From 48df96792e41ff14f101fbb9829a059b0cdd3879 Mon Sep 17 00:00:00 2001 From: Ted Gould Date: Tue, 28 Aug 2012 08:58:18 -0500 Subject: Saving the values once we get them --- src/pam-freerdp.c | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) (limited to 'src/pam-freerdp.c') diff --git a/src/pam-freerdp.c b/src/pam-freerdp.c index d1a6578..63b6baf 100644 --- a/src/pam-freerdp.c +++ b/src/pam-freerdp.c @@ -32,6 +32,8 @@ #define PAM_TYPE_DOMAIN 1234 +static char * global_domain = NULL; + /* Either grab a value or prompt for it */ static char * get_item (pam_handle_t * pamh, int type) @@ -43,6 +45,10 @@ get_item (pam_handle_t * pamh, int type) if (pam_get_item(pamh, type, (const void **)&value) == PAM_SUCCESS && value != NULL) { return strdup(value); } + } else { + if (global_domain != NULL) { + return strdup(global_domain); + } } /* Now we need to prompt */ @@ -103,6 +109,17 @@ get_item (pam_handle_t * pamh, int type) } } + if (retval != NULL) { /* Can't believe it really would be at this point, but let's be sure */ + if (type != PAM_TYPE_DOMAIN) { + pam_set_item(pamh, type, (const void *)retval); + } else { + if (global_domain != NULL) { + free(global_domain); + } + global_domain = strdup(retval); + } + } + return retval; } -- cgit v1.2.3 From edbe36fbccacebc2de6d15d0bfa3d480dd69a135 Mon Sep 17 00:00:00 2001 From: Ted Gould Date: Tue, 28 Aug 2012 09:00:55 -0500 Subject: Remove an unused define (cleanup) --- src/pam-freerdp.c | 3 --- 1 file changed, 3 deletions(-) (limited to 'src/pam-freerdp.c') diff --git a/src/pam-freerdp.c b/src/pam-freerdp.c index 63b6baf..00b84db 100644 --- a/src/pam-freerdp.c +++ b/src/pam-freerdp.c @@ -129,9 +129,6 @@ get_item (pam_handle_t * pamh, int type) goto done; \ } -/* TODO: Make this a build thing */ -#define XFREERDP "/usr/bin/xfreerdp" - /* Authenticate. We need to make sure we have a user account, that there are remote accounts and then verify them with FreeRDP */ PAM_EXTERN int -- cgit v1.2.3 
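Review bot: The domain cached in the file-scope `global_domain` (declared in the `@@ -32,6 +32,8 @@` hunk, read in the new `else` branch of `@@ -43,6 +45,10 @@`, written in `@@ -103,6 +109,17 @@`) is shared by every PAM handle in the process and is never released. In a long-lived host process that authenticates several users in turn, a later `get_item(pamh, PAM_TYPE_DOMAIN)` call would return the previous user's domain without prompting. Keeping the copy per handle with `pam_set_data()` under a module-specific key, with a cleanup callback that frees it, would scope the value to one transaction. In the last hunk the results of `pam_set_item()` and `strdup()` are also ignored; a comment there should say that a failed save only means the value is prompted for again. get_item's body extends beyond these hunks.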
From 645af42abcb4b3ac922705751d134d31d8959912 Mon Sep 17 00:00:00 2001 From: Ted Gould Date: Tue, 28 Aug 2012 10:07:02 -0500 Subject: Protecting from a crazy thing that LightDM does --- src/pam-freerdp.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'src/pam-freerdp.c') diff --git a/src/pam-freerdp.c b/src/pam-freerdp.c index 00b84db..8331a27 100644 --- a/src/pam-freerdp.c +++ b/src/pam-freerdp.c @@ -86,7 +86,7 @@ get_item (pam_handle_t * pamh, int type) } struct pam_response * responses = NULL; - if (conv->conv(1, &pmessage, &responses, conv->appdata_ptr) != PAM_SUCCESS) { + if (conv->conv(1, &pmessage, &responses, conv->appdata_ptr) != PAM_SUCCESS || responses == NULL) { return NULL; } -- cgit v1.2.3 From 817ff829b60891959d4b947fbd79c7bd3e2e67dd Mon Sep 17 00:00:00 2001 From: Ted Gould Date: Tue, 28 Aug 2012 14:17:50 -0500 Subject: Caching the password between authenticate and open_session --- src/pam-freerdp.c | 14 ++++++++++++++ 1 file changed, 14 insertions(+) (limited to 'src/pam-freerdp.c') diff --git a/src/pam-freerdp.c b/src/pam-freerdp.c index 8331a27..e284619 100644 --- a/src/pam-freerdp.c +++ b/src/pam-freerdp.c @@ -33,6 +33,11 @@ #define PAM_TYPE_DOMAIN 1234 static char * global_domain = NULL; +/* FIXME? This is a work around to the fact that PAM seems to be clearing + the auth token between authorize and open_session. Which then requires + us to save it. Seems like we're the wrong people to do it, but we have + no choice */ +static char * global_password = NULL; /* Either grab a value or prompt for it */ static char * @@ -45,6 +50,9 @@ get_item (pam_handle_t * pamh, int type) if (pam_get_item(pamh, type, (const void **)&value) == PAM_SUCCESS && value != NULL) { return strdup(value); } + if (type == PAM_AUTHTOK && global_password != NULL) { + return strdup(global_password); + } } else { if (global_domain != NULL) { return strdup(global_domain); 
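Review bot: The added `|| responses == NULL` guard in the `@@ -86,7 +86,7 @@` hunk stops at the array pointer, so a conversation function that returns PAM_SUCCESS with an allocated response whose `resp` member is NULL still gets through. Whether the code after this hunk tests `responses->resp` before duplicating it is not visible here; if it does not, that check belongs right after this one, freeing `responses` on the failure path. A short comment such as `/* Some conversation functions (seen with LightDM) report success without allocating a response */` would keep the reason next to the check instead of only in the commit subject.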
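Review bot: `global_password` keeps the cleartext auth token in a process-wide static, and the new fallback in get_item (`if (type == PAM_AUTHTOK && global_password != NULL)`) returns it to any PAM handle in the process, not only to the one that authenticated. In a host that serves more than one login per process, a later transaction with no PAM_AUTHTOK set would silently receive the previous user's password, and nothing in these hunks clears the copy when the session ends. Storing it with `pam_set_data()` under a module-specific key, with a cleanup callback that zeroes and frees the buffer, ties the secret to the handle and gives it a defined end of life. The same applies to the store in the `@@ -118,6 +126,12 @@` hunk, where the result of `strdup(retval)` is also unchecked.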
@@ -118,6 +126,12 @@ get_item (pam_handle_t * pamh, int type) } global_domain = strdup(retval); } + if (type == PAM_AUTHTOK) { + if (global_password != NULL) { + free(global_password); + } + global_password = strdup(retval); + } } return retval; -- cgit v1.2.3 From 6e7601e14089a79aec2accfa800c259049449b8e Mon Sep 17 00:00:00 2001 From: Ted Gould Date: Tue, 28 Aug 2012 14:24:43 -0500 Subject: Now that we have long running memory with a password in it, we need to lock it down --- src/pam-freerdp.c | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'src/pam-freerdp.c') diff --git a/src/pam-freerdp.c b/src/pam-freerdp.c index e284619..f635162 100644 --- a/src/pam-freerdp.c +++ b/src/pam-freerdp.c @@ -23,6 +23,7 @@ #include #include #include +#include #include #include @@ -128,9 +129,12 @@ get_item (pam_handle_t * pamh, int type) } if (type == PAM_AUTHTOK) { if (global_password != NULL) { + memset(global_password, 0, strlen(global_password)); + munlock(global_password, strlen(global_password)); free(global_password); } global_password = strdup(retval); + mlock(global_password, strlen(global_password)); } } -- cgit v1.2.3
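Review bot: In the `@@ -128,9 +129,12 @@` hunk, `munlock(global_password, strlen(global_password))` runs after the `memset`, so the length it passes is already 0 and the old buffer's pages stay locked when it is freed. The plain `memset` directly before `free` is a dead store that the compiler may drop, both lengths omit the terminating NUL, and `strlen(global_password)` in the new `mlock` call dereferences NULL if `strdup` fails. The return value of `mlock` is ignored too, so a process that hits RLIMIT_MEMLOCK keeps the secret in swappable memory with no indication. The fence measures the length once, wipes with `explicit_bzero` (where the libc provides it) and guards the `strdup` result. The copies get_item hands back to its callers are separate allocations that this locking does not cover; that code is outside the hunk.

```c
	if (global_password != NULL) {
		/* Measure before wiping: strlen() returns 0 once the buffer is zeroed */
		size_t old_len = strlen(global_password) + 1;
		explicit_bzero(global_password, old_len);
		munlock(global_password, old_len);
		free(global_password);
	}
	global_password = strdup(retval);
	if (global_password != NULL) {
		/* Include the terminator; a failure here should at least be logged */
		mlock(global_password, strlen(global_password) + 1);
	}
```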