howdy/src/pam.py

# PAM interface in python, launches compare.py

# Import required modules
import subprocess
import sys
import os

# pam-python is running python 2, so we use the old module here
import ConfigParser

# Read config from disk
config = ConfigParser.ConfigParser()
config.read(os.path.dirname(os.path.abspath(__file__)) + "/config.ini")

def doAuth(pamh):
	"""Starts authentication in a seperate process"""

	# Abort is Howdy is disabled
	if config.getboolean("core", "disabled"):
		sys.exit(0)

	# Abort if we're in a remote SSH env
	if config.getboolean("core", "ignore_ssh"):
		if "SSH_CONNECTION" in os.environ or "SSH_CLIENT" in os.environ or "SSHD_OPTS" in os.environ:
			sys.exit(0)

	# Run compare as python3 subprocess to circumvent python version and import issues
	status = subprocess.call(["/usr/bin/python3", os.path.dirname(os.path.abspath(__file__)) + "/compare.py", pamh.get_user()])

	# Status 10 means we couldn't find any face models
	if status == 10:
		if not config.getboolean("core", "suppress_unknown"):
			pamh.conversation(pamh.Message(pamh.PAM_ERROR_MSG, "No face model known"))
		return pamh.PAM_USER_UNKNOWN
	# Status 11 means we exceded the maximum retry count
	elif status == 11:
		pamh.conversation(pamh.Message(pamh.PAM_ERROR_MSG, "Face detection timeout reached"))
		return pamh.PAM_AUTH_ERR
	# Status 12 means we aborted
	elif status == 12:
		return pamh.PAM_AUTH_ERR
	# Status 0 is a successful exit
	elif status == 0:
		# Show the success message if it isn't suppressed
		if not config.getboolean("core", "no_confirmation"):
			pamh.conversation(pamh.Message(pamh.PAM_TEXT_INFO, "Identified face as " + pamh.get_user()))

		# Try to dismiss the lock screen if enabled
		if config.get("core", "dismiss_lockscreen"):
			# Run it as root with a timeout of 1s, and never ask for a password through the UI
			subprocess.Popen(["sudo", "timeout", "1", "loginctl", "unlock-sessions", "--no-ask-password"])

		return pamh.PAM_SUCCESS

	# Otherwise, we can't discribe what happend but it wasn't successful
	pamh.conversation(pamh.Message(pamh.PAM_ERROR_MSG, "Unknown error: " + str(status)))
	return pamh.PAM_SYSTEM_ERR

def pam_sm_authenticate(pamh, flags, args):
	"""Called by PAM when the user wants to authenticate, in sudo for example"""
	return doAuth(pamh)

def pam_sm_open_session(pamh, flags, args):
	"""Called when starting a session, such as su"""
	return doAuth(pamh)

def pam_sm_close_session(pamh, flags, argv):
	"""We don't need to clean anyting up at the end of a session, so returns true"""
	return pamh.PAM_SUCCESS

def pam_sm_setcred(pamh, flags, argv):
	"""We don't need set any credentials, so returns true"""
	return pamh.PAM_SUCCESS
That's not how you spell compare 2018-02-10 12:40:26 +01:00			`# PAM interface in python, launches compare.py`
Cleanup 2018-01-05 16:37:00 +01:00
			`# Import required modules`
Added proof of concept 2018-01-05 01:59:44 +01:00			`import subprocess`
			`import sys`
			`import os`

Implemented conversations and better config 2018-01-17 21:28:10 +01:00			`# pam-python is running python 2, so we use the old module here`
			`import ConfigParser`

			`# Read config from disk`
			`config = ConfigParser.ConfigParser()`
Fixed old references to first config system, fixed typo 2018-02-01 16:01:17 +01:00			`config.read(os.path.dirname(os.path.abspath(__file__)) + "/config.ini")`
Implemented conversations and better config 2018-01-17 21:28:10 +01:00
Added config file and session auth 2018-01-05 02:41:56 +01:00			`def doAuth(pamh):`
Changes to compare and cli config command, proposed in #89 and #90 2018-11-09 11:49:03 +01:00			`"""Starts authentication in a seperate process"""`
Cleanup 2018-01-05 16:37:00 +01:00
Completed CLI rework 2018-04-13 21:19:28 +02:00			`# Abort is Howdy is disabled`
use ConfigParser.get*() function 2018-11-18 07:46:20 +01:00			`if config.getboolean("core", "disabled"):`
Completed CLI rework 2018-04-13 21:19:28 +02:00			`sys.exit(0)`

Fixed issue where remote sessions could be authenticated through howdy 2018-09-24 18:05:15 +02:00			`# Abort if we're in a remote SSH env`
use ConfigParser.get*() function 2018-11-18 07:46:20 +01:00			`if config.getboolean("core", "ignore_ssh"):`
Fixed issue where remote sessions could be authenticated through howdy 2018-09-24 18:05:15 +02:00			`if "SSH_CONNECTION" in os.environ or "SSH_CLIENT" in os.environ or "SSHD_OPTS" in os.environ:`
			`sys.exit(0)`

That's not how you spell compare 2018-02-10 12:40:26 +01:00			`# Run compare as python3 subprocess to circumvent python version and import issues`
Changes to compare and cli config command, proposed in #89 and #90 2018-11-09 11:49:03 +01:00			`status = subprocess.call(["/usr/bin/python3", os.path.dirname(os.path.abspath(__file__)) + "/compare.py", pamh.get_user()])`
Added proof of concept 2018-01-05 01:59:44 +01:00
Cleanup 2018-01-05 16:37:00 +01:00			`# Status 10 means we couldn't find any face models`
Added config file and session auth 2018-01-05 02:41:56 +01:00			`if status == 10:`
use ConfigParser.get*() function 2018-11-18 07:46:20 +01:00			`if not config.getboolean("core", "suppress_unknown"):`
Implemented conversations and better config 2018-01-17 21:28:10 +01:00			`pamh.conversation(pamh.Message(pamh.PAM_ERROR_MSG, "No face model known"))`
			`return pamh.PAM_USER_UNKNOWN`
Cleanup 2018-01-05 16:37:00 +01:00			`# Status 11 means we exceded the maximum retry count`
Fixed a few small things from PR #109 2018-12-13 20:10:08 +01:00			`elif status == 11:`
Implemented conversations and better config 2018-01-17 21:28:10 +01:00			`pamh.conversation(pamh.Message(pamh.PAM_ERROR_MSG, "Face detection timeout reached"))`
			`return pamh.PAM_AUTH_ERR`
Fixed a few small things from PR #109 2018-12-13 20:10:08 +01:00			`# Status 12 means we aborted`
			`elif status == 12:`
			`return pamh.PAM_AUTH_ERR`
Cleanup 2018-01-05 16:37:00 +01:00			`# Status 0 is a successful exit`
Fixed a few small things from PR #109 2018-12-13 20:10:08 +01:00			`elif status == 0:`
Fixed installer permissions and cli location, ignoring remote sessions 2018-03-13 21:17:49 +01:00			`# Show the success message if it isn't suppressed`
use ConfigParser.get*() function 2018-11-18 07:46:20 +01:00			`if not config.getboolean("core", "no_confirmation"):`
Implemented conversations and better config 2018-01-17 21:28:10 +01:00			`pamh.conversation(pamh.Message(pamh.PAM_TEXT_INFO, "Identified face as " + pamh.get_user()))`
Fixed installer permissions and cli location, ignoring remote sessions 2018-03-13 21:17:49 +01:00
			`# Try to dismiss the lock screen if enabled`
use ConfigParser.get*() function 2018-11-18 07:46:20 +01:00			`if config.get("core", "dismiss_lockscreen"):`
Fixed installer permissions and cli location, ignoring remote sessions 2018-03-13 21:17:49 +01:00			`# Run it as root with a timeout of 1s, and never ask for a password through the UI`
			`subprocess.Popen(["sudo", "timeout", "1", "loginctl", "unlock-sessions", "--no-ask-password"])`

Added proof of concept 2018-01-05 01:59:44 +01:00			`return pamh.PAM_SUCCESS`

Cleanup 2018-01-05 16:37:00 +01:00			`# Otherwise, we can't discribe what happend but it wasn't successful`
Implemented conversations and better config 2018-01-17 21:28:10 +01:00			`pamh.conversation(pamh.Message(pamh.PAM_ERROR_MSG, "Unknown error: " + str(status)))`
Added proof of concept 2018-01-05 01:59:44 +01:00			`return pamh.PAM_SYSTEM_ERR`
Added config file and session auth 2018-01-05 02:41:56 +01:00
			`def pam_sm_authenticate(pamh, flags, args):`
Cleanup 2018-01-05 16:37:00 +01:00			`"""Called by PAM when the user wants to authenticate, in sudo for example"""`
Added config file and session auth 2018-01-05 02:41:56 +01:00			`return doAuth(pamh)`

			`def pam_sm_open_session(pamh, flags, args):`
Cleanup 2018-01-05 16:37:00 +01:00			`"""Called when starting a session, such as su"""`
Added config file and session auth 2018-01-05 02:41:56 +01:00			`return doAuth(pamh)`

			`def pam_sm_close_session(pamh, flags, argv):`
Changes to compare and cli config command, proposed in #89 and #90 2018-11-09 11:49:03 +01:00			`"""We don't need to clean anyting up at the end of a session, so returns true"""`
Added config file and session auth 2018-01-05 02:41:56 +01:00			`return pamh.PAM_SUCCESS`

			`def pam_sm_setcred(pamh, flags, argv):`
Changes to compare and cli config command, proposed in #89 and #90 2018-11-09 11:49:03 +01:00			`"""We don't need set any credentials, so returns true"""`
Added config file and session auth 2018-01-05 02:41:56 +01:00			`return pamh.PAM_SUCCESS`