
Re: Status of skey module.



-----BEGIN PGP SIGNED MESSAGE-----

> Date: Tue, 18 Mar 1997 10:28:23 -0600
> From: "Karl O. Pinc" <kop@meme.com>
> Resent-From: pam-list@redhat.com
> 
> Is there a status on the skey module?
> 
> I haven't been following pam at all, so forgive any redundancy.
> 
> Karl
> 
> May the Legos (TM) always be swept from your path in the night.

There may be several PAM-S/Key modules under development.  I have one
which is working completely (AFAIK), but I haven't found the time or
energy to make an RPM out of it.  I'm not sure how it should be
packaged, because it requires some of the utilities and libraries from
the skey-2.2-1.i386.rpm package, but if you install the whole package
then it overwrites the PAM versions of login etc. with S/Key-specific
versions.

In any case, following is the source for my module: suggestions
regarding the source or the way to package/distribute it would be
_very_ welcome.

I've tested this on two machines running RH4.0 and RH4.1, and it works
quite reliably.

Attached is the source code: you also need the S/Key source to be able
to compile it, and the utilities from skey (keyinit, keyinfo...) for
it to be any use.

- -- 
  Martin Pool <m.pool@pharos.com.au> | Designer, Pharos Business Solutions

  "Without fungi there's not the loaf of bread or the jug of wine 
  or even thou" -- Robert Fulghum


- ---------- Makefile

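# Makefile for pam_skey
#
# (C) 1997 Pharos Intellectual Property P/L
# $Header: /home/mbp/pam/Makefile,v 1.1 1997-02-26 11:01:36+10 mbp Exp $
#
# Builds pam_skey.so (the dynamic PAM module) from pam_skey.c.  LIBSKEY
# must point at the S/Key 2.2 library tree; the module does not build
# without it.

TITLE=pam_skey
LIBSRC=$(TITLE).c
LIBOBJ=$(TITLE).o
LIBOBJD=$(LIBOBJ)

CC=gcc
# CFLAG carries the RPM and feature-test flags; it is folded into CFLAGS below.
CFLAG=$(RPM_OPT_FLAGS) -pipe $(EXTRAS) -DHAVE_SHADOW_H -DHAVE_CRACK_H # -ggdb
DEBUG= -g -DDEBUG
PAMLIB=-lpam 
SYSINCLUDES=/usr/include/security
LIBDIR=/lib
SECUREDIR=/lib/security
LIBDL=-ldl
LIBSKEY=-lskey -L/usr/local/skey-2.2/libskey -L/usr/local/skey-2.2/libmd -lmd 
WARNINGS=-Wall -pedantic
# -fPIC is required for objects that go into a shared library.
CFLAGS  = -DLINUX $(WARNINGS) $(DEBUG) $(CFLAG) -fPIC
DYNAMIC=-DPAM_DYNAMIC
export DYNAMIC

ifdef DYNAMIC
LIBSHARED = $(TITLE).so
endif
ifdef STATIC
LIBSTATIC = lib$(TITLE).o
endif

ifdef DYNAMIC
$(LIBOBJD): $(LIBSRC)

$(LIBSHARED):	$(LIBOBJD)
		$(LD) -x --shared -o $@ $(LIBOBJD) $(LIBSKEY)
endif


.c.o:	
	$(CC) $(CFLAGS) -c $<

# Spell the files out: "{o,so}" is a bash brace expansion that make's
# default /bin/sh need not support, and -f keeps "make clean" from
# failing in an already-clean tree.
.PHONY: clean
clean:
	rm -f $(TITLE).o $(TITLE).so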


- ---------------- pam_skey.c

/* pam/pam_skey.c - A module to interface the Linux-PAM Pluggable
 * Authentication Module to the S/Key one-time-password system.
 *
 * This compiles into pam_skey.so which should be installed into
 * /usr/lib/security/pam_skey.so.  It can be used through a pam.conf
 * line, preferably stacked with unix_auth, similar to 
 * telnet     auth       required     /lib/security/pam_unix_auth.so
 * telnet     auth       required     /lib/security/pam_skey.so
 *
 * This module provides only the 'auth' capability.
 *
 * You need both the skey and Linux-PAM packages for this to be
 * useful.
 *
 * Copyright (C) 1997 Pharos Intellectual Property Pty Ltd.
 * All rights reserved.
 */

/* The following options are permitted in the pam.conf file:
   
   debug = enable debugging output to syslog(AUTHPRIV.DEBUG)

   noecho = don't echo the password back.  This is not on by default
   because S/Key passwords are long, and because the system design assumes
   that they may be snooped anyhow.  Turn it on if you wish.

   use_first_pass and try_first_pass are not implemented because it is
   unlikely that the S/Key password would be the same as that of
   another PAM.
   
 */

/* NO WARRANTY: THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR
 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
 * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
 * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE
 * GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
 * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
 * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.  */
 

/* Version tag kept in the object file so that ident(1) or strings(1)
 * can recover the RCS revision, description and author of the module. */
static const char rcsid[] =
  "$Header: /home/mbp/pam/pam_skey.c,v 1.1 1997-02-26 11:01:17+10 mbp Exp $ "
  "Linux-PAM S/Key authentication functions "
  "Martin Pool <m.pool@pharos.com.au>";

/* Capabilities provided by this module */
#define PAM_SM_AUTH

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <syslog.h>

#include <security/pam_modules.h>
#include <security/skey.h>


/* Prototypes */
int read_options(int argc, const char **argv);

/* Module-globals representing command-line flags.  They are filled in
 * by read_options() from the pam.conf arguments on each call to
 * pam_sm_authenticate().
 * NOTE(review): both are exported symbols of the shared object; they
 * could be made static if no other translation unit needs them. */
int debug = 0;     /* "debug": emit progress to syslog(LOG_AUTHPRIV) */
int noecho = 0;    /* "noecho": prompt with PAM_PROMPT_ECHO_OFF */

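/* Zero a conversation response before releasing it, so the one-time
 * password does not linger in freed heap memory.  The stores go through
 * a volatile pointer because a plain memset() followed by free() may be
 * dropped by the optimiser as a dead store.  Accepts NULL. */
static void wipe_response(struct pam_response *resp)
{
  if (resp == NULL) return;
  if (resp->resp != NULL) {
    volatile char *vp = (volatile char *) resp->resp;
    size_t n = strlen(resp->resp);
    while (n > 0) {
      n--;
      vp[n] = '\0';
    }
    free(resp->resp);
  }
  free(resp);
}

/* The guts of PAM-S/Key authentication.  Returns a PAM_* status code,
 * depending on whether the user was successfully authenticated or
 * not.  This fn attempts to map the error codes returned by S/Key
 * into the corresponding PAM codes: they ought to be close but
 * probably not perfect.
 *
 * pamh   - the PAM handle; the user name (PAM_USER) and the
 *          conversation function (PAM_CONV) are taken from it.
 * flags, argc, argv - accepted for symmetry with pam_sm_authenticate()
 *          but not used here; the options have already been parsed by
 *          read_options() into the globals 'debug' and 'noecho'.
 *
 * Returns PAM_SUCCESS when the S/Key response verifies, PAM_AUTH_ERR
 * when it does not (or S/Key reports a system error during
 * verification), PAM_USER_UNKNOWN when the user has no S/Key entry,
 * PAM_SYSTEM_ERR when no challenge could be produced, PAM_CONV_ERR
 * when the application supplies no conversation function or no
 * response, or whatever pam_get_user() / pam_get_item() / the
 * conversation function itself returned. */
int _pam_auth_skey(pam_handle_t *pamh,
		   int flags,
		   int argc,
		   const char **argv)
{
  /* Unlike the skey-provided login(1), this module never accepts the
   * unix passwd - use the pam.conf to stack pam_skey and
   * pam_unix_auth if you want to give the user the option. */
  char const *user;
  char challenge[1024];
  char prompt[sizeof challenge + 4];
  int rc;
  struct skey sk;
  struct pam_conv *conv;
  struct pam_message msg[1];
  const struct pam_message *pmsg[1];
  struct pam_response *presponse = NULL;

  /* Only pamh is needed here; the rest is part of the PAM signature. */
  (void) flags;
  (void) argc;
  (void) argv;

  /* Get the users name, if it is not already known */
  rc = pam_get_user(pamh, &user, "s/key login: ");
  if ( rc != PAM_SUCCESS ) return rc;
  if (debug) 
    syslog(LOG_AUTHPRIV|LOG_NOTICE, "pam_skey login attempt for '%s'",
	   user);

  /* Get the string with which to challenge the user.
   * NOTE(review): skeychallenge() may leave the key file referenced by
   * 'sk' open until skeyverify() runs; the early returns below (no
   * conversation function, no response) would then leak it - confirm
   * against the S/Key library and close it there if so. */
  rc = skeychallenge(&sk, (char *) user, challenge);
  switch(rc) {
  case -1: 
    syslog(LOG_AUTHPRIV|LOG_WARNING, 
	   "pam_skey: system error finding challenge string");
    return PAM_SYSTEM_ERR;
  case 1: 
    syslog(LOG_AUTHPRIV|LOG_WARNING, "pam_skey: user '%s' unknown",
	   user);
    return PAM_USER_UNKNOWN;
  default:
    break;
  }
  if (debug)
    syslog(LOG_AUTHPRIV|LOG_NOTICE, "pam_skey login challenge is '%s'",
	   challenge);

  /* Build the prompt in its own, bounded buffer rather than strcat()ing
   * onto 'challenge': how much room skeychallenge() left there is not
   * known at this point, and snprintf() cannot overrun 'prompt'. */
  snprintf(prompt, sizeof prompt, "%s: ", challenge);

  /* Get the conversation function with which to prompt the user for
   * their password.  An application may hand us a NULL item; that is a
   * conversation error, not a reason to crash. */
  rc = pam_get_item(pamh, PAM_CONV, (const void **) &conv );
  if ( rc != PAM_SUCCESS ) return rc;
  if (conv == NULL || conv->conv == NULL) {
    syslog(LOG_AUTHPRIV|LOG_WARNING,
	   "pam_skey: application supplied no conversation function");
    return PAM_CONV_ERR;
  }

  /* Prompt the user with the challenge, and get their response.
   * 'pmsg' already is an array of message pointers, so it decays to
   * the 'const struct pam_message **' the conversation expects. */
  pmsg[0] = &msg[0];
  msg[0].msg_style = noecho ? PAM_PROMPT_ECHO_OFF : PAM_PROMPT_ECHO_ON;
  msg[0].msg = prompt;
  presponse = NULL;

  rc = conv->conv(1, 
		  pmsg, 
		  &presponse, 
		  conv->appdata_ptr); 
  if ( rc != PAM_SUCCESS ) return rc;
  
#if 0
  /* a bit insecure */
  if (debug)
    syslog(LOG_AUTHPRIV|LOG_NOTICE, "pam_skey response is '%s'",
	   presponse->resp); 
#endif

  /* A conforming application returns one pam_response per message, but
   * a NULL response array or a NULL resp string must not be
   * dereferenced - treat either as a conversation failure. */
  if (presponse == NULL || presponse->resp == NULL) {
    syslog(LOG_AUTHPRIV|LOG_WARNING,
	   "pam_skey: no response from conversation function");
    wipe_response(presponse);
    return PAM_CONV_ERR;
  }

  /* Check the response with S/Key.  S/Key uses the username specified
   * above.  The response is the module's to free (PAM convention); it
   * is wiped and released as soon as S/Key has looked at it. */
  rc = skeyverify(&sk, presponse->resp);
  wipe_response(presponse);
  presponse = NULL;
  switch ( rc ) {
  case -1: 
    syslog(LOG_AUTHPRIV|LOG_WARNING, 
	   "pam_skey: S/Key system error or authentication failure");
    return PAM_AUTH_ERR;
  case 1:
    syslog(LOG_AUTHPRIV|LOG_WARNING, 
	   "pam_skey: user '%s' S/Key authentication failed",
	   user);
    return PAM_AUTH_ERR;
  default:
    break;
  }
  /* The old version passed the response as a stray syslog() argument
   * with no conversion for it; the one-time password is never logged. */
  if (debug) 
    syslog(LOG_AUTHPRIV|LOG_NOTICE, "pam_skey login OK");

  return PAM_SUCCESS;
}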





/* pam_sm_authenticate: Entry point for a PAM request to validate a
 * user.  Parses the pam.conf options into the module globals via
 * read_options(), then hands the whole request to _pam_auth_skey(),
 * whose PAM_* result is returned unchanged. */

PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh,
				   int flags,
				   int argc,
				   const char **argv)
{
  const int opt_rc = read_options(argc, argv);

  if (opt_rc != PAM_SUCCESS)
    return opt_rc;

  return _pam_auth_skey(pamh, flags, argc, argv);
}


/* Read "command-line" options: the words that follow the module name
 * on its pam.conf line.  "debug" bumps the global debug counter each
 * time it appears, "noecho" sets the global noecho flag; anything else
 * is logged and otherwise ignored.  Always returns PAM_SUCCESS. */
int read_options(int argc, const char **argv) 
{
  int idx = 0;

  while (idx < argc) {
    const char *opt = argv[idx++];

    if (strcmp(opt, "debug") == 0) {
      debug++;
    } else if (strcmp(opt, "noecho") == 0) {
      noecho = 1;
    } else {
      /* PAM spec says unknown options must be ignored */
      syslog(LOG_AUTHPRIV|LOG_WARNING, "pam_skey: unknown argument '%s'",
	     opt);
    }
  }
  return PAM_SUCCESS;
}



/* pam_sm_setcred: S/Key is a pure one-time-password check and hands
 * the application nothing that would count as a credential, so there
 * is nothing to establish, refresh or delete here.  Reporting success
 * keeps a stacked pam.conf configuration working. */
PAM_EXTERN int pam_sm_setcred(pam_handle_t *pamh, 
			      int flags,
			      int argc, 
			      const char **argv)
{
  /* All parameters are unused; silence -Wall without changing the
   * PAM-mandated signature. */
  (void) pamh;
  (void) flags;
  (void) argc;
  (void) argv;

  return PAM_SUCCESS;
}



-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: Processed by Mailcrypt 3.4, an Emacs/PGP interface

iQB1AwUBMy8oiTr8By6pblTZAQHOyAL/S8UsI/4DbZLciAjPmDJxHYiNJXPmrA5S
SqgfKUqfYfTDE4gEJrqLQMMQMKgRcKdkkohz5C9B7KmvsFhTmkW4BFqR6oA3iicY
9iKH9cpH5klzv8/+DdxUjSbBQ0zcyEUa
=WHNy
-----END PGP SIGNATURE-----


