void testValues() {
f = 2;
struct utmp * result;
result = getutline(anyut());
//@ assert result == \null || \valid(result);
//@ assert f == 2;
//@ assert vacuous: \false;
}
int
logout (const char *line)
{
struct UT tmp;
struct UT *ut;
int result = 0;
/* if (utmpname (_PATH_UTMP) == -1) return 0; - why?
* this makes it impossible for caller to use other file!
* Does any standard or historical precedent says this must be done? */
/* Open UTMP file. */
setutent ();
/* Fill in search information. */
#if _HAVE_UT_TYPE - 0
tmp.ut_type = USER_PROCESS;
#endif
strncpy (tmp.ut_line, line, sizeof tmp.ut_line);
/* Read the record. */
if ((ut = getutline(&tmp)) != NULL)
{
/* Clear information about who & from where. */
memset (ut->ut_name, 0, sizeof ut->ut_name);
#if _HAVE_UT_HOST - 0
memset (ut->ut_host, 0, sizeof ut->ut_host);
#endif
#if _HAVE_UT_TV - 0
# if !defined __WORDSIZE_TIME64_COMPAT32
gettimeofday (&ut->ut_tv, NULL);
# else
{
struct timeval tv;
gettimeofday (&tv, NULL);
ut->ut_tv.tv_sec = tv.tv_sec;
ut->ut_tv.tv_usec = tv.tv_usec;
}
# endif
#else
time (&ut->ut_time);
#endif
#if _HAVE_UT_TYPE - 0
ut->ut_type = DEAD_PROCESS;
#endif
if (pututline (ut) != NULL)
result = 1;
}
/* Close UTMP file. */
endutent ();
return result;
}
static void logout(const char *line)
{
#ifdef HAVE_GETUTXENT
struct utmpx utx, *putx;
pid_t pid;
strcpy(utx.ut_line, line);
setutxent();
putx = getutxline(&utx);
if (putx != NULL)
{
gettimeofday(&utx.ut_tv, NULL);
strncpy(utx.ut_line, putx->ut_line, sizeof(utx.ut_line));
strncpy(utx.ut_user, putx->ut_name, sizeof(utx.ut_name));
pid = getpid();
utx.ut_pid = pid;
strncpy(utx.ut_id, putx->ut_id, sizeof(utx.ut_id));
utx.ut_type = DEAD_PROCESS;
pututxline(&utx);
updwtmpx(WTFILE, &utx);
}
endutxent();
#else /* HAVE_GETUTXENT */
struct utmp utmp;
struct utmp *putmp;
pid_t pid;
strcpy(utmp.ut_line, line);
setutent();
putmp = getutline(&utmp);
if (putmp != NULL)
{
time(&utmp.ut_time);
strncpy(utmp.ut_line, putmp->ut_line, sizeof(utmp.ut_line));
strncpy(utmp.ut_user, putmp->ut_name, sizeof(utmp.ut_name));
pid = getpid();
utmp.ut_pid = pid;
strncpy(utmp.ut_id, putmp->ut_id, sizeof(utmp.ut_id));
utmp.ut_type = DEAD_PROCESS;
pututline(&utmp);
updwtmp(WTFILE, &utmp);
}
endutent();
#endif /* HAVE_GETUTXENT */
}
struct utmp * get_next_line(char *id, char *line) {
struct utmp request;
if (!id && !line)
return getutent();
memset(&request, 0, sizeof(request));
if (line) {
strncpy(&request.ut_line[0], line, UT_LINESIZE);
return getutline(&request);
}
request.ut_type = INIT_PROCESS;
strncpy(&request.ut_id[0], id, 4);
return getutid(&request);
}
int
logout (const char *line)
{
struct utmp tmp;
struct utmp *ut;
int result = 0;
/* Tell that we want to use the UTMP file. */
utmpname (_PATH_UTMP);
/* Open UTMP file. */
setutent ();
/* Fill in search information. */
#if _HAVE_UT_TYPE - 0
tmp.ut_type = USER_PROCESS;
#endif
strncpy (tmp.ut_line, line, sizeof tmp.ut_line);
/* Read the record. */
if( (ut = getutline(&tmp)) )
{
/* Clear information about who & from where. */
bzero (ut->ut_name, sizeof ut->ut_name);
#if _HAVE_UT_HOST - 0
bzero (ut->ut_host, sizeof ut->ut_host);
#endif
#if _HAVE_UT_TV - 0
gettimeofday (&ut->ut_tv, NULL);
#else
time (&ut->ut_time);
#endif
#if _HAVE_UT_TYPE - 0
ut->ut_type = DEAD_PROCESS;
#endif
if (pututline (ut) != NULL)
result = 1;
}
/* Close UTMP file. */
endutent ();
return result;
}
/* try to detected remote terminal IP address */
static int tcp_term_addr(struct in_addr *ina)
{
char *env_val, *ptr;
int ret = -1;
/* REMOTEHOST is set by telnetd */
if ((env_val = getenv( "REMOTEHOST" )) != NULL &&
tcp_host_addr(env_val, ina) == 0)
ret = 0;
/* SSH_CLIENT is set by sshd but some of
implementation doesn't 'export' it */
if (ret == -1 && (env_val = getenv( "SSH_CLIENT" )) != NULL)
{
if ((ptr = strchr(env_val, ' ')) != NULL)
*ptr = '\0';
if (tcp_host_addr(env_val, ina) == 0)
ret = 0;
}
#ifdef USE_UTMP
/* If we cannot find a proper address in environment we have
to check UTMP entries for our current terminal */
if (ret == -1)
{
struct utmp entry, *ut;
if ((ptr = ttyname( 0 ) ) != NULL)
{
if (strncmp( ptr, "/dev/", 5 ) == 0)
ptr += 5;
strcpy(entry.ut_line, ptr);
setutent();
if ((ut = getutline(&entry)) != NULL &&
ut->ut_addr != 0 && ut->ut_addr != INADDR_NONE &&
(ptr = inet_ntoa(*(struct in_addr*) &ut->ut_addr)) != NULL &&
tcp_host_addr(ptr, ina) == 0)
ret=0;
endutent();
}
}
#endif
if (ret == -1)
ina->s_addr = INADDR_NONE;
return ret;
}
static int
check_logout (const char *line)
{
struct utmp ut;
setutent ();
strcpy (ut.ut_line, line);
if (getutline (&ut) != NULL)
{
error (0, 0, "bogus login entry for `%s'", line);
return 1;
}
endutent ();
return 0;
}
/* save a utmp entry by line
*/
void
setutline(struct utmp *line)
{
if (ut_fd == -1 || lseek(ut_fd, ut_pos, SEEK_SET) != ut_pos) return;
if (ut_dbz) {
dbzdatum key, data;
long data_pos;
key.dsize = strlen(line->ut_line);
key.dptr = line->ut_line;
data = dbzfetch(key);
if ( data.dsize == sizeof data_pos ) /* update existing entry */ {
memcpy(&data_pos, data.dptr, data.dsize);
if ( lseek(ut_fd, data_pos, SEEK_SET) == data_pos )
write(ut_fd, line, sizeof *line);
}
else /* new entry! store it away */ {
data.dsize = sizeof *line;
data.dptr = (char*) line;
/* keep writers from stepping on each other */
if (flock(ut_fd, LOCK_EX) == 0) {
dbzstore(key,data);
flock(ut_fd, LOCK_UN);
}
}
}
else {
struct utmp *data;
if ( (data = getutline(line))
&& lseek(ut_fd, ut_pos, SEEK_SET) == ut_pos ) {
write(ut_fd, line, sizeof *line);
return;
}
}
}
static int
check_login (const char *line)
{
struct utmp *up;
struct utmp ut;
int n;
setutent ();
strcpy (ut.ut_line, line);
up = getutline (&ut);
if (up == NULL)
{
printf("cannot get entry for line `%s' (%d)", line, errno);
++errors;
return 1;
}
endutent ();
for (n = 0; n < num_entries; n++)
{
if (strcmp (line, entry[n].ut_line) == 0)
{
if (memcmp (up, &entry[n], sizeof (struct utmp)))
{
printf ("UTMP entry does not match");
++errors;
return 1;
}
return 0;
}
}
printf ("bogus entry for line `%s'", line);
++errors;
return 1;
}
int pusb_local_login(t_pusb_options *opts, const char *user)
{
struct utmp utsearch;
struct utmp *utent;
const char *from;
int i;
log_debug("Checking whether the caller is local or not...\n");
from = ttyname(STDIN_FILENO);
if (!from || !(*from))
{
log_debug("Couldn't retrieve the tty name, aborting.\n");
return (1);
}
if (!strncmp(from, "/dev/", strlen("/dev/")))
from += strlen("/dev/");
log_debug("Authentication request from tty %s\n", from);
strncpy(utsearch.ut_line, from, sizeof(utsearch.ut_line) - 1);
setutent();
utent = getutline(&utsearch);
endutent();
if (!utent)
{
log_debug("No utmp entry found for tty \"%s\"\n",
from);
return (1);
}
for (i = 0; i < 4; ++i)
{
if (utent->ut_addr_v6[i] != 0)
{
log_error("Remote authentication request: %s\n", utent->ut_host);
return (0);
}
}
log_debug("Caller is local (good)\n");
return (1);
}
void
whoami()
{
struct utmp key, *ut;
char *tty = ttyname(fileno(stdin));
int rc = 0;
if ( tty == 0 || strncmp(tty, "/dev/", 5) != 0 )
exit(1);
tty += 5;
bzero(&key, sizeof key);
strncpy(key.ut_line, tty, sizeof key.ut_line);
setutent();
if ( (ut = getutline(&key)) == 0 )
exit(1);
if (headings) header(ut);
printutmp(ut);
if (quick) putchar('\n');
endutent();
}
static void
rmut (char *line)
{
struct utmp utmp;
struct utmp *utptr;
int fd; /* for /etc/wtmp */
utmp.ut_type = USER_PROCESS;
strncpy(utmp.ut_line, clean_ttyname(line), sizeof(utmp.ut_line));
setutent();
utptr = getutline(&utmp);
/* write it out only if it exists */
if (utptr) {
utptr->ut_type = DEAD_PROCESS;
utptr->ut_time = time(NULL);
pututline(utptr);
/* set wtmp entry if wtmp file exists */
if ((fd = open(wtmpf, O_WRONLY | O_APPEND)) >= 0) {
write(fd, utptr, sizeof(utmp));
close(fd);
}
}
endutent();
chmod(line, 0666);
chown(line, 0, 0);
line[14] = line[13];
line[13] = line[12];
line[8] = 'm';
line[9] = '/';
line[10] = 'p';
line[11] = 't';
line[12] = 'y';
chmod(line, 0666);
chown(line, 0, 0);
}
void
utmp_logout (char *line)
{
#ifdef HAVE_UTMPX_H
struct utmpx utx;
struct utmpx *ut;
strncpy (utx.ut_line, line, sizeof (utx.ut_line));
# ifdef HAVE_PUTUTXLINE
setutxent();
ut = getutxline (&utx);
if (ut)
{
struct timeval tv;
ut->ut_type = DEAD_PROCESS;
# ifdef HAVE_STRUCT_UTMPX_UT_EXIT
memset (&ut->ut_exit, 0, sizeof (ut->ut_exit));
# endif
gettimeofday (&tv, 0);
ut->ut_tv.tv_sec = tv.tv_sec;
ut->ut_tv.tv_usec = tv.tv_usec;
# ifdef HAVE_STRUCT_UTMPX_UT_USER
memset (&ut->ut_user, 0, sizeof (ut->ut_user));
# elif defined HAVE_STRUCT_UTMPX_UT_NAME
memset (&ut->ut_name, 0, sizeof (ut->ut_name));
# endif
# ifdef HAVE_STRUCT_UTMPX_UT_HOST
memset (ut->ut_host, 0, sizeof (ut->ut_host));
# ifdef HAVE_STRUCT_UTMPX_UT_SYSLEN
ut->ut_syslen = 1; /* Counting NUL. */
# endif
# endif /* UT_HOST */
pututxline (ut);
/* Some systems perform wtmp updating
* already in calling pututxline().
*/
# ifdef HAVE_UPDWTMPX
updwtmpx (PATH_WTMPX, ut);
# elif defined HAVE_LOGWTMPX
logwtmpx (ut->ut_line, "", "", 0, DEAD_PROCESS);
# endif
}
endutxent ();
# elif defined HAVE_LOGOUTX /* !HAVE_PUTUTXLINE */
if (logoutx (line, 0, DEAD_PROCESS))
logwtmpx (line, "", "", 0, DEAD_PROCESS);
# endif /* HAVE_LOGOUTX */
#else /* !HAVE_UTMPX_H */
struct utmp utx;
# ifdef HAVE_PUTUTLINE
struct utmp *ut;
# endif
strncpy (utx.ut_line, line, sizeof (utx.ut_line));
# ifdef HAVE_PUTUTLINE
setutent();
ut = getutline (&utx);
if (ut)
{
# ifdef HAVE_STRUCT_UTMP_UT_TV
struct timeval tv;
# endif
# ifdef HAVE_STRUCT_UTMP_UT_TYPE
ut->ut_type = DEAD_PROCESS;
# endif
# ifdef HAVE_STRUCT_UTMP_UT_EXIT
memset (&ut->ut_exit, 0, sizeof (ut->ut_exit));
# endif
# ifdef HAVE_STRUCT_UTMP_UT_TV
gettimeofday (&tv, 0);
ut->ut_tv.tv_sec = tv.tv_sec;
ut->ut_tv.tv_usec = tv.tv_usec;
# else /* !HAVE_STRUCT_UTMP_UT_TV */
time (&(ut->ut_time));
# endif
# ifdef HAVE_STRUCT_UTMP_UT_USER
memset (&ut->ut_user, 0, sizeof (ut->ut_user));
# elif defined HAVE_STRUCT_UTMP_UT_NAME
memset (&ut->ut_name, 0, sizeof (ut->ut_name));
# endif
# ifdef HAVE_STRUCT_UTMP_UT_HOST
memset (ut->ut_host, 0, sizeof (ut->ut_host));
# endif
pututline (ut);
# ifdef HAVE_UPDWTMP
updwtmp (WTMP_FILE, ut);
# elif defined HAVE_LOGWTMP /* !HAVE_UPDWTMP */
logwtmp (ut->ut_line, "", "");
# endif
}
endutent ();
# elif defined HAVE_LOGOUT /* !HAVE_PUTUTLINE */
if (logout (line))
logwtmp (line, "", "");
# endif /* HAVE_LOGOUT */
#endif
}
void KPty::logout()
{
#ifdef HAVE_UTEMPTER
Q_D(KPty);
removeLineFromUtmp(d->ttyName, d->masterFd);
#else
Q_D(KPty);
const char *str_ptr = d->ttyName.data();
if (!memcmp(str_ptr, "/dev/", 5)) {
str_ptr += 5;
}
# ifdef __GLIBC__
else {
const char * sl_ptr = strrchr(str_ptr, '/');
if (sl_ptr) {
str_ptr = sl_ptr + 1;
}
}
# endif
# ifdef HAVE_LOGIN
# ifdef HAVE_LOGINX
::logoutx(str_ptr, 0, DEAD_PROCESS);
# else
::logout(str_ptr);
# endif
# else
# ifdef HAVE_UTMPX
struct utmpx l_struct, *ut;
# else
struct utmp l_struct, *ut;
# endif
memset(&l_struct, 0, sizeof(l_struct));
strncpy(l_struct.ut_line, str_ptr, sizeof(l_struct.ut_line));
# ifdef HAVE_UTMPX
utmpxname(_PATH_UTMPX);
setutxent();
if ((ut = getutxline(&l_struct))) {
# else
utmpname(_PATH_UTMP);
setutent();
if ((ut = getutline(&l_struct))) {
# endif
memset(ut->ut_name, 0, sizeof(*ut->ut_name));
memset(ut->ut_host, 0, sizeof(*ut->ut_host));
# ifdef HAVE_STRUCT_UTMP_UT_SYSLEN
ut->ut_syslen = 0;
# endif
# ifdef HAVE_STRUCT_UTMP_UT_TYPE
ut->ut_type = DEAD_PROCESS;
# endif
# ifdef HAVE_UTMPX
gettimeofday(&ut->ut_tv, 0);
pututxline(ut);
}
endutxent();
# else
ut->ut_time = time(0);
pututline(ut);
}
endutent();
# endif
# endif
#endif
}
/*
* NOT the same locate_host() in locate_host.c. This one just does a
* 'who am i' to try to discover where the user is...
*/
void locate_host(CtdlIPC* ipc, char *hbuf)
{
#ifndef HAVE_UTMP_H
char buf[SIZ];
FILE *who;
int a,b;
who = (FILE *)popen("who am i","r");
if (who==NULL) {
strcpy(hbuf, ipc->ServInfo.fqdn);
return;
}
fgets(buf,sizeof buf,who);
pclose(who);
b = 0;
for (a=0; !IsEmptyStr(&buf[a]); ++a) {
if ((buf[a]=='(')||(buf[a]==')')) ++b;
}
if (b<2) {
strcpy(hbuf, ipc->ServInfo.fqdn);
return;
}
for (a=0; a<strlen(buf); ++a) {
if (buf[a]=='(') {
strcpy(buf,&buf[a+1]);
}
}
for (a=0; a<strlen(buf); ++a) {
if (buf[a]==')') buf[a] = 0;
}
if (IsEmptyStr(buf)) strcpy(hbuf, ipc->ServInfo.fqdn);
else strncpy(hbuf,buf,24);
#else
char *tty = ttyname(0);
#ifdef HAVE_GETUTXLINE
struct utmpx ut, *put;
#else
struct utmp ut, *put;
#endif
if (tty == NULL) {
fail:
safestrncpy(hbuf, ipc->ServInfo.fqdn, 24);
return;
}
if (strncmp(tty, "/dev/", 5))
goto fail;
safestrncpy(ut.ut_line, &tty[5], sizeof ut.ut_line);
#ifdef HAVE_GETUTXLINE /* Solaris uses this */
if ((put = getutxline(&ut)) == NULL)
#else
if ((put = getutline(&ut)) == NULL)
#endif
goto fail;
#if defined(HAVE_UT_TYPE) || defined(HAVE_GETUTXLINE)
if (put->ut_type == USER_PROCESS) {
#endif
#if defined(HAVE_UT_HOST) || defined(HAVE_GETUTXLINE)
if (*put->ut_host)
safestrncpy(hbuf, put->ut_host, 24);
else
#endif
safestrncpy(hbuf, put->ut_line, 24);
#if defined(HAVE_UT_TYPE) || defined(HAVE_GETUTXLINE)
}
else goto fail;
#endif
#endif /* HAVE_UTMP_H */
}
int
main(int argc, char **argv)
{
extern int optind;
extern char *optarg, **environ;
struct group *gr;
register int ch;
register char *p;
int ask, fflag, hflag, pflag, cnt, errsv;
int quietlog, passwd_req;
char *domain, *ttyn;
char tbuf[MAXPATHLEN + 2], tname[sizeof(_PATH_TTY) + 10];
char *termenv;
char *childArgv[10];
char *buff;
int childArgc = 0;
#ifdef HAVE_SECURITY_PAM_MISC_H
int retcode;
pam_handle_t *pamh = NULL;
struct pam_conv conv = { misc_conv, NULL };
pid_t childPid;
#else
char *salt, *pp;
#endif
#ifdef LOGIN_CHOWN_VCS
char vcsn[20], vcsan[20];
#endif
pid = getpid();
signal(SIGALRM, timedout);
alarm((unsigned int)timeout);
signal(SIGQUIT, SIG_IGN);
signal(SIGINT, SIG_IGN);
setlocale(LC_ALL, "");
bindtextdomain(PACKAGE, LOCALEDIR);
textdomain(PACKAGE);
setpriority(PRIO_PROCESS, 0, 0);
initproctitle(argc, argv);
/*
* -p is used by getty to tell login not to destroy the environment
* -f is used to skip a second login authentication
* -h is used by other servers to pass the name of the remote
* host to login so that it may be placed in utmp and wtmp
*/
gethostname(tbuf, sizeof(tbuf));
xstrncpy(thishost, tbuf, sizeof(thishost));
domain = index(tbuf, '.');
username = tty_name = hostname = NULL;
fflag = hflag = pflag = 0;
passwd_req = 1;
while ((ch = getopt(argc, argv, "fh:p")) != -1)
switch (ch) {
case 'f':
fflag = 1;
break;
case 'h':
if (getuid()) {
fprintf(stderr,
_("login: -h for super-user only.\n"));
exit(1);
}
hflag = 1;
if (domain && (p = index(optarg, '.')) &&
strcasecmp(p, domain) == 0)
*p = 0;
hostname = strdup(optarg); /* strdup: Ambrose C. Li */
{
struct hostent *he = gethostbyname(hostname);
/* he points to static storage; copy the part we use */
hostaddress[0] = 0;
if (he && he->h_addr_list && he->h_addr_list[0])
memcpy(hostaddress, he->h_addr_list[0],
sizeof(hostaddress));
}
break;
case 'p':
pflag = 1;
break;
case '?':
default:
fprintf(stderr,
_("usage: login [-fp] [username]\n"));
exit(1);
}
argc -= optind;
argv += optind;
if (*argv) {
char *p = *argv;
username = strdup(p);
ask = 0;
/* wipe name - some people mistype their password here */
/* (of course we are too late, but perhaps this helps a little ..) */
while(*p)
*p++ = ' ';
} else
ask = 1;
for (cnt = getdtablesize(); cnt > 2; cnt--)
close(cnt);
ttyn = ttyname(0);
if (ttyn == NULL || *ttyn == '\0') {
/* no snprintf required - see definition of tname */
sprintf(tname, "%s??", _PATH_TTY);
ttyn = tname;
}
check_ttyname(ttyn);
if (strncmp(ttyn, "/dev/", 5) == 0)
tty_name = ttyn+5;
else
tty_name = ttyn;
if (strncmp(ttyn, "/dev/tty", 8) == 0)
tty_number = ttyn+8;
else {
char *p = ttyn;
while (*p && !isdigit(*p)) p++;
tty_number = p;
}
#ifdef LOGIN_CHOWN_VCS
/* find names of Virtual Console devices, for later mode change */
snprintf(vcsn, sizeof(vcsn), "/dev/vcs%s", tty_number);
snprintf(vcsan, sizeof(vcsan), "/dev/vcsa%s", tty_number);
#endif
/* set pgid to pid */
setpgrp();
/* this means that setsid() will fail */
{
struct termios tt, ttt;
tcgetattr(0, &tt);
ttt = tt;
ttt.c_cflag &= ~HUPCL;
/* These can fail, e.g. with ttyn on a read-only filesystem */
chown(ttyn, 0, 0);
chmod(ttyn, TTY_MODE);
/* Kill processes left on this tty */
tcsetattr(0,TCSAFLUSH,&ttt);
signal(SIGHUP, SIG_IGN); /* so vhangup() wont kill us */
vhangup();
signal(SIGHUP, SIG_DFL);
/* open stdin,stdout,stderr to the tty */
opentty(ttyn);
/* restore tty modes */
tcsetattr(0,TCSAFLUSH,&tt);
}
openlog("login", LOG_ODELAY, LOG_AUTHPRIV);
#if 0
/* other than iso-8859-1 */
printf("\033(K");
fprintf(stderr,"\033(K");
#endif
#ifdef HAVE_SECURITY_PAM_MISC_H
/*
* username is initialized to NULL
* and if specified on the command line it is set.
* Therefore, we are safe not setting it to anything
*/
retcode = pam_start("login",username, &conv, &pamh);
if(retcode != PAM_SUCCESS) {
fprintf(stderr, _("login: PAM Failure, aborting: %s\n"),
pam_strerror(pamh, retcode));
syslog(LOG_ERR, _("Couldn't initialize PAM: %s"),
pam_strerror(pamh, retcode));
exit(99);
}
/* hostname & tty are either set to NULL or their correct values,
depending on how much we know */
retcode = pam_set_item(pamh, PAM_RHOST, hostname);
PAM_FAIL_CHECK;
retcode = pam_set_item(pamh, PAM_TTY, tty_name);
PAM_FAIL_CHECK;
/*
* [email protected]: Provide a user prompt to PAM
* so that the "login: "******"Password: "******"login: "******"\033(K");
fprintf(stderr,"\033(K");
#endif
/* if fflag == 1, then the user has already been authenticated */
if (fflag && (getuid() == 0))
passwd_req = 0;
else
passwd_req = 1;
if(passwd_req == 1) {
int failcount=0;
/* if we didn't get a user on the command line, set it to NULL */
pam_get_item(pamh, PAM_USER, (const void **) &username);
if (!username)
pam_set_item(pamh, PAM_USER, NULL);
/* there may be better ways to deal with some of these
conditions, but at least this way I don't think we'll
be giving away information... */
/* Perhaps someday we can trust that all PAM modules will
pay attention to failure count and get rid of MAX_LOGIN_TRIES? */
retcode = pam_authenticate(pamh, 0);
while((failcount++ < PAM_MAX_LOGIN_TRIES) &&
((retcode == PAM_AUTH_ERR) ||
(retcode == PAM_USER_UNKNOWN) ||
(retcode == PAM_CRED_INSUFFICIENT) ||
(retcode == PAM_AUTHINFO_UNAVAIL))) {
pam_get_item(pamh, PAM_USER, (const void **) &username);
syslog(LOG_NOTICE,_("FAILED LOGIN %d FROM %s FOR %s, %s"),
failcount, hostname, username, pam_strerror(pamh, retcode));
logbtmp(tty_name, username, hostname);
fprintf(stderr,_("Login incorrect\n\n"));
pam_set_item(pamh,PAM_USER,NULL);
retcode = pam_authenticate(pamh, 0);
}
if (retcode != PAM_SUCCESS) {
pam_get_item(pamh, PAM_USER, (const void **) &username);
if (retcode == PAM_MAXTRIES)
syslog(LOG_NOTICE,_("TOO MANY LOGIN TRIES (%d) FROM %s FOR "
"%s, %s"), failcount, hostname, username,
pam_strerror(pamh, retcode));
else
syslog(LOG_NOTICE,_("FAILED LOGIN SESSION FROM %s FOR %s, %s"),
hostname, username, pam_strerror(pamh, retcode));
logbtmp(tty_name, username, hostname);
fprintf(stderr,_("\nLogin incorrect\n"));
pam_end(pamh, retcode);
exit(0);
}
retcode = pam_acct_mgmt(pamh, 0);
if(retcode == PAM_NEW_AUTHTOK_REQD) {
retcode = pam_chauthtok(pamh, PAM_CHANGE_EXPIRED_AUTHTOK);
}
PAM_FAIL_CHECK;
}
/*
* Grab the user information out of the password file for future usage
* First get the username that we are actually using, though.
*/
retcode = pam_get_item(pamh, PAM_USER, (const void **) &username);
PAM_FAIL_CHECK;
if (!username || !*username) {
fprintf(stderr, _("\nSession setup problem, abort.\n"));
syslog(LOG_ERR, _("NULL user name in %s:%d. Abort."),
__FUNCTION__, __LINE__);
pam_end(pamh, PAM_SYSTEM_ERR);
exit(1);
}
if (!(pwd = getpwnam(username))) {
fprintf(stderr, _("\nSession setup problem, abort.\n"));
syslog(LOG_ERR, _("Invalid user name \"%s\" in %s:%d. Abort."),
username, __FUNCTION__, __LINE__);
pam_end(pamh, PAM_SYSTEM_ERR);
exit(1);
}
/*
* Create a copy of the pwd struct - otherwise it may get
* clobbered by PAM
*/
memcpy(&pwdcopy, pwd, sizeof(*pwd));
pwd = &pwdcopy;
pwd->pw_name = strdup(pwd->pw_name);
pwd->pw_passwd = strdup(pwd->pw_passwd);
pwd->pw_gecos = strdup(pwd->pw_gecos);
pwd->pw_dir = strdup(pwd->pw_dir);
pwd->pw_shell = strdup(pwd->pw_shell);
if (!pwd->pw_name || !pwd->pw_passwd || !pwd->pw_gecos ||
!pwd->pw_dir || !pwd->pw_shell) {
fprintf(stderr, _("login: Out of memory\n"));
syslog(LOG_ERR, "Out of memory");
pam_end(pamh, PAM_SYSTEM_ERR);
exit(1);
}
username = pwd->pw_name;
/*
* Initialize the supplementary group list.
* This should be done before pam_setcred because
* the PAM modules might add groups during pam_setcred.
*/
if (initgroups(username, pwd->pw_gid) < 0) {
syslog(LOG_ERR, "initgroups: %m");
fprintf(stderr, _("\nSession setup problem, abort.\n"));
pam_end(pamh, PAM_SYSTEM_ERR);
exit(1);
}
retcode = pam_open_session(pamh, 0);
PAM_FAIL_CHECK;
retcode = pam_setcred(pamh, PAM_ESTABLISH_CRED);
PAM_FAIL_CHECK;
#else /* ! HAVE_SECURITY_PAM_MISC_H */
for (cnt = 0;; ask = 1) {
if (ask) {
fflag = 0;
getloginname();
}
/* Dirty patch to fix a gigantic security hole when using
yellow pages. This problem should be solved by the
libraries, and not by programs, but this must be fixed
urgently! If the first char of the username is '+', we
avoid login success.
Feb 95 <*****@*****.**> */
if (username[0] == '+') {
puts(_("Illegal username"));
badlogin(username);
sleepexit(1);
}
/* (void)strcpy(tbuf, username); why was this here? */
if ((pwd = getpwnam(username))) {
# ifdef SHADOW_PWD
struct spwd *sp;
if ((sp = getspnam(username)))
pwd->pw_passwd = sp->sp_pwdp;
# endif
salt = pwd->pw_passwd;
} else
salt = "xx";
if (pwd) {
initgroups(username, pwd->pw_gid);
checktty(username, tty_name, pwd); /* in checktty.c */
}
/* if user not super-user, check for disabled logins */
if (pwd == NULL || pwd->pw_uid)
checknologin();
/*
* Disallow automatic login to root; if not invoked by
* root, disallow if the uid's differ.
*/
if (fflag && pwd) {
int uid = getuid();
passwd_req = pwd->pw_uid == 0 ||
(uid && uid != pwd->pw_uid);
}
/*
* If trying to log in as root, but with insecure terminal,
* refuse the login attempt.
*/
if (pwd && pwd->pw_uid == 0 && !rootterm(tty_name)) {
fprintf(stderr,
_("%s login refused on this terminal.\n"),
pwd->pw_name);
if (hostname)
syslog(LOG_NOTICE,
_("LOGIN %s REFUSED FROM %s ON TTY %s"),
pwd->pw_name, hostname, tty_name);
else
syslog(LOG_NOTICE,
_("LOGIN %s REFUSED ON TTY %s"),
pwd->pw_name, tty_name);
continue;
}
/*
* If no pre-authentication and a password exists
* for this user, prompt for one and verify it.
*/
if (!passwd_req || (pwd && !*pwd->pw_passwd))
break;
setpriority(PRIO_PROCESS, 0, -4);
pp = getpass(_("Password: "******"CRYPTO", 6) == 0) {
if (pwd && cryptocard()) break;
}
# endif /* CRYPTOCARD */
p = crypt(pp, salt);
setpriority(PRIO_PROCESS, 0, 0);
# ifdef KERBEROS
/*
* If not present in pw file, act as we normally would.
* If we aren't Kerberos-authenticated, try the normal
* pw file for a password. If that's ok, log the user
* in without issueing any tickets.
*/
if (pwd && !krb_get_lrealm(realm,1)) {
/*
* get TGT for local realm; be careful about uid's
* here for ticket file ownership
*/
setreuid(geteuid(),pwd->pw_uid);
kerror = krb_get_pw_in_tkt(pwd->pw_name, "", realm,
"krbtgt", realm, DEFAULT_TKT_LIFE, pp);
setuid(0);
if (kerror == INTK_OK) {
memset(pp, 0, strlen(pp));
notickets = 0; /* user got ticket */
break;
}
}
# endif /* KERBEROS */
memset(pp, 0, strlen(pp));
if (pwd && !strcmp(p, pwd->pw_passwd))
break;
printf(_("Login incorrect\n"));
badlogin(username); /* log ALL bad logins */
failures++;
/* we allow 10 tries, but after 3 we start backing off */
if (++cnt > 3) {
if (cnt >= 10) {
sleepexit(1);
}
sleep((unsigned int)((cnt - 3) * 5));
}
}
#endif /* !HAVE_SECURITY_PAM_MISC_H */
/* committed to login -- turn off timeout */
alarm((unsigned int)0);
endpwent();
/* This requires some explanation: As root we may not be able to
read the directory of the user if it is on an NFS mounted
filesystem. We temporarily set our effective uid to the user-uid
making sure that we keep root privs. in the real uid.
A portable solution would require a fork(), but we rely on Linux
having the BSD setreuid() */
{
char tmpstr[MAXPATHLEN];
uid_t ruid = getuid();
gid_t egid = getegid();
/* avoid snprintf - old systems do not have it, or worse,
have a libc in which snprintf is the same as sprintf */
if (strlen(pwd->pw_dir) + sizeof(_PATH_HUSHLOGIN) + 2 > MAXPATHLEN)
quietlog = 0;
else {
sprintf(tmpstr, "%s/%s", pwd->pw_dir, _PATH_HUSHLOGIN);
setregid(-1, pwd->pw_gid);
setreuid(0, pwd->pw_uid);
quietlog = (access(tmpstr, R_OK) == 0);
setuid(0); /* setreuid doesn't do it alone! */
setreuid(ruid, 0);
setregid(-1, egid);
}
}
/* for linux, write entries in utmp and wtmp */
{
struct utmp ut;
struct utmp *utp;
utmpname(_PATH_UTMP);
setutent();
/* Find pid in utmp.
login sometimes overwrites the runlevel entry in /var/run/utmp,
confusing sysvinit. I added a test for the entry type, and the problem
was gone. (In a runlevel entry, st_pid is not really a pid but some number
calculated from the previous and current runlevel).
Michael Riepe <*****@*****.**>
*/
while ((utp = getutent()))
if (utp->ut_pid == pid
&& utp->ut_type >= INIT_PROCESS
&& utp->ut_type <= DEAD_PROCESS)
break;
/* If we can't find a pre-existing entry by pid, try by line.
BSD network daemons may rely on this. (anonymous) */
if (utp == NULL) {
setutent();
ut.ut_type = LOGIN_PROCESS;
strncpy(ut.ut_line, tty_name, sizeof(ut.ut_line));
utp = getutline(&ut);
}
if (utp) {
memcpy(&ut, utp, sizeof(ut));
} else {
/* some gettys/telnetds don't initialize utmp... */
memset(&ut, 0, sizeof(ut));
}
if (ut.ut_id[0] == 0)
strncpy(ut.ut_id, tty_number, sizeof(ut.ut_id));
strncpy(ut.ut_user, username, sizeof(ut.ut_user));
xstrncpy(ut.ut_line, tty_name, sizeof(ut.ut_line));
#ifdef _HAVE_UT_TV /* in <utmpbits.h> included by <utmp.h> */
gettimeofday(&ut.ut_tv, NULL);
#else
{
time_t t;
time(&t);
ut.ut_time = t; /* ut_time is not always a time_t */
/* glibc2 #defines it as ut_tv.tv_sec */
}
#endif
ut.ut_type = USER_PROCESS;
ut.ut_pid = pid;
if (hostname) {
xstrncpy(ut.ut_host, hostname, sizeof(ut.ut_host));
if (hostaddress[0])
memcpy(&ut.ut_addr, hostaddress, sizeof(ut.ut_addr));
}
pututline(&ut);
endutent();
#if HAVE_UPDWTMP
updwtmp(_PATH_WTMP, &ut);
#else
#if 0
/* The O_APPEND open() flag should be enough to guarantee
atomic writes at end of file. */
{
int wtmp;
if((wtmp = open(_PATH_WTMP, O_APPEND|O_WRONLY)) >= 0) {
write(wtmp, (char *)&ut, sizeof(ut));
close(wtmp);
}
}
#else
/* Probably all this locking below is just nonsense,
and the short version is OK as well. */
{
int lf, wtmp;
if ((lf = open(_PATH_WTMPLOCK, O_CREAT|O_WRONLY, 0660)) >= 0) {
flock(lf, LOCK_EX);
if ((wtmp = open(_PATH_WTMP, O_APPEND|O_WRONLY)) >= 0) {
write(wtmp, (char *)&ut, sizeof(ut));
close(wtmp);
}
flock(lf, LOCK_UN);
close(lf);
}
}
#endif
#endif
}
dolastlog(quietlog);
chown(ttyn, pwd->pw_uid,
(gr = getgrnam(TTYGRPNAME)) ? gr->gr_gid : pwd->pw_gid);
chmod(ttyn, TTY_MODE);
#ifdef LOGIN_CHOWN_VCS
/* if tty is one of the VC's then change owner and mode of the
special /dev/vcs devices as well */
if (consoletty(0)) {
chown(vcsn, pwd->pw_uid, (gr ? gr->gr_gid : pwd->pw_gid));
chown(vcsan, pwd->pw_uid, (gr ? gr->gr_gid : pwd->pw_gid));
chmod(vcsn, TTY_MODE);
chmod(vcsan, TTY_MODE);
}
#endif
setgid(pwd->pw_gid);
if (*pwd->pw_shell == '\0')
pwd->pw_shell = _PATH_BSHELL;
/* preserve TERM even without -p flag */
{
char *ep;
if(!((ep = getenv("TERM")) && (termenv = strdup(ep))))
termenv = "dumb";
}
/* destroy environment unless user has requested preservation */
if (!pflag)
{
environ = (char**)malloc(sizeof(char*));
memset(environ, 0, sizeof(char*));
}
setenv("HOME", pwd->pw_dir, 0); /* legal to override */
if(pwd->pw_uid)
setenv("PATH", _PATH_DEFPATH, 1);
else
setenv("PATH", _PATH_DEFPATH_ROOT, 1);
setenv("SHELL", pwd->pw_shell, 1);
setenv("TERM", termenv, 1);
/* mailx will give a funny error msg if you forget this one */
{
char tmp[MAXPATHLEN];
/* avoid snprintf */
if (sizeof(_PATH_MAILDIR) + strlen(pwd->pw_name) + 1 < MAXPATHLEN) {
sprintf(tmp, "%s/%s", _PATH_MAILDIR, pwd->pw_name);
setenv("MAIL",tmp,0);
}
}
/* LOGNAME is not documented in login(1) but
HP-UX 6.5 does it. We'll not allow modifying it.
*/
setenv("LOGNAME", pwd->pw_name, 1);
#ifdef HAVE_SECURITY_PAM_MISC_H
{
int i;
char ** env = pam_getenvlist(pamh);
if (env != NULL) {
for (i=0; env[i]; i++) {
putenv(env[i]);
/* D(("env[%d] = %s", i,env[i])); */
}
}
}
#endif
setproctitle("login", username);
if (!strncmp(tty_name, "ttyS", 4))
syslog(LOG_INFO, _("DIALUP AT %s BY %s"), tty_name, pwd->pw_name);
/* allow tracking of good logins.
-steve philp ([email protected]) */
if (pwd->pw_uid == 0) {
if (hostname)
syslog(LOG_NOTICE, _("ROOT LOGIN ON %s FROM %s"),
tty_name, hostname);
else
syslog(LOG_NOTICE, _("ROOT LOGIN ON %s"), tty_name);
} else {
if (hostname)
syslog(LOG_INFO, _("LOGIN ON %s BY %s FROM %s"), tty_name,
pwd->pw_name, hostname);
else
syslog(LOG_INFO, _("LOGIN ON %s BY %s"), tty_name,
pwd->pw_name);
}
if (!quietlog) {
motd();
#ifdef LOGIN_STAT_MAIL
/*
* This turns out to be a bad idea: when the mail spool
* is NFS mounted, and the NFS connection hangs, the
* login hangs, even root cannot login.
* Checking for mail should be done from the shell.
*/
{
struct stat st;
char *mail;
mail = getenv("MAIL");
if (mail && stat(mail, &st) == 0 && st.st_size != 0) {
if (st.st_mtime > st.st_atime)
printf(_("You have new mail.\n"));
else
printf(_("You have mail.\n"));
}
}
#endif
}
signal(SIGALRM, SIG_DFL);
signal(SIGQUIT, SIG_DFL);
signal(SIGTSTP, SIG_IGN);
#ifdef HAVE_SECURITY_PAM_MISC_H
/*
* We must fork before setuid() because we need to call
* pam_close_session() as root.
*/
childPid = fork();
if (childPid < 0) {
int errsv = errno;
/* error in fork() */
fprintf(stderr, _("login: failure forking: %s"), strerror(errsv));
PAM_END;
exit(0);
}
if (childPid) {
/* parent - wait for child to finish, then cleanup session */
signal(SIGHUP, SIG_IGN);
signal(SIGINT, SIG_IGN);
signal(SIGQUIT, SIG_IGN);
signal(SIGTSTP, SIG_IGN);
signal(SIGTTIN, SIG_IGN);
signal(SIGTTOU, SIG_IGN);
wait(NULL);
PAM_END;
exit(0);
}
/* child */
/*
* Problem: if the user's shell is a shell like ash that doesnt do
* setsid() or setpgrp(), then a ctrl-\, sending SIGQUIT to every
* process in the pgrp, will kill us.
*/
/* start new session */
setsid();
/* make sure we have a controlling tty */
opentty(ttyn);
openlog("login", LOG_ODELAY, LOG_AUTHPRIV); /* reopen */
/*
* TIOCSCTTY: steal tty from other process group.
*/
if (ioctl(0, TIOCSCTTY, 1))
syslog(LOG_ERR, _("TIOCSCTTY failed: %m"));
#endif
signal(SIGINT, SIG_DFL);
/* discard permissions last so can't get killed and drop core */
if(setuid(pwd->pw_uid) < 0 && pwd->pw_uid) {
syslog(LOG_ALERT, _("setuid() failed"));
exit(1);
}
/* wait until here to change directory! */
if (chdir(pwd->pw_dir) < 0) {
printf(_("No directory %s!\n"), pwd->pw_dir);
if (chdir("/"))
exit(0);
pwd->pw_dir = "/";
printf(_("Logging in with home = \"/\".\n"));
}
/* if the shell field has a space: treat it like a shell script */
if (strchr(pwd->pw_shell, ' ')) {
buff = malloc(strlen(pwd->pw_shell) + 6);
if (!buff) {
fprintf(stderr, _("login: no memory for shell script.\n"));
exit(0);
}
strcpy(buff, "exec ");
strcat(buff, pwd->pw_shell);
childArgv[childArgc++] = "/bin/sh";
childArgv[childArgc++] = "-sh";
childArgv[childArgc++] = "-c";
childArgv[childArgc++] = buff;
} else {
tbuf[0] = '-';
xstrncpy(tbuf + 1, ((p = rindex(pwd->pw_shell, '/')) ?
p + 1 : pwd->pw_shell),
sizeof(tbuf)-1);
childArgv[childArgc++] = pwd->pw_shell;
childArgv[childArgc++] = tbuf;
}
childArgv[childArgc++] = NULL;
execvp(childArgv[0], childArgv + 1);
errsv = errno;
if (!strcmp(childArgv[0], "/bin/sh"))
fprintf(stderr, _("login: couldn't exec shell script: %s.\n"),
strerror(errsv));
else
fprintf(stderr, _("login: no shell: %s.\n"), strerror(errsv));
exit(0);
}
void
checkutmp(int picky)
{
char *line;
struct utmp *ut;
#if HAVE_UTMPX_H
struct utmpx *utx;
#endif
pid_t pid = getpid();
#if HAVE_UTMPX_H
setutxent();
#endif
setutent();
if (picky) {
#if HAVE_UTMPX_H
while ((utx = getutxent()))
if (utx->ut_pid == pid)
break;
if (utx)
utxent = *utx;
#endif
while ((ut = getutent()))
if (ut->ut_pid == pid)
break;
if (ut)
utent = *ut;
#if HAVE_UTMPX_H
endutxent();
#endif
endutent();
if (!ut) {
puts(NO_UTENT);
exit(1);
}
#ifndef UNIXPC
/*
* If there is no ut_line value in this record, fill
* it in by getting the TTY name and stuffing it in
* the structure. The UNIX/PC is broken in this regard
* and needs help ...
*/
if (utent.ut_line[0] == '\0')
#endif /* !UNIXPC */
{
if (!(line = ttyname(0))) {
puts(NO_TTY);
exit(1);
}
if (strncmp(line, "/dev/", 5) == 0)
line += 5;
strncpy(utent.ut_line, line, sizeof utent.ut_line);
#if HAVE_UTMPX_H
strncpy(utxent.ut_line, line, sizeof utxent.ut_line);
#endif
}
} else {
if (!(line = ttyname(0))) {
puts(NO_TTY);
exit(1);
}
if (strncmp(line, "/dev/", 5) == 0)
line += 5;
strncpy (utent.ut_line, line, sizeof utent.ut_line);
if ((ut = getutline(&utent)))
strncpy(utent.ut_id, ut->ut_id, sizeof ut->ut_id);
strcpy(utent.ut_user, "LOGIN");
utent.ut_pid = getpid();
utent.ut_type = LOGIN_PROCESS;
time(&utent.ut_time);
#if HAVE_UTMPX_H
strncpy(utxent.ut_line, line, sizeof utxent.ut_line);
if ((utx = getutxline(&utxent)))
strncpy(utxent.ut_id, utx->ut_id, sizeof utxent.ut_id);
strcpy(utxent.ut_user, "LOGIN");
utxent.ut_pid = utent.ut_pid;
utxent.ut_type = utent.ut_type;
gettimeofday((struct timeval *) &utxent.ut_tv, NULL);
utent.ut_time = utxent.ut_tv.tv_sec;
#endif
}
}
/*
* Update wtmp and utmp logs.
*/
static void log_utmp(struct login_context *cxt)
{
struct utmp ut;
struct utmp *utp;
struct timeval tv;
utmpname(_PATH_UTMP);
setutent();
/* Find pid in utmp.
*
* login sometimes overwrites the runlevel entry in /var/run/utmp,
* confusing sysvinit. I added a test for the entry type, and the
* problem was gone. (In a runlevel entry, st_pid is not really a pid
* but some number calculated from the previous and current runlevel.)
* -- Michael Riepe <*****@*****.**>
*/
while ((utp = getutent()))
if (utp->ut_pid == cxt->pid
&& utp->ut_type >= INIT_PROCESS
&& utp->ut_type <= DEAD_PROCESS)
break;
/* If we can't find a pre-existing entry by pid, try by line.
* BSD network daemons may rely on this. */
if (utp == NULL && cxt->tty_name) {
setutent();
ut.ut_type = LOGIN_PROCESS;
strncpy(ut.ut_line, cxt->tty_name, sizeof(ut.ut_line));
utp = getutline(&ut);
}
/* If we can't find a pre-existing entry by pid and line, try it by id.
* Very stupid telnetd daemons don't set up utmp at all. (kzak) */
if (utp == NULL && cxt->tty_number) {
setutent();
ut.ut_type = DEAD_PROCESS;
strncpy(ut.ut_id, cxt->tty_number, sizeof(ut.ut_id));
utp = getutid(&ut);
}
if (utp)
memcpy(&ut, utp, sizeof(ut));
else
/* some gettys/telnetds don't initialize utmp... */
memset(&ut, 0, sizeof(ut));
if (cxt->tty_number && ut.ut_id[0] == 0)
strncpy(ut.ut_id, cxt->tty_number, sizeof(ut.ut_id));
if (cxt->username)
strncpy(ut.ut_user, cxt->username, sizeof(ut.ut_user));
if (cxt->tty_name)
xstrncpy(ut.ut_line, cxt->tty_name, sizeof(ut.ut_line));
#ifdef _HAVE_UT_TV /* in <utmpbits.h> included by <utmp.h> */
gettimeofday(&tv, NULL);
ut.ut_tv.tv_sec = tv.tv_sec;
ut.ut_tv.tv_usec = tv.tv_usec;
#else
{
time_t t;
time(&t);
ut.ut_time = t; /* ut_time is not always a time_t */
/* glibc2 #defines it as ut_tv.tv_sec */
}
#endif
ut.ut_type = USER_PROCESS;
ut.ut_pid = cxt->pid;
if (cxt->hostname) {
xstrncpy(ut.ut_host, cxt->hostname, sizeof(ut.ut_host));
if (*cxt->hostaddress)
memcpy(&ut.ut_addr_v6, cxt->hostaddress,
sizeof(ut.ut_addr_v6));
}
pututline(&ut);
endutent();
updwtmp(_PATH_WTMP, &ut);
}
PAM_EXTERN int
pam_sm_authenticate (pam_handle_t *pamh, int flags,int argc, const char *argv[])
{
const char *service;
const char *user;
int reader_n=READER_N;
int pam_err;
struct utmp utsearch;
struct utmp *utent;
const char *from;
const char *tty;
const char *rhost;
int i;
if (argc > 1)
if (!strcmp(argv[0], "-r"))
reader_n=atoi(argv[1]);
/* identify user */
if ((pam_err = pam_get_user(pamh, &user, NULL)) != PAM_SUCCESS || !user || !*user)
{
log_error("Unable to retrieve PAM user name.\n",NULL);
return (pam_err);
}
if ((pam_err = pam_get_item(pamh, PAM_SERVICE,(const void **)(const void *)&service)) != PAM_SUCCESS || !user || !*user)
{
log_error("Unable to retrieve PAM service name.\n",NULL);
return (pam_err);
}
log_debug("pam_rfid %s auth start...\n",VERSION);
log_info("Authentication request for user \"%s\" (%s)\n",user, service);
/* check if local */
if (pam_get_item(pamh, PAM_TTY,
(const void **)(const void *)&tty) == PAM_SUCCESS)
{
if (tty && !strcmp(tty, "ssh"))
{
log_debug("SSH Authentication, aborting.\n",NULL);
return (PAM_AUTH_ERR);
}
}
log_debug("Checking whether the caller is local or not...\n",NULL);
/* Some tty checks... */
from = ttyname(STDIN_FILENO);
if (!from || !(*from))
{
log_debug("Couldn't retrieve the tty name.\n",NULL);
/* return (1); */
} else {
if (!strncmp(from, "/dev/", strlen("/dev/")))
from += strlen("/dev/");
log_debug("Authentication request from tty %s\n", from);
strncpy(utsearch.ut_line, from, sizeof(utsearch.ut_line) - 1);
setutent();
utent = getutline(&utsearch);
endutent();
if (!utent)
{
log_debug("No utmp entry found for tty \"%s\"\n",
from);
goto CONTINUE;
}
for (i = 0; i < 4; ++i)
{
if (utent->ut_addr_v6[i] != 0)
{
log_error("Remote authentication request: %s\n", utent->ut_host);
log_debug("Remote login denied. \n",NULL);
return (PAM_CRED_INSUFFICIENT);
}
}
}
CONTINUE:
if ( ( pam_err = pam_get_item(pamh, PAM_RHOST,(const void **)(const void *)&rhost) ) != PAM_SUCCESS )
{
log_error("Unable to retrieve the PAM RHOST.\n",NULL);
return (pam_err);
}
if (rhost && strlen(rhost) > 0)
{
log_debug("Remote login denied. \n",NULL);
return (PAM_CRED_INSUFFICIENT);
}
log_debug("Caller is local (good)\n",NULL);
/* read config */
if (!config_readfile(CONF_FILE))
{
log_info("Error reading configuration file %s. Using defaults.\n",CONF_FILE);
}
/* auth call*/
pam_err=rfid_auth_user(reader_n,user,service);
return (pam_err);
}
void runSuccess() {
getutline(anyut());
}
