1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
|
/*
* FreeIPA 2FA companion daemon
*
* Authors: Nathaniel McCallum <npmccallum@redhat.com>
*
* Copyright (C) 2013 Nathaniel McCallum, Red Hat
* see file 'COPYING' for use and warranty information
*
* This program is free software you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
/*
* This file proxies the incoming RADIUS request (stdio.c/query.c) to a
* third-party RADIUS server if the user is configured for forwarding. The
* result is placed in the stdout queue (stdio.c).
*/
#include "internal.h"
static void forward_cb(krb5_error_code retval, const krad_packet *request,
const krad_packet *response, void *data)
{
krad_code code, acpt;
struct otpd_queue_item *item = data;
(void)request;
acpt = krad_code_name2num("Access-Accept");
code = krad_packet_get_code(response);
if (retval == 0 && code == acpt) {
item->sent = 0;
retval = krad_packet_new_response(ctx.kctx, SECRET, acpt,
NULL, item->req, &item->rsp);
}
otpd_log_req(item->req, "forward end: %s",
retval == 0
? krad_code_num2name(code)
: krb5_get_error_message(ctx.kctx, retval));
otpd_queue_push(&ctx.stdio.responses, item);
verto_set_flags(ctx.stdio.writer, VERTO_EV_FLAG_PERSIST |
VERTO_EV_FLAG_IO_ERROR |
VERTO_EV_FLAG_IO_READ |
VERTO_EV_FLAG_IO_WRITE);
}
krb5_error_code otpd_forward(struct otpd_queue_item **item)
{
krad_attr usernameid, passwordid;
const krb5_data *password;
krb5_error_code retval;
char *username;
krb5_data data;
/* Find the username. */
username = (*item)->user.ipatokenRadiusUserName;
if (username == NULL) {
username = (*item)->user.other;
if (username == NULL)
username = (*item)->user.uid;
}
/* Check to see if we are supposed to forward. */
if ((*item)->radius.ipatokenRadiusServer == NULL ||
(*item)->radius.ipatokenRadiusSecret == NULL ||
username == NULL)
return 0;
otpd_log_req((*item)->req, "forward start: %s / %s", username,
(*item)->radius.ipatokenRadiusServer);
usernameid = krad_attr_name2num("User-Name");
passwordid = krad_attr_name2num("User-Password");
/* Set User-Name. */
data.data = username;
data.length = strlen(data.data);
retval = krad_attrset_add(ctx.attrs, usernameid, &data);
if (retval != 0)
goto error;
/* Set User-Password. */
password = krad_packet_get_attr((*item)->req, passwordid, 0);
if (password == NULL) {
krad_attrset_del(ctx.attrs, usernameid, 0);
goto error;
}
retval = krad_attrset_add(ctx.attrs, passwordid, password);
if (retval != 0) {
krad_attrset_del(ctx.attrs, usernameid, 0);
goto error;
}
/* Forward the request to the RADIUS server. */
retval = krad_client_send(ctx.client,
krad_code_name2num("Access-Request"),
ctx.attrs,
(*item)->radius.ipatokenRadiusServer,
(*item)->radius.ipatokenRadiusSecret,
(*item)->radius.ipatokenRadiusTimeout,
(*item)->radius.ipatokenRadiusRetries,
forward_cb, *item);
krad_attrset_del(ctx.attrs, usernameid, 0);
krad_attrset_del(ctx.attrs, passwordid, 0);
if (retval == 0)
*item = NULL;
error:
if (retval != 0)
otpd_log_req((*item)->req, "forward end: %s",
krb5_get_error_message(ctx.kctx, retval));
return retval;
}
|
