示例#1
0
文件: xlsh.c 项目: drwilly/xlsh
int xlsh_session_open(const char* service, const char* user,
                      pam_handle_t** handle)
{
  struct pam_conv conv = { xlsh_session_conv, NULL };
  pam_handle_t* pam_handle;

  if(pam_start(service, user, &conv, &pam_handle) != PAM_SUCCESS)
    return XLSH_ERROR;

  if(xlsh_X)
    pam_set_item(pam_handle, PAM_TTY, XLSH_XTTY);
  else
    pam_set_item(pam_handle, PAM_TTY, ttyname(0));

  if(pam_authenticate(pam_handle, 0) != PAM_SUCCESS) {
    pam_end(pam_handle, 0);
    return XLSH_ERROR;
  }
  if(pam_acct_mgmt(pam_handle, 0) != PAM_SUCCESS) {
    pam_end(pam_handle, 0);
    return XLSH_ERROR;
  }
  if(pam_setcred(pam_handle, PAM_ESTABLISH_CRED) != PAM_SUCCESS) {
    pam_end(pam_handle, 0);
    return XLSH_ERROR;
  }
  if(pam_open_session(pam_handle, 0) != PAM_SUCCESS) {
    pam_setcred(pam_handle, PAM_DELETE_CRED);
    pam_end(pam_handle, 0);
    return XLSH_ERROR;
  }

  *handle = pam_handle;
  return XLSH_EOK;
}
示例#2
0
void
do_pam_setcred(int init)
{
	sshpam_err = pam_set_item(sshpam_handle, PAM_CONV,
	    (const void *)&store_conv);
	if (sshpam_err != PAM_SUCCESS)
		fatal("PAM: failed to set PAM_CONV: %s",
		    pam_strerror(sshpam_handle, sshpam_err));
	if (init) {
		debug("PAM: establishing credentials");
		sshpam_err = pam_setcred(sshpam_handle, PAM_ESTABLISH_CRED);
	} else {
		debug("PAM: reinitializing credentials");
		sshpam_err = pam_setcred(sshpam_handle, PAM_REINITIALIZE_CRED);
	}
	if (sshpam_err == PAM_SUCCESS) {
		sshpam_cred_established = 1;
		return;
	}
	if (sshpam_authenticated)
		fatal("PAM: pam_setcred(): %s",
		    pam_strerror(sshpam_handle, sshpam_err));
	else
		debug("PAM: pam_setcred(): %s",
		    pam_strerror(sshpam_handle, sshpam_err));
}
示例#3
0
static void sftppam_exit_ev(const void *event_data, void *user_data) {

  /* Close the PAM session */

  if (sftppam_pamh != NULL) {
    int res;

#ifdef PAM_CRED_DELETE
    res = pam_setcred(sftppam_pamh, PAM_CRED_DELETE);
#else
    res = pam_setcred(sftppam_pamh, PAM_DELETE_CRED);
#endif
    if (res != PAM_SUCCESS) {
      pr_trace_msg(trace_channel, 9, "PAM error setting PAM_DELETE_CRED: %s",
        pam_strerror(sftppam_pamh, res));
    }

    res = pam_close_session(sftppam_pamh, PAM_SILENT);
    pam_end(sftppam_pamh, res);
    sftppam_pamh = NULL;
  }

  if (sftppam_user != NULL) {
    free(sftppam_user);
    sftppam_user = NULL;
    sftppam_userlen = 0;
  }
}
示例#4
0
void Authenticator::close_session(void) {
    switch((last_result=pam_close_session(pam_handle, 0))) {
    // The documentation and implementation of Linux PAM differs:
    // PAM_SESSION_ERROR is described in the documentation but
    // don't exists in the actual implementation. This issue needs
    // to be fixes at some point.

    default:
        //case PAM_SESSION_ERROR:
        pam_setcred(pam_handle, PAM_DELETE_CRED);
        _end();
        throw Exception(pam_handle, "pam_close_session", last_result);

    case PAM_SUCCESS:
        break;
    };
    switch((last_result=pam_setcred(pam_handle, PAM_DELETE_CRED))) {
    default:
    case PAM_CRED_ERR:
    case PAM_CRED_UNAVAIL:
    case PAM_CRED_EXPIRED:
    case PAM_USER_UNKNOWN:
        _end();
        throw Exception(pam_handle, "pam_setcred()", last_result);

    case PAM_SUCCESS:
        break;
    }
    return;
}
示例#5
0
static enum pamtest_err run_test_case(pam_handle_t *ph,
				      struct pam_testcase *tc)
{
	switch (tc->pam_operation) {
	case PAMTEST_AUTHENTICATE:
		tc->op_rv = pam_authenticate(ph, tc->flags);
		return PAMTEST_ERR_OK;
	case PAMTEST_SETCRED:
		tc->op_rv = pam_setcred(ph, tc->flags);
		return PAMTEST_ERR_OK;
	case PAMTEST_ACCOUNT:
		tc->op_rv = pam_acct_mgmt(ph, tc->flags);
		return PAMTEST_ERR_OK;
	case PAMTEST_OPEN_SESSION:
		tc->op_rv = pam_open_session(ph, tc->flags);
		return PAMTEST_ERR_OK;
	case PAMTEST_CLOSE_SESSION:
		tc->op_rv = pam_close_session(ph, tc->flags);
		return PAMTEST_ERR_OK;
	case PAMTEST_CHAUTHTOK:
		tc->op_rv = pam_chauthtok(ph, tc->flags);
		return PAMTEST_ERR_OK;
	case PAMTEST_GETENVLIST:
		tc->case_out.envlist = pam_getenvlist(ph);
		return PAMTEST_ERR_OK;
	case PAMTEST_KEEPHANDLE:
		tc->case_out.ph = ph;
		return PAMTEST_ERR_KEEPHANDLE;
	default:
		return PAMTEST_ERR_OP;
	}

	return PAMTEST_ERR_OP;
}
示例#6
0
 bool PamHandle::setCred(int flags) {
     m_result = pam_setcred(m_handle, flags | m_silent);
     if (m_result != PAM_SUCCESS) {
         qWarning() << "[PAM] setCred:" << pam_strerror(m_handle, m_result);
     }
     return m_result == PAM_SUCCESS;
 }
示例#7
0
文件: session.c 项目: bbidulock/wdm
void SessionExit(struct display *d, int status, int removeAuth)
{
#ifdef USE_PAM
	pam_handle_t *pamh = thepamh();
	if (pamh) {
		/* shutdown PAM session */
		if (pam_setcred(pamh, PAM_DELETE_CRED) != PAM_SUCCESS)
			WDMError("pam_setcred(DELETE_CRED) failed, errno=%d", errno);
		pam_close_session(pamh, 0);
		pam_end(pamh, PAM_SUCCESS);
		pamh = NULL;
	}
#endif

	/* make sure the server gets reset after the session is over */
	if (d->serverPid >= 2 && d->resetSignal)
		kill(d->serverPid, d->resetSignal);
	else
		ResetServer(d);
	if (removeAuth) {
		setgid(verify.gid);
		setuid(verify.uid);
		RemoveUserAuthorization(d, &verify);
	}
	WDMDebug("Display %s exiting with status %d\n", d->name, status);
	exit(status);
}
示例#8
0
文件: slock.c 项目: jackdoe/slock
static int auth(const char *password) {
    pam_handle_t* pamh; 
    struct passwd *pw;
    if ((pw = getpwuid(getuid())) == NULL)
        return 0;

    struct pam_response * reply = malloc(sizeof(struct pam_response));
    if (!reply)
        return 0;

    struct pam_conv pamc = { conversation, reply };
    int rc = 0;

    reply->resp = strdup(password);
    reply->resp_retcode = 0; 
    pam_start("slock", pw->pw_name, &pamc, &pamh);
    if (pam_set_item(pamh, PAM_AUTHTOK, password) == PAM_SUCCESS        &&
        pam_authenticate(pamh,PAM_DISALLOW_NULL_AUTHTOK) == PAM_SUCCESS &&
        pam_acct_mgmt(pamh, 0) == PAM_SUCCESS                           &&
        pam_setcred(pamh, PAM_REFRESH_CRED) == PAM_SUCCESS) {
           rc = 1;
    }
    pam_end(pamh,0);
    return rc;
}
示例#9
0
文件: pam_ses.c 项目: HDOD/slurm
void
pam_finish ()
{
        int             rc = 0;

	/* 
	 * Allow PAM to clean up its state by closing the user session and
	 * ending the association with PAM.
	 */

	if (!conf->use_pam)
		return;

        if (pam_h != NULL) {
		/*
		 * Log any errors, but there's no need to return a SLURM error.
		 */
                if ((rc = pam_close_session (pam_h, 0)) != PAM_SUCCESS) {
                        error("pam_close_session: %s", pam_strerror(pam_h, rc));
                }
                if ((rc = pam_setcred (pam_h, PAM_DELETE_CRED)) != PAM_SUCCESS){
                        error("pam_setcred DELETE: %s", pam_strerror(pam_h,rc));
                }
                if ((rc = pam_end (pam_h, rc)) != PAM_SUCCESS) {
                        error("pam_end: %s", pam_strerror(NULL, rc));
                }
                pam_h = NULL;
        }
}
static void
init_groups (const struct passwd* pw, gid_t* groups, int num_groups) {
    int retval;

    errno = 0;

    if (num_groups) {
        retval = setgroups (num_groups, groups);
    } else {
        retval = initgroups (pw->pw_name, pw->pw_gid);
    }

    if (retval == -1) {
        cleanup_pam (PAM_ABORT);
        err (EXIT_FAILURE, _("cannot set groups"));
    }
    endgrent ();

    retval = pam_setcred (pamh, PAM_ESTABLISH_CRED);
    if (is_pam_failure(retval)) {
        errx (EXIT_FAILURE, "%s", pam_strerror (pamh, retval));
    } else {
        _pam_cred_established = 1;
    }
}
示例#11
0
文件: mcserv.c 项目: sfionov/mc-dev
/* Return 0 if authentication failed, 1 otherwise */
static int
mc_pam_auth (const char *username, const char *password)
{
    pam_handle_t *pamh;
    struct user_pass up;
    int status;

    up.username = username;
    up.password = password;
    conv.appdata_ptr = &up;

    if ((status =
	 pam_start ("mcserv", username, &conv, &pamh)) != PAM_SUCCESS)
	goto failed_pam;
    if ((status = pam_authenticate (pamh, 0)) != PAM_SUCCESS)
	goto failed_pam;
    if ((status = pam_acct_mgmt (pamh, 0)) != PAM_SUCCESS)
	goto failed_pam;
    if ((status = pam_setcred (pamh, PAM_ESTABLISH_CRED)) != PAM_SUCCESS)
	goto failed_pam;
    pam_end (pamh, status);
    return 0;

  failed_pam:
    pam_end (pamh, status);
    return 1;
}
示例#12
0
/* Called at exit to cleanly shutdown PAM */
static void
do_pam_cleanup_proc(void *context)
{
	int pam_retval;
	pam_stuff *pam = (pam_stuff *) context;

	if (pam == NULL)
		return;

	if (pam->authctxt != NULL && pam->authctxt->pam == pam) {
		pam->authctxt->pam_retval = pam->last_pam_retval;
		pam->authctxt->pam = NULL;
		pam->authctxt = NULL;
	}

	if (pam->h == NULL)
		return;

	/*
	 * We're in fatal_cleanup() or not in userauth or without a
	 * channel -- can't converse now, too bad.
	 */
	pam_retval = pam_set_item(pam->h, PAM_CONV, NULL);
	if (pam_retval != PAM_SUCCESS) {
		log("Cannot remove PAM conv, close session or delete creds[%d]: %.200s",
			pam_retval, PAM_STRERROR(pam->h, pam_retval));
		goto cleanup;
	}

	if (pam->state & PAM_S_DONE_OPEN_SESSION) {
		pam_retval = pam_close_session(pam->h, 0);
		if (pam_retval != PAM_SUCCESS)
			log("Cannot close PAM session[%d]: %.200s",
			    pam_retval, PAM_STRERROR(pam->h, pam_retval));
	}

	if (pam->state & PAM_S_DONE_SETCRED) {
		pam_retval = pam_setcred(pam->h, PAM_DELETE_CRED);
		if (pam_retval != PAM_SUCCESS)
			debug("Cannot delete credentials[%d]: %.200s", 
			    pam_retval, PAM_STRERROR(pam->h, pam_retval));
	}

cleanup:

	/* Use the previous PAM result, if not PAM_SUCCESS for pam_end() */
	if (pam->last_pam_retval != PAM_SUCCESS)
		pam_retval = pam_end(pam->h, pam->last_pam_retval);
	else if (pam_retval != PAM_SUCCESS)
		pam_retval = pam_end(pam->h, pam_retval);
	else
		pam_retval = pam_end(pam->h, PAM_ABORT);

	if (pam_retval != PAM_SUCCESS)
		log("Cannot release PAM authentication[%d]: %.200s",
		    pam_retval, PAM_STRERROR(pam->h, pam_retval));

	xfree(pam);
}
示例#13
0
文件: ckp_pam.c 项目: Distrotech/pine
static void checkpw_cleanup (pam_handle_t *hdl)
{
#if 0	/* see checkpw() for why this is #if 0 */
  pam_close_session (hdl,NIL);	/* close session [uw]tmp */
#endif
  pam_setcred (hdl,PAM_DELETE_CRED);
  pam_end (hdl,PAM_SUCCESS);
}
示例#14
0
文件: verify-pam.c 项目: ActusOS/mdm
void
mdm_verify_cleanup (MdmDisplay *d)
{
	gid_t groups[1] = { 0 };
	cur_mdm_disp = d;

	if (pamh != NULL) {
		gint pamerr;
		pam_handle_t *tmp_pamh;
		gboolean old_opened_session;
		gboolean old_did_setcred;

		mdm_debug ("Running mdm_verify_cleanup and pamh != NULL");

		mdm_sigterm_block_push ();
		mdm_sigchld_block_push ();
		tmp_pamh = pamh;
		pamh = NULL;
		old_opened_session = opened_session;
		opened_session = FALSE;
		old_did_setcred = did_setcred;
		did_setcred = FALSE;
		mdm_sigchld_block_pop ();
		mdm_sigterm_block_pop ();

		pamerr = PAM_SUCCESS;

		/* Close the users session */
		if (old_opened_session) {
			mdm_debug ("Running pam_close_session");
			pamerr = pam_close_session (tmp_pamh, 0);
		}

		/* Throw away the credentials */
		if (old_did_setcred) {
			mdm_debug ("Running pam_setcred with PAM_DELETE_CRED");
			pamerr = pam_setcred (tmp_pamh, PAM_DELETE_CRED);
		}

		pam_end (tmp_pamh, pamerr);

		/* Workaround to avoid mdm messages being logged as PAM_pwdb */
                mdm_log_shutdown ();
                mdm_log_init ();
	}

	/* Clear the group setup */
	setgid (0);
	/* this will get rid of any suplementary groups etc... */
	setgroups (1, groups);

	cur_mdm_disp = NULL;

	/* reset limits */
	mdm_reset_limits ();
}
示例#15
0
int context::rmcred()
{
    int code = static_cast<int>(errc::success);
    if(_M_cred)
    {
        code = pam_setcred(_M_pamh, PAM_DELETE_CRED);
        _M_cred = false;
    }
    return code;
}
示例#16
0
bool PAMAuthenticator::authenticate(void)
{
	pam_conv c;
	c.conv        = PAMAuthenticator::conv;
	c.appdata_ptr = this;

	int res = pam_start("repwatchproxy", 0, &c, &this->m_ph);
	if (res == PAM_SUCCESS) {
		res = pam_set_item(this->m_ph, PAM_RUSER, this->m_user.constData());
		if (res != PAM_SUCCESS) {
			goto getout;
		}

		res = pam_set_item(this->m_ph, PAM_RHOST, this->m_host.constData());
		if (res != PAM_SUCCESS) {
			goto getout;
		}

		res = pam_authenticate(this->m_ph, 0);
		if (res != PAM_SUCCESS) {
			goto getout;
		}

		res = pam_acct_mgmt(this->m_ph, 0);
		if (PAM_NEW_AUTHTOK_REQD == res) {
			res = pam_chauthtok(this->m_ph, PAM_CHANGE_EXPIRED_AUTHTOK);
		}

		if (res != PAM_SUCCESS) {
			goto getout;
		}

		res = pam_setcred(this->m_ph, PAM_ESTABLISH_CRED);
		if (res != PAM_SUCCESS) {
			goto getout;
		}

		res = pam_open_session(this->m_ph, 0);
		if (res != PAM_SUCCESS) {
			goto getout;
		}

		return true;

getout:
		qWarning("%s: %s", Q_FUNC_INFO, pam_strerror(this->m_ph, res));
		pam_end(this->m_ph, res);
	}
	else {
		qCritical("PAM initialization failed");
	}

	this->m_ph = 0;
	return false;
}
示例#17
0
文件: xlsh.c 项目: drwilly/xlsh
int xlsh_session_close(pam_handle_t* handle)
{
  pam_close_session(handle, 0);
  if(pam_setcred(handle, PAM_DELETE_CRED) != PAM_SUCCESS) {
    pam_end(handle, 0);
    return XLSH_ERROR;
  }

  pam_end(handle, 0);
  return XLSH_EOK;
}
示例#18
0
gboolean pam_session_open(void)
{
  g_pamLastStatus = pam_setcred(g_pamHandle, PAM_ESTABLISH_CRED);
  if (g_pamLastStatus != PAM_SUCCESS)
    {
      fprintf(stderr, "Jolicloud-DisplayManager: Unable to define pam credentials. Error %d\n",
	      g_pamLastStatus);
      return FALSE;
    }

  g_pamLastStatus = pam_open_session(g_pamHandle, 0);
  if (g_pamLastStatus != PAM_SUCCESS)
    {
      fprintf(stderr, "Jolicloud-DisplayManager: Unable to open session with pan. Error %d\n",
	      g_pamLastStatus);
      pam_setcred(g_pamHandle, PAM_DELETE_CRED);
      return FALSE;
    }

  return TRUE;
}
示例#19
0
/*
 * Note that the position of the pam_setcred() call is discussable:
 *
 *  - the PAM docs recommend pam_setcred() before pam_open_session()
 *  - but the original RFC http://www.opengroup.org/rfc/mirror-rfc/rfc86.0.txt
 *    uses pam_setcred() after pam_open_session()
 *
 * The old login versions (before year 2011) followed the RFC. This is probably
 * not optimal, because there could be a dependence between some session modules
 * and the user's credentials.
 *
 * The best is probably to follow openssh and call pam_setcred() before and
 * after pam_open_session().                -- [email protected]om (18-Nov-2011)
 *
 */
static void loginpam_session(struct login_context *cxt)
{
	int rc;
	pam_handle_t *pamh = cxt->pamh;

	rc = pam_setcred(pamh, PAM_ESTABLISH_CRED);
	if (is_pam_failure(rc))
		loginpam_err(pamh, rc);

	rc = pam_open_session(pamh, 0);
	if (is_pam_failure(rc)) {
		pam_setcred(cxt->pamh, PAM_DELETE_CRED);
		loginpam_err(pamh, rc);
	}

	rc = pam_setcred(pamh, PAM_REINITIALIZE_CRED);
	if (is_pam_failure(rc)) {
		pam_close_session(pamh, 0);
		loginpam_err(pamh, rc);
	}
}
示例#20
0
文件: pam_ses.c 项目: IFCA/slurm
int
pam_setup (char *user, char *host)
{
	/*
	 * Any application using PAM must provide a conversion function, which
	 * is used for direct communication between a loaded module and the
	 * application. In this case, SLURM does need a communication mechanism,
	 * so the default (or null) conversation function may be used.
	 */
	struct pam_conv conv = {misc_conv, NULL};
        int             rc = 0;

	if (!conf->use_pam)
		return SLURM_SUCCESS;
	/*
	 * SLURM uses PAM to obtain resource limits established by the system
	 * administrator. PAM's session management library is responsible for
	 * handling resource limits. When a PAM session is opened on behalf of
	 * a user, the limits imposed by the sys admin are picked up. Opening
	 * a PAM session requires a PAM handle, which is obtained when the PAM
	 * interface is initialized. (PAM handles are required with essentially
	 * all PAM calls.) It's also necessary to have the users PAM credentials
	 * to open a user session.
 	 */
        if ((rc = pam_start (SLURM_SERVICE_PAM, user, &conv, &pam_h))
			!= PAM_SUCCESS) {
                error ("pam_start: %s", pam_strerror(pam_h, rc));
                return SLURM_ERROR;
        } else if ((rc = pam_set_item (pam_h, PAM_USER, user))
			!= PAM_SUCCESS) {
                error ("pam_set_item USER: %s", pam_strerror(pam_h, rc));
                return SLURM_ERROR;
        } else if ((rc = pam_set_item (pam_h, PAM_RUSER, user))
			!= PAM_SUCCESS) {
                error ("pam_set_item RUSER: %s", pam_strerror(pam_h, rc));
                return SLURM_ERROR;
        } else if ((rc = pam_set_item (pam_h, PAM_RHOST, host))
			!= PAM_SUCCESS) {
                error ("pam_set_item HOST: %s", pam_strerror(pam_h, rc));
              return SLURM_ERROR;
        } else if ((rc = pam_setcred (pam_h, PAM_ESTABLISH_CRED))
			!= PAM_SUCCESS) {
                error ("pam_setcred: %s", pam_strerror(pam_h, rc));
                return SLURM_ERROR;
        } else if ((rc = pam_open_session (pam_h, 0)) != PAM_SUCCESS) {
                error("pam_open_session: %s", pam_strerror(pam_h, rc));
                return SLURM_ERROR;
        }

	return SLURM_SUCCESS;

}
示例#21
0
static void
vsf_auth_shutdown(void)
{
  if (s_pamh == 0)
  {
    bug("vsf_auth_shutdown");
  }
  (void) pam_close_session(s_pamh, 0);
  (void) pam_setcred(s_pamh, PAM_DELETE_CRED);
  (void) pam_end(s_pamh, PAM_SUCCESS);
  s_pamh = 0;
  vsf_remove_uwtmp();
}
示例#22
0
文件: ckp_pam.c 项目: Distrotech/pine
struct passwd *checkpw (struct passwd *pw,char *pass,int argc,char *argv[])
{
  pam_handle_t *hdl;
  struct pam_conv conv;
  struct checkpw_cred cred;
  conv.conv = &checkpw_conv;
  conv.appdata_ptr = &cred;
  cred.uname = pw->pw_name;
  cred.pass = pass;
  if ((pam_start ((char *) mail_parameters (NIL,GET_SERVICENAME,NIL),
		  pw->pw_name,&conv,&hdl) != PAM_SUCCESS) ||
      (pam_set_item (hdl,PAM_RHOST,tcp_clientaddr ()) != PAM_SUCCESS) ||
      (pam_authenticate (hdl,NIL) != PAM_SUCCESS) ||
      (pam_acct_mgmt (hdl,NIL) != PAM_SUCCESS) ||
      (pam_setcred (hdl,PAM_ESTABLISH_CRED) != PAM_SUCCESS)) {
				/* clean up */
    pam_setcred (hdl,PAM_DELETE_CRED);
    pam_end (hdl,PAM_AUTH_ERR);	/* failed */
    return NIL;
  }
#if 0
  /*
   * Some people have reported that this causes a SEGV in strncpy() from
   * pam_unix.so.1
   */
  /*
   * This pam_open_session() call is inconsistant with how we handle other
   * platforms, where we don't write [uw]tmp records.  However, unlike our
   * code on other platforms, pam_acct_mgmt() will check those records for
   * inactivity and deny the authentication.
   */
  pam_open_session (hdl,NIL);	/* make sure account doesn't go inactive */
#endif
				/* arm hook to delete credentials */
  mail_parameters (NIL,SET_LOGOUTHOOK,(void *) checkpw_cleanup);
  mail_parameters (NIL,SET_LOGOUTDATA,(void *) hdl);
  return pw;
}
示例#23
0
gboolean pam_session_close(void)
{
  g_pamLastStatus = pam_close_session(g_pamHandle, 0);

  g_pamLastStatus = pam_setcred(g_pamHandle, PAM_DELETE_CRED);
  if (g_pamLastStatus != PAM_SUCCESS)
    {
      fprintf(stderr, "Jolicloud-DisplayManager: Unable to delete pam credentials. Error %d\n",
	      g_pamLastStatus);
      return FALSE;
    }

  return TRUE;
}
示例#24
0
文件: pam.c 项目: NWilson/netlogind
int pam_begin_session(const char* username, int fd)
{
  int rv, i;
  if (!pam_h &&
      (rv = pam_start(PAM_APPL_NAME, username, &conv, &pam_h)) != PAM_SUCCESS)
    fatal("pam_start() failure: %d", rv);
#ifdef SUN_PAM_TTY_BUG
  if ((rv = pam_set_item(pam_h, PAM_TTY, "/dev/nld")) != PAM_SUCCESS)
    fatal("pam_set_item(PAM_TTY,/dev/nld");
#endif

  conv_reject_prompts = 1;
  pam_conv_fd = fd;

  /* On Solaris and HP-UX, the docs say we can't call setcred first, and the
   * modules actually enforce that. LinuxPAM says we must call setcred first,
   * and that's preferable, so we do it in all other cases. */
#ifdef SUN_PAM
  int setcred_first = 0;
#else
  int setcred_first = 1;
#endif

  for (i = 0; i < 2; ++i) {
    if (i != setcred_first) {
      if ((rv = pam_setcred(pam_h, PAM_ESTABLISH_CRED)) != PAM_SUCCESS) {
        debug("pam_setcred(PAM_ESTABLISH_CRED): %s", pam_strerror(pam_h, rv));
        if (authenticated) {
          pam_conv_fd = -1;
          return -1;
        }
      } else {
        setcred = 1;
      }
    } else {
      if ((rv = pam_open_session(pam_h, 0)) != PAM_SUCCESS) {
        debug("pam_open_session(): %s", pam_strerror(pam_h, rv));
        if (authenticated) {
          pam_conv_fd = -1;
          return -1;
        }
      } else {
        opened_session = 1;
      }
    }
  }
  pam_conv_fd = -1;
  return 0;
}
示例#25
0
文件: pam.c 项目: CVi/sudo
int
pam_begin_session(struct passwd *pw, sudo_auth *auth)
{
    int status = PAM_SUCCESS;

    /*
     * If there is no valid user we cannot open a PAM session.
     * This is not an error as sudo can run commands with arbitrary
     * uids, it just means we are done from a session management standpoint.
     */
    if (pw == NULL) {
	if (pamh != NULL) {
	    (void) pam_end(pamh, PAM_SUCCESS | PAM_DATA_SILENT);
	    pamh = NULL;
	}
	goto done;
    }

    /* If the user did not have to authenticate there is no pam handle yet. */
    if (pamh == NULL)
	pam_init(pw, NULL, NULL);

    /*
     * Update PAM_USER to reference the user we are running the command
     * as, as opposed to the user we authenticated as.
     */
    (void) pam_set_item(pamh, PAM_USER, pw->pw_name);

    /*
     * Set credentials (may include resource limits, device ownership, etc).
     * We don't check the return value here because in Linux-PAM 0.75
     * it returns the last saved return code, not the return code
     * for the setcred module.  Because we haven't called pam_authenticate(),
     * this is not set and so pam_setcred() returns PAM_PERM_DENIED.
     * We can't call pam_acct_mgmt() with Linux-PAM for a similar reason.
     */
    (void) pam_setcred(pamh, PAM_ESTABLISH_CRED);

#ifndef NO_PAM_SESSION
    status = pam_open_session(pamh, 0);
    if (status != PAM_SUCCESS) {
	(void) pam_end(pamh, status | PAM_DATA_SILENT);
	pamh = NULL;
    }
#endif

done:
    return status == PAM_SUCCESS ? AUTH_SUCCESS : AUTH_FAILURE;
}
示例#26
0
static void
pm_do_auth(adt_session_data_t *ah)
{
	pam_handle_t	*pm_pamh;
	int		err;
	int		pam_flag = 0;
	int		chpasswd_tries;
	struct pam_conv pam_conv = {pam_tty_conv, NULL};

	if (user[0] == '\0')
		return;

	if ((err = pam_start("sys-suspend", user, &pam_conv,
	    &pm_pamh)) != PAM_SUCCESS)
		return;

	pam_flag = PAM_DISALLOW_NULL_AUTHTOK;

	do {
		err = pam_authenticate(pm_pamh, pam_flag);

		if (err == PAM_SUCCESS) {
			err = pam_acct_mgmt(pm_pamh, pam_flag);

			if (err == PAM_NEW_AUTHTOK_REQD) {
				chpasswd_tries = 0;

				do {
					err = pam_chauthtok(pm_pamh,
					    PAM_CHANGE_EXPIRED_AUTHTOK);
					chpasswd_tries++;

				} while ((err == PAM_AUTHTOK_ERR ||
				    err == PAM_TRY_AGAIN) &&
				    chpasswd_tries < DEF_ATTEMPTS);
				pm_audit_event(ah, ADT_passwd, err);
			}
			err = pam_setcred(pm_pamh, PAM_REFRESH_CRED);
		}
		if (err != PAM_SUCCESS) {
			(void) fprintf(stdout, "%s\n",
			    pam_strerror(pm_pamh, err));
			pm_audit_event(ah, ADT_screenunlock, err);
		}
	} while (err != PAM_SUCCESS);
	pm_audit_event(ah, ADT_passwd, 0);

	(void) pam_end(pm_pamh, err);
}
示例#27
0
static void
cleanup_pam (int retcode)
{
  int saved_errno = errno;

  if (_pam_session_opened)
    pam_close_session (pamh, 0);

  if (_pam_cred_established)
    pam_setcred (pamh, PAM_DELETE_CRED | PAM_SILENT);

  pam_end(pamh, retcode);

  errno = saved_errno;
}
示例#28
0
/**
 * EscalateHelperDoAction:
 * @self: #EscalateHelper instance.
 * @error: (out)(allow-none): Error return location or #NULL.
 *
 * Return: #TRUE if the action specified in the start message (just
 * pam_authenticate for now) was called successfully and the finish message was
 * sent.
 */
gboolean EscalateHelperDoAction(EscalateHelper *self, GError **error) {
  int setcred_result = PAM_SUCCESS;
  EscalateMessage *message = NULL;
  GVariantBuilder *env = NULL;
  gboolean result = FALSE;

  // Run the action specified in the start message.
  switch (self->action) {
    case ESCALATE_MESSAGE_ACTION_AUTHENTICATE:
      self->result = pam_authenticate(self->pamh, self->flags);
      if (self->result == PAM_SUCCESS || self->result == PAM_NEW_AUTHTOK_REQD) {
        // Refresh things like Kerberos credentials. This is safe to do here
        // even if the client never calls pam_setcred() because the entire auth
        // stack succeeded.
        // TODO(vonhollen): Make this configurable by pam_escalate.so.
        setcred_result = pam_setcred(self->pamh, PAM_REINITIALIZE_CRED);
        if (setcred_result != PAM_SUCCESS) {
          pam_syslog(self->pamh, LOG_NOTICE,
                     "pam_setcred() failed for user '%s': %s",
                     self->username, pam_strerror(self->pamh, setcred_result));
        }
      }
      break;
    default:
      self->result = PAM_SYSTEM_ERR;
      g_error("Unsupported action %d", self->action);
  }

  // Prevent this function from being run twice.
  self->action = ESCALATE_MESSAGE_ACTION_UNKNOWN;

  // Get the PAM environment to include in the result.
  env = EscalateUtilPamEnvToVariant(self->pamh, error);
  if (!env) {
    goto done;
  }

  // Send the final PAM result for the action and the complete environment.
  message = EscalateMessageNew(ESCALATE_MESSAGE_TYPE_FINISH, self->result, env);
  result = EscalateMessageWrite(message, self->writer, error);
  EscalateMessageUnref(message);
  g_variant_builder_unref(env);

done:
  return result;
}
示例#29
0
文件: i3lock.c 项目: ramnes/i3lock
static void input_done(void) {
    STOP_TIMER(clear_pam_wrong_timeout);
    pam_state = STATE_PAM_VERIFY;
    redraw_screen();

    if (pam_authenticate(pam_handle, 0) == PAM_SUCCESS) {
        DEBUG("successfully authenticated\n");
        clear_password_memory();
        /* Turn the screen on, as it may have been turned off
         * on release of the 'enter' key. */
        turn_monitors_on();

        /* PAM credentials should be refreshed, this will for example update any kerberos tickets.
         * Related to credentials pam_end() needs to be called to cleanup any temporary
         * credentials like kerberos /tmp/krb5cc_pam_* files which may of been left behind if the
         * refresh of the credentials failed. */
        pam_setcred(pam_handle, PAM_REFRESH_CRED);
        pam_end(pam_handle, PAM_SUCCESS);

        exit(0);
    }

    if (debug_mode)
        fprintf(stderr, "Authentication failure\n");

    pam_state = STATE_PAM_WRONG;
    failed_attempts += 1;
    clear_input();
    if (unlock_indicator)
        redraw_screen();

    /* Clear this state after 2 seconds (unless the user enters another
     * password during that time). */
    ev_now_update(main_loop);
    START_TIMER(clear_pam_wrong_timeout, TSTAMP_N_SECS(2), clear_pam_wrong);

    /* Cancel the clear_indicator_timeout, it would hide the unlock indicator
     * too early. */
    STOP_TIMER(clear_indicator_timeout);

    /* beep on authentication failure, if enabled */
    if (beep) {
        xcb_bell(conn, 100);
        xcb_flush(conn);
    }
}
示例#30
0
void
ssh_gssapi_rekey_creds() {
	int ok;
	int ret;
#ifdef USE_PAM
	pam_handle_t *pamh = NULL;
	struct pam_conv pamconv = {ssh_gssapi_simple_conv, NULL};
	char *envstr;
#endif

	if (gssapi_client.store.filename == NULL && 
	    gssapi_client.store.envval == NULL &&
	    gssapi_client.store.envvar == NULL)
		return;
 
	ok = PRIVSEP(ssh_gssapi_update_creds(&gssapi_client.store));

	if (!ok)
		return;

	debug("Rekeyed credentials stored successfully");

	/* Actually managing to play with the ssh pam stack from here will
	 * be next to impossible. In any case, we may want different options
	 * for rekeying. So, use our own :)
	 */
#ifdef USE_PAM	
	if (!use_privsep) {
		debug("Not even going to try and do PAM with privsep disabled");
		return;
	}

	ret = pam_start("sshd-rekey", gssapi_client.store.owner->pw_name,
 	    &pamconv, &pamh);
	if (ret)
		return;

	xasprintf(&envstr, "%s=%s", gssapi_client.store.envvar, 
	    gssapi_client.store.envval);

	ret = pam_putenv(pamh, envstr);
	if (!ret)
		pam_setcred(pamh, PAM_REINITIALIZE_CRED);
	pam_end(pamh, PAM_SUCCESS);
#endif
}