Diffstat (limited to 'remote/modules')
-rwxr-xr-x | remote/modules/pam-bwidm/data/opt/openslx/scripts/pam_bwidm | 14 |
1 files changed, 8 insertions, 6 deletions
diff --git a/remote/modules/pam-bwidm/data/opt/openslx/scripts/pam_bwidm b/remote/modules/pam-bwidm/data/opt/openslx/scripts/pam_bwidm
index ff343d19..e86a5067 100755
--- a/remote/modules/pam-bwidm/data/opt/openslx/scripts/pam_bwidm
+++ b/remote/modules/pam-bwidm/data/opt/openslx/scripts/pam_bwidm
@@ -2,14 +2,20 @@
 #
 # This script is to be called by PAM (specifically pam_exec).
 #
-# some sanity checks
-set -x
+# fix PATH as PAM clears it
 export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/openslx/sbin:/opt/openslx/bin"
 if ! busybox which curl; then
 echo "'curl' missing. This script won't work without it."
 exit 1
 fi
+# grab the password from stdin asap, since there is no garantee some tool just reads it
+if [ "x$PAM_TYPE" == "xauth" ]; then
+read USER_PASSWORD
+readonly USER_PASSWORD
+[ -z "$USER_PASSWORD" ] && echo "No password given." && exit 1
+fi
+
 # sanity check on PAM_USER: contains '@'?
 if [ -z "$PAM_USER" ] || [ "x${PAM_USER}" == "x${PAM_USER%@*}" ]; then
 # no @ contained, invalid username, abort
@@ -81,10 +87,6 @@ readonly SOAP_ENVELOPPE="/opt/openslx/bwidm_soap.xml"
 # now the pam-type specific part starts
 if [ "x$PAM_TYPE" == "xauth" ]; then
-# pam exposes the password through stdin, lets get that
-read USER_PASSWORD
-[ -z "$USER_PASSWORD" ] && echo "No password given." && exit 1
-
 # now we are ready to actually send the credentials to the IdP
 # to be sure everything is working as expected
 # we will first send a wrong password (by repeating the given password) and expect a 401
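Review bot: `read USER_PASSWORD` in the new early-read block interprets backslash escapes and strips leading/trailing IFS whitespace, so a password containing `\` or edge spaces is silently altered before it is ever sent to the IdP, and the user is rejected with no hint why; the line should be `IFS= read -r USER_PASSWORD` (the deleted block in the second hunk had the same weakness, so this is the place to fix it). The failure message on the next added line goes to stdout, where pam_exec will not surface it unless configured to; `echo "No password given." >&2` keeps it with the other diagnostics the script presumably logs. The `[ ... == ... ]` comparison copied into the new `if` is a bash extension rather than POSIX `=`; whether that matters depends on the shebang, which is outside the hunk. Minor: the added comment misspells "guarantee".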