Addition of _pam_verify for using PAM auth in NMIS

Opmantek · Jul 9, 2019 · 767e8d7 · 767e8d7
1 parent 623be64
commit 767e8d7
Showing 1 changed file with 57 additions and 0 deletions.
diff --git a/lib/Auth.pm b/lib/Auth.pm
@@ -485,6 +485,9 @@ sub user_verify {
 		} elsif ( $auth eq "connectwise" ) {
 			$exit = $self->_connectwise_verify($u,$p);
 		}
+		  elsif ( $auth eq "pam" ) {
+			$exit = $self->_pam_verify($u,$p);
+		}
 
 		if ($exit) {
 			#Redundant logging
@@ -1199,6 +1202,60 @@ sub do_login_banner {
 # by Sinclair Internetworking Ltd Pty and covered under the GNU GPL.
 #
 
+sub _pam_verify 
+{
+	my ($self, $user, $password) = @_;
+
+	eval { require Authen::PAM; };
+	if ($@) 
+	{
+		logAuth("ERROR, failed to load Authen::PAM module: $@");
+		return 0;
+	}
+
+	# let's authenticate with the rules for our own service, 'nmis'; 
+	# pam falls back to the rules for service 'other' if n/a
+
+	# NOTE that if pam_unix is involved, then /etc/shadow must be readable by the
+	# calling user, ie. the webserver
+	my $pamhandle = Authen::PAM->new("nmis", $user,				# can also be passed via conversation function
+												 # use closure to control visilibity of the password
+												 sub { 
+													 my @messages = @_; # see man pam_conv
+													 my @responses;
+													 while (@messages)
+													 {
+														 my ($code, $msg) = (shift @messages, shift @messages);
+														 if ($msg =~ /login/i && $code == Authen::PAM::PAM_PROMPT_ECHO_ON())
+														 {
+															 push @responses, Authen::PAM::PAM_SUCCESS(), $user;
+														 }
+														 elsif ($msg =~ /password/i && $code == Authen::PAM::PAM_PROMPT_ECHO_OFF())
+														 {
+															 push @responses, Authen::PAM::PAM_SUCCESS(), $password;
+														 }
+													 }
+													 push @responses, Authen::PAM::PAM_SUCCESS();
+													 return @responses; 
+												 });
+	if (ref($pamhandle) ne "Authen::PAM")
+	{
+		logAuth("ERROR, failed to instantiate PAM object: ".Authen::PAM::pam_strerror($pamhandle));
+		return 0;
+	}
+
+	# failure of these two isn't vital for auth
+	$pamhandle->pam_set_item(Authen::PAM::PAM_RUSER(), $user);
+	$pamhandle->pam_set_item(Authen::PAM::PAM_RHOST(), CGI::remote_addr());
+
+	# time to go!
+	my $res = $pamhandle->pam_authenticate();
+	return 1 if ($res == Authen::PAM::PAM_SUCCESS());
+
+	logAuth("ERROR, PAM authentication failed: "
+			. $pamhandle->pam_strerror($res));
+	return 0;
+ }
 sub _radius_verify {
 	my $self = shift;
 	my($user, $pswd) = @_;