diff options
Diffstat (limited to 'server/responder/pam')
| -rw-r--r-- | server/responder/pam/pamsrv.c | 171 | ||||
| -rw-r--r-- | server/responder/pam/pamsrv.h | 33 | ||||
| -rw-r--r-- | server/responder/pam/pamsrv_cmd.c | 196 | ||||
| -rw-r--r-- | server/responder/pam/pamsrv_dp.c | 215 | ||||
| -rw-r--r-- | server/responder/pam/pamsrv_util.c | 16 |
5 files changed, 631 insertions, 0 deletions
diff --git a/server/responder/pam/pamsrv.c b/server/responder/pam/pamsrv.c new file mode 100644 index 00000000..b6593bcf --- /dev/null +++ b/server/responder/pam/pamsrv.c @@ -0,0 +1,171 @@ +/* + SSSD + + PAM Responder + + Copyright (C) Simo Sorce <ssorce@redhat.com> 2008 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <http://www.gnu.org/licenses/>. +*/ + +#include <stdio.h> +#include <unistd.h> +#include <fcntl.h> +#include <sys/types.h> +#include <sys/stat.h> +#include <sys/socket.h> +#include <sys/un.h> +#include <string.h> +#include <sys/time.h> +#include <errno.h> +#include "popt.h" +#include "util/util.h" +#include "db/sysdb.h" +#include "confdb/confdb.h" +#include "dbus/dbus.h" +#include "sbus/sssd_dbus.h" +#include "util/btreemap.h" +#include "responder/common/responder_packet.h" +#include "responder/common/responder_cmd.h" +#include "responder/common/responder_common.h" +#include "providers/data_provider.h" +#include "monitor/monitor_sbus.h" +#include "monitor/monitor_interfaces.h" +#include "sbus/sbus_client.h" +#include "responder/pam/pamsrv.h" + +#define SSS_PAM_PIPE_NAME "pam" +#define PAM_SBUS_SERVICE_VERSION 0x0001 +#define PAM_SBUS_SERVICE_NAME "pam" +#define CONFDB_SOCKET_PATH "config/services/pam" + +static int service_identity(DBusMessage *message, struct sbus_conn_ctx *sconn); +static int service_pong(DBusMessage *message, struct sbus_conn_ctx *sconn); +static int service_reload(DBusMessage *message, struct sbus_conn_ctx *sconn); + +struct sbus_method sss_sbus_methods[] = { + {SERVICE_METHOD_IDENTITY, service_identity}, + {SERVICE_METHOD_PING, service_pong}, + {SERVICE_METHOD_RELOAD, service_reload}, + {NULL, NULL} +}; + +static int service_identity(DBusMessage *message, struct sbus_conn_ctx *sconn) +{ + dbus_uint16_t version = PAM_SBUS_SERVICE_VERSION; + const char *name = PAM_SBUS_SERVICE_NAME; + DBusMessage *reply; + dbus_bool_t ret; + + DEBUG(4,("Sending ID reply: (%s,%d)\n", name, version)); + + reply = dbus_message_new_method_return(message); + if (!reply) return ENOMEM; + + ret = dbus_message_append_args(reply, + DBUS_TYPE_STRING, &name, + DBUS_TYPE_UINT16, &version, + DBUS_TYPE_INVALID); + if (!ret) { + dbus_message_unref(reply); + return EIO; + } + + /* send reply back */ + sbus_conn_send_reply(sconn, reply); + dbus_message_unref(reply); + + return EOK; +} + +static int service_pong(DBusMessage *message, struct sbus_conn_ctx *sconn) +{ + DBusMessage *reply; + dbus_bool_t ret; + + reply = dbus_message_new_method_return(message); + if (!reply) return ENOMEM; + + ret = dbus_message_append_args(reply, DBUS_TYPE_INVALID); + if (!ret) { + return EIO; + } + + /* send reply back */ + sbus_conn_send_reply(sconn, reply); + dbus_message_unref(reply); + + return EOK; +} + +static int service_reload(DBusMessage *message, struct sbus_conn_ctx *sconn) { + /* Monitor calls this function when we need to reload + * our configuration information. Perform whatever steps + * are needed to update the configuration objects. + */ + + /* Send an empty reply to acknowledge receipt */ + return service_pong(message, sconn); +} + +int main(int argc, const char *argv[]) +{ + int opt; + poptContext pc; + struct main_context *main_ctx; + int ret; + struct sbus_method *pam_dp_methods; + struct sss_cmd_table *sss_cmds; + + struct poptOption long_options[] = { + POPT_AUTOHELP + SSSD_MAIN_OPTS + { NULL } + }; + + pc = poptGetContext(argv[0], argc, argv, long_options, 0); + while((opt = poptGetNextOpt(pc)) != -1) { + switch(opt) { + default: + fprintf(stderr, "\nInvalid option %s: %s\n\n", + poptBadOption(pc, 0), poptStrerror(opt)); + poptPrintUsage(pc, stderr, 0); + return 1; + } + } + + poptFreeContext(pc); + + /* set up things like debug , signals, daemonization, etc... */ + ret = server_setup("sssd[pam]", 0, &main_ctx); + if (ret != EOK) return 2; + + pam_dp_methods = register_pam_dp_methods(); + sss_cmds = register_sss_cmds(); + ret = sss_process_init(main_ctx, + main_ctx->event_ctx, + main_ctx->confdb_ctx, + sss_sbus_methods, + sss_cmds, + SSS_PAM_PIPE_NAME, + CONFDB_SOCKET_PATH, + pam_dp_methods); + if (ret != EOK) return 3; + + /* loop on main */ + server_loop(main_ctx); + + return 0; +} + diff --git a/server/responder/pam/pamsrv.h b/server/responder/pam/pamsrv.h new file mode 100644 index 00000000..bb0082ac --- /dev/null +++ b/server/responder/pam/pamsrv.h @@ -0,0 +1,33 @@ +#include "sbus/sssd_dbus.h" +#include "responder/common/responder_cmd.h" + +#define PAM_DP_TIMEOUT 5000 + +#define DEBUG_PAM_DATA(level, pd) do { \ + if (level <= debug_level) pam_print_data(level, pd); \ +} while(0); + +struct pam_data { + int cmd; + uint32_t authtok_type; + uint32_t authtok_size; + uint32_t newauthtok_type; + uint32_t newauthtok_size; + char *domain; + char *user; + char *service; + char *tty; + char *ruser; + char *rhost; + uint8_t *authtok; + uint8_t *newauthtok; +}; + +void pam_print_data(int l, struct pam_data *pd); + +typedef void (*pam_dp_callback_t)(struct cli_ctx *cctx, int pam_status, char *domain); + +struct sbus_method *register_pam_dp_methods(void); +struct sss_cmd_table *register_sss_cmds(void); +int pam_dp_send_req(struct cli_ctx *cctx, pam_dp_callback_t callback, + int timeout, struct pam_data *pd); diff --git a/server/responder/pam/pamsrv_cmd.c b/server/responder/pam/pamsrv_cmd.c new file mode 100644 index 00000000..4fdded30 --- /dev/null +++ b/server/responder/pam/pamsrv_cmd.c @@ -0,0 +1,196 @@ +#include <errno.h> +#include <talloc.h> + +#include "util/util.h" +#include "responder/common/responder_common.h" +#include "responder/common/responder_cmd.h" +#include "responder/common/responder_packet.h" +#include "responder/pam/pamsrv.h" + +static int pam_parse_in_data(uint8_t *body, size_t blen, struct pam_data *pd) { + int start; + int end; + int last=blen-1; + char *delim; + + start = end = 0; + while ( end < last && body[end++]!='\0'); + pd->user = (char *) &body[start]; + + delim = strchr(pd->user, SSS_DOMAIN_DELIM); + if (delim != NULL ) { + *delim = '\0'; + pd->domain = delim+1; + } else { + pd->domain = NULL; + } + + start = end; + while ( end < last && body[end++]!='\0'); + pd->service = (char *) &body[start]; + + start = end; + while ( end < last && body[end++]!='\0'); + pd->tty = (char *) &body[start]; + + start = end; + while ( end < last && body[end++]!='\0'); + pd->ruser = (char *) &body[start]; + + start = end; + while ( end < last && body[end++]!='\0'); + pd->rhost = (char *) &body[start]; + + start = end; + pd->authtok_type = (int) body[start]; + start += sizeof(uint32_t); + pd->authtok_size = (int) body[start]; + start += sizeof(uint32_t); + end = start+pd->authtok_size; + if ( pd->authtok_size == 0 ) { + pd->authtok = NULL; + } else { + if ( end <= blen ) { + pd->authtok = (uint8_t *) &body[start]; + } else { + DEBUG(1, ("Invalid authtok size: %d\n", pd->authtok_size)); + return EINVAL; + } + } + + start = end; + pd->newauthtok_type = (int) body[start]; + start += sizeof(uint32_t); + pd->newauthtok_size = (int) body[start]; + start += sizeof(uint32_t); + end = start+pd->newauthtok_size; + if ( pd->newauthtok_size == 0 ) { + pd->newauthtok = NULL; + } else { + if ( end <= blen ) { + pd->newauthtok = (uint8_t *) &body[start]; + } else { + DEBUG(1, ("Invalid newauthtok size: %d\n", pd->newauthtok_size)); + return EINVAL; + } + } + + DEBUG_PAM_DATA(4, pd); + + return EOK; +} + +static void pam_reply(struct cli_ctx *cctx, int pam_status, char *domain) { + struct sss_cmd_ctx *nctx; + int32_t ret_status = pam_status; + uint8_t *body; + size_t blen; + int ret; + int err = EOK; + + DEBUG(4, ("pam_reply get called.\n")); + nctx = talloc_zero(cctx, struct sss_cmd_ctx); + if (!nctx) { + err = ENOMEM; + goto done; + } + nctx->cctx = cctx; + nctx->check_expiration = true; + + ret = sss_packet_new(cctx->creq, 0, sss_packet_get_cmd(cctx->creq->in), + &cctx->creq->out); + if (ret != EOK) { + err = ret; + goto done; + } + + ret = sss_packet_grow(cctx->creq->out, sizeof(int) + strlen(domain)+1 ); + if (ret != EOK) { + err = ret; + goto done; + } + + sss_packet_get_body(cctx->creq->out, &body, &blen); + DEBUG(4, ("blen: %d\n", blen)); + memcpy(body, &ret_status, sizeof(int32_t)); + memcpy(body+sizeof(int32_t), domain, strlen(domain)+1); + +done: + sss_cmd_done(nctx); +} + +static int pam_forwarder(struct cli_ctx *cctx, int pam_cmd) +{ + uint8_t *body; + size_t blen; + int ret; + struct pam_data *pd; + + pd = talloc(cctx, struct pam_data); + if (pd == NULL) return ENOMEM; + + sss_packet_get_body(cctx->creq->in, &body, &blen); + if (blen >= sizeof(uint32_t) && + ((uint32_t *)(&body[blen - sizeof(uint32_t)]))[0] != END_OF_PAM_REQUEST) { + DEBUG(1, ("Received data not terminated.\n")); + talloc_free(pd); + return EINVAL; + } + + pd->cmd = pam_cmd; + ret=pam_parse_in_data(body, blen, pd); + if( ret != 0 ) { + talloc_free(pd); + return EINVAL; + } + + ret=pam_dp_send_req(cctx, pam_reply, PAM_DP_TIMEOUT, pd); + DEBUG(4, ("pam_dp_send_req returned %d\n", ret)); + + return ret; +} + +static int pam_cmd_authenticate(struct cli_ctx *cctx) { + DEBUG(4, ("entering pam_cmd_authenticate\n")); + return pam_forwarder(cctx, SSS_PAM_AUTHENTICATE); +} + +static int pam_cmd_setcred(struct cli_ctx *cctx) { + DEBUG(4, ("entering pam_cmd_setcred\n")); + return pam_forwarder(cctx, SSS_PAM_SETCRED); +} + +static int pam_cmd_acct_mgmt(struct cli_ctx *cctx) { + DEBUG(4, ("entering pam_cmd_acct_mgmt\n")); + return pam_forwarder(cctx, SSS_PAM_ACCT_MGMT); +} + +static int pam_cmd_open_session(struct cli_ctx *cctx) { + DEBUG(4, ("entering pam_cmd_open_session\n")); + return pam_forwarder(cctx, SSS_PAM_OPEN_SESSION); +} + +static int pam_cmd_close_session(struct cli_ctx *cctx) { + DEBUG(4, ("entering pam_cmd_close_session\n")); + return pam_forwarder(cctx, SSS_PAM_CLOSE_SESSION); +} + +static int pam_cmd_chauthtok(struct cli_ctx *cctx) { + DEBUG(4, ("entering pam_cmd_chauthtok\n")); + return pam_forwarder(cctx, SSS_PAM_CHAUTHTOK); +} + +struct sss_cmd_table *register_sss_cmds(void) { + static struct sss_cmd_table sss_cmds[] = { + {SSS_GET_VERSION, sss_cmd_get_version}, + {SSS_PAM_AUTHENTICATE, pam_cmd_authenticate}, + {SSS_PAM_SETCRED, pam_cmd_setcred}, + {SSS_PAM_ACCT_MGMT, pam_cmd_acct_mgmt}, + {SSS_PAM_OPEN_SESSION, pam_cmd_open_session}, + {SSS_PAM_CLOSE_SESSION, pam_cmd_close_session}, + {SSS_PAM_CHAUTHTOK, pam_cmd_chauthtok}, + {SSS_CLI_NULL, NULL} + }; + + return sss_cmds; +} diff --git a/server/responder/pam/pamsrv_dp.c b/server/responder/pam/pamsrv_dp.c new file mode 100644 index 00000000..8a10c6bd --- /dev/null +++ b/server/responder/pam/pamsrv_dp.c @@ -0,0 +1,215 @@ +/* + SSSD + + NSS Responder - Data Provider Interfaces + + Copyright (C) Simo Sorce <ssorce@redhat.com> 2008 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <http://www.gnu.org/licenses/>. +*/ + +#include <sys/time.h> +#include <time.h> + +#include <talloc.h> +#include <security/pam_modules.h> + +#include "util/util.h" +#include "responder/common/responder_packet.h" +#include "responder/nss/nsssrv.h" +#include "providers/data_provider.h" +#include "sbus/sbus_client.h" +#include "providers/dp_sbus.h" +#include "responder/pam/pamsrv.h" + +struct pam_reply_ctx { + struct cli_ctx *cctx; + pam_dp_callback_t callback; +}; + +static void pam_process_dp_reply(DBusPendingCall *pending, void *ptr) { + DBusError dbus_error; + DBusMessage* msg; + int ret; + int type; + dbus_uint32_t pam_status; + char *domain; + struct pam_reply_ctx *rctx; + + rctx = talloc_get_type(ptr, struct pam_reply_ctx); + + dbus_error_init(&dbus_error); + + dbus_pending_call_block(pending); + msg = dbus_pending_call_steal_reply(pending); + if (msg == NULL) { + DEBUG(0, ("Severe error. A reply callback was called but no reply was received and no timeout occurred\n")); + pam_status = PAM_SYSTEM_ERR; + goto done; + } + + + type = dbus_message_get_type(msg); + switch (type) { + case DBUS_MESSAGE_TYPE_METHOD_RETURN: + ret = dbus_message_get_args(msg, &dbus_error, + DBUS_TYPE_UINT32, &pam_status, + DBUS_TYPE_STRING, &domain, + DBUS_TYPE_INVALID); + if (!ret) { + DEBUG(0, ("Failed to parse reply.\n")); + pam_status = PAM_SYSTEM_ERR; + domain = ""; + goto done; + } + DEBUG(4, ("received: [%d][%s]\n", pam_status, domain)); + break; + case DBUS_MESSAGE_TYPE_ERROR: + DEBUG(0, ("Reply error.\n")); + pam_status = PAM_SYSTEM_ERR; + break; + default: + DEBUG(0, ("Default... what now?.\n")); + pam_status = PAM_SYSTEM_ERR; + } + + +done: + dbus_pending_call_unref(pending); + dbus_message_unref(msg); + rctx->callback(rctx->cctx, pam_status, domain); +} + +int pam_dp_send_req(struct cli_ctx *cctx, + pam_dp_callback_t callback, + int timeout, struct pam_data *pd) { + DBusMessage *msg; + DBusPendingCall *pending_reply; + DBusConnection *conn; + DBusError dbus_error; + dbus_bool_t ret; + struct pam_reply_ctx *rctx; + + rctx = talloc(cctx, struct pam_reply_ctx); + if (rctx == NULL) { + DEBUG(0,("Out of memory?!\n")); + return ENOMEM; + } + rctx->cctx=cctx; + rctx->callback=callback; + + if (pd->domain==NULL || + pd->user==NULL || + pd->service==NULL || + pd->tty==NULL || + pd->ruser==NULL || + pd->rhost==NULL ) { + return EINVAL; + } + + conn = sbus_get_connection(cctx->nctx->dp_ctx->scon_ctx); + dbus_error_init(&dbus_error); + + msg = dbus_message_new_method_call(NULL, + DP_CLI_PATH, + DP_CLI_INTERFACE, + DP_SRV_METHOD_PAMHANDLER); + if (msg == NULL) { + DEBUG(0,("Out of memory?!\n")); + return ENOMEM; + } + + + DEBUG(4, ("Sending request with the following data:\n")); + DEBUG_PAM_DATA(4, pd); + + ret = dbus_message_append_args(msg, + DBUS_TYPE_INT32, &(pd->cmd), + DBUS_TYPE_STRING, &(pd->domain), + DBUS_TYPE_STRING, &(pd->user), + DBUS_TYPE_STRING, &(pd->service), + DBUS_TYPE_STRING, &(pd->tty), + DBUS_TYPE_STRING, &(pd->ruser), + DBUS_TYPE_STRING, &(pd->rhost), + DBUS_TYPE_INT32, &(pd->authtok_type), + DBUS_TYPE_ARRAY, DBUS_TYPE_BYTE, + &(pd->authtok), pd->authtok_size, + DBUS_TYPE_INT32, &(pd->newauthtok_type), + DBUS_TYPE_ARRAY, DBUS_TYPE_BYTE, + &(pd->newauthtok), pd->newauthtok_size, + DBUS_TYPE_INVALID); + if (!ret) { + DEBUG(1,("Failed to build message\n")); + return EIO; + } + + ret = dbus_connection_send_with_reply(conn, msg, &pending_reply, timeout); + if (!ret) { + /* + * Critical Failure + * We can't communicate on this connection + * We'll drop it using the default destructor. + */ + DEBUG(0, ("D-BUS send failed.\n")); + dbus_message_unref(msg); + return EIO; + } + + dbus_pending_call_set_notify(pending_reply, pam_process_dp_reply, rctx, + NULL); + dbus_message_unref(msg); + + return EOK; +} + +static int pam_dp_identity(DBusMessage *message, struct sbus_conn_ctx *sconn) +{ + dbus_uint16_t version = DATA_PROVIDER_VERSION; + dbus_uint16_t clitype = DP_CLI_FRONTEND; + const char *cliname = "PAM"; + const char *nullname = ""; + DBusMessage *reply; + dbus_bool_t ret; + + DEBUG(4,("Sending ID reply: (%d,%d,%s)\n", clitype, version, cliname)); + + reply = dbus_message_new_method_return(message); + if (!reply) return ENOMEM; + + ret = dbus_message_append_args(reply, + DBUS_TYPE_UINT16, &clitype, + DBUS_TYPE_UINT16, &version, + DBUS_TYPE_STRING, &cliname, + DBUS_TYPE_STRING, &nullname, + DBUS_TYPE_INVALID); + if (!ret) { + dbus_message_unref(reply); + return EIO; + } + + /* send reply back */ + sbus_conn_send_reply(sconn, reply); + dbus_message_unref(reply); + + return EOK; +} + +struct sbus_method *register_pam_dp_methods(void) { + static struct sbus_method pam_dp_methods[] = { + { DP_CLI_METHOD_IDENTITY, pam_dp_identity }, + { NULL, NULL } + }; + + return pam_dp_methods; +} diff --git a/server/responder/pam/pamsrv_util.c b/server/responder/pam/pamsrv_util.c new file mode 100644 index 00000000..5dab9b67 --- /dev/null +++ b/server/responder/pam/pamsrv_util.c @@ -0,0 +1,16 @@ +#include "util/util.h" +#include "responder/pam/pamsrv.h" + +void pam_print_data(int l, struct pam_data *pd) { + DEBUG(l, ("command: %d\n", pd->cmd)); + DEBUG(l, ("domain: %s\n", pd->domain)); + DEBUG(l, ("user: %s\n", pd->user)); + DEBUG(l, ("service: %s\n", pd->service)); + DEBUG(l, ("tty: %s\n", pd->tty)); + DEBUG(l, ("ruser: %s\n", pd->ruser)); + DEBUG(l, ("rhost: %s\n", pd->rhost)); + DEBUG(l, ("authtok type: %d\n", pd->authtok_type)); + DEBUG(l, ("authtok size: %d\n", pd->authtok_size)); + DEBUG(l, ("newauthtok type: %d\n", pd->newauthtok_type)); + DEBUG(l, ("newauthtok size: %d\n", pd->newauthtok_size)); +} |