-rw-r--r-- | Changelog | 12 | ||||
-rw-r--r-- | Makefile | 2 | ||||
-rw-r--r-- | USAGE | 18 | ||||
-rwxr-xr-x | configure | 18 | ||||
-rw-r--r-- | configure.ac | 2 | ||||
-rw-r--r-- | debian/changelog | 26 | ||||
-rw-r--r-- | debian/control | 9 | ||||
-rw-r--r-- | debian/copyright | 75 | ||||
-rw-r--r-- | debian/libpam-radius-auth.dirs | 4 | ||||
-rw-r--r-- | debian/libpam-radius-auth.install | 4 | ||||
-rw-r--r-- | debian/libpam-radius-auth.lintian-overrides | 9 | ||||
-rw-r--r-- | debian/libpam-radius-auth.manpages | 2 | ||||
-rw-r--r-- | debian/libpam-radius-auth.postinst | 3 | ||||
-rwxr-xr-x | debian/rules | 15 | ||||
-rw-r--r-- | pam_radius_auth.5 | 56 | ||||
-rw-r--r-- | pam_radius_auth.8 | 140 | ||||
-rw-r--r-- | pam_radius_auth.conf | 34 | ||||
-rw-r--r-- | src/pam_radius_auth.c | 154 |
18 files changed, 444 insertions, 139 deletions
@@ -1,7 +1,17 @@ 1.4.0 ----- - Many changes. See USAGE for details. + Many changes over 5 years: + src_ip in config file + ipv6 support + configure can use poll or select + Add Calling-Station-Id to accounting requests + mostly thread safe + add force_prompt option to enforce new password prompt for use with Tok + NetBSD fixes + new parameter max_challenge limits number of Access-Challenges + build: do not force flags, add to them instead. + build: use GCC for build, and ensure that unneeded symbols are not exported. 1.3.17 ------ @@ -5,7 +5,7 @@ # $Id: Makefile,v 1.13 2007/03/26 04:22:11 fcusack Exp $ # ############################################################################# -VERSION=1.4.0 +VERSION=1.4.1 ###################################################################### # @@ -1,4 +1,4 @@ - The module takes a number of configuration options. Password changing +This PAM module takes a number of configuration options. Password changing is not implemented, as the RADIUS protocol does not support it. The pam configuration can be: @@ -13,14 +13,17 @@ account sufficient pam_radius_auth.so the following strings. Note that not all of these options are relevant in for all uses of the module. +At a minimum, one server must be listed in the radius client configuration +file + debug - print out extensive debugging information via pam_log. These messages generally end up being handled by sylog(), and go to /var/log/messages. Depending on your host operating system, the log messages may be elsewhere. - You should generally use the debug option when first - trying to install the module, as it will help - enormously in tracking down problems. + You should generally use the debug option when first + trying to install the module, as it will help + enormously in tracking down problems. use_first_pass - Instead of prompting the user for a password, retrieve the password from the previous authentication module. 
@@ -54,7 +57,8 @@ skip_passwd - Do not prompt for a password, even if there was none Otherwise, no password is sent to the next module. conf=foo - set the configuration filename to 'foo'. - Default is /etc/raddb/server + Default is /etc/raddb/server (/etc/pam_radius_auth.conf + on Debian systems). client_id=bar - send a NAS-Identifier RADIUS attribute with string 'bar'. If the client_id is not specified, the PAM_SERVICE @@ -63,8 +67,8 @@ client_id=bar - send a NAS-Identifier RADIUS attribute with string i.e. A blank client ID. retry = # - How many times to re-send a packet if there is no - response. Once the retry count has been reached, - the module fails, and PAM continues to the next module. + response. Once the retry count has been reached, + the module fails, and PAM continues to the next module. use_authtok - force the use of a previously entered password. This is needed for pluggable password strength checking @@ -578,12 +578,12 @@ MFLAGS= MAKEFLAGS= # Identity of this package. -PACKAGE_NAME='pam_radius' -PACKAGE_TARNAME='pam_radius' -PACKAGE_VERSION='1.5' -PACKAGE_STRING='pam_radius 1.5' -PACKAGE_BUGREPORT='http://bugs.freeradius.org' -PACKAGE_URL='http://www.freeradius.org' +PACKAGE_NAME='libpam-radius-auth' +PACKAGE_TARNAME='libpam-radius-auth' +PACKAGE_VERSION='1.4.1' +PACKAGE_STRING='pam_radius 1.4.1' +PACKAGE_BUGREPORT='http://support.cumulusnetworks.com' +PACKAGE_URL='http://www.cumulusnetworks.com' ac_unique_file="src/pam_radius_auth.c" # Factoring default headers for most tests. @@ -1339,7 +1339,7 @@ Some influential environment variables: Use these variables to override the choices made by `configure' or to help it to find libraries and programs with nonstandard names/locations. -Report bugs to <http://bugs.freeradius.org>. +Report bugs to <http://www.cumulusnetworks.com>. pam_radius home page: <http://www.freeradius.org>. _ACEOF ac_status=$? 
@@ -1601,7 +1601,7 @@ $as_echo "$as_me: WARNING: $2: section \"Present But Cannot Be Compiled\"" > { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $2: proceeding with the compiler's result" >&5 $as_echo "$as_me: WARNING: $2: proceeding with the compiler's result" >&2;} ( $as_echo "## ----------------------------------------- ## -## Report this to http://bugs.freeradius.org ## +## Report this to http://www.cumulusnetworks.com ## ## ----------------------------------------- ##" ) | sed "s/^/$as_me: WARNING: /" >&2 ;; @@ -5831,7 +5831,7 @@ Usage: $0 [OPTION]... [TAG]... Configuration headers: $config_headers -Report bugs to <http://bugs.freeradius.org>. +Report bugs to <http://www.cumulusnetworks.com>. pam_radius home page: <http://www.freeradius.org>." _ACEOF diff --git a/configure.ac b/configure.ac index 3767085..ec1913f 100644 --- a/configure.ac +++ b/configure.ac @@ -23,7 +23,7 @@ dnl ############################################################# AC_PREREQ([2.59]) export CFLAGS LIBS LDFLAGS CPPFLAGS -AC_INIT([pam_radius],1.5,[http://bugs.freeradius.org],,[http://www.freeradius.org]) +AC_INIT([pam_radius],1.5,[http://www.cumulusnetworks.com],,[http://www.cumulusnetworks.com]) AC_CONFIG_SRCDIR([src/pam_radius_auth.c]) AC_CONFIG_HEADER([src/config.h]) m4_include([m4/ax_cc.m4]) diff --git a/debian/changelog b/debian/changelog index 978af83..0bafb1c 100644 --- a/debian/changelog +++ b/debian/changelog 
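Review bot: The edited AC_INIT line still carries version 1.5 while the regenerated `configure` in this same commit hardcodes PACKAGE_VERSION='1.4.1' and the Makefile hunk sets VERSION=1.4.1, so the next autoreconf will silently flip the package version back to 1.5. Either the line should read `AC_INIT([pam_radius],1.4.1,[http://www.cumulusnetworks.com],,[http://www.cumulusnetworks.com])` or `configure` should be regenerated from configure.ac rather than hand-edited, so the two cannot drift apart again.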
@@ -1,8 +1,26 @@ +libpam-radius-auth (1.4.1-cl3u1) unstable; urgency=low + + * Added support for mapping radius accounts to a local account + to get UID, GID, and base of home directory, so radius users + do not need to have an account created locally (or via LDAP) + + -- Dave Olson <olson@cumulusnetworks.com> Fri, 16 Jun 2017 15:44:12 -0700 + libpam-radius-auth (1.4.0) unstable; urgency=low - * Many changes. See USAGE and git log for details. + * Many changes and bug fixes. See USAGE and git log for details. + * src_ip in config file + * ipv6 support + * configure can use poll or select + * Add Calling-Station-Id to accounting requests + * mostly thread safe + * add force_prompt option to enforce new password prompt for use with Tok + * NetBSD fixes + * new parameter max_challenge limits number of Access-Challenges + * build: do not force flags, add to them instead. + * build: use GCC for build, and ensure that unneeded symbols are not exported. - -- Alan T. DeKok <aland@freeradius.org> Wed, 17 Dec 2014 17:00:59 -0500 + -- Alan T. DeKok <aland@freeradius.org> Thu, 23 Mar 2017 19:01:20 -0400 libpam-radius-auth (1.3.17) unstable; urgency=low @@ -14,10 +32,6 @@ libpam-radius-auth (1.3.17) unstable; urgency=low -- Arran Cudbard-Bell <a.cudbardb@freeradius.org> Wed, 24 Oct 2012 08:18:01 +0100 -commit 0c3af1fb2a1ae1befb7a8e366406ded63cb9fa59 - - Note 1.4.0 - libpam-radius-auth (1.3.16-4.4) unstable; urgency=low * Non-maintainer upload to fix pending l10n issues. diff --git a/debian/control b/debian/control index b8090ae..cb8cb49 100644 --- a/debian/control +++ b/debian/control 
@@ -1,15 +1,14 @@ Source: libpam-radius-auth -Maintainer: Fabio M. Di Nitto <fabbione@fabbione.net> +Maintainer: dev-support <dev-support@cumulusnetworks.com> Section: libs Priority: extra Standards-Version: 3.9.6 -Build-Depends: libpam0g-dev | libpam-dev, debhelper (>= 4.1.16) +Build-Depends: libpam0g-dev | libpam-dev, debhelper (>= 9~) Package: libpam-radius-auth Architecture: any -Depends: ${shlibs:Depends} -Suggests: radius-server -Description: The PAM RADIUS authentication module +Depends: ${shlibs:Depends}, ${misc:Depends} +Description: PAM RADIUS client authentication module This is the PAM to RADIUS authentication module. It allows any PAM-capable machine to become a RADIUS client for authentication and accounting requests. You will, however, need to supply your own RADIUS server to diff --git a/debian/copyright b/debian/copyright index 8d52194..85c3d9e 100644 --- a/debian/copyright +++ b/debian/copyright 
@@ -1,54 +1,25 @@ -This package was debianized by Fabio M. Di Nitto <fabbione@fabbione.net> on -Thu, 31 Oct 2002 09:56:49 +0100 +Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/ +Upstream-Name: libpam-auth-user +Source: https://github.com/FreeRADIUS/pam_radius -It was downloaded from ftp://ftp.freeradius.org/pub/radius/ +License: GPL-2+ + This package is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + . + This package is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + . + You should have received a copy of the GNU General Public License + along with this program. If not, see <http://www.gnu.org/licenses/> + . + On Debian systems, the complete text of the GNU General + Public License version 2 can be found in "/usr/share/common-licenses/GPL-2". -Copyright (extracted from pam_radius_auth.c): - -/* - * This module is a merger of an old version of pam_radius.c, and - * code which went into mod_auth_radius.c, with further modifications - * by Alan DeKok of CRYPTOCard Inc.. - * - * The original pam_radius.c code is copyright (c) Cristian Gafton, 1996, - * <gafton@redhat.com> - * - * The additional code is copyright (c) CRYPTOCard Inc, 1998. - * - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, and the entire permission notice in its entirety, - * including the disclaimer of warranties. - * 2. 
Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. The name of the author may not be used to endorse or promote - * products derived from this software without specific prior - * written permission. - * - * ALTERNATIVELY, this product may be distributed under the terms of - * the GNU Public License, in which case the provisions of the GPL are - * required INSTEAD OF the above restrictions. (This clause is - * necessary due to a potential bad interaction between the GPL and - * the restrictions contained in a BSD-style copyright.) - * - * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED - * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE - * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, - * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES - * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR - * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - * - */ - -On Debian GNU/Linux systems, the complete text of the GNU General -Public License can be found in /usr/share/common-licenses/GPL file. +Files: * +License: GPL-2+ +Copyright: Cristian Gafton <gafton@redhat.com>, 1996, + Alan T. DeKok <aland@freeradius.org> 1998, 2014, 2015, 2016, 2017 diff --git a/debian/libpam-radius-auth.dirs b/debian/libpam-radius-auth.dirs new file mode 100644 index 0000000..8db6b07 --- /dev/null +++ b/debian/libpam-radius-auth.dirs 
@@ -0,0 +1,4 @@ +lib/security +etc +usr/share/doc/libpam-radius-auth/html +usr/share/pam-configs diff --git a/debian/libpam-radius-auth.install b/debian/libpam-radius-auth.install new file mode 100644 index 0000000..fca8c6f --- /dev/null +++ b/debian/libpam-radius-auth.install @@ -0,0 +1,4 @@ +pam_radius_auth.so lib/security +pam_radius_auth.conf etc +index.html usr/share/doc/libpam-radius-auth/html +debian/radius usr/share/pam-configs diff --git a/debian/libpam-radius-auth.lintian-overrides b/debian/libpam-radius-auth.lintian-overrides new file mode 100644 index 0000000..49f75dd --- /dev/null +++ b/debian/libpam-radius-auth.lintian-overrides @@ -0,0 +1,9 @@ +# they are old, but current is GPL v3, so leaving old +libpam-radius-auth binary: outdated-autotools-helper-file config.sub 2007-11-19 +libpam-radius-auth binary: outdated-autotools-helper-file config.guess 2007-11-19 +libpam-radius-auth binary: diff-contains-git-control-dir .git +libpam-radius-auth binary: debhelper-but-no-misc-depends libpam-radius-auth +libpam-radius-auth binary: unsupported-source-format 3.0 (git) +libpam-radius-auth binary: source-nmu-has-incorrect-version-number 1.4.1 + + diff --git a/debian/libpam-radius-auth.manpages b/debian/libpam-radius-auth.manpages new file mode 100644 index 0000000..c85854a --- /dev/null +++ b/debian/libpam-radius-auth.manpages @@ -0,0 +1,2 @@ +pam_radius_auth.5 +pam_radius_auth.8 diff --git a/debian/libpam-radius-auth.postinst b/debian/libpam-radius-auth.postinst index 4b0d38e..de079ad 100644 --- a/debian/libpam-radius-auth.postinst +++ b/debian/libpam-radius-auth.postinst @@ -4,3 +4,6 @@ set -e # needed for install, upgrade, remove, and purge, including aborts pam-auth-update --package + +#DEBHELPER# + diff --git a/debian/rules b/debian/rules index 4e68084..9a0976d 100755 --- a/debian/rules +++ b/debian/rules 
@@ -7,7 +7,8 @@ ifneq (,$(findstring noopt,$(DEB_BUILD_OPTIONS))) else CFLAGS += -O2 endif -CFLAGS+=-g3 -Wno-strict-aliasing -DCONF_FILE=\"/etc/pam_radius_auth.conf\" +PAM_CONF_FILE=/etc/pam_radius_auth.conf +CFLAGS+=-g3 -Wno-strict-aliasing -DCONF_FILE=\"${PAM_CONF_FILE}\" ifeq ($(DEB_HOST_GNU_CPU),(hppa|m68k|mips|powerpc|s390|sparc|sparc64|sheb)) CFLAGS += -DHIGHFIRST @@ -17,6 +18,14 @@ export CFLAGS %: dh $@ -override_dh_auto_configure: - ./configure +# all the installing is here, not in Makefile. +# The configuration file with the share secrets needs to be 600 +override_dh_install: + dh_install -v --sourcedir=. + chmod 600 debian/*/${PAM_CONF_FILE} +override_dh_fixperms: + dh_fixperms --exclude ${PAM_CONF_FILE} + +override_dh_installchangelogs: + dh_installchangelogs Changelog diff --git a/pam_radius_auth.5 b/pam_radius_auth.5 new file mode 100644 index 0000000..f117166 --- /dev/null +++ b/pam_radius_auth.5 
@@ -0,0 +1,56 @@ +.TH pam_radius_auth 5 +.\" Copyright 2017 Cumulus Networks, Inc. All rights reserved. +.SH NAME +/etc/pam_radius_auth.conf \- RADIUS client configuration file +.SH SYNOPSIS +.B /etc/tacplus_servers +is the RADIUS client configuration file for the PAM RADIUS client plugin. +It contains the information on how to reach the RADIUS server(s), and +because it contains the shared secret key, should be mode 600 and owned +by root. +.SH DESCRIPTION +Other PAM-specific options are described in the +.B pam_radius_auth.8 +manpage, and must be added to the PAM configuration files. +.PP +By default, all components source this file, enabling a single point of +configuration for the TACACS server(s), debug settings, etc. +.PP +Not all keywords use all fields. +.TP +.I debug +Output PAM and RADIUS communication debugging information via syslog(3). +.TP +.I server[:port] secret [timeout] [src_ip] +the port name or number is optional. The default port name is +"radius", and is looked up from +.IR /etc/services . +The timeout field is optional. The default timeout is 3 seconds. +.IP +For IPv6 literal addresses, the address has to be surrounded by +square brackets as usual. E.g. [2001:0db8:85a3::4]. +.IP +If multiple RADIUS server lines exist, they are tried in order. The +first server to return success or failure causes the module to return +success or failure. Only if a server fails to response is it skipped, +and the next server in turn is used. +.IP +The optional timeout field controls how many seconds the module waits before +deciding that the server has failed to respond. It currently must be +less than 60. +.IP +The optional src_ip may be used to configure the source IP address used +in the RADIUS packets to the server. The timeout field must be set if +setting the src_ip is desired +.TP +.I vrf-name VRFNAME +If the management network is in a VRF, set this variable to the VRF name. This +would usually be "mgmt". This is not normally needed with PAM. 
+.SH "SEE ALSO" +.BR pam_radius_auth (8), +.BR mapuser_nss (5) +.SH FILES +.I /etc/pam_radius_auth.conf +- RADIUS client configuration parameters +.SH AUTHOR +Dave Olson <olson@cumulusnetworks.com> diff --git a/pam_radius_auth.8 b/pam_radius_auth.8 new file mode 100644 index 0000000..a713370 --- /dev/null +++ b/pam_radius_auth.8 
@@ -0,0 +1,140 @@ +.TH pam_radius_auth 8 +.\" Copyright 2017 Cumulus Networks, Inc. All rights reserved. +.\" Based on USAGE file in the source package +.SH NAME +pam_radius_auth.so \- PAM RADIUS client plugin +.SH SYNOPSIS +.SH DESCRIPTION +.B pam_radius_auth +is the RADIUS client PAM plugin. +It supports IPv4 and IPv6 connections to a RADIUS server. It only supports +authentication and accounting for sessions, it does not support changing passwords, +because the RADIUS protocol does not support it. +.PP +This PAM module takes a number of standard PAM configuration options, +as well as some specific to this plugin. +.PP +options can be added by editting the files in +.I /etc/pam.d +or by editting the configuration file +.I /usr/share/pam-configs/radius +and then running +.BR pam-auth-config . +.PP +All of the following arguments are optional, and can be combined as needed. +Note that not all of these options are relevant in for all uses of the module. +.TP +.I accounting_bug +When used, the accounting response vector is NOT +validated. This option will probably only be necessary +on REALLY OLD (i.e. Livingston 1.16) servers. +.TP +.I client_id=bar +send a NAS-Identifier RADIUS attribute with string 'bar'. +If the client_id is not specified, the PAM_SERVICE +type is used instead. ('login', 'su', 'passwd', etc.) +This feature may be disabled by using 'client_id='. +i.e. A blank client ID. +.TP +.I conf=foo +set the configuration filename to 'foo'. +Default is /etc/raddb/server (/etc/pam_radius_auth.conf +on Debian systems). +.TP +.I debug +print out extensive debugging information via pam_log. +These messages generally end up being handled by +sylog(), and go to /var/log/messages. Depending on +your host operating system, the log messages may be +elsewhere. +.IP +You should generally use the debug option when first +trying configuring this module, as it will help +enormously in tracking down problems. 
+.TP +.I force_prompt +Request a new password and not using the previously entered +password. This usefull for multi-factor authentication +when used with a Token. +.TP +.I localifdown +This option tells pam_radius to return PAM_IGNORE instead +of PAM_AUTHINFO_UNAVAIL if RADIUS auth failed due to +network unavailability. PAM_IGNORE tells the pam stack +to continue down the stack regardless of the control flag. +.TP +.I max_challenge=# +configure maximum number of challenges that a server +may request. This is a workaround for broken servers +and disabled by default. +.TP +.I retry=# +How many times to re-send a packet if there is no +response. Once the retry count has been reached, +the module fails, and PAM continues to the next module. +.TP +.I prompt=string +Specifies the prompt, without the ': ', that PAM should +display when prompting for the password. This is useful +when using hardware tokens as part of multi-factor +authentication and presenting the same prompt twice would +confuse users. Use prompt=TokenCode (or some other +relevant string different from Password) in this +situation. +.TP +.I ruser +If PAM_USER is root, Use the value of PAM_RUSER instead +of PAM_USER to determine the username to authenticate via +RADIUS. This is to allow 'su' to act like 'sudo'. +.TP +.I skip_passwd +Do not prompt for a password, even if there was none +retrieved from the previous layer. +Send the previous one (if it exists), or else send a NULL +password. +If this fails, exit. +If an Access-Challenge is returned, display the challenge +message, and ask the user for the response. +Return success/failure as appropriate. +.IP +The password sent to the next authentication module will +NOT be the response to the challenge. If a password from +a previous authentication module exists, it is passed on. +Otherwise, no password is sent to the next module. 
+.TP +.I try_first_pass +Instead of prompting the user for a password, retrieve +the password from the previous authentication module. +If the password exists, try it, and return success if it +passes. +If there was no previous password, or the previous password +fails authentication, prompt the user with +"Enter RADIUS password: ", and ask for another password. +Try this password, and return success/failure as appropriate. +.IP +This is the default for authentication. +.TP +.I use_first_pass +Instead of prompting the user for a password, retrieve +the password from the previous authentication module. +If the password does not exist, return failure. +If the password exists, try it, returning success/failure +as appropriate. +.TP +.I use_authtok +force the use of a previously entered password. +This is needed for pluggable password strength checking +i.e. try cracklib to be sure it's secure, then go update +the RADIUS server. +.SH "SEE ALSO" +.BR pam_radius_auth (5), +.BR mapuser_nss (5), +.BR pam-auth-update (8) +.SH FILES +.IR /etc/pam_radius_auth.conf , +- RADIUS client configuration parameters +.I /usr/share/pam-config/radius +- configuration to generate RADIUS entries in the PAM files +.SH AUTHOR +Dave Olson <olson@cumulusnetworks.com>, based on the USAGE file written by multiple +contributors diff --git a/pam_radius_auth.conf b/pam_radius_auth.conf index 2fe1f34..120c7a7 100644 --- a/pam_radius_auth.conf +++ b/pam_radius_auth.conf 
@@ -1,14 +1,16 @@
-# pam_radius_auth configuration file. Copy to: /etc/raddb/server
+# pam_radius_auth configuration file.
+#
+# See 'man pam_radius_auth.conf pam_radius_auth'
 #
 # For proper security, this file SHOULD have permissions 0600,
 # that is readable by root, and NO ONE else. If anyone other than
 # root can read this file, then they can spoof responses from the server!
 #
-# There are 3 fields per line in this file. There may be multiple
+# There are 2-4 fields per line in this file. There may be multiple
 # lines. Blank lines or lines beginning with '#' are treated as
 # comments, and are ignored. The fields are:
 #
-# server[:port] secret [timeout]
+# server[:port] secret [timeout] [src_ip]
 #
 # the port name or number is optional. The default port name is
 # "radius", and is looked up from /etc/services The timeout field is
@@ -22,14 +24,24 @@
 # success or failure. Only if a server fails to response is it skipped,
 # and the next server in turn is used.
 #
-# The timeout field controls how many seconds the module waits before
-# deciding that the server has failed to respond.
+# The optional timeout field controls how many seconds the module waits before
+# deciding that the server has failed to respond. It currently must be
+# less than 60.
+#
+# The optional src_ip may be used to configure the source IP address used
+# in the RADIUS packets to the server. The timeout field must be set if
+# setting the src_ip is desired
 #
-# server[:port] shared_secret timeout (s)
-127.0.0.1 secret 1
-other-server other-secret 3
-[2001:0db8:85a3::4]:1812 other6-secret 1
+# server[:port] shared_secret timeout (secs) src_ip
+# 127.0.0.1 secret 1
+# other-server other-secret 3 192.168.3.4
+# [2001:0db8:85a3::4]:1812 other6-secret 1
 #
-# having localhost in your radius configuration is a Good Thing.
+# This allows the radius client to work when a management VRF is in use.
+# The syntax is "vrf-name" (keyword) followed by the VRF name, typically "mgmt"
+# Since the keyword has an illegal character for a hostname ('-'), this can't
+# conflict with a valid hostname
+# vrf-name mgmt
 #
-# See the INSTALL file for pam.conf hints.
+# Uncomment to enable debugging, can be used instead of altering pam files
+# debug
diff --git a/src/pam_radius_auth.c b/src/pam_radius_auth.c
index a9fd518..971dc01 100644
--- a/src/pam_radius_auth.c
+++ b/src/pam_radius_auth.c
@@ -525,13 +525,14 @@ static int initialize(radius_conf_t *conf, int accounting)
 	struct sockaddr_storage salocal6;
 	char hostname[BUFFER_SIZE];
 	char secret[BUFFER_SIZE];
+	char *vrfname = NULL;
 	char buffer[BUFFER_SIZE];
 	char *p;
 	FILE *fserver;
-	radius_server_t *server = NULL;
+	radius_server_t *server = NULL, *tmp;
 	int timeout;
-	int line = 0;
+	int line = 0, scancnt;
 	char src_ip[MAX_IP_LEN];
 	int seen_v6 = 0;
@@ -572,48 +573,73 @@ static int initialize(radius_conf_t *conf, int accounting)
 			break;
 		}
-		timeout = 3;
-		src_ip[0] = 0;
-		if (sscanf(p, "%s %s %d %s", hostname, secret, &timeout, src_ip) < 2) {
-			_pam_log(LOG_ERR, "ERROR reading %s, line %d: Could not read hostname or secret\n",
-				 conf->conf_file, line);
-			continue; /* invalid line */
-		} else { /* read it in and save the data */
-			radius_server_t *tmp;
-
-			tmp = malloc(sizeof(radius_server_t));
-			if (server) {
-				server->next = tmp;
-				server = server->next;
-			} else {
-				conf->server = tmp;
-				server= tmp; /* first time */
-			}
+		scancnt = sscanf(p, "%s %s %d %s", hostname, secret, &timeout, src_ip);
-			/* sometime later do memory checks here */
-			server->hostname = strdup(hostname);
-			server->secret = strdup(secret);
-			server->accounting = accounting;
+		/* is it the name of a vrf we should bind to? */
+		if (!strcmp(hostname, "vrf-name")) {
+			if (scancnt < 2)
+				_pam_log(LOG_ERR, "ERROR reading %s, line %d: only %d fields\n",
+					 conf->conf_file, line, scancnt);
+			else
+				vrfname = strdup(secret);
+			continue;
+		}
-			if ((timeout < 1) || (timeout > 60)) {
-				server->timeout = 3;
-			} else {
-				server->timeout = timeout;
-			}
-			server->next = NULL;
+		/* allow setting debug in config file as well */
+		if (!strcmp(hostname, "debug")) {
+			if (scancnt < 1)
+				_pam_log(LOG_ERR, "ERROR reading %s, line %d: only %d fields\n",
+					 conf->conf_file, line, scancnt);
+			else
+				conf->debug = 1;
+			continue;
+		}
-			if (src_ip[0]) {
-				memset(&salocal, 0, sizeof(salocal));
-				get_ipaddr(src_ip, (struct sockaddr *)&salocal, NULL);
-				switch (salocal.ss_family) {
-				case AF_INET:
-					memcpy(&salocal4, &salocal, sizeof(salocal));
-					break;
-				case AF_INET6:
-					seen_v6 = 1;
-					memcpy(&salocal6, &salocal, sizeof(salocal));
-					break;
-				}
+		if (scancnt < 2) {
+			_pam_log(LOG_ERR, "ERROR reading %s, line %d: only %d fields\n",
+				 conf->conf_file, line, scancnt);
+			continue; /* invalid line */
+		}
+		if (scancnt < 4) {
+			src_ip[0] = 0;
+			if (scancnt < 3)
+				timeout = 3;	/* default timeout */
+		}
+
+		/* read it in and save the data */
+		tmp = malloc(sizeof(radius_server_t));
+		if (server) {
+			server->next = tmp;
+			server = server->next;
+		} else {
+			conf->server = tmp;
+			server= tmp; /* first time */
+		}
+
+		/* sometime later do memory checks here */
+		server->hostname = strdup(hostname);
+		server->secret = strdup(secret);
+		server->accounting = accounting;
+
+		memset(&server->ip, 0, sizeof server->ip);
+		if ((timeout < 1) || (timeout > 60)) {
+			server->timeout = 3;
+		} else {
+			server->timeout = timeout;
+		}
+		server->next = NULL;
+
+		if (src_ip[0]) {
+			memset(&salocal, 0, sizeof(salocal));
+			get_ipaddr(src_ip, (struct sockaddr *)&salocal, NULL);
+			switch (salocal.ss_family) {
+			case AF_INET:
+				memcpy(&salocal4, &salocal, sizeof(salocal));
+				break;
+			case AF_INET6:
+				seen_v6 = 1;
+				memcpy(&salocal6, &salocal, sizeof(salocal));
+				break;
 			}
 		}
 	}
@@ -639,6 +665,17 @@ static int initialize(radius_conf_t *conf, int accounting)
 		return PAM_AUTHINFO_UNAVAIL;
 	}
+	if (vrfname) {
+		/* do not fail if the bind fails, connection may succeed */
+		if (setsockopt(conf->sockfd, SOL_SOCKET, SO_BINDTODEVICE,
+			       vrfname, strlen(vrfname)+1) < 0)
+			_pam_log(LOG_WARNING, "Binding socket to VRF %s failed: %m",
+				 vrfname);
+		else if(conf->debug)
+			_pam_log(LOG_DEBUG, "Configured vrf as: %s", vrfname);
+		free(vrfname);
+	}
+
 #ifndef HAVE_POLL_H
 	if (conf->sockfd >= FD_SETSIZE) {
 		_pam_log(LOG_ERR, "Unusable socket, FD is larger than %d\n", FD_SETSIZE);
@@ -1642,8 +1679,39 @@ PAM_EXTERN int pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, CONST c
  */
 PAM_EXTERN int pam_sm_acct_mgmt(pam_handle_t *pamh,int flags,int argc,CONST char **argv)
 {
-	int retval;
-	retval = PAM_SUCCESS;
+	int retval = PAM_SUCCESS;
+	CONST char *user;
+	radius_conf_t config;
+
+	(void) _pam_parse(argc, argv, &config);
+
+	/* grab the user name */
+	retval = pam_get_user(pamh, &user, NULL);
+	if (retval != PAM_SUCCESS || user == NULL || strlen(user) > MAXPWNAM) {
+		return PAM_USER_UNKNOWN;
+	}
+
+	/*
+	 * parse the config file. We don't make any connections here, so ignore
+	 * any failures. For consistency only.
+	 */
+	retval = initialize(&config, FALSE);
+
+	/*
+	 * set SUDO_PROMPT in env so that it prompts as the login user, not the mapped
+	 * user, unless (unlikely) the prompt has already been set.
+	 * It won't hurt to do this if the user wasn't mapped.
+	 */
+	if (!pam_getenv(pamh, "SUDO_PROMPT")) {
+		char nprompt[strlen("SUDO_PROMPT=[sudo] password for ") +
+			strlen(user) + 3]; /* + 3 for ": " and the \0 */
+		snprintf(nprompt, sizeof nprompt,
+			"SUDO_PROMPT=[sudo] password for %s: ", user);
+		if (pam_putenv(pamh, nprompt) != PAM_SUCCESS)
+			_pam_log(LOG_NOTICE, "failed to set PAM sudo prompt "
+				"(%s)", nprompt);
+	}
+
 	return retval;
 }
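Review bot: The new comment says the timeout "currently must be less than 60", but the parser in this same commit accepts exactly 60 and, for any value outside 1..60, silently substitutes the 3-second default instead of rejecting the line, so an operator who writes 120 gets a much shorter timeout than they asked for with no warning. The comment should describe that behaviour, e.g. `# deciding that the server has failed to respond. Values outside 1..60 are` / `# ignored and the default of 3 seconds is used.`; the same "less than 60" wording is repeated in the new pam_radius_auth.5 hunk and should be changed there too. Logging the substitution in the parser would be the better fix, but that belongs in the src/pam_radius_auth.c hunk.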
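Review bot: The `vrf-name` and `debug` keyword tests on `hostname` run before `scancnt` is validated, so if sscanf matches nothing on a line (returning EOF or 0) `hostname` still holds the previous line's first token and that stale value is compared and, for `vrf-name`, `strdup`'d again; a second `vrf-name` line likewise overwrites and leaks the earlier allocation. Moving `if (scancnt < 1) { _pam_log(...); continue; }` ahead of the two `strcmp` calls and writing `free(vrfname); vrfname = strdup(secret);` closes both, and makes the `scancnt < 1` test inside the `debug` branch unreachable so it can go. The `malloc` and `strdup` results carried over from the old code remain unchecked (the `sometime later do memory checks here` comment still marks the spot), which a config-parsing path that runs as root on every login should not leave open. The enclosing loop and function start before and end after this hunk.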
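Review bot: `vrfname` is only released at the end of the new block, so any `return PAM_AUTHINFO_UNAVAIL` between the parse loop and this point (one is visible as the hunk's first context line) leaks the `strdup`'d name on every failed initialize() call; freeing it on those exits, or routing them through a shared cleanup label, fixes that. `SO_BINDTODEVICE` is a Linux-only socket option while the Changelog hunk in this commit advertises NetBSD fixes, so the block wants `#ifdef SO_BINDTODEVICE` around it with an `_pam_log(LOG_ERR, ...)` in the `#else` branch so a configured `vrf-name` is not silently ignored on other platforms. The enclosing function starts before and ends after this hunk.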
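Review bot: `retval = initialize(&config, FALSE)` is what pam_sm_acct_mgmt ends up returning, so despite the comment saying failures are ignored, an unreadable or serverless config file turns the account check into PAM_AUTHINFO_UNAVAIL. If the comment states the intent, the call should be `(void) initialize(&config, FALSE);` and the function `return PAM_SUCCESS;`. The earlier hunk shows initialize() creating `conf->sockfd` and a `strdup`'d server list, and nothing in this function closes or frees them, so each account-management call would presumably leak a descriptor and the list unless the other entry points have a cleanup helper this one should also call. The prompt buffer is a VLA sized from `user`, which the MAXPWNAM check bounds, and is filled with `snprintf` using `sizeof nprompt`, so that part is sound.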