From: Todd C. Miller Date: Fri, 11 Sep 1998 23:19:53 +0000 (+0000) Subject: pam support, from Gary Calvin X-Git-Tag: SUDO_1_5_6~14 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=218e76a059803326e47d0baa8de9c9095891f022;p=sudo pam support, from Gary Calvin --- diff --git a/check.c b/check.c index 86d6de9e4..2af15c8c1 100644 --- a/check.c +++ b/check.c @@ -77,6 +77,10 @@ static char rcsid[] = "$Id$"; #ifdef HAVE_KERB4 # include #endif /* HAVE_KERB4 */ +#ifdef HAVE_PAM +# include +# include +#endif /* HAVE_PAM */ #ifdef HAVE_AFS # include # include @@ -112,6 +116,9 @@ static void reminder __P((void)); #ifdef HAVE_KERB4 static int sudo_krb_validate_user __P((struct passwd *, char *)); #endif /* HAVE_KERB4 */ +#ifdef HAVE_PAM +static void pam_attempt_auth __P((void)); +#endif /* HAVE_PAM */ #ifdef HAVE_SKEY static char *sudo_skeyprompt __P((struct skey *, char *)); #endif /* HAVE_SKEY */ @@ -131,6 +138,12 @@ union config_record configure; #ifdef HAVE_SKEY struct skey skey; #endif +#ifdef HAVE_PAM +static struct pam_conv conv = { + misc_conv, + NULL +}; +#endif #ifdef HAVE_OPIE struct opie opie; #endif @@ -164,7 +177,11 @@ void check_user() if (rtn == 2) reminder(); /* do the reminder if ticket file is new */ #endif /* NO_MESSAGE */ +#ifdef HAVE_PAM + pam_attempt_auth(); +#else /* !HAVE_PAM */ check_passwd(); +#endif /* HAVE_PAM */ } update_timestamp(); 
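Review bot: In the check_user() hunk, nothing at the call site says that `pam_attempt_auth()` reports failure only by calling `exit(1)`, yet the `update_timestamp()` call right after the block relies on exactly that. A comment above the call would record the invariant, for example `/* pam_attempt_auth() returns only on success; every failure path exits */`. Because the PAM call sits in the `#ifdef` and `check_passwd()` in the `#else`, a PAM build skips any method reached only through `check_passwd()`, which is also worth stating there. check_user()'s body starts and ends outside the hunk.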
@@ -715,6 +732,53 @@ static int sudo_krb_validate_user(pw_ent, pass) } #endif /* HAVE_KERB4 */ +#ifdef HAVE_PAM +/******************************************************************** + * pam_attempt_auth() + * + * Try to authenticate the user using Pluggable Authentication + * Modules (PAM). Added 9/11/98 by Gary J. Calvin + */ +static void pam_attempt_auth() +{ + pam_handle_t *pamh=NULL; + int retval; + register int counter = TRIES_FOR_PASSWORD; + + /* printf("PAM Authentication\n"); */ + retval = pam_start("sudo", user_name, &conv, &pamh); + if (retval != PAM_SUCCESS) { + pam_end(pamh, retval); + exit(1); + } + while (counter > 0) { + retval = pam_authenticate(pamh, 0); + if (retval == PAM_SUCCESS) { + set_perms(PERM_USER, 0); + pam_end(pamh, retval); + return; + } + + --counter; +#ifdef USE_INSULTS + (void) fprintf(stderr, "%s\n", INSULT); +#else + (void) fprintf(stderr, "%s\n", INCORRECT_PASSWORD); +#endif /* USE_INSULTS */ + } + set_perms(PERM_USER, 0); + + if (counter > 0) { + log_error(PASSWORD_NOT_CORRECT); + inform_user(PASSWORD_NOT_CORRECT); + } else { + log_error(PASSWORDS_NOT_CORRECT); + inform_user(PASSWORDS_NOT_CORRECT); + } + pam_end(pamh, retval); + exit(1); +} +#endif /* HAVE_PAM */ #ifdef HAVE_SKEY /******************************************************************** diff --git a/config.h.in b/config.h.in index 4e0950124..d247f0dfe 100644 --- a/config.h.in +++ b/config.h.in @@ -111,6 +111,9 @@ # define HAVE_KERB4 #endif /* HAVE_KERB5 */ +/* Define if you use PAM. */ +#define HAVE_PAM + /* Define if you use AFS. */ #undef HAVE_AFS diff --git a/configure.in b/configure.in index 445a74aa7..8dbc298ef 100644 --- a/configure.in +++ b/configure.in 
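Review bot: pam_attempt_auth() treats PAM_SUCCESS from `pam_authenticate()` as sufficient and never calls `pam_acct_mgmt()`, so an account the PAM stack considers expired, locked or otherwise disallowed would still pass once the password checks out. Every other return value is handled as a wrong password and retried, and since the loop is left only by `return` or with `counter` at 0, the `if (counter > 0)` branch after it can never run. The `pam_start()` failure path also exits without logging anything. The loop body below adds the account check and stops retrying on results other than PAM_AUTH_ERR; that makes the `counter > 0` branch reachable, so the message logged there would need to fit a non-password failure.

```c
	retval = pam_authenticate(pamh, 0);
	/* a correct password does not mean the account may be used */
	if (retval == PAM_SUCCESS)
	    retval = pam_acct_mgmt(pamh, 0);
	/* … unchanged: PAM_SUCCESS branch (set_perms, pam_end, return) … */

	/* anything other than a wrong password will not improve on retry */
	if (retval != PAM_AUTH_ERR)
	    break;
	/* … unchanged: --counter and the INSULT / INCORRECT_PASSWORD message … */
```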
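Review bot: The config.h.in hunk adds `#define HAVE_PAM` where the neighbouring entry in the same hunk uses `#undef` (`#undef HAVE_AFS`), so HAVE_PAM appears to be set in every build regardless of `--with-pam`. With it defined, check.c compiles the PAM includes and check_user() calls pam_attempt_auth() in place of check_passwd(), while configure.in adds the PAM libraries only when `$with_pam` is `yes`. The template line should read `#undef HAVE_PAM` so that only `AC_DEFINE(HAVE_PAM)` turns the feature on.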
@@ -135,6 +135,16 @@ AC_ARG_WITH(kerb5, [ --with-kerb5 enable kerberos v5 support], ;; esac]) +AC_ARG_WITH(pam, [ --with-pam enable PAM support], +[case $with_pam in + yes) AC_DEFINE(HAVE_PAM) + echo 'Configuring for use with PAM' + ;; + no) ;; + *) echo "Ignoring unknown argument to --with-pam: $with_pam" + ;; +esac]) + AC_ARG_WITH(AFS, [ --with-AFS enable AFS support], [case $with_AFS in yes) AC_DEFINE(HAVE_AFS) @@ -880,6 +890,13 @@ if test "$with_kerb4" = "yes" -o "$with_kerb5" = "yes"; then fi fi +dnl +dnl PAM libs and includes +dnl +if test "$with_pam" = "yes"; then + SUDO_LIBS="${SUDO_LIBS} -ldl -lpam -lpam_misc" +fi + dnl dnl extra AFS libs and includes dnl
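Review bot: The second configure.in hunk appends `-ldl -lpam -lpam_misc` to SUDO_LIBS without probing for any of them, so `--with-pam` on a system that lacks one of these libraries fails only at link time. `misc_conv`, which check.c places in the `pam_conv` struct, comes from Linux-PAM's libpam_misc and is not part of every PAM implementation. A probe such as `AC_CHECK_LIB(pam_misc, misc_conv, ...)` with a clear configure error would make that dependency explicit.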