Attachment #81492 for bug #55279




$Id: INSTALL,v 1.1.1.1 2005/06/18 12:11:24 kreator Exp $

Gentoo patch
------------
Most everything below still holds, though the libraries required are now
those used by Gentoo.  Other S/Key libraries may work with a bit of
tweaking.

The options listed for the module below are no longer valid.  See the
Gentoo patch section in README for details.

The intended method for configuring PAM is by using the newer module
specification, with a line like:

auth	[success=done ignore=ignore auth_err=die default=bad] /lib/security/pam_skey.so

This is a combination of the standard "sufficient" and "requisite"
specifications:

- If the module returns PAM_SUCCESS, we are authenticated and no other
  modules should be tested.
- If the module returns PAM_IGNORE, then the module didn't accept its
  input as an S/Key response, and the next module should try using
  the input (using the try_first_pass option).
- If the module returns PAM_AUTH_ERR, then the module accepted an
  S/Key input but it was invalid.  Do not try any more modules in the
  stack; the user already chose S/Key authentication.
- If the module returns any other code, it is a simple error in processing.
  Set the error flag but try other modules, just in case.

The module is intended to be placed before another authentication module,
like pam_unix.so; if not, it should be placed before pam_deny.so.

If the newer module specification is unavailable in your version of PAM,
the "sufficient" specification will work.

Required
--------
For building this package you will probably need original Wietse Venema's




LIBS=@LIBS@ @SKEYLIB@ @PAMLIB@
LDFLAGS=@LDFLAGS@

INSTALL=@INSTALL@
INSTALL_LIB=${INSTALL} -m 755
RM=@RM@ -f
CP=@CP@ -f
LN=@LN@ -s
AWK=@AWK@

PAM_FILES=pam_skey.so

all: $(PAM_FILES)

pam_skey.so: pam_skey.o
	$(CC) $(CFLAGS) -o $@ $< $(LIBS) $(LDFLAGS)

pam_skey_access.so.1: pam_skey_access.o
	$(CC) $(CFLAGS) -o $@ $< $(LIBS) $(LDFLAGS)

lint-pam_skey:
	lclint $(CFLAGS) pam_skey.c

install: all
	$(INSTALL) -d $(INSTALLDIR)
	$(INSTALL_LIB) $(PAM_FILES) $(INSTALLDIR)
install:
	@if test ! -d $(INSTALLDIR); then \
		echo "Missing $(INSTALLDIR). Problem with PAM installation?"; \
	else \
		for file in $(PAM_FILES); do \
			if test ! -f "$(INSTALLDIR)/$$file"; then \
				echo "Installing $$file in $(INSTALLDIR)"; \
				$(INSTALL) "$$file" "$(INSTALLDIR)/$$file"; \
				(cd $(INSTALLDIR) && $(LN) "$$file" `echo $$file | cut -d. -f1,2`); \
			else \
				echo "$$file exists - will not overwrite it"; \
			fi \
		done \
	fi

clean:
	$(RM) a.out core *.so.1 *.o *.bak




$Id: README,v 1.2 2005/06/18 12:36:18 kreator Exp $

Gentoo patch
------------

The Gentoo pam_skey patch changes the original module in a number of ways.
The behavior of the module is changed to make it more consistent with the
PAM design, and several changes were made throughout the code to make the
module interact better with the skey library used by Gentoo.  Many of
these changes will break pam_skey's compatibility with other systems and
libraries, but this is, after all, the Gentoo patch.

A (not necessarily) exhaustive list of the changes is as follows:
- pam_skey_access.so is completely removed, since the Gentoo skey library
  does not support the skey_access() call.
- The pam_skey.so authentication code is completely rewritten.  The
  original code contained many references to the standard I/O library
  (writing to stderr, etc.), as well as inconsistent communication with
  the PAM libraries.  Also, the authentication process is different, as
  described below.
- The options accepted by the pam_skey.so module are different, as
  described below.

Four options are accepted by the pam_skey.so module:
  debug                  - This option turns on debug logging.
  try_first_pass         - This option tells the module to first try using
                           the authentication token passed from the
			   previous module as an S/Key response, before
			   informing the user of the challenge.  If the
			   token is not valid, the module will proceed with
			   the standard process of challenging the user
			   and requesting a response, subject to the
			   no_default_skey option below.
  use_first_pass         - This option is identical to the try_first_pass
                           option, except that if the token is not valid,
			   it will return silently without challenging the
			   user.
  no_default_skey        - This flag changes the behavior of pam_skey.
                           Instead of immediately challenging the user with
			   an S/Key challenge, it will present the user with
			   a standard "Password: " prompt.  If the user enters
			   the password "s/key" (case insensitive), it will
			   then challenge the user.  Any other input will
			   cause the module to pass the given password to the
			   next module in the authentication stack (usually
			   pam_unix.so with the try_first_pass option).

The exact behavior of pam_skey.so is detailed below:

1. Retrieve username from PAM, possibly querying the user for it.
2. If the user does not have any S/Key information, return PAM_IGNORE to
   proceed to the next module in the stack.
3. If *_first_pass is enabled, check the given authentication token to see
   if it is a valid response to the current S/Key challenge.  If so,
   return PAM_SUCCESS.
 3a. If the token is invalid and use_first_pass is enabled, return
     PAM_IGNORE.
4. If no_default_skey is enabled, issue a "Password: " prompt.
 4a. If the response is anything besides "s/key" (case insensitive),
     store it as the authentication token and return PAM_IGNORE.
5. Display the current S/Key challenge and request a response, with
   input not echoed.  If no_default_skey is enabled, this will only be
   an S/Key response request; otherwise, it will request either an
   S/Key response or a system passsword.
 5a. If an empty response is given, request the S/Key response again,
     this time with input echoed.
 5b. If the response is a valid S/Key response, return PAM_SUCCESS.
     Otherwise, return PAM_AUTHERR.
6. If the response is a valid S/Key response, return PAM_SUCCESS.
7. Otherwise, if no_default_skey is enabled (the user specifically
   requested "s/key" authentication), return PAM_AUTHERR.
8. Otherwise, store the response as the authentication token and
   return PAM_IGNORE.

About
-----
This is complete pam_skey modul as interface to existing S/Key

Lines 1-5 Link Here

(-)pam_skey-1.1.4/RELEASENOTES (-1 / +4 lines)
1	RELEASE 1.1.4 - Sat Jun 18 14:28:31 CEST 2005	1	RELEASE 1.1.4 - Sat Jun 18 14:28:31 CEST 2005
2		2
3	* fix for _pam_delete() if we got AUTHTOK	3	* misc changes in source
		4	* FreeBSD testing
		5	* add support for Yuri Yudin's S/Key library (port from OpenBSD)
		6	* fixed dlopen() issue for Solaris (appearing in proftpd suite)
4		7
5	- Dinko Korunic <kreator@srce.hr>	8	- Dinko Korunic <kreator@srce.hr>




/* Define if we can include both string.h and strings.h */
#undef STRING_WITH_STRINGS

/* Define if you have Linux */
#undef LINUX

/* Define if you have *BSD */
#undef BSD

/* Define if not missing skeyaccess() */
#undef HAVE_SKEYACCESS

/* Define if not missing skeyinfo() */
#undef HAVE_SKEYINFO

/* Define if you have skeylookup() instead of skeyinfo() */
#undef HAVE_SKEYLOOKUP




AC_LANG_C
AC_LANG_SAVE

dnl Get system type
AC_CANONICAL_HOST
MYHOST=$host_os
case "$host_os" in
*linux*)
  AC_DEFINE(LINUX)
  ;;
*bsd*)
  AC_DEFINE(BSD)
  ;;
esac

dnl Package information
PACKAGE=pam_skey
VERSION=1.4r1

dnl Standard installation path
AC_PREFIX_DEFAULT(/usr)

AC_ARG_WITH(skey-inc, [  --with-skey-inc=DIR     Directory containing skey include files], CFLAGS="${CFLAGS} -I${withval}")

dnl Check for skey library
AC_CHECK_LIB(socket, socket, LIBS="${LIBS} -lsocket")
AC_CHECK_LIB(nsl, gethostbyname, LIBS="${LIBS} -lnsl")
AC_CHECK_LIB(skey, skeyverify, SKEYLIB="-lskey", AC_MSG_ERROR(skey library not found or unknown interface))
AC_CHECK_LIB(skey, skeyaccess, AC_DEFINE(HAVE_SKEYACCESS))
AC_CHECK_LIB(skey, skeyinfo, AC_DEFINE(HAVE_SKEYINFO),
  AC_CHECK_LIB(skey, skeylookup, AC_DEFINE(HAVE_SKEYLOOKUP))
)

dnl Check against -G linker flag
hold_ldflags=$LDFLAGS




# include <unistd.h>
#endif"

ac_subst_vars='SHELL PATH_SEPARATOR PACKAGE_NAME PACKAGE_TARNAME PACKAGE_VERSION PACKAGE_STRING PACKAGE_BUGREPORT exec_prefix prefix program_transform_name bindir sbindir libexecdir datadir sysconfdir sharedstatedir localstatedir libdir includedir oldincludedir infodir mandir build_alias host_alias target_alias DEFS ECHO_C ECHO_N ECHO_T LIBS CC CFLAGS LDFLAGS CPPFLAGS ac_ct_CC EXEEXT OBJEXT SET_MAKE RM LN CP AWK INSTALL_PROGRAM INSTALL_SCRIPT INSTALL_DATA CPP EGREP SKEYLIB PAMLIB MYHOST PACKAGE VERSION LIBOBJS LTLIBOBJS'
ac_subst_files=''

# Initialize some variables set by options.

  	  /^X\(\/\).*/{ s//\1/; q; }
  	  s/.*/./; q'`
  srcdir=$ac_confdir
  if test ! -r "$srcdir/$ac_unique_file"; then
    srcdir=..
  fi
else
  ac_srcdir_defaulted=no
fi
if test ! -r "$srcdir/$ac_unique_file"; then
  if test "$ac_srcdir_defaulted" = yes; then
    { echo "$as_me: error: cannot find sources ($ac_unique_file) in $ac_confdir or .." >&2
   { (exit 1); exit 1; }; }

   { (exit 1); exit 1; }; }
  fi
fi
(cd $srcdir && test -r "./$ac_unique_file") 2>/dev/null ||
  { echo "$as_me: error: sources are in $srcdir, but \`cd $srcdir' does not work" >&2
   { (exit 1); exit 1; }; }
srcdir=`echo "$srcdir" | sed 's%\([^\\/]\)[\\/]*$%\1%'`

_ACEOF

  cat <<\_ACEOF

System types:
  --build=BUILD     configure for building on BUILD [guessed]
  --host=HOST       cross-compile to build programs to run on HOST [BUILD]
_ACEOF
fi


    else
      echo "$as_me: WARNING: no configuration information is in $ac_dir" >&2
    fi
    cd $ac_popdir
  done
fi





# Make sure we can run config.sub.
$ac_config_sub sun4 >/dev/null 2>&1 ||
  { { echo "$as_me:$LINENO: error: cannot run $ac_config_sub" >&5
echo "$as_me: error: cannot run $ac_config_sub" >&2;}
   { (exit 1); exit 1; }; }

echo "$as_me:$LINENO: checking build system type" >&5
echo $ECHO_N "checking build system type... $ECHO_C" >&6
if test "${ac_cv_build+set}" = set; then
  echo $ECHO_N "(cached) $ECHO_C" >&6
else
  ac_cv_build_alias=$build_alias
test -z "$ac_cv_build_alias" &&
  ac_cv_build_alias=`$ac_config_guess`
test -z "$ac_cv_build_alias" &&
  { { echo "$as_me:$LINENO: error: cannot guess build type; you must specify one" >&5
echo "$as_me: error: cannot guess build type; you must specify one" >&2;}
   { (exit 1); exit 1; }; }
ac_cv_build=`$ac_config_sub $ac_cv_build_alias` ||
  { { echo "$as_me:$LINENO: error: $ac_config_sub $ac_cv_build_alias failed" >&5
echo "$as_me: error: $ac_config_sub $ac_cv_build_alias failed" >&2;}
   { (exit 1); exit 1; }; }

fi
echo "$as_me:$LINENO: result: $ac_cv_build" >&5
echo "${ECHO_T}$ac_cv_build" >&6
build=$ac_cv_build
build_cpu=`echo $ac_cv_build | sed 's/^\([^-]*\)-\([^-]*\)-\(.*\)$/\1/'`
build_vendor=`echo $ac_cv_build | sed 's/^\([^-]*\)-\([^-]*\)-\(.*\)$/\2/'`
build_os=`echo $ac_cv_build | sed 's/^\([^-]*\)-\([^-]*\)-\(.*\)$/\3/'`


echo "$as_me:$LINENO: checking host system type" >&5
echo $ECHO_N "checking host system type... $ECHO_C" >&6
if test "${ac_cv_host+set}" = set; then
  echo $ECHO_N "(cached) $ECHO_C" >&6
else
  ac_cv_host_alias=$host_alias
test -z "$ac_cv_host_alias" &&
  ac_cv_host_alias=$ac_cv_build_alias
ac_cv_host=`$ac_config_sub $ac_cv_host_alias` ||
  { { echo "$as_me:$LINENO: error: $ac_config_sub $ac_cv_host_alias failed" >&5
echo "$as_me: error: $ac_config_sub $ac_cv_host_alias failed" >&2;}
   { (exit 1); exit 1; }; }

fi
echo "$as_me:$LINENO: result: $ac_cv_host" >&5
echo "${ECHO_T}$ac_cv_host" >&6
host=$ac_cv_host
host_cpu=`echo $ac_cv_host | sed 's/^\([^-]*\)-\([^-]*\)-\(.*\)$/\1/'`
host_vendor=`echo $ac_cv_host | sed 's/^\([^-]*\)-\([^-]*\)-\(.*\)$/\2/'`
host_os=`echo $ac_cv_host | sed 's/^\([^-]*\)-\([^-]*\)-\(.*\)$/\3/'`


MYHOST=$host_os
case "$host_os" in
*linux*)
  cat >>confdefs.h <<\_ACEOF
#define LINUX 1
_ACEOF

  ;;
*bsd*)
  cat >>confdefs.h <<\_ACEOF
#define BSD 1
_ACEOF

  ;;
esac

PACKAGE=pam_skey
VERSION=1.4r1




  cat conftest.err >&5
  echo "$as_me:$LINENO: \$? = $ac_status" >&5
  (exit $ac_status); } &&
	 { ac_try='test -z "$ac_c_werror_flag"
			 || test ! -s conftest.err'
  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
  (eval $ac_try) 2>&5
  ac_status=$?

  cat conftest.err >&5
  echo "$as_me:$LINENO: \$? = $ac_status" >&5
  (exit $ac_status); } &&
	 { ac_try='test -z "$ac_c_werror_flag"
			 || test ! -s conftest.err'
  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
  (eval $ac_try) 2>&5
  ac_status=$?

  cat conftest.err >&5
  echo "$as_me:$LINENO: \$? = $ac_status" >&5
  (exit $ac_status); } &&
	 { ac_try='test -z "$ac_c_werror_flag"
			 || test ! -s conftest.err'
  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
  (eval $ac_try) 2>&5
  ac_status=$?

  cat conftest.err >&5
  echo "$as_me:$LINENO: \$? = $ac_status" >&5
  (exit $ac_status); } &&
	 { ac_try='test -z "$ac_c_werror_flag"
			 || test ! -s conftest.err'
  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
  (eval $ac_try) 2>&5
  ac_status=$?

  cat conftest.err >&5
  echo "$as_me:$LINENO: \$? = $ac_status" >&5
  (exit $ac_status); } &&
	 { ac_try='test -z "$ac_c_werror_flag"
			 || test ! -s conftest.err'
  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
  (eval $ac_try) 2>&5
  ac_status=$?

  cat conftest.err >&5
  echo "$as_me:$LINENO: \$? = $ac_status" >&5
  (exit $ac_status); } &&
	 { ac_try='test -z "$ac_c_werror_flag"
			 || test ! -s conftest.err'
  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
  (eval $ac_try) 2>&5
  ac_status=$?

  cat conftest.err >&5
  echo "$as_me:$LINENO: \$? = $ac_status" >&5
  (exit $ac_status); } &&
	 { ac_try='test -z "$ac_c_werror_flag"
			 || test ! -s conftest.err'
  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
  (eval $ac_try) 2>&5
  ac_status=$?

  cat conftest.err >&5
  echo "$as_me:$LINENO: \$? = $ac_status" >&5
  (exit $ac_status); } &&
	 { ac_try='test -z "$ac_c_werror_flag"
			 || test ! -s conftest.err'
  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
  (eval $ac_try) 2>&5
  ac_status=$?

  cat conftest.err >&5
  echo "$as_me:$LINENO: \$? = $ac_status" >&5
  (exit $ac_status); } &&
	 { ac_try='test -z "$ac_c_werror_flag"
			 || test ! -s conftest.err'
  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
  (eval $ac_try) 2>&5
  ac_status=$?

  cat conftest.err >&5
  echo "$as_me:$LINENO: \$? = $ac_status" >&5
  (exit $ac_status); } &&
	 { ac_try='test -z "$ac_c_werror_flag"
			 || test ! -s conftest.err'
  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
  (eval $ac_try) 2>&5
  ac_status=$?

  cat conftest.err >&5
  echo "$as_me:$LINENO: \$? = $ac_status" >&5
  (exit $ac_status); } &&
	 { ac_try='test -z "$ac_c_werror_flag"
			 || test ! -s conftest.err'
  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
  (eval $ac_try) 2>&5
  ac_status=$?

  cat conftest.err >&5
  echo "$as_me:$LINENO: \$? = $ac_status" >&5
  (exit $ac_status); } &&
	 { ac_try='test -z "$ac_c_werror_flag"
			 || test ! -s conftest.err'
  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
  (eval $ac_try) 2>&5
  ac_status=$?

  CFLAGS="${CFLAGS} -I${withval}"
fi;


echo "$as_me:$LINENO: checking for socket in -lsocket" >&5
echo $ECHO_N "checking for socket in -lsocket... $ECHO_C" >&6
if test "${ac_cv_lib_socket_socket+set}" = set; then

  cat conftest.err >&5
  echo "$as_me:$LINENO: \$? = $ac_status" >&5
  (exit $ac_status); } &&
	 { ac_try='test -z "$ac_c_werror_flag"
			 || test ! -s conftest.err'
  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
  (eval $ac_try) 2>&5
  ac_status=$?

echo "$as_me:$LINENO: result: $ac_cv_lib_socket_socket" >&5
echo "${ECHO_T}$ac_cv_lib_socket_socket" >&6
if test $ac_cv_lib_socket_socket = yes; then
  LIBS="${LIBS} -lsocket"
#define HAVE_LIBSOCKET 1
_ACEOF

  LIBS="-lsocket $LIBS"

fi


echo "$as_me:$LINENO: checking for gethostbyname in -lnsl" >&5
echo $ECHO_N "checking for gethostbyname in -lnsl... $ECHO_C" >&6
if test "${ac_cv_lib_nsl_gethostbyname+set}" = set; then

  cat conftest.err >&5
  echo "$as_me:$LINENO: \$? = $ac_status" >&5
  (exit $ac_status); } &&
	 { ac_try='test -z "$ac_c_werror_flag"
			 || test ! -s conftest.err'
  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
  (eval $ac_try) 2>&5
  ac_status=$?

echo "$as_me:$LINENO: result: $ac_cv_lib_nsl_gethostbyname" >&5
echo "${ECHO_T}$ac_cv_lib_nsl_gethostbyname" >&6
if test $ac_cv_lib_nsl_gethostbyname = yes; then
  LIBS="${LIBS} -lnsl"
#define HAVE_LIBNSL 1
_ACEOF

  LIBS="-lnsl $LIBS"

fi

echo "$as_me:$LINENO: checking for skeyverify in -lskey" >&5

  cat conftest.err >&5
  echo "$as_me:$LINENO: \$? = $ac_status" >&5
  (exit $ac_status); } &&
	 { ac_try='test -z "$ac_c_werror_flag"
			 || test ! -s conftest.err'
  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
  (eval $ac_try) 2>&5
  ac_status=$?

   { (exit 1); exit 1; }; }
fi

echo "$as_me:$LINENO: checking for skeyaccess in -lskey" >&5
echo $ECHO_N "checking for skeyaccess in -lskey... $ECHO_C" >&6
if test "${ac_cv_lib_skey_skeyaccess+set}" = set; then
  echo $ECHO_N "(cached) $ECHO_C" >&6
else
  ac_check_lib_save_LIBS=$LIBS
LIBS="-lskey  $LIBS"
cat >conftest.$ac_ext <<_ACEOF
/* confdefs.h.  */
_ACEOF
cat confdefs.h >>conftest.$ac_ext
cat >>conftest.$ac_ext <<_ACEOF
/* end confdefs.h.  */

/* Override any gcc2 internal prototype to avoid an error.  */
#ifdef __cplusplus
extern "C"
#endif
/* We use char because int might match the return type of a gcc2
   builtin and then its argument prototype would still apply.  */
char skeyaccess ();
int
main ()
{
skeyaccess ();
  ;
  return 0;
}
_ACEOF
rm -f conftest.$ac_objext conftest$ac_exeext
if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
  (eval $ac_link) 2>conftest.er1
  ac_status=$?
  grep -v '^ *+' conftest.er1 >conftest.err
  rm -f conftest.er1
  cat conftest.err >&5
  echo "$as_me:$LINENO: \$? = $ac_status" >&5
  (exit $ac_status); } &&
	 { ac_try='test -z "$ac_c_werror_flag"			 || test ! -s conftest.err'
  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
  (eval $ac_try) 2>&5
  ac_status=$?
  echo "$as_me:$LINENO: \$? = $ac_status" >&5
  (exit $ac_status); }; } &&
	 { ac_try='test -s conftest$ac_exeext'
  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
  (eval $ac_try) 2>&5
  ac_status=$?
  echo "$as_me:$LINENO: \$? = $ac_status" >&5
  (exit $ac_status); }; }; then
  ac_cv_lib_skey_skeyaccess=yes
else
  echo "$as_me: failed program was:" >&5
sed 's/^/| /' conftest.$ac_ext >&5

ac_cv_lib_skey_skeyaccess=no
fi
rm -f conftest.err conftest.$ac_objext \
      conftest$ac_exeext conftest.$ac_ext
LIBS=$ac_check_lib_save_LIBS
fi
echo "$as_me:$LINENO: result: $ac_cv_lib_skey_skeyaccess" >&5
echo "${ECHO_T}$ac_cv_lib_skey_skeyaccess" >&6
if test $ac_cv_lib_skey_skeyaccess = yes; then
  cat >>confdefs.h <<\_ACEOF
#define HAVE_SKEYACCESS 1
_ACEOF

fi

echo "$as_me:$LINENO: checking for skeyinfo in -lskey" >&5
echo $ECHO_N "checking for skeyinfo in -lskey... $ECHO_C" >&6
if test "${ac_cv_lib_skey_skeyinfo+set}" = set; then
  echo $ECHO_N "(cached) $ECHO_C" >&6
else
  ac_check_lib_save_LIBS=$LIBS
LIBS="-lskey  $LIBS"
cat >conftest.$ac_ext <<_ACEOF
/* confdefs.h.  */
_ACEOF
cat confdefs.h >>conftest.$ac_ext
cat >>conftest.$ac_ext <<_ACEOF
/* end confdefs.h.  */

/* Override any gcc2 internal prototype to avoid an error.  */
#ifdef __cplusplus
extern "C"
#endif
/* We use char because int might match the return type of a gcc2
   builtin and then its argument prototype would still apply.  */
char skeyinfo ();
int
main ()
{
skeyinfo ();
  ;
  return 0;
}
_ACEOF
rm -f conftest.$ac_objext conftest$ac_exeext
if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
  (eval $ac_link) 2>conftest.er1
  ac_status=$?
  grep -v '^ *+' conftest.er1 >conftest.err
  rm -f conftest.er1
  cat conftest.err >&5
  echo "$as_me:$LINENO: \$? = $ac_status" >&5
  (exit $ac_status); } &&
	 { ac_try='test -z "$ac_c_werror_flag"			 || test ! -s conftest.err'
  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
  (eval $ac_try) 2>&5
  ac_status=$?
  echo "$as_me:$LINENO: \$? = $ac_status" >&5
  (exit $ac_status); }; } &&
	 { ac_try='test -s conftest$ac_exeext'
  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
  (eval $ac_try) 2>&5
  ac_status=$?
  echo "$as_me:$LINENO: \$? = $ac_status" >&5
  (exit $ac_status); }; }; then
  ac_cv_lib_skey_skeyinfo=yes
else
  echo "$as_me: failed program was:" >&5
sed 's/^/| /' conftest.$ac_ext >&5

ac_cv_lib_skey_skeyinfo=no
fi
rm -f conftest.err conftest.$ac_objext \
      conftest$ac_exeext conftest.$ac_ext
LIBS=$ac_check_lib_save_LIBS
fi
echo "$as_me:$LINENO: result: $ac_cv_lib_skey_skeyinfo" >&5
echo "${ECHO_T}$ac_cv_lib_skey_skeyinfo" >&6
if test $ac_cv_lib_skey_skeyinfo = yes; then
  cat >>confdefs.h <<\_ACEOF
#define HAVE_SKEYINFO 1
_ACEOF

else
  echo "$as_me:$LINENO: checking for skeylookup in -lskey" >&5
echo $ECHO_N "checking for skeylookup in -lskey... $ECHO_C" >&6
if test "${ac_cv_lib_skey_skeylookup+set}" = set; then
  echo $ECHO_N "(cached) $ECHO_C" >&6
else
  ac_check_lib_save_LIBS=$LIBS
LIBS="-lskey  $LIBS"
cat >conftest.$ac_ext <<_ACEOF
/* confdefs.h.  */
_ACEOF
cat confdefs.h >>conftest.$ac_ext
cat >>conftest.$ac_ext <<_ACEOF
/* end confdefs.h.  */

/* Override any gcc2 internal prototype to avoid an error.  */
#ifdef __cplusplus
extern "C"
#endif
/* We use char because int might match the return type of a gcc2
   builtin and then its argument prototype would still apply.  */
char skeylookup ();
int
main ()
{
skeylookup ();
  ;
  return 0;
}
_ACEOF
rm -f conftest.$ac_objext conftest$ac_exeext
if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5
  (eval $ac_link) 2>conftest.er1
  ac_status=$?
  grep -v '^ *+' conftest.er1 >conftest.err
  rm -f conftest.er1
  cat conftest.err >&5
  echo "$as_me:$LINENO: \$? = $ac_status" >&5
  (exit $ac_status); } &&
	 { ac_try='test -z "$ac_c_werror_flag"			 || test ! -s conftest.err'
  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
  (eval $ac_try) 2>&5
  ac_status=$?
  echo "$as_me:$LINENO: \$? = $ac_status" >&5
  (exit $ac_status); }; } &&
	 { ac_try='test -s conftest$ac_exeext'
  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
  (eval $ac_try) 2>&5
  ac_status=$?
  echo "$as_me:$LINENO: \$? = $ac_status" >&5
  (exit $ac_status); }; }; then
  ac_cv_lib_skey_skeylookup=yes
else
  echo "$as_me: failed program was:" >&5
sed 's/^/| /' conftest.$ac_ext >&5

ac_cv_lib_skey_skeylookup=no
fi
rm -f conftest.err conftest.$ac_objext \
      conftest$ac_exeext conftest.$ac_ext
LIBS=$ac_check_lib_save_LIBS
fi
echo "$as_me:$LINENO: result: $ac_cv_lib_skey_skeylookup" >&5
echo "${ECHO_T}$ac_cv_lib_skey_skeylookup" >&6
if test $ac_cv_lib_skey_skeylookup = yes; then
  cat >>confdefs.h <<\_ACEOF
#define HAVE_SKEYLOOKUP 1
_ACEOF

fi


fi


hold_ldflags=$LDFLAGS
echo "$as_me:$LINENO: checking for the ld -shared flag" >&5

  cat conftest.err >&5
  echo "$as_me:$LINENO: \$? = $ac_status" >&5
  (exit $ac_status); } &&
	 { ac_try='test -z "$ac_c_werror_flag"
			 || test ! -s conftest.err'
  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
  (eval $ac_try) 2>&5
  ac_status=$?

  cat conftest.err >&5
  echo "$as_me:$LINENO: \$? = $ac_status" >&5
  (exit $ac_status); } &&
	 { ac_try='test -z "$ac_c_werror_flag"
			 || test ! -s conftest.err'
  { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5
  (eval $ac_try) 2>&5
  ac_status=$?

s,@ECHO_N@,$ECHO_N,;t t
s,@ECHO_T@,$ECHO_T,;t t
s,@LIBS@,$LIBS,;t t
s,@build@,$build,;t t
s,@build_cpu@,$build_cpu,;t t
s,@build_vendor@,$build_vendor,;t t
s,@build_os@,$build_os,;t t
s,@host@,$host,;t t
s,@host_cpu@,$host_cpu,;t t
s,@host_vendor@,$host_vendor,;t t
s,@host_os@,$host_os,;t t
s,@CC@,$CC,;t t
s,@CFLAGS@,$CFLAGS,;t t
s,@LDFLAGS@,$LDFLAGS,;t t

  *) ac_INSTALL=$ac_top_builddir$INSTALL ;;
  esac

  if test x"$ac_file" != x-; then
    { echo "$as_me:$LINENO: creating $ac_file" >&5
echo "$as_me: creating $ac_file" >&6;}
    rm -f "$ac_file"
  fi
  # Let's still pretend it is `configure' which instantiates (i.e., don't
  # use $as_me), people would be surprised to read:
  #    /* config.h.  Generated by config.status.  */

	 fi;;
      esac
    done` || { (exit 1); exit 1; }

  if test x"$ac_file" != x-; then
    { echo "$as_me:$LINENO: creating $ac_file" >&5
echo "$as_me: creating $ac_file" >&6;}
    rm -f "$ac_file"
  fi
_ACEOF
cat >>$CONFIG_STATUS <<_ACEOF
  sed "$ac_vpsub




/* defs.h.in.  Generated automatically from configure.in by autoheader.  */
/* Define if we can include both string.h and strings.h */
#undef STRING_WITH_STRINGS

/* Define if you have Linux */
#undef LINUX

/* Define if you have *BSD */
#undef BSD

/* Define if you have the ANSI C header files.  */
#undef STDC_HEADERS

/* Define if not missing skeyinfo() */
#undef HAVE_SKEYINFO

/* Define if we can include both string.h and strings.h */
#undef STRING_WITH_STRINGS

/* Define if you have the fprintf function.  */
#undef HAVE_FPRINTF

/* Define if you have the gethostbyname function.  */
#undef HAVE_GETHOSTBYNAME

/* Define if you have the snprintf function.  */
#undef HAVE_SNPRINTF

/* Define if you have the strncmp function.  */
#undef HAVE_STRNCMP

/* Define if you have the syslog function.  */
#undef HAVE_SYSLOG

/* Define if you have the <pwd.h> header file.  */
#undef HAVE_PWD_H

/* Define if you have the <security/pam_appl.h> header file.  */
#undef HAVE_SECURITY_PAM_APPL_H

/* Define if you have the <security/pam_modules.h> header file.  */
#undef HAVE_SECURITY_PAM_MODULES_H

/* Define if you have the <stdlib.h> header file.  */
#undef HAVE_SNPRINTF

/* Define to 1 if you have the <stdint.h> header file. */
#undef HAVE_STDINT_H

/* Define to 1 if you have the <stdlib.h> header file. */
#undef HAVE_STDLIB_H

/* Define if you have the <string.h> header file.  */
#undef HAVE_STRINGS_H

/* Define to 1 if you have the <string.h> header file. */
#undef HAVE_STRING_H

/* Define if you have the <strings.h> header file.  */
#undef HAVE_STRINGS_H

/* Define to 1 if you have the `syslog' function. */
#undef HAVE_SYSLOG

/* Define to 1 if you have the <syslog.h> header file. */
#undef HAVE_SYSLOG_H

/* Define to 1 if you have the <sys/stat.h> header file. */
#undef HAVE_SYS_STAT_H

/* Define if you have the <sys/syslog.h> header file.  */
#undef HAVE_SYS_SYSLOG_H

/* Define if you have the <sys/types.h> header file.  */
#undef HAVE_SYS_TYPES_H

/* Define if you have the <syslog.h> header file.  */
#undef HAVE_SYSLOG_H

/* Define to the address where bug reports for this package should be sent. */
#undef PACKAGE_BUGREPORT

/* Define to the full name of this package. */
#undef PACKAGE_NAME

/* Define to the full name and version of this package. */
#undef PACKAGE_STRING

/* Define to the one symbol short name of this package. */
#undef PACKAGE_TARNAME

/* Define to the version of this package. */
#undef PACKAGE_VERSION

/* Define to 1 if you have the ANSI C header files. */
#undef STDC_HEADERS




/* 
 * Rewrite (c) 2005 Dani Church, dani.church@gmail.com
 * Original (c) 2001 Dinko Korunic, kreator@srce.hr
 *
 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
 * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF

#include <pwd.h> 
#include <sys/types.h>
#include <syslog.h>
#include <ctype.h>

#define PAM_EXTERN extern
#undef PAM_STATIC

#include <security/pam_appl.h>
#include <security/pam_modules.h>
#include <security/_pam_macros.h>

#include "skey.h"
#include "pam_skey.h"
#include "misc.h"

#define LOGDEBUG(x) if (mod_opt & _MOD_DEBUG) { syslog x ;}
#define QUERY_USERNAME NULL /* Use default username prompt */
#define QUERY_PASSWORD "Password: "
#define QUERY_RESPONSE_OR_PASSWORD "S/Key response or system password: "
#define QUERY_RESPONSE "S/Key response: "

PAM_EXTERN int pam_sm_setcred (pam_handle_t *pamh, int flags,
  int argc, const char **argv)
{
  return PAM_SUCCESS;
}

/*
 * The authentication module will return the following status codes:
 * PAM_SUCCESS: Successful authentication via S/Key.
 * PAM_IGNORE: The user doesn't have S/Key or doesn't want to use it.
 *             Continue with the next module, using try_first_pass.
 * PAM_AUTH_ERR: The user asked to use S/Key, but failed the authentication.
 *               Don't try any more PAM modules.
 * others: random errors, try next authentication method
 */

PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags,
  int argc, const char **argv)
{
  const char *challenge; /* challenge to print in conv */
  const char *username = NULL; /* username spacer */
  char *username = NULL; /* username spacer */
  char *response = NULL; /* response spacer */
  struct skey skey; /* structure that contains skey information */
  int status; /* return status spacer */
  unsigned mod_opt=_MOD_NONE_ON; /* module options */

  /* Get module options */
  mod_getopt(&mod_opt, argc, argv);

  /* Get username (taken mainly from pam_unix) */
  status = pam_get_user(pamh, &username, QUERY_USERNAME);
  if (status == PAM_SUCCESS) {
    if (username == NULL || !isalnum(*username)) {
      syslog(LOG_ERR, "bad username [%s]", username);
      return PAM_USER_UNKNOWN;
      != PAM_SUCCESS)
  {
    fprintf(stderr, "cannot determine username\n");
    if (mod_opt & _MOD_DEBUG)
      syslog(LOG_DEBUG, "cannot determine username");
    return PAM_USER_UNKNOWN;
  }

  if (mod_opt & _MOD_DEBUG)
    syslog(LOG_DEBUG, "got username %s", username);

#ifdef HAVE_SKEYACCESS
  /* Check S/Key access permissions - user, host and port. Also include
   * sanity checks */
  if (mod_opt & _MOD_ACCESS_CHECK)
  {
    char *host; /* points to host */
    char *port; /* points to port */
    struct passwd *pwuser; /* structure for getpw() */

    /* Get host.. */
#if defined LINUX || defined BSD
    if (pam_get_item(pamh, PAM_RHOST, (const void **)&host)
#else
    if (pam_get_item(pamh, PAM_RHOST, (void **)&host)
#endif
        != PAM_SUCCESS)
      host = NULL; /* couldn't get host */
    /* ..and port */
#if defined LINUX || defined BSD
    if (pam_get_item(pamh, PAM_TTY, (const void **)&port)
#else
    if (pam_get_item(pamh, PAM_TTY, (void **)&port)
#endif
        != PAM_SUCCESS)
      port = NULL; /* couldn't get port */

    if (mod_opt & _MOD_DEBUG)
      syslog(LOG_DEBUG, "checking s/key access for user %s,"
        " host %s, port %s", username,
        (host != NULL) ? host : "*unknown*",
        (port != NULL) ? port : "*unknown*");

    /* Get information from passwd file */
    if ((pwuser = getpwnam(username)) == NULL)
    {
      fprintf(stderr, "no such user\n");
      syslog(LOG_NOTICE, "cannot find user %s", username);
      return PAM_USER_UNKNOWN; /* perhaps even return PAM_ABORT here? */
    }
    LOGDEBUG((LOG_DEBUG, "username [%s] obtained", username));
  } else {
    LOGDEBUG((LOG_DEBUG, "trouble reading username"));
    if (status == PAM_CONV_AGAIN)
      return PAM_INCOMPLETE;
    return status;
  }

  /* Check whether or not this user has an S/Key */
  if (skey_haskey(username) != 0) {
    LOGDEBUG((LOG_DEBUG, "user [%s] has no S/Key entry", username));
    return PAM_IGNORE;
    {
      fprintf(stderr, "no s/key access permissions\n");
      syslog(LOG_NOTICE, "no s/key access permissions for %s",
          username);
      return PAM_AUTH_ERR;
    }
  }
  else

  if ((mod_opt & _MOD_TRY_FIRST_PASS) || (mod_opt & _MOD_USE_FIRST_PASS)) {
    status = pam_get_item(pamh, PAM_AUTHTOK, (const void **) &response);
    if (status != PAM_SUCCESS) {
      syslog(LOG_ALERT, "pam_get_item returned error to pam_skey");
      return status;
    } else if (response != NULL) {
      if (skey_passcheck(username, response) != -1) {
	return PAM_SUCCESS;
      } else if (mod_opt & _MOD_USE_FIRST_PASS) {
	return PAM_IGNORE;
      }
    } else if (mod_opt & _MOD_USE_FIRST_PASS) {
      return PAM_AUTHTOK_RECOVER_ERR;
    }

  /* Get S/Key information on user with skeyinfo() */
#ifdef HAVE_SKEYINFO
  switch (skeyinfo(&skey, username, NULL))
#else
#ifdef HAVE_SKEYLOOKUP
  switch (skeylookup(&skey, username))
#endif /* HAVE_SKEYLOOKUP */
#endif /* HAVE_SKEYINFO */
  {
  /* 0: OK */
  case 0:
    break;
  /* -1: File error */
  case -1:
#if 0
  /* XXX- This seems broken in (at least) logdaemon-5.8. It returns -1
   * when user not found in keyfile. -kre */
    fprintf(stderr, "s/key database error\n");
    syslog(LOG_NOTICE, "s/key database error");
    return PAM_AUTH_ERR;
#endif
  /* 1: No such user in database */
  case 1:
    /* We won't confuse the ordinary user telling him about missing skeys
     * -kre */
#if 0
    fprintf(stderr, "no s/key for %s\n", username);
#endif
    if (mod_opt & _MOD_DEBUG)
      syslog(LOG_DEBUG, "no s/key for %s\n", username);
    return PAM_AUTH_ERR;
  }
  
  if (mod_opt & _MOD_NO_DEFAULT_SKEY) {
    status = mod_talk_touser(pamh, mod_opt, NULL, QUERY_PASSWORD, 0, &response);
    if (status != PAM_SUCCESS) {
      _pam_delete(response)
      return status;
  snprintf(challenge, CHALLENGE_MAXSIZE, "s/key %d %s",
      skey.n - 1, skey.seed);
#endif

  if (mod_opt & _MOD_DEBUG)
    syslog(LOG_DEBUG, "got challenge %s for %s", challenge,
        username);

  /* Read response from last module's PAM_AUTHTOK */
  if (mod_opt & _MOD_USE_FIRST_PASS)
  {
    /* Try to extract authtoken */
#if defined LINUX || defined BSD
    if (pam_get_item(pamh, PAM_AUTHTOK, (const void **)&response)
#else
    if (pam_get_item(pamh, PAM_AUTHTOK, (void **)&response)
#endif
        != PAM_SUCCESS)
    {
      if (mod_opt & _MOD_DEBUG)
        syslog(LOG_DEBUG, "could not get PAM_AUTHTOK");
      mod_opt &= ~_MOD_USE_FIRST_PASS;
    }
    if (strcasecmp(response,"s/key")!=0) {
      status = pam_set_item(pamh, PAM_AUTHTOK, response);
      if (status != PAM_SUCCESS)
	return status;
      return PAM_IGNORE;
        if (mod_opt & _MOD_DEBUG)
          syslog(LOG_DEBUG, "empty PAM_AUTHTOK");
        mod_opt &= ~_MOD_USE_FIRST_PASS;
      }
      else
        /* All OK, print challenge information */
        fprintf(stderr, "challenge %s\n", challenge);
    }
    _pam_delete(response);
  }

  challenge = skey_keyinfo(username);
  if (challenge == NULL) {
    syslog(LOG_ALERT, "Could not retrieve S/Key challenge for [%s]", username);
    return PAM_AUTHINFO_UNAVAIL;
  }
    snprintf(msg_text, PAM_MAX_MSG_SIZE,
        "challenge %s\npassword: ", challenge);

    /* Talk with user */
    if (mod_talk_touser(pamh, &mod_opt, msg_text, &response)
        != PAM_SUCCESS)
      return PAM_SERVICE_ERR;

    /* Simulate standard S/Key login procedure - if empty token, turn on
     * ECHO and prompt again */
    if (empty_authtok(response) && !(mod_opt & _MOD_ONLY_ONE_TRY))
    {
      /* Was there echo off? */
      if (mod_opt & _MOD_ECHO_OFF)
      {
        _pam_delete(response);
        fprintf(stderr, "(turning echo on)\n");
        mod_opt &= ~_MOD_ECHO_OFF;

        /* Prepare a complete message for conversation */
        snprintf(msg_text, PAM_MAX_MSG_SIZE, "password: ");

        /* Talk with user */
        if (mod_talk_touser(pamh, &mod_opt, msg_text, &response)
          != PAM_SUCCESS)
          return PAM_SERVICE_ERR;

        /* Got again empty response. Bailout and don't save auth token */
        if (empty_authtok(response))
          return PAM_AUTH_ERR;
      }
      else
      /* There was echo on already - just get out and don't save auth token
       * for other modules */
        return PAM_AUTH_ERR;
    }

  if (mod_opt & _MOD_NO_DEFAULT_SKEY) 
    status = mod_talk_touser(pamh, mod_opt, challenge, QUERY_RESPONSE, 0, &response);
  else
    status = mod_talk_touser(pamh, mod_opt, challenge, QUERY_RESPONSE_OR_PASSWORD, 0, &response);
    /* Store auth token - that next module can use with `use_first_pass' */
    if (pam_set_item(pamh, PAM_AUTHTOK, response) != PAM_SUCCESS)
    {
      syslog(LOG_NOTICE, "unable to save auth token");
      return PAM_SERVICE_ERR;
    }

  if (status != PAM_SUCCESS)
    return status;
  
  if (*response == '\0') {
    _pam_delete(response);
    status = mod_talk_touser(pamh, mod_opt, NULL, QUERY_RESPONSE, 1, &response);
    if (status != PAM_SUCCESS)
      return status;
    status = pam_set_item(pamh, PAM_AUTHTOK, response);
    status = skey_passcheck(username, response);
    _pam_delete(response);
    if (status != -1)
      return PAM_SUCCESS;
    return PAM_AUTH_ERR;
  }

  status = pam_set_item(pamh, PAM_AUTHTOK, response);
  status = skey_passcheck(username, response);
  if (status != -1) {
    _pam_delete(response);
    return PAM_SUCCESS;
  }
  
  if (mod_opt & _MOD_NO_DEFAULT_SKEY) {
    _pam_delete(response);
    return PAM_AUTH_ERR;
        syslog(LOG_DEBUG, "verify for %s failed, database"
            " unchanged", username);
      return PAM_AUTH_ERR;
  }

  status = pam_set_item(pamh, PAM_AUTHTOK, response);
  return PAM_IGNORE;
}

/* Get module optional parameters */

}

/* This will talk to user through PAM_CONV */
static int mod_talk_touser(pam_handle_t *pamh, unsigned mod_opt,
    const char *info_text, const char *prompt_text, int echo_on, char **response)
{
  struct pam_message message[2], *pmessage[2];
  const struct pam_message *pmessage = &message;
  struct pam_conv *conv = NULL;
  struct pam_response *presponse = NULL;
  int i=0;
  
  /* Better safe than sorry */
  *response = NULL;

  /* Be paranoid */
  memset(&message, 0, sizeof(message));

  pmessage[0] = &message[0];
  pmessage[1] = &message[1];
  
  /* Set info text, if any */
  if (info_text) {
    message[i].msg = info_text;
    message[i].msg_style = PAM_TEXT_INFO;
    i++;
  }
  
  /* Set prompt text */
  message[i].msg = prompt_text;
  message[i].msg_style = echo_on ? PAM_PROMPT_ECHO_ON : PAM_PROMPT_ECHO_OFF;
  i++;

  /* Do conversation and see if all is OK */
  if (pam_get_item(pamh, PAM_CONV, (const void **)&conv) != PAM_SUCCESS) {
    LOGDEBUG((LOG_DEBUG, "error in conversation"));
#else
  if (pam_get_item(pamh, PAM_CONV, (void **)&conv)
#endif
      != PAM_SUCCESS)
  {
    if (*mod_opt & _MOD_DEBUG)
      syslog(LOG_DEBUG, "error in conversation");
    return PAM_SERVICE_ERR;
  }
  /* Convert into pam_response */
  if (conv->conv(i, (const struct pam_message **)pmessage, &presponse,
#if defined LINUX || defined BSD
  if (conv->conv(1, &pmessage, &presponse,
        conv->appdata_ptr)
#else
  if (conv->conv(1, (struct pam_message **)&pmessage, &presponse,
        conv->appdata_ptr)
#endif
    != PAM_SUCCESS)
  {
    _pam_delete(presponse->resp);

  if (presponse != NULL)
  {
    /* Save address */
    *response = presponse[i-1].resp;
    /* To ensure that response address will not be erased */
    presponse[i-1].resp = NULL;
    _pam_drop_reply(presponse,i);
  }
  else
    return PAM_SERVICE_ERR;




 */

/* Prototypes */
#ifndef BSD
extern int skeyinfo(struct skey *, char *, char *); /* ORGH! Not in skey.h */
#endif

static void mod_getopt(unsigned *, int, const char **);
static int mod_talk_touser(pam_handle_t *, unsigned, const char *, const char *, int, char **);

/* free() macro */
/*#define _pam_drop(X)  \
if (X != NULL)        \
{                     \
  free(X);            \
  X = NULL;           \
}*/

/* Secure overwrite */
/*#define _pam_overwrite(x)   \
{                           \
  register char *__xx__;    \
  if ((__xx__ = (x)))       \
    while (*__xx__)         \
    *__xx__++ = '\0';       \
}*/

/* Drop-in secure replacement - we do not want cleartext passwords lying
 * scattered around */


/* This will get us rid of first '\n' in response string and cut-off the
 * rest of the string. It should be ASCIIZ, of course */
/*#define _pam_degarbage(x)      \
{                              \
  register char *__xx__;       \
    if ((__xx__ = (x)))        \

        else                   \
          __xx__++;            \
      }                        \
}*/

/* Handy empty AUTHTOK macro */
#define empty_authtok(a) (a == NULL || !*a || *a == '\n')

/* Maximum challenge size. It should be 64, but be sure */
#define CHALLENGE_MAXSIZE 128

/* Define module flags */
#define _MOD_NONE_ON         0x0000	/* Generic flag */
#define _MOD_ALL_ON    (~_MOD_NONE_ON)	/* Generic mask */
#define _MOD_DEBUG           0x0001	/* Debugging options on */
#define _MOD_TRY_FIRST_PASS  0x0002	/* Attempt using PAM_AUTHTOK */
#define _MOD_USE_FIRST_PASS  0x0004	/* Only use PAM_AUTHTOK */
#define _MOD_NO_DEFAULT_SKEY 0x0008	/* Don't use S/Key by default */
#define _MOD_ONLY_ONE_TRY   0x0010      /* Only one try, no matter of echo */
#define _MOD_SPACER         0x0020      /* Currently unused */

/* Setup defaults - use echo off only */
#define _MOD_DEFAULT_FLAG   _MOD_NONE_ON
#define _MOD_DEFAULT_MASK   _MOD_ALL_ON

/* Number of parameters currently known */
#define _MOD_ARGS           4

/* Structure for flexible argument parsing */
typedef struct

{
  /* String            Mask                           Flag */
  {"debug",            _MOD_ALL_ON,                   _MOD_DEBUG},
  {"try_first_pass",   _MOD_ALL_ON,                   _MOD_TRY_FIRST_PASS},
  {"echo=on",          _MOD_ALL_ON^_MOD_ECHO_OFF,     _MOD_NONE_ON},
  {"access_check=on",  _MOD_ALL_ON,                   _MOD_ACCESS_CHECK},
  {"access_check=off", _MOD_ALL_ON^_MOD_ACCESS_CHECK, _MOD_NONE_ON},
  {"use_first_pass",   _MOD_ALL_ON,                   _MOD_USE_FIRST_PASS},
  {"no_default_skey",  _MOD_ALL_ON,                   _MOD_NO_DEFAULT_SKEY}
  {"only_one_try",     _MOD_ALL_ON,                   _MOD_ONLY_ONE_TRY}
};




/* 
 * (c) 2001 Dinko Korunic, kreator@srce.hr
 *
 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
 * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
 *
 * S/KEY is a trademark of Bellcore.
 * Mink is the former name of the S/KEY authentication system.
 *
 * Programs that had some influence in development of this source:
 *  Wietse Venema's logdaemon package
 *  Olaf Kirch's Linux S/Key package
 *  Linux-PAM modules and templates
 *  Wyman Miles' pam_securid module
 *
 * Should you choose to use and/or modify this source code, please do so
 * under the terms of the GNU General Public License under which this
 * program is distributed.
 */

static char rcsid[] = "$Id: pam_skey_access.c,v 1.2 2005/06/18 12:36:18 kreator Exp $";

#include "defs.h"

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#ifdef STRING_WITH_STRINGS
# include <strings.h>
#endif
#include <unistd.h>
#include <pwd.h> 
#include <sys/types.h>
#include <syslog.h>

#define PAM_EXTERN extern
#undef PAM_STATIC

#include <security/pam_appl.h>
#include <security/pam_modules.h>

#include "skey.h"
#include "pam_skey.h"
#include "misc.h"

PAM_EXTERN int pam_sm_setcred (pam_handle_t *pamh, int flags,
  int argc, const char **argv)
{
  return PAM_SUCCESS;
}

PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags,
  int argc, const char **argv)
{
  char *username = NULL; /* will point to username */
  unsigned mod_opt = _MOD_NONE_ON; /* module options */
  char *host; /* will point to host */
  char *port; /* will point to port */
  struct passwd *pwuser;

  /* Get module options */
  mod_getopt(&mod_opt, argc, argv);

  /* Get username */
#if defined LINUX || defined BSD
  if (pam_get_user(pamh, (const char **)&username, "login:")!=PAM_SUCCESS)
#else
  if (pam_get_user(pamh, (char **)&username, "login:")!=PAM_SUCCESS)
#endif
  {
    fprintf(stderr, "cannot determine username\n");
    if (mod_opt & _MOD_DEBUG)
      syslog(LOG_DEBUG, "cannot determine username");
    return PAM_AUTHINFO_UNAVAIL;
  }

  if (mod_opt & _MOD_DEBUG)
    syslog(LOG_DEBUG, "got username %s", username);

  /* Check S/Key access permissions - user, host and port. Also include
   * sanity checks */
  /* Get host.. */
#if defined LINUX || defined BSD
  if (pam_get_item(pamh, PAM_RHOST, (const void **)&host)
#else
  if (pam_get_item(pamh, PAM_RHOST, (void **)&host)
#endif
    != PAM_SUCCESS)
      host = NULL;
  /* ..and port */
#ifdef LINUX
  if (pam_get_item(pamh, PAM_TTY, (const void **)&port)
#else
  if (pam_get_item(pamh, PAM_TTY, (void **)&port)
#endif
    != PAM_SUCCESS)
      port = NULL;

  if (mod_opt & _MOD_DEBUG)
    syslog(LOG_DEBUG, "checking s/key access for user %s,"
      " host %s, port %s", username,
      (host != NULL) ? host : "*unknown*",
      (port != NULL) ? port : "*unknown*");

  /* Get information from passwd file */
  if ((pwuser = getpwnam(username)) == NULL)
  {
    fprintf(stderr, "no such user\n");
    syslog(LOG_NOTICE, "cannot find user %s",
      username);
    return PAM_AUTHINFO_UNAVAIL;
  }

#ifdef HAVE_SKEYACCESS

  /* Do actual checking - we assume skeyaccess() returns PERMIT which is
   * by default 1. Notice 4th argument is NULL - we will not perform
   * address checks on host itself */
  if (skeyaccess(pwuser, port, host, NULL) != 1)
  {
    fprintf(stderr, "no s/key access permissions\n");
    syslog(LOG_NOTICE, "no s/key access permissions for %s",
        username);
    return PAM_AUTH_ERR;
  }

#endif /* HAVE_SKEYACCESS */

  return PAM_SUCCESS;
}

/* Get module optional parameters */
static void mod_getopt(unsigned *mod_opt, int mod_argc, const char **mod_argv)
{
  int i;

  /* Setup runtime defaults */
  *mod_opt |= _MOD_DEFAULT_FLAG;
  *mod_opt &= _MOD_DEFAULT_MASK;

  /* Setup runtime options */
  while (mod_argc--)
  {
    for (i = 0; i < _MOD_ARGS; ++i)
    {
      if (mod_args[i].token != NULL &&
          !strncmp(*mod_argv, mod_args[i].token,
            strlen(mod_args[i].token)))
        break;
    }
    if (i >= _MOD_ARGS)
      syslog(LOG_ERR, "unknown option %s", *mod_argv);
    else
    {
      *mod_opt &= mod_args[i].mask; /* Turn off */
      *mod_opt |= mod_args[i].flag; /* Turn on */
    }
    ++mod_argv;
  }
}

Return to bug 55279

Lines 1-96 Link Here

(-)pam_skey-1.1.4/defs.h.in (-72 / +25 lines)
1	/* defs.h.in. Generated from configure.in by autoheader. */	1	/* defs.h.in. Generated automatically from configure.in by autoheader. */
2	/* Define if we can include both string.h and strings.h */
3	#undef STRING_WITH_STRINGS
4
5	/* Define if you have Linux */
6	#undef LINUX
7
8	/* Define if you have BSD /
9	#undef BSD
10		2
11	/* Define if not missing skeyaccess() */	3	/* Define if you have the ANSI C header files. */
12	#undef HAVE_SKEYACCESS	4	#undef STDC_HEADERS
13
14	/* Define if not missing skeyinfo() */
15	#undef HAVE_SKEYINFO
16		5
17	/* Define if you have skeylookup() instead of skeyinfo() */	6	/* Define if we can include both string.h and strings.h */
18	#undef HAVE_SKEYLOOKUP	7	#undef STRING_WITH_STRINGS
19		8
20	/* Define to 1 if you have the `fprintf' function. */	9	/* Define if you have the fprintf function. */
21	#undef HAVE_FPRINTF	10	#undef HAVE_FPRINTF
22		11
23	/* Define to 1 if you have the <inttypes.h> header file. */	12	/* Define if you have the gethostbyname function. */
24	#undef HAVE_INTTYPES_H	13	#undef HAVE_GETHOSTBYNAME
25		14
26	/* Define to 1 if you have the `nsl' library (-lnsl). */	15	/* Define if you have the snprintf function. */
27	#undef HAVE_LIBNSL	16	#undef HAVE_SNPRINTF
28		17
29	/* Define to 1 if you have the `socket' library (-lsocket). */	18	/* Define if you have the strncmp function. */
30	#undef HAVE_LIBSOCKET	19	#undef HAVE_STRNCMP
31		20
32	/* Define to 1 if you have the <memory.h> header file. */	21	/* Define if you have the syslog function. */
33	#undef HAVE_MEMORY_H	22	#undef HAVE_SYSLOG
34		23
35	/* Define to 1 if you have the <pwd.h> header file. */	24	/* Define if you have the <pwd.h> header file. */
36	#undef HAVE_PWD_H	25	#undef HAVE_PWD_H
37		26
38	/* Define to 1 if you have the <security/pam_appl.h> header file. */	27	/* Define if you have the <security/pam_appl.h> header file. */
39	#undef HAVE_SECURITY_PAM_APPL_H	28	#undef HAVE_SECURITY_PAM_APPL_H
40		29
41	/* Define to 1 if you have the <security/pam_modules.h> header file. */	30	/* Define if you have the <security/pam_modules.h> header file. */
42	#undef HAVE_SECURITY_PAM_MODULES_H	31	#undef HAVE_SECURITY_PAM_MODULES_H
43		32
44	/* Define to 1 if you have the `snprintf' function. */	33	/* Define if you have the <stdlib.h> header file. */
45	#undef HAVE_SNPRINTF
46
47	/* Define to 1 if you have the <stdint.h> header file. */
48	#undef HAVE_STDINT_H
49
50	/* Define to 1 if you have the <stdlib.h> header file. */
51	#undef HAVE_STDLIB_H	34	#undef HAVE_STDLIB_H
52		35
53	/* Define to 1 if you have the <strings.h> header file. */	36	/* Define if you have the <string.h> header file. */
54	#undef HAVE_STRINGS_H
55
56	/* Define to 1 if you have the <string.h> header file. */
57	#undef HAVE_STRING_H	37	#undef HAVE_STRING_H
58		38
59	/* Define to 1 if you have the `strncmp' function. */	39	/* Define if you have the <strings.h> header file. */
60	#undef HAVE_STRNCMP	40	#undef HAVE_STRINGS_H
61
62	/* Define to 1 if you have the `syslog' function. */
63	#undef HAVE_SYSLOG
64
65	/* Define to 1 if you have the <syslog.h> header file. */
66	#undef HAVE_SYSLOG_H
67
68	/* Define to 1 if you have the <sys/stat.h> header file. */
69	#undef HAVE_SYS_STAT_H
70		41
71	/* Define to 1 if you have the <sys/syslog.h> header file. */	42	/* Define if you have the <sys/syslog.h> header file. */
72	#undef HAVE_SYS_SYSLOG_H	43	#undef HAVE_SYS_SYSLOG_H
73		44
74	/* Define to 1 if you have the <sys/types.h> header file. */	45	/* Define if you have the <sys/types.h> header file. */
75	#undef HAVE_SYS_TYPES_H	46	#undef HAVE_SYS_TYPES_H
76		47
77	/* Define to 1 if you have the <unistd.h> header file. */	48	/* Define if you have the <syslog.h> header file. */
78	#undef HAVE_UNISTD_H	49	#undef HAVE_SYSLOG_H
79
80	/* Define to the address where bug reports for this package should be sent. */
81	#undef PACKAGE_BUGREPORT
82
83	/* Define to the full name of this package. */
84	#undef PACKAGE_NAME
85
86	/* Define to the full name and version of this package. */
87	#undef PACKAGE_STRING
88
89	/* Define to the one symbol short name of this package. */
90	#undef PACKAGE_TARNAME
91
92	/* Define to the version of this package. */
93	#undef PACKAGE_VERSION
94
95	/* Define to 1 if you have the ANSI C header files. */
96	#undef STDC_HEADERS

Lines 22-50 Link Here

(-)pam_skey-1.1.4/pam_skey.h (-30 / +17 lines)
22	*/	22	*/
23		23
24	/* Prototypes */	24	/* Prototypes */
25	#ifndef BSD
26	extern int skeyinfo(struct skey , char , char ); / ORGH! Not in skey.h */
27	#endif
28
29	static void mod_getopt(unsigned , int, const char *);	25	static void mod_getopt(unsigned , int, const char *);
30	static int mod_talk_touser(pam_handle_t , unsigned , char , char *);	26	static int mod_talk_touser(pam_handle_t , unsigned, const char , const char , int, char *);
31		27
32	/* free() macro */	28	/* free() macro */
33	#define _pam_drop(X) \	29	/*#define _pam_drop(X) \
34	if (X != NULL) \	30	if (X != NULL) \
35	{ \	31	{ \
36	free(X); \	32	free(X); \
37	X = NULL; \	33	X = NULL; \
38	}	34	}*/
39		35
40	/* Secure overwrite */	36	/* Secure overwrite */
41	#define _pam_overwrite(x) \	37	/*#define _pam_overwrite(x) \
42	{ \	38	{ \
43	register char *__xx__; \	39	register char *__xx__; \
44	if ((__xx__ = (x))) \	40	if ((__xx__ = (x))) \
45	while (*__xx__) \	41	while (*__xx__) \
46	*__xx__++ = '\0'; \	42	*__xx__++ = '\0'; \
47	}	43	}*/
48		44
49	/* Drop-in secure replacement - we do not want cleartext passwords lying	45	/* Drop-in secure replacement - we do not want cleartext passwords lying
50	* scattered around */	46	* scattered around */
Lines 56-62 Link Here
56		52
57	/* This will get us rid of first '\n' in response string and cut-off the	53	/* This will get us rid of first '\n' in response string and cut-off the
58	* rest of the string. It should be ASCIIZ, of course */	54	* rest of the string. It should be ASCIIZ, of course */
59	#define _pam_degarbage(x) \	55	/*#define _pam_degarbage(x) \
60	{ \	56	{ \
61	register char *__xx__; \	57	register char *__xx__; \
62	if ((__xx__ = (x))) \	58	if ((__xx__ = (x))) \
Lines 70-99 Link Here
70	else \	66	else \
71	__xx__++; \	67	__xx__++; \
72	} \	68	} \
73	}	69	}*/
74		70
75	/* Handy empty AUTHTOK macro */	71	/* Handy empty AUTHTOK macro */
76	#define empty_authtok(a) (a == NULL \|\| !a \|\| a == '\n')	72	#define empty_authtok(a) (a == NULL \|\| !a \|\| a == '\n')
77		73
78	/* Maximum challenge size. It should be 64, but be sure */
79	#define CHALLENGE_MAXSIZE 128
80
81	/* Define module flags */	74	/* Define module flags */
82	#define _MOD_NONE_ON 0x0000 /* Generic flag */	75	#define _MOD_NONE_ON 0x0000 /* Generic flag */
83	#define _MOD_ALL_ON (~_MOD_NONE_ON) /* Generic mask */	76	#define _MOD_ALL_ON (~_MOD_NONE_ON) /* Generic mask */
84	#define _MOD_DEBUG 0x0001 /* Debugging options on */	77	#define _MOD_DEBUG 0x0001 /* Debugging options on */
85	#define _MOD_ECHO_OFF 0x0002 /* PAM_ECHO_OFF */	78	#define _MOD_TRY_FIRST_PASS 0x0002 /* Attempt using PAM_AUTHTOK */
86	#define _MOD_ACCESS_CHECK 0x0004 /* Check S/Key access permissions */	79	#define _MOD_USE_FIRST_PASS 0x0004 /* Only use PAM_AUTHTOK */
87	#define _MOD_USE_FIRST_PASS 0x0008 /* Use PAM_AUTHTOK */	80	#define _MOD_NO_DEFAULT_SKEY 0x0008 /* Don't use S/Key by default */
88	#define _MOD_ONLY_ONE_TRY 0x0010 /* Only one try, no matter of echo */
89	#define _MOD_SPACER 0x0020 /* Currently unused */
90		81
91	/* Setup defaults - use echo off only */	82	/* Setup defaults - use echo off only */
92	#define _MOD_DEFAULT_FLAG _MOD_ECHO_OFF	83	#define _MOD_DEFAULT_FLAG _MOD_NONE_ON
93	#define _MOD_DEFAULT_MASK _MOD_ALL_ON	84	#define _MOD_DEFAULT_MASK _MOD_ALL_ON
94		85
95	/* Number of parameters currently known */	86	/* Number of parameters currently known */
96	#define _MOD_ARGS 8	87	#define _MOD_ARGS 4
97		88
98	/* Structure for flexible argument parsing */	89	/* Structure for flexible argument parsing */
99	typedef struct	90	typedef struct
Lines 108-118 Link Here
108	{	99	{
109	/* String Mask Flag */	100	/* String Mask Flag */
110	{"debug", _MOD_ALL_ON, _MOD_DEBUG},	101	{"debug", _MOD_ALL_ON, _MOD_DEBUG},
111	{"echo=off", _MOD_ALL_ON, _MOD_ECHO_OFF},	102	{"try_first_pass", _MOD_ALL_ON, _MOD_TRY_FIRST_PASS},
112	{"echo=on", _MOD_ALL_ON^_MOD_ECHO_OFF, _MOD_NONE_ON},
113	{"access_check=on", _MOD_ALL_ON, _MOD_ACCESS_CHECK},
114	{"access_check=off", _MOD_ALL_ON^_MOD_ACCESS_CHECK, _MOD_NONE_ON},
115	{"use_first_pass", _MOD_ALL_ON, _MOD_USE_FIRST_PASS},	103	{"use_first_pass", _MOD_ALL_ON, _MOD_USE_FIRST_PASS},
116	{"try_first_pass", _MOD_ALL_ON, _MOD_USE_FIRST_PASS},	104	{"no_default_skey", _MOD_ALL_ON, _MOD_NO_DEFAULT_SKEY}
117	{"only_one_try", _MOD_ALL_ON, _MOD_ONLY_ONE_TRY}
118	};	105	};

Lines 1-5 Link Here

(-)pam_skey-1.1.4/INSTALL (+34 lines)
1	$Id: INSTALL,v 1.1.1.1 2005/06/18 12:11:24 kreator Exp $	1	$Id: INSTALL,v 1.1.1.1 2005/06/18 12:11:24 kreator Exp $
2		2
		3	Gentoo patch
		4	------------
		5	Most everything below still holds, though the libraries required are now
		6	those used by Gentoo. Other S/Key libraries may work with a bit of
		7	tweaking.
		8
		9	The options listed for the module below are no longer valid. See the
		10	Gentoo patch section in README for details.
		11
		12	The intended method for configuring PAM is by using the newer module
		13	specification, with a line like:
		14
		15	auth [success=done ignore=ignore auth_err=die default=bad] /lib/security/pam_skey.so
		16
		17	This is a combination of the standard "sufficient" and "requisite"
		18	specifications:
		19
		20	- If the module returns PAM_SUCCESS, we are authenticated and no other
		21	modules should be tested.
		22	- If the module returns PAM_IGNORE, then the module didn't accept its
		23	input as an S/Key response, and the next module should try using
		24	the input (using the try_first_pass option).
		25	- If the module returns PAM_AUTH_ERR, then the module accepted an
		26	S/Key input but it was invalid. Do not try any more modules in the
		27	stack; the user already chose S/Key authentication.
		28	- If the module returns any other code, it is a simple error in processing.
		29	Set the error flag but try other modules, just in case.
		30
		31	The module is intended to be placed before another authentication module,
		32	like pam_unix.so; if not, it should be placed before pam_deny.so.
		33
		34	If the newer module specification is unavailable in your version of PAM,
		35	the "sufficient" specification will work.
		36
3	Required	37	Required
4	--------	38	--------
5	For building this package you will probably need original Wietse Venema's	39	For building this package you will probably need original Wietse Venema's

Lines 12-53 Link Here

(-)pam_skey-1.1.4/Makefile.in (-23 / +7 lines)
12	LIBS=@LIBS@ @SKEYLIB@ @PAMLIB@	12	LIBS=@LIBS@ @SKEYLIB@ @PAMLIB@
13	LDFLAGS=@LDFLAGS@	13	LDFLAGS=@LDFLAGS@
14		14
15	INSTALL=@INSTALL@ -m 644	15	INSTALL=@INSTALL@
		16	INSTALL_LIB=${INSTALL} -m 755
16	RM=@RM@ -f	17	RM=@RM@ -f
17	CP=@CP@ -f	18	CP=@CP@ -f
18	LN=@LN@ -s	19	LN=@LN@ -s
19	AWK=@AWK@	20	AWK=@AWK@
20		21
21	PAM_FILES=pam_skey.so.1 pam_skey_access.so.1	22	PAM_FILES=pam_skey.so
22		23
23	all: $(PAM_FILES)	24	all: $(PAM_FILES)
24		25
25	pam_skey.so.1: pam_skey.o	26	pam_skey.so: pam_skey.o
26	$(CC) $(CFLAGS) -o $@ $< $(LIBS) $(LDFLAGS)
27
28	pam_skey_access.so.1: pam_skey_access.o
29	$(CC) $(CFLAGS) -o $@ $< $(LIBS) $(LDFLAGS)	27	$(CC) $(CFLAGS) -o $@ $< $(LIBS) $(LDFLAGS)
30		28
31	lint-pam_skey:	29	lint-pam_skey:
32	lclint $(CFLAGS) pam_skey.c	30	lclint $(CFLAGS) pam_skey.c
33		31
34	lint-pam_skey_access:	32	install: all
35	lclint $(CFLAGS) pam_skey_access.c	33	$(INSTALL) -d $(INSTALLDIR)
36		34	$(INSTALL_LIB) $(PAM_FILES) $(INSTALLDIR)
37	install:
38	@if test ! -d $(INSTALLDIR); then \
39	echo "Missing $(INSTALLDIR). Problem with PAM installation?"; \
40	else \
41	for file in $(PAM_FILES); do \
42	if test ! -f "$(INSTALLDIR)/$$file"; then \
43	echo "Installing $$file in $(INSTALLDIR)"; \
44	$(INSTALL) "$$file" "$(INSTALLDIR)/$$file"; \
45	(cd $(INSTALLDIR) && $(LN) "$$file" `echo $$file \| cut -d. -f1,2`); \
46	else \
47	echo "$$file exists - will not overwrite it"; \
48	fi \
49	done \
50	fi
51		35
52	clean:	36	clean:
53	$(RM) a.out core .so.1 .o *.bak	37	$(RM) a.out core .so.1 .o *.bak

Lines 1-5 Link Here

(-)pam_skey-1.1.4/README (+72 lines)
1	$Id: README,v 1.2 2005/06/18 12:36:18 kreator Exp $	1	$Id: README,v 1.2 2005/06/18 12:36:18 kreator Exp $
2		2
		3	Gentoo patch
		4	------------
		5
		6	The Gentoo pam_skey patch changes the original module in a number of ways.
		7	The behavior of the module is changed to make it more consistent with the
		8	PAM design, and several changes were made throughout the code to make the
		9	module interact better with the skey library used by Gentoo. Many of
		10	these changes will break pam_skey's compatibility with other systems and
		11	libraries, but this is, after all, the Gentoo patch.
		12
		13	A (not necessarily) exhaustive list of the changes is as follows:
		14	- pam_skey_access.so is completely removed, since the Gentoo skey library
		15	does not support the skey_access() call.
		16	- The pam_skey.so authentication code is completely rewritten. The
		17	original code contained many references to the standard I/O library
		18	(writing to stderr, etc.), as well as inconsistent communication with
		19	the PAM libraries. Also, the authentication process is different, as
		20	described below.
		21	- The options accepted by the pam_skey.so module are different, as
		22	described below.
		23
		24	Four options are accepted by the pam_skey.so module:
		25	debug - This option turns on debug logging.
		26	try_first_pass - This option tells the module to first try using
		27	the authentication token passed from the
		28	previous module as an S/Key response, before
		29	informing the user of the challenge. If the
		30	token is not valid, the module will proceed with
		31	the standard process of challenging the user
		32	and requesting a response, subject to the
		33	no_default_skey option below.
		34	use_first_pass - This option is identical to the try_first_pass
		35	option, except that if the token is not valid,
		36	it will return silently without challenging the
		37	user.
		38	no_default_skey - This flag changes the behavior of pam_skey.
		39	Instead of immediately challenging the user with
		40	an S/Key challenge, it will present the user with
		41	a standard "Password: " prompt. If the user enters
		42	the password "s/key" (case insensitive), it will
		43	then challenge the user. Any other input will
		44	cause the module to pass the given password to the
		45	next module in the authentication stack (usually
		46	pam_unix.so with the try_first_pass option).
		47
		48	The exact behavior of pam_skey.so is detailed below:
		49
		50	1. Retrieve username from PAM, possibly querying the user for it.
		51	2. If the user does not have any S/Key information, return PAM_IGNORE to
		52	proceed to the next module in the stack.
		53	3. If *_first_pass is enabled, check the given authentication token to see
		54	if it is a valid response to the current S/Key challenge. If so,
		55	return PAM_SUCCESS.
		56	3a. If the token is invalid and use_first_pass is enabled, return
		57	PAM_IGNORE.
		58	4. If no_default_skey is enabled, issue a "Password: " prompt.
		59	4a. If the response is anything besides "s/key" (case insensitive),
		60	store it as the authentication token and return PAM_IGNORE.
		61	5. Display the current S/Key challenge and request a response, with
		62	input not echoed. If no_default_skey is enabled, this will only be
		63	an S/Key response request; otherwise, it will request either an
		64	S/Key response or a system passsword.
		65	5a. If an empty response is given, request the S/Key response again,
		66	this time with input echoed.
67	5b. If the response is a valid S/Key response, return PAM_SUCCESS.
68	Otherwise, return PAM_AUTHERR.
69	6. If the response is a valid S/Key response, return PAM_SUCCESS.
70	7. Otherwise, if no_default_skey is enabled (the user specifically
71	requested "s/key" authentication), return PAM_AUTHERR.
72	8. Otherwise, store the response as the authentication token and
73	return PAM_IGNORE.
74
3	About	75	About
4	-----	76	-----
5	This is complete pam_skey modul as interface to existing S/Key	77	This is complete pam_skey modul as interface to existing S/Key

Lines 1-17 Link Here

(-)pam_skey-1.1.4/autoconf/acconfig.h (-15 lines)
1	/* Define if we can include both string.h and strings.h */	1	/* Define if we can include both string.h and strings.h */
2	#undef STRING_WITH_STRINGS	2	#undef STRING_WITH_STRINGS
3
4	/* Define if you have Linux */
5	#undef LINUX
6
7	/* Define if you have BSD /
8	#undef BSD
9
10	/* Define if not missing skeyaccess() */
11	#undef HAVE_SKEYACCESS
12
13	/* Define if not missing skeyinfo() */
14	#undef HAVE_SKEYINFO
15
16	/* Define if you have skeylookup() instead of skeyinfo() */
17	#undef HAVE_SKEYLOOKUP

Lines 10-30 Link Here

(-)pam_skey-1.1.4/autoconf/configure.in (-19 / +3 lines)
10	AC_LANG_C	10	AC_LANG_C
11	AC_LANG_SAVE	11	AC_LANG_SAVE
12		12
13	dnl Get system type
14	AC_CANONICAL_HOST
15	MYHOST=$host_os
16	case "$host_os" in
17	linux)
18	AC_DEFINE(LINUX)
19	;;
20	bsd)
21	AC_DEFINE(BSD)
22	;;
23	esac
24
25	dnl Package information	13	dnl Package information
26	PACKAGE=pam_skey	14	PACKAGE=pam_skey
27	VERSION=1.1	15	VERSION=1.4r1
28		16
29	dnl Standard installation path	17	dnl Standard installation path
30	AC_PREFIX_DEFAULT(/usr)	18	AC_PREFIX_DEFAULT(/usr)
Lines 65-77 Link Here
65	AC_ARG_WITH(skey-inc, [ --with-skey-inc=DIR Directory containing skey include files], CFLAGS="${CFLAGS} -I${withval}")	53	AC_ARG_WITH(skey-inc, [ --with-skey-inc=DIR Directory containing skey include files], CFLAGS="${CFLAGS} -I${withval}")
66		54
67	dnl Check for skey library	55	dnl Check for skey library
68	AC_CHECK_LIB(socket, socket)	56	AC_CHECK_LIB(socket, socket, LIBS="${LIBS} -lsocket")
69	AC_CHECK_LIB(nsl, gethostbyname)	57	AC_CHECK_LIB(nsl, gethostbyname, LIBS="${LIBS} -lnsl")
70	AC_CHECK_LIB(skey, skeyverify, SKEYLIB="-lskey", AC_MSG_ERROR(skey library not found or unknown interface))	58	AC_CHECK_LIB(skey, skeyverify, SKEYLIB="-lskey", AC_MSG_ERROR(skey library not found or unknown interface))
71	AC_CHECK_LIB(skey, skeyaccess, AC_DEFINE(HAVE_SKEYACCESS))
72	AC_CHECK_LIB(skey, skeyinfo, AC_DEFINE(HAVE_SKEYINFO),
73	AC_CHECK_LIB(skey, skeylookup, AC_DEFINE(HAVE_SKEYLOOKUP))
74	)
75		59
76	dnl Check against -G linker flag	60	dnl Check against -G linker flag
77	hold_ldflags=$LDFLAGS	61	hold_ldflags=$LDFLAGS

Lines 1-5 Link Here

(-)pam_skey-1.1.4/pam_skey.c (-257 / +125 lines)
1	/*	1	/*
2	* (c) 2001 Dinko Korunic, kreator@srce.hr	2	* Rewrite (c) 2005 Dani Church, dani.church@gmail.com
		3	* Original (c) 2001 Dinko Korunic, kreator@srce.hr
3	*	4	*
4	* THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED	5	* THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
5	* WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF	6	* WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
Lines 33-304 Link Here
33	#include <pwd.h>	34	#include <pwd.h>
34	#include <sys/types.h>	35	#include <sys/types.h>
35	#include <syslog.h>	36	#include <syslog.h>
		37	#include <ctype.h>
36		38
37	#define PAM_EXTERN extern	39	#define PAM_EXTERN extern
38	#undef PAM_STATIC	40	#undef PAM_STATIC
39		41
40	#include <security/pam_appl.h>	42	#include <security/pam_appl.h>
41	#include <security/pam_modules.h>	43	#include <security/pam_modules.h>
		44	#include <security/_pam_macros.h>
42		45
43	#include "skey.h"	46	#include "skey.h"
44	#include "pam_skey.h"	47	#include "pam_skey.h"
45	#include "misc.h"	48	#include "misc.h"
46		49
		50	#define LOGDEBUG(x) if (mod_opt & _MOD_DEBUG) { syslog x ;}
		51	#define QUERY_USERNAME NULL /* Use default username prompt */
		52	#define QUERY_PASSWORD "Password: "
		53	#define QUERY_RESPONSE_OR_PASSWORD "S/Key response or system password: "
		54	#define QUERY_RESPONSE "S/Key response: "
		55
47	PAM_EXTERN int pam_sm_setcred (pam_handle_t *pamh, int flags,	56	PAM_EXTERN int pam_sm_setcred (pam_handle_t *pamh, int flags,
48	int argc, const char **argv)	57	int argc, const char **argv)
49	{	58	{
50	return PAM_SUCCESS;	59	return PAM_SUCCESS;
51	}	60	}
52		61
		62	/*
		63	* The authentication module will return the following status codes:
		64	* PAM_SUCCESS: Successful authentication via S/Key.
		65	* PAM_IGNORE: The user doesn't have S/Key or doesn't want to use it.
		66	* Continue with the next module, using try_first_pass.
		67	* PAM_AUTH_ERR: The user asked to use S/Key, but failed the authentication.
		68	* Don't try any more PAM modules.
		69	* others: random errors, try next authentication method
		70	*/
		71
53	PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags,	72	PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags,
54	int argc, const char **argv)	73	int argc, const char **argv)
55	{	74	{
56	char challenge[CHALLENGE_MAXSIZE]; /* challenge to print in conv */	75	const char challenge; / challenge to print in conv */
57	char msg_text[PAM_MAX_MSG_SIZE]; /* text for pam conv */	76	const char username = NULL; / username spacer */
58	char username = NULL; / username spacer */
59	char response = NULL; / response spacer */	77	char response = NULL; / response spacer */
60	struct skey skey; /* structure that contains skey information */
61	int status; /* return status spacer */	78	int status; /* return status spacer */
62	unsigned mod_opt = _MOD_NONE_ON; /* module options */	79	unsigned mod_opt=_MOD_NONE_ON; /* module options */
63		80
64	/* Get module options */	81	/* Get module options */
65	mod_getopt(&mod_opt, argc, argv);	82	mod_getopt(&mod_opt, argc, argv);
66		83
67	/* Get username */	84	/* Get username (taken mainly from pam_unix) */
68	#if defined LINUX \|\| defined BSD	85	status = pam_get_user(pamh, &username, QUERY_USERNAME);
69	if (pam_get_user(pamh, (const char **)&username, "login:")	86	if (status == PAM_SUCCESS) {
70	#else	87	if (username == NULL \|\| !isalnum(*username)) {
71	if (pam_get_user(pamh, (char **)&username, "login:")	88	syslog(LOG_ERR, "bad username [%s]", username);
72	#endif	89	return PAM_USER_UNKNOWN;
73	!= PAM_SUCCESS)
74	{
75	fprintf(stderr, "cannot determine username\n");
76	if (mod_opt & _MOD_DEBUG)
77	syslog(LOG_DEBUG, "cannot determine username");
78	return PAM_USER_UNKNOWN;
79	}
80
81	if (mod_opt & _MOD_DEBUG)
82	syslog(LOG_DEBUG, "got username %s", username);
83
84	#ifdef HAVE_SKEYACCESS
85	/* Check S/Key access permissions - user, host and port. Also include
86	* sanity checks */
87	if (mod_opt & _MOD_ACCESS_CHECK)
88	{
89	char host; / points to host */
90	char port; / points to port */
91	struct passwd pwuser; / structure for getpw() */
92
93	/* Get host.. */
94	#if defined LINUX \|\| defined BSD
95	if (pam_get_item(pamh, PAM_RHOST, (const void **)&host)
96	#else
97	if (pam_get_item(pamh, PAM_RHOST, (void **)&host)
98	#endif
99	!= PAM_SUCCESS)
100	host = NULL; /* couldn't get host */
101	/* ..and port */
102	#if defined LINUX \|\| defined BSD
103	if (pam_get_item(pamh, PAM_TTY, (const void **)&port)
104	#else
105	if (pam_get_item(pamh, PAM_TTY, (void **)&port)
106	#endif
107	!= PAM_SUCCESS)
108	port = NULL; /* couldn't get port */
109
110	if (mod_opt & _MOD_DEBUG)
111	syslog(LOG_DEBUG, "checking s/key access for user %s,"
112	" host %s, port %s", username,
113	(host != NULL) ? host : "unknown",
114	(port != NULL) ? port : "unknown");
115
116	/* Get information from passwd file */
117	if ((pwuser = getpwnam(username)) == NULL)
118	{
119	fprintf(stderr, "no such user\n");
120	syslog(LOG_NOTICE, "cannot find user %s", username);
121	return PAM_USER_UNKNOWN; /* perhaps even return PAM_ABORT here? */
122	}	90	}
		91	LOGDEBUG((LOG_DEBUG, "username [%s] obtained", username));
		92	} else {
		93	LOGDEBUG((LOG_DEBUG, "trouble reading username"));
		94	if (status == PAM_CONV_AGAIN)
		95	return PAM_INCOMPLETE;
		96	return status;
		97	}
123		98
124	/* Do actual checking - we assume skeyaccess() returns PERMIT which is	99	/* Check whether or not this user has an S/Key */
125	* by default 1. Notice 4th argument is NULL - we will not perform	100	if (skey_haskey(username) != 0) {
126	* address checks on host itself */	101	LOGDEBUG((LOG_DEBUG, "user [%s] has no S/Key entry", username));
127	if (skeyaccess(pwuser, port, host, NULL) != 1)	102	return PAM_IGNORE;
128	{
129	fprintf(stderr, "no s/key access permissions\n");
130	syslog(LOG_NOTICE, "no s/key access permissions for %s",
131	username);
132	return PAM_AUTH_ERR;
133	}
134	}	103	}
135	else
136		104
137	#endif /* HAVE_SKEYACCESS */	105	if ((mod_opt & _MOD_TRY_FIRST_PASS) \|\| (mod_opt & _MOD_USE_FIRST_PASS)) {
138		106	status = pam_get_item(pamh, PAM_AUTHTOK, (const void **) &response);
139	/* Only do check whether user has passwd entry */	107	if (status != PAM_SUCCESS) {
140	if (getpwnam(username) == NULL)	108	syslog(LOG_ALERT, "pam_get_item returned error to pam_skey");
141	{	109	return status;
142	fprintf(stderr, "no such user\n");	110	} else if (response != NULL) {
143	if (mod_opt & _MOD_DEBUG)	111	if (skey_passcheck(username, response) != -1) {
144	syslog(LOG_DEBUG, "cannot find user %s",	112	return PAM_SUCCESS;
145	username);	113	} else if (mod_opt & _MOD_USE_FIRST_PASS) {
146	return PAM_USER_UNKNOWN;	114	return PAM_IGNORE;
		115	}
		116	} else if (mod_opt & _MOD_USE_FIRST_PASS) {
		117	return PAM_AUTHTOK_RECOVER_ERR;
147	}	118	}
148
149	/* Get S/Key information on user with skeyinfo() */
150	#ifdef HAVE_SKEYINFO
151	switch (skeyinfo(&skey, username, NULL))
152	#else
153	#ifdef HAVE_SKEYLOOKUP
154	switch (skeylookup(&skey, username))
155	#endif /* HAVE_SKEYLOOKUP */
156	#endif /* HAVE_SKEYINFO */
157	{
158	/* 0: OK */
159	case 0:
160	break;
161	/* -1: File error */
162	case -1:
163	#if 0
164	/* XXX- This seems broken in (at least) logdaemon-5.8. It returns -1
165	* when user not found in keyfile. -kre */
166	fprintf(stderr, "s/key database error\n");
167	syslog(LOG_NOTICE, "s/key database error");
168	return PAM_AUTH_ERR;
169	#endif
170	/* 1: No such user in database */
171	case 1:
172	/* We won't confuse the ordinary user telling him about missing skeys
173	* -kre */
174	#if 0
175	fprintf(stderr, "no s/key for %s\n", username);
176	#endif
177	if (mod_opt & _MOD_DEBUG)
178	syslog(LOG_DEBUG, "no s/key for %s\n", username);
179	return PAM_AUTH_ERR;
180	}	119	}
181		120
182	/* Make challenge string */	121	if (mod_opt & _MOD_NO_DEFAULT_SKEY) {
183	#if defined(SKEY_MAX_HASHNAME_LEN) && defined(SKEY_MAX_SEED_LEN)	122	status = mod_talk_touser(pamh, mod_opt, NULL, QUERY_PASSWORD, 0, &response);
184	snprintf(challenge, CHALLENGE_MAXSIZE, "otp-%.s %d %.s",	123	if (status != PAM_SUCCESS) {
185	SKEY_MAX_HASHNAME_LEN, skey_get_algorithm(), skey.n - 1, SKEY_MAX_SEED_LEN, skey.seed);	124	_pam_delete(response)
186	#else	125	return status;
187	snprintf(challenge, CHALLENGE_MAXSIZE, "s/key %d %s",
188	skey.n - 1, skey.seed);
189	#endif
190
191	if (mod_opt & _MOD_DEBUG)
192	syslog(LOG_DEBUG, "got challenge %s for %s", challenge,
193	username);
194
195	/* Read response from last module's PAM_AUTHTOK */
196	if (mod_opt & _MOD_USE_FIRST_PASS)
197	{
198	/* Try to extract authtoken */
199	#if defined LINUX \|\| defined BSD
200	if (pam_get_item(pamh, PAM_AUTHTOK, (const void **)&response)
201	#else
202	if (pam_get_item(pamh, PAM_AUTHTOK, (void **)&response)
203	#endif
204	!= PAM_SUCCESS)
205	{
206	if (mod_opt & _MOD_DEBUG)
207	syslog(LOG_DEBUG, "could not get PAM_AUTHTOK");
208	mod_opt &= ~_MOD_USE_FIRST_PASS;
209	}	126	}
210	else	127	if (strcasecmp(response,"s/key")!=0) {
211	{	128	status = pam_set_item(pamh, PAM_AUTHTOK, response);
212	/* Got AUTHTOK, but it was empty */	129	if (status != PAM_SUCCESS)
213	if (empty_authtok(response))	130	return status;
214	{	131	return PAM_IGNORE;
215	if (mod_opt & _MOD_DEBUG)
216	syslog(LOG_DEBUG, "empty PAM_AUTHTOK");
217	mod_opt &= ~_MOD_USE_FIRST_PASS;
218	}
219	else
220	/* All OK, print challenge information */
221	fprintf(stderr, "challenge %s\n", challenge);
222	}	132	}
		133	_pam_delete(response);
223	}	134	}
224		135
225	/* There was no PAM_AUTHTOK, or there was no such option in pam-conf	136	challenge = skey_keyinfo(username);
226	* file */	137	if (challenge == NULL) {
227	if (!(mod_opt & _MOD_USE_FIRST_PASS))	138	syslog(LOG_ALERT, "Could not retrieve S/Key challenge for [%s]", username);
228	{	139	return PAM_AUTHINFO_UNAVAIL;
229	/* Prepare a complete message for conversation */	140	}
230	snprintf(msg_text, PAM_MAX_MSG_SIZE,
231	"challenge %s\npassword: ", challenge);
232
233	/* Talk with user */
234	if (mod_talk_touser(pamh, &mod_opt, msg_text, &response)
235	!= PAM_SUCCESS)
236	return PAM_SERVICE_ERR;
237
238	/* Simulate standard S/Key login procedure - if empty token, turn on
239	* ECHO and prompt again */
240	if (empty_authtok(response) && !(mod_opt & _MOD_ONLY_ONE_TRY))
241	{
242	/* Was there echo off? */
243	if (mod_opt & _MOD_ECHO_OFF)
244	{
245	_pam_delete(response);
246	fprintf(stderr, "(turning echo on)\n");
247	mod_opt &= ~_MOD_ECHO_OFF;
248
249	/* Prepare a complete message for conversation */
250	snprintf(msg_text, PAM_MAX_MSG_SIZE, "password: ");
251
252	/* Talk with user */
253	if (mod_talk_touser(pamh, &mod_opt, msg_text, &response)
254	!= PAM_SUCCESS)
255	return PAM_SERVICE_ERR;
256
257	/* Got again empty response. Bailout and don't save auth token */
258	if (empty_authtok(response))
259	return PAM_AUTH_ERR;
260	}
261	else
262	/* There was echo on already - just get out and don't save auth token
263	* for other modules */
264	return PAM_AUTH_ERR;
265	}
266		141
267	/* XXX - ECHO ON puts '\n' at the end in Solaris 2.7! This is	142	if (mod_opt & _MOD_NO_DEFAULT_SKEY)
268	* cludge to get rid of this nasty `feature' -kre */	143	status = mod_talk_touser(pamh, mod_opt, challenge, QUERY_RESPONSE, 0, &response);
269	_pam_degarbage(response);	144	else
270		145	status = mod_talk_touser(pamh, mod_opt, challenge, QUERY_RESPONSE_OR_PASSWORD, 0, &response);
271	/* Store auth token - that next module can use with `use_first_pass' */
272	if (pam_set_item(pamh, PAM_AUTHTOK, response) != PAM_SUCCESS)
273	{
274	syslog(LOG_NOTICE, "unable to save auth token");
275	return PAM_SERVICE_ERR;
276	}
277		146
278	/* cleanup conversation */	147	if (status != PAM_SUCCESS)
		148	return status;
		149
		150	if (*response == '\0') {
279	_pam_delete(response);	151	_pam_delete(response);
280	}	152	status = mod_talk_touser(pamh, mod_opt, NULL, QUERY_RESPONSE, 1, &response);
281		153	if (status != PAM_SUCCESS)
282	/* Verify S/Key */	154	return status;
283	status = skeyverify(&skey, response);	155	status = pam_set_item(pamh, PAM_AUTHTOK, response);
		156	status = skey_passcheck(username, response);
		157	_pam_delete(response);
		158	if (status != -1)
		159	return PAM_SUCCESS;
		160	return PAM_AUTH_ERR;
		161	}
284		162
285	switch (status)	163	status = pam_set_item(pamh, PAM_AUTHTOK, response);
286	{	164	status = skey_passcheck(username, response);
287	/* 0: Verify successful, database updated */	165	if (status != -1) {
288	case 0:	166	_pam_delete(response);
289	break;	167	return PAM_SUCCESS;
290	/* -1: Error of some sort; database unchanged */	168	}
291	/* 1: Verify failed, database unchanged */	169
292	case -1:	170	if (mod_opt & _MOD_NO_DEFAULT_SKEY) {
293	case 1:	171	_pam_delete(response);
294	if (mod_opt & _MOD_DEBUG)	172	return PAM_AUTH_ERR;
295	syslog(LOG_DEBUG, "verify for %s failed, database"
296	" unchanged", username);
297	return PAM_AUTH_ERR;
298	}	173	}
299		174
300	/* Success by default */	175	status = pam_set_item(pamh, PAM_AUTHTOK, response);
301	return PAM_SUCCESS;	176	return PAM_IGNORE;
302	}	177	}
303		178
304	/* Get module optional parameters */	179	/* Get module optional parameters */
Lines 332-381 Link Here
332	}	207	}
333		208
334	/* This will talk to user through PAM_CONV */	209	/* This will talk to user through PAM_CONV */
335	static int mod_talk_touser(pam_handle_t pamh, unsigned mod_opt,	210	static int mod_talk_touser(pam_handle_t *pamh, unsigned mod_opt,
336	char msg_text, char *response)	211	const char info_text, const char prompt_text, int echo_on, char **response)
337	{	212	{
338	struct pam_message message;	213	struct pam_message message[2], *pmessage[2];
339	const struct pam_message *pmessage = &message;
340	struct pam_conv *conv = NULL;	214	struct pam_conv *conv = NULL;
341	struct pam_response *presponse = NULL;	215	struct pam_response *presponse = NULL;
342		216	int i=0;
		217
343	/* Better safe than sorry */	218	/* Better safe than sorry */
344	*response = NULL;	219	*response = NULL;
345		220
346	/* Be paranoid */	221	/* Be paranoid */
347	memset(&message, 0, sizeof(message));	222	memset(&message, 0, sizeof(message));
348		223
349	/* Turn on/off PAM echo */	224	pmessage[0] = &message[0];
350	if (*mod_opt & _MOD_ECHO_OFF)	225	pmessage[1] = &message[1];
351	message.msg_style = PAM_PROMPT_ECHO_OFF;	226
352	else	227	/* Set info text, if any */
353	message.msg_style = PAM_PROMPT_ECHO_ON;	228	if (info_text) {
		229	message[i].msg = info_text;
		230	message[i].msg_style = PAM_TEXT_INFO;
		231	i++;
		232	}
354		233
355	/* Point to conversation text */	234	/* Set prompt text */
356	message.msg = msg_text;	235	message[i].msg = prompt_text;
		236	message[i].msg_style = echo_on ? PAM_PROMPT_ECHO_ON : PAM_PROMPT_ECHO_OFF;
		237	i++;
357		238
358	/* Do conversation and see if all is OK */	239	/* Do conversation and see if all is OK */
359	#if defined LINUX \|\| defined BSD	240	if (pam_get_item(pamh, PAM_CONV, (const void **)&conv) != PAM_SUCCESS) {
360	if (pam_get_item(pamh, PAM_CONV, (const void **)&conv)	241	LOGDEBUG((LOG_DEBUG, "error in conversation"));
361	#else
362	if (pam_get_item(pamh, PAM_CONV, (void **)&conv)
363	#endif
364	!= PAM_SUCCESS)
365	{
366	if (*mod_opt & _MOD_DEBUG)
367	syslog(LOG_DEBUG, "error in conversation");
368	return PAM_SERVICE_ERR;	242	return PAM_SERVICE_ERR;
369	}	243	}
370		244	/* Convert into pam_response */
371	/* Convert into pam_response - only 1 reply expected */	245	if (conv->conv(i, (const struct pam_message **)pmessage, &presponse,
372	#if defined LINUX \|\| defined BSD
373	if (conv->conv(1, &pmessage, &presponse,
374	conv->appdata_ptr)	246	conv->appdata_ptr)
375	#else
376	if (conv->conv(1, (struct pam_message **)&pmessage, &presponse,
377	conv->appdata_ptr)
378	#endif
379	!= PAM_SUCCESS)	247	!= PAM_SUCCESS)
380	{	248	{
381	_pam_delete(presponse->resp);	249	_pam_delete(presponse->resp);
Lines 385-394 Link Here
385	if (presponse != NULL)	253	if (presponse != NULL)
386	{	254	{
387	/* Save address */	255	/* Save address */
388	*response = presponse->resp;	256	*response = presponse[i-1].resp;
389	/* To ensure that response address will not be erased */	257	/* To ensure that response address will not be erased */
390	presponse->resp = NULL;	258	presponse[i-1].resp = NULL;
391	_pam_drop(presponse);	259	_pam_drop_reply(presponse,i);
392	}	260	}
393	else	261	else
394	return PAM_SERVICE_ERR;	262	return PAM_SERVICE_ERR;

Lines 1-161 Link Here

(-)pam_skey-1.1.4/pam_skey_access.c (-161 lines)
1	/*
2	* (c) 2001 Dinko Korunic, kreator@srce.hr
3	*
4	* THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
5	* WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
6	* MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
7	*
8	* S/KEY is a trademark of Bellcore.
9	* Mink is the former name of the S/KEY authentication system.
10	*
11	* Programs that had some influence in development of this source:
12	* Wietse Venema's logdaemon package
13	* Olaf Kirch's Linux S/Key package
14	* Linux-PAM modules and templates
15	* Wyman Miles' pam_securid module
16	*
17	* Should you choose to use and/or modify this source code, please do so
18	* under the terms of the GNU General Public License under which this
19	* program is distributed.
20	*/
21
22	static char rcsid[] = "$Id: pam_skey_access.c,v 1.2 2005/06/18 12:36:18 kreator Exp $";
23
24	#include "defs.h"
25
26	#include <stdio.h>
27	#include <stdlib.h>
28	#include <string.h>
29	#ifdef STRING_WITH_STRINGS
30	# include <strings.h>
31	#endif
32	#include <unistd.h>
33	#include <pwd.h>
34	#include <sys/types.h>
35	#include <syslog.h>
36
37	#define PAM_EXTERN extern
38	#undef PAM_STATIC
39
40	#include <security/pam_appl.h>
41	#include <security/pam_modules.h>
42
43	#include "skey.h"
44	#include "pam_skey.h"
45	#include "misc.h"
46
47	PAM_EXTERN int pam_sm_setcred (pam_handle_t *pamh, int flags,
48	int argc, const char **argv)
49	{
50	return PAM_SUCCESS;
51	}
52
53	PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags,
54	int argc, const char **argv)
55	{
56	char username = NULL; / will point to username */
57	unsigned mod_opt = _MOD_NONE_ON; /* module options */
58	char host; / will point to host */
59	char port; / will point to port */
60	struct passwd *pwuser;
61
62	/* Get module options */
63	mod_getopt(&mod_opt, argc, argv);
64
65	/* Get username */
66	#if defined LINUX \|\| defined BSD
67	if (pam_get_user(pamh, (const char **)&username, "login:")!=PAM_SUCCESS)
68	#else
69	if (pam_get_user(pamh, (char **)&username, "login:")!=PAM_SUCCESS)
70	#endif
71	{
72	fprintf(stderr, "cannot determine username\n");
73	if (mod_opt & _MOD_DEBUG)
74	syslog(LOG_DEBUG, "cannot determine username");
75	return PAM_AUTHINFO_UNAVAIL;
76	}
77
78	if (mod_opt & _MOD_DEBUG)
79	syslog(LOG_DEBUG, "got username %s", username);
80
81	/* Check S/Key access permissions - user, host and port. Also include
82	* sanity checks */
83	/* Get host.. */
84	#if defined LINUX \|\| defined BSD
85	if (pam_get_item(pamh, PAM_RHOST, (const void **)&host)
86	#else
87	if (pam_get_item(pamh, PAM_RHOST, (void **)&host)
88	#endif
89	!= PAM_SUCCESS)
90	host = NULL;
91	/* ..and port */
92	#ifdef LINUX
93	if (pam_get_item(pamh, PAM_TTY, (const void **)&port)
94	#else
95	if (pam_get_item(pamh, PAM_TTY, (void **)&port)
96	#endif
97	!= PAM_SUCCESS)
98	port = NULL;
99
100	if (mod_opt & _MOD_DEBUG)
101	syslog(LOG_DEBUG, "checking s/key access for user %s,"
102	" host %s, port %s", username,
103	(host != NULL) ? host : "unknown",
104	(port != NULL) ? port : "unknown");
105
106	/* Get information from passwd file */
107	if ((pwuser = getpwnam(username)) == NULL)
108	{
109	fprintf(stderr, "no such user\n");
110	syslog(LOG_NOTICE, "cannot find user %s",
111	username);
112	return PAM_AUTHINFO_UNAVAIL;
113	}
114
115	#ifdef HAVE_SKEYACCESS
116
117	/* Do actual checking - we assume skeyaccess() returns PERMIT which is
118	* by default 1. Notice 4th argument is NULL - we will not perform
119	* address checks on host itself */
120	if (skeyaccess(pwuser, port, host, NULL) != 1)
121	{
122	fprintf(stderr, "no s/key access permissions\n");
123	syslog(LOG_NOTICE, "no s/key access permissions for %s",
124	username);
125	return PAM_AUTH_ERR;
126	}
127
128	#endif /* HAVE_SKEYACCESS */
129
130	return PAM_SUCCESS;
131	}
132
133	/* Get module optional parameters */
134	static void mod_getopt(unsigned mod_opt, int mod_argc, const char *mod_argv)
135	{
136	int i;
137
138	/* Setup runtime defaults */
139	*mod_opt \|= _MOD_DEFAULT_FLAG;
140	*mod_opt &= _MOD_DEFAULT_MASK;
141
142	/* Setup runtime options */
143	while (mod_argc--)
144	{
145	for (i = 0; i < _MOD_ARGS; ++i)
146	{
147	if (mod_args[i].token != NULL &&
148	!strncmp(*mod_argv, mod_args[i].token,
149	strlen(mod_args[i].token)))
150	break;
151	}
152	if (i >= _MOD_ARGS)
153	syslog(LOG_ERR, "unknown option %s", *mod_argv);
154	else
155	{
156	mod_opt &= mod_args[i].mask; / Turn off */
157	mod_opt \|= mod_args[i].flag; / Turn on */
158	}
159	++mod_argv;
160	}
161	}