Simplify PAM code and fix a PAM-related warning on Linux

diff --git a/check.c b/check.c
index e9accd0a3711e1bfcd64f92274808d43d6aa4132..1a5373a98ec735213dd157db005725d0db493d9c 100644 (file)
--- a/check.c
+++ b/check.c
@@ -122,7 +122,8 @@ static int   verify_krb_v5_tgt              __P((krb5_ccache));
 #ifdef HAVE_PAM
 static void pam_attempt_auth            __P((void));
 static int pam_auth                            __P((char *, char *));
-static int PAM_conv                    __P((int, struct pam_message **,
+static int PAM_conv                    __P((int,
+                                            PAM_CONST struct pam_message **,
                                             struct pam_response **, void *));
 #endif /* HAVE_PAM */
 #ifdef HAVE_SKEY
@@ -940,14 +941,14 @@ cleanup:
  *
  *  Try to authenticate the user using Pluggable Authentication
  *  Modules (PAM). Added 9/11/98 by Gary J. Calvin
- *  Reworked for stock PAM by Amos Elberg based on samba code.
+ *  Reworked for stock PAM by Amos Elberg and Todd Miller
  */
 static char *PAM_username;
 static char *PAM_password;
 
 static int PAM_conv(num_msg, msg, resp, appdata_ptr)
     int num_msg;
-    struct pam_message **msg;
+    PAM_CONST struct pam_message **msg;
     struct pam_response **resp;
     void *appdata_ptr;
 {
@@ -982,7 +983,7 @@ static int PAM_conv(num_msg, msg, resp, appdata_ptr)
            break;
        default:
            /* Must be an error of some sort... */
-           free (reply);
+           free(reply);
            return(PAM_CONV_ERR);
        }
     }
@@ -996,24 +997,15 @@ static int pam_auth(user, password)
     char *user;
     char *password;
 {
+    struct pam_conv PAM_conversation;
     pam_handle_t *pamh;
-    int pam_error;
-    static struct pam_conv PAM_conversation = {
-       &PAM_conv,
-       NULL
-    };
-
-    /*
-     * Now use PAM to do authentication.  For now, we won't worry about
-     * session logging, only authentication.  Bail out if there are any
-     * errors.
-     */
-#define PAM_BAIL if (pam_error != PAM_SUCCESS) { pam_end(pamh, 0); return(0); }
 
+    /* Initialize our variables for PAM */
+    PAM_conversation.conv = PAM_conv;
+    PAM_conversation.appdata_ptr = NULL;
     PAM_password = password;
     PAM_username = user;
-    pam_error = pam_start("sudo", user, &PAM_conversation, &pamh);
-    PAM_BAIL;
+
     /*
      * Setting PAM_SILENT stops generation of error messages to syslog
      * to enable debugging on Red Hat Linux set:
@@ -1021,20 +1013,15 @@ static int pam_auth(user, password)
      *      auth required /lib/security/pam_pwdb.so shadow nullok audit
      * _OR_ change PAM_SILENT to 0 to force detailed reporting (logging)
      */
-    pam_error = pam_authenticate(pamh, PAM_SILENT);
-    PAM_BAIL;
-#if 0
-    /*
-     * It is not clear to me that account management is the right thing
-     * to do, but it is not clear that it isn't, either.  This can be
-     * removed if no account management should be done.  Alternately,
-     * put a pam_allow.so entry in /etc/pam.conf for account handling.
-     */
-    pam_error = pam_acct_mgmt(pamh, PAM_SILENT);
-    PAM_BAIL;
-#endif
+    if (pam_start("sudo", user, &PAM_conversation, &pamh) != PAM_SUCCESS ||
+       pam_authenticate(pamh, PAM_SILENT) != PAM_SUCCESS) {
+       pam_end(pamh, 0);
+       return(0);
+    }
+
+    /* User authenticated successfully */
     pam_end(pamh, PAM_SUCCESS);
-    /* If this point is reached, the user has been authenticated. */
+
     return(1);
 }
 

diff --git a/config.h.in b/config.h.in
index 922ccd9b586d5a71bada8e20d4ed5d6c1bb533c5..15941bdca2f1c1ac1358fd9766b47e2c6c75a9f8 100644 (file)
--- a/config.h.in
+++ b/config.h.in
@@ -83,6 +83,13 @@
 /* Define to be nil if C compiler doesn't support "const."  */
 #undef const
 
+/* Solaris doesn't use const qualifiers in PAM. */
+#ifdef sun
+#define PAM_CONST
+#else
+#define PAM_CONST      const
+#endif
+
 /* Define as the return type of signal handlers (int or void).  */
 #undef RETSIGTYPE