Пример #1
0
int
pam_sm_open_session(pam_handle_t *pamh, int flags, int argc, const char **argv)
{
	char *user_name, *service;
	unsigned int ctrl;
	int retval;
    const char *login_name;

	D(("called."));

	ctrl = _set_ctrl(pamh, flags, NULL, NULL, NULL, argc, argv);

	retval = pam_get_item(pamh, PAM_USER, (void *) &user_name);
	if (user_name == NULL || *user_name == '\0' || retval != PAM_SUCCESS) {
		pam_syslog(pamh, LOG_CRIT,
		         "open_session - error recovering username");
		return PAM_SESSION_ERR;		/* How did we get authenticated with
						   no username?! */
	}
	retval = pam_get_item(pamh, PAM_SERVICE, (void *) &service);
	if (service == NULL || *service == '\0' || retval != PAM_SUCCESS) {
		pam_syslog(pamh, LOG_CRIT,
		         "open_session - error recovering service");
		return PAM_SESSION_ERR;
	}
	login_name = pam_modutil_getlogin(pamh);
	if (login_name == NULL) {
	    login_name = "";
	}
	if (off (UNIX_QUIET, ctrl))
	  pam_syslog(pamh, LOG_INFO, "session opened for user %s by %s(uid=%lu)",
		     user_name, login_name, (unsigned long)getuid());

	return PAM_SUCCESS;
}
PAM_EXTERN int pam_sm_open_session(pam_handle_t * pamh, int flags,
				   int argc, const char **argv)
{
	char *user_name = NULL, *service = NULL;
	unsigned int ctrl = 0;
	int retval = 0;
	const char *login_name = NULL;
	const char *login_username = NULL;
	const char *old_tai = NULL;
	int names_different = 0;
        lpc_auth_method auth_method = lpcam_none;
        const char *user_remote = NULL, *user_local = NULL;

        /* pam_syslog(pamh, LOG_DEBUG, "pam_sm_open_session()"); */

	D(("called."));

	ctrl = _set_ctrl(pamh, flags, NULL, NULL, argc, argv);

	retval = pam_get_item(pamh, PAM_USER, (void *) &user_name);
	if (user_name == NULL || *user_name == '\0' || retval != PAM_SUCCESS) {
		pam_syslog(pamh, LOG_CRIT,
		         "open_session - error recovering username");
		return PAM_SESSION_ERR;		/* How did we get authenticated with
						   no username?! */
	}
	retval = pam_get_item(pamh, PAM_SERVICE, (void *) &service);
	if (service == NULL || *service == '\0' || retval != PAM_SUCCESS) {
		pam_syslog(pamh, LOG_CRIT,
		         "open_session - error recovering service");
		return PAM_SESSION_ERR;
	}
	login_name = pam_modutil_getlogin(pamh);
	if (login_name == NULL) {
	    login_name = "";
	}

	login_username = pam_getenv(pamh, "LOGIN_USER");
	if (login_username && (!user_name || 
                               (strcmp(login_username, user_name) != 0))) {
            names_different = 1;
	    pam_syslog(pamh, LOG_INFO, "session opened for user %s (%s) by "
                       "%s(uid=%lu)"
                       ,login_username, user_name
                       ,login_name, (unsigned long) getuid());
	}
	else {
	    names_different = 0;
	    pam_syslog(pamh, LOG_INFO, "session opened for user %s by %s(uid=%lu)",
		       user_name, login_name, (unsigned long)getuid());
	}

	/*
	 * Make sure TRUSTED_AUTH_INFO is set.  The cases are:
	 * 
	 *   1. Set to the magic string PAM_TRUSTED_AUTH_INFO_SET_STR.
         *      This is how sshd signals us that it wants us to set it
         *      ourselves; probably it means the user authenticated in some
         *      non-PAM way, like with an ssh authorized key.
	 *
	 *      (a) If user_name and login_name match, we'll assume that
	 *	    their authentication was "local", and report it that way.
	 *	    (This could be remote authentication if someone
         *          introduced a new PAM module, but we'll stick with 
         *          Occam's Razor...)
	 *
	 *      (b) If user_name and login_name do not match, this is
	 *	    unexpected.  This suggests it was a remote authentication,
	 *	    but by a module that's not one we have modified to support
	 *	    TRUSTED_AUTH_INFO.  Since we don't know the situation,
         *          leave it alone.
         *
         *   2. Set to something else.  We'll presume it's set to some
         *      real value here, and leave it alone.
         *
         *   3. Not set at all.  We're not sure how this happened, but
         *      leave it alone.
	 */
	old_tai = pam_getenv(pamh, "TRUSTED_AUTH_INFO");

	if (old_tai == NULL) { /* Case 3 */
            /*
             * Leave it unset.
             */
	    pam_syslog(pamh, LOG_DEBUG, "TRUSTED_AUTH_INFO: not set, "
                       "leaving it alone");
        }
        else if (!strcmp(old_tai, PAM_TRUSTED_AUTH_INFO_SET_STR)) { /*Case 1*/
            if (login_username && user_name) {
                user_remote = login_username;
                user_local = user_name;
            }
            else {
                /* We know from above test that user_name is non-NULL */
                user_remote = user_name;
                user_local = user_name;
            }

	    if (names_different) { /* Case 1b */
		pam_syslog(pamh, LOG_WARNING, "TRUSTED_AUTH_INFO: set "
                           "requested, but two different usernames?  "
                           "(LOGIN_USER = '******', AUTH_USER = '******')  "
                           "Leaving it alone", user_remote, user_local);
	    }
	    else { /* Case 1a */
		pam_syslog(pamh, LOG_DEBUG, "TRUSTED_AUTH_INFO: set "
                           "requested, names match, presuming non-PAM local "
			   "authentication, e.g. ssh authorized key");
                auth_method = lpcam_local;
	    }

            if (auth_method != lpcam_none) {
                pam_unix_set_trusted_auth_info(pamh, auth_method,
                                               user_remote, user_local);
            }
	}
        else { /* Case 2 */
            /*
             * Leave it unset.
             */
	    pam_syslog(pamh, LOG_DEBUG, "TRUSTED_AUTH_INFO: already set, "
                       "leaving it alone");
        }

	return PAM_SUCCESS;
}