Mercurial > dovecot > original-hg > dovecot-1.2
annotate src/auth/passdb-pam.c @ 9608:f30e6a345d73 HEAD
Added tag 1.2.14 for changeset eb04e2b13e3d
| author | Timo Sirainen <tss@iki.fi> |
|---|---|
| date | Tue, 24 Aug 2010 18:10:29 +0100 |
| parents | 48b1f2b7144b |
| children |
| rev | line source |
|---|---|
|
1035
fe49ece0f3ea
We have now separate "userdb" and "passdb". They aren't tied to each others
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
1 /* |
|
fe49ece0f3ea
We have now separate "userdb" and "passdb". They aren't tied to each others
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
2 Based on auth_pam.c from popa3d by Solar Designer <solar@openwall.com>. |
|
fe49ece0f3ea
We have now separate "userdb" and "passdb". They aren't tied to each others
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
3 |
|
fe49ece0f3ea
We have now separate "userdb" and "passdb". They aren't tied to each others
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
4 You're allowed to do whatever you like with this software (including |
|
fe49ece0f3ea
We have now separate "userdb" and "passdb". They aren't tied to each others
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
5 re-distribution in source and/or binary form, with or without |
|
fe49ece0f3ea
We have now separate "userdb" and "passdb". They aren't tied to each others
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
6 modification), provided that credit is given where it is due and any |
|
fe49ece0f3ea
We have now separate "userdb" and "passdb". They aren't tied to each others
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
7 modified versions are marked as such. There's absolutely no warranty. |
|
fe49ece0f3ea
We have now separate "userdb" and "passdb". They aren't tied to each others
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
8 */ |
|
fe49ece0f3ea
We have now separate "userdb" and "passdb". They aren't tied to each others
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
9 |
|
3474
9096b7957413
Removed direct config.h including. I'm not sure why it was done before,
Timo Sirainen <tss@iki.fi>
parents:
3426
diff
changeset
|
10 #include "common.h" |
|
8217
c47b78e843aa
Separate "unknown passdb/userdb X" and "support for X not compiled in" error messages.
Timo Sirainen <tss@iki.fi>
parents:
6940
diff
changeset
|
11 #include "passdb.h" |
|
1035
fe49ece0f3ea
We have now separate "userdb" and "passdb". They aren't tied to each others
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
12 |
|
fe49ece0f3ea
We have now separate "userdb" and "passdb". They aren't tied to each others
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
13 #ifdef PASSDB_PAM |
|
fe49ece0f3ea
We have now separate "userdb" and "passdb". They aren't tied to each others
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
14 |
|
4564
6012b0978d2c
Use SIGCHLD handler to check for killed child processes instead of a timeout
Timo Sirainen <tss@iki.fi>
parents:
4374
diff
changeset
|
15 #include "lib-signals.h" |
|
5263
8384f797c0fc
PAM service name supports variables now.
Timo Sirainen <tss@iki.fi>
parents:
5259
diff
changeset
|
16 #include "str.h" |
|
8384f797c0fc
PAM service name supports variables now.
Timo Sirainen <tss@iki.fi>
parents:
5259
diff
changeset
|
17 #include "var-expand.h" |
|
2134
c70d0155d93c
Set PAM_RHOST for PAM if it's known.
Timo Sirainen <tss@iki.fi>
parents:
2099
diff
changeset
|
18 #include "network.h" |
|
1035
fe49ece0f3ea
We have now separate "userdb" and "passdb". They aren't tied to each others
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
19 #include "safe-memset.h" |
|
6241
17e056f924cb
Store cache_key via auth_cache_parse_key() which adds TABs between the
Timo Sirainen <tss@iki.fi>
parents:
6218
diff
changeset
|
20 #include "auth-cache.h" |
|
1035
fe49ece0f3ea
We have now separate "userdb" and "passdb". They aren't tied to each others
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
21 |
|
fe49ece0f3ea
We have now separate "userdb" and "passdb". They aren't tied to each others
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
22 #include <stdlib.h> |
|
8251
26e7d4905d81
PAM: Attempt to give better error messages.
Timo Sirainen <tss@iki.fi>
parents:
8217
diff
changeset
|
23 #include <sys/stat.h> |
|
5120
e4acabdc0de0
If PAM child process hasn't responded in two minutes, send KILL signal to
Timo Sirainen <tss@iki.fi>
parents:
4907
diff
changeset
|
24 |
|
1035
fe49ece0f3ea
We have now separate "userdb" and "passdb". They aren't tied to each others
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
25 #ifdef HAVE_SECURITY_PAM_APPL_H |
|
fe49ece0f3ea
We have now separate "userdb" and "passdb". They aren't tied to each others
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
26 # include <security/pam_appl.h> |
|
fe49ece0f3ea
We have now separate "userdb" and "passdb". They aren't tied to each others
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
27 #elif defined(HAVE_PAM_PAM_APPL_H) |
|
fe49ece0f3ea
We have now separate "userdb" and "passdb". They aren't tied to each others
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
28 # include <pam/pam_appl.h> |
|
fe49ece0f3ea
We have now separate "userdb" and "passdb". They aren't tied to each others
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
29 #endif |
|
fe49ece0f3ea
We have now separate "userdb" and "passdb". They aren't tied to each others
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
30 |
|
9249
48b1f2b7144b
pam: Fixed compiler warning with BSDs.
Timo Sirainen <tss@iki.fi>
parents:
8709
diff
changeset
|
31 #if defined(sun) || defined(__sun__) || defined(_HPUX_SOURCE) |
|
48b1f2b7144b
pam: Fixed compiler warning with BSDs.
Timo Sirainen <tss@iki.fi>
parents:
8709
diff
changeset
|
32 # define pam_const |
|
48b1f2b7144b
pam: Fixed compiler warning with BSDs.
Timo Sirainen <tss@iki.fi>
parents:
8709
diff
changeset
|
33 #else |
|
48b1f2b7144b
pam: Fixed compiler warning with BSDs.
Timo Sirainen <tss@iki.fi>
parents:
8709
diff
changeset
|
34 # define pam_const const |
|
8251
26e7d4905d81
PAM: Attempt to give better error messages.
Timo Sirainen <tss@iki.fi>
parents:
8217
diff
changeset
|
35 #endif |
|
26e7d4905d81
PAM: Attempt to give better error messages.
Timo Sirainen <tss@iki.fi>
parents:
8217
diff
changeset
|
36 |
|
9249
48b1f2b7144b
pam: Fixed compiler warning with BSDs.
Timo Sirainen <tss@iki.fi>
parents:
8709
diff
changeset
|
37 typedef pam_const void *pam_item_t; |
|
1035
fe49ece0f3ea
We have now separate "userdb" and "passdb". They aren't tied to each others
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
38 |
|
8560
b6a7bc10c19a
Replaced auth_worker_max_request_count setting with passdb pam { args = max_requests=n }
Timo Sirainen <tss@iki.fi>
parents:
8513
diff
changeset
|
39 #define PASSDB_PAM_DEFAULT_MAX_REQUESTS 100 |
|
b6a7bc10c19a
Replaced auth_worker_max_request_count setting with passdb pam { args = max_requests=n }
Timo Sirainen <tss@iki.fi>
parents:
8513
diff
changeset
|
40 |
|
3657
0c10475d9968
Separated passdb_module's interface and the actual data struct. Now it's
Timo Sirainen <tss@iki.fi>
parents:
3656
diff
changeset
|
41 struct pam_passdb_module { |
|
0c10475d9968
Separated passdb_module's interface and the actual data struct. Now it's
Timo Sirainen <tss@iki.fi>
parents:
3656
diff
changeset
|
42 struct passdb_module module; |
|
0c10475d9968
Separated passdb_module's interface and the actual data struct. Now it's
Timo Sirainen <tss@iki.fi>
parents:
3656
diff
changeset
|
43 |
|
0c10475d9968
Separated passdb_module's interface and the actual data struct. Now it's
Timo Sirainen <tss@iki.fi>
parents:
3656
diff
changeset
|
44 const char *service_name, *pam_cache_key; |
|
8560
b6a7bc10c19a
Replaced auth_worker_max_request_count setting with passdb pam { args = max_requests=n }
Timo Sirainen <tss@iki.fi>
parents:
8513
diff
changeset
|
45 unsigned int requests_left; |
|
6215
a9c934833374
Added failure_show_msg=yes parameter to PAM. If set, the first line of PAM
Timo Sirainen <tss@iki.fi>
parents:
6212
diff
changeset
|
46 |
|
a9c934833374
Added failure_show_msg=yes parameter to PAM. If set, the first line of PAM
Timo Sirainen <tss@iki.fi>
parents:
6212
diff
changeset
|
47 unsigned int pam_setcred:1; |
|
a9c934833374
Added failure_show_msg=yes parameter to PAM. If set, the first line of PAM
Timo Sirainen <tss@iki.fi>
parents:
6212
diff
changeset
|
48 unsigned int pam_session:1; |
|
a9c934833374
Added failure_show_msg=yes parameter to PAM. If set, the first line of PAM
Timo Sirainen <tss@iki.fi>
parents:
6212
diff
changeset
|
49 unsigned int failure_show_msg:1; |
|
3657
0c10475d9968
Separated passdb_module's interface and the actual data struct. Now it's
Timo Sirainen <tss@iki.fi>
parents:
3656
diff
changeset
|
50 }; |
|
0c10475d9968
Separated passdb_module's interface and the actual data struct. Now it's
Timo Sirainen <tss@iki.fi>
parents:
3656
diff
changeset
|
51 |
|
6212
6162c80dc9b7
Code cleanups. Also if auth_debug is enabled, log PAM messages.
Timo Sirainen <tss@iki.fi>
parents:
6211
diff
changeset
|
52 struct pam_conv_context { |
|
6162c80dc9b7
Code cleanups. Also if auth_debug is enabled, log PAM messages.
Timo Sirainen <tss@iki.fi>
parents:
6211
diff
changeset
|
53 struct auth_request *request; |
|
1035
fe49ece0f3ea
We have now separate "userdb" and "passdb". They aren't tied to each others
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
54 const char *pass; |
|
6215
a9c934833374
Added failure_show_msg=yes parameter to PAM. If set, the first line of PAM
Timo Sirainen <tss@iki.fi>
parents:
6212
diff
changeset
|
55 const char *failure_msg; |
|
1035
fe49ece0f3ea
We have now separate "userdb" and "passdb". They aren't tied to each others
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
56 }; |
|
fe49ece0f3ea
We have now separate "userdb" and "passdb". They aren't tied to each others
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
57 |
|
6212
6162c80dc9b7
Code cleanups. Also if auth_debug is enabled, log PAM messages.
Timo Sirainen <tss@iki.fi>
parents:
6211
diff
changeset
|
58 static int |
|
9249
48b1f2b7144b
pam: Fixed compiler warning with BSDs.
Timo Sirainen <tss@iki.fi>
parents:
8709
diff
changeset
|
59 pam_userpass_conv(int num_msg, pam_const struct pam_message **msg, |
|
6212
6162c80dc9b7
Code cleanups. Also if auth_debug is enabled, log PAM messages.
Timo Sirainen <tss@iki.fi>
parents:
6211
diff
changeset
|
60 struct pam_response **resp_r, void *appdata_ptr) |
|
1035
fe49ece0f3ea
We have now separate "userdb" and "passdb". They aren't tied to each others
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
61 { |
|
fe49ece0f3ea
We have now separate "userdb" and "passdb". They aren't tied to each others
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
62 /* @UNSAFE */ |
|
6212
6162c80dc9b7
Code cleanups. Also if auth_debug is enabled, log PAM messages.
Timo Sirainen <tss@iki.fi>
parents:
6211
diff
changeset
|
63 struct pam_conv_context *ctx = appdata_ptr; |
|
6215
a9c934833374
Added failure_show_msg=yes parameter to PAM. If set, the first line of PAM
Timo Sirainen <tss@iki.fi>
parents:
6212
diff
changeset
|
64 struct passdb_module *_passdb = ctx->request->passdb->passdb; |
|
a9c934833374
Added failure_show_msg=yes parameter to PAM. If set, the first line of PAM
Timo Sirainen <tss@iki.fi>
parents:
6212
diff
changeset
|
65 struct pam_passdb_module *passdb = (struct pam_passdb_module *)_passdb; |
|
6212
6162c80dc9b7
Code cleanups. Also if auth_debug is enabled, log PAM messages.
Timo Sirainen <tss@iki.fi>
parents:
6211
diff
changeset
|
66 struct pam_response *resp; |
|
1035
fe49ece0f3ea
We have now separate "userdb" and "passdb". They aren't tied to each others
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
67 char *string; |
|
fe49ece0f3ea
We have now separate "userdb" and "passdb". They aren't tied to each others
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
68 int i; |
|
fe49ece0f3ea
We have now separate "userdb" and "passdb". They aren't tied to each others
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
69 |
|
6212
6162c80dc9b7
Code cleanups. Also if auth_debug is enabled, log PAM messages.
Timo Sirainen <tss@iki.fi>
parents:
6211
diff
changeset
|
70 *resp_r = NULL; |
|
6162c80dc9b7
Code cleanups. Also if auth_debug is enabled, log PAM messages.
Timo Sirainen <tss@iki.fi>
parents:
6211
diff
changeset
|
71 |
|
6162c80dc9b7
Code cleanups. Also if auth_debug is enabled, log PAM messages.
Timo Sirainen <tss@iki.fi>
parents:
6211
diff
changeset
|
72 resp = calloc(num_msg, sizeof(struct pam_response)); |
|
6162c80dc9b7
Code cleanups. Also if auth_debug is enabled, log PAM messages.
Timo Sirainen <tss@iki.fi>
parents:
6211
diff
changeset
|
73 if (resp == NULL) |
|
6162c80dc9b7
Code cleanups. Also if auth_debug is enabled, log PAM messages.
Timo Sirainen <tss@iki.fi>
parents:
6211
diff
changeset
|
74 i_fatal_status(FATAL_OUTOFMEM, "Out of memory"); |
|
1035
fe49ece0f3ea
We have now separate "userdb" and "passdb". They aren't tied to each others
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
75 |
|
fe49ece0f3ea
We have now separate "userdb" and "passdb". They aren't tied to each others
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
76 for (i = 0; i < num_msg; i++) { |
|
6212
6162c80dc9b7
Code cleanups. Also if auth_debug is enabled, log PAM messages.
Timo Sirainen <tss@iki.fi>
parents:
6211
diff
changeset
|
77 auth_request_log_debug(ctx->request, "pam", |
|
6162c80dc9b7
Code cleanups. Also if auth_debug is enabled, log PAM messages.
Timo Sirainen <tss@iki.fi>
parents:
6211
diff
changeset
|
78 "#%d/%d style=%d msg=%s", i+1, num_msg, |
|
6216
91f9f6fb8276
Make sure we don't crash if PAM message is NULL and debug is enabled.
Timo Sirainen <tss@iki.fi>
parents:
6215
diff
changeset
|
79 msg[i]->msg_style, |
|
91f9f6fb8276
Make sure we don't crash if PAM message is NULL and debug is enabled.
Timo Sirainen <tss@iki.fi>
parents:
6215
diff
changeset
|
80 msg[i]->msg != NULL ? msg[i]->msg : ""); |
|
1035
fe49ece0f3ea
We have now separate "userdb" and "passdb". They aren't tied to each others
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
81 switch (msg[i]->msg_style) { |
|
fe49ece0f3ea
We have now separate "userdb" and "passdb". They aren't tied to each others
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
82 case PAM_PROMPT_ECHO_ON: |
|
6212
6162c80dc9b7
Code cleanups. Also if auth_debug is enabled, log PAM messages.
Timo Sirainen <tss@iki.fi>
parents:
6211
diff
changeset
|
83 /* Assume we're asking for user. We might not ever |
|
6162c80dc9b7
Code cleanups. Also if auth_debug is enabled, log PAM messages.
Timo Sirainen <tss@iki.fi>
parents:
6211
diff
changeset
|
84 get here because PAM already knows the user. */ |
|
6162c80dc9b7
Code cleanups. Also if auth_debug is enabled, log PAM messages.
Timo Sirainen <tss@iki.fi>
parents:
6211
diff
changeset
|
85 string = strdup(ctx->request->user); |
|
1035
fe49ece0f3ea
We have now separate "userdb" and "passdb". They aren't tied to each others
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
86 if (string == NULL) |
|
3198
cb285bd5d8c9
If we run out of memory, exit with FATAL_OUTOFMEM status instead of dumping
Timo Sirainen <tss@iki.fi>
parents:
3166
diff
changeset
|
87 i_fatal_status(FATAL_OUTOFMEM, "Out of memory"); |
|
1035
fe49ece0f3ea
We have now separate "userdb" and "passdb". They aren't tied to each others
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
88 break; |
|
fe49ece0f3ea
We have now separate "userdb" and "passdb". They aren't tied to each others
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
89 case PAM_PROMPT_ECHO_OFF: |
|
6212
6162c80dc9b7
Code cleanups. Also if auth_debug is enabled, log PAM messages.
Timo Sirainen <tss@iki.fi>
parents:
6211
diff
changeset
|
90 /* Assume we're asking for password */ |
|
6215
a9c934833374
Added failure_show_msg=yes parameter to PAM. If set, the first line of PAM
Timo Sirainen <tss@iki.fi>
parents:
6212
diff
changeset
|
91 if (passdb->failure_show_msg) |
|
a9c934833374
Added failure_show_msg=yes parameter to PAM. If set, the first line of PAM
Timo Sirainen <tss@iki.fi>
parents:
6212
diff
changeset
|
92 ctx->failure_msg = t_strdup(msg[i]->msg); |
|
6212
6162c80dc9b7
Code cleanups. Also if auth_debug is enabled, log PAM messages.
Timo Sirainen <tss@iki.fi>
parents:
6211
diff
changeset
|
93 string = strdup(ctx->pass); |
|
1035
fe49ece0f3ea
We have now separate "userdb" and "passdb". They aren't tied to each others
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
94 if (string == NULL) |
|
3198
cb285bd5d8c9
If we run out of memory, exit with FATAL_OUTOFMEM status instead of dumping
Timo Sirainen <tss@iki.fi>
parents:
3166
diff
changeset
|
95 i_fatal_status(FATAL_OUTOFMEM, "Out of memory"); |
|
1035
fe49ece0f3ea
We have now separate "userdb" and "passdb". They aren't tied to each others
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
96 break; |
|
fe49ece0f3ea
We have now separate "userdb" and "passdb". They aren't tied to each others
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
97 case PAM_ERROR_MSG: |
|
fe49ece0f3ea
We have now separate "userdb" and "passdb". They aren't tied to each others
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
98 case PAM_TEXT_INFO: |
|
fe49ece0f3ea
We have now separate "userdb" and "passdb". They aren't tied to each others
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
99 string = NULL; |
|
fe49ece0f3ea
We have now separate "userdb" and "passdb". They aren't tied to each others
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
100 break; |
|
fe49ece0f3ea
We have now separate "userdb" and "passdb". They aren't tied to each others
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
101 default: |
|
fe49ece0f3ea
We have now separate "userdb" and "passdb". They aren't tied to each others
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
102 while (--i >= 0) { |
|
6212
6162c80dc9b7
Code cleanups. Also if auth_debug is enabled, log PAM messages.
Timo Sirainen <tss@iki.fi>
parents:
6211
diff
changeset
|
103 if (resp[i].resp != NULL) { |
|
6162c80dc9b7
Code cleanups. Also if auth_debug is enabled, log PAM messages.
Timo Sirainen <tss@iki.fi>
parents:
6211
diff
changeset
|
104 safe_memset(resp[i].resp, 0, |
|
6162c80dc9b7
Code cleanups. Also if auth_debug is enabled, log PAM messages.
Timo Sirainen <tss@iki.fi>
parents:
6211
diff
changeset
|
105 strlen(resp[i].resp)); |
|
6162c80dc9b7
Code cleanups. Also if auth_debug is enabled, log PAM messages.
Timo Sirainen <tss@iki.fi>
parents:
6211
diff
changeset
|
106 free(resp[i].resp); |
|
6162c80dc9b7
Code cleanups. Also if auth_debug is enabled, log PAM messages.
Timo Sirainen <tss@iki.fi>
parents:
6211
diff
changeset
|
107 } |
|
1035
fe49ece0f3ea
We have now separate "userdb" and "passdb". They aren't tied to each others
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
108 } |
|
fe49ece0f3ea
We have now separate "userdb" and "passdb". They aren't tied to each others
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
109 |
|
6212
6162c80dc9b7
Code cleanups. Also if auth_debug is enabled, log PAM messages.
Timo Sirainen <tss@iki.fi>
parents:
6211
diff
changeset
|
110 free(resp); |
|
1035
fe49ece0f3ea
We have now separate "userdb" and "passdb". They aren't tied to each others
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
111 return PAM_CONV_ERR; |
|
fe49ece0f3ea
We have now separate "userdb" and "passdb". They aren't tied to each others
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
112 } |
|
fe49ece0f3ea
We have now separate "userdb" and "passdb". They aren't tied to each others
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
113 |
|
6212
6162c80dc9b7
Code cleanups. Also if auth_debug is enabled, log PAM messages.
Timo Sirainen <tss@iki.fi>
parents:
6211
diff
changeset
|
114 resp[i].resp_retcode = PAM_SUCCESS; |
|
6162c80dc9b7
Code cleanups. Also if auth_debug is enabled, log PAM messages.
Timo Sirainen <tss@iki.fi>
parents:
6211
diff
changeset
|
115 resp[i].resp = string; |
|
1035
fe49ece0f3ea
We have now separate "userdb" and "passdb". They aren't tied to each others
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
116 } |
|
fe49ece0f3ea
We have now separate "userdb" and "passdb". They aren't tied to each others
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
117 |
|
6212
6162c80dc9b7
Code cleanups. Also if auth_debug is enabled, log PAM messages.
Timo Sirainen <tss@iki.fi>
parents:
6211
diff
changeset
|
118 *resp_r = resp; |
|
1035
fe49ece0f3ea
We have now separate "userdb" and "passdb". They aren't tied to each others
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
119 return PAM_SUCCESS; |
|
fe49ece0f3ea
We have now separate "userdb" and "passdb". They aren't tied to each others
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
120 } |
|
fe49ece0f3ea
We have now separate "userdb" and "passdb". They aren't tied to each others
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
121 |
|
8251
26e7d4905d81
PAM: Attempt to give better error messages.
Timo Sirainen <tss@iki.fi>
parents:
8217
diff
changeset
|
122 static const char * |
|
26e7d4905d81
PAM: Attempt to give better error messages.
Timo Sirainen <tss@iki.fi>
parents:
8217
diff
changeset
|
123 pam_get_missing_service_file_path(const char *service ATTR_UNUSED) |
|
26e7d4905d81
PAM: Attempt to give better error messages.
Timo Sirainen <tss@iki.fi>
parents:
8217
diff
changeset
|
124 { |
|
26e7d4905d81
PAM: Attempt to give better error messages.
Timo Sirainen <tss@iki.fi>
parents:
8217
diff
changeset
|
125 #ifdef SUNPAM |
|
26e7d4905d81
PAM: Attempt to give better error messages.
Timo Sirainen <tss@iki.fi>
parents:
8217
diff
changeset
|
126 /* Uses /etc/pam.conf - we're not going to parse that */ |
|
26e7d4905d81
PAM: Attempt to give better error messages.
Timo Sirainen <tss@iki.fi>
parents:
8217
diff
changeset
|
127 return NULL; |
|
26e7d4905d81
PAM: Attempt to give better error messages.
Timo Sirainen <tss@iki.fi>
parents:
8217
diff
changeset
|
128 #else |
|
26e7d4905d81
PAM: Attempt to give better error messages.
Timo Sirainen <tss@iki.fi>
parents:
8217
diff
changeset
|
129 static bool service_checked = FALSE; |
|
26e7d4905d81
PAM: Attempt to give better error messages.
Timo Sirainen <tss@iki.fi>
parents:
8217
diff
changeset
|
130 const char *path; |
|
26e7d4905d81
PAM: Attempt to give better error messages.
Timo Sirainen <tss@iki.fi>
parents:
8217
diff
changeset
|
131 struct stat st; |
|
26e7d4905d81
PAM: Attempt to give better error messages.
Timo Sirainen <tss@iki.fi>
parents:
8217
diff
changeset
|
132 |
|
26e7d4905d81
PAM: Attempt to give better error messages.
Timo Sirainen <tss@iki.fi>
parents:
8217
diff
changeset
|
133 if (service_checked) { |
|
26e7d4905d81
PAM: Attempt to give better error messages.
Timo Sirainen <tss@iki.fi>
parents:
8217
diff
changeset
|
134 /* check and complain only once */ |
|
26e7d4905d81
PAM: Attempt to give better error messages.
Timo Sirainen <tss@iki.fi>
parents:
8217
diff
changeset
|
135 return NULL; |
|
26e7d4905d81
PAM: Attempt to give better error messages.
Timo Sirainen <tss@iki.fi>
parents:
8217
diff
changeset
|
136 } |
|
26e7d4905d81
PAM: Attempt to give better error messages.
Timo Sirainen <tss@iki.fi>
parents:
8217
diff
changeset
|
137 service_checked = TRUE; |
|
26e7d4905d81
PAM: Attempt to give better error messages.
Timo Sirainen <tss@iki.fi>
parents:
8217
diff
changeset
|
138 |
|
26e7d4905d81
PAM: Attempt to give better error messages.
Timo Sirainen <tss@iki.fi>
parents:
8217
diff
changeset
|
139 path = t_strdup_printf("/etc/pam.d/%s", service); |
|
26e7d4905d81
PAM: Attempt to give better error messages.
Timo Sirainen <tss@iki.fi>
parents:
8217
diff
changeset
|
140 if (stat(path, &st) < 0 && errno == ENOENT) { |
|
26e7d4905d81
PAM: Attempt to give better error messages.
Timo Sirainen <tss@iki.fi>
parents:
8217
diff
changeset
|
141 /* looks like it's missing. but before assuming that the system |
|
26e7d4905d81
PAM: Attempt to give better error messages.
Timo Sirainen <tss@iki.fi>
parents:
8217
diff
changeset
|
142 even uses /etc/pam.d, make sure that it exists. */ |
|
26e7d4905d81
PAM: Attempt to give better error messages.
Timo Sirainen <tss@iki.fi>
parents:
8217
diff
changeset
|
143 if (stat("/etc/pam.d", &st) == 0) |
|
26e7d4905d81
PAM: Attempt to give better error messages.
Timo Sirainen <tss@iki.fi>
parents:
8217
diff
changeset
|
144 return path; |
|
26e7d4905d81
PAM: Attempt to give better error messages.
Timo Sirainen <tss@iki.fi>
parents:
8217
diff
changeset
|
145 } |
|
26e7d4905d81
PAM: Attempt to give better error messages.
Timo Sirainen <tss@iki.fi>
parents:
8217
diff
changeset
|
146 /* exists or is unknown */ |
|
26e7d4905d81
PAM: Attempt to give better error messages.
Timo Sirainen <tss@iki.fi>
parents:
8217
diff
changeset
|
147 return NULL; |
|
8252
533b43760eaa
Solaris: Compile fix for previous PAM changes.
Timo Sirainen <tss@iki.fi>
parents:
8251
diff
changeset
|
148 #endif |
|
8251
26e7d4905d81
PAM: Attempt to give better error messages.
Timo Sirainen <tss@iki.fi>
parents:
8217
diff
changeset
|
149 } |
|
26e7d4905d81
PAM: Attempt to give better error messages.
Timo Sirainen <tss@iki.fi>
parents:
8217
diff
changeset
|
150 |
|
26e7d4905d81
PAM: Attempt to give better error messages.
Timo Sirainen <tss@iki.fi>
parents:
8217
diff
changeset
|
151 static int try_pam_auth(struct auth_request *request, pam_handle_t *pamh, |
|
26e7d4905d81
PAM: Attempt to give better error messages.
Timo Sirainen <tss@iki.fi>
parents:
8217
diff
changeset
|
152 const char *service) |
|
1035
fe49ece0f3ea
We have now separate "userdb" and "passdb". They aren't tied to each others
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
153 { |
|
3657
0c10475d9968
Separated passdb_module's interface and the actual data struct. Now it's
Timo Sirainen <tss@iki.fi>
parents:
3656
diff
changeset
|
154 struct passdb_module *_module = request->passdb->passdb; |
|
0c10475d9968
Separated passdb_module's interface and the actual data struct. Now it's
Timo Sirainen <tss@iki.fi>
parents:
3656
diff
changeset
|
155 struct pam_passdb_module *module = (struct pam_passdb_module *)_module; |
|
8251
26e7d4905d81
PAM: Attempt to give better error messages.
Timo Sirainen <tss@iki.fi>
parents:
8217
diff
changeset
|
156 const char *path, *str; |
|
6212
6162c80dc9b7
Code cleanups. Also if auth_debug is enabled, log PAM messages.
Timo Sirainen <tss@iki.fi>
parents:
6211
diff
changeset
|
157 pam_item_t item; |
|
1035
fe49ece0f3ea
We have now separate "userdb" and "passdb". They aren't tied to each others
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
158 int status; |
|
fe49ece0f3ea
We have now separate "userdb" and "passdb". They aren't tied to each others
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
159 |
|
fe49ece0f3ea
We have now separate "userdb" and "passdb". They aren't tied to each others
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
160 if ((status = pam_authenticate(pamh, 0)) != PAM_SUCCESS) { |
|
8251
26e7d4905d81
PAM: Attempt to give better error messages.
Timo Sirainen <tss@iki.fi>
parents:
8217
diff
changeset
|
161 path = pam_get_missing_service_file_path(service); |
|
26e7d4905d81
PAM: Attempt to give better error messages.
Timo Sirainen <tss@iki.fi>
parents:
8217
diff
changeset
|
162 switch (status) { |
|
26e7d4905d81
PAM: Attempt to give better error messages.
Timo Sirainen <tss@iki.fi>
parents:
8217
diff
changeset
|
163 case PAM_USER_UNKNOWN: |
|
26e7d4905d81
PAM: Attempt to give better error messages.
Timo Sirainen <tss@iki.fi>
parents:
8217
diff
changeset
|
164 str = "unknown user"; |
|
26e7d4905d81
PAM: Attempt to give better error messages.
Timo Sirainen <tss@iki.fi>
parents:
8217
diff
changeset
|
165 break; |
|
26e7d4905d81
PAM: Attempt to give better error messages.
Timo Sirainen <tss@iki.fi>
parents:
8217
diff
changeset
|
166 default: |
|
26e7d4905d81
PAM: Attempt to give better error messages.
Timo Sirainen <tss@iki.fi>
parents:
8217
diff
changeset
|
167 str = t_strconcat("pam_authenticate() failed: ", |
|
26e7d4905d81
PAM: Attempt to give better error messages.
Timo Sirainen <tss@iki.fi>
parents:
8217
diff
changeset
|
168 pam_strerror(pamh, status), NULL); |
|
26e7d4905d81
PAM: Attempt to give better error messages.
Timo Sirainen <tss@iki.fi>
parents:
8217
diff
changeset
|
169 break; |
|
26e7d4905d81
PAM: Attempt to give better error messages.
Timo Sirainen <tss@iki.fi>
parents:
8217
diff
changeset
|
170 } |
|
26e7d4905d81
PAM: Attempt to give better error messages.
Timo Sirainen <tss@iki.fi>
parents:
8217
diff
changeset
|
171 if (path != NULL) { |
|
26e7d4905d81
PAM: Attempt to give better error messages.
Timo Sirainen <tss@iki.fi>
parents:
8217
diff
changeset
|
172 /* log this as error, since it probably is */ |
|
26e7d4905d81
PAM: Attempt to give better error messages.
Timo Sirainen <tss@iki.fi>
parents:
8217
diff
changeset
|
173 str = t_strdup_printf("%s (%s missing?)", str, path); |
|
26e7d4905d81
PAM: Attempt to give better error messages.
Timo Sirainen <tss@iki.fi>
parents:
8217
diff
changeset
|
174 auth_request_log_error(request, "pam", "%s", str); |
|
8709
323c8eff78d4
auth_debug_passwords=yes: Log password for PAM lookups.
Timo Sirainen <tss@iki.fi>
parents:
8560
diff
changeset
|
175 } else if (status == PAM_AUTH_ERR) { |
|
323c8eff78d4
auth_debug_passwords=yes: Log password for PAM lookups.
Timo Sirainen <tss@iki.fi>
parents:
8560
diff
changeset
|
176 str = t_strconcat(str, " (password mismatch?)", NULL); |
|
323c8eff78d4
auth_debug_passwords=yes: Log password for PAM lookups.
Timo Sirainen <tss@iki.fi>
parents:
8560
diff
changeset
|
177 if (request->auth->verbose_debug_passwords) { |
|
323c8eff78d4
auth_debug_passwords=yes: Log password for PAM lookups.
Timo Sirainen <tss@iki.fi>
parents:
8560
diff
changeset
|
178 str = t_strconcat(str, " (given password: ", |
|
323c8eff78d4
auth_debug_passwords=yes: Log password for PAM lookups.
Timo Sirainen <tss@iki.fi>
parents:
8560
diff
changeset
|
179 request->mech_password, |
|
323c8eff78d4
auth_debug_passwords=yes: Log password for PAM lookups.
Timo Sirainen <tss@iki.fi>
parents:
8560
diff
changeset
|
180 ")", NULL); |
|
323c8eff78d4
auth_debug_passwords=yes: Log password for PAM lookups.
Timo Sirainen <tss@iki.fi>
parents:
8560
diff
changeset
|
181 } |
|
323c8eff78d4
auth_debug_passwords=yes: Log password for PAM lookups.
Timo Sirainen <tss@iki.fi>
parents:
8560
diff
changeset
|
182 auth_request_log_info(request, "pam", "%s", str); |
|
8251
26e7d4905d81
PAM: Attempt to give better error messages.
Timo Sirainen <tss@iki.fi>
parents:
8217
diff
changeset
|
183 } else { |
|
26e7d4905d81
PAM: Attempt to give better error messages.
Timo Sirainen <tss@iki.fi>
parents:
8217
diff
changeset
|
184 auth_request_log_info(request, "pam", "%s", str); |
|
26e7d4905d81
PAM: Attempt to give better error messages.
Timo Sirainen <tss@iki.fi>
parents:
8217
diff
changeset
|
185 } |
|
1035
fe49ece0f3ea
We have now separate "userdb" and "passdb". They aren't tied to each others
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
186 return status; |
|
fe49ece0f3ea
We have now separate "userdb" and "passdb". They aren't tied to each others
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
187 } |
|
fe49ece0f3ea
We have now separate "userdb" and "passdb". They aren't tied to each others
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
188 |
|
fe49ece0f3ea
We have now separate "userdb" and "passdb". They aren't tied to each others
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
189 #ifdef HAVE_PAM_SETCRED |
|
4357
ffb59f920018
Don't call pam_setcred() unless setcred=yes PAM passdb argument was given.
Timo Sirainen <tss@iki.fi>
parents:
3994
diff
changeset
|
190 if (module->pam_setcred) { |
|
ffb59f920018
Don't call pam_setcred() unless setcred=yes PAM passdb argument was given.
Timo Sirainen <tss@iki.fi>
parents:
3994
diff
changeset
|
191 if ((status = pam_setcred(pamh, PAM_ESTABLISH_CRED)) != |
|
ffb59f920018
Don't call pam_setcred() unless setcred=yes PAM passdb argument was given.
Timo Sirainen <tss@iki.fi>
parents:
3994
diff
changeset
|
192 PAM_SUCCESS) { |
|
6218
74df0c0743c4
PAM lookups are now always done in auth worker processes.
Timo Sirainen <tss@iki.fi>
parents:
6216
diff
changeset
|
193 auth_request_log_error(request, "pam", |
|
74df0c0743c4
PAM lookups are now always done in auth worker processes.
Timo Sirainen <tss@iki.fi>
parents:
6216
diff
changeset
|
194 "pam_setcred() failed: %s", |
|
74df0c0743c4
PAM lookups are now always done in auth worker processes.
Timo Sirainen <tss@iki.fi>
parents:
6216
diff
changeset
|
195 pam_strerror(pamh, status)); |
|
4357
ffb59f920018
Don't call pam_setcred() unless setcred=yes PAM passdb argument was given.
Timo Sirainen <tss@iki.fi>
parents:
3994
diff
changeset
|
196 return status; |
|
ffb59f920018
Don't call pam_setcred() unless setcred=yes PAM passdb argument was given.
Timo Sirainen <tss@iki.fi>
parents:
3994
diff
changeset
|
197 } |
|
1035
fe49ece0f3ea
We have now separate "userdb" and "passdb". They aren't tied to each others
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
198 } |
|
fe49ece0f3ea
We have now separate "userdb" and "passdb". They aren't tied to each others
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
199 #endif |
|
fe49ece0f3ea
We have now separate "userdb" and "passdb". They aren't tied to each others
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
200 |
|
fe49ece0f3ea
We have now separate "userdb" and "passdb". They aren't tied to each others
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
201 if ((status = pam_acct_mgmt(pamh, 0)) != PAM_SUCCESS) { |
|
6218
74df0c0743c4
PAM lookups are now always done in auth worker processes.
Timo Sirainen <tss@iki.fi>
parents:
6216
diff
changeset
|
202 auth_request_log_error(request, "pam", |
|
74df0c0743c4
PAM lookups are now always done in auth worker processes.
Timo Sirainen <tss@iki.fi>
parents:
6216
diff
changeset
|
203 "pam_acct_mgmt() failed: %s", |
|
74df0c0743c4
PAM lookups are now always done in auth worker processes.
Timo Sirainen <tss@iki.fi>
parents:
6216
diff
changeset
|
204 pam_strerror(pamh, status)); |
|
1035
fe49ece0f3ea
We have now separate "userdb" and "passdb". They aren't tied to each others
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
205 return status; |
|
fe49ece0f3ea
We have now separate "userdb" and "passdb". They aren't tied to each others
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
206 } |
|
fe49ece0f3ea
We have now separate "userdb" and "passdb". They aren't tied to each others
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
207 |
|
3657
0c10475d9968
Separated passdb_module's interface and the actual data struct. Now it's
Timo Sirainen <tss@iki.fi>
parents:
3656
diff
changeset
|
208 if (module->pam_session) { |
|
3508
b85c96ba56df
Open/close PAM session if -session option is given. Patch by Pasi Sj�m.
Timo Sirainen <tss@iki.fi>
parents:
3474
diff
changeset
|
209 if ((status = pam_open_session(pamh, 0)) != PAM_SUCCESS) { |
|
6218
74df0c0743c4
PAM lookups are now always done in auth worker processes.
Timo Sirainen <tss@iki.fi>
parents:
6216
diff
changeset
|
210 auth_request_log_error(request, "pam", |
|
74df0c0743c4
PAM lookups are now always done in auth worker processes.
Timo Sirainen <tss@iki.fi>
parents:
6216
diff
changeset
|
211 "pam_open_session() failed: %s", |
|
74df0c0743c4
PAM lookups are now always done in auth worker processes.
Timo Sirainen <tss@iki.fi>
parents:
6216
diff
changeset
|
212 pam_strerror(pamh, status)); |
|
3508
b85c96ba56df
Open/close PAM session if -session option is given. Patch by Pasi Sj�m.
Timo Sirainen <tss@iki.fi>
parents:
3474
diff
changeset
|
213 return status; |
|
b85c96ba56df
Open/close PAM session if -session option is given. Patch by Pasi Sj�m.
Timo Sirainen <tss@iki.fi>
parents:
3474
diff
changeset
|
214 } |
|
b85c96ba56df
Open/close PAM session if -session option is given. Patch by Pasi Sj�m.
Timo Sirainen <tss@iki.fi>
parents:
3474
diff
changeset
|
215 |
|
b85c96ba56df
Open/close PAM session if -session option is given. Patch by Pasi Sj�m.
Timo Sirainen <tss@iki.fi>
parents:
3474
diff
changeset
|
216 if ((status = pam_close_session(pamh, 0)) != PAM_SUCCESS) { |
|
6218
74df0c0743c4
PAM lookups are now always done in auth worker processes.
Timo Sirainen <tss@iki.fi>
parents:
6216
diff
changeset
|
217 auth_request_log_error(request, "pam", |
|
74df0c0743c4
PAM lookups are now always done in auth worker processes.
Timo Sirainen <tss@iki.fi>
parents:
6216
diff
changeset
|
218 "pam_close_session() failed: %s", |
|
74df0c0743c4
PAM lookups are now always done in auth worker processes.
Timo Sirainen <tss@iki.fi>
parents:
6216
diff
changeset
|
219 pam_strerror(pamh, status)); |
|
74df0c0743c4
PAM lookups are now always done in auth worker processes.
Timo Sirainen <tss@iki.fi>
parents:
6216
diff
changeset
|
220 return status; |
|
3508
b85c96ba56df
Open/close PAM session if -session option is given. Patch by Pasi Sj�m.
Timo Sirainen <tss@iki.fi>
parents:
3474
diff
changeset
|
221 } |
|
b85c96ba56df
Open/close PAM session if -session option is given. Patch by Pasi Sj�m.
Timo Sirainen <tss@iki.fi>
parents:
3474
diff
changeset
|
222 } |
|
b85c96ba56df
Open/close PAM session if -session option is given. Patch by Pasi Sj�m.
Timo Sirainen <tss@iki.fi>
parents:
3474
diff
changeset
|
223 |
|
6212
6162c80dc9b7
Code cleanups. Also if auth_debug is enabled, log PAM messages.
Timo Sirainen <tss@iki.fi>
parents:
6211
diff
changeset
|
224 status = pam_get_item(pamh, PAM_USER, &item); |
|
1035
fe49ece0f3ea
We have now separate "userdb" and "passdb". They aren't tied to each others
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
225 if (status != PAM_SUCCESS) { |
|
6218
74df0c0743c4
PAM lookups are now always done in auth worker processes.
Timo Sirainen <tss@iki.fi>
parents:
6216
diff
changeset
|
226 auth_request_log_error(request, "pam", |
|
74df0c0743c4
PAM lookups are now always done in auth worker processes.
Timo Sirainen <tss@iki.fi>
parents:
6216
diff
changeset
|
227 "pam_get_item(PAM_USER) failed: %s", |
|
74df0c0743c4
PAM lookups are now always done in auth worker processes.
Timo Sirainen <tss@iki.fi>
parents:
6216
diff
changeset
|
228 pam_strerror(pamh, status)); |
|
1035
fe49ece0f3ea
We have now separate "userdb" and "passdb". They aren't tied to each others
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
229 return status; |
|
fe49ece0f3ea
We have now separate "userdb" and "passdb". They aren't tied to each others
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
230 } |
|
6218
74df0c0743c4
PAM lookups are now always done in auth worker processes.
Timo Sirainen <tss@iki.fi>
parents:
6216
diff
changeset
|
231 auth_request_set_field(request, "user", item, NULL); |
|
1035
fe49ece0f3ea
We have now separate "userdb" and "passdb". They aren't tied to each others
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
232 return PAM_SUCCESS; |
|
fe49ece0f3ea
We have now separate "userdb" and "passdb". They aren't tied to each others
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
233 } |
|
fe49ece0f3ea
We have now separate "userdb" and "passdb". They aren't tied to each others
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
234 |
|
6218
74df0c0743c4
PAM lookups are now always done in auth worker processes.
Timo Sirainen <tss@iki.fi>
parents:
6216
diff
changeset
|
235 static void set_pam_items(struct auth_request *request, pam_handle_t *pamh) |
|
74df0c0743c4
PAM lookups are now always done in auth worker processes.
Timo Sirainen <tss@iki.fi>
parents:
6216
diff
changeset
|
236 { |
|
74df0c0743c4
PAM lookups are now always done in auth worker processes.
Timo Sirainen <tss@iki.fi>
parents:
6216
diff
changeset
|
237 const char *host; |
|
74df0c0743c4
PAM lookups are now always done in auth worker processes.
Timo Sirainen <tss@iki.fi>
parents:
6216
diff
changeset
|
238 |
|
74df0c0743c4
PAM lookups are now always done in auth worker processes.
Timo Sirainen <tss@iki.fi>
parents:
6216
diff
changeset
|
239 /* These shouldn't fail, and we don't really care if they do. */ |
|
74df0c0743c4
PAM lookups are now always done in auth worker processes.
Timo Sirainen <tss@iki.fi>
parents:
6216
diff
changeset
|
240 host = net_ip2addr(&request->remote_ip); |
|
74df0c0743c4
PAM lookups are now always done in auth worker processes.
Timo Sirainen <tss@iki.fi>
parents:
6216
diff
changeset
|
241 if (host != NULL) |
|
74df0c0743c4
PAM lookups are now always done in auth worker processes.
Timo Sirainen <tss@iki.fi>
parents:
6216
diff
changeset
|
242 (void)pam_set_item(pamh, PAM_RHOST, host); |
|
74df0c0743c4
PAM lookups are now always done in auth worker processes.
Timo Sirainen <tss@iki.fi>
parents:
6216
diff
changeset
|
243 (void)pam_set_item(pamh, PAM_RUSER, request->user); |
|
74df0c0743c4
PAM lookups are now always done in auth worker processes.
Timo Sirainen <tss@iki.fi>
parents:
6216
diff
changeset
|
244 /* TTY is needed by eg. pam_access module */ |
|
74df0c0743c4
PAM lookups are now always done in auth worker processes.
Timo Sirainen <tss@iki.fi>
parents:
6216
diff
changeset
|
245 (void)pam_set_item(pamh, PAM_TTY, "dovecot"); |
|
74df0c0743c4
PAM lookups are now always done in auth worker processes.
Timo Sirainen <tss@iki.fi>
parents:
6216
diff
changeset
|
246 } |
|
74df0c0743c4
PAM lookups are now always done in auth worker processes.
Timo Sirainen <tss@iki.fi>
parents:
6216
diff
changeset
|
247 |
|
5121
cf996f8e9c89
Added blocking=yes to PAM passdb to use auth workers instead of forking a
Timo Sirainen <tss@iki.fi>
parents:
5120
diff
changeset
|
248 static enum passdb_result |
|
6218
74df0c0743c4
PAM lookups are now always done in auth worker processes.
Timo Sirainen <tss@iki.fi>
parents:
6216
diff
changeset
|
249 pam_verify_plain_call(struct auth_request *request, const char *service, |
|
74df0c0743c4
PAM lookups are now always done in auth worker processes.
Timo Sirainen <tss@iki.fi>
parents:
6216
diff
changeset
|
250 const char *password) |
|
1035
fe49ece0f3ea
We have now separate "userdb" and "passdb". They aren't tied to each others
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
251 { |
|
fe49ece0f3ea
We have now separate "userdb" and "passdb". They aren't tied to each others
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
252 pam_handle_t *pamh; |
|
6212
6162c80dc9b7
Code cleanups. Also if auth_debug is enabled, log PAM messages.
Timo Sirainen <tss@iki.fi>
parents:
6211
diff
changeset
|
253 struct pam_conv_context ctx; |
|
1035
fe49ece0f3ea
We have now separate "userdb" and "passdb". They aren't tied to each others
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
254 struct pam_conv conv; |
|
1561
24dad210417f
Fork new process for each PAM check. Not exactly fast, but we have to do it
Timo Sirainen <tss@iki.fi>
parents:
1191
diff
changeset
|
255 enum passdb_result result; |
|
6218
74df0c0743c4
PAM lookups are now always done in auth worker processes.
Timo Sirainen <tss@iki.fi>
parents:
6216
diff
changeset
|
256 int status, status2; |
|
1035
fe49ece0f3ea
We have now separate "userdb" and "passdb". They aren't tied to each others
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
257 |
|
fe49ece0f3ea
We have now separate "userdb" and "passdb". They aren't tied to each others
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
258 conv.conv = pam_userpass_conv; |
|
6212
6162c80dc9b7
Code cleanups. Also if auth_debug is enabled, log PAM messages.
Timo Sirainen <tss@iki.fi>
parents:
6211
diff
changeset
|
259 conv.appdata_ptr = &ctx; |
|
1035
fe49ece0f3ea
We have now separate "userdb" and "passdb". They aren't tied to each others
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
260 |
|
6215
a9c934833374
Added failure_show_msg=yes parameter to PAM. If set, the first line of PAM
Timo Sirainen <tss@iki.fi>
parents:
6212
diff
changeset
|
261 memset(&ctx, 0, sizeof(ctx)); |
|
6212
6162c80dc9b7
Code cleanups. Also if auth_debug is enabled, log PAM messages.
Timo Sirainen <tss@iki.fi>
parents:
6211
diff
changeset
|
262 ctx.request = request; |
|
6162c80dc9b7
Code cleanups. Also if auth_debug is enabled, log PAM messages.
Timo Sirainen <tss@iki.fi>
parents:
6211
diff
changeset
|
263 ctx.pass = password; |
|
1035
fe49ece0f3ea
We have now separate "userdb" and "passdb". They aren't tied to each others
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
264 |
|
2134
c70d0155d93c
Set PAM_RHOST for PAM if it's known.
Timo Sirainen <tss@iki.fi>
parents:
2099
diff
changeset
|
265 status = pam_start(service, request->user, &conv, &pamh); |
|
1035
fe49ece0f3ea
We have now separate "userdb" and "passdb". They aren't tied to each others
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
266 if (status != PAM_SUCCESS) { |
|
6218
74df0c0743c4
PAM lookups are now always done in auth worker processes.
Timo Sirainen <tss@iki.fi>
parents:
6216
diff
changeset
|
267 auth_request_log_error(request, "pam", "pam_start() failed: %s", |
|
74df0c0743c4
PAM lookups are now always done in auth worker processes.
Timo Sirainen <tss@iki.fi>
parents:
6216
diff
changeset
|
268 pam_strerror(pamh, status)); |
|
74df0c0743c4
PAM lookups are now always done in auth worker processes.
Timo Sirainen <tss@iki.fi>
parents:
6216
diff
changeset
|
269 return PASSDB_RESULT_INTERNAL_FAILURE; |
|
74df0c0743c4
PAM lookups are now always done in auth worker processes.
Timo Sirainen <tss@iki.fi>
parents:
6216
diff
changeset
|
270 } |
|
2134
c70d0155d93c
Set PAM_RHOST for PAM if it's known.
Timo Sirainen <tss@iki.fi>
parents:
2099
diff
changeset
|
271 |
|
6218
74df0c0743c4
PAM lookups are now always done in auth worker processes.
Timo Sirainen <tss@iki.fi>
parents:
6216
diff
changeset
|
272 set_pam_items(request, pamh); |
|
8251
26e7d4905d81
PAM: Attempt to give better error messages.
Timo Sirainen <tss@iki.fi>
parents:
8217
diff
changeset
|
273 status = try_pam_auth(request, pamh, service); |
|
6218
74df0c0743c4
PAM lookups are now always done in auth worker processes.
Timo Sirainen <tss@iki.fi>
parents:
6216
diff
changeset
|
274 if ((status2 = pam_end(pamh, status)) != PAM_SUCCESS) { |
|
74df0c0743c4
PAM lookups are now always done in auth worker processes.
Timo Sirainen <tss@iki.fi>
parents:
6216
diff
changeset
|
275 auth_request_log_error(request, "pam", "pam_end() failed: %s", |
|
74df0c0743c4
PAM lookups are now always done in auth worker processes.
Timo Sirainen <tss@iki.fi>
parents:
6216
diff
changeset
|
276 pam_strerror(pamh, status2)); |
|
74df0c0743c4
PAM lookups are now always done in auth worker processes.
Timo Sirainen <tss@iki.fi>
parents:
6216
diff
changeset
|
277 return PASSDB_RESULT_INTERNAL_FAILURE; |
|
1561
24dad210417f
Fork new process for each PAM check. Not exactly fast, but we have to do it
Timo Sirainen <tss@iki.fi>
parents:
1191
diff
changeset
|
278 } |
|
24dad210417f
Fork new process for each PAM check. Not exactly fast, but we have to do it
Timo Sirainen <tss@iki.fi>
parents:
1191
diff
changeset
|
279 |
|
6218
74df0c0743c4
PAM lookups are now always done in auth worker processes.
Timo Sirainen <tss@iki.fi>
parents:
6216
diff
changeset
|
280 switch (status) { |
|
74df0c0743c4
PAM lookups are now always done in auth worker processes.
Timo Sirainen <tss@iki.fi>
parents:
6216
diff
changeset
|
281 case PAM_SUCCESS: |
|
74df0c0743c4
PAM lookups are now always done in auth worker processes.
Timo Sirainen <tss@iki.fi>
parents:
6216
diff
changeset
|
282 result = PASSDB_RESULT_OK; |
|
74df0c0743c4
PAM lookups are now always done in auth worker processes.
Timo Sirainen <tss@iki.fi>
parents:
6216
diff
changeset
|
283 break; |
|
74df0c0743c4
PAM lookups are now always done in auth worker processes.
Timo Sirainen <tss@iki.fi>
parents:
6216
diff
changeset
|
284 case PAM_USER_UNKNOWN: |
|
74df0c0743c4
PAM lookups are now always done in auth worker processes.
Timo Sirainen <tss@iki.fi>
parents:
6216
diff
changeset
|
285 result = PASSDB_RESULT_USER_UNKNOWN; |
|
74df0c0743c4
PAM lookups are now always done in auth worker processes.
Timo Sirainen <tss@iki.fi>
parents:
6216
diff
changeset
|
286 break; |
|
74df0c0743c4
PAM lookups are now always done in auth worker processes.
Timo Sirainen <tss@iki.fi>
parents:
6216
diff
changeset
|
287 case PAM_NEW_AUTHTOK_REQD: |
|
74df0c0743c4
PAM lookups are now always done in auth worker processes.
Timo Sirainen <tss@iki.fi>
parents:
6216
diff
changeset
|
288 case PAM_ACCT_EXPIRED: |
|
74df0c0743c4
PAM lookups are now always done in auth worker processes.
Timo Sirainen <tss@iki.fi>
parents:
6216
diff
changeset
|
289 result = PASSDB_RESULT_PASS_EXPIRED; |
|
74df0c0743c4
PAM lookups are now always done in auth worker processes.
Timo Sirainen <tss@iki.fi>
parents:
6216
diff
changeset
|
290 break; |
|
74df0c0743c4
PAM lookups are now always done in auth worker processes.
Timo Sirainen <tss@iki.fi>
parents:
6216
diff
changeset
|
291 default: |
|
74df0c0743c4
PAM lookups are now always done in auth worker processes.
Timo Sirainen <tss@iki.fi>
parents:
6216
diff
changeset
|
292 result = PASSDB_RESULT_PASSWORD_MISMATCH; |
|
74df0c0743c4
PAM lookups are now always done in auth worker processes.
Timo Sirainen <tss@iki.fi>
parents:
6216
diff
changeset
|
293 break; |
|
5121
cf996f8e9c89
Added blocking=yes to PAM passdb to use auth workers instead of forking a
Timo Sirainen <tss@iki.fi>
parents:
5120
diff
changeset
|
294 } |
|
cf996f8e9c89
Added blocking=yes to PAM passdb to use auth workers instead of forking a
Timo Sirainen <tss@iki.fi>
parents:
5120
diff
changeset
|
295 |
|
6218
74df0c0743c4
PAM lookups are now always done in auth worker processes.
Timo Sirainen <tss@iki.fi>
parents:
6216
diff
changeset
|
296 if (result != PASSDB_RESULT_OK && ctx.failure_msg != NULL) { |
|
74df0c0743c4
PAM lookups are now always done in auth worker processes.
Timo Sirainen <tss@iki.fi>
parents:
6216
diff
changeset
|
297 auth_request_set_field(request, "reason", |
|
74df0c0743c4
PAM lookups are now always done in auth worker processes.
Timo Sirainen <tss@iki.fi>
parents:
6216
diff
changeset
|
298 ctx.failure_msg, NULL); |
| 3860 | 299 } |
|
5121
cf996f8e9c89
Added blocking=yes to PAM passdb to use auth workers instead of forking a
Timo Sirainen <tss@iki.fi>
parents:
5120
diff
changeset
|
300 return result; |
|
1561
24dad210417f
Fork new process for each PAM check. Not exactly fast, but we have to do it
Timo Sirainen <tss@iki.fi>
parents:
1191
diff
changeset
|
301 } |
|
24dad210417f
Fork new process for each PAM check. Not exactly fast, but we have to do it
Timo Sirainen <tss@iki.fi>
parents:
1191
diff
changeset
|
302 |
|
24dad210417f
Fork new process for each PAM check. Not exactly fast, but we have to do it
Timo Sirainen <tss@iki.fi>
parents:
1191
diff
changeset
|
303 static void |
|
24dad210417f
Fork new process for each PAM check. Not exactly fast, but we have to do it
Timo Sirainen <tss@iki.fi>
parents:
1191
diff
changeset
|
304 pam_verify_plain(struct auth_request *request, const char *password, |
|
24dad210417f
Fork new process for each PAM check. Not exactly fast, but we have to do it
Timo Sirainen <tss@iki.fi>
parents:
1191
diff
changeset
|
305 verify_plain_callback_t *callback) |
|
24dad210417f
Fork new process for each PAM check. Not exactly fast, but we have to do it
Timo Sirainen <tss@iki.fi>
parents:
1191
diff
changeset
|
306 { |
|
3657
0c10475d9968
Separated passdb_module's interface and the actual data struct. Now it's
Timo Sirainen <tss@iki.fi>
parents:
3656
diff
changeset
|
307 struct passdb_module *_module = request->passdb->passdb; |
|
0c10475d9968
Separated passdb_module's interface and the actual data struct. Now it's
Timo Sirainen <tss@iki.fi>
parents:
3656
diff
changeset
|
308 struct pam_passdb_module *module = (struct pam_passdb_module *)_module; |
|
5121
cf996f8e9c89
Added blocking=yes to PAM passdb to use auth workers instead of forking a
Timo Sirainen <tss@iki.fi>
parents:
5120
diff
changeset
|
309 enum passdb_result result; |
|
5263
8384f797c0fc
PAM service name supports variables now.
Timo Sirainen <tss@iki.fi>
parents:
5259
diff
changeset
|
310 string_t *expanded_service; |
|
1578
ab2fb3c6a12b
Using "*" as PAM service name now uses imap/pop3 service.
Timo Sirainen <tss@iki.fi>
parents:
1576
diff
changeset
|
311 const char *service; |
|
1561
24dad210417f
Fork new process for each PAM check. Not exactly fast, but we have to do it
Timo Sirainen <tss@iki.fi>
parents:
1191
diff
changeset
|
312 |
|
8560
b6a7bc10c19a
Replaced auth_worker_max_request_count setting with passdb pam { args = max_requests=n }
Timo Sirainen <tss@iki.fi>
parents:
8513
diff
changeset
|
313 if (module->requests_left > 0) { |
|
b6a7bc10c19a
Replaced auth_worker_max_request_count setting with passdb pam { args = max_requests=n }
Timo Sirainen <tss@iki.fi>
parents:
8513
diff
changeset
|
314 if (--module->requests_left == 0) |
|
b6a7bc10c19a
Replaced auth_worker_max_request_count setting with passdb pam { args = max_requests=n }
Timo Sirainen <tss@iki.fi>
parents:
8513
diff
changeset
|
315 shutdown_request = TRUE; |
|
b6a7bc10c19a
Replaced auth_worker_max_request_count setting with passdb pam { args = max_requests=n }
Timo Sirainen <tss@iki.fi>
parents:
8513
diff
changeset
|
316 } |
|
b6a7bc10c19a
Replaced auth_worker_max_request_count setting with passdb pam { args = max_requests=n }
Timo Sirainen <tss@iki.fi>
parents:
8513
diff
changeset
|
317 |
|
5263
8384f797c0fc
PAM service name supports variables now.
Timo Sirainen <tss@iki.fi>
parents:
5259
diff
changeset
|
318 expanded_service = t_str_new(64); |
|
8384f797c0fc
PAM service name supports variables now.
Timo Sirainen <tss@iki.fi>
parents:
5259
diff
changeset
|
319 var_expand(expanded_service, module->service_name, |
|
8384f797c0fc
PAM service name supports variables now.
Timo Sirainen <tss@iki.fi>
parents:
5259
diff
changeset
|
320 auth_request_get_var_expand_table(request, NULL)); |
|
8384f797c0fc
PAM service name supports variables now.
Timo Sirainen <tss@iki.fi>
parents:
5259
diff
changeset
|
321 service = str_c(expanded_service); |
|
8384f797c0fc
PAM service name supports variables now.
Timo Sirainen <tss@iki.fi>
parents:
5259
diff
changeset
|
322 |
| 5259 | 323 auth_request_log_debug(request, "pam", "lookup service=%s", service); |
|
5121
cf996f8e9c89
Added blocking=yes to PAM passdb to use auth workers instead of forking a
Timo Sirainen <tss@iki.fi>
parents:
5120
diff
changeset
|
324 |
|
6218
74df0c0743c4
PAM lookups are now always done in auth worker processes.
Timo Sirainen <tss@iki.fi>
parents:
6216
diff
changeset
|
325 result = pam_verify_plain_call(request, service, password); |
|
74df0c0743c4
PAM lookups are now always done in auth worker processes.
Timo Sirainen <tss@iki.fi>
parents:
6216
diff
changeset
|
326 callback(result, request); |
|
1035
fe49ece0f3ea
We have now separate "userdb" and "passdb". They aren't tied to each others
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
327 } |
|
fe49ece0f3ea
We have now separate "userdb" and "passdb". They aren't tied to each others
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
328 |
|
3657
0c10475d9968
Separated passdb_module's interface and the actual data struct. Now it's
Timo Sirainen <tss@iki.fi>
parents:
3656
diff
changeset
|
329 static struct passdb_module * |
|
0c10475d9968
Separated passdb_module's interface and the actual data struct. Now it's
Timo Sirainen <tss@iki.fi>
parents:
3656
diff
changeset
|
330 pam_preinit(struct auth_passdb *auth_passdb, const char *args) |
|
1035
fe49ece0f3ea
We have now separate "userdb" and "passdb". They aren't tied to each others
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
331 { |
|
3657
0c10475d9968
Separated passdb_module's interface and the actual data struct. Now it's
Timo Sirainen <tss@iki.fi>
parents:
3656
diff
changeset
|
332 struct pam_passdb_module *module; |
|
3508
b85c96ba56df
Open/close PAM session if -session option is given. Patch by Pasi Sj�m.
Timo Sirainen <tss@iki.fi>
parents:
3474
diff
changeset
|
333 const char *const *t_args; |
|
b85c96ba56df
Open/close PAM session if -session option is given. Patch by Pasi Sj�m.
Timo Sirainen <tss@iki.fi>
parents:
3474
diff
changeset
|
334 int i; |
|
b85c96ba56df
Open/close PAM session if -session option is given. Patch by Pasi Sj�m.
Timo Sirainen <tss@iki.fi>
parents:
3474
diff
changeset
|
335 |
|
3657
0c10475d9968
Separated passdb_module's interface and the actual data struct. Now it's
Timo Sirainen <tss@iki.fi>
parents:
3656
diff
changeset
|
336 module = p_new(auth_passdb->auth->pool, struct pam_passdb_module, 1); |
|
0c10475d9968
Separated passdb_module's interface and the actual data struct. Now it's
Timo Sirainen <tss@iki.fi>
parents:
3656
diff
changeset
|
337 module->service_name = "dovecot"; |
|
6218
74df0c0743c4
PAM lookups are now always done in auth worker processes.
Timo Sirainen <tss@iki.fi>
parents:
6216
diff
changeset
|
338 /* we're caching the password by using directly the plaintext password |
|
74df0c0743c4
PAM lookups are now always done in auth worker processes.
Timo Sirainen <tss@iki.fi>
parents:
6216
diff
changeset
|
339 given by the auth mechanism */ |
|
74df0c0743c4
PAM lookups are now always done in auth worker processes.
Timo Sirainen <tss@iki.fi>
parents:
6216
diff
changeset
|
340 module->module.default_pass_scheme = "PLAIN"; |
|
74df0c0743c4
PAM lookups are now always done in auth worker processes.
Timo Sirainen <tss@iki.fi>
parents:
6216
diff
changeset
|
341 module->module.blocking = TRUE; |
|
8560
b6a7bc10c19a
Replaced auth_worker_max_request_count setting with passdb pam { args = max_requests=n }
Timo Sirainen <tss@iki.fi>
parents:
8513
diff
changeset
|
342 module->requests_left = PASSDB_PAM_DEFAULT_MAX_REQUESTS; |
|
3508
b85c96ba56df
Open/close PAM session if -session option is given. Patch by Pasi Sj�m.
Timo Sirainen <tss@iki.fi>
parents:
3474
diff
changeset
|
343 |
|
6215
a9c934833374
Added failure_show_msg=yes parameter to PAM. If set, the first line of PAM
Timo Sirainen <tss@iki.fi>
parents:
6212
diff
changeset
|
344 t_args = t_strsplit_spaces(args, " "); |
|
3764
852274ab176d
PAM: Changed -session to session=yes to be more consistent with other
Timo Sirainen <tss@iki.fi>
parents:
3657
diff
changeset
|
345 for(i = 0; t_args[i] != NULL; i++) { |
|
852274ab176d
PAM: Changed -session to session=yes to be more consistent with other
Timo Sirainen <tss@iki.fi>
parents:
3657
diff
changeset
|
346 /* -session for backwards compatibility */ |
|
852274ab176d
PAM: Changed -session to session=yes to be more consistent with other
Timo Sirainen <tss@iki.fi>
parents:
3657
diff
changeset
|
347 if (strcmp(t_args[i], "-session") == 0 || |
|
852274ab176d
PAM: Changed -session to session=yes to be more consistent with other
Timo Sirainen <tss@iki.fi>
parents:
3657
diff
changeset
|
348 strcmp(t_args[i], "session=yes") == 0) |
|
3657
0c10475d9968
Separated passdb_module's interface and the actual data struct. Now it's
Timo Sirainen <tss@iki.fi>
parents:
3656
diff
changeset
|
349 module->pam_session = TRUE; |
|
4357
ffb59f920018
Don't call pam_setcred() unless setcred=yes PAM passdb argument was given.
Timo Sirainen <tss@iki.fi>
parents:
3994
diff
changeset
|
350 else if (strcmp(t_args[i], "setcred=yes") == 0) |
|
ffb59f920018
Don't call pam_setcred() unless setcred=yes PAM passdb argument was given.
Timo Sirainen <tss@iki.fi>
parents:
3994
diff
changeset
|
351 module->pam_setcred = TRUE; |
|
3656
fda241fa5d77
Make auth caching work with non-sql/ldap passdbs too.
Timo Sirainen <tss@iki.fi>
parents:
3649
diff
changeset
|
352 else if (strncmp(t_args[i], "cache_key=", 10) == 0) { |
|
3657
0c10475d9968
Separated passdb_module's interface and the actual data struct. Now it's
Timo Sirainen <tss@iki.fi>
parents:
3656
diff
changeset
|
353 module->module.cache_key = |
|
6241
17e056f924cb
Store cache_key via auth_cache_parse_key() which adds TABs between the
Timo Sirainen <tss@iki.fi>
parents:
6218
diff
changeset
|
354 auth_cache_parse_key(auth_passdb->auth->pool, |
|
17e056f924cb
Store cache_key via auth_cache_parse_key() which adds TABs between the
Timo Sirainen <tss@iki.fi>
parents:
6218
diff
changeset
|
355 t_args[i] + 10); |
|
5121
cf996f8e9c89
Added blocking=yes to PAM passdb to use auth workers instead of forking a
Timo Sirainen <tss@iki.fi>
parents:
5120
diff
changeset
|
356 } else if (strcmp(t_args[i], "blocking=yes") == 0) { |
|
6218
74df0c0743c4
PAM lookups are now always done in auth worker processes.
Timo Sirainen <tss@iki.fi>
parents:
6216
diff
changeset
|
357 /* ignore, for backwards compatibility */ |
|
6215
a9c934833374
Added failure_show_msg=yes parameter to PAM. If set, the first line of PAM
Timo Sirainen <tss@iki.fi>
parents:
6212
diff
changeset
|
358 } else if (strcmp(t_args[i], "failure_show_msg=yes") == 0) { |
|
a9c934833374
Added failure_show_msg=yes parameter to PAM. If set, the first line of PAM
Timo Sirainen <tss@iki.fi>
parents:
6212
diff
changeset
|
359 module->failure_show_msg = TRUE; |
|
3656
fda241fa5d77
Make auth caching work with non-sql/ldap passdbs too.
Timo Sirainen <tss@iki.fi>
parents:
3649
diff
changeset
|
360 } else if (strcmp(t_args[i], "*") == 0) { |
|
5263
8384f797c0fc
PAM service name supports variables now.
Timo Sirainen <tss@iki.fi>
parents:
5259
diff
changeset
|
361 /* for backwards compatibility */ |
|
5491
22f0e7b297d6
Lowercase the PAM service name when calling with "args = *". Linux PAM did
Timo Sirainen <tss@iki.fi>
parents:
5490
diff
changeset
|
362 module->service_name = "%Ls"; |
|
8560
b6a7bc10c19a
Replaced auth_worker_max_request_count setting with passdb pam { args = max_requests=n }
Timo Sirainen <tss@iki.fi>
parents:
8513
diff
changeset
|
363 } else if (strncmp(t_args[i], "max_requests=", 13) == 0) { |
|
b6a7bc10c19a
Replaced auth_worker_max_request_count setting with passdb pam { args = max_requests=n }
Timo Sirainen <tss@iki.fi>
parents:
8513
diff
changeset
|
364 module->requests_left = atoi(t_args[i] + 13); |
|
3764
852274ab176d
PAM: Changed -session to session=yes to be more consistent with other
Timo Sirainen <tss@iki.fi>
parents:
3657
diff
changeset
|
365 } else if (t_args[i+1] == NULL) { |
|
6215
a9c934833374
Added failure_show_msg=yes parameter to PAM. If set, the first line of PAM
Timo Sirainen <tss@iki.fi>
parents:
6212
diff
changeset
|
366 module->service_name = |
|
a9c934833374
Added failure_show_msg=yes parameter to PAM. If set, the first line of PAM
Timo Sirainen <tss@iki.fi>
parents:
6212
diff
changeset
|
367 p_strdup(auth_passdb->auth->pool, t_args[i]); |
|
3764
852274ab176d
PAM: Changed -session to session=yes to be more consistent with other
Timo Sirainen <tss@iki.fi>
parents:
3657
diff
changeset
|
368 } else { |
|
8513
0691f5294bb9
Fail if trying to give unknown parameters to passdb/userdb.
Timo Sirainen <tss@iki.fi>
parents:
8252
diff
changeset
|
369 i_fatal("passdb pam: Unknown setting: %s", t_args[i]); |
|
3508
b85c96ba56df
Open/close PAM session if -session option is given. Patch by Pasi Sj�m.
Timo Sirainen <tss@iki.fi>
parents:
3474
diff
changeset
|
370 } |
|
b85c96ba56df
Open/close PAM session if -session option is given. Patch by Pasi Sj�m.
Timo Sirainen <tss@iki.fi>
parents:
3474
diff
changeset
|
371 } |
|
3657
0c10475d9968
Separated passdb_module's interface and the actual data struct. Now it's
Timo Sirainen <tss@iki.fi>
parents:
3656
diff
changeset
|
372 return &module->module; |
|
1035
fe49ece0f3ea
We have now separate "userdb" and "passdb". They aren't tied to each others
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
373 } |
|
fe49ece0f3ea
We have now separate "userdb" and "passdb". They aren't tied to each others
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
374 |
|
3657
0c10475d9968
Separated passdb_module's interface and the actual data struct. Now it's
Timo Sirainen <tss@iki.fi>
parents:
3656
diff
changeset
|
375 struct passdb_module_interface passdb_pam = { |
|
2942
c7d426f8cb58
Added name variable for userdb_module and passdb_module and changed their
Timo Sirainen <tss@iki.fi>
parents:
2781
diff
changeset
|
376 "pam", |
|
c7d426f8cb58
Added name variable for userdb_module and passdb_module and changed their
Timo Sirainen <tss@iki.fi>
parents:
2781
diff
changeset
|
377 |
|
3657
0c10475d9968
Separated passdb_module's interface and the actual data struct. Now it's
Timo Sirainen <tss@iki.fi>
parents:
3656
diff
changeset
|
378 pam_preinit, |
|
6218
74df0c0743c4
PAM lookups are now always done in auth worker processes.
Timo Sirainen <tss@iki.fi>
parents:
6216
diff
changeset
|
379 NULL, |
|
74df0c0743c4
PAM lookups are now always done in auth worker processes.
Timo Sirainen <tss@iki.fi>
parents:
6216
diff
changeset
|
380 NULL, |
|
1035
fe49ece0f3ea
We have now separate "userdb" and "passdb". They aren't tied to each others
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
381 |
|
fe49ece0f3ea
We have now separate "userdb" and "passdb". They aren't tied to each others
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
382 pam_verify_plain, |
|
4782
2c1cc5bbc260
Added auth_request_set_credentials() to modify credentials in passdb and
Timo Sirainen <tss@iki.fi>
parents:
4569
diff
changeset
|
383 NULL, |
|
1035
fe49ece0f3ea
We have now separate "userdb" and "passdb". They aren't tied to each others
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
384 NULL |
|
fe49ece0f3ea
We have now separate "userdb" and "passdb". They aren't tied to each others
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
385 }; |
|
8217
c47b78e843aa
Separate "unknown passdb/userdb X" and "support for X not compiled in" error messages.
Timo Sirainen <tss@iki.fi>
parents:
6940
diff
changeset
|
386 #else |
|
c47b78e843aa
Separate "unknown passdb/userdb X" and "support for X not compiled in" error messages.
Timo Sirainen <tss@iki.fi>
parents:
6940
diff
changeset
|
387 struct passdb_module_interface passdb_pam = { |
|
c47b78e843aa
Separate "unknown passdb/userdb X" and "support for X not compiled in" error messages.
Timo Sirainen <tss@iki.fi>
parents:
6940
diff
changeset
|
388 MEMBER(name) "pam" |
|
c47b78e843aa
Separate "unknown passdb/userdb X" and "support for X not compiled in" error messages.
Timo Sirainen <tss@iki.fi>
parents:
6940
diff
changeset
|
389 }; |
|
1035
fe49ece0f3ea
We have now separate "userdb" and "passdb". They aren't tied to each others
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
390 #endif |