[src/trunk]: src/usr.bin/login Add PAM support to login(8)
details: https://anonhg.NetBSD.org/src/rev/ccf695333744
branches: trunk
changeset: 573233:ccf695333744
user: manu <manu%NetBSD.org@localhost>
date: Sun Jan 23 09:47:43 2005 +0000
description:
Add PAM support to login(8)
diffstat:
usr.bin/login/Makefile | 46 +-
usr.bin/login/login_pam.c | 804 ++++++++++++++++++++++++++++++++++++++++++++++
2 files changed, 831 insertions(+), 19 deletions(-)
diffs (truncated from 878 to 300 lines):
diff -r cfeb756d5a27 -r ccf695333744 usr.bin/login/Makefile
--- a/usr.bin/login/Makefile Sun Jan 23 09:45:02 2005 +0000
+++ b/usr.bin/login/Makefile Sun Jan 23 09:47:43 2005 +0000
@@ -1,34 +1,23 @@
-# $NetBSD: Makefile,v 1.43 2005/01/20 15:41:14 xtraeme Exp $
+# $NetBSD: Makefile,v 1.44 2005/01/23 09:47:43 manu Exp $
# @(#)Makefile 8.1 (Berkeley) 7/19/93
.include <bsd.own.mk>
WARNS= 2
PROG= login
-SRCS= login.c copyrightstr.c
+SRCS= copyrightstr.c
DPADD+= ${LIBUTIL} ${LIBCRYPT}
LDADD+= -lutil -lcrypt
BINOWN= root
BINMODE=4555
+
+.if (${USE_PAM} != "no")
+SRCS+= login_pam.c
+LDADD+= -lpam
+.else
+SRCS+= login.c
CPPFLAGS+=-DLOGIN_CAP -DSUPPORT_UTMP -DSUPPORT_UTMPX
-.if (${USE_SKEY} != "no")
-CPPFLAGS+=-DSKEY
-DPADD+= ${LIBSKEY}
-LDADD+= -lskey
-.endif
-
-CLEANFILES+= copyrightstr.c
-
-copyrightstr.c: ${NETBSDSRCDIR}/sys/conf/copyright
- ${_MKTARGET_CREATE}
- rm -f ${.TARGET}
- awk '\
- BEGIN { print "const char copyrightstr[] =" }\
- { print "\""$$0"\\n\""}\
- END { print "\"\\n\";" }\
- ' ${.ALLSRC} > ${.TARGET}
-
.if (${USE_KERBEROS} != "no")
SRCS+= k5login.c
CPPFLAGS+=-DKERBEROS5 -I${DESTDIR}/usr/include/krb5
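Review bot: The new `.if (${USE_PAM} != "no")` branch adds `LDADD+= -lpam` without the matching `DPADD+= ${LIBPAM}` line that every other library in this Makefile pairs with its LDADD (`${LIBUTIL} ${LIBCRYPT}` on the DPADD line above, `${LIBSKEY}` in the S/Key block), so this setuid-root binary will not be relinked when libpam changes; add `DPADD+= ${LIBPAM}` next to it, assuming bsd.own.mk defines LIBPAM as it does the others. The PAM branch also omits the `-DLOGIN_CAP -DSUPPORT_UTMP -DSUPPORT_UTMPX` flags that remain only in the `.else` branch, while login_pam.c includes <login_cap.h> unconditionally and declares update_db(); if that file still conditionalizes utmp/utmpx or login.conf handling on those macros, this silently disables it under PAM — worth confirming against the full file, which is truncated here. Note the conditional opened in this hunk is closed by the `.endif` in the next hunk.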
@@ -46,4 +35,23 @@
LDADD+= -lcrypto -lroken -lcom_err
.endif
+.if (${USE_SKEY} != "no")
+CPPFLAGS+=-DSKEY
+DPADD+= ${LIBSKEY}
+LDADD+= -lskey
+.endif
+.endif
+
+CLEANFILES+= copyrightstr.c
+
+copyrightstr.c: ${NETBSDSRCDIR}/sys/conf/copyright
+ ${_MKTARGET_CREATE}
+ rm -f ${.TARGET}
+ awk '\
+ BEGIN { print "const char copyrightstr[] =" }\
+ { print "\""$$0"\\n\""}\
+ END { print "\"\\n\";" }\
+ ' ${.ALLSRC} > ${.TARGET}
+
+
.include <bsd.prog.mk>
diff -r cfeb756d5a27 -r ccf695333744 usr.bin/login/login_pam.c
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/usr.bin/login/login_pam.c Sun Jan 23 09:47:43 2005 +0000
@@ -0,0 +1,804 @@
+/* $NetBSD: login_pam.c,v 1.1 2005/01/23 09:47:43 manu Exp $ */
+
+/*-
+ * Copyright (c) 1980, 1987, 1988, 1991, 1993, 1994
+ * The Regents of the University of California. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. Neither the name of the University nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include <sys/cdefs.h>
+#ifndef lint
+__COPYRIGHT(
+"@(#) Copyright (c) 1980, 1987, 1988, 1991, 1993, 1994\n\
+ The Regents of the University of California. All rights reserved.\n");
+#endif /* not lint */
+
+#ifndef lint
+#if 0
+static char sccsid[] = "@(#)login.c 8.4 (Berkeley) 4/2/94";
+#endif
+__RCSID("$NetBSD: login_pam.c,v 1.1 2005/01/23 09:47:43 manu Exp $");
+#endif /* not lint */
+
+/*
+ * login [ name ]
+ * login -h hostname (for telnetd, etc.)
+ * login -f name (for pre-authenticated login: datakit, xterm, etc.)
+ */
+
+#include <sys/param.h>
+#include <sys/stat.h>
+#include <sys/time.h>
+#include <sys/resource.h>
+#include <sys/file.h>
+#include <sys/wait.h>
+#include <sys/socket.h>
+
+#include <err.h>
+#include <errno.h>
+#include <grp.h>
+#include <pwd.h>
+#include <setjmp.h>
+#include <signal.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <syslog.h>
+#include <time.h>
+#include <ttyent.h>
+#include <tzfile.h>
+#include <unistd.h>
+#include <util.h>
+#include <login_cap.h>
+#include <vis.h>
+
+#include <security/pam_appl.h>
+#include <security/openpam.h>
+
+#include "pathnames.h"
+
+void badlogin (char *);
+static void update_db (int);
+void getloginname (void);
+int main (int, char *[]);
+void motd (char *);
+int rootterm (char *);
+void sigint (int);
+void sleepexit (int);
+const char *stypeof (const char *);
+void timedout (int);
+void decode_ss (const char *);
+void usage (void);
+
+static struct pam_conv pamc = { openpam_ttyconv, NULL };
+
+#define TTYGRPNAME "tty" /* name of group to own ttys */
+
+#define DEFAULT_BACKOFF 3
+#define DEFAULT_RETRIES 10
+
+/*
+ * This bounds the time given to login. Not a define so it can
+ * be patched on machines where it's too small.
+ */
+u_int timeout = 300;
+
+struct passwd *pwd;
+int failures, have_ss;
+char term[64], *envinit[1], *hostname, *username, *tty, *nested;
+struct timeval now;
+struct sockaddr_storage ss;
+
+extern const char copyrightstr[];
+
+int
+main(int argc, char *argv[])
+{
+ extern char **environ;
+ struct stat st;
+ int ask, ch, cnt, fflag, hflag, pflag, sflag, quietlog, rootlogin;
+ int auth_passed;
+ int Fflag;
+ uid_t uid, saved_uid;
+ gid_t saved_gid, saved_gids[NGROUPS_MAX];
+ int nsaved_gids;
+ char *domain, *p, *ttyn, *pwprompt;
+ char tbuf[MAXPATHLEN + 2], tname[sizeof(_PATH_TTY) + 10];
+ char localhost[MAXHOSTNAMELEN + 1];
+ int need_chpass, require_chpass;
+ int login_retries = DEFAULT_RETRIES,
+ login_backoff = DEFAULT_BACKOFF;
+ char *shell = NULL;
+ login_cap_t *lc = NULL;
+ pam_handle_t *pamh = NULL;
+ int pam_err;
+ void *oint;
+ void *oabrt;
+ const void *newuser;
+ int pam_silent = PAM_SILENT;
+ pid_t xpid, pid;
+ int status;
+ char *saved_term;
+ char **pamenv;
+
+ tbuf[0] = '\0';
+ pwprompt = NULL;
+ nested = NULL;
+ need_chpass = require_chpass = 0;
+
+ (void)signal(SIGALRM, timedout);
+ (void)alarm(timeout);
+ (void)signal(SIGQUIT, SIG_IGN);
+ (void)signal(SIGINT, SIG_IGN);
+ (void)setpriority(PRIO_PROCESS, 0, 0);
+
+ openlog("login", 0, LOG_AUTH);
+
+ /*
+ * -p is used by getty to tell login not to destroy the environment
+ * -f is used to skip a second login authentication
+ * -h is used by other servers to pass the name of the remote host to
+ * login so that it may be placed in utmp/utmpx and wtmp/wtmpx
+ * -a in addition to -h, a server my supply -a to pass the actual
+ * server address.
+ * -s is used to force use of S/Key or equivalent.
+ */
+ domain = NULL;
+ if (gethostname(localhost, sizeof(localhost)) < 0)
+ syslog(LOG_ERR, "couldn't get local hostname: %m");
+ else
+ domain = strchr(localhost, '.');
+ localhost[sizeof(localhost) - 1] = '\0';
+
+ Fflag = fflag = hflag = pflag = sflag = 0;
+ have_ss = 0;
+ uid = getuid();
+ while ((ch = getopt(argc, argv, "a:Ffh:ps")) != -1)
+ switch (ch) {
+ case 'a':
+ if (uid)
+ errx(1, "-a option: %s", strerror(EPERM));
+ decode_ss(optarg);
+ break;
+ case 'F':
+ Fflag = 1;
+ /* FALLTHROUGH */
+ case 'f':
+ fflag = 1;
+ break;
+ case 'h':
+ if (uid)
+ errx(1, "-h option: %s", strerror(EPERM));
+ hflag = 1;
+ if (domain && (p = strchr(optarg, '.')) != NULL &&
+ strcasecmp(p, domain) == 0)
+ *p = '\0';
+ hostname = optarg;
+ break;
+ case 'p':
+ pflag = 1;
+ break;
+ case 's':
+ sflag = 1;
+ break;
+ default:
+ case '?':
+ usage();
+ break;
+ }
+ argc -= optind;
+ argv += optind;
+
+ if (*argv) {
+ username = *argv;
+ ask = 0;
+ } else
+ ask = 1;
+
+ for (cnt = getdtablesize(); cnt > 2; cnt--)
+ (void)close(cnt);
+
+ ttyn = ttyname(STDIN_FILENO);
+ if (ttyn == NULL || *ttyn == '\0') {
+ (void)snprintf(tname, sizeof(tname), "%s??", _PATH_TTY);