import r2805 tp-int/trunk/unix

AUTHORS

@@ -0,0 +1,4 @@
+
+Dug Song <[email protected]>
+	original author
+

Makefile.am

@@ -0,0 +1,11 @@
+
+ACLOCAL_AMFLAGS = -I autotools
+
+SUBDIRS = compat lib login_duo
+
+if PAM
+SUBDIRS += pam_duo
+endif
+
+EXTRA_DIST = AUTHORS LICENSE README.pam README.ssh
+

README

@@ -0,0 +1,100 @@
+
+Overview
+--------
+
+duo_unix - Duo two-factor authentication for Unix systems
+
+This package allows an admin (or even an ordinary user) to quickly set
+up two-factor authentication for login - without setting up user
+accounts, directory synchronization, servers, hardware, etc.
+
+What's here:
+
+lib
+	Simple C API for the Duo two-factor authentication service.
+
+login_duo
+	Login utility to add secondary Duo authentication to any login
+	session (e.g. for SSH, ForceCommand in sshd_config or a forced
+	command in authorized_keys to follow any password, pubkey, or
+	other auth method).
+
+pam_duo
+	Pluggable Authentication Module for Linux, FreeBSD, NetBSD,
+	MacOS X, Solaris, AIX, HP-UX to add Duo authentication
+	system-wide (e.g. sshd, sudo, su, samba, etc.)
+
+Build
+-----
+
+Build dependencies for libduo (install these first!):
+
+OpenSSL
+	OpenSSL (http://openssl.org) development headers and libraries
+	are installed by default on *BSD and MacOS X.
+
+	Solaris, HP-UX, AIX:	3rd party packages or source build
+	Redhat/Fedora/CentOS:	yum install openssl-devel
+	Debian/Ubuntu: 		apt-get install libssl-dev
+
+libcurl
+	The curl (http://curl.haxx.se) development headers and library
+	are installed by default on MacOS X, and require OpenSSL.
+
+	FreeBSD/NetBSD:		www/curl port or package
+	Solaris, HP-UX, AIX	3rd party packages or source build
+	Redhat/Fedora/CentOS:	yum install curl-devel
+	Debian/Ubuntu:		apt-get install libcurl-dev 
+				(use the openssl version)
+
+Build dependencies for pam_duo:
+
+libpam
+	System PAM development headers and libraries are installed by
+	default on FreeBSD, NetBSD, MacOS X, Solaris, HP-UX, and AIX.
+
+	RedHat/Fedora/CentOS:	yum install pam-devel
+	Debian/Ubuntu:		apt-get install libpam-dev
+
+Options to ./configure:
+
+--with-curl=DIR
+	Specify location of libcurl build or install directory
+	(e.g. "/usr/local", "/opt/csw"), if not installed in a system
+	location (e.g. /usr/lib).
+
+--with-pam[=DIR]
+	Build PAM module, and optionally override the default install
+	directory (determined automatically by platform) if necessary.
+
+--with-privsep-user=USER
+	Specify a different user for privilege separation (e.g. "_duo")
+	in login_duo - by default, "sshd" (or "_sshd" on MacOS X).
+
+Install
+-------
+
+"make install" as root should do it.
+
+The pam_duo module will be installed in the system PAM module location
+by default (/lib/security, /usr/lib/security, /usr/lib/pam, /usr/lib
+depending on platform).
+
+login_duo will be installed setuid root by default in order to keep
+the Duo service credentials (ikey/skey) in login_duo.conf secret. It
+may also be installed non-setuid, such as for a user installation with
+an individual (not system-wide) configuration file.
+
+Usage
+-----
+
+See README.pam, README.ssh, and the login_duo.8 and pam_duo.8 manpages
+for detailed setup instructions.
+
+To build C applications with libduo, use "pkg-config libduo" with
+--cflags and --libs arguments to locate the development headers and
+library. See the duo.3 manpage for API documentation.
+
+
+---
+http://duosecurity.com

README.pam

@@ -0,0 +1,67 @@
+
+How to setup Duo via PAM
+------------------------
+
+You will need your Duo integration key (ikey) and secret key (skey) to
+use the pam_duo module. pam_duo supports PAM's 'auth' facility.
+
+To add support for Duo authentication to a PAM-enabled application
+(eg. sudo, sshd, etc), modify your system's PAM configuration to
+include a line like the following:
+
+    auth required pam_duo.so
+
+See the pam_duo(8) manpage for a full list of configuration options.
+
+The location of this line in your PAM config and the specified control
+flag (eg. required, requisite, sufficient) may vary. For most common
+configurations, place pam_duo directly after pam_unix (frequently
+found in common-auth/system-auth on Linux), set pam_unix's control
+flag to 'requisite', and set pam_duo's control flag to whatever
+pam_unix used to be.
+
+The following are some PAM configuration examples for common systems:
+
+Ubuntu 10.04 LTS (/etc/pam.d/common-auth)
+
+  Before:
+
+    auth    [success=1 default=ignore]   pam_unix.so nullok_secure
+    auth    requisite                    pam_deny.so
+
+  After:
+
+    auth    requisite                    pam_unix.so nullok_secure
+    auth    [success=1 default=ignore]   pam_duo.so
+    auth    requisite                    pam_deny.so
+
+CentOS 5.5 (/etc/pam.d/system-auth)
+
+  Before:
+
+    auth    required      pam_env.so
+    auth    sufficient    pam_unix.so nullok try_first_pass
+    auth    requisite     pam_succeed_if.so uid >= 500 quiet
+    auth    required      pam_deny.so
+
+  After:
+
+    auth    required      pam_env.so
+    auth    requisite     pam_unix.so nullok try_first_pass
+    auth    sufficient    pam_duo.so
+    auth    requisite     pam_succeed_if.so uid >= 500 quiet
+    auth    required      pam_deny.so
+
+Gentoo (/etc/pam.d/system-auth)
+
+  Before:
+
+    auth    required      pam_env.so 
+    auth    required      pam_unix.so try_first_pass likeauth nullok 
+
+  After:
+
+    auth    required      pam_env.so 
+    auth    requisite     pam_unix.so try_first_pass likeauth nullok 
+    auth    required      pam_duo.so
+

README.ssh

@@ -0,0 +1,56 @@
+
+duo_unix for OpenSSH
+--------------------
+
+Solaris, HP-UX, and AIX will need a modern OpenSSH installed from
+http://openssh.org to replace the system sshd in order to support PAM
+or ForceCommand integration.
+
+All other Unix systems (Linux, *BSD, MacOS, etc.) should support Duo
+without any changes to system binaries.
+
+pam_duo
+-------
+
+If you want to use pam_duo with OpenSSH sshd, ensure that the "UsePAM"
+and "ChallengeResponseAuthentication" options are both set to "yes" in
+your sshd_config.
+
+Please note that pam_duo will only be invoked when using password
+authentication and will not be invoked if public key authentication is
+used - in OpenSSH sshd, PAM is bypassed by pubkey auth. :-(
+
+Try login_duo if you need to support pubkey auth!
+
+login_duo
+---------
+
+For a system-wide install (enabling Duo for more than one user), add
+it to your sshd_config, e.g.
+
+	ForceCommand /usr/local/sbin/login_duo
+
+Make sure your /etc/duo/login_duo.conf is owned and readable by only
+the privsep user.
+
+ForceCommand also intercepts sshd Subsystem requests, such as for sftp
+(so you literally only need line to enable Duo for sshd), and remote
+commands, such as for scp and rsync.
+
+Another option is to tie Duo auth to the use of specific SSH pubkeys
+used to login to shared accounts such as root. The "command" option
+may be used in authorized_keys for each pubkey similarly to
+ForceCommand above:
+
+	command="/usr/local/sbin/login_duo -f alice" ssh-ssh‐rsa AAAAB2...19Q== [email protected]
+
+login_duo honors the $SSH_ORIGINAL_COMMAND environment variable set by
+sshd on remote command invocation such as for scp and sftp. To
+override this, specify a command argument to login_duo instead, e.g.
+
+	command="/usr/local/sbin/login_duo -f alice /usr/bin/top" ...
+
+If not installed setuid root, each user must have their own login_duo
+configuration file as the privacy of a shared configuration file
+cannot be guaranteed.
+

acconfig.h

@@ -0,0 +1,21 @@
+@BOTTOM@
+
+#ifndef HAVE_ASPRINTF
+#include <stdarg.h>
+
+int	asprintf(char **ret, const char *format, ...);
+int	vasprintf(char **ret, const char *format, va_list ap);
+#endif
+
+#ifndef HAVE_GETGROUPLIST
+#include <grp.h>
+
+int	getgrouplist(const char *name, gid_t basegid, gid_t *groups, int *ngroups);
+#endif
+
+#ifndef HAVE_STRLCPY
+#include <sys/types.h>
+
+size_t	strlcpy(char *dst, const char *src, size_t size);
+#endif
+