Minimal PAM auth module

- Test without screen lock or input grab - CLI
2025-12-22 14:00:54 +05:30 · 2025-12-22 14:00:54 +05:30 · 89d53c4fe0
commit 89d53c4fe0
parent a544e4821e
3 changed files with 64 additions and 2 deletions
--- a/glock/Cargo.toml
+++ b/glock/Cargo.toml
@ -6,3 +6,6 @@ description = "Screen locker for your desktop"

 [dependencies]
 glock-conf = { version = "0.1.0", path = "../glock-conf" }
+pam = "0.8.0"
+rpassword = "7.4.0"
+uzers = "0.12.2"
--- a/glock/src/auth.rs
+++ b/glock/src/auth.rs
@ -0,0 +1,36 @@
+use pam::Client;
+use std::error::Error;
+use uzers::get_current_username;
+
+/// Authenticate the current user using PAM.
+///
+/// The caller provides the password. This function:
+/// - resolves the current username securely
+/// - runs PAM authentication
+/// - returns Ok on success
+/// - returns Err on failure
+///
+/// UI code should not care how PAM works internally.
+pub fn authenticate(password: &str) -> Result<(), Box<dyn Error>> {
+    // Resolve the current user via the kernel and NSS.
+    // Environment variables are not trusted.
+    let username = get_current_username()
+        .ok_or("Failed to resolve current username")?
+        .to_string_lossy()
+        .into_owned();
+
+    // Initialize PAM with the `login` service.
+    // This will later be replaced by a dedicated `glock` service.
+    let mut client = Client::with_password("login")?;
+
+    // Supply credentials to the PAM conversation.
+    // PAM will request these during authentication.
+    client
+        .conversation_mut()
+        .set_credentials(username, password.to_owned());
+
+    // Perform authentication.
+    client.authenticate()?;
+
+    Ok(())
+}
--- a/glock/src/main.rs
+++ b/glock/src/main.rs
@ -1,3 +1,26 @@
-fn main() {
-    println!("Hello, world!");
+use rpassword::prompt_password;
+use std::error::Error;
+
+mod auth;
+
+fn main() -> Result<(), Box<dyn Error>> {
+    println!("glock PAM test");
+
+    loop {
+        // Prompt for password without echo.
+        let password = prompt_password("Password: ")?;
+
+        // Authenticate.
+        match auth::authenticate(&password) {
+            Ok(()) => {
+                println!("Authentication successful");
+                break;
+            }
+            Err(_) => {
+                println!("Authentication failed\n");
+            }
+        }
+    }
+
+    Ok(())
 }