2010-07-12 12:53:08 +02:00
|
|
|
/*
|
|
|
|
* ngIRCd -- The Next Generation IRC Daemon
|
|
|
|
* Copyright (c)2001-2010 Alexander Barton (alex@barton.de).
|
|
|
|
*
|
|
|
|
* This program is free software; you can redistribute it and/or modify
|
|
|
|
* it under the terms of the GNU General Public License as published by
|
|
|
|
* the Free Software Foundation; either version 2 of the License, or
|
|
|
|
* (at your option) any later version.
|
|
|
|
* Please read the file COPYING, README and AUTHORS for more information.
|
|
|
|
*/
|
|
|
|
|
|
|
|
#include "portab.h"
|
|
|
|
|
|
|
|
#ifdef PAM
|
|
|
|
|
2010-12-27 17:14:14 +01:00
|
|
|
/**
|
|
|
|
* @file
|
2013-08-04 13:33:10 +02:00
|
|
|
* PAM User Authentication
|
2010-12-27 17:14:14 +01:00
|
|
|
*/
|
|
|
|
|
2010-07-12 12:53:08 +02:00
|
|
|
#include "imp.h"
|
|
|
|
#include <assert.h>
|
|
|
|
|
|
|
|
#include "defines.h"
|
|
|
|
#include "log.h"
|
|
|
|
#include "conn.h"
|
|
|
|
#include "client.h"
|
|
|
|
|
|
|
|
#include <stdlib.h>
|
|
|
|
#include <string.h>
|
|
|
|
|
|
|
|
#ifdef HAVE_SECURITY_PAM_APPL_H
|
|
|
|
#include <security/pam_appl.h>
|
|
|
|
#endif
|
|
|
|
|
|
|
|
#ifdef HAVE_PAM_PAM_APPL_H
|
|
|
|
#include <pam/pam_appl.h>
|
|
|
|
#endif
|
|
|
|
|
|
|
|
#include "exp.h"
|
|
|
|
#include "pam.h"
|
|
|
|
|
|
|
|
static char *password;
|
|
|
|
|
|
|
|
/**
|
|
|
|
* PAM "conversation function".
|
|
|
|
* This is a callback function used by the PAM library to get the password.
|
|
|
|
* Please see the PAM documentation for details :-)
|
|
|
|
*/
|
|
|
|
static int
|
|
|
|
password_conversation(int num_msg, const struct pam_message **msg,
|
|
|
|
struct pam_response **resp, void *appdata_ptr) {
|
|
|
|
LogDebug("PAM: conv(%d, %d, '%s', '%s')",
|
|
|
|
num_msg, msg[0]->msg_style, msg[0]->msg, appdata_ptr);
|
|
|
|
|
|
|
|
/* Can we deal with this request? */
|
|
|
|
if (num_msg != 1 || msg[0]->msg_style != PAM_PROMPT_ECHO_OFF) {
|
|
|
|
Log(LOG_ERR, "PAM: Unexpected PAM conversation '%d:%s'!",
|
|
|
|
msg[0]->msg_style, msg[0]->msg);
|
|
|
|
return PAM_CONV_ERR;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (!appdata_ptr) {
|
|
|
|
/* Sometimes appdata_ptr gets lost!? */
|
|
|
|
appdata_ptr = password;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* Duplicate password ("application data") for the PAM library */
|
|
|
|
*resp = calloc(num_msg, sizeof(struct pam_response));
|
|
|
|
if (!*resp) {
|
|
|
|
Log(LOG_ERR, "PAM: Out of memory!");
|
|
|
|
return PAM_CONV_ERR;
|
|
|
|
}
|
|
|
|
|
|
|
|
(*resp)[0].resp = strdup((char *)appdata_ptr);
|
|
|
|
(*resp)[0].resp_retcode = 0;
|
|
|
|
|
|
|
|
return ((*resp)[0].resp ? PAM_SUCCESS : PAM_CONV_ERR);
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* PAM "conversation" structure.
|
|
|
|
*/
|
|
|
|
static struct pam_conv conv = {
|
|
|
|
&password_conversation,
|
|
|
|
NULL
|
|
|
|
};
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Authenticate a connectiong client using PAM.
|
|
|
|
* @param Client The client to authenticate.
|
|
|
|
* @return true when authentication succeeded, false otherwise.
|
|
|
|
*/
|
|
|
|
GLOBAL bool
|
|
|
|
PAM_Authenticate(CLIENT *Client) {
|
|
|
|
pam_handle_t *pam;
|
|
|
|
int retval = PAM_SUCCESS;
|
|
|
|
|
|
|
|
LogDebug("PAM: Authenticate \"%s\" (%s) ...",
|
|
|
|
Client_OrigUser(Client), Client_Mask(Client));
|
|
|
|
|
|
|
|
/* Set supplied client password */
|
|
|
|
if (password)
|
|
|
|
free(password);
|
2012-08-23 17:07:08 +02:00
|
|
|
password = strdup(Conn_Password(Client_Conn(Client)));
|
|
|
|
conv.appdata_ptr = Conn_Password(Client_Conn(Client));
|
2010-07-12 12:53:08 +02:00
|
|
|
|
|
|
|
/* Initialize PAM */
|
|
|
|
retval = pam_start("ngircd", Client_OrigUser(Client), &conv, &pam);
|
|
|
|
if (retval != PAM_SUCCESS) {
|
|
|
|
Log(LOG_ERR, "PAM: Failed to create authenticator! (%d)", retval);
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
|
|
|
|
pam_set_item(pam, PAM_RUSER, Client_User(Client));
|
|
|
|
pam_set_item(pam, PAM_RHOST, Client_Hostname(Client));
|
2010-10-26 15:13:24 +02:00
|
|
|
#if defined(HAVE_PAM_FAIL_DELAY) && !defined(NO_PAM_FAIL_DELAY)
|
2010-07-12 12:53:08 +02:00
|
|
|
pam_fail_delay(pam, 0);
|
|
|
|
#endif
|
|
|
|
|
|
|
|
/* PAM authentication ... */
|
|
|
|
retval = pam_authenticate(pam, 0);
|
|
|
|
|
|
|
|
/* Success? */
|
|
|
|
if (retval == PAM_SUCCESS)
|
|
|
|
Log(LOG_INFO, "PAM: Authenticated \"%s\" (%s).",
|
|
|
|
Client_OrigUser(Client), Client_Mask(Client));
|
|
|
|
else
|
|
|
|
Log(LOG_ERR, "PAM: Error on \"%s\" (%s): %s",
|
|
|
|
Client_OrigUser(Client), Client_Mask(Client),
|
|
|
|
pam_strerror(pam, retval));
|
|
|
|
|
|
|
|
/* Free PAM structures */
|
|
|
|
if (pam_end(pam, retval) != PAM_SUCCESS)
|
|
|
|
Log(LOG_ERR, "PAM: Failed to release authenticator!");
|
|
|
|
|
|
|
|
return (retval == PAM_SUCCESS);
|
|
|
|
}
|
|
|
|
|
|
|
|
#endif /* PAM */
|
|
|
|
|
|
|
|
/* -eof- */
|