path: root/doc/man-sections/server-options.rst
author: Gert Doering 2020-07-15 11:01:05 +0200
committer: Gert Doering 2020-07-15 19:50:16 +0200
commit: c83b197a72a6f909a4ddcded027469f0da5d4a24 (patch)
tree: c36c26f739498dc30b30cb4a3ca265c23783e058 /doc/man-sections/server-options.rst
parent: 90ed0fd2df37441dd6fc368ece006e4dd49093e9 (diff)
Add deferred authentication support to plugin-auth-pam
If OpenVPN signals deferred authentication support (by setting the internal environment variables "auth_control_file" and "deferred_auth_pam"), do not wait for PAM stack to finish. Instead, the privileged PAM process returns RESPONSE_DEFER via the control socket, which gets turned into OPENVPN_PLUGIN_FUNC_DEFERRED towards openvpn.

The PAM process will then fork() and handle all the PAM auth in the new process, signalling success/failure back by means of the auth_control_file (forking twice, to simplify wait() handling).

With the extra fork(), multiple deferred authentications can run at the same time - otherwise the first one would block the next auth call (because the child would not be ready again to read from the control socket).

Lightly tested on Linux.

Signed-off-by: Gert Doering <gert@greenie.muc.de>

--

v2:
- only do deferred auth if "deferred_auth_pam" is set (env)
- put deferred auth logic into do_deferred_pam_auth()
- line-wrap lines where needed
- close "background end" of socketpair in deferred auth process
- remove leftover /* plugin_log() */ lines from initial testing
- tested over a few hundred "15s delayed" authentication cycles

v3:
- uncrustify new code
- do not abort background process if do_deferred_pam_auth() fails (this can only happen if fork() fails, which is assumed to be temporary, or if something is wrong with the socketpair which we should notice on the next read()) --> change do_deferred_pam_auth() to "void"
- add documentation to README.auth-pam and Changes.rst

Acked-by: Selva Nair <selva.nair@gmail.com>
Message-Id: <20200715090105.22296-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20361.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Diffstat (limited to 'doc/man-sections/server-options.rst')
0 files changed, 0 insertions, 0 deletions