8 files changed, 522 insertions, 45 deletions
diff --git a/modules/pam_rhosts/Makefile.am b/modules/pam_rhosts/Makefile.am
index 5c8cc188..d4ca7578 100644
--- a/modules/pam_rhosts/Makefile.am
+++ b/modules/pam_rhosts/Makefile.am
@@ -4,9 +4,13 @@
 
 CLEANFILES = *~
 
-EXTRA_DIST = README tst-pam_rhosts
+EXTRA_DIST = README $(MANS) $(XMLS) tst-pam_rhosts_auth tst-pam_rhosts
 
-TESTS = tst-pam_rhosts
+TESTS = tst-pam_rhosts_auth tst-pam_rhosts
+
+man_MANS = pam_rhosts.8
+
+XMLS = README.xml pam_rhosts.8.xml
 
 securelibdir = $(SECUREDIR)
 secureconfdir = $(SCONFIGDIR)
@@ -18,4 +22,11 @@ if HAVE_VERSIONING
   AM_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map
 endif
 
-securelib_LTLIBRARIES = pam_rhosts_auth.la
+securelib_LTLIBRARIES = pam_rhosts_auth.la pam_rhosts.la
+
+if ENABLE_REGENERATE_MAN
+noinst_DATA = README
+README: pam_rhosts.8.xml
+-include $(top_srcdir)/Make.xml.rules
+endif
+
diff --git a/modules/pam_rhosts/README b/modules/pam_rhosts/README
index d2e93d1d..b1911785 100644
--- a/modules/pam_rhosts/README
+++ b/modules/pam_rhosts/README
@@ -1,57 +1,56 @@
-arguments recognized:
+pam_rhosts — The rhosts PAM module
 
-"no_hosts_equiv"
-"no_rhosts"
-"debug"
-"nowarn"
-"suppress"
-"promiscuous"
+━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
 
-.rhosts/hosts.equiv format:
+DESCRIPTION
 
-There are positive entries, when one is matched authentication
-succeeds and terminates.  There are negative entries, when one is
-matched authentication fails and terminates.  Thus order is
-significant.
+This module performs the standard network authentication for services, as used
+by traditional implementations of rlogin and rsh etc.
 
-Entry          hosts.equiv                     .rhosts
-<host>         All users on <host> are ok      Same username from <host> is ok
-<host> <user>  <user> from <host> is ok        ditto
--<host>                No users from <host> are ok     ditto
-<host> -<user> <user> from <host> is not ok    ditto
+The authentication mechanism of this module is based on the contents of two
+files; /etc/hosts.equiv (or and ~/.rhosts. Firstly, hosts listed in the former
+file are treated as equivalent to the localhost. Secondly, entries in the
+user's own copy of the latter file is used to map "remote-host remote-user"
+pairs to that user's account on the current host. Access is granted to the user
+if their host is present in /etc/hosts.equiv and their remote account is
+identical to their local one, or if their remote account has an entry in their
+personal configuration file.
 
-<host> can be ip (IPv4) numbers.
+The module authenticates a remote user (internally specified by the item
+PAM_RUSER connecting from the remote host (internally specified by the item
+PAM_RHOST). Accordingly, for applications to be compatible this authentication
+module they must set these items prior to calling pam_authenticate(). The
+module is not capable of independently probing the network connection for such
+information.
 
-Netgroups may be used in either host or user fields, and then applies
-to all hosts, or users, in the netgroup.  The syntax is
+OPTIONS
 
-  +@<ng>
+debug
 
-The entries
+    Print debug information.
 
-  <host> +@<ng>
-  +@<ng> +@<ng>
-  +@<ng> <user>
+silent
 
-means exactly what you think it does.  Negative entries are of the
-form
+    Don't print informative messages.
 
-  -@<ng>
+superuser=account
 
-When the "promiscuous" option is given the special character + may be
-used as a wildcard in any field.
+    Handle account as root.
 
-  +                    Allow anyone from any host to connect. DANGEROUS.
-  + +                  Ditto.
-  + <user>             Allow the user to connect from anywhere. DANGEROUS.
-  <host> +             Allow any user from the host. Dangerous.
-  
-These, perhaps more useful, forms of the + form is also disallowed
-unless "promiscuous" is specified:
+EXAMPLES
 
-  + -<user>            Disallow the user from any host
-  + -@<ng>             Disallow all members of the netgroup from any host
+To grant a remote user access by /etc/hosts.equiv or .rhosts for rsh add the
+following lines to /etc/pam.d/rsh:
 
-When "promiscuous" is not specified a '+' is handled as a negative
-match.
+#%PAM-1.0
+#
+auth     required       pam_rhosts.so
+auth     required       pam_nologin.so
+auth     required       pam_env.so
+auth     required       pam_unix.so
+
+
+AUTHOR
+
+pam_rhosts was written by Thorsten Kukuk <kukuk@thkukuk.de>
 
diff --git a/modules/pam_rhosts/README.xml b/modules/pam_rhosts/README.xml
new file mode 100644
index 00000000..5d3307e7
--- /dev/null
+++ b/modules/pam_rhosts/README.xml
@@ -0,0 +1,41 @@
+<?xml version="1.0" encoding='UTF-8'?>
+<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
+"http://www.docbook.org/xml/4.3/docbookx.dtd"
+[
+<!--
+<!ENTITY pamaccess SYSTEM "pam_rhosts.8.xml">
+-->
+]>
+
+<article>
+
+  <articleinfo>
+
+    <title>
+      <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+      href="pam_rhosts.8.xml" xpointer='xpointer(//refnamediv[@id = "pam_rhosts-name"]/*)'/>
+    </title>
+
+  </articleinfo>
+
+  <section>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+      href="pam_rhosts.8.xml" xpointer='xpointer(//refsect1[@id = "pam_rhosts-description"]/*)'/>
+  </section>
+
+  <section>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+      href="pam_rhosts.8.xml" xpointer='xpointer(//refsect1[@id = "pam_rhosts-options"]/*)'/>
+  </section>
+
+  <section>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+      href="pam_rhosts.8.xml" xpointer='xpointer(//refsect1[@id = "pam_rhosts-examples"]/*)'/>
+  </section>
+
+  <section>
+    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
+      href="pam_rhosts.8.xml" xpointer='xpointer(//refsect1[@id = "pam_rhosts-author"]/*)'/>
+  </section>
+
+</article>
diff --git a/modules/pam_rhosts/pam_rhosts.8 b/modules/pam_rhosts/pam_rhosts.8
new file mode 100644
index 00000000..0d7f4a16
--- /dev/null
+++ b/modules/pam_rhosts/pam_rhosts.8
@@ -0,0 +1,98 @@
+.\"     Title: pam_rhosts
+.\"    Author: 
+.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/>
+.\"      Date: 06/28/2006
+.\"    Manual: Linux\-PAM Manual
+.\"    Source: Linux\-PAM Manual
+.\"
+.TH "PAM_RHOSTS" "8" "06/28/2006" "Linux\-PAM Manual" "Linux\-PAM Manual"
+.\" disable hyphenation
+.nh
+.\" disable justification (adjust text to left margin only)
+.ad l
+.SH "NAME"
+pam_rhosts \- The rhosts PAM module
+.SH "SYNOPSIS"
+.HP 14
+\fBpam_rhosts.so\fR
+.SH "DESCRIPTION"
+.PP
+This module performs the standard network authentication for services, as used by traditional implementations of
+\fBrlogin\fR
+and
+\fBrsh\fR
+etc.
+.PP
+The authentication mechanism of this module is based on the contents of two files;
+\fI/etc/hosts.equiv\fR
+(or and
+\fI~/.rhosts\fR. Firstly, hosts listed in the former file are treated as equivalent to the localhost. Secondly, entries in the user's own copy of the latter file is used to map "\fIremote\-host remote\-user\fR" pairs to that user's account on the current host. Access is granted to the user if their host is present in
+\fI/etc/hosts.equiv\fR
+and their remote account is identical to their local one, or if their remote account has an entry in their personal configuration file.
+.PP
+The module authenticates a remote user (internally specified by the item
+\fIPAM_RUSER\fR
+connecting from the remote host (internally specified by the item
+\fBPAM_RHOST\fR). Accordingly, for applications to be compatible this authentication module they must set these items prior to calling
+\fBpam_authenticate()\fR. The module is not capable of independently probing the network connection for such information.
+.SH "OPTIONS"
+.TP 3n
+\fBdebug\fR
+Print debug information.
+.TP 3n
+\fBsilent\fR
+Don't print informative messages.
+.TP 3n
+\fBsuperuser=\fR\fB\fIaccount\fR\fR
+Handle
+\fIaccount\fR
+as root.
+.SH "MODULE SERVICES PROVIDED"
+.PP
+Only the
+\fBauth\fR
+service is supported.
+.SH "RETURN VALUES"
+.TP 3n
+PAM_AUTH_ERR
+The remote host, remote user name or the local user name couldn't be determined or access was denied by
+\fI.rhosts\fR
+file.
+.TP 3n
+PAM_USER_UNKNOWN
+User is not known to system.
+.SH "EXAMPLES"
+.PP
+To grant a remote user access by
+\fI/etc/hosts.equiv\fR
+or
+\fI.rhosts\fR
+for
+\fBrsh\fR
+add the following lines to
+\fI/etc/pam.d/rsh\fR:
+.sp
+.RS 3n
+.nf
+#%PAM\-1.0
+#
+auth     required       pam_rhosts.so
+auth     required       pam_nologin.so
+auth     required       pam_env.so
+auth     required       pam_unix.so
+      
+.fi
+.RE
+.sp
+.SH "SEE ALSO"
+.PP
+
+\fBrootok\fR(3),
+\fBhosts.equiv\fR(5),
+\fBrhosts\fR(5),
+\fBpam.conf\fR(5),
+\fBpam.d\fR(8),
+\fBpam\fR(8)
+.SH "AUTHOR"
+.PP
+pam_rhosts was written by Thorsten Kukuk <kukuk@thkukuk.de>
diff --git a/modules/pam_rhosts/pam_rhosts.8.xml b/modules/pam_rhosts/pam_rhosts.8.xml
new file mode 100644
index 00000000..e559f315
--- /dev/null
+++ b/modules/pam_rhosts/pam_rhosts.8.xml
@@ -0,0 +1,171 @@
+<?xml version="1.0" encoding='UTF-8'?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
+	"http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd">
+
+<refentry id="pam_rhosts">
+
+  <refmeta>
+    <refentrytitle>pam_rhosts</refentrytitle>
+    <manvolnum>8</manvolnum>
+    <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo>
+  </refmeta>
+
+  <refnamediv id="pam_rhosts-name">
+    <refname>pam_rhosts</refname>
+    <refpurpose>The rhosts PAM module</refpurpose>
+  </refnamediv>
+
+  <refsynopsisdiv>
+    <cmdsynopsis id="pam_rhosts-cmdsynopsis">
+      <command>pam_rhosts.so</command>
+    </cmdsynopsis>
+  </refsynopsisdiv>
+
+  <refsect1 id="pam_rhosts-description">
+
+    <title>DESCRIPTION</title>
+
+    <para>
+      This module performs the standard network authentication for services,
+      as used by traditional implementations of <command>rlogin</command>
+      and <command>rsh</command> etc.
+    </para>
+    <para>
+      The authentication mechanism of this module is based on the contents
+      of two files; <filename>/etc/hosts.equiv</filename> (or
+      and <filename>~/.rhosts</filename>. Firstly, hosts listed in the
+      former file are treated as equivalent to the localhost. Secondly,
+      entries in the user's own copy of the latter file is used to map
+      "<emphasis>remote-host remote-user</emphasis>" pairs to that user's
+      account on the current host. Access is granted to the user if their
+      host is present in <filename>/etc/hosts.equiv</filename> and their
+      remote account is identical to their local one, or if their remote
+      account has an entry in their personal configuration file.
+    </para>
+    <para>
+      The module authenticates a remote user (internally specified by the
+      item <parameter>PAM_RUSER</parameter> connecting from the remote
+      host (internally specified by the item <command>PAM_RHOST</command>).
+      Accordingly, for applications to be compatible this authentication
+      module they must set these items prior to calling
+      <function>pam_authenticate()</function>.  The module is not capable
+      of independently probing the network connection for such information.
+    </para>
+  </refsect1>
+
+  <refsect1 id="pam_rhosts-options">
+    <title>OPTIONS</title>
+    <variablelist>
+      <varlistentry>
+        <term>
+          <option>debug</option>
+        </term>
+        <listitem>
+          <para>
+            Print debug information.
+          </para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>
+          <option>silent</option>
+        </term>
+        <listitem>
+          <para>
+            Don't print informative messages.
+          </para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>
+          <option>superuser=<replaceable>account</replaceable></option>
+        </term>
+        <listitem>
+          <para>
+            Handle <replaceable>account</replaceable> as root.
+          </para>
+        </listitem>
+      </varlistentry>
+    </variablelist>
+  </refsect1>
+
+  <refsect1 id="pam_rhosts-services">
+    <title>MODULE SERVICES PROVIDED</title>
+    <para>
+      Only the <option>auth</option> service is supported.
+    </para>
+  </refsect1>
+
+  <refsect1 id='pam_rhosts-return_values'>
+    <title>RETURN VALUES</title>
+    <variablelist>
+      <varlistentry>
+      <term>PAM_AUTH_ERR</term>
+        <listitem>
+          <para>
+            The remote host, remote user name or the local user name
+            couldn't be determined or access was denied by
+            <filename>.rhosts</filename> file.
+          </para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>PAM_USER_UNKNOWN</term>
+        <listitem>
+          <para>
+            User is not known to system.
+          </para>
+        </listitem>
+      </varlistentry>
+    </variablelist>
+  </refsect1>
+
+  <refsect1 id='pam_rhosts-examples'>
+    <title>EXAMPLES</title>
+    <para>
+      To grant a remote user access by <filename>/etc/hosts.equiv</filename>
+      or <filename>.rhosts</filename> for <command>rsh</command> add the
+      following lines to <filename>/etc/pam.d/rsh</filename>:
+      <programlisting>
+#%PAM-1.0
+#
+auth     required       pam_rhosts.so
+auth     required       pam_nologin.so
+auth     required       pam_env.so
+auth     required       pam_unix.so
+      </programlisting>
+    </para>
+  </refsect1>
+
+  <refsect1 id='pam_rhosts-see_also'>
+    <title>SEE ALSO</title>
+    <para>
+      <citerefentry>
+	<refentrytitle>rootok</refentrytitle><manvolnum>3</manvolnum>
+      </citerefentry>,
+      <citerefentry>
+	<refentrytitle>hosts.equiv</refentrytitle><manvolnum>5</manvolnum>
+      </citerefentry>,
+      <citerefentry>
+	<refentrytitle>rhosts</refentrytitle><manvolnum>5</manvolnum>
+      </citerefentry>,
+      <citerefentry>
+	<refentrytitle>pam.conf</refentrytitle><manvolnum>5</manvolnum>
+      </citerefentry>,
+      <citerefentry>
+	<refentrytitle>pam.d</refentrytitle><manvolnum>8</manvolnum>
+      </citerefentry>,
+      <citerefentry>
+	<refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
+      </citerefentry>
+    </para>
+  </refsect1>
+
+  <refsect1 id='pam_rhosts-author'>
+    <title>AUTHOR</title>
+      <para>
+        pam_rhosts was written by Thorsten Kukuk &lt;kukuk@thkukuk.de&gt;
+      </para>
+  </refsect1>
+
+</refentry>
diff --git a/modules/pam_rhosts/pam_rhosts.c b/modules/pam_rhosts/pam_rhosts.c
new file mode 100644
index 00000000..8e120614
--- /dev/null
+++ b/modules/pam_rhosts/pam_rhosts.c
@@ -0,0 +1,155 @@
+/*
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, and the entire permission notice in its entirety,
+ *    including the disclaimer of warranties.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote
+ *    products derived from this software without specific prior
+ *    written permission.
+ *
+ * ALTERNATIVELY, this product may be distributed under the terms of
+ * the GNU Public License, in which case the provisions of the GPL are
+ * required INSTEAD OF the above restrictions.  (This clause is
+ * necessary due to a potential bad interaction between the GPL and
+ * the restrictions contained in a BSD-style copyright.)
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
+ * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+ * DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+#include "config.h"
+
+#include <pwd.h>
+#include <netdb.h>
+#include <string.h>
+#include <syslog.h>
+
+#define PAM_SM_AUTH  /* only defines this management group */
+
+#include <security/pam_modules.h>
+#include <security/pam_modutil.h>
+#include <security/pam_ext.h>
+
+PAM_EXTERN
+int pam_sm_authenticate (pam_handle_t *pamh, int flags, int argc,
+			 const char **argv)
+{
+    const char *luser = NULL;
+    const char *ruser = NULL, *rhost = NULL;
+    const char *opt_superuser = NULL;
+    const void *c_void;
+    int opt_debug = 0;
+    int opt_silent;
+    int as_root;
+    int retval;
+
+    opt_silent = flags & PAM_SILENT;
+
+    while (argc-- > 0) {
+      if (strcmp(*argv, "debug") == 0)
+	opt_debug = 1;
+      else if (strcmp (*argv, "silent") == 0 || strcmp(*argv, "suppress") == 0)
+	opt_silent = 1;
+      else if (strncmp(*argv, "superuser=", sizeof("superuser=")-1) == 0)
+	opt_superuser = *argv+sizeof("superuser=")-1;
+      else
+	pam_syslog(pamh, LOG_WARNING, "unrecognized option '%s'", *argv);
+
+      ++argv;
+    }
+
+    retval = pam_get_item (pamh, PAM_RHOST, &c_void);
+    if (retval != PAM_SUCCESS) {
+      pam_syslog(pamh, LOG_ERR, "could not get the remote host name");
+      return retval;
+    }
+    rhost = c_void;
+
+    retval = pam_get_item(pamh, PAM_RUSER, &c_void);
+    ruser = c_void;
+    if (retval != PAM_SUCCESS) {
+      pam_syslog(pamh, LOG_ERR, "could not get the remote username");
+      return retval;
+    }
+
+    retval = pam_get_user(pamh, &luser, NULL);
+    if (retval != PAM_SUCCESS) {
+      pam_syslog(pamh, LOG_ERR, "could not determine name of local user");
+      return retval;
+    }
+
+    if (rhost == NULL || ruser == NULL || luser == NULL)
+      return PAM_AUTH_ERR;
+
+    if (opt_superuser && strcmp(opt_superuser, luser) == 0)
+      as_root = 1;
+    else {
+      struct passwd *lpwd;
+
+      lpwd = pam_modutil_getpwnam(pamh, luser);
+      if (lpwd == NULL) {
+	if (opt_debug)
+	  /* don't print by default, could be the users password */
+	  pam_syslog(pamh, LOG_DEBUG,
+		     "user '%s' unknown to this system", luser);
+	return PAM_USER_UNKNOWN;
+
+      }
+      as_root = (lpwd->pw_uid == 0);
+    }
+
+#ifdef HAVE_RUSEROK_AF
+    retval = ruserok_af (rhost, as_root, ruser, luser, PF_UNSPEC);
+#else
+    retval = ruserok (rhost, as_root, ruser, luser);
+#endif
+    if (retval != 0) {
+      if (!opt_silent || opt_debug)
+	pam_syslog(pamh, LOG_WARNING, "denied access to %s@%s as %s",
+		   ruser, rhost, luser);
+      return PAM_AUTH_ERR;
+    } else {
+      if (!opt_silent || opt_debug)
+	pam_syslog(pamh, LOG_NOTICE, "allowed access to %s@%s as %s",
+		   ruser, rhost, luser);
+      return PAM_SUCCESS;
+    }
+}
+
+
+PAM_EXTERN int
+pam_sm_setcred (pam_handle_t *pamh UNUSED, int flags UNUSED,
+		int argc UNUSED, const char **argv UNUSED)
+{
+  return PAM_SUCCESS;
+}
+
+
+#ifdef PAM_STATIC
+
+/* static module data */
+
+struct pam_module _pam_rhosts_modstruct = {
+  "pam_rhosts",
+  pam_sm_authenticate,
+  pam_sm_setcred,
+  NULL,
+  NULL,
+  NULL,
+  NULL,
+};
+
+#endif
diff --git a/modules/pam_rhosts/tst-pam_rhosts b/modules/pam_rhosts/tst-pam_rhosts
index 6b14ec51..65e85a98 100755
--- a/modules/pam_rhosts/tst-pam_rhosts
+++ b/modules/pam_rhosts/tst-pam_rhosts
@@ -1,2 +1,2 @@
 #!/bin/sh
-../../tests/tst-dlopen .libs/pam_rhosts_auth.so
+../../tests/tst-dlopen .libs/pam_rhosts.so
diff --git a/modules/pam_rhosts/tst-pam_rhosts_auth b/modules/pam_rhosts/tst-pam_rhosts_auth
new file mode 100755
index 00000000..6b14ec51
--- /dev/null
+++ b/modules/pam_rhosts/tst-pam_rhosts_auth
@@ -0,0 +1,2 @@
+#!/bin/sh
+../../tests/tst-dlopen .libs/pam_rhosts_auth.so