Not needed any more, vendor sources have PAM support.
This commit is contained in:
David E. O'Brien
parent
67f52b8478
commit
d808b43a01
Notes:
svn2git
2020-12-20 02:59:44 +00:00
svn path=/head/; revision=161772
@ -1,153 +0,0 @@
|
||||
/* $FreeBSD$ */
|
||||
|
||||
|
||||
#ifdef USE_PAM
|
||||
/*
|
||||
* the following code is stolen from imap-uw PAM authentication module and
|
||||
* login.c
|
||||
*/
|
||||
#define COPY_STRING(s) (s ? strdup(s) : NULL)
|
||||
|
||||
struct cred_t {
|
||||
const char *uname; /* user name */
|
||||
const char *pass; /* password */
|
||||
};
|
||||
typedef struct cred_t cred_t;
|
||||
|
||||
static int
|
||||
auth_conv(int num_msg, const struct pam_message **msg,
|
||||
struct pam_response **resp, void *appdata)
|
||||
{
|
||||
int i;
|
||||
cred_t *cred = (cred_t *) appdata;
|
||||
struct pam_response *reply;
|
||||
|
||||
reply = calloc(num_msg, sizeof *reply);
|
||||
if (reply == NULL)
|
||||
return PAM_BUF_ERR;
|
||||
|
||||
for (i = 0; i < num_msg; i++) {
|
||||
switch (msg[i]->msg_style) {
|
||||
case PAM_PROMPT_ECHO_ON: /* assume want user name */
|
||||
reply[i].resp_retcode = PAM_SUCCESS;
|
||||
reply[i].resp = COPY_STRING(cred->uname);
|
||||
/* PAM frees resp. */
|
||||
break;
|
||||
case PAM_PROMPT_ECHO_OFF: /* assume want password */
|
||||
reply[i].resp_retcode = PAM_SUCCESS;
|
||||
reply[i].resp = COPY_STRING(cred->pass);
|
||||
/* PAM frees resp. */
|
||||
break;
|
||||
case PAM_TEXT_INFO:
|
||||
case PAM_ERROR_MSG:
|
||||
reply[i].resp_retcode = PAM_SUCCESS;
|
||||
reply[i].resp = NULL;
|
||||
break;
|
||||
default: /* unknown message style */
|
||||
free(reply);
|
||||
return PAM_CONV_ERR;
|
||||
}
|
||||
}
|
||||
|
||||
*resp = reply;
|
||||
return PAM_SUCCESS;
|
||||
}
|
||||
|
||||
/*
|
||||
* Attempt to authenticate the user using PAM. Returns 0 if the user is
|
||||
* authenticated, or 1 if not authenticated. If some sort of PAM system
|
||||
* error occurs (e.g., the "/etc/pam.conf" file is missing) then this
|
||||
* function returns -1. This can be used as an indication that we should
|
||||
* fall back to a different authentication mechanism.
|
||||
*/
|
||||
static int
|
||||
auth_pam(struct passwd **ppw, const char *pass)
|
||||
{
|
||||
pam_handle_t *pamh = NULL;
|
||||
const char *tmpl_user;
|
||||
const void *item;
|
||||
int rval;
|
||||
int e;
|
||||
cred_t auth_cred = { (*ppw)->pw_name, pass };
|
||||
struct pam_conv conv = { &auth_conv, &auth_cred };
|
||||
|
||||
e = pam_start("ftpd", (*ppw)->pw_name, &conv, &pamh);
|
||||
if (e != PAM_SUCCESS) {
|
||||
syslog(LOG_ERR, "pam_start: %s", pam_strerror(pamh, e));
|
||||
return -1;
|
||||
}
|
||||
|
||||
e = pam_set_item(pamh, PAM_RHOST, remotehost);
|
||||
if (e != PAM_SUCCESS) {
|
||||
syslog(LOG_ERR, "pam_set_item(PAM_RHOST): %s",
|
||||
pam_strerror(pamh, e));
|
||||
return -1;
|
||||
}
|
||||
|
||||
e = pam_authenticate(pamh, 0);
|
||||
switch (e) {
|
||||
case PAM_SUCCESS:
|
||||
/*
|
||||
* With PAM we support the concept of a "template"
|
||||
* user. The user enters a login name which is
|
||||
* authenticated by PAM, usually via a remote service
|
||||
* such as RADIUS or TACACS+. If authentication
|
||||
* succeeds, a different but related "template" name
|
||||
* is used for setting the credentials, shell, and
|
||||
* home directory. The name the user enters need only
|
||||
* exist on the remote authentication server, but the
|
||||
* template name must be present in the local password
|
||||
* database.
|
||||
*
|
||||
* This is supported by two various mechanisms in the
|
||||
* individual modules. However, from the application's
|
||||
* point of view, the template user is always passed
|
||||
* back as a changed value of the PAM_USER item.
|
||||
*/
|
||||
if ((e = pam_get_item(pamh, PAM_USER, &item)) ==
|
||||
PAM_SUCCESS) {
|
||||
tmpl_user = (const char *) item;
|
||||
if (strcmp((*ppw)->pw_name, tmpl_user) != 0)
|
||||
*ppw = getpwnam(tmpl_user);
|
||||
} else
|
||||
syslog(LOG_ERR, "Couldn't get PAM_USER: %s",
|
||||
pam_strerror(pamh, e));
|
||||
rval = 0;
|
||||
break;
|
||||
|
||||
case PAM_AUTH_ERR:
|
||||
case PAM_USER_UNKNOWN:
|
||||
case PAM_MAXTRIES:
|
||||
rval = 1;
|
||||
break;
|
||||
|
||||
default:
|
||||
syslog(LOG_ERR, "pam_authenticate: %s", pam_strerror(pamh, e));
|
||||
rval = -1;
|
||||
break;
|
||||
}
|
||||
|
||||
if (rval == 0) {
|
||||
e = pam_acct_mgmt(pamh, 0);
|
||||
if (e == PAM_NEW_AUTHTOK_REQD) {
|
||||
e = pam_chauthtok(pamh, PAM_CHANGE_EXPIRED_AUTHTOK);
|
||||
if (e != PAM_SUCCESS) {
|
||||
syslog(LOG_ERR, "pam_chauthtok: %s",
|
||||
pam_strerror(pamh, e));
|
||||
rval = 1;
|
||||
}
|
||||
} else if (e != PAM_SUCCESS) {
|
||||
rval = 1;
|
||||
}
|
||||
}
|
||||
|
||||
if (rval != 0) {
|
||||
if ((e = pam_end(pamh, e)) != PAM_SUCCESS) {
|
||||
syslog(LOG_ERR, "pam_end: %s", pam_strerror(pamh, e));
|
||||
}
|
||||
pamh = NULL;
|
||||
}
|
||||
return rval;
|
||||
}
|
||||
|
||||
#endif /* USE_PAM */
|
||||
Loading…
Reference in New Issue
Block a user