pam_unix.c revision 1.11.4.1
1 1.11.4.1 jdc /* $NetBSD: pam_unix.c,v 1.11.4.1 2009/06/17 20:12:31 jdc Exp $ */ 2 1.2 christos 3 1.1 christos /*- 4 1.1 christos * Copyright 1998 Juniper Networks, Inc. 5 1.1 christos * All rights reserved. 6 1.1 christos * Copyright (c) 2002-2003 Networks Associates Technology, Inc. 7 1.1 christos * All rights reserved. 8 1.1 christos * 9 1.1 christos * Portions of this software was developed for the FreeBSD Project by 10 1.1 christos * ThinkSec AS and NAI Labs, the Security Research Division of Network 11 1.1 christos * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 12 1.1 christos * ("CBOSS"), as part of the DARPA CHATS research program. 13 1.1 christos * 14 1.1 christos * Redistribution and use in source and binary forms, with or without 15 1.1 christos * modification, are permitted provided that the following conditions 16 1.1 christos * are met: 17 1.1 christos * 1. Redistributions of source code must retain the above copyright 18 1.1 christos * notice, this list of conditions and the following disclaimer. 19 1.1 christos * 2. Redistributions in binary form must reproduce the above copyright 20 1.1 christos * notice, this list of conditions and the following disclaimer in the 21 1.1 christos * documentation and/or other materials provided with the distribution. 22 1.1 christos * 3. The name of the author may not be used to endorse or promote 23 1.1 christos * products derived from this software without specific prior written 24 1.1 christos * permission. 25 1.1 christos * 26 1.1 christos * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 27 1.1 christos * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 28 1.1 christos * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 29 1.1 christos * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 30 1.1 christos * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 31 1.1 christos * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 32 1.1 christos * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 33 1.1 christos * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 34 1.1 christos * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 35 1.1 christos * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 36 1.1 christos * SUCH DAMAGE. 37 1.1 christos */ 38 1.1 christos 39 1.1 christos #include <sys/cdefs.h> 40 1.2 christos #ifdef __FreeBSD__ 41 1.1 christos __FBSDID("$FreeBSD: src/lib/libpam/modules/pam_unix/pam_unix.c,v 1.49 2004/02/10 10:13:21 des Exp $"); 42 1.2 christos #else 43 1.11.4.1 jdc __RCSID("$NetBSD: pam_unix.c,v 1.11.4.1 2009/06/17 20:12:31 jdc Exp $"); 44 1.2 christos #endif 45 1.2 christos 46 1.1 christos 47 1.2 christos #include <sys/types.h> 48 1.1 christos 49 1.2 christos #include <ctype.h> 50 1.2 christos #include <errno.h> 51 1.2 christos #include <fcntl.h> 52 1.1 christos #include <pwd.h> 53 1.2 christos #include <grp.h> 54 1.2 christos #include <limits.h> 55 1.1 christos #include <stdlib.h> 56 1.1 christos #include <string.h> 57 1.1 christos #include <stdio.h> 58 1.2 christos #include <login_cap.h> 59 1.2 christos #include <time.h> 60 1.2 christos #include <tzfile.h> 61 1.1 christos #include <unistd.h> 62 1.1 christos 63 1.2 christos #include <util.h> 64 1.1 christos 65 1.1 christos #ifdef YP 66 1.2 christos #include <rpc/rpc.h> 67 1.2 christos #include <rpcsvc/ypclnt.h> 68 1.2 christos #include <rpcsvc/yppasswd.h> 69 1.1 christos #endif 70 1.1 christos 71 1.1 christos #define PAM_SM_AUTH 72 1.1 christos #define PAM_SM_ACCOUNT 73 1.1 christos #define PAM_SM_PASSWORD 74 1.1 christos 75 1.1 christos #include <security/pam_appl.h> 76 1.1 christos #include <security/pam_modules.h> 77 1.1 christos #include <security/pam_mod_misc.h> 78 1.1 christos 79 1.1 christos /* 80 1.1 christos * authentication management 81 1.1 christos */ 82 1.1 christos PAM_EXTERN int 83 1.2 christos /*ARGSUSED*/ 84 1.1 christos pam_sm_authenticate(pam_handle_t *pamh, int flags __unused, 85 1.1 christos int argc __unused, const char *argv[] __unused) 86 1.1 christos { 87 1.1 christos login_cap_t *lc; 88 1.7 thorpej struct passwd *pwd, pwres; 89 1.1 christos int retval; 90 1.2 christos const char *pass, *user, *realpw; 91 1.7 thorpej char pwbuf[1024]; 92 1.1 christos 93 1.9 lukem pwd = NULL; 94 1.1 christos if (openpam_get_option(pamh, PAM_OPT_AUTH_AS_SELF)) { 95 1.7 thorpej (void) getpwnam_r(getlogin(), &pwres, pwbuf, sizeof(pwbuf), 96 1.7 thorpej &pwd); 97 1.1 christos } else { 98 1.1 christos retval = pam_get_user(pamh, &user, NULL); 99 1.1 christos if (retval != PAM_SUCCESS) 100 1.1 christos return (retval); 101 1.2 christos PAM_LOG("Got user: %s", user); 102 1.7 thorpej (void) getpwnam_r(user, &pwres, pwbuf, sizeof(pwbuf), &pwd); 103 1.1 christos } 104 1.1 christos 105 1.1 christos if (pwd != NULL) { 106 1.1 christos PAM_LOG("Doing real authentication"); 107 1.1 christos realpw = pwd->pw_passwd; 108 1.1 christos if (realpw[0] == '\0') { 109 1.1 christos if (!(flags & PAM_DISALLOW_NULL_AUTHTOK) && 110 1.1 christos openpam_get_option(pamh, PAM_OPT_NULLOK)) 111 1.1 christos return (PAM_SUCCESS); 112 1.1 christos realpw = "*"; 113 1.1 christos } 114 1.1 christos lc = login_getpwclass(pwd); 115 1.1 christos } else { 116 1.1 christos PAM_LOG("Doing dummy authentication"); 117 1.1 christos realpw = "*"; 118 1.1 christos lc = login_getclass(NULL); 119 1.1 christos } 120 1.2 christos retval = pam_get_authtok(pamh, PAM_AUTHTOK, &pass, NULL); 121 1.1 christos login_close(lc); 122 1.1 christos if (retval != PAM_SUCCESS) 123 1.1 christos return (retval); 124 1.1 christos PAM_LOG("Got password"); 125 1.1 christos if (strcmp(crypt(pass, realpw), realpw) == 0) 126 1.1 christos return (PAM_SUCCESS); 127 1.1 christos 128 1.1 christos PAM_VERBOSE_ERROR("UNIX authentication refused"); 129 1.1 christos return (PAM_AUTH_ERR); 130 1.1 christos } 131 1.1 christos 132 1.1 christos PAM_EXTERN int 133 1.2 christos /*ARGSUSED*/ 134 1.1 christos pam_sm_setcred(pam_handle_t *pamh __unused, int flags __unused, 135 1.1 christos int argc __unused, const char *argv[] __unused) 136 1.1 christos { 137 1.1 christos 138 1.1 christos return (PAM_SUCCESS); 139 1.1 christos } 140 1.1 christos 141 1.1 christos /* 142 1.1 christos * account management 143 1.1 christos */ 144 1.1 christos PAM_EXTERN int 145 1.2 christos /*ARGSUSED*/ 146 1.1 christos pam_sm_acct_mgmt(pam_handle_t *pamh, int flags __unused, 147 1.1 christos int argc __unused, const char *argv[] __unused) 148 1.1 christos { 149 1.7 thorpej struct passwd *pwd, pwres; 150 1.2 christos struct timeval now; 151 1.1 christos login_cap_t *lc; 152 1.1 christos time_t warntime; 153 1.1 christos int retval; 154 1.1 christos const char *user; 155 1.7 thorpej char pwbuf[1024]; 156 1.1 christos 157 1.1 christos retval = pam_get_user(pamh, &user, NULL); 158 1.1 christos if (retval != PAM_SUCCESS) 159 1.1 christos return (retval); 160 1.1 christos 161 1.7 thorpej if (user == NULL || 162 1.8 christos getpwnam_r(user, &pwres, pwbuf, sizeof(pwbuf), &pwd) != 0 || 163 1.8 christos pwd == NULL) 164 1.1 christos return (PAM_SERVICE_ERR); 165 1.1 christos 166 1.1 christos PAM_LOG("Got user: %s", user); 167 1.1 christos 168 1.1 christos if (*pwd->pw_passwd == '\0' && 169 1.1 christos (flags & PAM_DISALLOW_NULL_AUTHTOK) != 0) 170 1.1 christos return (PAM_NEW_AUTHTOK_REQD); 171 1.1 christos 172 1.1 christos lc = login_getpwclass(pwd); 173 1.1 christos if (lc == NULL) { 174 1.1 christos PAM_LOG("Unable to get login class for user %s", user); 175 1.1 christos return (PAM_SERVICE_ERR); 176 1.1 christos } 177 1.1 christos 178 1.1 christos PAM_LOG("Got login_cap"); 179 1.1 christos 180 1.1 christos if (pwd->pw_change || pwd->pw_expire) 181 1.2 christos (void) gettimeofday(&now, NULL); 182 1.2 christos 183 1.2 christos warntime = (time_t)login_getcaptime(lc, "password-warn", 184 1.2 christos (quad_t)(_PASSWORD_WARNDAYS * SECSPERDAY), 185 1.2 christos (quad_t)(_PASSWORD_WARNDAYS * SECSPERDAY)); 186 1.1 christos 187 1.1 christos /* 188 1.1 christos * Check pw_expire before pw_change - no point in letting the 189 1.1 christos * user change the password on an expired account. 190 1.1 christos */ 191 1.1 christos 192 1.1 christos if (pwd->pw_expire) { 193 1.2 christos if (now.tv_sec >= pwd->pw_expire) { 194 1.1 christos login_close(lc); 195 1.1 christos return (PAM_ACCT_EXPIRED); 196 1.2 christos } else if (pwd->pw_expire - now.tv_sec < warntime && 197 1.1 christos (flags & PAM_SILENT) == 0) { 198 1.1 christos pam_error(pamh, "Warning: your account expires on %s", 199 1.1 christos ctime(&pwd->pw_expire)); 200 1.1 christos } 201 1.1 christos } 202 1.1 christos 203 1.1 christos if (pwd->pw_change) { 204 1.2 christos /* XXX How to handle _PASSWORD_CHGNOW? --thorpej */ 205 1.2 christos if (now.tv_sec >= pwd->pw_change) { 206 1.2 christos login_close(lc); 207 1.2 christos return (PAM_NEW_AUTHTOK_REQD); 208 1.2 christos } else if (pwd->pw_change - now.tv_sec < warntime && 209 1.1 christos (flags & PAM_SILENT) == 0) { 210 1.1 christos pam_error(pamh, "Warning: your password expires on %s", 211 1.1 christos ctime(&pwd->pw_change)); 212 1.1 christos } 213 1.1 christos } 214 1.1 christos 215 1.2 christos login_close(lc); 216 1.2 christos 217 1.2 christos return (PAM_SUCCESS); 218 1.2 christos } 219 1.2 christos 220 1.2 christos #ifdef YP 221 1.2 christos /* 222 1.2 christos * yp_check_user: 223 1.2 christos * 224 1.2 christos * Helper function; check that a user exists in the NIS 225 1.2 christos * password map. 226 1.2 christos */ 227 1.2 christos static int 228 1.2 christos yp_check_user(const char *domain, const char *user) 229 1.2 christos { 230 1.2 christos char *val; 231 1.2 christos int reason, vallen; 232 1.2 christos 233 1.2 christos val = NULL; 234 1.2 christos reason = yp_match(domain, "passwd.byname", user, (int)strlen(user), 235 1.2 christos &val, &vallen); 236 1.2 christos if (reason != 0) { 237 1.2 christos if (val != NULL) 238 1.2 christos free(val); 239 1.2 christos return (0); 240 1.2 christos } 241 1.2 christos free(val); 242 1.2 christos return (1); 243 1.2 christos } 244 1.2 christos 245 1.2 christos static int 246 1.2 christos /*ARGSUSED*/ 247 1.2 christos yp_set_password(pam_handle_t *pamh, struct passwd *opwd, 248 1.2 christos struct passwd *pwd, const char *old_pass, const char *domain) 249 1.2 christos { 250 1.2 christos char *master; 251 1.2 christos int r, rpcport, status; 252 1.2 christos struct yppasswd yppwd; 253 1.2 christos CLIENT *client; 254 1.2 christos uid_t uid; 255 1.2 christos int retval = PAM_SERVICE_ERR; 256 1.2 christos struct timeval tv; 257 1.2 christos 258 1.2 christos /* 259 1.2 christos * Find the master for the passwd map; it should be running 260 1.2 christos * rpc.yppasswdd. 261 1.2 christos */ 262 1.2 christos if ((r = yp_master(domain, "passwd.byname", &master)) != 0) { 263 1.2 christos pam_error(pamh, "Can't find master NIS server. Reason: %s", 264 1.2 christos yperr_string(r)); 265 1.2 christos return (PAM_SERVICE_ERR); 266 1.2 christos } 267 1.2 christos 268 1.2 christos /* 269 1.2 christos * Ask the portmapper for the port of rpc.yppasswdd. 270 1.2 christos */ 271 1.2 christos if ((rpcport = getrpcport(master, YPPASSWDPROG, 272 1.2 christos YPPASSWDPROC_UPDATE, IPPROTO_UDP)) == 0) { 273 1.2 christos pam_error(pamh, 274 1.2 christos "Master NIS server not runing yppasswd daemon.\n\t" 275 1.2 christos "Can't change NIS password."); 276 1.2 christos return (PAM_SERVICE_ERR); 277 1.2 christos } 278 1.2 christos 279 1.1 christos /* 280 1.2 christos * Be sure the port is privileged. 281 1.1 christos */ 282 1.2 christos if (rpcport >= IPPORT_RESERVED) { 283 1.2 christos pam_error(pamh, "yppasswd daemon is on an invalid port."); 284 1.2 christos return (PAM_SERVICE_ERR); 285 1.2 christos } 286 1.1 christos 287 1.2 christos uid = getuid(); 288 1.2 christos if (uid != 0 && uid != pwd->pw_uid) { 289 1.2 christos pam_error(pamh, "You may only change your own password: %s", 290 1.2 christos strerror(EACCES)); 291 1.2 christos return (PAM_SERVICE_ERR); 292 1.1 christos } 293 1.1 christos 294 1.1 christos /* 295 1.2 christos * Fill in the yppasswd structure for yppasswdd. 296 1.1 christos */ 297 1.2 christos memset(&yppwd, 0, sizeof(yppwd)); 298 1.5 thorpej yppwd.oldpass = strdup(old_pass); 299 1.2 christos if ((yppwd.newpw.pw_passwd = strdup(pwd->pw_passwd)) == NULL) 300 1.2 christos goto malloc_failure; 301 1.2 christos if ((yppwd.newpw.pw_name = strdup(pwd->pw_name)) == NULL) 302 1.2 christos goto malloc_failure; 303 1.2 christos yppwd.newpw.pw_uid = pwd->pw_uid; 304 1.2 christos yppwd.newpw.pw_gid = pwd->pw_gid; 305 1.2 christos if ((yppwd.newpw.pw_gecos = strdup(pwd->pw_gecos)) == NULL) 306 1.2 christos goto malloc_failure; 307 1.2 christos if ((yppwd.newpw.pw_dir = strdup(pwd->pw_dir)) == NULL) 308 1.2 christos goto malloc_failure; 309 1.2 christos if ((yppwd.newpw.pw_shell = strdup(pwd->pw_shell)) == NULL) 310 1.2 christos goto malloc_failure; 311 1.2 christos 312 1.2 christos client = clnt_create(master, YPPASSWDPROG, YPPASSWDVERS, "udp"); 313 1.2 christos if (client == NULL) { 314 1.2 christos pam_error(pamh, "Can't contact yppasswdd on %s: Reason: %s", 315 1.2 christos master, yperr_string(YPERR_YPBIND)); 316 1.2 christos goto out; 317 1.2 christos } 318 1.2 christos 319 1.2 christos client->cl_auth = authunix_create_default(); 320 1.2 christos tv.tv_sec = 2; 321 1.2 christos tv.tv_usec = 0; 322 1.2 christos r = clnt_call(client, YPPASSWDPROC_UPDATE, 323 1.2 christos xdr_yppasswd, &yppwd, xdr_int, &status, tv); 324 1.2 christos if (r) 325 1.2 christos pam_error(pamh, "RPC to yppasswdd failed."); 326 1.2 christos else if (status) 327 1.2 christos pam_error(pamh, "Couldn't change NIS password."); 328 1.2 christos else { 329 1.2 christos pam_info(pamh, "The NIS password has been changed on %s, " 330 1.2 christos "the master NIS passwd server.", master); 331 1.2 christos retval = PAM_SUCCESS; 332 1.2 christos } 333 1.2 christos 334 1.2 christos out: 335 1.5 thorpej if (yppwd.oldpass != NULL) 336 1.5 thorpej free(yppwd.oldpass); 337 1.2 christos if (yppwd.newpw.pw_passwd != NULL) 338 1.2 christos free(yppwd.newpw.pw_passwd); 339 1.2 christos if (yppwd.newpw.pw_name != NULL) 340 1.2 christos free(yppwd.newpw.pw_name); 341 1.2 christos if (yppwd.newpw.pw_gecos != NULL) 342 1.2 christos free(yppwd.newpw.pw_gecos); 343 1.2 christos if (yppwd.newpw.pw_dir != NULL) 344 1.2 christos free(yppwd.newpw.pw_dir); 345 1.2 christos if (yppwd.newpw.pw_shell != NULL) 346 1.2 christos free(yppwd.newpw.pw_shell); 347 1.2 christos return (retval); 348 1.2 christos 349 1.2 christos malloc_failure: 350 1.2 christos pam_error(pamh, "memory allocation failure"); 351 1.2 christos goto out; 352 1.2 christos } 353 1.2 christos #endif /* YP */ 354 1.2 christos 355 1.2 christos static int 356 1.2 christos local_set_password(pam_handle_t *pamh, struct passwd *opwd, 357 1.2 christos struct passwd *pwd) 358 1.2 christos { 359 1.2 christos char errbuf[200]; 360 1.2 christos int tfd, pfd; 361 1.2 christos 362 1.2 christos pw_init(); 363 1.2 christos tfd = pw_lock(0); 364 1.2 christos if (tfd < 0) { 365 1.2 christos pam_error(pamh, "The password file is busy, waiting..."); 366 1.2 christos tfd = pw_lock(10); 367 1.2 christos if (tfd < 0) { 368 1.2 christos pam_error(pamh, "The password file is still busy, " 369 1.2 christos "try again later."); 370 1.2 christos return (PAM_SERVICE_ERR); 371 1.2 christos } 372 1.2 christos } 373 1.1 christos 374 1.2 christos pfd = open(_PATH_MASTERPASSWD, O_RDONLY, 0); 375 1.2 christos if (pfd < 0) { 376 1.2 christos pam_error(pamh, "%s: %s", _PATH_MASTERPASSWD, strerror(errno)); 377 1.2 christos pw_abort(); 378 1.2 christos return (PAM_SERVICE_ERR); 379 1.2 christos } 380 1.2 christos 381 1.2 christos if (pw_copyx(pfd, tfd, pwd, opwd, errbuf, sizeof(errbuf)) == 0) { 382 1.2 christos pam_error(pamh, "Unable to update password entry: %s", 383 1.2 christos errbuf); 384 1.2 christos pw_abort(); 385 1.2 christos return (PAM_SERVICE_ERR); 386 1.2 christos } 387 1.1 christos 388 1.2 christos if (pw_mkdb(pwd->pw_name, opwd->pw_change == pwd->pw_change) < 0) { 389 1.2 christos pam_error(pamh, "Unable to rebuild local password database."); 390 1.2 christos pw_abort(); 391 1.2 christos return (PAM_SERVICE_ERR); 392 1.2 christos } 393 1.1 christos 394 1.2 christos return (PAM_SUCCESS); 395 1.1 christos } 396 1.1 christos 397 1.1 christos /* 398 1.1 christos * password management 399 1.1 christos * 400 1.1 christos * standard Unix and NIS password changing 401 1.1 christos */ 402 1.1 christos PAM_EXTERN int 403 1.2 christos /*ARGSUSED*/ 404 1.1 christos pam_sm_chauthtok(pam_handle_t *pamh, int flags, 405 1.1 christos int argc __unused, const char *argv[] __unused) 406 1.1 christos { 407 1.11 jnemeth struct passwd *pwd, new_pwd, old_pwd; 408 1.2 christos login_cap_t *lc; 409 1.2 christos const char *user, *passwd_db, *new_pass, *old_pass, *p; 410 1.2 christos int retval, tries, min_pw_len = 0, pw_expiry = 0; 411 1.2 christos char salt[_PASSWORD_LEN+1]; 412 1.7 thorpej char old_pwbuf[1024]; 413 1.1 christos #ifdef YP 414 1.2 christos char *domain; 415 1.2 christos int r; 416 1.1 christos #endif 417 1.1 christos 418 1.9 lukem pwd = NULL; 419 1.10 jnemeth if (openpam_get_option(pamh, PAM_OPT_AUTH_AS_SELF)) { 420 1.10 jnemeth if ((user = getlogin()) == NULL) { 421 1.10 jnemeth pam_error(pamh, "Unable to determine user."); 422 1.10 jnemeth return (PAM_SERVICE_ERR); 423 1.10 jnemeth } 424 1.10 jnemeth (void) getpwnam_r(user, &old_pwd, old_pwbuf, 425 1.7 thorpej sizeof(old_pwbuf), &pwd); 426 1.10 jnemeth } else { 427 1.1 christos retval = pam_get_user(pamh, &user, NULL); 428 1.1 christos if (retval != PAM_SUCCESS) 429 1.1 christos return (retval); 430 1.7 thorpej (void) getpwnam_r(user, &old_pwd, old_pwbuf, 431 1.7 thorpej sizeof(old_pwbuf), &pwd); 432 1.1 christos } 433 1.1 christos 434 1.1 christos if (pwd == NULL) 435 1.1 christos return (PAM_AUTHTOK_RECOVERY_ERR); 436 1.1 christos 437 1.1 christos PAM_LOG("Got user: %s", user); 438 1.1 christos 439 1.2 christos /* 440 1.2 christos * Determine which password type we're going to change, and 441 1.2 christos * remember it. 442 1.2 christos * 443 1.2 christos * NOTE: domain does not need to be freed; its storage is 444 1.2 christos * allocated statically in libc. 445 1.2 christos */ 446 1.2 christos passwd_db = openpam_get_option(pamh, "passwd_db"); 447 1.2 christos if (passwd_db == NULL) { 448 1.2 christos #ifdef YP 449 1.2 christos /* Prefer YP, if configured. */ 450 1.2 christos if (_yp_check(NULL)) { 451 1.2 christos /* If _yp_check() succeeded, then this must. */ 452 1.2 christos if ((r = yp_get_default_domain(&domain)) != 0) { 453 1.2 christos pam_error(pamh, 454 1.2 christos "Unable to get NIS domain, reason: %s", 455 1.2 christos yperr_string(r)); 456 1.2 christos return (PAM_SERVICE_ERR); 457 1.2 christos } 458 1.2 christos if (yp_check_user(domain, user)) 459 1.2 christos passwd_db = "nis"; 460 1.2 christos } 461 1.2 christos #endif 462 1.2 christos /* Otherwise we always use local files. */ 463 1.2 christos if (passwd_db == NULL) { 464 1.2 christos /* XXX Any validation to do here? */ 465 1.2 christos passwd_db = "files"; 466 1.2 christos } 467 1.1 christos 468 1.10 jnemeth if ((retval = openpam_set_option(pamh, "passwd_db", 469 1.10 jnemeth passwd_db)) != PAM_SUCCESS) { 470 1.2 christos return (retval); 471 1.2 christos } 472 1.2 christos } else { 473 1.2 christos /* Check to see if the specified password DB is usable. */ 474 1.1 christos #ifdef YP 475 1.2 christos if (strcmp(passwd_db, "nis") == 0) { 476 1.2 christos if (_yp_check(NULL) == 0) { 477 1.2 christos pam_error(pamh, "NIS not in use."); 478 1.2 christos return (PAM_SERVICE_ERR); 479 1.2 christos } 480 1.2 christos if ((r = yp_get_default_domain(&domain)) != 0) { 481 1.2 christos pam_error(pamh, 482 1.2 christos "Unable to get NIS domain, reason: %s", 483 1.2 christos yperr_string(r)); 484 1.1 christos return (PAM_SERVICE_ERR); 485 1.1 christos } 486 1.2 christos if (yp_check_user(domain, user) == 0) { 487 1.2 christos pam_error(pamh, 488 1.2 christos "User %s does not exist in NIS.", user); 489 1.2 christos return (PAM_USER_UNKNOWN); 490 1.2 christos } 491 1.2 christos goto known_passwd_db; 492 1.2 christos } 493 1.2 christos #endif 494 1.2 christos if (strcmp(passwd_db, "files") == 0) { 495 1.2 christos /* XXX Any validation to do here? */ 496 1.2 christos goto known_passwd_db; 497 1.2 christos } 498 1.2 christos pam_error(pamh, "Unknown Unix password DB: %s", passwd_db); 499 1.2 christos return (PAM_SERVICE_ERR); 500 1.2 christos } 501 1.2 christos known_passwd_db: 502 1.2 christos 503 1.2 christos if (flags & PAM_PRELIM_CHECK) { 504 1.2 christos PAM_LOG("PRELIM round"); 505 1.1 christos 506 1.2 christos if (strcmp(passwd_db, "files") == 0) { 507 1.2 christos if (getuid() == 0) { 508 1.2 christos /* Root doesn't need the old password. */ 509 1.1 christos return (pam_set_item(pamh, PAM_OLDAUTHTOK, "")); 510 1.2 christos } 511 1.11.4.1 jdc /* 512 1.11.4.1 jdc * Apparently we're not root, so let's forbid editing 513 1.11.4.1 jdc * root. 514 1.11.4.1 jdc * XXX Check for some flag to indicate if this 515 1.11.4.1 jdc * XXX is the desired behavior. 516 1.11.4.1 jdc */ 517 1.11.4.1 jdc if (pwd->pw_uid == 0) 518 1.11.4.1 jdc return (PAM_PERM_DENIED); 519 1.1 christos } 520 1.2 christos 521 1.2 christos if (pwd->pw_passwd[0] == '\0') { 522 1.1 christos /* 523 1.2 christos * No password case. 524 1.2 christos * XXX Are we giviing too much away by not prompting 525 1.2 christos * XXX for a password? 526 1.2 christos * XXX Check PAM_DISALLOW_NULL_AUTHTOK 527 1.1 christos */ 528 1.2 christos return (pam_set_item(pamh, PAM_OLDAUTHTOK, "")); 529 1.1 christos } else { 530 1.2 christos retval = pam_get_authtok(pamh, PAM_OLDAUTHTOK, 531 1.2 christos &old_pass, NULL); 532 1.1 christos if (retval != PAM_SUCCESS) 533 1.1 christos return (retval); 534 1.2 christos if (strcmp(crypt(old_pass, pwd->pw_passwd), 535 1.2 christos pwd->pw_passwd) != 0) 536 1.2 christos return (PAM_PERM_DENIED); 537 1.2 christos return (PAM_SUCCESS); 538 1.1 christos } 539 1.1 christos } 540 1.2 christos 541 1.2 christos if (flags & PAM_UPDATE_AUTHTOK) { 542 1.4 christos char option[LINE_MAX], *key, *opt; 543 1.4 christos 544 1.1 christos PAM_LOG("UPDATE round"); 545 1.1 christos 546 1.2 christos if ((lc = login_getclass(pwd->pw_class)) != NULL) { 547 1.2 christos min_pw_len = (int) login_getcapnum(lc, 548 1.2 christos "minpasswordlen", (quad_t)0, (quad_t)0); 549 1.2 christos pw_expiry = (int) login_getcapnum(lc, 550 1.2 christos "passwordtime", (quad_t)0, (quad_t)0); 551 1.2 christos login_close(lc); 552 1.2 christos } 553 1.2 christos 554 1.2 christos retval = pam_get_authtok(pamh, PAM_OLDAUTHTOK, &old_pass, NULL); 555 1.1 christos if (retval != PAM_SUCCESS) 556 1.1 christos return (retval); 557 1.1 christos 558 1.2 christos /* Get the new password. */ 559 1.2 christos for (tries = 0;;) { 560 1.6 christos pam_set_item(pamh, PAM_AUTHTOK, NULL); 561 1.2 christos retval = pam_get_authtok(pamh, PAM_AUTHTOK, &new_pass, 562 1.2 christos NULL); 563 1.2 christos if (retval == PAM_TRY_AGAIN) { 564 1.2 christos pam_error(pamh, 565 1.2 christos "Mismatch; try again, EOF to quit."); 566 1.2 christos continue; 567 1.2 christos } 568 1.2 christos if (retval != PAM_SUCCESS) { 569 1.2 christos PAM_VERBOSE_ERROR("Unable to get new password"); 570 1.2 christos return (retval); 571 1.2 christos } 572 1.2 christos /* Successfully got new password. */ 573 1.2 christos if (new_pass[0] == '\0') { 574 1.2 christos pam_info(pamh, "Password unchanged."); 575 1.2 christos return (PAM_SUCCESS); 576 1.2 christos } 577 1.2 christos if (min_pw_len > 0 && strlen(new_pass) < min_pw_len) { 578 1.2 christos pam_error(pamh, "Password is too short."); 579 1.2 christos continue; 580 1.2 christos } 581 1.2 christos if (strlen(new_pass) <= 5 && ++tries < 2) { 582 1.2 christos pam_error(pamh, 583 1.2 christos "Please enter a longer password."); 584 1.2 christos continue; 585 1.2 christos } 586 1.2 christos for (p = new_pass; *p && islower((unsigned char)*p); ++p); 587 1.2 christos if (!*p && ++tries < 2) { 588 1.2 christos pam_error(pamh, 589 1.2 christos "Please don't use an all-lower case " 590 1.2 christos "password.\nUnusual capitalization, " 591 1.2 christos "control characters or digits are " 592 1.2 christos "suggested."); 593 1.2 christos continue; 594 1.2 christos } 595 1.2 christos /* Password is OK. */ 596 1.2 christos break; 597 1.1 christos } 598 1.4 christos pw_getpwconf(option, sizeof(option), pwd, 599 1.2 christos #ifdef YP 600 1.4 christos strcmp(passwd_db, "nis") == 0 ? "ypcipher" : 601 1.2 christos #endif 602 1.4 christos "localcipher"); 603 1.4 christos opt = option; 604 1.4 christos key = strsep(&opt, ","); 605 1.4 christos 606 1.4 christos if (pw_gensalt(salt, _PASSWORD_LEN, key, opt) == -1) { 607 1.2 christos pam_error(pamh, "Couldn't generate salt."); 608 1.2 christos return (PAM_SERVICE_ERR); 609 1.2 christos } 610 1.1 christos 611 1.11 jnemeth new_pwd = old_pwd; 612 1.11 jnemeth pwd = &new_pwd; 613 1.2 christos pwd->pw_passwd = crypt(new_pass, salt); 614 1.2 christos pwd->pw_change = pw_expiry ? pw_expiry + time(NULL) : 0; 615 1.1 christos 616 1.2 christos retval = PAM_SERVICE_ERR; 617 1.2 christos if (strcmp(passwd_db, "files") == 0) 618 1.2 christos retval = local_set_password(pamh, &old_pwd, pwd); 619 1.1 christos #ifdef YP 620 1.2 christos if (strcmp(passwd_db, "nis") == 0) 621 1.2 christos retval = yp_set_password(pamh, &old_pwd, pwd, old_pass, 622 1.2 christos domain); 623 1.1 christos #endif 624 1.2 christos return (retval); 625 1.1 christos } 626 1.1 christos 627 1.2 christos PAM_LOG("Illegal flags argument"); 628 1.2 christos return (PAM_ABORT); 629 1.1 christos } 630 1.1 christos 631 1.2 christos PAM_MODULE_ENTRY("pam_unix"); 632
Indexes created Tue Sep 23 07:09:52 GMT 2025