diff options
| author | jsorg71 <jay.sorg@gmail.com> | 2015-04-01 22:15:17 -0700 |
|---|---|---|
| committer | jsorg71 <jay.sorg@gmail.com> | 2015-04-01 22:15:17 -0700 |
| commit | b55231f18a08e116e521e64199739f0e3be20316 (patch) | |
| tree | f07f492384cb8d3150ab8c0ee059fe857338a403 | |
| parent | 33167a7c746de49e735e76c5662d1e6c36bd10ed (diff) | |
| parent | 283a16115a074eb2d655ae3bc5008c7aef53b24f (diff) | |
| download | xrdp-proprietary-b55231f18a08e116e521e64199739f0e3be20316.tar.gz xrdp-proprietary-b55231f18a08e116e521e64199739f0e3be20316.zip | |
Merge pull request #226 from metalefty/freebsd/openpam
xrdp: xrdp_mm.c detect and use OpenPAM
| -rw-r--r-- | configure.ac | 9 | ||||
| -rw-r--r-- | xrdp/xrdp_mm.c | 119 |
2 files changed, 127 insertions, 1 deletions
diff --git a/configure.ac b/configure.ac index 78553305..f436d9f8 100644 --- a/configure.ac +++ b/configure.ac @@ -84,6 +84,15 @@ AC_CHECK_HEADER([openssl/rc4.h], [], [AC_MSG_ERROR([please install libssl-dev or openssl-devel])], [#include <stdlib.h>]) +# checking for pam variation +# Linux-PAM is used in Linux systems +# OpenPAM is used by FreeBSD, NetBSD, DragonFly BSD and OS X +# OpenBSD uses BSD Authentication rather than both PAMs +AC_CHECK_HEADER([security/_pam_types.h], + [AC_DEFINE([HAVE__PAM_TYPES_H], 1, [Using Linux-PAM], [])]) +AC_CHECK_HEADER([security/pam_constants.h], + [AC_DEFINE([HAVE_PAM_CONSTANTS_H], 1, [Using OpenPAM], [])]) + # checking if pam should be autodetected. if test "x$enable_pam" = "xyes" then diff --git a/xrdp/xrdp_mm.c b/xrdp/xrdp_mm.c index 8d67016b..a2e7446c 100644 --- a/xrdp/xrdp_mm.c +++ b/xrdp/xrdp_mm.c @@ -24,11 +24,18 @@ #define ACCESS #include "xrdp.h" #include "log.h" + #ifdef ACCESS #ifndef USE_NOPAM +#if defined(HAVE__PAM_TYPES_H) +#define LINUXPAM 1 #include "security/_pam_types.h" +#elif defined(HAVE_PAM_CONSTANTS_H) +#define OPENPAM 1 +#include <security/pam_constants.h> #endif -#endif +#endif /* USE_NOPAM */ +#endif /* ACCESS */ #include "xrdp_encoder.h" @@ -1540,6 +1547,7 @@ getPAMError(const int pamError, char *text, int text_bytes) { switch (pamError) { +#if defined(LINUXPAM) case PAM_SUCCESS: return "Success"; case PAM_OPEN_ERR: @@ -1605,6 +1613,71 @@ getPAMError(const int pamError, char *text, int text_bytes) default: g_snprintf(text, text_bytes, "Not defined PAM error:%d", pamError); return text; +#elif defined(OPENPAM) + case PAM_SUCCESS: /* 0 */ + return "Success"; + case PAM_OPEN_ERR: + return "dlopen() failure"; + case PAM_SYMBOL_ERR: + return "Symbol not found"; + case PAM_SERVICE_ERR: + return "Error in service module"; + case PAM_SYSTEM_ERR: + return "System error"; + case PAM_BUF_ERR: + return "Memory buffer error"; + case PAM_CONV_ERR: + return "Conversation error"; + case PAM_PERM_DENIED: + return "Permission denied"; + case PAM_MAXTRIES: + return "Have exhausted maximum number of retries for service."; + case PAM_AUTH_ERR: + return "Authentication failure"; + case PAM_NEW_AUTHTOK_REQD: /* 10 */ + return "Authentication token is no longer valid; new one required."; + case PAM_CRED_INSUFFICIENT: + return "Insufficient credentials to access authentication data"; + case PAM_AUTHINFO_UNAVAIL: + return "Authentication service cannot retrieve authentication info."; + case PAM_USER_UNKNOWN: + return "User not known to the underlying authentication module"; + case PAM_CRED_UNAVAIL: + return "Authentication service cannot retrieve user credentials"; + case PAM_CRED_EXPIRED: + return "User credentials expired"; + case PAM_CRED_ERR: + return "Failure setting user credentials"; + case PAM_ACCT_EXPIRED: + return "User account has expired"; + case PAM_AUTHTOK_EXPIRED: + return "Authentication token expired"; + case PAM_SESSION_ERR: + return "Session failure"; + case PAM_AUTHTOK_ERR: /* 20 */ + return "Authentication token manipulation error"; + case PAM_AUTHTOK_RECOVERY_ERR: + return "Failed to recover old authentication token"; + case PAM_AUTHTOK_LOCK_BUSY: + return "Authentication token lock busy"; + case PAM_AUTHTOK_DISABLE_AGING: + return "Authentication token aging disabled"; + case PAM_NO_MODULE_DATA: + return "No module specific data is present"; + case PAM_IGNORE: + return "Please ignore underlying account module"; + case PAM_ABORT: + return "General failure"; + case PAM_TRY_AGAIN: + return "Failed preliminary check by password service"; + case PAM_MODULE_UNKNOWN: + return "Module is unknown"; + case PAM_DOMAIN_UNKNOWN: /* 29 */ + return "Unknown authentication domain"; + default: + g_snprintf(text, text_bytes, "Not defined PAM error:%d", pamError); + return text; +#endif } } @@ -1613,6 +1686,7 @@ getPAMAdditionalErrorInfo(const int pamError, struct xrdp_mm *self) { switch (pamError) { +#if defined(LINUXPAM) case PAM_SUCCESS: return NULL; case PAM_OPEN_ERR: @@ -1656,6 +1730,49 @@ getPAMAdditionalErrorInfo(const int pamError, struct xrdp_mm *self) } default: return "No expected error"; +#elif defined(OPENPAM) + case PAM_SUCCESS: /* 0 */ + return NULL; + case PAM_OPEN_ERR: + case PAM_SYMBOL_ERR: + case PAM_SERVICE_ERR: + case PAM_SYSTEM_ERR: + case PAM_BUF_ERR: + case PAM_CONV_ERR: + case PAM_PERM_DENIED: + case PAM_MAXTRIES: + case PAM_AUTH_ERR: + case PAM_NEW_AUTHTOK_REQD: /* 10 */ + case PAM_CRED_INSUFFICIENT: + case PAM_AUTHINFO_UNAVAIL: + case PAM_USER_UNKNOWN: + case PAM_CRED_UNAVAIL: + case PAM_CRED_EXPIRED: + case PAM_CRED_ERR: + case PAM_ACCT_EXPIRED: + case PAM_AUTHTOK_EXPIRED: + case PAM_SESSION_ERR: + case PAM_AUTHTOK_ERR: /* 20 */ + case PAM_AUTHTOK_RECOVERY_ERR: + case PAM_AUTHTOK_LOCK_BUSY: + case PAM_AUTHTOK_DISABLE_AGING: + case PAM_NO_MODULE_DATA: + case PAM_IGNORE: + case PAM_ABORT: + case PAM_TRY_AGAIN: + case PAM_MODULE_UNKNOWN: + case PAM_DOMAIN_UNKNOWN: /* 29 */ + if (self->wm->pamerrortxt[0]) + { + return self->wm->pamerrortxt; + } + else + { + return "Authentication error - Verify that user/password is valid"; + } + default: + return "No expected error"; +#endif } } #endif |