src - OpenBSD base system

diff options


context:
space:
mode:

author	Todd C. Miller <millert@cvs.openbsd.org>	2001-07-08 17:56:34 +0000
committer	Todd C. Miller <millert@cvs.openbsd.org>	2001-07-08 17:56:34 +0000
commit	f9144522d7069e785812b3434997fbf2b20713e7 (patch)
tree	1d360bc19b20f8d96b294e6fd82e0ea15ff1425e /libexec
parent	9f6b2c42cd06a58a875bb5160fd875e39e6c8998 (diff)

BSD auth module for radius authentication, from BSDi.

Diffstat (limited to 'libexec')

-rw-r--r--

libexec/Makefile

-rw-r--r--

libexec/login_radius/Makefile

-rw-r--r--

libexec/login_radius/login_radius.8

121

-rw-r--r--

libexec/login_radius/login_radius.c

197

-rw-r--r--

libexec/login_radius/raddauth.c

576

5 files changed, 911 insertions, 2 deletions

diff --git a/libexec/Makefile b/libexec/Makefile
index 06f15df1e77..96ab5e741c8 100644
--- a/libexec/Makefile
+++ b/libexec/Makefile

@@ -1,5 +1,5 @@

# from: @(#)Makefile 5.7 (Berkeley) 4/1/91

-# $OpenBSD: Makefile,v 1.23 2001/06/25 15:51:36 hin Exp $

+# $OpenBSD: Makefile,v 1.24 2001/07/08 17:56:33 millert Exp $

.include <bsd.own.mk>

@@ -8,7 +8,7 @@ SUBDIR= atrun comsat fingerd ftpd getNAME getty identd lockspool \

rpc.rquotad rpc.rstatd rpc.rusersd rpc.rwalld rpc.sprayd \

talkd tcpd telnetd tftpd uucpd smtpd

SUBDIR+=login_passwd login_skey login_krb4 login_krb4-or-pwd login_reject \

- login_chpass login_lchpass login_token

+ login_chpass login_lchpass login_token login_radius

.if (${YP:L} == "yes")

SUBDIR+=rpc.yppasswdd

diff --git a/libexec/login_radius/Makefile b/libexec/login_radius/Makefile
new file mode 100644
index 00000000000..2d0ded9a9a2
--- /dev/null
+++ b/libexec/login_radius/Makefile

@@ -0,0 +1,15 @@

+# $OpenBSD: Makefile,v 1.1 2001/07/08 17:56:33 millert Exp $

+PROG= login_radius

+SRCS= login_radius.c raddauth.c

+MAN= login_radius.8

+DPADD= ${LIBUTIL}

+LDADD= -lutil

+CFLAGS+=-Wall

+BINOWN= root

+BINGRP= auth

+BINMODE=4555

+BINDIR= /usr/libexec/auth

+.include <bsd.prog.mk>

diff --git a/libexec/login_radius/login_radius.8 b/libexec/login_radius/login_radius.8
new file mode 100644
index 00000000000..4024d86df74
--- /dev/null
+++ b/libexec/login_radius/login_radius.8

@@ -0,0 +1,121 @@

+.\" $OpenBSD: login_radius.8,v 1.1 2001/07/08 17:56:33 millert Exp $

+.\"

+.\" Redistribution and use in source and binary forms, with or without

+.\" modification, are permitted provided that the following conditions

+.\" are met:

+.\" 1. Redistributions of source code must retain the above copyright

+.\" notice, this list of conditions and the following disclaimer.

+.\" 2. Redistributions in binary form must reproduce the above copyright

+.\" notice, this list of conditions and the following disclaimer in the

+.\" documentation and/or other materials provided with the distribution.

+.\" 3. All advertising materials mentioning features or use of this software

+.\" must display the following acknowledgement:

+.\" This product includes software developed by Berkeley Software Design,

+.\" Inc.

+.\" 4. The name of Berkeley Software Design, Inc. may not be used to endorse

+.\" or promote products derived from this software without specific prior

+.\" written permission.

+.\"

+.\" THIS SOFTWARE IS PROVIDED BY BERKELEY SOFTWARE DESIGN, INC. ``AS IS'' AND

+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE

+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE

+.\" ARE DISCLAIMED. IN NO EVENT SHALL BERKELEY SOFTWARE DESIGN, INC. BE LIABLE

+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL

+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS

+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)

+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT

+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY

+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF

+.\" SUCH DAMAGE.

+.\"

+.\" BSDI $From: login_radius.8,v 1.2 1996/11/11 18:42:02 prb Exp $

+.\"

+.Dd August 23, 1996

+.Dt LOGIN_RADIUS 8

+.Os

+.Sh NAME

+.Nm login_radius

+.Nd contact radiusd for authentication

+.Sh SYNOPSIS

+.Nm login_radius

+.Op Fl s Ar service

+.Op Fl v Ar name=value

+.Ar user

+.Op Ar class

+.Sh DESCRIPTION

+The

+.Nm

+utility contacts the

+.Xr radiusd 8

+daemon to authenticate a user.

+When executed as the name

+.Pa login_ Ns Ar style

+it will request

+.Xr radiusd 8

+to use the authentication specified by

+.Xr style .

+.Pp

+Available options are:

+.Bl -tag -width indent

+.It Fl s

+Specify the service.

+Currently only

+.Li challenge ,

+.Li login ,

+and

+.Li response

+are supported.

+.It Fl v

+This option and its value are ignored.

+.El

+.Pp

+The

+.Nm

+utility needs to know a shared secret for each radius server it talks to.

+Shared secrets are stored in the file

+.Pa /etc/raddb/servers

+with the format:

+.Bd -literal -offset indent

+server shared_secret

+.Ed

+.Pp

+The primary and possible secondary radius servers are defined in the

+.Xr login.conf 5

+file by the fields:

+.Li radius-server

+and

+.Li radius-server-alt .

+.Pp

+It is expected that rather than requesting the radius style directly

+(in which case the

+.Xr radiusd 8

+server uses a default style)

+that

+.Nm

+will be linked to the various mechanisms desired.

+For instance, to have all CRYPTOCard and ActivCard authentication take

+place on a remote server via the radius protocol, remove the

+.Pa login_activ

+and

+.Pa login_crypto

+modules and link

+.Pa login_radius

+to both of those names.

+Now when the user requests one of those authentication styles,

+.Nm

+will automatically forward the request to the remote

+.Xr radiusd 8

+and request it do the requested style of authentication.

+.Pp

+Unless the the style being used is listed in the

+.Li radius-challenge-styles

+entry of the

+.Pa /etc/login.conf

+file, a password will be requested before sending the request to the

+radius server.

+.Sh SEE ALSO

+.Xr login.conf 5 ,

+.Xr login 8 ,

+.Xr radiusd 8

diff --git a/libexec/login_radius/login_radius.c b/libexec/login_radius/login_radius.c
new file mode 100644
index 00000000000..ea952597d28
--- /dev/null
+++ b/libexec/login_radius/login_radius.c

@@ -0,0 +1,197 @@

+/* $OpenBSD: login_radius.c,v 1.1 2001/07/08 17:56:33 millert Exp $ */

+/*-

+ *

+ * Redistribution and use in source and binary forms, with or without

+ * modification, are permitted provided that the following conditions

+ * are met:

+ * 1. Redistributions of source code must retain the above copyright

+ * notice, this list of conditions and the following disclaimer.

+ * 2. Redistributions in binary form must reproduce the above copyright

+ * notice, this list of conditions and the following disclaimer in the

+ * documentation and/or other materials provided with the distribution.

+ * 3. All advertising materials mentioning features or use of this software

+ * must display the following acknowledgement:

+ * This product includes software developed by Berkeley Software Design,

+ * Inc.

+ * 4. The name of Berkeley Software Design, Inc. may not be used to endorse

+ * or promote products derived from this software without specific prior

+ * written permission.

+ *

+ * THIS SOFTWARE IS PROVIDED BY BERKELEY SOFTWARE DESIGN, INC. ``AS IS'' AND

+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE

+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE

+ * ARE DISCLAIMED. IN NO EVENT SHALL BERKELEY SOFTWARE DESIGN, INC. BE LIABLE

+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL

+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS

+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)

+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT

+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY

+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF

+ * SUCH DAMAGE.

+ *

+ * BSDI $From: login_radius.c,v 1.4 1998/04/14 00:39:02 prb Exp $

+ */

+/*

+ *

+ * tfm associates

+ * P.O. Box 1244

+ * Eugene OR 97440-1244 USA

+ *

+ * This contains unpublished proprietary source code of tfm associates.

+ * The copyright notice above does not evidence any

+ * actual or intended publication of such source code.

+ *

+ * A license is granted to Berkeley Software Design, Inc. by

+ * tfm associates to modify and/or redistribute this software under the

+ * terms and conditions of the software License Agreement provided with this

+ * distribution. The Berkeley Software Design Inc. software License

+ * Agreement specifies the terms and conditions for redistribution.

+ */

+#include <sys/types.h>

+#include <netinet/in.h>

+#include <ctype.h>

+#include <err.h>

+#include <login_cap.h>

+#include <pwd.h>

+#include <stdio.h>

+#include <stdlib.h>

+#include <string.h>

+#include <syslog.h>

+#include <unistd.h>

+#include <bsd_auth.h>

+static int cleanstring(char *);

+int raddauth(char *, char *, char *, char *, char *, char **);

+int

+main(int argc, char **argv)

+ FILE *back;

+ char challenge[1024];

+ char *class, *service, *style, *username, *password, *emsg;

+ int c, n;

+ extern char *__progname;

+ back = NULL;

+ password = class = service = NULL;

+ /*

+ * Usage: login_xxx [-s service] [-v var] user [class]

+ */

+ while ((c = getopt(argc, argv, "ds:v:")) != -1)

+ switch(c) {

+ case 'd':

+ back = stdout;

+ break;

+ case 'v':

+ break;

+ case 's': /* service */

+ service = optarg;

+ if (strcmp(service, "login") != 0 &&

+ strcmp(service, "challenge") != 0 &&

+ strcmp(service, "response") != 0)

+ errx(1, "%s not supported", service);

+ break;

+ default:

+ syslog(LOG_ERR, "usage error");

+ exit(1);

+ }

+ if (service == NULL)

+ service = LOGIN_DEFSERVICE;

+ switch(argc - optind) {

+ case 2:

+ class = argv[optind + 1];

+ case 1:

+ username = argv[optind];

+ break;

+ default:

+ syslog(LOG_ERR, "usage error");

+ exit(1);

+ }

+ if ((style = strrchr(__progname, '/')))

+ ++style;

+ else

+ style = __progname;

+ if (strncmp(style, "login_", 6) == 0)

+ style += 6;

+ if (!cleanstring(style))

+ errx(1, "style contains non-printables");

+ if (!cleanstring(username))

+ errx(1, "username contains non-printables");

+ if (service && !cleanstring(service))

+ errx(1, "service contains non-printables");

+ if (class && !cleanstring(class))

+ errx(1, "class contains non-printables");

+ /*

+ * Filedes 3 is the back channel, where we send back results.

+ */

+ if (back == NULL && (back = fdopen(3, "a")) == NULL) {

+ syslog(LOG_ERR, "reopening back channel");

+ exit(1);

+ }

+ memset(challenge, 0, sizeof(challenge));

+ if (strcmp(service, "response") == 0) {

+ c = -1;

+ n = 0;

+ while (++c < sizeof(challenge) &&

+ read(3, &challenge[c], 1) == 1) {

+ if (challenge[c] == '\0' && ++n == 2)

+ break;

+ if (challenge[c] == '\0' && n == 1)

+ password = challenge + c + 1;

+ }

+ if (n < 2) {

+ syslog(LOG_ERR, "protocol error on back channel");

+ exit(1);

+ }

+ emsg = NULL;

+ c = raddauth(username, class, style,

+ strcmp(service, "login") ? challenge : NULL, password, &emsg);

+ if (c == 0) {

+ if (challenge == NULL || *challenge == '\0')

+ (void)fprintf(back, BI_AUTH "\n");

+ else {

+ (void)fprintf(back, BI_VALUE " challenge %s\n",

+ auth_mkvalue(challenge));

+ (void)fprintf(back, BI_CHALLENGE "\n");

+ }

+ exit(0);

+ }

+ if (emsg && strcmp(service, "login") == 0)

+ (void)fprintf(stderr, "%s\n", emsg);

+ else if (emsg)

+ (void)fprintf(back, "value errormsg %s\n", auth_mkvalue(emsg));

+ if (strcmp(service, "challenge") == 0) {

+ (void)fprintf(back, BI_SILENT "\n");

+ exit(0);

+ }

+ (void)fprintf(back, BI_REJECT "\n");

+ exit(1);

+static int

+cleanstring(char *s)

+ while (*s && isgraph(*s) && *s != '\\')

+ ++s;

+ return(*s == '\0' ? 1 : 0);

diff --git a/libexec/login_radius/raddauth.c b/libexec/login_radius/raddauth.c
new file mode 100644
index 00000000000..efacabe0952
--- /dev/null
+++ b/libexec/login_radius/raddauth.c

@@ -0,0 +1,576 @@

+/* $OpenBSD: raddauth.c,v 1.1 2001/07/08 17:56:33 millert Exp $ */