#include <errno.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>
#include <security/pam_modules.h>
#include <security/pam_appl.h>
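/* Text of the single PAM_PROMPT_ECHO_OFF prompt sent through the
 * application's conversation function. */
static char password_prompt[] = "Password:";

/* Sizing unit for fixed-size formatting buffers (one unit per formatted
 * value). */
#define MAX_STR_LENGTH 100000

/* Names of the PAM environment variables exchanged with the hook scripts:
 * request description set by the application ... */
#define PAM_ENV_URI "GANETI_RAPI_URI"
#define PAM_ENV_BODY "GANETI_REQUEST_BODY"
#define PAM_ENV_METHOD "GANETI_REQUEST_METHOD"
#define PAM_ENV_ACCESS "GANETI_RESOURCE_ACCESS"
/* ... and the identity/credential values this module exports. */
#define PAM_ENV_USER "GANETI_RAPI_USER"
#define PAM_ENV_PASSWORD "GANETI_RAPI_PASSWORD"
#define PAM_ENV_AUTHTOK "GANETI_RAPI_AUTHTOK"

/* Map a possibly-NULL string to "" so it can be formatted. The whole
 * expansion is parenthesised so that STR(x) is one expression wherever it
 * appears (the old form `(str) ? (str) : ""` bound differently inside a
 * larger expression). */
#define STR(str) ((str) ? (str) : "")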
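/* One environment variable handed to a hook script. */
struct hook_var {
  const char *name;
  const char *value; /* NULL is exported as "" (what the old STR() did) */
};

extern char **environ;

/* Overwrite a secret before releasing it; the volatile access keeps the
 * stores from being optimised away as dead writes before free(). */
static void wipe_and_free(char *secret) {
  if (secret == NULL)
    return;
  volatile char *p = secret;
  while (*p != '\0')
    *p++ = '\0';
  free(secret);
}

/* True if "entry" (a "NAME=value" string) defines the variable "name". */
static int env_defines(const char *entry, const char *name) {
  size_t len = strlen(name);
  return strncmp(entry, name, len) == 0 && entry[len] == '=';
}

/* Release an array from build_env(): only the first 'owned' strings are
 * ours (and may hold a password, so they are wiped); the rest are borrowed
 * from environ. */
static void free_env(char **env, size_t owned) {
  if (env == NULL)
    return;
  for (size_t i = 0; i < owned; i++)
    wipe_and_free(env[i]);
  free(env);
}

/*
 * Build the hook's environment: one "NAME=value" string per var, followed by
 * this process's own environment minus any entry those vars override (so the
 * hook sees exactly one definition of each, as the old `NAME='v' cmd` shell
 * prefix achieved). Returns a NULL-terminated array to be released with
 * free_env(env, count), or NULL on allocation failure.
 */
static char **build_env(const struct hook_var *vars, size_t count) {
  size_t inherited = 0;
  while (environ != NULL && environ[inherited] != NULL)
    inherited++;

  char **env = calloc(count + inherited + 1, sizeof *env);
  if (env == NULL)
    return NULL;

  for (size_t i = 0; i < count; i++) {
    const char *value = vars[i].value ? vars[i].value : "";
    size_t len = strlen(vars[i].name) + strlen(value) + 2; /* '=' and NUL */
    env[i] = malloc(len);
    if (env[i] == NULL) {
      free_env(env, i);
      return NULL;
    }
    snprintf(env[i], len, "%s=%s", vars[i].name, value);
  }

  size_t n = count;
  for (size_t i = 0; i < inherited; i++) {
    int overridden = 0;
    for (size_t j = 0; j < count && !overridden; j++)
      overridden = env_defines(environ[i], vars[j].name);
    if (!overridden)
      env[n++] = environ[i];
  }
  env[n] = NULL;
  return env;
}

/*
 * Run "python <script>" with vars exported in its environment.
 *
 * The previous implementation interpolated the user name, password, auth
 * token and request data into a shell command line and handed it to
 * system(). Those values come from the client (the PAM conversation and
 * pam_getenv), so a single quote in any of them ended the quoting and the
 * remainder ran as shell code with the daemon's privileges; the command
 * line, password included, was also exposed in the process list, and a
 * fixed-size stack buffer was filled with an unbounded sprintf(). No shell
 * is involved now: the values travel only through the environment, and the
 * child performs nothing but exec after fork().
 *
 * Returns the script's exit status (0 = accepted), 127 if it could not be
 * started, or -1 if the environment could not be built, fork()/waitpid()
 * failed, or the child died from a signal.
 */
static int run_hook(const char *script, const struct hook_var *vars,
                    size_t count) {
  char **env = build_env(vars, count);
  if (env == NULL)
    return -1;

  int rc = -1;
  pid_t pid = fork();
  if (pid == 0) {
    /* Child: only async-signal-safe work. execlp() resolves "python" via
     * the PATH in env, exactly as the old shell command line did. */
    environ = env;
    execlp("python", "python", script, (char *)NULL);
    _exit(127);
  }
  if (pid > 0) {
    int status = 0;
    pid_t waited;
    do {
      waited = waitpid(pid, &status, 0);
    } while (waited < 0 && errno == EINTR);
    if (waited == pid && WIFEXITED(status))
      rc = WEXITSTATUS(status);
  }
  free_env(env, count);
  return rc;
}

/* Map a run_hook() result onto a PAM return code. */
static int hook_result_to_pam(int rc) {
  if (rc == 0)
    return PAM_SUCCESS;
  if (rc < 0)
    return PAM_SYSTEM_ERR; /* the hook could not be run at all */
  return PAM_AUTH_ERR;     /* the hook ran and rejected the request */
}

/*
 * Prompt for the password through the application's conversation function
 * and let authenticate.py decide. The user name, the password and any
 * PAM_AUTHTOK already on the handle are exported as GANETI_RAPI_USER,
 * GANETI_RAPI_PASSWORD and GANETI_RAPI_AUTHTOK, with GANETI_PATH alongside.
 *
 * Returns the pam_get_user() error, PAM_SYSTEM_ERR when there is no usable
 * conversation function or the hook cannot be started, PAM_CONV_ERR when the
 * conversation aborts, PAM_AUTH_ERR when it fails otherwise or the hook
 * rejects, and PAM_SUCCESS when the hook exits 0. flags/argc/argv are
 * unused.
 */
int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc,
                        const char *argv[]) {
  (void)flags;
  (void)argc;
  (void)argv;

  const char *user = NULL;
  int pam_err = pam_get_user(pamh, &user, NULL);
  if (pam_err != PAM_SUCCESS)
    return pam_err;

  const void *ptr = NULL;
  if (pam_get_item(pamh, PAM_CONV, &ptr) != PAM_SUCCESS || ptr == NULL)
    return PAM_SYSTEM_ERR;
  const struct pam_conv *conv = ptr;
  if (conv->conv == NULL)
    return PAM_SYSTEM_ERR;

  struct pam_message msg = {0};
  msg.msg_style = PAM_PROMPT_ECHO_OFF;
  msg.msg = password_prompt;
  const struct pam_message *msgp = &msg;
  struct pam_response *resp = NULL;
  pam_err = (*conv->conv)(1, &msgp, &resp, conv->appdata_ptr);

  /* The response array is ours to free; only the password string is kept,
   * and it is wiped and freed below (the old code leaked it). */
  char *password = NULL;
  if (resp != NULL) {
    if (pam_err == PAM_SUCCESS)
      password = resp->resp;
    else
      wipe_and_free(resp->resp);
    free(resp);
  }
  if (pam_err == PAM_CONV_ERR)
    return pam_err;
  if (pam_err != PAM_SUCCESS)
    return PAM_AUTH_ERR;

  /* Optional: a token set earlier in the stack. Absence is not an error. */
  const char *authtok = NULL;
  if (pam_get_item(pamh, PAM_AUTHTOK, (const void **)&authtok) != PAM_SUCCESS)
    authtok = NULL;

  const struct hook_var vars[] = {
      {PAM_ENV_USER, user},
      {PAM_ENV_PASSWORD, password},
      {PAM_ENV_AUTHTOK, authtok},
      {"GANETI_PATH", GANETI_PATH},
  };
  int rc = run_hook(PAM_LIB_PATH "/ganeti_basic/authenticate.py", vars,
                    sizeof vars / sizeof vars[0]);
  wipe_and_free(password);
  return hook_result_to_pam(rc);
}

/* No credentials to establish; the authenticate hook alone decides. */
int pam_sm_setcred(pam_handle_t *pamh, int flags, int argc,
                   const char *argv[]) {
  (void)pamh;
  (void)flags;
  (void)argc;
  (void)argv;
  return PAM_SUCCESS;
}

/*
 * Authorise the request described by the GANETI_* PAM environment variables
 * (URI, body, method, resource access) through authorize.py. Each one is
 * exported unchanged together with GANETI_RAPI_USER and GANETI_PATH; a
 * variable that is not set is exported as "". The old command line carried a
 * stray comma after the GANETI_RESOURCE_ACCESS value, which the shell would
 * have appended to the value; the hook now receives it exactly as set.
 *
 * Returns the pam_get_user() error, PAM_SYSTEM_ERR if the hook cannot be
 * started, PAM_AUTH_ERR if it rejects, PAM_SUCCESS otherwise. flags/argc/
 * argv are unused.
 */
int pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, int argc,
                     const char *argv[]) {
  (void)flags;
  (void)argc;
  (void)argv;

  const char *user = NULL;
  int pam_err = pam_get_user(pamh, &user, NULL);
  if (pam_err != PAM_SUCCESS)
    return pam_err;

  const struct hook_var vars[] = {
      {PAM_ENV_USER, user},
      {PAM_ENV_URI, pam_getenv(pamh, PAM_ENV_URI)},
      {PAM_ENV_BODY, pam_getenv(pamh, PAM_ENV_BODY)},
      {PAM_ENV_METHOD, pam_getenv(pamh, PAM_ENV_METHOD)},
      {PAM_ENV_ACCESS, pam_getenv(pamh, PAM_ENV_ACCESS)},
      {"GANETI_PATH", GANETI_PATH},
  };
  int rc = run_hook(PAM_LIB_PATH "/ganeti_basic/authorize.py", vars,
                    sizeof vars / sizeof vars[0]);
  return hook_result_to_pam(rc);
}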
/* Session management is not part of this module; opening always succeeds. */
int pam_sm_open_session(pam_handle_t *pamh, int flags, int argc,
                        const char *argv[]) {
  (void)pamh;
  (void)flags;
  (void)argc;
  (void)argv;
  return PAM_SUCCESS;
}
/* Session management is not part of this module; closing always succeeds. */
int pam_sm_close_session(pam_handle_t *pamh, int flags, int argc,
                         const char *argv[]) {
  (void)pamh;
  (void)flags;
  (void)argc;
  (void)argv;
  return PAM_SUCCESS;
}
/* Password changes are not supported through this module, so any
 * pam_chauthtok() request is refused with PAM_SERVICE_ERR. */
int pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc,
                     const char *argv[]) {
  (void)pamh;
  (void)flags;
  (void)argc;
  (void)argv;
  return PAM_SERVICE_ERR;
}