int
pam_sm_open_session(pam_handle_t *pamh, int flags, int argc, const char **argv)
{
char *user_name, *service;
unsigned int ctrl;
int retval;
const char *login_name;
D(("called."));
ctrl = _set_ctrl(pamh, flags, NULL, NULL, NULL, argc, argv);
retval = pam_get_item(pamh, PAM_USER, (void *) &user_name);
if (user_name == NULL || *user_name == '\0' || retval != PAM_SUCCESS) {
pam_syslog(pamh, LOG_CRIT,
"open_session - error recovering username");
return PAM_SESSION_ERR; /* How did we get authenticated with
no username?! */
}
retval = pam_get_item(pamh, PAM_SERVICE, (void *) &service);
if (service == NULL || *service == '\0' || retval != PAM_SUCCESS) {
pam_syslog(pamh, LOG_CRIT,
"open_session - error recovering service");
return PAM_SESSION_ERR;
}
login_name = pam_modutil_getlogin(pamh);
if (login_name == NULL) {
login_name = "";
}
if (off (UNIX_QUIET, ctrl))
pam_syslog(pamh, LOG_INFO, "session opened for user %s by %s(uid=%lu)",
user_name, login_name, (unsigned long)getuid());
return PAM_SUCCESS;
}
PAM_EXTERN int pam_sm_open_session(pam_handle_t * pamh, int flags,
int argc, const char **argv)
{
char *user_name = NULL, *service = NULL;
unsigned int ctrl = 0;
int retval = 0;
const char *login_name = NULL;
const char *login_username = NULL;
const char *old_tai = NULL;
int names_different = 0;
lpc_auth_method auth_method = lpcam_none;
const char *user_remote = NULL, *user_local = NULL;
/* pam_syslog(pamh, LOG_DEBUG, "pam_sm_open_session()"); */
D(("called."));
ctrl = _set_ctrl(pamh, flags, NULL, NULL, argc, argv);
retval = pam_get_item(pamh, PAM_USER, (void *) &user_name);
if (user_name == NULL || *user_name == '\0' || retval != PAM_SUCCESS) {
pam_syslog(pamh, LOG_CRIT,
"open_session - error recovering username");
return PAM_SESSION_ERR; /* How did we get authenticated with
no username?! */
}
retval = pam_get_item(pamh, PAM_SERVICE, (void *) &service);
if (service == NULL || *service == '\0' || retval != PAM_SUCCESS) {
pam_syslog(pamh, LOG_CRIT,
"open_session - error recovering service");
return PAM_SESSION_ERR;
}
login_name = pam_modutil_getlogin(pamh);
if (login_name == NULL) {
login_name = "";
}
login_username = pam_getenv(pamh, "LOGIN_USER");
if (login_username && (!user_name ||
(strcmp(login_username, user_name) != 0))) {
names_different = 1;
pam_syslog(pamh, LOG_INFO, "session opened for user %s (%s) by "
"%s(uid=%lu)"
,login_username, user_name
,login_name, (unsigned long) getuid());
}
else {
names_different = 0;
pam_syslog(pamh, LOG_INFO, "session opened for user %s by %s(uid=%lu)",
user_name, login_name, (unsigned long)getuid());
}
/*
* Make sure TRUSTED_AUTH_INFO is set. The cases are:
*
* 1. Set to the magic string PAM_TRUSTED_AUTH_INFO_SET_STR.
* This is how sshd signals us that it wants us to set it
* ourselves; probably it means the user authenticated in some
* non-PAM way, like with an ssh authorized key.
*
* (a) If user_name and login_name match, we'll assume that
* their authentication was "local", and report it that way.
* (This could be remote authentication if someone
* introduced a new PAM module, but we'll stick with
* Occam's Razor...)
*
* (b) If user_name and login_name do not match, this is
* unexpected. This suggests it was a remote authentication,
* but by a module that's not one we have modified to support
* TRUSTED_AUTH_INFO. Since we don't know the situation,
* leave it alone.
*
* 2. Set to something else. We'll presume it's set to some
* real value here, and leave it alone.
*
* 3. Not set at all. We're not sure how this happened, but
* leave it alone.
*/
old_tai = pam_getenv(pamh, "TRUSTED_AUTH_INFO");
if (old_tai == NULL) { /* Case 3 */
/*
* Leave it unset.
*/
pam_syslog(pamh, LOG_DEBUG, "TRUSTED_AUTH_INFO: not set, "
"leaving it alone");
}
else if (!strcmp(old_tai, PAM_TRUSTED_AUTH_INFO_SET_STR)) { /*Case 1*/
if (login_username && user_name) {
user_remote = login_username;
user_local = user_name;
}
else {
/* We know from above test that user_name is non-NULL */
user_remote = user_name;
user_local = user_name;
}
if (names_different) { /* Case 1b */
pam_syslog(pamh, LOG_WARNING, "TRUSTED_AUTH_INFO: set "
"requested, but two different usernames? "
"(LOGIN_USER = '******', AUTH_USER = '******') "
"Leaving it alone", user_remote, user_local);
}
else { /* Case 1a */
pam_syslog(pamh, LOG_DEBUG, "TRUSTED_AUTH_INFO: set "
"requested, names match, presuming non-PAM local "
"authentication, e.g. ssh authorized key");
auth_method = lpcam_local;
}
if (auth_method != lpcam_none) {
pam_unix_set_trusted_auth_info(pamh, auth_method,
user_remote, user_local);
}
}
else { /* Case 2 */
/*
* Leave it unset.
*/
pam_syslog(pamh, LOG_DEBUG, "TRUSTED_AUTH_INFO: already set, "
"leaving it alone");
}
return PAM_SUCCESS;
}
