rooty/yubico-pam
1
0
Fork 0
mirror of https://github.com/Yubico/yubico-pam.git synced 2025-02-26 21:54:15 +01:00
Code Issues Projects Releases Wiki Activity

refactor the debug mode

Browse Source 
add a debug_file option for where to write debug info (default to stdout)
stop compiling with DEBUG_PAM and PAM_DEBUG
make debugging behave the same way on linux-pam and openpam
This commit is contained in:
Klas Lindfors 2016-06-16 09:02:49 +02:00
parent 914fa62eb4
commit fc9a4255f0
6 changed files with 195 additions and 195 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
Makefile.am
View File

@ -49,8 +49,6 @@ libpam_util_la_LIBADD = @LTLIBYUBIKEY@ @YKPERS_LIBS@
libpam_real_la_SOURCES = pam_yubico.c libpam_real_la_SOURCES = pam_yubico.c
DEFS = -DDEBUG_PAM -DPAM_DEBUG @DEFS@
# The command line tools. # The command line tools.
if YKPERS if YKPERS

277
pam_yubico.c
View File

@ -127,12 +127,13 @@ struct cfg
unsigned int token_id_length; unsigned int token_id_length;
enum key_mode mode; enum key_mode mode;
const char *chalresp_path; const char *chalresp_path;
FILE *debug_file;
}; };
#ifdef DBG #ifdef DBG
#undef DBG #undef DBG
#endif #endif
#define DBG(x) if (cfg->debug) { D(x); } #define DBG(x...) if (cfg->debug) { D(cfg->debug_file, x); }
/* /*
* Authorize authenticated OTP_ID for login as USERNAME using * Authorize authenticated OTP_ID for login as USERNAME using
@ -151,8 +152,8 @@ authorize_user_token (struct cfg *cfg,
/* Administrator had configured the file and specified is name /* Administrator had configured the file and specified is name
as an argument for this module. as an argument for this module.
*/ */
DBG (("Using system-wide auth_file %s", cfg->auth_file)); DBG ("Using system-wide auth_file %s", cfg->auth_file);
retval = check_user_token (cfg->auth_file, username, otp_id, cfg->debug); retval = check_user_token (cfg->auth_file, username, otp_id, cfg->debug, cfg->debug_file);
} }
else else
{ {
@ -165,7 +166,7 @@ authorize_user_token (struct cfg *cfg,
pwres = getpwnam_r (username, &pass, buf, buflen, &p); pwres = getpwnam_r (username, &pass, buf, buflen, &p);
if (p == NULL) { if (p == NULL) {
DBG (("getpwnam_r: %s", strerror(pwres))); DBG ("getpwnam_r: %s", strerror(pwres));
return 0; return 0;
} }
@ -173,18 +174,18 @@ authorize_user_token (struct cfg *cfg,
..... i.e. ~/.yubico/authorized_yubikeys ..... i.e. ~/.yubico/authorized_yubikeys
*/ */
if (! get_user_cfgfile_path (NULL, "authorized_yubikeys", p, &userfile)) { if (! get_user_cfgfile_path (NULL, "authorized_yubikeys", p, &userfile)) {
D (("Failed figuring out per-user cfgfile")); DBG ("Failed figuring out per-user cfgfile");
return 0; return 0;
} }
DBG (("Dropping privileges")); DBG ("Dropping privileges");
if(pam_modutil_drop_priv(pamh, &privs, p)) { if(pam_modutil_drop_priv(pamh, &privs, p)) {
DBG (("could not drop privileges")); DBG ("could not drop privileges");
retval = 0; retval = 0;
goto free_out; goto free_out;
} }
retval = check_user_token (userfile, username, otp_id, cfg->debug); retval = check_user_token (userfile, username, otp_id, cfg->debug, cfg->debug_file);
if(pam_modutil_regain_priv(pamh, &privs)) { if(pam_modutil_regain_priv(pamh, &privs)) {
DBG (("could not restore privileges")); DBG (("could not restore privileges"));
@ -259,7 +260,7 @@ authorize_user_token_ldap (struct cfg *cfg,
rc = ldap_initialize (&ld, cfg->ldap_uri); rc = ldap_initialize (&ld, cfg->ldap_uri);
if (rc != LDAP_SUCCESS) if (rc != LDAP_SUCCESS)
{ {
DBG (("ldap_initialize: %s", ldap_err2string (rc))); DBG ("ldap_initialize: %s", ldap_err2string (rc));
retval = 0; retval = 0;
goto done; goto done;
} }
@ -268,7 +269,7 @@ authorize_user_token_ldap (struct cfg *cfg,
{ {
if ((ld = ldap_init (cfg->ldapserver, PORT_NUMBER)) == NULL) if ((ld = ldap_init (cfg->ldapserver, PORT_NUMBER)) == NULL)
{ {
DBG (("ldap_init")); DBG ("ldap_init");
retval = 0; retval = 0;
goto done; goto done;
} }
@ -283,16 +284,15 @@ authorize_user_token_ldap (struct cfg *cfg,
} }
/* Bind anonymously to the LDAP server. */ /* Bind anonymously to the LDAP server. */
if (cfg->ldap_bind_user && cfg->ldap_bind_password) { if (cfg->ldap_bind_user && cfg->ldap_bind_password) {
DBG (("try bind with: %s:[%s]", cfg->ldap_bind_user, cfg->ldap_bind_password)); DBG ("try bind with: %s:[%s]", cfg->ldap_bind_user, cfg->ldap_bind_password);
rc = ldap_simple_bind_s (ld, cfg->ldap_bind_user, cfg->ldap_bind_password); rc = ldap_simple_bind_s (ld, cfg->ldap_bind_user, cfg->ldap_bind_password);
} else { } else {
DBG (("try bind anonymous")); DBG ("try bind anonymous");
rc = ldap_simple_bind_s (ld, NULL, NULL); rc = ldap_simple_bind_s (ld, NULL, NULL);
} }
if (rc != LDAP_SUCCESS) if (rc != LDAP_SUCCESS)
{ {
DBG (("ldap_simple_bind_s: %s", ldap_err2string (rc))); DBG ("ldap_simple_bind_s: %s", ldap_err2string (rc));
retval = 0;
goto done; goto done;
} }
@ -300,7 +300,7 @@ authorize_user_token_ldap (struct cfg *cfg,
if (cfg->user_attr && cfg->yubi_attr && cfg->ldapdn) { if (cfg->user_attr && cfg->yubi_attr && cfg->ldapdn) {
i = (strlen(cfg->user_attr) + strlen(cfg->ldapdn) + strlen(user) + 3) * sizeof(char); i = (strlen(cfg->user_attr) + strlen(cfg->ldapdn) + strlen(user) + 3) * sizeof(char);
if ((find = malloc(i)) == NULL) { if ((find = malloc(i)) == NULL) {
DBG (("Failed allocating %zu bytes", i)); DBG ("Failed allocating %zu bytes", i);
retval = 0; retval = 0;
goto done; goto done;
} }
@ -315,15 +315,15 @@ authorize_user_token_ldap (struct cfg *cfg,
} }
attrs[0] = (char *) cfg->yubi_attr; attrs[0] = (char *) cfg->yubi_attr;
DBG(("LDAP : look up object base='%s' filter='%s', ask for attribute '%s'", find, DBG("LDAP : look up object base='%s' filter='%s', ask for attribute '%s'", find,
filter ? filter:"(null)", cfg->yubi_attr)); filter ? filter:"(null)", cfg->yubi_attr);
/* Search for the entry. */ /* Search for the entry. */
if ((rc = ldap_search_ext_s (ld, find, scope, if ((rc = ldap_search_ext_s (ld, find, scope,
filter, attrs, 0, NULL, NULL, LDAP_NO_LIMIT, filter, attrs, 0, NULL, NULL, LDAP_NO_LIMIT,
LDAP_NO_LIMIT, &result)) != LDAP_SUCCESS) LDAP_NO_LIMIT, &result)) != LDAP_SUCCESS)
{ {
DBG (("ldap_search_ext_s: %s", ldap_err2string (rc))); DBG ("ldap_search_ext_s: %s", ldap_err2string (rc));
retval = 0; retval = 0;
goto done; goto done;
@ -349,17 +349,17 @@ authorize_user_token_ldap (struct cfg *cfg,
/* Compare each value for the attribute against the token id. */ /* Compare each value for the attribute against the token id. */
for (i = 0; vals[i] != NULL; i++) for (i = 0; vals[i] != NULL; i++)
{ {
DBG(("LDAP : Found %i values - checking if any of them match '%s:%s:%s'", DBG("LDAP : Found %i values - checking if any of them match '%s:%s:%s'",
ldap_count_values_len(vals), ldap_count_values_len(vals),
vals[i]->bv_val, vals[i]->bv_val,
cfg->yubi_attr_prefix ? cfg->yubi_attr_prefix : "", token_id)); cfg->yubi_attr_prefix ? cfg->yubi_attr_prefix : "", token_id);
/* Only values containing this prefix are considered. */ /* Only values containing this prefix are considered. */
if ((!cfg->yubi_attr_prefix || !strncmp (cfg->yubi_attr_prefix, vals[i]->bv_val, yubi_attr_prefix_len))) if ((!cfg->yubi_attr_prefix || !strncmp (cfg->yubi_attr_prefix, vals[i]->bv_val, yubi_attr_prefix_len)))
{ {
if(!strncmp (token_id, vals[i]->bv_val + yubi_attr_prefix_len, strlen (token_id))) if(!strncmp (token_id, vals[i]->bv_val + yubi_attr_prefix_len, strlen (token_id)))
{ {
DBG (("Token Found :: %s", vals[i]->bv_val)); DBG ("Token Found :: %s", vals[i]->bv_val);
retval = 1; retval = 1;
} }
} }
@ -393,7 +393,7 @@ authorize_user_token_ldap (struct cfg *cfg,
#if HAVE_CR #if HAVE_CR
static int static int
display_error(pam_handle_t *pamh, const char *message) { display_error(pam_handle_t *pamh, const char *message, struct cfg *cfg) {
struct pam_conv *conv; struct pam_conv *conv;
const struct pam_message *pmsg[1]; const struct pam_message *pmsg[1];
struct pam_message msg[1]; struct pam_message msg[1];
@ -402,12 +402,12 @@ display_error(pam_handle_t *pamh, const char *message) {
retval = pam_get_item (pamh, PAM_CONV, (const void **) &conv); retval = pam_get_item (pamh, PAM_CONV, (const void **) &conv);
if (retval != PAM_SUCCESS) { if (retval != PAM_SUCCESS) {
D(("get conv returned error: %s", pam_strerror (pamh, retval))); DBG("get conv returned error: %s", pam_strerror (pamh, retval));
return retval; return retval;
} }
if(!conv || !conv->conv){ if(!conv || !conv->conv){
D(("conv() function invalid")); DBG("conv() function invalid");
return PAM_CONV_ERR; return PAM_CONV_ERR;
} }
pmsg[0] = &msg[0]; pmsg[0] = &msg[0];
@ -416,13 +416,13 @@ display_error(pam_handle_t *pamh, const char *message) {
retval = conv->conv(1, pmsg, &resp, conv->appdata_ptr); retval = conv->conv(1, pmsg, &resp, conv->appdata_ptr);
if (retval != PAM_SUCCESS) { if (retval != PAM_SUCCESS) {
D(("conv returned error: %s", pam_strerror (pamh, retval))); DBG("conv returned error: %s", pam_strerror (pamh, retval));
return retval; return retval;
} }
if (resp) if (resp)
{ {
D(("conv returned: '%s'", resp->resp)); DBG("conv returned: '%s'", resp->resp);
if (resp->resp) if (resp->resp)
free (resp->resp); free (resp->resp);
free (resp); free (resp);
@ -460,62 +460,62 @@ do_challenge_response(pam_handle_t *pamh, struct cfg *cfg, const char *username)
ret = PAM_AUTH_ERR; ret = PAM_AUTH_ERR;
if (! init_yubikey(&yk)) { if (! init_yubikey(&yk)) {
DBG(("Failed initializing YubiKey")); DBG("Failed initializing YubiKey");
goto out; goto out;
} }
if (! check_firmware_version(yk, cfg->debug, true)) { if (! check_firmware_version(yk, cfg->debug, true, cfg->debug_file)) {
DBG(("YubiKey does not support Challenge-Response (version 2.2 required)")); DBG("YubiKey does not support Challenge-Response (version 2.2 required)");
goto out; goto out;
} }
pwres = getpwnam_r (username, &pass, pwbuf, pwbuflen, &p); pwres = getpwnam_r (username, &pass, pwbuf, pwbuflen, &p);
if (p == NULL) { if (p == NULL) {
DBG (("getpwnam_r: %s", strerror(pwres))); DBG ("getpwnam_r: %s", strerror(pwres));
goto out; goto out;
} }
if (! get_user_challenge_file (yk, cfg->chalresp_path, p, &userfile)) { if (! get_user_challenge_file (yk, cfg->chalresp_path, p, &userfile, cfg->debug_file)) {
DBG(("Failed getting user challenge file for user %s", username)); DBG("Failed getting user challenge file for user %s", username);
goto out; goto out;
} }
DBG(("Loading challenge from file %s", userfile)); DBG("Loading challenge from file %s", userfile);
/* Drop privileges before opening user file (if we're not using system-wide dir). */ /* Drop privileges before opening user file (if we're not using system-wide dir). */
if (!cfg->chalresp_path) { if (!cfg->chalresp_path) {
if (pam_modutil_drop_priv(pamh, &privs, p)) { if (pam_modutil_drop_priv(pamh, &privs, p)) {
DBG (("could not drop privileges")); DBG ("could not drop privileges");
goto out; goto out;
} }
} }
fd = open(userfile, O_RDONLY, 0); fd = open(userfile, O_RDONLY, 0);
if (fd < 0) { if (fd < 0) {
DBG (("Cannot open file: %s (%s)", userfile, strerror(errno))); DBG ("Cannot open file: %s (%s)", userfile, strerror(errno));
goto restpriv_out; goto restpriv_out;
} }
if (fstat(fd, &st) < 0) { if (fstat(fd, &st) < 0) {
DBG (("Cannot stat file: %s (%s)", userfile, strerror(errno))); DBG ("Cannot stat file: %s (%s)", userfile, strerror(errno));
close(fd); close(fd);
goto restpriv_out; goto restpriv_out;
} }
if (!S_ISREG(st.st_mode)) { if (!S_ISREG(st.st_mode)) {
DBG (("%s is not a regular file", userfile)); DBG ("%s is not a regular file", userfile);
close(fd); close(fd);
goto restpriv_out; goto restpriv_out;
} }
f = fdopen(fd, "r"); f = fdopen(fd, "r");
if (f == NULL) { if (f == NULL) {
DBG (("fdopen: %s", strerror(errno))); DBG ("fdopen: %s", strerror(errno));
close(fd); close(fd);
goto restpriv_out; goto restpriv_out;
} }
if (! load_chalresp_state(f, &state, cfg->debug)) if (! load_chalresp_state(f, &state, cfg->debug, cfg->debug_file))
goto restpriv_out; goto restpriv_out;
if (fclose(f) < 0) { if (fclose(f) < 0) {
@ -526,7 +526,7 @@ do_challenge_response(pam_handle_t *pamh, struct cfg *cfg, const char *username)
if (!cfg->chalresp_path) { if (!cfg->chalresp_path) {
if (pam_modutil_regain_priv(pamh, &privs)) { if (pam_modutil_regain_priv(pamh, &privs)) {
DBG (("could not restore privileges")); DBG ("could not restore privileges");
goto out; goto out;
} }
} }
@ -534,7 +534,7 @@ do_challenge_response(pam_handle_t *pamh, struct cfg *cfg, const char *username)
if (! challenge_response(yk, state.slot, state.challenge, state.challenge_len, if (! challenge_response(yk, state.slot, state.challenge, state.challenge_len,
true, true, false, true, true, false,
buf, sizeof(buf), &response_len)) { buf, sizeof(buf), &response_len)) {
DBG(("Challenge-response FAILED")); DBG("Challenge-response FAILED");
goto out; goto out;
} }
@ -552,15 +552,15 @@ do_challenge_response(pam_handle_t *pamh, struct cfg *cfg, const char *username)
if (memcmp(buf, state.response, state.response_len) == 0) { if (memcmp(buf, state.response, state.response_len) == 0) {
ret = PAM_SUCCESS; ret = PAM_SUCCESS;
} else { } else {
DBG(("Unexpected C/R response : %s", response_hex)); DBG("Unexpected C/R response : %s", response_hex);
goto out; goto out;
} }
DBG(("Got the expected response, generating new challenge (%u bytes).", CR_CHALLENGE_SIZE)); DBG("Got the expected response, generating new challenge (%u bytes).", CR_CHALLENGE_SIZE);
errstr = "Error generating new challenge, please check syslog or contact your system administrator"; errstr = "Error generating new challenge, please check syslog or contact your system administrator";
if (generate_random(state.challenge, sizeof(state.challenge))) { if (generate_random(state.challenge, sizeof(state.challenge))) {
DBG(("Failed generating new challenge!")); DBG("Failed generating new challenge!");
goto out; goto out;
} }
@ -568,7 +568,7 @@ do_challenge_response(pam_handle_t *pamh, struct cfg *cfg, const char *username)
if (! challenge_response(yk, state.slot, state.challenge, CR_CHALLENGE_SIZE, if (! challenge_response(yk, state.slot, state.challenge, CR_CHALLENGE_SIZE,
true, true, false, true, true, false,
buf, sizeof(buf), &response_len)) { buf, sizeof(buf), &response_len)) {
DBG(("Second challenge-response FAILED")); DBG("Second challenge-response FAILED");
goto out; goto out;
} }
@ -586,7 +586,7 @@ do_challenge_response(pam_handle_t *pamh, struct cfg *cfg, const char *username)
* Write the challenge and response we will expect the next time to the state file. * Write the challenge and response we will expect the next time to the state file.
*/ */
if (response_len > sizeof(state.response)) { if (response_len > sizeof(state.response)) {
DBG(("Got too long response ??? (%u/%zu)", response_len, sizeof(state.response))); DBG("Got too long response ??? (%u/%zu)", response_len, sizeof(state.response));
goto out; goto out;
} }
memcpy (state.response, buf, response_len); memcpy (state.response, buf, response_len);
@ -597,7 +597,7 @@ do_challenge_response(pam_handle_t *pamh, struct cfg *cfg, const char *username)
/* Drop privileges before creating new challenge file. */ /* Drop privileges before creating new challenge file. */
if (!cfg->chalresp_path) { if (!cfg->chalresp_path) {
if (pam_modutil_drop_priv(pamh, &privs, p)) { if (pam_modutil_drop_priv(pamh, &privs, p)) {
DBG (("could not drop privileges")); DBG ("could not drop privileges");
goto out; goto out;
} }
} }
@ -611,16 +611,16 @@ do_challenge_response(pam_handle_t *pamh, struct cfg *cfg, const char *username)
fd = mkstemp(tmpfile); fd = mkstemp(tmpfile);
if (fd < 0) { if (fd < 0) {
DBG (("Cannot open file: %s (%s)", tmpfile, strerror(errno))); DBG ("Cannot open file: %s (%s)", tmpfile, strerror(errno));
goto restpriv_out; goto restpriv_out;
} }
if (fchmod (fd, st.st_mode) != 0) { if (fchmod (fd, st.st_mode) != 0) {
DBG (("could not set correct file permissions")); DBG ("could not set correct file permissions");
goto restpriv_out; goto restpriv_out;
} }
if (fchown (fd, st.st_uid, st.st_gid) != 0) { if (fchown (fd, st.st_uid, st.st_gid) != 0) {
DBG (("could not set correct file ownership")); DBG ("could not set correct file ownership");
goto restpriv_out; goto restpriv_out;
} }
@ -658,19 +658,19 @@ restpriv_out:
if (yk_errno) { if (yk_errno) {
if (yk_errno == YK_EUSBERR) { if (yk_errno == YK_EUSBERR) {
syslog(LOG_ERR, "USB error: %s", yk_usb_strerror()); syslog(LOG_ERR, "USB error: %s", yk_usb_strerror());
DBG(("USB error: %s", yk_usb_strerror())); DBG("USB error: %s", yk_usb_strerror());
} else { } else {
syslog(LOG_ERR, "Yubikey core error: %s", yk_strerror(yk_errno)); syslog(LOG_ERR, "Yubikey core error: %s", yk_strerror(yk_errno));
DBG(("Yubikey core error: %s", yk_strerror(yk_errno))); DBG("Yubikey core error: %s", yk_strerror(yk_errno));
} }
} }
if (errstr) if (errstr)
display_error(pamh, errstr); display_error(pamh, errstr, cfg);
if (errno) { if (errno) {
syslog(LOG_ERR, "Challenge response failed: %s", strerror(errno)); syslog(LOG_ERR, "Challenge response failed: %s", strerror(errno));
DBG(("Challenge response failed: %s", strerror(errno))); DBG("Challenge response failed: %s", strerror(errno));
} }
if (yk) if (yk)
@ -695,6 +695,7 @@ parse_cfg (int flags, int argc, const char **argv, struct cfg *cfg)
cfg->client_id = 0; cfg->client_id = 0;
cfg->token_id_length = DEFAULT_TOKEN_ID_LEN; cfg->token_id_length = DEFAULT_TOKEN_ID_LEN;
cfg->mode = CLIENT; cfg->mode = CLIENT;
cfg->debug_file = stdout;
for (i = 0; i < argc; i++) for (i = 0; i < argc; i++)
{ {
@ -752,41 +753,53 @@ parse_cfg (int flags, int argc, const char **argv, struct cfg *cfg)
cfg->mode = CLIENT; cfg->mode = CLIENT;
if (strncmp (argv[i], "chalresp_path=", 14) == 0) if (strncmp (argv[i], "chalresp_path=", 14) == 0)
cfg->chalresp_path = argv[i] + 14; cfg->chalresp_path = argv[i] + 14;
if (strncmp (argv[i], "debug_file=", 11) == 0)
{
if(strncmp (argv[i] + 11, "stderr", 6) == 0)
{
cfg->debug_file = stderr;
}
else
{
FILE *file = fopen(argv[1] + 11, "a+");
if(file)
{
cfg->debug_file = file;
}
}
}
} }
if (cfg->debug) DBG ("called.");
{ DBG ("flags %d argc %d", flags, argc);
D (("called.")); for (i = 0; i < argc; i++)
D (("flags %d argc %d", flags, argc)); DBG ("argv[%d]=%s", i, argv[i]);
for (i = 0; i < argc; i++) DBG ("id=%u", cfg->client_id);
D (("argv[%d]=%s", i, argv[i])); DBG ("key=%s", cfg->client_key ? cfg->client_key : "(null)");
D (("id=%u", cfg->client_id)); DBG ("debug=%d", cfg->debug);
D (("key=%s", cfg->client_key ? cfg->client_key : "(null)")); DBG ("alwaysok=%d", cfg->alwaysok);
D (("debug=%d", cfg->debug)); DBG ("verbose_otp=%d", cfg->verbose_otp);
D (("alwaysok=%d", cfg->alwaysok)); DBG ("try_first_pass=%d", cfg->try_first_pass);
D (("verbose_otp=%d", cfg->verbose_otp)); DBG ("use_first_pass=%d", cfg->use_first_pass);
D (("try_first_pass=%d", cfg->try_first_pass)); DBG ("authfile=%s", cfg->auth_file ? cfg->auth_file : "(null)");
D (("use_first_pass=%d", cfg->use_first_pass)); DBG ("ldapserver=%s", cfg->ldapserver ? cfg->ldapserver : "(null)");
D (("authfile=%s", cfg->auth_file ? cfg->auth_file : "(null)")); DBG ("ldap_uri=%s", cfg->ldap_uri ? cfg->ldap_uri : "(null)");
D (("ldapserver=%s", cfg->ldapserver ? cfg->ldapserver : "(null)")); DBG ("ldap_bind_user=%s", cfg->ldap_bind_user ? cfg->ldap_bind_user : "(null)");
D (("ldap_uri=%s", cfg->ldap_uri ? cfg->ldap_uri : "(null)")); DBG ("ldap_bind_password=%s", cfg->ldap_bind_password ? cfg->ldap_bind_password : "(null)");
D (("ldap_bind_user=%s", cfg->ldap_bind_user ? cfg->ldap_bind_user : "(null)")); DBG ("ldap_filter=%s", cfg->ldap_filter ? cfg->ldap_filter : "(null)");
D (("ldap_bind_password=%s", cfg->ldap_bind_password ? cfg->ldap_bind_password : "(null)")); DBG ("ldap_cacertfile=%s", cfg->ldap_cacertfile ? cfg->ldap_cacertfile : "(null)");
D (("ldap_filter=%s", cfg->ldap_filter ? cfg->ldap_filter : "(null)")); DBG ("ldapdn=%s", cfg->ldapdn ? cfg->ldapdn : "(null)");
D (("ldap_cacertfile=%s", cfg->ldap_cacertfile ? cfg->ldap_cacertfile : "(null)")); DBG ("user_attr=%s", cfg->user_attr ? cfg->user_attr : "(null)");
D (("ldapdn=%s", cfg->ldapdn ? cfg->ldapdn : "(null)")); DBG ("yubi_attr=%s", cfg->yubi_attr ? cfg->yubi_attr : "(null)");
D (("user_attr=%s", cfg->user_attr ? cfg->user_attr : "(null)")); DBG ("yubi_attr_prefix=%s", cfg->yubi_attr_prefix ? cfg->yubi_attr_prefix : "(null)");
D (("yubi_attr=%s", cfg->yubi_attr ? cfg->yubi_attr : "(null)")); DBG ("url=%s", cfg->url ? cfg->url : "(null)");
D (("yubi_attr_prefix=%s", cfg->yubi_attr_prefix ? cfg->yubi_attr_prefix : "(null)")); DBG ("urllist=%s", cfg->urllist ? cfg->urllist : "(null)");
D (("url=%s", cfg->url ? cfg->url : "(null)")); DBG ("capath=%s", cfg->capath ? cfg->capath : "(null)");
D (("urllist=%s", cfg->urllist ? cfg->urllist : "(null)")); DBG ("cainfo=%s", cfg->cainfo ? cfg->cainfo : "(null)");
D (("capath=%s", cfg->capath ? cfg->capath : "(null)")); DBG ("proxy=%s", cfg->proxy ? cfg->proxy : "(null)");
D (("cainfo=%s", cfg->cainfo ? cfg->cainfo : "(null)")); DBG ("token_id_length=%d", cfg->token_id_length);
D (("proxy=%s", cfg->proxy ? cfg->proxy : "(null)")); DBG ("mode=%s", cfg->mode == CLIENT ? "client" : "chresp" );
D (("token_id_length=%d", cfg->token_id_length)); DBG ("chalresp_path=%s", cfg->chalresp_path ? cfg->chalresp_path : "(null)");
D (("mode=%s", cfg->mode == CLIENT ? "client" : "chresp" ));
D (("chalresp_path=%s", cfg->chalresp_path ? cfg->chalresp_path : "(null)"));
}
} }
PAM_EXTERN int PAM_EXTERN int
@ -816,11 +829,11 @@ pam_sm_authenticate (pam_handle_t * pamh,
parse_cfg (flags, argc, argv, cfg); parse_cfg (flags, argc, argv, cfg);
DBG (("pam_yubico version: %s", VERSION)); DBG ("pam_yubico version: %s", VERSION);
if (cfg->token_id_length > MAX_TOKEN_ID_LEN) if (cfg->token_id_length > MAX_TOKEN_ID_LEN)
{ {
DBG (("configuration error: token_id_length too long. Maximum acceptable value : %u", MAX_TOKEN_ID_LEN)); DBG ("configuration error: token_id_length too long. Maximum acceptable value : %u", MAX_TOKEN_ID_LEN);
retval = PAM_AUTHINFO_UNAVAIL; retval = PAM_AUTHINFO_UNAVAIL;
goto done; goto done;
} }
@ -828,16 +841,16 @@ pam_sm_authenticate (pam_handle_t * pamh,
retval = pam_get_user (pamh, &user, NULL); retval = pam_get_user (pamh, &user, NULL);
if (retval != PAM_SUCCESS) if (retval != PAM_SUCCESS)
{ {
DBG (("get user returned error: %s", pam_strerror (pamh, retval))); DBG ("get user returned error: %s", pam_strerror (pamh, retval));
goto done; goto done;
} }
DBG (("get user returned: %s", user)); DBG ("get user returned: %s", user);
if (cfg->mode == CHRESP) { if (cfg->mode == CHRESP) {
#if HAVE_CR #if HAVE_CR
return do_challenge_response(pamh, cfg, user); return do_challenge_response(pamh, cfg, user);
#else #else
DBG (("no support for challenge/response")); DBG ("no support for challenge/response");
retval = PAM_AUTH_ERR; retval = PAM_AUTH_ERR;
goto done; goto done;
#endif #endif
@ -848,30 +861,30 @@ pam_sm_authenticate (pam_handle_t * pamh,
retval = pam_get_item (pamh, PAM_AUTHTOK, (const void **) &password); retval = pam_get_item (pamh, PAM_AUTHTOK, (const void **) &password);
if (retval != PAM_SUCCESS) if (retval != PAM_SUCCESS)
{ {
DBG (("get password returned error: %s", DBG ("get password returned error: %s",
pam_strerror (pamh, retval))); pam_strerror (pamh, retval));
goto done; goto done;
} }
DBG (("get password returned: %s", password)); DBG ("get password returned: %s", password);
} }
if (cfg->use_first_pass && password == NULL) if (cfg->use_first_pass && password == NULL)
{ {
DBG (("use_first_pass set and no password, giving up")); DBG ("use_first_pass set and no password, giving up");
retval = PAM_AUTH_ERR; retval = PAM_AUTH_ERR;
goto done; goto done;
} }
if(ykclient_global_init() != YKCLIENT_OK) if(ykclient_global_init() != YKCLIENT_OK)
{ {
DBG (("Failed initializing ykclient library")); DBG ("Failed initializing ykclient library");
retval = PAM_AUTHINFO_UNAVAIL; retval = PAM_AUTHINFO_UNAVAIL;
goto done; goto done;
} }
rc = ykclient_init (&ykc); rc = ykclient_init (&ykc);
if (rc != YKCLIENT_OK) if (rc != YKCLIENT_OK)
{ {
DBG (("ykclient_init() failed (%d): %s", rc, ykclient_strerror (rc))); DBG ("ykclient_init() failed (%d): %s", rc, ykclient_strerror (rc));
retval = PAM_AUTHINFO_UNAVAIL; retval = PAM_AUTHINFO_UNAVAIL;
goto done; goto done;
} }
@ -879,8 +892,8 @@ pam_sm_authenticate (pam_handle_t * pamh,
rc = ykclient_set_client_b64 (ykc, cfg->client_id, cfg->client_key); rc = ykclient_set_client_b64 (ykc, cfg->client_id, cfg->client_key);
if (rc != YKCLIENT_OK) if (rc != YKCLIENT_OK)
{ {
DBG (("ykclient_set_client_b64() failed (%d): %s", DBG ("ykclient_set_client_b64() failed (%d): %s",
rc, ykclient_strerror (rc))); rc, ykclient_strerror (rc));
retval = PAM_AUTHINFO_UNAVAIL; retval = PAM_AUTHINFO_UNAVAIL;
goto done; goto done;
} }
@ -902,8 +915,8 @@ pam_sm_authenticate (pam_handle_t * pamh,
rc = ykclient_set_url_template (ykc, cfg->url); rc = ykclient_set_url_template (ykc, cfg->url);
if (rc != YKCLIENT_OK) if (rc != YKCLIENT_OK)
{ {
DBG (("ykclient_set_url_template() failed (%d): %s", DBG ("ykclient_set_url_template() failed (%d): %s",
rc, ykclient_strerror (rc))); rc, ykclient_strerror (rc));
retval = PAM_AUTHINFO_UNAVAIL; retval = PAM_AUTHINFO_UNAVAIL;
goto done; goto done;
} }
@ -919,7 +932,7 @@ pam_sm_authenticate (pam_handle_t * pamh,
{ {
if(templates == 10) if(templates == 10)
{ {
DBG (("maximum 10 urls supported in list.")); DBG ("maximum 10 urls supported in list.");
retval = PAM_AUTHINFO_UNAVAIL; retval = PAM_AUTHINFO_UNAVAIL;
goto done; goto done;
} }
@ -929,8 +942,8 @@ pam_sm_authenticate (pam_handle_t * pamh,
rc = ykclient_set_url_bases (ykc, templates, (const char **)urls); rc = ykclient_set_url_bases (ykc, templates, (const char **)urls);
if (rc != YKCLIENT_OK) if (rc != YKCLIENT_OK)
{ {
DBG (("ykclient_set_url_bases() failed (%d): %s", DBG ("ykclient_set_url_bases() failed (%d): %s",
rc, ykclient_strerror (rc))); rc, ykclient_strerror (rc));
retval = PAM_AUTHINFO_UNAVAIL; retval = PAM_AUTHINFO_UNAVAIL;
goto done; goto done;
} }
@ -941,7 +954,7 @@ pam_sm_authenticate (pam_handle_t * pamh,
retval = pam_get_item (pamh, PAM_CONV, (const void **) &conv); retval = pam_get_item (pamh, PAM_CONV, (const void **) &conv);
if (retval != PAM_SUCCESS) if (retval != PAM_SUCCESS)
{ {
DBG (("get conv returned error: %s", pam_strerror (pamh, retval))); DBG ("get conv returned error: %s", pam_strerror (pamh, retval));
goto done; goto done;
} }
@ -971,18 +984,18 @@ pam_sm_authenticate (pam_handle_t * pamh,
if (retval != PAM_SUCCESS) if (retval != PAM_SUCCESS)
{ {
DBG (("conv returned error: %s", pam_strerror (pamh, retval))); DBG ("conv returned error: %s", pam_strerror (pamh, retval));
goto done; goto done;
} }
if (resp->resp == NULL) if (resp->resp == NULL)
{ {
DBG (("conv returned NULL passwd?")); DBG ("conv returned NULL passwd?");
retval = PAM_AUTH_ERR; retval = PAM_AUTH_ERR;
goto done; goto done;
} }
DBG (("conv returned %zu bytes", strlen(resp->resp))); DBG ("conv returned %zu bytes", strlen(resp->resp));
password = resp->resp; password = resp->resp;
} }
@ -990,7 +1003,7 @@ pam_sm_authenticate (pam_handle_t * pamh,
password_len = strlen (password); password_len = strlen (password);
if (password_len < (cfg->token_id_length + TOKEN_OTP_LEN)) if (password_len < (cfg->token_id_length + TOKEN_OTP_LEN))
{ {
DBG (("OTP too short to be considered : %zu < %u", password_len, (cfg->token_id_length + TOKEN_OTP_LEN))); DBG ("OTP too short to be considered : %zu < %u", password_len, (cfg->token_id_length + TOKEN_OTP_LEN));
retval = PAM_AUTH_ERR; retval = PAM_AUTH_ERR;
goto done; goto done;
} }
@ -999,15 +1012,15 @@ pam_sm_authenticate (pam_handle_t * pamh,
"systempassword" when copying the token_id and OTP to separate buffers */ "systempassword" when copying the token_id and OTP to separate buffers */
skip_bytes = password_len - (cfg->token_id_length + TOKEN_OTP_LEN); skip_bytes = password_len - (cfg->token_id_length + TOKEN_OTP_LEN);
DBG (("Skipping first %i bytes. Length is %zu, token_id set to %u and token OTP always %u.", DBG ("Skipping first %i bytes. Length is %zu, token_id set to %u and token OTP always %u.",
skip_bytes, password_len, cfg->token_id_length, TOKEN_OTP_LEN)); skip_bytes, password_len, cfg->token_id_length, TOKEN_OTP_LEN);
/* Copy full YubiKey output (public ID + OTP) into otp */ /* Copy full YubiKey output (public ID + OTP) into otp */
strncpy (otp, password + skip_bytes, sizeof (otp) - 1); strncpy (otp, password + skip_bytes, sizeof (otp) - 1);
/* Copy only public ID into otp_id. Destination buffer is zeroed. */ /* Copy only public ID into otp_id. Destination buffer is zeroed. */
strncpy (otp_id, password + skip_bytes, cfg->token_id_length); strncpy (otp_id, password + skip_bytes, cfg->token_id_length);
DBG (("OTP: %s ID: %s ", otp, otp_id)); DBG ("OTP: %s ID: %s ", otp, otp_id);
/* user entered their system password followed by generated OTP? */ /* user entered their system password followed by generated OTP? */
if (password_len > TOKEN_OTP_LEN + cfg->token_id_length) if (password_len > TOKEN_OTP_LEN + cfg->token_id_length)
@ -1021,13 +1034,13 @@ pam_sm_authenticate (pam_handle_t * pamh,
onlypasswd[password_len - (TOKEN_OTP_LEN + cfg->token_id_length)] = '\0'; onlypasswd[password_len - (TOKEN_OTP_LEN + cfg->token_id_length)] = '\0';
DBG (("Extracted a probable system password entered before the OTP - " DBG ("Extracted a probable system password entered before the OTP - "
"setting item PAM_AUTHTOK")); "setting item PAM_AUTHTOK");
retval = pam_set_item (pamh, PAM_AUTHTOK, onlypasswd); retval = pam_set_item (pamh, PAM_AUTHTOK, onlypasswd);
if (retval != PAM_SUCCESS) if (retval != PAM_SUCCESS)
{ {
DBG (("set_item returned error: %s", pam_strerror (pamh, retval))); DBG ("set_item returned error: %s", pam_strerror (pamh, retval));
goto done; goto done;
} }
} }
@ -1036,9 +1049,9 @@ pam_sm_authenticate (pam_handle_t * pamh,
rc = ykclient_request (ykc, otp); rc = ykclient_request (ykc, otp);
DBG (("ykclient return value (%d): %s", rc, DBG ("ykclient return value (%d): %s", rc,
ykclient_strerror (rc))); ykclient_strerror (rc));
DBG (("ykclient url used: %s", ykclient_get_last_url(ykc))); DBG ("ykclient url used: %s", ykclient_get_last_url(ykc));
switch (rc) switch (rc)
{ {
@ -1067,19 +1080,19 @@ pam_sm_authenticate (pam_handle_t * pamh,
retval = PAM_SUCCESS; retval = PAM_SUCCESS;
break; break;
case 0: case 0:
DBG (("Internal error while validating user")); DBG ("Internal error while validating user");
retval = PAM_AUTHINFO_UNAVAIL; retval = PAM_AUTHINFO_UNAVAIL;
break; break;
case -1: case -1:
DBG (("Unauthorized token for this user")); DBG ("Unauthorized token for this user");
retval = PAM_AUTH_ERR; retval = PAM_AUTH_ERR;
break; break;
case -2: case -2:
DBG (("Unknown user")); DBG ("Unknown user");
retval = PAM_USER_UNKNOWN; retval = PAM_USER_UNKNOWN;
break; break;
default: default:
DBG (("Unhandled value for token-user validation")) DBG ("Unhandled value for token-user validation");
retval = PAM_AUTHINFO_UNAVAIL; retval = PAM_AUTHINFO_UNAVAIL;
} }
@ -1103,10 +1116,10 @@ done:
} }
if (cfg->alwaysok && retval != PAM_SUCCESS) if (cfg->alwaysok && retval != PAM_SUCCESS)
{ {
DBG (("alwaysok needed (otherwise return with %d)", retval)); DBG ("alwaysok needed (otherwise return with %d)", retval);
retval = PAM_SUCCESS; retval = PAM_SUCCESS;
} }
DBG (("done. [%s]", pam_strerror (pamh, retval))); DBG ("done. [%s]", pam_strerror (pamh, retval));
pam_set_data (pamh, "yubico_setcred_return", (void*)(intptr_t)retval, NULL); pam_set_data (pamh, "yubico_setcred_return", (void*)(intptr_t)retval, NULL);
if (resp) if (resp)
@ -1133,16 +1146,19 @@ pam_sm_setcred (
} }
PAM_EXTERN int PAM_EXTERN int
pam_sm_acct_mgmt(pam_handle_t *pamh, int flags __attribute__((unused)), pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, int argc, const char **argv)
int argc __attribute__((unused)), const char **argv __attribute__((unused)))
{ {
struct cfg cfg_st;
struct cfg *cfg = &cfg_st; /* for DBG macro */
int retval; int retval;
int rc = pam_get_data(pamh, "yubico_setcred_return", (const void**)&retval); int rc = pam_get_data(pamh, "yubico_setcred_return", (const void**)&retval);
parse_cfg (flags, argc, argv, cfg);
if (rc == PAM_SUCCESS && retval == PAM_SUCCESS) { if (rc == PAM_SUCCESS && retval == PAM_SUCCESS) {
D (("pam_sm_acct_mgmt returing PAM_SUCCESS")); DBG ("pam_sm_acct_mgmt returing PAM_SUCCESS");
return PAM_SUCCESS; return PAM_SUCCESS;
} }
D (("pam_sm_acct_mgmt returing PAM_AUTH_ERR:%d", rc)); DBG ("pam_sm_acct_mgmt returing PAM_AUTH_ERR:%d", rc);
return PAM_AUTH_ERR; return PAM_AUTH_ERR;
} }
@ -1152,7 +1168,6 @@ pam_sm_open_session(
int argc __attribute__((unused)), const char *argv[] __attribute__((unused))) int argc __attribute__((unused)), const char *argv[] __attribute__((unused)))
{ {
D(("pam_sm_open_session"));
return (PAM_SUCCESS); return (PAM_SUCCESS);
} }
@ -1161,7 +1176,6 @@ pam_sm_close_session(
pam_handle_t *pamh __attribute__((unused)), int flags __attribute__((unused)), pam_handle_t *pamh __attribute__((unused)), int flags __attribute__((unused)),
int argc __attribute__((unused)), const char *argv[] __attribute__((unused))) int argc __attribute__((unused)), const char *argv[] __attribute__((unused)))
{ {
D(("pam_sm_close_session"));
return (PAM_SUCCESS); return (PAM_SUCCESS);
} }
@ -1170,7 +1184,6 @@ pam_sm_chauthtok(
pam_handle_t *pamh __attribute__((unused)), int flags __attribute__((unused)), pam_handle_t *pamh __attribute__((unused)), int flags __attribute__((unused)),
int argc __attribute__((unused)), const char *argv[] __attribute__((unused))) int argc __attribute__((unused)), const char *argv[] __attribute__((unused)))
{ {
D(("pam_sm_chauthtok"));
return (PAM_SERVICE_ERR); return (PAM_SERVICE_ERR);
} }

28
tests/util_test.c
View File

@ -74,27 +74,27 @@ static void test_check_user_token(void) {
fprintf(handle, "foo2:cccccccccccc\n"); fprintf(handle, "foo2:cccccccccccc\n");
fclose(handle); fclose(handle);
ret = check_user_token(file, "foobar", "hhhvhvhdhbid", 1); ret = check_user_token(file, "foobar", "hhhvhvhdhbid", 1, stdout);
assert(ret == 1); assert(ret == 1);
ret = check_user_token(file, "foobar", "hnhbhnhbhnhb", 1); ret = check_user_token(file, "foobar", "hnhbhnhbhnhb", 1, stdout);
assert(ret == 1); assert(ret == 1);
ret = check_user_token(file, "foobar", "hnhbhnhbhnhc", 1); ret = check_user_token(file, "foobar", "hnhbhnhbhnhc", 1, stdout);
assert(ret == -1); assert(ret == -1);
ret = check_user_token(file, "kaka", "hihbhdhrhbhj", 1); ret = check_user_token(file, "kaka", "hihbhdhrhbhj", 1, stdout);
assert(ret == 1); assert(ret == 1);
ret = check_user_token(file, "bar", "hnhbhnhbhnhb", 1); ret = check_user_token(file, "bar", "hnhbhnhbhnhb", 1, stdout);
assert(ret == 1); assert(ret == 1);
ret = check_user_token(file, "foo", "hdhrhbhjhvhu", 1); ret = check_user_token(file, "foo", "hdhrhbhjhvhu", 1, stdout);
assert(ret == -2); assert(ret == -2);
ret = check_user_token(file, "foo2", "cccccccccccc", 1); ret = check_user_token(file, "foo2", "cccccccccccc", 1, stdout);
assert(ret == 1); assert(ret == 1);
ret = check_user_token(file, "foo2", "vvvvvvvvvvvv", 1); ret = check_user_token(file, "foo2", "vvvvvvvvvvvv", 1, stdout);
assert(ret == 1); assert(ret == 1);
ret = check_user_token(file, "foo2", "vvvvvvvvvvcc", 1); ret = check_user_token(file, "foo2", "vvvvvvvvvvcc", 1, stdout);
assert(ret == -1); assert(ret == -1);
ret = check_user_token(file, "foo2", "", 1); ret = check_user_token(file, "foo2", "", 1, stdout);
assert(ret == -1); assert(ret == -1);
ret = check_user_token(file, "foo", "", 1); ret = check_user_token(file, "foo", "", 1, stdout);
assert(ret == -2); assert(ret == -2);
remove(file); remove(file);
} }
@ -115,7 +115,7 @@ static void test_load_chalresp_state(void) {
memset(&state, 0, sizeof(state)); memset(&state, 0, sizeof(state));
fprintf(file, "v2:%s:%s:%s:%d:%d\n", CHALLENGE1, RESPONSE1, SALT1, 1000, 2); fprintf(file, "v2:%s:%s:%s:%d:%d\n", CHALLENGE1, RESPONSE1, SALT1, 1000, 2);
rewind(file); rewind(file);
ret = load_chalresp_state(file, &state, true); ret = load_chalresp_state(file, &state, true, stdout);
assert(ret == 1); assert(ret == 1);
assert(state.iterations == 1000); assert(state.iterations == 1000);
assert(state.slot == 2); assert(state.slot == 2);
@ -127,7 +127,7 @@ static void test_load_chalresp_state(void) {
memset(&state, 0, sizeof(state)); memset(&state, 0, sizeof(state));
fprintf(file, "v1:%s:%s:%d\n", CHALLENGE2, RESPONSE2, 1); fprintf(file, "v1:%s:%s:%d\n", CHALLENGE2, RESPONSE2, 1);
rewind(file); rewind(file);
ret = load_chalresp_state(file, &state, true); ret = load_chalresp_state(file, &state, true, stdout);
assert(ret == 1); assert(ret == 1);
assert(state.iterations == CR_DEFAULT_ITERATIONS); assert(state.iterations == CR_DEFAULT_ITERATIONS);
assert(state.slot == 1); assert(state.slot == 1);
@ -139,7 +139,7 @@ static void test_load_chalresp_state(void) {
/* slot 3 should fail.. */ /* slot 3 should fail.. */
fprintf(file, "v2:%s:%s:%s:%d:%d\n", CHALLENGE1, RESPONSE1, SALT1, 1000, 3); fprintf(file, "v2:%s:%s:%s:%d:%d\n", CHALLENGE1, RESPONSE1, SALT1, 1000, 3);
rewind(file); rewind(file);
ret = load_chalresp_state(file, &state, true); ret = load_chalresp_state(file, &state, true, stdout);
assert(ret == 0); assert(ret == 0);
fclose(file); fclose(file);
} }

51
util.c
View File

@ -97,7 +97,8 @@ int
check_user_token (const char *authfile, check_user_token (const char *authfile,
const char *username, const char *username,
const char *otp_id, const char *otp_id,
int verbose) int verbose,
FILE *debug_file)
{ {
char buf[1024]; char buf[1024];
char *s_user, *s_token; char *s_user, *s_token;
@ -109,20 +110,20 @@ check_user_token (const char *authfile,
fd = open(authfile, O_RDONLY, 0); fd = open(authfile, O_RDONLY, 0);
if (fd < 0) { if (fd < 0) {
if(verbose) if(verbose)
D (("Cannot open file: %s (%s)", authfile, strerror(errno))); D (debug_file, "Cannot open file: %s (%s)", authfile, strerror(errno));
return retval; return retval;
} }
if (fstat(fd, &st) < 0) { if (fstat(fd, &st) < 0) {
if(verbose) if(verbose)
D (("Cannot stat file: %s (%s)", authfile, strerror(errno))); D (debug_file, "Cannot stat file: %s (%s)", authfile, strerror(errno));
close(fd); close(fd);
return retval; return retval;
} }
if (!S_ISREG(st.st_mode)) { if (!S_ISREG(st.st_mode)) {
if(verbose) if(verbose)
D (("%s is not a regular file", authfile)); D (debug_file, "%s is not a regular file", authfile);
close(fd); close(fd);
return retval; return retval;
} }
@ -130,7 +131,7 @@ check_user_token (const char *authfile,
opwfile = fdopen(fd, "r"); opwfile = fdopen(fd, "r");
if (opwfile == NULL) { if (opwfile == NULL) {
if(verbose) if(verbose)
D (("fdopen: %s", strerror(errno))); D (debug_file, "fdopen: %s", strerror(errno));
close(fd); close(fd);
return retval; return retval;
} }
@ -144,27 +145,26 @@ check_user_token (const char *authfile,
if (buf[0] == '#') { if (buf[0] == '#') {
/* This is a comment and we may skip it. */ /* This is a comment and we may skip it. */
if(verbose) if(verbose)
D (("Skipping comment line: %s", buf)); D (debug_file, "Skipping comment line: %s", buf);
continue; continue;
} }
if(verbose) if(verbose)
D (("Authorization line: %s", buf)); D (debug_file, "Authorization line: %s", buf);
s_user = strtok_r (buf, ":", &saveptr); s_user = strtok_r (buf, ":", &saveptr);
if (s_user && strcmp (username, s_user) == 0) if (s_user && strcmp (username, s_user) == 0)
{ {
if(verbose) if(verbose)
D (("Matched user: %s", s_user)); D (debug_file, "Matched user: %s", s_user);
retval = -1; //We found at least one line for the user retval = -1; //We found at least one line for the user
do do
{ {
s_token = strtok_r (NULL, ":", &saveptr); s_token = strtok_r (NULL, ":", &saveptr);
if(verbose) if(verbose)
D (("Authorization token: %s", s_token)); D (debug_file, "Authorization token: %s", s_token);
if (s_token && strcmp (otp_id, s_token) == 0) if (s_token && strcmp (otp_id, s_token) == 0)
{ {
if(verbose) if(verbose)
D (("Match user/token as %s/%s", username, otp_id)); D (debug_file, "Match user/token as %s/%s", username, otp_id);
fclose (opwfile);
return 1; return 1;
} }
} }
@ -196,7 +196,7 @@ int generate_random(void *buf, int len)
} }
int int
check_firmware_version(YK_KEY *yk, bool verbose, bool quiet) check_firmware_version(YK_KEY *yk, bool verbose, bool quiet, FILE *debug_file)
{ {
YK_STATUS *st = ykds_alloc(); YK_STATUS *st = ykds_alloc();
@ -206,11 +206,10 @@ check_firmware_version(YK_KEY *yk, bool verbose, bool quiet)
} }
if (verbose) { if (verbose) {
D(("YubiKey Firmware version: %d.%d.%d\n", D(debug_file, "YubiKey Firmware version: %d.%d.%d\n",
ykds_version_major(st), ykds_version_major(st),
ykds_version_minor(st), ykds_version_minor(st),
ykds_version_build(st))); ykds_version_build(st));
fflush(stdout);
} }
if (ykds_version_major(st) < 2 || if (ykds_version_major(st) < 2 ||
@ -282,7 +281,7 @@ int challenge_response(YK_KEY *yk, int slot,
} }
int int
get_user_challenge_file(YK_KEY *yk, const char *chalresp_path, const struct passwd *user, char **fn) get_user_challenge_file(YK_KEY *yk, const char *chalresp_path, const struct passwd *user, char **fn, FILE *debug_file)
{ {
/* Getting file from user home directory, i.e. ~/.yubico/challenge, or /* Getting file from user home directory, i.e. ~/.yubico/challenge, or
* from a system wide directory. * from a system wide directory.
@ -299,7 +298,7 @@ get_user_challenge_file(YK_KEY *yk, const char *chalresp_path, const struct pass
int ret; int ret;
if (! yk_get_serial(yk, 0, 0, &serial)) { if (! yk_get_serial(yk, 0, 0, &serial)) {
D (("Failed to read serial number (serial-api-visible disabled?).")); D (debug_file, "Failed to read serial number (serial-api-visible disabled?).");
if (! chalresp_path) if (! chalresp_path)
filename = "challenge"; filename = "challenge";
else else
@ -330,7 +329,7 @@ get_user_challenge_file(YK_KEY *yk, const char *chalresp_path, const struct pass
} }
int int
load_chalresp_state(FILE *f, CR_STATE *state, bool verbose) load_chalresp_state(FILE *f, CR_STATE *state, bool verbose, FILE *debug_file)
{ {
/* /*
* Load the current challenge and expected response information from a file handle. * Load the current challenge and expected response information from a file handle.
@ -354,13 +353,13 @@ load_chalresp_state(FILE *f, CR_STATE *state, bool verbose)
r = fscanf(f, "v2:%126[0-9a-z]:%40[0-9a-z]:%64[0-9a-z]:%d:%d", challenge_hex, response_hex, salt_hex, &iterations, &slot); r = fscanf(f, "v2:%126[0-9a-z]:%40[0-9a-z]:%64[0-9a-z]:%d:%d", challenge_hex, response_hex, salt_hex, &iterations, &slot);
if(r == 5) { if(r == 5) {
if (! yubikey_hex_p(salt_hex)) { if (! yubikey_hex_p(salt_hex)) {
D(("Invalid salt hex input : %s", salt_hex)); D(debug_file, "Invalid salt hex input : %s", salt_hex);
goto out; goto out;
} }
if(verbose) { if(verbose) {
D(("Challenge: %s, hashed response: %s, salt: %s, iterations: %d, slot: %d", D(debug_file, "Challenge: %s, hashed response: %s, salt: %s, iterations: %d, slot: %d",
challenge_hex, response_hex, salt_hex, iterations, slot)); challenge_hex, response_hex, salt_hex, iterations, slot);
} }
yubikey_hex_decode(state->salt, salt_hex, sizeof(state->salt)); yubikey_hex_decode(state->salt, salt_hex, sizeof(state->salt));
@ -369,12 +368,12 @@ load_chalresp_state(FILE *f, CR_STATE *state, bool verbose)
rewind(f); rewind(f);
r = fscanf(f, "v1:%126[0-9a-z]:%40[0-9a-z]:%d", challenge_hex, response_hex, &slot); r = fscanf(f, "v1:%126[0-9a-z]:%40[0-9a-z]:%d", challenge_hex, response_hex, &slot);
if (r != 3) { if (r != 3) {
D(("Could not parse contents of chalresp_state file (%i)", r)); D(debug_file, "Could not parse contents of chalresp_state file (%i)", r);
goto out; goto out;
} }
if (verbose) { if (verbose) {
D(("Challenge: %s, expected response: %s, slot: %d", challenge_hex, response_hex, slot)); D(debug_file, "Challenge: %s, expected response: %s, slot: %d", challenge_hex, response_hex, slot);
} }
iterations = CR_DEFAULT_ITERATIONS; iterations = CR_DEFAULT_ITERATIONS;
@ -384,17 +383,17 @@ load_chalresp_state(FILE *f, CR_STATE *state, bool verbose)
if (! yubikey_hex_p(challenge_hex)) { if (! yubikey_hex_p(challenge_hex)) {
D(("Invalid challenge hex input : %s", challenge_hex)); D(debug_file, "Invalid challenge hex input : %s", challenge_hex);
goto out; goto out;
} }
if (! yubikey_hex_p(response_hex)) { if (! yubikey_hex_p(response_hex)) {
D(("Invalid expected response hex input : %s", response_hex)); D(debug_file, "Invalid expected response hex input : %s", response_hex);
goto out; goto out;
} }
if (slot != 1 && slot != 2) { if (slot != 1 && slot != 2) {
D(("Invalid slot input : %i", slot)); D(debug_file, "Invalid slot input : %i", slot);
goto out; goto out;
} }

27
util.h
View File

@ -38,23 +38,14 @@
#include <stdint.h> #include <stdint.h>
#include <pwd.h> #include <pwd.h>
#if defined(DEBUG_PAM) #define D(file, x...) do { \
# if defined(HAVE_SECURITY__PAM_MACROS_H) fprintf (file, "debug: %s:%d (%s): ", __FILE__, __LINE__, __FUNCTION__); \
# define DEBUG fprintf (file, x); \
# include <security/_pam_macros.h> fprintf (file, "\n"); \
# else } while (0)
# define D(x) do { \
printf ("debug: %s:%d (%s): ", __FILE__, __LINE__, __FUNCTION__); \
printf x; \
printf ("\n"); \
} while (0)
# endif /* HAVE_SECURITY__PAM_MACROS_H */
#else
# define D(x)
#endif /* DEBUG_PAM */
int get_user_cfgfile_path(const char *common_path, const char *filename, const struct passwd *user, char **fn); int get_user_cfgfile_path(const char *common_path, const char *filename, const struct passwd *user, char **fn);
int check_user_token(const char *authfile, const char *username, const char *otp_id, int verbose); int check_user_token(const char *authfile, const char *username, const char *otp_id, int verbose, FILE *debug_file);
#if HAVE_CR #if HAVE_CR
#include <ykcore.h> #include <ykcore.h>
@ -83,13 +74,13 @@ typedef struct chalresp_state CR_STATE;
int generate_random(void *buf, int len); int generate_random(void *buf, int len);
int get_user_challenge_file(YK_KEY *yk, const char *chalresp_path, const struct passwd *user, char **fn); int get_user_challenge_file(YK_KEY *yk, const char *chalresp_path, const struct passwd *user, char **fn, FILE *debug_file);
int load_chalresp_state(FILE *f, CR_STATE *state, bool verbose); int load_chalresp_state(FILE *f, CR_STATE *state, bool verbose, FILE *debug_file);
int write_chalresp_state(FILE *f, CR_STATE *state); int write_chalresp_state(FILE *f, CR_STATE *state);
int init_yubikey(YK_KEY **yk); int init_yubikey(YK_KEY **yk);
int check_firmware_version(YK_KEY *yk, bool verbose, bool quiet); int check_firmware_version(YK_KEY *yk, bool verbose, bool quiet, FILE *debug_file);
int challenge_response(YK_KEY *yk, int slot, int challenge_response(YK_KEY *yk, int slot,
char *challenge, unsigned int len, char *challenge, unsigned int len,
bool hmac, bool may_block, bool verbose, bool hmac, bool may_block, bool verbose,

5
ykpamcfg.c
View File

@ -41,7 +41,6 @@
#include <ykpers.h> #include <ykpers.h>
#undef DEBUG_PAM
#include "util.h" #include "util.h"
#define ACTION_ADD_HMAC_CHALRESP "add_hmac_chalresp" #define ACTION_ADD_HMAC_CHALRESP "add_hmac_chalresp"
@ -185,7 +184,7 @@ do_add_hmac_chalresp(YK_KEY *yk, uint8_t slot, bool verbose, char *output_dir, u
} }
} }
if (! get_user_challenge_file(yk, output_dir, p, &fn)) { if (! get_user_challenge_file(yk, output_dir, p, &fn, stdout)) {
fprintf (stderr, "Failed getting chalresp state filename\n"); fprintf (stderr, "Failed getting chalresp state filename\n");
goto out; goto out;
} }
@ -294,7 +293,7 @@ main(int argc, char **argv)
if (! init_yubikey (&yk)) if (! init_yubikey (&yk))
goto err; goto err;
if (! check_firmware_version(yk, verbose, false)) if (! check_firmware_version(yk, verbose, false, stdout))
goto err; goto err;
if (! do_add_hmac_chalresp (yk, slot, verbose, output_dir, iterations, &exit_code)) if (! do_add_hmac_chalresp (yk, slot, verbose, output_dir, iterations, &exit_code))