2 * Redistribution and use in source and binary forms, with or without
3 * modification, are permitted provided that the following conditions
5 * 1. Redistributions of source code must retain the above copyright
6 * notice, and the entire permission notice in its entirety,
7 * including the disclaimer of warranties.
8 * 2. Redistributions in binary form must reproduce the above copyright
9 * notice, this list of conditions and the following disclaimer in the
10 * documentation and/or other materials provided with the distribution.
11 * 3. The name of the author may not be used to endorse or promote
12 * products derived from this software without specific prior
15 * ALTERNATIVELY, this product may be distributed under the terms of
16 * the GNU Public License, in which case the provisions of the GPL are
17 * required INSTEAD OF the above restrictions. (This clause is
18 * necessary due to a potential bad interaction between the GPL and
19 * the restrictions contained in a BSD-style copyright.)
21 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
22 * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
23 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
24 * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
25 * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
26 * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
27 * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
29 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
30 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
31 * OF THE POSSIBILITY OF SUCH DAMAGE.
40 #define PAM_SM_AUTH /* only defines this management group */
42 #include <security/pam_modules.h>
43 #include <security/pam_modutil.h>
44 #include <security/pam_ext.h>
/*
 * Authentication entry point of the rhosts module.
 *
 * Decides purely by host-based trust: the remote host and remote user that
 * the application stored in the PAM handle (PAM_RHOST / PAM_RUSER) are handed,
 * together with the local account name, to ruserok()/ruserok_af(), and the
 * result of that libc check is the authentication result. Nothing here
 * verifies that the remote host name or remote user name is genuine; the
 * module is only as trustworthy as the application that set those items and
 * the name resolution behind ruserok(3). Deployments should treat this as a
 * legacy, spoofable mechanism and not as an authenticator on its own.
 *
 * Options: "debug", "silent"/"suppress", "superuser=<name>". Anything else is
 * logged as unrecognized and ignored.
 * Returns a PAM status; only PAM_USER_UNKNOWN is visible in this excerpt, the
 * other return statements are outside the shown lines.
 */
47 int pam_sm_authenticate (pam_handle_t *pamh, int flags, int argc,
50 const char *luser = NULL;
51 const char *ruser = NULL, *rhost = NULL;
52 const char *opt_superuser = NULL;
/* PAM_SILENT from the application suppresses the allow/deny log lines below. */
59 opt_silent = flags & PAM_SILENT;
/* Module argument parsing (loop header not shown). "debug" presumably sets
 * opt_debug, which later overrides silent; "silent" and "suppress" are
 * synonyms; "superuser=" names one account that must never be granted
 * rhosts access. */
62 if (strcmp(*argv, "debug") == 0)
64 else if (strcmp (*argv, "silent") == 0 || strcmp(*argv, "suppress") == 0)
66 else if (strncmp(*argv, "superuser=", sizeof("superuser=")-1) == 0)
/* Point past the "superuser=" prefix; the value is the rest of the argument. */
67 opt_superuser = *argv+sizeof("superuser=")-1;
/* Unknown options are reported, not fatal: a typo in the config silently
 * leaves the default behaviour in place, so check the log after changes. */
69 pam_syslog(pamh, LOG_WARNING, "unrecognized option '%s'", *argv);
/* Remote host as recorded by the application. This module cannot tell
 * whether it was authenticated; for rhosts it is the whole basis of trust. */
74 retval = pam_get_item (pamh, PAM_RHOST, &c_void);
75 if (retval != PAM_SUCCESS) {
76 pam_syslog(pamh, LOG_ERR, "could not get the remote host name");
/* Remote user name, likewise supplied by the application/client. */
81 retval = pam_get_item(pamh, PAM_RUSER, &c_void);
83 if (retval != PAM_SUCCESS) {
84 pam_syslog(pamh, LOG_ERR, "could not get the remote username");
/* Local account being authenticated; NULL prompt means the stack default. */
88 retval = pam_get_user(pamh, &luser, NULL);
89 if (retval != PAM_SUCCESS) {
90 pam_syslog(pamh, LOG_ERR, "could not determine name of local user");
/* All three strings are required; without any of them there is nothing to
 * look up (the failure return is outside the shown lines). */
94 if (rhost == NULL || ruser == NULL || luser == NULL)
/* The configured superuser= account is excluded from rhosts access outright
 * (the return is not shown here); this is the one hard deny the admin can
 * configure regardless of what ~/.rhosts or hosts.equiv say. */
97 if (opt_superuser && strcmp(opt_superuser, luser) == 0)
/* Resolve the local account; needed for its uid below. */
102 lpwd = pam_modutil_getpwnam(pamh, luser);
105 /* Logged only at LOG_DEBUG on purpose: an unknown "user" string may be a
 * password a client typed into the wrong prompt, so it must not reach the
 * default log level. */
106 pam_syslog(pamh, LOG_DEBUG,
107 "user '%s' unknown to this system", luser);
108 return PAM_USER_UNKNOWN;
/* Passed as the superuser flag of ruserok(); it selects the stricter root
 * handling of that libc routine (see ruserok(3) for the exact effect). */
111 as_root = (lpwd->pw_uid == 0);
/* Prefer the address-family aware variant where the libc has it; PF_UNSPEC
 * lets it consider both IPv4 and IPv6 for the host name. */
114 #ifdef HAVE_RUSEROK_AF
115 retval = ruserok_af (rhost, as_root, ruser, luser, PF_UNSPEC);
117 retval = ruserok (rhost, as_root, ruser, luser);
/* Outcome logging (the retval test on each branch is not shown). debug
 * overrides silent. ruser and rhost are remote-supplied strings written to
 * syslog verbatim; whether pam_syslog neutralises control characters in them
 * should be confirmed if log integrity matters. */
120 if (!opt_silent || opt_debug)
121 pam_syslog(pamh, LOG_WARNING, "denied access to %s@%s as %s",
122 ruser, rhost, luser);
125 if (!opt_silent || opt_debug)
126 pam_syslog(pamh, LOG_NOTICE, "allowed access to %s@%s as %s",
127 ruser, rhost, luser);
134 pam_sm_setcred (pam_handle_t *pamh UNUSED, int flags UNUSED,
135 int argc UNUSED, const char **argv UNUSED)
143 /* static module data */
145 struct pam_module _pam_rhosts_modstruct = {