Bandie/pam_panic
1
0
Fork 0
Code Issues 5 Pull Requests Releases Wiki Activity

Password function

Browse Source
This commit is contained in:
Bandie
2018-04-01 01:53:41 +02:00
parent 721f63774c
commit b31cc5948b
19 changed files with 773 additions and 254 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
src/Makefile
View File

@ -1,9 +1,3 @@
CFLAGS = --std=c99 -O2 -fPIC -DPOWEROFF=\"`which poweroff`\" -DREBOOT=\"`which reboot`\" -DCRYPTSETUP=\"`which cryptsetup`\"
LDFLAGS = -x --shared
all:
mkdir -p ../obj
mkdir -p ../build
cc $(CFLAGS) -c pam_panic.c -o ../obj/pam_panic.o
ld $(LDFLAGS) -o ../build/pam_panic.so ../obj/pam_panic.o
make -C pam_panic -e "PPASSFILE = $(PPASSFILE)"
make -C pam_panic_pw -e "PPASSFILE = $(PPASSFILE)"

220
src/pam_panic.c
View File

@ -1,220 +0,0 @@
/*
FILENAME : pam_panic.c
DESCRIPTION : The pam_panic PAM module shall protect people who have value data on their computer. It provides a panic function.
AUTHOR : Bandie
DATE : 2018-03-27T02:34:08+02:00
LICENSE : GNU-GPLv3
*/
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/wait.h>
#include <regex.h>
#include <string.h>
#include <security/pam_modules.h>
#include <security/pam_ext.h>
#include <syslog.h>
#ifdef REBOOT
#ifdef POWEROFF
#ifdef CRYPTSETUP
#define ASK "Please enter your secret key to decrypt the firewall and access the mainframe. "
PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char *argv[])
{
char *resp;
char *allowed_arg = malloc(128 * sizeof(char));
char *rejected_arg = malloc(128 * sizeof(char));
char *serious_arg = malloc(128 * sizeof(char));
char *allowed_temp = NULL;
char *rejected_temp = NULL;
char *serious_temp = NULL;
char *allowed = malloc(60 * sizeof(char));
char *rejected = malloc(60 * sizeof(char));
char *serious_dev = malloc(60 * sizeof(char));
int8_t serious = 0;
int8_t reboot = 0;
int8_t poweroff = 0;
// Regex for checking arguments
char *pattern = "^[A-Fa-f0-9]\\{8\\}\\-[A-Fa-f0-9]\\{4\\}\\-[A-Fa-f0-9]\\{4\\}\\-[A-Fa-f0-9]\\{4\\}\\-[A-Fa-f0-9]\\{12\\}$";
regex_t regex;
if(regcomp(&regex, pattern, 0)){
pam_syslog(pamh, LOG_CRIT, "ERROR: Problem with regcomp.");
return (PAM_IGNORE);
}
// Check number of arguments
if(argc<2){
pam_syslog(pamh, LOG_ERR, "Missing arguments.");
return (PAM_IGNORE);
}
// Argument handling
for(int i=0; i<argc; i++){
if(strstr(argv[i], "allow") != NULL){
strncpy(allowed_arg, argv[i], 128);
allowed_temp = strtok(allowed_arg, "=");
allowed_temp = strtok(NULL, "=");
}
if(strstr(argv[i], "reject") != NULL){
strncpy(rejected_arg, argv[i], 128);
rejected_temp = strtok(rejected_arg, "=");
rejected_temp = strtok(NULL, "=");
}
if(strstr(argv[i], "reboot") != NULL){
reboot = 1;
}
if(strstr(argv[i], "poweroff") != NULL){
poweroff = 1;
}
if(strstr(argv[i], "serious") != NULL){
strncpy(serious_arg, argv[i], 128);
serious_temp = strtok(serious_arg, "=");
serious_temp = strtok(NULL, "=");
serious = 1;
}
}
// Poweroff wins.
if(reboot && poweroff)
reboot = 0;
// Checking arguments
if(
allowed_temp == NULL
|| rejected_temp == NULL
|| regexec(&regex, allowed_temp, 0, NULL, 0) == REG_NOMATCH
|| regexec(&regex, rejected_temp, 0, NULL, 0) == REG_NOMATCH
|| (serious && serious_temp == NULL)
) {
pam_syslog(pamh, LOG_ERR, "Argument invalid. Note that allow and reject must have a valid GPT UUID.");
return (PAM_IGNORE);
}
// Construct variables from arguments
sprintf(rejected, "/dev/disk/by-partuuid/%s", rejected_temp);
sprintf(allowed, "/dev/disk/by-partuuid/%s", allowed_temp);
if(serious)
sprintf(serious_dev, "/dev/disk/by-partuuid/%s", serious_temp);
// Free not needed vars
free(rejected_arg);
free(allowed_arg);
free(serious_arg);
// Check if panic key exist
if(serious && access(serious_dev, F_OK) == -1){
pam_syslog(pamh, LOG_ALERT, "ALERT for argument \"serious\": Device doesn't exist.\n");
return (PAM_IGNORE);
}
// Prompt for (auth|panic) key
int8_t counter = 0;
while(access(allowed, F_OK) == -1 && access(rejected, F_OK) == -1){
pam_prompt(pamh, PAM_PROMPT_ECHO_OFF, &resp, ASK);
if(++counter >= 3){
pam_syslog(pamh, LOG_NOTICE, "Couldn't identify any keys. 3 tries.");
return (PAM_MAXTRIES);
}
}
// Auth key? OK!
if(access(allowed, F_OK) != -1)
return (PAM_SUCCESS);
// Panic key? PANIC!!1
if(access(rejected, F_OK) != -1){
if(serious){
int ser_stat;
int yes[2];
pipe(yes);
if(fork() == 0){
close(yes[1]);
dup2(yes[0], 0);
execlp(CRYPTSETUP, CRYPTSETUP, "luksErase", serious_dev, NULL);
}else {
close(yes[0]);
write(yes[1], "YES\n", 4);
close(yes[1]);
wait(&ser_stat);
}
}
if(reboot)
execlp(REBOOT, REBOOT, NULL);
if(poweroff)
execlp(POWEROFF, POWEROFF, NULL);
return (PAM_MAXTRIES);
}
return (PAM_MAXTRIES);
}
// Fuck all of this below.
PAM_EXTERN int pam_sm_setcred(pam_handle_t *pamh, int flags, int argc, const char *argv[])
{
return (PAM_SUCCESS);
}
PAM_EXTERN int pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, int argc, const char *argv[])
{
return (PAM_SUCCESS);
}
PAM_EXTERN int pam_sm_open_session(pam_handle_t *pamh, int flags, int argc, const char *argv[])
{
return (PAM_SUCCESS);
}
PAM_EXTERN int pam_sm_close_session(pam_handle_t *pamh, int flags, int argc, const char *argv[])
{
return (PAM_SUCCESS);
}
PAM_EXTERN int pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, const char *argv[])
{
return (PAM_SERVICE_ERR);
}
#endif
#endif
#endif

9
src/pam_panic/Makefile Normal file
View File

@ -0,0 +1,9 @@
CFLAGS = --std=gnu11 -O2 -fPIC -DPOWEROFF=\"`which poweroff`\" -DREBOOT=\"`which reboot`\" -DCRYPTSETUP=\"`which cryptsetup`\" -DPPASSFILE=\"$(PPASSFILE)\"
LDFLAGS = -x --shared -lcrypt
all:
mkdir -p ../../obj
mkdir -p ../../build
cc $(CFLAGS) -c pam_panic.c -o ../../obj/pam_panic.o
ld $(LDFLAGS) -o ../../build/pam_panic.so ../../obj/pam_panic.o

193
src/pam_panic/pam_panic.c Normal file
View File

@ -0,0 +1,193 @@
/*
FILENAME : pam_panic.c
DESCRIPTION : The pam_panic PAM module shall protect people who have value data on their computer. It provides a panic function.
AUTHOR : Bandie
DATE : 2018-03-27T02:34:08+02:00
LICENSE : GNU-GPLv3
*/
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/wait.h>
#include <regex.h>
#include <string.h>
#include <security/pam_modules.h>
#include <security/pam_ext.h>
#include <syslog.h>
#include "pam_panic_reject.h"
#include "pam_panic_authdevice.h"
#include "pam_panic_password.h"
#ifdef REBOOT
#ifdef POWEROFF
#ifdef CRYPTSETUP
void argSplit(char **some_arg, char **some_temp, const char *arg){
strncpy(*some_arg, arg, 128);
*some_temp = strtok(*some_arg, "=");
*some_temp = strtok(NULL, "=");
}
void constrPath(char **dst, char **src){
sprintf(*dst, "/dev/disk/by-partuuid/%s", *src);
}
PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char *argv[]){
// Devices
char *allowed_arg = malloc(128 * sizeof(char));
char *rejected_arg = malloc(128 * sizeof(char));
char *serious_arg = malloc(128 * sizeof(char));
char *allowed_temp = NULL;
char *rejected_temp = NULL;
char *serious_temp = NULL;
char *allowed = malloc(60 * sizeof(char));
char *rejected = malloc(60 * sizeof(char));
char *serious_dev = malloc(60 * sizeof(char));
// Switches
int8_t bSerious = 0;
int8_t bReboot = 0;
int8_t bPoweroff = 0;
int8_t bPassword = 0;
// Regex for checking arguments
char *pattern = "^[A-Fa-f0-9]\\{8\\}\\-[A-Fa-f0-9]\\{4\\}\\-[A-Fa-f0-9]\\{4\\}\\-[A-Fa-f0-9]\\{4\\}\\-[A-Fa-f0-9]\\{12\\}$";
regex_t regex;
if(regcomp(&regex, pattern, 0)){
pam_syslog(pamh, LOG_CRIT, "ERROR: Problem with regcomp.");
return (PAM_IGNORE);
}
// Argument handling
for(int i=0; i<argc; i++){
if(strstr(argv[i], "allow") != NULL)
argSplit(&allowed_arg, &allowed_temp, argv[i]);
if(strstr(argv[i], "reject") != NULL)
argSplit(&rejected_arg, &rejected_temp, argv[i]);
if(strstr(argv[i], "reboot") != NULL)
bReboot = 1;
if(strstr(argv[i], "poweroff") != NULL)
bPoweroff = 1;
if(strstr(argv[i], "password") != NULL){
bPassword = 1;
}
if(strstr(argv[i], "serious") != NULL){
argSplit(&serious_arg, &serious_temp, argv[i]);
bSerious = 1;
}
}
// Checking arguments
if(
(allowed_temp == NULL && !bPassword)
|| (rejected_temp == NULL && !bPassword)
|| (allowed_temp != NULL && regexec(&regex, allowed_temp, 0, NULL, 0) == REG_NOMATCH)
|| (rejected_temp != NULL && regexec(&regex, rejected_temp, 0, NULL, 0) == REG_NOMATCH)
|| (bSerious && serious_temp == NULL)
) {
pam_syslog(pamh, LOG_ERR, "Arguments invalid. Note that allow and reject must have a valid GPT UUID.");
return (PAM_IGNORE);
}
// Poweroff wins.
if(bReboot && bPoweroff)
bReboot = 0;
// Devices will win
if(bPassword && allowed_temp != NULL && rejected_temp != NULL)
bPassword = 0;
// Construct variables from arguments
if(allowed_temp != NULL && rejected_temp != NULL){
constrPath(&rejected, &rejected_temp);
constrPath(&allowed, &allowed_temp);
}else{
rejected = NULL;
allowed = NULL;
}
if(bSerious)
constrPath(&serious_dev, &serious_temp);
// Free not needed vars
free(rejected_arg);
free(allowed_arg);
free(serious_arg);
// Check if panic key exist
if(bSerious && access(serious_dev, F_OK) == -1){
pam_syslog(pamh, LOG_ALERT, "ALERT for argument \"serious\": Device doesn't exist.");
return (PAM_IGNORE);
}
//////////////////////// AUTH PROMPT ////////////////////////////////
// Prompt for (auth|panic) key
if(allowed != NULL && rejected != NULL){
return authDevice(pamh, allowed, rejected, serious_dev, bSerious, bReboot, bPoweroff);
}else if(bPassword){
return authPassword(pamh, serious_dev, bSerious, bReboot, bPoweroff);
}
return (PAM_IGNORE);
}
// Fuck all of this below.
PAM_EXTERN int pam_sm_setcred(pam_handle_t *pamh, int flags, int argc, const char *argv[])
{
return (PAM_SUCCESS);
}
PAM_EXTERN int pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, int argc, const char *argv[])
{
return (PAM_SUCCESS);
}
PAM_EXTERN int pam_sm_open_session(pam_handle_t *pamh, int flags, int argc, const char *argv[])
{
return (PAM_SUCCESS);
}
PAM_EXTERN int pam_sm_close_session(pam_handle_t *pamh, int flags, int argc, const char *argv[])
{
return (PAM_SUCCESS);
}
PAM_EXTERN int pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, const char *argv[])
{
return (PAM_SERVICE_ERR);
}
#endif
#endif
#endif

18
src/pam_panic/pam_panic_authdevice.c Normal file
View File

@ -0,0 +1,18 @@
int authDevice(pam_handle_t *pamh, char *allowed, char *rejected, char *serious_dev, int8_t bSerious, int8_t bReboot, int8_t bPoweroff){
int8_t counter = 0;
while(access(allowed, F_OK) == -1 && access(rejected, F_OK) == -1){
pam_prompt(pamh, PAM_PROMPT_ECHO_OFF, NULL, ASK);
if(++counter >= 3){
pam_syslog(pamh, LOG_NOTICE, "Couldn't identify any keys. 3 tries.");
return (PAM_MAXTRIES);
}
}
if(access(allowed, F_OK) != -1)
return (PAM_SUCCESS);
if(access(rejected, F_OK) != -1)
return reject(serious_dev, bSerious, bReboot, bPoweroff);
}

3
src/pam_panic/pam_panic_authdevice.h Normal file
View File

@ -0,0 +1,3 @@
#define ASK "Please enter your secret key to decrypt the firewall and access the mainframe. "
#include "pam_panic_authdevice.c"

84
src/pam_panic/pam_panic_password.c Normal file
View File

@ -0,0 +1,84 @@
int readPassword(pam_handle_t *pamh, char pw[2][99]){
// Open file
if(access(PPASSFILE, F_OK) == -1){
pam_syslog(pamh, LOG_ALERT, "ALERT for password option: No password file detected.");
return 2;
}
FILE *f = fopen(PPASSFILE, "r");
if(f == NULL){
pam_syslog(pamh, LOG_ALERT, "ERROR: Couldn't open file.");
return 1;
}
// Get file contents
size_t nread;
char filecontent[198];
char chr;
nread = fread(filecontent, sizeof(char), 198, f);
fclose(f);
if(nread != 198){
pam_syslog(pamh, LOG_CRIT, "CRITICAL: Password file is corrupt!");
return 3;
}
/* Split file content
* pw[0] := key
* pw[1] := panic key
*/
strcpy(pw[0], strtok(filecontent, "\n"));
strcpy(pw[1], strtok(NULL, "\n"));
if(pw[0] == NULL || pw[1] == NULL)
return 1;
return 0;
}
int authPassword(pam_handle_t *pamh, char *serious_dev, int8_t bSerious, int8_t bReboot, int8_t bPoweroff){
// PAM password response
char resp[256];
char *response = NULL;
// Not so panic password
char *pwkey_tmp;
char pwkey[99];
// Panic password
char *pwpanic_tmp;
char pwpanic[99];
// Read passwords from file
char pw[2][99];
if(readPassword(pamh, pw))
return(PAM_IGNORE);
pam_prompt(pamh, PAM_PROMPT_ECHO_OFF, &response, "Password:: ");
strcpy(resp, response);
pwkey_tmp = crypt(resp, pw[0]);
strcpy(pwkey, pwkey_tmp);
pwpanic_tmp = crypt(resp, pw[1]);
strcpy(pwpanic, pwpanic_tmp);
// Key?
if(!strcmp(pwkey, pw[0]))
return (PAM_SUCCESS);
if(!strcmp(pwpanic, pw[1])){
return reject(serious_dev, bSerious, bReboot, bPoweroff);
}
return (PAM_AUTH_ERR);
}

2
src/pam_panic/pam_panic_password.h Normal file
View File

@ -0,0 +1,2 @@
#include <crypt.h>
#include "pam_panic_password.c"

28
src/pam_panic/pam_panic_reject.c Normal file
View File

@ -0,0 +1,28 @@
int reject(char *serious_dev, int8_t bSerious, int8_t bReboot, int8_t bPoweroff){
if(bSerious){
int ser_stat;
int yes[2];
pipe(yes);
if(fork() == 0){
close(yes[1]);
dup2(yes[0], 0);
execlp(CRYPTSETUP, CRYPTSETUP, "luksErase", serious_dev, NULL);
}else {
close(yes[0]);
write(yes[1], "YES\n", 4);
close(yes[1]);
wait(&ser_stat);
}
}
if(bReboot)
execlp(REBOOT, REBOOT, NULL);
if(bPoweroff)
execlp(POWEROFF, POWEROFF, NULL);
return (PAM_MAXTRIES);
}

1
src/pam_panic/pam_panic_reject.h Normal file
View File

@ -0,0 +1 @@
#include "pam_panic_reject.c"

6
src/pam_panic_pw/Makefile Normal file
View File

@ -0,0 +1,6 @@
LDFLAGS = -lc -lcrypt
CFLAGS = $(LDFLAGS) --std=gnu11 -Wall -O2 -DPPASSFILE=\"$(PPASSFILE)\"
all:
mkdir -p ../../build/
gcc $(CFLAGS) pam_panic_pw.c -o ../../build/pam_panic_pw

88
src/pam_panic_pw/pam_panic_pw.c Normal file
View File

@ -0,0 +1,88 @@
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
#include <unistd.h>
#include <sys/stat.h>
#include <crypt.h>
int writePasswords(char pw[][99]){
FILE *f = fopen(PPASSFILE, "w");
if(f == NULL){
fprintf(stderr, "ERROR opening file!\n");
return 2;
}
fprintf(f, "%s\n%s\n", pw[0], pw[1]);
fclose(f);
chmod(PPASSFILE, 0600);
return 0;
}
int main(void){
time_t t;
srand((unsigned) time(&t));
unsigned long seed[2];
char salt[] = "$6$........";
const char *const seedchars =
"./0123456789ABCDEFGHIJKLMNOPQRST"
"UVWXYZabcdefghijklmnopqrstuvwxyz";
char *password[2];
char *pwvrf[2];
char pw[2][99];
char pwv[2][99];
char *prompt[4] = {"Key password: ", "Panic password: ", "Retype key password: ","Retype panic password: "};
int i;
if(getuid() != 0){
printf("Please run this program under root. Write access to %s is mandatory.\n", PPASSFILE); return 1;
}
for(int j=0; j<2; j++){
seed[0] = time(&t);
seed[1] = rand() ^ (seed[0] >> 14 & 0x30000);
/* Turn it into printable characters from seedchars. */
for (i = 0; i < 8; i++)
salt[3+i] = seedchars[(seed[i/5] >> (i%5)*6) & 0x3f];
/* Read in the users password and encrypt it. */
password[j] = crypt(getpass(prompt[j]), salt);
strcpy(pw[j], password[j]);
int ok;
for(int k=0; k<3; k++){
pwvrf[j] = crypt(getpass(prompt[j+2]), pw[j]);
strcpy(pwv[j], pwvrf[j]);
ok = strcmp(pw[j], pwv[j]) == 0;
if(!ok){
if(k==2){
printf("Didn't work. Bye.\n");
return 1;
}else
printf("Password didn't match. Try again.\n");
}else
break;
}
}
/* Save the results. */
return writePasswords(pw);
}