Changeset 535

Timestamp:
12/22/06 00:24:15 (2 years ago)
Author:
alo
Message:

--

Files:

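--- a/cherokee/trunk/ChangeLog
+++ b/cherokee/trunk/ChangeLog
@@ -1,2 +1,12 @@
+2006-12-22  Alvaro Lopez Ortega  <alvaro@alobbs.com>
+
+        * configure.in: Added test for the _pam_dispatch() function in the
+        libpam library. It defines the HAVE_PAM_DISPATCH macro.
+
+        * cherokee/validator_pam.c (cherokee_validator_pam_check): Now it
+        uses pam_fail_delay() and pam_authenticate() rather than
+        _pam_dispatch() if available. Patch by Marcus Rueckert
+        <darix@web.de>
+
 2006-12-21  A.D.F  <adefacc@tin.it>
 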
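--- a/cherokee/trunk/cherokee/validator_pam.c
+++ b/cherokee/trunk/cherokee/validator_pam.c
@@ -155,37 +155,47 @@
         }
 
-        /* NOTE:
-         * First of all, it's a really *awful* hack.  Said that, let's
-         * see the right way to authenticate a user is call:
-         *
-         *      ret = pam_authenticate (pamhandle, 0);
-         *
-         * Instead of it, this validator is calling:
-         *
-         *      ret = _pam_dispatch (pamhandle, 0, 1);
+        /* Try to authenticate user:
+         */
+#ifdef HAVE_PAM_FAIL_DELAY
+        ret = pam_fail_delay (pamhandle, 0);
+        if (ret != PAM_SUCCESS) {
+                cherokee_buffer_t msg = CHEROKEE_BUF_INIT;
+
+                cherokee_buffer_add_str (&msg, "Setting pam fail delay failed");
+                cherokee_logger_write_string (CONN_VSRV(conn)->logger, "%s", msg.buf);
+                cherokee_buffer_mrproper (&msg);
+
+                conn->error_code = http_internal_error;
+                return ret_error;
+        }
+
+        ret = pam_authenticate (pamhandle, 0);
+
+#elif defined(HAVE_PAM_DISPATCH)
+
+        /* If you can't set the delay to zero, you try to call one of
+         * the PAM internal functions. It is nasty, but reached this
+         * point it's the only thing you can do.
          *
-         * It is because pam_uthenticate() does a long delay if the
-         * user is not authenticated sucesfuly.  It is a huge problem
-         * if Cherokee is compiled without threading support because
-         * it will be frozen for some time until pam_authenticate()
-         * comes back.
-         *
-         * The second parameter: 0, is the flags
-         * The last one: 1, is PAM_AUTHENTICATE
-         */
-
-        /* Try to authenticate user:
+         * Parameters: The second one, 0, are the flags. The third
+         * means PAM_AUTHENTICATE
          */
         ret = _pam_dispatch (pamhandle, 0, 1);
+
+#else
+        PRINT_ERROR_S ("Unsupported PAM library\n");
+        goto unauthorized;
+#endif
+
         if (ret != PAM_SUCCESS) {
-                CHEROKEE_NEW(msg, buffer)
-
-                cherokee_buffer_add (msg, "PAM: user '", 11);
-                cherokee_buffer_add_buffer (msg, &conn->validator->user);
-                cherokee_buffer_add_va (msg, "' - not authenticated: %s", pam_strerror(pamhandle, ret));
-
-                cherokee_logger_write_string (CONN_VSRV(conn)->logger, "%s", msg->buf);
-
-                cherokee_buffer_free (msg);
+                cherokee_buffer_t msg = CHEROKEE_BUF_INIT
+
+                cherokee_buffer_add_str (&msg, "PAM: user '");
+                cherokee_buffer_add_buffer (&msg, &conn->validator->user);
+                cherokee_buffer_add_va (&msg, "' - not authenticated: %s", pam_strerror(pamhandle, ret));
+
+                cherokee_logger_write_string (CONN_VSRV(conn)->logger, "%s", msg.buf);
+                cherokee_buffer_mrproper (&msg);
+
                 goto unauthorized;
         }
@@ -195,13 +205,13 @@
         ret = pam_acct_mgmt (pamhandle, PAM_DISALLOW_NULL_AUTHTOK);
         if (ret != PAM_SUCCESS) {
-                CHEROKEE_NEW(msg, buffer)
-
-                cherokee_buffer_add (msg, "PAM: user '", 11);
-                cherokee_buffer_add_buffer (msg, &conn->validator->user);
-                cherokee_buffer_add_va (msg, "'  - invalid account: %s", pam_strerror(pamhandle, ret));
-
-                cherokee_logger_write_string (CONN_VSRV(conn)->logger, "%s", msg->buf);
-
-                cherokee_buffer_free (msg);
+                cherokee_buffer_t msg = CHEROKEE_BUF_INIT
+
+                cherokee_buffer_add_str (&msg, "PAM: user '");
+                cherokee_buffer_add_buffer (&msg, &conn->validator->user);
+                cherokee_buffer_add_va (&msg, "'  - invalid account: %s", pam_strerror(pamhandle, ret));
+
+                cherokee_logger_write_string (CONN_VSRV(conn)->logger, "%s", msg.buf);
+                cherokee_buffer_mrproper (&msg);
+
                 goto unauthorized;
         }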
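Review bot: The new `pam_fail_delay()` failure branch exits with `return ret_error;` while every other failure in this section uses `goto unauthorized;`, so if that label (outside the visible lines) is where the PAM handle is released, this path skips it. Calling `pam_end (pamhandle, ret);` before the return would keep the cleanup consistent. Separately, `pam_fail_delay (pamhandle, 0)` only suggests a minimum: Linux-PAM applies the longest delay requested by any module or the application, so a module that asks for its own delay still blocks a non-threaded server. The documented way for an event-driven application to take over the delay is a callback registered via `pam_set_item()` with `PAM_FAIL_DELAY`, and the server then needs its own throttling of failed logins. The enclosing function starts and ends outside this section.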
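--- a/cherokee/trunk/configure.in
+++ b/cherokee/trunk/configure.in
@@ -803,9 +803,16 @@
 AC_ARG_ENABLE(pam, AC_HELP_STRING([--disable-pam],[Disable PAM support]), use_pam="$enableval", use_pam="yes")
 if test "x$use_pam" = "xyes"; then
-     AC_CHECK_LIB(pam, _pam_dispatch, have_pam=yes, have_pam=no)
+     AC_CHECK_LIB(pam, pam_start, have_pam=yes, have_pam=no)
+     AC_CHECK_LIB(pam, _pam_dispatch, have_pam_dispatch=yes, have_pam_dispatch=no)
      AC_CHECK_HEADER(security/pam_modules.h, have_pam_include=yes, have_pam_include=no)
      AC_CHECK_HEADERS(security/_pam_macros.h security/pam_appl.h)
 fi
+
 AM_CONDITIONAL(HAVE_PAM, test "$have_pam $have_pam_include" = "yes yes")
+
+if test "$have_pam_dispatch" = "yes"; then
+        AC_DEFINE(HAVE_PAM_DISPATCH, 1, [Have _pam_dispatch function])
+fi
+
 
 dnl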
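Review bot: Nothing in this section defines `HAVE_PAM_FAIL_DELAY`, which the new `#ifdef` in validator_pam.c tests first; unless it is defined elsewhere in configure.in, the build always falls through to the `_pam_dispatch` branch and the public `pam_authenticate()` path is never compiled. A check such as `AC_CHECK_LIB(pam, pam_fail_delay, [AC_DEFINE(HAVE_PAM_FAIL_DELAY, 1, [Have pam_fail_delay function])])` next to the `_pam_dispatch` test would enable it. Also, now that `have_pam` depends only on `pam_start`, a libpam that offers neither function still builds the validator, and every request then ends in the `Unsupported PAM library` branch at run time. That branch fails closed, but stopping at configure time would surface the problem earlier.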