]>
Commit | Line | Data |
---|---|---|
5bb4e06a DM |
1 | package PVE::Auth::PAM; |
2 | ||
3 | use strict; | |
7c410d63 DM |
4 | use warnings; |
5 | ||
5bb4e06a DM |
6 | use PVE::Tools qw(run_command); |
7 | use PVE::Auth::Plugin; | |
8 | use Authen::PAM qw(:constants); | |
9 | ||
10 | use base qw(PVE::Auth::Plugin); | |
11 | ||
12 | sub type { | |
13 | return 'pam'; | |
14 | } | |
15 | ||
16 | sub options { | |
17 | return { | |
18 | default => { optional => 1 }, | |
19 | comment => { optional => 1 }, | |
20 | }; | |
21 | } | |
22 | ||
23 | sub authenticate_user { | |
24 | my ($class, $config, $realm, $username, $password) = @_; | |
25 | ||
26 | # user (www-data) need to be able to read /etc/passwd /etc/shadow | |
27 | die "no password\n" if !$password; | |
28 | ||
29 | my $pamh = new Authen::PAM('common-auth', $username, sub { | |
30 | my @res; | |
31 | while(@_) { | |
32 | my $msg_type = shift; | |
33 | my $msg = shift; | |
34 | push @res, (0, $password); | |
35 | } | |
36 | push @res, 0; | |
37 | return @res; | |
38 | }); | |
39 | ||
40 | if (!ref ($pamh)) { | |
41 | my $err = $pamh->pam_strerror($pamh); | |
42 | die "error during PAM init: $err"; | |
43 | } | |
44 | ||
45 | my $res; | |
46 | ||
47 | if (($res = $pamh->pam_authenticate(0)) != PAM_SUCCESS) { | |
48 | my $err = $pamh->pam_strerror($res); | |
49 | die "$err\n"; | |
50 | } | |
51 | ||
52 | if (($res = $pamh->pam_acct_mgmt (0)) != PAM_SUCCESS) { | |
53 | my $err = $pamh->pam_strerror($res); | |
54 | die "$err\n"; | |
55 | } | |
56 | ||
57 | $pamh = 0; # call destructor | |
58 | ||
59 | return 1; | |
60 | } | |
61 | ||
62 | ||
63 | sub store_password { | |
64 | my ($class, $config, $realm, $username, $password) = @_; | |
65 | ||
66 | my $cmd = ['usermod']; | |
67 | ||
68 | my $epw = PVE::Auth::Plugin::encrypt_pw($password); | |
69 | ||
70 | push @$cmd, '-p', $epw, $username; | |
71 | ||
72 | run_command($cmd, errmsg => 'change password failed'); | |
73 | } | |
74 | ||
75 | 1; |