pam_sss.c revision 683e1f67d08be7165ea456d4594c4c8a4eddc9b3
/*
Authors:
Sumit Bose <sbose@redhat.com>
Copyright (C) 2009 Red Hat
Copyright (C) 2010, rhafer@suse.de, Novell Inc.
it under the terms of the GNU Lesser General Public License as published by
the Free Software Foundation; either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU Lesser General Public License for more details.
You should have received a copy of the GNU Lesser General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
#include "config.h"
#include <unistd.h>
#include <stdlib.h>
#include <stdint.h>
#include <stdio.h>
#include <syslog.h>
#include <time.h>
#include <fcntl.h>
#include <errno.h>
#include <locale.h>
#include <stdbool.h>
#include <security/pam_modules.h>
#include <security/pam_appl.h>
#include "sss_pam_compat.h"
#include "sss_pam_macros.h"
#include "sss_cli.h"
#include "util/atomic_io.h"
#include <libintl.h>
#define FLAGS_USE_FIRST_PASS (1 << 0)
#define PWEXP_FLAG "pam_sss:password_expired_flag"
#define FD_DESTRUCTOR "pam_sss:fd_destructor"
#define PW_RESET_MSG_MAX_SIZE 4096
#define OPT_RETRY_KEY "retry="
struct pam_items {
const char* pam_service;
const char* pam_user;
const char* pam_tty;
const char* pam_ruser;
const char* pam_rhost;
char* pam_authtok;
char* pam_newauthtok;
const char* pamstack_authtok;
const char* pamstack_oldauthtok;
int pam_authtok_type;
int pam_newauthtok_type;
const char *login_name;
char *domain_name;
};
#define DEBUG_MGS_LEN 1024
#ifdef DEBUG
char debug_msg[DEBUG_MGS_LEN];
int ret;
if (ret >= DEBUG_MGS_LEN) {
D(("the following message is truncated: %s", debug_msg));
} else if (ret < 0) {
D(("vsnprintf failed to format debug message!"));
} else {
D((debug_msg));
}
#endif
}
{
}
{
#ifdef PAM_DATA_REPLACE
if (err & PAM_DATA_REPLACE) {
/* Nothing to do */
return;
}
#endif /* PAM_DATA_REPLACE */
D(("Closing the fd"));
}
enum sss_authtok_type authtok_type,
uint32_t c;
c = type;
c = authtok_type;
return rp;
}
uint32_t c;
c = type;
c = sizeof(uint32_t);
c = val;
return rp;
}
uint32_t c;
c = type;
c = size;
return rp;
}
{
}
}
}
int len;
sizeof(uint32_t);
D(("malloc failed."));
return PAM_BUF_ERR;
}
rp = 0;
D(("error during packet creation."));
return PAM_BUF_ERR;
}
return 0;
}
}
enum {
SSS_PAM_CONV_DONE = 0,
};
const char *msg,
const char *reenter_msg,
char **_answer)
{
int ret;
int state = SSS_PAM_CONV_STD;
struct pam_message *pam_msg;
if ((msg_style == PAM_PROMPT_ECHO_OFF ||
msg_style == PAM_PROMPT_ECHO_ON) &&
msg);
}
do {
D(("Malloc failed."));
goto failed;
}
if (state == SSS_PAM_CONV_REENTER) {
} else {
}
conv->appdata_ptr);
if (ret != PAM_SUCCESS) {
goto failed;
}
if (msg_style == PAM_PROMPT_ECHO_OFF ||
msg_style == PAM_PROMPT_ECHO_ON) {
D(("response expected, but resp==NULL"));
goto failed;
}
if (state == SSS_PAM_CONV_REENTER) {
_pam_overwrite((void *) answer);
}
_("Passwords do not match"),
if (ret != PAM_SUCCESS) {
D(("do_pam_conversation failed."));
goto failed;
}
ret = PAM_CRED_ERR;
goto failed;
}
} else {
D(("Empty password"));
} else {
D(("strndup failed"));
ret = PAM_BUF_ERR;
goto failed;
}
}
}
}
} else {
}
} while (state != SSS_PAM_CONV_DONE);
return PAM_SUCCESS;
return ret;
}
const char *domain_name,
const char *suffix)
{
int ret;
int fd = -1;
D(("Suffix [%s] or domain name [%s] contain illegal character.", suffix,
domain_name));
return EINVAL;
}
D(("malloc failed."));
goto done;
}
suffix);
D(("snprintf failed."));
goto done;
}
if (fd == -1) {
goto done;
}
if (ret == -1) {
goto done;
}
"Password reset message file is not a regular file.");
goto done;
}
"file [%s] must be owned by root with permissions 0644.",
filename);
goto done;
}
goto done;
}
D(("malloc failed."));
goto done;
}
errno = 0;
if (ret == -1) {
goto done;
}
fd = -1;
if (ret == -1) {
}
D(("read fewer bytes [%d] than expected [%d].", total_len,
goto done;
}
if (ret != PAM_SUCCESS) {
D(("do_pam_conversation failed."));
}
done:
if (fd != -1) {
}
return ret;
}
{
int ret;
char *locale;
const char *domain_name;
D(("Domain name is unknown."));
return EINVAL;
}
ret = -1;
}
if (ret != 0) {
}
if (ret != 0) {
_("Password reset by root is not supported."),
if (ret != PAM_SUCCESS) {
D(("do_pam_conversation failed."));
}
}
return ret;
}
{
int ret;
char expire_str[128];
char user_msg[256];
expire_str[0] = '\0';
D(("User info response data has the wrong size"));
return PAM_BUF_ERR;
}
if (expire_date > 0) {
if (ret == 0) {
D(("strftime failed."));
expire_str[0] = '\0';
}
} else {
D(("localtime_r failed"));
}
}
_("Authenticated with cached credentials"),
D(("snprintf failed."));
return PAM_SYSTEM_ERR;
}
if (ret != PAM_SUCCESS) {
D(("do_pam_conversation failed."));
return PAM_SYSTEM_ERR;
}
return PAM_SUCCESS;
}
{
int ret;
char user_msg[256];
D(("User info response data has the wrong size"));
return PAM_BUF_ERR;
}
_("Your password has expired. "
"You have %1$d grace login(s) remaining."),
grace);
D(("snprintf failed."));
return PAM_SYSTEM_ERR;
}
if (ret != PAM_SUCCESS) {
D(("do_pam_conversation failed."));
return PAM_SYSTEM_ERR;
}
return PAM_SUCCESS;
}
#define MINSEC 60
{
int ret;
char user_msg[256];
const char* unit="second(s)";
D(("User info response data has the wrong size"));
return PAM_BUF_ERR;
}
unit = "day(s)";
unit = "hour(s)";
unit = "minute(s)";
}
D(("snprintf failed."));
return PAM_SYSTEM_ERR;
}
if (ret != PAM_SUCCESS) {
D(("do_pam_conversation failed."));
return PAM_SYSTEM_ERR;
}
return PAM_SUCCESS;
}
{
int ret;
char delay_str[128];
char user_msg[256];
delay_str[0] = '\0';
D(("User info response data has the wrong size"));
return PAM_BUF_ERR;
}
if (delayed_until <= 0) {
D(("User info response data has an invalid value"));
return PAM_BUF_ERR;
}
if (ret == 0) {
D(("strftime failed."));
delay_str[0] = '\0';
}
} else {
D(("localtime_r failed"));
}
_("Authentication is denied until: "),
D(("snprintf failed."));
return PAM_SYSTEM_ERR;
}
if (ret != PAM_SUCCESS) {
D(("do_pam_conversation failed."));
return PAM_SYSTEM_ERR;
}
return PAM_SUCCESS;
}
{
int ret;
_("System is offline, password change not possible"),
if (ret != PAM_SUCCESS) {
D(("do_pam_conversation failed."));
return PAM_SYSTEM_ERR;
}
return PAM_SUCCESS;
}
{
int ret;
_("After changing the OTP password, you need to "
"log out and back in order to acquire a ticket"),
if (ret != PAM_SUCCESS) {
D(("do_pam_conversation failed."));
return PAM_SYSTEM_ERR;
}
return PAM_SUCCESS;
}
{
int ret;
char *user_msg;
D(("User info response data is too short"));
return PAM_BUF_ERR;
}
D(("User info response data has the wrong size"));
return PAM_BUF_ERR;
}
if (msg_len > 0) {
}
if (!user_msg) {
D(("Out of memory."));
return PAM_SYSTEM_ERR;
}
_("Password change failed. "),
D(("snprintf failed."));
return PAM_SYSTEM_ERR;
}
if (ret != PAM_SUCCESS) {
D(("do_pam_conversation failed."));
return PAM_SYSTEM_ERR;
}
return PAM_SUCCESS;
}
{
int ret;
D(("User info response data is too short"));
return PAM_BUF_ERR;
}
switch(type) {
break;
break;
break;
break;
break;
break;
break;
default:
D(("Unknown user info type [%d]", type));
}
return ret;
}
{
int ret;
size_t p=0;
char *env_item;
int32_t c;
D(("response buffer is too small"));
return PAM_BUF_ERR;
}
p += sizeof(int32_t);
p += sizeof(int32_t);
while(c>0) {
D(("response buffer is too small"));
return PAM_BUF_ERR;
}
p += sizeof(int32_t);
p += sizeof(int32_t);
D(("response buffer is too small"));
return PAM_BUF_ERR;
}
switch(type) {
case SSS_PAM_SYSTEM_INFO:
D(("system info does not end with \\0."));
break;
}
break;
case SSS_PAM_DOMAIN_NAME:
D(("domain name does not end with \\0."));
break;
}
D(("domain name: [%s]", &buf[p]));
D(("strdup failed"));
}
break;
case SSS_ENV_ITEM:
case SSS_PAM_ENV_ITEM:
case SSS_ALL_ENV_ITEM:
D(("env item does not end with \\0."));
break;
}
D(("env item: [%s]", &buf[p]));
if (ret != PAM_SUCCESS) {
D(("pam_putenv failed."));
break;
}
}
D(("strdup failed"));
break;
}
if (ret == -1) {
D(("putenv failed."));
break;
}
}
break;
case SSS_PAM_USER_INFO:
if (ret != PAM_SUCCESS) {
D(("eval_user_info_response failed"));
}
break;
case SSS_PAM_TEXT_MSG:
D(("system info does not end with \\0."));
break;
}
if (ret != PAM_SUCCESS) {
D(("do_pam_conversation failed."));
}
break;
default:
D(("Unknown response type [%d]", type));
}
p += len;
--c;
}
return PAM_SUCCESS;
}
{
int ret;
pi->pam_authtok_size = 0;
pi->pam_newauthtok_size = 0;
D(("No user found, aborting."));
return PAM_BAD_ITEM;
}
D(("pam_sss will not handle root."));
return PAM_USER_UNKNOWN;
}
(const void **) &(pi->pamstack_authtok));
(const void **) &(pi->pamstack_oldauthtok));
return PAM_SUCCESS;
}
{
D(("Pamstack_Authtok: %s",
D(("Pamstack_Oldauthtok: %s",
}
{
int ret;
int sret;
int errnop;
struct sss_cli_req_data rd;
int pam_status = PAM_SYSTEM_ERR;
if (ret != 0) {
D(("pack_message failed."));
goto done;
}
errnop = 0;
if (sret != PAM_SUCCESS) {
D(("pam_set_data failed, client might leaks fds"));
}
if (ret != PAM_SUCCESS) {
if (errnop != 0) {
}
goto done;
}
/* FIXME: add an end signature */
D(("response not in expected format."));
goto done;
}
if (ret != PAM_SUCCESS) {
D(("eval_response failed."));
pam_status = ret;
goto done;
}
switch (task) {
case SSS_PAM_AUTHENTICATE:
"authentication %s; logname=%s uid=%lu euid=%d tty=%s "
"ruser=%s rhost=%s user=%s",
if (pam_status != PAM_SUCCESS) {
/* don't log if quiet_mode is on and pam_status is
* User not known to the underlying authentication module
*/
}
}
break;
case SSS_PAM_CHAUTHTOK_PRELIM:
if (pam_status != PAM_SUCCESS) {
/* don't log if quiet_mode is on and pam_status is
* User not known to the underlying authentication module
*/
"Authentication failed for user %s: %d (%s)",
}
}
break;
case SSS_PAM_CHAUTHTOK:
if (pam_status != PAM_SUCCESS) {
"Password change failed for user %s: %d (%s)",
}
break;
case SSS_PAM_ACCT_MGMT:
if (pam_status != PAM_SUCCESS) {
/* don't log if quiet_mode is on and pam_status is
* User not known to the underlying authentication module
*/
"Access denied for user %s: %d (%s)",
}
}
break;
case SSS_PAM_OPEN_SESSION:
case SSS_PAM_SETCRED:
case SSS_PAM_CLOSE_SESSION:
break;
default:
D(("Illegal task [%d]", task));
return PAM_SYSTEM_ERR;
}
done:
}
return pam_status;
}
const char *prompt)
{
int ret;
if (ret != PAM_SUCCESS) {
D(("do_pam_conversation failed."));
return ret;
}
pi->pam_authtok_size=0;
} else {
_pam_overwrite((void *)answer);
return PAM_BUF_ERR;
}
}
return PAM_SUCCESS;
}
{
int ret;
_("New Password: "),
_("Reenter new Password: "),
&answer);
if (ret != PAM_SUCCESS) {
D(("do_pam_conversation failed."));
return ret;
}
} else {
_pam_overwrite((void *)answer);
return PAM_BUF_ERR;
}
}
return PAM_SUCCESS;
}
{
char *ep;
*quiet_mode = false;
*flags |= FLAGS_FORWARD_PASS;
*flags |= FLAGS_USE_AUTHTOK;
*retries = 0;
} else {
errno = 0;
if (errno != 0) {
*retries = 0;
}
if (*ep != '\0') {
"extra characters.");
*retries = 0;
}
if (*retries < 0) {
"be negative.");
*retries = 0;
}
}
*quiet_mode = true;
} else {
}
}
return;
}
{
int ret;
if (flags & FLAGS_USE_FIRST_PASS) {
D(("option use_first_pass set, but no password found"));
return PAM_BUF_ERR;
}
} else {
if (ret != PAM_SUCCESS) {
D(("failed to get password from user"));
return ret;
}
if (flags & FLAGS_FORWARD_PASS) {
if (ret != PAM_SUCCESS) {
D(("Failed to set PAM_AUTHTOK [%s], "
"authtok may not be available for other modules",
}
}
}
return PAM_SUCCESS;
}
int pam_flags)
{
int ret;
/* we query for the old password during PAM_PRELIM_CHECK to make
* pam_sss work e.g. with pam_cracklib */
if (pam_flags & PAM_PRELIM_CHECK) {
if (ret != PAM_SUCCESS) {
D(("failed to get password from user"));
return ret;
}
if (ret != PAM_SUCCESS) {
D(("Failed to set PAM_OLDAUTHTOK [%s], "
"oldauthtok may not be available",
return ret;
}
}
return PAM_SUCCESS;
}
if (getuid() != 0) {
D(("no password found for chauthtok"));
return PAM_BUF_ERR;
} else {
pi->pam_authtok_size = 0;
}
} else {
D(("strdup failed"));
return PAM_BUF_ERR;
}
}
if (flags & FLAGS_USE_AUTHTOK) {
D(("option use_authtok set, but no new password found"));
return PAM_BUF_ERR;
}
} else {
if (ret != PAM_SUCCESS) {
D(("failed to get new password from user"));
return ret;
}
if (flags & FLAGS_FORWARD_PASS) {
if (ret != PAM_SUCCESS) {
D(("Failed to set PAM_AUTHTOK [%s], "
"oldauthtok may not be available",
}
}
}
return PAM_SUCCESS;
}
{
int ret;
int pam_status;
int *exp_data;
bool retry = false;
bool quiet_mode = false;
int retries = 0;
D(("Hello pam_sssd: %d", task));
if (ret != PAM_SUCCESS) {
ret = PAM_IGNORE;
}
return ret;
}
do {
retry = false;
switch(task) {
case SSS_PAM_AUTHENTICATE:
if (ret != PAM_SUCCESS) {
D(("failed to get authentication token: %s",
return ret;
}
break;
case SSS_PAM_CHAUTHTOK:
if (ret != PAM_SUCCESS) {
D(("failed to get tokens for password change: %s",
return ret;
}
if (pam_flags & PAM_PRELIM_CHECK) {
}
break;
case SSS_PAM_ACCT_MGMT:
case SSS_PAM_SETCRED:
case SSS_PAM_OPEN_SESSION:
case SSS_PAM_CLOSE_SESSION:
break;
default:
D(("Illegal task [%d]", task));
return PAM_SYSTEM_ERR;
}
&& pam_status == PAM_USER_UNKNOWN) {
}
switch (task) {
case SSS_PAM_AUTHENTICATE:
/* We allow sssd to send the return code PAM_NEW_AUTHTOK_REQD during
* authentication, see sss_cli.h for details */
if (pam_status == PAM_NEW_AUTHTOK_REQD) {
D(("Authtoken expired, trying to change it"));
D(("malloc failed."));
break;
}
*exp_data = 1;
if (pam_status != PAM_SUCCESS) {
D(("pam_set_data failed."));
}
}
break;
case SSS_PAM_ACCT_MGMT:
if (pam_status == PAM_SUCCESS &&
PAM_SUCCESS) {
_("Password expired. Change your password now."),
if (ret != PAM_SUCCESS) {
D(("do_pam_conversation failed."));
}
}
break;
case SSS_PAM_CHAUTHTOK:
if (ret != PAM_SUCCESS) {
D(("Failed to unset PAM_AUTHTOK [%s]",
}
if (ret != PAM_SUCCESS) {
D(("Failed to unset PAM_OLDAUTHTOK [%s]",
}
}
break;
case SSS_PAM_CHAUTHTOK_PRELIM:
getuid() == 0 &&
PAM_SUCCESS) {
if (ret != 0) {
D(("select_pw_reset_message failed.\n"));
}
}
default:
/* nothing to do */
break;
}
D(("retries [%d].", retries));
if (pam_status != PAM_SUCCESS &&
retries > 0) {
retry = true;
retries--;
if (ret != PAM_SUCCESS) {
D(("Failed to unset PAM_AUTHTOK [%s]",
}
if (ret != PAM_SUCCESS) {
D(("Failed to unset PAM_OLDAUTHTOK [%s]",
}
}
} while(retry);
return pam_status;
}
const char **argv )
{
}
const char **argv )
{
}
const char **argv )
{
}
const char **argv )
{
}
const char **argv )
{
}
const char **argv )
{
}
#ifdef PAM_STATIC
/* static module data */
struct pam_module _pam_sssd_modstruct ={
"pam_sssd",
};
#endif