1 /* $OpenBSD: auth.c,v 1.23 2002/07/01 19:31:37 deraadt Exp $ */ 2 3 /* 4 * auth.c - PPP authentication and phase control. 5 * 6 * Copyright (c) 1993 The Australian National University. 7 * All rights reserved. 8 * 9 * Redistribution and use in source and binary forms are permitted 10 * provided that the above copyright notice and this paragraph are 11 * duplicated in all such forms and that any documentation, 12 * advertising materials, and other materials related to such 13 * distribution and use acknowledge that the software was developed 14 * by the Australian National University. The name of the University 15 * may not be used to endorse or promote products derived from this 16 * software without specific prior written permission. 17 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR 18 * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED 19 * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. 20 * 21 * Copyright (c) 1984-2000 Carnegie Mellon University. All rights reserved. 22 * 23 * Redistribution and use in source and binary forms, with or without 24 * modification, are permitted provided that the following conditions 25 * are met: 26 * 27 * 1. Redistributions of source code must retain the above copyright 28 * notice, this list of conditions and the following disclaimer. 29 * 30 * 2. Redistributions in binary form must reproduce the above copyright 31 * notice, this list of conditions and the following disclaimer in 32 * the documentation and/or other materials provided with the 33 * distribution. 34 * 35 * 3. The name "Carnegie Mellon University" must not be used to 36 * endorse or promote products derived from this software without 37 * prior written permission. For permission or any legal 38 * details, please contact 39 * Office of Technology Transfer 40 * Carnegie Mellon University 41 * 5000 Forbes Avenue 42 * Pittsburgh, PA 15213-3890 43 * (412) 268-4387, fax: (412) 268-7395 44 * tech-transfer@andrew.cmu.edu 45 * 46 * 4. Redistributions of any form whatsoever must retain the following 47 * acknowledgment: 48 * "This product includes software developed by Computing Services 49 * at Carnegie Mellon University (http://www.cmu.edu/computing/)." 50 * 51 * CARNEGIE MELLON UNIVERSITY DISCLAIMS ALL WARRANTIES WITH REGARD TO 52 * THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY 53 * AND FITNESS, IN NO EVENT SHALL CARNEGIE MELLON UNIVERSITY BE LIABLE 54 * FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 55 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN 56 * AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING 57 * OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 58 */ 59 60 #ifndef lint 61 #if 0 62 static char rcsid[] = "Id: auth.c,v 1.37 1998/03/26 04:46:03 paulus Exp $"; 63 #else 64 static char rcsid[] = "$OpenBSD: auth.c,v 1.23 2002/07/01 19:31:37 deraadt Exp $"; 65 #endif 66 #endif 67 68 #include <stdio.h> 69 #include <stddef.h> 70 #include <stdlib.h> 71 #include <unistd.h> 72 #include <syslog.h> 73 #include <pwd.h> 74 #include <string.h> 75 #include <sys/types.h> 76 #include <sys/stat.h> 77 #include <sys/socket.h> 78 #include <utmp.h> 79 #include <fcntl.h> 80 #if defined(_PATH_LASTLOG) && defined(_linux_) 81 #include <lastlog.h> 82 #endif 83 84 #include <netdb.h> 85 #include <netinet/in.h> 86 #include <arpa/inet.h> 87 88 #ifdef USE_PAM 89 #include <security/pam_appl.h> 90 #endif 91 92 #ifdef HAS_SHADOW 93 #include <shadow.h> 94 #ifndef PW_PPP 95 #define PW_PPP PW_LOGIN 96 #endif 97 #endif 98 99 #include "pppd.h" 100 #include "fsm.h" 101 #include "lcp.h" 102 #include "ipcp.h" 103 #include "upap.h" 104 #include "chap.h" 105 #ifdef CBCP_SUPPORT 106 #include "cbcp.h" 107 #endif 108 #include "pathnames.h" 109 110 /* Used for storing a sequence of words. Usually malloced. */ 111 struct wordlist { 112 struct wordlist *next; 113 char word[1]; 114 }; 115 116 /* Bits in scan_authfile return value */ 117 #define NONWILD_SERVER 1 118 #define NONWILD_CLIENT 2 119 120 #define ISWILD(word) (word[0] == '*' && word[1] == 0) 121 122 #define FALSE 0 123 #define TRUE 1 124 125 /* The name by which the peer authenticated itself to us. */ 126 char peer_authname[MAXNAMELEN]; 127 128 /* Records which authentication operations haven't completed yet. */ 129 static int auth_pending[NUM_PPP]; 130 131 /* Set if we have successfully called plogin() */ 132 static int logged_in; 133 134 /* Set if we have run the /etc/ppp/auth-up script. */ 135 static int did_authup; 136 137 /* List of addresses which the peer may use. */ 138 static struct wordlist *addresses[NUM_PPP]; 139 140 /* Number of network protocols which we have opened. */ 141 static int num_np_open; 142 143 /* Number of network protocols which have come up. */ 144 static int num_np_up; 145 146 /* Set if we got the contents of passwd[] from the pap-secrets file. */ 147 static int passwd_from_file; 148 149 /* Bits in auth_pending[] */ 150 #define PAP_WITHPEER 1 151 #define PAP_PEER 2 152 #define CHAP_WITHPEER 4 153 #define CHAP_PEER 8 154 155 extern char *crypt(const char *, const char *); 156 157 /* Prototypes for procedures local to this file. */ 158 159 static void network_phase(int); 160 static void check_idle(void *); 161 static void connect_time_expired(void *); 162 static int plogin(char *, char *, char **, int *); 163 static void plogout(void); 164 static int null_login(int); 165 static int get_pap_passwd(char *); 166 static int have_pap_secret(void); 167 static int have_chap_secret(char *, char *, u_int32_t); 168 static int ip_addr_check(u_int32_t, struct wordlist *); 169 static int scan_authfile(FILE *, char *, char *, u_int32_t, char *, 170 struct wordlist **, char *); 171 static void free_wordlist(struct wordlist *); 172 static void auth_script(char *); 173 static void set_allowed_addrs(int, struct wordlist *); 174 175 /* 176 * An Open on LCP has requested a change from Dead to Establish phase. 177 * Do what's necessary to bring the physical layer up. 178 */ 179 void 180 link_required(unit) 181 int unit; 182 { 183 } 184 185 /* 186 * LCP has terminated the link; go to the Dead phase and take the 187 * physical layer down. 188 */ 189 void 190 link_terminated(unit) 191 int unit; 192 { 193 if (phase == PHASE_DEAD) 194 return; 195 if (logged_in) 196 plogout(); 197 phase = PHASE_DEAD; 198 syslog(LOG_NOTICE, "Connection terminated."); 199 } 200 201 /* 202 * LCP has gone down; it will either die or try to re-establish. 203 */ 204 void 205 link_down(unit) 206 int unit; 207 { 208 int i; 209 struct protent *protp; 210 211 if (did_authup) { 212 auth_script(_PATH_AUTHDOWN); 213 did_authup = 0; 214 } 215 for (i = 0; (protp = protocols[i]) != NULL; ++i) { 216 if (!protp->enabled_flag) 217 continue; 218 if (protp->protocol != PPP_LCP && protp->lowerdown != NULL) 219 (*protp->lowerdown)(unit); 220 if (protp->protocol < 0xC000 && protp->close != NULL) 221 (*protp->close)(unit, "LCP down"); 222 } 223 num_np_open = 0; 224 num_np_up = 0; 225 if (phase != PHASE_DEAD) 226 phase = PHASE_TERMINATE; 227 } 228 229 /* 230 * The link is established. 231 * Proceed to the Dead, Authenticate or Network phase as appropriate. 232 */ 233 void 234 link_established(unit) 235 int unit; 236 { 237 int auth; 238 lcp_options *wo = &lcp_wantoptions[unit]; 239 lcp_options *go = &lcp_gotoptions[unit]; 240 lcp_options *ho = &lcp_hisoptions[unit]; 241 int i; 242 struct protent *protp; 243 244 /* 245 * Tell higher-level protocols that LCP is up. 246 */ 247 for (i = 0; (protp = protocols[i]) != NULL; ++i) 248 if (protp->protocol != PPP_LCP && protp->enabled_flag 249 && protp->lowerup != NULL) 250 (*protp->lowerup)(unit); 251 252 if (auth_required && !(go->neg_chap || go->neg_upap)) { 253 /* 254 * We wanted the peer to authenticate itself, and it refused: 255 * treat it as though it authenticated with PAP using a username 256 * of "" and a password of "". If that's not OK, boot it out. 257 */ 258 if (!wo->neg_upap || !null_login(unit)) { 259 syslog(LOG_WARNING, "peer refused to authenticate"); 260 lcp_close(unit, "peer refused to authenticate"); 261 return; 262 } 263 } 264 265 phase = PHASE_AUTHENTICATE; 266 auth = 0; 267 if (go->neg_chap) { 268 ChapAuthPeer(unit, our_name, go->chap_mdtype); 269 auth |= CHAP_PEER; 270 } else if (go->neg_upap) { 271 upap_authpeer(unit); 272 auth |= PAP_PEER; 273 } 274 if (ho->neg_chap) { 275 ChapAuthWithPeer(unit, user, ho->chap_mdtype); 276 auth |= CHAP_WITHPEER; 277 } else if (ho->neg_upap) { 278 if (passwd[0] == 0) { 279 passwd_from_file = 1; 280 if (!get_pap_passwd(passwd)) 281 syslog(LOG_ERR, "No secret found for PAP login"); 282 } 283 upap_authwithpeer(unit, user, passwd); 284 auth |= PAP_WITHPEER; 285 } 286 auth_pending[unit] = auth; 287 288 if (!auth) 289 network_phase(unit); 290 } 291 292 /* 293 * Proceed to the network phase. 294 */ 295 static void 296 network_phase(unit) 297 int unit; 298 { 299 int i; 300 struct protent *protp; 301 lcp_options *go = &lcp_gotoptions[unit]; 302 303 /* 304 * If the peer had to authenticate, run the auth-up script now. 305 */ 306 if ((go->neg_chap || go->neg_upap) && !did_authup) { 307 auth_script(_PATH_AUTHUP); 308 did_authup = 1; 309 } 310 311 #ifdef CBCP_SUPPORT 312 /* 313 * If we negotiated callback, do it now. 314 */ 315 if (go->neg_cbcp) { 316 phase = PHASE_CALLBACK; 317 (*cbcp_protent.open)(unit); 318 return; 319 } 320 #endif 321 322 phase = PHASE_NETWORK; 323 #if 0 324 if (!demand) 325 set_filters(&pass_filter, &active_filter); 326 #endif 327 for (i = 0; (protp = protocols[i]) != NULL; ++i) 328 if (protp->protocol < 0xC000 && protp->enabled_flag 329 && protp->open != NULL) { 330 (*protp->open)(unit); 331 if (protp->protocol != PPP_CCP) 332 ++num_np_open; 333 } 334 335 if (num_np_open == 0) 336 /* nothing to do */ 337 lcp_close(0, "No network protocols running"); 338 } 339 340 /* 341 * The peer has failed to authenticate himself using `protocol'. 342 */ 343 void 344 auth_peer_fail(unit, protocol) 345 int unit, protocol; 346 { 347 /* 348 * Authentication failure: take the link down 349 */ 350 lcp_close(unit, "Authentication failed"); 351 } 352 353 /* 354 * The peer has been successfully authenticated using `protocol'. 355 */ 356 void 357 auth_peer_success(unit, protocol, name, namelen) 358 int unit, protocol; 359 char *name; 360 int namelen; 361 { 362 int bit; 363 364 switch (protocol) { 365 case PPP_CHAP: 366 bit = CHAP_PEER; 367 break; 368 case PPP_PAP: 369 bit = PAP_PEER; 370 break; 371 default: 372 syslog(LOG_WARNING, "auth_peer_success: unknown protocol %x", 373 protocol); 374 return; 375 } 376 377 /* 378 * Save the authenticated name of the peer for later. 379 */ 380 if (namelen > sizeof(peer_authname) - 1) 381 namelen = sizeof(peer_authname) - 1; 382 BCOPY(name, peer_authname, namelen); 383 peer_authname[namelen] = 0; 384 script_setenv("PEERNAME", peer_authname); 385 386 /* 387 * If there is no more authentication still to be done, 388 * proceed to the network (or callback) phase. 389 */ 390 if ((auth_pending[unit] &= ~bit) == 0) 391 network_phase(unit); 392 } 393 394 /* 395 * We have failed to authenticate ourselves to the peer using `protocol'. 396 */ 397 void 398 auth_withpeer_fail(unit, protocol) 399 int unit, protocol; 400 { 401 if (passwd_from_file) 402 BZERO(passwd, MAXSECRETLEN); 403 /* 404 * We've failed to authenticate ourselves to our peer. 405 * He'll probably take the link down, and there's not much 406 * we can do except wait for that. 407 */ 408 } 409 410 /* 411 * We have successfully authenticated ourselves with the peer using `protocol'. 412 */ 413 void 414 auth_withpeer_success(unit, protocol) 415 int unit, protocol; 416 { 417 int bit; 418 419 switch (protocol) { 420 case PPP_CHAP: 421 bit = CHAP_WITHPEER; 422 break; 423 case PPP_PAP: 424 if (passwd_from_file) 425 BZERO(passwd, MAXSECRETLEN); 426 bit = PAP_WITHPEER; 427 break; 428 default: 429 syslog(LOG_WARNING, "auth_peer_success: unknown protocol %x", 430 protocol); 431 bit = 0; 432 } 433 434 /* 435 * If there is no more authentication still being done, 436 * proceed to the network (or callback) phase. 437 */ 438 if ((auth_pending[unit] &= ~bit) == 0) 439 network_phase(unit); 440 } 441 442 443 /* 444 * np_up - a network protocol has come up. 445 */ 446 void 447 np_up(unit, proto) 448 int unit, proto; 449 { 450 if (num_np_up == 0) { 451 /* 452 * At this point we consider that the link has come up successfully. 453 */ 454 need_holdoff = 0; 455 456 if (idle_time_limit > 0) 457 TIMEOUT(check_idle, NULL, idle_time_limit); 458 459 /* 460 * Set a timeout to close the connection once the maximum 461 * connect time has expired. 462 */ 463 if (maxconnect > 0) 464 TIMEOUT(connect_time_expired, 0, maxconnect); 465 466 /* 467 * Detach now, if the updetach option was given. 468 */ 469 if (nodetach == -1) 470 detach(); 471 } 472 ++num_np_up; 473 } 474 475 /* 476 * np_down - a network protocol has gone down. 477 */ 478 void 479 np_down(unit, proto) 480 int unit, proto; 481 { 482 if (--num_np_up == 0 && idle_time_limit > 0) { 483 UNTIMEOUT(check_idle, NULL); 484 } 485 } 486 487 /* 488 * np_finished - a network protocol has finished using the link. 489 */ 490 void 491 np_finished(unit, proto) 492 int unit, proto; 493 { 494 if (--num_np_open <= 0) { 495 /* no further use for the link: shut up shop. */ 496 lcp_close(0, "No network protocols running"); 497 } 498 } 499 500 /* 501 * check_idle - check whether the link has been idle for long 502 * enough that we can shut it down. 503 */ 504 static void 505 check_idle(arg) 506 void *arg; 507 { 508 struct ppp_idle idle; 509 time_t itime; 510 511 if (!get_idle_time(0, &idle)) 512 return; 513 itime = MIN(idle.xmit_idle, idle.recv_idle); 514 if (itime >= idle_time_limit) { 515 /* link is idle: shut it down. */ 516 syslog(LOG_INFO, "Terminating connection due to lack of activity."); 517 lcp_close(0, "Link inactive"); 518 } else { 519 TIMEOUT(check_idle, NULL, idle_time_limit - itime); 520 } 521 } 522 523 /* 524 * connect_time_expired - log a message and close the connection. 525 */ 526 static void 527 connect_time_expired(arg) 528 void *arg; 529 { 530 syslog(LOG_INFO, "Connect time expired"); 531 lcp_close(0, "Connect time expired"); /* Close connection */ 532 } 533 534 /* 535 * auth_check_options - called to check authentication options. 536 */ 537 void 538 auth_check_options() 539 { 540 lcp_options *wo = &lcp_wantoptions[0]; 541 int can_auth; 542 ipcp_options *ipwo = &ipcp_wantoptions[0]; 543 u_int32_t remote; 544 545 /* Default our_name to hostname, and user to our_name */ 546 if (our_name[0] == 0 || usehostname) 547 strcpy(our_name, hostname); 548 if (user[0] == 0) 549 strcpy(user, our_name); 550 551 /* If authentication is required, ask peer for CHAP or PAP. */ 552 if (auth_required && !wo->neg_chap && !wo->neg_upap) { 553 wo->neg_chap = 1; 554 wo->neg_upap = 1; 555 } 556 557 /* 558 * Check whether we have appropriate secrets to use 559 * to authenticate the peer. 560 */ 561 can_auth = wo->neg_upap && (uselogin || have_pap_secret()); 562 if (!can_auth && wo->neg_chap) { 563 remote = ipwo->accept_remote? 0: ipwo->hisaddr; 564 can_auth = have_chap_secret(remote_name, our_name, remote); 565 } 566 567 if (auth_required && !can_auth) { 568 option_error("peer authentication required but no suitable secret(s) found\n"); 569 if (remote_name[0] == 0) 570 option_error("for authenticating any peer to us (%s)\n", our_name); 571 else 572 option_error("for authenticating peer %s to us (%s)\n", 573 remote_name, our_name); 574 exit(1); 575 } 576 577 /* 578 * Check whether the user tried to override certain values 579 * set by root. 580 */ 581 if (!auth_required && auth_req_info.priv > 0) { 582 if (!default_device && devnam_info.priv == 0) { 583 option_error("can't override device name when noauth option used"); 584 exit(1); 585 } 586 if ((connector != NULL && connector_info.priv == 0) 587 || (disconnector != NULL && disconnector_info.priv == 0) 588 || (welcomer != NULL && welcomer_info.priv == 0)) { 589 option_error("can't override connect, disconnect or welcome"); 590 option_error("option values when noauth option used"); 591 exit(1); 592 } 593 } 594 } 595 596 /* 597 * auth_reset - called when LCP is starting negotiations to recheck 598 * authentication options, i.e. whether we have appropriate secrets 599 * to use for authenticating ourselves and/or the peer. 600 */ 601 void 602 auth_reset(unit) 603 int unit; 604 { 605 lcp_options *go = &lcp_gotoptions[unit]; 606 lcp_options *ao = &lcp_allowoptions[0]; 607 ipcp_options *ipwo = &ipcp_wantoptions[0]; 608 u_int32_t remote; 609 610 ao->neg_upap = !refuse_pap && (passwd[0] != 0 || get_pap_passwd(NULL)); 611 ao->neg_chap = !refuse_chap 612 && have_chap_secret(user, remote_name, (u_int32_t)0); 613 614 if (go->neg_upap && !uselogin && !have_pap_secret()) 615 go->neg_upap = 0; 616 if (go->neg_chap) { 617 remote = ipwo->accept_remote? 0: ipwo->hisaddr; 618 if (!have_chap_secret(remote_name, our_name, remote)) 619 go->neg_chap = 0; 620 } 621 } 622 623 624 /* 625 * check_passwd - Check the user name and passwd against the PAP secrets 626 * file. If requested, also check against the system password database, 627 * and login the user if OK. 628 * 629 * returns: 630 * UPAP_AUTHNAK: Authentication failed. 631 * UPAP_AUTHACK: Authentication succeeded. 632 * In either case, msg points to an appropriate message. 633 */ 634 int 635 check_passwd(unit, auser, userlen, apasswd, passwdlen, msg, msglen) 636 int unit; 637 char *auser; 638 int userlen; 639 char *apasswd; 640 int passwdlen; 641 char **msg; 642 int *msglen; 643 { 644 int ret; 645 char *filename; 646 FILE *f; 647 struct wordlist *addrs; 648 u_int32_t remote; 649 ipcp_options *ipwo = &ipcp_wantoptions[unit]; 650 char passwd[256], user[256]; 651 char secret[MAXWORDLEN]; 652 static int attempts = 0; 653 654 /* 655 * Make copies of apasswd and auser, then null-terminate them. 656 */ 657 BCOPY(apasswd, passwd, passwdlen); 658 passwd[passwdlen] = '\0'; 659 BCOPY(auser, user, userlen); 660 user[userlen] = '\0'; 661 *msg = (char *) 0; 662 663 /* 664 * Open the file of pap secrets and scan for a suitable secret 665 * for authenticating this user. 666 */ 667 filename = _PATH_UPAPFILE; 668 addrs = NULL; 669 ret = UPAP_AUTHACK; 670 f = fopen(filename, "r"); 671 if (f == NULL) { 672 syslog(LOG_ERR, "Can't open PAP password file %s: %m", filename); 673 ret = UPAP_AUTHNAK; 674 } else { 675 check_access(f, filename); 676 remote = ipwo->accept_remote? 0: ipwo->hisaddr; 677 if (scan_authfile(f, user, our_name, remote, 678 secret, &addrs, filename) < 0 679 || (secret[0] != 0 && (cryptpap || strcmp(passwd, secret) != 0) 680 && strcmp(crypt(passwd, secret), secret) != 0)) { 681 syslog(LOG_WARNING, "PAP authentication failure for %s", user); 682 ret = UPAP_AUTHNAK; 683 } 684 fclose(f); 685 } 686 687 if (uselogin && ret == UPAP_AUTHACK) { 688 ret = plogin(user, passwd, msg, msglen); 689 if (ret == UPAP_AUTHNAK) { 690 syslog(LOG_WARNING, "PAP login failure for %s", user); 691 } 692 } 693 694 if (ret == UPAP_AUTHNAK) { 695 if (*msg == (char *) 0) 696 *msg = "Login incorrect"; 697 *msglen = strlen(*msg); 698 /* 699 * Frustrate passwd stealer programs. 700 * Allow 10 tries, but start backing off after 3 (stolen from login). 701 * On 10'th, drop the connection. 702 */ 703 if (attempts++ >= 10) { 704 syslog(LOG_WARNING, "%d LOGIN FAILURES ON %s, %s", 705 attempts, devnam, user); 706 quit(); 707 } 708 if (attempts > 3) 709 sleep((u_int) (attempts - 3) * 5); 710 if (addrs != NULL) 711 free_wordlist(addrs); 712 713 } else { 714 attempts = 0; /* Reset count */ 715 if (*msg == (char *) 0) 716 *msg = "Login ok"; 717 *msglen = strlen(*msg); 718 set_allowed_addrs(unit, addrs); 719 } 720 721 BZERO(passwd, sizeof(passwd)); 722 BZERO(secret, sizeof(secret)); 723 724 return ret; 725 } 726 727 /* 728 * This function is needed for PAM. 729 */ 730 731 #ifdef USE_PAM 732 static char *PAM_username = ""; 733 static char *PAM_password = ""; 734 735 #ifdef PAM_ESTABLISH_CRED /* new PAM defines :(^ */ 736 #define MY_PAM_STRERROR(err_code) (char *) pam_strerror(pamh,err_code) 737 #else 738 #define MY_PAM_STRERROR(err_code) (char *) pam_strerror(err_code) 739 #endif 740 741 static int pam_conv (int num_msg, 742 const struct pam_message **msg, 743 struct pam_response **resp, 744 void *appdata_ptr) 745 { 746 int count = 0, replies = 0; 747 struct pam_response *reply = NULL; 748 int size = 0; 749 750 for (count = 0; count < num_msg; count++) 751 { 752 size += sizeof (struct pam_response); 753 reply = realloc (reply, size); /* ANSI: is malloc() if reply==NULL */ 754 if (!reply) 755 return PAM_CONV_ERR; 756 757 switch (msg[count]->msg_style) 758 { 759 case PAM_PROMPT_ECHO_ON: 760 reply[replies].resp_retcode = PAM_SUCCESS; 761 reply[replies++].resp = strdup(PAM_username); /* never NULL */ 762 break; 763 764 case PAM_PROMPT_ECHO_OFF: 765 reply[replies].resp_retcode = PAM_SUCCESS; 766 reply[replies++].resp = strdup(PAM_password); /* never NULL */ 767 break; 768 769 case PAM_TEXT_INFO: 770 reply[replies].resp_retcode = PAM_SUCCESS; 771 reply[replies++].resp = NULL; 772 break; 773 774 case PAM_ERROR_MSG: 775 default: 776 free (reply); 777 return PAM_CONV_ERR; 778 } 779 } 780 781 if (resp) 782 *resp = reply; 783 else 784 free (reply); 785 786 return PAM_SUCCESS; 787 } 788 #endif 789 790 /* 791 * plogin - Check the user name and password against the system 792 * password database, and login the user if OK. 793 * 794 * returns: 795 * UPAP_AUTHNAK: Login failed. 796 * UPAP_AUTHACK: Login succeeded. 797 * In either case, msg points to an appropriate message. 798 */ 799 800 static int 801 plogin(user, passwd, msg, msglen) 802 char *user; 803 char *passwd; 804 char **msg; 805 int *msglen; 806 { 807 808 #ifdef USE_PAM 809 810 struct pam_conv pam_conversation; 811 pam_handle_t *pamh; 812 int pam_error; 813 /* 814 * Fill the pam_conversion structure 815 */ 816 memset (&pam_conversation, '\0', sizeof (struct pam_conv)); 817 pam_conversation.conv = &pam_conv; 818 819 pam_error = pam_start ("ppp", user, &pam_conversation, &pamh); 820 821 if (pam_error != PAM_SUCCESS) { 822 *msg = MY_PAM_STRERROR (pam_error); 823 return UPAP_AUTHNAK; 824 } 825 /* 826 * Define the fields for the credintial validation 827 */ 828 (void) pam_set_item (pamh, PAM_TTY, devnam); 829 PAM_username = user; 830 PAM_password = passwd; 831 /* 832 * Validate the user 833 */ 834 pam_error = pam_authenticate (pamh, PAM_SILENT); 835 if (pam_error == PAM_SUCCESS) { 836 pam_error = pam_acct_mgmt (pamh, PAM_SILENT); 837 838 /* start a session for this user. Session closed when link ends. */ 839 if (pam_error == PAM_SUCCESS) 840 (void) pam_open_session (pamh, PAM_SILENT); 841 } 842 843 *msg = MY_PAM_STRERROR (pam_error); 844 845 PAM_username = 846 PAM_password = ""; 847 /* 848 * Clean up the mess 849 */ 850 (void) pam_end (pamh, pam_error); 851 852 if (pam_error != PAM_SUCCESS) 853 return UPAP_AUTHNAK; 854 /* 855 * Use the non-PAM methods directly 856 */ 857 #else /* #ifdef USE_PAM */ 858 859 struct passwd *pw; 860 char *tty; 861 862 #ifdef HAS_SHADOW 863 struct spwd *spwd; 864 struct spwd *getspnam(); 865 #endif 866 867 pw = getpwnam(user); 868 endpwent(); 869 if (pw == NULL) { 870 return (UPAP_AUTHNAK); 871 } 872 873 #ifdef HAS_SHADOW 874 spwd = getspnam(user); 875 endspent(); 876 if (spwd) { 877 /* check the age of the password entry */ 878 long now = time(NULL) / 86400L; 879 880 if ((spwd->sp_expire > 0 && now >= spwd->sp_expire) 881 || ((spwd->sp_max >= 0 && spwd->sp_max < 10000) 882 && spwd->sp_lstchg >= 0 883 && now >= spwd->sp_lstchg + spwd->sp_max)) { 884 syslog(LOG_WARNING, "Password for %s has expired", user); 885 return (UPAP_AUTHNAK); 886 } 887 pw->pw_passwd = spwd->sp_pwdp; 888 } 889 #endif 890 891 /* 892 * If no passwd, don't let them login. 893 */ 894 if (pw->pw_passwd == NULL || *pw->pw_passwd == '\0' 895 || strcmp(crypt(passwd, pw->pw_passwd), pw->pw_passwd) != 0) 896 return (UPAP_AUTHNAK); 897 898 /* These functions are not enabled for PAM. The reason for this is that */ 899 /* there is not necessarily a "passwd" entry for this user. That is */ 900 /* real purpose of 'PAM' -- to virtualize the account data from the */ 901 /* application. If you want to do the same thing, write the entry in */ 902 /* the 'session' hook. */ 903 904 /* 905 * Write a wtmp entry for this user. 906 */ 907 908 tty = devnam; 909 if (strncmp(tty, "/dev/", 5) == 0) 910 tty += 5; 911 logwtmp(tty, user, remote_name); /* Add wtmp login entry */ 912 913 #if defined(_PATH_LASTLOG) 914 { 915 struct lastlog ll; 916 int fd; 917 918 if ((fd = open(_PATH_LASTLOG, O_RDWR, 0)) >= 0) { 919 (void)lseek(fd, (off_t)(pw->pw_uid * sizeof(ll)), SEEK_SET); 920 memset((void *)&ll, 0, sizeof(ll)); 921 (void)time(&ll.ll_time); 922 (void)strncpy(ll.ll_line, tty, sizeof(ll.ll_line)); 923 (void)write(fd, (char *)&ll, sizeof(ll)); 924 (void)close(fd); 925 } 926 } 927 #endif 928 929 #endif /* #ifdef USE_PAM */ 930 931 syslog(LOG_INFO, "user %s logged in", user); 932 logged_in = TRUE; 933 934 return (UPAP_AUTHACK); 935 } 936 937 /* 938 * plogout - Logout the user. 939 */ 940 static void 941 plogout() 942 { 943 #ifdef USE_PAM 944 struct pam_conv pam_conversation; 945 pam_handle_t *pamh; 946 int pam_error; 947 /* 948 * Fill the pam_conversion structure. The PAM specification states that the 949 * session must be able to be closed by a totally different handle from which 950 * it was created. Hold the PAM group to their own specification! 951 */ 952 memset (&pam_conversation, '\0', sizeof (struct pam_conv)); 953 pam_conversation.conv = &pam_conv; 954 955 pam_error = pam_start ("ppp", user, &pam_conversation, &pamh); 956 if (pam_error == PAM_SUCCESS) { 957 (void) pam_set_item (pamh, PAM_TTY, devnam); 958 (void) pam_close_session (pamh, PAM_SILENT); 959 (void) pam_end (pamh, PAM_SUCCESS); 960 } 961 962 #else 963 char *tty; 964 965 tty = devnam; 966 if (strncmp(tty, "/dev/", 5) == 0) 967 tty += 5; 968 logwtmp(tty, "", ""); /* Wipe out utmp logout entry */ 969 #endif 970 971 logged_in = FALSE; 972 } 973 974 975 /* 976 * null_login - Check if a username of "" and a password of "" are 977 * acceptable, and iff so, set the list of acceptable IP addresses 978 * and return 1. 979 */ 980 static int 981 null_login(unit) 982 int unit; 983 { 984 char *filename; 985 FILE *f; 986 int i, ret; 987 struct wordlist *addrs; 988 char secret[MAXWORDLEN]; 989 990 /* 991 * Open the file of pap secrets and scan for a suitable secret. 992 * We don't accept a wildcard client. 993 */ 994 filename = _PATH_UPAPFILE; 995 addrs = NULL; 996 f = fopen(filename, "r"); 997 if (f == NULL) 998 return 0; 999 check_access(f, filename); 1000 1001 i = scan_authfile(f, "", our_name, (u_int32_t)0, secret, &addrs, filename); 1002 ret = i >= 0 && (i & NONWILD_CLIENT) != 0 && secret[0] == 0; 1003 BZERO(secret, sizeof(secret)); 1004 1005 if (ret) 1006 set_allowed_addrs(unit, addrs); 1007 else 1008 free_wordlist(addrs); 1009 1010 fclose(f); 1011 return ret; 1012 } 1013 1014 1015 /* 1016 * get_pap_passwd - get a password for authenticating ourselves with 1017 * our peer using PAP. Returns 1 on success, 0 if no suitable password 1018 * could be found. 1019 */ 1020 static int 1021 get_pap_passwd(passwd) 1022 char *passwd; 1023 { 1024 char *filename; 1025 FILE *f; 1026 int ret; 1027 struct wordlist *addrs; 1028 char secret[MAXWORDLEN]; 1029 1030 filename = _PATH_UPAPFILE; 1031 addrs = NULL; 1032 f = fopen(filename, "r"); 1033 if (f == NULL) 1034 return 0; 1035 check_access(f, filename); 1036 ret = scan_authfile(f, user, 1037 remote_name[0]? remote_name: NULL, 1038 (u_int32_t)0, secret, NULL, filename); 1039 fclose(f); 1040 if (ret < 0) 1041 return 0; 1042 if (passwd != NULL) 1043 strlcpy(passwd, secret, MAXSECRETLEN); 1044 BZERO(secret, sizeof(secret)); 1045 return 1; 1046 } 1047 1048 1049 /* 1050 * have_pap_secret - check whether we have a PAP file with any 1051 * secrets that we could possibly use for authenticating the peer. 1052 */ 1053 static int 1054 have_pap_secret() 1055 { 1056 FILE *f; 1057 int ret; 1058 char *filename; 1059 ipcp_options *ipwo = &ipcp_wantoptions[0]; 1060 u_int32_t remote; 1061 1062 filename = _PATH_UPAPFILE; 1063 f = fopen(filename, "r"); 1064 if (f == NULL) 1065 return 0; 1066 1067 remote = ipwo->accept_remote? 0: ipwo->hisaddr; 1068 ret = scan_authfile(f, NULL, our_name, remote, NULL, NULL, filename); 1069 fclose(f); 1070 if (ret < 0) 1071 return 0; 1072 1073 return 1; 1074 } 1075 1076 1077 /* 1078 * have_chap_secret - check whether we have a CHAP file with a 1079 * secret that we could possibly use for authenticating `client' 1080 * on `server'. Either can be the null string, meaning we don't 1081 * know the identity yet. 1082 */ 1083 static int 1084 have_chap_secret(client, server, remote) 1085 char *client; 1086 char *server; 1087 u_int32_t remote; 1088 { 1089 FILE *f; 1090 int ret; 1091 char *filename; 1092 1093 filename = _PATH_CHAPFILE; 1094 f = fopen(filename, "r"); 1095 if (f == NULL) 1096 return 0; 1097 1098 if (client[0] == 0) 1099 client = NULL; 1100 else if (server[0] == 0) 1101 server = NULL; 1102 1103 ret = scan_authfile(f, client, server, remote, NULL, NULL, filename); 1104 fclose(f); 1105 if (ret < 0) 1106 return 0; 1107 1108 return 1; 1109 } 1110 1111 1112 /* 1113 * get_secret - open the CHAP secret file and return the secret 1114 * for authenticating the given client on the given server. 1115 * (We could be either client or server). 1116 */ 1117 int 1118 get_secret(unit, client, server, secret, secret_len, save_addrs) 1119 int unit; 1120 char *client; 1121 char *server; 1122 char *secret; 1123 int *secret_len; 1124 int save_addrs; 1125 { 1126 FILE *f; 1127 int ret, len; 1128 char *filename; 1129 struct wordlist *addrs; 1130 char secbuf[MAXWORDLEN]; 1131 1132 filename = _PATH_CHAPFILE; 1133 addrs = NULL; 1134 secbuf[0] = 0; 1135 1136 f = fopen(filename, "r"); 1137 if (f == NULL) { 1138 syslog(LOG_ERR, "Can't open chap secret file %s: %m", filename); 1139 return 0; 1140 } 1141 check_access(f, filename); 1142 1143 ret = scan_authfile(f, client, server, (u_int32_t)0, 1144 secbuf, &addrs, filename); 1145 fclose(f); 1146 if (ret < 0) 1147 return 0; 1148 1149 if (save_addrs) 1150 set_allowed_addrs(unit, addrs); 1151 1152 len = strlen(secbuf); 1153 if (len > MAXSECRETLEN) { 1154 syslog(LOG_ERR, "Secret for %s on %s is too long", client, server); 1155 len = MAXSECRETLEN; 1156 } 1157 BCOPY(secbuf, secret, len); 1158 BZERO(secbuf, sizeof(secbuf)); 1159 *secret_len = len; 1160 1161 return 1; 1162 } 1163 1164 /* 1165 * set_allowed_addrs() - set the list of allowed addresses. 1166 */ 1167 static void 1168 set_allowed_addrs(unit, addrs) 1169 int unit; 1170 struct wordlist *addrs; 1171 { 1172 if (addresses[unit] != NULL) 1173 free_wordlist(addresses[unit]); 1174 addresses[unit] = addrs; 1175 1176 /* 1177 * If there's only one authorized address we might as well 1178 * ask our peer for that one right away 1179 */ 1180 if (addrs != NULL && addrs->next == NULL) { 1181 char *p = addrs->word; 1182 struct ipcp_options *wo = &ipcp_wantoptions[unit]; 1183 u_int32_t a; 1184 struct hostent *hp; 1185 1186 if (*p != '!' && *p != '-' && !ISWILD(p) && strchr(p, '/') == NULL) { 1187 hp = gethostbyname(p); 1188 if (hp != NULL && hp->h_addrtype == AF_INET) 1189 a = *(u_int32_t *)hp->h_addr; 1190 else 1191 a = inet_addr(p); 1192 if (a != (u_int32_t) -1) 1193 wo->hisaddr = a; 1194 } 1195 } 1196 } 1197 1198 /* 1199 * auth_ip_addr - check whether the peer is authorized to use 1200 * a given IP address. Returns 1 if authorized, 0 otherwise. 1201 */ 1202 int 1203 auth_ip_addr(unit, addr) 1204 int unit; 1205 u_int32_t addr; 1206 { 1207 return ip_addr_check(addr, addresses[unit]); 1208 } 1209 1210 static int 1211 ip_addr_check(addr, addrs) 1212 u_int32_t addr; 1213 struct wordlist *addrs; 1214 { 1215 u_int32_t mask, ah; 1216 struct in_addr ina; 1217 int accept, r = 1; 1218 char *ptr_word, *ptr_mask; 1219 struct hostent *hp; 1220 struct netent *np; 1221 1222 /* don't allow loopback or multicast address */ 1223 if (bad_ip_adrs(addr)) 1224 return 0; 1225 1226 if (addrs == NULL) 1227 return !auth_required; /* no addresses authorized */ 1228 1229 for (; addrs != NULL; addrs = addrs->next) { 1230 /* "-" means no addresses authorized, "*" means any address allowed */ 1231 ptr_word = addrs->word; 1232 if (strcmp(ptr_word, "-") == 0) 1233 break; 1234 if (strcmp(ptr_word, "*") == 0) 1235 return 1; 1236 1237 accept = 1; 1238 if (*ptr_word == '!') { 1239 accept = 0; 1240 ++ptr_word; 1241 } 1242 1243 mask = ~ (u_int32_t) 0; 1244 ptr_mask = strchr (ptr_word, '/'); 1245 if (ptr_mask != NULL) { 1246 int bit_count; 1247 1248 bit_count = (int) strtol (ptr_mask+1, (char **) 0, 10); 1249 if (bit_count <= 0 || bit_count > 32) { 1250 syslog (LOG_WARNING, 1251 "invalid address length %s in auth. address list", 1252 ptr_mask); 1253 continue; 1254 } 1255 *ptr_mask = '\0'; 1256 mask <<= 32 - bit_count; 1257 } 1258 1259 hp = gethostbyname(ptr_word); 1260 if (hp != NULL && hp->h_addrtype == AF_INET) { 1261 ina.s_addr = *(u_int32_t *)hp->h_addr; 1262 } else { 1263 np = getnetbyname (ptr_word); 1264 if (np != NULL && np->n_addrtype == AF_INET) 1265 ina.s_addr = htonl (np->n_net); 1266 else 1267 r = inet_aton (ptr_word, &ina); 1268 if (ptr_mask == NULL) { 1269 /* calculate appropriate mask for net */ 1270 ah = ntohl(ina.s_addr); 1271 if (IN_CLASSA(ah)) 1272 mask = IN_CLASSA_NET; 1273 else if (IN_CLASSB(ah)) 1274 mask = IN_CLASSB_NET; 1275 else if (IN_CLASSC(ah)) 1276 mask = IN_CLASSC_NET; 1277 } 1278 } 1279 1280 if (ptr_mask != NULL) 1281 *ptr_mask = '/'; 1282 1283 if (r == 0) 1284 syslog (LOG_WARNING, 1285 "unknown host %s in auth. address list", 1286 addrs->word); 1287 else 1288 /* Here ina.s_addr and addr are in network byte order, 1289 and mask is in host order. */ 1290 if (((addr ^ ina.s_addr) & htonl(mask)) == 0) 1291 return accept; 1292 } 1293 return 0; /* not in list => can't have it */ 1294 } 1295 1296 /* 1297 * bad_ip_adrs - return 1 if the IP address is one we don't want 1298 * to use, such as an address in the loopback net or a multicast address. 1299 * addr is in network byte order. 1300 */ 1301 int 1302 bad_ip_adrs(addr) 1303 u_int32_t addr; 1304 { 1305 addr = ntohl(addr); 1306 return (addr >> IN_CLASSA_NSHIFT) == IN_LOOPBACKNET 1307 || IN_MULTICAST(addr) || IN_BADCLASS(addr); 1308 } 1309 1310 /* 1311 * check_access - complain if a secret file has too-liberal permissions. 1312 */ 1313 void 1314 check_access(f, filename) 1315 FILE *f; 1316 char *filename; 1317 { 1318 struct stat sbuf; 1319 1320 if (fstat(fileno(f), &sbuf) < 0) { 1321 syslog(LOG_WARNING, "cannot stat secret file %s: %m", filename); 1322 } else if ((sbuf.st_mode & (S_IRWXG | S_IRWXO)) != 0) { 1323 syslog(LOG_WARNING, "Warning - secret file %s has world and/or group access", filename); 1324 } 1325 } 1326 1327 1328 /* 1329 * scan_authfile - Scan an authorization file for a secret suitable 1330 * for authenticating `client' on `server'. The return value is -1 1331 * if no secret is found, otherwise >= 0. The return value has 1332 * NONWILD_CLIENT set if the secret didn't have "*" for the client, and 1333 * NONWILD_SERVER set if the secret didn't have "*" for the server. 1334 * Any following words on the line (i.e. address authorization 1335 * info) are placed in a wordlist and returned in *addrs. 1336 */ 1337 static int 1338 scan_authfile(f, client, server, ipaddr, secret, addrs, filename) 1339 FILE *f; 1340 char *client; 1341 char *server; 1342 u_int32_t ipaddr; 1343 char *secret; 1344 struct wordlist **addrs; 1345 char *filename; 1346 { 1347 int newline, xxx; 1348 int got_flag, best_flag; 1349 FILE *sf; 1350 struct wordlist *ap, *addr_list, *alist, *alast; 1351 char word[MAXWORDLEN]; 1352 char atfile[MAXWORDLEN]; 1353 char lsecret[MAXWORDLEN]; 1354 1355 if (addrs != NULL) 1356 *addrs = NULL; 1357 addr_list = NULL; 1358 if (!getword(f, word, &newline, filename)) 1359 return -1; /* file is empty??? */ 1360 newline = 1; 1361 best_flag = -1; 1362 for (;;) { 1363 /* 1364 * Skip until we find a word at the start of a line. 1365 */ 1366 while (!newline && getword(f, word, &newline, filename)) 1367 ; 1368 if (!newline) 1369 break; /* got to end of file */ 1370 1371 /* 1372 * Got a client - check if it's a match or a wildcard. 1373 */ 1374 got_flag = 0; 1375 if (client != NULL && strcmp(word, client) != 0 && !ISWILD(word)) { 1376 newline = 0; 1377 continue; 1378 } 1379 if (!ISWILD(word)) 1380 got_flag = NONWILD_CLIENT; 1381 1382 /* 1383 * Now get a server and check if it matches. 1384 */ 1385 if (!getword(f, word, &newline, filename)) 1386 break; 1387 if (newline) 1388 continue; 1389 if (server != NULL && strcmp(word, server) != 0 && !ISWILD(word)) 1390 continue; 1391 if (!ISWILD(word)) 1392 got_flag |= NONWILD_SERVER; 1393 1394 /* 1395 * Got some sort of a match - see if it's better than what 1396 * we have already. 1397 */ 1398 if (got_flag <= best_flag) 1399 continue; 1400 1401 /* 1402 * Get the secret. 1403 */ 1404 if (!getword(f, word, &newline, filename)) 1405 break; 1406 if (newline) 1407 continue; 1408 1409 /* 1410 * Special syntax: @filename means read secret from file. 1411 */ 1412 if (word[0] == '@') { 1413 strcpy(atfile, word+1); 1414 if ((sf = fopen(atfile, "r")) == NULL) { 1415 syslog(LOG_WARNING, "can't open indirect secret file %s", 1416 atfile); 1417 continue; 1418 } 1419 check_access(sf, atfile); 1420 if (!getword(sf, word, &xxx, atfile)) { 1421 syslog(LOG_WARNING, "no secret in indirect secret file %s", 1422 atfile); 1423 fclose(sf); 1424 continue; 1425 } 1426 fclose(sf); 1427 } 1428 if (secret != NULL) 1429 strcpy(lsecret, word); 1430 1431 /* 1432 * Now read address authorization info and make a wordlist. 1433 */ 1434 alist = alast = NULL; 1435 for (;;) { 1436 if (!getword(f, word, &newline, filename) || newline) 1437 break; 1438 ap = (struct wordlist *) malloc(sizeof(struct wordlist) 1439 + strlen(word)); 1440 if (ap == NULL) 1441 novm("authorized addresses"); 1442 ap->next = NULL; 1443 strcpy(ap->word, word); 1444 if (alist == NULL) 1445 alist = ap; 1446 else 1447 alast->next = ap; 1448 alast = ap; 1449 } 1450 1451 /* 1452 * Check if the given IP address is allowed by the wordlist. 1453 */ 1454 if (ipaddr != 0 && !ip_addr_check(ipaddr, alist)) { 1455 free_wordlist(alist); 1456 continue; 1457 } 1458 1459 /* 1460 * This is the best so far; remember it. 1461 */ 1462 best_flag = got_flag; 1463 if (addr_list) 1464 free_wordlist(addr_list); 1465 addr_list = alist; 1466 if (secret != NULL) 1467 strcpy(secret, lsecret); 1468 1469 if (!newline) 1470 break; 1471 } 1472 1473 if (addrs != NULL) 1474 *addrs = addr_list; 1475 else if (addr_list != NULL) 1476 free_wordlist(addr_list); 1477 1478 return best_flag; 1479 } 1480 1481 /* 1482 * free_wordlist - release memory allocated for a wordlist. 1483 */ 1484 static void 1485 free_wordlist(wp) 1486 struct wordlist *wp; 1487 { 1488 struct wordlist *next; 1489 1490 while (wp != NULL) { 1491 next = wp->next; 1492 free(wp); 1493 wp = next; 1494 } 1495 } 1496 1497 /* 1498 * auth_script - execute a script with arguments 1499 * interface-name peer-name real-user tty speed 1500 */ 1501 static void 1502 auth_script(script) 1503 char *script; 1504 { 1505 char strspeed[32]; 1506 struct passwd *pw; 1507 char struid[32]; 1508 char *user_name; 1509 char *argv[8]; 1510 1511 if ((pw = getpwuid(getuid())) != NULL && pw->pw_name != NULL) 1512 user_name = pw->pw_name; 1513 else { 1514 sprintf(struid, "%u", getuid()); 1515 user_name = struid; 1516 } 1517 sprintf(strspeed, "%d", baud_rate); 1518 1519 argv[0] = script; 1520 argv[1] = ifname; 1521 argv[2] = peer_authname; 1522 argv[3] = user_name; 1523 argv[4] = devnam; 1524 argv[5] = strspeed; 1525 argv[6] = NULL; 1526 1527 run_program(script, argv, 0); 1528 } 1529