/*
 * QEMU PAM authorization driver
 *
 * Copyright (c) 2018 Red Hat, Inc.
 *
 * This library is free software; you can redistribute it and/or
 * modify it under the terms of the GNU Lesser General Public
 * License as published by the Free Software Foundation; either
 * version 2.1 of the License, or (at your option) any later version.
 *
 * This library is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
 * Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public
 * License along with this library; if not, see <http://www.gnu.org/licenses/>.
 *
 */

#ifndef QAUTHZ_PAMACCT_H
#define QAUTHZ_PAMACCT_H

#include "authz/base.h"
#include "qom/object.h"


/* QOM type name used for "object-add" and "-object" */
#define TYPE_QAUTHZ_PAM "authz-pam"

OBJECT_DECLARE_SIMPLE_TYPE(QAuthZPAM,
                           QAUTHZ_PAM)



/**
 * QAuthZPAM:
 *
 * This authorization driver delegates the access decision to PAM:
 * the identity being authorized is handed to the PAM "account"
 * verification subsystem under the configured service name, and
 * the outcome of that check decides whether access is allowed.
 *
 * Only the "account" subsystem is used, so this driver performs
 * authorization, not authentication. The identity it is asked
 * about (a user name, or the certificate distinguished name when
 * an x509 cert is used as the user name) must already have been
 * established by the transport's own authentication step; the PAM
 * service configuration has to be written for the exact identity
 * strings that will be presented.
 *
 * To create an instance of this class via QMP:
 *
 *  {
 *    "execute": "object-add",
 *    "arguments": {
 *      "qom-type": "authz-pam",
 *      "id": "authz0",
 *      "parameters": {
 *        "service": "qemu-vnc-tls"
 *      }
 *    }
 *  }
 *
 * The driver only uses the PAM "account" verification
 * subsystem. The above config would require a config
 * file /etc/pam.d/qemu-vnc-tls. For a simple file
 * lookup it would contain
 *
 *   account requisite  pam_listfile.so item=user sense=allow \
 *           file=/etc/qemu/vnc.allow
 *
 * The external file would then contain a list of usernames.
 * If x509 cert was being used as the username, a suitable
 * entry would match the distinguished name:
 *
 *    CN=laptop.berrange.com,O=Berrange Home,L=London,ST=London,C=GB
 *
 * Note that such a DN contains commas and spaces, so any file
 * or module consulted by the PAM service must accept the
 * identity string verbatim.
 *
 * On the command line it can be created using
 *
 *   -object authz-pam,id=authz0,service=qemu-vnc-tls
 *
 */
struct QAuthZPAM {
    /* QOM parent: the generic authorization object state */
    QAuthZ parent_obj;

    /*
     * PAM service name; selects the PAM configuration consulted
     * for the "account" check (e.g. /etc/pam.d/<service>).
     * Owned by this object (presumably released on finalize
     * in the .c implementation - confirm there).
     */
    char *service;
};




/**
 * qauthz_pam_new:
 * @id: the QOM object ID to register the new object under
 * @service: the PAM service name whose "account" stack will be
 *           consulted for each authorization check
 * @errp: pointer to a NULL-initialized error object
 *
 * Create a new PAM-backed authorization object.
 *
 * Returns: the new authorization object, or (following the usual
 * QEMU convention, verify in the implementation) NULL on failure
 * with @errp set.
 */
QAuthZPAM *qauthz_pam_new(const char *id,
                          const char *service,
                          Error **errp);

#endif /* QAUTHZ_PAMACCT_H */