static int
do_item(pam_handle_t *pamh, struct tac_handle *tach, int item,
set_func func, const char *funcname)
{
int retval;
const void *value;
retval = pam_get_item(pamh, item, &value);
if (retval != PAM_SUCCESS)
return retval;
if (value != NULL && (*func)(tach, (const char *)value) == -1) {
syslog(LOG_CRIT, "%s: %s", funcname, tac_strerror(tach));
tac_close(tach);
return PAM_SERVICE_ERR;
}
return PAM_SUCCESS;
}
const void* Authenticator::get_item(const Authenticator::ItemType item) {
const void* data;
switch ((last_result=pam_get_item(pam_handle, item, &data))) {
default:
case PAM_SYSTEM_ERR:
#ifdef __LIBPAM_VERSION
case PAM_BAD_ITEM:
#endif
_end();
throw Exception(pam_handle, "pam_get_item()", last_result);
case PAM_PERM_DENIED: // The value of item was NULL
case PAM_SUCCESS:
break;
}
return data;
}
static int pam_get_rhost(pam_handle_t *pamh, const char **rhost
, const char *prompt)
{
int retval;
const char *current;
retval = pam_get_item (pamh, PAM_RHOST, (const void **)¤t);
if (retval != PAM_SUCCESS)
return retval;
if (current == NULL) {
return PAM_AUTH_ERR;
}
*rhost = current;
return retval; /* pass on any error from conversation */
}
static int record_user(const abl_args *args, abl_info *info, time_t tm) {
const void *user;
int err;
if (err = pam_get_item(args->pamh, PAM_USER, &user), PAM_SUCCESS != err) {
log_pam_error(args, err, "getting PAM_USER");
return err;
}
if (NULL != user) {
info->subject = USER;
info->user = user;
return record(args, info, tm, args->user_purge);
} else {
log_debug(args, "PAM_USER is NULL");
return 0;
}
return 1;
}
/* expected hook, this is where custom stuff happens */
PAM_EXTERN int pam_sm_authenticate(pam_handle_t* pamh, int flags, int argc, const char **argv) {
int ret = 0;
const char* pUsername = NULL;
const char* pUrl = NULL;
const char* pCaFile = NULL;
struct pam_message msg;
struct pam_conv* pItem;
struct pam_response* pResp;
const struct pam_message* pMsg = &msg;
msg.msg_style = PAM_PROMPT_ECHO_OFF;
msg.msg = "Cool buddy: ";
printf("I got called\n");
if (pam_get_user(pamh, &pUsername, NULL) != PAM_SUCCESS) {
return PAM_AUTH_ERR;
}
pUrl = getArg("url", argc, argv);
if (!pUrl) {
return PAM_AUTH_ERR;
}
pCaFile = getArg("cafile", argc, argv);
if (pam_get_item(pamh, PAM_CONV, (const void**)&pItem) != PAM_SUCCESS || !pItem) {
fprintf(stderr, "Couldn't get pam_conv\n");
return PAM_AUTH_ERR;
}
pItem->conv(1, &pMsg, &pResp, pItem->appdata_ptr);
ret = PAM_SUCCESS;
if (getUrl(pUrl, pUsername, pResp[0].resp, pCaFile) != 0) {
ret = PAM_AUTH_ERR;
}
memset(pResp[0].resp, 0, strlen(pResp[0].resp));
free(pResp);
return ret;
}
PAM_EXTERN int
pam_sm_authenticate(pam_handle_t *pamh, int flags,
int argc, const char *argv[])
{
int ret;
int faked = 0;
const char *dir = NULL;
const char *fake_suite = NULL;
char *questions;
const char *user;
char *response = NULL;
char fmt[512];
(void)flags;
(void)argc;
(void)argv;
pam_get_item(pamh, PAM_USER, (const void **)&user);
openlog("pam_ocra", 0, LOG_AUTHPRIV);
fake_suite = openpam_get_option(pamh, "fake_prompt");
dir = openpam_get_option(pamh, "dir");
if (PAM_SUCCESS != (ret = challenge(dir, user, &questions))) {
if (PAM_NO_MODULE_DATA == ret && NULL != fake_suite) {
if (PAM_SUCCESS !=
(ret = fake_challenge(fake_suite, &questions)))
goto end;
faked = 1;
} else
goto end;
}
snprintf(fmt, 512, "OCRA Challenge: %s\nOCRA Response: ", questions);
if (PAM_SUCCESS != (ret = get_response(pamh, fmt, &response)))
goto end;
if (1 == faked)
ret = PAM_AUTH_ERR;
else
ret = verify(dir, user, questions, response);
free(response);
end:
closelog();
return ret;
}
static int _get_authtok (pam_handle_t * pamh)
{
int rc;
char *p;
struct pam_message msg[1], *pmsg[1];
struct pam_response *resp;
struct pam_conv *conv;
pmsg[0] = &msg[0];
msg[0].msg_style = PAM_PROMPT_ECHO_OFF;
msg[0].msg = "Password: ";
resp = NULL;
rc = pam_get_item (pamh, PAM_CONV, (const void **) &conv);
if (rc == PAM_SUCCESS)
{
rc = conv->conv (1,
(const struct pam_message **) pmsg,
&resp, conv->appdata_ptr);
}
else
{
return rc;
}
if (resp != NULL)
{
if (resp[0].resp == NULL)
{
free (resp);
return PAM_AUTH_ERR;
}
p = resp[0].resp;
/* leak if resp[0].resp is malloced. */
resp[0].resp = NULL;
}
else
{
return PAM_CONV_ERR;
}
free (resp);
pam_set_item (pamh, PAM_AUTHTOK, p);
return PAM_SUCCESS;
}
static void log_message(int priority, pam_handle_t *pamh, const char *format, ...) {
char *service = NULL;
if (pamh)
pam_get_item(pamh, PAM_SERVICE, (void *)&service);
if (!service)
service = "";
char logname[80];
snprintf(logname, sizeof(logname), "%s(" MODULE_NAME ")", service);
va_list args;
va_start(args, format);
openlog(logname, LOG_CONS | LOG_PID, LOG_AUTHPRIV);
vsyslog(priority, format, args);
va_end(args);
closelog();
}
static int set_the_terminal(pam_handle_t *pamh)
{
const char *tty;
if (pam_get_item(pamh, PAM_TTY, (const void **)&tty) != PAM_SUCCESS
|| tty == NULL) {
tty = ttyname(STDIN_FILENO);
if (tty == NULL) {
_pam_log(LOG_ERR, "couldn't get the tty name");
return PAM_ABORT;
}
if (pam_set_item(pamh, PAM_TTY, tty) != PAM_SUCCESS) {
_pam_log(LOG_ERR, "couldn't set tty name");
return PAM_ABORT;
}
}
return PAM_SUCCESS;
}
int pam_prompt(pam_handle_t *pamh, int style, char **response,
const char *format, ...)
{
int rc;
struct pam_conv *aconv;
char buffer[200];
va_list ap;
struct pam_message msg, *pmsg;
struct pam_response *resp;
/* the the conversion function */
rc = pam_get_item(pamh, PAM_CONV, (PAM_ITEM_CONST void **)&aconv);
if (rc != PAM_SUCCESS)
return rc;
/* make the message string */
va_start(ap, format);
vsnprintf(buffer, sizeof(buffer), format, ap);
buffer[sizeof(buffer) - 1] = '\0';
va_end(ap);
/* build the message */
msg.msg_style = style;
msg.msg = buffer;
pmsg = &msg;
resp = NULL;
rc = aconv->conv(1, (const struct pam_message **)&pmsg, &resp, aconv->appdata_ptr);
if (rc != PAM_SUCCESS)
return rc;
/* assign response if it is set */
if (response != NULL)
{
if (resp == NULL)
return PAM_CONV_ERR;
if (resp[0].resp == NULL)
{
free(resp);
return PAM_CONV_ERR;
}
*response = resp[0].resp;
}
else
free(resp[0].resp);
free(resp);
return PAM_SUCCESS;
}
static const char *
get_tty(pam_handle_t *pamh)
{
const void *void_terminal_line = NULL;
const char *terminal_line;
if (pam_get_item(pamh, PAM_TTY, &void_terminal_line) != PAM_SUCCESS
|| void_terminal_line == NULL) {
terminal_line = DEFAULT_TERM;
} else {
terminal_line = void_terminal_line;
}
if (!strncmp("/dev/", terminal_line, 5)) {
/* strip leading "/dev/" from tty. */
terminal_line += 5;
}
D(("terminal = %s", terminal_line));
return terminal_line;
}
static int
_PAMCreateAttributesFromHandle(pam_handle_t *pamh, CFDictionaryRef *pAttributes)
{
CFMutableDictionaryRef attributes = NULL;
const char *user;
int rc;
rc = pam_get_item(pamh, PAM_USER, (const void **)&user);
if (rc != PAM_SUCCESS)
return rc;
CFStringRef name = CFStringCreateWithCString(kCFAllocatorDefault, user, kCFStringEncodingUTF8);
if (name == NULL) {
CFRelease(attributes);
return PAM_BUF_ERR;
}
/* In case module returned PAM_TRY_AGAIN */
rc = pam_get_data(pamh, CREDUI_ATTR_DATA, (const void **)&attributes);
if (rc == PAM_SUCCESS && attributes) {
CFStringRef assertedName = (CFStringRef)CFDictionaryGetValue(attributes, kCUIAttrName);
if (assertedName && CFEqual(assertedName, name)) {
*pAttributes = (CFDictionaryRef)CFRetain(attributes);
CFRelease(name);
return PAM_SUCCESS;
}
}
attributes = CFDictionaryCreateMutable(kCFAllocatorDefault, 0, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks);
if (attributes == NULL)
return PAM_BUF_ERR;
CFDictionarySetValue(attributes, kCUIAttrNameType, kCUIAttrNameTypePosixName);
CFDictionarySetValue(attributes, kCUIAttrName, name);
/* we don't get AUTHTOK because it might prompt */
CFRelease(name);
*pAttributes = attributes;
return PAM_SUCCESS;
}
static int converse( pam_handle_t * pamh,
struct pam_message ** message,
struct pam_response ** response )
{
int retval;
void const * void_conv;
struct pam_conv const * conv;
retval = pam_get_item( pamh, PAM_CONV, & void_conv );
conv = (struct pam_conv const *) void_conv;
if( retval == PAM_SUCCESS )
{
retval = conv->conv( 1, (struct pam_message const **) message,
response, conv->appdata_ptr );
}
return retval;
}
/*
* This is a conversation function to obtain the user's password
*/
static int get_password(pam_handle_t * pamh, const char *message, const char **passwd)
{
struct pam_message msg[2], *pmsg[2];
struct pam_response *resp;
const struct pam_conv *conv;
pmsg[0] = &msg[0];
msg[0].msg = message;
msg[0].msg_style = PAM_PROMPT_ECHO_OFF;
if (pam_get_item(pamh, PAM_CONV, (const void **) &conv) == PAM_SUCCESS &&
conv->conv(1, (const struct pam_message **) &pmsg, &resp, conv->appdata_ptr) == PAM_SUCCESS &&
resp != NULL) {
*passwd = resp[0].resp;
free(resp);
return PAM_SUCCESS;
}
return PAM_SYSTEM_ERR;
}
char *get_response(pam_handle_t *pamh, const char *prompt, int verbose) {
struct pam_conv *conv;
int retval;
struct pam_message msg;
const struct pam_message *msgp;
struct pam_response *resp;
char *response;
char buffer[MAXBUFSIZE];
retval = pam_get_item(pamh, PAM_CONV, (const void**) &conv);
if (retval != PAM_SUCCESS) {
return NULL;
}
/* check if we want verbose input */
if ( verbose != 0 )
msg.msg_style = PAM_PROMPT_ECHO_ON;
else
msg.msg_style = PAM_PROMPT_ECHO_OFF;
if (prompt) {
snprintf(buffer, MAXBUFSIZE, "%s: ", prompt);
} else {
strcpy(buffer, "Password: ");
}
/* set up the conversation */
msg.msg = buffer;
msgp = &msg;
resp = NULL;
response = NULL;
retval = (*conv->conv)(1, &msgp, &resp, conv->appdata_ptr);
if (resp != NULL) {
if (retval == PAM_SUCCESS) {
response = resp->resp;
} else {
free(resp->resp);
}
free(resp);
}
return response;
}
int converse(pam_handle_t * pamh, int nargs, const struct pam_message *message,
struct pam_response **response) {
int retval;
struct pam_conv *conv;
if ((retval = pam_get_item (pamh, PAM_CONV, (const void **)&conv)) == PAM_SUCCESS) {
retval = conv->conv(nargs, &message, response, conv->appdata_ptr);
if (retval != PAM_SUCCESS) {
_pam_log(LOG_ERR, "(pam_tacplus) converse returned %d", retval);
_pam_log(LOG_ERR, "that is: %s", pam_strerror (pamh, retval));
}
} else {
_pam_log (LOG_ERR, "(pam_tacplus) converse failed to get pam_conv");
}
return retval;
}
static int converse(pam_handle_t *pamh, int style, lo_const char *text,
struct pam_response **resp)
{
struct pam_conv *conv;
struct pam_message msg, *pmsg;
int status;
status = pam_get_item(pamh, PAM_CONV, (pam_item_t *)&conv);
if (status != PAM_SUCCESS)
return status;
pmsg = &msg;
msg.msg_style = style;
msg.msg = text;
*resp = NULL;
return conv->conv(1, (lo_const struct pam_message **)&pmsg, resp,
conv->appdata_ptr);
}
/**
* EscalateModuleStartAddItem:
* @self: Module containing the PAM handle.
* @items: Array to append PAM item type and value tuples to.
* @item: Item type of the value to fetch using pam_get_item().
* @error: (out)(allow-none): Error return location or #NULL.
*
* Returns: #TRUE if there was no fatal error.
*/
static gboolean EscalateModuleStartAddItem(EscalateModule *self,
GVariantBuilder *items, gint item,
GError **error) {
const gchar *value = NULL;
gint status = pam_get_item(self->pamh, item, (const void **) &value);
switch (status) {
case PAM_SUCCESS:
g_variant_builder_add(items, "{ims}", item, value);
return TRUE;
case PAM_BAD_ITEM:
return TRUE;
default:
g_set_error(error, ESCALATE_MODULE_ERROR,
ESCALATE_MODULE_ERROR_GET_ITEM_FAILED,
"Failed to get PAM item %d: %s", item,
pam_strerror(self->pamh, status));
return FALSE;
}
}
static int
pamGssGetAuthTok(pam_handle_t *pamh,
int confFlags,
gss_buffer_t passwordBuf)
{
int status;
struct pam_conv *conv;
struct pam_message msg;
const struct pam_message *msgp;
struct pam_response *resp;
status = pam_get_item(pamh, PAM_CONV, (const void **)&conv);
BAIL_ON_PAM_ERROR(status);
if (conv == NULL) {
status = PAM_CONV_ERR;
goto cleanup;
}
msg.msg_style = PAM_PROMPT_ECHO_OFF;
msg.msg = PASSWORD_PROMPT;
msgp = &msg;
resp = NULL;
status = (*conv->conv)(1, &msgp, &resp, conv->appdata_ptr);
if (resp != NULL) {
if (status == PAM_SUCCESS)
passwordBuf->value = resp->resp;
else
free(resp->resp);
free(resp);
}
passwordBuf->length = passwordBuf->value ? strlen((char *)passwordBuf->value) : 0;
if (passwordBuf->length == 0 && (confFlags & FLAG_NULLOK) == 0) {
status = PAM_AUTH_ERR;
goto cleanup;
}
cleanup:
return status;
}
/*
* get_pam_user - Get the username according to PAM
*
* ptr_pam_user shall point to a malloc'ed string (or NULL).
*/
static void get_pam_user (char **ptr_pam_user)
{
int retcode;
void *ptr_user;
assert (NULL != ptr_pam_user);
retcode = pam_get_item (pamh, PAM_USER, (const void **)&ptr_user);
PAM_FAIL_CHECK;
if (NULL != *ptr_pam_user) {
free (*ptr_pam_user);
}
if (NULL != ptr_user) {
*ptr_pam_user = xstrdup ((const char *)ptr_user);
} else {
*ptr_pam_user = NULL;
}
}
/*
* Entry point from pam_open_session call.
*/
PAM_EXTERN int pam_sm_open_session(pam_handle_t *pamh, int flags,
int argc, const char **argv)
{
/* Parse arguments. */
if (argc < 1) {
pam_syslog(pamh, LOG_ERR, "usage: pam_unshare.so [group name]");
return PAM_SESSION_ERR;
}
pam_syslog(pamh, LOG_INFO, "Getting PAM_USER");
/* See http://www.linux-pam.org/Linux-PAM-html/mwg-expected-by-module-item.html */
const void *item_v;
int rc = pam_get_item(pamh, PAM_USER, &item_v);
const char *username = "******";
if(rc == PAM_SUCCESS) {
username = item_v;
}
pam_syslog(pamh, LOG_INFO, "pam_unshare, return code %d, found user %s", rc, username);
struct passwd* user = getpwnam(username);
if (user == NULL) {
pam_syslog(pamh, LOG_ERR, "getpwnam(%s) == NULL", username);
return PAM_SESSION_ERR;
}
struct group* group = getgrgid(user->pw_gid);
if (group == NULL) {
pam_syslog(pamh, LOG_ERR, "getgrgid(%d) == NULL", user->pw_gid);
return PAM_SESSION_ERR;
}
const char* target_group = argv[0];
if (strcmp(target_group, group->gr_name) == 0) {
pam_syslog(pamh, LOG_INFO, "found user in target group! calling unshare()");
if(unshare(CLONE_NEWNS) < 0) {
pam_syslog(pamh, LOG_ERR, "Unable to unshare from parent namespace, %m");
return PAM_SESSION_ERR;
}
}
return PAM_SUCCESS;
}
static int
_PAMSetTargetNameWithService(pam_handle_t *pamh, CUIControllerRef controller)
{
const char *service = NULL;
CFStringRef cfService;
int rc;
rc = pam_get_item(pamh, PAM_SERVICE, (const void **)&service);
if (rc != PAM_SUCCESS)
return rc;
cfService = CFStringCreateWithCString(kCFAllocatorDefault, service, kCFStringEncodingUTF8);
if (cfService == NULL)
return PAM_BUF_ERR;
CUIControllerSetTargetName(controller, cfService);
CFRelease(cfService);
return PAM_SUCCESS;
}
static int prompt_password(pam_handle_t *pamh, const char **password)
{
int ret;
const struct pam_conv *conv;
ret = pam_get_item (pamh, PAM_CONV, (const void **) &conv);
if (ret != PAM_SUCCESS) return ret;
const struct pam_message *pmsg[1];
struct pam_message msg[1];
msg[0].msg_style = PAM_PROMPT_ECHO_OFF;
msg[0].msg = "Multipass: ";
pmsg[0] = &msg[0];
struct pam_response *resp = NULL;
ret = conv->conv(1, pmsg, &resp, conv->appdata_ptr);
if (ret != PAM_SUCCESS) return ret;
*password = resp->resp;
free(resp);
return PAM_SUCCESS;
}
static int init(pam_handle_t *pamh,struct pld_cfg *cfg,struct pld_ctx **ctx,
const char **username,const char **service)
{
int rc;
struct passwd *pwent;
/* get user name */
rc=pam_get_user(pamh,username,NULL);
if (rc!=PAM_SUCCESS)
{
pam_syslog(pamh,LOG_ERR,"failed to get user name: %s",pam_strerror(pamh,rc));
return rc;
}
if ((*username==NULL)||((*username)[0]=='\0'))
{
pam_syslog(pamh,LOG_ERR,"got empty user name");
return PAM_USER_UNKNOWN;
}
/* check uid */
if (cfg->minimum_uid>0)
{
pwent=pam_modutil_getpwnam(args->pamh,*username);
if ((pwent!=NULL)&&(pwent->pw_uid<cfg->minimum_uid))
{
if (cfg->debug)
pam_syslog(pamh,LOG_DEBUG,"uid below minimum_uid; user=%s uid=%ld",*username,(long)pwent->pw_uid);
return cfg->ignore_unknown_user?PAM_IGNORE:PAM_USER_UNKNOWN;
}
}
/* get our context */
rc=ctx_get(pamh,*username,ctx);
if (rc!=PAM_SUCCESS)
return rc;
/* get service name */
rc=pam_get_item(pamh,PAM_SERVICE,(const void **)service);
if (rc!=PAM_SUCCESS)
{
pam_syslog(pamh,LOG_ERR,"failed to get service name: %s",pam_strerror(pamh,rc));
return rc;
}
return PAM_SUCCESS;
}
/**
* This function lets us do IO via PAM
* @param pam_handle The PAM handle
* @param pam_argc The number of args
* @param pam_message The message to prompt
* @param pam_response The user response
* @return A PAM return code
* @see pam_unix/support.c
*/
int
pam_converse(pam_handle_t *pam_handle, int pam_argc,
struct pam_message **pam_message, struct pam_response **pam_response)
{
/* PAM data */
struct pam_conv *pam_conversation;
int pam_status;
/* Check feasibility of PAM conversations */
pam_status = pam_get_item(pam_handle, PAM_CONV,
(const void **) &pam_conversation);
/* Converse with PAM */
if(pam_status == PAM_SUCCESS)
pam_status = pam_conversation->conv(pam_argc,
(const struct pam_message **) pam_message, pam_response,
pam_conversation->appdata_ptr);
/* Return PAM status */
return pam_status;
}
static int record_host(const abl_args *args, abl_info *info, time_t tm) {
if (NULL != args->host_db) {
const void *rhost;
int err;
if (err = pam_get_item(args->pamh, PAM_RHOST, &rhost), PAM_SUCCESS != err) {
log_pam_error(args, err, "getting PAM_RHOST");
return err;
}
if (NULL != rhost) {
info->subject = HOST;
info->host = rhost;
return record(args, info, tm, args->host_purge);
} else {
log_debug(args, "PAM_RHOST is NULL");
return 0;
}
} else {
return 0;
}
}
static int pam_http_get_password(pam_handle_t* pamh, char** password)
{
int retval, retry;
struct pam_conv* conv;
struct pam_message msg;
const struct pam_message* msgp;
struct pam_response* resp;
retval = pam_get_item(pamh, PAM_CONV, (const void**)&conv);
if (retval != PAM_SUCCESS)
return PAM_SYSTEM_ERR;
msg.msg_style = PAM_PROMPT_ECHO_OFF;
msg.msg = password_prompt;
msgp = &msg;
for (retry = 0; retry < 3; ++retry) {
resp = NULL;
retval = (*conv->conv)(1, &msgp, &resp, conv->appdata_ptr);
if (resp != NULL) {
if (retval == PAM_SUCCESS)
*password = resp->resp;
else
free(resp->resp);
free(resp);
}
if (retval == PAM_SUCCESS)
break;
}
if (retval == PAM_CONV_ERR)
return retval;
if (retval != PAM_SUCCESS)
return PAM_AUTH_ERR;
return PAM_SUCCESS;
}
int
pam_sm_setcred(pam_handle_t *pamh, int flags, int argc, const char **argv)
{
parse_ctrl(argc, argv);
ENTRY("pam_sm_setcred");
switch (flags & ~PAM_SILENT) {
case 0:
case PAM_ESTABLISH_CRED:
if (k_hasafs())
k_setpag();
/* Fall through, fill PAG with credentials below. */
case PAM_REINITIALIZE_CRED:
case PAM_REFRESH_CRED:
if (k_hasafs())
{
void *user = 0;
if (pam_get_item(pamh, PAM_USER, &user) == PAM_SUCCESS)
{
struct passwd *pw = getpwnam((char *)user);
if (pw != 0)
krb_afslog_uid_home(/*cell*/ 0,/*realm_hint*/ 0,
pw->pw_uid, pw->pw_dir);
}
}
break;
case PAM_DELETE_CRED:
dest_tkt();
if (k_hasafs())
k_unlog();
break;
default:
psyslog(LOG_ALERT , "pam_sm_setcred: unknown flags 0x%x", flags);
break;
}
return PAM_SUCCESS;
}
static int pam_auth_user(void* ctx, char *username, int username_size)
{
const char* user = NULL;
struct pam_ctx_st * pctx = ctx;
int pret;
username[0] = 0;
pret = pam_get_item(pctx->ph, PAM_USER, (const void **)&user);
if (pret != PAM_SUCCESS) {
/*syslog(LOG_AUTH, "PAM-auth: pam_get_item(PAM_USER): %s", pam_strerror(pctx->ph, pret));*/
return -1;
}
if (user != NULL) {
strlcpy(username, user, username_size);
return 0;
}
return -1;
}
/* this is a front-end for module-application conversations */
static int converse(pam_handle_t *pamh, int ctrl, int nargs,
struct pam_message **message,
struct pam_response **response)
{
int retval;
struct pam_conv *conv;
retval = pam_get_item(pamh, PAM_CONV, (const void **) &conv);
if ( retval == PAM_SUCCESS ) {
retval = conv->conv(nargs, (const struct pam_message **)message,
response, conv->appdata_ptr);
if (retval != PAM_SUCCESS && (ctrl && PAM_DEBUG_ARG)) {
_pam_log(LOG_DEBUG, "conversation failure [%s]",
pam_strerror(pamh, retval));
}
} else {
_pam_log(LOG_ERR, "couldn't obtain coversation function [%s]",
pam_strerror(pamh, retval));
}
return retval; /* propagate error status */
}
