pam_get_authtok.c revision 236099
191094Sdes/*- 2115619Sdes * Copyright (c) 2002-2003 Networks Associates Technology, Inc. 3228690Sdes * Copyright (c) 2004-2011 Dag-Erling Sm��rgrav 491094Sdes * All rights reserved. 591094Sdes * 691094Sdes * This software was developed for the FreeBSD Project by ThinkSec AS and 799158Sdes * Network Associates Laboratories, the Security Research Division of 899158Sdes * Network Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 999158Sdes * ("CBOSS"), as part of the DARPA CHATS research program. 1091094Sdes * 1191094Sdes * Redistribution and use in source and binary forms, with or without 1291094Sdes * modification, are permitted provided that the following conditions 1391094Sdes * are met: 1491094Sdes * 1. Redistributions of source code must retain the above copyright 1591094Sdes * notice, this list of conditions and the following disclaimer. 1691094Sdes * 2. Redistributions in binary form must reproduce the above copyright 1791094Sdes * notice, this list of conditions and the following disclaimer in the 1891094Sdes * documentation and/or other materials provided with the distribution. 1991094Sdes * 3. The name of the author may not be used to endorse or promote 2091094Sdes * products derived from this software without specific prior written 2191094Sdes * permission. 2291094Sdes * 2391094Sdes * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 2491094Sdes * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 2591094Sdes * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 2691094Sdes * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 2791094Sdes * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 2891094Sdes * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 2991094Sdes * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 3091094Sdes * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 3191094Sdes * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 3291094Sdes * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 3391094Sdes * SUCH DAMAGE. 3491094Sdes * 35236099Sdes * $Id: pam_get_authtok.c 510 2011-12-31 13:14:23Z des $ 3691094Sdes */ 3791094Sdes 38228690Sdes#ifdef HAVE_CONFIG_H 39228690Sdes# include "config.h" 40228690Sdes#endif 41228690Sdes 4291094Sdes#include <sys/param.h> 4391094Sdes 4493982Sdes#include <stdlib.h> 4596364Sdes#include <string.h> 4693982Sdes 4791094Sdes#include <security/pam_appl.h> 4891094Sdes#include <security/openpam.h> 4991094Sdes 5091094Sdes#include "openpam_impl.h" 5191094Sdes 52117610Sdesstatic const char authtok_prompt[] = "Password:"; 53236099Sdesstatic const char authtok_prompt_remote[] = "Password for %u@%h:"; 54117610Sdesstatic const char oldauthtok_prompt[] = "Old Password:"; 55117610Sdesstatic const char newauthtok_prompt[] = "New Password:"; 5693982Sdes 5791094Sdes/* 5891094Sdes * OpenPAM extension 5991094Sdes * 6091094Sdes * Retrieve authentication token 6191094Sdes */ 6291094Sdes 6391094Sdesint 6491094Sdespam_get_authtok(pam_handle_t *pamh, 6593982Sdes int item, 6691094Sdes const char **authtok, 6791094Sdes const char *prompt) 6891094Sdes{ 69228690Sdes char prompt_buf[1024]; 70228690Sdes size_t prompt_size; 71125647Sdes const void *oldauthtok, *prevauthtok, *promptp; 72228690Sdes const char *prompt_option, *default_prompt; 73236099Sdes const void *lhost, *rhost; 7493982Sdes char *resp, *resp2; 7593982Sdes int pitem, r, style, twice; 7691094Sdes 77107937Sdes ENTER(); 7891094Sdes if (pamh == NULL || authtok == NULL) 79107937Sdes RETURNC(PAM_SYSTEM_ERR); 8093982Sdes *authtok = NULL; 8193982Sdes twice = 0; 8293982Sdes switch (item) { 8393982Sdes case PAM_AUTHTOK: 8493982Sdes pitem = PAM_AUTHTOK_PROMPT; 85228690Sdes prompt_option = "authtok_prompt"; 8693982Sdes default_prompt = authtok_prompt; 87236099Sdes r = pam_get_item(pamh, PAM_RHOST, &rhost); 88236099Sdes if (r == PAM_SUCCESS && rhost != NULL) { 89236099Sdes r = pam_get_item(pamh, PAM_HOST, &lhost); 90236099Sdes if (r == PAM_SUCCESS && lhost != NULL) { 91236099Sdes if (strcmp(rhost, lhost) != 0) 92236099Sdes default_prompt = authtok_prompt_remote; 93236099Sdes } 94236099Sdes } 9593982Sdes r = pam_get_item(pamh, PAM_OLDAUTHTOK, &oldauthtok); 9693982Sdes if (r == PAM_SUCCESS && oldauthtok != NULL) { 9793982Sdes default_prompt = newauthtok_prompt; 9893982Sdes twice = 1; 9993982Sdes } 10093982Sdes break; 10193982Sdes case PAM_OLDAUTHTOK: 10293982Sdes pitem = PAM_OLDAUTHTOK_PROMPT; 103228690Sdes prompt_option = "oldauthtok_prompt"; 10493982Sdes default_prompt = oldauthtok_prompt; 10593982Sdes twice = 0; 10693982Sdes break; 10793982Sdes default: 108107937Sdes RETURNC(PAM_SYMBOL_ERR); 10993982Sdes } 11091100Sdes if (openpam_get_option(pamh, "try_first_pass") || 11191100Sdes openpam_get_option(pamh, "use_first_pass")) { 112125647Sdes r = pam_get_item(pamh, item, &prevauthtok); 113125647Sdes if (r == PAM_SUCCESS && prevauthtok != NULL) { 114125647Sdes *authtok = prevauthtok; 115107937Sdes RETURNC(PAM_SUCCESS); 116125647Sdes } 11791100Sdes else if (openpam_get_option(pamh, "use_first_pass")) 118107937Sdes RETURNC(r == PAM_SUCCESS ? PAM_AUTH_ERR : r); 11991100Sdes } 120228690Sdes /* pam policy overrides the module's choice */ 121228690Sdes if ((promptp = openpam_get_option(pamh, prompt_option)) != NULL) 122228690Sdes prompt = promptp; 123228690Sdes /* no prompt provided, see if there is one tucked away somewhere */ 124228690Sdes if (prompt == NULL) 125228690Sdes if (pam_get_item(pamh, pitem, &promptp) && promptp != NULL) 126125647Sdes prompt = promptp; 127228690Sdes /* fall back to hardcoded default */ 128228690Sdes if (prompt == NULL) 129228690Sdes prompt = default_prompt; 130228690Sdes /* expand */ 131228690Sdes prompt_size = sizeof prompt_buf; 132228690Sdes r = openpam_subst(pamh, prompt_buf, &prompt_size, prompt); 133228690Sdes if (r == PAM_SUCCESS && prompt_size <= sizeof prompt_buf) 134228690Sdes prompt = prompt_buf; 13591100Sdes style = openpam_get_option(pamh, "echo_pass") ? 13691100Sdes PAM_PROMPT_ECHO_ON : PAM_PROMPT_ECHO_OFF; 13793982Sdes r = pam_prompt(pamh, style, &resp, "%s", prompt); 13891094Sdes if (r != PAM_SUCCESS) 139107937Sdes RETURNC(r); 14093982Sdes if (twice) { 14193982Sdes r = pam_prompt(pamh, style, &resp2, "Retype %s", prompt); 14293982Sdes if (r != PAM_SUCCESS) { 143115619Sdes FREE(resp); 144107937Sdes RETURNC(r); 14593982Sdes } 146115619Sdes if (strcmp(resp, resp2) != 0) 147115619Sdes FREE(resp); 148115619Sdes FREE(resp2); 14993982Sdes } 15093982Sdes if (resp == NULL) 151107937Sdes RETURNC(PAM_TRY_AGAIN); 15294706Sdes r = pam_set_item(pamh, item, resp); 153115619Sdes FREE(resp); 15493982Sdes if (r != PAM_SUCCESS) 155107937Sdes RETURNC(r); 156110556Sdes r = pam_get_item(pamh, item, (const void **)authtok); 157110556Sdes RETURNC(r); 15891094Sdes} 15991100Sdes 16091100Sdes/* 16191100Sdes * Error codes: 16291100Sdes * 16391100Sdes * =pam_get_item 16491100Sdes * =pam_prompt 16591100Sdes * =pam_set_item 16691100Sdes * !PAM_SYMBOL_ERR 16793982Sdes * PAM_TRY_AGAIN 16891100Sdes */ 16993982Sdes 17093982Sdes/** 17193982Sdes * The =pam_get_authtok function returns the cached authentication token, 172141098Sdes * or prompts the user if no token is currently cached. 173141098Sdes * Either way, a pointer to the authentication token is stored in the 174141098Sdes * location pointed to by the =authtok argument. 17593982Sdes * 17693982Sdes * The =item argument must have one of the following values: 17793982Sdes * 17895908Sdes * =PAM_AUTHTOK: 17993982Sdes * Returns the current authentication token, or the new token 18093982Sdes * when changing authentication tokens. 18195908Sdes * =PAM_OLDAUTHTOK: 18293982Sdes * Returns the previous authentication token when changing 18393982Sdes * authentication tokens. 18493982Sdes * 18593982Sdes * The =prompt argument specifies a prompt to use if no token is cached. 18693982Sdes * If it is =NULL, the =PAM_AUTHTOK_PROMPT or =PAM_OLDAUTHTOK_PROMPT item, 187141098Sdes * as appropriate, will be used. 188141098Sdes * If that item is also =NULL, a hardcoded default prompt will be used. 189228690Sdes * Either way, the prompt is expanded using =openpam_subst before it is 190228690Sdes * passed to the conversation function. 19193982Sdes * 192228690Sdes * If =pam_get_authtok is called from a module and the ;authtok_prompt / 193228690Sdes * ;oldauthtok_prompt option is set in the policy file, the value of that 194228690Sdes * option takes precedence over both the =prompt argument and the 195228690Sdes * =PAM_AUTHTOK_PROMPT / =PAM_OLDAUTHTOK_PROMPT item. 196228690Sdes * 19793982Sdes * If =item is set to =PAM_AUTHTOK and there is a non-null =PAM_OLDAUTHTOK 19893982Sdes * item, =pam_get_authtok will ask the user to confirm the new token by 199141098Sdes * retyping it. 200141098Sdes * If there is a mismatch, =pam_get_authtok will return =PAM_TRY_AGAIN. 20193982Sdes * 20293982Sdes * >pam_get_item 20393982Sdes * >pam_get_user 204228690Sdes * >openpam_subst 20593982Sdes */ 206