pam_unix.c revision 95516
1/*- 2 * Copyright 1998 Juniper Networks, Inc. 3 * All rights reserved. 4 * Copyright (c) 2002 Networks Associates Technology, Inc. 5 * All rights reserved. 6 * 7 * Portions of this software was developed for the FreeBSD Project by 8 * ThinkSec AS and NAI Labs, the Security Research Division of Network 9 * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 10 * ("CBOSS"), as part of the DARPA CHATS research program. 11 * 12 * Redistribution and use in source and binary forms, with or without 13 * modification, are permitted provided that the following conditions 14 * are met: 15 * 1. Redistributions of source code must retain the above copyright 16 * notice, this list of conditions and the following disclaimer. 17 * 2. Redistributions in binary form must reproduce the above copyright 18 * notice, this list of conditions and the following disclaimer in the 19 * documentation and/or other materials provided with the distribution. 20 * 3. The name of the author may not be used to endorse or promote 21 * products derived from this software without specific prior written 22 * permission. 23 * 24 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 25 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 26 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 27 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 28 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 29 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 30 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 31 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 32 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 33 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 34 * SUCH DAMAGE. 35 */ 36 37#include <sys/cdefs.h> 38__FBSDID("$FreeBSD: head/lib/libpam/modules/pam_unix/pam_unix.c 95516 2002-04-26 19:28:17Z des $"); 39 40#include <sys/param.h> 41#include <sys/socket.h> 42#include <sys/time.h> 43#include <netinet/in.h> 44#include <arpa/inet.h> 45 46#include <login_cap.h> 47#include <netdb.h> 48#include <pwd.h> 49#include <stdlib.h> 50#include <string.h> 51#include <stdio.h> 52#include <syslog.h> 53#include <unistd.h> 54 55#include <pw_copy.h> 56#include <pw_util.h> 57 58#ifdef YP 59#include <ypclnt.h> 60#endif 61 62#define PAM_SM_AUTH 63#define PAM_SM_ACCOUNT 64#define PAM_SM_PASSWORD 65 66#include <security/pam_appl.h> 67#include <security/pam_modules.h> 68#include <security/pam_mod_misc.h> 69 70#define PASSWORD_HASH "md5" 71#define DEFAULT_WARN (2L * 7L * 86400L) /* Two weeks */ 72#define SALTSIZE 32 73 74static void makesalt(char []); 75 76static char password_hash[] = PASSWORD_HASH; 77 78enum { 79 PAM_OPT_AUTH_AS_SELF = PAM_OPT_STD_MAX, 80 PAM_OPT_NULLOK, 81 PAM_OPT_LOCAL_PASS, 82 PAM_OPT_NIS_PASS 83}; 84 85static struct opttab other_options[] = { 86 { "auth_as_self", PAM_OPT_AUTH_AS_SELF }, 87 { "nullok", PAM_OPT_NULLOK }, 88 { "local_pass", PAM_OPT_LOCAL_PASS }, 89 { "nis_pass", PAM_OPT_NIS_PASS }, 90 { NULL, 0 } 91}; 92 93char *tempname = NULL; 94 95/* 96 * authentication management 97 */ 98PAM_EXTERN int 99pam_sm_authenticate(pam_handle_t *pamh, int flags __unused, 100 int argc, const char *argv[]) 101{ 102 login_cap_t *lc; 103 struct options options; 104 struct passwd *pwd; 105 int retval; 106 const char *pass, *user, *realpw, *prompt; 107 108 pam_std_option(&options, other_options, argc, argv); 109 110 PAM_LOG("Options processed"); 111 112 if (pam_test_option(&options, PAM_OPT_AUTH_AS_SELF, NULL)) { 113 pwd = getpwnam(getlogin()); 114 } else { 115 retval = pam_get_user(pamh, &user, NULL); 116 if (retval != PAM_SUCCESS) 117 return (retval); 118 pwd = getpwnam(user); 119 } 120 121 PAM_LOG("Got user: %s", user); 122 123 if (pwd != NULL) { 124 PAM_LOG("Doing real authentication"); 125 realpw = pwd->pw_passwd; 126 if (realpw[0] == '\0') { 127 if (!(flags & PAM_DISALLOW_NULL_AUTHTOK) && 128 pam_test_option(&options, PAM_OPT_NULLOK, NULL)) 129 return (PAM_SUCCESS); 130 realpw = "*"; 131 } 132 lc = login_getpwclass(pwd); 133 } else { 134 PAM_LOG("Doing dummy authentication"); 135 realpw = "*"; 136 lc = login_getclass(NULL); 137 } 138 prompt = login_getcapstr(lc, "passwd_prompt", NULL, NULL); 139 retval = pam_get_authtok(pamh, PAM_AUTHTOK, &pass, prompt); 140 login_close(lc); 141 if (retval != PAM_SUCCESS) 142 return (retval); 143 PAM_LOG("Got password"); 144 if (strcmp(crypt(pass, realpw), realpw) == 0) 145 return (PAM_SUCCESS); 146 147 PAM_VERBOSE_ERROR("UNIX authentication refused"); 148 return (PAM_AUTH_ERR); 149} 150 151PAM_EXTERN int 152pam_sm_setcred(pam_handle_t *pamh __unused, int flags __unused, 153 int argc __unused, const char *argv[] __unused) 154{ 155 156 return (PAM_SUCCESS); 157} 158 159/* 160 * account management 161 */ 162PAM_EXTERN int 163pam_sm_acct_mgmt(pam_handle_t *pamh, int flags __unused, 164 int argc, const char *argv[]) 165{ 166 struct addrinfo hints, *res; 167 struct options options; 168 struct passwd *pwd; 169 struct timeval tp; 170 login_cap_t *lc; 171 time_t warntime; 172 int retval; 173 const char *rhost, *tty, *user; 174 char rhostip[MAXHOSTNAMELEN]; 175 176 pam_std_option(&options, other_options, argc, argv); 177 178 PAM_LOG("Options processed"); 179 180 retval = pam_get_user(pamh, &user, NULL); 181 if (retval != PAM_SUCCESS) 182 return (retval); 183 184 if (user == NULL || (pwd = getpwnam(user)) == NULL) 185 return (PAM_SERVICE_ERR); 186 187 PAM_LOG("Got user: %s", user); 188 189 retval = pam_get_item(pamh, PAM_RHOST, (const void **)&rhost); 190 if (retval != PAM_SUCCESS) 191 return (retval); 192 193 retval = pam_get_item(pamh, PAM_TTY, (const void **)&tty); 194 if (retval != PAM_SUCCESS) 195 return (retval); 196 197 if (*pwd->pw_passwd == '\0' && 198 (flags & PAM_DISALLOW_NULL_AUTHTOK) != 0) 199 return (PAM_NEW_AUTHTOK_REQD); 200 201 lc = login_getpwclass(pwd); 202 if (lc == NULL) { 203 PAM_LOG("Unable to get login class for user %s", user); 204 return (PAM_SERVICE_ERR); 205 } 206 207 PAM_LOG("Got login_cap"); 208 209 if (pwd->pw_change || pwd->pw_expire) 210 gettimeofday(&tp, NULL); 211 212 /* 213 * Check pw_expire before pw_change - no point in letting the 214 * user change the password on an expired account. 215 */ 216 217 if (pwd->pw_expire) { 218 warntime = login_getcaptime(lc, "warnexpire", 219 DEFAULT_WARN, DEFAULT_WARN); 220 if (tp.tv_sec >= pwd->pw_expire) { 221 login_close(lc); 222 return (PAM_ACCT_EXPIRED); 223 } else if (pwd->pw_expire - tp.tv_sec < warntime && 224 (flags & PAM_SILENT) == 0) { 225 pam_error(pamh, "Warning: your account expires on %s", 226 ctime(&pwd->pw_expire)); 227 } 228 } 229 230 retval = PAM_SUCCESS; 231 if (pwd->pw_change) { 232 warntime = login_getcaptime(lc, "warnpassword", 233 DEFAULT_WARN, DEFAULT_WARN); 234 if (tp.tv_sec >= pwd->pw_change) { 235 retval = PAM_NEW_AUTHTOK_REQD; 236 } else if (pwd->pw_change - tp.tv_sec < warntime && 237 (flags & PAM_SILENT) == 0) { 238 pam_error(pamh, "Warning: your password expires on %s", 239 ctime(&pwd->pw_change)); 240 } 241 } 242 243 /* 244 * From here on, we must leave retval untouched (unless we 245 * know we're going to fail), because we need to remember 246 * whether we're supposed to return PAM_SUCCESS or 247 * PAM_NEW_AUTHTOK_REQD. 248 */ 249 250 if (rhost) { 251 memset(&hints, 0, sizeof(hints)); 252 hints.ai_family = AF_UNSPEC; 253 if (getaddrinfo(rhost, NULL, &hints, &res) == 0) { 254 getnameinfo(res->ai_addr, res->ai_addrlen, 255 rhostip, sizeof(rhostip), NULL, 0, 256 NI_NUMERICHOST|NI_WITHSCOPEID); 257 } 258 if (res != NULL) 259 freeaddrinfo(res); 260 } 261 262 /* 263 * Check host / tty / time-of-day restrictions 264 */ 265 266 if (!auth_hostok(lc, rhost, rhostip) || 267 !auth_ttyok(lc, tty) || 268 !auth_timeok(lc, time(NULL))) 269 retval = PAM_AUTH_ERR; 270 271 login_close(lc); 272 273 return (retval); 274} 275 276/* 277 * password management 278 * 279 * standard Unix and NIS password changing 280 */ 281PAM_EXTERN int 282pam_sm_chauthtok(pam_handle_t *pamh, int flags, 283 int argc, const char *argv[]) 284{ 285#ifdef YP 286 struct ypclnt *ypclnt; 287 const char *yp_domain, *yp_server; 288#endif 289 struct options options; 290 char salt[SALTSIZE + 1]; 291 login_cap_t * lc; 292 struct passwd *pwd; 293 const char *user, *old_pass, *new_pass; 294 char *encrypted; 295 int pfd, tfd, retval; 296 297 pam_std_option(&options, other_options, argc, argv); 298 299 PAM_LOG("Options processed"); 300 301 if (pam_test_option(&options, PAM_OPT_AUTH_AS_SELF, NULL)) 302 pwd = getpwnam(getlogin()); 303 else { 304 retval = pam_get_user(pamh, &user, NULL); 305 if (retval != PAM_SUCCESS) 306 return (retval); 307 pwd = getpwnam(user); 308 } 309 310 PAM_LOG("Got user: %s", user); 311 312 if (flags & PAM_PRELIM_CHECK) { 313 314 PAM_LOG("PRELIM round"); 315 316 if (getuid() == 0 && 317 (pwd->pw_fields & _PWF_SOURCE) == _PWF_FILES) 318 /* root doesn't need the old password */ 319 return (pam_set_item(pamh, PAM_OLDAUTHTOK, "")); 320 321 if (pwd->pw_passwd[0] == '\0' 322 && pam_test_option(&options, PAM_OPT_NULLOK, NULL)) { 323 /* 324 * No password case. XXX Are we giving too much away 325 * by not prompting for a password? 326 * XXX check PAM_DISALLOW_NULL_AUTHTOK 327 */ 328 old_pass = ""; 329 } else { 330 retval = pam_get_authtok(pamh, 331 PAM_OLDAUTHTOK, &old_pass, NULL); 332 if (retval != PAM_SUCCESS) 333 return (retval); 334 } 335 PAM_LOG("Got old password"); 336 /* always encrypt first */ 337 encrypted = crypt(old_pass, pwd->pw_passwd); 338 if ((old_pass[0] == '\0' && pwd->pw_passwd[0] != '\0') || 339 strcmp(encrypted, pwd->pw_passwd) != 0) 340 return (PAM_PERM_DENIED); 341 } 342 else if (flags & PAM_UPDATE_AUTHTOK) { 343 PAM_LOG("UPDATE round"); 344 345 retval = pam_get_authtok(pamh, 346 PAM_OLDAUTHTOK, &old_pass, NULL); 347 if (retval != PAM_SUCCESS) 348 return (retval); 349 PAM_LOG("Got old password"); 350 351 /* get new password */ 352 for (;;) { 353 retval = pam_get_authtok(pamh, 354 PAM_AUTHTOK, &new_pass, NULL); 355 if (retval != PAM_TRY_AGAIN) 356 break; 357 pam_error(pamh, "Mismatch; try again, EOF to quit."); 358 } 359 PAM_LOG("Got new password"); 360 if (retval != PAM_SUCCESS) { 361 PAM_VERBOSE_ERROR("Unable to get new password"); 362 return (retval); 363 } 364 365 pwd->pw_change = 0; 366 lc = login_getclass(NULL); 367 if (login_setcryptfmt(lc, password_hash, NULL) == NULL) 368 openpam_log(PAM_LOG_ERROR, 369 "can't set password cipher, relying on default"); 370 login_close(lc); 371 makesalt(salt); 372 pwd->pw_passwd = crypt(new_pass, salt); 373 retval = PAM_SUCCESS; 374#ifdef YP 375 switch (pwd->pw_fields & _PWF_SOURCE) { 376 case _PWF_FILES: 377#endif 378 pfd = pw_lock(); 379 tfd = pw_tmp(); 380 pw_copy(pfd, tfd, pwd, NULL); 381 if (!pw_mkdb(user)) 382 retval = PAM_SERVICE_ERR; 383#ifdef YP 384 break; 385 case _PWF_NIS: 386 yp_domain = yp_server = NULL; 387 (void)pam_get_data(pamh, 388 "yp_domain", (const void **)&yp_domain); 389 (void)pam_get_data(pamh, 390 "yp_server", (const void **)&yp_server); 391 ypclnt = ypclnt_new(yp_domain, 392 "passwd.byname", yp_server); 393 if (ypclnt == NULL) 394 return (PAM_BUF_ERR); 395 if (ypclnt_connect(ypclnt) == -1 || 396 ypclnt_passwd(ypclnt, pwd, old_pass) == -1) { 397 openpam_log(PAM_LOG_ERROR, "%s", ypclnt->error); 398 retval = PAM_SERVICE_ERR; 399 } 400 ypclnt_free(ypclnt); 401 break; 402 default: 403 openpam_log(PAM_LOG_ERROR, "unsupported source 0x%x", 404 pwd->pw_fields & _PWF_SOURCE); 405 retval = PAM_SERVICE_ERR; 406 } 407#endif 408 } 409 else { 410 /* Very bad juju */ 411 retval = PAM_ABORT; 412 PAM_LOG("Illegal 'flags'"); 413 } 414 415 return (retval); 416} 417 418/* Mostly stolen from passwd(1)'s local_passwd.c - markm */ 419 420static unsigned char itoa64[] = /* 0 ... 63 => ascii - 64 */ 421 "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"; 422 423static void 424to64(char *s, long v, int n) 425{ 426 while (--n >= 0) { 427 *s++ = itoa64[v&0x3f]; 428 v >>= 6; 429 } 430} 431 432/* Salt suitable for traditional DES and MD5 */ 433void 434makesalt(char salt[SALTSIZE]) 435{ 436 int i; 437 438 /* These are not really random numbers, they are just 439 * numbers that change to thwart construction of a 440 * dictionary. This is exposed to the public. 441 */ 442 for (i = 0; i < SALTSIZE; i += 4) 443 to64(&salt[i], arc4random(), 4); 444 salt[SALTSIZE] = '\0'; 445} 446 447PAM_MODULE_ENTRY("pam_unix"); 448