int xlsh_session_open(const char* service, const char* user,
pam_handle_t** handle)
{
struct pam_conv conv = { xlsh_session_conv, NULL };
pam_handle_t* pam_handle;
if(pam_start(service, user, &conv, &pam_handle) != PAM_SUCCESS)
return XLSH_ERROR;
if(xlsh_X)
pam_set_item(pam_handle, PAM_TTY, XLSH_XTTY);
else
pam_set_item(pam_handle, PAM_TTY, ttyname(0));
if(pam_authenticate(pam_handle, 0) != PAM_SUCCESS) {
pam_end(pam_handle, 0);
return XLSH_ERROR;
}
if(pam_acct_mgmt(pam_handle, 0) != PAM_SUCCESS) {
pam_end(pam_handle, 0);
return XLSH_ERROR;
}
if(pam_setcred(pam_handle, PAM_ESTABLISH_CRED) != PAM_SUCCESS) {
pam_end(pam_handle, 0);
return XLSH_ERROR;
}
if(pam_open_session(pam_handle, 0) != PAM_SUCCESS) {
pam_setcred(pam_handle, PAM_DELETE_CRED);
pam_end(pam_handle, 0);
return XLSH_ERROR;
}
*handle = pam_handle;
return XLSH_EOK;
}
void
do_pam_setcred(int init)
{
sshpam_err = pam_set_item(sshpam_handle, PAM_CONV,
(const void *)&store_conv);
if (sshpam_err != PAM_SUCCESS)
fatal("PAM: failed to set PAM_CONV: %s",
pam_strerror(sshpam_handle, sshpam_err));
if (init) {
debug("PAM: establishing credentials");
sshpam_err = pam_setcred(sshpam_handle, PAM_ESTABLISH_CRED);
} else {
debug("PAM: reinitializing credentials");
sshpam_err = pam_setcred(sshpam_handle, PAM_REINITIALIZE_CRED);
}
if (sshpam_err == PAM_SUCCESS) {
sshpam_cred_established = 1;
return;
}
if (sshpam_authenticated)
fatal("PAM: pam_setcred(): %s",
pam_strerror(sshpam_handle, sshpam_err));
else
debug("PAM: pam_setcred(): %s",
pam_strerror(sshpam_handle, sshpam_err));
}
static void sftppam_exit_ev(const void *event_data, void *user_data) {
/* Close the PAM session */
if (sftppam_pamh != NULL) {
int res;
#ifdef PAM_CRED_DELETE
res = pam_setcred(sftppam_pamh, PAM_CRED_DELETE);
#else
res = pam_setcred(sftppam_pamh, PAM_DELETE_CRED);
#endif
if (res != PAM_SUCCESS) {
pr_trace_msg(trace_channel, 9, "PAM error setting PAM_DELETE_CRED: %s",
pam_strerror(sftppam_pamh, res));
}
res = pam_close_session(sftppam_pamh, PAM_SILENT);
pam_end(sftppam_pamh, res);
sftppam_pamh = NULL;
}
if (sftppam_user != NULL) {
free(sftppam_user);
sftppam_user = NULL;
sftppam_userlen = 0;
}
}
void Authenticator::close_session(void) {
switch((last_result=pam_close_session(pam_handle, 0))) {
// The documentation and implementation of Linux PAM differs:
// PAM_SESSION_ERROR is described in the documentation but
// don't exists in the actual implementation. This issue needs
// to be fixes at some point.
default:
//case PAM_SESSION_ERROR:
pam_setcred(pam_handle, PAM_DELETE_CRED);
_end();
throw Exception(pam_handle, "pam_close_session", last_result);
case PAM_SUCCESS:
break;
};
switch((last_result=pam_setcred(pam_handle, PAM_DELETE_CRED))) {
default:
case PAM_CRED_ERR:
case PAM_CRED_UNAVAIL:
case PAM_CRED_EXPIRED:
case PAM_USER_UNKNOWN:
_end();
throw Exception(pam_handle, "pam_setcred()", last_result);
case PAM_SUCCESS:
break;
}
return;
}
static enum pamtest_err run_test_case(pam_handle_t *ph,
struct pam_testcase *tc)
{
switch (tc->pam_operation) {
case PAMTEST_AUTHENTICATE:
tc->op_rv = pam_authenticate(ph, tc->flags);
return PAMTEST_ERR_OK;
case PAMTEST_SETCRED:
tc->op_rv = pam_setcred(ph, tc->flags);
return PAMTEST_ERR_OK;
case PAMTEST_ACCOUNT:
tc->op_rv = pam_acct_mgmt(ph, tc->flags);
return PAMTEST_ERR_OK;
case PAMTEST_OPEN_SESSION:
tc->op_rv = pam_open_session(ph, tc->flags);
return PAMTEST_ERR_OK;
case PAMTEST_CLOSE_SESSION:
tc->op_rv = pam_close_session(ph, tc->flags);
return PAMTEST_ERR_OK;
case PAMTEST_CHAUTHTOK:
tc->op_rv = pam_chauthtok(ph, tc->flags);
return PAMTEST_ERR_OK;
case PAMTEST_GETENVLIST:
tc->case_out.envlist = pam_getenvlist(ph);
return PAMTEST_ERR_OK;
case PAMTEST_KEEPHANDLE:
tc->case_out.ph = ph;
return PAMTEST_ERR_KEEPHANDLE;
default:
return PAMTEST_ERR_OP;
}
return PAMTEST_ERR_OP;
}
bool PamHandle::setCred(int flags) {
m_result = pam_setcred(m_handle, flags | m_silent);
if (m_result != PAM_SUCCESS) {
qWarning() << "[PAM] setCred:" << pam_strerror(m_handle, m_result);
}
return m_result == PAM_SUCCESS;
}
void SessionExit(struct display *d, int status, int removeAuth)
{
#ifdef USE_PAM
pam_handle_t *pamh = thepamh();
if (pamh) {
/* shutdown PAM session */
if (pam_setcred(pamh, PAM_DELETE_CRED) != PAM_SUCCESS)
WDMError("pam_setcred(DELETE_CRED) failed, errno=%d", errno);
pam_close_session(pamh, 0);
pam_end(pamh, PAM_SUCCESS);
pamh = NULL;
}
#endif
/* make sure the server gets reset after the session is over */
if (d->serverPid >= 2 && d->resetSignal)
kill(d->serverPid, d->resetSignal);
else
ResetServer(d);
if (removeAuth) {
setgid(verify.gid);
setuid(verify.uid);
RemoveUserAuthorization(d, &verify);
}
WDMDebug("Display %s exiting with status %d\n", d->name, status);
exit(status);
}
static int auth(const char *password) {
pam_handle_t* pamh;
struct passwd *pw;
if ((pw = getpwuid(getuid())) == NULL)
return 0;
struct pam_response * reply = malloc(sizeof(struct pam_response));
if (!reply)
return 0;
struct pam_conv pamc = { conversation, reply };
int rc = 0;
reply->resp = strdup(password);
reply->resp_retcode = 0;
pam_start("slock", pw->pw_name, &pamc, &pamh);
if (pam_set_item(pamh, PAM_AUTHTOK, password) == PAM_SUCCESS &&
pam_authenticate(pamh,PAM_DISALLOW_NULL_AUTHTOK) == PAM_SUCCESS &&
pam_acct_mgmt(pamh, 0) == PAM_SUCCESS &&
pam_setcred(pamh, PAM_REFRESH_CRED) == PAM_SUCCESS) {
rc = 1;
}
pam_end(pamh,0);
return rc;
}
void
pam_finish ()
{
int rc = 0;
/*
* Allow PAM to clean up its state by closing the user session and
* ending the association with PAM.
*/
if (!conf->use_pam)
return;
if (pam_h != NULL) {
/*
* Log any errors, but there's no need to return a SLURM error.
*/
if ((rc = pam_close_session (pam_h, 0)) != PAM_SUCCESS) {
error("pam_close_session: %s", pam_strerror(pam_h, rc));
}
if ((rc = pam_setcred (pam_h, PAM_DELETE_CRED)) != PAM_SUCCESS){
error("pam_setcred DELETE: %s", pam_strerror(pam_h,rc));
}
if ((rc = pam_end (pam_h, rc)) != PAM_SUCCESS) {
error("pam_end: %s", pam_strerror(NULL, rc));
}
pam_h = NULL;
}
}
static void
init_groups (const struct passwd* pw, gid_t* groups, int num_groups) {
int retval;
errno = 0;
if (num_groups) {
retval = setgroups (num_groups, groups);
} else {
retval = initgroups (pw->pw_name, pw->pw_gid);
}
if (retval == -1) {
cleanup_pam (PAM_ABORT);
err (EXIT_FAILURE, _("cannot set groups"));
}
endgrent ();
retval = pam_setcred (pamh, PAM_ESTABLISH_CRED);
if (is_pam_failure(retval)) {
errx (EXIT_FAILURE, "%s", pam_strerror (pamh, retval));
} else {
_pam_cred_established = 1;
}
}
/* Return 0 if authentication failed, 1 otherwise */
static int
mc_pam_auth (const char *username, const char *password)
{
pam_handle_t *pamh;
struct user_pass up;
int status;
up.username = username;
up.password = password;
conv.appdata_ptr = &up;
if ((status =
pam_start ("mcserv", username, &conv, &pamh)) != PAM_SUCCESS)
goto failed_pam;
if ((status = pam_authenticate (pamh, 0)) != PAM_SUCCESS)
goto failed_pam;
if ((status = pam_acct_mgmt (pamh, 0)) != PAM_SUCCESS)
goto failed_pam;
if ((status = pam_setcred (pamh, PAM_ESTABLISH_CRED)) != PAM_SUCCESS)
goto failed_pam;
pam_end (pamh, status);
return 0;
failed_pam:
pam_end (pamh, status);
return 1;
}
/* Called at exit to cleanly shutdown PAM */
static void
do_pam_cleanup_proc(void *context)
{
int pam_retval;
pam_stuff *pam = (pam_stuff *) context;
if (pam == NULL)
return;
if (pam->authctxt != NULL && pam->authctxt->pam == pam) {
pam->authctxt->pam_retval = pam->last_pam_retval;
pam->authctxt->pam = NULL;
pam->authctxt = NULL;
}
if (pam->h == NULL)
return;
/*
* We're in fatal_cleanup() or not in userauth or without a
* channel -- can't converse now, too bad.
*/
pam_retval = pam_set_item(pam->h, PAM_CONV, NULL);
if (pam_retval != PAM_SUCCESS) {
log("Cannot remove PAM conv, close session or delete creds[%d]: %.200s",
pam_retval, PAM_STRERROR(pam->h, pam_retval));
goto cleanup;
}
if (pam->state & PAM_S_DONE_OPEN_SESSION) {
pam_retval = pam_close_session(pam->h, 0);
if (pam_retval != PAM_SUCCESS)
log("Cannot close PAM session[%d]: %.200s",
pam_retval, PAM_STRERROR(pam->h, pam_retval));
}
if (pam->state & PAM_S_DONE_SETCRED) {
pam_retval = pam_setcred(pam->h, PAM_DELETE_CRED);
if (pam_retval != PAM_SUCCESS)
debug("Cannot delete credentials[%d]: %.200s",
pam_retval, PAM_STRERROR(pam->h, pam_retval));
}
cleanup:
/* Use the previous PAM result, if not PAM_SUCCESS for pam_end() */
if (pam->last_pam_retval != PAM_SUCCESS)
pam_retval = pam_end(pam->h, pam->last_pam_retval);
else if (pam_retval != PAM_SUCCESS)
pam_retval = pam_end(pam->h, pam_retval);
else
pam_retval = pam_end(pam->h, PAM_ABORT);
if (pam_retval != PAM_SUCCESS)
log("Cannot release PAM authentication[%d]: %.200s",
pam_retval, PAM_STRERROR(pam->h, pam_retval));
xfree(pam);
}
static void checkpw_cleanup (pam_handle_t *hdl)
{
#if 0 /* see checkpw() for why this is #if 0 */
pam_close_session (hdl,NIL); /* close session [uw]tmp */
#endif
pam_setcred (hdl,PAM_DELETE_CRED);
pam_end (hdl,PAM_SUCCESS);
}
void
mdm_verify_cleanup (MdmDisplay *d)
{
gid_t groups[1] = { 0 };
cur_mdm_disp = d;
if (pamh != NULL) {
gint pamerr;
pam_handle_t *tmp_pamh;
gboolean old_opened_session;
gboolean old_did_setcred;
mdm_debug ("Running mdm_verify_cleanup and pamh != NULL");
mdm_sigterm_block_push ();
mdm_sigchld_block_push ();
tmp_pamh = pamh;
pamh = NULL;
old_opened_session = opened_session;
opened_session = FALSE;
old_did_setcred = did_setcred;
did_setcred = FALSE;
mdm_sigchld_block_pop ();
mdm_sigterm_block_pop ();
pamerr = PAM_SUCCESS;
/* Close the users session */
if (old_opened_session) {
mdm_debug ("Running pam_close_session");
pamerr = pam_close_session (tmp_pamh, 0);
}
/* Throw away the credentials */
if (old_did_setcred) {
mdm_debug ("Running pam_setcred with PAM_DELETE_CRED");
pamerr = pam_setcred (tmp_pamh, PAM_DELETE_CRED);
}
pam_end (tmp_pamh, pamerr);
/* Workaround to avoid mdm messages being logged as PAM_pwdb */
mdm_log_shutdown ();
mdm_log_init ();
}
/* Clear the group setup */
setgid (0);
/* this will get rid of any suplementary groups etc... */
setgroups (1, groups);
cur_mdm_disp = NULL;
/* reset limits */
mdm_reset_limits ();
}
int context::rmcred()
{
int code = static_cast<int>(errc::success);
if(_M_cred)
{
code = pam_setcred(_M_pamh, PAM_DELETE_CRED);
_M_cred = false;
}
return code;
}
bool PAMAuthenticator::authenticate(void)
{
pam_conv c;
c.conv = PAMAuthenticator::conv;
c.appdata_ptr = this;
int res = pam_start("repwatchproxy", 0, &c, &this->m_ph);
if (res == PAM_SUCCESS) {
res = pam_set_item(this->m_ph, PAM_RUSER, this->m_user.constData());
if (res != PAM_SUCCESS) {
goto getout;
}
res = pam_set_item(this->m_ph, PAM_RHOST, this->m_host.constData());
if (res != PAM_SUCCESS) {
goto getout;
}
res = pam_authenticate(this->m_ph, 0);
if (res != PAM_SUCCESS) {
goto getout;
}
res = pam_acct_mgmt(this->m_ph, 0);
if (PAM_NEW_AUTHTOK_REQD == res) {
res = pam_chauthtok(this->m_ph, PAM_CHANGE_EXPIRED_AUTHTOK);
}
if (res != PAM_SUCCESS) {
goto getout;
}
res = pam_setcred(this->m_ph, PAM_ESTABLISH_CRED);
if (res != PAM_SUCCESS) {
goto getout;
}
res = pam_open_session(this->m_ph, 0);
if (res != PAM_SUCCESS) {
goto getout;
}
return true;
getout:
qWarning("%s: %s", Q_FUNC_INFO, pam_strerror(this->m_ph, res));
pam_end(this->m_ph, res);
}
else {
qCritical("PAM initialization failed");
}
this->m_ph = 0;
return false;
}
int xlsh_session_close(pam_handle_t* handle)
{
pam_close_session(handle, 0);
if(pam_setcred(handle, PAM_DELETE_CRED) != PAM_SUCCESS) {
pam_end(handle, 0);
return XLSH_ERROR;
}
pam_end(handle, 0);
return XLSH_EOK;
}
gboolean pam_session_open(void)
{
g_pamLastStatus = pam_setcred(g_pamHandle, PAM_ESTABLISH_CRED);
if (g_pamLastStatus != PAM_SUCCESS)
{
fprintf(stderr, "Jolicloud-DisplayManager: Unable to define pam credentials. Error %d\n",
g_pamLastStatus);
return FALSE;
}
g_pamLastStatus = pam_open_session(g_pamHandle, 0);
if (g_pamLastStatus != PAM_SUCCESS)
{
fprintf(stderr, "Jolicloud-DisplayManager: Unable to open session with pan. Error %d\n",
g_pamLastStatus);
pam_setcred(g_pamHandle, PAM_DELETE_CRED);
return FALSE;
}
return TRUE;
}
/* * Note that the position of the pam_setcred() call is discussable: * * - the PAM docs recommend pam_setcred() before pam_open_session() * - but the original RFC http://www.opengroup.org/rfc/mirror-rfc/rfc86.0.txt * uses pam_setcred() after pam_open_session() * * The old login versions (before year 2011) followed the RFC. This is probably * not optimal, because there could be a dependence between some session modules * and the user's credentials. * * The best is probably to follow openssh and call pam_setcred() before and * after pam_open_session(). -- [email protected] (18-Nov-2011) * */ static void loginpam_session(struct login_context *cxt) { int rc; pam_handle_t *pamh = cxt->pamh; rc = pam_setcred(pamh, PAM_ESTABLISH_CRED); if (is_pam_failure(rc)) loginpam_err(pamh, rc); rc = pam_open_session(pamh, 0); if (is_pam_failure(rc)) { pam_setcred(cxt->pamh, PAM_DELETE_CRED); loginpam_err(pamh, rc); } rc = pam_setcred(pamh, PAM_REINITIALIZE_CRED); if (is_pam_failure(rc)) { pam_close_session(pamh, 0); loginpam_err(pamh, rc); } }
int
pam_setup (char *user, char *host)
{
/*
* Any application using PAM must provide a conversion function, which
* is used for direct communication between a loaded module and the
* application. In this case, SLURM does need a communication mechanism,
* so the default (or null) conversation function may be used.
*/
struct pam_conv conv = {misc_conv, NULL};
int rc = 0;
if (!conf->use_pam)
return SLURM_SUCCESS;
/*
* SLURM uses PAM to obtain resource limits established by the system
* administrator. PAM's session management library is responsible for
* handling resource limits. When a PAM session is opened on behalf of
* a user, the limits imposed by the sys admin are picked up. Opening
* a PAM session requires a PAM handle, which is obtained when the PAM
* interface is initialized. (PAM handles are required with essentially
* all PAM calls.) It's also necessary to have the users PAM credentials
* to open a user session.
*/
if ((rc = pam_start (SLURM_SERVICE_PAM, user, &conv, &pam_h))
!= PAM_SUCCESS) {
error ("pam_start: %s", pam_strerror(pam_h, rc));
return SLURM_ERROR;
} else if ((rc = pam_set_item (pam_h, PAM_USER, user))
!= PAM_SUCCESS) {
error ("pam_set_item USER: %s", pam_strerror(pam_h, rc));
return SLURM_ERROR;
} else if ((rc = pam_set_item (pam_h, PAM_RUSER, user))
!= PAM_SUCCESS) {
error ("pam_set_item RUSER: %s", pam_strerror(pam_h, rc));
return SLURM_ERROR;
} else if ((rc = pam_set_item (pam_h, PAM_RHOST, host))
!= PAM_SUCCESS) {
error ("pam_set_item HOST: %s", pam_strerror(pam_h, rc));
return SLURM_ERROR;
} else if ((rc = pam_setcred (pam_h, PAM_ESTABLISH_CRED))
!= PAM_SUCCESS) {
error ("pam_setcred: %s", pam_strerror(pam_h, rc));
return SLURM_ERROR;
} else if ((rc = pam_open_session (pam_h, 0)) != PAM_SUCCESS) {
error("pam_open_session: %s", pam_strerror(pam_h, rc));
return SLURM_ERROR;
}
return SLURM_SUCCESS;
}
static void
vsf_auth_shutdown(void)
{
if (s_pamh == 0)
{
bug("vsf_auth_shutdown");
}
(void) pam_close_session(s_pamh, 0);
(void) pam_setcred(s_pamh, PAM_DELETE_CRED);
(void) pam_end(s_pamh, PAM_SUCCESS);
s_pamh = 0;
vsf_remove_uwtmp();
}
struct passwd *checkpw (struct passwd *pw,char *pass,int argc,char *argv[])
{
pam_handle_t *hdl;
struct pam_conv conv;
struct checkpw_cred cred;
conv.conv = &checkpw_conv;
conv.appdata_ptr = &cred;
cred.uname = pw->pw_name;
cred.pass = pass;
if ((pam_start ((char *) mail_parameters (NIL,GET_SERVICENAME,NIL),
pw->pw_name,&conv,&hdl) != PAM_SUCCESS) ||
(pam_set_item (hdl,PAM_RHOST,tcp_clientaddr ()) != PAM_SUCCESS) ||
(pam_authenticate (hdl,NIL) != PAM_SUCCESS) ||
(pam_acct_mgmt (hdl,NIL) != PAM_SUCCESS) ||
(pam_setcred (hdl,PAM_ESTABLISH_CRED) != PAM_SUCCESS)) {
/* clean up */
pam_setcred (hdl,PAM_DELETE_CRED);
pam_end (hdl,PAM_AUTH_ERR); /* failed */
return NIL;
}
#if 0
/*
* Some people have reported that this causes a SEGV in strncpy() from
* pam_unix.so.1
*/
/*
* This pam_open_session() call is inconsistant with how we handle other
* platforms, where we don't write [uw]tmp records. However, unlike our
* code on other platforms, pam_acct_mgmt() will check those records for
* inactivity and deny the authentication.
*/
pam_open_session (hdl,NIL); /* make sure account doesn't go inactive */
#endif
/* arm hook to delete credentials */
mail_parameters (NIL,SET_LOGOUTHOOK,(void *) checkpw_cleanup);
mail_parameters (NIL,SET_LOGOUTDATA,(void *) hdl);
return pw;
}
gboolean pam_session_close(void)
{
g_pamLastStatus = pam_close_session(g_pamHandle, 0);
g_pamLastStatus = pam_setcred(g_pamHandle, PAM_DELETE_CRED);
if (g_pamLastStatus != PAM_SUCCESS)
{
fprintf(stderr, "Jolicloud-DisplayManager: Unable to delete pam credentials. Error %d\n",
g_pamLastStatus);
return FALSE;
}
return TRUE;
}
int pam_begin_session(const char* username, int fd)
{
int rv, i;
if (!pam_h &&
(rv = pam_start(PAM_APPL_NAME, username, &conv, &pam_h)) != PAM_SUCCESS)
fatal("pam_start() failure: %d", rv);
#ifdef SUN_PAM_TTY_BUG
if ((rv = pam_set_item(pam_h, PAM_TTY, "/dev/nld")) != PAM_SUCCESS)
fatal("pam_set_item(PAM_TTY,/dev/nld");
#endif
conv_reject_prompts = 1;
pam_conv_fd = fd;
/* On Solaris and HP-UX, the docs say we can't call setcred first, and the
* modules actually enforce that. LinuxPAM says we must call setcred first,
* and that's preferable, so we do it in all other cases. */
#ifdef SUN_PAM
int setcred_first = 0;
#else
int setcred_first = 1;
#endif
for (i = 0; i < 2; ++i) {
if (i != setcred_first) {
if ((rv = pam_setcred(pam_h, PAM_ESTABLISH_CRED)) != PAM_SUCCESS) {
debug("pam_setcred(PAM_ESTABLISH_CRED): %s", pam_strerror(pam_h, rv));
if (authenticated) {
pam_conv_fd = -1;
return -1;
}
} else {
setcred = 1;
}
} else {
if ((rv = pam_open_session(pam_h, 0)) != PAM_SUCCESS) {
debug("pam_open_session(): %s", pam_strerror(pam_h, rv));
if (authenticated) {
pam_conv_fd = -1;
return -1;
}
} else {
opened_session = 1;
}
}
}
pam_conv_fd = -1;
return 0;
}
int
pam_begin_session(struct passwd *pw, sudo_auth *auth)
{
int status = PAM_SUCCESS;
/*
* If there is no valid user we cannot open a PAM session.
* This is not an error as sudo can run commands with arbitrary
* uids, it just means we are done from a session management standpoint.
*/
if (pw == NULL) {
if (pamh != NULL) {
(void) pam_end(pamh, PAM_SUCCESS | PAM_DATA_SILENT);
pamh = NULL;
}
goto done;
}
/* If the user did not have to authenticate there is no pam handle yet. */
if (pamh == NULL)
pam_init(pw, NULL, NULL);
/*
* Update PAM_USER to reference the user we are running the command
* as, as opposed to the user we authenticated as.
*/
(void) pam_set_item(pamh, PAM_USER, pw->pw_name);
/*
* Set credentials (may include resource limits, device ownership, etc).
* We don't check the return value here because in Linux-PAM 0.75
* it returns the last saved return code, not the return code
* for the setcred module. Because we haven't called pam_authenticate(),
* this is not set and so pam_setcred() returns PAM_PERM_DENIED.
* We can't call pam_acct_mgmt() with Linux-PAM for a similar reason.
*/
(void) pam_setcred(pamh, PAM_ESTABLISH_CRED);
#ifndef NO_PAM_SESSION
status = pam_open_session(pamh, 0);
if (status != PAM_SUCCESS) {
(void) pam_end(pamh, status | PAM_DATA_SILENT);
pamh = NULL;
}
#endif
done:
return status == PAM_SUCCESS ? AUTH_SUCCESS : AUTH_FAILURE;
}
static void
pm_do_auth(adt_session_data_t *ah)
{
pam_handle_t *pm_pamh;
int err;
int pam_flag = 0;
int chpasswd_tries;
struct pam_conv pam_conv = {pam_tty_conv, NULL};
if (user[0] == '\0')
return;
if ((err = pam_start("sys-suspend", user, &pam_conv,
&pm_pamh)) != PAM_SUCCESS)
return;
pam_flag = PAM_DISALLOW_NULL_AUTHTOK;
do {
err = pam_authenticate(pm_pamh, pam_flag);
if (err == PAM_SUCCESS) {
err = pam_acct_mgmt(pm_pamh, pam_flag);
if (err == PAM_NEW_AUTHTOK_REQD) {
chpasswd_tries = 0;
do {
err = pam_chauthtok(pm_pamh,
PAM_CHANGE_EXPIRED_AUTHTOK);
chpasswd_tries++;
} while ((err == PAM_AUTHTOK_ERR ||
err == PAM_TRY_AGAIN) &&
chpasswd_tries < DEF_ATTEMPTS);
pm_audit_event(ah, ADT_passwd, err);
}
err = pam_setcred(pm_pamh, PAM_REFRESH_CRED);
}
if (err != PAM_SUCCESS) {
(void) fprintf(stdout, "%s\n",
pam_strerror(pm_pamh, err));
pm_audit_event(ah, ADT_screenunlock, err);
}
} while (err != PAM_SUCCESS);
pm_audit_event(ah, ADT_passwd, 0);
(void) pam_end(pm_pamh, err);
}
static void
cleanup_pam (int retcode)
{
int saved_errno = errno;
if (_pam_session_opened)
pam_close_session (pamh, 0);
if (_pam_cred_established)
pam_setcred (pamh, PAM_DELETE_CRED | PAM_SILENT);
pam_end(pamh, retcode);
errno = saved_errno;
}
/**
* EscalateHelperDoAction:
* @self: #EscalateHelper instance.
* @error: (out)(allow-none): Error return location or #NULL.
*
* Return: #TRUE if the action specified in the start message (just
* pam_authenticate for now) was called successfully and the finish message was
* sent.
*/
gboolean EscalateHelperDoAction(EscalateHelper *self, GError **error) {
int setcred_result = PAM_SUCCESS;
EscalateMessage *message = NULL;
GVariantBuilder *env = NULL;
gboolean result = FALSE;
// Run the action specified in the start message.
switch (self->action) {
case ESCALATE_MESSAGE_ACTION_AUTHENTICATE:
self->result = pam_authenticate(self->pamh, self->flags);
if (self->result == PAM_SUCCESS || self->result == PAM_NEW_AUTHTOK_REQD) {
// Refresh things like Kerberos credentials. This is safe to do here
// even if the client never calls pam_setcred() because the entire auth
// stack succeeded.
// TODO(vonhollen): Make this configurable by pam_escalate.so.
setcred_result = pam_setcred(self->pamh, PAM_REINITIALIZE_CRED);
if (setcred_result != PAM_SUCCESS) {
pam_syslog(self->pamh, LOG_NOTICE,
"pam_setcred() failed for user '%s': %s",
self->username, pam_strerror(self->pamh, setcred_result));
}
}
break;
default:
self->result = PAM_SYSTEM_ERR;
g_error("Unsupported action %d", self->action);
}
// Prevent this function from being run twice.
self->action = ESCALATE_MESSAGE_ACTION_UNKNOWN;
// Get the PAM environment to include in the result.
env = EscalateUtilPamEnvToVariant(self->pamh, error);
if (!env) {
goto done;
}
// Send the final PAM result for the action and the complete environment.
message = EscalateMessageNew(ESCALATE_MESSAGE_TYPE_FINISH, self->result, env);
result = EscalateMessageWrite(message, self->writer, error);
EscalateMessageUnref(message);
g_variant_builder_unref(env);
done:
return result;
}
static void input_done(void) {
STOP_TIMER(clear_pam_wrong_timeout);
pam_state = STATE_PAM_VERIFY;
redraw_screen();
if (pam_authenticate(pam_handle, 0) == PAM_SUCCESS) {
DEBUG("successfully authenticated\n");
clear_password_memory();
/* Turn the screen on, as it may have been turned off
* on release of the 'enter' key. */
turn_monitors_on();
/* PAM credentials should be refreshed, this will for example update any kerberos tickets.
* Related to credentials pam_end() needs to be called to cleanup any temporary
* credentials like kerberos /tmp/krb5cc_pam_* files which may of been left behind if the
* refresh of the credentials failed. */
pam_setcred(pam_handle, PAM_REFRESH_CRED);
pam_end(pam_handle, PAM_SUCCESS);
exit(0);
}
if (debug_mode)
fprintf(stderr, "Authentication failure\n");
pam_state = STATE_PAM_WRONG;
failed_attempts += 1;
clear_input();
if (unlock_indicator)
redraw_screen();
/* Clear this state after 2 seconds (unless the user enters another
* password during that time). */
ev_now_update(main_loop);
START_TIMER(clear_pam_wrong_timeout, TSTAMP_N_SECS(2), clear_pam_wrong);
/* Cancel the clear_indicator_timeout, it would hide the unlock indicator
* too early. */
STOP_TIMER(clear_indicator_timeout);
/* beep on authentication failure, if enabled */
if (beep) {
xcb_bell(conn, 100);
xcb_flush(conn);
}
}
void
ssh_gssapi_rekey_creds() {
int ok;
int ret;
#ifdef USE_PAM
pam_handle_t *pamh = NULL;
struct pam_conv pamconv = {ssh_gssapi_simple_conv, NULL};
char *envstr;
#endif
if (gssapi_client.store.filename == NULL &&
gssapi_client.store.envval == NULL &&
gssapi_client.store.envvar == NULL)
return;
ok = PRIVSEP(ssh_gssapi_update_creds(&gssapi_client.store));
if (!ok)
return;
debug("Rekeyed credentials stored successfully");
/* Actually managing to play with the ssh pam stack from here will
* be next to impossible. In any case, we may want different options
* for rekeying. So, use our own :)
*/
#ifdef USE_PAM
if (!use_privsep) {
debug("Not even going to try and do PAM with privsep disabled");
return;
}
ret = pam_start("sshd-rekey", gssapi_client.store.owner->pw_name,
&pamconv, &pamh);
if (ret)
return;
xasprintf(&envstr, "%s=%s", gssapi_client.store.envvar,
gssapi_client.store.envval);
ret = pam_putenv(pamh, envstr);
if (!ret)
pam_setcred(pamh, PAM_REINITIALIZE_CRED);
pam_end(pamh, PAM_SUCCESS);
#endif
}
