PAM_FUNCTION(pam_chauthtok, int, (pam_handle_t *, int), PAM_ABORT); + return real_pam_chauthtok(pamh, flags); +} +#endif diff --git a/src/plugins/auth-pam/pamdl.h b/src/plugins/auth-pam/pamdl.h new file mode 100644 index 0000000..12ba068 --- /dev/null +++ b/src/plugins/auth-pam/pamdl.h @@ -0,0 +1,5 @@ +#ifdef USE_PAM_DLOPEN +/* Dynamically load and unload the PAM library */ +int dlopen_pam (const char *so); +void dlclose_pam (void); +#endif |