pegasus/src/Pegasus/Security/Authentication/PAMBasicAuthenticatorUnix.cpp - diff

Return to PAMBasicAuthenticatorUnix.cpp CVS log

Up to [Pegasus] / pegasus / src / Pegasus / Security / Authentication

Diff for /pegasus/src/Pegasus/Security/Authentication/PAMBasicAuthenticatorUnix.cpp between version 1.11.6.1 and 1.36.2.1

version 1.11.6.1, 2002/12/19 19:35:27

version 1.36.2.1, 2007/03/23 21:53:54

Line 1

//%/////////////////////////////////////////////////////////////////////////////

//%2006////////////////////////////////////////////////////////////////////////

// The Open Group, Tivoli Systems

// Company, L.P.; IBM Corp.; The Open Group; Tivoli Systems.

// IBM Corp.; EMC Corporation, The Open Group.

// IBM Corp.; EMC Corporation; VERITAS Software Corporation; The Open Group.

// EMC Corporation; VERITAS Software Corporation; The Open Group.

// EMC Corporation; Symantec Corporation; The Open Group.

// Permission is hereby granted, free of charge, to any person obtaining a copy

// of this software and associated documentation files (the "Software"), to

Line 21

Line 29

//==============================================================================

// Author: Nag Boranna, Hewlett-Packard Company(nagaraja_boranna@hp.com)

// Modified By: Yi Zhou, Hewlett-Packard Company(yi_zhou@hp.com)

//%/////////////////////////////////////////////////////////////////////////////

#include <Pegasus/Common/System.h>

#include <Pegasus/Common/Executor.h>

#include <Pegasus/Common/Tracer.h>

#include <Pegasus/Common/Destroyer.h>

#include <Pegasus/Config/ConfigManager.h>

#include <Pegasus/Common/Tracer.h>

#ifdef PEGASUS_OS_HPUX

#include <pwd.h>

#include <prot.h>

#endif

#include "PAMBasicAuthenticator.h"

PEGASUS_USING_STD;

PEGASUS_NAMESPACE_BEGIN

#include <security/pam_appl.h>

#define BUFFERLEN 1024

/**

Constant representing the Basic authentication challenge header.

static const String BASIC_CHALLENGE_HEADER = "WWW-Authenticate: Basic \"";

/** Service name for pam_start */

const char *service = "wbem";

typedef struct

{

CString userPassword;

} APP_DATA;

/* constructor. */

PAMBasicAuthenticator::PAMBasicAuthenticator()

{

PEG_METHOD_ENTER(TRC_AUTHENTICATION,

"PAMBasicAuthenticator::PAMBasicAuthenticator()");

// Build up realm: <hostname>:<port>

// get the local system name

_realm.assign(System::getHostName());

// get the configured port number

ConfigManager* configManager = ConfigManager::getInstance();

String port = configManager->getCurrentValue("httpPort");

Line 86

Line 59

_realm.append(":");

_realm.append(port);

#ifdef PEGASUS_OS_HPUX

// get the configured usePAMAuthentication flag

if (String::equal(

configManager->getCurrentValue("usePAMAuthentication"), "true"))

{

_usePAM = true;

}

else

{

_usePAM = false;

}

#endif

PEG_METHOD_EXIT();

}

/* destructor. */

PAMBasicAuthenticator::~PAMBasicAuthenticator()

{

PEG_METHOD_ENTER(TRC_AUTHENTICATION,

Line 117

Line 72

Boolean PAMBasicAuthenticator::authenticate(

const String& userName,

const String& password)

const String& password,

SessionKey& sessionKey)

{

PEG_METHOD_ENTER(TRC_AUTHENTICATION,

"PAMBasicAuthenticator::authenticate()");

Boolean authenticated;

if (Executor::authenticatePassword(

userName.getCString(), password.getCString(), sessionKey) != 0)

#ifndef PEGASUS_OS_HPUX

authenticated = _authenticateByPAM(userName, password);

#else

if (_usePAM)

{

authenticated = _authenticateByPAM(userName, password);

}

else

{

authenticated = _authenticateByPwnam(userName.getCString(), password);

return false;

}

#endif

PEG_METHOD_EXIT();

return (authenticated);

return true;

}

Boolean PAMBasicAuthenticator::_authenticateByPAM(

Boolean PAMBasicAuthenticator::validateUser(const String& userName)

const String& userName,

const String& password)

{

PEG_METHOD_ENTER(TRC_AUTHENTICATION,

"PAMBasicAuthenticator::_authenticateByPAM()");

"PAMBasicAuthenticator::validateUser()");

Boolean authenticated = false;

if (Executor::validateUser(userName.getCString()) != 0)

struct pam_conv pconv;

return false;

pam_handle_t *phandle;

char *name;

APP_DATA mydata;

// Store the password for PAM authentication

mydata.userPassword = password.getCString();

pconv.conv = PAMBasicAuthenticator::PAMCallback;

pconv.appdata_ptr = &mydata;

// WARNING: Should only be uncommented for debugging in a secure environment.

// Tracer::trace(TRC_AUTHENTICATION, Tracer::LEVEL4,

// "PAMBasicAuthenticator::_authenticateByPAM() - userName = %s; userPassword = %s",

// (const char *)userName.getCString(), (const char *)password.getCString());

//Call pam_start since you need to before making any other PAM calls

if ( ( pam_start(service,

(const char *)userName.getCString(), &pconv, &phandle) ) != PAM_SUCCESS )

{

PEG_METHOD_EXIT();

return (authenticated);

return true;

}

//Call pam_authenticate to authenticate the user

if ( ( pam_authenticate(phandle, 0) ) == PAM_SUCCESS )

{

Tracer::trace(TRC_AUTHENTICATION, Tracer::LEVEL4,

"PAMBasicAuthenticator::_authenticateByPAM() pam_authenticate successful.");

//Call pam_acct_mgmt, to check if the user account is valid. This includes

//checking for password and account expiration, as well as verifying access

//hour restrictions.

if ( ( pam_acct_mgmt(phandle, 0) ) == PAM_SUCCESS )

{

Tracer::trace(TRC_AUTHENTICATION, Tracer::LEVEL4,

"PAMBasicAuthenticator::_authenticateByPAM() pam_acct_mgmt successful.");

authenticated = true;

}

//Call pam_end to end our PAM work

pam_end(phandle, 0);

PEG_METHOD_EXIT();

return (authenticated);

}

#ifdef PEGASUS_OS_HPUX

Boolean PAMBasicAuthenticator::_authenticateByPwnam(

const char * userName,

const String& password)

{

PEG_METHOD_ENTER(TRC_AUTHENTICATION,

"PAMBasicAuthenticator::_authenticateByPwnam()");

Boolean authenticated = false;

String currPassword = String::EMPTY;

String encryptedPassword = String::EMPTY;

String saltStr = String::EMPTY;

// check if the system has been converted to a trusted system.

if (iscomsec())

{

// system is a trusted system

// use interface getprpwnam to get pr_passwd structure

struct pr_passwd * pwd;

char* _userName = strcpy(new char[strlen(userName) + 1], userName);

// getprpwnam returns a pointer to a pr_passwd structure upon success

if ( (pwd = getprpwnam(_userName)) != NULL)

{

Tracer::trace(TRC_AUTHENTICATION, Tracer::LEVEL4,

"PAMBasicAuthenticator::_authenticateByPwnam() getprpwnam successful.");

// get user's password from pr_passwd structure

currPassword = pwd->ufld.fd_encrypt;

}

delete [] _userName;

}

else

{

// system is not a trusted system

// use reentrant interface getpwnam_r to get password structure

struct passwd pwd;

struct passwd *result;

char pwdBuffer[BUFFERLEN];

// getpwnam_r returns zero upon success

if (getpwnam_r(userName, &pwd, pwdBuffer, BUFFERLEN, &result) == 0)

{

Tracer::trace(TRC_AUTHENTICATION, Tracer::LEVEL4,

"PAMBasicAuthenticator::_authenticateByPwnam() getpwnam_r successful.");

// get user's password from password file

currPassword = pwd.pw_passwd;

}

// Check if the specified password mathches user's password

saltStr = currPassword.subString(0,2);

encryptedPassword = System::encryptPassword(password.getCString(),

saltStr.getCString());

if (String::equal(currPassword, encryptedPassword))

{

authenticated = true;

}

PEG_METHOD_EXIT();

return (authenticated);

}

#endif

// Create authentication response header

String PAMBasicAuthenticator::getAuthResponseHeader()

{

PEG_METHOD_ENTER(TRC_AUTHENTICATION,

"PAMBasicAuthenticator::getAuthResponseHeader()");

// Build response header: WWW-Authenticate: Basic "<hostname>:<port>"

// build response header using realm

String responseHeader = "WWW-Authenticate: Basic \"";

String responseHeader = BASIC_CHALLENGE_HEADER;

responseHeader.append(_realm);

responseHeader.append("\"");

PEG_METHOD_EXIT();

return responseHeader;

return (responseHeader);

}

#if defined PEGASUS_OS_LINUX

Sint32 PAMBasicAuthenticator::PAMCallback(Sint32 num_msg, const struct pam_message **msg,

struct pam_response **resp, void *appdata_ptr)

#else

Sint32 PAMBasicAuthenticator::PAMCallback(Sint32 num_msg, struct pam_message **msg,

struct pam_response **resp, void *appdata_ptr)

#endif

{

PEG_METHOD_ENTER(TRC_AUTHENTICATION,

"PAMBasicAuthenticator::PAMCallback()");

for ( Sint32 i = 0; i < num_msg; i++ )

{

if ( msg[i]->msg_style != PAM_PROMPT_ECHO_OFF )

{

PEG_METHOD_EXIT();

return PAM_CONV_ERR;

}

// Copy the application specific data from the PAM structure.

APP_DATA *mydata;

mydata = (APP_DATA *) appdata_ptr;

// Allocate the response buffers

if ( num_msg > 0 )

{

*resp = (struct pam_response *)malloc(sizeof(struct pam_response)*num_msg);

if ( *resp == NULL )

{

PEG_METHOD_EXIT();

return PAM_BUF_ERR;

}

else

{

PEG_METHOD_EXIT();

return PAM_CONV_ERR;

}

for ( Sint32 i = 0; i < num_msg; i++ )

{

// We get here only if msg[i]->msg_style == PAM_PROMPT_ECHO_OFF,

// no need to check again.

// copy the user password

resp[i]->resp = (char *)malloc(PAM_MAX_MSG_SIZE);

strcpy(resp[i]->resp, mydata->userPassword);

resp[i]->resp_retcode = 0;

}

PEG_METHOD_EXIT();

return PAM_SUCCESS;

}

PEGASUS_NAMESPACE_END

Legend:

Removed from v.1.11.6.1
changed lines
	Added in v.1.36.2.1

No CVS admin address has been configured