Line data Source code
1 : /*
2 : Authors:
3 : Sumit Bose <sbose@redhat.com>
4 :
5 : Copyright (C) 2009 Red Hat
6 : Copyright (C) 2010, rhafer@suse.de, Novell Inc.
7 :
8 : This program is free software; you can redistribute it and/or modify
9 : it under the terms of the GNU Lesser General Public License as published by
10 : the Free Software Foundation; either version 3 of the License, or
11 : (at your option) any later version.
12 :
13 : This program is distributed in the hope that it will be useful,
14 : but WITHOUT ANY WARRANTY; without even the implied warranty of
15 : MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 : GNU Lesser General Public License for more details.
17 :
18 : You should have received a copy of the GNU Lesser General Public License
19 : along with this program. If not, see <http://www.gnu.org/licenses/>.
20 : */
21 :
22 : #include "config.h"
23 : #include <sys/types.h>
24 : #include <unistd.h>
25 : #include <stdlib.h>
26 : #include <stdint.h>
27 : #include <stdio.h>
28 : #include <syslog.h>
29 : #include <time.h>
30 : #include <sys/stat.h>
31 : #include <fcntl.h>
32 : #include <errno.h>
33 : #include <locale.h>
34 : #include <stdbool.h>
35 :
36 : #include <security/pam_modules.h>
37 : #include <security/pam_appl.h>
38 :
39 : #include "sss_pam_compat.h"
40 : #include "sss_pam_macros.h"
41 :
42 : #include "sss_cli.h"
43 : #include "pam_message.h"
44 : #include "util/atomic_io.h"
45 : #include "util/authtok-utils.h"
46 :
47 : #include <libintl.h>
48 : #define _(STRING) dgettext (PACKAGE, STRING)
49 :
50 : #define FLAGS_USE_FIRST_PASS (1 << 0)
51 : #define FLAGS_FORWARD_PASS (1 << 1)
52 : #define FLAGS_USE_AUTHTOK (1 << 2)
53 : #define FLAGS_IGNORE_UNKNOWN_USER (1 << 3)
54 : #define FLAGS_IGNORE_AUTHINFO_UNAVAIL (1 << 4)
55 : #define FLAGS_USE_2FA (1 << 5)
56 :
57 : #define PWEXP_FLAG "pam_sss:password_expired_flag"
58 : #define FD_DESTRUCTOR "pam_sss:fd_destructor"
59 :
60 : #define PW_RESET_MSG_FILENAME_TEMPLATE SSSD_CONF_DIR"/customize/%s/pam_sss_pw_reset_message.%s"
61 : #define PW_RESET_MSG_MAX_SIZE 4096
62 :
63 : #define OPT_RETRY_KEY "retry="
64 : #define OPT_DOMAINS_KEY "domains="
65 :
66 : #define EXP_ACC_MSG _("Permission denied. ")
67 : #define SRV_MSG _("Server message: ")
68 :
69 : #define DEBUG_MGS_LEN 1024
70 : #define MAX_AUTHTOK_SIZE (1024*1024)
71 : #define CHECK_AND_RETURN_PI_STRING(s) ((s != NULL && *s != '\0')? s : "(not available)")
72 :
73 18 : static void logger(pam_handle_t *pamh, int level, const char *fmt, ...) {
74 : va_list ap;
75 :
76 18 : va_start(ap, fmt);
77 :
78 : #ifdef DEBUG
79 : va_list apd;
80 : char debug_msg[DEBUG_MGS_LEN];
81 : int ret;
82 : va_copy(apd, ap);
83 :
84 : ret = vsnprintf(debug_msg, DEBUG_MGS_LEN, fmt, apd);
85 : if (ret >= DEBUG_MGS_LEN) {
86 : D(("the following message is truncated: %s", debug_msg));
87 : } else if (ret < 0) {
88 : D(("vsnprintf failed to format debug message!"));
89 : } else {
90 : D((debug_msg));
91 : }
92 :
93 : va_end(apd);
94 : #endif
95 :
96 18 : pam_vsyslog(pamh, LOG_AUTHPRIV|level, fmt, ap);
97 :
98 18 : va_end(ap);
99 18 : }
100 :
101 0 : static void free_exp_data(pam_handle_t *pamh, void *ptr, int err)
102 : {
103 0 : free(ptr);
104 0 : }
105 :
106 16 : static void close_fd(pam_handle_t *pamh, void *ptr, int err)
107 : {
108 : #ifdef PAM_DATA_REPLACE
109 16 : if (err & PAM_DATA_REPLACE) {
110 : /* Nothing to do */
111 5 : return;
112 : }
113 : #endif /* PAM_DATA_REPLACE */
114 :
115 : D(("Closing the fd"));
116 11 : sss_pam_close_fd();
117 : }
118 :
119 17 : static void overwrite_and_free_authtoks(struct pam_items *pi)
120 : {
121 17 : if (pi->pam_authtok != NULL) {
122 12 : _pam_overwrite_n((void *)pi->pam_authtok, pi->pam_authtok_size);
123 12 : free((void *)pi->pam_authtok);
124 12 : pi->pam_authtok = NULL;
125 : }
126 :
127 17 : if (pi->pam_newauthtok != NULL) {
128 1 : _pam_overwrite_n((void *)pi->pam_newauthtok, pi->pam_newauthtok_size);
129 1 : free((void *)pi->pam_newauthtok);
130 1 : pi->pam_newauthtok = NULL;
131 : }
132 :
133 17 : if (pi->first_factor != NULL) {
134 0 : _pam_overwrite_n((void *)pi->first_factor, strlen(pi->first_factor));
135 0 : free((void *)pi->first_factor);
136 0 : pi->first_factor = NULL;
137 : }
138 :
139 17 : pi->pamstack_authtok = NULL;
140 17 : pi->pamstack_oldauthtok = NULL;
141 17 : }
142 :
143 17 : static void overwrite_and_free_pam_items(struct pam_items *pi)
144 : {
145 17 : overwrite_and_free_authtoks(pi);
146 :
147 17 : free(pi->domain_name);
148 17 : pi->domain_name = NULL;
149 :
150 17 : free(pi->otp_vendor);
151 17 : pi->otp_vendor = NULL;
152 :
153 17 : free(pi->otp_token_id);
154 17 : pi->otp_token_id = NULL;
155 :
156 17 : free(pi->otp_challenge);
157 17 : pi->otp_challenge = NULL;
158 :
159 17 : free(pi->cert_user);
160 17 : pi->cert_user = NULL;
161 :
162 17 : free(pi->token_name);
163 17 : pi->token_name = NULL;
164 17 : }
165 :
166 2 : static int null_strcmp(const char *s1, const char *s2) {
167 2 : if (s1 == NULL && s2 == NULL) return 0;
168 2 : if (s1 == NULL && s2 != NULL) return -1;
169 2 : if (s1 != NULL && s2 == NULL) return 1;
170 2 : return strcmp(s1, s2);
171 : }
172 :
173 : enum {
174 : SSS_PAM_CONV_DONE = 0,
175 : SSS_PAM_CONV_STD,
176 : SSS_PAM_CONV_REENTER,
177 : };
178 :
179 13 : static int do_pam_conversation(pam_handle_t *pamh, const int msg_style,
180 : const char *msg,
181 : const char *reenter_msg,
182 : char **_answer)
183 : {
184 : int ret;
185 13 : int state = SSS_PAM_CONV_STD;
186 : const struct pam_conv *conv;
187 : const struct pam_message *mesg[1];
188 : struct pam_message *pam_msg;
189 13 : struct pam_response *resp=NULL;
190 13 : char *answer = NULL;
191 :
192 13 : if ((msg_style == PAM_TEXT_INFO || msg_style == PAM_ERROR_MSG) &&
193 0 : msg == NULL) return PAM_SYSTEM_ERR;
194 :
195 13 : if ((msg_style == PAM_PROMPT_ECHO_OFF ||
196 12 : msg_style == PAM_PROMPT_ECHO_ON) &&
197 12 : (msg == NULL || _answer == NULL)) return PAM_SYSTEM_ERR;
198 :
199 13 : if (msg_style == PAM_TEXT_INFO || msg_style == PAM_ERROR_MSG) {
200 1 : logger(pamh, LOG_INFO, "User %s message: %s",
201 : msg_style == PAM_TEXT_INFO ? "info" : "error",
202 : msg);
203 : }
204 :
205 13 : ret=pam_get_item(pamh, PAM_CONV, (const void **) &conv);
206 13 : if (ret != PAM_SUCCESS) return ret;
207 :
208 : do {
209 15 : pam_msg = malloc(sizeof(struct pam_message));
210 15 : if (pam_msg == NULL) {
211 : D(("Malloc failed."));
212 0 : ret = PAM_SYSTEM_ERR;
213 0 : goto failed;
214 : }
215 :
216 15 : pam_msg->msg_style = msg_style;
217 15 : if (state == SSS_PAM_CONV_REENTER) {
218 2 : pam_msg->msg = reenter_msg;
219 : } else {
220 13 : pam_msg->msg = msg;
221 : }
222 :
223 15 : mesg[0] = (const struct pam_message *) pam_msg;
224 :
225 30 : ret=conv->conv(1, mesg, &resp,
226 15 : conv->appdata_ptr);
227 15 : free(pam_msg);
228 15 : if (ret != PAM_SUCCESS) {
229 : D(("Conversation failure: %s.", pam_strerror(pamh,ret)));
230 0 : goto failed;
231 : }
232 :
233 15 : if (msg_style == PAM_PROMPT_ECHO_OFF ||
234 : msg_style == PAM_PROMPT_ECHO_ON) {
235 14 : if (resp == NULL) {
236 : D(("response expected, but resp==NULL"));
237 0 : ret = PAM_SYSTEM_ERR;
238 0 : goto failed;
239 : }
240 :
241 14 : if (state == SSS_PAM_CONV_REENTER) {
242 2 : if (null_strcmp(answer, resp[0].resp) != 0) {
243 1 : logger(pamh, LOG_NOTICE, "Passwords do not match.");
244 1 : _pam_overwrite((void *)resp[0].resp);
245 1 : free(resp[0].resp);
246 1 : if (answer != NULL) {
247 1 : _pam_overwrite((void *) answer);
248 1 : free(answer);
249 1 : answer = NULL;
250 : }
251 1 : ret = do_pam_conversation(pamh, PAM_ERROR_MSG,
252 1 : _("Passwords do not match"),
253 : NULL, NULL);
254 1 : if (ret != PAM_SUCCESS) {
255 : D(("do_pam_conversation failed."));
256 0 : ret = PAM_SYSTEM_ERR;
257 0 : goto failed;
258 : }
259 1 : ret = PAM_CRED_ERR;
260 1 : goto failed;
261 : }
262 1 : _pam_overwrite((void *)resp[0].resp);
263 1 : free(resp[0].resp);
264 : } else {
265 12 : if (resp[0].resp == NULL) {
266 : D(("Empty password"));
267 0 : answer = NULL;
268 : } else {
269 12 : answer = strndup(resp[0].resp, MAX_AUTHTOK_SIZE);
270 12 : _pam_overwrite((void *)resp[0].resp);
271 12 : free(resp[0].resp);
272 12 : if(answer == NULL) {
273 : D(("strndup failed"));
274 0 : ret = PAM_BUF_ERR;
275 0 : goto failed;
276 : }
277 : }
278 : }
279 13 : free(resp);
280 13 : resp = NULL;
281 : }
282 :
283 14 : if (reenter_msg != NULL && state == SSS_PAM_CONV_STD) {
284 2 : state = SSS_PAM_CONV_REENTER;
285 : } else {
286 12 : state = SSS_PAM_CONV_DONE;
287 : }
288 14 : } while (state != SSS_PAM_CONV_DONE);
289 :
290 12 : if (_answer) *_answer = answer;
291 12 : return PAM_SUCCESS;
292 :
293 : failed:
294 1 : free(answer);
295 1 : return ret;
296 :
297 : }
298 :
299 0 : static errno_t display_pw_reset_message(pam_handle_t *pamh,
300 : const char *domain_name,
301 : const char *suffix)
302 : {
303 : int ret;
304 : struct stat stat_buf;
305 0 : char *msg_buf = NULL;
306 0 : int fd = -1;
307 : size_t size;
308 : size_t total_len;
309 0 : char *filename = NULL;
310 :
311 0 : if (strchr(suffix, '/') != NULL || strchr(domain_name, '/') != NULL) {
312 : D(("Suffix [%s] or domain name [%s] contain illegal character.", suffix,
313 : domain_name));
314 0 : return EINVAL;
315 : }
316 :
317 0 : size = sizeof(PW_RESET_MSG_FILENAME_TEMPLATE) + strlen(domain_name) +
318 0 : strlen(suffix);
319 0 : filename = malloc(size);
320 0 : if (filename == NULL) {
321 : D(("malloc failed."));
322 0 : ret = ENOMEM;
323 0 : goto done;
324 : }
325 0 : ret = snprintf(filename, size, PW_RESET_MSG_FILENAME_TEMPLATE, domain_name,
326 : suffix);
327 0 : if (ret < 0 || ret >= size) {
328 : D(("snprintf failed."));
329 0 : ret = EFAULT;
330 0 : goto done;
331 : }
332 :
333 0 : fd = open(filename, O_RDONLY);
334 0 : if (fd == -1) {
335 0 : ret = errno;
336 : D(("open failed [%d][%s].\n", ret, strerror(ret)));
337 0 : goto done;
338 : }
339 :
340 0 : ret = fstat(fd, &stat_buf);
341 0 : if (ret == -1) {
342 0 : ret = errno;
343 : D(("fstat failed [%d][%s].", ret, strerror(ret)));
344 0 : goto done;
345 : }
346 :
347 0 : if (!S_ISREG(stat_buf.st_mode)) {
348 0 : logger(pamh, LOG_ERR,
349 : "Password reset message file is not a regular file.");
350 0 : ret = EINVAL;
351 0 : goto done;
352 : }
353 :
354 0 : if (stat_buf.st_uid != 0 || stat_buf.st_gid != 0 ||
355 0 : (stat_buf.st_mode & ~S_IFMT) != 0644) {
356 0 : logger(pamh, LOG_ERR,"Permission error, "
357 : "file [%s] must be owned by root with permissions 0644.",
358 : filename);
359 0 : ret = EPERM;
360 0 : goto done;
361 : }
362 :
363 0 : if (stat_buf.st_size > PW_RESET_MSG_MAX_SIZE) {
364 0 : logger(pamh, LOG_ERR, "Password reset message file is too large.");
365 0 : ret = EFBIG;
366 0 : goto done;
367 : }
368 :
369 0 : msg_buf = malloc(stat_buf.st_size + 1);
370 0 : if (msg_buf == NULL) {
371 : D(("malloc failed."));
372 0 : ret = ENOMEM;
373 0 : goto done;
374 : }
375 :
376 0 : errno = 0;
377 0 : total_len = sss_atomic_read_s(fd, msg_buf, stat_buf.st_size);
378 0 : if (total_len == -1) {
379 0 : ret = errno;
380 : D(("read failed [%d][%s].", ret, strerror(ret)));
381 0 : goto done;
382 : }
383 :
384 0 : ret = close(fd);
385 0 : fd = -1;
386 0 : if (ret == -1) {
387 0 : ret = errno;
388 : D(("close failed [%d][%s].", ret, strerror(ret)));
389 : }
390 :
391 0 : if (total_len != stat_buf.st_size) {
392 : D(("read fewer bytes [%d] than expected [%d].", total_len,
393 : stat_buf.st_size));
394 0 : ret = EIO;
395 0 : goto done;
396 : }
397 :
398 0 : msg_buf[stat_buf.st_size] = '\0';
399 :
400 0 : ret = do_pam_conversation(pamh, PAM_TEXT_INFO, msg_buf, NULL, NULL);
401 : if (ret != PAM_SUCCESS) {
402 : D(("do_pam_conversation failed."));
403 : }
404 :
405 : done:
406 0 : if (fd != -1) {
407 0 : close(fd);
408 : }
409 0 : free(msg_buf);
410 0 : free(filename);
411 :
412 0 : return ret;
413 : }
414 :
415 0 : static errno_t select_pw_reset_message(pam_handle_t *pamh, struct pam_items *pi)
416 : {
417 : int ret;
418 : char *locale;
419 : const char *domain_name;
420 :
421 0 : domain_name = pi->domain_name;
422 0 : if (domain_name == NULL || *domain_name == '\0') {
423 : D(("Domain name is unknown."));
424 0 : return EINVAL;
425 : }
426 :
427 0 : locale = setlocale(LC_MESSAGES, NULL);
428 :
429 0 : ret = -1;
430 0 : if (locale != NULL) {
431 0 : ret = display_pw_reset_message(pamh, domain_name, locale);
432 : }
433 :
434 0 : if (ret != 0) {
435 0 : ret = display_pw_reset_message(pamh, domain_name, "txt");
436 : }
437 :
438 0 : if (ret != 0) {
439 0 : ret = do_pam_conversation(pamh, PAM_TEXT_INFO,
440 0 : _("Password reset by root is not supported."),
441 : NULL, NULL);
442 : if (ret != PAM_SUCCESS) {
443 : D(("do_pam_conversation failed."));
444 : }
445 : }
446 :
447 0 : return ret;
448 : }
449 :
450 0 : static int user_info_offline_auth(pam_handle_t *pamh, size_t buflen,
451 : uint8_t *buf)
452 : {
453 : int ret;
454 : int64_t expire_date;
455 : struct tm tm;
456 : char expire_str[128];
457 : char user_msg[256];
458 :
459 0 : expire_str[0] = '\0';
460 :
461 0 : if (buflen != sizeof(uint32_t) + sizeof(int64_t)) {
462 : D(("User info response data has the wrong size"));
463 0 : return PAM_BUF_ERR;
464 : }
465 :
466 0 : memcpy(&expire_date, buf + sizeof(uint32_t), sizeof(int64_t));
467 :
468 0 : if (expire_date > 0) {
469 0 : if (localtime_r((time_t *) &expire_date, &tm) != NULL) {
470 0 : ret = strftime(expire_str, sizeof(expire_str), "%c", &tm);
471 0 : if (ret == 0) {
472 : D(("strftime failed."));
473 0 : expire_str[0] = '\0';
474 : }
475 : } else {
476 : D(("localtime_r failed"));
477 : }
478 : }
479 :
480 0 : ret = snprintf(user_msg, sizeof(user_msg), "%s%s%s.",
481 : _("Authenticated with cached credentials"),
482 0 : expire_str[0] ? _(", your cached password will expire at: ") : "",
483 0 : expire_str[0] ? expire_str : "");
484 0 : if (ret < 0 || ret >= sizeof(user_msg)) {
485 : D(("snprintf failed."));
486 0 : return PAM_SYSTEM_ERR;
487 : }
488 :
489 0 : ret = do_pam_conversation(pamh, PAM_TEXT_INFO, user_msg, NULL, NULL);
490 0 : if (ret != PAM_SUCCESS) {
491 : D(("do_pam_conversation failed."));
492 0 : return PAM_SYSTEM_ERR;
493 : }
494 :
495 0 : return PAM_SUCCESS;
496 : }
497 :
498 0 : static int user_info_grace_login(pam_handle_t *pamh,
499 : size_t buflen,
500 : uint8_t *buf)
501 : {
502 : int ret;
503 : uint32_t grace;
504 : char user_msg[256];
505 :
506 0 : if (buflen != 2* sizeof(uint32_t)) {
507 : D(("User info response data has the wrong size"));
508 0 : return PAM_BUF_ERR;
509 : }
510 0 : memcpy(&grace, buf + sizeof(uint32_t), sizeof(uint32_t));
511 0 : ret = snprintf(user_msg, sizeof(user_msg),
512 0 : _("Your password has expired. "
513 : "You have %1$d grace login(s) remaining."),
514 : grace);
515 0 : if (ret < 0 || ret >= sizeof(user_msg)) {
516 : D(("snprintf failed."));
517 0 : return PAM_SYSTEM_ERR;
518 : }
519 0 : ret = do_pam_conversation(pamh, PAM_TEXT_INFO, user_msg, NULL, NULL);
520 :
521 0 : if (ret != PAM_SUCCESS) {
522 : D(("do_pam_conversation failed."));
523 0 : return PAM_SYSTEM_ERR;
524 : }
525 :
526 0 : return PAM_SUCCESS;
527 : }
528 :
529 : #define MINSEC 60
530 : #define HOURSEC (60*MINSEC)
531 : #define DAYSEC (24*HOURSEC)
532 0 : static int user_info_expire_warn(pam_handle_t *pamh,
533 : size_t buflen,
534 : uint8_t *buf)
535 : {
536 : int ret;
537 : uint32_t expire;
538 : char user_msg[256];
539 0 : const char* unit="second(s)";
540 :
541 0 : if (buflen != 2* sizeof(uint32_t)) {
542 : D(("User info response data has the wrong size"));
543 0 : return PAM_BUF_ERR;
544 : }
545 0 : memcpy(&expire, buf + sizeof(uint32_t), sizeof(uint32_t));
546 0 : if (expire >= DAYSEC) {
547 0 : expire /= DAYSEC;
548 0 : unit = "day(s)";
549 0 : } else if (expire >= HOURSEC) {
550 0 : expire /= HOURSEC;
551 0 : unit = "hour(s)";
552 0 : } else if (expire >= MINSEC) {
553 0 : expire /= MINSEC;
554 0 : unit = "minute(s)";
555 : }
556 :
557 0 : ret = snprintf(user_msg, sizeof(user_msg),
558 0 : _("Your password will expire in %1$d %2$s."), expire, unit);
559 0 : if (ret < 0 || ret >= sizeof(user_msg)) {
560 : D(("snprintf failed."));
561 0 : return PAM_SYSTEM_ERR;
562 : }
563 0 : ret = do_pam_conversation(pamh, PAM_TEXT_INFO, user_msg, NULL, NULL);
564 :
565 0 : if (ret != PAM_SUCCESS) {
566 : D(("do_pam_conversation failed."));
567 0 : return PAM_SYSTEM_ERR;
568 : }
569 :
570 0 : return PAM_SUCCESS;
571 : }
572 :
573 0 : static int user_info_offline_auth_delayed(pam_handle_t *pamh, size_t buflen,
574 : uint8_t *buf)
575 : {
576 : int ret;
577 : int64_t delayed_until;
578 : struct tm tm;
579 : char delay_str[128];
580 : char user_msg[256];
581 :
582 0 : delay_str[0] = '\0';
583 :
584 0 : if (buflen != sizeof(uint32_t) + sizeof(int64_t)) {
585 : D(("User info response data has the wrong size"));
586 0 : return PAM_BUF_ERR;
587 : }
588 :
589 0 : memcpy(&delayed_until, buf + sizeof(uint32_t), sizeof(int64_t));
590 :
591 0 : if (delayed_until <= 0) {
592 : D(("User info response data has an invalid value"));
593 0 : return PAM_BUF_ERR;
594 : }
595 :
596 0 : if (localtime_r((time_t *) &delayed_until, &tm) != NULL) {
597 0 : ret = strftime(delay_str, sizeof(delay_str), "%c", &tm);
598 0 : if (ret == 0) {
599 : D(("strftime failed."));
600 0 : delay_str[0] = '\0';
601 : }
602 : } else {
603 : D(("localtime_r failed"));
604 : }
605 :
606 0 : ret = snprintf(user_msg, sizeof(user_msg), "%s%s.",
607 : _("Authentication is denied until: "),
608 : delay_str);
609 0 : if (ret < 0 || ret >= sizeof(user_msg)) {
610 : D(("snprintf failed."));
611 0 : return PAM_SYSTEM_ERR;
612 : }
613 :
614 0 : ret = do_pam_conversation(pamh, PAM_TEXT_INFO, user_msg, NULL, NULL);
615 0 : if (ret != PAM_SUCCESS) {
616 : D(("do_pam_conversation failed."));
617 0 : return PAM_SYSTEM_ERR;
618 : }
619 :
620 0 : return PAM_SUCCESS;
621 : }
622 :
623 0 : static int user_info_offline_chpass(pam_handle_t *pamh)
624 : {
625 : int ret;
626 :
627 0 : ret = do_pam_conversation(pamh, PAM_TEXT_INFO,
628 0 : _("System is offline, password change not possible"),
629 : NULL, NULL);
630 0 : if (ret != PAM_SUCCESS) {
631 : D(("do_pam_conversation failed."));
632 0 : return PAM_SYSTEM_ERR;
633 : }
634 :
635 0 : return PAM_SUCCESS;
636 : }
637 :
638 0 : static int user_info_otp_chpass(pam_handle_t *pamh)
639 : {
640 : int ret;
641 :
642 0 : ret = do_pam_conversation(pamh, PAM_TEXT_INFO,
643 0 : _("After changing the OTP password, you need to "
644 : "log out and back in order to acquire a ticket"),
645 : NULL, NULL);
646 0 : if (ret != PAM_SUCCESS) {
647 : D(("do_pam_conversation failed."));
648 0 : return PAM_SYSTEM_ERR;
649 : }
650 :
651 0 : return PAM_SUCCESS;
652 : }
653 :
654 0 : static int user_info_account_expired(pam_handle_t *pamh, size_t buflen,
655 : uint8_t *buf)
656 : {
657 : int ret;
658 : uint32_t msg_len;
659 : char *user_msg;
660 0 : size_t bufsize = 0;
661 :
662 : /* resp_type and length of message are expected to be in buf */
663 0 : if (buflen < 2* sizeof(uint32_t)) {
664 : D(("User info response data is too short"));
665 0 : return PAM_BUF_ERR;
666 : }
667 :
668 : /* msg_len = legth of message */
669 0 : memcpy(&msg_len, buf + sizeof(uint32_t), sizeof(uint32_t));
670 :
671 0 : if (buflen != 2* sizeof(uint32_t) + msg_len) {
672 : D(("User info response data has the wrong size"));
673 0 : return PAM_BUF_ERR;
674 : }
675 :
676 0 : bufsize = strlen(EXP_ACC_MSG) + 1;
677 :
678 0 : if (msg_len > 0) {
679 0 : bufsize += strlen(SRV_MSG) + msg_len;
680 : }
681 :
682 0 : user_msg = (char *)malloc(sizeof(char) * bufsize);
683 0 : if (!user_msg) {
684 : D(("Out of memory."));
685 0 : return PAM_SYSTEM_ERR;
686 : }
687 :
688 0 : ret = snprintf(user_msg, bufsize, "%s%s%.*s",
689 : EXP_ACC_MSG,
690 0 : msg_len > 0 ? SRV_MSG : "",
691 : msg_len,
692 0 : msg_len > 0 ? (char *)(buf + 2 * sizeof(uint32_t)) : "" );
693 0 : if (ret < 0 || ret > bufsize) {
694 : D(("snprintf failed."));
695 :
696 0 : free(user_msg);
697 0 : return PAM_SYSTEM_ERR;
698 : }
699 :
700 0 : ret = do_pam_conversation(pamh, PAM_TEXT_INFO, user_msg, NULL, NULL);
701 0 : free(user_msg);
702 0 : if (ret != PAM_SUCCESS) {
703 : D(("do_pam_conversation failed."));
704 :
705 0 : return PAM_SYSTEM_ERR;
706 : }
707 :
708 0 : return PAM_SUCCESS;
709 : }
710 :
711 0 : static int user_info_chpass_error(pam_handle_t *pamh, size_t buflen,
712 : uint8_t *buf)
713 : {
714 : int ret;
715 : uint32_t msg_len;
716 : char *user_msg;
717 0 : size_t bufsize = 0;
718 :
719 0 : if (buflen < 2* sizeof(uint32_t)) {
720 : D(("User info response data is too short"));
721 0 : return PAM_BUF_ERR;
722 : }
723 :
724 0 : memcpy(&msg_len, buf + sizeof(uint32_t), sizeof(uint32_t));
725 :
726 0 : if (buflen != 2* sizeof(uint32_t) + msg_len) {
727 : D(("User info response data has the wrong size"));
728 0 : return PAM_BUF_ERR;
729 : }
730 :
731 0 : bufsize = strlen(_("Password change failed. ")) + 1;
732 :
733 0 : if (msg_len > 0) {
734 0 : bufsize += strlen(_("Server message: ")) + msg_len;
735 : }
736 :
737 0 : user_msg = (char *)malloc(sizeof(char) * bufsize);
738 0 : if (!user_msg) {
739 : D(("Out of memory."));
740 0 : return PAM_SYSTEM_ERR;
741 : }
742 :
743 0 : ret = snprintf(user_msg, bufsize, "%s%s%.*s",
744 : _("Password change failed. "),
745 0 : msg_len > 0 ? _("Server message: ") : "",
746 : msg_len,
747 0 : msg_len > 0 ? (char *)(buf + 2 * sizeof(uint32_t)) : "" );
748 0 : if (ret < 0 || ret > bufsize) {
749 : D(("snprintf failed."));
750 :
751 0 : free(user_msg);
752 0 : return PAM_SYSTEM_ERR;
753 : }
754 :
755 0 : ret = do_pam_conversation(pamh, PAM_TEXT_INFO, user_msg, NULL, NULL);
756 0 : free(user_msg);
757 0 : if (ret != PAM_SUCCESS) {
758 : D(("do_pam_conversation failed."));
759 :
760 0 : return PAM_SYSTEM_ERR;
761 : }
762 :
763 0 : return PAM_SUCCESS;
764 : }
765 :
766 0 : static int eval_user_info_response(pam_handle_t *pamh, size_t buflen,
767 : uint8_t *buf)
768 : {
769 : int ret;
770 : uint32_t type;
771 :
772 0 : if (buflen < sizeof(uint32_t)) {
773 : D(("User info response data is too short"));
774 0 : return PAM_BUF_ERR;
775 : }
776 :
777 0 : memcpy(&type, buf, sizeof(uint32_t));
778 :
779 0 : switch(type) {
780 : case SSS_PAM_USER_INFO_OFFLINE_AUTH:
781 0 : ret = user_info_offline_auth(pamh, buflen, buf);
782 0 : break;
783 : case SSS_PAM_USER_INFO_GRACE_LOGIN:
784 0 : ret = user_info_grace_login(pamh, buflen, buf);
785 0 : break;
786 : case SSS_PAM_USER_INFO_EXPIRE_WARN:
787 0 : ret = user_info_expire_warn(pamh, buflen, buf);
788 0 : break;
789 : case SSS_PAM_USER_INFO_OFFLINE_AUTH_DELAYED:
790 0 : ret = user_info_offline_auth_delayed(pamh, buflen, buf);
791 0 : break;
792 : case SSS_PAM_USER_INFO_OFFLINE_CHPASS:
793 0 : ret = user_info_offline_chpass(pamh);
794 0 : break;
795 : case SSS_PAM_USER_INFO_OTP_CHPASS:
796 0 : ret = user_info_otp_chpass(pamh);
797 0 : break;
798 : case SSS_PAM_USER_INFO_CHPASS_ERROR:
799 0 : ret = user_info_chpass_error(pamh, buflen, buf);
800 0 : break;
801 : case SSS_PAM_USER_INFO_ACCOUNT_EXPIRED:
802 0 : ret = user_info_account_expired(pamh, buflen, buf);
803 0 : break;
804 : default:
805 : D(("Unknown user info type [%d]", type));
806 0 : ret = PAM_SYSTEM_ERR;
807 : }
808 :
809 0 : return ret;
810 : }
811 :
812 16 : static int eval_response(pam_handle_t *pamh, size_t buflen, uint8_t *buf,
813 : struct pam_items *pi)
814 : {
815 : int ret;
816 16 : size_t p=0;
817 : char *env_item;
818 : int32_t c;
819 : int32_t type;
820 : int32_t len;
821 : int32_t pam_status;
822 : size_t offset;
823 :
824 16 : if (buflen < (2*sizeof(int32_t))) {
825 : D(("response buffer is too small"));
826 0 : return PAM_BUF_ERR;
827 : }
828 :
829 16 : memcpy(&pam_status, buf+p, sizeof(int32_t));
830 16 : p += sizeof(int32_t);
831 :
832 :
833 16 : memcpy(&c, buf+p, sizeof(int32_t));
834 16 : p += sizeof(int32_t);
835 :
836 34 : while(c>0) {
837 2 : if (buflen < (p+2*sizeof(int32_t))) {
838 : D(("response buffer is too small"));
839 0 : return PAM_BUF_ERR;
840 : }
841 :
842 2 : memcpy(&type, buf+p, sizeof(int32_t));
843 2 : p += sizeof(int32_t);
844 :
845 2 : memcpy(&len, buf+p, sizeof(int32_t));
846 2 : p += sizeof(int32_t);
847 :
848 2 : if (buflen < (p + len)) {
849 : D(("response buffer is too small"));
850 0 : return PAM_BUF_ERR;
851 : }
852 :
853 2 : switch(type) {
854 : case SSS_PAM_SYSTEM_INFO:
855 0 : if (buf[p + (len -1)] != '\0') {
856 : D(("system info does not end with \\0."));
857 0 : break;
858 : }
859 0 : logger(pamh, LOG_INFO, "system info: [%s]", &buf[p]);
860 0 : break;
861 : case SSS_PAM_DOMAIN_NAME:
862 0 : if (buf[p + (len -1)] != '\0') {
863 : D(("domain name does not end with \\0."));
864 0 : break;
865 : }
866 : D(("domain name: [%s]", &buf[p]));
867 0 : pi->domain_name = strdup((char *) &buf[p]);
868 0 : if (pi->domain_name == NULL) {
869 : D(("strdup failed"));
870 : }
871 0 : break;
872 : case SSS_ENV_ITEM:
873 : case SSS_PAM_ENV_ITEM:
874 : case SSS_ALL_ENV_ITEM:
875 2 : if (buf[p + (len -1)] != '\0') {
876 : D(("env item does not end with \\0."));
877 0 : break;
878 : }
879 :
880 : D(("env item: [%s]", &buf[p]));
881 2 : if (type == SSS_PAM_ENV_ITEM || type == SSS_ALL_ENV_ITEM) {
882 2 : ret = pam_putenv(pamh, (char *)&buf[p]);
883 2 : if (ret != PAM_SUCCESS) {
884 : D(("pam_putenv failed."));
885 0 : break;
886 : }
887 : }
888 :
889 2 : if (type == SSS_ENV_ITEM || type == SSS_ALL_ENV_ITEM) {
890 2 : env_item = strdup((char *)&buf[p]);
891 2 : if (env_item == NULL) {
892 : D(("strdup failed"));
893 0 : break;
894 : }
895 2 : ret = putenv(env_item);
896 2 : if (ret == -1) {
897 : D(("putenv failed."));
898 0 : break;
899 : }
900 : }
901 2 : break;
902 : case SSS_PAM_USER_INFO:
903 0 : ret = eval_user_info_response(pamh, len, &buf[p]);
904 : if (ret != PAM_SUCCESS) {
905 : D(("eval_user_info_response failed"));
906 : }
907 0 : break;
908 : case SSS_PAM_TEXT_MSG:
909 0 : if (buf[p + (len -1)] != '\0') {
910 : D(("system info does not end with \\0."));
911 0 : break;
912 : }
913 :
914 0 : ret = do_pam_conversation(pamh, PAM_TEXT_INFO, (char *) &buf[p],
915 : NULL, NULL);
916 : if (ret != PAM_SUCCESS) {
917 : D(("do_pam_conversation failed."));
918 : }
919 0 : break;
920 : case SSS_OTP:
921 : D(("OTP was used, removing authtokens."));
922 0 : overwrite_and_free_authtoks(pi);
923 0 : ret = pam_set_item(pamh, PAM_AUTHTOK, NULL);
924 : if (ret != PAM_SUCCESS) {
925 : D(("Failed to remove PAM_AUTHTOK after using otp [%s]",
926 : pam_strerror(pamh,ret)));
927 : }
928 0 : break;
929 : case SSS_PAM_OTP_INFO:
930 0 : if (buf[p + (len - 1)] != '\0') {
931 : D(("otp info does not end with \\0."));
932 0 : break;
933 : }
934 :
935 0 : pi->otp_vendor = strdup((char *) &buf[p]);
936 0 : if (pi->otp_vendor == NULL) {
937 : D(("strdup failed"));
938 0 : break;
939 : }
940 :
941 0 : offset = strlen(pi->otp_vendor) + 1;
942 0 : if (offset >= len) {
943 : D(("OTP message size mismatch"));
944 0 : free(pi->otp_vendor);
945 0 : pi->otp_vendor = NULL;
946 0 : break;
947 : }
948 0 : pi->otp_token_id = strdup((char *) &buf[p + offset]);
949 0 : if (pi->otp_token_id == NULL) {
950 : D(("strdup failed"));
951 0 : break;
952 : }
953 :
954 0 : offset += strlen(pi->otp_token_id) + 1;
955 0 : if (offset >= len) {
956 : D(("OTP message size mismatch"));
957 0 : free(pi->otp_token_id);
958 0 : pi->otp_token_id = NULL;
959 0 : break;
960 : }
961 0 : pi->otp_challenge = strdup((char *) &buf[p + offset]);
962 0 : if (pi->otp_challenge == NULL) {
963 : D(("strdup failed"));
964 0 : break;
965 : }
966 :
967 0 : break;
968 : case SSS_PAM_CERT_INFO:
969 0 : if (buf[p + (len - 1)] != '\0') {
970 : D(("cert info does not end with \\0."));
971 0 : break;
972 : }
973 :
974 0 : pi->cert_user = strdup((char *) &buf[p]);
975 0 : if (pi->cert_user == NULL) {
976 : D(("strdup failed"));
977 0 : break;
978 : }
979 :
980 0 : offset = strlen(pi->cert_user) + 1;
981 0 : if (offset >= len) {
982 : D(("Cert message size mismatch"));
983 0 : free(pi->cert_user);
984 0 : pi->cert_user = NULL;
985 0 : break;
986 : }
987 0 : pi->token_name = strdup((char *) &buf[p + offset]);
988 0 : if (pi->token_name == NULL) {
989 : D(("strdup failed"));
990 0 : break;
991 : }
992 : D(("cert user: [%s] token name: [%s]", pi->cert_user,
993 : pi->token_name));
994 0 : break;
995 : default:
996 : D(("Unknown response type [%d]", type));
997 : }
998 2 : p += len;
999 :
1000 2 : --c;
1001 : }
1002 :
1003 16 : return PAM_SUCCESS;
1004 : }
1005 :
1006 18 : static int get_pam_items(pam_handle_t *pamh, struct pam_items *pi)
1007 : {
1008 : int ret;
1009 :
1010 18 : pi->pam_authtok_type = SSS_AUTHTOK_TYPE_EMPTY;
1011 18 : pi->pam_authtok = NULL;
1012 18 : pi->pam_authtok_size = 0;
1013 18 : pi->pam_newauthtok_type = SSS_AUTHTOK_TYPE_EMPTY;
1014 18 : pi->pam_newauthtok = NULL;
1015 18 : pi->pam_newauthtok_size = 0;
1016 18 : pi->first_factor = NULL;
1017 :
1018 18 : ret = pam_get_item(pamh, PAM_SERVICE, (const void **) &(pi->pam_service));
1019 18 : if (ret != PAM_SUCCESS) return ret;
1020 18 : if (pi->pam_service == NULL) pi->pam_service="";
1021 18 : pi->pam_service_size=strlen(pi->pam_service)+1;
1022 :
1023 18 : ret = pam_get_item(pamh, PAM_USER, (const void **) &(pi->pam_user));
1024 18 : if (ret != PAM_SUCCESS) return ret;
1025 18 : if (pi->pam_user == NULL) {
1026 : D(("No user found, aborting."));
1027 0 : return PAM_BAD_ITEM;
1028 : }
1029 18 : if (strcmp(pi->pam_user, "root") == 0) {
1030 : D(("pam_sss will not handle root."));
1031 2 : return PAM_USER_UNKNOWN;
1032 : }
1033 16 : pi->pam_user_size=strlen(pi->pam_user)+1;
1034 :
1035 :
1036 16 : ret = pam_get_item(pamh, PAM_TTY, (const void **) &(pi->pam_tty));
1037 16 : if (ret != PAM_SUCCESS) return ret;
1038 16 : if (pi->pam_tty == NULL) pi->pam_tty="";
1039 16 : pi->pam_tty_size=strlen(pi->pam_tty)+1;
1040 :
1041 16 : ret = pam_get_item(pamh, PAM_RUSER, (const void **) &(pi->pam_ruser));
1042 16 : if (ret != PAM_SUCCESS) return ret;
1043 16 : if (pi->pam_ruser == NULL) pi->pam_ruser="";
1044 16 : pi->pam_ruser_size=strlen(pi->pam_ruser)+1;
1045 :
1046 16 : ret = pam_get_item(pamh, PAM_RHOST, (const void **) &(pi->pam_rhost));
1047 16 : if (ret != PAM_SUCCESS) return ret;
1048 16 : if (pi->pam_rhost == NULL) pi->pam_rhost="";
1049 16 : pi->pam_rhost_size=strlen(pi->pam_rhost)+1;
1050 :
1051 16 : ret = pam_get_item(pamh, PAM_AUTHTOK,
1052 16 : (const void **) &(pi->pamstack_authtok));
1053 16 : if (ret != PAM_SUCCESS) return ret;
1054 16 : if (pi->pamstack_authtok == NULL) pi->pamstack_authtok="";
1055 :
1056 16 : ret = pam_get_item(pamh, PAM_OLDAUTHTOK,
1057 16 : (const void **) &(pi->pamstack_oldauthtok));
1058 16 : if (ret != PAM_SUCCESS) return ret;
1059 16 : if (pi->pamstack_oldauthtok == NULL) pi->pamstack_oldauthtok="";
1060 :
1061 16 : pi->cli_pid = getpid();
1062 :
1063 16 : pi->login_name = pam_modutil_getlogin(pamh);
1064 16 : if (pi->login_name == NULL) pi->login_name="";
1065 :
1066 16 : pi->domain_name = NULL;
1067 :
1068 16 : if (pi->requested_domains == NULL) pi->requested_domains = "";
1069 16 : pi->requested_domains_size = strlen(pi->requested_domains) + 1;
1070 :
1071 16 : pi->otp_vendor = NULL;
1072 16 : pi->otp_token_id = NULL;
1073 16 : pi->otp_challenge = NULL;
1074 :
1075 16 : pi->cert_user = NULL;
1076 16 : pi->token_name = NULL;
1077 :
1078 16 : return PAM_SUCCESS;
1079 : }
1080 :
1081 16 : static void print_pam_items(struct pam_items *pi)
1082 : {
1083 16 : if (pi == NULL) return;
1084 :
1085 : D(("Service: %s", CHECK_AND_RETURN_PI_STRING(pi->pam_service)));
1086 : D(("User: %s", CHECK_AND_RETURN_PI_STRING(pi->pam_user)));
1087 : D(("Tty: %s", CHECK_AND_RETURN_PI_STRING(pi->pam_tty)));
1088 : D(("Ruser: %s", CHECK_AND_RETURN_PI_STRING(pi->pam_ruser)));
1089 : D(("Rhost: %s", CHECK_AND_RETURN_PI_STRING(pi->pam_rhost)));
1090 : D(("Pamstack_Authtok: %s",
1091 : CHECK_AND_RETURN_PI_STRING(pi->pamstack_authtok)));
1092 : D(("Pamstack_Oldauthtok: %s",
1093 : CHECK_AND_RETURN_PI_STRING(pi->pamstack_oldauthtok)));
1094 : D(("Authtok: %s", CHECK_AND_RETURN_PI_STRING(pi->pam_authtok)));
1095 : D(("Newauthtok: %s", CHECK_AND_RETURN_PI_STRING(pi->pam_newauthtok)));
1096 : D(("Cli_PID: %d", pi->cli_pid));
1097 : D(("Requested domains: %s", pi->requested_domains));
1098 : }
1099 :
1100 16 : static int send_and_receive(pam_handle_t *pamh, struct pam_items *pi,
1101 : enum sss_cli_command task, bool quiet_mode)
1102 : {
1103 : int ret;
1104 : int sret;
1105 : int errnop;
1106 : struct sss_cli_req_data rd;
1107 16 : uint8_t *buf = NULL;
1108 16 : uint8_t *repbuf = NULL;
1109 : size_t replen;
1110 16 : int pam_status = PAM_SYSTEM_ERR;
1111 :
1112 16 : print_pam_items(pi);
1113 :
1114 16 : ret = pack_message_v3(pi, &rd.len, &buf);
1115 16 : if (ret != 0) {
1116 : D(("pack_message failed."));
1117 0 : pam_status = PAM_SYSTEM_ERR;
1118 0 : goto done;
1119 : }
1120 16 : rd.data = buf;
1121 :
1122 16 : errnop = 0;
1123 16 : ret = sss_pam_make_request(task, &rd, &repbuf, &replen, &errnop);
1124 :
1125 16 : sret = pam_set_data(pamh, FD_DESTRUCTOR, NULL, close_fd);
1126 : if (sret != PAM_SUCCESS) {
1127 : D(("pam_set_data failed, client might leaks fds"));
1128 : }
1129 :
1130 16 : if (ret != PAM_SUCCESS) {
1131 0 : if (errnop != 0) {
1132 0 : logger(pamh, LOG_ERR, "Request to sssd failed. %s", ssscli_err2string(errnop));
1133 : }
1134 0 : pam_status = PAM_AUTHINFO_UNAVAIL;
1135 0 : goto done;
1136 : }
1137 :
1138 : /* FIXME: add an end signature */
1139 16 : if (replen < (2*sizeof(int32_t))) {
1140 : D(("response not in expected format."));
1141 0 : pam_status = PAM_SYSTEM_ERR;
1142 0 : goto done;
1143 : }
1144 :
1145 16 : SAFEALIGN_COPY_UINT32(&pam_status, repbuf, NULL);
1146 16 : ret = eval_response(pamh, replen, repbuf, pi);
1147 16 : if (ret != PAM_SUCCESS) {
1148 : D(("eval_response failed."));
1149 0 : pam_status = ret;
1150 0 : goto done;
1151 : }
1152 :
1153 16 : switch (task) {
1154 : case SSS_PAM_AUTHENTICATE:
1155 21 : logger(pamh, (pam_status == PAM_SUCCESS ? LOG_INFO : LOG_NOTICE),
1156 : "authentication %s; logname=%s uid=%lu euid=%d tty=%s "
1157 : "ruser=%s rhost=%s user=%s",
1158 7 : pam_status == PAM_SUCCESS ? "success" : "failure",
1159 7 : pi->login_name, getuid(), (unsigned long) geteuid(),
1160 : pi->pam_tty, pi->pam_ruser, pi->pam_rhost, pi->pam_user);
1161 7 : if (pam_status != PAM_SUCCESS) {
1162 : /* don't log if quiet_mode is on and pam_status is
1163 : * User not known to the underlying authentication module
1164 : */
1165 4 : if (!quiet_mode || pam_status != 10) {
1166 4 : logger(pamh, LOG_NOTICE, "received for user %s: %d (%s)",
1167 : pi->pam_user, pam_status,
1168 : pam_strerror(pamh,pam_status));
1169 : }
1170 : }
1171 7 : break;
1172 : case SSS_PAM_CHAUTHTOK_PRELIM:
1173 3 : if (pam_status != PAM_SUCCESS) {
1174 : /* don't log if quiet_mode is on and pam_status is
1175 : * User not known to the underlying authentication module
1176 : */
1177 1 : if (!quiet_mode || pam_status != 10) {
1178 1 : logger(pamh, LOG_NOTICE,
1179 : "Authentication failed for user %s: %d (%s)",
1180 : pi->pam_user, pam_status,
1181 : pam_strerror(pamh,pam_status));
1182 : }
1183 : }
1184 3 : break;
1185 : case SSS_PAM_CHAUTHTOK:
1186 1 : if (pam_status != PAM_SUCCESS) {
1187 0 : logger(pamh, LOG_NOTICE,
1188 : "Password change failed for user %s: %d (%s)",
1189 : pi->pam_user, pam_status,
1190 : pam_strerror(pamh,pam_status));
1191 : }
1192 1 : break;
1193 : case SSS_PAM_ACCT_MGMT:
1194 2 : if (pam_status != PAM_SUCCESS) {
1195 : /* don't log if quiet_mode is on and pam_status is
1196 : * User not known to the underlying authentication module
1197 : */
1198 1 : if (!quiet_mode || pam_status != 10) {
1199 1 : logger(pamh, LOG_NOTICE,
1200 : "Access denied for user %s: %d (%s)",
1201 : pi->pam_user, pam_status,
1202 : pam_strerror(pamh,pam_status));
1203 : }
1204 : }
1205 2 : break;
1206 : case SSS_PAM_OPEN_SESSION:
1207 : case SSS_PAM_SETCRED:
1208 : case SSS_PAM_CLOSE_SESSION:
1209 : case SSS_PAM_PREAUTH:
1210 3 : break;
1211 : default:
1212 : D(("Illegal task [%#x]", task));
1213 0 : return PAM_SYSTEM_ERR;
1214 : }
1215 :
1216 : done:
1217 16 : if (buf != NULL ) {
1218 16 : _pam_overwrite_n((void *)buf, rd.len);
1219 16 : free(buf);
1220 : }
1221 16 : free(repbuf);
1222 :
1223 16 : return pam_status;
1224 : }
1225 :
1226 10 : static int prompt_password(pam_handle_t *pamh, struct pam_items *pi,
1227 : const char *prompt)
1228 : {
1229 : int ret;
1230 10 : char *answer = NULL;
1231 :
1232 10 : ret = do_pam_conversation(pamh, PAM_PROMPT_ECHO_OFF, prompt, NULL, &answer);
1233 10 : if (ret != PAM_SUCCESS) {
1234 : D(("do_pam_conversation failed."));
1235 0 : return ret;
1236 : }
1237 :
1238 10 : if (answer == NULL) {
1239 0 : pi->pam_authtok = NULL;
1240 0 : pi->pam_authtok_type = SSS_AUTHTOK_TYPE_EMPTY;
1241 0 : pi->pam_authtok_size=0;
1242 : } else {
1243 10 : pi->pam_authtok = strdup(answer);
1244 10 : _pam_overwrite((void *)answer);
1245 10 : free(answer);
1246 10 : answer=NULL;
1247 10 : if (pi->pam_authtok == NULL) {
1248 0 : return PAM_BUF_ERR;
1249 : }
1250 10 : pi->pam_authtok_type = SSS_AUTHTOK_TYPE_PASSWORD;
1251 10 : pi->pam_authtok_size=strlen(pi->pam_authtok);
1252 : }
1253 :
1254 10 : return PAM_SUCCESS;
1255 : }
1256 :
1257 0 : static int prompt_2fa(pam_handle_t *pamh, struct pam_items *pi,
1258 : const char *prompt_fa1, const char *prompt_fa2)
1259 : {
1260 : int ret;
1261 : const struct pam_conv *conv;
1262 0 : const struct pam_message *mesg[2] = { NULL, NULL };
1263 : struct pam_message *m1;
1264 : struct pam_message *m2;
1265 0 : struct pam_response *resp = NULL;
1266 : size_t needed_size;
1267 :
1268 0 : ret = pam_get_item(pamh, PAM_CONV, (const void **) &conv);
1269 0 : if (ret != PAM_SUCCESS) {
1270 0 : return ret;
1271 : }
1272 :
1273 0 : m1 = malloc(sizeof(struct pam_message));
1274 0 : if (m1 == NULL) {
1275 : D(("Malloc failed."));
1276 0 : return PAM_SYSTEM_ERR;
1277 : }
1278 :
1279 0 : m2 = malloc(sizeof(struct pam_message));
1280 0 : if (m2 == NULL) {
1281 : D(("Malloc failed."));
1282 0 : free(m1);
1283 0 : return PAM_SYSTEM_ERR;
1284 : }
1285 0 : m1->msg_style = PAM_PROMPT_ECHO_OFF;
1286 0 : m1->msg = prompt_fa1;
1287 0 : m2->msg_style = PAM_PROMPT_ECHO_OFF;
1288 0 : m2->msg = prompt_fa2;
1289 :
1290 0 : mesg[0] = (const struct pam_message *) m1;
1291 0 : mesg[1] = (const struct pam_message *) m2;
1292 :
1293 0 : ret = conv->conv(2, mesg, &resp, conv->appdata_ptr);
1294 0 : free(m1);
1295 0 : free(m2);
1296 0 : if (ret != PAM_SUCCESS) {
1297 : D(("Conversation failure: %s.", pam_strerror(pamh, ret)));
1298 0 : return ret;
1299 : }
1300 :
1301 0 : if (resp == NULL) {
1302 : D(("response expected, but resp==NULL"));
1303 0 : return PAM_SYSTEM_ERR;
1304 : }
1305 :
1306 0 : if (resp[0].resp == NULL || *(resp[0].resp) == '\0') {
1307 : D(("Missing factor."));
1308 0 : ret = PAM_CRED_INSUFFICIENT;
1309 0 : goto done;
1310 : }
1311 :
1312 0 : if (resp[1].resp == NULL || *(resp[1].resp) == '\0'
1313 0 : || (pi->pam_service != NULL && strcmp(pi->pam_service, "sshd") == 0
1314 0 : && strcmp(resp[0].resp, resp[1].resp) == 0)) {
1315 : /* Missing second factor, assume first factor contains combined 2FA
1316 : * credentials.
1317 : * Special handling for SSH with password authentication. Combined
1318 : * 2FA credentials are used but SSH puts them in both responses. */
1319 :
1320 0 : pi->pam_authtok = strndup(resp[0].resp, MAX_AUTHTOK_SIZE);
1321 0 : if (pi->pam_authtok == NULL) {
1322 : D(("strndup failed."));
1323 0 : ret = PAM_BUF_ERR;
1324 0 : goto done;
1325 : }
1326 0 : pi->pam_authtok_size = strlen(pi->pam_authtok) + 1;
1327 0 : pi->pam_authtok_type = SSS_AUTHTOK_TYPE_PASSWORD;
1328 : } else {
1329 :
1330 0 : ret = sss_auth_pack_2fa_blob(resp[0].resp, 0, resp[1].resp, 0, NULL, 0,
1331 : &needed_size);
1332 0 : if (ret != EAGAIN) {
1333 : D(("sss_auth_pack_2fa_blob failed."));
1334 0 : ret = PAM_BUF_ERR;
1335 0 : goto done;
1336 : }
1337 :
1338 0 : pi->pam_authtok = malloc(needed_size);
1339 0 : if (pi->pam_authtok == NULL) {
1340 : D(("malloc failed."));
1341 0 : ret = PAM_BUF_ERR;
1342 0 : goto done;
1343 : }
1344 :
1345 0 : ret = sss_auth_pack_2fa_blob(resp[0].resp, 0, resp[1].resp, 0,
1346 0 : (uint8_t *) pi->pam_authtok, needed_size,
1347 : &needed_size);
1348 0 : if (ret != EOK) {
1349 : D(("sss_auth_pack_2fa_blob failed."));
1350 0 : ret = PAM_BUF_ERR;
1351 0 : goto done;
1352 : }
1353 :
1354 0 : pi->pam_authtok_size = needed_size;
1355 0 : pi->pam_authtok_type = SSS_AUTHTOK_TYPE_2FA;
1356 0 : pi->first_factor = strndup(resp[0].resp, MAX_AUTHTOK_SIZE);
1357 0 : if (pi->first_factor == NULL) {
1358 : D(("strndup failed."));
1359 0 : ret = PAM_BUF_ERR;
1360 0 : goto done;
1361 : }
1362 : }
1363 :
1364 0 : ret = PAM_SUCCESS;
1365 :
1366 : done:
1367 0 : if (resp != NULL) {
1368 0 : if (resp[0].resp != NULL) {
1369 0 : _pam_overwrite((void *)resp[0].resp);
1370 0 : free(resp[0].resp);
1371 : }
1372 0 : if (resp[1].resp != NULL) {
1373 0 : _pam_overwrite((void *)resp[1].resp);
1374 0 : free(resp[1].resp);
1375 : }
1376 :
1377 0 : free(resp);
1378 0 : resp = NULL;
1379 : }
1380 :
1381 0 : return ret;
1382 : }
1383 :
1384 : #define SC_PROMPT_FMT "PIN for %s for user %s"
1385 0 : static int prompt_sc_pin(pam_handle_t *pamh, struct pam_items *pi)
1386 : {
1387 : int ret;
1388 0 : char *answer = NULL;
1389 : char *prompt;
1390 : size_t size;
1391 :
1392 0 : if (pi->token_name == NULL || *pi->token_name == '\0'
1393 0 : || pi->cert_user == NULL || *pi->cert_user == '\0') {
1394 0 : return EINVAL;
1395 : }
1396 :
1397 0 : size = sizeof(SC_PROMPT_FMT) + strlen(pi->token_name) +
1398 0 : strlen(pi->cert_user);
1399 0 : prompt = malloc(size);
1400 0 : if (prompt == NULL) {
1401 : D(("malloc failed."));
1402 0 : return ENOMEM;
1403 : }
1404 :
1405 0 : ret = snprintf(prompt, size, SC_PROMPT_FMT, pi->token_name, pi->cert_user);
1406 0 : if (ret < 0 || ret >= size) {
1407 : D(("snprintf failed."));
1408 0 : free(prompt);
1409 0 : return EFAULT;
1410 : }
1411 :
1412 0 : ret = do_pam_conversation(pamh, PAM_PROMPT_ECHO_OFF, prompt, NULL, &answer);
1413 0 : free(prompt);
1414 0 : if (ret != PAM_SUCCESS) {
1415 : D(("do_pam_conversation failed."));
1416 0 : return ret;
1417 : }
1418 :
1419 0 : if (answer == NULL) {
1420 0 : pi->pam_authtok = NULL;
1421 0 : pi->pam_authtok_type = SSS_AUTHTOK_TYPE_EMPTY;
1422 0 : pi->pam_authtok_size=0;
1423 : } else {
1424 0 : pi->pam_authtok = strdup(answer);
1425 0 : _pam_overwrite((void *)answer);
1426 0 : free(answer);
1427 0 : answer=NULL;
1428 0 : if (pi->pam_authtok == NULL) {
1429 0 : return PAM_BUF_ERR;
1430 : }
1431 0 : pi->pam_authtok_type = SSS_AUTHTOK_TYPE_SC_PIN;
1432 0 : pi->pam_authtok_size=strlen(pi->pam_authtok);
1433 : }
1434 :
1435 0 : return PAM_SUCCESS;
1436 : }
1437 :
1438 2 : static int prompt_new_password(pam_handle_t *pamh, struct pam_items *pi)
1439 : {
1440 : int ret;
1441 2 : char *answer = NULL;
1442 :
1443 2 : ret = do_pam_conversation(pamh, PAM_PROMPT_ECHO_OFF,
1444 2 : _("New Password: "),
1445 2 : _("Reenter new Password: "),
1446 : &answer);
1447 2 : if (ret != PAM_SUCCESS) {
1448 : D(("do_pam_conversation failed."));
1449 1 : return ret;
1450 : }
1451 1 : if (answer == NULL) {
1452 0 : pi->pam_newauthtok = NULL;
1453 0 : pi->pam_newauthtok_type = SSS_AUTHTOK_TYPE_EMPTY;
1454 0 : pi->pam_newauthtok_size=0;
1455 : } else {
1456 1 : pi->pam_newauthtok = strdup(answer);
1457 1 : _pam_overwrite((void *)answer);
1458 1 : free(answer);
1459 1 : answer=NULL;
1460 1 : if (pi->pam_newauthtok == NULL) {
1461 0 : return PAM_BUF_ERR;
1462 : }
1463 1 : pi->pam_newauthtok_type = SSS_AUTHTOK_TYPE_PASSWORD;
1464 1 : pi->pam_newauthtok_size=strlen(pi->pam_newauthtok);
1465 : }
1466 :
1467 1 : return PAM_SUCCESS;
1468 : }
1469 :
1470 19 : static void eval_argv(pam_handle_t *pamh, int argc, const char **argv,
1471 : uint32_t *flags, int *retries, bool *quiet_mode,
1472 : const char **domains)
1473 : {
1474 : char *ep;
1475 :
1476 19 : *quiet_mode = false;
1477 :
1478 25 : for (; argc-- > 0; ++argv) {
1479 6 : if (strcmp(*argv, "forward_pass") == 0) {
1480 0 : *flags |= FLAGS_FORWARD_PASS;
1481 6 : } else if (strcmp(*argv, "use_first_pass") == 0) {
1482 0 : *flags |= FLAGS_USE_FIRST_PASS;
1483 6 : } else if (strcmp(*argv, "use_authtok") == 0) {
1484 0 : *flags |= FLAGS_USE_AUTHTOK;
1485 6 : } else if (strncmp(*argv, OPT_DOMAINS_KEY, strlen(OPT_DOMAINS_KEY)) == 0) {
1486 2 : if (*(*argv+strlen(OPT_DOMAINS_KEY)) == '\0') {
1487 1 : logger(pamh, LOG_ERR, "Missing argument to option domains.");
1488 1 : *domains = "";
1489 : } else {
1490 1 : *domains = *argv+strlen(OPT_DOMAINS_KEY);
1491 : }
1492 :
1493 4 : } else if (strncmp(*argv, OPT_RETRY_KEY, strlen(OPT_RETRY_KEY)) == 0) {
1494 3 : if (*(*argv+6) == '\0') {
1495 1 : logger(pamh, LOG_ERR, "Missing argument to option retry.");
1496 1 : *retries = 0;
1497 : } else {
1498 2 : errno = 0;
1499 2 : *retries = strtol(*argv+6, &ep, 10);
1500 2 : if (errno != 0) {
1501 : D(("strtol failed [%d][%s]", errno, strerror(errno)));
1502 0 : *retries = 0;
1503 : }
1504 2 : if (*ep != '\0') {
1505 0 : logger(pamh, LOG_ERR, "Argument to option retry contains "
1506 : "extra characters.");
1507 0 : *retries = 0;
1508 : }
1509 2 : if (*retries < 0) {
1510 1 : logger(pamh, LOG_ERR, "Argument to option retry must not "
1511 : "be negative.");
1512 1 : *retries = 0;
1513 : }
1514 : }
1515 1 : } else if (strcmp(*argv, "quiet") == 0) {
1516 0 : *quiet_mode = true;
1517 1 : } else if (strcmp(*argv, "ignore_unknown_user") == 0) {
1518 1 : *flags |= FLAGS_IGNORE_UNKNOWN_USER;
1519 0 : } else if (strcmp(*argv, "ignore_authinfo_unavail") == 0) {
1520 0 : *flags |= FLAGS_IGNORE_AUTHINFO_UNAVAIL;
1521 0 : } else if (strcmp(*argv, "use_2fa") == 0) {
1522 0 : *flags |= FLAGS_USE_2FA;
1523 : } else {
1524 0 : logger(pamh, LOG_WARNING, "unknown option: %s", *argv);
1525 : }
1526 : }
1527 :
1528 19 : return;
1529 : }
1530 :
1531 7 : static int get_authtok_for_authentication(pam_handle_t *pamh,
1532 : struct pam_items *pi,
1533 : uint32_t flags)
1534 : {
1535 : int ret;
1536 :
1537 7 : if (flags & FLAGS_USE_FIRST_PASS) {
1538 0 : pi->pam_authtok_type = SSS_AUTHTOK_TYPE_PASSWORD;
1539 0 : pi->pam_authtok = strdup(pi->pamstack_authtok);
1540 0 : if (pi->pam_authtok == NULL) {
1541 : D(("option use_first_pass set, but no password found"));
1542 0 : return PAM_BUF_ERR;
1543 : }
1544 0 : pi->pam_authtok_size = strlen(pi->pam_authtok);
1545 : } else {
1546 7 : if (flags & FLAGS_USE_2FA
1547 7 : || (pi->otp_vendor != NULL && pi->otp_token_id != NULL
1548 0 : && pi->otp_challenge != NULL)) {
1549 0 : ret = prompt_2fa(pamh, pi, _("First Factor: "),
1550 0 : _("Second Factor: "));
1551 7 : } else if (pi->cert_user != NULL) {
1552 0 : ret = prompt_sc_pin(pamh, pi);
1553 : } else {
1554 7 : ret = prompt_password(pamh, pi, _("Password: "));
1555 : }
1556 7 : if (ret != PAM_SUCCESS) {
1557 : D(("failed to get password from user"));
1558 0 : return ret;
1559 : }
1560 :
1561 7 : if (flags & FLAGS_FORWARD_PASS) {
1562 0 : if (pi->pam_authtok_type == SSS_AUTHTOK_TYPE_PASSWORD) {
1563 0 : ret = pam_set_item(pamh, PAM_AUTHTOK, pi->pam_authtok);
1564 0 : } else if (pi->pam_authtok_type == SSS_AUTHTOK_TYPE_2FA
1565 0 : && pi->first_factor != NULL) {
1566 0 : ret = pam_set_item(pamh, PAM_AUTHTOK, pi->first_factor);
1567 : } else {
1568 0 : ret = EINVAL;
1569 : }
1570 : if (ret != PAM_SUCCESS) {
1571 : D(("Failed to set PAM_AUTHTOK [%s], "
1572 : "authtok may not be available for other modules",
1573 : pam_strerror(pamh,ret)));
1574 : }
1575 : }
1576 : }
1577 :
1578 7 : return PAM_SUCCESS;
1579 : }
1580 :
1581 5 : static int get_authtok_for_password_change(pam_handle_t *pamh,
1582 : struct pam_items *pi,
1583 : uint32_t flags,
1584 : int pam_flags)
1585 : {
1586 : int ret;
1587 5 : const int *exp_data = NULL;
1588 5 : pam_get_data(pamh, PWEXP_FLAG, (const void **) &exp_data);
1589 :
1590 : /* we query for the old password during PAM_PRELIM_CHECK to make
1591 : * pam_sss work e.g. with pam_cracklib */
1592 5 : if (pam_flags & PAM_PRELIM_CHECK) {
1593 3 : if ( (getuid() != 0 || exp_data ) && !(flags & FLAGS_USE_FIRST_PASS)) {
1594 3 : ret = prompt_password(pamh, pi, _("Current Password: "));
1595 3 : if (ret != PAM_SUCCESS) {
1596 : D(("failed to get password from user"));
1597 0 : return ret;
1598 : }
1599 :
1600 3 : ret = pam_set_item(pamh, PAM_OLDAUTHTOK, pi->pam_authtok);
1601 3 : if (ret != PAM_SUCCESS) {
1602 : D(("Failed to set PAM_OLDAUTHTOK [%s], "
1603 : "oldauthtok may not be available",
1604 : pam_strerror(pamh,ret)));
1605 0 : return ret;
1606 : }
1607 : }
1608 :
1609 3 : return PAM_SUCCESS;
1610 : }
1611 :
1612 2 : if (pi->pamstack_oldauthtok == NULL) {
1613 0 : if (getuid() != 0) {
1614 : D(("no password found for chauthtok"));
1615 0 : return PAM_BUF_ERR;
1616 : } else {
1617 0 : pi->pam_authtok_type = SSS_AUTHTOK_TYPE_EMPTY;
1618 0 : pi->pam_authtok = NULL;
1619 0 : pi->pam_authtok_size = 0;
1620 : }
1621 : } else {
1622 2 : pi->pam_authtok = strdup(pi->pamstack_oldauthtok);
1623 2 : if (pi->pam_authtok == NULL) {
1624 : D(("strdup failed"));
1625 0 : return PAM_BUF_ERR;
1626 : }
1627 2 : pi->pam_authtok_type = SSS_AUTHTOK_TYPE_PASSWORD;
1628 2 : pi->pam_authtok_size = strlen(pi->pam_authtok);
1629 : }
1630 :
1631 2 : if (flags & FLAGS_USE_AUTHTOK) {
1632 0 : pi->pam_newauthtok_type = SSS_AUTHTOK_TYPE_PASSWORD;
1633 0 : pi->pam_newauthtok = strdup(pi->pamstack_authtok);
1634 0 : if (pi->pam_newauthtok == NULL) {
1635 : D(("option use_authtok set, but no new password found"));
1636 0 : return PAM_BUF_ERR;
1637 : }
1638 0 : pi->pam_newauthtok_size = strlen(pi->pam_newauthtok);
1639 : } else {
1640 2 : ret = prompt_new_password(pamh, pi);
1641 2 : if (ret != PAM_SUCCESS) {
1642 : D(("failed to get new password from user"));
1643 1 : return ret;
1644 : }
1645 :
1646 1 : if (flags & FLAGS_FORWARD_PASS) {
1647 0 : ret = pam_set_item(pamh, PAM_AUTHTOK, pi->pam_newauthtok);
1648 : if (ret != PAM_SUCCESS) {
1649 : D(("Failed to set PAM_AUTHTOK [%s], "
1650 : "oldauthtok may not be available",
1651 : pam_strerror(pamh,ret)));
1652 : }
1653 : }
1654 : }
1655 :
1656 1 : return PAM_SUCCESS;
1657 : }
1658 :
1659 19 : static int pam_sss(enum sss_cli_command task, pam_handle_t *pamh,
1660 : int pam_flags, int argc, const char **argv)
1661 : {
1662 : int ret;
1663 : int pam_status;
1664 : struct pam_items pi;
1665 19 : uint32_t flags = 0;
1666 : const int *exp_data;
1667 : int *pw_exp_data;
1668 19 : bool retry = false;
1669 19 : bool quiet_mode = false;
1670 19 : int retries = 0;
1671 19 : const char *domains = NULL;
1672 :
1673 19 : bindtextdomain(PACKAGE, LOCALEDIR);
1674 :
1675 : D(("Hello pam_sssd: %#x", task));
1676 :
1677 19 : eval_argv(pamh, argc, argv, &flags, &retries, &quiet_mode, &domains);
1678 :
1679 : /* Fail all authentication on misconfigured domains= parameter. The admin
1680 : * probably wanted to restrict authentication, so it's safer to fail */
1681 19 : if (domains && strcmp(domains, "") == 0) {
1682 1 : return PAM_SYSTEM_ERR;
1683 : }
1684 :
1685 18 : pi.requested_domains = domains;
1686 :
1687 18 : ret = get_pam_items(pamh, &pi);
1688 18 : if (ret != PAM_SUCCESS) {
1689 : D(("get items returned error: %s", pam_strerror(pamh,ret)));
1690 2 : if (flags & FLAGS_IGNORE_UNKNOWN_USER && ret == PAM_USER_UNKNOWN) {
1691 1 : ret = PAM_IGNORE;
1692 : }
1693 2 : if (flags & FLAGS_IGNORE_AUTHINFO_UNAVAIL
1694 0 : && ret == PAM_AUTHINFO_UNAVAIL) {
1695 0 : ret = PAM_IGNORE;
1696 : }
1697 2 : return ret;
1698 : }
1699 :
1700 : do {
1701 17 : retry = false;
1702 :
1703 17 : switch(task) {
1704 : case SSS_PAM_AUTHENTICATE:
1705 : /*
1706 : * Only do preauth if
1707 : * - FLAGS_USE_FIRST_PASS is not set
1708 : * - no password is on the stack
1709 : * - preauth indicator file exists.
1710 : */
1711 7 : if ( !(flags & FLAGS_USE_FIRST_PASS) && pi.pam_authtok == NULL
1712 7 : && access(PAM_PREAUTH_INDICATOR, F_OK) == 0) {
1713 0 : pam_status = send_and_receive(pamh, &pi, SSS_PAM_PREAUTH,
1714 : quiet_mode);
1715 : if (pam_status != PAM_SUCCESS) {
1716 : D(("send_and_receive returned [%d] during pre-auth",
1717 : pam_status));
1718 : /*
1719 : * Since we are only interested in the result message
1720 : * and will always use password authentication
1721 : * as a fallback, errors can be ignored here.
1722 : */
1723 : }
1724 : }
1725 :
1726 7 : ret = get_authtok_for_authentication(pamh, &pi, flags);
1727 7 : if (ret != PAM_SUCCESS) {
1728 : D(("failed to get authentication token: %s",
1729 : pam_strerror(pamh, ret)));
1730 0 : return ret;
1731 : }
1732 7 : break;
1733 : case SSS_PAM_CHAUTHTOK:
1734 5 : ret = get_authtok_for_password_change(pamh, &pi, flags, pam_flags);
1735 5 : if (ret != PAM_SUCCESS) {
1736 : D(("failed to get tokens for password change: %s",
1737 : pam_strerror(pamh, ret)));
1738 1 : overwrite_and_free_pam_items(&pi);
1739 1 : return ret;
1740 : }
1741 4 : if (pam_flags & PAM_PRELIM_CHECK) {
1742 3 : task = SSS_PAM_CHAUTHTOK_PRELIM;
1743 : }
1744 4 : break;
1745 : case SSS_PAM_ACCT_MGMT:
1746 : case SSS_PAM_SETCRED:
1747 : case SSS_PAM_OPEN_SESSION:
1748 : case SSS_PAM_CLOSE_SESSION:
1749 5 : break;
1750 : default:
1751 : D(("Illegal task [%#x]", task));
1752 0 : return PAM_SYSTEM_ERR;
1753 : }
1754 :
1755 16 : pam_status = send_and_receive(pamh, &pi, task, quiet_mode);
1756 :
1757 16 : if (flags & FLAGS_IGNORE_UNKNOWN_USER
1758 0 : && pam_status == PAM_USER_UNKNOWN) {
1759 0 : pam_status = PAM_IGNORE;
1760 : }
1761 16 : if (flags & FLAGS_IGNORE_AUTHINFO_UNAVAIL
1762 0 : && pam_status == PAM_AUTHINFO_UNAVAIL) {
1763 0 : pam_status = PAM_IGNORE;
1764 : }
1765 :
1766 16 : switch (task) {
1767 : case SSS_PAM_AUTHENTICATE:
1768 : /* We allow sssd to send the return code PAM_NEW_AUTHTOK_REQD during
1769 : * authentication, see sss_cli.h for details */
1770 7 : if (pam_status == PAM_NEW_AUTHTOK_REQD) {
1771 : D(("Authtoken expired, trying to change it"));
1772 :
1773 0 : pw_exp_data = malloc(sizeof(int));
1774 0 : if (pw_exp_data == NULL) {
1775 : D(("malloc failed."));
1776 0 : pam_status = PAM_BUF_ERR;
1777 0 : break;
1778 : }
1779 0 : *pw_exp_data = 1;
1780 :
1781 0 : pam_status = pam_set_data(pamh, PWEXP_FLAG, pw_exp_data,
1782 : free_exp_data);
1783 : if (pam_status != PAM_SUCCESS) {
1784 : D(("pam_set_data failed."));
1785 : }
1786 : }
1787 7 : break;
1788 : case SSS_PAM_ACCT_MGMT:
1789 3 : if (pam_status == PAM_SUCCESS &&
1790 1 : pam_get_data(pamh, PWEXP_FLAG, (const void **) &exp_data) ==
1791 : PAM_SUCCESS) {
1792 0 : ret = do_pam_conversation(pamh, PAM_TEXT_INFO,
1793 0 : _("Password expired. Change your password now."),
1794 : NULL, NULL);
1795 : if (ret != PAM_SUCCESS) {
1796 : D(("do_pam_conversation failed."));
1797 : }
1798 0 : pam_status = PAM_NEW_AUTHTOK_REQD;
1799 : }
1800 2 : break;
1801 : case SSS_PAM_CHAUTHTOK:
1802 1 : if (pam_status != PAM_SUCCESS && pam_status != PAM_USER_UNKNOWN) {
1803 0 : ret = pam_set_item(pamh, PAM_AUTHTOK, NULL);
1804 : if (ret != PAM_SUCCESS) {
1805 : D(("Failed to unset PAM_AUTHTOK [%s]",
1806 : pam_strerror(pamh,ret)));
1807 : }
1808 0 : ret = pam_set_item(pamh, PAM_OLDAUTHTOK, NULL);
1809 : if (ret != PAM_SUCCESS) {
1810 : D(("Failed to unset PAM_OLDAUTHTOK [%s]",
1811 : pam_strerror(pamh,ret)));
1812 : }
1813 : }
1814 1 : break;
1815 : case SSS_PAM_CHAUTHTOK_PRELIM:
1816 3 : if (pam_status == PAM_PERM_DENIED && pi.pam_authtok_size == 0 &&
1817 0 : getuid() == 0 &&
1818 0 : pam_get_data(pamh, PWEXP_FLAG, (const void **) &exp_data) !=
1819 : PAM_SUCCESS) {
1820 :
1821 0 : ret = select_pw_reset_message(pamh, &pi);
1822 : if (ret != 0) {
1823 : D(("select_pw_reset_message failed.\n"));
1824 : }
1825 : }
1826 : default:
1827 : /* nothing to do */
1828 6 : break;
1829 : }
1830 :
1831 16 : overwrite_and_free_pam_items(&pi);
1832 :
1833 : D(("retries [%d].", retries));
1834 :
1835 16 : if (pam_status != PAM_SUCCESS &&
1836 7 : (task == SSS_PAM_AUTHENTICATE || task == SSS_PAM_CHAUTHTOK_PRELIM) &&
1837 5 : retries > 0) {
1838 1 : retry = true;
1839 1 : retries--;
1840 :
1841 1 : flags &= ~FLAGS_USE_FIRST_PASS;
1842 1 : ret = pam_set_item(pamh, PAM_AUTHTOK, NULL);
1843 : if (ret != PAM_SUCCESS) {
1844 : D(("Failed to unset PAM_AUTHTOK [%s]",
1845 : pam_strerror(pamh,ret)));
1846 : }
1847 1 : ret = pam_set_item(pamh, PAM_OLDAUTHTOK, NULL);
1848 : if (ret != PAM_SUCCESS) {
1849 : D(("Failed to unset PAM_OLDAUTHTOK [%s]",
1850 : pam_strerror(pamh,ret)));
1851 : }
1852 : }
1853 16 : } while(retry);
1854 :
1855 15 : return pam_status;
1856 : }
1857 :
1858 : PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc,
1859 : const char **argv )
1860 : {
1861 9 : return pam_sss(SSS_PAM_AUTHENTICATE, pamh, flags, argc, argv);
1862 : }
1863 :
1864 :
1865 : PAM_EXTERN int pam_sm_setcred(pam_handle_t *pamh, int flags, int argc,
1866 : const char **argv )
1867 : {
1868 1 : return pam_sss(SSS_PAM_SETCRED, pamh, flags, argc, argv);
1869 : }
1870 :
1871 : PAM_EXTERN int pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, int argc,
1872 : const char **argv )
1873 : {
1874 2 : return pam_sss(SSS_PAM_ACCT_MGMT, pamh, flags, argc, argv);
1875 : }
1876 :
1877 : PAM_EXTERN int pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc,
1878 : const char **argv )
1879 : {
1880 5 : return pam_sss(SSS_PAM_CHAUTHTOK, pamh, flags, argc, argv);
1881 : }
1882 :
1883 : PAM_EXTERN int pam_sm_open_session(pam_handle_t *pamh, int flags, int argc,
1884 : const char **argv )
1885 : {
1886 1 : return pam_sss(SSS_PAM_OPEN_SESSION, pamh, flags, argc, argv);
1887 : }
1888 :
1889 : PAM_EXTERN int pam_sm_close_session(pam_handle_t *pamh, int flags, int argc,
1890 : const char **argv )
1891 : {
1892 1 : return pam_sss(SSS_PAM_CLOSE_SESSION, pamh, flags, argc, argv);
1893 : }
1894 :
1895 :
1896 : #ifdef PAM_STATIC
1897 :
1898 : /* static module data */
1899 :
1900 : struct pam_module _pam_sssd_modstruct ={
1901 : "pam_sssd",
1902 : pam_sm_authenticate,
1903 : pam_sm_setcred,
1904 : pam_sm_acct_mgmt,
1905 : pam_sm_open_session,
1906 : pam_sm_close_session,
1907 : pam_sm_chauthtok
1908 : };
1909 :
1910 : #endif
|
