2 Copyright (c) 1995-1998 by Cisco Systems, Inc.
4 Permission to use, copy, modify, and distribute this software for
5 any purpose and without fee is hereby granted, provided that this
6 copyright and permission notice appear on all copies of the
7 software and supporting documentation, the name of Cisco Systems,
8 Inc. not be used in advertising or publicity pertaining to
9 distribution of the program without specific prior permission, and
10 notice be given in supporting documentation that modification,
11 copying and distribution is by permission of Cisco Systems, Inc.
13 Cisco Systems, Inc. makes no representations about the suitability
14 of this software for any purpose. THIS SOFTWARE IS PROVIDED ``AS
15 IS'' AND WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING,
16 WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
17 FITNESS FOR A PARTICULAR PURPOSE.
27 struct authen_data *data;
30 char *name = data->NAS_id->username;
31 char *port = data->NAS_id->NAS_port;
34 /* sendpass is disallowed */
35 report(LOG_ERR, "%s: %s %s sendpass request rejected",
36 session.peer, session.port, name ? name : "<unknown>");
37 data->status = TAC_PLUS_AUTHEN_STATUS_FAIL;
41 if (STREQ(name, DEFAULT_USERNAME)) {
42 data->status = TAC_PLUS_AUTHEN_STATUS_FAIL;
45 status = do_sendpass_fn(data);
49 report(LOG_INFO, "sendpass query for '%s' %s from %s %s",
50 name && name[0] ? name : "unknown",
51 port && port[0] ? port : "unknown",
53 (data->status == TAC_PLUS_AUTHEN_STATUS_PASS) ?
54 "accepted" : "rejected");
60 * Cleartext password information has been requested. Look this up in
61 * the config file. Set authen_data->status.
63 * Any strings pointed to by authen_data must come from the heap. They
64 * will get freed by the caller.
66 * Return 0 if data->status is valid, otherwise 1 */
70 struct authen_data *data;
78 data->status = TAC_PLUS_AUTHEN_STATUS_FAIL;
80 /* We must have a username */
81 if (!data->NAS_id->username[0]) {
82 /* choose_authen should have already asked for a username, so this is
84 data->status = TAC_PLUS_AUTHEN_STATUS_ERROR;
85 data->server_msg = tac_strdup("No username supplied");
86 report(LOG_ERR, "%s: No username for sendpass_fn", session.peer);
89 name = data->NAS_id->username;
91 exp_date = cfg_get_expires(name, TAC_PLUS_RECURSE);
93 /* The user exists. Check her expiration date, if any */
94 expired = check_expiration(exp_date);
98 data->status = TAC_PLUS_AUTHEN_STATUS_FAIL;
99 data->server_msg = tac_strdup("Password has expired");
103 data->status = TAC_PLUS_AUTHEN_STATUS_ERROR;
104 data->server_msg = tac_strdup("Bad return value for password expiration check");
105 report(LOG_ERR, "%s: Bogus return value %d from check_expiration",
106 session.peer, expired);
112 /* The user exists, and has not expired. Return her secret info */
113 switch (data->type) {
114 case TAC_PLUS_AUTHEN_TYPE_CHAP:
115 secret = cfg_get_chap_secret(name, TAC_PLUS_RECURSE);
117 secret = cfg_get_global_secret(name, TAC_PLUS_RECURSE);
121 case TAC_PLUS_AUTHEN_TYPE_MSCHAP:
122 secret = cfg_get_mschap_secret(name, TAC_PLUS_RECURSE);
124 secret = cfg_get_global_secret(name, TAC_PLUS_RECURSE);
128 case TAC_PLUS_AUTHEN_TYPE_ARAP:
129 secret = cfg_get_arap_secret(name, TAC_PLUS_RECURSE);
131 secret = cfg_get_global_secret(name, TAC_PLUS_RECURSE);
134 case TAC_PLUS_AUTHEN_TYPE_PAP:
135 secret = cfg_get_opap_secret(name, TAC_PLUS_RECURSE);
139 data->status = TAC_PLUS_AUTHEN_STATUS_ERROR;
140 data->server_msg = tac_strdup("Illegal authentication type");
141 report(LOG_ERR, "%s: Illegal authentication type %d",
142 session.peer, data->type);
147 data->status = TAC_PLUS_AUTHEN_STATUS_FAIL;
148 data->server_msg = tac_strdup("No secret");
152 p = tac_find_substring("cleartext ", secret);
154 /* Should never happen */
155 data->status = TAC_PLUS_AUTHEN_STATUS_ERROR;
156 data->server_msg = tac_strdup("Illegal secret format");
157 report(LOG_ERR, "%s: Illegal secret format %s",
158 session.peer, secret);
162 data->server_data = tac_strdup(p);
163 data->server_dlen = strlen(data->server_data);
164 data->status = TAC_PLUS_AUTHEN_STATUS_PASS;
165 if (expired == PW_EXPIRING) {
166 data->server_msg = tac_strdup("Secret will expire soon");