21 #ifdef HAVE_SECURITY_PAM_APPL_H
22 # include <security/pam_appl.h>
24 #ifdef HAVE_SECURITY_PAM_MODULES_H
25 # include <security/pam_modules.h>
30 # define PAM_EXTERN static
32 # define PAM_EXTERN extern
36 static struct _auth_chunk
37 token_key(const unsigned char *challenge, const int challengesize)
39 struct _auth_chunk ho = {0};
41 int keysize = sizeof(ho.data);
43 if ((rc = pcsc_cr(challenge, challengesize, ho.data, &keysize))) {
44 ho.err = pcsc_errstr(rc);
49 static void update_nonce(char *nonce, const int nonsize)
53 sscanf(nonce, "%d", &n);
54 snprintf(nonce, nonsize, "%d", n+1);
62 void parse_cfg(struct _cfg * const cfg, int argc, const char *argv[])
66 for (i = 0; i < argc; i++) {
67 if (strchr(argv[i],':') && strchr(argv[i],'='))
69 else if (!strcmp(argv[i], "verbose")) cfg->verbose = 1;
70 else if (!strcmp(argv[i], "noaskpass")) cfg->noaskpass = 1;
75 pam_sm_authenticate(pam_handle_t *pamh, int flags,
76 int argc, const char *argv[])
78 struct _cfg cfg = {0};
79 const char *tokenid = NULL;
85 parse_cfg(&cfg, argc, argv);
87 if ((pam_err = pam_get_user(pamh, &user, NULL)) != PAM_SUCCESS) {
88 if (cfg.verbose) syslog(LOG_ERR, "get_user failed: %s",
89 pam_strerror(pamh, pam_err));
92 if (strspn(user, "0123456789") == strlen(user)) {
99 pam_err = pam_get_authtok(pamh, PAM_AUTHTOK,
100 (const char **)&password, NULL);
102 struct pam_conv *conv;
103 struct pam_message msg;
104 const struct pam_message *msgp;
105 struct pam_response *resp;
107 if ((pam_err = pam_get_item(pamh, PAM_CONV,
108 (const void **)&conv))) {
109 if (cfg.verbose) syslog(LOG_ERR,
110 "get_item failed: %s",
111 pam_strerror(pamh, pam_err));
114 msg.msg_style = PAM_PROMPT_ECHO_OFF;
115 msg.msg = "Token password:";
118 pam_err = (*conv->conv)(1, &msgp, &resp, conv->appdata_ptr);
120 if (pam_err == PAM_SUCCESS) password = resp->resp;
121 else free(resp->resp);
125 if (pam_err) return pam_err;
130 ao = authfile(tokenid, user, password, update_nonce,
131 NULL, 0, NULL, 0, token_key);
133 if (cfg.verbose) syslog(LOG_INFO, "authfile: %s", ao.err);
137 pam_set_item(pamh, PAM_USER, ao.data);
138 if (ao.payload && ao.payload[0])
139 pam_set_item(pamh, PAM_AUTHTOK, ao.payload);
145 pam_sm_setcred(pam_handle_t *pamh, int flags,
146 int argc, const char *argv[])
152 pam_sm_acct_mgmt(pam_handle_t *pamh, int flags,
153 int argc, const char *argv[])
159 pam_sm_open_session(pam_handle_t *pamh, int flags,
160 int argc, const char *argv[])
166 pam_sm_close_session(pam_handle_t *pamh, int flags,
167 int argc, const char *argv[])
173 pam_sm_chauthtok(pam_handle_t *pamh, int flags,
174 int argc, const char *argv[])
176 return PAM_SERVICE_ERR;
179 #ifdef PAM_MODULE_ENTRY
180 PAM_MODULE_ENTRY("pam_unix");
184 struct pam_module _pam_pcsc_cr_modstruct = {
190 pam_sm_close_session,