If OpenVPN signals deferred authentication support (by setting the
internal environment variable "auth_control_file"), do not wait
for PAM stack to finish. Instead, the privileged PAM process
returns RESPONSE_DEFER via the control socket, which gets turned
into OPENVPN_PLUGIN_FUNC_DEFERRED towards openvpn.
The PAM process will then fork() and handle all the PAM auth in the
new process, signalling success/failure back by means of the
auth_control_file (forking twice, to simplify wait() handling).
With the extra fork(), multiple deferred authentications can run at
the same time - otherwise the first one would block the next auth
call (because the child would not be ready again to read from the
control socket).
Lightly tested on Linux.
Signed-off-by: Gert Doering <g...@greenie.muc.de>
---
src/plugins/auth-pam/auth-pam.c | 88 ++++++++++++++++++++++++++++++++-
1 file changed, 86 insertions(+), 2 deletions(-)
diff --git a/src/plugins/auth-pam/auth-pam.c b/src/plugins/auth-pam/auth-pam.c
index 9a11876d..777957fa 100644
--- a/src/plugins/auth-pam/auth-pam.c
+++ b/src/plugins/auth-pam/auth-pam.c
@@ -62,6 +62,7 @@
#define RESPONSE_INIT_FAILED 11
#define RESPONSE_VERIFY_SUCCEEDED 12
#define RESPONSE_VERIFY_FAILED 13
+#define RESPONSE_DEFER 14
/* Pointers to functions exported from openvpn */
static plugin_log_t plugin_log = NULL;
@@ -524,12 +525,21 @@ openvpn_plugin_func_v1(openvpn_plugin_handle_t handle,
const int type, const cha
const char *password = get_env("password", envp);
const char *common_name = get_env("common_name", envp) ?
get_env("common_name", envp) : "";
+ /* get auth_control_file filename from envp string array*/
+ const char *auth_control_file = get_env("auth_control_file", envp);
+ if ( auth_control_file == NULL )
+ {
+ auth_control_file = "";
+ }
+ plugin_log(PLOG_NOTE, MODULE, "deferred auth '%s'", auth_control_file);
+
if (username && strlen(username) > 0 && password)
{
if (send_control(context->foreground_fd, COMMAND_VERIFY) == -1
|| send_string(context->foreground_fd, username) == -1
|| send_string(context->foreground_fd, password) == -1
- || send_string(context->foreground_fd, common_name) == -1)
+ || send_string(context->foreground_fd, common_name) == -1
+ || send_string(context->foreground_fd, auth_control_file) ==
-1)
{
plugin_log(PLOG_ERR|PLOG_ERRNO, MODULE, "Error sending auth
info to background process");
}
@@ -540,6 +550,11 @@ openvpn_plugin_func_v1(openvpn_plugin_handle_t handle,
const int type, const cha
{
return OPENVPN_PLUGIN_FUNC_SUCCESS;
}
+ if (status == RESPONSE_DEFER)
+ {
+ plugin_log(PLOG_NOTE, MODULE, "deferred authentication
active");
+ return OPENVPN_PLUGIN_FUNC_DEFERRED;
+ }
if (status == -1)
{
plugin_log(PLOG_ERR|PLOG_ERRNO, MODULE, "Error receiving
auth confirmation from background process");
@@ -789,6 +804,7 @@ static void
pam_server(int fd, const char *service, int verb, const struct name_value_list
*name_value_list)
{
struct user_pass up;
+ char ac_file_name[PATH_MAX];
int command;
#ifdef USE_PAM_DLOPEN
static const char pam_so[] = "libpam.so";
@@ -847,7 +863,8 @@ pam_server(int fd, const char *service, int verb, const
struct name_value_list *
case COMMAND_VERIFY:
if (recv_string(fd, up.username, sizeof(up.username)) == -1
|| recv_string(fd, up.password, sizeof(up.password)) == -1
- || recv_string(fd, up.common_name, sizeof(up.common_name))
== -1)
+ || recv_string(fd, up.common_name, sizeof(up.common_name))
== -1
+ || recv_string(fd, ac_file_name, sizeof(ac_file_name)) ==
-1)
{
plugin_log(PLOG_ERR|PLOG_ERRNO, MODULE, "BACKGROUND: read
error on command channel: code=%d, exiting",
command);
@@ -867,6 +884,73 @@ pam_server(int fd, const char *service, int verb, const
struct name_value_list *
/* If password is of the form SCRV1:base64:base64 split it up
*/
split_scrv1_password(&up);
+ /* client wants deferred auth
+ * TODO: put this into its own function
+ */
+ if ( strlen(ac_file_name) > 0 )
+ {
+ if (send_control(fd, RESPONSE_DEFER) == -1)
+ {
+ plugin_log(PLOG_ERR|PLOG_ERRNO, MODULE, "BACKGROUND:
write error on response socket [4]");
+ goto done;
+ }
+
+ /* double forking so we do not need to wait() for
+ * async auth kids
+ */
+ pid_t p1 = fork();
+
+ if ( p1 < 0 )
+ {
+ plugin_log(PLOG_ERR|PLOG_ERRNO, MODULE, "BACKGROUND:
fork(1) failed");
+ goto done;
+ }
+ if ( p1 != 0 ) /* parent */
+ {
+ waitpid(p1, NULL, 0);
+ /* plugin_log(PLOG_NOTE, MODULE, "BACKGROUND: fork(1),
parent=%d, waitpid(%d) done, loop on", (int) getpid(), (int) p1 ); */
+ break;
+ }
+
+ /* child */
+ pid_t p2 = fork();
+
+ if ( p2 < 0 )
+ {
+ plugin_log(PLOG_ERR|PLOG_ERRNO, MODULE, "BACKGROUND:
fork(2) failed");
+ goto done;
+ }
+
+ if ( p2 != 0 ) /* parent-child */
+ {
+ /* plugin_log(PLOG_NOTE, MODULE, "BACKGROUND: fork(2),
mid=%d, exiting", (int) getpid() ); */
+ exit(0);
+ }
+
+ /* grandchild */
+ plugin_log(PLOG_NOTE, MODULE, "BACKGROUND: deferred auth
handler, pid=%d", (int) getpid() );
+
+ /* simple: do PAM, write status byte to file, done */
+ int ac_fd = open( ac_file_name, O_WRONLY );
+ if ( ac_fd < 0 )
+ {
+ plugin_log(PLOG_ERR|PLOG_ERRNO, MODULE, "cannot open
'%s' for writing", ac_file_name );
+ exit(1);
+ }
+ int pam_success = pam_auth(service, &up);
+
+ if ( write( ac_fd, pam_success? "1": "0", 1 ) != 1 )
+ {
+ plugin_log(PLOG_ERR|PLOG_ERRNO, MODULE, "cannot write
to '%s'", ac_file_name );
+ }
+ close(ac_fd);
+ plugin_log(PLOG_NOTE, MODULE, "BACKGROUND: deferred auth
finished" );
+ exit(0);
+ }
+
+ /* non-deferred auth: wait for pam result and send
+ * result back via control socketpair
+ */
if (pam_auth(service, &up)) /* Succeeded */
{
if (send_control(fd, RESPONSE_VERIFY_SUCCEEDED) == -1)
--
2.26.2
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
