void Authenticator::close_session(void) {
switch((last_result=pam_close_session(pam_handle, 0))) {
// The documentation and implementation of Linux PAM differs:
// PAM_SESSION_ERROR is described in the documentation but
// don't exists in the actual implementation. This issue needs
// to be fixes at some point.
default:
//case PAM_SESSION_ERROR:
pam_setcred(pam_handle, PAM_DELETE_CRED);
_end();
throw Exception(pam_handle, "pam_close_session", last_result);
case PAM_SUCCESS:
break;
};
switch((last_result=pam_setcred(pam_handle, PAM_DELETE_CRED))) {
default:
case PAM_CRED_ERR:
case PAM_CRED_UNAVAIL:
case PAM_CRED_EXPIRED:
case PAM_USER_UNKNOWN:
_end();
throw Exception(pam_handle, "pam_setcred()", last_result);
case PAM_SUCCESS:
break;
}
return;
}
void end_pam()
{
if (pamh) {
pam_close_session(pamh, 0);
pam_end(pamh, 0);
}
}
bool PamHandle::closeSession() {
m_result = pam_close_session(m_handle, m_silent);
if (m_result != PAM_SUCCESS) {
qWarning() << "[PAM] closeSession:" << pam_strerror(m_handle, m_result);
}
return m_result == PAM_SUCCESS;
}
static void
quit(struct weston_launch *wl, int status)
{
struct vt_mode mode = { 0 };
int err;
close(wl->signalfd);
close(wl->sock[0]);
if (wl->new_user) {
err = pam_close_session(wl->ph, 0);
if (err)
fprintf(stderr, "pam_close_session failed: %d: %s\n",
err, pam_strerror(wl->ph, err));
pam_end(wl->ph, err);
}
if (ioctl(wl->tty, KDSKBMUTE, 0) &&
ioctl(wl->tty, KDSKBMODE, wl->kb_mode))
fprintf(stderr, "failed to restore keyboard mode: %m\n");
if (ioctl(wl->tty, KDSETMODE, KD_TEXT))
fprintf(stderr, "failed to set KD_TEXT mode on tty: %m\n");
mode.mode = VT_AUTO;
if (ioctl(wl->tty, VT_SETMODE, &mode) < 0)
fprintf(stderr, "could not reset vt handling\n");
exit(status);
}
static void sftppam_exit_ev(const void *event_data, void *user_data) {
/* Close the PAM session */
if (sftppam_pamh != NULL) {
int res;
#ifdef PAM_CRED_DELETE
res = pam_setcred(sftppam_pamh, PAM_CRED_DELETE);
#else
res = pam_setcred(sftppam_pamh, PAM_DELETE_CRED);
#endif
if (res != PAM_SUCCESS) {
pr_trace_msg(trace_channel, 9, "PAM error setting PAM_DELETE_CRED: %s",
pam_strerror(sftppam_pamh, res));
}
res = pam_close_session(sftppam_pamh, PAM_SILENT);
pam_end(sftppam_pamh, res);
sftppam_pamh = NULL;
}
if (sftppam_user != NULL) {
free(sftppam_user);
sftppam_user = NULL;
sftppam_userlen = 0;
}
}
void terminate(pam_handle_t *pamh, struct command_info *cmd, int status)
{
int retval;
struct command_info *item;
if ((retval = pam_close_session(pamh, 0)) != PAM_SUCCESS) {
fprintf(stderr, "closing pam session error (%d)\n", retval);
status = retval;
}
if ((retval = pam_end(pamh,retval)) != PAM_SUCCESS) {
pamh = NULL;
fprintf(stderr, "release pam error (%d)\n", retval);
status = retval;
}
while ((item = cmd) != NULL) {
F(item->cmd_file);
F(item->salted_cmd);
F(item->cmd);
cmd = cmd->next;
F(item);
}
exit(status);
}
void SessionExit(struct display *d, int status, int removeAuth)
{
#ifdef USE_PAM
pam_handle_t *pamh = thepamh();
if (pamh) {
/* shutdown PAM session */
if (pam_setcred(pamh, PAM_DELETE_CRED) != PAM_SUCCESS)
WDMError("pam_setcred(DELETE_CRED) failed, errno=%d", errno);
pam_close_session(pamh, 0);
pam_end(pamh, PAM_SUCCESS);
pamh = NULL;
}
#endif
/* make sure the server gets reset after the session is over */
if (d->serverPid >= 2 && d->resetSignal)
kill(d->serverPid, d->resetSignal);
else
ResetServer(d);
if (removeAuth) {
setgid(verify.gid);
setuid(verify.uid);
RemoveUserAuthorization(d, &verify);
}
WDMDebug("Display %s exiting with status %d\n", d->name, status);
exit(status);
}
void
pam_finish ()
{
int rc = 0;
/*
* Allow PAM to clean up its state by closing the user session and
* ending the association with PAM.
*/
if (!conf->use_pam)
return;
if (pam_h != NULL) {
/*
* Log any errors, but there's no need to return a SLURM error.
*/
if ((rc = pam_close_session (pam_h, 0)) != PAM_SUCCESS) {
error("pam_close_session: %s", pam_strerror(pam_h, rc));
}
if ((rc = pam_setcred (pam_h, PAM_DELETE_CRED)) != PAM_SUCCESS){
error("pam_setcred DELETE: %s", pam_strerror(pam_h,rc));
}
if ((rc = pam_end (pam_h, rc)) != PAM_SUCCESS) {
error("pam_end: %s", pam_strerror(NULL, rc));
}
pam_h = NULL;
}
}
static enum pamtest_err run_test_case(pam_handle_t *ph,
struct pam_testcase *tc)
{
switch (tc->pam_operation) {
case PAMTEST_AUTHENTICATE:
tc->op_rv = pam_authenticate(ph, tc->flags);
return PAMTEST_ERR_OK;
case PAMTEST_SETCRED:
tc->op_rv = pam_setcred(ph, tc->flags);
return PAMTEST_ERR_OK;
case PAMTEST_ACCOUNT:
tc->op_rv = pam_acct_mgmt(ph, tc->flags);
return PAMTEST_ERR_OK;
case PAMTEST_OPEN_SESSION:
tc->op_rv = pam_open_session(ph, tc->flags);
return PAMTEST_ERR_OK;
case PAMTEST_CLOSE_SESSION:
tc->op_rv = pam_close_session(ph, tc->flags);
return PAMTEST_ERR_OK;
case PAMTEST_CHAUTHTOK:
tc->op_rv = pam_chauthtok(ph, tc->flags);
return PAMTEST_ERR_OK;
case PAMTEST_GETENVLIST:
tc->case_out.envlist = pam_getenvlist(ph);
return PAMTEST_ERR_OK;
case PAMTEST_KEEPHANDLE:
tc->case_out.ph = ph;
return PAMTEST_ERR_KEEPHANDLE;
default:
return PAMTEST_ERR_OP;
}
return PAMTEST_ERR_OP;
}
static void
quit(struct weston_launch *wl, int status)
{
struct vt_mode mode = { 0 };
int err;
close(wl->signalfd);
close(wl->sock[0]);
if (wl->new_user) {
err = pam_close_session(wl->ph, 0);
if (err)
fprintf(stderr, "pam_close_session failed: %d: %s\n",
err, pam_strerror(wl->ph, err));
pam_end(wl->ph, err);
}
if (ioctl(wl->tty, KDSKBMUTE, 0) &&
ioctl(wl->tty, KDSKBMODE, wl->kb_mode))
fprintf(stderr, "failed to restore keyboard mode: %m\n");
if (ioctl(wl->tty, KDSETMODE, KD_TEXT))
fprintf(stderr, "failed to set KD_TEXT mode on tty: %m\n");
/* We have to drop master before we switch the VT back in
* VT_AUTO, so we don't risk switching to a VT with another
* display server, that will then fail to set drm master. */
drmDropMaster(wl->drm_fd);
mode.mode = VT_AUTO;
if (ioctl(wl->tty, VT_SETMODE, &mode) < 0)
fprintf(stderr, "could not reset vt handling\n");
exit(status);
}
/*
* plogout - Logout the user.
*/
static void
plogout(void)
{
#ifdef USE_PAM
struct pam_conv pam_conversation;
pam_handle_t *pamh;
int pam_error;
/*
* Fill the pam_conversion structure. The PAM specification states that the
* session must be able to be closed by a totally different handle from which
* it was created. Hold the PAM group to their own specification!
*/
memset (&pam_conversation, '\0', sizeof (struct pam_conv));
pam_conversation.conv = &pam_conv;
pam_error = pam_start ("ppp", user, &pam_conversation, &pamh);
if (pam_error == PAM_SUCCESS) {
pam_set_item (pamh, PAM_TTY, devnam);
pam_close_session (pamh, PAM_SILENT);
pam_end (pamh, PAM_SUCCESS);
}
#else
char *tty;
tty = devnam;
if (strncmp(tty, _PATH_DEV, sizeof _PATH_DEV - 1) == 0)
tty += 5;
logwtmp(tty, "", ""); /* Wipe out wtmp logout entry */
logout(tty); /* Wipe out utmp */
#endif
logged_in = FALSE;
}
/* Called at exit to cleanly shutdown PAM */
static void
do_pam_cleanup_proc(void *context)
{
int pam_retval;
pam_stuff *pam = (pam_stuff *) context;
if (pam == NULL)
return;
if (pam->authctxt != NULL && pam->authctxt->pam == pam) {
pam->authctxt->pam_retval = pam->last_pam_retval;
pam->authctxt->pam = NULL;
pam->authctxt = NULL;
}
if (pam->h == NULL)
return;
/*
* We're in fatal_cleanup() or not in userauth or without a
* channel -- can't converse now, too bad.
*/
pam_retval = pam_set_item(pam->h, PAM_CONV, NULL);
if (pam_retval != PAM_SUCCESS) {
log("Cannot remove PAM conv, close session or delete creds[%d]: %.200s",
pam_retval, PAM_STRERROR(pam->h, pam_retval));
goto cleanup;
}
if (pam->state & PAM_S_DONE_OPEN_SESSION) {
pam_retval = pam_close_session(pam->h, 0);
if (pam_retval != PAM_SUCCESS)
log("Cannot close PAM session[%d]: %.200s",
pam_retval, PAM_STRERROR(pam->h, pam_retval));
}
if (pam->state & PAM_S_DONE_SETCRED) {
pam_retval = pam_setcred(pam->h, PAM_DELETE_CRED);
if (pam_retval != PAM_SUCCESS)
debug("Cannot delete credentials[%d]: %.200s",
pam_retval, PAM_STRERROR(pam->h, pam_retval));
}
cleanup:
/* Use the previous PAM result, if not PAM_SUCCESS for pam_end() */
if (pam->last_pam_retval != PAM_SUCCESS)
pam_retval = pam_end(pam->h, pam->last_pam_retval);
else if (pam_retval != PAM_SUCCESS)
pam_retval = pam_end(pam->h, pam_retval);
else
pam_retval = pam_end(pam->h, PAM_ABORT);
if (pam_retval != PAM_SUCCESS)
log("Cannot release PAM authentication[%d]: %.200s",
pam_retval, PAM_STRERROR(pam->h, pam_retval));
xfree(pam);
}
PAMAuthenticator::~PAMAuthenticator(void)
{
if (this->m_ph) {
int res = pam_close_session(this->m_ph, 0);
pam_end(this->m_ph, res);
this->m_ph = 0;
}
}
void AuthPAMClose()
{
if (pamh)
{
pam_close_session(pamh, 0);
pam_end(pamh,PAM_SUCCESS);
}
}
static void checkpw_cleanup (pam_handle_t *hdl)
{
#if 0 /* see checkpw() for why this is #if 0 */
pam_close_session (hdl,NIL); /* close session [uw]tmp */
#endif
pam_setcred (hdl,PAM_DELETE_CRED);
pam_end (hdl,PAM_SUCCESS);
}
bool XProcess::pam_stopSession(){
//This should only be run if pam_startSession was successful
int ret = pam_close_session(pamh,0);
bool ok = FALSE;
if(ret == PAM_SUCCESS){ ok = TRUE; }
else{ pam_logFailure(ret); }
return ok;
}
void
mdm_verify_cleanup (MdmDisplay *d)
{
gid_t groups[1] = { 0 };
cur_mdm_disp = d;
if (pamh != NULL) {
gint pamerr;
pam_handle_t *tmp_pamh;
gboolean old_opened_session;
gboolean old_did_setcred;
mdm_debug ("Running mdm_verify_cleanup and pamh != NULL");
mdm_sigterm_block_push ();
mdm_sigchld_block_push ();
tmp_pamh = pamh;
pamh = NULL;
old_opened_session = opened_session;
opened_session = FALSE;
old_did_setcred = did_setcred;
did_setcred = FALSE;
mdm_sigchld_block_pop ();
mdm_sigterm_block_pop ();
pamerr = PAM_SUCCESS;
/* Close the users session */
if (old_opened_session) {
mdm_debug ("Running pam_close_session");
pamerr = pam_close_session (tmp_pamh, 0);
}
/* Throw away the credentials */
if (old_did_setcred) {
mdm_debug ("Running pam_setcred with PAM_DELETE_CRED");
pamerr = pam_setcred (tmp_pamh, PAM_DELETE_CRED);
}
pam_end (tmp_pamh, pamerr);
/* Workaround to avoid mdm messages being logged as PAM_pwdb */
mdm_log_shutdown ();
mdm_log_init ();
}
/* Clear the group setup */
setgid (0);
/* this will get rid of any suplementary groups etc... */
setgroups (1, groups);
cur_mdm_disp = NULL;
/* reset limits */
mdm_reset_limits ();
}
int xlsh_session_close(pam_handle_t* handle)
{
pam_close_session(handle, 0);
if(pam_setcred(handle, PAM_DELETE_CRED) != PAM_SUCCESS) {
pam_end(handle, 0);
return XLSH_ERROR;
}
pam_end(handle, 0);
return XLSH_EOK;
}
int main(int argc, char *argv[])
{
unsigned char lb[2];
unsigned char buf[BUFSIZ];
char *user;
char *pwd;
char *mode;
int sid;
int rval;
struct session *sessp;
// test clause
if (argc == 4 ) {
/* ./epam authmodule user passwd */
printf("testing service=%s u=%s pwd=%s\n", argv[1],argv[2], argv[3]);
do_auth(argv[1], argv[2], argv[3], "AS", 33);
exit(0);
}
wstart();
while (1) {
if (read_fill(0, lb, 2) != 2)
exit(1);
rval = get_int16(lb);
if (read_fill(0, buf, rval) != rval)
exit(1);
switch (buf[0]) {
case 'a':
// auth a user
user = (char *)&buf[1];
pwd = user + strlen(user) + 1;
mode= pwd + strlen(pwd) + 1;
sid = atoi(mode + strlen(mode) + 1);
do_auth(argv[1], user, pwd, mode, sid);
break;
case 'c':
// close session
sid = atoi((char *)&buf[1]);
if ((sessp = del_session(&sessions, sid)) == NULL) {
fprintf(stderr, "Couldn't find session %d\r\n", sid);
break;
}
if (sessp->session_mode == 1) {
pam_close_session(sessp->pamh, 0);
/*fprintf(stderr, "did ok close sess \n\r");*/
}
pam_end(sessp->pamh, PAM_SUCCESS);
free(sessp);
break;
default:
fprintf(stderr, "Bad op \n\r");
}
}
}
void
SessionExit (struct display *d, int status, int removeAuth)
{
#ifdef USE_PAM
pam_handle_t *pamh = thepamh();
#endif
#ifdef USE_PAM
if (pamh) {
/* shutdown PAM session */
pam_close_session(pamh, 0);
pam_end(pamh, PAM_SUCCESS);
pamh = NULL;
}
#endif
/* make sure the server gets reset after the session is over */
if (d->serverPid >= 2 && d->resetSignal)
kill (d->serverPid, d->resetSignal);
else
ResetServer (d);
if (removeAuth)
{
setgid (verify.gid);
setuid (verify.uid);
RemoveUserAuthorization (d, &verify);
#ifdef K5AUTH
/* do like "kdestroy" program */
{
krb5_error_code code;
krb5_ccache ccache;
code = Krb5DisplayCCache(d->name, &ccache);
if (code)
LogError("%s while getting Krb5 ccache to destroy\n",
error_message(code));
else {
code = krb5_cc_destroy(ccache);
if (code) {
if (code == KRB5_FCC_NOFILE) {
Debug ("No Kerberos ccache file found to destroy\n");
} else
LogError("%s while destroying Krb5 credentials cache\n",
error_message(code));
} else
Debug ("Kerberos ccache destroyed\n");
krb5_cc_close(ccache);
}
}
#endif /* K5AUTH */
}
Debug ("Display %s exiting with status %d\n", d->name, status);
exit (status);
}
void context::close_session()
{
_M_code = pam_close_session(_M_pamh, 0);
if(errc(_M_code) != errc::success)
{
rmcred();
throw session_error(_M_pamh, _M_code);
}
_M_code = rmcred();
if(errc(_M_code) != errc::success) throw cred_error(_M_pamh, _M_code);
}
static void
vsf_auth_shutdown(void)
{
if (s_pamh == 0)
{
bug("vsf_auth_shutdown");
}
(void) pam_close_session(s_pamh, 0);
(void) pam_setcred(s_pamh, PAM_DELETE_CRED);
(void) pam_end(s_pamh, PAM_SUCCESS);
s_pamh = 0;
vsf_remove_uwtmp();
}
int
pam_end_session(sudo_auth *auth)
{
int status = PAM_SUCCESS;
if (pamh) {
#ifndef NO_PAM_SESSION
(void) pam_close_session(pamh, PAM_SILENT);
#endif
status = pam_end(pamh, PAM_SUCCESS | PAM_DATA_SILENT);
}
return status == PAM_SUCCESS ? AUTH_SUCCESS : AUTH_FAILURE;
}
gboolean pam_session_close(void)
{
g_pamLastStatus = pam_close_session(g_pamHandle, 0);
g_pamLastStatus = pam_setcred(g_pamHandle, PAM_DELETE_CRED);
if (g_pamLastStatus != PAM_SUCCESS)
{
fprintf(stderr, "Jolicloud-DisplayManager: Unable to delete pam credentials. Error %d\n",
g_pamLastStatus);
return FALSE;
}
return TRUE;
}
int
main (void)
{
int retval;
/* 1: Call with NULL as pam handle */
retval = pam_close_session (NULL, 0);
if (retval == PAM_SUCCESS)
{
fprintf (stderr, "pam_close_session (NULL, 0) returned PAM_SUCCESS\n");
return 1;
}
return 0;
}
int lxdm_auth_session_end(LXDM_AUTH *a)
{
int err;
if(!a->handle)
return 0;
if(a->in_session)
{
err = pam_close_session(a->handle, 0);
a->in_session=0;
}
pam_end(a->handle, err);
a->handle = NULL;
passwd_clean(&a->pw);
return 0;
}
static void
cleanup_pam (int retcode)
{
int saved_errno = errno;
if (_pam_session_opened)
pam_close_session (pamh, 0);
if (_pam_cred_established)
pam_setcred (pamh, PAM_DELETE_CRED | PAM_SILENT);
pam_end(pamh, retcode);
errno = saved_errno;
}
static void
quit(struct weston_launch *wl, int status)
{
int err;
close(wl->signalfd);
close(wl->sock[0]);
if (wl->new_user) {
err = pam_close_session(wl->ph, 0);
if (err)
fprintf(stderr, "pam_close_session failed: %d: %s\n",
err, pam_strerror(wl->ph, err));
pam_end(wl->ph, err);
}
exit(status);
}
int main(int argc, char *argv[])
{
char *user = (argc > 1) ? argv[1] : getlogin();
char *service = (argc > 2) ? argv[2] : "pamtest";
struct pam_conv conv;
int rc;
pam_handle_t *pamh = NULL;
conv.conv = pamtestConv;
conv.appdata_ptr = NULL;
fprintf(stderr, "%s:%d Starting with user=%s service=%s\n",
__FILE__, __LINE__, user, service);
rc = pam_start(service, user, &conv, &pamh);
CHECK_STATUS(pamh, "pam_start", rc);
rc = pam_authenticate(pamh, 0);
CHECK_STATUS(pamh, "pam_authenticate", rc);
rc = pam_acct_mgmt(pamh, 0);
CHECK_STATUS(pamh, "pam_acct_mgmt", rc);
if (rc == PAM_SUCCESS) {
rc = pam_open_session(pamh, 0);
CHECK_STATUS(pamh, "pam_open_session", rc);
rc = pam_close_session(pamh, 0);
CHECK_STATUS(pamh, "pam_close_session", rc);
}
if (rc != PAM_SUCCESS) {
return rc;
}
if (pamh != NULL) {
rc = pam_end(pamh, PAM_SUCCESS);
CHECK_STATUS(pamh, "pam_end", rc);
}
return rc;
}
void
sshpam_cleanup(void)
{
if (sshpam_handle == NULL || (use_privsep && !mm_is_monitor()))
return;
debug("PAM: cleanup");
pam_set_item(sshpam_handle, PAM_CONV, (const void *)&null_conv);
if (sshpam_session_open) {
debug("PAM: closing session");
pam_close_session(sshpam_handle, PAM_SILENT);
sshpam_session_open = 0;
}
if (sshpam_cred_established) {
debug("PAM: deleting credentials");
pam_setcred(sshpam_handle, PAM_DELETE_CRED);
sshpam_cred_established = 0;
}
sshpam_authenticated = 0;
pam_end(sshpam_handle, sshpam_err);
sshpam_handle = NULL;
}
