From 739c7b2507b1c6c12c30822c3a0a3201644e52a5 Mon Sep 17 00:00:00 2001
From: Sascha Thomas Spreitzer
Date: Sun, 24 May 2009 11:56:24 +0200
Subject: [PATCH] PSK checks on client side only, PSK should not be transmitted by client.
---
apps/pam_url/examples/auth.php | 52 ++++++++++++++++++++++++++++++++++
1 file changed, 52 insertions(+)
create mode 100644 apps/pam_url/examples/auth.php
diff --git a/apps/pam_url/examples/auth.php b/apps/pam_url/examples/auth.php
new file mode 100644
index 0000000..74f1410
--- /dev/null
+++ b/apps/pam_url/examples/auth.php
@@ -0,0 +1,52 @@
+ PAM_AUTH, PAM_SESS, PAM_ACCT, PAM_PASS
+// 2. PSK, Pre Shared Key
+// 3. USER
+// 4. PASS
+
+// DO SOURCE IP REGION CHECKS HERE, OTHERWISE BRUTEFORCE attacks might occur!!
+
+$PSK = "hase";
+
+if( isset($_POST["user"]) && isset($_POST["pass"]) && isset($_POST["mode"]) )
+{
+ $ret=0;
+
+ switch($_POST["mode"])
+ {
+ case "PAM_AUTH";
+ // Perform authing here
+ break;
+
+ case "PAM_ACCT";
+ // Perform account aging here
+ break;
+
+ case "PAM_SESS";
+ // Perform session management here
+ break;
+
+ case "PAM_PASS";
+ // Perform password changes here
+ break;
+ }
+
+ if( 0 == $ret )
+ {
+ header("HTTP/1.1 200 OK");
+ echo $PSK;
+ }
+ else
+ {
+ header("HTTP/1.1 400 Bad Request");
+ echo "ACCESS DENIED";
+ }
+}
+else
+{
+ header("HTTP/1.1 403 Forbidden");
+ echo "ACCESS DENIED";
+}
+?>
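Review bot: The example fails open: `$ret=0;` is the initial value, none of the four `case` bodies changes it, and the `switch` has no `default`, so any POST that sets `user`, `pass` and `mode` (an unrecognised mode included) receives `200 OK` and the PSK. Because this file will be copied as a starting point, it should deny until a check has actually succeeded: initialise with `$ret = 1;`, add `default: $ret = 1; break;`, and let each implemented case set `$ret = 0` only on success. The `case "PAM_AUTH";` labels end in `;` where `:` is the conventional form, and the hard-coded `$PSK = "hase";` deserves a comment marking it as a placeholder to be replaced with a long random secret per deployment. The start of the file (the `<?php` opener and the first comment lines) appears truncated in this view, so the header comments could not be checked.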