annotate src/auth/passdb-pam.c @ 9008:fc4f65a4ca60 HEAD

virtual: Don't show mailboxes as \Noselect.
author Timo Sirainen <tss@iki.fi>
date Fri, 01 May 2009 14:56:52 -0400
parents 323c8eff78d4
children 48b1f2b7144b
1035
fe49ece0f3ea We have now separate "userdb" and "passdb". They aren't tied to each others
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
1 /*
fe49ece0f3ea We have now separate "userdb" and "passdb". They aren't tied to each others
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
2 Based on auth_pam.c from popa3d by Solar Designer <solar@openwall.com>.
fe49ece0f3ea We have now separate "userdb" and "passdb". They aren't tied to each others
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
3
fe49ece0f3ea We have now separate "userdb" and "passdb". They aren't tied to each others
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
4 You're allowed to do whatever you like with this software (including
fe49ece0f3ea We have now separate "userdb" and "passdb". They aren't tied to each others
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
5 re-distribution in source and/or binary form, with or without
fe49ece0f3ea We have now separate "userdb" and "passdb". They aren't tied to each others
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
6 modification), provided that credit is given where it is due and any
fe49ece0f3ea We have now separate "userdb" and "passdb". They aren't tied to each others
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
7 modified versions are marked as such. There's absolutely no warranty.
fe49ece0f3ea We have now separate "userdb" and "passdb". They aren't tied to each others
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
8 */
fe49ece0f3ea We have now separate "userdb" and "passdb". They aren't tied to each others
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
9
3474
9096b7957413 Removed direct config.h including. I'm not sure why it was done before,
Timo Sirainen <tss@iki.fi>
parents: 3426
diff changeset
10 #include "common.h"
8217
c47b78e843aa Separate "unknown passdb/userdb X" and "support for X not compiled in" error messages.
Timo Sirainen <tss@iki.fi>
parents: 6940
diff changeset
11 #include "passdb.h"
1035
fe49ece0f3ea We have now separate "userdb" and "passdb". They aren't tied to each others
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
12
fe49ece0f3ea We have now separate "userdb" and "passdb". They aren't tied to each others
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
13 #ifdef PASSDB_PAM
fe49ece0f3ea We have now separate "userdb" and "passdb". They aren't tied to each others
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
14
4564
6012b0978d2c Use SIGCHLD handler to check for killed child processes instead of a timeout
Timo Sirainen <tss@iki.fi>
parents: 4374
diff changeset
15 #include "lib-signals.h"
5263
8384f797c0fc PAM service name supports variables now.
Timo Sirainen <tss@iki.fi>
parents: 5259
diff changeset
16 #include "str.h"
8384f797c0fc PAM service name supports variables now.
Timo Sirainen <tss@iki.fi>
parents: 5259
diff changeset
17 #include "var-expand.h"
2134
c70d0155d93c Set PAM_RHOST for PAM if it's known.
Timo Sirainen <tss@iki.fi>
parents: 2099
diff changeset
18 #include "network.h"
1035
fe49ece0f3ea We have now separate "userdb" and "passdb". They aren't tied to each others
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
19 #include "safe-memset.h"
6241
17e056f924cb Store cache_key via auth_cache_parse_key() which adds TABs between the
Timo Sirainen <tss@iki.fi>
parents: 6218
diff changeset
20 #include "auth-cache.h"
1035
fe49ece0f3ea We have now separate "userdb" and "passdb". They aren't tied to each others
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
21
fe49ece0f3ea We have now separate "userdb" and "passdb". They aren't tied to each others
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
22 #include <stdlib.h>
8251
26e7d4905d81 PAM: Attempt to give better error messages.
Timo Sirainen <tss@iki.fi>
parents: 8217
diff changeset
23 #include <sys/stat.h>
5120
e4acabdc0de0 If PAM child process hasn't responded in two minutes, send KILL signal to
Timo Sirainen <tss@iki.fi>
parents: 4907
diff changeset
24
1035
fe49ece0f3ea We have now separate "userdb" and "passdb". They aren't tied to each others
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
25 #ifdef HAVE_SECURITY_PAM_APPL_H
fe49ece0f3ea We have now separate "userdb" and "passdb". They aren't tied to each others
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
26 # include <security/pam_appl.h>
fe49ece0f3ea We have now separate "userdb" and "passdb". They aren't tied to each others
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
27 #elif defined(HAVE_PAM_PAM_APPL_H)
fe49ece0f3ea We have now separate "userdb" and "passdb". They aren't tied to each others
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
28 # include <pam/pam_appl.h>
fe49ece0f3ea We have now separate "userdb" and "passdb". They aren't tied to each others
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
29 #endif
fe49ece0f3ea We have now separate "userdb" and "passdb". They aren't tied to each others
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
30
1121
282e0980c3f2 OpenPAM uses const too.
Timo Sirainen <tss@iki.fi>
parents: 1075
diff changeset
#if !defined(_SECURITY_PAM_APPL_H) && !defined(LINUX_PAM) && !defined(_OPENPAM)
/* None of the macros tested above is defined, so the PAM headers are taken
   to be Sun's PAM, whose prototypes don't use const. This is a heuristic,
   not a real feature test: it began as a plain __sun__ check, but HP/UX
   uses Sun's PAM as well. */
# define SUNPAM
#endif

/* linux_const expands to "const" everywhere except on Sun's PAM, so the
   same declarations match either family of PAM prototypes. */
#ifndef SUNPAM
# define linux_const const
#else
# define linux_const
#endif
/* Generic item pointer whose constness follows the PAM implementation. */
typedef linux_const void *pam_item_t;

/* Default request budget. Presumably what requests_left starts from when
   no max_requests=n argument is given - confirm against the init code. */
#define PASSDB_PAM_DEFAULT_MAX_REQUESTS 100
b6a7bc10c19a Replaced auth_worker_max_request_count setting with passdb pam { args = max_requests=n }
Timo Sirainen <tss@iki.fi>
parents: 8513
diff changeset
46
3657
0c10475d9968 Separated passdb_module's interface and the actual data struct. Now it's
Timo Sirainen <tss@iki.fi>
parents: 3656
diff changeset
/* PAM-specific passdb state. */
struct pam_passdb_module {
	/* Generic passdb interface. Must stay the first member: the code in
	   this file casts struct passdb_module * to
	   struct pam_passdb_module *. */
	struct passdb_module module;

	/* PAM service name */
	const char *service_name;
	/* NOTE(review): presumably the auth cache key template for PAM
	   lookups - confirm where it is assigned */
	const char *pam_cache_key;
	/* remaining request budget; see PASSDB_PAM_DEFAULT_MAX_REQUESTS */
	unsigned int requests_left;

	/* call pam_setcred() after a successful pam_authenticate() */
	unsigned int pam_setcred:1;
	/* NOTE(review): presumably enables PAM session calls - confirm
	   where this flag is read */
	unsigned int pam_session:1;
	/* remember the text of the password prompt in
	   pam_conv_context.failure_msg */
	unsigned int failure_show_msg:1;
};
0c10475d9968 Separated passdb_module's interface and the actual data struct. Now it's
Timo Sirainen <tss@iki.fi>
parents: 3656
diff changeset
57
6212
6162c80dc9b7 Code cleanups. Also if auth_debug is enabled, log PAM messages.
Timo Sirainen <tss@iki.fi>
parents: 6211
diff changeset
/* Application data handed to pam_userpass_conv() through appdata_ptr. */
struct pam_conv_context {
	/* auth request being verified; supplies the user name and is used
	   for logging */
	struct auth_request *request;
	/* plaintext password given as the answer to PAM_PROMPT_ECHO_OFF.
	   The conversation function only strdup()s it; it is neither
	   modified nor freed through this pointer. */
	const char *pass;
	/* text of the most recent PAM_PROMPT_ECHO_OFF prompt, stored only
	   when the module's failure_show_msg flag is set */
	const char *failure_msg;
};
fe49ece0f3ea We have now separate "userdb" and "passdb". They aren't tied to each others
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
63
6212
6162c80dc9b7 Code cleanups. Also if auth_debug is enabled, log PAM messages.
Timo Sirainen <tss@iki.fi>
parents: 6211
diff changeset
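/* PAM conversation callback that answers every prompt non-interactively
   from the credentials stored in struct pam_conv_context.

   num_msg     - number of entries in msg
   msg         - prompts sent by the PAM module
   resp_r      - set to a calloc()ed array of num_msg responses on success,
                 NULL on failure
   appdata_ptr - struct pam_conv_context * for this request

   Returns PAM_SUCCESS, or PAM_CONV_ERR if the message count is not
   positive or a message has an unknown style. Running out of memory is
   fatal for the process.

   The response array and the strings in it are allocated with
   calloc()/strdup() instead of Dovecot's own allocators; the PAM side is
   expected to free() them once the callback has succeeded. */
static int
pam_userpass_conv(int num_msg, linux_const struct pam_message **msg,
		  struct pam_response **resp_r, void *appdata_ptr)
{
	/* @UNSAFE */
	struct pam_conv_context *ctx = appdata_ptr;
	struct passdb_module *_passdb = ctx->request->passdb->passdb;
	struct pam_passdb_module *passdb = (struct pam_passdb_module *)_passdb;
	struct pam_response *resp;
	char *string;
	int i;

	*resp_r = NULL;

	if (num_msg <= 0) {
		/* A negative count would be converted to a huge size_t in
		   calloc(), and calloc(0, ..) is allowed to return NULL.
		   Both used to end in a misleading fatal "Out of memory",
		   so reject a bogus count as a conversation error. */
		return PAM_CONV_ERR;
	}

	resp = calloc((size_t)num_msg, sizeof(*resp));
	if (resp == NULL)
		i_fatal_status(FATAL_OUTOFMEM, "Out of memory");

	/* NOTE(review): msg[i]-> treats msg as an array of pointers. PAM
	   implementations are known to disagree on the layout of this
	   argument when num_msg > 1 - confirm for SUNPAM builds. */
	for (i = 0; i < num_msg; i++) {
		/* only the prompt text is logged here, never the answer */
		auth_request_log_debug(ctx->request, "pam",
				       "#%d/%d style=%d msg=%s", i+1, num_msg,
				       msg[i]->msg_style,
				       msg[i]->msg != NULL ? msg[i]->msg : "");
		switch (msg[i]->msg_style) {
		case PAM_PROMPT_ECHO_ON:
			/* Assume we're asking for user. We might not ever
			   get here because PAM already knows the user. */
			string = strdup(ctx->request->user);
			if (string == NULL)
				i_fatal_status(FATAL_OUTOFMEM, "Out of memory");
			break;
		case PAM_PROMPT_ECHO_OFF:
			/* Assume we're asking for password */
			if (passdb->failure_show_msg)
				ctx->failure_msg = t_strdup(msg[i]->msg);
			string = strdup(ctx->pass);
			if (string == NULL)
				i_fatal_status(FATAL_OUTOFMEM, "Out of memory");
			break;
		case PAM_ERROR_MSG:
		case PAM_TEXT_INFO:
			/* informational only, no answer expected */
			string = NULL;
			break;
		default:
			/* Unknown message style. The answers built so far may
			   contain a copy of the password, so wipe each one
			   before freeing it. */
			while (--i >= 0) {
				if (resp[i].resp != NULL) {
					safe_memset(resp[i].resp, 0,
						    strlen(resp[i].resp));
					free(resp[i].resp);
				}
			}

			free(resp);
			return PAM_CONV_ERR;
		}

		resp[i].resp_retcode = PAM_SUCCESS;
		resp[i].resp = string;
	}

	*resp_r = resp;
	return PAM_SUCCESS;
}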
fe49ece0f3ea We have now separate "userdb" and "passdb". They aren't tied to each others
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
127
8251
26e7d4905d81 PAM: Attempt to give better error messages.
Timo Sirainen <tss@iki.fi>
parents: 8217
diff changeset
/* Diagnostic helper for failed logins: returns the path of the PAM service
   file when it looks like that file is missing, otherwise NULL.

   Only the first call in a process does the check, whatever service name
   it is given; later calls always return NULL so the problem is reported
   once. On Sun's PAM the function always returns NULL.

   The returned string comes from t_strdup_printf(), so the caller doesn't
   free it.

   NOTE(review): service is put into the path as-is. The path is only
   stat()ed and returned, but if the service name can contain '/' (for
   example after variable expansion) the check looks outside /etc/pam.d -
   confirm what the caller allows. */
static const char *
pam_get_missing_service_file_path(const char *service ATTR_UNUSED)
{
#ifdef SUNPAM
	/* Uses /etc/pam.conf - we're not going to parse that */
	return NULL;
#else
	static bool service_checked = FALSE;
	struct stat st;
	const char *path;

	/* check and complain only once */
	if (service_checked)
		return NULL;
	service_checked = TRUE;

	path = t_strdup_printf("/etc/pam.d/%s", service);
	if (stat(path, &st) >= 0 || errno != ENOENT) {
		/* exists or is unknown */
		return NULL;
	}

	/* The service file looks missing, but that only means something if
	   the system uses /etc/pam.d at all, so make sure the directory
	   exists. */
	if (stat("/etc/pam.d", &st) != 0)
		return NULL;
	return path;
#endif
}
26e7d4905d81 PAM: Attempt to give better error messages.
Timo Sirainen <tss@iki.fi>
parents: 8217
diff changeset
156
26e7d4905d81 PAM: Attempt to give better error messages.
Timo Sirainen <tss@iki.fi>
parents: 8217
diff changeset
157 static int try_pam_auth(struct auth_request *request, pam_handle_t *pamh,
26e7d4905d81 PAM: Attempt to give better error messages.
Timo Sirainen <tss@iki.fi>
parents: 8217
diff changeset
158 const char *service)
1035
fe49ece0f3ea We have now separate "userdb" and "passdb". They aren't tied to each others
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
159 {
3657
0c10475d9968 Separated passdb_module's interface and the actual data struct. Now it's
Timo Sirainen <tss@iki.fi>
parents: 3656
diff changeset
160 struct passdb_module *_module = request->passdb->passdb;
0c10475d9968 Separated passdb_module's interface and the actual data struct. Now it's
Timo Sirainen <tss@iki.fi>
parents: 3656
diff changeset
161 struct pam_passdb_module *module = (struct pam_passdb_module *)_module;
8251
26e7d4905d81 PAM: Attempt to give better error messages.
Timo Sirainen <tss@iki.fi>
parents: 8217
diff changeset
162 const char *path, *str;
6212
6162c80dc9b7 Code cleanups. Also if auth_debug is enabled, log PAM messages.
Timo Sirainen <tss@iki.fi>
parents: 6211
diff changeset
163 pam_item_t item;
1035
fe49ece0f3ea We have now separate "userdb" and "passdb". They aren't tied to each others
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
164 int status;
fe49ece0f3ea We have now separate "userdb" and "passdb". They aren't tied to each others
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
165
fe49ece0f3ea We have now separate "userdb" and "passdb". They aren't tied to each others
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
166 if ((status = pam_authenticate(pamh, 0)) != PAM_SUCCESS) {
8251
26e7d4905d81 PAM: Attempt to give better error messages.
Timo Sirainen <tss@iki.fi>
parents: 8217
diff changeset
167 path = pam_get_missing_service_file_path(service);
26e7d4905d81 PAM: Attempt to give better error messages.
Timo Sirainen <tss@iki.fi>
parents: 8217
diff changeset
168 switch (status) {
26e7d4905d81 PAM: Attempt to give better error messages.
Timo Sirainen <tss@iki.fi>
parents: 8217
diff changeset
169 case PAM_USER_UNKNOWN:
26e7d4905d81 PAM: Attempt to give better error messages.
Timo Sirainen <tss@iki.fi>
parents: 8217
diff changeset
170 str = "unknown user";
26e7d4905d81 PAM: Attempt to give better error messages.
Timo Sirainen <tss@iki.fi>
parents: 8217
diff changeset
171 break;
26e7d4905d81 PAM: Attempt to give better error messages.
Timo Sirainen <tss@iki.fi>
parents: 8217
diff changeset
172 default:
26e7d4905d81 PAM: Attempt to give better error messages.
Timo Sirainen <tss@iki.fi>
parents: 8217
diff changeset
173 str = t_strconcat("pam_authenticate() failed: ",
26e7d4905d81 PAM: Attempt to give better error messages.
Timo Sirainen <tss@iki.fi>
parents: 8217
diff changeset
174 pam_strerror(pamh, status), NULL);
26e7d4905d81 PAM: Attempt to give better error messages.
Timo Sirainen <tss@iki.fi>
parents: 8217
diff changeset
175 break;
26e7d4905d81 PAM: Attempt to give better error messages.
Timo Sirainen <tss@iki.fi>
parents: 8217
diff changeset
176 }
26e7d4905d81 PAM: Attempt to give better error messages.
Timo Sirainen <tss@iki.fi>
parents: 8217
diff changeset
177 if (path != NULL) {
26e7d4905d81 PAM: Attempt to give better error messages.
Timo Sirainen <tss@iki.fi>
parents: 8217
diff changeset
178 /* log this as error, since it probably is */
26e7d4905d81 PAM: Attempt to give better error messages.
Timo Sirainen <tss@iki.fi>
parents: 8217
diff changeset
179 str = t_strdup_printf("%s (%s missing?)", str, path);
26e7d4905d81 PAM: Attempt to give better error messages.
Timo Sirainen <tss@iki.fi>
parents: 8217
diff changeset
180 auth_request_log_error(request, "pam", "%s", str);
8709
323c8eff78d4 auth_debug_passwords=yes: Log password for PAM lookups.
Timo Sirainen <tss@iki.fi>
parents: 8560
diff changeset
181 } else if (status == PAM_AUTH_ERR) {
323c8eff78d4 auth_debug_passwords=yes: Log password for PAM lookups.
Timo Sirainen <tss@iki.fi>
parents: 8560
diff changeset
182 str = t_strconcat(str, " (password mismatch?)", NULL);
323c8eff78d4 auth_debug_passwords=yes: Log password for PAM lookups.
Timo Sirainen <tss@iki.fi>
parents: 8560
diff changeset
183 if (request->auth->verbose_debug_passwords) {
323c8eff78d4 auth_debug_passwords=yes: Log password for PAM lookups.
Timo Sirainen <tss@iki.fi>
parents: 8560
diff changeset
184 str = t_strconcat(str, " (given password: ",
323c8eff78d4 auth_debug_passwords=yes: Log password for PAM lookups.
Timo Sirainen <tss@iki.fi>
parents: 8560
diff changeset
185 request->mech_password,
323c8eff78d4 auth_debug_passwords=yes: Log password for PAM lookups.
Timo Sirainen <tss@iki.fi>
parents: 8560
diff changeset
186 ")", NULL);
323c8eff78d4 auth_debug_passwords=yes: Log password for PAM lookups.
Timo Sirainen <tss@iki.fi>
parents: 8560
diff changeset
187 }
323c8eff78d4 auth_debug_passwords=yes: Log password for PAM lookups.
Timo Sirainen <tss@iki.fi>
parents: 8560
diff changeset
188 auth_request_log_info(request, "pam", "%s", str);
8251
26e7d4905d81 PAM: Attempt to give better error messages.
Timo Sirainen <tss@iki.fi>
parents: 8217
diff changeset
189 } else {
26e7d4905d81 PAM: Attempt to give better error messages.
Timo Sirainen <tss@iki.fi>
parents: 8217
diff changeset
190 auth_request_log_info(request, "pam", "%s", str);
26e7d4905d81 PAM: Attempt to give better error messages.
Timo Sirainen <tss@iki.fi>
parents: 8217
diff changeset
191 }
1035
fe49ece0f3ea We have now separate "userdb" and "passdb". They aren't tied to each others
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
192 return status;
fe49ece0f3ea We have now separate "userdb" and "passdb". They aren't tied to each others
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
193 }
fe49ece0f3ea We have now separate "userdb" and "passdb". They aren't tied to each others
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
194
fe49ece0f3ea We have now separate "userdb" and "passdb". They aren't tied to each others
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
195 #ifdef HAVE_PAM_SETCRED
4357
ffb59f920018 Don't call pam_setcred() unless setcred=yes PAM passdb argument was given.
Timo Sirainen <tss@iki.fi>
parents: 3994
diff changeset
196 if (module->pam_setcred) {
ffb59f920018 Don't call pam_setcred() unless setcred=yes PAM passdb argument was given.
Timo Sirainen <tss@iki.fi>
parents: 3994
diff changeset
197 if ((status = pam_setcred(pamh, PAM_ESTABLISH_CRED)) !=
ffb59f920018 Don't call pam_setcred() unless setcred=yes PAM passdb argument was given.
Timo Sirainen <tss@iki.fi>
parents: 3994
diff changeset
198 PAM_SUCCESS) {
6218
74df0c0743c4 PAM lookups are now always done in auth worker processes.
Timo Sirainen <tss@iki.fi>
parents: 6216
diff changeset
199 auth_request_log_error(request, "pam",
74df0c0743c4 PAM lookups are now always done in auth worker processes.
Timo Sirainen <tss@iki.fi>
parents: 6216
diff changeset
200 "pam_setcred() failed: %s",
74df0c0743c4 PAM lookups are now always done in auth worker processes.
Timo Sirainen <tss@iki.fi>
parents: 6216
diff changeset
201 pam_strerror(pamh, status));
4357
ffb59f920018 Don't call pam_setcred() unless setcred=yes PAM passdb argument was given.
Timo Sirainen <tss@iki.fi>
parents: 3994
diff changeset
202 return status;
ffb59f920018 Don't call pam_setcred() unless setcred=yes PAM passdb argument was given.
Timo Sirainen <tss@iki.fi>
parents: 3994
diff changeset
203 }
1035
fe49ece0f3ea We have now separate "userdb" and "passdb". They aren't tied to each others
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
204 }
fe49ece0f3ea We have now separate "userdb" and "passdb". They aren't tied to each others
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
205 #endif
fe49ece0f3ea We have now separate "userdb" and "passdb". They aren't tied to each others
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
206
fe49ece0f3ea We have now separate "userdb" and "passdb". They aren't tied to each others
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
207 if ((status = pam_acct_mgmt(pamh, 0)) != PAM_SUCCESS) {
6218
74df0c0743c4 PAM lookups are now always done in auth worker processes.
Timo Sirainen <tss@iki.fi>
parents: 6216
diff changeset
208 auth_request_log_error(request, "pam",
74df0c0743c4 PAM lookups are now always done in auth worker processes.
Timo Sirainen <tss@iki.fi>
parents: 6216
diff changeset
209 "pam_acct_mgmt() failed: %s",
74df0c0743c4 PAM lookups are now always done in auth worker processes.
Timo Sirainen <tss@iki.fi>
parents: 6216
diff changeset
210 pam_strerror(pamh, status));
1035
fe49ece0f3ea We have now separate "userdb" and "passdb". They aren't tied to each others
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
211 return status;
fe49ece0f3ea We have now separate "userdb" and "passdb". They aren't tied to each others
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
212 }
fe49ece0f3ea We have now separate "userdb" and "passdb". They aren't tied to each others
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
213
3657
0c10475d9968 Separated passdb_module's interface and the actual data struct. Now it's
Timo Sirainen <tss@iki.fi>
parents: 3656
diff changeset
214 if (module->pam_session) {
3508
b85c96ba56df Open/close PAM session if -session option is given. Patch by Pasi Sj�m.
Timo Sirainen <tss@iki.fi>
parents: 3474
diff changeset
215 if ((status = pam_open_session(pamh, 0)) != PAM_SUCCESS) {
6218
74df0c0743c4 PAM lookups are now always done in auth worker processes.
Timo Sirainen <tss@iki.fi>
parents: 6216
diff changeset
216 auth_request_log_error(request, "pam",
74df0c0743c4 PAM lookups are now always done in auth worker processes.
Timo Sirainen <tss@iki.fi>
parents: 6216
diff changeset
217 "pam_open_session() failed: %s",
74df0c0743c4 PAM lookups are now always done in auth worker processes.
Timo Sirainen <tss@iki.fi>
parents: 6216
diff changeset
218 pam_strerror(pamh, status));
3508
b85c96ba56df Open/close PAM session if -session option is given. Patch by Pasi Sj�m.
Timo Sirainen <tss@iki.fi>
parents: 3474
diff changeset
219 return status;
b85c96ba56df Open/close PAM session if -session option is given. Patch by Pasi Sj�m.
Timo Sirainen <tss@iki.fi>
parents: 3474
diff changeset
220 }
b85c96ba56df Open/close PAM session if -session option is given. Patch by Pasi Sj�m.
Timo Sirainen <tss@iki.fi>
parents: 3474
diff changeset
221
b85c96ba56df Open/close PAM session if -session option is given. Patch by Pasi Sj�m.
Timo Sirainen <tss@iki.fi>
parents: 3474
diff changeset
222 if ((status = pam_close_session(pamh, 0)) != PAM_SUCCESS) {
6218
74df0c0743c4 PAM lookups are now always done in auth worker processes.
Timo Sirainen <tss@iki.fi>
parents: 6216
diff changeset
223 auth_request_log_error(request, "pam",
74df0c0743c4 PAM lookups are now always done in auth worker processes.
Timo Sirainen <tss@iki.fi>
parents: 6216
diff changeset
224 "pam_close_session() failed: %s",
74df0c0743c4 PAM lookups are now always done in auth worker processes.
Timo Sirainen <tss@iki.fi>
parents: 6216
diff changeset
225 pam_strerror(pamh, status));
74df0c0743c4 PAM lookups are now always done in auth worker processes.
Timo Sirainen <tss@iki.fi>
parents: 6216
diff changeset
226 return status;
3508
b85c96ba56df Open/close PAM session if -session option is given. Patch by Pasi Sj�m.
Timo Sirainen <tss@iki.fi>
parents: 3474
diff changeset
227 }
b85c96ba56df Open/close PAM session if -session option is given. Patch by Pasi Sj�m.
Timo Sirainen <tss@iki.fi>
parents: 3474
diff changeset
228 }
b85c96ba56df Open/close PAM session if -session option is given. Patch by Pasi Sj�m.
Timo Sirainen <tss@iki.fi>
parents: 3474
diff changeset
229
6212
6162c80dc9b7 Code cleanups. Also if auth_debug is enabled, log PAM messages.
Timo Sirainen <tss@iki.fi>
parents: 6211
diff changeset
230 status = pam_get_item(pamh, PAM_USER, &item);
1035
fe49ece0f3ea We have now separate "userdb" and "passdb". They aren't tied to each others
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
231 if (status != PAM_SUCCESS) {
6218
74df0c0743c4 PAM lookups are now always done in auth worker processes.
Timo Sirainen <tss@iki.fi>
parents: 6216
diff changeset
232 auth_request_log_error(request, "pam",
74df0c0743c4 PAM lookups are now always done in auth worker processes.
Timo Sirainen <tss@iki.fi>
parents: 6216
diff changeset
233 "pam_get_item(PAM_USER) failed: %s",
74df0c0743c4 PAM lookups are now always done in auth worker processes.
Timo Sirainen <tss@iki.fi>
parents: 6216
diff changeset
234 pam_strerror(pamh, status));
1035
fe49ece0f3ea We have now separate "userdb" and "passdb". They aren't tied to each others
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
235 return status;
fe49ece0f3ea We have now separate "userdb" and "passdb". They aren't tied to each others
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
236 }
6218
74df0c0743c4 PAM lookups are now always done in auth worker processes.
Timo Sirainen <tss@iki.fi>
parents: 6216
diff changeset
237 auth_request_set_field(request, "user", item, NULL);
1035
fe49ece0f3ea We have now separate "userdb" and "passdb". They aren't tied to each others
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
238 return PAM_SUCCESS;
fe49ece0f3ea We have now separate "userdb" and "passdb". They aren't tied to each others
Timo Sirainen <tss@iki.fi>
parents:
diff changeset
239 }
/* Pass the request's connection context to PAM: remote host, remote user
   and a fixed TTY name. All three calls are best-effort and their return
   values are deliberately discarded. */
static void set_pam_items(struct auth_request *request, pam_handle_t *pamh)
{
	const char *remote_host = net_ip2addr(&request->remote_ip);

	/* PAM_RHOST is only set when the address converts to text.
	   NOTE(review): when it is skipped or the call fails, PAM modules
	   that filter on the remote host presumably run without one -
	   confirm that the configured PAM stack denies in that case. */
	if (remote_host != NULL) {
		(void)pam_set_item(pamh, PAM_RHOST, remote_host);
	}

	/* request->user is the same name that pam_verify_plain_call() gives
	   to pam_start(). */
	(void)pam_set_item(pamh, PAM_RUSER, request->user);

	/* TTY is needed by eg. pam_access module */
	(void)pam_set_item(pamh, PAM_TTY, "dovecot");
}
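/* Run one PAM transaction for a plaintext password check: pam_start(),
   item setup, try_pam_auth(), pam_end(), then translate the PAM status
   into a passdb result.

   Returns PASSDB_RESULT_INTERNAL_FAILURE when pam_start() or pam_end()
   fails; otherwise the result is derived from try_pam_auth()'s status. */
static enum passdb_result
pam_verify_plain_call(struct auth_request *request, const char *service,
		      const char *password)
{
	/* pam_start() may fail before it stores a handle. Starting from NULL
	   keeps the pam_strerror() call on that path from reading an
	   indeterminate pointer. */
	pam_handle_t *pamh = NULL;
	struct pam_conv_context ctx;
	struct pam_conv conv;
	enum passdb_result result;
	int status, status2;

	/* ctx is handed to pam_userpass_conv as appdata_ptr. Zeroing it first
	   leaves ctx.failure_msg NULL unless something sets it later. */
	memset(&ctx, 0, sizeof(ctx));
	ctx.request = request;
	ctx.pass = password;

	conv.conv = pam_userpass_conv;
	conv.appdata_ptr = &ctx;

	status = pam_start(service, request->user, &conv, &pamh);
	if (status != PAM_SUCCESS) {
		auth_request_log_error(request, "pam", "pam_start() failed: %s",
				       pam_strerror(pamh, status));
		return PASSDB_RESULT_INTERNAL_FAILURE;
	}

	set_pam_items(request, pamh);
	status = try_pam_auth(request, pamh, service);
	if ((status2 = pam_end(pamh, status)) != PAM_SUCCESS) {
		/* NOTE(review): pamh is passed to pam_strerror() after
		   pam_end() was called on it - confirm the PAM library in use
		   does not dereference the handle there. */
		auth_request_log_error(request, "pam", "pam_end() failed: %s",
				       pam_strerror(pamh, status2));
		return PASSDB_RESULT_INTERNAL_FAILURE;
	}

	switch (status) {
	case PAM_SUCCESS:
		result = PASSDB_RESULT_OK;
		break;
	case PAM_USER_UNKNOWN:
		result = PASSDB_RESULT_USER_UNKNOWN;
		break;
	case PAM_NEW_AUTHTOK_REQD:
	case PAM_ACCT_EXPIRED:
		result = PASSDB_RESULT_PASS_EXPIRED;
		break;
	default:
		/* Fail closed: every status not listed above is reported as a
		   password mismatch, whatever its actual cause. */
		result = PASSDB_RESULT_PASSWORD_MISMATCH;
		break;
	}

	/* On failure, a collected PAM message is stored in the request's
	   "reason" field. NOTE(review): where that field ends up is not
	   visible here - confirm it does not give clients more detail about
	   the failure than intended. */
	if (result != PASSDB_RESULT_OK && ctx.failure_msg != NULL) {
		auth_request_set_field(request, "reason",
				       ctx.failure_msg, NULL);
	}
	return result;
}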
/* passdb verify_plain entry point: expand the configured service-name
   template for this request, run the PAM check and pass the result to the
   callback. */
static void
pam_verify_plain(struct auth_request *request, const char *password,
		 verify_plain_callback_t *callback)
{
	struct pam_passdb_module *module =
		(struct pam_passdb_module *)request->passdb->passdb;
	string_t *service_buf = t_str_new(64);
	const char *service;

	/* A positive requests_left counts down once per lookup; reaching zero
	   sets shutdown_request. Zero means no limit is applied. */
	if (module->requests_left > 0 && --module->requests_left == 0)
		shutdown_request = TRUE;

	/* The expanded string is what pam_start() receives as the service
	   name. NOTE(review): if the configured template references
	   variables a client can influence, the client also influences which
	   PAM service configuration is used - confirm the templates in use. */
	var_expand(service_buf, module->service_name,
		   auth_request_get_var_expand_table(request, NULL));
	service = str_c(service_buf);

	auth_request_log_debug(request, "pam", "lookup service=%s", service);

	callback(pam_verify_plain_call(request, service, password), request);
}
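/* Allocate the PAM passdb module from the auth pool and apply the
   space-separated settings in args.

   Recognised tokens: "-session" / "session=yes", "setcred=yes",
   "cache_key=<key>", "blocking=yes" (ignored), "failure_show_msg=yes",
   "*" (service name "%Ls"), "max_requests=<n>". Any other token is taken
   as the PAM service name when it is the last one; elsewhere it is fatal.

   Returns the embedded struct passdb_module. */
static struct passdb_module *
pam_preinit(struct auth_passdb *auth_passdb, const char *args)
{
	struct pam_passdb_module *module;
	const char *const *t_args;
	int i;

	module = p_new(auth_passdb->auth->pool, struct pam_passdb_module, 1);
	module->service_name = "dovecot";
	/* we're caching the password by using directly the plaintext password
	   given by the auth mechanism */
	module->module.default_pass_scheme = "PLAIN";
	module->module.blocking = TRUE;
	module->requests_left = PASSDB_PAM_DEFAULT_MAX_REQUESTS;

	t_args = t_strsplit_spaces(args, " ");
	for (i = 0; t_args[i] != NULL; i++) {
		const char *arg = t_args[i];

		/* -session for backwards compatibility */
		if (strcmp(arg, "-session") == 0 ||
		    strcmp(arg, "session=yes") == 0) {
			module->pam_session = TRUE;
		} else if (strcmp(arg, "setcred=yes") == 0) {
			module->pam_setcred = TRUE;
		} else if (strncmp(arg, "cache_key=", 10) == 0) {
			module->module.cache_key =
				auth_cache_parse_key(auth_passdb->auth->pool,
						     arg + 10);
		} else if (strcmp(arg, "blocking=yes") == 0) {
			/* ignore, for backwards compatibility */
		} else if (strcmp(arg, "failure_show_msg=yes") == 0) {
			module->failure_show_msg = TRUE;
		} else if (strcmp(arg, "*") == 0) {
			/* for backwards compatibility */
			module->service_name = "%Ls";
		} else if (strncmp(arg, "max_requests=", 13) == 0) {
			/* atoi() turned a non-numeric value into 0, which
			   pam_verify_plain() treats as "no limit". Reject
			   malformed and negative values instead. */
			const char *value = arg + 13;
			char *end;
			long count = strtol(value, &end, 10);

			if (end == value || *end != '\0' || count < 0) {
				i_fatal("passdb pam: Invalid max_requests value: %s",
					value);
			}
			module->requests_left = count;
			/* Also reject values the field cannot represent. */
			if ((long)module->requests_left != count) {
				i_fatal("passdb pam: Invalid max_requests value: %s",
					value);
			}
		} else if (t_args[i+1] == NULL) {
			/* Last token and not a known setting: use it as the
			   PAM service name. A misspelled option in last
			   position is therefore accepted as a service name
			   instead of being reported. */
			module->service_name =
				p_strdup(auth_passdb->auth->pool, arg);
		} else {
			i_fatal("passdb pam: Unknown setting: %s", arg);
		}
	}
	return &module->module;
}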
/* PAM passdb registration. The initializers are positional, so their order
   has to match struct passdb_module_interface, which is declared outside
   this view. NULL entries are slots this module leaves unset. */
struct passdb_module_interface passdb_pam = {
	"pam", /* name */

	pam_preinit, NULL, NULL,

	pam_verify_plain, NULL, NULL
};
392 #else
/* Definition used on the #else branch (presumably builds without PAM
   support): only the name is set, every other member is left
   zero-initialized. */
struct passdb_module_interface passdb_pam = { MEMBER(name) "pam" };
396 #endif