Edward Tomasz Napierala bfd8b9b826 pam: add option to not prompt for password if it's set to empty
Add a new option to pam_unix(8), "emptyok", which makes it not prompt
for password, if it's set to an empty one.  It is similar to "nullok",
which makes it not prompt for password if the hash itself is empty.

Reviewed By:	markj
Sponsored By:	NetApp, Inc.
Sponsored By:	Klara, Inc.
Differential Revision:	https://reviews.freebsd.org/D27569
2021-04-03 13:05:50 +01:00

496 lines
13 KiB
C

/*-
* SPDX-License-Identifier: BSD-3-Clause
*
* Copyright 1998 Juniper Networks, Inc.
* All rights reserved.
* Copyright (c) 2002-2003 Networks Associates Technology, Inc.
* All rights reserved.
*
* Portions of this software was developed for the FreeBSD Project by
* ThinkSec AS and NAI Labs, the Security Research Division of Network
* Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035
* ("CBOSS"), as part of the DARPA CHATS research program.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. The name of the author may not be used to endorse or promote
* products derived from this software without specific prior written
* permission.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
#include <sys/cdefs.h>
__FBSDID("$FreeBSD$");
#include <sys/param.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <login_cap.h>
#include <netdb.h>
#include <pwd.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>
#include <syslog.h>
#include <time.h>
#include <unistd.h>
#include <libutil.h>
#ifdef YP
#include <ypclnt.h>
#endif
#define PAM_SM_AUTH
#define PAM_SM_ACCOUNT
#define PAM_SM_PASSWORD
#include <security/pam_appl.h>
#include <security/pam_modules.h>
#include <security/pam_mod_misc.h>
#define PASSWORD_HASH "md5"
#define DEFAULT_WARN (2L * 7L * 86400L) /* Two weeks */
#define SALTSIZE 32
#define LOCKED_PREFIX "*LOCKED*"
#define LOCKED_PREFIX_LEN (sizeof(LOCKED_PREFIX) - 1)
static void makesalt(char []);
static char password_hash[] = PASSWORD_HASH;
#define PAM_OPT_LOCAL_PASS "local_pass"
#define PAM_OPT_NIS_PASS "nis_pass"
/*
* authentication management
*/
PAM_EXTERN int
pam_sm_authenticate(pam_handle_t *pamh, int flags __unused,
int argc __unused, const char *argv[] __unused)
{
login_cap_t *lc;
struct passwd *pwd;
int retval;
const char *pass, *user, *realpw, *prompt;
const char *emptypasswd = "";
if (openpam_get_option(pamh, PAM_OPT_AUTH_AS_SELF)) {
user = getlogin();
} else {
retval = pam_get_user(pamh, &user, NULL);
if (retval != PAM_SUCCESS)
return (retval);
}
pwd = getpwnam(user);
PAM_LOG("Got user: %s", user);
if (pwd != NULL) {
PAM_LOG("Doing real authentication");
realpw = pwd->pw_passwd;
if (realpw[0] == '\0') {
if (!(flags & PAM_DISALLOW_NULL_AUTHTOK) &&
openpam_get_option(pamh, PAM_OPT_NULLOK))
return (PAM_SUCCESS);
PAM_LOG("Password is empty, using fake password");
realpw = "*";
}
/*
* Check whether the saved password hash matches the one
* generated from an empty password - as opposed to empty
* saved password hash, which is handled above.
*/
if (!(flags & PAM_DISALLOW_NULL_AUTHTOK) &&
openpam_get_option(pamh, PAM_OPT_EMPTYOK) &&
strcmp(crypt(emptypasswd, realpw), realpw) == 0)
return (PAM_SUCCESS);
lc = login_getpwclass(pwd);
} else {
PAM_LOG("Doing dummy authentication");
realpw = "*";
lc = login_getclass(NULL);
}
prompt = login_getcapstr(lc, "passwd_prompt", NULL, NULL);
retval = pam_get_authtok(pamh, PAM_AUTHTOK, &pass, prompt);
login_close(lc);
if (retval != PAM_SUCCESS)
return (retval);
PAM_LOG("Got password");
if (strnlen(pass, _PASSWORD_LEN + 1) > _PASSWORD_LEN) {
PAM_LOG("Password is too long, using fake password");
realpw = "*";
}
if (strcmp(crypt(pass, realpw), realpw) == 0)
return (PAM_SUCCESS);
PAM_VERBOSE_ERROR("UNIX authentication refused");
return (PAM_AUTH_ERR);
}
PAM_EXTERN int
pam_sm_setcred(pam_handle_t *pamh __unused, int flags __unused,
int argc __unused, const char *argv[] __unused)
{
return (PAM_SUCCESS);
}
/*
* account management
*/
PAM_EXTERN int
pam_sm_acct_mgmt(pam_handle_t *pamh, int flags __unused,
int argc __unused, const char *argv[] __unused)
{
struct addrinfo hints, *res;
struct passwd *pwd;
struct timeval tp;
login_cap_t *lc;
time_t warntime;
int retval;
const char *user;
const void *rhost, *tty;
char rhostip[MAXHOSTNAMELEN] = "";
retval = pam_get_user(pamh, &user, NULL);
if (retval != PAM_SUCCESS)
return (retval);
if (user == NULL || (pwd = getpwnam(user)) == NULL)
return (PAM_SERVICE_ERR);
PAM_LOG("Got user: %s", user);
retval = pam_get_item(pamh, PAM_RHOST, &rhost);
if (retval != PAM_SUCCESS)
return (retval);
retval = pam_get_item(pamh, PAM_TTY, &tty);
if (retval != PAM_SUCCESS)
return (retval);
if (*pwd->pw_passwd == '\0' &&
(flags & PAM_DISALLOW_NULL_AUTHTOK) != 0)
return (PAM_NEW_AUTHTOK_REQD);
if (strncmp(pwd->pw_passwd, LOCKED_PREFIX, LOCKED_PREFIX_LEN) == 0)
return (PAM_AUTH_ERR);
lc = login_getpwclass(pwd);
if (lc == NULL) {
PAM_LOG("Unable to get login class for user %s", user);
return (PAM_SERVICE_ERR);
}
PAM_LOG("Got login_cap");
if (pwd->pw_change || pwd->pw_expire)
gettimeofday(&tp, NULL);
/*
* Check pw_expire before pw_change - no point in letting the
* user change the password on an expired account.
*/
if (pwd->pw_expire) {
warntime = login_getcaptime(lc, "warnexpire",
DEFAULT_WARN, DEFAULT_WARN);
if (tp.tv_sec >= pwd->pw_expire) {
login_close(lc);
return (PAM_ACCT_EXPIRED);
} else if (pwd->pw_expire - tp.tv_sec < warntime &&
(flags & PAM_SILENT) == 0) {
pam_error(pamh, "Warning: your account expires on %s",
ctime(&pwd->pw_expire));
}
}
retval = PAM_SUCCESS;
if (pwd->pw_change) {
warntime = login_getcaptime(lc, "warnpassword",
DEFAULT_WARN, DEFAULT_WARN);
if (tp.tv_sec >= pwd->pw_change) {
retval = PAM_NEW_AUTHTOK_REQD;
} else if (pwd->pw_change - tp.tv_sec < warntime &&
(flags & PAM_SILENT) == 0) {
pam_error(pamh, "Warning: your password expires on %s",
ctime(&pwd->pw_change));
}
}
/*
* From here on, we must leave retval untouched (unless we
* know we're going to fail), because we need to remember
* whether we're supposed to return PAM_SUCCESS or
* PAM_NEW_AUTHTOK_REQD.
*/
if (rhost && *(const char *)rhost != '\0') {
memset(&hints, 0, sizeof(hints));
hints.ai_family = AF_UNSPEC;
if (getaddrinfo(rhost, NULL, &hints, &res) == 0) {
getnameinfo(res->ai_addr, res->ai_addrlen,
rhostip, sizeof(rhostip), NULL, 0,
NI_NUMERICHOST);
}
if (res != NULL)
freeaddrinfo(res);
}
/*
* Check host / tty / time-of-day restrictions
*/
if (!auth_hostok(lc, rhost, rhostip) ||
!auth_ttyok(lc, tty) ||
!auth_timeok(lc, time(NULL)))
retval = PAM_AUTH_ERR;
login_close(lc);
return (retval);
}
/*
* password management
*
* standard Unix and NIS password changing
*/
PAM_EXTERN int
pam_sm_chauthtok(pam_handle_t *pamh, int flags,
int argc __unused, const char *argv[] __unused)
{
#ifdef YP
struct ypclnt *ypclnt;
const void *yp_domain, *yp_server;
#endif
char salt[SALTSIZE + 1];
login_cap_t *lc;
struct passwd *pwd, *old_pwd;
const char *user, *old_pass, *new_pass;
char *encrypted;
time_t passwordtime;
int pfd, tfd, retval;
if (openpam_get_option(pamh, PAM_OPT_AUTH_AS_SELF))
user = getlogin();
else {
retval = pam_get_user(pamh, &user, NULL);
if (retval != PAM_SUCCESS)
return (retval);
}
pwd = getpwnam(user);
if (pwd == NULL)
return (PAM_AUTHTOK_RECOVERY_ERR);
PAM_LOG("Got user: %s", user);
if (flags & PAM_PRELIM_CHECK) {
PAM_LOG("PRELIM round");
if (getuid() == 0 &&
(pwd->pw_fields & _PWF_SOURCE) == _PWF_FILES)
/* root doesn't need the old password */
return (pam_set_item(pamh, PAM_OLDAUTHTOK, ""));
#ifdef YP
if (getuid() == 0 &&
(pwd->pw_fields & _PWF_SOURCE) == _PWF_NIS) {
yp_domain = yp_server = NULL;
(void)pam_get_data(pamh, "yp_domain", &yp_domain);
(void)pam_get_data(pamh, "yp_server", &yp_server);
ypclnt = ypclnt_new(yp_domain, "passwd.byname", yp_server);
if (ypclnt == NULL)
return (PAM_BUF_ERR);
if (ypclnt_connect(ypclnt) == -1) {
ypclnt_free(ypclnt);
return (PAM_SERVICE_ERR);
}
retval = ypclnt_havepasswdd(ypclnt);
ypclnt_free(ypclnt);
if (retval == 1)
return (pam_set_item(pamh, PAM_OLDAUTHTOK, ""));
else if (retval == -1)
return (PAM_SERVICE_ERR);
}
#endif
if (pwd->pw_passwd[0] == '\0'
&& openpam_get_option(pamh, PAM_OPT_NULLOK)) {
/*
* No password case. XXX Are we giving too much away
* by not prompting for a password?
* XXX check PAM_DISALLOW_NULL_AUTHTOK
*/
old_pass = "";
retval = PAM_SUCCESS;
} else {
retval = pam_get_authtok(pamh,
PAM_OLDAUTHTOK, &old_pass, NULL);
if (retval != PAM_SUCCESS)
return (retval);
}
PAM_LOG("Got old password");
/* always encrypt first */
encrypted = crypt(old_pass, pwd->pw_passwd);
if (old_pass[0] == '\0' &&
!openpam_get_option(pamh, PAM_OPT_NULLOK))
return (PAM_PERM_DENIED);
if (strcmp(encrypted, pwd->pw_passwd) != 0)
return (PAM_PERM_DENIED);
}
else if (flags & PAM_UPDATE_AUTHTOK) {
PAM_LOG("UPDATE round");
retval = pam_get_authtok(pamh,
PAM_OLDAUTHTOK, &old_pass, NULL);
if (retval != PAM_SUCCESS)
return (retval);
PAM_LOG("Got old password");
/* get new password */
for (;;) {
retval = pam_get_authtok(pamh,
PAM_AUTHTOK, &new_pass, NULL);
if (retval != PAM_TRY_AGAIN)
break;
pam_error(pamh, "Mismatch; try again, EOF to quit.");
}
PAM_LOG("Got new password");
if (retval != PAM_SUCCESS) {
PAM_VERBOSE_ERROR("Unable to get new password");
return (retval);
}
if (getuid() != 0 && new_pass[0] == '\0' &&
!openpam_get_option(pamh, PAM_OPT_NULLOK))
return (PAM_PERM_DENIED);
if ((old_pwd = pw_dup(pwd)) == NULL)
return (PAM_BUF_ERR);
lc = login_getclass(pwd->pw_class);
if (login_setcryptfmt(lc, password_hash, NULL) == NULL)
openpam_log(PAM_LOG_ERROR,
"can't set password cipher, relying on default");
/* set password expiry date */
pwd->pw_change = 0;
passwordtime = login_getcaptime(lc, "passwordtime", 0, 0);
if (passwordtime > 0)
pwd->pw_change = time(NULL) + passwordtime;
login_close(lc);
makesalt(salt);
pwd->pw_passwd = crypt(new_pass, salt);
#ifdef YP
switch (old_pwd->pw_fields & _PWF_SOURCE) {
case _PWF_FILES:
#endif
retval = PAM_SERVICE_ERR;
if (pw_init(NULL, NULL))
openpam_log(PAM_LOG_ERROR, "pw_init() failed");
else if ((pfd = pw_lock()) == -1)
openpam_log(PAM_LOG_ERROR, "pw_lock() failed");
else if ((tfd = pw_tmp(-1)) == -1)
openpam_log(PAM_LOG_ERROR, "pw_tmp() failed");
else if (pw_copy(pfd, tfd, pwd, old_pwd) == -1)
openpam_log(PAM_LOG_ERROR, "pw_copy() failed");
else if (pw_mkdb(pwd->pw_name) == -1)
openpam_log(PAM_LOG_ERROR, "pw_mkdb() failed");
else
retval = PAM_SUCCESS;
pw_fini();
#ifdef YP
break;
case _PWF_NIS:
yp_domain = yp_server = NULL;
(void)pam_get_data(pamh, "yp_domain", &yp_domain);
(void)pam_get_data(pamh, "yp_server", &yp_server);
ypclnt = ypclnt_new(yp_domain,
"passwd.byname", yp_server);
if (ypclnt == NULL) {
retval = PAM_BUF_ERR;
} else if (ypclnt_connect(ypclnt) == -1 ||
ypclnt_passwd(ypclnt, pwd, old_pass) == -1) {
openpam_log(PAM_LOG_ERROR, "%s", ypclnt->error);
retval = PAM_SERVICE_ERR;
} else {
retval = PAM_SUCCESS;
}
ypclnt_free(ypclnt);
break;
default:
openpam_log(PAM_LOG_ERROR, "unsupported source 0x%x",
pwd->pw_fields & _PWF_SOURCE);
retval = PAM_SERVICE_ERR;
}
#endif
free(old_pwd);
}
else {
/* Very bad juju */
retval = PAM_ABORT;
PAM_LOG("Illegal 'flags'");
}
return (retval);
}
/* Mostly stolen from passwd(1)'s local_passwd.c - markm */
static unsigned char itoa64[] = /* 0 ... 63 => ascii - 64 */
"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
static void
to64(char *s, long v, int n)
{
while (--n >= 0) {
*s++ = itoa64[v&0x3f];
v >>= 6;
}
}
/* Salt suitable for traditional DES and MD5 */
static void
makesalt(char salt[SALTSIZE + 1])
{
int i;
/* These are not really random numbers, they are just
* numbers that change to thwart construction of a
* dictionary.
*/
for (i = 0; i < SALTSIZE; i += 4)
to64(&salt[i], arc4random(), 4);
salt[SALTSIZE] = '\0';
}
PAM_MODULE_ENTRY("pam_unix");