Package: ipsec-tools Version: 0.5-4
Instead of only having "system" authentication, i.e. against /etc/passwd, PAM authentication would be a lot more flexible. The attached patch works fine for me, but of course it could be enhanced ...
It uses the PAM service name "racoon", i.e. something like `auth required pam_unix.so` in /etc/pam.d/racoon should do the trick.
Regards, Michael -- ------------------------------------------------ Michael Tautschnig
System operator @ Chair Brauer Technical University of Munich
diff -urN ipsec-tools-0.5/configure.ac ipsec-tools-0.5.mod/configure.ac
--- ipsec-tools-0.5/configure.ac 2005-02-18 06:05:46.000000000 +0100
+++ ipsec-tools-0.5.mod/configure.ac 2005-03-16 16:58:26.901894943 +0100
@@ -26,7 +26,7 @@
LDFLAGS="-Wl,-R/usr/pkg/lib $LDFLAGS"
;;
*linux*)
- LIBS="$LIBS -lresolv"
+ LIBS="$LIBS -lresolv -lssl"
INSTALL_OPTS="-o bin -g bin"
INCLUDE_GLIBC="include-glibc"
RPM="rpm"
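Review bot: `-lssl` is appended to LIBS for every Linux build at `LIBS="$LIBS -lresolv -lssl"` without any check that it resolves, and nothing else in this patch uses libssl, so the addition looks unrelated to the PAM change; OpenSSL handling already lives under the `--with-openssl` option further down in this file. If a libssl symbol is genuinely needed, it should be found by an `AC_CHECK_LIB(ssl, ...)` test rather than hard-coded per platform, and the reason stated in the description.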
@@ -149,6 +149,23 @@
], [])], [])
fi
+# Check if pam support is requested
+AC_MSG_CHECKING(if pam support is requested)
+AC_ARG_WITH(pam,
+ [ --with-pam support pam authentication (yes by default)],
+ [with_pam="$withval"], [with_pam="yes"])
+AC_MSG_RESULT($with_pam)
+
+# Is pam available?
+if test $with_pam != "no"; then
+ AC_CHECK_HEADER([security/pam_appl.h],
+ [AC_CHECK_LIB(pam_misc, misc_conv, [
+ AC_DEFINE(HAVE_PAM, [],
+ [Is pam available?])
+ LIBS="$LIBS -lpam -lpam_misc"
+ ], [])], [])
+fi
+
# Check if a different OpenSSL directory was specified
AC_MSG_CHECKING(if --with-openssl option is specified)
AC_ARG_WITH(openssl, [ --with-openssl=DIR specify OpenSSL directory],
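Review bot: The `AC_CHECK_HEADER` and `AC_CHECK_LIB` calls both have empty action-if-not-found branches, so a user who passes `--with-pam` and lacks the headers gets a build that silently falls back to the /etc/passwd path, and since the option defaults to yes the resulting binary depends on what happened to be installed at build time. Distinguish an explicit request from the default (e.g. default `with_pam=auto`) and put `AC_MSG_ERROR([PAM requested but not found])` in the not-found branches when it was explicit, so the failure is visible instead of a quiet downgrade of the authentication backend. The test itself looks for `misc_conv` in libpam_misc, which the C side never calls because it installs its own conversation function, so `AC_CHECK_LIB(pam, pam_start, ...)` with `LIBS="$LIBS -lpam"` is what the code actually needs. Quoting `"$with_pam"` in the `test` would also avoid a syntax error if the value is ever empty.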
diff -urN ipsec-tools-0.5/debian/control ipsec-tools-0.5.mod/debian/control
--- ipsec-tools-0.5/debian/control 2005-03-16 18:07:10.243284973 +0100
+++ ipsec-tools-0.5.mod/debian/control 2005-03-16 09:27:01.839885642 +0100
@@ -2,7 +2,7 @@
Section: net
Priority: extra
Maintainer: Ganesan Rajagopal <[EMAIL PROTECTED]>
-Build-Depends: debhelper (>= 4.0.0), flex, bison, libssl-dev (>= 0.9.6),
libreadline5-dev
+Build-Depends: debhelper (>= 4.0.0), flex, bison, libssl-dev (>= 0.9.6),
libreadline5-dev, libpam0g-dev
Standards-Version: 3.6.1
Package: ipsec-tools
@@ -16,7 +16,7 @@
Package: racoon
Architecture: any
Provides: ike-server
-Depends: ${shlibs:Depends}, debconf (>= 0.2.26), ${perl:Depends}
+Depends: ${shlibs:Depends}, debconf (>= 0.2.26), ${perl:Depends}, libpam0g
Description: IPsec IKE keying daemon
racoon is the KAME IKE (ipsec key exchange) server. It can be used with
the Linux ipsec implementation in 2.6 and later kernels or with
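Review bot: The explicit `libpam0g` added to `Depends:` duplicates what `${shlibs:Depends}` already produces once racoon links against libpam, and it hard-codes the shared-library package name, so it will go stale on a soname bump. Leave the line as `Depends: ${shlibs:Depends}, debconf (>= 0.2.26), ${perl:Depends}` and let dh_shlibdeps derive the dependency; the `libpam0g-dev` build-dependency in the earlier hunk is the only packaging change needed.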
diff -urN ipsec-tools-0.5/src/racoon/isakmp_xauth.c
ipsec-tools-0.5.mod/src/racoon/isakmp_xauth.c
--- ipsec-tools-0.5/src/racoon/isakmp_xauth.c 2004-11-30 01:46:09.000000000
+0100
+++ ipsec-tools-0.5.mod/src/racoon/isakmp_xauth.c 2005-03-16
16:58:15.398341412 +0100
@@ -87,6 +87,11 @@
#include <radlib.h>
#endif
+#ifdef HAVE_PAM
+#include <security/pam_misc.h>
+#include <security/pam_appl.h>
+#endif
+
void
xauth_sendreq(iph1)
struct ph1handle *iph1;
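Review bot: `#include <security/pam_misc.h>` is Linux-PAM specific and, as far as this patch shows, nothing from it is used — the daemon supplies its own conversation function rather than `misc_conv` — so `#include <security/pam_appl.h>` alone is needed here. Dropping the extra header also removes a portability problem on OpenPAM systems (the BSDs, macOS) that do not ship it, and the matching `-lpam_misc` in configure.ac can go with it.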
@@ -500,30 +505,103 @@
}
#endif
+#ifndef HAVE_PAM
int
xauth_login_system(iph1, usr, pwd)
- struct ph1handle *iph1;
- char *usr;
- char *pwd;
-{
- struct passwd *pw;
- char *cryptpwd;
-
- if ((pw = getpwnam(usr)) == NULL)
- return -1;
-
- /* No root login. Ever. */
- if (pw->pw_uid == 0)
- return -1;
+ struct ph1handle *iph1;
+ char *usr;
+ char *pwd;
+{
+ struct passwd *pw;
+ char *cryptpwd;
+
+ if ((pw = getpwnam(usr)) == NULL)
+ return -1;
+
+ /* No root login. Ever. */
+ if (pw->pw_uid == 0)
+ return -1;
+
+ if ((cryptpwd = crypt(pwd, pw->pw_passwd)) == NULL)
+ return -1;
+
+ if (strcmp(cryptpwd, pw->pw_passwd) == 0)
+ return 0;
+
+ return -1;
+}
+
+#else
+
+static int checkpw_conv (int num_msg,const struct pam_message **msg,
+ struct pam_response **resp,void *appdata_ptr)
+{
+ int i;
+ struct pam_response *reply = (struct pam_response*) vmalloc(sizeof (struct
pam_response) * num_msg);
+ for (i = 0; i < num_msg; i++) switch (msg[i]->msg_style) {
+ case PAM_PROMPT_ECHO_ON: /* assume want user name */
+ reply[i].resp_retcode = PAM_SUCCESS;
+ reply[i].resp = NULL;
+ break;
+ case PAM_PROMPT_ECHO_OFF: /* assume want password */
+ reply[i].resp_retcode = PAM_SUCCESS;
+ reply[i].resp = (char*) appdata_ptr;
+ break;
+ case PAM_TEXT_INFO:
+ case PAM_ERROR_MSG:
+ reply[i].resp_retcode = PAM_SUCCESS;
+ reply[i].resp = NULL;
+ break;
+ default: /* unknown message style */
+ vfree( (void*) reply );
+ return PAM_CONV_ERR;
+ }
+ *resp = reply;
+ return PAM_SUCCESS;
+}
- if ((cryptpwd = crypt(pwd, pw->pw_passwd)) == NULL)
- return -1;
+int
+xauth_login_system(iph1, usr, pwd)
+ struct ph1handle *iph1;
+ char *usr;
+ char *pwd;
+{
+ pam_handle_t *pamh = NULL;
+ int retval;
+ struct passwd *pw;
+ char * debugpwd = NULL;
+
+ struct pam_conv conv = {
+ checkpw_conv,
+ pwd
+ };
+
+ if( ( pw = getpwnam( usr ) ) == NULL )
+ return -1;
+ if( pw->pw_uid == 0 )
+ return -1;
+
+ retval = pam_start( "racoon", usr, &conv, &pamh );
+ //plog(LLV_ERROR, LOCATION, NULL,
+ // "Set password %s\n", pwd);
+ //retval = pam_set_item( pamh, PAM_AUTHTOK, pwd );
+ //plog(LLV_ERROR, LOCATION, NULL,
+ // "PAM returned %s\n", pam_strerror( pamh, retval ) );
+ //pam_get_item( pamh, PAM_AUTHTOK, (const void**) &debugpwd );
+ //plog(LLV_ERROR, LOCATION, NULL,
+ // "Got password %s\n", debugpwd);
+
+ if( retval == PAM_SUCCESS )
+ retval = pam_authenticate( pamh, 0 );
+ else
+ return -1;
- if (strcmp(cryptpwd, pw->pw_passwd) == 0)
- return 0;
+ if( pam_end( pamh, retval ) != PAM_SUCCESS )
+ return -1;
- return -1;
+ return ( retval == PAM_SUCCESS ? 0 : -1 );
}
+#endif
int
xauth_check(iph1)
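Review bot: At `reply[i].resp = (char*) appdata_ptr;` the conversation callback hands racoon's own `pwd` buffer to PAM as the response, but a module releases every non-NULL `resp` with `free()` after use, so the module will free memory the daemon still owns (and free it twice if two PAM_PROMPT_ECHO_OFF prompts arrive); the response must be a heap copy, `reply[i].resp = strdup((const char *)appdata_ptr);`. The array itself comes from `vmalloc`/`vfree`, which, if these are racoon's vchar_t helpers from vmbuf.h, return a `vchar_t` header rather than raw storage, so the cast to `struct pam_response *` is wrong as well; the rewrite below uses `calloc`/`free`, which is what PAM expects for the response block, and frees partial replies on the error path instead of leaking them. In `xauth_login_system`, the commented-out `plog` calls starting at `// "Set password %s\n", pwd` and the unused `debugpwd` should be deleted rather than left in the tree, since re-enabling them writes cleartext passwords to the log, and a `pam_acct_mgmt(pamh, 0)` call after a successful `pam_authenticate` is needed for locked or expired accounts to be refused. Finally, the `#ifndef HAVE_PAM` half of the hunk removes and re-adds the old body with only whitespace changes; keeping those lines untouched would make the change reviewable.
```c
static int checkpw_conv(int num_msg, const struct pam_message **msg,
    struct pam_response **resp, void *appdata_ptr)
{
	struct pam_response *reply;
	int i;

	if (num_msg <= 0)
		return PAM_CONV_ERR;
	/* PAM frees this block and every non-NULL resp with free(). */
	reply = calloc((size_t)num_msg, sizeof(*reply));
	if (reply == NULL)
		return PAM_BUF_ERR;
	for (i = 0; i < num_msg; i++) {
		reply[i].resp_retcode = PAM_SUCCESS;
		switch (msg[i]->msg_style) {
		case PAM_PROMPT_ECHO_OFF:	/* password prompt */
			reply[i].resp = strdup((const char *)appdata_ptr);
			if (reply[i].resp == NULL)
				goto fail;
			break;
		case PAM_PROMPT_ECHO_ON:	/* user name: already given to pam_start */
		case PAM_TEXT_INFO:
		case PAM_ERROR_MSG:
			reply[i].resp = NULL;
			break;
		default:			/* unknown message style */
			goto fail;
		}
	}
	*resp = reply;
	return PAM_SUCCESS;

fail:
	for (i = 0; i < num_msg; i++)
		free(reply[i].resp);
	free(reply);
	return PAM_CONV_ERR;
}
/* … unchanged: xauth_login_system, minus the commented-out plog calls and debugpwd … */
```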
