Changeset 455 in openpam for trunk/lib/pam_get_authtok.c


Timestamp:
Oct 29, 2011, 6:31:11 PM (8 years ago)
Author:
Dag-Erling Smørgrav
Message:

Add a new API function, openpam_subst(3), which replaces substitution
codes in a string with the values of selected PAM items. Use it for
prompts.

Furthermore, modify pam_get_user(3) and pam_get_authtok(3) to look for
module options named {user,authtok,oldauthtok}_prompt, as appropriate.
If found, these options take precedence over both the caller's prompt
and the PAM_{USER,AUTHTOK,OLDAUTHTOK}_PROMPT items. The usefulness of
these options is somewhat limited by the fact that the policy file
parser does not support quoted strings; that's next on the todo list.

File:
1 edited

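--- a/trunk/lib/pam_get_authtok.c
+++ b/trunk/lib/pam_get_authtok.c
@@ -66,6 +66,8 @@
         const char *prompt)
 {
+        char prompt_buf[1024];
+        size_t prompt_size;
         const void *oldauthtok, *prevauthtok, *promptp;
-        const char *default_prompt;
+        const char *prompt_option, *default_prompt;
         char *resp, *resp2;
         int pitem, r, style, twice;
@@ -79,4 +81,5 @@
         case PAM_AUTHTOK:
                 pitem = PAM_AUTHTOK_PROMPT;
+                prompt_option = "authtok_prompt";
                 default_prompt = authtok_prompt;
                 r = pam_get_item(pamh, PAM_OLDAUTHTOK, &oldauthtok);
@@ -88,4 +91,5 @@
         case PAM_OLDAUTHTOK:
                 pitem = PAM_OLDAUTHTOK_PROMPT;
+                prompt_option = "oldauthtok_prompt";
                 default_prompt = oldauthtok_prompt;
                 twice = 0;
@@ -104,11 +108,19 @@
                         RETURNC(r == PAM_SUCCESS ? PAM_AUTH_ERR : r);
         }
-        if (prompt == NULL) {
-                r = pam_get_item(pamh, pitem, &promptp);
-                if (r != PAM_SUCCESS || promptp == NULL)
-                        prompt = default_prompt;
-                else
+        /* pam policy overrides the module's choice */
+        if ((promptp = openpam_get_option(pamh, prompt_option)) != NULL)
+                prompt = promptp;
+        /* no prompt provided, see if there is one tucked away somewhere */
+        if (prompt == NULL)
+                if (pam_get_item(pamh, pitem, &promptp) && promptp != NULL)
                         prompt = promptp;
-        }
+        /* fall back to hardcoded default */
+        if (prompt == NULL)
+                prompt = default_prompt;
+        /* expand */
+        prompt_size = sizeof prompt_buf;
+        r = openpam_subst(pamh, prompt_buf, &prompt_size, prompt);
+        if (r == PAM_SUCCESS && prompt_size <= sizeof prompt_buf)
+                prompt = prompt_buf;
         style = openpam_get_option(pamh, "echo_pass") ?
             PAM_PROMPT_ECHO_ON : PAM_PROMPT_ECHO_OFF;
@@ -165,4 +177,11 @@
  * as appropriate, will be used.
  * If that item is also =NULL, a hardcoded default prompt will be used.
+ * Either way, the prompt is expanded using =openpam_subst before it is
+ * passed to the conversation function.
+ *
+ * If =pam_get_authtok is called from a module and the ;authtok_prompt /
+ * ;oldauthtok_prompt option is set in the policy file, the value of that
+ * option takes precedence over both the =prompt argument and the
+ * =PAM_AUTHTOK_PROMPT / =PAM_OLDAUTHTOK_PROMPT item.
  *
  * If =item is set to =PAM_AUTHTOK and there is a non-null =PAM_OLDAUTHTOK
@@ -173,3 +192,4 @@
  * >pam_get_item
  * >pam_get_user
+ * >openpam_subst
  */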
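Review bot: The item lookup on new line 115, `if (pam_get_item(pamh, pitem, &promptp) && promptp != NULL)`, tests the PAM status code as a boolean, and since PAM_SUCCESS is zero the branch is taken only when pam_get_item fails, so a PAM_AUTHTOK_PROMPT / PAM_OLDAUTHTOK_PROMPT item the caller set is never used and the hardcoded default wins; the removed code compared the status against PAM_SUCCESS explicitly. The line should read `if (pam_get_item(pamh, pitem, &promptp) == PAM_SUCCESS && promptp != NULL)`. A smaller point: when openpam_subst does not succeed, or reports a size larger than prompt_buf, the unexpanded template is shown to the user with its substitution codes intact, which is a defensible fallback but deserves a comment such as `/* on failure or truncation, show the unexpanded prompt rather than a clipped one */`. The enclosing pam_get_authtok body starts and ends outside this section.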