19a10bb17SJohn Polstra /*- 29a10bb17SJohn Polstra * Copyright 1998 Juniper Networks, Inc. 39a10bb17SJohn Polstra * All rights reserved. 44d6991c6SDag-Erling Smørgrav * Copyright (c) 2002-2003 Networks Associates Technology, Inc. 5e9cc7b1dSDag-Erling Smørgrav * All rights reserved. 6e9cc7b1dSDag-Erling Smørgrav * 7e9cc7b1dSDag-Erling Smørgrav * Portions of this software was developed for the FreeBSD Project by 8e9cc7b1dSDag-Erling Smørgrav * ThinkSec AS and NAI Labs, the Security Research Division of Network 9e9cc7b1dSDag-Erling Smørgrav * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 10e9cc7b1dSDag-Erling Smørgrav * ("CBOSS"), as part of the DARPA CHATS research program. 119a10bb17SJohn Polstra * 129a10bb17SJohn Polstra * Redistribution and use in source and binary forms, with or without 139a10bb17SJohn Polstra * modification, are permitted provided that the following conditions 149a10bb17SJohn Polstra * are met: 159a10bb17SJohn Polstra * 1. Redistributions of source code must retain the above copyright 169a10bb17SJohn Polstra * notice, this list of conditions and the following disclaimer. 179a10bb17SJohn Polstra * 2. Redistributions in binary form must reproduce the above copyright 189a10bb17SJohn Polstra * notice, this list of conditions and the following disclaimer in the 199a10bb17SJohn Polstra * documentation and/or other materials provided with the distribution. 20e9cc7b1dSDag-Erling Smørgrav * 3. The name of the author may not be used to endorse or promote 21e9cc7b1dSDag-Erling Smørgrav * products derived from this software without specific prior written 22e9cc7b1dSDag-Erling Smørgrav * permission. 239a10bb17SJohn Polstra * 249a10bb17SJohn Polstra * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 259a10bb17SJohn Polstra * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 269a10bb17SJohn Polstra * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 279a10bb17SJohn Polstra * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 289a10bb17SJohn Polstra * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 299a10bb17SJohn Polstra * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 309a10bb17SJohn Polstra * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 319a10bb17SJohn Polstra * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 329a10bb17SJohn Polstra * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 339a10bb17SJohn Polstra * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 349a10bb17SJohn Polstra * SUCH DAMAGE. 359a10bb17SJohn Polstra */ 369a10bb17SJohn Polstra 37ceaf33f5SMatthew Dillon #include <sys/cdefs.h> 38ceaf33f5SMatthew Dillon __FBSDID("$FreeBSD$"); 39ceaf33f5SMatthew Dillon 40e9cc7b1dSDag-Erling Smørgrav #include <sys/param.h> 41e9cc7b1dSDag-Erling Smørgrav #include <sys/socket.h> 42d65b34dbSJohn Polstra #include <sys/time.h> 43e9cc7b1dSDag-Erling Smørgrav #include <netinet/in.h> 44e9cc7b1dSDag-Erling Smørgrav #include <arpa/inet.h> 45e9cc7b1dSDag-Erling Smørgrav 46d65b34dbSJohn Polstra #include <login_cap.h> 47e9cc7b1dSDag-Erling Smørgrav #include <netdb.h> 489a10bb17SJohn Polstra #include <pwd.h> 499a10bb17SJohn Polstra #include <stdlib.h> 509a10bb17SJohn Polstra #include <string.h> 51d65b34dbSJohn Polstra #include <stdio.h> 527f28386aSDag-Erling Smørgrav #include <syslog.h> 539a10bb17SJohn Polstra #include <unistd.h> 549a10bb17SJohn Polstra 55f1d05925SDag-Erling Smørgrav #include <libutil.h> 563d55a6c0SMark Murray 573d55a6c0SMark Murray #ifdef YP 58c82bffaaSDag-Erling Smørgrav #include <ypclnt.h> 593d55a6c0SMark Murray #endif 603d55a6c0SMark Murray 619a10bb17SJohn Polstra #define PAM_SM_AUTH 62d65b34dbSJohn Polstra #define PAM_SM_ACCOUNT 633d55a6c0SMark Murray #define PAM_SM_PASSWORD 643d55a6c0SMark Murray 658c66575dSDag-Erling Smørgrav #include <security/pam_appl.h> 669a10bb17SJohn Polstra #include <security/pam_modules.h> 678c66575dSDag-Erling Smørgrav #include <security/pam_mod_misc.h> 689a10bb17SJohn Polstra 693d55a6c0SMark Murray #define PASSWORD_HASH "md5" 701642eb1aSMark Murray #define DEFAULT_WARN (2L * 7L * 86400L) /* Two weeks */ 718c3ea588SMark Murray #define SALTSIZE 32 728c3ea588SMark Murray 738c3ea588SMark Murray static void makesalt(char []); 741642eb1aSMark Murray 75ac569969SMark Murray static char password_hash[] = PASSWORD_HASH; 76ac569969SMark Murray 77545aa471SDag-Erling Smørgrav #define PAM_OPT_LOCAL_PASS "local_pass" 78545aa471SDag-Erling Smørgrav #define PAM_OPT_NIS_PASS "nis_pass" 799a10bb17SJohn Polstra 803d55a6c0SMark Murray char *tempname = NULL; 813d55a6c0SMark Murray 82d65b34dbSJohn Polstra /* 83d65b34dbSJohn Polstra * authentication management 84d65b34dbSJohn Polstra */ 859a10bb17SJohn Polstra PAM_EXTERN int 8624fe7ba0SDag-Erling Smørgrav pam_sm_authenticate(pam_handle_t *pamh, int flags __unused, 87545aa471SDag-Erling Smørgrav int argc __unused, const char *argv[] __unused) 889a10bb17SJohn Polstra { 893d55a6c0SMark Murray login_cap_t *lc; 909a10bb17SJohn Polstra struct passwd *pwd; 911642eb1aSMark Murray int retval; 92f2f306b6SRuslan Ermilov const char *pass, *user, *realpw, *prompt; 939a10bb17SJohn Polstra 94545aa471SDag-Erling Smørgrav if (openpam_get_option(pamh, PAM_OPT_AUTH_AS_SELF)) { 953d55a6c0SMark Murray pwd = getpwnam(getlogin()); 9650000f00SDag-Erling Smørgrav } else { 971642eb1aSMark Murray retval = pam_get_user(pamh, &user, NULL); 981642eb1aSMark Murray if (retval != PAM_SUCCESS) 9924fe7ba0SDag-Erling Smørgrav return (retval); 1004448b21cSMark Murray pwd = getpwnam(user); 1014448b21cSMark Murray } 1021642eb1aSMark Murray 1031642eb1aSMark Murray PAM_LOG("Got user: %s", user); 1041642eb1aSMark Murray 1054448b21cSMark Murray if (pwd != NULL) { 1061642eb1aSMark Murray PAM_LOG("Doing real authentication"); 10750000f00SDag-Erling Smørgrav realpw = pwd->pw_passwd; 10850000f00SDag-Erling Smørgrav if (realpw[0] == '\0') { 10950000f00SDag-Erling Smørgrav if (!(flags & PAM_DISALLOW_NULL_AUTHTOK) && 110545aa471SDag-Erling Smørgrav openpam_get_option(pamh, PAM_OPT_NULLOK)) 11124fe7ba0SDag-Erling Smørgrav return (PAM_SUCCESS); 11250000f00SDag-Erling Smørgrav realpw = "*"; 1131642eb1aSMark Murray } 114a8b1e59eSDag-Erling Smørgrav lc = login_getpwclass(pwd); 11550000f00SDag-Erling Smørgrav } else { 1161642eb1aSMark Murray PAM_LOG("Doing dummy authentication"); 11750000f00SDag-Erling Smørgrav realpw = "*"; 118a8b1e59eSDag-Erling Smørgrav lc = login_getclass(NULL); 11950000f00SDag-Erling Smørgrav } 12050000f00SDag-Erling Smørgrav prompt = login_getcapstr(lc, "passwd_prompt", NULL, NULL); 12150000f00SDag-Erling Smørgrav retval = pam_get_authtok(pamh, PAM_AUTHTOK, &pass, prompt); 122a8b1e59eSDag-Erling Smørgrav login_close(lc); 1231642eb1aSMark Murray if (retval != PAM_SUCCESS) 12424fe7ba0SDag-Erling Smørgrav return (retval); 1251642eb1aSMark Murray PAM_LOG("Got password"); 12650000f00SDag-Erling Smørgrav if (strcmp(crypt(pass, realpw), realpw) == 0) 12724fe7ba0SDag-Erling Smørgrav return (PAM_SUCCESS); 1281642eb1aSMark Murray 1293d55a6c0SMark Murray PAM_VERBOSE_ERROR("UNIX authentication refused"); 13024fe7ba0SDag-Erling Smørgrav return (PAM_AUTH_ERR); 1319a10bb17SJohn Polstra } 1329a10bb17SJohn Polstra 1339a10bb17SJohn Polstra PAM_EXTERN int 13424fe7ba0SDag-Erling Smørgrav pam_sm_setcred(pam_handle_t *pamh __unused, int flags __unused, 13524fe7ba0SDag-Erling Smørgrav int argc __unused, const char *argv[] __unused) 1369a10bb17SJohn Polstra { 1373d55a6c0SMark Murray 13824fe7ba0SDag-Erling Smørgrav return (PAM_SUCCESS); 1399a10bb17SJohn Polstra } 1409294327dSJohn Polstra 141d65b34dbSJohn Polstra /* 142d65b34dbSJohn Polstra * account management 143d65b34dbSJohn Polstra */ 1443d55a6c0SMark Murray PAM_EXTERN int 14524fe7ba0SDag-Erling Smørgrav pam_sm_acct_mgmt(pam_handle_t *pamh, int flags __unused, 146545aa471SDag-Erling Smørgrav int argc __unused, const char *argv[] __unused) 147d65b34dbSJohn Polstra { 148e9cc7b1dSDag-Erling Smørgrav struct addrinfo hints, *res; 149e9cc7b1dSDag-Erling Smørgrav struct passwd *pwd; 150d65b34dbSJohn Polstra struct timeval tp; 1511642eb1aSMark Murray login_cap_t *lc; 152d65b34dbSJohn Polstra time_t warntime; 153d65b34dbSJohn Polstra int retval; 154e9cc7b1dSDag-Erling Smørgrav const char *rhost, *tty, *user; 1558f303102SDag-Erling Smørgrav char rhostip[MAXHOSTNAMELEN] = ""; 1561642eb1aSMark Murray 157111ccd25SDag-Erling Smørgrav retval = pam_get_user(pamh, &user, NULL); 158e9cc7b1dSDag-Erling Smørgrav if (retval != PAM_SUCCESS) 15924fe7ba0SDag-Erling Smørgrav return (retval); 160d65b34dbSJohn Polstra 161e9cc7b1dSDag-Erling Smørgrav if (user == NULL || (pwd = getpwnam(user)) == NULL) 16224fe7ba0SDag-Erling Smørgrav return (PAM_SERVICE_ERR); 1631642eb1aSMark Murray 1641642eb1aSMark Murray PAM_LOG("Got user: %s", user); 165d65b34dbSJohn Polstra 166e9cc7b1dSDag-Erling Smørgrav retval = pam_get_item(pamh, PAM_RHOST, (const void **)&rhost); 167e9cc7b1dSDag-Erling Smørgrav if (retval != PAM_SUCCESS) 16824fe7ba0SDag-Erling Smørgrav return (retval); 169d65b34dbSJohn Polstra 170e9cc7b1dSDag-Erling Smørgrav retval = pam_get_item(pamh, PAM_TTY, (const void **)&tty); 171e9cc7b1dSDag-Erling Smørgrav if (retval != PAM_SUCCESS) 17224fe7ba0SDag-Erling Smørgrav return (retval); 173d65b34dbSJohn Polstra 174e9cc7b1dSDag-Erling Smørgrav if (*pwd->pw_passwd == '\0' && 175e9cc7b1dSDag-Erling Smørgrav (flags & PAM_DISALLOW_NULL_AUTHTOK) != 0) 176e9cc7b1dSDag-Erling Smørgrav return (PAM_NEW_AUTHTOK_REQD); 177e9cc7b1dSDag-Erling Smørgrav 178e9cc7b1dSDag-Erling Smørgrav lc = login_getpwclass(pwd); 179e9cc7b1dSDag-Erling Smørgrav if (lc == NULL) { 180e9cc7b1dSDag-Erling Smørgrav PAM_LOG("Unable to get login class for user %s", user); 181e9cc7b1dSDag-Erling Smørgrav return (PAM_SERVICE_ERR); 182e9cc7b1dSDag-Erling Smørgrav } 183d65b34dbSJohn Polstra 1841642eb1aSMark Murray PAM_LOG("Got login_cap"); 1851642eb1aSMark Murray 186e9cc7b1dSDag-Erling Smørgrav if (pwd->pw_change || pwd->pw_expire) 187e9cc7b1dSDag-Erling Smørgrav gettimeofday(&tp, NULL); 188d65b34dbSJohn Polstra 189e9cc7b1dSDag-Erling Smørgrav /* 190e9cc7b1dSDag-Erling Smørgrav * Check pw_expire before pw_change - no point in letting the 191e9cc7b1dSDag-Erling Smørgrav * user change the password on an expired account. 192e9cc7b1dSDag-Erling Smørgrav */ 193d65b34dbSJohn Polstra 194e9cc7b1dSDag-Erling Smørgrav if (pwd->pw_expire) { 195e9cc7b1dSDag-Erling Smørgrav warntime = login_getcaptime(lc, "warnexpire", 196e9cc7b1dSDag-Erling Smørgrav DEFAULT_WARN, DEFAULT_WARN); 197e9cc7b1dSDag-Erling Smørgrav if (tp.tv_sec >= pwd->pw_expire) { 198e9cc7b1dSDag-Erling Smørgrav login_close(lc); 19924fe7ba0SDag-Erling Smørgrav return (PAM_ACCT_EXPIRED); 200e9cc7b1dSDag-Erling Smørgrav } else if (pwd->pw_expire - tp.tv_sec < warntime && 201e9cc7b1dSDag-Erling Smørgrav (flags & PAM_SILENT) == 0) { 202519b6a4cSDag-Erling Smørgrav pam_error(pamh, "Warning: your account expires on %s", 203e9cc7b1dSDag-Erling Smørgrav ctime(&pwd->pw_expire)); 204d65b34dbSJohn Polstra } 205d65b34dbSJohn Polstra } 206d65b34dbSJohn Polstra 207e9cc7b1dSDag-Erling Smørgrav retval = PAM_SUCCESS; 208e9cc7b1dSDag-Erling Smørgrav if (pwd->pw_change) { 209e9cc7b1dSDag-Erling Smørgrav warntime = login_getcaptime(lc, "warnpassword", 210e9cc7b1dSDag-Erling Smørgrav DEFAULT_WARN, DEFAULT_WARN); 211e9cc7b1dSDag-Erling Smørgrav if (tp.tv_sec >= pwd->pw_change) { 212e9cc7b1dSDag-Erling Smørgrav retval = PAM_NEW_AUTHTOK_REQD; 213e9cc7b1dSDag-Erling Smørgrav } else if (pwd->pw_change - tp.tv_sec < warntime && 214e9cc7b1dSDag-Erling Smørgrav (flags & PAM_SILENT) == 0) { 215519b6a4cSDag-Erling Smørgrav pam_error(pamh, "Warning: your password expires on %s", 216e9cc7b1dSDag-Erling Smørgrav ctime(&pwd->pw_change)); 217e9cc7b1dSDag-Erling Smørgrav } 218e9cc7b1dSDag-Erling Smørgrav } 219e9cc7b1dSDag-Erling Smørgrav 220e9cc7b1dSDag-Erling Smørgrav /* 221e9cc7b1dSDag-Erling Smørgrav * From here on, we must leave retval untouched (unless we 222e9cc7b1dSDag-Erling Smørgrav * know we're going to fail), because we need to remember 223e9cc7b1dSDag-Erling Smørgrav * whether we're supposed to return PAM_SUCCESS or 224e9cc7b1dSDag-Erling Smørgrav * PAM_NEW_AUTHTOK_REQD. 225e9cc7b1dSDag-Erling Smørgrav */ 226e9cc7b1dSDag-Erling Smørgrav 227ccd703cfSDag-Erling Smørgrav if (rhost && *rhost) { 228e9cc7b1dSDag-Erling Smørgrav memset(&hints, 0, sizeof(hints)); 229e9cc7b1dSDag-Erling Smørgrav hints.ai_family = AF_UNSPEC; 230e9cc7b1dSDag-Erling Smørgrav if (getaddrinfo(rhost, NULL, &hints, &res) == 0) { 231e9cc7b1dSDag-Erling Smørgrav getnameinfo(res->ai_addr, res->ai_addrlen, 232e9cc7b1dSDag-Erling Smørgrav rhostip, sizeof(rhostip), NULL, 0, 233e9cc7b1dSDag-Erling Smørgrav NI_NUMERICHOST|NI_WITHSCOPEID); 234e9cc7b1dSDag-Erling Smørgrav } 235e9cc7b1dSDag-Erling Smørgrav if (res != NULL) 236e9cc7b1dSDag-Erling Smørgrav freeaddrinfo(res); 237e9cc7b1dSDag-Erling Smørgrav } 238e9cc7b1dSDag-Erling Smørgrav 239e9cc7b1dSDag-Erling Smørgrav /* 240e9cc7b1dSDag-Erling Smørgrav * Check host / tty / time-of-day restrictions 241e9cc7b1dSDag-Erling Smørgrav */ 242e9cc7b1dSDag-Erling Smørgrav 243e9cc7b1dSDag-Erling Smørgrav if (!auth_hostok(lc, rhost, rhostip) || 244e9cc7b1dSDag-Erling Smørgrav !auth_ttyok(lc, tty) || 245e9cc7b1dSDag-Erling Smørgrav !auth_timeok(lc, time(NULL))) 246e9cc7b1dSDag-Erling Smørgrav retval = PAM_AUTH_ERR; 247e9cc7b1dSDag-Erling Smørgrav 248d65b34dbSJohn Polstra login_close(lc); 2491642eb1aSMark Murray 25024fe7ba0SDag-Erling Smørgrav return (retval); 2513d55a6c0SMark Murray } 2523d55a6c0SMark Murray 2533d55a6c0SMark Murray /* 2543d55a6c0SMark Murray * password management 2553d55a6c0SMark Murray * 2563d55a6c0SMark Murray * standard Unix and NIS password changing 2573d55a6c0SMark Murray */ 2583d55a6c0SMark Murray PAM_EXTERN int 25924fe7ba0SDag-Erling Smørgrav pam_sm_chauthtok(pam_handle_t *pamh, int flags, 260545aa471SDag-Erling Smørgrav int argc __unused, const char *argv[] __unused) 2613d55a6c0SMark Murray { 262ff1bc287SDag-Erling Smørgrav #ifdef YP 263ff1bc287SDag-Erling Smørgrav struct ypclnt *ypclnt; 264ff1bc287SDag-Erling Smørgrav const char *yp_domain, *yp_server; 265ff1bc287SDag-Erling Smørgrav #endif 266ff1bc287SDag-Erling Smørgrav char salt[SALTSIZE + 1]; 267ff1bc287SDag-Erling Smørgrav login_cap_t * lc; 268f1d05925SDag-Erling Smørgrav struct passwd *pwd, *old_pwd; 269ff1bc287SDag-Erling Smørgrav const char *user, *old_pass, *new_pass; 270ff1bc287SDag-Erling Smørgrav char *encrypted; 271ff1bc287SDag-Erling Smørgrav int pfd, tfd, retval; 2723d55a6c0SMark Murray 273545aa471SDag-Erling Smørgrav if (openpam_get_option(pamh, PAM_OPT_AUTH_AS_SELF)) 2743d55a6c0SMark Murray pwd = getpwnam(getlogin()); 2753d55a6c0SMark Murray else { 2763d55a6c0SMark Murray retval = pam_get_user(pamh, &user, NULL); 2773d55a6c0SMark Murray if (retval != PAM_SUCCESS) 27824fe7ba0SDag-Erling Smørgrav return (retval); 2793d55a6c0SMark Murray pwd = getpwnam(user); 2803d55a6c0SMark Murray } 2813d55a6c0SMark Murray 282f1d05925SDag-Erling Smørgrav if (pwd == NULL) 283f1d05925SDag-Erling Smørgrav return (PAM_AUTHTOK_RECOVERY_ERR); 284f1d05925SDag-Erling Smørgrav 2853d55a6c0SMark Murray PAM_LOG("Got user: %s", user); 2863d55a6c0SMark Murray 2873d55a6c0SMark Murray if (flags & PAM_PRELIM_CHECK) { 2883d55a6c0SMark Murray 2897b733689SDag-Erling Smørgrav PAM_LOG("PRELIM round"); 2903d55a6c0SMark Murray 2910f6517b7SDag-Erling Smørgrav if (getuid() == 0 && 2920f6517b7SDag-Erling Smørgrav (pwd->pw_fields & _PWF_SOURCE) == _PWF_FILES) 2930f6517b7SDag-Erling Smørgrav /* root doesn't need the old password */ 2940f6517b7SDag-Erling Smørgrav return (pam_set_item(pamh, PAM_OLDAUTHTOK, "")); 295dd01398dSMartin Blapp #ifdef YP 296dd01398dSMartin Blapp if (getuid() == 0 && 297dd01398dSMartin Blapp (pwd->pw_fields & _PWF_SOURCE) == _PWF_NIS) { 2980f6517b7SDag-Erling Smørgrav 299dd01398dSMartin Blapp yp_domain = yp_server = NULL; 300dd01398dSMartin Blapp (void)pam_get_data(pamh, 301dd01398dSMartin Blapp "yp_domain", (const void **)&yp_domain); 302dd01398dSMartin Blapp (void)pam_get_data(pamh, 303dd01398dSMartin Blapp "yp_server", (const void **)&yp_server); 304dd01398dSMartin Blapp 305dd01398dSMartin Blapp ypclnt = ypclnt_new(yp_domain, "passwd.byname", yp_server); 306dd01398dSMartin Blapp if (ypclnt == NULL) 307dd01398dSMartin Blapp return (PAM_BUF_ERR); 308dd01398dSMartin Blapp 309dd01398dSMartin Blapp if (ypclnt_connect(ypclnt) == -1) { 310dd01398dSMartin Blapp ypclnt_free(ypclnt); 311dd01398dSMartin Blapp return (PAM_SERVICE_ERR); 312dd01398dSMartin Blapp } 313dd01398dSMartin Blapp 314dd01398dSMartin Blapp retval = ypclnt_havepasswdd(ypclnt); 315dd01398dSMartin Blapp ypclnt_free(ypclnt); 316dd01398dSMartin Blapp if (retval == 1) 317dd01398dSMartin Blapp return (pam_set_item(pamh, PAM_OLDAUTHTOK, "")); 318dd01398dSMartin Blapp else if (retval == -1) 319dd01398dSMartin Blapp return (PAM_SERVICE_ERR); 320dd01398dSMartin Blapp } 321dd01398dSMartin Blapp #endif 3223d55a6c0SMark Murray if (pwd->pw_passwd[0] == '\0' 323545aa471SDag-Erling Smørgrav && openpam_get_option(pamh, PAM_OPT_NULLOK)) { 3243d55a6c0SMark Murray /* 3253d55a6c0SMark Murray * No password case. XXX Are we giving too much away 3263d55a6c0SMark Murray * by not prompting for a password? 327111ccd25SDag-Erling Smørgrav * XXX check PAM_DISALLOW_NULL_AUTHTOK 3283d55a6c0SMark Murray */ 329ff1bc287SDag-Erling Smørgrav old_pass = ""; 330ff1bc287SDag-Erling Smørgrav } else { 331111ccd25SDag-Erling Smørgrav retval = pam_get_authtok(pamh, 332ff1bc287SDag-Erling Smørgrav PAM_OLDAUTHTOK, &old_pass, NULL); 3333d55a6c0SMark Murray if (retval != PAM_SUCCESS) 33424fe7ba0SDag-Erling Smørgrav return (retval); 3353d55a6c0SMark Murray } 336111ccd25SDag-Erling Smørgrav PAM_LOG("Got old password"); 337ff1bc287SDag-Erling Smørgrav /* always encrypt first */ 338ff1bc287SDag-Erling Smørgrav encrypted = crypt(old_pass, pwd->pw_passwd); 339be01d58dSDag-Erling Smørgrav if (old_pass[0] == '\0' && 340545aa471SDag-Erling Smørgrav !openpam_get_option(pamh, PAM_OPT_NULLOK)) 341be01d58dSDag-Erling Smørgrav return (PAM_PERM_DENIED); 342be01d58dSDag-Erling Smørgrav if (strcmp(encrypted, pwd->pw_passwd) != 0) 343ff1bc287SDag-Erling Smørgrav return (PAM_PERM_DENIED); 3447b733689SDag-Erling Smørgrav } 3457b733689SDag-Erling Smørgrav else if (flags & PAM_UPDATE_AUTHTOK) { 3467b733689SDag-Erling Smørgrav PAM_LOG("UPDATE round"); 3477b733689SDag-Erling Smørgrav 3487b733689SDag-Erling Smørgrav retval = pam_get_authtok(pamh, 3490f6517b7SDag-Erling Smørgrav PAM_OLDAUTHTOK, &old_pass, NULL); 3507b733689SDag-Erling Smørgrav if (retval != PAM_SUCCESS) 3517b733689SDag-Erling Smørgrav return (retval); 3527b733689SDag-Erling Smørgrav PAM_LOG("Got old password"); 3533d55a6c0SMark Murray 354ff1bc287SDag-Erling Smørgrav /* get new password */ 355111ccd25SDag-Erling Smørgrav for (;;) { 356111ccd25SDag-Erling Smørgrav retval = pam_get_authtok(pamh, 357111ccd25SDag-Erling Smørgrav PAM_AUTHTOK, &new_pass, NULL); 358111ccd25SDag-Erling Smørgrav if (retval != PAM_TRY_AGAIN) 3593d55a6c0SMark Murray break; 360111ccd25SDag-Erling Smørgrav pam_error(pamh, "Mismatch; try again, EOF to quit."); 3613d55a6c0SMark Murray } 362ff1bc287SDag-Erling Smørgrav PAM_LOG("Got new password"); 363c8c20c52SDag-Erling Smørgrav if (retval != PAM_SUCCESS) { 364111ccd25SDag-Erling Smørgrav PAM_VERBOSE_ERROR("Unable to get new password"); 365ff1bc287SDag-Erling Smørgrav return (retval); 366c8c20c52SDag-Erling Smørgrav } 367ff1bc287SDag-Erling Smørgrav 368be01d58dSDag-Erling Smørgrav if (getuid() != 0 && new_pass[0] == '\0' && 369545aa471SDag-Erling Smørgrav !openpam_get_option(pamh, PAM_OPT_NULLOK)) 370be01d58dSDag-Erling Smørgrav return (PAM_PERM_DENIED); 371be01d58dSDag-Erling Smørgrav 372f1d05925SDag-Erling Smørgrav if ((old_pwd = pw_dup(pwd)) == NULL) 373f1d05925SDag-Erling Smørgrav return (PAM_BUF_ERR); 374f1d05925SDag-Erling Smørgrav 375ff1bc287SDag-Erling Smørgrav pwd->pw_change = 0; 376ff1bc287SDag-Erling Smørgrav lc = login_getclass(NULL); 377ff1bc287SDag-Erling Smørgrav if (login_setcryptfmt(lc, password_hash, NULL) == NULL) 378ff1bc287SDag-Erling Smørgrav openpam_log(PAM_LOG_ERROR, 379ff1bc287SDag-Erling Smørgrav "can't set password cipher, relying on default"); 380ff1bc287SDag-Erling Smørgrav login_close(lc); 381ff1bc287SDag-Erling Smørgrav makesalt(salt); 382ff1bc287SDag-Erling Smørgrav pwd->pw_passwd = crypt(new_pass, salt); 3833d55a6c0SMark Murray #ifdef YP 384f1d05925SDag-Erling Smørgrav switch (old_pwd->pw_fields & _PWF_SOURCE) { 385ff1bc287SDag-Erling Smørgrav case _PWF_FILES: 386ff1bc287SDag-Erling Smørgrav #endif 387ff1bc287SDag-Erling Smørgrav retval = PAM_SERVICE_ERR; 388f1d05925SDag-Erling Smørgrav if (pw_init(NULL, NULL)) 389f1d05925SDag-Erling Smørgrav openpam_log(PAM_LOG_ERROR, "pw_init() failed"); 390f1d05925SDag-Erling Smørgrav else if ((pfd = pw_lock()) == -1) 391f1d05925SDag-Erling Smørgrav openpam_log(PAM_LOG_ERROR, "pw_lock() failed"); 392f1d05925SDag-Erling Smørgrav else if ((tfd = pw_tmp(-1)) == -1) 393f1d05925SDag-Erling Smørgrav openpam_log(PAM_LOG_ERROR, "pw_tmp() failed"); 394f1d05925SDag-Erling Smørgrav else if (pw_copy(pfd, tfd, pwd, old_pwd) == -1) 395f1d05925SDag-Erling Smørgrav openpam_log(PAM_LOG_ERROR, "pw_copy() failed"); 396f1d05925SDag-Erling Smørgrav else if (pw_mkdb(pwd->pw_name) == -1) 397f1d05925SDag-Erling Smørgrav openpam_log(PAM_LOG_ERROR, "pw_mkdb() failed"); 398f1d05925SDag-Erling Smørgrav else 399f1d05925SDag-Erling Smørgrav retval = PAM_SUCCESS; 400f1d05925SDag-Erling Smørgrav pw_fini(); 401ff1bc287SDag-Erling Smørgrav #ifdef YP 402ff1bc287SDag-Erling Smørgrav break; 403ff1bc287SDag-Erling Smørgrav case _PWF_NIS: 404ff1bc287SDag-Erling Smørgrav yp_domain = yp_server = NULL; 405ff1bc287SDag-Erling Smørgrav (void)pam_get_data(pamh, 406ff1bc287SDag-Erling Smørgrav "yp_domain", (const void **)&yp_domain); 407ff1bc287SDag-Erling Smørgrav (void)pam_get_data(pamh, 408ff1bc287SDag-Erling Smørgrav "yp_server", (const void **)&yp_server); 409ff1bc287SDag-Erling Smørgrav ypclnt = ypclnt_new(yp_domain, 410ff1bc287SDag-Erling Smørgrav "passwd.byname", yp_server); 411f1d05925SDag-Erling Smørgrav if (ypclnt == NULL) { 412f1d05925SDag-Erling Smørgrav retval = PAM_BUF_ERR; 413f1d05925SDag-Erling Smørgrav } else if (ypclnt_connect(ypclnt) == -1 || 414ff1bc287SDag-Erling Smørgrav ypclnt_passwd(ypclnt, pwd, old_pass) == -1) { 415ff1bc287SDag-Erling Smørgrav openpam_log(PAM_LOG_ERROR, "%s", ypclnt->error); 416ff1bc287SDag-Erling Smørgrav retval = PAM_SERVICE_ERR; 417f1d05925SDag-Erling Smørgrav } else { 418f1d05925SDag-Erling Smørgrav retval = PAM_SUCCESS; 4193d55a6c0SMark Murray } 420ff1bc287SDag-Erling Smørgrav ypclnt_free(ypclnt); 421ff1bc287SDag-Erling Smørgrav break; 422ff1bc287SDag-Erling Smørgrav default: 423ff1bc287SDag-Erling Smørgrav openpam_log(PAM_LOG_ERROR, "unsupported source 0x%x", 424ff1bc287SDag-Erling Smørgrav pwd->pw_fields & _PWF_SOURCE); 425ff1bc287SDag-Erling Smørgrav retval = PAM_SERVICE_ERR; 4263d55a6c0SMark Murray } 4273d55a6c0SMark Murray #endif 428816c6c91SJuli Mallett free(old_pwd); 4293d55a6c0SMark Murray } 4303d55a6c0SMark Murray else { 4313d55a6c0SMark Murray /* Very bad juju */ 4323d55a6c0SMark Murray retval = PAM_ABORT; 4333d55a6c0SMark Murray PAM_LOG("Illegal 'flags'"); 4343d55a6c0SMark Murray } 4353d55a6c0SMark Murray 43624fe7ba0SDag-Erling Smørgrav return (retval); 4373d55a6c0SMark Murray } 4383d55a6c0SMark Murray 4393d55a6c0SMark Murray /* Mostly stolen from passwd(1)'s local_passwd.c - markm */ 4403d55a6c0SMark Murray 4413d55a6c0SMark Murray static unsigned char itoa64[] = /* 0 ... 63 => ascii - 64 */ 4423d55a6c0SMark Murray "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"; 4433d55a6c0SMark Murray 4443d55a6c0SMark Murray static void 4453d55a6c0SMark Murray to64(char *s, long v, int n) 4463d55a6c0SMark Murray { 4473d55a6c0SMark Murray while (--n >= 0) { 4483d55a6c0SMark Murray *s++ = itoa64[v&0x3f]; 4493d55a6c0SMark Murray v >>= 6; 4503d55a6c0SMark Murray } 4513d55a6c0SMark Murray } 4523d55a6c0SMark Murray 4538c3ea588SMark Murray /* Salt suitable for traditional DES and MD5 */ 4548c3ea588SMark Murray void 4558c3ea588SMark Murray makesalt(char salt[SALTSIZE]) 4568c3ea588SMark Murray { 4578c3ea588SMark Murray int i; 4588c3ea588SMark Murray 4598c3ea588SMark Murray /* These are not really random numbers, they are just 4608c3ea588SMark Murray * numbers that change to thwart construction of a 4618c3ea588SMark Murray * dictionary. This is exposed to the public. 4628c3ea588SMark Murray */ 4638c3ea588SMark Murray for (i = 0; i < SALTSIZE; i += 4) 4648c3ea588SMark Murray to64(&salt[i], arc4random(), 4); 4658c3ea588SMark Murray salt[SALTSIZE] = '\0'; 4668c3ea588SMark Murray } 4678c3ea588SMark Murray 4689294327dSJohn Polstra PAM_MODULE_ENTRY("pam_unix"); 469