root/daemons/based/based_remote.c

/* [previous][next][first][last][top][bottom][index][help] */

DEFINITIONS

This source file includes following definitions.
  1. debug_log
  2. remote_connection_destroy
  3. init_remote_listener
  4. check_group_membership
  5. cib_remote_auth
  6. remote_auth_timeout_cb
  7. cib_remote_listen
  8. cib_remote_connection_destroy
  9. cib_handle_remote_msg
  10. cib_remote_msg
  11. construct_pam_passwd
  12. authenticate_user

   1 /*
   2  * Copyright 2004-2020 the Pacemaker project contributors
   3  *
   4  * The version control history for this file may have further details.
   5  *
   6  * This source code is licensed under the GNU General Public License version 2
   7  * or later (GPLv2+) WITHOUT ANY WARRANTY.
   8  */
   9 
  10 #include <crm_internal.h>
  11 #include <crm/crm.h>
  12 
  13 #include <sys/param.h>
  14 #include <stdio.h>
  15 #include <sys/types.h>
  16 #include <sys/stat.h>
  17 #include <unistd.h>
  18 #include <sys/socket.h>
  19 #include <arpa/inet.h>
  20 
  21 #include <netinet/ip.h>
  22 
  23 #include <stdlib.h>
  24 #include <errno.h>
  25 #include <glib.h>
  26 
  27 #include <crm/msg_xml.h>
  28 #include <crm/common/ipc.h>
  29 #include <crm/common/ipc_internal.h>
  30 #include <crm/common/xml.h>
  31 #include <crm/common/remote_internal.h>
  32 #include <crm/cib/internal.h>
  33 
  34 #include "pacemaker-based.h"
  35 
  36 /* #undef HAVE_PAM_PAM_APPL_H */
  37 /* #undef HAVE_GNUTLS_GNUTLS_H */
  38 
  39 #ifdef HAVE_GNUTLS_GNUTLS_H
  40 #  undef KEYFILE
  41 #  include <gnutls/gnutls.h>
  42 #endif
  43 
  44 #include <pwd.h>
  45 #include <grp.h>
  46 #if HAVE_SECURITY_PAM_APPL_H
  47 #  include <security/pam_appl.h>
  48 #  define HAVE_PAM 1
  49 #else
  50 #  if HAVE_PAM_PAM_APPL_H
  51 #    include <pam/pam_appl.h>
  52 #    define HAVE_PAM 1
  53 #  endif
  54 #endif
  55 
  56 extern int remote_tls_fd;
  57 extern gboolean cib_shutdown_flag;
  58 
  59 int init_remote_listener(int port, gboolean encrypted);
  60 void cib_remote_connection_destroy(gpointer user_data);
  61 
  62 #ifdef HAVE_GNUTLS_GNUTLS_H
  63 gnutls_dh_params_t dh_params;
  64 gnutls_anon_server_credentials_t anon_cred_s;
  65 static void
  66 debug_log(int level, const char *str)
     /* [previous][next][first][last][top][bottom][index][help] */
  67 {
  68     fputs(str, stderr);
  69 }
  70 #endif
  71 
  72 #define REMOTE_AUTH_TIMEOUT 10000
  73 
  74 int num_clients;
  75 int authenticate_user(const char *user, const char *passwd);
  76 static int cib_remote_listen(gpointer data);
  77 static int cib_remote_msg(gpointer data);
  78 
  79 static void
  80 remote_connection_destroy(gpointer user_data)
     /* [previous][next][first][last][top][bottom][index][help] */
  81 {
  82     crm_info("No longer listening for remote connections");
  83     return;
  84 }
  85 
  86 int
  87 init_remote_listener(int port, gboolean encrypted)
     /* [previous][next][first][last][top][bottom][index][help] */
  88 {
  89     int rc;
  90     int *ssock = NULL;
  91     struct sockaddr_in saddr;
  92     int optval;
  93 
  94     static struct mainloop_fd_callbacks remote_listen_fd_callbacks = {
  95         .dispatch = cib_remote_listen,
  96         .destroy = remote_connection_destroy,
  97     };
  98 
  99     if (port <= 0) {
 100         /* don't start it */
 101         return 0;
 102     }
 103 
 104     if (encrypted) {
 105 #ifndef HAVE_GNUTLS_GNUTLS_H
 106         crm_warn("TLS support is not available");
 107         return 0;
 108 #else
 109         crm_notice("Starting TLS listener on port %d", port);
 110         crm_gnutls_global_init();
 111         /* gnutls_global_set_log_level (10); */
 112         gnutls_global_set_log_function(debug_log);
 113         if (pcmk__init_tls_dh(&dh_params) != pcmk_rc_ok) {
 114             return -1;
 115         }
 116         gnutls_anon_allocate_server_credentials(&anon_cred_s);
 117         gnutls_anon_set_server_dh_params(anon_cred_s, dh_params);
 118 #endif
 119     } else {
 120         crm_warn("Starting plain-text listener on port %d", port);
 121     }
 122 #ifndef HAVE_PAM
 123     crm_warn("PAM is _not_ enabled!");
 124 #endif
 125 
 126     /* create server socket */
 127     ssock = malloc(sizeof(int));
 128     if(ssock == NULL) {
 129         crm_perror(LOG_ERR, "Listener socket allocation failed");
 130         return -1;
 131     }
 132 
 133     *ssock = socket(AF_INET, SOCK_STREAM, 0);
 134     if (*ssock == -1) {
 135         crm_perror(LOG_ERR, "Listener socket creation failed");
 136         free(ssock);
 137         return -1;
 138     }
 139 
 140     /* reuse address */
 141     optval = 1;
 142     rc = setsockopt(*ssock, SOL_SOCKET, SO_REUSEADDR, &optval, sizeof(optval));
 143     if (rc < 0) {
 144         crm_perror(LOG_WARNING,
 145                    "Local address reuse not allowed on listener socket");
 146     }
 147 
 148     /* bind server socket */
 149     memset(&saddr, '\0', sizeof(saddr));
 150     saddr.sin_family = AF_INET;
 151     saddr.sin_addr.s_addr = INADDR_ANY;
 152     saddr.sin_port = htons(port);
 153     if (bind(*ssock, (struct sockaddr *)&saddr, sizeof(saddr)) == -1) {
 154         crm_perror(LOG_ERR, "Cannot bind to listener socket");
 155         close(*ssock);
 156         free(ssock);
 157         return -2;
 158     }
 159     if (listen(*ssock, 10) == -1) {
 160         crm_perror(LOG_ERR, "Cannot listen on socket");
 161         close(*ssock);
 162         free(ssock);
 163         return -3;
 164     }
 165 
 166     mainloop_add_fd("cib-remote", G_PRIORITY_DEFAULT, *ssock, ssock, &remote_listen_fd_callbacks);
 167     crm_debug("Started listener on port %d", port);
 168 
 169     return *ssock;
 170 }
 171 
 172 static int
 173 check_group_membership(const char *usr, const char *grp)
     /* [previous][next][first][last][top][bottom][index][help] */
 174 {
 175     int index = 0;
 176     struct passwd *pwd = NULL;
 177     struct group *group = NULL;
 178 
 179     CRM_CHECK(usr != NULL, return FALSE);
 180     CRM_CHECK(grp != NULL, return FALSE);
 181 
 182     pwd = getpwnam(usr);
 183     if (pwd == NULL) {
 184         crm_err("No user named '%s' exists!", usr);
 185         return FALSE;
 186     }
 187 
 188     group = getgrgid(pwd->pw_gid);
 189     if (group != NULL && pcmk__str_eq(grp, group->gr_name, pcmk__str_none)) {
 190         return TRUE;
 191     }
 192 
 193     group = getgrnam(grp);
 194     if (group == NULL) {
 195         crm_err("No group named '%s' exists!", grp);
 196         return FALSE;
 197     }
 198 
 199     while (TRUE) {
 200         char *member = group->gr_mem[index++];
 201 
 202         if (member == NULL) {
 203             break;
 204 
 205         } else if (pcmk__str_eq(usr, member, pcmk__str_none)) {
 206             return TRUE;
 207         }
 208     };
 209 
 210     return FALSE;
 211 }
 212 
 213 static gboolean
 214 cib_remote_auth(xmlNode * login)
     /* [previous][next][first][last][top][bottom][index][help] */
 215 {
 216     const char *user = NULL;
 217     const char *pass = NULL;
 218     const char *tmp = NULL;
 219 
 220     crm_log_xml_info(login, "Login: ");
 221     if (login == NULL) {
 222         return FALSE;
 223     }
 224 
 225     tmp = crm_element_name(login);
 226     if (!pcmk__str_eq(tmp, "cib_command", pcmk__str_casei)) {
 227         crm_err("Wrong tag: %s", tmp);
 228         return FALSE;
 229     }
 230 
 231     tmp = crm_element_value(login, "op");
 232     if (!pcmk__str_eq(tmp, "authenticate", pcmk__str_casei)) {
 233         crm_err("Wrong operation: %s", tmp);
 234         return FALSE;
 235     }
 236 
 237     user = crm_element_value(login, "user");
 238     pass = crm_element_value(login, "password");
 239 
 240     if (!user || !pass) {
 241         crm_err("missing auth credentials");
 242         return FALSE;
 243     }
 244 
 245     /* Non-root daemons can only validate the password of the
 246      * user they're running as
 247      */
 248     if (check_group_membership(user, CRM_DAEMON_GROUP) == FALSE) {
 249         crm_err("User is not a member of the required group");
 250         return FALSE;
 251 
 252     } else if (authenticate_user(user, pass) == FALSE) {
 253         crm_err("PAM auth failed");
 254         return FALSE;
 255     }
 256 
 257     return TRUE;
 258 }
 259 
 260 static gboolean
 261 remote_auth_timeout_cb(gpointer data)
     /* [previous][next][first][last][top][bottom][index][help] */
 262 {
 263     pcmk__client_t *client = data;
 264 
 265     client->remote->auth_timeout = 0;
 266 
 267     if (client->remote->authenticated == TRUE) {
 268         return FALSE;
 269     }
 270 
 271     mainloop_del_fd(client->remote->source);
 272     crm_err("Remote client authentication timed out");
 273 
 274     return FALSE;
 275 }
 276 
 277 static int
 278 cib_remote_listen(gpointer data)
     /* [previous][next][first][last][top][bottom][index][help] */
 279 {
 280     int csock = 0;
 281     unsigned laddr;
 282     struct sockaddr_storage addr;
 283     char ipstr[INET6_ADDRSTRLEN];
 284     int ssock = *(int *)data;
 285     int rc;
 286 
 287     pcmk__client_t *new_client = NULL;
 288 
 289     static struct mainloop_fd_callbacks remote_client_fd_callbacks = {
 290         .dispatch = cib_remote_msg,
 291         .destroy = cib_remote_connection_destroy,
 292     };
 293 
 294     /* accept the connection */
 295     laddr = sizeof(addr);
 296     memset(&addr, 0, sizeof(addr));
 297     csock = accept(ssock, (struct sockaddr *)&addr, &laddr);
 298     if (csock == -1) {
 299         crm_perror(LOG_ERR, "Could not accept socket connection");
 300         return TRUE;
 301     }
 302 
 303     pcmk__sockaddr2str(&addr, ipstr);
 304     crm_debug("New %s connection from %s",
 305               ((ssock == remote_tls_fd)? "secure" : "clear-text"), ipstr);
 306 
 307     rc = pcmk__set_nonblocking(csock);
 308     if (rc != pcmk_rc_ok) {
 309         crm_err("Could not set socket non-blocking: %s " CRM_XS " rc=%d",
 310                 pcmk_rc_str(rc), rc);
 311         close(csock);
 312         return TRUE;
 313     }
 314 
 315     num_clients++;
 316 
 317     new_client = pcmk__new_unauth_client(NULL);
 318     new_client->remote = calloc(1, sizeof(pcmk__remote_t));
 319 
 320     if (ssock == remote_tls_fd) {
 321 #ifdef HAVE_GNUTLS_GNUTLS_H
 322         pcmk__set_client_flags(new_client, pcmk__client_tls);
 323 
 324         /* create gnutls session for the server socket */
 325         new_client->remote->tls_session = pcmk__new_tls_session(csock,
 326                                                                 GNUTLS_SERVER,
 327                                                                 GNUTLS_CRD_ANON,
 328                                                                 anon_cred_s);
 329         if (new_client->remote->tls_session == NULL) {
 330             close(csock);
 331             return TRUE;
 332         }
 333 #endif
 334     } else {
 335         pcmk__set_client_flags(new_client, pcmk__client_tcp);
 336         new_client->remote->tcp_socket = csock;
 337     }
 338 
 339     // Require the client to authenticate within this time
 340     new_client->remote->auth_timeout = g_timeout_add(REMOTE_AUTH_TIMEOUT,
 341                                                      remote_auth_timeout_cb,
 342                                                      new_client);
 343     crm_info("Remote CIB client pending authentication "
 344              CRM_XS " %p id: %s", new_client, new_client->id);
 345 
 346     new_client->remote->source =
 347         mainloop_add_fd("cib-remote-client", G_PRIORITY_DEFAULT, csock, new_client,
 348                         &remote_client_fd_callbacks);
 349 
 350     return TRUE;
 351 }
 352 
 353 void
 354 cib_remote_connection_destroy(gpointer user_data)
     /* [previous][next][first][last][top][bottom][index][help] */
 355 {
 356     pcmk__client_t *client = user_data;
 357     int csock = 0;
 358 
 359     if (client == NULL) {
 360         return;
 361     }
 362 
 363     crm_trace("Cleaning up after client disconnect: %s/%s", crm_str(client->name), client->id);
 364 
 365     num_clients--;
 366     crm_trace("Num unfree'd clients: %d", num_clients);
 367 
 368     switch (PCMK__CLIENT_TYPE(client)) {
 369         case pcmk__client_tcp:
 370             csock = client->remote->tcp_socket;
 371             break;
 372 #ifdef HAVE_GNUTLS_GNUTLS_H
 373         case pcmk__client_tls:
 374             if (client->remote->tls_session) {
 375                 void *sock_ptr = gnutls_transport_get_ptr(*client->remote->tls_session);
 376 
 377                 csock = GPOINTER_TO_INT(sock_ptr);
 378                 if (client->remote->tls_handshake_complete) {
 379                     gnutls_bye(*client->remote->tls_session, GNUTLS_SHUT_WR);
 380                 }
 381                 gnutls_deinit(*client->remote->tls_session);
 382                 gnutls_free(client->remote->tls_session);
 383                 client->remote->tls_session = NULL;
 384             }
 385             break;
 386 #endif
 387         default:
 388             crm_warn("Unknown transport for %s " CRM_XS " flags=0x%llx",
 389                      pcmk__client_name(client),
 390                      (unsigned long long) client->flags);
 391     }
 392 
 393     if (csock > 0) {
 394         close(csock);
 395     }
 396 
 397     pcmk__free_client(client);
 398 
 399     crm_trace("Freed the cib client");
 400 
 401     if (cib_shutdown_flag) {
 402         cib_shutdown(0);
 403     }
 404     return;
 405 }
 406 
 407 static void
 408 cib_handle_remote_msg(pcmk__client_t *client, xmlNode *command)
     /* [previous][next][first][last][top][bottom][index][help] */
 409 {
 410     const char *value = NULL;
 411 
 412     value = crm_element_name(command);
 413     if (!pcmk__str_eq(value, "cib_command", pcmk__str_casei)) {
 414         crm_log_xml_trace(command, "Bad command: ");
 415         return;
 416     }
 417 
 418     if (client->name == NULL) {
 419         value = crm_element_value(command, F_CLIENTNAME);
 420         if (value == NULL) {
 421             client->name = strdup(client->id);
 422         } else {
 423             client->name = strdup(value);
 424         }
 425     }
 426 
 427     if (client->userdata == NULL) {
 428         value = crm_element_value(command, F_CIB_CALLBACK_TOKEN);
 429         if (value != NULL) {
 430             client->userdata = strdup(value);
 431             crm_trace("Callback channel for %s is %s", client->id, (char*)client->userdata);
 432 
 433         } else {
 434             client->userdata = strdup(client->id);
 435         }
 436     }
 437 
 438     /* unset dangerous options */
 439     xml_remove_prop(command, F_ORIG);
 440     xml_remove_prop(command, F_CIB_HOST);
 441     xml_remove_prop(command, F_CIB_GLOBAL_UPDATE);
 442 
 443     crm_xml_add(command, F_TYPE, T_CIB);
 444     crm_xml_add(command, F_CIB_CLIENTID, client->id);
 445     crm_xml_add(command, F_CIB_CLIENTNAME, client->name);
 446 #if ENABLE_ACL
 447     crm_xml_add(command, F_CIB_USER, client->user);
 448 #endif
 449 
 450     if (crm_element_value(command, F_CIB_CALLID) == NULL) {
 451         char *call_uuid = crm_generate_uuid();
 452 
 453         /* fix the command */
 454         crm_xml_add(command, F_CIB_CALLID, call_uuid);
 455         free(call_uuid);
 456     }
 457 
 458     if (crm_element_value(command, F_CIB_CALLOPTS) == NULL) {
 459         crm_xml_add_int(command, F_CIB_CALLOPTS, 0);
 460     }
 461 
 462     crm_log_xml_trace(command, "Remote command: ");
 463     cib_common_callback_worker(0, 0, command, client, TRUE);
 464 }
 465 
 466 static int
 467 cib_remote_msg(gpointer data)
     /* [previous][next][first][last][top][bottom][index][help] */
 468 {
 469     xmlNode *command = NULL;
 470     pcmk__client_t *client = data;
 471     int rc;
 472     int timeout = client->remote->authenticated ? -1 : 1000;
 473 
 474     crm_trace("Remote %s message received for %s",
 475               pcmk__client_type_str(PCMK__CLIENT_TYPE(client)),
 476               pcmk__client_name(client));
 477 
 478 #ifdef HAVE_GNUTLS_GNUTLS_H
 479     if ((PCMK__CLIENT_TYPE(client) == pcmk__client_tls)
 480         && !(client->remote->tls_handshake_complete)) {
 481 
 482         int rc = pcmk__read_handshake_data(client);
 483 
 484         if (rc == EAGAIN) {
 485             /* No more data is available at the moment. Just return for now;
 486              * we'll get invoked again once the client sends more.
 487              */
 488             return 0;
 489         } else if (rc != pcmk_rc_ok) {
 490             return -1;
 491         }
 492 
 493         crm_debug("TLS handshake with remote CIB client completed");
 494         client->remote->tls_handshake_complete = TRUE;
 495         if (client->remote->auth_timeout) {
 496             g_source_remove(client->remote->auth_timeout);
 497         }
 498 
 499         // Require the client to authenticate within this time
 500         client->remote->auth_timeout = g_timeout_add(REMOTE_AUTH_TIMEOUT,
 501                                                      remote_auth_timeout_cb,
 502                                                      client);
 503         return 0;
 504     }
 505 #endif
 506 
 507     rc = pcmk__read_remote_message(client->remote, timeout);
 508 
 509     /* must pass auth before we will process anything else */
 510     if (client->remote->authenticated == FALSE) {
 511         xmlNode *reg;
 512 
 513 #if ENABLE_ACL
 514         const char *user = NULL;
 515 #endif
 516         command = pcmk__remote_message_xml(client->remote);
 517         if (cib_remote_auth(command) == FALSE) {
 518             free_xml(command);
 519             return -1;
 520         }
 521 
 522         crm_notice("Remote CIB client connection accepted");
 523         client->remote->authenticated = TRUE;
 524         g_source_remove(client->remote->auth_timeout);
 525         client->remote->auth_timeout = 0;
 526         client->name = crm_element_value_copy(command, "name");
 527 
 528 #if ENABLE_ACL
 529         user = crm_element_value(command, "user");
 530         if (user) {
 531             client->user = strdup(user);
 532         }
 533 #endif
 534 
 535         /* send ACK */
 536         reg = create_xml_node(NULL, "cib_result");
 537         crm_xml_add(reg, F_CIB_OPERATION, CRM_OP_REGISTER);
 538         crm_xml_add(reg, F_CIB_CLIENTID, client->id);
 539         pcmk__remote_send_xml(client->remote, reg);
 540         free_xml(reg);
 541         free_xml(command);
 542     }
 543 
 544     command = pcmk__remote_message_xml(client->remote);
 545     while (command) {
 546         crm_trace("Remote client message received");
 547         cib_handle_remote_msg(client, command);
 548         free_xml(command);
 549         command = pcmk__remote_message_xml(client->remote);
 550     }
 551 
 552     if (rc == ENOTCONN) {
 553         crm_trace("Remote CIB client disconnected while reading from it");
 554         return -1;
 555     }
 556 
 557     return 0;
 558 }
 559 
 560 #ifdef HAVE_PAM
 561 static int
 562 construct_pam_passwd(int num_msg, const struct pam_message **msg,
     /* [previous][next][first][last][top][bottom][index][help] */
 563                      struct pam_response **response, void *data)
 564 {
 565     int count = 0;
 566     struct pam_response *reply;
 567     char *string = (char *)data;
 568 
 569     CRM_CHECK(data, return PAM_CONV_ERR);
 570     CRM_CHECK(num_msg == 1, return PAM_CONV_ERR);       /* We only want to handle one message */
 571 
 572     reply = calloc(1, sizeof(struct pam_response));
 573     CRM_ASSERT(reply != NULL);
 574 
 575     for (count = 0; count < num_msg; ++count) {
 576         switch (msg[count]->msg_style) {
 577             case PAM_TEXT_INFO:
 578                 crm_info("PAM: %s", msg[count]->msg);
 579                 break;
 580             case PAM_PROMPT_ECHO_OFF:
 581             case PAM_PROMPT_ECHO_ON:
 582                 reply[count].resp_retcode = 0;
 583                 reply[count].resp = string;     /* We already made a copy */
 584             case PAM_ERROR_MSG:
 585                 /* In theory we'd want to print this, but then
 586                  * we see the password prompt in the logs
 587                  */
 588                 /* crm_err("PAM error: %s", msg[count]->msg); */
 589                 break;
 590             default:
 591                 crm_err("Unhandled conversation type: %d", msg[count]->msg_style);
 592                 goto bail;
 593         }
 594     }
 595 
 596     *response = reply;
 597     reply = NULL;
 598 
 599     return PAM_SUCCESS;
 600 
 601   bail:
 602     for (count = 0; count < num_msg; ++count) {
 603         if (reply[count].resp != NULL) {
 604             switch (msg[count]->msg_style) {
 605                 case PAM_PROMPT_ECHO_ON:
 606                 case PAM_PROMPT_ECHO_OFF:
 607                     /* Erase the data - it contained a password */
 608                     while (*(reply[count].resp)) {
 609                         *(reply[count].resp)++ = '\0';
 610                     }
 611                     free(reply[count].resp);
 612                     break;
 613             }
 614             reply[count].resp = NULL;
 615         }
 616     }
 617     free(reply);
 618     reply = NULL;
 619 
 620     return PAM_CONV_ERR;
 621 }
 622 #endif
 623 
 624 int
 625 authenticate_user(const char *user, const char *passwd)
     /* [previous][next][first][last][top][bottom][index][help] */
 626 {
 627 #ifndef HAVE_PAM
 628     gboolean pass = TRUE;
 629 #else
 630     int rc = 0;
 631     gboolean pass = FALSE;
 632     const void *p_user = NULL;
 633 
 634     struct pam_conv p_conv;
 635     struct pam_handle *pam_h = NULL;
 636     static const char *pam_name = NULL;
 637 
 638     if (pam_name == NULL) {
 639         pam_name = getenv("CIB_pam_service");
 640     }
 641     if (pam_name == NULL) {
 642         pam_name = "login";
 643     }
 644 
 645     p_conv.conv = construct_pam_passwd;
 646     p_conv.appdata_ptr = strdup(passwd);
 647 
 648     rc = pam_start(pam_name, user, &p_conv, &pam_h);
 649     if (rc != PAM_SUCCESS) {
 650         crm_err("Could not initialize PAM: %s (%d)", pam_strerror(pam_h, rc), rc);
 651         goto bail;
 652     }
 653 
 654     rc = pam_authenticate(pam_h, 0);
 655     if (rc != PAM_SUCCESS) {
 656         crm_err("Authentication failed for %s: %s (%d)", user, pam_strerror(pam_h, rc), rc);
 657         goto bail;
 658     }
 659 
 660     /* Make sure we authenticated the user we wanted to authenticate.
 661      * Since we also run as non-root, it might be worth pre-checking
 662      * the user has the same EID as us, since that the only user we
 663      * can authenticate.
 664      */
 665     rc = pam_get_item(pam_h, PAM_USER, &p_user);
 666     if (rc != PAM_SUCCESS) {
 667         crm_err("Internal PAM error: %s (%d)", pam_strerror(pam_h, rc), rc);
 668         goto bail;
 669 
 670     } else if (p_user == NULL) {
 671         crm_err("Unknown user authenticated.");
 672         goto bail;
 673 
 674     } else if (!pcmk__str_eq(p_user, user, pcmk__str_casei)) {
 675         crm_err("User mismatch: %s vs. %s.", (const char *)p_user, (const char *)user);
 676         goto bail;
 677     }
 678 
 679     rc = pam_acct_mgmt(pam_h, 0);
 680     if (rc != PAM_SUCCESS) {
 681         crm_err("Access denied: %s (%d)", pam_strerror(pam_h, rc), rc);
 682         goto bail;
 683     }
 684     pass = TRUE;
 685 
 686   bail:
 687     pam_end(pam_h, rc);
 688 #endif
 689     return pass;
 690 }

/* [previous][next][first][last][top][bottom][index][help] */