annotate src/auth/passdb-pam.c @ 9008:fc4f65a4ca60 HEAD
virtual: Don't show mailboxes as \Noselect.
author | Timo Sirainen <tss@iki.fi> |
---|---|
date | Fri, 01 May 2009 14:56:52 -0400 |
parents | 323c8eff78d4 |
children | 48b1f2b7144b |
1 /* |
2 Based on auth_pam.c from popa3d by Solar Designer <solar@openwall.com>. |
3 |
4 You're allowed to do whatever you like with this software (including |
5 re-distribution in source and/or binary form, with or without |
6 modification), provided that credit is given where it is due and any |
7 modified versions are marked as such. There's absolutely no warranty. |
8 */ |
9 |
10 #include "common.h" |
11 #include "passdb.h" |
12 |
13 #ifdef PASSDB_PAM |
14 |
15 #include "lib-signals.h" |
16 #include "str.h" |
17 #include "var-expand.h" |
18 #include "network.h" |
19 #include "safe-memset.h" |
20 #include "auth-cache.h" |
21 |
22 #include <stdlib.h> |
23 #include <sys/stat.h> |
24 |
25 #ifdef HAVE_SECURITY_PAM_APPL_H |
26 # include <security/pam_appl.h> |
27 #elif defined(HAVE_PAM_PAM_APPL_H) |
28 # include <pam/pam_appl.h> |
29 #endif |
30 |
#if !defined(_SECURITY_PAM_APPL_H) && !defined(LINUX_PAM) && !defined(_OPENPAM)
/* None of the macros tested above is defined, so treat the installed PAM
   as Sun-derived. Sun's PAM doesn't const-qualify its prototypes. The
   check was originally just __sun__, but HP/UX also uses Sun's PAM, so
   the test excludes the other known implementations instead. */
# define SUNPAM
#endif

/* linux_const expands to "const" everywhere except SUNPAM, where it
   expands to nothing, so the declarations in this file can match both
   families of PAM prototypes. */
#ifdef SUNPAM
# define linux_const
#else
# define linux_const const
#endif
/* Untyped item pointer, const-qualified whenever linux_const is "const". */
typedef linux_const void *pam_item_t;

/* NOTE(review): presumably the default for the max_requests=n passdb
   argument, i.e. the starting value of requests_left - the code that
   reads this macro is outside this listing, confirm there. */
#define PASSDB_PAM_DEFAULT_MAX_REQUESTS 100
46 |
/* PAM-specific passdb state. */
struct pam_passdb_module {
	/* Must stay the first member: this file casts a
	   struct passdb_module * to a struct pam_passdb_module *. */
	struct passdb_module module;

	/* NOTE(review): service_name is presumably the PAM service name and
	   pam_cache_key the auth cache key - both are assigned outside this
	   listing, confirm there. */
	const char *service_name, *pam_cache_key;
	/* NOTE(review): presumably counts down from the max_requests
	   setting - the code that updates it is outside this listing. */
	unsigned int requests_left;

	/* call pam_setcred() once pam_authenticate() has succeeded */
	unsigned int pam_setcred:1;
	/* NOTE(review): presumably enables PAM session handling - confirm */
	unsigned int pam_session:1;
	/* make the conversation callback remember PAM's password prompt
	   text in pam_conv_context.failure_msg */
	unsigned int failure_show_msg:1;
};
57 |
/* Application data that pam_userpass_conv() receives through its
   appdata_ptr argument. */
struct pam_conv_context {
	/* request being authenticated; supplies the user name and the
	   logging context */
	struct auth_request *request;
	/* plaintext password answered to PAM_PROMPT_ECHO_OFF prompts.
	   The callback hands PAM a strdup()ed copy, never this pointer. */
	const char *pass;
	/* t_strdup()ed text of the last PAM_PROMPT_ECHO_OFF prompt; written
	   only when the passdb's failure_show_msg flag is set */
	const char *failure_msg;
};
63 |
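/*
 * PAM conversation callback: answers every prompt PAM sends with the
 * credentials stored in the pam_conv_context passed as appdata_ptr.
 *
 * num_msg      number of entries in msg
 * msg          prompts coming from the PAM module
 * resp_r       receives a calloc()ed array of num_msg responses on
 *              success; left NULL on failure
 * appdata_ptr  struct pam_conv_context * of the request
 *
 * Returns PAM_SUCCESS, or PAM_CONV_ERR when num_msg is not positive or a
 * message has an unknown style. Running out of memory is fatal.
 *
 * Security: the user name and password are copied with strdup() because,
 * by the PAM conversation convention, the PAM side releases the response
 * array and its strings with free(). On the error path nothing is handed
 * over, so the copies made so far are wiped and freed here. The debug log
 * line prints PAM's prompt text, never the response.
 *
 * NOTE(review): msg is indexed as an array of pointers (msg[i]->...).
 * Sun-derived PAM implementations are documented to lay the messages out
 * differently when num_msg > 1 - confirm for SUNPAM builds.
 */
static int
pam_userpass_conv(int num_msg, linux_const struct pam_message **msg,
	struct pam_response **resp_r, void *appdata_ptr)
{
	/* @UNSAFE */
	struct pam_conv_context *ctx = appdata_ptr;
	struct passdb_module *_passdb = ctx->request->passdb->passdb;
	struct pam_passdb_module *passdb = (struct pam_passdb_module *)_passdb;
	struct pam_response *resp;
	char *string;
	int i;

	*resp_r = NULL;

	if (num_msg <= 0) {
		/* Nothing valid to answer. Rejecting it here keeps a
		   negative count from turning into a huge size_t in
		   calloc(), and keeps a zero-sized allocation that returns
		   NULL from being reported as out of memory. */
		return PAM_CONV_ERR;
	}

	resp = calloc(num_msg, sizeof(struct pam_response));
	if (resp == NULL)
		i_fatal_status(FATAL_OUTOFMEM, "Out of memory");

	for (i = 0; i < num_msg; i++) {
		/* msg may be NULL, so substitute an empty string for %s */
		auth_request_log_debug(ctx->request, "pam",
				       "#%d/%d style=%d msg=%s", i+1, num_msg,
				       msg[i]->msg_style,
				       msg[i]->msg != NULL ? msg[i]->msg : "");
		switch (msg[i]->msg_style) {
		case PAM_PROMPT_ECHO_ON:
			/* Assume we're asking for user. We might not ever
			   get here because PAM already knows the user. */
			string = strdup(ctx->request->user);
			if (string == NULL)
				i_fatal_status(FATAL_OUTOFMEM, "Out of memory");
			break;
		case PAM_PROMPT_ECHO_OFF:
			/* Assume we're asking for password */
			if (passdb->failure_show_msg)
				ctx->failure_msg = t_strdup(msg[i]->msg);
			string = strdup(ctx->pass);
			if (string == NULL)
				i_fatal_status(FATAL_OUTOFMEM, "Out of memory");
			break;
		case PAM_ERROR_MSG:
		case PAM_TEXT_INFO:
			/* informational only, no answer expected */
			string = NULL;
			break;
		default:
			/* Unknown style: undo the responses built so far.
			   They may hold the password, so wipe each string
			   before freeing it. */
			while (--i >= 0) {
				if (resp[i].resp != NULL) {
					safe_memset(resp[i].resp, 0,
						    strlen(resp[i].resp));
					free(resp[i].resp);
				}
			}

			free(resp);
			return PAM_CONV_ERR;
		}

		resp[i].resp_retcode = PAM_SUCCESS;
		resp[i].resp = string;
	}

	*resp_r = resp;
	return PAM_SUCCESS;
}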
127 |
/*
 * Returns the path of the /etc/pam.d file for the given service when that
 * file looks like it is missing, so the caller can mention it in its error
 * message. Returns NULL when the file exists, when its state can't be
 * determined, when /etc/pam.d itself can't be stat()ed, on every call
 * after the first one, and always on SUNPAM.
 *
 * NOTE(review): service is placed into the path as-is and the result is
 * only passed to stat() and returned for logging. If the service name can
 * contain request-derived text, confirm that '/' is rejected before it
 * gets here.
 */
static const char *
pam_get_missing_service_file_path(const char *service ATTR_UNUSED)
{
#ifdef SUNPAM
	/* Sun's PAM is configured in /etc/pam.conf, which isn't parsed here */
	return NULL;
#else
	static bool already_checked = FALSE;
	const char *service_path;
	struct stat sb;

	/* do the check, and so the complaint, only once */
	if (already_checked)
		return NULL;
	already_checked = TRUE;

	service_path = t_strdup_printf("/etc/pam.d/%s", service);
	if (stat(service_path, &sb) >= 0 || errno != ENOENT) {
		/* the file exists, or its state is unknown */
		return NULL;
	}

	/* The file looks missing. Report it only if /etc/pam.d exists,
	   since otherwise the system may not use that directory at all. */
	if (stat("/etc/pam.d", &sb) != 0)
		return NULL;
	return service_path;
#endif
}
156 |
157 static int try_pam_auth(struct auth_request *request, pam_handle_t *pamh, |
158 const char *service) |
159 { |
160 struct passdb_module *_module = request->passdb->passdb; |
161 struct pam_passdb_module *module = (struct pam_passdb_module *)_module; |
162 const char *path, *str; |
163 pam_item_t item; |
164 int status; |
165 |
166 if ((status = pam_authenticate(pamh, 0)) != PAM_SUCCESS) { |
167 path = pam_get_missing_service_file_path(service); |
168 switch (status) { |
169 case PAM_USER_UNKNOWN: |
170 str = "unknown user"; |
171 break; |
172 default: |
173 str = t_strconcat("pam_authenticate() failed: ", |
174 pam_strerror(pamh, status), NULL); |
175 break; |
176 } |
177 if (path != NULL) { |
178 /* log this as error, since it probably is */ |
179 str = t_strdup_printf("%s (%s missing?)", str, path); |
180 auth_request_log_error(request, "pam", "%s", str); |
181 } else if (status == PAM_AUTH_ERR) { |
182 str = t_strconcat(str, " (password mismatch?)", NULL); |
183 if (request->auth->verbose_debug_passwords) { |
184 str = t_strconcat(str, " (given password: ", |
185 request->mech_password, |
186 ")", NULL); |
187 } |
188 auth_request_log_info(request, "pam", "%s", str); |
189 } else { |
190 auth_request_log_info(request, "pam", "%s", str); |
191 } |
192 return status; |
193 } |
194 |
fe49ece0f3ea
We have now separate "userdb" and "passdb". They aren't tied to each others
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
195 #ifdef HAVE_PAM_SETCRED |
4357
ffb59f920018
Don't call pam_setcred() unless setcred=yes PAM passdb argument was given.
Timo Sirainen <tss@iki.fi>
parents:
3994
diff
changeset
|
196 if (module->pam_setcred) { |
ffb59f920018
Don't call pam_setcred() unless setcred=yes PAM passdb argument was given.
Timo Sirainen <tss@iki.fi>
parents:
3994
diff
changeset
|
197 if ((status = pam_setcred(pamh, PAM_ESTABLISH_CRED)) != |
ffb59f920018
Don't call pam_setcred() unless setcred=yes PAM passdb argument was given.
Timo Sirainen <tss@iki.fi>
parents:
3994
diff
changeset
|
198 PAM_SUCCESS) { |
6218
74df0c0743c4
PAM lookups are now always done in auth worker processes.
Timo Sirainen <tss@iki.fi>
parents:
6216
diff
changeset
|
199 auth_request_log_error(request, "pam", |
74df0c0743c4
PAM lookups are now always done in auth worker processes.
Timo Sirainen <tss@iki.fi>
parents:
6216
diff
changeset
|
200 "pam_setcred() failed: %s", |
74df0c0743c4
PAM lookups are now always done in auth worker processes.
Timo Sirainen <tss@iki.fi>
parents:
6216
diff
changeset
|
201 pam_strerror(pamh, status)); |
4357
ffb59f920018
Don't call pam_setcred() unless setcred=yes PAM passdb argument was given.
Timo Sirainen <tss@iki.fi>
parents:
3994
diff
changeset
|
202 return status; |
ffb59f920018
Don't call pam_setcred() unless setcred=yes PAM passdb argument was given.
Timo Sirainen <tss@iki.fi>
parents:
3994
diff
changeset
|
203 } |
1035
fe49ece0f3ea
We have now separate "userdb" and "passdb". They aren't tied to each others
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
204 } |
fe49ece0f3ea
We have now separate "userdb" and "passdb". They aren't tied to each others
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
205 #endif |
fe49ece0f3ea
We have now separate "userdb" and "passdb". They aren't tied to each others
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
206 |
fe49ece0f3ea
We have now separate "userdb" and "passdb". They aren't tied to each others
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
207 if ((status = pam_acct_mgmt(pamh, 0)) != PAM_SUCCESS) { |
6218
74df0c0743c4
PAM lookups are now always done in auth worker processes.
Timo Sirainen <tss@iki.fi>
parents:
6216
diff
changeset
|
208 auth_request_log_error(request, "pam", |
74df0c0743c4
PAM lookups are now always done in auth worker processes.
Timo Sirainen <tss@iki.fi>
parents:
6216
diff
changeset
|
209 "pam_acct_mgmt() failed: %s", |
74df0c0743c4
PAM lookups are now always done in auth worker processes.
Timo Sirainen <tss@iki.fi>
parents:
6216
diff
changeset
|
210 pam_strerror(pamh, status)); |
1035
fe49ece0f3ea
We have now separate "userdb" and "passdb". They aren't tied to each others
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
211 return status; |
fe49ece0f3ea
We have now separate "userdb" and "passdb". They aren't tied to each others
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
212 } |
fe49ece0f3ea
We have now separate "userdb" and "passdb". They aren't tied to each others
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
213 |
3657
0c10475d9968
Separated passdb_module's interface and the actual data struct. Now it's
Timo Sirainen <tss@iki.fi>
parents:
3656
diff
changeset
|
214 if (module->pam_session) { |
3508
b85c96ba56df
Open/close PAM session if -session option is given. Patch by Pasi Sj�m.
Timo Sirainen <tss@iki.fi>
parents:
3474
diff
changeset
|
215 if ((status = pam_open_session(pamh, 0)) != PAM_SUCCESS) { |
6218
74df0c0743c4
PAM lookups are now always done in auth worker processes.
Timo Sirainen <tss@iki.fi>
parents:
6216
diff
changeset
|
216 auth_request_log_error(request, "pam", |
74df0c0743c4
PAM lookups are now always done in auth worker processes.
Timo Sirainen <tss@iki.fi>
parents:
6216
diff
changeset
|
217 "pam_open_session() failed: %s", |
74df0c0743c4
PAM lookups are now always done in auth worker processes.
Timo Sirainen <tss@iki.fi>
parents:
6216
diff
changeset
|
218 pam_strerror(pamh, status)); |
3508
b85c96ba56df
Open/close PAM session if -session option is given. Patch by Pasi Sj�m.
Timo Sirainen <tss@iki.fi>
parents:
3474
diff
changeset
|
219 return status; |
b85c96ba56df
Open/close PAM session if -session option is given. Patch by Pasi Sj�m.
Timo Sirainen <tss@iki.fi>
parents:
3474
diff
changeset
|
220 } |
b85c96ba56df
Open/close PAM session if -session option is given. Patch by Pasi Sj�m.
Timo Sirainen <tss@iki.fi>
parents:
3474
diff
changeset
|
221 |
b85c96ba56df
Open/close PAM session if -session option is given. Patch by Pasi Sj�m.
Timo Sirainen <tss@iki.fi>
parents:
3474
diff
changeset
|
222 if ((status = pam_close_session(pamh, 0)) != PAM_SUCCESS) { |
6218
74df0c0743c4
PAM lookups are now always done in auth worker processes.
Timo Sirainen <tss@iki.fi>
parents:
6216
diff
changeset
|
223 auth_request_log_error(request, "pam", |
74df0c0743c4
PAM lookups are now always done in auth worker processes.
Timo Sirainen <tss@iki.fi>
parents:
6216
diff
changeset
|
224 "pam_close_session() failed: %s", |
74df0c0743c4
PAM lookups are now always done in auth worker processes.
Timo Sirainen <tss@iki.fi>
parents:
6216
diff
changeset
|
225 pam_strerror(pamh, status)); |
74df0c0743c4
PAM lookups are now always done in auth worker processes.
Timo Sirainen <tss@iki.fi>
parents:
6216
diff
changeset
|
226 return status; |
3508
b85c96ba56df
Open/close PAM session if -session option is given. Patch by Pasi Sj�m.
Timo Sirainen <tss@iki.fi>
parents:
3474
diff
changeset
|
227 } |
b85c96ba56df
Open/close PAM session if -session option is given. Patch by Pasi Sj�m.
Timo Sirainen <tss@iki.fi>
parents:
3474
diff
changeset
|
228 } |
b85c96ba56df
Open/close PAM session if -session option is given. Patch by Pasi Sj�m.
Timo Sirainen <tss@iki.fi>
parents:
3474
diff
changeset
|
229 |
6212
6162c80dc9b7
Code cleanups. Also if auth_debug is enabled, log PAM messages.
Timo Sirainen <tss@iki.fi>
parents:
6211
diff
changeset
|
230 status = pam_get_item(pamh, PAM_USER, &item); |
1035
fe49ece0f3ea
We have now separate "userdb" and "passdb". They aren't tied to each others
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
231 if (status != PAM_SUCCESS) { |
6218
74df0c0743c4
PAM lookups are now always done in auth worker processes.
Timo Sirainen <tss@iki.fi>
parents:
6216
diff
changeset
|
232 auth_request_log_error(request, "pam", |
74df0c0743c4
PAM lookups are now always done in auth worker processes.
Timo Sirainen <tss@iki.fi>
parents:
6216
diff
changeset
|
233 "pam_get_item(PAM_USER) failed: %s", |
74df0c0743c4
PAM lookups are now always done in auth worker processes.
Timo Sirainen <tss@iki.fi>
parents:
6216
diff
changeset
|
234 pam_strerror(pamh, status)); |
1035
fe49ece0f3ea
We have now separate "userdb" and "passdb". They aren't tied to each others
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
235 return status; |
fe49ece0f3ea
We have now separate "userdb" and "passdb". They aren't tied to each others
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
236 } |
6218
74df0c0743c4
PAM lookups are now always done in auth worker processes.
Timo Sirainen <tss@iki.fi>
parents:
6216
diff
changeset
|
237 auth_request_set_field(request, "user", item, NULL); |
1035
fe49ece0f3ea
We have now separate "userdb" and "passdb". They aren't tied to each others
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
238 return PAM_SUCCESS; |
fe49ece0f3ea
We have now separate "userdb" and "passdb". They aren't tied to each others
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
239 } |
fe49ece0f3ea
We have now separate "userdb" and "passdb". They aren't tied to each others
Timo Sirainen <tss@iki.fi>
parents:
diff
changeset
|
240 |
/* Fill in the optional PAM items (remote host, remote user, TTY) on a PAM
   handle before authentication is attempted on it. */
static void set_pam_items(struct auth_request *request, pam_handle_t *pamh)
{
	const char *remote_addr = net_ip2addr(&request->remote_ip);

	/* Every pam_set_item() result is discarded on purpose: none of these
	   calls is expected to fail and a failure is not treated as fatal.
	   NOTE(review): a PAM stack that bases access decisions on PAM_RHOST
	   or PAM_TTY would then run without that item - confirm this is
	   acceptable for the deployed stack. */
	if (remote_addr != NULL)
		(void)pam_set_item(pamh, PAM_RHOST, remote_addr);
	(void)pam_set_item(pamh, PAM_RUSER, request->user);
	/* modules such as pam_access need a TTY, so a fixed one is given */
	(void)pam_set_item(pamh, PAM_TTY, "dovecot");
}
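/* Run one complete PAM transaction for a plaintext password check.

   Starts a PAM handle for `service` and request->user, sets the optional
   items, runs try_pam_auth() and ends the handle again. The status returned
   by try_pam_auth() is then translated into a passdb result. When the result
   is not OK and the conversation context holds a failure message, that
   message is stored in the request's "reason" field.

   Returns PASSDB_RESULT_INTERNAL_FAILURE if pam_start() or pam_end() fails,
   regardless of what the authentication itself returned. */
static enum passdb_result
pam_verify_plain_call(struct auth_request *request, const char *service,
		      const char *password)
{
	/* NULL instead of an indeterminate value, so that the pam_start()
	   failure path never hands an uninitialized pointer to
	   pam_strerror() */
	pam_handle_t *pamh = NULL;
	struct pam_conv_context ctx;
	struct pam_conv conv;
	enum passdb_result result;
	int status, status2;

	/* the context only stores the caller's password pointer here;
	   this function makes no copy of the password */
	memset(&ctx, 0, sizeof(ctx));
	ctx.request = request;
	ctx.pass = password;

	conv.conv = pam_userpass_conv;
	conv.appdata_ptr = &ctx;

	status = pam_start(service, request->user, &conv, &pamh);
	if (status != PAM_SUCCESS) {
		auth_request_log_error(request, "pam", "pam_start() failed: %s",
				       pam_strerror(pamh, status));
		return PASSDB_RESULT_INTERNAL_FAILURE;
	}

	set_pam_items(request, pamh);
	status = try_pam_auth(request, pamh, service);

	/* the handle is ended on every path once pam_start() succeeded */
	status2 = pam_end(pamh, status);
	if (status2 != PAM_SUCCESS) {
		/* NOTE(review): pamh has already been given to pam_end() at
		   this point; this relies on pam_strerror() not dereferencing
		   the handle - confirm for the targeted PAM libraries. */
		auth_request_log_error(request, "pam", "pam_end() failed: %s",
				       pam_strerror(pamh, status2));
		return PASSDB_RESULT_INTERNAL_FAILURE;
	}

	switch (status) {
	case PAM_SUCCESS:
		result = PASSDB_RESULT_OK;
		break;
	case PAM_USER_UNKNOWN:
		result = PASSDB_RESULT_USER_UNKNOWN;
		break;
	case PAM_NEW_AUTHTOK_REQD:
	case PAM_ACCT_EXPIRED:
		result = PASSDB_RESULT_PASS_EXPIRED;
		break;
	default:
		/* every other PAM status, PAM-side errors included, is
		   reported as a password mismatch, so no such status can
		   end up as a successful login */
		result = PASSDB_RESULT_PASSWORD_MISMATCH;
		break;
	}

	if (result != PASSDB_RESULT_OK && ctx.failure_msg != NULL) {
		auth_request_set_field(request, "reason",
				       ctx.failure_msg, NULL);
	}
	return result;
}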
/* passdb verify_plain entry point: expand the configured PAM service name for
   this request, run the PAM check and pass its result to `callback`. */
static void
pam_verify_plain(struct auth_request *request, const char *password,
		 verify_plain_callback_t *callback)
{
	struct pam_passdb_module *module =
		(struct pam_passdb_module *)request->passdb->passdb;
	string_t *expanded_service;
	const char *service;

	/* Count down the per-process request budget. A value of 0 is never
	   decremented, so 0 means no limit. Reaching 0 here sets
	   shutdown_request (presumably making the process exit once this
	   lookup is done - it is defined outside this function). */
	if (module->requests_left > 0 && --module->requests_left == 0)
		shutdown_request = TRUE;

	/* The service name is a template expanded with the request's
	   variables, and the result is what gets handed to the PAM lookup.
	   NOTE(review): the PAM service name selects which PAM configuration
	   is applied, so a template built from client-supplied variables
	   would let the client influence that choice - verify which
	   variables deployments are expected to use here. */
	expanded_service = t_str_new(64);
	var_expand(expanded_service, module->service_name,
		   auth_request_get_var_expand_table(request, NULL));
	service = str_c(expanded_service);

	auth_request_log_debug(request, "pam", "lookup service=%s", service);

	callback(pam_verify_plain_call(request, service, password), request);
}
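/* Parse the value of a max_requests=<n> argument: one to nine decimal digits
   and nothing else. Returns the number, or -1 if the text is not such a
   number. The nine-digit cap keeps the result inside the range of int. */
static int pam_parse_max_requests(const char *value)
{
	unsigned int ndigits = 0;
	int count = 0;

	for (; *value >= '0' && *value <= '9'; value++) {
		if (++ndigits > 9)
			return -1;
		count = count * 10 + (*value - '0');
	}
	if (ndigits == 0 || *value != '\0')
		return -1;
	return count;
}

/* Allocate the PAM passdb module from the auth pool and apply the
   space-separated `args`.

   Recognized arguments: -session / session=yes, setcred=yes, cache_key=<key>,
   blocking=yes (accepted and ignored), failure_show_msg=yes, "*" and
   max_requests=<n>. Any other word is taken as the PAM service name if it is
   the last argument, and is a fatal configuration error otherwise. A
   max_requests value that is not a plain decimal number is also fatal: atoi()
   used to turn such a value into 0, which pam_verify_plain() treats as "no
   limit", so a typo silently removed the limit.

   Returns the generic passdb_module embedded in the new PAM module. */
static struct passdb_module *
pam_preinit(struct auth_passdb *auth_passdb, const char *args)
{
	struct pam_passdb_module *module;
	const char *const *t_args;
	int i, max_requests;

	module = p_new(auth_passdb->auth->pool, struct pam_passdb_module, 1);
	module->service_name = "dovecot";
	/* we're caching the password by using directly the plaintext password
	   given by the auth mechanism */
	module->module.default_pass_scheme = "PLAIN";
	module->module.blocking = TRUE;
	module->requests_left = PASSDB_PAM_DEFAULT_MAX_REQUESTS;

	t_args = t_strsplit_spaces(args, " ");
	for (i = 0; t_args[i] != NULL; i++) {
		/* -session for backwards compatibility */
		if (strcmp(t_args[i], "-session") == 0 ||
		    strcmp(t_args[i], "session=yes") == 0) {
			module->pam_session = TRUE;
		} else if (strcmp(t_args[i], "setcred=yes") == 0) {
			module->pam_setcred = TRUE;
		} else if (strncmp(t_args[i], "cache_key=", 10) == 0) {
			module->module.cache_key =
				auth_cache_parse_key(auth_passdb->auth->pool,
						     t_args[i] + 10);
		} else if (strcmp(t_args[i], "blocking=yes") == 0) {
			/* ignore, for backwards compatibility */
		} else if (strcmp(t_args[i], "failure_show_msg=yes") == 0) {
			module->failure_show_msg = TRUE;
		} else if (strcmp(t_args[i], "*") == 0) {
			/* for backwards compatibility */
			module->service_name = "%Ls";
		} else if (strncmp(t_args[i], "max_requests=", 13) == 0) {
			max_requests = pam_parse_max_requests(t_args[i] + 13);
			if (max_requests < 0) {
				i_fatal("passdb pam: Invalid max_requests "
					"value: %s", t_args[i] + 13);
			}
			/* an explicit 0 is still accepted and leaves the
			   request count unlimited */
			module->requests_left = max_requests;
		} else if (t_args[i+1] == NULL) {
			/* an unrecognized last word is the service name */
			module->service_name =
				p_strdup(auth_passdb->auth->pool, t_args[i]);
		} else {
			i_fatal("passdb pam: Unknown setting: %s", t_args[i]);
		}
	}
	return &module->module;
}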
/* Registration record for the PAM password database (the variant that
   carries real callbacks; the #else branch further down defines a
   name-only stub).  The initializer is positional, so its entries must
   stay in the member order of struct passdb_module_interface, which is
   declared outside this file.  Apart from "name", the slot meanings noted
   below are assumed from the grouping - confirm against that declaration. */
struct passdb_module_interface passdb_pam = {
	"pam",			/* name */

	pam_preinit,		/* first lifecycle hook */
	NULL, NULL,		/* remaining lifecycle hooks: not provided */

	pam_verify_plain,	/* plaintext password verification; the only
				   authentication callback this backend sets */
	NULL, NULL		/* remaining credential callbacks: not provided,
				   so this backend hands out no stored
				   credentials (presumably lookup/update -
				   TODO confirm) */
};
392 #else |
/* Name-only stub for the #else branch: no callbacks are set, only the
   backend name.  Presumably this lets a build without PAM support report
   "not compiled in" for passdb "pam" instead of treating the name as
   unknown - confirm against the code that looks the name up. */
struct passdb_module_interface passdb_pam = { MEMBER(name) "pam" };
396 #endif |