2 * Copyright (c) 2015 Nathan Holstein <nathan.holstein@gmail.com>
4 * Permission to use, copy, modify, and distribute this software for any
5 * purpose with or without fee is hereby granted, provided that the above
6 * copyright notice and this permission notice appear in all copies.
8 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
9 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
10 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
11 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
12 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
13 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
14 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
17 #include <sys/types.h>
25 #include <security/pam_appl.h>
29 #define PAM_SERVICE_NAME "doas"
32 pam_prompt(const char *msg, int echo_on, int *pam)
34 char buf[PAM_MAX_RESP_SIZE];
35 int flags = RPP_REQUIRE_TTY | (echo_on ? RPP_ECHO_ON : RPP_ECHO_OFF);
36 char *ret = readpassphrase(msg, buf, sizeof(buf), flags);
39 else if (!(ret = strdup(ret)))
41 explicit_bzero(buf, sizeof(buf));
46 pam_conv(int nmsgs, const struct pam_message **msgs,
47 struct pam_response **rsps, __UNUSED void *ptr)
49 struct pam_response *rsp;
51 int pam = PAM_SUCCESS;
53 if (!(rsp = calloc(nmsgs, sizeof(struct pam_response))))
54 errx(1, "couldn't malloc pam_response");
57 for (i = 0; i < nmsgs; i++) {
58 switch (style = msgs[i]->msg_style) {
59 case PAM_PROMPT_ECHO_OFF:
60 case PAM_PROMPT_ECHO_ON:
61 rsp[i].resp = pam_prompt(msgs[i]->msg,
62 style == PAM_PROMPT_ECHO_ON, &pam);
67 if (fprintf(style == PAM_ERROR_MSG ? stderr : stdout,
68 "%s\n", msgs[i]->msg) < 0)
73 errx(1, "invalid PAM msg_style %d", style);
81 auth_userokay(char *name, char *style, char *type, char *password)
83 static const struct pam_conv conv = {
89 pam_handle_t *pamh = NULL;
93 if (style || type || password)
94 errx(1, "auth_userokay(name, NULL, NULL, NULL)!\n");
96 ret = pam_start(PAM_SERVICE_NAME, name, &conv, &pamh);
97 if (ret != PAM_SUCCESS)
98 errx(1, "pam_start(\"%s\", \"%s\", ?, ?): failed\n",
99 PAM_SERVICE_NAME, name);
101 auth = pam_authenticate(pamh, 0);
103 ret = pam_open_session(pamh, 0);
104 if (ret != PAM_SUCCESS)
105 errx(1, "pam_open_session(): %s\n", pam_strerror(pamh, ret));
107 ret = pam_close_session(pamh, 0);
108 if (ret != PAM_SUCCESS)
109 errx(1, "pam_close_session(): %s\n", pam_strerror(pamh, ret));
111 return auth == PAM_SUCCESS;