2002-03-20 23:21:22 +00:00
|
|
|
/*
|
|
|
|
* $Id$
|
|
|
|
*
|
|
|
|
* Copyright (C) 2001, 2002
|
|
|
|
* Antti Tapaninen <aet@cc.hut.fi>
|
|
|
|
* Anna Erika Suortti <asuortti@cc.hut.fi>
|
|
|
|
*
|
|
|
|
* This program is free software; you can redistribute it and/or modify
|
|
|
|
* it under the terms of the GNU General Public License as published by
|
|
|
|
* the Free Software Foundation; either version 2 of the License, or
|
|
|
|
* (at your option) any later version.
|
|
|
|
*
|
|
|
|
* This program is distributed in the hope that it will be useful,
|
|
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
|
|
* GNU General Public License for more details.
|
|
|
|
*
|
|
|
|
* You should have received a copy of the GNU General Public License
|
|
|
|
* along with this program; if not, write to the Free Software
|
|
|
|
* Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111, USA.
|
|
|
|
*/
|
|
|
|
|
|
|
|
#ifdef HAVE_CONFIG_H
|
|
|
|
#include <config.h>
|
|
|
|
#endif
|
|
|
|
#include <stdio.h>
|
|
|
|
#include <stdlib.h>
|
|
|
|
#include <string.h>
|
2002-10-19 14:04:52 +00:00
|
|
|
#ifdef HAVE_UNISTD_H
|
2002-03-20 23:21:22 +00:00
|
|
|
#include <unistd.h>
|
2002-10-19 14:04:52 +00:00
|
|
|
#endif
|
2002-03-20 23:21:22 +00:00
|
|
|
#include <ctype.h>
|
2002-03-21 17:41:32 +00:00
|
|
|
#include "pam_support.h"
|
2002-03-20 23:21:22 +00:00
|
|
|
#include "scam.h"
|
|
|
|
|
|
|
|
#define PAM_SM_AUTH
|
|
|
|
#define PAM_SM_ACCOUNT
|
|
|
|
#define PAM_SM_SESSION
|
|
|
|
#define PAM_SM_PASSWORD
|
|
|
|
|
2002-04-08 08:27:34 +00:00
|
|
|
static scam_context sctx = {0,};
|
2002-04-07 19:36:59 +00:00
|
|
|
|
|
|
|
typedef struct _scam_msg_data {
|
|
|
|
pam_handle_t *pamh;
|
|
|
|
unsigned int *ctrl;
|
|
|
|
} scam_msg_data;
|
|
|
|
|
2002-04-08 08:27:34 +00:00
|
|
|
static void printmsg(scam_context * sctx, char *str)
|
2002-04-07 19:36:59 +00:00
|
|
|
{
|
2002-04-08 08:27:34 +00:00
|
|
|
scam_msg_data *msg = (scam_msg_data *) sctx->msg_data;
|
2002-04-07 19:36:59 +00:00
|
|
|
|
|
|
|
if (msg->pamh && msg->ctrl)
|
|
|
|
opensc_pam_msg(msg->pamh, *msg->ctrl, PAM_TEXT_INFO, str);
|
|
|
|
}
|
|
|
|
|
2002-04-08 08:27:34 +00:00
|
|
|
static void logmsg(scam_context * sctx, char *str)
|
2002-04-07 19:36:59 +00:00
|
|
|
{
|
2002-04-08 08:27:34 +00:00
|
|
|
scam_msg_data *msg = (scam_msg_data *) sctx->msg_data;
|
2002-04-07 19:36:59 +00:00
|
|
|
|
|
|
|
if (msg->pamh)
|
2003-11-06 10:43:41 +00:00
|
|
|
opensc_pam_log(LOG_NOTICE, msg->pamh, "%s", str);
|
2002-04-07 19:36:59 +00:00
|
|
|
}
|
2002-03-20 23:21:22 +00:00
|
|
|
|
|
|
|
static void usage(void)
|
|
|
|
{
|
|
|
|
int i;
|
|
|
|
|
|
|
|
printf("pam_opensc: [options]\n\n");
|
|
|
|
printf("Generic options:\n");
|
|
|
|
printf(" -h Show help\n\n");
|
|
|
|
for (i = 0; scam_frameworks[i]; i++) {
|
|
|
|
if (scam_frameworks[i]->name && scam_frameworks[i]->usage) {
|
|
|
|
printf("auth_method[%s]:\n%s\n", scam_frameworks[i]->name, scam_frameworks[i]->usage());
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
#if (defined(PAM_STATIC) && defined(PAM_SM_AUTH)) || !defined(PAM_STATIC)
|
|
|
|
PAM_EXTERN int pam_sm_authenticate(pam_handle_t * pamh, int flags, int argc, const char **argv)
|
|
|
|
{
|
|
|
|
PAM_CONST char *user = NULL, *password = NULL, *tty = NULL, *service = NULL;
|
|
|
|
const char *pinentry = NULL;
|
|
|
|
unsigned int ctrl = 0;
|
|
|
|
int rv = 0, i = 0;
|
2002-04-07 19:36:59 +00:00
|
|
|
scam_msg_data msg = {pamh, &ctrl};
|
2002-03-20 23:21:22 +00:00
|
|
|
|
|
|
|
for (i = 0; i < argc; i++) {
|
|
|
|
if (argv[i][0] == '-') {
|
|
|
|
switch (argv[i][1]) {
|
|
|
|
case 'h':
|
|
|
|
case '?':
|
|
|
|
usage();
|
2002-03-24 12:14:19 +00:00
|
|
|
return PAM_MAXTRIES;
|
2002-03-20 23:21:22 +00:00
|
|
|
break;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
2004-01-05 18:44:49 +00:00
|
|
|
ctrl = opensc_pam_set_ctrl(pamh, flags, argc, (const char **) argv);
|
2002-04-08 08:27:34 +00:00
|
|
|
memset(&sctx, 0, sizeof(scam_context));
|
|
|
|
scam_parse_parameters(&sctx, argc, (const char **) argv);
|
|
|
|
sctx.printmsg = printmsg;
|
|
|
|
sctx.logmsg = logmsg;
|
|
|
|
sctx.msg_data = &msg;
|
|
|
|
if (sctx.auth_method) {
|
|
|
|
sctx.method = scam_select_by_name(sctx.auth_method);
|
|
|
|
free(sctx.auth_method);
|
|
|
|
sctx.auth_method = NULL;
|
2002-03-20 23:21:22 +00:00
|
|
|
}
|
2002-04-08 08:27:34 +00:00
|
|
|
if (sctx.method < 0) {
|
2002-03-20 23:21:22 +00:00
|
|
|
return PAM_TRY_AGAIN;
|
|
|
|
}
|
2002-04-08 08:27:34 +00:00
|
|
|
rv = scam_init(&sctx, argc, (const char **) argv);
|
2002-03-20 23:21:22 +00:00
|
|
|
if (rv != SCAM_SUCCESS) {
|
2002-04-08 08:27:34 +00:00
|
|
|
scam_deinit(&sctx);
|
2002-03-20 23:21:22 +00:00
|
|
|
return PAM_TRY_AGAIN;
|
|
|
|
}
|
2002-04-08 08:27:34 +00:00
|
|
|
pinentry = scam_pinentry(&sctx);
|
2002-03-20 23:21:22 +00:00
|
|
|
|
|
|
|
/* Get the username */
|
|
|
|
rv = pam_get_user(pamh, &user, "login: ");
|
|
|
|
if (rv == PAM_SUCCESS) {
|
|
|
|
/*
|
|
|
|
* Various libraries at various times have had bugs related to
|
|
|
|
* '+' or '-' as the first character of a user name. Don't take
|
|
|
|
* any chances here. Require that the username starts with an
|
|
|
|
* alphanumeric character.
|
|
|
|
*/
|
|
|
|
if (!user || !isalnum((int) *user)) {
|
|
|
|
opensc_pam_log(LOG_ERR, pamh, "bad username [%s]\n", user);
|
|
|
|
rv = PAM_USER_UNKNOWN;
|
2002-04-08 08:27:34 +00:00
|
|
|
scam_deinit(&sctx);
|
2002-03-20 23:21:22 +00:00
|
|
|
return rv;
|
|
|
|
}
|
|
|
|
if (rv == PAM_SUCCESS && on(OPENSC_DEBUG, ctrl)) {
|
|
|
|
opensc_pam_log(LOG_DEBUG, pamh, "username [%s] obtained\n", user);
|
|
|
|
}
|
|
|
|
} else {
|
|
|
|
opensc_pam_log(LOG_DEBUG, pamh, "trouble reading username\n");
|
|
|
|
if (rv == PAM_CONV_AGAIN) {
|
|
|
|
opensc_pam_log(LOG_DEBUG, pamh, "pam_get_user/conv() function is not ready yet\n");
|
|
|
|
/* it is safe to resume this function so we translate this
|
|
|
|
* rv to the value that indicates we're happy to resume.
|
|
|
|
*/
|
|
|
|
rv = PAM_INCOMPLETE;
|
|
|
|
}
|
2002-04-08 08:27:34 +00:00
|
|
|
scam_deinit(&sctx);
|
2002-03-20 23:21:22 +00:00
|
|
|
return rv;
|
|
|
|
}
|
|
|
|
/* Check tty */
|
2002-04-19 14:23:31 +00:00
|
|
|
rv = pam_get_item(pamh, PAM_TTY, (PAM_CONST void **) &tty);
|
2002-03-20 23:21:22 +00:00
|
|
|
/* Get the name of the service */
|
|
|
|
rv = pam_get_item(pamh, PAM_SERVICE, (PAM_CONST void **) &service);
|
|
|
|
if (rv != PAM_SUCCESS) {
|
2002-04-08 08:27:34 +00:00
|
|
|
scam_deinit(&sctx);
|
2002-03-20 23:21:22 +00:00
|
|
|
return rv;
|
|
|
|
}
|
|
|
|
/* get this user's authentication token */
|
2004-01-05 18:44:49 +00:00
|
|
|
rv = opensc_pam_read_password(pamh, ctrl, NULL, (PAM_CONST char *) (pinentry ? pinentry : DEFAULT_PINENTRY), NULL, _PAM_AUTHTOK, &password);
|
2002-03-20 23:21:22 +00:00
|
|
|
if (rv != PAM_SUCCESS) {
|
|
|
|
if (rv != PAM_CONV_AGAIN) {
|
|
|
|
opensc_pam_log(LOG_CRIT, pamh, "auth could not identify password for [%s]\n", user);
|
|
|
|
} else {
|
|
|
|
opensc_pam_log(LOG_DEBUG, pamh, "conversation function is not ready yet\n");
|
|
|
|
/*
|
|
|
|
* it is safe to resume this function so we translate this
|
|
|
|
* rv to the value that indicates we're happy to resume.
|
|
|
|
*/
|
|
|
|
rv = PAM_INCOMPLETE;
|
|
|
|
}
|
|
|
|
user = NULL;
|
2002-04-08 08:27:34 +00:00
|
|
|
scam_deinit(&sctx);
|
2002-03-20 23:21:22 +00:00
|
|
|
return rv;
|
|
|
|
}
|
|
|
|
if (!user) {
|
2002-04-08 08:27:34 +00:00
|
|
|
scam_deinit(&sctx);
|
2002-03-20 23:21:22 +00:00
|
|
|
return PAM_USER_UNKNOWN;
|
|
|
|
}
|
|
|
|
if (!tty) {
|
|
|
|
tty = "";
|
|
|
|
}
|
|
|
|
if (!service || !password) {
|
2002-04-08 08:27:34 +00:00
|
|
|
scam_deinit(&sctx);
|
2002-03-20 23:21:22 +00:00
|
|
|
return PAM_AUTH_ERR;
|
|
|
|
}
|
|
|
|
#if 1
|
|
|
|
/* No remote logins allowed through xdm */
|
|
|
|
if ((!strcmp(service, "xdm") &&
|
|
|
|
strcmp(tty, ":0"))) {
|
2002-03-21 14:05:24 +00:00
|
|
|
char buf[256];
|
|
|
|
|
|
|
|
snprintf(buf, 256, "User %s (tty %s) tried remote login through service %s, permission denied.\n", user, tty, service);
|
|
|
|
opensc_pam_log(LOG_NOTICE, pamh, buf);
|
2002-04-08 08:27:34 +00:00
|
|
|
scam_deinit(&sctx);
|
2002-03-20 23:21:22 +00:00
|
|
|
return PAM_PERM_DENIED;
|
|
|
|
}
|
|
|
|
#endif
|
|
|
|
|
2002-04-08 08:27:34 +00:00
|
|
|
rv = scam_qualify(&sctx, (unsigned char *) password);
|
2002-03-20 23:21:22 +00:00
|
|
|
if (rv != SCAM_SUCCESS) {
|
|
|
|
pam_set_item(pamh, PAM_AUTHTOK, password);
|
2002-04-08 08:27:34 +00:00
|
|
|
scam_deinit(&sctx);
|
2002-03-20 23:21:22 +00:00
|
|
|
return PAM_TRY_AGAIN;
|
|
|
|
}
|
2002-04-08 08:27:34 +00:00
|
|
|
rv = scam_auth(&sctx, argc, (const char **) argv, user, password);
|
|
|
|
scam_deinit(&sctx);
|
2002-03-20 23:21:22 +00:00
|
|
|
if (rv != SCAM_SUCCESS) {
|
|
|
|
opensc_pam_log(LOG_INFO, pamh, "Authentication failed for %s at %s.\n", user, tty);
|
|
|
|
return PAM_AUTH_ERR;
|
|
|
|
}
|
|
|
|
opensc_pam_log(LOG_INFO, pamh, "Authentication successful for %s at %s.\n", user, tty);
|
|
|
|
return PAM_SUCCESS;
|
|
|
|
}
|
|
|
|
|
|
|
|
PAM_EXTERN int pam_sm_setcred(pam_handle_t * pamh, int flags, int argc,
|
|
|
|
const char **argv)
|
|
|
|
{
|
|
|
|
return PAM_SUCCESS;
|
|
|
|
}
|
|
|
|
#endif
|
|
|
|
|
|
|
|
#if (defined(PAM_STATIC) && defined(PAM_SM_ACCOUNT)) || !defined(PAM_STATIC)
|
|
|
|
PAM_EXTERN int pam_sm_acct_mgmt(pam_handle_t * pamh, int flags, int argc,
|
|
|
|
const char **argv)
|
|
|
|
{
|
|
|
|
return PAM_SUCCESS;
|
|
|
|
}
|
|
|
|
#endif
|
|
|
|
|
|
|
|
#if (defined(PAM_STATIC) && defined(PAM_SM_SESSION)) || !defined(PAM_STATIC)
|
|
|
|
PAM_EXTERN int pam_sm_open_session(pam_handle_t * pamh, int flags, int argc,
|
|
|
|
const char **argv)
|
|
|
|
{
|
|
|
|
PAM_CONST char *user = NULL, *service = NULL;
|
|
|
|
unsigned int ctrl = 0;
|
|
|
|
int rv = 0;
|
2002-04-07 19:36:59 +00:00
|
|
|
scam_msg_data msg = {pamh, &ctrl};
|
2002-03-20 23:21:22 +00:00
|
|
|
|
2004-01-05 18:44:49 +00:00
|
|
|
ctrl = opensc_pam_set_ctrl(pamh, flags, argc, argv);
|
2002-04-08 08:27:34 +00:00
|
|
|
memset(&sctx, 0, sizeof(scam_context));
|
|
|
|
scam_parse_parameters(&sctx, argc, (const char **) argv);
|
|
|
|
sctx.printmsg = printmsg;
|
|
|
|
sctx.logmsg = logmsg;
|
|
|
|
sctx.msg_data = &msg;
|
|
|
|
if (sctx.auth_method) {
|
|
|
|
sctx.method = scam_select_by_name(sctx.auth_method);
|
|
|
|
free(sctx.auth_method);
|
|
|
|
sctx.auth_method = NULL;
|
2002-03-20 23:21:22 +00:00
|
|
|
}
|
2002-04-08 08:27:34 +00:00
|
|
|
if (sctx.method < 0) {
|
2002-03-20 23:21:22 +00:00
|
|
|
return PAM_SESSION_ERR;
|
|
|
|
}
|
2002-04-19 14:23:31 +00:00
|
|
|
rv = pam_get_item(pamh, PAM_USER, (PAM_CONST void **) &user);
|
2002-03-20 23:21:22 +00:00
|
|
|
if (!user || rv != PAM_SUCCESS) {
|
|
|
|
opensc_pam_log(LOG_CRIT, pamh, "open_session - error recovering username\n");
|
|
|
|
return PAM_SESSION_ERR; /* How did we get authenticated with no username?! */
|
|
|
|
}
|
|
|
|
if (on(OPENSC_DEBUG, ctrl))
|
|
|
|
opensc_pam_log(LOG_INFO, pamh, "Pam user name %s\n", user);
|
2002-04-19 14:23:31 +00:00
|
|
|
rv = pam_get_item(pamh, PAM_SERVICE, (PAM_CONST void **) &service);
|
2002-03-20 23:21:22 +00:00
|
|
|
if (!service || rv != PAM_SUCCESS) {
|
|
|
|
opensc_pam_log(LOG_CRIT, pamh, "open_session - error recovering service\n");
|
|
|
|
return PAM_SESSION_ERR;
|
|
|
|
}
|
2002-04-08 08:27:34 +00:00
|
|
|
rv = scam_open_session(&sctx, argc, (const char **) argv, user);
|
2002-03-20 23:21:22 +00:00
|
|
|
if (rv != SCAM_SUCCESS) {
|
|
|
|
opensc_pam_log(LOG_CRIT, pamh, "open_session - scam_open_session failed\n");
|
|
|
|
return PAM_SESSION_ERR;
|
|
|
|
}
|
2004-01-05 18:44:49 +00:00
|
|
|
opensc_pam_log(LOG_INFO, pamh, "session opened for user %s by %s(uid=%d)\n", user, opensc_pam_get_login() == NULL ? "" : opensc_pam_get_login(), getuid());
|
2002-03-20 23:21:22 +00:00
|
|
|
return PAM_SUCCESS;
|
|
|
|
}
|
|
|
|
|
|
|
|
PAM_EXTERN int pam_sm_close_session(pam_handle_t * pamh, int flags, int argc,
|
|
|
|
const char **argv)
|
|
|
|
{
|
|
|
|
PAM_CONST char *user = NULL, *service = NULL;
|
|
|
|
unsigned int ctrl = 0;
|
|
|
|
int rv = 0;
|
2002-04-07 19:36:59 +00:00
|
|
|
scam_msg_data msg = {pamh, &ctrl};
|
2002-03-20 23:21:22 +00:00
|
|
|
|
2004-01-05 18:44:49 +00:00
|
|
|
ctrl = opensc_pam_set_ctrl(pamh, flags, argc, argv);
|
2002-04-08 08:27:34 +00:00
|
|
|
memset(&sctx, 0, sizeof(scam_context));
|
|
|
|
scam_parse_parameters(&sctx, argc, (const char **) argv);
|
|
|
|
sctx.printmsg = printmsg;
|
|
|
|
sctx.logmsg = logmsg;
|
|
|
|
sctx.msg_data = &msg;
|
|
|
|
if (sctx.auth_method) {
|
|
|
|
sctx.method = scam_select_by_name(sctx.auth_method);
|
|
|
|
free(sctx.auth_method);
|
|
|
|
sctx.auth_method = NULL;
|
2002-03-20 23:21:22 +00:00
|
|
|
}
|
2002-04-08 08:27:34 +00:00
|
|
|
if (sctx.method < 0) {
|
2002-03-20 23:21:22 +00:00
|
|
|
return PAM_SESSION_ERR;
|
|
|
|
}
|
2002-04-19 14:23:31 +00:00
|
|
|
rv = pam_get_item(pamh, PAM_USER, (PAM_CONST void **) &user);
|
2002-03-20 23:21:22 +00:00
|
|
|
if (!user || rv != PAM_SUCCESS) {
|
|
|
|
opensc_pam_log(LOG_CRIT, pamh, "close_session - error recovering username\n");
|
|
|
|
return PAM_SESSION_ERR; /* How did we get authenticated with no username?! */
|
|
|
|
}
|
2002-04-19 14:23:31 +00:00
|
|
|
rv = pam_get_item(pamh, PAM_SERVICE, (PAM_CONST void **) &service);
|
2002-03-20 23:21:22 +00:00
|
|
|
if (!service || rv != PAM_SUCCESS) {
|
|
|
|
opensc_pam_log(LOG_CRIT, pamh, "close_session - error recovering service\n");
|
|
|
|
return PAM_SESSION_ERR;
|
|
|
|
}
|
2002-04-08 08:27:34 +00:00
|
|
|
rv = scam_close_session(&sctx, argc, (const char **) argv, user);
|
2002-03-20 23:21:22 +00:00
|
|
|
if (rv != SCAM_SUCCESS) {
|
|
|
|
opensc_pam_log(LOG_CRIT, pamh, "open_session - scam_close_session failed\n");
|
|
|
|
return PAM_SESSION_ERR;
|
|
|
|
}
|
|
|
|
opensc_pam_log(LOG_INFO, pamh, "session closed for user %s\n", user);
|
|
|
|
return PAM_SUCCESS;
|
|
|
|
}
|
|
|
|
#endif
|
|
|
|
|
|
|
|
#if (defined(PAM_STATIC) && defined(PAM_SM_PASSWORD)) || !defined(PAM_STATIC)
|
|
|
|
PAM_EXTERN int pam_sm_chauthtok(pam_handle_t * pamh, int flags, int argc,
|
|
|
|
const char **argv)
|
|
|
|
{
|
|
|
|
return PAM_SUCCESS;
|
|
|
|
}
|
|
|
|
#endif
|
|
|
|
|
|
|
|
#ifdef PAM_STATIC
|
|
|
|
struct pam_module _pam_opensc_modstruct =
|
|
|
|
{
|
|
|
|
"pam_opensc",
|
|
|
|
pam_sm_authenticate,
|
|
|
|
pam_sm_setcred,
|
|
|
|
NULL,
|
|
|
|
pam_sm_open_session,
|
|
|
|
pam_sm_close_session,
|
|
|
|
NULL,
|
|
|
|
};
|
|
|
|
#endif
|