authorSeraphim Mellos <mellos@ceid.upatras.gr>2008-06-21 14:00:36 +0300
committerSeraphim Mellos <mellos@ceid.upatras.gr>2008-06-21 14:00:36 +0300
commit0280555a431021f2f5164cba09ad86efcdeddde2 (patch)
tree10676aac175eee800716508128da185610a43070 /modules/pam_unix
parentCompleted update_passwd function for pam_unix (diff)
Completed pam_rootok and pam_securetty
Diffstat (limited to 'modules/pam_unix')
-rw-r--r--modules/pam_unix/pam_unix.c83
-rw-r--r--modules/pam_unix/pam_unix.c~88
2 files changed, 147 insertions, 24 deletions
diff --git a/modules/pam_unix/pam_unix.c b/modules/pam_unix/pam_unix.c
index a14dbe6..ea1b75d 100644
--- a/modules/pam_unix/pam_unix.c
+++ b/modules/pam_unix/pam_unix.c
@@ -15,7 +15,8 @@
#define PAM_SM_AUTH
#define PAM_SM_ACCOUNT
-#define PAM_PASSWORD
+#define PAM_SM_PASSWORD
+#define PAM_SM_SESSION
#ifndef __linux__
#include <login_cap.h> /* for BSD login classes */
@@ -32,6 +33,7 @@
#include <security/pam_modules.h>
#include <security/pam_appl.h>
+#include <security/openpam.h>
#include <security/pam_mod_misc.h>
@@ -56,7 +58,7 @@ void makesalt(char salt[SALTSIZE]);
PAM_EXTERN int
pam_sm_authenticate(pam_handle_t *pamh, int flags,
- int argc , const char **argv ) {
+ int argc , const char *argv[] ) {
#ifndef __linux__
login_cap_t *lc;
@@ -78,7 +80,8 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags,
pwd = getpwnam(user);
}
-
+ puts("authenticating as user:");
+ puts(user);
PAM_LOG("Authenticating user: [%s]", user);
/* get password */
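Review bot: The two `puts()` calls added before PAM_LOG write "authenticating as user:" and the account name to the calling application's stdout, which a PAM module must not do: that stream belongs to login, su, sshd or whatever called pam_authenticate, so the output is corrupted and the user name being tried is disclosed outside the syslog channel the module already uses. Remove both lines; `PAM_LOG("Authenticating user: [%s]", user);` on the next line already records the same fact. Anything genuinely meant for the user goes through the conversation function (`pam_info`/`pam_prompt`), never stdout. pam_sm_authenticate starts before this hunk and continues after it.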
@@ -227,17 +230,22 @@ pam_sm_acct_mgmt(pam_handle_t *pamh, int flags ,
}
#endif
/* Check if pw_lstchg or sp_expire is set */
-
+/*
if (pwd->sp_lstchg || pwd->sp_expire)
curtime = time(NULL) / (60 * 60 * 24);
+ puts("before all");
if (pwd->sp_expire) {
+ puts(ctime(&(pwd->sp_expire)));
+ puts(ctime(&curtime));
if ( (curtime > pwd->sp_expire ) && ( pwd->sp_expire != -1 ) ) {
#ifndef __linux__
login_close(lc);
-#endif
+#endif
+ puts("expire 1");
PAM_ERROR("Account has expired!");
return (PAM_ACCT_EXPIRED);
} else if ( ( pwd->sp_expire - curtime < DEFAULT_WARN) ) {
+ puts("expire 2");
PAM_ERROR("Warning: your account expires on %s",
ctime(&pwd->sp_expire));
}
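Review bot: The `/*` added after the "Check if pw_lstchg or sp_expire is set" comment opens a block comment that, judging by the later hunks, is only closed at `*/ pam_err = (PAM_SUCCESS);`, so on the new side every sp_expire check, the sp_max/sp_inact ageing checks and the `return (PAM_NEW_AUTHTOK_REQD)` for `sp_lstchg == 0` are dead code and any account with a shadow entry passes account management unconditionally; the inner comment rewritten as `* check all other possibilities (mostly stolen from pam_tcb) *` confirms this is deliberate, but it cannot be merged in this state. If the checks must be disabled while debugging, wrap the region in `#if 0 /* TODO: re-enable ageing checks before release */` … `#endif` so the disabled security check is visible to grep and the compiler, and reinstate it before release. The new `puts(ctime(&(pwd->sp_expire)))` / `puts(ctime(&curtime))` lines would also be wrong once re-enabled: both values are day counts (`curtime = time(NULL) / (60 * 60 * 24)`), not seconds, and `&pwd->sp_expire` is a `long *` rather than the `const time_t *` ctime takes, so either convert (`time_t t = pwd->sp_expire * 86400;`) or drop them along with the other stdout debugging. pam_sm_acct_mgmt starts before this hunk and continues after it.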
@@ -246,8 +254,8 @@ pam_sm_acct_mgmt(pam_handle_t *pamh, int flags ,
if (pwd->sp_lstchg == 0 ) {
return (PAM_NEW_AUTHTOK_REQD);
}
-
- /* check all other possibilities (mostly stolen from pam_tcb) */
+ puts("before tcb OK!");
+ * check all other possibilities (mostly stolen from pam_tcb) *
if ((curtime > (pwd->sp_lstchg + pwd->sp_max + pwd->sp_inact)) &&
(pwd->sp_max != -1) && (pwd->sp_inact != -1) &&
@@ -255,12 +263,14 @@ pam_sm_acct_mgmt(pam_handle_t *pamh, int flags ,
PAM_ERROR("Account has expired!");
return (PAM_ACCT_EXPIRED);
}
+ puts("after 1");
if (((pwd->sp_lstchg + pwd->sp_max) < curtime) &&
(pwd->sp_max != -1)) {
PAM_ERROR("Account has expired!");
return (PAM_ACCT_EXPIRED);
}
+ puts("after 2");
if ((curtime - pwd->sp_lstchg > pwd->sp_max)
&& (curtime - pwd->sp_lstchg > pwd->sp_inact)
@@ -270,7 +280,8 @@ pam_sm_acct_mgmt(pam_handle_t *pamh, int flags ,
return (PAM_ACCT_EXPIRED);
}
- pam_err = (PAM_SUCCESS);
+ puts("after 3");
+*/ pam_err = (PAM_SUCCESS);
#ifndef __linux__
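Review bot: The `*/` fused onto `*/ pam_err = (PAM_SUCCESS);` is what closes the block comment opened earlier in pam_sm_acct_mgmt, so this assignment is the first live statement after the shadow lookup and success is reported without any ageing check having run. Put the terminator on its own line — or, preferably, close a matching `#if 0` with `#endif` here — so the live statement is readable and the disabled region is obvious, and take the `puts("after 3")` out with the rest of the stdout debugging. The function continues outside the hunk.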
@@ -485,6 +496,56 @@ pam_sm_chauthtok(pam_handle_t *pamh, int flags,
}
+PAM_EXTERN int
+pam_sm_open_session( pam_handle_t * pamh, int flags,
+ int argc, const char * argv[])
+{
+
+ char *user, *service;
+ int pam_err;
+
+ pam_err = pam_get_item(pamh, PAM_USER, (void *) &user);
+ if ( pam_err != PAM_SUCCESS || user == NULL || *user == '\0') {
+ PAM_ERROR("Open session - Error recovering username");
+ return (PAM_SESSION_ERR);
+ }
+
+ pam_err = pam_get_item(pamh, PAM_SERVICE, (void *) &service);
+ if ( pam_err != PAM_SUCCESS || service == NULL || *service == '\0') {
+ PAM_ERROR("Open session - Error recovering service");
+ return (PAM_SESSION_ERR);
+ }
+
+ PAM_LOG("Opened session for user [%s] by %s(uid=%lu)", user, getlogin(),
+ (unsigned long) getuid());
+
+ return PAM_SUCCESS;
+
+}
+
+PAM_EXTERN int
+pam_sm_close_session( pam_handle_t * pamh, int flags,
+ int argc, const char * argv[])
+{
+ char *user, *service;
+ int pam_err;
+
+ pam_err = pam_get_item(pamh, PAM_USER, (void *) &user);
+ if ( pam_err != PAM_SUCCESS || user == NULL || *user == '\0') {
+ PAM_ERROR("Close session - Error recovering username");
+ return (PAM_SESSION_ERR);
+ }
+
+ pam_err = pam_get_item(pamh, PAM_SERVICE, (void *) &service);
+ if ( pam_err != PAM_SUCCESS || service == NULL || *service == '\0') {
+ PAM_ERROR("Close session - Error recovering service");
+ return (PAM_SESSION_ERR);
+ }
+
+ PAM_LOG("Closed session for user [%s]", user);
+
+ return PAM_SUCCESS;
+}
#ifdef __linux__
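Review bot: In the new pam_sm_open_session, `PAM_LOG("Opened session for user [%s] by %s(uid=%lu)", user, getlogin(), ...)` hands `getlogin()` straight to `%s`, but getlogin() returns NULL whenever no login name is set for the process (daemons such as sshd or cron, or a session without a controlling tty), and a NULL `%s` argument is undefined behaviour in the vsyslog underneath PAM_LOG; fetch it first with `const char *login = getlogin();` and log `login != NULL ? login : "(unknown)"` (the PAM_RUSER item may be the better source where the application sets it). Both session functions also declare `char *user, *service;` and pass `(void *) &user` to pam_get_item, whose OpenPAM prototype takes `const void **`; declaring `const char *user, *service;` and passing `(const void **)&user` keeps the types honest instead of casting the mismatch away. `service` is looked up and validated in both functions but never used — either add it to the log line or drop the lookup so a missing PAM_SERVICE cannot turn into a spurious PAM_SESSION_ERR. `flags`, `argc` and `argv` are unused, which is acceptable for a session stub but worth a `(void)` cast or a one-line comment.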
@@ -493,7 +554,8 @@ pam_sm_chauthtok(pam_handle_t *pamh, int flags,
* Update shadow with new user password
*/
-static int update_shadow( pam_handle_t * pamh , const char * user ,const char * newhashedpwd ) {
+static int update_shadow( pam_handle_t * pamh , const char * user,
+ const char * newhashedpwd ) {
FILE *oldshadow, *newshadow;
struct spwd *pwd,*cur_pwd;
struct stat filestat;
@@ -592,7 +654,8 @@ static int update_shadow( pam_handle_t * pamh , const char * user ,const char *
#define NEW_PASSWD "/etc/.passwd"
-static int update_passwd( pam_handle_t * pamh , const char * user ,const char * newhashedpwd ) {
+static int update_passwd( pam_handle_t * pamh, const char * user,
+ const char * newhashedpwd ) {
FILE *oldpasswd, *newpasswd;
struct passwd *pwd,*cur_pwd;
struct stat filestat;
diff --git a/modules/pam_unix/pam_unix.c~ b/modules/pam_unix/pam_unix.c~
index d1410c9..9a504d0 100644
--- a/modules/pam_unix/pam_unix.c~
+++ b/modules/pam_unix/pam_unix.c~
@@ -15,7 +15,8 @@
#define PAM_SM_AUTH
#define PAM_SM_ACCOUNT
-#define PAM_PASSWORD
+#define PAM_SM_PASSWORD
+#define PAM_SM_SESSION
#ifndef __linux__
#include <login_cap.h> /* for BSD login classes */
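Review bot: pam_unix.c~ is an editor backup of pam_unix.c and should not be in the tree at all; remove it with `git rm --cached modules/pam_unix/pam_unix.c~` and add `*~` to .gitignore so it is not re-added. Its hunks also do not match pam_unix.c's — the tmpflags → flags change in pam_sm_chauthtok that appears later in this file's diff has no counterpart in the real file's diff — which suggests the committed backup lags the source and would only mislead anyone reading the history. The remaining hunks of this file duplicate the pam_unix.c review and are not repeated here.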
@@ -56,7 +57,7 @@ void makesalt(char salt[SALTSIZE]);
PAM_EXTERN int
pam_sm_authenticate(pam_handle_t *pamh, int flags,
- int argc , const char **argv ) {
+ int argc , const char *argv[] ) {
#ifndef __linux__
login_cap_t *lc;
@@ -78,7 +79,8 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags,
pwd = getpwnam(user);
}
-
+ puts("authenticating as user:");
+ puts(user);
PAM_LOG("Authenticating user: [%s]", user);
/* get password */
@@ -227,17 +229,22 @@ pam_sm_acct_mgmt(pam_handle_t *pamh, int flags ,
}
#endif
/* Check if pw_lstchg or sp_expire is set */
-
+/*
if (pwd->sp_lstchg || pwd->sp_expire)
curtime = time(NULL) / (60 * 60 * 24);
+ puts("before all");
if (pwd->sp_expire) {
+ puts(ctime(&(pwd->sp_expire)));
+ puts(ctime(&curtime));
if ( (curtime > pwd->sp_expire ) && ( pwd->sp_expire != -1 ) ) {
#ifndef __linux__
login_close(lc);
-#endif
+#endif
+ puts("expire 1");
PAM_ERROR("Account has expired!");
return (PAM_ACCT_EXPIRED);
} else if ( ( pwd->sp_expire - curtime < DEFAULT_WARN) ) {
+ puts("expire 2");
PAM_ERROR("Warning: your account expires on %s",
ctime(&pwd->sp_expire));
}
@@ -246,8 +253,8 @@ pam_sm_acct_mgmt(pam_handle_t *pamh, int flags ,
if (pwd->sp_lstchg == 0 ) {
return (PAM_NEW_AUTHTOK_REQD);
}
-
- /* check all other possibilities (mostly stolen from pam_tcb) */
+ puts("before tcb OK!");
+ * check all other possibilities (mostly stolen from pam_tcb) *
if ((curtime > (pwd->sp_lstchg + pwd->sp_max + pwd->sp_inact)) &&
(pwd->sp_max != -1) && (pwd->sp_inact != -1) &&
@@ -255,12 +262,14 @@ pam_sm_acct_mgmt(pam_handle_t *pamh, int flags ,
PAM_ERROR("Account has expired!");
return (PAM_ACCT_EXPIRED);
}
+ puts("after 1");
if (((pwd->sp_lstchg + pwd->sp_max) < curtime) &&
(pwd->sp_max != -1)) {
PAM_ERROR("Account has expired!");
return (PAM_ACCT_EXPIRED);
}
+ puts("after 2");
if ((curtime - pwd->sp_lstchg > pwd->sp_max)
&& (curtime - pwd->sp_lstchg > pwd->sp_inact)
@@ -270,7 +279,8 @@ pam_sm_acct_mgmt(pam_handle_t *pamh, int flags ,
return (PAM_ACCT_EXPIRED);
}
- pam_err = (PAM_SUCCESS);
+ puts("after 3");
+*/ pam_err = (PAM_SUCCESS);
#ifndef __linux__
@@ -313,8 +323,6 @@ pam_sm_chauthtok(pam_handle_t *pamh, int flags,
#endif
int pam_err, retries;
- int tmpflags = flags | PAM_UPDATE_AUTHTOK;
-
/* identify user */
if (openpam_get_option(pamh, PAM_OPT_AUTH_AS_SELF)) {
@@ -355,7 +363,7 @@ pam_sm_chauthtok(pam_handle_t *pamh, int flags,
- if (tmpflags & PAM_PRELIM_CHECK) {
+ if (flags & PAM_PRELIM_CHECK) {
puts("DOING PRELIM");
PAM_LOG("Doing preliminary actions.");
@@ -390,7 +398,7 @@ pam_sm_chauthtok(pam_handle_t *pamh, int flags,
if (strcmp(hashedpwd, old_pwd->pw_passwd) != 0)
return (PAM_PERM_DENIED);
- } else if ( tmpflags & PAM_UPDATE_AUTHTOK ) {
+ } else if ( flags & PAM_UPDATE_AUTHTOK ) {
puts("DOING UPDATE");
PAM_LOG("Doing actual update.");
@@ -487,6 +495,56 @@ pam_sm_chauthtok(pam_handle_t *pamh, int flags,
}
+PAM_EXTERN int
+pam_sm_open_session( pam_handle_t * pamh, int flags,
+ int argc, const char * argv[])
+{
+
+ char *user, *service;
+ int pam_err;
+
+ pam_err = pam_get_item(pamh, PAM_USER, (void *) &user);
+ if ( pam_err != PAM_SUCCESS || user == NULL || *user == '\0') {
+ PAM_ERROR("Open session - Error recovering username");
+ return (PAM_SESSION_ERR);
+ }
+
+ pam_err = pam_get_item(pamh, PAM_SERVICE, (void *) &service);
+ if ( pam_err != PAM_SUCCESS || service == NULL || *service == '\0') {
+ PAM_ERROR("Open session - Error recovering service");
+ return (PAM_SESSION_ERR);
+ }
+
+ PAM_LOG("Opened session for user [%s] by %s(uid=%lu)", user, getlogin(),
+ (unsigned long) getuid());
+
+ return PAM_SUCCESS;
+
+}
+
+PAM_EXTERN int
+pam_sm_close_session( pam_handle_t * pamh, int flags,
+ int argc, const char * argv[])
+{
+ char *user, *service;
+ int pam_err;
+
+ pam_err = pam_get_item(pamh, PAM_USER, (void *) &user);
+ if ( pam_err != PAM_SUCCESS || user == NULL || *user == '\0') {
+ PAM_ERROR("Close session - Error recovering username");
+ return (PAM_SESSION_ERR);
+ }
+
+ pam_err = pam_get_item(pamh, PAM_SERVICE, (void *) &service);
+ if ( pam_err != PAM_SUCCESS || service == NULL || *service == '\0') {
+ PAM_ERROR("Close session - Error recovering service");
+ return (PAM_SESSION_ERR);
+ }
+
+ PAM_LOG("Closed session for user [%s]", user);
+
+ return PAM_SUCCESS;
+}
#ifdef __linux__
@@ -495,7 +553,8 @@ pam_sm_chauthtok(pam_handle_t *pamh, int flags,
* Update shadow with new user password
*/
-static int update_shadow( pam_handle_t * pamh , const char * user ,const char * newhashedpwd ) {
+static int update_shadow( pam_handle_t * pamh , const char * user,
+ const char * newhashedpwd ) {
FILE *oldshadow, *newshadow;
struct spwd *pwd,*cur_pwd;
struct stat filestat;
@@ -594,7 +653,8 @@ static int update_shadow( pam_handle_t * pamh , const char * user ,const char *
#define NEW_PASSWD "/etc/.passwd"
-static int update_passwd( pam_handle_t * pamh , const char * user ,const char * newhashedpwd ) {
+static int update_passwd( pam_handle_t * pamh, const char * user,
+ const char * newhashedpwd ) {
FILE *oldpasswd, *newpasswd;
struct passwd *pwd,*cur_pwd;
struct stat filestat;