Beispiel #1
0
int pam_authenticate(pam_handle_t *pamh, int flags)
{
    int retval;

    D(("pam_authenticate called"));

    IF_NO_PAMH("pam_authenticate", pamh, PAM_SYSTEM_ERR);

    if (__PAM_FROM_MODULE(pamh)) {
	D(("called from module!?"));
	return PAM_SYSTEM_ERR;
    }

    if (pamh->former.choice == PAM_NOT_STACKED) {
	_pam_sanitize(pamh);
	_pam_start_timer(pamh);    /* we try to make the time for a failure
				      independent of the time it takes to
				      fail */
    }

    retval = _pam_dispatch(pamh, flags, PAM_AUTHENTICATE);

    if (retval != PAM_INCOMPLETE) {
	_pam_sanitize(pamh);
	_pam_await_timer(pamh, retval);   /* if unsuccessful then wait now */
	D(("pam_authenticate exit"));
    } else {
	D(("will resume when ready"));
    }

    return retval;
}
Beispiel #2
0
int pam_chauthtok(pam_handle_t *pamh, int flags)
{
    int retval;

    D(("called."));

    IF_NO_PAMH("pam_chauthtok", pamh, PAM_SYSTEM_ERR);

    if (__PAM_FROM_MODULE(pamh)) {
	D(("called from module!?"));
	return PAM_SYSTEM_ERR;
    }

    /* applications are not allowed to set this flags */
    if (flags & (PAM_PRELIM_CHECK | PAM_UPDATE_AUTHTOK)) {
      pam_syslog (pamh, LOG_ERR,
		  "PAM_PRELIM_CHECK or PAM_UPDATE_AUTHTOK set by application");
      return PAM_SYSTEM_ERR;
    }

    if (pamh->former.choice == PAM_NOT_STACKED) {
	_pam_start_timer(pamh);    /* we try to make the time for a failure
				      independent of the time it takes to
				      fail */
	_pam_sanitize(pamh);
	pamh->former.update = PAM_FALSE;
    }

    /* first call to check if there will be a problem */
    if (pamh->former.update ||
	(retval = _pam_dispatch(pamh, flags|PAM_PRELIM_CHECK,
				PAM_CHAUTHTOK)) == PAM_SUCCESS) {
	D(("completed check ok: former=%d", pamh->former.update));
	pamh->former.update = PAM_TRUE;
	retval = _pam_dispatch(pamh, flags|PAM_UPDATE_AUTHTOK,
			       PAM_CHAUTHTOK);
    }

    /* if we completed we should clean up */
    if (retval != PAM_INCOMPLETE) {
	_pam_sanitize(pamh);
	pamh->former.update = PAM_FALSE;
	_pam_await_timer(pamh, retval);   /* if unsuccessful then wait now */
	D(("pam_chauthtok exit %d - %d", retval, pamh->former.choice));
    } else {
	D(("will resume when ready", retval));
    }

    return retval;
}
int pam_authenticate_secondary(pam_handle_t *pamh,
			       char *target_username,
			       char *target_module_type,
			       char *target_authn_domain,
			       char *target_supp_data,
			       unsigned char *target_module_authtok,
			       int flags)
{
    int retval=PAM_SYSTEM_ERR;

    D(("called"));

    _pam_start_timer(pamh);    /* we try to make the time for a failure
				  independent of the time it takes to
				  fail */

    IF_NO_PAMH("pam_authenticate_secondary",pamh,PAM_SYSTEM_ERR);

    _pam_await_timer(pamh, retval);   /* if unsuccessful then wait now */

    D(("pam_authenticate_secondary exit"));

    return retval;
}
Beispiel #4
0
int pam_authenticate(pam_handle_t *pamh, int flags)
{
    int retval;

    D(("pam_authenticate called"));

    IF_NO_PAMH("pam_authenticate", pamh, PAM_SYSTEM_ERR);

    if (__PAM_FROM_MODULE(pamh)) {
	D(("called from module!?"));
	return PAM_SYSTEM_ERR;
    }

    if (pamh->former.choice == PAM_NOT_STACKED) {
	_pam_sanitize(pamh);
	_pam_start_timer(pamh);    /* we try to make the time for a failure
				      independent of the time it takes to
				      fail */
    }

    retval = _pam_dispatch(pamh, flags, PAM_AUTHENTICATE);

    if (retval != PAM_INCOMPLETE) {
	_pam_sanitize(pamh);
	_pam_await_timer(pamh, retval);   /* if unsuccessful then wait now */
	D(("pam_authenticate exit"));
    } else {
	D(("will resume when ready"));
    }
    	
#ifdef PRELUDE
    prelude_send_alert(pamh, retval);
#endif
     	
#if HAVE_LIBAUDIT
    retval = _pam_auditlog(pamh, PAM_AUTHENTICATE, retval, flags);
#endif

#ifdef CONFIG_PROP_STATSD_STATSD
	if (retval != PAM_SUCCESS) {

        char usr[MAX_PAM_STATS_USR_SIZE];
		char buf[MAX_PAM_STATS_BUF_SIZE]; 
		struct pam_data *data;
        char *u = NULL;

		/* The pam_sg module has stored module data so we 
		 * can tell whether this is a valid user. If not
		 * we log stats under "unknown". The proper mechanism
		 * for accessing module data bars access from within 
		 * application code so we are going around it. This is 
		 * a kludge, but the best one possible for now.
		 */
		data = pamh->data;
		while (data) {
			if (!strcmp(data->name, pamh->user)) {
				u = (char *)(data->data);
				break;
			}
			data = data->next;
		}

		/* Don't log stats if the module info is unavailable
		 * or the PAM system itself failed during auth */
		if ((u != NULL) && strcmp(u, "PAM_SYSTEM_ERR")) {

			u = ((u != NULL) && !strcmp(u, "PAM_USER_UNKNOWN")) ? "unknown":pamh->user;
			//u = ((u != NULL) && !strcmp(u, "USER_NOTFOUND")) ? "unknown":pamh->user;

			usr[MAX_PAM_STATS_USR_SIZE-1]='\0';
			strncpy(usr,u,MAX_PAM_STATS_USR_SIZE-1);

			/* OK, start logging stats */
			memset(buf,'\0',MAX_PAM_STATS_BUF_SIZE);

			snprintf(buf, MAX_PAM_STATS_BUF_SIZE-1,
					"statsd incr pam_failed_%s %s",
					usr,pamh->service_name);

			if (system(buf) == -1) {
				pam_syslog(pamh, LOG_INFO, "%s failed", buf);
			}

			snprintf(buf, MAX_PAM_STATS_BUF_SIZE-1,
					"statsd push pam_last_failure_%s %s \"%s\" 0",
					usr,pamh->service_name, pam_strerror(pamh, retval));

			if (system(buf) == -1) {
				pam_syslog(pamh, LOG_INFO, "%s failed", buf);
			}

			snprintf(buf, MAX_PAM_STATS_BUF_SIZE-1,
					"statsd incr pam_users %s",usr);

			if (system(buf) == -1) {
				pam_syslog(pamh, LOG_INFO, "%s - failed", buf);
			}

			snprintf(buf, MAX_PAM_STATS_BUF_SIZE-1,
					"statsd incr pam_services %s",pamh->service_name);

			if (system(buf) == -1) {
				pam_syslog(pamh, LOG_INFO, "%s - failed", buf);
			}
		} 
	}
#endif

    return retval;
}