sra.c revision 81965
162587Sitojun/* $FreeBSD: head/contrib/telnet/libtelnet/sra.c 81965 2001-08-20 12:28:40Z markm $ */ 278064Sume 362587Sitojun#ifdef SRA 4139823Simp#include <sys/types.h> 554263Sshin#include <arpa/telnet.h> 654263Sshin#include <stdio.h> 754263Sshin#ifdef __STDC__ 854263Sshin#include <stdlib.h> 954263Sshin#endif 1054263Sshin#ifdef NO_STRING_H 1154263Sshin#include <strings.h> 1254263Sshin#else 1354263Sshin#include <string.h> 1454263Sshin#endif 1554263Sshin 1654263Sshin#if !defined(NOPAM) 1754263Sshin#include <security/pam_appl.h> 1854263Sshin#else 1954263Sshin#include <unistd.h> 2054263Sshin#endif 2154263Sshin 2254263Sshin#include <pwd.h> 2354263Sshin#include <syslog.h> 2454263Sshin#include <ttyent.h> 2554263Sshin 2654263Sshin#include "auth.h" 2754263Sshin#include "misc.h" 2854263Sshin#include "encrypt.h" 2954263Sshin#include "pk.h" 3054263Sshin 3154263Sshinchar pka[HEXKEYBYTES+1], ska[HEXKEYBYTES+1], pkb[HEXKEYBYTES+1]; 3254263Sshinchar *user,*pass,*xuser,*xpass; 3354263SshinDesData ck; 3462587SitojunIdeaData ik; 3554263Sshin 3654263Sshinextern int auth_debug_mode; 3754263Sshinextern char *line; 3854263Sshin 3954263Sshinstatic int sra_valid = 0; 4054263Sshinstatic int passwd_sent = 0; 4154263Sshin 4254263Sshinstatic unsigned char str_data[1024] = { IAC, SB, TELOPT_AUTHENTICATION, 0, 4354263Sshin AUTHTYPE_SRA, }; 4454263Sshin 45105293Sume#define SRA_KEY 0 4654263Sshin#define SRA_USER 1 4762587Sitojun#define SRA_CONTINUE 2 4862587Sitojun#define SRA_PASS 3 4954263Sshin#define SRA_ACCEPT 4 5054263Sshin#define SRA_REJECT 5 5154263Sshin 5254263Sshinstatic int check_user(const char *, const char *); 5354263Sshin 5454263Sshin/* support routine to send out authentication message */ 5554263Sshinstatic int 5654263SshinData(Authenticator *ap, int type, void *d, int c) 5762587Sitojun{ 5862587Sitojun unsigned char *p = str_data + 4; 5955009Sshin unsigned char *cd = (unsigned char *)d; 6062587Sitojun 6154263Sshin if (c == -1) 6262587Sitojun c = strlen((char *)cd); 6354263Sshin 6454263Sshin if (auth_debug_mode) { 6554263Sshin printf("%s:%d: [%d] (%d)", 6654263Sshin str_data[3] == TELQUAL_IS ? ">>>IS" : ">>>REPLY", 6754263Sshin str_data[3], 6854263Sshin type, c); 6962587Sitojun printd(d, c); 7054263Sshin printf("\r\n"); 71105293Sume } 72105293Sume *p++ = ap->type; 73105293Sume *p++ = ap->way; 74105293Sume *p++ = type; 75152242Sru while (c-- > 0) { 76152242Sru if ((*p++ = *cd++) == IAC) 77152242Sru *p++ = IAC; 78152242Sru } 79152242Sru *p++ = IAC; 80152242Sru *p++ = SE; 81152242Sru if (str_data[3] == TELQUAL_IS) 82152242Sru printsub('>', &str_data[2], p - (&str_data[2])); 83152242Sru return(net_write(str_data, p - str_data)); 84105293Sume} 85105293Sume 8691324Sbrooksint 8754263Sshinsra_init(Authenticator *ap, int server) 8854263Sshin{ 8954263Sshin if (server) 9054263Sshin str_data[3] = TELQUAL_REPLY; 91169454Srwatson else 9254263Sshin str_data[3] = TELQUAL_IS; 93147256Sbrooks 9454263Sshin user = (char *)malloc(256); 9554263Sshin xuser = (char *)malloc(513); 9654263Sshin pass = (char *)malloc(256); 9754263Sshin xpass = (char *)malloc(513); 98153621Sthompsa 9954263Sshin if (user == NULL || xuser == NULL || pass == NULL || xpass == 10054263Sshin NULL) 10154263Sshin return 0; /* malloc failed */ 102155037Sglebius 103155037Sglebius passwd_sent = 0; 10454263Sshin 10554263Sshin genkeys(pka,ska); 10654263Sshin return(1); 10754263Sshin} 10854263Sshin 10954263Sshin/* client received a go-ahead for sra */ 11054263Sshinint 11154263Sshinsra_send(Authenticator *ap) 11262587Sitojun{ 11354263Sshin /* send PKA */ 11454263Sshin 11554263Sshin if (auth_debug_mode) 11654263Sshin printf("Sent PKA to server.\r\n" ); 11754263Sshin printf("Trying SRA secure login:\r\n"); 11854263Sshin if (!Data(ap, SRA_KEY, (void *)pka, HEXKEYBYTES)) { 11954263Sshin if (auth_debug_mode) 12054263Sshin printf("Not enough room for authentication data\r\n"); 12154263Sshin return(0); 12254263Sshin } 12354263Sshin 12454263Sshin return(1); 12554263Sshin} 12654263Sshin 12795023Ssuz/* server received an IS -- could be SRA KEY, USER, or PASS */ 12854263Sshinvoid 12954263Sshinsra_is(Authenticator *ap, unsigned char *data, int cnt) 13054263Sshin{ 13162587Sitojun int valid; 13254263Sshin Session_Key skey; 13354263Sshin 13454263Sshin if (cnt-- < 1) 13554263Sshin goto bad; 13654263Sshin switch (*data++) { 13754263Sshin 13854263Sshin case SRA_KEY: 13954263Sshin if (cnt < HEXKEYBYTES) { 14054263Sshin Data(ap, SRA_REJECT, (void *)0, 0); 14154263Sshin auth_finished(ap, AUTH_USER); 14295023Ssuz if (auth_debug_mode) { 143153621Sthompsa printf("SRA user rejected for bad PKB\r\n"); 144153621Sthompsa } 145153621Sthompsa return; 146153621Sthompsa } 147153621Sthompsa if (auth_debug_mode) 148153621Sthompsa printf("Sent pka\r\n"); 149153621Sthompsa if (!Data(ap, SRA_KEY, (void *)pka, HEXKEYBYTES)) { 150153621Sthompsa if (auth_debug_mode) 151153621Sthompsa printf("Not enough room\r\n"); 152153621Sthompsa return; 153153621Sthompsa } 154153621Sthompsa memcpy(pkb,data,HEXKEYBYTES); 155153621Sthompsa pkb[HEXKEYBYTES] = '\0'; 156153621Sthompsa common_key(ska,pkb,&ik,&ck); 15754263Sshin return; 15862587Sitojun 15954263Sshin case SRA_USER: 16054263Sshin /* decode KAB(u) */ 16154263Sshin if (cnt > 512) /* Attempted buffer overflow */ 16254263Sshin break; 16354263Sshin memcpy(xuser,data,cnt); 16454263Sshin xuser[cnt] = '\0'; 16554263Sshin pk_decode(xuser,user,&ck); 16654263Sshin auth_encrypt_user(user); 16754263Sshin Data(ap, SRA_CONTINUE, (void *)0, 0); 16878064Sume 16978064Sume return; 17078064Sume 17178064Sume case SRA_PASS: 17278064Sume if (cnt > 512) /* Attempted buffer overflow */ 17378064Sume break; 17454263Sshin /* decode KAB(P) */ 17554263Sshin memcpy(xpass,data,cnt); 17654263Sshin xpass[cnt] = '\0'; 17754263Sshin pk_decode(xpass,pass,&ck); 17854263Sshin 179121684Sume /* check user's password */ 180121684Sume valid = check_user(user,pass); 18154263Sshin 18254263Sshin if(valid) { 183111119Simp Data(ap, SRA_ACCEPT, (void *)0, 0); 18454263Sshin#ifdef DES_ENCRYPTION 18554263Sshin skey.data = ck; 18654263Sshin skey.type = SK_DES; 18754263Sshin skey.length = 8; 18854263Sshin encrypt_session_key(&skey, 1); 18954263Sshin#endif 19062587Sitojun 19154263Sshin sra_valid = 1; 19254263Sshin auth_finished(ap, AUTH_VALID); 19354263Sshin if (auth_debug_mode) { 19454263Sshin printf("SRA user accepted\r\n"); 195130662Sbms } 19654263Sshin } 19754263Sshin else { 19854263Sshin Data(ap, SRA_CONTINUE, (void *)0, 0); 19954263Sshin/* 20054263Sshin Data(ap, SRA_REJECT, (void *)0, 0); 20154263Sshin sra_valid = 0; 20254263Sshin auth_finished(ap, AUTH_REJECT); 20362587Sitojun*/ 204147256Sbrooks if (auth_debug_mode) { 20562587Sitojun printf("SRA user failed\r\n"); 20654263Sshin } 20754263Sshin } 20854263Sshin return; 209128210Sluigi 21054263Sshin default: 21154263Sshin if (auth_debug_mode) 21254263Sshin printf("Unknown SRA option %d\r\n", data[-1]); 21354263Sshin } 21462587Sitojunbad: 21562587Sitojun Data(ap, SRA_REJECT, 0, 0); 21662587Sitojun sra_valid = 0; 21762587Sitojun auth_finished(ap, AUTH_REJECT); 21895023Ssuz} 21962587Sitojun 22062587Sitojun/* client received REPLY -- could be SRA KEY, CONTINUE, ACCEPT, or REJECT */ 22162587Sitojunvoid 22262587Sitojunsra_reply(Authenticator *ap, unsigned char *data, int cnt) 22362587Sitojun{ 22454263Sshin extern char *telnet_gets(); 22554263Sshin char uprompt[256],tuser[256]; 226105194Ssam Session_Key skey; 227138470Sglebius int i; 228147256Sbrooks 229138653Sglebius if (cnt-- < 1) 230138470Sglebius return; 231138470Sglebius switch (*data++) { 232138470Sglebius 233138470Sglebius case SRA_KEY: 234120885Sume /* calculate common key */ 23554263Sshin if (cnt < HEXKEYBYTES) { 23654263Sshin if (auth_debug_mode) { 23754263Sshin printf("SRA user rejected for bad PKB\r\n"); 238169454Srwatson } 23954263Sshin return; 24054263Sshin } 241147503Sbz memcpy(pkb,data,HEXKEYBYTES); 24254263Sshin pkb[HEXKEYBYTES] = '\0'; 24362587Sitojun 24455009Sshin common_key(ska,pkb,&ik,&ck); 24582884Sjulian 24654263Sshin enc_user: 24754263Sshin 24882884Sjulian /* encode user */ 24954263Sshin memset(tuser,0,sizeof(tuser)); 250147503Sbz sprintf(uprompt,"User (%s): ",UserNameRequested); 251147503Sbz telnet_gets(uprompt,tuser,255,1); 252147503Sbz if (tuser[0] == '\n' || tuser[0] == '\r' ) 253147503Sbz strcpy(user,UserNameRequested); 254147503Sbz else { 255147503Sbz /* telnet_gets leaves the newline on */ 25654263Sshin for(i=0;i<sizeof(tuser);i++) { 257147503Sbz if (tuser[i] == '\n') { 25862587Sitojun tuser[i] = '\0'; 25954263Sshin break; 26054263Sshin } 26154263Sshin } 26254263Sshin strcpy(user,tuser); 26354263Sshin } 26455009Sshin pk_encode(user,xuser,&ck); 26554263Sshin 26654263Sshin /* send it off */ 26754263Sshin if (auth_debug_mode) 26862587Sitojun printf("Sent KAB(U)\r\n"); 26954263Sshin if (!Data(ap, SRA_USER, (void *)xuser, strlen(xuser))) { 27054263Sshin if (auth_debug_mode) 27154263Sshin printf("Not enough room\r\n"); 27254263Sshin return; 27354263Sshin } 27454263Sshin break; 27554263Sshin 27654263Sshin case SRA_CONTINUE: 27754263Sshin if (passwd_sent) { 27854263Sshin passwd_sent = 0; 279121684Sume printf("[ SRA login failed ]\r\n"); 280121684Sume goto enc_user; 281121684Sume } 282121684Sume /* encode password */ 283121684Sume memset(pass,0,sizeof(pass)); 284121684Sume telnet_gets("Password: ",pass,255,0); 28554263Sshin pk_encode(pass,xpass,&ck); 28654263Sshin /* send it off */ 28762587Sitojun if (auth_debug_mode) 28854263Sshin printf("Sent KAB(P)\r\n"); 28954263Sshin if (!Data(ap, SRA_PASS, (void *)xpass, strlen(xpass))) { 29054263Sshin if (auth_debug_mode) 29154263Sshin printf("Not enough room\r\n"); 292121684Sume return; 293121684Sume } 29454263Sshin passwd_sent = 1; 29554263Sshin break; 29654263Sshin 29754263Sshin case SRA_REJECT: 29854263Sshin printf("[ SRA refuses authentication ]\r\n"); 29954263Sshin printf("Trying plaintext login:\r\n"); 30054263Sshin auth_finished(0,AUTH_REJECT); 301121684Sume return; 302121684Sume 303121684Sume case SRA_ACCEPT: 304121684Sume printf("[ SRA accepts you ]\r\n"); 305121684Sume#ifdef DES_ENCRYPTION 306121684Sume skey.data = ck; 307121684Sume skey.type = SK_DES; 308121684Sume skey.length = 8; 309121684Sume encrypt_session_key(&skey, 0); 310121684Sume#endif 311121684Sume 31254263Sshin auth_finished(ap, AUTH_VALID); 31354263Sshin return; 31454263Sshin default: 315153621Sthompsa if (auth_debug_mode) 316153621Sthompsa printf("Unknown SRA option %d\r\n", data[-1]); 317153621Sthompsa return; 318153621Sthompsa } 31954263Sshin} 32054263Sshin 32154263Sshinint 32254263Sshinsra_status(Authenticator *ap, char *name, int level) 32354263Sshin{ 32454263Sshin if (level < AUTH_USER) 32554263Sshin return(level); 32654263Sshin if (UserNameRequested && sra_valid) { 32762587Sitojun strcpy(name, UserNameRequested); 32862587Sitojun return(AUTH_VALID); 329105293Sume } else 33062587Sitojun return(AUTH_USER); 331105293Sume} 332169454Srwatson 33362587Sitojun#define BUMP(buf, len) while (*(buf)) {++(buf), --(len);} 33462587Sitojun#define ADDC(buf, len, c) if ((len) > 0) {*(buf)++ = (c); --(len);} 33562587Sitojun 33662587Sitojunvoid 33762587Sitojunsra_printsub(unsigned char *data, int cnt, unsigned char *buf, int buflen) 33862587Sitojun{ 33962587Sitojun char lbuf[32]; 34062587Sitojun register int i; 341105293Sume 342105293Sume buf[buflen-1] = '\0'; /* make sure its NULL terminated */ 34362587Sitojun buflen -= 1; 34462587Sitojun 34562587Sitojun switch(data[3]) { 346105293Sume 34762587Sitojun case SRA_CONTINUE: 348105293Sume strncpy((char *)buf, " CONTINUE ", buflen); 34962587Sitojun goto common; 35062587Sitojun 35162587Sitojun case SRA_REJECT: /* Rejected (reason might follow) */ 35262587Sitojun strncpy((char *)buf, " REJECT ", buflen); 353120891Sume goto common; 35462587Sitojun 35562587Sitojun case SRA_ACCEPT: /* Accepted (name might follow) */ 356105293Sume strncpy((char *)buf, " ACCEPT ", buflen); 35762587Sitojun 35862587Sitojun common: 35962587Sitojun BUMP(buf, buflen); 36062587Sitojun if (cnt <= 4) 361147256Sbrooks break; 36262587Sitojun ADDC(buf, buflen, '"'); 36362587Sitojun for (i = 4; i < cnt; i++) 36462587Sitojun ADDC(buf, buflen, data[i]); 36562587Sitojun ADDC(buf, buflen, '"'); 36662587Sitojun ADDC(buf, buflen, '\0'); 36762587Sitojun break; 368105293Sume 36962587Sitojun case SRA_KEY: /* Authentication data follows */ 370105293Sume strncpy((char *)buf, " KEY ", buflen); 37178064Sume goto common2; 37278064Sume 373147256Sbrooks case SRA_USER: 37478064Sume strncpy((char *)buf, " USER ", buflen); 37578064Sume goto common2; 37678064Sume 37778064Sume case SRA_PASS: 37862587Sitojun strncpy((char *)buf, " PASS ", buflen); 37962587Sitojun goto common2; 38062587Sitojun 38162587Sitojun default: 38262587Sitojun sprintf(lbuf, " %d (unknown)", data[3]); 38378064Sume strncpy((char *)buf, lbuf, buflen); 38462587Sitojun common2: 385105293Sume BUMP(buf, buflen); 386105293Sume for (i = 4; i < cnt; i++) { 387105293Sume sprintf(lbuf, " %d", data[i]); 388105293Sume strncpy((char *)buf, lbuf, buflen); 389105293Sume BUMP(buf, buflen); 390105293Sume } 391169454Srwatson break; 392105293Sume } 393105293Sume} 394105293Sume 395105293Sumestruct passwd *pw; 396105293Sume 397105293Sume/* 398105293Sume * Helper function for sgetpwnam(). 399105293Sume */ 400105293Sumechar * 401105293Sumesgetsave(char *s) 402105293Sume{ 403105293Sume char *new = malloc((unsigned) strlen(s) + 1); 404105293Sume 405105293Sume if (new == NULL) { 406105293Sume return(NULL); 407105293Sume } 408169454Srwatson (void) strcpy(new, s); 409105293Sume return (new); 410105293Sume} 411105293Sume 412105293Sumestruct passwd * 413105293Sumesgetpwnam(char *name) 414105293Sume{ 415105293Sume static struct passwd save; 416105293Sume register struct passwd *p; 417105293Sume char *sgetsave(); 418169454Srwatson 419105293Sume if ((p = getpwnam(name)) == NULL) 420105293Sume return (p); 421105293Sume if (save.pw_name) { 422105293Sume free(save.pw_name); 423105293Sume free(save.pw_passwd); 424105293Sume free(save.pw_gecos); 425105293Sume free(save.pw_dir); 426105293Sume free(save.pw_shell); 427 } 428 save = *p; 429 save.pw_name = sgetsave(p->pw_name); 430 save.pw_passwd = sgetsave(p->pw_passwd); 431 save.pw_gecos = sgetsave(p->pw_gecos); 432 save.pw_dir = sgetsave(p->pw_dir); 433 save.pw_shell = sgetsave(p->pw_shell); 434#if 0 435syslog(LOG_WARNING,"%s\n",save.pw_name); 436syslog(LOG_WARNING,"%s\n",save.pw_passwd); 437syslog(LOG_WARNING,"%s\n",save.pw_gecos); 438syslog(LOG_WARNING,"%s\n",save.pw_dir); 439#endif 440#ifdef USE_SHADOW 441 { 442 struct spwd *sp; 443 sp = getspnam(name); 444 free(save.pw_passwd); 445 save.pw_passwd = sgetsave(sp->sp_pwdp); 446 } 447#endif 448 return (&save); 449} 450 451static int 452isroot(const char *user) 453{ 454 struct passwd *pw; 455 456 if ((pw=getpwnam(user))==NULL) 457 return 0; 458 return (!pw->pw_uid); 459} 460 461static int 462rootterm(char *ttyn) 463{ 464 struct ttyent *t; 465 466 return ((t = getttynam(ttyn)) && t->ty_status & TTY_SECURE); 467} 468 469#ifdef NOPAM 470static int 471check_user(const char *name, const char *pass) 472{ 473 register char *cp; 474 char *xpasswd, *salt; 475 476 if (isroot(name) && !rootterm(line)) 477 { 478 crypt("AA","*"); /* Waste some time to simulate success */ 479 return(0); 480 } 481 482 if (pw = sgetpwnam(name)) { 483 if (pw->pw_shell == NULL) { 484 pw = (struct passwd *) NULL; 485 return(0); 486 } 487 488 salt = pw->pw_passwd; 489 xpasswd = crypt(pass, salt); 490 /* The strcmp does not catch null passwords! */ 491 if (pw == NULL || *pw->pw_passwd == '\0' || 492 strcmp(xpasswd, pw->pw_passwd)) { 493 pw = (struct passwd *) NULL; 494 return(0); 495 } 496 return(1); 497 } 498 return(0); 499} 500#else 501 502/* 503 * The following is stolen from ftpd, which stole it from the imap-uw 504 * PAM module and login.c. It is needed because we can't really 505 * "converse" with the user, having already gone to the trouble of 506 * getting their username and password through an encrypted channel. 507 */ 508 509#define COPY_STRING(s) (s ? strdup(s):NULL) 510 511struct cred_t { 512 const char *uname; 513 const char *pass; 514}; 515typedef struct cred_t cred_t; 516 517int 518auth_conv(int num_msg, const struct pam_message **msg, 519 struct pam_response **resp, void *appdata) 520{ 521 int i; 522 cred_t *cred = (cred_t *) appdata; 523 struct pam_response *reply = 524 malloc(sizeof(struct pam_response) * num_msg); 525 526 if (reply == NULL) 527 return PAM_BUF_ERR; 528 529 for (i = 0; i < num_msg; i++) { 530 switch (msg[i]->msg_style) { 531 case PAM_PROMPT_ECHO_ON: /* assume want user name */ 532 reply[i].resp_retcode = PAM_SUCCESS; 533 reply[i].resp = COPY_STRING(cred->uname); 534 /* PAM frees resp. */ 535 break; 536 case PAM_PROMPT_ECHO_OFF: /* assume want password */ 537 reply[i].resp_retcode = PAM_SUCCESS; 538 reply[i].resp = COPY_STRING(cred->pass); 539 /* PAM frees resp. */ 540 break; 541 case PAM_TEXT_INFO: 542 case PAM_ERROR_MSG: 543 reply[i].resp_retcode = PAM_SUCCESS; 544 reply[i].resp = NULL; 545 break; 546 default: /* unknown message style */ 547 free(reply); 548 return PAM_CONV_ERR; 549 } 550 } 551 552 *resp = reply; 553 return PAM_SUCCESS; 554} 555 556/* 557 * The PAM version as a side effect may put a new username in *name. 558 */ 559static int 560check_user(const char *name, const char *pass) 561{ 562 pam_handle_t *pamh = NULL; 563 const void *item; 564 int rval; 565 int e; 566 cred_t auth_cred = { name, pass }; 567 struct pam_conv conv = { &auth_conv, &auth_cred }; 568 569 e = pam_start("telnetd", name, &conv, &pamh); 570 if (e != PAM_SUCCESS) { 571 syslog(LOG_ERR, "pam_start: %s", pam_strerror(pamh, e)); 572 return 0; 573 } 574 575#if 0 /* Where can we find this value? */ 576 e = pam_set_item(pamh, PAM_RHOST, remotehost); 577 if (e != PAM_SUCCESS) { 578 syslog(LOG_ERR, "pam_set_item(PAM_RHOST): %s", 579 pam_strerror(pamh, e)); 580 return 0; 581 } 582#endif 583 584 e = pam_authenticate(pamh, 0); 585 switch (e) { 586 case PAM_SUCCESS: 587 /* 588 * With PAM we support the concept of a "template" 589 * user. The user enters a login name which is 590 * authenticated by PAM, usually via a remote service 591 * such as RADIUS or TACACS+. If authentication 592 * succeeds, a different but related "template" name 593 * is used for setting the credentials, shell, and 594 * home directory. The name the user enters need only 595 * exist on the remote authentication server, but the 596 * template name must be present in the local password 597 * database. 598 * 599 * This is supported by two various mechanisms in the 600 * individual modules. However, from the application's 601 * point of view, the template user is always passed 602 * back as a changed value of the PAM_USER item. 603 */ 604 if ((e = pam_get_item(pamh, PAM_USER, &item)) == 605 PAM_SUCCESS) { 606 strcpy((char *) name, (const char *) item); 607 } else 608 syslog(LOG_ERR, "Couldn't get PAM_USER: %s", 609 pam_strerror(pamh, e)); 610 if (isroot(name) && !rootterm(line)) 611 rval = 0; 612 else 613 rval = 1; 614 break; 615 616 case PAM_AUTH_ERR: 617 case PAM_USER_UNKNOWN: 618 case PAM_MAXTRIES: 619 rval = 0; 620 break; 621 622 default: 623 syslog(LOG_ERR, "auth_pam: %s", pam_strerror(pamh, e)); 624 rval = 0; 625 break; 626 } 627 628 if ((e = pam_end(pamh, e)) != PAM_SUCCESS) { 629 syslog(LOG_ERR, "pam_end: %s", pam_strerror(pamh, e)); 630 rval = 0; 631 } 632 return rval; 633} 634 635#endif 636 637#endif 638 639