-rw-r--r--user_channel/user_layer.cpp6
-rw-r--r--user_channel/user_layer.hpp11
-rw-r--r--user_channel/user_mgmt.cpp41
-rw-r--r--user_channel/user_mgmt.hpp10
4 files changed, 68 insertions, 0 deletions
diff --git a/user_channel/user_layer.cpp b/user_channel/user_layer.cpp
index adfc656..00f6a7f 100644
--- a/user_channel/user_layer.cpp
+++ b/user_channel/user_layer.cpp
@@ -170,4 +170,10 @@ ipmi_ret_t ipmiUserSetPrivilegeAccess(const uint8_t userId, const uint8_t chNum,
userId, chNum, userPrivAccess, otherPrivUpdates);
}
+bool ipmiUserPamAuthenticate(std::string_view userName,
+ std::string_view userPassword)
+{
+ return pamUserCheckAuthenticate(userName, userPassword);
+}
+
} // namespace ipmi
diff --git a/user_channel/user_layer.hpp b/user_channel/user_layer.hpp
index 57f5317..7926c59 100644
--- a/user_channel/user_layer.hpp
+++ b/user_channel/user_layer.hpp
@@ -210,4 +210,15 @@ ipmi_ret_t ipmiUserSetPrivilegeAccess(const uint8_t userId, const uint8_t chNum,
const PrivAccess& privAccess,
const bool& otherPrivUpdate);
+/** @brief check for user pam authentication. This is to determine, whether user
+ * is already locked out for failed login attempt
+ *
+ * @param[in] username - username
+ * @param[in] password - password
+ *
+ * @return status
+ */
+bool ipmiUserPamAuthenticate(std::string_view userName,
+ std::string_view userPassword);
+
} // namespace ipmi
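Review bot: The Doxygen `@param` tags at L35-L36 name `username` and `password`, but the declaration at L40-L41 uses `userName` and `userPassword`, so the parameter documentation does not attach to the signature. The `@brief` says the call determines whether the user is already locked out, yet `@return status` at L38 never says what the `bool` means; the same vague `@return status` appears in the user_mgmt.hpp hunk for `pamUserCheckAuthenticate`. I would change the tags to `@param[in] userName - user name`, `@param[in] userPassword - password`, and `@return true when PAM authentication and account checks succeed, false otherwise`. If the implementation keeps taking `std::string_view`, the header is also the place to state whether the views must point at NUL-terminated storage, since PAM receives them as C strings.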
diff --git a/user_channel/user_mgmt.cpp b/user_channel/user_mgmt.cpp
index a1d2443..9b40f6c 100644
--- a/user_channel/user_mgmt.cpp
+++ b/user_channel/user_mgmt.cpp
@@ -715,6 +715,47 @@ bool pamUpdatePasswd(const char* username, const char* password)
return true;
}
+bool pamUserCheckAuthenticate(std::string_view username,
+ std::string_view password)
+{
+ const struct pam_conv localConversation = {
+ pamFunctionConversation, const_cast<char*>(password.data())};
+
+ pam_handle_t* localAuthHandle = NULL; // this gets set by pam_start
+
+ if (pam_start("dropbear", username.data(), &localConversation,
+ &localAuthHandle) != PAM_SUCCESS)
+ {
+ log<level::ERR>("User Authentication Failure");
+ return false;
+ }
+
+ int retval = pam_authenticate(localAuthHandle,
+ PAM_SILENT | PAM_DISALLOW_NULL_AUTHTOK);
+
+ if (retval != PAM_SUCCESS)
+ {
+ log<level::DEBUG>("pam_authenticate returned failure",
+ entry("ERROR=%d", retval));
+
+ pam_end(localAuthHandle, retval);
+ return false;
+ }
+
+ if (pam_acct_mgmt(localAuthHandle, PAM_DISALLOW_NULL_AUTHTOK) !=
+ PAM_SUCCESS)
+ {
+ pam_end(localAuthHandle, PAM_SUCCESS);
+ return false;
+ }
+
+ if (pam_end(localAuthHandle, PAM_SUCCESS) != PAM_SUCCESS)
+ {
+ return false;
+ }
+ return true;
+}
+
ipmi_ret_t UserAccess::setSpecialUserPassword(const std::string& userName,
const std::string& userPassword)
{
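Review bot: `username.data()` at L59 and `password.data()` at L55 are handed to `pam_start` and, via `appdata_ptr`, to `pamFunctionConversation` as C strings, but a `std::string_view` is not guaranteed to be NUL-terminated, so a caller that passes a substring or a non-terminated buffer makes PAM (and, presumably, the conversation callback, which is defined elsewhere) read past the view. Copying both views into local `std::string`s and passing `c_str()`/`data()` closes the over-read and also removes the `const_cast` at L55. Separately, the `pam_acct_mgmt` branch at L78-L83 discards the status and passes `PAM_SUCCESS` to `pam_end`, unlike the `pam_authenticate` branch directly above it; capturing the code into `retval`, logging it, and passing it to `pam_end` keeps the two failure paths consistent and makes lockout/expiry rejections visible in the log. The message `"User Authentication Failure"` at L62 describes a `pam_start` setup error as an authentication failure; something like `"pam_start failed"` with the return code is more useful for triage.
```cpp
bool pamUserCheckAuthenticate(std::string_view username,
                              std::string_view password)
{
    // PAM and the conversation callback take C strings; a string_view's
    // data() is not guaranteed to be NUL-terminated, so copy first.
    const std::string user(username);
    std::string pass(password);
    const struct pam_conv localConversation = {pamFunctionConversation,
                                               pass.data()};

    pam_handle_t* localAuthHandle = NULL; // this gets set by pam_start

    if (pam_start("dropbear", user.c_str(), &localConversation,
                  &localAuthHandle) != PAM_SUCCESS)
    // … unchanged: pam_start failure handling and pam_authenticate …

    retval = pam_acct_mgmt(localAuthHandle, PAM_DISALLOW_NULL_AUTHTOK);
    if (retval != PAM_SUCCESS)
    {
        log<level::DEBUG>("pam_acct_mgmt returned failure",
                          entry("ERROR=%d", retval));
        pam_end(localAuthHandle, retval);
        return false;
    }
    // … unchanged: final pam_end and return …
```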
diff --git a/user_channel/user_mgmt.hpp b/user_channel/user_mgmt.hpp
index 8061482..8b650c8 100644
--- a/user_channel/user_mgmt.hpp
+++ b/user_channel/user_mgmt.hpp
@@ -87,6 +87,16 @@ struct UsersTbl
UserInfo user[ipmiMaxUsers + 1];
};
+/** @brief PAM User Authentication check
+ *
+ * @param[in] username - username in string
+ * @param[in] password - password in string
+ *
+ * @return status
+ */
+bool pamUserCheckAuthenticate(std::string_view username,
+ std::string_view password);
+
class UserAccess;
UserAccess& getUserAccessObject();