Etusivu Tutki Apua
Kirjaudu sisään
SoftwareDesign
/
csu3_am335x
8
0
Fork 0
Tiedostot Ongelmat 0 Pull-pyynnöt 0 Wiki
Haara: master
Haarat Tagit
csu3_am335x
/
EVSE
/
GPL
/
linux-pam-1.5.2
/
libpamc
/
test
/
agents
/
secret@here

secret@here 6.8 KB
Pysyvä linkki Historia Raaka

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307 
  1. #!/usr/bin/perl
    2. 

  2. #
    3. 

  3. # This is a simple example PAM authentication agent, it implements a
    4. 

  4. # simple shared secret authentication scheme. The PAM module pam_secret.so
    5. 

  5. # is its counter part. Both the agent and the remote server are able to
    6. 

  6. # authenticate one another, but the server is given the opportunity to
    7. 

  7. # ignore a failed authentication.
    8. 

  8. #
    9. 

  9. 

  10. $^W = 1;
    11. 

  11. use strict;
    12. 

  12. use IPC::Open2;
    13. 

  13. $| = 1;
    14. 

  14. 

  15. # display extra information to STDERR
    16. 

  16. my $debug = 0;
    17. 

  17. if (scalar @ARGV) {
    18. 

  18.     $debug = 1;
    19. 

  19. }
    20. 

  20. 

  21. # Globals
    22. 

  22. 

  23. my %state;
    24. 

  24. my $default_key;
    25. 

  25. 

  26. my $next_key = $$;
    27. 

  27. 

  28. # loop over binary prompts
    29. 

  29. for (;;) {
    30. 

  30.     my ($control, $data) = ReadBinaryPrompt();
    31. 

  31.     my ($reply_control, $reply_data);
    32. 

  32. 

  33.     if ($control == 0) {
    34. 

  34. 	if ($debug) {
    35. 

  35. 	    print STDERR "agent: no packet to read\n";
    36. 

  36. 	}
    37. 

  37. 	last;
    38. 

  38.     } elsif ($control == 0x02) {
    39. 

  39. 	($reply_control, $reply_data) = HandleAgentSelection($data);
    40. 

  40.     } elsif ($control == 0x01) {
    41. 

  41. 	($reply_control, $reply_data) = HandleContinuation($data);
    42. 

  42.     } else {
    43. 

  43. 	if ($debug) {
    44. 

  44. 	    print STDERR
    45. 

  45. 		"agent: unrecognized packet $control {$data} to read\n";
    46. 

  46. 	}
    47. 

  47. 	($reply_control, $reply_data) = (0x04, "");
    48. 

  48.     }
    49. 

  49. 

  50.     WriteBinaryPrompt($reply_control, $reply_data);
    51. 

  51. }
    52. 

  52. 

  53. # Only willing to exit well if we've completed our authentication exchange
    54. 

  54. 

  55. if (scalar keys %state) {
    56. 

  56.     if ($debug) {
    57. 

  57. 	print STDERR "The following sessions are still active:\n  ";
    58. 

  58. 	print STDERR join ', ', keys %state;
    59. 

  59. 	print STDERR "\n";
    60. 

  60.     }
    61. 

  61.     exit 1;
    62. 

  62. } else {
    63. 

  63.     exit 0;
    64. 

  64. }
    65. 

  65. 

  66. sub HandleAgentSelection ($) {
    67. 

  67.     my ($data) = @_;
    68. 

  68. 

  69.     unless ( $data =~ /^([a-zA-Z0-9_]+\@?[a-zA-Z0-9_.]*)\/(.*)$/ ) {
    70. 

  70. 	return (0x04, "");
    71. 

  71.     }
    72. 

  72. 

  73.     my ($agent_name, $payload) = ($1, $2);
    74. 

  74.     if ($debug) {
    75. 

  75. 	print STDERR "agent: ". "agent=$agent_name, payload=$payload\n";
    76. 

  76.     }
    77. 

  77. 

  78.     # this agent has a defined name
    79. 

  79.     if ($agent_name ne "secret\@here") {
    80. 

  80. 	if ($debug) {
    81. 

  81. 	    print STDERR "bad agent name: [$agent_name]\n";
    82. 

  82. 	}
    83. 

  83. 	return (0x04, "");
    84. 

  84.     }
    85. 

  85. 

  86.     # the selection request is acompanied with a hexadecimal cookie
    87. 

  87.     my @tokens = split '\|', $payload;
    88. 

  88. 

  89.     unless ((scalar @tokens) == 2) {
    90. 

  90. 	if ($debug) {
    91. 

  91. 	    print STDERR "bad payload\n";
    92. 

  92. 	}
    93. 

  93. 	return (0x04, "");
    94. 

  94.     }
    95. 

  95. 

  96.     unless ($tokens[1] =~ /^[a-z0-9]+$/) {
    97. 

  97. 	if ($debug) {
    98. 

  98. 	    print STDERR "bad server cookie\n";
    99. 

  99. 	}
    100. 

  100. 	return (0x04, "");
    101. 

  101.     }
    102. 

  102. 

  103.     my $shared_secret = IdentifyLocalSecret($tokens[0]);
    104. 

  104. 

  105.     unless (defined $shared_secret) {
    106. 

  106. 	# make a secret up
    107. 

  107. 	if ($debug) {
    108. 

  108. 	    print STDERR "agent: cannot authenticate user\n";
    109. 

  109. 	}
    110. 

  110. 	$shared_secret = GetRandom();
    111. 

  111.     }
    112. 

  112. 

  113.     my $local_cookie = GetRandom();
    114. 

  114.     $default_key = $next_key++;
    115. 

  115. 

  116.     $state{$default_key} = $local_cookie ."|". $tokens[1] ."|". $shared_secret;
    117. 

  117. 

  118.     if ($debug) {
    119. 

  119. 	print STDERR "agent: \$state{$default_key} = $state{$default_key}\n";
    120. 

  120.     }
    121. 

  121. 

  122.     return (0x01, $default_key ."|". $local_cookie);
    123. 

  123. }
    124. 

  124. 

  125. sub HandleContinuation ($) {
    126. 

  126.     my ($data) = @_;
    127. 

  127. 

  128.     my ($key, $server_digest) = split '\|', $data;
    129. 

  129. 

  130.     unless (defined $state{$key}) {
    131. 

  131. 	# retries and out of sequence prompts are not permitted
    132. 

  132. 	return (0x04, "");
    133. 

  133.     }
    134. 

  134. 

  135.     my $expected_digest = CreateDigest($state{$key});
    136. 

  136.     my ($local_cookie, $remote_cookie, $shared_secret)
    137. 

  137. 	= split '\|', $state{$key};
    138. 

  138.     delete $state{$key};
    139. 

  139. 

  140.     unless ($expected_digest eq $server_digest) {
    141. 

  141. 	if ($debug) {
    142. 

  142. 	    print STDERR "agent: don't trust server - faking reply\n";
    143. 

  143. 	    print STDERR "agent: got      ($server_digest)\n";
    144. 

  144. 	    print STDERR "agent: expected ($expected_digest)\n";
    145. 

  145. 	}
    146. 

  146. 

  147. 	## FIXME: Agent should exchange a prompt with the client warning
    148. 

  148. 	## that the server is faking us out.
    149. 

  149. 

  150. 	return (0x03, CreateDigest($expected_digest . $data . GetRandom()));
    151. 

  151.     }
    152. 

  152. 

  153.     if ($debug) {
    154. 

  154. 	print STDERR "agent: server appears to know the secret\n";
    155. 

  155.     }
    156. 

  156. 

  157.     my $session_authenticated_ticket =
    158. 

  158. 	CreateDigest($remote_cookie."|".$shared_secret."|".$local_cookie);
    159. 

  159. 

  160.     # FIXME: Agent should set a derived session key environment
    161. 

  161.     # variable (available for the client (and its children) to sign
    162. 

  162.     # future data exchanges.
    163. 

  163. 

  164.     if ($debug) {
    165. 

  165. 	print STDERR "agent: should putenv("
    166. 

  166. 	    ."\"AUTH_SESSION_TICKET=$session_authenticated_ticket\")\n";
    167. 

  167.     }
    168. 

  168. 

  169.     # return agent's authenticating digest
    170. 

  170.     return (0x03, CreateDigest($shared_secret."|".$remote_cookie
    171. 

  171. 			       ."|".$local_cookie));
    172. 

  172. }
    173. 

  173. 

  174. sub ReadBinaryPrompt {
    175. 

  175.     my $buffer = "     ";
    176. 

  176.     my $count = read(STDIN, $buffer, 5);
    177. 

  177.     if ($count == 0) {
    178. 

  178. 	# no more packets to read
    179. 

  179. 	return (0, "");
    180. 

  180.     }
    181. 

  181. 

  182.     if ($count != 5) {
    183. 

  183. 	# broken packet header
    184. 

  184. 	return (-1, "");
    185. 

  185.     }
    186. 

  186. 

  187.     my ($length, $control) = unpack("N C", $buffer);
    188. 

  188.     if ($length < 5) {
    189. 

  189. 	# broken packet length
    190. 

  190. 	return (-1, "");
    191. 

  191.     }
    192. 

  192. 

  193.     my $data = "";
    194. 

  194.     $length -= 5;
    195. 

  195.     while ($count = read(STDIN, $buffer, $length)) {
    196. 

  196. 	$data .= $buffer;
    197. 

  197. 	if ($count != $length) {
    198. 

  198. 	    $length -= $count;
    199. 

  199. 	    next;
    200. 

  200. 	}
    201. 

  201. 

  202. 	if ($debug) {
    203. 

  203. 	    print STDERR "agent: ". "data is [$data]\n";
    204. 

  204. 	}
    205. 

  205. 

  206. 	return ($control, $data);
    207. 

  207.     }
    208. 

  208. 

  209.     # broken packet data
    210. 

  210.     return (-1, "");
    211. 

  211. }
    212. 

  212. 

  213. sub WriteBinaryPrompt ($$) {
    214. 

  214.     my ($control, $data) = @_;
    215. 

  215. 

  216.     my $length = 5 + length($data);
    217. 

  217.     if ($debug) {
    218. 

  218. 	printf STDERR "agent: ". "{%d|0x%.2x|%s}\n", $length, $control, $data;
    219. 

  219.     }
    220. 

  220.     my $bp = pack("N C a*", $length, $control, $data);
    221. 

  221.     print STDOUT $bp;
    222. 

  222.     if ($debug) {
    223. 

  223. 	printf STDERR "agent: ". "agent has replied\n";
    224. 

  224.     }
    225. 

  225. }
    226. 

  226. 

  227. ##
    228. 

  228. ## Here is where we parse the simple secret file
    229. 

  229. ## The format of this file is a list of lines of the following form:
    230. 

  230. ##
    231. 

  231. ## user@client0.host.name  secret_string1
    232. 

  232. ## user@client1.host.name  secret_string2
    233. 

  233. ## user@client2.host.name  secret_string3
    234. 

  234. ##
    235. 

  235. 

  236. sub IdentifyLocalSecret ($) {
    237. 

  237.     my ($identifier) = @_;
    238. 

  238.     my $secret;
    239. 

  239. 

  240.     if (open SECRETS, "< ". (getpwuid($<))[7] ."/.secret\@here") {
    241. 

  241. 	my $line;
    242. 

  242. 	while (defined ($line = <SECRETS>)) {
    243. 

  243. 	    my ($id, $sec) = split /[\s]+/, $line;
    244. 

  244. 	    if ((defined $id) && ($id eq $identifier)) {
    245. 

  245. 		$secret = $sec;
    246. 

  246. 		last;
    247. 

  247. 	    }
    248. 

  248. 	}
    249. 

  249. 	close SECRETS;
    250. 

  250.     }
    251. 

  251. 

  252.     return $secret;
    253. 

  253. }
    254. 

  254. 

  255. ## Here is where we generate a message digest
    256. 

  256. 

  257. sub CreateDigest ($) {
    258. 

  258.     my ($data) = @_;
    259. 

  259. 

  260.     my $pid = open2(\*MD5out, \*MD5in, "/usr/bin/md5sum -")
    261. 

  261. 	or die "you'll need /usr/bin/md5sum installed";
    262. 

  262. 

  263.     my $oldfd = select MD5in; $|=1; select $oldfd;
    264. 

  264.     if ($debug) {
    265. 

  265. 	print STDERR "agent: ". "telling md5: <$data>\n";
    266. 

  266.     }
    267. 

  267.     print MD5in "$data";
    268. 

  268.     close MD5in;
    269. 

  269.     my $reply = <MD5out>;
    270. 

  270.     ($reply) = split /\s/, $reply;
    271. 

  271.     if ($debug) {
    272. 

  272. 	print STDERR "agent: ". "md5 said: <$reply>\n";
    273. 

  273.     }
    274. 

  274.     close MD5out;
    275. 

  275. 

  276.     return $reply;
    277. 

  277. }
    278. 

  278. 

  279. ## get a random number
    280. 

  280. 

  281. sub GetRandom {
    282. 

  282. 

  283.     if ( -r "/dev/urandom" ) {
    284. 

  284. 	open RANDOM, "< /dev/urandom" or die "crazy";
    285. 

  285. 

  286. 	my $i;
    287. 

  287. 	my $reply = "";
    288. 

  288. 

  289. 	for ($i=0; $i<4; ++$i) {
    290. 

  290. 	    my $buffer = "    ";
    291. 

  291. 	    while (read(RANDOM, $buffer, 4) != 4) {
    292. 

  292. 		;
    293. 

  293. 	    }
    294. 

  294. 	    $reply .= sprintf "%.8x", unpack("N", $buffer);
    295. 

  295. 	    if ($debug) {
    296. 

  296. 		print STDERR "growing reply: [$reply]\n";
    297. 

  297. 	    }
    298. 

  298. 	}
    299. 

  299. 	close RANDOM;
    300. 

  300. 

  301. 	return $reply;
    302. 

  302.     } else {
    303. 

  303. 	print STDERR "agent: ". "[got linux?]\n";
    304. 

  304. 	return "%.8x%.8x%.8x%.8x", time, time, time, time;
    305. 

  305.     }
    306. 

  306. 

  307. }
    308.