94439e4e | 1 | /* |
262a0e14 | 2 | * $Id$ |
94439e4e | 3 | * |
4 | * PAM authenticator module for Squid. | |
2900aadb | 5 | * Copyright (C) 1999,2002,2003 Henrik Nordstrom <hno@squid-cache.org> |
94439e4e | 6 | * |
7 | * This program is free software; you can redistribute it and/or modify | |
8 | * it under the terms of the GNU General Public License as published by | |
9 | * the Free Software Foundation; either version 2 of the License, or | |
10 | * (at your option) any later version. | |
11 | * | |
12 | * This program is distributed in the hope that it will be useful, | |
13 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | |
14 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | |
15 | * GNU General Public License for more details. | |
16 | * | |
17 | * You should have received a copy of the GNU General Public License | |
18 | * along with this program; if not, write to the Free Software | |
19 | * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111, USA. | |
20 | * | |
21 | * Install instructions: | |
22 | * | |
23 | * This program authenticates users against a PAM configured authentication | |
24 | * service "squid". This allows you to authenticate Squid users to any | |
25 | * authentication source for which you have a PAM module. Commonly available | |
 * PAM modules include "UNIX", RADIUS, Kerberos and SMB, but a lot of other
27 | * PAM modules are available from various sources. | |
28 | * | |
29 | * Example PAM configuration for standard UNIX passwd authentication: | |
30 | * /etc/pam.conf: | |
31 | * squid auth required /lib/security/pam_unix.so.1 | |
32 | * squid account required /lib/security/pam_unix.so.1 | |
33 | * | |
34 | * Note that some PAM modules (for example shadow password authentication) | |
 * require the program to be installed suid root to gain access to the
36 | * user password database | |
94439e4e | 37 | * |
fab7a87e | 38 | * Change Log: |
94439e4e | 39 | * |
40 | * Version 2.3, 2009-11-06 |
41 | * Converted to C++. Brought into line with Squid-3 code styles. | |
42 | * | |
2900aadb | 43 | * Version 2.2, 2003-11-05 |
44 | * One shot mode is now the default mode of operation | |
45 | * with persistent PAM connections enabled by -t option. | |
46 | * Support for clearing the PAM_AUTHTOK attribute on | |
47 | * persistent PAM connections. | |
48 | * | |
49 | * Version 2.1, 2002-08-12 | |
50 | * Squid-2.5 support (URL encoded login, password strings) | |
51 | * | |
fab7a87e | 52 | * Version 2.0, 2002-01-07 |
53 | * One shot mode, command line options | |
54 | * man page | |
43f7ea67 | 55 | * |
56 | * Version 1.3, 1999-12-10 | |
57 | * Bugfix release 1.3 to work around Solaris 2.6 | |
58 | * brokenness (not sending arguments to conversation | |
59 | * functions) | |
60 | * | |
fab7a87e | 61 | * Version 1.2, internal release |
43f7ea67 | 62 | * |
63 | * Version 1.1, 1999-05-11 | |
64 | * Initial version | |
fab7a87e | 65 | * |
5a48ed18 | 66 | * Compile this program with: gcc -o basic_pam_auth basic_pam_auth.cc -lpam -ldl |
94439e4e | 67 | */ |
#include "config.h"
#include "helpers/defines.h"
#include "rfc1738.h"
#include "util.h"

#if HAVE_STDIO_H
#include <stdio.h>
#endif
#if HAVE_ASSERT_H
#include <assert.h>
#endif
#if HAVE_ERRNO_H
#include <errno.h>
#endif
#if HAVE_LIMITS_H
#include <limits.h>
#endif
#if HAVE_STDLIB_H
#include <stdlib.h>
#endif
#if HAVE_STRING_H
#include <string.h>
#endif
#if HAVE_SIGNAL_H
#include <signal.h>
#endif
#if HAVE_TIME_H
#include <time.h>
#endif
#if HAVE_UNISTD_H
#include <unistd.h>
#endif
#if HAVE_SECURITY_PAM_APPL_H
#include <security/pam_appl.h>
#endif
94439e4e | 94 | |
94439e4e | 95 | /* The default PAM service name */ |
fab7a87e | 96 | #ifndef DEFAULT_SQUID_PAM_SERVICE |
97 | #define DEFAULT_SQUID_PAM_SERVICE "squid" | |
94439e4e | 98 | #endif |
99 | ||
fab7a87e | 100 | /* The default TTL */ |
101 | #ifndef DEFAULT_SQUID_PAM_TTL | |
2900aadb | 102 | #define DEFAULT_SQUID_PAM_TTL 0 |
fab7a87e | 103 | #endif |
94439e4e | 104 | |
#if _SQUID_SOLARIS_
/* Workaround for Solaris 2.6 brokenness: its PAM library does not pass
 * appdata_ptr to the conversation function, so main() also stores the
 * current request's password here for password_conversation() to fall
 * back on. */
static char *password = NULL;
#endif
94439e4e | 108 | |
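/**
 * PAM "conversation" callback: answers the single PAM_PROMPT_ECHO_OFF prompt
 * issued during pam_authenticate() with the password of the current request.
 *
 * \param num_msg      number of prompts in msg; anything but exactly 1 is rejected
 * \param msg          the prompts; only msg[0] is inspected
 * \param resp         on PAM_SUCCESS receives a calloc()ed array of num_msg
 *                     responses (owned by the PAM library from then on);
 *                     set to NULL on every failure path
 * \param appdata_ptr  the password, as stored in conv.appdata_ptr by main()
 * \return PAM_SUCCESS, or PAM_CONV_ERR when the prompt is not the one expected,
 *         no password is available, or memory is exhausted
 */
static int
password_conversation(int num_msg, PAM_CONV_FUNC_CONST_PARM struct pam_message **msg, struct pam_response **resp, void *appdata_ptr)
{
    *resp = NULL;
    /* Only one hidden-input prompt is answered. msg[0] is looked at only after
     * num_msg says it exists, and a NULL prompt text is never handed to %s. */
    if (num_msg != 1 || !msg || !msg[0] || msg[0]->msg_style != PAM_PROMPT_ECHO_OFF) {
        const int style = (num_msg >= 1 && msg && msg[0]) ? msg[0]->msg_style : -1;
        const char *text = (num_msg >= 1 && msg && msg[0] && msg[0]->msg) ? msg[0]->msg : "";
        debug("ERROR: Unexpected PAM converstaion '%d/%s'\n", style, text);
        return PAM_CONV_ERR;
    }
#if _SQUID_SOLARIS_
    /* Solaris 2.6 does not pass appdata_ptr to the conversation routine;
     * main() keeps the password in the file-scope global as a workaround. */
    if (!appdata_ptr) {
        appdata_ptr = password;
    }
#endif
    if (!appdata_ptr) {
        debug("ERROR: No password available to password_converstation!\n");
        return PAM_CONV_ERR;
    }
    struct pam_response *reply = static_cast<struct pam_response *>(calloc(num_msg, sizeof(struct pam_response)));
    if (!reply) {
        debug("ERROR: Out of memory!\n");
        return PAM_CONV_ERR;
    }
    reply[0].resp = xstrdup((char *) appdata_ptr);
    reply[0].resp_retcode = 0;
    if (!reply[0].resp) {
        /* do not hand back a half-built response array on failure */
        free(reply);
        return PAM_CONV_ERR;
    }
    *resp = reply;
    return PAM_SUCCESS;
}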
144 | ||
/* Conversation descriptor handed to pam_start(); main() points appdata_ptr at
 * the password of the request being processed before each pam_authenticate(). */
static struct pam_conv conv = { &password_conversation, NULL };
149 | ||
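/**
 * Print the command-line synopsis to stderr; called before exit(1) on a bad option.
 *
 * \param program  argv[0], echoed in the "Usage:" line (read only)
 */
static void usage(const char *program)
{
    fprintf(stderr, "Usage: %s [options..]\n", program);
    fprintf(stderr, " -n service_name\n");
    fprintf(stderr, " The PAM service name (default \"%s\")\n", DEFAULT_SQUID_PAM_SERVICE);
    fprintf(stderr, " -t ttl PAM connection ttl in seconds (default %d)\n", DEFAULT_SQUID_PAM_TTL);
    fprintf(stderr, " during this time the same connection will be reused\n");
    fprintf(stderr, " to authenticate all users\n");
    fprintf(stderr, " -o Do not perform account mgmt (account expiration etc)\n");
    fprintf(stderr, " -1 Only one user authentication per PAM connection\n");
}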
161 | ||
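/**
 * Parse the argument of -t. Unlike atoi(), a malformed or out-of-range value
 * is reported instead of silently becoming 0 (one-shot mode).
 *
 * \param arg  option argument as given on the command line
 * \param ttl  receives the parsed value on success; untouched on failure
 * \return 0 on success, -1 if arg is not a well-formed int
 */
static int
parse_ttl(const char *arg, int *ttl)
{
    char *end = NULL;
    errno = 0;
    const long value = strtol(arg, &end, 10);
    if (end == arg || *end != '\0' || errno == ERANGE || value > INT_MAX || value < INT_MIN) {
        return -1;
    }
    *ttl = static_cast<int>(value);
    return 0;
}

/**
 * Split one request line "user password\n" in place and URL-decode both fields.
 *
 * \param line      the line read by fgets(); modified in place, nothing is allocated.
 *                  After success line itself is the decoded user name.
 * \param password  receives a pointer into line at the decoded password
 * \return 0 on success, -1 if the newline or the field separator is missing
 */
static int
parse_request(char *line, char **password)
{
    char *end = strchr(line, '\n');
    if (!end) {
        return -1;
    }
    *end = '\0';
    char *sep = strchr(line, ' ');
    if (!sep) {
        return -1;
    }
    *sep++ = '\0';
    rfc1738_unescape(line);
    rfc1738_unescape(sep);
    *password = sep;
    return 0;
}

/**
 * Make *pamh usable for the next request.
 *
 * ttl == 0: one-shot mode, a fresh handle bound to this user.
 * ttl != 0: reuse the persistent handle, recycling it once it is older than ttl
 * seconds or when the clock has gone backwards. The persistent handle is started
 * with the placeholder user "squid@"; the caller sets PAM_USER per request.
 *
 * \param last_status  status of the previous request, passed to pam_end() when
 *                     an old handle is released
 * \return PAM_SUCCESS with *pamh set, or the pam_start() error with *pamh NULL
 */
static int
open_pam_handle(const char *service, const char *user, int ttl, pam_handle_t **pamh, time_t *pamh_created, int last_status)
{
    if (ttl == 0) {
        const int rc = pam_start(service, user, &conv, pamh);
        if (rc != PAM_SUCCESS) {
            debug("ERROR: failed to create PAM authenticator\n");
            *pamh = NULL; /* pam_start() failed: treat the handle as absent, never pam_end() it */
        }
        return rc;
    }

    const time_t now = time(NULL);
    if (*pamh && *pamh_created <= now && (now - *pamh_created) < ttl) {
        return PAM_SUCCESS; /* persistent handle still within its ttl */
    }

    /* Expired, never started, or clock went backwards: release and start anew. */
    if (*pamh) {
        if (pam_end(*pamh, last_status) != PAM_SUCCESS) {
            debug("WARNING: failed to release PAM authenticator\n");
        }
        *pamh = NULL;
    }
    const int rc = pam_start(service, "squid@", &conv, pamh);
    if (rc != PAM_SUCCESS) {
        debug("ERROR: failed to create PAM authenticator\n");
        *pamh = NULL;
        return rc;
    }
    *pamh_created = time(NULL);
    return PAM_SUCCESS;
}

/**
 * Helper entry point. Reads "user password" lines (both fields URL-encoded,
 * Squid basic helper protocol) from stdin and answers each with OK or ERR on
 * stdout.
 *
 * Options: -n service, -t ttl (persistent PAM handle reused for ttl seconds),
 * -1 (one handle per request, same as -t 0), -o (skip pam_acct_mgmt()).
 * Returns 0 when stdin reaches EOF; option errors exit(1) after usage().
 */
int
main(int argc, char *argv[])
{
    pam_handle_t *pamh = NULL;
    int retval = PAM_SUCCESS;
    char buf[HELPER_INPUT_BUFFER];
    time_t pamh_created = 0;
    int ttl = DEFAULT_SQUID_PAM_TTL;
    const char *service = DEFAULT_SQUID_PAM_SERVICE;
    int no_acct_mgmt = 0;

    /* Squid reads one reply line per request: flush on every newline. */
    setvbuf(stdout, NULL, _IOLBF, 0);

    for (;;) {
        const int ch = getopt(argc, argv, "1n:t:o");
        if (ch == -1) {
            break;
        }
        switch (ch) {
        case 'n':
            service = optarg;
            break;
        case 't':
            if (parse_ttl(optarg, &ttl) != 0) {
                fprintf(stderr, "FATAL: Invalid ttl '%s'\n", optarg);
                usage(argv[0]);
                exit(1);
            }
            break;
        case '1':
            ttl = 0;
            break;
        case 'o':
            no_acct_mgmt = 1;
            break;
        default:
            fprintf(stderr, "FATAL: Unknown getopt value '%c'\n", ch);
            usage(argv[0]);
            exit(1);
        }
    }
    if (optind < argc) {
        fprintf(stderr, "FATAL: Unknown option '%s'\n", argv[optind]);
        usage(argv[0]);
        exit(1);
    }

    while (fgets(buf, HELPER_INPUT_BUFFER, stdin)) {
        char *user = buf;
        char *password_buf = NULL;
        int authenticated = 0;

        if (!strchr(buf, '\n')) {
            /* The request did not fit in buf. Discard the rest of the line so its
             * tail is not read back as further requests (which would desynchronise
             * the one-reply-per-line protocol); this request gets ERR below. */
            int c;
            while ((c = getchar()) != EOF && c != '\n') {
                ;
            }
        }

        if (parse_request(buf, &password_buf) != 0) {
            debug("ERROR: %s: Unexpected input '%s'\n", argv[0], buf);
        } else {
            conv.appdata_ptr = password_buf; /* points into buf; not allocated */
#if _SQUID_SOLARIS_
            /* Solaris 2.6 drops appdata_ptr on the way to the conversation function */
            password = password_buf;
#endif
            retval = open_pam_handle(service, user, ttl, &pamh, &pamh_created, retval);
            if (ttl != 0) {
                /* persistent handle: bind it to this request's user and conversation */
                if (retval == PAM_SUCCESS) {
                    retval = pam_set_item(pamh, PAM_USER, user);
                }
                if (retval == PAM_SUCCESS) {
                    retval = pam_set_item(pamh, PAM_CONV, &conv);
                }
            }
            if (retval == PAM_SUCCESS) {
                retval = pam_authenticate(pamh, 0);
            }
            if (retval == PAM_SUCCESS && !no_acct_mgmt) {
                retval = pam_acct_mgmt(pamh, 0);
            }
            authenticated = (retval == PAM_SUCCESS);
        }

        if (authenticated) {
            SEND_OK("");
        } else {
            SEND_ERR("");
        }

        /* cleanup: nothing from this request may leak into the next one */
        retval = PAM_SUCCESS;
#if defined(PAM_AUTHTOK)
        if (ttl != 0 && pamh) {
            retval = pam_set_item(pamh, PAM_AUTHTOK, NULL); /* drop the cached password */
        }
#endif
        if (pamh && (ttl == 0 || retval != PAM_SUCCESS)) {
            retval = pam_end(pamh, retval);
            if (retval != PAM_SUCCESS) {
                debug("WARNING: failed to release PAM authenticator\n");
            }
            pamh = NULL;
        }
        conv.appdata_ptr = NULL;
#if _SQUID_SOLARIS_
        password = NULL;
#endif
        /* Wipe the plaintext password from the stack buffer. Plain memset() is
         * not guaranteed to survive optimisation; prefer explicit_bzero() or
         * memset_s() where the platform provides one. */
        memset(buf, 0, sizeof buf);
    }

    if (pamh) {
        retval = pam_end(pamh, retval);
        pamh = NULL;
        if (retval != PAM_SUCCESS) {
            debug("ERROR: failed to release PAM authenticator\n");
        }
    }
    return 0;
}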