176 lines
5.8 KiB
C++
176 lines
5.8 KiB
C++
/*
|
|
* Copyright (c) 2019 MariaDB Corporation Ab
|
|
*
|
|
* Use of this software is governed by the Business Source License included
|
|
* in the LICENSE.TXT file and at www.mariadb.com/bsl11.
|
|
*
|
|
* Change Date: 2025-01-01
|
|
*
|
|
* On the date above, in accordance with the Business Source License, use
|
|
* of this software will be governed by version 2 or later of the General
|
|
* Public License.
|
|
*/
|
|
|
|
#include <maxbase/pam_utils.hh>
|
|
|
|
#include <security/pam_appl.h>
|
|
#include <maxbase/alloc.h>
|
|
#include <maxbase/log.hh>
|
|
#include <maxbase/format.hh>
|
|
|
|
using std::string;
|
|
|
|
namespace
|
|
{
|
|
|
|
const char GENERAL_ERRMSG[] = "Only simple password-based PAM authentication with one call "
|
|
"to the conversation function is supported.";
|
|
|
|
/** Used by the PAM conversation function */
|
|
class ConversationData
|
|
{
|
|
public:
|
|
string m_client;
|
|
string m_password;
|
|
int m_counter {0};
|
|
string m_expected_msg;
|
|
|
|
ConversationData(const string& client, const string& password, const string& expected_msg)
|
|
: m_client(client)
|
|
, m_password(password)
|
|
, m_expected_msg(expected_msg)
|
|
{
|
|
}
|
|
};
|
|
|
|
/**
|
|
* PAM conversation function. The implementation "cheats" by not actually doing
|
|
* I/O with the client. This should only be called once per client when
|
|
* authenticating. See
|
|
* http://www.linux-pam.org/Linux-PAM-html/adg-interface-of-app-expected.html#adg-pam_conv
|
|
* for more information.
|
|
*/
|
|
int conversation_func(int num_msg,
|
|
const struct pam_message** msg,
|
|
struct pam_response** resp_out,
|
|
void* appdata_ptr)
|
|
{
|
|
MXB_DEBUG("Entering PAM conversation function.");
|
|
int rval = PAM_CONV_ERR;
|
|
ConversationData* data = static_cast<ConversationData*>(appdata_ptr);
|
|
data->m_counter++;
|
|
if (data->m_counter > 1)
|
|
{
|
|
MXB_ERROR("Multiple calls to conversation function for client '%s'. %s",
|
|
data->m_client.c_str(), GENERAL_ERRMSG);
|
|
}
|
|
else if (num_msg != 1)
|
|
{
|
|
MXB_ERROR("Conversation function received '%d' messages from API. Only singular messages are "
|
|
"supported.", num_msg);
|
|
}
|
|
else
|
|
{
|
|
pam_message first = *msg[0];
|
|
// Check that the first message from the PAM system is as expected.
|
|
if (first.msg_style != PAM_PROMPT_ECHO_OFF && first.msg_style != PAM_PROMPT_ECHO_ON)
|
|
{
|
|
MXB_ERROR("Unexpected PAM message type '%i' when '%i' or '%i' was expected.",
|
|
first.msg_style, PAM_PROMPT_ECHO_OFF, PAM_PROMPT_ECHO_ON);
|
|
}
|
|
else if (!data->m_expected_msg.empty() && data->m_expected_msg != first.msg)
|
|
{
|
|
MXB_ERROR("Unexpected PAM message contents '%s' when '%s' was expected.",
|
|
first.msg, data->m_expected_msg.c_str());
|
|
}
|
|
else
|
|
{
|
|
pam_response* response = static_cast<pam_response*>(MXS_MALLOC(sizeof(pam_response)));
|
|
if (response)
|
|
{
|
|
response->resp_retcode = 0;
|
|
response->resp = MXS_STRDUP(data->m_password.c_str());
|
|
*resp_out = response;
|
|
rval = PAM_SUCCESS;
|
|
}
|
|
}
|
|
}
|
|
return rval;
|
|
}
|
|
|
|
}
|
|
|
|
namespace maxbase
|
|
{
|
|
|
|
PamResult pam_authenticate(const string& user, const string& password, const string& service,
|
|
const string& expected_msg)
|
|
{
|
|
const char PAM_START_ERR_MSG[] = "Failed to start PAM authentication of user '%s': '%s'.";
|
|
const char PAM_AUTH_ERR_MSG[] = "PAM authentication of user '%s' to service '%s' failed: '%s'.";
|
|
const char PAM_ACC_ERR_MSG[] = "PAM account check of user '%s' to service '%s' failed: '%s'.";
|
|
|
|
ConversationData appdata(user, password, expected_msg);
|
|
pam_conv conv_struct = {conversation_func, &appdata};
|
|
|
|
PamResult result;
|
|
bool authenticated = false;
|
|
pam_handle_t* pam_handle = NULL;
|
|
|
|
int pam_status = pam_start(service.c_str(), user.c_str(), &conv_struct, &pam_handle);
|
|
if (pam_status == PAM_SUCCESS)
|
|
{
|
|
pam_status = pam_authenticate(pam_handle, 0);
|
|
switch (pam_status)
|
|
{
|
|
case PAM_SUCCESS:
|
|
authenticated = true;
|
|
MXB_DEBUG("pam_authenticate returned success.");
|
|
break;
|
|
|
|
case PAM_USER_UNKNOWN:
|
|
case PAM_AUTH_ERR:
|
|
// Normal failure, username or password was wrong.
|
|
result.type = PamResult::Result::WRONG_USER_PW;
|
|
result.error = mxb::string_printf(PAM_AUTH_ERR_MSG, user.c_str(), service.c_str(),
|
|
pam_strerror(pam_handle, pam_status));
|
|
break;
|
|
|
|
default:
|
|
// More exotic error
|
|
result.type = PamResult::Result::MISC_ERROR;
|
|
result.error = mxb::string_printf(PAM_AUTH_ERR_MSG, user.c_str(), service.c_str(),
|
|
pam_strerror(pam_handle, pam_status));
|
|
break;
|
|
}
|
|
}
|
|
else
|
|
{
|
|
result.type = PamResult::Result::MISC_ERROR;
|
|
result.error = mxb::string_printf(PAM_START_ERR_MSG,
|
|
user.c_str(), pam_strerror(pam_handle, pam_status));
|
|
}
|
|
|
|
if (authenticated)
|
|
{
|
|
pam_status = pam_acct_mgmt(pam_handle, 0);
|
|
switch (pam_status)
|
|
{
|
|
case PAM_SUCCESS:
|
|
result.type = PamResult::Result::SUCCESS;
|
|
break;
|
|
|
|
default:
|
|
// Credentials have already been checked to be ok, so this is a somewhat unexpected error.
|
|
result.type = PamResult::Result::ACCOUNT_INVALID;
|
|
result.error = mxb::string_printf(PAM_ACC_ERR_MSG, user.c_str(), service.c_str(),
|
|
pam_strerror(pam_handle, pam_status));
|
|
break;
|
|
}
|
|
}
|
|
pam_end(pam_handle, pam_status);
|
|
return result;
|
|
}
|
|
|
|
}
|