#include <afsconfig.h>
#include <afs/param.h>
-RCSID("$Header$");
+RCSID
+ ("$Header$");
#include <syslog.h>
#include <stdlib.h>
#define RET(x) { retcode = (x); goto out; }
extern int
-pam_sm_authenticate(
- pam_handle_t *pamh,
- int flags,
- int argc,
- const char **argv)
+pam_sm_authenticate(pam_handle_t * pamh, int flags, int argc,
+ const char **argv)
{
int retcode = PAM_SUCCESS;
int errcode = PAM_SUCCESS;
int nowarn = 0;
int use_first_pass = 0;
int try_first_pass = 0;
- int ignore_uid = 0;
+ int ignore_uid = 0;
uid_t ignore_uid_id = 0;
char my_password_buf[256];
- char *cell_ptr=NULL;
+ char *cell_ptr = NULL;
/*
* these options are added to handle stupid apps, which won't call
* pam_set_cred()
/* satisfy kdm 2.x
*/
int use_klog = 0;
- int set_expires = 0; /* This option is only used in pam_set_cred() */
+ int set_expires = 0; /* This option is only used in pam_set_cred() */
int got_authtok = 0; /* got PAM_AUTHTOK upon entry */
char *user = NULL, *password = NULL;
long password_expires = -1;
int auth_ok;
struct passwd unix_pwd, *upwd = NULL;
char upwd_buf[2048]; /* size is a guess. */
- char* reason = NULL;
+ char *reason = NULL;
pid_t cpid, rcpid;
- int status;
+ int status;
struct sigaction newAction, origAction;
#ifndef AFS_SUN56_ENV
- openlog(pam_afs_ident, LOG_CONS|LOG_PID, LOG_AUTH);
+ openlog(pam_afs_ident, LOG_CONS | LOG_PID, LOG_AUTH);
#endif
origmask = setlogmask(logmask);
* Parse the user options. Log an error for any unknown options.
*/
for (i = 0; i < argc; i++) {
- if ( strcasecmp(argv[i], "debug" ) == 0) {
+ if (strcasecmp(argv[i], "debug") == 0) {
logmask |= LOG_MASK(LOG_DEBUG);
- (void) setlogmask(logmask);
- } else if (strcasecmp(argv[i], "nowarn" ) == 0) {
+ (void)setlogmask(logmask);
+ } else if (strcasecmp(argv[i], "nowarn") == 0) {
nowarn = 1;
} else if (strcasecmp(argv[i], "use_first_pass") == 0) {
use_first_pass = 1;
} else if (strcasecmp(argv[i], "try_first_pass") == 0) {
try_first_pass = 1;
- } else if (strcasecmp(argv[i], "ignore_root" ) == 0) {
+ } else if (strcasecmp(argv[i], "ignore_root") == 0) {
ignore_uid = 1;
ignore_uid_id = 0;
- } else if (strcasecmp(argv[i], "ignore_uid" ) == 0) {
+ } else if (strcasecmp(argv[i], "ignore_uid") == 0) {
i++;
if (i == argc) {
- pam_afs_syslog(LOG_ERR, PAMAFS_IGNOREUID, "ignore_uid missing argument");
+ pam_afs_syslog(LOG_ERR, PAMAFS_IGNOREUID,
+ "ignore_uid missing argument");
ignore_uid = 0;
} else {
- ignore_uid = 1;
- ignore_uid_id = (uid_t) strtol(argv[i], (char**)NULL, 10);
- if ( (ignore_uid_id < 0) || (ignore_uid_id > IGNORE_MAX)) {
- ignore_uid = 0;
- pam_afs_syslog(LOG_ERR, PAMAFS_IGNOREUID, argv[i]);
- }
+ ignore_uid = 1;
+ ignore_uid_id = (uid_t) strtol(argv[i], (char **)NULL, 10);
+ if ((ignore_uid_id < 0) || (ignore_uid_id > IGNORE_MAX)) {
+ ignore_uid = 0;
+ pam_afs_syslog(LOG_ERR, PAMAFS_IGNOREUID, argv[i]);
+ }
}
} else if (strcasecmp(argv[i], "cell") == 0) {
i++;
if (i == argc) {
- pam_afs_syslog(LOG_ERR, PAMAFS_OTHERCELL, "cell missing argument");
+ pam_afs_syslog(LOG_ERR, PAMAFS_OTHERCELL,
+ "cell missing argument");
} else {
- cell_ptr=argv[i];
- pam_afs_syslog(LOG_INFO, PAMAFS_OTHERCELL, cell_ptr);
- }
- } else if (strcasecmp(argv[i], "refresh_token" ) == 0) {
+ cell_ptr = argv[i];
+ pam_afs_syslog(LOG_INFO, PAMAFS_OTHERCELL, cell_ptr);
+ }
+ } else if (strcasecmp(argv[i], "refresh_token") == 0) {
refresh_token = 1;
- } else if (strcasecmp(argv[i], "set_token" ) == 0) {
+ } else if (strcasecmp(argv[i], "set_token") == 0) {
set_token = 1;
- } else if (strcasecmp(argv[i], "dont_fork" ) == 0) {
- if (!use_klog) dont_fork = 1;
- else pam_afs_syslog(LOG_ERR, PAMAFS_CONFLICTOPT, "dont_fork");
- } else if (strcasecmp(argv[i], "use_klog" ) == 0) {
- if (!dont_fork) use_klog = 1;
- else pam_afs_syslog(LOG_ERR, PAMAFS_CONFLICTOPT, "use_klog");
+ } else if (strcasecmp(argv[i], "dont_fork") == 0) {
+ if (!use_klog)
+ dont_fork = 1;
+ else
+ pam_afs_syslog(LOG_ERR, PAMAFS_CONFLICTOPT, "dont_fork");
+ } else if (strcasecmp(argv[i], "use_klog") == 0) {
+ if (!dont_fork)
+ use_klog = 1;
+ else
+ pam_afs_syslog(LOG_ERR, PAMAFS_CONFLICTOPT, "use_klog");
} else if (strcasecmp(argv[i], "setenv_password_expires") == 0) {
- set_expires = 1;
+ set_expires = 1;
} else {
pam_afs_syslog(LOG_ERR, PAMAFS_UNKNOWNOPT, argv[i]);
}
/* Later we use try_first_pass to see if we can try again. */
/* If use_first_pass is true we don't want to ever try again, */
- /* so turn that flag off right now. */
- if (use_first_pass) try_first_pass = 0;
+ /* so turn that flag off right now. */
+ if (use_first_pass)
+ try_first_pass = 0;
if (logmask && LOG_MASK(LOG_DEBUG))
- pam_afs_syslog(LOG_DEBUG, PAMAFS_OPTIONS, nowarn, use_first_pass, try_first_pass, ignore_uid, ignore_uid_id, refresh_token, set_token, dont_fork, use_klog);
+ pam_afs_syslog(LOG_DEBUG, PAMAFS_OPTIONS, nowarn, use_first_pass,
+ try_first_pass, ignore_uid, ignore_uid_id,
+ refresh_token, set_token, dont_fork, use_klog);
/* Try to get the user-interaction info, if available. */
- errcode = pam_get_item(pamh, PAM_CONV, (const void **) &pam_convp);
+ errcode = pam_get_item(pamh, PAM_CONV, (const void **)&pam_convp);
if (errcode != PAM_SUCCESS) {
pam_afs_syslog(LOG_WARNING, PAMAFS_NO_USER_INT);
pam_convp = NULL;
}
/* Who are we trying to authenticate here? */
- if ((errcode = pam_get_user(pamh, (const char **)&user, "login: ")) != PAM_SUCCESS) {
+ if ((errcode =
+ pam_get_user(pamh, (const char **)&user,
+ "login: ")) != PAM_SUCCESS) {
pam_afs_syslog(LOG_ERR, PAMAFS_NOUSER, errcode);
RET(PAM_USER_UNKNOWN);
}
if (logmask && LOG_MASK(LOG_DEBUG))
- pam_afs_syslog(LOG_DEBUG, PAMAFS_USERNAMEDEBUG, user);
+ pam_afs_syslog(LOG_DEBUG, PAMAFS_USERNAMEDEBUG, user);
/*
* If the user has a "local" (or via nss, possibly nss_dce) pwent,
#if defined(AFS_HPUX_ENV)
#if defined(AFS_HPUX110_ENV)
i = getpwnam_r(user, &unix_pwd, upwd_buf, sizeof(upwd_buf), &upwd);
-#else /* AFS_HPUX110_ENV */
+#else /* AFS_HPUX110_ENV */
i = getpwnam_r(user, &unix_pwd, upwd_buf, sizeof(upwd_buf));
- if ( i == 0 ) /* getpwnam_r success */
- upwd = &unix_pwd;
-#endif /* else AFS_HPUX110_ENV */
- if (ignore_uid && i == 0 && upwd->pw_uid <= ignore_uid_id) {
+ if (i == 0) /* getpwnam_r success */
+ upwd = &unix_pwd;
+#endif /* else AFS_HPUX110_ENV */
+ if (ignore_uid && i == 0 && upwd->pw_uid <= ignore_uid_id) {
pam_afs_syslog(LOG_INFO, PAMAFS_IGNORINGROOT, user);
RET(PAM_AUTH_ERR);
}
RET(PAM_AUTH_ERR);
}
#endif
- errcode = pam_get_item(pamh, PAM_AUTHTOK, (const void **) &password);
+ errcode = pam_get_item(pamh, PAM_AUTHTOK, (const void **)&password);
if (errcode != PAM_SUCCESS || password == NULL) {
if (use_first_pass) {
pam_afs_syslog(LOG_ERR, PAMAFS_PASSWD_REQ, user);
password = NULL;
}
-try_auth:
+ try_auth:
if (password == NULL) {
torch_password = 1;
}
/*
- * We aren't going to free the password later (we will wipe it,
- * though), because the storage for it if we get it from other
- * paths may belong to someone else. Since we do need to free
- * this storage, copy it to a buffer that won't need to be freed
- * later, and free this storage now.
- */
-
- strncpy(my_password_buf, password, sizeof(my_password_buf));
- my_password_buf[sizeof(my_password_buf)-1] = '\0';
- memset(password, 0, strlen(password));
- free(password);
- password = my_password_buf;
+ * We aren't going to free the password later (we will wipe it,
+ * though), because the storage for it if we get it from other
+ * paths may belong to someone else. Since we do need to free
+ * this storage, copy it to a buffer that won't need to be freed
+ * later, and free this storage now.
+ */
+
+ strncpy(my_password_buf, password, sizeof(my_password_buf));
+ my_password_buf[sizeof(my_password_buf) - 1] = '\0';
+ memset(password, 0, strlen(password));
+ free(password);
+ password = my_password_buf;
}
* apps (such as screensavers) wont call setcred but authenticate :-(
*/
if (!refresh_token) {
- setpag();
+ setpag();
#ifdef AFS_KERBEROS_ENV
- ktc_newpag();
+ ktc_newpag();
#endif
- if (logmask && LOG_MASK(LOG_DEBUG))
- syslog(LOG_DEBUG, "New PAG created in pam_authenticate()");
+ if (logmask && LOG_MASK(LOG_DEBUG))
+ syslog(LOG_DEBUG, "New PAG created in pam_authenticate()");
}
if (!dont_fork) {
- /* Prepare for fork(): set SIGCHLD signal handler to default */
- sigemptyset(&newAction.sa_mask);
- newAction.sa_handler = SIG_DFL;
- newAction.sa_flags = 0;
- code = sigaction(SIGCHLD, &newAction, &origAction);
- if (code) {
- pam_afs_syslog(LOG_ERR, PAMAFS_PAMERROR, errno);
- RET(PAM_AUTH_ERR);
- }
+ /* Prepare for fork(): set SIGCHLD signal handler to default */
+ sigemptyset(&newAction.sa_mask);
+ newAction.sa_handler = SIG_DFL;
+ newAction.sa_flags = 0;
+ code = sigaction(SIGCHLD, &newAction, &origAction);
+ if (code) {
+ pam_afs_syslog(LOG_ERR, PAMAFS_PAMERROR, errno);
+ RET(PAM_AUTH_ERR);
+ }
- /* Fork a process and let it verify authentication. So that any
- * memory/sockets allocated will get cleaned up when the child
- * exits: defect 11686.
- */
- if (use_klog) { /* used by kdm 2.x */
- if (refresh_token || set_token) {
- i = do_klog(user, password, NULL, cell_ptr);
- } else {
- i = do_klog(user, password, "00:00:01", cell_ptr);
- ktc_ForgetAllTokens();
- }
- if (logmask && LOG_MASK(LOG_DEBUG))
- syslog(LOG_DEBUG, "do_klog returned %d", i);
- auth_ok = i ? 0 : 1;
+ /* Fork a process and let it verify authentication. So that any
+ * memory/sockets allocated will get cleaned up when the child
+ * exits: defect 11686.
+ */
+ if (use_klog) { /* used by kdm 2.x */
+ if (refresh_token || set_token) {
+ i = do_klog(user, password, NULL, cell_ptr);
+ } else {
+ i = do_klog(user, password, "00:00:01", cell_ptr);
+ ktc_ForgetAllTokens();
+ }
+ if (logmask && LOG_MASK(LOG_DEBUG))
+ syslog(LOG_DEBUG, "do_klog returned %d", i);
+ auth_ok = i ? 0 : 1;
} else {
- if (logmask && LOG_MASK(LOG_DEBUG))
- syslog(LOG_DEBUG, "forking ...");
- cpid = fork();
- if (cpid <= 0) { /* The child process */
- if (logmask && LOG_MASK(LOG_DEBUG))
- syslog(LOG_DEBUG, "in child");
- if (refresh_token || set_token)
- code = ka_UserAuthenticateGeneral(KA_USERAUTH_VERSION,
- user, /* kerberos name */
- NULL, /* instance */
- cell_ptr, /* realm */
- password, /* password */
- 0, /* default lifetime */
- &password_expires,
- 0, /* spare 2 */
- &reason /* error string */ );
- else
- code = ka_VerifyUserPassword(KA_USERAUTH_VERSION,
- user, /* kerberos name */
- NULL, /* instance */
- cell_ptr, /* realm */
- password, /* password */
- 0, /* spare 2 */
- &reason /* error string */ );
- if (code) {
- pam_afs_syslog(LOG_ERR, PAMAFS_LOGIN_FAILED, user, reason);
- auth_ok = 0;
- } else {
- auth_ok = 1;
- }
- if (logmask && LOG_MASK(LOG_DEBUG))
- syslog(LOG_DEBUG, "child: auth_ok=%d", auth_ok);
- if (cpid == 0) exit(auth_ok);
- } else {
- do {
- if (logmask && LOG_MASK(LOG_DEBUG))
- syslog(LOG_DEBUG, "in parent, waiting ...");
- rcpid = waitpid(cpid, &status, 0);
- } while ((rcpid == -1) && (errno == EINTR));
-
- if ((rcpid == cpid) && WIFEXITED(status)) {
- auth_ok = WEXITSTATUS(status);
- } else {
- auth_ok = 0;
- }
- if (logmask && LOG_MASK(LOG_DEBUG))
- syslog(LOG_DEBUG, "parent: auth_ok=%d", auth_ok);
- }
- }
- /* Restore old signal handler */
- code = sigaction(SIGCHLD, &origAction, NULL);
- if (code) {
- pam_afs_syslog(LOG_ERR, PAMAFS_PAMERROR, errno);
- }
- } else { /* dont_fork, used by httpd */
- if (logmask && LOG_MASK(LOG_DEBUG))
- syslog(LOG_DEBUG, "dont_fork");
- if (refresh_token || set_token)
- code = ka_UserAuthenticateGeneral(KA_USERAUTH_VERSION,
- user, /* kerberos name */
- NULL, /* instance */
- cell_ptr, /* realm */
- password, /* password */
- 0, /* default lifetime */
- &password_expires,
- 0, /* spare 2 */
- &reason /* error string */ );
- else
- code = ka_VerifyUserPassword(KA_USERAUTH_VERSION,
- user, /* kerberos name */
- NULL, /* instance */
- cell_ptr, /* realm */
- password, /* password */
- 0, /* spare 2 */
- &reason /* error string */ );
+ if (logmask && LOG_MASK(LOG_DEBUG))
+ syslog(LOG_DEBUG, "forking ...");
+ cpid = fork();
+ if (cpid <= 0) { /* The child process */
+ if (logmask && LOG_MASK(LOG_DEBUG))
+ syslog(LOG_DEBUG, "in child");
+ if (refresh_token || set_token)
+ code = ka_UserAuthenticateGeneral(KA_USERAUTH_VERSION, user, /* kerberos name */
+ NULL, /* instance */
+ cell_ptr, /* realm */
+ password, /* password */
+ 0, /* default lifetime */
+ &password_expires, 0, /* spare 2 */
+ &reason
+ /* error string */ );
+ else
+ code = ka_VerifyUserPassword(KA_USERAUTH_VERSION, user, /* kerberos name */
+ NULL, /* instance */
+ cell_ptr, /* realm */
+ password, /* password */
+ 0, /* spare 2 */
+ &reason /* error string */ );
+ if (code) {
+ pam_afs_syslog(LOG_ERR, PAMAFS_LOGIN_FAILED, user,
+ reason);
+ auth_ok = 0;
+ } else {
+ auth_ok = 1;
+ }
+ if (logmask && LOG_MASK(LOG_DEBUG))
+ syslog(LOG_DEBUG, "child: auth_ok=%d", auth_ok);
+ if (cpid == 0)
+ exit(auth_ok);
+ } else {
+ do {
+ if (logmask && LOG_MASK(LOG_DEBUG))
+ syslog(LOG_DEBUG, "in parent, waiting ...");
+ rcpid = waitpid(cpid, &status, 0);
+ } while ((rcpid == -1) && (errno == EINTR));
+
+ if ((rcpid == cpid) && WIFEXITED(status)) {
+ auth_ok = WEXITSTATUS(status);
+ } else {
+ auth_ok = 0;
+ }
+ if (logmask && LOG_MASK(LOG_DEBUG))
+ syslog(LOG_DEBUG, "parent: auth_ok=%d", auth_ok);
+ }
+ }
+ /* Restore old signal handler */
+ code = sigaction(SIGCHLD, &origAction, NULL);
+ if (code) {
+ pam_afs_syslog(LOG_ERR, PAMAFS_PAMERROR, errno);
+ }
+ } else { /* dont_fork, used by httpd */
if (logmask && LOG_MASK(LOG_DEBUG))
- syslog(LOG_DEBUG, "dont_fork, code = %d",code);
- if (code) {
+ syslog(LOG_DEBUG, "dont_fork");
+ if (refresh_token || set_token)
+ code = ka_UserAuthenticateGeneral(KA_USERAUTH_VERSION, user, /* kerberos name */
+ NULL, /* instance */
+ cell_ptr, /* realm */
+ password, /* password */
+ 0, /* default lifetime */
+ &password_expires, 0, /* spare 2 */
+ &reason /* error string */ );
+ else
+ code = ka_VerifyUserPassword(KA_USERAUTH_VERSION, user, /* kerberos name */
+ NULL, /* instance */
+ cell_ptr, /* realm */
+ password, /* password */
+ 0, /* spare 2 */
+ &reason /* error string */ );
+ if (logmask && LOG_MASK(LOG_DEBUG))
+ syslog(LOG_DEBUG, "dont_fork, code = %d", code);
+ if (code) {
pam_afs_syslog(LOG_ERR, PAMAFS_LOGIN_FAILED, user, reason);
auth_ok = 0;
- } else {
+ } else {
auth_ok = 1;
- }
+ }
if (logmask && LOG_MASK(LOG_DEBUG))
- syslog(LOG_DEBUG, "dont_fork: auth_ok=%d", auth_ok);
+ syslog(LOG_DEBUG, "dont_fork: auth_ok=%d", auth_ok);
}
if (!auth_ok && try_first_pass) {
*/
if (!got_authtok) {
torch_password = 0;
- (void) pam_set_item(pamh, PAM_AUTHTOK, password);
+ (void)pam_set_item(pamh, PAM_AUTHTOK, password);
}
if (logmask && LOG_MASK(LOG_DEBUG))
- syslog(LOG_DEBUG, "leaving auth: auth_ok=%d", auth_ok);
- if (code == KANOENT) RET(PAM_USER_UNKNOWN);
+ syslog(LOG_DEBUG, "leaving auth: auth_ok=%d", auth_ok);
+ if (code == KANOENT)
+ RET(PAM_USER_UNKNOWN);
RET(auth_ok ? PAM_SUCCESS : PAM_AUTH_ERR);
-
- out:
- if ( password )
- {
+
+ out:
+ if (password) {
/* we store the password in the data portion */
- char* tmp = strdup(password);
- (void) pam_set_data(pamh, pam_afs_lh, tmp, lc_cleanup);
- if ( torch_password) memset(password, 0, strlen(password));
+ char *tmp = strdup(password);
+ (void)pam_set_data(pamh, pam_afs_lh, tmp, lc_cleanup);
+ if (torch_password)
+ memset(password, 0, strlen(password));
}
- (void) setlogmask(origmask);
+ (void)setlogmask(origmask);
#ifndef AFS_SUN56_ENV
closelog();
#endif