int xlsh_session_open(const char* service, const char* user, pam_handle_t** handle) { struct pam_conv conv = { xlsh_session_conv, NULL }; pam_handle_t* pam_handle; if(pam_start(service, user, &conv, &pam_handle) != PAM_SUCCESS) return XLSH_ERROR; if(xlsh_X) pam_set_item(pam_handle, PAM_TTY, XLSH_XTTY); else pam_set_item(pam_handle, PAM_TTY, ttyname(0)); if(pam_authenticate(pam_handle, 0) != PAM_SUCCESS) { pam_end(pam_handle, 0); return XLSH_ERROR; } if(pam_acct_mgmt(pam_handle, 0) != PAM_SUCCESS) { pam_end(pam_handle, 0); return XLSH_ERROR; } if(pam_setcred(pam_handle, PAM_ESTABLISH_CRED) != PAM_SUCCESS) { pam_end(pam_handle, 0); return XLSH_ERROR; } if(pam_open_session(pam_handle, 0) != PAM_SUCCESS) { pam_setcred(pam_handle, PAM_DELETE_CRED); pam_end(pam_handle, 0); return XLSH_ERROR; } *handle = pam_handle; return XLSH_EOK; }
void do_pam_setcred(int init) { sshpam_err = pam_set_item(sshpam_handle, PAM_CONV, (const void *)&store_conv); if (sshpam_err != PAM_SUCCESS) fatal("PAM: failed to set PAM_CONV: %s", pam_strerror(sshpam_handle, sshpam_err)); if (init) { debug("PAM: establishing credentials"); sshpam_err = pam_setcred(sshpam_handle, PAM_ESTABLISH_CRED); } else { debug("PAM: reinitializing credentials"); sshpam_err = pam_setcred(sshpam_handle, PAM_REINITIALIZE_CRED); } if (sshpam_err == PAM_SUCCESS) { sshpam_cred_established = 1; return; } if (sshpam_authenticated) fatal("PAM: pam_setcred(): %s", pam_strerror(sshpam_handle, sshpam_err)); else debug("PAM: pam_setcred(): %s", pam_strerror(sshpam_handle, sshpam_err)); }
static void sftppam_exit_ev(const void *event_data, void *user_data) { /* Close the PAM session */ if (sftppam_pamh != NULL) { int res; #ifdef PAM_CRED_DELETE res = pam_setcred(sftppam_pamh, PAM_CRED_DELETE); #else res = pam_setcred(sftppam_pamh, PAM_DELETE_CRED); #endif if (res != PAM_SUCCESS) { pr_trace_msg(trace_channel, 9, "PAM error setting PAM_DELETE_CRED: %s", pam_strerror(sftppam_pamh, res)); } res = pam_close_session(sftppam_pamh, PAM_SILENT); pam_end(sftppam_pamh, res); sftppam_pamh = NULL; } if (sftppam_user != NULL) { free(sftppam_user); sftppam_user = NULL; sftppam_userlen = 0; } }
void Authenticator::close_session(void) { switch((last_result=pam_close_session(pam_handle, 0))) { // The documentation and implementation of Linux PAM differs: // PAM_SESSION_ERROR is described in the documentation but // don't exists in the actual implementation. This issue needs // to be fixes at some point. default: //case PAM_SESSION_ERROR: pam_setcred(pam_handle, PAM_DELETE_CRED); _end(); throw Exception(pam_handle, "pam_close_session", last_result); case PAM_SUCCESS: break; }; switch((last_result=pam_setcred(pam_handle, PAM_DELETE_CRED))) { default: case PAM_CRED_ERR: case PAM_CRED_UNAVAIL: case PAM_CRED_EXPIRED: case PAM_USER_UNKNOWN: _end(); throw Exception(pam_handle, "pam_setcred()", last_result); case PAM_SUCCESS: break; } return; }
static enum pamtest_err run_test_case(pam_handle_t *ph, struct pam_testcase *tc) { switch (tc->pam_operation) { case PAMTEST_AUTHENTICATE: tc->op_rv = pam_authenticate(ph, tc->flags); return PAMTEST_ERR_OK; case PAMTEST_SETCRED: tc->op_rv = pam_setcred(ph, tc->flags); return PAMTEST_ERR_OK; case PAMTEST_ACCOUNT: tc->op_rv = pam_acct_mgmt(ph, tc->flags); return PAMTEST_ERR_OK; case PAMTEST_OPEN_SESSION: tc->op_rv = pam_open_session(ph, tc->flags); return PAMTEST_ERR_OK; case PAMTEST_CLOSE_SESSION: tc->op_rv = pam_close_session(ph, tc->flags); return PAMTEST_ERR_OK; case PAMTEST_CHAUTHTOK: tc->op_rv = pam_chauthtok(ph, tc->flags); return PAMTEST_ERR_OK; case PAMTEST_GETENVLIST: tc->case_out.envlist = pam_getenvlist(ph); return PAMTEST_ERR_OK; case PAMTEST_KEEPHANDLE: tc->case_out.ph = ph; return PAMTEST_ERR_KEEPHANDLE; default: return PAMTEST_ERR_OP; } return PAMTEST_ERR_OP; }
bool PamHandle::setCred(int flags) { m_result = pam_setcred(m_handle, flags | m_silent); if (m_result != PAM_SUCCESS) { qWarning() << "[PAM] setCred:" << pam_strerror(m_handle, m_result); } return m_result == PAM_SUCCESS; }
void SessionExit(struct display *d, int status, int removeAuth) { #ifdef USE_PAM pam_handle_t *pamh = thepamh(); if (pamh) { /* shutdown PAM session */ if (pam_setcred(pamh, PAM_DELETE_CRED) != PAM_SUCCESS) WDMError("pam_setcred(DELETE_CRED) failed, errno=%d", errno); pam_close_session(pamh, 0); pam_end(pamh, PAM_SUCCESS); pamh = NULL; } #endif /* make sure the server gets reset after the session is over */ if (d->serverPid >= 2 && d->resetSignal) kill(d->serverPid, d->resetSignal); else ResetServer(d); if (removeAuth) { setgid(verify.gid); setuid(verify.uid); RemoveUserAuthorization(d, &verify); } WDMDebug("Display %s exiting with status %d\n", d->name, status); exit(status); }
static int auth(const char *password) { pam_handle_t* pamh; struct passwd *pw; if ((pw = getpwuid(getuid())) == NULL) return 0; struct pam_response * reply = malloc(sizeof(struct pam_response)); if (!reply) return 0; struct pam_conv pamc = { conversation, reply }; int rc = 0; reply->resp = strdup(password); reply->resp_retcode = 0; pam_start("slock", pw->pw_name, &pamc, &pamh); if (pam_set_item(pamh, PAM_AUTHTOK, password) == PAM_SUCCESS && pam_authenticate(pamh,PAM_DISALLOW_NULL_AUTHTOK) == PAM_SUCCESS && pam_acct_mgmt(pamh, 0) == PAM_SUCCESS && pam_setcred(pamh, PAM_REFRESH_CRED) == PAM_SUCCESS) { rc = 1; } pam_end(pamh,0); return rc; }
void pam_finish () { int rc = 0; /* * Allow PAM to clean up its state by closing the user session and * ending the association with PAM. */ if (!conf->use_pam) return; if (pam_h != NULL) { /* * Log any errors, but there's no need to return a SLURM error. */ if ((rc = pam_close_session (pam_h, 0)) != PAM_SUCCESS) { error("pam_close_session: %s", pam_strerror(pam_h, rc)); } if ((rc = pam_setcred (pam_h, PAM_DELETE_CRED)) != PAM_SUCCESS){ error("pam_setcred DELETE: %s", pam_strerror(pam_h,rc)); } if ((rc = pam_end (pam_h, rc)) != PAM_SUCCESS) { error("pam_end: %s", pam_strerror(NULL, rc)); } pam_h = NULL; } }
static void init_groups (const struct passwd* pw, gid_t* groups, int num_groups) { int retval; errno = 0; if (num_groups) { retval = setgroups (num_groups, groups); } else { retval = initgroups (pw->pw_name, pw->pw_gid); } if (retval == -1) { cleanup_pam (PAM_ABORT); err (EXIT_FAILURE, _("cannot set groups")); } endgrent (); retval = pam_setcred (pamh, PAM_ESTABLISH_CRED); if (is_pam_failure(retval)) { errx (EXIT_FAILURE, "%s", pam_strerror (pamh, retval)); } else { _pam_cred_established = 1; } }
/* Return 0 if authentication failed, 1 otherwise */ static int mc_pam_auth (const char *username, const char *password) { pam_handle_t *pamh; struct user_pass up; int status; up.username = username; up.password = password; conv.appdata_ptr = &up; if ((status = pam_start ("mcserv", username, &conv, &pamh)) != PAM_SUCCESS) goto failed_pam; if ((status = pam_authenticate (pamh, 0)) != PAM_SUCCESS) goto failed_pam; if ((status = pam_acct_mgmt (pamh, 0)) != PAM_SUCCESS) goto failed_pam; if ((status = pam_setcred (pamh, PAM_ESTABLISH_CRED)) != PAM_SUCCESS) goto failed_pam; pam_end (pamh, status); return 0; failed_pam: pam_end (pamh, status); return 1; }
/* Called at exit to cleanly shutdown PAM */ static void do_pam_cleanup_proc(void *context) { int pam_retval; pam_stuff *pam = (pam_stuff *) context; if (pam == NULL) return; if (pam->authctxt != NULL && pam->authctxt->pam == pam) { pam->authctxt->pam_retval = pam->last_pam_retval; pam->authctxt->pam = NULL; pam->authctxt = NULL; } if (pam->h == NULL) return; /* * We're in fatal_cleanup() or not in userauth or without a * channel -- can't converse now, too bad. */ pam_retval = pam_set_item(pam->h, PAM_CONV, NULL); if (pam_retval != PAM_SUCCESS) { log("Cannot remove PAM conv, close session or delete creds[%d]: %.200s", pam_retval, PAM_STRERROR(pam->h, pam_retval)); goto cleanup; } if (pam->state & PAM_S_DONE_OPEN_SESSION) { pam_retval = pam_close_session(pam->h, 0); if (pam_retval != PAM_SUCCESS) log("Cannot close PAM session[%d]: %.200s", pam_retval, PAM_STRERROR(pam->h, pam_retval)); } if (pam->state & PAM_S_DONE_SETCRED) { pam_retval = pam_setcred(pam->h, PAM_DELETE_CRED); if (pam_retval != PAM_SUCCESS) debug("Cannot delete credentials[%d]: %.200s", pam_retval, PAM_STRERROR(pam->h, pam_retval)); } cleanup: /* Use the previous PAM result, if not PAM_SUCCESS for pam_end() */ if (pam->last_pam_retval != PAM_SUCCESS) pam_retval = pam_end(pam->h, pam->last_pam_retval); else if (pam_retval != PAM_SUCCESS) pam_retval = pam_end(pam->h, pam_retval); else pam_retval = pam_end(pam->h, PAM_ABORT); if (pam_retval != PAM_SUCCESS) log("Cannot release PAM authentication[%d]: %.200s", pam_retval, PAM_STRERROR(pam->h, pam_retval)); xfree(pam); }
static void checkpw_cleanup (pam_handle_t *hdl) { #if 0 /* see checkpw() for why this is #if 0 */ pam_close_session (hdl,NIL); /* close session [uw]tmp */ #endif pam_setcred (hdl,PAM_DELETE_CRED); pam_end (hdl,PAM_SUCCESS); }
void mdm_verify_cleanup (MdmDisplay *d) { gid_t groups[1] = { 0 }; cur_mdm_disp = d; if (pamh != NULL) { gint pamerr; pam_handle_t *tmp_pamh; gboolean old_opened_session; gboolean old_did_setcred; mdm_debug ("Running mdm_verify_cleanup and pamh != NULL"); mdm_sigterm_block_push (); mdm_sigchld_block_push (); tmp_pamh = pamh; pamh = NULL; old_opened_session = opened_session; opened_session = FALSE; old_did_setcred = did_setcred; did_setcred = FALSE; mdm_sigchld_block_pop (); mdm_sigterm_block_pop (); pamerr = PAM_SUCCESS; /* Close the users session */ if (old_opened_session) { mdm_debug ("Running pam_close_session"); pamerr = pam_close_session (tmp_pamh, 0); } /* Throw away the credentials */ if (old_did_setcred) { mdm_debug ("Running pam_setcred with PAM_DELETE_CRED"); pamerr = pam_setcred (tmp_pamh, PAM_DELETE_CRED); } pam_end (tmp_pamh, pamerr); /* Workaround to avoid mdm messages being logged as PAM_pwdb */ mdm_log_shutdown (); mdm_log_init (); } /* Clear the group setup */ setgid (0); /* this will get rid of any suplementary groups etc... */ setgroups (1, groups); cur_mdm_disp = NULL; /* reset limits */ mdm_reset_limits (); }
int context::rmcred() { int code = static_cast<int>(errc::success); if(_M_cred) { code = pam_setcred(_M_pamh, PAM_DELETE_CRED); _M_cred = false; } return code; }
bool PAMAuthenticator::authenticate(void) { pam_conv c; c.conv = PAMAuthenticator::conv; c.appdata_ptr = this; int res = pam_start("repwatchproxy", 0, &c, &this->m_ph); if (res == PAM_SUCCESS) { res = pam_set_item(this->m_ph, PAM_RUSER, this->m_user.constData()); if (res != PAM_SUCCESS) { goto getout; } res = pam_set_item(this->m_ph, PAM_RHOST, this->m_host.constData()); if (res != PAM_SUCCESS) { goto getout; } res = pam_authenticate(this->m_ph, 0); if (res != PAM_SUCCESS) { goto getout; } res = pam_acct_mgmt(this->m_ph, 0); if (PAM_NEW_AUTHTOK_REQD == res) { res = pam_chauthtok(this->m_ph, PAM_CHANGE_EXPIRED_AUTHTOK); } if (res != PAM_SUCCESS) { goto getout; } res = pam_setcred(this->m_ph, PAM_ESTABLISH_CRED); if (res != PAM_SUCCESS) { goto getout; } res = pam_open_session(this->m_ph, 0); if (res != PAM_SUCCESS) { goto getout; } return true; getout: qWarning("%s: %s", Q_FUNC_INFO, pam_strerror(this->m_ph, res)); pam_end(this->m_ph, res); } else { qCritical("PAM initialization failed"); } this->m_ph = 0; return false; }
int xlsh_session_close(pam_handle_t* handle) { pam_close_session(handle, 0); if(pam_setcred(handle, PAM_DELETE_CRED) != PAM_SUCCESS) { pam_end(handle, 0); return XLSH_ERROR; } pam_end(handle, 0); return XLSH_EOK; }
gboolean pam_session_open(void) { g_pamLastStatus = pam_setcred(g_pamHandle, PAM_ESTABLISH_CRED); if (g_pamLastStatus != PAM_SUCCESS) { fprintf(stderr, "Jolicloud-DisplayManager: Unable to define pam credentials. Error %d\n", g_pamLastStatus); return FALSE; } g_pamLastStatus = pam_open_session(g_pamHandle, 0); if (g_pamLastStatus != PAM_SUCCESS) { fprintf(stderr, "Jolicloud-DisplayManager: Unable to open session with pan. Error %d\n", g_pamLastStatus); pam_setcred(g_pamHandle, PAM_DELETE_CRED); return FALSE; } return TRUE; }
/* * Note that the position of the pam_setcred() call is discussable: * * - the PAM docs recommend pam_setcred() before pam_open_session() * - but the original RFC http://www.opengroup.org/rfc/mirror-rfc/rfc86.0.txt * uses pam_setcred() after pam_open_session() * * The old login versions (before year 2011) followed the RFC. This is probably * not optimal, because there could be a dependence between some session modules * and the user's credentials. * * The best is probably to follow openssh and call pam_setcred() before and * after pam_open_session(). -- [email protected] (18-Nov-2011) * */ static void loginpam_session(struct login_context *cxt) { int rc; pam_handle_t *pamh = cxt->pamh; rc = pam_setcred(pamh, PAM_ESTABLISH_CRED); if (is_pam_failure(rc)) loginpam_err(pamh, rc); rc = pam_open_session(pamh, 0); if (is_pam_failure(rc)) { pam_setcred(cxt->pamh, PAM_DELETE_CRED); loginpam_err(pamh, rc); } rc = pam_setcred(pamh, PAM_REINITIALIZE_CRED); if (is_pam_failure(rc)) { pam_close_session(pamh, 0); loginpam_err(pamh, rc); } }
int pam_setup (char *user, char *host) { /* * Any application using PAM must provide a conversion function, which * is used for direct communication between a loaded module and the * application. In this case, SLURM does need a communication mechanism, * so the default (or null) conversation function may be used. */ struct pam_conv conv = {misc_conv, NULL}; int rc = 0; if (!conf->use_pam) return SLURM_SUCCESS; /* * SLURM uses PAM to obtain resource limits established by the system * administrator. PAM's session management library is responsible for * handling resource limits. When a PAM session is opened on behalf of * a user, the limits imposed by the sys admin are picked up. Opening * a PAM session requires a PAM handle, which is obtained when the PAM * interface is initialized. (PAM handles are required with essentially * all PAM calls.) It's also necessary to have the users PAM credentials * to open a user session. */ if ((rc = pam_start (SLURM_SERVICE_PAM, user, &conv, &pam_h)) != PAM_SUCCESS) { error ("pam_start: %s", pam_strerror(pam_h, rc)); return SLURM_ERROR; } else if ((rc = pam_set_item (pam_h, PAM_USER, user)) != PAM_SUCCESS) { error ("pam_set_item USER: %s", pam_strerror(pam_h, rc)); return SLURM_ERROR; } else if ((rc = pam_set_item (pam_h, PAM_RUSER, user)) != PAM_SUCCESS) { error ("pam_set_item RUSER: %s", pam_strerror(pam_h, rc)); return SLURM_ERROR; } else if ((rc = pam_set_item (pam_h, PAM_RHOST, host)) != PAM_SUCCESS) { error ("pam_set_item HOST: %s", pam_strerror(pam_h, rc)); return SLURM_ERROR; } else if ((rc = pam_setcred (pam_h, PAM_ESTABLISH_CRED)) != PAM_SUCCESS) { error ("pam_setcred: %s", pam_strerror(pam_h, rc)); return SLURM_ERROR; } else if ((rc = pam_open_session (pam_h, 0)) != PAM_SUCCESS) { error("pam_open_session: %s", pam_strerror(pam_h, rc)); return SLURM_ERROR; } return SLURM_SUCCESS; }
static void vsf_auth_shutdown(void) { if (s_pamh == 0) { bug("vsf_auth_shutdown"); } (void) pam_close_session(s_pamh, 0); (void) pam_setcred(s_pamh, PAM_DELETE_CRED); (void) pam_end(s_pamh, PAM_SUCCESS); s_pamh = 0; vsf_remove_uwtmp(); }
struct passwd *checkpw (struct passwd *pw,char *pass,int argc,char *argv[]) { pam_handle_t *hdl; struct pam_conv conv; struct checkpw_cred cred; conv.conv = &checkpw_conv; conv.appdata_ptr = &cred; cred.uname = pw->pw_name; cred.pass = pass; if ((pam_start ((char *) mail_parameters (NIL,GET_SERVICENAME,NIL), pw->pw_name,&conv,&hdl) != PAM_SUCCESS) || (pam_set_item (hdl,PAM_RHOST,tcp_clientaddr ()) != PAM_SUCCESS) || (pam_authenticate (hdl,NIL) != PAM_SUCCESS) || (pam_acct_mgmt (hdl,NIL) != PAM_SUCCESS) || (pam_setcred (hdl,PAM_ESTABLISH_CRED) != PAM_SUCCESS)) { /* clean up */ pam_setcred (hdl,PAM_DELETE_CRED); pam_end (hdl,PAM_AUTH_ERR); /* failed */ return NIL; } #if 0 /* * Some people have reported that this causes a SEGV in strncpy() from * pam_unix.so.1 */ /* * This pam_open_session() call is inconsistant with how we handle other * platforms, where we don't write [uw]tmp records. However, unlike our * code on other platforms, pam_acct_mgmt() will check those records for * inactivity and deny the authentication. */ pam_open_session (hdl,NIL); /* make sure account doesn't go inactive */ #endif /* arm hook to delete credentials */ mail_parameters (NIL,SET_LOGOUTHOOK,(void *) checkpw_cleanup); mail_parameters (NIL,SET_LOGOUTDATA,(void *) hdl); return pw; }
gboolean pam_session_close(void) { g_pamLastStatus = pam_close_session(g_pamHandle, 0); g_pamLastStatus = pam_setcred(g_pamHandle, PAM_DELETE_CRED); if (g_pamLastStatus != PAM_SUCCESS) { fprintf(stderr, "Jolicloud-DisplayManager: Unable to delete pam credentials. Error %d\n", g_pamLastStatus); return FALSE; } return TRUE; }
int pam_begin_session(const char* username, int fd) { int rv, i; if (!pam_h && (rv = pam_start(PAM_APPL_NAME, username, &conv, &pam_h)) != PAM_SUCCESS) fatal("pam_start() failure: %d", rv); #ifdef SUN_PAM_TTY_BUG if ((rv = pam_set_item(pam_h, PAM_TTY, "/dev/nld")) != PAM_SUCCESS) fatal("pam_set_item(PAM_TTY,/dev/nld"); #endif conv_reject_prompts = 1; pam_conv_fd = fd; /* On Solaris and HP-UX, the docs say we can't call setcred first, and the * modules actually enforce that. LinuxPAM says we must call setcred first, * and that's preferable, so we do it in all other cases. */ #ifdef SUN_PAM int setcred_first = 0; #else int setcred_first = 1; #endif for (i = 0; i < 2; ++i) { if (i != setcred_first) { if ((rv = pam_setcred(pam_h, PAM_ESTABLISH_CRED)) != PAM_SUCCESS) { debug("pam_setcred(PAM_ESTABLISH_CRED): %s", pam_strerror(pam_h, rv)); if (authenticated) { pam_conv_fd = -1; return -1; } } else { setcred = 1; } } else { if ((rv = pam_open_session(pam_h, 0)) != PAM_SUCCESS) { debug("pam_open_session(): %s", pam_strerror(pam_h, rv)); if (authenticated) { pam_conv_fd = -1; return -1; } } else { opened_session = 1; } } } pam_conv_fd = -1; return 0; }
int pam_begin_session(struct passwd *pw, sudo_auth *auth) { int status = PAM_SUCCESS; /* * If there is no valid user we cannot open a PAM session. * This is not an error as sudo can run commands with arbitrary * uids, it just means we are done from a session management standpoint. */ if (pw == NULL) { if (pamh != NULL) { (void) pam_end(pamh, PAM_SUCCESS | PAM_DATA_SILENT); pamh = NULL; } goto done; } /* If the user did not have to authenticate there is no pam handle yet. */ if (pamh == NULL) pam_init(pw, NULL, NULL); /* * Update PAM_USER to reference the user we are running the command * as, as opposed to the user we authenticated as. */ (void) pam_set_item(pamh, PAM_USER, pw->pw_name); /* * Set credentials (may include resource limits, device ownership, etc). * We don't check the return value here because in Linux-PAM 0.75 * it returns the last saved return code, not the return code * for the setcred module. Because we haven't called pam_authenticate(), * this is not set and so pam_setcred() returns PAM_PERM_DENIED. * We can't call pam_acct_mgmt() with Linux-PAM for a similar reason. */ (void) pam_setcred(pamh, PAM_ESTABLISH_CRED); #ifndef NO_PAM_SESSION status = pam_open_session(pamh, 0); if (status != PAM_SUCCESS) { (void) pam_end(pamh, status | PAM_DATA_SILENT); pamh = NULL; } #endif done: return status == PAM_SUCCESS ? AUTH_SUCCESS : AUTH_FAILURE; }
static void pm_do_auth(adt_session_data_t *ah) { pam_handle_t *pm_pamh; int err; int pam_flag = 0; int chpasswd_tries; struct pam_conv pam_conv = {pam_tty_conv, NULL}; if (user[0] == '\0') return; if ((err = pam_start("sys-suspend", user, &pam_conv, &pm_pamh)) != PAM_SUCCESS) return; pam_flag = PAM_DISALLOW_NULL_AUTHTOK; do { err = pam_authenticate(pm_pamh, pam_flag); if (err == PAM_SUCCESS) { err = pam_acct_mgmt(pm_pamh, pam_flag); if (err == PAM_NEW_AUTHTOK_REQD) { chpasswd_tries = 0; do { err = pam_chauthtok(pm_pamh, PAM_CHANGE_EXPIRED_AUTHTOK); chpasswd_tries++; } while ((err == PAM_AUTHTOK_ERR || err == PAM_TRY_AGAIN) && chpasswd_tries < DEF_ATTEMPTS); pm_audit_event(ah, ADT_passwd, err); } err = pam_setcred(pm_pamh, PAM_REFRESH_CRED); } if (err != PAM_SUCCESS) { (void) fprintf(stdout, "%s\n", pam_strerror(pm_pamh, err)); pm_audit_event(ah, ADT_screenunlock, err); } } while (err != PAM_SUCCESS); pm_audit_event(ah, ADT_passwd, 0); (void) pam_end(pm_pamh, err); }
static void cleanup_pam (int retcode) { int saved_errno = errno; if (_pam_session_opened) pam_close_session (pamh, 0); if (_pam_cred_established) pam_setcred (pamh, PAM_DELETE_CRED | PAM_SILENT); pam_end(pamh, retcode); errno = saved_errno; }
/** * EscalateHelperDoAction: * @self: #EscalateHelper instance. * @error: (out)(allow-none): Error return location or #NULL. * * Return: #TRUE if the action specified in the start message (just * pam_authenticate for now) was called successfully and the finish message was * sent. */ gboolean EscalateHelperDoAction(EscalateHelper *self, GError **error) { int setcred_result = PAM_SUCCESS; EscalateMessage *message = NULL; GVariantBuilder *env = NULL; gboolean result = FALSE; // Run the action specified in the start message. switch (self->action) { case ESCALATE_MESSAGE_ACTION_AUTHENTICATE: self->result = pam_authenticate(self->pamh, self->flags); if (self->result == PAM_SUCCESS || self->result == PAM_NEW_AUTHTOK_REQD) { // Refresh things like Kerberos credentials. This is safe to do here // even if the client never calls pam_setcred() because the entire auth // stack succeeded. // TODO(vonhollen): Make this configurable by pam_escalate.so. setcred_result = pam_setcred(self->pamh, PAM_REINITIALIZE_CRED); if (setcred_result != PAM_SUCCESS) { pam_syslog(self->pamh, LOG_NOTICE, "pam_setcred() failed for user '%s': %s", self->username, pam_strerror(self->pamh, setcred_result)); } } break; default: self->result = PAM_SYSTEM_ERR; g_error("Unsupported action %d", self->action); } // Prevent this function from being run twice. self->action = ESCALATE_MESSAGE_ACTION_UNKNOWN; // Get the PAM environment to include in the result. env = EscalateUtilPamEnvToVariant(self->pamh, error); if (!env) { goto done; } // Send the final PAM result for the action and the complete environment. message = EscalateMessageNew(ESCALATE_MESSAGE_TYPE_FINISH, self->result, env); result = EscalateMessageWrite(message, self->writer, error); EscalateMessageUnref(message); g_variant_builder_unref(env); done: return result; }
static void input_done(void) { STOP_TIMER(clear_pam_wrong_timeout); pam_state = STATE_PAM_VERIFY; redraw_screen(); if (pam_authenticate(pam_handle, 0) == PAM_SUCCESS) { DEBUG("successfully authenticated\n"); clear_password_memory(); /* Turn the screen on, as it may have been turned off * on release of the 'enter' key. */ turn_monitors_on(); /* PAM credentials should be refreshed, this will for example update any kerberos tickets. * Related to credentials pam_end() needs to be called to cleanup any temporary * credentials like kerberos /tmp/krb5cc_pam_* files which may of been left behind if the * refresh of the credentials failed. */ pam_setcred(pam_handle, PAM_REFRESH_CRED); pam_end(pam_handle, PAM_SUCCESS); exit(0); } if (debug_mode) fprintf(stderr, "Authentication failure\n"); pam_state = STATE_PAM_WRONG; failed_attempts += 1; clear_input(); if (unlock_indicator) redraw_screen(); /* Clear this state after 2 seconds (unless the user enters another * password during that time). */ ev_now_update(main_loop); START_TIMER(clear_pam_wrong_timeout, TSTAMP_N_SECS(2), clear_pam_wrong); /* Cancel the clear_indicator_timeout, it would hide the unlock indicator * too early. */ STOP_TIMER(clear_indicator_timeout); /* beep on authentication failure, if enabled */ if (beep) { xcb_bell(conn, 100); xcb_flush(conn); } }
void ssh_gssapi_rekey_creds() { int ok; int ret; #ifdef USE_PAM pam_handle_t *pamh = NULL; struct pam_conv pamconv = {ssh_gssapi_simple_conv, NULL}; char *envstr; #endif if (gssapi_client.store.filename == NULL && gssapi_client.store.envval == NULL && gssapi_client.store.envvar == NULL) return; ok = PRIVSEP(ssh_gssapi_update_creds(&gssapi_client.store)); if (!ok) return; debug("Rekeyed credentials stored successfully"); /* Actually managing to play with the ssh pam stack from here will * be next to impossible. In any case, we may want different options * for rekeying. So, use our own :) */ #ifdef USE_PAM if (!use_privsep) { debug("Not even going to try and do PAM with privsep disabled"); return; } ret = pam_start("sshd-rekey", gssapi_client.store.owner->pw_name, &pamconv, &pamh); if (ret) return; xasprintf(&envstr, "%s=%s", gssapi_client.store.envvar, gssapi_client.store.envval); ret = pam_putenv(pamh, envstr); if (!ret) pam_setcred(pamh, PAM_REINITIALIZE_CRED); pam_end(pamh, PAM_SUCCESS); #endif }