director: added configuration parameter UsePamAuthentication

- general console
- named console

core/src/dird/auth_pam.cc

@@ -139,7 +139,7 @@ static int PamConversionCallback(int num_msg, const struct pam_message **msgm,
    return PAM_SUCCESS;
 }
 
-bool PamAuthenticateUseragent(BareosSocket *UA_sock, std::string username)
+bool PamAuthenticateUseragent(BareosSocket *UA_sock, const std::string &username)
 {
    std::unique_ptr<PamData> pam_callback_data(new PamData(UA_sock, username));
    std::unique_ptr<struct pam_conv> pam_conversation_container(new struct pam_conv);
@@ -148,7 +148,8 @@ bool PamAuthenticateUseragent(BareosSocket *UA_sock, std::string username)
    pam_conversation_container->conv = PamConversionCallback;
    pam_conversation_container->appdata_ptr = pam_callback_data.get();
 
-   int err = pam_start(service_name.c_str(), nullptr, pam_conversation_container.get(), &pamh);
+   int err = pam_start(service_name.c_str(), username.c_str(),
+                      pam_conversation_container.get(), &pamh);
    if (err != PAM_SUCCESS) {
       Dmsg1(debuglevel, "PAM start failed: %s\n", pam_strerror(pamh, err));
    }

core/src/dird/auth_pam.h

@@ -25,6 +25,6 @@
 #include <string>
 
 class BareosSocket;
-bool PamAuthenticateUseragent(BareosSocket *UA_sock, std::string username);
+bool PamAuthenticateUseragent(BareosSocket *UA_sock, const std::string &username);
 
 #endif /* BAREOS_DIRD_AUTH_PAM_H_ */

core/src/dird/dird_conf.cc

@@ -124,6 +124,7 @@ static ResourceItem dir_items[] = {
    { "MaximumConnections", CFG_TYPE_PINT32, ITEM(res_dir.MaxConnections), 0, CFG_ITEM_DEFAULT, "30", NULL, NULL },
    { "MaximumConsoleConnections", CFG_TYPE_PINT32, ITEM(res_dir.MaxConsoleConnections), 0, CFG_ITEM_DEFAULT, "20", NULL, NULL },
    { "Password", CFG_TYPE_AUTOPASSWORD, ITEM(res_dir.password), 0, CFG_ITEM_REQUIRED, NULL, NULL, NULL },
+   { "UsePamAuthentication", CFG_TYPE_BOOL, ITEM(res_dir.use_pam_authentication), 0, CFG_ITEM_DEFAULT, "false", NULL, NULL },
    { "FdConnectTimeout", CFG_TYPE_TIME, ITEM(res_dir.FDConnectTimeout), 0, CFG_ITEM_DEFAULT, "180" /* 3 minutes */, NULL, NULL },
    { "SdConnectTimeout", CFG_TYPE_TIME, ITEM(res_dir.SDConnectTimeout), 0, CFG_ITEM_DEFAULT, "1800" /* 30 minutes */, NULL, NULL },
    { "HeartbeatInterval", CFG_TYPE_TIME, ITEM(res_dir.heartbeat_interval), 0, CFG_ITEM_DEFAULT, "0", NULL, NULL },
@@ -191,6 +192,7 @@ static ResourceItem con_items[] = {
    { "Name", CFG_TYPE_NAME, ITEM(res_con.hdr.name), 0, CFG_ITEM_REQUIRED, NULL, NULL, NULL },
    { "Description", CFG_TYPE_STR, ITEM(res_con.hdr.desc), 0, 0, NULL, NULL, NULL },
    { "Password", CFG_TYPE_AUTOPASSWORD, ITEM(res_con.password), 0, CFG_ITEM_REQUIRED, NULL, NULL, NULL },
+   { "UsePamAuthentication", CFG_TYPE_BOOL, ITEM(res_con.ACL_lists), PluginOptions_ACL, 0, NULL, NULL, NULL },
    { "JobACL", CFG_TYPE_ACL, ITEM(res_con.ACL_lists), Job_ACL, 0, NULL, NULL, NULL },
    { "ClientACL", CFG_TYPE_ACL, ITEM(res_con.ACL_lists), Client_ACL, 0, NULL, NULL, NULL },
    { "StorageACL", CFG_TYPE_ACL, ITEM(res_con.ACL_lists), Storage_ACL, 0, NULL, NULL, NULL },

core/src/dird/dird_conf.h

@@ -139,6 +139,7 @@ class DirectorResource: public TlsResource {
    char *secure_erase_cmdline;        /* Cmdline to execute to perform secure erase of file */
    char *log_timestamp_format;        /* Timestamp format to use in generic logging messages */
    s_password keyencrkey;             /* Key Encryption Key */
+   bool use_pam_authentication;       /**< Use Pam authentication instead of password */
 
    DirectorResource() : TlsResource() {}
 };
@@ -207,6 +208,7 @@ class ConsoleResource : public TlsResource {
 public:
    alist *ACL_lists[Num_ACL];         /**< Pointers to ACLs */
    alist *profiles;                   /**< Pointers to profile resources */
+   bool use_pam_authentication;       /**< Use Pam authentication instead of password */
 };
 
 /**

core/src/dird/ua_server.cc

@@ -78,33 +78,44 @@ JobControlRecord *new_control_jcr(const char *base_name, int job_type)
  */
 void *HandleUserAgentClientRequest(BareosSocket *user_agent_socket)
 {
-   int status;
-   UaContext *ua;
-   JobControlRecord *jcr;
-
    pthread_detach(pthread_self());
 
-   jcr = new_control_jcr("-Console-", JT_CONSOLE);
+   JobControlRecord *jcr = new_control_jcr("-Console-", JT_CONSOLE);
 
-   ua = new_ua_context(jcr);
+   UaContext *ua = new_ua_context(jcr);
    ua->UA_sock = user_agent_socket;
    SetJcrInTsd(INVALID_JCR);
 
-   if (!AuthenticateUserAgent(ua)) {
-      goto getout;
-   }
+   bool success = AuthenticateUserAgent(ua);
+
+   if (success) {
+      bool use_pam = false;
+      if(ua->cons && ua->cons->use_pam_authentication) { /* named console */
+         use_pam = true;
+      }
+      else if(me->use_pam_authentication) { /* general console */
+         use_pam = true;
+      }
 
-   if (!PamAuthenticateUseragent(ua->UA_sock, ua->cons ? ua->cons->name() : std::string("user"))) {
-      goto getout;
+      if (use_pam) {
+         std::string username;
+         if (ua->cons) {
+            username = ua->cons->name();
+         }
+         success = PamAuthenticateUseragent(ua->UA_sock, username);
+      }
    }
 
+   if (!success) {
+      ua->quit = true;
+   }
 
    while (!ua->quit) {
       if (ua->api) {
          user_agent_socket->signal(BNET_MAIN_PROMPT);
       }
 
-      status = user_agent_socket->recv();
+      int status = user_agent_socket->recv();
       if (status >= 0) {
          PmStrcpy(ua->cmd, ua->UA_sock->msg);
          ParseUaArgs(ua);
@@ -136,9 +147,8 @@ void *HandleUserAgentClientRequest(BareosSocket *user_agent_socket)
       } else { /* signal */
          user_agent_socket->signal(BNET_POLL);
       }
-   }
+   } /* while (!ua->quit) */
 
-getout:
    CloseDb(ua);
    FreeUaContext(ua);
    FreeJcr(jcr);