authorJeroen Nijhof <jeroen@jeroennijhof.nl>2013-04-28 19:20:54 +0200
committerJeroen Nijhof <jeroen@jeroennijhof.nl>2013-04-28 19:20:54 +0200
commit94230d452c72f41c1ebe91e71660582d4cbb8b03 (patch)
tree39f93854abea0dab3ce885d25660b784877d55c4
parent117013b4c159cad96d92a24d5ea53a5adf74c58b (diff)
active_server cannot be a pointer; data is lost after authentication.
-rw-r--r--pam_tacplus.c15
-rw-r--r--sample.pam2
2 files changed, 9 insertions, 8 deletions
diff --git a/pam_tacplus.c b/pam_tacplus.c
index 7d3db51..4dff634 100644
--- a/pam_tacplus.c
+++ b/pam_tacplus.c
@@ -42,7 +42,7 @@
#endif
/* address of server discovered by pam_sm_authenticate */
-static tacplus_server_t *active_server = NULL;
+static tacplus_server_t active_server;
/* accounting task identifier */
static short int task_id = 0;
@@ -265,7 +265,6 @@ int pam_sm_authenticate (pam_handle_t * pamh, int flags,
int status = PAM_AUTH_ERR;
user = pass = tty = r_addr = NULL;
- active_server = NULL;
ctrl = _pam_parse (argc, argv);
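Review bot: Dropping the per-call reset here leaves `active_server` holding the last server that accepted a login for the lifetime of the process, and `pam_sm_acct_mgmt` (the hunk at `@@ -444`) uses `active_server.addr == NULL` as its "user not authenticated by TACACS+" gate. If the module instance stays loaded across sessions, a later `pam_sm_authenticate` that fails, or a stack that never reaches it, would still pass that gate and be authorized against the stale server and key. Restore the reset at the top of the function as `active_server.addr = NULL;` and `active_server.key = NULL;` (or `memset(&active_server, 0, sizeof active_server);`). The body of `pam_sm_authenticate` begins and ends outside this hunk; longer term this per-session state belongs on the handle via `pam_set_data` rather than in a file-scope static.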
@@ -341,7 +340,8 @@ int pam_sm_authenticate (pam_handle_t * pamh, int flags,
/* OK, we got authenticated; save the server that
accepted us for pam_sm_acct_mgmt and exit the loop */
status = PAM_SUCCESS;
- active_server = &tac_srv[srv_i];
+ active_server.addr = tac_srv[srv_i].addr;
+ active_server.key = tac_srv[srv_i].key;
close(tac_fd);
if (ctrl & PAM_TAC_DEBUG)
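Review bot: Replacing the pointer with a struct copies only the two members `addr` and `key`, and both are themselves pointers into `tac_srv[srv_i]` (`addr` is dereferenced as `active_server.addr->ai_addr` in the `@@ -444` hunk, and `key` is passed on to `tac_connect_single`), so this is a shallow copy. If the "data lost after authentication" in the commit message comes from `tac_srv[]` entries being freed or re-parsed between the auth and account calls, the copied pointers dangle exactly as the old pointer did; if `tac_srv[]` is static for the process, the old pointer was never the problem. Either copy the `addrinfo`/`sockaddr` and the key into storage owned by `active_server` (freeing the previous copy before overwriting), or add a comment on the declaration stating that `tac_srv[]` must outlive the PAM session. The same assignment is repeated in the next hunk (`@@ -357`), which has the same issue; `pam_sm_authenticate` begins and ends outside this hunk.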
@@ -357,7 +357,8 @@ int pam_sm_authenticate (pam_handle_t * pamh, int flags,
/* OK, we got authenticated; save the server that
accepted us for pam_sm_acct_mgmt and exit the loop */
status = PAM_SUCCESS;
- active_server = &tac_srv[srv_i];
+ active_server.addr = tac_srv[srv_i].addr;
+ active_server.key = tac_srv[srv_i].key;
close(tac_fd);
if (ctrl & PAM_TAC_DEBUG)
@@ -444,13 +445,13 @@ int pam_sm_acct_mgmt (pam_handle_t * pamh, int flags,
by TACACS+; we cannot solely authorize user if it hasn't
been authenticated or has been authenticated by method other
than TACACS+ */
- if(active_server->addr == NULL) {
+ if(active_server.addr == NULL) {
_pam_log (LOG_ERR, "user not authenticated by TACACS+");
return PAM_AUTH_ERR;
}
if (ctrl & PAM_TAC_DEBUG)
syslog (LOG_DEBUG, "%s: active server is [%s]", __FUNCTION__,
- tac_ntop(active_server->addr->ai_addr));
+ tac_ntop(active_server.addr->ai_addr));
/* checks for specific data required by TACACS+, which should
be supplied in command line */
@@ -466,7 +467,7 @@ int pam_sm_acct_mgmt (pam_handle_t * pamh, int flags,
tac_add_attrib(&attr, "service", tac_service);
tac_add_attrib(&attr, "protocol", tac_protocol);
- tac_fd = tac_connect_single(active_server->addr, active_server->key);
+ tac_fd = tac_connect_single(active_server.addr, active_server.key);
if(tac_fd < 0) {
_pam_log (LOG_ERR, "TACACS+ server unavailable");
if(arep.msg != NULL)
diff --git a/sample.pam b/sample.pam
index d02915a..8e6af3b 100644
--- a/sample.pam
+++ b/sample.pam
@@ -1,6 +1,6 @@
#%PAM-1.0
auth required /lib/security/pam_tacplus.so debug server=1.1.1.1 server=2.2.2.2:49 secret=SAME-SECRET
-account required /lib/security/pam_tacplus.so debug secret=SAME-SECRET service=ppp protocol=lcp
+account required /lib/security/pam_tacplus.so debug service=ppp protocol=lcp
account sufficient /lib/security/pam_exec.so /usr/local/bin/showenv.sh
password required /lib/security/pam_cracklib.
password required /lib/security/pam_pwdb.so shadow use_authtok