
Merge branch 'pr-180'

Klas Lindfors 2019-01-09 08:59:05 +01:00
commit 2b0756b5de
No known key found for this signature in database
GPG Key ID: BCA00FD4B2168C0A
3 changed files with 42 additions and 26 deletions

README

@ -171,6 +171,13 @@ stacked modules password and will never prompt the user - if no
password is available or the password is not appropriate, the user password is available or the password is not appropriate, the user
will be denied access. will be denied access.
always_prompt::
If set, don't attempt to do a lookup to determine if the user has a
YubiKey configured but instead prompt for one no matter what. This
is useful in the case where ldap_bind_as_user is enabled but this
module is being used to read the user's password (in a YubiKey+OTP
auth scenario).
nullok:: nullok::
If set, don't fail when there are no tokens declared for the user If set, don't fail when there are no tokens declared for the user
in the authorization mapping files or in LDAP. in the authorization mapping files or in LDAP.


@ -41,6 +41,9 @@ Before prompting the user for their password, the module first tries the previou
*use_first_pass*:: *use_first_pass*::
Forces the module to use a previous stacked modules password and will never prompt the user - if no password is available or the password is not appropriate, the user will be denied access. Forces the module to use a previous stacked modules password and will never prompt the user - if no password is available or the password is not appropriate, the user will be denied access.
*always_prompt*::
If set, don't attempt to do a lookup to determine if the user has a YubiKey configured but instead prompt for one no matter what. This is useful in the case where ldap_bind_as_user is enabled but this module is being used to read the user's password (in a YubiKey+OTP auth scenario).
*nullok*:: *nullok*::
Dont fail when there are no tokens declared for the user in the authorization mapping files or in LDAP. This can be used to make YubiKey authentication optional unless the user has associated tokens. Dont fail when there are no tokens declared for the user in the authorization mapping files or in LDAP. This can be used to make YubiKey authentication optional unless the user has associated tokens.


@ -111,6 +111,7 @@ struct cfg
int verbose_otp; int verbose_otp;
int try_first_pass; int try_first_pass;
int use_first_pass; int use_first_pass;
int always_prompt;
int nullok; int nullok;
int ldap_starttls; int ldap_starttls;
int ldap_bind_as_user; int ldap_bind_as_user;
@ -805,6 +806,8 @@ parse_cfg (int flags, int argc, const char **argv, struct cfg *cfg)
cfg->try_first_pass = 1; cfg->try_first_pass = 1;
if (strcmp (argv[i], "use_first_pass") == 0) if (strcmp (argv[i], "use_first_pass") == 0)
cfg->use_first_pass = 1; cfg->use_first_pass = 1;
if (strcmp (argv[i], "always_prompt") == 0)
cfg->always_prompt = 1;
if (strcmp (argv[i], "nullok") == 0) if (strcmp (argv[i], "nullok") == 0)
cfg->nullok = 1; cfg->nullok = 1;
if (strcmp (argv[i], "ldap_starttls") == 0) if (strcmp (argv[i], "ldap_starttls") == 0)
@ -904,6 +907,7 @@ parse_cfg (int flags, int argc, const char **argv, struct cfg *cfg)
DBG ("verbose_otp=%d", cfg->verbose_otp); DBG ("verbose_otp=%d", cfg->verbose_otp);
DBG ("try_first_pass=%d", cfg->try_first_pass); DBG ("try_first_pass=%d", cfg->try_first_pass);
DBG ("use_first_pass=%d", cfg->use_first_pass); DBG ("use_first_pass=%d", cfg->use_first_pass);
DBG ("always_prompt=%d", cfg->always_prompt);
DBG ("nullok=%d", cfg->nullok); DBG ("nullok=%d", cfg->nullok);
DBG ("ldap_starttls=%d", cfg->ldap_starttls); DBG ("ldap_starttls=%d", cfg->ldap_starttls);
DBG ("ldap_bind_as_user=%d", cfg->ldap_bind_as_user); DBG ("ldap_bind_as_user=%d", cfg->ldap_bind_as_user);
@ -1080,34 +1084,36 @@ pam_sm_authenticate (pam_handle_t * pamh,
/* check if the user has at least one associated token id */ /* check if the user has at least one associated token id */
/* we set otp_id to NULL so that no matches will ever be found /* we set otp_id to NULL so that no matches will ever be found
* but AUTH_NO_TOKENS will be returned if there are no tokens for the user */ * but AUTH_NO_TOKENS will be returned if there are no tokens for the user */
if (cfg->ldapserver != NULL || cfg->ldap_uri != NULL) if (!cfg->always_prompt) {
valid_token = authorize_user_token_ldap (cfg, user, NULL, pamh); if (cfg->ldapserver != NULL || cfg->ldap_uri != NULL)
else valid_token = authorize_user_token_ldap (cfg, user, NULL, pamh);
valid_token = authorize_user_token (cfg, user, NULL, pamh); else
valid_token = authorize_user_token (cfg, user, NULL, pamh);
switch(valid_token) switch(valid_token)
{ {
case AUTH_ERROR: case AUTH_ERROR:
DBG ("Internal error while looking for user tokens"); DBG ("Internal error while looking for user tokens");
retval = PAM_AUTHINFO_UNAVAIL; retval = PAM_AUTHINFO_UNAVAIL;
goto done; goto done;
case AUTH_NOT_FOUND: case AUTH_NOT_FOUND:
/* User has associated tokens, so continue */ /* User has associated tokens, so continue */
DBG ("Tokens found for user"); DBG ("Tokens found for user");
break; break;
case AUTH_NO_TOKENS: case AUTH_NO_TOKENS:
DBG ("No tokens found for user"); DBG ("No tokens found for user");
if (cfg->nullok) { if (cfg->nullok) {
retval = PAM_IGNORE; retval = PAM_IGNORE;
} else { } else {
retval = PAM_USER_UNKNOWN; retval = PAM_USER_UNKNOWN;
}
goto done;
default:
DBG ("Unhandled value while looking for user tokens");
retval = PAM_AUTHINFO_UNAVAIL;
goto done;
} }
goto done; }
default:
DBG ("Unhandled value while looking for user tokens");
retval = PAM_AUTHINFO_UNAVAIL;
goto done;
}
if (password == NULL) if (password == NULL)
{ {