diff options
Diffstat (limited to 'src/auth')
| -rw-r--r-- | src/auth/pam.c | 258 | ||||
| -rw-r--r-- | src/auth/pam.h | 56 |
2 files changed, 314 insertions, 0 deletions
diff --git a/src/auth/pam.c b/src/auth/pam.c new file mode 100644 index 0000000..e02aed1 --- /dev/null +++ b/src/auth/pam.c @@ -0,0 +1,258 @@ +/** + * cerberus – Minimal login program + * + * Copyright © 2013 Mattias Andrée (maandree@member.fsf.org) + * + * This program is free software: you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation, either version 3 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + */ +#include <stdio.h> +#include <unistd.h> +#include <signal.h> +#include <string.h> +#include <security/pam_appl.h> +#include <security/pam_misc.h> + +#include "../config.h" + +#include "pam.h" + + +#define __failed(RC) ((RC) != PAM_SUCCESS) + + +void quit_pam(int sig); + +int conv_pam(int num_msg, const struct pam_message** msg, struct pam_response** resp, void* appdata_ptr); + + +/** + * Old signal action for SIGHUP + */ +struct sigaction signal_action_hup; + +/** + * Old signal action for SIGTERM + */ +struct sigaction signal_action_term; + +/** + * The process ID of the child process, 0 if none + */ +extern pid_t child_pid; + +/** + * The PAM handle + */ +static pam_handle_t* handle = NULL; + +/** + * The PAM convention + */ +static struct pam_conv conv = { conv_pam, NULL }; + +/** + * Whether the user was auto-authenticated + */ +static char auto_authenticated = 1; + +/** + * Function that can be used to read a passphrase from the terminal + */ +static char* (*passphrase_reader)(void) = NULL; + + +/** + * Exit if a PAM instruction failed + * + * @param rc What the PAM instruction return + */ +static void do_pam(int rc) +{ + if (__failed(rc)) + { + const char* msg = pam_strerror(handle, rc); + if (msg) + fprintf(stderr, "%s\n", msg); + pam_end(handle, rc); + sleep(ERROR_SLEEP); + _exit(1); + } +} + + +/** + * Initialise PAM + * + * @param remote The remote computer, {@code NULL} for local login + * @param username The username of the user to log in to + * @param reader Function that can be used to read a passphrase from the terminal + */ +void initialise_pam(char* remote, char* username, char* (*reader)(void)) +{ + passphrase_reader = reader; + + if (pam_start(remote ? "remote" : "local", username, &conv, &handle) != PAM_SUCCESS) + { + fprintf(stderr, "Cannot initialise PAM\n"); + sleep(ERROR_SLEEP); + _exit(1); + } + + do_pam(pam_set_item(handle, PAM_RHOST, remote ?: "localhost")); + do_pam(pam_set_item(handle, PAM_TTY, ttyname(STDIN_FILENO) ?: "(none)")); +} + + +/** + * Verify that the account may be used + */ +void verify_account_pam(void) +{ + /* FIXME freezes */ + /* + int rc = pam_acct_mgmt(handle, 0); + if (rc == PAM_NEW_AUTHTOK_REQD) + rc = pam_chauthtok(handle, PAM_CHANGE_EXPIRED_AUTHTOK); + do_pam(rc); + */ +} + + +/** + * Open PAM session + */ +void open_session_pam(void) +{ + int rc; + char** env; + struct sigaction signal_action; + + do_pam(pam_setcred(handle, PAM_ESTABLISH_CRED)); + + if (__failed(rc = pam_open_session(handle, 0))) + { + pam_setcred(handle, PAM_DELETE_CRED); + do_pam(rc); + } + + if (__failed(rc = pam_setcred(handle, PAM_REINITIALIZE_CRED))) + { + pam_close_session(handle, 0); + do_pam(rc); + } + + memset(&signal_action, 0, sizeof(signal_action)); + signal_action.sa_handler = SIG_IGN; + sigaction(SIGINT, &signal_action, NULL); + sigaction(SIGHUP, &signal_action, &signal_action_hup); + signal_action.sa_handler = quit_pam; + sigaction(SIGHUP, &signal_action, NULL); + sigaction(SIGTERM, &signal_action, &signal_action_term); + + for (env = pam_getenvlist(handle); env && *env; env++) + if (putenv(*env)) + { + pam_setcred(handle, PAM_DELETE_CRED); + pam_end(handle, pam_close_session(handle, 0)); + sleep(ERROR_SLEEP); + _exit(1); + } +} + + +/** + * Close PAM session + */ +void close_session_pam(void) +{ + sigaction(SIGHUP, &signal_action_hup, NULL); + sigaction(SIGTERM, &signal_action_term, NULL); + + pam_setcred(handle, PAM_DELETE_CRED); + pam_end(handle, pam_close_session(handle, 0)); +} + + +/** + * Signal handler for cleanly exit PAM session + * + * @param sig The received signal + */ +void quit_pam(int sig) +{ + if (child_pid) + kill(-child_pid, sig); + if (sig == SIGTERM) + kill(-child_pid, SIGHUP); + + pam_setcred(handle, PAM_DELETE_CRED); + pam_end(handle, pam_close_session(handle, 0)); + + _exit(sig); +} + + +/** + * Perform token authentication + * + * @return Whether the user got automatically authenticated + */ +char authenticate_pam(void) +{ + int rc; + + if (__failed(rc = pam_authenticate(handle, 0))) + { + printf("Incorrect passphrase\n"); + pam_end(handle, rc); + sleep(FAILURE_SLEEP); + _exit(1); + } + + return auto_authenticated; +} + + +/** + * Callback function for converation between PAM this application + * + * @param num_msg Number of pointers in the array `msg` + * @param msg Message from PAM + * @param resp Pointer to responses to PAM for by index corresponding messages + * @param appdata_ptr (Not used) + * @return `PAM_SUCCESS`, `PAM_CONV_ERR` or `PAM_BUF_ERR` + */ +int conv_pam(int num_msg, const struct pam_message** msg, struct pam_response** resp, void* appdata_ptr) +{ + int i; + + (void) appdata_ptr; + + *resp = calloc(num_msg, sizeof(struct pam_response)); + + for (i = 0; i < num_msg; i++) + { + ((*resp) + i)->resp = NULL; + ((*resp) + i)->resp_retcode = 0; + + if ((**(msg + i)).msg_style == PAM_PROMPT_ECHO_OFF) + { + (*resp + i)->resp = passphrase_reader(); + auto_authenticated = 0; + } + } + + return PAM_SUCCESS; +} + diff --git a/src/auth/pam.h b/src/auth/pam.h new file mode 100644 index 0000000..ee766df --- /dev/null +++ b/src/auth/pam.h @@ -0,0 +1,56 @@ +/** + * cerberus – Minimal login program + * + * Copyright © 2013 Mattias Andrée (maandree@member.fsf.org) + * + * This program is free software: you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation, either version 3 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + */ +#ifndef __PAM_H__ +#define __PAM_H__ + + +/** + * Initialise PAM + * + * @param remote The remote computer, {@code NULL} for local login + * @param username The username of the user to log in to + * @param reader Function that can be used to read a passphrase from the terminal + */ +void initialise_pam(char* remote, char* username, char* (*reader)(void)); + +/** + * Verify that the account may be used + */ +void verify_account_pam(void); + +/** + * Open PAM session + */ +void open_session_pam(void); + +/** + * Close PAM session + */ +void close_session_pam(void); + +/** + * Perform token authentication + * + * @return Whether the user got automatically authenticated + */ +char authenticate_pam(void); + + +#endif + |