From 61733cebeb3a752d5fae2b87b605ce82d15ba88f Mon Sep 17 00:00:00 2001 From: Mattias Andrée Date: Wed, 20 Nov 2013 21:02:25 +0100 Subject: some work on pam usage MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Mattias Andrée --- src/cerberus.c | 19 +++++++++++++------ src/pam.c | 49 ++++++++++++++++++++++++++++++++++++++++++++++++- src/pam.h | 15 +++++++++++++++ 3 files changed, 76 insertions(+), 7 deletions(-) diff --git a/src/cerberus.c b/src/cerberus.c index 90bab2f..06b83df 100644 --- a/src/cerberus.c +++ b/src/cerberus.c @@ -40,20 +40,22 @@ void do_login(int argc, char** argv); */ int main(int argc, char** argv) { - int _status; - do_login(argc, argv); /* Ignore signals */ signal(SIGQUIT, SIG_IGN); signal(SIGINT, SIG_IGN); - /* Wait for the login shell to exit */ - waitpid(child_pid, &_status, 0); + /* Wait for the login shell and all grandchildren to exit */ + while ((wait(NULL) == -1) && (errno == EINTR)) + ; /* Reset terminal ownership and mode */ chown_tty(0, tty_group, 0); + /* Close login session */ + close_session_pam(); + return 0; } @@ -213,7 +215,7 @@ void do_login(int argc, char** argv) /* TODO verify passphrase */ /* Wipe and free the passphrase from the memory */ - if (skip_auth == 0) + if ((skip_auth == 0) && passphrase) { long i; for (i = 0; *(passphrase + i); i++) @@ -226,12 +228,16 @@ void do_login(int argc, char** argv) reenable_echo(); + /* Verify account, such as that it is enabled */ + verify_account_pam(); + + /* Partial login */ - /* TODO verify that user is enabled */ chown_tty(entry->pw_uid, tty_group, 0); chdir_home(entry); ensure_shell(entry); set_environ(entry, preserve_env); + open_session_pam(); /* Stop signal handling */ @@ -247,6 +253,7 @@ void do_login(int argc, char** argv) if (child_pid == -1) { perror("fork"); + close_session_pam(); sleep(ERROR_SLEEP); _exit(1); } diff --git a/src/pam.c b/src/pam.c index dcf9598..5332d7f 100644 --- a/src/pam.c +++ b/src/pam.c 
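Review bot: The new wait loop in main() reaps only the first child that exits, not "all grandchildren" as the comment above it claims: wait(NULL) returns a pid on the first successful reap, so the `== -1 && errno == EINTR` test is only an interrupted-call retry, and children of the shell are reparented to init rather than to this process anyway. If the intent is to block until no children remain, loop until ECHILD: `while (wait(NULL) != -1 || errno == EINTR) ;  /* reap until ECHILD */`; otherwise reword the comment to say it waits for the login shell only. This also assumes `<errno.h>` is included in cerberus.c, which is not visible in this patch.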
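Review bot: The NULL guard is fine, but the loop it protects wipes the passphrase with ordinary byte stores to memory that is presumably freed right afterwards (the loop body and the free are outside this hunk), which a compiler may drop as dead stores; clear it with `explicit_bzero(passphrase, strlen(passphrase));` or through a `volatile char *`, keeping the guard. The `/* TODO verify passphrase */` context line above still stands, so the passphrase is being destroyed before anything in this patch has checked it. do_login's body continues outside the hunk.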
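Review bot: verify_account_pam() is called before any PAM authentication is visible: the hunk above still carries `/* TODO verify passphrase */` and this patch adds no pam_authenticate() call, so pam_acct_mgmt() runs on a handle whose user was never authenticated and the login continues to chown_tty() and open_session_pam() regardless of the passphrase. Unless pam_authenticate() lives in initialise_pam() (not shown here), the account check gives no security benefit on its own; call `do_pam(pam_authenticate(handle, 0));` before the passphrase is wiped and before verify_account_pam(). Separately, open_session_pam() runs after set_environ(), so variables exported by session modules (e.g. pam_env) via pam_getenvlist() would not reach the shell unless they are imported afterwards, which is worth checking. do_login's body continues outside the hunk.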
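Review bot: On the fork-failure path the tty has already been handed to the user by `chown_tty(entry->pw_uid, tty_group, 0)` earlier in do_login (visible in the previous hunk), and unlike main() this path never gives it back before `_exit(1)`, so a failed login leaves the terminal owned by that user. Add `chown_tty(0, tty_group, 0);` before the new close_session_pam() call, matching main()'s teardown order of resetting the tty and then closing the session. do_login's body continues outside the hunk.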
@@ -26,6 +26,9 @@ #include "pam.h" +#define __failed(RC) ((RC) != PAM_SUCCESS) + + /** * The PAM handle */ @@ -44,7 +47,7 @@ static struct pam_conv conv = { misc_conv, NULL }; */ static void do_pam(int rc) { - if (rc != PAM_SUCCESS) + if (__failed(rc)) { const char* msg = pam_strerror(handle, rc); if (msg) @@ -75,3 +78,47 @@ void initialise_pam(char* remote, char* username) do_pam(pam_set_item(handle, PAM_TTY, ttyname(STDIN_FILENO) ?: "(none)")); } + +/** + * Verify that the account may be used + */ +void verify_account_pam(void) +{ + int rc = pam_acct_mgmt(handle, 0); + if (rc == PAM_NEW_AUTHTOK_REQD) + rc = pam_chauthtok(handle, PAM_CHANGE_EXPIRED_AUTHTOK); + do_pam(rc); +} + + +/** + * Open PAM session + */ +void open_session_pam(void) +{ + int rc; + do_pam(pam_setcred(handle, PAM_ESTABLISH_CRED)); + + if (__failed(rc = pam_open_session(handle, 0))) + { + pam_setcred(handle, PAM_DELETE_CRED); + do_pam(rc); + } + + if (__failed(rc = pam_setcred(handle, PAM_REINITIALIZE_CRED))) + { + pam_close_session(handle, 0); + do_pam(rc); + } +} + + +/** + * Close PAM session + */ +void close_session_pam(void) +{ + pam_setcred(handle, PAM_DELETE_CRED); + pam_end(handle, pam_close_session(handle, 0)); +} + diff --git a/src/pam.h b/src/pam.h index 791aa07..4c793d3 100644 --- a/src/pam.h +++ b/src/pam.h @@ -28,6 +28,21 @@ */ void initialise_pam(char* remote, char* username); +/** + * Verify that the account may be used + */ +void verify_account_pam(void); + +/** + * Open PAM session + */ +void open_session_pam(void); + +/** + * Close PAM session + */ +void close_session_pam(void); + #endif -- cgit v1.2.3-70-g09d2
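Review bot: `__failed` is a reserved identifier: any name containing a double underscore belongs to the implementation (C11 7.1.3) and may collide with compiler or libc macros, so rename it, e.g. `#define pam_failed(RC) ((RC) != PAM_SUCCESS)`, and update the uses in do_pam() and open_session_pam(). Since the macro is file-private and takes a single int, a `static inline int pam_failed(int rc)` would do the same job with type checking.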
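Review bot: open_session_pam() falls through after a failed pam_open_session() or pam_setcred(PAM_REINITIALIZE_CRED) unless do_pam() terminates the process, and do_pam()'s body is cut off in the hunk above, so that cannot be confirmed from here. If do_pam() only reports the error, execution continues to pam_setcred(PAM_REINITIALIZE_CRED) on a handle with no open session, and do_login() then forks the shell on a session that was never established. Make the contract explicit: either declare do_pam() `_Noreturn` if it exits, or add `return;` after each `do_pam(rc);` in the two failure branches and have callers check a status. In close_session_pam(), `handle` is left dangling after pam_end(); setting `handle = NULL` there guards against a later use (main() and the fork-failure path in cerberus.c both call it, on disjoint paths).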
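Review bot: The new prototypes in pam.h document only what each function does, not how it fails or how the calls pair up, which a login program's caller needs to know. Extend the open_session_pam() comment to say it must be balanced by close_session_pam() on every exit path (cerberus.c does this in main() and on fork failure), and state for all three functions whether a PAM error returns to the caller or ends the process through do_pam(), which this patch does not make visible.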