1 // Copyright (c) 2009-2010 The Chromium OS Authors. All rights reserved. | 1 // Copyright (c) 2009-2010 The Chromium OS Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 // This is supposed to be defined before the pam includes. | 5 // This is supposed to be defined before the pam includes. |
6 #define PAM_SM_AUTH | 6 #define PAM_SM_AUTH |
7 | 7 |
8 #include <sys/types.h> | 8 #include "pam_offline/pam_prompt_wrapper.h" |
9 #include <sys/stat.h> | 9 #include "pam_offline/username_password_fetcher.h" |
| 10 #include "pam_offline/utils.h" |
| 11 |
| 12 #include <dbus/dbus-glib.h> |
10 #include <fcntl.h> | 13 #include <fcntl.h> |
11 | 14 #include <glib-object.h> |
12 #include <base/command_line.h> | |
13 #include <base/logging.h> | |
14 #include <security/_pam_macros.h> | 15 #include <security/_pam_macros.h> |
| 16 #include <security/pam_ext.h> |
15 #include <security/pam_modules.h> | 17 #include <security/pam_modules.h> |
16 #include <security/pam_ext.h> | |
17 #include <stdio.h> | 18 #include <stdio.h> |
18 #include <stdlib.h> | 19 #include <stdlib.h> |
| 20 #include <sys/stat.h> |
| 21 #include <sys/types.h> |
19 | 22 |
20 #include "pam_offline/credentials.h" | 23 #include "base/command_line.h" |
21 #include "pam_offline/authenticator.h" | 24 #include "base/logging.h" |
22 #include "pam_offline/pam_prompt_wrapper.h" | 25 #include "cros/chromeos_cros_api.h" |
23 #include "pam_offline/username_password_fetcher.h" | 26 #include "cros/chromeos_cryptohome.h" |
24 | 27 |
25 const char kUserName[] = "chronos"; | 28 const char kUserName[] = "chronos"; |
26 | 29 |
27 static void setcred_free(pam_handle_t *pamh /*unused*/, | 30 static void setcred_free(pam_handle_t *pamh /*unused*/, |
28 void *ptr, | 31 void *ptr, |
29 int err /*unused*/) { | 32 int err /*unused*/) { |
30 if (ptr) { | 33 if (ptr) { |
31 int *intptr = reinterpret_cast<int*>(ptr); | 34 int *intptr = reinterpret_cast<int*>(ptr); |
32 delete intptr; | 35 delete intptr; |
33 } | 36 } |
34 } | 37 } |
35 | 38 |
| 39 static bool pam_offline_libcros_loaded = false; |
| 40 static bool ensure_libcros() { |
| 41 if(!pam_offline_libcros_loaded) { |
| 42 ::g_type_init(); |
| 43 std::string load_error; |
| 44 pam_offline_libcros_loaded = |
| 45 chromeos::LoadLibcros(chromeos::kCrosDefaultPath, load_error); |
| 46 } |
| 47 return pam_offline_libcros_loaded; |
| 48 } |
| 49 |
36 // PAM framework looks for these entry-points to pass control to the | 50 // PAM framework looks for these entry-points to pass control to the |
37 // authentication module. | 51 // authentication module. |
38 | 52 |
39 // pam_sm_authenticate() will decrypt something using the given creds | 53 // pam_sm_authenticate() will decrypt something using the given creds |
40 // and return success if the something decrypts successfully, failure | 54 // and return success if the something decrypts successfully, failure |
41 // otherwise. | 55 // otherwise. |
42 PAM_EXTERN int pam_sm_authenticate(pam_handle_t * pamh, int flags, | 56 PAM_EXTERN int pam_sm_authenticate(pam_handle_t * pamh, int flags, |
43 int argc, const char **argv) { | 57 int argc, const char **argv) { |
44 // "flags" can contain PAM_SILENT, which means we shouldn't emit | 58 // "flags" can contain PAM_SILENT, which means we shouldn't emit |
45 // any messages, and PAM_DISALLOW_NULL_AUTHTOK, which means that | 59 // any messages, and PAM_DISALLOW_NULL_AUTHTOK, which means that |
46 // unknown users should NOT be silently logged in. | 60 // unknown users should NOT be silently logged in. |
47 // | 61 // |
48 // TODO(cmasone): support PAM_SILENT | 62 // TODO(cmasone): support PAM_SILENT |
49 // TODO(cmasone): Should we behave as though DISALLOW_NULL_AUTHTOK | 63 // TODO(cmasone): Should we behave as though DISALLOW_NULL_AUTHTOK |
50 // is always set? I think so... | 64 // is always set? I think so... |
51 | 65 |
52 // ret_data points to some space that we use to store our return | 66 // ret_data points to some space that we use to store our return |
53 // value for later use in pam_sm_setcred | 67 // value for later use in pam_sm_setcred |
54 int retval = PAM_AUTH_ERR; | 68 int retval = PAM_AUTH_ERR; |
55 int *ret_data = new int; | 69 int *ret_data = new int; |
56 | 70 |
57 pam_offline::PamPromptWrapper pam; | 71 pam_offline::PamPromptWrapper pam; |
58 pam_offline::UsernamePasswordFetcher fetcher(&pam); | 72 pam_offline::UsernamePasswordFetcher fetcher(&pam); |
59 pam_offline::Credentials *credentials = fetcher.FetchCredentials(pamh); | 73 pam_offline::Credentials *credentials = fetcher.FetchCredentials(pamh); |
60 | 74 |
61 // If fetcher.FetchCredentials times out you get NULL credentials | 75 // If fetcher.FetchCredentials times out you get NULL credentials |
62 if (credentials) { | 76 if (credentials) { |
63 pam_offline::Authenticator auth; | |
64 | 77 |
65 if (auth.Init()) { | 78 if (ensure_libcros()) { |
66 if (auth.TestAllMasterKeys(*credentials)) { | 79 char username[pam_offline::kMaxUsernameLength]; |
67 retval = PAM_SUCCESS; | 80 memset(username, 0, sizeof(username)); |
68 pam_set_item(pamh, PAM_USER, | 81 credentials->GetFullUsername(username, sizeof(username)); |
69 reinterpret_cast<const void*>(kUserName)); | 82 pam_offline::Blob salt = chromeos::CryptohomeGetSystemSalt(); |
| 83 if(salt.size() != 0) { |
| 84 if(chromeos::CryptohomeCheckKey(username, |
| 85 credentials->GetPasswordWeakHash(salt).c
_str())) { |
| 86 retval = PAM_SUCCESS; |
| 87 pam_set_item(pamh, PAM_USER, |
| 88 reinterpret_cast<const void*>(kUserName)); |
| 89 } else { |
| 90 LOG(INFO) << "Invalid credentials."; |
| 91 } |
70 } else { | 92 } else { |
71 LOG(INFO) << "Invalid credentials."; | 93 LOG(INFO) << "Unable to get system salt."; |
72 } | 94 } |
73 } else { | 95 } else { |
74 LOG(ERROR) << "Authenticator failed to Init()."; | 96 LOG(ERROR) << "libcros load failed."; |
75 } | 97 } |
76 | 98 |
77 delete credentials; | 99 delete credentials; |
78 } else { | 100 } else { |
79 LOG(INFO) << "FetchCredentials returned NULL."; | 101 LOG(INFO) << "FetchCredentials returned NULL."; |
80 } | 102 } |
81 | 103 |
82 *ret_data = retval; | 104 *ret_data = retval; |
83 pam_set_data(pamh, "unix_setcred_return", | 105 pam_set_data(pamh, "unix_setcred_return", |
84 reinterpret_cast<void *>(ret_data), setcred_free); | 106 reinterpret_cast<void *>(ret_data), setcred_free); |
(...skipping 32 matching lines...)
117 struct pam_module _pam_offline_modstruct = { | 139 struct pam_module _pam_offline_modstruct = { |
118 "pam_offline", | 140 "pam_offline", |
119 pam_sm_authenticate, | 141 pam_sm_authenticate, |
120 pam_sm_setcred, | 142 pam_sm_setcred, |
121 NULL, | 143 NULL, |
122 NULL, | 144 NULL, |
123 NULL, | 145 NULL, |
124 NULL, | 146 NULL, |
125 }; | 147 }; |
126 #endif | 148 #endif |
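Review bot: `load_error` in ensure_libcros() (new lines 43–45) is filled by chromeos::LoadLibcros but never logged, so the `LOG(ERROR) << "libcros load failed."` at new line 96 reports a failure with no cause; add `if (!pam_offline_libcros_loaded) LOG(ERROR) << "LoadLibcros: " << load_error;` before the closing brace of that block. `credentials->GetFullUsername(username, sizeof(username))` at new line 81 is called without checking its result, so if it can fail or truncate, a zero-filled or partial name reaches CryptohomeCheckKey — if it reports a status, gate the salt/key check on it. `memset` (new line 80) and `std::string` (new line 43) are used, but neither <cstring>/<string.h> nor <string> appears in the new include list, so they presumably arrive transitively. Style: `if(` at new lines 41, 83 and 84 departs from the `if (` spacing used elsewhere in the file. pam_sm_authenticate continues past the visible hunk into the skipped lines.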