コード例 #1
ファイル: pam_password.c プロジェクト: bigon/linux-pam
/*
 * pam_chauthtok - application entry point for changing an authentication
 * token.
 *
 * Drives the PAM_CHAUTHTOK stack through _pam_dispatch() in two passes:
 * first with PAM_PRELIM_CHECK added to flags and then, only when that pass
 * returned PAM_SUCCESS (or pamh->former.update is already set), with
 * PAM_UPDATE_AUTHTOK added.
 *
 * Returns the _pam_dispatch() result, or PAM_SYSTEM_ERR when the call is
 * made from a module or when the caller set either phase flag itself.
 * On PAM_INCOMPLETE the clean-up below is skipped and pamh->former.update
 * is left as it is, which is what the next call reads to decide whether the
 * preliminary pass still has to run.
 */
int pam_chauthtok(pam_handle_t *pamh, int flags)
{
    int retval;

    D(("called."));

    /* IF_NO_PAMH is a project macro defined elsewhere; presumably it returns
       PAM_SYSTEM_ERR when pamh is NULL - confirm against its definition */
    IF_NO_PAMH("pam_chauthtok", pamh, PAM_SYSTEM_ERR);

    /* this entry point is refused when the handle is marked as being used
       from inside a module */
    if (__PAM_FROM_MODULE(pamh)) {
	D(("called from module!?"));
	return PAM_SYSTEM_ERR;
    }

    /* applications are not allowed to set these flags: the two phases are
       selected by this function itself in the _pam_dispatch() calls below,
       so a caller cannot ask for the update pass directly */
    if (flags & (PAM_PRELIM_CHECK | PAM_UPDATE_AUTHTOK)) {
      pam_syslog (pamh, LOG_ERR,
		  "PAM_PRELIM_CHECK or PAM_UPDATE_AUTHTOK set by application");
      return PAM_SYSTEM_ERR;
    }

    /* fresh call (not the continuation of an earlier one): start the
       failure timer, sanitize the handle and reset the phase marker.
       _pam_sanitize is defined elsewhere; presumably it scrubs the
       authentication tokens held in the handle - confirm */
    if (pamh->former.choice == PAM_NOT_STACKED) {
	_pam_start_timer(pamh);    /* we try to make the time for a failure
				      independent of the time it takes to
				      fail */
	_pam_sanitize(pamh);
	pamh->former.update = PAM_FALSE;
    }

    /* first call to check if there will be a problem; the || short-circuits,
       so the preliminary dispatch is skipped when former.update is already
       set and retval is then assigned by the update dispatch inside */
    if (pamh->former.update ||
	(retval = _pam_dispatch(pamh, flags|PAM_PRELIM_CHECK,
				PAM_CHAUTHTOK)) == PAM_SUCCESS) {
	D(("completed check ok: former=%d", pamh->former.update));
	pamh->former.update = PAM_TRUE;
	retval = _pam_dispatch(pamh, flags|PAM_UPDATE_AUTHTOK,
			       PAM_CHAUTHTOK);
    }

    /* if we completed we should clean up: sanitize again so nothing from
       this exchange stays in the handle, reset the phase marker, and only
       then serve the failure delay */
    if (retval != PAM_INCOMPLETE) {
	_pam_sanitize(pamh);
	pamh->former.update = PAM_FALSE;
	_pam_await_timer(pamh, retval);   /* if unsuccessful then wait now */
	D(("pam_chauthtok exit %d - %d", retval, pamh->former.choice));
    } else {
	/* NOTE(review): retval is passed here but the format string has no
	   conversion for it */
	D(("will resume when ready", retval));
    }

    return retval;
}
コード例 #2
ファイル: pam_auth.c プロジェクト: dgeo96/src
/*
 * pam_setcred - application entry point that runs the PAM_SETCRED stack.
 *
 * A flags value of zero is replaced by PAM_ESTABLISH_CRED before the stack
 * is dispatched.  When built with HAVE_LIBAUDIT the value handed back is
 * whatever _pam_auditlog() returns for the dispatch result.
 *
 * Returns PAM_SYSTEM_ERR when the handle is marked as in use by a module;
 * otherwise the dispatch (or audit) result.
 */
int pam_setcred(pam_handle_t *pamh, int flags)
{
    int status;

    D(("pam_setcred called"));

    /* Project macro defined elsewhere; presumably bails out with
     * PAM_SYSTEM_ERR on a NULL handle - confirm against its definition. */
    IF_NO_PAMH("pam_setcred", pamh, PAM_SYSTEM_ERR);

    /* Modules must not re-enter the application-facing API. */
    if (__PAM_FROM_MODULE(pamh)) {
        D(("called from module!?"));
        return PAM_SYSTEM_ERR;
    }

    /* The substituted value is also what the audit call below sees. */
    if (flags == 0) {
        flags = PAM_ESTABLISH_CRED;
    }

    status = _pam_dispatch(pamh, flags, PAM_SETCRED);

#if HAVE_LIBAUDIT
    /* The audit layer sees the outcome and may replace it. */
    status = _pam_auditlog(pamh, PAM_SETCRED, status, flags);
#endif

    D(("pam_setcred exit"));

    return status;
}
コード例 #3
/*
 * pam_authenticate - application entry point that runs the
 * PAM_AUTHENTICATE stack.
 *
 * On a fresh call (pamh->former.choice == PAM_NOT_STACKED) the handle is
 * sanitized and the failure timer is started before the stack runs.  Once
 * the stack has finished, the handle is sanitized again and the timer is
 * awaited, so that the time a failure takes does not depend on where in
 * the stack it happened.  A PAM_INCOMPLETE result skips both steps and is
 * returned as is.
 *
 * Returns PAM_SYSTEM_ERR when the handle is marked as in use by a module;
 * otherwise the _pam_dispatch() result.
 */
int pam_authenticate(pam_handle_t *pamh, int flags)
{
    int status;

    D(("pam_authenticate called"));

    /* Project macro defined elsewhere; presumably bails out with
     * PAM_SYSTEM_ERR on a NULL handle - confirm against its definition. */
    IF_NO_PAMH("pam_authenticate", pamh, PAM_SYSTEM_ERR);

    /* Modules must not re-enter the application-facing API. */
    if (__PAM_FROM_MODULE(pamh)) {
        D(("called from module!?"));
        return PAM_SYSTEM_ERR;
    }

    if (pamh->former.choice == PAM_NOT_STACKED) {
        /* _pam_sanitize is defined elsewhere; presumably it scrubs the
         * authentication tokens held in the handle - confirm. */
        _pam_sanitize(pamh);
        /* Start the clock that the failure delay is measured against. */
        _pam_start_timer(pamh);
    }

    status = _pam_dispatch(pamh, flags, PAM_AUTHENTICATE);

    if (status == PAM_INCOMPLETE) {
        /* The stack has not finished: keep the handle state untouched. */
        D(("will resume when ready"));
        return status;
    }

    /* Finished: scrub the handle first, then serve any failure delay. */
    _pam_sanitize(pamh);
    _pam_await_timer(pamh, status);
    D(("pam_authenticate exit"));

    return status;
}
コード例 #4
ファイル: pam_session.c プロジェクト: OpenDarwin-CVS/SEDarwin
/*
 * pam_close_session - application entry point that runs the
 * PAM_CLOSE_SESSION stack.
 *
 * Returns PAM_SYSTEM_ERR when the handle is marked as in use by a module;
 * otherwise the _pam_dispatch() result, unchanged.
 */
int pam_close_session(pam_handle_t *pamh, int flags)
{
    int status;

    D(("called"));

    /* Project macro defined elsewhere; presumably bails out with
     * PAM_SYSTEM_ERR on a NULL handle - confirm against its definition. */
    IF_NO_PAMH("pam_close_session", pamh, PAM_SYSTEM_ERR);

    /* Modules must not re-enter the application-facing API. */
    if (__PAM_FROM_MODULE(pamh)) {
        D(("called from module!?"));
        return PAM_SYSTEM_ERR;
    }

    status = _pam_dispatch(pamh, flags, PAM_CLOSE_SESSION);

    return status;
}
コード例 #5
ファイル: pam_session.c プロジェクト: OPSF/uClinux
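#ifdef PAM_STATS
/*
 * Return 1 when s is a non-empty string that consists only of ASCII
 * letters, digits, '.', '_' and '-' and does not start with '-'; else 0.
 *
 * Used as an allow-list for values that are pasted into a shell command
 * line: nothing that passes can be read by the shell as a metacharacter,
 * and the leading-'-' rule keeps a value from being read as an option.
 */
static int session_stats_token_ok(const char *s)
{
    const char *p;

    if (!s || *s == '\0' || *s == '-') {
        return 0;
    }

    for (p = s; *p != '\0'; p++) {
        int ok = (*p >= 'a' && *p <= 'z') ||
                 (*p >= 'A' && *p <= 'Z') ||
                 (*p >= '0' && *p <= '9') ||
                 *p == '.' || *p == '_' || *p == '-';

        if (!ok) {
            return 0;
        }
    }

    return 1;
}
#endif /* PAM_STATS */

/*
 * pam_close_session - application entry point that runs the
 * PAM_CLOSE_SESSION stack.
 *
 * When built with HAVE_LIBAUDIT the result is passed through
 * _pam_auditlog().  When built with PAM_STATS a non-success result is also
 * reported by running the external "statsd" command.
 *
 * Returns PAM_SYSTEM_ERR when the handle is marked as in use by a module;
 * otherwise the dispatch (or audit) result.  The statistics step never
 * changes the return value.
 */
int pam_close_session(pam_handle_t *pamh, int flags)
{
    int retval;

    D(("called"));

    /* Project macro defined elsewhere; presumably bails out with
     * PAM_SYSTEM_ERR on a NULL handle - confirm against its definition. */
    IF_NO_PAMH("pam_close_session", pamh, PAM_SYSTEM_ERR);

    if (__PAM_FROM_MODULE(pamh)) {
        D(("called from module!?"));
        return PAM_SYSTEM_ERR;
    }

    retval = _pam_dispatch(pamh, flags, PAM_CLOSE_SESSION);

#if HAVE_LIBAUDIT
    retval = _pam_auditlog(pamh, PAM_CLOSE_SESSION, retval, flags);
#endif

#ifdef PAM_STATS
    if (retval != PAM_SUCCESS) {
        char usr[MAX_PAM_STATS_USR_SIZE];
        char buf[MAX_PAM_STATS_BUF_SIZE];
        const char *name;
        int n;

        /* pamh->user may be unset; it is reported as "unknown" instead of
         * being handed to a string function as a NULL pointer. */
        if (retval == PAM_USER_UNKNOWN || !pamh->user) {
            name = "unknown";
        } else {
            name = pamh->user;
        }

        /* snprintf always terminates and truncates to the same
         * MAX_PAM_STATS_USR_SIZE-1 characters the strncpy call kept. */
        snprintf(usr, sizeof usr, "%s", name);

        /*
         * The user name is supplied by whoever is logging in and ends up
         * on a shell command line, so it is checked against an allow-list
         * first.  Anything else (quotes, ';', '$', backticks, spaces, ...)
         * means the statistics update is skipped, not escaped.
         */
        if (!session_stats_token_ok(usr) ||
            !session_stats_token_ok(pamh->service_name)) {
            pam_syslog(pamh, LOG_NOTICE,
                       "statsd update skipped: user or service name "
                       "is not shell-safe");
        } else {
            /* pam_strerror() output sits inside double quotes; this relies
             * on it returning fixed library text - confirm. */
            n = snprintf(buf, sizeof buf,
                         "statsd -a incr pam_failed_%s %s \\;"
                         " push pam_last_failure_%s %s \"%s\" 0 \\;"
                         " incr pam_users %s\\;"
                         " incr pam_services %s",
                         usr, pamh->service_name,
                         usr, pamh->service_name, pam_strerror(pamh, retval),
                         usr,
                         pamh->service_name);

            if (n < 0 || (size_t)n >= sizeof buf) {
                /* A cut-off command line must not be executed. */
                pam_syslog(pamh, LOG_INFO,
                           "statsd update skipped: command too long");
            } else if (system(buf) == -1) {
                /*
                 * NOTE(review): system() goes through the shell, inherits
                 * the caller's environment and finds "statsd" via PATH;
                 * PAM applications are often privileged.  The durable fix
                 * is an absolute path run with an explicit argv
                 * (posix_spawn/execv), which needs headers this block
                 * cannot add.  Only a failure to start the shell is
                 * detected here; a non-zero exit status is not.
                 */
                pam_syslog(pamh, LOG_INFO, "%s - failed", buf);
            }
        }
    }
#endif

    return retval;
}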
コード例 #6
ファイル: pam_session.c プロジェクト: bigon/linux-pam
/*
 * pam_open_session - application entry point that runs the
 * PAM_OPEN_SESSION stack.
 *
 * Returns PAM_SYSTEM_ERR when the handle is marked as in use by a module;
 * otherwise the _pam_dispatch() result, unchanged.
 */
int pam_open_session(pam_handle_t *pamh, int flags)
{
    D(("called"));

    /* Project macro defined elsewhere; presumably bails out with
     * PAM_SYSTEM_ERR on a NULL handle - confirm against its definition. */
    IF_NO_PAMH("pam_open_session", pamh, PAM_SYSTEM_ERR);

    /* Modules must not re-enter the application-facing API. */
    if (__PAM_FROM_MODULE(pamh)) {
        D(("called from module!?"));
        return PAM_SYSTEM_ERR;
    }

    return _pam_dispatch(pamh, flags, PAM_OPEN_SESSION);
}
コード例 #7
ファイル: pam_account.c プロジェクト: DTherHtun/testwork
/*
 * pam_acct_mgmt - application entry point that runs the PAM_ACCOUNT stack.
 *
 * When built with HAVE_LIBAUDIT the value handed back is whatever
 * _pam_auditlog() returns for the dispatch result.
 *
 * Returns PAM_SYSTEM_ERR when the handle is marked as in use by a module;
 * otherwise the dispatch (or audit) result.
 */
int pam_acct_mgmt(pam_handle_t *pamh, int flags)
{
    int status;

    D(("called"));

    /* Project macro defined elsewhere; presumably bails out with
     * PAM_SYSTEM_ERR on a NULL handle - confirm against its definition. */
    IF_NO_PAMH("pam_acct_mgmt", pamh, PAM_SYSTEM_ERR);

    /* Modules must not re-enter the application-facing API. */
    if (__PAM_FROM_MODULE(pamh)) {
        D(("called from module!?"));
        return PAM_SYSTEM_ERR;
    }

    status = _pam_dispatch(pamh, flags, PAM_ACCOUNT);

#ifdef HAVE_LIBAUDIT
    /* The audit layer sees the outcome and may replace it. */
    status = _pam_auditlog(pamh, PAM_ACCOUNT, status, flags);
#endif

    return status;
}
コード例 #8
ファイル: pam_auth.c プロジェクト: dgeo96/src
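#ifdef CONFIG_PROP_STATSD_STATSD
/*
 * Return 1 when s is a non-empty string that consists only of ASCII
 * letters, digits, '.', '_' and '-' and does not start with '-'; else 0.
 *
 * Used as an allow-list for values that are pasted into a shell command
 * line: nothing that passes can be read by the shell as a metacharacter,
 * and the leading-'-' rule keeps a value from being read as an option.
 */
static int auth_stats_token_ok(const char *s)
{
    const char *p;

    if (s == NULL || *s == '\0' || *s == '-') {
        return 0;
    }

    for (p = s; *p != '\0'; p++) {
        int ok = (*p >= 'a' && *p <= 'z') ||
                 (*p >= 'A' && *p <= 'Z') ||
                 (*p >= '0' && *p <= '9') ||
                 *p == '.' || *p == '_' || *p == '-';

        if (!ok) {
            return 0;
        }
    }

    return 1;
}
#endif /* CONFIG_PROP_STATSD_STATSD */

/*
 * pam_authenticate - application entry point that runs the
 * PAM_AUTHENTICATE stack.
 *
 * On a fresh call (pamh->former.choice == PAM_NOT_STACKED) the handle is
 * sanitized and the failure timer is started; once the stack has finished
 * the handle is sanitized again and the timer is awaited.  Depending on
 * build options the result is then reported to Prelude, passed through
 * _pam_auditlog(), and, on a non-success result, reported by running the
 * external "statsd" command.
 *
 * Returns PAM_SYSTEM_ERR when the handle is marked as in use by a module;
 * otherwise the dispatch (or audit) result.  The statistics step never
 * changes the return value.
 */
int pam_authenticate(pam_handle_t *pamh, int flags)
{
    int retval;

    D(("pam_authenticate called"));

    /* Project macro defined elsewhere; presumably bails out with
     * PAM_SYSTEM_ERR on a NULL handle - confirm against its definition. */
    IF_NO_PAMH("pam_authenticate", pamh, PAM_SYSTEM_ERR);

    if (__PAM_FROM_MODULE(pamh)) {
        D(("called from module!?"));
        return PAM_SYSTEM_ERR;
    }

    if (pamh->former.choice == PAM_NOT_STACKED) {
        _pam_sanitize(pamh);
        _pam_start_timer(pamh);    /* we try to make the time for a failure
                                      independent of the time it takes to
                                      fail */
    }

    retval = _pam_dispatch(pamh, flags, PAM_AUTHENTICATE);

    if (retval != PAM_INCOMPLETE) {
        _pam_sanitize(pamh);
        _pam_await_timer(pamh, retval);   /* if unsuccessful then wait now */
        D(("pam_authenticate exit"));
    } else {
        D(("will resume when ready"));
    }

#ifdef PRELUDE
    prelude_send_alert(pamh, retval);
#endif

#if HAVE_LIBAUDIT
    retval = _pam_auditlog(pamh, PAM_AUTHENTICATE, retval, flags);
#endif

#ifdef CONFIG_PROP_STATSD_STATSD
    /* NOTE(review): PAM_INCOMPLETE also satisfies this test, so an
     * exchange that is still in progress can be counted as a failure -
     * confirm that this is intended. */
    if (retval != PAM_SUCCESS) {
        char usr[MAX_PAM_STATS_USR_SIZE];
        char buf[MAX_PAM_STATS_BUF_SIZE];
        struct pam_data *data;
        const char *u = NULL;
        int n;

        /*
         * The pam_sg module has stored module data so we can tell whether
         * this is a valid user.  If not we log stats under "unknown".  The
         * proper mechanism for accessing module data bars access from
         * within application code so we are going around it.  This is a
         * kludge.
         *
         * NOTE(review): the entry is looked up by the user name and its
         * payload is read as a C string without any type check.  A user
         * name equal to the key some other module stores data under would
         * make that module's data be read as text here; a key the user
         * cannot choose would avoid this.
         */
        if (pamh->user != NULL) {
            for (data = pamh->data; data != NULL; data = data->next) {
                if (data->name != NULL && !strcmp(data->name, pamh->user)) {
                    u = (const char *)(data->data);
                    break;
                }
            }
        }

        /* Don't log stats if the module info is unavailable
         * or the PAM system itself failed during auth */
        if (u != NULL && strcmp(u, "PAM_SYSTEM_ERR")) {

            u = !strcmp(u, "PAM_USER_UNKNOWN") ? "unknown" : pamh->user;

            /* snprintf always terminates and truncates to the same
             * MAX_PAM_STATS_USR_SIZE-1 characters the strncpy call kept. */
            snprintf(usr, sizeof usr, "%s", u);

            /*
             * The user name is supplied by whoever is trying to log in and
             * ends up on a shell command line, so it is checked against an
             * allow-list first.  Anything else (quotes, ';', '$',
             * backticks, spaces, ...) means the statistics update is
             * skipped, not escaped.
             */
            if (!auth_stats_token_ok(usr) ||
                !auth_stats_token_ok(pamh->service_name)) {
                pam_syslog(pamh, LOG_NOTICE,
                           "statsd update skipped: user or service name "
                           "is not shell-safe");
            } else {
                /*
                 * NOTE(review): system() goes through the shell, inherits
                 * the caller's environment and finds "statsd" via PATH;
                 * PAM applications are often privileged.  The durable fix
                 * is an absolute path run with an explicit argv
                 * (posix_spawn/execv), which needs headers this block
                 * cannot add.  Only a failure to start the shell is
                 * detected below; a non-zero exit status is not.
                 * A command that does not fit in buf is never executed.
                 */
                n = snprintf(buf, sizeof buf,
                             "statsd incr pam_failed_%s %s",
                             usr, pamh->service_name);
                if (n < 0 || (size_t)n >= sizeof buf) {
                    pam_syslog(pamh, LOG_INFO,
                               "statsd update skipped: command too long");
                } else if (system(buf) == -1) {
                    pam_syslog(pamh, LOG_INFO, "%s failed", buf);
                }

                /* pam_strerror() output sits inside double quotes; this
                 * relies on it returning fixed library text - confirm. */
                n = snprintf(buf, sizeof buf,
                             "statsd push pam_last_failure_%s %s \"%s\" 0",
                             usr, pamh->service_name,
                             pam_strerror(pamh, retval));
                if (n < 0 || (size_t)n >= sizeof buf) {
                    pam_syslog(pamh, LOG_INFO,
                               "statsd update skipped: command too long");
                } else if (system(buf) == -1) {
                    pam_syslog(pamh, LOG_INFO, "%s failed", buf);
                }

                n = snprintf(buf, sizeof buf,
                             "statsd incr pam_users %s", usr);
                if (n < 0 || (size_t)n >= sizeof buf) {
                    pam_syslog(pamh, LOG_INFO,
                               "statsd update skipped: command too long");
                } else if (system(buf) == -1) {
                    pam_syslog(pamh, LOG_INFO, "%s - failed", buf);
                }

                n = snprintf(buf, sizeof buf,
                             "statsd incr pam_services %s",
                             pamh->service_name);
                if (n < 0 || (size_t)n >= sizeof buf) {
                    pam_syslog(pamh, LOG_INFO,
                               "statsd update skipped: command too long");
                } else if (system(buf) == -1) {
                    pam_syslog(pamh, LOG_INFO, "%s - failed", buf);
                }
            }
        }
    }
#endif

    return retval;
}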