]> git.proxmox.com Git - pve-access-control.git/blob - PVE/Auth/PAM.pm
projects / pve-access-control.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
allow dots in access paths
[pve-access-control.git] / PVE / Auth / PAM.pm
1 package PVE::Auth::PAM;
2
3 use strict;
4 use warnings;
5
6 use PVE::Tools qw(run_command);
7 use PVE::Auth::Plugin;
8 use Authen::PAM qw(:constants);
9
10 use base qw(PVE::Auth::Plugin);
11
12 sub type {
13 return 'pam';
14 }
15
16 sub options {
17 return {
18 default => { optional => 1 },
19 comment => { optional => 1 },
20 };
21 }
22
23 sub authenticate_user {
24 my ($class, $config, $realm, $username, $password) = @_;
25
26 # user (www-data) need to be able to read /etc/passwd /etc/shadow
27 die "no password\n" if !$password;
28
29 my $pamh = new Authen::PAM('common-auth', $username, sub {
30 my @res;
31 while(@_) {
32 my $msg_type = shift;
33 my $msg = shift;
34 push @res, (0, $password);
35 }
36 push @res, 0;
37 return @res;
38 });
39
40 if (!ref ($pamh)) {
41 my $err = $pamh->pam_strerror($pamh);
42 die "error during PAM init: $err";
43 }
44
45 my $res;
46
47 if (($res = $pamh->pam_authenticate(0)) != PAM_SUCCESS) {
48 my $err = $pamh->pam_strerror($res);
49 die "$err\n";
50 }
51
52 if (($res = $pamh->pam_acct_mgmt (0)) != PAM_SUCCESS) {
53 my $err = $pamh->pam_strerror($res);
54 die "$err\n";
55 }
56
57 $pamh = 0; # call destructor
58
59 return 1;
60 }
61
62
63 sub store_password {
64 my ($class, $config, $realm, $username, $password) = @_;
65
66 my $cmd = ['usermod'];
67
68 my $epw = PVE::Auth::Plugin::encrypt_pw($password);
69
70 push @$cmd, '-p', $epw, $username;
71
72 run_command($cmd, errmsg => 'change password failed');
73 }
74
75 1;
Access control framework