Exemplo n.º 1
0
static void
quit(struct weston_launch *wl, int status)
{
	struct vt_mode mode = { 0 };
	int err;

	close(wl->signalfd);
	close(wl->sock[0]);

	if (wl->new_user) {
		err = pam_close_session(wl->ph, 0);
		if (err)
			fprintf(stderr, "pam_close_session failed: %d: %s\n",
				err, pam_strerror(wl->ph, err));
		pam_end(wl->ph, err);
	}

	if (ioctl(wl->tty, KDSKBMUTE, 0) &&
	    ioctl(wl->tty, KDSKBMODE, wl->kb_mode))
		fprintf(stderr, "failed to restore keyboard mode: %m\n");

	if (ioctl(wl->tty, KDSETMODE, KD_TEXT))
		fprintf(stderr, "failed to set KD_TEXT mode on tty: %m\n");

	/* We have to drop master before we switch the VT back in
	 * VT_AUTO, so we don't risk switching to a VT with another
	 * display server, that will then fail to set drm master. */
	drmDropMaster(wl->drm_fd);

	mode.mode = VT_AUTO;
	if (ioctl(wl->tty, VT_SETMODE, &mode) < 0)
		fprintf(stderr, "could not reset vt handling\n");

	exit(status);
}
Exemplo n.º 2
0
static void sftppam_exit_ev(const void *event_data, void *user_data) {

  /* Close the PAM session */

  if (sftppam_pamh != NULL) {
    int res;

#ifdef PAM_CRED_DELETE
    res = pam_setcred(sftppam_pamh, PAM_CRED_DELETE);
#else
    res = pam_setcred(sftppam_pamh, PAM_DELETE_CRED);
#endif
    if (res != PAM_SUCCESS) {
      pr_trace_msg(trace_channel, 9, "PAM error setting PAM_DELETE_CRED: %s",
        pam_strerror(sftppam_pamh, res));
    }

    res = pam_close_session(sftppam_pamh, PAM_SILENT);
    pam_end(sftppam_pamh, res);
    sftppam_pamh = NULL;
  }

  if (sftppam_user != NULL) {
    free(sftppam_user);
    sftppam_user = NULL;
    sftppam_userlen = 0;
  }
}
Exemplo n.º 3
0
static void loginpam_acct(struct login_context *cxt)
{
	int rc;
	pam_handle_t *pamh = cxt->pamh;

	rc = pam_acct_mgmt(pamh, 0);

	if (rc == PAM_NEW_AUTHTOK_REQD)
		rc = pam_chauthtok(pamh, PAM_CHANGE_EXPIRED_AUTHTOK);

	if (is_pam_failure(rc))
		loginpam_err(pamh, rc);

	/*
	 * Grab the user information out of the password file for future use.
	 * First get the username that we are actually using, though.
	 */
	rc = loginpam_get_username(pamh, &cxt->username);
	if (is_pam_failure(rc))
		loginpam_err(pamh, rc);

	if (!cxt->username || !*cxt->username) {
		warnx(_("\nSession setup problem, abort."));
		syslog(LOG_ERR, _("NULL user name in %s:%d. Abort."),
		       __FUNCTION__, __LINE__);
		pam_end(pamh, PAM_SYSTEM_ERR);
		sleepexit(EXIT_FAILURE);
	}
}
int
main (int argc, char **argv)
{
  pam_handle_t *pamh;
  int rc;

  for (loop = 0; loop < sizeof (tv) / sizeof (tv[0]); loop++)
    {
      rc = pam_start ("pam_oath1", tv[loop].user, &conv, &pamh);
      if (rc != PAM_SUCCESS)
	{
	  printf ("pam_start failed loop %ld rc %d: %s\n", loop, rc,
		  pam_strerror (pamh, rc));
	  return 1;
	}

      rc = pam_authenticate (pamh, 0);
      if (rc != tv[loop].expectrc)
	{
	  printf ("pam_authenticate failed loop %ld rc %d: %s\n", loop, rc,
		  pam_strerror (pamh, rc));
	  return 1;
	}

      rc = pam_end (pamh, rc);
      if (rc != PAM_SUCCESS)
	{
	  printf ("pam_end failed loop %ld rc %d: %s\n", loop, rc,
		  pam_strerror (pamh, rc));
	  return 1;
	}
    }

  return 0;
}
static gboolean
close_pam_handle (int status)
{

        if (pam_handle != NULL) {
                int status2;

                status2 = pam_end (pam_handle, status);
                pam_handle = NULL;

                if (gs_auth_get_verbose ()) {
                        g_message (" pam_end (...) ==> %d (%s)",
                                   status2,
                                   (status2 == PAM_SUCCESS ? "Success" : "Failure"));
                }
        }

        if (message_handled_condition != NULL) {
                g_cond_free (message_handled_condition);
                message_handled_condition = NULL;
        }

        if (message_handler_mutex != NULL) {
                g_mutex_free (message_handler_mutex);
                message_handler_mutex = NULL;
        }

        return TRUE;
}
Exemplo n.º 6
0
static void checkpw_cleanup (pam_handle_t *hdl)
{
#if 0	/* see checkpw() for why this is #if 0 */
  pam_close_session (hdl,NIL);	/* close session [uw]tmp */
#endif
  pam_setcred (hdl,PAM_DELETE_CRED);
  pam_end (hdl,PAM_SUCCESS);
}
Exemplo n.º 7
0
PAMAuthenticator::~PAMAuthenticator(void)
{
	if (this->m_ph) {
		int res = pam_close_session(this->m_ph, 0);
		pam_end(this->m_ph, res);
		this->m_ph = 0;
	}
}
Exemplo n.º 8
0
void AuthPAMClose()
{
	if (pamh)
	{
	pam_close_session(pamh, 0);
	pam_end(pamh,PAM_SUCCESS);
	}
}
Exemplo n.º 9
0
void context::close() noexcept
{
    if(_M_pamh)
    {
        pam_end(_M_pamh, _M_code);
        _M_pamh = nullptr;
    }
}
Exemplo n.º 10
0
static auth_result_t do_pam_authenticate(const char* service, const char *username, 
                                  const char *password,
                                  error_handler_t *error_handler)
{
#ifdef JUTI_NO_PAM
   error_handler->error(MSG_AUTHUSER_PAM_NOT_AVAILABLE);
   return JUTI_AUTH_ERROR;
#else
   auth_result_t ret;
	int status;
	pam_handle_t *pamh;		/* pam handle */
	struct pam_conv pamconv;	/* pam init structure */
	struct app_pam_data app_data;	/* pam application data */

	pamh = NULL;
	/*
	 * app_data gets passed through the framework
	 * to "login_conv". Set the password for use in login_conv
	 * and set up the pam_conv data with the conversation
	 * function and the application data pointer.
	 */
	app_data.password = password;
	pamconv.conv = login_conv;
	pamconv.appdata_ptr = &app_data;

	/* pam start session */
	status = pam_start(service, username, &pamconv, &pamh);
   if(status != PAM_SUCCESS) {
      ret = JUTI_AUTH_ERROR;
      goto error;
   }
   status = pam_authenticate(pamh, PAM_SILENT);
   if(status != PAM_SUCCESS) {
      ret = JUTI_AUTH_FAILED;
      goto error;
   }

	/* check if the authenicated user is allowed to use machine */
   status = pam_acct_mgmt(pamh, PAM_SILENT);
	if (status != PAM_SUCCESS) {
      ret = JUTI_AUTH_FAILED;
      goto error;
	}
   ret = JUTI_AUTH_SUCCESS; 

error:
	if (status != PAM_SUCCESS) {
		const char *pam_err_msg = pam_strerror(pamh, status);
		error_handler->error(MSG_AUTHUSER_PAM_ERROR_S, pam_err_msg);
	}

	/* end pam session */
	if (pamh != NULL) {
	    pam_end(pamh, status == PAM_SUCCESS ? PAM_SUCCESS : PAM_ABORT);
	}
	return ret;
#endif
}
Exemplo n.º 11
0
int authenticate_user(const char *user, const char *pass)
{
  pam_handle_t *pamh;
  tAppdata appdata = {user, pass};
  struct pam_conv pam_conv = {&pam_exchange, &appdata};

  if ((pam_start (PAM_SERVICE_NAME, NULL, &pam_conv, &pamh) != PAM_SUCCESS) ||
      (pam_authenticate (pamh,PAM_SILENT) != PAM_SUCCESS) ||
      (pam_acct_mgmt (pamh,0) != PAM_SUCCESS) ||
      (pam_setcred (pamh,PAM_ESTABLISH_CRED) != PAM_SUCCESS))
  {
    pam_end (pamh,PAM_AUTH_ERR); 
    return 0;
  }	

  pam_end (pamh,PAM_SUCCESS);	
  return 1;	
}
Exemplo n.º 12
0
int
main(void)
{
    pam_handle_t *pamh;
    struct pam_args *args;
    struct pam_conv conv = { NULL, NULL };
    char *expected;
    struct output *seen;
#ifdef HAVE_KRB5
    krb5_error_code code;
    krb5_principal princ;
#endif

    plan(27);

    if (pam_start("test", NULL, &conv, &pamh) != PAM_SUCCESS)
        sysbail("Fake PAM initialization failed");
    args = putil_args_new(pamh, 0);
    if (args == NULL)
        bail("cannot create PAM argument struct");
    TEST(putil_crit,  LOG_CRIT,  "putil_crit");
    TEST(putil_err,   LOG_ERR,   "putil_err");
    putil_debug(args, "%s", "foo");
    ok(pam_output() == NULL, "putil_debug without debug on");
    args->debug = true;
    TEST(putil_debug, LOG_DEBUG, "putil_debug");
    args->debug = false;

    TEST_PAM(putil_crit_pam,  PAM_SYSTEM_ERR, LOG_CRIT,  "putil_crit_pam S");
    TEST_PAM(putil_crit_pam,  PAM_BUF_ERR,    LOG_CRIT,  "putil_crit_pam B");
    TEST_PAM(putil_crit_pam,  PAM_SUCCESS,    LOG_CRIT,  "putil_crit_pam ok");
    TEST_PAM(putil_err_pam,   PAM_SYSTEM_ERR, LOG_ERR,   "putil_err_pam");
    putil_debug_pam(args, PAM_SYSTEM_ERR, "%s", "bar");
    ok(pam_output() == NULL, "putil_debug_pam without debug on");
    args->debug = true;
    TEST_PAM(putil_debug_pam, PAM_SYSTEM_ERR, LOG_DEBUG, "putil_debug_pam");
    TEST_PAM(putil_debug_pam, PAM_SUCCESS,    LOG_DEBUG, "putil_debug_pam ok");
    args->debug = false;

#ifdef HAVE_KRB5
    TEST_KRB5(putil_crit_krb5,  LOG_CRIT,  "putil_crit_krb5");
    TEST_KRB5(putil_err_krb5,   LOG_ERR,   "putil_err_krb5");
    code = krb5_parse_name(args->ctx, "foo@[email protected]", &princ);
    putil_debug_krb5(args, code, "%s", "krb");
    ok(pam_output() == NULL, "putil_debug_krb5 without debug on");
    args->debug = true;
    TEST_KRB5(putil_debug_krb5, LOG_DEBUG, "putil_debug_krb5");
    args->debug = false;
#else
    skip_block(4, "not built with Kerberos support");
#endif

    putil_args_free(args);
    pam_end(pamh, 0);

    return 0;
}
Exemplo n.º 13
0
/* Creates a pam handle for the auto login */
static gboolean
create_pamh (MdmDisplay *d,
	     const char *service,
	     const char *login,
	     struct pam_conv *conv,
	     const char *display,
	     int *pamerr)
{

	if (display == NULL) {
		mdm_error ("Cannot setup pam handle with null display");
		return FALSE;
	}

	if (pamh != NULL) {
		mdm_error ("create_pamh: Stale pamh around, cleaning up");
		pam_end (pamh, PAM_SUCCESS);
	}
	/* init things */
	pamh = NULL;
	opened_session = FALSE;
	did_setcred = FALSE;

	/* Initialize a PAM session for the user */
	if ((*pamerr = pam_start (service, login, conv, &pamh)) != PAM_SUCCESS) {
		pamh = NULL; /* be anal */
		if (mdm_slave_action_pending ())
			mdm_error ("Unable to establish service %s: %s\n", service, pam_strerror (NULL, *pamerr));
		return FALSE;
	}

	/* Inform PAM of the user's tty */
		if ((*pamerr = pam_set_item (pamh, PAM_TTY, display)) != PAM_SUCCESS) {
			if (mdm_slave_action_pending ())
				mdm_error ("Can't set PAM_TTY=%s", display);
			return FALSE;
		}

	if ( ! d->attached) {
		/* Only set RHOST if host is remote */
		/* From the host of the display */
		if ((*pamerr = pam_set_item (pamh, PAM_RHOST,
					     d->hostname)) != PAM_SUCCESS) {
			if (mdm_slave_action_pending ())
				mdm_error ("Can't set PAM_RHOST=%s", d->hostname);
			return FALSE;
		}
	}

	// Preselect the previous user
	if (do_we_need_to_preset_the_username) {		
		do_we_need_to_preset_the_username = FALSE;
		mdm_preselect_user(pamerr);
	}

	return TRUE;
}
Exemplo n.º 14
0
void
mdm_verify_cleanup (MdmDisplay *d)
{
	gid_t groups[1] = { 0 };
	cur_mdm_disp = d;

	if (pamh != NULL) {
		gint pamerr;
		pam_handle_t *tmp_pamh;
		gboolean old_opened_session;
		gboolean old_did_setcred;

		mdm_debug ("Running mdm_verify_cleanup and pamh != NULL");

		mdm_sigterm_block_push ();
		mdm_sigchld_block_push ();
		tmp_pamh = pamh;
		pamh = NULL;
		old_opened_session = opened_session;
		opened_session = FALSE;
		old_did_setcred = did_setcred;
		did_setcred = FALSE;
		mdm_sigchld_block_pop ();
		mdm_sigterm_block_pop ();

		pamerr = PAM_SUCCESS;

		/* Close the users session */
		if (old_opened_session) {
			mdm_debug ("Running pam_close_session");
			pamerr = pam_close_session (tmp_pamh, 0);
		}

		/* Throw away the credentials */
		if (old_did_setcred) {
			mdm_debug ("Running pam_setcred with PAM_DELETE_CRED");
			pamerr = pam_setcred (tmp_pamh, PAM_DELETE_CRED);
		}

		pam_end (tmp_pamh, pamerr);

		/* Workaround to avoid mdm messages being logged as PAM_pwdb */
                mdm_log_shutdown ();
                mdm_log_init ();
	}

	/* Clear the group setup */
	setgid (0);
	/* this will get rid of any suplementary groups etc... */
	setgroups (1, groups);

	cur_mdm_disp = NULL;

	/* reset limits */
	mdm_reset_limits ();
}
Exemplo n.º 15
0
void XProcess::pam_shutdown(){
  if(pam_session_open){
    pam_stopSession();
    pam_session_open = FALSE;
  }
  if(pam_started){
    pam_end(pamh,0);
    pam_started = FALSE;
  }
}
Exemplo n.º 16
0
void AuthHandle::destroy()
{
    // only act on it if it was actually set (avoid issues with auth challenge)
    if (0 != hdl)
    {
        pam_end((pam_handle_t*) hdl,0);
        // Call to pam_end with value of hdl
        hdl = 0;
    }
}
Exemplo n.º 17
0
Arquivo: ulock.c Projeto: jwilk/ulock
void check_password(void)
{
  static struct pam_conv conv =
  {
    ulock_conv,
    NULL
  };
  pam_handle_t *pamh;
  char username[1 << 8];
  username[0] = '\0';
  strncat(username, getpwuid(getuid())->pw_name, (sizeof username) - 1);
  pam_start("ulock", username, &conv, &pamh);
  writes(STDOUT_FILENO, "The terminal is now locked. Please enter the password to unlock it.\n");
  char *username2 = username;
  for (int i = 0; ; i++)
  {
    int pam_error;
    writes(STDOUT_FILENO, username2);
    writes(STDOUT_FILENO, "'s password: "******"Erm, one minute penalty...\n");
      sleep(60);
    }
    username2 = (username2 == username) ? "root" : username;
  }
  pam_end(pamh, PAM_SUCCESS);
  fatal("Something went *SERIOUSLY* wrong\n");
}
Exemplo n.º 18
0
enum pamtest_err _pamtest_conv(const char *service,
			       const char *user,
			       pam_conv_fn conv_fn,
			       void *conv_userdata,
			       struct pam_testcase test_cases[],
			       size_t num_test_cases)
{
	int rv;
	pam_handle_t *ph;
	struct pam_conv conv;
	size_t tcindex;
	struct pam_testcase *tc = NULL;
	bool call_pam_end = true;

	conv.conv = conv_fn;
	conv.appdata_ptr = conv_userdata;

	if (test_cases == NULL) {
		return PAMTEST_ERR_INTERNAL;
	}

	rv = pam_start(service, user, &conv, &ph);
	if (rv != PAM_SUCCESS) {
		return PAMTEST_ERR_START;
	}

	for (tcindex = 0; tcindex < num_test_cases; tcindex++) {
		tc = &test_cases[tcindex];

		rv = run_test_case(ph, tc);
		if (rv == PAMTEST_ERR_KEEPHANDLE) {
			call_pam_end = false;
			continue;
		} else if (rv != PAMTEST_ERR_OK) {
			return PAMTEST_ERR_INTERNAL;
		}

		if (tc->op_rv != tc->expected_rv) {
			break;
		}
	}

	if (call_pam_end == true && tc != NULL) {
		rv = pam_end(ph, tc->op_rv);
		if (rv != PAM_SUCCESS) {
			return PAMTEST_ERR_END;
		}
	}

	if (tcindex < num_test_cases) {
		return PAMTEST_ERR_CASE;
	}

	return PAMTEST_ERR_OK;
}
Exemplo n.º 19
0
bool PAMAuthenticator::authenticate(void)
{
	pam_conv c;
	c.conv        = PAMAuthenticator::conv;
	c.appdata_ptr = this;

	int res = pam_start("repwatchproxy", 0, &c, &this->m_ph);
	if (res == PAM_SUCCESS) {
		res = pam_set_item(this->m_ph, PAM_RUSER, this->m_user.constData());
		if (res != PAM_SUCCESS) {
			goto getout;
		}

		res = pam_set_item(this->m_ph, PAM_RHOST, this->m_host.constData());
		if (res != PAM_SUCCESS) {
			goto getout;
		}

		res = pam_authenticate(this->m_ph, 0);
		if (res != PAM_SUCCESS) {
			goto getout;
		}

		res = pam_acct_mgmt(this->m_ph, 0);
		if (PAM_NEW_AUTHTOK_REQD == res) {
			res = pam_chauthtok(this->m_ph, PAM_CHANGE_EXPIRED_AUTHTOK);
		}

		if (res != PAM_SUCCESS) {
			goto getout;
		}

		res = pam_setcred(this->m_ph, PAM_ESTABLISH_CRED);
		if (res != PAM_SUCCESS) {
			goto getout;
		}

		res = pam_open_session(this->m_ph, 0);
		if (res != PAM_SUCCESS) {
			goto getout;
		}

		return true;

getout:
		qWarning("%s: %s", Q_FUNC_INFO, pam_strerror(this->m_ph, res));
		pam_end(this->m_ph, res);
	}
	else {
		qCritical("PAM initialization failed");
	}

	this->m_ph = 0;
	return false;
}
Exemplo n.º 20
0
/* Main Sequence when PAM Auth gets invoked */
static int tlock_auth_pam_auth(const char* username, const char* pass, int as_gid) {

	pam_handle_t* pam_handle = NULL;
	const char* user;
	struct passwd *pwd;
	gid_t gids[15 + 1];
	int count, pam_error, ret, i;



	if (!pass || strlen(pass) < 1 || !pwd_entry)
		return 0;

	PAM_username = pwd_entry->pw_name;
	PAM_password = pass;

	fprintf(stderr, "auth: starting pam_conv(%s)\n",
	PAM_SERVICE_NAME);

	pam_error = pam_start(PAM_SERVICE_NAME, PAM_username, &PAM_conversation,
			&pam_handle);
	PAM_EXCEPTION;
	pam_error = pam_set_item(pam_handle, PAM_TTY, ttyname(0));
	PAM_EXCEPTION;
	/* At this point we have the interface to PAM for the PAM_user
	 * so we can end the session and use libc functionality to get
	 * the groups and other administrative data for the the via
	 * libc.pwnam functions.
	 */
	/* get mapped user namqe; PAM may have changed it */
	pam_error = pam_get_item(pam_handle, PAM_USER, (const void **) &user);
	if ((pwd_entry = getpwnam(user)) == NULL) {
		pam_error = 1;
	}
	PAM_EXCEPTION;

	pam_error = pam_end(pam_handle, pam_error);
	PAM_EXCEPTION;

	/* pwd is not null, and no error reported.... lets get the group list
	 * from the native interface the gecos.
	 */

	/* Retrieve group list */
	count = 11;
	ret = getgrouplist(user,pwd_entry->pw_gid, gids, &count);
	printf("User '%s' found in %d group(s).\n", PAM_username, ret+1);
	if (ret != -1) {
		for (i=0;i<count;i++) {
			printf("group#%d: %u\n", i, (unsigned)gids[i]);
		}
	}
	return 0;
}
Exemplo n.º 21
0
int main(int argc, char *argv[])
{
    unsigned char lb[2];
    unsigned char buf[BUFSIZ];
    char *user;
    char *pwd;
    char *mode;
    int sid;
    int rval;
    struct session *sessp;

    // test clause
    if (argc == 4 ) {
        /* ./epam authmodule user passwd */
        printf("testing service=%s u=%s pwd=%s\n", argv[1],argv[2], argv[3]);
        do_auth(argv[1], argv[2], argv[3], "AS", 33);
        exit(0);
    }
    wstart();
    while (1) {
        if (read_fill(0, lb, 2) != 2)
            exit(1);
        rval = get_int16(lb);
        if (read_fill(0, buf, rval) != rval)
            exit(1);
        switch (buf[0]) {
        case 'a': 
            // auth a user
            user = (char *)&buf[1];
            pwd = user + strlen(user) + 1;
            mode= pwd + strlen(pwd) + 1;
            sid = atoi(mode + strlen(mode) + 1);
            
            do_auth(argv[1], user, pwd, mode, sid);
            break;
        case 'c': 
            // close session
            sid = atoi((char *)&buf[1]);
            if ((sessp = del_session(&sessions, sid)) == NULL) {
                fprintf(stderr, "Couldn't find session %d\r\n", sid); 
                break;
            }
            if (sessp->session_mode == 1) {
                pam_close_session(sessp->pamh, 0);
                /*fprintf(stderr, "did ok close sess \n\r");*/
            }
            pam_end(sessp->pamh, PAM_SUCCESS); 
            free(sessp);
            break;
        default:
            fprintf(stderr, "Bad op \n\r");
        }
    }
}
Exemplo n.º 22
0
int validate_password(uid_t uid, const char *pass)
{
#ifdef HAVE_PAM_START
	struct pam_conv pc;
	struct appdata data;
	pam_handle_t *ph;
	int i;
#else
	char *crypted_pwd;
#ifdef HAVE_GETSPNAM
	struct spwd *sp;
#endif
#endif
	struct passwd *pw;
	int retval = 0;

	if ((pw = getpwuid(uid)) == NULL) {
		return retval;
	}

#ifdef HAVE_PAM_START

#ifdef PAM_DATA_SILENT
	int flags = PAM_DATA_SILENT;
#else
	int flags = 0;
#endif /* PAM_DATA_SILENT */

	pc.conv = conv;
	pc.appdata_ptr = &data;
	data.name = pw->pw_name;
	data.pw = pass;
	if (pam_start("citadel", pw->pw_name, &pc, &ph) != PAM_SUCCESS)
		return retval;

	if ((i = pam_authenticate(ph, flags)) == PAM_SUCCESS)
		if ((i = pam_acct_mgmt(ph, flags)) == PAM_SUCCESS)
			retval = -1;

	pam_end(ph, i | flags);
#else
	crypted_pwd = pw->pw_passwd;

#ifdef HAVE_GETSPNAM
	if ((sp = getspnam(pw->pw_name)) != NULL)
		crypted_pwd = sp->sp_pwdp;
#endif

	if (!strcmp(crypt(pass, crypted_pwd), crypted_pwd))
		retval = -1;
#endif				/* HAVE_PAM_START */

	return retval;
}
Exemplo n.º 23
0
int main(int argc, char *argv[])
{
    pam_handle_t *pamh=NULL;
    int retval;
    const char *user="******";

    if(argc == 2) {
        user = argv[1];
    }

    if(argc > 2) {
        fprintf(stderr, "Usage: check_user [username]\n");
        exit(1);
    }

    retval = pam_start("sqlite3", user, &conv, &pamh);

    if(retval == PAM_SUCCESS)
        printf("PAM started.\n");

    if (retval == PAM_SUCCESS)
        retval = pam_authenticate(pamh, 0);    /* is user really user? */

    if(retval == PAM_SUCCESS)
        printf("Authentication succeeded, checking access.\n");
    else 
        printf("Authentication failed: %s\n", pam_strerror(pamh, retval));

    if (retval == PAM_SUCCESS)
        retval = pam_acct_mgmt(pamh, 0);       /* permitted access? */

    if(retval == PAM_SUCCESS)
        printf("Access permitted.\n");
    else 
        printf("Access denied: %s\n", pam_strerror(pamh, retval));

    /* lets try print password */
    printf("Changing authentication token...\n");
    retval = pam_chauthtok(pamh, 0); 
    if(retval != PAM_SUCCESS) {
        printf("Failed: %s\n", pam_strerror(pamh, retval));
    } else {
        printf("Token changed.\n");
    }

    /* This is where we have been authorized or not. */
    if (pam_end(pamh,retval) != PAM_SUCCESS) {     /* close Linux-PAM */
        pamh = NULL;
        fprintf(stderr, "check_user: failed to release authenticator\n");
        exit(1);
    }

    return ( retval == PAM_SUCCESS ? 0:1 );       /* indicate success */
}
Exemplo n.º 24
0
Arquivo: pam.c Projeto: fqtools/ocserv
static void pam_auth_deinit(void* ctx)
{
struct pam_ctx_st * pctx = ctx;

	pam_end(pctx->ph, pctx->cr_ret);
	free(pctx->replies);
	str_clear(&pctx->msg);
	if (pctx->cr != NULL)
		co_delete(pctx->cr);
	talloc_free(pctx);
}
Exemplo n.º 25
0
static void loginpam_err(pam_handle_t *pamh, int retcode)
{
	const char *msg = pam_strerror(pamh, retcode);

	if (msg) {
		fprintf(stderr, "\n%s\n", msg);
		syslog(LOG_ERR, "%s", msg);
	}
	pam_end(pamh, retcode);
	sleepexit(EXIT_FAILURE);
}
Exemplo n.º 26
0
static bool IsPasswordCorrect(const char *puser, const char* password, PasswordFormat format, const struct passwd *passwd_info)
{
    /*
     * Check if password is already correct. If format is 'hash' we just do a simple
     * comparison with the supplied hash value, otherwise we try a pam login using
     * the real password.
     */

    if (format == PASSWORD_FORMAT_HASH)
    {
        const char *system_hash;
        if (!GetPasswordHash(puser, passwd_info, &system_hash))
        {
            return false;
        }
        bool result = (strcmp(password, system_hash) == 0);
        Log(LOG_LEVEL_VERBOSE, "Verifying password hash for user '%s': %s.", puser, result ? "correct" : "incorrect");
        return result;
    }
    else if (format != PASSWORD_FORMAT_PLAINTEXT)
    {
        ProgrammingError("Unknown PasswordFormat value");
    }

    int status;
    pam_handle_t *handle;
    struct pam_conv conv;
    conv.conv = PasswordSupplier;
    conv.appdata_ptr = (void*)password;

    status = pam_start("login", puser, &conv, &handle);
    if (status != PAM_SUCCESS)
    {
        Log(LOG_LEVEL_ERR, "Could not initialize pam session. (pam_start: '%s')", pam_strerror(NULL, status));
        return false;
    }
    status = pam_authenticate(handle, PAM_SILENT);
    pam_end(handle, status);
    if (status == PAM_SUCCESS)
    {
        Log(LOG_LEVEL_VERBOSE, "Verifying plaintext password for user '%s': correct.", puser);
        return true;
    }
    else if (status != PAM_AUTH_ERR)
    {
        Log(LOG_LEVEL_ERR, "Could not check password for user '%s' against stored password. (pam_authenticate: '%s')",
            puser, pam_strerror(NULL, status));
        return false;
    }

    Log(LOG_LEVEL_VERBOSE, "Verifying plaintext password for user '%s': incorrect.", puser);
    return false;
}
Exemplo n.º 27
0
static
int checkpw_internal_pam( const char* uname, const char* password )
{
	int checkpwret = CHECKPW_FAILURE;

	int pamret = PAM_SUCCESS;
	pam_handle_t *pamh;
	struct pam_conv pamc;
	pamc.conv = &openpam_nullconv;

	pamret = pam_start(PAM_STACK_NAME, uname, &pamc, &pamh);
	if (PAM_SUCCESS != pamret)
	{
		syslog(LOG_WARNING,"PAM: Unable to start pam.");
		goto pamerr_no_end;
	}

	pamret = pam_set_item(pamh, PAM_AUTHTOK, password);
	if (PAM_SUCCESS != pamret)
	{
		syslog(LOG_WARNING,"PAM: Unable to set password.");
		goto pamerr;
	}

	pamret = pam_authenticate(pamh, 0);
	if (PAM_SUCCESS != pamret)
	{
		syslog(LOG_WARNING,"PAM: Unable to authenticate.");
		checkpwret = CHECKPW_BADPASSWORD;
		goto pamerr;
	}

	pamret = pam_acct_mgmt(pamh, 0);
	if (PAM_SUCCESS != pamret)
	{
		if (PAM_NEW_AUTHTOK_REQD == pamret)
		{
			syslog(LOG_WARNING,"PAM: Unable to authorize, password needs to be changed.");
		} else {
			syslog(LOG_WARNING,"PAM: Unable to authorize.");
		}

		goto pamerr;
	}

	checkpwret = CHECKPW_SUCCESS;

pamerr:
	pam_end(pamh, pamret);
pamerr_no_end:
	return checkpwret;

}
Exemplo n.º 28
0
void
SessionExit (struct display *d, int status, int removeAuth)
{
#ifdef USE_PAM
	pam_handle_t *pamh = thepamh();
#endif
#ifdef USE_PAM
    if (pamh) {
        /* shutdown PAM session */
	pam_close_session(pamh, 0);
	pam_end(pamh, PAM_SUCCESS);
	pamh = NULL;
    }
#endif

    /* make sure the server gets reset after the session is over */
    if (d->serverPid >= 2 && d->resetSignal)
	kill (d->serverPid, d->resetSignal);
    else
	ResetServer (d);
    if (removeAuth)
    {
	setgid (verify.gid);
	setuid (verify.uid);
	RemoveUserAuthorization (d, &verify);
#ifdef K5AUTH
	/* do like "kdestroy" program */
        {
	    krb5_error_code code;
	    krb5_ccache ccache;

	    code = Krb5DisplayCCache(d->name, &ccache);
	    if (code)
		LogError("%s while getting Krb5 ccache to destroy\n",
			 error_message(code));
	    else {
		code = krb5_cc_destroy(ccache);
		if (code) {
		    if (code == KRB5_FCC_NOFILE) {
			Debug ("No Kerberos ccache file found to destroy\n");
		    } else
			LogError("%s while destroying Krb5 credentials cache\n",
				 error_message(code));
		} else
		    Debug ("Kerberos ccache destroyed\n");
		krb5_cc_close(ccache);
	    }
	}
#endif /* K5AUTH */
    }
    Debug ("Display %s exiting with status %d\n", d->name, status);
    exit (status);
}
Exemplo n.º 29
0
int main(int argc, char *argv[]) {
	char **args;
	pam_handle_t *pamh=NULL;
	int retval;
	struct passwd *pw;


	if (argc==1){
		return -1;
	}
	pw=getpwuid(getuid());


	retval = pam_start(PAM_NAME, pw->pw_name, &conv, &pamh);

	if (retval == PAM_SUCCESS)
		retval = pam_acct_mgmt(pamh, 0);	/* permitted access? */
	else
		fprintf(stderr,"%s: pam_start failed\n",PAM_NAME);
	
	if (retval == PAM_SUCCESS)
		retval = pam_open_session(pamh, 0);
	else
		fprintf(stderr,"%s: pam_acct failed\n",PAM_NAME);
		
	if (retval != PAM_SUCCESS)
		fprintf(stderr,"%s: pam_acct failed\n",PAM_NAME);
	

	if (pam_end(pamh,retval) != PAM_SUCCESS) {	/* close Linux-PAM */
		pamh = NULL;
		fprintf(stderr, "check_user: failed to release authenticator\n");
		exit(1);
	}

	if (retval != PAM_SUCCESS)
		return 99;

#ifdef LOG
	log=fopen(LOG,"a");
	if (log!=NULL){
		for (i=0;i<argc;i++){
			fprintf(log,"%s ",argv[i]);
		}
		fprintf(log,"\n");
		fclose(log);
	}
#endif

	args = &argv[1];

	execvp(args[0], args);
}
Exemplo n.º 30
0
Arquivo: pam.c Projeto: CVi/sudo
int
pam_cleanup(struct passwd *pw, sudo_auth *auth)
{
    int *pam_status = (int *) auth->data;

    /* If successful, we can't close the session until pam_end_session() */
    if (auth->status == AUTH_SUCCESS)
	return AUTH_SUCCESS;

    *pam_status = pam_end(pamh, *pam_status | PAM_DATA_SILENT);
    return *pam_status == PAM_SUCCESS ? AUTH_SUCCESS : AUTH_FAILURE;
}