E-MailRelay
A thin interface to the system PAM library, with two pure virtual methods that derived classes should implement: the converse() method supplies passwords etc. and delay() implements an optional anti-brute-force delay.
#include <gpam.h>
Classes

class Error
    An exception class for G::Pam.
struct Item
    A structure used by G::Pam to hold conversation items.

Public Types

using ItemArray = std::vector<Item>

Public Member Functions

Pam(const std::string &app, const std::string &user, bool silent)
    Constructor.
virtual ~Pam()
    Destructor.
bool authenticate(bool require_token)
    Authenticates the user.
std::string name() const
    Returns the authenticated user name.
void checkAccount(bool require_token)
    Does "account management", checking that the authenticated user is currently allowed to use the system.
void establishCredentials()
    Imbues the authenticated user with their credentials, such as "tickets" in the form of environment variables etc.
void openSession()
    Starts a session.
void closeSession()
    Closes a session.
void deleteCredentials()
    Deletes credentials.
void reinitialiseCredentials()
    Reinitialises credentials.
void refreshCredentials()
    Refreshes credentials.
virtual void converse(ItemArray &) = 0
    Called to pass a message to the user, or request a password etc.
virtual void delay(unsigned int usec) = 0
    Called when the pam library wants the application to introduce a delay to prevent brute-force attacks.
Pam(const Pam &) = delete
Pam(Pam &&) = delete
void operator=(const Pam &) = delete
void operator=(Pam &&) = delete
Detailed Description

A thin interface to the system PAM library, with two pure virtual methods that derived classes should implement: the converse() method supplies passwords etc. and delay() implements an optional anti-brute-force delay.

As per the PAM model the user code should call authenticate(), then checkAccount(), then establishCredentials() and finally openSession().
Usage:
G::Pam::Pam(const std::string &app, const std::string &user, bool silent)

Constructor.
Definition at line 362 of file gpam_linux.cpp.
bool G::Pam::authenticate(bool require_token)
Authenticates the user.
Typically issues a challenge, such as password request, using the converse() callback.
Returns false if it needs to be called again because converse() did not fill in all the prompted values. Returns true if authenticated. Throws on error.
Definition at line 370 of file gpam_linux.cpp.
void G::Pam::checkAccount(bool require_token)
Does "account management", checking that the authenticated user is currently allowed to use the system.
Definition at line 376 of file gpam_linux.cpp.
void G::Pam::closeSession()
Closes a session.
Definition at line 394 of file gpam_linux.cpp.
virtual void G::Pam::converse(ItemArray &)  [pure virtual]
Called to pass a message to the user, or request a password etc.
Typically the array is a single password prompt. The password should then be put into the 'out' string and the boolean flag set.
For each item in the array which is a prompt the implementation is required to supply a response value.
In an event-driven environment the response values can be left unassigned, in which case the outer authenticate() call will return false. authenticate() can then be called a second time once the requested information is available.
Implemented in GAuth::PamImp.
virtual void G::Pam::delay(unsigned int usec)  [pure virtual]
Called when the pam library wants the application to introduce a delay to prevent brute-force attacks.
The parameter may be zero.
Typically called from within authenticate(), i.e. before authenticate() returns.
A default implementation is provided (sic) that does a sleep.
In an event-driven application the implementation of this method should start a timer and avoid initiating any new authentication while the timer is running.
Implemented in GAuth::PamImp.
Definition at line 415 of file gpam_linux.cpp.
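The two-phase authenticate() described under converse() and the timer-based delay() described above, as an added example that is not E-MailRelay's own code: a stand-in base class (not gpam.h) models the library side, and an event-driven subclass leaves the prompt unanswered until the password has arrived and refuses new attempts while the anti-brute-force timer runs. The Item field names, the secret and the 2-second delay are assumptions.

```cpp
#include <chrono>
#include <stdexcept>
#include <string>
#include <vector>
// Conversation item as the page describes it: a prompt, the 'out' response and
// the flag saying whether it was filled in (field names are assumed here).
struct Item { std::string in; std::string out; bool out_defined = false; };
using ItemArray = std::vector<Item>;
enum class AuthResult { Deferred, RateLimited, Ok, Failed };
// Stand-in for the library side of G::Pam (not gpam_linux.cpp): issues one
// password prompt through converse() and requests delay() when an attempt fails.
class PamBase {
public:
    struct Error : std::runtime_error { using std::runtime_error::runtime_error; };
    explicit PamBase(std::string secret) : m_secret(secret) {}
    virtual ~PamBase() = default;
    bool authenticate() {
        ItemArray items{ Item{"Password: "} };
        converse(items);
        if (!items[0].out_defined) return false;  // deferred: caller retries later
        if (items[0].out != m_secret) { delay(2000000U); throw Error("authentication failed"); }
        return true;
    }
    virtual void converse(ItemArray&) = 0;
    virtual void delay(unsigned int usec) = 0;
private: std::string m_secret;  // constructed stand-in for the PAM stack's own check
};
// Event-driven derived class: converse() answers only once the password has
// arrived, and delay() arms a timer instead of sleeping on the event loop.
class EventDrivenPam : public PamBase {
public:
    using Clock = std::chrono::steady_clock;
    using PamBase::PamBase;
    void supplyPassword(std::string pwd) { m_pending = pwd; m_have = true; }
    bool delayRunning() const { return Clock::now() < m_not_before; }
    void converse(ItemArray& items) override {
        if (!m_have) return;  // leave out_defined false so authenticate() returns false
        for (Item& item : items) { item.out = m_pending; item.out_defined = true; }
        m_have = false;       // a supplied password is consumed by exactly one attempt
    }
    void delay(unsigned int usec) override { m_not_before = Clock::now() + std::chrono::microseconds(usec); }
private:
    std::string m_pending; bool m_have = false; Clock::time_point m_not_before{};
};
// Gate every attempt on the timer so the anti-brute-force delay is honoured.
AuthResult tryAuthenticate(EventDrivenPam& pam) {
    if (pam.delayRunning()) return AuthResult::RateLimited;
    try { return pam.authenticate() ? AuthResult::Ok : AuthResult::Deferred; }
    catch (const PamBase::Error&) { return AuthResult::Failed; }
}
```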
void G::Pam::deleteCredentials()
Deletes credentials.
Definition at line 400 of file gpam_linux.cpp.
void G::Pam::establishCredentials()

Imbues the authenticated user with their credentials, such as "tickets" in the form of environment variables etc.
Definition at line 382 of file gpam_linux.cpp.
std::string G::Pam::name() const
Returns the authenticated user name.
In principle this can be different from the requesting user name passed in the constructor.
Definition at line 429 of file gpam_linux.cpp.
void G::Pam::openSession()
Starts a session.
Definition at line 388 of file gpam_linux.cpp.
void G::Pam::refreshCredentials()
Refreshes credentials.
Definition at line 410 of file gpam_linux.cpp.
void G::Pam::reinitialiseCredentials()
Reinitialises credentials.
Definition at line 405 of file gpam_linux.cpp.