Lines Matching full:password
4 * The actual authentication work is done here, either via password or via
7 * authentication and the password groups.
139 * This function is used both for regular password authentication and for
213 * Retrieve the existing password (authtok) stored in the PAM data if
218 * authenticating or changing the password), and the place to store the
219 * password. Returns a PAM status code.
222 * password (if set). If force_first_pass is set, fail if the password is not
225 * The empty password has to be handled separately, since the Kerberos
226 * libraries may treat it as equivalent to no password and prompt when we
227 * don't want them to. We make the assumption here that the empty password is
244 putil_debug(args, "rejecting empty password"); in maybe_retrieve_password()
250 putil_debug(args, "rejecting password longer than %d", in maybe_retrieve_password()
255 putil_debug_pam(args, status, "no stored password"); in maybe_retrieve_password()
263 * Prompt for the password. Takes the PAM arguments, the authtok for which
265 * we're authenticating or changing the password), and the place to store the
266 * password. Returns a PAM status code.
268 * If we successfully get a password, store it in the PAM data, free it, and
269 * then return the password as retrieved from the PAM data so that we don't
272 * The empty password has to be handled separately, since the Kerberos
273 * libraries may treat it as equivalent to no password and prompt when we
274 * don't want them to. We make the assumption here that the empty password is
280 char *password; in prompt_password() local
285 status = pamk5_get_password(args, prompt, &password); in prompt_password()
287 putil_debug_pam(args, status, "error getting password"); in prompt_password()
290 if (password[0] == '\0') { in prompt_password()
291 putil_debug(args, "rejecting empty password"); in prompt_password()
292 free(password); in prompt_password()
295 if (strlen(password) > PAM_MAX_RESP_SIZE - 1) { in prompt_password()
296 putil_debug(args, "rejecting password longer than %d", in prompt_password()
298 explicit_bzero(password, strlen(password)); in prompt_password()
299 free(password); in prompt_password()
304 status = pam_set_item(args->pamh, authtok, password); in prompt_password()
305 explicit_bzero(password, strlen(password)); in prompt_password()
306 free(password); in prompt_password()
308 putil_err_pam(args, status, "error storing password"); in prompt_password()
312 /* Return the password retrieved from PAM. */ in prompt_password()
315 putil_err_pam(args, status, "error retrieving password"); in prompt_password()
323 * Authenticate via password.
326 * attempting to authenticate with and then attempt password authentication.
361 * Heimdal may return an expired key error even if the password is in password_auth()
362 * incorrect. To avoid accepting any incorrect password for the user in password_auth()
363 * in the fully correct password change case, confirm that we can get in password_auth()
364 * a password change ticket for the user using this password, and in password_auth()
365 * otherwise change the error to invalid password. in password_auth()
393 * provided password to try to authenticate as that user. If at any point we
458 * principal. Assume an invalid password error if there are no valid in k5login_password_auth()
540 * expects to be prompted for a password, which may not happen if the in pkinit_auth()
546 * We always ignore the input. If the user wants to use a password in pkinit_auth()
598 * Attempt authentication once with a given password. This is the core of the
601 * default TGT), the initial credential options, and the password, and returns
754 * Prompt the user for a password and authenticate the password with the KDC.
758 * is non-null, we look for the password in PAM_OLDAUTHOK and save it there
838 * Obtain the saved password, if appropriate and available, and determine in pamk5_password_auth()
840 * password and retry the authentication if the stored password didn't in pamk5_password_auth()
850 * If we had no stored password, we prompt for a password the first time in pamk5_password_auth()
851 * through. If try_first_pass is set and we had an old password, we try in pamk5_password_auth()
852 * with it. If the old password doesn't work, we loop once, prompt for a in pamk5_password_auth()
853 * password, and retry. If use_first_pass is set, we'll prompt once if in pamk5_password_auth()
854 * the password isn't already set but won't retry. in pamk5_password_auth()
856 * If we don't have a password but try_pkinit or no_prompt are true, we in pamk5_password_auth()
857 * don't attempt to prompt for a password and we go into the Kerberos in pamk5_password_auth()
858 * libraries with no password. We rely on the Kerberos libraries to do in pamk5_password_auth()
861 * password or other credentials the user might enter, so subsequent PAM in pamk5_password_auth()
879 * clear the password and then see if we should try again after in pamk5_password_auth()
880 * prompting for a password. in pamk5_password_auth()
900 * authenticating for password changes (or any other case where we're not in pamk5_password_auth()
1002 * The complexity arises if the password was expired (which means the in pamk5_authenticate()
1003 * Kerberos library was also unable to prompt for the password change in pamk5_authenticate()
1008 * password here and now. in pamk5_authenticate()
1023 * We would like to set the current password as PAM_OLDAUTHTOK so that in pamk5_authenticate()
1028 * In the force_pwchange case, try to use the password the user just in pamk5_authenticate()
1029 * entered to authenticate to the password changing service, but don't in pamk5_authenticate()
1031 * PAM_AUTHTOK to PAM_OLDAUTHTOK to be in the place where password in pamk5_authenticate()
1033 * the password to the same thing it was. in pamk5_authenticate()
1045 "user %s password expired, forcing password change", in pamk5_authenticate()
1047 pamk5_conv(args, "Password expired. You must change it now.", in pamk5_authenticate()
1057 putil_debug(args, "successfully changed expired password"); in pamk5_authenticate()