path: root/src/auth/pam.c

/**
 * cerberus – Minimal login program
 * 
 * Copyright © 2013  Mattias Andrée (maandree@member.fsf.org)
 * 
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
 * 
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 * 
 * You should have received a copy of the GNU General Public License
 * along with this program.  If not, see <http://www.gnu.org/licenses/>.
 */
#include <stdio.h>
#include <unistd.h>
#include <signal.h>
#include <string.h>
#include <security/pam_appl.h>
#include <security/pam_misc.h>

#include "../config.h"

#include "pam.h"


#define __failed(RC)  ((RC) != PAM_SUCCESS)


void quit_pam(int sig);

int conv_pam(int num_msg, const struct pam_message** msg, struct pam_response** resp, void* appdata_ptr);


/**
 * Old signal action for SIGHUP
 */
struct sigaction signal_action_hup;

/**
 * Old signal action for SIGTERM
 */
struct sigaction signal_action_term;

/**
 * The process ID of the child process, 0 if none
 */
extern pid_t child_pid;

/**
 * The PAM handle
 */
static pam_handle_t* handle = NULL;

/**
 * The PAM convention
 */
static struct pam_conv conv = { conv_pam, NULL };

/**
 * Whether the user was auto-authenticated
 */
static char auto_authenticated = 1;

/**
 * Function that can be used to read a passphrase from the terminal
 */
static char* (*passphrase_reader)(void) = NULL;


/**
 * Exit if a PAM instruction failed
 * 
 * @param  rc  What the PAM instruction return
 */
static void do_pam(int rc)
{
  if (__failed(rc))
    {
      const char* msg = pam_strerror(handle, rc);
      if (msg)
	fprintf(stderr, "%s\n", msg);
      pam_end(handle, rc);
      sleep(ERROR_SLEEP);
      _exit(1);
    }
}


/**
 * Initialise PAM
 * 
 * @param  remote    The remote computer, {@code NULL} for local login
 * @param  username  The username of the user to log in to
 * @param  reader    Function that can be used to read a passphrase from the terminal
 */
void initialise_pam(char* remote, char* username, char* (*reader)(void))
{
  passphrase_reader = reader;
  
  if (pam_start(remote ? "remote" : "local", username, &conv, &handle) != PAM_SUCCESS)
    {
      fprintf(stderr, "Cannot initialise PAM\n");
      sleep(ERROR_SLEEP);
      _exit(1);
    }
  
  do_pam(pam_set_item(handle, PAM_RHOST, remote ?: "localhost"));
  do_pam(pam_set_item(handle, PAM_TTY, ttyname(STDIN_FILENO) ?: "(none)"));
}


/**
 * Verify that the account may be used
 */
void verify_account_pam(void)
{
  /* FIXME freezes */
  /*
  int rc = pam_acct_mgmt(handle, 0);
  if (rc == PAM_NEW_AUTHTOK_REQD)
    rc = pam_chauthtok(handle, PAM_CHANGE_EXPIRED_AUTHTOK);
  do_pam(rc);
  */
}


/**
 * Open PAM session
 */
void open_session_pam(void)
{
  int rc;
  char** env;
  struct sigaction signal_action;
  
  do_pam(pam_setcred(handle, PAM_ESTABLISH_CRED));
  
  if (__failed(rc = pam_open_session(handle, 0)))
    {
      pam_setcred(handle, PAM_DELETE_CRED);
      do_pam(rc);
    }
  
  if (__failed(rc = pam_setcred(handle, PAM_REINITIALIZE_CRED)))
    {
      pam_close_session(handle, 0);
      do_pam(rc);
    }
  
  memset(&signal_action, 0, sizeof(signal_action));
  signal_action.sa_handler = SIG_IGN;
  sigaction(SIGINT, &signal_action, NULL);
  sigaction(SIGHUP, &signal_action, &signal_action_hup);
  signal_action.sa_handler = quit_pam;
  sigaction(SIGHUP, &signal_action, NULL);
  sigaction(SIGTERM, &signal_action, &signal_action_term);
  
  for (env = pam_getenvlist(handle); env && *env; env++)
    if (putenv(*env))
      {
	pam_setcred(handle, PAM_DELETE_CRED);
	pam_end(handle, pam_close_session(handle, 0));
	sleep(ERROR_SLEEP);
	_exit(1);
      }
}


/**
 * Close PAM session
 */
void close_session_pam(void)
{
  sigaction(SIGHUP, &signal_action_hup, NULL);
  sigaction(SIGTERM, &signal_action_term, NULL);
  
  pam_setcred(handle, PAM_DELETE_CRED);
  pam_end(handle, pam_close_session(handle, 0));
}


/**
 * Signal handler for cleanly exit PAM session
 * 
 * @param  sig  The received signal
 */
void quit_pam(int sig)
{
  if (child_pid)
    kill(-child_pid, sig);
  if (sig == SIGTERM)
    kill(-child_pid, SIGHUP);
  
  pam_setcred(handle, PAM_DELETE_CRED);
  pam_end(handle, pam_close_session(handle, 0));
  
  _exit(sig);
}


/**
 * Perform token authentication
 * 
 * @return  Whether the user got automatically authenticated
 */
char authenticate_pam(void)
{
  int rc;
  
  if (__failed(rc = pam_authenticate(handle, 0)))
    {
      printf("Incorrect passphrase\n");
      pam_end(handle, rc);
      sleep(FAILURE_SLEEP);
      _exit(1);
    }
  
  return auto_authenticated;
}


/**
 * Callback function for converation between PAM this application
 * 
 * @param   num_msg      Number of pointers in the array `msg`
 * @param   msg          Message from PAM
 * @param   resp         Pointer to responses to PAM for by index corresponding messages
 * @param   appdata_ptr  (Not used)
 * @return               `PAM_SUCCESS`, `PAM_CONV_ERR` or `PAM_BUF_ERR`
 */
int conv_pam(int num_msg, const struct pam_message** msg, struct pam_response** resp, void* appdata_ptr)
{
  int i;
  
  (void) appdata_ptr;
  
  *resp = calloc(num_msg, sizeof(struct pam_response));
  
  for (i = 0; i < num_msg; i++)
    {
      ((*resp) + i)->resp = NULL;
      ((*resp) + i)->resp_retcode = 0;
      
      if ((**(msg + i)).msg_style == PAM_PROMPT_ECHO_OFF)
	{
	  (*resp + i)->resp = passphrase_reader();
	  auto_authenticated = 0;
	}
    }
  
  return PAM_SUCCESS;
}