Diffstat (limited to 'modules/pam_access')
-rw-r--r--modules/pam_access/Makefile.am37
-rw-r--r--modules/pam_access/Makefile.in740
-rw-r--r--modules/pam_access/README120
-rw-r--r--modules/pam_access/README.xml39
-rw-r--r--modules/pam_access/access.conf122
-rw-r--r--modules/pam_access/access.conf.5170
-rw-r--r--modules/pam_access/access.conf.5.xml203
-rw-r--r--modules/pam_access/pam_access.8112
-rw-r--r--modules/pam_access/pam_access.8.xml253
-rw-r--r--modules/pam_access/pam_access.c922
-rwxr-xr-xmodules/pam_access/tst-pam_access2
11 files changed, 2720 insertions, 0 deletions
diff --git a/modules/pam_access/Makefile.am b/modules/pam_access/Makefile.am
new file mode 100644
index 00000000..9b58e81e
--- /dev/null
+++ b/modules/pam_access/Makefile.am
@@ -0,0 +1,37 @@
+#
+# Copyright (c) 2005, 2006 Thorsten Kukuk <kukuk@thkukuk.de>
+#
+
+CLEANFILES = *~
+
+EXTRA_DIST = README access.conf $(MANS) $(XMLS) tst-pam_access
+
+man_MANS = access.conf.5 pam_access.8
+
+XMLS = README.xml access.conf.5.xml pam_access.8.xml
+
+securelibdir = $(SECUREDIR)
+secureconfdir = $(SCONFIGDIR)
+
+AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \
+ -DPAM_ACCESS_CONFIG=\"$(SCONFIGDIR)/access.conf\"
+AM_LDFLAGS = -no-undefined -avoid-version -module
+if HAVE_VERSIONING
+ AM_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map
+endif
+
+securelib_LTLIBRARIES = pam_access.la
+pam_access_la_LIBADD = -L$(top_builddir)/libpam -lpam @LIBNSL@
+
+secureconf_DATA = access.conf
+
+if ENABLE_REGENERATE_MAN
+
+noinst_DATA = README
+
+README: pam_access.8.xml access.conf.5.xml
+
+-include $(top_srcdir)/Make.xml.rules
+endif
+
+TESTS = tst-pam_access
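Review bot: The link line `pam_access_la_LIBADD = -L$(top_builddir)/libpam -lpam @LIBNSL@` gives the module no build dependency on the in-tree libpam, which the generated Makefile.in confirms with an empty `pam_access_la_DEPENDENCIES =`; the module is therefore never relinked when libpam changes, and if this directory is built before libpam (parallel build, or a SUBDIRS order I cannot see from here) libtool resolves `-lpam` against whatever system libpam is installed rather than the one from this tree. Using the libtool archive instead, `pam_access_la_LIBADD = $(top_builddir)/libpam/libpam.la @LIBNSL@`, makes the dependency explicit and lets libtool pick the correct library. As a point of style, the `-I` and `-DPAM_ACCESS_CONFIG=...` flags are preprocessor flags and belong in `AM_CPPFLAGS` rather than `AM_CFLAGS`; in `AM_CFLAGS` they are also passed to the link step, which is harmless but noisy. It would also help a reader to note above the define that `PAM_ACCESS_CONFIG` is only the compile-time default and can be overridden per service with `accessfile=`, as the README in this commit documents.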
diff --git a/modules/pam_access/Makefile.in b/modules/pam_access/Makefile.in
new file mode 100644
index 00000000..a75e4529
--- /dev/null
+++ b/modules/pam_access/Makefile.in
@@ -0,0 +1,740 @@
+# Makefile.in generated by automake 1.10.1 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
+# 2003, 2004, 2005, 2006, 2007, 2008 Free Software Foundation, Inc.
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+#
+# Copyright (c) 2005, 2006 Thorsten Kukuk <kukuk@thkukuk.de>
+#
+
+
+VPATH = @srcdir@
+pkgdatadir = $(datadir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+@HAVE_VERSIONING_TRUE@am__append_1 = -Wl,--version-script=$(srcdir)/../modules.map
+subdir = modules/pam_access
+DIST_COMMON = README $(srcdir)/Makefile.am $(srcdir)/Makefile.in
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/m4/gettext.m4 \
+ $(top_srcdir)/m4/iconv.m4 \
+ $(top_srcdir)/m4/jh_path_xml_catalog.m4 \
+ $(top_srcdir)/m4/ld-O1.m4 $(top_srcdir)/m4/ld-as-needed.m4 \
+ $(top_srcdir)/m4/lib-ld.m4 $(top_srcdir)/m4/lib-link.m4 \
+ $(top_srcdir)/m4/lib-prefix.m4 $(top_srcdir)/m4/libprelude.m4 \
+ $(top_srcdir)/m4/nls.m4 $(top_srcdir)/m4/po.m4 \
+ $(top_srcdir)/m4/progtest.m4 $(top_srcdir)/acinclude.m4 \
+ $(top_srcdir)/configure.in
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+ $(ACLOCAL_M4)
+mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs
+CONFIG_HEADER = $(top_builddir)/config.h
+CONFIG_CLEAN_FILES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+ $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+ *) f=$$p;; \
+ esac;
+am__strip_dir = `echo $$p | sed -e 's|^.*/||'`;
+am__installdirs = "$(DESTDIR)$(securelibdir)" "$(DESTDIR)$(man5dir)" \
+ "$(DESTDIR)$(man8dir)" "$(DESTDIR)$(secureconfdir)"
+securelibLTLIBRARIES_INSTALL = $(INSTALL)
+LTLIBRARIES = $(securelib_LTLIBRARIES)
+pam_access_la_DEPENDENCIES =
+pam_access_la_SOURCES = pam_access.c
+pam_access_la_OBJECTS = pam_access.lo
+DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+ $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+ --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \
+ $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+CCLD = $(CC)
+LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
+ --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \
+ $(LDFLAGS) -o $@
+SOURCES = pam_access.c
+DIST_SOURCES = pam_access.c
+man5dir = $(mandir)/man5
+man8dir = $(mandir)/man8
+NROFF = nroff
+MANS = $(man_MANS)
+secureconfDATA_INSTALL = $(INSTALL_DATA)
+DATA = $(noinst_DATA) $(secureconf_DATA)
+ETAGS = etags
+CTAGS = ctags
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+AMTAR = @AMTAR@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BROWSER = @BROWSER@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CXX = @CXX@
+CXXCPP = @CXXCPP@
+CXXDEPMODE = @CXXDEPMODE@
+CXXFLAGS = @CXXFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DSYMUTIL = @DSYMUTIL@
+ECHO = @ECHO@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+F77 = @F77@
+FFLAGS = @FFLAGS@
+FO2PDF = @FO2PDF@
+GMSGFMT = @GMSGFMT@
+GMSGFMT_015 = @GMSGFMT_015@
+GREP = @GREP@
+HAVE_KEY_MANAGEMENT = @HAVE_KEY_MANAGEMENT@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+INTLLIBS = @INTLLIBS@
+INTL_MACOSX_LIBS = @INTL_MACOSX_LIBS@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBAUDIT = @LIBAUDIT@
+LIBCRACK = @LIBCRACK@
+LIBCRYPT = @LIBCRYPT@
+LIBDB = @LIBDB@
+LIBDL = @LIBDL@
+LIBICONV = @LIBICONV@
+LIBINTL = @LIBINTL@
+LIBNSL = @LIBNSL@
+LIBOBJS = @LIBOBJS@
+LIBPRELUDE_CFLAGS = @LIBPRELUDE_CFLAGS@
+LIBPRELUDE_CONFIG = @LIBPRELUDE_CONFIG@
+LIBPRELUDE_CONFIG_PREFIX = @LIBPRELUDE_CONFIG_PREFIX@
+LIBPRELUDE_LDFLAGS = @LIBPRELUDE_LDFLAGS@
+LIBPRELUDE_LIBS = @LIBPRELUDE_LIBS@
+LIBPRELUDE_PREFIX = @LIBPRELUDE_PREFIX@
+LIBPRELUDE_PTHREAD_CFLAGS = @LIBPRELUDE_PTHREAD_CFLAGS@
+LIBS = @LIBS@
+LIBSELINUX = @LIBSELINUX@
+LIBTOOL = @LIBTOOL@
+LN_S = @LN_S@
+LTLIBICONV = @LTLIBICONV@
+LTLIBINTL = @LTLIBINTL@
+LTLIBOBJS = @LTLIBOBJS@
+MAKEINFO = @MAKEINFO@
+MKDIR_P = @MKDIR_P@
+MSGFMT = @MSGFMT@
+MSGFMT_015 = @MSGFMT_015@
+MSGMERGE = @MSGMERGE@
+NMEDIT = @NMEDIT@
+OBJEXT = @OBJEXT@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PAM_READ_BOTH_CONFS = @PAM_READ_BOTH_CONFS@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PIE_CFLAGS = @PIE_CFLAGS@
+PIE_LDFLAGS = @PIE_LDFLAGS@
+POSUB = @POSUB@
+RANLIB = @RANLIB@
+SCONFIGDIR = @SCONFIGDIR@
+SECUREDIR = @SECUREDIR@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+STRIP = @STRIP@
+USE_NLS = @USE_NLS@
+VERSION = @VERSION@
+WITH_DEBUG = @WITH_DEBUG@
+WITH_PAMLOCKING = @WITH_PAMLOCKING@
+XGETTEXT = @XGETTEXT@
+XGETTEXT_015 = @XGETTEXT_015@
+XMLCATALOG = @XMLCATALOG@
+XMLLINT = @XMLLINT@
+XML_CATALOG_FILE = @XML_CATALOG_FILE@
+XSLTPROC = @XSLTPROC@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_CXX = @ac_ct_CXX@
+ac_ct_F77 = @ac_ct_F77@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+datadir = @datadir@
+datarootdir = @datarootdir@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+libc_cv_fpie = @libc_cv_fpie@
+libdir = @libdir@
+libexecdir = @libexecdir@
+localedir = @localedir@
+localstatedir = @localstatedir@
+mandir = @mandir@
+mkdir_p = @mkdir_p@
+oldincludedir = @oldincludedir@
+pam_cv_ld_as_needed = @pam_cv_ld_as_needed@
+pam_xauth_path = @pam_xauth_path@
+pdfdir = @pdfdir@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+sbindir = @sbindir@
+sharedstatedir = @sharedstatedir@
+srcdir = @srcdir@
+sysconfdir = @sysconfdir@
+target_alias = @target_alias@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+CLEANFILES = *~
+EXTRA_DIST = README access.conf $(MANS) $(XMLS) tst-pam_access
+man_MANS = access.conf.5 pam_access.8
+XMLS = README.xml access.conf.5.xml pam_access.8.xml
+securelibdir = $(SECUREDIR)
+secureconfdir = $(SCONFIGDIR)
+AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \
+ -DPAM_ACCESS_CONFIG=\"$(SCONFIGDIR)/access.conf\"
+
+AM_LDFLAGS = -no-undefined -avoid-version -module $(am__append_1)
+securelib_LTLIBRARIES = pam_access.la
+pam_access_la_LIBADD = -L$(top_builddir)/libpam -lpam @LIBNSL@
+secureconf_DATA = access.conf
+@ENABLE_REGENERATE_MAN_TRUE@noinst_DATA = README
+TESTS = tst-pam_access
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps)
+ @for dep in $?; do \
+ case '$(am__configure_deps)' in \
+ *$$dep*) \
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \
+ && exit 0; \
+ exit 1;; \
+ esac; \
+ done; \
+ echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu modules/pam_access/Makefile'; \
+ cd $(top_srcdir) && \
+ $(AUTOMAKE) --gnu modules/pam_access/Makefile
+.PRECIOUS: Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+ @case '$?' in \
+ *config.status*) \
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+ *) \
+ echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+ cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+ esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure: $(am__configure_deps)
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4): $(am__aclocal_m4_deps)
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+install-securelibLTLIBRARIES: $(securelib_LTLIBRARIES)
+ @$(NORMAL_INSTALL)
+ test -z "$(securelibdir)" || $(MKDIR_P) "$(DESTDIR)$(securelibdir)"
+ @list='$(securelib_LTLIBRARIES)'; for p in $$list; do \
+ if test -f $$p; then \
+ f=$(am__strip_dir) \
+ echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(securelibLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) '$$p' '$(DESTDIR)$(securelibdir)/$$f'"; \
+ $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(securelibLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) "$$p" "$(DESTDIR)$(securelibdir)/$$f"; \
+ else :; fi; \
+ done
+
+uninstall-securelibLTLIBRARIES:
+ @$(NORMAL_UNINSTALL)
+ @list='$(securelib_LTLIBRARIES)'; for p in $$list; do \
+ p=$(am__strip_dir) \
+ echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(securelibdir)/$$p'"; \
+ $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(securelibdir)/$$p"; \
+ done
+
+clean-securelibLTLIBRARIES:
+ -test -z "$(securelib_LTLIBRARIES)" || rm -f $(securelib_LTLIBRARIES)
+ @list='$(securelib_LTLIBRARIES)'; for p in $$list; do \
+ dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \
+ test "$$dir" != "$$p" || dir=.; \
+ echo "rm -f \"$${dir}/so_locations\""; \
+ rm -f "$${dir}/so_locations"; \
+ done
+pam_access.la: $(pam_access_la_OBJECTS) $(pam_access_la_DEPENDENCIES)
+ $(LINK) -rpath $(securelibdir) $(pam_access_la_OBJECTS) $(pam_access_la_LIBADD) $(LIBS)
+
+mostlyclean-compile:
+ -rm -f *.$(OBJEXT)
+
+distclean-compile:
+ -rm -f *.tab.c
+
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_access.Plo@am__quote@
+
+.c.o:
+@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(COMPILE) -c $<
+
+.c.obj:
+@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
+@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(COMPILE) -c `$(CYGPATH_W) '$<'`
+
+.c.lo:
+@am__fastdepCC_TRUE@ $(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
+@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+@am__fastdepCC_FALSE@ $(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+ -rm -f *.lo
+
+clean-libtool:
+ -rm -rf .libs _libs
+install-man5: $(man5_MANS) $(man_MANS)
+ @$(NORMAL_INSTALL)
+ test -z "$(man5dir)" || $(MKDIR_P) "$(DESTDIR)$(man5dir)"
+ @list='$(man5_MANS) $(dist_man5_MANS) $(nodist_man5_MANS)'; \
+ l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \
+ for i in $$l2; do \
+ case "$$i" in \
+ *.5*) list="$$list $$i" ;; \
+ esac; \
+ done; \
+ for i in $$list; do \
+ if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \
+ else file=$$i; fi; \
+ ext=`echo $$i | sed -e 's/^.*\\.//'`; \
+ case "$$ext" in \
+ 5*) ;; \
+ *) ext='5' ;; \
+ esac; \
+ inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
+ inst=`echo $$inst | sed -e 's/^.*\///'`; \
+ inst=`echo $$inst | sed '$(transform)'`.$$ext; \
+ echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man5dir)/$$inst'"; \
+ $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man5dir)/$$inst"; \
+ done
+uninstall-man5:
+ @$(NORMAL_UNINSTALL)
+ @list='$(man5_MANS) $(dist_man5_MANS) $(nodist_man5_MANS)'; \
+ l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \
+ for i in $$l2; do \
+ case "$$i" in \
+ *.5*) list="$$list $$i" ;; \
+ esac; \
+ done; \
+ for i in $$list; do \
+ ext=`echo $$i | sed -e 's/^.*\\.//'`; \
+ case "$$ext" in \
+ 5*) ;; \
+ *) ext='5' ;; \
+ esac; \
+ inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
+ inst=`echo $$inst | sed -e 's/^.*\///'`; \
+ inst=`echo $$inst | sed '$(transform)'`.$$ext; \
+ echo " rm -f '$(DESTDIR)$(man5dir)/$$inst'"; \
+ rm -f "$(DESTDIR)$(man5dir)/$$inst"; \
+ done
+install-man8: $(man8_MANS) $(man_MANS)
+ @$(NORMAL_INSTALL)
+ test -z "$(man8dir)" || $(MKDIR_P) "$(DESTDIR)$(man8dir)"
+ @list='$(man8_MANS) $(dist_man8_MANS) $(nodist_man8_MANS)'; \
+ l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \
+ for i in $$l2; do \
+ case "$$i" in \
+ *.8*) list="$$list $$i" ;; \
+ esac; \
+ done; \
+ for i in $$list; do \
+ if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \
+ else file=$$i; fi; \
+ ext=`echo $$i | sed -e 's/^.*\\.//'`; \
+ case "$$ext" in \
+ 8*) ;; \
+ *) ext='8' ;; \
+ esac; \
+ inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
+ inst=`echo $$inst | sed -e 's/^.*\///'`; \
+ inst=`echo $$inst | sed '$(transform)'`.$$ext; \
+ echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man8dir)/$$inst'"; \
+ $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man8dir)/$$inst"; \
+ done
+uninstall-man8:
+ @$(NORMAL_UNINSTALL)
+ @list='$(man8_MANS) $(dist_man8_MANS) $(nodist_man8_MANS)'; \
+ l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \
+ for i in $$l2; do \
+ case "$$i" in \
+ *.8*) list="$$list $$i" ;; \
+ esac; \
+ done; \
+ for i in $$list; do \
+ ext=`echo $$i | sed -e 's/^.*\\.//'`; \
+ case "$$ext" in \
+ 8*) ;; \
+ *) ext='8' ;; \
+ esac; \
+ inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
+ inst=`echo $$inst | sed -e 's/^.*\///'`; \
+ inst=`echo $$inst | sed '$(transform)'`.$$ext; \
+ echo " rm -f '$(DESTDIR)$(man8dir)/$$inst'"; \
+ rm -f "$(DESTDIR)$(man8dir)/$$inst"; \
+ done
+install-secureconfDATA: $(secureconf_DATA)
+ @$(NORMAL_INSTALL)
+ test -z "$(secureconfdir)" || $(MKDIR_P) "$(DESTDIR)$(secureconfdir)"
+ @list='$(secureconf_DATA)'; for p in $$list; do \
+ if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \
+ f=$(am__strip_dir) \
+ echo " $(secureconfDATA_INSTALL) '$$d$$p' '$(DESTDIR)$(secureconfdir)/$$f'"; \
+ $(secureconfDATA_INSTALL) "$$d$$p" "$(DESTDIR)$(secureconfdir)/$$f"; \
+ done
+
+uninstall-secureconfDATA:
+ @$(NORMAL_UNINSTALL)
+ @list='$(secureconf_DATA)'; for p in $$list; do \
+ f=$(am__strip_dir) \
+ echo " rm -f '$(DESTDIR)$(secureconfdir)/$$f'"; \
+ rm -f "$(DESTDIR)$(secureconfdir)/$$f"; \
+ done
+
+ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
+ list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+ unique=`for i in $$list; do \
+ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+ done | \
+ $(AWK) '{ files[$$0] = 1; nonemtpy = 1; } \
+ END { if (nonempty) { for (i in files) print i; }; }'`; \
+ mkid -fID $$unique
+tags: TAGS
+
+TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \
+ $(TAGS_FILES) $(LISP)
+ tags=; \
+ here=`pwd`; \
+ list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+ unique=`for i in $$list; do \
+ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+ done | \
+ $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+ END { if (nonempty) { for (i in files) print i; }; }'`; \
+ if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \
+ test -n "$$unique" || unique=$$empty_fix; \
+ $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+ $$tags $$unique; \
+ fi
+ctags: CTAGS
+CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \
+ $(TAGS_FILES) $(LISP)
+ tags=; \
+ list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
+ unique=`for i in $$list; do \
+ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+ done | \
+ $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
+ END { if (nonempty) { for (i in files) print i; }; }'`; \
+ test -z "$(CTAGS_ARGS)$$tags$$unique" \
+ || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+ $$tags $$unique
+
+GTAGS:
+ here=`$(am__cd) $(top_builddir) && pwd` \
+ && cd $(top_srcdir) \
+ && gtags -i $(GTAGS_ARGS) $$here
+
+distclean-tags:
+ -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+check-TESTS: $(TESTS)
+ @failed=0; all=0; xfail=0; xpass=0; skip=0; ws='[ ]'; \
+ srcdir=$(srcdir); export srcdir; \
+ list=' $(TESTS) '; \
+ if test -n "$$list"; then \
+ for tst in $$list; do \
+ if test -f ./$$tst; then dir=./; \
+ elif test -f $$tst; then dir=; \
+ else dir="$(srcdir)/"; fi; \
+ if $(TESTS_ENVIRONMENT) $${dir}$$tst; then \
+ all=`expr $$all + 1`; \
+ case " $(XFAIL_TESTS) " in \
+ *$$ws$$tst$$ws*) \
+ xpass=`expr $$xpass + 1`; \
+ failed=`expr $$failed + 1`; \
+ echo "XPASS: $$tst"; \
+ ;; \
+ *) \
+ echo "PASS: $$tst"; \
+ ;; \
+ esac; \
+ elif test $$? -ne 77; then \
+ all=`expr $$all + 1`; \
+ case " $(XFAIL_TESTS) " in \
+ *$$ws$$tst$$ws*) \
+ xfail=`expr $$xfail + 1`; \
+ echo "XFAIL: $$tst"; \
+ ;; \
+ *) \
+ failed=`expr $$failed + 1`; \
+ echo "FAIL: $$tst"; \
+ ;; \
+ esac; \
+ else \
+ skip=`expr $$skip + 1`; \
+ echo "SKIP: $$tst"; \
+ fi; \
+ done; \
+ if test "$$failed" -eq 0; then \
+ if test "$$xfail" -eq 0; then \
+ banner="All $$all tests passed"; \
+ else \
+ banner="All $$all tests behaved as expected ($$xfail expected failures)"; \
+ fi; \
+ else \
+ if test "$$xpass" -eq 0; then \
+ banner="$$failed of $$all tests failed"; \
+ else \
+ banner="$$failed of $$all tests did not behave as expected ($$xpass unexpected passes)"; \
+ fi; \
+ fi; \
+ dashes="$$banner"; \
+ skipped=""; \
+ if test "$$skip" -ne 0; then \
+ skipped="($$skip tests were not run)"; \
+ test `echo "$$skipped" | wc -c` -le `echo "$$banner" | wc -c` || \
+ dashes="$$skipped"; \
+ fi; \
+ report=""; \
+ if test "$$failed" -ne 0 && test -n "$(PACKAGE_BUGREPORT)"; then \
+ report="Please report to $(PACKAGE_BUGREPORT)"; \
+ test `echo "$$report" | wc -c` -le `echo "$$banner" | wc -c` || \
+ dashes="$$report"; \
+ fi; \
+ dashes=`echo "$$dashes" | sed s/./=/g`; \
+ echo "$$dashes"; \
+ echo "$$banner"; \
+ test -z "$$skipped" || echo "$$skipped"; \
+ test -z "$$report" || echo "$$report"; \
+ echo "$$dashes"; \
+ test "$$failed" -eq 0; \
+ else :; fi
+
+distdir: $(DISTFILES)
+ @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+ topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+ list='$(DISTFILES)'; \
+ dist_files=`for file in $$list; do echo $$file; done | \
+ sed -e "s|^$$srcdirstrip/||;t" \
+ -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+ case $$dist_files in \
+ */*) $(MKDIR_P) `echo "$$dist_files" | \
+ sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+ sort -u` ;; \
+ esac; \
+ for file in $$dist_files; do \
+ if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+ if test -d $$d/$$file; then \
+ dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+ if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+ cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
+ fi; \
+ cp -pR $$d/$$file $(distdir)$$dir || exit 1; \
+ else \
+ test -f $(distdir)/$$file \
+ || cp -p $$d/$$file $(distdir)/$$file \
+ || exit 1; \
+ fi; \
+ done
+check-am: all-am
+ $(MAKE) $(AM_MAKEFLAGS) check-TESTS
+check: check-am
+all-am: Makefile $(LTLIBRARIES) $(MANS) $(DATA)
+installdirs:
+ for dir in "$(DESTDIR)$(securelibdir)" "$(DESTDIR)$(man5dir)" "$(DESTDIR)$(man8dir)" "$(DESTDIR)$(secureconfdir)"; do \
+ test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+ done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+ @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ `test -z '$(STRIP)' || \
+ echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install
+mostlyclean-generic:
+
+clean-generic:
+ -test -z "$(CLEANFILES)" || rm -f $(CLEANFILES)
+
+distclean-generic:
+ -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+
+maintainer-clean-generic:
+ @echo "This command is intended for maintainers to use"
+ @echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool clean-securelibLTLIBRARIES \
+ mostlyclean-am
+
+distclean: distclean-am
+ -rm -rf ./$(DEPDIR)
+ -rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+ distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+info: info-am
+
+info-am:
+
+install-data-am: install-man install-secureconfDATA \
+ install-securelibLTLIBRARIES
+
+install-dvi: install-dvi-am
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-info: install-info-am
+
+install-man: install-man5 install-man8
+
+install-pdf: install-pdf-am
+
+install-ps: install-ps-am
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+ -rm -rf ./$(DEPDIR)
+ -rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+ mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-man uninstall-secureconfDATA \
+ uninstall-securelibLTLIBRARIES
+
+uninstall-man: uninstall-man5 uninstall-man8
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS all all-am check check-TESTS check-am clean \
+ clean-generic clean-libtool clean-securelibLTLIBRARIES ctags \
+ distclean distclean-compile distclean-generic \
+ distclean-libtool distclean-tags distdir dvi dvi-am html \
+ html-am info info-am install install-am install-data \
+ install-data-am install-dvi install-dvi-am install-exec \
+ install-exec-am install-html install-html-am install-info \
+ install-info-am install-man install-man5 install-man8 \
+ install-pdf install-pdf-am install-ps install-ps-am \
+ install-secureconfDATA install-securelibLTLIBRARIES \
+ install-strip installcheck installcheck-am installdirs \
+ maintainer-clean maintainer-clean-generic mostlyclean \
+ mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
+ pdf pdf-am ps ps-am tags uninstall uninstall-am uninstall-man \
+ uninstall-man5 uninstall-man8 uninstall-secureconfDATA \
+ uninstall-securelibLTLIBRARIES
+
+
+@ENABLE_REGENERATE_MAN_TRUE@README: pam_access.8.xml access.conf.5.xml
+
+@ENABLE_REGENERATE_MAN_TRUE@-include $(top_srcdir)/Make.xml.rules
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/modules/pam_access/README b/modules/pam_access/README
new file mode 100644
index 00000000..ec0d67e0
--- /dev/null
+++ b/modules/pam_access/README
@@ -0,0 +1,120 @@
+pam_access — PAM module for logdaemon style login access control
+
+━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+
+DESCRIPTION
+
+The pam_access PAM module is mainly for access management. It provides
+logdaemon style login access control based on login names, host or domain
+names, internet addresses or network numbers, or on terminal line names in case
+of non-networked logins.
+
+By default rules for access management are taken from config file /etc/security
+/access.conf if you don't specify another file.
+
+If Linux PAM is compiled with audit support the module will report when it
+denies access based on origin (host or tty).
+
+OPTIONS
+
+accessfile=/path/to/access.conf
+
+ Indicate an alternative access.conf style configuration file to override
+ the default. This can be useful when different services need different
+ access lists.
+
+debug
+
+ A lot of debug informations are printed with syslog(3).
+
+noaudit
+
+ Do not report logins from disallowed hosts and ttys to the audit subsystem.
+
+fieldsep=separators
+
+ This option modifies the field separator character that pam_access will
+ recognize when parsing the access configuration file. For example: fieldsep
+ =| will cause the default `:' character to be treated as part of a field
+ value and `|' becomes the field separator. Doing this may be useful in
+ conjuction with a system that wants to use pam_access with X based
+ applications, since the PAM_TTY item is likely to be of the form
+ "hostname:0" which includes a `:' character in its value. But you should
+ not need this.
+
+listsep=separators
+
+ This option modifies the list separator character that pam_access will
+ recognize when parsing the access configuration file. For example: listsep
+ =, will cause the default ` ' (space) and `\t' (tab) characters to be
+ treated as part of a list element value and `,' becomes the only list
+ element separator. Doing this may be useful on a system with group
+ information obtained from a Windows domain, where the default built-in
+ groups "Domain Users", "Domain Admins" contain a space.
+
+nodefgroup
+
+ The group database will not be used for tokens not identified as account
+ name.
+
+EXAMPLES
+
+These are some example lines which might be specified in /etc/security/
+access.conf.
+
+User root should be allowed to get access via cron, X11 terminal :0, tty1, ...,
+tty5, tty6.
+
++ : root : crond :0 tty1 tty2 tty3 tty4 tty5 tty6
+
+User root should be allowed to get access from hosts which own the IPv4
+addresses. This does not mean that the connection have to be a IPv4 one, a IPv6
+connection from a host with one of this IPv4 addresses does work, too.
+
++ : root : 192.168.200.1 192.168.200.4 192.168.200.9
+
++ : root : 127.0.0.1
+
+User root should get access from network 192.168.201. where the term will be
+evaluated by string matching. But it might be better to use network/netmask
+instead. The same meaning of 192.168.201. is 192.168.201.0/24 or 192.168.201.0/
+255.255.255.0.
+
++ : root : 192.168.201.
+
+User root should be able to have access from hosts foo1.bar.org and
+foo2.bar.org (uses string matching also).
+
++ : root : foo1.bar.org foo2.bar.org
+
+User root should be able to have access from domain foo.bar.org (uses string
+matching also).
+
++ : root : .foo.bar.org
+
+User root should be denied to get access from all other sources.
+
+- : root : ALL
+
+User foo and members of netgroup admins should be allowed to get access from
+all sources. This will only work if netgroup service is available.
+
++ : @admins foo : ALL
+
+User john and foo should get access from IPv6 host address.
+
++ : john foo : 2001:4ca0:0:101::1
+
+User john should get access from IPv6 net/mask.
+
++ : john : 2001:4ca0:0:101::/64
+
+Disallow console logins to all but the shutdown, sync and all other accounts,
+which are a member of the wheel group.
+
+-:ALL EXCEPT (wheel) shutdown sync:LOCAL
+
+All other users should be denied to get access from all sources.
+
+- : ALL : ALL
+
diff --git a/modules/pam_access/README.xml b/modules/pam_access/README.xml
new file mode 100644
index 00000000..8c7d078b
--- /dev/null
+++ b/modules/pam_access/README.xml
@@ -0,0 +1,39 @@
+<?xml version="1.0" encoding='UTF-8'?>
+<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
+"http://www.docbook.org/xml/4.3/docbookx.dtd"
+[
+<!--
+<!ENTITY pamaccess SYSTEM "pam_access.8.xml">
+-->
+<!--
+<!ENTITY accessconf SYSTEM "access.conf.5.xml">
+-->
+]>
+
+<article>
+
+ <articleinfo>
+
+ <title>
+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+ href="pam_access.8.xml" xpointer='xpointer(//refnamediv[@id = "pam_access-name"]/*)'/>
+ </title>
+
+ </articleinfo>
+
+ <section>
+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+ href="pam_access.8.xml" xpointer='xpointer(//refsect1[@id = "pam_access-description"]/*)'/>
+ </section>
+
+ <section>
+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+ href="pam_access.8.xml" xpointer='xpointer(//refsect1[@id = "pam_access-options"]/*)'/>
+ </section>
+
+ <section>
+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+ href="access.conf.5.xml" xpointer='xpointer(//refsect1[@id = "access.conf-examples"]/*)'/>
+ </section>
+
+</article>
diff --git a/modules/pam_access/access.conf b/modules/pam_access/access.conf
new file mode 100644
index 00000000..74c5fbe8
--- /dev/null
+++ b/modules/pam_access/access.conf
@@ -0,0 +1,122 @@
+# Login access control table.
+#
+# Comment line must start with "#", no space at front.
+# Order of lines is important.
+#
+# When someone logs in, the table is scanned for the first entry that
+# matches the (user, host) combination, or, in case of non-networked
+# logins, the first entry that matches the (user, tty) combination. The
+# permissions field of that table entry determines whether the login will
+# be accepted or refused.
+#
+# Format of the login access control table is three fields separated by a
+# ":" character:
+#
+# [Note, if you supply a 'fieldsep=|' argument to the pam_access.so
+# module, you can change the field separation character to be
+# '|'. This is useful for configurations where you are trying to use
+# pam_access with X applications that provide PAM_TTY values that are
+# the display variable like "host:0".]
+#
+# permission : users : origins
+#
+# The first field should be a "+" (access granted) or "-" (access denied)
+# character.
+#
+# The second field should be a list of one or more login names, group
+# names, or ALL (always matches). A pattern of the form user@host is
+# matched when the login name matches the "user" part, and when the
+# "host" part matches the local machine name.
+#
+# The third field should be a list of one or more tty names (for
+# non-networked logins), host names, domain names (begin with "."), host
+# addresses, internet network numbers (end with "."), ALL (always
+# matches), NONE (matches no tty on non-networked logins) or
+# LOCAL (matches any string that does not contain a "." character).
+#
+# You can use @netgroupname in host or user patterns; this even works
+# for @usergroup@@hostgroup patterns.
+#
+# The EXCEPT operator makes it possible to write very compact rules.
+#
+# The group file is searched only when a name does not match that of the
+# logged-in user. Both the user's primary group is matched, as well as
+# groups in which users are explicitly listed.
+# To avoid problems with accounts, which have the same name as a group,
+# you can use brackets around group names '(group)' to differentiate.
+# In this case, you should also set the "nodefgroup" option.
+#
+# TTY NAMES: Must be in the form returned by ttyname(3) less the initial
+# "/dev" (e.g. tty1 or vc/1)
+#
+##############################################################################
+#
+# Disallow non-root logins on tty1
+#
+#-:ALL EXCEPT root:tty1
+#
+# Disallow console logins to all but a few accounts.
+#
+#-:ALL EXCEPT wheel shutdown sync:LOCAL
+#
+# Same, but make sure that really the group wheel and not the user
+# wheel is used (use nodefgroup argument, too):
+#
+#-:ALL EXCEPT (wheel) shutdown sync:LOCAL
+#
+# Disallow non-local logins to privileged accounts (group wheel).
+#
+#-:wheel:ALL EXCEPT LOCAL .win.tue.nl
+#
+# Some accounts are not allowed to login from anywhere:
+#
+#-:wsbscaro wsbsecr wsbspac wsbsym wscosor wstaiwde:ALL
+#
+# All other accounts are allowed to login from anywhere.
+#
+##############################################################################
+# All lines from here up to the end are building a more complex example.
+##############################################################################
+#
+# User "root" should be allowed to get access via cron .. tty5 tty6.
+#+ : root : cron crond :0 tty1 tty2 tty3 tty4 tty5 tty6
+#
+# User "root" should be allowed to get access from hosts with ip addresses.
+#+ : root : 192.168.200.1 192.168.200.4 192.168.200.9
+#+ : root : 127.0.0.1
+#
+# User "root" should get access from network 192.168.201.
+# This term will be evaluated by string matching.
+# comment: It might be better to use network/netmask instead.
+# The same is 192.168.201.0/24 or 192.168.201.0/255.255.255.0
+#+ : root : 192.168.201.
+#
+# User "root" should be able to have access from domain.
+# Uses string matching also.
+#+ : root : .foo.bar.org
+#
+# User "root" should be denied to get access from all other sources.
+#- : root : ALL
+#
+# User "foo" and members of netgroup "nis_group" should be
+# allowed to get access from all sources.
+# This will only work if netgroup service is available.
+#+ : @nis_group foo : ALL
+#
+# User "john" should get access from ipv4 net/mask
+#+ : john : 127.0.0.0/24
+#
+# User "john" should get access from ipv4 as ipv6 net/mask
+#+ : john : ::ffff:127.0.0.0/127
+#
+# User "john" should get access from ipv6 host address
+#+ : john : 2001:4ca0:0:101::1
+#
+# User "john" should get access from ipv6 host address (same as above)
+#+ : john : 2001:4ca0:0:101:0:0:0:1
+#
+# User "john" should get access from ipv6 net/mask
+#+ : john : 2001:4ca0:0:101::/64
+#
+# All other users should be denied to get access from all sources.
+#- : ALL : ALL
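Review bot: The example under the `ipv4 as ipv6 net/mask` comment gives `::ffff:127.0.0.0/127`, but a 127-bit prefix on an IPv4-mapped address covers only `::ffff:127.0.0.0` and `::ffff:127.0.0.1`; the IPv6 form of the preceding `127.0.0.0/24` example is `::ffff:127.0.0.0/120` (96 mapping bits plus 24), so the line should read `#+ : john : ::ffff:127.0.0.0/120`. A wrong prefix length in a shipped example tends to be copied into live rules, so it is worth correcting here even though the line is commented out. Separately, the header comment states that the user's primary group is matched as well as groups in which users are explicitly listed, while the access.conf(5) text added by the same commit states that the module does not look at the primary group id; one of the two descriptions is wrong and both should be aligned with what pam_access.c actually does (outside this hunk). The header's list of origin tokens also names `NONE` but not the network/netmask form, whereas the manual page describes the netmask form and not `NONE`; the two should enumerate the same set so administrators are not misled about which origins a rule can express.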
diff --git a/modules/pam_access/access.conf.5 b/modules/pam_access/access.conf.5
new file mode 100644
index 00000000..4221ccfc
--- /dev/null
+++ b/modules/pam_access/access.conf.5
@@ -0,0 +1,170 @@
+.\" Title: access.conf
+.\" Author:
+.\" Generator: DocBook XSL Stylesheets v1.73.1 <http://docbook.sf.net/>
+.\" Date: 04/16/2008
+.\" Manual: Linux-PAM Manual
+.\" Source: Linux-PAM Manual
+.\"
+.TH "ACCESS\.CONF" "5" "04/16/2008" "Linux-PAM Manual" "Linux\-PAM Manual"
+.\" disable hyphenation
+.nh
+.\" disable justification (adjust text to left margin only)
+.ad l
+.SH "NAME"
+access.conf - the login access control table file
+.SH "DESCRIPTION"
+.PP
+The
+\fI/etc/security/access\.conf\fR
+file specifies (\fIuser/group\fR,
+\fIhost\fR), (\fIuser/group\fR,
+\fInetwork/netmask\fR) or (\fIuser/group\fR,
+\fItty\fR) combinations for which a login will be either accepted or refused\.
+.PP
+When someone logs in, the file
+\fIaccess\.conf\fR
+is scanned for the first entry that matches the (\fIuser/group\fR,
+\fIhost\fR) or (\fIuser/group\fR,
+\fInetwork/netmask\fR) combination, or, in case of non\-networked logins, the first entry that matches the (\fIuser/group\fR,
+\fItty\fR) combination\. The permissions field of that table entry determines whether the login will be accepted or refused\.
+.PP
+Each line of the login access control table has three fields separated by a ":" character (colon):
+.PP
+
+\fIpermission\fR:\fIusers/groups\fR:\fIorigins\fR
+.PP
+The first field, the
+\fIpermission\fR
+field, can be either a "\fI+\fR" character (plus) for access granted or a "\fI\-\fR" character (minus) for access denied\.
+.PP
+The second field, the
+\fIusers\fR/\fIgroup\fR
+field, should be a list of one or more login names, group names, or
+\fIALL\fR
+(which always matches)\. To differentiate user entries from group entries, group entries should be written with brackets, e\.g\.
+\fI(group)\fR\.
+.PP
+The third field, the
+\fIorigins\fR
+field, should be a list of one or more tty names (for non\-networked logins), host names, domain names (begin with "\."), host addresses, internet network numbers (end with "\."), internet network addresses with network mask (where network mask can be a decimal number or an internet address also),
+\fIALL\fR
+(which always matches) or
+\fILOCAL\fR
+(which matches any string that does not contain a "\." character)\. If supported by the system you can use
+\fI@netgroupname\fR
+in host or user patterns\.
+.PP
+The
+\fIEXCEPT\fR
+operator makes it possible to write very compact rules\.
+.PP
+If the
+\fBnodefgroup\fR
+is not set, the group file is searched when a name does not match that of the logged\-in user\. Only groups are matched in which users are explicitly listed\. However the PAM module does not look at the primary group id of a user\.
+.PP
+The "\fI#\fR" character at start of line (no space at front) can be used to mark this line as a comment line\.
+.SH "EXAMPLES"
+.PP
+These are some example lines which might be specified in
+\fI/etc/security/access\.conf\fR\.
+.PP
+User
+\fIroot\fR
+should be allowed to get access via
+\fIcron\fR, X11 terminal
+\fI:0\fR,
+\fItty1\fR, \.\.\.,
+\fItty5\fR,
+\fItty6\fR\.
+.PP
++ : root : crond :0 tty1 tty2 tty3 tty4 tty5 tty6
+.PP
+User
+\fIroot\fR
+should be allowed to get access from hosts which own the IPv4 addresses\. This does not mean that the connection have to be a IPv4 one, a IPv6 connection from a host with one of this IPv4 addresses does work, too\.
+.PP
++ : root : 192\.168\.200\.1 192\.168\.200\.4 192\.168\.200\.9
+.PP
++ : root : 127\.0\.0\.1
+.PP
+User
+\fIroot\fR
+should get access from network
+192\.168\.201\.
+where the term will be evaluated by string matching\. But it might be better to use network/netmask instead\. The same meaning of
+192\.168\.201\.
+is
+\fI192\.168\.201\.0/24\fR
+or
+\fI192\.168\.201\.0/255\.255\.255\.0\fR\.
+.PP
++ : root : 192\.168\.201\.
+.PP
+User
+\fIroot\fR
+should be able to have access from hosts
+\fIfoo1\.bar\.org\fR
+and
+\fIfoo2\.bar\.org\fR
+(uses string matching also)\.
+.PP
++ : root : foo1\.bar\.org foo2\.bar\.org
+.PP
+User
+\fIroot\fR
+should be able to have access from domain
+\fIfoo\.bar\.org\fR
+(uses string matching also)\.
+.PP
++ : root : \.foo\.bar\.org
+.PP
+User
+\fIroot\fR
+should be denied to get access from all other sources\.
+.PP
+\- : root : ALL
+.PP
+User
+\fIfoo\fR
+and members of netgroup
+\fIadmins\fR
+should be allowed to get access from all sources\. This will only work if netgroup service is available\.
+.PP
++ : @admins foo : ALL
+.PP
+User
+\fIjohn\fR
+and
+\fIfoo\fR
+should get access from IPv6 host address\.
+.PP
++ : john foo : 2001:4ca0:0:101::1
+.PP
+User
+\fIjohn\fR
+should get access from IPv6 net/mask\.
+.PP
++ : john : 2001:4ca0:0:101::/64
+.PP
+Disallow console logins to all but the shutdown, sync and all other accounts, which are a member of the wheel group\.
+.PP
+\-:ALL EXCEPT (wheel) shutdown sync:LOCAL
+.PP
+All other users should be denied to get access from all sources\.
+.PP
+\- : ALL : ALL
+.SH "SEE ALSO"
+.PP
+
+\fBpam_access\fR(8),
+\fBpam.d\fR(5),
+\fBpam\fR(8)
+.SH "AUTHORS"
+.PP
+Original
+\fBlogin.access\fR(5)
+manual was provided by Guido van Rooij which was renamed to
+\fBaccess.conf\fR(5)
+to reflect relation to default config file\.
+.PP
+Network address / netmask description and example text was introduced by Mike Becher <mike\.becher@lrz\-muenchen\.de>\.
diff --git a/modules/pam_access/access.conf.5.xml b/modules/pam_access/access.conf.5.xml
new file mode 100644
index 00000000..f8eb7a4e
--- /dev/null
+++ b/modules/pam_access/access.conf.5.xml
@@ -0,0 +1,203 @@
+<?xml version="1.0" encoding='UTF-8'?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
+ "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
+
+<refentry id="access.conf">
+
+ <refmeta>
+ <refentrytitle>access.conf</refentrytitle>
+ <manvolnum>5</manvolnum>
+ <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo>
+ </refmeta>
+
+ <refnamediv>
+ <refname>access.conf</refname>
+ <refpurpose>the login access control table file</refpurpose>
+ </refnamediv>
+
+
+ <refsect1 id='access.conf-description'>
+ <title>DESCRIPTION</title>
+ <para>
+ The <filename>/etc/security/access.conf</filename> file specifies
+ (<replaceable>user/group</replaceable>, <replaceable>host</replaceable>),
+ (<replaceable>user/group</replaceable>, <replaceable>network/netmask</replaceable>) or
+ (<replaceable>user/group</replaceable>, <replaceable>tty</replaceable>)
+ combinations for which a login will be either accepted or refused.
+ </para>
+ <para>
+ When someone logs in, the file <filename>access.conf</filename> is
+ scanned for the first entry that matches the
+ (<replaceable>user/group</replaceable>, <replaceable>host</replaceable>) or
+ (<replaceable>user/group</replaceable>, <replaceable>network/netmask</replaceable>)
+ combination, or, in case of non-networked logins, the first entry
+ that matches the
+ (<replaceable>user/group</replaceable>, <replaceable>tty</replaceable>)
+ combination. The permissions field of that table entry determines
+ whether the login will be accepted or refused.
+ </para>
+
+ <para>
+ Each line of the login access control table has three fields separated
+ by a ":" character (colon):
+ </para>
+
+ <para>
+ <replaceable>permission</replaceable>:<replaceable>users/groups</replaceable>:<replaceable>origins</replaceable>
+ </para>
+
+
+ <para>
+ The first field, the <replaceable>permission</replaceable> field, can be either a
+ "<emphasis>+</emphasis>" character (plus) for access granted or a
+ "<emphasis>-</emphasis>" character (minus) for access denied.
+ </para>
+
+ <para>
+ The second field, the
+ <replaceable>users</replaceable>/<replaceable>group</replaceable>
+ field, should be a list of one or more login names, group names, or
+ <emphasis>ALL</emphasis> (which always matches). To differentiate
+ user entries from group entries, group entries should be written
+ with brackets, e.g. <emphasis>(group)</emphasis>.
+ </para>
+
+ <para>
+ The third field, the <replaceable>origins</replaceable>
+ field, should be a list of one or more tty names (for non-networked
+ logins), host names, domain names (begin with "."), host addresses,
+ internet network numbers (end with "."), internet network addresses
+ with network mask (where network mask can be a decimal number or an
+ internet address also), <emphasis>ALL</emphasis> (which always matches)
+ or <emphasis>LOCAL</emphasis> (which matches any string that does not
+ contain a "." character). If supported by the system you can use
+ <emphasis>@netgroupname</emphasis> in host or user patterns.
+ </para>
+
+ <para>
+ The <replaceable>EXCEPT</replaceable> operator makes it possible to
+ write very compact rules.
+ </para>
+
+ <para>
+ If the <option>nodefgroup</option> is not set, the group file
+ is searched when a name does not match that of the logged-in
+ user. Only groups are matched in which users are explicitly listed.
+ However the PAM module does not look at the primary group id of a user.
+ </para>
+
+
+ <para>
+ The "<emphasis>#</emphasis>" character at start of line (no space
+ at front) can be used to mark this line as a comment line.
+ </para>
+
+ </refsect1>
+
+ <refsect1 id="access.conf-examples">
+ <title>EXAMPLES</title>
+ <para>
+ These are some example lines which might be specified in
+ <filename>/etc/security/access.conf</filename>.
+ </para>
+
+ <para>
+ User <emphasis>root</emphasis> should be allowed to get access via
+ <emphasis>cron</emphasis>, X11 terminal <emphasis remap='I'>:0</emphasis>,
+ <emphasis>tty1</emphasis>, ..., <emphasis>tty5</emphasis>,
+ <emphasis>tty6</emphasis>.
+ </para>
+ <para>+ : root : crond :0 tty1 tty2 tty3 tty4 tty5 tty6</para>
+
+ <para>
+ User <emphasis>root</emphasis> should be allowed to get access from
+ hosts which own the IPv4 addresses. This does not mean that the
+ connection have to be a IPv4 one, a IPv6 connection from a host with
+ one of this IPv4 addresses does work, too.
+ </para>
+ <para>+ : root : 192.168.200.1 192.168.200.4 192.168.200.9</para>
+ <para>+ : root : 127.0.0.1</para>
+
+ <para>
+ User <emphasis>root</emphasis> should get access from network
+ <literal>192.168.201.</literal> where the term will be evaluated by
+ string matching. But it might be better to use network/netmask instead.
+ The same meaning of <literal>192.168.201.</literal> is
+ <emphasis>192.168.201.0/24</emphasis> or
+ <emphasis>192.168.201.0/255.255.255.0</emphasis>.
+ </para>
+ <para>+ : root : 192.168.201.</para>
+
+ <para>
+ User <emphasis>root</emphasis> should be able to have access from hosts
+ <emphasis>foo1.bar.org</emphasis> and <emphasis>foo2.bar.org</emphasis>
+ (uses string matching also).
+ </para>
+ <para>+ : root : foo1.bar.org foo2.bar.org</para>
+
+ <para>
+ User <emphasis>root</emphasis> should be able to have access from
+ domain <emphasis>foo.bar.org</emphasis> (uses string matching also).
+ </para>
+ <para>+ : root : .foo.bar.org</para>
+
+ <para>
+ User <emphasis>root</emphasis> should be denied to get access
+ from all other sources.
+ </para>
+ <para>- : root : ALL</para>
+
+ <para>
+ User <emphasis>foo</emphasis> and members of netgroup
+ <emphasis>admins</emphasis> should be allowed to get access
+ from all sources. This will only work if netgroup service is available.
+ </para>
+ <para>+ : @admins foo : ALL</para>
+
+ <para>
+ User <emphasis>john</emphasis> and <emphasis>foo</emphasis>
+ should get access from IPv6 host address.
+ </para>
+ <para>+ : john foo : 2001:4ca0:0:101::1</para>
+
+ <para>
+ User <emphasis>john</emphasis> should get access from IPv6 net/mask.
+ </para>
+ <para>+ : john : 2001:4ca0:0:101::/64</para>
+
+ <para>
+ Disallow console logins to all but the shutdown, sync and all
+ other accounts, which are a member of the wheel group.
+ </para>
+ <para>-:ALL EXCEPT (wheel) shutdown sync:LOCAL</para>
+
+ <para>
+ All other users should be denied to get access from all sources.
+ </para>
+ <para>- : ALL : ALL</para>
+
+ </refsect1>
+
+ <refsect1 id="access.conf-see_also">
+ <title>SEE ALSO</title>
+ <para>
+ <citerefentry><refentrytitle>pam_access</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
+ <citerefentry><refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
+ <citerefentry><refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum></citerefentry>
+ </para>
+ </refsect1>
+
+ <refsect1 id="access.conf-author">
+ <title>AUTHORS</title>
+ <para>
+ Original <citerefentry><refentrytitle>login.access</refentrytitle><manvolnum>5</manvolnum></citerefentry>
+ manual was provided by Guido van Rooij which was renamed to
+ <citerefentry><refentrytitle>access.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>
+ to reflect relation to default config file.
+ </para>
+ <para>
+ Network address / netmask description and example text was
+ introduced by Mike Becher &lt;mike.becher@lrz-muenchen.de&gt;.
+ </para>
+ </refsect1>
+</refentry>
diff --git a/modules/pam_access/pam_access.8 b/modules/pam_access/pam_access.8
new file mode 100644
index 00000000..ef907492
--- /dev/null
+++ b/modules/pam_access/pam_access.8
@@ -0,0 +1,112 @@
+.\" Title: pam_access
+.\" Author:
+.\" Generator: DocBook XSL Stylesheets v1.73.1 <http://docbook.sf.net/>
+.\" Date: 04/16/2008
+.\" Manual: Linux-PAM Manual
+.\" Source: Linux-PAM Manual
+.\"
+.TH "PAM_ACCESS" "8" "04/16/2008" "Linux-PAM Manual" "Linux-PAM Manual"
+.\" disable hyphenation
+.nh
+.\" disable justification (adjust text to left margin only)
+.ad l
+.SH "NAME"
+pam_access - PAM module for logdaemon style login access control
+.SH "SYNOPSIS"
+.HP 14
+\fBpam_access\.so\fR [debug] [nodefgroup] [noaudit] [accessfile=\fIfile\fR] [fieldsep=\fIsep\fR] [listsep=\fIsep\fR]
+.SH "DESCRIPTION"
+.PP
+The pam_access PAM module is mainly for access management\. It provides logdaemon style login access control based on login names, host or domain names, internet addresses or network numbers, or on terminal line names in case of non\-networked logins\.
+.PP
+By default rules for access management are taken from config file
+\fI/etc/security/access\.conf\fR
+if you don\'t specify another file\.
+.PP
+If Linux PAM is compiled with audit support the module will report when it denies access based on origin (host or tty)\.
+.SH "OPTIONS"
+.PP
+\fBaccessfile=\fR\fB\fI/path/to/access\.conf\fR\fR
+.RS 4
+Indicate an alternative
+\fIaccess\.conf\fR
+style configuration file to override the default\. This can be useful when different services need different access lists\.
+.RE
+.PP
+\fBdebug\fR
+.RS 4
+A lot of debug informations are printed with
+\fBsyslog\fR(3)\.
+.RE
+.PP
+\fBnoaudit\fR
+.RS 4
+Do not report logins from disallowed hosts and ttys to the audit subsystem\.
+.RE
+.PP
+\fBfieldsep=\fR\fB\fIseparators\fR\fR
+.RS 4
+This option modifies the field separator character that pam_access will recognize when parsing the access configuration file\. For example:
+\fBfieldsep=|\fR
+will cause the default `:\' character to be treated as part of a field value and `|\' becomes the field separator\. Doing this may be useful in conjuction with a system that wants to use pam_access with X based applications, since the
+\fBPAM_TTY\fR
+item is likely to be of the form "hostname:0" which includes a `:\' character in its value\. But you should not need this\.
+.RE
+.PP
+\fBlistsep=\fR\fB\fIseparators\fR\fR
+.RS 4
+This option modifies the list separator character that pam_access will recognize when parsing the access configuration file\. For example:
+\fBlistsep=,\fR
+will cause the default ` \' (space) and `\et\' (tab) characters to be treated as part of a list element value and `,\' becomes the only list element separator\. Doing this may be useful on a system with group information obtained from a Windows domain, where the default built\-in groups "Domain Users", "Domain Admins" contain a space\.
+.RE
+.PP
+\fBnodefgroup\fR
+.RS 4
+The group database will not be used for tokens not identified as account name\.
+.RE
+.SH "MODULE SERVICES PROVIDED"
+.PP
+All services are supported\.
+.SH "RETURN VALUES"
+.PP
+PAM_SUCCESS
+.RS 4
+Access was granted\.
+.RE
+.PP
+PAM_PERM_DENIED
+.RS 4
+Access was not granted\.
+.RE
+.PP
+PAM_IGNORE
+.RS 4
+
+\fBpam_setcred\fR
+was called which does nothing\.
+.RE
+.PP
+PAM_ABORT
+.RS 4
+Not all relevant data or options could be gotten\.
+.RE
+.PP
+PAM_USER_UNKNOWN
+.RS 4
+The user is not known to the system\.
+.RE
+.SH "FILES"
+.PP
+\fI/etc/security/access\.conf\fR
+.RS 4
+Default configuration file
+.RE
+.SH "SEE ALSO"
+.PP
+
+\fBaccess.conf\fR(5),
+\fBpam.d\fR(8),
+\fBpam\fR(8)\.
+.SH "AUTHORS"
+.PP
+The logdaemon style login access control scheme was designed and implemented by Wietse Venema\. The pam_access PAM module was developed by Alexei Nogin <alexei@nogin\.dnttm\.ru>\. The IPv6 support and the network(address) / netmask feature was developed and provided by Mike Becher <mike\.becher@lrz\-muenchen\.de>\.
diff --git a/modules/pam_access/pam_access.8.xml b/modules/pam_access/pam_access.8.xml
new file mode 100644
index 00000000..21970d49
--- /dev/null
+++ b/modules/pam_access/pam_access.8.xml
@@ -0,0 +1,253 @@
+<?xml version="1.0" encoding="ISO-8859-1"?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN"
+ "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd">
+
+<refentry id='pam_access'>
+
+ <refmeta>
+ <refentrytitle>pam_access</refentrytitle>
+ <manvolnum>8</manvolnum>
+ <refmiscinfo class='setdesc'>Linux-PAM Manual</refmiscinfo>
+ </refmeta>
+
+ <refnamediv id='pam_access-name'>
+ <refname>pam_access</refname>
+ <refpurpose>
+ PAM module for logdaemon style login access control
+ </refpurpose>
+ </refnamediv>
+
+<!-- body begins here -->
+
+ <refsynopsisdiv>
+ <cmdsynopsis id="pam_access-cmdsynopsis">
+ <command>pam_access.so</command>
+ <arg choice="opt">
+ debug
+ </arg>
+ <arg choice="opt">
+ nodefgroup
+ </arg>
+ <arg choice="opt">
+ noaudit
+ </arg>
+ <arg choice="opt">
+ accessfile=<replaceable>file</replaceable>
+ </arg>
+ <arg choice="opt">
+ fieldsep=<replaceable>sep</replaceable>
+ </arg>
+ <arg choice="opt">
+ listsep=<replaceable>sep</replaceable>
+ </arg>
+ </cmdsynopsis>
+ </refsynopsisdiv>
+
+
+ <refsect1 id="pam_access-description">
+ <title>DESCRIPTION</title>
+ <para>
+ The pam_access PAM module is mainly for access management.
+ It provides logdaemon style login access control based on login
+ names, host or domain names, internet addresses or network numbers,
+ or on terminal line names in case of non-networked logins.
+ </para>
+ <para>
+ By default rules for access management are taken from config file
+ <filename>/etc/security/access.conf</filename> if you don't specify
+ another file.
+ </para>
+ <para>
+ If Linux PAM is compiled with audit support the module will report
+ when it denies access based on origin (host or tty).
+ </para>
+ </refsect1>
+
+ <refsect1 id="pam_access-options">
+ <title>OPTIONS</title>
+ <variablelist>
+
+ <varlistentry>
+ <term>
+ <option>accessfile=<replaceable>/path/to/access.conf</replaceable></option>
+ </term>
+ <listitem>
+ <para>
+ Indicate an alternative <filename>access.conf</filename>
+ style configuration file to override the default. This can
+ be useful when different services need different access lists.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>
+ <option>debug</option>
+ </term>
+ <listitem>
+ <para>
+ A lot of debug informations are printed with
+ <citerefentry><refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum></citerefentry>.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>
+ <option>noaudit</option>
+ </term>
+ <listitem>
+ <para>
+ Do not report logins from disallowed hosts and ttys to the audit subsystem.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>
+ <option>fieldsep=<replaceable>separators</replaceable></option>
+ </term>
+ <listitem>
+ <para>
+ This option modifies the field separator character that
+ pam_access will recognize when parsing the access
+ configuration file. For example:
+ <emphasis remap='B'>fieldsep=|</emphasis> will cause the
+ default `:' character to be treated as part of a field value
+ and `|' becomes the field separator. Doing this may be
+ useful in conjuction with a system that wants to use
+ pam_access with X based applications, since the
+ <emphasis remap='B'>PAM_TTY</emphasis> item is likely to be
+ of the form "hostname:0" which includes a `:' character in
+ its value. But you should not need this.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>
+ <option>listsep=<replaceable>separators</replaceable></option>
+ </term>
+ <listitem>
+ <para>
+ This option modifies the list separator character that
+ pam_access will recognize when parsing the access
+ configuration file. For example:
+ <emphasis remap='B'>listsep=,</emphasis> will cause the
+ default ` ' (space) and `\t' (tab) characters to be treated
+ as part of a list element value and `,' becomes the only
+ list element separator. Doing this may be useful on a system
+ with group information obtained from a Windows domain,
+ where the default built-in groups "Domain Users",
+ "Domain Admins" contain a space.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>
+ <option>nodefgroup</option>
+ </term>
+ <listitem>
+ <para>
+ The group database will not be used for tokens not
+ identified as account name.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ </variablelist>
+ </refsect1>
+
+ <refsect1 id="pam_access-services">
+ <title>MODULE SERVICES PROVIDED</title>
+ <para>
+ All services are supported.
+ </para>
+ </refsect1>
+
+ <refsect1 id="pam_access-return_values">
+ <title>RETURN VALUES</title>
+ <variablelist>
+ <varlistentry>
+ <term>PAM_SUCCESS</term>
+ <listitem>
+ <para>
+ Access was granted.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>PAM_PERM_DENIED</term>
+ <listitem>
+ <para>
+ Access was not granted.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>PAM_IGNORE</term>
+ <listitem>
+ <para>
+ <function>pam_setcred</function> was called which does nothing.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>PAM_ABORT</term>
+ <listitem>
+ <para>
+ Not all relevant data or options could be gotten.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>PAM_USER_UNKNOWN</term>
+ <listitem>
+ <para>
+ The user is not known to the system.
+ </para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+ </refsect1>
+
+ <refsect1 id="pam_access-files">
+ <title>FILES</title>
+ <variablelist>
+ <varlistentry>
+ <term><filename>/etc/security/access.conf</filename></term>
+ <listitem>
+ <para>Default configuration file</para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+ </refsect1>
+
+ <refsect1 id="pam_access-see_also">
+ <title>SEE ALSO</title>
+ <para>
+ <citerefentry>
+ <refentrytitle>access.conf</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>pam.d</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>.
+ </para>
+ </refsect1>
+
+ <refsect1 id="pam_access-authors">
+ <title>AUTHORS</title>
+ <para>
+ The logdaemon style login access control scheme was designed and implemented by
+ Wietse Venema.
+ The pam_access PAM module was developed by
+ Alexei Nogin &lt;alexei@nogin.dnttm.ru&gt;.
+ The IPv6 support and the network(address) / netmask feature
+ was developed and provided by Mike Becher &lt;mike.becher@lrz-muenchen.de&gt;.
+ </para>
+ </refsect1>
+</refentry>
diff --git a/modules/pam_access/pam_access.c b/modules/pam_access/pam_access.c
new file mode 100644
index 00000000..edb8fb0a
--- /dev/null
+++ b/modules/pam_access/pam_access.c
@@ -0,0 +1,922 @@
+/* pam_access module */
+
+/*
+ * Written by Alexei Nogin <alexei@nogin.dnttm.ru> 1997/06/15
+ * (I took login_access from logdaemon-5.6 and converted it to PAM
+ * using parts of pam_time code.)
+ *
+ ************************************************************************
+ * Copyright message from logdaemon-5.6 (original file name DISCLAIMER)
+ ************************************************************************
+ * Copyright 1995 by Wietse Venema. All rights reserved. Individual files
+ * may be covered by other copyrights (as noted in the file itself.)
+ *
+ * This material was originally written and compiled by Wietse Venema at
+ * Eindhoven University of Technology, The Netherlands, in 1990, 1991,
+ * 1992, 1993, 1994 and 1995.
+ *
+ * Redistribution and use in source and binary forms are permitted
+ * provided that this entire copyright notice is duplicated in all such
+ * copies.
+ *
+ * This software is provided "as is" and without any expressed or implied
+ * warranties, including, without limitation, the implied warranties of
+ * merchantibility and fitness for any particular purpose.
+ *************************************************************************
+ */
+
+#include "config.h"
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+
+#include <stdarg.h>
+#include <syslog.h>
+#include <string.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <pwd.h>
+#include <grp.h>
+#include <errno.h>
+#include <ctype.h>
+#include <sys/utsname.h>
+#include <rpcsvc/ypclnt.h>
+#include <arpa/inet.h>
+#include <netdb.h>
+#include <sys/socket.h>
+
+#ifdef HAVE_LIBAUDIT
+#include <libaudit.h>
+#endif
+
+/*
+ * here, we make definitions for the externally accessible functions
+ * in this file (these definitions are required for static modules
+ * but strongly encouraged generally) they are used to instruct the
+ * modules include file to define their prototypes.
+ */
+
+#define PAM_SM_AUTH
+#define PAM_SM_ACCOUNT
+#define PAM_SM_SESSION
+#define PAM_SM_PASSWORD
+
+#include <security/_pam_macros.h>
+#include <security/pam_modules.h>
+#include <security/pam_modutil.h>
+#include <security/pam_ext.h>
+
+/* login_access.c from logdaemon-5.6 with several changes by A.Nogin: */
+
+ /*
+ * This module implements a simple but effective form of login access
+ * control based on login names and on host (or domain) names, internet
+ * addresses (or network numbers), or on terminal line names in case of
+ * non-networked logins. Diagnostics are reported through syslog(3).
+ *
+ * Author: Wietse Venema, Eindhoven University of Technology, The Netherlands.
+ */
+
+#if !defined(MAXHOSTNAMELEN) || (MAXHOSTNAMELEN < 64)
+#undef MAXHOSTNAMELEN
+#define MAXHOSTNAMELEN 256
+#endif
+
+ /* Delimiters for fields and for lists of users, ttys or hosts. */
+
+
+#define ALL 2
+#define YES 1
+#define NO 0
+
+ /*
+ * A structure to bundle up all login-related information to keep the
+ * functional interfaces as generic as possible.
+ */
+struct login_info {
+ const struct passwd *user;
+ const char *from;
+ const char *config_file;
+ int debug; /* Print debugging messages. */
+ int only_new_group_syntax; /* Only allow group entries of the form "(xyz)" */
+ int noaudit; /* Do not audit denials */
+ const char *fs; /* field separator */
+ const char *sep; /* list-element separator */
+};
+
+/* Parse module config arguments */
+
+static int
+parse_args(pam_handle_t *pamh, struct login_info *loginfo,
+ int argc, const char **argv)
+{
+ int i;
+
+ loginfo->noaudit = NO;
+ loginfo->debug = NO;
+ loginfo->only_new_group_syntax = NO;
+ loginfo->fs = ":";
+ loginfo->sep = ", \t";
+ for (i=0; i<argc; ++i) {
+ if (!strncmp("fieldsep=", argv[i], 9)) {
+
+ /* the admin wants to override the default field separators */
+ loginfo->fs = argv[i]+9;
+
+ } else if (!strncmp("listsep=", argv[i], 8)) {
+
+ /* the admin wants to override the default list separators */
+ loginfo->sep = argv[i]+8;
+
+ } else if (!strncmp("accessfile=", argv[i], 11)) {
+ FILE *fp = fopen(11 + argv[i], "r");
+
+ if (fp) {
+ loginfo->config_file = 11 + argv[i];
+ fclose(fp);
+ } else {
+ pam_syslog(pamh, LOG_ERR,
+ "failed to open accessfile=[%s]: %m", 11 + argv[i]);
+ return 0;
+ }
+
+ } else if (strcmp (argv[i], "debug") == 0) {
+ loginfo->debug = YES;
+ } else if (strcmp (argv[i], "nodefgroup") == 0) {
+ loginfo->only_new_group_syntax = YES;
+ } else if (strcmp (argv[i], "noaudit") == 0) {
+ loginfo->noaudit = YES;
+ } else {
+ pam_syslog(pamh, LOG_ERR, "unrecognized option [%s]", argv[i]);
+ }
+ }
+
+ return 1; /* OK */
+}
+
+/* --- static functions for checking whether the user should be let in --- */
+
+typedef int match_func (pam_handle_t *, char *, struct login_info *);
+
+static int list_match (pam_handle_t *, char *, char *, struct login_info *,
+ match_func *);
+static int user_match (pam_handle_t *, char *, struct login_info *);
+static int group_match (pam_handle_t *, const char *, const char *, int);
+static int from_match (pam_handle_t *, char *, struct login_info *);
+static int string_match (pam_handle_t *, const char *, const char *, int);
+static int network_netmask_match (pam_handle_t *, const char *, const char *, int);
+
+
+/* isipaddr - find out if string provided is an IP address or not */
+
+static int
+isipaddr (const char *string, int *addr_type,
+ struct sockaddr_storage *addr)
+{
+ struct sockaddr_storage local_addr;
+ int is_ip;
+
+ /* We use struct sockaddr_storage addr because
+ * struct in_addr/in6_addr is an integral part
+ * of struct sockaddr and we doesn't want to
+ * use its value.
+ */
+
+ if (addr == NULL)
+ addr = &local_addr;
+
+ memset(addr, 0, sizeof(struct sockaddr_storage));
+
+ /* first ipv4 */
+ if (inet_pton(AF_INET, string, addr) > 0)
+ {
+ if (addr_type != NULL)
+ *addr_type = AF_INET;
+
+ is_ip = YES;
+ }
+ else if (inet_pton(AF_INET6, string, addr) > 0)
+ { /* then ipv6 */
+ if (addr_type != NULL) {
+ *addr_type = AF_INET6;
+ }
+ is_ip = YES;
+ }
+ else
+ is_ip = NO;
+
+ return is_ip;
+}
+
+
+/* are_addresses_equal - translate IP address strings to real IP
+ * addresses and compare them to find out if they are equal.
+ * If netmask was provided it will be used to focus comparation to
+ * relevant bits.
+ */
+static int
+are_addresses_equal (const char *ipaddr0, const char *ipaddr1,
+ const char *netmask)
+{
+ struct sockaddr_storage addr0;
+ struct sockaddr_storage addr1;
+ int addr_type0 = 0;
+ int addr_type1 = 0;
+
+ if (isipaddr (ipaddr0, &addr_type0, &addr0) == NO)
+ return NO;
+
+ if (isipaddr (ipaddr1, &addr_type1, &addr1) == NO)
+ return NO;
+
+ if (addr_type0 != addr_type1)
+ /* different address types */
+ return NO;
+
+ if (netmask != NULL) {
+ /* Got a netmask, so normalize addresses? */
+ struct sockaddr_storage nmask;
+ unsigned char *byte_a, *byte_nm;
+
+ memset(&nmask, 0, sizeof(struct sockaddr_storage));
+ if (inet_pton(addr_type0, netmask, (void *)&nmask) > 0) {
+ unsigned int i;
+ byte_a = (unsigned char *)(&addr0);
+ byte_nm = (unsigned char *)(&nmask);
+ for (i=0; i<sizeof(struct sockaddr_storage); i++) {
+ byte_a[i] = byte_a[i] & byte_nm[i];
+ }
+
+ byte_a = (unsigned char *)(&addr1);
+ byte_nm = (unsigned char *)(&nmask);
+ for (i=0; i<sizeof(struct sockaddr_storage); i++) {
+ byte_a[i] = byte_a[i] & byte_nm[i];
+ }
+ }
+ }
+
+
+ /* Are the two addresses equal? */
+ if (memcmp((void *)&addr0, (void *)&addr1,
+ sizeof(struct sockaddr_storage)) == 0) {
+ return(YES);
+ }
+
+ return(NO);
+}
+
+static char *
+number_to_netmask (long netmask, int addr_type,
+ char *ipaddr_buf, size_t ipaddr_buf_len)
+{
+ /* We use struct sockaddr_storage addr because
+ * struct in_addr/in6_addr is an integral part
+ * of struct sockaddr and we doesn't want to
+ * use its value.
+ */
+ struct sockaddr_storage nmask;
+ unsigned char *byte_nm;
+ const char *ipaddr_dst = NULL;
+ int i, ip_bytes;
+
+ if (netmask == 0) {
+ /* mask 0 is the same like no mask */
+ return(NULL);
+ }
+
+ memset(&nmask, 0, sizeof(struct sockaddr_storage));
+ if (addr_type == AF_INET6) {
+ /* ipv6 address mask */
+ ip_bytes = 16;
+ } else {
+ /* default might be an ipv4 address mask */
+ addr_type = AF_INET;
+ ip_bytes = 4;
+ }
+
+ byte_nm = (unsigned char *)(&nmask);
+ /* translate number to mask */
+ for (i=0; i<ip_bytes; i++) {
+ if (netmask >= 8) {
+ byte_nm[i] = 0xff;
+ netmask -= 8;
+ } else
+ if (netmask > 0) {
+ byte_nm[i] = 0xff << (8 - netmask);
+ break;
+ } else
+ if (netmask <= 0) {
+ break;
+ }
+ }
+
+ /* now generate netmask address string */
+ ipaddr_dst = inet_ntop(addr_type, &nmask, ipaddr_buf, ipaddr_buf_len);
+ if (ipaddr_dst == ipaddr_buf) {
+ return (ipaddr_buf);
+ }
+
+ return (NULL);
+}
+
+/* login_access - match username/group and host/tty with access control file */
+
+static int
+login_access (pam_handle_t *pamh, struct login_info *item)
+{
+ FILE *fp;
+ char line[BUFSIZ];
+ char *perm; /* becomes permission field */
+ char *users; /* becomes list of login names */
+ char *froms; /* becomes list of terminals or hosts */
+ int match = NO;
+ int nonall_match = NO;
+ int end;
+ int lineno = 0; /* for diagnostics */
+ char *sptr;
+
+ if (item->debug)
+ pam_syslog (pamh, LOG_DEBUG,
+ "login_access: user=%s, from=%s, file=%s",
+ item->user->pw_name,
+ item->from, item->config_file);
+
+ /*
+ * Process the table one line at a time and stop at the first match.
+ * Blank lines and lines that begin with a '#' character are ignored.
+ * Non-comment lines are broken at the ':' character. All fields are
+ * mandatory. The first field should be a "+" or "-" character. A
+ * non-existing table means no access control.
+ */
+
+ if ((fp = fopen(item->config_file, "r"))!=NULL) {
+ while (!match && fgets(line, sizeof(line), fp)) {
+ lineno++;
+ if (line[end = strlen(line) - 1] != '\n') {
+ pam_syslog(pamh, LOG_ERR,
+ "%s: line %d: missing newline or line too long",
+ item->config_file, lineno);
+ continue;
+ }
+ if (line[0] == '#')
+ continue; /* comment line */
+ while (end > 0 && isspace(line[end - 1]))
+ end--;
+ line[end] = 0; /* strip trailing whitespace */
+ if (line[0] == 0) /* skip blank lines */
+ continue;
+
+ /* Allow field seperator in last field of froms */
+ if (!(perm = strtok_r(line, item->fs, &sptr))
+ || !(users = strtok_r(NULL, item->fs, &sptr))
+ || !(froms = strtok_r(NULL, "\n", &sptr))) {
+ pam_syslog(pamh, LOG_ERR, "%s: line %d: bad field count",
+ item->config_file, lineno);
+ continue;
+ }
+ if (perm[0] != '+' && perm[0] != '-') {
+ pam_syslog(pamh, LOG_ERR, "%s: line %d: bad first field",
+ item->config_file, lineno);
+ continue;
+ }
+ if (item->debug)
+ pam_syslog (pamh, LOG_DEBUG,
+ "line %d: %s : %s : %s", lineno, perm, users, froms);
+ match = list_match(pamh, users, NULL, item, user_match);
+ if (item->debug)
+ pam_syslog (pamh, LOG_DEBUG, "user_match=%d, \"%s\"",
+ match, item->user->pw_name);
+ if (match) {
+ match = list_match(pamh, froms, NULL, item, from_match);
+ if (!match && perm[0] == '+') {
+ nonall_match = YES;
+ }
+ if (item->debug)
+ pam_syslog (pamh, LOG_DEBUG,
+ "from_match=%d, \"%s\"", match, item->from);
+ }
+ }
+ (void) fclose(fp);
+ } else if (errno == ENOENT) {
+ /* This is no error. */
+ pam_syslog(pamh, LOG_WARNING, "warning: cannot open %s: %m",
+ item->config_file);
+ } else {
+ pam_syslog(pamh, LOG_ERR, "cannot open %s: %m", item->config_file);
+ return NO;
+ }
+#ifdef HAVE_LIBAUDIT
+ if (!item->noaudit && line[0] == '-' && (match == YES || (match == ALL &&
+ nonall_match == YES))) {
+ pam_modutil_audit_write(pamh, AUDIT_ANOM_LOGIN_LOCATION,
+ "pam_access", 0);
+ }
+#endif
+ return (match == NO || (line[0] == '+'));
+}
+
+
+/* list_match - match an item against a list of tokens with exceptions */
+
+static int
+list_match(pam_handle_t *pamh, char *list, char *sptr,
+ struct login_info *item, match_func *match_fn)
+{
+ char *tok;
+ int match = NO;
+
+ if (item->debug && list != NULL)
+ pam_syslog (pamh, LOG_DEBUG,
+ "list_match: list=%s, item=%s", list, item->user->pw_name);
+
+ /*
+ * Process tokens one at a time. We have exhausted all possible matches
+ * when we reach an "EXCEPT" token or the end of the list. If we do find
+ * a match, look for an "EXCEPT" list and recurse to determine whether
+ * the match is affected by any exceptions.
+ */
+
+ for (tok = strtok_r(list, item->sep, &sptr); tok != 0;
+ tok = strtok_r(NULL, item->sep, &sptr)) {
+ if (strcasecmp(tok, "EXCEPT") == 0) /* EXCEPT: give up */
+ break;
+ if ((match = (*match_fn) (pamh, tok, item))) /* YES */
+ break;
+ }
+ /* Process exceptions to matches. */
+
+ if (match != NO) {
+ while ((tok = strtok_r(NULL, item->sep, &sptr)) && strcasecmp(tok, "EXCEPT"))
+ /* VOID */ ;
+ if (tok == 0)
+ return match;
+ if (list_match(pamh, NULL, sptr, item, match_fn) == NO)
+ return YES; /* drop special meaning of ALL */
+ }
+ return (NO);
+}
+
+/* myhostname - figure out local machine name */
+
+static char *myhostname(void)
+{
+ static char name[MAXHOSTNAMELEN + 1];
+
+ if (gethostname(name, MAXHOSTNAMELEN) == 0) {
+ name[MAXHOSTNAMELEN] = 0;
+ return (name);
+ }
+ return NULL;
+}
+
+/* netgroup_match - match group against machine or user */
+
+static int
+netgroup_match (pam_handle_t *pamh, const char *netgroup,
+ const char *machine, const char *user, int debug)
+{
+ char *mydomain = NULL;
+ int retval;
+
+ yp_get_default_domain(&mydomain);
+
+
+ retval = innetgr (netgroup, machine, user, mydomain);
+ if (debug == YES)
+ pam_syslog (pamh, LOG_DEBUG,
+ "netgroup_match: %d (netgroup=%s, machine=%s, user=%s, domain=%s)",
+ retval, netgroup ? netgroup : "NULL",
+ machine ? machine : "NULL",
+ user ? user : "NULL", mydomain ? mydomain : "NULL");
+ return retval;
+
+}
+
+/* user_match - match a username against one token */
+
+static int
+user_match (pam_handle_t *pamh, char *tok, struct login_info *item)
+{
+ char *string = item->user->pw_name;
+ struct login_info fake_item;
+ char *at;
+ int rv;
+
+ if (item->debug)
+ pam_syslog (pamh, LOG_DEBUG,
+ "user_match: tok=%s, item=%s", tok, string);
+
+ /*
+ * If a token has the magic value "ALL" the match always succeeds.
+ * Otherwise, return YES if the token fully matches the username, if the
+ * token is a group that contains the username, or if the token is the
+ * name of the user's primary group.
+ */
+
+ if ((at = strchr(tok + 1, '@')) != 0) { /* split user@host pattern */
+ *at = 0;
+ fake_item.from = myhostname();
+ if (fake_item.from == NULL)
+ return NO;
+ return (user_match (pamh, tok, item) &&
+ from_match (pamh, at + 1, &fake_item));
+ } else if (tok[0] == '@') /* netgroup */
+ return (netgroup_match (pamh, tok + 1, (char *) 0, string, item->debug));
+ else if (tok[0] == '(' && tok[strlen(tok) - 1] == ')')
+ return (group_match (pamh, tok, string, item->debug));
+ else if ((rv=string_match (pamh, tok, string, item->debug)) != NO) /* ALL or exact match */
+ return rv;
+ else if (item->only_new_group_syntax == NO &&
+ pam_modutil_user_in_group_nam_nam (pamh,
+ item->user->pw_name, tok))
+ /* try group membership */
+ return YES;
+
+ return NO;
+}
+
+
+/* group_match - match a username against token named group */
+
+static int
+group_match (pam_handle_t *pamh, const char *tok, const char* usr,
+ int debug)
+{
+ char grptok[BUFSIZ];
+
+ if (debug)
+ pam_syslog (pamh, LOG_DEBUG,
+ "group_match: grp=%s, user=%s", grptok, usr);
+
+ if (strlen(tok) < 3)
+ return NO;
+
+ /* token is recieved under the format '(...)' */
+ memset(grptok, 0, BUFSIZ);
+ strncpy(grptok, tok + 1, strlen(tok) - 2);
+
+ if (pam_modutil_user_in_group_nam_nam(pamh, usr, grptok))
+ return YES;
+
+ return NO;
+}
+
+
+/* from_match - match a host or tty against a list of tokens */
+
+static int
+from_match (pam_handle_t *pamh UNUSED, char *tok, struct login_info *item)
+{
+ const char *string = item->from;
+ int tok_len;
+ int str_len;
+ int rv;
+
+ if (item->debug)
+ pam_syslog (pamh, LOG_DEBUG,
+ "from_match: tok=%s, item=%s", tok, string);
+
+ /*
+ * If a token has the magic value "ALL" the match always succeeds. Return
+ * YES if the token fully matches the string. If the token is a domain
+ * name, return YES if it matches the last fields of the string. If the
+ * token has the magic value "LOCAL", return YES if the string does not
+ * contain a "." character. If the token is a network number, return YES
+ * if it matches the head of the string.
+ */
+
+ if (string == NULL) {
+ return NO;
+ } else if (tok[0] == '@') { /* netgroup */
+ return (netgroup_match (pamh, tok + 1, string, (char *) 0, item->debug));
+ } else if ((rv = string_match(pamh, tok, string, item->debug)) != NO) {
+ /* ALL or exact match */
+ return rv;
+ } else if (tok[0] == '.') { /* domain: match last fields */
+ if ((str_len = strlen(string)) > (tok_len = strlen(tok))
+ && strcasecmp(tok, string + str_len - tok_len) == 0)
+ return (YES);
+ } else if (strcasecmp(tok, "LOCAL") == 0) { /* local: no dots */
+ if (strchr(string, '.') == 0)
+ return (YES);
+ } else if (tok[(tok_len = strlen(tok)) - 1] == '.') {
+ struct addrinfo *res;
+ struct addrinfo hint;
+
+ memset (&hint, '\0', sizeof (hint));
+ hint.ai_flags = AI_CANONNAME;
+ hint.ai_family = AF_INET;
+
+ if (getaddrinfo (string, NULL, &hint, &res) != 0)
+ return NO;
+ else
+ {
+ struct addrinfo *runp = res;
+
+ while (runp != NULL)
+ {
+ char buf[INET_ADDRSTRLEN+2];
+
+ if (runp->ai_family == AF_INET)
+ {
+ inet_ntop (runp->ai_family,
+ &((struct sockaddr_in *) runp->ai_addr)->sin_addr,
+ buf, sizeof (buf));
+
+ strcat (buf, ".");
+
+ if (strncmp(tok, buf, tok_len) == 0)
+ {
+ freeaddrinfo (res);
+ return YES;
+ }
+ }
+ runp = runp->ai_next;
+ }
+ freeaddrinfo (res);
+ }
+ } else if (isipaddr(string, NULL, NULL) == YES) {
+ /* Assume network/netmask with a IP of a host. */
+ if (network_netmask_match(pamh, tok, string, item->debug))
+ return YES;
+ } else {
+ /* Assume network/netmask with a name of a host. */
+ struct addrinfo *res;
+ struct addrinfo hint;
+
+ memset (&hint, '\0', sizeof (hint));
+ hint.ai_flags = AI_CANONNAME;
+ hint.ai_family = AF_UNSPEC;
+
+ if (getaddrinfo (string, NULL, &hint, &res) != 0)
+ return NO;
+ else
+ {
+ struct addrinfo *runp = res;
+
+ while (runp != NULL)
+ {
+ char buf[INET6_ADDRSTRLEN];
+
+ inet_ntop (runp->ai_family,
+ runp->ai_family == AF_INET
+ ? (void *) &((struct sockaddr_in *) runp->ai_addr)->sin_addr
+ : (void *) &((struct sockaddr_in6 *) runp->ai_addr)->sin6_addr,
+ buf, sizeof (buf));
+
+ if (network_netmask_match(pamh, tok, buf, item->debug))
+ {
+ freeaddrinfo (res);
+ return YES;
+ }
+ runp = runp->ai_next;
+ }
+ freeaddrinfo (res);
+ }
+ }
+
+ return NO;
+}
+
+/* string_match - match a string against one token */
+
+static int
+string_match (pam_handle_t *pamh, const char *tok, const char *string,
+ int debug)
+{
+
+ if (debug)
+ pam_syslog (pamh, LOG_DEBUG,
+ "string_match: tok=%s, item=%s", tok, string);
+
+ /*
+ * If the token has the magic value "ALL" the match always succeeds.
+ * Otherwise, return YES if the token fully matches the string.
+ * "NONE" token matches NULL string.
+ */
+
+ if (strcasecmp(tok, "ALL") == 0) { /* all: always matches */
+ return (ALL);
+ } else if (string != NULL) {
+ if (strcasecmp(tok, string) == 0) { /* try exact match */
+ return (YES);
+ }
+ } else if (strcasecmp(tok, "NONE") == 0) {
+ return (YES);
+ }
+ return (NO);
+}
+
+
+/* network_netmask_match - match a string against one token
+ * where string is an ip (v4,v6) address and tok represents
+ * whether a single ip (v4,v6) address or a network/netmask
+ */
+static int
+network_netmask_match (pam_handle_t *pamh,
+ const char *tok, const char *string, int debug)
+{
+ if (debug)
+ pam_syslog (pamh, LOG_DEBUG,
+ "network_netmask_match: tok=%s, item=%s", tok, string);
+
+ if (isipaddr(string, NULL, NULL) == YES)
+ {
+ char *netmask_ptr = NULL;
+ static char netmask_string[MAXHOSTNAMELEN + 1] = "";
+ int addr_type;
+
+ /* OK, check if tok is of type addr/mask */
+ if ((netmask_ptr = strchr(tok, '/')) != NULL)
+ {
+ long netmask = 0;
+
+ /* YES */
+ *netmask_ptr = 0;
+ netmask_ptr++;
+
+ if (isipaddr(tok, &addr_type, NULL) == NO)
+ { /* no netaddr */
+ return(NO);
+ }
+
+ /* check netmask */
+ if (isipaddr(netmask_ptr, NULL, NULL) == NO)
+ { /* netmask as integre value */
+ char *endptr = NULL;
+ netmask = strtol(netmask_ptr, &endptr, 0);
+ if ((endptr == NULL) || (*endptr != '\0'))
+ { /* invalid netmask value */
+ return(NO);
+ }
+ if ((netmask < 0) || (netmask >= 128))
+ { /* netmask value out of range */
+ return(NO);
+ }
+
+ netmask_ptr = number_to_netmask(netmask, addr_type,
+ netmask_string, MAXHOSTNAMELEN);
+ }
+
+ /* Netmask is now an ipv4/ipv6 address.
+ * This works also if netmask_ptr is NULL.
+ */
+ return (are_addresses_equal(string, tok, netmask_ptr));
+ }
+ else
+ /* NO, then check if it is only an addr */
+ if (isipaddr(tok, NULL, NULL) == YES)
+ { /* check if they are the same, no netmask */
+ return(are_addresses_equal(string, tok, NULL));
+ }
+ }
+
+ return (NO);
+}
+
+
+/* --- public PAM management functions --- */
+
+PAM_EXTERN int
+pam_sm_authenticate (pam_handle_t *pamh, int flags UNUSED,
+ int argc, const char **argv)
+{
+ struct login_info loginfo;
+ const char *user=NULL;
+ const void *void_from=NULL;
+ const char *from;
+ struct passwd *user_pw;
+
+ /* set username */
+
+ if (pam_get_user(pamh, &user, NULL) != PAM_SUCCESS || user == NULL
+ || *user == '\0') {
+ pam_syslog(pamh, LOG_ERR, "cannot determine the user's name");
+ return PAM_USER_UNKNOWN;
+ }
+
+ if ((user_pw=pam_modutil_getpwnam(pamh, user))==NULL)
+ return (PAM_USER_UNKNOWN);
+
+ /*
+ * Bundle up the arguments to avoid unnecessary clumsiness later on.
+ */
+ loginfo.user = user_pw;
+ loginfo.config_file = PAM_ACCESS_CONFIG;
+
+ /* parse the argument list */
+
+ if (!parse_args(pamh, &loginfo, argc, argv)) {
+ pam_syslog(pamh, LOG_ERR, "failed to parse the module arguments");
+ return PAM_ABORT;
+ }
+
+ /* remote host name */
+
+ if (pam_get_item(pamh, PAM_RHOST, &void_from)
+ != PAM_SUCCESS) {
+ pam_syslog(pamh, LOG_ERR, "cannot find the remote host name");
+ return PAM_ABORT;
+ }
+ from = void_from;
+
+ if ((from==NULL) || (*from=='\0')) {
+
+ /* local login, set tty name */
+
+ if (pam_get_item(pamh, PAM_TTY, &void_from) != PAM_SUCCESS
+ || void_from == NULL) {
+ D(("PAM_TTY not set, probing stdin"));
+ from = ttyname(STDIN_FILENO);
+ if (from != NULL) {
+ if (pam_set_item(pamh, PAM_TTY, from) != PAM_SUCCESS)
+ pam_syslog(pamh, LOG_WARNING, "couldn't set tty name");
+ } else {
+ if (pam_get_item(pamh, PAM_SERVICE, &void_from) != PAM_SUCCESS
+ || void_from == NULL) {
+ pam_syslog (pamh, LOG_ERR,
+ "cannot determine remote host, tty or service name");
+ return PAM_ABORT;
+ }
+ from = void_from;
+ if (loginfo.debug)
+ pam_syslog (pamh, LOG_DEBUG,
+ "cannot determine tty or remote hostname, using service %s",
+ from);
+ }
+ }
+ else
+ from = void_from;
+
+ if (from[0] == '/') { /* full path, remove device path. */
+ const char *f;
+ from++;
+ if ((f = strchr(from, '/')) != NULL) {
+ from = f + 1;
+ }
+ }
+ }
+
+ loginfo.from = from;
+
+ if (login_access(pamh, &loginfo)) {
+ return (PAM_SUCCESS);
+ } else {
+ pam_syslog(pamh, LOG_ERR,
+ "access denied for user `%s' from `%s'",user,from);
+ return (PAM_PERM_DENIED);
+ }
+}
+
+PAM_EXTERN int
+pam_sm_setcred (pam_handle_t *pamh UNUSED, int flags UNUSED,
+ int argc UNUSED, const char **argv UNUSED)
+{
+ return PAM_IGNORE;
+}
+
+PAM_EXTERN int
+pam_sm_acct_mgmt (pam_handle_t *pamh, int flags,
+ int argc, const char **argv)
+{
+ return pam_sm_authenticate (pamh, flags, argc, argv);
+}
+
+PAM_EXTERN int
+pam_sm_open_session(pam_handle_t *pamh, int flags,
+ int argc, const char **argv)
+{
+ return pam_sm_authenticate(pamh, flags, argc, argv);
+}
+
+PAM_EXTERN int
+pam_sm_close_session(pam_handle_t *pamh, int flags,
+ int argc, const char **argv)
+{
+ return pam_sm_authenticate(pamh, flags, argc, argv);
+}
+
+PAM_EXTERN int
+pam_sm_chauthtok(pam_handle_t *pamh, int flags,
+ int argc, const char **argv)
+{
+ return pam_sm_authenticate(pamh, flags, argc, argv);
+}
+
+/* end of module definition */
+
+#ifdef PAM_STATIC
+
+/* static module data */
+
+struct pam_module _pam_access_modstruct = {
+ "pam_access",
+ pam_sm_authenticate,
+ pam_sm_setcred,
+ pam_sm_acct_mgmt,
+ pam_sm_open_session,
+ pam_sm_close_session,
+ pam_sm_chauthtok
+};
+#endif
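Review bot: network_netmask_match truncates the token in place (`*netmask_ptr = 0;`, just after the `strchr(tok, '/')`), but from_match's host-name branch calls it once per address returned by getaddrinfo with AF_UNSPEC, so from the second address on `tok` has lost its `/mask` and is compared as a bare address via `are_addresses_equal(string, tok, NULL)`; if the resolver hands back an IPv6 address first, a `- : ALL : 10.0.0.0/255.0.0.0` rule can miss the host's IPv4 address and the deny falls through to whatever follows. The debug syslog on the second call also shows the already-truncated token, which hides the problem. Copying the address part into a local buffer and leaving the token untouched keeps every iteration matching against the full `addr/mask`. Separately, group_match logs `grptok` in its debug pam_syslog before the buffer is filled by memset/strncpy (uninitialized stack read) — that line should log `tok` instead.
```c
static int
network_netmask_match (pam_handle_t *pamh,
                       const char *tok, const char *string, int debug)
{
    /* … unchanged: debug log, outer isipaddr(string) check … */
        if ((netmask_ptr = strchr(tok, '/')) != NULL)
        {
            long netmask = 0;
            char addr_string[INET6_ADDRSTRLEN];
            size_t addr_len = (size_t)(netmask_ptr - tok);

            /* Work on a copy: from_match() calls us once per resolved
             * address of a host, so tok must stay intact for the
             * next iteration instead of being cut at the '/'. */
            if (addr_len >= sizeof(addr_string))
                return(NO);
            memcpy(addr_string, tok, addr_len);
            addr_string[addr_len] = '\0';
            netmask_ptr++;

            if (isipaddr(addr_string, &addr_type, NULL) == NO)
            {   /* no netaddr */
                return(NO);
            }
            /* … unchanged: numeric/dotted netmask parsing … */
            return (are_addresses_equal(string, addr_string, netmask_ptr));
        }
    /* … unchanged: plain-address case … */
}
```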
diff --git a/modules/pam_access/tst-pam_access b/modules/pam_access/tst-pam_access
new file mode 100755
index 00000000..271e69fe
--- /dev/null
+++ b/modules/pam_access/tst-pam_access
@@ -0,0 +1,2 @@
+#!/bin/sh
+../../tests/tst-dlopen .libs/pam_access.so