#360 Improve the PAM login plugin
Merged 2 years ago by ngompa. Opened 2 years ago by abompard.
abompard/ipsilon otp-field  into  master

@@ -17,6 +17,7 @@ 

      def POST(self, *args, **kwargs):

          username = kwargs.get("login_name")

          password = kwargs.get("login_password")

+         password += kwargs.get("login_otp", "")

          error = None

  

          if username and password:
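Review bot: The added line `password += kwargs.get("login_otp", "")` raises TypeError when the form is posted without `login_password`, because `kwargs.get("login_password")` then returns None. The request fails before the "Username or password is missing" branch can run. It also lets an OTP submitted with an empty password satisfy `if username and password:`, so the OTP alone would be passed on as the credential. Append the OTP only when a password was supplied, e.g. `otp = kwargs.get("login_otp") or ""` followed by `if password: password += otp`. The same line appears unchanged as context in POST in the second file section, and POST's body continues past the end of this hunk.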

file modified
+13 -29
@@ -6,49 +6,33 @@ 

  from ipsilon.util import config as pconfig

  import pam

  import subprocess

- if 'pam' in dir(pam):

-     # Try to use newer API

-     pam_authenticate = pam.pam().authenticate  # pylint: disable=no-member

- elif 'authenticate' in dir(pam):

-     # This is an older, but supported, version

-     pam_authenticate = pam.authenticate  # pylint: disable=no-member

- else:

-     # We have never seen this version, let's abort early

-     raise ImportError('Python-PAM API unsupported')

  

  

  class Pam(LoginFormBase):

  

-     def _authenticate(self, username, password):

-         if self.lm.service_name:

-             ok = pam_authenticate(username, password, self.lm.service_name)

-         else:

-             ok = pam_authenticate(username, password)

- 

-         if ok:

-             self.log("User %s successfully authenticated." % username)

-             return username

- 

-         self.log("User %s failed authentication." % username)

-         return None

- 

      def POST(self, *args, **kwargs):

          username = kwargs.get("login_name")

          password = kwargs.get("login_password")

          password += kwargs.get("login_otp", "")

-         user = None

          error = None

  

          if username and password:

-             user = self._authenticate(username, password)

-             if user:

-                 return self.lm.auth_successful(self.trans, user, 'password')

+             pam_auth = pam.pam()

+             result = pam_auth.authenticate(

+                 username, password, service=self.lm.service_name

+             )

+             if result:

+                 self.log("User %s successfully authenticated." % username)

+                 return self.lm.auth_successful(

+                     self.trans, username, 'password'

+                 )

              else:

-                 error = "Authentication failed"

-                 self.error(error)

+                 error = pam_auth.reason

+                 self.error("Error %s: %s" % (pam_auth.code, error))

+                 return self.lm.auth_failed(self.trans, error)

          else:

              error = "Username or password is missing"

-             self.error("Error: " + error)

+             self.error("Error: %s" % error)

  

          context = self.create_tmpl_context(

              username=username,
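Review bot: The failure branch passes `pam_auth.reason` to `self.lm.auth_failed(self.trans, error)`, so the text produced by the PAM stack is presumably what the client sees (auth_failed is not visible here). If the configured stack reports an unknown user differently from a wrong password, a client can use that to tell valid usernames apart. Keep the detail in the server log and return a fixed message: `self.error("Error %s: %s" % (pam_auth.code, pam_auth.reason))` followed by `error = "Authentication failed"`. Separately, the removed `_authenticate` omitted the service argument when `self.lm.service_name` was unset, while the new call always passes `service=self.lm.service_name`, so it is worth confirming that an unset value still selects the intended PAM service. POST's body continues past the end of the hunk.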

With these changes, the PAM login module works again with python-pam in its latest version and with the next unreleased version that will support 2FA.

The error message on auth failure is also improved.

@simo Could you take a look at this please?

Well, then, I guess this is good enough to merge...

Pull-Request has been merged by ngompa

2 years ago