/*
 * pam_chauthtok - application entry point for changing an authentication
 * token.
 *
 * The PAM_CHAUTHTOK stack is dispatched twice: first with PAM_PRELIM_CHECK
 * and, only if that succeeds, again with PAM_UPDATE_AUTHTOK. Both phase
 * flags are added here; a caller that passes either one is rejected with
 * PAM_SYSTEM_ERR, as is a call made from inside a module.
 *
 * pamh->former.update records that the preliminary phase has already
 * passed, so a later call with that flag set goes straight to the update
 * phase.
 *
 * Returns the result of the last dispatch, or PAM_SYSTEM_ERR for the
 * rejected cases above. IF_NO_PAMH is handed PAM_SYSTEM_ERR as its error
 * value (presumably returned for a NULL handle - macro not shown here).
 */
int pam_chauthtok(pam_handle_t *pamh, int flags)
{
    int status;

    D(("called."));

    IF_NO_PAMH("pam_chauthtok", pamh, PAM_SYSTEM_ERR);

    if (__PAM_FROM_MODULE(pamh)) {
        D(("called from module!?"));
        return PAM_SYSTEM_ERR;
    }

    /* The phase flags are reserved for the library itself. */
    if ((flags & (PAM_PRELIM_CHECK | PAM_UPDATE_AUTHTOK)) != 0) {
        pam_syslog(pamh, LOG_ERR,
                   "PAM_PRELIM_CHECK or PAM_UPDATE_AUTHTOK set by application");
        return PAM_SYSTEM_ERR;
    }

    if (pamh->former.choice == PAM_NOT_STACKED) {
        /*
         * Fresh request: the timer is started so that the time taken to
         * report a failure does not depend on how long failing took.
         */
        _pam_start_timer(pamh);
        _pam_sanitize(pamh);
        pamh->former.update = PAM_FALSE;
    }

    /* Phase one is skipped when an earlier call already completed it. */
    if (pamh->former.update) {
        status = PAM_SUCCESS;
    } else {
        status = _pam_dispatch(pamh, flags | PAM_PRELIM_CHECK, PAM_CHAUTHTOK);
    }

    if (status == PAM_SUCCESS) {
        D(("completed check ok: former=%d", pamh->former.update));
        pamh->former.update = PAM_TRUE;
        status = _pam_dispatch(pamh, flags | PAM_UPDATE_AUTHTOK, PAM_CHAUTHTOK);
    }

    if (status == PAM_INCOMPLETE) {
        D(("will resume when ready", status));
    } else {
        /* Finished (either way): clean up and, on failure, wait out the timer. */
        _pam_sanitize(pamh);
        pamh->former.update = PAM_FALSE;
        _pam_await_timer(pamh, status);
        D(("pam_chauthtok exit %d - %d", status, pamh->former.choice));
    }

    return status;
}
/*
 * pam_setcred - application entry point for the PAM_SETCRED stack.
 *
 * A zero flags argument is replaced by PAM_ESTABLISH_CRED before the stack
 * is dispatched. A call made from inside a module is refused with
 * PAM_SYSTEM_ERR. When HAVE_LIBAUDIT is enabled, the dispatch result is
 * passed to _pam_auditlog() and that function's return value is what the
 * caller receives.
 */
int pam_setcred(pam_handle_t *pamh, int flags)
{
    int status;
    int cred_flags;

    D(("pam_setcred called"));

    IF_NO_PAMH("pam_setcred", pamh, PAM_SYSTEM_ERR);

    if (__PAM_FROM_MODULE(pamh)) {
        D(("called from module!?"));
        return PAM_SYSTEM_ERR;
    }

    /* No explicit request means "establish credentials". */
    cred_flags = flags ? flags : PAM_ESTABLISH_CRED;

    status = _pam_dispatch(pamh, cred_flags, PAM_SETCRED);

#if HAVE_LIBAUDIT
    status = _pam_auditlog(pamh, PAM_SETCRED, status, cred_flags);
#endif

    D(("pam_setcred exit"));

    return status;
}
/*
 * pam_authenticate - application entry point for the PAM_AUTHENTICATE stack.
 *
 * On a fresh request (former.choice == PAM_NOT_STACKED) the handle is
 * sanitized and a timer is started; once the stack has finished, the handle
 * is sanitized again and _pam_await_timer() is given the result. The intent
 * stated by the original author is that the time taken to report a failure
 * should not depend on how long the failure took to occur.
 *
 * Returns the dispatch result, or PAM_SYSTEM_ERR when called from a module.
 * PAM_INCOMPLETE is returned without the clean-up steps.
 */
int pam_authenticate(pam_handle_t *pamh, int flags)
{
    int status;

    D(("pam_authenticate called"));

    IF_NO_PAMH("pam_authenticate", pamh, PAM_SYSTEM_ERR);

    if (__PAM_FROM_MODULE(pamh)) {
        D(("called from module!?"));
        return PAM_SYSTEM_ERR;
    }

    if (pamh->former.choice == PAM_NOT_STACKED) {
        _pam_sanitize(pamh);
        _pam_start_timer(pamh);  /* failure delay is measured from here */
    }

    status = _pam_dispatch(pamh, flags, PAM_AUTHENTICATE);

    if (status == PAM_INCOMPLETE) {
        D(("will resume when ready"));
    } else {
        _pam_sanitize(pamh);
        _pam_await_timer(pamh, status);  /* waits now if the attempt failed */
        D(("pam_authenticate exit"));
    }

    return status;
}
/*
 * pam_close_session - application entry point for the PAM_CLOSE_SESSION
 * stack.
 *
 * Returns whatever _pam_dispatch() reports, or PAM_SYSTEM_ERR when the call
 * originates from inside a module.
 */
int pam_close_session(pam_handle_t *pamh, int flags)
{
    int status;

    D(("called"));

    IF_NO_PAMH("pam_close_session", pamh, PAM_SYSTEM_ERR);

    if (__PAM_FROM_MODULE(pamh)) {
        D(("called from module!?"));
        return PAM_SYSTEM_ERR;
    }

    status = _pam_dispatch(pamh, flags, PAM_CLOSE_SESSION);
    return status;
}
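#ifdef PAM_STATS
/*
 * Returns non-zero when c is on the allowlist of bytes that may be placed,
 * unquoted, into the statsd command line built by pam_close_session().
 */
static int _pam_close_stats_char_ok(char c)
{
    return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
           (c >= '0' && c <= '9') ||
           c == '.' || c == '_' || c == '-' || c == '@';
}
#endif

/*
 * pam_close_session - application entry point for the PAM_CLOSE_SESSION
 * stack.
 *
 * Dispatches the stack and, when HAVE_LIBAUDIT is enabled, passes the
 * result through _pam_auditlog(). With PAM_STATS defined, a non-success
 * result additionally updates statsd counters by running a command through
 * system().
 *
 * Because that command is interpreted by a shell, every value interpolated
 * into it is restricted to an allowlist first: the user name is copied with
 * any other byte replaced by '_', and the update is skipped if the service
 * name contains anything unexpected. A command that does not fit the buffer
 * is skipped instead of being run truncated.
 *
 * Returns the dispatch (or audit) result, or PAM_SYSTEM_ERR when called
 * from inside a module.
 */
int pam_close_session(pam_handle_t *pamh, int flags)
{
    int retval;

    D(("called"));

    IF_NO_PAMH("pam_close_session", pamh, PAM_SYSTEM_ERR);

    if (__PAM_FROM_MODULE(pamh)) {
        D(("called from module!?"));
        return PAM_SYSTEM_ERR;
    }

    retval = _pam_dispatch(pamh, flags, PAM_CLOSE_SESSION);

#if HAVE_LIBAUDIT
    retval = _pam_auditlog(pamh, PAM_CLOSE_SESSION, retval, flags);
#endif

#ifdef PAM_STATS
    if (retval != PAM_SUCCESS) {
        char usr[MAX_PAM_STATS_USR_SIZE];
        char buf[MAX_PAM_STATS_BUF_SIZE];
        const char *src = pamh->user;
        const char *svc = pamh->service_name;
        size_t i;
        int svc_ok;
        int len;

        /* A missing or empty name is counted under "unknown" as well. */
        if (retval == PAM_USER_UNKNOWN || src == NULL || src[0] == '\0') {
            src = "unknown";
        }

        /*
         * The user name is typically chosen by whoever is trying to log in,
         * so it must never reach the shell verbatim. Copy it with every
         * byte outside the allowlist replaced, always NUL-terminated.
         */
        for (i = 0; i + 1 < sizeof usr && src[i] != '\0'; i++) {
            usr[i] = _pam_close_stats_char_ok(src[i]) ? src[i] : '_';
        }
        usr[i] = '\0';
        if (usr[0] == '-') {
            usr[0] = '_';  /* keep it from being read as an option */
        }

        /* The service name is used as-is, so it is validated, not rewritten. */
        svc_ok = (svc != NULL && svc[0] != '\0' && svc[0] != '-');
        for (i = 0; svc_ok && svc[i] != '\0'; i++) {
            if (!_pam_close_stats_char_ok(svc[i])) {
                svc_ok = 0;
            }
        }

        if (!svc_ok) {
            pam_syslog(pamh, LOG_INFO,
                       "statsd update skipped: unexpected service name");
        } else {
            /*
             * NOTE(review): pam_strerror() text is placed inside double
             * quotes; this assumes the message contains no '"', '$', '`'
             * or '\\' - confirm for translated message catalogs.
             * NOTE(review): spawning statsd with an explicit argv instead
             * of system() would remove the shell from the path entirely.
             */
            len = snprintf(buf, sizeof buf,
                           "statsd -a incr pam_failed_%s %s \\;"
                           " push pam_last_failure_%s %s \"%s\" 0 \\;"
                           " incr pam_users %s\\;"
                           " incr pam_services %s",
                           usr, svc,
                           usr, svc, pam_strerror(pamh, retval),
                           usr,
                           svc);

            if (len < 0 || (size_t)len >= sizeof buf) {
                pam_syslog(pamh, LOG_INFO,
                           "statsd update skipped: command too long");
            } else if (system(buf) == -1) {
                pam_syslog(pamh, LOG_INFO, "%s - failed", buf);
            }
        }
    }
#endif

    return retval;
}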
/*
 * pam_open_session - application entry point for the PAM_OPEN_SESSION
 * stack.
 *
 * Returns whatever _pam_dispatch() reports, or PAM_SYSTEM_ERR when the call
 * originates from inside a module.
 */
int pam_open_session(pam_handle_t *pamh, int flags)
{
    D(("called"));

    IF_NO_PAMH("pam_open_session", pamh, PAM_SYSTEM_ERR);

    if (__PAM_FROM_MODULE(pamh)) {
        D(("called from module!?"));
        return PAM_SYSTEM_ERR;
    }

    return _pam_dispatch(pamh, flags, PAM_OPEN_SESSION);
}
/*
 * pam_acct_mgmt - application entry point for the PAM_ACCOUNT stack.
 *
 * Returns the dispatch result; when HAVE_LIBAUDIT is defined that result is
 * first handed to _pam_auditlog(), whose return value is used instead.
 * A call made from inside a module is refused with PAM_SYSTEM_ERR.
 */
int pam_acct_mgmt(pam_handle_t *pamh, int flags)
{
    int status;

    D(("called"));

    IF_NO_PAMH("pam_acct_mgmt", pamh, PAM_SYSTEM_ERR);

    if (__PAM_FROM_MODULE(pamh)) {
        D(("called from module!?"));
        return PAM_SYSTEM_ERR;
    }

    status = _pam_dispatch(pamh, flags, PAM_ACCOUNT);

#ifdef HAVE_LIBAUDIT
    /* The audit layer sees the outcome and may substitute its own. */
    status = _pam_auditlog(pamh, PAM_ACCOUNT, status, flags);
#endif

    return status;
}
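#ifdef CONFIG_PROP_STATSD_STATSD
/*
 * Returns non-zero when c is on the allowlist of bytes that may be placed,
 * unquoted, into the statsd command lines built by pam_authenticate().
 */
static int _pam_auth_stats_char_ok(char c)
{
    return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
           (c >= '0' && c <= '9') ||
           c == '.' || c == '_' || c == '-' || c == '@';
}
#endif

/*
 * pam_authenticate - application entry point for the PAM_AUTHENTICATE stack.
 *
 * On a fresh request the handle is sanitized and a timer started; once the
 * stack has finished, the handle is sanitized again and _pam_await_timer()
 * is given the result, so that the time taken to report a failure does not
 * depend on how long the failure took to occur. Optional build-time hooks
 * then run in this order: PRELUDE alert, libaudit logging (whose return
 * value replaces the result), and statsd failure counters.
 *
 * The statsd counters are updated by running commands through system().
 * Every value interpolated into those commands is restricted to an
 * allowlist first: the user name is copied with any other byte replaced by
 * '_', and the update is skipped if the service name contains anything
 * unexpected. A command that does not fit the buffer is skipped instead of
 * being run truncated.
 *
 * Returns the dispatch (or audit) result, or PAM_SYSTEM_ERR when called
 * from inside a module.
 */
int pam_authenticate(pam_handle_t *pamh, int flags)
{
    int retval;

    D(("pam_authenticate called"));

    IF_NO_PAMH("pam_authenticate", pamh, PAM_SYSTEM_ERR);

    if (__PAM_FROM_MODULE(pamh)) {
        D(("called from module!?"));
        return PAM_SYSTEM_ERR;
    }

    if (pamh->former.choice == PAM_NOT_STACKED) {
        _pam_sanitize(pamh);
        _pam_start_timer(pamh);  /* failure delay is measured from here */
    }

    retval = _pam_dispatch(pamh, flags, PAM_AUTHENTICATE);

    if (retval != PAM_INCOMPLETE) {
        _pam_sanitize(pamh);
        _pam_await_timer(pamh, retval);  /* if unsuccessful then wait now */
        D(("pam_authenticate exit"));
    } else {
        D(("will resume when ready"));
    }

#ifdef PRELUDE
    prelude_send_alert(pamh, retval);
#endif

#if HAVE_LIBAUDIT
    retval = _pam_auditlog(pamh, PAM_AUTHENTICATE, retval, flags);
#endif

#ifdef CONFIG_PROP_STATSD_STATSD
    /*
     * NOTE(review): PAM_INCOMPLETE also satisfies this test, so a paused
     * conversation is counted like a failure - confirm that is intended.
     * NOTE(review): this runs after _pam_await_timer(), so the time spent
     * spawning statsd is added on top of the failure delay, and only on the
     * paths that reach the system() calls - confirm that is acceptable.
     */
    if (retval != PAM_SUCCESS) {
        char usr[MAX_PAM_STATS_USR_SIZE];
        char buf[MAX_PAM_STATS_BUF_SIZE];
        struct pam_data *data;
        const char *verdict = NULL;
        const char *svc = pamh->service_name;

        /*
         * The pam_sg module has stored module data so we can tell whether
         * this is a valid user; unknown users are counted under "unknown".
         * The proper accessor for module data is not available to
         * application-side code, so the list is walked directly (a kludge
         * kept from the original). The stored value is assumed to be a
         * NUL-terminated string - confirm against pam_sg.
         */
        if (pamh->user != NULL) {
            for (data = pamh->data; data != NULL; data = data->next) {
                if (data->name != NULL && !strcmp(data->name, pamh->user)) {
                    verdict = (const char *)(data->data);
                    break;
                }
            }
        }

        /*
         * Don't log stats if the module info is unavailable or the PAM
         * system itself failed during auth.
         */
        if (verdict != NULL && strcmp(verdict, "PAM_SYSTEM_ERR") != 0) {
            const char *src = (strcmp(verdict, "PAM_USER_UNKNOWN") == 0)
                                  ? "unknown"
                                  : pamh->user;
            size_t i;
            int svc_ok;
            int len;

            /*
             * The user name is typically chosen by whoever is trying to
             * log in, so it must never reach the shell verbatim. Copy it
             * with every byte outside the allowlist replaced, always
             * NUL-terminated.
             */
            for (i = 0; i + 1 < sizeof usr && src[i] != '\0'; i++) {
                usr[i] = _pam_auth_stats_char_ok(src[i]) ? src[i] : '_';
            }
            usr[i] = '\0';
            if (usr[0] == '-') {
                usr[0] = '_';  /* keep it from being read as an option */
            }
            if (usr[0] == '\0') {
                usr[0] = '_';  /* never emit an empty argument */
                usr[1] = '\0';
            }

            /* The service name is used as-is, so validate rather than rewrite. */
            svc_ok = (svc != NULL && svc[0] != '\0' && svc[0] != '-');
            for (i = 0; svc_ok && svc[i] != '\0'; i++) {
                if (!_pam_auth_stats_char_ok(svc[i])) {
                    svc_ok = 0;
                }
            }

            if (!svc_ok) {
                pam_syslog(pamh, LOG_INFO,
                           "statsd update skipped: unexpected service name");
            } else {
                /*
                 * Each command is run only when it fits the buffer.
                 * NOTE(review): spawning statsd with an explicit argv
                 * instead of system() would remove the shell entirely.
                 */
                len = snprintf(buf, sizeof buf,
                               "statsd incr pam_failed_%s %s", usr, svc);
                if (len > 0 && (size_t)len < sizeof buf && system(buf) == -1) {
                    pam_syslog(pamh, LOG_INFO, "%s failed", buf);
                }

                /*
                 * NOTE(review): pam_strerror() text sits inside double
                 * quotes; this assumes it contains no '"', '$', '`' or
                 * '\\' - confirm for translated message catalogs.
                 */
                len = snprintf(buf, sizeof buf,
                               "statsd push pam_last_failure_%s %s \"%s\" 0",
                               usr, svc, pam_strerror(pamh, retval));
                if (len > 0 && (size_t)len < sizeof buf && system(buf) == -1) {
                    pam_syslog(pamh, LOG_INFO, "%s failed", buf);
                }

                len = snprintf(buf, sizeof buf,
                               "statsd incr pam_users %s", usr);
                if (len > 0 && (size_t)len < sizeof buf && system(buf) == -1) {
                    pam_syslog(pamh, LOG_INFO, "%s - failed", buf);
                }

                len = snprintf(buf, sizeof buf,
                               "statsd incr pam_services %s", svc);
                if (len > 0 && (size_t)len < sizeof buf && system(buf) == -1) {
                    pam_syslog(pamh, LOG_INFO, "%s - failed", buf);
                }
            }
        }
    }
#endif

    return retval;
}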