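/*
 * CDDL HEADER START
 *
 * The contents of this file are subject to the terms of the
 * Common Development and Distribution License (the "License").
 * You may not use this file except in compliance with the License.
 *
 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
 * or http://www.opensolaris.org/os/licensing.
 * See the License for the specific language governing permissions
 * and limitations under the License.
 *
 * When distributing Covered Code, include this CDDL HEADER in each
 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
 * If applicable, add the following below this CDDL HEADER, with the
 * fields enclosed by brackets "[]" replaced with your own identifying
 * information: Portions Copyright [yyyy] [name of copyright owner]
 *
 * CDDL HEADER END
 */
/*
 * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
 * Use is subject to license terms.
 *
 * Copyright 2012 Joshua M. Clulow <josh@sysmgr.org>
 */

/*
 * Private definitions shared by the PAM framework implementation:
 * configuration file locations, control-flag and module-type encodings,
 * tracing controls, the framework's internal helper prototypes and the
 * layout of the pam handle and its per-line configuration records.
 *
 * This header is not self-contained: pam_handle_t, PAM_MAX_RESP_SIZE,
 * PAM_MAX_NUM_MSG and PAM_MAX_MSG_SIZE are used below but are not
 * declared here, so the public PAM headers must be included first.
 */

#ifndef _PAM_IMPL_H
#define	_PAM_IMPL_H

#ifdef __cplusplus
extern "C" {
#endif

#include <limits.h>
#include <shadow.h>
#include <sys/types.h>

/* message catalog domain for the framework's localized text */
#define	PAMTXD		"SUNW_OST_SYSOSPAM"

/*
 * Configuration and module locations.  PAM_ISA is the literal token
 * that may appear in a module path in the configuration; PAM_ISA_DIR
 * is the per-ABI directory it is presumably replaced with (see the
 * framework's path handling to confirm).
 */
#define	PAM_CONFIG	"/etc/pam.conf"
#define	PAM_CONFIG_DIR	"/etc/pam.d/"
#define	PAM_ISA		"/$ISA/"
#define	PAM_LIB_DIR	"/usr/lib/security/"
#ifdef _LP64
#define	PAM_ISA_DIR	"/64/"
#else	/* !_LP64 */
#define	PAM_ISA_DIR	"/"
#endif	/* _LP64 */

/* Service Module Types */

/*
 * If new service types are added, they should be named in
 * pam_framework.c::pam_snames[] as well.
 */

/* service type names as they appear in the configuration file */
#define	PAM_ACCOUNT_NAME	"account"
#define	PAM_AUTH_NAME		"auth"
#define	PAM_PASSWORD_NAME	"password"
#define	PAM_SESSION_NAME	"session"

/*
 * Numeric service types.  These are array indices (see
 * pam_conf_info[] in struct pam_handle), so they must stay dense and
 * PAM_NUM_MODULE_TYPES must be one past the largest value.
 */
#define	PAM_ACCOUNT_MODULE	0
#define	PAM_AUTH_MODULE		1
#define	PAM_PASSWORD_MODULE	2
#define	PAM_SESSION_MODULE	3

#define	PAM_NUM_MODULE_TYPES	4

/* Control Flags */

/* control flag names as they appear in the configuration file */
#define	PAM_BINDING_NAME	"binding"
#define	PAM_INCLUDE_NAME	"include"
#define	PAM_OPTIONAL_NAME	"optional"
#define	PAM_REQUIRED_NAME	"required"
#define	PAM_REQUISITE_NAME	"requisite"
#define	PAM_SUFFICIENT_NAME	"sufficient"

/* control flags are independent bits so they can be combined */
#define	PAM_BINDING	0x01
#define	PAM_INCLUDE	0x02
#define	PAM_OPTIONAL	0x04
#define	PAM_REQUIRED	0x08
#define	PAM_REQUISITE	0x10
#define	PAM_SUFFICIENT	0x20

/* combined flag values: "binding" behaves as required/sufficient + binding */
#define	PAM_REQRD_BIND	(PAM_REQUIRED | PAM_BINDING)
#define	PAM_SUFFI_BIND	(PAM_SUFFICIENT | PAM_BINDING)

/* Function Indicators */

/* identifies which public PAM entry point is being run */
#define	PAM_AUTHENTICATE	1
#define	PAM_SETCRED		2
#define	PAM_ACCT_MGMT		3
#define	PAM_OPEN_SESSION	4
#define	PAM_CLOSE_SESSION	5
#define	PAM_CHAUTHTOK		6

/* PAM tracing */

/*
 * PAM_DEBUG is the file whose presence and contents control tracing;
 * LOG_PRIORITY, LOG_FACILITY and DEBUG_FLAGS are the "key=" prefixes
 * recognized in it.  PAM_DEBUG_* are the bits of the debug_flags value.
 */
#define	PAM_DEBUG	"/etc/pam_debug"
#define	LOG_PRIORITY	"log_priority="
#define	LOG_FACILITY	"log_facility="
#define	DEBUG_FLAGS	"debug_flags="
#define	PAM_DEBUG_NONE		0x0000
#define	PAM_DEBUG_DEFAULT	0x0001
#define	PAM_DEBUG_ITEM		0x0002
#define	PAM_DEBUG_MODULE	0x0004
#define	PAM_DEBUG_CONF		0x0008
#define	PAM_DEBUG_DATA		0x0010
#define	PAM_DEBUG_CONV		0x0020
/*
 * Deliberately set apart from the other bits: by its name this flag
 * presumably exposes authentication tokens in trace output, so it is
 * not part of any general debugging level.
 */
#define	PAM_DEBUG_AUTHTOK	0x8000

#define	PAM_MAX_ITEMS		64	/* Max number of items */
#define	PAM_MAX_INCLUDE		32	/* Max include flag recursions */

/*
 * Symbol names of the module entry points.  These are the strings the
 * framework looks up in a dlopen'd module for each service type.
 */

/* authentication module functions */
#define	PAM_SM_AUTHENTICATE	"pam_sm_authenticate"
#define	PAM_SM_SETCRED		"pam_sm_setcred"

/* session module functions */
#define	PAM_SM_OPEN_SESSION	"pam_sm_open_session"
#define	PAM_SM_CLOSE_SESSION	"pam_sm_close_session"

/* password module functions */
#define	PAM_SM_CHAUTHTOK	"pam_sm_chauthtok"

/* account module functions */
#define	PAM_SM_ACCT_MGMT	"pam_sm_acct_mgmt"

/* max # of authentication token attributes */
#define	PAM_MAX_NUM_ATTR	10

/* max size (in chars) of an authentication token attribute */
#define	PAM_MAX_ATTR_SIZE	80

/* utility function prototypes */

/* source values when calling __pam_get_authtok() */
#define	PAM_PROMPT	1	/* prompt user for new password */
#define	PAM_HANDLE	2	/* get password from pam handle (item) */

/*
 * A prompted password must fit in a conversation response buffer.
 * PAM_MAX_RESP_SIZE is expected from the public PAM headers; the
 * message below states the same condition as the test.
 */
#if	PASS_MAX >= PAM_MAX_RESP_SIZE
#error	PASS_MAX >= PAM_MAX_RESP_SIZE
#endif	/* PASS_MAX >= PAM_MAX_RESP_SIZE */

/*
 * Obtain an authentication token.
 *
 * source is PAM_PROMPT (ask the user, using prompt) or PAM_HANDLE
 * (take it from the handle's item given by type).  The token is
 * returned through authtok; the caller is responsible for handling
 * the returned storage (see the definition for ownership).
 * Returns a PAM status code.
 */
extern int
__pam_get_authtok(pam_handle_t *pamh, int source, int type, char *prompt,
    char **authtok);

/*
 * Deliver num_msg messages of style msg_style to the application
 * through its conversation function.  conv_apdp is passed through to
 * the conversation.  Returns a PAM status code.
 */
extern int
__pam_display_msg(pam_handle_t *pamh, int msg_style, int num_msg,
    char messages[PAM_MAX_NUM_MSG][PAM_MAX_MSG_SIZE], void *conv_apdp);

/*
 * Framework logging at the given syslog priority.  format is a
 * printf-style format string: pass any text derived from input (user
 * names, conversation responses, configuration lines) as an argument
 * to a "%s" conversion, never as the format itself.
 */
extern void
__pam_log(int priority, const char *format, ...);

/* file handle for pam.conf */
struct pam_fh {
	int	fconfig;	/* file descriptor returned by open() */
	char	line[256];	/* fixed-size buffer for the current line */
	size_t	bufsize;	/* size of the buffer which holds */
				/* the content of pam.conf */
	char	*bufferp;	/* used to process data */
	char	*data;		/* contents of pam.conf */
};

/* items that can be set/retrieved thru pam_[sg]et_item() */
struct pam_item {
	void	*pi_addr;	/* pointer to item */
	int	pi_size;	/* size of item */
};

/*
 * module specific data stored in the pam handle
 *
 * Singly linked list keyed by module_data_name.  cleanup, when set, is
 * the module-supplied function invoked with the data and the final PAM
 * status so the module can release what it stored.
 */
struct pam_module_data {
	char	*module_data_name;	/* unique module data name */
	void	*data;			/* the module specific data */
	void	(*cleanup)(pam_handle_t *pamh, void *data, int pam_status);
	struct pam_module_data *next;	/* pointer to next module data */
};

/* each entry from pam.conf is stored here (in the pam handle) */
typedef struct pamtab {
	char	*pam_service;	/* PAM service, e.g. login, rlogin */
	int	pam_type;	/* AUTH, ACCOUNT, PASSWORD, SESSION */
	int	pam_flag;	/* required, optional, sufficient */
	int	pam_err;	/* error if line overflow */
	char	*module_path;	/* module library */
	int	module_argc;	/* module specific options */
	char	**module_argv;
	void	*function_ptr;	/* pointer to struct holding function ptrs */
	struct pamtab *next;
} pamtab_t;

/* list of open fd's (modules that were dlopen'd) */
typedef struct fd_list {
	void		*mh;	/* module handle */
	struct fd_list	*next;
} fd_list;

/* list of PAM environment variables */
typedef struct env_list {
	char		*name;
	char		*value;
	struct env_list	*next;
} env_list;

/*
 * pam_inmodule values for pam item checking
 *
 * Recorded in the handle while a module is running so that
 * pam_get_item()/pam_set_item() can refuse access to items a module
 * is not entitled to see or change.
 */
#define	RW_OK	0	/* Read Write items OK */
#define	RO_OK	1	/* Read Only items OK */
#define	WO_OK	2	/* Write Only items/data OK */

/*
 * the pam handle
 *
 * The pam_conf_* arrays are indexed by include depth; they have
 * PAM_MAX_INCLUDE+1 slots so that depth 0 (the top-level service
 * configuration) plus PAM_MAX_INCLUDE nested "include" levels fit.
 * Callers that step include_depth are expected to bound it against
 * PAM_MAX_INCLUDE before indexing.
 */
struct pam_handle {
	struct pam_item	ps_item[PAM_MAX_ITEMS];	/* array of PAM items */
	int		include_depth;		/* current "include" nesting */
	int		pam_inmodule;	/* Protect restricted pam_get_item calls */
	char		*pam_conf_name[PAM_MAX_INCLUDE+1];
	pamtab_t	*pam_conf_info[PAM_MAX_INCLUDE+1][PAM_NUM_MODULE_TYPES];
	pamtab_t	*pam_conf_modulep[PAM_MAX_INCLUDE+1];
	struct pam_module_data	*ssd;	/* module specific data */
	fd_list		*fd;		/* module fd's */
	env_list	*pam_env;	/* environment variables */
};

/*
 * the function_ptr field in pamtab_t
 * will point to one of these modules
 *
 * Each holds the entry points resolved from a module by the PAM_SM_*
 * symbol names above; which struct applies is given by pam_type.
 */
struct auth_module {
	int	(*pam_sm_authenticate)(pam_handle_t *pamh, int flags, int argc,
	    const char **argv);
	int	(*pam_sm_setcred)(pam_handle_t *pamh, int flags, int argc,
	    const char **argv);
};

struct password_module {
	int	(*pam_sm_chauthtok)(pam_handle_t *pamh, int flags, int argc,
	    const char **argv);
};

struct session_module {
	int	(*pam_sm_open_session)(pam_handle_t *pamh, int flags, int argc,
	    const char **argv);
	int	(*pam_sm_close_session)(pam_handle_t *pamh, int flags, int argc,
	    const char **argv);
};

struct account_module {
	int	(*pam_sm_acct_mgmt)(pam_handle_t *pamh, int flags, int argc,
	    const char **argv);
};

#ifdef	__cplusplus
}
#endif

#endif	/* _PAM_IMPL_H */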