client

package
Published: Apr 3, 2024 License: MIT Imports: 27 Imported by: 0

Documentation


Constants

// Environment variable names that the PAM wrapper (pam_exec) exports into the
// client's process. Each mirrors a PAM item, so each is exactly as
// trustworthy as the item it came from:
//   - PAM_USER is the account the calling application is trying to
//     authenticate. During pam_sm_authenticate it is a claim, not a verified
//     identity.
//   - PAM_RHOST and PAM_RUSER are whatever the calling application (an SSH
//     daemon, a display manager, ...) chose to set; PAM itself does not
//     verify them. They may be empty, unresolvable, or attacker-chosen.
// NOTE(review): never splice any of these values into shell text or file
// paths unvalidated, and strip control characters before echoing them to a
// terminal. The exact set of variables pam_exec exports depends on the
// Linux-PAM version in use — confirm against the target system.
const (
	// PAM_REMOTE_HOST_KEY is the environment variable key for the remote host
	PAM_REMOTE_HOST_KEY = "PAM_RHOST"

	// PAM_REMOTE_USER_KEY is the environment variable key for the remote user
	PAM_REMOTE_USER_KEY = "PAM_RUSER"

	// PAM_SERVICE_KEY is the environment variable key for the service
	PAM_SERVICE_KEY = "PAM_SERVICE"

	// PAM_TTY_KEY is the environment variable key for the tty
	PAM_TTY_KEY = "PAM_TTY"

	// PAM_USERNAME_KEY is the environment variable key for the username
	PAM_USERNAME_KEY = "PAM_USER"

	// PAM_TYPE_KEY is the environment variable key for the service module type
	// (one of the PamSmType values; see GetType)
	PAM_TYPE_KEY = "PAM_TYPE"
)

Passed from the PAM wrapper to the client

// Environment variable names for values the client itself stores in the PAM
// environment (see SetConfigPath and SetChallengeID) so that a later
// invocation — and ultimately the login shell — can read them back.
// NOTE(review): whatever is placed in the PAM environment is exported into
// the user's session environment and is readable by that user. Only
// non-secret identifiers belong here; in particular the challenge ID must not
// be sufficient on its own to complete or replay a challenge.
// NOTE(review): GetConfigPath reads PAM_OAUTH_CONFIG back from the
// environment of a process that typically runs with the calling service's
// privileges. If any earlier module in the stack lets the user populate the
// PAM environment, an unprivileged user could point the client at a
// configuration file they control — and Config.CreateUserCommand is shell
// text. The loader should accept only paths under a fixed, root-owned
// directory (or ignore the variable for privileged phases); confirm how it
// is handled.
const (
	// PAM_OAUTH_CONFIG is the environment variable key for the configuration path
	PAM_OAUTH_CONFIG = "PAM_OAUTH_CONFIG"

	// PAM_OAUTH_CHALLENGE_ID is the environment variable key for the challenge ID
	PAM_OAUTH_CHALLENGE_ID = "PAM_OAUTH_CHALLENGE_ID"
)

Passed from the client to the PAM wrapper to the login shell

// Environment variable name through which the client hands the username to
// CreateUserCommand. Passing it via the environment, rather than
// interpolating it into the script text, is what keeps the username out of
// the shell's parsing; the command must still quote "$PAM_OAUTH_USERNAME"
// and the client should validate the name (allowed characters, length)
// before exporting it, since during authentication PAM_USER is a claim made
// by the remote party.
const (
	// PAM_OAUTH_USERNAME is the environment variable key for the username
	PAM_OAUTH_USERNAME = "PAM_OAUTH_USERNAME"
)

Passed from the client to the create user command

Variables

// Sentinel errors for missing or malformed values in the pam_exec
// environment. Compare with errors.Is rather than ==, because they may be
// wrapped (for example inside a PamErrorWithCode, which implements Unwrap).
var (
	// ErrPAMRemoteHostNotFound is returned when the PAM remote host is not found
	ErrPAMRemoteHostNotFound = errors.New("PAM remote host not found")

	// ErrPAMRemoteUserNotFound is returned when the PAM remote user is not found
	ErrPAMRemoteUserNotFound = errors.New("PAM remote user not found")

	// ErrPAMServiceNotFound is returned when the PAM service is not found
	ErrPAMServiceNotFound = errors.New("PAM service not found")

	// ErrPAMTTYNotFound is returned when the PAM TTY is not found
	ErrPAMTTYNotFound = errors.New("PAM TTY not found")

	// ErrPAMUsernameNotFound is returned when the PAM username is not found
	ErrPAMUsernameNotFound = errors.New("PAM username not found")

	// ErrPAMTypeNotFound is returned when the PAM type is not found
	ErrPAMTypeNotFound = errors.New("PAM type not found")

	// ErrPAMTypeInvalid is returned when the PAM type is invalid
	// (present but not one of the PamSmType values)
	ErrPAMTypeInvalid = errors.New("PAM type invalid")

	// ErrPAMOAuthConfigNotFound is returned when the PAM OAuth config is not found
	ErrPAMOAuthConfigNotFound = errors.New("PAM OAuth config not found")

	// ErrPAMOAuthChallengeIDNotFound is returned when the PAM OAuth challenge ID is not found
	ErrPAMOAuthChallengeIDNotFound = errors.New("PAM OAuth challenge ID not found")
)

Functions

func EvaluateShellScript

func EvaluateShellScript(raw string, timeout time.Duration, env map[string]string) (string, string, error)

EvaluateShellScript runs the given script text in a shell, terminating it once timeout elapses, with the entries of env made available to the child (presumably as environment variables). The two returned strings are not named in the signature — presumably the child's stdout and stderr; confirm from the source. Because raw is interpreted by a shell, nothing derived from PAM items (PAM_USER, PAM_RHOST, PAM_RUSER) or other untrusted input may be spliced into raw; pass such values through env and have the script quote them.

func EvaluateTextTemplate

func EvaluateTextTemplate(rawTemplate string, data any) (string, error)

EvaluateTextTemplate renders rawTemplate — a text (i.e. **NON-HTML**) template, so no escaping of any kind is applied to data — with the given data. NOTE(review): if the rendered output is later passed to EvaluateShellScript, every field of data that originates from PAM items or the remote party must be validated or shell-quoted before rendering; the template engine will not do it.

func GetChallengeID

func GetChallengeID() (string, error)

GetChallengeID returns the challenge ID from the PAM_OAUTH_CHALLENGE_ID environment variable (as stored by SetChallengeID in an earlier phase), or ErrPAMOAuthChallengeIDNotFound when it is unset.

func GetConfigPath

func GetConfigPath() (string, error)

GetConfigPath returns the configuration path from the PAM_OAUTH_CONFIG environment variable, or ErrPAMOAuthConfigNotFound when it is unset. NOTE(review): this trusts the environment. The environment of a pam_exec child can be influenced by earlier modules in the stack (for example ones that import user-supplied variables), so a client running with the calling service's privileges should accept only paths under a fixed, root-owned directory, or ignore this variable altogether in privileged phases.

func GetRemoteHost

func GetRemoteHost() (string, error)

GetRemoteHost returns the remote host (PAM_RHOST) from the environment, or ErrPAMRemoteHostNotFound when it is unset. The value is whatever the calling application set; PAM does not verify it, and it may be empty, an unresolved name or attacker-chosen. Treat it as untrusted input: validate it before using it in commands or paths, and strip control characters before writing it to a terminal or a log.

func GetRemoteUser

func GetRemoteUser() (string, error)

GetRemoteUser returns the remote user (PAM_RUSER) from the environment, or ErrPAMRemoteUserNotFound when it is unset. Like the remote host, it is supplied unverified by the calling application and must be treated as untrusted input.

func GetService

func GetService() (string, error)

GetService returns the service from the environment

func GetTTY

func GetTTY() (string, error)

GetTTY returns the tty from the environment

func GetUsername

func GetUsername() (string, error)

GetUsername returns the username (PAM_USER) from the environment, or ErrPAMUsernameNotFound when it is unset. During pam_sm_authenticate this is the name the caller is trying to authenticate — a claim, not a verified identity — so validate it (allowed characters, length) before handing it to CreateUserCommand, using it as a path component, or looking it up with GetPwnam.

func SaveConfig

func SaveConfig(config Config, name string, relative string, mode common.SafeOpenMode) error

SaveConfig writes config to the file named name, resolved against relative, creating it with mode (see common.SafeOpenMode). The file is consumed by a process running with the calling service's privileges and contains shell text (CreateUserCommand), so mode must not grant write access to other users.

func SetChallengeID

func SetChallengeID(challengeID string) error

SetChallengeID stores challengeID in the PAM module environment (as PAM_OAUTH_CHALLENGE_ID), from where it is exported into the login session and can be read by the user's shell. Only a non-secret identifier belongs here; it must not be sufficient on its own to complete or replay the challenge.

func SetConfigPath

func SetConfigPath(configPath string) error

SetConfigPath stores configPath in the PAM module environment (as PAM_OAUTH_CONFIG) so that later invocations, and the login shell, can read it back via GetConfigPath.

func SwitchUser

func SwitchUser(user *Passwd) error

SwitchUser switches the current process to the specified user. NOTE(review): the signature does not show what it changes. For the privilege drop to be sound it must set the primary group (user.Gid) and the supplementary groups before changing the UID, apply to every OS thread of the Go process, and be irreversible; callers should confirm this against the implementation (for instance by checking that regaining the original UID afterwards fails) rather than assume it.

Types

type Config

// Config is the global client configuration, loaded from a TOML file (see
// LoadConfig / SaveConfig).
// NOTE(review): CreateUserCommand is shell text that the client runs
// (presumably via EvaluateShellScript, after rendering with
// EvaluateTextTemplate — the struct tag is not shown on this page, confirm
// from the source). The configuration file is therefore as sensitive as a
// script executed with the client's privileges and must be root-owned and
// not writable by other users.
type Config struct {
	// Schema version of the file; consumers should not edit it by hand.
	Version              *version.Version     `toml:"version,omitempty" comment:"The configuration version (DO NOT CHANGE)"`
	// Shell text used to create a local account; treat as executable code.
	CreateUserCommand    string               `` /* 255-byte string literal not displayed */
	InternalClientConfig InternalClientConfig `toml:"internal_client" comment:"Internal server client configuration"`
	Log                  LogConfig            `toml:"log" comment:"Logging configuration"`
	Prompt               PromptConfig         `toml:"prompt" comment:"Prompt configuration"`
}

Config is the global client configuration

func LoadConfig

func LoadConfig(name string, relative string) (Config, error)

LoadConfig loads the configuration file named name, resolved against relative. NOTE(review): because the configuration (CreateUserCommand in particular) is executed by a process that typically runs with the calling service's privileges, the loader should reject a file that is not owned by root or that is group- or world-writable; confirm whether it does.

type InternalClient

// InternalClient talks to the internal server using the TLS material in
// InternalClientConfig (a client certificate/key and the server's
// certificate). Construct it with NewInternalClient and release it with
// Close; the zero value is not usable.
type InternalClient struct {
	// contains filtered or unexported fields
}

InternalClient is the internal server client

func NewInternalClient

func NewInternalClient(config InternalClientConfig) (*InternalClient, error)

NewInternalClient creates a new internal server client from config; the error covers whatever fails during setup (presumably loading the client keypair and the server certificate from the configured paths — confirm from the source). Callers must Close the client when done.

func (*InternalClient) Close

func (client *InternalClient) Close() error

Close closes the internal server client

func (InternalClient) GetChallengeInfo

func (client InternalClient) GetChallengeInfo(id string) (string, map[string]string, error)

GetChallengeInfo returns information about the challenge with the given ID: a string and a map of key/value details whose meaning is not documented on this page — confirm from the source. Because the challenge ID is exported into the login environment (PAM_OAUTH_CHALLENGE_ID) and is readable by the user, nothing returned here should be secret or sufficient to complete the challenge.

func (InternalClient) IssueChallenge

func (client InternalClient) IssueChallenge(username string) (string, string, error)

IssueChallenge issues a challenge for the user to verify their identity. The two returned strings are not named in the signature — presumably the challenge ID (to pass to SetChallengeID, GetChallengeInfo and VerifyChallenge) and the value to present to the user; confirm from the source.

func (InternalClient) VerifyChallenge

func (client InternalClient) VerifyChallenge(id string, code string) (bool, error)

VerifyChallenge verifies a challenge, returning true only when code is the correct response for the challenge id. Callers must fail closed: a non-nil error (transport failure, timeout, unknown challenge) is a failed verification, never a reason to fall through to success, and must map to a non-zero PamExitCode.

type InternalClientConfig

// InternalClientConfig is the internal server client configuration: where the
// internal server listens and the TLS material used to talk to it.
type InternalClientConfig struct {
	// NOTE(review): the defaults for the three path fields below are relative
	// ("./..."). A pam_exec child inherits the calling service's working
	// directory, so relative paths resolve unpredictably; deployments should
	// use absolute paths unless LoadConfig is confirmed to resolve them
	// against its `relative` argument.
	Host              string `toml:"host" comment:"The host (address/domain) of the internal server" default:"127.0.0.1"`
	Port              uint16 `toml:"port" comment:"The port of the internal server" default:"8081"`
	ClientTlsCertPath string `toml:"client_cert" comment:"The path to the client TLS certificate file" default:"./internal-client.crt"`
	// The private key file should be readable only by the account that runs
	// the client.
	ClientTlsKeyPath  string `toml:"client_key" comment:"The path to the client TLS key file" default:"./internal-client.key"`
	ServerTlsCertPath string `` /* 130-byte string literal not displayed */
	// Timeout is the challenge timeout, not a connection or request deadline;
	// whether the underlying transport has its own timeout is not visible here.
	Timeout           int    `toml:"timeout" comment:"The challenge timeout (in seconds)" default:"300"`

	// The internal server client TLS keypair (not serialised to TOML;
	// presumably loaded from ClientTlsCertPath/ClientTlsKeyPath).
	ClientTlsKeypair *tls.Certificate `toml:"-"`

	// The internal server's TLS certificate — an x509.Certificate, i.e. a
	// certificate rather than a keypair (not serialised to TOML; presumably
	// loaded from ServerTlsCertPath and used to pin the server identity when
	// dialing — confirm from the source).
	ServerTlsCert *x509.Certificate `toml:"-"`
}

InternalClientConfig is the internal server client configuration

type LogConfig

// LogConfig is the logging configuration.
// NOTE(review): the client sees challenge codes, usernames and unverified
// PAM_RHOST/PAM_RUSER values; log levels should never cause a challenge code
// to be written out, and values from the remote party should be quoted (%q)
// so control characters cannot corrupt the log.
type LogConfig struct {
	// Only used when Output is "file"; the file is created by a process that
	// usually runs privileged, so its permissions should be restrictive.
	File   string           `toml:"file" comment:"Log file (if output is file)" default:"/var/log/pam-oauth-client.log"`
	Level  common.LogLevel  `toml:"level" comment:"Log level (One of debug, info, warn, or error)" default:"info"`
	Output common.LogOutput `toml:"output" comment:"Log output (One of file, stdout, or stderr)" default:"stderr"`
}

LogConfig is the logging configuration

type PamErrorWithCode

// PamErrorWithCode pairs an underlying error with the PamExitCode the process
// should exit with. Build it with NewPamErrorWithCode; it supports
// errors.Is/errors.As on the wrapped error through Unwrap.
type PamErrorWithCode struct {
	// contains filtered or unexported fields
}

PamErrorWithCode is an error with a PAM exit code

func NewPamErrorWithCode

func NewPamErrorWithCode(code PamExitCode, err error) *PamErrorWithCode

NewPamErrorWithCode returns a new PamErrorWithCode

func (*PamErrorWithCode) Code

func (err *PamErrorWithCode) Code() PamExitCode

Code returns the PAM exit code

func (*PamErrorWithCode) Error

func (err *PamErrorWithCode) Error() string

Error returns the error message

func (*PamErrorWithCode) Unwrap

func (err *PamErrorWithCode) Unwrap() error

Unwrap returns the underlying error

type PamExitCode

// PamExitCode is a Linux-PAM return value carried as the process exit status
// of a pam_exec child (see the constants below).
type PamExitCode int

PamExitCode is the exit status a pam_exec child returns, using Linux-PAM's return-value numbering. NOTE(review): how pam_exec maps a non-zero status to a module result (pass-through of the code vs. a generic failure) depends on the Linux-PAM version, so do not rely on the finer codes to steer the PAM stack without confirming the behaviour on the target system; regardless of the mapping, no failure path may exit with PAM_SUCCESS (0).

// Linux-PAM return values (numbering as in _pam_types.h), used as the exit
// status of the pam_exec child.
// NOTE(review): only PAM_SUCCESS (0) is certain to be interpreted as success
// by pam_exec; whether a non-zero status is propagated as the module's return
// value or collapsed to a generic error depends on the Linux-PAM version —
// confirm before relying on e.g. PAM_USER_UNKNOWN or PAM_MAXTRIES to drive
// stack control flow. Whatever the mapping, a failed verification must never
// exit 0.
const (
	// Successful function return
	PAM_SUCCESS PamExitCode = 0

	// dlopen() failure when dynamically loading a service module
	PAM_OPEN_ERR PamExitCode = 1

	// Symbol not found
	PAM_SYMBOL_ERR PamExitCode = 2

	// Error in service module
	PAM_SERVICE_ERR PamExitCode = 3

	// System error
	PAM_SYSTEM_ERR PamExitCode = 4

	// Memory buffer error
	PAM_BUF_ERR PamExitCode = 5

	// Permission denied
	PAM_PERM_DENIED PamExitCode = 6

	// Authentication failure
	PAM_AUTH_ERR PamExitCode = 7

	// Can not access authentication data due to insufficient credentials
	PAM_CRED_INSUFFICIENT PamExitCode = 8

	// Underlying authentication service can not retrieve authentication information
	PAM_AUTHINFO_UNAVAIL PamExitCode = 9

	// User not known to the underlying authentication module
	PAM_USER_UNKNOWN PamExitCode = 10

	// An authentication service has maintained a retry count which has been reached. No further retries should be attempted
	PAM_MAXTRIES PamExitCode = 11

	// New authentication token required. This is normally returned if the machine security policies require that the password should be changed because the password is NULL or it has aged
	PAM_NEW_AUTHTOK_REQD PamExitCode = 12

	// User account has expired
	PAM_ACCT_EXPIRED PamExitCode = 13

	// Can not make/remove an entry for the specified session
	PAM_SESSION_ERR PamExitCode = 14

	// Underlying authentication service can not retrieve user credentials (credentials unavailable)
	PAM_CRED_UNAVAIL PamExitCode = 15

	// User credentials expired
	PAM_CRED_EXPIRED PamExitCode = 16

	// Failure setting user credentials
	PAM_CRED_ERR PamExitCode = 17

	// No module specific data is present
	PAM_NO_MODULE_DATA PamExitCode = 18

	// Conversation error
	PAM_CONV_ERR PamExitCode = 19

	// Authentication token manipulation error
	PAM_AUTHTOK_ERR PamExitCode = 20

	// Authentication information cannot be recovered
	PAM_AUTHTOK_RECOVERY_ERR PamExitCode = 21

	// Authentication token lock busy
	PAM_AUTHTOK_LOCK_BUSY PamExitCode = 22

	// Authentication token aging error
	PAM_AUTHTOK_DISABLE_AGING PamExitCode = 23

	// Preliminary check by password service
	PAM_TRY_AGAIN PamExitCode = 24

	// Ignore underlying account module regardless of whether the control flag is required, optional, or sufficient
	PAM_IGNORE PamExitCode = 25

	// Critical error: the module requests that the stack fail immediately
	PAM_ABORT PamExitCode = 26

	// User's authentication token has expired
	PAM_AUTHTOK_EXPIRED PamExitCode = 27

	// Module is not known
	PAM_MODULE_UNKNOWN PamExitCode = 28

	// Bad item passed to pam_*_item()
	PAM_BAD_ITEM PamExitCode = 29

	// Conversation function is event driven and data is not available yet
	PAM_CONV_AGAIN PamExitCode = 30

	// Please call this function again to complete authentication stack. Before calling again, verify that conversation is completed
	PAM_INCOMPLETE PamExitCode = 31
)

type PamSmType

// PamSmType names the PAM service-module entry point that invoked the
// binary, as reported in the PAM_TYPE environment variable.
type PamSmType string

PamSmType names the PAM service-module entry point (management function) that invoked the binary, as reported in the PAM_TYPE environment variable; see GetType.

// The six PAM service-module entry points, with the string pam_exec reports
// in PAM_TYPE for each. The client should branch on this value: only the
// authenticate phase verifies anything, and the open-session phase runs for
// an already authenticated user.
const (
	// User authentication
	PAM_SM_AUTHENTICATE PamSmType = "pam_sm_authenticate"

	// Alter credentials
	// (The gosec suppression below is for rule G101, "hard-coded
	// credentials", which fires on the substring "cred" in the name; the
	// value is a PAM entry-point name, not a secret.)
	// #nosec G101
	PAM_SM_SETCRED PamSmType = "pam_sm_setcred"

	// Account management
	PAM_SM_ACCT_MGMT PamSmType = "pam_sm_acct_mgmt"

	// Start session management
	PAM_SM_OPEN_SESSION PamSmType = "pam_sm_open_session"

	// Terminate session management
	PAM_SM_CLOSE_SESSION PamSmType = "pam_sm_close_session"

	// Alter the authentication token (password)
	PAM_SM_CHAUTHTOK PamSmType = "pam_sm_chauthtok"
)

func GetType

func GetType() (PamSmType, error)

GetType returns the service-module type (PAM_TYPE) from the environment. ErrPAMTypeNotFound is returned when the variable is unset, and ErrPAMTypeInvalid presumably when its value is not one of the PamSmType constants — confirm from the source.

type Passwd

// Passwd is a record in the user database — the fields of a C struct passwd.
// NOTE(review): Passwd may carry a password hash on systems that do not use
// a shadow database; never log or display a Passwd value with %v/%+v.
// Note also that Uid/Gid are int here while GetPwuid takes a uint — callers
// convert explicitly.
type Passwd struct {
	// Username
	Name string

	// Hashed passphrase, if shadow database not in use (see shadow.h).
	// Sensitive: keep out of logs and error messages.
	Passwd string

	// User ID
	Uid int

	// Group ID (primary group only; supplementary groups are not part of
	// this record)
	Gid int

	// Real name
	Gecos string

	// Home directory
	Dir string

	// Shell program
	Shell string
}

Passwd is a record in the user database (the fields of a C struct passwd). On systems without a shadow database the Passwd field may hold a password hash, so a Passwd value must never be logged or printed whole.

func GetPwnam

func GetPwnam(name string) (*Passwd, error)

GetPwnam returns the user-database record for the given username (cf. getpwnam(3)); look the name up only after validating it. The signature does not distinguish "no such user" from a lookup failure, which matter differently to PAM (PAM_USER_UNKNOWN vs. PAM_AUTHINFO_UNAVAIL); check how the error is reported before mapping it to an exit code.

func GetPwuid

func GetPwuid(uid uint) (*Passwd, error)

GetPwuid returns the user-database record for the given user ID (cf. getpwuid(3)). The ID is a uint here while Passwd.Uid is an int; convert explicitly when round-tripping.

type PromptConfig

// PromptConfig is the prompt configuration.
// NOTE(review): the struct tag for Message is not shown on this page; it is
// presumably a text template rendered with EvaluateTextTemplate and then
// shown to the user through the PAM conversation. If the template
// interpolates values such as PAM_RHOST or PAM_RUSER, strip control
// characters first — the prompt is written to the user's terminal, where
// escape sequences from an unverified remote value would be interpreted.
type PromptConfig struct {
	Message string `` /* 320-byte string literal not displayed */
}

PromptConfig is the prompt configuration
