From abd96b890bc03e06672777c73b55a18b9e869620 Mon Sep 17 00:00:00 2001 From: John Terpstra Date: Wed, 11 Apr 2001 01:29:42 +0000 Subject: Updating pampass from Samba-2.2 code tree. ===> JHT (This used to be commit 88b6043b4e26c2771e0c444376b7017f5048baf8) --- source3/auth/pampass.c | 226 +++++++++++++++++++------------------------------ 1 file changed, 87 insertions(+), 139 deletions(-) (limited to 'source3/auth') diff --git a/source3/auth/pampass.c b/source3/auth/pampass.c index a23727b689..90a6f773ce 100644 --- a/source3/auth/pampass.c +++ b/source3/auth/pampass.c @@ -56,7 +56,7 @@ static char *PAM_password; #define COPY_STRING(s) (s) ? strdup(s) : NULL /* - * Macro converted to a function to simplyify this thing + * PAM error handler. */ static BOOL pam_error_handler(pam_handle_t *pamh, int pam_error, char *msg, int dbglvl) { @@ -65,7 +65,7 @@ static BOOL pam_error_handler(pam_handle_t *pamh, int pam_error, char *msg, int if( pam_error != PAM_SUCCESS) { - DEBUG(dbglvl, ("PAM %s: %s\n", pam_strerror(pamh, pam_error))); + DEBUG(dbglvl, ("PAM: %s : %s\n", msg, pam_strerror(pamh, pam_error))); return False; } return True; @@ -132,6 +132,9 @@ static struct pam_conv PAM_conversation = { NULL }; +/* + * PAM Closing out cleanup handler + */ static BOOL proc_pam_end(pam_handle_t *pamh) { int pam_error; @@ -140,38 +143,66 @@ static BOOL proc_pam_end(pam_handle_t *pamh) { pam_error = pam_end(pamh, 0); if(pam_error_handler(pamh, pam_error, "End Cleanup Failed", 2) == True) { + DEBUG(4, ("PAM: PAM_END OK.\n")); return True; } } - DEBUG(2,("PAM not initialised")); + DEBUG(2,("PAM: not initialised")); return False; } - -static BOOL pam_auth(char *user, char *password) +/* + * Start PAM authentication for specified account + */ +static BOOL proc_pam_start(pam_handle_t **pamh, char *user) { - pam_handle_t *pamh; - int pam_error; + int pam_error; + char * rhost; - /* - * Now use PAM to do authentication. Bail out if there are any - * errors. - */ + DEBUG(4,("PAM: Init user: %s\n", user)); - PAM_password = password; - PAM_username = user; - DEBUG(4,("PAM Start for User: %s\n", user)); - pam_error = pam_start("samba", user, &PAM_conversation, &pamh); - if(!pam_error_handler(pamh, pam_error, "start failure", 2)) { - proc_pam_end(pamh); - return False; - } + pam_error = pam_start("samba", user, &PAM_conversation, pamh); + if( !pam_error_handler(*pamh, pam_error, "Init Failed", 0)) { + proc_pam_end(*pamh); + return False; + } + + rhost = client_name(); + if (strcmp(rhost,"UNKNOWN") == 0) + rhost = client_addr(); + +#ifdef PAM_RHOST + DEBUG(4,("PAM: setting rhost to: %s\n", rhost)); + pam_error = pam_set_item(*pamh, PAM_RHOST, rhost); + if(!pam_error_handler(*pamh, pam_error, "set rhost failed", 0)) { + proc_pam_end(*pamh); + return False; + } +#endif +#ifdef PAM_TTY + pam_error = pam_set_item(*pamh, PAM_TTY, "samba"); + if (!pam_error_handler(*pamh, pam_error, "set tty failed", 0)) { + proc_pam_end(*pamh); + return False; + } +#endif + DEBUG(4,("PAM: Init passed for user: %s\n", user)); + return True; +} + +/* + * PAM Authentication Handler + */ +static BOOL pam_auth(pam_handle_t *pamh, char *user, char *password) +{ + int pam_error; /* * To enable debugging set in /etc/pam.d/samba: * auth required /lib/security/pam_pwdb.so nullok shadow audit */ + DEBUG(4,("PAM: Authenticate User: %s\n", user)); pam_error = pam_authenticate(pamh, PAM_SILENT); /* Can we authenticate user? */ switch( pam_error ){ case PAM_AUTH_ERR: @@ -199,10 +230,18 @@ static BOOL pam_auth(char *user, char *password) proc_pam_end(pamh); return False; } + /* If this point is reached, the user has been authenticated. */ + return (True); +} - /* - * Now do account management control and validation - */ +/* + * PAM Account Handler + */ +static BOOL pam_account(pam_handle_t *pamh, char * user, char * password) +{ + int pam_error; + + DEBUG(4,("PAM: Account Management for User: %s\n", user)); pam_error = pam_acct_mgmt(pamh, PAM_SILENT); /* Is user account enabled? */ switch( pam_error ) { case PAM_AUTHTOK_EXPIRED: @@ -218,7 +257,7 @@ static BOOL pam_auth(char *user, char *password) DEBUG(0, ("PAM: User is NOT permitted to access system at this time\n")); break; case PAM_USER_UNKNOWN: - DEBUG(2, ("PAM: User \"%s\" is NOT known to account management\n", user)); + DEBUG(0, ("PAM: User \"%s\" is NOT known to account management\n", user)); break; default: DEBUG(4, ("PAM: Account OK for User: %s\n", user)); @@ -239,54 +278,15 @@ static BOOL pam_auth(char *user, char *password) return False; } - if( !proc_pam_end(pamh)) - return False; - /* If this point is reached, the user has been authenticated. */ - DEBUG(4, ("PAM: pam_authentication passed for User: %s\n", user)); return (True); } -#if NOTBLOCKEDOUT -/* Start PAM authentication for specified account */ -static BOOL proc_pam_start(pam_handle_t **pamh, char *user) -{ - int pam_error; - char * rhost; - - DEBUG(4,("PAM Init for user: %s\n", user)); - - pam_error = pam_start("samba", user, &PAM_conversation, pamh); - if( !pam_error_handler(*pamh, pam_error, "Init Failed", 0)) { - proc_pam_end(*pamh); - return False; - } - - rhost = client_name(); - if (strcmp(rhost,"UNKNOWN") == 0) - rhost = client_addr(); - -#ifdef PAM_RHOST - DEBUG(4,("PAM setting rhost to: %s\n", rhost)); - pam_error = pam_set_item(*pamh, PAM_RHOST, rhost); - if(!pam_error_handler(*pamh, pam_error, "set rhost failed", 0)) { - proc_pam_end(*pamh); - return False; - } -#endif - -#if defined(PAM_TTY_KLUDGE) && defined(PAM_TTY) - pam_error = pam_set_item(*pamh, PAM_TTY, "samba"); - if (!pam_error_handler(*pamh, pam_error, "set tty failed", 0)) { - proc_pam_end(*pamh); - return False; - } -#endif - - return True; -} -static BOOL pam_session(pam_handle_t *pamh, char *user, char *tty, BOOL instance) +/* + * PAM Internal Session Handler + */ +static BOOL proc_pam_session(pam_handle_t *pamh, char *user, char *tty, BOOL flag) { int pam_error; @@ -294,7 +294,7 @@ static BOOL pam_session(pam_handle_t *pamh, char *user, char *tty, BOOL instance PAM_username = user; #ifdef PAM_TTY - DEBUG(4,("PAM tty set to: %s\"\n", tty)); + DEBUG(4,("PAM: tty set to: %s\n", tty)); pam_error = pam_set_item(pamh, PAM_TTY, tty); if (!pam_error_handler(pamh, pam_error, "set tty failed", 0)) { proc_pam_end(pamh); @@ -302,7 +302,7 @@ static BOOL pam_session(pam_handle_t *pamh, char *user, char *tty, BOOL instance } #endif - if (instance) { + if (flag) { pam_error = pam_open_session(pamh, PAM_SILENT); if (!pam_error_handler(pamh, pam_error, "session setup failed", 0)) { proc_pam_end(pamh); @@ -320,72 +320,23 @@ static BOOL pam_session(pam_handle_t *pamh, char *user, char *tty, BOOL instance return (True); } -static BOOL pam_account(pam_handle_t *pamh, char *user) -{ - int pam_error; - - PAM_password = NULL; - PAM_username = user; - - DEBUG(4,("PAM starting account management for user: %s \n", user)); - - pam_error = pam_acct_mgmt(pamh, PAM_SILENT); - if (!pam_error_handler(pamh, pam_error, "PAM set account management failed", 0)) { - proc_pam_end(pamh); - return False; - } else { - DEBUG(4,("PAM account management passed\n")); - } - - /* - * This will allow samba to aquire a kerberos token. And, when - * exporting an AFS cell, be able to /write/ to this cell. - */ - pam_error = pam_setcred(pamh, (PAM_ESTABLISH_CRED)); - if (!pam_error_handler(pamh, pam_error, "set credentials failed\n", 0)) { - proc_pam_end(pamh); - return False; - } - - /* If this point is reached, the user has been authenticated. */ - return (True); -} -static BOOL account_pam(char *user) -{ - /* - * Check the account with the PAM account module: - * - This means that accounts can be disabled - * and or expired with avoidance of samba then just - * bypassing the situation. - */ - - pam_handle_t *pamh = NULL; - char * PAMuser; - - PAMuser = malloc(strlen(user)+1); - /* This is freed by PAM */ - strncpy(PAMuser, user, strlen(user)+1); - - if (proc_pam_start(&pamh, PAMuser)) - { - if (pam_account(pamh, PAMuser)) - { - return proc_pam_end(pamh); - } - } - proc_pam_end(pamh); - return False; -} - -BOOL PAM_session(BOOL instance, const connection_struct *conn, char *tty) +/* + * PAM Externally accessible Session handler + */ +BOOL pam_session(BOOL flag, const connection_struct *conn, char *tty) { - pam_handle_t *pamh=NULL; + pam_handle_t *pamh = NULL; char * user; user = malloc(strlen(conn->user)+1); + if ( user == NULL ) + { + DEBUG(0, ("PAM: PAM_session Malloc Failed!\n")); + return False; + } /* This is freed by PAM */ - strncpy(user, conn->user, strlen(conn->user)+1); + StrnCpy(user, conn->user, strlen(conn->user)+1); if (!proc_pam_start(&pamh, user)) { @@ -393,7 +344,7 @@ BOOL PAM_session(BOOL instance, const connection_struct *conn, char *tty) return False; } - if (pam_session(pamh, user, tty, instance)) + if (proc_pam_session(pamh, user, tty, flag)) { return proc_pam_end(pamh); } @@ -404,6 +355,9 @@ BOOL PAM_session(BOOL instance, const connection_struct *conn, char *tty) } } +/* + * PAM Password Validation Suite + */ BOOL pam_passcheck(char * user, char * password) { pam_handle_t *pamh = NULL; @@ -413,24 +367,18 @@ BOOL pam_passcheck(char * user, char * password) if( proc_pam_start(&pamh, user)) { - if( pam_auth(user, password)) + if ( pam_auth(pamh, user, password)) { - if( account_pam(user)) + if ( pam_account(pamh, user, password)) { return( proc_pam_end(pamh)); } - } + } } - proc_pam_end(pamh); + DEBUG(0, ("PAM: System Validation Failed - Rejecting User!\n")); return( False ); } -#endif /* NOTBLOCKEDOUT */ -BOOL pam_passcheck( char * user, char * password ) -{ - return( pam_auth( user, password )); - -} #else /* Do *NOT* make this function static. Doing so breaks the compile on gcc */ -- cgit