aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorSeraphim Mellos <mellos@ceid.upatras.gr>2008-06-29 15:47:16 +0300
committerSeraphim Mellos <mellos@ceid.upatras.gr>2008-06-29 15:47:16 +0300
commitc7c4c0336cacd5e8f680c7acbe8d656d2d90e492 (patch)
tree2de8f4433931273bc5e842bbf09411198d23cf8f /modules/pam_unix/pam_unix.c
parentCompleted pam_nologin (diff)
downloadopenpam-modules-c7c4c0336cacd5e8f680c7acbe8d656d2d90e492.tar.gz
openpam-modules-c7c4c0336cacd5e8f680c7acbe8d656d2d90e492.tar.bz2
openpam-modules-c7c4c0336cacd5e8f680c7acbe8d656d2d90e492.zip
Linux only branch. All BSD code removed
Diffstat (limited to 'modules/pam_unix/pam_unix.c')
-rw-r--r--modules/pam_unix/pam_unix.c160
1 files changed, 12 insertions, 148 deletions
diff --git a/modules/pam_unix/pam_unix.c b/modules/pam_unix/pam_unix.c
index e516162..4072938 100644
--- a/modules/pam_unix/pam_unix.c
+++ b/modules/pam_unix/pam_unix.c
@@ -7,7 +7,7 @@
#include <unistd.h>
#include <time.h>
#include <string.h>
-
+#include <shadow.h>
#ifndef MAXHOSTNAMELEN
# define MAXHOSTNAMELEN 256
@@ -18,12 +18,7 @@
#define PAM_SM_PASSWORD
#define PAM_SM_SESSION
-#ifndef __linux__
-#include <login_cap.h> /* for BSD login classes */
-#include <util.h> /* libutil functions */
-#else
-#include <shadow.h>
-#endif
+
#define PASSWORD_HASH "md5"
#define MAX_RETRIES 3
@@ -41,13 +36,11 @@
* Helper functions for internal use
*/
-#ifdef __linux__
static int update_shadow( pam_handle_t * pamh ,
const char * user , const char * newhashedpwd );
static int update_passwd( pam_handle_t * pamh ,
const char * user ,const char * newhashedpwd );
static char * read_shadow(const char * user) ;
-#endif
static void to64(char *s, long v, int n);
void makesalt(char salt[SALTSIZE]);
@@ -59,10 +52,6 @@ void makesalt(char salt[SALTSIZE]);
PAM_EXTERN int
pam_sm_authenticate(pam_handle_t *pamh, int flags,
int argc , const char *argv[] ) {
-
-#ifndef __linux__
- login_cap_t *lc;
-#endif
struct passwd *pwd;
const char *pass, *crypt_pass, *real_hash, *user;
int pam_err;
@@ -78,7 +67,7 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags,
return (pam_err);
}
- pwd = getpwnam(user);
+ pwd = getpwnam(user);
}
PAM_LOG("Authenticating user: [%s]", user);
@@ -86,7 +75,7 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags,
if (pwd != NULL) {
PAM_LOG("Doing real authentication");
- pass = pwd->pw_passwd;
+ pass = pwd->pw_passwd;
if (pass[0] == '\0') {
if (!(flags & PAM_DISALLOW_NULL_AUTHTOK) &&
openpam_get_option(pamh, PAM_OPT_NULLOK)){
@@ -94,30 +83,16 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags,
Authentication succesfull.", user);
return (PAM_SUCCESS);
}
-
- real_hash = "*";
- }
-
-#ifndef __linux__
- lc = login_getpwclass(pwd);
-#endif
- } else {
- PAM_LOG("Doing dummy authentication.");
+ }
+
real_hash = "*";
-#ifndef __linux__
- lc = login_getpwclass(NULL);
-#endif
+ } else {
+ PAM_LOG("Doing dummy authentication.");
+ real_hash = "x";
}
-
-#ifndef __linux__
- prompt = login_getcapstr(lc, "passwd_prompt", NULL, NULL);
- pam_err = pam_get_authtok(pamh, PAM_AUTHTOK, &pass, prompt);
- login_close(lc);
-#else
pam_err = pam_get_authtok(pamh, PAM_AUTHTOK, (const char **) &pass, NULL);
-#endif
PAM_LOG("Got password for user [%s]", user);
if (pam_err == PAM_CONV_ERR)
@@ -125,15 +100,10 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags,
if (pam_err != PAM_SUCCESS)
return (PAM_AUTH_ERR);
-
/* check passwd entry */
- if ( strncmp(real_hash, "*", sizeof(char)) !=0 ) {
-#ifndef __linux__
- real_hash = pwd->pw_passwd;
-#else
+ if ( strncmp(real_hash, "x", sizeof(char)) != 0 ) {
real_hash = read_shadow(user);
-#endif
}
crypt_pass = crypt(pass,real_hash);
@@ -170,20 +140,11 @@ PAM_EXTERN int
pam_sm_acct_mgmt(pam_handle_t *pamh, int flags ,
int argc , const char *argv[] ) {
-#ifndef __linux__
- login_cap_t *lc;
-#endif
-
struct spwd *pwd;
int pam_err;
const char *user;
time_t curtime;
-#ifndef __linux__
- const void *rhost, *tty;
- char rhostip[MAXHOSTNAMELEN] = "";
-#endif
-
/* Sanity checks for uname,pwd,tty,host etc */
pam_err = pam_get_user(pamh, &user, NULL);
@@ -196,47 +157,18 @@ pam_sm_acct_mgmt(pam_handle_t *pamh, int flags ,
PAM_LOG("Got user [%s]" , user );
-#ifndef __linux__
-
- /*
- * tty/host info are provided by login classes
- * and cannot be used out of the box under Linux
- * for sanity checking (BSD only). May need to
- * be ported/rewritten to work on Linux as well.
- * Time will tell...
- */
- pam_err = pam_get_item(pamh, PAM_RHOST, &rhost);
-
- if (pam_err != PAM_SUCCESS)
- return (pam_err);
-
- pam_err = pam_get_item(pamh, PAM_TTY, &tty);
-
- if (pam_err != PAM_SUCCESS)
- return (pam_err);
-#endif
+
if (*pwd->sp_pwdp == '\0' &&
(flags & PAM_DISALLOW_NULL_AUTHTOK) != 0)
return (PAM_NEW_AUTHTOK_REQD);
-#ifndef __linux__
- lc = login_getpwclass(pwd);
-
- if (lc == NULL) {
- PAM_ERROR("Unable to get login class for user [%s]");
- return (PAM_SERVICE_ERR);
- }
-#endif
/* Calculate current time */
curtime = time(NULL) / (60 * 60 * 24);
/* Check for account expiration */
if (pwd->sp_expire > 0) {
fprintf(stdout, "Account expiration data value is %ld\n", pwd->sp_expire);
- if ( (curtime > pwd->sp_expire ) && ( pwd->sp_expire != -1 ) ) {
-#ifndef __linux__
- login_close(lc);
-#endif
+ if ( (curtime > pwd->sp_expire ) && ( pwd->sp_expire != -1 ) ) {
PAM_ERROR("Account has expired!");
return (PAM_ACCT_EXPIRED);
} else if ( ( pwd->sp_expire - curtime < DEFAULT_WARN) ) {
@@ -275,19 +207,6 @@ pam_sm_acct_mgmt(pam_handle_t *pamh, int flags ,
}
pam_err = (PAM_SUCCESS);
-#ifndef __linux__
-
- /* validate tty/host/time */
-
- if (!auth_hostok(lc, rhost, rhostip) ||
- !auth_ttyok(lc, tty) ||
- !auth_timeok(lc, time(NULL)))
- pam_err = PAM_AUTH_ERR;
-
-
- login_close(lc);
-#endif
-
return (pam_err);
}
@@ -309,11 +228,6 @@ pam_sm_chauthtok(pam_handle_t *pamh, int flags,
const char *user, *old_pass, *new_pass;
char *hashedpwd, salt[SALTSIZE+1];
-#ifndef __linux__
- struct passwd *new_pwd;
- login_cap_t * lc;
- int pfd, tfd;
-#endif
int pam_err, retries;
/* identify user */
@@ -358,7 +272,6 @@ pam_sm_chauthtok(pam_handle_t *pamh, int flags,
if (flags & PAM_PRELIM_CHECK) {
PAM_LOG("Doing preliminary actions.");
-
if (getuid() == 0 ) {
/* root doesn't need old passwd */
return (pam_set_item(pamh, PAM_OLDAUTHTOK, ""));
@@ -392,7 +305,6 @@ pam_sm_chauthtok(pam_handle_t *pamh, int flags,
} else if ( flags & PAM_UPDATE_AUTHTOK ) {
PAM_LOG("Doing actual update.");
-
pam_err= pam_get_authtok(pamh, PAM_OLDAUTHTOK ,&old_pass, NULL);
if (pam_err != PAM_SUCCESS)
@@ -429,44 +341,6 @@ pam_sm_chauthtok(pam_handle_t *pamh, int flags,
!openpam_get_option(pamh, PAM_OPT_NULLOK))
return (PAM_PERM_DENIED);
-#ifndef __linux__
-
- /*
- * The BSD way to update the passwd entry. Taken as is
- * from the freebsd-lib module pam_unix. Unfortunately,
- * the following won't work under Linux.
- */
-
- if ((new_pwd = pw_dup(old_pwd)) == NULL)
- return (PAM_BUF_ERR);
-
- new_pwd->pw_change = 0;
- lc = login_getclass(new_pwd->pw_class);
- if (login_setcryptfmt(lc, password_hash, NULL) == NULL)
- openpam_log(PAM_LOG_ERROR,
- "can't set password cipher, relying on default");
-
- login_close(lc);
- makesalt(salt);
- new_pwd->pw_passwd = crypt(new_pass, salt);
-
-
- pam_err = PAM_SERVICE_ERR;
- if (pw_init(NULL, NULL))
- openpam_log(PAM_LOG_ERROR, "pw_init() failed");
- else if ((pfd = pw_lock()) == -1)
- openpam_log(PAM_LOG_ERROR, "pw_lock() failed");
- else if ((tfd = pw_tmp(-1)) == -1)
- openpam_log(PAM_LOG_ERROR, "pw_tmp() failed");
- else if (pw_copy(pfd, tfd, new_pwd, old_pwd) == -1)
- openpam_log(PAM_LOG_ERROR, "pw_copy() failed");
- else if (pw_mkdb(new_pwd->pw_name) == -1)
- openpam_log(PAM_LOG_ERROR, "pw_mkdb() failed");
- else
- pam_err = PAM_SUCCESS;
- pw_fini();
-
-#else
makesalt(salt);
/* Update shadow/passwd entries for Linux */
pam_err = update_shadow( pamh ,user,crypt(new_pass, salt));
@@ -477,8 +351,6 @@ pam_sm_chauthtok(pam_handle_t *pamh, int flags,
update_passwd( pamh ,user,"x");
if ( pam_err != PAM_SUCCESS)
return (pam_err);
-
-#endif
PAM_LOG("Password changed for user [%s]", user);
} else {
@@ -542,8 +414,6 @@ pam_sm_close_session( pam_handle_t * pamh, int flags,
return PAM_SUCCESS;
}
-#ifdef __linux__
-
#define NEW_SHADOW "/etc/.shadow"
/*
* Update shadow with new user password
@@ -758,7 +628,6 @@ static char * read_shadow(const char * user) {
}
-#endif
/*
* Mostly stolen from freebsd-lib's pam_unix module which was mostly
@@ -787,12 +656,7 @@ makesalt(char salt[SALTSIZE]) {
*/
for (i = 0; i < SALTSIZE; i += 4)
-
-#ifndef __linux__
- to64(&salt[i], arc4random(), 4);
-#else
to64(&salt[i], random(), 4);
-#endif
salt[SALTSIZE] = '\0';
}