fix typo in oathkeygen: randon -> random
[pve-access-control.git] / PVE / Auth / PAM.pm
1 package PVE::Auth::PAM;
2
3 use strict;
4 use warnings;
5
6 use PVE::Tools qw(run_command);
7 use PVE::Auth::Plugin;
8 use Authen::PAM qw(:constants);
9
10 use base qw(PVE::Auth::Plugin);
11
12 sub type {
13 return 'pam';
14 }
15
16 sub options {
17 return {
18 default => { optional => 1 },
19 comment => { optional => 1 },
20 tfa => { optional => 1 },
21 };
22 }
23
24 sub authenticate_user {
25 my ($class, $config, $realm, $username, $password) = @_;
26
27 # user (www-data) need to be able to read /etc/passwd /etc/shadow
28 die "no password\n" if !$password;
29
30 my $pamh = new Authen::PAM('proxmox-ve-auth', $username, sub {
31 my @res;
32 while(@_) {
33 my $msg_type = shift;
34 my $msg = shift;
35 push @res, (0, $password);
36 }
37 push @res, 0;
38 return @res;
39 });
40
41 if (!ref ($pamh)) {
42 my $err = $pamh->pam_strerror($pamh);
43 die "error during PAM init: $err";
44 }
45
46 my $res;
47
48 if (($res = $pamh->pam_authenticate(0)) != PAM_SUCCESS) {
49 my $err = $pamh->pam_strerror($res);
50 die "$err\n";
51 }
52
53 if (($res = $pamh->pam_acct_mgmt (0)) != PAM_SUCCESS) {
54 my $err = $pamh->pam_strerror($res);
55 die "$err\n";
56 }
57
58 $pamh = 0; # call destructor
59
60 return 1;
61 }
62
63
64 sub store_password {
65 my ($class, $config, $realm, $username, $password) = @_;
66
67 my $cmd = ['usermod'];
68
69 my $epw = PVE::Tools::encrypt_pw($password);
70
71 push @$cmd, '-p', $epw, $username;
72
73 run_command($cmd, errmsg => 'change password failed');
74 }
75
76 1;