/*
 * PAP authentication hook backed by RADIUS.
 *
 * Builds an Access-Request carrying User-Name and Password for t_user /
 * t_passwd and hands it to radius_auth().  t_paddrs and t_popts are only
 * forwarded to a previously installed hook; this function never writes them.
 *
 * Returns  > 0  on success (*t_msgp set to "Login ok"),
 *          0    on refusal or internal failure (*t_msgp set to "Login failed"),
 *          -1   when RADIUS is disabled and no earlier hook exists.
 */
static int radius_pap_auth(char *t_user, char *t_passwd, char **t_msgp,
                           struct wordlist **t_paddrs, struct wordlist **t_popts)
{
    struct radius_attrib *attribs = NULL;
    int result;

    /* RADIUS disabled: defer to whatever hook was installed before ours. */
    if (!use_radius)
        return prev_pap_auth_hook
            ? prev_pap_auth_hook(t_user, t_passwd, t_msgp, t_paddrs, t_popts)
            : -1;

    *t_msgp = "Login failed";
    if (radius_server == -1) {
        error("RADIUS: server not found");
        return 0;
    }

    /* User-Name first, then the PAP password as PW_PASSWORD; a failure in
     * either attribute build releases whatever was already attached. */
    if (!radius_add_attrib(&attribs, PW_VENDOR_NONE, PW_USER_NAME, 0,
                           t_user, strlen(t_user))
        || !radius_add_attrib(&attribs, PW_VENDOR_NONE, PW_PASSWORD, 0,
                              t_passwd, strlen(t_passwd))) {
        radius_free_attrib(attribs);
        return 0;
    }

    result = radius_auth(&attribs, NULL);
    if (result > 0)
        *t_msgp = "Login ok";
    radius_free_attrib(attribs);
    return result;
}
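/*
 * PAP authentication hook backed by TACACS+, with optional authorization.
 *
 * A previously installed hook gets first refusal; TACACS+ is consulted only
 * when that hook is absent or declines (negative result) and use_tacacs is
 * set.  Authentication sends t_user / t_passwd to the configured server; when
 * use_authorize is set a second session asks for service=ppp / protocol=ip
 * authorization and every "addr=" attribute in the reply is collected into
 * *t_paddrs as the list of addresses the peer may use (NULL = no restriction).
 * *t_popts is always cleared.
 *
 * Returns  1   on success (*t_msgp "Login succeeded", authorized set),
 *          0   on refusal or server failure (*t_msgp carries the reason),
 *          -1  when TACACS+ is not in use.
 *
 * Every exit after a connection has been opened goes through the common
 * cleanup so the socket and the request attribute list are never leaked on
 * the failure paths.
 */
static int tacacs_auth(char *t_user, char *t_passwd, char **t_msgp,
                       struct wordlist **t_paddrs, struct wordlist **t_popts)
{
    int tac_fd = -1;
    char *msg;
    struct areply arep = {0};
    struct tac_attrib *attr = NULL;
    struct tac_attrib *attrentry;
    struct wordlist **pnextaddr;
    struct wordlist *addr;
    int addrlen;
    int ret;

    if (prev_pap_auth_hook) {
        ret = prev_pap_auth_hook(t_user, t_passwd, t_msgp, t_paddrs, t_popts);
        if (ret >= 0)
            return ret;
    }
    if (!use_tacacs)
        return -1;

    *t_msgp = "TACACS+ server failed";
    *t_popts = NULL;
    ret = 0;

    /* start authentication */
    if (tac_server == -1)
        return 0;
    tac_fd = tac_connect(&tac_server, 1);
    if (tac_fd < 0)
        return 0;
    if (tac_authen_pap_send(tac_fd, t_user, t_passwd, tty) < 0)
        goto out;
    /* A non-NULL reply is the server's failure message for the caller. */
    msg = tac_authen_pap_read(tac_fd);
    if (msg != NULL) {
        *t_msgp = msg;
        goto out;
    }
    close(tac_fd);
    tac_fd = -1;

    /* user/password is valid, now check authorization */
    if (use_authorize) {
        tac_fd = tac_connect(&tac_server, 1);
        if (tac_fd < 0)
            goto out;
        tac_add_attrib(&attr, "service", "ppp");
        tac_add_attrib(&attr, "protocol", "ip");
        if (tac_author_send(tac_fd, t_user, tty, attr) < 0)
            goto out;
        tac_author_read(tac_fd, &arep);
        if (arep.status != AUTHOR_STATUS_PASS_ADD
            && arep.status != AUTHOR_STATUS_PASS_REPL) {
            *t_msgp = arep.msg;
            goto out;
        }

        /* Build up list of allowable addresses */
        *t_paddrs = NULL;               /* Default to allow all */
        pnextaddr = t_paddrs;
        for (attrentry = arep.attr; attrentry != NULL; attrentry = attrentry->next) {
            if (strncmp(attrentry->attr, "addr=", 5) != 0)
                continue;
            /* attr_len covers the whole "addr=..." value; a length shorter
             * than the prefix we just matched is malformed and would give a
             * negative addrlen, so skip it instead of sizing a buffer with it. */
            if (attrentry->attr_len < 5)
                continue;
            addrlen = attrentry->attr_len - 5;
            /* One allocation holds both the node and its NUL-terminated word. */
            addr = malloc(sizeof *addr + (size_t)addrlen + 1);
            if (addr == NULL)
                novm("TACACS+ address");
            addr->word = (char *)(addr + 1);
            memcpy(addr->word, attrentry->attr + 5, (size_t)addrlen);
            addr->word[addrlen] = '\0';
            addr->next = NULL;
            *pnextaddr = addr;
            pnextaddr = &addr->next;
        }
        tac_free_attrib(&arep.attr);
    }

    *t_msgp = "Login succeeded";
    syslog(LOG_INFO, "TACACS+ login succeeded for %s", t_user);
    authorized = 1;
    ret = 1;

out:
    /* attr is only non-NULL once the authorization request was built. */
    if (attr != NULL)
        tac_free_attrib(&attr);
    if (tac_fd >= 0)
        close(tac_fd);
    return ret;
}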