1 /* Written by Simon Josefsson <simon@yubico.com>.
2 * Copyright (c) 2006-2016 Yubico AB
3 * Copyright (c) 2011 Tollef Fog Heen <tfheen@err.no>
4 * All rights reserved.
5 *
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions are
8 * met:
9 *
10 * * Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 *
13 * * Redistributions in binary form must reproduce the above
14 * copyright notice, this list of conditions and the following
15 * disclaimer in the documentation and/or other materials provided
16 * with the distribution.
17 *
18 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
19 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
20 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
21 * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
22 * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
23 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
24 * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
25 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
26 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
27 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
28 * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
29 */
30
31 #include <stdio.h>
32 #include <stdlib.h>
33 #include <stdarg.h>
34 #include <ctype.h>
35 #include <syslog.h>
36
37 #include <sys/types.h>
38 #include <sys/stat.h>
39 #include <fcntl.h>
40 #include <unistd.h>
41 #include <errno.h>
42 #include <string.h>
43
44 #include "util.h"
45 #include "drop_privs.h"
46
47 #include <ykclient.h>
48
49 #if HAVE_CR
50 /* for yubikey_hex_encode */
51 #include <yubikey.h>
52 /* for yubikey pbkdf2*/
53 #include <ykpbkdf2.h>
54 #endif /* HAVE_CR */
55
56 /* Libtool defines PIC for shared objects */
57 #ifndef PIC
58 #define PAM_STATIC
59 #endif
60
61 /* These #defines must be present according to PAM documentation. */
62 #define PAM_SM_AUTH
63
64 #ifdef HAVE_SECURITY_PAM_APPL_H
65 #include <security/pam_appl.h>
66 #endif
67 #ifdef HAVE_SECURITY_PAM_MODULES_H
68 #include <security/pam_modules.h>
69 #endif
70
71 #ifdef HAVE_LIBLDAP
72 /* Some functions like ldap_init, ldap_simple_bind_s, ldap_unbind are
73 deprecated but still available. We will drop support for 'ldapserver'
74 (in favour of 'ldap_uri' and update to using the new functions instead
75 soon.
76 */
77 #define LDAP_DEPRECATED 1
78
79 #include <ldap.h>
80 #define PORT_NUMBER LDAP_PORT
81 #endif
82
83 #ifndef PAM_EXTERN
84 #ifdef PAM_STATIC
85 #define PAM_EXTERN static
86 #else
87 #define PAM_EXTERN extern
88 #endif
89 #endif
90
91 #define TOKEN_OTP_LEN 32u
92 #define MAX_TOKEN_ID_LEN 16u
93 #define DEFAULT_TOKEN_ID_LEN 12u
94
95 #define TMPFILE_SUFFIX ".XXXXXX"
96
97 enum key_mode {
98 CHRESP,
99 CLIENT
100 };
101
102 struct cfg
103 {
104 unsigned int client_id;
105 const char *client_key;
106 int debug;
107 int alwaysok;
108 int verbose_otp;
109 int try_first_pass;
110 int use_first_pass;
111 int nullok;
112 const char *auth_file;
113 const char *capath;
114 const char *cainfo;
115 const char *proxy;
116 const char *url;
117 const char *urllist;
118 const char *ldapserver;
119 const char *ldap_uri;
120 const char *ldap_bind_user;
121 const char *ldap_bind_password;
122 const char *ldap_filter;
123 const char *ldap_cacertfile;
124 const char *ldapdn;
125 const char *user_attr;
126 const char *yubi_attr;
127 const char *yubi_attr_prefix;
128 unsigned int token_id_length;
129 enum key_mode mode;
130 const char *chalresp_path;
131 FILE *debug_file;
132 };
133
134 #ifdef DBG
135 #undef DBG
136 #endif
137 #define DBG(x...) if (cfg->debug) { D(cfg->debug_file, x); }
138
139 /*
140 * Authorize authenticated OTP_ID for login as USERNAME using AUTHFILE.
141 *
142 * Returns one of AUTH_FOUND, AUTH_NOT_FOUND, AUTH_NO_TOKENS, AUTH_ERROR.
143 */
144 static int
authorize_user_token(struct cfg * cfg,const char * username,const char * otp_id,pam_handle_t * pamh)145 authorize_user_token (struct cfg *cfg,
146 const char *username,
147 const char *otp_id,
148 pam_handle_t *pamh)
149 {
150 int retval = AUTH_ERROR;
151
152 if (cfg->auth_file)
153 {
154 /* Administrator had configured the file and specified is name
155 as an argument for this module.
156 */
157 DBG ("Using system-wide auth_file %s", cfg->auth_file);
158 retval = check_user_token (cfg->auth_file, username, otp_id, cfg->debug, cfg->debug_file);
159 }
160 else
161 {
162 char *userfile = NULL;
163 struct passwd pass, *p;
164 char buf[1024];
165 size_t buflen = sizeof(buf);
166 int pwres;
167 PAM_MODUTIL_DEF_PRIVS(privs);
168
169 pwres = getpwnam_r (username, &pass, buf, buflen, &p);
170 if (p == NULL) {
171 if (pwres == 0) {
172 DBG ("User '%s' not found", username);
173 } else {
174 DBG ("getpwnam_r: %s", strerror(pwres));
175 }
176 return AUTH_ERROR;
177 }
178
179 /* Getting file from user home directory
180 ..... i.e. ~/.yubico/authorized_yubikeys
181 */
182 if (! get_user_cfgfile_path (NULL, "authorized_yubikeys", p, &userfile)) {
183 DBG ("Failed figuring out per-user cfgfile");
184 return AUTH_ERROR;
185 }
186
187 DBG ("Dropping privileges");
188 if(pam_modutil_drop_priv(pamh, &privs, p)) {
189 DBG ("could not drop privileges");
190 goto free_out;
191 }
192
193 retval = check_user_token (userfile, username, otp_id, cfg->debug, cfg->debug_file);
194
195 if(pam_modutil_regain_priv(pamh, &privs)) {
196 DBG ("could not restore privileges");
197 goto free_out;
198 }
199
200 free_out:
201 free (userfile);
202 }
203
204 return retval;
205 }
206
207 /*
208 * This function will look in ldap id the token correspond to the
209 * requested user.
210 *
211 * ldaps is only supported for ldap_uri based connections.
212 * ldap_cacertfile usually needs to be set for this to work.
213 *
214 * ldap serve can be on a remote host.
215 *
216 * You need the following parameters in you pam config:
217 * ldapserver= OR ldap_uri=
218 * ldapdn=
219 * user_attr=
220 * yubi_attr=
221 *
222 * If using ldap_uri, you can specify multiple failover hosts
223 * eg.
224 * ldap_uri=ldaps://host1.fqdn.example.com,ldaps://host2.fqdn.example.com
225 *
226 * Returns one of AUTH_FOUND, AUTH_NOT_FOUND, AUTH_NO_TOKENS, AUTH_ERROR.
227 */
228 static int
authorize_user_token_ldap(struct cfg * cfg,const char * user,const char * token_id)229 authorize_user_token_ldap (struct cfg *cfg,
230 const char *user,
231 const char *token_id)
232 {
233 int retval = AUTH_ERROR;
234 #ifdef HAVE_LIBLDAP
235 /* LDAPv2 is historical -- RFC3494. */
236 int protocol = LDAP_VERSION3;
237 size_t yubi_attr_prefix_len = 0;
238 LDAP *ld = NULL;
239 LDAPMessage *result = NULL, *e;
240 BerElement *ber;
241 char *attr_name;
242 char *attrs[2] = {NULL, NULL};
243
244 struct berval **vals;
245 int rc;
246 size_t i;
247
248 char *filter = NULL;
249 char *find = NULL;
250 int scope = LDAP_SCOPE_BASE;
251 #endif
252 DBG(("called"));
253 #ifdef HAVE_LIBLDAP
254 if (cfg->yubi_attr == NULL) {
255 DBG (("Trying to look up user to YubiKey mapping in LDAP, but yubi_attr not set!"));
256 return 0;
257 }
258 if (cfg->user_attr && cfg->ldapdn == NULL) {
259 DBG (("Trying to look up user to YubiKey mapping in LDAP, user_attr set but ldapdn not set!"));
260 return 0;
261 }
262
263 /* Get a handle to an LDAP connection. */
264 if (cfg->ldap_uri)
265 {
266 rc = ldap_initialize (&ld, cfg->ldap_uri);
267 if (rc != LDAP_SUCCESS)
268 {
269 DBG ("ldap_initialize: %s", ldap_err2string (rc));
270 goto done;
271 }
272 }
273 else
274 {
275 if ((ld = ldap_init (cfg->ldapserver, PORT_NUMBER)) == NULL)
276 {
277 DBG ("ldap_init");
278 goto done;
279 }
280 }
281
282 ldap_set_option(ld, LDAP_OPT_REFERRALS, LDAP_OPT_OFF);
283 ldap_set_option (ld, LDAP_OPT_PROTOCOL_VERSION, &protocol);
284
285 if (cfg->ldap_uri && cfg->ldap_cacertfile) {
286 /* Set CA CERTFILE. This makes ldaps work when using ldap_uri */
287 ldap_set_option (0, LDAP_OPT_X_TLS_CACERTFILE, cfg->ldap_cacertfile);
288 }
289 /* Bind anonymously to the LDAP server. */
290 if (cfg->ldap_bind_user && cfg->ldap_bind_password) {
291 DBG ("try bind with: %s:[%s]", cfg->ldap_bind_user, cfg->ldap_bind_password);
292 rc = ldap_simple_bind_s (ld, cfg->ldap_bind_user, cfg->ldap_bind_password);
293 } else {
294 DBG ("try bind anonymous");
295 rc = ldap_simple_bind_s (ld, NULL, NULL);
296 }
297 if (rc != LDAP_SUCCESS)
298 {
299 DBG ("ldap_simple_bind_s: %s", ldap_err2string (rc));
300 goto done;
301 }
302
303 /* Allocation of memory for search strings depending on input size */
304 if (cfg->user_attr && cfg->yubi_attr && cfg->ldapdn) {
305 i = (strlen(cfg->user_attr) + strlen(cfg->ldapdn) + strlen(user) + 3) * sizeof(char);
306 if ((find = malloc(i)) == NULL) {
307 DBG ("Failed allocating %zu bytes", i);
308 goto done;
309 }
310 sprintf (find, "%s=%s,%s", cfg->user_attr, user, cfg->ldapdn);
311 filter = NULL;
312 } else if (cfg->ldapdn) {
313 find = strdup(cfg->ldapdn); /* allow free later */
314 }
315 if (cfg->ldap_filter) {
316 filter = filter_printf(cfg->ldap_filter, user);
317 scope = LDAP_SCOPE_SUBTREE;
318 }
319 attrs[0] = (char *) cfg->yubi_attr;
320
321 DBG("LDAP : look up object base='%s' filter='%s', ask for attribute '%s'", find,
322 filter ? filter:"(null)", cfg->yubi_attr);
323
324 /* Search for the entry. */
325 if ((rc = ldap_search_ext_s (ld, find, scope,
326 filter, attrs, 0, NULL, NULL, LDAP_NO_LIMIT,
327 LDAP_NO_LIMIT, &result)) != LDAP_SUCCESS)
328 {
329 DBG ("ldap_search_ext_s: %s", ldap_err2string (rc));
330
331 goto done;
332 }
333
334 /* Start looing for tokens */
335 retval = AUTH_NO_TOKENS;
336
337 e = ldap_first_entry (ld, result);
338 if (e == NULL)
339 {
340 DBG (("No result from LDAP search"));
341 }
342 else
343 {
344 /* Iterate through each returned attribute. */
345 for (attr_name = ldap_first_attribute (ld, e, &ber);
346 attr_name != NULL; attr_name = ldap_next_attribute (ld, e, ber))
347 {
348 if (strcmp(attr_name, cfg->yubi_attr) != 0) {
349 DBG("Ignored non-requested attribute: %s", attr_name);
350 continue;
351 }
352 if ((vals = ldap_get_values_len (ld, e, attr_name)) != NULL)
353 {
354 yubi_attr_prefix_len = cfg->yubi_attr_prefix ? strlen(cfg->yubi_attr_prefix) : 0;
355
356 DBG("LDAP : Found %i values for %s - checking if any of them match '%s:%s'",
357 ldap_count_values_len(vals),
358 attr_name,
359 cfg->yubi_attr_prefix ? cfg->yubi_attr_prefix : "",
360 token_id ? token_id : "(null)");
361
362 /* Compare each value for the attribute against the token id. */
363 for (i = 0; vals[i] != NULL; i++)
364 {
365 DBG("LDAP : Checking value %zu: %s:%s",
366 i + 1,
367 cfg->yubi_attr_prefix ? cfg->yubi_attr_prefix : "",
368 vals[i]->bv_val);
369
370 /* Only values containing this prefix are considered. */
371 if ((!cfg->yubi_attr_prefix || !strncmp (cfg->yubi_attr_prefix, vals[i]->bv_val, yubi_attr_prefix_len)))
372 {
373 /* We have found at least one possible token ID so change the default return value to AUTH_NOT_FOUND */
374 if (retval == AUTH_NO_TOKENS)
375 {
376 retval = AUTH_NOT_FOUND;
377 }
378 if(token_id && !strncmp (token_id, vals[i]->bv_val + yubi_attr_prefix_len, strlen (vals[i]->bv_val + yubi_attr_prefix_len)))
379 {
380 DBG ("Token Found :: %s", vals[i]->bv_val);
381 retval = AUTH_FOUND;
382 }
383 }
384 }
385 ldap_value_free_len (vals);
386 }
387 ldap_memfree (attr_name);
388 }
389 if (ber != NULL)
390 ber_free (ber, 0);
391 }
392
393 done:
394 if (result != NULL)
395 ldap_msgfree (result);
396 if (ld != NULL)
397 ldap_unbind (ld);
398
399 /* free memory allocated for search strings */
400 if (find != NULL)
401 free(find);
402 if (filter != NULL)
403 free(filter);
404
405 #else
406 DBG (("Trying to use LDAP, but this function is not compiled in pam_yubico!!"));
407 DBG (("Install libldap-dev and then recompile pam_yubico."));
408 #endif
409 return retval;
410 }
411
412 #if HAVE_CR
413 static int
display_error(pam_handle_t * pamh,const char * message,struct cfg * cfg)414 display_error(pam_handle_t *pamh, const char *message, struct cfg *cfg) {
415 struct pam_conv *conv;
416 const struct pam_message *pmsg[1];
417 struct pam_message msg[1];
418 struct pam_response *resp = NULL;
419 int retval;
420
421 retval = pam_get_item (pamh, PAM_CONV, (const void **) &conv);
422 if (retval != PAM_SUCCESS) {
423 DBG("get conv returned error: %s", pam_strerror (pamh, retval));
424 return retval;
425 }
426
427 if(!conv || !conv->conv){
428 DBG("conv() function invalid");
429 return PAM_CONV_ERR;
430 }
431 pmsg[0] = &msg[0];
432 msg[0].msg = (char *) message; /* on some systems, pam_message.msg isn't const */
433 msg[0].msg_style = PAM_ERROR_MSG;
434 retval = conv->conv(1, pmsg, &resp, conv->appdata_ptr);
435
436 if (retval != PAM_SUCCESS) {
437 DBG("conv returned error: %s", pam_strerror (pamh, retval));
438 return retval;
439 }
440
441 if (resp)
442 {
443 DBG("conv returned: '%s'", resp->resp);
444 if (resp->resp)
445 free (resp->resp);
446 free (resp);
447 }
448 return retval;
449 }
450 #endif /* HAVE_CR */
451
452 #if HAVE_CR
453 static int
do_challenge_response(pam_handle_t * pamh,struct cfg * cfg,const char * username)454 do_challenge_response(pam_handle_t *pamh, struct cfg *cfg, const char *username)
455 {
456 char *userfile = NULL, *tmpfile = NULL;
457 FILE *f = NULL;
458 char buf[CR_RESPONSE_SIZE + 16], response_hex[CR_RESPONSE_SIZE * 2 + 1];
459 int ret, fd;
460
461 unsigned int response_len = 0;
462 YK_KEY *yk = NULL;
463 CR_STATE state;
464
465 const char *errstr = NULL;
466
467 struct passwd pass, *p;
468 char pwbuf[1024];
469 size_t pwbuflen = sizeof(pwbuf);
470 int pwres;
471
472 struct stat st;
473
474 /* we must declare two sepparate privs structures as they can't be reused */
475 PAM_MODUTIL_DEF_PRIVS(privs);
476 PAM_MODUTIL_DEF_PRIVS(privs2);
477
478 ret = PAM_AUTH_ERR;
479
480 pwres = getpwnam_r (username, &pass, pwbuf, pwbuflen, &p);
481 if (p == NULL) {
482 if (pwres == 0) {
483 DBG ("User '%s' not found", username);
484 } else {
485 DBG ("getpwnam_r: %s", strerror(pwres));
486 }
487 goto out;
488 }
489
490 DBG("Checking for user challenge files");
491 switch(check_user_challenge_file(cfg->chalresp_path, p, cfg->debug_file)) {
492 case AUTH_FOUND:
493 DBG("Challenge files found");
494 break;
495 case AUTH_NOT_FOUND:
496 DBG("No challenge files found");
497 if (cfg->nullok) {
498 ret = PAM_IGNORE;
499 } else {
500 ret = PAM_USER_UNKNOWN;
501 }
502 goto out;
503 case AUTH_ERROR:
504 DBG ("Internal error while looking for user challenge files");
505 ret = PAM_AUTHINFO_UNAVAIL;
506 goto out;
507 default:
508 DBG ("Unhandled value while looking for user challenge files");
509 ret = PAM_AUTHINFO_UNAVAIL;
510 goto out;
511 }
512
513 if (! init_yubikey(&yk)) {
514 DBG("Failed initializing YubiKey");
515 goto out;
516 }
517
518 if (! check_firmware_version(yk, cfg->debug, true, cfg->debug_file)) {
519 DBG("YubiKey does not support Challenge-Response (version 2.2 required)");
520 goto out;
521 }
522
523 if (! get_user_challenge_file (yk, cfg->chalresp_path, p, &userfile, cfg->debug_file)) {
524 DBG("Failed getting user challenge file for user %s", username);
525 goto out;
526 }
527
528 DBG("Loading challenge from file %s", userfile);
529
530 /* Drop privileges before opening user file (if we're not using system-wide dir). */
531 if (!cfg->chalresp_path) {
532 if (pam_modutil_drop_priv(pamh, &privs, p)) {
533 DBG ("could not drop privileges");
534 goto out;
535 }
536 }
537
538 fd = open(userfile, O_RDONLY | O_CLOEXEC, 0);
539 if (fd < 0) {
540 DBG ("Cannot open file: %s (%s)", userfile, strerror(errno));
541 goto restpriv_out;
542 }
543
544 if (fstat(fd, &st) < 0) {
545 DBG ("Cannot stat file: %s (%s)", userfile, strerror(errno));
546 close(fd);
547 goto restpriv_out;
548 }
549
550 if (!S_ISREG(st.st_mode)) {
551 DBG ("%s is not a regular file", userfile);
552 close(fd);
553 goto restpriv_out;
554 }
555
556 f = fdopen(fd, "r");
557 if (f == NULL) {
558 DBG ("fdopen: %s", strerror(errno));
559 close(fd);
560 goto restpriv_out;
561 }
562
563 if (! load_chalresp_state(f, &state, cfg->debug, cfg->debug_file))
564 goto restpriv_out;
565
566 if (fclose(f) < 0) {
567 f = NULL;
568 goto restpriv_out;
569 }
570 f = NULL;
571
572 if (!cfg->chalresp_path) {
573 if (pam_modutil_regain_priv(pamh, &privs)) {
574 DBG ("could not restore privileges");
575 goto out;
576 }
577 }
578
579 if (! challenge_response(yk, state.slot, state.challenge, state.challenge_len,
580 true, true, false,
581 buf, sizeof(buf), &response_len)) {
582 DBG("Challenge-response FAILED");
583 goto out;
584 }
585
586 /*
587 * Check YubiKey response against the expected response
588 */
589
590 yubikey_hex_encode(response_hex, buf, response_len);
591 if(state.salt_len > 0) { /* the expected response has gone through pbkdf2 */
592 YK_PRF_METHOD prf_method = {20, yk_hmac_sha1};
593 yk_pbkdf2(response_hex, (unsigned char*)state.salt, state.salt_len, state.iterations,
594 (unsigned char*)buf, response_len, &prf_method);
595 }
596
597 if (memcmp(buf, state.response, state.response_len) == 0) {
598 ret = PAM_SUCCESS;
599 } else {
600 DBG("Unexpected C/R response : %s", response_hex);
601 goto out;
602 }
603
604 DBG("Got the expected response, generating new challenge (%u bytes).", CR_CHALLENGE_SIZE);
605
606 errstr = "Error generating new challenge, please check syslog or contact your system administrator";
607 if (generate_random(state.challenge, sizeof(state.challenge))) {
608 DBG("Failed generating new challenge!");
609 goto out;
610 }
611
612 errstr = "Error communicating with Yubikey, please check syslog or contact your system administrator";
613 if (! challenge_response(yk, state.slot, state.challenge, CR_CHALLENGE_SIZE,
614 true, true, false,
615 buf, sizeof(buf), &response_len)) {
616 DBG("Second challenge-response FAILED");
617 goto out;
618 }
619
620 /* There is a bug that makes the YubiKey 2.2 send the same response for all challenges
621 unless HMAC_LT64 is set, check for that here */
622 if (memcmp(buf, state.response, state.response_len) == 0) {
623 errstr = "Same response for second challenge, YubiKey should be reconfigured with the option HMAC_LT64";
624 goto out;
625 }
626
627 /* the yk_* functions leave 'junk' in errno */
628 errno = 0;
629
630 /*
631 * Write the challenge and response we will expect the next time to the state file.
632 */
633 if (response_len > sizeof(state.response)) {
634 DBG("Got too long response ??? (%u/%zu)", response_len, sizeof(state.response));
635 goto out;
636 }
637 memcpy (state.response, buf, response_len);
638 state.response_len = response_len;
639
640 /* point to the fresh privs structure.. */
641 privs = privs2;
642 /* Drop privileges before creating new challenge file. */
643 if (!cfg->chalresp_path) {
644 if (pam_modutil_drop_priv(pamh, &privs, p)) {
645 DBG ("could not drop privileges");
646 goto out;
647 }
648 }
649
650 /* Write out the new file */
651 tmpfile = malloc(strlen(userfile) + 1 + strlen(TMPFILE_SUFFIX));
652 if (! tmpfile)
653 goto restpriv_out;
654 strcpy(tmpfile, userfile);
655 strcat(tmpfile, TMPFILE_SUFFIX);
656
657 fd = mkostemp(tmpfile, O_CLOEXEC);
658 if (fd < 0) {
659 DBG ("Cannot open file: %s (%s)", tmpfile, strerror(errno));
660 goto restpriv_out;
661 }
662
663 if (fchmod (fd, st.st_mode) != 0) {
664 DBG ("could not set correct file permissions");
665 goto restpriv_out;
666 }
667 if (fchown (fd, st.st_uid, st.st_gid) != 0) {
668 DBG ("could not set correct file ownership");
669 goto restpriv_out;
670 }
671
672 f = fdopen(fd, "w");
673 if (! f) {
674 close(fd);
675 goto restpriv_out;
676 }
677
678 errstr = "Error updating Yubikey challenge, please check syslog or contact your system administrator";
679 if (! write_chalresp_state (f, &state))
680 goto out;
681 if (fclose(f) < 0) {
682 f = NULL;
683 goto restpriv_out;
684 }
685 f = NULL;
686 if (rename(tmpfile, userfile) < 0) {
687 goto restpriv_out;
688 }
689
690 DBG(("Challenge-response success!"));
691 errstr = NULL;
692 errno = 0;
693 yk_errno = 0;
694
695 restpriv_out:
696 if (!cfg->chalresp_path) {
697 if (pam_modutil_regain_priv(pamh, &privs)) {
698 DBG (("could not restore privileges"));
699 }
700 }
701
702 out:
703 if (yk_errno) {
704 if (yk_errno == YK_EUSBERR) {
705 syslog(LOG_ERR, "USB error: %s", yk_usb_strerror());
706 DBG("USB error: %s", yk_usb_strerror());
707 } else {
708 syslog(LOG_ERR, "Yubikey core error: %s", yk_strerror(yk_errno));
709 DBG("Yubikey core error: %s", yk_strerror(yk_errno));
710 }
711 }
712
713 if (errstr)
714 display_error(pamh, errstr, cfg);
715
716 if (errno) {
717 syslog(LOG_ERR, "Challenge response failed: %s", strerror(errno));
718 DBG("Challenge response failed: %s", strerror(errno));
719 }
720
721 if (yk)
722 yk_close_key(yk);
723 yk_release();
724
725 if (f)
726 fclose(f);
727
728 free(userfile);
729 free(tmpfile);
730 return ret;
731 }
732 #endif /* HAVE_CR */
733
734 static void
parse_cfg(int flags,int argc,const char ** argv,struct cfg * cfg)735 parse_cfg (int flags, int argc, const char **argv, struct cfg *cfg)
736 {
737 int i;
738
739 memset (cfg, 0, sizeof(struct cfg));
740 cfg->client_id = 0;
741 cfg->token_id_length = DEFAULT_TOKEN_ID_LEN;
742 cfg->mode = CLIENT;
743 cfg->debug_file = stdout;
744
745 for (i = 0; i < argc; i++)
746 {
747 if (strncmp (argv[i], "id=", 3) == 0)
748 sscanf (argv[i], "id=%u", &cfg->client_id);
749 if (strncmp (argv[i], "key=", 4) == 0)
750 cfg->client_key = argv[i] + 4;
751 if (strcmp (argv[i], "debug") == 0)
752 cfg->debug = 1;
753 if (strcmp (argv[i], "alwaysok") == 0)
754 cfg->alwaysok = 1;
755 if (strcmp (argv[i], "verbose_otp") == 0)
756 cfg->verbose_otp = 1;
757 if (strcmp (argv[i], "try_first_pass") == 0)
758 cfg->try_first_pass = 1;
759 if (strcmp (argv[i], "use_first_pass") == 0)
760 cfg->use_first_pass = 1;
761 if (strcmp (argv[i], "nullok") == 0)
762 cfg->nullok = 1;
763 if (strncmp (argv[i], "authfile=", 9) == 0)
764 cfg->auth_file = argv[i] + 9;
765 if (strncmp (argv[i], "capath=", 7) == 0)
766 cfg->capath = argv[i] + 7;
767 if (strncmp (argv[i], "cainfo=", 7) == 0)
768 cfg->cainfo = argv[i] + 7;
769 if (strncmp (argv[i], "proxy=", 6) == 0)
770 cfg->proxy = argv[i] + 6;
771 if (strncmp (argv[i], "url=", 4) == 0)
772 cfg->url = argv[i] + 4;
773 if (strncmp (argv[i], "urllist=", 8) == 0)
774 cfg->urllist = argv[i] + 8;
775 if (strncmp (argv[i], "ldapserver=", 11) == 0)
776 cfg->ldapserver = argv[i] + 11;
777 if (strncmp (argv[i], "ldap_uri=", 9) == 0)
778 cfg->ldap_uri = argv[i] + 9;
779 if (strncmp (argv[i], "ldap_bind_user=", 15) == 0)
780 cfg->ldap_bind_user = argv[i] + 15;
781 if (strncmp (argv[i], "ldap_bind_password=", 19) == 0)
782 cfg->ldap_bind_password = argv[i] + 19;
783 if (strncmp (argv[i], "ldap_filter=", 12) == 0)
784 cfg->ldap_filter = argv[i] + 12;
785 if (strncmp (argv[i], "ldap_cacertfile=", 16) == 0)
786 cfg->ldap_cacertfile = argv[i] + 16;
787 if (strncmp (argv[i], "ldapdn=", 7) == 0)
788 cfg->ldapdn = argv[i] + 7;
789 if (strncmp (argv[i], "user_attr=", 10) == 0)
790 cfg->user_attr = argv[i] + 10;
791 if (strncmp (argv[i], "yubi_attr=", 10) == 0)
792 cfg->yubi_attr = argv[i] + 10;
793 if (strncmp (argv[i], "yubi_attr_prefix=", 17) == 0)
794 cfg->yubi_attr_prefix = argv[i] + 17;
795 if (strncmp (argv[i], "token_id_length=", 16) == 0)
796 sscanf (argv[i], "token_id_length=%u", &cfg->token_id_length);
797 if (strcmp (argv[i], "mode=challenge-response") == 0)
798 cfg->mode = CHRESP;
799 if (strcmp (argv[i], "mode=client") == 0)
800 cfg->mode = CLIENT;
801 if (strncmp (argv[i], "chalresp_path=", 14) == 0)
802 cfg->chalresp_path = argv[i] + 14;
803 if (strncmp (argv[i], "debug_file=", 11) == 0)
804 {
805 const char *filename = argv[i] + 11;
806 if(strncmp (filename, "stdout", 6) == 0)
807 {
808 cfg->debug_file = stdout;
809 }
810 else if(strncmp (filename, "stderr", 6) == 0)
811 {
812 cfg->debug_file = stderr;
813 }
814 else
815 {
816 struct stat st;
817 int fd;
818 FILE *file;
819 if(lstat(filename, &st) == 0)
820 {
821 if(S_ISREG(st.st_mode))
822 {
823 fd = open(filename, O_WRONLY | O_CREAT | O_APPEND | O_CLOEXEC, S_IRUSR | S_IWUSR | S_IRGRP);
824 if (fd >= 0)
825 {
826 file = fdopen(fd, "a");
827 if (file)
828 {
829 cfg->debug_file = file;
830 }
831 }
832 }
833 }
834 }
835 }
836 }
837
838 DBG ("called.");
839 DBG ("flags %d argc %d", flags, argc);
840 for (i = 0; i < argc; i++)
841 DBG ("argv[%d]=%s", i, argv[i]);
842 DBG ("id=%u", cfg->client_id);
843 DBG ("key=%s", cfg->client_key ? cfg->client_key : "(null)");
844 DBG ("debug=%d", cfg->debug);
845 DBG ("debug_file=%d", fileno(cfg->debug_file));
846 DBG ("alwaysok=%d", cfg->alwaysok);
847 DBG ("verbose_otp=%d", cfg->verbose_otp);
848 DBG ("try_first_pass=%d", cfg->try_first_pass);
849 DBG ("use_first_pass=%d", cfg->use_first_pass);
850 DBG ("nullok=%d", cfg->nullok);
851 DBG ("authfile=%s", cfg->auth_file ? cfg->auth_file : "(null)");
852 DBG ("ldapserver=%s", cfg->ldapserver ? cfg->ldapserver : "(null)");
853 DBG ("ldap_uri=%s", cfg->ldap_uri ? cfg->ldap_uri : "(null)");
854 DBG ("ldap_bind_user=%s", cfg->ldap_bind_user ? cfg->ldap_bind_user : "(null)");
855 DBG ("ldap_bind_password=%s", cfg->ldap_bind_password ? cfg->ldap_bind_password : "(null)");
856 DBG ("ldap_filter=%s", cfg->ldap_filter ? cfg->ldap_filter : "(null)");
857 DBG ("ldap_cacertfile=%s", cfg->ldap_cacertfile ? cfg->ldap_cacertfile : "(null)");
858 DBG ("ldapdn=%s", cfg->ldapdn ? cfg->ldapdn : "(null)");
859 DBG ("user_attr=%s", cfg->user_attr ? cfg->user_attr : "(null)");
860 DBG ("yubi_attr=%s", cfg->yubi_attr ? cfg->yubi_attr : "(null)");
861 DBG ("yubi_attr_prefix=%s", cfg->yubi_attr_prefix ? cfg->yubi_attr_prefix : "(null)");
862 DBG ("url=%s", cfg->url ? cfg->url : "(null)");
863 DBG ("urllist=%s", cfg->urllist ? cfg->urllist : "(null)");
864 DBG ("capath=%s", cfg->capath ? cfg->capath : "(null)");
865 DBG ("cainfo=%s", cfg->cainfo ? cfg->cainfo : "(null)");
866 DBG ("proxy=%s", cfg->proxy ? cfg->proxy : "(null)");
867 DBG ("token_id_length=%u", cfg->token_id_length);
868 DBG ("mode=%s", cfg->mode == CLIENT ? "client" : "chresp" );
869 DBG ("chalresp_path=%s", cfg->chalresp_path ? cfg->chalresp_path : "(null)");
870 }
871
872 PAM_EXTERN int
pam_sm_authenticate(pam_handle_t * pamh,int flags,int argc,const char ** argv)873 pam_sm_authenticate (pam_handle_t * pamh,
874 int flags, int argc, const char **argv)
875 {
876 int retval, rc;
877 const char *user = NULL;
878 const char *password = NULL;
879 char otp[MAX_TOKEN_ID_LEN + TOKEN_OTP_LEN + 1] = { 0 };
880 char otp_id[MAX_TOKEN_ID_LEN + 1] = { 0 };
881 size_t password_len = 0;
882 int skip_bytes = 0;
883 int valid_token = 0;
884 struct pam_conv *conv;
885 const struct pam_message *pmsg[1];
886 struct pam_message msg[1] = {{0}};
887 struct pam_response *resp = NULL;
888 int nargs = 1;
889 ykclient_t *ykc = NULL;
890 struct cfg cfg_st;
891 struct cfg *cfg = &cfg_st; /* for DBG macro */
892 size_t templates = 0;
893 char *urls[10];
894 char *tmpurl = NULL;
895 char *onlypasswd = NULL;
896
897 parse_cfg (flags, argc, argv, cfg);
898
899 DBG ("pam_yubico version: %s", VERSION);
900
901 if (cfg->token_id_length > MAX_TOKEN_ID_LEN)
902 {
903 DBG ("configuration error: token_id_length too long. Maximum acceptable value : %u", MAX_TOKEN_ID_LEN);
904 retval = PAM_AUTHINFO_UNAVAIL;
905 goto done;
906 }
907
908 retval = pam_get_user (pamh, &user, NULL);
909 if (retval != PAM_SUCCESS)
910 {
911 DBG ("get user returned error: %s", pam_strerror (pamh, retval));
912 goto done;
913 }
914 DBG ("get user returned: %s", user);
915
916 if (cfg->mode == CHRESP) {
917 #if HAVE_CR
918 retval = do_challenge_response(pamh, cfg, user);
919 #else
920 DBG ("no support for challenge/response");
921 retval = PAM_AUTH_ERR;
922 #endif
923 goto done;
924 }
925
926 if (cfg->try_first_pass || cfg->use_first_pass)
927 {
928 retval = pam_get_item (pamh, PAM_AUTHTOK, (const void **) &password);
929 if (retval != PAM_SUCCESS)
930 {
931 DBG ("get password returned error: %s",
932 pam_strerror (pamh, retval));
933 goto done;
934 }
935 DBG ("get password returned: %s", password);
936 }
937
938 if (cfg->use_first_pass && password == NULL)
939 {
940 DBG ("use_first_pass set and no password, giving up");
941 retval = PAM_AUTH_ERR;
942 goto done;
943 }
944
945 if(ykclient_global_init() != YKCLIENT_OK)
946 {
947 DBG ("Failed initializing ykclient library");
948 retval = PAM_AUTHINFO_UNAVAIL;
949 goto done;
950 }
951 rc = ykclient_init (&ykc);
952 if (rc != YKCLIENT_OK)
953 {
954 DBG ("ykclient_init() failed (%d): %s", rc, ykclient_strerror (rc));
955 retval = PAM_AUTHINFO_UNAVAIL;
956 goto done;
957 }
958
959 rc = ykclient_set_client_b64 (ykc, cfg->client_id, cfg->client_key);
960 if (rc != YKCLIENT_OK)
961 {
962 DBG ("ykclient_set_client_b64() failed (%d): %s",
963 rc, ykclient_strerror (rc));
964 retval = PAM_AUTHINFO_UNAVAIL;
965 goto done;
966 }
967
968 if (cfg->client_key)
969 ykclient_set_verify_signature (ykc, 1);
970
971 if (cfg->capath)
972 ykclient_set_ca_path (ykc, cfg->capath);
973
974 if (cfg->cainfo)
975 ykclient_set_ca_info (ykc, cfg->cainfo);
976
977 if (cfg->proxy)
978 ykclient_set_proxy (ykc, cfg->proxy);
979
980 if (cfg->url)
981 {
982 rc = ykclient_set_url_template (ykc, cfg->url);
983 if (rc != YKCLIENT_OK)
984 {
985 DBG ("ykclient_set_url_template() failed (%d): %s",
986 rc, ykclient_strerror (rc));
987 retval = PAM_AUTHINFO_UNAVAIL;
988 goto done;
989 }
990 }
991
992 if (cfg->urllist)
993 {
994 char *saveptr = NULL;
995 char *part = NULL;
996 tmpurl = strdup(cfg->urllist);
997
998 while ((part = strtok_r(templates == 0 ? tmpurl : NULL, ";", &saveptr)))
999 {
1000 if(templates == 10)
1001 {
1002 DBG ("maximum 10 urls supported in list.");
1003 retval = PAM_AUTHINFO_UNAVAIL;
1004 goto done;
1005 }
1006 urls[templates] = strdup(part);
1007 templates++;
1008 }
1009 rc = ykclient_set_url_bases (ykc, templates, (const char **)urls);
1010 if (rc != YKCLIENT_OK)
1011 {
1012 DBG ("ykclient_set_url_bases() failed (%d): %s",
1013 rc, ykclient_strerror (rc));
1014 retval = PAM_AUTHINFO_UNAVAIL;
1015 goto done;
1016 }
1017 }
1018 /* check if the user has at least one associated token id */
1019 /* we set otp_id to NULL so that no matches will ever be found
1020 * but AUTH_NO_TOKENS will be returned if there are no tokens for the user */
1021 if (cfg->ldapserver != NULL || cfg->ldap_uri != NULL)
1022 valid_token = authorize_user_token_ldap (cfg, user, NULL);
1023 else
1024 valid_token = authorize_user_token (cfg, user, NULL, pamh);
1025
1026 switch(valid_token)
1027 {
1028 case AUTH_ERROR:
1029 DBG ("Internal error while looking for user tokens");
1030 retval = PAM_AUTHINFO_UNAVAIL;
1031 goto done;
1032 case AUTH_NOT_FOUND:
1033 /* User has associated tokens, so continue */
1034 DBG ("Tokens found for user");
1035 break;
1036 case AUTH_NO_TOKENS:
1037 DBG ("No tokens found for user");
1038 if (cfg->nullok) {
1039 retval = PAM_IGNORE;
1040 } else {
1041 retval = PAM_USER_UNKNOWN;
1042 }
1043 goto done;
1044 default:
1045 DBG ("Unhandled value while looking for user tokens");
1046 retval = PAM_AUTHINFO_UNAVAIL;
1047 goto done;
1048 }
1049
1050 if (password == NULL)
1051 {
1052 retval = pam_get_item (pamh, PAM_CONV, (const void **) &conv);
1053 if (retval != PAM_SUCCESS)
1054 {
1055 DBG ("get conv returned error: %s", pam_strerror (pamh, retval));
1056 goto done;
1057 }
1058
1059 pmsg[0] = &msg[0];
1060 {
1061 #define QUERY_TEMPLATE "YubiKey for `%s': "
1062 size_t len = strlen (QUERY_TEMPLATE) + strlen (user);
1063 int wrote;
1064
1065 msg[0].msg = malloc (len);
1066 if (!msg[0].msg)
1067 {
1068 retval = PAM_BUF_ERR;
1069 goto done;
1070 }
1071
1072 wrote = snprintf ((char *) msg[0].msg, len, QUERY_TEMPLATE, user);
1073 if (wrote < 0 || wrote >= len)
1074 {
1075 retval = PAM_BUF_ERR;
1076 goto done;
1077 }
1078 }
1079 msg[0].msg_style = cfg->verbose_otp ? PAM_PROMPT_ECHO_ON : PAM_PROMPT_ECHO_OFF;
1080
1081 retval = conv->conv (nargs, pmsg, &resp, conv->appdata_ptr);
1082
1083 if (retval != PAM_SUCCESS)
1084 {
1085 DBG ("conv returned error: %s", pam_strerror (pamh, retval));
1086 goto done;
1087 }
1088
1089 if (resp->resp == NULL)
1090 {
1091 DBG ("conv returned NULL passwd?");
1092 retval = PAM_AUTH_ERR;
1093 goto done;
1094 }
1095
1096 DBG ("conv returned %zu bytes", strlen(resp->resp));
1097
1098 password = resp->resp;
1099 }
1100
1101 password_len = strlen (password);
1102
1103 /* In case the input was systempassword+YubiKeyOTP, we want to skip over
1104 "systempassword" when copying the token_id and OTP to separate buffers */
1105 if(password_len > cfg->token_id_length + TOKEN_OTP_LEN)
1106 {
1107 skip_bytes = password_len - (cfg->token_id_length + TOKEN_OTP_LEN);
1108 }
1109
1110 DBG ("Skipping first %i bytes. Length is %zu, token_id set to %u and token OTP always %u.",
1111 skip_bytes, password_len, cfg->token_id_length, TOKEN_OTP_LEN);
1112
1113 /* Copy full YubiKey output (public ID + OTP) into otp */
1114 strncpy (otp, password + skip_bytes, sizeof (otp) - 1);
1115 /* Copy only public ID into otp_id. Destination buffer is zeroed. */
1116 strncpy (otp_id, password + skip_bytes, cfg->token_id_length);
1117
1118 DBG ("OTP: %s ID: %s ", otp, otp_id);
1119
1120 /* user entered their system password followed by generated OTP? */
1121 if (password_len > TOKEN_OTP_LEN + cfg->token_id_length)
1122 {
1123 onlypasswd = strdup (password);
1124
1125 if (! onlypasswd) {
1126 retval = PAM_BUF_ERR;
1127 goto done;
1128 }
1129
1130 onlypasswd[password_len - (TOKEN_OTP_LEN + cfg->token_id_length)] = '\0';
1131
1132 DBG ("Extracted a probable system password entered before the OTP - "
1133 "setting item PAM_AUTHTOK");
1134
1135 retval = pam_set_item (pamh, PAM_AUTHTOK, onlypasswd);
1136 if (retval != PAM_SUCCESS)
1137 {
1138 DBG ("set_item returned error: %s", pam_strerror (pamh, retval));
1139 goto done;
1140 }
1141 }
1142 else
1143 password = NULL;
1144
1145 /* authorize the user with supplied token id */
1146 if (cfg->ldapserver != NULL || cfg->ldap_uri != NULL)
1147 valid_token = authorize_user_token_ldap (cfg, user, otp_id);
1148 else
1149 valid_token = authorize_user_token (cfg, user, otp_id, pamh);
1150
1151 switch(valid_token)
1152 {
1153 case AUTH_FOUND:
1154 DBG ("Token is associated to the user. Validating the OTP...");
1155 rc = ykclient_request (ykc, otp);
1156 DBG ("ykclient return value (%d): %s", rc, ykclient_strerror (rc));
1157 DBG ("ykclient url used: %s", ykclient_get_last_url(ykc));
1158
1159 switch (rc)
1160 {
1161 case YKCLIENT_OK:
1162 retval = PAM_SUCCESS;
1163 break;
1164
1165 case YKCLIENT_BAD_OTP:
1166 case YKCLIENT_REPLAYED_OTP:
1167 retval = PAM_AUTH_ERR;
1168 break;
1169
1170 default:
1171 retval = PAM_AUTHINFO_UNAVAIL;
1172 break;
1173 }
1174 break;
1175 case AUTH_ERROR:
1176 DBG ("Internal error while looking for user tokens");
1177 retval = PAM_AUTHINFO_UNAVAIL;
1178 break;
1179 case AUTH_NOT_FOUND:
1180 DBG ("Unauthorized token for this user");
1181 retval = PAM_AUTH_ERR;
1182 break;
1183 case AUTH_NO_TOKENS:
1184 DBG ("No tokens found for user");
1185 if (cfg->nullok) {
1186 retval = PAM_IGNORE;
1187 } else {
1188 retval = PAM_USER_UNKNOWN;
1189 }
1190 break;
1191 default:
1192 DBG ("Unhandled value for token-user validation");
1193 retval = PAM_AUTHINFO_UNAVAIL;
1194 break;
1195 }
1196
1197 done:
1198 if (onlypasswd)
1199 free(onlypasswd);
1200 if (templates > 0)
1201 {
1202 size_t i;
1203 for(i = 0; i < templates; i++)
1204 {
1205 free(urls[i]);
1206 }
1207 }
1208 if (tmpurl)
1209 free(tmpurl);
1210 if (ykc)
1211 {
1212 ykclient_done (&ykc);
1213 ykclient_global_done();
1214 }
1215 if (cfg->alwaysok && retval != PAM_SUCCESS)
1216 {
1217 DBG ("alwaysok needed (otherwise return with %d)", retval);
1218 retval = PAM_SUCCESS;
1219 }
1220 DBG ("done. [%s]", pam_strerror (pamh, retval));
1221 pam_set_data (pamh, "yubico_setcred_return", (void*)(intptr_t)retval, NULL);
1222
1223 if (resp)
1224 {
1225 if (resp->resp)
1226 free (resp->resp);
1227 free (resp);
1228 }
1229
1230 if(msg[0].msg)
1231 {
1232 free((char*)msg[0].msg);
1233 }
1234
1235 if(cfg->debug_file != stderr && cfg->debug_file != stdout)
1236 {
1237 fclose(cfg->debug_file);
1238 }
1239
1240 return retval;
1241 }
1242
1243 PAM_EXTERN int
pam_sm_setcred(pam_handle_t * pamh,int flags,int argc,const char * argv[])1244 pam_sm_setcred (
1245 pam_handle_t *pamh __attribute__((unused)), int flags __attribute__((unused)),
1246 int argc __attribute__((unused)), const char *argv[] __attribute__((unused)))
1247 {
1248 return PAM_SUCCESS;
1249 }
1250
1251 PAM_EXTERN int
pam_sm_acct_mgmt(pam_handle_t * pamh,int flags,int argc,const char ** argv)1252 pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, int argc, const char **argv)
1253 {
1254 struct cfg cfg_st;
1255 struct cfg *cfg = &cfg_st; /* for DBG macro */
1256 int retval;
1257 int rc = pam_get_data(pamh, "yubico_setcred_return", (const void**)&retval);
1258
1259 parse_cfg (flags, argc, argv, cfg);
1260 if (rc == PAM_SUCCESS && retval == PAM_SUCCESS) {
1261 DBG ("pam_sm_acct_mgmt returning PAM_SUCCESS");
1262 retval = PAM_SUCCESS;
1263 } else {
1264 DBG ("pam_sm_acct_mgmt returning PAM_AUTH_ERR:%d", rc);
1265 retval = PAM_AUTH_ERR;
1266 }
1267
1268 if(cfg->debug_file != stderr && cfg->debug_file != stdout) {
1269 fclose(cfg->debug_file);
1270 }
1271
1272 return retval;
1273 }
1274
1275 PAM_EXTERN int
pam_sm_open_session(pam_handle_t * pamh,int flags,int argc,const char * argv[])1276 pam_sm_open_session(
1277 pam_handle_t *pamh __attribute__((unused)), int flags __attribute__((unused)),
1278 int argc __attribute__((unused)), const char *argv[] __attribute__((unused)))
1279 {
1280
1281 return (PAM_SUCCESS);
1282 }
1283
1284 PAM_EXTERN int
pam_sm_close_session(pam_handle_t * pamh,int flags,int argc,const char * argv[])1285 pam_sm_close_session(
1286 pam_handle_t *pamh __attribute__((unused)), int flags __attribute__((unused)),
1287 int argc __attribute__((unused)), const char *argv[] __attribute__((unused)))
1288 {
1289 return (PAM_SUCCESS);
1290 }
1291
1292 PAM_EXTERN int
pam_sm_chauthtok(pam_handle_t * pamh,int flags,int argc,const char * argv[])1293 pam_sm_chauthtok(
1294 pam_handle_t *pamh __attribute__((unused)), int flags __attribute__((unused)),
1295 int argc __attribute__((unused)), const char *argv[] __attribute__((unused)))
1296 {
1297 return (PAM_SERVICE_ERR);
1298 }
1299
1300
1301 #ifdef PAM_STATIC
1302
1303 struct pam_module _pam_yubico_modstruct = {
1304 "pam_yubico",
1305 pam_sm_authenticate,
1306 pam_sm_setcred,
1307 pam_sm_acct_mgmt,
1308 pam_sm_open_session,
1309 pam_sm_close_session,
1310 pam_sm_chauthtok
1311 };
1312
1313 #endif
1314