Exemplo n.º 1
0
int
pam_setup (char *user, char *host)
{
	/*
	 * Any application using PAM must provide a conversion function, which
	 * is used for direct communication between a loaded module and the
	 * application. In this case, SLURM does need a communication mechanism,
	 * so the default (or null) conversation function may be used.
	 */
	struct pam_conv conv = {misc_conv, NULL};
        int             rc = 0;

	if (!conf->use_pam)
		return SLURM_SUCCESS;
	/*
	 * SLURM uses PAM to obtain resource limits established by the system
	 * administrator. PAM's session management library is responsible for
	 * handling resource limits. When a PAM session is opened on behalf of
	 * a user, the limits imposed by the sys admin are picked up. Opening
	 * a PAM session requires a PAM handle, which is obtained when the PAM
	 * interface is intialized. (PAM handles are required with essentially
	 * all PAM calls.) It's also necessary to have the users PAM credentials
	 * to open a user session.
 	 */
        if ((rc = pam_start (SLURM_SERVICE_PAM, user, &conv, &pam_h))
			!= PAM_SUCCESS) {
                error ("pam_start: %s", pam_strerror(pam_h, rc));
                return SLURM_ERROR;
        } else if ((rc = pam_set_item (pam_h, PAM_USER, user))
			!= PAM_SUCCESS) {
                error ("pam_set_item USER: %s", pam_strerror(pam_h, rc));
                return SLURM_ERROR;
        } else if ((rc = pam_set_item (pam_h, PAM_RUSER, user))
			!= PAM_SUCCESS) {
                error ("pam_set_item RUSER: %s", pam_strerror(pam_h, rc));
                return SLURM_ERROR;
        } else if ((rc = pam_set_item (pam_h, PAM_RHOST, host))
			!= PAM_SUCCESS) {
                error ("pam_set_item HOST: %s", pam_strerror(pam_h, rc));
              return SLURM_ERROR;
        } else if ((rc = pam_setcred (pam_h, PAM_ESTABLISH_CRED))
			!= PAM_SUCCESS) {
                error ("pam_setcred: %s", pam_strerror(pam_h, rc));
                return SLURM_ERROR;
        } else if ((rc = pam_open_session (pam_h, 0)) != PAM_SUCCESS) {
                error("pam_open_session: %s", pam_strerror(pam_h, rc));
                return SLURM_ERROR;
        }

	return SLURM_SUCCESS;

}
Exemplo n.º 2
0
int x11_shadow_pam_authenticate(x11ShadowSubsystem* subsystem, const char* user, const char* domain, const char* password)
{
	int pam_status;
	SHADOW_PAM_AUTH_INFO* info;

	info = calloc(1, sizeof(SHADOW_PAM_AUTH_INFO));

	if (!info)
		return PAM_CONV_ERR;

	if (x11_shadow_pam_get_service_name(info) < 0)
		return -1;

	info->appdata.user = user;
	info->appdata.domain = domain;
	info->appdata.password = password;

	info->pamc.conv = &x11_shadow_pam_conv;
	info->pamc.appdata_ptr = &(info->appdata);

	pam_status = pam_start(info->service_name, 0, &(info->pamc), &(info->handle));

	if (pam_status != PAM_SUCCESS)
	{
		WLog_ERR(TAG, "pam_start failure: %s", pam_strerror(info->handle, pam_status));
		free(info);
		return -1;
	}

	pam_status = pam_authenticate(info->handle, 0);

	if (pam_status != PAM_SUCCESS)
	{
		WLog_ERR(TAG, "pam_authenticate failure: %s", pam_strerror(info->handle, pam_status));
		free(info);
		return -1;
	}

	pam_status = pam_acct_mgmt(info->handle, 0);

	if (pam_status != PAM_SUCCESS)
	{
		WLog_ERR(TAG, "pam_acct_mgmt failure: %s", pam_strerror(info->handle, pam_status));
		free(info);
		return -1;
	}

	free(info);

	return 1;
}
Exemplo n.º 3
0
bool httpPamVerifyUser(HttpConn *conn)
{
    MprBuf              *abilities;
    pam_handle_t        *pamh;
    UserInfo            info;
    struct pam_conv     conv = { pamChat, &info };
    struct group        *gp;
    int                 res, i;
   
    mprAssert(conn->username);
    mprAssert(conn->password);
    mprAssert(!conn->encoded);

    info.name = (char*) conn->username;
    info.password = (char*) conn->password;
    pamh = NULL;
    if ((res = pam_start("login", info.name, &conv, &pamh)) != PAM_SUCCESS) {
        return 0;
    }
    if ((res = pam_authenticate(pamh, PAM_DISALLOW_NULL_AUTHTOK)) != PAM_SUCCESS) {
        pam_end(pamh, PAM_SUCCESS);
        mprLog(5, "httpPamVerifyUser failed to verify %s", conn->username);
        return 0;
    }
    pam_end(pamh, PAM_SUCCESS);
    mprLog(5, "httpPamVerifyUser verified %s", conn->username);

    if (!conn->user) {
        conn->user = mprLookupKey(conn->rx->route->auth->users, conn->username);
    }
    if (!conn->user) {
        Gid     groups[32];
        int     ngroups;
        /* 
            Create a temporary user with a abilities set to the groups 
         */
        ngroups = sizeof(groups) / sizeof(Gid);
        if ((i = getgrouplist(conn->username, 99999, groups, &ngroups)) >= 0) {
            abilities = mprCreateBuf(0, 0);
            for (i = 0; i < ngroups; i++) {
                if ((gp = getgrgid(groups[i])) != 0) {
                    mprPutFmtToBuf(abilities, "%s ", gp->gr_name);
                }
            }
            mprAddNullToBuf(abilities);
            mprLog(5, "Create temp user \"%s\" with abilities: %s", conn->username, mprGetBufStart(abilities));
            conn->user = httpCreateUser(conn->rx->route->auth, conn->username, 0, mprGetBufStart(abilities));
        }
    }
    return 1;
}
Exemplo n.º 4
0
long freerds_authenticate(char* username, char* password, int* errorcode)
{
	int error;
	char service_name[256];
	struct t_auth_info* auth_info;

	get_service_name(service_name);
	auth_info = malloc(sizeof(struct t_auth_info));
	ZeroMemory(auth_info, sizeof(struct t_auth_info));
	strcpy(auth_info->user_pass.user, username);
	strcpy(auth_info->user_pass.pass, password);
	auth_info->pamc.conv = &verify_pam_conv;
	auth_info->pamc.appdata_ptr = &(auth_info->user_pass);
	error = pam_start(service_name, 0, &(auth_info->pamc), &(auth_info->ph));

	if (error != PAM_SUCCESS)
	{
		if (errorcode != NULL)
			*errorcode = error;

		printf("pam_start failed: %s\n", pam_strerror(auth_info->ph, error));
		free(auth_info);
		return 0;
	}

	error = pam_authenticate(auth_info->ph, 0);

	if (error != PAM_SUCCESS)
	{
		if (errorcode != NULL)
			*errorcode = error;

		printf("pam_authenticate failed: %s\n", pam_strerror(auth_info->ph, error));
		free(auth_info);
		return 0;
	}

	error = pam_acct_mgmt(auth_info->ph, 0);

	if (error != PAM_SUCCESS)
	{
		if (errorcode != NULL)
			*errorcode = error;

		printf("pam_acct_mgmt failed: %s\n", pam_strerror(auth_info->ph, error));
		free(auth_info);
		return 0;
	}

	return (long) auth_info;
}
Exemplo n.º 5
0
static int
sshpam_init(Authctxt *authctxt)
{
	extern char *__progname;
	const char *pam_rhost, *pam_user, *user = authctxt->user;
	const char **ptr_pam_user = &pam_user;
	struct ssh *ssh = active_state; /* XXX */

	if (sshpam_handle != NULL) {
		/* We already have a PAM context; check if the user matches */
		sshpam_err = pam_get_item(sshpam_handle,
		    PAM_USER, (sshpam_const void **)ptr_pam_user);
		if (sshpam_err == PAM_SUCCESS && strcmp(user, pam_user) == 0)
			return (0);
		pam_end(sshpam_handle, sshpam_err);
		sshpam_handle = NULL;
	}
	debug("PAM: initializing for \"%s\"", user);
	sshpam_err =
	    pam_start(SSHD_PAM_SERVICE, user, &store_conv, &sshpam_handle);
	sshpam_authctxt = authctxt;

	if (sshpam_err != PAM_SUCCESS) {
		pam_end(sshpam_handle, sshpam_err);
		sshpam_handle = NULL;
		return (-1);
	}
	pam_rhost = auth_get_canonical_hostname(ssh, options.use_dns);
	debug("PAM: setting PAM_RHOST to \"%s\"", pam_rhost);
	sshpam_err = pam_set_item(sshpam_handle, PAM_RHOST, pam_rhost);
	if (sshpam_err != PAM_SUCCESS) {
		pam_end(sshpam_handle, sshpam_err);
		sshpam_handle = NULL;
		return (-1);
	}
#ifdef PAM_TTY_KLUDGE
	/*
	 * Some silly PAM modules (e.g. pam_time) require a TTY to operate.
	 * sshd doesn't set the tty until too late in the auth process and
	 * may not even set one (for tty-less connections)
	 */
	debug("PAM: setting PAM_TTY to \"ssh\"");
	sshpam_err = pam_set_item(sshpam_handle, PAM_TTY, "ssh");
	if (sshpam_err != PAM_SUCCESS) {
		pam_end(sshpam_handle, sshpam_err);
		sshpam_handle = NULL;
		return (-1);
	}
#endif
	return (0);
}
Exemplo n.º 6
0
bool MainWindow::doAuthenticate() {

    Authenticated = false;
    LoginDialog dialog(this);
    if (dialog.exec()) {
        pcode = dialog.getPass();

        static pam_handle_t *pamh;
        struct pam_conv pamc = { converse, this };
        char hostname[MAXHOSTNAMELEN];
        char *ruser;
        int retcode = 0;

        char user[] = "root";
        pam_start("su", user, &pamc, &pamh);

        gethostname(hostname, sizeof(hostname));
        if ((retcode = pam_set_item(pamh, PAM_RHOST, hostname)) != PAM_SUCCESS) {
            pcode = "";
            dialog.clearPass();
            qDebug() << "pam_set_item hostname failed. " << pam_strerror(pamh, retcode);
            return false;
        }

        ruser = getlogin();
        if ((retcode = pam_set_item(pamh, PAM_RUSER, ruser)) != PAM_SUCCESS) {
            pcode = "";
            dialog.clearPass();
            qDebug() << "pam_set_item remote user failed. " << pam_strerror(pamh, retcode);
            return false;
        }

        if ((retcode = pam_authenticate(pamh, 0)) != PAM_SUCCESS) {
            pcode = "";
            dialog.clearPass();
            qDebug() << "pam_authenticate failed. " << pam_strerror(pamh, retcode);
            return false;
        }

        Authenticated = true;

        qDebug() << "Authenticated as root. ";
        pcode = "";
        dialog.clearPass();
        return true;
    }

    qDebug() << "Not Authenticated as root.";
    Authenticated = false;
    return false;
}
Exemplo n.º 7
0
static void do_auth(char *service, char*user, char*pwd, char* mode, int sid)
{
    pam_handle_t *pamh=NULL;
    int retval;
    struct session *sessp;

    conv.appdata_ptr = (void*)strdup(pwd);
    retval = pam_start(service, user, &conv, &pamh);
    
    if (retval != PAM_SUCCESS) {
        werr(pamh, sid, retval, "start");
        return;
    }
    pam_set_item(pamh, PAM_RUSER, user);

    retval = pam_authenticate(pamh, 0); 
    if (retval != PAM_SUCCESS) {
        werr(pamh, sid, retval, "auth");
        return;
    }
    if (mode[0] == 'A') {
        retval = pam_acct_mgmt(pamh, 0); 
        if (retval != PAM_SUCCESS) {
            werr(pamh, sid, retval, "accounting");
            return;
        }
        /*fprintf(stderr, "did ok acct \n\r");*/
    }
    if (mode[1] == 'S') {
        retval = pam_open_session(pamh, 0);
        if (retval != PAM_SUCCESS) {
            werr(pamh, sid, retval, "session");
            return;
        }
        /*fprintf(stderr, "did ok open sess \n\r"); */
    }
    if ((sessp = malloc(sizeof(struct session))) == NULL) {
        werr(pamh, sid, -1, "malloc");
        return;
    }
    if (mode[1] == 'S') 
        sessp->session_mode = 1;
    else
        sessp->session_mode = 0;
    sessp->sid = sid;
    sessp->pamh = pamh;
    sessp->next = sessions;
    sessions = sessp;
    
    wok(sid);
}
Exemplo n.º 8
0
int lxdm_auth_user_authenticate(LXDM_AUTH *a,const char *user,const char *pass,int type)
{
	struct passwd *pw;
	if(!user || !user[0])
	{
		g_debug("user==NULL\n");
		return AUTH_ERROR;
	}
	pw = getpwnam(user);
	endpwent();
	if(!pw)
	{
		g_debug("user %s not found\n",user);
		return AUTH_BAD_USER;
	}
	if(strstr(pw->pw_shell, "nologin"))
	{
		g_debug("user %s have nologin shell\n",user);
		return AUTH_PRIV;
	}
	if(a->handle) pam_end(a->handle,0);
	if(PAM_SUCCESS != pam_start("lxdm", pw->pw_name, &conv, (pam_handle_t**)&a->handle))
	{
		a->handle=NULL;
		g_debug("user %s start pam fail\n",user);
		return AUTH_FAIL;
	}
	else
	{
		int ret;
		if(type==AUTH_TYPE_AUTO_LOGIN && !pass)
			goto out;
		user_pass[0]=(char*)user;user_pass[1]=(char*)pass;
		ret=pam_authenticate(a->handle,PAM_SILENT);
		user_pass[0]=0;user_pass[1]=0;
		if(ret!=PAM_SUCCESS)
		{
			g_debug("user %s auth fail with %d\n",user,ret);
			return AUTH_FAIL;
		}
		ret=pam_acct_mgmt(a->handle,PAM_SILENT);
		if(ret!=PAM_SUCCESS)
		{
			g_debug("user %s acct mgmt fail with %d\n",user,ret);
			return AUTH_FAIL;
		}
	}
out:
	passwd_copy(&a->pw,pw);
	return AUTH_SUCCESS;
}
Exemplo n.º 9
0
static authn_status pam_authenticate_with_login_password(request_rec * r, const char * pam_service,
	const char * login, const char * password, int steps) {
	pam_handle_t * pamh = NULL;
	struct pam_conv pam_conversation = { &pam_authenticate_conv, (void *) password };
	const char * stage = "PAM transaction failed for service";
	const char * param = pam_service;
	int ret;
	ret = pam_start(pam_service, login, &pam_conversation, &pamh);
	if (ret == PAM_SUCCESS) {
		const char * remote_host_or_ip = ap_get_remote_host(r->connection, r->per_dir_config, REMOTE_NAME, NULL);
		if (remote_host_or_ip) {
			stage = "PAM pam_set_item PAM_RHOST failed for service";
			ret = pam_set_item(pamh, PAM_RHOST, remote_host_or_ip);
		}
	}
	if (ret == PAM_SUCCESS) {
		if (steps & _PAM_STEP_AUTH) {
			param = login;
			stage = "PAM authentication failed for user";
			ret = pam_authenticate(pamh, PAM_SILENT | PAM_DISALLOW_NULL_AUTHTOK);
		}
		if ((ret == PAM_SUCCESS) && (steps & _PAM_STEP_ACCOUNT)) {
			param = login;
			stage = "PAM account validation failed for user";
			ret = pam_acct_mgmt(pamh, PAM_SILENT | PAM_DISALLOW_NULL_AUTHTOK);
			if (ret == PAM_NEW_AUTHTOK_REQD) {
				authnz_pam_config_rec * conf = ap_get_module_config(r->per_dir_config, &authnz_pam_module);
				if (conf && conf->expired_redirect_url) {
					ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server,
						"mod_authnz_pam: PAM_NEW_AUTHTOK_REQD: redirect to [%s]",
						conf->expired_redirect_url);
					apr_table_addn(r->headers_out, "Location", format_location(r, conf->expired_redirect_url, login));
					return HTTP_TEMPORARY_REDIRECT;
				}
			}
		}
	}
	if (ret != PAM_SUCCESS) {
		const char * strerr = pam_strerror(pamh, ret);
		ap_log_error(APLOG_MARK, APLOG_WARNING, 0, r->server, "mod_authnz_pam: %s %s: %s", stage, param, strerr);
		apr_table_setn(r->subprocess_env, _EXTERNAL_AUTH_ERROR_ENV_NAME, apr_pstrdup(r->pool, strerr));
		pam_end(pamh, ret);
		return AUTH_DENIED;
	}
	apr_table_setn(r->subprocess_env, _REMOTE_USER_ENV_NAME, login);
	r->user = apr_pstrdup(r->pool, login);
	ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, r->server, "mod_authnz_pam: PAM authentication passed for user %s", login);
	pam_end(pamh, ret);
	return AUTH_GRANTED;
}
Exemplo n.º 10
0
/* cjd 19980706
 *
 * for most flexibility, passing a pamauth type to this function
 * allows you to have multiple authentication types (i.e. multiple
 * files associated with radius in /etc/pam.d)
 */
static int pam_pass(char const *name, char const *passwd, char const *pamauth)
{
    pam_handle_t *pamh=NULL;
    int retval;
    my_PAM pam_config;
    struct pam_conv conv;

    /*
     *  Initialize the structures.
     */
    conv.conv = PAM_conv;
    conv.appdata_ptr = &pam_config;
    pam_config.username = name;
    pam_config.password = passwd;
    pam_config.error = 0;

    DEBUG("pam_pass: using pamauth string <%s> for pam.conf lookup", pamauth);
    retval = pam_start(pamauth, name, &conv, &pamh);
    if (retval != PAM_SUCCESS) {
      DEBUG("pam_pass: function pam_start FAILED for <%s>. Reason: %s",
	    name, pam_strerror(pamh, retval));
      return -1;
    }

    retval = pam_authenticate(pamh, 0);
    if (retval != PAM_SUCCESS) {
      DEBUG("pam_pass: function pam_authenticate FAILED for <%s>. Reason: %s",
	    name, pam_strerror(pamh, retval));
      pam_end(pamh, retval);
      return -1;
    }

    /*
     * FreeBSD 3.x doesn't have account and session management
     * functions in PAM, while 4.0 does.
     */
#if !defined(__FreeBSD_version) || (__FreeBSD_version >= 400000)
    retval = pam_acct_mgmt(pamh, 0);
    if (retval != PAM_SUCCESS) {
      DEBUG("pam_pass: function pam_acct_mgmt FAILED for <%s>. Reason: %s",
	    name, pam_strerror(pamh, retval));
      pam_end(pamh, retval);
      return -1;
    }
#endif

    DEBUG("pam_pass: authentication succeeded for <%s>", name);
    pam_end(pamh, retval);
    return 0;
}
Exemplo n.º 11
0
bool XProcess::pam_checkPW(){
 //Requires internal "xuser" and "xpwd" variables to be set
	
//Convert the inputs to C character arrays for use in PAM
  QByteArray tmp = xuser.toUtf8();
  char* cUser = tmp.data();
  QByteArray tmp2 = xpwd.toUtf8();
  char* cPassword = tmp2.data();
  //initialize variables
  bool result = false;
  int ret;
  //Initialize PAM
  //qDebug() << "Starting PAM:" << xuser << tmp << xpwd << tmp2;
  if(xuser=="root"){ ret = pam_start("system", cUser, &pamc, &pamh); }
  else{ ret = pam_start("login", cUser, &pamc, &pamh); }
  if( ret == PAM_SUCCESS ){
    pam_started = true; //flag that pam is started
    //Place the user-supplied password into the structure 
    ret = pam_set_item(pamh, PAM_AUTHTOK, cPassword);
    if(ret != PAM_SUCCESS){ pam_logFailure(ret); return false; }
    //Set the TTY 
    //ret = pam_set_item(pamh, PAM_TTY, "pcdm-terminal");
    //Authenticate with PAM
    ret = pam_authenticate(pamh,0);
    if( ret == PAM_SUCCESS ){
      //Check for valid, unexpired account and verify access restrictions
      ret = pam_acct_mgmt(pamh,0);
      if( ret == PAM_SUCCESS ){ result = true; }
      else{ pam_logFailure(ret); }
    
    }else{
      pam_logFailure(ret);
    }
  }else{ qCritical() << "Could not start PAM"; }
  //return verification result
  return result;	
}
Exemplo n.º 12
0
static gboolean
cockpit_auth_pam_verify_password (CockpitAuth *auth,
                                  const gchar *user,
                                  const gchar *password,
                                  GError **error)
{
  pam_handle_t *pamh = NULL;
  int pam_status = 0;
  const char *pam_user;
  gboolean ret = FALSE;
  struct pam_conv_data data;
  struct pam_conv conv;

  data.inputs[0] = (char *)password;
  data.inputs[1] = NULL;
  data.current_input = 0;
  conv.conv = pam_conv_func;
  conv.appdata_ptr = (void *)&data;

  pam_status = pam_start ("cockpit", user, &conv, &pamh);
  if (pam_status == PAM_SUCCESS)
    pam_status = pam_authenticate (pamh, 0);

  if (pam_status == PAM_SUCCESS)
    pam_status = pam_get_item (pamh, PAM_USER, (const void **)&pam_user);

  if (pam_status == PAM_AUTH_ERR || pam_status == PAM_USER_UNKNOWN)
    {
      g_set_error (error, COCKPIT_ERROR, COCKPIT_ERROR_AUTHENTICATION_FAILED,
                   "Authentication failed");
      ret = FALSE;
      goto out;
    }

  if (pam_status != PAM_SUCCESS)
    {
      g_set_error (error, COCKPIT_ERROR, COCKPIT_ERROR_FAILED,
                   "%s", pam_strerror (pamh, pam_status));
      ret = FALSE;
      goto out;
    }

  ret = TRUE;

out:
  if (pamh)
    pam_end (pamh, pam_status);
  return ret;
}
Exemplo n.º 13
0
static void
pm_do_auth(adt_session_data_t *ah)
{
	pam_handle_t	*pm_pamh;
	int		err;
	int		pam_flag = 0;
	int		chpasswd_tries;
	struct pam_conv pam_conv = {pam_tty_conv, NULL};

	if (user[0] == '\0')
		return;

	if ((err = pam_start("sys-suspend", user, &pam_conv,
	    &pm_pamh)) != PAM_SUCCESS)
		return;

	pam_flag = PAM_DISALLOW_NULL_AUTHTOK;

	do {
		err = pam_authenticate(pm_pamh, pam_flag);

		if (err == PAM_SUCCESS) {
			err = pam_acct_mgmt(pm_pamh, pam_flag);

			if (err == PAM_NEW_AUTHTOK_REQD) {
				chpasswd_tries = 0;

				do {
					err = pam_chauthtok(pm_pamh,
					    PAM_CHANGE_EXPIRED_AUTHTOK);
					chpasswd_tries++;

				} while ((err == PAM_AUTHTOK_ERR ||
				    err == PAM_TRY_AGAIN) &&
				    chpasswd_tries < DEF_ATTEMPTS);
				pm_audit_event(ah, ADT_passwd, err);
			}
			err = pam_setcred(pm_pamh, PAM_REFRESH_CRED);
		}
		if (err != PAM_SUCCESS) {
			(void) fprintf(stdout, "%s\n",
			    pam_strerror(pm_pamh, err));
			pm_audit_event(ah, ADT_screenunlock, err);
		}
	} while (err != PAM_SUCCESS);
	pm_audit_event(ah, ADT_passwd, 0);

	(void) pam_end(pm_pamh, err);
}
Exemplo n.º 14
0
static bool pam_check_passwd(struct pam_auth_request *request)
{
	pam_handle_t *hpam;
	char raddr[PGADDR_BUF];
	int rc;

	struct pam_conv pam_conv = {
		.conv = pam_conversation,
		.appdata_ptr = request
	};

	rc = pam_start(PGBOUNCER_PAM_SERVICE, request->username, &pam_conv, &hpam);
	if (rc != PAM_SUCCESS) {
		log_warning("pam_start() failed: %s", pam_strerror(NULL, rc));
		return false;
	}

	/* Set rhost too in case if some PAM modules want to take it into account (and for logging too) */
	pga_ntop(&request->remote_addr, raddr, sizeof(raddr));
	rc = pam_set_item(hpam, PAM_RHOST, raddr);
	if (rc != PAM_SUCCESS) {
		log_warning("pam_set_item(): can't set PAM_RHOST to '%s'", raddr);
		pam_end(hpam, rc);
		return false;
	}

	/* Here the authentication is performed */
	rc = pam_authenticate(hpam, PAM_SILENT);
	if (rc != PAM_SUCCESS) {
		log_warning("pam_authenticate() failed: %s", pam_strerror(hpam, rc));
		pam_end(hpam, rc);
		return false;
	}

	/* And here we check that the account is not expired, verifies access hours, etc */
	rc = pam_acct_mgmt(hpam, PAM_SILENT);
	if (rc != PAM_SUCCESS) {
		log_warning("pam_acct_mgmt() failed: %s", pam_strerror(hpam, rc));
		pam_end(hpam, rc);
		return false;
	}

	rc = pam_end(hpam, rc);
	if (rc != PAM_SUCCESS) {
		log_warning("pam_end() failed: %s", pam_strerror(hpam, rc));
	}

	return true;
}
Exemplo n.º 15
0
int pam_begin_session(const char* username, int fd)
{
  int rv, i;
  if (!pam_h &&
      (rv = pam_start(PAM_APPL_NAME, username, &conv, &pam_h)) != PAM_SUCCESS)
    fatal("pam_start() failure: %d", rv);
#ifdef SUN_PAM_TTY_BUG
  if ((rv = pam_set_item(pam_h, PAM_TTY, "/dev/nld")) != PAM_SUCCESS)
    fatal("pam_set_item(PAM_TTY,/dev/nld");
#endif

  conv_reject_prompts = 1;
  pam_conv_fd = fd;

  /* On Solaris and HP-UX, the docs say we can't call setcred first, and the
   * modules actually enforce that. LinuxPAM says we must call setcred first,
   * and that's preferable, so we do it in all other cases. */
#ifdef SUN_PAM
  int setcred_first = 0;
#else
  int setcred_first = 1;
#endif

  for (i = 0; i < 2; ++i) {
    if (i != setcred_first) {
      if ((rv = pam_setcred(pam_h, PAM_ESTABLISH_CRED)) != PAM_SUCCESS) {
        debug("pam_setcred(PAM_ESTABLISH_CRED): %s", pam_strerror(pam_h, rv));
        if (authenticated) {
          pam_conv_fd = -1;
          return -1;
        }
      } else {
        setcred = 1;
      }
    } else {
      if ((rv = pam_open_session(pam_h, 0)) != PAM_SUCCESS) {
        debug("pam_open_session(): %s", pam_strerror(pam_h, rv));
        if (authenticated) {
          pam_conv_fd = -1;
          return -1;
        }
      } else {
        opened_session = 1;
      }
    }
  }
  pam_conv_fd = -1;
  return 0;
}
Exemplo n.º 16
0
static void test_pam_start(void **state)
{
	int rv;
	pam_handle_t *ph;
	struct pwrap_test_ctx *test_ctx;

	test_ctx = (struct pwrap_test_ctx *) *state;
	test_ctx->conv.appdata_ptr = (void *) "testpassword";

	rv = pam_start("matrix", "trinity", &test_ctx->conv, &ph);
	assert_int_equal(rv, PAM_SUCCESS);

	rv = pam_end(ph, PAM_SUCCESS);
	assert_int_equal(rv, PAM_SUCCESS);
}
Exemplo n.º 17
0
int pam_auth_user_pass (char const * const user, char const * const pass)
{
    struct pam_conv pamc = { conv, pass };
    pam_handle_t * pamh = NULL; 
    int retval = PAM_ABORT;

    if ((retval = pam_start ("login", user, &pamc, &pamh)) == PAM_SUCCESS)
    {
        retval = pam_authenticate (pamh, 0);
    }

    LOG (pam_strerror (pamh, retval));
    pam_end (pamh, 0); 
    return retval;
}
Exemplo n.º 18
0
/* returns boolean */
int DEFAULT_CC
auth_userpass(char *user, char *pass, int *errorcode)
{
    pam_handle_t *pamh;
    pam_userpass_t userpass;
    struct pam_conv conv = {pam_userpass_conv, &userpass};
    const void *template1;
    int status;

    userpass.user = user;
    userpass.pass = pass;

    if (pam_start(SERVICE, user, &conv, &pamh) != PAM_SUCCESS)
    {
        return 0;
    }

    status = pam_authenticate(pamh, 0);

    if (status != PAM_SUCCESS)
    {
        pam_end(pamh, status);
        return 0;
    }

    status = pam_acct_mgmt(pamh, 0);

    if (status != PAM_SUCCESS)
    {
        pam_end(pamh, status);
        return 0;
    }

    status = pam_get_item(pamh, PAM_USER, &template1);

    if (status != PAM_SUCCESS)
    {
        pam_end(pamh, status);
        return 0;
    }

    if (pam_end(pamh, PAM_SUCCESS) != PAM_SUCCESS)
    {
        return 0;
    }

    return 1;
}
Exemplo n.º 19
0
/** Check the users password against the standard UNIX password table + PAM.
 *
 * @note For most flexibility, passing a pamauth type to this function
 *	 allows you to have multiple authentication types (i.e. multiple
 *	 files associated with radius in /etc/pam.d).
 *
 * @param request The current request.
 * @param username User to authenticate.
 * @param passwd Password to authenticate with,
 * @param pamauth Type of PAM authentication.
 * @return 0 on success -1 on failure.
 */
static int do_pam(REQUEST *request, char const *username, char const *passwd, char const *pamauth)
{
	pam_handle_t *handle = NULL;
	int ret;
	rlm_pam_data_t pam_config;
	struct pam_conv conv;

	/*
	 *  Initialize the structures
	 */
	conv.conv = pam_conv;
	conv.appdata_ptr = &pam_config;
	pam_config.request = request;
	pam_config.username = username;
	pam_config.password = passwd;
	pam_config.error = false;

	RDEBUG2("Using pamauth string \"%s\" for pam.conf lookup", pamauth);

	ret = pam_start(pamauth, username, &conv, &handle);
	if (ret != PAM_SUCCESS) {
		RERROR("pam_start failed: %s", pam_strerror(handle, ret));
		return -1;
	}

	ret = pam_authenticate(handle, 0);
	if (ret != PAM_SUCCESS) {
		RERROR("pam_authenticate failed: %s", pam_strerror(handle, ret));
		pam_end(handle, ret);
		return -1;
	}

	/*
	 *	FreeBSD 3.x doesn't have account and session management
	 *	functions in PAM, while 4.0 does.
	 */
#if !defined(__FreeBSD_version) || (__FreeBSD_version >= 400000)
	ret = pam_acct_mgmt(handle, 0);
	if (ret != PAM_SUCCESS) {
		RERROR("pam_acct_mgmt failed: %s", pam_strerror(handle, ret));
		pam_end(handle, ret);
		return -1;
	}
#endif
	RDEBUG2("Authentication succeeded");
	pam_end(handle, ret);
	return 0;
}
Exemplo n.º 20
0
int main(int argc, char **argv) {
	pam_handle_t *pamh=NULL;
	static struct pam_conv pamc = {
			misc_conv,
			NULL
	};

	if( PAM_SUCCESS != pam_start("test", "testa", &pamc, &pamh) )
	{
		fprintf(stderr, "ERR: pam_start failed!\n");
		return 1;
	}

	/*
	if( PAM_SUCCESS != pam_set_item(pamh, PAM_USER, "tester") )
	{
		fprintf(stderr, "ERR: pam_set_item user failed!\n");
		return 1;
	}

	if( PAM_SUCCESS != pam_chauthtok(pamh, 0) )
	{
		fprintf(stderr, "ERR: pam_chauthtok failed!\n");
		return 1;
	}

	if( PAM_SUCCESS != pam_set_item(pamh, PAM_AUTHTOK, "mypassword") )
	{
		fprintf(stderr, "ERR: pam_set_item password failed!\n");
		return 1;
	}
	*/

	if( PAM_SUCCESS != pam_chauthtok(pamh, 0) )
	{
		fprintf(stderr, "ERR: pam_chauthtok failed!\n");
		return 1;
	}

	if( PAM_SUCCESS != pam_end(pamh, PAM_SUCCESS) )
	{
		fprintf(stderr, "ERR: pam_end failed!\n");
		return 1;
	}

	return 0;

}
Exemplo n.º 21
0
static int check_pw(const char *login, const char *pwd)
{
  struct pam_conv  pam_c;
  pam_handle_t    *phth;
  int              ret;

  pam_c.conv = conv_func;
  pam_c.appdata_ptr = (void *)pwd;

  assert(pam_start("lolock", login, &pam_c, &phth) == PAM_SUCCESS);

  ret = pam_authenticate(phth, PAM_SILENT);

  pam_end(phth, 0);
  return ret == PAM_SUCCESS;
}
Exemplo n.º 22
0
static int
auth_CheckPasswd(const char *name, const char *data, const char *key)
{
  if (!strcmp(data, "*")) {
#ifdef NOPAM
    /* Then look up the real password database */
    struct passwd *pw;
    int result = 0;
    char *cryptpw;
    
    pw = getpwnam(name);

    if (pw) {
      cryptpw = crypt(key, pw->pw_passwd);

      result = (cryptpw != NULL) && !strcmp(cryptpw, pw->pw_passwd);
    }

    endpwent();

    return result;
#else /* !NOPAM */
    /* Then consult with PAM. */
    pam_handle_t *pamh;
    int status;

    struct pam_conv pamc = {
#ifdef OPENPAM
      &openpam_nullconv, NULL
#else
      &pam_conv, key
#endif
    };

    if (pam_start("ppp", name, &pamc, &pamh) != PAM_SUCCESS)
      return (0);
#ifdef OPENPAM
    if ((status = pam_set_item(pamh, PAM_AUTHTOK, key)) == PAM_SUCCESS)
#endif
      status = pam_authenticate(pamh, 0);
    pam_end(pamh, status);
    return (status == PAM_SUCCESS);
#endif /* !NOPAM */
  }

  return !strcmp(data, key);
}
Exemplo n.º 23
0
int main(int argc, char *argv[])
{
	pam_handle_t *pamh = NULL;
	int retval;
	struct pam_conv conv = { gradm_pam_conv, NULL };
	struct gr_arg_wrapper wrapper;
	struct gr_arg arg;
	int fd;

	if (argc != 2)
		exit(EXIT_FAILURE);

	wrapper.version = GRADM_VERSION;
	wrapper.size = sizeof(struct gr_arg);
	wrapper.arg = &arg;
	arg.mode = GRADM_STATUS;

	if ((fd = open(GRDEV_PATH, O_WRONLY)) < 0) {
		fprintf(stderr, "Could not open %s.\n", GRDEV_PATH);
		failure("open");
	}

	retval = write(fd, &wrapper, sizeof(struct gr_arg_wrapper));
	close(fd);

	if (retval != 1)
		exit(EXIT_FAILURE);

	retval = pam_start(PAM_SERVICENAME, argv[1], &conv, &pamh);

	if (retval == PAM_SUCCESS)
		retval = pam_authenticate(pamh, 0);

	if (retval == PAM_SUCCESS)
		retval = pam_acct_mgmt(pamh, 0);

	if (retval == PAM_AUTHTOK_EXPIRED)
		retval = pam_chauthtok(pamh, 0);

	if (pamh)
		pam_end(pamh, retval);

	if (retval != PAM_SUCCESS)
		exit(EXIT_FAILURE);

	return EXIT_SUCCESS;
}
Exemplo n.º 24
0
static int acct_mgmt(char *service, char *user)
{
  struct pam_conv conv = {misc_conv, NULL};
  int retval;
  pam_handle_t *pamh = NULL;
  retval = pam_start(service, user, &conv, &pamh);
  if (retval == PAM_SUCCESS)
    retval = pam_set_item(pamh, PAM_RUSER, user);
#ifdef PAM_FAIL_DELAY
  if (retval == PAM_SUCCESS)
    retval = pam_set_item(pamh, PAM_FAIL_DELAY, (void *)delay_fn);
#endif
  if (retval == PAM_SUCCESS)
    retval = pam_acct_mgmt(pamh, 0);
  pam_end(pamh, retval);
  return retval;
}
Exemplo n.º 25
0
static void test_pam_prompt(void **state)
{
	struct pwrap_test_ctx *test_ctx;
	int rv;
	char *response;
	int resp_array[2];

	test_ctx = (struct pwrap_test_ctx *) *state;

	memset(resp_array, 0, sizeof(resp_array));

	test_ctx->conv.conv = pwrap_echo_conv;
	test_ctx->conv.appdata_ptr = resp_array;

	rv = pam_start("matrix", "trinity",
		       &test_ctx->conv, &test_ctx->ph);
	assert_int_equal(rv, PAM_SUCCESS);

	rv = pam_prompt(test_ctx->ph, PAM_PROMPT_ECHO_OFF, &response, "no echo");
	assert_int_equal(rv, PAM_SUCCESS);
	assert_string_equal(response, "echo off: no echo");
	free(response);

	rv = vprompt_test_fn(test_ctx->ph, PAM_PROMPT_ECHO_OFF, &response, "no echo");
	assert_int_equal(rv, PAM_SUCCESS);
	assert_string_equal(response, "echo off: no echo");
	free(response);

	rv = pam_prompt(test_ctx->ph, PAM_PROMPT_ECHO_ON, &response, "echo");
	assert_int_equal(rv, PAM_SUCCESS);
	assert_string_equal(response, "echo on: echo");
	free(response);

	rv = vprompt_test_fn(test_ctx->ph, PAM_PROMPT_ECHO_ON, &response, "echo");
	assert_int_equal(rv, PAM_SUCCESS);
	assert_string_equal(response, "echo on: echo");
	free(response);

	assert_int_equal(resp_array[0], 0);
	pam_info(test_ctx->ph, "info");
	assert_int_equal(resp_array[0], 1);

	assert_int_equal(resp_array[1], 0);
	pam_error(test_ctx->ph, "error");
	assert_int_equal(resp_array[1], 1);
}
Exemplo n.º 26
0
int
main(void)
{
    pam_handle_t *pamh;
    struct pam_conv conv = { NULL, NULL };
    struct pam_args *args;

    plan(12);

    if (pam_start("test", NULL, &conv, &pamh) != PAM_SUCCESS)
        sysbail("Fake PAM initialization failed");
    args = putil_args_new(pamh, 0);
    ok(args != NULL, "New args struct is not NULL");
    if (args == NULL)
        ok_block(7, 0, "...args struct is NULL");
    else {
        ok(args->pamh == pamh, "...and pamh is correct");
        ok(args->config == NULL, "...and config is NULL");
        ok(args->user == NULL, "...and user is NULL");
        is_int(args->debug, false, "...and debug is false");
        is_int(args->silent, false, "...and silent is false");
#ifdef HAVE_KRB5
        ok(args->ctx != NULL, "...and the Kerberos context is initialized");
        ok(args->realm == NULL, "...and realm is NULL");
#else
        skip_block(2, "Kerberos support not configured");
#endif
    }
    putil_args_free(args);
    ok(1, "Freeing the args struct works");

    args = putil_args_new(pamh, PAM_SILENT);
    ok(args != NULL, "New args struct with PAM_SILENT is not NULL");
    if (args == NULL)
        ok(0, "...args is NULL");
    else
        is_int(args->silent, true, "...and silent is true");
    putil_args_free(args);

    putil_args_free(NULL);
    ok(1, "Freeing a NULL args struct works");

    pam_end(pamh, 0);

    return 0;
}
Exemplo n.º 27
0
/**
 * \brief Try to authentication user using PAM. Only password could be use now.
 */
int vs_pam_auth_user(struct vContext *C, const char *username, const char *pass)
{
	struct VSession *vsession = CTX_current_session(C);
	int retval;

	/* Use password for user authentication */
	vsession->conv.appdata_ptr = (void*)pass;

	/* Try to initialization PAM transaction */
	if((retval = pam_start("verse", username, &vsession->conv, &vsession->pamh)) != PAM_SUCCESS) {
		v_print_log(VRS_PRINT_ERROR, "pam_start() failed: %s\n", pam_strerror(vsession->pamh, retval));
		vs_pam_end_user_auth(vsession, retval);
		return -1;
	}

	/* Try to setup remote host for PAM */
	if((retval = pam_set_item(vsession->pamh, PAM_RHOST, vsession->peer_hostname))) {
		v_print_log(VRS_PRINT_ERROR, "pam_set_item(): hostname: %s failed: %s\n",
				vsession->peer_hostname, pam_strerror(vsession->pamh, retval));
		vs_pam_end_user_auth(vsession, retval);
		return -1;
	}

	/* Authenticate user: is the username in the "database" of valid usernames? */
	if((retval = pam_authenticate(vsession->pamh, 0)) != PAM_SUCCESS) {
		v_print_log(VRS_PRINT_ERROR, "pam_authenticate(): username: %s failed: %s\n", username, pam_strerror(vsession->pamh, retval));
		vs_pam_end_user_auth(vsession, retval);
		return -1;
	}

	/* Is user's account valid? */
	if((retval = pam_acct_mgmt(vsession->pamh, 0)) == PAM_SUCCESS) {
		v_print_log(VRS_PRINT_DEBUG_MSG, "pam_acct_mgmt(): username: %s: %s\n", username, pam_strerror(vsession->pamh, retval));
		vs_pam_end_user_auth(vsession, retval);
		/* TODO: get UID and return it */
		return -1;
	} else {
		v_print_log(VRS_PRINT_ERROR, "pam_cct_mgmt(): username: %s failed: %s\n", username, pam_strerror(vsession->pamh, retval));
		vs_pam_end_user_auth(vsession, retval);
		return -1;
	}

	vs_pam_end_user_auth(vsession, retval);

	return -1;
}
Exemplo n.º 28
0
int
main(int argc, char *argv[])
{
  pam_handle_t *pamh=NULL;
  const char *user="******";
  const char *stack="tst-pam_authfail";
  int retval;
  int debug = 0;

  if (argc > 2) {
    stack = argv[2];
  }

  if (argc > 1) {
    if (strcmp (argv[1], "-d") == 0)
      debug = 1;
    else
      stack = argv[1];
  }


  retval = pam_start(stack, user, &conv, &pamh);
  if (retval != PAM_SUCCESS)
    {
      if (debug)
	fprintf (stderr, "test3: pam_start returned %d\n", retval);
      return 1;
    }

  retval = pam_authenticate(pamh, 0);
  if (retval == PAM_SUCCESS)
    {
      if (debug)
	fprintf (stderr, "test3: pam_authenticate returned %d\n", retval);
      return 1;
    }

  retval = pam_end(pamh,retval);
  if (retval != PAM_SUCCESS)
    {
      if (debug)
	fprintf (stderr, "test3: pam_end returned %d\n", retval);
      return 1;
    }
  return 0;
}
Exemplo n.º 29
0
void
ssh_gssapi_rekey_creds() {
	int ok;
	int ret;
#ifdef USE_PAM
	pam_handle_t *pamh = NULL;
	struct pam_conv pamconv = {ssh_gssapi_simple_conv, NULL};
	char *envstr;
#endif

	if (gssapi_client.store.filename == NULL && 
	    gssapi_client.store.envval == NULL &&
	    gssapi_client.store.envvar == NULL)
		return;
 
	ok = PRIVSEP(ssh_gssapi_update_creds(&gssapi_client.store));

	if (!ok)
		return;

	debug("Rekeyed credentials stored successfully");

	/* Actually managing to play with the ssh pam stack from here will
	 * be next to impossible. In any case, we may want different options
	 * for rekeying. So, use our own :)
	 */
#ifdef USE_PAM	
	if (!use_privsep) {
		debug("Not even going to try and do PAM with privsep disabled");
		return;
	}

	ret = pam_start("sshd-rekey", gssapi_client.store.owner->pw_name,
 	    &pamconv, &pamh);
	if (ret)
		return;

	xasprintf(&envstr, "%s=%s", gssapi_client.store.envvar, 
	    gssapi_client.store.envval);

	ret = pam_putenv(pamh, envstr);
	if (!ret)
		pam_setcred(pamh, PAM_REINITIALIZE_CRED);
	pam_end(pamh, PAM_SUCCESS);
#endif
}
int
sudo_pam_init(struct passwd *pw, sudo_auth *auth)
{
    static struct pam_conv pam_conv;
    static int pam_status;
    debug_decl(sudo_pam_init, SUDO_DEBUG_AUTH)

    /* Initial PAM setup */
    auth->data = (void *) &pam_status;
    pam_conv.conv = converse;
    pam_status = pam_start(ISSET(sudo_mode, MODE_LOGIN_SHELL) ?
	def_pam_login_service : def_pam_service, pw->pw_name, &pam_conv, &pamh);
    if (pam_status != PAM_SUCCESS) {
	log_warning(USE_ERRNO|NO_MAIL, N_("unable to initialize PAM"));
	debug_return_int(AUTH_FATAL);
    }

    /*
     * Set PAM_RUSER to the invoking user (the "from" user).
     * We set PAM_RHOST to avoid a bug in Solaris 7 and below.
     */
    (void) pam_set_item(pamh, PAM_RUSER, user_name);
#ifdef __sun__
    (void) pam_set_item(pamh, PAM_RHOST, user_host);
#endif

    /*
     * Some versions of pam_lastlog have a bug that
     * will cause a crash if PAM_TTY is not set so if
     * there is no tty, set PAM_TTY to the empty string.
     */
    if (user_ttypath == NULL)
	(void) pam_set_item(pamh, PAM_TTY, "");
    else
	(void) pam_set_item(pamh, PAM_TTY, user_ttypath);

    /*
     * If PAM session and setcred support is disabled we don't
     * need to keep a sudo process around to close the session.
     */
    if (!def_pam_session && !def_pam_setcred)
	auth->end_session = NULL;

    debug_return_int(AUTH_SUCCESS);
}