From 1bdbf53a2a3fda4108634267acf4b801867e50be Mon Sep 17 00:00:00 2001 From: Seraphim Mellos Date: Sun, 15 Jun 2008 11:36:46 +0300 Subject: Started work on Makefiles --- modules/pam_unix/pam_unix.c~ | 257 +++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 257 insertions(+) create mode 100644 modules/pam_unix/pam_unix.c~ (limited to 'modules/pam_unix/pam_unix.c~') diff --git a/modules/pam_unix/pam_unix.c~ b/modules/pam_unix/pam_unix.c~ new file mode 100644 index 0000000..c65ec10 --- /dev/null +++ b/modules/pam_unix/pam_unix.c~ @@ -0,0 +1,257 @@ +/* #include */ +#include +#include +#include +#include + + +#ifndef MAXHOSTNAMELEN +# define MAXHOSTNAMELEN 256 +#endif + +#define PAM_SM_AUTH +#define PAM_SM_ACCOUNT +#define PAM_PASSWORD + +#ifndef __linux__ +#include +#endif + + +#include +#include +#include + +/* + * User authentication + */ + +PAM_EXTERN int +pam_sm_authenticate(pam_handle_t *pamh, int flags, + int argc , const char **argv ) { + +#ifndef __linux__ + login_cap_t *lc; +#endif + struct spwd *pwd; + const char *pass, *crypt_pass, *user; + int pam_err; + + /* identify user */ + + if (openpam_get_option(pamh, PAM_OPT_AUTH_AS_SELF)) { + PAM_LOG("Authenticating as self."); + pwd = getspnam(getlogin()); + } else { + if ((pam_err = pam_get_user(pamh, &user, NULL)) != PAM_SUCCESS) { + PAM_ERROR("Authenticating with uname %s failed.", user); + return (pam_err); + } + + pwd = getspnam(user); + } + + PAM_LOG("Authenticating user: %s", user); + + /* get password */ + + if (pwd != NULL) { + PAM_LOG("Doing real authentication"); + pass = pwd->sp_pwdp; + if (pass[0] == '\0') { + if (!(flags & PAM_DISALLOW_NULL_AUTHTOK) && + openpam_get_option(pamh, PAM_OPT_NULLOK)){ + PAM_ERROR("Authentication failed. Empty passwd not allowed"); + return (PAM_SUCCESS); + } + + pass = "*"; + } +#ifndef __linux__ + lc = login_getpwclass(pwd); +#endif + } else { + PAM_LOG("Doing dummy authentication"); + pass = "*"; +#ifndef __linux__ + lc = login_getpwclass(NULL); +#endif + } + +#ifndef __linux__ + prompt = login_getcapstr(lc, "passwd_prompt", NULL, NULL); + pam_err = pam_get_authtok(pamh, PAM_AUTHTOK, &pass, prompt); + login_close(lc); +#else + pam_err = pam_get_authtok(pamh, PAM_AUTHTOK, (const char **) &pass, NULL); +#endif + PAM_LOG("Got password for user %s", user); + + if (pam_err == PAM_CONV_ERR) + return (pam_err); + if (pam_err != PAM_SUCCESS) + return (PAM_AUTH_ERR); + + /* check shadow */ + + crypt_pass = crypt(pass, pwd->sp_pwdp); + if ( strcmp(crypt_pass, pwd->sp_pwdp) != 0 ) { + PAM_ERROR("Wrong password. Authentication failed."); + pam_err = PAM_AUTH_ERR; + } else { + PAM_LOG("Authentication completed succesfully"); + pam_err = PAM_SUCCESS; + } + + return (pam_err); +} + +PAM_EXTERN int +pam_sm_setcred(pam_handle_t *pamh , int flags , + int argc , const char *argv[] ) { + + /* + * This functions takes care of renewing/initializing + * user credentials as well as gid/uids. Someday, it + * will be completed. For now, it's not very urgent. + */ + + return (PAM_SUCCESS); +} + + +/* + * Account Management + */ + +PAM_EXTERN int +pam_sm_acct_mgmt(pam_handle_t *pamh, int flags , + int argc , const char *argv[] ) { + + + +#ifndef __linux__ + login_cap_t *lc; +#endif + + struct spwd *pwd; + int pam_err; + const char *user; + time_t curtime; + +#ifndef __linux__ + const void *rhost, *tty; + char rhostip[MAXHOSTNAMELEN] = ""; +#endif + + /* Sanity checks for uname,pwd,tty,host etc */ + + pam_err = pam_get_user(pamh, &user, NULL); + + if (pam_err != PAM_SUCCESS) + return (pam_err); + + if (user == NULL || (pwd = getspnam(user)) == NULL) + return (PAM_SERVICE_ERR); +#ifndef __linux__ + + /* + * tty/host info are provided by login classes + * and cannot be used out of the box under Linux + * for sanity checking (BSD only). May need to + * be ported/rewritten to work on Linux as well. + * Time will tell... + */ + pam_err = pam_get_item(pamh, PAM_RHOST, &rhost); + + if (pam_err != PAM_SUCCESS) + return (pam_err); + + pam_err = pam_get_item(pamh, PAM_TTY, &tty); + + if (pam_err != PAM_SUCCESS) + return (pam_err); +#endif + if (*pwd->sp_pwdp == '\0' && + (flags & PAM_DISALLOW_NULL_AUTHTOK) != 0) + return (PAM_NEW_AUTHTOK_REQD); + +#ifndef __linux__ + lc = login_getpwclass(pwd); + + if (lc == NULL) { + return (PAM_SERVICE_ERR); + + } +#endif + /* Check if pw_lstchg or pw_expire is set */ + + if (pwd->sp_lstchg || pwd->sp_expire) + curtime = time(NULL) / (60 * 60 * 24); + if (pwd->sp_expire) { + if ( (curtime > pwd->sp_expire ) && ( pwd->sp_expire != -1 ) ) { +#ifndef __linux__ + login_close(lc); +#endif + return (PAM_ACCT_EXPIRED); + } else if ( ( pwd->sp_expire - curtime < pwd->sp_warn) ) { +// pam_error(pamh, "Warning: your account expires on %s", +// ctime(&pwd->pw_expire)); + } + } + + if (pwd->sp_lstchg == 0 ) { + return (PAM_NEW_AUTHTOK_REQD); + } + + /* check all other possibilities (mostly stolen from pam_tcb) */ + + if ((curtime > (pwd->sp_lstchg + pwd->sp_max + pwd->sp_inact)) && + (pwd->sp_max != -1) && (pwd->sp_inact != -1) && + (pwd->sp_lstchg != 0)) + return (PAM_ACCT_EXPIRED); + + if (((pwd->sp_lstchg + pwd->sp_max) < curtime) && + (pwd->sp_max != -1)) + return (PAM_ACCT_EXPIRED); + + if ((curtime - pwd->sp_lstchg > pwd->sp_max) + && (curtime - pwd->sp_lstchg > pwd->sp_inact) + && (curtime - pwd->sp_lstchg > pwd->sp_max + pwd->sp_inact) + && (pwd->sp_max != -1) && (pwd->sp_inact != -1)) + return (PAM_ACCT_EXPIRED); + + pam_err = (PAM_SUCCESS); + +#ifndef __linux__ + + /* validate tty/host/time */ + + if (!auth_hostok(lc, rhost, rhostip) || + !auth_ttyok(lc, tty) || + !auth_timeok(lc, time(NULL))) + pam_err = PAM_AUTH_ERR; + + + login_close(lc); +#endif + + return (pam_err); + +} + +/* + * Password Management + */ + +PAM_EXTERN int +pam_sm_chautok(pam_handle_t *pamh, int flags, + int argc, const char *argv[]) +{ + + + +} + + +PAM_MODULE_ENTRY("pam_unix") -- cgit v1.2.3-65-gdbad