From: Daniel Rocher <daniel.rocher@adella.org>
To: "Dmitry V. Levin" <ldv@altlinux.org>,
"ALT Linux users (in English only)"
<community-en@lists.altlinux.org>
Cc: Motsyo Gennadi aka Drool <motsyo@gmail.com>
Subject: Re: [Comm-en] PAM with ALT Linux
Date: Fri, 9 Nov 2007 20:58:57 +0100
Message-ID: <200711092059.05147.daniel.rocher@adella.org>
In-Reply-To: <20071109172301.GA31932@basalt.office.altlinux.org>
[-- Attachment #1.1: Type: text/plain, Size: 981 bytes --]
On Friday 9 November 2007, Dmitry V. Levin wrote:
>
> Could you provide more details how it doesn't work, please?
> Where it fails, how it fails, credentials of process which fails,
> log message (in /var/log/auth/all) if any, etc.
QtSmbstatus was designed as a client/server. I use PAM to check
login/password.
I have used this code since 2004: pam.cpp and pam.h (attached).
When I want to check a login/password, my prog returns (only on ALT Linux):
User could not be authenticated: Authentication service cannot retrieve
authentication info
Yet the login and password are correct.
Attached:
/etc/pam.d/qtsmbstatusd
/etc/qtsmbstatusd/qtsmbstatusd.users
/var/log/auth/all
Greetings
--
____________________________________________
Daniel Rocher
@ mail : daniel.rocher@adella.org
Jabber : daniel.rocher@jabber.org
web : http://rocher.daniel.free.fr
GPG ID : 0x19E0980E
____________________________________________
[-- Attachment #1.2: pam.cpp --]
[-- Type: text/x-c++src, Size: 2852 bytes --]
#include "pam.h"
#include <stdlib.h>  // malloc, calloc, free

// most of this code I got from Rene Mayrhofer (rmayr@debian.org)

/* Global variables for PAM authentication. */
static char *pamUsername, *pamPassword;

/* This is the PAM conversation function, it uses the global variables
   pamUsername and pamPassword, they have to be initialized before using this
   function.
   It simply feeds the password to the PAM library in response to a
   PAM_PROMPT_ECHO_OFF message */
static int pamConversationFunction(int num_msg, const struct pam_message **msg,
                                   struct pam_response **resp, void *appdata_ptr) {
    struct pam_response *r;
    int count;

    if (num_msg <= 0)
        return PAM_CONV_ERR;

    // alloc the response array, zeroed so that unset resp pointers are NULL
    r = (struct pam_response*) calloc(num_msg, sizeof(struct pam_response));
    if (r == NULL)
        return PAM_CONV_ERR;

    for (count=0; count<num_msg; count++) {
        // Linux-PAM passes an array of pointers to messages
        switch (msg[count]->msg_style) {
        case PAM_PROMPT_ECHO_ON:
            // zeroed buffer plus SIZE-1 copy keeps the answer NUL-terminated
            r[count].resp = (char*) calloc(1, PAM_MAX_RESP_SIZE);
            if (r[count].resp == NULL)
                goto fail;
            strncpy(r[count].resp, pamUsername, PAM_MAX_RESP_SIZE - 1);
            r[count].resp_retcode = PAM_SUCCESS;
            break;
        case PAM_PROMPT_ECHO_OFF:
            r[count].resp = (char*) calloc(1, PAM_MAX_RESP_SIZE);
            if (r[count].resp == NULL)
                goto fail;
            strncpy(r[count].resp, pamPassword, PAM_MAX_RESP_SIZE - 1);
            r[count].resp_retcode = PAM_SUCCESS;
            break;
        default:
            goto fail;
        }
    }
    *resp = r;
    return PAM_SUCCESS;

fail:
    // release every answer allocated so far, then the array itself
    for (count=0; count<num_msg; count++)
        free(r[count].resp);
    free(r);
    return PAM_CONV_ERR;
}

/* pamUsername and pamPassword must be set before calling this method.
   Returns 0 when not successful, 1 when successful; */
int checkUserPass_real() {
    struct pam_conv pam_conversation;
    pam_handle_t *pam_h = NULL;
    int pamretval, ret=0;

    pam_conversation.conv = pamConversationFunction;
    pam_conversation.appdata_ptr = NULL;

    pamretval = pam_start(PAM_SERVICE_NAME, pamUsername, &pam_conversation, &pam_h);
    if (pamretval != PAM_SUCCESS) {
        printf("Error initializing PAM library: %s\n", pam_strerror(pam_h, pamretval));
        return 0;
    }

    pamretval = pam_authenticate(pam_h, PAM_SILENT);
    if (pamretval != PAM_SUCCESS) {
        printf("User could not be authenticated: %s\n", pam_strerror(pam_h, pamretval));
        ret = 0;
    }
    else {
        pamretval = pam_acct_mgmt(pam_h, 0);
        if (pamretval != PAM_SUCCESS) {
            printf("User not healthy: %s\n", pam_strerror(pam_h, pamretval));
            ret = 0;
        }
        else
            ret = 1;
    }

    // the handle is invalid after pam_end, so report its own return code without it
    pamretval = pam_end(pam_h, pamretval);
    if (pamretval != PAM_SUCCESS) {
        printf("Error releasing PAM library: %s\n", pam_strerror(NULL, pamretval));
        return 0;
    }
    return ret;
}

/* authenticate vs pam. Notice: PAM_SERVICE_NAME: pam service has to exist and be set up correctly*/
int auth(char *username, char *passwd) {
    int ok;

    if (!username)
        return 0;
    if (!passwd)
        return 0;

    pamUsername = strdup(username);
    pamPassword = strdup(passwd);
    ok = (pamUsername && pamPassword) ? checkUserPass_real() : 0;

    // release the copies made above so repeated calls do not leak them
    free(pamUsername);
    free(pamPassword);
    pamUsername = pamPassword = NULL;

    return ok ? 1 : 0;
}
[-- Attachment #1.3: pam.h --]
[-- Type: text/x-chdr, Size: 258 bytes --]
#include <pwd.h>
#include <grp.h>
#include <sys/types.h>
#include <string.h>
#include <stdio.h>
extern "C" {
#include <security/pam_appl.h>
#include <security/pam_misc.h>
}
#define PAM_SERVICE_NAME "qtsmbstatusd"
int auth(char *username,char* passwd);
[-- Attachment #1.4: qtsmbstatusd --]
[-- Type: text/plain, Size: 293 bytes --]
#
# The PAM configuration file for the qtsmbstatusd daemon
#
auth required pam_unix.so nullok
auth required pam_listfile.so file=/etc/qtsmbstatusd/qtsmbstatusd.users onerr=fail sense=allow item=user
account required pam_unix.so
session required pam_unix.so
password required pam_unix.so
[-- Attachment #1.5: qtsmbstatusd.users --]
[-- Type: text/plain, Size: 5 bytes --]
root
[-- Attachment #1.6: all --]
[-- Type: text/plain, Size: 342 bytes --]
Nov 9 20:32:12 localhost qtsmbstatusd: pam_unix(qtsmbstatusd:auth): Credentials for user root unknown
Nov 9 20:32:13 localhost qtsmbstatusd: pam_unix(qtsmbstatusd:auth): Authentication failed for UNKNOWN USER from (uid=0)
Nov 9 20:35:49 localhost qtsmbstatusd: pam_unix(qtsmbstatusd:auth): Authentication failed for UNKNOWN USER from (uid=0)
[-- Attachment #2: This is a digitally signed message part. --]
[-- Type: application/pgp-signature, Size: 189 bytes --]