21 #ifdef HAVE_SECURITY_PAM_APPL_H
22 # include <security/pam_appl.h>
24 #ifdef HAVE_SECURITY_PAM_MODULES_H
25 # include <security/pam_modules.h>
30 # define PAM_EXTERN static
32 # define PAM_EXTERN extern
/*
 * Challenge/response callback handed to authfile() from pam_sm_authenticate():
 * runs the challenge through pcsc_cr() and returns the card's reply in
 * ho.data.  When pcsc_cr() returns non-zero only ho.err is filled in, from
 * pcsc_errstr().  The opening brace, the declaration of rc and the return
 * statement lie on lines not shown on this page.
 */
36 static struct _auth_chunk
37 token_key(const unsigned char *challenge, const int challengesize)
/* Zero-initialised so that on failure the caller sees empty data and
   err == NULL until it is set below. */
39 struct _auth_chunk ho = {0};
/* keysize is passed by address to pcsc_cr(): presumably the buffer capacity
   on input and the number of bytes written on output -- TODO confirm against
   pcsc_cr(). */
41 int keysize = sizeof(ho.data);
/* rc is assigned here but its declaration is not among the visible lines. */
43 if ((rc = pcsc_cr(challenge, challengesize, ho.data, &keysize))) {
/* NOTE(review): the lifetime of the string pcsc_errstr() returns is not
   visible here; if a caller reads ho.err after this function returns it must
   not point at storage local to pcsc_errstr(). */
44 ho.err = pcsc_errstr(rc);
/*
 * Nonce-update callback handed to authfile() from pam_sm_authenticate():
 * treats the nonce as a decimal counter and rewrites it incremented by one.
 * The declarations between lines 49 and 53 (including n) are not visible on
 * this page.
 */
49 static void update_nonce(char *nonce, const int nonsize)
/* NOTE(review): the sscanf() result is not checked -- a nonce that does not
   parse as "%d" leaves n with whatever value its (unseen) declaration gave
   it, and n+1 on INT_MAX is signed overflow (UB).  A check of the return
   value and a bound before incrementing would close both gaps. */
53 sscanf(nonce, "%d", &n);
/* snprintf() truncates silently if the incremented value does not fit in
   nonsize bytes; the result is not checked. */
54 snprintf(nonce, nonsize, "%d", n+1);
/*
 * Fills *cfg from the module arguments given on the PAM configuration line.
 * Only the "verbose" keyword and the guard for the key=value:... form are
 * visible here; the branch body on line 67 and the declaration of the loop
 * variable lie on lines not shown on this page.
 */
61 void parse_cfg(struct _cfg * const cfg, int argc, const char *argv[])
65 for (i = 0; i < argc; i++) {
/* Arguments containing both ':' and '=' take the branch on line 67 (not
   shown); anything else is matched as a plain keyword below. */
66 if (strchr(argv[i],':') && strchr(argv[i],'='))
/* "verbose" turns on the syslog diagnostics in pam_sm_authenticate(). */
68 else if (!strcmp(argv[i], "verbose")) cfg->verbose = 1;
/*
 * PAM authentication entry point.  Reads the PAM user, optionally the
 * existing password item, and hands both to authfile() together with the
 * update_nonce/token_key callbacks; on success the user name (and, when
 * present, the payload) returned by authfile() are written back into the
 * PAM handle.  The return type on line 72, the declarations of user,
 * password, cfg, pam_err and ao, the return statements and the branch on
 * lines 91-94 are not visible on this page, so the notes below cover only
 * what is shown.
 */
73 pam_sm_authenticate(pam_handle_t *pamh, int flags,
74 int argc, const char *argv[])
77 const char *tokenid = NULL;
/* Module arguments from the PAM config line, e.g. "verbose". */
83 parse_cfg(&cfg, argc, argv);
/* Failures are logged only when "verbose" was given; the error return that
   presumably follows is on an unseen line. */
85 if ((pam_err = pam_get_user(pamh, &user, NULL)) != PAM_SUCCESS) {
86 if (cfg.verbose) syslog(LOG_ERR, "get_user failed: %s",
87 pam_strerror(pamh, pam_err));
/* An all-digit user name takes the branch on lines 91-94 (not shown);
   presumably it is interpreted as the token id rather than a login name --
   TODO confirm.  NOTE(review): an empty user string also satisfies this
   test, since strspn() and strlen() are both 0 for "". */
90 if (strspn(user, "0123456789") == strlen(user)) {
/* The existing PAM_AUTHTOK is fetched only when the application forbids a
   null token; otherwise password keeps whatever its (unseen) initialiser
   gave it -- presumably NULL -- and authfile() has to cope with that. */
95 if (flags & PAM_DISALLOW_NULL_AUTHTOK) {
96 if ((pam_err = pam_get_item(pamh, PAM_AUTHTOK,
97 (const void **)&password))) {
98 if (cfg.verbose) syslog(LOG_ERR,
99 "get_authtok failed: %s",
100 pam_strerror(pamh, pam_err));
/* authfile() performs the lookup and the challenge/response through the two
   callbacks; the remaining arguments are passed as NULL/0 here. */
107 ao = authfile(tokenid, user, password, update_nonce,
108 NULL, 0, NULL, 0, token_key);
/* Reached from the (unseen) test on line 109, presumably when ao.err is set. */
110 if (cfg.verbose) syslog(LOG_INFO, "authfile: %s", ao.err);
/* The user name resolved by authfile() replaces PAM_USER, and a non-empty
   payload becomes PAM_AUTHTOK, so modules stacked after this one that reuse
   the first password will see the payload as the password.
   NOTE(review): neither pam_set_item() result is checked. */
114 pam_set_item(pamh, PAM_USER, ao.data);
115 if (ao.payload && ao.payload[0])
116 pam_set_item(pamh, PAM_AUTHTOK, ao.payload);
/* Credential-setting entry point.  Its return type (line 121) and body
   (lines 124-127) are not visible on this page. */
122 pam_sm_setcred(pam_handle_t *pamh, int flags,
123 int argc, const char *argv[])
/* Account-management entry point.  Its return type (line 128) and body
   (lines 131-134) are not visible on this page. */
129 pam_sm_acct_mgmt(pam_handle_t *pamh, int flags,
130 int argc, const char *argv[])
/* Session-open entry point.  Its return type (line 135) and body
   (lines 138-141) are not visible on this page. */
136 pam_sm_open_session(pam_handle_t *pamh, int flags,
137 int argc, const char *argv[])
/* Session-close entry point.  Its return type (line 142) and body
   (lines 145-148) are not visible on this page. */
143 pam_sm_close_session(pam_handle_t *pamh, int flags,
144 int argc, const char *argv[])
/* Password-change entry point.  Its return type (line 149) and opening brace
   are not visible on this page; the visible body only reports that this
   module does not support changing the authentication token. */
150 pam_sm_chauthtok(pam_handle_t *pamh, int flags,
151 int argc, const char *argv[])
/* PAM_SERVICE_ERR tells the stack that token changes are not handled here. */
153 return PAM_SERVICE_ERR;
/*
 * Module registration for PAM implementations that provide PAM_MODULE_ENTRY.
 * NOTE(review): the entry is registered as "pam_unix" while the module
 * struct defined below is _pam_pcsc_cr_modstruct; this looks like a
 * left-over from another module and, on a PAM that keys static modules by
 * this name, would register this module under pam_unix's name -- verify the
 * intended name.  The matching #endif is on a line not shown here.
 */
156 #ifdef PAM_MODULE_ENTRY
157 PAM_MODULE_ENTRY("pam_unix");
161 struct pam_module _pam_pcsc_cr_modstruct = {
167 pam_sm_close_session,