authorSam Chudnick <sam@chudnick.com>2022-07-03 05:46:34 -0400
committerSam Chudnick <sam@chudnick.com>2022-07-03 05:46:34 -0400
commit11a4a5edb9f0e22fe8355291942ed03c9765ced5 (patch)
tree0b28f2e34aa4990c7c345146ee6e7adea5fc45d4 /pam
parentce3c9f1e849b871db2fa91b5aa030e8ea471a7ca (diff)
Properly implemented pam_sm_setcred
Properly implemented pam_sm_setcred and handled any flags that may be passed. Split running the python script and getting its status into a separate function.
Diffstat (limited to 'pam')
-rw-r--r--pam/pam_mfa.c66
1 files changed, 43 insertions, 23 deletions
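--- a/pam/pam_mfa.c
+++ b/pam/pam_mfa.c
@@ -12,26 +12,14 @@
 #include <security/pam_modules.h>
 #include <security/pam_ext.h>
 
-#define PAMPY "python3 /usr/bin/openmfa/pam/pam.py"
+#define PAMPY "python3 /usr/bin/pam_mfa.py"
 
-int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char** argv) {
- int retval;
- const char *user;
- const char *service;
+int request_mfa(pam_handle_t *pamh, const char *user, const char *service, char* result) {
  FILE *fp;
-
- // Get user and service
- if (pam_get_item(pamh, PAM_USER, (const void **) &user) != PAM_SUCCESS || user == NULL) {
- pam_syslog(pamh,LOG_ERR,"unable to get ruser");
- return PAM_AUTHINFO_UNAVAIL;
- }
- if (pam_get_item(pamh, PAM_SERVICE, (const void **) &service) != PAM_SUCCESS || service == NULL) {
- pam_syslog(pamh,LOG_ERR,"unable to get service");
- return PAM_AUTHINFO_UNAVAIL;
- }
+ int cmdsize = 256;
+ int result_size = 2;
 
  // Build command line
- int cmdsize = 256;
  char cmd[cmdsize];
  cmd[0] = '\0';
  strcat(cmd, PAMPY);
@@ -44,15 +32,37 @@ int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char** ar
  // Execute pam.py
  if ((fp = popen(cmd,"r")) == NULL) {
  pam_syslog(pamh,LOG_ERR,"Error opening pipe");
- return PAM_AUTH_ERR;
+ result = "1";
+ return 1;
  }
 
- // Get output and return authentication status
- int size = 32;
- char result[size];
- fgets(result,size,fp);
- pam_syslog(pamh,LOG_INFO,result);
+ // Set result to output of pam_mfa.py
+ fgets(result,result_size,fp);
  pclose(fp);
+ return 0;
+}
+
+int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char** argv) {
+ const char *user;
+ const char *service;
+
+ // Get user and service
+ if (pam_get_item(pamh, PAM_USER, (const void **) &user) != PAM_SUCCESS || user == NULL) {
+ pam_syslog(pamh,LOG_ERR,"unable to get user");
+ return PAM_AUTHINFO_UNAVAIL;
+ }
+ if (pam_get_item(pamh, PAM_SERVICE, (const void **) &service) != PAM_SUCCESS || service == NULL) {
+ pam_syslog(pamh,LOG_ERR,"unable to get service");
+ return PAM_AUTHINFO_UNAVAIL;
+ }
+
+ int retval;
+ int result_size = 2;
+ char result[result_size];
+ if ((retval = request_mfa(pamh, user, service, result)) != 0) {
+ pam_syslog(pamh,LOG_ERR,"error performing mfa");
+ return PAM_AUTH_ERR;
+ }
  if (atoi(result) == 0) {
  pam_syslog(pamh,LOG_INFO,"auth success");
  return PAM_SUCCESS;
@@ -63,5 +73,15 @@ int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char** ar
 }
 
 int pam_sm_setcred(pam_handle_t *pamh, int flags, int argc, const char** argv) {
- return PAM_SUCCESS;
+ if (flags & PAM_DELETE_CRED || flags & PAM_REFRESH_CRED || flags & PAM_ESTABLISH_CRED) {
+ return PAM_SUCCESS;
+ }
+ if (flags & PAM_REINITIALIZE_CRED) {
+ int retval = pam_sm_authenticate(pamh,flags,argc,argv);
+ if (retval == PAM_SUCCESS) {
+ return PAM_SUCCESS;
+ } else {
+ return PAM_CRED_ERR;
+ }
+ }
 }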
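Review bot: In request_mfa (second hunk) the return values of `fgets(result,result_size,fp)` and `pclose(fp)` are both discarded, so when pam_mfa.py exits without printing anything (interpreter missing, script error) the caller's uninitialized `char result[result_size]` is handed to `atoi(result)`, and any non-digit first byte yields 0 and therefore PAM_SUCCESS; the helper should fail closed by returning 1 whenever fgets yields NULL or pclose reports a non-zero status. The `result = "1";` in the popen-failure branch only rebinds the local pointer and never touches the caller's buffer, so either write into the buffer or drop the line. pam_sm_setcred in the last hunk has no return statement when none of the tested bits are set (for example a call carrying only PAM_SILENT), which is undefined behaviour in a non-void function; add `return PAM_SUCCESS;` before the closing brace, or `return PAM_CRED_UNAVAIL;` if the module does not manage credentials. The lines that append user and service to cmd sit outside the first hunk; since popen passes cmd to /bin/sh they deserve the same care, and the success test would be stricter as `strcmp(result, "0") == 0` rather than `atoi(result) == 0`.
```c
// Execute pam.py
if ((fp = popen(cmd,"r")) == NULL) {
    pam_syslog(pamh,LOG_ERR,"Error opening pipe");
    result[0] = '\0';   /* was `result = "1"`, which only rebound the local pointer */
    return 1;
}

// Treat missing output or a non-zero exit of pam_mfa.py as failure so the
// caller never parses an uninitialized buffer.
if (fgets(result,result_size,fp) == NULL) {
    result[0] = '\0';
    pclose(fp);
    return 1;
}
if (pclose(fp) != 0) {
    return 1;
}
return 0;
```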