Exemplo n.º 1
/*
 *	Authenticate a request through securidAuth() using the clear-text
 *	User-Password attribute.
 *
 *	Returns RLM_MODULE_INVALID when User-Name is missing or when a
 *	non-empty User-Password is not supplied, RLM_MODULE_OK on success,
 *	RLM_MODULE_HANDLED after turning the reply into an Access-Challenge,
 *	and RLM_MODULE_REJECT for every other securidAuth() result.
 */
static rlm_rcode_t CC_HINT(nonnull) mod_authenticate(void *instance, REQUEST *request)
{
	rlm_securid_t	*inst = instance;
	char		reply_msg[MAX_STRING_LEN] = "";
	char const	*username = NULL;
	char const	*password = NULL;
	VALUE_PAIR	*prompt;
	int		auth_rc;
	rlm_rcode_t	result;

	/*
	 *	Both the identity and the credential attribute must be
	 *	present before anything is handed to securidAuth().
	 */
	if (!request->username) {
		AUTH("rlm_securid: Attribute \"User-Name\" is required for authentication");
		return RLM_MODULE_INVALID;
	}

	if (!request->password) {
		RAUTH("Attribute \"Password\" is required for authentication");
		return RLM_MODULE_INVALID;
	}

	/*
	 *	Only the clear-text User-Password attribute is accepted;
	 *	any other password attribute is refused.
	 */
	if (request->password->da->attr != PW_USER_PASSWORD) {
		RAUTH("Attribute \"User-Password\" is required for authentication. Cannot use \"%s\".", request->password->da->name);
		return RLM_MODULE_INVALID;
	}

	/*
	 *	An empty password is never forwarded.
	 */
	if (request->password->vp_length == 0) {
		REDEBUG("Password should not be empty");
		return RLM_MODULE_INVALID;
	}

	username = request->username->vp_strvalue;
	password = request->password->vp_strvalue;

	/*
	 *	NOTE(review): when debug level 3 is enabled the clear-text
	 *	password is written to the debug output.  Treat that output
	 *	as sensitive and keep this level off outside of controlled
	 *	troubleshooting.
	 */
	if (RDEBUG_ENABLED3) {
		RDEBUG3("Login attempt with password \"%s\"", password);
	} else {
		RDEBUG("Login attempt with password");
	}

	auth_rc = securidAuth(inst, request, username, password,
			      reply_msg, sizeof(reply_msg));

	if (auth_rc == RC_SECURID_AUTH_SUCCESS) {
		result = RLM_MODULE_OK;

	} else if (auth_rc == RC_SECURID_AUTH_CHALLENGE) {
		/*
		 *	Reply with an Access-Challenge (code 11) carrying a
		 *	Prompt attribute set to "no echo".
		 *
		 *	NOTE(review): the allocation is only guarded by
		 *	rad_assert(); if that macro is compiled out in this
		 *	build a NULL result would be dereferenced - confirm.
		 */
		prompt = paircreate(request->reply, PW_PROMPT, 0);

		rad_assert(prompt != NULL);
		prompt->vp_integer = 0; /* no echo */
		pairadd(&request->reply->vps, prompt);

		request->reply->code = PW_CODE_ACCESS_CHALLENGE;
		RDEBUG("Sending Access-Challenge");
		result = RLM_MODULE_HANDLED;

	} else {
		/*
		 *	RC_SECURID_AUTH_FAILURE, _ACCESS_DENIED_FAILURE,
		 *	_INVALID_SERVER_FAILURE and any unrecognised code all
		 *	end in a reject, so unknown results fail closed.
		 */
		result = RLM_MODULE_REJECT;
	}

	/* Pass on whatever message securidAuth() left for the user. */
	if (*reply_msg) pairmake_reply("Reply-Message", reply_msg, T_OP_EQ);

	return result;
}
Exemplo n.º 2
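/*
 *	Authenticate a request through securidAuth() using the clear-text
 *	User-Password attribute.
 *
 *	Returns RLM_MODULE_INVALID when User-Name is missing or when a
 *	non-empty User-Password is not supplied, RLM_MODULE_OK on success,
 *	RLM_MODULE_HANDLED after turning the reply into an Access-Challenge,
 *	and RLM_MODULE_REJECT for every other securidAuth() result.
 */
static int securid_authenticate(void *instance, REQUEST *request)
{
	int rcode;
	rlm_securid_t *inst = instance;
	VALUE_PAIR *module_fmsg_vp;
	VALUE_PAIR *vp;
	char  buffer[MAX_STRING_LEN]="";
	const char *username=NULL, *password=NULL;
	char module_fmsg[MAX_STRING_LEN]="";

	/*
	 *	We can only authenticate user requests which HAVE
	 *	a User-Name attribute.
	 */
	if (!request->username) {
		radlog(L_AUTH, "rlm_securid: Attribute \"User-Name\" is required for authentication.");
		return RLM_MODULE_INVALID;
	}

	if (!request->password) {
		radlog_request(L_AUTH, 0, request, "Attribute \"Password\" is required for authentication.");
		return RLM_MODULE_INVALID;
	}

	/*
	 *	Clear-text passwords are the only ones we support.
	 */
	if (request->password->attribute != PW_USER_PASSWORD) {
		radlog_request(L_AUTH, 0, request, "Attribute \"User-Password\" is required for authentication. Cannot use \"%s\".", request->password->name);
		return RLM_MODULE_INVALID;
	}

	/*
	 *	The user MUST supply a non-zero-length password.
	 */
	if (request->password->length == 0) {
		snprintf(module_fmsg,sizeof(module_fmsg),"rlm_securid: empty password supplied");
		module_fmsg_vp = pairmake("Module-Failure-Message", module_fmsg, T_OP_EQ);
		/* Only attach the failure message if the pair could be built. */
		if (module_fmsg_vp) {
			pairadd(&request->packet->vps, module_fmsg_vp);
		}
		return RLM_MODULE_INVALID;
	}

	/*
	 *	shortcuts
	 */
	username = request->username->vp_strvalue;
	password = request->password->vp_strvalue;

	/*
	 *	Log the attempt without the credential: the clear-text
	 *	password must not end up in debug output, which is often
	 *	retained or shared more widely than the secret should be.
	 */
	RDEBUG("User [%s] login attempt", username);

	rcode = securidAuth(inst, request, username, password,
			    buffer, sizeof(buffer));

	switch (rcode) {
	case RC_SECURID_AUTH_SUCCESS:
		rcode = RLM_MODULE_OK;
		break;

	case RC_SECURID_AUTH_CHALLENGE:
		/* reply with Access-challenge message code (11) */

		/*
		 *	Generate Prompt attribute.
		 *
		 *	NOTE(review): the allocation is only guarded by
		 *	rad_assert(); if that macro is compiled out in this
		 *	build a NULL result would be dereferenced - confirm.
		 */
		vp = paircreate(PW_PROMPT, 0, PW_TYPE_INTEGER);

		rad_assert(vp != NULL);
		vp->vp_integer = 0; /* no echo */
		pairadd(&request->reply->vps, vp);

		/* Mark the packet as an Access-Challenge packet */
		request->reply->code = PW_ACCESS_CHALLENGE;
		RDEBUG("Sending Access-Challenge.");
		rcode = RLM_MODULE_HANDLED;
		break;

	case RC_SECURID_AUTH_FAILURE:
	case RC_SECURID_AUTH_ACCESS_DENIED_FAILURE:
	case RC_SECURID_AUTH_INVALID_SERVER_FAILURE:
	default:
		/* Unknown result codes are rejected as well (fail closed). */
		rcode = RLM_MODULE_REJECT;
		break;
	}

	if (*buffer) {
		/* Generate Reply-Message attribute with reply message data */
		vp = pairmake("Reply-Message", buffer, T_OP_EQ);

		/*
		 *	The pair is dereferenced below, so skip the message
		 *	when it could not be created; the authentication
		 *	result is returned regardless.
		 */
		if (vp) {
			/*
			 *	make sure message ends with '\0'
			 *
			 *	NOTE(review): this also counts the terminator
			 *	in the attribute length - confirm that is
			 *	intended.
			 */
			if (vp->length < (int) sizeof(vp->vp_strvalue)) {
				vp->vp_strvalue[vp->length] = '\0';
				vp->length++;
			}
			pairadd(&request->reply->vps,vp);
		}
	}
	return rcode;
}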
Exemplo n.º 3
/*
 *	Authenticate a request through securidAuth() using the clear-text
 *	User-Password attribute.
 *
 *	Returns RLM_MODULE_INVALID when User-Name is missing or when a
 *	non-empty User-Password is not supplied, RLM_MODULE_OK on success,
 *	RLM_MODULE_HANDLED after turning the reply into an Access-Challenge,
 *	and RLM_MODULE_REJECT for every other securidAuth() result.
 */
static rlm_rcode_t CC_HINT(nonnull) mod_authenticate(void *instance, UNUSED void *thread, REQUEST *request)
{
	rlm_securid_t	const *inst = instance;
	char		reply_msg[FR_MAX_STRING_LEN] = "";
	char const	*username = NULL;
	char const	*password = NULL;
	VALUE_PAIR	*vp;
	int		auth_rc;
	rlm_rcode_t	result;

	/*
	 *	Both the identity and the credential attribute must be
	 *	present before anything is handed to securidAuth().
	 */
	if (!request->username) {
		REDEBUG("Attribute \"User-Name\" is required for authentication");
		return RLM_MODULE_INVALID;
	}

	if (!request->password) {
		REDEBUG("Attribute \"Password\" is required for authentication");
		return RLM_MODULE_INVALID;
	}

	/*
	 *	Only the clear-text User-Password attribute is accepted;
	 *	any other password attribute is refused.
	 */
	if (request->password->da != attr_user_password) {
		REDEBUG("Attribute \"User-Password\" is required for authentication. Cannot use \"%s\"",
			request->password->da->name);
		return RLM_MODULE_INVALID;
	}

	/*
	 *	An empty password is never forwarded.
	 */
	if (request->password->vp_length == 0) {
		REDEBUG("Password should not be empty");
		return RLM_MODULE_INVALID;
	}

	username = request->username->vp_strvalue;
	password = request->password->vp_strvalue;

	/*
	 *	NOTE(review): when debug level 3 is enabled the clear-text
	 *	password is written to the debug output.  Treat that output
	 *	as sensitive and keep this level off outside of controlled
	 *	troubleshooting.
	 */
	if (RDEBUG_ENABLED3) {
		RDEBUG3("Login attempt with password \"%s\"", password);
	} else {
		RDEBUG2("Login attempt with password");
	}

	auth_rc = securidAuth(inst, request, username, password,
			      reply_msg, sizeof(reply_msg));

	if (auth_rc == RC_SECURID_AUTH_SUCCESS) {
		result = RLM_MODULE_OK;

	} else if (auth_rc == RC_SECURID_AUTH_CHALLENGE) {
		/*
		 *	Reply with an Access-Challenge (code 11) carrying a
		 *	Prompt attribute set to "no echo".
		 */
		MEM(pair_update_reply(&vp, attr_prompt) >= 0);
		vp->vp_uint32 = 0; /* no echo */

		request->reply->code = FR_CODE_ACCESS_CHALLENGE;
		RDEBUG2("Sending Access-Challenge");
		result = RLM_MODULE_HANDLED;

	} else {
		/*
		 *	RC_SECURID_AUTH_FAILURE, _ACCESS_DENIED_FAILURE,
		 *	_INVALID_SERVER_FAILURE and any unrecognised code all
		 *	end in a reject, so unknown results fail closed.
		 */
		result = RLM_MODULE_REJECT;
	}

	/* Pass on whatever message securidAuth() left for the user. */
	if (*reply_msg) {
		MEM(pair_update_reply(&vp, attr_reply_message) >= 0);
		fr_pair_value_strcpy(vp, reply_msg);
	}

	return result;
}