From 62101bd49ce2f8b797d361c87762853c56d2481a Mon Sep 17 00:00:00 2001 From: Thorsten Kukuk Date: Wed, 28 Jun 2006 07:22:40 +0000 Subject: Relevant BUGIDs: Purpose of commit: new feature/big release cleanup Commit summary: --------------- Big cleanup to get 0.99.5.0 release done: 2006-06-28 Thorsten Kukuk * bump version number to 0.99.5.0 * modules/pam_rhosts/pam_rhosts.c: New module, replaces pam_rhosts_auth.so. * modules/pam_rhosts/pam_rhosts.8.xml: New. * modules/pam_rhosts/pam_rhosts.8: New, generated from XML source. * modules/pam_rhosts/tst-pam_rhosts: New. * modules/pam_rhosts/Makefile.am: Add pam_rhosts, generate manual page and README. * modules/pam_rhosts/README.xml: New. * modules/pam_rhosts/reADME: Regenerated from XML source. * doc/man/pam_sm_acct_mgmt.3.xml: Adjust syntax for module writers guide. * doc/man/pam_sm_authenticate.3.xml: Likewise. * doc/man/pam_sm_chauthtok.3.xml: Likewise. * doc/man/pam_sm_close_session.3.xml: Likewise. * doc/man/pam_sm_open_session.3.xml: Likewise. * doc/man/pam_sm_setcred.3.xml: Likewise. * po/POTFILES.in: Add new source files. * libpam/pam_static_modules.h: Add new modules. * modules/pam_keyinit.c: Add _pam_keyinit_modstruct. --- modules/pam_rhosts/Makefile.am | 17 +++- modules/pam_rhosts/README | 81 ++++++++-------- modules/pam_rhosts/README.xml | 41 ++++++++ modules/pam_rhosts/pam_rhosts.8 | 98 +++++++++++++++++++ modules/pam_rhosts/pam_rhosts.8.xml | 171 +++++++++++++++++++++++++++++++++ modules/pam_rhosts/pam_rhosts.c | 155 ++++++++++++++++++++++++++++++ modules/pam_rhosts/tst-pam_rhosts | 2 +- modules/pam_rhosts/tst-pam_rhosts_auth | 2 + 8 files changed, 522 insertions(+), 45 deletions(-) create mode 100644 modules/pam_rhosts/README.xml create mode 100644 modules/pam_rhosts/pam_rhosts.8 create mode 100644 modules/pam_rhosts/pam_rhosts.8.xml create mode 100644 modules/pam_rhosts/pam_rhosts.c create mode 100755 modules/pam_rhosts/tst-pam_rhosts_auth (limited to 'modules/pam_rhosts') 
diff --git a/modules/pam_rhosts/Makefile.am b/modules/pam_rhosts/Makefile.am index 5c8cc188..d4ca7578 100644 --- a/modules/pam_rhosts/Makefile.am +++ b/modules/pam_rhosts/Makefile.am @@ -4,9 +4,13 @@ CLEANFILES = *~ -EXTRA_DIST = README tst-pam_rhosts +EXTRA_DIST = README $(MANS) $(XMLS) tst-pam_rhosts_auth tst-pam_rhosts -TESTS = tst-pam_rhosts +TESTS = tst-pam_rhosts_auth tst-pam_rhosts + +man_MANS = pam_rhosts.8 + +XMLS = README.xml pam_rhosts.8.xml securelibdir = $(SECUREDIR) secureconfdir = $(SCONFIGDIR) @@ -18,4 +22,11 @@ if HAVE_VERSIONING AM_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map endif -securelib_LTLIBRARIES = pam_rhosts_auth.la +securelib_LTLIBRARIES = pam_rhosts_auth.la pam_rhosts.la + +if ENABLE_REGENERATE_MAN +noinst_DATA = README +README: pam_rhosts.8.xml +-include $(top_srcdir)/Make.xml.rules +endif + diff --git a/modules/pam_rhosts/README b/modules/pam_rhosts/README index d2e93d1d..b1911785 100644 --- a/modules/pam_rhosts/README +++ b/modules/pam_rhosts/README 
@@ -1,57 +1,56 @@ -arguments recognized: +pam_rhosts — The rhosts PAM module -"no_hosts_equiv" -"no_rhosts" -"debug" -"nowarn" -"suppress" -"promiscuous" +━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ -.rhosts/hosts.equiv format: +DESCRIPTION -There are positive entries, when one is matched authentication -succeeds and terminates. There are negative entries, when one is -matched authentication fails and terminates. Thus order is -significant. +This module performs the standard network authentication for services, as used +by traditional implementations of rlogin and rsh etc. -Entry hosts.equiv .rhosts - All users on are ok Same username from is ok - from is ok ditto -- No users from are ok ditto - - from is not ok ditto +The authentication mechanism of this module is based on the contents of two +files; /etc/hosts.equiv (or and ~/.rhosts. Firstly, hosts listed in the former +file are treated as equivalent to the localhost. Secondly, entries in the +user's own copy of the latter file is used to map "remote-host remote-user" +pairs to that user's account on the current host. Access is granted to the user +if their host is present in /etc/hosts.equiv and their remote account is +identical to their local one, or if their remote account has an entry in their +personal configuration file. - can be ip (IPv4) numbers. +The module authenticates a remote user (internally specified by the item +PAM_RUSER connecting from the remote host (internally specified by the item +PAM_RHOST). Accordingly, for applications to be compatible this authentication +module they must set these items prior to calling pam_authenticate(). The +module is not capable of independently probing the network connection for such +information. -Netgroups may be used in either host or user fields, and then applies -to all hosts, or users, in the netgroup. The syntax is +OPTIONS - +@ +debug -The entries + Print debug information. 
- +@ - +@ +@ - +@ +silent -means exactly what you think it does. Negative entries are of the -form + Don't print informative messages. - -@ +superuser=account -When the "promiscuous" option is given the special character + may be -used as a wildcard in any field. + Handle account as root. - + Allow anyone from any host to connect. DANGEROUS. - + + Ditto. - + Allow the user to connect from anywhere. DANGEROUS. - + Allow any user from the host. Dangerous. - -These, perhaps more useful, forms of the + form is also disallowed -unless "promiscuous" is specified: +EXAMPLES - + - Disallow the user from any host - + -@ Disallow all members of the netgroup from any host +To grant a remote user access by /etc/hosts.equiv or .rhosts for rsh add the +following lines to /etc/pam.d/rsh: -When "promiscuous" is not specified a '+' is handled as a negative -match. +#%PAM-1.0 +# +auth required pam_rhosts.so +auth required pam_nologin.so +auth required pam_env.so +auth required pam_unix.so + + +AUTHOR + +pam_rhosts was written by Thorsten Kukuk diff --git a/modules/pam_rhosts/README.xml b/modules/pam_rhosts/README.xml new file mode 100644 index 00000000..5d3307e7 --- /dev/null +++ b/modules/pam_rhosts/README.xml @@ -0,0 +1,41 @@ + + +--> +]> + +
+ + + + + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_rhosts.8.xml" xpointer='xpointer(//refnamediv[@id = "pam_rhosts-name"]/*)'/> + + + + +
+ +
+ +
+ +
+ +
+ +
+ +
+ +
+ +
diff --git a/modules/pam_rhosts/pam_rhosts.8 b/modules/pam_rhosts/pam_rhosts.8 new file mode 100644 index 00000000..0d7f4a16 --- /dev/null +++ b/modules/pam_rhosts/pam_rhosts.8 
@@ -0,0 +1,98 @@ +.\" Title: pam_rhosts +.\" Author: +.\" Generator: DocBook XSL Stylesheets v1.70.1 +.\" Date: 06/28/2006 +.\" Manual: Linux\-PAM Manual +.\" Source: Linux\-PAM Manual +.\" +.TH "PAM_RHOSTS" "8" "06/28/2006" "Linux\-PAM Manual" "Linux\-PAM Manual" +.\" disable hyphenation +.nh +.\" disable justification (adjust text to left margin only) +.ad l +.SH "NAME" +pam_rhosts \- The rhosts PAM module +.SH "SYNOPSIS" +.HP 14 +\fBpam_rhosts.so\fR +.SH "DESCRIPTION" +.PP +This module performs the standard network authentication for services, as used by traditional implementations of +\fBrlogin\fR +and +\fBrsh\fR +etc. +.PP +The authentication mechanism of this module is based on the contents of two files; +\fI/etc/hosts.equiv\fR +(or and +\fI~/.rhosts\fR. Firstly, hosts listed in the former file are treated as equivalent to the localhost. Secondly, entries in the user's own copy of the latter file is used to map "\fIremote\-host remote\-user\fR" pairs to that user's account on the current host. Access is granted to the user if their host is present in +\fI/etc/hosts.equiv\fR +and their remote account is identical to their local one, or if their remote account has an entry in their personal configuration file. +.PP +The module authenticates a remote user (internally specified by the item +\fIPAM_RUSER\fR +connecting from the remote host (internally specified by the item +\fBPAM_RHOST\fR). Accordingly, for applications to be compatible this authentication module they must set these items prior to calling +\fBpam_authenticate()\fR. The module is not capable of independently probing the network connection for such information. +.SH "OPTIONS" +.TP 3n +\fBdebug\fR +Print debug information. +.TP 3n +\fBsilent\fR +Don't print informative messages. +.TP 3n +\fBsuperuser=\fR\fB\fIaccount\fR\fR +Handle +\fIaccount\fR +as root. +.SH "MODULE SERVICES PROVIDED" +.PP +Only the +\fBauth\fR +service is supported. 
+.SH "RETURN VALUES" +.TP 3n +PAM_AUTH_ERR +The remote host, remote user name or the local user name couldn't be determined or access was denied by +\fI.rhosts\fR +file. +.TP 3n +PAM_USER_UNKNOWN +User is not known to system. +.SH "EXAMPLES" +.PP +To grant a remote user access by +\fI/etc/hosts.equiv\fR +or +\fI.rhosts\fR +for +\fBrsh\fR +add the following lines to +\fI/etc/pam.d/rsh\fR: +.sp +.RS 3n +.nf +#%PAM\-1.0 +# +auth required pam_rhosts.so +auth required pam_nologin.so +auth required pam_env.so +auth required pam_unix.so + +.fi +.RE +.sp +.SH "SEE ALSO" +.PP + +\fBrootok\fR(3), +\fBhosts.equiv\fR(5), +\fBrhosts\fR(5), +\fBpam.conf\fR(5), +\fBpam.d\fR(8), +\fBpam\fR(8) +.SH "AUTHOR" +.PP +pam_rhosts was written by Thorsten Kukuk diff --git a/modules/pam_rhosts/pam_rhosts.8.xml b/modules/pam_rhosts/pam_rhosts.8.xml new file mode 100644 index 00000000..e559f315 --- /dev/null +++ b/modules/pam_rhosts/pam_rhosts.8.xml 
@@ -0,0 +1,171 @@ + + + + + + + pam_rhosts + 8 + Linux-PAM Manual + + + + pam_rhosts + The rhosts PAM module + + + + + pam_rhosts.so + + + + + + DESCRIPTION + + + This module performs the standard network authentication for services, + as used by traditional implementations of rlogin + and rsh etc. + + + The authentication mechanism of this module is based on the contents + of two files; /etc/hosts.equiv (or + and ~/.rhosts. Firstly, hosts listed in the + former file are treated as equivalent to the localhost. Secondly, + entries in the user's own copy of the latter file is used to map + "remote-host remote-user" pairs to that user's + account on the current host. Access is granted to the user if their + host is present in /etc/hosts.equiv and their + remote account is identical to their local one, or if their remote + account has an entry in their personal configuration file. + + + The module authenticates a remote user (internally specified by the + item PAM_RUSER connecting from the remote + host (internally specified by the item PAM_RHOST). + Accordingly, for applications to be compatible this authentication + module they must set these items prior to calling + pam_authenticate(). The module is not capable + of independently probing the network connection for such information. + + + + + OPTIONS + + + + + + + + Print debug information. + + + + + + + + + + Don't print informative messages. + + + + + + + + + + Handle account as root. + + + + + + + + MODULE SERVICES PROVIDED + + Only the service is supported. + + + + + RETURN VALUES + + + PAM_AUTH_ERR + + + The remote host, remote user name or the local user name + couldn't be determined or access was denied by + .rhosts file. + + + + + PAM_USER_UNKNOWN + + + User is not known to system. 
+ + + + + + + + EXAMPLES + + To grant a remote user access by /etc/hosts.equiv + or .rhosts for rsh add the + following lines to /etc/pam.d/rsh: + +#%PAM-1.0 +# +auth required pam_rhosts.so +auth required pam_nologin.so +auth required pam_env.so +auth required pam_unix.so + + + + + + SEE ALSO + + + rootok3 + , + + hosts.equiv5 + , + + rhosts5 + , + + pam.conf5 + , + + pam.d8 + , + + pam8 + + + + + + AUTHOR + + pam_rhosts was written by Thorsten Kukuk <kukuk@thkukuk.de> + + + + diff --git a/modules/pam_rhosts/pam_rhosts.c b/modules/pam_rhosts/pam_rhosts.c new file mode 100644 index 00000000..8e120614 --- /dev/null +++ b/modules/pam_rhosts/pam_rhosts.c 
@@ -0,0 +1,155 @@
+/*
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, and the entire permission notice in its entirety,
+ * including the disclaimer of warranties.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote
+ * products derived from this software without specific prior
+ * written permission.
+ *
+ * ALTERNATIVELY, this product may be distributed under the terms of
+ * the GNU Public License, in which case the provisions of the GPL are
+ * required INSTEAD OF the above restrictions. (This clause is
+ * necessary due to a potential bad interaction between the GPL and
+ * the restrictions contained in a BSD-style copyright.)
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
+ * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+ * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+#include "config.h"
+
+#include
+#include
+#include
+#include
+
+#define PAM_SM_AUTH /* only defines this management group */
+
+#include
+#include
+#include
+
+PAM_EXTERN
+int pam_sm_authenticate (pam_handle_t *pamh, int flags, int argc,
+ const char **argv)
+{
+ const char *luser = NULL;
+ const char *ruser = NULL, *rhost = NULL;
+ const char *opt_superuser = NULL;
+ const void *c_void;
+ int opt_debug = 0;
+ int opt_silent;
+ int as_root;
+ int retval;
+
+ opt_silent = flags & PAM_SILENT;
+
+ while (argc-- > 0) {
+ if (strcmp(*argv, "debug") == 0)
+ opt_debug = 1;
+ else if (strcmp (*argv, "silent") == 0 || strcmp(*argv, "suppress") == 0)
+ opt_silent = 1;
+ else if (strncmp(*argv, "superuser=", sizeof("superuser=")-1) == 0)
+ opt_superuser = *argv+sizeof("superuser=")-1;
+ else
+ pam_syslog(pamh, LOG_WARNING, "unrecognized option '%s'", *argv);
+
+ ++argv;
+ }
+
+ retval = pam_get_item (pamh, PAM_RHOST, &c_void);
+ if (retval != PAM_SUCCESS) {
+ pam_syslog(pamh, LOG_ERR, "could not get the remote host name");
+ return retval;
+ }
+ rhost = c_void;
+
+ retval = pam_get_item(pamh, PAM_RUSER, &c_void);
+ ruser = c_void;
+ if (retval != PAM_SUCCESS) {
+ pam_syslog(pamh, LOG_ERR, "could not get the remote username");
+ return retval;
+ }
+
+ retval = pam_get_user(pamh, &luser, NULL);
+ if (retval != PAM_SUCCESS) {
+ pam_syslog(pamh, LOG_ERR, "could not determine name of local user");
+ return retval;
+ }
+
+ if (rhost == NULL || ruser == NULL || luser == NULL)
+ return PAM_AUTH_ERR;
+
+ if (opt_superuser && strcmp(opt_superuser, luser) == 0)
+ as_root = 1;
+ else {
+ struct passwd *lpwd;
+
+ lpwd = pam_modutil_getpwnam(pamh, luser);
+ if (lpwd == NULL) {
+ if (opt_debug)
+ /* don't print by default, could be the users password */
+ pam_syslog(pamh, LOG_DEBUG,
+ "user '%s' unknown to this system", luser);
+ return PAM_USER_UNKNOWN;
+
+ }
+ as_root = (lpwd->pw_uid == 0);
+ }
+
+#ifdef HAVE_RUSEROK_AF
+ retval = ruserok_af (rhost, as_root, ruser, luser,
PF_UNSPEC);
+#else
+ retval = ruserok (rhost, as_root, ruser, luser);
+#endif
+ if (retval != 0) {
+ if (!opt_silent || opt_debug)
+ pam_syslog(pamh, LOG_WARNING, "denied access to %s@%s as %s",
+ ruser, rhost, luser);
+ return PAM_AUTH_ERR;
+ } else {
+ if (!opt_silent || opt_debug)
+ pam_syslog(pamh, LOG_NOTICE, "allowed access to %s@%s as %s",
+ ruser, rhost, luser);
+ return PAM_SUCCESS;
+ }
+}
+
+
+PAM_EXTERN int
+pam_sm_setcred (pam_handle_t *pamh UNUSED, int flags UNUSED,
+ int argc UNUSED, const char **argv UNUSED)
+{
+ return PAM_SUCCESS;
+}
+
+
+#ifdef PAM_STATIC
+
+/* static module data */
+
+struct pam_module _pam_rhosts_modstruct = {
+ "pam_rhosts",
+ pam_sm_authenticate,
+ pam_sm_setcred,
+ NULL,
+ NULL,
+ NULL,
+ NULL,
+};
+
+#endif
diff --git a/modules/pam_rhosts/tst-pam_rhosts b/modules/pam_rhosts/tst-pam_rhosts
index 6b14ec51..65e85a98 100755
--- a/modules/pam_rhosts/tst-pam_rhosts
+++ b/modules/pam_rhosts/tst-pam_rhosts
@@ -1,2 +1,2 @@ #!/bin/sh
-../../tests/tst-dlopen .libs/pam_rhosts_auth.so
+../../tests/tst-dlopen .libs/pam_rhosts.so
diff --git a/modules/pam_rhosts/tst-pam_rhosts_auth b/modules/pam_rhosts/tst-pam_rhosts_auth
new file mode 100755
index 00000000..6b14ec51
--- /dev/null
+++ b/modules/pam_rhosts/tst-pam_rhosts_auth
@@ -0,0 +1,2 @@
+#!/bin/sh
+../../tests/tst-dlopen .libs/pam_rhosts_auth.so
-- cgit v1.2.3
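Review bot: The "denied access to %s@%s as %s" and "allowed access" syslog lines at the end of pam_sm_authenticate are skipped whenever the calling application passes PAM_SILENT, because `opt_silent = flags & PAM_SILENT;` feeds the same `if (!opt_silent || opt_debug)` gate as the `silent`/`suppress` module arguments; PAM_SILENT is generally understood to govern conversation messages shown to the user, so with it set a failed rhosts authentication leaves no syslog trace unless `debug` is also configured. Consider keeping the application flag separate from the administrator's option, e.g. declare `int opt_silent = 0;` and drop the `opt_silent = flags & PAM_SILENT;` assignment, so the denial warning is always recorded for audit and detection. Two documentation gaps in the same hunk: the `suppress` alias accepted by the option loop is not listed in the new README or man page in this commit, and the options the README diff removes (no_hosts_equiv, no_rhosts, nowarn, promiscuous) now only trigger the "unrecognized option" warning and are otherwise ignored, which is worth stating explicitly since the commit message presents pam_rhosts as the replacement for pam_rhosts_auth.so. The whole of pam_sm_authenticate is within this hunk.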