
4  * Copyright 2005-2009, 2020 Russ Allbery <eagle@eyrie.org>
8 * Copyright 1999-2000 Frank Cusack <fcusack@fcusack.com>
10 * SPDX-License-Identifier: BSD-3-clause or GPL-1+
21 #include <pam-util/args.h>
22 #include <pam-util/logging.h>
40 /* Use the password from a previous module, if so configured. */ in pamk5_password_prompt()
43 if (args->config->use_authtok) { in pamk5_password_prompt()
44 pamret = pam_get_item(args->pamh, PAM_AUTHTOK, &tmp); in pamk5_password_prompt()
50 if (strlen(tmp) > PAM_MAX_RESP_SIZE - 1) { in pamk5_password_prompt()
52 PAM_MAX_RESP_SIZE - 1); in pamk5_password_prompt()
67 if (strlen(pass1) > PAM_MAX_RESP_SIZE - 1) { in pamk5_password_prompt()
69 PAM_MAX_RESP_SIZE - 1); in pamk5_password_prompt()
97 pamret = pam_set_item(args->pamh, PAM_AUTHTOK, pass1); in pamk5_password_prompt()
132 if (args == NULL || args->config == NULL || args->config->ctx == NULL in change_password()
133 || args->config->ctx->creds == NULL) in change_password()
135 ctx = args->config->ctx; in change_password()
153 * principal for Heimdal. So we're stuck with an #ifdef. in change_password()
157 krb5_set_password(ctx->context, ctx->creds, (char *) pass, NULL, in change_password()
161 krb5_set_password(ctx->context, ctx->creds, (char *) pass, ctx->princ, in change_password()
168 message = krb5_get_error_message(ctx->context, retval); in change_password()
170 krb5_free_error_message(ctx->context, message); in change_password()
193 krb5_free_data_contents(ctx->context, &result_string); in change_password()
194 krb5_free_data_contents(ctx->context, &result_code_string); in change_password()
199 * so that subsequent password change PAM modules configured with in change_password()
201 * fixed once the pre-check function runs, subsequent modules would in change_password()
204 if (retval != PAM_SUCCESS && args->config->clear_on_fail) { in change_password()
205 if (pam_set_item(args->pamh, PAM_AUTHTOK, NULL)) in change_password()
215 * called from pam_sm_authenticate if we're working around a library that
224 struct context *ctx = args->config->ctx; in pamk5_password_change()
231 if (ctx->creds == NULL) { in pamk5_password_change()
232 pamret = pamk5_password_auth(args, "kadmin/changepw", &ctx->creds); in pamk5_password_change()
240 * Now, get the new password and change it unless we're just doing the in pamk5_password_change()
250 pam_syslog(args->pamh, LOG_INFO, "user %s changed Kerberos password", in pamk5_password_change()
251 ctx->name); in pamk5_password_change()
282 * If we do ignore this user, and we're not in the preliminary check in pamk5_password()
285 * stacked behind pam-krb5 with use_authtok and have it still work for in pamk5_password()
292 if (args->config->ignore_root || args->config->minimum_uid > 0) { in pamk5_password()
293 status = pam_get_user(args->pamh, &user, NULL); in pamk5_password()
296 if (args->config->banner != NULL) { in pamk5_password()
297 free(args->config->banner); in pamk5_password()
298 args->config->banner = NULL; in pamk5_password()
308 * If we weren't able to find an existing context to use, we're going in pamk5_password()
311 if (args->config->ctx == NULL) { in pamk5_password()
318 pamret = pam_set_data(args->pamh, "pam_krb5", args->config->ctx, in pamk5_password()
327 ctx = args->config->ctx; in pamk5_password()
330 * Tell the user what's going on if we're handling an expiration, but not in pamk5_password()
331 * if we were configured to use the same password as an earlier module in in pamk5_password()
337 if (ctx->expired && ctx->creds == NULL) in pamk5_password()
338 if (!args->config->force_first_pass && !args->config->use_first_pass) in pamk5_password()
343 * Do the password change. This may only get tickets if we're doing the in pamk5_password()
355 if (pamret == PAM_SUCCESS && ctx->expired) { in pamk5_password()
361 args->config->force_first_pass = 1; in pamk5_password()
365 retval = krb5_unparse_name(ctx->context, ctx->princ, &principal); in pamk5_password()
368 pam_syslog(args->pamh, LOG_INFO, in pamk5_password()
369 "user %s authenticated as UNKNOWN", ctx->name); in pamk5_password()
371 pam_syslog(args->pamh, LOG_INFO, "user %s authenticated as %s", in pamk5_password()
372 ctx->name, principal); in pamk5_password()
373 krb5_free_unparsed_name(ctx->context, principal); in pamk5_password()
375 ctx->expired = false; in pamk5_password()
377 krb5_free_cred_contents(ctx->context, creds); in pamk5_password()
392 args->ctx = NULL; in pamk5_password()