Fix parsing of password+otp into id/otp/passwd. Fix return codes. Fix setcred.

2025-01-20 01:52:17 +01:00 · 2009-03-24 15:11:54 +00:00 · 2009-03-24 15:11:54 +00:00 · d20569dcc3
commit d20569dcc3
parent 7f1a398141
1 changed files with 67 additions and 76 deletions
--- a/pam_yubico.c
+++ b/pam_yubico.c
@ -143,8 +143,9 @@ check_user_token (const char *authfile,
 * list or from user home directory
 */
 static int
-validate_user_token (const char *authfile,
+authorize_user_token (const char *authfile,
-		     const char *username, const char *usertoken)
+		      const char *username,
 		      const char *usertoken)
 {
  int retval = 0;
@ -199,7 +200,7 @@ validate_user_token (const char *authfile,
 *
 */
 static int
-validate_user_token_ldap (const char *ldapserver,
+authorize_user_token_ldap (const char *ldapserver,
 			   const char *ldapdn, const char *user_attr,
 			   const char *yubi_attr, const char *user,
 			   const char *token_id)
@ -383,13 +384,10 @@ pam_sm_authenticate (pam_handle_t * pamh,
  int retval, rc;
  const char *user = NULL;
  const char *password = NULL;
-  const char *token_otp[TOKEN_LEN + 1] = { 0 };
+  char otp[TOKEN_LEN + 1] = { 0 };
-  const char *token_id[TOKEN_ID_LEN + 1] = { 0 };
+  char otp_id[TOKEN_ID_LEN + 1] = { 0 };
  char *token_otp_with_password = NULL;
  char *token_password = NULL;
  int password_len = 0;
  int valid_token = 0;
  int i;
  struct pam_conv *conv;
  struct pam_message *pmsg[1], msg[1];
  struct pam_response *resp;
@ -484,81 +482,73 @@ pam_sm_authenticate (pam_handle_t * pamh,
      DBG (("conv returned: %s", resp->resp));
      password = resp->resp;
    }
-      retval = pam_set_item (pamh, PAM_AUTHTOK, password);
+  password_len = strlen (password);
  if (password_len < TOKEN_LEN)
    {
      DBG (("OTP too short: %s", password));
      retval = PAM_AUTH_ERR;
      goto done;
    }
  strncpy (otp, password + (password_len - TOKEN_LEN), TOKEN_LEN);
  strncpy (otp_id, password + (password_len - TOKEN_LEN), TOKEN_ID_LEN);
  DBG (("OTP: %s ID: %s ", otp, otp_id));
  /* user entered their system password followed by generated OTP? */
  if (password_len > TOKEN_LEN)
    {
      char *onlypasswd = strdup (password);
      onlypasswd[password_len - TOKEN_LEN] = '\0';
      DBG (("Password: %s ", onlypasswd));
      retval = pam_set_item (pamh, PAM_AUTHTOK, onlypasswd);
      free (onlypasswd);
      if (retval != PAM_SUCCESS)
 	{
 	  DBG (("set_item returned error: %s", pam_strerror (pamh, retval)));
 	  goto done;
 	}
    }
  /* user will enter there system paasword followed by generated OTP */
  token_otp_with_password = (char *) password;
  password_len = strlen (token_otp_with_password);
  /* Getting Token value and SSH password */
  strncpy ((char *) token_otp,
 	   token_otp_with_password + (password_len - TOKEN_LEN), TOKEN_LEN);
  token_password = malloc ((password_len - TOKEN_LEN) + 1);
  if (token_password != NULL)
    {
      strncpy (token_password, token_otp_with_password,
 	       (password_len - TOKEN_LEN));
      token_password[(password_len - TOKEN_LEN)] = 0;
      password = token_password;
    }
  strncpy ((char *) token_id,
 	   token_otp_with_password + (password_len - TOKEN_LEN),
 	   TOKEN_ID_LEN);
  DBG ((" Token is : %s and password is %s ", token_otp, password));
  DBG ((" Token ID is: %s ", token_id));
  /* validate the user with supplied token id */
  if (cfg.ldapserver != NULL)
    {
      valid_token = validate_user_token_ldap ((const char *) cfg.ldapserver,
 					      (const char *) cfg.ldapdn,
 					      (const char *) cfg.user_attr,
 					      (const char *) cfg.yubi_attr,
 					      (const char *) user,
 					      (const char *) token_id);
    }
  else
-    {
+    password = NULL;
      valid_token = validate_user_token (cfg.auth_file, (const char *) user,
 					 (const char *) token_id);
    }
  if (password != NULL)
    {
      retval = pam_set_item (pamh, PAM_AUTHTOK, password);
      if (retval != PAM_SUCCESS)
 	{
 	  DBG (("set_item returned error: %s", pam_strerror (pamh, retval)));
 	  goto done;
 	}
    }
-  if (valid_token == 0)
+  rc = yubikey_client_request (ykc, otp);
    {
      DBG (("Invalid Token for user "));
      retval = PAM_SERVICE_ERR;
      goto done;
    }
  rc = yubikey_client_request (ykc, (const char *) token_otp);
  DBG (("libyubikey-client return value (%d): %s", rc,
 	yubikey_client_strerror (rc)));
-  if (token_password != NULL)
+  switch (rc)
    free (token_password);
  if (rc != YUBIKEY_CLIENT_OK)
    {
-      retval = PAM_SERVICE_ERR;
+    case YUBIKEY_CLIENT_OK:
      break;
    case YUBIKEY_CLIENT_BAD_OTP:
    case YUBIKEY_CLIENT_REPLAYED_OTP:
      retval = PAM_AUTH_ERR;
      goto done;
    default:
      retval = PAM_AUTHINFO_UNAVAIL;
      goto done;
    }
  /* authorize the user with supplied token id */
  if (cfg.ldapserver != NULL)
    valid_token = authorize_user_token_ldap (cfg.ldapserver, cfg.ldapdn,
 					     cfg.user_attr, cfg.yubi_attr,
 					     user, otp_id);
  else
    valid_token = authorize_user_token (cfg.auth_file, user, otp_id);
  if (valid_token == 0)
    {
      DBG (("Yubikey not authorized to login as user"));
      retval = PAM_AUTHINFO_UNAVAIL;
      goto done;
    }
@ -573,7 +563,7 @@ done:
      retval = PAM_SUCCESS;
    }
  DBG (("done. [%s]", pam_strerror (pamh, retval)));
-  pam_set_data (pamh, "yubico_setcred_return", &retval, NULL);
+  pam_set_data (pamh, "yubico_setcred_return", (void*) (intptr_t) retval, NULL);
  return retval;
 }
@ -590,6 +580,7 @@ pam_sm_setcred (pam_handle_t * pamh, int flags, int argc, const char **argv)
  retval = pam_get_data (pamh, "yubico_setcred_return",
 			 &auth_retval);
  D (("retval: %d", auth_retval));
  if (retval != PAM_SUCCESS)
    return PAM_CRED_UNAVAIL;