/*
 * Authentication-method init hook for the local password method.
 *
 * When built with HAVE_SKEYACCESS, the user is first checked against the
 * S/Key access table (skeyaccess() returning 0 is treated as "denied");
 * user_tty is a file-scope name not visible here, presumably the invoking
 * terminal -- confirm against the rest of the file. If access is allowed
 * (or no S/Key check is compiled in), the user's encrypted password entry is
 * fetched with sudo_getepw() between sudo_setspent()/sudo_endspent() and
 * stashed in auth->data for later use. Who frees or clears auth->data is not
 * visible from here; check the matching verify/cleanup hooks.
 *
 * pw   - password database entry of the user being authenticated
 * auth - per-method state; only auth->data is written
 * Returns AUTH_FAILURE if the S/Key access check denies the user,
 * otherwise AUTH_SUCCESS.
 */
int
passwd_init(struct passwd *pw, sudo_auth *auth)
{
    int status = AUTH_SUCCESS;

#ifdef HAVE_SKEYACCESS
    /* A zero result from skeyaccess() means the user is not permitted. */
    if (skeyaccess(pw, user_tty, NULL, NULL) == 0)
        status = AUTH_FAILURE;
#endif

    if (status == AUTH_SUCCESS) {
        /* Bracket the lookup so the shadow database is opened and closed
         * around this single query. */
        sudo_setspent();
        auth->data = sudo_getepw(pw);
        sudo_endspent();
    }

    return status;
}
/*
 * PAM "auth" service entry point.
 *
 * Resolves the calling user, looks up the remote host (PAM_RHOST) and the
 * terminal/port (PAM_TTY), verifies the user exists in the password
 * database, and -- when built with HAVE_SKEYACCESS -- consults skeyaccess()
 * to decide whether S/Key access is permitted for that user/host/port
 * combination.
 *
 * Note what this function does NOT do: it never collects or verifies a
 * one-time password itself. It returns PAM_SUCCESS as soon as the access
 * check passes, and unconditionally (after the getpwnam() check) when
 * HAVE_SKEYACCESS is not defined. Any actual credential check must happen
 * elsewhere in the stack.
 *
 * Diagnostics are written straight to stderr rather than through the PAM
 * conversation function, so they may be invisible or misplaced for
 * applications that do not run on a terminal.
 *
 * pamh  - PAM handle
 * flags - unused by this function
 * argc, argv - module options from the PAM configuration, parsed by
 *              mod_getopt(); _MOD_DEBUG enables syslog(LOG_DEBUG) tracing
 * Returns PAM_USER_UNKNOWN if the username cannot be determined or is not
 * in the password database, PAM_AUTH_ERR if skeyaccess() denies access,
 * PAM_SUCCESS otherwise.
 */
PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv)
{
    char *username = NULL;              /* will point to username */
    unsigned mod_opt = _MOD_NONE_ON;    /* module options */
    char *host;                         /* will point to host */
    char *port;                         /* will point to port */
    struct passwd *pwuser;

    /* Get module options */
    mod_getopt(&mod_opt, argc, argv);

    /* Get username */
    /* NOTE(review): the span between the "login:" prompt and the
     * "cannot determine username" message looks like an extraction artifact
     * (a run of asterisks stands where the pam_get_user() return-value check
     * and the fprintf(stderr, ...) call presumably were); it has been left
     * as found -- confirm against the original source. */
    if (pam_get_user(pamh, (_PAM_CONST char **)&username, "login:"******"cannot determine username\n");
        if (mod_opt & _MOD_DEBUG)
            syslog(LOG_DEBUG, "cannot determine username");
        return PAM_USER_UNKNOWN;
    }

    if (mod_opt & _MOD_DEBUG)
        syslog(LOG_DEBUG, "got username %s", username);

    /* Check S/Key access permissions - user, host and port. Also include
     * sanity checks */

    /* Get host.. (the casts through (_PAM_CONST void **) are the usual
     * pam_get_item() idiom; host/port are set to NULL when the item is
     * absent so the later calls can distinguish "unknown".) */
    if (pam_get_item(pamh, PAM_RHOST, (_PAM_CONST void **)&host) != PAM_SUCCESS)
        host = NULL;

    /* ..and port */
    if (pam_get_item(pamh, PAM_TTY, (_PAM_CONST void **)&port) != PAM_SUCCESS)
        port = NULL;

    /* PAM_RHOST is whatever the calling application set it to -- for network
     * services that is typically remote-supplied -- and is logged verbatim as
     * a %s argument (never as the format string). */
    if (mod_opt & _MOD_DEBUG)
        syslog(LOG_DEBUG, "checking s/key access for user %s,"
               " host %s, port %s", username,
               (host != NULL) ? host : "*unknown*",
               (port != NULL) ? port : "*unknown*");

    /* Get information from passwd file */
    if ((pwuser = getpwnam(username)) == NULL) {
        fprintf(stderr, "no such user\n");
        syslog(LOG_NOTICE, "cannot find user %s", username);
        return PAM_USER_UNKNOWN; /* perhaps even return PAM_ABORT here? */
    }

#ifdef HAVE_SKEYACCESS
    /* Do actual checking - we assume skeyaccess() returns PERMIT which is
     * by default 1. Notice 4th argument is NULL - we will not perform
     * address checks on host itself */
    if (skeyaccess(pwuser, port, host, NULL) != 1) {
        fprintf(stderr, "no s/key access permissions\n");
        syslog(LOG_NOTICE, "no s/key access permissions for %s", username);
        return PAM_AUTH_ERR;
    }
#endif /* HAVE_SKEYACCESS */

    /* Access permitted (or no access check compiled in): nothing else is
     * verified here. */
    return PAM_SUCCESS;
}