xref: /illumos-gate/usr/src/lib/pam_modules/passwd_auth/passwd_auth.c (revision dc25fd745d311a1cf9d98d7b7897caa0877adff0)
1 /*
2  * CDDL HEADER START
3  *
4  * The contents of this file are subject to the terms of the
5  * Common Development and Distribution License (the "License").
6  * You may not use this file except in compliance with the License.
7  *
8  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9  * or http://www.opensolaris.org/os/licensing.
10  * See the License for the specific language governing permissions
11  * and limitations under the License.
12  *
13  * When distributing Covered Code, include this CDDL HEADER in each
14  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15  * If applicable, add the following below this CDDL HEADER, with the
16  * fields enclosed by brackets "[]" replaced with your own identifying
17  * information: Portions Copyright [yyyy] [name of copyright owner]
18  *
19  * CDDL HEADER END
20  */
21 /*
22  * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
23  * Use is subject to license terms.
24  */
25 
26 #include <sys/types.h>
27 #include <sys/varargs.h>
28 #include <string.h>
29 #include <stdlib.h>
30 #include <syslog.h>
31 #include <unistd.h>
32 #include <crypt.h>
33 #include <pwd.h>
34 #include <libintl.h>
35 
36 #include <security/pam_appl.h>
37 #include <security/pam_modules.h>
38 #include <security/pam_impl.h>
39 
40 #include <passwdutil.h>
41 
42 #include <sys/note.h>
43 
44 /*PRINTFLIKE3*/
45 void
46 error(int nowarn, pam_handle_t *pamh, char *fmt, ...)
47 {
48 	va_list ap;
49 	char messages[PAM_MAX_NUM_MSG][PAM_MAX_MSG_SIZE];
50 
51 	va_start(ap, fmt);
52 	(void) vsnprintf(messages[0], sizeof (messages[0]), fmt, ap);
53 	if (nowarn == 0)
54 		(void) __pam_display_msg(pamh, PAM_ERROR_MSG, 1, messages,
55 		    NULL);
56 	va_end(ap);
57 }
58 
59 /*
60  * int pam_sm_authenticate(pamh, flags, argc, argv)
61  *
62  * Read authentication token from user.
63  */
64 int
65 pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv)
66 {
67 
68 	char	*user;
69 	char	*password;
70 	char	*service;
71 	int	i;
72 	int	debug = 0;
73 	int	nowarn = 0;
74 	int	res;
75 	char	prompt[PAM_MAX_MSG_SIZE];
76 	char	*auth_user = NULL;
77 	int	retval;
78 	int	privileged;
79 	char	*rep_passwd = NULL;
80 	char	*repository_name = NULL;
81 	attrlist al[8];
82 	int	min;
83 	int	max;
84 	int	lstchg;
85 	int	server_policy = 0;
86 
87 	pam_repository_t *auth_rep = NULL;
88 	pwu_repository_t *pwu_rep = NULL;
89 
90 	for (i = 0; i < argc; i++) {
91 		if (strcmp(argv[i], "debug") == 0)
92 			debug = 1;
93 		if (strcmp(argv[i], "nowarn") == 0)
94 			nowarn = 1;
95 		if (strcmp(argv[i], "server_policy") == 0)
96 			server_policy = 1;
97 	}
98 
99 	if (flags & PAM_SILENT)
100 		nowarn = 1;
101 
102 	if ((res = pam_get_user(pamh, &user, NULL)) != PAM_SUCCESS) {
103 		if (debug)
104 			syslog(LOG_DEBUG, "pam_passwd_auth: "
105 			    "get user failed: %s", pam_strerror(pamh, res));
106 		return (res);
107 	}
108 
109 	if (user == NULL || *user == '\0') {
110 		syslog(LOG_ERR, "pam_passwd_auth: pam_sm_authenticate: "
111 		    "PAM_USER NULL or empty");
112 		return (PAM_SYSTEM_ERR);
113 	}
114 
115 	res = pam_get_item(pamh, PAM_AUTHTOK, (void **)&password);
116 	if (res != PAM_SUCCESS)
117 		return (res);
118 
119 	if (password != NULL)
120 		return (PAM_IGNORE);
121 
122 	res = pam_get_item(pamh, PAM_SERVICE, (void **)&service);
123 	if (res != PAM_SUCCESS)
124 		return (res);
125 
126 	res = pam_get_item(pamh, PAM_REPOSITORY, (void **)&auth_rep);
127 	if (res != PAM_SUCCESS) {
128 		syslog(LOG_ERR, "pam_passwd_auth: pam_sm_authenticate: "
129 		    "error getting repository");
130 		return (PAM_SYSTEM_ERR);
131 	}
132 
133 	if (auth_rep == NULL) {
134 		pwu_rep = PWU_DEFAULT_REP;
135 	} else {
136 		if ((pwu_rep = calloc(1, sizeof (*pwu_rep))) == NULL)
137 			return (PAM_BUF_ERR);
138 		pwu_rep->type = auth_rep->type;
139 		pwu_rep->scope = auth_rep->scope;
140 		pwu_rep->scope_len = auth_rep->scope_len;
141 	}
142 
143 	res = __user_to_authenticate(user, pwu_rep, &auth_user, &privileged);
144 	if (res != PWU_SUCCESS) {
145 		if (res == PWU_NOT_FOUND)
146 			retval = PAM_USER_UNKNOWN;
147 		else if (res == PWU_DENIED)
148 			retval = PAM_PERM_DENIED;
149 		else if (res == PWU_REPOSITORY_ERROR) {
150 			syslog(LOG_NOTICE,
151 			    "pam_passwd_auth: detected unsupported "
152 			    "configuration in /etc/nsswitch.conf.");
153 			error(nowarn, pamh, dgettext(TEXT_DOMAIN, "%s: "
154 			    "Unsupported nsswitch entry for \"passwd:\"."
155 			    " Use \"-r repository \"."), service);
156 			retval = PAM_SYSTEM_ERR;
157 		} else
158 			retval = PAM_SYSTEM_ERR;
159 		if (debug)
160 			syslog(LOG_DEBUG, "passwd_auth: __user_to_authenticate "
161 			    "returned %d", retval);
162 		goto out;
163 	}
164 
165 	if (auth_user == NULL) {		/* No authentication needed */
166 		if (debug)
167 			syslog(LOG_DEBUG,
168 			    "passwd_auth: no authentication needed.");
169 		retval = PAM_SUCCESS;
170 		goto out;
171 	}
172 
173 	/*
174 	 * The password prompt differs between users updating their
175 	 * own password, and users updating other an user's password
176 	 */
177 	if (privileged) {
178 		/*
179 		 * TRANSLATION_NOTE
180 		 * The following string has a single space at the end
181 		 */
182 		(void) snprintf(prompt, sizeof (prompt),
183 		    dgettext(TEXT_DOMAIN, "Enter %s's password: "),
184 		    auth_user);
185 	} else {
186 		/*
187 		 * TRANSLATION_NOTE
188 		 * The following string has a single space at the end
189 		 */
190 		(void) snprintf(prompt, sizeof (prompt),
191 		    dgettext(TEXT_DOMAIN, "Enter existing login password: "));
192 	}
193 
194 	retval = __pam_get_authtok(pamh, PAM_PROMPT, PAM_AUTHTOK, prompt,
195 	    &password);
196 	if (retval != PAM_SUCCESS)
197 		goto out;
198 
199 	if (password == NULL) {
200 		syslog(LOG_ERR, "pam_passwd_auth: pam_sm_authenticate: "
201 		    "got NULL password from get_authtok()");
202 		retval = PAM_AUTH_ERR;
203 		goto out;
204 	}
205 
206 	/* Privileged users can skip the tests that follow */
207 	if (privileged)
208 		goto setitem;
209 
210 	/*
211 	 * Non privileged user: so we need to check the old password
212 	 * and possible restrictions on password changes.
213 	 */
214 
215 	/* Get password and it's age from the repository specified */
216 	al[0].type = ATTR_PASSWD; al[0].next = &al[1];
217 	al[1].type = ATTR_MIN; al[1].next = &al[2];
218 	al[2].type = ATTR_MAX; al[2].next = &al[3];
219 	al[3].type = ATTR_LSTCHG; al[3].next = &al[4];
220 	al[4].type = ATTR_WARN; al[4].next = &al[5];
221 	al[5].type = ATTR_INACT; al[5].next = &al[6];
222 	al[6].type = ATTR_EXPIRE; al[6].next = &al[7];
223 	al[7].type = ATTR_REP_NAME; al[7].next = NULL;
224 
225 	res = __get_authtoken_attr(auth_user, pwu_rep, al);
226 
227 	if (res != PWU_SUCCESS) {
228 		retval = PAM_SYSTEM_ERR;
229 		goto out;
230 	}
231 
232 	repository_name = al[7].data.val_s;
233 
234 	/*
235 	 * if repository isn't files|nis, and user wants to follow server
236 	 * policy, return PAM_IGNORE
237 	 */
238 	if (server_policy &&
239 	    strcmp(repository_name, "files") != 0 &&
240 	    strcmp(repository_name, "nis") != 0) {
241 		retval = PAM_IGNORE;
242 		goto out;
243 	}
244 
245 	rep_passwd = al[0].data.val_s;
246 
247 	/*
248 	 * Chop off old SunOS-style password aging information.
249 	 *
250 	 * Note: old style password aging is only defined for UNIX-style
251 	 *	 crypt strings, hence the comma will always be at position 14.
252 	 * Note: This code is here because some other vendors might still
253 	 *	 support this style of password aging. If we don't remove
254 	 *	 the age field, users won't be able to change their password.
255 	 * XXX   yank this code when we're certain this "compatibility"
256 	 *	 isn't needed anymore.
257 	 */
258 	if (rep_passwd != NULL && rep_passwd[0] != '$' &&
259 	    strlen(rep_passwd) > 13 && rep_passwd[13] == ',')
260 		rep_passwd[13] = '\0';
261 
262 	if (strcmp(crypt(password, rep_passwd), rep_passwd) != 0) {
263 		retval = PAM_AUTH_ERR;
264 		goto out;
265 	}
266 
267 	/*
268 	 * Now check to see if the user is allowed to change
269 	 * the password.
270 	 */
271 	min = al[1].data.val_i;
272 	max = al[2].data.val_i;
273 	lstchg = al[3].data.val_i;
274 
275 	if (max != -1 && lstchg != 0) {
276 		/* aging is turned on, and a change is not forced */
277 		time_t daynow = DAY_NOW_32;
278 		if ((time_t)lstchg <= daynow) {
279 			/* Aged enough? */
280 			if (daynow < (time_t)(lstchg + min)) {
281 				error(nowarn, pamh, dgettext(TEXT_DOMAIN,
282 				    "%s: Sorry: less than %d days "
283 				    "since the last change."),
284 				    service, min);
285 				retval = PAM_PERM_DENIED;
286 				goto out;
287 			}
288 
289 			/*
290 			 * users with min>max are not allowed to
291 			 * change their password.
292 			 */
293 			if (min > max) {
294 				error(nowarn, pamh, dgettext(TEXT_DOMAIN,
295 				    "%s: You may not change "
296 				    "this password."), service);
297 				retval = PAM_PERM_DENIED;
298 				goto out;
299 			}
300 		}
301 	}
302 
303 setitem:
304 
305 	retval = pam_set_item(pamh, PAM_AUTHTOK, (void *)password);
306 
307 out:
308 	if (password) {
309 		(void) memset(password, 0, strlen(password));
310 		free(password);
311 	}
312 	if (rep_passwd) {
313 		(void) memset(rep_passwd, 0, strlen(rep_passwd));
314 		free(rep_passwd);
315 	}
316 	if (pwu_rep)
317 		free(pwu_rep);
318 	if (auth_user)
319 		free(auth_user);
320 	if (repository_name)
321 		free(repository_name);
322 
323 	return (retval);
324 }
325 
326 /*ARGSUSED*/
327 int
328 pam_sm_setcred(pam_handle_t *pamh, int flags, int argc, const char **argv)
329 {
330 	return (PAM_IGNORE);
331 }
332