|
/*
|
|
* Copyright (c) 2003-2007 Andrea Luzzardi <scox@sig11.org>
|
|
*
|
|
* This file is part of the pam_usb project. pam_usb is free software;
|
|
* you can redistribute it and/or modify it under the terms of the GNU General
|
|
* Public License version 2, as published by the Free Software Foundation.
|
|
*
|
|
* pam_usb is distributed in the hope that it will be useful, but WITHOUT ANY
|
|
* WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
|
|
* FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
|
|
* details.
|
|
*
|
|
* You should have received a copy of the GNU General Public License along with
|
|
* this program; if not, write to the Free Software Foundation, Inc., 51 Franklin
|
|
* Street, Fifth Floor, Boston, MA 02110-1301 USA
|
|
*/
|
|
|
|
#define PAM_SM_AUTH
|
|
#include <security/pam_modules.h>
|
|
#include <security/_pam_macros.h>
|
|
|
|
#include "version.h"
|
|
#include "conf.h"
|
|
#include "log.h"
|
|
#include "local.h"
|
|
#include "device.h"
|
|
|
|
PAM_EXTERN
|
|
int pam_sm_authenticate(pam_handle_t *pamh, int flags,
|
|
int argc, const char **argv)
|
|
{
|
|
t_pusb_options opts;
|
|
const char *service;
|
|
const char *user;
|
|
const char *tty;
|
|
char *conf_file = PUSB_CONF_FILE;
|
|
int retval;
|
|
|
|
pusb_log_init(&opts);
|
|
retval = pam_get_item(pamh, PAM_SERVICE,
|
|
(const void **)(const void *)&service);
|
|
if (retval != PAM_SUCCESS)
|
|
{
|
|
log_error("Unable to retrieve the PAM service name.\n");
|
|
return (PAM_AUTH_ERR);
|
|
}
|
|
|
|
if (pam_get_user(pamh, &user, NULL) != PAM_SUCCESS || !user || !*user)
|
|
{
|
|
log_error("Unable to retrieve the PAM user name.\n");
|
|
return (PAM_AUTH_ERR);
|
|
}
|
|
|
|
if (argc > 1)
|
|
if (!strcmp(argv[0], "-c"))
|
|
conf_file = (char *)argv[1];
|
|
if (!pusb_conf_init(&opts))
|
|
return (PAM_AUTH_ERR);
|
|
if (!pusb_conf_parse(conf_file, &opts, user, service))
|
|
return (PAM_AUTH_ERR);
|
|
|
|
if (!opts.enable)
|
|
{
|
|
log_debug("Not enabled, exiting...\n");
|
|
return (PAM_IGNORE);
|
|
}
|
|
|
|
log_info("pam_usb v%s\n", PUSB_VERSION);
|
|
log_info("Authentication request for user \"%s\" (%s)\n",
|
|
user, service);
|
|
|
|
if (pam_get_item(pamh, PAM_TTY,
|
|
(const void **)(const void *)&tty) == PAM_SUCCESS)
|
|
{
|
|
if (tty && !strcmp(tty, "ssh"))
|
|
{
|
|
log_debug("SSH Authentication, aborting.\n");
|
|
return (PAM_AUTH_ERR);
|
|
}
|
|
}
|
|
if (!pusb_local_login(&opts, user))
|
|
{
|
|
log_error("Access denied.\n");
|
|
return (PAM_AUTH_ERR);
|
|
}
|
|
if (pusb_device_check(&opts, user))
|
|
{
|
|
log_info("Access granted.\n");
|
|
return (PAM_SUCCESS);
|
|
}
|
|
log_error("Access denied.\n");
|
|
return (PAM_AUTH_ERR);
|
|
}
|
|
|
|
PAM_EXTERN
|
|
int pam_sm_setcred(pam_handle_t *pamh,int flags,int argc,
|
|
const char **argv)
|
|
{
|
|
return (PAM_SUCCESS);
|
|
}
|
|
|
|
#ifdef PAM_STATIC
|
|
|
|
struct pam_module _pam_usb_modstruct = {
|
|
"pam_usb",
|
|
pam_sm_authenticate,
|
|
pam_sm_setcred,
|
|
NULL,
|
|
NULL,
|
|
NULL,
|
|
NULL
|
|
};
|
|
|
|
#endif
|