Minimal PAM auth module
- Test without screen lock or input grab - CLI
parent
a544e4821e
commit
89d53c4fe0
@ -6,3 +6,6 @@ description = "Screen locker for your desktop"
|
|||||||
|
|
||||||
[dependencies]
|
[dependencies]
|
||||||
glock-conf = { version = "0.1.0", path = "../glock-conf" }
|
glock-conf = { version = "0.1.0", path = "../glock-conf" }
|
||||||
|
pam = "0.8.0"
|
||||||
|
rpassword = "7.4.0"
|
||||||
|
uzers = "0.12.2"
|
||||||
|
|||||||
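--- a/glock/src/auth.rs
+++ b/glock/src/auth.rs
@@ -0,0 +1,36 @@
+use pam::Client;
+use std::error::Error;
+use uzers::get_current_username;
+
+/// Authenticate the current user using PAM.
+///
+/// The caller provides the password. This function:
+/// - resolves the current username securely
+/// - runs PAM authentication
+/// - returns Ok on success
+/// - returns Err on failure
+///
+/// UI code should not care how PAM works internally.
+pub fn authenticate(password: &str) -> Result<(), Box<dyn Error>> {
+// Resolve the current user via the kernel and NSS.
+// Environment variables are not trusted.
+let username = get_current_username()
+.ok_or("Failed to resolve current username")?
+.to_string_lossy()
+.into_owned();
+
+// Initialize PAM with the `login` service.
+// This will later be replaced by a dedicated `glock` service.
+let mut client = Client::with_password("login")?;
+
+// Supply credentials to the PAM conversation.
+// PAM will request these during authentication.
+client
+.conversation_mut()
+.set_credentials(username, password.to_owned());
+
+// Perform authentication.
+client.authenticate()?;
+
+Ok(())
+}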
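Review bot: In `authenticate`, `.to_string_lossy()` silently replaces any non-UTF-8 bytes in the account name with U+FFFD, so PAM can be asked about a name that differs from the account the process actually runs as. An authentication path should fail closed when the name cannot be represented exactly: use `.into_string().map_err(|_| "Current username is not valid UTF-8")?` in place of the `.to_string_lossy()` / `.into_owned()` pair. Separately, `password.to_owned()` creates a second heap copy of the secret that is never wiped. That deserves a comment now, and a zeroizing buffer once this runs inside the long-lived locker process.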
@ -1,3 +1,26 @@
|
|||||||
fn main() {
|
use rpassword::prompt_password;
|
||||||
println!("Hello, world!");
|
use std::error::Error;
|
||||||
|
|
||||||
|
mod auth;
|
||||||
|
|
||||||
|
fn main() -> Result<(), Box<dyn Error>> {
|
||||||
|
println!("glock PAM test");
|
||||||
|
|
||||||
|
loop {
|
||||||
|
// Prompt for password without echo.
|
||||||
|
let password = prompt_password("Password: ")?;
|
||||||
|
|
||||||
|
// Authenticate.
|
||||||
|
match auth::authenticate(&password) {
|
||||||
|
Ok(()) => {
|
||||||
|
println!("Authentication successful");
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
Err(_) => {
|
||||||
|
println!("Authentication failed\n");
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
Ok(())
|
||||||
}
|
}
|
||||||
|
|||||||
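Review bot: The `Err(_)` arm in `main`'s loop reports every failure as a wrong password, but `auth::authenticate` also returns `Err` when the username lookup or `Client::with_password` fails. A broken PAM setup therefore re-prompts forever, indistinguishable from a mistyped password. Consider having `authenticate` return a small error enum that separates credential rejection from setup failures, and exit the loop on the latter; at minimum, while this is a CLI test, use `Err(e) => { eprintln!("auth error: {e}"); }`. The loop also retries immediately with no attempt limit, so any delay comes only from whatever the `login` PAM stack applies. A comment should say so before this moves behind the real lock screen.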