rooty/yubico-pam
1
0
Fork 0
mirror of https://github.com/Yubico/yubico-pam.git synced 2025-02-22 00:54:30 +01:00
Code Issues Projects Releases Wiki Activity

Merge pull request #14 from BinetReseau/master

Browse Source 
No match between user and token detailed pam values
This commit is contained in:
Simon Josefsson 2013-09-27 02:11:20 -07:00
commit 387db3eba0
1 changed files with 25 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

33
pam_yubico.c
View File

@ -125,7 +125,7 @@ struct cfg
/* /*
* This function will look for users name with valid user token id. It * This function will look for users name with valid user token id. It
* will returns 0 for failure and 1 for success. * will returns -2 if the user is unknown, -1 if the token do not match the user line, 0 for internal failure and 1 for success.
* *
* File format is as follows: * File format is as follows:
* <user-name>:<token_id>:<token_id> * <user-name>:<token_id>:<token_id>
@ -170,6 +170,7 @@ check_user_token (struct cfg *cfg,
return retval; return retval;
} }
retval = -2;
while (fgets (buf, 1024, opwfile)) while (fgets (buf, 1024, opwfile))
{ {
if (buf[strlen (buf) - 1] == '\n') if (buf[strlen (buf) - 1] == '\n')
@ -179,6 +180,7 @@ check_user_token (struct cfg *cfg,
if (s_user && strcmp (username, s_user) == 0) if (s_user && strcmp (username, s_user) == 0)
{ {
DBG (("Matched user: %s", s_user)); DBG (("Matched user: %s", s_user));
retval = -1; //We found at least one line for the user
do do
{ {
s_token = strtok (NULL, ":"); s_token = strtok (NULL, ":");
@ -196,12 +198,12 @@ check_user_token (struct cfg *cfg,
fclose (opwfile); fclose (opwfile);
return 0; return retval;
} }
/* /*
* Authorize authenticated OTP_ID for login as USERNAME using * Authorize authenticated OTP_ID for login as USERNAME using
* AUTHFILE. Return 0 on failures, otherwise success. * AUTHFILE. Return -2 if the user is unknown, -1 if the OTP_ID does not match, 0 on internal failures, otherwise success.
*/ */
static int static int
authorize_user_token (struct cfg *cfg, authorize_user_token (struct cfg *cfg,
@ -374,9 +376,11 @@ authorize_user_token_ldap (struct cfg *cfg,
if (e == NULL) if (e == NULL)
{ {
DBG (("No result from LDAP search")); DBG (("No result from LDAP search"));
retval = -2;
} }
else else
{ {
retval = -1;
/* Iterate through each returned attribute. */ /* Iterate through each returned attribute. */
for (a = ldap_first_attribute (ld, e, &ber); for (a = ldap_first_attribute (ld, e, &ber);
a != NULL; a = ldap_next_attribute (ld, e, ber)) a != NULL; a = ldap_next_attribute (ld, e, ber))
@ -1001,15 +1005,28 @@ pam_sm_authenticate (pam_handle_t * pamh,
else else
valid_token = authorize_user_token (cfg, user, otp_id, pamh); valid_token = authorize_user_token (cfg, user, otp_id, pamh);
if (valid_token == 0) switch(valid_token)
{ {
DBG (("Yubikey not authorized to login as user")); case 1:
retval = PAM_SUCCESS;
break;
case 0:
DBG (("Internal error while validating user"));
retval = PAM_AUTHINFO_UNAVAIL;
break;
case -1:
DBG (("Unauthorized token for this user"));
retval = PAM_AUTH_ERR;
break;
case -2:
DBG (("Unknown user"));
retval = PAM_USER_UNKNOWN;
break;
default:
DBG (("Unhandled value for token-user validation"))
retval = PAM_AUTHINFO_UNAVAIL; retval = PAM_AUTHINFO_UNAVAIL;
goto done;
} }
retval = PAM_SUCCESS;
done: done:
if (ykc) if (ykc)
ykclient_done (&ykc); ykclient_done (&ykc);