author | Seraphim Mellos <mellos@ceid.upatras.gr> | 2008-06-29 15:47:16 +0300 |
committer | Seraphim Mellos <mellos@ceid.upatras.gr> | 2008-06-29 15:47:16 +0300 |
commit | c7c4c0336cacd5e8f680c7acbe8d656d2d90e492 (patch) | |
tree | 2de8f4433931273bc5e842bbf09411198d23cf8f /modules/pam_unix/pam_unix.c | |
parent | Completed pam_nologin (diff) | |
Linux-only branch. All BSD code removed.
Diffstat (limited to 'modules/pam_unix/pam_unix.c')
-rw-r--r-- | modules/pam_unix/pam_unix.c | 160 |
1 files changed, 12 insertions, 148 deletions
diff --git a/modules/pam_unix/pam_unix.c b/modules/pam_unix/pam_unix.c
index e516162..4072938 100644
--- a/modules/pam_unix/pam_unix.c
+++ b/modules/pam_unix/pam_unix.c
@@ -7,7 +7,7 @@
 #include <unistd.h>
 #include <time.h>
 #include <string.h>
-
+#include <shadow.h>
 #ifndef MAXHOSTNAMELEN
 # define MAXHOSTNAMELEN 256
@@ -18,12 +18,7 @@
 #define PAM_SM_PASSWORD
 #define PAM_SM_SESSION
-#ifndef __linux__
-#include <login_cap.h> /* for BSD login classes */
-#include <util.h> /* libutil functions */
-#else
-#include <shadow.h>
-#endif
+
 #define PASSWORD_HASH "md5"
 #define MAX_RETRIES 3
@@ -41,13 +36,11 @@
  * Helper functions for internal use
  */
-#ifdef __linux__
 static int update_shadow( pam_handle_t * pamh , const char * user , const char * newhashedpwd );
 static int update_passwd( pam_handle_t * pamh , const char * user ,const char * newhashedpwd );
 static char * read_shadow(const char * user) ;
-#endif
 static void to64(char *s, long v, int n);
 void makesalt(char salt[SALTSIZE]);
@@ -59,10 +52,6 @@ void makesalt(char salt[SALTSIZE]);
 PAM_EXTERN int
 pam_sm_authenticate(pam_handle_t *pamh, int flags,
 int argc , const char *argv[] ) {
-
-#ifndef __linux__
- login_cap_t *lc;
-#endif
 struct passwd *pwd;
 const char *pass, *crypt_pass, *real_hash, *user;
 int pam_err;
@@ -78,7 +67,7 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags,
 return (pam_err);
 }
- pwd = getpwnam(user);
+ pwd = getpwnam(user);
 }
 PAM_LOG("Authenticating user: [%s]", user);
@@ -86,7 +75,7 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags,
 if (pwd != NULL) {
 PAM_LOG("Doing real authentication");
- pass = pwd->pw_passwd;
+ pass = pwd->pw_passwd;
 if (pass[0] == '\0') {
 if (!(flags & PAM_DISALLOW_NULL_AUTHTOK) && openpam_get_option(pamh, PAM_OPT_NULLOK)){
@@ -94,30 +83,16 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags,
 Authentication succesfull.", user);
 return (PAM_SUCCESS);
 }
-
- real_hash = "*";
- }
-
-#ifndef __linux__
- lc = login_getpwclass(pwd);
-#endif
- } else {
- PAM_LOG("Doing dummy authentication.");
+ }
+ real_hash = "*";
-#ifndef __linux__
- lc = login_getpwclass(NULL);
-#endif
+ } else {
+ PAM_LOG("Doing dummy authentication.");
+ real_hash = "x";
 }
-
-#ifndef __linux__
- prompt = login_getcapstr(lc, "passwd_prompt", NULL, NULL);
- pam_err = pam_get_authtok(pamh, PAM_AUTHTOK, &pass, prompt);
- login_close(lc);
-#else
 pam_err = pam_get_authtok(pamh, PAM_AUTHTOK, (const char **) &pass, NULL);
-#endif
 PAM_LOG("Got password for user [%s]", user);
 if (pam_err == PAM_CONV_ERR)
@@ -125,15 +100,10 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags,
 if (pam_err != PAM_SUCCESS)
 return (PAM_AUTH_ERR);
- /* check passwd entry */
- if ( strncmp(real_hash, "*", sizeof(char)) !=0 ) {
-#ifndef __linux__
- real_hash = pwd->pw_passwd;
-#else
+ if ( strncmp(real_hash, "x", sizeof(char)) != 0 ) {
 real_hash = read_shadow(user);
-#endif
 }
 crypt_pass = crypt(pass,real_hash);
@@ -170,20 +140,11 @@ PAM_EXTERN int
 pam_sm_acct_mgmt(pam_handle_t *pamh, int flags ,
 int argc , const char *argv[] ) {
-#ifndef __linux__
- login_cap_t *lc;
-#endif
-
 struct spwd *pwd;
 int pam_err;
 const char *user;
 time_t curtime;
-#ifndef __linux__
- const void *rhost, *tty;
- char rhostip[MAXHOSTNAMELEN] = "";
-#endif
-
 /* Sanity checks for uname,pwd,tty,host etc */
 pam_err = pam_get_user(pamh, &user, NULL);
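Review bot: The unknown-user branch sets `real_hash = "x"`, and the follow-up check in the `@@ -125` hunk leaves exactly that one-character string as the salt for `crypt(pass, real_hash)`, which is not a well-formed setting for any crypt scheme and gives unknown-user attempts a different cost and failure profile from known-user ones; comparing against a fixed, well-formed dummy hash instead of a marker keeps both paths on the same code. The marker also collides with the `"x"` this module itself writes to the passwd field via `update_passwd(pamh, user, "x")` and that a shadowed system already stores in `pw_passwd`, so the `pass[0] == '\0'` nullok check on `pwd->pw_passwd` is unlikely to ever see an empty string on Linux; the empty-password decision has to be made on what `read_shadow()` returns. Minor: the `(const char **) &pass` cast is redundant, since `pass` is declared `const char *` in this function. pam_sm_authenticate begins before this hunk and continues past it.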
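Review bot: `real_hash = read_shadow(user)` is handed straight to `crypt(pass, real_hash)` with no NULL check, so if `read_shadow()` can fail (no shadow entry, or the shadow file unreadable for the calling process) crypt() would dereference NULL; adding `if (real_hash == NULL) return (PAM_AUTH_ERR);` before the call and `if (crypt_pass == NULL) return (PAM_AUTH_ERR);` after it covers both that and crypt() itself rejecting the setting string, which current libcs report by returning NULL. The condition `strncmp(real_hash, "x", sizeof(char)) != 0` compares a single byte; `strcmp(real_hash, "x") != 0` states the intent directly. read_shadow's body and the rest of pam_sm_authenticate lie outside this hunk.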
@@ -196,47 +157,18 @@ pam_sm_acct_mgmt(pam_handle_t *pamh, int flags ,
 PAM_LOG("Got user [%s]" , user );
-#ifndef __linux__
-
- /*
- * tty/host info are provided by login classes
- * and cannot be used out of the box under Linux
- * for sanity checking (BSD only). May need to
- * be ported/rewritten to work on Linux as well.
- * Time will tell...
- */
- pam_err = pam_get_item(pamh, PAM_RHOST, &rhost);
-
- if (pam_err != PAM_SUCCESS)
- return (pam_err);
-
- pam_err = pam_get_item(pamh, PAM_TTY, &tty);
-
- if (pam_err != PAM_SUCCESS)
- return (pam_err);
-#endif
+
 if (*pwd->sp_pwdp == '\0' && (flags & PAM_DISALLOW_NULL_AUTHTOK) != 0)
 return (PAM_NEW_AUTHTOK_REQD);
-#ifndef __linux__
- lc = login_getpwclass(pwd);
-
- if (lc == NULL) {
- PAM_ERROR("Unable to get login class for user [%s]");
- return (PAM_SERVICE_ERR);
- }
-#endif
 /* Calculate current time */
 curtime = time(NULL) / (60 * 60 * 24);
 /* Check for account expiration */
 if (pwd->sp_expire > 0) {
 fprintf(stdout, "Account expiration data value is %ld\n", pwd->sp_expire);
- if ( (curtime > pwd->sp_expire ) && ( pwd->sp_expire != -1 ) ) {
-#ifndef __linux__
- login_close(lc);
-#endif
+ if ( (curtime > pwd->sp_expire ) && ( pwd->sp_expire != -1 ) ) {
 PAM_ERROR("Account has expired!");
 return (PAM_ACCT_EXPIRED);
 } else if ( ( pwd->sp_expire - curtime < DEFAULT_WARN) ) {
@@ -275,19 +207,6 @@ pam_sm_acct_mgmt(pam_handle_t *pamh, int flags ,
 }
 pam_err = (PAM_SUCCESS);
-#ifndef __linux__
-
- /* validate tty/host/time */
-
- if (!auth_hostok(lc, rhost, rhostip) ||
- !auth_ttyok(lc, tty) ||
- !auth_timeok(lc, time(NULL)))
- pam_err = PAM_AUTH_ERR;
-
-
- login_close(lc);
-#endif
-
 return (pam_err);
 }
@@ -309,11 +228,6 @@ pam_sm_chauthtok(pam_handle_t *pamh, int flags,
 const char *user, *old_pass, *new_pass;
 char *hashedpwd, salt[SALTSIZE+1];
-#ifndef __linux__
- struct passwd *new_pwd;
- login_cap_t * lc;
- int pfd, tfd;
-#endif
 int pam_err, retries;
 /* identify user */
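Review bot: `*pwd->sp_pwdp` is dereferenced with no visible check that `pwd` (a `struct spwd *` assigned before this hunk) is non-NULL; unless the unseen lines between this hunk and the previous one already reject a failed lookup, a user with no shadow entry would crash the calling application here instead of receiving a clean result, e.g. `if (pwd == NULL || pwd->sp_pwdp == NULL) return (PAM_USER_UNKNOWN);`. The retained `fprintf(stdout, "Account expiration data value is %ld\n", pwd->sp_expire);` writes account data to whatever the calling application has on stdout, which is not where a PAM module should report; the file's own `PAM_LOG` macro is the appropriate channel. Inside `if (pwd->sp_expire > 0)` the extra `pwd->sp_expire != -1` test is always true and can be dropped. pam_sm_acct_mgmt starts before this hunk and ends after it.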
@@ -358,7 +272,6 @@ pam_sm_chauthtok(pam_handle_t *pamh, int flags,
 if (flags & PAM_PRELIM_CHECK) {
 PAM_LOG("Doing preliminary actions.");
-
 if (getuid() == 0 ) {
 /* root doesn't need old passwd */
 return (pam_set_item(pamh, PAM_OLDAUTHTOK, ""));
@@ -392,7 +305,6 @@ pam_sm_chauthtok(pam_handle_t *pamh, int flags,
 } else if ( flags & PAM_UPDATE_AUTHTOK ) {
 PAM_LOG("Doing actual update.");
-
 pam_err= pam_get_authtok(pamh, PAM_OLDAUTHTOK ,&old_pass, NULL);
 if (pam_err != PAM_SUCCESS)
@@ -429,44 +341,6 @@ pam_sm_chauthtok(pam_handle_t *pamh, int flags,
 !openpam_get_option(pamh, PAM_OPT_NULLOK))
 return (PAM_PERM_DENIED);
-#ifndef __linux__
-
- /*
- * The BSD way to update the passwd entry. Taken as is
- * from the freebsd-lib module pam_unix. Unfortunately,
- * the following won't work under Linux.
- */
-
- if ((new_pwd = pw_dup(old_pwd)) == NULL)
- return (PAM_BUF_ERR);
-
- new_pwd->pw_change = 0;
- lc = login_getclass(new_pwd->pw_class);
- if (login_setcryptfmt(lc, password_hash, NULL) == NULL)
- openpam_log(PAM_LOG_ERROR,
- "can't set password cipher, relying on default");
-
- login_close(lc);
- makesalt(salt);
- new_pwd->pw_passwd = crypt(new_pass, salt);
-
-
- pam_err = PAM_SERVICE_ERR;
- if (pw_init(NULL, NULL))
- openpam_log(PAM_LOG_ERROR, "pw_init() failed");
- else if ((pfd = pw_lock()) == -1)
- openpam_log(PAM_LOG_ERROR, "pw_lock() failed");
- else if ((tfd = pw_tmp(-1)) == -1)
- openpam_log(PAM_LOG_ERROR, "pw_tmp() failed");
- else if (pw_copy(pfd, tfd, new_pwd, old_pwd) == -1)
- openpam_log(PAM_LOG_ERROR, "pw_copy() failed");
- else if (pw_mkdb(new_pwd->pw_name) == -1)
- openpam_log(PAM_LOG_ERROR, "pw_mkdb() failed");
- else
- pam_err = PAM_SUCCESS;
- pw_fini();
-
-#else
 makesalt(salt);
 /* Update shadow/passwd entries for Linux */
 pam_err = update_shadow( pamh ,user,crypt(new_pass, salt));
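Review bot: `crypt(new_pass, salt)` is passed directly into `update_shadow(pamh, user, ...)` with no NULL check, so a crypt() failure would push a NULL hash into the update path; store the result first and return `PAM_AUTHTOK_ERR` when it is NULL. With the BSD `login_setcryptfmt(lc, password_hash, NULL)` call removed, nothing left on this path applies `PASSWORD_HASH "md5"`: `makesalt()` (see the `@@ -787` hunk) fills all SALTSIZE bytes with salt characters and no `$1$` prefix is added here, so unless that happens elsewhere crypt() will fall back to traditional DES with its 8-character password truncation and two-character salt. Building the setting string as `"$1$"` followed by the salt (and sizing `salt[]` accordingly) would honour the configured hash; a stronger scheme is preferable where the target libc supports it. pam_sm_chauthtok continues beyond this hunk.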
@@ -477,8 +351,6 @@ pam_sm_chauthtok(pam_handle_t *pamh, int flags,
 update_passwd( pamh ,user,"x");
 if ( pam_err != PAM_SUCCESS)
 return (pam_err);
-
-#endif
 PAM_LOG("Password changed for user [%s]", user);
 } else {
@@ -542,8 +414,6 @@ pam_sm_close_session( pam_handle_t * pamh, int flags,
 return PAM_SUCCESS;
 }
-#ifdef __linux__
-
 #define NEW_SHADOW "/etc/.shadow"
 /*
 * Update shadow with new user password
@@ -758,7 +628,6 @@ static char * read_shadow(const char * user) {
 }
-#endif
 /*
 * Mostly stolen from freebsd-lib's pam_unix module which was mostly
@@ -787,12 +656,7 @@ makesalt(char salt[SALTSIZE]) {
 */
 for (i = 0; i < SALTSIZE; i += 4)
-
-#ifndef __linux__
- to64(&salt[i], arc4random(), 4);
-#else
 to64(&salt[i], random(), 4);
-#endif
 salt[SALTSIZE] = '\0';
 }
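Review bot: The Linux path now derives the salt from `random()`, which is not a cryptographic generator and is not seeded anywhere in this hunk, so the salt is predictable and, in an unseeded process, identical from one run to the next; the `arc4random()` call it replaces was the strong source. Read the salt bytes from the kernel random device (/dev/urandom) and feed those to `to64()` instead, and report failure to the caller rather than silently falling back to a fixed sequence. Separately, the parameter is declared `char salt[SALTSIZE]` but the function writes `salt[SALTSIZE] = '\0'`; that is in bounds only because callers such as pam_sm_chauthtok pass `salt[SALTSIZE+1]`, and declaring the parameter `char salt[SALTSIZE + 1]` would make the contract visible. makesalt begins before this hunk.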