From 246253c3790657b9ef8c627ae6887979bcd37353 Mon Sep 17 00:00:00 2001
From: Simon Josefsson
Date: Mon, 11 May 2009 10:05:20 +0000
Subject: [PATCH] Add new key parameter to set verification key.
---
 README | 21 +++++++++++++++------
 configure.ac | 5 ++---
 pam_yubico.c | 17 +++++++++++++----
 3 files changed, 30 insertions(+), 13 deletions(-)
diff --git a/README b/README
index 4d4db6a..407c356 100644
--- a/README
+++ b/README
@@ -91,8 +91,12 @@ For more information, see the project Wiki page.
 Supported PAM module parameters are:
 {{{
- "id": to indicate your client identity,
- "debug": to enable debug output to stdout,
+ "id": to indicate your client identity.
+
+ "key": to indicate your client key in base64 format.
+
+ "debug": to enable debug output to stdout.
+
 "alwaysok": to enable that all authentication attempts should succeed (aka presentation mode).
@@ -110,10 +114,15 @@ Supported PAM module parameters are:
 "url": specify the URL template to use, this is set by calling yubikey_client_set_url_template, which uses by default: http://api.yubico.com/wsapi/verify?id=%d&otp=%s
- "ldapserver": specifiy the ldap server host (default ldap port is used)
- "ldapdn": specify the dn where the users are stored (eg: ou=users,dc=domain,dc=com)
- "user_attr": specify the attribute used to store usernames (eg:cn)
- "yubi_attr": specify the attribute used to store the yubikey id
+
+ "ldapserver": specifiy the ldap server host (default ldap port is used).
+
+ "ldapdn": specify the dn where the users are stored
+ (eg: ou=users,dc=domain,dc=com).
+
+ "user_attr": specify the attribute used to store usernames (eg:cn).
+
+ "yubi_attr": specify the attribute used to store the yubikey id.
 }}}
 If you are using "debug" you may find it useful to create a
diff --git a/configure.ac b/configure.ac
index 50f0acd..3cc6c24 100644
--- a/configure.ac
+++ b/configure.ac
@@ -40,7 +40,6 @@ AC_CHECK_HEADERS([security/pam_appl.h], [],
 AC_CHECK_HEADERS([security/pam_modules.h security/_pam_macros.h], [], [],
 [#include ])
-
 AC_ARG_WITH([ldap],
 [AS_HELP_STRING([--without-ldap], [disable support for ldap])],
@@ -60,9 +59,9 @@ AC_ARG_WITH([ldap],
 AC_LIB_HAVE_LINKFLAGS([ykclient],,
 [#include ],
- [ykclient_init (0);])
+ [ykclient_set_client_b64 (0, 0, 0);])
 if test "$ac_cv_libykclient" != yes; then
- AC_MSG_ERROR([[Libykclient not found, get it from http://code.google.com/p/yubico-c-client/]])
+ AC_MSG_ERROR([[Libykclient v2.3+ required, see http://code.google.com/p/yubico-c-client/]])
 fi
 AC_SUBST(PAMDIR, "\$(exec_prefix)/lib/security")
diff --git a/pam_yubico.c b/pam_yubico.c
index c735ac4..64d3cb1 100644
--- a/pam_yubico.c
+++ b/pam_yubico.c
@@ -70,7 +70,6 @@
 #define PORT_NUMBER LDAP_PORT
 #endif
-
 #ifndef PAM_EXTERN
 #ifdef PAM_STATIC
 #define PAM_EXTERN static
@@ -79,8 +78,6 @@
 #endif
 #endif
-
-
 #include
 #include
@@ -306,6 +303,7 @@ authorize_user_token_ldap (const char *ldapserver,
 struct cfg
 {
 int client_id;
+ char *client_key;
 int debug;
 int alwaysok;
 int try_first_pass;
@@ -339,6 +337,8 @@ parse_cfg (int flags, int argc, const char **argv, struct cfg *cfg)
 {
 if (strncmp (argv[i], "id=", 3) == 0)
 sscanf (argv[i], "id=%d", &cfg->client_id);
+ if (strncmp (argv[i], "key=", 4) == 0)
+ cfg->client_key = (char *) argv[i] + 4;
 if (strcmp (argv[i], "debug") == 0)
 cfg->debug = 1;
 if (strcmp (argv[i], "alwaysok") == 0)
@@ -368,6 +368,7 @@ parse_cfg (int flags, int argc, const char **argv, struct cfg *cfg)
 for (i = 0; i < argc; i++)
 D (("argv[%d]=%s", i, argv[i]));
 D (("id=%d", cfg->client_id));
+ D (("key=%s", cfg->client_key ? cfg->client_key : "(null)"));
 D (("debug=%d", cfg->debug));
 D (("alwaysok=%d", cfg->alwaysok));
 D (("try_first_pass=%d", cfg->try_first_pass));
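Review bot: The new `client_key` field is declared `char *` although it only ever points into the read-only `argv` strings, which is why the `key=` branch in the parse_cfg hunk below needs its `(char *)` cast; declaring it `const char *client_key;` lets that assignment become `cfg->client_key = argv[i] + 4;` (assuming ykclient_set_client_b64 accepts a const pointer, which is not visible here). The NULL test in the later debug line and the unconditional use in pam_sm_authenticate both presume that an absent `key=` leaves the field NULL, which only holds if `struct cfg` is zeroed before parse_cfg runs — that is outside the hunk, so a field comment such as `/* base64 API key from key=; NULL when not configured */` would make the contract explicit. An empty `key=` argument also yields a pointer to "" rather than NULL, which the NULL checks will not catch. The rest of `struct cfg` continues past the end of the hunk.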
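Review bot: The new `D (("key=%s", ...))` line in the second parse_cfg hunk writes the base64 client key — per the commit title, the key used to verify responses — in clear to the debug output, which the README describes as going to stdout; a secret of that kind should not appear in logs or on a terminal. Reporting presence instead of the value keeps the diagnostic useful: `D (("key=%s", cfg->client_key ? "(set)" : "(null)"));`. Note that the argv dump two lines above already echoes every `key=...` argument verbatim, so the same masking is needed there for this change to be effective.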
@@ -437,7 +438,15 @@ pam_sm_authenticate (pam_handle_t * pamh,
 goto done;
 }
- ykclient_set_client (ykc, cfg.client_id, 0, NULL);
+ rc = ykclient_set_client_b64 (ykc, cfg.client_id, cfg.client_key);
+ if (rc != YKCLIENT_OK)
+ {
+ DBG (("ykclient_set_client_b64() failed (%d): %s", rc, ykclient_strerror (rc)));
+ retval = PAM_AUTHINFO_UNAVAIL;
+ goto done;
+ }
+
 if (cfg.url)
 ykclient_set_url_template (ykc, cfg.url);
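Review bot: When no `key=` argument was given, `cfg.client_key` is NULL and is handed straight to ykclient_set_client_b64; the call it replaces passed 0 and NULL explicitly, so whether a NULL key still means "no key" depends on libykclient and is not visible in this hunk. If the library rejects it, every existing configuration without `key=` now fails with PAM_AUTHINFO_UNAVAIL; if it accepts it, verification presumably proceeds without a key, and with the default `http://` URL template shown in the README hunk the server's answer then has no integrity protection — either way the README entry for `key` should state the consequence of omitting it. A comment on the new call, such as `/* client_key may be NULL when key= is not configured; see README */`, would record the intent. `rc` and `retval` are declared outside the hunk, and pam_sm_authenticate continues on both sides of it.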