Enough that it's likely to authenticate. Though, lots of TODOs at this point

1 files changed, 139 insertions, 1 deletions

diff --git a/src/pam-freerdp.c b/src/pam-freerdp.c
index 539cd0d..edf9eca 100644
--- a/src/pam-freerdp.c
+++ b/src/pam-freerdp.c
@@ -1,12 +1,150 @@
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+#include <sys/wait.h>
+
 #include <security/pam_modules.h>
 #include <security/pam_modutil.h>
+#include <security/pam_appl.h>
+
+#define PAM_TYPE_DOMAIN  1234
+
+/* Either grab a value or prompt for it */
+static char *
+get_item (pam_handle_t * pamh, int type)
+{
+	/* Check to see if we just have the value.  If we do, great
+	   let's dup it some we're consitently allocating memory */
+	if (type != PAM_TYPE_DOMAIN) {
+		char * value;
+		if (pam_get_item(pamh, type, (const void **)&value) == PAM_SUCCESS) {
+			return strdup(value);
+		}
+	}
+	/* Now we need to prompt */
+
+	/* Build up the message we're prompting for */
+	struct pam_message message[1];
+	message[0].msg_style = PAM_PROMPT_ECHO_ON;
+
+	switch (type) {
+	case PAM_USER:
+		message[0].msg = "login:";
+		break;
+	case PAM_RUSER:
+		message[0].msg = "remote login:";
+		break;
+	case PAM_RHOST:
+		message[0].msg = "remote host:";
+		break;
+	case PAM_AUTHTOK:
+		message[0].msg = "password:";
+		message[0].msg_style = PAM_PROMPT_ECHO_OFF;
+		break;
+	case PAM_TYPE_DOMAIN:
+		message[0].msg = "domain:";
+		break;
+	default:
+		return NULL;
+	}
+
+	struct pam_conv conv;
+	if (pam_get_item(pamh, PAM_CONV, (const void **)&conv) != PAM_SUCCESS) {
+		return NULL;
+	}
+
+	struct pam_response * responses = NULL;
+	if (conv.conv(1, (const struct pam_message **)&message, &responses, conv.appdata_ptr) != PAM_SUCCESS) {
+		return NULL;
+	}
+
+	char * retval = responses->resp;
+	free(responses);
+	return retval;
+}
+
+#define GET_ITEM(val, type) \
+	if ((val = get_item(pamh, type)) == NULL) { \
+		retval = PAM_AUTH_ERR; \
+		goto done; \
+	}
+
+/* TODO: Make this a build thing */
+#define XFREERDP "/usr/bin/xfreerdp"
 
 /* Authenticate.  We need to make sure we have a user account, that
    there are remote accounts and then verify them with FreeRDP */
 PAM_EXTERN int
 pam_sm_authenticate (pam_handle_t *pamh, int flags, int argc, const char **argv)
 {
-	return PAM_IGNORE;
+	char * username = NULL;
+	char * password = NULL;
+	char * ruser = NULL;
+	char * rhost = NULL;
+	char * rdomain = NULL;
+	int retval = PAM_IGNORE;
+
+	/* Get all the values, or prompt for them, or return with
+	   an auth error */
+	GET_ITEM(username, PAM_USER);
+	GET_ITEM(ruser,    PAM_RUSER);
+	GET_ITEM(rhost,    PAM_RHOST);
+	GET_ITEM(rdomain,  PAM_TYPE_DOMAIN);
+	GET_ITEM(password, PAM_AUTHTOK);
+
+	/* At this point we should have the values, let's check the auth */
+	pid_t pid;
+	switch (pid = fork()) {
+	case 0: { /* child */
+		char * args[13];
+		args[0] = XFREERDP;
+		args[1] = "--plugin";
+		args[2] = "rdpsnd.so";
+		args[3] = "--no-nla";
+		args[4] = "-f";
+		args[5] = "--ignore-certificate"; /* TODO: Change when we set the home directory properly */
+		
+		/* TODO: Use stdin */
+		args[6] = "-u";
+		args[7] = ruser;
+		args[8] = "-p";
+		args[9] = password;
+		args[10] = "-d";
+		args[11] = rdomain;
+
+		args[12] = NULL;
+
+		/* TODO: Drop privs */
+		/* TODO: Home directory environment to user's home */
+		execvp(args[0], args);
+		_exit(EXIT_FAILURE);
+		break;
+	}
+	case -1: { /* fork'n error! */
+		retval = PAM_SYSTEM_ERR;
+		break;
+	}
+	default: {
+		int forkret = 0;
+		if (waitpid(pid, &forkret, 0) < 0) {
+			retval = PAM_SYSTEM_ERR;
+		} else if (forkret == 0) {
+			retval = PAM_SUCCESS;
+		} else {
+			retval = PAM_AUTH_ERR;
+		}
+	}
+	}
+
+	/* Free Memory and return our status */
+done:
+	if (username != NULL) { free(username); }
+	if (password != NULL) { free(password); }
+	if (ruser != NULL)    { free(ruser); }
+	if (rhost != NULL)    { free(rhost); }
+	if (rdomain != NULL)  { free(rdomain); }
+
+	return retval;
 }
 
 /* Open Session.  Here we need to fork a little process so that we can