E-MailRelay
G::Pam Class Referenceabstract

A thin interface to the system PAM library, with two pure virtual methods that derived classes should implement: the converse() method supplies passwords etc. More...

#include <gpam.h>


Classes

class  Error
 An exception class for G::Pam. More...
 
struct  Item
 A structure used by G::Pam to hold conversation items. More...
 

Public Types

using ItemArray = std::vector< Item >
 

Public Member Functions

 Pam (const std::string &app, const std::string &user, bool silent)
 Constructor. More...
 
virtual ~Pam ()
 Destructor.
 
bool authenticate (bool require_token)
 Authenticates the user. More...
 
std::string name () const
 Returns the authenticated user name. More...
 
void checkAccount (bool require_token)
 Does "account management", checking that the authenticated user is currently allowed to use the system. More...
 
void establishCredentials ()
 Embues the authenticated user with their credentials, such as "tickets" in the form of environment variables etc. More...
 
void openSession ()
 Starts a session. More...
 
void closeSession ()
 Closes a session. More...
 
void deleteCredentials ()
 Deletes credentials. More...
 
void reinitialiseCredentials ()
 Reinitialises credentials. More...
 
void refreshCredentials ()
 Refreshes credentials. More...
 
virtual void converse (ItemArray &)=0
 Called to pass a message to the user, or request a password etc. More...
 
virtual void delay (unsigned int usec)=0
 Called when the pam library wants the application to introduce a delay to prevent brute-force attacks. More...
 
 Pam (const Pam &)=delete
 
 Pam (Pam &&)=delete
 
void operator= (const Pam &)=delete
 
void operator= (Pam &&)=delete
 

Detailed Description

A thin interface to the system PAM library, with two pure virtual methods that derived classes should implement: the converse() method supplies passwords etc. and delay() implements an optional anti-brute-force delay.

As per the PAM model the user code should authenticate(), then checkAccount(), then establishCredentials() and finally openSession().

Usage:

Pam pam("foo","me",false) ; // app name, user name, silent: in practice a derived class such as GAuth::PamImp, since Pam is abstract
bool complete = pam.authenticate(false) ; // require_token
if( !complete ) ... // converse() left a prompt unfilled: call authenticate() again once the value is available
pam.checkAccount(false) ; // require_token
pam.establishCredentials() ;
pam.openSession() ;
...
pam.closeSession() ;

Definition at line 58 of file gpam.h.

Member Typedef Documentation

◆ ItemArray

using G::Pam::ItemArray = std::vector<Item>

Definition at line 74 of file gpam.h.

Constructor & Destructor Documentation

◆ Pam()

G::Pam::Pam ( const std::string &  app,
const std::string &  user,
bool  silent 
)

Constructor.

Definition at line 362 of file gpam_linux.cpp.

Member Function Documentation

◆ authenticate()

bool G::Pam::authenticate ( bool  require_token)

Authenticates the user.

Typically issues a challenge, such as password request, using the converse() callback.

Returns false if it needs to be called again because converse() did not fill in all the prompted values. Returns true if authenticated. Throws on error.

Definition at line 370 of file gpam_linux.cpp.

◆ checkAccount()

void G::Pam::checkAccount ( bool  require_token)

Does "account management", checking that the authenticated user is currently allowed to use the system.

Definition at line 376 of file gpam_linux.cpp.

◆ closeSession()

void G::Pam::closeSession ( )

Closes a session.

Definition at line 394 of file gpam_linux.cpp.

◆ converse()

virtual void G::Pam::converse ( ItemArray &  )
pure virtual

Called to pass a message to the user, or request a password etc.

Typically the array is a single password prompt. The password should then be put into the 'out' string and the boolean flag set.

For each item in the array which is a prompt the implementation is required to supply a response value.

In an event-driven environment the response values can be left unassigned, in which case the outer authenticate() call will return false. The authenticate() can then be called a second time once the requested information is available.

Implemented in GAuth::PamImp.

◆ delay()

void G::Pam::delay ( unsigned int  usec)
pure virtual

Called when the pam library wants the application to introduce a delay to prevent brute-force attacks.

The parameter may be zero.

Typically called from within authenticate(), i.e. before authenticate() returns.

A default implementation is provided (sic) that does a sleep.

In an event-driven application the implementation of this method should start a timer and avoid initiating any new authentication while the timer is running.

Implemented in GAuth::PamImp.

Definition at line 415 of file gpam_linux.cpp.
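The converse() and delay() contracts above, together with the retry rule of authenticate() (returns false when a prompt was left unfilled), shown with a self-contained stand-in. This is an added example, not E-MailRelay's code: the PamStub class, the Item field names and the 2-second delay value are assumptions, since the real G::Pam talks to libpam.

```cpp
#include <chrono>
#include <stdexcept>
#include <string>
#include <vector>
// Assumed item layout: G::Pam::Item's real fields are not shown on this page.
struct Item { bool is_prompt; std::string in; std::string out; bool out_defined; };
using ItemArray = std::vector<Item>;
// Stand-in for G::Pam (not the real class): a fake module that checks one password and
// applies the documented contract, returning false when converse() left a prompt unfilled.
class PamStub {
public:
    explicit PamStub(const std::string& secret) : m_secret(secret) {}
    virtual ~PamStub() = default;
    bool authenticate() {
        ItemArray items{ Item{true, "Password: ", "", false} };
        converse(items);
        for (const Item& i : items) if (i.is_prompt && !i.out_defined) return false; // retry later
        // Wrong password: the "library" asks for a 2 s anti-brute-force delay, then fails.
        if (items[0].out != m_secret) { delay(2000000U); throw std::runtime_error("pam: auth failed"); }
        return true;
    }
    virtual void converse(ItemArray&) = 0;
    virtual void delay(unsigned int usec) = 0;
private:
    std::string m_secret;
};
// Event-driven client: converse() answers only if the password has already arrived,
// and delay() arms a timer instead of sleeping on the event loop's thread.
class EventDrivenClient : public PamStub {
public:
    using PamStub::PamStub;
    void supplyPassword(const std::string& p) { m_password = p; m_have_password = true; }
    bool locked() const { return std::chrono::steady_clock::now() < m_locked_until; }
    void converse(ItemArray& items) override {
        for (Item& i : items) if (i.is_prompt && m_have_password) { i.out = m_password; i.out_defined = true; }
    }
    void delay(unsigned int usec) override {
        m_locked_until = std::chrono::steady_clock::now() + std::chrono::microseconds(usec);
    }
private:
    std::string m_password; bool m_have_password = false;
    std::chrono::steady_clock::time_point m_locked_until{};
};
bool authPending() { EventDrivenClient c("s3cret"); return c.authenticate(); }   // false: no password yet
bool authAfterSupply() { EventDrivenClient c("s3cret"); c.supplyPassword("s3cret"); return c.authenticate(); }   // true
bool lockedAfterFailure() {   // true: the delay timer is running, so no new attempt should start yet
    EventDrivenClient c("s3cret"); c.supplyPassword("wrong");
    try { c.authenticate(); } catch (const std::runtime_error&) {}
    return c.locked();
}
```

While locked() is true the client should not call authenticate() again; a real event loop would re-enter once the timer fires.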

◆ deleteCredentials()

void G::Pam::deleteCredentials ( )

Deletes credentials.

Definition at line 400 of file gpam_linux.cpp.

◆ establishCredentials()

void G::Pam::establishCredentials ( )

Imbues the authenticated user with their credentials, such as "tickets" in the form of environment variables etc.

Definition at line 382 of file gpam_linux.cpp.

◆ name()

std::string G::Pam::name ( ) const

Returns the authenticated user name.

In principle this can be different from the requesting user name passed in the constructor.

Definition at line 429 of file gpam_linux.cpp.

◆ openSession()

void G::Pam::openSession ( )

Starts a session.

Definition at line 388 of file gpam_linux.cpp.

◆ refreshCredentials()

void G::Pam::refreshCredentials ( )

Refreshes credentials.

Definition at line 410 of file gpam_linux.cpp.

◆ reinitialiseCredentials()

void G::Pam::reinitialiseCredentials ( )

Reinitialises credentials.

Definition at line 405 of file gpam_linux.cpp.

