Mercurial > dropbear
comparison svr-authpam.c @ 121:9337c9f9a607 private-rez
PAM improvements
| author | Matt Johnston <matt@ucc.asn.au> |
|---|---|
| date | Tue, 14 Sep 2004 12:51:16 +0000 |
| parents | 3394a7cb30cd |
| children | 33d976eeb859 |
comparison
equal
deleted
inserted
replaced
| 119:3394a7cb30cd | 121:9337c9f9a607 |
|---|---|
| 1 /* | 1 /* |
| 2 * Dropbear - a SSH2 server | 2 * Dropbear SSH |
| 3 * | 3 * |
| 4 * Copyright (c) 2002,2003 Matt Johnston | 4 * Copyright (c) 2004 Martin Carlsson |
| 5 * Portions (c) 2004 Matt Johnston | |
| 5 * All rights reserved. | 6 * All rights reserved. |
| 6 * | 7 * |
| 7 * Permission is hereby granted, free of charge, to any person obtaining a copy | 8 * Permission is hereby granted, free of charge, to any person obtaining a copy |
| 8 * of this software and associated documentation files (the "Software"), to deal | 9 * of this software and associated documentation files (the "Software"), to deal |
| 9 * in the Software without restriction, including without limitation the rights | 10 * in the Software without restriction, including without limitation the rights |
| 20 * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER | 21 * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER |
| 21 * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, | 22 * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, |
| 22 * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE | 23 * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE |
| 23 * SOFTWARE. */ | 24 * SOFTWARE. */ |
| 24 | 25 |
| 25 /* Validates a user password */ | 26 /* Validates a user password using PAM */ |
| 26 | 27 |
| 27 #include "includes.h" | 28 #include "includes.h" |
| 28 #include "session.h" | 29 #include "session.h" |
| 29 #include "buffer.h" | 30 #include "buffer.h" |
| 30 #include "dbutil.h" | 31 #include "dbutil.h" |
| 49 void *appdata_ptr) { | 50 void *appdata_ptr) { |
| 50 | 51 |
| 51 int rc = PAM_SUCCESS; | 52 int rc = PAM_SUCCESS; |
| 52 struct pam_response* resp = NULL; | 53 struct pam_response* resp = NULL; |
| 53 struct UserDataS* userDatap = (struct UserDataS*) appdata_ptr; | 54 struct UserDataS* userDatap = (struct UserDataS*) appdata_ptr; |
| 55 | |
| 54 const char* message = (*msg)->msg; | 56 const char* message = (*msg)->msg; |
| 55 | 57 |
| 56 TRACE(("enter pamConvFunc")); | 58 TRACE(("enter pamConvFunc")); |
| 59 | |
| 60 if (num_msg != 1) { | |
| 61 /* If you're getting here - Dropbear probably can't support your pam | |
| 62 * modules. This whole file is a bit of a hack around lack of | |
| 63 * asynchronocity in PAM anyway */ | |
| 64 dropbear_log(LOG_INFO, "pamConvFunc() called with >1 messages: not supported."); | |
| 65 return PAM_CONV_ERR; | |
| 66 } | |
| 67 | |
| 57 TRACE(("msg_style is %d", (*msg)->msg_style)); | 68 TRACE(("msg_style is %d", (*msg)->msg_style)); |
| 58 if (message) { | 69 if (message) { |
| 59 TRACE(("message is '%s'", message)); | 70 TRACE(("message is '%s'", message)); |
| 60 } else { | 71 } else { |
| 61 TRACE(("null message")); | 72 TRACE(("null message")); |
| 69 TRACE(("PAM_PROMPT_ECHO_OFF: unrecognized prompt")); | 80 TRACE(("PAM_PROMPT_ECHO_OFF: unrecognized prompt")); |
| 70 rc = PAM_CONV_ERR; | 81 rc = PAM_CONV_ERR; |
| 71 break; | 82 break; |
| 72 } | 83 } |
| 73 | 84 |
| 74 /* XXX leak */ | 85 /* This looks leaky, but the PAM module-writer docs |
| 86 * assure us that the caller will free it... */ | |
| 75 resp = (struct pam_response*) m_malloc(sizeof(struct pam_response)); | 87 resp = (struct pam_response*) m_malloc(sizeof(struct pam_response)); |
| 76 /* XXX leak */ | 88 memset(resp, 0, sizeof(struct pam_response)); |
| 77 resp->resp = (char*) m_strdup(userDatap->passwd); | 89 |
| 78 resp->resp_retcode = 0; | 90 /* Safe to just use the direct pointer (no strdup) since |
| 91 * it shouldn't be getting munged at all */ | |
| 92 resp->resp = userDatap->passwd; | |
| 79 (*respp) = resp; | 93 (*respp) = resp; |
| 80 break; | 94 break; |
| 81 | 95 |
| 82 | 96 |
| 83 case PAM_PROMPT_ECHO_ON: | 97 case PAM_PROMPT_ECHO_ON: |
| 88 TRACE(("PAM_PROMPT_ECHO_ON: unrecognized prompt")); | 102 TRACE(("PAM_PROMPT_ECHO_ON: unrecognized prompt")); |
| 89 rc = PAM_CONV_ERR; | 103 rc = PAM_CONV_ERR; |
| 90 break; | 104 break; |
| 91 } | 105 } |
| 92 | 106 |
| 93 /* XXX leak */ | 107 /* This looks leaky, but the PAM module-writer docs |
| 108 * assure us that the caller will free it... */ | |
| 94 resp = (struct pam_response*) m_malloc(sizeof(struct pam_response)); | 109 resp = (struct pam_response*) m_malloc(sizeof(struct pam_response)); |
| 95 /* XXX leak */ | 110 memset(resp, 0, sizeof(struct pam_response)); |
| 96 resp->resp = (char*) m_strdup(userDatap->user); | 111 |
| 112 /* Safe to just use the direct pointer (no strdup) since | |
| 113 * it shouldn't be getting munged at all */ | |
| 114 resp->resp = userDatap->user; | |
| 97 TRACE(("userDatap->user='%s'", userDatap->user)); | 115 TRACE(("userDatap->user='%s'", userDatap->user)); |
| 98 | |
| 99 resp->resp_retcode = 0; | |
| 100 (*respp) = resp; | 116 (*respp) = resp; |
| 101 break; | |
| 102 | |
| 103 case PAM_ERROR_MSG: | |
| 104 case PAM_TEXT_INFO: | |
| 105 case PAM_RADIO_TYPE: | |
| 106 case PAM_BINARY_PROMPT: | |
| 107 TRACE(("Unhandled message type")); | |
| 108 rc = PAM_CONV_ERR; | |
| 109 break; | 117 break; |
| 110 | 118 |
| 111 default: | 119 default: |
| 112 TRACE(("Unknown message type")); | 120 TRACE(("Unknown message type")); |
| 113 rc = PAM_CONV_ERR; | 121 rc = PAM_CONV_ERR; |
| 118 | 126 |
| 119 return rc; | 127 return rc; |
| 120 } | 128 } |
| 121 | 129 |
| 122 /* Process a password auth request, sending success or failure messages as | 130 /* Process a password auth request, sending success or failure messages as |
| 123 * appropriate. To the client it looks like it's doing normal password auth (as opposed to keyboard-interactive or something), so the pam module has to be fairly standard (ie just "what's your username, what's your password, OK"). | 131 * appropriate. To the client it looks like it's doing normal password auth (as |
| 132 * opposed to keyboard-interactive or something), so the pam module has to be | |
| 133 * fairly standard (ie just "what's your username, what's your password, OK"). | |
| 124 * | 134 * |
| 125 * Keyboard interactive would be a lot nicer, but since PAM is synchronous, it | 135 * Keyboard interactive would be a lot nicer, but since PAM is synchronous, it |
| 126 * gets very messy trying to send the interactive challenges, and read the | 136 * gets very messy trying to send the interactive challenges, and read the |
| 127 * interactive responses, over the network. */ | 137 * interactive responses, over the network. */ |
| 128 void svr_auth_pam() { | 138 void svr_auth_pam() { |