Aggressive cleanup of warnings + authtok-related code in preparation for
PAMifying passwd(1). Sponsored by: DARPA, NAI Labs.
This commit is contained in:
parent
7b72a8ff6c
commit
ce173531cb
@ -14,7 +14,7 @@ MODULES += pam_login_access
|
||||
MODULES += pam_nologin
|
||||
MODULES += pam_opie
|
||||
MODULES += pam_opieaccess
|
||||
MODULES += pam_passwdqc
|
||||
#MODULES += pam_passwdqc
|
||||
MODULES += pam_permit
|
||||
MODULES += pam_radius
|
||||
MODULES += pam_rootok
|
||||
|
@ -2,6 +2,13 @@
|
||||
* Copyright 2001 Mark R V Murray
|
||||
* Copyright Frank Cusack fcusack@fcusack.com 1999-2000
|
||||
* All rights reserved
|
||||
* Copyright (c) 2002 Networks Associates Technology, Inc.
|
||||
* All rights reserved.
|
||||
*
|
||||
* Portions of this software were developed for the FreeBSD Project by
|
||||
* ThinkSec AS and NAI Labs, the Security Research Division of Network
|
||||
* Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035
|
||||
* ("CBOSS"), as part of the DARPA CHATS research program.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
@ -200,7 +207,7 @@ __FBSDID("$FreeBSD$");
|
||||
#include <pwd.h>
|
||||
#include <stdio.h>
|
||||
#include <stdlib.h>
|
||||
#include <strings.h>
|
||||
#include <string.h>
|
||||
#include <syslog.h>
|
||||
#include <unistd.h>
|
||||
|
||||
@ -229,7 +236,6 @@ static void compat_free_data_contents(krb5_context, krb5_data *);
|
||||
#define USER_PROMPT "Username: "
|
||||
#define PASSWORD_PROMPT "Password:"
|
||||
#define NEW_PASSWORD_PROMPT "New Password:"
|
||||
#define NEW_PASSWORD_PROMPT_2 "New Password (again):"
|
||||
|
||||
enum { PAM_OPT_AUTH_AS_SELF=PAM_OPT_STD_MAX, PAM_OPT_CCACHE, PAM_OPT_FORWARDABLE, PAM_OPT_NO_CCACHE, PAM_OPT_REUSE_CCACHE };
|
||||
|
||||
@ -258,7 +264,7 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags __unused, int argc, const char
|
||||
struct passwd *pwd;
|
||||
int retval;
|
||||
const char *sourceuser, *user, *pass, *service;
|
||||
char *principal, *princ_name, *cache_name, luser[32];
|
||||
char *principal, *princ_name, *cache_name, luser[32], *srvdup;
|
||||
|
||||
pam_std_option(&options, other_options, argc, argv);
|
||||
|
||||
@ -339,7 +345,7 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags __unused, int argc, const char
|
||||
PAM_LOG("Got principal: %s", princ_name);
|
||||
|
||||
/* Get password */
|
||||
retval = pam_get_pass(pamh, &pass, PASSWORD_PROMPT, &options);
|
||||
retval = pam_get_authtok(pamh, PAM_AUTHTOK, &pass, PASSWORD_PROMPT);
|
||||
if (retval != PAM_SUCCESS)
|
||||
goto cleanup2;
|
||||
|
||||
@ -420,8 +426,14 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags __unused, int argc, const char
|
||||
PAM_LOG("Credentials stashed");
|
||||
|
||||
/* Verify them */
|
||||
if (verify_krb_v5_tgt(pam_context, ccache, (char *)service,
|
||||
pam_test_option(&options, PAM_OPT_FORWARDABLE, NULL)) == -1) {
|
||||
if ((srvdup = strdup(service)) == NULL) {
|
||||
retval = PAM_BUF_ERR;
|
||||
goto cleanup;
|
||||
}
|
||||
krbret = verify_krb_v5_tgt(pam_context, ccache, srvdup,
|
||||
pam_test_option(&options, PAM_OPT_FORWARDABLE, NULL));
|
||||
free(srvdup);
|
||||
if (krbret == -1) {
|
||||
PAM_VERBOSE_ERROR("Kerberos 5 error");
|
||||
krb5_cc_destroy(pam_context, ccache);
|
||||
retval = PAM_AUTH_ERR;
|
||||
@ -809,8 +821,8 @@ pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, const char **argv)
|
||||
krb5_data result_code_string, result_string;
|
||||
struct options options;
|
||||
int result_code, retval;
|
||||
const char *user, *pass, *pass2;
|
||||
char *princ_name;
|
||||
const char *user, *pass;
|
||||
char *princ_name, *passdup;
|
||||
|
||||
pam_std_option(&options, other_options, argc, argv);
|
||||
|
||||
@ -857,7 +869,7 @@ pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, const char **argv)
|
||||
PAM_LOG("Got principal: %s", princ_name);
|
||||
|
||||
/* Get password */
|
||||
retval = pam_get_pass(pamh, &pass, PASSWORD_PROMPT, &options);
|
||||
retval = pam_get_authtok(pamh, PAM_OLDAUTHTOK, &pass, PASSWORD_PROMPT);
|
||||
if (retval != PAM_SUCCESS)
|
||||
goto cleanup2;
|
||||
|
||||
@ -876,27 +888,26 @@ pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, const char **argv)
|
||||
PAM_LOG("Credentials established");
|
||||
|
||||
/* Now get the new password */
|
||||
retval = pam_get_pass(pamh, &pass, NEW_PASSWORD_PROMPT, &options);
|
||||
if (retval != PAM_SUCCESS)
|
||||
goto cleanup;
|
||||
|
||||
retval = pam_get_pass(pamh, &pass2, NEW_PASSWORD_PROMPT_2, &options);
|
||||
if (retval != PAM_SUCCESS)
|
||||
goto cleanup;
|
||||
|
||||
PAM_LOG("Got new password twice");
|
||||
|
||||
if (strcmp(pass, pass2) != 0) {
|
||||
PAM_LOG("Error strcmp(): passwords are different");
|
||||
retval = PAM_AUTHTOK_ERR;
|
||||
goto cleanup;
|
||||
for (;;) {
|
||||
retval = pam_get_authtok(pamh,
|
||||
PAM_AUTHTOK, &pass, NEW_PASSWORD_PROMPT);
|
||||
if (retval != PAM_TRY_AGAIN)
|
||||
break;
|
||||
pam_error(pamh, "Mismatch; try again, EOF to quit.");
|
||||
}
|
||||
if (retval != PAM_SUCCESS)
|
||||
goto cleanup;
|
||||
|
||||
PAM_LOG("New passwords are the same");
|
||||
PAM_LOG("Got new password");
|
||||
|
||||
/* Change it */
|
||||
krbret = krb5_change_password(pam_context, &creds, (char *)pass,
|
||||
if ((passdup = strdup(pass)) == NULL) {
|
||||
retval = PAM_BUF_ERR;
|
||||
goto cleanup;
|
||||
}
|
||||
krbret = krb5_change_password(pam_context, &creds, passdup,
|
||||
&result_code, &result_code_string, &result_string);
|
||||
free(passdup);
|
||||
if (krbret != 0) {
|
||||
PAM_LOG("Error krb5_change_password(): %s",
|
||||
error_message(krbret));
|
||||
|
@ -2,9 +2,7 @@
|
||||
* Copyright 2000 James Bloom
|
||||
* All rights reserved.
|
||||
* Based upon code Copyright 1998 Juniper Networks, Inc.
|
||||
* Copyright (c) 2001 Networks Associates Technology, Inc.
|
||||
* All rights reserved.
|
||||
* Copyright (c) 2002 Networks Associates Technology, Inc.
|
||||
* Copyright (c) 2001,2002 Networks Associates Technology, Inc.
|
||||
* All rights reserved.
|
||||
*
|
||||
* Portions of this software were developed for the FreeBSD Project by
|
||||
@ -124,7 +122,7 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags __unused, int argc, const char
|
||||
|
||||
for (i = 0; i < 2; i++) {
|
||||
snprintf(prompt, sizeof prompt, promptstr[i], challenge);
|
||||
retval = pam_get_authtok(pamh, &response, prompt);
|
||||
retval = pam_get_authtok(pamh, PAM_AUTHTOK, &response, prompt);
|
||||
if (retval != PAM_SUCCESS) {
|
||||
opieunlock();
|
||||
PAM_RETURN(retval);
|
||||
|
@ -1,7 +1,7 @@
|
||||
/*-
|
||||
* Copyright 1998 Juniper Networks, Inc.
|
||||
* All rights reserved.
|
||||
* Copyright (c) 2001 Networks Associates Technology, Inc.
|
||||
* Copyright (c) 2001,2002 Networks Associates Technology, Inc.
|
||||
* All rights reserved.
|
||||
*
|
||||
* Portions of this software were developed for the FreeBSD Project by
|
||||
@ -63,7 +63,7 @@ static struct opttab other_options[] = {
|
||||
};
|
||||
|
||||
#define MAX_CHALLENGE_MSGS 10
|
||||
#define PASSWORD_PROMPT "RADIUS password:"
|
||||
#define PASSWORD_PROMPT "RADIUS Password:"
|
||||
|
||||
static int build_access_request(struct rad_handle *, const char *,
|
||||
const char *, const void *, size_t);
|
||||
@ -237,7 +237,7 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags __unused, int argc, const char
|
||||
|
||||
PAM_LOG("Got user: %s", user);
|
||||
|
||||
retval = pam_get_authtok(pamh, &pass, PASSWORD_PROMPT);
|
||||
retval = pam_get_authtok(pamh, PAM_AUTHTOK, &pass, PASSWORD_PROMPT);
|
||||
if (retval != PAM_SUCCESS)
|
||||
PAM_RETURN(retval);
|
||||
|
||||
|
@ -1,7 +1,7 @@
|
||||
/*-
|
||||
* Copyright (c) 2001 Mark R V Murray
|
||||
* All rights reserved.
|
||||
* Copyright (c) 2001 Networks Associates Technology, Inc.
|
||||
* Copyright (c) 2001,2002 Networks Associates Technology, Inc.
|
||||
* All rights reserved.
|
||||
*
|
||||
* Portions of this software were developed for the FreeBSD Project by
|
||||
@ -74,7 +74,7 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags __unused, int argc, const char
|
||||
|
||||
PAM_LOG("Options processed");
|
||||
|
||||
pam_err = pam_get_item(pamh, PAM_USER, (const void **)&luser);
|
||||
pam_err = pam_get_user(pamh, &luser, NULL);
|
||||
if (pam_err != PAM_SUCCESS)
|
||||
PAM_RETURN(pam_err);
|
||||
if (luser == NULL || (pwd = getpwnam(luser)) == NULL)
|
||||
|
@ -1,7 +1,7 @@
|
||||
/*-
|
||||
* Copyright (c) 1999, 2000 Andrew J. Korty
|
||||
* All rights reserved.
|
||||
* Copyright (c) 2001 Networks Associates Technology, Inc.
|
||||
* Copyright (c) 2001,2002 Networks Associates Technology, Inc.
|
||||
* All rights reserved.
|
||||
*
|
||||
* Portions of this software were developed for the FreeBSD Project by
|
||||
@ -69,12 +69,15 @@ __FBSDID("$FreeBSD$");
|
||||
#include "log.h"
|
||||
#include "pam_ssh.h"
|
||||
|
||||
static void key_cleanup(pam_handle_t *, void *, int);
|
||||
static void ssh_cleanup(pam_handle_t *, void *, int);
|
||||
|
||||
/*
|
||||
* Generic cleanup function for OpenSSH "Key" type.
|
||||
*/
|
||||
|
||||
void
|
||||
key_cleanup(pam_handle_t *pamh, void *data, int error_status)
|
||||
static void
|
||||
key_cleanup(pam_handle_t *pamh __unused, void *data, int err __unused)
|
||||
{
|
||||
if (data)
|
||||
key_free(data);
|
||||
@ -85,8 +88,8 @@ key_cleanup(pam_handle_t *pamh, void *data, int error_status)
|
||||
* Generic PAM cleanup function for this module.
|
||||
*/
|
||||
|
||||
void
|
||||
ssh_cleanup(pam_handle_t *pamh, void *data, int error_status)
|
||||
static void
|
||||
ssh_cleanup(pam_handle_t *pamh __unused, void *data, int err __unused)
|
||||
{
|
||||
if (data)
|
||||
free(data);
|
||||
@ -107,7 +110,7 @@ auth_via_key(pam_handle_t *pamh, const char *file, const char *dir,
|
||||
{
|
||||
char *comment; /* private key comment */
|
||||
char *data_name; /* PAM state */
|
||||
static int index = 0; /* for saved keys */
|
||||
static int key_idx = 0; /* for saved keys */
|
||||
Key *key; /* user's key */
|
||||
char *path; /* to key files */
|
||||
int retval; /* from calls */
|
||||
@ -140,7 +143,7 @@ auth_via_key(pam_handle_t *pamh, const char *file, const char *dir,
|
||||
/* save the key and comment to pass to ssh-agent in the session
|
||||
phase */
|
||||
|
||||
if (!asprintf(&data_name, "ssh_private_key_%d", index)) {
|
||||
if (!asprintf(&data_name, "ssh_private_key_%d", key_idx)) {
|
||||
openpam_log(PAM_LOG_ERROR, "%s: %m", MODULE_NAME);
|
||||
free(comment);
|
||||
return PAM_SERVICE_ERR;
|
||||
@ -152,7 +155,7 @@ auth_via_key(pam_handle_t *pamh, const char *file, const char *dir,
|
||||
free(comment);
|
||||
return retval;
|
||||
}
|
||||
if (!asprintf(&data_name, "ssh_key_comment_%d", index)) {
|
||||
if (!asprintf(&data_name, "ssh_key_comment_%d", key_idx)) {
|
||||
openpam_log(PAM_LOG_ERROR, "%s: %m", MODULE_NAME);
|
||||
free(comment);
|
||||
return PAM_SERVICE_ERR;
|
||||
@ -164,7 +167,7 @@ auth_via_key(pam_handle_t *pamh, const char *file, const char *dir,
|
||||
return retval;
|
||||
}
|
||||
|
||||
++index;
|
||||
++key_idx;
|
||||
return PAM_SUCCESS;
|
||||
}
|
||||
|
||||
@ -175,13 +178,13 @@ auth_via_key(pam_handle_t *pamh, const char *file, const char *dir,
|
||||
*/
|
||||
|
||||
static int
|
||||
add_keys(pam_handle_t *pamh, char *socket)
|
||||
add_keys(pam_handle_t *pamh)
|
||||
{
|
||||
AuthenticationConnection *ac; /* connection to ssh-agent */
|
||||
char *comment; /* private key comment */
|
||||
char *data_name; /* PAM state */
|
||||
int final; /* final return value */
|
||||
int index; /* for saved keys */
|
||||
int key_idx; /* for saved keys */
|
||||
Key *key; /* user's private key */
|
||||
int retval; /* from calls */
|
||||
|
||||
@ -217,8 +220,8 @@ add_keys(pam_handle_t *pamh, char *socket)
|
||||
/* hand off each private key to the agent */
|
||||
|
||||
final = 0;
|
||||
for (index = 0; ; index++) {
|
||||
if (!asprintf(&data_name, "ssh_private_key_%d", index)) {
|
||||
for (key_idx = 0; ; key_idx++) {
|
||||
if (!asprintf(&data_name, "ssh_private_key_%d", key_idx)) {
|
||||
openpam_log(PAM_LOG_ERROR, "%s: %m", MODULE_NAME);
|
||||
ssh_close_authentication_connection(ac);
|
||||
return PAM_SERVICE_ERR;
|
||||
@ -227,7 +230,7 @@ add_keys(pam_handle_t *pamh, char *socket)
|
||||
free(data_name);
|
||||
if (retval != PAM_SUCCESS)
|
||||
break;
|
||||
if (!asprintf(&data_name, "ssh_key_comment_%d", index)) {
|
||||
if (!asprintf(&data_name, "ssh_key_comment_%d", key_idx)) {
|
||||
openpam_log(PAM_LOG_ERROR, "%s: %m", MODULE_NAME);
|
||||
ssh_close_authentication_connection(ac);
|
||||
return PAM_SERVICE_ERR;
|
||||
@ -248,8 +251,8 @@ add_keys(pam_handle_t *pamh, char *socket)
|
||||
|
||||
|
||||
PAM_EXTERN int
|
||||
pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc,
|
||||
const char **argv)
|
||||
pam_sm_authenticate(pam_handle_t *pamh, int flags __unused,
|
||||
int argc, const char **argv)
|
||||
{
|
||||
int authenticated; /* user authenticated? */
|
||||
char *dotdir; /* .ssh dir name */
|
||||
@ -262,7 +265,7 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc,
|
||||
int retval; /* from calls */
|
||||
const char *user; /* username */
|
||||
|
||||
keyfiles = DEF_KEYFILES;
|
||||
keyfiles = NULL;
|
||||
options = 0;
|
||||
for (; argc; argc--, argv++)
|
||||
if (strncmp(*argv, OPT_KEYFILES "=", sizeof OPT_KEYFILES)
|
||||
@ -282,8 +285,8 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc,
|
||||
|
||||
/* pass prompt message to application and receive passphrase */
|
||||
|
||||
if ((retval = pam_get_authtok(pamh, &pass, NEED_PASSPHRASE))
|
||||
!= PAM_SUCCESS)
|
||||
retval = pam_get_authtok(pamh, PAM_AUTHTOK, &pass, NEED_PASSPHRASE);
|
||||
if (retval != PAM_SUCCESS)
|
||||
return retval;
|
||||
|
||||
OpenSSL_add_all_algorithms(); /* required for DSA */
|
||||
@ -297,7 +300,7 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc,
|
||||
return PAM_SERVICE_ERR;
|
||||
}
|
||||
authenticated = 0;
|
||||
keyfiles = strdup(keyfiles);
|
||||
keyfiles = strdup(keyfiles ? keyfiles : DEF_KEYFILES);
|
||||
for (file = strtok(keyfiles, SEP_KEYFILES); file;
|
||||
file = strtok(NULL, SEP_KEYFILES))
|
||||
if (auth_via_key(pamh, file, dotdir, pwent, pass) ==
|
||||
@ -327,15 +330,16 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc,
|
||||
|
||||
|
||||
PAM_EXTERN int
|
||||
pam_sm_setcred(pam_handle_t *pamh, int flags, int argc, const char **argv)
|
||||
pam_sm_setcred(pam_handle_t *pamh __unused, int flags __unused,
|
||||
int argc __unused, const char **argv __unused)
|
||||
{
|
||||
return PAM_SUCCESS;
|
||||
}
|
||||
|
||||
|
||||
PAM_EXTERN int
|
||||
pam_sm_open_session(pam_handle_t *pamh, int flags, int argc,
|
||||
const char **argv)
|
||||
pam_sm_open_session(pam_handle_t *pamh, int flags __unused,
|
||||
int argc __unused, const char **argv __unused)
|
||||
{
|
||||
char *agent_socket; /* agent socket */
|
||||
char *env_end; /* end of env */
|
||||
@ -525,7 +529,7 @@ pam_sm_open_session(pam_handle_t *pamh, int flags, int argc,
|
||||
if (!agent_socket)
|
||||
return PAM_SESSION_ERR;
|
||||
|
||||
if (start_agent && (retval = add_keys(pamh, agent_socket))
|
||||
if (start_agent && (retval = add_keys(pamh))
|
||||
!= PAM_SUCCESS)
|
||||
return retval;
|
||||
free(agent_socket);
|
||||
@ -565,8 +569,8 @@ pam_sm_open_session(pam_handle_t *pamh, int flags, int argc,
|
||||
|
||||
|
||||
PAM_EXTERN int
|
||||
pam_sm_close_session(pam_handle_t *pamh, int flags, int argc,
|
||||
const char **argv)
|
||||
pam_sm_close_session(pam_handle_t *pamh, int flags __unused,
|
||||
int argc __unused, const char **argv __unused)
|
||||
{
|
||||
const char *env_file; /* ssh-agent environment */
|
||||
pid_t pid; /* ssh-agent process id */
|
||||
@ -600,7 +604,7 @@ pam_sm_close_session(pam_handle_t *pamh, int flags, int argc,
|
||||
just call kill(). */
|
||||
|
||||
pid = atoi(ssh_agent_pid);
|
||||
if (ssh_agent_pid <= 0)
|
||||
if (pid <= 0)
|
||||
return PAM_SESSION_ERR;
|
||||
if (kill(pid, SIGTERM) != 0) {
|
||||
openpam_log(PAM_LOG_ERROR, "%s: %s: %m", MODULE_NAME,
|
||||
@ -612,15 +616,15 @@ pam_sm_close_session(pam_handle_t *pamh, int flags, int argc,
|
||||
}
|
||||
|
||||
PAM_EXTERN int
|
||||
pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, int argc,
|
||||
const char **argv)
|
||||
pam_sm_acct_mgmt(pam_handle_t *pamh __unused, int flags __unused,
|
||||
int argc __unused, const char **argv __unused)
|
||||
{
|
||||
return (PAM_IGNORE);
|
||||
}
|
||||
|
||||
PAM_EXTERN int
|
||||
pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc,
|
||||
const char **argv)
|
||||
pam_sm_chauthtok(pam_handle_t *pamh __unused, int flags __unused,
|
||||
int argc __unused, const char **argv __unused)
|
||||
{
|
||||
return (PAM_IGNORE);
|
||||
}
|
||||
|
@ -1,7 +1,7 @@
|
||||
/*-
|
||||
* Copyright 1998 Juniper Networks, Inc.
|
||||
* All rights reserved.
|
||||
* Copyright (c) 2001 Networks Associates Technology, Inc.
|
||||
* Copyright (c) 2001,2002 Networks Associates Technology, Inc.
|
||||
* All rights reserved.
|
||||
*
|
||||
* Portions of this software were developed for the FreeBSD Project by
|
||||
@ -226,11 +226,11 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags __unused, int argc,
|
||||
PAM_RETURN(PAM_SERVICE_ERR);
|
||||
if (status == TAC_AUTHEN_STATUS_GETUSER)
|
||||
retval = pam_get_user(pamh, &user_msg,
|
||||
srvr_msg[0] != '\0' ? srvr_msg : NULL);
|
||||
*srvr_msg ? srvr_msg : NULL);
|
||||
else if (status == TAC_AUTHEN_STATUS_GETPASS)
|
||||
retval = pam_get_authtok(pamh, &user_msg,
|
||||
srvr_msg[0] != '\0' ? srvr_msg :
|
||||
"Password:");
|
||||
retval = pam_get_authtok(pamh,
|
||||
PAM_AUTHTOK, &user_msg,
|
||||
*srvr_msg ? srvr_msg : "Password:");
|
||||
free(srvr_msg);
|
||||
if (retval != PAM_SUCCESS) {
|
||||
/* XXX - send a TACACS+ abort packet */
|
||||
@ -247,9 +247,7 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags __unused, int argc,
|
||||
retval = pam_prompt(pamh,
|
||||
pam_test_option(&options, PAM_OPT_ECHO_PASS, NULL)
|
||||
? PAM_PROMPT_ECHO_ON : PAM_PROMPT_ECHO_OFF,
|
||||
&data_msg,
|
||||
"%s",
|
||||
srvr_msg[0] != '\0' ? srvr_msg : "Data:");
|
||||
&data_msg, "%s", *srvr_msg ? srvr_msg : "Data:");
|
||||
free(srvr_msg);
|
||||
if (retval != PAM_SUCCESS) {
|
||||
/* XXX - send a TACACS+ abort packet */
|
||||
|
@ -76,21 +76,13 @@ __FBSDID("$FreeBSD$");
|
||||
#include <security/pam_modules.h>
|
||||
#include <security/pam_mod_misc.h>
|
||||
|
||||
#define USER_PROMPT "Username: "
|
||||
#define PASSWORD_PROMPT "Password:"
|
||||
#define PASSWORD_PROMPT_EXPIRED "\nPassword expired\nOld Password:"
|
||||
#define NEW_PASSWORD_PROMPT_1 "New Password:"
|
||||
#define NEW_PASSWORD_PROMPT_2 "New Password (again):"
|
||||
#define PASSWORD_HASH "md5"
|
||||
#define DEFAULT_WARN (2L * 7L * 86400L) /* Two weeks */
|
||||
#define MAX_TRIES 3
|
||||
#define SALTSIZE 32
|
||||
|
||||
static void makesalt(char []);
|
||||
|
||||
static char password_prompt_def[] = PASSWORD_PROMPT;
|
||||
static char password_hash[] = PASSWORD_HASH;
|
||||
static char blank[] = "";
|
||||
static char colon[] = ":";
|
||||
|
||||
enum {
|
||||
@ -149,7 +141,7 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags __unused, int argc, const char
|
||||
|
||||
lc = login_getclass(NULL);
|
||||
password_prompt = login_getcapstr(lc, "passwd_prompt",
|
||||
password_prompt_def, password_prompt_def);
|
||||
password_prompt, NULL);
|
||||
login_close(lc);
|
||||
lc = NULL;
|
||||
|
||||
@ -167,7 +159,8 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags __unused, int argc, const char
|
||||
PAM_RETURN(PAM_SUCCESS);
|
||||
}
|
||||
else {
|
||||
retval = pam_get_authtok(pamh, &pass, password_prompt);
|
||||
retval = pam_get_authtok(pamh, PAM_AUTHTOK,
|
||||
&pass, password_prompt);
|
||||
if (retval != PAM_SUCCESS)
|
||||
PAM_RETURN(retval);
|
||||
PAM_LOG("Got password");
|
||||
@ -190,7 +183,8 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags __unused, int argc, const char
|
||||
* User unknown.
|
||||
* Encrypt a dummy password so as to not give away too much.
|
||||
*/
|
||||
retval = pam_get_authtok(pamh, &pass, password_prompt);
|
||||
retval = pam_get_authtok(pamh,
|
||||
PAM_AUTHTOK, &pass, password_prompt);
|
||||
if (retval != PAM_SUCCESS)
|
||||
PAM_RETURN(retval);
|
||||
PAM_LOG("Got password");
|
||||
@ -240,7 +234,7 @@ pam_sm_acct_mgmt(pam_handle_t *pamh, int flags __unused, int argc, const char **
|
||||
|
||||
PAM_LOG("Options processed");
|
||||
|
||||
retval = pam_get_item(pamh, PAM_USER, (const void **)&user);
|
||||
retval = pam_get_user(pamh, &user, NULL);
|
||||
if (retval != PAM_SUCCESS)
|
||||
PAM_RETURN(retval);
|
||||
|
||||
@ -375,9 +369,9 @@ pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, const char **argv)
|
||||
{
|
||||
struct options options;
|
||||
struct passwd *pwd;
|
||||
int retval, retry, res, got;
|
||||
const char *user, *pass;
|
||||
char *new_pass, *new_pass_, *encrypted, *usrdup;
|
||||
const char *user, *pass, *new_pass;
|
||||
char *encrypted, *usrdup;
|
||||
int retval, res;
|
||||
|
||||
pam_std_option(&options, other_options, argc, argv);
|
||||
|
||||
@ -403,83 +397,48 @@ pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, const char **argv)
|
||||
/*
|
||||
* No password case. XXX Are we giving too much away
|
||||
* by not prompting for a password?
|
||||
* XXX check PAM_DISALLOW_NULL_AUTHTOK
|
||||
*/
|
||||
PAM_LOG("No password, and null password OK");
|
||||
PAM_LOG("Got password");
|
||||
PAM_RETURN(PAM_SUCCESS);
|
||||
}
|
||||
else {
|
||||
retval = pam_get_authtok(pamh, &pass,
|
||||
PASSWORD_PROMPT_EXPIRED);
|
||||
retval = pam_get_authtok(pamh,
|
||||
PAM_OLDAUTHTOK, &pass, NULL);
|
||||
if (retval != PAM_SUCCESS)
|
||||
PAM_RETURN(retval);
|
||||
PAM_LOG("Got password: %s", pass);
|
||||
PAM_LOG("Got password");
|
||||
}
|
||||
encrypted = crypt(pass, pwd->pw_passwd);
|
||||
if (pass[0] == '\0' && pwd->pw_passwd[0] != '\0')
|
||||
encrypted = colon;
|
||||
|
||||
PAM_LOG("Encrypted password 1 is: %s", encrypted);
|
||||
PAM_LOG("Encrypted password 2 is: %s", pwd->pw_passwd);
|
||||
|
||||
if (strcmp(encrypted, pwd->pw_passwd) != 0)
|
||||
if (strcmp(encrypted, pwd->pw_passwd) != 0) {
|
||||
pam_set_item(pamh, PAM_OLDAUTHTOK, NULL);
|
||||
PAM_RETURN(PAM_AUTH_ERR);
|
||||
|
||||
retval = pam_set_item(pamh, PAM_OLDAUTHTOK, (const void *)pass);
|
||||
pass = NULL;
|
||||
if (retval != PAM_SUCCESS)
|
||||
PAM_RETURN(retval);
|
||||
|
||||
PAM_LOG("Stashed old password");
|
||||
|
||||
retval = pam_set_item(pamh, PAM_AUTHTOK, (const void *)pass);
|
||||
if (retval != PAM_SUCCESS)
|
||||
PAM_RETURN(retval);
|
||||
|
||||
PAM_LOG("Voided old password");
|
||||
}
|
||||
|
||||
PAM_RETURN(PAM_SUCCESS);
|
||||
}
|
||||
else if (flags & PAM_UPDATE_AUTHTOK) {
|
||||
PAM_LOG("UPDATE round; checking user password");
|
||||
|
||||
retval = pam_get_item(pamh, PAM_OLDAUTHTOK,
|
||||
(const void **)&pass);
|
||||
retval = pam_get_authtok(pamh, PAM_OLDAUTHTOK, &pass, NULL);
|
||||
if (retval != PAM_SUCCESS)
|
||||
PAM_RETURN(retval);
|
||||
|
||||
PAM_LOG("Got old password: %s", pass);
|
||||
PAM_LOG("Got old password");
|
||||
|
||||
got = 0;
|
||||
retry = 0;
|
||||
while (retry++ < MAX_TRIES) {
|
||||
new_pass = NULL;
|
||||
retval = pam_prompt(pamh, PAM_PROMPT_ECHO_OFF,
|
||||
&new_pass, "%s", NEW_PASSWORD_PROMPT_1);
|
||||
|
||||
if (new_pass == NULL)
|
||||
new_pass = blank;
|
||||
|
||||
if (retval == PAM_SUCCESS) {
|
||||
new_pass_ = NULL;
|
||||
retval = pam_prompt(pamh, PAM_PROMPT_ECHO_OFF,
|
||||
&new_pass_, "%s", NEW_PASSWORD_PROMPT_2);
|
||||
|
||||
if (new_pass_ == NULL)
|
||||
new_pass_ = blank;
|
||||
|
||||
if (retval == PAM_SUCCESS) {
|
||||
if (strcmp(new_pass, new_pass_) == 0) {
|
||||
got = 1;
|
||||
break;
|
||||
}
|
||||
else
|
||||
PAM_VERBOSE_ERROR("Password mismatch");
|
||||
}
|
||||
}
|
||||
for (;;) {
|
||||
retval = pam_get_authtok(pamh,
|
||||
PAM_AUTHTOK, &new_pass, NULL);
|
||||
if (retval != PAM_TRY_AGAIN)
|
||||
break;
|
||||
pam_error(pamh, "Mismatch; try again, EOF to quit.");
|
||||
}
|
||||
|
||||
if (!got) {
|
||||
PAM_VERBOSE_ERROR("Unable to get valid password");
|
||||
if (retval != PAM_SUCCESS) {
|
||||
PAM_VERBOSE_ERROR("Unable to get new password");
|
||||
PAM_RETURN(PAM_PERM_DENIED);
|
||||
}
|
||||
|
||||
@ -523,10 +482,6 @@ pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, const char **argv)
|
||||
#else
|
||||
retval = local_passwd(user, new_pass);
|
||||
#endif
|
||||
|
||||
/* XXX wipe the mem as well */
|
||||
pass = NULL;
|
||||
new_pass = NULL;
|
||||
}
|
||||
else {
|
||||
/* Very bad juju */
|
||||
@ -556,7 +511,6 @@ local_passwd(const char *user, const char *pass)
|
||||
{
|
||||
login_cap_t * lc;
|
||||
struct passwd *pwd;
|
||||
struct timeval tv;
|
||||
int pfd, tfd;
|
||||
char *crypt_type, salt[SALTSIZE + 1];
|
||||
|
||||
@ -598,16 +552,13 @@ local_passwd(const char *user, const char *pass)
|
||||
int
|
||||
yp_passwd(const char *user __unused, const char *pass)
|
||||
{
|
||||
struct yppasswd yppwd;
|
||||
struct master_yppasswd master_yppwd;
|
||||
struct passwd *pwd;
|
||||
struct rpc_err err;
|
||||
struct timeval tv;
|
||||
struct yppasswd yppwd;
|
||||
CLIENT *clnt;
|
||||
login_cap_t *lc;
|
||||
int *status;
|
||||
gid_t gid;
|
||||
pid_t pid;
|
||||
uid_t uid;
|
||||
char *master, sockname[] = YP_SOCKNAME, salt[SALTSIZE + 1];
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user