2 * A simple pam authentication routine written by
3 * Max Liccardo <ravel@tiscalinet.it>
4 * PAM_RUSER=username/rem_addr.
8 This program was contributed by Shane Watts
11 You need to add the following (or equivalent) to the /etc/pam.conf file.
13 check_user auth required /usr/lib/security/pam_unix_auth.so
14 check_user account required /usr/lib/security/pam_unix_acct.so
25 #include <security/pam_appl.h>
30 #include "choose_authen.h" /* for "struct authen_data" */
31 #include "do_author.h" /* for "struct identity" */
41 static int fconv TAC_ARGS((int num_msg, const struct pam_message **msg, struct pam_response **resp, void *appdata_ptr));

/*
 * PAM conversation callback.  Answers the prompts PAM sends for the
 * stacked modules from the credentials handed in through appdata_ptr:
 * the password for PAM_PROMPT_ECHO_OFF, the user name for
 * PAM_PROMPT_ECHO_ON.  The listing elides several lines of this body
 * (error return, loop terminators, final return), so the return values
 * are not visible here.
 */
43 static int fconv(num_msg, msg, resp, appdata_ptr)
45 const struct pam_message **msg;
46 struct pam_response **resp;
/* Credentials stored by the caller in pam_conv.appdata_ptr (see tac_pam_auth). */
53 lUserCred = appdata_ptr;
55 if(lUserCred == NULL) {
56 report(LOG_ERR,"argh....maybe a SunOs 5.6 ???");
/*
 * One response slot per message.  Per the pam_conv(3) contract the PAM
 * library, not this application, releases the array and each resp string.
 */
60 *resp = (struct pam_response *) tac_malloc(num_msg * sizeof(struct pam_response));
62 for (i=0; i<num_msg; i++) {
63 switch(msg[i]->msg_style) {
65 case PAM_PROMPT_ECHO_OFF:
/*
 * NOTE(review): resp[i] indexes the caller's pointer variable, not the
 * array allocated above; it coincides with the right slot only for i == 0.
 * When a module sends more than one message this writes through a pointer
 * that was never allocated.  The element that was allocated is
 * (*resp)[i].resp -- the same applies to the PAM_PROMPT_ECHO_ON case and
 * to resp_retcode below.  strdup() may also return NULL; that is not checked.
 */
66 resp[i]->resp = strdup(lUserCred->Passwd);
69 case PAM_PROMPT_ECHO_ON:
70 resp[i]->resp = strdup(lUserCred->UserName);
/* Any other msg_style (e.g. informational text) is only logged here. */
75 report(LOG_DEBUG,"conv default");
/* resp_retcode is unused by Linux-PAM and is expected to be 0. */
78 resp[i]->resp_retcode = 0;
85 int tac_pam_auth TAC_ARGS((const char *aszUserName, const char *aszPassword, struct authen_data *data, const char *aszService));

/*
 * Authenticate aszUserName/aszPassword against the PAM service aszService.
 * The NAS identity in data is exported to the modules as PAM items:
 * PAM_RUSER = "user:NAC_address", PAM_RHOST = NAS name, PAM_TTY = NAS port.
 * Returns 0 when pam_authenticate() reports PAM_SUCCESS, 1 otherwise.
 * Several lines of this body are elided in the listing (the early return
 * after a failed pam_start, the pam_end failure branch).
 */
88 tac_pam_auth(aszUserName, aszPassword, data, aszService)
89 const char *aszUserName;
90 const char *aszPassword;
91 struct authen_data *data;
92 const char *aszService;
94 pam_handle_t *pamh = NULL;
96 char *lpszRemoteUser; /* Username/NAC address */
97 struct pam_conv s_conv;
/* Credentials are passed to fconv() by pointer; nothing is copied here. */
101 s_UserCred.UserName = aszUserName;
102 s_UserCred.Passwd = aszPassword;
105 s_conv.appdata_ptr = (void *) &s_UserCred;
/*
 * Size = strlen(user) + ':' + strlen(address) + NUL, which is exactly what
 * the sprintf() below needs.  NOTE(review): data->NAS_id and NAC_address
 * are dereferenced without a NULL check; presumably guaranteed by the
 * caller -- confirm.  snprintf() with this same length would make the bound
 * explicit rather than implicit in the arithmetic.
 */
108 lpszRemoteUser = tac_malloc((strlen(aszUserName)+1+strlen(data->NAS_id->NAC_address)+1) * sizeof(char));
110 retval = pam_start(aszService,aszUserName , &s_conv, &pamh);
112 if (retval != PAM_SUCCESS) {
113 report(LOG_ERR, "cannot start pam-authentication");
114 free(lpszRemoteUser);
/* Note the separator is ':' although the file header comment writes "username/rem_addr". */
119 sprintf(lpszRemoteUser,"%s:%s",aszUserName,data->NAS_id->NAC_address);
/* NOTE(review): the pam_set_item() return values are not checked. */
121 pam_set_item(pamh,PAM_RUSER,lpszRemoteUser);
122 pam_set_item(pamh,PAM_RHOST,data->NAS_id->NAS_name);
123 pam_set_item(pamh,PAM_TTY,data->NAS_id->NAS_port);
/* PAM copies item strings, so the buffer can be released right away. */
125 free(lpszRemoteUser);
/*
 * flags == 0: PAM_DISALLOW_NULL_AUTHTOK is not passed, so whether an empty
 * password is rejected is left to the module configuration.
 */
127 retval = pam_authenticate(pamh,0); /* is user really user? */
129 if(retval != PAM_SUCCESS)
130 report(LOG_ERR, "%s",pam_strerror(pamh,retval));
/* pam_end() receives the outcome so modules can act on it during cleanup. */
132 if (pam_end(pamh,retval) != PAM_SUCCESS) { /* close Linux-PAM */
137 return ( retval == PAM_SUCCESS ? 0:1 ); /* indicate success */
141 /* PAM authorization routine written by
142 * Devrim SERAL <devrim@tef.gazi.edu.tr>
145 int tac_pam_authorization TAC_ARGS((const char *aszUserName, struct author_data *data, const char *aszService));

/*
 * Account check for aszUserName through the PAM service aszService
 * (pam_acct_mgmt, not pam_authenticate: no password is involved).
 * Exports the same PAM items as tac_pam_auth(): PAM_RUSER =
 * "user:NAC_address", PAM_RHOST = NAS name, PAM_TTY = NAS port.
 * Returns 0 when pam_acct_mgmt() reports PAM_SUCCESS, 1 otherwise.
 * Several lines of this body are elided in the listing.
 */
148 tac_pam_authorization(aszUserName, data, aszService)
149 const char *aszUserName;
150 struct author_data *data;
151 const char *aszService;
153 pam_handle_t *pamh = NULL;
155 char *lpszRemoteUser; /* Username/NAC address */
156 struct pam_conv s_conv;
/* Only the user name is available to fconv() here; Passwd is not set in the visible lines. */
160 s_UserCred.UserName = aszUserName;
163 s_conv.appdata_ptr = (void *) &s_UserCred;
/*
 * NOTE(review): the body of this branch is elided in the listing.  The
 * message wording suggests that a missing service name results in the user
 * being authorized without consulting PAM at all (fail-open).  Confirm what
 * the branch returns; for an authorization check, denying is the safer
 * default when the policy cannot be evaluated.
 */
165 if (aszService== NULL) {
166 report(LOG_ERR,"Service Name doesn't available So authorize him");
/*
 * Size = strlen(user) + strlen(address) + 2 (':' and NUL), matching the
 * sprintf() below.  NOTE(review): data->id and NAC_address are not
 * NULL-checked here -- presumably guaranteed by the caller; confirm.
 */
170 lpszRemoteUser = tac_malloc((strlen(aszUserName)+strlen(data->id->NAC_address)+2) * sizeof(char));
172 retval = pam_start(aszService,aszUserName , &s_conv, &pamh);
174 if (retval != PAM_SUCCESS) {
175 report(LOG_ERR, "cannot start pam-authentication");
176 free(lpszRemoteUser);
181 sprintf(lpszRemoteUser,"%s:%s",aszUserName,data->id->NAC_address);
/* NOTE(review): the pam_set_item() return values are not checked. */
183 pam_set_item(pamh,PAM_RUSER,lpszRemoteUser);
184 pam_set_item(pamh,PAM_RHOST,data->id->NAS_name);
185 pam_set_item(pamh,PAM_TTY,data->id->NAS_port);
/* PAM copies item strings, so the buffer can be released right away. */
187 free(lpszRemoteUser);
189 retval = pam_acct_mgmt(pamh, 0); /* Is user permit to gain access system */
191 if (retval != PAM_SUCCESS)
192 report(LOG_ERR, "Pam Account Managment:%s",pam_strerror(pamh,retval));
/*
 * NOTE(review): in the visible lines this debug message is not tied to
 * retval (lines between 192 and 194 are elided); if it is not part of an
 * else branch it is also logged when the account check failed -- confirm.
 */
194 if (debug & DEBUG_AUTHOR_FLAG)
195 report(LOG_DEBUG, "PAM authorization allow user");
/* pam_end() receives the outcome so modules can act on it during cleanup. */
198 if (pam_end(pamh,retval) != PAM_SUCCESS) { /* close Linux-PAM */
203 return ( retval == PAM_SUCCESS ? 0:1 ); /* indicate success */