218
219
char *display = getenv("DISPLAY");
220
if (display && (display[0] != ':') && (display[0] != '\0'))
222
ERR1("Remote login (from %s) is not (yet) supported", display);
223
pam_syslog(pamh, LOG_ERR,
224
"Remote login (from %s) is not (yet) supported",
226
return PAM_AUTHINFO_UNAVAIL;
223
if (strncmp(display, "localhost:", 10) != 0 && (display[0] != ':')
224
&& (display[0] != '\0')) {
225
ERR1("Remote login (from %s) is not (yet) supported", display);
226
pam_syslog(pamh, LOG_ERR,
227
"Remote login (from %s) is not (yet) supported", display);
228
return PAM_AUTHINFO_UNAVAIL;
275
278
pkcs11_pam_fail = PAM_CRED_INSUFFICIENT;
277
280
/* look to see if username is already set */
278
rv = pam_get_item(pamh, PAM_USER, (const void **) &user);
281
rv = pam_get_item(pamh, PAM_USER, &user);
280
283
DBG1("explicit username = [%s]", user);
283
rv = pam_get_item(pamh, PAM_USER, (const void **) &user);
286
rv = pam_get_item(pamh, PAM_USER, &user);
284
287
if (rv != PAM_SUCCESS || user == NULL || user[0] == '\0') {
285
pam_prompt(pamh, PAM_TEXT_INFO, NULL,
288
snprintf(password_prompt, sizeof(password_prompt),
286
289
_("Please insert your %s or enter your username."),
287
290
_(configuration->token_type));
291
pam_prompt(pamh, PAM_TEXT_INFO, NULL, password_prompt);
288
292
/* get user name */
289
293
rv = pam_get_user(pamh, &user, NULL);
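Review bot: The added `pam_prompt(pamh, PAM_TEXT_INFO, NULL, password_prompt);` passes the freshly formatted buffer as the format argument, so any `%` that ends up in `password_prompt` is interpreted a second time. pam_prompt is printf-style (the removed call handed it `_(configuration->token_type)` as a variadic argument), so the text should go through a literal format: `pam_prompt(pamh, PAM_TEXT_INFO, NULL, "%s", password_prompt);`. The same pattern recurs in the later hunks, at the second "Please insert your %s or enter your username." prompt and at the "Welcome %.32s!" prompt; in the latter the formatted value is the label returned by `get_slot_tokenlabel(ph)`, which presumably comes from the inserted token rather than from local configuration, so that call is the one most worth fixing. The enclosing function starts and ends outside this hunk.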
378
383
/* we haven't prompted for the user yet, get the user and see if
379
384
* the smart card has been inserted in the mean time */
380
pam_prompt(pamh, PAM_TEXT_INFO, NULL,
385
snprintf(password_prompt, sizeof(password_prompt),
381
386
_("Please insert your %s or enter your username."),
382
387
_(configuration->token_type));
388
pam_prompt(pamh, PAM_TEXT_INFO, NULL, password_prompt);
383
389
rv = pam_get_user(pamh, &user, NULL);
385
391
/* check one last time for the smart card before bouncing to the next
418
425
pam_syslog(pamh, LOG_ERR, "get_slot_login_required() failed: %s", get_error());
419
426
return pkcs11_pam_fail;
421
char password_prompt[70];
423
428
/* get password */
424
pam_prompt(pamh, PAM_TEXT_INFO, NULL, _("Welcome %.32s!"),
425
get_slot_tokenlabel(ph));
426
sprintf(password_prompt, _("%s PIN: "), _(configuration->token_type));
427
if (configuration->use_first_pass) {
428
rv = pam_get_pwd(pamh, &password, NULL, PAM_AUTHTOK, 0);
429
} else if (configuration->try_first_pass) {
430
rv = pam_get_pwd(pamh, &password, password_prompt, PAM_AUTHTOK,
433
rv = pam_get_pwd(pamh, &password, password_prompt, 0, PAM_AUTHTOK);
435
if (rv != PAM_SUCCESS) {
436
release_pkcs11_module(ph);
437
pam_syslog(pamh, LOG_ERR,
438
"pam_get_pwd() failed: %s", pam_strerror(pamh, rv));
439
return pkcs11_pam_fail;
429
snprintf(password_prompt, sizeof(password_prompt),
430
_("Welcome %.32s!"), get_slot_tokenlabel(ph));
431
pam_prompt(pamh, PAM_TEXT_INFO, NULL, password_prompt);
433
/* no CKF_PROTECTED_AUTHENTICATION_PATH */
434
rv = get_slot_protected_authentication_path(ph);
435
if ((-1 == rv) || (0 == rv))
437
sprintf(password_prompt, _("%s PIN: "), _(configuration->token_type));
438
if (configuration->use_first_pass) {
439
rv = pam_get_pwd(pamh, &password, NULL, PAM_AUTHTOK, 0);
440
} else if (configuration->try_first_pass) {
441
rv = pam_get_pwd(pamh, &password, password_prompt, PAM_AUTHTOK,
444
rv = pam_get_pwd(pamh, &password, password_prompt, 0, PAM_AUTHTOK);
446
if (rv != PAM_SUCCESS) {
447
release_pkcs11_module(ph);
448
pam_syslog(pamh, LOG_ERR,
449
"pam_get_pwd() failed: %s", pam_strerror(pamh, rv));
450
return pkcs11_pam_fail;
441
452
#ifndef DEBUG_HIDE_PASSWORD
442
DBG1("password = [%s]", password);
453
DBG1("password = [%s]", password);
445
/* check password length */
446
if (!configuration->nullok && strlen(password) == 0) {
447
release_pkcs11_module(ph);
448
memset(password, 0, strlen(password));
450
pam_syslog(pamh, LOG_ERR,
451
"password length is zero but the 'nullok' argument was not defined.");
456
/* check password length */
457
if (!configuration->nullok && strlen(password) == 0) {
458
release_pkcs11_module(ph);
459
memset(password, 0, strlen(password));
461
pam_syslog(pamh, LOG_ERR,
462
"password length is zero but the 'nullok' argument was not defined.");
468
pam_prompt(pamh, PAM_TEXT_INFO, NULL,
469
_("Enter your %s PIN on the pinpad"), _(configuration->token_type));
455
474
/* call pkcs#11 login to ensure that the user is the real owner of the card
456
475
* we need to do thise before get_certificate_list because some tokens
457
476
* can not read their certificates until the token is authenticated */
458
477
rv = pkcs11_login(ph, password);
459
478
/* erase and free in-memory password data asap */
460
memset(password, 0, strlen(password));
481
memset(password, 0, strlen(password));
463
485
ERR1("open_pkcs11_login() failed: %s", get_error());
464
486
if (!configuration->quiet)