From e63def3331e1e82fb18f13850bac9543451cfe3b Mon Sep 17 00:00:00 2001
From: Seraphim Mellos
Date: Sun, 15 Jun 2008 15:45:45 +0300
Subject: Trying to fall back to passwd
---
 modules/Makefile | 8 ++++
 modules/pam_unix/Makefile~ | 41 -------------------
 modules/pam_unix/pam_unix.c | 92 ++++++++++++++++++++++++++++++++++++++-----
 modules/pam_unix/pam_unix.c~ | 79 +++++++++++++++++++++++++++++++++++--
 modules/pam_unix/pam_unix.o | Bin 0 -> 7780 bytes
 modules/pam_unix/pam_unix.so | Bin 0 -> 10155 bytes
 6 files changed, 166 insertions(+), 54 deletions(-)
 create mode 100644 modules/Makefile
 delete mode 100644 modules/pam_unix/Makefile~
 create mode 100644 modules/pam_unix/pam_unix.o
 create mode 100755 modules/pam_unix/pam_unix.so
diff --git a/modules/Makefile b/modules/Makefile
new file mode 100644
index 0000000..e34ad20
--- /dev/null
+++ b/modules/Makefile
@@ -0,0 +1,8 @@
+all install clean:
+ $(MAKE) -C pam_unix $@
+ $(MAKE) -C pam_securetty $@
+ $(MAKE) -C pam_nologin $@
+ $(MAKE) -C pam_shells $@
+ $(MAKE) -C pam_wheel $@
+ $(MAKE) -C pam_rootok $@
+
diff --git a/modules/pam_unix/Makefile~ b/modules/pam_unix/Makefile~
deleted file mode 100644
index eb399cc..0000000
--- a/modules/pam_unix/Makefile~
+++ /dev/null
@@ -1,41 +0,0 @@
-#
-## Copyright (c) 2008 by Seraphim Mellos. See LICENSE.
-#
-
-include ../../Make.defs
-
-TITLE = pam_unix
-PAM_SO_SUFFIX =
-LIBSHARED = $(TITLE).so$(PAM_SO_SUFFIX)
-SHLIBMODE = 755
-MAN8 = $(TITLE).8
-MANMODE = 644
-#SECUREDIR = /lib/security
-#MANDIR = /usr/share/man
-#DESTDIR =
-
-
-
-PROJ = $(LIBSHARED)
-OBJS = pam_unix.o
-
-all:
- case "`uname -s`" in \
- Linux) $(MAKE) CFLAGS="$(CFLAGS)" LDFLAGS="$(LDFLAGS)" \
- LDLIBS="$(LDLIBS)" $(PROJ);;\
- FreeBSD) echo "Not yet supported.";;\
- *) echo "OS not supported.";;\
- esac
-
-$(LIBSHARED): $(OBJS) $(MAP)
- $(LD) $(LDFLAGS) $(OBJS) $(LDLIBS) -o $(LIBSHARED)
-
-.c.o:
- $(CC) $(CFLAGS) -c $*.c
-
-
-clean:
- $(RM) $(PROJ) *.o
-
-
-
diff --git a/modules/pam_unix/pam_unix.c b/modules/pam_unix/pam_unix.c
index 31e98dd..b859512 100644
--- a/modules/pam_unix/pam_unix.c
+++ b/modules/pam_unix/pam_unix.c
@@ -1,8 +1,8 @@
 #define _XOPEN_SOURCE
-/* #include */
+#include
 #include
-#include
+/*#include */
 #include
 #include
 #include
@@ -37,7 +37,7 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags,
 #ifndef __linux__
 login_cap_t *lc;
 #endif
- struct spwd *pwd;
+ struct passwd *pwd;
 const char *pass, *crypt_pass, *user;
 int pam_err;
@@ -45,17 +45,17 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags,
 if (openpam_get_option(pamh, PAM_OPT_AUTH_AS_SELF)) {
 PAM_LOG("Authenticating as self.");
- pwd = getspnam(getlogin());
+ pwd = getpwnam(getlogin());
 } else {
 if ((pam_err = pam_get_user(pamh, &user, NULL)) != PAM_SUCCESS) {
- PAM_ERROR("Authenticating with uname %s failed.", user);
+ PAM_ERROR("Authenticating with uname [%s] failed.", user);
 return (pam_err);
 }
- pwd = getspnam(user);
+ pwd = getpwnam(user);
 }
- PAM_LOG("Authenticating user: %s", user);
+ PAM_LOG("Authenticating user: [%s]", user);
 /* get password */
@@ -89,7 +89,7 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags,
 #else
 pam_err = pam_get_authtok(pamh, PAM_AUTHTOK, (const char **) &pass, NULL);
 #endif
- PAM_LOG("Got password for user %s", user);
+ PAM_LOG("Got password for user [%s]", user);
 if (pam_err == PAM_CONV_ERR) return (pam_err);
@@ -138,7 +138,7 @@ pam_sm_acct_mgmt(pam_handle_t *pamh, int flags ,
 login_cap_t *lc;
 #endif
- struct spwd *pwd;
+ struct passwd *pwd;
 int pam_err;
 const char *user;
 time_t curtime;
@@ -155,7 +155,7 @@ pam_sm_acct_mgmt(pam_handle_t *pamh, int flags ,
 if (pam_err != PAM_SUCCESS) return (pam_err);
- if (user == NULL || (pwd = getspnam(user)) == NULL)
+ if (user == NULL || (pwd = getpwnam(user)) == NULL)
 return (PAM_SERVICE_ERR);
 #ifndef __linux__
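Review bot: Replacing `getspnam()` with `getpwnam()` in pam_sm_authenticate (the `-45` hunk) and pam_sm_acct_mgmt (the `-155` hunk) means `pwd->pw_passwd` is now read from the passwd database, which on a shadow-enabled system holds a placeholder such as `x` rather than the hash, so a comparison against the crypted password later in pam_sm_authenticate (outside the hunk) can no longer succeed; as written this is a replacement, not the fall-back the subject describes. Keep the shadow lookup and use the passwd entry only when `getspnam()` returns NULL (for example when the module runs without privilege to read the shadow file), which also needs the shadow `#include` that the `-1` hunk comments out. If pam_sm_acct_mgmt relied on `struct spwd` fields such as `sp_expire` or `sp_lstchg` for expiry checks, those do not exist in `struct passwd`; the rest of that function is not in the hunk. The `PAM_ERROR("Authenticating with uname [%s] failed.", user)` line still logs `user` after `pam_get_user()` failed, when it need not have been set; log `pam_err` instead, e.g. `PAM_ERROR("pam_get_user failed: %d", pam_err);`.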
@@ -253,8 +253,80 @@ pam_sm_chautok(pam_handle_t *pamh, int flags, int argc, const char *argv[]) {
+ /*
+ * NIS support will be left for future implementation.
+ * This is standard unix passwd changing function.
+ */
+ struct passwd *new_pwd, *old_pwd;
+ char oldprefix[HASH_PREFIX_SIZE];
+ const char *user, *old_pass, *new_pass;
+ char *hashedpwd;
+ int pam_err;
+
+ /* identify user */
+
+ if (openpam_get_option(pamh, PAM_OPT_AUTH_AS_SELF)) {
+ PAM_LOG("Authenticating as self.");
+ old_pwd = getpwnam(getlogin());
+ } else {
+ if ((pam_err = pam_get_user(pamh, &user, NULL)) != PAM_SUCCESS) {
+ PAM_ERROR("Authenticating with uname [%s] failed.", user);
+ return (pam_err);
+ }
+
+ old_pwd = getpwnam(user);
+ }
+
+ PAM_LOG("Got user: [%s]", user);
+
+ if (pwd == NULL) {
+ PAM_ERROR("User [%s] either has a corrupted passwd entry or \
+ is not in the selected database");
+ return (PAM_AUTHTOK_RECOVERY_ERR);
+ }
+
+ /*
+ * When looking through the LinuxPAM code, I came across this :
+ *
+ * ` Various libraries at various times have had bugs related to
+ * '+' or '-' as the first character of a user name. Don't
+ * allow them. `
+ *
+ * I don't know if the problem is still around but just in case...
+ */
+
+ if (user == NULL || user[0] == '-' || user[0] == '+' ) {
+ PAM_ERROR("Bad username [%s]", user);
+ return (PAM_USER_UNKNOWN);
+ }
+
+
+ if (flags & PAM_PRELIM_CHECK) {
+ PAM_LOG("PRELIM round");
+
+ if (getuid() == 0 ) {
+ /* root doesn't need old passwd */
+ return (pam_set_item(pamh, PAM_OLDAUTHTOK, ""));
+ }
+
+ if ( (pwd->pw_passwd[0] == '\0' ) &&
+ ( openpam_get_option(pamh, PAM_OPT_NULLOK) ) &&
+ ( openpam_get_option(pamh,PAM_DISALLOW_NULL_AUTHTOK)) ) {
+
+ /*
+ * Something funny could happen here since we don't
+ * ask for a password.
+ */
+ old_pass = "";
+ }
+
+
+ return (PAM_SUCCESS);
+ }
diff --git a/modules/pam_unix/pam_unix.c~ b/modules/pam_unix/pam_unix.c~
index 20088ec..9ef7320 100644
--- a/modules/pam_unix/pam_unix.c~
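Review bot: `pwd` is never declared in pam_sm_chautok — the locals are `new_pwd` and `old_pwd` — yet `if (pwd == NULL)` and `pwd->pw_passwd[0]` use it, so this hunk either fails to compile or silently binds to some file-scope `pwd`; both should read `old_pwd`. The `PAM_ERROR("User [%s] either has a corrupted passwd entry or ...")` call has a `%s` conversion with no argument, which is undefined behaviour in the log call. `user` is assigned only on the `pam_get_user()` path, so on the PAM_OPT_AUTH_AS_SELF path `PAM_LOG("Got user: [%s]", user)` and the later `user == NULL || user[0] == '-'` test read an indeterminate pointer, and the `'+'`/`'-'` rejection runs after the lookup it was meant to guard. PAM_DISALLOW_NULL_AUTHTOK is a flags bit rather than a module option, so `openpam_get_option(pamh, PAM_DISALLOW_NULL_AUTHTOK)` cannot match it, and the `&&` chain as written takes the empty-old-password shortcut only when null tokens are disallowed, the opposite of the apparent intent; `old_pass` is then set but not used anywhere in the hunk. pam_sm_chautok continues past the end of the hunk, and the pam_unix.c~ copy of this hunk carries the same defects.
```c
	/* … unchanged: header comment and declarations … */
	if (openpam_get_option(pamh, PAM_OPT_AUTH_AS_SELF)) {
		PAM_LOG("Authenticating as self.");
		user = getlogin();
	} else if ((pam_err = pam_get_user(pamh, &user, NULL)) != PAM_SUCCESS) {
		PAM_ERROR("pam_get_user failed: %d", pam_err);
		return (pam_err);
	}

	/* reject NULL and '+'/'-' names before touching the database */
	if (user == NULL || user[0] == '-' || user[0] == '+') {
		PAM_ERROR("Bad username [%s]", user == NULL ? "(null)" : user);
		return (PAM_USER_UNKNOWN);
	}
	PAM_LOG("Got user: [%s]", user);

	old_pwd = getpwnam(user);
	if (old_pwd == NULL) {
		PAM_ERROR("User [%s] either has a corrupted passwd entry or "
		    "is not in the selected database", user);
		return (PAM_AUTHTOK_RECOVERY_ERR);
	}
	/* … unchanged: LinuxPAM comment, PRELIM round, root shortcut … */
		if (old_pwd->pw_passwd[0] == '\0' &&
		    openpam_get_option(pamh, PAM_OPT_NULLOK) &&
		    !(flags & PAM_DISALLOW_NULL_AUTHTOK)) {
```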
+++ b/modules/pam_unix/pam_unix.c~
@@ -6,6 +6,7 @@
 #include
 #include
 #include
+#include
 #ifndef MAXHOSTNAMELEN
@@ -47,14 +48,14 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags,
 pwd = getspnam(getlogin());
 } else {
 if ((pam_err = pam_get_user(pamh, &user, NULL)) != PAM_SUCCESS) {
- PAM_ERROR("Authenticating with uname %s failed.", user);
+ PAM_ERROR("Authenticating with uname [%s] failed.", user);
 return (pam_err);
 }
 pwd = getspnam(user);
 }
- PAM_LOG("Authenticating user: %s", user);
+ PAM_LOG("Authenticating user: [%s]", user);
 /* get password */
@@ -88,7 +89,7 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags,
 #else
 pam_err = pam_get_authtok(pamh, PAM_AUTHTOK, (const char **) &pass, NULL);
 #endif
- PAM_LOG("Got password for user %s", user);
+ PAM_LOG("Got password for user [%s]", user);
 if (pam_err == PAM_CONV_ERR) return (pam_err);
@@ -252,8 +253,80 @@ pam_sm_chautok(pam_handle_t *pamh, int flags, int argc, const char *argv[]) {
+ /*
+ * NIS support will be left for future implementation.
+ * This is standard unix passwd changing function.
+ */
+ struct spwd *new_pwd, *old_pwd;
+ char oldprefix[HASH_PREFIX_SIZE];
+ const char *user, *old_pass, *new_pass;
+ char *hashedpwd;
+ int pam_err;
+
+ /* identify user */
+
+ if (openpam_get_option(pamh, PAM_OPT_AUTH_AS_SELF)) {
+ PAM_LOG("Authenticating as self.");
+ old_pwd = getspnam(getlogin());
+ } else {
+ if ((pam_err = pam_get_user(pamh, &user, NULL)) != PAM_SUCCESS) {
+ PAM_ERROR("Authenticating with uname [%s] failed.", user);
+ return (pam_err);
+ }
+
+ old_pwd = getspnam(user);
+ }
+
+ PAM_LOG("Got user: [%s]", user);
+
+ if (pwd == NULL) {
+ PAM_ERROR("User [%s] either has a corrupted passwd entry or \
+ is not in the selected database");
+ return (PAM_AUTHTOK_RECOVERY_ERR);
+ }
+
+ /*
+ * When looking through the LinuxPAM code, I came across this :
+ *
+ * ` Various libraries at various times have had bugs related to
+ * '+' or '-' as the first character of a user name. Don't
+ * allow them. `
+ *
+ * I don't know if the problem is still around but just in case...
+ */
+
+ if (user == NULL || user[0] == '-' || user[0] == '+' ) {
+ PAM_ERROR("Bad username [%s]", user);
+ return (PAM_USER_UNKNOWN);
+ }
+
+
+ if (flags & PAM_PRELIM_CHECK) {
+ PAM_LOG("PRELIM round");
+
+ if (getuid() == 0 ) {
+ /* root doesn't need old passwd */
+ return (pam_set_item(pamh, PAM_OLDAUTHTOK, ""));
+ }
+
+ if ( (pwd->pw_passwd[0] == '\0' ) &&
+ ( openpam_get_option(pamh, PAM_OPT_NULLOK) ) &&
+ ( openpam_get_option(pamh,PAM_DISALLOW_NULL_AUTHTOK)) ) {
+
+ /*
+ * Something funny could happen here since we don't
+ * ask for a password.
+ */
+ old_pass = "";
+ }
+
+
+ return (PAM_SUCCESS);
+ }
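Review bot: `modules/pam_unix/pam_unix.c~` is an editor backup of pam_unix.c, and this same commit adds the build outputs `pam_unix.o` and `pam_unix.so`; none of these belong under version control, and the backup already diverges from the real file (it keeps `struct spwd` and `getspnam()` here while pam_unix.c switched to `struct passwd` and `getpwnam()`), so a later accidental copy would reintroduce old code. Remove the three files from the tree, as the deletion of `Makefile~` in this commit already does for the other backup, and ignore `*~`, `*.o` and `*.so` in the repository's ignore file. This copy of the pam_sm_chautok hunk also uses the undeclared `pwd` where `old_pwd` is meant, so it does not even compile as a reference.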
diff --git a/modules/pam_unix/pam_unix.o b/modules/pam_unix/pam_unix.o
new file mode 100644
index 0000000..7380713
Binary files /dev/null and b/modules/pam_unix/pam_unix.o differ
diff --git a/modules/pam_unix/pam_unix.so b/modules/pam_unix/pam_unix.so
new file mode 100755
index 0000000..8a8c62e
Binary files /dev/null and b/modules/pam_unix/pam_unix.so differ
--
cgit v1.2.3-65-gdbad