From 11a4a5edb9f0e22fe8355291942ed03c9765ced5 Mon Sep 17 00:00:00 2001
From: Sam Chudnick
Date: Sun, 3 Jul 2022 05:46:34 -0400
Subject: Properly implemented pam_sm_setcred

Properly implemented pam_sm_setcred and handle any flags that may be passed. Split running of python script and getting status into a separate function.
---
 pam/pam_mfa.c | 66 ++++++++++++++++++++++++++++++++++++++---------------------
 1 file changed, 43 insertions(+), 23 deletions(-)

diff --git a/pam/pam_mfa.c b/pam/pam_mfa.c
index e366510..5167339 100644
--- a/pam/pam_mfa.c
+++ b/pam/pam_mfa.c
@@ -12,26 +12,14 @@
 #include
 #include
 
-#define PAMPY "python3 /usr/bin/openmfa/pam/pam.py"
+#define PAMPY "python3 /usr/bin/pam_mfa.py"
 
-int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char** argv) {
-    int retval;
-    const char *user;
-    const char *service;
+int request_mfa(pam_handle_t *pamh, const char *user, const char *service, char* result) {
     FILE *fp;
-
-    // Get user and service
-    if (pam_get_item(pamh, PAM_USER, (const void **) &user) != PAM_SUCCESS || user == NULL) {
-        pam_syslog(pamh,LOG_ERR,"unable to get ruser");
-        return PAM_AUTHINFO_UNAVAIL;
-    }
-    if (pam_get_item(pamh, PAM_SERVICE, (const void **) &service) != PAM_SUCCESS || service == NULL) {
-        pam_syslog(pamh,LOG_ERR,"unable to get service");
-        return PAM_AUTHINFO_UNAVAIL;
-    }
+    int cmdsize = 256;
+    int result_size = 2;
 
     // Build command line
-    int cmdsize = 256;
     char cmd[cmdsize];
     cmd[0] = '\0';
     strcat(cmd, PAMPY);
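Review bot: `request_mfa` takes `char* result` without its capacity and instead hard-codes a local `int result_size = 2`, while the caller sizes the buffer from a second, independent `result_size`; the two must be kept in sync by hand or `fgets` writes past the caller's array. Pass the capacity explicitly, `static int request_mfa(pam_handle_t *pamh, const char *user, const char *service, char *result, size_t result_size)`, and drop the local copy; `static` also keeps the helper out of the shared object's exported symbols, where only the `pam_sm_*` entry points belong. The command assembled with `strcat` starting from `PAMPY` is later handed to `popen` (second hunk), i.e. interpreted by `/bin/sh -c`, and `user` comes from `PAM_USER`, which services such as sshd take from the remote client; if the lines between the hunks append `user` and `service` to `cmd` as the removed code presumably did, shell metacharacters in a username reach the shell. Prefer `fork`/`execv` with an explicit argv (or at minimum reject usernames outside `[A-Za-z0-9._-]` before building `cmd`), and name the interpreter by absolute path instead of relying on `PATH` in a privileged context.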
@@ -44,15 +32,37 @@ int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char** ar
     // Execute pam.py
     if ((fp = popen(cmd,"r")) == NULL) {
         pam_syslog(pamh,LOG_ERR,"Error opening pipe");
-        return PAM_AUTH_ERR;
+        result = "1";
+        return 1;
     }
 
-    // Get output and return authentication status
-    int size = 32;
-    char result[size];
-    fgets(result,size,fp);
-    pam_syslog(pamh,LOG_INFO,result);
+    // Set result to output of pam_mfa.py
+    fgets(result,result_size,fp);
     pclose(fp);
+    return 0;
+}
+
+int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char** argv) {
+    const char *user;
+    const char *service;
+
+    // Get user and service
+    if (pam_get_item(pamh, PAM_USER, (const void **) &user) != PAM_SUCCESS || user == NULL) {
+        pam_syslog(pamh,LOG_ERR,"unable to get user");
+        return PAM_AUTHINFO_UNAVAIL;
+    }
+    if (pam_get_item(pamh, PAM_SERVICE, (const void **) &service) != PAM_SUCCESS || service == NULL) {
+        pam_syslog(pamh,LOG_ERR,"unable to get service");
+        return PAM_AUTHINFO_UNAVAIL;
+    }
+
+    int retval;
+    int result_size = 2;
+    char result[result_size];
+    if ((retval = request_mfa(pamh, user, service, result)) != 0) {
+        pam_syslog(pamh,LOG_ERR,"error performing mfa");
+        return PAM_AUTH_ERR;
+    }
     if (atoi(result) == 0) {
         pam_syslog(pamh,LOG_INFO,"auth success");
         return PAM_SUCCESS;
@@ -63,5 +73,15 @@ int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char** ar
 }
 
 int pam_sm_setcred(pam_handle_t *pamh, int flags, int argc, const char** argv) {
-    return PAM_SUCCESS;
+    if (flags & PAM_DELETE_CRED || flags & PAM_REFRESH_CRED || flags & PAM_ESTABLISH_CRED) {
+        return PAM_SUCCESS;
+    }
+    if (flags & PAM_REINITIALIZE_CRED) {
+        int retval = pam_sm_authenticate(pamh,flags,argc,argv);
+        if (retval == PAM_SUCCESS) {
+            return PAM_SUCCESS;
+        } else {
+            return PAM_CRED_ERR;
+        }
+    }
 }
-- 
cgit v1.2.3
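Review bot: The new `request_mfa` fails open: the return value of `fgets(result,result_size,fp)` is never checked and the status from `pclose(fp)` is discarded, so when the helper prints nothing (script missing, Python error, process killed) `result` stays the caller's uninitialised `char result[result_size]`, and `atoi` of garbage, of an empty string or of a lone newline yields 0, which `pam_sm_authenticate` then logs as `auth success`. `result = "1";` in the `popen` failure branch only rebinds the local pointer and never reaches the caller's buffer, so it is dead code; that path is saved solely by the non-zero return. Treat a short read or an abnormal helper exit as an error, clear the buffer first, and in the caller replace `if (atoi(result) == 0) {` with `if (strcmp(result, "0") == 0) {` so that only an explicit "0" authenticates; `WIFEXITED`/`WEXITSTATUS` below need `<sys/wait.h>`. `pam_sm_authenticate` continues past the end of this hunk.
```c
    // Execute pam.py
    if ((fp = popen(cmd,"r")) == NULL) {
        pam_syslog(pamh,LOG_ERR,"Error opening pipe");
        return 1;
    }
    // Fail closed: no output, or a helper that did not exit 0, is an error,
    // never something the caller could mistake for the success value "0".
    result[0] = '\0';
    if (fgets(result, result_size, fp) == NULL) {
        pam_syslog(pamh,LOG_ERR,"no status from mfa helper");
        pclose(fp);
        return 1;
    }
    int status = pclose(fp);
    if (status == -1 || !WIFEXITED(status) || WEXITSTATUS(status) != 0) {
        pam_syslog(pamh,LOG_ERR,"mfa helper exited abnormally");
        return 1;
    }
    return 0;
}
// … unchanged: pam_sm_authenticate, apart from the strcmp check noted above …
```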
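Review bot: `pam_sm_setcred` now falls off the end of a non-void function when `flags` carries none of the four credential bits (for instance only `PAM_SILENT`), which is undefined behaviour and hands the caller whatever happens to be in the return register; Linux-PAM's `pam_setcred` appears to default to `PAM_ESTABLISH_CRED` when no bit is set, but the module should not rely on that. Add a final `return PAM_SUCCESS;` after the `PAM_REINITIALIZE_CRED` block, or fold the first test into `if (flags & (PAM_DELETE_CRED | PAM_REFRESH_CRED | PAM_ESTABLISH_CRED)) return PAM_SUCCESS;` followed by the reinitialise branch and that default; `-Wreturn-type` reports the current shape. Re-running the full `pam_sm_authenticate` on `PAM_REINITIALIZE_CRED` re-prompts for the second factor, which callers refreshing credentials may not expect, so a short comment such as `// Reinitialising credentials deliberately repeats the MFA challenge` would record that this is intended.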