static int
mdm_verify_pam_conv (int num_msg,
MDM_PAM_QUAL struct pam_message **msg,
struct pam_response **resp,
void *appdata_ptr)
{
int replies = 0;
int i;
char *s = NULL;
struct pam_response *reply = NULL;
MDM_PAM_QUAL void *p;
const char *login;
if (pamh == NULL)
return PAM_CONV_ERR;
/* Should never happen unless PAM is on crack and keeps asking questions
after we told it to go away. So tell it to go away again and
maybe it will listen */
/* well, it actually happens if there are multiple pam modules
* with conversations */
if ( ! mdm_slave_action_pending () || selected_user)
return PAM_CONV_ERR;
reply = malloc (sizeof (struct pam_response) * num_msg);
if (reply == NULL)
return PAM_CONV_ERR;
memset (reply, 0, sizeof (struct pam_response) * num_msg);
/* Here we set the login if it wasn't already set,
* this is kind of anal, but this way we guarantee that
* the greeter always is up to date on the login */
if (pam_get_item (pamh, PAM_USER, &p) == PAM_SUCCESS) {
login = (const char *)p;
mdm_slave_greeter_ctl_no_ret (MDM_SETLOGIN, login);
}
/* Workaround to avoid mdm messages being logged as PAM_pwdb */
mdm_log_shutdown ();
mdm_log_init ();
for (replies = 0; replies < num_msg; replies++) {
const char *m = (*msg)[replies].msg;
m = perhaps_translate_message (m);
switch ((*msg)[replies].msg_style) {
/* PAM requested textual input with echo on */
case PAM_PROMPT_ECHO_ON:
if (strcmp (m, _("Username:"******"Please enter your username"));
s = mdm_slave_greeter_ctl (MDM_PROMPT, m);
/* this will clear the message */
mdm_slave_greeter_ctl_no_ret (MDM_MSG, "");
}
} else {
s = mdm_slave_greeter_ctl (MDM_PROMPT, m);
}
if (mdm_slave_greeter_check_interruption ()) {
g_free (s);
for (i = 0; i < replies; i++)
if (reply[replies].resp != NULL)
free (reply[replies].resp);
free (reply);
return PAM_CONV_ERR;
}
reply[replies].resp_retcode = PAM_SUCCESS;
reply[replies].resp = strdup (ve_sure_string (s));
g_free (s);
break;
case PAM_PROMPT_ECHO_OFF:
if (strcmp (m, _("Password:")) == 0)
did_we_ask_for_password = TRUE;
/* PAM requested textual input with echo off */
s = mdm_slave_greeter_ctl (MDM_NOECHO, m);
if (mdm_slave_greeter_check_interruption ()) {
g_free (s);
for (i = 0; i < replies; i++)
if (reply[replies].resp != NULL)
free (reply[replies].resp);
free (reply);
return PAM_CONV_ERR;
}
reply[replies].resp_retcode = PAM_SUCCESS;
reply[replies].resp = strdup (ve_sure_string (s));
g_free (s);
break;
case PAM_ERROR_MSG:
/* PAM sent a message that should displayed to the user */
mdm_slave_greeter_ctl_no_ret (MDM_ERRDLG, m);
reply[replies].resp_retcode = PAM_SUCCESS;
reply[replies].resp = NULL;
break;
case PAM_TEXT_INFO:
/* PAM sent a message that should displayed to the user */
mdm_slave_greeter_ctl_no_ret (MDM_MSG, m);
reply[replies].resp_retcode = PAM_SUCCESS;
reply[replies].resp = NULL;
break;
default:
/* PAM has been smoking serious crack */
for (i = 0; i < replies; i++)
if (reply[replies].resp != NULL)
free (reply[replies].resp);
free (reply);
return PAM_CONV_ERR;
}
}
*resp = reply;
return PAM_SUCCESS;
}
gchar *
mdm_verify_user (MdmDisplay *d,
const char *username,
gboolean allow_retry)
{
gchar *login, *passwd, *ppasswd;
struct passwd *pwent;
struct spwd *sp;
#if defined (HAVE_PASSWDEXPIRED) && defined (HAVE_CHPASS) \
|| defined (HAVE_LOGINRESTRICTIONS)
gchar *message = NULL;
#endif
#if defined (HAVE_PASSWDEXPIRED) && defined (HAVE_CHPASS)
gchar *info_msg = NULL, *response = NULL;
gint reEnter, ret;
#endif
if (d->attached && d->timed_login_ok)
mdm_slave_greeter_ctl_no_ret (MDM_STARTTIMER, "");
if (username == NULL) {
authenticate_again:
/* Ask for the user's login */
mdm_verify_select_user (NULL);
mdm_slave_greeter_ctl_no_ret (MDM_MSG, _("Please enter your username"));
login = mdm_slave_greeter_ctl (MDM_PROMPT, _("Username:"******"");
g_free (login);
return NULL;
}
}
mdm_slave_greeter_ctl_no_ret (MDM_MSG, "");
if (mdm_daemon_config_get_value_bool (MDM_KEY_DISPLAY_LAST_LOGIN)) {
char *info = mdm_get_last_info (login);
mdm_slave_greeter_ctl_no_ret (MDM_ERRBOX, info);
g_free (info);
}
} else {
login = g_strdup (username);
}
mdm_slave_greeter_ctl_no_ret (MDM_SETLOGIN, login);
pwent = getpwnam (login);
setspent ();
/* Lookup shadow password */
sp = getspnam (login);
/* Use shadow password when available */
if (sp != NULL) {
ppasswd = g_strdup (sp->sp_pwdp);
} else {
/* In case shadow password cannot be retrieved (when using NIS
authentication for example), use standard passwd */
if (pwent != NULL &&
pwent->pw_passwd != NULL)
ppasswd = g_strdup (pwent->pw_passwd);
else
/* If no password can be retrieved, set it to NULL */
ppasswd = NULL;
}
endspent ();
/* Request the user's password */
if (pwent != NULL &&
ve_string_empty (ppasswd)) {
/* eeek a passwordless account */
passwd = g_strdup ("");
} else {
passwd = mdm_slave_greeter_ctl (MDM_NOECHO, _("Password:"******"");
if (mdm_slave_greeter_check_interruption ()) {
if (d->attached)
mdm_slave_greeter_ctl_no_ret (MDM_STOPTIMER, "");
g_free (login);
g_free (passwd);
g_free (ppasswd);
return NULL;
}
}
if (d->attached)
mdm_slave_greeter_ctl_no_ret (MDM_STOPTIMER, "");
if (pwent == NULL) {
mdm_sleep_no_signal (mdm_daemon_config_get_value_int (MDM_KEY_RETRY_DELAY));
mdm_debug ("Couldn't authenticate user");
print_cant_auth_errbox ();
g_free (login);
g_free (passwd);
g_free (ppasswd);
return NULL;
}
/* Check whether password is valid */
if (ppasswd == NULL || (ppasswd[0] != '\0' &&
strcmp (crypt (passwd, ppasswd), ppasswd) != 0)) {
mdm_sleep_no_signal (mdm_daemon_config_get_value_int (MDM_KEY_RETRY_DELAY));
mdm_debug ("Couldn't authenticate user");
print_cant_auth_errbox ();
g_free (login);
g_free (passwd);
g_free (ppasswd);
return NULL;
}
if (( ! mdm_daemon_config_get_value_bool (MDM_KEY_ALLOW_ROOT) ||
( ! mdm_daemon_config_get_value_bool (MDM_KEY_ALLOW_REMOTE_ROOT) &&
! d->attached)) && pwent->pw_uid == 0) {
mdm_debug ("Root login disallowed on display '%s'", d->name);
mdm_slave_greeter_ctl_no_ret (MDM_ERRBOX,
_("The system administrator "
"is not allowed to login "
"from this screen"));
/*mdm_slave_greeter_ctl_no_ret (MDM_ERRDLG,
_("Root login disallowed"));*/
g_free (login);
g_free (passwd);
g_free (ppasswd);
return NULL;
}
#ifdef HAVE_LOGINRESTRICTIONS
/* Check with the 'loginrestrictions' function
if the user has been disallowed */
if (loginrestrictions (login, 0, NULL, &message) != 0) {
mdm_debug ("User not allowed to log in");
mdm_slave_greeter_ctl_no_ret (MDM_ERRBOX,
_("\nThe system administrator "
"has disabled your "
"account."));
g_free (login);
g_free (passwd);
g_free (ppasswd);
if (message != NULL)
free (message);
return NULL;
}
if (message != NULL)
free (message);
message = NULL;
#else /* ! HAVE_LOGINRESTRICTIONS */
/* check for the standard method of disallowing users */
if (pwent->pw_shell != NULL &&
(strcmp (pwent->pw_shell, NOLOGIN) == 0 ||
strcmp (pwent->pw_shell, "/bin/true") == 0 ||
strcmp (pwent->pw_shell, "/bin/false") == 0)) {
mdm_debug ("User not allowed to log in");
mdm_slave_greeter_ctl_no_ret (MDM_ERRBOX,
_("\nThe system administrator "
"has disabled your "
"account."));
/*mdm_slave_greeter_ctl_no_ret (MDM_ERRDLG,
_("Login disabled"));*/
g_free (login);
g_free (passwd);
g_free (ppasswd);
return NULL;
}
#endif /* HAVE_LOGINRESTRICTIONS */
g_free (passwd);
g_free (ppasswd);
if ( ! mdm_slave_check_user_wants_to_log_in (login)) {
g_free (login);
login = NULL;
goto authenticate_again;
}
if ( ! mdm_setup_gids (login, pwent->pw_gid)) {
mdm_debug ("Cannot set user group");
mdm_slave_greeter_ctl_no_ret (MDM_ERRBOX,
_("\nCannot set your user group; "
"you will not be able to log in. "
"Please contact your system administrator."));
g_free (login);
return NULL;
}
#if defined (HAVE_PASSWDEXPIRED) && defined (HAVE_CHPASS)
switch (passwdexpired (login, &info_msg)) {
case 1 :
mdm_debug ("User password has expired");
mdm_errorgui_error_box (d, GTK_MESSAGE_ERROR,
_("You are required to change your password.\n"
"Please choose a new one."));
g_free (info_msg);
do {
ret = chpass (login, response, &reEnter, &message);
g_free (response);
if (ret != 1) {
if (ret != 0) {
mdm_slave_greeter_ctl_no_ret (MDM_ERRBOX,
_("\nCannot change your password; "
"you will not be able to log in. "
"Please try again later or contact "
"your system administrator."));
} else if ((reEnter != 0) && (message)) {
response = mdm_slave_greeter_ctl (MDM_NOECHO, message);
if (response == NULL)
response = g_strdup ("");
}
}
g_free (message);
message = NULL;
} while ( ((reEnter != 0) && (ret == 0))
|| (ret ==1) );
g_free (response);
g_free (message);
if ((ret != 0) || (reEnter != 0)) {
return NULL;
}
#if defined (CAN_CLEAR_ADMCHG)
/* The password is changed by root, clear the ADM_CHG
flag in the passwd file */
ret = setpwdb (S_READ | S_WRITE);
if (!ret) {
upwd = getuserpw (login);
if (upwd == NULL) {
ret = -1;
}
else {
upwd->upw_flags &= ~PW_ADMCHG;
ret = putuserpw (upwd);
if (!ret) {
ret = endpwdb ();
}
}
}
if (ret) {
mdm_errorgui_error_box (d, GTK_MESSAGE_WARNING,
_("Your password has been changed but "
"you may have to change it again. "
"Please try again later or contact "
"your system administrator."));
}
#else /* !CAN_CLEAR_ADMCHG */
mdm_errorgui_error_box (d, GTK_MESSAGE_WARNING,
_("Your password has been changed but you "
"may have to change it again. Please try again "
"later or contact your system administrator."));
#endif /* CAN_CLEAR_ADMCHG */
break;
case 2 :
mdm_debug ("User password has expired");
mdm_errorgui_error_box (d, GTK_MESSAGE_ERROR,
_("Your password has expired.\n"
"Only a system administrator can now change it"));
g_free (info_msg);
return NULL;
break;
case -1 :
mdm_debug ("Internal error on passwdexpired");
mdm_errorgui_error_box (d, GTK_MESSAGE_ERROR,
_("An internal error occurred. You will not be able to log in.\n"
"Please try again later or contact your system administrator."));
g_free (info_msg);
return NULL;
break;
default :
g_free (info_msg);
break;
}
#endif /* HAVE_PASSWDEXPIRED && HAVE_CHPASS */
return login;
}
