Hardware authentication for Linux using ordinary USB Flash Drives.
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
 
 
 
 
 

114 lines
2.7 KiB

/*
* Copyright (c) 2003-2007 Andrea Luzzardi <scox@sig11.org>
*
* This file is part of the pam_usb project. pam_usb is free software;
* you can redistribute it and/or modify it under the terms of the GNU General
* Public License version 2, as published by the Free Software Foundation.
*
* pam_usb is distributed in the hope that it will be useful, but WITHOUT ANY
* WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
* FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
* details.
*
* You should have received a copy of the GNU General Public License along with
* this program; if not, write to the Free Software Foundation, Inc., 51 Franklin
* Street, Fifth Floor, Boston, MA 02110-1301 USA
*/
#define PAM_SM_AUTH
#include <security/pam_modules.h>
#include <security/_pam_macros.h>
#include "version.h"
#include "conf.h"
#include "log.h"
#include "local.h"
#include "device.h"
PAM_EXTERN
int pam_sm_authenticate(pam_handle_t *pamh, int flags,
int argc, const char **argv)
{
t_pusb_options opts;
const char *service;
const char *user;
const char *tty;
char *conf_file = PUSB_CONF_FILE;
int retval;
pusb_log_init(&opts);
retval = pam_get_item(pamh, PAM_SERVICE,
(const void **)(const void *)&service);
if (retval != PAM_SUCCESS)
{
log_error("Unable to retrieve the PAM service name.\n");
return (PAM_AUTH_ERR);
}
if (pam_get_user(pamh, &user, NULL) != PAM_SUCCESS || !user || !*user)
{
log_error("Unable to retrieve the PAM user name.\n");
return (PAM_AUTH_ERR);
}
if (argc > 1)
if (!strcmp(argv[0], "-c"))
conf_file = (char *)argv[1];
if (!pusb_conf_init(&opts))
return (PAM_AUTH_ERR);
if (!pusb_conf_parse(conf_file, &opts, user, service))
return (PAM_AUTH_ERR);
if (!opts.enable)
{
log_debug("Not enabled, exiting...\n");
return (PAM_IGNORE);
}
log_info("pam_usb v%s\n", PUSB_VERSION);
log_info("Authentication request for user \"%s\" (%s)\n",
user, service);
if (pam_get_item(pamh, PAM_TTY,
(const void **)(const void *)&tty) == PAM_SUCCESS)
{
if (tty && !strcmp(tty, "ssh"))
{
log_debug("SSH Authentication, aborting.\n");
return (PAM_AUTH_ERR);
}
}
if (!pusb_local_login(&opts, user))
{
log_error("Access denied.\n");
return (PAM_AUTH_ERR);
}
if (pusb_device_check(&opts, user))
{
log_info("Access granted.\n");
return (PAM_SUCCESS);
}
log_error("Access denied.\n");
return (PAM_AUTH_ERR);
}
PAM_EXTERN
int pam_sm_setcred(pam_handle_t *pamh,int flags,int argc,
const char **argv)
{
return (PAM_SUCCESS);
}
#ifdef PAM_STATIC
struct pam_module _pam_usb_modstruct = {
"pam_usb",
pam_sm_authenticate,
pam_sm_setcred,
NULL,
NULL,
NULL,
NULL
};
#endif