Initial commit

Author: bahner

.gitignore

@@ -0,0 +1,2 @@
+pam_split_token.o
+pam_split_token.so

LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright © 2004-2023 Basefarm AS all rights reserved
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

Makefile

@@ -0,0 +1,21 @@
+# Variables
+TARGET = pam_split_token.so
+OBJS = pam_split_token.o
+CFLAGS = -fPIC -Wall
+LDFLAGS = -shared
+LIBS = -lpam
+
+# Default target
+all: $(TARGET)
+
+# Compile the object file
+%.o: %.c
+	$(CC) $(CFLAGS) -c $< -o $@
+
+# Link the shared library
+$(TARGET): $(OBJS)
+	$(CC) $(LDFLAGS) -o $@ $(OBJS) $(LIBS)
+
+# Clean up the build files
+clean:
+	rm -f $(OBJS) $(TARGET)

README.md

@@ -0,0 +1,50 @@
+# pam_split_token
+
+The purpose of this module is to simply split of an OTP token from the password received. It strips of the last "+" and following chars.
+
+The `PAM_AUTHTOK` is modified to be only the first part of the received token (password) and it sets the environnment variable `PAM_SPLIT_TOKEN` to the chars following the + sign. The PAM_SPLIT_TOKEN can the be accessed with pam_getenv. The pam_exec.so module does this, but the pam_script.so module does not.
+
+This was you can for example use this as backend element for Apache basic auth using mod_authnz_pam.
+
+## Requirements
+
+You must pass the parameter `forward_pass` to the module, so that it's allowed to pass on the modified `PAM_AUTHTOK`.
+
+## options
+
+If `PAM_AUTHTOK` is not set you can let the module ask for it if you provide the argument `query_missing_token`.
+This way you can use it as the first module in an auth stack in PAM, eg. for SSH login.
+
+## Examples
+
+This is how you might use the module to receive the password+token combo in /etc/pam-d/sshd
+
+```pam
+auth    required                        pam_split_token.so forward_pass query_missing_token 
+auth    required                        pam_exec.so /usr/share/libpam-script/pam_script_auth
+@include common-auth
+```
+
+If the password is already provided, eg. in /etc/pam.d/apache you don't to query for the token,
+as this could lead to errors.
+
+```pam
+auth    required                        pam_split_token.so forward_pass
+auth    required                        pam_exec.so /usr/share/libpam-script/pam_script_auth
+@include common-auth
+```
+
+The pam_script_auth could then contain something like:
+```bash
+#!/bin/bash
+
+if [[ $PAM_SPLIT_TOKEN == "123456" ]]; then
+  exit 0
+fi
+echo "Bad OTP: $PAM_SPLIT_TOKEN"
+exit 1
+```
+
+This would succeed if the password `Sup3rS3cre7+123456` was provided.
+
+2024-09-04: bahner

pam_split_token.c

@@ -0,0 +1,122 @@
+#include <security/pam_modules.h>
+#include <security/pam_ext.h>
+#include <stdlib.h>
+#include <string.h>
+#include <stdio.h>
+#include <syslog.h>
+
+/*
+ * Helper function to check if a specific argument is provided in pam.conf
+ */
+int has_argument(int argc, const char **argv, const char *arg) {
+    for (int i = 0; i < argc; i++) {
+        if (strcmp(argv[i], arg) == 0) {
+            return 1; // Argument found
+        }
+    }
+    return 0; // Argument not found
+}
+
+/*
+ * PAM authentication function.
+*/
+PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv) {
+    const char *authtok;
+    int pam_ret;
+
+    // Check if the "query_missing_token" argument is provided
+    int query_missing_token = has_argument(argc, argv, "query_missing_token");
+
+    // Retrieve the current PAM_AUTHTOK (the user-supplied password + token)
+    pam_ret = pam_get_item(pamh, PAM_AUTHTOK, (const void **)&authtok);
+    if (pam_ret != PAM_SUCCESS || authtok == NULL || strlen(authtok) == 0) {
+        // Only prompt if query_missing_token argument is provided
+        if (query_missing_token) {
+            // Allocate a buffer for the input
+            char *input = NULL;
+
+            // Prompt the user for the password+token
+            pam_ret = pam_prompt(pamh, PAM_PROMPT_ECHO_OFF, &input, "Password+Token: ");
+            if (pam_ret != PAM_SUCCESS || input == NULL) {
+                pam_syslog(pamh, LOG_ERR, "Failed to prompt for Password+Token.");
+                return PAM_AUTH_ERR;
+            }
+
+            authtok = input; // Use this as the authtok
+        } else {
+            pam_syslog(pamh, LOG_ERR, "PAM_AUTHTOK is empty and query_missing_token is not set.");
+            return PAM_AUTH_ERR; // Fail if no authtok and no query_missing_token argument
+        }
+    }
+
+    // Ensure the authtok is not unreasonably long
+    if (strlen(authtok) > PAM_MAX_RESP_SIZE) {
+        pam_syslog(pamh, LOG_ERR, "PAM_AUTHTOK is too long.");
+        return PAM_AUTH_ERR;
+    }
+
+    // Find the position of the last '+' character
+    char *plus_pos = strrchr(authtok, '+');
+    if (plus_pos == NULL) {
+        pam_syslog(pamh, LOG_ERR, "No '+' found in PAM_AUTHTOK.");
+        return PAM_AUTH_ERR;
+    }
+
+    // Split the authtok into password and token
+    size_t password_len = plus_pos - authtok;
+    char *password = strndup(authtok, password_len); // Copy only the password part
+    if (password == NULL) {
+        pam_syslog(pamh, LOG_ERR, "Failed to allocate memory for password.");
+        return PAM_BUF_ERR;
+    }
+
+    // Ensure the token is not empty
+    if (*(plus_pos + 1) == '\0') {
+        pam_syslog(pamh, LOG_ERR, "No token found after the last '+'.");
+        free(password);
+        return PAM_AUTH_ERR;
+    }
+
+    const char *token = plus_pos + 1;  // Token part starts after '+'
+
+    // Set the modified password (without the token) back into PAM_AUTHTOK
+    pam_ret = pam_set_item(pamh, PAM_AUTHTOK, password);
+    if (pam_ret != PAM_SUCCESS) {
+        pam_syslog(pamh, LOG_ERR, "Failed to set PAM_AUTHTOK.");
+        free(password);
+        return PAM_AUTH_ERR;
+    }
+
+    // Allocate memory for the environment variable to hold the token
+    size_t token_env_size = strlen("PAM_SPLIT_TOKEN=") + strlen(token) + 1; // +1 for null terminator
+    char *token_env = malloc(token_env_size);
+    if (!token_env) {
+        pam_syslog(pamh, LOG_ERR, "Failed to allocate memory for token environment variable.");
+        free(password);
+        return PAM_BUF_ERR;
+    }
+
+    snprintf(token_env, token_env_size, "PAM_SPLIT_TOKEN=%s", token);
+
+    // Set PAM_SPLIT_TOKEN environment variable to the token
+    pam_ret = pam_putenv(pamh, token_env);
+    if (pam_ret != PAM_SUCCESS) {
+        pam_syslog(pamh, LOG_ERR, "Failed to set PAM_SPLIT_TOKEN environment variable.");
+        free(password);
+        free(token_env);
+        return PAM_AUTH_ERR;
+    }
+
+    // Log success
+    pam_syslog(pamh, LOG_INFO, "PAM_AUTHTOK and PAM_SPLIT_TOKEN set successfully.");
+
+    // Clean up
+    free(password);
+    free(token_env);
+
+    return PAM_SUCCESS;
+}
+
+PAM_EXTERN int pam_sm_setcred(pam_handle_t *pamh, int flags, int argc, const char **argv) {
+    return PAM_SUCCESS;
+}