19a10bb17SJohn Polstra /*- 2*5e53a4f9SPedro F. Giffuni * SPDX-License-Identifier: BSD-3-Clause 3*5e53a4f9SPedro F. Giffuni * 49a10bb17SJohn Polstra * Copyright 1998 Juniper Networks, Inc. 59a10bb17SJohn Polstra * All rights reserved. 64d6991c6SDag-Erling Smørgrav * Copyright (c) 2002-2003 Networks Associates Technology, Inc. 7e9cc7b1dSDag-Erling Smørgrav * All rights reserved. 8e9cc7b1dSDag-Erling Smørgrav * 9e9cc7b1dSDag-Erling Smørgrav * Portions of this software was developed for the FreeBSD Project by 10e9cc7b1dSDag-Erling Smørgrav * ThinkSec AS and NAI Labs, the Security Research Division of Network 11e9cc7b1dSDag-Erling Smørgrav * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 12e9cc7b1dSDag-Erling Smørgrav * ("CBOSS"), as part of the DARPA CHATS research program. 139a10bb17SJohn Polstra * 149a10bb17SJohn Polstra * Redistribution and use in source and binary forms, with or without 159a10bb17SJohn Polstra * modification, are permitted provided that the following conditions 169a10bb17SJohn Polstra * are met: 179a10bb17SJohn Polstra * 1. Redistributions of source code must retain the above copyright 189a10bb17SJohn Polstra * notice, this list of conditions and the following disclaimer. 199a10bb17SJohn Polstra * 2. Redistributions in binary form must reproduce the above copyright 209a10bb17SJohn Polstra * notice, this list of conditions and the following disclaimer in the 219a10bb17SJohn Polstra * documentation and/or other materials provided with the distribution. 22e9cc7b1dSDag-Erling Smørgrav * 3. The name of the author may not be used to endorse or promote 23e9cc7b1dSDag-Erling Smørgrav * products derived from this software without specific prior written 24e9cc7b1dSDag-Erling Smørgrav * permission. 259a10bb17SJohn Polstra * 269a10bb17SJohn Polstra * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 279a10bb17SJohn Polstra * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 289a10bb17SJohn Polstra * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 299a10bb17SJohn Polstra * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 309a10bb17SJohn Polstra * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 319a10bb17SJohn Polstra * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 329a10bb17SJohn Polstra * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 339a10bb17SJohn Polstra * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 349a10bb17SJohn Polstra * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 359a10bb17SJohn Polstra * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 369a10bb17SJohn Polstra * SUCH DAMAGE. 379a10bb17SJohn Polstra */ 389a10bb17SJohn Polstra 39ceaf33f5SMatthew Dillon #include <sys/cdefs.h> 40ceaf33f5SMatthew Dillon __FBSDID("$FreeBSD$"); 41ceaf33f5SMatthew Dillon 42e9cc7b1dSDag-Erling Smørgrav #include <sys/param.h> 43e9cc7b1dSDag-Erling Smørgrav #include <sys/socket.h> 44d65b34dbSJohn Polstra #include <sys/time.h> 45e9cc7b1dSDag-Erling Smørgrav #include <netinet/in.h> 46e9cc7b1dSDag-Erling Smørgrav #include <arpa/inet.h> 47e9cc7b1dSDag-Erling Smørgrav 48d65b34dbSJohn Polstra #include <login_cap.h> 49e9cc7b1dSDag-Erling Smørgrav #include <netdb.h> 509a10bb17SJohn Polstra #include <pwd.h> 519a10bb17SJohn Polstra #include <stdlib.h> 529a10bb17SJohn Polstra #include <string.h> 53d65b34dbSJohn Polstra #include <stdio.h> 547f28386aSDag-Erling Smørgrav #include <syslog.h> 55beb8ef4aSDag-Erling Smørgrav #include <time.h> 569a10bb17SJohn Polstra #include <unistd.h> 579a10bb17SJohn Polstra 58f1d05925SDag-Erling Smørgrav #include <libutil.h> 593d55a6c0SMark Murray 603d55a6c0SMark Murray #ifdef YP 61c82bffaaSDag-Erling Smørgrav #include <ypclnt.h> 623d55a6c0SMark Murray #endif 633d55a6c0SMark Murray 649a10bb17SJohn Polstra #define PAM_SM_AUTH 65d65b34dbSJohn Polstra #define PAM_SM_ACCOUNT 663d55a6c0SMark Murray #define PAM_SM_PASSWORD 673d55a6c0SMark Murray 688c66575dSDag-Erling Smørgrav #include <security/pam_appl.h> 699a10bb17SJohn Polstra #include <security/pam_modules.h> 708c66575dSDag-Erling Smørgrav #include <security/pam_mod_misc.h> 719a10bb17SJohn Polstra 723d55a6c0SMark Murray #define PASSWORD_HASH "md5" 731642eb1aSMark Murray #define DEFAULT_WARN (2L * 7L * 86400L) /* Two weeks */ 748c3ea588SMark Murray #define SALTSIZE 32 758c3ea588SMark Murray 76cf21ead5SYaroslav Tykhiy #define LOCKED_PREFIX "*LOCKED*" 77cf21ead5SYaroslav Tykhiy #define LOCKED_PREFIX_LEN (sizeof(LOCKED_PREFIX) - 1) 78cf21ead5SYaroslav Tykhiy 798c3ea588SMark Murray static void makesalt(char []); 801642eb1aSMark Murray 81ac569969SMark Murray static char password_hash[] = PASSWORD_HASH; 82ac569969SMark Murray 83545aa471SDag-Erling Smørgrav #define PAM_OPT_LOCAL_PASS "local_pass" 84545aa471SDag-Erling Smørgrav #define PAM_OPT_NIS_PASS "nis_pass" 859a10bb17SJohn Polstra 86d65b34dbSJohn Polstra /* 87d65b34dbSJohn Polstra * authentication management 88d65b34dbSJohn Polstra */ 899a10bb17SJohn Polstra PAM_EXTERN int 9024fe7ba0SDag-Erling Smørgrav pam_sm_authenticate(pam_handle_t *pamh, int flags __unused, 91545aa471SDag-Erling Smørgrav int argc __unused, const char *argv[] __unused) 929a10bb17SJohn Polstra { 933d55a6c0SMark Murray login_cap_t *lc; 949a10bb17SJohn Polstra struct passwd *pwd; 951642eb1aSMark Murray int retval; 96f2f306b6SRuslan Ermilov const char *pass, *user, *realpw, *prompt; 979a10bb17SJohn Polstra 98545aa471SDag-Erling Smørgrav if (openpam_get_option(pamh, PAM_OPT_AUTH_AS_SELF)) { 991843e23cSDimitry Andric user = getlogin(); 10050000f00SDag-Erling Smørgrav } else { 1011642eb1aSMark Murray retval = pam_get_user(pamh, &user, NULL); 1021642eb1aSMark Murray if (retval != PAM_SUCCESS) 10324fe7ba0SDag-Erling Smørgrav return (retval); 1044448b21cSMark Murray } 1051843e23cSDimitry Andric pwd = getpwnam(user); 1061642eb1aSMark Murray 1071642eb1aSMark Murray PAM_LOG("Got user: %s", user); 1081642eb1aSMark Murray 1094448b21cSMark Murray if (pwd != NULL) { 1101642eb1aSMark Murray PAM_LOG("Doing real authentication"); 11150000f00SDag-Erling Smørgrav realpw = pwd->pw_passwd; 11250000f00SDag-Erling Smørgrav if (realpw[0] == '\0') { 11350000f00SDag-Erling Smørgrav if (!(flags & PAM_DISALLOW_NULL_AUTHTOK) && 114545aa471SDag-Erling Smørgrav openpam_get_option(pamh, PAM_OPT_NULLOK)) 11524fe7ba0SDag-Erling Smørgrav return (PAM_SUCCESS); 11679b67c8dSDag-Erling Smørgrav PAM_LOG("Password is empty, using fake password"); 11750000f00SDag-Erling Smørgrav realpw = "*"; 1181642eb1aSMark Murray } 119a8b1e59eSDag-Erling Smørgrav lc = login_getpwclass(pwd); 12050000f00SDag-Erling Smørgrav } else { 1211642eb1aSMark Murray PAM_LOG("Doing dummy authentication"); 12250000f00SDag-Erling Smørgrav realpw = "*"; 123a8b1e59eSDag-Erling Smørgrav lc = login_getclass(NULL); 12450000f00SDag-Erling Smørgrav } 12550000f00SDag-Erling Smørgrav prompt = login_getcapstr(lc, "passwd_prompt", NULL, NULL); 12650000f00SDag-Erling Smørgrav retval = pam_get_authtok(pamh, PAM_AUTHTOK, &pass, prompt); 127a8b1e59eSDag-Erling Smørgrav login_close(lc); 1281642eb1aSMark Murray if (retval != PAM_SUCCESS) 12924fe7ba0SDag-Erling Smørgrav return (retval); 1301642eb1aSMark Murray PAM_LOG("Got password"); 13179b67c8dSDag-Erling Smørgrav if (strnlen(pass, _PASSWORD_LEN + 1) > _PASSWORD_LEN) { 13279b67c8dSDag-Erling Smørgrav PAM_LOG("Password is too long, using fake password"); 13379b67c8dSDag-Erling Smørgrav realpw = "*"; 13479b67c8dSDag-Erling Smørgrav } 13550000f00SDag-Erling Smørgrav if (strcmp(crypt(pass, realpw), realpw) == 0) 13624fe7ba0SDag-Erling Smørgrav return (PAM_SUCCESS); 1371642eb1aSMark Murray 1383d55a6c0SMark Murray PAM_VERBOSE_ERROR("UNIX authentication refused"); 13924fe7ba0SDag-Erling Smørgrav return (PAM_AUTH_ERR); 1409a10bb17SJohn Polstra } 1419a10bb17SJohn Polstra 1429a10bb17SJohn Polstra PAM_EXTERN int 14324fe7ba0SDag-Erling Smørgrav pam_sm_setcred(pam_handle_t *pamh __unused, int flags __unused, 14424fe7ba0SDag-Erling Smørgrav int argc __unused, const char *argv[] __unused) 1459a10bb17SJohn Polstra { 1463d55a6c0SMark Murray 14724fe7ba0SDag-Erling Smørgrav return (PAM_SUCCESS); 1489a10bb17SJohn Polstra } 1499294327dSJohn Polstra 150d65b34dbSJohn Polstra /* 151d65b34dbSJohn Polstra * account management 152d65b34dbSJohn Polstra */ 1533d55a6c0SMark Murray PAM_EXTERN int 15424fe7ba0SDag-Erling Smørgrav pam_sm_acct_mgmt(pam_handle_t *pamh, int flags __unused, 155545aa471SDag-Erling Smørgrav int argc __unused, const char *argv[] __unused) 156d65b34dbSJohn Polstra { 157e9cc7b1dSDag-Erling Smørgrav struct addrinfo hints, *res; 158e9cc7b1dSDag-Erling Smørgrav struct passwd *pwd; 159d65b34dbSJohn Polstra struct timeval tp; 1601642eb1aSMark Murray login_cap_t *lc; 161d65b34dbSJohn Polstra time_t warntime; 162d65b34dbSJohn Polstra int retval; 16391e93869SDag-Erling Smørgrav const char *user; 16491e93869SDag-Erling Smørgrav const void *rhost, *tty; 1658f303102SDag-Erling Smørgrav char rhostip[MAXHOSTNAMELEN] = ""; 1661642eb1aSMark Murray 167111ccd25SDag-Erling Smørgrav retval = pam_get_user(pamh, &user, NULL); 168e9cc7b1dSDag-Erling Smørgrav if (retval != PAM_SUCCESS) 16924fe7ba0SDag-Erling Smørgrav return (retval); 170d65b34dbSJohn Polstra 171e9cc7b1dSDag-Erling Smørgrav if (user == NULL || (pwd = getpwnam(user)) == NULL) 17224fe7ba0SDag-Erling Smørgrav return (PAM_SERVICE_ERR); 1731642eb1aSMark Murray 1741642eb1aSMark Murray PAM_LOG("Got user: %s", user); 175d65b34dbSJohn Polstra 17691e93869SDag-Erling Smørgrav retval = pam_get_item(pamh, PAM_RHOST, &rhost); 177e9cc7b1dSDag-Erling Smørgrav if (retval != PAM_SUCCESS) 17824fe7ba0SDag-Erling Smørgrav return (retval); 179d65b34dbSJohn Polstra 18091e93869SDag-Erling Smørgrav retval = pam_get_item(pamh, PAM_TTY, &tty); 181e9cc7b1dSDag-Erling Smørgrav if (retval != PAM_SUCCESS) 18224fe7ba0SDag-Erling Smørgrav return (retval); 183d65b34dbSJohn Polstra 184e9cc7b1dSDag-Erling Smørgrav if (*pwd->pw_passwd == '\0' && 185e9cc7b1dSDag-Erling Smørgrav (flags & PAM_DISALLOW_NULL_AUTHTOK) != 0) 186e9cc7b1dSDag-Erling Smørgrav return (PAM_NEW_AUTHTOK_REQD); 187e9cc7b1dSDag-Erling Smørgrav 188cf21ead5SYaroslav Tykhiy if (strncmp(pwd->pw_passwd, LOCKED_PREFIX, LOCKED_PREFIX_LEN) == 0) 189cf21ead5SYaroslav Tykhiy return (PAM_AUTH_ERR); 190cf21ead5SYaroslav Tykhiy 191e9cc7b1dSDag-Erling Smørgrav lc = login_getpwclass(pwd); 192e9cc7b1dSDag-Erling Smørgrav if (lc == NULL) { 193e9cc7b1dSDag-Erling Smørgrav PAM_LOG("Unable to get login class for user %s", user); 194e9cc7b1dSDag-Erling Smørgrav return (PAM_SERVICE_ERR); 195e9cc7b1dSDag-Erling Smørgrav } 196d65b34dbSJohn Polstra 1971642eb1aSMark Murray PAM_LOG("Got login_cap"); 1981642eb1aSMark Murray 199e9cc7b1dSDag-Erling Smørgrav if (pwd->pw_change || pwd->pw_expire) 200e9cc7b1dSDag-Erling Smørgrav gettimeofday(&tp, NULL); 201d65b34dbSJohn Polstra 202e9cc7b1dSDag-Erling Smørgrav /* 203e9cc7b1dSDag-Erling Smørgrav * Check pw_expire before pw_change - no point in letting the 204e9cc7b1dSDag-Erling Smørgrav * user change the password on an expired account. 205e9cc7b1dSDag-Erling Smørgrav */ 206d65b34dbSJohn Polstra 207e9cc7b1dSDag-Erling Smørgrav if (pwd->pw_expire) { 208e9cc7b1dSDag-Erling Smørgrav warntime = login_getcaptime(lc, "warnexpire", 209e9cc7b1dSDag-Erling Smørgrav DEFAULT_WARN, DEFAULT_WARN); 210e9cc7b1dSDag-Erling Smørgrav if (tp.tv_sec >= pwd->pw_expire) { 211e9cc7b1dSDag-Erling Smørgrav login_close(lc); 21224fe7ba0SDag-Erling Smørgrav return (PAM_ACCT_EXPIRED); 213e9cc7b1dSDag-Erling Smørgrav } else if (pwd->pw_expire - tp.tv_sec < warntime && 214e9cc7b1dSDag-Erling Smørgrav (flags & PAM_SILENT) == 0) { 215519b6a4cSDag-Erling Smørgrav pam_error(pamh, "Warning: your account expires on %s", 216e9cc7b1dSDag-Erling Smørgrav ctime(&pwd->pw_expire)); 217d65b34dbSJohn Polstra } 218d65b34dbSJohn Polstra } 219d65b34dbSJohn Polstra 220e9cc7b1dSDag-Erling Smørgrav retval = PAM_SUCCESS; 221e9cc7b1dSDag-Erling Smørgrav if (pwd->pw_change) { 222e9cc7b1dSDag-Erling Smørgrav warntime = login_getcaptime(lc, "warnpassword", 223e9cc7b1dSDag-Erling Smørgrav DEFAULT_WARN, DEFAULT_WARN); 224e9cc7b1dSDag-Erling Smørgrav if (tp.tv_sec >= pwd->pw_change) { 225e9cc7b1dSDag-Erling Smørgrav retval = PAM_NEW_AUTHTOK_REQD; 226e9cc7b1dSDag-Erling Smørgrav } else if (pwd->pw_change - tp.tv_sec < warntime && 227e9cc7b1dSDag-Erling Smørgrav (flags & PAM_SILENT) == 0) { 228519b6a4cSDag-Erling Smørgrav pam_error(pamh, "Warning: your password expires on %s", 229e9cc7b1dSDag-Erling Smørgrav ctime(&pwd->pw_change)); 230e9cc7b1dSDag-Erling Smørgrav } 231e9cc7b1dSDag-Erling Smørgrav } 232e9cc7b1dSDag-Erling Smørgrav 233e9cc7b1dSDag-Erling Smørgrav /* 234e9cc7b1dSDag-Erling Smørgrav * From here on, we must leave retval untouched (unless we 235e9cc7b1dSDag-Erling Smørgrav * know we're going to fail), because we need to remember 236e9cc7b1dSDag-Erling Smørgrav * whether we're supposed to return PAM_SUCCESS or 237e9cc7b1dSDag-Erling Smørgrav * PAM_NEW_AUTHTOK_REQD. 238e9cc7b1dSDag-Erling Smørgrav */ 239e9cc7b1dSDag-Erling Smørgrav 24091e93869SDag-Erling Smørgrav if (rhost && *(const char *)rhost != '\0') { 241e9cc7b1dSDag-Erling Smørgrav memset(&hints, 0, sizeof(hints)); 242e9cc7b1dSDag-Erling Smørgrav hints.ai_family = AF_UNSPEC; 243e9cc7b1dSDag-Erling Smørgrav if (getaddrinfo(rhost, NULL, &hints, &res) == 0) { 244e9cc7b1dSDag-Erling Smørgrav getnameinfo(res->ai_addr, res->ai_addrlen, 245e9cc7b1dSDag-Erling Smørgrav rhostip, sizeof(rhostip), NULL, 0, 246d928d41cSHajimu UMEMOTO NI_NUMERICHOST); 247e9cc7b1dSDag-Erling Smørgrav } 248e9cc7b1dSDag-Erling Smørgrav if (res != NULL) 249e9cc7b1dSDag-Erling Smørgrav freeaddrinfo(res); 250e9cc7b1dSDag-Erling Smørgrav } 251e9cc7b1dSDag-Erling Smørgrav 252e9cc7b1dSDag-Erling Smørgrav /* 253e9cc7b1dSDag-Erling Smørgrav * Check host / tty / time-of-day restrictions 254e9cc7b1dSDag-Erling Smørgrav */ 255e9cc7b1dSDag-Erling Smørgrav 256e9cc7b1dSDag-Erling Smørgrav if (!auth_hostok(lc, rhost, rhostip) || 257e9cc7b1dSDag-Erling Smørgrav !auth_ttyok(lc, tty) || 258e9cc7b1dSDag-Erling Smørgrav !auth_timeok(lc, time(NULL))) 259e9cc7b1dSDag-Erling Smørgrav retval = PAM_AUTH_ERR; 260e9cc7b1dSDag-Erling Smørgrav 261d65b34dbSJohn Polstra login_close(lc); 2621642eb1aSMark Murray 26324fe7ba0SDag-Erling Smørgrav return (retval); 2643d55a6c0SMark Murray } 2653d55a6c0SMark Murray 2663d55a6c0SMark Murray /* 2673d55a6c0SMark Murray * password management 2683d55a6c0SMark Murray * 2693d55a6c0SMark Murray * standard Unix and NIS password changing 2703d55a6c0SMark Murray */ 2713d55a6c0SMark Murray PAM_EXTERN int 27224fe7ba0SDag-Erling Smørgrav pam_sm_chauthtok(pam_handle_t *pamh, int flags, 273545aa471SDag-Erling Smørgrav int argc __unused, const char *argv[] __unused) 2743d55a6c0SMark Murray { 275ff1bc287SDag-Erling Smørgrav #ifdef YP 276ff1bc287SDag-Erling Smørgrav struct ypclnt *ypclnt; 27764dbe1a7SDag-Erling Smørgrav const void *yp_domain, *yp_server; 278ff1bc287SDag-Erling Smørgrav #endif 279ff1bc287SDag-Erling Smørgrav char salt[SALTSIZE + 1]; 280ff1bc287SDag-Erling Smørgrav login_cap_t *lc; 281f1d05925SDag-Erling Smørgrav struct passwd *pwd, *old_pwd; 282ff1bc287SDag-Erling Smørgrav const char *user, *old_pass, *new_pass; 283ff1bc287SDag-Erling Smørgrav char *encrypted; 284cc5c81f8SDag-Erling Smørgrav time_t passwordtime; 285ff1bc287SDag-Erling Smørgrav int pfd, tfd, retval; 2863d55a6c0SMark Murray 287545aa471SDag-Erling Smørgrav if (openpam_get_option(pamh, PAM_OPT_AUTH_AS_SELF)) 288653d2f36SDon Lewis user = getlogin(); 2893d55a6c0SMark Murray else { 2903d55a6c0SMark Murray retval = pam_get_user(pamh, &user, NULL); 2913d55a6c0SMark Murray if (retval != PAM_SUCCESS) 29224fe7ba0SDag-Erling Smørgrav return (retval); 2933d55a6c0SMark Murray } 294653d2f36SDon Lewis pwd = getpwnam(user); 2953d55a6c0SMark Murray 296f1d05925SDag-Erling Smørgrav if (pwd == NULL) 297f1d05925SDag-Erling Smørgrav return (PAM_AUTHTOK_RECOVERY_ERR); 298f1d05925SDag-Erling Smørgrav 2993d55a6c0SMark Murray PAM_LOG("Got user: %s", user); 3003d55a6c0SMark Murray 3013d55a6c0SMark Murray if (flags & PAM_PRELIM_CHECK) { 3023d55a6c0SMark Murray 3037b733689SDag-Erling Smørgrav PAM_LOG("PRELIM round"); 3043d55a6c0SMark Murray 3050f6517b7SDag-Erling Smørgrav if (getuid() == 0 && 3060f6517b7SDag-Erling Smørgrav (pwd->pw_fields & _PWF_SOURCE) == _PWF_FILES) 3070f6517b7SDag-Erling Smørgrav /* root doesn't need the old password */ 3080f6517b7SDag-Erling Smørgrav return (pam_set_item(pamh, PAM_OLDAUTHTOK, "")); 309dd01398dSMartin Blapp #ifdef YP 310dd01398dSMartin Blapp if (getuid() == 0 && 311dd01398dSMartin Blapp (pwd->pw_fields & _PWF_SOURCE) == _PWF_NIS) { 3120f6517b7SDag-Erling Smørgrav 313dd01398dSMartin Blapp yp_domain = yp_server = NULL; 31491e93869SDag-Erling Smørgrav (void)pam_get_data(pamh, "yp_domain", &yp_domain); 31591e93869SDag-Erling Smørgrav (void)pam_get_data(pamh, "yp_server", &yp_server); 316dd01398dSMartin Blapp 317dd01398dSMartin Blapp ypclnt = ypclnt_new(yp_domain, "passwd.byname", yp_server); 318dd01398dSMartin Blapp if (ypclnt == NULL) 319dd01398dSMartin Blapp return (PAM_BUF_ERR); 320dd01398dSMartin Blapp 321dd01398dSMartin Blapp if (ypclnt_connect(ypclnt) == -1) { 322dd01398dSMartin Blapp ypclnt_free(ypclnt); 323dd01398dSMartin Blapp return (PAM_SERVICE_ERR); 324dd01398dSMartin Blapp } 325dd01398dSMartin Blapp 326dd01398dSMartin Blapp retval = ypclnt_havepasswdd(ypclnt); 327dd01398dSMartin Blapp ypclnt_free(ypclnt); 328dd01398dSMartin Blapp if (retval == 1) 329dd01398dSMartin Blapp return (pam_set_item(pamh, PAM_OLDAUTHTOK, "")); 330dd01398dSMartin Blapp else if (retval == -1) 331dd01398dSMartin Blapp return (PAM_SERVICE_ERR); 332dd01398dSMartin Blapp } 333dd01398dSMartin Blapp #endif 3343d55a6c0SMark Murray if (pwd->pw_passwd[0] == '\0' 335545aa471SDag-Erling Smørgrav && openpam_get_option(pamh, PAM_OPT_NULLOK)) { 3363d55a6c0SMark Murray /* 3373d55a6c0SMark Murray * No password case. XXX Are we giving too much away 3383d55a6c0SMark Murray * by not prompting for a password? 339111ccd25SDag-Erling Smørgrav * XXX check PAM_DISALLOW_NULL_AUTHTOK 3403d55a6c0SMark Murray */ 341ff1bc287SDag-Erling Smørgrav old_pass = ""; 34230f64800SDon Lewis retval = PAM_SUCCESS; 343ff1bc287SDag-Erling Smørgrav } else { 344111ccd25SDag-Erling Smørgrav retval = pam_get_authtok(pamh, 345ff1bc287SDag-Erling Smørgrav PAM_OLDAUTHTOK, &old_pass, NULL); 3463d55a6c0SMark Murray if (retval != PAM_SUCCESS) 34724fe7ba0SDag-Erling Smørgrav return (retval); 3483d55a6c0SMark Murray } 349111ccd25SDag-Erling Smørgrav PAM_LOG("Got old password"); 350ff1bc287SDag-Erling Smørgrav /* always encrypt first */ 351ff1bc287SDag-Erling Smørgrav encrypted = crypt(old_pass, pwd->pw_passwd); 352be01d58dSDag-Erling Smørgrav if (old_pass[0] == '\0' && 353545aa471SDag-Erling Smørgrav !openpam_get_option(pamh, PAM_OPT_NULLOK)) 354be01d58dSDag-Erling Smørgrav return (PAM_PERM_DENIED); 355be01d58dSDag-Erling Smørgrav if (strcmp(encrypted, pwd->pw_passwd) != 0) 356ff1bc287SDag-Erling Smørgrav return (PAM_PERM_DENIED); 3577b733689SDag-Erling Smørgrav } 3587b733689SDag-Erling Smørgrav else if (flags & PAM_UPDATE_AUTHTOK) { 3597b733689SDag-Erling Smørgrav PAM_LOG("UPDATE round"); 3607b733689SDag-Erling Smørgrav 3617b733689SDag-Erling Smørgrav retval = pam_get_authtok(pamh, 3620f6517b7SDag-Erling Smørgrav PAM_OLDAUTHTOK, &old_pass, NULL); 3637b733689SDag-Erling Smørgrav if (retval != PAM_SUCCESS) 3647b733689SDag-Erling Smørgrav return (retval); 3657b733689SDag-Erling Smørgrav PAM_LOG("Got old password"); 3663d55a6c0SMark Murray 367ff1bc287SDag-Erling Smørgrav /* get new password */ 368111ccd25SDag-Erling Smørgrav for (;;) { 369111ccd25SDag-Erling Smørgrav retval = pam_get_authtok(pamh, 370111ccd25SDag-Erling Smørgrav PAM_AUTHTOK, &new_pass, NULL); 371111ccd25SDag-Erling Smørgrav if (retval != PAM_TRY_AGAIN) 3723d55a6c0SMark Murray break; 373111ccd25SDag-Erling Smørgrav pam_error(pamh, "Mismatch; try again, EOF to quit."); 3743d55a6c0SMark Murray } 375ff1bc287SDag-Erling Smørgrav PAM_LOG("Got new password"); 376c8c20c52SDag-Erling Smørgrav if (retval != PAM_SUCCESS) { 377111ccd25SDag-Erling Smørgrav PAM_VERBOSE_ERROR("Unable to get new password"); 378ff1bc287SDag-Erling Smørgrav return (retval); 379c8c20c52SDag-Erling Smørgrav } 380ff1bc287SDag-Erling Smørgrav 381be01d58dSDag-Erling Smørgrav if (getuid() != 0 && new_pass[0] == '\0' && 382545aa471SDag-Erling Smørgrav !openpam_get_option(pamh, PAM_OPT_NULLOK)) 383be01d58dSDag-Erling Smørgrav return (PAM_PERM_DENIED); 384be01d58dSDag-Erling Smørgrav 385f1d05925SDag-Erling Smørgrav if ((old_pwd = pw_dup(pwd)) == NULL) 386f1d05925SDag-Erling Smørgrav return (PAM_BUF_ERR); 387f1d05925SDag-Erling Smørgrav 388d3cf5f15SDag-Erling Smørgrav lc = login_getclass(pwd->pw_class); 389ff1bc287SDag-Erling Smørgrav if (login_setcryptfmt(lc, password_hash, NULL) == NULL) 390ff1bc287SDag-Erling Smørgrav openpam_log(PAM_LOG_ERROR, 391ff1bc287SDag-Erling Smørgrav "can't set password cipher, relying on default"); 392cc5c81f8SDag-Erling Smørgrav 393cc5c81f8SDag-Erling Smørgrav /* set password expiry date */ 394cc5c81f8SDag-Erling Smørgrav pwd->pw_change = 0; 395cc5c81f8SDag-Erling Smørgrav passwordtime = login_getcaptime(lc, "passwordtime", 0, 0); 396cc5c81f8SDag-Erling Smørgrav if (passwordtime > 0) 397cc5c81f8SDag-Erling Smørgrav pwd->pw_change = time(NULL) + passwordtime; 398cc5c81f8SDag-Erling Smørgrav 399ff1bc287SDag-Erling Smørgrav login_close(lc); 400ff1bc287SDag-Erling Smørgrav makesalt(salt); 401ff1bc287SDag-Erling Smørgrav pwd->pw_passwd = crypt(new_pass, salt); 4023d55a6c0SMark Murray #ifdef YP 403f1d05925SDag-Erling Smørgrav switch (old_pwd->pw_fields & _PWF_SOURCE) { 404ff1bc287SDag-Erling Smørgrav case _PWF_FILES: 405ff1bc287SDag-Erling Smørgrav #endif 406ff1bc287SDag-Erling Smørgrav retval = PAM_SERVICE_ERR; 407f1d05925SDag-Erling Smørgrav if (pw_init(NULL, NULL)) 408f1d05925SDag-Erling Smørgrav openpam_log(PAM_LOG_ERROR, "pw_init() failed"); 409f1d05925SDag-Erling Smørgrav else if ((pfd = pw_lock()) == -1) 410f1d05925SDag-Erling Smørgrav openpam_log(PAM_LOG_ERROR, "pw_lock() failed"); 411f1d05925SDag-Erling Smørgrav else if ((tfd = pw_tmp(-1)) == -1) 412f1d05925SDag-Erling Smørgrav openpam_log(PAM_LOG_ERROR, "pw_tmp() failed"); 413f1d05925SDag-Erling Smørgrav else if (pw_copy(pfd, tfd, pwd, old_pwd) == -1) 414f1d05925SDag-Erling Smørgrav openpam_log(PAM_LOG_ERROR, "pw_copy() failed"); 415f1d05925SDag-Erling Smørgrav else if (pw_mkdb(pwd->pw_name) == -1) 416f1d05925SDag-Erling Smørgrav openpam_log(PAM_LOG_ERROR, "pw_mkdb() failed"); 417f1d05925SDag-Erling Smørgrav else 418f1d05925SDag-Erling Smørgrav retval = PAM_SUCCESS; 419f1d05925SDag-Erling Smørgrav pw_fini(); 420ff1bc287SDag-Erling Smørgrav #ifdef YP 421ff1bc287SDag-Erling Smørgrav break; 422ff1bc287SDag-Erling Smørgrav case _PWF_NIS: 423ff1bc287SDag-Erling Smørgrav yp_domain = yp_server = NULL; 42491e93869SDag-Erling Smørgrav (void)pam_get_data(pamh, "yp_domain", &yp_domain); 42591e93869SDag-Erling Smørgrav (void)pam_get_data(pamh, "yp_server", &yp_server); 426ff1bc287SDag-Erling Smørgrav ypclnt = ypclnt_new(yp_domain, 427ff1bc287SDag-Erling Smørgrav "passwd.byname", yp_server); 428f1d05925SDag-Erling Smørgrav if (ypclnt == NULL) { 429f1d05925SDag-Erling Smørgrav retval = PAM_BUF_ERR; 430f1d05925SDag-Erling Smørgrav } else if (ypclnt_connect(ypclnt) == -1 || 431ff1bc287SDag-Erling Smørgrav ypclnt_passwd(ypclnt, pwd, old_pass) == -1) { 432ff1bc287SDag-Erling Smørgrav openpam_log(PAM_LOG_ERROR, "%s", ypclnt->error); 433ff1bc287SDag-Erling Smørgrav retval = PAM_SERVICE_ERR; 434f1d05925SDag-Erling Smørgrav } else { 435f1d05925SDag-Erling Smørgrav retval = PAM_SUCCESS; 4363d55a6c0SMark Murray } 437ff1bc287SDag-Erling Smørgrav ypclnt_free(ypclnt); 438ff1bc287SDag-Erling Smørgrav break; 439ff1bc287SDag-Erling Smørgrav default: 440ff1bc287SDag-Erling Smørgrav openpam_log(PAM_LOG_ERROR, "unsupported source 0x%x", 441ff1bc287SDag-Erling Smørgrav pwd->pw_fields & _PWF_SOURCE); 442ff1bc287SDag-Erling Smørgrav retval = PAM_SERVICE_ERR; 4433d55a6c0SMark Murray } 4443d55a6c0SMark Murray #endif 445816c6c91SJuli Mallett free(old_pwd); 4463d55a6c0SMark Murray } 4473d55a6c0SMark Murray else { 4483d55a6c0SMark Murray /* Very bad juju */ 4493d55a6c0SMark Murray retval = PAM_ABORT; 4503d55a6c0SMark Murray PAM_LOG("Illegal 'flags'"); 4513d55a6c0SMark Murray } 4523d55a6c0SMark Murray 45324fe7ba0SDag-Erling Smørgrav return (retval); 4543d55a6c0SMark Murray } 4553d55a6c0SMark Murray 4563d55a6c0SMark Murray /* Mostly stolen from passwd(1)'s local_passwd.c - markm */ 4573d55a6c0SMark Murray 4583d55a6c0SMark Murray static unsigned char itoa64[] = /* 0 ... 63 => ascii - 64 */ 4593d55a6c0SMark Murray "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"; 4603d55a6c0SMark Murray 4613d55a6c0SMark Murray static void 4623d55a6c0SMark Murray to64(char *s, long v, int n) 4633d55a6c0SMark Murray { 4643d55a6c0SMark Murray while (--n >= 0) { 4653d55a6c0SMark Murray *s++ = itoa64[v&0x3f]; 4663d55a6c0SMark Murray v >>= 6; 4673d55a6c0SMark Murray } 4683d55a6c0SMark Murray } 4693d55a6c0SMark Murray 4708c3ea588SMark Murray /* Salt suitable for traditional DES and MD5 */ 471068f3d2fSJung-uk Kim static void 472068f3d2fSJung-uk Kim makesalt(char salt[SALTSIZE + 1]) 4738c3ea588SMark Murray { 4748c3ea588SMark Murray int i; 4758c3ea588SMark Murray 4768c3ea588SMark Murray /* These are not really random numbers, they are just 4778c3ea588SMark Murray * numbers that change to thwart construction of a 478068f3d2fSJung-uk Kim * dictionary. 4798c3ea588SMark Murray */ 4808c3ea588SMark Murray for (i = 0; i < SALTSIZE; i += 4) 4818c3ea588SMark Murray to64(&salt[i], arc4random(), 4); 4828c3ea588SMark Murray salt[SALTSIZE] = '\0'; 4838c3ea588SMark Murray } 4848c3ea588SMark Murray 4859294327dSJohn Polstra PAM_MODULE_ENTRY("pam_unix"); 486