Authen-SimplePam
SimplePam.pm view on Meta::CPAN
        $self->service('passwd');
    }
    if (defined ($user))
    {
        $self->username($user);
    }
    if (defined ($old_password))
    {
        $self->password($old_password);
    }
    if (defined ($new_password))
    {
        $self->new_password($new_password);
    }
    unless ($self->service)
    {
        $self->service('passwd');
    }
    $self->{used_old_password} = 0;
    $self->_abort_on_error(0);
    $self->_call_type("change_password");
    $self->{conv_failure} = 0;
    # NOTE: with $DEBUG set, the old and new passwords are printed in clear text.
    print "DEBUG: change_password:\n" .
        "username: " . $self->username . ", old password: " . $self->password if $DEBUG;
    print " new password: " . $self->new_password if $DEBUG;
    print " service: " . $self->service . "\n" if $DEBUG;
    # The conversation callback answers the prompts of the PAM stack.
    $pam = new Authen::PAM ($self->service,
                            $self->username,
                            sub {
                                return $self->_general_pam_conv ( @_ );
                            }
                           );
    # On failure Authen::PAM returns an error code instead of an object.
    return 0
        unless ref($pam);
    $pam_result = $pam->pam_chauthtok();
    $self->{_pam_result} = $pam_result;
    print "DEBUG: RESULT is $pam_result\n" if $DEBUG;
    # Map the raw PAM result to the module's own result code.
    $self->{_module_result} = _pam2result($pam_result);
    return $self->{_module_result};
}
sub result2string {
    my ($self, $result) = @_;
    $result = $self->{_module_result}
        unless (defined ($result));
    if ( $result == 0 ) { return "Authen::PAM error" }
    elsif ( $result == 1 ) { return "success" }
    elsif ( $result == 2 ) { return "failure" }
    elsif ( $result == 3 ) { return "insuficient credentials" }
    elsif ( $result == 4 ) { return "authentication information unavailable" }
    elsif ( $result == 5 ) { return "user unknown" }
    elsif ( $result == 6 ) { return "maximum tries" }
    elsif ( $result == 7 ) { return "unknown error" }
    elsif ( $result == 8 ) { return "authentication error" }
    elsif ( $result == 9 ) { return "authentication information cannot be recovered" }
    elsif ( $result == 10 ) { return "authentication locked busy" }
    elsif ( $result == 11 ) { return "authentication aging disable" }
    elsif ( $result == 12 ) { return "permission denied" }
    elsif ( $result == 13 ) { return "try again" }
    elsif ( $result == 14 ) { return "dlopen error" }
    elsif ( $result == 15 ) { return "symbol not found" }
    elsif ( $result == 16 ) { return "memory buffer error" }
    elsif ( $result == 17 ) { return "the password should be changed" }
    elsif ( $result == 18 ) { return "user account has expired" }
    elsif ( $result == 19 ) { return "cannot make/remove an entry for the specified session" }
    elsif ( $result == 20 ) { return "cannot retrieve users credentials" }
    elsif ( $result == 21 ) { return "user credentials expired" }
    elsif ( $result == 22 ) { return "no pam module specific data is present" }
    elsif ( $result == 23 ) { return "conversation error" }
    elsif ( $result == 24 ) { return "ignore underlying account module" }
    elsif ( $result == 25 ) { return "critical error" }
    elsif ( $result == 26 ) { return "user authentication has expired" }
    elsif ( $result == 27 ) { return "pam module is unknown" }
    elsif ( $result == 28 ) { return "bad item passed to pam" }
    elsif ( $result == 29 ) { return "conversation function is event driven and data is not available yet" }
    elsif ( $result == 30 ) { return "call this function again to complete authentication stack" }
    elsif ( $result == 31 ) { return "error in service module" }
    elsif ( $result == 32 ) { return "system error" }
    elsif ( $result == 33 ) { return "failure setting user credential" }
    else { return "invalid result number: $result" }
}
#returns the username of the EUID that is running this module
sub _get_username {
    #we use the EFFECTIVE USER ID (EUID, $>),
    #not the REAL USER ID (UID, $<)
    my $name = getpwuid($>);
    return $name;
}
#checks the meaning of a message
#Returns the state of a message:
#undef means an unknown message.
#0: old password
#1: new password (1st time)
#2: new password (2nd time)
sub _check_msg {
    my ($message) = @_;
    unless (defined ($PAM_MESSAGES->{$message})) {
        warn __PACKAGE__ . " warning!\n";
        warn "Unclassified message: '$message' .\n";
        warn "Please contact the author at <raul\@dias.com.br> in order to improve SimplePam.\n";
        warn "Version used: $VERSION .\n";
        return undef;
    }
    return $PAM_MESSAGES->{$message};
}
#Converts an error message to its code.
sub _check_error_msg {
    my ($message) = @_;
    #strip the prefix before the lookup
    $message =~ s/^BAD PASSWORD: //;
    unless (defined ($PAM_ERROR_MESSAGES->{$message})) {
        warn __PACKAGE__ . " warning!\n";
        warn "Unclassified error message: '$message' .\n";
        warn "Please contact the author at <raul\@dias.com.br> in order to improve this module.\n";
        warn "Version used: $VERSION .\n";
        return undef;
    }
    return $PAM_ERROR_MESSAGES->{$message};
}
SimplePam.pm view on Meta::CPAN
otherwise returns the error message.
Note that the error message is the PAM
message given to a PAM_ERROR_MSG call.
Other errors might have happened without
setting PAM_ERROR_MSG; those are reported in the result code
from the functions B<auth_user ()> and
B<change_password ()>.
=item * B<auth_user ($user, $password, $service)>
Authenticates a user $user, with the password $password, against
service $service.
Note that $user, $password and $service are optional.
If given, they will overwrite any previously given values.
If no $service has been specified yet, it defaults
to the service 'login'.
If no $username has been specified yet, it defaults
to the current EFFECTIVE USER ID (EUID).
It returns Authen::SimplePam's own result code.
If you would like to know the real PAM result code,
use B< pam_result() > to get it.
To get a string representation of the result, use
B<result2string () >.
=item * B<result2string ($result)>
Converts a result returned by B<auth_user()>
or B<change_password ()> to a string.
=back
=head1 RETURN CODES
These are the return codes returned by
B<auth_user> and B<change_password>.
=over 4
=item 0 Error using the Authen::PAM module.
Usually broken installation.
=item 1 Success.
The password matches.
=item 2 Error.
The password does not match.
=item 3 Insufficient Credentials.
For some reason the application does not have enough credentials to authenticate the user.
E.g. A non-root user trying to authenticate/validate the root user password.
=item 4 Authentication information unavailable.
The modules were not able to access the authentication information. This might be due to a network or hardware failure etc.
=item 5 User Unknown.
The supplied username is not known to the authentication service.
=item 6 Maximum tries.
One or more of the authentication modules has reached its limit of
tries authenticating the user. Do not try again.
=item 7 Unknown error.
Some unpredictable error happened.
=item 8 Authentication manipulation error.
Some error regarding the authentication happened. Usually the B<service>
being used is invalid or is not well configured or requires some kind of
special behaviour from Authen::SimplePam.
=item *TODO* Finish description of return values.
=back
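A caller-side check built on the return codes above, as an added example that is not part of Authen::SimplePam: every failure code from 2 upward is a true value in Perl, so the result has to be compared with 1 rather than tested for truth. `check_login` and the `Local::FakeAuth` stand-in, which replays constructed result codes so the script runs without PAM, are hypothetical names.

```perl
use strict;
use warnings;

# Codes taken from the RETURN CODES list above.
use constant { RC_PAM_ERROR => 0, RC_SUCCESS => 1, RC_MAX_TRIES => 6 };

# Hypothetical helper: fail closed on anything that is not exactly 1.
# Codes 2..33 are all true in Perl, so `if ($auth->auth_user(...))`
# would let a wrong password (2) or an unknown user (5) through.
sub check_login {
    my ($auth, $user, $password, $service) = @_;
    my $rc = $auth->auth_user($user, $password, $service);
    # Treat a missing or non-numeric result as a module error.
    $rc = RC_PAM_ERROR unless defined $rc && $rc =~ /\A\d+\z/;
    return {
        ok         => ($rc == RC_SUCCESS   ? 1 : 0),
        code       => $rc,
        reason     => $auth->result2string($rc),     # for logs only
        locked_out => ($rc == RC_MAX_TRIES ? 1 : 0), # 6: "Do not try again"
    };
}

# Constructed stand-in that replays a fixed result code.
# With the real module, pass an Authen::SimplePam object instead.
package Local::FakeAuth;
my %TEXT = (0 => 'Authen::PAM error', 1 => 'success', 2 => 'failure',
            5 => 'user unknown',      6 => 'maximum tries');
sub new           { my ($class, $rc) = @_; return bless { rc => $rc }, $class }
sub auth_user     { return $_[0]{rc} }
sub result2string { return $TEXT{ $_[1] } // "code $_[1]" }

package main;
# Constructed sample: one run per result code of interest.
for my $rc (0, 1, 2, 5, 6) {
    my $r = check_login(Local::FakeAuth->new($rc), 'alice', 'constructed-pw', 'login');
    printf "code %d %-18s truthiness test: %-5s  == 1 test: %s\n",
        $rc, $r->{reason},
        ($rc      ? 'ALLOW' : 'deny'),
        ($r->{ok} ? 'ALLOW' : 'deny');
}
```

The two columns agree only for codes 0 and 1; for 2, 5 and 6 the truthiness test allows the login while the explicit comparison denies it.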
=head1 NOTES
=head2 MODULES
It is important to know that the way PAM will act depends on the underlying modules
being used and how they are stacked on the services.
So far, this module has been tested with the PAM modules pam_pwdb.so (which is
a newer version of pam_unix.so) and pam_cracklib.so, which tests the strength
of new passwords.
Other modules might ask for different data and give different errors.
Authen::SimplePam is written in a way that makes it simple to add such
new authentication modules.
=head2 SERVICES
Different services might have different results.
E.g. with the service 'login' it is common to deny login to the user root when he
is not using a console, whereas other services (like kde) might allow this.
If you use a different PAM configuration and Authen::SimplePam is not working,
you can try to contact the author and provide as much information as possible
in order to let him understand what is missing and improve the module.
=head2 CHANGING PASSWORD
It is important to understand that changing passwords might not be
as simple as it seems and you probably cannot do it unless you