Ed Tanous | 911ac31 | 2017-08-15 09:37:42 -0700 | [diff] [blame] | 1 | #pragma once |
| 2 | |
Ed Tanous | f3d847c | 2017-06-12 16:01:42 -0700 | [diff] [blame] | 3 | #include <security/pam_appl.h> |
Ed Tanous | 1abe55e | 2018-09-05 08:30:59 -0700 | [diff] [blame] | 4 | |
| 5 | #include <boost/utility/string_view.hpp> |
Ed Tanous | 911ac31 | 2017-08-15 09:37:42 -0700 | [diff] [blame] | 6 | #include <cstring> |
Ed Tanous | e0d918b | 2018-03-27 17:41:04 -0700 | [diff] [blame] | 7 | #include <memory> |
Ed Tanous | f3d847c | 2017-06-12 16:01:42 -0700 | [diff] [blame] | 8 | |
| 9 | // function used to get user input |
Ed Tanous | 55c7b7a | 2018-05-22 15:27:24 -0700 | [diff] [blame] | 10 | inline int pamFunctionConversation(int numMsg, const struct pam_message** msg, |
Ed Tanous | 1abe55e | 2018-09-05 08:30:59 -0700 | [diff] [blame] | 11 | struct pam_response** resp, void* appdataPtr) |
| 12 | { |
| 13 | if (appdataPtr == nullptr) |
| 14 | { |
| 15 | return PAM_AUTH_ERR; |
| 16 | } |
| 17 | auto* pass = reinterpret_cast<char*>( |
| 18 | malloc(std::strlen(reinterpret_cast<char*>(appdataPtr)) + 1)); |
| 19 | std::strcpy(pass, reinterpret_cast<char*>(appdataPtr)); |
Ed Tanous | f3d847c | 2017-06-12 16:01:42 -0700 | [diff] [blame] | 20 | |
Ed Tanous | 1abe55e | 2018-09-05 08:30:59 -0700 | [diff] [blame] | 21 | *resp = reinterpret_cast<pam_response*>( |
| 22 | calloc(numMsg, sizeof(struct pam_response))); |
Ed Tanous | f3d847c | 2017-06-12 16:01:42 -0700 | [diff] [blame] | 23 | |
Ed Tanous | 1abe55e | 2018-09-05 08:30:59 -0700 | [diff] [blame] | 24 | for (int i = 0; i < numMsg; ++i) |
| 25 | { |
| 26 | /* Ignore all PAM messages except prompting for hidden input */ |
| 27 | if (msg[i]->msg_style != PAM_PROMPT_ECHO_OFF) |
| 28 | { |
| 29 | continue; |
| 30 | } |
| 31 | |
| 32 | /* Assume PAM is only prompting for the password as hidden input */ |
| 33 | resp[i]->resp = pass; |
Ed Tanous | 911ac31 | 2017-08-15 09:37:42 -0700 | [diff] [blame] | 34 | } |
Ed Tanous | f3d847c | 2017-06-12 16:01:42 -0700 | [diff] [blame] | 35 | |
Ed Tanous | 1abe55e | 2018-09-05 08:30:59 -0700 | [diff] [blame] | 36 | return PAM_SUCCESS; |
Ed Tanous | f3d847c | 2017-06-12 16:01:42 -0700 | [diff] [blame] | 37 | } |
| 38 | |
Ed Tanous | 55c7b7a | 2018-05-22 15:27:24 -0700 | [diff] [blame] | 39 | inline bool pamAuthenticateUser(const boost::string_view username, |
Ed Tanous | 1abe55e | 2018-09-05 08:30:59 -0700 | [diff] [blame] | 40 | const boost::string_view password) |
| 41 | { |
| 42 | std::string userStr(username); |
| 43 | std::string passStr(password); |
| 44 | const struct pam_conv localConversation = { |
| 45 | pamFunctionConversation, const_cast<char*>(passStr.c_str())}; |
| 46 | pam_handle_t* localAuthHandle = NULL; // this gets set by pam_start |
Ed Tanous | f3d847c | 2017-06-12 16:01:42 -0700 | [diff] [blame] | 47 | |
Ed Tanous | 1abe55e | 2018-09-05 08:30:59 -0700 | [diff] [blame] | 48 | if (pam_start("webserver", userStr.c_str(), &localConversation, |
| 49 | &localAuthHandle) != PAM_SUCCESS) |
| 50 | { |
| 51 | return false; |
Ed Tanous | 911ac31 | 2017-08-15 09:37:42 -0700 | [diff] [blame] | 52 | } |
Ed Tanous | 1abe55e | 2018-09-05 08:30:59 -0700 | [diff] [blame] | 53 | int retval = pam_authenticate(localAuthHandle, |
| 54 | PAM_SILENT | PAM_DISALLOW_NULL_AUTHTOK); |
Ed Tanous | 911ac31 | 2017-08-15 09:37:42 -0700 | [diff] [blame] | 55 | |
Ed Tanous | 1abe55e | 2018-09-05 08:30:59 -0700 | [diff] [blame] | 56 | if (retval != PAM_SUCCESS) |
| 57 | { |
Ed Tanous | 1abe55e | 2018-09-05 08:30:59 -0700 | [diff] [blame] | 58 | pam_end(localAuthHandle, PAM_SUCCESS); |
| 59 | return false; |
| 60 | } |
Ed Tanous | 911ac31 | 2017-08-15 09:37:42 -0700 | [diff] [blame] | 61 | |
Ed Tanous | 1abe55e | 2018-09-05 08:30:59 -0700 | [diff] [blame] | 62 | /* check that the account is healthy */ |
| 63 | if (pam_acct_mgmt(localAuthHandle, PAM_DISALLOW_NULL_AUTHTOK) != |
| 64 | PAM_SUCCESS) |
| 65 | { |
| 66 | pam_end(localAuthHandle, PAM_SUCCESS); |
| 67 | return false; |
| 68 | } |
Ed Tanous | 911ac31 | 2017-08-15 09:37:42 -0700 | [diff] [blame] | 69 | |
Ed Tanous | 1abe55e | 2018-09-05 08:30:59 -0700 | [diff] [blame] | 70 | if (pam_end(localAuthHandle, PAM_SUCCESS) != PAM_SUCCESS) |
| 71 | { |
| 72 | return false; |
| 73 | } |
| 74 | |
| 75 | return true; |
Ed Tanous | 911ac31 | 2017-08-15 09:37:42 -0700 | [diff] [blame] | 76 | } |
Ed Tanous | a840879 | 2018-09-05 16:08:38 -0700 | [diff] [blame] | 77 | |
| 78 | inline bool pamUpdatePassword(const std::string& username, |
| 79 | const std::string& password) |
| 80 | { |
| 81 | const struct pam_conv localConversation = { |
| 82 | pamFunctionConversation, const_cast<char*>(password.c_str())}; |
| 83 | pam_handle_t* localAuthHandle = NULL; // this gets set by pam_start |
| 84 | |
| 85 | if (pam_start("passwd", username.c_str(), &localConversation, |
| 86 | &localAuthHandle) != PAM_SUCCESS) |
| 87 | { |
| 88 | return false; |
| 89 | } |
| 90 | int retval = pam_chauthtok(localAuthHandle, PAM_SILENT); |
| 91 | |
| 92 | if (retval != PAM_SUCCESS) |
| 93 | { |
| 94 | pam_end(localAuthHandle, PAM_SUCCESS); |
| 95 | return false; |
| 96 | } |
| 97 | |
| 98 | if (pam_end(localAuthHandle, PAM_SUCCESS) != PAM_SUCCESS) |
| 99 | { |
| 100 | return false; |
| 101 | } |
| 102 | |
| 103 | return true; |
| 104 | } |