aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorSeraphim Mellos <mellos@ceid.upatras.gr>2008-06-16 18:48:53 +0300
committerSeraphim Mellos <mellos@ceid.upatras.gr>2008-06-16 18:48:53 +0300
commit7e7b7c099fa15b0e2511253d999f214821765549 (patch)
tree7cf7708846e4a543e85a364f60c9bc57579d8bb5 /modules/pam_unix/pam_unix.c~
parentSolved some issues with passwd/shadow (diff)
downloadopenpam-modules-7e7b7c099fa15b0e2511253d999f214821765549.tar.gz
openpam-modules-7e7b7c099fa15b0e2511253d999f214821765549.tar.bz2
openpam-modules-7e7b7c099fa15b0e2511253d999f214821765549.zip
Worked on pam_chauthtok for pam_unix
Diffstat (limited to 'modules/pam_unix/pam_unix.c~')
-rw-r--r--modules/pam_unix/pam_unix.c~150
1 files changed, 146 insertions, 4 deletions
diff --git a/modules/pam_unix/pam_unix.c~ b/modules/pam_unix/pam_unix.c~
index 72dbac0..06f335c 100644
--- a/modules/pam_unix/pam_unix.c~
+++ b/modules/pam_unix/pam_unix.c~
@@ -23,6 +23,7 @@
#define PASSWORD_HASH "md5"
+#define MAX_RETRIES 3
#define DEFAULT_WARN (2L * 7L * 86400L) /* two weeks */
#define SALTSIZE 32
@@ -264,8 +265,11 @@ pam_sm_chautok(pam_handle_t *pamh, int flags,
*/
struct passwd *new_pwd, *old_pwd;
const char *user, *old_pass, *new_pass;
- char *hashedpwd;
- int pam_err;
+ char *hashedpwd ;
+#ifndef __linux__
+ login_cap_t * lc;
+#endif
+ int pam_err, retries;
/* identify user */
@@ -307,7 +311,7 @@ pam_sm_chautok(pam_handle_t *pamh, int flags,
if (flags & PAM_PRELIM_CHECK) {
- PAM_LOG("PRELIM round");
+ PAM_LOG("Doing preliminary actions.");
if (getuid() == 0 ) {
/* root doesn't need old passwd */
@@ -322,15 +326,153 @@ pam_sm_chautok(pam_handle_t *pamh, int flags,
* ask for a password.
*/
old_pass = "";
+ } else {
+ pam_err = pam_get_authtok(pamh,PAM_OLDAUTHTOK,
+ &old_pass, NULL);
+ if (pam_err != PAM_SUCCESS )
+ return (pam_err);
+
+ }
+
+ PAM_LOG("Got old token for user [%s].",user);
+
+ hashedpwd = crypt(old_pass, old_pwd->pw_passwd);
+
+ if (old_pass[0] == '\0' && !openpam_get_option(pamh, PAM_OPT_NULLOK))
+ return (PAM_PERM_DENIED);
+
+ if (strcmp(hashedpwd, old_pwd->pw_passwd) != 0)
+ return (PAM_PERM_DENIED);
+
+ } else if ( flags & PAM_UPDATE_AUTHTOK ) {
+
+ PAM_LOG("Doing actual update.");
+
+ pam_err= pam_get_authtok(pamh, PAM_OLDAUTHTOK ,&old_pass, NULL);
+
+ if (pam_err != PAM_SUCCESS)
+ return (pam_err);
+
+ PAM_LOG("Got old password");
+
+ retries = 0;
+ pam_err = PAM_AUTHTOK_ERR;
+
+ while ((pam_err != PAM_SUCCESS) && ( retries++ < MAX_RETRIES)) {
+
+ pam_err = pam_get_authtok(pamh, PAM_AUTHTOK,
+ &new_pass, NULL);
+
+ pam_error(pamh, "Unable to get new passwd. Please \
+ try again");
+
+ }
+
+ if (pam_err != PAM_SUCCESS) {
+ PAM_ERROR("Unable to get new password!");
+ return (pam_err);
}
+ PAM_LOG("Got new password");
+
+ /*
+ * checking has to be done (?) for the new passwd to
+ * verify it's not weak.
+ */
+
+ if (getuid() != 0 && new_pass[0] == '\0' &&
+ !openpam_get_option(pamh, PAM_OPT_NULLOK))
+ return (PAM_PERM_DENIED);
+
+
+
+
+#ifndef __linux__
+
+ /*
+ * The BSD way to update the passwd entry. Taken as is
+ * from the freebsd-lib module pam_unix. Unfortunately,
+ * the following won't work under Linux.
+ */
+
+ if ((new_pwd = pw_dup(old_pwd)) == NULL)
+ return (PAM_BUF_ERR);
+
+ new_pwd->pw_change = 0;
+ lc = login_getclass(new_pwd->pw_class);
+ if (login_setcryptfmt(lc, password_hash, NULL) == NULL)
+ openpam_log(PAM_LOG_ERROR,
+ "can't set password cipher, relying on default");
+
+ login_close(lc);
+ makesalt(salt);
+ new_pwd->pw_passwd = crypt(new_pass, salt);
+
+
+ pam_err = PAM_SERVICE_ERR;
+ if (pw_init(NULL, NULL))
+ openpam_log(PAM_LOG_ERROR, "pw_init() failed");
+ else if ((pfd = pw_lock()) == -1)
+ openpam_log(PAM_LOG_ERROR, "pw_lock() failed");
+ else if ((tfd = pw_tmp(-1)) == -1)
+ openpam_log(PAM_LOG_ERROR, "pw_tmp() failed");
+ else if (pw_copy(pfd, tfd, new_pwd, old_pwd) == -1)
+ openpam_log(PAM_LOG_ERROR, "pw_copy() failed");
+ else if (pw_mkdb(new_pwd->pw_name) == -1)
+ openpam_log(PAM_LOG_ERROR, "pw_mkdb() failed");
+ else
+ pam_err = PAM_SUCCESS;
+ pw_fini();
+
+ free(old_pwd);
+#endif
+
+ /* Update shadow/passwd entries for Linux */
+
+
+ } else {
+ pam_err = PAM_ABORT;
+ PAM_ERROR("Unrecognized flags.");
+ return (pam_err);
+ }
+
-
return (PAM_SUCCESS);
}
+/*
+ * Mostly stolen from freebsd-lib's pam_unix module which was mostly
+ * stolen from passwd(1)'s local_passwd.c
+ *
+ * Good ideas are meant to be reused ;)
+ */
+
+static unsigned char itoa64[] = /* 0 ... 63 => ascii - 64 */
+ "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
+
+static void to64(char *s, long v, int n) {
+ while (--n >= 0) {
+ *s++ = itoa64[v&0x3f];
+ v >>= 6;
+ }
+}
+
+/* Salt suitable for traditional DES and MD5 */
+void
+makesalt(char salt[SALTSIZE]) {
+ int i;
+ /* These are not really random numbers, they are just
+ * numbers that change to thwart construction of a
+ * dictionary. This is exposed to the public.
+ */
+
+ for (i = 0; i < SALTSIZE; i += 4)
+ to64(&salt[i], arc4random(), 4);
+ salt[SALTSIZE] = '\0';
+}
+
PAM_MODULE_ENTRY("pam_unix")