git.proxmox.com Git - pve-access-control.git/blob - PVE/Auth/PAM.pm
1 package PVE
::Auth
::PAM
;
6 use PVE
::Tools
qw(run_command);
8 use Authen
::PAM
qw(:constants);
10 use base
qw(PVE::Auth::Plugin);
18 default => { optional
=> 1 },
19 comment
=> { optional
=> 1 },
20 tfa
=> { optional
=> 1 },
# Check $username / $password against the host's PAM stack (service name
# 'common-auth') through Authen::PAM.
# NOTE(review): this listing is a partial extraction of the file; source
# lines are missing between the numbered fragments, so the comments below
# describe only the statements that are visible.
24 sub authenticate_user
{
25 my ($class, $config, $realm, $username, $password) = @_;
27 # user (www-data) need to be able to read /etc/passwd /etc/shadow
# NOTE(review): shadow read access for the web-facing user means a compromise
# of that process exposes every local password hash - confirm the access is
# granted as narrowly as possible (e.g. group membership, not world-readable).
# Refuse to start a PAM conversation without a password. Perl truthiness is
# used, so undef, '' and the literal string "0" are all rejected here.
28 die "no password\n" if !$password;
# Indirect-object constructor call, equivalent to
# Authen::PAM->new('common-auth', $username, sub { ... }).
# The third argument is the PAM conversation callback.
30 my $pamh = new Authen
::PAM
('common-auth', $username, sub {
# Visible part of the conversation callback: appends a (0, $password) pair to
# @res. Presumably this runs once per PAM prompt, i.e. the password is given
# as the answer regardless of the prompt type - the surrounding loop is not
# shown; verify against the full file.
35 push @res, (0, $password);
# NOTE(review): this looks like the error path for a failed constructor (the
# guard is not shown). If $pamh is then a plain error code rather than an
# object, the method call on it would itself fail instead of yielding $err -
# confirm against the full file.
42 my $err = $pamh->pam_strerror($pamh);
# No trailing newline, so Perl appends the file name and line number to the
# message.
43 die "error during PAM init: $err";
# Step 1: credential check. Any result other than PAM_SUCCESS is converted to
# a human-readable string; what is done with $err is not shown here.
48 if (($res = $pamh->pam_authenticate(0)) != PAM_SUCCESS
) {
49 my $err = $pamh->pam_strerror($res);
# Step 2: account management check (account validity as decided by the PAM
# stack, independent of the password). A correct password alone is therefore
# not sufficient to pass.
53 if (($res = $pamh->pam_acct_mgmt (0)) != PAM_SUCCESS
) {
54 my $err = $pamh->pam_strerror($res);
# Drop the only reference to the handle so the Authen::PAM destructor runs
# now (presumably ending the PAM transaction) rather than at scope exit.
58 $pamh = 0; # call destructor
# Body of a second sub whose header line is not part of this listing
# (presumably the plugin's password-change routine - confirm against the full
# file). It sets the system password of $username by invoking usermod.
65 my ($class, $config, $realm, $username, $password) = @_;
# The command is built as an argument array rather than a single string, so
# each element reaches usermod as one argument. Presumably run_command
# executes array-form commands without a shell - confirm in PVE::Tools.
67 my $cmd = ['usermod'];
# Hash the cleartext password first; only the result of encrypt_pw is placed
# on the command line. The hash format is decided by PVE::Tools::encrypt_pw
# and is not visible here.
69 my $epw = PVE
::Tools
::encrypt_pw
($password);
# NOTE(review): usermod(8) warns that a value given with -p is visible to
# users listing processes; here that is the password hash for the lifetime of
# the usermod process. Confirm this exposure is acceptable on multi-user
# hosts.
# NOTE(review): $username is appended as a positional argument without a
# preceding '--'; a name starting with '-' would be parsed as an option.
# Confirm that callers validate usernames before this point.
71 push @$cmd, '-p', $epw, $username;
# errmsg is passed as the message for a failed run; the cleartext password is
# not part of the arguments shown.
73 run_command
($cmd, errmsg
=> 'change password failed');