/*
 *	Authenticate a request by handing its User-Name and clear-text
 *	User-Password to securidAuth().
 *
 *	Returns RLM_MODULE_INVALID when User-Name or the password attribute is
 *	missing, when the password attribute is not User-Password, or when
 *	the password is empty.  Otherwise the securidAuth() result is mapped:
 *	success -> RLM_MODULE_OK, challenge -> RLM_MODULE_HANDLED (the reply
 *	is turned into an Access-Challenge), anything else ->
 *	RLM_MODULE_REJECT.  Any text securidAuth() left in the message buffer
 *	is added to the reply as Reply-Message.
 */
static rlm_rcode_t CC_HINT(nonnull) mod_authenticate(void *instance, REQUEST *request)
{
	rlm_securid_t	*inst = instance;
	VALUE_PAIR	*pw = request->password;
	char		reply_msg[MAX_STRING_LEN] = "";
	char const	*user = NULL;
	char const	*passcode = NULL;
	int		status;
	int		result;

	/*
	 *	Without a User-Name there is nobody to authenticate.
	 */
	if (!request->username) {
		AUTH("rlm_securid: Attribute \"User-Name\" is required for authentication");
		return RLM_MODULE_INVALID;
	}

	if (!pw) {
		RAUTH("Attribute \"Password\" is required for authentication");
		return RLM_MODULE_INVALID;
	}

	/*
	 *	Only a clear-text User-Password is accepted; any other
	 *	password attribute is refused up front.
	 */
	if (pw->da->attr != PW_USER_PASSWORD) {
		RAUTH("Attribute \"User-Password\" is required for authentication. Cannot use \"%s\".", pw->da->name);
		return RLM_MODULE_INVALID;
	}

	/*
	 *	An empty password is never passed on to securidAuth().
	 */
	if (pw->vp_length == 0) {
		REDEBUG("Password should not be empty");
		return RLM_MODULE_INVALID;
	}

	user = request->username->vp_strvalue;
	passcode = pw->vp_strvalue;

	/*
	 *	The password itself is printed only when debug level 3 is
	 *	enabled; at lower levels just the attempt is recorded.
	 *	NOTE(review): output captured at level 3 therefore contains
	 *	credentials and has to be handled as sensitive data.
	 */
	if (RDEBUG_ENABLED3) {
		RDEBUG3("Login attempt with password \"%s\"", passcode);
	} else {
		RDEBUG("Login attempt with password");
	}

	status = securidAuth(inst, request, user, passcode, reply_msg, sizeof(reply_msg));

	if (status == RC_SECURID_AUTH_SUCCESS) {
		result = RLM_MODULE_OK;
	} else if (status == RC_SECURID_AUTH_CHALLENGE) {
		VALUE_PAIR *prompt;

		/*
		 *	Answer with an Access-Challenge (code 11) carrying a
		 *	Prompt attribute set to 0, i.e. "no echo".
		 *	NOTE(review): rad_assert is the only NULL guard on the
		 *	paircreate() result - confirm it is active in release
		 *	builds.
		 */
		prompt = paircreate(request->reply, PW_PROMPT, 0);
		rad_assert(prompt != NULL);
		prompt->vp_integer = 0;
		pairadd(&request->reply->vps, prompt);

		request->reply->code = PW_CODE_ACCESS_CHALLENGE;
		RDEBUG("Sending Access-Challenge");
		result = RLM_MODULE_HANDLED;
	} else {
		/*
		 *	RC_SECURID_AUTH_FAILURE, _ACCESS_DENIED_FAILURE,
		 *	_INVALID_SERVER_FAILURE and every unrecognised code
		 *	fail closed.
		 */
		result = RLM_MODULE_REJECT;
	}

	/*
	 *	Forward whatever message securidAuth() produced.
	 */
	if (reply_msg[0] != '\0') {
		pairmake_reply("Reply-Message", reply_msg, T_OP_EQ);
	}

	return result;
}
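/*
 *	Authenticate a request by handing its User-Name and clear-text
 *	User-Password to securidAuth().
 *
 *	Returns RLM_MODULE_INVALID when User-Name or the password attribute is
 *	missing, when the password attribute is not User-Password, or when
 *	the password is empty (a Module-Failure-Message is then added to the
 *	request packet).  Otherwise the securidAuth() result is mapped:
 *	success -> RLM_MODULE_OK, challenge -> RLM_MODULE_HANDLED (the reply
 *	becomes an Access-Challenge), anything else -> RLM_MODULE_REJECT.
 *	Any text securidAuth() left in the buffer is sent as Reply-Message.
 */
static int securid_authenticate(void *instance, REQUEST *request)
{
	int rcode;
	rlm_securid_t *inst = instance;
	VALUE_PAIR *module_fmsg_vp;
	VALUE_PAIR *vp;
	char buffer[MAX_STRING_LEN]="";
	const char *username=NULL, *password=NULL;
	char module_fmsg[MAX_STRING_LEN]="";

	/*
	 *	We can only authenticate user requests which HAVE
	 *	a User-Name attribute.
	 */
	if (!request->username) {
		radlog(L_AUTH, "rlm_securid: Attribute \"User-Name\" is required for authentication.");
		return RLM_MODULE_INVALID;
	}

	if (!request->password) {
		radlog_request(L_AUTH, 0, request, "Attribute \"Password\" is required for authentication.");
		return RLM_MODULE_INVALID;
	}

	/*
	 *	Clear-text passwords are the only ones we support.
	 */
	if (request->password->attribute != PW_USER_PASSWORD) {
		radlog_request(L_AUTH, 0, request, "Attribute \"User-Password\" is required for authentication. Cannot use \"%s\".", request->password->name);
		return RLM_MODULE_INVALID;
	}

	/*
	 *	The user MUST supply a non-zero-length password.
	 */
	if (request->password->length == 0) {
		snprintf(module_fmsg,sizeof(module_fmsg),"rlm_securid: empty password supplied");
		module_fmsg_vp = pairmake("Module-Failure-Message", module_fmsg, T_OP_EQ);
		/* Only attach the failure message if it could be created. */
		if (module_fmsg_vp) {
			pairadd(&request->packet->vps, module_fmsg_vp);
		}
		return RLM_MODULE_INVALID;
	}

	/*
	 *	shortcuts
	 */
	username = request->username->vp_strvalue;
	password = request->password->vp_strvalue;

	/*
	 *	Record the attempt without the credential: the clear-text
	 *	password must not end up in ordinary debug output.
	 */
	RDEBUG("User [%s] login attempt with password", username);

	rcode = securidAuth(inst, request, username, password,
			    buffer, sizeof(buffer));

	switch (rcode) {
	case RC_SECURID_AUTH_SUCCESS:
		rcode = RLM_MODULE_OK;
		break;

	case RC_SECURID_AUTH_CHALLENGE:
		/* reply with Access-Challenge message code (11) */

		/*
		 *	Generate Prompt attribute.
		 *	NOTE(review): rad_assert is the only NULL guard on the
		 *	paircreate() result - confirm it is active in release
		 *	builds.
		 */
		vp = paircreate(PW_PROMPT, 0, PW_TYPE_INTEGER);

		rad_assert(vp != NULL);
		vp->vp_integer = 0; /* no echo */
		pairadd(&request->reply->vps, vp);

		/* Mark the packet as an Access-Challenge packet */
		request->reply->code = PW_ACCESS_CHALLENGE;
		RDEBUG("Sending Access-Challenge.");
		rcode = RLM_MODULE_HANDLED;
		break;

	case RC_SECURID_AUTH_FAILURE:
	case RC_SECURID_AUTH_ACCESS_DENIED_FAILURE:
	case RC_SECURID_AUTH_INVALID_SERVER_FAILURE:
	default:
		/* Every failure and every unrecognised code fails closed. */
		rcode = RLM_MODULE_REJECT;
		break;
	}

	if (*buffer) {
		/* Generate Reply-Message attribute with reply message data */
		vp = pairmake("Reply-Message", buffer, T_OP_EQ);

		/*
		 *	pairmake() can fail; the authentication result stands
		 *	either way, so the message is dropped instead of
		 *	dereferencing a NULL pair.
		 */
		if (!vp) {
			RDEBUG("Could not create Reply-Message attribute");
		} else {
			/*
			 *	make sure message ends with '\0'
			 *	NOTE(review): the increment counts the
			 *	terminator in the attribute length - confirm
			 *	that is intended.
			 */
			if (vp->length < (int) sizeof(vp->vp_strvalue)) {
				vp->vp_strvalue[vp->length] = '\0';
				vp->length++;
			}
			pairadd(&request->reply->vps,vp);
		}
	}

	return rcode;
}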
/*
 *	Authenticate a request by handing its User-Name and clear-text
 *	User-Password to securidAuth().
 *
 *	Returns RLM_MODULE_INVALID when User-Name or the password attribute is
 *	missing, when the password attribute is not User-Password, or when
 *	the password is empty.  Otherwise the securidAuth() result is mapped:
 *	success -> RLM_MODULE_OK, challenge -> RLM_MODULE_HANDLED (the reply
 *	is turned into an Access-Challenge), anything else ->
 *	RLM_MODULE_REJECT.  Any text securidAuth() left in the message buffer
 *	is copied into the reply's Reply-Message attribute.
 */
static rlm_rcode_t CC_HINT(nonnull) mod_authenticate(void *instance, UNUSED void *thread, REQUEST *request)
{
	rlm_securid_t const	*inst = instance;
	VALUE_PAIR		*pw = request->password;
	VALUE_PAIR		*vp;
	char			reply_msg[FR_MAX_STRING_LEN] = "";
	char const		*user = NULL;
	char const		*passcode = NULL;
	int			status;
	int			result;

	/*
	 *	Without a User-Name there is nobody to authenticate.
	 */
	if (!request->username) {
		REDEBUG("Attribute \"User-Name\" is required for authentication");
		return RLM_MODULE_INVALID;
	}

	if (!pw) {
		REDEBUG("Attribute \"Password\" is required for authentication");
		return RLM_MODULE_INVALID;
	}

	/*
	 *	Only a clear-text User-Password is accepted; any other
	 *	password attribute is refused up front.
	 */
	if (pw->da != attr_user_password) {
		REDEBUG("Attribute \"User-Password\" is required for authentication. Cannot use \"%s\"", pw->da->name);
		return RLM_MODULE_INVALID;
	}

	/*
	 *	An empty password is never passed on to securidAuth().
	 */
	if (pw->vp_length == 0) {
		REDEBUG("Password should not be empty");
		return RLM_MODULE_INVALID;
	}

	user = request->username->vp_strvalue;
	passcode = pw->vp_strvalue;

	/*
	 *	The password itself is printed only when debug level 3 is
	 *	enabled; at lower levels just the attempt is recorded.
	 *	NOTE(review): output captured at level 3 therefore contains
	 *	credentials and has to be handled as sensitive data.
	 */
	if (RDEBUG_ENABLED3) {
		RDEBUG3("Login attempt with password \"%s\"", passcode);
	} else {
		RDEBUG2("Login attempt with password");
	}

	status = securidAuth(inst, request, user, passcode, reply_msg, sizeof(reply_msg));

	if (status == RC_SECURID_AUTH_SUCCESS) {
		result = RLM_MODULE_OK;
	} else if (status == RC_SECURID_AUTH_CHALLENGE) {
		/*
		 *	Answer with an Access-Challenge (code 11) carrying a
		 *	Prompt attribute set to 0, i.e. "no echo".
		 */
		MEM(pair_update_reply(&vp, attr_prompt) >= 0);
		vp->vp_uint32 = 0;

		request->reply->code = FR_CODE_ACCESS_CHALLENGE;
		RDEBUG2("Sending Access-Challenge");
		result = RLM_MODULE_HANDLED;
	} else {
		/*
		 *	RC_SECURID_AUTH_FAILURE, _ACCESS_DENIED_FAILURE,
		 *	_INVALID_SERVER_FAILURE and every unrecognised code
		 *	fail closed.
		 */
		result = RLM_MODULE_REJECT;
	}

	/*
	 *	Forward whatever message securidAuth() produced.
	 */
	if (reply_msg[0] != '\0') {
		MEM(pair_update_reply(&vp, attr_reply_message) >= 0);
		fr_pair_value_strcpy(vp, reply_msg);
	}

	return result;
}