/** * cerberus – Minimal login program * * Copyright © 2013 Mattias Andrée (maandree@member.fsf.org) * * This program is free software: you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by * the Free Software Foundation, either version 3 of the License, or * (at your option) any later version. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License * along with this program. If not, see . */ #include #include #include #include #include #include #include "config.h" #include "pam.h" #define __failed(RC) ((RC) != PAM_SUCCESS) void quit_pam(int sig); int conv_pam(int num_msg, const struct pam_message** msg, struct pam_response** resp, void* appdata_ptr); /** * Old signal action for SIGHUP */ struct sigaction signal_action_hup; /** * Old signal action for SIGTERM */ struct sigaction signal_action_term; /** * The process ID of the child process, 0 if none */ extern pid_t child_pid; /** * The PAM handle */ static pam_handle_t* handle = NULL; /** * The PAM convention */ static struct pam_conv conv = { conv_pam, NULL }; /** * Whether the user was auto-authenticated */ static char auto_authenticated = 1; /** * Function that can be used to read a passphrase from the terminal */ static char* (*passphrase_reader)(void) = NULL; /** * Exit if a PAM instruction failed * * @param rc What the PAM instruction return */ static void do_pam(int rc) { if (__failed(rc)) { const char* msg = pam_strerror(handle, rc); if (msg) fprintf(stderr, "%s\n", msg); pam_end(handle, rc); sleep(ERROR_SLEEP); _exit(1); } } /** * Initialise PAM * * @param remote The remote computer, {@code NULL} for local login * @param username The username of the user to log in to * @param reader Function that can be used to read a passphrase from the terminal */ void initialise_pam(char* remote, char* username, char* (*reader)(void)) { passphrase_reader = reader; if (pam_start(remote ? "remote" : "local", username, &conv, &handle) != PAM_SUCCESS) { fprintf(stderr, "Cannot initialise PAM\n"); sleep(ERROR_SLEEP); _exit(1); } do_pam(pam_set_item(handle, PAM_RHOST, remote ?: "localhost")); do_pam(pam_set_item(handle, PAM_TTY, ttyname(STDIN_FILENO) ?: "(none)")); } /** * Verify that the account may be used */ void verify_account_pam(void) { int rc = pam_acct_mgmt(handle, 0); if (rc == PAM_NEW_AUTHTOK_REQD) rc = pam_chauthtok(handle, PAM_CHANGE_EXPIRED_AUTHTOK); do_pam(rc); } /** * Open PAM session */ void open_session_pam(void) { int rc; char** env; struct sigaction signal_action; do_pam(pam_setcred(handle, PAM_ESTABLISH_CRED)); if (__failed(rc = pam_open_session(handle, 0))) { pam_setcred(handle, PAM_DELETE_CRED); do_pam(rc); } if (__failed(rc = pam_setcred(handle, PAM_REINITIALIZE_CRED))) { pam_close_session(handle, 0); do_pam(rc); } memset(&signal_action, 0, sizeof(signal_action)); signal_action.sa_handler = SIG_IGN; sigaction(SIGINT, &signal_action, NULL); sigaction(SIGHUP, &signal_action, &signal_action_hup); signal_action.sa_handler = quit_pam; sigaction(SIGHUP, &signal_action, NULL); sigaction(SIGTERM, &signal_action, &signal_action_term); for (env = pam_getenvlist(handle); env && *env; env++) if (putenv(*env)) { pam_setcred(handle, PAM_DELETE_CRED); pam_end(handle, pam_close_session(handle, 0)); sleep(ERROR_SLEEP); _exit(1); } } /** * Close PAM session */ void close_session_pam(void) { sigaction(SIGHUP, &signal_action_hup, NULL); sigaction(SIGTERM, &signal_action_term, NULL); pam_setcred(handle, PAM_DELETE_CRED); pam_end(handle, pam_close_session(handle, 0)); } /** * Signal handler for cleanly exit PAM session * * @param sig The received signal */ void quit_pam(int sig) { if (child_pid) kill(-child_pid, sig); if (sig == SIGTERM) kill(-child_pid, SIGHUP); pam_setcred(handle, PAM_DELETE_CRED); pam_end(handle, pam_close_session(handle, 0)); _exit(sig); } /** * Perform token authentication * * @return Whether the user got automatically authenticated */ char authenticate_pam(void) { int rc; if (__failed(rc = pam_authenticate(handle, 0))) { printf("Incorrect passphrase\n"); pam_end(handle, rc); sleep(FAILURE_SLEEP); _exit(1); } return auto_authenticated; } /** * Callback function for converation between PAM this application * * @param num_msg Number of pointers in the array `msg` * @param msg Message from PAM * @param resp Pointer to responses to PAM for by index corresponding messages * @param appdata_ptr (Not used) * @return `PAM_SUCCESS`, `PAM_CONV_ERR` or `PAM_BUF_ERR` */ int conv_pam(int num_msg, const struct pam_message** msg, struct pam_response** resp, void* appdata_ptr) { int i; (void) appdata_ptr; *resp = calloc(num_msg, sizeof(struct pam_response)); for (i = 0; i < num_msg; i++) { ((*resp) + i)->resp = NULL; ((*resp) + i)->resp_retcode = 0; if ((**(msg + i)).msg_style == PAM_PROMPT_ECHO_OFF) { (*resp + i)->resp = passphrase_reader(); auto_authenticated = 0; } } return PAM_SUCCESS; }