Aggressive cleanup of warnings + authtok-related code in preparation for
PAMifying passwd(1).

Sponsored by:	DARPA, NAI Labs.
This commit is contained in:
Dag-Erling Smørgrav 2002-04-06 19:30:04 +00:00
parent cbd5aec83b
commit 111ccd256c
8 changed files with 113 additions and 151 deletions


@ -14,7 +14,7 @@ MODULES += pam_login_access
MODULES += pam_nologin
MODULES += pam_opie
MODULES += pam_opieaccess
MODULES += pam_passwdqc
#MODULES += pam_passwdqc
MODULES += pam_permit
MODULES += pam_radius
MODULES += pam_rootok


@ -2,7 +2,14 @@
* Copyright 2001 Mark R V Murray
* Copyright Frank Cusack fcusack@fcusack.com 1999-2000
* All rights reserved
* Copyright (c) 2002 Networks Associates Technology, Inc.
* All rights reserved.
*
* Portions of this software were developed for the FreeBSD Project by
* ThinkSec AS and NAI Labs, the Security Research Division of Network
* Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035
* ("CBOSS"), as part of the DARPA CHATS research program.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
@ -200,7 +207,7 @@ __FBSDID("$FreeBSD$");
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <strings.h>
#include <string.h>
#include <syslog.h>
#include <unistd.h>
@ -229,7 +236,6 @@ static void compat_free_data_contents(krb5_context, krb5_data *);
#define USER_PROMPT "Username: "
#define PASSWORD_PROMPT "Password:"
#define NEW_PASSWORD_PROMPT "New Password:"
#define NEW_PASSWORD_PROMPT_2 "New Password (again):"
enum { PAM_OPT_AUTH_AS_SELF=PAM_OPT_STD_MAX, PAM_OPT_CCACHE, PAM_OPT_FORWARDABLE, PAM_OPT_NO_CCACHE, PAM_OPT_REUSE_CCACHE };
@ -258,7 +264,7 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags __unused, int argc, const char
struct passwd *pwd;
int retval;
const char *sourceuser, *user, *pass, *service;
char *principal, *princ_name, *cache_name, luser[32];
char *principal, *princ_name, *cache_name, luser[32], *srvdup;
pam_std_option(&options, other_options, argc, argv);
@ -339,7 +345,7 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags __unused, int argc, const char
PAM_LOG("Got principal: %s", princ_name);
/* Get password */
retval = pam_get_pass(pamh, &pass, PASSWORD_PROMPT, &options);
retval = pam_get_authtok(pamh, PAM_AUTHTOK, &pass, PASSWORD_PROMPT);
if (retval != PAM_SUCCESS)
goto cleanup2;
@ -420,8 +426,14 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags __unused, int argc, const char
PAM_LOG("Credentials stashed");
/* Verify them */
if (verify_krb_v5_tgt(pam_context, ccache, (char *)service,
pam_test_option(&options, PAM_OPT_FORWARDABLE, NULL)) == -1) {
if ((srvdup = strdup(service)) == NULL) {
retval = PAM_BUF_ERR;
goto cleanup;
}
krbret = verify_krb_v5_tgt(pam_context, ccache, srvdup,
pam_test_option(&options, PAM_OPT_FORWARDABLE, NULL));
free(srvdup);
if (krbret == -1) {
PAM_VERBOSE_ERROR("Kerberos 5 error");
krb5_cc_destroy(pam_context, ccache);
retval = PAM_AUTH_ERR;
@ -809,8 +821,8 @@ pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, const char **argv)
krb5_data result_code_string, result_string;
struct options options;
int result_code, retval;
const char *user, *pass, *pass2;
char *princ_name;
const char *user, *pass;
char *princ_name, *passdup;
pam_std_option(&options, other_options, argc, argv);
@ -857,7 +869,7 @@ pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, const char **argv)
PAM_LOG("Got principal: %s", princ_name);
/* Get password */
retval = pam_get_pass(pamh, &pass, PASSWORD_PROMPT, &options);
retval = pam_get_authtok(pamh, PAM_OLDAUTHTOK, &pass, PASSWORD_PROMPT);
if (retval != PAM_SUCCESS)
goto cleanup2;
@ -876,27 +888,26 @@ pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, const char **argv)
PAM_LOG("Credentials established");
/* Now get the new password */
retval = pam_get_pass(pamh, &pass, NEW_PASSWORD_PROMPT, &options);
if (retval != PAM_SUCCESS)
goto cleanup;
retval = pam_get_pass(pamh, &pass2, NEW_PASSWORD_PROMPT_2, &options);
if (retval != PAM_SUCCESS)
goto cleanup;
PAM_LOG("Got new password twice");
if (strcmp(pass, pass2) != 0) {
PAM_LOG("Error strcmp(): passwords are different");
retval = PAM_AUTHTOK_ERR;
goto cleanup;
for (;;) {
retval = pam_get_authtok(pamh,
PAM_AUTHTOK, &pass, NEW_PASSWORD_PROMPT);
if (retval != PAM_TRY_AGAIN)
break;
pam_error(pamh, "Mismatch; try again, EOF to quit.");
}
if (retval != PAM_SUCCESS)
goto cleanup;
PAM_LOG("New passwords are the same");
PAM_LOG("Got new password");
/* Change it */
krbret = krb5_change_password(pam_context, &creds, (char *)pass,
if ((passdup = strdup(pass)) == NULL) {
retval = PAM_BUF_ERR;
goto cleanup;
}
krbret = krb5_change_password(pam_context, &creds, passdup,
&result_code, &result_code_string, &result_string);
free(passdup);
if (krbret != 0) {
PAM_LOG("Error krb5_change_password(): %s",
error_message(krbret));
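Review bot: In pam_sm_chauthtok the heap copy of the new password made by `passdup = strdup(pass)` is released with a bare `free(passdup);`, so the cleartext stays behind in freed memory; clearing it first, `memset(passdup, 0, strlen(passdup)); free(passdup);`, narrows that exposure (a plain memset right before free can be dropped by the optimizer, so a non-elidable zeroing helper is preferable where the platform has one). Separately, in pam_sm_authenticate a failed `strdup(service)` jumps to `cleanup` without the `krb5_cc_destroy(pam_context, ccache)` that the verify-failure branch just below performs, which looks like it would leave the freshly created credential cache behind; worth confirming against the labels, which are outside the hunk. Both functions begin and end outside their hunks.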


@ -2,9 +2,7 @@
* Copyright 2000 James Bloom
* All rights reserved.
* Based upon code Copyright 1998 Juniper Networks, Inc.
* Copyright (c) 2001 Networks Associates Technology, Inc.
* All rights reserved.
* Copyright (c) 2002 Networks Associates Technology, Inc.
* Copyright (c) 2001,2002 Networks Associates Technology, Inc.
* All rights reserved.
*
* Portions of this software were developed for the FreeBSD Project by
@ -124,7 +122,7 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags __unused, int argc, const char
for (i = 0; i < 2; i++) {
snprintf(prompt, sizeof prompt, promptstr[i], challenge);
retval = pam_get_authtok(pamh, &response, prompt);
retval = pam_get_authtok(pamh, PAM_AUTHTOK, &response, prompt);
if (retval != PAM_SUCCESS) {
opieunlock();
PAM_RETURN(retval);
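Review bot: The two-attempt loop at `for (i = 0; i < 2; i++)` now reads the response through `pam_get_authtok(pamh, PAM_AUTHTOK, &response, prompt)`; if pam_get_authtok hands back an already-set PAM_AUTHTOK item instead of prompting, the second iteration silently reuses the first (failed) response and the user never sees the retry. Clearing the item on the failed-attempt path before looping back, `pam_set_item(pamh, PAM_AUTHTOK, NULL);`, would keep the second attempt meaningful. I cannot see the verify/retry branch from the hunk, so this is inferred; the enclosing function continues outside the hunk.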


@ -1,7 +1,7 @@
/*-
* Copyright 1998 Juniper Networks, Inc.
* All rights reserved.
* Copyright (c) 2001 Networks Associates Technology, Inc.
* Copyright (c) 2001,2002 Networks Associates Technology, Inc.
* All rights reserved.
*
* Portions of this software were developed for the FreeBSD Project by
@ -63,7 +63,7 @@ static struct opttab other_options[] = {
};
#define MAX_CHALLENGE_MSGS 10
#define PASSWORD_PROMPT "RADIUS password:"
#define PASSWORD_PROMPT "RADIUS Password:"
static int build_access_request(struct rad_handle *, const char *,
const char *, const void *, size_t);
@ -237,7 +237,7 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags __unused, int argc, const char
PAM_LOG("Got user: %s", user);
retval = pam_get_authtok(pamh, &pass, PASSWORD_PROMPT);
retval = pam_get_authtok(pamh, PAM_AUTHTOK, &pass, PASSWORD_PROMPT);
if (retval != PAM_SUCCESS)
PAM_RETURN(retval);


@ -1,7 +1,7 @@
/*-
* Copyright (c) 2001 Mark R V Murray
* All rights reserved.
* Copyright (c) 2001 Networks Associates Technology, Inc.
* Copyright (c) 2001,2002 Networks Associates Technology, Inc.
* All rights reserved.
*
* Portions of this software were developed for the FreeBSD Project by
@ -74,7 +74,7 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags __unused, int argc, const char
PAM_LOG("Options processed");
pam_err = pam_get_item(pamh, PAM_USER, (const void **)&luser);
pam_err = pam_get_user(pamh, &luser, NULL);
if (pam_err != PAM_SUCCESS)
PAM_RETURN(pam_err);
if (luser == NULL || (pwd = getpwnam(luser)) == NULL)


@ -1,7 +1,7 @@
/*-
* Copyright (c) 1999, 2000 Andrew J. Korty
* All rights reserved.
* Copyright (c) 2001 Networks Associates Technology, Inc.
* Copyright (c) 2001,2002 Networks Associates Technology, Inc.
* All rights reserved.
*
* Portions of this software were developed for the FreeBSD Project by
@ -69,12 +69,15 @@ __FBSDID("$FreeBSD$");
#include "log.h"
#include "pam_ssh.h"
static void key_cleanup(pam_handle_t *, void *, int);
static void ssh_cleanup(pam_handle_t *, void *, int);
/*
* Generic cleanup function for OpenSSH "Key" type.
*/
void
key_cleanup(pam_handle_t *pamh, void *data, int error_status)
static void
key_cleanup(pam_handle_t *pamh __unused, void *data, int err __unused)
{
if (data)
key_free(data);
@ -85,8 +88,8 @@ key_cleanup(pam_handle_t *pamh, void *data, int error_status)
* Generic PAM cleanup function for this module.
*/
void
ssh_cleanup(pam_handle_t *pamh, void *data, int error_status)
static void
ssh_cleanup(pam_handle_t *pamh __unused, void *data, int err __unused)
{
if (data)
free(data);
@ -107,7 +110,7 @@ auth_via_key(pam_handle_t *pamh, const char *file, const char *dir,
{
char *comment; /* private key comment */
char *data_name; /* PAM state */
static int index = 0; /* for saved keys */
static int key_idx = 0; /* for saved keys */
Key *key; /* user's key */
char *path; /* to key files */
int retval; /* from calls */
@ -140,7 +143,7 @@ auth_via_key(pam_handle_t *pamh, const char *file, const char *dir,
/* save the key and comment to pass to ssh-agent in the session
phase */
if (!asprintf(&data_name, "ssh_private_key_%d", index)) {
if (!asprintf(&data_name, "ssh_private_key_%d", key_idx)) {
openpam_log(PAM_LOG_ERROR, "%s: %m", MODULE_NAME);
free(comment);
return PAM_SERVICE_ERR;
@ -152,7 +155,7 @@ auth_via_key(pam_handle_t *pamh, const char *file, const char *dir,
free(comment);
return retval;
}
if (!asprintf(&data_name, "ssh_key_comment_%d", index)) {
if (!asprintf(&data_name, "ssh_key_comment_%d", key_idx)) {
openpam_log(PAM_LOG_ERROR, "%s: %m", MODULE_NAME);
free(comment);
return PAM_SERVICE_ERR;
@ -164,7 +167,7 @@ auth_via_key(pam_handle_t *pamh, const char *file, const char *dir,
return retval;
}
++index;
++key_idx;
return PAM_SUCCESS;
}
@ -175,13 +178,13 @@ auth_via_key(pam_handle_t *pamh, const char *file, const char *dir,
*/
static int
add_keys(pam_handle_t *pamh, char *socket)
add_keys(pam_handle_t *pamh)
{
AuthenticationConnection *ac; /* connection to ssh-agent */
char *comment; /* private key comment */
char *data_name; /* PAM state */
int final; /* final return value */
int index; /* for saved keys */
int key_idx; /* for saved keys */
Key *key; /* user's private key */
int retval; /* from calls */
@ -217,8 +220,8 @@ add_keys(pam_handle_t *pamh, char *socket)
/* hand off each private key to the agent */
final = 0;
for (index = 0; ; index++) {
if (!asprintf(&data_name, "ssh_private_key_%d", index)) {
for (key_idx = 0; ; key_idx++) {
if (!asprintf(&data_name, "ssh_private_key_%d", key_idx)) {
openpam_log(PAM_LOG_ERROR, "%s: %m", MODULE_NAME);
ssh_close_authentication_connection(ac);
return PAM_SERVICE_ERR;
@ -227,7 +230,7 @@ add_keys(pam_handle_t *pamh, char *socket)
free(data_name);
if (retval != PAM_SUCCESS)
break;
if (!asprintf(&data_name, "ssh_key_comment_%d", index)) {
if (!asprintf(&data_name, "ssh_key_comment_%d", key_idx)) {
openpam_log(PAM_LOG_ERROR, "%s: %m", MODULE_NAME);
ssh_close_authentication_connection(ac);
return PAM_SERVICE_ERR;
@ -248,8 +251,8 @@ add_keys(pam_handle_t *pamh, char *socket)
PAM_EXTERN int
pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc,
const char **argv)
pam_sm_authenticate(pam_handle_t *pamh, int flags __unused,
int argc, const char **argv)
{
int authenticated; /* user authenticated? */
char *dotdir; /* .ssh dir name */
@ -262,7 +265,7 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc,
int retval; /* from calls */
const char *user; /* username */
keyfiles = DEF_KEYFILES;
keyfiles = NULL;
options = 0;
for (; argc; argc--, argv++)
if (strncmp(*argv, OPT_KEYFILES "=", sizeof OPT_KEYFILES)
@ -282,8 +285,8 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc,
/* pass prompt message to application and receive passphrase */
if ((retval = pam_get_authtok(pamh, &pass, NEED_PASSPHRASE))
!= PAM_SUCCESS)
retval = pam_get_authtok(pamh, PAM_AUTHTOK, &pass, NEED_PASSPHRASE);
if (retval != PAM_SUCCESS)
return retval;
OpenSSL_add_all_algorithms(); /* required for DSA */
@ -297,7 +300,7 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc,
return PAM_SERVICE_ERR;
}
authenticated = 0;
keyfiles = strdup(keyfiles);
keyfiles = strdup(keyfiles ? keyfiles : DEF_KEYFILES);
for (file = strtok(keyfiles, SEP_KEYFILES); file;
file = strtok(NULL, SEP_KEYFILES))
if (auth_via_key(pamh, file, dotdir, pwent, pass) ==
@ -327,15 +330,16 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc,
PAM_EXTERN int
pam_sm_setcred(pam_handle_t *pamh, int flags, int argc, const char **argv)
pam_sm_setcred(pam_handle_t *pamh __unused, int flags __unused,
int argc __unused, const char **argv __unused)
{
return PAM_SUCCESS;
}
PAM_EXTERN int
pam_sm_open_session(pam_handle_t *pamh, int flags, int argc,
const char **argv)
pam_sm_open_session(pam_handle_t *pamh, int flags __unused,
int argc __unused, const char **argv __unused)
{
char *agent_socket; /* agent socket */
char *env_end; /* end of env */
@ -525,7 +529,7 @@ pam_sm_open_session(pam_handle_t *pamh, int flags, int argc,
if (!agent_socket)
return PAM_SESSION_ERR;
if (start_agent && (retval = add_keys(pamh, agent_socket))
if (start_agent && (retval = add_keys(pamh))
!= PAM_SUCCESS)
return retval;
free(agent_socket);
@ -565,8 +569,8 @@ pam_sm_open_session(pam_handle_t *pamh, int flags, int argc,
PAM_EXTERN int
pam_sm_close_session(pam_handle_t *pamh, int flags, int argc,
const char **argv)
pam_sm_close_session(pam_handle_t *pamh, int flags __unused,
int argc __unused, const char **argv __unused)
{
const char *env_file; /* ssh-agent environment */
pid_t pid; /* ssh-agent process id */
@ -600,7 +604,7 @@ pam_sm_close_session(pam_handle_t *pamh, int flags, int argc,
just call kill(). */
pid = atoi(ssh_agent_pid);
if (ssh_agent_pid <= 0)
if (pid <= 0)
return PAM_SESSION_ERR;
if (kill(pid, SIGTERM) != 0) {
openpam_log(PAM_LOG_ERROR, "%s: %s: %m", MODULE_NAME,
@ -612,15 +616,15 @@ pam_sm_close_session(pam_handle_t *pamh, int flags, int argc,
}
PAM_EXTERN int
pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, int argc,
const char **argv)
pam_sm_acct_mgmt(pam_handle_t *pamh __unused, int flags __unused,
int argc __unused, const char **argv __unused)
{
return (PAM_IGNORE);
}
PAM_EXTERN int
pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc,
const char **argv)
pam_sm_chauthtok(pam_handle_t *pamh __unused, int flags __unused,
int argc __unused, const char **argv __unused)
{
return (PAM_IGNORE);
}
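Review bot: The asprintf checks rewritten as `if (!asprintf(&data_name, "ssh_private_key_%d", key_idx))` (and the three sibling calls in auth_via_key and add_keys) test for a zero return, but asprintf reports failure with -1 and leaves data_name unspecified, so an allocation failure passes the check and an indeterminate pointer is then used as the data name below the hunk; the condition should be `if (asprintf(&data_name, "ssh_private_key_%d", key_idx) < 0)` at each site. Separately, in pam_sm_authenticate `keyfiles = strdup(keyfiles ? keyfiles : DEF_KEYFILES);` is not checked for NULL before `strtok(keyfiles, SEP_KEYFILES)`; a guard such as `if (keyfiles == NULL) return PAM_SERVICE_ERR;` matches the error convention the file uses for asprintf, though whatever dotdir holds would need releasing first and that cleanup is outside the hunk. Both functions begin and end outside their hunks.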


@ -1,7 +1,7 @@
/*-
* Copyright 1998 Juniper Networks, Inc.
* All rights reserved.
* Copyright (c) 2001 Networks Associates Technology, Inc.
* Copyright (c) 2001,2002 Networks Associates Technology, Inc.
* All rights reserved.
*
* Portions of this software were developed for the FreeBSD Project by
@ -226,11 +226,11 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags __unused, int argc,
PAM_RETURN(PAM_SERVICE_ERR);
if (status == TAC_AUTHEN_STATUS_GETUSER)
retval = pam_get_user(pamh, &user_msg,
srvr_msg[0] != '\0' ? srvr_msg : NULL);
*srvr_msg ? srvr_msg : NULL);
else if (status == TAC_AUTHEN_STATUS_GETPASS)
retval = pam_get_authtok(pamh, &user_msg,
srvr_msg[0] != '\0' ? srvr_msg :
"Password:");
retval = pam_get_authtok(pamh,
PAM_AUTHTOK, &user_msg,
*srvr_msg ? srvr_msg : "Password:");
free(srvr_msg);
if (retval != PAM_SUCCESS) {
/* XXX - send a TACACS+ abort packet */
@ -247,9 +247,7 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags __unused, int argc,
retval = pam_prompt(pamh,
pam_test_option(&options, PAM_OPT_ECHO_PASS, NULL)
? PAM_PROMPT_ECHO_ON : PAM_PROMPT_ECHO_OFF,
&data_msg,
"%s",
srvr_msg[0] != '\0' ? srvr_msg : "Data:");
&data_msg, "%s", *srvr_msg ? srvr_msg : "Data:");
free(srvr_msg);
if (retval != PAM_SUCCESS) {
/* XXX - send a TACACS+ abort packet */
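Review bot: The server-supplied `srvr_msg` is now passed straight into `pam_get_authtok(pamh, PAM_AUTHTOK, &user_msg, *srvr_msg ? srvr_msg : "Password:")` as the prompt, while the neighbouring pam_prompt call deliberately routes the same text through a `"%s"` format; it is worth confirming that pam_get_authtok likewise treats its prompt argument as plain text and never as a format string before trusting TACACS+ server text there. A comment at the call, `/* prompt text comes from the server; relies on pam_get_authtok not treating it as a format */`, would record the assumption for the next reader. The enclosing function continues outside the hunk.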


@ -76,21 +76,13 @@ __FBSDID("$FreeBSD$");
#include <security/pam_modules.h>
#include <security/pam_mod_misc.h>
#define USER_PROMPT "Username: "
#define PASSWORD_PROMPT "Password:"
#define PASSWORD_PROMPT_EXPIRED "\nPassword expired\nOld Password:"
#define NEW_PASSWORD_PROMPT_1 "New Password:"
#define NEW_PASSWORD_PROMPT_2 "New Password (again):"
#define PASSWORD_HASH "md5"
#define DEFAULT_WARN (2L * 7L * 86400L) /* Two weeks */
#define MAX_TRIES 3
#define SALTSIZE 32
static void makesalt(char []);
static char password_prompt_def[] = PASSWORD_PROMPT;
static char password_hash[] = PASSWORD_HASH;
static char blank[] = "";
static char colon[] = ":";
enum {
@ -149,7 +141,7 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags __unused, int argc, const char
lc = login_getclass(NULL);
password_prompt = login_getcapstr(lc, "passwd_prompt",
password_prompt_def, password_prompt_def);
password_prompt, NULL);
login_close(lc);
lc = NULL;
@ -167,7 +159,8 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags __unused, int argc, const char
PAM_RETURN(PAM_SUCCESS);
}
else {
retval = pam_get_authtok(pamh, &pass, password_prompt);
retval = pam_get_authtok(pamh, PAM_AUTHTOK,
&pass, password_prompt);
if (retval != PAM_SUCCESS)
PAM_RETURN(retval);
PAM_LOG("Got password");
@ -190,7 +183,8 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags __unused, int argc, const char
* User unknown.
* Encrypt a dummy password so as to not give away too much.
*/
retval = pam_get_authtok(pamh, &pass, password_prompt);
retval = pam_get_authtok(pamh,
PAM_AUTHTOK, &pass, password_prompt);
if (retval != PAM_SUCCESS)
PAM_RETURN(retval);
PAM_LOG("Got password");
@ -240,7 +234,7 @@ pam_sm_acct_mgmt(pam_handle_t *pamh, int flags __unused, int argc, const char **
PAM_LOG("Options processed");
retval = pam_get_item(pamh, PAM_USER, (const void **)&user);
retval = pam_get_user(pamh, &user, NULL);
if (retval != PAM_SUCCESS)
PAM_RETURN(retval);
@ -375,9 +369,9 @@ pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, const char **argv)
{
struct options options;
struct passwd *pwd;
int retval, retry, res, got;
const char *user, *pass;
char *new_pass, *new_pass_, *encrypted, *usrdup;
const char *user, *pass, *new_pass;
char *encrypted, *usrdup;
int retval, res;
pam_std_option(&options, other_options, argc, argv);
@ -403,83 +397,48 @@ pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, const char **argv)
/*
* No password case. XXX Are we giving too much away
* by not prompting for a password?
* XXX check PAM_DISALLOW_NULL_AUTHTOK
*/
PAM_LOG("No password, and null password OK");
PAM_LOG("Got password");
PAM_RETURN(PAM_SUCCESS);
}
else {
retval = pam_get_authtok(pamh, &pass,
PASSWORD_PROMPT_EXPIRED);
retval = pam_get_authtok(pamh,
PAM_OLDAUTHTOK, &pass, NULL);
if (retval != PAM_SUCCESS)
PAM_RETURN(retval);
PAM_LOG("Got password: %s", pass);
PAM_LOG("Got password");
}
encrypted = crypt(pass, pwd->pw_passwd);
if (pass[0] == '\0' && pwd->pw_passwd[0] != '\0')
encrypted = colon;
PAM_LOG("Encrypted password 1 is: %s", encrypted);
PAM_LOG("Encrypted password 2 is: %s", pwd->pw_passwd);
if (strcmp(encrypted, pwd->pw_passwd) != 0)
if (strcmp(encrypted, pwd->pw_passwd) != 0) {
pam_set_item(pamh, PAM_OLDAUTHTOK, NULL);
PAM_RETURN(PAM_AUTH_ERR);
retval = pam_set_item(pamh, PAM_OLDAUTHTOK, (const void *)pass);
pass = NULL;
if (retval != PAM_SUCCESS)
PAM_RETURN(retval);
PAM_LOG("Stashed old password");
retval = pam_set_item(pamh, PAM_AUTHTOK, (const void *)pass);
if (retval != PAM_SUCCESS)
PAM_RETURN(retval);
PAM_LOG("Voided old password");
}
PAM_RETURN(PAM_SUCCESS);
}
else if (flags & PAM_UPDATE_AUTHTOK) {
PAM_LOG("UPDATE round; checking user password");
retval = pam_get_item(pamh, PAM_OLDAUTHTOK,
(const void **)&pass);
retval = pam_get_authtok(pamh, PAM_OLDAUTHTOK, &pass, NULL);
if (retval != PAM_SUCCESS)
PAM_RETURN(retval);
PAM_LOG("Got old password: %s", pass);
PAM_LOG("Got old password");
got = 0;
retry = 0;
while (retry++ < MAX_TRIES) {
new_pass = NULL;
retval = pam_prompt(pamh, PAM_PROMPT_ECHO_OFF,
&new_pass, "%s", NEW_PASSWORD_PROMPT_1);
if (new_pass == NULL)
new_pass = blank;
if (retval == PAM_SUCCESS) {
new_pass_ = NULL;
retval = pam_prompt(pamh, PAM_PROMPT_ECHO_OFF,
&new_pass_, "%s", NEW_PASSWORD_PROMPT_2);
if (new_pass_ == NULL)
new_pass_ = blank;
if (retval == PAM_SUCCESS) {
if (strcmp(new_pass, new_pass_) == 0) {
got = 1;
break;
}
else
PAM_VERBOSE_ERROR("Password mismatch");
}
}
for (;;) {
retval = pam_get_authtok(pamh,
PAM_AUTHTOK, &new_pass, NULL);
if (retval != PAM_TRY_AGAIN)
break;
pam_error(pamh, "Mismatch; try again, EOF to quit.");
}
if (!got) {
PAM_VERBOSE_ERROR("Unable to get valid password");
if (retval != PAM_SUCCESS) {
PAM_VERBOSE_ERROR("Unable to get new password");
PAM_RETURN(PAM_PERM_DENIED);
}
@ -523,10 +482,6 @@ pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, const char **argv)
#else
retval = local_passwd(user, new_pass);
#endif
/* XXX wipe the mem as well */
pass = NULL;
new_pass = NULL;
}
else {
/* Very bad juju */
@ -556,7 +511,6 @@ local_passwd(const char *user, const char *pass)
{
login_cap_t * lc;
struct passwd *pwd;
struct timeval tv;
int pfd, tfd;
char *crypt_type, salt[SALTSIZE + 1];
@ -598,16 +552,13 @@ local_passwd(const char *user, const char *pass)
int
yp_passwd(const char *user __unused, const char *pass)
{
struct yppasswd yppwd;
struct master_yppasswd master_yppwd;
struct passwd *pwd;
struct rpc_err err;
struct timeval tv;
struct yppasswd yppwd;
CLIENT *clnt;
login_cap_t *lc;
int *status;
gid_t gid;
pid_t pid;
uid_t uid;
char *master, sockname[] = YP_SOCKNAME, salt[SALTSIZE + 1];
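Review bot: In pam_sm_authenticate the rewritten `password_prompt = login_getcapstr(lc, "passwd_prompt", password_prompt, NULL);` uses `password_prompt` itself as the default, and the `password_prompt_def` / PASSWORD_PROMPT fallbacks this commit deletes were the only visible initializer; unless the variable is assigned above the hunk (its declaration is outside it), the call yields an indeterminate pointer whenever the login class has no `passwd_prompt`, and that pointer is then handed to pam_get_authtok as the prompt. Passing `NULL` as the default, `password_prompt = login_getcapstr(lc, "passwd_prompt", NULL, NULL);`, lets pam_get_authtok fall back to its own default prompt on both the missing-capability and error paths. The function starts and ends outside the hunk.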