The following patch suggestion upgrades the PAM module
"pam_shishi.so" with initial logging support, as well
as the basics for option handling. Invocation is now
extended to allow

    auth sufficient pam_shishi.so debug realm=EX.ORG

although, for now, the only debugging output is
the message

    Acting on `[email protected]'.

The code is at present adapted to Linux PAM and to OpenPAM.
The intention, as a primary goal, is to get a module that
works with "login" and "ssh" in all capacities that are
possible with "pam_krb5.so". The present changes are only
a humble beginning.

Best regards,
  Mats Erik Andersson
>From 28dc4fe5477f976935314046cf0b3ecd40256f46 Mon Sep 17 00:00:00 2001
From: Mats Erik Andersson <[email protected]>
Date: Fri, 26 Oct 2012 14:30:20 +0200
Subject: [PATCH 1/2] pam_shishi: Basic logging and first options.

---
 configure.ac                  |    7 ++++-
 extra/pam_shishi/pam_shishi.c |   49 +++++++++++++++++++++++++++++++++++++++++
 2 files changed, 54 insertions(+), 2 deletions(-)

diff --git a/configure.ac b/configure.ac
index 919fcfc..f1e9a12 100644
--- a/configure.ac
+++ b/configure.ac
@@ -119,9 +119,12 @@ AM_CONDITIONAL(ENABLE_SHISHID, test "$ac_cv_search_syslog" != "no")
 AC_ARG_ENABLE(pam,
   AC_HELP_STRING([--disable-pam], [Don't use PAM even if available]))
 if test "$enable_pam" != "no"; then
-	AC_CHECK_HEADERS(security/pam_appl.h)
-	AC_CHECK_HEADERS(security/pam_modules.h, [], [],
+	AC_CHECK_HEADERS([security/pam_appl.h security/pam_ext.h])
+	AC_CHECK_HEADERS([security/pam_modules.h security/openpam.h], [], [],
 	[
+#if HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
 #if HAVE_SECURITY_PAM_APPL_H
 #include <security/pam_appl.h>
 #endif
diff --git a/extra/pam_shishi/pam_shishi.c b/extra/pam_shishi/pam_shishi.c
index 6380f51..446998b 100644
--- a/extra/pam_shishi/pam_shishi.c
+++ b/extra/pam_shishi/pam_shishi.c
@@ -29,6 +29,7 @@
 #include <stdlib.h>
 #include <stdarg.h>
 #include <ctype.h>
+#include <string.h>
 #endif
 
 #include <shishi.h>
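Review bot: The new `#include <string.h>` sits inside a preprocessor conditional that opens above this hunk (its `#endif` follows directly), while `strcmp`, `strncmp` and `strlen` are called unconditionally in `parse_argv`, added later in this patch. If that guard is not defined at build time, those calls would compile against implicit declarations. Moving the include outside the conditional would avoid that. The opening `#if` is not visible here, so this should be confirmed against the full file.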
@@ -44,6 +45,10 @@
 #define PAM_SM_SESSION
 #define PAM_SM_PASSWORD
 
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+
 #ifdef HAVE_SECURITY_PAM_APPL_H
 #include <security/pam_appl.h>
 #endif
@@ -51,6 +56,17 @@
 #include <security/pam_modules.h>
 #endif
 
+#ifdef HAVE_SECURITY_PAM_EXT_H
+#include <syslog.h>
+#include <security/pam_ext.h>
+#define LINUXPAM_LOGGING 1
+#endif
+#ifdef HAVE_SECURITY_OPENPAM_H
+#include <security/openpam.h>
+#define OPENPAM_LOGGING 1
+#endif
+
+
 #if defined DEBUG_PAM && defined HAVE_SECURITY__PAM_MACROS_H
 #define DEBUG
 #include <security/_pam_macros.h>
@@ -66,6 +82,23 @@
 #endif
 #endif
 
+int debug;
+const char *realm;
+
+void
+parse_argv (int argc, const char **argv)
+{
+  int i;
+
+  for (i = 0; i < argc; i++)
+    {
+      if (!strcmp ("debug", argv[i]))
+	debug++;
+      else if (!strncmp ("realm=", argv[i], strlen ("realm=")))
+	realm = argv[i] + strlen ("realm=");
+    }
+}
+
 PAM_EXTERN int
 pam_sm_authenticate (pam_handle_t * pamh,
 		     int flags, int argc, const char **argv)
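Review bot: `debug`, `realm` and `parse_argv` are defined with external linkage and are never reset, which is risky in a PAM module that is loaded into the address space of programs such as login or ssh. The generic names can clash with symbols of the host application or of other modules. Because `parse_argv` only increments `debug` and only overwrites `realm` when a `realm=` argument is present, a value from an earlier call stays in effect for a later call configured without it; `realm` also points into an argv array this module does not own, so it may be stale by then. I would declare all three `static` and start `parse_argv` with `debug = 0; realm = NULL;`. The body of pam_sm_authenticate continues outside the hunk.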
@@ -87,6 +120,8 @@ pam_sm_authenticate (pam_handle_t * pamh,
   for (i = 0; i < argc; i++)
     D (("argv[%d]=%s", i, argv[i]));
 
+  parse_argv (argc, argv);
+
   rc = shishi_init (&h);
   if (rc != SHISHI_OK)
     {
@@ -106,6 +141,20 @@ pam_sm_authenticate (pam_handle_t * pamh,
 
   shishi_principal_default_set (h, user);
 
+  if (realm && *realm)
+    shishi_realm_default_set (h, realm);
+
+  if (debug)
+    {
+#if defined LINUXPAM_LOGGING
+      pam_syslog (pamh, LOG_INFO, "Acting on `%s@%s'.",
+		  shishi_principal_default (h), shishi_realm_default (h));
+#elif defined OPENPAM_LOGGING
+      openpam_log (PAM_LOG_VERBOSE, "Acting on `%s@%s'.",
+		   shishi_principal_default (h), shishi_realm_default (h));
+#endif
+    }
+
   retval = pam_get_item (pamh, PAM_AUTHTOK, (const void **) &password);
   if (retval != PAM_SUCCESS)
     {
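Review bot: The debug message records the principal built from the name supplied by the person authenticating (`shishi_principal_default_set (h, user)` just above). With `debug` set, anything typed at the name prompt, including a password entered there by mistake, is written to the system log at `LOG_INFO`. A comment such as `/* Logs the client-supplied principal; enable "debug" only while troubleshooting. */` above the `if (debug)` block, or logging at `LOG_DEBUG` on the Linux-PAM branch, would make that explicit. Separately, when neither `LINUXPAM_LOGGING` nor `OPENPAM_LOGGING` is defined, the `debug` option is accepted but produces no output, which deserves an `#else` comment. The body of pam_sm_authenticate starts and ends outside the hunk.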
-- 
1.7.2.5
