mirror of
https://git.hardenedbsd.org/hardenedbsd/HardenedBSD.git
synced 2024-12-27 13:34:00 +01:00
Forward Reply-Message attributes to the user, unless suppressed by the
new no_reply_message option. MFC after: 1 week Sponsored by: The University of Oslo
This commit is contained in:
parent
c9a1264c61
commit
716eff476a
Notes:
svn2git
2020-12-20 02:59:44 +00:00
svn path=/head/; revision=333674
@ -1,8 +1,9 @@
|
||||
.\" Copyright (c) 1999
|
||||
.\" Andrzej Bialecki <abial@FreeBSD.org>. All rights reserved.
|
||||
.\"
|
||||
.\"-
|
||||
.\" Copyright (c) 1992, 1993, 1994
|
||||
.\" The Regents of the University of California. All rights reserved.
|
||||
.\" Copyright (c) 1999 Andrzej Bialecki <abial@FreeBSD.org>
|
||||
.\" All rights reserved.
|
||||
.\" Copyright (c) 2018 The University of Oslo
|
||||
.\" All rights reserved.
|
||||
.\"
|
||||
.\" This code is derived from software donated to Berkeley by
|
||||
@ -34,7 +35,7 @@
|
||||
.\"
|
||||
.\" $FreeBSD$
|
||||
.\"
|
||||
.Dd October 28, 2002
|
||||
.Dd May 16, 2018
|
||||
.Dt PAM_RADIUS 8
|
||||
.Os
|
||||
.Sh NAME
|
||||
@ -80,6 +81,10 @@ specifies a non-standard location for the RADIUS client configuration file
|
||||
.Pa /etc/radius.conf ) .
|
||||
.It Cm nas_id Ns = Ns Ar identifier
|
||||
specifies a NAS identifier to send instead of the hostname.
|
||||
.It Cm nas_ipaddr Ns Op No = Ns Ar address
|
||||
specifies a NAS IP address to be sent.
|
||||
If option is present, but there is no value provided then IP address
|
||||
corresponding to the current hostname will be used.
|
||||
.It Cm template_user Ns = Ns Ar username
|
||||
specifies a user whose
|
||||
.Xr passwd 5
|
||||
@ -97,10 +102,21 @@ If this option is omitted, and there is no username
|
||||
in the system databases equal to the supplied one (as determined by call to
|
||||
.Xr getpwnam 3 ) ,
|
||||
the authentication will fail.
|
||||
.It Cm nas_ipaddr Ns Op No = Ns Ar address
|
||||
specifies a NAS IP address to be sent.
|
||||
If option is present, but there is no value provided then IP address
|
||||
corresponding to the current hostname will be used.
|
||||
.It Cm no_reply_message
|
||||
suppress printing of the contents of any
|
||||
.Cm Reply-Message
|
||||
attributes found in
|
||||
.Cm Access-Accept
|
||||
and
|
||||
.Cm Access-Reject
|
||||
responses.
|
||||
These are normally conveyed to the user as either informational or
|
||||
error messages, depending on whether the access request was accepted
|
||||
or rejected.
|
||||
.It Cm no_warn
|
||||
suppress warning messages to the user.
|
||||
These messages include reasons why the user's authentication attempt
|
||||
was declined.
|
||||
.El
|
||||
.Sh FILES
|
||||
.Bl -tag -width /etc/radius.conf -compact
|
||||
|
@ -5,6 +5,8 @@
|
||||
* All rights reserved.
|
||||
* Copyright (c) 2001-2003 Networks Associates Technology, Inc.
|
||||
* All rights reserved.
|
||||
* Copyright (c) 2015-2018 The University of Oslo
|
||||
* All rights reserved.
|
||||
*
|
||||
* Portions of this software were developed for the FreeBSD Project by
|
||||
* ThinkSec AS and NAI Labs, the Security Research Division of Network
|
||||
@ -59,6 +61,7 @@ __FBSDID("$FreeBSD$");
|
||||
#define PAM_OPT_TEMPLATE_USER "template_user"
|
||||
#define PAM_OPT_NAS_ID "nas_id"
|
||||
#define PAM_OPT_NAS_IPADDR "nas_ipaddr"
|
||||
#define PAM_OPT_NO_REPLYMSG "no_reply_message"
|
||||
|
||||
#define MAX_CHALLENGE_MSGS 10
|
||||
#define PASSWORD_PROMPT "RADIUS Password:"
|
||||
@ -149,15 +152,23 @@ do_accept(pam_handle_t *pamh, struct rad_handle *radh)
|
||||
char *s;
|
||||
|
||||
while ((attrtype = rad_get_attr(radh, &attrval, &attrlen)) > 0) {
|
||||
if (attrtype == RAD_USER_NAME) {
|
||||
s = rad_cvt_string(attrval, attrlen);
|
||||
if (s == NULL) {
|
||||
syslog(LOG_CRIT,
|
||||
"rad_cvt_string: out of memory");
|
||||
return (-1);
|
||||
}
|
||||
switch (attrtype) {
|
||||
case RAD_USER_NAME:
|
||||
if ((s = rad_cvt_string(attrval, attrlen)) == NULL)
|
||||
goto enomem;
|
||||
pam_set_item(pamh, PAM_USER, s);
|
||||
free(s);
|
||||
break;
|
||||
case RAD_REPLY_MESSAGE:
|
||||
if ((s = rad_cvt_string(attrval, attrlen)) == NULL)
|
||||
goto enomem;
|
||||
if (!openpam_get_option(pamh, PAM_OPT_NO_REPLYMSG))
|
||||
pam_info(pamh, "%s", s);
|
||||
free(s);
|
||||
break;
|
||||
default:
|
||||
PAM_LOG("%s(): ignoring RADIUS attribute %d",
|
||||
__func__, attrtype);
|
||||
}
|
||||
}
|
||||
if (attrtype == -1) {
|
||||
@ -165,6 +176,41 @@ do_accept(pam_handle_t *pamh, struct rad_handle *radh)
|
||||
return (-1);
|
||||
}
|
||||
return (0);
|
||||
enomem:
|
||||
syslog(LOG_CRIT, "%s(): out of memory", __func__);
|
||||
return (-1);
|
||||
}
|
||||
|
||||
static int
|
||||
do_reject(pam_handle_t *pamh, struct rad_handle *radh)
|
||||
{
|
||||
int attrtype;
|
||||
const void *attrval;
|
||||
size_t attrlen;
|
||||
char *s;
|
||||
|
||||
while ((attrtype = rad_get_attr(radh, &attrval, &attrlen)) > 0) {
|
||||
switch (attrtype) {
|
||||
case RAD_REPLY_MESSAGE:
|
||||
if ((s = rad_cvt_string(attrval, attrlen)) == NULL)
|
||||
goto enomem;
|
||||
if (!openpam_get_option(pamh, PAM_OPT_NO_REPLYMSG))
|
||||
pam_error(pamh, "%s", s);
|
||||
free(s);
|
||||
break;
|
||||
default:
|
||||
PAM_LOG("%s(): ignoring RADIUS attribute %d",
|
||||
__func__, attrtype);
|
||||
}
|
||||
}
|
||||
if (attrtype < 0) {
|
||||
syslog(LOG_CRIT, "rad_get_attr: %s", rad_strerror(radh));
|
||||
return (-1);
|
||||
}
|
||||
return (0);
|
||||
enomem:
|
||||
syslog(LOG_CRIT, "%s(): out of memory", __func__);
|
||||
return (-1);
|
||||
}
|
||||
|
||||
static int
|
||||
@ -332,6 +378,7 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags __unused,
|
||||
return (PAM_SUCCESS);
|
||||
|
||||
case RAD_ACCESS_REJECT:
|
||||
retval = do_reject(pamh, radh);
|
||||
rad_close(radh);
|
||||
PAM_VERBOSE_ERROR("Radius rejection");
|
||||
return (PAM_AUTH_ERR);
|
||||
|
Loading…
Reference in New Issue
Block a user