summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorNalin Dahyabhai <nalin@redhat.com>2010-04-20 18:07:53 -0400
committerNalin Dahyabhai <nalin@redhat.com>2010-04-20 18:07:53 -0400
commit590376832b48024102d0cfd4024465d2aa00f8c8 (patch)
treeddb307ef40228fcea936e8c82e5f65ae5d47a116
downloadpam_rps-590376832b48024102d0cfd4024465d2aa00f8c8.tar.gz
pam_rps-590376832b48024102d0cfd4024465d2aa00f8c8.tar.xz
pam_rps-590376832b48024102d0cfd4024465d2aa00f8c8.zip
- import the last version before this module was dropped from pam-redhat
-rw-r--r--Makefile.am21
-rw-r--r--README12
-rw-r--r--pam_rps.835
-rw-r--r--pam_rps.c139
4 files changed, 207 insertions, 0 deletions
diff --git a/Makefile.am b/Makefile.am
new file mode 100644
index 0000000..756d68b
--- /dev/null
+++ b/Makefile.am
@@ -0,0 +1,21 @@
+#
+# Copyright (c) 2005 Thorsten Kukuk <kukuk@suse.de>
+# Copyright (c) 2005 Red Hat, Inc.
+#
+
+CLEANFILES = *~
+
+man_MANS = pam_rps.8
+EXTRA_DIST = README $(man_MANS)
+
+securelibdir = $(SECUREDIR)
+secureconfdir = $(SCONFIGDIR)
+
+AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include
+AM_LDFLAGS = -no-undefined -avoid-version -module \
+ -L$(top_builddir)/libpam -lpam
+if HAVE_VERSIONING
+ AM_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map
+endif
+
+securelib_LTLIBRARIES = pam_rps.la
diff --git a/README b/README
new file mode 100644
index 0000000..a108d84
--- /dev/null
+++ b/README
@@ -0,0 +1,12 @@
+pam_rps:
+ A primitive challenge-response authentication module.
+
+RECOGNIZED ARGUMENTS:
+ debug write debugging messages to syslog
+ throw= control the challenge issued
+
+MODULE SERVICES PROVIDED:
+ authentication
+
+AUTHOR:
+ Nalin Dahyabhai <nalin@redhat.com>
diff --git a/pam_rps.8 b/pam_rps.8
new file mode 100644
index 0000000..a3e3c23
--- /dev/null
+++ b/pam_rps.8
@@ -0,0 +1,35 @@
+.\" Copyright 2003 Red Hat, Inc.
+.\" Written by Nalin Dahyabhai <nalin@redhat.com>
+.TH pam_rps 8 2003/6/30 "Red Hat Linux" "System Administrator's Manual"
+
+.SH NAME
+pam_rps \- challenge-response authentication
+
+.SH SYNOPSIS
+.B auth sufficient pam_rps.so
+
+.SH DESCRIPTION
+pam_rps.so is designed to provide a true challenge-response authentication
+mechanism for PAM-enabled applications.
+
+Without pam_rps, successful authentication can only occur for a user if the
+user has previously established an authentication token for use with the
+server. Using pam_rps removes this limitation.
+
+.SH ARGUMENTS
+.IP debug
+Enable module debugging. The module will log its progress to syslog.
+.IP throw=\fInumber\fP
+The challenge issued to the user is derived from a random number. This
+argument allows the administrator to control which challenge will be presented
+to the user. This argument is meant for use only when debugging.
+
+.SH NOTES
+Never use this module.
+
+.SH BUGS
+Let's hope not, but if you find any, please report them via the "Bug Track"
+link at http://bugzilla.redhat.com/bugzilla/
+
+.SH AUTHOR
+Nalin Dahyabhai <nalin@redhat.com>
diff --git a/pam_rps.c b/pam_rps.c
new file mode 100644
index 0000000..a68c0ab
--- /dev/null
+++ b/pam_rps.c
@@ -0,0 +1,139 @@
+/******************************************************************************
+ * A truly challenge-response module for PAM.
+ *
+ * Copyright (c) 2003 Red Hat, Inc.
+ * Written by Nalin Dahyabhai <nalin@redhat.com>
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, and the entire permission notice in its entirety,
+ * including the disclaimer of warranties.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote
+ * products derived from this software without specific prior
+ * written permission.
+ *
+ * ALTERNATIVELY, this product may be distributed under the terms of
+ * the GNU Public License, in which case the provisions of the GPL are
+ * required INSTEAD OF the above restrictions. (This clause is
+ * necessary due to a potential bad interaction between the GPL and
+ * the restrictions contained in a BSD-style copyright.)
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
+ * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+ * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+#include <sys/types.h>
+#include <fcntl.h>
+#include <stdlib.h>
+#include <string.h>
+#include <syslog.h>
+#include <unistd.h>
+#include <errno.h>
+#include <security/pam_modules.h>
+#include <security/_pam_macros.h>
+#include <security/pam_ext.h>
+
+int
+pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv)
+{
+ const char *values[] = {
+ "\x72\x6f\x63\x6b",
+ "\x70\x61\x70\x65\x72",
+ "\x73\x63\x69\x73\x73\x6f\x72\x73"};
+ char prompt_text[32] = "";
+ const char *want = "";
+ char *response = NULL;
+
+ int debug = 0;
+
+ int ret, fd, r, i;
+ unsigned char c;
+
+ for (i = 0; i < argc; i++) {
+ if (strcmp(argv[i], "debug") == 0) {
+ debug = 1;
+ break;
+ }
+ }
+
+ r = -1;
+ for (i = 0; i < argc; i++) {
+ if (strncmp(argv[i], "throw=", 6) == 0) {
+ r = atol(argv[i] + 6) % 3;
+ break;
+ }
+ }
+ if (r == -1) {
+ r = 0;
+ fd = open("/dev/urandom", O_RDONLY);
+ if (fd != -1) {
+ c = 0;
+ do {
+ ret = read(fd, &c, 1);
+ } while ( ((ret == 1) && (c == 0xff)) ||
+ ((ret == -1) && (errno == EINTR)) );
+ /* We drop 0xff here to avoid a variation on
+ * Bleichenbacher's attack. */
+ r = c / 85;
+ close(fd);
+ }
+ else /* Something is wrong with /dev/urandom */
+ return PAM_CONV_ERR;
+ }
+ switch (r) {
+ case 0:
+ strcpy(prompt_text, values[0]);
+ want = values[1];
+ break;
+ case 1:
+ strcpy(prompt_text, values[1]);
+ want = values[2];
+ break;
+ case 2:
+ strcpy(prompt_text, values[2]);
+ want = values[0];
+ break;
+ }
+ if (debug) {
+ pam_syslog(pamh, LOG_DEBUG, "challenge is \"%s\", "
+ "expected response is \"%s\"", prompt_text, want);
+ }
+ ret = pam_prompt(pamh, PAM_PROMPT_ECHO_OFF, &response, "%s: ", prompt_text);
+ if (ret != PAM_SUCCESS) {
+ pam_syslog(pamh, LOG_CRIT,
+ "conversation error");
+ return PAM_CONV_ERR;
+ }
+ if ((response != NULL) &&
+ (strcasecmp(response, want) == 0)) {
+ ret = PAM_SUCCESS;
+ } else {
+ ret = PAM_AUTH_ERR;
+ }
+ if (response) {
+ _pam_overwrite(response);
+ free(response);
+ }
+ return ret;
+}
+
+int
+pam_sm_setcred(pam_handle_t *pamh, int flags, int argc, const char **argv)
+{
+ return PAM_SUCCESS;
+}