/* Written by Simon Josefsson . * Copyright (c) 2006, 2007, 2008, 2009 Yubico AB * All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions are * met: * * * Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * * * Redistributions in binary form must reproduce the above * copyright notice, this list of conditions and the following * disclaimer in the documentation and/or other materials provided * with the distribution. * * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ #include #include #include #include /* Libtool defines PIC for shared objects */ #ifndef PIC #define PAM_STATIC #endif /* These #defines must be present according to PAM documentation. */ #define PAM_SM_AUTH #define PAM_SM_ACCOUNT #define PAM_SM_SESSION #define PAM_SM_PASSWORD #ifdef HAVE_SECURITY_PAM_APPL_H #include #endif #ifdef HAVE_SECURITY_PAM_MODULES_H #include #endif #if defined(DEBUG_PAM) # if defined(HAVE_SECURITY__PAM_MACROS_H) # define DEBUG # include # else # define D(x) do { \ printf ("debug: %s:%d (%s): ", __FILE__, __LINE__, __FUNCTION__); \ printf x; \ printf ("\n"); \ } while (0) # endif #endif #include #ifdef HAVE_LIBLDAP #include #define PORT_NUMBER LDAP_PORT #endif #ifndef PAM_EXTERN #ifdef PAM_STATIC #define PAM_EXTERN static #else #define PAM_EXTERN extern #endif #endif #include #include #define TOKEN_LEN 44 #define TOKEN_ID_LEN 12 /* * This function will look for users name with valid user token id. It * will returns 0 for failure and 1 for success. * * File format is as follows: * :: * : * */ static int check_user_token (const char *authfile, const char *username, const char *usertoken) { static char buf[1024]; char *s_user, *s_token; int retval = 0; FILE *opwfile; opwfile = fopen (authfile, "r"); if (opwfile == NULL) { D ((" %s file does not exists.", authfile)); return retval; } while (fgets (buf, 1024, opwfile)) { if (!strncmp (buf, username, strlen (username))) { buf[strlen (buf) - 1] = '\0'; D (("Got user record :: %s", buf)); s_user = strtok (buf, ":"); s_token = strtok (NULL, ":"); while (s_token != NULL) { if (!strncmp (usertoken, s_token, strlen (usertoken))) { D (("Token Found :: %s", s_token)); retval = 1; break; } s_token = strtok (NULL, ":"); } break; } } fclose (opwfile); return retval; } /* * This F'n will get the configuration file name either from argument * list or from user home directory */ static int validate_user_token (const char *authfile, const char *username, const char *usertoken) { int retval = 0; if (NULL != authfile) { /* Administrator had configured the file and specified is name as an argument for this module. */ retval = check_user_token (authfile, username, usertoken); } else { /* Getting file from user home directory ..... i.e. ~/.yubico/authorized_yubikeys */ struct passwd *p; char *home_dir = NULL; p = getpwnam (username); if (p != NULL) { home_dir = (char *) malloc (strlen (p->pw_dir) + 29); if (NULL != home_dir) { strcpy (home_dir, p->pw_dir); strcat (home_dir, "/.yubico/authorized_yubikeys"); } } retval = check_user_token (home_dir, username, usertoken); if (NULL != home_dir) { free (home_dir); } } return retval; } /* * This function will look in ldap id the token correspond to the * requested user. It will returns 0 for failure and 1 for success. * * For the moment ldaps is not supported. ldap serve can be on a * remote host. * * You need the following parameters in you pam config: * ldapsever= * ldapdn= * user_attr= * yubi_attr= * */ static int validate_user_token_ldap (const char *ldapserver, const char *ldapdn, const char *user_attr, const char *yubi_attr, const char *user, const char *token_id) { int retval = 0; #ifdef HAVE_LIBLDAP LDAP *ld; LDAPMessage *result, *e; BerElement *ber; char *a; char **vals; int i, rc; /* FIXME: dont' use hard coded buffers here. */ char find[256] = ""; char sr[128] = "("; char sep[2] = ","; char eq[2] = "="; char sren[4] = "=*)"; strcat (find, user_attr); strcat (find, eq); strcat (find, user); strcat (find, sep); strcat (find, ldapdn); strcat (sr, yubi_attr); strcat (sr, sren); /* Get a handle to an LDAP connection. */ if ((ld = ldap_init (ldapserver, PORT_NUMBER)) == NULL) { D (("ldap_init")); return (0); } /* Bind anonymously to the LDAP server. */ rc = ldap_simple_bind_s (ld, NULL, NULL); if (rc != LDAP_SUCCESS) { D (("ldap_simple_bind_s: %s", ldap_err2string (rc))); return (0); } /* Search for the entry. */ D (("ldap-dn: %s", find)); D (("ldap-filter: %s", sr)); if ((rc = ldap_search_ext_s (ld, find, LDAP_SCOPE_BASE, sr, NULL, 0, NULL, NULL, LDAP_NO_LIMIT, LDAP_NO_LIMIT, &result)) != LDAP_SUCCESS) { D (("ldap_search_ext_s: %s", ldap_err2string (rc))); return (0); } e = ldap_first_entry (ld, result); if (e != NULL) { /* Iterate through each attribute in the entry. */ for (a = ldap_first_attribute (ld, e, &ber); a != NULL; a = ldap_next_attribute (ld, e, ber)) { if ((vals = ldap_get_values (ld, e, a)) != NULL) { for (i = 0; vals[i] != NULL; i++) { if (!strncmp (token_id, vals[i], strlen (token_id))) { D (("Token Found :: %s", vals[i])); retval = 1; } } ldap_value_free (vals); } ldap_memfree (a); } if (ber != NULL) { ber_free (ber, 0); } } ldap_msgfree (result); ldap_unbind (ld); #else D (("Trying to use LDAP, but this function is not compiled in pam_yubico!!")); D (("Install libldap-dev and then recompile pam_yubico.")); #endif return retval; } PAM_EXTERN int pam_sm_authenticate (pam_handle_t * pamh, int flags, int argc, const char **argv) { int retval, rc; const char *user = NULL; const char *password = NULL; char *auth_file = NULL; const char *token_otp[TOKEN_LEN + 1] = { 0 }; const char *token_id[TOKEN_ID_LEN + 1] = { 0 }; char *token_otp_with_password = NULL; char *token_password = NULL; char *url_template = NULL; int password_len = 0; int valid_token = 0; int i; struct pam_conv *conv; struct pam_message *pmsg[1], msg[1]; struct pam_response *resp; int nargs = 1; int id = -1; int debug = 0; int alwaysok = 0; yubikey_client_t ykc; char *ldapserver = NULL; char *ldapdn = NULL; char *user_attr = NULL; char *yubi_attr = NULL; for (i = 0; i < argc; i++) { if (strncmp (argv[i], "id=", 3) == 0) sscanf (argv[i], "id=%d", &id); if (strcmp (argv[i], "debug") == 0) debug = 1; if (strcmp (argv[i], "alwaysok") == 0) alwaysok = 1; if (strncmp (argv[i], "authfile=", 9) == 0) auth_file = (char *) argv[i] + 9; if (strncmp (argv[i], "url=", 4) == 0) url_template = (char *) argv[i] + 4; if (strncmp (argv[i], "ldapserver=", 11) == 0) ldapserver = (char *) argv[i] + 11; if (strncmp (argv[i], "ldapdn=", 7) == 0) ldapdn = (char *) argv[i] + 7; if (strncmp (argv[i], "user_attr=", 10) == 0) user_attr = (char *) argv[i] + 10; if (strncmp (argv[i], "yubi_attr=", 10) == 0) yubi_attr = (char *) argv[i] + 10; } if (debug) { D (("called.")); D (("flags %d argc %d", flags, argc)); for (i = 0; i < argc; i++) D (("argv[%d]=%s", i, argv[i])); D (("id=%d", id)); D (("debug=%d", debug)); D (("alwaysok=%d", alwaysok)); D (("authfile=%s", auth_file ? auth_file : "(null)")); D (("ldapserver=%s", ldapserver ? ldapserver : "(null"))); D (("ldapdn=%s", ldapdn ? ldapdn : "(null"))); D (("user_attr=%s", user_attr ? user_attr : "(null)")); D (("yubi_attr=%s", yubi_attr ? yubi_attr : "(null)")); } retval = pam_get_user (pamh, &user, NULL); if (retval != PAM_SUCCESS) { if (debug) D (("get user returned error: %s", pam_strerror (pamh, retval))); goto done; } if (debug) D (("get user returned: %s", user)); retval = pam_get_item (pamh, PAM_AUTHTOK, (const void **) &password); if (retval != PAM_SUCCESS) { if (debug) D (("get password returned error: %s", pam_strerror (pamh, retval))); goto done; } if (debug) D (("get password returned: %s", password)); if (password == NULL) { retval = pam_get_item (pamh, PAM_CONV, (const void **) &conv); if (retval != PAM_SUCCESS) { if (debug) D (("get conv returned error: %s", pam_strerror (pamh, retval))); goto done; } pmsg[0] = &msg[0]; { const char *query_template = "Yubikey for `%s': "; size_t len = strlen (query_template) + strlen (user); size_t wrote; msg[0].msg = malloc (len); if (!msg[0].msg) { retval = PAM_BUF_ERR; goto done; } wrote = snprintf ((char *) msg[0].msg, len, query_template, user); if (wrote < 0 || wrote >= len) { retval = PAM_BUF_ERR; goto done; } } msg[0].msg_style = PAM_PROMPT_ECHO_OFF; resp = NULL; retval = conv->conv (nargs, (const struct pam_message **) pmsg, &resp, conv->appdata_ptr); free ((char *) msg[0].msg); if (retval != PAM_SUCCESS) { if (debug) D (("conv returned error: %s", pam_strerror (pamh, retval))); goto done; } if (debug) D (("conv returned: %s", resp->resp)); password = resp->resp; retval = pam_set_item (pamh, PAM_AUTHTOK, password); if (retval != PAM_SUCCESS) { if (debug) D (("set_item returned error: %s", pam_strerror (pamh, retval))); goto done; } } ykc = yubikey_client_init (); if (!ykc) { if (debug) D (("yubikey_client_init() failed")); retval = PAM_AUTHINFO_UNAVAIL; goto done; } yubikey_client_set_info (ykc, id, 0, NULL); if (url_template) yubikey_client_set_url_template (ykc, url_template); /* user will enter there system paasword followed by generated OTP */ token_otp_with_password = (char *) password; password_len = strlen (token_otp_with_password); /* Getting Token value and SSH password */ strncpy ((char *) token_otp, token_otp_with_password + (password_len - TOKEN_LEN), TOKEN_LEN); token_password = malloc ((password_len - TOKEN_LEN) + 1); if (token_password != NULL) { strncpy (token_password, token_otp_with_password, (password_len - TOKEN_LEN)); token_password[(password_len - TOKEN_LEN)] = 0; password = token_password; } strncpy ((char *) token_id, token_otp_with_password + (password_len - TOKEN_LEN), TOKEN_ID_LEN); if (debug) { D ((" Token is : %s and password is %s ", token_otp, password)); D ((" Token ID is: %s ", token_id)); } /* validate the user with supplied token id */ if (ldapserver != NULL) { valid_token = validate_user_token_ldap ((const char *) ldapserver, (const char *) ldapdn, (const char *) user_attr, (const char *) yubi_attr, (const char *) user, (const char *) token_id); } else { valid_token = validate_user_token (auth_file, (const char *) user, (const char *) token_id); } if (password != NULL) { retval = pam_set_item (pamh, PAM_AUTHTOK, password); if (retval != PAM_SUCCESS) { if (debug) D (("set_item returned error: %s", pam_strerror (pamh, retval))); goto done; } } if (valid_token == 0) { if (debug) D (("Invalid Token for user ")); retval = PAM_SERVICE_ERR; goto done; } rc = yubikey_client_request (ykc, (const char *) token_otp); if (token_password != NULL) free (token_password); if (debug) D (("libyubikey-client return value (%d): %s", rc, yubikey_client_strerror (rc))); if (rc != YUBIKEY_CLIENT_OK) { retval = PAM_SERVICE_ERR; goto done; } yubikey_client_done (&ykc); retval = PAM_SUCCESS; done: if (alwaysok && retval != PAM_SUCCESS) { if (debug) D (("alwaysok needed (otherwise return with %d)", retval)); retval = PAM_SUCCESS; } if (debug) D (("done. [%s]", pam_strerror (pamh, retval))); pam_set_data (pamh, "yubico_setcred_return", (void *) retval, NULL); return retval; } PAM_EXTERN int pam_sm_setcred (pam_handle_t * pamh, int flags, int argc, const char **argv) { int retval; int auth_retval; D (("called.")); /* TODO: ? */ retval = pam_get_data (pamh, "yubico_setcred_return", (const void **) &auth_retval); if (retval != PAM_SUCCESS) return PAM_CRED_UNAVAIL; switch (auth_retval) { case PAM_SUCCESS: retval = PAM_SUCCESS; break; case PAM_USER_UNKNOWN: retval = PAM_USER_UNKNOWN; break; case PAM_AUTH_ERR: default: retval = PAM_CRED_ERR; break; } D (("done. [%s]", pam_strerror (pamh, retval))); return retval; } PAM_EXTERN int pam_sm_acct_mgmt (pam_handle_t * pamh, int flags, int argc, const char **argv) { int retval; D (("called.")); /* TODO: ? */ retval = PAM_SUCCESS; D (("done. [%s]", pam_strerror (pamh, retval))); return retval; } PAM_EXTERN int pam_sm_open_session (pam_handle_t * pamh, int flags, int argc, const char **argv) { int retval; D (("called.")); /* TODO: ? */ retval = PAM_SUCCESS; D (("done. [%s]", pam_strerror (pamh, retval))); return retval; } PAM_EXTERN int pam_sm_close_session (pam_handle_t * pamh, int flags, int argc, const char **argv) { int retval; D (("called.")); /* TODO: ? */ retval = PAM_SUCCESS; D (("done. [%s]", pam_strerror (pamh, retval))); return retval; } PAM_EXTERN int pam_sm_chauthtok (pam_handle_t * pamh, int flags, int argc, const char **argv) { int retval; D (("called.")); /* TODO: ? */ retval = PAM_SUCCESS; D (("done. [%s]", pam_strerror (pamh, retval))); return retval; } #ifdef PAM_STATIC struct pam_module _pam_yubico_modstruct = { "pam_yubico", pam_sm_authenticate, pam_sm_setcred, pam_sm_acct_mgmt, pam_sm_open_session, pam_sm_close_session, pam_sm_chauthtok }; #endif