
A more precise handling of user-token match errors

Signed-off-by: Pierre-Alain Dupont <pad@melix.net>
This commit is contained in:
Pierre-Alain Dupont 2013-01-26 15:59:23 +00:00
parent dc03f4b713
commit 21c4dd3fa3


@ -123,7 +123,7 @@ struct cfg
/* /*
* This function will look for users name with valid user token id. It * This function will look for users name with valid user token id. It
* will returns 0 for failure and 1 for success. * will returns -2 if the user is unknown, -1 if the token do not match the user line, 0 for internal failure and 1 for success.
* *
* File format is as follows: * File format is as follows:
* <user-name>:<token_id>:<token_id> * <user-name>:<token_id>:<token_id>
@ -168,6 +168,7 @@ check_user_token (struct cfg *cfg,
return retval; return retval;
} }
retval = -2;
while (fgets (buf, 1024, opwfile)) while (fgets (buf, 1024, opwfile))
{ {
if (buf[strlen (buf) - 1] == '\n') if (buf[strlen (buf) - 1] == '\n')
@ -177,6 +178,7 @@ check_user_token (struct cfg *cfg,
if (s_user && strcmp (username, s_user) == 0) if (s_user && strcmp (username, s_user) == 0)
{ {
DBG (("Matched user: %s", s_user)); DBG (("Matched user: %s", s_user));
retval = -1; //We found at least one line for the user
do do
{ {
s_token = strtok (NULL, ":"); s_token = strtok (NULL, ":");
@ -194,12 +196,12 @@ check_user_token (struct cfg *cfg,
fclose (opwfile); fclose (opwfile);
return 0; return retval;
} }
/* /*
* Authorize authenticated OTP_ID for login as USERNAME using * Authorize authenticated OTP_ID for login as USERNAME using
* AUTHFILE. Return 0 on failures, otherwise success. * AUTHFILE. Return -2 if the user is unknown, -1 if the OTP_ID does not match, 0 on internal failures, otherwise success.
*/ */
static int static int
authorize_user_token (struct cfg *cfg, authorize_user_token (struct cfg *cfg,
@ -368,9 +370,11 @@ authorize_user_token_ldap (struct cfg *cfg,
if (e == NULL) if (e == NULL)
{ {
DBG (("No result from LDAP search")); DBG (("No result from LDAP search"));
retval = -2;
} }
else else
{ {
retval = -1;
/* Iterate through each returned attribute. */ /* Iterate through each returned attribute. */
for (a = ldap_first_attribute (ld, e, &ber); for (a = ldap_first_attribute (ld, e, &ber);
a != NULL; a = ldap_next_attribute (ld, e, ber)) a != NULL; a = ldap_next_attribute (ld, e, ber))
@ -980,14 +984,27 @@ pam_sm_authenticate (pam_handle_t * pamh,
else else
valid_token = authorize_user_token (cfg, user, otp_id, pamh); valid_token = authorize_user_token (cfg, user, otp_id, pamh);
if (valid_token == 0) switch(valid_token)
{ {
DBG (("Yubikey not authorized to login as user")); case 1:
retval = PAM_AUTHINFO_UNAVAIL;
goto done;
}
retval = PAM_SUCCESS; retval = PAM_SUCCESS;
break;
case 0:
DBG (("Internal error while validating user"));
retval = PAM_AUTHINFO_UNAVAIL;
break;
case -1:
DBG (("Unauthorized token for this user"));
retval = PAM_AUTH_ERR;
break;
case -2:
DBG (("Unknown user"));
retval = PAM_USER_UNKNOWN;
break;
default:
DBG (("Unhandled value for token-user validation"))
retval = PAM_AUTHINFO_UNAVAIL;
}
done: done:
if (ykc) if (ykc)
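Review bot: The `default` arm of the new switch in pam_sm_authenticate drops the semicolon after the debug call, `DBG (("Unhandled value for token-user validation"))`; if DBG expands to a `do { ... } while (0)` this is a compile error, and even if it expands to a plain `if` block the statement should read `DBG (("Unhandled value for token-user validation"));` like the other arms. Treating every unexpected value as PAM_AUTHINFO_UNAVAIL is the right fail-closed default, but the header comments changed in the earlier hunks (check_user_token and authorize_user_token) still say "otherwise success", while this switch only accepts exactly 1; they should say `1 on success` so the three return contracts match. A C++-style `//We found at least one line for the user` comment is also introduced in check_user_token where the rest of the file uses `/* */`. pam_sm_authenticate's body continues past the hunk after the `done:` label.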