1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
|
#pragma once
#include <security/pam_appl.h>
#include <boost/utility/string_view.hpp>
#include <cstring>
#include <memory>
// function used to get user input
inline int pamFunctionConversation(int numMsg, const struct pam_message** msg,
struct pam_response** resp, void* appdataPtr)
{
if (appdataPtr == nullptr)
{
return PAM_AUTH_ERR;
}
char* appPass = reinterpret_cast<char*>(appdataPtr);
size_t appPassSize = std::strlen(appPass);
char* pass = reinterpret_cast<char*>(malloc(appPassSize + 1));
if (pass == nullptr)
{
return PAM_AUTH_ERR;
}
std::strcpy(pass, appPass);
*resp = reinterpret_cast<pam_response*>(
calloc(static_cast<size_t>(numMsg), sizeof(struct pam_response)));
if (resp == nullptr)
{
return PAM_AUTH_ERR;
}
for (int i = 0; i < numMsg; ++i)
{
/* Ignore all PAM messages except prompting for hidden input */
if (msg[i]->msg_style != PAM_PROMPT_ECHO_OFF)
{
continue;
}
/* Assume PAM is only prompting for the password as hidden input */
resp[i]->resp = pass;
}
return PAM_SUCCESS;
}
/**
* @brief Attempt username/password authentication via PAM.
* @param username The provided username aka account name.
* @param password The provided password.
* @returns PAM error code or PAM_SUCCESS for success. */
inline int pamAuthenticateUser(const std::string_view username,
const std::string_view password)
{
std::string userStr(username);
std::string passStr(password);
const struct pam_conv localConversation = {
pamFunctionConversation, const_cast<char*>(passStr.c_str())};
pam_handle_t* localAuthHandle = nullptr; // this gets set by pam_start
int retval = pam_start("webserver", userStr.c_str(), &localConversation,
&localAuthHandle);
if (retval != PAM_SUCCESS)
{
return retval;
}
retval = pam_authenticate(localAuthHandle,
PAM_SILENT | PAM_DISALLOW_NULL_AUTHTOK);
if (retval != PAM_SUCCESS)
{
pam_end(localAuthHandle, PAM_SUCCESS); // ignore retval
return retval;
}
/* check that the account is healthy */
retval = pam_acct_mgmt(localAuthHandle, PAM_DISALLOW_NULL_AUTHTOK);
if (retval != PAM_SUCCESS)
{
pam_end(localAuthHandle, PAM_SUCCESS); // ignore retval
return retval;
}
return pam_end(localAuthHandle, PAM_SUCCESS);
}
inline int pamUpdatePassword(const std::string& username,
const std::string& password)
{
const struct pam_conv localConversation = {
pamFunctionConversation, const_cast<char*>(password.c_str())};
pam_handle_t* localAuthHandle = nullptr; // this gets set by pam_start
int retval = pam_start("webserver", username.c_str(), &localConversation,
&localAuthHandle);
if (retval != PAM_SUCCESS)
{
return retval;
}
retval = pam_chauthtok(localAuthHandle, PAM_SILENT);
if (retval != PAM_SUCCESS)
{
pam_end(localAuthHandle, PAM_SUCCESS);
return retval;
}
return pam_end(localAuthHandle, PAM_SUCCESS);
}
|
