Diffstat (limited to 'lib/libpam/modules')
105 files changed, 640 insertions, 925 deletions
diff --git a/lib/libpam/modules/Makefile b/lib/libpam/modules/Makefile index ee1359bd3acc..0fd25117025c 100644 --- a/lib/libpam/modules/Makefile +++ b/lib/libpam/modules/Makefile @@ -22,7 +22,6 @@ # OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF # SUCH DAMAGE. # -# $FreeBSD$ .include "modules.inc" diff --git a/lib/libpam/modules/Makefile.inc b/lib/libpam/modules/Makefile.inc index 87885c36b350..955ee5224198 100644 --- a/lib/libpam/modules/Makefile.inc +++ b/lib/libpam/modules/Makefile.inc @@ -1,4 +1,3 @@ -# $FreeBSD$ PAMDIR= ${SRCTOP}/contrib/openpam diff --git a/lib/libpam/modules/modules.inc b/lib/libpam/modules/modules.inc index 02debf7a4330..f3ab65333f4f 100644 --- a/lib/libpam/modules/modules.inc +++ b/lib/libpam/modules/modules.inc @@ -1,4 +1,3 @@ -# $FreeBSD$ .include <src.opts.mk> @@ -17,8 +16,6 @@ MODULES += pam_ksu MODULES += pam_lastlog MODULES += pam_login_access MODULES += pam_nologin -MODULES += pam_opie -MODULES += pam_opieaccess MODULES += pam_passwdqc MODULES += pam_permit .if ${MK_RADIUS_SUPPORT} != "no" @@ -33,3 +30,4 @@ MODULES += pam_ssh .endif MODULES += pam_tacplus MODULES += pam_unix +MODULES += pam_xdg
\ No newline at end of file diff --git a/lib/libpam/modules/pam_chroot/Makefile b/lib/libpam/modules/pam_chroot/Makefile index 6d0fc0ef7a56..ca4f3cc17443 100644 --- a/lib/libpam/modules/pam_chroot/Makefile +++ b/lib/libpam/modules/pam_chroot/Makefile @@ -1,4 +1,3 @@ -# $FreeBSD$ LIB= pam_chroot SRCS= pam_chroot.c diff --git a/lib/libpam/modules/pam_chroot/Makefile.depend b/lib/libpam/modules/pam_chroot/Makefile.depend index a3a7ac4e5850..0665960a2cd2 100644 --- a/lib/libpam/modules/pam_chroot/Makefile.depend +++ b/lib/libpam/modules/pam_chroot/Makefile.depend @@ -1,8 +1,6 @@ -# $FreeBSD$ # Autogenerated - do NOT edit! DIRDEPS = \ - gnu/lib/csu \ include \ include/xlocale \ lib/${CSU_DIR} \ diff --git a/lib/libpam/modules/pam_chroot/pam_chroot.8 b/lib/libpam/modules/pam_chroot/pam_chroot.8 index 1bb48008d781..e65c513b7b77 100644 --- a/lib/libpam/modules/pam_chroot/pam_chroot.8 +++ b/lib/libpam/modules/pam_chroot/pam_chroot.8 @@ -30,8 +30,6 @@ .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.\" $FreeBSD$ -.\" .Dd February 10, 2003 .Dt PAM_CHROOT 8 .Os @@ -81,7 +79,7 @@ the user's home directory. .El .Sh SEE ALSO .Xr pam.conf 5 , -.Xr pam 8 +.Xr pam 3 .Sh AUTHORS The .Nm diff --git a/lib/libpam/modules/pam_chroot/pam_chroot.c b/lib/libpam/modules/pam_chroot/pam_chroot.c index d468c3390819..346be34683c1 100644 --- a/lib/libpam/modules/pam_chroot/pam_chroot.c +++ b/lib/libpam/modules/pam_chroot/pam_chroot.c @@ -34,9 +34,6 @@ * SUCH DAMAGE. */ -#include <sys/cdefs.h> -__FBSDID("$FreeBSD$"); - #include <sys/param.h> #include <pwd.h> diff --git a/lib/libpam/modules/pam_deny/Makefile b/lib/libpam/modules/pam_deny/Makefile index 3bf819692747..862d1859d0d6 100644 --- a/lib/libpam/modules/pam_deny/Makefile +++ b/lib/libpam/modules/pam_deny/Makefile @@ -22,7 +22,6 @@ # OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF # SUCH DAMAGE. # -# $FreeBSD$ LIB= pam_deny SRCS= pam_deny.c 
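Review bot: Removing pam_opie and pam_opieaccess from MODULES leaves any pam.conf or pam.d policy that still names pam_opie.so or pam_opieaccess.so pointing at a module that no longer ships, and as far as I recall OpenPAM treats a module that fails to load as a policy error rather than something to skip, so for upgraded hosts this is a lockout risk rather than a harmless tidy-up. Only lib/libpam/modules is visible here; if the stock /etc/pam.d templates and UPDATING are not adjusted elsewhere in this commit, that should be added. A short comment above `+MODULES += pam_xdg` recording the OPIE removal would help anyone bisecting a later login failure, and modules.inc should end with a newline.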
diff --git a/lib/libpam/modules/pam_deny/Makefile.depend b/lib/libpam/modules/pam_deny/Makefile.depend index 5fb710255efc..a8b8ddf9d074 100644 --- a/lib/libpam/modules/pam_deny/Makefile.depend +++ b/lib/libpam/modules/pam_deny/Makefile.depend @@ -1,8 +1,6 @@ -# $FreeBSD$ # Autogenerated - do NOT edit! DIRDEPS = \ - gnu/lib/csu \ include \ lib/${CSU_DIR} \ lib/libc \ diff --git a/lib/libpam/modules/pam_deny/pam_deny.8 b/lib/libpam/modules/pam_deny/pam_deny.8 index d9544be9b09f..530bae05c1f3 100644 --- a/lib/libpam/modules/pam_deny/pam_deny.8 +++ b/lib/libpam/modules/pam_deny/pam_deny.8 @@ -22,8 +22,6 @@ .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.\" $FreeBSD$ -.\" .Dd July 7, 2001 .Dt PAM_DENY 8 .Os @@ -77,4 +75,4 @@ authentication attempt was declined. .Sh SEE ALSO .Xr syslog 3 , .Xr pam.conf 5 , -.Xr pam 8 +.Xr pam 3 diff --git a/lib/libpam/modules/pam_deny/pam_deny.c b/lib/libpam/modules/pam_deny/pam_deny.c index 372e7e364c08..a3edb213141a 100644 --- a/lib/libpam/modules/pam_deny/pam_deny.c +++ b/lib/libpam/modules/pam_deny/pam_deny.c @@ -27,8 +27,6 @@ */ #include <sys/cdefs.h> -__FBSDID("$FreeBSD$"); - #include <stddef.h> #define PAM_SM_AUTH diff --git a/lib/libpam/modules/pam_echo/Makefile b/lib/libpam/modules/pam_echo/Makefile index 6f239460e9b0..58aae0053be9 100644 --- a/lib/libpam/modules/pam_echo/Makefile +++ b/lib/libpam/modules/pam_echo/Makefile @@ -1,4 +1,3 @@ -# $FreeBSD$ LIB= pam_echo SRCS= pam_echo.c diff --git a/lib/libpam/modules/pam_echo/Makefile.depend b/lib/libpam/modules/pam_echo/Makefile.depend index a3a7ac4e5850..0665960a2cd2 100644 --- a/lib/libpam/modules/pam_echo/Makefile.depend +++ b/lib/libpam/modules/pam_echo/Makefile.depend @@ -1,8 +1,6 @@ -# $FreeBSD$ # Autogenerated - do NOT edit! DIRDEPS = \ - gnu/lib/csu \ include \ include/xlocale \ lib/${CSU_DIR} \ 
diff --git a/lib/libpam/modules/pam_echo/pam_echo.8 b/lib/libpam/modules/pam_echo/pam_echo.8 index 3066007dca74..c38d4d8cee55 100644 --- a/lib/libpam/modules/pam_echo/pam_echo.8 +++ b/lib/libpam/modules/pam_echo/pam_echo.8 @@ -30,8 +30,6 @@ .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.\" $FreeBSD$ -.\" .Dd February 6, 2003 .Dt PAM_ECHO 8 .Os @@ -80,7 +78,7 @@ expands to the character following the character. .Sh SEE ALSO .Xr pam.conf 5 , -.Xr pam 8 +.Xr pam 3 .Sh AUTHORS The .Nm diff --git a/lib/libpam/modules/pam_echo/pam_echo.c b/lib/libpam/modules/pam_echo/pam_echo.c index 4217118f3011..73f1c11eca61 100644 --- a/lib/libpam/modules/pam_echo/pam_echo.c +++ b/lib/libpam/modules/pam_echo/pam_echo.c @@ -35,8 +35,6 @@ */ #include <sys/cdefs.h> -__FBSDID("$FreeBSD$"); - #include <stdio.h> #include <stdlib.h> #include <string.h> diff --git a/lib/libpam/modules/pam_exec/Makefile b/lib/libpam/modules/pam_exec/Makefile index 143f1a6cd6d2..1902d10789b5 100644 --- a/lib/libpam/modules/pam_exec/Makefile +++ b/lib/libpam/modules/pam_exec/Makefile @@ -1,4 +1,3 @@ -# $FreeBSD$ LIB= pam_exec SRCS= pam_exec.c diff --git a/lib/libpam/modules/pam_exec/Makefile.depend b/lib/libpam/modules/pam_exec/Makefile.depend index a3a7ac4e5850..0665960a2cd2 100644 --- a/lib/libpam/modules/pam_exec/Makefile.depend +++ b/lib/libpam/modules/pam_exec/Makefile.depend @@ -1,8 +1,6 @@ -# $FreeBSD$ # Autogenerated - do NOT edit! DIRDEPS = \ - gnu/lib/csu \ include \ include/xlocale \ lib/${CSU_DIR} \ diff --git a/lib/libpam/modules/pam_exec/pam_exec.8 b/lib/libpam/modules/pam_exec/pam_exec.8 index dbd7c1e17007..c77162955730 100644 --- a/lib/libpam/modules/pam_exec/pam_exec.8 +++ b/lib/libpam/modules/pam_exec/pam_exec.8 @@ -32,8 +32,6 @@ .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.\" $FreeBSD$ -.\" .Dd May 24, 2019 .Dt PAM_EXEC 8 .Os 
@@ -152,13 +150,13 @@ This is useful in shell scripts for instance. .Sh SEE ALSO .Xr pam_get_item 3 , .Xr pam.conf 5 , -.Xr pam 8 , -.Xr pam_sm_acct_mgmt 8 , -.Xr pam_sm_authenticate 8 , -.Xr pam_sm_chauthtok 8 , -.Xr pam_sm_close_session 8 , -.Xr pam_sm_open_session 8 , -.Xr pam_sm_setcred 8 +.Xr pam 3 , +.Xr pam_sm_acct_mgmt 3 , +.Xr pam_sm_authenticate 3 , +.Xr pam_sm_chauthtok 3 , +.Xr pam_sm_close_session 3 , +.Xr pam_sm_open_session 3 , +.Xr pam_sm_setcred 3 .Sh AUTHORS The .Nm diff --git a/lib/libpam/modules/pam_exec/pam_exec.c b/lib/libpam/modules/pam_exec/pam_exec.c index b8f2e1d8fdfc..800a791f04a1 100644 --- a/lib/libpam/modules/pam_exec/pam_exec.c +++ b/lib/libpam/modules/pam_exec/pam_exec.c @@ -36,9 +36,6 @@ * SUCH DAMAGE. */ -#include <sys/cdefs.h> -__FBSDID("$FreeBSD$"); - #include <sys/types.h> #include <sys/poll.h> #include <sys/procdesc.h> @@ -261,6 +258,13 @@ _pam_exec(pam_handle_t *pamh, /* don't prompt, only expose existing token */ rc = pam_get_item(pamh, PAM_AUTHTOK, &item); authtok = item; + if (authtok == NULL && rc == PAM_SUCCESS) { + openpam_log(PAM_LOG_ERROR, + "%s: pam_get_authtok(): %s", + func, "authentication token not available"); + OUT(PAM_SYSTEM_ERR); + } + } else { rc = pam_get_authtok(pamh, PAM_AUTHTOK, &authtok, NULL); } diff --git a/lib/libpam/modules/pam_ftpusers/Makefile b/lib/libpam/modules/pam_ftpusers/Makefile index 8bca1aab86dd..e92b752309b5 100644 --- a/lib/libpam/modules/pam_ftpusers/Makefile +++ b/lib/libpam/modules/pam_ftpusers/Makefile @@ -1,4 +1,3 @@ -# $FreeBSD$ LIB= pam_ftpusers SRCS= pam_ftpusers.c diff --git a/lib/libpam/modules/pam_ftpusers/Makefile.depend b/lib/libpam/modules/pam_ftpusers/Makefile.depend index a3a7ac4e5850..0665960a2cd2 100644 --- a/lib/libpam/modules/pam_ftpusers/Makefile.depend +++ b/lib/libpam/modules/pam_ftpusers/Makefile.depend @@ -1,8 +1,6 @@ -# $FreeBSD$ # Autogenerated - do NOT edit! DIRDEPS = \ - gnu/lib/csu \ include \ include/xlocale \ lib/${CSU_DIR} \ 
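Review bot: The new error path in pam_exec.c reports `pam_get_authtok()` as the failing call, but the function invoked two lines above is pam_get_item(PAM_AUTHTOK), so the message sends whoever reads auth.log to the wrong place; suggest `"%s: pam_get_item(PAM_AUTHTOK): %s"` with the existing "authentication token not available" text. The check only fires when rc == PAM_SUCCESS; when rc is an error the NULL authtok presumably falls through to the rc check below the hunk, but that is outside this view, so confirm nothing between here and that check dereferences authtok. The blank line inserted before `} else {` looks accidental. _pam_exec begins and ends outside this hunk.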
diff --git a/lib/libpam/modules/pam_ftpusers/pam_ftpusers.8 b/lib/libpam/modules/pam_ftpusers/pam_ftpusers.8 index 380e3b026c70..a5c810fd2de5 100644 --- a/lib/libpam/modules/pam_ftpusers/pam_ftpusers.8 +++ b/lib/libpam/modules/pam_ftpusers/pam_ftpusers.8 @@ -32,8 +32,6 @@ .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.\" $FreeBSD$ -.\" .Dd April 17, 2002 .Dt PAM_FTPUSERS 8 .Os @@ -86,7 +84,7 @@ will succeed if and only if the user is not listed in .Sh SEE ALSO .Xr ftpusers 5 , .Xr pam.conf 5 , -.Xr pam 8 +.Xr pam 3 .Sh AUTHORS The .Nm diff --git a/lib/libpam/modules/pam_ftpusers/pam_ftpusers.c b/lib/libpam/modules/pam_ftpusers/pam_ftpusers.c index ea800cbb17dd..d33c0e85e0cb 100644 --- a/lib/libpam/modules/pam_ftpusers/pam_ftpusers.c +++ b/lib/libpam/modules/pam_ftpusers/pam_ftpusers.c @@ -35,8 +35,6 @@ */ #include <sys/cdefs.h> -__FBSDID("$FreeBSD$"); - #include <ctype.h> #include <grp.h> #include <paths.h> diff --git a/lib/libpam/modules/pam_group/Makefile b/lib/libpam/modules/pam_group/Makefile index 73b072a47795..dca723748174 100644 --- a/lib/libpam/modules/pam_group/Makefile +++ b/lib/libpam/modules/pam_group/Makefile @@ -1,4 +1,3 @@ -# $FreeBSD$ LIB= pam_group SRCS= pam_group.c diff --git a/lib/libpam/modules/pam_group/Makefile.depend b/lib/libpam/modules/pam_group/Makefile.depend index a3a7ac4e5850..0665960a2cd2 100644 --- a/lib/libpam/modules/pam_group/Makefile.depend +++ b/lib/libpam/modules/pam_group/Makefile.depend @@ -1,8 +1,6 @@ -# $FreeBSD$ # Autogenerated - do NOT edit! DIRDEPS = \ - gnu/lib/csu \ include \ include/xlocale \ lib/${CSU_DIR} \ diff --git a/lib/libpam/modules/pam_group/pam_group.8 b/lib/libpam/modules/pam_group/pam_group.8 index 4f368e577c22..ed96d45db503 100644 --- a/lib/libpam/modules/pam_group/pam_group.8 +++ b/lib/libpam/modules/pam_group/pam_group.8 
@@ -31,8 +31,6 @@ .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.\" $FreeBSD$ -.\" .Dd July 19, 2014 .Dt PAM_GROUP 8 .Os @@ -89,7 +87,7 @@ options are mutually exclusive, and that will fail if both are specified. .Sh SEE ALSO .Xr pam.conf 5 , -.Xr pam 8 +.Xr pam 3 .Sh AUTHORS The .Nm diff --git a/lib/libpam/modules/pam_group/pam_group.c b/lib/libpam/modules/pam_group/pam_group.c index bd6912a02d1a..9707a9cd278c 100644 --- a/lib/libpam/modules/pam_group/pam_group.c +++ b/lib/libpam/modules/pam_group/pam_group.c @@ -35,9 +35,6 @@ * SUCH DAMAGE. */ -#include <sys/cdefs.h> -__FBSDID("$FreeBSD$"); - #include <sys/types.h> #include <grp.h> diff --git a/lib/libpam/modules/pam_guest/Makefile b/lib/libpam/modules/pam_guest/Makefile index ccc192e5378a..c168513b98ee 100644 --- a/lib/libpam/modules/pam_guest/Makefile +++ b/lib/libpam/modules/pam_guest/Makefile @@ -1,4 +1,3 @@ -# $FreeBSD$ LIB= pam_guest SRCS= pam_guest.c diff --git a/lib/libpam/modules/pam_guest/Makefile.depend b/lib/libpam/modules/pam_guest/Makefile.depend index a3a7ac4e5850..0665960a2cd2 100644 --- a/lib/libpam/modules/pam_guest/Makefile.depend +++ b/lib/libpam/modules/pam_guest/Makefile.depend @@ -1,8 +1,6 @@ -# $FreeBSD$ # Autogenerated - do NOT edit! DIRDEPS = \ - gnu/lib/csu \ include \ include/xlocale \ lib/${CSU_DIR} \ diff --git a/lib/libpam/modules/pam_guest/pam_guest.8 b/lib/libpam/modules/pam_guest/pam_guest.8 index 0b858d673d56..541fd299ba8b 100644 --- a/lib/libpam/modules/pam_guest/pam_guest.8 +++ b/lib/libpam/modules/pam_guest/pam_guest.8 @@ -30,8 +30,6 @@ .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.\" $FreeBSD$ -.\" .Dd May 26, 2003 .Dt PAM_GUEST 8 .Os @@ -85,7 +83,7 @@ Requires the guest user to type in the guest account name as password. .Xr pam_get_item 3 , .Xr pam_getenv 3 , .Xr pam.conf 5 , -.Xr pam 8 +.Xr pam 3 .Sh AUTHORS The .Nm 
diff --git a/lib/libpam/modules/pam_guest/pam_guest.c b/lib/libpam/modules/pam_guest/pam_guest.c index 51e9181679c7..c3ef07fc189a 100644 --- a/lib/libpam/modules/pam_guest/pam_guest.c +++ b/lib/libpam/modules/pam_guest/pam_guest.c @@ -35,8 +35,6 @@ */ #include <sys/cdefs.h> -__FBSDID("$FreeBSD$"); - #include <string.h> #define PAM_SM_AUTH diff --git a/lib/libpam/modules/pam_krb5/Makefile b/lib/libpam/modules/pam_krb5/Makefile index 97fd49092298..1c2831facd50 100644 --- a/lib/libpam/modules/pam_krb5/Makefile +++ b/lib/libpam/modules/pam_krb5/Makefile @@ -22,7 +22,8 @@ # OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF # SUCH DAMAGE. # -# $FreeBSD$ + +PACKAGE= kerberos LIB= pam_krb5 SRCS= pam_krb5.c diff --git a/lib/libpam/modules/pam_krb5/Makefile.depend b/lib/libpam/modules/pam_krb5/Makefile.depend index f4ad591d36ba..05183339e3a9 100644 --- a/lib/libpam/modules/pam_krb5/Makefile.depend +++ b/lib/libpam/modules/pam_krb5/Makefile.depend @@ -1,8 +1,6 @@ -# $FreeBSD$ # Autogenerated - do NOT edit! DIRDEPS = \ - gnu/lib/csu \ include \ include/xlocale \ kerberos5/lib/libasn1 \ diff --git a/lib/libpam/modules/pam_krb5/pam_krb5.8 b/lib/libpam/modules/pam_krb5/pam_krb5.8 index bd7ac5b9ca0c..b59fdbdee9c4 100644 --- a/lib/libpam/modules/pam_krb5/pam_krb5.8 +++ b/lib/libpam/modules/pam_krb5/pam_krb5.8 @@ -1,6 +1,5 @@ .\" .\" $Id: pam_krb5.5,v 1.5 2000/01/05 00:59:56 fcusack Exp $ -.\" $FreeBSD$ .Dd May 3, 2010 .Dt PAM_KRB5 8 .Os 
@@ -108,6 +107,21 @@ and .Ql %p , to designate the current process ID; can be used in .Ar name . +.It Cm allow_kdc_spoof +Allow +.Nm +to succeed even if there is no host or service key available in a +keytab to authenticate the Kerberos KDC's ticket. +If there is no such key, for example on a host with no keytabs, +.Nm +will fail immediately without prompting the user. +.Pp +.Sy Warning : +If the host has not been configured with a keytab from the KDC, setting +this option makes it vulnerable to malicious KDCs, e.g. via DNS +flooding, because +.Nm +has no way to distinguish the legitimate KDC from a spoofed KDC. .It Cm no_user_check Do not verify if a user exists on the local system. This option implies the .Cm no_ccache @@ -210,7 +224,7 @@ file containing Kerberos principals that are allowed access. .Xr passwd 1 , .Xr syslog 3 , .Xr pam.conf 5 , -.Xr pam 8 +.Xr pam 3 .Sh NOTES Applications should not call .Fn pam_authenticate diff --git a/lib/libpam/modules/pam_krb5/pam_krb5.c b/lib/libpam/modules/pam_krb5/pam_krb5.c index 810573bed47e..5f448165b20a 100644 --- a/lib/libpam/modules/pam_krb5/pam_krb5.c +++ b/lib/libpam/modules/pam_krb5/pam_krb5.c @@ -47,9 +47,6 @@ * */ -#include <sys/cdefs.h> -__FBSDID("$FreeBSD$"); - #include <sys/types.h> #include <sys/stat.h> #include <errno.h> 
@@ -76,7 +73,12 @@ __FBSDID("$FreeBSD$"); #define COMPAT_HEIMDAL /* #define COMPAT_MIT */ -static int verify_krb_v5_tgt(krb5_context, krb5_ccache, char *, int); +static int verify_krb_v5_tgt_begin(krb5_context, char *, int, + const char **, krb5_principal *, char[static BUFSIZ]); +static int verify_krb_v5_tgt(krb5_context, krb5_ccache, char *, int, + const char *, krb5_principal, char[static BUFSIZ]); +static void verify_krb_v5_tgt_cleanup(krb5_context, int, + const char *, krb5_principal, char[static BUFSIZ]); static void cleanup_cache(pam_handle_t *, void *, int); static const char *compat_princ_component(krb5_context, krb5_principal, int); static void compat_free_data_contents(krb5_context, krb5_data *); @@ -92,6 +94,7 @@ static void compat_free_data_contents(krb5_context, krb5_data *); #define PAM_OPT_NO_USER_CHECK "no_user_check" #define PAM_OPT_REUSE_CCACHE "reuse_ccache" #define PAM_OPT_NO_USER_CHECK "no_user_check" +#define PAM_OPT_ALLOW_KDC_SPOOF "allow_kdc_spoof" #define PAM_LOG_KRB5_ERR(ctx, rv, fmt, ...) \ do { \ @@ -108,7 +111,11 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags __unused, int argc __unused, const char *argv[] __unused) { krb5_error_code krbret; - krb5_context pam_context; + krb5_context krbctx; + int debug; + const char *auth_service; + krb5_principal auth_princ; + char auth_phost[BUFSIZ]; krb5_creds creds; krb5_principal princ; krb5_ccache ccache; 
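Review bot: `auth_service`, `auth_princ` and `auth_phost` are declared without initializers, yet the `goto cleanup4` path added in the next hunk hands all three to verify_krb_v5_tgt_cleanup() regardless of how far verify_krb_v5_tgt_begin() got; the visible start of verify_krb_v5_tgt_begin() only sets `*servicep = NULL` and marks `princp __unused`, so `auth_princ` at least reaches the cleanup routine indeterminate. Initialize them at declaration, `const char *auth_service = NULL;`, `krb5_principal auth_princ = NULL;`, `char auth_phost[BUFSIZ] = "";`, and make sure the cleanup routine (body not visible here) tolerates NULL for each. While touching the option table, the new `#define PAM_OPT_ALLOW_KDC_SPOOF` lands right under a duplicated `PAM_OPT_NO_USER_CHECK` define that could be dropped in the same change. pam_sm_authenticate continues outside this hunk.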
@@ -139,15 +146,38 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags __unused, PAM_LOG("Got service: %s", (const char *)service); - krbret = krb5_init_context(&pam_context); + if ((srvdup = strdup(service)) == NULL) { + retval = PAM_BUF_ERR; + goto cleanup6; + } + + krbret = krb5_init_context(&krbctx); if (krbret != 0) { PAM_VERBOSE_ERROR("Kerberos 5 error"); - return (PAM_SERVICE_ERR); + retval = PAM_SERVICE_ERR; + goto cleanup5; } PAM_LOG("Context initialised"); - krbret = krb5_cc_register(pam_context, &krb5_mcc_ops, FALSE); + debug = openpam_get_option(pamh, PAM_OPT_DEBUG) ? 1 : 0; + krbret = verify_krb_v5_tgt_begin(krbctx, srvdup, debug, + &auth_service, &auth_princ, auth_phost); + if (krbret != 0) { /* failed to find key */ + /* Keytab or service key does not exist */ + /* + * Give up now because we can't authenticate the KDC + * with a keytab, unless the administrator asked to + * have the traditional behaviour of being vulnerable + * to spoofed KDCs. + */ + if (!openpam_get_option(pamh, PAM_OPT_ALLOW_KDC_SPOOF)) { + retval = PAM_SERVICE_ERR; + goto cleanup4; + } + } + + krbret = krb5_cc_register(krbctx, &krb5_mcc_ops, FALSE); if (krbret != 0 && krbret != KRB5_CC_TYPE_EXISTS) { PAM_VERBOSE_ERROR("Kerberos 5 error"); retval = PAM_SERVICE_ERR; @@ -164,10 +194,10 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags __unused, PAM_LOG("Created principal: %s", principal); - krbret = krb5_parse_name(pam_context, principal, &princ); + krbret = krb5_parse_name(krbctx, principal, &princ); free(principal); if (krbret != 0) { - PAM_LOG_KRB5_ERR(pam_context, krbret, "Error krb5_parse_name()"); + PAM_LOG_KRB5_ERR(krbctx, krbret, "Error krb5_parse_name()"); PAM_VERBOSE_ERROR("Kerberos 5 error"); retval = PAM_SERVICE_ERR; goto cleanup3; 
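Review bot: When verify_krb_v5_tgt_begin() finds no key and allow_kdc_spoof is unset, the module now refuses with PAM_SERVICE_ERR but logs nothing specific, so the only trace is the generic "Kerberos 5 refuses you" at cleanup6 and an administrator hitting the new default on a keytab-less host cannot tell why logins broke. Add a diagnostic before the goto, e.g. `PAM_LOG_KRB5_ERR(krbctx, krbret, "no keytab or service key to verify the KDC; refusing (set allow_kdc_spoof to override)");`, and when the option is set and the failure is tolerated emit a single `PAM_LOG("KDC not verified: allow_kdc_spoof is set");` so the weakened mode is visible in auth logs. Note also that `goto cleanup4` jumps past `cleanup3:`, where krbctx is freed, so this rejection path leaks the krb5 context given the label order at the end of the function. pam_sm_authenticate continues outside this hunk.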
@@ -177,9 +207,9 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags __unused, /* Now convert the principal name into something human readable */ princ_name = NULL; - krbret = krb5_unparse_name(pam_context, princ, &princ_name); + krbret = krb5_unparse_name(krbctx, princ, &princ_name); if (krbret != 0) { - PAM_LOG_KRB5_ERR(pam_context, krbret, + PAM_LOG_KRB5_ERR(krbctx, krbret, "Error krb5_unparse_name()"); PAM_VERBOSE_ERROR("Kerberos 5 error"); retval = PAM_SERVICE_ERR; @@ -202,11 +232,11 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags __unused, /* Verify the local user exists (AFTER getting the password) */ if (strchr(user, '@')) { /* get a local account name for this principal */ - krbret = krb5_aname_to_localname(pam_context, princ, + krbret = krb5_aname_to_localname(krbctx, princ, sizeof(luser), luser); if (krbret != 0) { PAM_VERBOSE_ERROR("Kerberos 5 error"); - PAM_LOG_KRB5_ERR(pam_context, krbret, + PAM_LOG_KRB5_ERR(krbctx, krbret, "Error krb5_aname_to_localname()"); retval = PAM_USER_UNKNOWN; goto cleanup2; @@ -231,15 +261,15 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags __unused, } /* Initialize credentials request options. */ - krbret = krb5_get_init_creds_opt_alloc(pam_context, &opts); + krbret = krb5_get_init_creds_opt_alloc(krbctx, &opts); if (krbret != 0) { - PAM_LOG_KRB5_ERR(pam_context, krbret, + PAM_LOG_KRB5_ERR(krbctx, krbret, "Error krb5_get_init_creds_opt_alloc()"); PAM_VERBOSE_ERROR("Kerberos 5 error"); retval = PAM_SERVICE_ERR; goto cleanup2; } - krb5_get_init_creds_opt_set_default_flags(pam_context, + krb5_get_init_creds_opt_set_default_flags(krbctx, service, NULL, opts); if (openpam_get_option(pamh, PAM_OPT_FORWARDABLE)) 
@@ -249,12 +279,12 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags __unused, /* Get a TGT */ memset(&creds, 0, sizeof(krb5_creds)); - krbret = krb5_get_init_creds_password(pam_context, &creds, princ, + krbret = krb5_get_init_creds_password(krbctx, &creds, princ, pass, NULL, pamh, 0, NULL, opts); - krb5_get_init_creds_opt_free(pam_context, opts); + krb5_get_init_creds_opt_free(krbctx, opts); if (krbret != 0) { PAM_VERBOSE_ERROR("Kerberos 5 error"); - PAM_LOG_KRB5_ERR(pam_context, krbret, + PAM_LOG_KRB5_ERR(krbctx, krbret, "Error krb5_get_init_creds_password()"); retval = PAM_AUTH_ERR; goto cleanup2; @@ -263,28 +293,28 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags __unused, PAM_LOG("Got TGT"); /* Generate a temporary cache */ - krbret = krb5_cc_new_unique(pam_context, krb5_cc_type_memory, NULL, &ccache); + krbret = krb5_cc_new_unique(krbctx, krb5_cc_type_memory, NULL, &ccache); if (krbret != 0) { PAM_VERBOSE_ERROR("Kerberos 5 error"); - PAM_LOG_KRB5_ERR(pam_context, krbret, + PAM_LOG_KRB5_ERR(krbctx, krbret, "Error krb5_cc_new_unique()"); retval = PAM_SERVICE_ERR; goto cleanup; } - krbret = krb5_cc_initialize(pam_context, ccache, princ); + krbret = krb5_cc_initialize(krbctx, ccache, princ); if (krbret != 0) { PAM_VERBOSE_ERROR("Kerberos 5 error"); - PAM_LOG_KRB5_ERR(pam_context, krbret, + PAM_LOG_KRB5_ERR(krbctx, krbret, "Error krb5_cc_initialize()"); retval = PAM_SERVICE_ERR; goto cleanup; } - krbret = krb5_cc_store_cred(pam_context, ccache, &creds); + krbret = krb5_cc_store_cred(krbctx, ccache, &creds); if (krbret != 0) { PAM_VERBOSE_ERROR("Kerberos 5 error"); - PAM_LOG_KRB5_ERR(pam_context, krbret, + PAM_LOG_KRB5_ERR(krbctx, krbret, "Error krb5_cc_store_cred()"); - krb5_cc_destroy(pam_context, ccache); + krb5_cc_destroy(krbctx, ccache); retval = PAM_SERVICE_ERR; goto cleanup; } 
@@ -292,16 +322,14 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags __unused, PAM_LOG("Credentials stashed"); /* Verify them */ - if ((srvdup = strdup(service)) == NULL) { - retval = PAM_BUF_ERR; - goto cleanup; - } - krbret = verify_krb_v5_tgt(pam_context, ccache, srvdup, - openpam_get_option(pamh, PAM_OPT_DEBUG) ? 1 : 0); + krbret = verify_krb_v5_tgt(krbctx, ccache, srvdup, + debug, + auth_service, auth_princ, auth_phost); free(srvdup); + srvdup = NULL; if (krbret == -1) { PAM_VERBOSE_ERROR("Kerberos 5 error"); - krb5_cc_destroy(pam_context, ccache); + krb5_cc_destroy(krbctx, ccache); retval = PAM_AUTH_ERR; goto cleanup; } @@ -310,7 +338,7 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags __unused, retval = pam_get_data(pamh, "ccache", &ccache_data); if (retval == PAM_SUCCESS) { - krb5_cc_destroy(pam_context, ccache); + krb5_cc_destroy(krbctx, ccache); PAM_VERBOSE_ERROR("Kerberos 5 error"); retval = PAM_AUTH_ERR; goto cleanup; @@ -318,8 +346,8 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags __unused, PAM_LOG("Credentials stash not pre-existing"); - asprintf(&ccache_name, "%s:%s", krb5_cc_get_type(pam_context, - ccache), krb5_cc_get_name(pam_context, ccache)); + asprintf(&ccache_name, "%s:%s", krb5_cc_get_type(krbctx, + ccache), krb5_cc_get_name(krbctx, ccache)); if (ccache_name == NULL) { PAM_VERBOSE_ERROR("Kerberos 5 error"); retval = PAM_BUF_ERR; @@ -327,7 +355,7 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags __unused, } retval = pam_set_data(pamh, "ccache", ccache_name, cleanup_cache); if (retval != 0) { - krb5_cc_destroy(pam_context, ccache); + krb5_cc_destroy(krbctx, ccache); PAM_VERBOSE_ERROR("Kerberos 5 error"); retval = PAM_SERVICE_ERR; goto cleanup; 
@@ -336,21 +364,33 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags __unused, PAM_LOG("Credentials stash saved"); cleanup: - krb5_free_cred_contents(pam_context, &creds); + krb5_free_cred_contents(krbctx, &creds); PAM_LOG("Done cleanup"); cleanup2: - krb5_free_principal(pam_context, princ); + krb5_free_principal(krbctx, princ); if (princ_name) free(princ_name); PAM_LOG("Done cleanup2"); cleanup3: - krb5_free_context(pam_context); + krb5_free_context(krbctx); PAM_LOG("Done cleanup3"); +cleanup4: + verify_krb_v5_tgt_cleanup(krbctx, debug, + auth_service, auth_princ, auth_phost); + PAM_LOG("Done cleanup4"); + +cleanup5: + if (srvdup != NULL) + free(srvdup); + PAM_LOG("Done cleanup5"); + +cleanup6: if (retval != PAM_SUCCESS) PAM_VERBOSE_ERROR("Kerberos 5 refuses you"); + PAM_LOG("Done cleanup6"); return (retval); } @@ -364,7 +404,7 @@ pam_sm_setcred(pam_handle_t *pamh, int flags, #else krb5_error_code krbret; - krb5_context pam_context; + krb5_context krbctx; krb5_principal princ; krb5_creds creds; krb5_ccache ccache_temp, ccache_perm; @@ -405,7 +445,7 @@ pam_sm_setcred(pam_handle_t *pamh, int flags, PAM_LOG("Got user: %s", (const char *)user); - krbret = krb5_init_context(&pam_context); + krbret = krb5_init_context(&krbctx); if (krbret != 0) { PAM_LOG("Error krb5_init_context() failed"); return (PAM_SERVICE_ERR); @@ -424,9 +464,9 @@ pam_sm_setcred(pam_handle_t *pamh, int flags, retval = PAM_CRED_UNAVAIL; goto cleanup3; } - krbret = krb5_cc_resolve(pam_context, cache_data, &ccache_temp); + krbret = krb5_cc_resolve(krbctx, cache_data, &ccache_temp); if (krbret != 0) { - PAM_LOG_KRB5_ERR(pam_context, krbret, + PAM_LOG_KRB5_ERR(krbctx, krbret, "Error krb5_cc_resolve(\"%s\")", (const char *)cache_data); retval = PAM_SERVICE_ERR; goto cleanup3; 
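Review bot: The new `cleanup4:` label sits after `cleanup3:`, so on every successful authentication `krb5_free_context(krbctx)` runs first and `verify_krb_v5_tgt_cleanup(krbctx, …)` is then handed the freed context; if that routine (not visible here) calls krb5_free_principal, krb5_kt_close or anything else through `context`, this is a use-after-free on the normal login path. The same ordering means the key-not-found path that jumps straight to cleanup4 never frees krbctx at all. Swap the two so verifier state is torn down while the context is live and the early exit frees only the context; if verify_krb_v5_tgt_begin() can leave partial state behind on failure, that early exit should target cleanup3 instead.

```c
cleanup3:
	verify_krb_v5_tgt_cleanup(krbctx, debug,
	    auth_service, auth_princ, auth_phost);
	PAM_LOG("Done cleanup3");

cleanup4:
	krb5_free_context(krbctx);
	PAM_LOG("Done cleanup4");

cleanup5:
	/* … unchanged: free(srvdup), cleanup6 and return … */
```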
@@ -497,22 +537,22 @@ pam_sm_setcred(pam_handle_t *pamh, int flags, PAM_LOG("Got cache_name: %s", cache_name); /* Initialize the new ccache */ - krbret = krb5_cc_get_principal(pam_context, ccache_temp, &princ); + krbret = krb5_cc_get_principal(krbctx, ccache_temp, &princ); if (krbret != 0) { - PAM_LOG_KRB5_ERR(pam_context, krbret, + PAM_LOG_KRB5_ERR(krbctx, krbret, "Error krb5_cc_get_principal()"); retval = PAM_SERVICE_ERR; goto cleanup3; } - krbret = krb5_cc_resolve(pam_context, cache_name, &ccache_perm); + krbret = krb5_cc_resolve(krbctx, cache_name, &ccache_perm); if (krbret != 0) { - PAM_LOG_KRB5_ERR(pam_context, krbret, "Error krb5_cc_resolve()"); + PAM_LOG_KRB5_ERR(krbctx, krbret, "Error krb5_cc_resolve()"); retval = PAM_SERVICE_ERR; goto cleanup2; } - krbret = krb5_cc_initialize(pam_context, ccache_perm, princ); + krbret = krb5_cc_initialize(krbctx, ccache_perm, princ); if (krbret != 0) { - PAM_LOG_KRB5_ERR(pam_context, krbret, + PAM_LOG_KRB5_ERR(krbctx, krbret, "Error krb5_cc_initialize()"); retval = PAM_SERVICE_ERR; goto cleanup2; @@ -521,11 +561,11 @@ pam_sm_setcred(pam_handle_t *pamh, int flags, PAM_LOG("Cache initialised"); /* Prepare for iteration over creds */ - krbret = krb5_cc_start_seq_get(pam_context, ccache_temp, &cursor); + krbret = krb5_cc_start_seq_get(krbctx, ccache_temp, &cursor); if (krbret != 0) { - PAM_LOG_KRB5_ERR(pam_context, krbret, + PAM_LOG_KRB5_ERR(krbctx, krbret, "Error krb5_cc_start_seq_get()"); - krb5_cc_destroy(pam_context, ccache_perm); + krb5_cc_destroy(krbctx, ccache_perm); retval = PAM_SERVICE_ERR; goto cleanup2; } 
@@ -533,28 +573,27 @@ pam_sm_setcred(pam_handle_t *pamh, int flags, PAM_LOG("Prepared for iteration"); /* Copy the creds (should be two of them) */ - while ((krbret = krb5_cc_next_cred(pam_context, ccache_temp, - &cursor, &creds) == 0)) { - krbret = krb5_cc_store_cred(pam_context, ccache_perm, &creds); + while (krb5_cc_next_cred(krbctx, ccache_temp, &cursor, &creds) == 0) { + krbret = krb5_cc_store_cred(krbctx, ccache_perm, &creds); if (krbret != 0) { - PAM_LOG_KRB5_ERR(pam_context, krbret, + PAM_LOG_KRB5_ERR(krbctx, krbret, "Error krb5_cc_store_cred()"); - krb5_cc_destroy(pam_context, ccache_perm); - krb5_free_cred_contents(pam_context, &creds); + krb5_cc_destroy(krbctx, ccache_perm); + krb5_free_cred_contents(krbctx, &creds); retval = PAM_SERVICE_ERR; goto cleanup2; } - krb5_free_cred_contents(pam_context, &creds); + krb5_free_cred_contents(krbctx, &creds); PAM_LOG("Iteration"); } - krb5_cc_end_seq_get(pam_context, ccache_temp, &cursor); + krb5_cc_end_seq_get(krbctx, ccache_temp, &cursor); PAM_LOG("Done iterating"); if (strstr(cache_name, "FILE:") == cache_name) { if (chown(&cache_name[5], pwd->pw_uid, pwd->pw_gid) == -1) { PAM_LOG("Error chown(): %s", strerror(errno)); - krb5_cc_destroy(pam_context, ccache_perm); + krb5_cc_destroy(krbctx, ccache_perm); retval = PAM_SERVICE_ERR; goto cleanup2; } 
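Review bot: Replacing `while ((krbret = krb5_cc_next_cred(...) == 0))` with a bare `while (krb5_cc_next_cred(...) == 0)` fixes the old precedence bug, but it now discards the terminating error entirely: a read failure part-way through copying the credentials is indistinguishable from KRB5_CC_END, and the module goes on to chown the half-populated FILE: cache and export KRB5CCNAME as though the copy succeeded. Keep the return value and check it after the loop, destroying ccache_perm on anything other than end-of-cache. pam_sm_setcred begins and ends outside this hunk.

```c
	while ((krbret = krb5_cc_next_cred(krbctx, ccache_temp, &cursor,
	    &creds)) == 0) {
		/* … unchanged: krb5_cc_store_cred / free_cred_contents … */
	}
	krb5_cc_end_seq_get(krbctx, ccache_temp, &cursor);
	if (krbret != KRB5_CC_END) {
		PAM_LOG_KRB5_ERR(krbctx, krbret, "Error krb5_cc_next_cred()");
		krb5_cc_destroy(krbctx, ccache_perm);
		retval = PAM_SERVICE_ERR;
		goto cleanup2;
	}
```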
@@ -562,21 +601,21 @@ pam_sm_setcred(pam_handle_t *pamh, int flags, if (chmod(&cache_name[5], (S_IRUSR | S_IWUSR)) == -1) { PAM_LOG("Error chmod(): %s", strerror(errno)); - krb5_cc_destroy(pam_context, ccache_perm); + krb5_cc_destroy(krbctx, ccache_perm); retval = PAM_SERVICE_ERR; goto cleanup2; } PAM_LOG("Done chmod()"); } - krb5_cc_close(pam_context, ccache_perm); + krb5_cc_close(krbctx, ccache_perm); PAM_LOG("Cache closed"); retval = pam_setenv(pamh, "KRB5CCNAME", cache_name, 1); if (retval != PAM_SUCCESS) { PAM_LOG("Error pam_setenv(): %s", pam_strerror(pamh, retval)); - krb5_cc_destroy(pam_context, ccache_perm); + krb5_cc_destroy(krbctx, ccache_perm); retval = PAM_SERVICE_ERR; goto cleanup2; } @@ -584,10 +623,10 @@ pam_sm_setcred(pam_handle_t *pamh, int flags, PAM_LOG("Environment done: KRB5CCNAME=%s", cache_name); cleanup2: - krb5_free_principal(pam_context, princ); + krb5_free_principal(krbctx, princ); PAM_LOG("Done cleanup2"); cleanup3: - krb5_free_context(pam_context); + krb5_free_context(krbctx); PAM_LOG("Done cleanup3"); seteuid(euid); @@ -610,7 +649,7 @@ pam_sm_acct_mgmt(pam_handle_t *pamh, int flags __unused, int argc __unused, const char *argv[] __unused) { krb5_error_code krbret; - krb5_context pam_context; + krb5_context krbctx; krb5_ccache ccache; krb5_principal princ; int retval; @@ -629,7 +668,7 @@ pam_sm_acct_mgmt(pam_handle_t *pamh, int flags __unused, PAM_LOG("Got credentials"); - krbret = krb5_init_context(&pam_context); + krbret = krb5_init_context(&krbctx); if (krbret != 0) { PAM_LOG("Error krb5_init_context() failed"); return (PAM_PERM_DENIED); 
@@ -637,20 +676,20 @@ pam_sm_acct_mgmt(pam_handle_t *pamh, int flags __unused, PAM_LOG("Context initialised"); - krbret = krb5_cc_resolve(pam_context, (const char *)ccache_name, &ccache); + krbret = krb5_cc_resolve(krbctx, (const char *)ccache_name, &ccache); if (krbret != 0) { - PAM_LOG_KRB5_ERR(pam_context, krbret, + PAM_LOG_KRB5_ERR(krbctx, krbret, "Error krb5_cc_resolve(\"%s\")", (const char *)ccache_name); - krb5_free_context(pam_context); + krb5_free_context(krbctx); return (PAM_PERM_DENIED); } PAM_LOG("Got ccache %s", (const char *)ccache_name); - krbret = krb5_cc_get_principal(pam_context, ccache, &princ); + krbret = krb5_cc_get_principal(krbctx, ccache, &princ); if (krbret != 0) { - PAM_LOG_KRB5_ERR(pam_context, krbret, + PAM_LOG_KRB5_ERR(krbctx, krbret, "Error krb5_cc_get_principal()"); retval = PAM_PERM_DENIED; goto cleanup; @@ -658,16 +697,16 @@ pam_sm_acct_mgmt(pam_handle_t *pamh, int flags __unused, PAM_LOG("Got principal"); - if (krb5_kuserok(pam_context, princ, (const char *)user)) + if (krb5_kuserok(krbctx, princ, (const char *)user)) retval = PAM_SUCCESS; else retval = PAM_PERM_DENIED; - krb5_free_principal(pam_context, princ); + krb5_free_principal(krbctx, princ); PAM_LOG("Done kuserok()"); cleanup: - krb5_free_context(pam_context); + krb5_free_context(krbctx); PAM_LOG("Done cleanup"); return (retval); @@ -682,7 +721,7 @@ pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc __unused, const char *argv[] __unused) { krb5_error_code krbret; - krb5_context pam_context; + krb5_context krbctx; krb5_creds creds; krb5_principal princ; krb5_get_init_creds_opt *opts; @@ -701,7 +740,7 @@ pam_sm_chauthtok(pam_handle_t *pamh, int flags, PAM_LOG("Got user: %s", (const char *)user); - krbret = krb5_init_context(&pam_context); + krbret = krb5_init_context(&krbctx); if (krbret != 0) { PAM_LOG("Error krb5_init_context() failed"); return (PAM_SERVICE_ERR); 
@@ -710,9 +749,9 @@ pam_sm_chauthtok(pam_handle_t *pamh, int flags, PAM_LOG("Context initialised"); /* Get principal name */ - krbret = krb5_parse_name(pam_context, (const char *)user, &princ); + krbret = krb5_parse_name(krbctx, (const char *)user, &princ); if (krbret != 0) { - PAM_LOG_KRB5_ERR(pam_context, krbret, + PAM_LOG_KRB5_ERR(krbctx, krbret, "Error krb5_parse_name()"); retval = PAM_USER_UNKNOWN; goto cleanup3; @@ -720,9 +759,9 @@ pam_sm_chauthtok(pam_handle_t *pamh, int flags, /* Now convert the principal name into something human readable */ princ_name = NULL; - krbret = krb5_unparse_name(pam_context, princ, &princ_name); + krbret = krb5_unparse_name(krbctx, princ, &princ_name); if (krbret != 0) { - PAM_LOG_KRB5_ERR(pam_context, krbret, + PAM_LOG_KRB5_ERR(krbctx, krbret, "Error krb5_unparse_name()"); retval = PAM_SERVICE_ERR; goto cleanup2; @@ -738,9 +777,9 @@ pam_sm_chauthtok(pam_handle_t *pamh, int flags, PAM_LOG("Got password"); /* Initialize credentials request options. */ - krbret = krb5_get_init_creds_opt_alloc(pam_context, &opts); + krbret = krb5_get_init_creds_opt_alloc(krbctx, &opts); if (krbret != 0) { - PAM_LOG_KRB5_ERR(pam_context, krbret, + PAM_LOG_KRB5_ERR(krbctx, krbret, "Error krb5_get_init_creds_opt_alloc()"); PAM_VERBOSE_ERROR("Kerberos 5 error"); retval = PAM_SERVICE_ERR; @@ -750,11 +789,11 @@ pam_sm_chauthtok(pam_handle_t *pamh, int flags, PAM_LOG("Credentials options initialised"); memset(&creds, 0, sizeof(krb5_creds)); - krbret = krb5_get_init_creds_password(pam_context, &creds, princ, + krbret = krb5_get_init_creds_password(krbctx, &creds, princ, pass, NULL, pamh, 0, "kadmin/changepw", opts); - krb5_get_init_creds_opt_free(pam_context, opts); + krb5_get_init_creds_opt_free(krbctx, opts); if (krbret != 0) { - PAM_LOG_KRB5_ERR(pam_context, krbret, + PAM_LOG_KRB5_ERR(krbctx, krbret, "Error krb5_get_init_creds_password()"); retval = PAM_AUTH_ERR; goto cleanup2; 
@@ -780,11 +819,11 @@ pam_sm_chauthtok(pam_handle_t *pamh, int flags, retval = PAM_BUF_ERR; goto cleanup; } - krbret = krb5_set_password(pam_context, &creds, passdup, NULL, + krbret = krb5_set_password(krbctx, &creds, passdup, NULL, &result_code, &result_code_string, &result_string); free(passdup); if (krbret != 0) { - PAM_LOG_KRB5_ERR(pam_context, krbret, + PAM_LOG_KRB5_ERR(krbctx, krbret, "Error krb5_change_password()"); retval = PAM_AUTHTOK_ERR; goto cleanup; @@ -803,16 +842,16 @@ pam_sm_chauthtok(pam_handle_t *pamh, int flags, free(result_code_string.data); cleanup: - krb5_free_cred_contents(pam_context, &creds); + krb5_free_cred_contents(krbctx, &creds); PAM_LOG("Done cleanup"); cleanup2: - krb5_free_principal(pam_context, princ); + krb5_free_principal(krbctx, princ); if (princ_name) free(princ_name); PAM_LOG("Done cleanup2"); cleanup3: - krb5_free_context(pam_context); + krb5_free_context(krbctx); PAM_LOG("Done cleanup3"); @@ -837,18 +876,18 @@ PAM_MODULE_ENTRY("pam_krb5"); */ /* ARGSUSED */ static int -verify_krb_v5_tgt(krb5_context context, krb5_ccache ccache, - char *pam_service, int debug) +verify_krb_v5_tgt_begin(krb5_context context, char *pam_service, int debug, + const char **servicep, krb5_principal *princp __unused, char phost[static BUFSIZ]) { krb5_error_code retval; krb5_principal princ; krb5_keyblock *keyblock; - krb5_data packet; - krb5_auth_context auth_context; - char phost[BUFSIZ]; const char *services[3], **service; - packet.data = 0; + *servicep = NULL; + + if (debug) + openlog("pam_krb5", LOG_PID, LOG_AUTHPRIV); /* If possible we want to try and verify the ticket we have * received against a keytab. We will try multiple service 
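Review bot: `verify_krb_v5_tgt_begin` declares its `princp` out-parameter `__unused`, yet the new `verify_krb_v5_tgt_cleanup` later in this file calls `krb5_free_principal(context, princ)` on the caller's principal whenever `service` is set; if the body of begin (which continues past this hunk) never stores its local `princ` through `princp`, cleanup frees a value begin never produced and begin's own principal leaks. Either hand it back (`*princp = princ;` once the service loop has settled) and drop `__unused`, or free it inside begin as the old single-function version did. The `openlog()` added here is paired only with the `closelog()` in cleanup, so the caller, which is not in this hunk, must reach cleanup on every path after begin has run.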
@@ -895,25 +934,29 @@ verify_krb_v5_tgt(krb5_context context, krb5_ccache ccache, continue; break; } - if (retval != 0) { /* failed to find key */ - /* Keytab or service key does not exist */ - if (debug) { - const char *msg = krb5_get_error_message(context, - retval); - syslog(LOG_DEBUG, - "pam_krb5: verify_krb_v5_tgt(): %s: %s", - "krb5_kt_read_service_key()", msg); - krb5_free_error_message(context, msg); - } - retval = 0; - goto cleanup; - } if (keyblock) krb5_free_keyblock(context, keyblock); + return (retval); +} + +static int +verify_krb_v5_tgt(krb5_context context, krb5_ccache ccache, + char *pam_service __unused, int debug, + const char *service, krb5_principal princ, char phost[static BUFSIZ]) +{ + krb5_error_code retval; + krb5_auth_context auth_context = NULL; + krb5_data packet; + + if (service == NULL) + return (0); /* uncertain, can't authenticate KDC */ + + packet.data = 0; + /* Talk to the kdc and construct the ticket. */ auth_context = NULL; - retval = krb5_mk_req(context, &auth_context, 0, *service, phost, + retval = krb5_mk_req(context, &auth_context, 0, service, phost, NULL, ccache, &packet); if (auth_context) { krb5_auth_con_free(context, auth_context); @@ -952,8 +995,19 @@ verify_krb_v5_tgt(krb5_context context, krb5_ccache ccache, cleanup: if (packet.data) compat_free_data_contents(context, &packet); - krb5_free_principal(context, princ); - return retval; + return (retval); +} + +static void +verify_krb_v5_tgt_cleanup(krb5_context context, int debug, + const char *service, krb5_principal princ, char phost[static BUFSIZ] __unused) +{ + + if (service) + krb5_free_principal(context, princ); + if (debug) + closelog(); + } /* Free the memory for cache_name. Called by pam_end() */ 
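Review bot: The debug diagnostic for a failed `krb5_kt_read_service_key()` is dropped: the removed block logged the error at LOG_DEBUG before treating the ticket as unverifiable, while `verify_krb_v5_tgt_begin` now just returns `retval` and the new `if (service == NULL) return (0);` accepts the ticket silently. Unless the caller (outside this hunk) logs begin's return value, an administrator can no longer tell from the logs that the KDC was not authenticated because no keytab key was available; suggest `if (debug) syslog(LOG_DEBUG, "pam_krb5: verify_krb_v5_tgt(): no service key, KDC not verified");` before that `return (0)`. Minor style: `auth_context` is initialised to NULL in its declaration and again on the unchanged `auth_context = NULL;` line before `krb5_mk_req()`; one of the two can go.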
@@ -961,17 +1015,17 @@ cleanup: static void cleanup_cache(pam_handle_t *pamh __unused, void *data, int pam_end_status __unused) { - krb5_context pam_context; + krb5_context krbctx; krb5_ccache ccache; krb5_error_code krbret; - if (krb5_init_context(&pam_context)) + if (krb5_init_context(&krbctx)) return; - krbret = krb5_cc_resolve(pam_context, data, &ccache); + krbret = krb5_cc_resolve(krbctx, data, &ccache); if (krbret == 0) - krb5_cc_destroy(pam_context, ccache); - krb5_free_context(pam_context); + krb5_cc_destroy(krbctx, ccache); + krb5_free_context(krbctx); free(data); } diff --git a/lib/libpam/modules/pam_ksu/Makefile b/lib/libpam/modules/pam_ksu/Makefile index 26f3f850daaa..c5fd72d9db7d 100644 --- a/lib/libpam/modules/pam_ksu/Makefile +++ b/lib/libpam/modules/pam_ksu/Makefile @@ -22,7 +22,8 @@ # OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF # SUCH DAMAGE. # -# $FreeBSD$ + +PACKAGE= kerberos LIB= pam_ksu SRCS= pam_ksu.c diff --git a/lib/libpam/modules/pam_ksu/Makefile.depend b/lib/libpam/modules/pam_ksu/Makefile.depend index ad4fcd166520..37648d1e6ef7 100644 --- a/lib/libpam/modules/pam_ksu/Makefile.depend +++ b/lib/libpam/modules/pam_ksu/Makefile.depend @@ -1,8 +1,6 @@ -# $FreeBSD$ # Autogenerated - do NOT edit! DIRDEPS = \ - gnu/lib/csu \ include \ include/xlocale \ kerberos5/lib/libasn1 \ diff --git a/lib/libpam/modules/pam_ksu/pam_ksu.8 b/lib/libpam/modules/pam_ksu/pam_ksu.8 index 614dc9ef78f8..36d6936423b1 100644 --- a/lib/libpam/modules/pam_ksu/pam_ksu.8 +++ b/lib/libpam/modules/pam_ksu/pam_ksu.8 @@ -32,8 +32,6 @@ .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.\" $FreeBSD$ -.\" .Dd May 15, 2002 .Dt PAM_KSU 8 .Os @@ -119,4 +117,4 @@ the user is prompted for another password. .Xr su 1 , .Xr syslog 3 , .Xr pam.conf 5 , -.Xr pam 8 +.Xr pam 3 diff --git a/lib/libpam/modules/pam_ksu/pam_ksu.c b/lib/libpam/modules/pam_ksu/pam_ksu.c index 1a4ebc39f65a..47362c835c12 100644 
--- a/lib/libpam/modules/pam_ksu/pam_ksu.c +++ b/lib/libpam/modules/pam_ksu/pam_ksu.c @@ -1,5 +1,5 @@ /*- - * SPDX-License-Identifier: BSD-2-Clause-FreeBSD + * SPDX-License-Identifier: BSD-2-Clause * * Copyright (c) 2002 Jacques A. Vidrine <nectar@FreeBSD.org> * All rights reserved. @@ -25,8 +25,6 @@ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. */ -#include <sys/cdefs.h> -__FBSDID("$FreeBSD$"); #include <sys/param.h> #include <errno.h> diff --git a/lib/libpam/modules/pam_lastlog/Makefile b/lib/libpam/modules/pam_lastlog/Makefile index 9f0e07f767ea..1abf6f2b6304 100644 --- a/lib/libpam/modules/pam_lastlog/Makefile +++ b/lib/libpam/modules/pam_lastlog/Makefile @@ -22,7 +22,8 @@ # OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF # SUCH DAMAGE. # -# $FreeBSD$ + +PACKAGE= runtime LIB= pam_lastlog SRCS= pam_lastlog.c diff --git a/lib/libpam/modules/pam_lastlog/Makefile.depend b/lib/libpam/modules/pam_lastlog/Makefile.depend index a3a7ac4e5850..0665960a2cd2 100644 --- a/lib/libpam/modules/pam_lastlog/Makefile.depend +++ b/lib/libpam/modules/pam_lastlog/Makefile.depend @@ -1,8 +1,6 @@ -# $FreeBSD$ # Autogenerated - do NOT edit! DIRDEPS = \ - gnu/lib/csu \ include \ include/xlocale \ lib/${CSU_DIR} \ diff --git a/lib/libpam/modules/pam_lastlog/pam_lastlog.8 b/lib/libpam/modules/pam_lastlog/pam_lastlog.8 index cd75fff05df7..6e5ba8770ada 100644 --- a/lib/libpam/modules/pam_lastlog/pam_lastlog.8 +++ b/lib/libpam/modules/pam_lastlog/pam_lastlog.8 @@ -32,8 +32,6 @@ .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.\" $FreeBSD$ -.\" .Dd January 21, 2010 .Dt PAM_LASTLOG 8 .Os @@ -86,11 +84,11 @@ Ignore I/O failures. .Xr last 1 , .Xr w 1 , .Xr getutxent 3 , -.Xr login 3 , -.Xr logout 3 , +.Xr ulog_login 3 , +.Xr ulog_logout 3 , .Xr pam.conf 5 , .Xr lastlogin 8 , -.Xr pam 8 +.Xr pam 3 .Sh AUTHORS The .Nm 
diff --git a/lib/libpam/modules/pam_lastlog/pam_lastlog.c b/lib/libpam/modules/pam_lastlog/pam_lastlog.c index 00b07bc19142..e631723f6e76 100644 --- a/lib/libpam/modules/pam_lastlog/pam_lastlog.c +++ b/lib/libpam/modules/pam_lastlog/pam_lastlog.c @@ -44,8 +44,6 @@ */ #include <sys/cdefs.h> -__FBSDID("$FreeBSD$"); - #define _BSD_SOURCE #include <sys/time.h> diff --git a/lib/libpam/modules/pam_login_access/Makefile b/lib/libpam/modules/pam_login_access/Makefile index 5679a62f7fba..43c025336354 100644 --- a/lib/libpam/modules/pam_login_access/Makefile +++ b/lib/libpam/modules/pam_login_access/Makefile @@ -22,7 +22,8 @@ # OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF # SUCH DAMAGE. # -# $FreeBSD$ + +PACKAGE= runtime LIB= pam_login_access SRCS= pam_login_access.c login_access.c diff --git a/lib/libpam/modules/pam_login_access/Makefile.depend b/lib/libpam/modules/pam_login_access/Makefile.depend index a3a7ac4e5850..0665960a2cd2 100644 --- a/lib/libpam/modules/pam_login_access/Makefile.depend +++ b/lib/libpam/modules/pam_login_access/Makefile.depend @@ -1,8 +1,6 @@ -# $FreeBSD$ # Autogenerated - do NOT edit! DIRDEPS = \ - gnu/lib/csu \ include \ include/xlocale \ lib/${CSU_DIR} \ diff --git a/lib/libpam/modules/pam_login_access/login.access.5 b/lib/libpam/modules/pam_login_access/login.access.5 index 72d4740adbf6..c63b136fb1d8 100644 --- a/lib/libpam/modules/pam_login_access/login.access.5 +++ b/lib/libpam/modules/pam_login_access/login.access.5 @@ -1,6 +1,4 @@ .\" -.\" $FreeBSD$ -.\" .Dd January 30, 2020 .Dt LOGIN.ACCESS 5 .Os diff --git a/lib/libpam/modules/pam_login_access/login_access.c b/lib/libpam/modules/pam_login_access/login_access.c index 719808858dac..1fbb644e2055 100644 --- a/lib/libpam/modules/pam_login_access/login_access.c +++ b/lib/libpam/modules/pam_login_access/login_access.c 
@@ -13,9 +13,6 @@ static char sccsid[] = "%Z% %M% %I% %E% %U%"; #endif #endif -#include <sys/cdefs.h> -__FBSDID("$FreeBSD$"); - #include <sys/types.h> #include <sys/param.h> #include <ctype.h> diff --git a/lib/libpam/modules/pam_login_access/pam_login_access.8 b/lib/libpam/modules/pam_login_access/pam_login_access.8 index b5406329512e..f4009de3af72 100644 --- a/lib/libpam/modules/pam_login_access/pam_login_access.8 +++ b/lib/libpam/modules/pam_login_access/pam_login_access.8 @@ -32,8 +32,6 @@ .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.\" $FreeBSD$ -.\" .Dd January 30, 2020 .Dt PAM_LOGIN_ACCESS 8 .Os diff --git a/lib/libpam/modules/pam_login_access/pam_login_access.c b/lib/libpam/modules/pam_login_access/pam_login_access.c index e0c385a48b8d..8b4e7d8f0880 100644 --- a/lib/libpam/modules/pam_login_access/pam_login_access.c +++ b/lib/libpam/modules/pam_login_access/pam_login_access.c @@ -37,8 +37,6 @@ */ #include <sys/cdefs.h> -__FBSDID("$FreeBSD$"); - #define _BSD_SOURCE #include <sys/param.h> diff --git a/lib/libpam/modules/pam_login_access/pam_login_access.h b/lib/libpam/modules/pam_login_access/pam_login_access.h index b1fd45784d60..c482f1811695 100644 --- a/lib/libpam/modules/pam_login_access/pam_login_access.h +++ b/lib/libpam/modules/pam_login_access/pam_login_access.h @@ -34,8 +34,6 @@ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. - * - * $FreeBSD$ */ #include <stdbool.h> diff --git a/lib/libpam/modules/pam_nologin/Makefile b/lib/libpam/modules/pam_nologin/Makefile index 746e9e8882ee..e4c3c5a35c1e 100644 --- a/lib/libpam/modules/pam_nologin/Makefile +++ b/lib/libpam/modules/pam_nologin/Makefile @@ -22,7 +22,8 @@ # OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF # SUCH DAMAGE. # -# $FreeBSD$ + +PACKAGE= runtime LIB= pam_nologin SRCS= pam_nologin.c 
diff --git a/lib/libpam/modules/pam_nologin/Makefile.depend b/lib/libpam/modules/pam_nologin/Makefile.depend index 0f5cf60ca00c..dcba122adac8 100644 --- a/lib/libpam/modules/pam_nologin/Makefile.depend +++ b/lib/libpam/modules/pam_nologin/Makefile.depend @@ -1,8 +1,6 @@ -# $FreeBSD$ # Autogenerated - do NOT edit! DIRDEPS = \ - gnu/lib/csu \ include \ include/xlocale \ lib/${CSU_DIR} \ diff --git a/lib/libpam/modules/pam_nologin/pam_nologin.8 b/lib/libpam/modules/pam_nologin/pam_nologin.8 index cc94be555d68..30f87a65b63e 100644 --- a/lib/libpam/modules/pam_nologin/pam_nologin.8 +++ b/lib/libpam/modules/pam_nologin/pam_nologin.8 @@ -22,8 +22,6 @@ .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.\" $FreeBSD$ -.\" .Dd June 10, 2007 .Dt PAM_NOLOGIN 8 .Os @@ -87,4 +85,4 @@ login attempt was declined. .Xr login.conf 5 , .Xr nologin 5 , .Xr pam.conf 5 , -.Xr pam 8 +.Xr pam 3 diff --git a/lib/libpam/modules/pam_nologin/pam_nologin.c b/lib/libpam/modules/pam_nologin/pam_nologin.c index 1ba2dcd92fad..16f7ebdc2e7c 100644 --- a/lib/libpam/modules/pam_nologin/pam_nologin.c +++ b/lib/libpam/modules/pam_nologin/pam_nologin.c @@ -36,9 +36,6 @@ * SUCH DAMAGE. */ -#include <sys/cdefs.h> -__FBSDID("$FreeBSD$"); - #include <sys/types.h> #include <sys/stat.h> #include <fcntl.h> diff --git a/lib/libpam/modules/pam_opie/Makefile b/lib/libpam/modules/pam_opie/Makefile deleted file mode 100644 index c2074bf3cbf3..000000000000 --- a/lib/libpam/modules/pam_opie/Makefile +++ /dev/null 
@@ -1,34 +0,0 @@
-# Copyright 2000 James Bloom
-# All rights reserved.
-# Based upon code Copyright 1998 Juniper Networks, Inc.
-#
-# Redistribution and use in source and binary forms, with or without
-# modification, are permitted provided that the following conditions
-# are met:
-# 1. Redistributions of source code must retain the above copyright
-# notice, this list of conditions and the following disclaimer.
-# 2. Redistributions in binary form must reproduce the above copyright
-# notice, this list of conditions and the following disclaimer in the
-# documentation and/or other materials provided with the distribution.
-#
-# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
-# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
-# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-# SUCH DAMAGE.
-#
-# $FreeBSD$
-
-LIB= pam_opie
-SRCS= pam_opie.c
-MAN= pam_opie.8
-
-LIBADD+= opie
-
-.include <bsd.lib.mk>
diff --git a/lib/libpam/modules/pam_opie/Makefile.depend b/lib/libpam/modules/pam_opie/Makefile.depend
deleted file mode 100644
index da2957f739ba..000000000000
--- a/lib/libpam/modules/pam_opie/Makefile.depend
+++ /dev/null
@@ -1,19 +0,0 @@
-# $FreeBSD$
-# Autogenerated - do NOT edit!
-
-DIRDEPS = \
- gnu/lib/csu \
- include \
- include/xlocale \
- lib/${CSU_DIR} \
- lib/libc \
- lib/libcompiler_rt \
- lib/libopie \
- lib/libpam/libpam \
-
-
-.include <dirdeps.mk>
-
-.if ${DEP_RELDIR} == ${_DEP_RELDIR}
-# local dependencies - needed for -jN in clean tree
-.endif
diff --git a/lib/libpam/modules/pam_opie/pam_opie.8 b/lib/libpam/modules/pam_opie/pam_opie.8
deleted file mode 100644
index 968985a6c9f6..000000000000
--- a/lib/libpam/modules/pam_opie/pam_opie.8
+++ /dev/null
@@ -1,123 +0,0 @@
-.\" Copyright (c) 2001 Mark R V Murray
-.\" All rights reserved.
-.\" Copyright (c) 2002 Networks Associates Technology, Inc.
-.\" All rights reserved.
-.\"
-.\" Portions of this software were developed for the FreeBSD Project by
-.\" ThinkSec AS and NAI Labs, the Security Research Division of Network
-.\" Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035
-.\" ("CBOSS"), as part of the DARPA CHATS research program.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in the
-.\" documentation and/or other materials provided with the distribution.
-.\" 3. The name of the author may not be used to endorse or promote
-.\" products derived from this software without specific prior written
-.\" permission.
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
-.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
-.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-.\" SUCH DAMAGE.
-.\" -.\" $FreeBSD$ -.\" -.Dd July 7, 2001 -.Dt PAM_OPIE 8 -.Os -.Sh NAME -.Nm pam_opie -.Nd OPIE PAM module -.Sh SYNOPSIS -.Op Ar service-name -.Ar module-type -.Ar control-flag -.Pa pam_opie -.Op Ar options -.Sh DESCRIPTION -The OPIE authentication service module for PAM, -.Nm -provides functionality for only one PAM category: -that of authentication. -In terms of the -.Ar module-type -parameter, this is the -.Dq Li auth -feature. -It also provides a null function for session management. -.Pp -Note that this module does not enforce -.Xr opieaccess 5 -checks. -There is a separate module, -.Xr pam_opieaccess 8 , -for this purpose. -.Ss OPIE Authentication Module -The OPIE authentication component -provides functions to verify the identity of a user -.Pq Fn pam_sm_authenticate , -which obtains the relevant -.Xr opie 4 -credentials. -It provides the user with an OPIE challenge, -and verifies that this is correct with -.Xr opiechallenge 3 . -.Pp -The following options may be passed to the authentication module: -.Bl -tag -width ".Cm auth_as_self" -.It Cm debug -.Xr syslog 3 -debugging information at -.Dv LOG_DEBUG -level. -.It Cm auth_as_self -This option will require the user -to authenticate himself as the user -given by -.Xr getlogin 2 , -not as the account they are attempting to access. -This is primarily for services like -.Xr su 1 , -where the user's ability to retype -their own password -might be deemed sufficient. -.It Cm no_fake_prompts -Do not generate fake challenges for users who do not have an OPIE key. -Note that this can leak information to a hypothetical attacker about -who uses OPIE and who does not, but it can be useful on systems where -some users want to use OPIE but most do not. -.El -.Pp -Note that -.Nm -ignores the standard options -.Cm try_first_pass -and -.Cm use_first_pass , -since a challenge must be generated before the user can submit a valid -response. 
-.Sh FILES -.Bl -tag -width ".Pa /etc/opiekeys" -compact -.It Pa /etc/opiekeys -default OPIE password database. -.El -.Sh SEE ALSO -.Xr passwd 1 , -.Xr getlogin 2 , -.Xr opiechallenge 3 , -.Xr syslog 3 , -.Xr opie 4 , -.Xr pam.conf 5 , -.Xr pam 8 diff --git a/lib/libpam/modules/pam_opie/pam_opie.c b/lib/libpam/modules/pam_opie/pam_opie.c deleted file mode 100644 index 41ad84b751bc..000000000000 --- a/lib/libpam/modules/pam_opie/pam_opie.c +++ /dev/null 
@@ -1,157 +0,0 @@
-/*-
- * SPDX-License-Identifier: BSD-3-Clause
- *
- * Copyright 2000 James Bloom
- * All rights reserved.
- * Based upon code Copyright 1998 Juniper Networks, Inc.
- * Copyright (c) 2001-2003 Networks Associates Technology, Inc.
- * All rights reserved.
- *
- * Portions of this software were developed for the FreeBSD Project by
- * ThinkSec AS and NAI Labs, the Security Research Division of Network
- * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035
- * ("CBOSS"), as part of the DARPA CHATS research program.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. The name of the author may not be used to endorse or promote
- * products derived from this software without specific prior written
- * permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */ - -#include <sys/cdefs.h> -__FBSDID("$FreeBSD$"); - -#include <sys/types.h> -#include <opie.h> -#include <pwd.h> -#include <stdio.h> -#include <stdlib.h> -#include <string.h> -#include <unistd.h> - -#define PAM_SM_AUTH - -#include <security/pam_appl.h> -#include <security/pam_modules.h> -#include <security/pam_mod_misc.h> - -#define PAM_OPT_NO_FAKE_PROMPTS "no_fake_prompts" - -PAM_EXTERN int -pam_sm_authenticate(pam_handle_t *pamh, int flags __unused, - int argc __unused, const char *argv[] __unused) -{ - struct opie opie; - struct passwd *pwd; - int retval, i; - const char *(promptstr[]) = { "%s\nPassword: ", "%s\nPassword [echo on]: "}; - char challenge[OPIE_CHALLENGE_MAX + 1]; - char principal[OPIE_PRINCIPAL_MAX]; - const char *user; - char *response; - int style; - - user = NULL; - if (openpam_get_option(pamh, PAM_OPT_AUTH_AS_SELF)) { - if ((pwd = getpwnam(getlogin())) == NULL) - return (PAM_AUTH_ERR); - user = pwd->pw_name; - } - else { - retval = pam_get_user(pamh, &user, NULL); - if (retval != PAM_SUCCESS) - return (retval); - } - - PAM_LOG("Got user: %s", user); - - /* - * Watch out: libopie feels entitled to truncate the user name - * passed to it if it's longer than OPIE_PRINCIPAL_MAX, which is - * not uncommon in Windows environments. - */ - if (strlen(user) >= sizeof(principal)) - return (PAM_AUTH_ERR); - strlcpy(principal, user, sizeof(principal)); - - /* - * Don't call the OPIE atexit() handler when our program exits, - * since the module has been unloaded and we will SEGV. - */ - opiedisableaeh(); - - /* - * If the no_fake_prompts option was given, and the user - * doesn't have an OPIE key, just fail rather than present the - * user with a bogus OPIE challenge. 
- */ - if (opiechallenge(&opie, principal, challenge) != 0 && - openpam_get_option(pamh, PAM_OPT_NO_FAKE_PROMPTS)) - return (PAM_AUTH_ERR); - - /* - * It doesn't make sense to use a password that has already been - * typed in, since we haven't presented the challenge to the user - * yet, so clear the stored password. - */ - pam_set_item(pamh, PAM_AUTHTOK, NULL); - - style = PAM_PROMPT_ECHO_OFF; - for (i = 0; i < 2; i++) { - retval = pam_prompt(pamh, style, &response, - promptstr[i], challenge); - if (retval != PAM_SUCCESS) { - opieunlock(); - return (retval); - } - - PAM_LOG("Completed challenge %d: %s", i, response); - - if (response[0] != '\0') - break; - - /* Second time round, echo the password */ - style = PAM_PROMPT_ECHO_ON; - } - - pam_set_item(pamh, PAM_AUTHTOK, response); - - /* - * Opieverify is supposed to return -1 only if an error occurs. - * But it returns -1 even if the response string isn't in the form - * it expects. Thus we can't log an error and can only check for - * success or lack thereof. - */ - retval = opieverify(&opie, response); - free(response); - return (retval == 0 ? PAM_SUCCESS : PAM_AUTH_ERR); -} - -PAM_EXTERN int -pam_sm_setcred(pam_handle_t *pamh __unused, int flags __unused, - int argc __unused, const char *argv[] __unused) -{ - - return (PAM_SUCCESS); -} - -PAM_MODULE_ENTRY("pam_opie"); diff --git a/lib/libpam/modules/pam_opieaccess/Makefile b/lib/libpam/modules/pam_opieaccess/Makefile deleted file mode 100644 index 2e764cd43a5b..000000000000 --- a/lib/libpam/modules/pam_opieaccess/Makefile +++ /dev/null @@ -1,9 +0,0 @@ -# $FreeBSD$ - -LIB= pam_opieaccess -SRCS= ${LIB}.c -MAN= pam_opieaccess.8 - -LIBADD+= opie - -.include <bsd.lib.mk> diff --git a/lib/libpam/modules/pam_opieaccess/Makefile.depend b/lib/libpam/modules/pam_opieaccess/Makefile.depend deleted file mode 100644 index 81514fa091b5..000000000000 --- a/lib/libpam/modules/pam_opieaccess/Makefile.depend +++ /dev/null 
@@ -1,18 +0,0 @@
-# $FreeBSD$
-# Autogenerated - do NOT edit!
-
-DIRDEPS = \
- gnu/lib/csu \
- include \
- lib/${CSU_DIR} \
- lib/libc \
- lib/libcompiler_rt \
- lib/libopie \
- lib/libpam/libpam \
-
-
-.include <dirdeps.mk>
-
-.if ${DEP_RELDIR} == ${_DEP_RELDIR}
-# local dependencies - needed for -jN in clean tree
-.endif
diff --git a/lib/libpam/modules/pam_opieaccess/pam_opieaccess.8 b/lib/libpam/modules/pam_opieaccess/pam_opieaccess.8
deleted file mode 100644
index 5521a85d1d44..000000000000
--- a/lib/libpam/modules/pam_opieaccess/pam_opieaccess.8
+++ /dev/null
@@ -1,142 +0,0 @@
-.\" Copyright (c) 2001 Mark R V Murray
-.\" All rights reserved.
-.\" Copyright (c) 2002 Networks Associates Technology, Inc.
-.\" All rights reserved.
-.\"
-.\" Portions of this software were developed for the FreeBSD Project by
-.\" ThinkSec AS and NAI Labs, the Security Research Division of Network
-.\" Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035
-.\" ("CBOSS"), as part of the DARPA CHATS research program.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in the
-.\" documentation and/or other materials provided with the distribution.
-.\" 3. The name of the author may not be used to endorse or promote
-.\" products derived from this software without specific prior written
-.\" permission.
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
-.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
-.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-.\" SUCH DAMAGE.
-.\" -.\" $FreeBSD$ -.\" -.Dd October 26, 2007 -.Dt PAM_OPIEACCESS 8 -.Os -.Sh NAME -.Nm pam_opieaccess -.Nd OPIEAccess PAM module -.Sh SYNOPSIS -.Op Ar service-name -.Ar module-type -.Ar control-flag -.Pa pam_opieaccess -.Op Ar options -.Sh DESCRIPTION -The -.Nm -module is used in conjunction with the -.Xr pam_opie 8 -PAM module to ascertain that authentication can proceed by other means -(such as the -.Xr pam_unix 8 -module) even if OPIE authentication failed. -To properly use this module, -.Xr pam_opie 8 -should be marked -.Dq Li sufficient , -and -.Nm -should be listed right below it and marked -.Dq Li requisite . -.Pp -The -.Nm -module provides functionality for only one PAM category: -authentication. -In terms of the -.Ar module-type -parameter, this is the -.Dq Li auth -feature. -It also provides null functions for the remaining module types. -.Ss OPIEAccess Authentication Module -The authentication component -.Pq Fn pam_sm_authenticate , -returns -.Dv PAM_SUCCESS -in two cases: -.Bl -enum -.It -The user does not have OPIE enabled. -.It -The user has OPIE enabled, and the remote host is listed as a trusted -host in -.Pa /etc/opieaccess , -and the user does not have a file named -.Pa \&.opiealways -in his home directory. -.El -.Pp -Otherwise, it returns -.Dv PAM_AUTH_ERR . -.Pp -The following options may be passed to the authentication module: -.Bl -tag -width ".Cm allow_local" -.It Cm allow_local -Normally, local logins are subjected to the same restrictions as -remote logins from -.Dq localhost . -This option causes -.Nm -to always allow local logins. -.It Cm debug -.Xr syslog 3 -debugging information at -.Dv LOG_DEBUG -level. -.It Cm no_warn -suppress warning messages to the user. -These messages include reasons why the user's authentication attempt -was declined. -.El -.Sh FILES -.Bl -tag -width ".Pa $HOME/.opiealways" -.It Pa /etc/opieaccess -List of trusted hosts or networks. -See -.Xr opieaccess 5 -for a description of its syntax. 
-.It Pa $HOME/.opiealways -The presence of this file makes OPIE mandatory for the user. -.El -.Sh SEE ALSO -.Xr opie 4 , -.Xr opieaccess 5 , -.Xr pam.conf 5 , -.Xr pam 8 , -.Xr pam_opie 8 -.Sh AUTHORS -The -.Nm -module and this manual page were developed for the -.Fx -Project by -ThinkSec AS and NAI Labs, the Security Research Division of Network -Associates, Inc.\& under DARPA/SPAWAR contract N66001-01-C-8035 -.Pq Dq CBOSS , -as part of the DARPA CHATS research program. diff --git a/lib/libpam/modules/pam_opieaccess/pam_opieaccess.c b/lib/libpam/modules/pam_opieaccess/pam_opieaccess.c deleted file mode 100644 index 090d98e5f2a6..000000000000 --- a/lib/libpam/modules/pam_opieaccess/pam_opieaccess.c +++ /dev/null 
@@ -1,97 +0,0 @@ -/*- - * SPDX-License-Identifier: BSD-3-Clause - * - * Copyright (c) 2002 Networks Associates Technology, Inc. - * All rights reserved. - * - * This software was developed for the FreeBSD Project by ThinkSec AS and - * NAI Labs, the Security Research Division of Network Associates, Inc. - * under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the - * DARPA CHATS research program. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. The name of the author may not be used to endorse or promote - * products derived from this software without specific prior written - * permission. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- */ - -#include <sys/cdefs.h> -__FBSDID("$FreeBSD$"); - -#define _BSD_SOURCE - -#include <sys/types.h> -#include <opie.h> -#include <pwd.h> -#include <unistd.h> -#include <syslog.h> - -#define PAM_SM_AUTH - -#include <security/pam_appl.h> -#include <security/pam_modules.h> -#include <security/pam_mod_misc.h> - -PAM_EXTERN int -pam_sm_authenticate(pam_handle_t *pamh, int flags __unused, - int argc __unused, const char *argv[] __unused) -{ - struct opie opie; - struct passwd *pwent; - const void *luser, *rhost; - int r; - - r = pam_get_item(pamh, PAM_USER, &luser); - if (r != PAM_SUCCESS) - return (r); - if (luser == NULL) - return (PAM_SERVICE_ERR); - - pwent = getpwnam(luser); - if (pwent == NULL || opielookup(&opie, __DECONST(char *, luser)) != 0) - return (PAM_SUCCESS); - - r = pam_get_item(pamh, PAM_RHOST, &rhost); - if (r != PAM_SUCCESS) - return (r); - if (rhost == NULL || *(const char *)rhost == '\0') - rhost = openpam_get_option(pamh, "allow_local") ? - "" : "localhost"; - - if (opieaccessfile(__DECONST(char *, rhost)) != 0 && - opiealways(pwent->pw_dir) != 0) - return (PAM_SUCCESS); - - PAM_VERBOSE_ERROR("Refused; remote host is not in opieaccess"); - - return (PAM_AUTH_ERR); -} - -PAM_EXTERN int -pam_sm_setcred(pam_handle_t *pamh __unused, int flags __unused, - int argc __unused, const char *argv[] __unused) -{ - - return (PAM_SUCCESS); -} - -PAM_MODULE_ENTRY("pam_opieaccess"); diff --git a/lib/libpam/modules/pam_passwdqc/Makefile b/lib/libpam/modules/pam_passwdqc/Makefile index 2b10fdcae4a9..60d27529dd19 100644 --- a/lib/libpam/modules/pam_passwdqc/Makefile +++ b/lib/libpam/modules/pam_passwdqc/Makefile @@ -1,4 +1,3 @@ -# $FreeBSD$ SRCDIR= ${SRCTOP}/contrib/pam_modules/pam_passwdqc .PATH: ${SRCDIR} diff --git a/lib/libpam/modules/pam_passwdqc/Makefile.depend b/lib/libpam/modules/pam_passwdqc/Makefile.depend index 3e2c57639cd5..c056162bff30 100644 --- a/lib/libpam/modules/pam_passwdqc/Makefile.depend +++ b/lib/libpam/modules/pam_passwdqc/Makefile.depend 
@@ -1,8 +1,6 @@ -# $FreeBSD$ # Autogenerated - do NOT edit! DIRDEPS = \ - gnu/lib/csu \ include \ include/xlocale \ lib/${CSU_DIR} \ diff --git a/lib/libpam/modules/pam_passwdqc/pam_passwdqc.8 b/lib/libpam/modules/pam_passwdqc/pam_passwdqc.8 index abdd3907e972..f2ec1747d1f8 100644 --- a/lib/libpam/modules/pam_passwdqc/pam_passwdqc.8 +++ b/lib/libpam/modules/pam_passwdqc/pam_passwdqc.8 @@ -32,8 +32,6 @@ .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.\" $FreeBSD$ -.\" .Dd April 15, 2002 .Dt PAM_PASSWDQC 8 .Os @@ -251,7 +249,7 @@ is that the former is incompatible with .Sh SEE ALSO .Xr getpwnam 3 , .Xr pam.conf 5 , -.Xr pam 8 +.Xr pam 3 .Sh AUTHORS The .Nm diff --git a/lib/libpam/modules/pam_permit/Makefile b/lib/libpam/modules/pam_permit/Makefile index dbbd5b5d5813..5606fe1cf75a 100644 --- a/lib/libpam/modules/pam_permit/Makefile +++ b/lib/libpam/modules/pam_permit/Makefile @@ -22,7 +22,6 @@ # OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF # SUCH DAMAGE. # -# $FreeBSD$ LIB= pam_permit SRCS= pam_permit.c diff --git a/lib/libpam/modules/pam_permit/Makefile.depend b/lib/libpam/modules/pam_permit/Makefile.depend index 5fb710255efc..a8b8ddf9d074 100644 --- a/lib/libpam/modules/pam_permit/Makefile.depend +++ b/lib/libpam/modules/pam_permit/Makefile.depend @@ -1,8 +1,6 @@ -# $FreeBSD$ # Autogenerated - do NOT edit! DIRDEPS = \ - gnu/lib/csu \ include \ lib/${CSU_DIR} \ lib/libc \ diff --git a/lib/libpam/modules/pam_permit/pam_permit.8 b/lib/libpam/modules/pam_permit/pam_permit.8 index c7d98ab48e16..f0b2f5527066 100644 --- a/lib/libpam/modules/pam_permit/pam_permit.8 +++ b/lib/libpam/modules/pam_permit/pam_permit.8 @@ -22,8 +22,6 @@ .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.\" $FreeBSD$ -.\" .Dd July 7, 2001 .Dt PAM_PERMIT 8 .Os @@ -72,4 +70,4 @@ level. .Sh SEE ALSO .Xr syslog 3 , .Xr pam.conf 5 , -.Xr pam 8 +.Xr pam 3 
diff --git a/lib/libpam/modules/pam_permit/pam_permit.c b/lib/libpam/modules/pam_permit/pam_permit.c index 38f44b222609..9dfc76ce5cf2 100644 --- a/lib/libpam/modules/pam_permit/pam_permit.c +++ b/lib/libpam/modules/pam_permit/pam_permit.c @@ -1,5 +1,5 @@ /*- - * SPDX-License-Identifier: BSD-2-Clause-FreeBSD + * SPDX-License-Identifier: BSD-2-Clause * * Copyright 2001 Mark R V Murray * All rights reserved. @@ -27,8 +27,6 @@ */ #include <sys/cdefs.h> -__FBSDID("$FreeBSD$"); - #include <stddef.h> #define PAM_SM_AUTH diff --git a/lib/libpam/modules/pam_radius/Makefile b/lib/libpam/modules/pam_radius/Makefile index a9a93e2ab2b5..ab39fedcee04 100644 --- a/lib/libpam/modules/pam_radius/Makefile +++ b/lib/libpam/modules/pam_radius/Makefile @@ -22,7 +22,6 @@ # OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF # SUCH DAMAGE. # -# $FreeBSD$ LIB= pam_radius SRCS= pam_radius.c diff --git a/lib/libpam/modules/pam_radius/Makefile.depend b/lib/libpam/modules/pam_radius/Makefile.depend index 88b5297a79c5..1e4d327901e8 100644 --- a/lib/libpam/modules/pam_radius/Makefile.depend +++ b/lib/libpam/modules/pam_radius/Makefile.depend @@ -1,8 +1,6 @@ -# $FreeBSD$ # Autogenerated - do NOT edit! DIRDEPS = \ - gnu/lib/csu \ include \ include/xlocale \ lib/${CSU_DIR} \ diff --git a/lib/libpam/modules/pam_radius/pam_radius.8 b/lib/libpam/modules/pam_radius/pam_radius.8 index 9d12c0b0b6ce..6b2d1ef1fa55 100644 --- a/lib/libpam/modules/pam_radius/pam_radius.8 +++ b/lib/libpam/modules/pam_radius/pam_radius.8 @@ -33,8 +33,6 @@ .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.\" $FreeBSD$ -.\" .Dd May 16, 2018 .Dt PAM_RADIUS 8 .Os @@ -127,7 +125,7 @@ The standard RADIUS client configuration file for .Sh SEE ALSO .Xr passwd 5 , .Xr radius.conf 5 , -.Xr pam 8 +.Xr pam 3 .Sh HISTORY The .Nm diff --git a/lib/libpam/modules/pam_radius/pam_radius.c b/lib/libpam/modules/pam_radius/pam_radius.c index 377652382dc4..027916b38138 100644 
--- a/lib/libpam/modules/pam_radius/pam_radius.c +++ b/lib/libpam/modules/pam_radius/pam_radius.c @@ -38,9 +38,6 @@ * SUCH DAMAGE. */ -#include <sys/cdefs.h> -__FBSDID("$FreeBSD$"); - #include <sys/param.h> #include <sys/socket.h> #include <netdb.h> diff --git a/lib/libpam/modules/pam_rhosts/Makefile b/lib/libpam/modules/pam_rhosts/Makefile index 866267e63e11..af94a24599ab 100644 --- a/lib/libpam/modules/pam_rhosts/Makefile +++ b/lib/libpam/modules/pam_rhosts/Makefile @@ -1,4 +1,3 @@ -# $FreeBSD$ LIB= pam_rhosts SRCS= pam_rhosts.c diff --git a/lib/libpam/modules/pam_rhosts/Makefile.depend b/lib/libpam/modules/pam_rhosts/Makefile.depend index a3a7ac4e5850..0665960a2cd2 100644 --- a/lib/libpam/modules/pam_rhosts/Makefile.depend +++ b/lib/libpam/modules/pam_rhosts/Makefile.depend @@ -1,8 +1,6 @@ -# $FreeBSD$ # Autogenerated - do NOT edit! DIRDEPS = \ - gnu/lib/csu \ include \ include/xlocale \ lib/${CSU_DIR} \ diff --git a/lib/libpam/modules/pam_rhosts/pam_rhosts.8 b/lib/libpam/modules/pam_rhosts/pam_rhosts.8 index 8adfcc6ed5ae..ea005738840c 100644 --- a/lib/libpam/modules/pam_rhosts/pam_rhosts.8 +++ b/lib/libpam/modules/pam_rhosts/pam_rhosts.8 @@ -32,8 +32,6 @@ .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.\" $FreeBSD$ -.\" .Dd December 5, 2001 .Dt PAM_RHOSTS 8 .Os @@ -82,7 +80,7 @@ do not automatically fail if the target user's UID is 0. .Sh SEE ALSO .Xr hosts.equiv 5 , .Xr pam.conf 5 , -.Xr pam 8 +.Xr pam 3 .Sh AUTHORS The .Nm diff --git a/lib/libpam/modules/pam_rhosts/pam_rhosts.c b/lib/libpam/modules/pam_rhosts/pam_rhosts.c index e8b6ba461b2c..597fb47e95c8 100644 --- a/lib/libpam/modules/pam_rhosts/pam_rhosts.c +++ b/lib/libpam/modules/pam_rhosts/pam_rhosts.c @@ -37,8 +37,6 @@ */ #include <sys/cdefs.h> -__FBSDID("$FreeBSD$"); - #include <pwd.h> #include <stddef.h> #include <string.h> 
diff --git a/lib/libpam/modules/pam_rootok/Makefile b/lib/libpam/modules/pam_rootok/Makefile index 8582daae97c5..668eeef7f7d9 100644 --- a/lib/libpam/modules/pam_rootok/Makefile +++ b/lib/libpam/modules/pam_rootok/Makefile @@ -22,7 +22,6 @@ # OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF # SUCH DAMAGE. # -# $FreeBSD$ LIB= pam_rootok SRCS= pam_rootok.c diff --git a/lib/libpam/modules/pam_rootok/Makefile.depend b/lib/libpam/modules/pam_rootok/Makefile.depend index 5fb710255efc..a8b8ddf9d074 100644 --- a/lib/libpam/modules/pam_rootok/Makefile.depend +++ b/lib/libpam/modules/pam_rootok/Makefile.depend @@ -1,8 +1,6 @@ -# $FreeBSD$ # Autogenerated - do NOT edit! DIRDEPS = \ - gnu/lib/csu \ include \ lib/${CSU_DIR} \ lib/libc \ diff --git a/lib/libpam/modules/pam_rootok/pam_rootok.8 b/lib/libpam/modules/pam_rootok/pam_rootok.8 index 4203fbd246b7..d1ab8226e2ca 100644 --- a/lib/libpam/modules/pam_rootok/pam_rootok.8 +++ b/lib/libpam/modules/pam_rootok/pam_rootok.8 @@ -22,8 +22,6 @@ .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.\" $FreeBSD$ -.\" .Dd July 8, 2001 .Dt PAM_ROOTOK 8 .Os @@ -72,4 +70,4 @@ authentication attempt was declined. .Sh SEE ALSO .Xr getuid 2 , .Xr pam.conf 5 , -.Xr pam 8 +.Xr pam 3 diff --git a/lib/libpam/modules/pam_rootok/pam_rootok.c b/lib/libpam/modules/pam_rootok/pam_rootok.c index c5540a2683e3..d267d267ef27 100644 --- a/lib/libpam/modules/pam_rootok/pam_rootok.c +++ b/lib/libpam/modules/pam_rootok/pam_rootok.c @@ -37,8 +37,6 @@ */ #include <sys/cdefs.h> -__FBSDID("$FreeBSD$"); - #define _BSD_SOURCE #include <unistd.h> diff --git a/lib/libpam/modules/pam_securetty/Makefile b/lib/libpam/modules/pam_securetty/Makefile index 8eb3e6e7a6d1..3a36a37b543c 100644 --- a/lib/libpam/modules/pam_securetty/Makefile +++ b/lib/libpam/modules/pam_securetty/Makefile 
@@ -22,7 +22,8 @@ # OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF # SUCH DAMAGE. # -# $FreeBSD$ + +PACKAGE= runtime LIB= pam_securetty SRCS= pam_securetty.c diff --git a/lib/libpam/modules/pam_securetty/Makefile.depend b/lib/libpam/modules/pam_securetty/Makefile.depend index a3a7ac4e5850..0665960a2cd2 100644 --- a/lib/libpam/modules/pam_securetty/Makefile.depend +++ b/lib/libpam/modules/pam_securetty/Makefile.depend @@ -1,8 +1,6 @@ -# $FreeBSD$ # Autogenerated - do NOT edit! DIRDEPS = \ - gnu/lib/csu \ include \ include/xlocale \ lib/${CSU_DIR} \ diff --git a/lib/libpam/modules/pam_securetty/pam_securetty.8 b/lib/libpam/modules/pam_securetty/pam_securetty.8 index 5825fb452a7a..b19979000978 100644 --- a/lib/libpam/modules/pam_securetty/pam_securetty.8 +++ b/lib/libpam/modules/pam_securetty/pam_securetty.8 @@ -32,8 +32,6 @@ .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.\" $FreeBSD$ -.\" .Dd July 8, 2001 .Dt PAM_SECURETTY 8 .Os @@ -89,4 +87,4 @@ authentication attempt was declined. .Xr syslog 3 , .Xr pam.conf 5 , .Xr ttys 5 , -.Xr pam 8 +.Xr pam 3 diff --git a/lib/libpam/modules/pam_securetty/pam_securetty.c b/lib/libpam/modules/pam_securetty/pam_securetty.c index 50574d315608..4f05961e2737 100644 --- a/lib/libpam/modules/pam_securetty/pam_securetty.c +++ b/lib/libpam/modules/pam_securetty/pam_securetty.c @@ -36,9 +36,6 @@ * SUCH DAMAGE. */ -#include <sys/cdefs.h> -__FBSDID("$FreeBSD$"); - #include <sys/types.h> #include <sys/stat.h> #include <pwd.h> diff --git a/lib/libpam/modules/pam_self/Makefile b/lib/libpam/modules/pam_self/Makefile index 50718e179846..0a58728fea52 100644 --- a/lib/libpam/modules/pam_self/Makefile +++ b/lib/libpam/modules/pam_self/Makefile @@ -22,7 +22,8 @@ # OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF # SUCH DAMAGE. # -# $FreeBSD$ + +PACKAGE= runtime LIB= pam_self SRCS= pam_self.c 
diff --git a/lib/libpam/modules/pam_self/Makefile.depend b/lib/libpam/modules/pam_self/Makefile.depend index 5fb710255efc..a8b8ddf9d074 100644 --- a/lib/libpam/modules/pam_self/Makefile.depend +++ b/lib/libpam/modules/pam_self/Makefile.depend @@ -1,8 +1,6 @@ -# $FreeBSD$ # Autogenerated - do NOT edit! DIRDEPS = \ - gnu/lib/csu \ include \ lib/${CSU_DIR} \ lib/libc \ diff --git a/lib/libpam/modules/pam_self/pam_self.8 b/lib/libpam/modules/pam_self/pam_self.8 index d021434770c6..c3623998f0be 100644 --- a/lib/libpam/modules/pam_self/pam_self.8 +++ b/lib/libpam/modules/pam_self/pam_self.8 @@ -32,8 +32,6 @@ .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.\" $FreeBSD$ -.\" .Dd December 5, 2001 .Dt PAM_SELF 8 .Os @@ -83,7 +81,7 @@ do not automatically fail if the current real user ID is 0. .Sh SEE ALSO .Xr getuid 2 , .Xr pam.conf 5 , -.Xr pam 8 +.Xr pam 3 .Sh AUTHORS The .Nm diff --git a/lib/libpam/modules/pam_self/pam_self.c b/lib/libpam/modules/pam_self/pam_self.c index de69f408d3f9..fceb6466d8fb 100644 --- a/lib/libpam/modules/pam_self/pam_self.c +++ b/lib/libpam/modules/pam_self/pam_self.c @@ -37,8 +37,6 @@ */ #include <sys/cdefs.h> -__FBSDID("$FreeBSD$"); - #define _BSD_SOURCE #include <pwd.h> diff --git a/lib/libpam/modules/pam_ssh/Makefile b/lib/libpam/modules/pam_ssh/Makefile index d2168b395d88..6652244a84af 100644 --- a/lib/libpam/modules/pam_ssh/Makefile +++ b/lib/libpam/modules/pam_ssh/Makefile @@ -1,5 +1,4 @@ # PAM module for SSH -# $FreeBSD$ SSHDIR= ${SRCTOP}/crypto/openssh diff --git a/lib/libpam/modules/pam_ssh/Makefile.depend b/lib/libpam/modules/pam_ssh/Makefile.depend index bee3c0e355ef..7cba2082bc24 100644 --- a/lib/libpam/modules/pam_ssh/Makefile.depend +++ b/lib/libpam/modules/pam_ssh/Makefile.depend @@ -1,8 +1,6 @@ -# $FreeBSD$ # Autogenerated - do NOT edit! DIRDEPS = \ - gnu/lib/csu \ include \ include/xlocale \ lib/${CSU_DIR} \ 
diff --git a/lib/libpam/modules/pam_ssh/pam_ssh.8 b/lib/libpam/modules/pam_ssh/pam_ssh.8 index 1afcfc77e6c1..e63930eb5340 100644 --- a/lib/libpam/modules/pam_ssh/pam_ssh.8 +++ b/lib/libpam/modules/pam_ssh/pam_ssh.8 @@ -32,8 +32,6 @@ .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.\" $FreeBSD$ -.\" .Dd October 7, 2011 .Dt PAM_SSH 8 .Os @@ -141,7 +139,7 @@ SSH2 Ed25519 key .Sh SEE ALSO .Xr ssh-agent 1 , .Xr pam.conf 5 , -.Xr pam 8 +.Xr pam 3 .Sh AUTHORS The .Nm diff --git a/lib/libpam/modules/pam_ssh/pam_ssh.c b/lib/libpam/modules/pam_ssh/pam_ssh.c index 9b30ba935a7b..157908b6b910 100644 --- a/lib/libpam/modules/pam_ssh/pam_ssh.c +++ b/lib/libpam/modules/pam_ssh/pam_ssh.c @@ -35,9 +35,6 @@ * SUCH DAMAGE. */ -#include <sys/cdefs.h> -__FBSDID("$FreeBSD$"); - #include <sys/param.h> #include <sys/wait.h> @@ -65,7 +62,7 @@ __FBSDID("$FreeBSD$"); #include "sshkey.h" #define ssh_add_identity(auth, key, comment) \ - ssh_add_identity_constrained(auth, key, comment, 0, 0, 0) + ssh_add_identity_constrained(auth, key, comment, 0, 0, 0, NULL, NULL, 0) extern char **environ; diff --git a/lib/libpam/modules/pam_tacplus/Makefile b/lib/libpam/modules/pam_tacplus/Makefile index 5d2a3f34a4d0..2b558d9f72b3 100644 --- a/lib/libpam/modules/pam_tacplus/Makefile +++ b/lib/libpam/modules/pam_tacplus/Makefile @@ -22,7 +22,6 @@ # OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF # SUCH DAMAGE. # -# $FreeBSD$ LIB= pam_tacplus SRCS= pam_tacplus.c diff --git a/lib/libpam/modules/pam_tacplus/Makefile.depend b/lib/libpam/modules/pam_tacplus/Makefile.depend index bab66eeb796c..d17468f1a7ac 100644 --- a/lib/libpam/modules/pam_tacplus/Makefile.depend +++ b/lib/libpam/modules/pam_tacplus/Makefile.depend @@ -1,8 +1,6 @@ -# $FreeBSD$ # Autogenerated - do NOT edit! DIRDEPS = \ - gnu/lib/csu \ include \ include/xlocale \ lib/${CSU_DIR} \ 
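Review bot: The widened `ssh_add_identity()` macro in pam_ssh.c now passes three extra positional arguments, `NULL, NULL, 0`, with nothing in the hunk saying what they stand for, so the next OpenSSH import will again be edited blind. A comment above the `#define` naming the trailing parameters of `ssh_add_identity_constrained()` — life, confirm, maxsign, then (if I read the current OpenSSH authfd.h prototype right) provider, destination constraints and their count — would make the call self-explaining, e.g. `/* life=0, confirm=0, maxsign=0, provider=NULL, dest_constraints=NULL, ndest_constraints=0 */`. Since all six are "no constraint" values the behaviour is presumably unchanged, but that is worth stating in the comment rather than leaving it to be inferred.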
diff --git a/lib/libpam/modules/pam_tacplus/pam_tacplus.8 b/lib/libpam/modules/pam_tacplus/pam_tacplus.8 index ee8cc78e0d9f..ad37b3bba95a 100644 --- a/lib/libpam/modules/pam_tacplus/pam_tacplus.8 +++ b/lib/libpam/modules/pam_tacplus/pam_tacplus.8 @@ -32,9 +32,7 @@ .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.\" $FreeBSD$ -.\" -.Dd August 2, 1999 +.Dd May 17, 2023 .Dt PAM_TACPLUS 8 .Os .Sh NAME @@ -103,9 +101,10 @@ The standard TACACS+ client configuration file for .Nm .El .Sh SEE ALSO +.Xr pam 3 , .Xr passwd 5 , .Xr tacplus.conf 5 , -.Xr pam 8 +.Xr nss_tacplus 8 .Sh HISTORY The .Nm diff --git a/lib/libpam/modules/pam_tacplus/pam_tacplus.c b/lib/libpam/modules/pam_tacplus/pam_tacplus.c index 8f8e9d553ee7..dd19d7da0557 100644 --- a/lib/libpam/modules/pam_tacplus/pam_tacplus.c +++ b/lib/libpam/modules/pam_tacplus/pam_tacplus.c @@ -36,9 +36,6 @@ * SUCH DAMAGE. */ -#include <sys/cdefs.h> -__FBSDID("$FreeBSD$"); - #include <sys/param.h> #include <pwd.h> diff --git a/lib/libpam/modules/pam_unix/Makefile b/lib/libpam/modules/pam_unix/Makefile index 5330ae4a5f98..2e76f054c502 100644 --- a/lib/libpam/modules/pam_unix/Makefile +++ b/lib/libpam/modules/pam_unix/Makefile @@ -32,11 +32,12 @@ # OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF # SUCH DAMAGE. # -# $FreeBSD$ .include <src.opts.mk> .include <bsd.init.mk> +PACKAGE= runtime + LIB= pam_unix SRCS= pam_unix.c MAN= pam_unix.8 diff --git a/lib/libpam/modules/pam_unix/Makefile.depend b/lib/libpam/modules/pam_unix/Makefile.depend index 1327176e9c55..e852c4988ea6 100644 --- a/lib/libpam/modules/pam_unix/Makefile.depend +++ b/lib/libpam/modules/pam_unix/Makefile.depend @@ -1,4 +1,3 @@ -# $FreeBSD$ # Autogenerated - do NOT edit! DIRDEPS = \ diff --git a/lib/libpam/modules/pam_unix/Makefile.depend.options b/lib/libpam/modules/pam_unix/Makefile.depend.options index e7289cb56ce3..a43cdcfaffb4 100644 --- a/lib/libpam/modules/pam_unix/Makefile.depend.options 
+++ b/lib/libpam/modules/pam_unix/Makefile.depend.options @@ -1,4 +1,3 @@ -# $FreeBSD$ # This file is not autogenerated - take care! DIRDEPS_OPTIONS= NIS diff --git a/lib/libpam/modules/pam_unix/pam_unix.8 b/lib/libpam/modules/pam_unix/pam_unix.8 index 03f8feaf4ba9..170cf65f34db 100644 --- a/lib/libpam/modules/pam_unix/pam_unix.8 +++ b/lib/libpam/modules/pam_unix/pam_unix.8 @@ -32,8 +32,6 @@ .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.\" $FreeBSD$ -.\" .Dd April 3, 2020 .Dt PAM_UNIX 8 .Os @@ -206,7 +204,7 @@ password database. .Xr syslog 3 , .Xr nsswitch.conf 5 , .Xr passwd 5 , -.Xr pam 8 , +.Xr pam 3 , .Xr pw 8 , .Xr yp 8 .Sh BUGS diff --git a/lib/libpam/modules/pam_unix/pam_unix.c b/lib/libpam/modules/pam_unix/pam_unix.c index 29588f0af1ea..88313f6ebae8 100644 --- a/lib/libpam/modules/pam_unix/pam_unix.c +++ b/lib/libpam/modules/pam_unix/pam_unix.c @@ -36,9 +36,6 @@ * SUCH DAMAGE. */ -#include <sys/cdefs.h> -__FBSDID("$FreeBSD$"); - #include <sys/param.h> #include <sys/socket.h> #include <sys/time.h> @@ -76,7 +73,7 @@ __FBSDID("$FreeBSD$"); #define LOCKED_PREFIX "*LOCKED*" #define LOCKED_PREFIX_LEN (sizeof(LOCKED_PREFIX) - 1) -static void makesalt(char []); +static void makesalt(char [SALTSIZE + 1]); static char password_hash[] = PASSWORD_HASH; @@ -87,7 +84,7 @@ static char password_hash[] = PASSWORD_HASH; * authentication management */ PAM_EXTERN int -pam_sm_authenticate(pam_handle_t *pamh, int flags __unused, +pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc __unused, const char *argv[] __unused) { login_cap_t *lc; diff --git a/lib/libpam/modules/pam_xdg/Makefile b/lib/libpam/modules/pam_xdg/Makefile new file mode 100644 index 000000000000..2a470e0850bf --- /dev/null +++ b/lib/libpam/modules/pam_xdg/Makefile @@ -0,0 +1,6 @@ + +LIB= pam_xdg +SRCS= pam_xdg.c +MAN= pam_xdg.8 + +.include <bsd.lib.mk> 
diff --git a/lib/libpam/modules/pam_xdg/pam_xdg.8 b/lib/libpam/modules/pam_xdg/pam_xdg.8 new file mode 100644 index 000000000000..1a8b53def051 --- /dev/null +++ b/lib/libpam/modules/pam_xdg/pam_xdg.8 
@@ -0,0 +1,56 @@ +.\" * SPDX-License-Identifier: BSD-2-Clause +.\" +.\" Copyright (c) 2024 Beckhoff Automation GmbH & Co. KG +.\" +.\" * Redistribution and use in source and binary forms, with or without +.\" * modification, are permitted provided that the following conditions +.\" * are met: +.\" * 1. Redistributions of source code must retain the above copyright +.\" * notice, this list of conditions and the following disclaimer. +.\" * 2. Redistributions in binary form must reproduce the above copyright +.\" * notice, this list of conditions and the following disclaimer in the +.\" * documentation and/or other materials provided with the distribution. +.\" * +.\" * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND +.\" * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE +.\" * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" * SUCH DAMAGE. +.Dd February 21, 2024 +.Dt PAM_XDG 8 +.Os +.Sh NAME +.Nm pam_xdg +.Nd XDG PAM module +.Sh SYNOPSIS +.Op Ar service-name +.Ar module-type +.Ar control-flag +.Pa pam_xdg +.Op Ar arguments +.Sh DESCRIPTION +The xdg service module for PAM sets up the runtime directory according +to the XDG specifications. +.Pp +By default the directory is created under +.Pa /var/run/xdg/<username> . 
+.Pp +The following option may be passed to the authentication module: +.Bl -tag -width ".Cm runtime_dir" +.It Cm runtime_dir Ns = Ns Ar directory +Use an alternate base directory +.El +.Sh SEE ALSO +.Xr pam 3 , +.Xr pam.conf 5 +.Sh AUTHORS +The +.Nm +module and this manual page were written by +.An Emmanuel Vadot Aq Mt manu@FreeBSD.org . diff --git a/lib/libpam/modules/pam_xdg/pam_xdg.c b/lib/libpam/modules/pam_xdg/pam_xdg.c new file mode 100644 index 000000000000..4d586a21566a --- /dev/null +++ b/lib/libpam/modules/pam_xdg/pam_xdg.c 
@@ -0,0 +1,328 @@
+/*-
+ * SPDX-License-Identifier: BSD-2-Clause
+ *
+ * Copyright (c) 2024 Beckhoff Automation GmbH & Co. KG
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include <sys/stat.h>
+#include <dirent.h>
+#include <errno.h>
+#include <fcntl.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+#include <pwd.h>
+
+#define PAM_SM_SESSION
+
+#include <security/pam_appl.h>
+#include <security/pam_modules.h>
+#include <security/pam_mod_misc.h>
+
+#define BASE_RUNTIME_DIR_PREFIX "/var/run/xdg"
+#define RUNTIME_DIR_PREFIX runtime_dir_prefix != NULL ? runtime_dir_prefix : BASE_RUNTIME_DIR_PREFIX
+
+#define RUNTIME_DIR_PREFIX_MODE 0711
+#define RUNTIME_DIR_MODE 0700 /* XDG spec */
+
+#define XDG_MAX_SESSION 100 /* Arbitrary limit because we need one */
+
+static int
+_pam_xdg_open(pam_handle_t *pamh, int flags __unused,
+ int argc __unused, const char *argv[] __unused)
+{
+ struct passwd *passwd;
+ const char *user;
+ const char *runtime_dir_prefix;
+ struct stat sb;
+ char *runtime_dir = NULL;
+ char *xdg_session_file;
+ int rv, rt_dir_prefix, rt_dir, session_file, i;
+
+ session_file = -1;
+ rt_dir_prefix = -1;
+ runtime_dir_prefix = openpam_get_option(pamh, "runtime_dir_prefix");
+
+ /* Get user info */
+ rv = pam_get_item(pamh, PAM_USER, (const void **)&user);
+ if (rv != PAM_SUCCESS) {
+ PAM_VERBOSE_ERROR("Can't get user information");
+ goto out;
+ }
+ if ((passwd = getpwnam(user)) == NULL) {
+ PAM_VERBOSE_ERROR("Can't get user information");
+ rv = PAM_SESSION_ERR;
+ goto out;
+ }
+
+ /* Open or create the base xdg directory */
+ rt_dir_prefix = open(RUNTIME_DIR_PREFIX, O_DIRECTORY | O_NOFOLLOW);
+ if (rt_dir_prefix < 0) {
+ rt_dir_prefix = mkdir(RUNTIME_DIR_PREFIX, RUNTIME_DIR_PREFIX_MODE);
+ if (rt_dir_prefix != 0) {
+ PAM_VERBOSE_ERROR("Can't mkdir %s", RUNTIME_DIR_PREFIX);
+ rv = PAM_SESSION_ERR;
+ goto out;
+ }
+ rt_dir_prefix = open(RUNTIME_DIR_PREFIX, O_DIRECTORY | O_NOFOLLOW);
+ }
+
+ /* Open or create the user xdg directory */
+ rt_dir = openat(rt_dir_prefix, user, O_DIRECTORY | O_NOFOLLOW);
+ if (rt_dir < 0) {
+ rt_dir = mkdirat(rt_dir_prefix, user, RUNTIME_DIR_MODE);
+ if (rt_dir != 0) {
+ PAM_VERBOSE_ERROR("mkdir: %s/%s (%d)", RUNTIME_DIR_PREFIX, user, rt_dir);
+ rv = PAM_SESSION_ERR;
+ goto out;
+ }
+ rv = fchownat(rt_dir_prefix, user, passwd->pw_uid, passwd->pw_gid, 0);
+ if (rv != 0) {
+ PAM_VERBOSE_ERROR("fchownat: %s/%s (%d)", RUNTIME_DIR_PREFIX, user, rv);
+ rv = unlinkat(rt_dir_prefix, user, AT_REMOVEDIR);
+ if (rv == -1)
+ PAM_VERBOSE_ERROR("unlinkat: %s/%s (%d)", RUNTIME_DIR_PREFIX, user, errno);
+ rv = PAM_SESSION_ERR;
+ goto out;
+ }
+ } else {
+ /* Check that the already create dir is correctly owned */
+ rv = fstatat(rt_dir_prefix, user, &sb, 0);
+ if (rv == -1) {
+ PAM_VERBOSE_ERROR("fstatat %s/%s failed (%d)", RUNTIME_DIR_PREFIX, user, errno);
+ rv = PAM_SESSION_ERR;
+ goto out;
+ }
+ if (sb.st_uid != passwd->pw_uid ||
+ sb.st_gid != passwd->pw_gid) {
+ PAM_VERBOSE_ERROR("%s/%s isn't owned by %d:%d\n", RUNTIME_DIR_PREFIX, user, passwd->pw_uid, passwd->pw_gid);
+ rv = PAM_SESSION_ERR;
+ goto out;
+ }
+ /* Test directory mode */
+ if ((sb.st_mode & 0x1FF) != RUNTIME_DIR_MODE) {
+ PAM_VERBOSE_ERROR("%s/%s have wrong mode\n", RUNTIME_DIR_PREFIX, user);
+ rv = PAM_SESSION_ERR;
+ goto out;
+ }
+ }
+
+ /* Setup the environment variable */
+ rv = asprintf(&runtime_dir, "XDG_RUNTIME_DIR=%s/%s", RUNTIME_DIR_PREFIX, user);
+ if (rv < 0) {
+ PAM_VERBOSE_ERROR("asprintf failed %d\n", rv);
+ rv = PAM_SESSION_ERR;
+ goto out;
+ }
+ rv = pam_putenv(pamh, runtime_dir);
+ if (rv != PAM_SUCCESS) {
+ PAM_VERBOSE_ERROR("pam_putenv: failed (%d)", rv);
+ rv = PAM_SESSION_ERR;
+ goto out;
+ }
+
+ /* Setup the session count file */
+ for (i = 0; i < XDG_MAX_SESSION; i++) {
+ rv = asprintf(&xdg_session_file, "%s/xdg_session.%d", user, i);
+ if (rv < 0) {
+ PAM_VERBOSE_ERROR("asprintf failed %d\n", rv);
+ rv = PAM_SESSION_ERR;
+ goto out;
+ }
+ rv = 0;
+ session_file = openat(rt_dir_prefix, xdg_session_file, O_CREAT | O_EXCL, RUNTIME_DIR_MODE);
+ free(xdg_session_file);
+ if (session_file >= 0)
+ break;
+ }
+ if (session_file < 0) {
+ PAM_VERBOSE_ERROR("Too many sessions");
+ rv = PAM_SESSION_ERR;
+ goto out;
+ }
+
+out:
+ if (session_file >= 0)
+ close(session_file);
+ if (rt_dir_prefix >= 0)
+ close(rt_dir_prefix);
+
+ if (runtime_dir)
+ free(runtime_dir);
+ return (rv);
+}
+
+static int
+remove_dir(int fd)
+{
+ DIR *dirp;
+ struct dirent *dp;
+
+ dirp = fdopendir(fd);
+ if (dirp == NULL)
+ return (-1);
+
+ while ((dp = readdir(dirp)) != NULL) {
+ if (dp->d_type == DT_DIR) {
+ int dirfd;
+
+ if (strcmp(dp->d_name, ".") == 0 ||
+ strcmp(dp->d_name, "..") == 0)
+ continue;
+ dirfd = openat(fd, dp->d_name, 0);
+ remove_dir(dirfd);
+ close(dirfd);
+ unlinkat(fd, dp->d_name, AT_REMOVEDIR);
+ continue;
+ }
+ unlinkat(fd, dp->d_name, 0);
+ }
+ closedir(dirp);
+
+ return (0);
+}
+
+static int
+_pam_xdg_close(pam_handle_t *pamh __unused, int flags __unused,
+ int argc __unused, const char *argv[] __unused)
+{
+ struct passwd *passwd;
+ const char *user;
+ const char *runtime_dir_prefix;
+ struct stat sb;
+ char *xdg_session_file;
+ int rv, rt_dir_prefix, rt_dir, session_file, i;
+
+ rt_dir = -1;
+ rt_dir_prefix = -1;
+ runtime_dir_prefix = openpam_get_option(pamh, "runtime_dir_prefix");
+
+ /* Get user info */
+ rv = pam_get_item(pamh, PAM_USER, (const void **)&user);
+ if (rv != PAM_SUCCESS) {
+ PAM_VERBOSE_ERROR("Can't get user information");
+ goto out;
+ }
+ if ((passwd = getpwnam(user)) == NULL) {
+ PAM_VERBOSE_ERROR("Can't get user information");
+ rv = PAM_SESSION_ERR;
+ goto out;
+ }
+
+ /* Open the xdg base directory */
+ rt_dir_prefix = open(RUNTIME_DIR_PREFIX, O_DIRECTORY | O_NOFOLLOW);
+ if (rt_dir_prefix < 0) {
+ PAM_VERBOSE_ERROR("open: %s failed (%d)\n", runtime_dir_prefix, rt_dir_prefix);
+ rv = PAM_SESSION_ERR;
+ goto out;
+ }
+ /* Check that the already created dir is correctly owned */
+ rv = fstatat(rt_dir_prefix, user, &sb, 0);
+ if (rv == -1) {
+ PAM_VERBOSE_ERROR("fstatat %s/%s failed (%d)", RUNTIME_DIR_PREFIX, user, errno);
+ rv = PAM_SESSION_ERR;
+ goto out;
+ }
+ if (sb.st_uid != passwd->pw_uid ||
+ sb.st_gid != passwd->pw_gid) {
+ PAM_VERBOSE_ERROR("%s/%s isn't owned by %d:%d\n", RUNTIME_DIR_PREFIX, user, passwd->pw_uid, passwd->pw_gid);
+ rv = PAM_SESSION_ERR;
+ goto out;
+ }
+ /* Test directory mode */
+ if ((sb.st_mode & 0x1FF) != RUNTIME_DIR_MODE) {
+ PAM_VERBOSE_ERROR("%s/%s have wrong mode\n", RUNTIME_DIR_PREFIX, user);
+ rv = PAM_SESSION_ERR;
+ goto out;
+ }
+
+ /* Open the user xdg directory */
+ rt_dir = openat(rt_dir_prefix, user, O_DIRECTORY | O_NOFOLLOW);
+ if (rt_dir < 0) {
+ PAM_VERBOSE_ERROR("openat: %s/%s failed (%d)\n", RUNTIME_DIR_PREFIX, user, rt_dir_prefix);
+ rv = PAM_SESSION_ERR;
+ goto out;
+ }
+
+ /* Get the last session file created */
+ for (i = XDG_MAX_SESSION; i >= 0; i--) {
+ rv = asprintf(&xdg_session_file, "%s/xdg_session.%d", user, i);
+ if (rv < 0) {
+ PAM_VERBOSE_ERROR("asprintf failed %d\n", rv);
+ rv = PAM_SESSION_ERR;
+ goto out;
+ }
+ rv = 0;
+ session_file = openat(rt_dir_prefix, xdg_session_file, 0);
+ if (session_file >= 0) {
+ unlinkat(rt_dir_prefix, xdg_session_file, 0);
+ free(xdg_session_file);
+ break;
+ }
+ free(xdg_session_file);
+ }
+ if (session_file < 0) {
+ PAM_VERBOSE_ERROR("Can't find session number\n");
+ rv = PAM_SESSION_ERR;
+ goto out;
+ }
+ close(session_file);
+
+ /* Final cleanup if last user session */
+ if (i == 0) {
+ remove_dir(rt_dir);
+ if (unlinkat(rt_dir_prefix, user, AT_REMOVEDIR) != 0) {
+ PAM_VERBOSE_ERROR("Can't cleanup %s/%s\n", runtime_dir_prefix, user);
+ rv = PAM_SESSION_ERR;
+ goto out;
+ }
+ }
+
+ rv = PAM_SUCCESS;
+out:
+ if (rt_dir >= 0)
+ close(rt_dir);
+ if (rt_dir_prefix >= 0)
+ close(rt_dir_prefix);
+ return (rv);
+}
+
+PAM_EXTERN int
+pam_sm_open_session(pam_handle_t *pamh, int flags,
+ int argc, const char *argv[])
+{
+
+ return (_pam_xdg_open(pamh, flags, argc, argv));
+}
+
+PAM_EXTERN int
+pam_sm_close_session(pam_handle_t *pamh, int flags,
+ int argc, const char *argv[])
+{
+
+ return (_pam_xdg_close(pamh, flags, argc, argv));
+}
+
+PAM_MODULE_ENTRY("pam_xdg"); |
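Review bot: `remove_dir()` runs with the caller's (normally root) privileges inside a user-owned tree and opens each `DT_DIR` entry with `openat(fd, dp->d_name, 0)`, so an entry the user replaces with a symlink between `readdir()` and `openat()` is followed and the link target is emptied recursively; the subdirectory open needs `O_RDONLY | O_DIRECTORY | O_NOFOLLOW` and a check of the returned descriptor before recursing, as below. The same function hands `fd` to `fdopendir()`, which owns it from then on, yet the recursive call is followed by `close(dirfd)` and `_pam_xdg_close()` closes `rt_dir` again at `out:`, a double close that in a threaded host process can hit a descriptor reused in the meantime — drop the `close(dirfd)` and set `rt_dir = -1` once `remove_dir(rt_dir)` has returned 0. In both `_pam_xdg_open()` and `_pam_xdg_close()` the ownership and mode check uses `fstatat(rt_dir_prefix, user, &sb, 0)`, which re-resolves the name (following symlinks), rather than the directory the `openat(..., O_DIRECTORY | O_NOFOLLOW)` call actually returned; `rv = fstat(rt_dir, &sb);` on the opened descriptor checks the object that is then used. `_pam_xdg_open()` also never closes the `rt_dir` it obtains from `openat()` when the directory already exists, leaking one descriptor per session into the host process. Two smaller points: the messages `"open: %s failed (%d)\n"` and `"Can't cleanup %s/%s\n"` in `_pam_xdg_close()` pass the raw `runtime_dir_prefix`, which is NULL when the option is unset, where every other message uses `RUNTIME_DIR_PREFIX`; and the option the code reads, `runtime_dir_prefix`, does not match the `runtime_dir` option documented in the pam_xdg.8 hunk above.
```c
static int
remove_dir(int fd)
{
	DIR *dirp;
	struct dirent *dp;
	int dirfd;

	/* fdopendir() takes ownership of fd; closedir() below releases it. */
	dirp = fdopendir(fd);
	if (dirp == NULL)
		return (-1);

	while ((dp = readdir(dirp)) != NULL) {
		if (strcmp(dp->d_name, ".") == 0 ||
		    strcmp(dp->d_name, "..") == 0)
			continue;
		if (dp->d_type == DT_DIR) {
			/*
			 * Never follow a symlink swapped in since readdir();
			 * if the open fails the entry is left behind and the
			 * caller's unlinkat(AT_REMOVEDIR) reports the failure.
			 */
			dirfd = openat(fd, dp->d_name,
			    O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
			if (dirfd >= 0)
				remove_dir(dirfd);	/* consumes dirfd */
			unlinkat(fd, dp->d_name, AT_REMOVEDIR);
			continue;
		}
		unlinkat(fd, dp->d_name, 0);
	}
	closedir(dirp);

	return (0);
}
```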