aboutsummaryrefslogtreecommitdiff
path: root/lib/libpam
diff options
context:
space:
mode:
authorDag-Erling Smørgrav <des@FreeBSD.org>2018-05-16 13:47:30 +0000
committerDag-Erling Smørgrav <des@FreeBSD.org>2018-05-16 13:47:30 +0000
commit716eff476a0a874358784988772671c26d34af81 (patch)
tree77db5de3f95f1d452008f6df886f9b2f29b12a0e /lib/libpam
parentc9a1264c613906294f62a1c3fb793d387babc06b (diff)
downloadsrc-716eff476a0a874358784988772671c26d34af81.tar.gz
src-716eff476a0a874358784988772671c26d34af81.zip
Forward Reply-Message attributes to the user, unless suppressed by the
new no_reply_message option. MFC after: 1 week Sponsored by: The University of Oslo
Notes
Notes: svn path=/head/; revision=333674
Diffstat (limited to 'lib/libpam')
-rw-r--r--lib/libpam/modules/pam_radius/pam_radius.832
-rw-r--r--lib/libpam/modules/pam_radius/pam_radius.c61
2 files changed, 78 insertions, 15 deletions
diff --git a/lib/libpam/modules/pam_radius/pam_radius.8 b/lib/libpam/modules/pam_radius/pam_radius.8
index d71b41434419..9d12c0b0b6ce 100644
--- a/lib/libpam/modules/pam_radius/pam_radius.8
+++ b/lib/libpam/modules/pam_radius/pam_radius.8
@@ -1,8 +1,9 @@
-.\" Copyright (c) 1999
-.\" Andrzej Bialecki <abial@FreeBSD.org>. All rights reserved.
-.\"
+.\"-
.\" Copyright (c) 1992, 1993, 1994
.\" The Regents of the University of California. All rights reserved.
+.\" Copyright (c) 1999 Andrzej Bialecki <abial@FreeBSD.org>
+.\" All rights reserved.
+.\" Copyright (c) 2018 The University of Oslo
.\" All rights reserved.
.\"
.\" This code is derived from software donated to Berkeley by
@@ -34,7 +35,7 @@
.\"
.\" $FreeBSD$
.\"
-.Dd October 28, 2002
+.Dd May 16, 2018
.Dt PAM_RADIUS 8
.Os
.Sh NAME
@@ -80,6 +81,10 @@ specifies a non-standard location for the RADIUS client configuration file
.Pa /etc/radius.conf ) .
.It Cm nas_id Ns = Ns Ar identifier
specifies a NAS identifier to send instead of the hostname.
+.It Cm nas_ipaddr Ns Op No = Ns Ar address
+specifies a NAS IP address to be sent.
+If option is present, but there is no value provided then IP address
+corresponding to the current hostname will be used.
.It Cm template_user Ns = Ns Ar username
specifies a user whose
.Xr passwd 5
@@ -97,10 +102,21 @@ If this option is omitted, and there is no username
in the system databases equal to the supplied one (as determined by call to
.Xr getpwnam 3 ) ,
the authentication will fail.
-.It Cm nas_ipaddr Ns Op No = Ns Ar address
-specifies a NAS IP address to be sent.
-If option is present, but there is no value provided then IP address
-corresponding to the current hostname will be used.
+.It Cm no_reply_message
+suppress printing of the contents of any
+.Cm Reply-Message
+attributes found in
+.Cm Access-Accept
+and
+.Cm Access-Reject
+responses.
+These are normally conveyed to the user as either informational or
+error messages, depending on whether the access request was accepted
+or rejected.
+.It Cm no_warn
+suppress warning messages to the user.
+These messages include reasons why the user's authentication attempt
+was declined.
.El
.Sh FILES
.Bl -tag -width /etc/radius.conf -compact
diff --git a/lib/libpam/modules/pam_radius/pam_radius.c b/lib/libpam/modules/pam_radius/pam_radius.c
index c71d3b954da0..377652382dc4 100644
--- a/lib/libpam/modules/pam_radius/pam_radius.c
+++ b/lib/libpam/modules/pam_radius/pam_radius.c
@@ -5,6 +5,8 @@
* All rights reserved.
* Copyright (c) 2001-2003 Networks Associates Technology, Inc.
* All rights reserved.
+ * Copyright (c) 2015-2018 The University of Oslo
+ * All rights reserved.
*
* Portions of this software were developed for the FreeBSD Project by
* ThinkSec AS and NAI Labs, the Security Research Division of Network
@@ -59,6 +61,7 @@ __FBSDID("$FreeBSD$");
#define PAM_OPT_TEMPLATE_USER "template_user"
#define PAM_OPT_NAS_ID "nas_id"
#define PAM_OPT_NAS_IPADDR "nas_ipaddr"
+#define PAM_OPT_NO_REPLYMSG "no_reply_message"
#define MAX_CHALLENGE_MSGS 10
#define PASSWORD_PROMPT "RADIUS Password:"
@@ -149,15 +152,23 @@ do_accept(pam_handle_t *pamh, struct rad_handle *radh)
char *s;
while ((attrtype = rad_get_attr(radh, &attrval, &attrlen)) > 0) {
- if (attrtype == RAD_USER_NAME) {
- s = rad_cvt_string(attrval, attrlen);
- if (s == NULL) {
- syslog(LOG_CRIT,
- "rad_cvt_string: out of memory");
- return (-1);
- }
+ switch (attrtype) {
+ case RAD_USER_NAME:
+ if ((s = rad_cvt_string(attrval, attrlen)) == NULL)
+ goto enomem;
pam_set_item(pamh, PAM_USER, s);
free(s);
+ break;
+ case RAD_REPLY_MESSAGE:
+ if ((s = rad_cvt_string(attrval, attrlen)) == NULL)
+ goto enomem;
+ if (!openpam_get_option(pamh, PAM_OPT_NO_REPLYMSG))
+ pam_info(pamh, "%s", s);
+ free(s);
+ break;
+ default:
+ PAM_LOG("%s(): ignoring RADIUS attribute %d",
+ __func__, attrtype);
}
}
if (attrtype == -1) {
@@ -165,6 +176,41 @@ do_accept(pam_handle_t *pamh, struct rad_handle *radh)
return (-1);
}
return (0);
+enomem:
+ syslog(LOG_CRIT, "%s(): out of memory", __func__);
+ return (-1);
+}
+
+static int
+do_reject(pam_handle_t *pamh, struct rad_handle *radh)
+{
+ int attrtype;
+ const void *attrval;
+ size_t attrlen;
+ char *s;
+
+ while ((attrtype = rad_get_attr(radh, &attrval, &attrlen)) > 0) {
+ switch (attrtype) {
+ case RAD_REPLY_MESSAGE:
+ if ((s = rad_cvt_string(attrval, attrlen)) == NULL)
+ goto enomem;
+ if (!openpam_get_option(pamh, PAM_OPT_NO_REPLYMSG))
+ pam_error(pamh, "%s", s);
+ free(s);
+ break;
+ default:
+ PAM_LOG("%s(): ignoring RADIUS attribute %d",
+ __func__, attrtype);
+ }
+ }
+ if (attrtype < 0) {
+ syslog(LOG_CRIT, "rad_get_attr: %s", rad_strerror(radh));
+ return (-1);
+ }
+ return (0);
+enomem:
+ syslog(LOG_CRIT, "%s(): out of memory", __func__);
+ return (-1);
}
static int
@@ -332,6 +378,7 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags __unused,
return (PAM_SUCCESS);
case RAD_ACCESS_REJECT:
+ retval = do_reject(pamh, radh);
rad_close(radh);
PAM_VERBOSE_ERROR("Radius rejection");
return (PAM_AUTH_ERR);