PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags UNUSED, int argc, const char **argv) { int retval; const char *user=NULL; /* * authentication requires we know who the user wants to be */ retval = pam_get_user(pamh, &user, NULL); if (retval != PAM_SUCCESS) { D(("get user returned error: %s", pam_strerror(pamh,retval))); return retval; } if (user == NULL || *user == '\0') { D(("username not known")); retval = pam_set_item(pamh, PAM_USER, (const void *) DEFAULT_USER); if (retval != PAM_SUCCESS) return retval; } user = NULL; /* clean up */ retval = parse_args(PAM_SUCCESS, "auth", pamh, argc, argv); return retval; }
PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc , const char **argv) { const char *service=NULL, *user=NULL, *terminal=NULL , *rhost=NULL, *ruser=NULL; (void) pam_get_item(pamh, PAM_SERVICE, (const void **)&service); (void) pam_get_item(pamh, PAM_TTY, (const void **)&terminal); _pam_log(LOG_NOTICE, "service: %s [on terminal: %s]" , service ? service : "<unknown>" , terminal ? terminal : "<unknown>" ); (void) pam_get_user(pamh, &user, "Who are you? "); (void) pam_get_item(pamh, PAM_RUSER, (const void **)&ruser); (void) pam_get_item(pamh, PAM_RHOST, (const void **)&rhost); _pam_log(LOG_NOTICE, "user: (uid=%d) -> %s [remote: %s@%s]" , getuid() , user ? user : "******" , ruser ? ruser : "******" , rhost ? rhost : "?nowhere" ); /* we are just a fly on the wall */ return PAM_IGNORE; }
int _whawty_ctx_init(whawty_ctx_t* ctx, pam_handle_t *pamh, int flags, int argc, const char **argv) { ctx->flags_ = 0; ctx->pamh_ = pamh; ctx->username_ = NULL; ctx->password_ = NULL; ctx->sockpath_ = NULL; ctx->sock_ = -1; ctx->timeout_ = 3; if(flags & PAM_SILENT) ctx->flags_ |= WHAWTY_CONF_SILENT; // flag PAM_DISALLOW_NULL_AUTHTOK is not applicable and will therefore be ignored int ret = _whawty_parse_args(ctx, argc, argv); if(ret != PAM_SUCCESS) return ret; ret = pam_get_user(pamh, &(ctx->username_), NULL); if(ret == PAM_SUCCESS) { _whawty_logf(ctx, LOG_DEBUG, "successfully initialized [sock=%s]", ctx->sockpath_); } else { _whawty_logf(ctx, LOG_ERR, "pam_get_user() failed [%s]", pam_strerror(ctx->pamh_, ret)); } return ret; }
PAM_EXTERN int pam_sm_chauthtok (pam_handle_t *ph, int flags, int argc, const char **argv) { const char *user; struct passwd *pwd; uint args; int ret; args = parse_args (ph, argc, argv); if (args & ARG_IGNORE_SERVICE) return PAM_SUCCESS; /* Figure out and/or prompt for the user name */ ret = pam_get_user (ph, &user, NULL); if (ret != PAM_SUCCESS) { syslog (GKR_LOG_ERR, "gkr-pam: couldn't get the user name: %s", pam_strerror (ph, ret)); return PAM_SERVICE_ERR; } pwd = getpwnam (user); if (!pwd) { syslog (GKR_LOG_ERR, "gkr-pam: error looking up user information for: %s", user); return PAM_SERVICE_ERR; } if (flags & PAM_PRELIM_CHECK) return pam_chauthtok_preliminary (ph, pwd); else if (flags & PAM_UPDATE_AUTHTOK) return pam_chauthtok_update (ph, pwd, args); else return PAM_IGNORE; }
PAM_EXTERN int pam_sm_authenticate ( pam_handle_t *pamh, int flags, int argc, const char *argv[] ) { int retval; const char *user, *prompt; char *data,*data2,*flag; char * pwdt,*pwds; retval = pam_get_user ( pamh, &user, NULL ); if (retval != PAM_SUCCESS) return retval; D(("Got user: %s", user)); D(("cenas")); pam_prompt(pamh, PAM_PROMPT_ECHO_OFF, &data,"attempt"); if(data == NULL) return PAM_AUTH_ERR; Base64Decode(data,&pwdt); D(("Attempted Password: %s \n", pwdt)); pam_prompt(pamh, PAM_PROMPT_ECHO_OFF, &data2,"storedpassword"); Base64Decode(data2,&pwds); if(strlen(data2) == 0) return PAM_AUTH_ERR; D(("Stored Password: %s \n", pwds)); if(strcmp(pwdt,pwds) == 0){ D(("PTEID CC authentication: success!")); return PAM_SUCCESS; } return PAM_AUTH_ERR; }
static int pam_get_uid( pam_handle_t *pamh, uid_t *uid, const char **userp ) { const char *user; struct passwd *pw; #ifdef MAIN user = cline_user; #else pam_get_user( pamh, &user, NULL ); #endif if ( !user || !*user ) { _pam_log(LOG_ERR, MODULE_NAME ": pam_get_uid; user?"); return PAM_AUTH_ERR; } if ( ! ( pw = getpwnam( user ) ) ) { _pam_log(LOG_ERR,MODULE_NAME ": pam_get_uid; no such user %s",user); return PAM_USER_UNKNOWN; } if ( uid ) *uid = pw->pw_uid; if ( userp ) *userp = user; return PAM_SUCCESS; }
int pam_sm_open_session(pam_handle_t *pamh, int flags, int argc, const char **argv) { const char *PAM_user = NULL; int ret; if (!cgm_dbus_connect()) { mysyslog(LOG_ERR, "Failed to connect to cgmanager\n"); return PAM_SESSION_ERR; } if (argc > 1 && strcmp(argv[0], "-c") == 0) ctrl_list = validate_and_dup(argv[1]); if (!ctrl_list) get_active_controllers(); cgm_escape(); ret = pam_get_user(pamh, &PAM_user, NULL); if (ret != PAM_SUCCESS) { cgm_dbus_disconnect(); mysyslog(LOG_ERR, "PAM-CGM: couldn't get user\n"); return PAM_SESSION_ERR; } ret = handle_login(PAM_user); cgm_dbus_disconnect(); return ret; }
PAM_EXTERN int pam_sm_open_session(pam_handle_t *pamh, int flags, int argc, const char **argv) { const struct passwd *pwent; const char *user; struct stat di; void (*sh)(int); pid_t child; int res; /* Who are we talking about anyway? */ res = pam_get_user(pamh, &user, NULL); if (res != PAM_SUCCESS) return res; /* Fetch passwd entry */ pwent = getpwnam(user); if (!pwent) { pam_error(pamh, "User not found in passwd?"); return PAM_CRED_INSUFFICIENT; } openlog("pam_mkhomedir", LOG_PID, LOG_AUTH); if (stat(pwent->pw_dir, &di)) return pam_mkhd_copy(pamh, pwent, "/etc/skel", pwent->pw_dir); return PAM_SUCCESS; }
PAM_VISIBLE int pam_sm_close_session(pam_handle_t *pamh, int flags, int argc, const char *argv[]) { modopt_t *options = NULL; const char *user, *rhost; int rc; PGresult *res; PGconn *conn; user = NULL; rhost = NULL; if ((options = mod_options(argc, argv)) != NULL) { if (options->query_session_close) { if ((rc = pam_get_item(pamh, PAM_RHOST, (const void **)&rhost)) == PAM_SUCCESS) { if ((rc = pam_get_user(pamh, &user, NULL)) == PAM_SUCCESS) { DBGLOG("Session opened for user: %s", user); if ((conn = db_connect(options))) { pg_execParam(conn, &res, options->query_session_close, pam_get_service(pamh), user, NULL, rhost); PQclear(res); PQfinish(conn); } } } } //free_module_options(options); } return (PAM_SUCCESS); }
/* Create and populate a context based on a given PAM handle and * module name. */ struct context * get_context(pam_handle_t *pamh, char *name, char *module) { struct context *ctx; syslog(LOG_AUTH|LOG_DEBUG, "get_context (%s) in", module ? module : "??"); ctx = malloc(sizeof(struct context)); memset(ctx, 0, sizeof(struct context)); syslog(LOG_AUTH|LOG_DEBUG, "uname"); uname(&ctx->uts); syslog(LOG_AUTH|LOG_DEBUG, "pam_get_user"); pam_get_user(pamh, &ctx->user, NULL); syslog(LOG_AUTH|LOG_DEBUG, "pam_get_item(PAM_SERVICE)"); pam_get_item(pamh, PAM_SERVICE, (PAM_CONST void **)&ctx->svc); syslog(LOG_AUTH|LOG_DEBUG, "pam_get_item(PAM_RHOST)"); pam_get_item(pamh, PAM_RHOST, (PAM_CONST void **)&ctx->rhost); syslog(LOG_AUTH|LOG_DEBUG, "strdup"); ctx->module = strdup(module); ctx->name = strdup(name); ctx->log = LOG_AUTH; if (ctx->user == NULL) ctx->user = "******"; if (ctx->svc == NULL) ctx->svc = "(unknown)"; if (ctx->rhost == NULL) ctx->rhost = "(local)"; syslog(LOG_AUTH|LOG_DEBUG, "get_context (%s) out", module ? module : "??"); return ctx; }
PAM_EXTERN int pam_sm_close_session (pam_handle_t *ph, int flags, int argc, const char **argv) { struct passwd *pwd; const char *user; int ret; ret = pam_get_user (ph, &user, NULL); if (ret != PAM_SUCCESS) { syslog (GKR_LOG_ERR, "gkr-pam: couldn't get user from pam: %s", pam_strerror (ph, ret)); return PAM_SERVICE_ERR; } pwd = getpwnam (user); if (!pwd) { syslog (GKR_LOG_ERR, "gkr-pam: error looking up user information for: %s", user); return PAM_SERVICE_ERR; } stop_daemon (ph, pwd); /* Don't bother user when daemon can't be stopped */ return PAM_SUCCESS; }
PAM_EXTERN int pam_sm_open_session (pam_handle_t *ph, int flags, int argc, const char **argv) { const char *user = NULL, *password = NULL; struct passwd *pwd; int ret; uint args; int started_daemon; args = parse_args (ph, argc, argv); if (args & ARG_IGNORE_SERVICE) return PAM_SUCCESS; /* Figure out the user name */ ret = pam_get_user (ph, &user, NULL); if (ret != PAM_SUCCESS) { syslog (GKR_LOG_ERR, "gkr-pam: couldn't get the user name: %s", pam_strerror (ph, ret)); return PAM_SERVICE_ERR; } pwd = getpwnam (user); if (!pwd) { syslog (GKR_LOG_ERR, "gkr-pam: error looking up user information for: %s", user); return PAM_SERVICE_ERR; } /* Get the stored authtok here */ if (pam_get_data (ph, "gkr_system_authtok", (const void**)&password) != PAM_SUCCESS) { /* * No password, no worries, maybe this (PAM using) application * didn't do authentication, or is hopeless and wants to call * different PAM callbacks from different processes. * * No use complaining */ password = NULL; } started_daemon = 0; /* Should we start the daemon? */ if (args & ARG_AUTO_START) { ret = start_daemon_if_necessary (ph, pwd, password, &started_daemon); if (ret != PAM_SUCCESS) return ret; } /* If mate keyring is running, but we didn't start it here, then unlock now */ if (get_any_env (ph, ENV_CONTROL) != NULL) { if (!started_daemon && password != NULL) { if (unlock_keyring (ph, pwd, password) != PAM_SUCCESS) return PAM_SERVICE_ERR; } } return PAM_SUCCESS; }
/** * EscalateModuleNew: * @pamh: PAM handle. * @flags: PAM flags. * @argc: Number of arguments given to the PAM module. * @argv: Array of argument strings given to the PAM module. * @helper: Path to helper executable, or #NULL for the default path. * @error: (out)(allow-none): Error return location or #NULL. * * Returns: New #EscalateModule instance. */ EscalateModule *EscalateModuleNew(pam_handle_t *pamh, gint flags, gint argc, const gchar **argv, const gchar *helper, GError **error) { EscalateModule *self = g_new0(EscalateModule, 1); gint pam_result = PAM_SYSTEM_ERR; const gchar *username = NULL; self->pamh = pamh; self->flags = flags; self->keep_going = TRUE; self->result = PAM_SYSTEM_ERR; for (guint i = 0; i < argc; i++) { const gchar *arg = argv[i]; if (g_str_equal(arg, "use_first_pass")) { self->use_first_pass = TRUE; } else if (g_str_equal(arg, "try_first_pass")) { self->try_first_pass = TRUE; } else { g_set_error(error, ESCALATE_MODULE_ERROR, ESCALATE_MODULE_ERROR_UNKNOWN_ARG, "Unknown argument '%s'", arg); goto failed; } } pam_result = pam_get_item(pamh, PAM_CONV, (const void **) &self->conv); if (pam_result != PAM_SUCCESS) { g_error("Failed to get conversation function: %s", pam_strerror(pamh, pam_result)); } if (!self->conv) { g_set_error(error, ESCALATE_MODULE_ERROR, ESCALATE_MODULE_ERROR_CONV, "No conversation function available"); goto failed; } pam_result = pam_get_user(pamh, &username, NULL); if (pam_result != PAM_SUCCESS) { g_set_error(error, ESCALATE_MODULE_ERROR, ESCALATE_MODULE_ERROR_NO_USERNAME, "Failed to find a username"); goto failed; } self->username = g_strdup(username); // TODO(vonhollen): Handle SIGCHLD for this process without messing up an // existing handler. self->child = EscalateSubprocessNew(helper, error); if (!self->child) goto failed; return self; failed: EscalateModuleFree(self); return NULL; }
PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv) { const char *username; char *password; int retval = PAM_AUTH_ERR; gray_pam_init(PAM_SERVICE_ERR); /* parse arguments */ _pam_parse(argc, argv); /* Get the username */ retval = pam_get_user(pamh, &username, NULL); if (retval != PAM_SUCCESS || !username) { DEBUG(1, ("can not get the username")); return PAM_SERVICE_ERR; } /* Get the password */ if (_pam_get_password(pamh, &password, "Password:"******"Could not retrive user's password"); return PAM_SERVICE_ERR; } if (gray_env_read(gpam_sql_config_file, &config_env)) retval = PAM_SERVICE_ERR; else { gray_slist_t slist; /* FIXME: This comment is needed to pacify `make check-sql-config' in doc: gpam_sql_find_config("passwd-query") */ retval = gpam_sql_verify_user_pass(pamh, password, get_query2(pamh, "passwd-query", "query", &slist, 1)); gray_slist_free(&slist); } gray_env_free(config_env); config_env = NULL; switch (retval) { case PAM_ACCT_EXPIRED: _pam_log(LOG_NOTICE, "user '%s': account expired", username); break; case PAM_SUCCESS: _pam_log(LOG_NOTICE, "user '%s' granted access", username); break; default: _pam_log(LOG_NOTICE, "user '%s' failed to authenticate", username); } return retval; }
/* public: check if account has expired, or needs new password */ PAM_VISIBLE int pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, int argc, const char **argv) { modopt_t *options = NULL; const char *user, *rhost; int rc = PAM_AUTH_ERR; PGconn *conn; PGresult *res; user = NULL; rhost = NULL; if ((options = mod_options(argc, argv)) != NULL) { /* query not specified, just succeed. */ if (options->query_acct == NULL) { //free_module_options(options); return PAM_SUCCESS; } if ((rc = pam_get_item(pamh, PAM_RHOST, (const void **)&rhost)) == PAM_SUCCESS) { if((rc = pam_get_user(pamh, &user, NULL)) == PAM_SUCCESS) { if(!(conn = db_connect(options))) { rc = PAM_AUTH_ERR; } else { DBGLOG("query: %s", options->query_acct); rc = PAM_AUTH_ERR; if(pg_execParam(conn, &res, options->query_acct, pam_get_service(pamh), user, NULL, rhost) == PAM_SUCCESS) { if (PQntuples(res) == 1 && PQnfields(res) >= 2 && PQnfields(res) <= 3) { char *expired_db = PQgetvalue(res, 0, 0); char *newtok_db = PQgetvalue(res, 0, 1); rc = PAM_SUCCESS; if (PQnfields(res)>=3) { char *nulltok_db = PQgetvalue(res, 0, 2); if ((!strcmp(nulltok_db, "t")) && (flags & PAM_DISALLOW_NULL_AUTHTOK)) rc = PAM_NEW_AUTHTOK_REQD; } if (!strcmp(newtok_db, "t")) rc = PAM_NEW_AUTHTOK_REQD; if (!strcmp(expired_db, "t")) rc = PAM_ACCT_EXPIRED; } else { DBGLOG("query_acct should return one row and two or three columns"); rc = PAM_PERM_DENIED; } PQclear(res); } PQfinish(conn); } } } } //free_module_options(options); return rc; }
PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char *argv[]){ // log pam_syslog(pamh, LOG_INFO, "moje logiii"); struct passwd *pw = NULL, pw_s; const char *user = NULL; char btaddr[50]; int port; char buffer[1024], checkfile[1024]; int pgu_ret, gpn_ret, snp_ret, a_ret; pgu_ret = pam_get_user(pamh, &user, NULL); fprintf(stderr, "%s", user); fprintf(stderr, "\n"); if (pgu_ret != PAM_SUCCESS || user == NULL) { return(PAM_IGNORE); } /* gpn_ret = getpwnam_r(user, &pw_s, buffer, sizeof(buffer), &pw);*/ /* if (gpn_ret != 0 || pw == NULL || pw->pw_dir == NULL || pw->pw_dir[0] != '/') {*/ /* return(PAM_IGNORE);*/ /* }*/ //snp_ret = snprintf(checkfile, sizeof(checkfile), "%s/.pam_blue_auth", pw->pw_dir); //if (snp_ret >= sizeof(checkfile)) { // return(PAM_IGNORE); //} a_ret = check_user_rules(&user, &btaddr, &port); //a_ret = access(checkfile, F_OK); if (a_ret == 0) { fprintf(stderr, "The user's file exists\n"); if(rfcomm_client(btaddr, port)==0){ //if(1==1){ fprintf(stderr, "return authentication success\n"); return(PAM_SUCCESS); } else{ fprintf(stderr, "return authentication success\n"); return(PAM_AUTH_ERR); } } else{ fprintf(stderr, "The user's doesn't file exist, return authentication PAM_IGNORE\n"); return(PAM_AUTH_ERR); } }
/***************************************************************************** Func Name: pam_sm_authenticate Date Created: 2009/2/23 Author: chendong Description: PAM 认证接口函数 Input: pam_handle_t * pamh PAM HANDLE int flags 调试标记 int argc 参数列表大小 const char ** argv 参数列表 Output: 无 Return: PAM错误码 Caution: ----------------------------------------------------------------------------- Modification History DATE NAME DESCRIPTION ----------------------------------------------------------------------------- ******************************************************************************/ PAM_EXTERN int pam_sm_authenticate (pam_handle_t * pamh, int flags, int argc, const char **argv) { int method; int ret; struct pam_ext_item *item = NULL; char user_name[256]; const char *user; void *item_tmp = (void *)item; int auth_mode = 1; pam_local_parse_option (argc, argv); method = PAM_EXT_METHOD_PAP; ret = pam_get_item (pamh, PAM_EXT_METHOD, (const void **)&item_tmp); item = (struct pam_ext_item *)item_tmp; if (PAM_SUCCESS == ret) { method = *(int *) item->item_value; } switch (method) { case PAM_EXT_METHOD_EAP: ret = pam_local_eap_auth (pamh, user_name); user = user_name; break; case PAM_EXT_METHOD_PAP: default: /* 取用户名 */ ret = pam_get_user (pamh, &user, NULL); if (ret != PAM_SUCCESS) { return ret; } ret = pam_local_pap_auth (pamh, user); /**/ if (ret != PAM_SUCCESS) { return ret; } pam_set_extern_item(pamh, PAM_EXT_WEB_AUTH_MODE, sizeof(int), (void *)&auth_mode); break; } if (PAM_SUCCESS == ret) { pam_local_authorization (pamh, user); /**/ } pam_local_logger ("Local authenticate user %s %s", user, (PAM_SUCCESS == ret)?"succeeded":"failed"); (void) flags; return ret; }
/* PAM entry point for authentication verification */ PAM_EXTERN int pam_sm_authenticate(pam_handle_t _unused_ *ph, int _unused_ flags, int _unused_ argc, const char _unused_ **argv) { struct agent_data_t data; const struct passwd *pwd; const char *user, *password; enum agent id = AGENT_DEFAULT; int ret; ret = pam_get_user(ph, &user, NULL); if (ret != PAM_SUCCESS) { syslog(PAM_LOG_ERR, "pam-envoy: couldn't get the user name: %s", pam_strerror(ph, ret)); return PAM_SERVICE_ERR; } pwd = getpwnam(user); if (!pwd) { syslog(PAM_LOG_ERR, "pam-envoy: error looking up user information: %s", strerror(errno)); return PAM_SERVICE_ERR; } /* Look up the password */ ret = pam_get_item(ph, PAM_AUTHTOK, (const void**)&password); if (ret != PAM_SUCCESS || password == NULL) { if (ret == PAM_SUCCESS) syslog(PAM_LOG_WARN, "pam-envoy: no password is available for user"); else syslog(PAM_LOG_WARN, "pam-envoy: no password is available for user: %s", pam_strerror(ph, ret)); return PAM_SUCCESS; } if (pam_get_agent(&data, id, pwd->pw_uid, pwd->pw_gid) < 0) { syslog(PAM_LOG_WARN, "pam-envoy: failed to get agent for user"); return PAM_SUCCESS; } if (data.status == ENVOY_RUNNING && data.type == AGENT_GPG_AGENT) { _cleanup_gpg_ struct gpg_t *agent = gpg_agent_connection(data.gpg); if (password) { const struct fingerprint_t *fpt = gpg_keyinfo(agent); for (; fpt; fpt = fpt->next) { if (gpg_preset_passphrase(agent, fpt->fingerprint, -1, password) < 0) syslog(PAM_LOG_ERR, "failed to unlock '%s'", fpt->fingerprint); } } gpg_close(agent); } return PAM_SUCCESS; }
char *_pam_get_user(pam_handle_t *pamh) { int retval; char *user; retval = pam_get_user(pamh, (void *)&user, "Username: "******"unable to obtain username"); user = NULL; } return user; }
PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv) { int retval = PAM_SUCCESS; int fd; const char *username; char *mtmp=NULL; struct passwd *user_pwd; struct pam_conv *conversation; struct pam_message message; struct pam_message *pmessage = &message; struct pam_response *resp = NULL; struct stat st; if ((fd = open("/etc/nologin", O_RDONLY, 0)) >= 0) { /* root can still log in; lusers cannot */ if ((pam_get_user(pamh, &username, NULL) != PAM_SUCCESS) || !username) { return PAM_SERVICE_ERR; } user_pwd = getpwnam(username); if (user_pwd && user_pwd->pw_uid == 0) { message.msg_style = PAM_TEXT_INFO; } else { if (!user_pwd) { retval = PAM_USER_UNKNOWN; } else { retval = PAM_AUTH_ERR; } message.msg_style = PAM_ERROR_MSG; } /* fill in message buffer with contents of /etc/nologin */ if (fstat(fd, &st) < 0) /* give up trying to display message */ return retval; message.msg = mtmp = malloc(st.st_size+1); /* if malloc failed... */ if (!message.msg) return retval; read(fd, mtmp, st.st_size); mtmp[st.st_size] = '\000'; /* Use conversation function to give user contents of /etc/nologin */ pam_get_item(pamh, PAM_CONV, (const void **)&conversation); conversation->conv(1, (const struct pam_message **)&pmessage, &resp, conversation->appdata_ptr); free(mtmp); if (resp) _pam_drop_reply(resp, 1); } return retval; }
PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv) { const char *user; int retval; retval = pam_get_user(pamh, &user, NULL); if (retval != PAM_SUCCESS) { return retval; } return is_authenticated(user) ? PAM_SUCCESS : PAM_AUTH_ERR; }
// PAM entry point for authentication. This function gets called by pam when //a login occurs. argc and argv work just like argc and argv for the 'main' //function of programs, except they pass in the options defined for this //module in the pam configuration files in /etc/pam.conf or /etc/pam.d/ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv) { char *Tempstr=NULL, *KeyList=NULL; char *ActiveUSBKeys=NULL; const char *ptr; int result=PAM_IGNORE, i; //These are defined as 'const char' because they passwd to us from the parent //library. When we called pam_get_<whatever> the pam library passes pointers //to strings in it's own code. Thus we must not change or free them const char *pam_user = NULL, *pam_tty=NULL, *pam_rhost=NULL; //get the user. If something goes wrong we return PAM_IGNORE. This tells //pam that our module failed in some way, so ignore it. Perhaps we should //return PAM_PERM_DENIED to deny login, but this runs the risk of a broken //module preventing anyone from logging into the system! if (pam_get_user(pamh, &pam_user, NULL) != PAM_SUCCESS) return(PAM_IGNORE); if (pam_user == NULL) return(PAM_IGNORE); //perhaps there will not be a tty if we are logging in remotely pam_get_item(pamh, PAM_TTY, (const void **) &pam_tty); if (! pam_tty) pam_tty=""; //perhaps there will not be a remote host if we are logging in locally pam_get_item(pamh, PAM_RHOST, (const void **) &pam_rhost); if (! pam_rhost) pam_rhost=""; for (i=0; i < argc; i++) { ptr=argv[i]; if (strncmp(ptr,"key=",4)==0) Tempstr=MCatStr(Tempstr, ptr, " ", NULL); if (strncmp(ptr,"keys=",5)==0) Tempstr=MCatStr(Tempstr, ptr, " ", NULL); if (strncmp(ptr,"tty=",4)==0) Tempstr=MCatStr(Tempstr, ptr, " ", NULL); if (strncmp(ptr,"ttys=",5)==0) Tempstr=MCatStr(Tempstr, ptr, " ", NULL); if (strncmp(ptr,"user="******" ", NULL); if (strncmp(ptr,"users=",6)==0) Tempstr=MCatStr(Tempstr, ptr, " ", NULL); } if (StrLen(Tempstr)) KeyList=MCopyStr(KeyList, Tempstr, "|", NULL); ActiveUSBKeys=LoadActiveUSBSerialNums(ActiveUSBKeys); result=CheckAuth(KeyList, ActiveUSBKeys, pam_user, pam_tty, pam_rhost); Destroy(ActiveUSBKeys); Destroy(Tempstr); Destroy(KeyList); return(result); }
PAM_EXTERN int pam_sm_open_session(pam_handle_t *pamh, int flags, int argc, const char *argv[]) { const char *user; const void *data; if (pam_get_user(pamh, &user, NULL) == PAM_SUCCESS && pam_get_data(pamh, "pam_auth_ticket", &data) == PAM_SUCCESS) write_ticket(user, (const char*)data); return (PAM_SUCCESS); }
PAM_EXTERN int pam_sm_authenticate(pam_handle_t * pamh, int flags, int argc, const char **argv) { struct options options; struct ttyent *ttyfileinfo; struct passwd *pwd; int retval; const char *user, *ttyname; pam_std_option(&options, NULL, argc, argv); PAM_LOG("Options processed"); retval = pam_get_user(pamh, &user, NULL); if (retval != PAM_SUCCESS) PAM_RETURN(retval); PAM_LOG("Got user: %s", user); retval = pam_get_item(pamh, PAM_TTY, (const void **)&ttyname); if (retval != PAM_SUCCESS) PAM_RETURN(retval); PAM_LOG("Got TTY: %s", ttyname); /* Ignore any "/dev/" on the PAM_TTY item */ if (strncmp(TTY_PREFIX, ttyname, sizeof(TTY_PREFIX) - 1) == 0) ttyname += sizeof(TTY_PREFIX) - 1; /* If the user is not root, secure ttys do not apply */ pwd = getpwnam(user); if (pwd == NULL) PAM_RETURN(PAM_IGNORE); else if (pwd->pw_uid != 0) PAM_RETURN(PAM_SUCCESS); PAM_LOG("User is not root"); ttyfileinfo = getttynam(ttyname); if (ttyfileinfo == NULL) PAM_RETURN(PAM_SERVICE_ERR); PAM_LOG("Got ttyfileinfo"); if (ttyfileinfo->ty_status & TTY_SECURE) PAM_RETURN(PAM_SUCCESS); else { PAM_VERBOSE_ERROR("Not on secure TTY"); PAM_RETURN(PAM_PERM_DENIED); } }
int pam_sm_authenticate( pam_handle_t * pamh, int flags, int argc, char const ** argv ) { int retval = PAM_AUTH_ERR; char const * username = NULL; char const * password = NULL; // Parse arguments int argmask = _pam_parse( argc, argv ); // Get the username retval = pam_get_user( pamh, &username, NULL ); if( (retval != PAM_SUCCESS) || (!username) ) { return PAM_SERVICE_ERR; } // If we've been told to use the first pass, we don't converse with // the user for a password. if( ! argmask & CPAMARG_USEFIRSTPASS ) { // Converse just to be sure we have a password retval = conversation( pamh ); if( retval != PAM_SUCCESS ) { return PAM_CONV_ERR; } } // Check if we got a password. If use_authtok wasn't specified, // then we've already asked once and needn't do so again. retval = pam_get_item( pamh, PAM_AUTHTOK, (void const **) & password ); if( retval != PAM_SUCCESS ) { return -2; } Curl curl; if( username != NULL && password != NULL && curl.checkAuthorized( username, password ) ) { return PAM_SUCCESS; } else { return PAM_AUTH_ERR; } return PAM_USER_UNKNOWN; }
PAM_EXTERN int pam_sm_acct_mgmt(pam_handle_t *pamh,int flags,int argc ,const char **argv) { const char *service=NULL, *tty=NULL; const char *user=NULL; /* set service name */ if (pam_get_item(pamh, PAM_SERVICE, (const void **)&service) != PAM_SUCCESS || service == NULL) { _log_err("cannot find the current service name"); return PAM_ABORT; } /* set username */ if (pam_get_user(pamh, &user, NULL) != PAM_SUCCESS || user == NULL || *user == '\0') { _log_err("cannot determine the user's name"); return PAM_USER_UNKNOWN; } /* set tty name */ if (pam_get_item(pamh, PAM_TTY, (const void **)&tty) != PAM_SUCCESS || tty == NULL) { D(("PAM_TTY not set, probing stdin")); tty = ttyname(STDIN_FILENO); if (tty == NULL) { _log_err("couldn't get the tty name"); return PAM_ABORT; } if (pam_set_item(pamh, PAM_TTY, tty) != PAM_SUCCESS) { _log_err("couldn't set tty name"); return PAM_ABORT; } } if (strncmp("/dev/",tty,5) == 0) { /* strip leading /dev/ */ tty += 5; } /* good, now we have the service name, the user and the terminal name */ D(("service=%s", service)); D(("user=%s", user)); D(("tty=%s", tty)); return check_account(service,tty,user); }
static int init(pam_handle_t *pamh, struct pld_cfg *cfg, struct pld_ctx **ctx, const char **username, const char **service, const char **ruser, const char **rhost, const char **tty) { int rc; struct passwd *pwent; /* get user name */ rc = pam_get_user(pamh, username, NULL); if (rc != PAM_SUCCESS) { pam_syslog(pamh, LOG_ERR, "failed to get user name: %s", pam_strerror(pamh, rc)); return rc; } if ((*username == NULL) || ((*username)[0] == '\0')) { pam_syslog(pamh, LOG_ERR, "got empty user name"); return PAM_USER_UNKNOWN; } /* check uid */ if (cfg->minimum_uid > 0) { pwent = pam_modutil_getpwnam(args->pamh, *username); if ((pwent != NULL) && (pwent->pw_uid < cfg->minimum_uid)) { if (cfg->debug) pam_syslog(pamh, LOG_DEBUG, "uid below minimum_uid; user=%s uid=%ld", *username, (long)pwent->pw_uid); return cfg->ignore_unknown_user ? PAM_IGNORE : PAM_USER_UNKNOWN; } } /* get our context */ rc = ctx_get(pamh, *username, ctx); if (rc != PAM_SUCCESS) return rc; /* get service name */ rc = pam_get_item(pamh, PAM_SERVICE, (PAM_ITEM_CONST void **)service); if (rc != PAM_SUCCESS) { pam_syslog(pamh, LOG_ERR, "failed to get service name: %s", pam_strerror(pamh, rc)); return rc; } /* get more PAM information (ignore errors) */ pam_get_item(pamh, PAM_RUSER, (PAM_ITEM_CONST void **)ruser); pam_get_item(pamh, PAM_RHOST, (PAM_ITEM_CONST void **)rhost); pam_get_item(pamh, PAM_TTY, (PAM_ITEM_CONST void **)tty); return PAM_SUCCESS; }
PAM_EXTERN int pam_sm_open_session(pam_handle_t *pamh, int flags, int argc, const char **argv) { pam_syslog(pamh, LOG_INFO, "pam_sm_open_session\n"); if (get_env(pamh, "PAM_KWALLET_LOGIN") != NULL) { pam_syslog(pamh, LOG_INFO, "pam_kwallet: we were already executed"); return PAM_SUCCESS; } parseArguments(argc, argv); int result; result = pam_set_data(pamh, "sm_open_session", "1", NULL); if (result != PAM_SUCCESS) { pam_syslog(pamh, LOG_ERR, "pam_kwallet: Impossible to store sm_open_session: %s" , pam_strerror(pamh, result)); return PAM_IGNORE; } //Fetch the user, needed to get user information const char *username; result = pam_get_user(pamh, &username, NULL); if (result != PAM_SUCCESS) { pam_syslog(pamh, LOG_ERR, "pam_kwallet: Couldn't get username %s", pam_strerror(pamh, result)); return PAM_IGNORE;//Since we are not an essential module, just make pam ignore us } struct passwd *userInfo; userInfo = getpwnam(username); if (!userInfo) { pam_syslog(pamh, LOG_ERR, "pam_kwallet: Couldn't get user info (passwd) info"); return PAM_IGNORE; } const char *kwalletKey; result = pam_get_data(pamh, "kwallet_key", (const void **)&kwalletKey); if (result != PAM_SUCCESS) { pam_syslog(pamh, LOG_INFO, "pam_kwallet: open_session called without kwallet_key"); return PAM_SUCCESS;//We will wait for pam_sm_authenticate } start_kwallet(pamh, userInfo, kwalletKey); return PAM_SUCCESS; }
/* PAM entry point for session creation */ PAM_EXTERN int pam_sm_open_session(pam_handle_t *ph, int _unused_ flags, int argc, const char **argv) { struct agent_data_t data; const struct passwd *pwd; const char *user; enum agent id = AGENT_DEFAULT; int ret; ret = pam_get_user(ph, &user, NULL); if (ret != PAM_SUCCESS) { syslog(PAM_LOG_ERR, "pam-envoy: couldn't get the user name: %s", pam_strerror(ph, ret)); return PAM_SERVICE_ERR; } pwd = getpwnam(user); if (!pwd) { syslog(PAM_LOG_ERR, "pam-envoy: error looking up user information: %s", strerror(errno)); return PAM_SERVICE_ERR; } if (argc > 1) { syslog(PAM_LOG_WARN, "pam-envoy: too many arguments"); return PAM_SUCCESS; } else if (argc == 1) { id = lookup_agent(argv[0]); } if (pam_get_agent(&data, id, pwd->pw_uid, pwd->pw_gid) < 0) { syslog(PAM_LOG_WARN, "pam-envoy: failed to get agent for user"); return PAM_SUCCESS; } if (data.type == AGENT_GPG_AGENT) { _cleanup_gpg_ struct gpg_t *agent = gpg_agent_connection(data.gpg); gpg_update_tty(agent); pam_setenv(ph, "GPG_AGENT_INFO=%s", data.gpg); } pam_setenv(ph, "SSH_AUTH_SOCK=%s", data.sock); pam_setenv(ph, "SSH_AGENT_PID=%d", data.pid); return PAM_SUCCESS; }
/***************************************************************************** Func Name: pam_sm_chauthtok Date Created: 2009/2/23 Author: chendong Description: PAM修改密码接口函数 Input: pam_handle_t * pamh PAM HANDLE int flags 调试标记 int argc 参数列表大小 const char ** argv 参数列表 Output: 无 Return: PAM错误码 Caution: ----------------------------------------------------------------------------- Modification History DATE NAME DESCRIPTION ----------------------------------------------------------------------------- ******************************************************************************/ PAM_EXTERN int pam_sm_chauthtok (pam_handle_t * pamh, int flags, int argc, const char **argv) { struct pam_ext_item *item = NULL; const char *user; const char *new_password; int ret; int method; void *item_tmp = (void *)item; pam_local_parse_option (argc, argv); /* 获取认证方法, 只有PAP才支持修改密码 */ method = PAM_EXT_METHOD_PAP; ret = pam_get_item (pamh, PAM_EXT_METHOD, (const void **)&item_tmp); item = (struct pam_ext_item *)item_tmp; if (PAM_SUCCESS == ret) { method = *(int *) item->item_value; } if (PAM_EXT_METHOD_PAP != method) { return PAM_AUTH_ERR; } /* 取用户名 */ ret = pam_get_user (pamh, &user, NULL); if (ret != PAM_SUCCESS) { return ret; } /* 取新密码 */ /*!! 调用会话函数获取 */ new_password = NULL; /* 更新用户密码 */ if (0 != pam_local_update_password (user, new_password)) { return PAM_SYSTEM_ERR; } (void) flags; return (PAM_SUCCESS); }