-rw-r--r--modules/Makefile8
-rw-r--r--modules/pam_unix/Makefile~41
-rw-r--r--modules/pam_unix/pam_unix.c92
-rw-r--r--modules/pam_unix/pam_unix.c~79
-rw-r--r--modules/pam_unix/pam_unix.obin0 -> 7780 bytes
-rwxr-xr-xmodules/pam_unix/pam_unix.sobin0 -> 10155 bytes
6 files changed, 166 insertions, 54 deletions
diff --git a/modules/Makefile b/modules/Makefile
new file mode 100644
index 0000000..e34ad20
--- /dev/null
+++ b/modules/Makefile
@@ -0,0 +1,8 @@
+all install clean:
+ $(MAKE) -C pam_unix $@
+ $(MAKE) -C pam_securetty $@
+ $(MAKE) -C pam_nologin $@
+ $(MAKE) -C pam_shells $@
+ $(MAKE) -C pam_wheel $@
+ $(MAKE) -C pam_rootok $@
+
diff --git a/modules/pam_unix/Makefile~ b/modules/pam_unix/Makefile~
deleted file mode 100644
index eb399cc..0000000
--- a/modules/pam_unix/Makefile~
+++ /dev/null
@@ -1,41 +0,0 @@
-#
-## Copyright (c) 2008 by Seraphim Mellos. See LICENSE.
-#
-
-include ../../Make.defs
-
-TITLE = pam_unix
-PAM_SO_SUFFIX =
-LIBSHARED = $(TITLE).so$(PAM_SO_SUFFIX)
-SHLIBMODE = 755
-MAN8 = $(TITLE).8
-MANMODE = 644
-#SECUREDIR = /lib/security
-#MANDIR = /usr/share/man
-#DESTDIR =
-
-
-
-PROJ = $(LIBSHARED)
-OBJS = pam_unix.o
-
-all:
- case "`uname -s`" in \
- Linux) $(MAKE) CFLAGS="$(CFLAGS)" LDFLAGS="$(LDFLAGS)" \
- LDLIBS="$(LDLIBS)" $(PROJ);;\
- FreeBSD) echo "Not yet supported.";;\
- *) echo "OS not supported.";;\
- esac
-
-$(LIBSHARED): $(OBJS) $(MAP)
- $(LD) $(LDFLAGS) $(OBJS) $(LDLIBS) -o $(LIBSHARED)
-
-.c.o:
- $(CC) $(CFLAGS) -c $*.c
-
-
-clean:
- $(RM) $(PROJ) *.o
-
-
-
diff --git a/modules/pam_unix/pam_unix.c b/modules/pam_unix/pam_unix.c
index 31e98dd..b859512 100644
--- a/modules/pam_unix/pam_unix.c
+++ b/modules/pam_unix/pam_unix.c
@@ -1,8 +1,8 @@
#define _XOPEN_SOURCE
-/* #include <pwd.h> */
+#include <pwd.h>
#include <netdb.h>
-#include <shadow.h>
+/*#include <shadow.h> */
#include <sys/types.h>
#include <unistd.h>
#include <time.h>
@@ -37,7 +37,7 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags,
#ifndef __linux__
login_cap_t *lc;
#endif
- struct spwd *pwd;
+ struct passwd *pwd;
const char *pass, *crypt_pass, *user;
int pam_err;
@@ -45,17 +45,17 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags,
if (openpam_get_option(pamh, PAM_OPT_AUTH_AS_SELF)) {
PAM_LOG("Authenticating as self.");
- pwd = getspnam(getlogin());
+ pwd = getpwnam(getlogin());
} else {
if ((pam_err = pam_get_user(pamh, &user, NULL)) != PAM_SUCCESS) {
- PAM_ERROR("Authenticating with uname %s failed.", user);
+ PAM_ERROR("Authenticating with uname [%s] failed.", user);
return (pam_err);
}
- pwd = getspnam(user);
+ pwd = getpwnam(user);
}
- PAM_LOG("Authenticating user: %s", user);
+ PAM_LOG("Authenticating user: [%s]", user);
/* get password */
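Review bot: In the auth-as-self branch `user` is never assigned, yet the `PAM_LOG("Authenticating user: [%s]", user)` line at the end of the hunk prints it, so that path formats an uninitialised pointer; the `pam_get_user` failure branch likewise formats `user` with `%s` when the call may have left it NULL. Assign it from the same source the lookup uses, `user = getlogin(); pwd = (user != NULL) ? getpwnam(user) : NULL;`, and log `pam_err` rather than `user` in the failure message. Note also that on systems with /etc/shadow, `getpwnam()` returns `pw_passwd` as `"x"`, so whatever crypt() comparison follows outside this hunk presumably can never match — the getspnam path should stay selectable behind an `#ifdef`/configure check rather than being commented out. pam_sm_authenticate starts before and ends after this hunk.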
@@ -89,7 +89,7 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags,
#else
pam_err = pam_get_authtok(pamh, PAM_AUTHTOK, (const char **) &pass, NULL);
#endif
- PAM_LOG("Got password for user %s", user);
+ PAM_LOG("Got password for user [%s]", user);
if (pam_err == PAM_CONV_ERR)
return (pam_err);
@@ -138,7 +138,7 @@ pam_sm_acct_mgmt(pam_handle_t *pamh, int flags ,
login_cap_t *lc;
#endif
- struct spwd *pwd;
+ struct passwd *pwd;
int pam_err;
const char *user;
time_t curtime;
@@ -155,7 +155,7 @@ pam_sm_acct_mgmt(pam_handle_t *pamh, int flags ,
if (pam_err != PAM_SUCCESS)
return (pam_err);
- if (user == NULL || (pwd = getspnam(user)) == NULL)
+ if (user == NULL || (pwd = getpwnam(user)) == NULL)
return (PAM_SERVICE_ERR);
#ifndef __linux__
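Review bot: The failed lookup returns PAM_SERVICE_ERR for an unknown or NULL user; PAM_USER_UNKNOWN is the conventional result and lets the stack distinguish a bad user name from a misconfigured module, so `return (PAM_USER_UNKNOWN);` here is preferable. With `struct passwd` there are no `sp_expire`/`sp_lstchg` fields, so any expiry check that the `curtime` local feeds further down (outside this hunk) presumably no longer has a shadow record to compare against and should be reviewed together with this change. pam_sm_acct_mgmt starts before and ends after this hunk.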
@@ -253,8 +253,80 @@ pam_sm_chautok(pam_handle_t *pamh, int flags,
int argc, const char *argv[])
{
+ /*
+ * NIS support will be left for future implementation.
+ * This is standard unix passwd changing function.
+ */
+ struct passwd *new_pwd, *old_pwd;
+ char oldprefix[HASH_PREFIX_SIZE];
+ const char *user, *old_pass, *new_pass;
+ char *hashedpwd;
+ int pam_err;
+
+ /* identify user */
+
+ if (openpam_get_option(pamh, PAM_OPT_AUTH_AS_SELF)) {
+ PAM_LOG("Authenticating as self.");
+ old_pwd = getpwnam(getlogin());
+ } else {
+ if ((pam_err = pam_get_user(pamh, &user, NULL)) != PAM_SUCCESS) {
+ PAM_ERROR("Authenticating with uname [%s] failed.", user);
+ return (pam_err);
+ }
+
+ old_pwd = getpwnam(user);
+ }
+
+ PAM_LOG("Got user: [%s]", user);
+
+ if (pwd == NULL) {
+ PAM_ERROR("User [%s] either has a corrupted passwd entry or \
+ is not in the selected database");
+ return (PAM_AUTHTOK_RECOVERY_ERR);
+ }
+
+ /*
+ * When looking through the LinuxPAM code, I came across this :
+ *
+ * ` Various libraries at various times have had bugs related to
+ * '+' or '-' as the first character of a user name. Don't
+ * allow them. `
+ *
+ * I don't know if the problem is still around but just in case...
+ */
+
+ if (user == NULL || user[0] == '-' || user[0] == '+' ) {
+ PAM_ERROR("Bad username [%s]", user);
+ return (PAM_USER_UNKNOWN);
+ }
+
+
+
+ if (flags & PAM_PRELIM_CHECK) {
+ PAM_LOG("PRELIM round");
+
+ if (getuid() == 0 ) {
+ /* root doesn't need old passwd */
+ return (pam_set_item(pamh, PAM_OLDAUTHTOK, ""));
+ }
+
+ if ( (pwd->pw_passwd[0] == '\0' ) &&
+ ( openpam_get_option(pamh, PAM_OPT_NULLOK) ) &&
+ ( openpam_get_option(pamh,PAM_DISALLOW_NULL_AUTHTOK)) ) {
+
+ /*
+ * Something funny could happen here since we don't
+ * ask for a password.
+ */
+ old_pass = "";
+ }
+
+
+
+
return (PAM_SUCCESS);
+
}
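Review bot: `pwd` is referenced in the NULL check and in the `pw_passwd[0]` test but is never declared in pam_sm_chautok — the lookups are stored in `old_pwd` — so this hunk does not compile as written, and `new_pwd`, `oldprefix`, `new_pass` and `hashedpwd` are declared but never used. The PAM_ERROR for the missing entry carries a `%s` with no matching argument, in the auth-as-self branch `user` is never assigned before it is logged and inspected for a leading '+'/'-', and `getlogin()` can return NULL, which must not reach `getpwnam()`. Separately, for non-root callers the PRELIM_CHECK round never verifies the old password — `old_pass` is assigned and discarded and both rounds fall through to `return (PAM_SUCCESS)` — and the nullok test passes PAM_DISALLOW_NULL_AUTHTOK (a flags bit) to `openpam_get_option`, which expects an option name; that logic needs finishing before the module is wired into a passwd binary. The function's signature is in the hunk header; the excerpt below fixes only the naming and initialisation problems.
```c
	if (openpam_get_option(pamh, PAM_OPT_AUTH_AS_SELF)) {
		PAM_LOG("Authenticating as self.");
		user = getlogin();
		old_pwd = (user != NULL) ? getpwnam(user) : NULL;
	} else {
		if ((pam_err = pam_get_user(pamh, &user, NULL)) != PAM_SUCCESS) {
			PAM_ERROR("pam_get_user failed (%d).", pam_err);
			return (pam_err);
		}
		old_pwd = (user != NULL) ? getpwnam(user) : NULL;
	}

	if (user == NULL)
		return (PAM_USER_UNKNOWN);
	PAM_LOG("Got user: [%s]", user);

	if (user[0] == '-' || user[0] == '+') {
		PAM_ERROR("Bad username [%s]", user);
		return (PAM_USER_UNKNOWN);
	}

	if (old_pwd == NULL) {
		PAM_ERROR("User [%s] either has a corrupted passwd entry or "
		    "is not in the selected database", user);
		return (PAM_AUTHTOK_RECOVERY_ERR);
	}

	/* … unchanged: PRELIM_CHECK round, root short-circuit … */
		if ((old_pwd->pw_passwd[0] == '\0') &&
```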
diff --git a/modules/pam_unix/pam_unix.c~ b/modules/pam_unix/pam_unix.c~
index 20088ec..9ef7320 100644
--- a/modules/pam_unix/pam_unix.c~
+++ b/modules/pam_unix/pam_unix.c~
@@ -6,6 +6,7 @@
#include <sys/types.h>
#include <unistd.h>
#include <time.h>
+#include <string.h>
#ifndef MAXHOSTNAMELEN
@@ -47,14 +48,14 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags,
pwd = getspnam(getlogin());
} else {
if ((pam_err = pam_get_user(pamh, &user, NULL)) != PAM_SUCCESS) {
- PAM_ERROR("Authenticating with uname %s failed.", user);
+ PAM_ERROR("Authenticating with uname [%s] failed.", user);
return (pam_err);
}
pwd = getspnam(user);
}
- PAM_LOG("Authenticating user: %s", user);
+ PAM_LOG("Authenticating user: [%s]", user);
/* get password */
@@ -88,7 +89,7 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags,
#else
pam_err = pam_get_authtok(pamh, PAM_AUTHTOK, (const char **) &pass, NULL);
#endif
- PAM_LOG("Got password for user %s", user);
+ PAM_LOG("Got password for user [%s]", user);
if (pam_err == PAM_CONV_ERR)
return (pam_err);
@@ -252,8 +253,80 @@ pam_sm_chautok(pam_handle_t *pamh, int flags,
int argc, const char *argv[])
{
+ /*
+ * NIS support will be left for future implementation.
+ * This is standard unix passwd changing function.
+ */
+ struct spwd *new_pwd, *old_pwd;
+ char oldprefix[HASH_PREFIX_SIZE];
+ const char *user, *old_pass, *new_pass;
+ char *hashedpwd;
+ int pam_err;
+
+ /* identify user */
+
+ if (openpam_get_option(pamh, PAM_OPT_AUTH_AS_SELF)) {
+ PAM_LOG("Authenticating as self.");
+ old_pwd = getspnam(getlogin());
+ } else {
+ if ((pam_err = pam_get_user(pamh, &user, NULL)) != PAM_SUCCESS) {
+ PAM_ERROR("Authenticating with uname [%s] failed.", user);
+ return (pam_err);
+ }
+
+ old_pwd = getspnam(user);
+ }
+
+ PAM_LOG("Got user: [%s]", user);
+
+ if (pwd == NULL) {
+ PAM_ERROR("User [%s] either has a corrupted passwd entry or \
+ is not in the selected database");
+ return (PAM_AUTHTOK_RECOVERY_ERR);
+ }
+
+ /*
+ * When looking through the LinuxPAM code, I came across this :
+ *
+ * ` Various libraries at various times have had bugs related to
+ * '+' or '-' as the first character of a user name. Don't
+ * allow them. `
+ *
+ * I don't know if the problem is still around but just in case...
+ */
+
+ if (user == NULL || user[0] == '-' || user[0] == '+' ) {
+ PAM_ERROR("Bad username [%s]", user);
+ return (PAM_USER_UNKNOWN);
+ }
+
+
+
+ if (flags & PAM_PRELIM_CHECK) {
+ PAM_LOG("PRELIM round");
+
+ if (getuid() == 0 ) {
+ /* root doesn't need old passwd */
+ return (pam_set_item(pamh, PAM_OLDAUTHTOK, ""));
+ }
+
+ if ( (pwd->pw_passwd[0] == '\0' ) &&
+ ( openpam_get_option(pamh, PAM_OPT_NULLOK) ) &&
+ ( openpam_get_option(pamh,PAM_DISALLOW_NULL_AUTHTOK)) ) {
+
+ /*
+ * Something funny could happen here since we don't
+ * ask for a password.
+ */
+ old_pass = "";
+ }
+
+
+
+
return (PAM_SUCCESS);
+
}
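Review bot: pam_unix.c~ is an editor backup of pam_unix.c (it still carries the `struct spwd`/getspnam variant and the same undeclared `pwd` uses in pam_sm_chautok) and the commit also adds the build products pam_unix.o and pam_unix.so; none of these belong in version control. Remove them as Makefile~ is removed in this same commit and add `*~`, `*.o` and `*.so` to .gitignore so the two copies of the module cannot drift apart.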
diff --git a/modules/pam_unix/pam_unix.o b/modules/pam_unix/pam_unix.o
new file mode 100644
index 0000000..7380713
--- /dev/null
+++ b/modules/pam_unix/pam_unix.o
Binary files differ
diff --git a/modules/pam_unix/pam_unix.so b/modules/pam_unix/pam_unix.so
new file mode 100755
index 0000000..8a8c62e
--- /dev/null
+++ b/modules/pam_unix/pam_unix.so
Binary files differ