-rw-r--r-- | ChangeLog | 6 | ||||
-rw-r--r-- | debian/changelog | 7 | ||||
-rw-r--r-- | debian/control | 2 | ||||
-rw-r--r-- | debian/postinst | 10 | ||||
-rw-r--r-- | debian/prerm | 12 | ||||
-rwxr-xr-x | debian/rules | 5 | ||||
-rw-r--r-- | debian/tacplus | 15 | ||||
-rw-r--r-- | pam_tacplus.h | 2 | ||||
-rw-r--r-- | support.c | 74 |
9 files changed, 102 insertions, 31 deletions
@@ -1,9 +1,11 @@ 1.3.6 +* Added libpam-runtime support for debian +* Added use_first_pass and try_first_pass option, thanks to Luc Ducazu <lducazu@gmail.com> * Changed e-mail adres to jeroen@jeroennijhof.nl -* Improved accounting, added cmd attribute for command logging. +* Improved accounting, added cmd attribute for command logging * Added tac_acct_flag2str() * Renamed tac_account_read, tac_account_send to tac_acct_read and tac_acct_send -* pam_tacplus.spec.in: fixed static library path and pam_tacplus.so location. +* pam_tacplus.spec.in: fixed static library path and pam_tacplus.so location * Debian packaging improvements 1.3.5 diff --git a/debian/changelog b/debian/changelog index d13493c..153ed8b 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +libpam-tacplus (1.3.6-1) unstable; urgency=low + + * New upstream release. + * Added libpam-runtime support. + + -- Jeroen Nijhof <jeroen@jeroennijhof.nl> Mon, 7 May 2012 21:21:00 +0100 + libpam-tacplus (1.3.5-1) unstable; urgency=low * First version of pam_tacplus debian package. Closes: #588172 diff --git a/debian/control b/debian/control index 9e4a9c2..69fc805 100644 --- a/debian/control +++ b/debian/control @@ -8,7 +8,7 @@ Homepage: http://sourceforge.net/projects/tacplus Package: libpam-tacplus Architecture: any -Depends: ${shlibs:Depends}, ${misc:Depends} +Depends: ${shlibs:Depends}, ${misc:Depends}, libpam-runtime Description: PAM module for using TACACS+ as an authentication service This PAM module support authentication, authorization (account management) and accounting (session management) performed using TACACS+ protocol designed by diff --git a/debian/postinst b/debian/postinst new file mode 100644 index 0000000..bc65706 --- /dev/null +++ b/debian/postinst @@ -0,0 +1,10 @@ +#!/bin/sh +# postinst script for libpam-tacplus +# +# see: dh_installdeb(1) + +set -e + +pam-auth-update --package + +#DEBHELPER# diff --git a/debian/prerm b/debian/prerm new file mode 100644 index 0000000..f0ab388 
--- /dev/null +++ b/debian/prerm @@ -0,0 +1,12 @@ +#!/bin/sh +# prerm script for libpam-tacplus +# +# see: dh_installdeb(1) + +set -e + +if [ "$1" = remove ]; then + pam-auth-update --package --remove tacplus +fi + +#DEBHELPER# diff --git a/debian/rules b/debian/rules index e73e9db..feba227 100755 --- a/debian/rules +++ b/debian/rules @@ -19,3 +19,8 @@ override_dh_clean: override_dh_auto_configure: dh_auto_configure -- --libdir=/lib --docdir=/usr/share/doc/libpam-tacplus +override_dh_install: + mkdir debian/libpam-tacplus/usr/share/pam-configs + cp debian/tacplus debian/libpam-tacplus/usr/share/pam-configs/ + dh_install + diff --git a/debian/tacplus b/debian/tacplus new file mode 100644 index 0000000..bd7a2e3 --- /dev/null +++ b/debian/tacplus @@ -0,0 +1,15 @@ +Name: Tacacs+ authentication +Default: yes +Priority: 257 +Auth-Type: Primary +Auth: + sufficient pam_tacplus.so +Account-Type: Primary +Account: + sufficient pam_tacplus.so +Password-Type: Primary +Password: + sufficient pam_tacplus.so +Session-Type: Primary +Session: + sufficient pam_tacplus.so diff --git a/pam_tacplus.h b/pam_tacplus.h index e41b56c..afeeef5 100644 --- a/pam_tacplus.h +++ b/pam_tacplus.h @@ -22,6 +22,8 @@ /* pam_tacplus command line options */ #define PAM_TAC_DEBUG 0x01 #define PAM_TAC_ACCT 0x02 /* account on all specified servers */ +#define PAM_TAC_USE_FIRST_PASS 0x04 +#define PAM_TAC_TRY_FIRST_PASS 0x08 /* pam_tacplus major, minor and patchlevel version numbers */ #define PAM_TAC_VMAJ 1 
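Review bot: The `mkdir debian/libpam-tacplus/usr/share/pam-configs` line in the new override_dh_install target is not idempotent; a second build in an uncleaned tree fails on "File exists" and aborts the rule. Either use `mkdir -p` and `install -m 0644 debian/tacplus debian/libpam-tacplus/usr/share/pam-configs/`, or drop the override and list the file in `debian/libpam-tacplus.install` as `debian/tacplus usr/share/pam-configs` so dh_install handles directory creation and permissions.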
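Review bot: `Default: yes` in the new pam-configs profile enables pam_tacplus.so as a Primary Auth, Account, Password and Session module as soon as postinst runs `pam-auth-update --package`, i.e. before any TACACS+ server or shared key has been configured on the host; consider `Default: no` (the administrator enables it after configuring servers) or document in debian/README.Debian why it is safe to enable unconfigured. `Password-Type: Primary` with `sufficient pam_tacplus.so` only makes sense if the module implements pam_sm_chauthtok, which nothing in this commit shows — confirm, or drop the Password block. Note also that for Primary blocks pam-auth-update rewrites `sufficient` into its own jump controls, so the control word here documents intent rather than the final pam.d content.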
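Review bot: The two new flag macros carry no comment while the neighbouring PAM_TAC_ACCT does, and their behaviour is only discoverable from tacacs_get_password in support.c. From that change the semantics are `#define PAM_TAC_USE_FIRST_PASS 0x04 /* auth: take PAM_AUTHTOK from the stack, never prompt */` and `#define PAM_TAC_TRY_FIRST_PASS 0x08 /* auth: take PAM_AUTHTOK if set, otherwise prompt */`. Both are bits of the same ctrl mask as PAM_TAC_DEBUG and PAM_TAC_ACCT, so a short comment saying they must stay powers of two would help the next person adding an option.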
@@ -137,41 +137,55 @@ int converse(pam_handle_t * pamh, int nargs int tacacs_get_password (pam_handle_t * pamh, int flags ,int ctrl, char **password) { + const void *pam_pass; char *pass = NULL; - struct pam_message msg[1], *pmsg[1]; - struct pam_response *resp; - int retval; if (ctrl & PAM_TAC_DEBUG) syslog (LOG_DEBUG, "%s: called", __FUNCTION__); - /* set up conversation call */ - pmsg[0] = &msg[0]; - msg[0].msg_style = PAM_PROMPT_ECHO_OFF; - - if (!tac_prompt) { - msg[0].msg = "Password: "; + if ( (ctrl & (PAM_TAC_TRY_FIRST_PASS | PAM_TAC_USE_FIRST_PASS)) + && (pam_get_item(pamh, PAM_AUTHTOK, &pam_pass) == PAM_SUCCESS) + && (pam_pass != NULL) ) { + if ((pass = strdup(pam_pass)) == NULL) + return PAM_BUF_ERR; + } else if ((ctrl & PAM_TAC_USE_FIRST_PASS)) { + _pam_log(LOG_WARNING, "no forwarded password"); + return PAM_PERM_DENIED; } else { - msg[0].msg = tac_prompt; + struct pam_message msg[1], *pmsg[1]; + struct pam_response *resp; + int retval; + + /* set up conversation call */ + pmsg[0] = &msg[0]; + msg[0].msg_style = PAM_PROMPT_ECHO_OFF; + + if (!tac_prompt) { + msg[0].msg = "Password: "; + } else { + msg[0].msg = tac_prompt; + } + resp = NULL; + + if ((retval = converse (pamh, 1, pmsg, &resp)) != PAM_SUCCESS) + return retval; + + if (resp) { + if ((resp[0].resp == NULL) && (ctrl & PAM_TAC_DEBUG)) + _pam_log (LOG_DEBUG, "pam_sm_authenticate: NULL authtok given"); + + pass = resp[0].resp; /* remember this! */ + resp[0].resp = NULL; + } else { + if (ctrl & PAM_TAC_DEBUG) { + _pam_log (LOG_DEBUG, "pam_sm_authenticate: no error reported"); + _pam_log (LOG_DEBUG, "getting password, but NULL returned!?"); + } + return PAM_CONV_ERR; + } + free(resp); + resp = NULL; } - resp = NULL; - - if ((retval = converse (pamh, 1, pmsg, &resp)) != PAM_SUCCESS) - return retval; - - if (resp) { - if ((resp[0].resp == NULL) && (ctrl & PAM_TAC_DEBUG)) - _pam_log (LOG_DEBUG, "pam_sm_authenticate: NULL authtok given"); - pass = resp[0].resp; /* remember this! 
*/ - resp[0].resp = NULL; - } else if (ctrl & PAM_TAC_DEBUG) { - _pam_log (LOG_DEBUG, "pam_sm_authenticate: no error reported"); - _pam_log (LOG_DEBUG, "getting password, but NULL returned!?"); - return PAM_CONV_ERR; - } - - free(resp); - resp = NULL; *password = pass; /* this *MUST* be free()'d by this module */ @@ -191,6 +205,10 @@ int _pam_parse (int argc, const char **argv) { for (ctrl = 0; argc-- > 0; ++argv) { if (!strcmp (*argv, "debug")) { /* all */ ctrl |= PAM_TAC_DEBUG; + } else if (!strcmp (*argv, "use_first_pass")) { + ctrl |= PAM_TAC_USE_FIRST_PASS; + } else if (!strcmp (*argv, "try_first_pass")) { + ctrl |= PAM_TAC_TRY_FIRST_PASS; } else if (!strncmp (*argv, "service=", 8)) { /* author & acct */ tac_service = (char *) _xcalloc (strlen (*argv + 8) + 1); strcpy (tac_service, *argv + 8); |
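Review bot: In the new prompting branch the password obtained via `converse` is returned only through `*password` and is never stored on the PAM handle, so a module stacked after this one with its own use_first_pass sees no forwarded token; adding `pam_set_item(pamh, PAM_AUTHTOK, pass);` after a successful prompt would make the two new options compose with the rest of the stack — unless that is done later in the function, which continues past the end of the hunk. The try_first_pass path only falls back to prompting when no PAM_AUTHTOK is present at all; if the usual semantics are intended (re-prompt when the forwarded password is rejected by the server), that retry has to live in the caller, which this commit does not show. Minor: returning `PAM_PERM_DENIED` for "no forwarded password" reads as a policy denial, whereas other modules report `PAM_AUTHTOK_RECOVERY_ERR` in that situation.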