From 66c727e0e7b34d19cdb8dbdc0a0fae15d9d5ff25 Mon Sep 17 00:00:00 2001
From: Simo Sorce
Date: Mon, 11 May 2009 09:08:31 -0400
Subject: Move actual password caching into sysdb

Convert auth modules to do the caching themselves
---
 server/responder/pam/pam_LOCAL_domain.c | 2 +-
 server/responder/pam/pamsrv.h | 1 -
 server/responder/pam/pamsrv_cache.c | 112 +-------------------------------
 server/responder/pam/pamsrv_cmd.c | 13 ----
 4 files changed, 2 insertions(+), 126 deletions(-)
(limited to 'server/responder/pam')
diff --git a/server/responder/pam/pam_LOCAL_domain.c b/server/responder/pam/pam_LOCAL_domain.c
index 614d640e..010bd8d4 100644
--- a/server/responder/pam/pam_LOCAL_domain.c
+++ b/server/responder/pam/pam_LOCAL_domain.c
@@ -115,7 +115,7 @@ static void set_user_attr_req(struct sysdb_req *req, void *pvt)
 lreq->sysdb_req = req;
- ret = sysdb_set_user_attr(req, lreq->dbctx, lreq->preq->domain,
+ ret = sysdb_set_user_attr(req, lreq->preq->domain,
 lreq->preq->pd->user, lreq->mod_attrs, set_user_attr_callback, lreq);
 if (ret != EOK)
diff --git a/server/responder/pam/pamsrv.h b/server/responder/pam/pamsrv.h
index d95df169..fa688fe1 100644
--- a/server/responder/pam/pamsrv.h
+++ b/server/responder/pam/pamsrv.h
@@ -27,7 +27,6 @@ struct sss_cmd_table *register_sss_cmds(void);
 int pam_dp_send_req(struct pam_auth_req *preq, int timeout);
-int pam_cache_credentials(struct pam_auth_req *preq);
 int pam_cache_auth(struct pam_auth_req *preq);
 int LOCAL_pam_handler(struct pam_auth_req *preq);
diff --git a/server/responder/pam/pamsrv_cache.c b/server/responder/pam/pamsrv_cache.c
index ed18f6a1..d1c34e5f 100644
--- a/server/responder/pam/pamsrv_cache.c
+++ b/server/responder/pam/pamsrv_cache.c
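Review bot: The rewritten `sysdb_set_user_attr` call drops `lreq->dbctx`, so unless that field is still read somewhere else in `set_user_attr_req` or its callback, `dbctx` in the request struct behind `lreq` and whatever fills it are now dead and should be removed in the same change rather than left as an unused handle. The struct definition and the rest of this function are outside the hunk, so this is inferred from the single changed line. If the field is still needed by another path, a one-line comment on it naming that user would make the intent clear.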
@@ -53,120 +53,10 @@ static int authtok2str(const void *mem_ctx,
 struct set_attrs_ctx {
 struct pam_auth_req *preq;
- struct sysdb_attrs *attrs;
 struct sysdb_req *sysreq;
+ char *password;
 };
-static void pc_set_user_attr_callback(void *pvt,
- int ldb_status,
- struct ldb_result *res)
-{
- struct set_attrs_ctx *ctx;
- int error;
-
- ctx = talloc_get_type(pvt, struct set_attrs_ctx);
- error = sysdb_error_to_errno(ldb_status);
-
- sysdb_transaction_done(ctx->sysreq, error);
-
- if (ldb_status != LDB_SUCCESS) {
- DEBUG(2, ("Failed to cache credentials for user [%s] (%d)!\n",
- ctx->preq->pd->user, error, strerror(error)));
- }
-
- ctx->preq->callback(ctx->preq);
-}
-
-static void pc_set_user_attr_req(struct sysdb_req *req, void *pvt)
-{
- struct set_attrs_ctx *ctx;
- int ret;
-
- DEBUG(4, ("entering pc_set_user_attr_req\n"));
-
- ctx = talloc_get_type(pvt, struct set_attrs_ctx);
-
- ctx->sysreq = req;
-
- ret = sysdb_set_user_attr(req, ctx->preq->cctx->rctx->sysdb,
- ctx->preq->domain,
- ctx->preq->pd->user,
- ctx->attrs,
- pc_set_user_attr_callback, ctx);
- if (ret != EOK) {
- sysdb_transaction_done(ctx->sysreq, ret);
- }
-
- if (ret != EOK) {
- DEBUG(2, ("Failed to cache credentials for user [%s] (%d)!\n",
- ctx->preq->pd->user, ret, strerror(ret)));
- ctx->preq->callback(ctx->preq);
- }
-}
-
-int pam_cache_credentials(struct pam_auth_req *preq)
-{
- struct set_attrs_ctx *ctx;
- struct pam_data *pd;
- char *password = NULL;
- char *comphash = NULL;
- char *salt;
- int i, ret;
-
- pd = preq->pd;
-
- ret = authtok2str(preq, pd->authtok, pd->authtok_size, &password);
- if (ret) {
- DEBUG(4, ("Invalid auth token.\n"));
- ret = EINVAL;
- goto done;
- }
-
- ret = s3crypt_gen_salt(preq, &salt);
- if (ret) {
- DEBUG(4, ("Failed to generate random salt.\n"));
- goto done;
- }
-
- ret = s3crypt_sha512(preq, password, salt, &comphash);
- if (ret) {
- DEBUG(4, ("Failed to create password hash.\n"));
- goto done;
- }
-
- ctx = talloc_zero(preq, struct set_attrs_ctx);
- if (!ctx) {
- ret = ENOMEM;
- goto done;
- }
- ctx->preq = preq;
-
- ctx->attrs = sysdb_new_attrs(ctx);
- if (!ctx->attrs) {
- ret = ENOMEM;
- goto done;
- }
-
- ret = sysdb_attrs_add_string(ctx->attrs, SYSDB_CACHEDPWD, comphash);
- if (ret) goto done;
-
- /* FIXME: should we use a different attribute for chache passwords ?? */
- ret = sysdb_attrs_add_long(ctx->attrs, "lastCachedPasswordChange",
- (long)time(NULL));
- if (ret) goto done;
-
- ret = sysdb_transaction(ctx, preq->cctx->rctx->sysdb,
- pc_set_user_attr_req, ctx);
-
-done:
- if (password) for (i = 0; password[i]; i++) password[i] = 0;
- if (ret != EOK) {
- DEBUG(2, ("Failed to cache credentials for user [%s] (%d)!\n",
- pd->user, ret, strerror(ret)));
- }
- return ret;
-}
-
 static void pam_cache_auth_return(struct pam_auth_req *preq, int error)
 {
 preq->pd->pam_status = error;
diff --git a/server/responder/pam/pamsrv_cmd.c b/server/responder/pam/pamsrv_cmd.c
index 00765d47..40cccffb 100644
--- a/server/responder/pam/pamsrv_cmd.c
+++ b/server/responder/pam/pamsrv_cmd.c
@@ -263,19 +263,6 @@ static void pam_reply(struct pam_auth_req *preq)
 (preq->domain->cache_credentials == true) &&
 (pd->offline_auth == false)) {
- if (pd->pam_status == PAM_SUCCESS) {
- pd->offline_auth = true;
- preq->callback = pam_reply;
- ret = pam_cache_credentials(preq);
- if (ret == EOK) {
- return;
- }
- else {
- DEBUG(0, ("Failed to cache credentials"));
- /* this error is not fatal, continue */
- }
- }
-
 if (pd->pam_status == PAM_AUTHINFO_UNAVAIL) {
 /* do auth with offline credentials */
 pd->offline_auth = true;
--
cgit
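Review bot: The new `char *password` member of `struct set_attrs_ctx` appears to hold the plaintext authtok, yet nothing in this hunk clears it: the deleted `pam_cache_credentials` zeroed `password` byte by byte at `done:` before returning, and no equivalent wipe is visible for the field that replaces it. The code that fills and consumes the field is outside the hunk, so this is inferred; if it is not already zeroed there, a talloc destructor on the context that overwrites `password` before the memory is released would preserve the guarantee the old code gave. A plain loop or memset on a buffer that is about to be freed can be dropped by the optimizer, so an `explicit_bzero`-style helper or volatile writes are the safer form. A field comment such as `char *password; /* plaintext authtok, must be wiped before ctx is freed */` would record that ownership for the next maintainer.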
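Review bot: With the `PAM_SUCCESS` branch removed, the only assignment to `ret` visible in this region was `ret = pam_cache_credentials(preq)`, so `ret` may now be an unused local in `pam_reply` and worth deleting if nothing else in the function sets it; `pam_reply` begins outside the hunk, so this is inferred. The surviving `PAM_AUTHINFO_UNAVAIL` block now silently depends on the auth backend having stored the cached credentials, which the commit message says is the new arrangement. A comment at the head of the remaining `if`, such as `/* credential caching now happens in the auth backend; this path only consumes what is already in sysdb */`, would stop a later reader from re-adding caching here.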