author | Sam Chudnick <sam@chudnick.com> | 2022-07-03 05:46:34 -0400 |
---|---|---|
committer | Sam Chudnick <sam@chudnick.com> | 2022-07-03 05:46:34 -0400 |
commit | 11a4a5edb9f0e22fe8355291942ed03c9765ced5 (patch) | |
tree | 0b28f2e34aa4990c7c345146ee6e7adea5fc45d4 | |
parent | ce3c9f1e849b871db2fa91b5aa030e8ea471a7ca (diff) |
Properly implemented pam_sm_setcred
Properly implemented pam_sm_setcred and handled any flags that may be
passed. Split running the python script and reading its status into a
separate function.
-rw-r--r-- | pam/pam_mfa.c | 66 |
1 files changed, 43 insertions, 23 deletions
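--- a/pam/pam_mfa.c
+++ b/pam/pam_mfa.c
@@ -12,26 +12,14 @@
 #include <security/pam_modules.h>
 #include <security/pam_ext.h>
 
-#define PAMPY "python3 /usr/bin/openmfa/pam/pam.py"
+#define PAMPY "python3 /usr/bin/pam_mfa.py"
 
-int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char** argv) {
-int retval;
-const char *user;
-const char *service;
+int request_mfa(pam_handle_t *pamh, const char *user, const char *service, char* result) {
 FILE *fp;
-
-// Get user and service
-if (pam_get_item(pamh, PAM_USER, (const void **) &user) != PAM_SUCCESS || user == NULL) {
-pam_syslog(pamh,LOG_ERR,"unable to get ruser");
-return PAM_AUTHINFO_UNAVAIL;
-}
-if (pam_get_item(pamh, PAM_SERVICE, (const void **) &service) != PAM_SUCCESS || service == NULL) {
-pam_syslog(pamh,LOG_ERR,"unable to get service");
-return PAM_AUTHINFO_UNAVAIL;
-}
+int cmdsize = 256;
+int result_size = 2;
 
 // Build command line
-int cmdsize = 256;
 char cmd[cmdsize];
 cmd[0] = '\0';
 strcat(cmd, PAMPY);
@@ -44,15 +32,37 @@ int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char** ar
 // Execute pam.py
 if ((fp = popen(cmd,"r")) == NULL) {
 pam_syslog(pamh,LOG_ERR,"Error opening pipe");
-return PAM_AUTH_ERR;
+result = "1";
+return 1;
 }
 
-// Get output and return authentication status
-int size = 32;
-char result[size];
-fgets(result,size,fp);
-pam_syslog(pamh,LOG_INFO,result);
+// Set result to output of pam_mfa.py
+fgets(result,result_size,fp);
 pclose(fp);
+return 0;
+}
+
+int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char** argv) {
+const char *user;
+const char *service;
+
+// Get user and service
+if (pam_get_item(pamh, PAM_USER, (const void **) &user) != PAM_SUCCESS || user == NULL) {
+pam_syslog(pamh,LOG_ERR,"unable to get user");
+return PAM_AUTHINFO_UNAVAIL;
+}
+if (pam_get_item(pamh, PAM_SERVICE, (const void **) &service) != PAM_SUCCESS || service == NULL) {
+pam_syslog(pamh,LOG_ERR,"unable to get service");
+return PAM_AUTHINFO_UNAVAIL;
+}
+
+int retval;
+int result_size = 2;
+char result[result_size];
+if ((retval = request_mfa(pamh, user, service, result)) != 0) {
+pam_syslog(pamh,LOG_ERR,"error performing mfa");
+return PAM_AUTH_ERR;
+}
 if (atoi(result) == 0) {
 pam_syslog(pamh,LOG_INFO,"auth success");
 return PAM_SUCCESS;
@@ -63,5 +73,15 @@ int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char** ar
 }
 
 int pam_sm_setcred(pam_handle_t *pamh, int flags, int argc, const char** argv) {
-return PAM_SUCCESS;
+if (flags & PAM_DELETE_CRED || flags & PAM_REFRESH_CRED || flags & PAM_ESTABLISH_CRED) {
+return PAM_SUCCESS;
+}
+if (flags & PAM_REINITIALIZE_CRED) {
+int retval = pam_sm_authenticate(pamh,flags,argc,argv);
+if (retval == PAM_SUCCESS) {
+return PAM_SUCCESS;
+} else {
+return PAM_CRED_ERR;
+}
+}
 }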
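Review bot: In `request_mfa` (second hunk) the return value of `fgets(result,result_size,fp)` is ignored, so if pam_mfa.py exits without printing anything the caller's `result` buffer stays uninitialized and `atoi(result)` in `pam_sm_authenticate` can read 0 and return PAM_SUCCESS; the module should fail closed, treating empty output (and a non-zero `pclose` status, if the script's exit code is meaningful) as an error, as in the rewrite below. The `result = "1";` on the popen-failure path only rebinds the local parameter and never reaches the caller's buffer, so it can be dropped, since the non-zero return already makes the caller bail out; and because `result_size` is hard-coded to 2 in both functions, passing the size explicitly (`int request_mfa(..., char *result, size_t result_size)`) keeps the two from drifting. Separately, `pam_sm_setcred` in the last hunk falls off the end without a return when none of the four credential flags is set, which is undefined behavior for a non-void function; add an explicit `return PAM_CRED_ERR;` (or whatever the module intends for an unrecognised flag set) before the closing brace. The command-building lines of `request_mfa` between the first two hunks are not visible here; since `cmd` is a fixed 256-byte buffer handed to `popen`, i.e. to a shell, confirm that `user` and `service` are length-checked and not interpolated unescaped, or switch to fork/execv with an explicit argv.
```c
int request_mfa(pam_handle_t *pamh, const char *user, const char *service, char* result) {
// … unchanged: command line construction and popen …
// Set result to output of pam_mfa.py; fail closed on no output
if (fgets(result, result_size, fp) == NULL) {
    pam_syslog(pamh, LOG_ERR, "no output from pam_mfa.py");
    pclose(fp);
    result[0] = '\0';
    return 1;
}
if (pclose(fp) != 0) {
    pam_syslog(pamh, LOG_ERR, "pam_mfa.py did not exit cleanly");
    return 1;
}
return 0;
}
```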