Changeset 455 in openpam


Timestamp:
Oct 29, 2011, 6:31:11 PM (3 years ago)
Author:
des
Message:

Add a new API function, openpam_subst(3), which replaces substitution
codes in a string with the values of selected PAM items. Use it for
prompts.

Furthermore, modify pam_get_user(3) and pam_get_authtok(3) to look for
module options named {user,authtok,oldauthtok}_prompt, as appropriate.
If found, these options take precedence over both the caller's prompt
and the PAM_{USER,AUTHTOK,OLDAUTHTOK}_PROMPT items. The usefulness of
these options is somewhat limited by the fact that the policy file
parser does not support quoted strings; that's next on the todo list.

Location:
trunk
Files:
1 added
6 edited

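--- a/trunk/HISTORY
+++ b/trunk/HISTORY
@@ -3,4 +3,14 @@
 - ENHANCE: removed static build autodetection, which didn't work anyway.
   Use an explicit, user-specified preprocessor variable instead.
+
+- ENHANCE: cleaned up the documentation a bit.
+
+- ENHANCE: added openpam_subst(3), allowing certain PAM items to be
+  embedded in strings such as prompts.  Apply it to the prompts used
+  by pam_get_user(3) and pam_get_authtok(3).
+
+- ENHANCE: add support for the user_prompt, authtok_prompt and
+  oldauthtok_prompt module options, which override the prompts passed
+  by the module to pam_set_user(3) and pam_get_authtok(3).
 ============================================================================
 OpenPAM Hydrangea                                               2007-12-21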
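--- a/trunk/doc/man/Makefile.am
+++ b/trunk/doc/man/Makefile.am
@@ -45,4 +45,5 @@
         openpam_restore_cred.3 \
         openpam_set_option.3 \
+        openpam_subst.3 \
         openpam_ttyconv.3 \
         pam_error.3 \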
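--- a/trunk/include/security/openpam.h
+++ b/trunk/include/security/openpam.h
@@ -60,4 +60,10 @@
         OPENPAM_NONNULL((1,2));
 
+int
+openpam_subst(const pam_handle_t *_pamh,
+        char *_buf,
+        size_t *_bufsize,
+        const char *_template);
+
 void
 openpam_free_data(pam_handle_t *_pamh,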
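Review bot: The new openpam_subst prototype carries no OPENPAM_NONNULL annotation, while the declaration immediately above it ends in `OPENPAM_NONNULL((1,2));`, so a caller passing a NULL handle, buffer, size pointer or template gets none of the compile-time checking the rest of this header provides. If openpam_subst dereferences all four arguments unconditionally (its body is not part of this changeset view), the declaration should end in `OPENPAM_NONNULL((1,2,3,4));` to match its neighbours. The header also says nothing about the `_bufsize` contract; the two callers in this changeset set it to the buffer capacity before the call and compare it against that capacity afterwards, which suggests an in/out parameter, and a one-line comment above the prototype stating that (once confirmed against openpam_subst.c) would spare the next reader the same inference.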
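--- a/trunk/lib/Makefile.am
+++ b/trunk/lib/Makefile.am
@@ -25,4 +25,5 @@
         openpam_set_option.c \
         openpam_static.c \
+        openpam_subst.c \
         openpam_ttyconv.c \
         pam_acct_mgmt.c \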
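--- a/trunk/lib/pam_get_authtok.c
+++ b/trunk/lib/pam_get_authtok.c
@@ -66,6 +66,8 @@
         const char *prompt)
 {
+        char prompt_buf[1024];
+        size_t prompt_size;
         const void *oldauthtok, *prevauthtok, *promptp;
-        const char *default_prompt;
+        const char *prompt_option, *default_prompt;
         char *resp, *resp2;
         int pitem, r, style, twice;
@@ -79,4 +81,5 @@
         case PAM_AUTHTOK:
                 pitem = PAM_AUTHTOK_PROMPT;
+                prompt_option = "authtok_prompt";
                 default_prompt = authtok_prompt;
                 r = pam_get_item(pamh, PAM_OLDAUTHTOK, &oldauthtok);
@@ -88,4 +91,5 @@
         case PAM_OLDAUTHTOK:
                 pitem = PAM_OLDAUTHTOK_PROMPT;
+                prompt_option = "oldauthtok_prompt";
                 default_prompt = oldauthtok_prompt;
                 twice = 0;
@@ -104,11 +108,19 @@
                         RETURNC(r == PAM_SUCCESS ? PAM_AUTH_ERR : r);
         }
-        if (prompt == NULL) {
-                r = pam_get_item(pamh, pitem, &promptp);
-                if (r != PAM_SUCCESS || promptp == NULL)
-                        prompt = default_prompt;
-                else
+        /* pam policy overrides the module's choice */
+        if ((promptp = openpam_get_option(pamh, prompt_option)) != NULL)
+                prompt = promptp;
+        /* no prompt provided, see if there is one tucked away somewhere */
+        if (prompt == NULL)
+                if (pam_get_item(pamh, pitem, &promptp) && promptp != NULL)
                         prompt = promptp;
-        }
+        /* fall back to hardcoded default */
+        if (prompt == NULL)
+                prompt = default_prompt;
+        /* expand */
+        prompt_size = sizeof prompt_buf;
+        r = openpam_subst(pamh, prompt_buf, &prompt_size, prompt);
+        if (r == PAM_SUCCESS && prompt_size <= sizeof prompt_buf)
+                prompt = prompt_buf;
         style = openpam_get_option(pamh, "echo_pass") ?
             PAM_PROMPT_ECHO_ON : PAM_PROMPT_ECHO_OFF;
@@ -165,4 +177,11 @@
  * as appropriate, will be used.
  * If that item is also =NULL, a hardcoded default prompt will be used.
+ * Either way, the prompt is expanded using =openpam_subst before it is
+ * passed to the conversation function.
+ *
+ * If =pam_get_authtok is called from a module and the ;authtok_prompt /
+ * ;oldauthtok_prompt option is set in the policy file, the value of that
+ * option takes precedence over both the =prompt argument and the
+ * =PAM_AUTHTOK_PROMPT / =PAM_OLDAUTHTOK_PROMPT item.
  *
  * If =item is set to =PAM_AUTHTOK and there is a non-null =PAM_OLDAUTHTOK
@@ -173,3 +192,4 @@
  * >pam_get_item
  * >pam_get_user
+ * >openpam_subst
  */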
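Review bot: The item lookup at new line 115, `if (pam_get_item(pamh, pitem, &promptp) && promptp != NULL)`, is inverted: pam_get_item reports success by returning PAM_SUCCESS, which is zero, so the branch is entered only when the lookup fails, and a PAM_AUTHTOK_PROMPT or PAM_OLDAUTHTOK_PROMPT item set by the application is never used even though the comment block added at lines 177-185 still promises it is honoured and the removed code tested `r != PAM_SUCCESS` explicitly. It should read `if (pam_get_item(pamh, pitem, &promptp) == PAM_SUCCESS && promptp != NULL)`. Separately, at lines 121-124 a failed openpam_subst or an expansion longer than the 1024-byte prompt_buf leaves `prompt` pointing at the unexpanded template, so the raw substitution codes are shown to the user; that is a defensible fallback, but it deserves a comment such as `/* on failure or overflow, show the template unexpanded */` and a diagnostic log line so the truncated case is not invisible. pam_get_authtok begins before the first hunk and continues past the last code hunk.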
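--- a/trunk/lib/pam_get_user.c
+++ b/trunk/lib/pam_get_user.c
@@ -63,4 +63,6 @@
         const char *prompt)
 {
+        char prompt_buf[1024];
+        size_t prompt_size;
         const void *promptp;
         char *resp;
@@ -73,11 +75,20 @@
         if (r == PAM_SUCCESS && *user != NULL)
                 RETURNC(PAM_SUCCESS);
-        if (prompt == NULL) {
-                r = pam_get_item(pamh, PAM_USER_PROMPT, &promptp);
-                if (r != PAM_SUCCESS || promptp == NULL)
-                        prompt = user_prompt;
-                else
+        /* pam policy overrides the module's choice */
+        if ((promptp = openpam_get_option(pamh, "user_prompt")) != NULL)
+                prompt = promptp;
+        /* no prompt provided, see if there is one tucked away somewhere */
+        if (prompt == NULL)
+                if (pam_get_item(pamh, PAM_USER_PROMPT, &promptp) &&
+                    promptp != NULL)
                         prompt = promptp;
-        }
+        /* fall back to hardcoded default */
+        if (prompt == NULL)
+                prompt = user_prompt;
+        /* expand */
+        prompt_size = sizeof prompt_buf;
+        r = openpam_subst(pamh, prompt_buf, &prompt_size, prompt);
+        if (r == PAM_SUCCESS && prompt_size <= sizeof prompt_buf)
+                prompt = prompt_buf;
         r = pam_prompt(pamh, PAM_PROMPT_ECHO_ON, &resp, "%s", prompt);
         if (r != PAM_SUCCESS)
@@ -110,8 +121,15 @@
  * The =prompt argument specifies a prompt to use if no user name is
  * cached.
- * If it is =NULL, the =PAM_USER_PROMPT will be used.
+ * If it is =NULL, the =PAM_USER_PROMPT item will be used.
  * If that item is also =NULL, a hardcoded default prompt will be used.
+ * Either way, the prompt is expanded using =openpam_subst before it is
+ * passed to the conversation function.
+ *
+ * If =pam_get_user is called from a module and the ;user_prompt option is
+ * set in the policy file, the value of that option takes precedence over
+ * both the =prompt argument and the =PAM_USER_PROMPT item.
  *
  * >pam_get_item
  * >pam_get_authtok
+ * >openpam_subst
  */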
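Review bot: The check at new lines 82-83, `if (pam_get_item(pamh, PAM_USER_PROMPT, &promptp) && promptp != NULL)`, only fires when pam_get_item returns a non-zero error code, because PAM_SUCCESS is zero; an application-supplied PAM_USER_PROMPT item is therefore never used, contradicting the documentation added at lines 123-124, and the removed code at old lines 76-77 got this right with an explicit `r != PAM_SUCCESS` test. Change it to `if (pam_get_item(pamh, PAM_USER_PROMPT, &promptp) == PAM_SUCCESS && promptp != NULL)`. On the positive side, the policy-controlled prompt reaches pam_prompt through the fixed `"%s"` format at line 93 rather than as the format string itself, so a user_prompt option cannot smuggle conversions into the conversation call. pam_get_user begins before the first hunk and continues past the second.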