authormillert <millert@openbsd.org>2000-12-12 02:34:43 +0000
committermillert <millert@openbsd.org>2000-12-12 02:34:43 +0000
commitb8a38d8e25339452e7b0496cfb43d8ea1b771997 (patch)
treef9892bfa77b3c13d280a75f8a3f929abe70c1ccc /libexec/login_reject
parentpasswd login script; authenticates the user via passwd/yp (diff)
reject login script; rejects attempted authentication
will be used when BSD authentication is enabled
Diffstat (limited to 'libexec/login_reject')
-rw-r--r--libexec/login_reject/Makefile12
-rw-r--r--libexec/login_reject/login_reject.875
-rw-r--r--libexec/login_reject/login_reject.c133
3 files changed, 220 insertions, 0 deletions
diff --git a/libexec/login_reject/Makefile b/libexec/login_reject/Makefile
new file mode 100644
index 00000000000..f877d6044ff
--- /dev/null
+++ b/libexec/login_reject/Makefile
@@ -0,0 +1,12 @@
+# $OpenBSD: Makefile,v 1.1 2000/12/12 02:34:43 millert Exp $
+
+PROG= login_reject
+MAN= login_reject.8
+CFLAGS+=-Wall
+
+BINOWN= root
+BINGRP= auth
+BINMODE=555
+BINDIR= /usr/libexec/auth
+
+.include <bsd.prog.mk>
diff --git a/libexec/login_reject/login_reject.8 b/libexec/login_reject/login_reject.8
new file mode 100644
index 00000000000..944b0d0ae46
--- /dev/null
+++ b/libexec/login_reject/login_reject.8
@@ -0,0 +1,75 @@
+.\" $OpenBSD: login_reject.8,v 1.1 2000/12/12 02:34:43 millert Exp $
+.\"
+.\" Copyright (c) 1995 Berkeley Software Design, Inc. All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
+.\" 3. All advertising materials mentioning features or use of this software
+.\" must display the following acknowledgement:
+.\" This product includes software developed by Berkeley Software Design,
+.\" Inc.
+.\" 4. The name of Berkeley Software Design, Inc. may not be used to endorse
+.\" or promote products derived from this software without specific prior
+.\" written permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY BERKELEY SOFTWARE DESIGN, INC. ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED. IN NO EVENT SHALL BERKELEY SOFTWARE DESIGN, INC. BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" BSDI $From: login_reject.8,v 1.2 1996/08/01 21:02:26 prb Exp $
+.\"
+.Dd September 29, 1995
+.Dt LOGIN_REJECT 8
+.Os
+.Sh NAME
+.Nm login_reject
+.Nd provide rejected authentication
+.Sh SYNOPSIS
+.Nm login_reject
+.Op Fl s Ar service
+.Ar user
+.Op Ar class
+.Sh DESCRIPTION
+.Pp
+The
+.Nm
+utility provides the rejection authentication class.
+The
+.Ar user
+name, while required, is ignored.
+The
+.Ar class
+name, which is optional, is also ignored.
+The
+.Nm reject
+authentication mechanism is intended to be used to disallow certain
+types of logins. For example, a class entry (see
+.Xr login.conf 5 )
+may contain:
+.Bd -literal -compact
+
+ :auth=krb-or-pwd,kerberos,passwd:
+ :auth-ftp=reject:
+
+.Ed
+which would allow authentication for this class in most situations
+but would reject attempts to authenticate from
+.Xr ftpd 8 .
+.Sh SEE ALSO
+.Xr login.conf 5 ,
+.Xr ftpd 8 ,
+.Xr login 8
diff --git a/libexec/login_reject/login_reject.c b/libexec/login_reject/login_reject.c
new file mode 100644
index 00000000000..e1dff6fe3c0
--- /dev/null
+++ b/libexec/login_reject/login_reject.c
@@ -0,0 +1,133 @@
+/* $OpenBSD: login_reject.c,v 1.1 2000/12/12 02:34:43 millert Exp $ */
+
+/*-
+ * Copyright (c) 1995 Berkeley Software Design, Inc. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ * must display the following acknowledgement:
+ * This product includes software developed by Berkeley Software Design,
+ * Inc.
+ * 4. The name of Berkeley Software Design, Inc. may not be used to endorse
+ * or promote products derived from this software without specific prior
+ * written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY BERKELEY SOFTWARE DESIGN, INC. ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL BERKELEY SOFTWARE DESIGN, INC. BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * BSDI $From: login_reject.c,v 1.5 1996/08/22 20:43:11 prb Exp $
+ */
+#include <sys/param.h>
+#include <sys/stat.h>
+#include <sys/time.h>
+#include <sys/resource.h>
+#include <sys/file.h>
+#include <sys/wait.h>
+
+#include <err.h>
+#include <errno.h>
+#include <login_cap.h>
+#include <pwd.h>
+#include <signal.h>
+#include <stdarg.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <syslog.h>
+#include <unistd.h>
+
+int
+main(argc, argv)
+ int argc;
+ char *argv[];
+{
+ FILE *back;
+ char passbuf[1];
+ int c;
+ struct rlimit rl;
+ int mode = 0;
+
+ rl.rlim_cur = 0;
+ rl.rlim_max = 0;
+ (void)setrlimit(RLIMIT_CORE, &rl);
+
+ (void)signal(SIGQUIT, SIG_IGN);
+ (void)signal(SIGINT, SIG_IGN);
+ (void)setpriority(PRIO_PROCESS, 0, 0);
+
+ openlog("login", LOG_ODELAY, LOG_AUTH);
+
+ while ((c = getopt(argc, argv, "v:s:")) != EOF)
+ switch(c) {
+ case 'v':
+ break;
+ case 's': /* service */
+ if (strcmp(optarg, "login") == 0)
+ mode = 0;
+ else if (strcmp(optarg, "challenge") == 0)
+ mode = 1;
+ else if (strcmp(optarg, "response") == 0)
+ mode = 2;
+ else {
+ syslog(LOG_ERR, "%s: invalid service", optarg);
+ exit(1);
+ }
+ break;
+ default:
+ syslog(LOG_ERR, "usage error");
+ exit(1);
+ }
+
+ switch(argc - optind) {
+ case 2:
+ case 1:
+ break;
+ default:
+ syslog(LOG_ERR, "usage error");
+ exit(1);
+ }
+
+ if (!(back = fdopen(3, "r+"))) {
+ syslog(LOG_ERR, "reopening back channel: %m");
+ exit(1);
+ }
+ if (mode == 1) {
+ fprintf(back, BI_SILENT "\n");
+ exit(0);
+ }
+
+ if (mode == 2) {
+ mode = 0;
+ c = -1;
+ while (read(3, passbuf, 1) == 1) {
+ if (passbuf[0] == '\0' && ++mode == 2)
+ break;
+ }
+ if (mode < 2) {
+ syslog(LOG_ERR, "protocol error on back channel");
+ exit(1);
+ }
+ } else
+ getpass("Password:");
+
+
+ crypt("password", "xx");
+ fprintf(back, BI_REJECT "\n");
+ exit(1);
+}
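Review bot: The `crypt("password", "xx");` call just before `BI_REJECT` is written discards its result and carries no comment, so it reads as dead code and is an easy target for a later cleanup. It presumably exists so that a rejection costs about as much time as a real password check, which keeps callers from telling the reject style apart from a failed passwd login by latency; please say so, e.g. `/* spend the time a real check would; result deliberately unused */`. The two-character salt selects the traditional DES scheme, so the delay only matches where real checks use that scheme as well. Separately, the return value of `getpass("Password:")` is ignored and the typed password stays in its static buffer until exit, so clearing it before exiting would be tidier, and `c = -1;` in the response branch is a dead store.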