+
+#define PAM_SM_ACCOUNT
+
+#include <stdio.h>
+#include <unistd.h>
+#include <stdarg.h>
+#include <string.h>
+#include <syslog.h>
+#include <security/pam_modules.h>
+
+#include "itkacl.h"
+
+/* --- authentication management functions --- */
+
+PAM_EXTERN int pam_sm_authenticate(pam_handle_t * pamh, int flags,
+ int argc, const char **argv)
+{
+ return PAM_AUTH_ERR;
+}
+
+PAM_EXTERN int pam_sm_setcred(pam_handle_t * pamh, int flags, int argc,
+ const char **argv)
+{
+
+ return PAM_CRED_UNAVAIL;
+}
+
+/* --- account management functions --- */
+
+PAM_EXTERN int pam_sm_acct_mgmt(pam_handle_t * pamh, int flags, int argc,
+ const char **argv)
+{
+ char realm[256], errmsg[256];
+ const char *username;
+ int ret;
+
+ openlog("pam_itkacl", 0, LOG_AUTHPRIV);
+
+ /* We want and need exactly one argument: realm='whatever' */
+ if (argc != 1) {
+ syslog(LOG_CRIT, "wrong number of arguments: expected 1, got %d", argc);
+ return PAM_SERVICE_ERR;
+ }
+ if (sscanf(argv[0], "realm='%[^']'", realm) != 1) {
+ syslog(LOG_CRIT, "realm in bad format: got %s, expected realm='/foo/bar'", argv[0]);
+ return PAM_SERVICE_ERR;
+ }
+
+ /* Get the user name from PAM */
+ ret = pam_get_item(pamh, PAM_USER, (const void **)&username);
+ if (ret != PAM_SUCCESS || username == NULL) {
+ syslog(LOG_CRIT, "Couldn't get username from PAM");
+ return PAM_USER_UNKNOWN;
+ }
+
+ /* Root should always be able to log in */
+ if (strcmp(username, "root") == 0)
+ return PAM_SUCCESS;
+
+ ret = itkacl_check(realm, username, errmsg, 256);
+ if (ret == -1) {
+ syslog(LOG_ERR, "itkacl_check() returned an error: %s", errmsg);
+ return PAM_SERVICE_ERR;
+ }
+
+ if (ret == 0) {
+ return PAM_SUCCESS;
+ } else {
+ return PAM_ACCT_EXPIRED;
+ }
+}
+
+/* --- password management --- */
+
+PAM_EXTERN int pam_sm_chauthtok(pam_handle_t * pamh, int flags, int argc,
+ const char **argv)
+{
+ return PAM_AUTHTOK_ERR;
+}
+
+/* --- session management --- */
+
+PAM_EXTERN int pam_sm_open_session(pam_handle_t * pamh, int flags,
+ int argc, const char **argv)
+{
+ return PAM_SYSTEM_ERR;
+}
+
+PAM_EXTERN int pam_sm_close_session(pam_handle_t * pamh, int flags,
+ int argc, const char **argv)
+{
+ return PAM_SYSTEM_ERR;
+}
+
+/* end of module definition */
+
+/* static module data */
+#ifdef PAM_STATIC
+struct pam_module _pam_itkacl_modstruct = {
+ "pam_itkacl",
+ pam_sm_authenticate,
+ pam_sm_setcred,
+ pam_sm_acct_mgmt,
+ pam_sm_open_session,
+ pam_sm_close_session,
+ pam_sm_chauthtok
+};
+#endif
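Review bot: The `%[^']` conversion in the sscanf call of pam_sm_acct_mgmt has no field width, so a realm= argument longer than 255 characters writes past the end of `realm[256]`; the input comes from the PAM config line, which is usually root-owned, but the overrun is still an unbounded stack write in an account-management module and should be bounded, `if (sscanf(argv[0], "realm='%255[^']'", realm) != 1) {`. The hard-coded `256` passed to itkacl_check() should be tied to the buffer it describes, `ret = itkacl_check(realm, username, errmsg, sizeof errmsg);`, so the two cannot drift apart. A point of style: openlog() is called on every pam_sm_acct_mgmt invocation without a matching closelog(), and access denial is reported as PAM_ACCT_EXPIRED, whereas PAM_PERM_DENIED expresses an ACL rejection more precisely; PAM_ACCT_EXPIRED may have been chosen deliberately for the application's error message, so confirm before changing.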