diff options
Diffstat (limited to 'src/pam_radius_auth.c')
| -rw-r--r-- | src/pam_radius_auth.c | 1596 |
1 files changed, 1596 insertions, 0 deletions
diff --git a/src/pam_radius_auth.c b/src/pam_radius_auth.c new file mode 100644 index 0000000..887ee1e --- /dev/null +++ b/src/pam_radius_auth.c @@ -0,0 +1,1596 @@ +/* + * $Id: pam_radius_auth.c,v 1.39 2007/03/26 05:35:31 fcusack Exp $ + * pam_radius_auth + * Authenticate a user via a RADIUS session + * + * 0.9.0 - Didn't compile quite right. + * 0.9.1 - Hands off passwords properly. Solaris still isn't completely happy + * 0.9.2 - Solaris now does challenge-response. Added configuration file + * handling, and skip_passwd field + * 1.0.0 - Added handling of port name/number, and continue on select + * 1.1.0 - more options, password change requests work now, too. + * 1.1.1 - Added client_id=foo (NAS-Identifier), defaulting to PAM_SERVICE + * 1.1.2 - multi-server capability. + * 1.2.0 - ugly merger of pam_radius.c to get full RADIUS capability + * 1.3.0 - added my own accounting code. Simple, clean, and neat. + * 1.3.1 - Supports accounting port (oops!), and do accounting authentication + * 1.3.2 - added support again for 'skip_passwd' control flag. + * 1.3.10 - ALWAYS add Password attribute, to make packets RFC compliant. + * 1.3.11 - Bug fixes by Jon Nelson <jnelson@securepipe.com> + * 1.3.12 - miscellanous bug fixes. Don't add password to accounting + * requests; log more errors; add NAS-Port and NAS-Port-Type + * attributes to ALL packets. Some patches based on input from + * Grzegorz Paszka <Grzegorz.Paszka@pik-net.pl> + * 1.3.13 - Always update the configuration file, even if we're given + * no options. Patch from Jon Nelson <jnelson@securepipe.com> + * 1.3.14 - Don't use PATH_MAX, so it builds on GNU Hurd. + * 1.3.15 - Implement retry option, miscellanous bug fixes. + * 1.3.16 - Miscellaneous fixes (see CVS for history) + * 1.3.17 - Security fixes + * + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + * + * The original pam_radius.c code is copyright (c) Cristian Gafton, 1996, + * <gafton@redhat.com> + * + * Some challenge-response code is copyright (c) CRYPTOCard Inc, 1998. + * All rights reserved. + */ + +#define PAM_SM_AUTH +#define PAM_SM_PASSWORD +#define PAM_SM_SESSION + +#include <limits.h> +#include <errno.h> +#include <sys/time.h> + +#include "pam_radius_auth.h" + +#define DPRINT if (ctrl & PAM_DEBUG_ARG) _pam_log + +/* internal data */ +static CONST char *pam_module_name = "pam_radius_auth"; +static char conf_file[BUFFER_SIZE]; /* configuration file */ + +/* we need to save these from open_session to close_session, since + * when close_session will be called we won't be root anymore and + * won't be able to access again the radius server configuration file + * -- cristiang */ +static radius_server_t *live_server = NULL; +static time_t session_time; + +/* logging */ +static void _pam_log(int err, CONST char *format, ...) +{ + va_list args; + char buffer[BUFFER_SIZE]; + + va_start(args, format); + vsprintf(buffer, format, args); + /* don't do openlog or closelog, but put our name in to be friendly */ + syslog(err, "%s: %s", pam_module_name, buffer); + va_end(args); +} + +/* argument parsing */ +static int _pam_parse(int argc, CONST char **argv, radius_conf_t *conf) +{ + int ctrl=0; + + memset(conf, 0, sizeof(radius_conf_t)); /* ensure it's initialized */ + + strcpy(conf_file, CONF_FILE); + + /* + * If either is not there, then we can't parse anything. + */ + if ((argc == 0) || (argv == NULL)) { + return ctrl; + } + + /* step through arguments */ + for (ctrl=0; argc-- > 0; ++argv) { + + /* generic options */ + if (!strncmp(*argv,"conf=",5)) { + strcpy(conf_file,*argv+5); + + } else if (!strcmp(*argv, "use_first_pass")) { + ctrl |= PAM_USE_FIRST_PASS; + + } else if (!strcmp(*argv, "try_first_pass")) { + ctrl |= PAM_TRY_FIRST_PASS; + + } else if (!strcmp(*argv, "skip_passwd")) { + ctrl |= PAM_SKIP_PASSWD; + + } else if (!strncmp(*argv, "retry=", 6)) { + conf->retries = atoi(*argv+6); + + } else if (!strcmp(*argv, "localifdown")) { + conf->localifdown = 1; + + } else if (!strncmp(*argv, "client_id=", 10)) { + if (conf->client_id) { + _pam_log(LOG_WARNING, "ignoring duplicate '%s'", *argv); + } else { + conf->client_id = (char *) *argv+10; /* point to the client-id */ + } + } else if (!strcmp(*argv, "accounting_bug")) { + conf->accounting_bug = TRUE; + + } else if (!strcmp(*argv, "ruser")) { + ctrl |= PAM_RUSER_ARG; + + } else if (!strcmp(*argv, "debug")) { + ctrl |= PAM_DEBUG_ARG; + conf->debug = 1; + + } else { + _pam_log(LOG_WARNING, "unrecognized option '%s'", *argv); + } + } + + return ctrl; +} + +/* Callback function used to free the saved return value for pam_setcred. */ +void _int_free(pam_handle_t * pamh, void *x, int error_status) +{ + free(x); +} + +/************************************************************************* + * SMALL HELPER FUNCTIONS + *************************************************************************/ + +/* + * Return an IP address in host long notation from + * one supplied in standard dot notation. + */ +static uint32_t ipstr2long(char *ip_str) { + char buf[6]; + char *ptr; + int i; + int count; + uint32_t ipaddr; + int cur_byte; + + ipaddr = (uint32_t)0; + + for(i = 0;i < 4;i++) { + ptr = buf; + count = 0; + *ptr = '\0'; + + while(*ip_str != '.' && *ip_str != '\0' && count < 4) { + if(!isdigit(*ip_str)) { + return((uint32_t)0); + } + *ptr++ = *ip_str++; + count++; + } + + if(count >= 4 || count == 0) { + return((uint32_t)0); + } + + *ptr = '\0'; + cur_byte = atoi(buf); + if(cur_byte < 0 || cur_byte > 255) { + return ((uint32_t)0); + } + + ip_str++; + ipaddr = ipaddr << 8 | (uint32_t)cur_byte; + } + return(ipaddr); +} + +/* + * Check for valid IP address in standard dot notation. + */ +static int good_ipaddr(char *addr) { + int dot_count; + int digit_count; + + dot_count = 0; + digit_count = 0; + while(*addr != '\0' && *addr != ' ') { + if(*addr == '.') { + dot_count++; + digit_count = 0; + } else if(!isdigit(*addr)) { + dot_count = 5; + } else { + digit_count++; + if(digit_count > 3) { + dot_count = 5; + } + } + addr++; + } + if(dot_count != 3) { + return(-1); + } else { + return(0); + } +} + +/* + * Return an IP address in host long notation from a host + * name or address in dot notation. + */ +static uint32_t get_ipaddr(char *host) { + struct hostent *hp; + + if(good_ipaddr(host) == 0) { + return(ipstr2long(host)); + } else if((hp = gethostbyname(host)) == (struct hostent *)NULL) { + return((uint32_t)0); + } + + return(ntohl(*(uint32_t *)hp->h_addr)); +} + +/* + * take server->hostname, and convert it to server->ip and server->port + */ +static int host2server(radius_server_t *server) +{ + char *p; + int ctrl = 1; /* for DPRINT */ + + if ((p = strchr(server->hostname, ':')) != NULL) { + *(p++) = '\0'; /* split the port off from the host name */ + } + + if ((server->ip.s_addr = get_ipaddr(server->hostname)) == ((uint32_t)0)) { + DPRINT(LOG_DEBUG, "DEBUG: get_ipaddr(%s) returned 0.\n", server->hostname); + return PAM_AUTHINFO_UNAVAIL; + } + + /* + * If the server port hasn't already been defined, go get it. + */ + if (!server->port) { + if (p && isdigit(*p)) { /* the port looks like it's a number */ + unsigned int i = atoi(p) & 0xffff; + + if (!server->accounting) { + server->port = htons((uint16_t) i); + } else { + server->port = htons((uint16_t) (i + 1)); + } + } else { /* the port looks like it's a name */ + struct servent *svp; + + if (p) { /* maybe it's not "radius" */ + svp = getservbyname (p, "udp"); + /* quotes allow distinction from above, lest p be radius or radacct */ + DPRINT(LOG_DEBUG, "DEBUG: getservbyname('%s', udp) returned %d.\n", p, svp); + *(--p) = ':'; /* be sure to put the delimiter back */ + } else { + if (!server->accounting) { + svp = getservbyname ("radius", "udp"); + DPRINT(LOG_DEBUG, "DEBUG: getservbyname(radius, udp) returned %d.\n", svp); + } else { + svp = getservbyname ("radacct", "udp"); + DPRINT(LOG_DEBUG, "DEBUG: getservbyname(radacct, udp) returned %d.\n", svp); + } + } + + if (svp == (struct servent *) 0) { + /* debugging above... */ + return PAM_AUTHINFO_UNAVAIL; + } + + server->port = svp->s_port; + } + } + + return PAM_SUCCESS; +} + +/* + * Do XOR of two buffers. + */ +static unsigned char * xor(unsigned char *p, unsigned char *q, int length) +{ + int i; + unsigned char *retval = p; + + for (i = 0; i < length; i++) { + *(p++) ^= *(q++); + } + return retval; +} + +/************************************************************************** + * MID-LEVEL RADIUS CODE + **************************************************************************/ + +/* + * get a pseudo-random vector. + */ +static void get_random_vector(unsigned char *vector) +{ +#ifdef linux + int fd = open("/dev/urandom",O_RDONLY); /* Linux: get *real* random numbers */ + int total = 0; + if (fd >= 0) { + while (total < AUTH_VECTOR_LEN) { + int bytes = read(fd, vector + total, AUTH_VECTOR_LEN - total); + if (bytes <= 0) + break; /* oops! Error */ + total += bytes; + } + close(fd); + } + + if (total != AUTH_VECTOR_LEN) +#endif + { /* do this *always* on other platforms */ + MD5_CTX my_md5; + struct timeval tv; + struct timezone tz; + static unsigned int session = 0; /* make the number harder to guess */ + + /* Use the time of day with the best resolution the system can + give us -- often close to microsecond accuracy. */ + gettimeofday(&tv,&tz); + + if (session == 0) { + session = getppid(); /* (possibly) hard to guess information */ + } + + tv.tv_sec ^= getpid() * session++; + + /* Hash things to get maybe cryptographically strong pseudo-random numbers */ + MD5Init(&my_md5); + MD5Update(&my_md5, (unsigned char *) &tv, sizeof(tv)); + MD5Update(&my_md5, (unsigned char *) &tz, sizeof(tz)); + MD5Final(vector, &my_md5); /* set the final vector */ + } +} + +/* + * RFC 2139 says to do generate the accounting request vector this way. + * However, the Livingston 1.16 server doesn't check it. The Cistron + * server (http://home.cistron.nl/~miquels/radius/) does, and this code + * seems to work with it. It also works with Funk's Steel-Belted RADIUS. + */ +static void get_accounting_vector(AUTH_HDR *request, radius_server_t *server) +{ + MD5_CTX my_md5; + int secretlen = strlen(server->secret); + int len = ntohs(request->length); + + memset(request->vector, 0, AUTH_VECTOR_LEN); + MD5Init(&my_md5); + memcpy(((char *)request) + len, server->secret, secretlen); + + MD5Update(&my_md5, (unsigned char *)request, len + secretlen); + MD5Final(request->vector, &my_md5); /* set the final vector */ +} + +/* + * Verify the response from the server + */ +static int verify_packet(char *secret, AUTH_HDR *response, AUTH_HDR *request) +{ + MD5_CTX my_md5; + unsigned char calculated[AUTH_VECTOR_LEN]; + unsigned char reply[AUTH_VECTOR_LEN]; + + /* + * We could dispense with the memcpy, and do MD5's of the packet + * + vector piece by piece. This is easier understand, and maybe faster. + */ + memcpy(reply, response->vector, AUTH_VECTOR_LEN); /* save the reply */ + memcpy(response->vector, request->vector, AUTH_VECTOR_LEN); /* sent vector */ + + /* MD5(response packet header + vector + response packet data + secret) */ + MD5Init(&my_md5); + MD5Update(&my_md5, (unsigned char *) response, ntohs(response->length)); + + /* + * This next bit is necessary because of a bug in the original Livingston + * RADIUS server. The authentication vector is *supposed* to be MD5'd + * with the old password (as the secret) for password changes. + * However, the old password isn't used. The "authentication" vector + * for the server reply packet is simply the MD5 of the reply packet. + * Odd, the code is 99% there, but the old password is never copied + * to the secret! + */ + if (*secret) { + MD5Update(&my_md5, (unsigned char *) secret, strlen(secret)); + } + + MD5Final(calculated, &my_md5); /* set the final vector */ + + /* Did he use the same random vector + shared secret? */ + if (memcmp(calculated, reply, AUTH_VECTOR_LEN) != 0) { + return FALSE; + } + return TRUE; +} + +/* + * Find an attribute in a RADIUS packet. Note that the packet length + * is *always* kept in network byte order. + */ +static attribute_t *find_attribute(AUTH_HDR *response, unsigned char type) +{ + attribute_t *attr = (attribute_t *) &response->data; + + int len = ntohs(response->length) - AUTH_HDR_LEN; + + while (attr->attribute != type) { + if ((len -= attr->length) <= 0) { + return NULL; /* not found */ + } + attr = (attribute_t *) ((char *) attr + attr->length); + } + + return attr; +} + +/* + * Add an attribute to a RADIUS packet. + */ +static void add_attribute(AUTH_HDR *request, unsigned char type, CONST unsigned char *data, int length) +{ + attribute_t *p; + + p = (attribute_t *) ((unsigned char *)request + ntohs(request->length)); + p->attribute = type; + p->length = length + 2; /* the total size of the attribute */ + request->length = htons(ntohs(request->length) + p->length); + memcpy(p->data, data, length); +} + +/* + * Add an integer attribute to a RADIUS packet. + */ +static void add_int_attribute(AUTH_HDR *request, unsigned char type, int data) +{ + int value = htonl(data); + + add_attribute(request, type, (unsigned char *) &value, sizeof(int)); +} + +/* + * Add a RADIUS password attribute to the packet. Some magic is done here. + * + * If it's an PW_OLD_PASSWORD attribute, it's encrypted using the encrypted + * PW_PASSWORD attribute as the initialization vector. + * + * If the password attribute already exists, it's over-written. This allows + * us to simply call add_password to update the password for different + * servers. + */ +static void add_password(AUTH_HDR *request, unsigned char type, CONST char *password, char *secret) +{ + MD5_CTX md5_secret, my_md5; + unsigned char misc[AUTH_VECTOR_LEN]; + int i; + int length = strlen(password); + unsigned char hashed[256 + AUTH_PASS_LEN]; /* can't be longer than this */ + unsigned char *vector; + attribute_t *attr; + + if (length > MAXPASS) { /* shorten the password for now */ + length = MAXPASS; + } + + if (length == 0) { + length = AUTH_PASS_LEN; /* 0 maps to 16 */ + } if ((length & (AUTH_PASS_LEN - 1)) != 0) { + length += (AUTH_PASS_LEN - 1); /* round it up */ + length &= ~(AUTH_PASS_LEN - 1); /* chop it off */ + } /* 16*N maps to itself */ + + memset(hashed, 0, length); + memcpy(hashed, password, strlen(password)); + + attr = find_attribute(request, PW_PASSWORD); + + if (type == PW_PASSWORD) { + vector = request->vector; + } else { + vector = attr->data; /* attr CANNOT be NULL here. */ + } + + /* ************************************************************ */ + /* encrypt the password */ + /* password : e[0] = p[0] ^ MD5(secret + vector) */ + MD5Init(&md5_secret); + MD5Update(&md5_secret, (unsigned char *) secret, strlen(secret)); + my_md5 = md5_secret; /* so we won't re-do the hash later */ + MD5Update(&my_md5, vector, AUTH_VECTOR_LEN); + MD5Final(misc, &my_md5); /* set the final vector */ + xor(hashed, misc, AUTH_PASS_LEN); + + /* For each step through, e[i] = p[i] ^ MD5(secret + e[i-1]) */ + for (i = 1; i < (length >> 4); i++) { + my_md5 = md5_secret; /* grab old value of the hash */ + MD5Update(&my_md5, &hashed[(i-1) * AUTH_PASS_LEN], AUTH_PASS_LEN); + MD5Final(misc, &my_md5); /* set the final vector */ + xor(&hashed[i * AUTH_PASS_LEN], misc, AUTH_PASS_LEN); + } + + if (type == PW_OLD_PASSWORD) { + attr = find_attribute(request, PW_OLD_PASSWORD); + } + + if (!attr) { + add_attribute(request, type, hashed, length); + } else { + memcpy(attr->data, hashed, length); /* overwrite the packet */ + } +} + +static void cleanup(radius_server_t *server) +{ + radius_server_t *next; + + while (server) { + next = server->next; + _pam_drop(server->hostname); + _pam_forget(server->secret); + _pam_drop(server); + server = next; + } +} + +/* + * allocate and open a local port for communication with the RADIUS + * server + */ +static int initialize(radius_conf_t *conf, int accounting) +{ + struct sockaddr salocal; + uint16_t local_port; + char hostname[BUFFER_SIZE]; + char secret[BUFFER_SIZE]; + + char buffer[BUFFER_SIZE]; + char *p; + FILE *fserver; + radius_server_t *server = NULL; + struct sockaddr_in * s_in; + int timeout; + int line = 0; + + /* the first time around, read the configuration file */ + if ((fserver = fopen (conf_file, "r")) == (FILE*)NULL) { + _pam_log(LOG_ERR, "Could not open configuration file %s: %s\n", + conf_file, strerror(errno)); + return PAM_ABORT; + } + + while (!feof(fserver) && (fgets (buffer, sizeof(buffer), fserver) != (char*) NULL) && (!ferror(fserver))) { + line++; + p = buffer; + + /* + * Skip blank lines and whitespace + */ + while (*p && ((*p == ' ') || (*p == '\t') || (*p == '\r') || (*p == '\n'))) { + p++; + } + + /* + * Nothing, or just a comment. Ignore the line. + */ + if ((!*p) || (*p == '#')) { + continue; + } + + timeout = 3; + if (sscanf(p, "%s %s %d", hostname, secret, &timeout) < 2) { + _pam_log(LOG_ERR, "ERROR reading %s, line %d: Could not read hostname or secret\n", + conf_file, line); + continue; /* invalid line */ + } else { /* read it in and save the data */ + radius_server_t *tmp; + + tmp = malloc(sizeof(radius_server_t)); + if (server) { + server->next = tmp; + server = server->next; + } else { + conf->server = tmp; + server= tmp; /* first time */ + } + + /* sometime later do memory checks here */ + server->hostname = strdup(hostname); + server->secret = strdup(secret); + server->accounting = accounting; + server->port = 0; + + if ((timeout < 1) || (timeout > 60)) { + server->timeout = 3; + } else { + server->timeout = timeout; + } + server->next = NULL; + } + } + fclose(fserver); + + if (!server) { /* no server found, die a horrible death */ + _pam_log(LOG_ERR, "No RADIUS server found in configuration file %s\n", + conf_file); + return PAM_AUTHINFO_UNAVAIL; + } + + /* open a socket. Dies if it fails */ + conf->sockfd = socket(AF_INET, SOCK_DGRAM, 0); + if (conf->sockfd < 0) { + _pam_log(LOG_ERR, "Failed to open RADIUS socket: %s\n", strerror(errno)); + return PAM_AUTHINFO_UNAVAIL; + } + + /* set up the local end of the socket communications */ + s_in = (struct sockaddr_in *) &salocal; + memset ((char *) s_in, '\0', sizeof(struct sockaddr)); + s_in->sin_family = AF_INET; + s_in->sin_addr.s_addr = INADDR_ANY; + + /* + * Use our process ID as a local port for RADIUS. + */ + local_port = (getpid() & 0x7fff) + 1024; + do { + local_port++; + s_in->sin_port = htons(local_port); + } while ((bind(conf->sockfd, &salocal, sizeof (struct sockaddr_in)) < 0) && (local_port < 64000)); + + if (local_port >= 64000) { + close(conf->sockfd); + _pam_log(LOG_ERR, "No open port we could bind to."); + return PAM_AUTHINFO_UNAVAIL; + } + + return PAM_SUCCESS; +} + +/* + * Helper function for building a radius packet. + * It initializes *some* of the header, and adds common attributes. + */ +static void build_radius_packet(AUTH_HDR *request, CONST char *user, CONST char *password, radius_conf_t *conf) +{ + char hostname[256]; + uint32_t ipaddr; + + hostname[0] = '\0'; + gethostname(hostname, sizeof(hostname) - 1); + + request->length = htons(AUTH_HDR_LEN); + + if (password) { /* make a random authentication req vector */ + get_random_vector(request->vector); + } + + add_attribute(request, PW_USER_NAME, (unsigned char *) user, strlen(user)); + + /* + * Add a password, if given. + */ + if (password) { + add_password(request, PW_PASSWORD, password, conf->server->secret); + + /* + * Add a NULL password to non-accounting requests. + */ + } else if (request->code != PW_ACCOUNTING_REQUEST) { + add_password(request, PW_PASSWORD, "", conf->server->secret); + } + + /* the packet is from localhost if on localhost, to make configs easier */ + if ((conf->server->ip.s_addr == ntohl(0x7f000001)) || (!hostname[0])) { + ipaddr = 0x7f000001; + } else { + struct hostent *hp; + + if ((hp = gethostbyname(hostname)) == (struct hostent *) NULL) { + ipaddr = 0x00000000; /* no client IP address */ + } else { + ipaddr = ntohl(*(uint32_t *) hp->h_addr); /* use the first one available */ + } + } + + /* If we can't find an IP address, then don't add one */ + if (ipaddr) { + add_int_attribute(request, PW_NAS_IP_ADDRESS, ipaddr); + } + + /* There's always a NAS identifier */ + if (conf->client_id && *conf->client_id) { + add_attribute(request, PW_NAS_IDENTIFIER, (unsigned char *) conf->client_id, strlen(conf->client_id)); + } + + /* + * Add in the port (pid) and port type (virtual). + * + * We might want to give the TTY name here, too. + */ + add_int_attribute(request, PW_NAS_PORT_ID, getpid()); + add_int_attribute(request, PW_NAS_PORT_TYPE, PW_NAS_PORT_TYPE_VIRTUAL); +} + +/* + * Talk RADIUS to a server. + * Send a packet and get the response + */ +static int talk_radius(radius_conf_t *conf, AUTH_HDR *request, AUTH_HDR *response, + char *password, char *old_password, int tries) +{ + socklen_t salen; + int total_length; + fd_set set; + struct timeval tv; + time_t now, end; + int rcode; + struct sockaddr saremote; + struct sockaddr_in *s_in = (struct sockaddr_in *) &saremote; + radius_server_t *server = conf->server; + int ok; + int server_tries; + int retval; + + /* ************************************************************ */ + /* Now that we're done building the request, we can send it */ + + /* + Hmm... on password change requests, all of the found server information + could be saved with a pam_set_data(), which means even the radius_conf_t + information will have to be malloc'd at some point + + On the other hand, we could just try all of the servers again in + sequence, on the off chance that one may have ended up fixing itself. + + */ + + /* loop over all available servers */ + while (server != NULL) { + + /* only look up IP information as necessary */ + if ((retval = host2server(server)) != PAM_SUCCESS) { + _pam_log(LOG_ERR, + "Failed looking up IP address for RADIUS server %s (errcode=%d)", + server->hostname, retval); + ok = FALSE; + goto next; /* skip to the next server */ + } + + /* set up per-server IP && port configuration */ + memset ((char *) s_in, '\0', sizeof(struct sockaddr)); + s_in->sin_family = AF_INET; + s_in->sin_addr.s_addr = htonl(server->ip.s_addr); + s_in->sin_port = server->port; + total_length = ntohs(request->length); + + if (!password) { /* make an RFC 2139 p6 request authenticator */ + get_accounting_vector(request, server); + } + + server_tries = tries; + send: + /* send the packet */ + if (sendto(conf->sockfd, (char *) request, total_length, 0, + &saremote, sizeof(struct sockaddr_in)) < 0) { + _pam_log(LOG_ERR, "Error sending RADIUS packet to server %s: %s", + server->hostname, strerror(errno)); + ok = FALSE; + goto next; /* skip to the next server */ + } + + /* ************************************************************ */ + /* Wait for the response, and verify it. */ + salen = sizeof(struct sockaddr); + tv.tv_sec = server->timeout; /* wait for the specified time */ + tv.tv_usec = 0; + FD_ZERO(&set); /* clear out the set */ + FD_SET(conf->sockfd, &set); /* wait only for the RADIUS UDP socket */ + + time(&now); + end = now + tv.tv_sec; + + /* loop, waiting for the select to return data */ + ok = TRUE; + while (ok) { + rcode = select(conf->sockfd + 1, &set, NULL, NULL, &tv); + + /* select timed out */ + if (rcode == 0) { + _pam_log(LOG_ERR, "RADIUS server %s failed to respond", server->hostname); + if (--server_tries) { + goto send; + } + ok = FALSE; + break; /* exit from the select loop */ + } else if (rcode < 0) { + + /* select had an error */ + if (errno == EINTR) { /* we were interrupted */ + time(&now); + + if (now > end) { + _pam_log(LOG_ERR, "RADIUS server %s failed to respond", + server->hostname); + if (--server_tries) goto send; + ok = FALSE; + break; /* exit from the select loop */ + } + + tv.tv_sec = end - now; + if (tv.tv_sec == 0) { /* keep waiting */ + tv.tv_sec = 1; + } + + } else { /* not an interrupt, it was a real error */ + _pam_log(LOG_ERR, "Error waiting for response from RADIUS server %s: %s", + server->hostname, strerror(errno)); + ok = FALSE; + break; + } + + /* the select returned OK */ + } else if (FD_ISSET(conf->sockfd, &set)) { + + /* try to receive some data */ + if ((total_length = recvfrom(conf->sockfd, (void *) response, BUFFER_SIZE, + 0, &saremote, &salen)) < 0) { + _pam_log(LOG_ERR, "error reading RADIUS packet from server %s: %s", + server->hostname, strerror(errno)); + ok = FALSE; + break; + + /* there's data, see if it's valid */ + } else { + char *p = server->secret; + + if ((ntohs(response->length) != total_length) || + (ntohs(response->length) > BUFFER_SIZE)) { + _pam_log(LOG_ERR, "RADIUS packet from server %s is corrupted", + server->hostname); + ok = FALSE; + break; + } + + /* Check if we have the data OK. We should also check request->id */ + if (password) { + if (old_password) { +#ifdef LIVINGSTON_PASSWORD_VERIFY_BUG_FIXED + p = old_password; /* what it should be */ +#else + p = ""; /* what it really is */ +#endif + } + /* + * RFC 2139 p.6 says not do do this, but the Livingston 1.16 + * server disagrees. If the user says he wants the bug, give in. + */ + } else { /* authentication request */ + if (conf->accounting_bug) { + p = ""; + } + } + + if (!verify_packet(p, response, request)) { + _pam_log(LOG_ERR, "packet from RADIUS server %s failed verification: " + "The shared secret is probably incorrect.", server->hostname); + ok = FALSE; + break; + } + + /* + * Check that the response ID matches the request ID. + */ + if (response->id != request->id) { + _pam_log(LOG_WARNING, "Response packet ID %d does not match the " + "request packet ID %d: verification of packet fails", + response->id, request->id); + ok = FALSE; + break; + } + } + + /* + * Whew! The select is done. It hasn't timed out, or errored out. + * It's our descriptor. We've got some data. It's the right size. + * The packet is valid. + * NOW, we can skip out of the select loop, and process the packet + */ + break; + } + /* otherwise, we've got data on another descriptor, keep select'ing */ + } + + /* go to the next server if this one didn't respond */ + next: + if (!ok) { + radius_server_t *old; /* forget about this server */ + + old = server; + server = server->next; + conf->server = server; + + _pam_forget(old->secret); + free(old->hostname); + free(old); + + if (server) { /* if there's more servers to check */ + /* get a new authentication vector, and update the passwords */ + get_random_vector(request->vector); + request->id = request->vector[0]; + + /* update passwords, as appropriate */ + if (password) { + get_random_vector(request->vector); + if (old_password) { /* password change request */ + add_password(request, PW_PASSWORD, password, old_password); + add_password(request, PW_OLD_PASSWORD, old_password, old_password); + } else { /* authentication request */ + add_password(request, PW_PASSWORD, password, server->secret); + } + } + } + continue; + + } else { + /* we've found one that does respond, forget about the other servers */ + cleanup(server->next); + server->next = NULL; + live_server = server; /* we've got a live one! */ + break; + } + } + + if (!server) { + _pam_log(LOG_ERR, "All RADIUS servers failed to respond."); + if (conf->localifdown) + retval = PAM_IGNORE; + else + retval = PAM_AUTHINFO_UNAVAIL; + } else { + retval = PAM_SUCCESS; + } + + return retval; +} + +/************************************************************************** + * MIDLEVEL PAM CODE + **************************************************************************/ + +/* this is our front-end for module-application conversations */ + +#undef PAM_FAIL_CHECK +#define PAM_FAIL_CHECK if (retval != PAM_SUCCESS) { return retval; } + +static int rad_converse(pam_handle_t *pamh, int msg_style, char *message, char **password) +{ + CONST struct pam_conv *conv; + struct pam_message resp_msg; + CONST struct pam_message *msg[1]; + struct pam_response *resp = NULL; + int retval; + + resp_msg.msg_style = msg_style; + resp_msg.msg = message; + msg[0] = &resp_msg; + + /* grab the password */ + retval = pam_get_item(pamh, PAM_CONV, (CONST void **) &conv); + PAM_FAIL_CHECK; + + retval = conv->conv(1, msg, &resp,conv->appdata_ptr); + PAM_FAIL_CHECK; + + if (password) { /* assume msg.type needs a response */ + /* I'm not sure if this next bit is necessary on Linux */ +#ifdef sun + /* NULL response, fail authentication */ + if ((resp == NULL) || (resp->resp == NULL)) { + return PAM_SYSTEM_ERR; + } +#endif + + *password = resp->resp; + free(resp); + } + + return PAM_SUCCESS; +} + +/************************************************************************** + * GENERAL CODE + **************************************************************************/ + +#undef PAM_FAIL_CHECK +#define PAM_FAIL_CHECK if (retval != PAM_SUCCESS) { \ + int *pret = malloc(sizeof(int)); \ + *pret = retval; \ + pam_set_data(pamh, "rad_setcred_return", (void *) pret, _int_free); \ + return retval; } + +PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh,int flags,int argc,CONST char **argv) +{ + CONST char *user; + CONST char *userinfo; + char *password = NULL; + CONST char *rhost; + char *resp2challenge = NULL; + int ctrl; + int retval = PAM_AUTH_ERR; + + char recv_buffer[4096]; + char send_buffer[4096]; + AUTH_HDR *request = (AUTH_HDR *) send_buffer; + AUTH_HDR *response = (AUTH_HDR *) recv_buffer; + radius_conf_t config; + + ctrl = _pam_parse(argc, argv, &config); + + /* grab the user name */ + retval = pam_get_user(pamh, &user, NULL); + PAM_FAIL_CHECK; + + /* check that they've entered something, and not too long, either */ + if ((user == NULL) || (strlen(user) > MAXPWNAM)) { + int *pret = malloc(sizeof(int)); + *pret = PAM_USER_UNKNOWN; + pam_set_data(pamh, "rad_setcred_return", (void *) pret, _int_free); + + DPRINT(LOG_DEBUG, "User name was NULL, or too long"); + return PAM_USER_UNKNOWN; + } + DPRINT(LOG_DEBUG, "Got user name %s", user); + + if (ctrl & PAM_RUSER_ARG) { + retval = pam_get_item(pamh, PAM_RUSER, (CONST void **) &userinfo); + PAM_FAIL_CHECK; + DPRINT(LOG_DEBUG, "Got PAM_RUSER name %s", userinfo); + + if (!strcmp("root", user)) { + user = userinfo; + DPRINT(LOG_DEBUG, "Username now %s from ruser", user); + } else { + DPRINT(LOG_DEBUG, "Skipping ruser for non-root auth"); + }; + }; + + /* + * Get the IP address of the authentication server + * Then, open a socket, and bind it to a port + */ + retval = initialize(&config, FALSE); + PAM_FAIL_CHECK; + + /* + * If there's no client id specified, use the service type, to help + * keep track of which service is doing the authentication. + */ + if (!config.client_id) { + retval = pam_get_item(pamh, PAM_SERVICE, (CONST void **) &config.client_id); + PAM_FAIL_CHECK; + } + + /* now we've got a socket open, so we've got to clean it up on error */ +#undef PAM_FAIL_CHECK +#define PAM_FAIL_CHECK if (retval != PAM_SUCCESS) {goto error; } + + /* build and initialize the RADIUS packet */ + request->code = PW_AUTHENTICATION_REQUEST; + get_random_vector(request->vector); + request->id = request->vector[0]; /* this should be evenly distributed */ + + /* grab the password (if any) from the previous authentication layer */ + retval = pam_get_item(pamh, PAM_AUTHTOK, (CONST void **) &password); + PAM_FAIL_CHECK; + + if(password) { + password = strdup(password); + DPRINT(LOG_DEBUG, "Got password %s", password); + } + + /* no previous password: maybe get one from the user */ + if (!password) { + if (ctrl & PAM_USE_FIRST_PASS) { + retval = PAM_AUTH_ERR; /* use one pass only, stopping if it fails */ + goto error; + } + + /* check to see if we send a NULL password the first time around */ + if (!(ctrl & PAM_SKIP_PASSWD)) { + retval = rad_converse(pamh, PAM_PROMPT_ECHO_OFF, "Password: ", &password); + PAM_FAIL_CHECK; + + } + } /* end of password == NULL */ + + build_radius_packet(request, user, password, &config); + /* not all servers understand this service type, but some do */ + add_int_attribute(request, PW_USER_SERVICE_TYPE, PW_AUTHENTICATE_ONLY); + + /* + * Tell the server which host the user is coming from. + * + * Note that this is NOT the IP address of the machine running PAM! + * It's the IP address of the client. + */ + retval = pam_get_item(pamh, PAM_RHOST, (CONST void **) &rhost); + PAM_FAIL_CHECK; + if (rhost) { + add_attribute(request, PW_CALLING_STATION_ID, (unsigned char *) rhost, + strlen(rhost)); + } + + DPRINT(LOG_DEBUG, "Sending RADIUS request code %d", request->code); + + retval = talk_radius(&config, request, response, password, NULL, config.retries + 1); + PAM_FAIL_CHECK; + + DPRINT(LOG_DEBUG, "Got RADIUS response code %d", response->code); + + /* + * If we get an authentication failure, and we sent a NULL password, + * ask the user for one and continue. + * + * If we get an access challenge, then do a response, for as many + * challenges as we receive. + */ + while (response->code == PW_ACCESS_CHALLENGE) { + attribute_t *a_state, *a_reply; + char challenge[BUFFER_SIZE]; + + /* Now we do a bit more work: challenge the user, and get a response */ + if (((a_state = find_attribute(response, PW_STATE)) == NULL) || + ((a_reply = find_attribute(response, PW_REPLY_MESSAGE)) == NULL)) { + /* Actually, State isn't required. */ + _pam_log(LOG_ERR, "RADIUS Access-Challenge received with State or Reply-Message missing"); + retval = PAM_AUTHINFO_UNAVAIL; + goto error; + } + + /* + * Security fixes. + */ + if ((a_state->length <= 2) || (a_reply->length <= 2)) { + _pam_log(LOG_ERR, "RADIUS Access-Challenge received with invalid State or Reply-Message"); + retval = PAM_AUTHINFO_UNAVAIL; + goto error; + } + + memcpy(challenge, a_reply->data, a_reply->length - 2); + challenge[a_reply->length - 2] = 0; + + /* It's full challenge-response, we should have echo on */ + retval = rad_converse(pamh, PAM_PROMPT_ECHO_ON, challenge, &resp2challenge); + + /* now that we've got a response, build a new radius packet */ + build_radius_packet(request, user, resp2challenge, &config); + /* request->code is already PW_AUTHENTICATION_REQUEST */ + request->id++; /* one up from the request */ + + /* copy the state over from the servers response */ + add_attribute(request, PW_STATE, a_state->data, a_state->length - 2); + + retval = talk_radius(&config, request, response, resp2challenge, NULL, 1); + PAM_FAIL_CHECK; + + DPRINT(LOG_DEBUG, "Got response to challenge code %d", response->code); + } + + /* Whew! Done the pasword checks, look for an authentication acknowledge */ + if (response->code == PW_AUTHENTICATION_ACK) { + retval = PAM_SUCCESS; + } else { + retval = PAM_AUTH_ERR; /* authentication failure */ + +error: + /* If there was a password pass it to the next layer */ + if (password && *password) { + pam_set_item(pamh, PAM_AUTHTOK, password); + } + } + + if (ctrl & PAM_DEBUG_ARG) { + _pam_log(LOG_DEBUG, "authentication %s", retval==PAM_SUCCESS ? "succeeded":"failed"); + } + + close(config.sockfd); + cleanup(config.server); + _pam_forget(password); + _pam_forget(resp2challenge); + { + int *pret = malloc(sizeof(int)); + *pret = retval; + pam_set_data(pamh, "rad_setcred_return", (void *) pret, _int_free); + } + return retval; +} + +/* + * Return a value matching the return value of pam_sm_authenticate, for + * greatest compatibility. + * (Always returning PAM_SUCCESS breaks other authentication modules; + * always returning PAM_IGNORE breaks PAM when we're the only module.) + */ +PAM_EXTERN int pam_sm_setcred(pam_handle_t *pamh,int flags,int argc,CONST char **argv) +{ + int retval, *pret; + + retval = PAM_SUCCESS; + pret = &retval; + pam_get_data(pamh, "rad_setcred_return", (CONST void **) &pret); + return *pret; +} + +#undef PAM_FAIL_CHECK +#define PAM_FAIL_CHECK if (retval != PAM_SUCCESS) { return PAM_SESSION_ERR; } + +static int pam_private_session(pam_handle_t *pamh, int flags, int argc, CONST char **argv, int status) +{ + CONST char *user; + int ctrl; + int retval = PAM_AUTH_ERR; + + char recv_buffer[4096]; + char send_buffer[4096]; + AUTH_HDR *request = (AUTH_HDR *) send_buffer; + AUTH_HDR *response = (AUTH_HDR *) recv_buffer; + radius_conf_t config; + + ctrl = _pam_parse(argc, argv, &config); + + /* grab the user name */ + retval = pam_get_user(pamh, &user, NULL); + PAM_FAIL_CHECK; + + /* check that they've entered something, and not too long, either */ + if ((user == NULL) || (strlen(user) > MAXPWNAM)) { + return PAM_USER_UNKNOWN; + } + + /* + * Get the IP address of the authentication server + * Then, open a socket, and bind it to a port + */ + retval = initialize(&config, TRUE); + PAM_FAIL_CHECK; + + /* + * If there's no client id specified, use the service type, to help + * keep track of which service is doing the authentication. + */ + if (!config.client_id) { + retval = pam_get_item(pamh, PAM_SERVICE, (CONST void **) &config.client_id); + PAM_FAIL_CHECK; + } + + /* now we've got a socket open, so we've got to clean it up on error */ +#undef PAM_FAIL_CHECK +#define PAM_FAIL_CHECK if (retval != PAM_SUCCESS) {goto error; } + + /* build and initialize the RADIUS packet */ + request->code = PW_ACCOUNTING_REQUEST; + get_random_vector(request->vector); + request->id = request->vector[0]; /* this should be evenly distributed */ + + build_radius_packet(request, user, NULL, &config); + + add_int_attribute(request, PW_ACCT_STATUS_TYPE, status); + + sprintf(recv_buffer, "%08d", (int) getpid()); + add_attribute(request, PW_ACCT_SESSION_ID, (unsigned char *) recv_buffer, strlen(recv_buffer)); + + add_int_attribute(request, PW_ACCT_AUTHENTIC, PW_AUTH_RADIUS); + + if (status == PW_STATUS_START) { + session_time = time(NULL); + } else { + add_int_attribute(request, PW_ACCT_SESSION_TIME, time(NULL) - session_time); + } + + retval = talk_radius(&config, request, response, NULL, NULL, 1); + PAM_FAIL_CHECK; + + /* oops! They don't have the right password. Complain and die. */ + if (response->code != PW_ACCOUNTING_RESPONSE) { + retval = PAM_PERM_DENIED; + goto error; + } + + retval = PAM_SUCCESS; + +error: + + close(config.sockfd); + cleanup(config.server); + + return retval; +} + +PAM_EXTERN int pam_sm_open_session(pam_handle_t *pamh, int flags, int argc, CONST char **argv) +{ + return pam_private_session(pamh, flags, argc, argv, PW_STATUS_START); +} + +PAM_EXTERN int pam_sm_close_session(pam_handle_t *pamh, int flags, int argc, CONST char **argv) +{ + return pam_private_session(pamh, flags, argc, argv, PW_STATUS_STOP); +} + +#undef PAM_FAIL_CHECK +#define PAM_FAIL_CHECK if (retval != PAM_SUCCESS) {return retval; } +#define MAX_PASSWD_TRIES 3 + +PAM_EXTERN int pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, CONST char **argv) +{ + CONST char *user; + char *password = NULL; + char *new_password = NULL; + char *check_password = NULL; + int ctrl; + int retval = PAM_AUTHTOK_ERR; + int attempts; + + char recv_buffer[4096]; + char send_buffer[4096]; + AUTH_HDR *request = (AUTH_HDR *) send_buffer; + AUTH_HDR *response = (AUTH_HDR *) recv_buffer; + radius_conf_t config; + + ctrl = _pam_parse(argc, argv, &config); + + /* grab the user name */ + retval = pam_get_user(pamh, &user, NULL); + PAM_FAIL_CHECK; + + /* check that they've entered something, and not too long, either */ + if ((user == NULL) || (strlen(user) > MAXPWNAM)) { + return PAM_USER_UNKNOWN; + } + + /* + * Get the IP address of the authentication server + * Then, open a socket, and bind it to a port + */ + retval = initialize(&config, FALSE); + PAM_FAIL_CHECK; + + /* + * If there's no client id specified, use the service type, to help + * keep track of which service is doing the authentication. + */ + if (!config.client_id) { + retval = pam_get_item(pamh, PAM_SERVICE, (CONST void **) &config.client_id); + PAM_FAIL_CHECK; + } + + /* now we've got a socket open, so we've got to clean it up on error */ +#undef PAM_FAIL_CHECK +#define PAM_FAIL_CHECK if (retval != PAM_SUCCESS) {goto error; } + + /* grab the old password (if any) from the previous password layer */ + retval = pam_get_item(pamh, PAM_OLDAUTHTOK, (CONST void **) &password); + PAM_FAIL_CHECK; + if(password) password = strdup(password); + + /* grab the new password (if any) from the previous password layer */ + retval = pam_get_item(pamh, PAM_AUTHTOK, (CONST void **) &new_password); + PAM_FAIL_CHECK; + if(new_password) new_password = strdup(new_password); + + /* preliminary password change checks. */ + if (flags & PAM_PRELIM_CHECK) { + if (!password) { /* no previous password: ask for one */ + retval = rad_converse(pamh, PAM_PROMPT_ECHO_OFF, "Password: ", &password); + PAM_FAIL_CHECK; + } + + /* + * We now check the password to see if it's the right one. + * If it isn't, we let the user try again. + * Note that RADIUS doesn't have any concept of 'root'. The only way + * that root can change someone's password is to log into the RADIUS + * server, and and change it there. + */ + + /* build and initialize the access request RADIUS packet */ + request->code = PW_AUTHENTICATION_REQUEST; + get_random_vector(request->vector); + request->id = request->vector[0]; /* this should be evenly distributed */ + + build_radius_packet(request, user, password, &config); + add_int_attribute(request, PW_USER_SERVICE_TYPE, PW_AUTHENTICATE_ONLY); + + retval = talk_radius(&config, request, response, password, NULL, 1); + PAM_FAIL_CHECK; + + /* oops! They don't have the right password. Complain and die. */ + if (response->code != PW_AUTHENTICATION_ACK) { + _pam_forget(password); + retval = PAM_PERM_DENIED; + goto error; + } + + /* + * We're now sure it's the right user. + * Ask for their new password, if appropriate + */ + + if (!new_password) { /* not found yet: ask for it */ + int new_attempts; + attempts = 0; + + /* loop, trying to get matching new passwords */ + while (attempts++ < 3) { + + /* loop, trying to get a new password */ + new_attempts = 0; + while (new_attempts++ < 3) { + retval = rad_converse(pamh, PAM_PROMPT_ECHO_OFF, + "New password: ", &new_password); + PAM_FAIL_CHECK; + + /* the old password may be short. Check it, first. */ + if (strcmp(password, new_password) == 0) { /* are they the same? */ + rad_converse(pamh, PAM_ERROR_MSG, + "You must choose a new password.", NULL); + _pam_forget(new_password); + continue; + } else if (strlen(new_password) < 6) { + rad_converse(pamh, PAM_ERROR_MSG, "it's WAY too short", NULL); + _pam_forget(new_password); + continue; + } + + /* insert crypt password checking here */ + + break; /* the new password is OK */ + } + + if (new_attempts >= 3) { /* too many new password attempts: die */ + retval = PAM_AUTHTOK_ERR; + goto error; + } + + /* make sure of the password by asking for verification */ + retval = rad_converse(pamh, PAM_PROMPT_ECHO_OFF, + "New password (again): ", &check_password); + PAM_FAIL_CHECK; + + retval = strcmp(new_password, check_password); + _pam_forget(check_password); + + /* if they don't match, don't pass them to the next module */ + if (retval != 0) { + _pam_forget(new_password); + rad_converse(pamh, PAM_ERROR_MSG, + "You must enter the same password twice.", NULL); + retval = PAM_AUTHTOK_ERR; + goto error; /* ??? maybe this should be a 'continue' ??? */ + } + + break; /* everything's fine */ + } /* loop, trying to get matching new passwords */ + + if (attempts >= 3) { /* too many new password attempts: die */ + retval = PAM_AUTHTOK_ERR; + goto error; + } + } /* now we have a new password which passes all of our tests */ + + /* + * Solaris 2.6 calls pam_sm_chauthtok only ONCE, with PAM_PRELIM_CHECK + * set. + */ +#ifndef sun + /* If told to update the authentication token, do so. */ + } else if (flags & PAM_UPDATE_AUTHTOK) { +#endif + + if (!password || !new_password) { /* ensure we've got passwords */ + retval = PAM_AUTHTOK_ERR; + goto error; + } + + /* build and initialize the password change request RADIUS packet */ + request->code = PW_PASSWORD_REQUEST; + get_random_vector(request->vector); + request->id = request->vector[0]; /* this should be evenly distributed */ + + /* the secret here can not be know to the user, so it's the new password */ + _pam_forget(config.server->secret); + config.server->secret = strdup(password); /* it's free'd later */ + + build_radius_packet(request, user, new_password, &config); + add_password(request, PW_OLD_PASSWORD, password, password); + + retval = talk_radius(&config, request, response, new_password, password, 1); + PAM_FAIL_CHECK; + + /* Whew! Done password changing, check for password acknowledge */ + if (response->code != PW_PASSWORD_ACK) { + retval = PAM_AUTHTOK_ERR; + goto error; + } + } + + /* + * Send the passwords to the next stage if preliminary checks fail, + * or if the password change request fails. + */ + if ((flags & PAM_PRELIM_CHECK) || (retval != PAM_SUCCESS)) { + error: + + /* If there was a password pass it to the next layer */ + if (password && *password) { + pam_set_item(pamh, PAM_OLDAUTHTOK, password); + } + + if (new_password && *new_password) { + pam_set_item(pamh, PAM_AUTHTOK, new_password); + } + } + + if (ctrl & PAM_DEBUG_ARG) { + _pam_log(LOG_DEBUG, "password change %s", retval==PAM_SUCCESS ? "succeeded" : "failed"); + } + + close(config.sockfd); + cleanup(config.server); + + _pam_forget(password); + _pam_forget(new_password); + return retval; +} + +/* + * Do nothing for account management. This is apparently needed by + * some programs. + */ +PAM_EXTERN int pam_sm_acct_mgmt(pam_handle_t *pamh,int flags,int argc,CONST char **argv) +{ + int retval; + retval = PAM_SUCCESS; + return retval; +} + +#ifdef PAM_STATIC + +/* static module data */ + +struct pam_module _pam_radius_modstruct = { + "pam_radius_auth", + pam_sm_authenticate, + pam_sm_setcred, + pam_sm_acct_mgmt, + pam_sm_open_session, + pam_sm_close_session, + pam_sm_chauthtok, +}; +#endif + |