diff --git a/core/src/dird/auth_pam.cc b/core/src/dird/auth_pam.cc
index 021afd4bf2a..f777d0cb61a 100644
--- a/core/src/dird/auth_pam.cc
+++ b/core/src/dird/auth_pam.cc
@@ -139,7 +139,7 @@ static int PamConversionCallback(int num_msg, const struct pam_message **msgm,
 return PAM_SUCCESS;
 }
-bool PamAuthenticateUseragent(BareosSocket *UA_sock, std::string username)
+bool PamAuthenticateUseragent(BareosSocket *UA_sock, const std::string &username)
 {
 std::unique_ptr pam_callback_data(new PamData(UA_sock, username));
 std::unique_ptr pam_conversation_container(new struct pam_conv);
@@ -148,7 +148,8 @@ bool PamAuthenticateUseragent(BareosSocket *UA_sock, std::string username)
 pam_conversation_container->conv = PamConversionCallback;
 pam_conversation_container->appdata_ptr = pam_callback_data.get();
- int err = pam_start(service_name.c_str(), nullptr, pam_conversation_container.get(), &pamh);
+ int err = pam_start(service_name.c_str(), username.c_str(),
+ pam_conversation_container.get(), &pamh);
 if (err != PAM_SUCCESS) {
 Dmsg1(debuglevel, "PAM start failed: %s\n", pam_strerror(pamh, err));
 }
diff --git a/core/src/dird/auth_pam.h b/core/src/dird/auth_pam.h
index 27b7c8106fa..f02607d38b0 100644
--- a/core/src/dird/auth_pam.h
+++ b/core/src/dird/auth_pam.h
@@ -25,6 +25,6 @@
 #include
 class BareosSocket;
-bool PamAuthenticateUseragent(BareosSocket *UA_sock, std::string username);
+bool PamAuthenticateUseragent(BareosSocket *UA_sock, const std::string &username);
 #endif /* BAREOS_DIRD_AUTH_PAM_H_ */
diff --git a/core/src/dird/dird_conf.cc b/core/src/dird/dird_conf.cc
index c0d86d84281..9c85ee8c331 100644
--- a/core/src/dird/dird_conf.cc
+++ b/core/src/dird/dird_conf.cc
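Review bot: Passing `username.c_str()` to pam_start in the second hunk gives PAM an empty string as the user whenever the caller has no name to supply, which is not what the removed `nullptr` did: with nullptr PAM has no user and asks the conversation for one, while with "" a module that calls pam_get_user will presumably see an already-set (empty) user and never prompt. ua_server.cc in this same commit passes an empty std::string for the unnamed console, so that path now reaches pam_start with "". Consider `username.c_str()` only when the name is non-empty, e.g. `username.empty() ? nullptr : username.c_str(),` so PamConversionCallback (above the first hunk, not visible here) keeps the chance to prompt; whether that callback handles a user prompt is outside the hunk and worth confirming. PamAuthenticateUseragent continues past both hunks, so how a failed pam_start affects the return value is not visible here.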
@@ -124,6 +124,7 @@ static ResourceItem dir_items[] = {
 { "MaximumConnections", CFG_TYPE_PINT32, ITEM(res_dir.MaxConnections), 0, CFG_ITEM_DEFAULT, "30", NULL, NULL },
 { "MaximumConsoleConnections", CFG_TYPE_PINT32, ITEM(res_dir.MaxConsoleConnections), 0, CFG_ITEM_DEFAULT, "20", NULL, NULL },
 { "Password", CFG_TYPE_AUTOPASSWORD, ITEM(res_dir.password), 0, CFG_ITEM_REQUIRED, NULL, NULL, NULL },
+ { "UsePamAuthentication", CFG_TYPE_BOOL, ITEM(res_dir.use_pam_authentication), 0, CFG_ITEM_DEFAULT, "false", NULL, NULL },
 { "FdConnectTimeout", CFG_TYPE_TIME, ITEM(res_dir.FDConnectTimeout), 0, CFG_ITEM_DEFAULT, "180" /* 3 minutes */, NULL, NULL },
 { "SdConnectTimeout", CFG_TYPE_TIME, ITEM(res_dir.SDConnectTimeout), 0, CFG_ITEM_DEFAULT, "1800" /* 30 minutes */, NULL, NULL },
 { "HeartbeatInterval", CFG_TYPE_TIME, ITEM(res_dir.heartbeat_interval), 0, CFG_ITEM_DEFAULT, "0", NULL, NULL },
@@ -191,6 +192,7 @@ static ResourceItem con_items[] = {
 { "Name", CFG_TYPE_NAME, ITEM(res_con.hdr.name), 0, CFG_ITEM_REQUIRED, NULL, NULL, NULL },
 { "Description", CFG_TYPE_STR, ITEM(res_con.hdr.desc), 0, 0, NULL, NULL, NULL },
 { "Password", CFG_TYPE_AUTOPASSWORD, ITEM(res_con.password), 0, CFG_ITEM_REQUIRED, NULL, NULL, NULL },
+ { "UsePamAuthentication", CFG_TYPE_BOOL, ITEM(res_con.ACL_lists), PluginOptions_ACL, 0, NULL, NULL, NULL },
 { "JobACL", CFG_TYPE_ACL, ITEM(res_con.ACL_lists), Job_ACL, 0, NULL, NULL, NULL },
 { "ClientACL", CFG_TYPE_ACL, ITEM(res_con.ACL_lists), Client_ACL, 0, NULL, NULL, NULL },
 { "StorageACL", CFG_TYPE_ACL, ITEM(res_con.ACL_lists), Storage_ACL, 0, NULL, NULL, NULL },
diff --git a/core/src/dird/dird_conf.h b/core/src/dird/dird_conf.h
index a640ac4397f..d6f01ddf068 100644
--- a/core/src/dird/dird_conf.h
+++ b/core/src/dird/dird_conf.h
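Review bot: The con_items row added in the second hunk stores into the wrong member: `ITEM(res_con.ACL_lists)` with code `PluginOptions_ACL` is copied from the ACL rows below it, so a `UsePamAuthentication` directive in a Console resource is written by the CFG_TYPE_BOOL handler into the ACL_lists pointer array, not into the `use_pam_authentication` field that dird_conf.h adds and ua_server.cc reads. As a result the per-console flag never comes from the configuration at all, and the parsed bool lands inside an alist pointer slot, so the ACL state of that console is also affected. The row should mirror the dir_items row in the first hunk: `{ "UsePamAuthentication", CFG_TYPE_BOOL, ITEM(res_con.use_pam_authentication), 0, CFG_ITEM_DEFAULT, "false", NULL, NULL },`.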
@@ -139,6 +139,7 @@ class DirectorResource: public TlsResource {
 char *secure_erase_cmdline; /* Cmdline to execute to perform secure erase of file */
 char *log_timestamp_format; /* Timestamp format to use in generic logging messages */
 s_password keyencrkey; /* Key Encryption Key */
+ bool use_pam_authentication; /**< Use Pam authentication instead of password */
 DirectorResource() : TlsResource() {}
 };
@@ -207,6 +208,7 @@ class ConsoleResource : public TlsResource {
 public:
 alist *ACL_lists[Num_ACL]; /**< Pointers to ACLs */
 alist *profiles; /**< Pointers to profile resources */
+ bool use_pam_authentication; /**< Use Pam authentication instead of password */
 };
 /**
diff --git a/core/src/dird/ua_server.cc b/core/src/dird/ua_server.cc
index 8442e50534d..1f8ea1aaa9c 100644
--- a/core/src/dird/ua_server.cc
+++ b/core/src/dird/ua_server.cc
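Review bot: The doc comment on the new member, `/**< Use Pam authentication instead of password */`, does not describe what this commit does with the flag: in ua_server.cc PamAuthenticateUseragent is only reached after AuthenticateUserAgent has succeeded, so PAM is an additional check on top of the password/TLS handshake, not a replacement for it (the same comment appears in both hunks of this file). Suggest `/**< Require PAM authentication of the console user after the password/TLS handshake */` in both places. Neither class initializes the new bool — DirectorResource's constructor body is empty and ConsoleResource shows no constructor in view — so unless the resource allocator zero-fills, the value read by ua_server.cc is indeterminate; an in-class `bool use_pam_authentication = false;` would make the default explicit regardless, worth confirming against how resources are allocated.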
@@ -78,33 +78,44 @@ JobControlRecord *new_control_jcr(const char *base_name, int job_type) */ void *HandleUserAgentClientRequest(BareosSocket *user_agent_socket) { - int status; - UaContext *ua; - JobControlRecord *jcr; - pthread_detach(pthread_self()); - jcr = new_control_jcr("-Console-", JT_CONSOLE); + JobControlRecord *jcr = new_control_jcr("-Console-", JT_CONSOLE); - ua = new_ua_context(jcr); + UaContext *ua = new_ua_context(jcr); ua->UA_sock = user_agent_socket; SetJcrInTsd(INVALID_JCR); - if (!AuthenticateUserAgent(ua)) { - goto getout; - } + bool success = AuthenticateUserAgent(ua); + + if (success) { + bool use_pam = false; + if(ua->cons && ua->cons->use_pam_authentication) { /* named console */ + use_pam = true; + } + else if(me->use_pam_authentication) { /* general console */ + use_pam = true; + } - if (!PamAuthenticateUseragent(ua->UA_sock, ua->cons ? ua->cons->name() : std::string("user"))) { - goto getout; + if (use_pam) { + std::string username; + if (ua->cons) { + username = ua->cons->name(); + } + success = PamAuthenticateUseragent(ua->UA_sock, username); + } } + if (!success) { + ua->quit = true; + } while (!ua->quit) { if (ua->api) { user_agent_socket->signal(BNET_MAIN_PROMPT); } - status = user_agent_socket->recv(); + int status = user_agent_socket->recv(); if (status >= 0) { PmStrcpy(ua->cmd, ua->UA_sock->msg); ParseUaArgs(ua); @@ -136,9 +147,8 @@ void *HandleUserAgentClientRequest(BareosSocket *user_agent_socket) } else { /* signal */ user_agent_socket->signal(BNET_POLL); } - } + } /* while (!ua->quit) */ -getout: CloseDb(ua); FreeUaContext(ua); FreeJcr(jcr);
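Review bot: The seven-line use_pam selection in the first hunk can be one expression that also makes its precedence rule visible: `const bool use_pam = (ua->cons && ua->cons->use_pam_authentication) || me->use_pam_authentication;`. As written, a named console whose own flag is off still gets PAM whenever the Director flag is on, because the `else if (me->use_pam_authentication)` branch is reached exactly when the console's flag is false — if "Director setting wins" is intended, a comment such as `/* the Director-level flag forces PAM for every console */` would record that; if a named console was meant to be able to opt out, the second condition needs `!ua->cons &&`. The new branches also write `if(` without a space and put `else if` on its own line after `}`, whereas the second hunk of this file shows the surrounding style as `} else {`. The empty `username` handed to PamAuthenticateUseragent for the unnamed console is raised on the auth_pam.cc hunk. HandleUserAgentClientRequest continues beyond the first hunk.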