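/*
 * ProFTPD - FTP server daemon
 * Copyright (c) 2004-2020 The ProFTPD Project team
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 2 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write to the Free Software
 * Foundation, Inc., 51 Franklin Street, Suite 500, Boston, MA 02110-1335, USA.
 *
 * As a special exemption, the ProFTPD Project and other respective copyright
 * holders give permission to link this program with OpenSSL, and distribute
 * the resulting executable, without including the source code for OpenSSL in
 * the source distribution.
 */

/* ProFTPD Auth API
 *
 * Declarations for the authentication layer used by mod_auth.  Most
 * functions take a leading `pool *`; it is the caller-provided memory pool
 * and presumably backs any data the function returns (confirm against the
 * implementation before relying on the lifetime of returned pointers).
 */

#ifndef PR_AUTH_H
#define PR_AUTH_H

/* Possible return codes for auth handlers.
 *
 * PR_AUTH_OK (0) means a normal, password-based success; the positive codes
 * are the other success outcomes; every negative code is a failure.  The
 * negative codes are parenthesized so that each macro expands safely in any
 * expression context.
 */

/* Account authenticated by means other than PASS (e.g. RFC2228 modules).
 * This value is more generic than PR_AUTH_RFC2228_OK.
 */
#define PR_AUTH_OK_NO_PASS		3

/* Account authenticated by RFC2228 security data exchange */
#define PR_AUTH_RFC2228_OK		2

/* Account authenticated normally */
#define PR_AUTH_OK			0

/* Error occurred in auth handler */
#define PR_AUTH_ERROR			(-1)

/* Account does not exist */
#define PR_AUTH_NOPWD			(-2)

/* Password mismatch */
#define PR_AUTH_BADPWD			(-3)

/* Password hasn't been changed recently enough */
#define PR_AUTH_AGEPWD			(-4)

/* Account has been disabled */
#define PR_AUTH_DISABLEDPWD		(-5)

/* Insufficient credentials. */
#define PR_AUTH_CRED_INSUFFICIENT	(-6)

/* Unavailable credentials. */
#define PR_AUTH_CRED_UNAVAIL		(-7)

/* Failure setting/using credentials. */
#define PR_AUTH_CRED_ERROR		(-8)

/* Unavailable credential/authentication service. */
#define PR_AUTH_INFO_UNAVAIL		(-9)

/* Max authentication attempts reached. */
#define PR_AUTH_MAX_ATTEMPTS_EXCEEDED	(-10)

/* Authentication service initialization failure. */
#define PR_AUTH_INIT_ERROR		(-11)

/* New authentication token/credentials needed. */
#define PR_AUTH_NEW_TOKEN_REQUIRED	(-12)

/* Auth API counterparts of the <pwd.h>/<grp.h> enumeration calls
 * (setpwent(3)/endpwent(3)/setgrent(3)/endgrent(3)), judging by their names;
 * how they dispatch to authentication modules is defined in the
 * implementation, not here.
 */
void pr_auth_setpwent(pool *);
void pr_auth_endpwent(pool *);
void pr_auth_setgrent(pool *);
void pr_auth_endgrent(pool *);

/* Auth API counterparts of the <pwd.h>/<grp.h> lookup calls.  Each returns
 * a pointer to a passwd/group record, or NULL presumably when no record is
 * found (confirm the NULL contract in the implementation).
 */
struct passwd *pr_auth_getpwent(pool *);
struct group *pr_auth_getgrent(pool *);
struct passwd *pr_auth_getpwnam(pool *, const char *);
struct passwd *pr_auth_getpwuid(pool *, uid_t);
struct group *pr_auth_getgrnam(pool *, const char *);
struct group *pr_auth_getgrgid(pool *, gid_t);

/* Core authentication entry points.  The int results are the PR_AUTH_*
 * codes above.  The roles of the string arguments (e.g. which is the user
 * name and which the password) are not documented in this header; consult
 * the implementation before calling.
 */
int pr_auth_authenticate(pool *, const char *, const char *);
int pr_auth_authorize(pool *, const char *);
int pr_auth_check(pool *, const char *, const char *, const char *);

/* ID <-> name mapping, per the function names.  The name2uid/name2gid
 * functions return a uid_t/gid_t directly, so the error value they use on
 * an unknown name is defined by the implementation, not here.
 */
const char *pr_auth_uid2name(pool *, uid_t);
const char *pr_auth_gid2name(pool *, gid_t);
uid_t pr_auth_name2uid(pool *, const char *);
gid_t pr_auth_name2gid(pool *, const char *);

/* Group membership lookup: the two `array_header **` parameters are output
 * parameters (presumably the GIDs and the group names; confirm in auth.c).
 */
int pr_auth_getgroups(pool *, const char *, array_header **, array_header **);

/* Whether the named user must still supply a password (int result; the
 * exact encoding is defined by the implementation).
 */
int pr_auth_requires_pass(pool *, const char *);

/* This is a convenience function used by mod_auth as part of the
 * authentication process.  Given a user name, retrieve the <Anonymous>
 * configuration for that user.  If the user name is not to be handled as
 * an anonymous login, NULL is returned.  login_user, real_user and anon_user
 * are passed by pointer and so may be updated by the call.
 */
config_rec *pr_auth_get_anon_config(pool *p, const char **login_user,
  char **real_user, char **anon_user);

/* Wrapper function around the chroot(2) system call, handles setting of
 * appropriate environment variables if necessary.
 */
int pr_auth_chroot(const char *);

/* Check the /etc/ftpusers file, as per the UseFtpUsers directive, to see
 * if the given user is allowed.  Returns TRUE if the user is banned by
 * /etc/ftpusers, FALSE if not banned, and -1 if there was an error.
 *
 * Because -1 is nonzero, callers must compare the result against TRUE/FALSE
 * explicitly rather than testing it for truth.
 */
int pr_auth_banned_by_ftpusers(xaset_t *, const char *);

/* Check the /etc/shells file, as per the RequireValidShell directive, to
 * ensure that the given shell is valid.  Returns TRUE if the user has
 * a valid shell, FALSE if an invalid shell, and -1 if there was an error.
 *
 * Because -1 is nonzero, a caller that simply tests the result for truth
 * would treat an error as a valid shell; compare against TRUE explicitly.
 */
int pr_auth_is_valid_shell(xaset_t *, const char *);

/* Add to the list of authenticating-only modules (e.g. PAM). */
int pr_auth_add_auth_only_module(const char *);

/* Remove the named module from the list of authenticating-only modules. */
int pr_auth_remove_auth_only_module(const char *);

/* Clear the authenticating-only module list, e.g. when authentication has
 * completed.
 */
int pr_auth_clear_auth_only_modules(void);

/* Clears any cached IDs/names. */
void pr_auth_cache_clear(void);

/* Enable caching of certain data within the Auth API.  `flags` is a bitmask
 * of the PR_AUTH_CACHE_FL_* values below; the BAD_* flags select caching of
 * lookups that failed, so a miss is not retried on every request.
 */
int pr_auth_cache_set(int enable, unsigned int flags);
#define PR_AUTH_CACHE_FL_UID2NAME	0x00001
#define PR_AUTH_CACHE_FL_GID2NAME	0x00002
#define PR_AUTH_CACHE_FL_AUTH_MODULE	0x00004
#define PR_AUTH_CACHE_FL_NAME2UID	0x00008
#define PR_AUTH_CACHE_FL_NAME2GID	0x00010
#define PR_AUTH_CACHE_FL_BAD_UID2NAME	0x00020
#define PR_AUTH_CACHE_FL_BAD_GID2NAME	0x00040
#define PR_AUTH_CACHE_FL_BAD_NAME2UID	0x00080
#define PR_AUTH_CACHE_FL_BAD_NAME2GID	0x00100

/* Default Auth API cache flags/settings: every flag above is enabled. */
#define PR_AUTH_CACHE_FL_DEFAULT \
  (PR_AUTH_CACHE_FL_UID2NAME|\
   PR_AUTH_CACHE_FL_GID2NAME|\
   PR_AUTH_CACHE_FL_AUTH_MODULE|\
   PR_AUTH_CACHE_FL_NAME2UID|\
   PR_AUTH_CACHE_FL_NAME2GID|\
   PR_AUTH_CACHE_FL_BAD_UID2NAME|\
   PR_AUTH_CACHE_FL_BAD_GID2NAME|\
   PR_AUTH_CACHE_FL_BAD_NAME2UID|\
   PR_AUTH_CACHE_FL_BAD_NAME2GID)

/* Wrapper function for retrieving the user's home directory.  This handles
 * any possible RewriteHome configuration.
 */
const char *pr_auth_get_home(pool *, const char *pw_dir);

/* Policy setting for the maximum allowable password length.  This is
 * supported for mitigating a potential resource consumption attack via the
 * crypt(3) function, whose cost grows with the length of the input.  The
 * returned size_t is presumably the previously configured limit (confirm
 * in the implementation).
 */
size_t pr_auth_set_max_password_len(pool *p, size_t len);

/* Pool-using convenience wrapper for the bcrypt() function.  hashed_len is
 * an output parameter; it presumably receives the length of the returned
 * hash (confirm in the implementation).
 */
char *pr_auth_bcrypt(pool *p, const char *key, const char *salt,
  size_t *hashed_len);

/* For internal use only. */
int init_auth(void);
int set_groups(pool *, gid_t, array_header *);

#endif /* PR_AUTH_H */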