Changeset 455 in openpam


Timestamp:
Oct 29, 2011, 6:31:11 PM (4 years ago)
Author:
des
Message:

Add a new API function, openpam_subst(3), which replaces substitution
codes in a string with the values of selected PAM items. Use it for
prompts.

Furthermore, modify pam_get_user(3) and pam_get_authtok(3) to look for
module options named {user,authtok,oldauthtok}_prompt, as appropriate.
If found, these options take precedence over both the caller's prompt
and the PAM_{USER,AUTHTOK,OLDAUTHTOK}_PROMPT items. The usefulness of
these options is somewhat limited by the fact that the policy file
parser does not support quoted strings; that's next on the todo list.

Location:
trunk
Files:
1 added
6 edited

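--- a/trunk/HISTORY
+++ b/trunk/HISTORY
@@ -3,4 +3,14 @@
  - ENHANCE: removed static build autodetection, which didn't work anyway.
    Use an explicit, user-specified preprocessor variable instead.
+
+ - ENHANCE: cleaned up the documentation a bit.
+
+ - ENHANCE: added openpam_subst(3), allowing certain PAM items to be
+   embedded in strings such as prompts.  Apply it to the prompts used
+   by pam_get_user(3) and pam_get_authtok(3).
+
+ - ENHANCE: add support for the user_prompt, authtok_prompt and
+   oldauthtok_prompt module options, which override the prompts passed
+   by the module to pam_set_user(3) and pam_get_authtok(3).
 ============================================================================
 OpenPAM Hydrangea                                               2007-12-21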
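--- a/trunk/doc/man/Makefile.am
+++ b/trunk/doc/man/Makefile.am
@@ -45,4 +45,5 @@
         openpam_restore_cred.3 \
         openpam_set_option.3 \
+        openpam_subst.3 \
         openpam_ttyconv.3 \
         pam_error.3 \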
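--- a/trunk/include/security/openpam.h
+++ b/trunk/include/security/openpam.h
@@ -60,4 +60,10 @@
         OPENPAM_NONNULL((1,2));
 
+int
+openpam_subst(const pam_handle_t *_pamh,
+        char *_buf,
+        size_t *_bufsize,
+        const char *_template);
+
 void
 openpam_free_data(pam_handle_t *_pamh,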
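Review bot: The new openpam_subst prototype is the only declaration in this hunk without an OPENPAM_NONNULL annotation, while the declaration immediately above it ends in `OPENPAM_NONNULL((1,2));`; if none of its four pointer arguments may legitimately be NULL, ending the prototype with `OPENPAM_NONNULL((1,2,3,4));` keeps the header consistent and lets the compiler warn callers. The declaration also says nothing about _bufsize being an in/out parameter, which is what the two callers in this changeset appear to rely on (they initialise it to the buffer size and compare it against that size after the call); a short comment above the prototype such as `/* _bufsize: in = capacity of _buf, out = size required by the expansion */` would pin that contract, with the exact out-value semantics confirmed against openpam_subst.c, which is not visible here.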
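--- a/trunk/lib/Makefile.am
+++ b/trunk/lib/Makefile.am
@@ -25,4 +25,5 @@
         openpam_set_option.c \
         openpam_static.c \
+        openpam_subst.c \
         openpam_ttyconv.c \
         pam_acct_mgmt.c \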
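--- a/trunk/lib/pam_get_authtok.c
+++ b/trunk/lib/pam_get_authtok.c
@@ -66,6 +66,8 @@
         const char *prompt)
 {
+        char prompt_buf[1024];
+        size_t prompt_size;
         const void *oldauthtok, *prevauthtok, *promptp;
-        const char *default_prompt;
+        const char *prompt_option, *default_prompt;
         char *resp, *resp2;
         int pitem, r, style, twice;
@@ -79,4 +81,5 @@
         case PAM_AUTHTOK:
                 pitem = PAM_AUTHTOK_PROMPT;
+                prompt_option = "authtok_prompt";
                 default_prompt = authtok_prompt;
                 r = pam_get_item(pamh, PAM_OLDAUTHTOK, &oldauthtok);
@@ -88,4 +91,5 @@
         case PAM_OLDAUTHTOK:
                 pitem = PAM_OLDAUTHTOK_PROMPT;
+                prompt_option = "oldauthtok_prompt";
                 default_prompt = oldauthtok_prompt;
                 twice = 0;
@@ -104,11 +108,19 @@
                         RETURNC(r == PAM_SUCCESS ? PAM_AUTH_ERR : r);
         }
-        if (prompt == NULL) {
-                r = pam_get_item(pamh, pitem, &promptp);
-                if (r != PAM_SUCCESS || promptp == NULL)
-                        prompt = default_prompt;
-                else
+        /* pam policy overrides the module's choice */
+        if ((promptp = openpam_get_option(pamh, prompt_option)) != NULL)
+                prompt = promptp;
+        /* no prompt provided, see if there is one tucked away somewhere */
+        if (prompt == NULL)
+                if (pam_get_item(pamh, pitem, &promptp) && promptp != NULL)
                         prompt = promptp;
-        }
+        /* fall back to hardcoded default */
+        if (prompt == NULL)
+                prompt = default_prompt;
+        /* expand */
+        prompt_size = sizeof prompt_buf;
+        r = openpam_subst(pamh, prompt_buf, &prompt_size, prompt);
+        if (r == PAM_SUCCESS && prompt_size <= sizeof prompt_buf)
+                prompt = prompt_buf;
         style = openpam_get_option(pamh, "echo_pass") ?
             PAM_PROMPT_ECHO_ON : PAM_PROMPT_ECHO_OFF;
@@ -165,4 +177,11 @@
  * as appropriate, will be used.
  * If that item is also =NULL, a hardcoded default prompt will be used.
+ * Either way, the prompt is expanded using =openpam_subst before it is
+ * passed to the conversation function.
+ *
+ * If =pam_get_authtok is called from a module and the ;authtok_prompt /
+ * ;oldauthtok_prompt option is set in the policy file, the value of that
+ * option takes precedence over both the =prompt argument and the
+ * =PAM_AUTHTOK_PROMPT / =PAM_OLDAUTHTOK_PROMPT item.
  *
  * If =item is set to =PAM_AUTHTOK and there is a non-null =PAM_OLDAUTHTOK
@@ -173,3 +192,4 @@
  * >pam_get_item
  * >pam_get_user
+ * >openpam_subst
  */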
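Review bot: The item lookup at new line 115 is inverted: pam_get_item() returns PAM_SUCCESS, which is zero, so `if (pam_get_item(pamh, pitem, &promptp) && promptp != NULL)` can only be true when the lookup fails, and on success the PAM_AUTHTOK_PROMPT / PAM_OLDAUTHTOK_PROMPT item set by the application is skipped in favour of the hardcoded default; the removed code compared the return value against PAM_SUCCESS explicitly. It should read `if (pam_get_item(pamh, pitem, &promptp) == PAM_SUCCESS && promptp != NULL)`. Separately, when openpam_subst() fails or reports a required size larger than prompt_buf (new lines 122–124), the unexpanded template is silently handed to the conversation function, so an over-long policy-supplied prompt would be shown with its substitution codes intact; if that is not the intended degradation, returning the error from openpam_subst (or at least logging it) is the more conservative choice. pam_get_authtok begins before the first hunk and continues past the hunks shown here.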
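--- a/trunk/lib/pam_get_user.c
+++ b/trunk/lib/pam_get_user.c
@@ -63,4 +63,6 @@
         const char *prompt)
 {
+        char prompt_buf[1024];
+        size_t prompt_size;
         const void *promptp;
         char *resp;
@@ -73,11 +75,20 @@
         if (r == PAM_SUCCESS && *user != NULL)
                 RETURNC(PAM_SUCCESS);
-        if (prompt == NULL) {
-                r = pam_get_item(pamh, PAM_USER_PROMPT, &promptp);
-                if (r != PAM_SUCCESS || promptp == NULL)
-                        prompt = user_prompt;
-                else
+        /* pam policy overrides the module's choice */
+        if ((promptp = openpam_get_option(pamh, "user_prompt")) != NULL)
+                prompt = promptp;
+        /* no prompt provided, see if there is one tucked away somewhere */
+        if (prompt == NULL)
+                if (pam_get_item(pamh, PAM_USER_PROMPT, &promptp) &&
+                    promptp != NULL)
                         prompt = promptp;
-        }
+        /* fall back to hardcoded default */
+        if (prompt == NULL)
+                prompt = user_prompt;
+        /* expand */
+        prompt_size = sizeof prompt_buf;
+        r = openpam_subst(pamh, prompt_buf, &prompt_size, prompt);
+        if (r == PAM_SUCCESS && prompt_size <= sizeof prompt_buf)
+                prompt = prompt_buf;
         r = pam_prompt(pamh, PAM_PROMPT_ECHO_ON, &resp, "%s", prompt);
         if (r != PAM_SUCCESS)
@@ -110,8 +121,15 @@
  * The =prompt argument specifies a prompt to use if no user name is
  * cached.
- * If it is =NULL, the =PAM_USER_PROMPT will be used.
+ * If it is =NULL, the =PAM_USER_PROMPT item will be used.
  * If that item is also =NULL, a hardcoded default prompt will be used.
+ * Either way, the prompt is expanded using =openpam_subst before it is
+ * passed to the conversation function.
+ *
+ * If =pam_get_user is called from a module and the ;user_prompt option is
+ * set in the policy file, the value of that option takes precedence over
+ * both the =prompt argument and the =PAM_USER_PROMPT item.
  *
  * >pam_get_item
  * >pam_get_authtok
+ * >openpam_subst
  */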
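Review bot: The condition at new lines 82–83 tests the wrong sense of pam_get_item()'s return value: PAM_SUCCESS is zero, so `pam_get_item(pamh, PAM_USER_PROMPT, &promptp) && promptp != NULL` is false whenever the lookup succeeds, and an application-supplied PAM_USER_PROMPT item is never used — the new documentation in the second hunk promises the opposite, and the removed code tested `r != PAM_SUCCESS` explicitly. Change the test to `if (pam_get_item(pamh, PAM_USER_PROMPT, &promptp) == PAM_SUCCESS && promptp != NULL)`. If the lookup fails, promptp is presumably left at the NULL assigned by the preceding openpam_get_option() call, so the fallback path still works, but that relies on pam_get_item not touching its out-parameter on error, which is not visible here. pam_get_user's body starts before the first hunk and continues after the second.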