comparison svr-authpam.c @ 121:9337c9f9a607 private-rez
PAM improvements
author | Matt Johnston <matt@ucc.asn.au> |
---|---|
date | Tue, 14 Sep 2004 12:51:16 +0000 |
parents | 3394a7cb30cd |
children | 33d976eeb859 |
119:3394a7cb30cd | 121:9337c9f9a607 |
---|---|
1 /* | 1 /* |
2 * Dropbear - a SSH2 server | 2 * Dropbear SSH |
3 * | 3 * |
4 * Copyright (c) 2002,2003 Matt Johnston | 4 * Copyright (c) 2004 Martin Carlsson |
5 * Portions (c) 2004 Matt Johnston | |
5 * All rights reserved. | 6 * All rights reserved. |
6 * | 7 * |
7 * Permission is hereby granted, free of charge, to any person obtaining a copy | 8 * Permission is hereby granted, free of charge, to any person obtaining a copy |
8 * of this software and associated documentation files (the "Software"), to deal | 9 * of this software and associated documentation files (the "Software"), to deal |
9 * in the Software without restriction, including without limitation the rights | 10 * in the Software without restriction, including without limitation the rights |
20 * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER | 21 * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER |
21 * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, | 22 * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, |
22 * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE | 23 * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE |
23 * SOFTWARE. */ | 24 * SOFTWARE. */ |
24 | 25 |
25 /* Validates a user password */ | 26 /* Validates a user password using PAM */ |
26 | 27 |
27 #include "includes.h" | 28 #include "includes.h" |
28 #include "session.h" | 29 #include "session.h" |
29 #include "buffer.h" | 30 #include "buffer.h" |
30 #include "dbutil.h" | 31 #include "dbutil.h" |
49 void *appdata_ptr) { | 50 void *appdata_ptr) { |
50 | 51 |
51 int rc = PAM_SUCCESS; | 52 int rc = PAM_SUCCESS; |
52 struct pam_response* resp = NULL; | 53 struct pam_response* resp = NULL; |
53 struct UserDataS* userDatap = (struct UserDataS*) appdata_ptr; | 54 struct UserDataS* userDatap = (struct UserDataS*) appdata_ptr; |
55 | |
54 const char* message = (*msg)->msg; | 56 const char* message = (*msg)->msg; |
55 | 57 |
56 TRACE(("enter pamConvFunc")); | 58 TRACE(("enter pamConvFunc")); |
59 | |
60 if (num_msg != 1) { | |
61 /* If you're getting here - Dropbear probably can't support your pam | |
62 * modules. This whole file is a bit of a hack around lack of | |
63 * asynchronocity in PAM anyway */ | |
64 dropbear_log(LOG_INFO, "pamConvFunc() called with >1 messages: not supported."); | |
65 return PAM_CONV_ERR; | |
66 } | |
67 | |
57 TRACE(("msg_style is %d", (*msg)->msg_style)); | 68 TRACE(("msg_style is %d", (*msg)->msg_style)); |
58 if (message) { | 69 if (message) { |
59 TRACE(("message is '%s'", message)); | 70 TRACE(("message is '%s'", message)); |
60 } else { | 71 } else { |
61 TRACE(("null message")); | 72 TRACE(("null message")); |
69 TRACE(("PAM_PROMPT_ECHO_OFF: unrecognized prompt")); | 80 TRACE(("PAM_PROMPT_ECHO_OFF: unrecognized prompt")); |
70 rc = PAM_CONV_ERR; | 81 rc = PAM_CONV_ERR; |
71 break; | 82 break; |
72 } | 83 } |
73 | 84 |
74 /* XXX leak */ | 85 /* This looks leaky, but the PAM module-writer docs |
86 * assure us that the caller will free it... */ | |
75 resp = (struct pam_response*) m_malloc(sizeof(struct pam_response)); | 87 resp = (struct pam_response*) m_malloc(sizeof(struct pam_response)); |
76 /* XXX leak */ | 88 memset(resp, 0, sizeof(struct pam_response)); |
77 resp->resp = (char*) m_strdup(userDatap->passwd); | 89 |
78 resp->resp_retcode = 0; | 90 /* Safe to just use the direct pointer (no strdup) since |
91 * it shouldn't be getting munged at all */ | |
92 resp->resp = userDatap->passwd; | |
79 (*respp) = resp; | 93 (*respp) = resp; |
80 break; | 94 break; |
81 | 95 |
82 | 96 |
83 case PAM_PROMPT_ECHO_ON: | 97 case PAM_PROMPT_ECHO_ON: |
88 TRACE(("PAM_PROMPT_ECHO_ON: unrecognized prompt")); | 102 TRACE(("PAM_PROMPT_ECHO_ON: unrecognized prompt")); |
89 rc = PAM_CONV_ERR; | 103 rc = PAM_CONV_ERR; |
90 break; | 104 break; |
91 } | 105 } |
92 | 106 |
93 /* XXX leak */ | 107 /* This looks leaky, but the PAM module-writer docs |
108 * assure us that the caller will free it... */ | |
94 resp = (struct pam_response*) m_malloc(sizeof(struct pam_response)); | 109 resp = (struct pam_response*) m_malloc(sizeof(struct pam_response)); |
95 /* XXX leak */ | 110 memset(resp, 0, sizeof(struct pam_response)); |
96 resp->resp = (char*) m_strdup(userDatap->user); | 111 |
112 /* Safe to just use the direct pointer (no strdup) since | |
113 * it shouldn't be getting munged at all */ | |
114 resp->resp = userDatap->user; | |
97 TRACE(("userDatap->user='%s'", userDatap->user)); | 115 TRACE(("userDatap->user='%s'", userDatap->user)); |
98 | |
99 resp->resp_retcode = 0; | |
100 (*respp) = resp; | 116 (*respp) = resp; |
101 break; | |
102 | |
103 case PAM_ERROR_MSG: | |
104 case PAM_TEXT_INFO: | |
105 case PAM_RADIO_TYPE: | |
106 case PAM_BINARY_PROMPT: | |
107 TRACE(("Unhandled message type")); | |
108 rc = PAM_CONV_ERR; | |
109 break; | 117 break; |
110 | 118 |
111 default: | 119 default: |
112 TRACE(("Unknown message type")); | 120 TRACE(("Unknown message type")); |
113 rc = PAM_CONV_ERR; | 121 rc = PAM_CONV_ERR; |
118 | 126 |
119 return rc; | 127 return rc; |
120 } | 128 } |
121 | 129 |
122 /* Process a password auth request, sending success or failure messages as | 130 /* Process a password auth request, sending success or failure messages as |
123 * appropriate. To the client it looks like it's doing normal password auth (as opposed to keyboard-interactive or something), so the pam module has to be fairly standard (ie just "what's your username, what's your password, OK"). | 131 * appropriate. To the client it looks like it's doing normal password auth (as |
132 * opposed to keyboard-interactive or something), so the pam module has to be | |
133 * fairly standard (ie just "what's your username, what's your password, OK"). | |
124 * | 134 * |
125 * Keyboard interactive would be a lot nicer, but since PAM is synchronous, it | 135 * Keyboard interactive would be a lot nicer, but since PAM is synchronous, it |
126 * gets very messy trying to send the interactive challenges, and read the | 136 * gets very messy trying to send the interactive challenges, and read the |
127 * interactive responses, over the network. */ | 137 * interactive responses, over the network. */ |
128 void svr_auth_pam() { | 138 void svr_auth_pam() { |
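Review bot: `resp->resp = userDatap->passwd;` (and `resp->resp = userDatap->user;` in the PAM_PROMPT_ECHO_ON case) hands the PAM module a pointer that Dropbear still owns, while the comment a few lines above states that the caller frees the response; under the pam_conv(3) contract the module releases each resp[].resp with free(), so the password buffer would be freed by PAM and again by Dropbear, and the original `resp->resp = (char*) m_strdup(userDatap->passwd);` (likewise for user) should be kept. Dropping the `num_msg != 1` guard in the earlier hunk compounds this: the function still answers exactly one message and allocates a single struct pam_response, so a module that passes more than one message would presumably read past the one-element response array; restore `if (num_msg != 1) { dropbear_log(LOG_INFO, "pamConvFunc() called with >1 messages: not supported."); return PAM_CONV_ERR; }` before `(*msg)->msg` is dereferenced. pamConvFunc's signature begins above the first hunk and its switch is cut by the hunk boundaries, so the cases between the shown lines are not visible here.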