Added allowed usernames check
Ignore entries without the objectClass=member attribute
This commit is contained in:
parent
d6c554d5de
commit
89463b4460
@ -1,3 +1,10 @@
libpam-csc (1.3) stable testing; urgency=low
* Added allowed usernames check
* Ignore entries without the objectClass=member attribute
-- David Bartley <dtbartle@csclub.uwaterloo.ca> Thu, 09 Aug 2007 04:03:37 -0400
libpam-csc (1.2) stable testing; urgency=low
libpam-csc (1.2) stable testing; urgency=low
* Optimized querying by using single query and using asynch functions
* Optimized querying by using single query and using asynch functions
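--- a/pam_csc.c
+++ b/pam_csc.c
@@ -36,6 +36,7 @@
 #define PAM_CSC_CSCF_SASL_REALM "STUDENT.CS.UWATERLOO.CA"
 #define PAM_CSC_LDAP_TIMEOUT 5
 #define PAM_CSC_MINIMUM_UID 1000
+#define PAM_CSC_ALLOWED_USERNAMES {"nobody"}
 #define PAM_CSC_EXPIRED_MSG \
 "*****************************************************************************\n" \
 "* *\n" \
@@ -49,6 +50,8 @@
 "(pam_csc): %s was not registered for current term or previous term - denying login\n"
 #define PAM_CSC_SYSLOG_EXPIRED_ERROR \
 "(pam_csc): %s was not registered for current term but was registered for previous term - permitting login\n"
+#define PAM_CSC_SYSLOG_NOT_A_MEMBER \
+"(pam_csc): %s is not a member account - permitting login\n"
 #define PAM_CSC_SYSLOG_CSCF_DISALLOWED \
 "(pam_csc): %s is using a CSCF machine but is not enrolled in CS - denying login\n"
 #define PAM_CSC_SYSLOG_SASL_UNRECOGNIZED_CALLBACK \
@@ -162,6 +165,8 @@ PAM_EXTERN int pam_sm_acct_mgmt(pam_handle_t* pamh, int flags, int argc, const c
 int retval = PAM_SUCCESS;
 const char* username;
 struct passwd* pwd;
+const char* allowed_usernames[] = PAM_CSC_ALLOWED_USERNAMES;
+int i;
 time_t cur_time;
 struct tm* local_time;
 int long_term;
@@ -194,6 +199,15 @@ PAM_EXTERN int pam_sm_acct_mgmt(pam_handle_t* pamh, int flags, int argc, const c
 return PAM_SUCCESS;
 }
 
+/* check username */
+for(i = 0; i < sizeof(allowed_usernames) / sizeof(char*); i++)
+{
+if(strcmp(allowed_usernames[i], username) == 0)
+{
+return PAM_SUCCESS;
+}
+}
+
 /* escape username */
 WARN_ZERO( username_escaped = pam_csc_escape_ldap_string(username) );
 
@@ -270,7 +284,14 @@ PAM_EXTERN int pam_sm_acct_mgmt(pam_handle_t* pamh, int flags, int argc, const c
 
 /* get CSC entry */
 WARN_ZERO( entry = ldap_first_entry(ld_csc, res_csc) )
-WARN_ZERO( values = ldap_get_values(ld_csc, entry, "term") )
+values = ldap_get_values(ld_csc, entry, "term");
+if(!values)
+{
+syslog(LOG_AUTHPRIV | LOG_NOTICE, PAM_CSC_SYSLOG_NOT_A_MEMBER,
+username);
+retval = PAM_SUCCESS;
+goto cleanup;
+}
 
 /* iterate through term attributes */
 expired = true;
 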
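Review bot: The new `if(!values)` branch after `ldap_get_values(ld_csc, entry, "term")` permits login whenever the entry has no term values, which is not the objectClass=member test the commit message describes — a member entry whose term attribute is missing, unreadable under the directory ACL, or lost to a decode error (ldap_get_values returns NULL in both cases) now falls through to "is not a member account - permitting login" instead of the old WARN_ZERO path. Safer is to read the entry's objectClass values, take the not-a-member exit only when "member" is absent, and keep the original `WARN_ZERO( values = ldap_get_values(ld_csc, entry, "term") )` for member entries, as sketched below (`is_member` would be a `bool` declared with the other locals, and `strcasecmp` needs `<strings.h>` if it is not already included). In the hunk at @ -194 the loop compares the `int i` against a `size_t` quotient; `size_t i` together with `sizeof allowed_usernames / sizeof allowed_usernames[0]` avoids the sign-compare warning. pam_sm_acct_mgmt starts and ends outside these hunks, so whether cleanup tolerates a NULL `values` cannot be confirmed from here.
```c
/* … unchanged: WARN_ZERO( entry = ldap_first_entry(ld_csc, res_csc) ) … */
/* treat the entry as a member account only when its objectClass says so */
values = ldap_get_values(ld_csc, entry, "objectClass");
is_member = false;
for(i = 0; values && values[i]; i++)
{
    if(strcasecmp(values[i], "member") == 0)
    {
        is_member = true;
    }
}
ldap_value_free(values);
if(!is_member)
{
    syslog(LOG_AUTHPRIV | LOG_NOTICE, PAM_CSC_SYSLOG_NOT_A_MEMBER, username);
    retval = PAM_SUCCESS;
    goto cleanup;
}
/* a member entry without term values keeps the previous (warn/deny) handling */
WARN_ZERO( values = ldap_get_values(ld_csc, entry, "term") )
/* … unchanged: iterate through term attributes … */
```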