Author: des
Date: Wed May 16 13:47:30 2018
New Revision: 333674
URL: https://svnweb.freebsd.org/changeset/base/333674

Log:
  Forward Reply-Message attributes to the user, unless suppressed by the
  new no_reply_message option.
  
  MFC after:    1 week
  Sponsored by: The University of Oslo

Modified:
  head/lib/libpam/modules/pam_radius/pam_radius.8
  head/lib/libpam/modules/pam_radius/pam_radius.c

Modified: head/lib/libpam/modules/pam_radius/pam_radius.8
==============================================================================
--- head/lib/libpam/modules/pam_radius/pam_radius.8     Wed May 16 13:18:37 
2018        (r333673)
+++ head/lib/libpam/modules/pam_radius/pam_radius.8     Wed May 16 13:47:30 
2018        (r333674)
@@ -1,9 +1,10 @@
-.\" Copyright (c) 1999
-.\"    Andrzej Bialecki <ab...@freebsd.org>.  All rights reserved.
-.\"
+.\"-
 .\" Copyright (c) 1992, 1993, 1994
 .\"    The Regents of the University of California.  All rights reserved.
+.\" Copyright (c) 1999 Andrzej Bialecki <ab...@freebsd.org>
 .\" All rights reserved.
+.\" Copyright (c) 2018 The University of Oslo
+.\" All rights reserved.
 .\"
 .\" This code is derived from software donated to Berkeley by
 .\" Jan-Simon Pendry.
@@ -34,7 +35,7 @@
 .\"
 .\" $FreeBSD$
 .\"
-.Dd October 28, 2002
+.Dd May 16, 2018
 .Dt PAM_RADIUS 8
 .Os
 .Sh NAME
@@ -80,6 +81,10 @@ specifies a non-standard location for the RADIUS clien
 .Pa /etc/radius.conf ) .
 .It Cm nas_id Ns = Ns Ar identifier
 specifies a NAS identifier to send instead of the hostname.
+.It Cm nas_ipaddr Ns Op No = Ns Ar address
+specifies a NAS IP address to be sent.
+If option is present, but there is no value provided then IP address
+corresponding to the current hostname will be used.
 .It Cm template_user Ns = Ns Ar username
 specifies a user whose
 .Xr passwd 5
@@ -97,10 +102,21 @@ If this option is omitted, and there is no username
 in the system databases equal to the supplied one (as determined by call to
 .Xr getpwnam 3 ) ,
 the authentication will fail.
-.It Cm nas_ipaddr Ns Op No = Ns Ar address
-specifies a NAS IP address to be sent.
-If option is present, but there is no value provided then IP address
-corresponding to the current hostname will be used.
+.It Cm no_reply_message
+suppress printing of the contents of any
+.Cm Reply-Message
+attributes found in
+.Cm Access-Accept
+and
+.Cm Access-Reject
+responses.
+These are normally conveyed to the user as either informational or
+error messages, depending on whether the access request was accepted
+or rejected.
+.It Cm no_warn
+suppress warning messages to the user.
+These messages include reasons why the user's authentication attempt
+was declined.
 .El
 .Sh FILES
 .Bl -tag -width /etc/radius.conf -compact

Modified: head/lib/libpam/modules/pam_radius/pam_radius.c
==============================================================================
--- head/lib/libpam/modules/pam_radius/pam_radius.c     Wed May 16 13:18:37 
2018        (r333673)
+++ head/lib/libpam/modules/pam_radius/pam_radius.c     Wed May 16 13:47:30 
2018        (r333674)
@@ -5,6 +5,8 @@
  * All rights reserved.
  * Copyright (c) 2001-2003 Networks Associates Technology, Inc.
  * All rights reserved.
+ * Copyright (c) 2015-2018 The University of Oslo
+ * All rights reserved.
  *
  * Portions of this software were developed for the FreeBSD Project by
  * ThinkSec AS and NAI Labs, the Security Research Division of Network
@@ -59,6 +61,7 @@ __FBSDID("$FreeBSD$");
 #define PAM_OPT_TEMPLATE_USER  "template_user"
 #define PAM_OPT_NAS_ID         "nas_id"
 #define PAM_OPT_NAS_IPADDR     "nas_ipaddr"
+#define PAM_OPT_NO_REPLYMSG    "no_reply_message"
 
 #define        MAX_CHALLENGE_MSGS      10
 #define        PASSWORD_PROMPT         "RADIUS Password:"
@@ -149,15 +152,23 @@ do_accept(pam_handle_t *pamh, struct rad_handle *radh)
        char *s;
 
        while ((attrtype = rad_get_attr(radh, &attrval, &attrlen)) > 0) {
-               if (attrtype == RAD_USER_NAME) {
-                       s = rad_cvt_string(attrval, attrlen);
-                       if (s == NULL) {
-                               syslog(LOG_CRIT,
-                                   "rad_cvt_string: out of memory");
-                               return (-1);
-                       }
+               switch (attrtype) {
+               case RAD_USER_NAME:
+                       if ((s = rad_cvt_string(attrval, attrlen)) == NULL)
+                               goto enomem;
                        pam_set_item(pamh, PAM_USER, s);
                        free(s);
+                       break;
+               case RAD_REPLY_MESSAGE:
+                       if ((s = rad_cvt_string(attrval, attrlen)) == NULL)
+                               goto enomem;
+                       if (!openpam_get_option(pamh, PAM_OPT_NO_REPLYMSG))
+                               pam_info(pamh, "%s", s);
+                       free(s);
+                       break;
+               default:
+                       PAM_LOG("%s(): ignoring RADIUS attribute %d",
+                           __func__, attrtype);
                }
        }
        if (attrtype == -1) {
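Review bot: The new RAD_REPLY_MESSAGE arm hands server-supplied text straight to pam_info(); the `"%s"` format is the right call (no format-string exposure), but nothing strips control or escape bytes before the text reaches the user's terminal through the conversation function, which is worth a comment such as `/* Reply-Message is network-supplied; shown verbatim via the conversation function. */` above the case. The `default:` arm ends without `break;`, which is legal as the last label but diverges from the other arms. do_accept() begins before this hunk and its tail (including the `attrtype == -1` check) continues in the next one.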
@@ -165,9 +176,44 @@ do_accept(pam_handle_t *pamh, struct rad_handle *radh)
                return (-1);
        }
        return (0);
+enomem:
+       syslog(LOG_CRIT, "%s(): out of memory", __func__);
+       return (-1);
 }
 
 static int
+do_reject(pam_handle_t *pamh, struct rad_handle *radh)
+{
+       int attrtype;
+       const void *attrval;
+       size_t attrlen;
+       char *s;
+
+       while ((attrtype = rad_get_attr(radh, &attrval, &attrlen)) > 0) {
+               switch (attrtype) {
+               case RAD_REPLY_MESSAGE:
+                       if ((s = rad_cvt_string(attrval, attrlen)) == NULL)
+                               goto enomem;
+                       if (!openpam_get_option(pamh, PAM_OPT_NO_REPLYMSG))
+                               pam_error(pamh, "%s", s);
+                       free(s);
+                       break;
+               default:
+                       PAM_LOG("%s(): ignoring RADIUS attribute %d",
+                           __func__, attrtype);
+               }
+       }
+       if (attrtype < 0) {
+               syslog(LOG_CRIT, "rad_get_attr: %s", rad_strerror(radh));
+               return (-1);
+       }
+       return (0);
+enomem:
+       syslog(LOG_CRIT, "%s(): out of memory", __func__);
+       return (-1);
+}
+
+static int
 do_challenge(pam_handle_t *pamh, struct rad_handle *radh, const char *user,
     const char *nas_id, const char *nas_ipaddr, const char *rhost)
 {
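Review bot: do_reject() ends its attribute loop with `if (attrtype < 0)` while the sibling do_accept() in the previous hunk uses `if (attrtype == -1)`; the two functions are otherwise parallel, so the post-loop check should read the same in both (`attrtype < 0` is the more defensive form if rad_get_attr() can return other negative values). The two functions also duplicate the convert/use/free pattern and differ only in pam_info() versus pam_error(), so a comment stating that do_reject() is deliberately kept separate, or a shared helper, would help the next reader. do_challenge()'s signature starts at the end of this hunk and its body lies outside it.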
@@ -332,6 +378,7 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags __un
                        return (PAM_SUCCESS);
 
                case RAD_ACCESS_REJECT:
+                       retval = do_reject(pamh, radh);
                        rad_close(radh);
                        PAM_VERBOSE_ERROR("Radius rejection");
                        return (PAM_AUTH_ERR);
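Review bot: The added `retval = do_reject(pamh, radh);` stores a value that is never read, because the arm unconditionally returns PAM_AUTH_ERR two lines later, so a -1 from do_reject() (out of memory or a rad_get_attr() error, both already logged via syslog) changes nothing here. If that is the intent, make it explicit with `(void)do_reject(pamh, radh);	/* best effort: a reject is a reject even if its attributes are unreadable */`; otherwise test retval and return PAM_SERVICE_ERR on failure as the other error paths presumably do. pam_sm_authenticate() begins and ends outside this hunk.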