#pragma once

#include <security/pam_appl.h>

#include <cstdlib>
#include <cstring>
#include <memory>
#include <string>

#include <boost/utility/string_view.hpp>
Ed Tanous | f3d847c | 2017-06-12 16:01:42 -0700 | [diff] [blame] | 7 | |
// Conversation callback PAM invokes to obtain user input
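inline int pamFunctionConversation(int numMsg, const struct pam_message** msg,
                                   struct pam_response** resp,
                                   void* appdataPtr) {
  // pam_conv callback. PAM calls it with numMsg prompts and expects *resp to
  // point at an array of numMsg pam_response structs. Both the array and every
  // resp[i].resp string must come from malloc/calloc: PAM releases each of
  // them with free() once the module has consumed the answers.
  //
  // appdataPtr is the NUL-terminated password supplied by pamAuthenticateUser
  // via pam_conv::appdata_ptr; it is copied, never retained.
  //
  // Returns PAM_SUCCESS, PAM_AUTH_ERR (no password supplied; kept for
  // compatibility with earlier callers), PAM_CONV_ERR (unusable arguments) or
  // PAM_BUF_ERR (allocation failure).
  if (appdataPtr == nullptr) {
    return PAM_AUTH_ERR;
  }
  if (msg == nullptr || resp == nullptr || numMsg <= 0) {
    return PAM_CONV_ERR;
  }

  const char* appPass = reinterpret_cast<const char*>(appdataPtr);
  const std::size_t passLen = std::strlen(appPass);

  // calloc zero-fills, so untouched entries have resp == nullptr and
  // resp_retcode == 0, which is what PAM expects for ignored messages.
  auto* responses = reinterpret_cast<pam_response*>(
      calloc(static_cast<std::size_t>(numMsg), sizeof(struct pam_response)));
  if (responses == nullptr) {
    return PAM_BUF_ERR;
  }

  for (int i = 0; i < numMsg; ++i) {
    /* Ignore all PAM messages except prompting for hidden input */
    if (msg[i] == nullptr || msg[i]->msg_style != PAM_PROMPT_ECHO_OFF) {
      continue;
    }

    /* Assume PAM is only prompting for the password as hidden input.
       Each answered prompt gets its own heap copy: PAM frees every resp
       pointer individually, so handing out one shared buffer twice would be
       a double free, and allocating per prompt also avoids leaking a copy
       when no prompt asks for hidden input at all. */
    auto* pass = reinterpret_cast<char*>(malloc(passLen + 1));
    if (pass == nullptr) {
      // Nothing has been handed to PAM yet, so release our own allocations.
      for (int j = 0; j < i; ++j) {
        free(responses[j].resp);
      }
      free(responses);
      return PAM_BUF_ERR;
    }
    std::memcpy(pass, appPass, passLen + 1);  // includes the terminating NUL

    // Index the response array, not the pam_response** parameter itself:
    // resp[i] for i > 0 would read past the single pointer PAM passes in.
    responses[i].resp = pass;
  }

  *resp = responses;
  return PAM_SUCCESS;
}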
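inline bool pamAuthenticateUser(const boost::string_view username,
                                const boost::string_view password) {
  // Authenticates username/password against the "webserver" PAM service.
  // Returns true only when pam_start, pam_authenticate, pam_acct_mgmt and
  // pam_end all report PAM_SUCCESS; any other outcome is false.
  //
  // The password is passed to pamFunctionConversation through
  // pam_conv::appdata_ptr, so passStr has to outlive every PAM call below.
  // NOTE(review): the plaintext copy in passStr is only released when it goes
  // out of scope; it is not explicitly wiped.
  std::string userStr(username);
  std::string passStr(password);
  const struct pam_conv localConversation = {
      pamFunctionConversation, const_cast<char*>(passStr.c_str())};
  pam_handle_t* localAuthHandle = nullptr;  // set by pam_start

  if (pam_start("webserver", userStr.c_str(), &localConversation,
                &localAuthHandle) != PAM_SUCCESS) {
    return false;
  }

  // PAM_SILENT suppresses informational messages; PAM_DISALLOW_NULL_AUTHTOK
  // makes an empty authentication token a failure rather than a pass.
  int retval = pam_authenticate(localAuthHandle,
                                PAM_SILENT | PAM_DISALLOW_NULL_AUTHTOK);
  if (retval != PAM_SUCCESS) {
    // PAM_AUTH_ERR here is a plain credential failure; any other value is a
    // module/system problem. Either way hand the real status to pam_end so
    // modules can clean up according to how the transaction ended.
    pam_end(localAuthHandle, retval);
    return false;
  }

  /* check that the account is healthy (e.g. not expired) */
  retval = pam_acct_mgmt(localAuthHandle, PAM_DISALLOW_NULL_AUTHTOK);
  if (retval != PAM_SUCCESS) {
    pam_end(localAuthHandle, retval);
    return false;
  }

  // A failed pam_end after a successful check still counts as a failure,
  // matching the original behaviour.
  return pam_end(localAuthHandle, PAM_SUCCESS) == PAM_SUCCESS;
}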