RANGER-842:PAM support for original crypt based auth Signed-off-by: sneethiraj <[email protected]>
Project: http://git-wip-us.apache.org/repos/asf/incubator-ranger/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-ranger/commit/9ec52527
Tree: http://git-wip-us.apache.org/repos/asf/incubator-ranger/tree/9ec52527
Diff: http://git-wip-us.apache.org/repos/asf/incubator-ranger/diff/9ec52527
Branch: refs/heads/ranger-842-tester
Commit: 9ec52527c27cb98d914aca764f38717d827ddd27
Parents: 57217d0
Author: rmani <[email protected]>
Authored: Thu Jun 2 18:09:45 2016 -0700
Committer: sneethiraj <[email protected]>
Committed: Tue Jun 7 15:37:25 2016 -0400
----------------------------------------------------------------------
 unixauthnative/pom.xml | 1 +
 unixauthnative/src/main/c/credValidator.c | 113 ++++++++++++++++---------
 2 files changed, 75 insertions(+), 39 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/9ec52527/unixauthnative/pom.xml
----------------------------------------------------------------------
diff --git a/unixauthnative/pom.xml b/unixauthnative/pom.xml
index 70d1469..0a5b7f2 100644
--- a/unixauthnative/pom.xml
+++ b/unixauthnative/pom.xml
@@ -47,6 +47,7 @@
 </sources>
 <linkerEndOptions>
 <linkerEndOption>-lpam</linkerEndOption>
+<linkerEndOption>-lcrypt</linkerEndOption>
 </linkerEndOptions>
 </configuration>
 </plugin>
http://git-wip-us.apache.org/repos/asf/incubator-ranger/blob/9ec52527/unixauthnative/src/main/c/credValidator.c
----------------------------------------------------------------------
diff --git a/unixauthnative/src/main/c/credValidator.c b/unixauthnative/src/main/c/credValidator.c
index ab19080..b645577 100644
--- a/unixauthnative/src/main/c/credValidator.c
+++ b/unixauthnative/src/main/c/credValidator.c
@@ -14,22 +14,14 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
-
- /*
-   You need to add the following (or equivalent) to the
-   /etc/pam.d/ranger-remote file:
-   # check authorization
-   auth required pam_unix.so
-   account required pam_unix.so
- */
-
 #include <stdio.h>
-#include <stdarg.h>
 #include <unistd.h>
 #include <stdlib.h>
 #include <pwd.h>
+#include <shadow.h>
 #include <string.h>
 #include <sys/types.h>
+#include <crypt.h>
 #include <security/pam_appl.h>
 
 int pamconv(int num_msg, const struct pam_message **msg, struct pam_response **resp, void *appdata_ptr) {
@@ -52,6 +44,16 @@ int pamconv(int num_msg, const struct pam_message **msg, struct pam_response **r
 	return ((*resp)[0].resp ? PAM_SUCCESS : PAM_CONV_ERR);
 }
 
+int isPAMEnabled() {
+	if( access("/etc/pam.d/ranger-remote", F_OK ) != -1 ) {
+		return 1;
+	} else {
+		/* file doesn't exist */
+		return 0;
+	}
+}
+
+
 struct pam_conv conv = { pamconv, NULL };
 
 int main(int ac, char **av, char **ev)
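Review bot: `isPAMEnabled()` in the second hunk picks the authentication backend from the mere presence of /etc/pam.d/ranger-remote, so a missing or removed file silently switches every login to the direct shadow comparison with no record of which path was taken; `access(..., F_OK)` answers only "exists", not "readable, well-formed PAM config", and a one-line stderr message naming the selected backend would make the fallback observable. The first hunk also deletes the comment that documented the required contents of that pam.d file, which the new function now depends on — restoring it as a comment above `isPAMEnabled()` keeps that contract visible. As a point of style, `int isPAMEnabled()` is an unprototyped declaration in C; write it `int isPAMEnabled(void) {`.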
@@ -59,46 +61,79 @@ int main(int ac, char **av, char **ev)
 	char username[64] ;
 	char password[64] ;
 	char line[512] ;
-
-	int retval;
+	struct passwd *pwp;
+	struct spwd *spwd ;
+	int retval;
 	pam_handle_t *pamh = NULL;
 
 	fgets(line,512,stdin) ;
+
 	sscanf(line, "LOGIN:%s %s",username,password) ;
 
-	conv.appdata_ptr = (char *) password;
-	retval = pam_start("ranger-remote", username, &conv, &pamh);
-	if (retval != PAM_SUCCESS) {
-		/* why expose this? */
-		fprintf(stdout, "FAILED: [%s] does not exists.\n", username) ;
-		exit(1);
-	}
+	if (isPAMEnabled()) {
+		/* PAM Authentication */
+
+		conv.appdata_ptr = (char *) password;
 
-	retval = pam_authenticate(pamh, 0);
-	if (retval != PAM_SUCCESS) {
-		fprintf(stdout, "FAILED: Password did not match.\n") ;
-		exit(1);
-	}
+		retval = pam_start("ranger-remote", username, &conv, &pamh);
+		if (retval != PAM_SUCCESS) {
+			/* why expose this? */
+			fprintf(stdout, "FAILED: [%s] does not exists.\n", username) ;
+			exit(1);
+		}
 
-	/* authorize */
-	retval = pam_acct_mgmt(pamh, 0);
-	if (retval != PAM_SUCCESS) {
-		fprintf(stdout, "FAILED: [%s] is not authorized.\n", username) ;
-		exit(1);
-	}
+		retval = pam_authenticate(pamh, 0);
+		if (retval != PAM_SUCCESS) {
+			fprintf(stdout, "FAILED: Password did not match.\n") ;
+			exit(1);
+		}
 
-	/* establish the requested credentials */
-	if ((retval = pam_setcred(pamh, PAM_ESTABLISH_CRED)) != PAM_SUCCESS) {
+		/* authorize */
+		retval = pam_acct_mgmt(pamh, 0);
+		if (retval != PAM_SUCCESS) {
+			fprintf(stdout, "FAILED: [%s] is not authorized.\n", username) ;
+			exit(1);
+		}
+
+		/* establish the requested credentials */
+		if ((retval = pam_setcred(pamh, PAM_ESTABLISH_CRED)) != PAM_SUCCESS) {
 		fprintf(stdout, "FAILED: Error setting credentials for [%s].\n", username) ;
 		exit(1);
-	}
+		}
 
-	/* not opening a session, as logout has not been implemented as a remote service */
-	fprintf(stdout, "OK:\n") ;
+		/* not opening a session, as logout has not been implemented as a remote service */
+		fprintf(stdout, "OK:\n") ;
 
-	if (pamh) {
-		pam_end(pamh, retval);
-	}
+		if (pamh) {
+			pam_end(pamh, retval);
+		}
+	} else {
+		/* crypt Authentication */
+		pwp = getpwnam(username) ;
+
+		if (pwp == (struct passwd *)NULL) {
+			fprintf(stdout, "FAILED: [%s] does not exists.\n", username) ;
+			exit(1) ;
+		}
+
+		spwd = getspnam(pwp->pw_name) ;
 
-	exit(0) ;
+		if (spwd == (struct spwd *)NULL) {
+			fprintf(stdout, "FAILED: unable to get (shadow) password for %s\n", username) ;
+			exit(1) ;
+		}
+		else {
+			char *gen = crypt(password,spwd->sp_pwdp) ;
+			if (strcmp(spwd->sp_pwdp,gen) == 0) {
+				fprintf(stdout, "OK:\n") ;
+				exit(0);
+			}
+			else {
+				fprintf(stdout, "FAILED: Password did not match.\n") ;
+				exit(1) ;
+			}
+		}
+	}
+	exit(0);
 }
+
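Review bot: In the crypt branch, `crypt()` can return NULL (a malformed or unsupported `sp_pwdp`, or a failure inside the crypt library) and the very next line hands that NULL to `strcmp()`; guard it with `if (gen != NULL && strcmp(spwd->sp_pwdp,gen) == 0) {`. The crypt path also has no counterpart to the `pam_acct_mgmt()` call on the PAM side: nothing consults `sp_expire` or the `sp_lstchg`/`sp_max` ageing fields, so an expired account whose password still matches is reported `OK:`, which a short comment above `getspnam()` should at least state as a known limitation if it is intended. `retval` is declared for both branches but only the PAM branch ever assigns it. main()'s opening lines lie before this hunk.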
