Ed Tanous | 911ac31 | 2017-08-15 09:37:42 -0700 | [diff] [blame] | 1 | #pragma once |
| 2 | |
Ed Tanous | f3d847c | 2017-06-12 16:01:42 -0700 | [diff] [blame] | 3 | #include <security/pam_appl.h> |
Ed Tanous | 1abe55e | 2018-09-05 08:30:59 -0700 | [diff] [blame] | 4 | |
| 5 | #include <boost/utility/string_view.hpp> |
Gunnar Mills | 1214b7e | 2020-06-04 10:11:30 -0500 | [diff] [blame] | 6 | |
Ed Tanous | 911ac31 | 2017-08-15 09:37:42 -0700 | [diff] [blame] | 7 | #include <cstring> |
Ed Tanous | e0d918b | 2018-03-27 17:41:04 -0700 | [diff] [blame] | 8 | #include <memory> |
Ed Tanous | f3d847c | 2017-06-12 16:01:42 -0700 | [diff] [blame] | 9 | |
| 10 | // function used to get user input |
Ed Tanous | 55c7b7a | 2018-05-22 15:27:24 -0700 | [diff] [blame] | 11 | inline int pamFunctionConversation(int numMsg, const struct pam_message** msg, |
Ed Tanous | 1abe55e | 2018-09-05 08:30:59 -0700 | [diff] [blame] | 12 | struct pam_response** resp, void* appdataPtr) |
| 13 | { |
| 14 | if (appdataPtr == nullptr) |
| 15 | { |
| 16 | return PAM_AUTH_ERR; |
| 17 | } |
Ed Tanous | f1eebf0 | 2019-03-04 15:57:09 -0800 | [diff] [blame] | 18 | char* appPass = reinterpret_cast<char*>(appdataPtr); |
| 19 | size_t appPassSize = std::strlen(appPass); |
| 20 | char* pass = reinterpret_cast<char*>(malloc(appPassSize + 1)); |
Ed Tanous | 39e7750 | 2019-03-04 17:35:53 -0800 | [diff] [blame] | 21 | if (pass == nullptr) |
Ed Tanous | f1eebf0 | 2019-03-04 15:57:09 -0800 | [diff] [blame] | 22 | { |
| 23 | return PAM_AUTH_ERR; |
| 24 | } |
| 25 | |
Ed Tanous | eb7d3d5 | 2019-10-24 10:23:56 -0700 | [diff] [blame] | 26 | std::strncpy(pass, appPass, appPassSize + 1); |
Ed Tanous | f3d847c | 2017-06-12 16:01:42 -0700 | [diff] [blame] | 27 | |
Ed Tanous | 1abe55e | 2018-09-05 08:30:59 -0700 | [diff] [blame] | 28 | *resp = reinterpret_cast<pam_response*>( |
Ed Tanous | 271584a | 2019-07-09 16:24:22 -0700 | [diff] [blame] | 29 | calloc(static_cast<size_t>(numMsg), sizeof(struct pam_response))); |
Ed Tanous | f3d847c | 2017-06-12 16:01:42 -0700 | [diff] [blame] | 30 | |
Ed Tanous | 39e7750 | 2019-03-04 17:35:53 -0800 | [diff] [blame] | 31 | if (resp == nullptr) |
Ed Tanous | f1eebf0 | 2019-03-04 15:57:09 -0800 | [diff] [blame] | 32 | { |
AppaRao Puli | 87f171a | 2020-08-07 01:37:28 +0530 | [diff] [blame^] | 33 | free(pass); |
Ed Tanous | f1eebf0 | 2019-03-04 15:57:09 -0800 | [diff] [blame] | 34 | return PAM_AUTH_ERR; |
| 35 | } |
| 36 | |
Ed Tanous | 1abe55e | 2018-09-05 08:30:59 -0700 | [diff] [blame] | 37 | for (int i = 0; i < numMsg; ++i) |
| 38 | { |
| 39 | /* Ignore all PAM messages except prompting for hidden input */ |
| 40 | if (msg[i]->msg_style != PAM_PROMPT_ECHO_OFF) |
| 41 | { |
| 42 | continue; |
| 43 | } |
| 44 | |
| 45 | /* Assume PAM is only prompting for the password as hidden input */ |
| 46 | resp[i]->resp = pass; |
Ed Tanous | 911ac31 | 2017-08-15 09:37:42 -0700 | [diff] [blame] | 47 | } |
Ed Tanous | f3d847c | 2017-06-12 16:01:42 -0700 | [diff] [blame] | 48 | |
Ed Tanous | 1abe55e | 2018-09-05 08:30:59 -0700 | [diff] [blame] | 49 | return PAM_SUCCESS; |
Ed Tanous | f3d847c | 2017-06-12 16:01:42 -0700 | [diff] [blame] | 50 | } |
| 51 | |
Joseph Reynolds | d887fff | 2020-01-14 16:34:09 -0600 | [diff] [blame] | 52 | /** |
| 53 | * @brief Attempt username/password authentication via PAM. |
| 54 | * @param username The provided username aka account name. |
| 55 | * @param password The provided password. |
| 56 | * @returns PAM error code or PAM_SUCCESS for success. */ |
| 57 | inline int pamAuthenticateUser(const std::string_view username, |
| 58 | const std::string_view password) |
Ed Tanous | 1abe55e | 2018-09-05 08:30:59 -0700 | [diff] [blame] | 59 | { |
| 60 | std::string userStr(username); |
| 61 | std::string passStr(password); |
| 62 | const struct pam_conv localConversation = { |
| 63 | pamFunctionConversation, const_cast<char*>(passStr.c_str())}; |
Ed Tanous | 99131cd | 2019-10-24 11:12:47 -0700 | [diff] [blame] | 64 | pam_handle_t* localAuthHandle = nullptr; // this gets set by pam_start |
Ed Tanous | f3d847c | 2017-06-12 16:01:42 -0700 | [diff] [blame] | 65 | |
Joseph Reynolds | d887fff | 2020-01-14 16:34:09 -0600 | [diff] [blame] | 66 | int retval = pam_start("webserver", userStr.c_str(), &localConversation, |
| 67 | &localAuthHandle); |
Ed Tanous | 1abe55e | 2018-09-05 08:30:59 -0700 | [diff] [blame] | 68 | if (retval != PAM_SUCCESS) |
| 69 | { |
Joseph Reynolds | d887fff | 2020-01-14 16:34:09 -0600 | [diff] [blame] | 70 | return retval; |
| 71 | } |
| 72 | |
| 73 | retval = pam_authenticate(localAuthHandle, |
| 74 | PAM_SILENT | PAM_DISALLOW_NULL_AUTHTOK); |
| 75 | if (retval != PAM_SUCCESS) |
| 76 | { |
| 77 | pam_end(localAuthHandle, PAM_SUCCESS); // ignore retval |
| 78 | return retval; |
Ed Tanous | 1abe55e | 2018-09-05 08:30:59 -0700 | [diff] [blame] | 79 | } |
Ed Tanous | 911ac31 | 2017-08-15 09:37:42 -0700 | [diff] [blame] | 80 | |
Ed Tanous | 1abe55e | 2018-09-05 08:30:59 -0700 | [diff] [blame] | 81 | /* check that the account is healthy */ |
Joseph Reynolds | d887fff | 2020-01-14 16:34:09 -0600 | [diff] [blame] | 82 | retval = pam_acct_mgmt(localAuthHandle, PAM_DISALLOW_NULL_AUTHTOK); |
| 83 | if (retval != PAM_SUCCESS) |
Ed Tanous | 1abe55e | 2018-09-05 08:30:59 -0700 | [diff] [blame] | 84 | { |
Joseph Reynolds | d887fff | 2020-01-14 16:34:09 -0600 | [diff] [blame] | 85 | pam_end(localAuthHandle, PAM_SUCCESS); // ignore retval |
| 86 | return retval; |
Ed Tanous | 1abe55e | 2018-09-05 08:30:59 -0700 | [diff] [blame] | 87 | } |
Ed Tanous | 911ac31 | 2017-08-15 09:37:42 -0700 | [diff] [blame] | 88 | |
Joseph Reynolds | d887fff | 2020-01-14 16:34:09 -0600 | [diff] [blame] | 89 | return pam_end(localAuthHandle, PAM_SUCCESS); |
Ed Tanous | 911ac31 | 2017-08-15 09:37:42 -0700 | [diff] [blame] | 90 | } |
Ed Tanous | a840879 | 2018-09-05 16:08:38 -0700 | [diff] [blame] | 91 | |
jayaprakash Mutyala | 66b5ca7 | 2019-08-07 20:26:37 +0000 | [diff] [blame] | 92 | inline int pamUpdatePassword(const std::string& username, |
| 93 | const std::string& password) |
Ed Tanous | a840879 | 2018-09-05 16:08:38 -0700 | [diff] [blame] | 94 | { |
| 95 | const struct pam_conv localConversation = { |
| 96 | pamFunctionConversation, const_cast<char*>(password.c_str())}; |
Ed Tanous | 99131cd | 2019-10-24 11:12:47 -0700 | [diff] [blame] | 97 | pam_handle_t* localAuthHandle = nullptr; // this gets set by pam_start |
Ed Tanous | a840879 | 2018-09-05 16:08:38 -0700 | [diff] [blame] | 98 | |
Joseph Reynolds | 96b39e0 | 2019-12-05 17:53:35 -0600 | [diff] [blame] | 99 | int retval = pam_start("webserver", username.c_str(), &localConversation, |
jayaprakash Mutyala | 66b5ca7 | 2019-08-07 20:26:37 +0000 | [diff] [blame] | 100 | &localAuthHandle); |
Ed Tanous | a840879 | 2018-09-05 16:08:38 -0700 | [diff] [blame] | 101 | |
| 102 | if (retval != PAM_SUCCESS) |
| 103 | { |
jayaprakash Mutyala | 66b5ca7 | 2019-08-07 20:26:37 +0000 | [diff] [blame] | 104 | return retval; |
Ed Tanous | a840879 | 2018-09-05 16:08:38 -0700 | [diff] [blame] | 105 | } |
| 106 | |
jayaprakash Mutyala | 66b5ca7 | 2019-08-07 20:26:37 +0000 | [diff] [blame] | 107 | retval = pam_chauthtok(localAuthHandle, PAM_SILENT); |
| 108 | if (retval != PAM_SUCCESS) |
Ed Tanous | a840879 | 2018-09-05 16:08:38 -0700 | [diff] [blame] | 109 | { |
jayaprakash Mutyala | 66b5ca7 | 2019-08-07 20:26:37 +0000 | [diff] [blame] | 110 | pam_end(localAuthHandle, PAM_SUCCESS); |
| 111 | return retval; |
Ed Tanous | a840879 | 2018-09-05 16:08:38 -0700 | [diff] [blame] | 112 | } |
| 113 | |
jayaprakash Mutyala | 66b5ca7 | 2019-08-07 20:26:37 +0000 | [diff] [blame] | 114 | return pam_end(localAuthHandle, PAM_SUCCESS); |
Ed Tanous | a840879 | 2018-09-05 16:08:38 -0700 | [diff] [blame] | 115 | } |