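/*-
 * Copyright (c) 2001 Mark R V Murray
 * All rights reserved.
 * Copyright (c) 2001 Networks Associates Technology, Inc.
 * All rights reserved.
 *
 * Portions of this software were developed for the FreeBSD Project by
 * ThinkSec AS and NAI Labs, the Security Research Division of Network
 * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035
 * ("CBOSS"), as part of the DARPA CHATS research program.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 * 3. The name of the author may not be used to endorse or promote
 *    products derived from this software without specific prior written
 *    permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 */

#include <sys/cdefs.h>
__FBSDID("$FreeBSD$");

#define _BSD_SOURCE

#include <sys/param.h>

#include <syslog.h>
#include <unistd.h>

#define PAM_SM_ACCOUNT

#include <security/pam_appl.h>
#include <security/pam_modules.h>
#include <security/pam_mod_misc.h>

#include "pam_login_access.h"

/*
 * Account-management entry point: ask login_access() whether the user
 * named by PAM_USER may log in.
 *
 * The "from" argument handed to login_access() is chosen in this order:
 * PAM_RHOST if set and non-empty, else PAM_TTY if set and non-empty,
 * else the literal "***unknown***".  Both items are supplied by the
 * calling service, so a host name in PAM_RHOST is only as trustworthy
 * as that service's own resolution of it.  NOTE(review): confirm how
 * each consumer populates PAM_RHOST before relying on host-name rules.
 *
 * Returns PAM_SUCCESS when login_access() permits the login,
 * PAM_AUTH_ERR when it does not, PAM_SERVICE_ERR when no user name is
 * available, and the pam_get_item() error otherwise.  Every failure
 * path denies access.
 *
 * The former local hostname[] buffer filled by an unchecked gethostname()
 * was never read; it has been dropped.
 */
PAM_EXTERN int
pam_sm_acct_mgmt(pam_handle_t *pamh, int flags __unused,
    int argc __unused, const char *argv[] __unused)
{
	const void *rhost, *tty, *user;
	int pam_err;

	pam_err = pam_get_item(pamh, PAM_USER, &user);
	if (pam_err != PAM_SUCCESS)
		return (pam_err);

	/* No user name means nothing can be checked; fail closed. */
	if (user == NULL)
		return (PAM_SERVICE_ERR);

	PAM_LOG("Got user: %s", (const char *)user);

	pam_err = pam_get_item(pamh, PAM_RHOST, &rhost);
	if (pam_err != PAM_SUCCESS)
		return (pam_err);

	pam_err = pam_get_item(pamh, PAM_TTY, &tty);
	if (pam_err != PAM_SUCCESS)
		return (pam_err);

	/* Remote host outranks tty; an empty string is treated as unset. */
	if (rhost != NULL && *(const char *)rhost != '\0') {
		PAM_LOG("Checking login.access for user %s from host %s",
		    (const char *)user, (const char *)rhost);
		if (login_access(user, rhost) != 0)
			return (PAM_SUCCESS);
		PAM_VERBOSE_ERROR("%s is not allowed to log in from %s",
		    (const char *)user, (const char *)rhost);
	} else if (tty != NULL && *(const char *)tty != '\0') {
		PAM_LOG("Checking login.access for user %s on tty %s",
		    (const char *)user, (const char *)tty);
		if (login_access(user, tty) != 0)
			return (PAM_SUCCESS);
		PAM_VERBOSE_ERROR("%s is not allowed to log in on %s",
		    (const char *)user, (const char *)tty);
	} else {
		/*
		 * Neither origin is known; the sentinel string is passed so
		 * login.access rules can still be evaluated for the user.
		 */
		PAM_LOG("Checking login.access for user %s",
		    (const char *)user);
		if (login_access(user, "***unknown***") != 0)
			return (PAM_SUCCESS);
		PAM_VERBOSE_ERROR("%s is not allowed to log in",
		    (const char *)user);
	}

	return (PAM_AUTH_ERR);
}

PAM_MODULE_ENTRY("pam_login_access");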