From 11a4a5edb9f0e22fe8355291942ed03c9765ced5 Mon Sep 17 00:00:00 2001 From: Sam Chudnick Date: Sun, 3 Jul 2022 05:46:34 -0400 Subject: Properly implemented pam_sm_setcred Properly implemented pam_sm_setcred and handle any flags that may be passed. Split running of python script and getting status into a separate function. --- pam/pam_mfa.c | 66 ++++++++++++++++++++++++++++++++++++++--------------------- 1 file changed, 43 insertions(+), 23 deletions(-) (limited to 'pam') diff --git a/pam/pam_mfa.c b/pam/pam_mfa.c index e366510..5167339 100644 --- a/pam/pam_mfa.c +++ b/pam/pam_mfa.c @@ -12,26 +12,14 @@ #include #include -#define PAMPY "python3 /usr/bin/openmfa/pam/pam.py" +#define PAMPY "python3 /usr/bin/pam_mfa.py" -int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char** argv) { - int retval; - const char *user; - const char *service; +int request_mfa(pam_handle_t *pamh, const char *user, const char *service, char* result) { FILE *fp; - - // Get user and service - if (pam_get_item(pamh, PAM_USER, (const void **) &user) != PAM_SUCCESS || user == NULL) { - pam_syslog(pamh,LOG_ERR,"unable to get ruser"); - return PAM_AUTHINFO_UNAVAIL; - } - if (pam_get_item(pamh, PAM_SERVICE, (const void **) &service) != PAM_SUCCESS || service == NULL) { - pam_syslog(pamh,LOG_ERR,"unable to get service"); - return PAM_AUTHINFO_UNAVAIL; - } + int cmdsize = 256; + int result_size = 2; // Build command line - int cmdsize = 256; char cmd[cmdsize]; cmd[0] = '\0'; strcat(cmd, PAMPY); @@ -44,15 +32,37 @@ int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char** ar // Execute pam.py if ((fp = popen(cmd,"r")) == NULL) { pam_syslog(pamh,LOG_ERR,"Error opening pipe"); - return PAM_AUTH_ERR; + result = "1"; + return 1; } - // Get output and return authentication status - int size = 32; - char result[size]; - fgets(result,size,fp); - pam_syslog(pamh,LOG_INFO,result); + // Set result to output of pam_mfa.py + fgets(result,result_size,fp); pclose(fp); + return 0; +} + +int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char** argv) { + const char *user; + const char *service; + + // Get user and service + if (pam_get_item(pamh, PAM_USER, (const void **) &user) != PAM_SUCCESS || user == NULL) { + pam_syslog(pamh,LOG_ERR,"unable to get user"); + return PAM_AUTHINFO_UNAVAIL; + } + if (pam_get_item(pamh, PAM_SERVICE, (const void **) &service) != PAM_SUCCESS || service == NULL) { + pam_syslog(pamh,LOG_ERR,"unable to get service"); + return PAM_AUTHINFO_UNAVAIL; + } + + int retval; + int result_size = 2; + char result[result_size]; + if ((retval = request_mfa(pamh, user, service, result)) != 0) { + pam_syslog(pamh,LOG_ERR,"error performing mfa"); + return PAM_AUTH_ERR; + } if (atoi(result) == 0) { pam_syslog(pamh,LOG_INFO,"auth success"); return PAM_SUCCESS; @@ -63,5 +73,15 @@ int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char** ar } int pam_sm_setcred(pam_handle_t *pamh, int flags, int argc, const char** argv) { - return PAM_SUCCESS; + if (flags & PAM_DELETE_CRED || flags & PAM_REFRESH_CRED || flags & PAM_ESTABLISH_CRED) { + return PAM_SUCCESS; + } + if (flags & PAM_REINITIALIZE_CRED) { + int retval = pam_sm_authenticate(pamh,flags,argc,argv); + if (retval == PAM_SUCCESS) { + return PAM_SUCCESS; + } else { + return PAM_CRED_ERR; + } + } } -- cgit v1.2.3