Merge pull request #123 from jasperla/bsdauth
Add support for bsd_auth(3) as authentication backend
This commit is contained in:
commit
0bed914e8e
7
Makefile
7
Makefile
|
@ -1,4 +1,5 @@
|
|||
TOPDIR=$(shell pwd)
|
||||
UNAME=$(shell uname)
|
||||
|
||||
INSTALL=install
|
||||
PREFIX=/usr
|
||||
|
@ -16,10 +17,14 @@ CFLAGS += -Wall
|
|||
CPPFLAGS += -D_GNU_SOURCE
|
||||
CFLAGS += $(shell $(PKG_CONFIG) --cflags cairo xcb-composite xcb-xinerama xcb-atom xcb-image xcb-xkb xkbcommon xkbcommon-x11)
|
||||
LIBS += $(shell $(PKG_CONFIG) --libs cairo xcb-composite xcb-xinerama xcb-atom xcb-image xcb-xkb xkbcommon xkbcommon-x11)
|
||||
LIBS += -lpam
|
||||
LIBS += -lev
|
||||
LIBS += -lm
|
||||
|
||||
# OpenBSD lacks PAM, use bsd_auth(3) instead.
|
||||
ifneq ($(UNAME),OpenBSD)
|
||||
LIBS += -lpam
|
||||
endif
|
||||
|
||||
FILES:=$(wildcard *.c)
|
||||
FILES:=$(FILES:.c=.o)
|
||||
|
||||
|
|
|
@ -16,6 +16,7 @@ Many little improvements have been made to i3lock over time:
|
|||
- You can specify whether i3lock should bell upon a wrong password.
|
||||
|
||||
- i3lock uses PAM and therefore is compatible with LDAP etc.
|
||||
On OpenBSD i3lock uses the bsd_auth(3) framework.
|
||||
|
||||
Requirements
|
||||
------------
|
||||
|
@ -37,6 +38,9 @@ Running i3lock
|
|||
Simply invoke the 'i3lock' command. To get out of it, enter your password and
|
||||
press enter.
|
||||
|
||||
On OpenBSD the `i3lock` binary needs to be setgid `auth` to call the
|
||||
authentication helpers, e.g. `/usr/libexec/auth/login_passwd`.
|
||||
|
||||
Upstream
|
||||
--------
|
||||
Please submit pull requests to https://github.com/i3/i3lock
|
||||
|
|
79
i3lock.c
79
i3lock.c
|
@ -18,7 +18,11 @@
|
|||
#include <xcb/xkb.h>
|
||||
#include <err.h>
|
||||
#include <assert.h>
|
||||
#ifdef __OpenBSD__
|
||||
#include <bsd_auth.h>
|
||||
#else
|
||||
#include <security/pam_appl.h>
|
||||
#endif
|
||||
#include <getopt.h>
|
||||
#include <string.h>
|
||||
#include <ev.h>
|
||||
|
@ -28,6 +32,9 @@
|
|||
#include <xkbcommon/xkbcommon-x11.h>
|
||||
#include <cairo.h>
|
||||
#include <cairo/cairo-xcb.h>
|
||||
#ifdef __OpenBSD__
|
||||
#include <strings.h> /* explicit_bzero(3) */
|
||||
#endif
|
||||
|
||||
#include "i3lock.h"
|
||||
#include "xcb.h"
|
||||
|
@ -49,7 +56,9 @@ char color[7] = "ffffff";
|
|||
uint32_t last_resolution[2];
|
||||
xcb_window_t win;
|
||||
static xcb_cursor_t cursor;
|
||||
#ifndef __OpenBSD__
|
||||
static pam_handle_t *pam_handle;
|
||||
#endif
|
||||
int input_position = 0;
|
||||
/* Holds the password you enter (in UTF-8). */
|
||||
static char password[512];
|
||||
|
@ -59,11 +68,11 @@ bool unlock_indicator = true;
|
|||
char *modifier_string = NULL;
|
||||
static bool dont_fork = false;
|
||||
struct ev_loop *main_loop;
|
||||
static struct ev_timer *clear_pam_wrong_timeout;
|
||||
static struct ev_timer *clear_auth_wrong_timeout;
|
||||
static struct ev_timer *clear_indicator_timeout;
|
||||
static struct ev_timer *discard_passwd_timeout;
|
||||
extern unlock_state_t unlock_state;
|
||||
extern pam_state_t pam_state;
|
||||
extern auth_state_t auth_state;
|
||||
int failed_attempts = 0;
|
||||
bool show_failed_attempts = false;
|
||||
bool retry_verification = false;
|
||||
|
@ -158,6 +167,11 @@ static bool load_compose_table(const char *locale) {
|
|||
*
|
||||
*/
|
||||
static void clear_password_memory(void) {
|
||||
#ifdef __OpenBSD__
|
||||
/* Use explicit_bzero(3) which was explicitly designed not to be
|
||||
* optimized out by the compiler. */
|
||||
explicit_bzero(password, strlen(password));
|
||||
#else
|
||||
/* A volatile pointer to the password buffer to prevent the compiler from
|
||||
* optimizing this out. */
|
||||
volatile char *vpassword = password;
|
||||
|
@ -167,6 +181,7 @@ static void clear_password_memory(void) {
|
|||
* compiler from optimizing the calls away, since the value of 'beep'
|
||||
* is not known at compile-time. */
|
||||
vpassword[c] = c + (int)beep;
|
||||
#endif
|
||||
}
|
||||
|
||||
ev_timer *start_timer(ev_timer *timer_obj, ev_tstamp timeout, ev_callback_t callback) {
|
||||
|
@ -206,13 +221,13 @@ static void finish_input(void) {
|
|||
}
|
||||
|
||||
/*
|
||||
* Resets pam_state to STATE_PAM_IDLE 2 seconds after an unsuccessful
|
||||
* Resets auth_state to STATE_AUTH_IDLE 2 seconds after an unsuccessful
|
||||
* authentication event.
|
||||
*
|
||||
*/
|
||||
static void clear_pam_wrong(EV_P_ ev_timer *w, int revents) {
|
||||
DEBUG("clearing pam wrong\n");
|
||||
pam_state = STATE_PAM_IDLE;
|
||||
static void clear_auth_wrong(EV_P_ ev_timer *w, int revents) {
|
||||
DEBUG("clearing auth wrong\n");
|
||||
auth_state = STATE_AUTH_IDLE;
|
||||
redraw_screen();
|
||||
|
||||
/* Clear modifier string. */
|
||||
|
@ -222,9 +237,9 @@ static void clear_pam_wrong(EV_P_ ev_timer *w, int revents) {
|
|||
}
|
||||
|
||||
/* Now free this timeout. */
|
||||
STOP_TIMER(clear_pam_wrong_timeout);
|
||||
STOP_TIMER(clear_auth_wrong_timeout);
|
||||
|
||||
/* retry with input done during pam verification */
|
||||
/* retry with input done during auth verification */
|
||||
if (retry_verification) {
|
||||
retry_verification = false;
|
||||
finish_input();
|
||||
|
@ -248,11 +263,24 @@ static void discard_passwd_cb(EV_P_ ev_timer *w, int revents) {
|
|||
}
|
||||
|
||||
static void input_done(void) {
|
||||
STOP_TIMER(clear_pam_wrong_timeout);
|
||||
pam_state = STATE_PAM_VERIFY;
|
||||
STOP_TIMER(clear_auth_wrong_timeout);
|
||||
auth_state = STATE_AUTH_VERIFY;
|
||||
unlock_state = STATE_STARTED;
|
||||
redraw_screen();
|
||||
|
||||
#ifdef __OpenBSD__
|
||||
struct passwd *pw;
|
||||
|
||||
if (!(pw = getpwuid(getuid())))
|
||||
errx(1, "unknown uid %u.", getuid());
|
||||
|
||||
if (auth_userokay(pw->pw_name, NULL, NULL, password) != 0) {
|
||||
DEBUG("successfully authenticated\n");
|
||||
clear_password_memory();
|
||||
|
||||
exit(0);
|
||||
}
|
||||
#else
|
||||
if (pam_authenticate(pam_handle, 0) == PAM_SUCCESS) {
|
||||
DEBUG("successfully authenticated\n");
|
||||
clear_password_memory();
|
||||
|
@ -266,12 +294,13 @@ static void input_done(void) {
|
|||
|
||||
exit(0);
|
||||
}
|
||||
#endif
|
||||
|
||||
if (debug_mode)
|
||||
fprintf(stderr, "Authentication failure\n");
|
||||
|
||||
/* Get state of Caps and Num lock modifiers, to be displayed in
|
||||
* STATE_PAM_WRONG state */
|
||||
* STATE_AUTH_WRONG state */
|
||||
xkb_mod_index_t idx, num_mods;
|
||||
const char *mod_name;
|
||||
|
||||
|
@ -305,7 +334,7 @@ static void input_done(void) {
|
|||
}
|
||||
}
|
||||
|
||||
pam_state = STATE_PAM_WRONG;
|
||||
auth_state = STATE_AUTH_WRONG;
|
||||
failed_attempts += 1;
|
||||
clear_input();
|
||||
if (unlock_indicator)
|
||||
|
@ -314,7 +343,7 @@ static void input_done(void) {
|
|||
/* Clear this state after 2 seconds (unless the user enters another
|
||||
* password during that time). */
|
||||
ev_now_update(main_loop);
|
||||
START_TIMER(clear_pam_wrong_timeout, TSTAMP_N_SECS(2), clear_pam_wrong);
|
||||
START_TIMER(clear_auth_wrong_timeout, TSTAMP_N_SECS(2), clear_auth_wrong);
|
||||
|
||||
/* Cancel the clear_indicator_timeout, it would hide the unlock indicator
|
||||
* too early. */
|
||||
|
@ -393,7 +422,7 @@ static void handle_key_press(xcb_key_press_event_t *event) {
|
|||
if ((ksym == XKB_KEY_j || ksym == XKB_KEY_m) && !ctrl)
|
||||
break;
|
||||
|
||||
if (pam_state == STATE_PAM_WRONG) {
|
||||
if (auth_state == STATE_AUTH_WRONG) {
|
||||
retry_verification = true;
|
||||
return;
|
||||
}
|
||||
|
@ -597,6 +626,7 @@ void handle_screen_resize(void) {
|
|||
redraw_screen();
|
||||
}
|
||||
|
||||
#ifndef __OpenBSD__
|
||||
/*
|
||||
* Callback function for PAM. We only react on password request callbacks.
|
||||
*
|
||||
|
@ -627,6 +657,7 @@ static int conv_callback(int num_msg, const struct pam_message **msg,
|
|||
|
||||
return 0;
|
||||
}
|
||||
#endif
|
||||
|
||||
/*
|
||||
* This callback is only a dummy, see xcb_prepare_cb and xcb_check_cb.
|
||||
|
@ -725,7 +756,7 @@ static void xcb_check_cb(EV_P_ ev_check *w, int revents) {
|
|||
/*
|
||||
* This function is called from a fork()ed child and will raise the i3lock
|
||||
* window when the window is obscured, even when the main i3lock process is
|
||||
* blocked due to PAM.
|
||||
* blocked due to the authentication backend.
|
||||
*
|
||||
*/
|
||||
static void raise_loop(xcb_window_t window) {
|
||||
|
@ -782,8 +813,10 @@ int main(int argc, char *argv[]) {
|
|||
struct passwd *pw;
|
||||
char *username;
|
||||
char *image_path = NULL;
|
||||
#ifndef __OpenBSD__
|
||||
int ret;
|
||||
struct pam_conv conv = {conv_callback, NULL};
|
||||
#endif
|
||||
int curs_choice = CURS_NONE;
|
||||
int o;
|
||||
int optind = 0;
|
||||
|
@ -877,17 +910,21 @@ int main(int argc, char *argv[]) {
|
|||
* the unlock indicator upon keypresses. */
|
||||
srand(time(NULL));
|
||||
|
||||
#ifndef __OpenBSD__
|
||||
/* Initialize PAM */
|
||||
if ((ret = pam_start("i3lock", username, &conv, &pam_handle)) != PAM_SUCCESS)
|
||||
errx(EXIT_FAILURE, "PAM: %s", pam_strerror(pam_handle, ret));
|
||||
|
||||
if ((ret = pam_set_item(pam_handle, PAM_TTY, getenv("DISPLAY"))) != PAM_SUCCESS)
|
||||
errx(EXIT_FAILURE, "PAM: %s", pam_strerror(pam_handle, ret));
|
||||
#endif
|
||||
|
||||
/* Using mlock() as non-super-user seems only possible in Linux. Users of other
|
||||
* operating systems should use encrypted swap/no swap (or remove the ifdef and
|
||||
* run i3lock as super-user). */
|
||||
#if defined(__linux__)
|
||||
/* Using mlock() as non-super-user seems only possible in Linux and OpenBSD.
|
||||
* Users of other operating systems should use encrypted swap/no swap
|
||||
* (or remove the ifdef and run i3lock as super-user).
|
||||
* NB: Alas, swap is encrypted by default on OpenBSD so swapping out
|
||||
* is not necessarily an issue. */
|
||||
#if defined(__linux__) || defined(__OpenBSD__)
|
||||
/* Lock the area where we store the password in memory, we don’t want it to
|
||||
* be swapped to disk. Since Linux 2.6.9, this does not require any
|
||||
* privileges, just enough bytes in the RLIMIT_MEMLOCK limit. */
|
||||
|
@ -985,7 +1022,7 @@ int main(int argc, char *argv[]) {
|
|||
cursor = create_cursor(conn, screen, win, curs_choice);
|
||||
|
||||
/* Display the "locking…" message while trying to grab the pointer/keyboard. */
|
||||
pam_state = STATE_PAM_LOCK;
|
||||
auth_state = STATE_AUTH_LOCK;
|
||||
grab_pointer_and_keyboard(conn, screen, cursor);
|
||||
|
||||
pid_t pid = fork();
|
||||
|
@ -1012,7 +1049,7 @@ int main(int argc, char *argv[]) {
|
|||
errx(EXIT_FAILURE, "Could not initialize libev. Bad LIBEV_FLAGS?\n");
|
||||
|
||||
/* Explicitly call the screen redraw in case "locking…" message was displayed */
|
||||
pam_state = STATE_PAM_IDLE;
|
||||
auth_state = STATE_AUTH_IDLE;
|
||||
redraw_screen();
|
||||
|
||||
struct ev_io *xcb_watcher = calloc(sizeof(struct ev_io), 1);
|
||||
|
|
|
@ -78,7 +78,7 @@ static xcb_visualtype_t *vistype;
|
|||
/* Maintain the current unlock/PAM state to draw the appropriate unlock
|
||||
* indicator. */
|
||||
unlock_state_t unlock_state;
|
||||
pam_state_t pam_state;
|
||||
auth_state_t auth_state;
|
||||
|
||||
/*
|
||||
* Returns the scaling factor of the current screen. E.g., on a 227 DPI MacBook
|
||||
|
@ -141,7 +141,7 @@ xcb_pixmap_t draw_image(uint32_t *resolution) {
|
|||
}
|
||||
|
||||
if (unlock_indicator &&
|
||||
(unlock_state >= STATE_KEY_PRESSED || pam_state > STATE_PAM_IDLE)) {
|
||||
(unlock_state >= STATE_KEY_PRESSED || auth_state > STATE_AUTH_IDLE)) {
|
||||
cairo_scale(ctx, scaling_factor(), scaling_factor());
|
||||
/* Draw a (centered) circle with transparent background. */
|
||||
cairo_set_line_width(ctx, 10.0);
|
||||
|
@ -154,12 +154,12 @@ xcb_pixmap_t draw_image(uint32_t *resolution) {
|
|||
|
||||
/* Use the appropriate color for the different PAM states
|
||||
* (currently verifying, wrong password, or default) */
|
||||
switch (pam_state) {
|
||||
case STATE_PAM_VERIFY:
|
||||
case STATE_PAM_LOCK:
|
||||
switch (auth_state) {
|
||||
case STATE_AUTH_VERIFY:
|
||||
case STATE_AUTH_LOCK:
|
||||
cairo_set_source_rgba(ctx, 0, 114.0 / 255, 255.0 / 255, 0.75);
|
||||
break;
|
||||
case STATE_PAM_WRONG:
|
||||
case STATE_AUTH_WRONG:
|
||||
case STATE_I3LOCK_LOCK_FAILED:
|
||||
cairo_set_source_rgba(ctx, 250.0 / 255, 0, 0, 0.75);
|
||||
break;
|
||||
|
@ -169,16 +169,16 @@ xcb_pixmap_t draw_image(uint32_t *resolution) {
|
|||
}
|
||||
cairo_fill_preserve(ctx);
|
||||
|
||||
switch (pam_state) {
|
||||
case STATE_PAM_VERIFY:
|
||||
case STATE_PAM_LOCK:
|
||||
switch (auth_state) {
|
||||
case STATE_AUTH_VERIFY:
|
||||
case STATE_AUTH_LOCK:
|
||||
cairo_set_source_rgb(ctx, 51.0 / 255, 0, 250.0 / 255);
|
||||
break;
|
||||
case STATE_PAM_WRONG:
|
||||
case STATE_AUTH_WRONG:
|
||||
case STATE_I3LOCK_LOCK_FAILED:
|
||||
cairo_set_source_rgb(ctx, 125.0 / 255, 51.0 / 255, 0);
|
||||
break;
|
||||
case STATE_PAM_IDLE:
|
||||
case STATE_AUTH_IDLE:
|
||||
cairo_set_source_rgb(ctx, 51.0 / 255, 125.0 / 255, 0);
|
||||
break;
|
||||
}
|
||||
|
@ -205,14 +205,14 @@ xcb_pixmap_t draw_image(uint32_t *resolution) {
|
|||
cairo_set_source_rgb(ctx, 0, 0, 0);
|
||||
cairo_select_font_face(ctx, "sans-serif", CAIRO_FONT_SLANT_NORMAL, CAIRO_FONT_WEIGHT_NORMAL);
|
||||
cairo_set_font_size(ctx, 28.0);
|
||||
switch (pam_state) {
|
||||
case STATE_PAM_VERIFY:
|
||||
switch (auth_state) {
|
||||
case STATE_AUTH_VERIFY:
|
||||
text = "verifying…";
|
||||
break;
|
||||
case STATE_PAM_LOCK:
|
||||
case STATE_AUTH_LOCK:
|
||||
text = "locking…";
|
||||
break;
|
||||
case STATE_PAM_WRONG:
|
||||
case STATE_AUTH_WRONG:
|
||||
text = "wrong!";
|
||||
break;
|
||||
case STATE_I3LOCK_LOCK_FAILED:
|
||||
|
@ -245,7 +245,7 @@ xcb_pixmap_t draw_image(uint32_t *resolution) {
|
|||
cairo_close_path(ctx);
|
||||
}
|
||||
|
||||
if (pam_state == STATE_PAM_WRONG && (modifier_string != NULL)) {
|
||||
if (auth_state == STATE_AUTH_WRONG && (modifier_string != NULL)) {
|
||||
cairo_text_extents_t extents;
|
||||
double x, y;
|
||||
|
||||
|
@ -334,7 +334,7 @@ xcb_pixmap_t draw_image(uint32_t *resolution) {
|
|||
*
|
||||
*/
|
||||
void redraw_screen(void) {
|
||||
DEBUG("redraw_screen(unlock_state = %d, pam_state = %d)\n", unlock_state, pam_state);
|
||||
DEBUG("redraw_screen(unlock_state = %d, auth_state = %d)\n", unlock_state, auth_state);
|
||||
xcb_pixmap_t bg_pixmap = draw_image(last_resolution);
|
||||
xcb_change_window_attributes(conn, win, XCB_CW_BACK_PIXMAP, (uint32_t[1]){bg_pixmap});
|
||||
/* XXX: Possible optimization: Only update the area in the middle of the
|
||||
|
|
|
@ -11,12 +11,12 @@ typedef enum {
|
|||
} unlock_state_t;
|
||||
|
||||
typedef enum {
|
||||
STATE_PAM_IDLE = 0, /* no PAM interaction at the moment */
|
||||
STATE_PAM_VERIFY = 1, /* currently verifying the password via PAM */
|
||||
STATE_PAM_LOCK = 2, /* currently locking the screen */
|
||||
STATE_PAM_WRONG = 3, /* the password was wrong */
|
||||
STATE_AUTH_IDLE = 0, /* no authenticator interaction at the moment */
|
||||
STATE_AUTH_VERIFY = 1, /* currently verifying the password via authenticator */
|
||||
STATE_AUTH_LOCK = 2, /* currently locking the screen */
|
||||
STATE_AUTH_WRONG = 3, /* the password was wrong */
|
||||
STATE_I3LOCK_LOCK_FAILED = 4 /* i3lock failed to load */
|
||||
} pam_state_t;
|
||||
} auth_state_t;
|
||||
|
||||
xcb_pixmap_t draw_image(uint32_t* resolution);
|
||||
void redraw_screen(void);
|
||||
|
|
4
xcb.c
4
xcb.c
|
@ -24,7 +24,7 @@
|
|||
#include "cursors.h"
|
||||
#include "unlock_indicator.h"
|
||||
|
||||
extern pam_state_t pam_state;
|
||||
extern auth_state_t auth_state;
|
||||
|
||||
xcb_connection_t *conn;
|
||||
xcb_screen_t *screen;
|
||||
|
@ -262,7 +262,7 @@ void grab_pointer_and_keyboard(xcb_connection_t *conn, xcb_screen_t *screen, xcb
|
|||
/* After trying for 10000 times, i3lock will display an error message
|
||||
* for 2 sec prior to terminate. */
|
||||
if (tries <= 0) {
|
||||
pam_state = STATE_I3LOCK_LOCK_FAILED;
|
||||
auth_state = STATE_I3LOCK_LOCK_FAILED;
|
||||
redraw_screen();
|
||||
sleep(1);
|
||||
errx(EXIT_FAILURE, "Cannot grab pointer/keyboard");
|
||||
|
|
Loading…
Reference in New Issue