示例#1
文件: radius.c 项目: OPSF/uClinux
/*
 * PAP authentication hook backed by RADIUS.
 *
 * When RADIUS is disabled the call is forwarded to the previously installed
 * hook, or -1 is returned if there is none.  Otherwise an attribute list
 * holding the user name and password is built and passed to radius_auth().
 *
 * Returns the value of radius_auth() once a request has been built, 0 if the
 * server is unknown or an attribute could not be added, and sets *t_msgp to
 * "Login ok" only when radius_auth() returned a positive value.
 *
 * NOTE(review): the peer-supplied user name and cleartext password are passed
 * with their full strlen(); whether radius_add_attrib() bounds the value to
 * the RADIUS attribute size, and where the password is obscured before it is
 * sent, is not visible in this function -- confirm in those helpers.
 */
static int
radius_pap_auth(char *t_user, char *t_passwd, char **t_msgp,
		struct wordlist **t_paddrs, struct wordlist **t_popts)
{
	struct radius_attrib *attrs = NULL;
	int result = 0;

	if (!use_radius) {
		/* Not ours to answer: chain to the earlier hook when one exists. */
		return prev_pap_auth_hook
			? prev_pap_auth_hook(t_user, t_passwd, t_msgp,
					     t_paddrs, t_popts)
			: -1;
	}

	/* Failure message is the default; only a positive reply replaces it. */
	*t_msgp = "Login failed";

	if (radius_server == -1) {
		error("RADIUS: server not found");
		return 0;
	}

	if (!radius_add_attrib(&attrs, PW_VENDOR_NONE, PW_USER_NAME,
			       0, t_user, strlen(t_user)))
		goto done;

	if (!radius_add_attrib(&attrs, PW_VENDOR_NONE, PW_PASSWORD,
			       0, t_passwd, strlen(t_passwd)))
		goto done;

	result = radius_auth(&attrs, NULL);
	if (result > 0)
		*t_msgp = "Login ok";

done:
	/* Single release point for the attribute list on every path above. */
	radius_free_attrib(attrs);
	return result;
}
示例#2
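/*
 * PAP authentication hook backed by TACACS+.
 *
 * A previously installed hook is consulted first; any result >= 0 from it is
 * returned as-is.  If TACACS+ is disabled, -1 is returned.  Otherwise the
 * user name and password are sent to the server, and, when use_authorize is
 * set, a second connection requests authorization for service "ppp",
 * protocol "ip".  "addr=" attributes in the authorization reply are copied
 * into *t_paddrs as the list of allowed addresses (an empty list is left as
 * NULL, which the original comment describes as "allow all").
 *
 * Returns 1 on success (and sets the global `authorized`), 0 on any failure
 * with *t_msgp describing it, -1 when TACACS+ is not in use.
 *
 * Every failure return closes the socket it opened and releases the request
 * attribute list, so repeated failed logins do not leak descriptors.
 */
static int
tacacs_auth(char *t_user, char *t_passwd, char**t_msgp,
			struct wordlist **t_paddrs, struct wordlist **t_popts)
{
    int tac_fd;
    char *msg;
    struct areply arep;
    struct tac_attrib *attr;
    struct tac_attrib *attrentry;
    struct wordlist **pnextaddr;
    struct wordlist *addr;
    int addrlen;
    int ret;

    if (prev_pap_auth_hook) {
        ret = prev_pap_auth_hook(t_user, t_passwd, t_msgp, t_paddrs, t_popts);
        if (ret >= 0) {
            return ret;
        }
    }

    if (!use_tacacs)
        return -1;

    *t_msgp = "TACACS+ server failed";
    *t_popts = NULL;

    /* start authentication */

    if (tac_server == -1)
        return 0;

    tac_fd = tac_connect(&tac_server, 1);
    if (tac_fd < 0)
        return 0;

    if (tac_authen_pap_send(tac_fd, t_user, t_passwd, tty) < 0) {
        close(tac_fd);
        return 0;
    }

    /* The socket is no longer needed once the reply has been read,
     * whether the reply is an accept or a reject. */
    msg = tac_authen_pap_read(tac_fd);
    close(tac_fd);
    if (msg != NULL) {
        *t_msgp = msg;
        return 0;
    }

    /* user/password is valid, now check authorization */
    if (use_authorize) {
        tac_fd = tac_connect(&tac_server, 1);
        if (tac_fd < 0)
            return 0;

        attr = NULL;
        tac_add_attrib(&attr, "service", "ppp");
        tac_add_attrib(&attr, "protocol", "ip");

        if (tac_author_send(tac_fd, t_user, tty, attr) < 0) {
            tac_free_attrib(&attr);
            close(tac_fd);
            return 0;
        }

        /* Start from a known state so that a reply the helper fails to fill
         * in cannot be read as a stale PASS status or a stray pointer.
         * NOTE(review): tac_author_read()'s result is not checked here;
         * confirm it always sets arep.status when the read fails. */
        memset(&arep, 0, sizeof arep);
        tac_author_read(tac_fd, &arep);

        /* Request attributes and socket are finished with on both outcomes. */
        tac_free_attrib(&attr);
        close(tac_fd);

        if (arep.status != AUTHOR_STATUS_PASS_ADD
                && arep.status != AUTHOR_STATUS_PASS_REPL) {
            /* Keep the default failure text if the reply carried none. */
            if (arep.msg != NULL)
                *t_msgp = arep.msg;
            /* NOTE(review): arep.attr is not released on this path; confirm
             * whether tac_author_read() can populate it on a denial. */
            return 0;
        }

        /* Build up list of allowable addresses */
        *t_paddrs = NULL; /* Default to allow all */
        pnextaddr = t_paddrs;
        for (attrentry = arep.attr; attrentry != NULL;
             attrentry = attrentry->next) {
            if (strncmp(attrentry->attr, "addr=", 5) != 0)
                continue;

            /* attr_len comes from the server reply; a value shorter than the
             * "addr=" prefix would make the length below negative and turn
             * the allocation and copy sizes into huge unsigned values. */
            if (attrentry->attr_len < 5)
                continue;
            addrlen = attrentry->attr_len - 5;

            /* Allocate a buffer for both the structure and the address */
            addr = malloc(sizeof(struct wordlist) + addrlen + 1);
            if (addr == NULL)
                novm("TACACS+ address");

            addr->word = (char *)(addr + 1);
            strncpy(addr->word, attrentry->attr + 5, addrlen);
            addr->word[addrlen] = '\0';   /* strncpy does not terminate */

            addr->next = NULL;
            *pnextaddr = addr;
            pnextaddr = &addr->next;
        }

        tac_free_attrib(&arep.attr);
    }

    *t_msgp = "Login succeeded";
    syslog(LOG_INFO,"TACACS+ login succeeded for %s", t_user);

    authorized = 1;

    return 1;
}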