mirror of
https://github.com/freebsd/freebsd-src
synced 2024-10-18 06:14:27 +00:00
Add a PAM module that provides an account management component for checking
either PAM_RHOST or PAM_TTY against /etc/login.access.o This uncovers a problem with PAM_RHOST, in that if we always set it, there is no way to distinguish between a user logging in locally and a user logging in using 'ssh localhost'. This will be fixed by first making sure that all PAM modules can handle PAM_RHOST being unset (which is currently not the case), and then modifying su(1) and login(1) to not set it for local logins. Sponsored by: DARPA, NAI Labs
This commit is contained in:
parent
774a10071d
commit
53f3167d07
Notes:
svn2git
2020-12-20 02:59:44 +00:00
svn path=/head/; revision=89707
35
lib/libpam/modules/pam_login_access/Makefile
Normal file
35
lib/libpam/modules/pam_login_access/Makefile
Normal file
|
@ -0,0 +1,35 @@
|
|||
# Copyright 2001 Mark R V Murray
|
||||
# All rights reserved.
|
||||
#
|
||||
# Redistribution and use in source and binary forms, with or without
|
||||
# modification, are permitted provided that the following conditions
|
||||
# are met:
|
||||
# 1. Redistributions of source code must retain the above copyright
|
||||
# notice, this list of conditions and the following disclaimer.
|
||||
# 2. Redistributions in binary form must reproduce the above copyright
|
||||
# notice, this list of conditions and the following disclaimer in the
|
||||
# documentation and/or other materials provided with the distribution.
|
||||
#
|
||||
# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
|
||||
# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
||||
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
||||
# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
|
||||
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
||||
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
|
||||
# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
||||
# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
||||
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
||||
# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
||||
# SUCH DAMAGE.
|
||||
#
|
||||
# $FreeBSD$
|
||||
|
||||
LIB= pam_login_access
|
||||
SHLIB_NAME= pam_login_access.so
|
||||
SRCS= pam_login_access.c login_access.c
|
||||
CFLAGS+= -DLOGIN_ACCESS
|
||||
MAN= pam_login_access.8
|
||||
|
||||
.include <bsd.lib.mk>
|
||||
|
||||
.PATH: ${.CURDIR}/../../../../usr.bin/login
|
87
lib/libpam/modules/pam_login_access/pam_login_access.8
Normal file
87
lib/libpam/modules/pam_login_access/pam_login_access.8
Normal file
|
@ -0,0 +1,87 @@
|
|||
.\" Copyright (c) 2001 Mark R V Murray
|
||||
.\" All rights reserved.
|
||||
.\" Copyright (c) 2001 Networks Associates Technologies, Inc.
|
||||
.\" All rights reserved.
|
||||
.\"
|
||||
.\" Portions of this software were developed for the FreeBSD Project by
|
||||
.\" ThinkSec AS and NAI Labs, the Security Research Division of Network
|
||||
.\" Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035
|
||||
.\" ("CBOSS"), as part of the DARPA CHATS research program.
|
||||
.\"
|
||||
.\" Redistribution and use in source and binary forms, with or without
|
||||
.\" modification, are permitted provided that the following conditions
|
||||
.\" are met:
|
||||
.\" 1. Redistributions of source code must retain the above copyright
|
||||
.\" notice, this list of conditions and the following disclaimer.
|
||||
.\" 2. Redistributions in binary form must reproduce the above copyright
|
||||
.\" notice, this list of conditions and the following disclaimer in the
|
||||
.\" documentation and/or other materials provided with the distribution.
|
||||
.\" 3. The name of the author may not be used to endorse or promote
|
||||
.\" products derived from this software without specific prior written
|
||||
.\" permission.
|
||||
.\"
|
||||
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
|
||||
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
||||
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
||||
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
|
||||
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
||||
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
|
||||
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
||||
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
||||
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
||||
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
||||
.\" SUCH DAMAGE.
|
||||
.\"
|
||||
.\" $FreeBSD$
|
||||
.\"
|
||||
.Dd December 5, 2001
|
||||
.Dt PAM_LOGIN_ACCESS 8
|
||||
.Os
|
||||
.Sh NAME
|
||||
.Nm pam_login_access
|
||||
.Nd Self PAM module
|
||||
.Sh SYNOPSIS
|
||||
.Op Ar service-name
|
||||
.Ar module-type
|
||||
.Ar control-flag
|
||||
.Pa pam_login_access
|
||||
.Op Ar options
|
||||
.Sh DESCRIPTION
|
||||
The
|
||||
.Pa login.access
|
||||
authentication service module for PAM,
|
||||
.Nm
|
||||
provides functionality for only one PAM category:
|
||||
account management.
|
||||
In terms of the
|
||||
.Ar module-type
|
||||
parameter, this is the
|
||||
.Dq Li account
|
||||
feature.
|
||||
.Ss Login.access Account Management Module
|
||||
The
|
||||
.Pa login.access
|
||||
account management component
|
||||
.Pq Fn pam_sm_acct_mgmt ,
|
||||
returns success if and only the user is allowed to login in on the
|
||||
specified tty (in the case of a local login) or from the specified
|
||||
remote host (in the case of a remote login), according to the
|
||||
restrictions listed in
|
||||
.Pa /etc/login.access .
|
||||
.Sh SEE ALSO
|
||||
.Xr login.access 5 ,
|
||||
.Xr pam.conf 5 ,
|
||||
.Xr pam 8
|
||||
.Sh AUTHORS
|
||||
The
|
||||
.Xr login.access 5
|
||||
access control scheme was designed and implemented by
|
||||
.An Wietse Venema .
|
||||
.Pp
|
||||
The
|
||||
.Nm
|
||||
module and this manual page were developed for the FreeBSD Project by
|
||||
ThinkSec AS and NAI Labs, the Security Research Division of Network
|
||||
Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035
|
||||
.Pq Dq CBOSS ,
|
||||
as part of the DARPA CHATS research program.
|
163
lib/libpam/modules/pam_login_access/pam_login_access.c
Normal file
163
lib/libpam/modules/pam_login_access/pam_login_access.c
Normal file
|
@ -0,0 +1,163 @@
|
|||
/*-
|
||||
* Copyright (c) 2001 Mark R V Murray
|
||||
* All rights reserved.
|
||||
* Copyright (c) 2001 Networks Associates Technologies, Inc.
|
||||
* All rights reserved.
|
||||
*
|
||||
* Portions of this software were developed for the FreeBSD Project by
|
||||
* ThinkSec AS and NAI Labs, the Security Research Division of Network
|
||||
* Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035
|
||||
* ("CBOSS"), as part of the DARPA CHATS research program.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
* are met:
|
||||
* 1. Redistributions of source code must retain the above copyright
|
||||
* notice, this list of conditions and the following disclaimer.
|
||||
* 2. Redistributions in binary form must reproduce the above copyright
|
||||
* notice, this list of conditions and the following disclaimer in the
|
||||
* documentation and/or other materials provided with the distribution.
|
||||
* 3. The name of the author may not be used to endorse or promote
|
||||
* products derived from this software without specific prior written
|
||||
* permission.
|
||||
*
|
||||
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
|
||||
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
||||
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
||||
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
|
||||
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
||||
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
|
||||
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
||||
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
||||
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
||||
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
||||
* SUCH DAMAGE.
|
||||
*/
|
||||
|
||||
#include <sys/cdefs.h>
|
||||
__FBSDID("$FreeBSD$");
|
||||
|
||||
#define _BSD_SOURCE
|
||||
|
||||
#include <sys/param.h>
|
||||
|
||||
#include <unistd.h>
|
||||
#include <syslog.h>
|
||||
|
||||
#define PAM_SM_AUTH
|
||||
#define PAM_SM_ACCOUNT
|
||||
#define PAM_SM_SESSION
|
||||
#define PAM_SM_PASSWORD
|
||||
|
||||
#include <security/pam_modules.h>
|
||||
#include <pam_mod_misc.h>
|
||||
|
||||
extern int login_access(const char *, const char *);
|
||||
|
||||
PAM_EXTERN int
|
||||
pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv)
|
||||
{
|
||||
struct options options;
|
||||
|
||||
pam_std_option(&options, NULL, argc, argv);
|
||||
|
||||
PAM_LOG("Options processed");
|
||||
|
||||
PAM_RETURN(PAM_IGNORE);
|
||||
}
|
||||
|
||||
PAM_EXTERN int
|
||||
pam_sm_setcred(pam_handle_t *pamh, int flags, int argc, const char **argv)
|
||||
{
|
||||
struct options options;
|
||||
|
||||
pam_std_option(&options, NULL, argc, argv);
|
||||
|
||||
PAM_LOG("Options processed");
|
||||
|
||||
PAM_RETURN(PAM_IGNORE);
|
||||
}
|
||||
|
||||
PAM_EXTERN int
|
||||
pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, int argc ,const char **argv)
|
||||
{
|
||||
struct options options;
|
||||
const char *rhost, *tty, *user;
|
||||
char hostname[MAXHOSTNAMELEN];
|
||||
int pam_err;
|
||||
|
||||
pam_std_option(&options, NULL, argc, argv);
|
||||
|
||||
PAM_LOG("Options processed");
|
||||
|
||||
pam_err = pam_get_item(pamh, PAM_USER, (const void **)&user);
|
||||
if (pam_err != PAM_SUCCESS)
|
||||
PAM_RETURN(pam_err);
|
||||
|
||||
if (user == NULL)
|
||||
PAM_RETURN(PAM_SERVICE_ERR);
|
||||
|
||||
PAM_LOG("Got user: %s", user);
|
||||
|
||||
pam_err = pam_get_item(pamh, PAM_RHOST, (const void **)&rhost);
|
||||
if (pam_err != PAM_SUCCESS)
|
||||
PAM_RETURN(pam_err);
|
||||
|
||||
pam_err = pam_get_item(pamh, PAM_TTY, (const void **)&tty);
|
||||
if (pam_err != PAM_SUCCESS)
|
||||
PAM_RETURN(pam_err);
|
||||
|
||||
gethostname(hostname, sizeof hostname);
|
||||
|
||||
if (strcmp(hostname, rhost) == 0) {
|
||||
PAM_LOG("Checking login.access for user %s on tty %s",
|
||||
user, tty);
|
||||
if (login_access(user, tty) != 0)
|
||||
PAM_RETURN(PAM_SUCCESS);
|
||||
} else {
|
||||
PAM_LOG("Checking login.access for user %s from host %s",
|
||||
user, rhost);
|
||||
if (login_access(user, rhost) != 0)
|
||||
PAM_RETURN(PAM_SUCCESS);
|
||||
}
|
||||
|
||||
PAM_RETURN(PAM_AUTH_ERR);
|
||||
}
|
||||
|
||||
PAM_EXTERN int
|
||||
pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, const char **argv)
|
||||
{
|
||||
struct options options;
|
||||
|
||||
pam_std_option(&options, NULL, argc, argv);
|
||||
|
||||
PAM_LOG("Options processed");
|
||||
|
||||
PAM_RETURN(PAM_IGNORE);
|
||||
}
|
||||
|
||||
PAM_EXTERN int
|
||||
pam_sm_open_session(pam_handle_t *pamh, int flags, int argc, const char **argv)
|
||||
{
|
||||
struct options options;
|
||||
|
||||
pam_std_option(&options, NULL, argc, argv);
|
||||
|
||||
PAM_LOG("Options processed");
|
||||
|
||||
PAM_RETURN(PAM_IGNORE);
|
||||
}
|
||||
|
||||
PAM_EXTERN int
|
||||
pam_sm_close_session(pam_handle_t *pamh, int flags, int argc, const char **argv)
|
||||
{
|
||||
struct options options;
|
||||
|
||||
pam_std_option(&options, NULL, argc, argv);
|
||||
|
||||
PAM_LOG("Options processed");
|
||||
|
||||
PAM_RETURN(PAM_IGNORE);
|
||||
}
|
||||
|
||||
PAM_MODULE_ENTRY("pam_self");
|
Loading…
Reference in a new issue