int pam_start(const char *service, const char *user, const struct pam_conv *pam_conv, pam_handle_t **pamh) { char hostname[HOST_NAME_MAX + 1]; struct pam_handle *ph; int r; ENTER(); if ((ph = calloc(1, sizeof *ph)) == NULL) RETURNC(PAM_BUF_ERR); if ((r = pam_set_item(ph, PAM_SERVICE, service)) != PAM_SUCCESS) goto fail; if (gethostname(hostname, sizeof hostname) != 0) strlcpy(hostname, "localhost", sizeof hostname); if ((r = pam_set_item(ph, PAM_HOST, hostname)) != PAM_SUCCESS) goto fail; if ((r = pam_set_item(ph, PAM_USER, user)) != PAM_SUCCESS) goto fail; if ((r = pam_set_item(ph, PAM_CONV, pam_conv)) != PAM_SUCCESS) goto fail; if ((r = openpam_configure(ph, service)) != PAM_SUCCESS) goto fail; *pamh = ph; openpam_log(PAM_LOG_DEBUG, "pam_start(\"%s\") succeeded", service); RETURNC(PAM_SUCCESS); fail: pam_end(ph, r); RETURNC(r); }
int xlsh_session_open(const char* service, const char* user, pam_handle_t** handle) { struct pam_conv conv = { xlsh_session_conv, NULL }; pam_handle_t* pam_handle; if(pam_start(service, user, &conv, &pam_handle) != PAM_SUCCESS) return XLSH_ERROR; if(xlsh_X) pam_set_item(pam_handle, PAM_TTY, XLSH_XTTY); else pam_set_item(pam_handle, PAM_TTY, ttyname(0)); if(pam_authenticate(pam_handle, 0) != PAM_SUCCESS) { pam_end(pam_handle, 0); return XLSH_ERROR; } if(pam_acct_mgmt(pam_handle, 0) != PAM_SUCCESS) { pam_end(pam_handle, 0); return XLSH_ERROR; } if(pam_setcred(pam_handle, PAM_ESTABLISH_CRED) != PAM_SUCCESS) { pam_end(pam_handle, 0); return XLSH_ERROR; } if(pam_open_session(pam_handle, 0) != PAM_SUCCESS) { pam_setcred(pam_handle, PAM_DELETE_CRED); pam_end(pam_handle, 0); return XLSH_ERROR; } *handle = pam_handle; return XLSH_EOK; }
/* Creates a pam handle for the auto login */ static gboolean create_pamh (MdmDisplay *d, const char *service, const char *login, struct pam_conv *conv, const char *display, int *pamerr) { if (display == NULL) { mdm_error ("Cannot setup pam handle with null display"); return FALSE; } if (pamh != NULL) { mdm_error ("create_pamh: Stale pamh around, cleaning up"); pam_end (pamh, PAM_SUCCESS); } /* init things */ pamh = NULL; opened_session = FALSE; did_setcred = FALSE; /* Initialize a PAM session for the user */ if ((*pamerr = pam_start (service, login, conv, &pamh)) != PAM_SUCCESS) { pamh = NULL; /* be anal */ if (mdm_slave_action_pending ()) mdm_error ("Unable to establish service %s: %s\n", service, pam_strerror (NULL, *pamerr)); return FALSE; } /* Inform PAM of the user's tty */ if ((*pamerr = pam_set_item (pamh, PAM_TTY, display)) != PAM_SUCCESS) { if (mdm_slave_action_pending ()) mdm_error ("Can't set PAM_TTY=%s", display); return FALSE; } if ( ! d->attached) { /* Only set RHOST if host is remote */ /* From the host of the display */ if ((*pamerr = pam_set_item (pamh, PAM_RHOST, d->hostname)) != PAM_SUCCESS) { if (mdm_slave_action_pending ()) mdm_error ("Can't set PAM_RHOST=%s", d->hostname); return FALSE; } } // Preselect the previous user if (do_we_need_to_preset_the_username) { do_we_need_to_preset_the_username = FALSE; mdm_preselect_user(pamerr); } return TRUE; }
bool PAMAuthenticator::authenticate(void) { pam_conv c; c.conv = PAMAuthenticator::conv; c.appdata_ptr = this; int res = pam_start("repwatchproxy", 0, &c, &this->m_ph); if (res == PAM_SUCCESS) { res = pam_set_item(this->m_ph, PAM_RUSER, this->m_user.constData()); if (res != PAM_SUCCESS) { goto getout; } res = pam_set_item(this->m_ph, PAM_RHOST, this->m_host.constData()); if (res != PAM_SUCCESS) { goto getout; } res = pam_authenticate(this->m_ph, 0); if (res != PAM_SUCCESS) { goto getout; } res = pam_acct_mgmt(this->m_ph, 0); if (PAM_NEW_AUTHTOK_REQD == res) { res = pam_chauthtok(this->m_ph, PAM_CHANGE_EXPIRED_AUTHTOK); } if (res != PAM_SUCCESS) { goto getout; } res = pam_setcred(this->m_ph, PAM_ESTABLISH_CRED); if (res != PAM_SUCCESS) { goto getout; } res = pam_open_session(this->m_ph, 0); if (res != PAM_SUCCESS) { goto getout; } return true; getout: qWarning("%s: %s", Q_FUNC_INFO, pam_strerror(this->m_ph, res)); pam_end(this->m_ph, res); } else { qCritical("PAM initialization failed"); } this->m_ph = 0; return false; }
int pam_setup (char *user, char *host) { /* * Any application using PAM must provide a conversion function, which * is used for direct communication between a loaded module and the * application. In this case, SLURM does need a communication mechanism, * so the default (or null) conversation function may be used. */ struct pam_conv conv = {misc_conv, NULL}; int rc = 0; if (!conf->use_pam) return SLURM_SUCCESS; /* * SLURM uses PAM to obtain resource limits established by the system * administrator. PAM's session management library is responsible for * handling resource limits. When a PAM session is opened on behalf of * a user, the limits imposed by the sys admin are picked up. Opening * a PAM session requires a PAM handle, which is obtained when the PAM * interface is initialized. (PAM handles are required with essentially * all PAM calls.) It's also necessary to have the users PAM credentials * to open a user session. */ if ((rc = pam_start (SLURM_SERVICE_PAM, user, &conv, &pam_h)) != PAM_SUCCESS) { error ("pam_start: %s", pam_strerror(pam_h, rc)); return SLURM_ERROR; } else if ((rc = pam_set_item (pam_h, PAM_USER, user)) != PAM_SUCCESS) { error ("pam_set_item USER: %s", pam_strerror(pam_h, rc)); return SLURM_ERROR; } else if ((rc = pam_set_item (pam_h, PAM_RUSER, user)) != PAM_SUCCESS) { error ("pam_set_item RUSER: %s", pam_strerror(pam_h, rc)); return SLURM_ERROR; } else if ((rc = pam_set_item (pam_h, PAM_RHOST, host)) != PAM_SUCCESS) { error ("pam_set_item HOST: %s", pam_strerror(pam_h, rc)); return SLURM_ERROR; } else if ((rc = pam_setcred (pam_h, PAM_ESTABLISH_CRED)) != PAM_SUCCESS) { error ("pam_setcred: %s", pam_strerror(pam_h, rc)); return SLURM_ERROR; } else if ((rc = pam_open_session (pam_h, 0)) != PAM_SUCCESS) { error("pam_open_session: %s", pam_strerror(pam_h, rc)); return SLURM_ERROR; } return SLURM_SUCCESS; }
static int sshpam_init(Authctxt *authctxt) { extern char *__progname; const char *pam_rhost, *pam_user, *user = authctxt->user; const char **ptr_pam_user = &pam_user; struct ssh *ssh = active_state; /* XXX */ if (sshpam_handle != NULL) { /* We already have a PAM context; check if the user matches */ sshpam_err = pam_get_item(sshpam_handle, PAM_USER, (sshpam_const void **)ptr_pam_user); if (sshpam_err == PAM_SUCCESS && strcmp(user, pam_user) == 0) return (0); pam_end(sshpam_handle, sshpam_err); sshpam_handle = NULL; } debug("PAM: initializing for \"%s\"", user); sshpam_err = pam_start(SSHD_PAM_SERVICE, user, &store_conv, &sshpam_handle); sshpam_authctxt = authctxt; if (sshpam_err != PAM_SUCCESS) { pam_end(sshpam_handle, sshpam_err); sshpam_handle = NULL; return (-1); } pam_rhost = auth_get_canonical_hostname(ssh, options.use_dns); debug("PAM: setting PAM_RHOST to \"%s\"", pam_rhost); sshpam_err = pam_set_item(sshpam_handle, PAM_RHOST, pam_rhost); if (sshpam_err != PAM_SUCCESS) { pam_end(sshpam_handle, sshpam_err); sshpam_handle = NULL; return (-1); } #ifdef PAM_TTY_KLUDGE /* * Some silly PAM modules (e.g. pam_time) require a TTY to operate. * sshd doesn't set the tty until too late in the auth process and * may not even set one (for tty-less connections) */ debug("PAM: setting PAM_TTY to \"ssh\""); sshpam_err = pam_set_item(sshpam_handle, PAM_TTY, "ssh"); if (sshpam_err != PAM_SUCCESS) { pam_end(sshpam_handle, sshpam_err); sshpam_handle = NULL; return (-1); } #endif return (0); }
bool MainWindow::doAuthenticate() { Authenticated = false; LoginDialog dialog(this); if (dialog.exec()) { pcode = dialog.getPass(); static pam_handle_t *pamh; struct pam_conv pamc = { converse, this }; char hostname[MAXHOSTNAMELEN]; char *ruser; int retcode = 0; char user[] = "root"; pam_start("su", user, &pamc, &pamh); gethostname(hostname, sizeof(hostname)); if ((retcode = pam_set_item(pamh, PAM_RHOST, hostname)) != PAM_SUCCESS) { pcode = ""; dialog.clearPass(); qDebug() << "pam_set_item hostname failed. " << pam_strerror(pamh, retcode); return false; } ruser = getlogin(); if ((retcode = pam_set_item(pamh, PAM_RUSER, ruser)) != PAM_SUCCESS) { pcode = ""; dialog.clearPass(); qDebug() << "pam_set_item remote user failed. " << pam_strerror(pamh, retcode); return false; } if ((retcode = pam_authenticate(pamh, 0)) != PAM_SUCCESS) { pcode = ""; dialog.clearPass(); qDebug() << "pam_authenticate failed. " << pam_strerror(pamh, retcode); return false; } Authenticated = true; qDebug() << "Authenticated as root. "; pcode = ""; dialog.clearPass(); return true; } qDebug() << "Not Authenticated as root."; Authenticated = false; return false; }
static int do_accept(pam_handle_t *pamh, struct rad_handle *radh) { int attrtype; const void *attrval; size_t attrlen; char *s; while ((attrtype = rad_get_attr(radh, &attrval, &attrlen)) > 0) { if (attrtype == RAD_USER_NAME) { s = rad_cvt_string(attrval, attrlen); if (s == NULL) { syslog(LOG_CRIT, "rad_cvt_string: out of memory"); return (-1); } pam_set_item(pamh, PAM_USER, s); free(s); } } if (attrtype == -1) { syslog(LOG_CRIT, "rad_get_attr: %s", rad_strerror(radh)); return (-1); } return (0); }
pam_handle_t * init_pam(const char *username, const char *tty, int log) { pam_handle_t *pamh = 0; int rc = pam_start("vlock", username, &conv, &pamh); if (rc != PAM_SUCCESS) { /* pam_strerror is not available atm. */ if (log) syslog(LOG_WARNING, "pam_start failed: %m"); else kbd_warning(errno, "pam_start"); return 0; } rc = pam_set_item(pamh, PAM_TTY, tty); if (rc != PAM_SUCCESS) { if (log) syslog(LOG_WARNING, "pam_set_item: %s", pam_strerror(pamh, rc)); else kbd_warning(0, "pam_set_item: %s", pam_strerror(pamh, rc)); pam_end(pamh, rc); return 0; } return pamh; }
static int auth(const char *password) { pam_handle_t* pamh; struct passwd *pw; if ((pw = getpwuid(getuid())) == NULL) return 0; struct pam_response * reply = malloc(sizeof(struct pam_response)); if (!reply) return 0; struct pam_conv pamc = { conversation, reply }; int rc = 0; reply->resp = strdup(password); reply->resp_retcode = 0; pam_start("slock", pw->pw_name, &pamc, &pamh); if (pam_set_item(pamh, PAM_AUTHTOK, password) == PAM_SUCCESS && pam_authenticate(pamh,PAM_DISALLOW_NULL_AUTHTOK) == PAM_SUCCESS && pam_acct_mgmt(pamh, 0) == PAM_SUCCESS && pam_setcred(pamh, PAM_REFRESH_CRED) == PAM_SUCCESS) { rc = 1; } pam_end(pamh,0); return rc; }
void context::erase(pam::item item) { if(item == pam::item::conv || item == pam::item::fail_delay) throw item_error(_M_pamh, errc::bad_item); _M_code = pam_set_item(_M_pamh, static_cast<int>(item), nullptr); if(errc(_M_code) != errc::success) throw item_error(_M_pamh, _M_code); }
bool AuthorizationManager::pam_checkPW(QString user, QString pass){ //Convert the inputs to C character arrays for use in PAM QByteArray tmp = user.toUtf8(); char* cUser = tmp.data(); QByteArray tmp2 = pass.toUtf8(); char* cPassword = tmp2.data(); //initialize variables bool result = false; int ret; //Initialize PAM ret = pam_start( user=="root" ? "system": "login", cUser, &pamc, &pamh); if( ret == PAM_SUCCESS ){ //Place the user-supplied password into the structure ret = pam_set_item(pamh, PAM_AUTHTOK, cPassword); //Set the TTY //ret = pam_set_item(pamh, PAM_TTY, "pcdm-terminal"); //Authenticate with PAM ret = pam_authenticate(pamh,0); if( ret == PAM_SUCCESS ){ //Check for valid, unexpired account and verify access restrictions ret = pam_acct_mgmt(pamh,0); if( ret == PAM_SUCCESS ){ result = true; } }else{ pam_logFailure(ret); } } //return verification result return result; }
static int get_response(pam_handle_t *pamh, char *prompt, char **response) { int ret; struct pam_message msg; const struct pam_message *msgp = &msg; const struct pam_conv *conv = NULL; struct pam_response *presponse = NULL; pam_get_item(pamh, PAM_CONV, (const void **)&conv); pam_set_item(pamh, PAM_AUTHTOK, NULL); msg.msg_style = PAM_PROMPT_ECHO_ON; msg.msg = prompt; ret = (*conv->conv) (1, &msgp, &presponse, conv->appdata_ptr); if (NULL != presponse) { if (PAM_SUCCESS == ret) { *response = presponse->resp; presponse->resp = NULL; } } return ret; }
int main(int argc, char *argv[]) { pam_handle_t *pamh = NULL; char *user, *host = NULL; int ret; if (argc < 2) { fprintf(stderr, "Usage: testpam <user> [host]\n"); exit(EXIT_FAILURE); } user = argv[1]; if (argc > 2) host = argv[2]; if ((ret = pam_start("testpam", user, &conv, &pamh)) != PAM_SUCCESS) { die(pamh, ret); } if (host != NULL) { if ((ret = pam_set_item(pamh, PAM_RHOST, host)) != PAM_SUCCESS) die(pamh, ret); } if ((ret = pam_authenticate(pamh, 0)) != PAM_SUCCESS) { die(pamh, ret); } if ((ret = pam_end(pamh, ret)) != PAM_SUCCESS) { die(pamh, ret); } exit(EXIT_SUCCESS); }
PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags UNUSED, int argc, const char **argv) { int retval; const char *user=NULL; /* * authentication requires we know who the user wants to be */ retval = pam_get_user(pamh, &user, NULL); if (retval != PAM_SUCCESS) { D(("get user returned error: %s", pam_strerror(pamh,retval))); return retval; } if (user == NULL || *user == '\0') { D(("username not known")); retval = pam_set_item(pamh, PAM_USER, (const void *) DEFAULT_USER); if (retval != PAM_SUCCESS) return retval; } user = NULL; /* clean up */ retval = parse_args(PAM_SUCCESS, "auth", pamh, argc, argv); return retval; }
int pam_get_user(pam_handle_t *pamh, const char **user, const char *prompt) { const void *promptp; char *resp; int r; ENTER(); if (pamh == NULL || user == NULL) RETURNC(PAM_SYSTEM_ERR); r = pam_get_item(pamh, PAM_USER, (const void **)user); if (r == PAM_SUCCESS && *user != NULL) RETURNC(PAM_SUCCESS); if (prompt == NULL) { r = pam_get_item(pamh, PAM_USER_PROMPT, &promptp); if (r != PAM_SUCCESS || promptp == NULL) prompt = user_prompt; else prompt = promptp; } r = pam_prompt(pamh, PAM_PROMPT_ECHO_ON, &resp, "%s", prompt); if (r != PAM_SUCCESS) RETURNC(r); r = pam_set_item(pamh, PAM_USER, resp); FREE(resp); if (r != PAM_SUCCESS) RETURNC(r); r = pam_get_item(pamh, PAM_USER, (const void **)user); RETURNC(r); }
bool XProcess::pam_checkPW(){ //Requires internal "xuser" and "xpwd" variables to be set //Convert the inputs to C character arrays for use in PAM QByteArray tmp = xuser.toUtf8(); char* cUser = tmp.data(); QByteArray tmp2 = xpwd.toUtf8(); char* cPassword = tmp2.data(); //initialize variables bool result = FALSE; int ret; //Initialize PAM ret = pam_start("login", cUser, &pamc, &pamh); if( ret == PAM_SUCCESS ){ pam_started = TRUE; //flag that pam is started //Place the user-supplied password into the structure ret = pam_set_item(pamh, PAM_AUTHTOK, cPassword); //Set the TTY //ret = pam_set_item(pamh, PAM_TTY, "pcdm-terminal"); //Authenticate with PAM ret = pam_authenticate(pamh,0); if( ret == PAM_SUCCESS ){ //Check for valid, unexpired account and verify access restrictions ret = pam_acct_mgmt(pamh,0); if( ret == PAM_SUCCESS ){ result = TRUE; } }else{ pam_logFailure(ret); } } //return verification result return result; }
int pam_get_confirm_pass(pam_handle_t *pamh, const char **passp, const char *prompt1, const char *prompt2, int options) { int retval = PAM_AUTH_ERR; int i; const void *item = NULL; const struct pam_conv *conv; struct pam_message msgs[2]; const struct pam_message *pmsgs[2]; struct pam_response *resp; /* Grab the already-entered password if we might want to use it.*/ if (options & (PAM_OPT_TRY_FIRST_PASS | PAM_OPT_USE_FIRST_PASS)) { if ((retval = pam_get_item(pamh, PAM_AUTHTOK, (const void **)&item)) != PAM_SUCCESS) return retval; } if (item == NULL) { if (options & PAM_OPT_USE_FIRST_PASS) return PAM_AUTH_ERR; if ((retval = pam_get_item(pamh, PAM_CONV, (const void **)&item)) != PAM_SUCCESS) return retval; conv = (const struct pam_conv *)item; for(i = 0; i < 2; i++) msgs[i].msg_style = (options & PAM_OPT_ECHO_PASS) ? PAM_PROMPT_ECHO_ON : PAM_PROMPT_ECHO_OFF; msgs[0].msg = prompt1; msgs[1].msg = prompt2; pmsgs[0] = &msgs[0]; pmsgs[1] = &msgs[1]; if((retval = conv->conv(2, pmsgs, &resp, conv->appdata_ptr)) != PAM_SUCCESS) return retval; if(!resp) return PAM_AUTHTOK_RECOVERY_ERR; if(strcmp(resp[0].resp, resp[1].resp) != 0) return PAM_AUTHTOK_RECOVERY_ERR; retval = pam_set_item(pamh, PAM_AUTHTOK, resp[0].resp); memset(resp[0].resp, 0, strlen(resp[0].resp)); memset(resp[1].resp, 0, strlen(resp[1].resp)); free(resp[0].resp); free(resp[1].resp); free(resp); if(retval == PAM_SUCCESS) { item = NULL; retval = pam_get_item(pamh, PAM_AUTHTOK, (const void **)&item); } } *passp = (const char*)item; return retval; }
/* * plogout - Logout the user. */ static void plogout(void) { #ifdef USE_PAM struct pam_conv pam_conversation; pam_handle_t *pamh; int pam_error; /* * Fill the pam_conversion structure. The PAM specification states that the * session must be able to be closed by a totally different handle from which * it was created. Hold the PAM group to their own specification! */ memset (&pam_conversation, '\0', sizeof (struct pam_conv)); pam_conversation.conv = &pam_conv; pam_error = pam_start ("ppp", user, &pam_conversation, &pamh); if (pam_error == PAM_SUCCESS) { pam_set_item (pamh, PAM_TTY, devnam); pam_close_session (pamh, PAM_SILENT); pam_end (pamh, PAM_SUCCESS); } #else char *tty; tty = devnam; if (strncmp(tty, _PATH_DEV, sizeof _PATH_DEV - 1) == 0) tty += 5; logwtmp(tty, "", ""); /* Wipe out wtmp logout entry */ logout(tty); /* Wipe out utmp */ #endif logged_in = FALSE; }
int auth_pam(const char *user, const char *pw, char **msg, ev_tstamp *delay) { char status[BUF_SIZE] = ""; int pam_res = -1; auth_pam_data_t data; struct pam_conv conv_info; pam_handle_t *pamh = NULL; data.user = user; data.pw = pw; data.delay = 0.0; conv_info.conv = &auth_pam_conv; conv_info.appdata_ptr = (void *)&data; /* Start pam. */ if (PAM_SUCCESS != (pam_res = pam_start("entente", user, &conv_info, &pamh))) { sprintf(status, "PAM: Could not start pam service: %s\n", pam_strerror(pamh, pam_res)); } else { /* Set failure delay handler function. */ if (PAM_SUCCESS != (pam_res = pam_set_item(pamh, PAM_FAIL_DELAY, &auth_pam_delay))) sprintf(status, "PAM: Could not set failure delay handler: %s\n", pam_strerror(pamh, pam_res)); /* Try auth. */ else if (PAM_SUCCESS != (pam_res = pam_authenticate(pamh, PAM_DISALLOW_NULL_AUTHTOK))) sprintf(status, "PAM: user %s - not authenticated: %s\n", user, pam_strerror(pamh, pam_res)); /* Check that the account is healthy. */ else if (PAM_SUCCESS != (pam_res = pam_acct_mgmt(pamh, PAM_DISALLOW_NULL_AUTHTOK))) sprintf(status, "PAM: user %s - invalid account: %s", user, pam_strerror(pamh, pam_res)); pam_end(pamh, PAM_SUCCESS); } *msg = XSTRDUP(status); *delay = data.delay; return pam_res; }
/* authenticate_via_pam() * * in: pw - struct containing data from our user's line in * the passwd file. * out: nothing * return: value condition * ----- --------- * 1 PAM thinks that the user authenticated themselves properly * 0 otherwise * * This function uses PAM to authenticate the user running this * program. This is the only function in this program that makes PAM * calls. */ int authenticate_via_pam(const char *ttyn, pam_handle_t * pam_handle) { int result = 0; /* set to 0 (not authenticated) by default */ int pam_rc; /* pam return code */ const char *tty_name; if (ttyn) { if (strncmp(ttyn, "/dev/", 5) == 0) tty_name = ttyn + 5; else tty_name = ttyn; pam_rc = pam_set_item(pam_handle, PAM_TTY, tty_name); if (pam_rc != PAM_SUCCESS) { fprintf(stderr, _("failed to set PAM_TTY\n")); goto out; } } /* Ask PAM to authenticate the user running this program */ pam_rc = pam_authenticate(pam_handle, 0); if (pam_rc != PAM_SUCCESS) { goto out; } /* Ask PAM to verify acct_mgmt */ pam_rc = pam_acct_mgmt(pam_handle, 0); if (pam_rc == PAM_SUCCESS) { result = 1; /* user authenticated OK! */ } out: return result; } /* authenticate_via_pam() */
bool PamHandle::setItem(int item_type, const void* item) { m_result = pam_set_item(m_handle, item_type, item); if (m_result != PAM_SUCCESS) { qWarning() << "[PAM] setItem:" << pam_strerror(m_handle, m_result); } return m_result == PAM_SUCCESS; }
/* Attempt password authentation using PAM */ int auth_pam_password(Authctxt *authctxt, const char *password) { int retval; /* Ensure we have a fresh PAM handle / state */ new_start_pam(authctxt, &conv); retval = pam_set_item(authctxt->pam->h, PAM_AUTHTOK, password); if (retval != PAM_SUCCESS) return 1; retval = pam_authenticate(authctxt->pam->h, options.permit_empty_passwd ? 0 : PAM_DISALLOW_NULL_AUTHTOK); if (retval != PAM_SUCCESS) return 0; if ((retval = finish_userauth_do_pam(authctxt)) != PAM_SUCCESS) return 0; if (authctxt->method) authctxt->method->authenticated = 1; /* SSHv2 */ return 1; }
static int pam_conv_pass(pam_handle_t * pamh, const char *prompt, int options) { int retval; const void *item; const struct pam_conv *conv; struct pam_message msg; const struct pam_message *msgs[1]; struct pam_response *resp; if ((retval = pam_get_item(pamh, PAM_CONV, &item)) != PAM_SUCCESS) return retval; conv = (const struct pam_conv *)item; msg.msg_style = options & PAM_OPT_ECHO_PASS ? PAM_PROMPT_ECHO_ON : PAM_PROMPT_ECHO_OFF; msg.msg = prompt; msgs[0] = &msg; if ((retval = conv->conv(1, msgs, &resp, conv->appdata_ptr)) != PAM_SUCCESS) return retval; if ((retval = pam_set_item(pamh, PAM_AUTHTOK, resp[0].resp)) != PAM_SUCCESS) return retval; memset(resp[0].resp, 0, strlen(resp[0].resp)); free(resp[0].resp); free(resp); return PAM_SUCCESS; }
void context::insert(pam::item item, const std::string& value) { if(item == pam::item::conv || item == pam::item::fail_delay) throw item_error(_M_pamh, errc::bad_item); _M_code = pam_set_item(_M_pamh, static_cast<int>(item), value.data()); if(errc(_M_code) != errc::success) throw item_error(_M_pamh, _M_code); }
/* * Conversation function to obtain the user's password */ static int obtain_authtok(pam_handle_t *pamh) { char *resp; const void *item; int retval; retval = pam_prompt(pamh, PAM_PROMPT_ECHO_OFF, &resp, _("Password: ")); if (retval != PAM_SUCCESS) return retval; if (resp == NULL) return PAM_CONV_ERR; /* set the auth token */ retval = pam_set_item(pamh, PAM_AUTHTOK, resp); /* clean it up */ _pam_overwrite(resp); _pam_drop(resp); if ( (retval != PAM_SUCCESS) || (retval = pam_get_item(pamh, PAM_AUTHTOK, &item)) != PAM_SUCCESS ) { return retval; } return retval; }
void do_pam_setcred(int init) { sshpam_err = pam_set_item(sshpam_handle, PAM_CONV, (const void *)&store_conv); if (sshpam_err != PAM_SUCCESS) fatal("PAM: failed to set PAM_CONV: %s", pam_strerror(sshpam_handle, sshpam_err)); if (init) { debug("PAM: establishing credentials"); sshpam_err = pam_setcred(sshpam_handle, PAM_ESTABLISH_CRED); } else { debug("PAM: reinitializing credentials"); sshpam_err = pam_setcred(sshpam_handle, PAM_REINITIALIZE_CRED); } if (sshpam_err == PAM_SUCCESS) { sshpam_cred_established = 1; return; } if (sshpam_authenticated) fatal("PAM: pam_setcred(): %s", pam_strerror(sshpam_handle, sshpam_err)); else debug("PAM: pam_setcred(): %s", pam_strerror(sshpam_handle, sshpam_err)); }
static void pamvprompt(pam_handle_t *pamh, int style, char **resp, char *fmt, va_list ap) {/*{{{*/ struct pam_conv *conv; struct pam_message msg; const struct pam_message *msgp; struct pam_response *pamresp; int pam_err; char *text = ""; vasprintf(&text, fmt, ap); pam_get_item(pamh, PAM_CONV, (const void **)&conv); pam_set_item(pamh, PAM_AUTHTOK, NULL); msg.msg_style = style;; msg.msg = text; msgp = &msg; pamresp = NULL; pam_err = (*conv->conv)(1, &msgp, &pamresp, conv->appdata_ptr); if (pamresp != NULL) { if (resp != NULL) *resp = pamresp->resp; else free(pamresp->resp); free(pamresp); } free(text); }/*}}}*/
static int setup_pam(struct weston_launch *wl) { int err; wl->pc.conv = pam_conversation_fn; wl->pc.appdata_ptr = wl; err = pam_start("login", wl->pw->pw_name, &wl->pc, &wl->ph); if (err != PAM_SUCCESS) { fprintf(stderr, "failed to start pam transaction: %d: %s\n", err, pam_strerror(wl->ph, err)); return -1; } err = pam_set_item(wl->ph, PAM_TTY, ttyname(wl->tty)); if (err != PAM_SUCCESS) { fprintf(stderr, "failed to set PAM_TTY item: %d: %s\n", err, pam_strerror(wl->ph, err)); return -1; } err = pam_open_session(wl->ph, 0); if (err != PAM_SUCCESS) { fprintf(stderr, "failed to open pam session: %d: %s\n", err, pam_strerror(wl->ph, err)); return -1; } return 0; }
/* Called at exit to cleanly shutdown PAM */ static void do_pam_cleanup_proc(void *context) { int pam_retval; pam_stuff *pam = (pam_stuff *) context; if (pam == NULL) return; if (pam->authctxt != NULL && pam->authctxt->pam == pam) { pam->authctxt->pam_retval = pam->last_pam_retval; pam->authctxt->pam = NULL; pam->authctxt = NULL; } if (pam->h == NULL) return; /* * We're in fatal_cleanup() or not in userauth or without a * channel -- can't converse now, too bad. */ pam_retval = pam_set_item(pam->h, PAM_CONV, NULL); if (pam_retval != PAM_SUCCESS) { log("Cannot remove PAM conv, close session or delete creds[%d]: %.200s", pam_retval, PAM_STRERROR(pam->h, pam_retval)); goto cleanup; } if (pam->state & PAM_S_DONE_OPEN_SESSION) { pam_retval = pam_close_session(pam->h, 0); if (pam_retval != PAM_SUCCESS) log("Cannot close PAM session[%d]: %.200s", pam_retval, PAM_STRERROR(pam->h, pam_retval)); } if (pam->state & PAM_S_DONE_SETCRED) { pam_retval = pam_setcred(pam->h, PAM_DELETE_CRED); if (pam_retval != PAM_SUCCESS) debug("Cannot delete credentials[%d]: %.200s", pam_retval, PAM_STRERROR(pam->h, pam_retval)); } cleanup: /* Use the previous PAM result, if not PAM_SUCCESS for pam_end() */ if (pam->last_pam_retval != PAM_SUCCESS) pam_retval = pam_end(pam->h, pam->last_pam_retval); else if (pam_retval != PAM_SUCCESS) pam_retval = pam_end(pam->h, pam_retval); else pam_retval = pam_end(pam->h, PAM_ABORT); if (pam_retval != PAM_SUCCESS) log("Cannot release PAM authentication[%d]: %.200s", pam_retval, PAM_STRERROR(pam->h, pam_retval)); xfree(pam); }