aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
Diffstat (limited to '')
-rw-r--r--src/cerberus.c19
-rw-r--r--src/pam.c49
-rw-r--r--src/pam.h15
3 files changed, 76 insertions, 7 deletions
diff --git a/src/cerberus.c b/src/cerberus.c
index 90bab2f..06b83df 100644
--- a/src/cerberus.c
+++ b/src/cerberus.c
@@ -40,20 +40,22 @@ void do_login(int argc, char** argv);
*/
int main(int argc, char** argv)
{
- int _status;
-
do_login(argc, argv);
/* Ignore signals */
signal(SIGQUIT, SIG_IGN);
signal(SIGINT, SIG_IGN);
- /* Wait for the login shell to exit */
- waitpid(child_pid, &_status, 0);
+ /* Wait for the login shell and all grandchildren to exit */
+ while ((wait(NULL) == -1) && (errno == EINTR))
+ ;
/* Reset terminal ownership and mode */
chown_tty(0, tty_group, 0);
+ /* Close login session */
+ close_session_pam();
+
return 0;
}
@@ -213,7 +215,7 @@ void do_login(int argc, char** argv)
/* TODO verify passphrase */
/* Wipe and free the passphrase from the memory */
- if (skip_auth == 0)
+ if ((skip_auth == 0) && passphrase)
{
long i;
for (i = 0; *(passphrase + i); i++)
@@ -226,12 +228,16 @@ void do_login(int argc, char** argv)
reenable_echo();
+ /* Verify account, such as that it is enabled */
+ verify_account_pam();
+
+
/* Partial login */
- /* TODO verify that user is enabled */
chown_tty(entry->pw_uid, tty_group, 0);
chdir_home(entry);
ensure_shell(entry);
set_environ(entry, preserve_env);
+ open_session_pam();
/* Stop signal handling */
@@ -247,6 +253,7 @@ void do_login(int argc, char** argv)
if (child_pid == -1)
{
perror("fork");
+ close_session_pam();
sleep(ERROR_SLEEP);
_exit(1);
}
diff --git a/src/pam.c b/src/pam.c
index dcf9598..5332d7f 100644
--- a/src/pam.c
+++ b/src/pam.c
@@ -26,6 +26,9 @@
#include "pam.h"
+#define __failed(RC) ((RC) != PAM_SUCCESS)
+
+
/**
* The PAM handle
*/
@@ -44,7 +47,7 @@ static struct pam_conv conv = { misc_conv, NULL };
*/
static void do_pam(int rc)
{
- if (rc != PAM_SUCCESS)
+ if (__failed(rc))
{
const char* msg = pam_strerror(handle, rc);
if (msg)
@@ -75,3 +78,47 @@ void initialise_pam(char* remote, char* username)
do_pam(pam_set_item(handle, PAM_TTY, ttyname(STDIN_FILENO) ?: "(none)"));
}
+
+/**
+ * Verify that the account may be used
+ */
+void verify_account_pam(void)
+{
+ int rc = pam_acct_mgmt(handle, 0);
+ if (rc == PAM_NEW_AUTHTOK_REQD)
+ rc = pam_chauthtok(handle, PAM_CHANGE_EXPIRED_AUTHTOK);
+ do_pam(rc);
+}
+
+
+/**
+ * Open PAM session
+ */
+void open_session_pam(void)
+{
+ int rc;
+ do_pam(pam_setcred(handle, PAM_ESTABLISH_CRED));
+
+ if (__failed(rc = pam_open_session(handle, 0)))
+ {
+ pam_setcred(handle, PAM_DELETE_CRED);
+ do_pam(rc);
+ }
+
+ if (__failed(rc = pam_setcred(handle, PAM_REINITIALIZE_CRED)))
+ {
+ pam_close_session(handle, 0);
+ do_pam(rc);
+ }
+}
+
+
+/**
+ * Close PAM session
+ */
+void close_session_pam(void)
+{
+ pam_setcred(handle, PAM_DELETE_CRED);
+ pam_end(handle, pam_close_session(handle, 0));
+}
+
diff --git a/src/pam.h b/src/pam.h
index 791aa07..4c793d3 100644
--- a/src/pam.h
+++ b/src/pam.h
@@ -28,6 +28,21 @@
*/
void initialise_pam(char* remote, char* username);
+/**
+ * Verify that the account may be used
+ */
+void verify_account_pam(void);
+
+/**
+ * Open PAM session
+ */
+void open_session_pam(void);
+
+/**
+ * Close PAM session
+ */
+void close_session_pam(void);
+
#endif