

[src/trunk]: src Add an S/Key PAM module.



details:   https://anonhg.NetBSD.org/src/rev/a7bcc08396df
branches:  trunk
changeset: 574404:a7bcc08396df
user:      thorpej <thorpej%NetBSD.org@localhost>
date:      Sun Feb 27 21:01:59 2005 +0000

description:
Add an S/Key PAM module.

diffstat:

 distrib/sets/lists/base/shl.mi         |    3 +-
 distrib/sets/lists/man/mi              |    4 +-
 lib/libpam/modules/Makefile            |    6 +-
 lib/libpam/modules/pam_skey/Makefile   |   15 ++++
 lib/libpam/modules/pam_skey/pam_skey.8 |   69 +++++++++++++++++++
 lib/libpam/modules/pam_skey/pam_skey.c |  117 +++++++++++++++++++++++++++++++++
 6 files changed, 211 insertions(+), 3 deletions(-)

diffs (274 lines):

diff -r 87d6ee99a052 -r a7bcc08396df distrib/sets/lists/base/shl.mi
--- a/distrib/sets/lists/base/shl.mi    Sun Feb 27 19:30:20 2005 +0000
+++ b/distrib/sets/lists/base/shl.mi    Sun Feb 27 21:01:59 2005 +0000
@@ -1,4 +1,4 @@
-# $NetBSD: shl.mi,v 1.299 2005/02/20 06:49:01 christos Exp $
+# $NetBSD: shl.mi,v 1.300 2005/02/27 21:01:59 thorpej Exp $
 # Note: libtermcap and libtermlib are hardlinked and share the same version.
 ./lib/libc.so.12.125                           base-sys-shlib
 ./lib/libcrypt.so.0.2                          base-sys-shlib
@@ -101,5 +101,6 @@
 ./usr/lib/security/pam_rootok.so.0             base-sys-shlib          pam
 ./usr/lib/security/pam_securetty.so.0          base-sys-shlib          pam
 ./usr/lib/security/pam_self.so.0               base-sys-shlib          pam
+./usr/lib/security/pam_skey.so.0               base-sys-shlib          pam
 ./usr/lib/security/pam_ssh.so.0                        base-sys-shlib          pam
 ./usr/lib/security/pam_unix.so.0               base-sys-shlib          pam
diff -r 87d6ee99a052 -r a7bcc08396df distrib/sets/lists/man/mi
--- a/distrib/sets/lists/man/mi Sun Feb 27 19:30:20 2005 +0000
+++ b/distrib/sets/lists/man/mi Sun Feb 27 21:01:59 2005 +0000
@@ -1,4 +1,4 @@
-# $NetBSD: mi,v 1.763 2005/02/22 14:40:00 peter Exp $
+# $NetBSD: mi,v 1.764 2005/02/27 21:01:59 thorpej Exp $
 ./etc/mtree/set.man                            man-sys-root
 ./usr/share/info/am-utils.info                 man-amd-info            info
 ./usr/share/info/as.info                       man-computil-info       bfd,info
@@ -1966,6 +1966,7 @@
 ./usr/share/man/cat8/pam_rootok.0              man-sysutil-catman      pam,.cat
 ./usr/share/man/cat8/pam_securetty.0           man-sysutil-catman      pam,.cat
 ./usr/share/man/cat8/pam_self.0                        man-sysutil-catman      pam,.cat
+./usr/share/man/cat8/pam_skey.0                        man-sysutil-catman      pam,.cat
 ./usr/share/man/cat8/pam_ssh.0                 man-sysutil-catman      pam,.cat
 ./usr/share/man/cat8/pam_unix.0                        man-sysutil-catman      pam,.cat
 ./usr/share/man/cat8/pc532/MAKEDEV.0           man-obsolete            obsolete
@@ -4164,6 +4165,7 @@
 ./usr/share/man/man8/pam_rootok.8              man-sysutil-man         .man,pam
 ./usr/share/man/man8/pam_securetty.8           man-sysutil-man         .man,pam
 ./usr/share/man/man8/pam_self.8                        man-sysutil-man         .man,pam
+./usr/share/man/man8/pam_skey.8                        man-sysutil-man         .man,pam
 ./usr/share/man/man8/pam_ssh.8                 man-sysutil-man         .man,pam
 ./usr/share/man/man8/pam_unix.8                        man-sysutil-man         .man,pam
 ./usr/share/man/man8/pc532/MAKEDEV.8           man-obsolete            obsolete
diff -r 87d6ee99a052 -r a7bcc08396df lib/libpam/modules/Makefile
--- a/lib/libpam/modules/Makefile       Sun Feb 27 19:30:20 2005 +0000
+++ b/lib/libpam/modules/Makefile       Sun Feb 27 21:01:59 2005 +0000
@@ -1,4 +1,4 @@
-# $NetBSD: Makefile,v 1.7 2005/02/20 00:37:49 christos Exp $
+# $NetBSD: Makefile,v 1.8 2005/02/27 21:01:59 thorpej Exp $
 # Copyright 1998 Juniper Networks, Inc.
 # All rights reserved.
 #
@@ -35,6 +35,10 @@
 
 LIBDPLIBS=     util    ${LIB_ROOT_DIR}/libutil
 
+.if (${MKSKEY} != "no")
+SUBDIR+= pam_skey
+.endif
+
 .if (${MKKERBEROS} != "no")
 SUBDIR+= pam_krb5 pam_ksu
 LIBDPLIBS+=    krb5    ${LIB_ROOT_DIR}/libkrb5 \
diff -r 87d6ee99a052 -r a7bcc08396df lib/libpam/modules/pam_skey/Makefile
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/lib/libpam/modules/pam_skey/Makefile      Sun Feb 27 21:01:59 2005 +0000
@@ -0,0 +1,15 @@
+# $NetBSD: Makefile,v 1.1 2005/02/27 21:01:59 thorpej Exp $
+
+NOLINT=                # don't build a lint library
+NOPROFILE=     # don't build a profile library
+NOPICINSTALL=  # don't install _pic.a library
+
+.include <bsd.own.mk>
+
+LIB=   pam_skey
+SRCS=  pam_skey.c
+MAN=   pam_skey.8
+
+LIBDPLIBS=     skey    ${LIB_ROOT_DIR}/libskey
+
+.include "${.CURDIR}/../mod.mk"
diff -r 87d6ee99a052 -r a7bcc08396df lib/libpam/modules/pam_skey/pam_skey.8
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/lib/libpam/modules/pam_skey/pam_skey.8    Sun Feb 27 21:01:59 2005 +0000
@@ -0,0 +1,69 @@
+.\"    $NetBSD: pam_skey.8,v 1.1 2005/02/27 21:01:59 thorpej Exp $
+.\"
+.\" Copyright (c) 2005 The NetBSD Foundation, Inc.
+.\" All rights reserved.
+.\"
+.\" This code is derived from software contributed to The NetBSD Foundation
+.\" by Jason R. Thorpe.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\" 3. All advertising materials mentioning features or use of this software
+.\"    must display the following acknowledgement:
+.\"        This product includes software developed by the NetBSD
+.\"        Foundation, Inc. and its contributors.
+.\" 4. Neither the name of The NetBSD Foundation nor the names of its
+.\"    contributors may be used to endorse or promote products derived
+.\"    from this software without specific prior written permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
+.\" ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+.\" TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
+.\" BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+.\" CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+.\" SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+.\" INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+.\" CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+.\" POSSIBILITY OF SUCH DAMAGE.
+.\"
+.Dd February 27, 2005
+.Dt PAM_SKEY 8
+.Os
+.Sh NAME
+.Nm pam_skey
+.Nd S/Key PAM module
+.Sh SYNOPSIS
+.Op Ar service-name
+.Ar module-type
+.Ar control-flag
+.Pa pam_skey
+.Op Ar options
+.Sh DESCRIPTION
+The
+.Em S/Key
+service module for PAM provides authentication services based on the
+.Em S/Key
+One Time Password
+.Pq OTP
+authentication system.
+.Pp
+The
+.Nm
+module has no optional parameters.
+.Sh FILES
+.Bl -tag -width ".Pa /etc/skeykeys" -compact
+.It Pa /etc/skeykeys
+database of information for the S/Key system.
+.El
+.Sh SEE ALSO
+.Xr skey 1 ,
+.Xr skeyinit 1 ,
+.Xr pam 8
diff -r 87d6ee99a052 -r a7bcc08396df lib/libpam/modules/pam_skey/pam_skey.c
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/lib/libpam/modules/pam_skey/pam_skey.c    Sun Feb 27 21:01:59 2005 +0000
@@ -0,0 +1,117 @@
+/*     $NetBSD: pam_skey.c,v 1.1 2005/02/27 21:01:59 thorpej Exp $     */
+
+/*-
+ * Copyright (c) 2005 The NetBSD Foundation, Inc.
+ * All rights reserved.
+ *
+ * This code is derived from software contributed to The NetBSD Foundation
+ * by Jason R. Thorpe.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *     This product includes software developed by the NetBSD
+ *     Foundation, Inc. and its contributors.
+ * 4. Neither the name of The NetBSD Foundation nor the names of its
+ *    contributors may be used to endorse or promote products derived
+ *    from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
+ * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+ * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
+ * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include <sys/cdefs.h>
+__RCSID("$NetBSD: pam_skey.c,v 1.1 2005/02/27 21:01:59 thorpej Exp $");
+
+#include <sys/types.h>
+#include <string.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+
+#include <skey.h>
+
+#define        PAM_SM_AUTH
+
+#include <security/pam_appl.h>
+#include <security/pam_modules.h>
+#include <security/pam_mod_misc.h>
+
+/*
+ * authentication management
+ */
+PAM_EXTERN int
+/*ARGSUSED*/
+pam_sm_authenticate(pam_handle_t *pamh, int flags __unused,
+    int argc __unused, const char *argv[] __unused)
+{
+       const char *user, *skinfo, *pass;
+       char *response;
+       int retval;
+       char skprompt[80];
+
+       if (openpam_get_option(pamh, PAM_OPT_AUTH_AS_SELF)) {
+               user = getlogin();
+       } else {
+               retval = pam_get_user(pamh, &user, NULL);
+               if (retval != PAM_SUCCESS)
+                       return (retval);
+               PAM_LOG("Got user: %s", user);
+       }
+
+       if (skey_haskey(user) != 0)
+               return (PAM_SERVICE_ERR);       /* XXX PAM_AUTHINFO_UNAVAIL? */
+
+       skinfo = skey_keyinfo(user);
+       if (skinfo == NULL) {
+               PAM_VERBOSE_ERROR("Error getting S/Key challenge");
+               return (PAM_SERVICE_ERR);
+       }
+
+       (void) snprintf(skprompt, sizeof(skprompt),
+           "Password [%s]:", skinfo);
+
+       retval = pam_get_authtok(pamh, PAM_AUTHTOK, &pass, skprompt);
+       if (retval != PAM_SUCCESS)
+               return (retval);
+
+       response = strdup(pass);
+       if (response == NULL) {
+               pam_error(pamh, "Unable to copy S/Key response");
+               return (PAM_SERVICE_ERR);
+       }
+
+       retval = skey_passcheck(user, response) == -1 ?
+           PAM_AUTH_ERR : PAM_SUCCESS;
+
+       free(response);
+
+       return (retval);
+}
+
+PAM_EXTERN int
+/*ARGSUSED*/
+pam_sm_setcred(pam_handle_t *pamh __unused, int flags __unused,
+    int argc __unused, const char *argv[] __unused)
+{
+
+       return (PAM_SUCCESS);
+}
+
+PAM_MODULE_ENTRY("pam_skey");
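Review bot: In pam_sm_authenticate the `PAM_OPT_AUTH_AS_SELF` branch assigns `user = getlogin()` and hands it straight to `skey_haskey(user)` and `skey_keyinfo(user)` with no NULL check. getlogin() can return NULL when the process has no login name, and how libskey treats a NULL name is not visible in this hunk. Adding `if (user == NULL) return (PAM_SERVICE_ERR);` right after the call keeps that case out of the lookup path. The `strdup(pass)` copy of the response is released with a plain `free(response)`; wiping it first with a clear the compiler cannot elide would keep the typed response out of freed heap memory. pam_skey.8 in this commit says the module "has no optional parameters", while this code honours `PAM_OPT_AUTH_AS_SELF`, so the option deserves a line in the man page.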


