]>
Commit | Line | Data |
---|---|---|
5bb4e06a DM |
1 | package PVE::Auth::PAM; |
2 | ||
3 | use strict; | |
4 | use PVE::Tools qw(run_command); | |
5 | use PVE::Auth::Plugin; | |
6 | use Authen::PAM qw(:constants); | |
7 | ||
8 | use base qw(PVE::Auth::Plugin); | |
9 | ||
10 | sub type { | |
11 | return 'pam'; | |
12 | } | |
13 | ||
14 | sub options { | |
15 | return { | |
16 | default => { optional => 1 }, | |
17 | comment => { optional => 1 }, | |
18 | }; | |
19 | } | |
20 | ||
21 | sub authenticate_user { | |
22 | my ($class, $config, $realm, $username, $password) = @_; | |
23 | ||
24 | # user (www-data) need to be able to read /etc/passwd /etc/shadow | |
25 | die "no password\n" if !$password; | |
26 | ||
27 | my $pamh = new Authen::PAM('common-auth', $username, sub { | |
28 | my @res; | |
29 | while(@_) { | |
30 | my $msg_type = shift; | |
31 | my $msg = shift; | |
32 | push @res, (0, $password); | |
33 | } | |
34 | push @res, 0; | |
35 | return @res; | |
36 | }); | |
37 | ||
38 | if (!ref ($pamh)) { | |
39 | my $err = $pamh->pam_strerror($pamh); | |
40 | die "error during PAM init: $err"; | |
41 | } | |
42 | ||
43 | my $res; | |
44 | ||
45 | if (($res = $pamh->pam_authenticate(0)) != PAM_SUCCESS) { | |
46 | my $err = $pamh->pam_strerror($res); | |
47 | die "$err\n"; | |
48 | } | |
49 | ||
50 | if (($res = $pamh->pam_acct_mgmt (0)) != PAM_SUCCESS) { | |
51 | my $err = $pamh->pam_strerror($res); | |
52 | die "$err\n"; | |
53 | } | |
54 | ||
55 | $pamh = 0; # call destructor | |
56 | ||
57 | return 1; | |
58 | } | |
59 | ||
60 | ||
61 | sub store_password { | |
62 | my ($class, $config, $realm, $username, $password) = @_; | |
63 | ||
64 | my $cmd = ['usermod']; | |
65 | ||
66 | my $epw = PVE::Auth::Plugin::encrypt_pw($password); | |
67 | ||
68 | push @$cmd, '-p', $epw, $username; | |
69 | ||
70 | run_command($cmd, errmsg => 'change password failed'); | |
71 | } | |
72 | ||
73 | 1; |