[strongSwan-dev] [PATCH] xauth_pam don't open/close PAM sessions
Andrea Bonomi
a.bonomi at endian.com
Sat Nov 2 11:07:57 CET 2013
Hello,
the following patch is a small improvement for the xauth_pam plugin.
The actual plugin performs the XAuth users authentication though PAM but
don't open/close the user sessions with the PAM
pam_open_session/pam_close_session methods.
Just as comparison, opening/closing the PAM session is the behavior of
L2TP (strongswan -> xl2tpd -> pppd -> pam).
Cheers,
Andrea
Signed-Off-By: Andrea Bonomi <a.bonomi at endian.com>
---
src/libcharon/plugins/xauth_pam/Makefile.am | 3 +-
.../plugins/xauth_pam/xauth_pam_listener.c | 156
++++++++++++++++++++
.../plugins/xauth_pam/xauth_pam_listener.h | 50 +++++++
src/libcharon/plugins/xauth_pam/xauth_pam_plugin.c | 60 ++++++--
4 files changed, 258 insertions(+), 11 deletions(-)
diff --git a/src/libcharon/plugins/xauth_pam/Makefile.am
b/src/libcharon/plugins/xauth_pam/Makefile.am
index a7d4f64..370661b 100644
--- a/src/libcharon/plugins/xauth_pam/Makefile.am
+++ b/src/libcharon/plugins/xauth_pam/Makefile.am
@@ -14,6 +14,7 @@ endif
libstrongswan_xauth_pam_la_SOURCES = \
xauth_pam_plugin.h xauth_pam_plugin.c \
- xauth_pam.h xauth_pam.c
+ xauth_pam.h xauth_pam.c \
+ xauth_pam_listener.h xauth_pam_listener.c
libstrongswan_xauth_pam_la_LDFLAGS = -module -avoid-version -lpam
diff --git a/src/libcharon/plugins/xauth_pam/xauth_pam_listener.c
b/src/libcharon/plugins/xauth_pam/xauth_pam_listener.c
new file mode 100644
index 0000000..236f6fa
--- /dev/null
+++ b/src/libcharon/plugins/xauth_pam/xauth_pam_listener.c
@@ -0,0 +1,156 @@
+/*
+ * Copyright (C) 2013 Endian srl
+ * Author: Andrea Bonomi - <a.bonomi at endian.com>
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#define _GNU_SOURCE
+#include <stdio.h>
+
+#include "xauth_pam_listener.h"
+
+#include <daemon.h>
+#include <library.h>
+
+#include <security/pam_appl.h>
+
+typedef struct private_xauth_pam_listener_t private_xauth_pam_listener_t;
+
+/**
+ * Private data of an xauth_pam_listener_t object.
+ */
+struct private_xauth_pam_listener_t {
+
+ /**
+ * Public xauth_pam_listener_t interface.
+ */
+ xauth_pam_listener_t public;
+
+};
+
+static struct pam_conv null_conv = {
+ NULL
+};
+
+static void open_close_session(private_xauth_pam_listener_t *this,
ike_sa_t *ike_sa, bool up)
+{
+ pam_handle_t *pamh = NULL;
+ char *user = NULL;
+ char *service = NULL;
+ int ret;
+ enumerator_t *enumerator;
+ host_t *vip;
+
+ /* Look for PAM service, with a legacy fallback for the eap-gtc plugin.
+ * Default to "login". */
+ service = lib->settings->get_str(lib->settings,
+ "%s.plugins.xauth-pam.pam_service",
+ lib->settings->get_str(lib->settings,
+ "%s.plugins.eap-gtc.pam_service",
+ "login", charon->name),
+ charon->name);
+
+ enumerator = ike_sa->create_virtual_ip_enumerator(ike_sa, FALSE);
+ while (enumerator->enumerate(enumerator, &vip))
+ {
+ if (asprintf(&user, "%Y", ike_sa->get_other_eap_id(ike_sa)) == -1)
+ {
+ user = NULL;
+ continue;
+ }
+ ret = pam_start(service, user, &null_conv, &pamh);
+
+ if (ret != PAM_SUCCESS)
+ {
+ DBG1(DBG_IKE, "XAuth pam_start for '%s' failed: %s",
+ user, pam_strerror(pamh, ret));
+ }
+ else if (up)
+ {
+ ret = pam_open_session(pamh, 0);
+ if (ret != PAM_SUCCESS)
+ {
+ DBG1(DBG_IKE, "XAuth pam_open_session for '%s' failed: %s",
+ user, pam_strerror(pamh, ret));
+ }
+ }
+ else
+ {
+ ret = pam_close_session(pamh, 0);
+ if (ret != PAM_SUCCESS)
+ {
+ DBG1(DBG_IKE, "XAuth pam_close_session for '%s' failed:
%s",
+ user, pam_strerror(pamh, ret));
+ }
+ }
+ pam_end(pamh, ret);
+ free(user);
+ }
+ enumerator->destroy(enumerator);
+
+ return TRUE;
+}
+
+METHOD(listener_t, message_hook, bool,
+ private_xauth_pam_listener_t *this, ike_sa_t *ike_sa,
+ message_t *message, bool incoming, bool plain)
+{
+ if (plain && ike_sa->get_state(ike_sa) == IKE_ESTABLISHED &&
+ !incoming && !message->get_request(message))
+ {
+ if (ike_sa->get_version(ike_sa) == IKEV1 &&
+ message->get_exchange_type(message) == TRANSACTION)
+ {
+ open_close_session(this, ike_sa, TRUE);
+ }
+ if (ike_sa->get_version(ike_sa) == IKEV2 &&
+ message->get_exchange_type(message) == IKE_AUTH)
+ {
+ open_close_session(this, ike_sa, TRUE);
+ }
+ }
+ return TRUE;
+}
+
+METHOD(listener_t, ike_updown, bool,
+ private_xauth_pam_listener_t *this, ike_sa_t *ike_sa, bool up)
+{
+ if (!up)
+ {
+ open_close_session(this, ike_sa, FALSE);
+ }
+ return TRUE;
+}
+
+METHOD(xauth_pam_listener_t, listener_destroy, void,
+ private_xauth_pam_listener_t *this)
+{
+ free(this);
+}
+
+xauth_pam_listener_t *xauth_pam_listener_create()
+{
+ private_xauth_pam_listener_t *this;
+
+ INIT(this,
+ .public = {
+ .listener = {
+ .message = _message_hook,
+ .ike_updown = _ike_updown,
+ },
+ .destroy = _listener_destroy,
+ },
+ );
+
+ return &this->public;
+}
+
diff --git a/src/libcharon/plugins/xauth_pam/xauth_pam_listener.h
b/src/libcharon/plugins/xauth_pam/xauth_pam_listener.h
new file mode 100644
index 0000000..6e25966
--- /dev/null
+++ b/src/libcharon/plugins/xauth_pam/xauth_pam_listener.h
@@ -0,0 +1,50 @@
+/*
+ * Copyright (C) 2013 Endian srl
+ * Author: Andrea Bonomi <a.bonomi at endian.com>
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup xauth_pam_i xauth_pam
+ * @{ @ingroup xauth_pam
+ */
+
+#ifndef XAUTH_PAM_LISENER_H_
+#define XAUTH_PAM_LISTENER_H_
+
+typedef struct xauth_pam_listener_t xauth_pam_listener_t;
+
+#include <bus/listeners/listener.h>
+
+/**
+ * Listener
+ */
+struct xauth_pam_listener_t {
+
+ /**
+ * Implements listener_t interface.
+ */
+ listener_t listener;
+
+ /**
+ * Destroy a xauth_pam_listener_t.
+ */
+ void (*destroy)(xauth_pam_listener_t *this);
+};
+
+/**
+ * Create a xauth_pam_listener instance.
+ */
+xauth_pam_listener_t *xauth_pam_listener_create();
+
+
+#endif /** XAUTH_PAM_LISTENER_H_ @}*/
diff --git a/src/libcharon/plugins/xauth_pam/xauth_pam_plugin.c
b/src/libcharon/plugins/xauth_pam/xauth_pam_plugin.c
index 2ef9a6c..6e13c0b 100644
--- a/src/libcharon/plugins/xauth_pam/xauth_pam_plugin.c
+++ b/src/libcharon/plugins/xauth_pam/xauth_pam_plugin.c
@@ -15,6 +15,7 @@
#include "xauth_pam_plugin.h"
#include "xauth_pam.h"
+#include "xauth_pam_listener.h"
#include <daemon.h>
@@ -22,17 +23,53 @@
#define CAP_AUDIT_WRITE 29
#endif
+typedef struct private_xauth_pam_plugin_t private_xauth_pam_plugin_t;
+
+/**
+ * private data of xauth_pam plugin
+ */
+struct private_xauth_pam_plugin_t {
+
+ /**
+ * implements plugin interface
+ */
+ xauth_pam_plugin_t public;
+
+ /**
+ * Listener
+ */
+ xauth_pam_listener_t *listener;
+
+};
+
+bool xauth_pam_method_register(private_xauth_pam_plugin_t *this,
plugin_feature_t *feature,
+ bool reg, void *data)
+{
+ /* (un-)register XAuth methods from plugin features */
+ xauth_method_register(this, feature, reg, data);
+ if (reg)
+ {
+ charon->bus->add_listener(charon->bus, &this->listener->listener);
+ }
+ else
+ {
+ charon->bus->remove_listener(charon->bus,
&this->listener->listener);
+ }
+ return TRUE;
+}
+
+
METHOD(plugin_t, get_name, char*,
- xauth_pam_plugin_t *this)
+ private_xauth_pam_plugin_t *this)
{
return "xauth-pam";
}
METHOD(plugin_t, get_features, int,
- xauth_pam_plugin_t *this, plugin_feature_t *features[])
+ private_xauth_pam_plugin_t *this, plugin_feature_t *features[])
{
static plugin_feature_t f[] = {
- PLUGIN_CALLBACK(xauth_method_register, xauth_pam_create_server),
+ PLUGIN_CALLBACK(xauth_pam_method_register,
xauth_pam_create_server),
PLUGIN_PROVIDE(XAUTH_SERVER, "pam"),
};
*features = f;
@@ -40,7 +77,7 @@ METHOD(plugin_t, get_features, int,
}
METHOD(plugin_t, destroy, void,
- xauth_pam_plugin_t *this)
+ private_xauth_pam_plugin_t *this)
{
free(this);
}
@@ -50,7 +87,7 @@ METHOD(plugin_t, destroy, void,
*/
plugin_t *xauth_pam_plugin_create()
{
- xauth_pam_plugin_t *this;
+ private_xauth_pam_plugin_t *this;
/* required for PAM authentication */
if (!lib->caps->keep(lib->caps, CAP_AUDIT_WRITE))
@@ -60,12 +97,15 @@ plugin_t *xauth_pam_plugin_create()
}
INIT(this,
- .plugin = {
- .get_name = _get_name,
- .get_features = _get_features,
- .destroy = _destroy,
+ .public = {
+ .plugin = {
+ .get_name = _get_name,
+ .get_features = _get_features,
+ .destroy = _destroy,
+ },
},
+ .listener = xauth_pam_listener_create(),
);
- return &this->plugin;
+ return &this->public.plugin;
}
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/dev/attachments/20131102/fd71fb7a/attachment.html>
More information about the Dev
mailing list