From f8f94534d481e75848b1b1dc5775e9c22c1aef01 Mon Sep 17 00:00:00 2001
From: Dietmar Maurer
Date: Tue, 5 Mar 2019 12:53:59 +0100
Subject: [PATCH] src/api2/access.rs: authenticate_user() - add ticket login
---
 src/api2/access.rs | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/src/api2/access.rs b/src/api2/access.rs
index 21d52a42..ee094624 100644
--- a/src/api2/access.rs
+++ b/src/api2/access.rs
@@ -12,6 +12,18 @@ use serde_json::{json, Value};
 fn authenticate_user(username: &str, password: &str) -> Result<(), Error> {
+ let ticket_lifetime = tools::ticket::TICKET_LIFETIME;
+
+ if password.starts_with("PBS:") {
+ if let Ok((_age, Some(ticket_username))) = tools::ticket::verify_rsa_ticket(public_auth_key(), "PBS", password, None, -300, ticket_lifetime) {
+ if ticket_username == username {
+ return Ok(());
+ } else {
+ bail!("ticket login failed - wrong username");
+ }
+ }
+ }
+
 if username == "root@pam" {
 let mut auth = pam::Authenticator::with_password("proxmox-backup-auth").unwrap();
 auth.get_handler().set_credentials("root", password);
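Review bot: When `password` starts with `PBS:` but `verify_rsa_ticket` does not return `Ok((_, Some(..)))`, the `if let` discards the verification error and the ticket string falls through to the password path below, so an expired or tampered ticket is handed to PAM as a password and the caller never learns why it was rejected. If the fallthrough is intentional (a real password may begin with `PBS:`), say so with a comment such as `// not a valid ticket - fall through to password authentication`; otherwise fail closed by adding `} else { bail!("ticket login failed"); }` to the `if let`. The `-300` minimum age is presumably a clock-skew allowance and deserves a named constant or a comment. If callers issue a fresh ticket after a successful return (not visible in this hunk), a valid ticket can be renewed indefinitely, which should be stated in the function's documentation. The body of `authenticate_user` continues past the end of the hunk.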