author | Jan Pazdziora <jpazdziora@redhat.com> | 2014-01-08 19:04:59 +0800 |
---|---|---|
committer | Jan Pazdziora <jpazdziora@redhat.com> | 2014-01-09 10:00:47 +0800 |
commit | 05dad6aec81f5debb3b229cb2e77083fd2724fb4 (patch) | |
tree | 80e5f50ba3f3c504d6bd5f772c7401f1ee5b5103 | |
parent | df8b6850cb48bee2d83177b85aa6663888edba25 (diff) | |
Use pam_authenticate_with_login_password from mod_authnz_pam. (tag: mod_intercept_form_submit-0.9.1)
-rw-r--r-- | README | 2 | ||||
-rw-r--r-- | mod_intercept_form_submit.c | 78 | ||||
-rw-r--r-- | mod_intercept_form_submit.spec | 10 |
3 files changed, 28 insertions, 62 deletions
@@ -99,7 +99,7 @@ Building from sources
 When building from sources, command
- apxs -i -a -c mod_intercept_form_submit.c -lpam -Wall -pedantic
+ apxs -i -a -c mod_intercept_form_submit.c -Wall -pedantic
 should build and install the module.
diff --git a/mod_intercept_form_submit.c b/mod_intercept_form_submit.c
index 3a64196..4543e59 100644
--- a/mod_intercept_form_submit.c
+++ b/mod_intercept_form_submit.c
@@ -22,7 +22,7 @@
 #include "http_config.h"
 #include "http_request.h"
-#include <security/pam_appl.h>
+#include "mod_auth.h"
 typedef struct ifs_config {
 char * login_name;
@@ -40,11 +40,17 @@ typedef struct {
 int password_fragment_start_bucket_offset;
 } ifs_filter_ctx_t;
+
 module AP_MODULE_DECLARE_DATA intercept_form_submit_module;
 APR_DECLARE_OPTIONAL_FN(int, lookup_identity_hook, (request_rec * r));
 static APR_OPTIONAL_FN_TYPE(lookup_identity_hook) * lookup_identity_hook_fn = NULL;
+APR_DECLARE_OPTIONAL_FN(authn_status, pam_authenticate_with_login_password,
+ (request_rec * r, const char * pam_service,
+ const char * login, const char * password, int steps));
+static APR_OPTIONAL_FN_TYPE(pam_authenticate_with_login_password) * pam_authenticate_with_login_password_fn = NULL;
+
 const char * add_login_to_blacklist(cmd_parms * cmd, void * conf_void, const char * arg) {
 ifs_config * cfg = (ifs_config *) conf_void;
 if (cfg) {
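Review bot: The `APR_DECLARE_OPTIONAL_FN(authn_status, pam_authenticate_with_login_password, (request_rec * r, const char * pam_service, const char * login, const char * password, int steps))` prototype is restated by hand in this module, and APR optional functions are resolved by name at runtime and cast to this type, so if mod_authnz_pam's real signature differs or later changes (the trailing `int steps` in particular) the compiler cannot catch it and the mismatch only surfaces as a miscall at request time. If mod_authnz_pam ships a header with this declaration, include it instead of duplicating it; if it does not, pin the contract next to the declaration with something like `/* Must match pam_authenticate_with_login_password as exported by mod_authnz_pam >= 0.6 (see spec Requires); the meaning of steps is defined there. */`. The `= NULL` initialiser of `pam_authenticate_with_login_password_fn` also means every caller has to cope with the pointer staying NULL when mod_authnz_pam is not loaded.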
@@ -66,65 +72,14 @@ static const command_rec directives[] = {
 { NULL }
 };
-int pam_authenticate_conv(int num_msg, const struct pam_message ** msg, struct pam_response ** resp, void * appdata_ptr) {
- struct pam_response * response = NULL;
- if (!msg || !resp || !appdata_ptr)
- return PAM_CONV_ERR;
- if (!(response = malloc(num_msg * sizeof(struct pam_response))))
- return PAM_CONV_ERR;
- int i;
- for (i = 0; i < num_msg; i++) {
- response[i].resp = 0;
- response[i].resp_retcode = 0;
- if (msg[i]->msg_style == PAM_PROMPT_ECHO_OFF) {
- response[i].resp = strdup(appdata_ptr);
- } else {
- free(response);
- return PAM_CONV_ERR;
- }
- }
- * resp = response;
- return PAM_SUCCESS;
-}
-
 #define _REMOTE_USER_ENV_NAME "REMOTE_USER"
-#define _EXTERNAL_AUTH_ERROR_ENV_NAME "EXTERNAL_AUTH_ERROR"
-int pam_authenticate_with_login_password(request_rec * r, const char * pam_service, char * login, const char * password) {
- pam_handle_t * pamh = NULL;
- struct pam_conv pam_conversation = { &pam_authenticate_conv, (void *) password };
- const char * stage = "PAM transaction failed for service";
- const char * param = pam_service;
- int ret;
- if ((ret = pam_start(pam_service, login, &pam_conversation, &pamh)) == PAM_SUCCESS) {
- param = login;
- stage = "PAM authentication failed for user";
- if ((ret = pam_authenticate(pamh, PAM_SILENT | PAM_DISALLOW_NULL_AUTHTOK)) == PAM_SUCCESS) {
- stage = "PAM account validation failed for user";
- ret = pam_acct_mgmt(pamh, PAM_SILENT | PAM_DISALLOW_NULL_AUTHTOK);
- }
- }
- if (ret != PAM_SUCCESS) {
- const char * strerr = pam_strerror(pamh, ret);
- ap_log_error(APLOG_MARK, APLOG_WARNING, 0, r->server, "mod_intercept_form_submit: %s %s: %s", stage, param, strerr);
- apr_table_setn(r->subprocess_env, _EXTERNAL_AUTH_ERROR_ENV_NAME, apr_pstrdup(r->pool, strerr));
- pam_end(pamh, ret);
- return 0;
- }
- apr_table_setn(r->subprocess_env, _REMOTE_USER_ENV_NAME, login);
- r->user = login;
- ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, r->server,
"mod_intercept_form_submit: PAM authentication passed for user %s", login);
- pam_end(pamh, ret);
- if (lookup_identity_hook_fn) {
- ap_log_error(APLOG_MARK, APLOG_INFO, 0, r->server, "mod_intercept_form_submit: calling lookup_identity_hook");
- lookup_identity_hook_fn(r);
- } else {
- ap_log_error(APLOG_MARK, APLOG_INFO, 0, r->server, "mod_intercept_form_submit: not calling lookup_identity_hook, is NULL");
- }
- return 1;
-}
+
 void register_lookup_identity_hook_fn(void) {
 lookup_identity_hook_fn = APR_RETRIEVE_OPTIONAL_FN(lookup_identity_hook);
 }
+void register_pam_authenticate_with_login_password_fn(void) {
+ pam_authenticate_with_login_password_fn = APR_RETRIEVE_OPTIONAL_FN(pam_authenticate_with_login_password);
+}
 int hex2char(int c) {
 if (c >= '0' && c <= '9')
@@ -291,7 +246,15 @@ int intercept_form_submit_process_buffer(ap_filter_t * f, ifs_config * config, c
 }
 }
 if (run_auth) {
- pam_authenticate_with_login_password(r, config->pam_service, *login_value, *password_value);
+ authn_status auth_result = pam_authenticate_with_login_password_fn(r, config->pam_service, *login_value, *password_value, 3);
+ if (auth_result == AUTH_GRANTED) {
+ if (lookup_identity_hook_fn) {
+ ap_log_error(APLOG_MARK, APLOG_INFO, 0, r->server, "mod_intercept_form_submit: calling lookup_identity_hook");
+ lookup_identity_hook_fn(r);
+ } else {
+ ap_log_error(APLOG_MARK, APLOG_INFO, 0, r->server, "mod_intercept_form_submit: not calling lookup_identity_hook, is NULL");
+ }
+ }
 if (config->password_redact > 0) {
 intercept_form_redact_password(f, config);
 }
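Review bot: With the local `pam_authenticate_with_login_password` removed, this module no longer sets `r->user` or the `REMOTE_USER` subprocess_env entry on success, nor the `EXTERNAL_AUTH_ERROR` variable on failure; the remaining code relies on mod_authnz_pam's implementation doing the former, which is not visible here and should be confirmed, since the `lookup_identity_hook_fn(r)` call kept elsewhere in the file presumably needs `r->user` populated. The `#define _REMOTE_USER_ENV_NAME "REMOTE_USER"` survives this hunk while its only visible user is deleted; if nothing else in the file references it, drop it, otherwise explain why it stays with a comment such as `/* REMOTE_USER itself is now set by mod_authnz_pam; kept for ... */`. Dropping `EXTERNAL_AUTH_ERROR` is a user-visible change for applications that read that variable after a failed login, and deserves a sentence in the README or changelog unless mod_authnz_pam provides an equivalent. The new `register_pam_authenticate_with_login_password_fn` mirrors the existing non-static `register_lookup_identity_hook_fn`, which is consistent, though both could be `static` since they are only referenced from `register_hooks`.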
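Review bot: `pam_authenticate_with_login_password_fn` is called unconditionally on the first added line of the `if (run_auth)` block, yet it is a static pointer initialised to NULL and only filled in by `APR_RETRIEVE_OPTIONAL_FN` when mod_authnz_pam is present; the RPM `Requires` does not guarantee that module is actually loaded into httpd, so a deployment without it would crash the worker on the first intercepted form submission, a remotely triggerable denial of service. The sibling `lookup_identity_hook_fn` a few lines further down is NULL-checked, and this call needs the same guard plus a loud error so the misconfiguration shows up in the log instead of as a segfault. The literal `3` passed as `steps` is also opaque at the call site; a named constant or a one-line comment stating what mod_authnz_pam does with it would help the next reader. The enclosing `intercept_form_submit_process_buffer` starts and ends outside the hunk.
```c
		if (run_auth) {
			authn_status auth_result = AUTH_GENERAL_ERROR;
			if (pam_authenticate_with_login_password_fn) {
				auth_result = pam_authenticate_with_login_password_fn(r, config->pam_service, *login_value, *password_value, 3);
			} else {
				/* Optional function is only registered when mod_authnz_pam is loaded. */
				ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server, "mod_intercept_form_submit: pam_authenticate_with_login_password not available, is mod_authnz_pam loaded?");
			}
			if (auth_result == AUTH_GRANTED) {
				/* … unchanged: lookup_identity_hook call … */
			}
```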
@@ -477,6 +440,7 @@ static void register_hooks(apr_pool_t * pool) {
 ap_hook_insert_filter(intercept_form_submit_init, NULL, NULL, APR_HOOK_MIDDLE);
 ap_register_input_filter("intercept_form_submit_filter", intercept_form_submit_filter, NULL, AP_FTYPE_RESOURCE);
 ap_hook_optional_fn_retrieve(register_lookup_identity_hook_fn, NULL, NULL, APR_HOOK_MIDDLE);
+ ap_hook_optional_fn_retrieve(register_pam_authenticate_with_login_password_fn, NULL, NULL, APR_HOOK_MIDDLE);
 }
 module AP_MODULE_DECLARE_DATA intercept_form_submit_module = {
diff --git a/mod_intercept_form_submit.spec b/mod_intercept_form_submit.spec
index 17477a1..471ec9a 100644
--- a/mod_intercept_form_submit.spec
+++ b/mod_intercept_form_submit.spec
@@ -6,18 +6,17 @@ Summary: Apache module to intercept login form submission and run PAM authentication.
 Name: mod_intercept_form_submit
-Version: 0.9
+Version: 0.9.1
 Release: 1%{?dist}
 License: ASL 2.0
 Group: System Environment/Daemons
 URL: http://www.adelton.com/apache/mod_intercept_form_submit/
 Source0: http://www.adelton.com/apache/mod_intercept_form_submit/%{name}-%{version}.tar.gz
 BuildRequires: httpd-devel
-BuildRequires: pam-devel
 BuildRequires: pkgconfig
 Requires(pre): httpd
 Requires: httpd
-Requires: pam
+Requires: mod_authnz_pam >= 0.6
 # Suppres auto-provides for module DSO
 %{?filter_provides_in: %filter_provides_in %{_libdir}/httpd/modules/.*\.so$}
@@ -33,7 +32,7 @@ the REMOTE_USER environment variable if the authentication passes.
 %setup -q -n %{name}-%{version}
 %build
-%{_httpd_apxs} -c mod_intercept_form_submit.c -lpam -Wall -pedantic
+%{_httpd_apxs} -c mod_intercept_form_submit.c -Wall -pedantic
 %install
 rm -rf $RPM_BUILD_ROOT
@@ -57,6 +56,9 @@ install -Dp -m 0644 intercept_form_submit.conf $RPM_BUILD_ROOT%{_httpd_confdir}/
 %{_httpd_moddir}/*.so
 %changelog
+* Wed Jan 08 2014 Jan Pazdziora - 0.9.1-1
+- Use mod_authnz_pam for the actual PAM authentication.
+
 * Thu Dec 05 2013 Jan Pazdziora - 0.9-1
 - Perform PAM account validation, not just authentication.
 - Support Content-Type with charset parameter.