Properly implemented pam_sm_setcred

Properly implemented pam_sm_setcred and handle any flags that may be passed. Split running of python script and getting status into a separate function.
author: Sam Chudnick <sam@chudnick.com> 2022-07-03 05:46:34 -0400
committer: Sam Chudnick <sam@chudnick.com> 2022-07-03 05:46:34 -0400
commit: 11a4a5edb9f0e22fe8355291942ed03c9765ced5 (patch)
tree: 0b28f2e34aa4990c7c345146ee6e7adea5fc45d4
parent: ce3c9f1e849b871db2fa91b5aa030e8ea471a7ca (diff)
1 files changed, 43 insertions, 23 deletions
diff --git a/pam/pam_mfa.c b/pam/pam_mfa.c
index e366510..5167339 100644
--- a/pam/pam_mfa.c
+++ b/pam/pam_mfa.c
@@ -12,26 +12,14 @@
 #include <security/pam_modules.h>
 #include <security/pam_ext.h>
-#define PAMPY "python3 /usr/bin/openmfa/pam/pam.py"
+#define PAMPY "python3 /usr/bin/pam_mfa.py"
-int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char** argv) {
+int request_mfa(pam_handle_t *pamh, const char *user, const char *service, char* result) {
-        int retval;
-        const char *user;
-        const char *service;
        FILE *fp;
+        int cmdsize = 256;
-        // Get user and service
+        int result_size = 2;
-        if (pam_get_item(pamh, PAM_USER, (const void **) &user) != PAM_SUCCESS || user == NULL) {
-                        pam_syslog(pamh,LOG_ERR,"unable to get ruser");
-                        return PAM_AUTHINFO_UNAVAIL;
-        }
-        if (pam_get_item(pamh, PAM_SERVICE, (const void **) &service) != PAM_SUCCESS || service == NULL)  {
-                        pam_syslog(pamh,LOG_ERR,"unable to get service");
-                        return PAM_AUTHINFO_UNAVAIL;
-        }
        // Build command line
-        int cmdsize = 256;
        char cmd[cmdsize];
        cmd[0] = '\0';
        strcat(cmd, PAMPY);
@@ -44,15 +32,37 @@ int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char** ar
        // Execute pam.py
        if ((fp = popen(cmd,"r")) == NULL) {
                pam_syslog(pamh,LOG_ERR,"Error opening pipe");
-                return PAM_AUTH_ERR;
+                result = "1";
+                return 1;
        }
-        // Get output and return authentication status
+        // Set result to output of pam_mfa.py
-        int size = 32;
+        fgets(result,result_size,fp);
-        char result[size];
-        fgets(result,size,fp);
-        pam_syslog(pamh,LOG_INFO,result);
        pclose(fp);
+        return 0;
+}
+int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char** argv) {
+        const char *user;
+        const char *service;
+        // Get user and service
+        if (pam_get_item(pamh, PAM_USER, (const void **) &user) != PAM_SUCCESS || user == NULL) {
+                        pam_syslog(pamh,LOG_ERR,"unable to get user");
+                        return PAM_AUTHINFO_UNAVAIL;
+        }
+        if (pam_get_item(pamh, PAM_SERVICE, (const void **) &service) != PAM_SUCCESS || service == NULL)  {
+                        pam_syslog(pamh,LOG_ERR,"unable to get service");
+                        return PAM_AUTHINFO_UNAVAIL;
+        }
+        int retval;
+        int result_size = 2;
+        char result[result_size];
+        if ((retval = request_mfa(pamh, user, service, result)) != 0) {
+                pam_syslog(pamh,LOG_ERR,"error performing mfa");
+                return PAM_AUTH_ERR;
+        }
        if (atoi(result) == 0) {
                pam_syslog(pamh,LOG_INFO,"auth success");
                return PAM_SUCCESS;
@@ -63,5 +73,15 @@ int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char** ar
 }
 int pam_sm_setcred(pam_handle_t *pamh, int flags, int argc, const char** argv) {
-        return PAM_SUCCESS;
+        if (flags & PAM_DELETE_CRED || flags & PAM_REFRESH_CRED || flags & PAM_ESTABLISH_CRED) {
+                return PAM_SUCCESS;
+        }
+        if (flags & PAM_REINITIALIZE_CRED) {
+                int retval = pam_sm_authenticate(pamh,flags,argc,argv);
+                if (retval == PAM_SUCCESS) {
+                        return PAM_SUCCESS;
+                } else {
+                        return PAM_CRED_ERR;
+                }
+        }
 }
author	Sam Chudnick <sam@chudnick.com>	2022-07-03 05:46:34 -0400
committer	Sam Chudnick <sam@chudnick.com>	2022-07-03 05:46:34 -0400
commit	11a4a5edb9f0e22fe8355291942ed03c9765ced5 (patch)
tree	0b28f2e34aa4990c7c345146ee6e7adea5fc45d4
parent	ce3c9f1e849b871db2fa91b5aa030e8ea471a7ca (diff)

diff --git a/pam/pam_mfa.c b/pam/pam_mfa.c index e366510..5167339 100644 --- a/pam/pam_mfa.c +++ b/pam/pam_mfa.c
@@ -12,26 +12,14 @@
12	#include <security/pam_modules.h>	12	#include <security/pam_modules.h>
13	#include <security/pam_ext.h>	13	#include <security/pam_ext.h>
14		14
15	#define PAMPY "python3 /usr/bin/openmfa/pam/pam.py"	15	#define PAMPY "python3 /usr/bin/pam_mfa.py"
16		16
17	int pam_sm_authenticate(pam_handle_t pamh, int flags, int argc, const char* argv) {	17	int request_mfa(pam_handle_t pamh, const char user, const char service, char result) {
18	int retval;
19	const char *user;
20	const char *service;
21	FILE *fp;	18	FILE *fp;
22		19	int cmdsize = 256;
23	// Get user and service	20	int result_size = 2;
24	if (pam_get_item(pamh, PAM_USER, (const void **) &user) != PAM_SUCCESS \|\| user == NULL) {
25	pam_syslog(pamh,LOG_ERR,"unable to get ruser");
26	return PAM_AUTHINFO_UNAVAIL;
27	}
28	if (pam_get_item(pamh, PAM_SERVICE, (const void **) &service) != PAM_SUCCESS \|\| service == NULL) {
29	pam_syslog(pamh,LOG_ERR,"unable to get service");
30	return PAM_AUTHINFO_UNAVAIL;
31	}
32		21
33	// Build command line	22	// Build command line
34	int cmdsize = 256;
35	char cmd[cmdsize];	23	char cmd[cmdsize];
36	cmd[0] = '\0';	24	cmd[0] = '\0';
37	strcat(cmd, PAMPY);	25	strcat(cmd, PAMPY);
@@ -44,15 +32,37 @@ int pam_sm_authenticate(pam_handle_t pamh, int flags, int argc, const char* ar
44	// Execute pam.py	32	// Execute pam.py
45	if ((fp = popen(cmd,"r")) == NULL) {	33	if ((fp = popen(cmd,"r")) == NULL) {
46	pam_syslog(pamh,LOG_ERR,"Error opening pipe");	34	pam_syslog(pamh,LOG_ERR,"Error opening pipe");
47	return PAM_AUTH_ERR;	35	result = "1";
		36	return 1;
48	}	37	}
49		38
50	// Get output and return authentication status	39	// Set result to output of pam_mfa.py
51	int size = 32;	40	fgets(result,result_size,fp);
52	char result[size];
53	fgets(result,size,fp);
54	pam_syslog(pamh,LOG_INFO,result);
55	pclose(fp);	41	pclose(fp);
		42	return 0;
		43	}
		44
		45	int pam_sm_authenticate(pam_handle_t pamh, int flags, int argc, const char* argv) {
		46	const char *user;
		47	const char *service;
		48
		49	// Get user and service
		50	if (pam_get_item(pamh, PAM_USER, (const void **) &user) != PAM_SUCCESS \|\| user == NULL) {
		51	pam_syslog(pamh,LOG_ERR,"unable to get user");
		52	return PAM_AUTHINFO_UNAVAIL;
		53	}
		54	if (pam_get_item(pamh, PAM_SERVICE, (const void **) &service) != PAM_SUCCESS \|\| service == NULL) {
		55	pam_syslog(pamh,LOG_ERR,"unable to get service");
		56	return PAM_AUTHINFO_UNAVAIL;
		57	}
		58
		59	int retval;
		60	int result_size = 2;
		61	char result[result_size];
		62	if ((retval = request_mfa(pamh, user, service, result)) != 0) {
		63	pam_syslog(pamh,LOG_ERR,"error performing mfa");
		64	return PAM_AUTH_ERR;
		65	}
56	if (atoi(result) == 0) {	66	if (atoi(result) == 0) {
57	pam_syslog(pamh,LOG_INFO,"auth success");	67	pam_syslog(pamh,LOG_INFO,"auth success");
58	return PAM_SUCCESS;	68	return PAM_SUCCESS;
@@ -63,5 +73,15 @@ int pam_sm_authenticate(pam_handle_t pamh, int flags, int argc, const char* ar
63	}	73	}
64		74
65	int pam_sm_setcred(pam_handle_t pamh, int flags, int argc, const char* argv) {	75	int pam_sm_setcred(pam_handle_t pamh, int flags, int argc, const char* argv) {
66	return PAM_SUCCESS;	76	if (flags & PAM_DELETE_CRED \|\| flags & PAM_REFRESH_CRED \|\| flags & PAM_ESTABLISH_CRED) {
		77	return PAM_SUCCESS;
		78	}
		79	if (flags & PAM_REINITIALIZE_CRED) {
		80	int retval = pam_sm_authenticate(pamh,flags,argc,argv);
		81	if (retval == PAM_SUCCESS) {
		82	return PAM_SUCCESS;
		83	} else {
		84	return PAM_CRED_ERR;
		85	}
		86	}
67	}	87	}