If the PAM module cannot update the challenge response file (due to permissions errors, usually), the incorrect error message is displayed "Error communicating with YubiKey...".
This patch makes it so the correct error message is sent to the PAM client, which makes resolving this issue a lot easier.
As raised in #174, ldap_bind_as_user cannot be used if this module is
set to get YubiKey+OTP because the initial ldap lookup fails (since the
password is not set yet). `always_prompt` will stil the initial lookup,
meaning that the user will be given the chance to enter their password.
This adds support for using a client cert/key to authenticate to an LDAP
server. It is separate from binding with a username and password and
can either be used alongside it or with an anonymous bind to the server.
This allows using the authenticating user's username and password to
bind to the LDAP server. This is desirable because it allows for
looking up the yubikey attributes without needing to create a service
account.
Compiler cannot find the declaration for pm_sm_authenticate and prints
the following warning (split due to long line):
pam_test.c:184:10: warning: implicit declaration of function
‘pam_sm_authenticate’; did you mean ‘pam_authenticate’?
[-Wimplicit-function-declaration]
This makes sure that file descriptors will be closed, even if the
fdopen() call failes, which was overlooked in some cases beforehand.
Should be not an issue in the real world, but let's be as clean as
possible.
strncpy() is _NOT_ a safe version of strcpy() and it should not be used
(ineffective and dangerous since a NUL termination might be missing).
Instead snprintf() the way to safely construct a string with a given
limit. This commit implements this for the action parsing in ykpamcfg.
This checks the return code of snprintf() and makes sure that fullpath
actually fits into a buffer of size PATH_MAX. Otherwise, it will output
an error and exit.
Instead of hardcoding the buffer size to 256, using PATH_MAX makes more
sense here, since this can be defined differently on different
platforms. This is not perfect, though, refer to [1] for some details.
In our case it should be good enough.
[1]: https://eklitzke.org/path-max-is-tricky
