[pve-access-control.git] / PVE / Auth / PAM.pm

package PVE::Auth::PAM;

use strict;
use PVE::Tools qw(run_command);
use PVE::Auth::Plugin;
use Authen::PAM qw(:constants);

use base qw(PVE::Auth::Plugin);

sub type {
    return 'pam';
}

sub options {
    return {
	default => { optional => 1 },
	comment => { optional => 1 },
    };
}

sub authenticate_user {
    my ($class, $config, $realm, $username, $password) = @_;

    # user (www-data) need to be able to read /etc/passwd /etc/shadow
    die "no password\n" if !$password;

    my $pamh = new Authen::PAM('common-auth', $username, sub {
	my @res;
	while(@_) {
	    my $msg_type = shift;
	    my $msg = shift;
	    push @res, (0, $password);
	}
	push @res, 0;
	return @res;
    });

    if (!ref ($pamh)) {
	my $err = $pamh->pam_strerror($pamh);
	die "error during PAM init: $err";
    }

    my $res;

    if (($res = $pamh->pam_authenticate(0)) != PAM_SUCCESS) {
	my $err = $pamh->pam_strerror($res);
	die "$err\n";
    }

    if (($res = $pamh->pam_acct_mgmt (0)) != PAM_SUCCESS) {
	my $err = $pamh->pam_strerror($res);
	die "$err\n";
    }

    $pamh = 0; # call destructor

    return 1;
}


sub store_password {
    my ($class, $config, $realm, $username, $password) = @_;

    my $cmd = ['usermod'];

    my $epw = PVE::Auth::Plugin::encrypt_pw($password);

    push @$cmd, '-p', $epw, $username;

    run_command($cmd, errmsg => 'change password failed');
}

1;
Commit	Line	Data
5bb4e06a DM	1	package PVE::Auth::PAM;
	2
	3	use strict;
	4	use PVE::Tools qw(run_command);
	5	use PVE::Auth::Plugin;
	6	use Authen::PAM qw(:constants);
	7
	8	use base qw(PVE::Auth::Plugin);
	9
	10	sub type {
	11	return 'pam';
	12	}
	13
	14	sub options {
	15	return {
	16	default => { optional => 1 },
	17	comment => { optional => 1 },
	18	};
	19	}
	20
	21	sub authenticate_user {
	22	my ($class, $config, $realm, $username, $password) = @_;
	23
	24	# user (www-data) need to be able to read /etc/passwd /etc/shadow
	25	die "no password\n" if !$password;
	26
	27	my $pamh = new Authen::PAM('common-auth', $username, sub {
	28	my @res;
	29	while(@_) {
	30	my $msg_type = shift;
	31	my $msg = shift;
	32	push @res, (0, $password);
	33	}
	34	push @res, 0;
	35	return @res;
	36	});
	37
	38	if (!ref ($pamh)) {
	39	my $err = $pamh->pam_strerror($pamh);
	40	die "error during PAM init: $err";
	41	}
	42
	43	my $res;
	44
	45	if (($res = $pamh->pam_authenticate(0)) != PAM_SUCCESS) {
	46	my $err = $pamh->pam_strerror($res);
	47	die "$err\n";
	48	}
	49
	50	if (($res = $pamh->pam_acct_mgmt (0)) != PAM_SUCCESS) {
	51	my $err = $pamh->pam_strerror($res);
	52	die "$err\n";
	53	}
	54
	55	$pamh = 0; # call destructor
	56
	57	return 1;
	58	}
	59
	60
	61	sub store_password {
	62	my ($class, $config, $realm, $username, $password) = @_;
	63
	64	my $cmd = ['usermod'];
65
66	my $epw = PVE::Auth::Plugin::encrypt_pw($password);
67
68	push @$cmd, '-p', $epw, $username;
69
70	run_command($cmd, errmsg => 'change password failed');
71	}
72
73	1;