2 Copyright (c) 1995-1998 by Cisco systems, Inc.
4 Permission to use, copy, modify, and distribute this software for
5 any purpose and without fee is hereby granted, provided that this
6 copyright and permission notice appear on all copies of the
7 software and supporting documentation, the name of Cisco Systems,
8 Inc. not be used in advertising or publicity pertaining to
9 distribution of the program without specific prior permission, and
10 notice be given in supporting documentation that modification,
11 copying and distribution is by permission of Cisco Systems, Inc.
13 Cisco Systems, Inc. makes no representations about the suitability
14 of this software for any purpose. THIS SOFTWARE IS PROVIDED ``AS
15 IS'' AND WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING,
16 WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
17 FITNESS FOR A PARTICULAR PURPOSE.
23 * If you are defining a system from scratch, the following may be useful.
24 * Otherwise, just use the system definitions below this section.
27 /* Define this for minor include file differences on SYSV-based systems */
30 /* Define this if your sys_errlist is defined using const */
31 /* #define CONST_SYSERRLIST */
33 /* Do you need tacacs+ versions of bzero etc. */
34 /* #define NEED_BZERO */
36 /* Define this if you have shadow passwords in /etc/passwd and
37 * /etc/shadow. Note that you usually need to be root to read
39 /*#define SHADOW_PASSWORDS*/
41 /* Define this if your malloc is defined in malloc.h instead of stdlib.h */
42 /* #define STDLIB_MALLOC */
44 /* Define this if your wait call status is a union as opposed to an int */
45 /* #define UNIONWAIT */
47 /* Define this if your signal() uses a function returning void instead
52 /* Define this if your password file does not contain age and comment fields. */
53 /* #define NO_PWAGE */
55 /* Define this if you need a getdtablesize routine defined */
56 /* #define GETDTABLESIZE */
58 /* Define this if your system does not reap children automatically
59 * when you ignore SIGCLD */
60 /* #define REAPCHILD */
62 /* Define this if you have DES routines you can link to for ARAP (See
63 * the user's guide for more details).
65 /* #define ARAP_DES */
67 /* Define this if you find that your daemon quits after being sent more than
68 * one SIGUSR1. Some systems need to explicitly rearm signals after they've been
71 /* #define REARMSIGNAL */
73 #define VERSION "F4.0.3.alpha.v8 (Extended Tac_plus)"
82 #define CONST_SYSERRLIST
89 * The only way to properly compile BSD stuff on AIX is to define a
90 * "bsdcc" compiler on your system. See /usr/lpp/bos/bsdport on your
91 * system for details. People who do NOT do this tell me that the code
92 * still compiles but that it then doesn't behave correctly e.g. child
93 * processes are not reaped correctly. Don't expect much sympathy if
110 #define CONST_SYSERRLIST
116 #define GETDTABLESIZE
123 #define GETDTABLESIZE
125 #define SHADOW_PASSWORDS
132 #define GETDTABLESIZE
134 #define SYSLOG_IN_SYS
139 #define CONST_SYSERRLIST
140 #define STDLIB_MALLOC
147 #define STDLIB_MALLOC
153 #define MSCHAP_DIGEST_LEN 49
157 #include <sys/types.h>
158 #include <sys/socket.h>
159 #include <sys/ioctl.h>
160 #include <sys/file.h>
161 #include <sys/time.h>
162 #include <netinet/in.h>
172 #include <sys/syslog.h>
186 #ifndef TACPLUS_PIDFILE
187 #define TACPLUS_PIDFILE "/var/run/tac_plus.pid"
192 * You probably shouldn't be changing much below this line unless you really
193 * know what you are doing.
196 #define DOLLARSIGN '$'
199 * XTACACSP protocol defintions
203 * This structure describes an authentication method.
204 * authen_name contains the name of the authentication method.
205 * authen_func is a pointer to the authentication function.
206 * authen_method numeric value of authentication method
209 #define AUTHEN_NAME_SIZE 128
212 char authen_name[AUTHEN_NAME_SIZE];
213 int (*authen_func)();
218 * This structure describes a principal that is to be authenticated.
219 * username is the principals name (ASCII, null terminated)
220 * NAS_name is the name of the NAS where the user is
221 * NAS_port is the port on the NAS where the user is
222 * NAC_address is the remote user location. This may be
223 * a remote IP address or a caller-ID or ...
224 * priv_lvl user's requested privilege level.
236 * The authen_data structure is the data structure for passing
237 * information to and from the authentication function
238 * (authen_type.authen_func).
242 struct identity *NAS_id; /* user identity */
243 char *server_msg; /* null-terminated output msg */
245 int server_dlen; /* output data length */
246 char *server_data; /* output data */
248 char *client_msg; /* null-terminated input msg a user typed */
250 int client_dlen; /* input data length */
251 char *client_data; /* input data */
253 void *method_data; /* opaque private method data */
254 int action; /* what's to be done */
255 int service; /* calling service */
256 int status; /* Authen status */
257 int type; /* Authen type */
258 u_char flags; /* input & output flags fields */
262 /* return values for choose_authen(); */
264 #define CHOOSE_FAILED -1 /* failed to choose an authentication function */
265 #define CHOOSE_OK 0 /* successfully chose an authentication function */
266 #define CHOOSE_GETUSER 1 /* need a username before choosing */
267 #define CHOOSE_BADTYPE 2 /* Invalid preferred authen function specified */
271 * This structure is the data structure for passing information to
272 * and from the authorization function (do_author()).
275 struct identity *id; /* user id */
276 int authen_method; /* authentication method */
278 #define AUTHEN_METH_NONE 0x01
279 #define AUTHEN_METH_KRB5 0x02
280 #define AUTHEN_METH_LINE 0x03
281 #define AUTHEN_METH_ENABLE 0x04
282 #define AUTHEN_METH_LOCAL 0x05
283 #define AUTHEN_METH_TACACSPLUS 0x06
284 #define AUTHEN_METH_RCMD 0x20
286 int authen_type; /* authentication type see authen_type */
287 int service; /* calling service */
288 char *msg; /* optional NULL-terminated return message */
289 char *admin_msg; /* optional NULL-terminated admin message */
290 int status; /* return status */
292 #define AUTHOR_STATUS_PASS_ADD 0x01
293 #define AUTHOR_STATUS_PASS_REPL 0x02
294 #define AUTHOR_STATUS_FAIL 0x10
295 #define AUTHOR_STATUS_ERROR 0x11
297 int num_in_args; /* input arg count */
298 char **input_args; /* input arguments */
299 int num_out_args; /* output arg cnt */
300 char **output_args; /* output arguments */
304 /* An API accounting record structure */
306 int acct_type; /* start, stop, update */
308 #define ACCT_TYPE_START 1
309 #define ACCT_TYPE_STOP 2
310 #define ACCT_TYPE_UPDATE 3
312 struct identity *identity;
316 char *msg; /* output field */
317 char *admin_msg; /* output field */
322 #ifndef TAC_PLUS_PORT
323 #define TAC_PLUS_PORT 49
326 /* Define tac_plus name for hosts.* files */
328 #define TACNAME "tac_plus"
331 #define TAC_PLUS_READ_TIMEOUT 180 /* seconds */
332 #define TAC_PLUS_WRITE_TIMEOUT 180 /* seconds */
334 #define NAS_PORT_MAX_LEN 255
337 int session_id; /* host specific unique session id */
338 int aborted; /* have we received an abort flag? */
339 int seq_no; /* seq. no. of last packet exchanged */
340 time_t last_exch; /* time of last packet exchange */
341 int sock; /* socket for this connection */
342 char *key; /* the key */
343 int keyline; /* line number key was found on */
344 char *peer; /* name of connected peer */
345 char *cfgfile; /* config file name */
346 char *acctfile; /* name of accounting file */
347 char *db_acct; /* name of db accounting string */
348 char port[NAS_PORT_MAX_LEN+1]; /* For error reporting */
349 u_char version; /* version of last packet read */
352 extern struct session session; /* the session */
354 /* Global variables */
356 extern int debug; /* debugging flag */
357 extern int logging; /* syslog logging flag */
358 extern int single; /* do not fork (for debugging) */
359 extern int console; /* log to console */
360 extern FILE *ostream; /* for logging to console */
361 extern int parse_only; /* exit after parsing verbosely */
362 extern int sendauth_only; /* don't do sendauth */
364 /* All tacacs+ packets have the same header format */
366 struct tac_plus_pak_hdr {
369 #define TAC_PLUS_MAJOR_VER_MASK 0xf0
370 #define TAC_PLUS_MAJOR_VER 0xc0
372 #define TAC_PLUS_MINOR_VER_0 0x0
373 #define TAC_PLUS_VER_0 (TAC_PLUS_MAJOR_VER | TAC_PLUS_MINOR_VER_0)
375 #define TAC_PLUS_MINOR_VER_1 0x01
376 #define TAC_PLUS_VER_1 (TAC_PLUS_MAJOR_VER | TAC_PLUS_MINOR_VER_1)
380 #define TAC_PLUS_AUTHEN 1
381 #define TAC_PLUS_AUTHOR 2
382 #define TAC_PLUS_ACCT 3
384 u_char seq_no; /* packet sequence number */
385 u_char encryption; /* packet is encrypted or cleartext */
387 #define TAC_PLUS_ENCRYPTED 0x0 /* packet is encrypted */
388 #define TAC_PLUS_CLEAR 0x1 /* packet is not encrypted */
390 int session_id; /* session identifier FIXME: Is this needed? */
391 int datalength; /* length of encrypted data following this
393 /* datalength bytes of encrypted data */
396 #define HASH_TAB_SIZE 157 /* user and group hash table sizes */
398 #define TAC_PLUS_HDR_SIZE 12
400 typedef struct tac_plus_pak_hdr HDR;
402 /* Authentication packet NAS sends to us */
404 struct authen_start {
407 #define TAC_PLUS_AUTHEN_LOGIN 0x1
408 #define TAC_PLUS_AUTHEN_CHPASS 0x2
409 #define TAC_PLUS_AUTHEN_SENDPASS 0x3 /* deprecated */
410 #define TAC_PLUS_AUTHEN_SENDAUTH 0x4
414 #define TAC_PLUS_PRIV_LVL_MIN 0x0
415 #define TAC_PLUS_PRIV_LVL_MAX 0xf
419 #define TAC_PLUS_AUTHEN_TYPE_ASCII 1
420 #define TAC_PLUS_AUTHEN_TYPE_PAP 2
421 #define TAC_PLUS_AUTHEN_TYPE_CHAP 3
422 #define TAC_PLUS_AUTHEN_TYPE_ARAP 4
424 #define TAC_PLUS_AUTHEN_TYPE_MSCHAP 5
429 #define TAC_PLUS_AUTHEN_SVC_LOGIN 1
430 #define TAC_PLUS_AUTHEN_SVC_ENABLE 2
431 #define TAC_PLUS_AUTHEN_SVC_PPP 3
432 #define TAC_PLUS_AUTHEN_SVC_ARAP 4
433 #define TAC_PLUS_AUTHEN_SVC_PT 5
434 #define TAC_PLUS_AUTHEN_SVC_RCMD 6
435 #define TAC_PLUS_AUTHEN_SVC_X25 7
436 #define TAC_PLUS_AUTHEN_SVC_NASI 8
442 /* <user_len bytes of char data> */
443 /* <port_len bytes of char data> */
444 /* <rem_addr_len bytes of u_char data> */
445 /* <data_len bytes of u_char data> */
448 #define TAC_AUTHEN_START_FIXED_FIELDS_SIZE 8
450 /* Authentication continue packet NAS sends to us */
452 u_short user_msg_len;
453 u_short user_data_len;
456 #define TAC_PLUS_CONTINUE_FLAG_ABORT 0x1
458 /* <user_msg_len bytes of u_char data> */
459 /* <user_data_len bytes of u_char data> */
462 #define TAC_AUTHEN_CONT_FIXED_FIELDS_SIZE 5
464 /* Authentication reply packet we send to NAS */
465 struct authen_reply {
468 #define TAC_PLUS_AUTHEN_STATUS_PASS 1
469 #define TAC_PLUS_AUTHEN_STATUS_FAIL 2
470 #define TAC_PLUS_AUTHEN_STATUS_GETDATA 3
471 #define TAC_PLUS_AUTHEN_STATUS_GETUSER 4
472 #define TAC_PLUS_AUTHEN_STATUS_GETPASS 5
473 #define TAC_PLUS_AUTHEN_STATUS_RESTART 6
474 #define TAC_PLUS_AUTHEN_STATUS_ERROR 7
475 #define TAC_PLUS_AUTHEN_STATUS_FOLLOW 0x21
479 #define TAC_PLUS_AUTHEN_FLAG_NOECHO 0x1
484 /* <msg_len bytes of char data> */
485 /* <data_len bytes of u_char data> */
488 #define TAC_AUTHEN_REPLY_FIXED_FIELDS_SIZE 6
490 /* An authorization request packet */
492 u_char authen_method;
500 u_char arg_cnt; /* the number of args */
502 /* <arg_cnt u_chars containing the lengths of args 1 to arg n> */
503 /* <user_len bytes of char data> */
504 /* <port_len bytes of char data> */
505 /* <rem_addr_len bytes of u_char data> */
506 /* <char data for each arg> */
509 #define TAC_AUTHOR_REQ_FIXED_FIELDS_SIZE 8
511 /* An authorization reply packet */
512 struct author_reply {
518 /* <arg_cnt u_chars containing the lengths of arg 1 to arg n> */
519 /* <msg_len bytes of char data> */
520 /* <data_len bytes of char data> */
521 /* <char data for each arg> */
524 #define TAC_AUTHOR_REPLY_FIXED_FIELDS_SIZE 6
529 #define TAC_PLUS_ACCT_FLAG_MORE 0x1
530 #define TAC_PLUS_ACCT_FLAG_START 0x2
531 #define TAC_PLUS_ACCT_FLAG_STOP 0x4
532 #define TAC_PLUS_ACCT_FLAG_WATCHDOG 0x8
534 u_char authen_method;
537 u_char authen_service;
541 u_char arg_cnt; /* the number of cmd args */
542 /* one u_char containing size for each arg */
543 /* <user_len bytes of char data> */
544 /* <port_len bytes of char data> */
545 /* <rem_addr_len bytes of u_char data> */
546 /* char data for args 1 ... n */
549 #define TAC_ACCT_REQ_FIXED_FIELDS_SIZE 9
556 #define TAC_PLUS_ACCT_STATUS_SUCCESS 0x1
557 #define TAC_PLUS_ACCT_STATUS_ERROR 0x2
558 #define TAC_PLUS_ACCT_STATUS_FOLLOW 0x21
562 #define TAC_ACCT_REPLY_FIXED_FIELDS_SIZE 5
565 #define TAC_PLUS_MAX_ITERATIONS 50
567 #define MIN(a,b) ((a)<(b)?(a):(b))
568 #define STREQ(a,b) (strcmp(a,b)==0)
569 #define MAX_INPUT_LINE_LEN 255
571 /* Debugging flags */
573 #define DEBUG_PARSE_FLAG 2
574 #define DEBUG_FORK_FLAG 4
575 #define DEBUG_AUTHOR_FLAG 8
576 #define DEBUG_AUTHEN_FLAG 16
577 #define DEBUG_PASSWD_FLAG 32
578 #define DEBUG_ACCT_FLAG 64
579 #define DEBUG_CONFIG_FLAG 128
580 #define DEBUG_PACKET_FLAG 256
581 #define DEBUG_HEX_FLAG 512
582 #define DEBUG_MD5_HASH_FLAG 1024
583 #define DEBUG_XOR_FLAG 2048
584 #define DEBUG_CLEAN_FLAG 4096
585 #define DEBUG_SUBST_FLAG 8192
586 #define DEBUG_PROXY_FLAG 16384
587 #define DEBUG_MAXSESS_FLAG 32768
588 #define DEBUG_LOCK_FLAG 65536
590 extern char *codestring();
591 extern int keycode();
593 #define TAC_IS_USER 1
594 #define TAC_PLUS_RECURSE 1
595 #define TAC_PLUS_NORECURSE 0
597 #define DEFAULT_USERNAME "DEFAULT"
605 #define N_svc_exec 52
606 #define N_svc_slip 53
608 #define N_svc_arap 55
614 /* A parse tree node */
616 int type; /* node type (arg, svc, proto) */
617 void *next; /* pointer to next node in chain */
618 void *value; /* node value */
619 void *value1; /* node value */
620 int dflt; /* default value for node */
621 int line; /* line number declared on */
624 typedef struct node NODE;
631 typedef union v VALUE;
634 extern void accounting();
637 extern void report_string();
638 extern void report_hex();
640 extern void report(int priority, char *fmt,...);
642 extern void report();
646 extern u_char *get_authen_continue();
647 extern int send_authen_reply();
650 extern char *tac_malloc();
651 extern char *tac_strdup();
652 extern char *tac_make_string();
653 extern char *tac_find_substring();
654 extern char *tac_realloc();
657 extern char *summarise_outgoing_packet_type();
658 extern char *summarise_incoming_packet_type();
661 extern void author();
664 extern void *hash_add_entry();
665 extern void **hash_get_entries();
666 extern void *hash_lookup();
669 extern int cfg_get_intvalue();
670 extern char * cfg_get_pvalue();
671 extern char *cfg_get_authen_default();
672 extern int cfg_get_authen_default_method();
673 extern char **cfg_get_svc_attrs();
674 extern NODE *cfg_get_cmd_node();
675 extern NODE *cfg_get_svc_node();
676 extern char *cfg_get_expires();
677 extern char *cfg_get_login_secret();
678 extern int cfg_get_user_nopasswd();
679 extern char *cfg_get_arap_secret();
680 extern char *cfg_get_chap_secret();
682 extern char *cfg_get_mschap_secret();
684 extern char *cfg_get_pap_secret();
685 extern char *cfg_get_opap_secret();
686 extern char *cfg_get_global_secret();
688 extern char *cfg_get_pam_service();
690 extern void cfg_clean_config();
691 extern char *cfg_nodestring();
694 extern struct passwd *tac_passwd_lookup();
697 extern void parser_init();
700 extern void set_expiration_status();
703 #ifdef CONST_SYSERRLIST
704 extern const char *const sys_errlist[];
706 extern char *sys_errlist[];
709 extern int sendauth_fn();
710 extern int sendpass_fn();
711 extern int enable_fn();
712 extern int default_fn();
713 extern int default_v0_fn();
714 extern int skey_fn();
716 extern void mschap_lmchallengeresponse();
717 extern void mschap_ntchallengeresponse();
722 extern void maxsess_loginit();
723 extern int maxsess_check_count();
726 * This is a shared file used to maintain a record of who's on
728 #define WHOLOG_DEFAULT "/var/log/tac_who.log"
731 * This is state kept per user/session
734 char username[64]; /* User name */
735 char NAS_name[32]; /* NAS user logged into */
736 char NAS_port[32]; /* ...port on that NAS */
737 char NAC_address[32]; /* ...IP address of NAS */
743 extern int tac_pam_authorization();
746 #define LOGFILE_DEFAULT "/var/log/tac_plus.log"
748 extern struct timeval started_at;
749 extern char *logfile;
750 extern char *wtmpfile;