struct passwd *checkpw (struct passwd *pw,char *pass,int argc,char *argv[])
{
pam_handle_t *hdl;
struct pam_conv conv;
struct checkpw_cred cred;
conv.conv = &checkpw_conv;
conv.appdata_ptr = &cred;
cred.uname = pw->pw_name;
cred.pass = pass;
if ((pam_start ((char *) mail_parameters (NIL,GET_SERVICENAME,NIL),
pw->pw_name,&conv,&hdl) != PAM_SUCCESS) ||
(pam_set_item (hdl,PAM_RHOST,tcp_clientaddr ()) != PAM_SUCCESS) ||
(pam_authenticate (hdl,NIL) != PAM_SUCCESS) ||
(pam_acct_mgmt (hdl,NIL) != PAM_SUCCESS) ||
(pam_setcred (hdl,PAM_ESTABLISH_CRED) != PAM_SUCCESS)) {
/* clean up */
pam_setcred (hdl,PAM_DELETE_CRED);
pam_end (hdl,PAM_AUTH_ERR); /* failed */
return NIL;
}
#if 0
/*
* Some people have reported that this causes a SEGV in strncpy() from
* pam_unix.so.1
*/
/*
* This pam_open_session() call is inconsistant with how we handle other
* platforms, where we don't write [uw]tmp records. However, unlike our
* code on other platforms, pam_acct_mgmt() will check those records for
* inactivity and deny the authentication.
*/
pam_open_session (hdl,NIL); /* make sure account doesn't go inactive */
#endif
/* arm hook to delete credentials */
mail_parameters (NIL,SET_LOGOUTHOOK,(void *) checkpw_cleanup);
mail_parameters (NIL,SET_LOGOUTDATA,(void *) hdl);
return pw;
}
long tcp_clientport ()
{
if (!myClientHost && !myClientAddr) tcp_clientaddr ();
return myClientPort;
}
