2020-04-08 09:57:14 +00:00
|
|
|
//! Proxmox Backup Server Authentication
|
|
|
|
//!
|
|
|
|
//! This library contains helper to authenticate users.
|
|
|
|
|
|
|
|
use std::process::{Command, Stdio};
|
|
|
|
use std::io::Write;
|
|
|
|
use std::ffi::{CString, CStr};
|
|
|
|
|
2020-04-17 12:11:25 +00:00
|
|
|
use anyhow::{bail, format_err, Error};
|
2020-04-08 09:57:14 +00:00
|
|
|
use serde_json::json;
|
|
|
|
|
2020-08-06 13:46:01 +00:00
|
|
|
use crate::api2::types::{Userid, UsernameRef, RealmRef};
|
|
|
|
|
2020-04-08 09:57:14 +00:00
|
|
|
pub trait ProxmoxAuthenticator {
|
2020-08-06 13:46:01 +00:00
|
|
|
fn authenticate_user(&self, username: &UsernameRef, password: &str) -> Result<(), Error>;
|
|
|
|
fn store_password(&self, username: &UsernameRef, password: &str) -> Result<(), Error>;
|
2021-04-14 13:30:42 +00:00
|
|
|
fn remove_password(&self, username: &UsernameRef) -> Result<(), Error>;
|
2020-04-08 09:57:14 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
pub struct PAM();
|
|
|
|
|
|
|
|
impl ProxmoxAuthenticator for PAM {
|
|
|
|
|
2020-08-06 13:46:01 +00:00
|
|
|
fn authenticate_user(&self, username: &UsernameRef, password: &str) -> Result<(), Error> {
|
2020-04-08 09:57:14 +00:00
|
|
|
let mut auth = pam::Authenticator::with_password("proxmox-backup-auth").unwrap();
|
2020-08-06 13:46:01 +00:00
|
|
|
auth.get_handler().set_credentials(username.as_str(), password);
|
2020-04-08 09:57:14 +00:00
|
|
|
auth.authenticate()?;
|
2020-10-14 09:18:26 +00:00
|
|
|
Ok(())
|
2020-04-08 09:57:14 +00:00
|
|
|
}
|
|
|
|
|
2020-08-06 13:46:01 +00:00
|
|
|
fn store_password(&self, username: &UsernameRef, password: &str) -> Result<(), Error> {
|
2020-04-08 09:57:14 +00:00
|
|
|
let mut child = Command::new("passwd")
|
2020-08-06 13:46:01 +00:00
|
|
|
.arg(username.as_str())
|
2020-04-08 09:57:14 +00:00
|
|
|
.stdin(Stdio::piped())
|
|
|
|
.stderr(Stdio::piped())
|
|
|
|
.spawn()
|
2020-08-06 13:46:01 +00:00
|
|
|
.map_err(|err| format_err!(
|
|
|
|
"unable to set password for '{}' - execute passwd failed: {}",
|
|
|
|
username.as_str(),
|
|
|
|
err,
|
|
|
|
))?;
|
2020-04-08 09:57:14 +00:00
|
|
|
|
|
|
|
// Note: passwd reads password twice from stdin (for verify)
|
|
|
|
writeln!(child.stdin.as_mut().unwrap(), "{}\n{}", password, password)?;
|
|
|
|
|
2020-08-06 13:46:01 +00:00
|
|
|
let output = child
|
|
|
|
.wait_with_output()
|
|
|
|
.map_err(|err| format_err!(
|
|
|
|
"unable to set password for '{}' - wait failed: {}",
|
|
|
|
username.as_str(),
|
|
|
|
err,
|
|
|
|
))?;
|
2020-04-08 09:57:14 +00:00
|
|
|
|
|
|
|
if !output.status.success() {
|
2020-08-06 13:46:01 +00:00
|
|
|
bail!(
|
|
|
|
"unable to set password for '{}' - {}",
|
|
|
|
username.as_str(),
|
|
|
|
String::from_utf8_lossy(&output.stderr),
|
|
|
|
);
|
2020-04-08 09:57:14 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
Ok(())
|
|
|
|
}
|
2021-04-14 13:30:42 +00:00
|
|
|
|
|
|
|
// do not remove password for pam users
|
|
|
|
fn remove_password(&self, _username: &UsernameRef) -> Result<(), Error> {
|
|
|
|
Ok(())
|
|
|
|
}
|
2020-04-08 09:57:14 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
pub struct PBS();
|
|
|
|
|
|
|
|
pub fn crypt(password: &[u8], salt: &str) -> Result<String, Error> {
|
|
|
|
|
|
|
|
#[link(name="crypt")]
|
|
|
|
extern "C" {
|
|
|
|
#[link_name = "crypt"]
|
|
|
|
fn __crypt(key: *const libc::c_char, salt: *const libc::c_char) -> * mut libc::c_char;
|
|
|
|
}
|
|
|
|
|
|
|
|
let salt = CString::new(salt)?;
|
|
|
|
let password = CString::new(password)?;
|
|
|
|
|
|
|
|
let res = unsafe {
|
|
|
|
CStr::from_ptr(
|
|
|
|
__crypt(
|
|
|
|
password.as_c_str().as_ptr(),
|
|
|
|
salt.as_c_str().as_ptr()
|
|
|
|
)
|
|
|
|
)
|
|
|
|
};
|
|
|
|
Ok(String::from(res.to_str()?))
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
pub fn encrypt_pw(password: &str) -> Result<String, Error> {
|
|
|
|
|
|
|
|
let salt = proxmox::sys::linux::random_data(8)?;
|
|
|
|
let salt = format!("$5${}$", base64::encode_config(&salt, base64::CRYPT));
|
|
|
|
|
|
|
|
crypt(password.as_bytes(), &salt)
|
|
|
|
}
|
|
|
|
|
|
|
|
pub fn verify_crypt_pw(password: &str, enc_password: &str) -> Result<(), Error> {
|
|
|
|
let verify = crypt(password.as_bytes(), enc_password)?;
|
2020-10-14 09:18:26 +00:00
|
|
|
if verify != enc_password {
|
2020-04-08 09:57:14 +00:00
|
|
|
bail!("invalid credentials");
|
|
|
|
}
|
|
|
|
Ok(())
|
|
|
|
}
|
|
|
|
|
2020-08-06 13:46:01 +00:00
|
|
|
const SHADOW_CONFIG_FILENAME: &str = configdir!("/shadow.json");
|
2020-04-08 09:57:14 +00:00
|
|
|
|
|
|
|
impl ProxmoxAuthenticator for PBS {
|
|
|
|
|
2020-08-06 13:46:01 +00:00
|
|
|
fn authenticate_user(&self, username: &UsernameRef, password: &str) -> Result<(), Error> {
|
2020-04-08 09:57:14 +00:00
|
|
|
let data = proxmox::tools::fs::file_get_json(SHADOW_CONFIG_FILENAME, Some(json!({})))?;
|
2020-08-06 13:46:01 +00:00
|
|
|
match data[username.as_str()].as_str() {
|
2020-04-08 09:57:14 +00:00
|
|
|
None => bail!("no password set"),
|
|
|
|
Some(enc_password) => verify_crypt_pw(password, enc_password)?,
|
|
|
|
}
|
|
|
|
Ok(())
|
|
|
|
}
|
|
|
|
|
2020-08-06 13:46:01 +00:00
|
|
|
fn store_password(&self, username: &UsernameRef, password: &str) -> Result<(), Error> {
|
2020-04-08 09:57:14 +00:00
|
|
|
let enc_password = encrypt_pw(password)?;
|
|
|
|
let mut data = proxmox::tools::fs::file_get_json(SHADOW_CONFIG_FILENAME, Some(json!({})))?;
|
2020-08-06 13:46:01 +00:00
|
|
|
data[username.as_str()] = enc_password.into();
|
2020-04-08 09:57:14 +00:00
|
|
|
|
|
|
|
let mode = nix::sys::stat::Mode::from_bits_truncate(0o0600);
|
|
|
|
let options = proxmox::tools::fs::CreateOptions::new()
|
|
|
|
.perm(mode)
|
|
|
|
.owner(nix::unistd::ROOT)
|
|
|
|
.group(nix::unistd::Gid::from_raw(0));
|
|
|
|
|
|
|
|
let data = serde_json::to_vec_pretty(&data)?;
|
|
|
|
proxmox::tools::fs::replace_file(SHADOW_CONFIG_FILENAME, &data, options)?;
|
|
|
|
|
|
|
|
Ok(())
|
|
|
|
}
|
2021-04-14 13:30:42 +00:00
|
|
|
|
|
|
|
fn remove_password(&self, username: &UsernameRef) -> Result<(), Error> {
|
|
|
|
let mut data = proxmox::tools::fs::file_get_json(SHADOW_CONFIG_FILENAME, Some(json!({})))?;
|
|
|
|
if let Some(map) = data.as_object_mut() {
|
|
|
|
map.remove(username.as_str());
|
|
|
|
}
|
|
|
|
|
|
|
|
let mode = nix::sys::stat::Mode::from_bits_truncate(0o0600);
|
|
|
|
let options = proxmox::tools::fs::CreateOptions::new()
|
|
|
|
.perm(mode)
|
|
|
|
.owner(nix::unistd::ROOT)
|
|
|
|
.group(nix::unistd::Gid::from_raw(0));
|
|
|
|
|
|
|
|
let data = serde_json::to_vec_pretty(&data)?;
|
|
|
|
proxmox::tools::fs::replace_file(SHADOW_CONFIG_FILENAME, &data, options)?;
|
|
|
|
|
|
|
|
Ok(())
|
|
|
|
}
|
2020-04-08 09:57:14 +00:00
|
|
|
}
|
|
|
|
|
2020-04-16 08:01:59 +00:00
|
|
|
/// Lookup the autenticator for the specified realm
|
2020-08-06 13:46:01 +00:00
|
|
|
pub fn lookup_authenticator(realm: &RealmRef) -> Result<Box<dyn ProxmoxAuthenticator>, Error> {
|
|
|
|
match realm.as_str() {
|
2020-04-08 09:57:14 +00:00
|
|
|
"pam" => Ok(Box::new(PAM())),
|
|
|
|
"pbs" => Ok(Box::new(PBS())),
|
2020-08-06 13:46:01 +00:00
|
|
|
_ => bail!("unknown realm '{}'", realm.as_str()),
|
2020-04-08 09:57:14 +00:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2020-04-16 08:01:59 +00:00
|
|
|
/// Authenticate users
|
2020-08-06 13:46:01 +00:00
|
|
|
pub fn authenticate_user(userid: &Userid, password: &str) -> Result<(), Error> {
|
2020-04-08 09:57:14 +00:00
|
|
|
|
2020-08-06 13:46:01 +00:00
|
|
|
lookup_authenticator(userid.realm())?
|
|
|
|
.authenticate_user(userid.name(), password)
|
2020-04-08 09:57:14 +00:00
|
|
|
}
|