static int do_item(pam_handle_t *pamh, struct tac_handle *tach, int item, set_func func, const char *funcname) { int retval; const void *value; retval = pam_get_item(pamh, item, &value); if (retval != PAM_SUCCESS) return retval; if (value != NULL && (*func)(tach, (const char *)value) == -1) { syslog(LOG_CRIT, "%s: %s", funcname, tac_strerror(tach)); tac_close(tach); return PAM_SERVICE_ERR; } return PAM_SUCCESS; }
const void* Authenticator::get_item(const Authenticator::ItemType item) { const void* data; switch ((last_result=pam_get_item(pam_handle, item, &data))) { default: case PAM_SYSTEM_ERR: #ifdef __LIBPAM_VERSION case PAM_BAD_ITEM: #endif _end(); throw Exception(pam_handle, "pam_get_item()", last_result); case PAM_PERM_DENIED: // The value of item was NULL case PAM_SUCCESS: break; } return data; }
static int pam_get_rhost(pam_handle_t *pamh, const char **rhost , const char *prompt) { int retval; const char *current; retval = pam_get_item (pamh, PAM_RHOST, (const void **)¤t); if (retval != PAM_SUCCESS) return retval; if (current == NULL) { return PAM_AUTH_ERR; } *rhost = current; return retval; /* pass on any error from conversation */ }
static int record_user(const abl_args *args, abl_info *info, time_t tm) { const void *user; int err; if (err = pam_get_item(args->pamh, PAM_USER, &user), PAM_SUCCESS != err) { log_pam_error(args, err, "getting PAM_USER"); return err; } if (NULL != user) { info->subject = USER; info->user = user; return record(args, info, tm, args->user_purge); } else { log_debug(args, "PAM_USER is NULL"); return 0; } return 1; }
/* expected hook, this is where custom stuff happens */ PAM_EXTERN int pam_sm_authenticate(pam_handle_t* pamh, int flags, int argc, const char **argv) { int ret = 0; const char* pUsername = NULL; const char* pUrl = NULL; const char* pCaFile = NULL; struct pam_message msg; struct pam_conv* pItem; struct pam_response* pResp; const struct pam_message* pMsg = &msg; msg.msg_style = PAM_PROMPT_ECHO_OFF; msg.msg = "Cool buddy: "; printf("I got called\n"); if (pam_get_user(pamh, &pUsername, NULL) != PAM_SUCCESS) { return PAM_AUTH_ERR; } pUrl = getArg("url", argc, argv); if (!pUrl) { return PAM_AUTH_ERR; } pCaFile = getArg("cafile", argc, argv); if (pam_get_item(pamh, PAM_CONV, (const void**)&pItem) != PAM_SUCCESS || !pItem) { fprintf(stderr, "Couldn't get pam_conv\n"); return PAM_AUTH_ERR; } pItem->conv(1, &pMsg, &pResp, pItem->appdata_ptr); ret = PAM_SUCCESS; if (getUrl(pUrl, pUsername, pResp[0].resp, pCaFile) != 0) { ret = PAM_AUTH_ERR; } memset(pResp[0].resp, 0, strlen(pResp[0].resp)); free(pResp); return ret; }
PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char *argv[]) { int ret; int faked = 0; const char *dir = NULL; const char *fake_suite = NULL; char *questions; const char *user; char *response = NULL; char fmt[512]; (void)flags; (void)argc; (void)argv; pam_get_item(pamh, PAM_USER, (const void **)&user); openlog("pam_ocra", 0, LOG_AUTHPRIV); fake_suite = openpam_get_option(pamh, "fake_prompt"); dir = openpam_get_option(pamh, "dir"); if (PAM_SUCCESS != (ret = challenge(dir, user, &questions))) { if (PAM_NO_MODULE_DATA == ret && NULL != fake_suite) { if (PAM_SUCCESS != (ret = fake_challenge(fake_suite, &questions))) goto end; faked = 1; } else goto end; } snprintf(fmt, 512, "OCRA Challenge: %s\nOCRA Response: ", questions); if (PAM_SUCCESS != (ret = get_response(pamh, fmt, &response))) goto end; if (1 == faked) ret = PAM_AUTH_ERR; else ret = verify(dir, user, questions, response); free(response); end: closelog(); return ret; }
static int _get_authtok (pam_handle_t * pamh) { int rc; char *p; struct pam_message msg[1], *pmsg[1]; struct pam_response *resp; struct pam_conv *conv; pmsg[0] = &msg[0]; msg[0].msg_style = PAM_PROMPT_ECHO_OFF; msg[0].msg = "Password: "; resp = NULL; rc = pam_get_item (pamh, PAM_CONV, (const void **) &conv); if (rc == PAM_SUCCESS) { rc = conv->conv (1, (const struct pam_message **) pmsg, &resp, conv->appdata_ptr); } else { return rc; } if (resp != NULL) { if (resp[0].resp == NULL) { free (resp); return PAM_AUTH_ERR; } p = resp[0].resp; /* leak if resp[0].resp is malloced. */ resp[0].resp = NULL; } else { return PAM_CONV_ERR; } free (resp); pam_set_item (pamh, PAM_AUTHTOK, p); return PAM_SUCCESS; }
static void log_message(int priority, pam_handle_t *pamh, const char *format, ...) { char *service = NULL; if (pamh) pam_get_item(pamh, PAM_SERVICE, (void *)&service); if (!service) service = ""; char logname[80]; snprintf(logname, sizeof(logname), "%s(" MODULE_NAME ")", service); va_list args; va_start(args, format); openlog(logname, LOG_CONS | LOG_PID, LOG_AUTHPRIV); vsyslog(priority, format, args); va_end(args); closelog(); }
static int set_the_terminal(pam_handle_t *pamh) { const char *tty; if (pam_get_item(pamh, PAM_TTY, (const void **)&tty) != PAM_SUCCESS || tty == NULL) { tty = ttyname(STDIN_FILENO); if (tty == NULL) { _pam_log(LOG_ERR, "couldn't get the tty name"); return PAM_ABORT; } if (pam_set_item(pamh, PAM_TTY, tty) != PAM_SUCCESS) { _pam_log(LOG_ERR, "couldn't set tty name"); return PAM_ABORT; } } return PAM_SUCCESS; }
int pam_prompt(pam_handle_t *pamh, int style, char **response, const char *format, ...) { int rc; struct pam_conv *aconv; char buffer[200]; va_list ap; struct pam_message msg, *pmsg; struct pam_response *resp; /* the the conversion function */ rc = pam_get_item(pamh, PAM_CONV, (PAM_ITEM_CONST void **)&aconv); if (rc != PAM_SUCCESS) return rc; /* make the message string */ va_start(ap, format); vsnprintf(buffer, sizeof(buffer), format, ap); buffer[sizeof(buffer) - 1] = '\0'; va_end(ap); /* build the message */ msg.msg_style = style; msg.msg = buffer; pmsg = &msg; resp = NULL; rc = aconv->conv(1, (const struct pam_message **)&pmsg, &resp, aconv->appdata_ptr); if (rc != PAM_SUCCESS) return rc; /* assign response if it is set */ if (response != NULL) { if (resp == NULL) return PAM_CONV_ERR; if (resp[0].resp == NULL) { free(resp); return PAM_CONV_ERR; } *response = resp[0].resp; } else free(resp[0].resp); free(resp); return PAM_SUCCESS; }
static const char * get_tty(pam_handle_t *pamh) { const void *void_terminal_line = NULL; const char *terminal_line; if (pam_get_item(pamh, PAM_TTY, &void_terminal_line) != PAM_SUCCESS || void_terminal_line == NULL) { terminal_line = DEFAULT_TERM; } else { terminal_line = void_terminal_line; } if (!strncmp("/dev/", terminal_line, 5)) { /* strip leading "/dev/" from tty. */ terminal_line += 5; } D(("terminal = %s", terminal_line)); return terminal_line; }
static int _PAMCreateAttributesFromHandle(pam_handle_t *pamh, CFDictionaryRef *pAttributes) { CFMutableDictionaryRef attributes = NULL; const char *user; int rc; rc = pam_get_item(pamh, PAM_USER, (const void **)&user); if (rc != PAM_SUCCESS) return rc; CFStringRef name = CFStringCreateWithCString(kCFAllocatorDefault, user, kCFStringEncodingUTF8); if (name == NULL) { CFRelease(attributes); return PAM_BUF_ERR; } /* In case module returned PAM_TRY_AGAIN */ rc = pam_get_data(pamh, CREDUI_ATTR_DATA, (const void **)&attributes); if (rc == PAM_SUCCESS && attributes) { CFStringRef assertedName = (CFStringRef)CFDictionaryGetValue(attributes, kCUIAttrName); if (assertedName && CFEqual(assertedName, name)) { *pAttributes = (CFDictionaryRef)CFRetain(attributes); CFRelease(name); return PAM_SUCCESS; } } attributes = CFDictionaryCreateMutable(kCFAllocatorDefault, 0, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks); if (attributes == NULL) return PAM_BUF_ERR; CFDictionarySetValue(attributes, kCUIAttrNameType, kCUIAttrNameTypePosixName); CFDictionarySetValue(attributes, kCUIAttrName, name); /* we don't get AUTHTOK because it might prompt */ CFRelease(name); *pAttributes = attributes; return PAM_SUCCESS; }
static int converse( pam_handle_t * pamh, struct pam_message ** message, struct pam_response ** response ) { int retval; void const * void_conv; struct pam_conv const * conv; retval = pam_get_item( pamh, PAM_CONV, & void_conv ); conv = (struct pam_conv const *) void_conv; if( retval == PAM_SUCCESS ) { retval = conv->conv( 1, (struct pam_message const **) message, response, conv->appdata_ptr ); } return retval; }
/* * This is a conversation function to obtain the user's password */ static int get_password(pam_handle_t * pamh, const char *message, const char **passwd) { struct pam_message msg[2], *pmsg[2]; struct pam_response *resp; const struct pam_conv *conv; pmsg[0] = &msg[0]; msg[0].msg = message; msg[0].msg_style = PAM_PROMPT_ECHO_OFF; if (pam_get_item(pamh, PAM_CONV, (const void **) &conv) == PAM_SUCCESS && conv->conv(1, (const struct pam_message **) &pmsg, &resp, conv->appdata_ptr) == PAM_SUCCESS && resp != NULL) { *passwd = resp[0].resp; free(resp); return PAM_SUCCESS; } return PAM_SYSTEM_ERR; }
char *get_response(pam_handle_t *pamh, const char *prompt, int verbose) { struct pam_conv *conv; int retval; struct pam_message msg; const struct pam_message *msgp; struct pam_response *resp; char *response; char buffer[MAXBUFSIZE]; retval = pam_get_item(pamh, PAM_CONV, (const void**) &conv); if (retval != PAM_SUCCESS) { return NULL; } /* check if we want verbose input */ if ( verbose != 0 ) msg.msg_style = PAM_PROMPT_ECHO_ON; else msg.msg_style = PAM_PROMPT_ECHO_OFF; if (prompt) { snprintf(buffer, MAXBUFSIZE, "%s: ", prompt); } else { strcpy(buffer, "Password: "); } /* set up the conversation */ msg.msg = buffer; msgp = &msg; resp = NULL; response = NULL; retval = (*conv->conv)(1, &msgp, &resp, conv->appdata_ptr); if (resp != NULL) { if (retval == PAM_SUCCESS) { response = resp->resp; } else { free(resp->resp); } free(resp); } return response; }
int converse(pam_handle_t * pamh, int nargs, const struct pam_message *message, struct pam_response **response) { int retval; struct pam_conv *conv; if ((retval = pam_get_item (pamh, PAM_CONV, (const void **)&conv)) == PAM_SUCCESS) { retval = conv->conv(nargs, &message, response, conv->appdata_ptr); if (retval != PAM_SUCCESS) { _pam_log(LOG_ERR, "(pam_tacplus) converse returned %d", retval); _pam_log(LOG_ERR, "that is: %s", pam_strerror (pamh, retval)); } } else { _pam_log (LOG_ERR, "(pam_tacplus) converse failed to get pam_conv"); } return retval; }
static int converse(pam_handle_t *pamh, int style, lo_const char *text, struct pam_response **resp) { struct pam_conv *conv; struct pam_message msg, *pmsg; int status; status = pam_get_item(pamh, PAM_CONV, (pam_item_t *)&conv); if (status != PAM_SUCCESS) return status; pmsg = &msg; msg.msg_style = style; msg.msg = text; *resp = NULL; return conv->conv(1, (lo_const struct pam_message **)&pmsg, resp, conv->appdata_ptr); }
/** * EscalateModuleStartAddItem: * @self: Module containing the PAM handle. * @items: Array to append PAM item type and value tuples to. * @item: Item type of the value to fetch using pam_get_item(). * @error: (out)(allow-none): Error return location or #NULL. * * Returns: #TRUE if there was no fatal error. */ static gboolean EscalateModuleStartAddItem(EscalateModule *self, GVariantBuilder *items, gint item, GError **error) { const gchar *value = NULL; gint status = pam_get_item(self->pamh, item, (const void **) &value); switch (status) { case PAM_SUCCESS: g_variant_builder_add(items, "{ims}", item, value); return TRUE; case PAM_BAD_ITEM: return TRUE; default: g_set_error(error, ESCALATE_MODULE_ERROR, ESCALATE_MODULE_ERROR_GET_ITEM_FAILED, "Failed to get PAM item %d: %s", item, pam_strerror(self->pamh, status)); return FALSE; } }
static int pamGssGetAuthTok(pam_handle_t *pamh, int confFlags, gss_buffer_t passwordBuf) { int status; struct pam_conv *conv; struct pam_message msg; const struct pam_message *msgp; struct pam_response *resp; status = pam_get_item(pamh, PAM_CONV, (const void **)&conv); BAIL_ON_PAM_ERROR(status); if (conv == NULL) { status = PAM_CONV_ERR; goto cleanup; } msg.msg_style = PAM_PROMPT_ECHO_OFF; msg.msg = PASSWORD_PROMPT; msgp = &msg; resp = NULL; status = (*conv->conv)(1, &msgp, &resp, conv->appdata_ptr); if (resp != NULL) { if (status == PAM_SUCCESS) passwordBuf->value = resp->resp; else free(resp->resp); free(resp); } passwordBuf->length = passwordBuf->value ? strlen((char *)passwordBuf->value) : 0; if (passwordBuf->length == 0 && (confFlags & FLAG_NULLOK) == 0) { status = PAM_AUTH_ERR; goto cleanup; } cleanup: return status; }
/* * get_pam_user - Get the username according to PAM * * ptr_pam_user shall point to a malloc'ed string (or NULL). */ static void get_pam_user (char **ptr_pam_user) { int retcode; void *ptr_user; assert (NULL != ptr_pam_user); retcode = pam_get_item (pamh, PAM_USER, (const void **)&ptr_user); PAM_FAIL_CHECK; if (NULL != *ptr_pam_user) { free (*ptr_pam_user); } if (NULL != ptr_user) { *ptr_pam_user = xstrdup ((const char *)ptr_user); } else { *ptr_pam_user = NULL; } }
/* * Entry point from pam_open_session call. */ PAM_EXTERN int pam_sm_open_session(pam_handle_t *pamh, int flags, int argc, const char **argv) { /* Parse arguments. */ if (argc < 1) { pam_syslog(pamh, LOG_ERR, "usage: pam_unshare.so [group name]"); return PAM_SESSION_ERR; } pam_syslog(pamh, LOG_INFO, "Getting PAM_USER"); /* See http://www.linux-pam.org/Linux-PAM-html/mwg-expected-by-module-item.html */ const void *item_v; int rc = pam_get_item(pamh, PAM_USER, &item_v); const char *username = "******"; if(rc == PAM_SUCCESS) { username = item_v; } pam_syslog(pamh, LOG_INFO, "pam_unshare, return code %d, found user %s", rc, username); struct passwd* user = getpwnam(username); if (user == NULL) { pam_syslog(pamh, LOG_ERR, "getpwnam(%s) == NULL", username); return PAM_SESSION_ERR; } struct group* group = getgrgid(user->pw_gid); if (group == NULL) { pam_syslog(pamh, LOG_ERR, "getgrgid(%d) == NULL", user->pw_gid); return PAM_SESSION_ERR; } const char* target_group = argv[0]; if (strcmp(target_group, group->gr_name) == 0) { pam_syslog(pamh, LOG_INFO, "found user in target group! calling unshare()"); if(unshare(CLONE_NEWNS) < 0) { pam_syslog(pamh, LOG_ERR, "Unable to unshare from parent namespace, %m"); return PAM_SESSION_ERR; } } return PAM_SUCCESS; }
static int _PAMSetTargetNameWithService(pam_handle_t *pamh, CUIControllerRef controller) { const char *service = NULL; CFStringRef cfService; int rc; rc = pam_get_item(pamh, PAM_SERVICE, (const void **)&service); if (rc != PAM_SUCCESS) return rc; cfService = CFStringCreateWithCString(kCFAllocatorDefault, service, kCFStringEncodingUTF8); if (cfService == NULL) return PAM_BUF_ERR; CUIControllerSetTargetName(controller, cfService); CFRelease(cfService); return PAM_SUCCESS; }
static int prompt_password(pam_handle_t *pamh, const char **password) { int ret; const struct pam_conv *conv; ret = pam_get_item (pamh, PAM_CONV, (const void **) &conv); if (ret != PAM_SUCCESS) return ret; const struct pam_message *pmsg[1]; struct pam_message msg[1]; msg[0].msg_style = PAM_PROMPT_ECHO_OFF; msg[0].msg = "Multipass: "; pmsg[0] = &msg[0]; struct pam_response *resp = NULL; ret = conv->conv(1, pmsg, &resp, conv->appdata_ptr); if (ret != PAM_SUCCESS) return ret; *password = resp->resp; free(resp); return PAM_SUCCESS; }
static int init(pam_handle_t *pamh,struct pld_cfg *cfg,struct pld_ctx **ctx, const char **username,const char **service) { int rc; struct passwd *pwent; /* get user name */ rc=pam_get_user(pamh,username,NULL); if (rc!=PAM_SUCCESS) { pam_syslog(pamh,LOG_ERR,"failed to get user name: %s",pam_strerror(pamh,rc)); return rc; } if ((*username==NULL)||((*username)[0]=='\0')) { pam_syslog(pamh,LOG_ERR,"got empty user name"); return PAM_USER_UNKNOWN; } /* check uid */ if (cfg->minimum_uid>0) { pwent=pam_modutil_getpwnam(args->pamh,*username); if ((pwent!=NULL)&&(pwent->pw_uid<cfg->minimum_uid)) { if (cfg->debug) pam_syslog(pamh,LOG_DEBUG,"uid below minimum_uid; user=%s uid=%ld",*username,(long)pwent->pw_uid); return cfg->ignore_unknown_user?PAM_IGNORE:PAM_USER_UNKNOWN; } } /* get our context */ rc=ctx_get(pamh,*username,ctx); if (rc!=PAM_SUCCESS) return rc; /* get service name */ rc=pam_get_item(pamh,PAM_SERVICE,(const void **)service); if (rc!=PAM_SUCCESS) { pam_syslog(pamh,LOG_ERR,"failed to get service name: %s",pam_strerror(pamh,rc)); return rc; } return PAM_SUCCESS; }
/** * This function lets us do IO via PAM * @param pam_handle The PAM handle * @param pam_argc The number of args * @param pam_message The message to prompt * @param pam_response The user response * @return A PAM return code * @see pam_unix/support.c */ int pam_converse(pam_handle_t *pam_handle, int pam_argc, struct pam_message **pam_message, struct pam_response **pam_response) { /* PAM data */ struct pam_conv *pam_conversation; int pam_status; /* Check feasibility of PAM conversations */ pam_status = pam_get_item(pam_handle, PAM_CONV, (const void **) &pam_conversation); /* Converse with PAM */ if(pam_status == PAM_SUCCESS) pam_status = pam_conversation->conv(pam_argc, (const struct pam_message **) pam_message, pam_response, pam_conversation->appdata_ptr); /* Return PAM status */ return pam_status; }
static int record_host(const abl_args *args, abl_info *info, time_t tm) { if (NULL != args->host_db) { const void *rhost; int err; if (err = pam_get_item(args->pamh, PAM_RHOST, &rhost), PAM_SUCCESS != err) { log_pam_error(args, err, "getting PAM_RHOST"); return err; } if (NULL != rhost) { info->subject = HOST; info->host = rhost; return record(args, info, tm, args->host_purge); } else { log_debug(args, "PAM_RHOST is NULL"); return 0; } } else { return 0; } }
static int pam_http_get_password(pam_handle_t* pamh, char** password) { int retval, retry; struct pam_conv* conv; struct pam_message msg; const struct pam_message* msgp; struct pam_response* resp; retval = pam_get_item(pamh, PAM_CONV, (const void**)&conv); if (retval != PAM_SUCCESS) return PAM_SYSTEM_ERR; msg.msg_style = PAM_PROMPT_ECHO_OFF; msg.msg = password_prompt; msgp = &msg; for (retry = 0; retry < 3; ++retry) { resp = NULL; retval = (*conv->conv)(1, &msgp, &resp, conv->appdata_ptr); if (resp != NULL) { if (retval == PAM_SUCCESS) *password = resp->resp; else free(resp->resp); free(resp); } if (retval == PAM_SUCCESS) break; } if (retval == PAM_CONV_ERR) return retval; if (retval != PAM_SUCCESS) return PAM_AUTH_ERR; return PAM_SUCCESS; }
int pam_sm_setcred(pam_handle_t *pamh, int flags, int argc, const char **argv) { parse_ctrl(argc, argv); ENTRY("pam_sm_setcred"); switch (flags & ~PAM_SILENT) { case 0: case PAM_ESTABLISH_CRED: if (k_hasafs()) k_setpag(); /* Fall through, fill PAG with credentials below. */ case PAM_REINITIALIZE_CRED: case PAM_REFRESH_CRED: if (k_hasafs()) { void *user = 0; if (pam_get_item(pamh, PAM_USER, &user) == PAM_SUCCESS) { struct passwd *pw = getpwnam((char *)user); if (pw != 0) krb_afslog_uid_home(/*cell*/ 0,/*realm_hint*/ 0, pw->pw_uid, pw->pw_dir); } } break; case PAM_DELETE_CRED: dest_tkt(); if (k_hasafs()) k_unlog(); break; default: psyslog(LOG_ALERT , "pam_sm_setcred: unknown flags 0x%x", flags); break; } return PAM_SUCCESS; }
static int pam_auth_user(void* ctx, char *username, int username_size) { const char* user = NULL; struct pam_ctx_st * pctx = ctx; int pret; username[0] = 0; pret = pam_get_item(pctx->ph, PAM_USER, (const void **)&user); if (pret != PAM_SUCCESS) { /*syslog(LOG_AUTH, "PAM-auth: pam_get_item(PAM_USER): %s", pam_strerror(pctx->ph, pret));*/ return -1; } if (user != NULL) { strlcpy(username, user, username_size); return 0; } return -1; }
/* this is a front-end for module-application conversations */ static int converse(pam_handle_t *pamh, int ctrl, int nargs, struct pam_message **message, struct pam_response **response) { int retval; struct pam_conv *conv; retval = pam_get_item(pamh, PAM_CONV, (const void **) &conv); if ( retval == PAM_SUCCESS ) { retval = conv->conv(nargs, (const struct pam_message **)message, response, conv->appdata_ptr); if (retval != PAM_SUCCESS && (ctrl && PAM_DEBUG_ARG)) { _pam_log(LOG_DEBUG, "conversation failure [%s]", pam_strerror(pamh, retval)); } } else { _pam_log(LOG_ERR, "couldn't obtain coversation function [%s]", pam_strerror(pamh, retval)); } return retval; /* propagate error status */ }