auth-api: drop pam crate

it's too limited Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
2025-05-29 19:18:17 +00:00 · 2023-06-13 09:22:11 +02:00 · 2023-06-13 09:22:11 +02:00 · 8f08039e7e
commit 8f08039e7e
parent c8433e3219
4 changed files with 28 additions and 8 deletions
--- a/Cargo.toml
+++ b/Cargo.toml
@ -61,7 +61,6 @@ native-tls = "0.2"
 nix = "0.26.1"
 once_cell = "1.3.1"
 openssl = "0.10"
-pam = "0.7"
 pam-sys = "0.5"
 percent-encoding = "2.1"
 pin-utils = "0.1.0"
--- a/proxmox-auth-api/Cargo.toml
+++ b/proxmox-auth-api/Cargo.toml
@ -21,7 +21,6 @@ libc = { workspace = true, optional = true }
 log = { workspace = true, optional = true }
 http = { workspace = true, optional = true }
 openssl = { workspace = true, optional = true }
-pam = { workspace = true, optional = true }
 pam-sys = { workspace = true, optional = true }
 percent-encoding = { workspace = true, optional = true }
 regex = { workspace = true, optional = true }
@ -50,4 +49,4 @@ api = [
    "dep:proxmox-router",
    "dep:proxmox-tfa",
 ]
-pam-authenticator = [ "api", "dep:libc", "dep:log", "dep:pam", "dep:pam-sys" ]
+pam-authenticator = [ "api", "dep:libc", "dep:log", "dep:pam-sys" ]
--- a/proxmox-auth-api/debian/control
+++ b/proxmox-auth-api/debian/control
@ -90,7 +90,6 @@ Depends:
 librust-proxmox-auth-api+api-dev (= ${binary:Version}),
 librust-libc-0.2+default-dev (>= 0.2.107-~~),
 librust-log-0.4+default-dev (>= 0.4.17-~~),
- librust-pam-0.7+default-dev,
 librust-pam-sys-0.5+default-dev
 Provides:
 librust-proxmox-auth-api-0+pam-authenticator-dev (= ${binary:Version}),
--- a/proxmox-auth-api/src/pam_authenticator.rs
+++ b/proxmox-auth-api/src/pam_authenticator.rs
@ -25,10 +25,33 @@ impl crate::api::Authenticator for Pam {
        password: &'a str,
    ) -> Pin<Box<dyn Future<Output = Result<(), Error>> + Send + 'a>> {
        Box::pin(async move {
-            let mut auth = pam::Authenticator::with_password(self.service).unwrap();
-            auth.get_handler()
-                .set_credentials(username.as_str(), password);
-            auth.authenticate()?;
+            let mut password_conv = PasswordConv {
+                login: username.as_str(),
+                password,
+            };
+
+            let conv = pam_sys::types::PamConversation {
+                conv: Some(conv_fn),
+                data_ptr: &mut password_conv as *mut _ as *mut c_void,
+            };
+
+            let mut handle = std::ptr::null_mut();
+            let err =
+                pam_sys::wrapped::start(self.service, Some(username.as_str()), &conv, &mut handle);
+            if err != PamReturnCode::SUCCESS {
+                bail!("error opening pam - {err}");
+            }
+            let mut handle = PamGuard {
+                handle: unsafe { &mut *handle },
+                result: PamReturnCode::SUCCESS,
+            };
+
+            handle.result =
+                pam_sys::wrapped::authenticate(handle.handle, pam_sys::types::PamFlag::NONE);
+            if handle.result != PamReturnCode::SUCCESS {
+                bail!("authentication error - {err}");
+            }
+
            Ok(())
        })
    }