Authenticate remote user on Linux with username/password credentials

I'm planning a REST service for my own shutter control solution in a new house. The service should run on a Linux server, and as this is something that really should be available, I want to do it without any runtime dependencies except the OS itself and very few standard libraries. So I'd prefer to do it in .

So far, I found libasyncd which should give me a nice HTTPS host to work with. My concern now is how to handle authentication. For simplicity, HTTP basic auth should do, but I'd like to authenticate against my system user store (which is an OpenLDAP directory at the moment). Ideally, I'd like to have a solution that abstracts from this store.

I first thought might be the way to go, but all examples I could find so far let do the password prompt and what I need instead is a function that takes username and password and tells me authenticated or not. Is this even possible with ? If so, where should I look for documentation? If not, could you suggest any alternatives?

After continuing my research, I finally have some working example code giving me just the user/password checking using I was looking for. I post it here as an answer for reference.

#include <stdlib.h>
#include <stdbool.h>
#include <string.h>
#include <security/pam_appl.h>

static int pamconv(int num_msg, const struct pam_message **msg,
        struct pam_response **resp, void *appdata_ptr)
{
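    int i;

    if (num_msg <= 0 || appdata_ptr == NULL)
        return PAM_CONV_ERR;

    /* PAM frees the response array and every response string in it */
    *resp = calloc(num_msg, sizeof(struct pam_response));
    if (*resp == NULL)
        return PAM_BUF_ERR;

    for (i = 0; i < num_msg; ++i)
    {
        /* Ignore all PAM messages except prompting for hidden input */
        if (msg[i]->msg_style != PAM_PROMPT_ECHO_OFF)
            continue;

        /* Assume PAM is only prompting for the password as hidden input;
           *resp is the array, and each entry needs its own heap copy */
        (*resp)[i].resp = strdup(appdata_ptr);
        if ((*resp)[i].resp == NULL)
        {
            /* Out of memory: release what was allocated so far */
            while (i-- > 0)
                free((*resp)[i].resp);
            free(*resp);
            *resp = NULL;
            return PAM_BUF_ERR;
        }
    }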

    return PAM_SUCCESS;
}

bool checkAuthentication(const char *user, const char *pass)
{
    /* use own PAM conversation function just responding with the
       password passed here */
    struct pam_conv conv = { &pamconv, (void *)pass };

    pam_handle_t *handle;
    int authResult;

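    /* Without a valid handle there is nothing to authenticate against */
    if (pam_start("shutterd", user, &conv, &handle) != PAM_SUCCESS)
        return false;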
    authResult = pam_authenticate(handle,
            PAM_SILENT|PAM_DISALLOW_NULL_AUTHTOK);
    pam_end(handle, authResult);

    return (authResult == PAM_SUCCESS);
}

Of course, error checking has to be added everywhere for production quality.
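The question plans to use HTTP basic auth, so the service still has to turn the Authorization header value into the user/password pair that checkAuthentication() takes. The following is an added example, not part of the original answer; the helper name parseBasicAuth and the 256-byte limit are assumptions made here.

```c
#include <stdbool.h>
#include <string.h>
#include <strings.h>

/* Map one base64 character to its 6-bit value, or -1 if it is invalid. */
static int b64val(int c)
{
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    return c == '+' ? 62 : c == '/' ? 63 : -1;
}

/* Hypothetical helper (added example): Authorization value -> user, pass. */
bool parseBasicAuth(const char *hdr, char *user, size_t ulen,
        char *pass, size_t plen)
{
    char buf[256], *colon;
    volatile char *wipe = buf;
    size_t n = 0, len, i;
    unsigned acc = 0, bits = 0;
    bool ok = false;
    if (hdr == NULL || strncasecmp(hdr, "Basic ", 6) != 0)
        return false;                       /* scheme name is case-insensitive */
    hdr += 6;
    for (len = strlen(hdr); len > 0 && hdr[len - 1] == '='; --len)
        ;                                   /* strip base64 padding */
    for (i = 0; i < len; ++i)
    {
        int v = b64val((unsigned char)hdr[i]);
        if (v < 0 || n + 1 >= sizeof(buf))
            goto out;                       /* bad character or too long */
        acc = (acc << 6) | (unsigned)v;
        if ((bits += 6) >= 8)
            buf[n++] = (char)((acc >> (bits -= 8)) & 0xff);
    }
    colon = memchr(buf, ':', n);            /* user ends at the FIRST colon */
    if (colon == NULL || colon == buf || memchr(buf, '\0', n) != NULL)
        goto out;                           /* no ':', empty user or NUL byte */
    buf[n] = *colon = '\0';
    if (strlen(buf) >= ulen || strlen(colon + 1) >= plen)
        goto out;                           /* would not fit the caller's buffers */
    strcpy(user, buf);
    strcpy(pass, colon + 1);
    ok = true;
out:
    for (i = 0; i < sizeof(buf); ++i)
        wipe[i] = 0;                        /* do not leave the password around */
    return ok;
}
```

On success the two buffers can be passed directly to checkAuthentication(user, pass); the caller should clear its password buffer afterwards as well.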
