Pam-Handler added

bareos · May 29, 2018 · be62daa · be62daa
1 parent e5cda3f
commit be62daa
Show file tree

Hide file tree

Showing 11 changed files with 162 additions and 25 deletions.
diff --git a/core/cmake/BareosFindAllLibraries.cmake b/core/cmake/BareosFindAllLibraries.cmake
@@ -58,6 +58,8 @@ BareosFindLibraryAndHeaders("cap" "sys/capability.h")
 BareosFindLibraryAndHeaders("gfapi" "glusterfs/api/glfs.h")
 BareosFindLibraryAndHeaders("droplet" "droplet.h")
 
+BareosFindLibraryAndHeaders("pam" "security/pam_appl.h")
+
 BareosFindLibraryAndHeaders("lzo2" "lzo/lzoconf.h")
 if (${LZO2_FOUND})
    SET(HAVE_LZO 1)

diff --git a/core/src/dird/CMakeLists.txt b/core/src/dird/CMakeLists.txt
@@ -68,7 +68,7 @@ set(BAREOS_DIR_LIBRARIES
    bareosfind
    ${LMDB_LIBS}
    ${NDMP_LIBS}
-   )
+)
 
 IF(HAVE_WIN32)
    LIST(APPEND BAREOS_DIR_LIBRARIES
@@ -98,7 +98,6 @@ target_link_libraries(bareos-dbcheck
 #                      jansson ${OPENSSL_LIBS} acl cap lzo2
 #)
 
-
 INSTALL(TARGETS bareos-dir bareos-dbcheck DESTINATION "${sbindir}")
 INSTALL(FILES query.sql DESTINATION "${scriptdir}")
 

diff --git a/core/src/dird/dird.cc b/core/src/dird/dird.cc
@@ -689,9 +689,9 @@ static int me_psk_server_callback(const char *identity,
    return result;
 }
 
-static int ConsPskServerCallback(const char *identity, unsigned char *psk, unsigned int max_psk_len) {
+static int cons_psk_server_callback(const char *identity, unsigned char *psk, unsigned int max_psk_len) {
 
-   Dmsg0(100, "ConsPskServerCallback");
+   Dmsg0(100, "cons_psk_server_callback");
    Dmsg1(100, "Received identity '%s'\n", identity);
 
    char *psk_key = (char *)"1A1A1A1A1A1A1A1A1A1A1A1A1A1A1A1A";

diff --git a/core/src/dird/socket_server.cc b/core/src/dird/socket_server.cc
@@ -62,7 +62,7 @@ ConnectionPool *get_client_connections()
    return client_connections;
 }
 
-static void *handle_connection_request(void *arg)
+static void *HandleConnectionRequest(void *arg)
 {
    BareosSocket *bs = (BareosSocket *)arg;
    char name[MAX_NAME_LENGTH];
@@ -95,10 +95,10 @@ static void *handle_connection_request(void *arg)
    if ((sscanf(bs->msg, hello_client_with_version, name, &fd_protocol_version) == 2) ||
        (sscanf(bs->msg, hello_client, name) == 1)) {
       Dmsg1(110, "Got a FD connection at %s\n", bstrftimes(tbuf, sizeof(tbuf), (utime_t)time(NULL)));
-      return handle_filed_connection(client_connections, bs, name, fd_protocol_version);
+      return HandleFiledConnection(client_connections, bs, name, fd_protocol_version);
    }
 
-   return handle_UA_client_request(bs);
+   return HandleUserAgentClientRequest(bs);
 }
 
 extern "C" void *connect_thread(void *arg)
@@ -115,7 +115,7 @@ extern "C" void *connect_thread(void *arg)
                           sock_fds,
                           &socket_workq,
                           me->nokeepalive,
-                          handle_connection_request);
+                          HandleConnectionRequest);
 
    return NULL;
 }

diff --git a/core/src/dird/ua_server.cc b/core/src/dird/ua_server.cc
@@ -38,6 +38,7 @@
 #include "dird/ua_output.h"
 #include "dird/ua_server.h"
 #include "lib/bnet.h"
+#include "lib/pam_handler.h"
 
 /* Imported variables */
 
@@ -75,7 +76,7 @@ JobControlRecord *new_control_jcr(const char *base_name, int job_type)
 /**
  * Handle Director User Agent commands
  */
-void *handle_UA_client_request(BareosSocket *user)
+void *HandleUserAgentClientRequest(BareosSocket *user_agent_socket)
 {
    int status;
    UaContext *ua;
@@ -86,19 +87,24 @@ void *handle_UA_client_request(BareosSocket *user)
    jcr = new_control_jcr("-Console-", JT_CONSOLE);
 
    ua = new_ua_context(jcr);
-   ua->UA_sock = user;
+   ua->UA_sock = user_agent_socket;
    SetJcrInTsd(INVALID_JCR);
 
    if (!AuthenticateUserAgent(ua)) {
       goto getout;
    }
 
+   if (!pam_authenticate_useragent("user", "passwocht")) {
+      goto getout;
+   }
+
+
    while (!ua->quit) {
       if (ua->api) {
-         user->signal(BNET_MAIN_PROMPT);
+         user_agent_socket->signal(BNET_MAIN_PROMPT);
       }
 
-      status = user->recv();
+      status = user_agent_socket->recv();
       if (status >= 0) {
          PmStrcpy(ua->cmd, ua->UA_sock->msg);
          ParseUaArgs(ua);
@@ -114,30 +120,30 @@ void *handle_UA_client_request(BareosSocket *user)
                   ua->user_notified_msg_pending = false;
                } else if (!ua->gui && !ua->user_notified_msg_pending && console_msg_pending) {
                   if (ua->api) {
-                     user->signal(BNET_MSGS_PENDING);
+                     user_agent_socket->signal(BNET_MSGS_PENDING);
                   } else {
                      bsendmsg(ua, _("You have messages.\n"));
                   }
                   ua->user_notified_msg_pending = true;
                }
             }
             if (!ua->api) {
-               user->signal(BNET_EOD); /* send end of command */
+               user_agent_socket->signal(BNET_EOD); /* send end of command */
             }
          }
       } else if (IsBnetStop(user)) {
          ua->quit = true;
       } else { /* signal */
-         user->signal(BNET_POLL);
+         user_agent_socket->signal(BNET_POLL);
       }
    }
 
 getout:
    CloseDb(ua);
    FreeUaContext(ua);
    FreeJcr(jcr);
-   user->close();
-   delete user;
+   user_agent_socket->close();
+   delete user_agent_socket;
 
    return NULL;
 }

diff --git a/core/src/filed/filed.cc b/core/src/filed/filed.cc
@@ -37,7 +37,7 @@
 #include "lib/bsignal.h"
 
 /* Imported Functions */
-extern void *handle_connection_request(void *dir_sock);
+extern void *HandleConnectionRequest(void *dir_sock);
 extern void PrintMessage(void *sock, const char *fmt, ...);
 
 /* Forward referenced functions */

diff --git a/core/src/filed/socket_server.cc b/core/src/filed/socket_server.cc
@@ -51,7 +51,7 @@ static alist *sock_fds = NULL;
  *  - If it was a connection from an SD, call handle_stored_connection()
  *  - Otherwise it was a connection from the DIR, call handle_director_connection()
  */
-static void *handle_connection_request(void *arg)
+static void *HandleConnectionRequest(void *arg)
 {
    BareosSocket *bs = (BareosSocket *)arg;
    char tbuf[100];
@@ -109,7 +109,7 @@ void StartSocketServer(dlist *addrs)
                           sock_fds,
                           &socket_workq,
                           me->nokeepalive,
-                          handle_connection_request);
+                          HandleConnectionRequest);
 }
 
 void StopSocketServer(bool wait)

diff --git a/core/src/lib/CMakeLists.txt b/core/src/lib/CMakeLists.txt
@@ -26,7 +26,8 @@ include_directories(../include ..
    ${LZO2_INCLUDE_DIRS}
    ${CAP_INCLUDE_DIRS}
    ${WRAP_INCLUDE_DIRS}
-   )
+   ${PAM_INCLUDE_DIRS}
+)
 
 set(INCLUDE_FILES ../include/baconfig.h ../include/bareos.h
 		../include/bc_types.h ../include/config.h
@@ -55,7 +56,7 @@ set (BAREOS_SRCS  address_conf.cc alist.cc attr.cc attribs.cc base64.cc
    queue.cc rblist.cc runscript.cc rwlock.cc scan.cc scsi_crypto.cc  scsi_lli.cc
    sellist.cc serial.cc sha1.cc signal.cc  smartall.cc
    tls_gnutls.cc tls_none.cc tls_nss.cc tls_conf.cc tls_openssl.cc tree.cc util.cc var.cc
-   watchdog.cc workq.cc)
+   watchdog.cc workq.cc pam_handler.cc pam_handler.h)
 
 IF(HAVE_WIN32)
    LIST(APPEND BAREOS_SRCS
@@ -74,7 +75,7 @@ add_library(bareos SHARED ${BAREOS_SRCS})
 target_link_libraries(bareos
    ${OPENSSL_LIBRARIES} ${PTHREAD_LIBRARIES} ${FASTLZ_LIBRARIES} ${ZLIB_LIBRARIES}
    ${ACL_LIBRARIES} ${LZO2_LIBRARIES} ${CAP_LIBRARIES} ${WRAP_LIBRARIES} ${CAM_LIBRARIES}
-   ${WINDOWS_LIBRARIES} ${JANSSON_LIBRARIES})
+   ${WINDOWS_LIBRARIES} ${JANSSON_LIBRARIES} ${PAM_LIBRARIES})
 
 set (BAREOSCFG_SRCS ini.cc lex.cc parse_bsr.cc )
 

diff --git a/core/src/lib/pam_handler.cc b/core/src/lib/pam_handler.cc
@@ -0,0 +1,121 @@
+//
+// Created by torsten on 17.04.18.
+//
+#include "pam_handler.h"
+
+#include "bareos.h"
+#include <cstring>
+#include <security/pam_appl.h>
+
+static const int debuglevel = 200;
+
+static const std::string service_name("bareos");
+
+
+class PamData {
+   std::string username_;
+   std::string password_;
+
+public:
+   PamData(std::string username, std::string password) {
+      username_ = username;
+      password_ = password;
+   }
+
+private:
+   inline int callback(int num_msg, const struct pam_message **msg, struct pam_response **resp) const;
+   bool send(struct pam_response **response, const char *data) const;
+};
+
+/// this is the PAM Handler Callback
+int PamData::callback(
+   int num_msg,
+   const struct pam_message **msg,
+   struct pam_response **resp
+) const {
+   if (!msg || !*msg || !resp) {
+      return PAM_BUF_ERR;
+   }
+
+   const pam_message *m = *msg;
+
+   if ((*resp = static_cast<pam_response *>(calloc(num_msg, sizeof(struct pam_response)))) == nullptr) {
+      return PAM_BUF_ERR;
+   }
+
+   switch ((*msg)->msg_style) {
+      case PAM_PROMPT_ECHO_OFF: {
+         return send(resp, password_.c_str()) ? PAM_SUCCESS : PAM_CONV_ERR;
+      }
+      case PAM_PROMPT_ECHO_ON: {
+         return send(resp, username_.c_str()) ? PAM_SUCCESS : PAM_CONV_ERR;
+      }
+      case PAM_ERROR_MSG:
+      case PAM_TEXT_INFO:
+      default: {
+         (void) fprintf(stderr, "message[%d]: unknown type %d/val=\"%s\"\n",
+                        1, m->msg_style, m->msg);
+         /* error, service module won't clean up */
+      }
+   }
+   free(resp);
+   *resp = NULL;
+   return PAM_CONV_ERR;
+}
+
+bool PamData::send(
+   struct pam_response **response,
+   const char *data) const {
+   struct pam_response *resp =
+      (struct pam_response *) calloc(1, sizeof(struct pam_response));
+
+   if (!resp) {
+      return false;
+   }
+   resp->resp = bstrdup(data);
+   resp->resp_retcode = resp->resp ? PAM_SUCCESS : PAM_BUF_ERR;
+   *response = resp;
+   return true;
+}
+
+/// PAM-Callback calls Bareos PAM-Handler
+static int conv(int num_msg, const struct pam_message **msg, struct pam_response **resp, void *appdata_ptr) {
+   const pam_message *m = *msg;
+   struct pam_response *r;
+
+   PamData *pam_data = reinterpret_cast<PamData *>(appdata_ptr);
+
+}
+
+bool pam_authenticate_useragent(std::string username, std::string password) {
+
+   PamData pam_data(username, password);
+
+   const struct pam_conv pam_conversation = {conv, (void *) &pam_data};
+
+   pam_handle_t *pamh = nullptr;
+
+   /* START */
+   int err = pam_start(service_name.c_str(),
+                       username.c_str(),
+                       &pam_conversation,
+                       &pamh);
+   if (err != PAM_SUCCESS) {
+      Dmsg1(debuglevel, "PAM start failed: %s", pam_strerror(pamh, err));
+   }
+
+   /* AUTHENTICATE */
+   err = pam_authenticate(pamh, 0);
+   if (err != PAM_SUCCESS) {
+      Dmsg1(debuglevel, "PAM authentication failed: %s", pam_strerror(pamh, err));
+   }
+
+   /* END */
+   err = pam_end(pamh, err);
+   if (err != PAM_SUCCESS) {
+      Dmsg1(debuglevel, "PAM end failed: %s", pam_strerror(pamh, err));
+   }
+
+   return err == 0;
+}
+
diff --git a/core/src/lib/pam_handler.h b/core/src/lib/pam_handler.h
@@ -0,0 +1,8 @@
+#ifndef BAREOS_PAM_H
+#define BAREOS_PAM_H
+
+#include <string>
+
+bool pam_authenticate_useragent(std::string username, std::string password);
+
+#endif //BAREOS_PAM_H
diff --git a/core/src/stored/socket_server.cc b/core/src/stored/socket_server.cc
@@ -57,7 +57,7 @@ static pthread_t tcp_server_tid;
  *  - If it was a connection from another SD, call handle_stored_connection()
  *  - Otherwise it was a connection from the DIR, call handle_director_connection()
  */
-static void *handle_connection_request(void *arg)
+static void *HandleConnectionRequest(void *arg)
 {
    BareosSocket *bs = (BareosSocket *)arg;
    char name[MAX_NAME_LENGTH];
@@ -123,7 +123,7 @@ void StartSocketServer(dlist *addrs)
                           sock_fds,
                           &socket_workq,
                           me->nokeepalive,
-                          handle_connection_request);
+                          HandleConnectionRequest);
 }
 
 void StopSocketServer()