Allowing socket based IPC for X11 on pam_auth

Allowing socket based IPC for X11 on pam_auth

Dirk-Willem van Gulik
On some systems a socket/IPC can be used for the local display (as opposed to the more traditional Linux localhost:0.0). OSX is one example (as are more modern X11 installs).

Tiny patch below may be of use. Also contains a small signature update for OpenPAM >= 20071221.
   
Dw.

https://github.com/OpenSC/pam_pkcs11/commit/21c6f331e519c703d77d03691f30e423ec5c7047

8  src/pam_pkcs11/pam_pkcs11.c
@@ -72,7 +72,7 @@ static int is_spaced_str(const char *str) {
 /*
  * implement pam utilities for older versions of pam.
  */
-static int pam_prompt(pam_handle_t *pamh, int style, char **response, char *fmt, ...)
+int pam_prompt(const pam_handle_t *pamh, int style, char **response, const char *fmt, ...)
 {
   int rv;
   struct pam_conv *conv;
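
Review bot: Dropping `static` from the pam_prompt fallback on the changed signature line gives it external linkage under the same name as the PAM library's own function, so on platforms whose libpam already provides pam_prompt the module now defines a competing global symbol. The comment above says this code exists only for older versions of pam; consider keeping it `static` under a module-specific name, or compiling it only when a configure check finds no pam_prompt, and add a comment saying why the `const pam_handle_t *` and `const char *fmt` parameters are needed.
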
@@ -216,12 +216,12 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, cons
 
   /* Either slot_description or slot_num, but not both, needs to be used */
   if ((configuration->slot_description != NULL && configuration->slot_num != -1) || (configuration->slot_description == NULL && configuration->slot_num == -1)) {
- ERR("Error setting configuration parameters");
+ ERR("Error setting configuration parameters (no slot numbers or slot descriptions found)");
  return PAM_AUTHINFO_UNAVAIL;
   }
 
   /* fail if we are using a remote server
-   * local login: DISPLAY=:0
+   * local login: DISPLAY=:0 (linux) or a <path>:0 (Solaris, OSX)
    * XDMCP login: DISPLAY=host:0 */
   {
   char *display = getenv("DISPLAY");
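
Review bot: The new ERR text "(no slot numbers or slot descriptions found)" describes only the second half of the condition; the same branch is also taken when both slot_description and slot_num are set, which the comment above the `if` calls out as equally invalid. A message such as "exactly one of slot_description or slot_num must be set" would match the check and point the administrator at the right fix in either case.
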
@@ -229,7 +229,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, cons
   if (display)
   {
   if (strncmp(display, "localhost:", 10) != 0 && (display[0] != ':')
-  && (display[0] != '\0')) {
+  && (display[0] != '\0' && display[0] != '/')) {
   ERR1("Remote login (from %s) is not (yet) supported", display);
   pam_syslog(pamh, LOG_ERR,
   "Remote login (from %s) is not (yet) supported", display);
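
Review bot: The added `display[0] != '/'` test accepts any DISPLAY value that begins with '/' as local, while the comment in the previous hunk describes the local form as `<path>:0`; nothing here checks that shape or that the path refers to a local socket. The value comes from getenv("DISPLAY") and this condition is what rejects remote logins, so consider validating the rest of the string (for example that it carries a display-number suffix and that the path it names is a Unix socket, via stat() and S_ISSOCK) instead of deciding on the first character alone.
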
_______________________________________________
Opensc-devel mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/opensc-devel

Re: Allowing socket based IPC for X11 on pam_auth

Frank Morgner
Is it necessary to have a non static signature of pam_prompt?

--
Frank Morgner

Re: Allowing socket based IPC for X11 on pam_auth

Ludovic Rousseau
In reply to this post by Dirk-Willem van Gulik
2015-04-23 9:14 GMT+02:00 Dirk-Willem van Gulik <[hidden email]>:
> On some systems a socket/IPC can be used for the local display (as opposed to the more traditional Linux localhost:0.0). OSX is one example (as are more modern X11 installs).
>
> Tiny patch below may be of use. Also contains a small signature update for OpenPAM >= 20071221.

Thanks for the patch, Dirk.

I don't have time to take care of PAM PKCS#11 myself.
I just created a pam_pkcs11-maintainers team [1] and invited you to join.

If you need more access rights just tell me.
Feel free to make a new release of PAM PKCS#11 when you want.

Regards,

[1] https://github.com/orgs/OpenSC/teams/pam_pkcs11-maintainers

--
 Dr. Ludovic Rousseau


Re: Allowing socket based IPC for X11 on pam_auth

Dirk-Willem van Gulik
In reply to this post by Frank Morgner

> On 23 Apr 2015, at 09:26, Frank Morgner <[hidden email]> wrote:
>
> Is it necessary to have a non static signature of pam_prompt?

You are right - I guess we could rename this function so as not to clash with the PKCS defined function of equivalent functionality, and hence avoid the compiler Werror’s.

Dw.

