Index: /branches/rel_avx_2_7_2/3rdpartyappliance/centos-libnss-ato/README.md
===================================================================
--- /branches/rel_avx_2_7_2/3rdpartyappliance/centos-libnss-ato/README.md	(revision 0)
+++ /branches/rel_avx_2_7_2/3rdpartyappliance/centos-libnss-ato/README.md	(working copy)
@@ -0,0 +1,4 @@
+# libnss-ato
+
+A [libnss-ato](https://github.com/donapieppo/libnss-ato) package
+with patching (to compile on CentOS 7).
Index: /branches/rel_avx_2_7_2/3rdpartyappliance/centos-libnss-ato/SOURCES/avx.patch
===================================================================
--- /branches/rel_avx_2_7_2/3rdpartyappliance/centos-libnss-ato/SOURCES/avx.patch	(revision 0)
+++ /branches/rel_avx_2_7_2/3rdpartyappliance/centos-libnss-ato/SOURCES/avx.patch	(working copy)
@@ -0,0 +1,25 @@
+diff --git a/Makefile b/Makefile
+index 147e0c4..df950d9 100644
+--- a/Makefile
++++ b/Makefile
+@@ -7,6 +7,8 @@ INSTALL = /usr/bin/install
+ INSTALL_PROGRAM = ${INSTALL}
+ INSTALL_DATA = ${INSTALL} -m 644
+ DESTDIR = ""
++CFLAGS = -std=c99
++LDFLAGS = -lc
+ 
+ prefix = "/usr"
+ exec_prefix = ${prefix}
+diff --git a/libnss_ato.c b/libnss_ato.c
+index f2f1c38..ec8dc09 100644
+--- a/libnss_ato.c
++++ b/libnss_ato.c
+@@ -21,6 +21,7 @@
+  *
+  */
+ 
++#define _SVID_SOURCE
+ #include <nss.h>
+ #include <pwd.h>
+ #include <shadow.h>
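Review bot: `CFLAGS = -std=c99` in the Makefile hunk is a plain assignment, and the spec in this commit runs bare `make`, so the NSS module is built without the distribution's %{optflags} (optimisation and hardening flags). Consider `CFLAGS += -std=c99` and passing the RPM flags from %build. `LDFLAGS = -lc` names a library, which normally belongs in LDLIBS after the objects. For `#define _SVID_SOURCE`, a one-line comment saying which declaration it unlocks under -std=c99 would help; glibc 2.20 and later deprecate it in favour of `_DEFAULT_SOURCE`, so defining both keeps the patch usable beyond CentOS 7.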
Index: /branches/rel_avx_2_7_2/3rdpartyappliance/centos-libnss-ato/SOURCES/libnss-ato-0.2.1.tar.gz
===================================================================
Cannot display: file marked as a binary type.
svn:mime-type = application/x-gzip
Index: /branches/rel_avx_2_7_2/3rdpartyappliance/centos-libnss-ato/SOURCES/libnss-ato-0.2.1.tar.gz
===================================================================
--- /branches/rel_avx_2_7_2/3rdpartyappliance/centos-libnss-ato/SOURCES/libnss-ato-0.2.1.tar.gz	(revision 0)
+++ /branches/rel_avx_2_7_2/3rdpartyappliance/centos-libnss-ato/SOURCES/libnss-ato-0.2.1.tar.gz	(working copy)

Property changes on: 3rdpartyappliance/centos-libnss-ato/SOURCES/libnss-ato-0.2.1.tar.gz
___________________________________________________________________
Added: svn:mime-type
## -0,0 +1 ##
+application/x-gzip
\ No newline at end of property
Index: /branches/rel_avx_2_7_2/3rdpartyappliance/centos-libnss-ato/SOURCES/libnss-ato-0.2.1.tar.gz
===================================================================
Cannot display: file marked as a binary type.
svn:mime-type = application/x-gzip
Index: /branches/rel_avx_2_7_2/3rdpartyappliance/centos-libnss-ato/SOURCES/libnss-ato-0.2.1.tar.gz
===================================================================
--- /branches/rel_avx_2_7_2/3rdpartyappliance/centos-libnss-ato/SOURCES/libnss-ato-0.2.1.tar.gz	(revision 0)
+++ /branches/rel_avx_2_7_2/3rdpartyappliance/centos-libnss-ato/SOURCES/libnss-ato-0.2.1.tar.gz	(working copy)

Property changes on: 3rdpartyappliance/centos-libnss-ato/SOURCES/libnss-ato-0.2.1.tar.gz
___________________________________________________________________
Added: svn:mime-type
## -0,0 +1 ##
+application/x-gzip
\ No newline at end of property
Index: /branches/rel_avx_2_7_2/3rdpartyappliance/centos-libnss-ato/SOURCES/libnss-ato-0.2.1.tar.gz
===================================================================
Cannot display: file marked as a binary type.
svn:mime-type = application/x-gzip
Index: /branches/rel_avx_2_7_2/3rdpartyappliance/centos-libnss-ato/SOURCES/libnss-ato-0.2.1.tar.gz
===================================================================
--- /branches/rel_avx_2_7_2/3rdpartyappliance/centos-libnss-ato/SOURCES/libnss-ato-0.2.1.tar.gz	(revision 0)
+++ /branches/rel_avx_2_7_2/3rdpartyappliance/centos-libnss-ato/SOURCES/libnss-ato-0.2.1.tar.gz	(working copy)

Property changes on: 3rdpartyappliance/centos-libnss-ato/SOURCES/libnss-ato-0.2.1.tar.gz
___________________________________________________________________
Added: svn:mime-type
## -0,0 +1 ##
+application/x-gzip
\ No newline at end of property
Index: /branches/rel_avx_2_7_2/3rdpartyappliance/centos-libnss-ato/SOURCES/libnss-ato.conf
===================================================================
--- /branches/rel_avx_2_7_2/3rdpartyappliance/centos-libnss-ato/SOURCES/libnss-ato.conf	(revision 0)
+++ /branches/rel_avx_2_7_2/3rdpartyappliance/centos-libnss-ato/SOURCES/libnss-ato.conf	(working copy)
@@ -0,0 +1,9 @@
+array:x:1006:1000::/home/array:/ca/bin/ca_shell
+
+# Only the first line of this file is parsed.
+# All next lines are comments.
+# You can not set multiple user accounts with this
+# nss module. Use the format as in the standard /etc/passwd.
+# For security reasons: don't use UID or GID under 500,
+# won't work, and in the password field we return
+# always an 'x', regardless what you wrote there...
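Review bot: the first line hard-codes `array:x:1006:1000` with shell /ca/bin/ca_shell, while exauth_on() in sys_cmd.c rewrites /etc/libnss-ato.conf from getpwnam("radius") at run time, so this packaged default names a different account from the one the appliance actually maps to. Either ship the file with the same mapped user the backend creates, or document that it is a placeholder that is always overwritten. If it is meant to be used as-is, something must guarantee that UID 1006 and GID 1000 exist and belong to the intended restricted account, because every unknown user name will resolve to them.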
Index: /branches/rel_avx_2_7_2/3rdpartyappliance/centos-libnss-ato/SPECS/libnss-ato.spec
===================================================================
--- /branches/rel_avx_2_7_2/3rdpartyappliance/centos-libnss-ato/SPECS/libnss-ato.spec	(revision 0)
+++ /branches/rel_avx_2_7_2/3rdpartyappliance/centos-libnss-ato/SPECS/libnss-ato.spec	(working copy)
@@ -0,0 +1,51 @@
+Name: libnss-ato
+Summary: The libnss_ato module is a set of C library extensions which allows to map every nss request for unknown user to a single predefined user.
+Version: 0.2.1
+Release: 1
+Source: %{name}-%{version}.tar.gz
+Vendor: donapieppo
+License: GPL
+ExclusiveOS: linux
+Group: System Environment/Kernel
+Provides: %{name}
+URL: https://github.com/donapieppo/libnss-ato
+BuildRoot: %{_tmppath}/%{name}-%{version}-root
+# do not generate debugging packages by default - newer versions of rpmbuild
+# may instead need:
+#%define debug_package %{nil}
+%debug_package %{nil}
+Requires: kernel, fileutils, findutils, gawk, bash
+
+Patch999001: avx.patch
+ 
+####
+%description
+The libnss_ato module is a set of C library extensions which allows to map every nss request for unknown user to a single predefined user.
+
+%prep
+%setup
+%patch999001 -p1
+
+%build
+make clean
+make
+
+%install
+echo %{BuildRoot}
+
+install -dDm 0755 %{buildroot}/lib/
+install -dDm 0755 %{buildroot}/etc/
+
+install -Dm 644 libnss_ato.so.2 %{buildroot}/lib/libnss_ato-2.3.6.so
+ln -fs libnss_ato-2.3.6.so %{buildroot}/lib/libnss_ato.so.2
+install -Dm 644 libnss-ato.conf %{buildroot}/etc/libnss-ato.conf
+
+%clean
+rm -rf %{buildroot}
+
+%files
+/lib/libnss_ato.so.2
+/lib/libnss_ato-2.3.6.so
+/etc/libnss-ato.conf
+
+%post
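Review bot: in %install, `install -Dm 644 libnss-ato.conf ...` runs inside the unpacked tarball, and the spec declares only `Source:` and `Patch999001:`, so the SOURCES/libnss-ato.conf added in this commit is never referenced and the tarball's own copy is what gets packaged; declare it as an additional Source and install from that if the Array-specific file is intended. The module is installed under /lib rather than %{_libdir}; on x86_64 CentOS 7 glibc loads 64-bit NSS modules from /lib64, so sshd would not find libnss_ato.so.2 there. /etc/libnss-ato.conf should be listed as `%config(noreplace)`, since exauth_on() rewrites it and a package upgrade would otherwise replace the live mapping. The file name libnss_ato-2.3.6.so does not match Version 0.2.1, and the empty %post can be dropped.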
Index: /branches/rel_avx_2_7_2/3rdpartyappliance/centos-openssh/SOURCES/sshd.pam
===================================================================
--- /branches/rel_avx_2_7_2/3rdpartyappliance/centos-openssh/SOURCES/sshd.pam	(revision 8853)
+++ /branches/rel_avx_2_7_2/3rdpartyappliance/centos-openssh/SOURCES/sshd.pam	(working copy)
@@ -1,11 +1,11 @@
 #%PAM-1.0
 auth	   required	pam_sepermit.so
-auth       substack     password-auth
+auth       substack     array-common-auth.pam
 auth       include      postlogin
 # Used with polkit to reauthorize users in remote sessions
 -auth      optional     pam_reauthorize.so prepare
 account    required     pam_nologin.so
-account    include      password-auth
+account    substack     array-common-acct.pam
 password   include      password-auth
 # pam_selinux.so close should be the first session rule
 session    required     pam_selinux.so close
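Review bot: the new `auth substack array-common-auth.pam` and `account substack array-common-acct.pam` lines make every SSH login depend on two files that this change adds under conf/system/ with no visible rule installing them into /etc/pam.d; if either file is missing or unreadable, all SSH authentication fails, so the openssh package should require or ship them. Replacing `password-auth` also drops any other modules that stack carried for auth and account (delay, lockout, a final deny), while `password include password-auth` is left unchanged; please state in the commit which of those behaviours are intentionally given up for SSH logins.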
Index: /branches/rel_avx_2_7_2/3rdpartyappliance/centos-openssh/SPECS/openssh.spec
===================================================================
--- /branches/rel_avx_2_7_2/3rdpartyappliance/centos-openssh/SPECS/openssh.spec	(revision 8853)
+++ /branches/rel_avx_2_7_2/3rdpartyappliance/centos-openssh/SPECS/openssh.spec	(working copy)
@@ -64,7 +64,7 @@
 
 # Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
 %define openssh_ver 6.6.1p1
-%define openssh_rel 25.4
+%define openssh_rel 25.5
 %define pam_ssh_agent_ver 0.9.3
 %define pam_ssh_agent_rel 9
 
Index: /branches/rel_avx_2_7_2/conf/system/array-common-acct.pam
===================================================================
--- /branches/rel_avx_2_7_2/conf/system/array-common-acct.pam	(revision 0)
+++ /branches/rel_avx_2_7_2/conf/system/array-common-acct.pam	(working copy)
@@ -0,0 +1,5 @@
+# RADIUS account (should be mapped to a predefined user)
+account [success=done default=ignore] pam_radius_auth.so debug
+
+# UNIX account
+account [success=done default=bad] pam_unix.so
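Review bot: this shipped default has five lines with the RADIUS rule active, but AVX_CNT_PAM_LINE in sys_cmd.c reports external authentication as "on" whenever `wc -l` is greater than one, so a fresh install shows "on" and consults pam_radius_auth.so before any server has been configured; ship the one-line pam_unix.so form that exauth_off() writes. With `[success=done default=ignore]` first, please confirm what pam_radius_auth.so returns from its account hook for a local user: if it returns success, the stack ends before pam_unix.so evaluates expiry or lock state for that account. The `debug` option should not be in the production default, and exauth_on() regenerates the file without it.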
Index: /branches/rel_avx_2_7_2/conf/system/array-common-auth.pam
===================================================================
--- /branches/rel_avx_2_7_2/conf/system/array-common-auth.pam	(revision 0)
+++ /branches/rel_avx_2_7_2/conf/system/array-common-auth.pam	(working copy)
@@ -0,0 +1,5 @@
+# Use RADIUS authentication
+auth    [success=done default=ignore] pam_radius_auth.so debug
+
+# Use system password-auth for UNIX authentication
+auth    [success=done default=bad] pam_unix.so nullok try_first_pass
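Review bot: `pam_unix.so nullok try_first_pass` on the last line lets a local account with an empty password authenticate over SSH, and it differs from what exauth_on() and exauth_off() write (bare `pam_unix.so`), so behaviour changes the first time the feature is toggled; drop `nullok` and make the generated and packaged forms identical. As in the account file, the RADIUS rule is active in the shipped default and `debug` is left on pam_radius_auth.so. Note also that `default=ignore` sends every RADIUS failure, including an explicit reject, on to pam_unix.so, so local passwords stay valid while RADIUS is enabled; say so in the comment if that fallback is intended.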
Index: /branches/rel_avx_2_7_2/src/backend/sys_cmd.c
===================================================================
--- /branches/rel_avx_2_7_2/src/backend/sys_cmd.c	(revision 8853)
+++ /branches/rel_avx_2_7_2/src/backend/sys_cmd.c	(working copy)
@@ -28,6 +28,7 @@
 #include <sys/sysctl.h>
 #include <sys/param.h>
 #include <sys/utsname.h>
+#include <grp.h>
 #include <ctype.h>
 #include <fcntl.h>
 #include <libgen.h>
@@ -40,6 +41,7 @@
 #include <time.h>
 #include <unistd.h>
 #include <inttypes.h>
+#include <stdint.h>
 #include <poll.h>
 #include <sys/ioctl.h>
 #include <termios.h>
@@ -49,6 +51,7 @@
 #include <syslog.h>
 #include <sys/prctl.h>
 #include <pty.h>
+#include <pwd.h>
 
 #include <json-c/json.h>
 
@@ -57,6 +60,9 @@
 #include <libxml/xpath.h>
 #include <libxml/xpathInternals.h>
 
+#include <openssl/aes.h>
+#include <openssl/evp.h>
+
 #include <feactl/avx_ul.h>
 #include <feactl/apv_feactl.h>
 #include <vtch/vtch.h>
@@ -7017,3 +7023,672 @@
 }
 
 #undef AVX_IF_DESC_CMD_LENGTH
+
+#define AVX_NSS_CONF "/etc/nsswitch.conf"
+#define _AVX_EXAUTH_STR_LEN 64
+
+/* The PAM stacks with
+ * RADIUS authentication enabled appear like the following:
+ *
+ *     <type> [success=done default=ignore] pam_radius_auth.so
+ *     <type> [success=done default=bad] pam_unix.so
+ *
+ * With this setting, PAM will run the following flow:
+ *     1. First check RADIUS users.
+ *         - If user is met in RADIUS, return to the application
+ *           (done by "success=done").
+ *         - If not, go to the next step (done by "default=ignore").
+ *     2. Check UNIX users.
+ *         - It user is met in UNIX, return to the application.
+ *         - If not, abort the whole PAM authentication
+ *           (done by "default=bad").
+ *
+ * As a counterpart, the PAM stacks with RADIUS authentication
+ * disabled appear like the following:
+ *
+ *     <type> [success=done default=bad] pam_unix.so
+ */
+
+#define _AVX_PAM_FIRST_PASS "[success=done default=ignore]"
+#define _AVX_PAM_LAST_PASS "[success=done default=bad]"
+#define _AVX_PAM_USE_RADIUS "pam_radius_auth.so"
+#define _AVX_PAM_USE_UNIX "pam_unix.so"
+
+#define _AVX_WRITE_PAM_CONF(conf, type, BODY)                                  \
+    do {                                                                       \
+        FILE *fp = fopen(conf, "w");                                           \
+        if (!fp) {                                                             \
+            printf("Cannot open %s PAM conf\n", type);                         \
+            goto fail;                                                         \
+        }                                                                      \
+        BODY fclose(fp);                                                       \
+    } while (0)
+
+#define _AVX_WRITE_PASS(type, ctrl, mod)                                       \
+    fprintf(fp, "%s %s %s", type, ctrl, mod)
+
+#define AUTH_PAM "/etc/pam.d/array-common-auth.pam"
+#define ACCT_PAM "/etc/pam.d/array-common-acct.pam"
+static char *__MAPPED_USER = "radius";
+static char *__MAPPED_GRP = "config";
+
+int exauth_on() {
+    _AVX_WRITE_PAM_CONF(
+        AUTH_PAM, "auth",
+        _AVX_WRITE_PASS("auth", _AVX_PAM_FIRST_PASS, _AVX_PAM_USE_RADIUS);
+        fprintf(fp, "\n");
+        _AVX_WRITE_PASS("auth", _AVX_PAM_LAST_PASS, _AVX_PAM_USE_UNIX);
+        fprintf(fp, "\n"););
+
+    _AVX_WRITE_PAM_CONF(
+        ACCT_PAM, "account",
+        _AVX_WRITE_PASS("account", _AVX_PAM_FIRST_PASS, _AVX_PAM_USE_RADIUS);
+        fprintf(fp, "\n");
+        _AVX_WRITE_PASS("account", _AVX_PAM_LAST_PASS, _AVX_PAM_USE_UNIX);
+        fprintf(fp, "\n"););
+
+    /* Add RADIUS mapped user */
+    pid_t pid;
+    int pstat = -1;
+    if(!(pid = fork())) {
+            execl("/usr/sbin/adduser", "adduser", "-s", CA_SHELL,
+                "-g", __MAPPED_GRP, "-d", "/home/radius", "-m", __MAPPED_USER, NULL);
+            _exit(1);
+    }
+    if(pid == -1) {
+        printf("Cannot add RADIUS mapped user\n");
+        return -1;
+    }
+    waitpid(pid, &pstat, 0);
+
+    /* Add RADIUS mapped user configuration */
+    FILE *fp = fopen("/etc/libnss-ato.conf", "w");
+    if(!fp) {
+        printf("Cannot open mapping configuration\n");
+        if(!(pid = fork())) {
+            execl("/usr/sbin/userdel", "userdel", "-f", "-r", __MAPPED_USER, NULL);
+            _exit(1);
+        }
+        if(pid == -1)
+            return -2;
+        waitpid(pid, &pstat, 0);
+        return -1;
+    }
+
+    /* Get RADIUS mapped user information */
+    struct passwd *pw = getpwnam(__MAPPED_USER);
+    fprintf(fp, "%s:x:%d:%d::%s:%s\n",
+            pw->pw_name, pw->pw_uid, pw->pw_gid,
+            pw->pw_dir, pw->pw_shell);
+    fclose(fp);
+
+    /* Activate NSS of RADIUS users */
+    system("sed -i '/^passwd:/s/$/ ato/' " AVX_NSS_CONF);
+    system("sed -i '/^shadow:/s/$/ ato/' " AVX_NSS_CONF);
+    
+    sleep(1);
+
+    return 0;
+
+fail:
+    return -1;
+}
+
+int exauth_off() {
+    _AVX_WRITE_PAM_CONF(
+        AUTH_PAM, "auth",
+        _AVX_WRITE_PASS("auth", _AVX_PAM_LAST_PASS, _AVX_PAM_USE_UNIX);
+        fprintf(fp, "\n"););
+
+    _AVX_WRITE_PAM_CONF(
+        ACCT_PAM, "account",
+        _AVX_WRITE_PASS("account", _AVX_PAM_LAST_PASS, _AVX_PAM_USE_UNIX);
+        fprintf(fp, "\n"););
+
+    /* Deactivate NSS of RADIUS user */
+    system("sed -i '/^passwd:/s/ ato//g' " AVX_NSS_CONF);
+    system("sed -i '/^shadow:/s/ ato//g' " AVX_NSS_CONF);
+
+    /* Delete RADIUS mapped user */
+    pid_t pid;
+    int pstat = -1;
+    if(!(pid = fork())) {
+        execl("/usr/sbin/userdel", "userdel", "-f", "-r", __MAPPED_USER, NULL);
+        _exit(1);
+    }
+    if(pid == -1) {
+        printf("Cannot delete RADIUS mapped user\n");
+        goto fail;
+    }
+    waitpid(pid, &pstat, 0);
+
+    sleep(1);
+
+    return 0;
+
+fail:
+    return -1;
+}
+
+#define _AVX_AES_BLOCK_SZ 16
+#define _AVX_ENCRYPTED_SECRET_LEN 129
+
+/***********************************************************************
+* This func is for changing server secret from plaintext to ciphertext
+* via AES128 encrypt and base64 encode
+*
+* This function is originated from APV rel_apv_10_7 branch revision 38549.
+*
+* secret_in: server secret in plaintext, max length is _AVX_ENCRYPTED_SECRET_LEN
+* secret_out: server secret in ciphertext, this is looger than secret_in
+*             but shorter than 2 times of _AVX_ENCRYPTED_SECRET_LEN
+*
+************************************************************************/
+
+static int
+encrypt_secret(const unsigned char *secret_in, unsigned char *secret_out)
+{
+        AES_KEY aes_key;
+        unsigned char key[_AVX_AES_BLOCK_SZ];
+        unsigned char iv[_AVX_AES_BLOCK_SZ];
+        unsigned char seed_key[11] = "ARRAYCLICK";
+        unsigned char seed_iv[12] = "ARRAYISBEST";
+        unsigned char temp[2 * _AVX_ENCRYPTED_SECRET_LEN];
+        int len;
+        int i;
+
+        memcpy(temp, secret_in, _AVX_ENCRYPTED_SECRET_LEN);
+        len = strlen((char *)temp) + 1;
+
+        if (len % _AVX_AES_BLOCK_SZ != 0) {
+			len = (len / _AVX_AES_BLOCK_SZ + 1) * _AVX_AES_BLOCK_SZ;
+        }
+
+        for (i = 0; i < _AVX_AES_BLOCK_SZ; i++) {
+                key[i] = seed_key[i % sizeof(seed_key)];
+        }
+
+        for (i = 0; i < _AVX_AES_BLOCK_SZ; i++) {
+                iv[i] = seed_iv[i % sizeof(seed_iv)];
+        }
+
+        if (AES_set_encrypt_key(key, 128, &aes_key) < 0) {
+                return -1;
+        }
+
+        AES_cbc_encrypt(secret_in, temp, len, &aes_key, iv, AES_ENCRYPT);
+
+        EVP_EncodeBlock(secret_out, temp, len);
+
+        return 0;
+}
+
+/***********************************************************************
+* This func is for changing server secret from ciphertext to plaintext
+* via base64 decode and AES128 decrypt
+*
+* This function is originated from APV rel_apv_10_7 branch revision 38549.
+*
+* secret_in: server secret in ciphertext, max length is 4/3 times of
+*            _AVX_ENCRYPTED_SECRET_LEN
+* secret_out: server secret in plaintext, this is shorter than _AVX_ENCRYPTED_SECRET_LEN
+*
+************************************************************************/
+
+static int
+decrypt_secret(const unsigned char *secret_in, unsigned char *secret_out)
+{
+        AES_KEY aes_key;
+        unsigned char key[_AVX_AES_BLOCK_SZ];
+        unsigned char iv[_AVX_AES_BLOCK_SZ];
+        unsigned char seed_key[11] = "ARRAYCLICK";
+        unsigned char seed_iv[12] = "ARRAYISBEST";
+        unsigned char temp[2 * _AVX_ENCRYPTED_SECRET_LEN];
+        int len;
+        int i;
+
+        memcpy(temp, secret_in, 2 * _AVX_ENCRYPTED_SECRET_LEN);
+        temp[2 * _AVX_ENCRYPTED_SECRET_LEN - 1] = '\0';
+        len = strlen((char *)temp);
+
+		if (len > (_AVX_ENCRYPTED_SECRET_LEN / 3 * 4)) {
+                return -1;
+        }
+
+        if (len < 24) {
+                /* encrypted secret is 16 Byte at least, after base64 it is 24 */
+                return -1;
+        }
+
+        len = EVP_DecodeBlock(temp, secret_in, len);
+
+        if (len == -1) {
+                return -1;
+        }
+
+        len -= len % _AVX_AES_BLOCK_SZ;
+
+        for (i = 0; i < _AVX_AES_BLOCK_SZ; i++) {
+                key[i] = seed_key[i % sizeof(seed_key)];
+        }
+
+        for (i = 0; i < _AVX_AES_BLOCK_SZ; i++) {
+                iv[i] = seed_iv[i % sizeof(seed_iv)];
+        }
+
+		if (AES_set_decrypt_key(key, 128, &aes_key) < 0) {
+                return -1;
+        }
+
+        AES_cbc_encrypt(temp, secret_out, len, &aes_key, iv, AES_DECRYPT);
+
+        return 0;
+}
+
+#define AVX_RADIUS_CONF "/etc/pam_radius.conf"
+
+const char *AVX_EXAUTH_ENCRYPTED_FLAG = "ENCRYPTED";
+const int RADIUS_TIMEOUT = 3;
+
+int set_radius_server(
+    char *host,
+    uint16_t port,
+    char *secret,
+    char *encrypted_flag) 
+{
+    FILE *fp = fopen(AVX_RADIUS_CONF, "w");
+    if(!fp) {
+        printf("Cannot open RADIUS server config\n");
+        return -1;
+    }
+
+    int encrypt_enabled = strncmp(encrypted_flag, AVX_EXAUTH_ENCRYPTED_FLAG, strlen(AVX_EXAUTH_ENCRYPTED_FLAG));
+    unsigned char d[_AVX_EXAUTH_STR_LEN];
+    if(encrypt_enabled == 0)
+        decrypt_secret((unsigned char *)secret, d);
+
+    struct in6_addr ipv6addr;
+    /* Is IPv6 address*/
+    if(inet_pton(AF_INET6, host, &ipv6addr) == 1){
+    	fprintf(fp, "[%s]:%d %s %d\n", host, port, encrypt_enabled == 0 ? d : secret, RADIUS_TIMEOUT);
+    } else {
+    	fprintf(fp, "%s:%d %s %d\n", host, port, encrypt_enabled == 0 ? d : secret, RADIUS_TIMEOUT);
+    }
+
+    fclose(fp);
+
+    sleep(1);
+
+    return 0;
+}
+
+int unset_radius_server() {
+    system("rm -rf " AVX_RADIUS_CONF);
+
+    sleep(1);
+
+    return 0;
+}
+
+#define _AVX_EXAUTH_PREFIX "admin aaa"
+#define _AVX_EXAUTH_BUF_LEN 1024
+#define _AVX_EXAUTH_STAT _AVX_EXAUTH_PREFIX " %s\n"
+#define _AVX_EXAUTH_PORT_LEN 6
+
+#define _AVX_EXAUTH_PROPS_BASE \
+    _AVX_EXAUTH_PREFIX " server es01 \"%s\" %d \"%s\""
+#define _AVX_EXAUTH_PROPS _AVX_EXAUTH_PROPS_BASE "\n"
+#define _AVX_EXAUTH_PROPS_ENCRYPTED \
+    _AVX_EXAUTH_PROPS_BASE " \"%s\"\n"
+
+#define MAX_LINE_LENGTH 256
+#define MAX_IP_LENGTH 128
+#define MAX_SECRET_LENGTH 64
+
+/* Count the lines in array-common-auth.pam 
+ * to check whether external authentication is on or off
+ * (i.e., one for off, two for on). */
+#define AVX_CNT_PAM_LINE(line_cnt) \
+	do { \
+	    FILE *fp; \
+		char ret[1035]; \
+	    fp = popen("wc -l < " AUTH_PAM, "r"); \
+	    if(!fp) { \
+	        printf("Failed to run cmd\n"); \
+	        goto fail; \
+	    } \
+	    while(fgets(ret, sizeof(ret), fp) != NULL) \
+	        line_cnt = atoi(ret); \
+		pclose(fp); \
+	} while(0)
+
+typedef struct {
+    char host[MAX_IP_LENGTH];
+    int port;
+    char secret[MAX_SECRET_LENGTH];
+    int retries;
+} RadiusConfig;
+
+int parse_pam_radius_conf(const char *filepath, RadiusConfig *config) {
+    FILE *file = fopen(filepath, "r");
+    if (!file) {
+        perror("Failed to open file");
+        return -1;
+    }
+
+    char line[MAX_LINE_LENGTH];
+    if (fgets(line, sizeof(line), file) != NULL) {
+        char *token;
+        char *ip_end;
+
+        /* Find the last colon, which separates IP/Domain and Port */
+        ip_end = strrchr(line, ':');
+        if (ip_end == NULL) {
+            fclose(file);
+            return -1;
+        }
+
+        /* Separate IP/Domain */
+        *ip_end = '\0';
+        strncpy(config->host, line, MAX_IP_LENGTH - 1);
+
+        /* If it's an IPv6 address, remove the surrounding brackets [] */
+        if (config->host[0] == '[') {
+            /* Shift left to remove the opening bracket '[' */
+            memmove(config->host, config->host + 1, strlen(config->host));
+            char *closing_bracket = strchr(config->host, ']');
+            if (closing_bracket) {
+                /* Replace the closing bracket ']' with null terminator */
+                *closing_bracket = '\0';
+            }
+        }
+
+        /* Parse Port */
+        token = ip_end + 1;
+        token = strtok(token, " ");
+        if (token == NULL) {
+            fclose(file);
+            return -1;
+        }
+        config->port = atoi(token);
+
+        /* Parse Secret */
+        token = strtok(NULL, " ");
+        if (token == NULL) {
+            fclose(file);
+            return -1;
+        }
+        strncpy(config->secret, token, MAX_SECRET_LENGTH - 1);
+
+        /* Parse Retries */
+        token = strtok(NULL, " ");
+        if (token == NULL) {
+            fclose(file);
+            return -1;
+        }
+        config->retries = atoi(token);
+
+        fclose(file);
+        return 0;
+    }
+
+    fclose(file);
+    return -1;
+}
+
+char *write_exauth_conf(void) {
+    char *save_exauth;
+    save_exauth = (char *)malloc(sizeof(char) * _AVX_EXAUTH_BUF_LEN);
+    if(!save_exauth) {
+        printf("System error occurred.\n");
+        goto fail;
+    }
+    bzero(save_exauth, _AVX_EXAUTH_BUF_LEN);
+
+    RadiusConfig config;
+    int conf_existed = (access(AVX_RADIUS_CONF, F_OK) == 0);
+    if(conf_existed) {
+        parse_pam_radius_conf(AVX_RADIUS_CONF, &config);
+    }
+   
+    unsigned char e[_AVX_ENCRYPTED_SECRET_LEN];
+    encrypt_secret((unsigned char *)config.secret, e);
+
+	int line_cnt = 0;
+	AVX_CNT_PAM_LINE(line_cnt);	
+
+	int len = 0;
+    int ret;
+#define _(fmt, ...) \
+	do { \
+	    ret = sprintf(save_exauth + len, fmt, __VA_ARGS__); \
+    	len += ret; \
+	} while(0)
+
+    _(_AVX_EXAUTH_STAT, line_cnt > 1 ? "on" : "off");
+	if(conf_existed)
+    	_(_AVX_EXAUTH_PROPS_ENCRYPTED, config.host, config.port, e, AVX_EXAUTH_ENCRYPTED_FLAG);
+#undef _
+
+    return save_exauth;
+
+fail:
+    return NULL;
+}
+
+int show_exauth_all(void) {
+    int line_cnt = 0;
+    AVX_CNT_PAM_LINE(line_cnt);	
+
+    /* Show status of external authentication,
+     * i.e., the line in array-common-auth.pam. */
+    printf(_AVX_EXAUTH_STAT, line_cnt > 1 ? "on" : "off");
+
+    if(access(AVX_RADIUS_CONF, F_OK) == 0) {
+        /* Get RADIUS server attributes */
+        RadiusConfig config;
+        parse_pam_radius_conf(AVX_RADIUS_CONF, &config);
+        printf(_AVX_EXAUTH_PROPS, config.host, config.port, "*****");
+    }
+
+    return 0;
+
+fail:
+    return -1;
+}
+
+int clear_exauth_conf(void) {
+	unset_radius_server();
+	exauth_off();
+}
+
+int
+add_iphost(char *name, char *ipa) {
+    int counter;
+    char buf1[MAXLEN], buf2[MAXLEN], *tmpip, *tmpname, *comment;
+    FILE *fpr, *fpw;
+    struct in6_addr in6;
+
+    if (name == NULL || *name == '\0') {
+        printf("Invalid hostname, hostname is not allowed to be empty\n");
+        return (-1);
+    }
+    if (name != NULL) {
+        if (strchr(name, ' ')) {
+        printf("Invalid hostname, space is not permited\n");
+        return (-1);
+        }
+    }
+
+    fpr = fopen(HOSTSFILE, "r");
+    fpw = fopen(TMPHOSTS, "w");
+
+    if (!name || !*name || !fpr || !fpw) {
+        if (fpr)
+            fclose(fpr);
+        if (fpw)
+            fclose(fpw);
+        return (-1);
+    }
+
+    if (strchr(ipa, '.')) {
+        if (strcmp(ipa, "0.0.0.0")==0 || strcmp(ipa, "255.255.255.255")==0) {
+            printf("Please specify a unicast IP address\n");
+            return (-1);
+        }
+    } else {
+        if(inet_pton(AF_INET6, ipa, &in6) != 1) {
+            printf("IPv6 Address format error\n");
+            return (-1);
+        }
+        if(IN6_IS_ADDR_MULTICAST(&in6) ||
+           IN6_IS_ADDR_LOOPBACK(&in6) ||
+           IN6_IS_ADDR_V4COMPAT(&in6) ||
+           IN6_IS_ADDR_LINKLOCAL(&in6) ||
+           IN6_IS_ADDR_UNSPECIFIED(&in6)) {
+            printf("Please specify a unicast IP address\n");
+            return (-1);
+        }
+    }
+
+    counter = 0;
+    while (fgets(buf1, MAXLEN, fpr)) {
+        strcpy(buf2, buf1); /* make a copy of current line */
+        tmpip   = strtok(buf2, SEP);
+        tmpname = strtok(NULL, SEP);
+        comment = strtok(NULL, SEP);
+
+        if (!tmpname || !tmpip || !*tmpname || !tmpip || !comment) {
+            fprintf(fpw, "%s", buf1);
+            continue;
+        }
+        if (strcmp(ipa, tmpip) || strcmp(name, tmpname)
+            || strcmp(ARRAYOS, comment))
+            fprintf(fpw, "%s", buf1);
+        if (strcmp(ARRAYOS, comment) == 0)
+            counter++;
+    }
+
+    if (counter >= HOSTSLIMIT) {
+        fclose(fpr);
+        fclose(fpw);
+        unlink(TMPHOSTS);
+        printf("ip host entry reaches limitation!\n");
+        sync();
+        return (-1);
+    }
+
+    fprintf(fpw, "%s %s %s\n", ipa, name, ARRAYOS);
+    fclose(fpr);
+    fsync(fileno(fpw));
+    fclose(fpw);
+    rename(TMPHOSTS, HOSTSFILE);
+
+    return (0);
+}
+
+int
+del_iphost(char *name, char *ipa) {
+    char buf1[MAXLEN], buf2[MAXLEN], *tmpip, *tmpname, *comment;
+    FILE *fpr, *fpw;
+    int done = 0;
+
+    fpr = fopen(HOSTSFILE, "r");
+    fpw = fopen(TMPHOSTS, "w");
+
+    if (!fpr || !fpw) {
+        if (fpr) fclose(fpr);
+        if (fpw) fclose(fpw);
+        return (-1);
+    }
+    tmpname = NULL;
+
+    while (fgets(buf1, MAXLEN, fpr)) {
+        strcpy(buf2, buf1); /* make a copy of current line */
+        tmpip   = strtok(buf2, SEP);
+        tmpname = strtok(NULL, SEP);
+        comment = strtok(NULL, SEP);
+
+        if (!tmpname || !tmpip || !*tmpname || !*tmpip || !comment) {
+            fprintf(fpw, "%s", buf1);
+            continue;
+        }
+        if (!name && !strcmp(ARRAYOS, comment)) {
+            done = 1;
+            continue;
+        }
+        if (strlen(ipa)!=0 && name && !strcmp(name, tmpname) &&
+            !strcmp(ARRAYOS, comment) && !strcmp(ipa, tmpip)) {
+            done = 1;
+            continue;
+        }
+        if (strlen(ipa)==0 && name && !strcmp(name, tmpname) &&
+            !strcmp(ARRAYOS, comment)) {
+            done = 1;
+            continue;
+        }
+        fprintf(fpw, "%s", buf1);
+    }
+
+    fclose(fpr);
+    fsync(fileno(fpw));
+    fclose(fpw);
+
+    if (done) {
+        rename(TMPHOSTS, HOSTSFILE);
+    } else {
+        if (name && strlen(ipa)==0)
+            printf("Hostname %s not found\n", name);
+        if (name && strlen(ipa)!=0)
+            printf("Hostname entry \"%s %s\" not found\n", name, ipa);
+        unlink(TMPHOSTS);
+    }
+
+    return (0);
+}
+
+int clear_iphost(void) {
+    return (del_iphost(NULL, ""));
+}
+
+char *write_iphost(void) {
+    char buf1[MAXLEN], *buf, *tmpip, *tmpname, *comment;
+    FILE *fpr;
+    int idx = 0;
+
+    fpr = fopen(HOSTSFILE, "r");
+    if (!fpr)
+        return (NULL);
+
+    buf = malloc(8 * BUFSIZ);
+    if (!buf)
+        return (buf);
+    buf[0] = 0;
+
+    while (fgets(buf1, MAXLEN, fpr)) {
+        tmpip   = strtok(buf1, SEP);
+        tmpname = strtok(NULL, SEP);
+        comment = strtok(NULL, SEP);
+
+        if (tmpip && tmpname && comment && !strcmp(comment, ARRAYOS))
+            idx += snprintf(buf+idx, (8*BUFSIZ)-idx,
+                "ip host \"%s\" %s\n", tmpname, tmpip);
+    }
+
+    fclose(fpr);
+
+    return (buf);
+}
+
+int show_iphost(void)
+{
+    char *buf;
+
+    buf = write_iphost();
+    if (buf) {
+        printf("%s", buf);
+        free(buf);
+    }
+
+    return (0);
+}
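Review bot: In write_exauth_conf, `encrypt_secret((unsigned char *)config.secret, e)` runs even when `conf_existed` is false, so it reads an uninitialized `RadiusConfig` from the stack; move the call inside the `if(conf_existed)` branch or zero-initialize `config`. The `_()` macro appends with an unbounded `sprintf` into a buffer of `_AVX_EXAUTH_BUF_LEN` bytes; use `snprintf` with the remaining length and stop on truncation. In add_iphost, the three `return (-1)` paths in the address checks leave `fpr` and `fpw` open and the temporary file in place, so validate `name` and `ipa` before the `fopen` calls. The IPv4 branch only looks for a '.' and two special addresses while the IPv6 branch parses with `inet_pton`, and the hostname check rejects only a space, so other whitespace or a '#' reaches the hosts line unchanged; parse IPv4 with `inet_pton(AF_INET, ...)` and restrict the hostname to an allowed character set. Smaller points: the skip test in add_iphost repeats `!tmpip` where del_iphost has `!*tmpip`, clear_exauth_conf is declared `int` but returns nothing, the result of `rename` is ignored in both add_iphost and del_iphost, and write_iphost leaks `fpr` when `malloc` fails and keeps adding the `snprintf` return to `idx` without checking that it stayed below `8*BUFSIZ`.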
Index: /branches/rel_avx_2_7_2/src/backend/sys_tool.h
===================================================================
--- /branches/rel_avx_2_7_2/src/backend/sys_tool.h	(revision 8853)
+++ /branches/rel_avx_2_7_2/src/backend/sys_tool.h	(working copy)
@@ -72,6 +72,11 @@
 extern char* write_system_interactive(void);
 extern char* write_if_shutdown(void);
 extern char* write_if_description(void);
+extern char* write_exauth_conf(void);
+extern char* write_iphost(void);
+
+extern int show_exauth_all(void);
+
 extern int clear_nameserver(char *ip);
 extern int clear_iphost(void);
 extern int ui_clear_supportip(void);
@@ -229,4 +234,6 @@
 
 int clear_all_va_backup();
 
+extern int clear_exauth_conf(void);
+
 #endif  /*_SYS_TOOL_*/
Index: /branches/rel_avx_2_7_2/src/backend/sys_tool.c
===================================================================
--- /branches/rel_avx_2_7_2/src/backend/sys_tool.c	(revision 8853)
+++ /branches/rel_avx_2_7_2/src/backend/sys_tool.c	(working copy)
@@ -255,6 +255,11 @@
         "#ip configuration"
     },
     {
+        write_iphost,
+        CMD_NORMAL | CMD_ARRAYOS | CMD_GLOBAL,
+        "#ip host configuration" 
+    },
+    {
         write_bond,
         CMD_NORMAL | CMD_ARRAYOS | CMD_GLOBAL,
         "#bond configuration"
@@ -358,6 +363,11 @@
         CMD_NORMAL | CMD_ARRAYOS | CMD_GLOBAL,
         "#interface description"
     },
+    {
+        write_exauth_conf,
+        CMD_NORMAL | CMD_ARRAYOS | CMD_GLOBAL,
+        "#admin aaa configuration"
+    },
     /*last entry is empty*/
     {
         NULL,
@@ -435,8 +445,14 @@
         clear_ssh,
         CMD_NORMAL | CMD_ARRAYOS | CMD_GLOBAL
     },
-
-
+    {
+        clear_exauth_conf,
+        CMD_NORMAL | CMD_ARRAYOS | CMD_GLOBAL
+    },
+    {
+        clear_iphost,
+        CMD_NORMAL | CMD_ARRAYOS | CMD_GLOBAL
+    },
     /*last entry is empty*/
     {
         NULL,
@@ -569,6 +585,14 @@
         clear_passthrough_port_rpc,
         CMD_NORMAL | CMD_ARRAYOS
     },
+    {
+        clear_exauth_conf,
+        CMD_NORMAL | CMD_ARRAYOS
+    },
+    {
+        clear_iphost,
+        CMD_NORMAL | CMD_ARRAYOS | CMD_GLOBAL
+    },
     /*last entry is empty*/
     {
         NULL,
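Review bot: In this table clear_iphost is registered with `CMD_GLOBAL` while clear_exauth_conf just above it and the existing clear_passthrough_port_rpc entry use `CMD_NORMAL | CMD_ARRAYOS` only, whereas in the earlier table both new entries carry `CMD_GLOBAL`. If the difference is intentional, a comment saying why would help; otherwise make the two new entries consistent with the table they are added to.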
Index: /branches/rel_avx_2_7_2/src/generator/commands.pm
===================================================================
--- /branches/rel_avx_2_7_2/src/generator/commands.pm	(revision 8853)
+++ /branches/rel_avx_2_7_2/src/generator/commands.pm	(working copy)
@@ -698,6 +698,45 @@
 	},
 	{
 		obj_type => "ITEM",
+		name => "host",
+		menu => "root_ip",
+		cmd_attribute => "CMD_ARRAYOS|CMD_NORMAL",
+		user_level => "CLI_LEVEL_CONFIG",
+		help_string => "Add Hostname/IP",
+		function_name => "add_iphost",
+		function_args => [ {
+				type => "STRING",
+				help_string => "Hostname",
+				optional => "NO",
+			},
+			{
+				type => "IPADDR",
+				help_string => "Host IP",
+				optional => "NO",
+			}, ],
+	},
+	{
+                obj_type => "ITEM",
+                name => "host",
+                menu => "root_no_ip",
+                help_string => "Remove Hostname/IP",
+                cmd_attribute => "CMD_ARRAYOS|CMD_NORMAL",
+                user_level => "CLI_LEVEL_CONFIG",
+                function_name => "del_iphost",
+                function_args => [ {
+			type => "STRING",
+			help_string => "Hostname",
+			optional => "NO",
+			},
+			{
+				type => "IPADDR",
+				help_string => "Host IP",
+				optional => "YES",
+				default_value => "\"\"",
+			}, ],
+	},
+	{
+		obj_type => "ITEM",
 		name => "address",
 		cmd_attribute => "CMD_ARRAYOS|CMD_NORMAL",
 		user_level => "CLI_LEVEL_ENABLE",
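Review bot: The `no ip host` entry (function_name del_iphost) is indented with spaces for its first keys and with tabs inside `function_args`, unlike the tab-indented `ip host` entry above it; re-indent it with tabs to match the rest of the file. Both entries take the hostname as a free-form `STRING`, so all validation rests on add_iphost and del_iphost; a comment here pointing to that check would help the next reader.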
@@ -717,6 +756,16 @@
 		function_args => [],
 	},
 	{
+		obj_type => "ITEM",
+		name => "host",
+		help_string => "Display Hostnames/IP",
+		cmd_attribute => "CMD_ARRAYOS|CMD_NORMAL",
+		user_level => "CLI_LEVEL_ENABLE",
+		menu => "root_show_ip",
+		function_name => "show_iphost",
+		function_args => [],
+	},
+	{
                 obj_type => "MENU",
 		parent_menu => "root_show",
                 name => "va",
@@ -1748,6 +1797,53 @@
 	},
 	{
 		obj_type => "MENU",
+		name => "admin",
+		parent_menu => "root_clear",
+		uniq_name => "root_clear_admin",
+		cmd_attribute => "CMD_ARRAYOS|CMD_NORMAL",
+		user_level => "CLI_LEVEL_CONFIG",
+		help_string => "Clear administration configurations",
+	},
+	{
+		obj_type => "MENU",
+		name => "ip",
+		cmd_attribute => "CMD_ARRAYOS|CMD_NORMAL",
+		user_level => "CLI_LEVEL_CONFIG",
+		parent_menu => "root_clear",
+		uniq_name => "root_clear_ip",
+		help_string => "Clear IP related configurations",
+	},
+	{
+		obj_type => "ITEM",
+		name => "host",
+		menu => "root_clear_ip",
+		cmd_attribute => "CMD_ARRAYOS|CMD_GLOBAL",
+		user_level => "CLI_LEVEL_CONFIG",
+		help_string => "Clear Hostnames/IP",
+		function_name => "clear_iphost",
+		function_args => [],
+	},
+	{
+		obj_type => "MENU",
+		name => "aaa",
+		parent_menu => "root_clear_admin",
+		uniq_name => "root_clear_admin_aaa",
+		cmd_attribute => "CMD_ARRAYOS|CMD_NORMAL",
+		user_level => "CLI_LEVEL_CONFIG",
+		help_string => "Clear external authentication configurations",
+	},
+	{
+		obj_type => "ITEM",
+		name => "all",
+		menu => "root_clear_admin_aaa",
+		help_string => "Clear all external authentication configurations",
+		cmd_attribute => "CMD_ARRAYOS|CMD_NORMAL|CMD_GLOBAL",
+		user_level => "CLI_LEVEL_CONFIG",
+		function_name => "clear_exauth_conf",
+		function_args => [],
+	},
+	{
+		obj_type => "MENU",
 		name => "alert",
 		parent_menu => "root_no_ha",
 		uniq_name => "root_no_ha_alert",
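Review bot: The `clear ip host` item sets `cmd_attribute => "CMD_ARRAYOS|CMD_GLOBAL"` without `CMD_NORMAL`, while every other entry in this hunk includes it and the clear_iphost entries added to sys_tool.c use `CMD_NORMAL | CMD_ARRAYOS | CMD_GLOBAL`. Add `CMD_NORMAL` or note why this item differs.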
@@ -7249,6 +7345,151 @@
             optional => "NO",
         }, ],
     },
+    {
+        obj_type => "MENU",
+        name => "admin",
+        parent_menu => ".",
+        uniq_name => "root_admin",
+        cmd_attribute => "CMD_ARRAYOS|CMD_NORMAL",
+        user_level => "CLI_LEVEL_CONFIG",
+        help_string => "Administration configuration",
+    },
+    {
+        obj_type => "MENU",
+        name => "aaa",
+        parent_menu => "root_admin",
+        uniq_name => "root_admin_aaa",
+        cmd_attribute => "CMD_ARRAYOS|CMD_NORMAL",
+        user_level => "CLI_LEVEL_CONFIG",
+        help_string => "External authentication configuration",
+    },
+    {
+        obj_type => "MENU",
+        name => "server",
+        parent_menu => "root_admin_aaa",
+        uniq_name => "root_admin_server_aaa",
+        cmd_attribute => "CMD_ARRAYOS|CMD_NORMAL",
+        user_level => "CLI_LEVEL_CONFIG",
+        help_string => "External authentication server configuration",
+    },
+    {
+        obj_type => "ITEM",
+        name => "es01",
+        menu => "root_admin_server_aaa",
+        help_string => "Configure external RADIUS authentication server",
+        cmd_attribute => "CMD_ARRAYOS|CMD_NORMAL|CMD_GLOBAL|CMD_SPECIAL_LOG",
+        user_level => "CLI_LEVEL_CONFIG",
+        function_name => "set_radius_server",
+        function_args => [
+            {
+                type => "STRING",
+                help_string => "Host name or ip address",
+                optional => "NO",
+            },
+            {
+                type => "U16",
+                help_string => "Port",
+                optional => "NO",
+            },
+            {
+                type => "STRING",
+                help_string => "Secret",
+                optional => "YES",
+                default_value => "\"\"",
+            },
+            {
+                type => "STRING",
+                help_string => "",
+                optional => "YES",
+                default_value => "\"\"",
+            },
+        ],
+    },
+    {
+        obj_type => "MENU",
+        name => "admin",
+        parent_menu => "root_no",
+        uniq_name => "root_no_admin",
+        cmd_attribute => "CMD_ARRAYOS|CMD_NORMAL",
+        user_level => "CLI_LEVEL_CONFIG",
+        help_string => "Delete administration configurations",
+    },
+	{
+        obj_type => "MENU",
+        name => "aaa",
+        parent_menu => "root_no_admin",
+        uniq_name => "root_no_admin_aaa_server",
+        cmd_attribute => "CMD_ARRAYOS|CMD_NORMAL",
+        user_level => "CLI_LEVEL_ENABLE",
+        help_string => "Delete external authentication configurations",
+    },
+    {
+        obj_type => "MENU",
+        name => "server",
+        parent_menu => "root_no_admin_aaa_server",
+        uniq_name => "root_no_admin_aaa",
+        help_string => "Delete external authentication server",
+        cmd_attribute => "CMD_ARRAYOS|CMD_NORMAL|CMD_GLOBAL",
+        user_level => "CLI_LEVEL_CONFIG",
+    },
+	{
+        obj_type => "ITEM",
+        name => "es01",
+        menu => "root_no_admin_aaa",
+        help_string => "Delete external RADIUS authentication server",
+        cmd_attribute => "CMD_ARRAYOS|CMD_NORMAL|CMD_GLOBAL|CMD_SPECIAL_LOG",
+        user_level => "CLI_LEVEL_CONFIG",
+        function_name => "unset_radius_server",
+        function_args => [],
+    },
+    {
+        obj_type => "ITEM",
+        name => "on",
+        menu => "root_admin_aaa",
+        help_string => "Turn on external authentication",
+        cmd_attribute => "CMD_ARRAYOS|CMD_NORMAL|CMD_GLOBAL",
+        user_level => "CLI_LEVEL_CONFIG",
+        function_name => "exauth_on",
+        function_args => [],
+    },
+    {
+        obj_type => "ITEM",
+        name => "off",
+        menu => "root_admin_aaa",
+        help_string => "Turn off external authentication",
+        cmd_attribute => "CMD_ARRAYOS|CMD_NORMAL|CMD_GLOBAL",
+        user_level => "CLI_LEVEL_CONFIG",
+        function_name => "exauth_off",
+        function_args => [],
+    },
+    {
+        obj_type => "MENU",
+        name => "admin",
+        parent_menu => "root_show",
+        uniq_name => "root_show_admin",
+        cmd_attribute => "CMD_ARRAYOS|CMD_NORMAL",
+        user_level => "CLI_LEVEL_ENABLE",
+        help_string => "Display administration configurations",
+    },
+    {
+        obj_type => "MENU",
+        name => "aaa",
+        parent_menu => "root_show_admin",
+        uniq_name => "root_show_admin_aaa",
+        cmd_attribute => "CMD_ARRAYOS|CMD_NORMAL",
+        user_level => "CLI_LEVEL_ENABLE",
+        help_string => "Display external authentication configurations",
+    },
+    {
+        obj_type => "ITEM",
+        name => "all",
+        menu => "root_show_admin_aaa",
+        help_string => "Display all external authentication configurations",
+        cmd_attribute => "CMD_ARRAYOS|CMD_NORMAL|CMD_GLOBAL",
+        user_level => "CLI_LEVEL_ENABLE",
+        function_name => "show_exauth_all",
+        function_args => [],
+    },
 );
 
 # This method is required to expost the command table to the caller.
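Review bot: In the `es01` item for set_radius_server, the fourth argument has `help_string => ""`, so the CLI gives no hint what it is for, and the Secret argument is optional with `default_value => "\"\""`, which allows a server to be configured with an empty shared secret unless set_radius_server rejects it. Give the fourth argument a help string, and either make the secret mandatory or document where the empty case is refused. The uniq_names in the `no admin aaa` branch look swapped (`root_no_admin_aaa_server` names the `aaa` menu and `root_no_admin_aaa` names the `server` menu), that `aaa` menu is `CLI_LEVEL_ENABLE` under a `CLI_LEVEL_CONFIG` parent, and two entries open with a tab-indented `{` in an otherwise space-indented block.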
Index: /branches/rel_avx_2_7_2/src/webui/webui/exfiles/python/lib/pam.py
===================================================================
--- /branches/rel_avx_2_7_2/src/webui/webui/exfiles/python/lib/pam.py	(revision 0)
+++ /branches/rel_avx_2_7_2/src/webui/webui/exfiles/python/lib/pam.py	(working copy)
@@ -0,0 +1,224 @@
+# (c) 2007 Chris AtLee <chris@atlee.ca>
+# Licensed under the MIT license:
+# http://www.opensource.org/licenses/mit-license.php
+#
+# Original author: Chris AtLee
+#
+# Modified by David Ford, 2011-12-6
+# added py3 support and encoding
+# added pam_end
+# added pam_setcred to reset credentials after seeing Leon Walker's remarks
+# added byref as well
+# use readline to prestuff the getuser input
+
+'''
+PAM module for python
+
+Provides an authenticate function that will allow the caller to authenticate
+a user against the Pluggable Authentication Modules (PAM) on the system.
+
+Implemented using ctypes, so no compilation is necessary.
+'''
+
+__all__      = ['pam']
+__version__  = '1.8.4'
+__author__   = 'David Ford <david@blue-labs.org>'
+__released__ = '2018 June 15'
+
+import sys
+
+from ctypes import CDLL, POINTER, Structure, CFUNCTYPE, cast, byref, sizeof
+from ctypes import c_void_p, c_size_t, c_char_p, c_char, c_int
+from ctypes import memmove
+from ctypes.util import find_library
+
+class PamHandle(Structure):
+    """wrapper class for pam_handle_t pointer"""
+    _fields_ = [ ("handle", c_void_p) ]
+
+    def __init__(self):
+        Structure.__init__(self)
+        self.handle = 0
+
+class PamMessage(Structure):
+    """wrapper class for pam_message structure"""
+    _fields_ = [ ("msg_style", c_int), ("msg", c_char_p) ]
+
+    def __repr__(self):
+        return "<PamMessage %i '%s'>" % (self.msg_style, self.msg)
+
+class PamResponse(Structure):
+    """wrapper class for pam_response structure"""
+    _fields_ = [ ("resp", c_char_p), ("resp_retcode", c_int) ]
+
+    def __repr__(self):
+        return "<PamResponse %i '%s'>" % (self.resp_retcode, self.resp)
+
+conv_func = CFUNCTYPE(c_int, c_int, POINTER(POINTER(PamMessage)), POINTER(POINTER(PamResponse)), c_void_p)
+
+class PamConv(Structure):
+    """wrapper class for pam_conv structure"""
+    _fields_ = [ ("conv", conv_func), ("appdata_ptr", c_void_p) ]
+
+# Various constants
+PAM_PROMPT_ECHO_OFF       = 1
+PAM_PROMPT_ECHO_ON        = 2
+PAM_ERROR_MSG             = 3
+PAM_TEXT_INFO             = 4
+PAM_REINITIALIZE_CRED     = 8
+
+libc                      = CDLL(find_library("c"))
+libpam                    = CDLL(find_library("pam"))
+
+calloc                    = libc.calloc
+calloc.restype            = c_void_p
+calloc.argtypes           = [c_size_t, c_size_t]
+
+# bug #6 (@NIPE-SYSTEMS), some libpam versions don't include this function
+if hasattr(libpam, 'pam_end'):
+    pam_end                   = libpam.pam_end
+    pam_end.restype           = c_int
+    pam_end.argtypes          = [PamHandle, c_int]
+
+pam_start                 = libpam.pam_start
+pam_start.restype         = c_int
+pam_start.argtypes        = [c_char_p, c_char_p, POINTER(PamConv), POINTER(PamHandle)]
+
+pam_setcred               = libpam.pam_setcred
+pam_setcred.restype       = c_int
+pam_setcred.argtypes      = [PamHandle, c_int]
+
+pam_strerror              = libpam.pam_strerror
+pam_strerror.restype      = c_char_p
+pam_strerror.argtypes     = [PamHandle, c_int]
+
+pam_authenticate          = libpam.pam_authenticate
+pam_authenticate.restype  = c_int
+pam_authenticate.argtypes = [PamHandle, c_int]
+
+class pam():
+    code   = 0
+    reason = None
+
+    def __init__(self):
+        pass
+
+    def authenticate(self, username, password, service='login', encoding='utf-8', resetcreds=True):
+        """username and password authentication for the given service.
+
+           Returns True for success, or False for failure.
+
+           self.code (integer) and self.reason (string) are always stored and may
+           be referenced for the reason why authentication failed. 0/'Success' will
+           be stored for success.
+
+           Python3 expects bytes() for ctypes inputs.  This function will make
+           necessary conversions using the supplied encoding.
+
+        Inputs:
+          username: username to authenticate
+          password: password in plain text
+          service:  PAM service to authenticate against, defaults to 'login'
+
+        Returns:
+          success:  True
+          failure:  False
+        """
+
+        @conv_func
+        def my_conv(n_messages, messages, p_response, app_data):
+            """Simple conversation function that responds to any
+               prompt where the echo is off with the supplied password"""
+            # Create an array of n_messages response objects
+            addr = calloc(n_messages, sizeof(PamResponse))
+            response = cast(addr, POINTER(PamResponse))
+            p_response[0] = response
+            for i in range(n_messages):
+                if messages[i].contents.msg_style == PAM_PROMPT_ECHO_OFF:
+                    dst = calloc(len(password)+1, sizeof(c_char))
+                    memmove(dst, cpassword, len(password))
+                    response[i].resp = dst
+                    response[i].resp_retcode = 0
+            return 0
+
+        # python3 ctypes prefers bytes
+        if sys.version_info >= (3,):
+            if isinstance(username, str): username = username.encode(encoding)
+            if isinstance(password, str): password = password.encode(encoding)
+            if isinstance(service, str):  service  = service.encode(encoding)
+        else:
+            if isinstance(username, unicode):
+                username = username.encode(encoding)
+            if isinstance(password, unicode):
+                password = password.encode(encoding)
+            if isinstance(service, unicode):
+                service  = service.encode(encoding)
+
+        if b'\x00' in username or b'\x00' in password or b'\x00' in service:
+            self.code = 4  # PAM_SYSTEM_ERR in Linux-PAM
+            self.reason = 'strings may not contain NUL'
+            return False
+
+        # do this up front so we can safely throw an exception if there's
+        # anything wrong with it
+        cpassword = c_char_p(password)
+
+        handle = PamHandle()
+        conv   = PamConv(my_conv, 0)
+        retval = pam_start(service, username, byref(conv), byref(handle))
+
+        if retval != 0:
+            # This is not an authentication error, something has gone wrong starting up PAM
+            self.code   = retval
+            self.reason = "pam_start() failed"
+            return False
+
+        retval = pam_authenticate(handle, 0)
+        auth_success = retval == 0
+
+        if auth_success and resetcreds:
+            retval = pam_setcred(handle, PAM_REINITIALIZE_CRED);
+
+        # store information to inform the caller why we failed
+        self.code   = retval
+        self.reason = pam_strerror(handle, retval)
+        if sys.version_info >= (3,):
+            self.reason = self.reason.decode(encoding)
+
+        if hasattr(libpam, 'pam_end'):
+            pam_end(handle, retval)
+
+        return auth_success
+
+
+def authenticate(*vargs, **dargs):
+    """
+    Compatibility function for older versions of python-pam.
+    """
+    return pam().authenticate(*vargs, **dargs)
+
+
+if __name__ == "__main__":
+    import readline, getpass
+
+    def input_with_prefill(prompt, text):
+        def hook():
+            readline.insert_text(text)
+            readline.redisplay()
+        readline.set_pre_input_hook(hook)
+
+        if sys.version_info >= (3,):
+            result = input(prompt)
+        else:
+            result = raw_input(prompt)
+
+        readline.set_pre_input_hook()
+        return result
+
+    pam = pam()
+
+    username = input_with_prefill('Username: ', getpass.getuser())
+
+    # enter a valid username and an invalid/valid password, to verify both failure and success
+    pam.authenticate(username, getpass.getpass())
+    print('{} {}'.format(pam.code, pam.reason))
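Review bot: `authenticate()` treats a zero return from `pam_authenticate` as success and never calls `pam_acct_mgmt`, so account-level restrictions in the PAM stack (expiry, lockout, access rules) are not evaluated for callers of this module; if the web UI relies on it for login, add the account check or document that the caller must perform it. When `pam_setcred` fails after a successful authentication the method still returns True while `self.code` and `self.reason` report the setcred error, which is easy to misread at the call site. Callers should also pass the appliance's own PAM service name rather than rely on the default `service='login'`. Since this is a vendored copy of python-pam 1.8.4, record any local change as a patch against upstream rather than editing the file in place.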
Index: /branches/rel_avx_2_7_2/src/webui/webui/exfiles/python/lib/python_pam-1.8.4.dist-info/DESCRIPTION.rst
===================================================================
--- /branches/rel_avx_2_7_2/src/webui/webui/exfiles/python/lib/python_pam-1.8.4.dist-info/DESCRIPTION.rst	(revision 0)
+++ /branches/rel_avx_2_7_2/src/webui/webui/exfiles/python/lib/python_pam-1.8.4.dist-info/DESCRIPTION.rst	(working copy)
@@ -0,0 +1,49 @@
+python-pam
+==========
+
+Python pam module supporting py3 (and py2)
+
+Commandline example:
+
+```
+[david@Scott python-pam]$ python pam.py
+Username: david
+Password: 
+0 Success
+
+[david@Scott python-pam]$ python2 pam.py
+Username: david
+Password: 
+0 Success
+```
+
+Inline examples:
+```
+[david@Scott python-pam]$ python
+Python 3.4.1 (default, May 19 2014, 17:23:49)
+[GCC 4.9.0 20140507 (prerelease)] on linux
+Type "help", "copyright", "credits" or "license" for more information.
+>>> import pam
+>>> p = pam.pam()
+>>> p.authenticate('david', 'correctpassword')
+True
+>>> p.authenticate('david', 'badpassword')
+False
+>>> p.authenticate('david', 'correctpassword', service='login')
+True
+>>> p.authenticate('david', 'correctpassword', service='unknownservice')
+False
+>>> p.authenticate('david', 'correctpassword', service='login', resetcreds=True)
+True
+>>> p.authenticate('david', 'correctpassword', encoding='latin-1')
+True
+>>> print('{} {}'.format(p.code, p.reason))
+0 Success
+>>> p.authenticate('david', 'badpassword')
+False
+>>> print('{} {}'.format(p.code, p.reason))
+7 Authentication failure
+>>>
+```
+
+
Index: /branches/rel_avx_2_7_2/src/webui/webui/exfiles/python/lib/python_pam-1.8.4.dist-info/INSTALLER
===================================================================
--- /branches/rel_avx_2_7_2/src/webui/webui/exfiles/python/lib/python_pam-1.8.4.dist-info/INSTALLER	(revision 0)
+++ /branches/rel_avx_2_7_2/src/webui/webui/exfiles/python/lib/python_pam-1.8.4.dist-info/INSTALLER	(working copy)
@@ -0,0 +1 @@
+pip
Index: /branches/rel_avx_2_7_2/src/webui/webui/exfiles/python/lib/python_pam-1.8.4.dist-info/METADATA
===================================================================
--- /branches/rel_avx_2_7_2/src/webui/webui/exfiles/python/lib/python_pam-1.8.4.dist-info/METADATA	(revision 0)
+++ /branches/rel_avx_2_7_2/src/webui/webui/exfiles/python/lib/python_pam-1.8.4.dist-info/METADATA	(working copy)
@@ -0,0 +1,76 @@
+Metadata-Version: 2.0
+Name: python-pam
+Version: 1.8.4
+Summary: Python PAM module using ctypes, py3/py2
+Home-page: https://github.com/FirefighterBlu3/python-pam
+Author: David Ford
+Author-email: david@blue-labs.org
+Maintainer: David Ford
+Maintainer-email: david@blue-labs.org
+License: License :: OSI Approved :: MIT License
+Download-URL: https://github.com/FirefighterBlu3/python-pam
+Platform: i686
+Platform: x86_64
+Classifier: Development Status :: 6 - Mature
+Classifier: Environment :: Plugins
+Classifier: Intended Audience :: Developers
+Classifier: Intended Audience :: Information Technology
+Classifier: Intended Audience :: System Administrators
+Classifier: License :: OSI Approved :: MIT License
+Classifier: Operating System :: POSIX
+Classifier: Operating System :: POSIX :: Linux
+Classifier: Programming Language :: Python
+Classifier: Programming Language :: Python :: 2
+Classifier: Programming Language :: Python :: 3
+Classifier: Topic :: Security
+Classifier: Topic :: System :: Systems Administration :: Authentication/Directory
+
+python-pam
+==========
+
+Python pam module supporting py3 (and py2)
+
+Commandline example:
+
+```
+[david@Scott python-pam]$ python pam.py
+Username: david
+Password: 
+0 Success
+
+[david@Scott python-pam]$ python2 pam.py
+Username: david
+Password: 
+0 Success
+```
+
+Inline examples:
+```
+[david@Scott python-pam]$ python
+Python 3.4.1 (default, May 19 2014, 17:23:49)
+[GCC 4.9.0 20140507 (prerelease)] on linux
+Type "help", "copyright", "credits" or "license" for more information.
+>>> import pam
+>>> p = pam.pam()
+>>> p.authenticate('david', 'correctpassword')
+True
+>>> p.authenticate('david', 'badpassword')
+False
+>>> p.authenticate('david', 'correctpassword', service='login')
+True
+>>> p.authenticate('david', 'correctpassword', service='unknownservice')
+False
+>>> p.authenticate('david', 'correctpassword', service='login', resetcreds=True)
+True
+>>> p.authenticate('david', 'correctpassword', encoding='latin-1')
+True
+>>> print('{} {}'.format(p.code, p.reason))
+0 Success
+>>> p.authenticate('david', 'badpassword')
+False
+>>> print('{} {}'.format(p.code, p.reason))
+7 Authentication failure
+>>>
+```
+
+
Index: /branches/rel_avx_2_7_2/src/webui/webui/exfiles/python/lib/python_pam-1.8.4.dist-info/RECORD
===================================================================
--- /branches/rel_avx_2_7_2/src/webui/webui/exfiles/python/lib/python_pam-1.8.4.dist-info/RECORD	(revision 0)
+++ /branches/rel_avx_2_7_2/src/webui/webui/exfiles/python/lib/python_pam-1.8.4.dist-info/RECORD	(working copy)
@@ -0,0 +1,9 @@
+pam.py,sha256=9OckkGbj6VMenr5Zko0sfQZVZxPlZzrsdKSVlRfCmrw,7556
+pam.pyc,,
+python_pam-1.8.4.dist-info/DESCRIPTION.rst,sha256=ZzlAiDBuUC_95APCmp0_eRYDnsl9NhuXjcgx4fFUz1g,1090
+python_pam-1.8.4.dist-info/INSTALLER,sha256=zuuue4knoyJ-UwPPXg8fezS7VCrXJQrAP7zeNuwvFQg,4
+python_pam-1.8.4.dist-info/METADATA,sha256=o6bjHQd0CpDejv5ZiM656GmHfr7i6skyjgZQdt3-n6M,2127
+python_pam-1.8.4.dist-info/RECORD,,
+python_pam-1.8.4.dist-info/WHEEL,sha256=kdsN-5OJAZIiHN-iO4Rhl82KyS0bDWf4uBwMbkNafr8,110
+python_pam-1.8.4.dist-info/metadata.json,sha256=AOmZ9XHKc0EGVu6BkIS36svGBCdgP5mXJo2R4_kzoD4,1151
+python_pam-1.8.4.dist-info/top_level.txt,sha256=0EOjbyc3hQyzjhn6iyMgsEseqA66Xz0p27iBN7G7W1w,4
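Review bot: The `pam.pyc,,` entry carries no hash or size, so if the compiled file is committed alongside the package it is the one code file here that cannot be checked against RECORD. Prefer committing only pam.py, verified against the sha256 on the first line of this hunk, and letting the bytecode be generated at build or install time. INSTALLER and RECORD are themselves artifacts of a pip install and could be left out of the tree as well.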
Index: /branches/rel_avx_2_7_2/src/webui/webui/exfiles/python/lib/python_pam-1.8.4.dist-info/RECORD
===================================================================
--- /branches/rel_avx_2_7_2/src/webui/webui/exfiles/python/lib/python_pam-1.8.4.dist-info/RECORD	(revision 0)
+++ /branches/rel_avx_2_7_2/src/webui/webui/exfiles/python/lib/python_pam-1.8.4.dist-info/RECORD	(working copy)
@@ -0,0 +1,9 @@
+pam.py,sha256=9OckkGbj6VMenr5Zko0sfQZVZxPlZzrsdKSVlRfCmrw,7556
+pam.pyc,,
+python_pam-1.8.4.dist-info/DESCRIPTION.rst,sha256=ZzlAiDBuUC_95APCmp0_eRYDnsl9NhuXjcgx4fFUz1g,1090
+python_pam-1.8.4.dist-info/INSTALLER,sha256=zuuue4knoyJ-UwPPXg8fezS7VCrXJQrAP7zeNuwvFQg,4
+python_pam-1.8.4.dist-info/METADATA,sha256=o6bjHQd0CpDejv5ZiM656GmHfr7i6skyjgZQdt3-n6M,2127
+python_pam-1.8.4.dist-info/RECORD,,
+python_pam-1.8.4.dist-info/WHEEL,sha256=kdsN-5OJAZIiHN-iO4Rhl82KyS0bDWf4uBwMbkNafr8,110
+python_pam-1.8.4.dist-info/metadata.json,sha256=AOmZ9XHKc0EGVu6BkIS36svGBCdgP5mXJo2R4_kzoD4,1151
+python_pam-1.8.4.dist-info/top_level.txt,sha256=0EOjbyc3hQyzjhn6iyMgsEseqA66Xz0p27iBN7G7W1w,4
Index: /branches/rel_avx_2_7_2/src/webui/webui/exfiles/python/lib/python_pam-1.8.4.dist-info/WHEEL
===================================================================
--- /branches/rel_avx_2_7_2/src/webui/webui/exfiles/python/lib/python_pam-1.8.4.dist-info/WHEEL	(revision 0)
+++ /branches/rel_avx_2_7_2/src/webui/webui/exfiles/python/lib/python_pam-1.8.4.dist-info/WHEEL	(working copy)
@@ -0,0 +1,6 @@
+Wheel-Version: 1.0
+Generator: bdist_wheel (0.30.0)
+Root-Is-Purelib: true
+Tag: py2-none-any
+Tag: py3-none-any
+
Index: /branches/rel_avx_2_7_2/src/webui/webui/exfiles/python/lib/python_pam-1.8.4.dist-info/WHEEL
===================================================================
--- /branches/rel_avx_2_7_2/src/webui/webui/exfiles/python/lib/python_pam-1.8.4.dist-info/WHEEL	(revision 0)
+++ /branches/rel_avx_2_7_2/src/webui/webui/exfiles/python/lib/python_pam-1.8.4.dist-info/WHEEL	(working copy)
@@ -0,0 +1,6 @@
+Wheel-Version: 1.0
+Generator: bdist_wheel (0.30.0)
+Root-Is-Purelib: true
+Tag: py2-none-any
+Tag: py3-none-any
+
Index: /branches/rel_avx_2_7_2/src/webui/webui/exfiles/python/lib/python_pam-1.8.4.dist-info/metadata.json
===================================================================
--- /branches/rel_avx_2_7_2/src/webui/webui/exfiles/python/lib/python_pam-1.8.4.dist-info/metadata.json	(revision 0)
+++ /branches/rel_avx_2_7_2/src/webui/webui/exfiles/python/lib/python_pam-1.8.4.dist-info/metadata.json	(working copy)
@@ -0,0 +1 @@
+{"classifiers": ["Development Status :: 6 - Mature", "Environment :: Plugins", "Intended Audience :: Developers", "Intended Audience :: Information Technology", "Intended Audience :: System Administrators", "License :: OSI Approved :: MIT License", "Operating System :: POSIX", "Operating System :: POSIX :: Linux", "Programming Language :: Python", "Programming Language :: Python :: 2", "Programming Language :: Python :: 3", "Topic :: Security", "Topic :: System :: Systems Administration :: Authentication/Directory"], "download_url": "https://github.com/FirefighterBlu3/python-pam", "extensions": {"python.details": {"contacts": [{"email": "david@blue-labs.org", "name": "David Ford", "role": "author"}, {"email": "david@blue-labs.org", "name": "David Ford", "role": "maintainer"}], "document_names": {"description": "DESCRIPTION.rst"}, "project_urls": {"Home": "https://github.com/FirefighterBlu3/python-pam"}}}, "generator": "bdist_wheel (0.30.0)", "license": "License :: OSI Approved :: MIT License", "metadata_version": "2.0", "name": "python-pam", "platform": "i686", "summary": "Python PAM module using ctypes, py3/py2", "version": "1.8.4"}
\ No newline at end of file
Index: /branches/rel_avx_2_7_2/src/webui/webui/exfiles/python/lib/python_pam-1.8.4.dist-info/metadata.json
===================================================================
--- /branches/rel_avx_2_7_2/src/webui/webui/exfiles/python/lib/python_pam-1.8.4.dist-info/metadata.json	(revision 0)
+++ /branches/rel_avx_2_7_2/src/webui/webui/exfiles/python/lib/python_pam-1.8.4.dist-info/metadata.json	(working copy)
@@ -0,0 +1 @@
+{"classifiers": ["Development Status :: 6 - Mature", "Environment :: Plugins", "Intended Audience :: Developers", "Intended Audience :: Information Technology", "Intended Audience :: System Administrators", "License :: OSI Approved :: MIT License", "Operating System :: POSIX", "Operating System :: POSIX :: Linux", "Programming Language :: Python", "Programming Language :: Python :: 2", "Programming Language :: Python :: 3", "Topic :: Security", "Topic :: System :: Systems Administration :: Authentication/Directory"], "download_url": "https://github.com/FirefighterBlu3/python-pam", "extensions": {"python.details": {"contacts": [{"email": "david@blue-labs.org", "name": "David Ford", "role": "author"}, {"email": "david@blue-labs.org", "name": "David Ford", "role": "maintainer"}], "document_names": {"description": "DESCRIPTION.rst"}, "project_urls": {"Home": "https://github.com/FirefighterBlu3/python-pam"}}}, "generator": "bdist_wheel (0.30.0)", "license": "License :: OSI Approved :: MIT License", "metadata_version": "2.0", "name": "python-pam", "platform": "i686", "summary": "Python PAM module using ctypes, py3/py2", "version": "1.8.4"}
\ No newline at end of file
Index: /branches/rel_avx_2_7_2/src/webui/webui/exfiles/python/lib/python_pam-1.8.4.dist-info/top_level.txt
===================================================================
--- /branches/rel_avx_2_7_2/src/webui/webui/exfiles/python/lib/python_pam-1.8.4.dist-info/top_level.txt	(revision 0)
+++ /branches/rel_avx_2_7_2/src/webui/webui/exfiles/python/lib/python_pam-1.8.4.dist-info/top_level.txt	(working copy)
@@ -0,0 +1 @@
+pam
Index: /branches/rel_avx_2_7_2/src/webui/webui/exfiles/python/lib/python_pam-1.8.4.dist-info/top_level.txt
===================================================================
--- /branches/rel_avx_2_7_2/src/webui/webui/exfiles/python/lib/python_pam-1.8.4.dist-info/top_level.txt	(revision 0)
+++ /branches/rel_avx_2_7_2/src/webui/webui/exfiles/python/lib/python_pam-1.8.4.dist-info/top_level.txt	(working copy)
@@ -0,0 +1 @@
+pam
Index: /branches/rel_avx_2_7_2/src/webui/webui/htdocs/new/src/hive/auth.py
===================================================================
--- /branches/rel_avx_2_7_2/src/webui/webui/htdocs/new/src/hive/auth.py	(revision 8853)
+++ /branches/rel_avx_2_7_2/src/webui/webui/htdocs/new/src/hive/auth.py	(working copy)
@@ -4,20 +4,23 @@
 AUTH_ENABLE=2
 
 def auth_avx(username, password):
-    try:
-        import spwd, pwd, grp
-        cryptedpasswd = spwd.getspnam(username)[1]
-        gp_name = grp.getgrgid(pwd.getpwnam(username).pw_gid)[0]
-    except KeyError:
-        return False
-    if cryptedpasswd:
-        if crypt.crypt(password, cryptedpasswd) == cryptedpasswd:
-            if gp_name == 'enable':
-                return AUTH_ENABLE
-            else:
-                return AUTH_CONFIG
-    return False
+    import pam
+    p = pam.pam()
+    
+    authenticated = p.authenticate(username, password, service = 'array-common-auth.pam')
     
+    if authenticated:
+        try:
+            import pwd, grp
+            gp_name = grp.getgrgid(pwd.getpwnam(username).pw_gid)[0]
+        except KeyError:
+            return AUTH_CONFIG
+        if gp_name == 'enable':
+            return AUTH_ENABLE
+        else:
+            return AUTH_CONFIG
+    return False
+
 def auth_apv_local(username, password, api):
     try:
         try:
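Review bot: In auth_avx, the `except KeyError: return AUTH_CONFIG` branch grants config-level access to any user PAM accepts even when pwd/grp cannot resolve the account, whereas the removed code returned False on the same KeyError. If that is intended for remotely authenticated users (pam_radius is added elsewhere in this change), say so in a comment; otherwise return False there. Two smaller points: on failure p.code and p.reason are discarded, so a missing or misnamed 'array-common-auth.pam' service will look identical to a bad password (the python-pam README added in this change shows an unknown service simply returning False), and logging them would make that diagnosable; and the imports can move to module level, with the crypt import dropped if nothing else in the file still needs it.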
Index: /branches/rel_avx_2_7_2/update/avxsystem.ks
===================================================================
--- /branches/rel_avx_2_7_2/update/avxsystem.ks	(revision 8853)
+++ /branches/rel_avx_2_7_2/update/avxsystem.ks	(working copy)
@@ -116,7 +116,7 @@
 file-5.11-31.el7.x86_64
 sysstat-10.1.5-7.el7.x86_64
 hesiod-3.2.1-3.el7.x86_64
-openssh-server-6.6.1p1-25.4.el7.centos.x86_64
+openssh-server-6.6.1p1-25.5.el7.centos.x86_64
 libxslt-1.1.28-5.el7.x86_64
 openvswitch-2.7.0-4.3.2.4.el7.centos.x86_64
 groff-base-1.22.2-8.el7.x86_64
@@ -368,7 +368,7 @@
 irqbalance-1.0.7-5.el7.x86_64
 rsync-3.0.9-17.el7.x86_64
 watchdog-5.13-11.el7.x86_64
-openssh-clients-6.6.1p1-25.4.el7.centos.x86_64
+openssh-clients-6.6.1p1-25.5.el7.centos.x86_64
 tcpdump-4.5.1-3.el7.x86_64
 xmlrpc-c-client-1.32.5-1905.svn2451.1.el7.centos.x86_64
 wget-1.14-10.el7_0.1.x86_64
@@ -404,7 +404,7 @@
 gawk-4.0.2-4.el7.x86_64
 libutempter-1.1.6-4.el7.x86_64
 elfutils-libelf-0.163-3.el7.x86_64
-openssh-6.6.1p1-25.4.el7.centos.x86_64
+openssh-6.6.1p1-25.5.el7.centos.x86_64
 libcap-2.22-8.el7.x86_64
 libsemanage-python-2.1.10-18.el7.x86_64
 nettle-2.7.1-4.el7.x86_64
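Review bot: The openssh pin bump from 25.4 to 25.5 in this hunk and the two before it (openssh-server, openssh-clients) has no stated reason and is unrelated to the PAM change in auth.py. The three subpackages are moved in lockstep, which is correct, but please say in the commit message what the 25.5 build contains, or split the bump into its own commit so it can be reverted independently.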
@@ -510,6 +510,8 @@
 intel_auxiliary-1.0.1-1.x86_64
 qat-4.15.0-0.x86_64
 bc-1.06.95-13.el7.x86_64
+pam_radius-1.4.0-4.el7.x86_64
+libnss-ato-0.2-1.x86_64
 %end
 
 %post --nochroot --interpreter ../tools/image-minimizer
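Review bot: This hunk installs pam_radius and libnss-ato but only adds the packages; the PAM service 'array-common-auth.pam' that auth.py now names, and the nsswitch and libnss-ato configuration, are not in this part of the change. Please include them or point to where the image gets them, otherwise auth_avx will fail for every user. Note also that libnss-ato resolves otherwise unknown user names to a single configured local account, so getpwnam() in auth_avx will succeed for such names and the 'enable' check will be made against that account's primary group; confirm that group is not 'enable'.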
