1 /* auth-pam.c -- PAM authentification routine for vlock,
2 * the VT locking program for linux
3 *
4 * This program is copyright (C) 2007 Frank Benkstein, and is free
5 * software which is freely distributable under the terms of the
6 * GNU General Public License version 2, included as the file COPYING in this
7 * distribution. It is NOT public domain software, and any
8 * redistribution not permitted by the GNU General Public License is
9 * expressly forbidden without prior written permission from
10 * the author.
11 *
12 *
13 * The conversation function (conversation) was inspired by/copied from
14 * openpam's openpam_ttyconv.c:
15 *
16 * Copyright (c) 2002-2003 Networks Associates Technology, Inc.
17 *
18 * Redistribution and use in source and binary forms, with or without
19 * modification, are permitted provided that the following conditions
20 * are met:
21 * 1. Redistributions of source code must retain the above copyright
22 * notice, this list of conditions and the following disclaimer.
23 * 2. Redistributions in binary form must reproduce the above copyright
24 * notice, this list of conditions and the following disclaimer in the
25 * documentation and/or other materials provided with the distribution.
26 * 3. The name of the author may not be used to endorse or promote
27 * products derived from this software without specific prior written
28 * permission.
29 *
30 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
31 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
32 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
33 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
34 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
35 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
36 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
37 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
38 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
39 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
40 * SUCH DAMAGE.
41 *
42 */
43
44 #include <stdbool.h>
45 #include <stdio.h>
46 #include <stdlib.h>
47 #include <string.h>
48 #include <unistd.h>
49
50 #include <security/pam_appl.h>
51
52 #include "auth.h"
53 #include "prompt.h"
54
conversation(int num_msg,const struct pam_message ** msg,struct pam_response ** resp,void * appdata_ptr)55 static int conversation(int num_msg, const struct pam_message **msg, struct
56 pam_response **resp, void *appdata_ptr)
57 {
58 struct pam_response *aresp;
59 struct timespec *timeout = appdata_ptr;
60
61 if (num_msg <= 0 || num_msg > PAM_MAX_NUM_MSG)
62 return PAM_CONV_ERR;
63
64 if ((aresp = calloc((size_t) num_msg, sizeof *aresp)) == NULL)
65 return PAM_BUF_ERR;
66
67 for (int i = 0; i < num_msg; i++) {
68 switch (msg[i]->msg_style) {
69 case PAM_PROMPT_ECHO_OFF:
70 aresp[i].resp = prompt_echo_off(msg[i]->msg, timeout);
71 if (aresp[i].resp == NULL)
72 goto fail;
73 break;
74 case PAM_PROMPT_ECHO_ON:
75 aresp[i].resp = prompt(msg[i]->msg, timeout);
76 if (aresp[i].resp == NULL)
77 goto fail;
78 break;
79 case PAM_TEXT_INFO:
80 case PAM_ERROR_MSG:
81 {
82 size_t msg_len = strlen(msg[i]->msg);
83 (void) fputs(msg[i]->msg, stderr);
84 if (msg_len > 0 && msg[i]->msg[msg_len - 1] != '\n')
85 (void) fputc('\n', stderr);
86 }
87 break;
88 default:
89 goto fail;
90 }
91 }
92
93 *resp = aresp;
94 return PAM_SUCCESS;
95
96 fail:
97 for (int i = 0; i < num_msg; ++i) {
98 if (aresp[i].resp != NULL) {
99 memset(aresp[i].resp, 0, strlen(aresp[i].resp));
100 free(aresp[i].resp);
101 }
102 }
103
104 memset(aresp, 0, num_msg * sizeof *aresp);
105 free(aresp);
106 *resp = NULL;
107
108 return PAM_CONV_ERR;
109 }
110
auth(const char * user,struct timespec * timeout)111 bool auth(const char *user, struct timespec *timeout)
112 {
113 char *pam_tty;
114 pam_handle_t *pamh;
115 int pam_status;
116 int pam_end_status;
117 struct pam_conv pamc = {
118 .conv = conversation,
119 .appdata_ptr = timeout,
120 };
121
122 /* initialize pam */
123 pam_status = pam_start("vlock", user, &pamc, &pamh);
124
125 if (pam_status != PAM_SUCCESS) {
126 fprintf(stderr, "vlock: %s\n", pam_strerror(pamh, pam_status));
127 goto end;
128 }
129
130 /* get the name of stdin's tty device, if any */
131 pam_tty = ttyname(STDIN_FILENO);
132
133 /* set PAM_TTY */
134 if (pam_tty != NULL) {
135 pam_status = pam_set_item(pamh, PAM_TTY, pam_tty);
136
137 if (pam_status != PAM_SUCCESS) {
138 fprintf(stderr, "vlock: %s\n", pam_strerror(pamh, pam_status));
139 goto end;
140 }
141 }
142
143 /* put the username before the password prompt */
144 fprintf(stderr, "%s's ", user);
145 fflush(stderr);
146 /* authenticate the user */
147 pam_status = pam_authenticate(pamh, 0);
148
149 if (pam_status != PAM_SUCCESS) {
150 fprintf(stderr, "vlock: %s\n", pam_strerror(pamh, pam_status));
151 }
152
153 end:
154 /* finish pam */
155 pam_end_status = pam_end(pamh, pam_status);
156
157 if (pam_end_status != PAM_SUCCESS) {
158 fprintf(stderr, "vlock: %s\n", pam_strerror(pamh, pam_end_status));
159 }
160
161 return (pam_status == PAM_SUCCESS);
162 }
163