git.proxmox.com Git - pve-access-control.git/blob - src/PVE/Auth/PAM.pm
1 package PVE
::Auth
::PAM
;
6 use PVE
::Tools
qw(run_command);
8 use Authen
::PAM
qw(:constants);
10 use base
qw(PVE::Auth::Plugin);
18 default => { optional
=> 1 },
19 comment
=> { optional
=> 1 },
20 tfa
=> { optional
=> 1 },
24 sub authenticate_user
{
25 my ($class, $config, $realm, $username, $password) = @_;
27 # user (www-data) needs to be able to read /etc/passwd and /etc/shadow
28 die "no password\n" if !$password;
30 my $pamh = Authen
::PAM-
>new('proxmox-ve-auth', $username, sub {
35 push @res, (0, $password);
42 my $err = $pamh->pam_strerror($pamh);
43 die "error during PAM init: $err";
46 if (my $rpcenv = PVE
::RPCEnvironment
::get
()) {
47 if (my $ip = $rpcenv->get_client_ip()) {
48 $pamh->pam_set_item(PAM_RHOST
(), $ip);
54 if (($res = $pamh->pam_authenticate(0)) != PAM_SUCCESS
) {
55 my $err = $pamh->pam_strerror($res);
59 if (($res = $pamh->pam_acct_mgmt (0)) != PAM_SUCCESS
) {
60 my $err = $pamh->pam_strerror($res);
64 $pamh = 0; # call destructor
# Change a system account's password by calling usermod with a pre-hashed value.
# Only $username and $password are used below; the other arguments are unpacked
# but not read in the visible statements.
my ($class, $config, $realm, $username, $password) = @_;

# encrypt_pw presumably returns a crypt(3)-style hash, which is the form
# usermod -p expects; the plaintext itself is never placed in the command.
my $epw = PVE::Tools::encrypt_pw($password);

# NOTE(review): usermod(8) warns that a value passed with -p is visible to
# local users who list processes, so the hash is briefly exposed in argv.
# Supplying it to `chpasswd -e` on stdin would avoid that -- confirm that
# run_command can feed stdin before changing this.
# NOTE(review): $username is the last positional argument; this presumably
# relies on the caller having validated it so that it cannot be parsed as an
# option -- verify against the caller.
my $cmd = ['usermod', '-p', $epw, $username];

# The command is passed as an array reference rather than a single string;
# errmsg presumably labels the error raised when usermod fails.
run_command($cmd, errmsg => 'change password failed');