@@ -6,49 +6,33 @@
from ipsilon.util import config as pconfig
import pam
import subprocess
- if 'pam' in dir(pam):
- # Try to use newer API
- pam_authenticate = pam.pam().authenticate # pylint: disable=no-member
- elif 'authenticate' in dir(pam):
- # This is an older, but supported, version
- pam_authenticate = pam.authenticate # pylint: disable=no-member
- else:
- # We have never seen this version, let's abort early
- raise ImportError('Python-PAM API unsupported')
class Pam(LoginFormBase):
- def _authenticate(self, username, password):
- if self.lm.service_name:
- ok = pam_authenticate(username, password, self.lm.service_name)
- else:
- ok = pam_authenticate(username, password)
-
- if ok:
- self.log("User %s successfully authenticated." % username)
- return username
-
- self.log("User %s failed authentication." % username)
- return None
-
def POST(self, *args, **kwargs):
username = kwargs.get("login_name")
password = kwargs.get("login_password")
password += kwargs.get("login_otp", "")
- user = None
error = None
if username and password:
- user = self._authenticate(username, password)
- if user:
- return self.lm.auth_successful(self.trans, user, 'password')
+ pam_auth = pam.pam()
+ result = pam_auth.authenticate(
+ username, password, service=self.lm.service_name
+ )
+ if result:
+ self.log("User %s successfully authenticated." % username)
+ return self.lm.auth_successful(
+ self.trans, username, 'password'
+ )
else:
- error = "Authentication failed"
- self.error(error)
+ error = pam_auth.reason
+ self.error("Error %s: %s" % (pam_auth.code, error))
+ return self.lm.auth_failed(self.trans, error)
else:
error = "Username or password is missing"
- self.error("Error: " + error)
+ self.error("Error: %s" % error)
context = self.create_tmpl_context(
username=username,
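Review bot: In the failure branch of `POST`, `pam_auth.reason` is handed to `self.lm.auth_failed(self.trans, error)`, where the old code used the fixed string "Authentication failed"; if that message reaches the login page, PAM's differing reasons (for example unknown user versus wrong password) let a client tell valid accounts from invalid ones. Keep the detail in the server log and return a generic message: `self.error("User %s failed authentication: %s (code %s)" % (username, pam_auth.reason, pam_auth.code))` followed by `return self.lm.auth_failed(self.trans, "Authentication failed")`. That also restores the username in the failed-login log line, which the removed `_authenticate` recorded and the new `self.error` call drops. Separately, the old code omitted the service argument when `self.lm.service_name` was empty, while the new call always passes it, so an unset value may no longer fall back to python-pam's default service. `POST` continues past the end of the hunk.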
With these changes, the PAM login module works again with python-pam in its latest version and with the next unreleased version that will support 2FA.
The error message on auth failure is also improved.