int pam_setup (char *user, char *host) { /* * Any application using PAM must provide a conversion function, which * is used for direct communication between a loaded module and the * application. In this case, SLURM does need a communication mechanism, * so the default (or null) conversation function may be used. */ struct pam_conv conv = {misc_conv, NULL}; int rc = 0; if (!conf->use_pam) return SLURM_SUCCESS; /* * SLURM uses PAM to obtain resource limits established by the system * administrator. PAM's session management library is responsible for * handling resource limits. When a PAM session is opened on behalf of * a user, the limits imposed by the sys admin are picked up. Opening * a PAM session requires a PAM handle, which is obtained when the PAM * interface is intialized. (PAM handles are required with essentially * all PAM calls.) It's also necessary to have the users PAM credentials * to open a user session. */ if ((rc = pam_start (SLURM_SERVICE_PAM, user, &conv, &pam_h)) != PAM_SUCCESS) { error ("pam_start: %s", pam_strerror(pam_h, rc)); return SLURM_ERROR; } else if ((rc = pam_set_item (pam_h, PAM_USER, user)) != PAM_SUCCESS) { error ("pam_set_item USER: %s", pam_strerror(pam_h, rc)); return SLURM_ERROR; } else if ((rc = pam_set_item (pam_h, PAM_RUSER, user)) != PAM_SUCCESS) { error ("pam_set_item RUSER: %s", pam_strerror(pam_h, rc)); return SLURM_ERROR; } else if ((rc = pam_set_item (pam_h, PAM_RHOST, host)) != PAM_SUCCESS) { error ("pam_set_item HOST: %s", pam_strerror(pam_h, rc)); return SLURM_ERROR; } else if ((rc = pam_setcred (pam_h, PAM_ESTABLISH_CRED)) != PAM_SUCCESS) { error ("pam_setcred: %s", pam_strerror(pam_h, rc)); return SLURM_ERROR; } else if ((rc = pam_open_session (pam_h, 0)) != PAM_SUCCESS) { error("pam_open_session: %s", pam_strerror(pam_h, rc)); return SLURM_ERROR; } return SLURM_SUCCESS; }
int x11_shadow_pam_authenticate(x11ShadowSubsystem* subsystem, const char* user, const char* domain, const char* password) { int pam_status; SHADOW_PAM_AUTH_INFO* info; info = calloc(1, sizeof(SHADOW_PAM_AUTH_INFO)); if (!info) return PAM_CONV_ERR; if (x11_shadow_pam_get_service_name(info) < 0) return -1; info->appdata.user = user; info->appdata.domain = domain; info->appdata.password = password; info->pamc.conv = &x11_shadow_pam_conv; info->pamc.appdata_ptr = &(info->appdata); pam_status = pam_start(info->service_name, 0, &(info->pamc), &(info->handle)); if (pam_status != PAM_SUCCESS) { WLog_ERR(TAG, "pam_start failure: %s", pam_strerror(info->handle, pam_status)); free(info); return -1; } pam_status = pam_authenticate(info->handle, 0); if (pam_status != PAM_SUCCESS) { WLog_ERR(TAG, "pam_authenticate failure: %s", pam_strerror(info->handle, pam_status)); free(info); return -1; } pam_status = pam_acct_mgmt(info->handle, 0); if (pam_status != PAM_SUCCESS) { WLog_ERR(TAG, "pam_acct_mgmt failure: %s", pam_strerror(info->handle, pam_status)); free(info); return -1; } free(info); return 1; }
bool httpPamVerifyUser(HttpConn *conn) { MprBuf *abilities; pam_handle_t *pamh; UserInfo info; struct pam_conv conv = { pamChat, &info }; struct group *gp; int res, i; mprAssert(conn->username); mprAssert(conn->password); mprAssert(!conn->encoded); info.name = (char*) conn->username; info.password = (char*) conn->password; pamh = NULL; if ((res = pam_start("login", info.name, &conv, &pamh)) != PAM_SUCCESS) { return 0; } if ((res = pam_authenticate(pamh, PAM_DISALLOW_NULL_AUTHTOK)) != PAM_SUCCESS) { pam_end(pamh, PAM_SUCCESS); mprLog(5, "httpPamVerifyUser failed to verify %s", conn->username); return 0; } pam_end(pamh, PAM_SUCCESS); mprLog(5, "httpPamVerifyUser verified %s", conn->username); if (!conn->user) { conn->user = mprLookupKey(conn->rx->route->auth->users, conn->username); } if (!conn->user) { Gid groups[32]; int ngroups; /* Create a temporary user with a abilities set to the groups */ ngroups = sizeof(groups) / sizeof(Gid); if ((i = getgrouplist(conn->username, 99999, groups, &ngroups)) >= 0) { abilities = mprCreateBuf(0, 0); for (i = 0; i < ngroups; i++) { if ((gp = getgrgid(groups[i])) != 0) { mprPutFmtToBuf(abilities, "%s ", gp->gr_name); } } mprAddNullToBuf(abilities); mprLog(5, "Create temp user \"%s\" with abilities: %s", conn->username, mprGetBufStart(abilities)); conn->user = httpCreateUser(conn->rx->route->auth, conn->username, 0, mprGetBufStart(abilities)); } } return 1; }
long freerds_authenticate(char* username, char* password, int* errorcode) { int error; char service_name[256]; struct t_auth_info* auth_info; get_service_name(service_name); auth_info = malloc(sizeof(struct t_auth_info)); ZeroMemory(auth_info, sizeof(struct t_auth_info)); strcpy(auth_info->user_pass.user, username); strcpy(auth_info->user_pass.pass, password); auth_info->pamc.conv = &verify_pam_conv; auth_info->pamc.appdata_ptr = &(auth_info->user_pass); error = pam_start(service_name, 0, &(auth_info->pamc), &(auth_info->ph)); if (error != PAM_SUCCESS) { if (errorcode != NULL) *errorcode = error; printf("pam_start failed: %s\n", pam_strerror(auth_info->ph, error)); free(auth_info); return 0; } error = pam_authenticate(auth_info->ph, 0); if (error != PAM_SUCCESS) { if (errorcode != NULL) *errorcode = error; printf("pam_authenticate failed: %s\n", pam_strerror(auth_info->ph, error)); free(auth_info); return 0; } error = pam_acct_mgmt(auth_info->ph, 0); if (error != PAM_SUCCESS) { if (errorcode != NULL) *errorcode = error; printf("pam_acct_mgmt failed: %s\n", pam_strerror(auth_info->ph, error)); free(auth_info); return 0; } return (long) auth_info; }
static int sshpam_init(Authctxt *authctxt) { extern char *__progname; const char *pam_rhost, *pam_user, *user = authctxt->user; const char **ptr_pam_user = &pam_user; struct ssh *ssh = active_state; /* XXX */ if (sshpam_handle != NULL) { /* We already have a PAM context; check if the user matches */ sshpam_err = pam_get_item(sshpam_handle, PAM_USER, (sshpam_const void **)ptr_pam_user); if (sshpam_err == PAM_SUCCESS && strcmp(user, pam_user) == 0) return (0); pam_end(sshpam_handle, sshpam_err); sshpam_handle = NULL; } debug("PAM: initializing for \"%s\"", user); sshpam_err = pam_start(SSHD_PAM_SERVICE, user, &store_conv, &sshpam_handle); sshpam_authctxt = authctxt; if (sshpam_err != PAM_SUCCESS) { pam_end(sshpam_handle, sshpam_err); sshpam_handle = NULL; return (-1); } pam_rhost = auth_get_canonical_hostname(ssh, options.use_dns); debug("PAM: setting PAM_RHOST to \"%s\"", pam_rhost); sshpam_err = pam_set_item(sshpam_handle, PAM_RHOST, pam_rhost); if (sshpam_err != PAM_SUCCESS) { pam_end(sshpam_handle, sshpam_err); sshpam_handle = NULL; return (-1); } #ifdef PAM_TTY_KLUDGE /* * Some silly PAM modules (e.g. pam_time) require a TTY to operate. * sshd doesn't set the tty until too late in the auth process and * may not even set one (for tty-less connections) */ debug("PAM: setting PAM_TTY to \"ssh\""); sshpam_err = pam_set_item(sshpam_handle, PAM_TTY, "ssh"); if (sshpam_err != PAM_SUCCESS) { pam_end(sshpam_handle, sshpam_err); sshpam_handle = NULL; return (-1); } #endif return (0); }
bool MainWindow::doAuthenticate() { Authenticated = false; LoginDialog dialog(this); if (dialog.exec()) { pcode = dialog.getPass(); static pam_handle_t *pamh; struct pam_conv pamc = { converse, this }; char hostname[MAXHOSTNAMELEN]; char *ruser; int retcode = 0; char user[] = "root"; pam_start("su", user, &pamc, &pamh); gethostname(hostname, sizeof(hostname)); if ((retcode = pam_set_item(pamh, PAM_RHOST, hostname)) != PAM_SUCCESS) { pcode = ""; dialog.clearPass(); qDebug() << "pam_set_item hostname failed. " << pam_strerror(pamh, retcode); return false; } ruser = getlogin(); if ((retcode = pam_set_item(pamh, PAM_RUSER, ruser)) != PAM_SUCCESS) { pcode = ""; dialog.clearPass(); qDebug() << "pam_set_item remote user failed. " << pam_strerror(pamh, retcode); return false; } if ((retcode = pam_authenticate(pamh, 0)) != PAM_SUCCESS) { pcode = ""; dialog.clearPass(); qDebug() << "pam_authenticate failed. " << pam_strerror(pamh, retcode); return false; } Authenticated = true; qDebug() << "Authenticated as root. "; pcode = ""; dialog.clearPass(); return true; } qDebug() << "Not Authenticated as root."; Authenticated = false; return false; }
static void do_auth(char *service, char*user, char*pwd, char* mode, int sid) { pam_handle_t *pamh=NULL; int retval; struct session *sessp; conv.appdata_ptr = (void*)strdup(pwd); retval = pam_start(service, user, &conv, &pamh); if (retval != PAM_SUCCESS) { werr(pamh, sid, retval, "start"); return; } pam_set_item(pamh, PAM_RUSER, user); retval = pam_authenticate(pamh, 0); if (retval != PAM_SUCCESS) { werr(pamh, sid, retval, "auth"); return; } if (mode[0] == 'A') { retval = pam_acct_mgmt(pamh, 0); if (retval != PAM_SUCCESS) { werr(pamh, sid, retval, "accounting"); return; } /*fprintf(stderr, "did ok acct \n\r");*/ } if (mode[1] == 'S') { retval = pam_open_session(pamh, 0); if (retval != PAM_SUCCESS) { werr(pamh, sid, retval, "session"); return; } /*fprintf(stderr, "did ok open sess \n\r"); */ } if ((sessp = malloc(sizeof(struct session))) == NULL) { werr(pamh, sid, -1, "malloc"); return; } if (mode[1] == 'S') sessp->session_mode = 1; else sessp->session_mode = 0; sessp->sid = sid; sessp->pamh = pamh; sessp->next = sessions; sessions = sessp; wok(sid); }
int lxdm_auth_user_authenticate(LXDM_AUTH *a,const char *user,const char *pass,int type) { struct passwd *pw; if(!user || !user[0]) { g_debug("user==NULL\n"); return AUTH_ERROR; } pw = getpwnam(user); endpwent(); if(!pw) { g_debug("user %s not found\n",user); return AUTH_BAD_USER; } if(strstr(pw->pw_shell, "nologin")) { g_debug("user %s have nologin shell\n",user); return AUTH_PRIV; } if(a->handle) pam_end(a->handle,0); if(PAM_SUCCESS != pam_start("lxdm", pw->pw_name, &conv, (pam_handle_t**)&a->handle)) { a->handle=NULL; g_debug("user %s start pam fail\n",user); return AUTH_FAIL; } else { int ret; if(type==AUTH_TYPE_AUTO_LOGIN && !pass) goto out; user_pass[0]=(char*)user;user_pass[1]=(char*)pass; ret=pam_authenticate(a->handle,PAM_SILENT); user_pass[0]=0;user_pass[1]=0; if(ret!=PAM_SUCCESS) { g_debug("user %s auth fail with %d\n",user,ret); return AUTH_FAIL; } ret=pam_acct_mgmt(a->handle,PAM_SILENT); if(ret!=PAM_SUCCESS) { g_debug("user %s acct mgmt fail with %d\n",user,ret); return AUTH_FAIL; } } out: passwd_copy(&a->pw,pw); return AUTH_SUCCESS; }
static authn_status pam_authenticate_with_login_password(request_rec * r, const char * pam_service, const char * login, const char * password, int steps) { pam_handle_t * pamh = NULL; struct pam_conv pam_conversation = { &pam_authenticate_conv, (void *) password }; const char * stage = "PAM transaction failed for service"; const char * param = pam_service; int ret; ret = pam_start(pam_service, login, &pam_conversation, &pamh); if (ret == PAM_SUCCESS) { const char * remote_host_or_ip = ap_get_remote_host(r->connection, r->per_dir_config, REMOTE_NAME, NULL); if (remote_host_or_ip) { stage = "PAM pam_set_item PAM_RHOST failed for service"; ret = pam_set_item(pamh, PAM_RHOST, remote_host_or_ip); } } if (ret == PAM_SUCCESS) { if (steps & _PAM_STEP_AUTH) { param = login; stage = "PAM authentication failed for user"; ret = pam_authenticate(pamh, PAM_SILENT | PAM_DISALLOW_NULL_AUTHTOK); } if ((ret == PAM_SUCCESS) && (steps & _PAM_STEP_ACCOUNT)) { param = login; stage = "PAM account validation failed for user"; ret = pam_acct_mgmt(pamh, PAM_SILENT | PAM_DISALLOW_NULL_AUTHTOK); if (ret == PAM_NEW_AUTHTOK_REQD) { authnz_pam_config_rec * conf = ap_get_module_config(r->per_dir_config, &authnz_pam_module); if (conf && conf->expired_redirect_url) { ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server, "mod_authnz_pam: PAM_NEW_AUTHTOK_REQD: redirect to [%s]", conf->expired_redirect_url); apr_table_addn(r->headers_out, "Location", format_location(r, conf->expired_redirect_url, login)); return HTTP_TEMPORARY_REDIRECT; } } } } if (ret != PAM_SUCCESS) { const char * strerr = pam_strerror(pamh, ret); ap_log_error(APLOG_MARK, APLOG_WARNING, 0, r->server, "mod_authnz_pam: %s %s: %s", stage, param, strerr); apr_table_setn(r->subprocess_env, _EXTERNAL_AUTH_ERROR_ENV_NAME, apr_pstrdup(r->pool, strerr)); pam_end(pamh, ret); return AUTH_DENIED; } apr_table_setn(r->subprocess_env, _REMOTE_USER_ENV_NAME, login); r->user = apr_pstrdup(r->pool, login); ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, r->server, "mod_authnz_pam: PAM authentication passed for user %s", login); pam_end(pamh, ret); return AUTH_GRANTED; }
/* cjd 19980706 * * for most flexibility, passing a pamauth type to this function * allows you to have multiple authentication types (i.e. multiple * files associated with radius in /etc/pam.d) */ static int pam_pass(char const *name, char const *passwd, char const *pamauth) { pam_handle_t *pamh=NULL; int retval; my_PAM pam_config; struct pam_conv conv; /* * Initialize the structures. */ conv.conv = PAM_conv; conv.appdata_ptr = &pam_config; pam_config.username = name; pam_config.password = passwd; pam_config.error = 0; DEBUG("pam_pass: using pamauth string <%s> for pam.conf lookup", pamauth); retval = pam_start(pamauth, name, &conv, &pamh); if (retval != PAM_SUCCESS) { DEBUG("pam_pass: function pam_start FAILED for <%s>. Reason: %s", name, pam_strerror(pamh, retval)); return -1; } retval = pam_authenticate(pamh, 0); if (retval != PAM_SUCCESS) { DEBUG("pam_pass: function pam_authenticate FAILED for <%s>. Reason: %s", name, pam_strerror(pamh, retval)); pam_end(pamh, retval); return -1; } /* * FreeBSD 3.x doesn't have account and session management * functions in PAM, while 4.0 does. */ #if !defined(__FreeBSD_version) || (__FreeBSD_version >= 400000) retval = pam_acct_mgmt(pamh, 0); if (retval != PAM_SUCCESS) { DEBUG("pam_pass: function pam_acct_mgmt FAILED for <%s>. Reason: %s", name, pam_strerror(pamh, retval)); pam_end(pamh, retval); return -1; } #endif DEBUG("pam_pass: authentication succeeded for <%s>", name); pam_end(pamh, retval); return 0; }
bool XProcess::pam_checkPW(){ //Requires internal "xuser" and "xpwd" variables to be set //Convert the inputs to C character arrays for use in PAM QByteArray tmp = xuser.toUtf8(); char* cUser = tmp.data(); QByteArray tmp2 = xpwd.toUtf8(); char* cPassword = tmp2.data(); //initialize variables bool result = false; int ret; //Initialize PAM //qDebug() << "Starting PAM:" << xuser << tmp << xpwd << tmp2; if(xuser=="root"){ ret = pam_start("system", cUser, &pamc, &pamh); } else{ ret = pam_start("login", cUser, &pamc, &pamh); } if( ret == PAM_SUCCESS ){ pam_started = true; //flag that pam is started //Place the user-supplied password into the structure ret = pam_set_item(pamh, PAM_AUTHTOK, cPassword); if(ret != PAM_SUCCESS){ pam_logFailure(ret); return false; } //Set the TTY //ret = pam_set_item(pamh, PAM_TTY, "pcdm-terminal"); //Authenticate with PAM ret = pam_authenticate(pamh,0); if( ret == PAM_SUCCESS ){ //Check for valid, unexpired account and verify access restrictions ret = pam_acct_mgmt(pamh,0); if( ret == PAM_SUCCESS ){ result = true; } else{ pam_logFailure(ret); } }else{ pam_logFailure(ret); } }else{ qCritical() << "Could not start PAM"; } //return verification result return result; }
static gboolean cockpit_auth_pam_verify_password (CockpitAuth *auth, const gchar *user, const gchar *password, GError **error) { pam_handle_t *pamh = NULL; int pam_status = 0; const char *pam_user; gboolean ret = FALSE; struct pam_conv_data data; struct pam_conv conv; data.inputs[0] = (char *)password; data.inputs[1] = NULL; data.current_input = 0; conv.conv = pam_conv_func; conv.appdata_ptr = (void *)&data; pam_status = pam_start ("cockpit", user, &conv, &pamh); if (pam_status == PAM_SUCCESS) pam_status = pam_authenticate (pamh, 0); if (pam_status == PAM_SUCCESS) pam_status = pam_get_item (pamh, PAM_USER, (const void **)&pam_user); if (pam_status == PAM_AUTH_ERR || pam_status == PAM_USER_UNKNOWN) { g_set_error (error, COCKPIT_ERROR, COCKPIT_ERROR_AUTHENTICATION_FAILED, "Authentication failed"); ret = FALSE; goto out; } if (pam_status != PAM_SUCCESS) { g_set_error (error, COCKPIT_ERROR, COCKPIT_ERROR_FAILED, "%s", pam_strerror (pamh, pam_status)); ret = FALSE; goto out; } ret = TRUE; out: if (pamh) pam_end (pamh, pam_status); return ret; }
static void pm_do_auth(adt_session_data_t *ah) { pam_handle_t *pm_pamh; int err; int pam_flag = 0; int chpasswd_tries; struct pam_conv pam_conv = {pam_tty_conv, NULL}; if (user[0] == '\0') return; if ((err = pam_start("sys-suspend", user, &pam_conv, &pm_pamh)) != PAM_SUCCESS) return; pam_flag = PAM_DISALLOW_NULL_AUTHTOK; do { err = pam_authenticate(pm_pamh, pam_flag); if (err == PAM_SUCCESS) { err = pam_acct_mgmt(pm_pamh, pam_flag); if (err == PAM_NEW_AUTHTOK_REQD) { chpasswd_tries = 0; do { err = pam_chauthtok(pm_pamh, PAM_CHANGE_EXPIRED_AUTHTOK); chpasswd_tries++; } while ((err == PAM_AUTHTOK_ERR || err == PAM_TRY_AGAIN) && chpasswd_tries < DEF_ATTEMPTS); pm_audit_event(ah, ADT_passwd, err); } err = pam_setcred(pm_pamh, PAM_REFRESH_CRED); } if (err != PAM_SUCCESS) { (void) fprintf(stdout, "%s\n", pam_strerror(pm_pamh, err)); pm_audit_event(ah, ADT_screenunlock, err); } } while (err != PAM_SUCCESS); pm_audit_event(ah, ADT_passwd, 0); (void) pam_end(pm_pamh, err); }
static bool pam_check_passwd(struct pam_auth_request *request) { pam_handle_t *hpam; char raddr[PGADDR_BUF]; int rc; struct pam_conv pam_conv = { .conv = pam_conversation, .appdata_ptr = request }; rc = pam_start(PGBOUNCER_PAM_SERVICE, request->username, &pam_conv, &hpam); if (rc != PAM_SUCCESS) { log_warning("pam_start() failed: %s", pam_strerror(NULL, rc)); return false; } /* Set rhost too in case if some PAM modules want to take it into account (and for logging too) */ pga_ntop(&request->remote_addr, raddr, sizeof(raddr)); rc = pam_set_item(hpam, PAM_RHOST, raddr); if (rc != PAM_SUCCESS) { log_warning("pam_set_item(): can't set PAM_RHOST to '%s'", raddr); pam_end(hpam, rc); return false; } /* Here the authentication is performed */ rc = pam_authenticate(hpam, PAM_SILENT); if (rc != PAM_SUCCESS) { log_warning("pam_authenticate() failed: %s", pam_strerror(hpam, rc)); pam_end(hpam, rc); return false; } /* And here we check that the account is not expired, verifies access hours, etc */ rc = pam_acct_mgmt(hpam, PAM_SILENT); if (rc != PAM_SUCCESS) { log_warning("pam_acct_mgmt() failed: %s", pam_strerror(hpam, rc)); pam_end(hpam, rc); return false; } rc = pam_end(hpam, rc); if (rc != PAM_SUCCESS) { log_warning("pam_end() failed: %s", pam_strerror(hpam, rc)); } return true; }
int pam_begin_session(const char* username, int fd) { int rv, i; if (!pam_h && (rv = pam_start(PAM_APPL_NAME, username, &conv, &pam_h)) != PAM_SUCCESS) fatal("pam_start() failure: %d", rv); #ifdef SUN_PAM_TTY_BUG if ((rv = pam_set_item(pam_h, PAM_TTY, "/dev/nld")) != PAM_SUCCESS) fatal("pam_set_item(PAM_TTY,/dev/nld"); #endif conv_reject_prompts = 1; pam_conv_fd = fd; /* On Solaris and HP-UX, the docs say we can't call setcred first, and the * modules actually enforce that. LinuxPAM says we must call setcred first, * and that's preferable, so we do it in all other cases. */ #ifdef SUN_PAM int setcred_first = 0; #else int setcred_first = 1; #endif for (i = 0; i < 2; ++i) { if (i != setcred_first) { if ((rv = pam_setcred(pam_h, PAM_ESTABLISH_CRED)) != PAM_SUCCESS) { debug("pam_setcred(PAM_ESTABLISH_CRED): %s", pam_strerror(pam_h, rv)); if (authenticated) { pam_conv_fd = -1; return -1; } } else { setcred = 1; } } else { if ((rv = pam_open_session(pam_h, 0)) != PAM_SUCCESS) { debug("pam_open_session(): %s", pam_strerror(pam_h, rv)); if (authenticated) { pam_conv_fd = -1; return -1; } } else { opened_session = 1; } } } pam_conv_fd = -1; return 0; }
static void test_pam_start(void **state) { int rv; pam_handle_t *ph; struct pwrap_test_ctx *test_ctx; test_ctx = (struct pwrap_test_ctx *) *state; test_ctx->conv.appdata_ptr = (void *) "testpassword"; rv = pam_start("matrix", "trinity", &test_ctx->conv, &ph); assert_int_equal(rv, PAM_SUCCESS); rv = pam_end(ph, PAM_SUCCESS); assert_int_equal(rv, PAM_SUCCESS); }
int pam_auth_user_pass (char const * const user, char const * const pass) { struct pam_conv pamc = { conv, pass }; pam_handle_t * pamh = NULL; int retval = PAM_ABORT; if ((retval = pam_start ("login", user, &pamc, &pamh)) == PAM_SUCCESS) { retval = pam_authenticate (pamh, 0); } LOG (pam_strerror (pamh, retval)); pam_end (pamh, 0); return retval; }
/* returns boolean */ int DEFAULT_CC auth_userpass(char *user, char *pass, int *errorcode) { pam_handle_t *pamh; pam_userpass_t userpass; struct pam_conv conv = {pam_userpass_conv, &userpass}; const void *template1; int status; userpass.user = user; userpass.pass = pass; if (pam_start(SERVICE, user, &conv, &pamh) != PAM_SUCCESS) { return 0; } status = pam_authenticate(pamh, 0); if (status != PAM_SUCCESS) { pam_end(pamh, status); return 0; } status = pam_acct_mgmt(pamh, 0); if (status != PAM_SUCCESS) { pam_end(pamh, status); return 0; } status = pam_get_item(pamh, PAM_USER, &template1); if (status != PAM_SUCCESS) { pam_end(pamh, status); return 0; } if (pam_end(pamh, PAM_SUCCESS) != PAM_SUCCESS) { return 0; } return 1; }
/** Check the users password against the standard UNIX password table + PAM. * * @note For most flexibility, passing a pamauth type to this function * allows you to have multiple authentication types (i.e. multiple * files associated with radius in /etc/pam.d). * * @param request The current request. * @param username User to authenticate. * @param passwd Password to authenticate with, * @param pamauth Type of PAM authentication. * @return 0 on success -1 on failure. */ static int do_pam(REQUEST *request, char const *username, char const *passwd, char const *pamauth) { pam_handle_t *handle = NULL; int ret; rlm_pam_data_t pam_config; struct pam_conv conv; /* * Initialize the structures */ conv.conv = pam_conv; conv.appdata_ptr = &pam_config; pam_config.request = request; pam_config.username = username; pam_config.password = passwd; pam_config.error = false; RDEBUG2("Using pamauth string \"%s\" for pam.conf lookup", pamauth); ret = pam_start(pamauth, username, &conv, &handle); if (ret != PAM_SUCCESS) { RERROR("pam_start failed: %s", pam_strerror(handle, ret)); return -1; } ret = pam_authenticate(handle, 0); if (ret != PAM_SUCCESS) { RERROR("pam_authenticate failed: %s", pam_strerror(handle, ret)); pam_end(handle, ret); return -1; } /* * FreeBSD 3.x doesn't have account and session management * functions in PAM, while 4.0 does. */ #if !defined(__FreeBSD_version) || (__FreeBSD_version >= 400000) ret = pam_acct_mgmt(handle, 0); if (ret != PAM_SUCCESS) { RERROR("pam_acct_mgmt failed: %s", pam_strerror(handle, ret)); pam_end(handle, ret); return -1; } #endif RDEBUG2("Authentication succeeded"); pam_end(handle, ret); return 0; }
int main(int argc, char **argv) { pam_handle_t *pamh=NULL; static struct pam_conv pamc = { misc_conv, NULL }; if( PAM_SUCCESS != pam_start("test", "testa", &pamc, &pamh) ) { fprintf(stderr, "ERR: pam_start failed!\n"); return 1; } /* if( PAM_SUCCESS != pam_set_item(pamh, PAM_USER, "tester") ) { fprintf(stderr, "ERR: pam_set_item user failed!\n"); return 1; } if( PAM_SUCCESS != pam_chauthtok(pamh, 0) ) { fprintf(stderr, "ERR: pam_chauthtok failed!\n"); return 1; } if( PAM_SUCCESS != pam_set_item(pamh, PAM_AUTHTOK, "mypassword") ) { fprintf(stderr, "ERR: pam_set_item password failed!\n"); return 1; } */ if( PAM_SUCCESS != pam_chauthtok(pamh, 0) ) { fprintf(stderr, "ERR: pam_chauthtok failed!\n"); return 1; } if( PAM_SUCCESS != pam_end(pamh, PAM_SUCCESS) ) { fprintf(stderr, "ERR: pam_end failed!\n"); return 1; } return 0; }
static int check_pw(const char *login, const char *pwd) { struct pam_conv pam_c; pam_handle_t *phth; int ret; pam_c.conv = conv_func; pam_c.appdata_ptr = (void *)pwd; assert(pam_start("lolock", login, &pam_c, &phth) == PAM_SUCCESS); ret = pam_authenticate(phth, PAM_SILENT); pam_end(phth, 0); return ret == PAM_SUCCESS; }
static int auth_CheckPasswd(const char *name, const char *data, const char *key) { if (!strcmp(data, "*")) { #ifdef NOPAM /* Then look up the real password database */ struct passwd *pw; int result = 0; char *cryptpw; pw = getpwnam(name); if (pw) { cryptpw = crypt(key, pw->pw_passwd); result = (cryptpw != NULL) && !strcmp(cryptpw, pw->pw_passwd); } endpwent(); return result; #else /* !NOPAM */ /* Then consult with PAM. */ pam_handle_t *pamh; int status; struct pam_conv pamc = { #ifdef OPENPAM &openpam_nullconv, NULL #else &pam_conv, key #endif }; if (pam_start("ppp", name, &pamc, &pamh) != PAM_SUCCESS) return (0); #ifdef OPENPAM if ((status = pam_set_item(pamh, PAM_AUTHTOK, key)) == PAM_SUCCESS) #endif status = pam_authenticate(pamh, 0); pam_end(pamh, status); return (status == PAM_SUCCESS); #endif /* !NOPAM */ } return !strcmp(data, key); }
int main(int argc, char *argv[]) { pam_handle_t *pamh = NULL; int retval; struct pam_conv conv = { gradm_pam_conv, NULL }; struct gr_arg_wrapper wrapper; struct gr_arg arg; int fd; if (argc != 2) exit(EXIT_FAILURE); wrapper.version = GRADM_VERSION; wrapper.size = sizeof(struct gr_arg); wrapper.arg = &arg; arg.mode = GRADM_STATUS; if ((fd = open(GRDEV_PATH, O_WRONLY)) < 0) { fprintf(stderr, "Could not open %s.\n", GRDEV_PATH); failure("open"); } retval = write(fd, &wrapper, sizeof(struct gr_arg_wrapper)); close(fd); if (retval != 1) exit(EXIT_FAILURE); retval = pam_start(PAM_SERVICENAME, argv[1], &conv, &pamh); if (retval == PAM_SUCCESS) retval = pam_authenticate(pamh, 0); if (retval == PAM_SUCCESS) retval = pam_acct_mgmt(pamh, 0); if (retval == PAM_AUTHTOK_EXPIRED) retval = pam_chauthtok(pamh, 0); if (pamh) pam_end(pamh, retval); if (retval != PAM_SUCCESS) exit(EXIT_FAILURE); return EXIT_SUCCESS; }
static int acct_mgmt(char *service, char *user) { struct pam_conv conv = {misc_conv, NULL}; int retval; pam_handle_t *pamh = NULL; retval = pam_start(service, user, &conv, &pamh); if (retval == PAM_SUCCESS) retval = pam_set_item(pamh, PAM_RUSER, user); #ifdef PAM_FAIL_DELAY if (retval == PAM_SUCCESS) retval = pam_set_item(pamh, PAM_FAIL_DELAY, (void *)delay_fn); #endif if (retval == PAM_SUCCESS) retval = pam_acct_mgmt(pamh, 0); pam_end(pamh, retval); return retval; }
static void test_pam_prompt(void **state) { struct pwrap_test_ctx *test_ctx; int rv; char *response; int resp_array[2]; test_ctx = (struct pwrap_test_ctx *) *state; memset(resp_array, 0, sizeof(resp_array)); test_ctx->conv.conv = pwrap_echo_conv; test_ctx->conv.appdata_ptr = resp_array; rv = pam_start("matrix", "trinity", &test_ctx->conv, &test_ctx->ph); assert_int_equal(rv, PAM_SUCCESS); rv = pam_prompt(test_ctx->ph, PAM_PROMPT_ECHO_OFF, &response, "no echo"); assert_int_equal(rv, PAM_SUCCESS); assert_string_equal(response, "echo off: no echo"); free(response); rv = vprompt_test_fn(test_ctx->ph, PAM_PROMPT_ECHO_OFF, &response, "no echo"); assert_int_equal(rv, PAM_SUCCESS); assert_string_equal(response, "echo off: no echo"); free(response); rv = pam_prompt(test_ctx->ph, PAM_PROMPT_ECHO_ON, &response, "echo"); assert_int_equal(rv, PAM_SUCCESS); assert_string_equal(response, "echo on: echo"); free(response); rv = vprompt_test_fn(test_ctx->ph, PAM_PROMPT_ECHO_ON, &response, "echo"); assert_int_equal(rv, PAM_SUCCESS); assert_string_equal(response, "echo on: echo"); free(response); assert_int_equal(resp_array[0], 0); pam_info(test_ctx->ph, "info"); assert_int_equal(resp_array[0], 1); assert_int_equal(resp_array[1], 0); pam_error(test_ctx->ph, "error"); assert_int_equal(resp_array[1], 1); }
int main(void) { pam_handle_t *pamh; struct pam_conv conv = { NULL, NULL }; struct pam_args *args; plan(12); if (pam_start("test", NULL, &conv, &pamh) != PAM_SUCCESS) sysbail("Fake PAM initialization failed"); args = putil_args_new(pamh, 0); ok(args != NULL, "New args struct is not NULL"); if (args == NULL) ok_block(7, 0, "...args struct is NULL"); else { ok(args->pamh == pamh, "...and pamh is correct"); ok(args->config == NULL, "...and config is NULL"); ok(args->user == NULL, "...and user is NULL"); is_int(args->debug, false, "...and debug is false"); is_int(args->silent, false, "...and silent is false"); #ifdef HAVE_KRB5 ok(args->ctx != NULL, "...and the Kerberos context is initialized"); ok(args->realm == NULL, "...and realm is NULL"); #else skip_block(2, "Kerberos support not configured"); #endif } putil_args_free(args); ok(1, "Freeing the args struct works"); args = putil_args_new(pamh, PAM_SILENT); ok(args != NULL, "New args struct with PAM_SILENT is not NULL"); if (args == NULL) ok(0, "...args is NULL"); else is_int(args->silent, true, "...and silent is true"); putil_args_free(args); putil_args_free(NULL); ok(1, "Freeing a NULL args struct works"); pam_end(pamh, 0); return 0; }
/** * \brief Try to authentication user using PAM. Only password could be use now. */ int vs_pam_auth_user(struct vContext *C, const char *username, const char *pass) { struct VSession *vsession = CTX_current_session(C); int retval; /* Use password for user authentication */ vsession->conv.appdata_ptr = (void*)pass; /* Try to initialization PAM transaction */ if((retval = pam_start("verse", username, &vsession->conv, &vsession->pamh)) != PAM_SUCCESS) { v_print_log(VRS_PRINT_ERROR, "pam_start() failed: %s\n", pam_strerror(vsession->pamh, retval)); vs_pam_end_user_auth(vsession, retval); return -1; } /* Try to setup remote host for PAM */ if((retval = pam_set_item(vsession->pamh, PAM_RHOST, vsession->peer_hostname))) { v_print_log(VRS_PRINT_ERROR, "pam_set_item(): hostname: %s failed: %s\n", vsession->peer_hostname, pam_strerror(vsession->pamh, retval)); vs_pam_end_user_auth(vsession, retval); return -1; } /* Authenticate user: is the username in the "database" of valid usernames? */ if((retval = pam_authenticate(vsession->pamh, 0)) != PAM_SUCCESS) { v_print_log(VRS_PRINT_ERROR, "pam_authenticate(): username: %s failed: %s\n", username, pam_strerror(vsession->pamh, retval)); vs_pam_end_user_auth(vsession, retval); return -1; } /* Is user's account valid? */ if((retval = pam_acct_mgmt(vsession->pamh, 0)) == PAM_SUCCESS) { v_print_log(VRS_PRINT_DEBUG_MSG, "pam_acct_mgmt(): username: %s: %s\n", username, pam_strerror(vsession->pamh, retval)); vs_pam_end_user_auth(vsession, retval); /* TODO: get UID and return it */ return -1; } else { v_print_log(VRS_PRINT_ERROR, "pam_cct_mgmt(): username: %s failed: %s\n", username, pam_strerror(vsession->pamh, retval)); vs_pam_end_user_auth(vsession, retval); return -1; } vs_pam_end_user_auth(vsession, retval); return -1; }
int main(int argc, char *argv[]) { pam_handle_t *pamh=NULL; const char *user="******"; const char *stack="tst-pam_authfail"; int retval; int debug = 0; if (argc > 2) { stack = argv[2]; } if (argc > 1) { if (strcmp (argv[1], "-d") == 0) debug = 1; else stack = argv[1]; } retval = pam_start(stack, user, &conv, &pamh); if (retval != PAM_SUCCESS) { if (debug) fprintf (stderr, "test3: pam_start returned %d\n", retval); return 1; } retval = pam_authenticate(pamh, 0); if (retval == PAM_SUCCESS) { if (debug) fprintf (stderr, "test3: pam_authenticate returned %d\n", retval); return 1; } retval = pam_end(pamh,retval); if (retval != PAM_SUCCESS) { if (debug) fprintf (stderr, "test3: pam_end returned %d\n", retval); return 1; } return 0; }
void ssh_gssapi_rekey_creds() { int ok; int ret; #ifdef USE_PAM pam_handle_t *pamh = NULL; struct pam_conv pamconv = {ssh_gssapi_simple_conv, NULL}; char *envstr; #endif if (gssapi_client.store.filename == NULL && gssapi_client.store.envval == NULL && gssapi_client.store.envvar == NULL) return; ok = PRIVSEP(ssh_gssapi_update_creds(&gssapi_client.store)); if (!ok) return; debug("Rekeyed credentials stored successfully"); /* Actually managing to play with the ssh pam stack from here will * be next to impossible. In any case, we may want different options * for rekeying. So, use our own :) */ #ifdef USE_PAM if (!use_privsep) { debug("Not even going to try and do PAM with privsep disabled"); return; } ret = pam_start("sshd-rekey", gssapi_client.store.owner->pw_name, &pamconv, &pamh); if (ret) return; xasprintf(&envstr, "%s=%s", gssapi_client.store.envvar, gssapi_client.store.envval); ret = pam_putenv(pamh, envstr); if (!ret) pam_setcred(pamh, PAM_REINITIALIZE_CRED); pam_end(pamh, PAM_SUCCESS); #endif }
int sudo_pam_init(struct passwd *pw, sudo_auth *auth) { static struct pam_conv pam_conv; static int pam_status; debug_decl(sudo_pam_init, SUDO_DEBUG_AUTH) /* Initial PAM setup */ auth->data = (void *) &pam_status; pam_conv.conv = converse; pam_status = pam_start(ISSET(sudo_mode, MODE_LOGIN_SHELL) ? def_pam_login_service : def_pam_service, pw->pw_name, &pam_conv, &pamh); if (pam_status != PAM_SUCCESS) { log_warning(USE_ERRNO|NO_MAIL, N_("unable to initialize PAM")); debug_return_int(AUTH_FATAL); } /* * Set PAM_RUSER to the invoking user (the "from" user). * We set PAM_RHOST to avoid a bug in Solaris 7 and below. */ (void) pam_set_item(pamh, PAM_RUSER, user_name); #ifdef __sun__ (void) pam_set_item(pamh, PAM_RHOST, user_host); #endif /* * Some versions of pam_lastlog have a bug that * will cause a crash if PAM_TTY is not set so if * there is no tty, set PAM_TTY to the empty string. */ if (user_ttypath == NULL) (void) pam_set_item(pamh, PAM_TTY, ""); else (void) pam_set_item(pamh, PAM_TTY, user_ttypath); /* * If PAM session and setcred support is disabled we don't * need to keep a sudo process around to close the session. */ if (!def_pam_session && !def_pam_setcred) auth->end_session = NULL; debug_return_int(AUTH_SUCCESS); }