diff options
author | Jan Pazdziora <jpazdziora@redhat.com> | 2014-01-06 11:34:22 +0800 |
---|---|---|
committer | Jan Pazdziora <jpazdziora@redhat.com> | 2014-01-06 15:00:44 +0800 |
commit | 67060fba58bfe53f5e81447eb623c386549773d9 (patch) | |
tree | 1dc1f6abe8348d13d760aaa6f2f4288dadd7f3dc /mod_authnz_pam.c | |
download | mod_authnz_pam-67060fba58bfe53f5e81447eb623c386549773d9.tar.gz mod_authnz_pam-67060fba58bfe53f5e81447eb623c386549773d9.tar.xz mod_authnz_pam-67060fba58bfe53f5e81447eb623c386549773d9.zip |
Apache module mod_authnz_pam.
Diffstat (limited to 'mod_authnz_pam.c')
-rw-r--r-- | mod_authnz_pam.c | 136 |
1 files changed, 136 insertions, 0 deletions
diff --git a/mod_authnz_pam.c b/mod_authnz_pam.c new file mode 100644 index 0000000..6ebc77e --- /dev/null +++ b/mod_authnz_pam.c @@ -0,0 +1,136 @@ + +/* + * Copyright 2014 Jan Pazdziora + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#include <security/pam_appl.h> + +#include "apr_strings.h" + +#include "ap_config.h" +#include "ap_provider.h" +#include "httpd.h" +#include "http_config.h" +#include "http_core.h" +#include "http_log.h" +#include "http_protocol.h" +#include "http_request.h" + +#include "mod_auth.h" + +typedef struct { + char * pam_service; +} authnz_pam_config_rec; + +void * create_dir_conf(apr_pool_t * pool, char * dir) { + authnz_pam_config_rec * cfg = apr_pcalloc(pool, sizeof(authnz_pam_config_rec)); + return cfg; +} + +static const command_rec authnz_pam_cmds[] = { + AP_INIT_TAKE1("AuthPAMService", ap_set_string_slot, + (void *)APR_OFFSETOF(authnz_pam_config_rec, pam_service), + OR_AUTHCFG, "PAM service to authenticate against"), + {NULL} +}; + +int pam_authenticate_conv(int num_msg, const struct pam_message ** msg, struct pam_response ** resp, void * appdata_ptr) { + struct pam_response * response = NULL; + if (!msg || !resp || !appdata_ptr) + return PAM_CONV_ERR; + if (!(response = malloc(num_msg * sizeof(struct pam_response)))) + return PAM_CONV_ERR; + int i; + for (i = 0; i < num_msg; i++) { + response[i].resp = 0; + response[i].resp_retcode = 0; + if (msg[i]->msg_style == PAM_PROMPT_ECHO_OFF) { + response[i].resp = strdup(appdata_ptr); + } else { + free(response); + return PAM_CONV_ERR; + } + } + * resp = response; + return PAM_SUCCESS; +} + +#define _REMOTE_USER_ENV_NAME "REMOTE_USER" +#define _EXTERNAL_AUTH_ERROR_ENV_NAME "EXTERNAL_AUTH_ERROR" +#define _PAM_STEP_AUTH 1 +#define _PAM_STEP_ACCOUNT 2 +#define _PAM_STEP_ALL 3 +static authn_status pam_authenticate_with_login_password(request_rec * r, const char * pam_service, + const char * login, const char * password, int steps) { + pam_handle_t * pamh = NULL; + struct pam_conv pam_conversation = { &pam_authenticate_conv, (void *) password }; + const char * stage = "PAM transaction failed for service"; + const char * param = pam_service; + int ret; + if ((ret = pam_start(pam_service, login, &pam_conversation, &pamh)) == PAM_SUCCESS) { + if (steps & _PAM_STEP_AUTH) { + param = login; + stage = "PAM authentication failed for user"; + ret = pam_authenticate(pamh, PAM_SILENT | PAM_DISALLOW_NULL_AUTHTOK); + } + if ((ret == PAM_SUCCESS) && (steps & _PAM_STEP_ACCOUNT)) { + stage = "PAM account validation failed for user"; + ret = pam_acct_mgmt(pamh, PAM_SILENT | PAM_DISALLOW_NULL_AUTHTOK); + } + } + if (ret != PAM_SUCCESS) { + const char * strerr = pam_strerror(pamh, ret); + ap_log_error(APLOG_MARK, APLOG_WARNING, 0, r->server, "mod_authnz_pam: %s %s: %s", stage, param, strerr); + apr_table_setn(r->subprocess_env, _EXTERNAL_AUTH_ERROR_ENV_NAME, apr_pstrdup(r->pool, strerr)); + pam_end(pamh, ret); + return AUTH_DENIED; + } + apr_table_setn(r->subprocess_env, _REMOTE_USER_ENV_NAME, login); + r->user = apr_pstrdup(r->pool, login); + ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, r->server, "mod_authnz_pam: PAM authentication passed for user %s", login); + pam_end(pamh, ret); + return AUTH_GRANTED; +} + +module AP_MODULE_DECLARE_DATA authnz_pam_module; + +static authn_status pam_auth_account(request_rec * r, const char * login, const char * password) { + authnz_pam_config_rec * conf = ap_get_module_config(r->per_dir_config, &authnz_pam_module); + + if (!conf->pam_service) { + return AUTH_GENERAL_ERROR; + } + + return pam_authenticate_with_login_password(r, conf->pam_service, login, password, _PAM_STEP_ALL); +} + +static const authn_provider authn_pam_provider = { + &pam_auth_account, +}; + +static void register_hooks(apr_pool_t * p) { + ap_register_provider(p, AUTHN_PROVIDER_GROUP, "PAM", "0", &authn_pam_provider); +} + +module AP_MODULE_DECLARE_DATA authnz_pam_module = { + STANDARD20_MODULE_STUFF, + create_dir_conf, /* Per-directory configuration handler */ + NULL, /* Merge handler for per-directory configurations */ + NULL, /* Per-server configuration handler */ + NULL, /* Merge handler for per-server configurations */ + authnz_pam_cmds, /* Any directives we may have for httpd */ + register_hooks /* Our hook registering function */ +}; + |