From bd76c13333b1d40cfe163b74d7a5e9cc852eb618 Mon Sep 17 00:00:00 2001 From: "Todd C. Miller" Date: Sun, 28 Mar 1999 18:50:25 +0000 Subject: [PATCH] Simplify PAM code and fix a PAM-related warning on Linux --- check.c | 49 ++++++++++++++++++------------------------------- config.h.in | 7 +++++++ 2 files changed, 25 insertions(+), 31 deletions(-) diff --git a/check.c b/check.c index e9accd0a3..1a5373a98 100644 --- a/check.c +++ b/check.c @@ -122,7 +122,8 @@ static int verify_krb_v5_tgt __P((krb5_ccache)); #ifdef HAVE_PAM static void pam_attempt_auth __P((void)); static int pam_auth __P((char *, char *)); -static int PAM_conv __P((int, struct pam_message **, +static int PAM_conv __P((int, + PAM_CONST struct pam_message **, struct pam_response **, void *)); #endif /* HAVE_PAM */ #ifdef HAVE_SKEY @@ -940,14 +941,14 @@ cleanup: * * Try to authenticate the user using Pluggable Authentication * Modules (PAM). Added 9/11/98 by Gary J. Calvin - * Reworked for stock PAM by Amos Elberg based on samba code. + * Reworked for stock PAM by Amos Elberg and Todd Miller */ static char *PAM_username; static char *PAM_password; static int PAM_conv(num_msg, msg, resp, appdata_ptr) int num_msg; - struct pam_message **msg; + PAM_CONST struct pam_message **msg; struct pam_response **resp; void *appdata_ptr; { @@ -982,7 +983,7 @@ static int PAM_conv(num_msg, msg, resp, appdata_ptr) break; default: /* Must be an error of some sort... */ - free (reply); + free(reply); return(PAM_CONV_ERR); } } @@ -996,24 +997,15 @@ static int pam_auth(user, password) char *user; char *password; { + struct pam_conv PAM_conversation; pam_handle_t *pamh; - int pam_error; - static struct pam_conv PAM_conversation = { - &PAM_conv, - NULL - }; - - /* - * Now use PAM to do authentication. For now, we won't worry about - * session logging, only authentication. Bail out if there are any - * errors. - */ -#define PAM_BAIL if (pam_error != PAM_SUCCESS) { pam_end(pamh, 0); return(0); } + /* Initialize our variables for PAM */ + PAM_conversation.conv = PAM_conv; + PAM_conversation.appdata_ptr = NULL; PAM_password = password; PAM_username = user; - pam_error = pam_start("sudo", user, &PAM_conversation, &pamh); - PAM_BAIL; + /* * Setting PAM_SILENT stops generation of error messages to syslog * to enable debugging on Red Hat Linux set: @@ -1021,20 +1013,15 @@ static int pam_auth(user, password) * auth required /lib/security/pam_pwdb.so shadow nullok audit * _OR_ change PAM_SILENT to 0 to force detailed reporting (logging) */ - pam_error = pam_authenticate(pamh, PAM_SILENT); - PAM_BAIL; -#if 0 - /* - * It is not clear to me that account management is the right thing - * to do, but it is not clear that it isn't, either. This can be - * removed if no account management should be done. Alternately, - * put a pam_allow.so entry in /etc/pam.conf for account handling. - */ - pam_error = pam_acct_mgmt(pamh, PAM_SILENT); - PAM_BAIL; -#endif + if (pam_start("sudo", user, &PAM_conversation, &pamh) != PAM_SUCCESS || + pam_authenticate(pamh, PAM_SILENT) != PAM_SUCCESS) { + pam_end(pamh, 0); + return(0); + } + + /* User authenticated successfully */ pam_end(pamh, PAM_SUCCESS); - /* If this point is reached, the user has been authenticated. */ + return(1); } diff --git a/config.h.in b/config.h.in index 922ccd9b5..15941bdca 100644 --- a/config.h.in +++ b/config.h.in @@ -83,6 +83,13 @@ /* Define to be nil if C compiler doesn't support "const." */ #undef const +/* Solaris doesn't use const qualifiers in PAM. */ +#ifdef sun +#define PAM_CONST +#else +#define PAM_CONST const +#endif + /* Define as the return type of signal handlers (int or void). */ #undef RETSIGTYPE -- 2.50.1