| OLD | NEW |
|---|
| 1 // Copyright (c) 2009-2010 The Chromium OS Authors. All rights reserved. | 1 // Copyright (c) 2009-2010 The Chromium OS Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 // This is supposed to be defined before the pam includes. | 5 // This is supposed to be defined before the pam includes. |
| 6 #define PAM_SM_AUTH | 6 #define PAM_SM_AUTH |
| 7 | 7 |
| 8 #include <sys/types.h> | 8 #include "pam_offline/pam_prompt_wrapper.h" |
| 9 #include <sys/stat.h> | 9 #include "pam_offline/username_password_fetcher.h" |
| 10 #include "pam_offline/utils.h" |
| 11 |
| 12 #include <dbus/dbus-glib.h> |
| 10 #include <fcntl.h> | 13 #include <fcntl.h> |
| 11 | 14 #include <glib-object.h> |
| 12 #include <base/command_line.h> | |
| 13 #include <base/logging.h> | |
| 14 #include <security/_pam_macros.h> | 15 #include <security/_pam_macros.h> |
| 16 #include <security/pam_ext.h> |
| 15 #include <security/pam_modules.h> | 17 #include <security/pam_modules.h> |
| 16 #include <security/pam_ext.h> | |
| 17 #include <stdio.h> | 18 #include <stdio.h> |
| 18 #include <stdlib.h> | 19 #include <stdlib.h> |
| 20 #include <sys/stat.h> |
| 21 #include <sys/types.h> |
| 19 | 22 |
| 20 #include "pam_offline/credentials.h" | 23 #include "base/command_line.h" |
| 21 #include "pam_offline/authenticator.h" | 24 #include "base/logging.h" |
| 22 #include "pam_offline/pam_prompt_wrapper.h" | 25 #include "cros/chromeos_cros_api.h" |
| 23 #include "pam_offline/username_password_fetcher.h" | 26 #include "cros/chromeos_cryptohome.h" |
| 24 | 27 |
| 25 const char kUserName[] = "chronos"; | 28 const char kUserName[] = "chronos"; |
| 26 | 29 |
| 27 static void setcred_free(pam_handle_t *pamh /*unused*/, | 30 static void setcred_free(pam_handle_t *pamh /*unused*/, |
| 28 void *ptr, | 31 void *ptr, |
| 29 int err /*unused*/) { | 32 int err /*unused*/) { |
| 30 if (ptr) { | 33 if (ptr) { |
| 31 int *intptr = reinterpret_cast<int*>(ptr); | 34 int *intptr = reinterpret_cast<int*>(ptr); |
| 32 delete intptr; | 35 delete intptr; |
| 33 } | 36 } |
| 34 } | 37 } |
| 35 | 38 |
| 39 static bool pam_offline_libcros_loaded = false; |
| 40 static bool ensure_libcros() { |
| 41 if(!pam_offline_libcros_loaded) { |
| 42 ::g_type_init(); |
| 43 std::string load_error; |
| 44 pam_offline_libcros_loaded = |
| 45 chromeos::LoadLibcros(chromeos::kCrosDefaultPath, load_error); |
| 46 } |
| 47 return pam_offline_libcros_loaded; |
| 48 } |
| 49 |
| 36 // PAM framework looks for these entry-points to pass control to the | 50 // PAM framework looks for these entry-points to pass control to the |
| 37 // authentication module. | 51 // authentication module. |
| 38 | 52 |
| 39 // pam_sm_authenticate() will decrypt something using the given creds | 53 // pam_sm_authenticate() will decrypt something using the given creds |
| 40 // and return success if the something decrypts successfully, failure | 54 // and return success if the something decrypts successfully, failure |
| 41 // otherwise. | 55 // otherwise. |
| 42 PAM_EXTERN int pam_sm_authenticate(pam_handle_t * pamh, int flags, | 56 PAM_EXTERN int pam_sm_authenticate(pam_handle_t * pamh, int flags, |
| 43 int argc, const char **argv) { | 57 int argc, const char **argv) { |
| 44 // "flags" can contain PAM_SILENT, which means we shouldn't emit | 58 // "flags" can contain PAM_SILENT, which means we shouldn't emit |
| 45 // any messages, and PAM_DISALLOW_NULL_AUTHTOK, which means that | 59 // any messages, and PAM_DISALLOW_NULL_AUTHTOK, which means that |
| 46 // unknown users should NOT be silently logged in. | 60 // unknown users should NOT be silently logged in. |
| 47 // | 61 // |
| 48 // TODO(cmasone): support PAM_SILENT | 62 // TODO(cmasone): support PAM_SILENT |
| 49 // TODO(cmasone): Should we behave as though DISALLOW_NULL_AUTHTOK | 63 // TODO(cmasone): Should we behave as though DISALLOW_NULL_AUTHTOK |
| 50 // is always set? I think so... | 64 // is always set? I think so... |
| 51 | 65 |
| 52 // ret_data points to some space that we use to store our return | 66 // ret_data points to some space that we use to store our return |
| 53 // value for later use in pam_sm_setcred | 67 // value for later use in pam_sm_setcred |
| 54 int retval = PAM_AUTH_ERR; | 68 int retval = PAM_AUTH_ERR; |
| 55 int *ret_data = new int; | 69 int *ret_data = new int; |
| 56 | 70 |
| 57 pam_offline::PamPromptWrapper pam; | 71 pam_offline::PamPromptWrapper pam; |
| 58 pam_offline::UsernamePasswordFetcher fetcher(&pam); | 72 pam_offline::UsernamePasswordFetcher fetcher(&pam); |
| 59 pam_offline::Credentials *credentials = fetcher.FetchCredentials(pamh); | 73 pam_offline::Credentials *credentials = fetcher.FetchCredentials(pamh); |
| 60 | 74 |
| 61 // If fetcher.FetchCredentials times out you get NULL credentials | 75 // If fetcher.FetchCredentials times out you get NULL credentials |
| 62 if (credentials) { | 76 if (credentials) { |
| 63 pam_offline::Authenticator auth; | |
| 64 | 77 |
| 65 if (auth.Init()) { | 78 if (ensure_libcros()) { |
| 66 if (auth.TestAllMasterKeys(*credentials)) { | 79 char username[pam_offline::kMaxUsernameLength]; |
| 67 retval = PAM_SUCCESS; | 80 memset(username, 0, sizeof(username)); |
| 68 pam_set_item(pamh, PAM_USER, | 81 credentials->GetFullUsername(username, sizeof(username)); |
| 69 reinterpret_cast<const void*>(kUserName)); | 82 pam_offline::Blob salt = chromeos::CryptohomeGetSystemSalt(); |
| 83 if(salt.size() != 0) { |
| 84 if(chromeos::CryptohomeCheckKey(username, |
| 85 credentials->GetPasswordWeakHash(salt).c
_str())) { |
| 86 retval = PAM_SUCCESS; |
| 87 pam_set_item(pamh, PAM_USER, |
| 88 reinterpret_cast<const void*>(kUserName)); |
| 89 } else { |
| 90 LOG(INFO) << "Invalid credentials."; |
| 91 } |
| 70 } else { | 92 } else { |
| 71 LOG(INFO) << "Invalid credentials."; | 93 LOG(INFO) << "Unable to get system salt."; |
| 72 } | 94 } |
| 73 } else { | 95 } else { |
| 74 LOG(ERROR) << "Authenticator failed to Init()."; | 96 LOG(ERROR) << "libcros load failed."; |
| 75 } | 97 } |
| 76 | 98 |
| 77 delete credentials; | 99 delete credentials; |
| 78 } else { | 100 } else { |
| 79 LOG(INFO) << "FetchCredentials returned NULL."; | 101 LOG(INFO) << "FetchCredentials returned NULL."; |
| 80 } | 102 } |
| 81 | 103 |
| 82 *ret_data = retval; | 104 *ret_data = retval; |
| 83 pam_set_data(pamh, "unix_setcred_return", | 105 pam_set_data(pamh, "unix_setcred_return", |
| 84 reinterpret_cast<void *>(ret_data), setcred_free); | 106 reinterpret_cast<void *>(ret_data), setcred_free); |
| (...skipping 32 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 117 struct pam_module _pam_offline_modstruct = { | 139 struct pam_module _pam_offline_modstruct = { |
| 118 "pam_offline", | 140 "pam_offline", |
| 119 pam_sm_authenticate, | 141 pam_sm_authenticate, |
| 120 pam_sm_setcred, | 142 pam_sm_setcred, |
| 121 NULL, | 143 NULL, |
| 122 NULL, | 144 NULL, |
| 123 NULL, | 145 NULL, |
| 124 NULL, | 146 NULL, |
| 125 }; | 147 }; |
| 126 #endif | 148 #endif |
| OLD | NEW |
|---|
Chromium Code Reviews
