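/*
Copyright (c) 1995-1996 by Cisco systems, Inc.

Permission to use, copy, modify, and distribute this software for
any purpose and without fee is hereby granted, provided that this
copyright and permission notice appear on all copies of the
software and supporting documentation, the name of Cisco Systems,
Inc. not be used in advertising or publicity pertaining to
distribution of the program without specific prior permission, and
notice be given in supporting documentation that modification,
copying and distribution is by permission of Cisco Systems, Inc.

Cisco Systems, Inc. makes no representations about the suitability
of this software for any purpose. THIS SOFTWARE IS PROVIDED ``AS
IS'' AND WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING,
WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
FITNESS FOR A PARTICULAR PURPOSE.
*/

/*
 * Shared declarations for the TACACS+ daemon: per-platform build knobs,
 * the on-the-wire packet layouts, the in-memory records handed to the
 * authentication / authorization / accounting code, and the prototypes
 * exported by the other translation units.
 */

/*
 * If you are defining a system from scratch, the following may be useful.
 * Otherwise, just use the system definitions below this section.
 */

/* Define this for minor include file differences on SYSV-based systems */
/* #define SYSV */

/* Define this if your sys_errlist is defined using const */
/* #define CONST_SYSERRLIST */

/* Do you need tacacs+ versions of bzero etc. */
/* #define NEED_BZERO */

/* Define this if you have shadow passwords in /etc/passwd and
 * /etc/shadow. Note that you usually need to be root to read
 * /etc/shadow */
/* #define SHADOW_PASSWORDS */

/* Define this if your malloc is defined in malloc.h instead of stdlib.h */
/* #define STDLIB_MALLOC */

/* Define this if your wait call status is a union as opposed to an int */
/* #define UNIONWAIT */

/* Define this if your signal() uses a function returning void instead
 * of int
 */
/* #define VOIDSIG */

/* Define this if your password file does not contain age and comment fields.
 */
/* #define NO_PWAGE */

/* Define this if you need a getdtablesize routine defined */
/* #define GETDTABLESIZE */

/* Define this if your system does not reap children automatically
 * when you ignore SIGCLD */
/* #define REAPCHILD */

/* Define this if you have DES routines you can link to for ARAP (See
 * the user's guide for more details).
 */
/* #define ARAP_DES */

/* Define this if you find that your daemon quits after being sent more than
 * one SIGUSR1. Some systems need to explicitly rearm signals after they've been
 * used once
 */
/* #define REARMSIGNAL */

/*#define VERSION "3.0.11.alpha"
*/

/*
 * System definitions.
 *
 * Each block below turns on the knobs above for one platform; the build
 * is expected to define exactly one of NETBSD, AIX, LINUX, MIPS, SOLARIS,
 * HPUX, FREEBSD or BSDI.
 */

#ifdef NETBSD
#define STDLIB_MALLOC
#define NO_PWAGE
#define CONST_SYSERRLIST
#define VOIDSIG
#endif

#ifdef AIX

/*
 * The only way to properly compile BSD stuff on AIX is to define a
 * "bsdcc" compiler on your system. See /usr/lpp/bos/bsdport on your
 * system for details. People who do NOT do this tell me that the code
 * still compiles but that it then doesn't behave correctly e.g. child
 * processes are not reaped correctly. Don't expect much sympathy if
 * you do this.
 */

#define _BSD 1
#define _BSD_INCLUDES
#define UNIONWAIT
#define NO_PWAGE
#endif /* AIX */

#ifdef LINUX
#define VOIDSIG
#define NO_PWAGE
#define REAPCHILD
#include <unistd.h>
#define REARMSIGNAL
#endif /* LINUX */

#ifdef MIPS
#define SYSV
#define GETDTABLESIZE
#define REAPCHILD
#define NEED_BZERO
#endif /* MIPS */

#ifdef SOLARIS
#define SYSV
#define GETDTABLESIZE
#define REAPCHILD
#define SHADOW_PASSWORDS
#define NEED_BZERO
#endif /* SOLARIS */

#ifdef HPUX
#define SYSV
#define GETDTABLESIZE
#define REAPCHILD
#define SYSLOG_IN_SYS
#define REARMSIGNAL
#endif /* HPUX */

#ifdef FREEBSD
#define CONST_SYSERRLIST
#define STDLIB_MALLOC
#define VOIDSIG
#define NO_PWAGE
#endif

#ifdef BSDI
#define VOIDSIG
#define STDLIB_MALLOC
#define NO_PWAGE
#endif

/* Size in bytes of one MD5 digest; the packet-body obfuscation in
 * md5_xor() (declared below) works in blocks of this size. */
#define MD5_LEN 16

#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/ioctl.h>
#include <sys/file.h>
#include <sys/time.h>
#include <netinet/in.h>

#include <stdio.h>
#include <errno.h>
#include <pwd.h>
#include <netdb.h>

#ifdef SYSLOG_IN_SYS
#include <syslog.h>
#else
#include <sys/syslog.h>
#endif

#ifdef LINUX
#include <fcntl.h>
#endif


#include <unistd.h>

#ifdef SYSV
#include <fcntl.h>
/* SYSV libcs lack the BSD index(); map it onto the standard strchr(). */
#define index strchr
#else /* ! SYSV */
#include <strings.h>
#endif /* SYSV */

/* Where the daemon records its process id; overridable from the build. */
#ifndef TAC_PLUS_PIDFILE
#define TAC_PLUS_PIDFILE "/etc/tac_plus.pid"
#endif


/*
 * You probably shouldn't be changing much below this line unless you really
 * know what you are doing.
 */

#define DOLLARSIGN '$'

/*
 * XTACACSP protocol definitions
 */

/*
 * This structure describes an authentication method.
 * authen_name contains the name of the authentication method.
 * authen_func is a pointer to the authentication function.
 * authen_type numeric value of the authentication method.
 *
 * authen_func is declared without a prototype (K&R style), so the
 * compiler cannot check the arguments at call sites.  The comment on
 * struct authen_data below says that structure is what the function
 * exchanges data through; the exact signature must be confirmed against
 * the implementations (sendauth_fn, enable_fn, ... declared near the end).
 */

#define AUTHEN_NAME_SIZE 128

struct authen_type {
    char authen_name[AUTHEN_NAME_SIZE];  /* method name, NUL-terminated; copies into it must be bounded */
    int (*authen_func)();                /* unprototyped, see note above */
    int authen_type;                     /* numeric method id */
};

/*
 * This structure describes a principal that is to be authenticated.
 * username is the principals name (ASCII, null terminated)
 * NAS_name is the name of the NAS where the user is
 * NAS_port is the port on the NAS where the user is
 * NAC_address is the remote user location. This may be
 * a remote IP address or a caller-ID or ...
 * priv_lvl user's requested privilege level.
 *
 * All four strings originate from the peer's packet (the user/port/rem_addr
 * fields of the request structures below), so they are untrusted input
 * wherever they are logged or compared.
 */

struct identity {
    char *username;
    char *NAS_name;
    char *NAS_port;
    char *NAC_address;
    int priv_lvl;
};

/*
 * The authen_data structure is the data structure for passing
 * information to and from the authentication function
 * (authen_type.authen_func).
 *
 * "server_*" fields are filled in by the daemon for the reply; "client_*"
 * fields carry what the NAS sent.  server_dlen / client_dlen give the
 * byte counts of the corresponding data buffers, which need not be
 * NUL-terminated.
 */

struct authen_data {
    struct identity *NAS_id;  /* user identity */
    char *server_msg;         /* null-terminated output msg */

    int server_dlen;          /* output data length */
    char *server_data;        /* output data */

    char *client_msg;         /* null-terminated input msg a user typed */

    int client_dlen;          /* input data length */
    char *client_data;        /* input data */

    void *method_data;        /* opaque private method data */
    int action;               /* what's to be done */
    int service;              /* calling service */
    int status;               /* Authen status */
    int type;                 /* Authen type */
    u_char flags;             /* input & output flags fields */
};


/* return values for choose_authen(); */

#define CHOOSE_FAILED  -1  /* failed to choose an authentication function */
#define CHOOSE_OK       0  /* successfully chose an authentication function */
#define CHOOSE_GETUSER  1  /* need a username before choosing */
#define CHOOSE_BADTYPE  2  /* Invalid preferred authen function specified */


/*
 * This structure is the data structure for passing information to
 * and from the authorization function (do_author()).
 *
 * input_args / output_args are arrays of num_in_args / num_out_args
 * "attr=value" or "attr*value" strings; the output set is what the
 * reply carries back to the NAS.
 */
struct author_data {
    struct identity *id;  /* user id */
    int authen_method;    /* authentication method */

/* Values for authen_method (the wire encoding used by the NAS). */
#define AUTHEN_METH_NONE        0x01
#define AUTHEN_METH_KRB5        0x02
#define AUTHEN_METH_LINE        0x03
#define AUTHEN_METH_ENABLE      0x04
#define AUTHEN_METH_LOCAL       0x05
#define AUTHEN_METH_TACACSPLUS  0x06
#define AUTHEN_METH_RCMD        0x20

    int authen_type;      /* authentication type see authen_type */
    int service;          /* calling service */
    char *msg;            /* optional NULL-terminated return message */
    char *admin_msg;      /* optional NULL-terminated admin message */
    int status;           /* return status */

/* Values for status, as sent in the authorization reply. */
#define AUTHOR_STATUS_PASS_ADD   0x01
#define AUTHOR_STATUS_PASS_REPL  0x02
#define AUTHOR_STATUS_FAIL       0x10
#define AUTHOR_STATUS_ERROR      0x11

    int num_in_args;      /* input arg count */
    char **input_args;    /* input arguments */
    int num_out_args;     /* output arg cnt */
    char **output_args;   /* output arguments */

};

/* An API accounting record structure */
struct acct_rec {
    int acct_type;  /* start, stop, update */

#define ACCT_TYPE_START   1
#define ACCT_TYPE_STOP    2
#define ACCT_TYPE_UPDATE  3

    struct identity *identity;
    int authen_method;
    int authen_type;
    int authen_service;
    char *msg;        /* output field */
    char *admin_msg;  /* output field */
    int num_args;     /* number of entries in args */
    char **args;      /* accounting attribute strings from the NAS */
};

/* TCP port the daemon listens on; overridable from the build. */
#ifndef TAC_PLUS_PORT
#define TAC_PLUS_PORT 49
#endif

#define TAC_PLUS_READ_TIMEOUT   180  /* seconds */
#define TAC_PLUS_WRITE_TIMEOUT  180  /* seconds */

#define NAS_PORT_MAX_LEN 255

/*
 * Per-connection state.  The daemon keeps exactly one of these (see the
 * extern below), i.e. one TACACS+ session per process.
 */
struct session {
    int session_id;                 /* host specific unique session id */
    int aborted;                    /* have we received an abort flag? */
    int seq_no;                     /* seq. no. of last packet exchanged */
    time_t last_exch;               /* time of last packet exchange */
    int sock;                       /* socket for this connection */
    char *key;                      /* the key: shared secret used by md5_xor() */
    int keyline;                    /* line number key was found on */
    char *peer;                     /* name of connected peer */
    char *cfgfile;                  /* config file name */
    char *acctfile;                 /* name of accounting file */
    char port[NAS_PORT_MAX_LEN+1];  /* For error reporting; +1 leaves room for the NUL */
    u_char version;                 /* version of last packet read */
};

extern struct session session;  /* the session */

/* Global variables */

/* Get type conflicts with Perl on some Linux unless we do this */
#define debug tacplus_client_debug

extern int debug;          /* debugging flag */
extern int logging;        /* syslog logging flag */
extern int console;        /* log to console */
extern FILE *ostream;      /* for logging to console */
extern int parse_only;     /* exit after parsing verbosely */
extern int sendauth_only;  /* don't do sendauth */

/*
 * All tacacs+ packets have the same header format.
 *
 * The header is read straight off the socket, so every field is
 * attacker-controlled until validated.  session_id and datalength are
 * declared int; TAC_PLUS_HDR_SIZE below fixes the wire size at 12 bytes,
 * which only matches sizeof(struct tac_plus_pak_hdr) where int is 4 bytes.
 * NOTE(review): datalength bounds the body that follows the header; the
 * reader in packet.c should cap it before allocating or reading that many
 * bytes -- confirm there.
 */

struct tac_plus_pak_hdr {
    u_char version;

#define TAC_PLUS_MAJOR_VER_MASK 0xf0
#define TAC_PLUS_MAJOR_VER      0xc0

#define TAC_PLUS_MINOR_VER_0 0x0
#define TAC_PLUS_VER_0 (TAC_PLUS_MAJOR_VER | TAC_PLUS_MINOR_VER_0)

#define TAC_PLUS_MINOR_VER_1 0x01
#define TAC_PLUS_VER_1 (TAC_PLUS_MAJOR_VER | TAC_PLUS_MINOR_VER_1)

    u_char type;

#define TAC_PLUS_AUTHEN 1
#define TAC_PLUS_AUTHOR 2
#define TAC_PLUS_ACCT   3

    u_char seq_no;      /* packet sequence number */
    u_char encryption;  /* packet is encrypted or cleartext */

/*
 * Note the inverted sense: 0 means the body is obfuscated with the
 * MD5-keystream XOR (md5_xor), 1 means it is sent in the clear.  A clear
 * body carries credentials unprotected on the wire.
 */
#define TAC_PLUS_ENCRYPTED 0x0  /* packet is encrypted */
#define TAC_PLUS_CLEAR     0x1  /* packet is not encrypted */

    int session_id;  /* session identifier FIXME: Is this needed? */
    int datalength;  /* length of encrypted data following this
                      * header */
    /* datalength bytes of encrypted data */
};

#define HASH_TAB_SIZE 157  /* user and group hash table sizes */

/* Wire size of struct tac_plus_pak_hdr: 4 bytes of u_char + two 32-bit words. */
#define TAC_PLUS_HDR_SIZE 12

typedef struct tac_plus_pak_hdr HDR;

/*
 * Authentication packet NAS sends to us.
 *
 * The four *_len bytes describe variable data that follows the fixed
 * fields in the order listed at the end of the struct.  Their sum must
 * fit inside the header's datalength; values beyond that are malformed.
 */

struct authen_start {
    u_char action;

#define TAC_PLUS_AUTHEN_LOGIN     0x1
#define TAC_PLUS_AUTHEN_CHPASS    0x2
#define TAC_PLUS_AUTHEN_SENDPASS  0x3  /* deprecated */
#define TAC_PLUS_AUTHEN_SENDAUTH  0x4

    u_char priv_lvl;

#define TAC_PLUS_PRIV_LVL_MIN 0x0
#define TAC_PLUS_PRIV_LVL_MAX 0xf

    u_char authen_type;

#define TAC_PLUS_AUTHEN_TYPE_ASCII 1
#define TAC_PLUS_AUTHEN_TYPE_PAP   2
#define TAC_PLUS_AUTHEN_TYPE_CHAP  3
#define TAC_PLUS_AUTHEN_TYPE_ARAP  4

    u_char service;

#define TAC_PLUS_AUTHEN_SVC_LOGIN  1
#define TAC_PLUS_AUTHEN_SVC_ENABLE 2
#define TAC_PLUS_AUTHEN_SVC_PPP    3
#define TAC_PLUS_AUTHEN_SVC_ARAP   4
#define TAC_PLUS_AUTHEN_SVC_PT     5
#define TAC_PLUS_AUTHEN_SVC_RCMD   6
#define TAC_PLUS_AUTHEN_SVC_X25    7
#define TAC_PLUS_AUTHEN_SVC_NASI   8

    u_char user_len;
    u_char port_len;
    u_char rem_addr_len;
    u_char data_len;
    /* <user_len bytes of char data> */
    /* <port_len bytes of char data> */
    /* <rem_addr_len bytes of u_char data> */
    /* <data_len bytes of u_char data> */
};

#define TAC_AUTHEN_START_FIXED_FIELDS_SIZE 8

/* Authentication continue packet NAS sends to us */
struct authen_cont {
    u_short user_msg_len;
    u_short user_data_len;
    u_char flags;

#define TAC_PLUS_CONTINUE_FLAG_ABORT 0x1

    /* <user_msg_len bytes of u_char data> */
    /* <user_data_len bytes of u_char data> */
};

#define TAC_AUTHEN_CONT_FIXED_FIELDS_SIZE 5

/* Authentication reply packet we send to NAS */
struct authen_reply {
    u_char status;

#define TAC_PLUS_AUTHEN_STATUS_PASS     1
#define TAC_PLUS_AUTHEN_STATUS_FAIL     2
#define TAC_PLUS_AUTHEN_STATUS_GETDATA  3
#define TAC_PLUS_AUTHEN_STATUS_GETUSER  4
#define TAC_PLUS_AUTHEN_STATUS_GETPASS  5
#define TAC_PLUS_AUTHEN_STATUS_RESTART  6
#define TAC_PLUS_AUTHEN_STATUS_ERROR    7
#define TAC_PLUS_AUTHEN_STATUS_FOLLOW   0x21

    u_char flags;

#define TAC_PLUS_AUTHEN_FLAG_NOECHO 0x1  /* NAS should not echo the user's input */

    u_short msg_len;
    u_short data_len;

    /* <msg_len bytes of char data> */
    /* <data_len bytes of u_char data> */
};

#define TAC_AUTHEN_REPLY_FIXED_FIELDS_SIZE 6

/*
 * An authorization request packet.
 *
 * arg_cnt length bytes precede the user/port/rem_addr strings; each
 * argument length and the three *_len fields are all peer-supplied.
 */
struct author {
    u_char authen_method;
    u_char priv_lvl;
    u_char authen_type;
    u_char service;

    u_char user_len;
    u_char port_len;
    u_char rem_addr_len;
    u_char arg_cnt;  /* the number of args */

    /* <arg_cnt u_chars containing the lengths of args 1 to arg n> */
    /* <user_len bytes of char data> */
    /* <port_len bytes of char data> */
    /* <rem_addr_len bytes of u_char data> */
    /* <char data for each arg> */
};

#define TAC_AUTHOR_REQ_FIXED_FIELDS_SIZE 8

/* An authorization reply packet */
struct author_reply {
    u_char status;
    u_char arg_cnt;
    u_short msg_len;
    u_short data_len;

    /* <arg_cnt u_chars containing the lengths of arg 1 to arg n> */
    /* <msg_len bytes of char data> */
    /* <data_len bytes of char data> */
    /* <char data for each arg> */
};

#define TAC_AUTHOR_REPLY_FIXED_FIELDS_SIZE 6

/* An accounting request packet; same variable-data layout as struct author. */
struct acct {
    u_char flags;

#define TAC_PLUS_ACCT_FLAG_MORE     0x1
#define TAC_PLUS_ACCT_FLAG_START    0x2
#define TAC_PLUS_ACCT_FLAG_STOP     0x4
#define TAC_PLUS_ACCT_FLAG_WATCHDOG 0x8

    u_char authen_method;
    u_char priv_lvl;
    u_char authen_type;
    u_char authen_service;
    u_char user_len;
    u_char port_len;
    u_char rem_addr_len;
    u_char arg_cnt;  /* the number of cmd args */
    /* one u_char containing size for each arg */
    /* <user_len bytes of char data> */
    /* <port_len bytes of char data> */
    /* <rem_addr_len bytes of u_char data> */
    /* char data for args 1 ... n */
};

#define TAC_ACCT_REQ_FIXED_FIELDS_SIZE 9

/* An accounting reply packet */
struct acct_reply {
    u_short msg_len;
    u_short data_len;
    u_char status;

#define TAC_PLUS_ACCT_STATUS_SUCCESS 0x1
#define TAC_PLUS_ACCT_STATUS_ERROR   0x2
#define TAC_PLUS_ACCT_STATUS_FOLLOW  0x21

};

#define TAC_ACCT_REPLY_FIXED_FIELDS_SIZE 5

/* Odds and ends */
#define TAC_PLUS_MAX_ITERATIONS 50
#undef MIN
/* Classic macro: each argument is evaluated twice, so keep side effects out. */
#define MIN(a,b) ((a)<(b)?(a):(b))
/* True when the two NUL-terminated strings are equal; arguments parenthesised
 * so that expressions such as a ternary can be passed safely. */
#define STREQ(a,b) (strcmp((a),(b))==0)
#define MAX_INPUT_LINE_LEN 255

/* Debugging flags: bit values OR'ed into the global "debug". */

#define DEBUG_PARSE_FLAG     2
#define DEBUG_FORK_FLAG      4
#define DEBUG_AUTHOR_FLAG    8
#define DEBUG_AUTHEN_FLAG    16
#define DEBUG_PASSWD_FLAG    32
#define DEBUG_ACCT_FLAG      64
#define DEBUG_CONFIG_FLAG    128
#define DEBUG_PACKET_FLAG    256
#define DEBUG_HEX_FLAG       512
#define DEBUG_MD5_HASH_FLAG  1024
#define DEBUG_XOR_FLAG       2048
#define DEBUG_CLEAN_FLAG     4096
#define DEBUG_SUBST_FLAG     8192
#define DEBUG_PROXY_FLAG     16384
#define DEBUG_MAXSESS_FLAG   32768


extern char *codestring();
extern int keycode();

#define TAC_IS_USER       1
#define TAC_PLUS_RECURSE   1
#define TAC_PLUS_NORECURSE 0

/* Config entry consulted when no entry exists for the presented username. */
#define DEFAULT_USERNAME "DEFAULT"

#include "parse.h"

/* Node types */

#define N_arg      50
#define N_optarg   51
#define N_svc_exec 52
#define N_svc_slip 53
#define N_svc_ppp  54
#define N_svc_arap 55
#define N_svc_cmd  56
#define N_permit   57
#define N_deny     58
#define N_svc      59

/* A parse tree node */
struct node {
    int type;      /* node type (arg, svc, proto) */
    void *next;    /* pointer to next node in chain */
    void *value;   /* node value */
    void *value1;  /* node value */
    int dflt;      /* default value for node */
    int line;      /* line number declared on */
};

typedef struct node NODE;

/* A config value: either an integer or a pointer, depending on the node type. */
union v {
    int intval;
    void *pval;
};

typedef union v VALUE;

/*
 * Prototypes exported by the other translation units.  Most are K&R-style
 * (empty parentheses), so argument types are not checked at call sites.
 */

/* acct.c */
extern void accounting();

/* report.c */
extern void report_string();
extern void report_hex();
extern void report();

/* packet.c */
extern u_char *get_authen_continue();
extern int send_authen_reply();

/* utils.c */
extern char *tac_malloc();
extern char *tac_strdup();
extern char *tac_make_string();
extern char *tac_find_substring();
extern char *tac_realloc();

/* dump.c */
extern char *summarise_outgoing_packet_type();
extern char *summarise_incoming_packet_type();

/* author.c */
extern void author();

/* hash.c */
extern void *hash_add_entry();
extern void **hash_get_entries();
extern void *hash_lookup();

/* config.c */
extern int cfg_get_intvalue();
extern char * cfg_get_pvalue();
extern char *cfg_get_authen_default();
extern char **cfg_get_svc_attrs();
extern NODE *cfg_get_cmd_node();
extern NODE *cfg_get_svc_node();
extern char *cfg_get_expires();
extern char *cfg_get_login_secret();
extern char *cfg_get_arap_secret();
extern char *cfg_get_chap_secret();
extern char *cfg_get_pap_secret();
extern char *cfg_get_opap_secret();
extern char *cfg_get_global_secret();
extern void cfg_clean_config();
extern char *cfg_nodestring();

/* pw.c */
extern struct passwd *tac_passwd_lookup();

/* parse.c */
extern void parser_init();

/* pwlib.c */
extern void set_expiration_status();

/* miscellaneous */
#ifdef CONST_SYSERRLIST
/* Only declared on platforms that asked for it; strerror() is the portable choice. */
extern const char *const sys_errlist[];
#else
/*extern char *sys_errlist[];*/
#endif

/*
 * errno comes from <errno.h>, included above.  A program that declares
 * errno itself has undefined behaviour (C99 7.5), and on libcs where errno
 * is a macro the old "extern int errno;" expanded to something else
 * entirely, so the declaration is deliberately absent here.
 */

/* Authentication method implementations (see authen_type.authen_func). */
extern int sendauth_fn();
extern int sendpass_fn();
extern int enable_fn();
extern int default_fn();
extern int default_v0_fn();
extern int skey_fn();

/*
 * Obfuscate or de-obfuscate hdr->datalength bytes at data in place by
 * XORing them with an MD5-derived keystream built from key, the session
 * id, version and sequence number in hdr.  The operation is its own
 * inverse.  Return value: see the definition in the md5 source.
 */
int md5_xor(HDR* hdr, u_char* data, char* key);

#ifdef MAXSESS

extern void maxsess_loginit();
extern int maxsess_check_count();

/*
 * This is a shared file used to maintain a record of who's on.
 * NOTE(review): /var/tmp is normally world-writable, so a shared state
 * file there can be replaced or pre-created by any local user; a
 * daemon-owned directory would be safer.
 */
#define WHOLOG "/var/tmp/tac.who_log"

/*
 * This is state kept per user/session.
 * The fields are fixed-size buffers; anything copied into them from a
 * struct identity must be truncated and NUL-terminated by the caller.
 */
struct peruser {
    char username[64];     /* User name */
    char NAS_name[32];     /* NAS user logged into */
    char NAS_port[32];     /* ...port on that NAS */
    char NAC_address[32];  /* ...IP address of NAS */
};

#endif /* MAXSESS */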