helpers/basic_auth/PAM/basic_pam_auth.cc

   1 /*
   2  * PAM authenticator module for Squid.
   3  * Copyright (C) 1999,2002,2003 Henrik Nordstrom <hno@squid-cache.org>
   4  *
   5  *  This program is free software; you can redistribute it and/or modify
   6  *  it under the terms of the GNU General Public License as published by
   7  *  the Free Software Foundation; either version 2 of the License, or
   8  *  (at your option) any later version.
   9  *
  10  *  This program is distributed in the hope that it will be useful,
  11  *  but WITHOUT ANY WARRANTY; without even the implied warranty of
  12  *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  13  *  GNU General Public License for more details.
  14  *
  15  *  You should have received a copy of the GNU General Public License
  16  *  along with this program; if not, write to the Free Software
  17  *  Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111, USA.
  18  *
  19  * Install instructions:
  20  *
  21  * This program authenticates users against a PAM configured authentication
  22  * service "squid". This allows you to authenticate Squid users to any
  23  * authentication source for which you have a PAM module. Commonly available
  24  * PAM modules includes "UNIX", RADIUS, Kerberos and SMB, but a lot of other
  25  * PAM modules are available from various sources.
  26  *
  27  * Example PAM configuration for standard UNIX passwd authentication:
  28  * /etc/pam.conf:
  29  *  squid auth     required /lib/security/pam_unix.so.1
  30  *  squid account  required /lib/security/pam_unix.so.1
  31  *
  32  * Note that some PAM modules (for example shadow password authentication)
  33  * requires the program to be installed suid root to gain access to the
  34  * user password database
  35  *
  36  * Change Log:
  37  *
  38  *   Version 2.3, 2009-11-06
  39  *      Converted to C++. Brought into line with Squid-3 code styles.
  40  *
  41  *   Version 2.2, 2003-11-05
  42  *      One shot mode is now the default mode of operation
  43  *      with persistent PAM connections enabled by -t option.
  44  *      Support for clearing the PAM_AUTHTOK attribute on
  45  *      persistent PAM connections.
  46  *
  47  *   Version 2.1, 2002-08-12
  48  *      Squid-2.5 support (URL encoded login, password strings)
  49  *
  50  *   Version 2.0, 2002-01-07
  51  *      One shot mode, command line options
  52  *      man page
  53  *
  54  *   Version 1.3, 1999-12-10
  55  *      Bugfix release 1.3 to work around Solaris 2.6
  56  *      brokenness (not sending arguments to conversation
  57  *      functions)
  58  *
  59  *   Version 1.2, internal release
  60  *
  61  *   Version 1.1, 1999-05-11
  62  *      Initial version
  63  *
  64  * Compile this program with: gcc -o basic_pam_auth basic_pam_auth.cc -lpam -ldl
  65  */
  66 #include "squid.h"
  67 #include "helpers/defines.h"
  68 #include "rfc1738.h"
  69 #include "util.h"
  70
  71 #include <cassert>
  72 #include <csignal>
  73 #include <cstring>
  74 #include <ctime>
  75 #if HAVE_UNISTD_H
  76 #include <unistd.h>
  77 #endif
  78 #if HAVE_SECURITY_PAM_APPL_H
  79 #include <security/pam_appl.h>
  80 #endif
  81
  82 /* The default PAM service name */
  83 #if !defined(DEFAULT_SQUID_PAM_SERVICE)
  84 #define DEFAULT_SQUID_PAM_SERVICE "squid"
  85 #endif
  86
  87 /* The default TTL */
  88 #if !defined(DEFAULT_SQUID_PAM_TTL)
  89 #define DEFAULT_SQUID_PAM_TTL 0
  90 #endif
  91
  92 #if _SQUID_SOLARIS_
  93 static char *password = NULL;   /* Workaround for Solaris 2.6 brokenness */
  94 #endif
  95
  96 extern "C" int password_conversation(int num_msg, PAM_CONV_FUNC_CONST_PARM struct pam_message **msg,
  97                                      struct pam_response **resp, void *appdata_ptr);
  98
  99 /**
 100  * A simple "conversation" function returning the supplied password.
 101  * Has a bit to much error control, but this is my first PAM application
 102  * so I'd rather check everything than make any mistakes. The function
 103  * expects a single converstation message of type PAM_PROMPT_ECHO_OFF.
 104  */
 105 int
 106 password_conversation(int num_msg, PAM_CONV_FUNC_CONST_PARM struct pam_message **msg, struct pam_response **resp, void *appdata_ptr)
 107 {
 108     if (num_msg != 1 || msg[0]->msg_style != PAM_PROMPT_ECHO_OFF) {
 109         debug("ERROR: Unexpected PAM converstaion '%d/%s'\n", msg[0]->msg_style, msg[0]->msg);
 110         return PAM_CONV_ERR;
 111     }
 112 #if _SQUID_SOLARIS_
 113     if (!appdata_ptr) {
 114         /* Workaround for Solaris 2.6 where the PAM library is broken
 115          * and does not pass appdata_ptr to the conversation routine
 116          */
 117         appdata_ptr = password;
 118     }
 119 #endif
 120     if (!appdata_ptr) {
 121         debug("ERROR: No password available to password_converstation!\n");
 122         return PAM_CONV_ERR;
 123     }
 124     *resp = static_cast<struct pam_response *>(calloc(num_msg, sizeof(struct pam_response)));
 125     if (!*resp) {
 126         debug("ERROR: Out of memory!\n");
 127         return PAM_CONV_ERR;
 128     }
 129     (*resp)[0].resp = xstrdup((char *) appdata_ptr);
 130     (*resp)[0].resp_retcode = 0;
 131
 132     return ((*resp)[0].resp ? PAM_SUCCESS : PAM_CONV_ERR);
 133 }
 134
 135 static struct pam_conv conv = {
 136     &password_conversation,
 137     NULL
 138 };
 139
 140 static void usage(char *program)
 141 {
 142     fprintf(stderr, "Usage: %s [options..]\n", program);
 143     fprintf(stderr, " -n service_name\n");
 144     fprintf(stderr, "           The PAM service name (default \"%s\")\n", DEFAULT_SQUID_PAM_SERVICE);
 145     fprintf(stderr, " -t ttl    PAM connection ttl in seconds (default %d)\n", DEFAULT_SQUID_PAM_TTL);
 146     fprintf(stderr, "           during this time the same connection will be reused\n");
 147     fprintf(stderr, "           to authenticate all users\n");
 148     fprintf(stderr, " -o        Do not perform account mgmt (account expiration etc)\n");
 149     fprintf(stderr, " -1        Only one user authentication per PAM connection\n");
 150     fprintf(stderr, " -r        Detect and remove Negotiate/NTLM realm from username\n");
 151 }
 152
 153 int
 154 main(int argc, char *argv[])
 155 {
 156     pam_handle_t *pamh = NULL;
 157     int retval = PAM_SUCCESS;
 158     char *user;
 159     char *password_buf;
 160     char buf[HELPER_INPUT_BUFFER];
 161     time_t pamh_created = 0;
 162     int ttl = DEFAULT_SQUID_PAM_TTL;
 163     const char *service = DEFAULT_SQUID_PAM_SERVICE;
 164     int no_acct_mgmt = 0;
 165     int no_realm = 0;
 166
 167     /* make standard output line buffered */
 168     setvbuf(stdout, NULL, _IOLBF, 0);
 169
 170     while (1) {
 171         int ch = getopt(argc, argv, "1n:t:or");
 172         switch (ch) {
 173         case -1:
 174             goto start;
 175         case 'n':
 176             service = optarg;
 177             break;
 178         case 't':
 179             ttl = atoi(optarg);
 180             break;
 181         case '1':
 182             ttl = 0;
 183             break;
 184         case 'o':
 185             no_acct_mgmt = 1;
 186             break;
 187         case 'r':
 188             no_realm = 1;
 189             break;
 190         default:
 191             fprintf(stderr, "FATAL: Unknown getopt value '%c'\n", ch);
 192             usage(argv[0]);
 193             exit(1);
 194         }
 195     }
 196 start:
 197     if (optind < argc) {
 198         fprintf(stderr, "FATAL: Unknown option '%s'\n", argv[optind]);
 199         usage(argv[0]);
 200         exit(1);
 201     }
 202
 203     while (fgets(buf, HELPER_INPUT_BUFFER, stdin)) {
 204         user = buf;
 205         password_buf = strchr(buf, '\n');
 206         if (!password_buf) {
 207             debug("ERROR: %s: Unexpected input '%s'\n", argv[0], buf);
 208             goto error;
 209         }
 210         *password_buf = '\0';
 211         password_buf = strchr(buf, ' ');
 212         if (!password_buf) {
 213             debug("ERROR: %s: Unexpected input '%s'\n", argv[0], buf);
 214             goto error;
 215         }
 216         *password_buf = '\0';
 217         ++password_buf;
 218         rfc1738_unescape(user);
 219         rfc1738_unescape(password_buf);
 220         conv.appdata_ptr = (char *) password_buf;       /* from buf above. not allocated */
 221
 222         if (no_realm) {
 223             /* Remove DOMAIN\.. and ...@domain from the user name in case the user
 224              * thought this was an NTLM or Negotiate authentication popup box
 225              */
 226             char * user_ptr = strchr(user, '@');
 227             if (user_ptr) *user_ptr = 0;
 228             else {
 229                 user_ptr = strchr(user, '\\');
 230                 if (user_ptr) user = user_ptr + 1;
 231             }
 232         }
 233
 234 #if _SQUID_SOLARIS_
 235         /* Workaround for Solaris 2.6 where the PAM library is broken
 236          * and does not pass appdata_ptr to the conversation routine
 237          */
 238         password = password_buf;
 239 #endif
 240         if (ttl == 0) {
 241             /* Create PAM connection */
 242             retval = pam_start(service, user, &conv, &pamh);
 243             if (retval != PAM_SUCCESS) {
 244                 debug("ERROR: failed to create PAM authenticator\n");
 245                 goto error;
 246             }
 247         } else if (!pamh || (time(NULL) - pamh_created) >= ttl || pamh_created > time(NULL)) {
 248             /* Close previous PAM connection */
 249             if (pamh) {
 250                 retval = pam_end(pamh, retval);
 251                 if (retval != PAM_SUCCESS) {
 252                     debug("WARNING: failed to release PAM authenticator\n");
 253                 }
 254                 pamh = NULL;
 255             }
 256             /* Initialize persistent PAM connection */
 257             retval = pam_start(service, "squid@", &conv, &pamh);
 258             if (retval != PAM_SUCCESS) {
 259                 debug("ERROR: failed to create PAM authenticator\n");
 260                 goto error;
 261             }
 262             pamh_created = time(NULL);
 263         }
 264         /* Authentication */
 265         retval = PAM_SUCCESS;
 266         if (ttl != 0) {
 267             retval = pam_set_item(pamh, PAM_USER, user);
 268             if (retval == PAM_SUCCESS)
 269                 retval = pam_set_item(pamh, PAM_CONV, &conv);
 270         }
 271         if (retval == PAM_SUCCESS)
 272             retval = pam_authenticate(pamh, 0);
 273         if (retval == PAM_SUCCESS && !no_acct_mgmt)
 274             retval = pam_acct_mgmt(pamh, 0);
 275         if (retval == PAM_SUCCESS) {
 276             SEND_OK("");
 277         } else {
 278 error:
 279             SEND_ERR("");
 280         }
 281         /* cleanup */
 282         retval = PAM_SUCCESS;
 283 #if defined(PAM_AUTHTOK)
 284         if (ttl != 0 && pamh) {
 285             retval = pam_set_item(pamh, PAM_AUTHTOK, NULL);
 286         }
 287 #endif
 288         if (pamh && (ttl == 0 || retval != PAM_SUCCESS)) {
 289             retval = pam_end(pamh, retval);
 290             if (retval != PAM_SUCCESS) {
 291                 debug("WARNING: failed to release PAM authenticator\n");
 292             }
 293             pamh = NULL;
 294         }
 295     }
 296
 297     if (pamh) {
 298         retval = pam_end(pamh, retval);
 299         if (retval != PAM_SUCCESS) {
 300             pamh = NULL;
 301             debug("ERROR: failed to release PAM authenticator\n");
 302         }
 303     }
 304     return 0;
 305 }