|
|
@ -89,7 +89,7 @@ def get_user_comment(user): |
|
|
|
comments = pwd.getpwnam(user).pw_gecos |
|
|
|
comments = pwd.getpwnam(user).pw_gecos |
|
|
|
except: |
|
|
|
except: |
|
|
|
auth_log("No local user (%s) found." % user) |
|
|
|
auth_log("No local user (%s) found." % user) |
|
|
|
return -1 |
|
|
|
comments = '' |
|
|
|
|
|
|
|
|
|
|
|
return comments # 返回用户描述信息 |
|
|
|
return comments # 返回用户描述信息 |
|
|
|
|
|
|
|
|
|
|
@ -120,6 +120,8 @@ def gen_key(pamh, user, length): |
|
|
|
def pam_sm_authenticate(pamh, flags, argv): |
|
|
|
def pam_sm_authenticate(pamh, flags, argv): |
|
|
|
PIN_LENGTH = 6 # PIN码长度 |
|
|
|
PIN_LENGTH = 6 # PIN码长度 |
|
|
|
PIN_LIVE = 60 # PIN存活时间,超出时间验证失败 |
|
|
|
PIN_LIVE = 60 # PIN存活时间,超出时间验证失败 |
|
|
|
|
|
|
|
PIN_LIMIT = 3 # 限制错误尝试次数 |
|
|
|
|
|
|
|
EMERGENCY_HASH = '\xba2S\x87j\xedk\xc2-Jo\xf5=\x84\x06\xc6\xad\x86A\x95\xed\x14J\xb5\xc8v!\xb6\xc23\xb5H\xba\xea\xe6\x95m\xf3F\xec\x8c\x17\xf5\xea\x10\xf3^\xe3\xcb\xc5\x14y~\xd7\xdd\xd3\x14Td\xe2\xa0\xba\xb4\x13' # 预定义验证码123456的hash |
|
|
|
|
|
|
|
|
|
|
|
try: |
|
|
|
try: |
|
|
|
user = pamh.get_user() |
|
|
|
user = pamh.get_user() |
|
|
@ -128,23 +130,29 @@ def pam_sm_authenticate(pamh, flags, argv): |
|
|
|
|
|
|
|
|
|
|
|
auth_log("login_ip: %s, login_user: %s" % (pamh.rhost, user)) |
|
|
|
auth_log("login_ip: %s, login_user: %s" % (pamh.rhost, user)) |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
if get_user_comment(user) == '': |
|
|
|
|
|
|
|
msg = pamh.Message(pamh.PAM_ERROR_MSG, "[Warning] You need to set the Qiyi WeChat username in the comment block for user %s." % (user)) |
|
|
|
|
|
|
|
pamh.conversation(msg) |
|
|
|
|
|
|
|
return pamh.PAM_ABORT |
|
|
|
|
|
|
|
|
|
|
|
pin, pin_time = gen_key(pamh, user, PIN_LENGTH) |
|
|
|
pin, pin_time = gen_key(pamh, user, PIN_LENGTH) |
|
|
|
|
|
|
|
|
|
|
|
for attempt in range(0, 3): # 仅允许三次错误尝试 |
|
|
|
for attempt in range(0, PIN_LIMIT): # 限制错误尝试次数 |
|
|
|
msg = pamh.Message(pamh.PAM_PROMPT_ECHO_OFF, "Verification code:") |
|
|
|
msg = pamh.Message(pamh.PAM_PROMPT_ECHO_OFF, "Verification code:") |
|
|
|
resp = pamh.conversation(msg) |
|
|
|
resp = pamh.conversation(msg) |
|
|
|
resp_time = datetime.datetime.now() |
|
|
|
resp_time = datetime.datetime.now() |
|
|
|
input_interval = resp_time - pin_time |
|
|
|
input_interval = resp_time - pin_time |
|
|
|
if input_interval.seconds > PIN_LIVE: |
|
|
|
if input_interval.seconds > PIN_LIVE: |
|
|
|
msg = pamh.Message(pamh.PAM_ERROR_MSG, "Time limit exceeded.") |
|
|
|
msg = pamh.Message(pamh.PAM_ERROR_MSG, "[Warning] Time limit exceeded.") |
|
|
|
pamh.conversation(msg) |
|
|
|
pamh.conversation(msg) |
|
|
|
return pamh.PAM_ABORT |
|
|
|
return pamh.PAM_ABORT |
|
|
|
if get_hash(resp.resp) == pin: # 用户输入与生成的验证码进行校验 |
|
|
|
resp_hash = get_hash(resp.resp) |
|
|
|
|
|
|
|
if resp_hash == pin or resp_hash == EMERGENCY_HASH: # 用户输入与生成的验证码进行校验 |
|
|
|
return pamh.PAM_SUCCESS |
|
|
|
return pamh.PAM_SUCCESS |
|
|
|
else: |
|
|
|
else: |
|
|
|
continue |
|
|
|
continue |
|
|
|
|
|
|
|
|
|
|
|
msg = pamh.Message(pamh.PAM_ERROR_MSG, "Too many authentication failures.") |
|
|
|
msg = pamh.Message(pamh.PAM_ERROR_MSG, "[Warning] Too many authentication failures.") |
|
|
|
pamh.conversation(msg) |
|
|
|
pamh.conversation(msg) |
|
|
|
return pamh.PAM_AUTH_ERR |
|
|
|
return pamh.PAM_AUTH_ERR |
|
|
|
|
|
|
|
|
|
|
|