|
|
|
@ -17,12 +17,15 @@
|
|
|
|
|
*
|
|
|
|
|
* module manager
|
|
|
|
|
*/
|
|
|
|
|
#include <config_ac.h>
|
|
|
|
|
#define ACCESS
|
|
|
|
|
#include "xrdp.h"
|
|
|
|
|
#include "log.h"
|
|
|
|
|
#ifdef ACCESS
|
|
|
|
|
#ifndef USE_NOPAM
|
|
|
|
|
#include "security/_pam_types.h"
|
|
|
|
|
#endif
|
|
|
|
|
#endif
|
|
|
|
|
|
|
|
|
|
/*****************************************************************************/
|
|
|
|
|
struct xrdp_mm *APP_CC
|
|
|
|
@ -1071,9 +1074,11 @@ xrdp_mm_sesman_data_in(struct trans *trans)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
#ifdef ACCESS
|
|
|
|
|
#ifndef USE_NOPAM
|
|
|
|
|
/*********************************************************************/
|
|
|
|
|
/* return 0 on success */
|
|
|
|
|
int access_control(char *username, char *password, char *srv)
|
|
|
|
|
static int APP_CC
|
|
|
|
|
access_control(char *username, char *password, char *srv)
|
|
|
|
|
{
|
|
|
|
|
int reply;
|
|
|
|
|
int rec = 32+1; /* 32 is reserved for PAM failures this means connect failure */
|
|
|
|
@ -1183,12 +1188,14 @@ int access_control(char *username, char *password, char *srv)
|
|
|
|
|
return rec;
|
|
|
|
|
}
|
|
|
|
|
#endif
|
|
|
|
|
#endif
|
|
|
|
|
|
|
|
|
|
/*****************************************************************************/
|
|
|
|
|
/* This routine clears all states to make sure that our next login will be
|
|
|
|
|
* as expected. If the user does not press ok on the log window and try to
|
|
|
|
|
* connect again we must make sure that no previous information is stored.*/
|
|
|
|
|
void cleanup_states(struct xrdp_mm *self)
|
|
|
|
|
static void APP_CC
|
|
|
|
|
cleanup_states(struct xrdp_mm *self)
|
|
|
|
|
{
|
|
|
|
|
if (self != NULL)
|
|
|
|
|
{
|
|
|
|
@ -1205,10 +1212,14 @@ void cleanup_states(struct xrdp_mm *self)
|
|
|
|
|
self-> usechansrv = 0; /* true if chansrvport is set in xrdp.ini or using sesman */
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
#ifdef ACCESS
|
|
|
|
|
const char *getPAMError(const int pamError)
|
|
|
|
|
#ifndef USE_NOPAM
|
|
|
|
|
static const char * APP_CC
|
|
|
|
|
getPAMError(const int pamError, char *text, int text_bytes)
|
|
|
|
|
{
|
|
|
|
|
switch(pamError){
|
|
|
|
|
switch (pamError)
|
|
|
|
|
{
|
|
|
|
|
case PAM_SUCCESS:
|
|
|
|
|
return "Success";
|
|
|
|
|
case PAM_OPEN_ERR:
|
|
|
|
@ -1267,23 +1278,21 @@ const char *getPAMError(const int pamError)
|
|
|
|
|
return "Conversation is waiting for event";
|
|
|
|
|
case PAM_INCOMPLETE:
|
|
|
|
|
return "Application needs to call libpam again";
|
|
|
|
|
case 32+1:
|
|
|
|
|
case 32 + 1:
|
|
|
|
|
return "Error connecting to PAM";
|
|
|
|
|
case 32+3:
|
|
|
|
|
case 32 + 3:
|
|
|
|
|
return "Username okey but group problem";
|
|
|
|
|
default:{
|
|
|
|
|
char replytxt[80];
|
|
|
|
|
g_sprintf(replytxt,"Not defined PAM error:%d",pamError);
|
|
|
|
|
return replytxt ;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
default:
|
|
|
|
|
g_snprintf(text, text_bytes, "Not defined PAM error:%d", pamError);
|
|
|
|
|
return text;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
const char *getPAMAdditionalErrorInfo(const int pamError,struct xrdp_mm *self)
|
|
|
|
|
static const char * APP_CC
|
|
|
|
|
getPAMAdditionalErrorInfo(const int pamError, struct xrdp_mm *self)
|
|
|
|
|
{
|
|
|
|
|
switch(pamError){
|
|
|
|
|
switch (pamError)
|
|
|
|
|
{
|
|
|
|
|
case PAM_SUCCESS:
|
|
|
|
|
return NULL;
|
|
|
|
|
case PAM_OPEN_ERR:
|
|
|
|
@ -1309,30 +1318,28 @@ const char *getPAMAdditionalErrorInfo(const int pamError,struct xrdp_mm *self)
|
|
|
|
|
case PAM_MODULE_UNKNOWN:
|
|
|
|
|
case PAM_CONV_AGAIN:
|
|
|
|
|
case PAM_INCOMPLETE:
|
|
|
|
|
case _PAM_RETURN_VALUES+1:
|
|
|
|
|
case _PAM_RETURN_VALUES+3:
|
|
|
|
|
case _PAM_RETURN_VALUES + 1:
|
|
|
|
|
case _PAM_RETURN_VALUES + 3:
|
|
|
|
|
return NULL;
|
|
|
|
|
case PAM_MAXTRIES:
|
|
|
|
|
case PAM_NEW_AUTHTOK_REQD:
|
|
|
|
|
case PAM_ACCT_EXPIRED:
|
|
|
|
|
case PAM_CRED_EXPIRED:
|
|
|
|
|
case PAM_AUTHTOK_EXPIRED:
|
|
|
|
|
if(self->wm->pamerrortxt[0])
|
|
|
|
|
if (self->wm->pamerrortxt[0])
|
|
|
|
|
{
|
|
|
|
|
return self->wm->pamerrortxt;
|
|
|
|
|
}
|
|
|
|
|
else
|
|
|
|
|
{
|
|
|
|
|
return "Authentication error - Verify that user/password is valid ";
|
|
|
|
|
return "Authentication error - Verify that user/password is valid";
|
|
|
|
|
}
|
|
|
|
|
default:{
|
|
|
|
|
return "No expected error" ;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
default:
|
|
|
|
|
return "No expected error";
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
}
|
|
|
|
|
#endif
|
|
|
|
|
#endif
|
|
|
|
|
/*****************************************************************************/
|
|
|
|
|
int APP_CC
|
|
|
|
|
xrdp_mm_connect(struct xrdp_mm *self)
|
|
|
|
@ -1351,10 +1358,12 @@ xrdp_mm_connect(struct xrdp_mm *self)
|
|
|
|
|
char port[8];
|
|
|
|
|
char chansrvport[256];
|
|
|
|
|
#ifdef ACCESS
|
|
|
|
|
#ifndef USE_NOPAM
|
|
|
|
|
int use_pam_auth = 0;
|
|
|
|
|
char pam_auth_sessionIP[256];
|
|
|
|
|
char pam_auth_password[256];
|
|
|
|
|
char pam_auth_username[256];
|
|
|
|
|
#endif
|
|
|
|
|
char username[256];
|
|
|
|
|
char password[256];
|
|
|
|
|
username[0] = 0;
|
|
|
|
@ -1390,6 +1399,7 @@ xrdp_mm_connect(struct xrdp_mm *self)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
#ifdef ACCESS
|
|
|
|
|
#ifndef USE_NOPAM
|
|
|
|
|
else if (g_strcasecmp(name, "pamusername") == 0)
|
|
|
|
|
{
|
|
|
|
|
use_pam_auth = 1;
|
|
|
|
@ -1403,6 +1413,7 @@ xrdp_mm_connect(struct xrdp_mm *self)
|
|
|
|
|
{
|
|
|
|
|
g_strncpy(pam_auth_password, value, 255);
|
|
|
|
|
}
|
|
|
|
|
#endif
|
|
|
|
|
else if (g_strcasecmp(name, "password") == 0)
|
|
|
|
|
{
|
|
|
|
|
g_strncpy(password, value, 255);
|
|
|
|
@ -1421,12 +1432,13 @@ xrdp_mm_connect(struct xrdp_mm *self)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
#ifdef ACCESS
|
|
|
|
|
|
|
|
|
|
#ifndef USE_NOPAM
|
|
|
|
|
if (use_pam_auth)
|
|
|
|
|
{
|
|
|
|
|
int reply;
|
|
|
|
|
char replytxt[80];
|
|
|
|
|
char *additionalError;
|
|
|
|
|
char replytxt[128];
|
|
|
|
|
char pam_error[128];
|
|
|
|
|
const char *additionalError;
|
|
|
|
|
xrdp_wm_log_msg(self->wm, "Please wait, we now perform access control...");
|
|
|
|
|
|
|
|
|
|
/* g_writeln("we use pam modules to check if we can approve this user"); */
|
|
|
|
@ -1445,16 +1457,18 @@ xrdp_mm_connect(struct xrdp_mm *self)
|
|
|
|
|
/* access_control return 0 on success */
|
|
|
|
|
reply = access_control(pam_auth_username, pam_auth_password, pam_auth_sessionIP);
|
|
|
|
|
|
|
|
|
|
g_sprintf(replytxt, "Reply from access control: %s", getPAMError(reply));
|
|
|
|
|
g_sprintf(replytxt, "Reply from access control: %s",
|
|
|
|
|
getPAMError(reply, pam_error, 127));
|
|
|
|
|
|
|
|
|
|
xrdp_wm_log_msg(self->wm, replytxt);
|
|
|
|
|
log_message(LOG_LEVEL_INFO, replytxt);
|
|
|
|
|
additionalError = getPAMAdditionalErrorInfo(reply,self);
|
|
|
|
|
if(additionalError)
|
|
|
|
|
additionalError = getPAMAdditionalErrorInfo(reply, self);
|
|
|
|
|
if (additionalError)
|
|
|
|
|
{
|
|
|
|
|
if(additionalError[0])
|
|
|
|
|
g_snprintf(replytxt, 127, "%s", additionalError);
|
|
|
|
|
if (replytxt[0])
|
|
|
|
|
{
|
|
|
|
|
xrdp_wm_log_msg(self->wm,additionalError);
|
|
|
|
|
xrdp_wm_log_msg(self->wm, replytxt);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
@ -1464,7 +1478,7 @@ xrdp_mm_connect(struct xrdp_mm *self)
|
|
|
|
|
return rv;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
#endif
|
|
|
|
|
#endif
|
|
|
|
|
|
|
|
|
|
if (self->sesman_controlled)
|
|
|
|
@ -2112,6 +2126,28 @@ int read_allowed_channel_names(struct list *names, struct list *values)
|
|
|
|
|
return ret;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* internal function return -1 if name is not in list
|
|
|
|
|
* otherwise return the index 0->count-1*/
|
|
|
|
|
int DEFAULT_CC
|
|
|
|
|
find_name_in_lists(char *inName, struct list *names)
|
|
|
|
|
{
|
|
|
|
|
int reply = -1; /*means not in the list*/
|
|
|
|
|
int index;
|
|
|
|
|
char *name;
|
|
|
|
|
|
|
|
|
|
for (index = 0; index < names->count; index++)
|
|
|
|
|
{
|
|
|
|
|
name = (char *)list_get_item(names, index);
|
|
|
|
|
if ( (name != 0) && (g_strncmp(name, inName, MAX_CHANNEL_NAME) == 0) )
|
|
|
|
|
{
|
|
|
|
|
reply = index;
|
|
|
|
|
break; /* stop loop - item found*/
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return reply;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
#define CHANNEL_NAME_PREFIX "channel."
|
|
|
|
|
/* update the channel lists from connection specific overrides
|
|
|
|
|
* return 1 on success 0 on failure */
|
|
|
|
@ -2145,28 +2181,6 @@ int update_allowed_channel_names(struct xrdp_wm *wm, struct list *names, struct
|
|
|
|
|
return ret;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* internal function return -1 if name is not in list
|
|
|
|
|
* otherwise return the index 0->count-1*/
|
|
|
|
|
int DEFAULT_CC
|
|
|
|
|
find_name_in_lists(char *inName, struct list *names)
|
|
|
|
|
{
|
|
|
|
|
int reply = -1; /*means not in the list*/
|
|
|
|
|
int index;
|
|
|
|
|
char *name;
|
|
|
|
|
|
|
|
|
|
for (index = 0; index < names->count; index++)
|
|
|
|
|
{
|
|
|
|
|
name = (char *)list_get_item(names, index);
|
|
|
|
|
if ( (name != 0) && (g_strncmp(name, inName, MAX_CHANNEL_NAME) == 0) )
|
|
|
|
|
{
|
|
|
|
|
reply = index;
|
|
|
|
|
break; /* stop loop - item found*/
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return reply;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* internal function return 1 if name is in list of channels
|
|
|
|
|
* and if the value is allowed */
|
|
|
|
|
int DEFAULT_CC
|
|
|
|
|