1 /* 2 * CDDL HEADER START 3 * 4 * The contents of this file are subject to the terms of the 5 * Common Development and Distribution License (the "License"). 6 * You may not use this file except in compliance with the License. 7 * 8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 9 * or http://www.opensolaris.org/os/licensing. 10 * See the License for the specific language governing permissions 11 * and limitations under the License. 12 * 13 * When distributing Covered Code, include this CDDL HEADER in each 14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 15 * If applicable, add the following below this CDDL HEADER, with the 16 * fields enclosed by brackets "[]" replaced with your own identifying 17 * information: Portions Copyright [yyyy] [name of copyright owner] 18 * 19 * CDDL HEADER END 20 */ 21 /* 22 * Copyright 2009 Sun Microsystems, Inc. All rights reserved. 23 * Use is subject to license terms. 24 */ 25 26 #include <sys/types.h> 27 #include <sys/varargs.h> 28 #include <string.h> 29 #include <stdlib.h> 30 #include <syslog.h> 31 #include <unistd.h> 32 #include <crypt.h> 33 #include <pwd.h> 34 #include <libintl.h> 35 36 #include <security/pam_appl.h> 37 #include <security/pam_modules.h> 38 #include <security/pam_impl.h> 39 40 #include <passwdutil.h> 41 42 #include <sys/note.h> 43 44 /*PRINTFLIKE3*/ 45 void 46 error(int nowarn, pam_handle_t *pamh, char *fmt, ...) 47 { 48 va_list ap; 49 char messages[PAM_MAX_NUM_MSG][PAM_MAX_MSG_SIZE]; 50 51 va_start(ap, fmt); 52 (void) vsnprintf(messages[0], sizeof (messages[0]), fmt, ap); 53 if (nowarn == 0) 54 (void) __pam_display_msg(pamh, PAM_ERROR_MSG, 1, messages, 55 NULL); 56 va_end(ap); 57 } 58 59 /* 60 * int pam_sm_authenticate(pamh, flags, argc, argv) 61 * 62 * Read authentication token from user. 63 */ 64 int 65 pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv) 66 { 67 68 char *user; 69 char *password; 70 char *service; 71 int i; 72 int debug = 0; 73 int nowarn = 0; 74 int res; 75 char prompt[PAM_MAX_MSG_SIZE]; 76 char *auth_user = NULL; 77 int retval; 78 int privileged; 79 char *rep_passwd = NULL; 80 char *repository_name = NULL; 81 attrlist al[8]; 82 int min; 83 int max; 84 int lstchg; 85 int server_policy = 0; 86 87 pam_repository_t *auth_rep = NULL; 88 pwu_repository_t *pwu_rep = NULL; 89 90 for (i = 0; i < argc; i++) { 91 if (strcmp(argv[i], "debug") == 0) 92 debug = 1; 93 if (strcmp(argv[i], "nowarn") == 0) 94 nowarn = 1; 95 if (strcmp(argv[i], "server_policy") == 0) 96 server_policy = 1; 97 } 98 99 if (flags & PAM_SILENT) 100 nowarn = 1; 101 102 if ((res = pam_get_user(pamh, &user, NULL)) != PAM_SUCCESS) { 103 if (debug) 104 syslog(LOG_DEBUG, "pam_passwd_auth: " 105 "get user failed: %s", pam_strerror(pamh, res)); 106 return (res); 107 } 108 109 if (user == NULL || *user == '\0') { 110 syslog(LOG_ERR, "pam_passwd_auth: pam_sm_authenticate: " 111 "PAM_USER NULL or empty"); 112 return (PAM_SYSTEM_ERR); 113 } 114 115 res = pam_get_item(pamh, PAM_AUTHTOK, (void **)&password); 116 if (res != PAM_SUCCESS) 117 return (res); 118 119 if (password != NULL) 120 return (PAM_IGNORE); 121 122 res = pam_get_item(pamh, PAM_SERVICE, (void **)&service); 123 if (res != PAM_SUCCESS) 124 return (res); 125 126 res = pam_get_item(pamh, PAM_REPOSITORY, (void **)&auth_rep); 127 if (res != PAM_SUCCESS) { 128 syslog(LOG_ERR, "pam_passwd_auth: pam_sm_authenticate: " 129 "error getting repository"); 130 return (PAM_SYSTEM_ERR); 131 } 132 133 if (auth_rep == NULL) { 134 pwu_rep = PWU_DEFAULT_REP; 135 } else { 136 if ((pwu_rep = calloc(1, sizeof (*pwu_rep))) == NULL) 137 return (PAM_BUF_ERR); 138 pwu_rep->type = auth_rep->type; 139 pwu_rep->scope = auth_rep->scope; 140 pwu_rep->scope_len = auth_rep->scope_len; 141 } 142 143 res = __user_to_authenticate(user, pwu_rep, &auth_user, &privileged); 144 if (res != PWU_SUCCESS) { 145 if (res == PWU_NOT_FOUND) 146 retval = PAM_USER_UNKNOWN; 147 else if (res == PWU_DENIED) 148 retval = PAM_PERM_DENIED; 149 else if (res == PWU_REPOSITORY_ERROR) { 150 syslog(LOG_NOTICE, 151 "pam_passwd_auth: detected unsupported " 152 "configuration in /etc/nsswitch.conf."); 153 error(nowarn, pamh, dgettext(TEXT_DOMAIN, "%s: " 154 "Unsupported nsswitch entry for \"passwd:\"." 155 " Use \"-r repository \"."), service); 156 retval = PAM_SYSTEM_ERR; 157 } else 158 retval = PAM_SYSTEM_ERR; 159 if (debug) 160 syslog(LOG_DEBUG, "passwd_auth: __user_to_authenticate " 161 "returned %d", retval); 162 goto out; 163 } 164 165 if (auth_user == NULL) { /* No authentication needed */ 166 if (debug) 167 syslog(LOG_DEBUG, 168 "passwd_auth: no authentication needed."); 169 retval = PAM_SUCCESS; 170 goto out; 171 } 172 173 /* 174 * The password prompt differs between users updating their 175 * own password, and users updating other an user's password 176 */ 177 if (privileged) { 178 /* 179 * TRANSLATION_NOTE 180 * The following string has a single space at the end 181 */ 182 (void) snprintf(prompt, sizeof (prompt), 183 dgettext(TEXT_DOMAIN, "Enter %s's password: "), 184 auth_user); 185 } else { 186 /* 187 * TRANSLATION_NOTE 188 * The following string has a single space at the end 189 */ 190 (void) snprintf(prompt, sizeof (prompt), 191 dgettext(TEXT_DOMAIN, "Enter existing login password: ")); 192 } 193 194 retval = __pam_get_authtok(pamh, PAM_PROMPT, PAM_AUTHTOK, prompt, 195 &password); 196 if (retval != PAM_SUCCESS) 197 goto out; 198 199 if (password == NULL) { 200 syslog(LOG_ERR, "pam_passwd_auth: pam_sm_authenticate: " 201 "got NULL password from get_authtok()"); 202 retval = PAM_AUTH_ERR; 203 goto out; 204 } 205 206 /* Privileged users can skip the tests that follow */ 207 if (privileged) 208 goto setitem; 209 210 /* 211 * Non privileged user: so we need to check the old password 212 * and possible restrictions on password changes. 213 */ 214 215 /* Get password and it's age from the repository specified */ 216 al[0].type = ATTR_PASSWD; al[0].next = &al[1]; 217 al[1].type = ATTR_MIN; al[1].next = &al[2]; 218 al[2].type = ATTR_MAX; al[2].next = &al[3]; 219 al[3].type = ATTR_LSTCHG; al[3].next = &al[4]; 220 al[4].type = ATTR_WARN; al[4].next = &al[5]; 221 al[5].type = ATTR_INACT; al[5].next = &al[6]; 222 al[6].type = ATTR_EXPIRE; al[6].next = &al[7]; 223 al[7].type = ATTR_REP_NAME; al[7].next = NULL; 224 225 res = __get_authtoken_attr(auth_user, pwu_rep, al); 226 227 if (res != PWU_SUCCESS) { 228 retval = PAM_SYSTEM_ERR; 229 goto out; 230 } 231 232 repository_name = al[7].data.val_s; 233 234 /* 235 * if repository isn't files|nis|nisplus, and 236 * user wants to follow server policy, 237 * return PAM_IGNORE 238 */ 239 if (server_policy && 240 strcmp(repository_name, "files") != 0 && 241 strcmp(repository_name, "nis") != 0 && 242 strcmp(repository_name, "nisplus") != 0) { 243 retval = PAM_IGNORE; 244 goto out; 245 } 246 247 rep_passwd = al[0].data.val_s; 248 249 /* 250 * Chop off old SunOS-style password aging information. 251 * 252 * Note: old style password aging is only defined for UNIX-style 253 * crypt strings, hence the comma will always be at position 14. 254 * Note: This code is here because some other vendors might still 255 * support this style of password aging. If we don't remove 256 * the age field, users won't be able to change their password. 257 * XXX yank this code when we're certain this "compatibility" 258 * isn't needed anymore. 259 */ 260 if (rep_passwd != NULL && rep_passwd[0] != '$' && 261 strlen(rep_passwd) > 13 && rep_passwd[13] == ',') 262 rep_passwd[13] = '\0'; 263 264 if (strcmp(crypt(password, rep_passwd), rep_passwd) != 0) { 265 retval = PAM_AUTH_ERR; 266 goto out; 267 } 268 269 /* 270 * Now check to see if the user is allowed to change 271 * the password. 272 */ 273 min = al[1].data.val_i; 274 max = al[2].data.val_i; 275 lstchg = al[3].data.val_i; 276 277 if (max != -1 && lstchg != 0) { 278 /* aging is turned on, and a change is not forced */ 279 time_t daynow = DAY_NOW_32; 280 if ((time_t)lstchg <= daynow) { 281 /* Aged enough? */ 282 if (daynow < (time_t)(lstchg + min)) { 283 error(nowarn, pamh, dgettext(TEXT_DOMAIN, 284 "%s: Sorry: less than %d days " 285 "since the last change."), 286 service, min); 287 retval = PAM_PERM_DENIED; 288 goto out; 289 } 290 291 /* 292 * users with min>max are not allowed to 293 * change their password. 294 */ 295 if (min > max) { 296 error(nowarn, pamh, dgettext(TEXT_DOMAIN, 297 "%s: You may not change " 298 "this password."), service); 299 retval = PAM_PERM_DENIED; 300 goto out; 301 } 302 } 303 } 304 305 setitem: 306 307 retval = pam_set_item(pamh, PAM_AUTHTOK, (void *)password); 308 309 out: 310 if (password) { 311 (void) memset(password, 0, strlen(password)); 312 free(password); 313 } 314 if (rep_passwd) { 315 (void) memset(rep_passwd, 0, strlen(rep_passwd)); 316 free(rep_passwd); 317 } 318 if (pwu_rep) 319 free(pwu_rep); 320 if (auth_user) 321 free(auth_user); 322 if (repository_name) 323 free(repository_name); 324 325 return (retval); 326 } 327 328 /*ARGSUSED*/ 329 int 330 pam_sm_setcred(pam_handle_t *pamh, int flags, int argc, const char **argv) 331 { 332 return (PAM_IGNORE); 333 } 334
Indexes created Tue Nov 24 03:15:15 UTC 2009
Terms of Use |
Privacy |
Trademarks |
Copyright Policy |
Site Guidelines |
Help
Your use of this web site or any of its content or software indicates your agreement to be bound by these Terms of Use.
Copyright © 1995-2008 Sun Microsystems, Inc.