#include <security/pam_appl.h>
-#include "includes.h"
+#include "openbsd.h"
+#include "doas.h"
#ifndef HOST_NAME_MAX
#define HOST_NAME_MAX _POSIX_HOST_NAME_MAX
for (i = 0; i < nmsgs; i++) {
if (rsp[i].resp == NULL)
continue;
- switch (style = msgs[i]->msg_style) {
+ switch (msgs[i]->msg_style) {
case PAM_PROMPT_ECHO_OFF:
case PAM_PROMPT_ECHO_ON:
explicit_bzero(rsp[i].resp, strlen(rsp[i].resp));
}
rsp[i].resp = NULL;
}
+ free(rsp);
return PAM_CONV_ERR;
}
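Review bot: The error-path loop still leaks each response buffer: after `explicit_bzero(rsp[i].resp, strlen(rsp[i].resp));` the only further action is `rsp[i].resp = NULL;`, so the new `free(rsp);` releases the array while its elements are dropped, assuming they were heap-allocated by the conversation code (which PAM requires, since the module would otherwise free them). Add `free(rsp[i].resp);` directly after the explicit_bzero inside the switch so the zeroed secret is also released. The enclosing conversation function starts outside this hunk.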
exit(status);
}
-void
+int
pamauth(const char *user, const char *myname, int interactive, int nopass, int persist)
{
static const struct pam_conv conv = {
#endif
if (!user || !myname)
- errx(1, "Authorization failed");
+ return(5);
ret = pam_start(PAM_SERVICE_NAME, myname, &conv, &pamh);
if (ret != PAM_SUCCESS)
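Review bot: The bare literal in `return(5);` at the `!user || !myname` check carries no meaning for the caller, and the same literal is repeated at the `!interactive`, pam_authenticate and pam_acct_mgmt failure hunks below; define it once as a named constant (an enum value in doas.h, for example) and return that everywhere. The new `int` signature also needs a header comment stating the contract, since errx no longer prints anything: returns 0 when authentication, account check and credential setup succeeded, and a non-zero code when the caller must report the "Authorization failed" condition itself. Style: `return 5;` rather than `return(5);`, matching the plain `return PAM_CONV_ERR;` used earlier in the file. pamauth's body continues outside this hunk.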
if (!nopass) {
if (!interactive)
- errx(1, "Authorization required");
+ return(5);
/* doas style prompt for pam */
char host[HOST_NAME_MAX + 1];
if (ret != PAM_SUCCESS) {
pamcleanup(ret, sess, cred);
syslog(LOG_AUTHPRIV | LOG_NOTICE, "failed auth for %s", myname);
- errx(1, "Authorization failed");
+ return(5);
}
}
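Review bot: The `return(5);` that replaces `errx(1, "Authorization required")` for the non-interactive case returns after pam_start has succeeded without ending the PAM transaction, whereas the two later failure paths in this function call `pamcleanup(ret, sess, cred);` first; with errx the process exited so the open handle did not matter. Change it to `pamcleanup(ret, sess, cred);` followed by `return(5);` (or the named constant), assuming sess and cred are still at their initial values at that point, which the hunk does not show. Whether a syslog line belongs here too, as on the authentication-failure path, is a policy decision for the maintainer. pamauth begins and ends outside this hunk.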
if (ret != PAM_SUCCESS) {
pamcleanup(ret, sess, cred);
syslog(LOG_AUTHPRIV | LOG_NOTICE, "failed auth for %s", myname);
- errx(1, "Authorization failed");
+ return(5);
}
/* set PAM_USER to the user we want to be */
warn("pam_set_item(?, PAM_USER, \"%s\"): %s", user,
pam_strerror(pamh, ret));
- ret = pam_setcred(pamh, PAM_ESTABLISH_CRED);
+ ret = pam_setcred(pamh, PAM_REINITIALIZE_CRED);
if (ret != PAM_SUCCESS)
- warn("pam_setcred(?, PAM_ESTABLISH_CRED): %s", pam_strerror(pamh, ret));
+ warn("pam_setcred(?, PAM_REINITIALIZE_CRED): %s", pam_strerror(pamh, ret));
else
cred = 1;
}
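Review bot: The reason for using PAM_REINITIALIZE_CRED instead of PAM_ESTABLISH_CRED in the `pam_setcred` call is not documented anywhere in the hunk. If the motivation is that PAM_USER was changed by the pam_set_item call just above, a why-comment such as `/* PAM_USER was changed above: reinitialize, rather than establish, credentials for the target user */` would spare the next reader from guessing; confirm the reason before writing it. The warn message was updated consistently with the flag. The enclosing block continues outside this hunk.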
#endif
watchsession(child, sess, cred);
+ return(0);
}