static void
quit(struct weston_launch *wl, int status)
{
struct vt_mode mode = { 0 };
int err;
close(wl->signalfd);
close(wl->sock[0]);
if (wl->new_user) {
err = pam_close_session(wl->ph, 0);
if (err)
fprintf(stderr, "pam_close_session failed: %d: %s\n",
err, pam_strerror(wl->ph, err));
pam_end(wl->ph, err);
}
if (ioctl(wl->tty, KDSKBMUTE, 0) &&
ioctl(wl->tty, KDSKBMODE, wl->kb_mode))
fprintf(stderr, "failed to restore keyboard mode: %m\n");
if (ioctl(wl->tty, KDSETMODE, KD_TEXT))
fprintf(stderr, "failed to set KD_TEXT mode on tty: %m\n");
/* We have to drop master before we switch the VT back in
* VT_AUTO, so we don't risk switching to a VT with another
* display server, that will then fail to set drm master. */
drmDropMaster(wl->drm_fd);
mode.mode = VT_AUTO;
if (ioctl(wl->tty, VT_SETMODE, &mode) < 0)
fprintf(stderr, "could not reset vt handling\n");
exit(status);
}
static void sftppam_exit_ev(const void *event_data, void *user_data) {
/* Close the PAM session */
if (sftppam_pamh != NULL) {
int res;
#ifdef PAM_CRED_DELETE
res = pam_setcred(sftppam_pamh, PAM_CRED_DELETE);
#else
res = pam_setcred(sftppam_pamh, PAM_DELETE_CRED);
#endif
if (res != PAM_SUCCESS) {
pr_trace_msg(trace_channel, 9, "PAM error setting PAM_DELETE_CRED: %s",
pam_strerror(sftppam_pamh, res));
}
res = pam_close_session(sftppam_pamh, PAM_SILENT);
pam_end(sftppam_pamh, res);
sftppam_pamh = NULL;
}
if (sftppam_user != NULL) {
free(sftppam_user);
sftppam_user = NULL;
sftppam_userlen = 0;
}
}
static void loginpam_acct(struct login_context *cxt)
{
int rc;
pam_handle_t *pamh = cxt->pamh;
rc = pam_acct_mgmt(pamh, 0);
if (rc == PAM_NEW_AUTHTOK_REQD)
rc = pam_chauthtok(pamh, PAM_CHANGE_EXPIRED_AUTHTOK);
if (is_pam_failure(rc))
loginpam_err(pamh, rc);
/*
* Grab the user information out of the password file for future use.
* First get the username that we are actually using, though.
*/
rc = loginpam_get_username(pamh, &cxt->username);
if (is_pam_failure(rc))
loginpam_err(pamh, rc);
if (!cxt->username || !*cxt->username) {
warnx(_("\nSession setup problem, abort."));
syslog(LOG_ERR, _("NULL user name in %s:%d. Abort."),
__FUNCTION__, __LINE__);
pam_end(pamh, PAM_SYSTEM_ERR);
sleepexit(EXIT_FAILURE);
}
}
int
main (int argc, char **argv)
{
pam_handle_t *pamh;
int rc;
for (loop = 0; loop < sizeof (tv) / sizeof (tv[0]); loop++)
{
rc = pam_start ("pam_oath1", tv[loop].user, &conv, &pamh);
if (rc != PAM_SUCCESS)
{
printf ("pam_start failed loop %ld rc %d: %s\n", loop, rc,
pam_strerror (pamh, rc));
return 1;
}
rc = pam_authenticate (pamh, 0);
if (rc != tv[loop].expectrc)
{
printf ("pam_authenticate failed loop %ld rc %d: %s\n", loop, rc,
pam_strerror (pamh, rc));
return 1;
}
rc = pam_end (pamh, rc);
if (rc != PAM_SUCCESS)
{
printf ("pam_end failed loop %ld rc %d: %s\n", loop, rc,
pam_strerror (pamh, rc));
return 1;
}
}
return 0;
}
static gboolean
close_pam_handle (int status)
{
if (pam_handle != NULL) {
int status2;
status2 = pam_end (pam_handle, status);
pam_handle = NULL;
if (gs_auth_get_verbose ()) {
g_message (" pam_end (...) ==> %d (%s)",
status2,
(status2 == PAM_SUCCESS ? "Success" : "Failure"));
}
}
if (message_handled_condition != NULL) {
g_cond_free (message_handled_condition);
message_handled_condition = NULL;
}
if (message_handler_mutex != NULL) {
g_mutex_free (message_handler_mutex);
message_handler_mutex = NULL;
}
return TRUE;
}
static void checkpw_cleanup (pam_handle_t *hdl)
{
#if 0 /* see checkpw() for why this is #if 0 */
pam_close_session (hdl,NIL); /* close session [uw]tmp */
#endif
pam_setcred (hdl,PAM_DELETE_CRED);
pam_end (hdl,PAM_SUCCESS);
}
PAMAuthenticator::~PAMAuthenticator(void)
{
if (this->m_ph) {
int res = pam_close_session(this->m_ph, 0);
pam_end(this->m_ph, res);
this->m_ph = 0;
}
}
void AuthPAMClose()
{
if (pamh)
{
pam_close_session(pamh, 0);
pam_end(pamh,PAM_SUCCESS);
}
}
void context::close() noexcept
{
if(_M_pamh)
{
pam_end(_M_pamh, _M_code);
_M_pamh = nullptr;
}
}
static auth_result_t do_pam_authenticate(const char* service, const char *username,
const char *password,
error_handler_t *error_handler)
{
#ifdef JUTI_NO_PAM
error_handler->error(MSG_AUTHUSER_PAM_NOT_AVAILABLE);
return JUTI_AUTH_ERROR;
#else
auth_result_t ret;
int status;
pam_handle_t *pamh; /* pam handle */
struct pam_conv pamconv; /* pam init structure */
struct app_pam_data app_data; /* pam application data */
pamh = NULL;
/*
* app_data gets passed through the framework
* to "login_conv". Set the password for use in login_conv
* and set up the pam_conv data with the conversation
* function and the application data pointer.
*/
app_data.password = password;
pamconv.conv = login_conv;
pamconv.appdata_ptr = &app_data;
/* pam start session */
status = pam_start(service, username, &pamconv, &pamh);
if(status != PAM_SUCCESS) {
ret = JUTI_AUTH_ERROR;
goto error;
}
status = pam_authenticate(pamh, PAM_SILENT);
if(status != PAM_SUCCESS) {
ret = JUTI_AUTH_FAILED;
goto error;
}
/* check if the authenicated user is allowed to use machine */
status = pam_acct_mgmt(pamh, PAM_SILENT);
if (status != PAM_SUCCESS) {
ret = JUTI_AUTH_FAILED;
goto error;
}
ret = JUTI_AUTH_SUCCESS;
error:
if (status != PAM_SUCCESS) {
const char *pam_err_msg = pam_strerror(pamh, status);
error_handler->error(MSG_AUTHUSER_PAM_ERROR_S, pam_err_msg);
}
/* end pam session */
if (pamh != NULL) {
pam_end(pamh, status == PAM_SUCCESS ? PAM_SUCCESS : PAM_ABORT);
}
return ret;
#endif
}
int authenticate_user(const char *user, const char *pass)
{
pam_handle_t *pamh;
tAppdata appdata = {user, pass};
struct pam_conv pam_conv = {&pam_exchange, &appdata};
if ((pam_start (PAM_SERVICE_NAME, NULL, &pam_conv, &pamh) != PAM_SUCCESS) ||
(pam_authenticate (pamh,PAM_SILENT) != PAM_SUCCESS) ||
(pam_acct_mgmt (pamh,0) != PAM_SUCCESS) ||
(pam_setcred (pamh,PAM_ESTABLISH_CRED) != PAM_SUCCESS))
{
pam_end (pamh,PAM_AUTH_ERR);
return 0;
}
pam_end (pamh,PAM_SUCCESS);
return 1;
}
int
main(void)
{
pam_handle_t *pamh;
struct pam_args *args;
struct pam_conv conv = { NULL, NULL };
char *expected;
struct output *seen;
#ifdef HAVE_KRB5
krb5_error_code code;
krb5_principal princ;
#endif
plan(27);
if (pam_start("test", NULL, &conv, &pamh) != PAM_SUCCESS)
sysbail("Fake PAM initialization failed");
args = putil_args_new(pamh, 0);
if (args == NULL)
bail("cannot create PAM argument struct");
TEST(putil_crit, LOG_CRIT, "putil_crit");
TEST(putil_err, LOG_ERR, "putil_err");
putil_debug(args, "%s", "foo");
ok(pam_output() == NULL, "putil_debug without debug on");
args->debug = true;
TEST(putil_debug, LOG_DEBUG, "putil_debug");
args->debug = false;
TEST_PAM(putil_crit_pam, PAM_SYSTEM_ERR, LOG_CRIT, "putil_crit_pam S");
TEST_PAM(putil_crit_pam, PAM_BUF_ERR, LOG_CRIT, "putil_crit_pam B");
TEST_PAM(putil_crit_pam, PAM_SUCCESS, LOG_CRIT, "putil_crit_pam ok");
TEST_PAM(putil_err_pam, PAM_SYSTEM_ERR, LOG_ERR, "putil_err_pam");
putil_debug_pam(args, PAM_SYSTEM_ERR, "%s", "bar");
ok(pam_output() == NULL, "putil_debug_pam without debug on");
args->debug = true;
TEST_PAM(putil_debug_pam, PAM_SYSTEM_ERR, LOG_DEBUG, "putil_debug_pam");
TEST_PAM(putil_debug_pam, PAM_SUCCESS, LOG_DEBUG, "putil_debug_pam ok");
args->debug = false;
#ifdef HAVE_KRB5
TEST_KRB5(putil_crit_krb5, LOG_CRIT, "putil_crit_krb5");
TEST_KRB5(putil_err_krb5, LOG_ERR, "putil_err_krb5");
code = krb5_parse_name(args->ctx, "foo@[email protected]", &princ);
putil_debug_krb5(args, code, "%s", "krb");
ok(pam_output() == NULL, "putil_debug_krb5 without debug on");
args->debug = true;
TEST_KRB5(putil_debug_krb5, LOG_DEBUG, "putil_debug_krb5");
args->debug = false;
#else
skip_block(4, "not built with Kerberos support");
#endif
putil_args_free(args);
pam_end(pamh, 0);
return 0;
}
/* Creates a pam handle for the auto login */
static gboolean
create_pamh (MdmDisplay *d,
const char *service,
const char *login,
struct pam_conv *conv,
const char *display,
int *pamerr)
{
if (display == NULL) {
mdm_error ("Cannot setup pam handle with null display");
return FALSE;
}
if (pamh != NULL) {
mdm_error ("create_pamh: Stale pamh around, cleaning up");
pam_end (pamh, PAM_SUCCESS);
}
/* init things */
pamh = NULL;
opened_session = FALSE;
did_setcred = FALSE;
/* Initialize a PAM session for the user */
if ((*pamerr = pam_start (service, login, conv, &pamh)) != PAM_SUCCESS) {
pamh = NULL; /* be anal */
if (mdm_slave_action_pending ())
mdm_error ("Unable to establish service %s: %s\n", service, pam_strerror (NULL, *pamerr));
return FALSE;
}
/* Inform PAM of the user's tty */
if ((*pamerr = pam_set_item (pamh, PAM_TTY, display)) != PAM_SUCCESS) {
if (mdm_slave_action_pending ())
mdm_error ("Can't set PAM_TTY=%s", display);
return FALSE;
}
if ( ! d->attached) {
/* Only set RHOST if host is remote */
/* From the host of the display */
if ((*pamerr = pam_set_item (pamh, PAM_RHOST,
d->hostname)) != PAM_SUCCESS) {
if (mdm_slave_action_pending ())
mdm_error ("Can't set PAM_RHOST=%s", d->hostname);
return FALSE;
}
}
// Preselect the previous user
if (do_we_need_to_preset_the_username) {
do_we_need_to_preset_the_username = FALSE;
mdm_preselect_user(pamerr);
}
return TRUE;
}
void
mdm_verify_cleanup (MdmDisplay *d)
{
gid_t groups[1] = { 0 };
cur_mdm_disp = d;
if (pamh != NULL) {
gint pamerr;
pam_handle_t *tmp_pamh;
gboolean old_opened_session;
gboolean old_did_setcred;
mdm_debug ("Running mdm_verify_cleanup and pamh != NULL");
mdm_sigterm_block_push ();
mdm_sigchld_block_push ();
tmp_pamh = pamh;
pamh = NULL;
old_opened_session = opened_session;
opened_session = FALSE;
old_did_setcred = did_setcred;
did_setcred = FALSE;
mdm_sigchld_block_pop ();
mdm_sigterm_block_pop ();
pamerr = PAM_SUCCESS;
/* Close the users session */
if (old_opened_session) {
mdm_debug ("Running pam_close_session");
pamerr = pam_close_session (tmp_pamh, 0);
}
/* Throw away the credentials */
if (old_did_setcred) {
mdm_debug ("Running pam_setcred with PAM_DELETE_CRED");
pamerr = pam_setcred (tmp_pamh, PAM_DELETE_CRED);
}
pam_end (tmp_pamh, pamerr);
/* Workaround to avoid mdm messages being logged as PAM_pwdb */
mdm_log_shutdown ();
mdm_log_init ();
}
/* Clear the group setup */
setgid (0);
/* this will get rid of any suplementary groups etc... */
setgroups (1, groups);
cur_mdm_disp = NULL;
/* reset limits */
mdm_reset_limits ();
}
void XProcess::pam_shutdown(){
if(pam_session_open){
pam_stopSession();
pam_session_open = FALSE;
}
if(pam_started){
pam_end(pamh,0);
pam_started = FALSE;
}
}
void AuthHandle::destroy()
{
// only act on it if it was actually set (avoid issues with auth challenge)
if (0 != hdl)
{
pam_end((pam_handle_t*) hdl,0);
// Call to pam_end with value of hdl
hdl = 0;
}
}
void check_password(void)
{
static struct pam_conv conv =
{
ulock_conv,
NULL
};
pam_handle_t *pamh;
char username[1 << 8];
username[0] = '\0';
strncat(username, getpwuid(getuid())->pw_name, (sizeof username) - 1);
pam_start("ulock", username, &conv, &pamh);
writes(STDOUT_FILENO, "The terminal is now locked. Please enter the password to unlock it.\n");
char *username2 = username;
for (int i = 0; ; i++)
{
int pam_error;
writes(STDOUT_FILENO, username2);
writes(STDOUT_FILENO, "'s password: "******"Erm, one minute penalty...\n");
sleep(60);
}
username2 = (username2 == username) ? "root" : username;
}
pam_end(pamh, PAM_SUCCESS);
fatal("Something went *SERIOUSLY* wrong\n");
}
enum pamtest_err _pamtest_conv(const char *service,
const char *user,
pam_conv_fn conv_fn,
void *conv_userdata,
struct pam_testcase test_cases[],
size_t num_test_cases)
{
int rv;
pam_handle_t *ph;
struct pam_conv conv;
size_t tcindex;
struct pam_testcase *tc = NULL;
bool call_pam_end = true;
conv.conv = conv_fn;
conv.appdata_ptr = conv_userdata;
if (test_cases == NULL) {
return PAMTEST_ERR_INTERNAL;
}
rv = pam_start(service, user, &conv, &ph);
if (rv != PAM_SUCCESS) {
return PAMTEST_ERR_START;
}
for (tcindex = 0; tcindex < num_test_cases; tcindex++) {
tc = &test_cases[tcindex];
rv = run_test_case(ph, tc);
if (rv == PAMTEST_ERR_KEEPHANDLE) {
call_pam_end = false;
continue;
} else if (rv != PAMTEST_ERR_OK) {
return PAMTEST_ERR_INTERNAL;
}
if (tc->op_rv != tc->expected_rv) {
break;
}
}
if (call_pam_end == true && tc != NULL) {
rv = pam_end(ph, tc->op_rv);
if (rv != PAM_SUCCESS) {
return PAMTEST_ERR_END;
}
}
if (tcindex < num_test_cases) {
return PAMTEST_ERR_CASE;
}
return PAMTEST_ERR_OK;
}
bool PAMAuthenticator::authenticate(void)
{
pam_conv c;
c.conv = PAMAuthenticator::conv;
c.appdata_ptr = this;
int res = pam_start("repwatchproxy", 0, &c, &this->m_ph);
if (res == PAM_SUCCESS) {
res = pam_set_item(this->m_ph, PAM_RUSER, this->m_user.constData());
if (res != PAM_SUCCESS) {
goto getout;
}
res = pam_set_item(this->m_ph, PAM_RHOST, this->m_host.constData());
if (res != PAM_SUCCESS) {
goto getout;
}
res = pam_authenticate(this->m_ph, 0);
if (res != PAM_SUCCESS) {
goto getout;
}
res = pam_acct_mgmt(this->m_ph, 0);
if (PAM_NEW_AUTHTOK_REQD == res) {
res = pam_chauthtok(this->m_ph, PAM_CHANGE_EXPIRED_AUTHTOK);
}
if (res != PAM_SUCCESS) {
goto getout;
}
res = pam_setcred(this->m_ph, PAM_ESTABLISH_CRED);
if (res != PAM_SUCCESS) {
goto getout;
}
res = pam_open_session(this->m_ph, 0);
if (res != PAM_SUCCESS) {
goto getout;
}
return true;
getout:
qWarning("%s: %s", Q_FUNC_INFO, pam_strerror(this->m_ph, res));
pam_end(this->m_ph, res);
}
else {
qCritical("PAM initialization failed");
}
this->m_ph = 0;
return false;
}
/* Main Sequence when PAM Auth gets invoked */
static int tlock_auth_pam_auth(const char* username, const char* pass, int as_gid) {
pam_handle_t* pam_handle = NULL;
const char* user;
struct passwd *pwd;
gid_t gids[15 + 1];
int count, pam_error, ret, i;
if (!pass || strlen(pass) < 1 || !pwd_entry)
return 0;
PAM_username = pwd_entry->pw_name;
PAM_password = pass;
fprintf(stderr, "auth: starting pam_conv(%s)\n",
PAM_SERVICE_NAME);
pam_error = pam_start(PAM_SERVICE_NAME, PAM_username, &PAM_conversation,
&pam_handle);
PAM_EXCEPTION;
pam_error = pam_set_item(pam_handle, PAM_TTY, ttyname(0));
PAM_EXCEPTION;
/* At this point we have the interface to PAM for the PAM_user
* so we can end the session and use libc functionality to get
* the groups and other administrative data for the the via
* libc.pwnam functions.
*/
/* get mapped user namqe; PAM may have changed it */
pam_error = pam_get_item(pam_handle, PAM_USER, (const void **) &user);
if ((pwd_entry = getpwnam(user)) == NULL) {
pam_error = 1;
}
PAM_EXCEPTION;
pam_error = pam_end(pam_handle, pam_error);
PAM_EXCEPTION;
/* pwd is not null, and no error reported.... lets get the group list
* from the native interface the gecos.
*/
/* Retrieve group list */
count = 11;
ret = getgrouplist(user,pwd_entry->pw_gid, gids, &count);
printf("User '%s' found in %d group(s).\n", PAM_username, ret+1);
if (ret != -1) {
for (i=0;i<count;i++) {
printf("group#%d: %u\n", i, (unsigned)gids[i]);
}
}
return 0;
}
int main(int argc, char *argv[])
{
unsigned char lb[2];
unsigned char buf[BUFSIZ];
char *user;
char *pwd;
char *mode;
int sid;
int rval;
struct session *sessp;
// test clause
if (argc == 4 ) {
/* ./epam authmodule user passwd */
printf("testing service=%s u=%s pwd=%s\n", argv[1],argv[2], argv[3]);
do_auth(argv[1], argv[2], argv[3], "AS", 33);
exit(0);
}
wstart();
while (1) {
if (read_fill(0, lb, 2) != 2)
exit(1);
rval = get_int16(lb);
if (read_fill(0, buf, rval) != rval)
exit(1);
switch (buf[0]) {
case 'a':
// auth a user
user = (char *)&buf[1];
pwd = user + strlen(user) + 1;
mode= pwd + strlen(pwd) + 1;
sid = atoi(mode + strlen(mode) + 1);
do_auth(argv[1], user, pwd, mode, sid);
break;
case 'c':
// close session
sid = atoi((char *)&buf[1]);
if ((sessp = del_session(&sessions, sid)) == NULL) {
fprintf(stderr, "Couldn't find session %d\r\n", sid);
break;
}
if (sessp->session_mode == 1) {
pam_close_session(sessp->pamh, 0);
/*fprintf(stderr, "did ok close sess \n\r");*/
}
pam_end(sessp->pamh, PAM_SUCCESS);
free(sessp);
break;
default:
fprintf(stderr, "Bad op \n\r");
}
}
}
int validate_password(uid_t uid, const char *pass)
{
#ifdef HAVE_PAM_START
struct pam_conv pc;
struct appdata data;
pam_handle_t *ph;
int i;
#else
char *crypted_pwd;
#ifdef HAVE_GETSPNAM
struct spwd *sp;
#endif
#endif
struct passwd *pw;
int retval = 0;
if ((pw = getpwuid(uid)) == NULL) {
return retval;
}
#ifdef HAVE_PAM_START
#ifdef PAM_DATA_SILENT
int flags = PAM_DATA_SILENT;
#else
int flags = 0;
#endif /* PAM_DATA_SILENT */
pc.conv = conv;
pc.appdata_ptr = &data;
data.name = pw->pw_name;
data.pw = pass;
if (pam_start("citadel", pw->pw_name, &pc, &ph) != PAM_SUCCESS)
return retval;
if ((i = pam_authenticate(ph, flags)) == PAM_SUCCESS)
if ((i = pam_acct_mgmt(ph, flags)) == PAM_SUCCESS)
retval = -1;
pam_end(ph, i | flags);
#else
crypted_pwd = pw->pw_passwd;
#ifdef HAVE_GETSPNAM
if ((sp = getspnam(pw->pw_name)) != NULL)
crypted_pwd = sp->sp_pwdp;
#endif
if (!strcmp(crypt(pass, crypted_pwd), crypted_pwd))
retval = -1;
#endif /* HAVE_PAM_START */
return retval;
}
int main(int argc, char *argv[])
{
pam_handle_t *pamh=NULL;
int retval;
const char *user="******";
if(argc == 2) {
user = argv[1];
}
if(argc > 2) {
fprintf(stderr, "Usage: check_user [username]\n");
exit(1);
}
retval = pam_start("sqlite3", user, &conv, &pamh);
if(retval == PAM_SUCCESS)
printf("PAM started.\n");
if (retval == PAM_SUCCESS)
retval = pam_authenticate(pamh, 0); /* is user really user? */
if(retval == PAM_SUCCESS)
printf("Authentication succeeded, checking access.\n");
else
printf("Authentication failed: %s\n", pam_strerror(pamh, retval));
if (retval == PAM_SUCCESS)
retval = pam_acct_mgmt(pamh, 0); /* permitted access? */
if(retval == PAM_SUCCESS)
printf("Access permitted.\n");
else
printf("Access denied: %s\n", pam_strerror(pamh, retval));
/* lets try print password */
printf("Changing authentication token...\n");
retval = pam_chauthtok(pamh, 0);
if(retval != PAM_SUCCESS) {
printf("Failed: %s\n", pam_strerror(pamh, retval));
} else {
printf("Token changed.\n");
}
/* This is where we have been authorized or not. */
if (pam_end(pamh,retval) != PAM_SUCCESS) { /* close Linux-PAM */
pamh = NULL;
fprintf(stderr, "check_user: failed to release authenticator\n");
exit(1);
}
return ( retval == PAM_SUCCESS ? 0:1 ); /* indicate success */
}
static void pam_auth_deinit(void* ctx)
{
struct pam_ctx_st * pctx = ctx;
pam_end(pctx->ph, pctx->cr_ret);
free(pctx->replies);
str_clear(&pctx->msg);
if (pctx->cr != NULL)
co_delete(pctx->cr);
talloc_free(pctx);
}
static void loginpam_err(pam_handle_t *pamh, int retcode)
{
const char *msg = pam_strerror(pamh, retcode);
if (msg) {
fprintf(stderr, "\n%s\n", msg);
syslog(LOG_ERR, "%s", msg);
}
pam_end(pamh, retcode);
sleepexit(EXIT_FAILURE);
}
static bool IsPasswordCorrect(const char *puser, const char* password, PasswordFormat format, const struct passwd *passwd_info)
{
/*
* Check if password is already correct. If format is 'hash' we just do a simple
* comparison with the supplied hash value, otherwise we try a pam login using
* the real password.
*/
if (format == PASSWORD_FORMAT_HASH)
{
const char *system_hash;
if (!GetPasswordHash(puser, passwd_info, &system_hash))
{
return false;
}
bool result = (strcmp(password, system_hash) == 0);
Log(LOG_LEVEL_VERBOSE, "Verifying password hash for user '%s': %s.", puser, result ? "correct" : "incorrect");
return result;
}
else if (format != PASSWORD_FORMAT_PLAINTEXT)
{
ProgrammingError("Unknown PasswordFormat value");
}
int status;
pam_handle_t *handle;
struct pam_conv conv;
conv.conv = PasswordSupplier;
conv.appdata_ptr = (void*)password;
status = pam_start("login", puser, &conv, &handle);
if (status != PAM_SUCCESS)
{
Log(LOG_LEVEL_ERR, "Could not initialize pam session. (pam_start: '%s')", pam_strerror(NULL, status));
return false;
}
status = pam_authenticate(handle, PAM_SILENT);
pam_end(handle, status);
if (status == PAM_SUCCESS)
{
Log(LOG_LEVEL_VERBOSE, "Verifying plaintext password for user '%s': correct.", puser);
return true;
}
else if (status != PAM_AUTH_ERR)
{
Log(LOG_LEVEL_ERR, "Could not check password for user '%s' against stored password. (pam_authenticate: '%s')",
puser, pam_strerror(NULL, status));
return false;
}
Log(LOG_LEVEL_VERBOSE, "Verifying plaintext password for user '%s': incorrect.", puser);
return false;
}
static
int checkpw_internal_pam( const char* uname, const char* password )
{
int checkpwret = CHECKPW_FAILURE;
int pamret = PAM_SUCCESS;
pam_handle_t *pamh;
struct pam_conv pamc;
pamc.conv = &openpam_nullconv;
pamret = pam_start(PAM_STACK_NAME, uname, &pamc, &pamh);
if (PAM_SUCCESS != pamret)
{
syslog(LOG_WARNING,"PAM: Unable to start pam.");
goto pamerr_no_end;
}
pamret = pam_set_item(pamh, PAM_AUTHTOK, password);
if (PAM_SUCCESS != pamret)
{
syslog(LOG_WARNING,"PAM: Unable to set password.");
goto pamerr;
}
pamret = pam_authenticate(pamh, 0);
if (PAM_SUCCESS != pamret)
{
syslog(LOG_WARNING,"PAM: Unable to authenticate.");
checkpwret = CHECKPW_BADPASSWORD;
goto pamerr;
}
pamret = pam_acct_mgmt(pamh, 0);
if (PAM_SUCCESS != pamret)
{
if (PAM_NEW_AUTHTOK_REQD == pamret)
{
syslog(LOG_WARNING,"PAM: Unable to authorize, password needs to be changed.");
} else {
syslog(LOG_WARNING,"PAM: Unable to authorize.");
}
goto pamerr;
}
checkpwret = CHECKPW_SUCCESS;
pamerr:
pam_end(pamh, pamret);
pamerr_no_end:
return checkpwret;
}
void
SessionExit (struct display *d, int status, int removeAuth)
{
#ifdef USE_PAM
pam_handle_t *pamh = thepamh();
#endif
#ifdef USE_PAM
if (pamh) {
/* shutdown PAM session */
pam_close_session(pamh, 0);
pam_end(pamh, PAM_SUCCESS);
pamh = NULL;
}
#endif
/* make sure the server gets reset after the session is over */
if (d->serverPid >= 2 && d->resetSignal)
kill (d->serverPid, d->resetSignal);
else
ResetServer (d);
if (removeAuth)
{
setgid (verify.gid);
setuid (verify.uid);
RemoveUserAuthorization (d, &verify);
#ifdef K5AUTH
/* do like "kdestroy" program */
{
krb5_error_code code;
krb5_ccache ccache;
code = Krb5DisplayCCache(d->name, &ccache);
if (code)
LogError("%s while getting Krb5 ccache to destroy\n",
error_message(code));
else {
code = krb5_cc_destroy(ccache);
if (code) {
if (code == KRB5_FCC_NOFILE) {
Debug ("No Kerberos ccache file found to destroy\n");
} else
LogError("%s while destroying Krb5 credentials cache\n",
error_message(code));
} else
Debug ("Kerberos ccache destroyed\n");
krb5_cc_close(ccache);
}
}
#endif /* K5AUTH */
}
Debug ("Display %s exiting with status %d\n", d->name, status);
exit (status);
}
int main(int argc, char *argv[]) {
char **args;
pam_handle_t *pamh=NULL;
int retval;
struct passwd *pw;
if (argc==1){
return -1;
}
pw=getpwuid(getuid());
retval = pam_start(PAM_NAME, pw->pw_name, &conv, &pamh);
if (retval == PAM_SUCCESS)
retval = pam_acct_mgmt(pamh, 0); /* permitted access? */
else
fprintf(stderr,"%s: pam_start failed\n",PAM_NAME);
if (retval == PAM_SUCCESS)
retval = pam_open_session(pamh, 0);
else
fprintf(stderr,"%s: pam_acct failed\n",PAM_NAME);
if (retval != PAM_SUCCESS)
fprintf(stderr,"%s: pam_acct failed\n",PAM_NAME);
if (pam_end(pamh,retval) != PAM_SUCCESS) { /* close Linux-PAM */
pamh = NULL;
fprintf(stderr, "check_user: failed to release authenticator\n");
exit(1);
}
if (retval != PAM_SUCCESS)
return 99;
#ifdef LOG
log=fopen(LOG,"a");
if (log!=NULL){
for (i=0;i<argc;i++){
fprintf(log,"%s ",argv[i]);
}
fprintf(log,"\n");
fclose(log);
}
#endif
args = &argv[1];
execvp(args[0], args);
}
int
pam_cleanup(struct passwd *pw, sudo_auth *auth)
{
int *pam_status = (int *) auth->data;
/* If successful, we can't close the session until pam_end_session() */
if (auth->status == AUTH_SUCCESS)
return AUTH_SUCCESS;
*pam_status = pam_end(pamh, *pam_status | PAM_DATA_SILENT);
return *pam_status == PAM_SUCCESS ? AUTH_SUCCESS : AUTH_FAILURE;
}