int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc,
const char **argv)
{
char *user, *pw;
char *service;
char **proxies;
char netid[14];
int i, success;
Flags f = NONE;
/* initialize proxy array */
proxies = (char **)malloc(sizeof(char **));
proxies[0] = NULL;
/* get username and password */
if (pam_get_user(pamh, (const char**) &user, NULL) != PAM_SUCCESS)
return PAM_AUTH_ERR;
if (pam_get_item(pamh, PAM_AUTHTOK, (const void**) &pw) != PAM_SUCCESS)
return PAM_AUTH_ERR;
/*
* Abort if the password doesn't look like a ticket. This speeds things
* up and reduces the likelihood that the user's password will end up
* in an HTTPD log.
*/
if ((strncmp(CAS_BEGIN_PT, pw, strlen(CAS_BEGIN_PT)) != 0)
&& (strncmp(CAS_BEGIN_ST, pw, strlen(CAS_BEGIN_ST)) != 0))
return PAM_AUTH_ERR;
/* prepare log */
openlog("PAM_cas", LOG_PID, LOG_AUTH);
/* check arguments */
for (i = 0; i < argc; i++) {
if (!strcmp(argv[i], "debug"))
f |= DEBUG;
else if (!strncmp(argv[i], "-s", 2)) {
service = strdup(argv[i] + 2);
} else if (!strncmp(argv[i], "-p", 2)) {
proxies = add_proxy(proxies, argv[i] + 2);
} else if (!strncmp(argv[i], "-e", 2)) {
/* don't let the username pass through if it's excluded */
if (!strcmp(argv[i] + 2, user)) {
syslog(LOG_NOTICE, "user '%s' is excluded from the CAS PAM",
user);
free_proxies(proxies);
return PAM_AUTH_ERR;
}
} else
syslog(LOG_ERR, "invalid option '%s'", argv[i]);
}
/* determine the CAS-authenticated username */
success = cas_validate(pw,
service,
netid,
sizeof(netid),
proxies);
/* free the memory used by the proxy array */
free_proxies(proxies);
/* Confirm the user and return appropriately. */
if ((success == CAS_SUCCESS) && (!strcmp(user, netid))) {
closelog();
return PAM_SUCCESS;
} else {
syslog(LOG_NOTICE,
"authentication failure code %d for user '%s'", success, user);
closelog();
return PAM_AUTH_ERR;
}
}
int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc,
const char **argv)
{
pam_cas_config_t *pstConfig = NULL;
char *configFile = NULL;
char *user, *pw;
char *service = NULL;
char netid[CAS_LEN_NETID];
int i, success, res, ret;
/* prepare log */
openlog("PAM_cas", LOG_PID, LOG_AUTH);
/* get username and password */
if (pam_get_user(pamh, (const char**) &user, NULL) != PAM_SUCCESS){
syslog(LOG_ERR, "Cannot get username");
END(PAM_AUTH_ERR);
}
if (pam_get_item(pamh, PAM_AUTHTOK, (const void**) &pw) != PAM_SUCCESS){
syslog(LOG_ERR, "Cannot get password (ticket)");
END(PAM_AUTH_ERR);
}
if (!pw)
{
if (_get_authtok(pamh) != PAM_SUCCESS){
syslog(LOG_ERR, "Cannot get_authtok from pamh");
END(PAM_AUTH_ERR);
}
if (pam_get_item(pamh, PAM_AUTHTOK, (const void**) &pw) != PAM_SUCCESS){
syslog(LOG_ERR, "Cannot get password (ticket) item from pamh");
END(PAM_AUTH_ERR);
}
}
/*
* Abort if the password doesn't look like a ticket. This speeds things
* up and reduces the likelihood that the user's password will end up
* in an HTTPD log.
*/
if ((strncmp(CAS_BEGIN_PT, pw, strlen(CAS_BEGIN_PT)) != 0)
&& (strncmp(CAS_BEGIN_ST, pw, strlen(CAS_BEGIN_ST)) != 0))
END(PAM_AUTH_ERR);
/* check arguments */
for (i = 0; i < argc; i++) {
if (!strncmp(argv[i], "-s", 2)) {
service = strdup(argv[i] + 2);
} else if (!strncmp(argv[i], "-f", 2)) {
configFile = strdup(argv[i] + 2);
} else if (!strncmp(argv[i], "-e", 2)) {
/* don't let the username pass through if it's excluded */
if (!strcmp(argv[i] + 2, user)) {
syslog(LOG_NOTICE, "user '%s' is excluded from the CAS PAM",
user);
END(PAM_AUTH_ERR);
}
} else
syslog(LOG_ERR, "invalid option '%s'", argv[i]);
}
res = read_config (configFile, &pstConfig, DEBUG_NO);
if (res != CAS_SUCCESS)
{
syslog(LOG_ERR, "Error with config file %s : %s\n", configFile, ErrorMessage[res]);
END(PAM_AUTH_ERR);
}
/* determine the CAS-authenticated username */
success = cas_validate(pw,
service,
netid,
sizeof(netid),
pstConfig);
/* Confirm the user and return appropriately. */
if ((success == CAS_SUCCESS) && (!strcasecmp(user, netid))) {
if (pstConfig->debug)
syslog(LOG_NOTICE, "USER '%s' AUTHENTICATED WITH CAS PT:%s", user, pw);
END(PAM_SUCCESS);
} else {
if (strcmp(user, netid) && (success == CAS_SUCCESS)) {
syslog(LOG_NOTICE,
"authentication failure : PAM login (%s) different from CAS login (%s)", user, netid);
} else {
if (pstConfig->debug)
syslog(LOG_NOTICE,
"authentication failure for user '%s' : %s. PT=%s", user, ErrorMessage[success],pw);
else
syslog(LOG_NOTICE,
"authentication failure for user '%s' : %s.", user, ErrorMessage[success]);
}
END(PAM_AUTH_ERR);
}
end:
closelog();
if (service)
free(service);
if (configFile)
free(configFile);
// if (pstConfig)
//free_config(&pstConfig);
return ret;
}
