diff options
author | John Terpstra <jht@samba.org> | 2001-04-11 01:10:18 +0000 |
---|---|---|
committer | John Terpstra <jht@samba.org> | 2001-04-11 01:10:18 +0000 |
commit | 937fe61e935d0d4839de7b1a0c1273f53ea752dd (patch) | |
tree | 09771e40c8a7488336888c2a53c1189ab00e92e3 | |
parent | ec47ba5ca810cb493eabdcb229f308ecb2b9546f (diff) | |
download | samba-937fe61e935d0d4839de7b1a0c1273f53ea752dd.tar.gz samba-937fe61e935d0d4839de7b1a0c1273f53ea752dd.tar.xz samba-937fe61e935d0d4839de7b1a0c1273f53ea752dd.zip |
This is the beggining of PAM support that goes beyond just vaidating a password.
Watch this space for more. Andrew Bartlett - where are you?
-rw-r--r-- | source/auth/pampass.c | 96 | ||||
-rw-r--r-- | source/passdb/pampass.c | 96 |
2 files changed, 50 insertions, 142 deletions
diff --git a/source/auth/pampass.c b/source/auth/pampass.c index b3108c2fb0c..90a6f773ced 100644 --- a/source/auth/pampass.c +++ b/source/auth/pampass.c @@ -56,7 +56,7 @@ static char *PAM_password; #define COPY_STRING(s) (s) ? strdup(s) : NULL /* - * Macro converted to a function to simplyify this thing + * PAM error handler. */ static BOOL pam_error_handler(pam_handle_t *pamh, int pam_error, char *msg, int dbglvl) { @@ -132,6 +132,9 @@ static struct pam_conv PAM_conversation = { NULL }; +/* + * PAM Closing out cleanup handler + */ static BOOL proc_pam_end(pam_handle_t *pamh) { int pam_error; @@ -148,7 +151,9 @@ static BOOL proc_pam_end(pam_handle_t *pamh) return False; } -/* Start PAM authentication for specified account */ +/* + * Start PAM authentication for specified account + */ static BOOL proc_pam_start(pam_handle_t **pamh, char *user) { int pam_error; @@ -187,7 +192,6 @@ static BOOL proc_pam_start(pam_handle_t **pamh, char *user) /* * PAM Authentication Handler - * - For now both auth and acct!! Change this!!!! */ static BOOL pam_auth(pam_handle_t *pamh, char *user, char *password) { @@ -279,7 +283,10 @@ static BOOL pam_account(pam_handle_t *pamh, char * user, char * password) } -static BOOL pam_session(pam_handle_t *pamh, char *user, char *tty, BOOL flag) +/* + * PAM Internal Session Handler + */ +static BOOL proc_pam_session(pam_handle_t *pamh, char *user, char *tty, BOOL flag) { int pam_error; @@ -313,15 +320,23 @@ static BOOL pam_session(pam_handle_t *pamh, char *user, char *tty, BOOL flag) return (True); } -BOOL PAM_session(BOOL flag, const connection_struct *conn, char *tty) +/* + * PAM Externally accessible Session handler + */ +BOOL pam_session(BOOL flag, const connection_struct *conn, char *tty) { pam_handle_t *pamh = NULL; char * user; user = malloc(strlen(conn->user)+1); + if ( user == NULL ) + { + DEBUG(0, ("PAM: PAM_session Malloc Failed!\n")); + return False; + } /* This is freed by PAM */ - strncpy(user, conn->user, strlen(conn->user)+1); + StrnCpy(user, conn->user, strlen(conn->user)+1); if (!proc_pam_start(&pamh, user)) { @@ -329,7 +344,7 @@ BOOL PAM_session(BOOL flag, const connection_struct *conn, char *tty) return False; } - if (pam_session(pamh, user, tty, flag)) + if (proc_pam_session(pamh, user, tty, flag)) { return proc_pam_end(pamh); } @@ -340,70 +355,9 @@ BOOL PAM_session(BOOL flag, const connection_struct *conn, char *tty) } } -/*********************************************************************************/ -#if NOTBLOCKEDOUT - -static BOOL pam_account(pam_handle_t *pamh, char *user) -{ - int pam_error; - - PAM_password = NULL; - PAM_username = user; - - DEBUG(4,("PAM starting account management for user: %s \n", user)); - - pam_error = pam_acct_mgmt(pamh, PAM_SILENT); - if (!pam_error_handler(pamh, pam_error, "PAM set account management failed", 0)) { - proc_pam_end(pamh); - return False; - } else { - DEBUG(4,("PAM: account management passed\n")); - } - - /* - * This will allow samba to aquire a kerberos token. And, when - * exporting an AFS cell, be able to /write/ to this cell. - */ - pam_error = pam_setcred(pamh, (PAM_ESTABLISH_CRED)); - if (!pam_error_handler(pamh, pam_error, "set credentials failed\n", 0)) { - proc_pam_end(pamh); - return False; - } - - /* If this point is reached, the user has been authenticated. */ - return (True); -} -static BOOL account_pam(char *user) -{ - /* - * Check the account with the PAM account module: - * - This means that accounts can be disabled - * and or expired with avoidance of samba then just - * bypassing the situation. - */ - - pam_handle_t *pamh = NULL; - char * PAMuser; - - PAMuser = malloc(strlen(user)+1); - /* This is freed by PAM */ - strncpy(PAMuser, user, strlen(user)+1); - - if (proc_pam_start(&pamh, PAMuser)) - { - if (pam_account(pamh, PAMuser)) - { - return proc_pam_end(pamh); - } - } - proc_pam_end(pamh); - return False; -} - - -#endif /* NOTBLOCKEDOUT */ -/************************************************************************************/ - +/* + * PAM Password Validation Suite + */ BOOL pam_passcheck(char * user, char * password) { pam_handle_t *pamh = NULL; diff --git a/source/passdb/pampass.c b/source/passdb/pampass.c index b3108c2fb0c..90a6f773ced 100644 --- a/source/passdb/pampass.c +++ b/source/passdb/pampass.c @@ -56,7 +56,7 @@ static char *PAM_password; #define COPY_STRING(s) (s) ? strdup(s) : NULL /* - * Macro converted to a function to simplyify this thing + * PAM error handler. */ static BOOL pam_error_handler(pam_handle_t *pamh, int pam_error, char *msg, int dbglvl) { @@ -132,6 +132,9 @@ static struct pam_conv PAM_conversation = { NULL }; +/* + * PAM Closing out cleanup handler + */ static BOOL proc_pam_end(pam_handle_t *pamh) { int pam_error; @@ -148,7 +151,9 @@ static BOOL proc_pam_end(pam_handle_t *pamh) return False; } -/* Start PAM authentication for specified account */ +/* + * Start PAM authentication for specified account + */ static BOOL proc_pam_start(pam_handle_t **pamh, char *user) { int pam_error; @@ -187,7 +192,6 @@ static BOOL proc_pam_start(pam_handle_t **pamh, char *user) /* * PAM Authentication Handler - * - For now both auth and acct!! Change this!!!! */ static BOOL pam_auth(pam_handle_t *pamh, char *user, char *password) { @@ -279,7 +283,10 @@ static BOOL pam_account(pam_handle_t *pamh, char * user, char * password) } -static BOOL pam_session(pam_handle_t *pamh, char *user, char *tty, BOOL flag) +/* + * PAM Internal Session Handler + */ +static BOOL proc_pam_session(pam_handle_t *pamh, char *user, char *tty, BOOL flag) { int pam_error; @@ -313,15 +320,23 @@ static BOOL pam_session(pam_handle_t *pamh, char *user, char *tty, BOOL flag) return (True); } -BOOL PAM_session(BOOL flag, const connection_struct *conn, char *tty) +/* + * PAM Externally accessible Session handler + */ +BOOL pam_session(BOOL flag, const connection_struct *conn, char *tty) { pam_handle_t *pamh = NULL; char * user; user = malloc(strlen(conn->user)+1); + if ( user == NULL ) + { + DEBUG(0, ("PAM: PAM_session Malloc Failed!\n")); + return False; + } /* This is freed by PAM */ - strncpy(user, conn->user, strlen(conn->user)+1); + StrnCpy(user, conn->user, strlen(conn->user)+1); if (!proc_pam_start(&pamh, user)) { @@ -329,7 +344,7 @@ BOOL PAM_session(BOOL flag, const connection_struct *conn, char *tty) return False; } - if (pam_session(pamh, user, tty, flag)) + if (proc_pam_session(pamh, user, tty, flag)) { return proc_pam_end(pamh); } @@ -340,70 +355,9 @@ BOOL PAM_session(BOOL flag, const connection_struct *conn, char *tty) } } -/*********************************************************************************/ -#if NOTBLOCKEDOUT - -static BOOL pam_account(pam_handle_t *pamh, char *user) -{ - int pam_error; - - PAM_password = NULL; - PAM_username = user; - - DEBUG(4,("PAM starting account management for user: %s \n", user)); - - pam_error = pam_acct_mgmt(pamh, PAM_SILENT); - if (!pam_error_handler(pamh, pam_error, "PAM set account management failed", 0)) { - proc_pam_end(pamh); - return False; - } else { - DEBUG(4,("PAM: account management passed\n")); - } - - /* - * This will allow samba to aquire a kerberos token. And, when - * exporting an AFS cell, be able to /write/ to this cell. - */ - pam_error = pam_setcred(pamh, (PAM_ESTABLISH_CRED)); - if (!pam_error_handler(pamh, pam_error, "set credentials failed\n", 0)) { - proc_pam_end(pamh); - return False; - } - - /* If this point is reached, the user has been authenticated. */ - return (True); -} -static BOOL account_pam(char *user) -{ - /* - * Check the account with the PAM account module: - * - This means that accounts can be disabled - * and or expired with avoidance of samba then just - * bypassing the situation. - */ - - pam_handle_t *pamh = NULL; - char * PAMuser; - - PAMuser = malloc(strlen(user)+1); - /* This is freed by PAM */ - strncpy(PAMuser, user, strlen(user)+1); - - if (proc_pam_start(&pamh, PAMuser)) - { - if (pam_account(pamh, PAMuser)) - { - return proc_pam_end(pamh); - } - } - proc_pam_end(pamh); - return False; -} - - -#endif /* NOTBLOCKEDOUT */ -/************************************************************************************/ - +/* + * PAM Password Validation Suite + */ BOOL pam_passcheck(char * user, char * password) { pam_handle_t *pamh = NULL; |