diff options
| author | Steve Langasek <vorlon@debian.org> | 2009-08-24 03:06:11 -0700 |
|---|---|---|
| committer | Steve Langasek <vorlon@debian.org> | 2019-01-08 21:25:43 -0800 |
| commit | 78915f5a06936cc24cf7776c8b53d08b6ea3616c (patch) | |
| tree | 6325216d4660f2a33d2161d71302b8c3f47c76e5 /modules/pam_timestamp | |
| parent | fdd6439782a15a1abe342044e07e5f7501ae73de (diff) | |
| parent | 212b52cf29c06cc209bc8ac0540dbab1acdf1464 (diff) | |
| download | pam-78915f5a06936cc24cf7776c8b53d08b6ea3616c.tar.gz pam-78915f5a06936cc24cf7776c8b53d08b6ea3616c.tar.bz2 pam-78915f5a06936cc24cf7776c8b53d08b6ea3616c.zip | |
merge upstream version 1.1.0
Diffstat (limited to 'modules/pam_timestamp')
| -rw-r--r-- | modules/pam_timestamp/Makefile.am | 47 | ||||
| -rw-r--r-- | modules/pam_timestamp/Makefile.in | 806 | ||||
| -rw-r--r-- | modules/pam_timestamp/README | 49 | ||||
| -rw-r--r-- | modules/pam_timestamp/README.xml | 46 | ||||
| -rwxr-xr-x | modules/pam_timestamp/hmacfile | 130 | ||||
| -rw-r--r-- | modules/pam_timestamp/hmacfile.c | 159 | ||||
| -rw-r--r-- | modules/pam_timestamp/hmacsha1.c | 293 | ||||
| -rw-r--r-- | modules/pam_timestamp/hmacsha1.h | 15 | ||||
| -rw-r--r-- | modules/pam_timestamp/pam_timestamp.8 | 277 | ||||
| -rw-r--r-- | modules/pam_timestamp/pam_timestamp.8.xml | 189 | ||||
| -rw-r--r-- | modules/pam_timestamp/pam_timestamp.c | 831 | ||||
| -rw-r--r-- | modules/pam_timestamp/pam_timestamp_check.8 | 289 | ||||
| -rw-r--r-- | modules/pam_timestamp/pam_timestamp_check.8.xml | 208 | ||||
| -rw-r--r-- | modules/pam_timestamp/pam_timestamp_check.c | 42 | ||||
| -rw-r--r-- | modules/pam_timestamp/sha1.c | 254 | ||||
| -rw-r--r-- | modules/pam_timestamp/sha1.h | 60 | ||||
| -rwxr-xr-x | modules/pam_timestamp/tst-pam_timestamp | 2 |
17 files changed, 3697 insertions, 0 deletions
diff --git a/modules/pam_timestamp/Makefile.am b/modules/pam_timestamp/Makefile.am new file mode 100644 index 00000000..37cbabf9 --- /dev/null +++ b/modules/pam_timestamp/Makefile.am @@ -0,0 +1,47 @@ +# +# Copyright (c) 2005 Thorsten Kukuk <kukuk@suse.de> +# Copyright (c) 2005, 2008 Red Hat, Inc. +# + +CLEANFILES = *~ + +XMLS = README.xml pam_timestamp.8.xml pam_timestamp_check.8.xml +man_MANS = pam_timestamp.8 pam_timestamp_check.8 +TESTS = tst-pam_timestamp hmacfile + +EXTRA_DIST = $(man_MANS) $(XMLS) $(TESTS) + +securelibdir = $(SECUREDIR) +secureconfdir = $(SCONFIGDIR) + +noinst_HEADERS = hmacsha1.h sha1.h + +AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include + +pam_timestamp_la_LDFLAGS = -no-undefined -avoid-version -module $(AM_LDFLAGS) +pam_timestamp_la_LIBADD = -L$(top_builddir)/libpam -lpam +if HAVE_VERSIONING + pam_timestamp_la_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map +endif + +securelib_LTLIBRARIES = pam_timestamp.la +sbin_PROGRAMS = pam_timestamp_check + +pam_timestamp_la_SOURCES = pam_timestamp.c hmacsha1.c sha1.c +pam_timestamp_la_CFLAGS = $(AM_CFLAGS) + +pam_timestamp_check_SOURCES = pam_timestamp_check.c +pam_timestamp_check_CFLAGS = $(AM_CFLAGS) @PIE_CFLAGS@ +pam_timestamp_check_LDADD = -L$(top_builddir)/libpam -lpam +pam_timestamp_check_LDFLAGS = @PIE_LDFLAGS@ + +hmacfile_SOURCES = hmacfile.c hmacsha1.c sha1.c +hmacfile_LDADD = -L$(top_builddir)/libpam -lpam + +if ENABLE_REGENERATE_MAN +noinst_DATA = README +README: pam_timestamp.8.xml +-include $(top_srcdir)/Make.xml.rules +endif + +noinst_PROGRAMS = hmacfile diff --git a/modules/pam_timestamp/Makefile.in b/modules/pam_timestamp/Makefile.in new file mode 100644 index 00000000..221a34d5 --- /dev/null +++ b/modules/pam_timestamp/Makefile.in @@ -0,0 +1,806 @@ +# Makefile.in generated by automake 1.10.2 from Makefile.am. +# @configure_input@ + +# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, +# 2003, 2004, 2005, 2006, 2007, 2008 Free Software Foundation, Inc. +# This Makefile.in is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY, to the extent permitted by law; without +# even the implied warranty of MERCHANTABILITY or FITNESS FOR A +# PARTICULAR PURPOSE. + +@SET_MAKE@ + +# +# Copyright (c) 2005 Thorsten Kukuk <kukuk@suse.de> +# Copyright (c) 2005, 2008 Red Hat, Inc. +# + + + + +VPATH = @srcdir@ +pkgdatadir = $(datadir)/@PACKAGE@ +pkglibdir = $(libdir)/@PACKAGE@ +pkgincludedir = $(includedir)/@PACKAGE@ +am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd +install_sh_DATA = $(install_sh) -c -m 644 +install_sh_PROGRAM = $(install_sh) -c +install_sh_SCRIPT = $(install_sh) -c +INSTALL_HEADER = $(INSTALL_DATA) +transform = $(program_transform_name) +NORMAL_INSTALL = : +PRE_INSTALL = : +POST_INSTALL = : +NORMAL_UNINSTALL = : +PRE_UNINSTALL = : +POST_UNINSTALL = : +build_triplet = @build@ +host_triplet = @host@ +TESTS = tst-pam_timestamp hmacfile$(EXEEXT) +@HAVE_VERSIONING_TRUE@am__append_1 = -Wl,--version-script=$(srcdir)/../modules.map +sbin_PROGRAMS = pam_timestamp_check$(EXEEXT) +noinst_PROGRAMS = hmacfile$(EXEEXT) +subdir = modules/pam_timestamp +DIST_COMMON = README $(noinst_HEADERS) $(srcdir)/Makefile.am \ + $(srcdir)/Makefile.in +ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 +am__aclocal_m4_deps = $(top_srcdir)/m4/gettext.m4 \ + $(top_srcdir)/m4/iconv.m4 $(top_srcdir)/m4/intlmacosx.m4 \ + $(top_srcdir)/m4/japhar_grep_cflags.m4 \ + $(top_srcdir)/m4/jh_path_xml_catalog.m4 \ + $(top_srcdir)/m4/ld-O1.m4 $(top_srcdir)/m4/ld-as-needed.m4 \ + $(top_srcdir)/m4/lib-ld.m4 $(top_srcdir)/m4/lib-link.m4 \ + $(top_srcdir)/m4/lib-prefix.m4 $(top_srcdir)/m4/libprelude.m4 \ + $(top_srcdir)/m4/libtool.m4 $(top_srcdir)/m4/ltoptions.m4 \ + $(top_srcdir)/m4/ltsugar.m4 $(top_srcdir)/m4/ltversion.m4 \ + $(top_srcdir)/m4/lt~obsolete.m4 $(top_srcdir)/m4/nls.m4 \ + $(top_srcdir)/m4/po.m4 $(top_srcdir)/m4/progtest.m4 \ + $(top_srcdir)/configure.in +am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ + $(ACLOCAL_M4) +mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs +CONFIG_HEADER = $(top_builddir)/config.h +CONFIG_CLEAN_FILES = +am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; +am__vpath_adj = case $$p in \ + $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ + *) f=$$p;; \ + esac; +am__strip_dir = `echo $$p | sed -e 's|^.*/||'`; +am__installdirs = "$(DESTDIR)$(securelibdir)" "$(DESTDIR)$(sbindir)" \ + "$(DESTDIR)$(man8dir)" +securelibLTLIBRARIES_INSTALL = $(INSTALL) +LTLIBRARIES = $(securelib_LTLIBRARIES) +pam_timestamp_la_DEPENDENCIES = +am_pam_timestamp_la_OBJECTS = pam_timestamp_la-pam_timestamp.lo \ + pam_timestamp_la-hmacsha1.lo pam_timestamp_la-sha1.lo +pam_timestamp_la_OBJECTS = $(am_pam_timestamp_la_OBJECTS) +pam_timestamp_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=link $(CCLD) $(pam_timestamp_la_CFLAGS) \ + $(CFLAGS) $(pam_timestamp_la_LDFLAGS) $(LDFLAGS) -o $@ +sbinPROGRAMS_INSTALL = $(INSTALL_PROGRAM) +PROGRAMS = $(noinst_PROGRAMS) $(sbin_PROGRAMS) +am_hmacfile_OBJECTS = hmacfile.$(OBJEXT) hmacsha1.$(OBJEXT) \ + sha1.$(OBJEXT) +hmacfile_OBJECTS = $(am_hmacfile_OBJECTS) +hmacfile_DEPENDENCIES = +am_pam_timestamp_check_OBJECTS = \ + pam_timestamp_check-pam_timestamp_check.$(OBJEXT) +pam_timestamp_check_OBJECTS = $(am_pam_timestamp_check_OBJECTS) +pam_timestamp_check_DEPENDENCIES = +pam_timestamp_check_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=link $(CCLD) \ + $(pam_timestamp_check_CFLAGS) $(CFLAGS) \ + $(pam_timestamp_check_LDFLAGS) $(LDFLAGS) -o $@ +DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir) +depcomp = $(SHELL) $(top_srcdir)/depcomp +am__depfiles_maybe = depfiles +COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ + $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \ + $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +CCLD = $(CC) +LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \ + $(LDFLAGS) -o $@ +SOURCES = $(pam_timestamp_la_SOURCES) $(hmacfile_SOURCES) \ + $(pam_timestamp_check_SOURCES) +DIST_SOURCES = $(pam_timestamp_la_SOURCES) $(hmacfile_SOURCES) \ + $(pam_timestamp_check_SOURCES) +man8dir = $(mandir)/man8 +NROFF = nroff +MANS = $(man_MANS) +DATA = $(noinst_DATA) +HEADERS = $(noinst_HEADERS) +ETAGS = etags +CTAGS = ctags +DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) +ACLOCAL = @ACLOCAL@ +AMTAR = @AMTAR@ +AR = @AR@ +AUTOCONF = @AUTOCONF@ +AUTOHEADER = @AUTOHEADER@ +AUTOMAKE = @AUTOMAKE@ +AWK = @AWK@ +BROWSER = @BROWSER@ +CC = @CC@ +CCDEPMODE = @CCDEPMODE@ +CFLAGS = @CFLAGS@ +CPP = @CPP@ +CPPFLAGS = @CPPFLAGS@ +CYGPATH_W = @CYGPATH_W@ +DEFS = @DEFS@ +DEPDIR = @DEPDIR@ +DSYMUTIL = @DSYMUTIL@ +DUMPBIN = @DUMPBIN@ +ECHO_C = @ECHO_C@ +ECHO_N = @ECHO_N@ +ECHO_T = @ECHO_T@ +EGREP = @EGREP@ +EXEEXT = @EXEEXT@ +FGREP = @FGREP@ +FO2PDF = @FO2PDF@ +GETTEXT_MACRO_VERSION = @GETTEXT_MACRO_VERSION@ +GMSGFMT = @GMSGFMT@ +GMSGFMT_015 = @GMSGFMT_015@ +GREP = @GREP@ +HAVE_KEY_MANAGEMENT = @HAVE_KEY_MANAGEMENT@ +INSTALL = @INSTALL@ +INSTALL_DATA = @INSTALL_DATA@ +INSTALL_PROGRAM = @INSTALL_PROGRAM@ +INSTALL_SCRIPT = @INSTALL_SCRIPT@ +INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ +INTLLIBS = @INTLLIBS@ +INTL_MACOSX_LIBS = @INTL_MACOSX_LIBS@ +LD = @LD@ +LDFLAGS = @LDFLAGS@ +LEX = @LEX@ +LEXLIB = @LEXLIB@ +LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ +LIBAUDIT = @LIBAUDIT@ +LIBCRACK = @LIBCRACK@ +LIBCRYPT = @LIBCRYPT@ +LIBDB = @LIBDB@ +LIBDL = @LIBDL@ +LIBICONV = @LIBICONV@ +LIBINTL = @LIBINTL@ +LIBNSL = @LIBNSL@ +LIBOBJS = @LIBOBJS@ +LIBPRELUDE_CFLAGS = @LIBPRELUDE_CFLAGS@ +LIBPRELUDE_CONFIG = @LIBPRELUDE_CONFIG@ +LIBPRELUDE_CONFIG_PREFIX = @LIBPRELUDE_CONFIG_PREFIX@ +LIBPRELUDE_LDFLAGS = @LIBPRELUDE_LDFLAGS@ +LIBPRELUDE_LIBS = @LIBPRELUDE_LIBS@ +LIBPRELUDE_PREFIX = @LIBPRELUDE_PREFIX@ +LIBPRELUDE_PTHREAD_CFLAGS = @LIBPRELUDE_PTHREAD_CFLAGS@ +LIBS = @LIBS@ +LIBSELINUX = @LIBSELINUX@ +LIBTOOL = @LIBTOOL@ +LIPO = @LIPO@ +LN_S = @LN_S@ +LTLIBICONV = @LTLIBICONV@ +LTLIBINTL = @LTLIBINTL@ +LTLIBOBJS = @LTLIBOBJS@ +MAKEINFO = @MAKEINFO@ +MKDIR_P = @MKDIR_P@ +MSGFMT = @MSGFMT@ +MSGFMT_015 = @MSGFMT_015@ +MSGMERGE = @MSGMERGE@ +NM = @NM@ +NMEDIT = @NMEDIT@ +OBJDUMP = @OBJDUMP@ +OBJEXT = @OBJEXT@ +OTOOL = @OTOOL@ +OTOOL64 = @OTOOL64@ +PACKAGE = @PACKAGE@ +PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ +PACKAGE_NAME = @PACKAGE_NAME@ +PACKAGE_STRING = @PACKAGE_STRING@ +PACKAGE_TARNAME = @PACKAGE_TARNAME@ +PACKAGE_VERSION = @PACKAGE_VERSION@ +PATH_SEPARATOR = @PATH_SEPARATOR@ +PIE_CFLAGS = @PIE_CFLAGS@ +PIE_LDFLAGS = @PIE_LDFLAGS@ +POSUB = @POSUB@ +RANLIB = @RANLIB@ +SCONFIGDIR = @SCONFIGDIR@ +SECUREDIR = @SECUREDIR@ +SED = @SED@ +SET_MAKE = @SET_MAKE@ +SHELL = @SHELL@ +STRIP = @STRIP@ +USE_NLS = @USE_NLS@ +VERSION = @VERSION@ +XGETTEXT = @XGETTEXT@ +XGETTEXT_015 = @XGETTEXT_015@ +XGETTEXT_EXTRA_OPTIONS = @XGETTEXT_EXTRA_OPTIONS@ +XMLCATALOG = @XMLCATALOG@ +XMLLINT = @XMLLINT@ +XML_CATALOG_FILE = @XML_CATALOG_FILE@ +XSLTPROC = @XSLTPROC@ +YACC = @YACC@ +YFLAGS = @YFLAGS@ +abs_builddir = @abs_builddir@ +abs_srcdir = @abs_srcdir@ +abs_top_builddir = @abs_top_builddir@ +abs_top_srcdir = @abs_top_srcdir@ +ac_ct_CC = @ac_ct_CC@ +ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ +am__include = @am__include@ +am__leading_dot = @am__leading_dot@ +am__quote = @am__quote@ +am__tar = @am__tar@ +am__untar = @am__untar@ +bindir = @bindir@ +build = @build@ +build_alias = @build_alias@ +build_cpu = @build_cpu@ +build_os = @build_os@ +build_vendor = @build_vendor@ +builddir = @builddir@ +datadir = @datadir@ +datarootdir = @datarootdir@ +docdir = @docdir@ +dvidir = @dvidir@ +exec_prefix = @exec_prefix@ +host = @host@ +host_alias = @host_alias@ +host_cpu = @host_cpu@ +host_os = @host_os@ +host_vendor = @host_vendor@ +htmldir = @htmldir@ +includedir = @includedir@ +infodir = @infodir@ +install_sh = @install_sh@ +libc_cv_fpie = @libc_cv_fpie@ +libdir = @libdir@ +libexecdir = @libexecdir@ +localedir = @localedir@ +localstatedir = @localstatedir@ +lt_ECHO = @lt_ECHO@ +mandir = @mandir@ +mkdir_p = @mkdir_p@ +oldincludedir = @oldincludedir@ +pam_cv_ld_as_needed = @pam_cv_ld_as_needed@ +pam_xauth_path = @pam_xauth_path@ +pdfdir = @pdfdir@ +prefix = @prefix@ +program_transform_name = @program_transform_name@ +psdir = @psdir@ +sbindir = @sbindir@ +sharedstatedir = @sharedstatedir@ +srcdir = @srcdir@ +sysconfdir = @sysconfdir@ +target_alias = @target_alias@ +top_build_prefix = @top_build_prefix@ +top_builddir = @top_builddir@ +top_srcdir = @top_srcdir@ +CLEANFILES = *~ +XMLS = README.xml pam_timestamp.8.xml pam_timestamp_check.8.xml +man_MANS = pam_timestamp.8 pam_timestamp_check.8 +EXTRA_DIST = $(man_MANS) $(XMLS) $(TESTS) +securelibdir = $(SECUREDIR) +secureconfdir = $(SCONFIGDIR) +noinst_HEADERS = hmacsha1.h sha1.h +AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include +pam_timestamp_la_LDFLAGS = -no-undefined -avoid-version -module \ + $(AM_LDFLAGS) $(am__append_1) +pam_timestamp_la_LIBADD = -L$(top_builddir)/libpam -lpam +securelib_LTLIBRARIES = pam_timestamp.la +pam_timestamp_la_SOURCES = pam_timestamp.c hmacsha1.c sha1.c +pam_timestamp_la_CFLAGS = $(AM_CFLAGS) +pam_timestamp_check_SOURCES = pam_timestamp_check.c +pam_timestamp_check_CFLAGS = $(AM_CFLAGS) @PIE_CFLAGS@ +pam_timestamp_check_LDADD = -L$(top_builddir)/libpam -lpam +pam_timestamp_check_LDFLAGS = @PIE_LDFLAGS@ +hmacfile_SOURCES = hmacfile.c hmacsha1.c sha1.c +hmacfile_LDADD = -L$(top_builddir)/libpam -lpam +@ENABLE_REGENERATE_MAN_TRUE@noinst_DATA = README +all: all-am + +.SUFFIXES: +.SUFFIXES: .c .lo .o .obj +$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) + @for dep in $?; do \ + case '$(am__configure_deps)' in \ + *$$dep*) \ + ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \ + && { if test -f $@; then exit 0; else break; fi; }; \ + exit 1;; \ + esac; \ + done; \ + echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu modules/pam_timestamp/Makefile'; \ + cd $(top_srcdir) && \ + $(AUTOMAKE) --gnu modules/pam_timestamp/Makefile +.PRECIOUS: Makefile +Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status + @case '$?' in \ + *config.status*) \ + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ + *) \ + echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ + esac; + +$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh + +$(top_srcdir)/configure: $(am__configure_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(ACLOCAL_M4): $(am__aclocal_m4_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +install-securelibLTLIBRARIES: $(securelib_LTLIBRARIES) + @$(NORMAL_INSTALL) + test -z "$(securelibdir)" || $(MKDIR_P) "$(DESTDIR)$(securelibdir)" + @list='$(securelib_LTLIBRARIES)'; for p in $$list; do \ + if test -f $$p; then \ + f=$(am__strip_dir) \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(securelibLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) '$$p' '$(DESTDIR)$(securelibdir)/$$f'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(securelibLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) "$$p" "$(DESTDIR)$(securelibdir)/$$f"; \ + else :; fi; \ + done + +uninstall-securelibLTLIBRARIES: + @$(NORMAL_UNINSTALL) + @list='$(securelib_LTLIBRARIES)'; for p in $$list; do \ + p=$(am__strip_dir) \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(securelibdir)/$$p'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(securelibdir)/$$p"; \ + done + +clean-securelibLTLIBRARIES: + -test -z "$(securelib_LTLIBRARIES)" || rm -f $(securelib_LTLIBRARIES) + @list='$(securelib_LTLIBRARIES)'; for p in $$list; do \ + dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \ + test "$$dir" != "$$p" || dir=.; \ + echo "rm -f \"$${dir}/so_locations\""; \ + rm -f "$${dir}/so_locations"; \ + done +pam_timestamp.la: $(pam_timestamp_la_OBJECTS) $(pam_timestamp_la_DEPENDENCIES) + $(pam_timestamp_la_LINK) -rpath $(securelibdir) $(pam_timestamp_la_OBJECTS) $(pam_timestamp_la_LIBADD) $(LIBS) + +clean-noinstPROGRAMS: + @list='$(noinst_PROGRAMS)'; for p in $$list; do \ + f=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ + echo " rm -f $$p $$f"; \ + rm -f $$p $$f ; \ + done +install-sbinPROGRAMS: $(sbin_PROGRAMS) + @$(NORMAL_INSTALL) + test -z "$(sbindir)" || $(MKDIR_P) "$(DESTDIR)$(sbindir)" + @list='$(sbin_PROGRAMS)'; for p in $$list; do \ + p1=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ + if test -f $$p \ + || test -f $$p1 \ + ; then \ + f=`echo "$$p1" | sed 's,^.*/,,;$(transform);s/$$/$(EXEEXT)/'`; \ + echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(sbinPROGRAMS_INSTALL) '$$p' '$(DESTDIR)$(sbindir)/$$f'"; \ + $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(sbinPROGRAMS_INSTALL) "$$p" "$(DESTDIR)$(sbindir)/$$f" || exit 1; \ + else :; fi; \ + done + +uninstall-sbinPROGRAMS: + @$(NORMAL_UNINSTALL) + @list='$(sbin_PROGRAMS)'; for p in $$list; do \ + f=`echo "$$p" | sed 's,^.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/'`; \ + echo " rm -f '$(DESTDIR)$(sbindir)/$$f'"; \ + rm -f "$(DESTDIR)$(sbindir)/$$f"; \ + done + +clean-sbinPROGRAMS: + @list='$(sbin_PROGRAMS)'; for p in $$list; do \ + f=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ + echo " rm -f $$p $$f"; \ + rm -f $$p $$f ; \ + done +hmacfile$(EXEEXT): $(hmacfile_OBJECTS) $(hmacfile_DEPENDENCIES) + @rm -f hmacfile$(EXEEXT) + $(LINK) $(hmacfile_OBJECTS) $(hmacfile_LDADD) $(LIBS) +pam_timestamp_check$(EXEEXT): $(pam_timestamp_check_OBJECTS) $(pam_timestamp_check_DEPENDENCIES) + @rm -f pam_timestamp_check$(EXEEXT) + $(pam_timestamp_check_LINK) $(pam_timestamp_check_OBJECTS) $(pam_timestamp_check_LDADD) $(LIBS) + +mostlyclean-compile: + -rm -f *.$(OBJEXT) + +distclean-compile: + -rm -f *.tab.c + +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/hmacfile.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/hmacsha1.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_timestamp_check-pam_timestamp_check.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_timestamp_la-hmacsha1.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_timestamp_la-pam_timestamp.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_timestamp_la-sha1.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sha1.Po@am__quote@ + +.c.o: +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< +@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(COMPILE) -c $< + +.c.obj: +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'` +@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(COMPILE) -c `$(CYGPATH_W) '$<'` + +.c.lo: +@am__fastdepCC_TRUE@ $(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< +@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(LTCOMPILE) -c -o $@ $< + +pam_timestamp_la-pam_timestamp.lo: pam_timestamp.c +@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_timestamp_la_CFLAGS) $(CFLAGS) -MT pam_timestamp_la-pam_timestamp.lo -MD -MP -MF $(DEPDIR)/pam_timestamp_la-pam_timestamp.Tpo -c -o pam_timestamp_la-pam_timestamp.lo `test -f 'pam_timestamp.c' || echo '$(srcdir)/'`pam_timestamp.c +@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/pam_timestamp_la-pam_timestamp.Tpo $(DEPDIR)/pam_timestamp_la-pam_timestamp.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='pam_timestamp.c' object='pam_timestamp_la-pam_timestamp.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_timestamp_la_CFLAGS) $(CFLAGS) -c -o pam_timestamp_la-pam_timestamp.lo `test -f 'pam_timestamp.c' || echo '$(srcdir)/'`pam_timestamp.c + +pam_timestamp_la-hmacsha1.lo: hmacsha1.c +@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_timestamp_la_CFLAGS) $(CFLAGS) -MT pam_timestamp_la-hmacsha1.lo -MD -MP -MF $(DEPDIR)/pam_timestamp_la-hmacsha1.Tpo -c -o pam_timestamp_la-hmacsha1.lo `test -f 'hmacsha1.c' || echo '$(srcdir)/'`hmacsha1.c +@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/pam_timestamp_la-hmacsha1.Tpo $(DEPDIR)/pam_timestamp_la-hmacsha1.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='hmacsha1.c' object='pam_timestamp_la-hmacsha1.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_timestamp_la_CFLAGS) $(CFLAGS) -c -o pam_timestamp_la-hmacsha1.lo `test -f 'hmacsha1.c' || echo '$(srcdir)/'`hmacsha1.c + +pam_timestamp_la-sha1.lo: sha1.c +@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_timestamp_la_CFLAGS) $(CFLAGS) -MT pam_timestamp_la-sha1.lo -MD -MP -MF $(DEPDIR)/pam_timestamp_la-sha1.Tpo -c -o pam_timestamp_la-sha1.lo `test -f 'sha1.c' || echo '$(srcdir)/'`sha1.c +@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/pam_timestamp_la-sha1.Tpo $(DEPDIR)/pam_timestamp_la-sha1.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='sha1.c' object='pam_timestamp_la-sha1.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_timestamp_la_CFLAGS) $(CFLAGS) -c -o pam_timestamp_la-sha1.lo `test -f 'sha1.c' || echo '$(srcdir)/'`sha1.c + +pam_timestamp_check-pam_timestamp_check.o: pam_timestamp_check.c +@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_timestamp_check_CFLAGS) $(CFLAGS) -MT pam_timestamp_check-pam_timestamp_check.o -MD -MP -MF $(DEPDIR)/pam_timestamp_check-pam_timestamp_check.Tpo -c -o pam_timestamp_check-pam_timestamp_check.o `test -f 'pam_timestamp_check.c' || echo '$(srcdir)/'`pam_timestamp_check.c +@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/pam_timestamp_check-pam_timestamp_check.Tpo $(DEPDIR)/pam_timestamp_check-pam_timestamp_check.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='pam_timestamp_check.c' object='pam_timestamp_check-pam_timestamp_check.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_timestamp_check_CFLAGS) $(CFLAGS) -c -o pam_timestamp_check-pam_timestamp_check.o `test -f 'pam_timestamp_check.c' || echo '$(srcdir)/'`pam_timestamp_check.c + +pam_timestamp_check-pam_timestamp_check.obj: pam_timestamp_check.c +@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_timestamp_check_CFLAGS) $(CFLAGS) -MT pam_timestamp_check-pam_timestamp_check.obj -MD -MP -MF $(DEPDIR)/pam_timestamp_check-pam_timestamp_check.Tpo -c -o pam_timestamp_check-pam_timestamp_check.obj `if test -f 'pam_timestamp_check.c'; then $(CYGPATH_W) 'pam_timestamp_check.c'; else $(CYGPATH_W) '$(srcdir)/pam_timestamp_check.c'; fi` +@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/pam_timestamp_check-pam_timestamp_check.Tpo $(DEPDIR)/pam_timestamp_check-pam_timestamp_check.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='pam_timestamp_check.c' object='pam_timestamp_check-pam_timestamp_check.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(pam_timestamp_check_CFLAGS) $(CFLAGS) -c -o pam_timestamp_check-pam_timestamp_check.obj `if test -f 'pam_timestamp_check.c'; then $(CYGPATH_W) 'pam_timestamp_check.c'; else $(CYGPATH_W) '$(srcdir)/pam_timestamp_check.c'; fi` + +mostlyclean-libtool: + -rm -f *.lo + +clean-libtool: + -rm -rf .libs _libs +install-man8: $(man8_MANS) $(man_MANS) + @$(NORMAL_INSTALL) + test -z "$(man8dir)" || $(MKDIR_P) "$(DESTDIR)$(man8dir)" + @list='$(man8_MANS) $(dist_man8_MANS) $(nodist_man8_MANS)'; \ + l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ + for i in $$l2; do \ + case "$$i" in \ + *.8*) list="$$list $$i" ;; \ + esac; \ + done; \ + for i in $$list; do \ + if test -f $$i; then file=$$i; \ + else file=$(srcdir)/$$i; fi; \ + ext=`echo $$i | sed -e 's/^.*\\.//'`; \ + case "$$ext" in \ + 8*) ;; \ + *) ext='8' ;; \ + esac; \ + inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ + inst=`echo $$inst | sed -e 's/^.*\///'`; \ + inst=`echo $$inst | sed '$(transform)'`.$$ext; \ + echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man8dir)/$$inst'"; \ + $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man8dir)/$$inst"; \ + done +uninstall-man8: + @$(NORMAL_UNINSTALL) + @list='$(man8_MANS) $(dist_man8_MANS) $(nodist_man8_MANS)'; \ + l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ + for i in $$l2; do \ + case "$$i" in \ + *.8*) list="$$list $$i" ;; \ + esac; \ + done; \ + for i in $$list; do \ + ext=`echo $$i | sed -e 's/^.*\\.//'`; \ + case "$$ext" in \ + 8*) ;; \ + *) ext='8' ;; \ + esac; \ + inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ + inst=`echo $$inst | sed -e 's/^.*\///'`; \ + inst=`echo $$inst | sed '$(transform)'`.$$ext; \ + echo " rm -f '$(DESTDIR)$(man8dir)/$$inst'"; \ + rm -f "$(DESTDIR)$(man8dir)/$$inst"; \ + done + +ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + mkid -fID $$unique +tags: TAGS + +TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + tags=; \ + here=`pwd`; \ + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \ + test -n "$$unique" || unique=$$empty_fix; \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + $$tags $$unique; \ + fi +ctags: CTAGS +CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + tags=; \ + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + test -z "$(CTAGS_ARGS)$$tags$$unique" \ + || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ + $$tags $$unique + +GTAGS: + here=`$(am__cd) $(top_builddir) && pwd` \ + && cd $(top_srcdir) \ + && gtags -i $(GTAGS_ARGS) $$here + +distclean-tags: + -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags + +check-TESTS: $(TESTS) + @failed=0; all=0; xfail=0; xpass=0; skip=0; \ + srcdir=$(srcdir); export srcdir; \ + list=' $(TESTS) '; \ + if test -n "$$list"; then \ + for tst in $$list; do \ + if test -f ./$$tst; then dir=./; \ + elif test -f $$tst; then dir=; \ + else dir="$(srcdir)/"; fi; \ + if $(TESTS_ENVIRONMENT) $${dir}$$tst; then \ + all=`expr $$all + 1`; \ + case " $(XFAIL_TESTS) " in \ + *[\ \ ]$$tst[\ \ ]*) \ + xpass=`expr $$xpass + 1`; \ + failed=`expr $$failed + 1`; \ + echo "XPASS: $$tst"; \ + ;; \ + *) \ + echo "PASS: $$tst"; \ + ;; \ + esac; \ + elif test $$? -ne 77; then \ + all=`expr $$all + 1`; \ + case " $(XFAIL_TESTS) " in \ + *[\ \ ]$$tst[\ \ ]*) \ + xfail=`expr $$xfail + 1`; \ + echo "XFAIL: $$tst"; \ + ;; \ + *) \ + failed=`expr $$failed + 1`; \ + echo "FAIL: $$tst"; \ + ;; \ + esac; \ + else \ + skip=`expr $$skip + 1`; \ + echo "SKIP: $$tst"; \ + fi; \ + done; \ + if test "$$all" -eq 1; then \ + tests="test"; \ + All=""; \ + else \ + tests="tests"; \ + All="All "; \ + fi; \ + if test "$$failed" -eq 0; then \ + if test "$$xfail" -eq 0; then \ + banner="$$All$$all $$tests passed"; \ + else \ + if test "$$xfail" -eq 1; then failures=failure; else failures=failures; fi; \ + banner="$$All$$all $$tests behaved as expected ($$xfail expected $$failures)"; \ + fi; \ + else \ + if test "$$xpass" -eq 0; then \ + banner="$$failed of $$all $$tests failed"; \ + else \ + if test "$$xpass" -eq 1; then passes=pass; else passes=passes; fi; \ + banner="$$failed of $$all $$tests did not behave as expected ($$xpass unexpected $$passes)"; \ + fi; \ + fi; \ + dashes="$$banner"; \ + skipped=""; \ + if test "$$skip" -ne 0; then \ + if test "$$skip" -eq 1; then \ + skipped="($$skip test was not run)"; \ + else \ + skipped="($$skip tests were not run)"; \ + fi; \ + test `echo "$$skipped" | wc -c` -le `echo "$$banner" | wc -c` || \ + dashes="$$skipped"; \ + fi; \ + report=""; \ + if test "$$failed" -ne 0 && test -n "$(PACKAGE_BUGREPORT)"; then \ + report="Please report to $(PACKAGE_BUGREPORT)"; \ + test `echo "$$report" | wc -c` -le `echo "$$banner" | wc -c` || \ + dashes="$$report"; \ + fi; \ + dashes=`echo "$$dashes" | sed s/./=/g`; \ + echo "$$dashes"; \ + echo "$$banner"; \ + test -z "$$skipped" || echo "$$skipped"; \ + test -z "$$report" || echo "$$report"; \ + echo "$$dashes"; \ + test "$$failed" -eq 0; \ + else :; fi + +distdir: $(DISTFILES) + @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + list='$(DISTFILES)'; \ + dist_files=`for file in $$list; do echo $$file; done | \ + sed -e "s|^$$srcdirstrip/||;t" \ + -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ + case $$dist_files in \ + */*) $(MKDIR_P) `echo "$$dist_files" | \ + sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ + sort -u` ;; \ + esac; \ + for file in $$dist_files; do \ + if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ + if test -d $$d/$$file; then \ + dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ + if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ + cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \ + fi; \ + cp -pR $$d/$$file $(distdir)$$dir || exit 1; \ + else \ + test -f $(distdir)/$$file \ + || cp -p $$d/$$file $(distdir)/$$file \ + || exit 1; \ + fi; \ + done +check-am: all-am + $(MAKE) $(AM_MAKEFLAGS) check-TESTS +check: check-am +all-am: Makefile $(LTLIBRARIES) $(PROGRAMS) $(MANS) $(DATA) $(HEADERS) +installdirs: + for dir in "$(DESTDIR)$(securelibdir)" "$(DESTDIR)$(sbindir)" "$(DESTDIR)$(man8dir)"; do \ + test -z "$$dir" || $(MKDIR_P) "$$dir"; \ + done +install: install-am +install-exec: install-exec-am +install-data: install-data-am +uninstall: uninstall-am + +install-am: all-am + @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am + +installcheck: installcheck-am +install-strip: + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + `test -z '$(STRIP)' || \ + echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install +mostlyclean-generic: + +clean-generic: + -test -z "$(CLEANFILES)" || rm -f $(CLEANFILES) + +distclean-generic: + -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) + +maintainer-clean-generic: + @echo "This command is intended for maintainers to use" + @echo "it deletes files that may require special tools to rebuild." +clean: clean-am + +clean-am: clean-generic clean-libtool clean-noinstPROGRAMS \ + clean-sbinPROGRAMS clean-securelibLTLIBRARIES mostlyclean-am + +distclean: distclean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +distclean-am: clean-am distclean-compile distclean-generic \ + distclean-tags + +dvi: dvi-am + +dvi-am: + +html: html-am + +info: info-am + +info-am: + +install-data-am: install-man install-securelibLTLIBRARIES + +install-dvi: install-dvi-am + +install-exec-am: install-sbinPROGRAMS + +install-html: install-html-am + +install-info: install-info-am + +install-man: install-man8 + +install-pdf: install-pdf-am + +install-ps: install-ps-am + +installcheck-am: + +maintainer-clean: maintainer-clean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +maintainer-clean-am: distclean-am maintainer-clean-generic + +mostlyclean: mostlyclean-am + +mostlyclean-am: mostlyclean-compile mostlyclean-generic \ + mostlyclean-libtool + +pdf: pdf-am + +pdf-am: + +ps: ps-am + +ps-am: + +uninstall-am: uninstall-man uninstall-sbinPROGRAMS \ + uninstall-securelibLTLIBRARIES + +uninstall-man: uninstall-man8 + +.MAKE: install-am install-strip + +.PHONY: CTAGS GTAGS all all-am check check-TESTS check-am clean \ + clean-generic clean-libtool clean-noinstPROGRAMS \ + clean-sbinPROGRAMS clean-securelibLTLIBRARIES ctags distclean \ + distclean-compile distclean-generic distclean-libtool \ + distclean-tags distdir dvi dvi-am html html-am info info-am \ + install install-am install-data install-data-am install-dvi \ + install-dvi-am install-exec install-exec-am install-html \ + install-html-am install-info install-info-am install-man \ + install-man8 install-pdf install-pdf-am install-ps \ + install-ps-am install-sbinPROGRAMS \ + install-securelibLTLIBRARIES install-strip installcheck \ + installcheck-am installdirs maintainer-clean \ + maintainer-clean-generic mostlyclean mostlyclean-compile \ + mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \ + tags uninstall uninstall-am uninstall-man uninstall-man8 \ + uninstall-sbinPROGRAMS uninstall-securelibLTLIBRARIES + +@ENABLE_REGENERATE_MAN_TRUE@README: pam_timestamp.8.xml +@ENABLE_REGENERATE_MAN_TRUE@-include $(top_srcdir)/Make.xml.rules +# Tell versions [3.59,3.63) of GNU make to not export all variables. +# Otherwise a system limit (for SysV at least) may be exceeded. +.NOEXPORT: diff --git a/modules/pam_timestamp/README b/modules/pam_timestamp/README new file mode 100644 index 00000000..17b96437 --- /dev/null +++ b/modules/pam_timestamp/README @@ -0,0 +1,49 @@ +pam_timestamp — Authenticate using cached successful authentication attempts + +━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ + +DESCRIPTION + +In a nutshell, pam_timestamp caches successful authentication attempts, and +allows you to use a recent successful attempt as the basis for authentication. +This is similar mechanism which is used in sudo. + +When an application opens a session using pam_timestamp, a timestamp file is +created in the timestampdir directory for the user. When an application +attempts to authenticate the user, a pam_timestamp will treat a sufficiently +recent timestamp file as grounds for succeeding. + +OPTIONS + +timestamp_timeout=number + + How long should pam_timestamp treat timestamp as valid after their last + modification date (in seconds). Default is 300 seconds. + +verbose + + Attempt to inform the user when access is granted. + +debug + + Turns on debugging messages sent to syslog(3). + +NOTES + +Users can get confused when they are not always asked for passwords when +running a given program. Some users reflexively begin typing information before +noticing that it is not being asked for. + +EXAMPLES + +auth sufficient pam_timestamp.so verbose +auth required pam_unix.so + +session required pam_unix.so +session optional pam_timestamp.so + + +AUTHOR + +pam_tally was written by Nalin Dahyabhai. + diff --git a/modules/pam_timestamp/README.xml b/modules/pam_timestamp/README.xml new file mode 100644 index 00000000..5b72deb1 --- /dev/null +++ b/modules/pam_timestamp/README.xml @@ -0,0 +1,46 @@ +<?xml version="1.0" encoding='UTF-8'?> +<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" +"http://www.docbook.org/xml/4.3/docbookx.dtd" +[ +<!-- +<!ENTITY pamaccess SYSTEM "pam_timestamp.8.xml"> +--> +]> + +<article> + + <articleinfo> + + <title> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_timestamp.8.xml" xpointer='xpointer(//refnamediv[@id = "pam_timestamp-name"]/*)'/> + </title> + + </articleinfo> + + <section> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_timestamp.8.xml" xpointer='xpointer(//refsect1[@id = "pam_timestamp-description"]/*)'/> + </section> + + <section> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_timestamp.8.xml" xpointer='xpointer(//refsect1[@id = "pam_timestamp-options"]/*)'/> + </section> + + <section> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_timestamp.8.xml" xpointer='xpointer(//refsect1[@id = "pam_timestamp-notes"]/*)'/> + </section> + + <section> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_timestamp.8.xml" xpointer='xpointer(//refsect1[@id = "pam_timestamp-examples"]/*)'/> + </section> + + <section> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_timestamp.8.xml" xpointer='xpointer(//refsect1[@id = "pam_timestamp-author"]/*)'/> + </section> + +</article> diff --git a/modules/pam_timestamp/hmacfile b/modules/pam_timestamp/hmacfile new file mode 100755 index 00000000..89e2a4b6 --- /dev/null +++ b/modules/pam_timestamp/hmacfile @@ -0,0 +1,130 @@ +#! /bin/sh + +# hmacfile - temporary wrapper script for .libs/hmacfile +# Generated by ltmain.sh (GNU libtool) 2.2.6 +# +# The hmacfile program cannot be directly executed until all the libtool +# libraries that it depends on are installed. +# +# This wrapper script should never be moved out of the build directory. +# If it is, it will not operate correctly. + +# Sed substitution that helps us do robust quoting. It backslashifies +# metacharacters that are still active within double-quoted strings. +Xsed='/bin/sed -e 1s/^X//' +sed_quote_subst='s/\([`"$\\]\)/\\\1/g' + +# Be Bourne compatible +if test -n "${ZSH_VERSION+set}" && (emulate sh) >/dev/null 2>&1; then + emulate sh + NULLCMD=: + # Zsh 3.x and 4.x performs word splitting on ${1+"$@"}, which + # is contrary to our usage. Disable this feature. + alias -g '${1+"$@"}'='"$@"' + setopt NO_GLOB_SUBST +else + case `(set -o) 2>/dev/null` in *posix*) set -o posix;; esac +fi +BIN_SH=xpg4; export BIN_SH # for Tru64 +DUALCASE=1; export DUALCASE # for MKS sh + +# The HP-UX ksh and POSIX shell print the target directory to stdout +# if CDPATH is set. +(unset CDPATH) >/dev/null 2>&1 && unset CDPATH + +relink_command="" + +# This environment variable determines our operation mode. +if test "$libtool_install_magic" = "%%%MAGIC variable%%%"; then + # install mode needs the following variables: + generated_by_libtool_version='2.2.6' + notinst_deplibs=' /data/cvs/Linux-PAM/libpam/libpam.la' +else + # When we are sourced in execute mode, $file and $ECHO are already set. + if test "$libtool_execute_magic" != "%%%MAGIC variable%%%"; then + ECHO="echo" + file="$0" + # Make sure echo works. + if test "X$1" = X--no-reexec; then + # Discard the --no-reexec flag, and continue. + shift + elif test "X`{ $ECHO '\t'; } 2>/dev/null`" = 'X\t'; then + # Yippee, $ECHO works! + : + else + # Restart under the correct shell, and then maybe $ECHO will work. + exec /bin/sh "$0" --no-reexec ${1+"$@"} + fi + fi + + # Find the directory that this script lives in. + thisdir=`$ECHO "X$file" | $Xsed -e 's%/[^/]*$%%'` + test "x$thisdir" = "x$file" && thisdir=. + + # Follow symbolic links until we get to the real thisdir. + file=`ls -ld "$file" | /bin/sed -n 's/.*-> //p'` + while test -n "$file"; do + destdir=`$ECHO "X$file" | $Xsed -e 's%/[^/]*$%%'` + + # If there was a directory component, then change thisdir. + if test "x$destdir" != "x$file"; then + case "$destdir" in + [\\/]* | [A-Za-z]:[\\/]*) thisdir="$destdir" ;; + *) thisdir="$thisdir/$destdir" ;; + esac + fi + + file=`$ECHO "X$file" | $Xsed -e 's%^.*/%%'` + file=`ls -ld "$thisdir/$file" | /bin/sed -n 's/.*-> //p'` + done + + + # Usually 'no', except on cygwin/mingw when embedded into + # the cwrapper. + WRAPPER_SCRIPT_BELONGS_IN_OBJDIR=no + if test "$WRAPPER_SCRIPT_BELONGS_IN_OBJDIR" = "yes"; then + # special case for '.' + if test "$thisdir" = "."; then + thisdir=`pwd` + fi + # remove .libs from thisdir + case "$thisdir" in + *[\\/].libs ) thisdir=`$ECHO "X$thisdir" | $Xsed -e 's%[\\/][^\\/]*$%%'` ;; + .libs ) thisdir=. ;; + esac + fi + + # Try to get the absolute directory name. + absdir=`cd "$thisdir" && pwd` + test -n "$absdir" && thisdir="$absdir" + + program='hmacfile' + progdir="$thisdir/.libs" + + + if test -f "$progdir/$program"; then + # Add our own library path to LD_LIBRARY_PATH + LD_LIBRARY_PATH="/data/cvs/Linux-PAM/libpam/.libs:$LD_LIBRARY_PATH" + + # Some systems cannot cope with colon-terminated LD_LIBRARY_PATH + # The second colon is a workaround for a bug in BeOS R4 sed + LD_LIBRARY_PATH=`$ECHO "X$LD_LIBRARY_PATH" | $Xsed -e 's/::*$//'` + + export LD_LIBRARY_PATH + + if test "$libtool_execute_magic" != "%%%MAGIC variable%%%"; then + # Run the actual program with our arguments. + + exec "$progdir/$program" ${1+"$@"} + + $ECHO "$0: cannot exec $program $*" 1>&2 + exit 1 + fi + else + # The program doesn't exist. + $ECHO "$0: error: \`$progdir/$program' does not exist" 1>&2 + $ECHO "This script is just a wrapper for $program." 1>&2 + echo "See the libtool documentation for more information." 1>&2 + exit 1 + fi +fi diff --git a/modules/pam_timestamp/hmacfile.c b/modules/pam_timestamp/hmacfile.c new file mode 100644 index 00000000..d2da5ff1 --- /dev/null +++ b/modules/pam_timestamp/hmacfile.c @@ -0,0 +1,159 @@ +/* + * Copyright 2003,2004 Red Hat, Inc. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, and the entire permission notice in its entirety, + * including the disclaimer of warranties. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. The name of the author may not be used to endorse or promote + * products derived from this software without specific prior + * written permission. + * + * ALTERNATIVELY, this product may be distributed under the terms of + * the GNU Public License, in which case the provisions of the GPL are + * required INSTEAD OF the above restrictions. (This clause is + * necessary due to a potential bad interaction between the GPL and + * the restrictions contained in a BSD-style copyright.) + * + * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED + * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE + * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +#include <sys/types.h> +#include <sys/stat.h> +#include <errno.h> +#include <fcntl.h> +#include <stdio.h> +#include <stdlib.h> +#include <string.h> +#include <unistd.h> +#include "hmacsha1.h" + +static void +testvectors(void) +{ + void *hmac; + size_t hmac_len; + size_t i, j; + char hex[3]; + struct vector { + const char *key; + int key_len; + const char *data; + int data_len; + const char *hmac; + } vectors[] = { + { + "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b", 20, + "Hi There", 8, + "b617318655057264e28bc0b6fb378c8ef146be00", + }, + +#ifdef HMAC_ALLOW_SHORT_KEYS + { + "Jefe", 4, + "what do ya want for nothing?", 28, + "effcdf6ae5eb2fa2d27416d5f184df9c259a7c79", + }, +#endif + + { + "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa", 20, + "\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd", 50, + "125d7342b9ac11cd91a39af48aa17b4f63f175d3", + }, + + { + "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19", 25, + "\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd", + 50, + "4c9007f4026250c6bc8414f9bf50c86c2d7235da", + }, + + { + "\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c\x0c", 20, + "Test With Truncation", 20, + "4c1a03424b55e07fe7f27be1d58bb9324a9a5a04", + }, + + { + "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa", + 80, + "Test Using Larger Than Block-Size Key - Hash Key First", 54, + "aa4ae5e15272d00e95705637ce8a3b55ed402112", + }, + + { + "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa", + 80, + "Test Using Larger Than Block-Size Key and Larger Than One Block-Size Data", 73, + "e8e99d0f45237d786d6bbaa7965c7808bbff1a91", + }, + }; + for (i = 0; i < sizeof(vectors) / sizeof(vectors[0]); i++) { + hmac = NULL; + hmac_len = 0; + hmac_sha1_generate(&hmac, &hmac_len, + vectors[i].key, vectors[i].key_len, + vectors[i].data, vectors[i].data_len); + if (hmac != NULL) { + unsigned char *hmacc = hmac; + for (j = 0; j < hmac_len; j++) { + snprintf(hex, sizeof(hex), "%02x", + hmacc[j] & 0xff); + if (strncasecmp(hex, + vectors[i].hmac + 2 * j, + 2) != 0) { + printf("Incorrect result for vector %lu\n", i + 1); + exit(1); + + } + } + free(hmac); + } else { + printf("Error in vector %lu.\n", i + 1); + exit(1); + } + } +} + +int +main(int argc, char **argv) +{ + void *hmac; + size_t maclen; + const char *keyfile; + int i; + size_t j; + + testvectors(); + + keyfile = argv[1]; + for (i = 2; i < argc; i++) { + hmac_sha1_generate_file(NULL, &hmac, &maclen, keyfile, -1, -1, + argv[i], strlen(argv[i])); + if (hmac != NULL) { + unsigned char *hmacc = hmac; + for (j = 0; j < maclen; j++) { + printf("%02x", hmacc[j] & 0xff); + } + printf(" %s\n", argv[i]); + free(hmac); + } + } + return 0; +} diff --git a/modules/pam_timestamp/hmacsha1.c b/modules/pam_timestamp/hmacsha1.c new file mode 100644 index 00000000..5b3774ff --- /dev/null +++ b/modules/pam_timestamp/hmacsha1.c @@ -0,0 +1,293 @@ +/* An implementation of HMAC using SHA-1. + * + * Copyright (c) 2003 Red Hat, Inc. + * Written by Nalin Dahyabhai <nalin@redhat.com> + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, and the entire permission notice in its entirety, + * including the disclaimer of warranties. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. The name of the author may not be used to endorse or promote + * products derived from this software without specific prior + * written permission. + * + * ALTERNATIVELY, this product may be distributed under the terms of + * the GNU Public License, in which case the provisions of the GPL are + * required INSTEAD OF the above restrictions. (This clause is + * necessary due to a potential bad interaction between the GPL and + * the restrictions contained in a BSD-style copyright.) + * + * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED + * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE + * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * + */ +/* See RFC 2104 for descriptions. */ +#include <sys/types.h> +#include <sys/stat.h> +#include <errno.h> +#include <fcntl.h> +#include <grp.h> +#include <pwd.h> +#include <stdlib.h> +#include <string.h> +#include <unistd.h> +#include <syslog.h> +#include <security/pam_ext.h> +#include "hmacsha1.h" +#include "sha1.h" + +#define MINIMUM_KEY_SIZE SHA1_OUTPUT_SIZE +#define MAXIMUM_KEY_SIZE SHA1_BLOCK_SIZE + +static void +hmac_key_create(pam_handle_t *pamh, const char *filename, size_t key_size, + uid_t owner, gid_t group) +{ + int randfd, keyfd, i; + size_t count; + char *key; + + /* Open the destination file. */ + keyfd = open(filename, + O_WRONLY | O_CREAT | O_EXCL | O_TRUNC, + S_IRUSR | S_IWUSR); + if (keyfd == -1) { + pam_syslog(pamh, LOG_ERR, "Cannot create %s: %m", filename); + return; + } + + + if (fchown(keyfd, owner, group) == -1) { + pam_syslog(pamh, LOG_ERR, "Cannot chown %s: %m", filename); + return; + } + + /* Open the random device to get key data. */ + randfd = open("/dev/urandom", O_RDONLY); + if (randfd == -1) { + pam_syslog(pamh, LOG_ERR, "Cannot open /dev/urandom: %m"); + close(keyfd); + return; + } + + /* Read random data for use as the key. */ + key = malloc(key_size); + count = 0; + if (!key) { + close(keyfd); + close(randfd); + return; + } + while (count < key_size) { + i = read(randfd, key + count, key_size - count); + if ((i == 0) || (i == -1)) { + break; + } + count += i; + } + + close(randfd); + + /* If we didn't get enough, stop here. */ + if (count < key_size) { + pam_syslog(pamh, LOG_ERR, "Short read on random device"); + memset(key, 0, key_size); + free(key); + close(keyfd); + return; + } + + /* Now write the key. */ + count = 0; + while (count < key_size) { + i = write(keyfd, key + count, key_size - count); + if ((i == 0) || (i == -1)) { + break; + } + count += i; + } + memset(key, 0, key_size); + free(key); + close(keyfd); +} + +static void +hmac_key_read(pam_handle_t *pamh, const char *filename, size_t default_key_size, + uid_t owner, gid_t group, + void **key, size_t *key_size) +{ + char *tmp; + int keyfd, i, count; + struct stat st; + + tmp = NULL; + *key = NULL; + *key_size = 0; + + /* Try to open the key file. */ + keyfd = open(filename, O_RDONLY); + if (keyfd == -1) { + /* No such thing? Create it. */ + if (errno == ENOENT) { + hmac_key_create(pamh, filename, default_key_size, + owner, group); + keyfd = open(filename, O_RDONLY); + } else { + pam_syslog(pamh, LOG_ERR, "Cannot open %s: %m", filename); + } + if (keyfd == -1) + return; + } + + /* If we failed to open the file, we're done. */ + if (fstat(keyfd, &st) == -1) { + close(keyfd); + return; + } + + /* Read the contents of the file. */ + tmp = malloc(st.st_size); + if (!tmp) { + close(keyfd); + return; + } + + count = 0; + while (count < st.st_size) { + i = read(keyfd, tmp + count, st.st_size - count); + if ((i == 0) || (i == -1)) { + break; + } + count += i; + } + close(keyfd); + + /* Require that we got the expected amount of data. */ + if (count < st.st_size) { + memset(tmp, 0, st.st_size); + free(tmp); + return; + } + + /* Pass the key back. */ + *key = tmp; + *key_size = st.st_size; +} + +static void +xor_block(unsigned char *p, unsigned char byte, size_t length) +{ + size_t i; + for (i = 0; i < length; i++) { + p[i] = p[i] ^ byte; + } +} + +void +hmac_sha1_generate(void **mac, size_t *mac_length, + const void *raw_key, size_t raw_key_size, + const void *text, size_t text_length) +{ + unsigned char key[MAXIMUM_KEY_SIZE], tmp_key[MAXIMUM_KEY_SIZE]; + size_t maximum_key_size = SHA1_BLOCK_SIZE, + minimum_key_size = SHA1_OUTPUT_SIZE; + const unsigned char ipad = 0x36, opad = 0x5c; + struct sha1_context sha1; + unsigned char inner[SHA1_OUTPUT_SIZE], outer[SHA1_OUTPUT_SIZE]; + + *mac = NULL; + *mac_length = 0; + +#ifndef HMAC_ALLOW_SHORT_KEYS + /* If the key is too short, don't bother. */ + if (raw_key_size < minimum_key_size) { + return; + } +#endif + + /* If the key is too long, "compress" it, else copy it and pad it + * out with zero bytes. */ + memset(key, 0, sizeof(key)); + if (raw_key_size > maximum_key_size) { + sha1_init(&sha1); + sha1_update(&sha1, raw_key, raw_key_size); + sha1_output(&sha1, key); + } else { + memmove(key, raw_key, raw_key_size); + } + + /* Generate the inner sum. */ + memcpy(tmp_key, key, sizeof(tmp_key)); + xor_block(tmp_key, ipad, sizeof(tmp_key)); + + sha1_init(&sha1); + sha1_update(&sha1, tmp_key, sizeof(tmp_key)); + sha1_update(&sha1, text, text_length); + sha1_output(&sha1, inner); + + /* Generate the outer sum. */ + memcpy(tmp_key, key, sizeof(tmp_key)); + xor_block(tmp_key, opad, sizeof(tmp_key)); + + sha1_init(&sha1); + sha1_update(&sha1, tmp_key, sizeof(tmp_key)); + sha1_update(&sha1, inner, sizeof(inner)); + sha1_output(&sha1, outer); + + /* We don't need any of the keys any more. */ + memset(key, 0, sizeof(key)); + memset(tmp_key, 0, sizeof(tmp_key)); + + /* Allocate space to store the output. */ + *mac_length = sizeof(outer); + *mac = malloc(*mac_length); + if (*mac == NULL) { + *mac_length = 0; + return; + } + + memcpy(*mac, outer, *mac_length); +} + +void +hmac_sha1_generate_file(pam_handle_t *pamh, void **mac, size_t *mac_length, + const char *keyfile, uid_t owner, gid_t group, + const void *text, size_t text_length) +{ + void *key; + size_t key_length; + + hmac_key_read(pamh, keyfile, + MAXIMUM_KEY_SIZE, owner, group, + &key, &key_length); + if (key == NULL) { + *mac = NULL; + *mac_length = 0; + return; + } + hmac_sha1_generate(mac, mac_length, + key, key_length, + text, text_length); + memset(key, 0, key_length); + free(key); +} + +size_t +hmac_sha1_size(void) +{ + return SHA1_OUTPUT_SIZE; +} diff --git a/modules/pam_timestamp/hmacsha1.h b/modules/pam_timestamp/hmacsha1.h new file mode 100644 index 00000000..200d1d06 --- /dev/null +++ b/modules/pam_timestamp/hmacsha1.h @@ -0,0 +1,15 @@ +#ifndef pam_timestamp_hmacfile_h +#define pam_timestamp_hmacfile_h + +#include <sys/types.h> +#include <security/pam_modules.h> + +size_t hmac_sha1_size(void); +void hmac_sha1_generate(void **mac, size_t *mac_length, + const void *key, size_t key_length, + const void *text, size_t text_length); +void hmac_sha1_generate_file(pam_handle_t *pamh, void **mac, size_t *mac_length, + const char *keyfile, uid_t owner, gid_t group, + const void *text, size_t text_length); + +#endif diff --git a/modules/pam_timestamp/pam_timestamp.8 b/modules/pam_timestamp/pam_timestamp.8 new file mode 100644 index 00000000..7560ca74 --- /dev/null +++ b/modules/pam_timestamp/pam_timestamp.8 @@ -0,0 +1,277 @@ +.\" Title: pam_timestamp +.\" Author: [see the "AUTHOR" section] +.\" Generator: DocBook XSL Stylesheets v1.74.0 <http://docbook.sf.net/> +.\" Date: 06/16/2009 +.\" Manual: Linux-PAM Manual +.\" Source: Linux-PAM Manual +.\" Language: English +.\" +.TH "PAM_TIMESTAMP" "8" "06/16/2009" "Linux-PAM Manual" "Linux\-PAM Manual" +.\" ----------------------------------------------------------------- +.\" * (re)Define some macros +.\" ----------------------------------------------------------------- +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.\" toupper - uppercase a string (locale-aware) +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.de toupper +.tr aAbBcCdDeEfFgGhHiIjJkKlLmMnNoOpPqQrRsStTuUvVwWxXyYzZ +\\$* +.tr aabbccddeeffgghhiijjkkllmmnnooppqqrrssttuuvvwwxxyyzz +.. +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.\" SH-xref - format a cross-reference to an SH section +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.de SH-xref +.ie n \{\ +.\} +.toupper \\$* +.el \{\ +\\$* +.\} +.. +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.\" SH - level-one heading that works better for non-TTY output +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.de1 SH +.\" put an extra blank line of space above the head in non-TTY output +.if t \{\ +.sp 1 +.\} +.sp \\n[PD]u +.nr an-level 1 +.set-an-margin +.nr an-prevailing-indent \\n[IN] +.fi +.in \\n[an-margin]u +.ti 0 +.HTML-TAG ".NH \\n[an-level]" +.it 1 an-trap +.nr an-no-space-flag 1 +.nr an-break-flag 1 +\." make the size of the head bigger +.ps +3 +.ft B +.ne (2v + 1u) +.ie n \{\ +.\" if n (TTY output), use uppercase +.toupper \\$* +.\} +.el \{\ +.nr an-break-flag 0 +.\" if not n (not TTY), use normal case (not uppercase) +\\$1 +.in \\n[an-margin]u +.ti 0 +.\" if not n (not TTY), put a border/line under subheading +.sp -.6 +\l'\n(.lu' +.\} +.. +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.\" SS - level-two heading that works better for non-TTY output +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.de1 SS +.sp \\n[PD]u +.nr an-level 1 +.set-an-margin +.nr an-prevailing-indent \\n[IN] +.fi +.in \\n[IN]u +.ti \\n[SN]u +.it 1 an-trap +.nr an-no-space-flag 1 +.nr an-break-flag 1 +.ps \\n[PS-SS]u +\." make the size of the head bigger +.ps +2 +.ft B +.ne (2v + 1u) +.if \\n[.$] \&\\$* +.. +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.\" BB/BE - put background/screen (filled box) around block of text +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.de BB +.if t \{\ +.sp -.5 +.br +.in +2n +.ll -2n +.gcolor red +.di BX +.\} +.. +.de EB +.if t \{\ +.if "\\$2"adjust-for-leading-newline" \{\ +.sp -1 +.\} +.br +.di +.in +.ll +.gcolor +.nr BW \\n(.lu-\\n(.i +.nr BH \\n(dn+.5v +.ne \\n(BHu+.5v +.ie "\\$2"adjust-for-leading-newline" \{\ +\M[\\$1]\h'1n'\v'+.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[] +.\} +.el \{\ +\M[\\$1]\h'1n'\v'-.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[] +.\} +.in 0 +.sp -.5v +.nf +.BX +.in +.sp .5v +.fi +.\} +.. +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.\" BM/EM - put colored marker in margin next to block of text +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.de BM +.if t \{\ +.br +.ll -2n +.gcolor red +.di BX +.\} +.. +.de EM +.if t \{\ +.br +.di +.ll +.gcolor +.nr BH \\n(dn +.ne \\n(BHu +\M[\\$1]\D'P -.75n 0 0 \\n(BHu -(\\n[.i]u - \\n(INu - .75n) 0 0 -\\n(BHu'\M[] +.in 0 +.nf +.BX +.in +.fi +.\} +.. +.\" ----------------------------------------------------------------- +.\" * set default formatting +.\" ----------------------------------------------------------------- +.\" disable hyphenation +.nh +.\" disable justification (adjust text to left margin only) +.ad l +.\" ----------------------------------------------------------------- +.\" * MAIN CONTENT STARTS HERE * +.\" ----------------------------------------------------------------- +.SH "Name" +pam_timestamp \- Authenticate using cached successful authentication attempts +.SH "Synopsis" +.fam C +.HP \w'\fBpam_timestamp\&.so\fR\ 'u +\fBpam_timestamp\&.so\fR [timestamp_timeout=\fInumber\fR] [verbose] [debug] +.fam +.SH "DESCRIPTION" +.PP +In a nutshell, +\fIpam_timestamp\fR +caches successful authentication attempts, and allows you to use a recent successful attempt as the basis for authentication\&. This is similar mechanism which is used in +\fBsudo\fR\&. +.PP +When an application opens a session using +\fIpam_timestamp\fR, a timestamp file is created in the +\fItimestampdir\fR +directory for the user\&. When an application attempts to authenticate the user, a +\fIpam_timestamp\fR +will treat a sufficiently recent timestamp file as grounds for succeeding\&. +.SH "OPTIONS" +.PP +\fBtimestamp_timeout=\fR\fB\fInumber\fR\fR +.RS 4 +How long should pam_timestamp treat timestamp as valid after their last modification date (in seconds)\&. Default is 300 seconds\&. +.RE +.PP +\fBverbose\fR +.RS 4 +Attempt to inform the user when access is granted\&. +.RE +.PP +\fBdebug\fR +.RS 4 +Turns on debugging messages sent to +\fBsyslog\fR(3)\&. +.RE +.SH "MODULE TYPES PROVIDED" +.PP +The +\fBauth\fR +and +\fBsession\fR +module types are provided\&. +.SH "RETURN VALUES" +.PP +PAM_AUTH_ERR +.RS 4 +The module was not able to retrieve the user name or no valid timestamp file was found\&. +.RE +.PP +PAM_SUCCESS +.RS 4 +Everything was successful\&. +.RE +.PP +PAM_SESSION_ERR +.RS 4 +Timestamp file could not be created or updated\&. +.RE +.SH "NOTES" +.PP +Users can get confused when they are not always asked for passwords when running a given program\&. Some users reflexively begin typing information before noticing that it is not being asked for\&. +.SH "EXAMPLES" +.sp +.if n \{\ +.RS 4 +.\} +.fam C +.ps -1 +.nf +.if t \{\ +.sp -1 +.\} +.BB lightgray adjust-for-leading-newline +.sp -1 + +auth sufficient pam_timestamp\&.so verbose +auth required pam_unix\&.so + +session required pam_unix\&.so +session optional pam_timestamp\&.so + +.EB lightgray adjust-for-leading-newline +.if t \{\ +.sp 1 +.\} +.fi +.fam +.ps +1 +.if n \{\ +.RE +.\} +.SH "FILES" +.PP +\FC/var/run/sudo/\&.\&.\&.\F[] +.RS 4 +timestamp files and directories +.RE +.SH "SEE ALSO" +.PP + +\fBpam_timestamp_check\fR(8), +\fBpam.conf\fR(5), +\fBpam.d\fR(5), +\fBpam\fR(8) +.SH "AUTHOR" +.PP +pam_tally was written by Nalin Dahyabhai\&. diff --git a/modules/pam_timestamp/pam_timestamp.8.xml b/modules/pam_timestamp/pam_timestamp.8.xml new file mode 100644 index 00000000..adb87a79 --- /dev/null +++ b/modules/pam_timestamp/pam_timestamp.8.xml @@ -0,0 +1,189 @@ +<?xml version="1.0" encoding='UTF-8'?> +<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" + "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd"> + +<refentry id="pam_timestamp"> + + <refmeta> + <refentrytitle>pam_timestamp</refentrytitle> + <manvolnum>8</manvolnum> + <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo> + </refmeta> + + <refnamediv id="pam_timestamp-name"> + <refname>pam_timestamp</refname> + <refpurpose>Authenticate using cached successful authentication attempts</refpurpose> + </refnamediv> + + <refsynopsisdiv> + <cmdsynopsis id="pam_timestamp-cmdsynopsis"> + <command>pam_timestamp.so</command> + <arg choice="opt"> + timestamp_timeout=<replaceable>number</replaceable> + </arg> + <arg choice="opt"> + verbose + </arg> + <arg choice="opt"> + debug + </arg> + </cmdsynopsis> + </refsynopsisdiv> + + <refsect1 id="pam_timestamp-description"> + + <title>DESCRIPTION</title> + + <para> + In a nutshell, <emphasis>pam_timestamp</emphasis> caches successful +authentication attempts, and allows you to use a recent successful attempt as +the basis for authentication. This is similar mechanism which is used in +<command>sudo</command>. + </para> + <para> + When an application opens a session using <emphasis>pam_timestamp</emphasis>, +a timestamp file is created in the <emphasis>timestampdir</emphasis> directory +for the user. When an application attempts to authenticate the user, a +<emphasis>pam_timestamp</emphasis> will treat a sufficiently recent timestamp +file as grounds for succeeding. + </para> + </refsect1> + + <refsect1 id="pam_timestamp-options"> + + <title>OPTIONS</title> + <variablelist> + <varlistentry> + <term> + <option>timestamp_timeout=<replaceable>number</replaceable></option> + </term> + <listitem> + <para> + How long should pam_timestamp treat timestamp as valid after their + last modification date (in seconds). Default is 300 seconds. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term> + <option>verbose</option> + </term> + <listitem> + <para> + Attempt to inform the user when access is granted. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term> + <option>debug</option> + </term> + <listitem> + <para> + Turns on debugging messages sent to <citerefentry> + <refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum> + </citerefentry>. + </para> + </listitem> + </varlistentry> + </variablelist> + </refsect1> + + <refsect1 id="pam_timestamp-types"> + <title>MODULE TYPES PROVIDED</title> + <para> + The <option>auth</option> and <option>session</option> + module types are provided. + </para> + </refsect1> + + <refsect1 id='pam_timestamp-return_values'> + <title>RETURN VALUES</title> + <variablelist> + <varlistentry> + <term>PAM_AUTH_ERR</term> + <listitem> + <para> + The module was not able to retrieve the user name or + no valid timestamp file was found. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_SUCCESS</term> + <listitem> + <para> + Everything was successful. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_SESSION_ERR</term> + <listitem> + <para> + Timestamp file could not be created or updated. + </para> + </listitem> + </varlistentry> + </variablelist> + </refsect1> + + <refsect1 id='pam_timestamp-notes'> + <title>NOTES</title> + <para> + Users can get confused when they are not always asked for passwords when +running a given program. Some users reflexively begin typing information before +noticing that it is not being asked for. + </para> + </refsect1> + + <refsect1 id='pam_timestamp-examples'> + <title>EXAMPLES</title> + <programlisting> +auth sufficient pam_timestamp.so verbose +auth required pam_unix.so + +session required pam_unix.so +session optional pam_timestamp.so + </programlisting> + </refsect1> + + <refsect1 id="pam_timestamp-files"> + <title>FILES</title> + <variablelist> + <varlistentry> + <term><filename>/var/run/sudo/...</filename></term> + <listitem> + <para>timestamp files and directories</para> + </listitem> + </varlistentry> + </variablelist> + </refsect1> + + <refsect1 id='pam_timestamp-see_also'> + <title>SEE ALSO</title> + <para> + <citerefentry> + <refentrytitle>pam_timestamp_check</refentrytitle><manvolnum>8</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam.conf</refentrytitle><manvolnum>5</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> + </citerefentry> + </para> + </refsect1> + + <refsect1 id='pam_timestamp-author'> + <title>AUTHOR</title> + <para> + pam_tally was written by Nalin Dahyabhai. + </para> + </refsect1> + +</refentry> + diff --git a/modules/pam_timestamp/pam_timestamp.c b/modules/pam_timestamp/pam_timestamp.c new file mode 100644 index 00000000..7e6c4b0b --- /dev/null +++ b/modules/pam_timestamp/pam_timestamp.c @@ -0,0 +1,831 @@ +/****************************************************************************** + * A module for Linux-PAM that will cache authentication results, inspired by + * (and implemented with an eye toward being mixable with) sudo. + * + * Copyright (c) 2002 Red Hat, Inc. + * Written by Nalin Dahyabhai <nalin@redhat.com> + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, and the entire permission notice in its entirety, + * including the disclaimer of warranties. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. The name of the author may not be used to endorse or promote + * products derived from this software without specific prior + * written permission. + * + * ALTERNATIVELY, this product may be distributed under the terms of + * the GNU Public License, in which case the provisions of the GPL are + * required INSTEAD OF the above restrictions. (This clause is + * necessary due to a potential bad interaction between the GPL and + * the restrictions contained in a BSD-style copyright.) + * + * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED + * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE + * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * + */ + +#define PAM_SM_AUTH +#define PAM_SM_SESSION + +#include "config.h" + +#include <sys/stat.h> +#include <sys/types.h> +#include <errno.h> +#include <fcntl.h> +#include <limits.h> +#include <pwd.h> +#include <signal.h> +#include <stdio.h> +#include <stdlib.h> +#include <string.h> +#include <time.h> +#include <sys/time.h> +#include <unistd.h> +#include <utmp.h> +#include <syslog.h> +#include "hmacsha1.h" + +#include <security/pam_modules.h> +#include <security/_pam_macros.h> +#include <security/pam_ext.h> +#include <security/pam_modutil.h> + +/* The default timeout we use is 5 minutes, which matches the sudo default + * for the timestamp_timeout parameter. */ +#define DEFAULT_TIMESTAMP_TIMEOUT (5 * 60) +#define MODULE "pam_timestamp" +#define TIMESTAMPDIR "/var/run/sudo" +#define TIMESTAMPKEY TIMESTAMPDIR "/_pam_timestamp_key" + +/* Various buffers we use need to be at least as large as either PATH_MAX or + * LINE_MAX, so choose the larger of the two. */ +#if (LINE_MAX > PATH_MAX) +#define BUFLEN LINE_MAX +#else +#define BUFLEN PATH_MAX +#endif + +/* Return PAM_SUCCESS if the given directory looks "safe". */ +static int +check_dir_perms(pam_handle_t *pamh, const char *tdir) +{ + char scratch[BUFLEN]; + struct stat st; + int i; + /* Check that the directory is "safe". */ + if ((tdir == NULL) || (strlen(tdir) == 0)) { + return PAM_AUTH_ERR; + } + /* Iterate over the path, checking intermediate directories. */ + memset(scratch, 0, sizeof(scratch)); + for (i = 0; (tdir[i] != '\0') && (i < (int)sizeof(scratch)); i++) { + scratch[i] = tdir[i]; + if ((scratch[i] == '/') || (tdir[i + 1] == '\0')) { + /* We now have the name of a directory in the path, so + * we need to check it. */ + if ((lstat(scratch, &st) == -1) && (errno != ENOENT)) { + pam_syslog(pamh, LOG_ERR, + "unable to read `%s': %m", + scratch); + return PAM_AUTH_ERR; + } + if (!S_ISDIR(st.st_mode)) { + pam_syslog(pamh, LOG_ERR, + "`%s' is not a directory", + scratch); + return PAM_AUTH_ERR; + } + if (S_ISLNK(st.st_mode)) { + pam_syslog(pamh, LOG_ERR, + "`%s' is a symbolic link", + scratch); + return PAM_AUTH_ERR; + } + if (st.st_uid != 0) { + pam_syslog(pamh, LOG_ERR, + "`%s' owner UID != 0", + scratch); + return PAM_AUTH_ERR; + } + if (st.st_gid != 0) { + pam_syslog(pamh, LOG_ERR, + "`%s' owner GID != 0", + scratch); + return PAM_AUTH_ERR; + } + if ((st.st_mode & (S_IWGRP | S_IWOTH)) != 0) { + pam_syslog(pamh, LOG_ERR, + "`%s' permissions are lax", + scratch); + return PAM_AUTH_ERR; + } + } + } + return PAM_SUCCESS; +} + +/* Validate a tty pathname as actually belonging to a tty, and return its base + * name if it's valid. */ +static const char * +check_tty(const char *tty) +{ + /* Check that we're not being set up to take a fall. */ + if ((tty == NULL) || (strlen(tty) == 0)) { + return NULL; + } + /* Pull out the meaningful part of the tty's name. */ + if (strchr(tty, '/') != NULL) { + if (strncmp(tty, "/dev/", 5) != 0) { + /* Make sure the device node is actually in /dev/, + * noted by Michal Zalewski. */ + return NULL; + } + tty = strrchr(tty, '/') + 1; + } + /* Make sure the tty wasn't actually a directory (no basename). */ + if (strlen(tty) == 0) { + return NULL; + } + return tty; +} + +/* Determine the right path name for a given user's timestamp. */ +static int +format_timestamp_name(char *path, size_t len, + const char *timestamp_dir, + const char *tty, + const char *ruser, + const char *user) +{ + if (strcmp(ruser, user) == 0) { + return snprintf(path, len, "%s/%s/%s", timestamp_dir, + ruser, tty); + } else { + return snprintf(path, len, "%s/%s/%s:%s", timestamp_dir, + ruser, tty, user); + } +} + +/* Check if a given timestamp date, when compared to a current time, fits + * within the given interval. */ +static int +timestamp_good(time_t then, time_t now, time_t interval) +{ + if (((now >= then) && ((now - then) < interval)) || + ((now < then) && ((then - now) < (2 * interval)))) { + return PAM_SUCCESS; + } + return PAM_AUTH_ERR; +} + +static int +check_login_time(const char *ruser, time_t timestamp) +{ + struct utmp utbuf, *ut; + time_t oldest_login = 0; + + setutent(); + while(!getutent_r(&utbuf, &ut)) { + if (ut->ut_type != USER_PROCESS) { + continue; + } + if (strncmp(ruser, ut->ut_user, sizeof(ut->ut_user) != 0)) { + continue; + } + if (oldest_login == 0 || oldest_login > ut->ut_tv.tv_sec) { + oldest_login = ut->ut_tv.tv_sec; + } + } + endutent(); + if(oldest_login == 0 || timestamp < oldest_login) { + return PAM_AUTH_ERR; + } + return PAM_SUCCESS; +} + +#ifndef PAM_TIMESTAMP_MAIN +static int +get_ruser(pam_handle_t *pamh, char *ruserbuf, size_t ruserbuflen) +{ + const void *ruser; + struct passwd *pwd; + + if (ruserbuf == NULL || ruserbuflen < 1) + return -2; + /* Get the name of the source user. */ + if (pam_get_item(pamh, PAM_RUSER, &ruser) != PAM_SUCCESS) { + ruser = NULL; + } + if ((ruser == NULL) || (strlen(ruser) == 0)) { + /* Barring that, use the current RUID. */ + pwd = pam_modutil_getpwuid(pamh, getuid()); + if (pwd != NULL) { + ruser = pwd->pw_name; + } + } + if (ruser == NULL || strlen(ruser) >= ruserbuflen) { + *ruserbuf = '\0'; + return -1; + } + strcpy(ruserbuf, ruser); + return 0; +} + +/* Get the path to the timestamp to use. */ +static int +get_timestamp_name(pam_handle_t *pamh, int argc, const char **argv, + char *path, size_t len) +{ + const char *user, *tty; + const void *void_tty; + const char *tdir = TIMESTAMPDIR; + char ruser[BUFLEN]; + int i, debug = 0; + + /* Parse arguments. */ + for (i = 0; i < argc; i++) { + if (strcmp(argv[i], "debug") == 0) { + debug = 1; + } + } + for (i = 0; i < argc; i++) { + if (strncmp(argv[i], "timestampdir=", 13) == 0) { + tdir = argv[i] + 13; + if (debug) { + pam_syslog(pamh, LOG_DEBUG, + "storing timestamps in `%s'", + tdir); + } + } + } + i = check_dir_perms(pamh, tdir); + if (i != PAM_SUCCESS) { + return i; + } + /* Get the name of the target user. */ + if (pam_get_user(pamh, &user, NULL) != PAM_SUCCESS) { + user = NULL; + } + if ((user == NULL) || (strlen(user) == 0)) { + return PAM_AUTH_ERR; + } + if (debug) { + pam_syslog(pamh, LOG_DEBUG, "becoming user `%s'", user); + } + /* Get the name of the source user. */ + if (get_ruser(pamh, ruser, sizeof(ruser)) || strlen(ruser) == 0) { + return PAM_AUTH_ERR; + } + if (debug) { + pam_syslog(pamh, LOG_DEBUG, "currently user `%s'", ruser); + } + /* Get the name of the terminal. */ + if (pam_get_item(pamh, PAM_TTY, &void_tty) != PAM_SUCCESS) { + tty = NULL; + } else { + tty = void_tty; + } + if ((tty == NULL) || (strlen(tty) == 0)) { + tty = ttyname(STDIN_FILENO); + if ((tty == NULL) || (strlen(tty) == 0)) { + tty = ttyname(STDOUT_FILENO); + } + if ((tty == NULL) || (strlen(tty) == 0)) { + tty = ttyname(STDERR_FILENO); + } + if ((tty == NULL) || (strlen(tty) == 0)) { + /* Match sudo's behavior for this case. */ + tty = "unknown"; + } + } + if (debug) { + pam_syslog(pamh, LOG_DEBUG, "tty is `%s'", tty); + } + /* Snip off all but the last part of the tty name. */ + tty = check_tty(tty); + if (tty == NULL) { + return PAM_AUTH_ERR; + } + /* Generate the name of the file used to cache auth results. These + * paths should jive with sudo's per-tty naming scheme. */ + if (format_timestamp_name(path, len, tdir, tty, ruser, user) >= (int)len) { + return PAM_AUTH_ERR; + } + if (debug) { + pam_syslog(pamh, LOG_DEBUG, "using timestamp file `%s'", path); + } + return PAM_SUCCESS; +} + +/* Tell the user that access has been granted. */ +static void +verbose_success(pam_handle_t *pamh, long diff) +{ + pam_info(pamh, _("Access granted (last access was %ld seconds ago)."), diff); +} + +PAM_EXTERN int +pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv) +{ + struct stat st; + time_t interval = DEFAULT_TIMESTAMP_TIMEOUT; + int i, fd, debug = 0, verbose = 0; + char path[BUFLEN], *p, *message, *message_end; + long tmp; + const void *void_service; + const char *service; + time_t now, then; + + /* Parse arguments. */ + for (i = 0; i < argc; i++) { + if (strcmp(argv[i], "debug") == 0) { + debug = 1; + } + } + for (i = 0; i < argc; i++) { + if (strncmp(argv[i], "timestamp_timeout=", 18) == 0) { + tmp = strtol(argv[i] + 18, &p, 0); + if ((p != NULL) && (*p == '\0')) { + interval = tmp; + if (debug) { + pam_syslog(pamh, LOG_DEBUG, + "setting timeout to %ld" + " seconds", (long)interval); + } + } + } else + if (strcmp(argv[i], "verbose") == 0) { + verbose = 1; + if (debug) { + pam_syslog(pamh, LOG_DEBUG, + "becoming more verbose"); + } + } + } + + if (flags & PAM_SILENT) { + verbose = 0; + } + + /* Get the name of the timestamp file. */ + if (get_timestamp_name(pamh, argc, argv, + path, sizeof(path)) != PAM_SUCCESS) { + return PAM_AUTH_ERR; + } + + /* Get the name of the service. */ + if (pam_get_item(pamh, PAM_SERVICE, &void_service) != PAM_SUCCESS) { + service = NULL; + } else { + service = void_service; + } + if ((service == NULL) || (strlen(service) == 0)) { + service = "(unknown)"; + } + + /* Open the timestamp file. */ + fd = open(path, O_RDONLY | O_NOFOLLOW); + if (fd == -1) { + if (debug) { + pam_syslog(pamh, LOG_DEBUG, + "cannot open timestamp `%s': %m", + path); + } + return PAM_AUTH_ERR; + } + + if (fstat(fd, &st) == 0) { + int count; + void *mac; + size_t maclen; + char ruser[BUFLEN]; + + /* Check that the file is owned by the superuser. */ + if ((st.st_uid != 0) || (st.st_gid != 0)) { + pam_syslog(pamh, LOG_ERR, "timestamp file `%s' is " + "not owned by root", path); + close(fd); + return PAM_AUTH_ERR; + } + + /* Check that the file is a normal file. */ + if (!(S_ISREG(st.st_mode))) { + pam_syslog(pamh, LOG_ERR, "timestamp file `%s' is " + "not a regular file", path); + close(fd); + return PAM_AUTH_ERR; + } + + /* Check that the file is the expected size. */ + if (st.st_size == 0) { + /* Invalid, but may have been created by sudo. */ + close(fd); + return PAM_AUTH_ERR; + } + if (st.st_size != + (off_t)(strlen(path) + 1 + sizeof(then) + hmac_sha1_size())) { + pam_syslog(pamh, LOG_NOTICE, "timestamp file `%s' " + "appears to be corrupted", path); + close(fd); + return PAM_AUTH_ERR; + } + + /* Read the file contents. */ + message = malloc(st.st_size); + count = 0; + if (!message) { + close(fd); + return PAM_BUF_ERR; + } + while (count < st.st_size) { + i = read(fd, message + count, st.st_size - count); + if ((i == 0) || (i == -1)) { + break; + } + count += i; + } + if (count < st.st_size) { + pam_syslog(pamh, LOG_NOTICE, "error reading timestamp " + "file `%s': %m", path); + close(fd); + free(message); + return PAM_AUTH_ERR; + } + message_end = message + strlen(path) + 1 + sizeof(then); + + /* Regenerate the MAC. */ + hmac_sha1_generate_file(pamh, &mac, &maclen, TIMESTAMPKEY, 0, 0, + message, message_end - message); + if ((mac == NULL) || + (memcmp(path, message, strlen(path)) != 0) || + (memcmp(mac, message_end, maclen) != 0)) { + pam_syslog(pamh, LOG_NOTICE, "timestamp file `%s' is " + "corrupted", path); + close(fd); + free(message); + return PAM_AUTH_ERR; + } + free(mac); + memmove(&then, message + strlen(path) + 1, sizeof(then)); + free(message); + + /* Check oldest login against timestamp */ + if (get_ruser(pamh, ruser, sizeof(ruser))) + { + close(fd); + return PAM_AUTH_ERR; + } + if (check_login_time(ruser, then) != PAM_SUCCESS) + { + pam_syslog(pamh, LOG_NOTICE, "timestamp file `%s' is " + "older than oldest login, disallowing " + "access to %s for user %s", + path, service, ruser); + close(fd); + return PAM_AUTH_ERR; + } + + /* Compare the dates. */ + now = time(NULL); + if (timestamp_good(then, now, interval) == PAM_SUCCESS) { + close(fd); + pam_syslog(pamh, LOG_NOTICE, "timestamp file `%s' is " + "only %ld seconds old, allowing access to %s " + "for user %s", path, (long) (now - st.st_mtime), + service, ruser); + if (verbose) { + verbose_success(pamh, now - st.st_mtime); + } + return PAM_SUCCESS; + } else { + close(fd); + pam_syslog(pamh, LOG_NOTICE, "timestamp file `%s' has " + "unacceptable age (%ld seconds), disallowing " + "access to %s for user %s", + path, (long) (now - st.st_mtime), + service, ruser); + return PAM_AUTH_ERR; + } + } + close(fd); + + /* Fail by default. */ + return PAM_AUTH_ERR; +} + +PAM_EXTERN int +pam_sm_setcred(pam_handle_t *pamh UNUSED, int flags UNUSED, int argc UNUSED, const char **argv UNUSED) +{ + return PAM_SUCCESS; +} + +PAM_EXTERN int +pam_sm_open_session(pam_handle_t *pamh, int flags UNUSED, int argc, const char **argv) +{ + char path[BUFLEN], subdir[BUFLEN], *text, *p; + void *mac; + size_t maclen; + time_t now; + int fd, i, debug = 0; + + /* Parse arguments. */ + for (i = 0; i < argc; i++) { + if (strcmp(argv[i], "debug") == 0) { + debug = 1; + } + } + + /* Get the name of the timestamp file. */ + if (get_timestamp_name(pamh, argc, argv, + path, sizeof(path)) != PAM_SUCCESS) { + return PAM_SESSION_ERR; + } + + /* Create the directory for the timestamp file if it doesn't already + * exist. */ + for (i = 1; path[i] != '\0'; i++) { + if (path[i] == '/') { + /* Attempt to create the directory. */ + strncpy(subdir, path, i); + subdir[i] = '\0'; + if (mkdir(subdir, 0700) == 0) { + /* Attempt to set the owner to the superuser. */ + if (lchown(subdir, 0, 0) != 0) { + if (debug) { + pam_syslog(pamh, LOG_DEBUG, + "error setting permissions on `%s': %m", + subdir); + } + return PAM_SESSION_ERR; + } + } else { + if (errno != EEXIST) { + if (debug) { + pam_syslog(pamh, LOG_DEBUG, + "error creating directory `%s': %m", + subdir); + } + return PAM_SESSION_ERR; + } + } + } + } + + /* Generate the message. */ + text = malloc(strlen(path) + 1 + sizeof(now) + hmac_sha1_size()); + if (text == NULL) { + pam_syslog(pamh, LOG_ERR, "unable to allocate memory: %m"); + return PAM_SESSION_ERR; + } + p = text; + + strcpy(text, path); + p += strlen(path) + 1; + + now = time(NULL); + memmove(p, &now, sizeof(now)); + p += sizeof(now); + + /* Generate the MAC and append it to the plaintext. */ + hmac_sha1_generate_file(pamh, &mac, &maclen, + TIMESTAMPKEY, + 0, 0, + text, p - text); + if (mac == NULL) { + pam_syslog(pamh, LOG_ERR, "failure generating MAC: %m"); + free(text); + return PAM_SESSION_ERR; + } + memmove(p, mac, maclen); + p += maclen; + free(mac); + + /* Open the file. */ + fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, S_IRUSR | S_IWUSR); + if (fd == -1) { + pam_syslog(pamh, LOG_ERR, "unable to open `%s': %m", path); + free(text); + return PAM_SESSION_ERR; + } + + /* Attempt to set the owner to the superuser. */ + if (fchown(fd, 0, 0) != 0) { + if (debug) { + pam_syslog(pamh, LOG_DEBUG, + "error setting ownership of `%s': %m", + path); + } + return PAM_SESSION_ERR; + } + + + /* Write the timestamp to the file. */ + if (write(fd, text, p - text) != p - text) { + pam_syslog(pamh, LOG_ERR, "unable to write to `%s': %m", path); + close(fd); + free(text); + return PAM_SESSION_ERR; + } + + /* Close the file and return successfully. */ + close(fd); + free(text); + pam_syslog(pamh, LOG_DEBUG, "updated timestamp file `%s'", path); + return PAM_SUCCESS; +} + +PAM_EXTERN int +pam_sm_close_session(pam_handle_t *pamh UNUSED, int flags UNUSED, int argc UNUSED, const char **argv UNUSED) +{ + return PAM_SUCCESS; +} + +#ifdef PAM_STATIC +/* static module data */ + +struct pam_module _pam_timestamp_modstruct = { + "pam_timestamp", + pam_sm_authenticate, + pam_sm_setcred, + NULL, + pam_sm_open_session, + pam_sm_close_session, + NULL +}; +#endif + + +#else /* PAM_TIMESTAMP_MAIN */ + +#define USAGE "Usage: %s [[-k] | [-d]] [target user]\n" +#define CHECK_INTERVAL 7 + +int +main(int argc, char **argv) +{ + int i, pretval = -1, retval = 0, dflag = 0, kflag = 0; + const char *target_user = NULL, *user = NULL, *tty = NULL; + struct passwd *pwd; + struct timeval tv; + fd_set write_fds; + char path[BUFLEN]; + struct stat st; + + /* Check that there's nothing funny going on with stdio. */ + if ((fstat(STDIN_FILENO, &st) == -1) || + (fstat(STDOUT_FILENO, &st) == -1) || + (fstat(STDERR_FILENO, &st) == -1)) { + /* Appropriate the "no controlling tty" error code. */ + return 3; + } + + /* Parse arguments. */ + while ((i = getopt(argc, argv, "dk")) != -1) { + switch (i) { + case 'd': + dflag++; + break; + case 'k': + kflag++; + break; + default: + fprintf(stderr, USAGE, argv[0]); + return 1; + break; + } + } + + /* Bail if both -k and -d are given together. */ + if ((kflag + dflag) > 1) { + fprintf(stderr, USAGE, argv[0]); + return 1; + } + + /* Check that we're setuid. */ + if (geteuid() != 0) { + fprintf(stderr, "%s must be setuid root\n", + argv[0]); + retval = 2; + } + + /* Check that we have a controlling tty. */ + tty = ttyname(STDIN_FILENO); + if ((tty == NULL) || (strlen(tty) == 0)) { + tty = ttyname(STDOUT_FILENO); + } + if ((tty == NULL) || (strlen(tty) == 0)) { + tty = ttyname(STDERR_FILENO); + } + if ((tty == NULL) || (strlen(tty) == 0)) { + tty = "unknown"; + } + + /* Get the name of the invoking (requesting) user. */ + pwd = getpwuid(getuid()); + if (pwd == NULL) { + retval = 4; + } + + /* Get the name of the target user. */ + user = strdup(pwd->pw_name); + if (user == NULL) { + retval = 4; + } else { + target_user = (optind < argc) ? argv[optind] : user; + if ((strchr(target_user, '.') != NULL) || + (strchr(target_user, '/') != NULL) || + (strchr(target_user, '%') != NULL)) { + fprintf(stderr, "unknown user: %s\n", + target_user); + retval = 4; + } + } + + /* Sanity check the tty to make sure we should be checking + * for timestamps which pertain to it. */ + if (retval == 0) { + tty = check_tty(tty); + if (tty == NULL) { + fprintf(stderr, "invalid tty\n"); + retval = 6; + } + } + + do { + /* Sanity check the timestamp directory itself. */ + if (retval == 0) { + if (check_dir_perms(NULL, TIMESTAMPDIR) != PAM_SUCCESS) { + retval = 5; + } + } + + if (retval == 0) { + /* Generate the name of the timestamp file. */ + format_timestamp_name(path, sizeof(path), TIMESTAMPDIR, + tty, user, target_user); + } + + if (retval == 0) { + if (kflag) { + /* Remove the timestamp. */ + if (lstat(path, &st) != -1) { + retval = unlink(path); + } + } else { + /* Check the timestamp. */ + if (lstat(path, &st) != -1) { + /* Check oldest login against timestamp */ + if (check_login_time(user, st.st_mtime) != PAM_SUCCESS) { + retval = 7; + } else if (!timestamp_good(st.st_mtime, time(NULL), + DEFAULT_TIMESTAMP_TIMEOUT) == PAM_SUCCESS) { + retval = 7; + } + } else { + retval = 7; + } + } + } + + if (dflag > 0) { + struct timeval now; + /* Send the would-be-returned value to our parent. */ + signal(SIGPIPE, SIG_DFL); + fprintf(stdout, "%d\n", retval); + fflush(stdout); + /* Wait. */ + gettimeofday(&now, NULL); + tv.tv_sec = CHECK_INTERVAL; + /* round the sleep time to get woken up on a whole second */ + tv.tv_usec = 1000000 - now.tv_usec; + if (now.tv_usec < 500000) + tv.tv_sec--; + FD_ZERO(&write_fds); + FD_SET(STDOUT_FILENO, &write_fds); + select(STDOUT_FILENO + 1, + NULL, NULL, &write_fds, + &tv); + pretval = retval; + retval = 0; + } + } while (dflag > 0); + + return retval; +} + +#endif diff --git a/modules/pam_timestamp/pam_timestamp_check.8 b/modules/pam_timestamp/pam_timestamp_check.8 new file mode 100644 index 00000000..4c4a5d96 --- /dev/null +++ b/modules/pam_timestamp/pam_timestamp_check.8 @@ -0,0 +1,289 @@ +.\" Title: pam_timestamp_check +.\" Author: [see the "AUTHOR" section] +.\" Generator: DocBook XSL Stylesheets v1.74.0 <http://docbook.sf.net/> +.\" Date: 06/16/2009 +.\" Manual: Linux-PAM Manual +.\" Source: Linux-PAM Manual +.\" Language: English +.\" +.TH "PAM_TIMESTAMP_CHECK" "8" "06/16/2009" "Linux-PAM Manual" "Linux\-PAM Manual" +.\" ----------------------------------------------------------------- +.\" * (re)Define some macros +.\" ----------------------------------------------------------------- +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.\" toupper - uppercase a string (locale-aware) +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.de toupper +.tr aAbBcCdDeEfFgGhHiIjJkKlLmMnNoOpPqQrRsStTuUvVwWxXyYzZ +\\$* +.tr aabbccddeeffgghhiijjkkllmmnnooppqqrrssttuuvvwwxxyyzz +.. +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.\" SH-xref - format a cross-reference to an SH section +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.de SH-xref +.ie n \{\ +.\} +.toupper \\$* +.el \{\ +\\$* +.\} +.. +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.\" SH - level-one heading that works better for non-TTY output +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.de1 SH +.\" put an extra blank line of space above the head in non-TTY output +.if t \{\ +.sp 1 +.\} +.sp \\n[PD]u +.nr an-level 1 +.set-an-margin +.nr an-prevailing-indent \\n[IN] +.fi +.in \\n[an-margin]u +.ti 0 +.HTML-TAG ".NH \\n[an-level]" +.it 1 an-trap +.nr an-no-space-flag 1 +.nr an-break-flag 1 +\." make the size of the head bigger +.ps +3 +.ft B +.ne (2v + 1u) +.ie n \{\ +.\" if n (TTY output), use uppercase +.toupper \\$* +.\} +.el \{\ +.nr an-break-flag 0 +.\" if not n (not TTY), use normal case (not uppercase) +\\$1 +.in \\n[an-margin]u +.ti 0 +.\" if not n (not TTY), put a border/line under subheading +.sp -.6 +\l'\n(.lu' +.\} +.. +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.\" SS - level-two heading that works better for non-TTY output +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.de1 SS +.sp \\n[PD]u +.nr an-level 1 +.set-an-margin +.nr an-prevailing-indent \\n[IN] +.fi +.in \\n[IN]u +.ti \\n[SN]u +.it 1 an-trap +.nr an-no-space-flag 1 +.nr an-break-flag 1 +.ps \\n[PS-SS]u +\." make the size of the head bigger +.ps +2 +.ft B +.ne (2v + 1u) +.if \\n[.$] \&\\$* +.. +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.\" BB/BE - put background/screen (filled box) around block of text +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.de BB +.if t \{\ +.sp -.5 +.br +.in +2n +.ll -2n +.gcolor red +.di BX +.\} +.. +.de EB +.if t \{\ +.if "\\$2"adjust-for-leading-newline" \{\ +.sp -1 +.\} +.br +.di +.in +.ll +.gcolor +.nr BW \\n(.lu-\\n(.i +.nr BH \\n(dn+.5v +.ne \\n(BHu+.5v +.ie "\\$2"adjust-for-leading-newline" \{\ +\M[\\$1]\h'1n'\v'+.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[] +.\} +.el \{\ +\M[\\$1]\h'1n'\v'-.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[] +.\} +.in 0 +.sp -.5v +.nf +.BX +.in +.sp .5v +.fi +.\} +.. +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.\" BM/EM - put colored marker in margin next to block of text +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.de BM +.if t \{\ +.br +.ll -2n +.gcolor red +.di BX +.\} +.. +.de EM +.if t \{\ +.br +.di +.ll +.gcolor +.nr BH \\n(dn +.ne \\n(BHu +\M[\\$1]\D'P -.75n 0 0 \\n(BHu -(\\n[.i]u - \\n(INu - .75n) 0 0 -\\n(BHu'\M[] +.in 0 +.nf +.BX +.in +.fi +.\} +.. +.\" ----------------------------------------------------------------- +.\" * set default formatting +.\" ----------------------------------------------------------------- +.\" disable hyphenation +.nh +.\" disable justification (adjust text to left margin only) +.ad l +.\" ----------------------------------------------------------------- +.\" * MAIN CONTENT STARTS HERE * +.\" ----------------------------------------------------------------- +.SH "Name" +pam_timestamp_check \- Check to see if the default timestamp is valid +.SH "Synopsis" +.fam C +.HP \w'\fBpam_timestamp_check\fR\ 'u +\fBpam_timestamp_check\fR [\-k] [\-d] [\fItarget_user\fR] +.fam +.SH "DESCRIPTION" +.PP +With no arguments +\fBpam_timestamp_check\fR +will check to see if the default timestamp is valid, or optionally remove it\&. +.SH "OPTIONS" +.PP +\fB\-k\fR +.RS 4 +Instead of checking the validity of a timestamp, remove it\&. This is analogous to sudo\'s +\fI\-k\fR +option\&. +.RE +.PP +\fB\-d\fR +.RS 4 +Instead of returning validity using an exit status, loop indefinitely, polling regularly and printing the status on standard output\&. +.RE +.PP +\fB\fItarget_user\fR\fR +.RS 4 +By default +\fBpam_timestamp_check\fR +checks or removes timestamps generated by +\fIpam_timestamp\fR +when the user authenticates as herself\&. When the user authenticates as a different user, the name of the timestamp file changes to accommodate this\&. +\fItarget_user\fR +allows to specify this user name\&. +.RE +.SH "RETURN VALUES" +.PP +0 +.RS 4 +The timestamp is valid\&. +.RE +.PP +2 +.RS 4 +The binary is not setuid root\&. +.RE +.PP +3 +.RS 4 +Invalid invocation\&. +.RE +.PP +4 +.RS 4 +User is unknown\&. +.RE +.PP +5 +.RS 4 +Permissions error\&. +.RE +.PP +6 +.RS 4 +Invalid controlling tty\&. +.RE +.PP +7 +.RS 4 +Timestamp is not valid\&. +.RE +.SH "NOTES" +.PP +Users can get confused when they are not always asked for passwords when running a given program\&. Some users reflexively begin typing information before noticing that it is not being asked for\&. +.SH "EXAMPLES" +.sp +.if n \{\ +.RS 4 +.\} +.fam C +.ps -1 +.nf +.if t \{\ +.sp -1 +.\} +.BB lightgray adjust-for-leading-newline +.sp -1 + +auth sufficient pam_timestamp\&.so verbose +auth required pam_unix\&.so + +session required pam_unix\&.so +session optional pam_timestamp\&.so + +.EB lightgray adjust-for-leading-newline +.if t \{\ +.sp 1 +.\} +.fi +.fam +.ps +1 +.if n \{\ +.RE +.\} +.SH "FILES" +.PP +\FC/var/run/sudo/\&.\&.\&.\F[] +.RS 4 +timestamp files and directories +.RE +.SH "SEE ALSO" +.PP + +\fBpam_timestamp_check\fR(8), +\fBpam.conf\fR(5), +\fBpam.d\fR(5), +\fBpam\fR(8) +.SH "AUTHOR" +.PP +pam_tally was written by Nalin Dahyabhai\&. diff --git a/modules/pam_timestamp/pam_timestamp_check.8.xml b/modules/pam_timestamp/pam_timestamp_check.8.xml new file mode 100644 index 00000000..7ec7140e --- /dev/null +++ b/modules/pam_timestamp/pam_timestamp_check.8.xml @@ -0,0 +1,208 @@ +<?xml version="1.0" encoding='UTF-8'?> +<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" + "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd"> + +<refentry id="pam_timestamp_check"> + + <refmeta> + <refentrytitle>pam_timestamp_check</refentrytitle> + <manvolnum>8</manvolnum> + <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo> + </refmeta> + + <refnamediv id="pam_timestamp_check-name"> + <refname>pam_timestamp_check</refname> + <refpurpose>Check to see if the default timestamp is valid</refpurpose> + </refnamediv> + + <refsynopsisdiv> + <cmdsynopsis id="pam_timestamp_check-cmdsynopsis"> + <command>pam_timestamp_check</command> + <arg choice="opt"> + -k + </arg> + <arg choice="opt"> + -d + </arg> + <arg choice="opt"> + <replaceable>target_user</replaceable> + </arg> + </cmdsynopsis> + </refsynopsisdiv> + + <refsect1 id="pam_timestamp_check-description"> + + <title>DESCRIPTION</title> + + <para> + With no arguments <command>pam_timestamp_check</command> will check to +see if the default timestamp is valid, or optionally remove it. + </para> + </refsect1> + + <refsect1 id="pam_timestamp_check-options"> + + <title>OPTIONS</title> + <variablelist> + <varlistentry> + <term> + <option>-k</option> + </term> + <listitem> + <para> + Instead of checking the validity of a timestamp, remove it. + This is analogous to sudo's <emphasis>-k</emphasis> option. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term> + <option>-d</option> + </term> + <listitem> + <para> + Instead of returning validity using an exit status, + loop indefinitely, polling regularly and printing the status on + standard output. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term> + <option><replaceable>target_user</replaceable></option> + </term> + <listitem> + <para> + By default <command>pam_timestamp_check</command> checks or removes + timestamps generated by <emphasis>pam_timestamp</emphasis> when + the user authenticates as herself. When the user authenticates as a + different user, the name of the timestamp file changes to + accommodate this. <replaceable>target_user</replaceable> allows + to specify this user name. + </para> + </listitem> + </varlistentry> + </variablelist> + </refsect1> + + <refsect1 id='pam_timestamp_check-return_values'> + <title>RETURN VALUES</title> + <variablelist> + <varlistentry> + <term>0</term> + <listitem> + <para> + The timestamp is valid. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>2</term> + <listitem> + <para> + The binary is not setuid root. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>3</term> + <listitem> + <para> + Invalid invocation. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>4</term> + <listitem> + <para> + User is unknown. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>5</term> + <listitem> + <para> + Permissions error. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>6</term> + <listitem> + <para> + Invalid controlling tty. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>7</term> + <listitem> + <para> + Timestamp is not valid. + </para> + </listitem> + </varlistentry> + </variablelist> + </refsect1> + + <refsect1 id='pam_timestamp-notes'> + <title>NOTES</title> + <para> + Users can get confused when they are not always asked for passwords when +running a given program. Some users reflexively begin typing information before +noticing that it is not being asked for. + </para> + </refsect1> + + <refsect1 id='pam_timestamp-examples'> + <title>EXAMPLES</title> + <programlisting> +auth sufficient pam_timestamp.so verbose +auth required pam_unix.so + +session required pam_unix.so +session optional pam_timestamp.so + </programlisting> + </refsect1> + + <refsect1 id="pam_timestamp-files"> + <title>FILES</title> + <variablelist> + <varlistentry> + <term><filename>/var/run/sudo/...</filename></term> + <listitem> + <para>timestamp files and directories</para> + </listitem> + </varlistentry> + </variablelist> + </refsect1> + + <refsect1 id='pam_timestamp-see_also'> + <title>SEE ALSO</title> + <para> + <citerefentry> + <refentrytitle>pam_timestamp_check</refentrytitle><manvolnum>8</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam.conf</refentrytitle><manvolnum>5</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> + </citerefentry> + </para> + </refsect1> + + <refsect1 id='pam_timestamp-author'> + <title>AUTHOR</title> + <para> + pam_tally was written by Nalin Dahyabhai. + </para> + </refsect1> + +</refentry> + diff --git a/modules/pam_timestamp/pam_timestamp_check.c b/modules/pam_timestamp/pam_timestamp_check.c new file mode 100644 index 00000000..52b5a95a --- /dev/null +++ b/modules/pam_timestamp/pam_timestamp_check.c @@ -0,0 +1,42 @@ +/****************************************************************************** + * A module for Linux-PAM that will cache authentication results, inspired by + * (and implemented with an eye toward being mixable with) sudo. + * + * Copyright (c) 2002 Red Hat, Inc. + * Written by Nalin Dahyabhai <nalin@redhat.com> + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, and the entire permission notice in its entirety, + * including the disclaimer of warranties. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. The name of the author may not be used to endorse or promote + * products derived from this software without specific prior + * written permission. + * + * ALTERNATIVELY, this product may be distributed under the terms of + * the GNU Public License, in which case the provisions of the GPL are + * required INSTEAD OF the above restrictions. (This clause is + * necessary due to a potential bad interaction between the GPL and + * the restrictions contained in a BSD-style copyright.) + * + * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED + * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE + * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * + */ + +#define PAM_TIMESTAMP_MAIN 1 +#include "pam_timestamp.c" diff --git a/modules/pam_timestamp/sha1.c b/modules/pam_timestamp/sha1.c new file mode 100644 index 00000000..e6705eb5 --- /dev/null +++ b/modules/pam_timestamp/sha1.c @@ -0,0 +1,254 @@ +/* Yet another SHA-1 implementation. + * + * Copyright (c) 2003 Red Hat, Inc. + * Written by Nalin Dahyabhai <nalin@redhat.com> + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, and the entire permission notice in its entirety, + * including the disclaimer of warranties. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. The name of the author may not be used to endorse or promote + * products derived from this software without specific prior + * written permission. + * + * ALTERNATIVELY, this product may be distributed under the terms of + * the GNU Public License, in which case the provisions of the GPL are + * required INSTEAD OF the above restrictions. (This clause is + * necessary due to a potential bad interaction between the GPL and + * the restrictions contained in a BSD-style copyright.) + * + * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED + * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE + * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * + */ +/* See http://www.itl.nist.gov/fipspubs/fip180-1.htm for descriptions. */ + +#include <sys/types.h> +#include <sys/stat.h> +#include <netinet/in.h> +#include <fcntl.h> +#include <stdio.h> +#include <stdlib.h> +#include <string.h> +#include <endian.h> +#include <unistd.h> +#include "sha1.h" + +static unsigned char +padding[SHA1_BLOCK_SIZE] = { + 0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, + 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, + 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, + 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, +}; + +static u_int32_t +F(u_int32_t b, u_int32_t c, u_int32_t d) +{ + return (b & c) | ((~b) & d); +} + +static u_int32_t +G(u_int32_t b, u_int32_t c, u_int32_t d) +{ + return b ^ c ^ d; +} + +static u_int32_t +H(u_int32_t b, u_int32_t c, u_int32_t d) +{ + return (b & c) | (b & d) | (c & d); +} + +static u_int32_t +RL(u_int32_t n, u_int32_t s) +{ + return (n << s) | (n >> (32 - s)); +} + +static u_int32_t +sha1_round(u_int32_t (*FUNC)(u_int32_t, u_int32_t, u_int32_t), + u_int32_t a, u_int32_t b, u_int32_t c, u_int32_t d, u_int32_t e, + u_int32_t i, u_int32_t n) +{ + return RL(a, 5) + FUNC(b, c, d) + e + i + n; +} + +void +sha1_init(struct sha1_context *ctx) +{ + memset(ctx, 0, sizeof(*ctx)); + ctx->a = 0x67452301; + ctx->b = 0xefcdab89; + ctx->c = 0x98badcfe; + ctx->d = 0x10325476; + ctx->e = 0xc3d2e1f0; +} + +static void +sha1_process(struct sha1_context *ctx, u_int32_t buffer[SHA1_BLOCK_SIZE / 4]) +{ + u_int32_t a, b, c, d, e, temp; + u_int32_t data[80]; + int i; + + for (i = 0; i < 16; i++) { + data[i] = htonl(buffer[i]); + } + for (i = 16; i < 80; i++) { + data[i] = RL(data[i - 3] ^ data[i - 8] ^ data[i - 14] ^ data[i - 16], 1); + } + + a = ctx->a; + b = ctx->b; + c = ctx->c; + d = ctx->d; + e = ctx->e; + + for (i = 0; i < 20; i++) { + temp = sha1_round(F, a, b, c, d, e, data[i], 0x5a827999); + e = d; d = c; c = RL(b, 30); b = a; a = temp; + } + for (i = 20; i < 40; i++) { + temp = sha1_round(G, a, b, c, d, e, data[i], 0x6ed9eba1); + e = d; d = c; c = RL(b, 30); b = a; a = temp; + } + for (i = 40; i < 60; i++) { + temp = sha1_round(H, a, b, c, d, e, data[i], 0x8f1bbcdc); + e = d; d = c; c = RL(b, 30); b = a; a = temp; + } + for (i = 60; i < 80; i++) { + temp = sha1_round(G, a, b, c, d, e, data[i], 0xca62c1d6); + e = d; d = c; c = RL(b, 30); b = a; a = temp; + } + + ctx->a += a; + ctx->b += b; + ctx->c += c; + ctx->d += d; + ctx->e += e; + + memset(buffer, 0, sizeof(buffer[0]) * SHA1_BLOCK_SIZE / 4); + memset(data, 0, sizeof(data)); +} + +void +sha1_update(struct sha1_context *ctx, const unsigned char *data, size_t length) +{ + size_t i = 0, l = length, c, t; + u_int32_t count = 0; + + /* Process any pending + data blocks. */ + while (l + ctx->pending_count >= SHA1_BLOCK_SIZE) { + c = ctx->pending_count; + t = SHA1_BLOCK_SIZE - c; + memcpy(ctx->pending + c, &data[i], t); + sha1_process(ctx, (u_int32_t*) ctx->pending); + i += t; + l -= t; + ctx->pending_count = 0; + } + + /* Save what's left of the data block as a pending data block. */ + c = ctx->pending_count; + memcpy(ctx->pending + c, &data[i], l); + ctx->pending_count += l; + + /* Update the message length. */ + ctx->count += length; + + /* Update our internal counts. */ + if (length != 0) { + count = ctx->counts[0]; + ctx->counts[0] += length; + if (count >= ctx->counts[0]) { + ctx->counts[1]++; + } + } +} + +size_t +sha1_output(struct sha1_context *ctx, unsigned char *out) +{ + struct sha1_context ctx2; + + /* Output the sum. */ + if (out != NULL) { + u_int32_t c; + memcpy(&ctx2, ctx, sizeof(ctx2)); + + /* Pad this block. */ + c = ctx2.pending_count; + memcpy(ctx2.pending + c, + padding, SHA1_BLOCK_SIZE - c); + + /* Do we need to process two blocks now? */ + if (c >= (SHA1_BLOCK_SIZE - (sizeof(u_int32_t) * 2))) { + /* Process this block. */ + sha1_process(&ctx2, + (u_int32_t*) ctx2.pending); + /* Set up another block. */ + ctx2.pending_count = 0; + memset(ctx2.pending, 0, SHA1_BLOCK_SIZE); + ctx2.pending[0] = + (c == SHA1_BLOCK_SIZE) ? 0x80 : 0; + } + + /* Process the final block. */ + ctx2.counts[1] <<= 3; + if (ctx2.counts[0] >> 29) { + ctx2.counts[1] |= + (ctx2.counts[0] >> 29); + } + ctx2.counts[0] <<= 3; + ctx2.counts[0] = htonl(ctx2.counts[0]); + ctx2.counts[1] = htonl(ctx2.counts[1]); + memcpy(ctx2.pending + 56, + &ctx2.counts[1], sizeof(u_int32_t)); + memcpy(ctx2.pending + 60, + &ctx2.counts[0], sizeof(u_int32_t)); + sha1_process(&ctx2, (u_int32_t*) ctx2.pending); + + /* Output the data. */ + out[ 3] = (ctx2.a >> 0) & 0xff; + out[ 2] = (ctx2.a >> 8) & 0xff; + out[ 1] = (ctx2.a >> 16) & 0xff; + out[ 0] = (ctx2.a >> 24) & 0xff; + + out[ 7] = (ctx2.b >> 0) & 0xff; + out[ 6] = (ctx2.b >> 8) & 0xff; + out[ 5] = (ctx2.b >> 16) & 0xff; + out[ 4] = (ctx2.b >> 24) & 0xff; + + out[11] = (ctx2.c >> 0) & 0xff; + out[10] = (ctx2.c >> 8) & 0xff; + out[ 9] = (ctx2.c >> 16) & 0xff; + out[ 8] = (ctx2.c >> 24) & 0xff; + + out[15] = (ctx2.d >> 0) & 0xff; + out[14] = (ctx2.d >> 8) & 0xff; + out[13] = (ctx2.d >> 16) & 0xff; + out[12] = (ctx2.d >> 24) & 0xff; + + out[19] = (ctx2.e >> 0) & 0xff; + out[18] = (ctx2.e >> 8) & 0xff; + out[17] = (ctx2.e >> 16) & 0xff; + out[16] = (ctx2.e >> 24) & 0xff; + } + + return SHA1_OUTPUT_SIZE; +} diff --git a/modules/pam_timestamp/sha1.h b/modules/pam_timestamp/sha1.h new file mode 100644 index 00000000..667b87ca --- /dev/null +++ b/modules/pam_timestamp/sha1.h @@ -0,0 +1,60 @@ +/* Yet another SHA-1 implementation. + * + * Copyright (c) 2003 Red Hat, Inc. + * Written by Nalin Dahyabhai <nalin@redhat.com> + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, and the entire permission notice in its entirety, + * including the disclaimer of warranties. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. The name of the author may not be used to endorse or promote + * products derived from this software without specific prior + * written permission. + * + * ALTERNATIVELY, this product may be distributed under the terms of + * the GNU Public License, in which case the provisions of the GPL are + * required INSTEAD OF the above restrictions. (This clause is + * necessary due to a potential bad interaction between the GPL and + * the restrictions contained in a BSD-style copyright.) + * + * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED + * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE + * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * + */ +#ifndef pam_timestamp_sha1_h +#define pam_timestamp_sha1_h + +#include <sys/types.h> + +#define SHA1_BLOCK_SIZE 64 + +struct sha1_context { + size_t count; + unsigned char pending[SHA1_BLOCK_SIZE]; + u_int32_t counts[2]; + size_t pending_count; + u_int32_t a, b, c, d, e; +}; + +#define SHA1_OUTPUT_SIZE 20 + +void sha1_init(struct sha1_context *ctx); +void sha1_update(struct sha1_context *ctx, + const unsigned char *data, size_t length); +size_t sha1_output(struct sha1_context *ctx, unsigned char *out); + +#endif diff --git a/modules/pam_timestamp/tst-pam_timestamp b/modules/pam_timestamp/tst-pam_timestamp new file mode 100755 index 00000000..1d425b83 --- /dev/null +++ b/modules/pam_timestamp/tst-pam_timestamp @@ -0,0 +1,2 @@ +#!/bin/sh +../../tests/tst-dlopen .libs/pam_timestamp.so |