17c478bd9Sstevel@tonic-gate /*
27c478bd9Sstevel@tonic-gate * CDDL HEADER START
37c478bd9Sstevel@tonic-gate *
47c478bd9Sstevel@tonic-gate * The contents of this file are subject to the terms of the
53ed4a803SJoep Vesseur * Common Development and Distribution License (the "License").
63ed4a803SJoep Vesseur * You may not use this file except in compliance with the License.
77c478bd9Sstevel@tonic-gate *
87c478bd9Sstevel@tonic-gate * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
97c478bd9Sstevel@tonic-gate * or http://www.opensolaris.org/os/licensing.
107c478bd9Sstevel@tonic-gate * See the License for the specific language governing permissions
117c478bd9Sstevel@tonic-gate * and limitations under the License.
127c478bd9Sstevel@tonic-gate *
137c478bd9Sstevel@tonic-gate * When distributing Covered Code, include this CDDL HEADER in each
147c478bd9Sstevel@tonic-gate * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
157c478bd9Sstevel@tonic-gate * If applicable, add the following below this CDDL HEADER, with the
167c478bd9Sstevel@tonic-gate * fields enclosed by brackets "[]" replaced with your own identifying
177c478bd9Sstevel@tonic-gate * information: Portions Copyright [yyyy] [name of copyright owner]
187c478bd9Sstevel@tonic-gate *
197c478bd9Sstevel@tonic-gate * CDDL HEADER END
207c478bd9Sstevel@tonic-gate */
217c478bd9Sstevel@tonic-gate /*
223ed4a803SJoep Vesseur * Copyright 2009 Sun Microsystems, Inc. All rights reserved.
237c478bd9Sstevel@tonic-gate * Use is subject to license terms.
247c478bd9Sstevel@tonic-gate */
257c478bd9Sstevel@tonic-gate
267c478bd9Sstevel@tonic-gate #include <sys/types.h>
277c478bd9Sstevel@tonic-gate #include <sys/varargs.h>
287c478bd9Sstevel@tonic-gate #include <string.h>
297c478bd9Sstevel@tonic-gate #include <stdlib.h>
307c478bd9Sstevel@tonic-gate #include <syslog.h>
317c478bd9Sstevel@tonic-gate #include <unistd.h>
327c478bd9Sstevel@tonic-gate #include <crypt.h>
337c478bd9Sstevel@tonic-gate #include <pwd.h>
347c478bd9Sstevel@tonic-gate #include <libintl.h>
357c478bd9Sstevel@tonic-gate
367c478bd9Sstevel@tonic-gate #include <security/pam_appl.h>
377c478bd9Sstevel@tonic-gate #include <security/pam_modules.h>
387c478bd9Sstevel@tonic-gate #include <security/pam_impl.h>
397c478bd9Sstevel@tonic-gate
407c478bd9Sstevel@tonic-gate #include <passwdutil.h>
417c478bd9Sstevel@tonic-gate
427c478bd9Sstevel@tonic-gate #include <sys/note.h>
437c478bd9Sstevel@tonic-gate
447c478bd9Sstevel@tonic-gate /*PRINTFLIKE3*/
457c478bd9Sstevel@tonic-gate void
error(int nowarn,pam_handle_t * pamh,char * fmt,...)467c478bd9Sstevel@tonic-gate error(int nowarn, pam_handle_t *pamh, char *fmt, ...)
477c478bd9Sstevel@tonic-gate {
487c478bd9Sstevel@tonic-gate va_list ap;
497c478bd9Sstevel@tonic-gate char messages[PAM_MAX_NUM_MSG][PAM_MAX_MSG_SIZE];
507c478bd9Sstevel@tonic-gate
517c478bd9Sstevel@tonic-gate va_start(ap, fmt);
527c478bd9Sstevel@tonic-gate (void) vsnprintf(messages[0], sizeof (messages[0]), fmt, ap);
537c478bd9Sstevel@tonic-gate if (nowarn == 0)
547c478bd9Sstevel@tonic-gate (void) __pam_display_msg(pamh, PAM_ERROR_MSG, 1, messages,
557c478bd9Sstevel@tonic-gate NULL);
567c478bd9Sstevel@tonic-gate va_end(ap);
577c478bd9Sstevel@tonic-gate }
587c478bd9Sstevel@tonic-gate
597c478bd9Sstevel@tonic-gate /*
607c478bd9Sstevel@tonic-gate * int pam_sm_authenticate(pamh, flags, argc, argv)
617c478bd9Sstevel@tonic-gate *
627c478bd9Sstevel@tonic-gate * Read authentication token from user.
637c478bd9Sstevel@tonic-gate */
647c478bd9Sstevel@tonic-gate int
pam_sm_authenticate(pam_handle_t * pamh,int flags,int argc,const char ** argv)657c478bd9Sstevel@tonic-gate pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv)
667c478bd9Sstevel@tonic-gate {
677c478bd9Sstevel@tonic-gate
687c478bd9Sstevel@tonic-gate char *user;
697c478bd9Sstevel@tonic-gate char *password;
707c478bd9Sstevel@tonic-gate char *service;
717c478bd9Sstevel@tonic-gate int i;
727c478bd9Sstevel@tonic-gate int debug = 0;
737c478bd9Sstevel@tonic-gate int nowarn = 0;
747c478bd9Sstevel@tonic-gate int res;
757c478bd9Sstevel@tonic-gate char prompt[PAM_MAX_MSG_SIZE];
767c478bd9Sstevel@tonic-gate char *auth_user = NULL;
777c478bd9Sstevel@tonic-gate int retval;
787c478bd9Sstevel@tonic-gate int privileged;
797c478bd9Sstevel@tonic-gate char *rep_passwd = NULL;
807c478bd9Sstevel@tonic-gate char *repository_name = NULL;
817c478bd9Sstevel@tonic-gate attrlist al[8];
827c478bd9Sstevel@tonic-gate int min;
837c478bd9Sstevel@tonic-gate int max;
847c478bd9Sstevel@tonic-gate int lstchg;
857c478bd9Sstevel@tonic-gate int server_policy = 0;
867c478bd9Sstevel@tonic-gate
877c478bd9Sstevel@tonic-gate pam_repository_t *auth_rep = NULL;
887c478bd9Sstevel@tonic-gate pwu_repository_t *pwu_rep = NULL;
897c478bd9Sstevel@tonic-gate
907c478bd9Sstevel@tonic-gate for (i = 0; i < argc; i++) {
917c478bd9Sstevel@tonic-gate if (strcmp(argv[i], "debug") == 0)
927c478bd9Sstevel@tonic-gate debug = 1;
937c478bd9Sstevel@tonic-gate if (strcmp(argv[i], "nowarn") == 0)
947c478bd9Sstevel@tonic-gate nowarn = 1;
957c478bd9Sstevel@tonic-gate if (strcmp(argv[i], "server_policy") == 0)
967c478bd9Sstevel@tonic-gate server_policy = 1;
977c478bd9Sstevel@tonic-gate }
987c478bd9Sstevel@tonic-gate
997c478bd9Sstevel@tonic-gate if (flags & PAM_SILENT)
1007c478bd9Sstevel@tonic-gate nowarn = 1;
1017c478bd9Sstevel@tonic-gate
1027c478bd9Sstevel@tonic-gate if ((res = pam_get_user(pamh, &user, NULL)) != PAM_SUCCESS) {
1037c478bd9Sstevel@tonic-gate if (debug)
1047c478bd9Sstevel@tonic-gate syslog(LOG_DEBUG, "pam_passwd_auth: "
1057c478bd9Sstevel@tonic-gate "get user failed: %s", pam_strerror(pamh, res));
1067c478bd9Sstevel@tonic-gate return (res);
1077c478bd9Sstevel@tonic-gate }
1087c478bd9Sstevel@tonic-gate
1097c478bd9Sstevel@tonic-gate if (user == NULL || *user == '\0') {
1107c478bd9Sstevel@tonic-gate syslog(LOG_ERR, "pam_passwd_auth: pam_sm_authenticate: "
1117c478bd9Sstevel@tonic-gate "PAM_USER NULL or empty");
1127c478bd9Sstevel@tonic-gate return (PAM_SYSTEM_ERR);
1137c478bd9Sstevel@tonic-gate }
1147c478bd9Sstevel@tonic-gate
1157c478bd9Sstevel@tonic-gate res = pam_get_item(pamh, PAM_AUTHTOK, (void **)&password);
1167c478bd9Sstevel@tonic-gate if (res != PAM_SUCCESS)
1177c478bd9Sstevel@tonic-gate return (res);
1187c478bd9Sstevel@tonic-gate
1197c478bd9Sstevel@tonic-gate if (password != NULL)
1203ed4a803SJoep Vesseur return (PAM_IGNORE);
1217c478bd9Sstevel@tonic-gate
1227c478bd9Sstevel@tonic-gate res = pam_get_item(pamh, PAM_SERVICE, (void **)&service);
1237c478bd9Sstevel@tonic-gate if (res != PAM_SUCCESS)
1247c478bd9Sstevel@tonic-gate return (res);
1257c478bd9Sstevel@tonic-gate
1267c478bd9Sstevel@tonic-gate res = pam_get_item(pamh, PAM_REPOSITORY, (void **)&auth_rep);
1277c478bd9Sstevel@tonic-gate if (res != PAM_SUCCESS) {
1287c478bd9Sstevel@tonic-gate syslog(LOG_ERR, "pam_passwd_auth: pam_sm_authenticate: "
1297c478bd9Sstevel@tonic-gate "error getting repository");
1307c478bd9Sstevel@tonic-gate return (PAM_SYSTEM_ERR);
1317c478bd9Sstevel@tonic-gate }
1327c478bd9Sstevel@tonic-gate
1337c478bd9Sstevel@tonic-gate if (auth_rep == NULL) {
1347c478bd9Sstevel@tonic-gate pwu_rep = PWU_DEFAULT_REP;
1357c478bd9Sstevel@tonic-gate } else {
1367c478bd9Sstevel@tonic-gate if ((pwu_rep = calloc(1, sizeof (*pwu_rep))) == NULL)
1377c478bd9Sstevel@tonic-gate return (PAM_BUF_ERR);
1387c478bd9Sstevel@tonic-gate pwu_rep->type = auth_rep->type;
1397c478bd9Sstevel@tonic-gate pwu_rep->scope = auth_rep->scope;
1407c478bd9Sstevel@tonic-gate pwu_rep->scope_len = auth_rep->scope_len;
1417c478bd9Sstevel@tonic-gate }
1427c478bd9Sstevel@tonic-gate
1437c478bd9Sstevel@tonic-gate res = __user_to_authenticate(user, pwu_rep, &auth_user, &privileged);
1447c478bd9Sstevel@tonic-gate if (res != PWU_SUCCESS) {
1457c478bd9Sstevel@tonic-gate if (res == PWU_NOT_FOUND)
1467c478bd9Sstevel@tonic-gate retval = PAM_USER_UNKNOWN;
1477c478bd9Sstevel@tonic-gate else if (res == PWU_DENIED)
1487c478bd9Sstevel@tonic-gate retval = PAM_PERM_DENIED;
1497c478bd9Sstevel@tonic-gate else if (res == PWU_REPOSITORY_ERROR) {
1507c478bd9Sstevel@tonic-gate syslog(LOG_NOTICE,
1517c478bd9Sstevel@tonic-gate "pam_passwd_auth: detected unsupported "
1527c478bd9Sstevel@tonic-gate "configuration in /etc/nsswitch.conf.");
1537c478bd9Sstevel@tonic-gate error(nowarn, pamh, dgettext(TEXT_DOMAIN, "%s: "
1547c478bd9Sstevel@tonic-gate "Unsupported nsswitch entry for \"passwd:\"."
1557c478bd9Sstevel@tonic-gate " Use \"-r repository \"."), service);
1567c478bd9Sstevel@tonic-gate retval = PAM_SYSTEM_ERR;
1577c478bd9Sstevel@tonic-gate } else
1587c478bd9Sstevel@tonic-gate retval = PAM_SYSTEM_ERR;
1597c478bd9Sstevel@tonic-gate if (debug)
1607c478bd9Sstevel@tonic-gate syslog(LOG_DEBUG, "passwd_auth: __user_to_authenticate "
1617c478bd9Sstevel@tonic-gate "returned %d", retval);
1627c478bd9Sstevel@tonic-gate goto out;
1637c478bd9Sstevel@tonic-gate }
1647c478bd9Sstevel@tonic-gate
1657c478bd9Sstevel@tonic-gate if (auth_user == NULL) { /* No authentication needed */
1667c478bd9Sstevel@tonic-gate if (debug)
1677c478bd9Sstevel@tonic-gate syslog(LOG_DEBUG,
1687c478bd9Sstevel@tonic-gate "passwd_auth: no authentication needed.");
1697c478bd9Sstevel@tonic-gate retval = PAM_SUCCESS;
1707c478bd9Sstevel@tonic-gate goto out;
1717c478bd9Sstevel@tonic-gate }
1727c478bd9Sstevel@tonic-gate
1737c478bd9Sstevel@tonic-gate /*
1747c478bd9Sstevel@tonic-gate * The password prompt differs between users updating their
1757c478bd9Sstevel@tonic-gate * own password, and users updating other an user's password
1767c478bd9Sstevel@tonic-gate */
1777c478bd9Sstevel@tonic-gate if (privileged) {
1787c478bd9Sstevel@tonic-gate /*
1797c478bd9Sstevel@tonic-gate * TRANSLATION_NOTE
1807c478bd9Sstevel@tonic-gate * The following string has a single space at the end
1817c478bd9Sstevel@tonic-gate */
1827c478bd9Sstevel@tonic-gate (void) snprintf(prompt, sizeof (prompt),
1837c478bd9Sstevel@tonic-gate dgettext(TEXT_DOMAIN, "Enter %s's password: "),
1847c478bd9Sstevel@tonic-gate auth_user);
1857c478bd9Sstevel@tonic-gate } else {
1867c478bd9Sstevel@tonic-gate /*
1877c478bd9Sstevel@tonic-gate * TRANSLATION_NOTE
1887c478bd9Sstevel@tonic-gate * The following string has a single space at the end
1897c478bd9Sstevel@tonic-gate */
1907c478bd9Sstevel@tonic-gate (void) snprintf(prompt, sizeof (prompt),
1917c478bd9Sstevel@tonic-gate dgettext(TEXT_DOMAIN, "Enter existing login password: "));
1927c478bd9Sstevel@tonic-gate }
1937c478bd9Sstevel@tonic-gate
1947c478bd9Sstevel@tonic-gate retval = __pam_get_authtok(pamh, PAM_PROMPT, PAM_AUTHTOK, prompt,
1957c478bd9Sstevel@tonic-gate &password);
1967c478bd9Sstevel@tonic-gate if (retval != PAM_SUCCESS)
1977c478bd9Sstevel@tonic-gate goto out;
1987c478bd9Sstevel@tonic-gate
1997c478bd9Sstevel@tonic-gate if (password == NULL) {
2007c478bd9Sstevel@tonic-gate syslog(LOG_ERR, "pam_passwd_auth: pam_sm_authenticate: "
2017c478bd9Sstevel@tonic-gate "got NULL password from get_authtok()");
2027c478bd9Sstevel@tonic-gate retval = PAM_AUTH_ERR;
2037c478bd9Sstevel@tonic-gate goto out;
2047c478bd9Sstevel@tonic-gate }
2057c478bd9Sstevel@tonic-gate
2067c478bd9Sstevel@tonic-gate /* Privileged users can skip the tests that follow */
2077c478bd9Sstevel@tonic-gate if (privileged)
2087c478bd9Sstevel@tonic-gate goto setitem;
2097c478bd9Sstevel@tonic-gate
2107c478bd9Sstevel@tonic-gate /*
2117c478bd9Sstevel@tonic-gate * Non privileged user: so we need to check the old password
2127c478bd9Sstevel@tonic-gate * and possible restrictions on password changes.
2137c478bd9Sstevel@tonic-gate */
2147c478bd9Sstevel@tonic-gate
2157c478bd9Sstevel@tonic-gate /* Get password and it's age from the repository specified */
2167c478bd9Sstevel@tonic-gate al[0].type = ATTR_PASSWD; al[0].next = &al[1];
2177c478bd9Sstevel@tonic-gate al[1].type = ATTR_MIN; al[1].next = &al[2];
2187c478bd9Sstevel@tonic-gate al[2].type = ATTR_MAX; al[2].next = &al[3];
2197c478bd9Sstevel@tonic-gate al[3].type = ATTR_LSTCHG; al[3].next = &al[4];
2207c478bd9Sstevel@tonic-gate al[4].type = ATTR_WARN; al[4].next = &al[5];
2217c478bd9Sstevel@tonic-gate al[5].type = ATTR_INACT; al[5].next = &al[6];
2227c478bd9Sstevel@tonic-gate al[6].type = ATTR_EXPIRE; al[6].next = &al[7];
2237c478bd9Sstevel@tonic-gate al[7].type = ATTR_REP_NAME; al[7].next = NULL;
2247c478bd9Sstevel@tonic-gate
2257c478bd9Sstevel@tonic-gate res = __get_authtoken_attr(auth_user, pwu_rep, al);
2267c478bd9Sstevel@tonic-gate
2277c478bd9Sstevel@tonic-gate if (res != PWU_SUCCESS) {
2287c478bd9Sstevel@tonic-gate retval = PAM_SYSTEM_ERR;
2297c478bd9Sstevel@tonic-gate goto out;
2307c478bd9Sstevel@tonic-gate }
2317c478bd9Sstevel@tonic-gate
2327c478bd9Sstevel@tonic-gate repository_name = al[7].data.val_s;
2337c478bd9Sstevel@tonic-gate
2347c478bd9Sstevel@tonic-gate /*
235*36e852a1SRaja Andra * if repository isn't files|nis, and user wants to follow server
236*36e852a1SRaja Andra * policy, return PAM_IGNORE
2377c478bd9Sstevel@tonic-gate */
2387c478bd9Sstevel@tonic-gate if (server_policy &&
2397c478bd9Sstevel@tonic-gate strcmp(repository_name, "files") != 0 &&
240*36e852a1SRaja Andra strcmp(repository_name, "nis") != 0) {
2417c478bd9Sstevel@tonic-gate retval = PAM_IGNORE;
2427c478bd9Sstevel@tonic-gate goto out;
2437c478bd9Sstevel@tonic-gate }
2447c478bd9Sstevel@tonic-gate
2457c478bd9Sstevel@tonic-gate rep_passwd = al[0].data.val_s;
2467c478bd9Sstevel@tonic-gate
247035f2e82Sjjj /*
248035f2e82Sjjj * Chop off old SunOS-style password aging information.
249035f2e82Sjjj *
250035f2e82Sjjj * Note: old style password aging is only defined for UNIX-style
251035f2e82Sjjj * crypt strings, hence the comma will always be at position 14.
252035f2e82Sjjj * Note: This code is here because some other vendors might still
253035f2e82Sjjj * support this style of password aging. If we don't remove
254035f2e82Sjjj * the age field, users won't be able to change their password.
255035f2e82Sjjj * XXX yank this code when we're certain this "compatibility"
256035f2e82Sjjj * isn't needed anymore.
257035f2e82Sjjj */
258035f2e82Sjjj if (rep_passwd != NULL && rep_passwd[0] != '$' &&
259035f2e82Sjjj strlen(rep_passwd) > 13 && rep_passwd[13] == ',')
260035f2e82Sjjj rep_passwd[13] = '\0';
261035f2e82Sjjj
2627c478bd9Sstevel@tonic-gate if (strcmp(crypt(password, rep_passwd), rep_passwd) != 0) {
2637c478bd9Sstevel@tonic-gate retval = PAM_AUTH_ERR;
2647c478bd9Sstevel@tonic-gate goto out;
2657c478bd9Sstevel@tonic-gate }
2667c478bd9Sstevel@tonic-gate
2677c478bd9Sstevel@tonic-gate /*
2687c478bd9Sstevel@tonic-gate * Now check to see if the user is allowed to change
2697c478bd9Sstevel@tonic-gate * the password.
2707c478bd9Sstevel@tonic-gate */
2717c478bd9Sstevel@tonic-gate min = al[1].data.val_i;
2727c478bd9Sstevel@tonic-gate max = al[2].data.val_i;
2737c478bd9Sstevel@tonic-gate lstchg = al[3].data.val_i;
2747c478bd9Sstevel@tonic-gate
2757c478bd9Sstevel@tonic-gate if (max != -1 && lstchg != 0) {
2767c478bd9Sstevel@tonic-gate /* aging is turned on, and a change is not forced */
2777c478bd9Sstevel@tonic-gate time_t daynow = DAY_NOW_32;
2787c478bd9Sstevel@tonic-gate if ((time_t)lstchg <= daynow) {
2797c478bd9Sstevel@tonic-gate /* Aged enough? */
2807c478bd9Sstevel@tonic-gate if (daynow < (time_t)(lstchg + min)) {
2817c478bd9Sstevel@tonic-gate error(nowarn, pamh, dgettext(TEXT_DOMAIN,
2827c478bd9Sstevel@tonic-gate "%s: Sorry: less than %d days "
2837c478bd9Sstevel@tonic-gate "since the last change."),
2847c478bd9Sstevel@tonic-gate service, min);
2857c478bd9Sstevel@tonic-gate retval = PAM_PERM_DENIED;
2867c478bd9Sstevel@tonic-gate goto out;
2877c478bd9Sstevel@tonic-gate }
2887c478bd9Sstevel@tonic-gate
2897c478bd9Sstevel@tonic-gate /*
2907c478bd9Sstevel@tonic-gate * users with min>max are not allowed to
2917c478bd9Sstevel@tonic-gate * change their password.
2927c478bd9Sstevel@tonic-gate */
2937c478bd9Sstevel@tonic-gate if (min > max) {
2947c478bd9Sstevel@tonic-gate error(nowarn, pamh, dgettext(TEXT_DOMAIN,
2957c478bd9Sstevel@tonic-gate "%s: You may not change "
2967c478bd9Sstevel@tonic-gate "this password."), service);
2977c478bd9Sstevel@tonic-gate retval = PAM_PERM_DENIED;
2987c478bd9Sstevel@tonic-gate goto out;
2997c478bd9Sstevel@tonic-gate }
3007c478bd9Sstevel@tonic-gate }
3017c478bd9Sstevel@tonic-gate }
3027c478bd9Sstevel@tonic-gate
3037c478bd9Sstevel@tonic-gate setitem:
3047c478bd9Sstevel@tonic-gate
3057c478bd9Sstevel@tonic-gate retval = pam_set_item(pamh, PAM_AUTHTOK, (void *)password);
3067c478bd9Sstevel@tonic-gate
3077c478bd9Sstevel@tonic-gate out:
3087c478bd9Sstevel@tonic-gate if (password) {
3097c478bd9Sstevel@tonic-gate (void) memset(password, 0, strlen(password));
3107c478bd9Sstevel@tonic-gate free(password);
3117c478bd9Sstevel@tonic-gate }
3127c478bd9Sstevel@tonic-gate if (rep_passwd) {
3137c478bd9Sstevel@tonic-gate (void) memset(rep_passwd, 0, strlen(rep_passwd));
3147c478bd9Sstevel@tonic-gate free(rep_passwd);
3157c478bd9Sstevel@tonic-gate }
3167c478bd9Sstevel@tonic-gate if (pwu_rep)
3177c478bd9Sstevel@tonic-gate free(pwu_rep);
3187c478bd9Sstevel@tonic-gate if (auth_user)
3197c478bd9Sstevel@tonic-gate free(auth_user);
3207c478bd9Sstevel@tonic-gate if (repository_name)
3217c478bd9Sstevel@tonic-gate free(repository_name);
3227c478bd9Sstevel@tonic-gate
3237c478bd9Sstevel@tonic-gate return (retval);
3247c478bd9Sstevel@tonic-gate }
3257c478bd9Sstevel@tonic-gate
3267c478bd9Sstevel@tonic-gate /*ARGSUSED*/
3277c478bd9Sstevel@tonic-gate int
pam_sm_setcred(pam_handle_t * pamh,int flags,int argc,const char ** argv)3287c478bd9Sstevel@tonic-gate pam_sm_setcred(pam_handle_t *pamh, int flags, int argc, const char **argv)
3297c478bd9Sstevel@tonic-gate {
3307c478bd9Sstevel@tonic-gate return (PAM_IGNORE);
3317c478bd9Sstevel@tonic-gate }
332