aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorJoe Patterson <j.m.patterson@gmail.com>2011-03-21 18:02:59 -0400
committerDavid Sommerseth <davids@redhat.com>2011-03-25 09:38:48 +0100
commit6cfada268122fe54ce6d211d96c744e91d41248c (patch)
treeda73d788fcc20bb7c59d6609e71d036a008f3f44
parentFixed typo in plugin.h (diff)
downloadopenvpn-6cfada268122fe54ce6d211d96c744e91d41248c.tar.xz
common_name passing in auth_pam plugin
Added the ability to have "COMMONNAME" replaced with certificate common name in pam conversation. Signed-off-by: Joe Patterson <j.m.patterson@gmail.com> Acked-By: David Sommerseth <davids@redhat.com> Signed-off-by: David Sommerseth <davids@redhat.com>
-rw-r--r--plugin/auth-pam/README2
-rw-r--r--plugin/auth-pam/auth-pam.c11
2 files changed, 10 insertions, 3 deletions
diff --git a/plugin/auth-pam/README b/plugin/auth-pam/README
index c957c02..e123690 100644
--- a/plugin/auth-pam/README
+++ b/plugin/auth-pam/README
@@ -48,7 +48,7 @@ For example, suppose you were using a PAM module called
plugin openvpn-auth-pam.so "test name USERNAME password PASSWORD"
-While "USERNAME" and "PASSWORD" are special strings which substitute
+While "USERNAME" "COMMONNAME" and "PASSWORD" are special strings which substitute
to client-supplied values, it is also possible to name literal values
to use as PAM module query responses. For example, suppose that the
login module queried for a third parameter, "domain" which
diff --git a/plugin/auth-pam/auth-pam.c b/plugin/auth-pam/auth-pam.c
index 5a8e269..a06a48e 100644
--- a/plugin/auth-pam/auth-pam.c
+++ b/plugin/auth-pam/auth-pam.c
@@ -81,6 +81,7 @@ struct auth_pam_context
*
* "USERNAME" -- substitute client-supplied username
* "PASSWORD" -- substitute client-specified password
+ * "COMMONNAME" -- substitute client certificate common name
*/
#define N_NAME_VALUE 16
@@ -104,6 +105,7 @@ struct user_pass {
char username[128];
char password[128];
+ char common_name[128];
const struct name_value_list *name_value_list;
};
@@ -470,12 +472,14 @@ openvpn_plugin_func_v1 (openvpn_plugin_handle_t handle, const int type, const ch
/* get username/password from envp string array */
const char *username = get_env ("username", envp);
const char *password = get_env ("password", envp);
+ const char *common_name = get_env ("common_name", envp) ? get_env ("common_name", envp) : "";
if (username && strlen (username) > 0 && password)
{
if (send_control (context->foreground_fd, COMMAND_VERIFY) == -1
|| send_string (context->foreground_fd, username) == -1
- || send_string (context->foreground_fd, password) == -1)
+ || send_string (context->foreground_fd, password) == -1
+ || send_string (context->foreground_fd, common_name) == -1)
{
fprintf (stderr, "AUTH-PAM: Error sending auth info to background process\n");
}
@@ -592,6 +596,8 @@ my_conv (int n, const struct pam_message **msg_array,
aresp[i].resp = searchandreplace(match_value, "USERNAME", up->username);
else if (strstr(match_value, "PASSWORD"))
aresp[i].resp = searchandreplace(match_value, "PASSWORD", up->password);
+ else if (strstr(match_value, "COMMONNAME"))
+ aresp[i].resp = searchandreplace(match_value, "COMMONNAME", up->common_name);
else
aresp[i].resp = strdup (match_value);
@@ -737,7 +743,8 @@ pam_server (int fd, const char *service, int verb, const struct name_value_list
{
case COMMAND_VERIFY:
if (recv_string (fd, up.username, sizeof (up.username)) == -1
- || recv_string (fd, up.password, sizeof (up.password)) == -1)
+ || recv_string (fd, up.password, sizeof (up.password)) == -1
+ || recv_string (fd, up.common_name, sizeof (up.common_name)) == -1)
{
fprintf (stderr, "AUTH-PAM: BACKGROUND: read error on command channel: code=%d, exiting\n",
command);