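/**
 * Check a username/password pair against PAM.
 *
 * @param string $username Account name handed to pam_auth().
 * @param string $passwd   Password as received; slashes added by magic quotes are stripped first.
 * @return bool True when pam_auth() accepts the credentials, false otherwise.
 */
function authenticate($username, $passwd)
{
    // get_magic_quotes_gpc() was removed in PHP 8.0; calling it unguarded turns
    // every login attempt into a fatal error there. Where the function is gone
    // there are no magic quotes either, so the password is used as received.
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $passwd = stripslashes($passwd);
    }

    // pam_auth() takes its status message by reference. It is not handed back to
    // the caller, so only the boolean verdict leaves this function.
    $error = '';

    return (bool) pam_auth($username, $passwd, $error);
}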
Example #2
 /**
  * Perform RSA SecurID authentication. In the current implementation, we rely on a correctly configured PAM setup
  * on the server.
  *
  * @param Mfa_OtpdeviceDao $otpDevice
  * @param Mfa_ApitokenDao $token
  * @return bool
  * @throws Zend_Exception
  */
 protected function _pamAuth($otpDevice, $token)
 {
     // Raise a clear exception when the PAM extension is missing instead of
     // running into an undefined-function error.
     $pamAvailable = function_exists('pam_auth');
     if ($pamAvailable === false) {
         throw new Zend_Exception('PAM is not enabled on the server');
     }

     // The device secret goes into pam_auth()'s username slot and the token into
     // its password slot. The trailing false is pam_auth()'s $checkacctmgmt flag,
     // so account-management checks are skipped for this call.
     // NOTE(review): confirm the PAM service used here does not depend on its
     // account stack to reject disabled or expired identities.
     $pamStatus = '';
     $accepted = pam_auth($otpDevice->getSecret(), $token, $pamStatus, false);

     return $accepted;
 }
Example #3
 /**
  * Find out if a set of login credentials are valid.
  *
  * @param string $userId      The userId to check.
  * @param array $credentials  An array of login credentials.
  *
  * @throws Horde_Auth_Exception
  */
 protected function _authenticate($userId, $credentials)
 {
     // A missing or empty password is rejected before PAM is consulted.
     $hasPassword = !empty($credentials['password']);
     if (!$hasPassword) {
         throw new Horde_Auth_Exception('', Horde_Auth::REASON_BADLOGIN);
     }

     // pam_auth() writes its status text into $pamMessage by reference.
     $pamMessage = null;
     $accepted = pam_auth($userId, $credentials['password'], $pamMessage);
     if ($accepted) {
         return;
     }

     // The PAM status text becomes the exception message.
     // NOTE(review): check that callers do not show it verbatim to the person logging in.
     throw new Horde_Auth_Exception($pamMessage);
 }
Example #4
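 /**
  * Validate a username/password pair through pam_auth().
  *
  * When no pam_auth() function exists and the application runs with its debug
  * flag set, a stand-in is defined so development machines without the PAM
  * extension can log in. Without PAM and without debug the check fails closed.
  *
  * @param string $user Login name.
  * @param string $pass Password.
  * @return bool True when the credentials are accepted.
  */
 public function checkCredentials($user, $pass)
 {
     $hasPam = function_exists('ICFS\\Model\\pam_auth') || function_exists('pam_auth');

     if (!$hasPam && $this->app['debug']) {
         // NOTE(review): credentials committed to source. This stand-in is only
         // reachable with the debug flag on and the PAM extension absent; make
         // sure no deployed configuration can meet both conditions, and prefer
         // moving the test accounts out of the code base.
         function pam_auth($user, $pass)
         {
             // Strict comparison: with ==, a non-string argument such as int 0
             // compares equal to these literals on PHP < 8.
             $knownUser = $user === 'dm1911' || $user === 'txl11';

             return $knownUser && $pass === 'sexy';
         }
         $hasPam = true;
     }

     if (!$hasPam) {
         // Fail closed instead of dying on an undefined function.
         return false;
     }

     return pam_auth($user, $pass);
 }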
Example #5
 /**
  * Returns true if the username and password work and false if they are
  * wrong or don't exist.
  *
  * @param string $username The username
  * @param string $password The password
  * @return bool Authentication success or failure.
  */
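 function user_login($username, $password)
 {
     // pam_auth() declares its third parameter by reference, so the variable is
     // passed plainly; the deprecated call-time "&" is not needed. Leaving the
     // argument out meant lasterror only ever received a blank placeholder
     // instead of the PAM status text.
     $errormessage = '';
     if (pam_auth($username, $password, $errormessage)) {
         return true;
     }

     // Kept for the caller to inspect after a rejected login.
     $this->lasterror = $errormessage;

     return false;
 }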
Example #6
/**
 * PAM Password Driver
 *
 * @version 1.0
 * @author Aleksander Machniak
 */
function password_save($currpass, $newpass)
{
    // The account name comes from the session, not from the request.
    $user = $_SESSION['username'];

    if (!extension_loaded('pam')) {
        raise_error(array('code' => 600, 'type' => 'php', 'file' => __FILE__, 'message' => "Password plugin: PECL-PAM module not loaded"), true, false);

        return PASSWORD_ERROR;
    }

    // The current password is verified before any change is attempted. The
    // trailing false is pam_auth()'s $checkacctmgmt flag, so account-management
    // checks are skipped for this verification.
    $verified = pam_auth($user, $currpass, $error, false);
    if (!$verified) {
        raise_error(array('code' => 600, 'type' => 'php', 'file' => __FILE__, 'message' => "Password plugin: PAM authentication failed for user {$user}: {$error}"), true, false);

        return PASSWORD_ERROR;
    }

    // NOTE(review): a failing pam_chpass() yields PASSWORD_ERROR without any log
    // entry, unlike the two failure paths above.
    return pam_chpass($user, $currpass, $newpass) ? PASSWORD_SUCCESS : PASSWORD_ERROR;
}
Example #7
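/**
 * Validate a user through PAM and build the account record passed to _auth_check_db().
 *
 * @param string $name        Login name.
 * @param string $pass        Password checked by pam_auth().
 * @param int    $admin_auser Any truthy value skips the PAM check.
 * @return mixed The result of _auth_check_db() on success, 0 when PAM rejects the credentials.
 */
function _valid_pam($name, $pass, $admin_auser = 0)
{
    global $pam_email_suffix;

    // NOTE(review): a truthy $admin_auser bypasses password verification
    // entirely. Callers must derive it from a server-side decision, never from
    // request data.
    $skipPamCheck = (bool) $admin_auser;

    // pam_auth() takes $error by reference in its own signature; the call-time
    // "&$error" form is a fatal error on PHP 5.4 and later.
    $error = '';
    if (!$skipPamCheck && !pam_auth($name, $pass, $error)) {
        return 0;
    }

    // Keys are quoted: bare words are looked up as constants and are an error on PHP 8.
    // NOTE(review): the plain-text password travels in this record; confirm
    // _auth_check_db() does not store or log it as is.
    $x = array(
        'user' => $name,
        'pass' => $pass,
        'type' => "stud",
        'email' => $name . '@' . $pam_email_suffix,
        'method' => 'pam',
        'fullname' => $name,
    );

    return _auth_check_db($x, 1);
}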
 /**
  * @param $username
  * @param $password
  * @return bool
  */
 protected function pamAuth($username, $password)
 {
     // Thin wrapper: pam_auth()'s verdict is returned unchanged and its optional
     // status-message argument is not requested.
     $verdict = pam_auth($username, $password);

     return $verdict;
 }
Example #9
 /**
  * Authenticate a login through pam_auth().
  *
  * @param string $login Login name.
  * @param string $pwd   Password.
  * @return array|null gecos, name and uid taken from $this->localAccount when
  *                    pam_auth() accepts; nothing is returned otherwise.
  */
 function authPAM($login, $pwd)
 {
     if (!function_exists('pam_auth')) {
         $this->dbg("authPAM: pam_auth is not installed");

         return;
     }

     // pam_auth() stores its status text in $this->authMessage by reference.
     $accepted = pam_auth($login, $pwd, $this->authMessage);
     if ($accepted) {
         $this->dbg("authPAM: pam_auth", $login, "OK");

         return array($this->localAccount["gecos"], $this->localAccount["name"], $this->localAccount["uid"]);
     }

     // Rejected: only the login and the PAM status text go to the debug channel.
     $this->dbg("authPAM: pam_auth", $login, $this->authMessage);
 }
Example #10
 # SSO Code for HTTPAUTH PassTrough by Juergen Vigna
 # The posted password is kept as received in $form_pass.
 $form_pass = $_POST['pass'];
 # Salt & pw: the digest input is the fixed string "NeDi", the user name and the posted password.
 # NOTE(review): a single SHA-256 round is a fast hash. If this digest is what is stored or
 # compared for local accounts, password_hash()/password_verify() is the safer primitive.
 # Confirm how $pass is used further down.
 $pass = hash("sha256", "NeDi" . $user . $_POST['pass']);
 # Database handle used by the user lookups in each authentication branch.
 $link = DbConnect($dbhost, $dbuser, $dbpass, $dbname);
 if ($guiauth == 'none') {
     $uok = 1;
     $query = GenQuery('users', 's', '*', '', '', array('usrname'), array('='), array($user));
     $res = DbQuery($query, $link);
 } elseif (strstr($guiauth, 'pam') && $user != "admin") {
     # PAM code by Owen Brotherhood & Bruberg
     if (!extension_loaded('pam_auth')) {
         dl('pam_auth.so');
     }
     # dl removed in PHP5.3?
     $uok = pam_auth($user, $_POST['pass']);
     $query = GenQuery('users', 's', '*', '', '', array('usrname'), array('='), array($user));
     $res = DbQuery($query, $link);
 } elseif (strstr($guiauth, 'radius') && $user != "admin") {
     # Radius code by Till Elsner
     $radres = radius_auth_open();
     if (!$radres) {
         $raderr = "Error while preparing RADIUS authentication: " . radius_strerror($radres);
     }
     foreach ($radsrv as $rs) {
         if (!radius_add_server($radres, $rs[0], $rs[1], $rs[2], $rs[3], $rs[4])) {
             echo "<h4>RADIUS: " . radius_strerror($radres) . "</h4>";
         }
     }
     if (!radius_create_request($radres, RADIUS_ACCESS_REQUEST)) {
         $raderr = "RADIUS create: " . radius_strerror($radres);
Example #11
	/**
	 * Validate a user against PAM when PAM is the configured auth method.
	 *
	 * @return bool|mixed false when auth_method is not 'pam', otherwise USER_VALID or PASSWORD_INCORRECT.
	 */
	function validate_user_pam($user, $pass)
	{
		global $tikilib, $prefs;

		// Only act when PAM is the selected authentication method.
		if ($prefs['auth_method'] != 'pam') {
			return false;
		}

		// The PAM extension must be loaded for pam_auth() to exist; it fills
		// $pamMessage by reference.
		$pamMessage = '';
		$accepted = pam_auth($user, $pass, $pamMessage);

		// When diagnosing failures, log $pamMessage and $user only. The password
		// must never be written to the error log.
		return $accepted ? USER_VALID : PASSWORD_INCORRECT;
	}
Example #12
 /**
  * pam_auth
  *
  * Check to make sure the pam_auth function is implemented (module is
  * installed), then check the credentials.
  */
 private static function pam_auth($username, $password)
 {
     // Without the PAM extension there is nothing to check against.
     if (!function_exists('pam_auth')) {
         return array(
             'success' => false,
             'error' => 'The PAM PHP module is not installed',
         );
     }

     // NOTE(review): scrub_in() is defined elsewhere. If it rewrites characters,
     // the value PAM sees differs from what the user typed. Confirm it is safe
     // to apply to passwords.
     $cleanPassword = scrub_in($password);

     if (!pam_auth($username, $cleanPassword)) {
         // A generic message: the PAM status text is not requested or exposed.
         return array(
             'success' => false,
             'error' => 'PAM login attempt failed',
         );
     }

     return array(
         'success' => true,
         'type' => 'pam',
         'username' => $username,
     );
 }
Example #13
    include_once 'inc/libcsv.php';
} else {
    print 'Backend not configured!';
    die;
}
# Every posted field is passed through sanitize() before use.
# NOTE(review): sanitize() is not shown in this excerpt. Because it rewrites the whole
# array, $_POST['pass'] is affected too before it reaches md5() and pam_auth() below.
# If it alters characters, the password checked is not the one typed. Confirm what it
# does, and prefer context-specific escaping where the values are actually used.
$_POST = sanitize($_POST);
# Initialised to 0 here; not used again within this excerpt.
$failed = 0;
if (isset($_POST['user'])) {
    $pass = md5($_POST['pass']);
    $link = @DbConnect($dbhost, $dbuser, $dbpass, $dbname);
    if (stristr('p', $guiauth) && $_POST['user'] != "admin") {
        # PAM code by Owen Brotherhood & bruberg
        if (!extension_loaded('pam_auth')) {
            dl("pam_auth.so");
        }
        $uok = pam_auth($_POST['user'], $_POST['pass']);
        $query = GenQuery('user', 's', '*', '', '', array('name'), array('='), array($_POST[user]));
        $res = @DbQuery($query, $link);
    } else {
        $pass = md5($_POST['pass']);
        $query = GenQuery('user', 's', '*', '', '', array('name', 'password'), array('=', '='), array($_POST['user'], $pass), array('AND'));
        $res = @DbQuery($query, $link);
        $uok = @DbNumRows($res);
    }
    if ($uok == 1) {
        $usr = @DbFetchRow($res);
        session_start();
        $_SESSION['user'] = $_POST['user'];
        $_SESSION['group'] = "usr,";
        if ($usr[2]) {
            $_SESSION['group'] .= "adm,";
Example #14
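 /**
  * Check a login/password pair with pam_auth(), printing diagnostic HTML along the way.
  *
  * NOTE(review): the echo/var_dump output below reads as temporary debugging; it
  * should not reach a deployed login page.
  *
  * @param string $login Login name.
  * @param string $pwd   Password.
  * @return bool|null FALSE when self::$password_ok is already set, when either
  *                   argument is empty, or when pam_auth() rejects; TRUE when
  *                   pam_auth() accepts and self::$checkPwdOnly is set; nothing
  *                   is returned in the remaining cases.
  */
 public static function isValidPamUser($login, $pwd)
 {
     echo "<hr><h3>IN PAM</h3>";
     if (self::$password_ok) {
         return FALSE;
     }
     //    if (!self::_authenticated()) return FALSE;
     echo "b";
     // One emptiness check instead of the same condition tested twice.
     if (empty($login) || empty($pwd)) {
         echo "<p class='bold red'>Invalid login or pwd</p>";
         return FALSE;
     }
     echo "c";
     // NOTE(review): this runs before authentication. If debug::rr() (defined
     // elsewhere) prints its argument, the account entry for any submitted login
     // is disclosed to an unauthenticated client. Confirm and remove.
     debug::rr(posix_getpwnam($login));
     if (function_exists('pam_auth')) {
         // pam_auth() is called once and the verdict reused. Calling it twice per
         // request sends every attempt to the PAM stack twice, which doubles
         // failure counts in lockout modules.
         self::$authMessage = "";
         $accepted = pam_auth($login, $pwd, self::$authMessage);
         echo "<p>AUTHENTICATED? ";
         var_dump($accepted);
         if ($accepted) {
             echo "e";
             // $login is request data: escape it before it is written into HTML.
             echo "<p class='bold green'>Accepted pam_auth for " . htmlspecialchars((string) $login, ENT_QUOTES, 'UTF-8') . " from " . htmlspecialchars((string) $_SERVER["REMOTE_ADDR"], ENT_QUOTES, 'UTF-8') . "</p>";
             if (self::$checkPwdOnly) {
                 return TRUE;
             }
             /*
             		// So far so good... The authentication is OK, now lets find the Avatar.
             		// This might be a problem if the user might belong to multiple realms,
             		// so lets try all of them
             self::$localAccount = posix_getpwnam($login); // array or FALSE
             		if (self::$localAccount) self::$av = bForm_Avatar::hook(array('av_identity'=>$login),'basic');
             		if (is_object(self::$av)){
             		  $dbg_txt = "<br>YES - identity '$login'<br>";
             		} else {
             		  foreach (self::$imapServers as $domain=>$s){
             			foreach(array_merge(array($domain),$s['alias']) as $d) {
             			  if (self::$av = bForm_Avatar::hook($email="$login@$d",'basic')) {
             				$dbg_txt = "<br>YES - $email<br>";
             				break 2;
             			  }
             			}
             		  }
             		}
             		if (is_object(self::$av)){
             		  self::$password_ok = TRUE;
             //self::dbg($dbg_txt);
             		  return $this->_setUser('pam_auth',self::$av->name());
             		}
             echo("<br>$login is authenticated by pam_auth, but Avatar is not found. AUTHENTICATION CANCELED<br>");
             */
         } else {
             // The PAM status text is escaped as well before it is shown.
             echo "<p class='bold red'>Authentication failed<br>MESSAGE: " . htmlspecialchars((string) self::$authMessage, ENT_QUOTES, 'UTF-8') . "</p>";
             return FALSE;
         }
         //self::dbg(False);
     } else {
         echo "<p class='bold red'>WARNING pam_auth is not installed</p>";
     }
 }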
Example #15
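/**
 * Authenticate a user through PAM, restricted to an allow-list of ids.
 *
 * @param string $pagename Page being accessed; not used by the check itself.
 * @param string $id       Login name; must be longer than two bytes.
 * @param string $pw       Password; must be longer than two bytes.
 * @param array  $pwlist   Ids permitted to authenticate this way.
 * @return bool True only when $id is on the list and pam_auth() accepts the password.
 */
function AuthUserPAM($pagename, $id, $pw, $pwlist)
{
    if (strlen($id) <= 2 || strlen($pw) <= 2) {
        return false;
    }

    // The allow-list is checked first, so ids that are not permitted never reach
    // the PAM stack and cannot add to failure counters of system accounts. The
    // comparison is strict on string values: a loose in_array() lets entries
    // such as int 0 match arbitrary names on PHP < 8.
    $allowedIds = array_map('strval', $pwlist);
    if (!in_array((string) $id, $allowedIds, true)) {
        return false;
    }

    return (bool) pam_auth($id, $pw);
}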
Example #16
<html>
<head>
</head>
<body>
<?php 
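// Handle a posted login; any other request just shows the form.
if (isset($_POST['user'], $_POST['pwd'])) {
    $username = $_POST['user'];
    $password = $_POST['pwd'];
    // pam_auth() takes $error by reference in its own signature; the call-time
    // "&$error" form is a fatal error on PHP 5.4 and later.
    $error = '';
    if (pam_auth($username, $password, $error)) {
        echo "Yeah baby, we're authenticated!";
    } else {
        // The status text is escaped before it is written into the page.
        echo '<h3>Error: ' . htmlspecialchars((string) $error, ENT_QUOTES, 'UTF-8') . '</h3>';
        renderForm();
    }
} else {
    renderForm();
}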
/**
 * Print the login form; it posts the fields "user" and "pwd" to test-pam.php.
 */
function renderForm()
{
    // The heredoc is echoed directly; its content is the exact markup sent to the client.
    echo <<<EOT
<h3>Login</h3>
<form action="test-pam.php" method="POST">
\t<input name="user" type="text"/>
\t<input name="pwd"  type="password" />
\t<input type="submit"/>
</form>
EOT;
}
?>
</body>
Example #17
 /**
  * Login the user.
  */
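 function login($username, $password)
 {
     // pam_auth() fills $error by reference with its status text.
     $error = NULL;
     $res = pam_auth($username, $password, $error);
     if (!$res) {
         $this->showLoginForm($error);
         // Stop here. showLoginForm() is not shown; unless it ends the request
         // itself, a rejected login would otherwise fall through to the session
         // assignment below and be treated as authenticated.
         return;
     }
     // NOTE(review): if a session is already active at this point, regenerating
     // its id on successful login guards against session fixation. Confirm where
     // the session is started.
     $_SESSION["email"] = $username . "@" . $this->config["actorDomain"];
     $this->redirect();
 }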
Example #18
 /**
  * Validate a user against PAM when PAM is the configured auth method.
  *
  * @return bool|mixed false when auth_method is not "pam", otherwise USER_VALID or PASSWORD_INCORRECT.
  */
 function validate_user_pam($user, $pass)
 {
     global $tikilib;

     // Only act when PAM is the selected authentication method.
     $authMethod = $tikilib->get_preference("auth_method", "tiki");
     if ($authMethod != "pam") {
         return false;
     }

     // NOTE(review): the configured service name is read here but never handed
     // to pam_auth(), so the setting has no effect on which PAM service is used.
     $pamService = $tikilib->get_preference("pam_service", "tikiwiki");

     // The PAM extension must be loaded for pam_auth() to exist; it fills
     // $pamMessage by reference.
     $accepted = pam_auth($user, $pass, $pamMessage);

     // When diagnosing failures, log $pamMessage and $user only. The password
     // must never be written to the error log.
     return $accepted ? USER_VALID : PASSWORD_INCORRECT;
 }
Example #19
 /**
  * Authenticate a login through pam_auth() and record the outcome via core_syslog().
  *
  * @param string $login Login name.
  * @param string $pwd   Password.
  * @return array|null gecos, name and uid taken from $this->localAccount when
  *                    pam_auth() accepts; nothing is returned otherwise.
  */
 function authPAM($login, $pwd)
 {
     if (!function_exists("pam_auth")) {
         core_syslog("WARNING pam_auth is not installed");

         return;
     }

     // NOTE(review): $login is written into both log lines as received. If
     // core_syslog() (defined elsewhere) does not neutralise control characters,
     // line breaks in a login name end up in the log. Confirm.
     if (!pam_auth($login, $pwd, $this->authMessage)) {
         core_syslog("Failed password for " . $login . " from " . $_SERVER["REMOTE_ADDR"] . ", " . "engine pam_auth, " . $this->authMessage);

         return;
     }

     // Accepted: remember the engine in the session, then log the success.
     $_SESSION["auth"]["type"] = "pam_auth";
     core_syslog("Accepted pam_auth for " . $login . " from " . $_SERVER["REMOTE_ADDR"]);

     return array($this->localAccount["gecos"], $this->localAccount["name"], $this->localAccount["uid"]);
 }