1/* $NetBSD: pam_unix.c,v 1.13 2009/06/14 23:23:54 tonnerre Exp $ */ 2 3/*- 4 * Copyright 1998 Juniper Networks, Inc. 5 * All rights reserved. 6 * Copyright (c) 2002-2003 Networks Associates Technology, Inc. 7 * All rights reserved. 8 * 9 * Portions of this software was developed for the FreeBSD Project by 10 * ThinkSec AS and NAI Labs, the Security Research Division of Network 11 * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 12 * ("CBOSS"), as part of the DARPA CHATS research program. 13 * 14 * Redistribution and use in source and binary forms, with or without 15 * modification, are permitted provided that the following conditions 16 * are met: 17 * 1. Redistributions of source code must retain the above copyright 18 * notice, this list of conditions and the following disclaimer. 19 * 2. Redistributions in binary form must reproduce the above copyright 20 * notice, this list of conditions and the following disclaimer in the 21 * documentation and/or other materials provided with the distribution. 22 * 3. The name of the author may not be used to endorse or promote 23 * products derived from this software without specific prior written 24 * permission. 25 * 26 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 27 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 28 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 29 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 30 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 31 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 32 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 33 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 34 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 35 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 36 * SUCH DAMAGE. 37 */ 38 39#include <sys/cdefs.h> 40#ifdef __FreeBSD__ 41__FBSDID("$FreeBSD: src/lib/libpam/modules/pam_unix/pam_unix.c,v 1.49 2004/02/10 10:13:21 des Exp $"); 42#else 43__RCSID("$NetBSD: pam_unix.c,v 1.13 2009/06/14 23:23:54 tonnerre Exp $"); 44#endif 45 46 47#include <sys/types.h> 48 49#include <ctype.h> 50#include <errno.h> 51#include <fcntl.h> 52#include <pwd.h> 53#include <grp.h> 54#include <limits.h> 55#include <stdlib.h> 56#include <string.h> 57#include <stdio.h> 58#include <login_cap.h> 59#include <time.h> 60#include <tzfile.h> 61#include <unistd.h> 62 63#include <util.h> 64 65#ifdef YP 66#include <rpc/rpc.h> 67#include <rpcsvc/ypclnt.h> 68#include <rpcsvc/yppasswd.h> 69#endif 70 71#define PAM_SM_AUTH 72#define PAM_SM_ACCOUNT 73#define PAM_SM_PASSWORD 74 75#include <security/pam_appl.h> 76#include <security/pam_modules.h> 77#include <security/pam_mod_misc.h> 78 79/* 80 * authentication management 81 */ 82PAM_EXTERN int 83/*ARGSUSED*/ 84pam_sm_authenticate(pam_handle_t *pamh, int flags __unused, 85 int argc __unused, const char *argv[] __unused) 86{ 87 login_cap_t *lc; 88 struct passwd *pwd, pwres; 89 int retval; 90 const char *pass, *user, *realpw; 91 char pwbuf[1024]; 92 93 pwd = NULL; 94 if (openpam_get_option(pamh, PAM_OPT_AUTH_AS_SELF)) { 95 (void) getpwnam_r(getlogin(), &pwres, pwbuf, sizeof(pwbuf), 96 &pwd); 97 } else { 98 retval = pam_get_user(pamh, &user, NULL); 99 if (retval != PAM_SUCCESS) 100 return (retval); 101 PAM_LOG("Got user: %s", user); 102 (void) getpwnam_r(user, &pwres, pwbuf, sizeof(pwbuf), &pwd); 103 } 104 105 if (pwd != NULL) { 106 PAM_LOG("Doing real authentication"); 107 realpw = pwd->pw_passwd; 108 if (realpw[0] == '\0') { 109 if (!(flags & PAM_DISALLOW_NULL_AUTHTOK) && 110 openpam_get_option(pamh, PAM_OPT_NULLOK)) 111 return (PAM_SUCCESS); 112 realpw = "*"; 113 } 114 lc = login_getpwclass(pwd); 115 } else { 116 PAM_LOG("Doing dummy authentication"); 117 realpw = "*"; 118 lc = login_getclass(NULL); 119 } 120 retval = pam_get_authtok(pamh, PAM_AUTHTOK, &pass, NULL); 121 login_close(lc); 122 if (retval != PAM_SUCCESS) 123 return (retval); 124 PAM_LOG("Got password"); 125 if (strcmp(crypt(pass, realpw), realpw) == 0) 126 return (PAM_SUCCESS); 127 128 PAM_VERBOSE_ERROR("UNIX authentication refused"); 129 return (PAM_AUTH_ERR); 130} 131 132PAM_EXTERN int 133/*ARGSUSED*/ 134pam_sm_setcred(pam_handle_t *pamh __unused, int flags __unused, 135 int argc __unused, const char *argv[] __unused) 136{ 137 138 return (PAM_SUCCESS); 139} 140 141/* 142 * account management 143 */ 144PAM_EXTERN int 145/*ARGSUSED*/ 146pam_sm_acct_mgmt(pam_handle_t *pamh, int flags __unused, 147 int argc __unused, const char *argv[] __unused) 148{ 149 struct passwd *pwd, pwres; 150 struct timeval now; 151 login_cap_t *lc; 152 time_t warntime; 153 int retval; 154 const char *user; 155 char pwbuf[1024]; 156 157 retval = pam_get_user(pamh, &user, NULL); 158 if (retval != PAM_SUCCESS) 159 return (retval); 160 161 if (user == NULL || 162 getpwnam_r(user, &pwres, pwbuf, sizeof(pwbuf), &pwd) != 0 || 163 pwd == NULL) 164 return (PAM_SERVICE_ERR); 165 166 PAM_LOG("Got user: %s", user); 167 168 if (*pwd->pw_passwd == '\0' && 169 (flags & PAM_DISALLOW_NULL_AUTHTOK) != 0) 170 return (PAM_NEW_AUTHTOK_REQD); 171 172 lc = login_getpwclass(pwd); 173 if (lc == NULL) { 174 PAM_LOG("Unable to get login class for user %s", user); 175 return (PAM_SERVICE_ERR); 176 } 177 178 PAM_LOG("Got login_cap"); 179 180 if (pwd->pw_change || pwd->pw_expire) 181 (void) gettimeofday(&now, NULL); 182 183 warntime = (time_t)login_getcaptime(lc, "password-warn", 184 (quad_t)(_PASSWORD_WARNDAYS * SECSPERDAY), 185 (quad_t)(_PASSWORD_WARNDAYS * SECSPERDAY)); 186 187 /* 188 * Check pw_expire before pw_change - no point in letting the 189 * user change the password on an expired account. 190 */ 191 192 if (pwd->pw_expire) { 193 if (now.tv_sec >= pwd->pw_expire) { 194 login_close(lc); 195 return (PAM_ACCT_EXPIRED); 196 } else if (pwd->pw_expire - now.tv_sec < warntime && 197 (flags & PAM_SILENT) == 0) { 198 pam_error(pamh, "Warning: your account expires on %s", 199 ctime(&pwd->pw_expire)); 200 } 201 } 202 203 if (pwd->pw_change) { 204 /* XXX How to handle _PASSWORD_CHGNOW? --thorpej */ 205 if (now.tv_sec >= pwd->pw_change) { 206 login_close(lc); 207 return (PAM_NEW_AUTHTOK_REQD); 208 } else if (pwd->pw_change - now.tv_sec < warntime && 209 (flags & PAM_SILENT) == 0) { 210 pam_error(pamh, "Warning: your password expires on %s", 211 ctime(&pwd->pw_change)); 212 } 213 } 214 215 login_close(lc); 216 217 return (PAM_SUCCESS); 218} 219 220#ifdef YP 221/* 222 * yp_check_user: 223 * 224 * Helper function; check that a user exists in the NIS 225 * password map. 226 */ 227static int 228yp_check_user(const char *domain, const char *user) 229{ 230 char *val; 231 int reason, vallen; 232 233 val = NULL; 234 reason = yp_match(domain, "passwd.byname", user, (int)strlen(user), 235 &val, &vallen); 236 if (reason != 0) { 237 if (val != NULL) 238 free(val); 239 return (0); 240 } 241 free(val); 242 return (1); 243} 244 245static int 246/*ARGSUSED*/ 247yp_set_password(pam_handle_t *pamh, struct passwd *opwd, 248 struct passwd *pwd, const char *old_pass, const char *domain) 249{ 250 char *master; 251 int r, rpcport, status; 252 struct yppasswd yppwd; 253 CLIENT *client; 254 uid_t uid; 255 int retval = PAM_SERVICE_ERR; 256 struct timeval tv; 257 258 /* 259 * Find the master for the passwd map; it should be running 260 * rpc.yppasswdd. 261 */ 262 if ((r = yp_master(domain, "passwd.byname", &master)) != 0) { 263 pam_error(pamh, "Can't find master NIS server. Reason: %s", 264 yperr_string(r)); 265 return (PAM_SERVICE_ERR); 266 } 267 268 /* 269 * Ask the portmapper for the port of rpc.yppasswdd. 270 */ 271 if ((rpcport = getrpcport(master, YPPASSWDPROG, 272 YPPASSWDPROC_UPDATE, IPPROTO_UDP)) == 0) { 273 pam_error(pamh, 274 "Master NIS server not runing yppasswd daemon.\n\t" 275 "Can't change NIS password."); 276 return (PAM_SERVICE_ERR); 277 } 278 279 /* 280 * Be sure the port is privileged. 281 */ 282 if (rpcport >= IPPORT_RESERVED) { 283 pam_error(pamh, "yppasswd daemon is on an invalid port."); 284 return (PAM_SERVICE_ERR); 285 } 286 287 uid = getuid(); 288 if (uid != 0 && uid != pwd->pw_uid) { 289 pam_error(pamh, "You may only change your own password: %s", 290 strerror(EACCES)); 291 return (PAM_SERVICE_ERR); 292 } 293 294 /* 295 * Fill in the yppasswd structure for yppasswdd. 296 */ 297 memset(&yppwd, 0, sizeof(yppwd)); 298 yppwd.oldpass = strdup(old_pass); 299 if ((yppwd.newpw.pw_passwd = strdup(pwd->pw_passwd)) == NULL) 300 goto malloc_failure; 301 if ((yppwd.newpw.pw_name = strdup(pwd->pw_name)) == NULL) 302 goto malloc_failure; 303 yppwd.newpw.pw_uid = pwd->pw_uid; 304 yppwd.newpw.pw_gid = pwd->pw_gid; 305 if ((yppwd.newpw.pw_gecos = strdup(pwd->pw_gecos)) == NULL) 306 goto malloc_failure; 307 if ((yppwd.newpw.pw_dir = strdup(pwd->pw_dir)) == NULL) 308 goto malloc_failure; 309 if ((yppwd.newpw.pw_shell = strdup(pwd->pw_shell)) == NULL) 310 goto malloc_failure; 311 312 client = clnt_create(master, YPPASSWDPROG, YPPASSWDVERS, "udp"); 313 if (client == NULL) { 314 pam_error(pamh, "Can't contact yppasswdd on %s: Reason: %s", 315 master, yperr_string(YPERR_YPBIND)); 316 goto out; 317 } 318 319 client->cl_auth = authunix_create_default(); 320 tv.tv_sec = 2; 321 tv.tv_usec = 0; 322 r = clnt_call(client, YPPASSWDPROC_UPDATE, 323 xdr_yppasswd, &yppwd, xdr_int, &status, tv); 324 if (r) 325 pam_error(pamh, "RPC to yppasswdd failed."); 326 else if (status) 327 pam_error(pamh, "Couldn't change NIS password."); 328 else { 329 pam_info(pamh, "The NIS password has been changed on %s, " 330 "the master NIS passwd server.", master); 331 retval = PAM_SUCCESS; 332 } 333 334 out: 335 if (yppwd.oldpass != NULL) 336 free(yppwd.oldpass); 337 if (yppwd.newpw.pw_passwd != NULL) 338 free(yppwd.newpw.pw_passwd); 339 if (yppwd.newpw.pw_name != NULL) 340 free(yppwd.newpw.pw_name); 341 if (yppwd.newpw.pw_gecos != NULL) 342 free(yppwd.newpw.pw_gecos); 343 if (yppwd.newpw.pw_dir != NULL) 344 free(yppwd.newpw.pw_dir); 345 if (yppwd.newpw.pw_shell != NULL) 346 free(yppwd.newpw.pw_shell); 347 return (retval); 348 349 malloc_failure: 350 pam_error(pamh, "memory allocation failure"); 351 goto out; 352} 353#endif /* YP */ 354 355static int 356local_set_password(pam_handle_t *pamh, struct passwd *opwd, 357 struct passwd *pwd) 358{ 359 char errbuf[200]; 360 int tfd, pfd; 361 362 pw_init(); 363 tfd = pw_lock(0); 364 if (tfd < 0) { 365 pam_error(pamh, "The password file is busy, waiting..."); 366 tfd = pw_lock(10); 367 if (tfd < 0) { 368 pam_error(pamh, "The password file is still busy, " 369 "try again later."); 370 return (PAM_SERVICE_ERR); 371 } 372 } 373 374 pfd = open(_PATH_MASTERPASSWD, O_RDONLY, 0); 375 if (pfd < 0) { 376 pam_error(pamh, "%s: %s", _PATH_MASTERPASSWD, strerror(errno)); 377 pw_abort(); 378 return (PAM_SERVICE_ERR); 379 } 380 381 if (pw_copyx(pfd, tfd, pwd, opwd, errbuf, sizeof(errbuf)) == 0) { 382 pam_error(pamh, "Unable to update password entry: %s", 383 errbuf); 384 pw_abort(); 385 return (PAM_SERVICE_ERR); 386 } 387 388 if (pw_mkdb(pwd->pw_name, opwd->pw_change == pwd->pw_change) < 0) { 389 pam_error(pamh, "Unable to rebuild local password database."); 390 pw_abort(); 391 return (PAM_SERVICE_ERR); 392 } 393 394 return (PAM_SUCCESS); 395} 396 397/* 398 * password management 399 * 400 * standard Unix and NIS password changing 401 */ 402PAM_EXTERN int 403/*ARGSUSED*/ 404pam_sm_chauthtok(pam_handle_t *pamh, int flags, 405 int argc __unused, const char *argv[] __unused) 406{ 407 struct passwd *pwd, new_pwd, old_pwd; 408 login_cap_t *lc; 409 const char *user, *passwd_db, *new_pass, *old_pass, *p; 410 int retval, tries, min_pw_len = 0, pw_expiry = 0; 411 char salt[_PASSWORD_LEN+1]; 412 char old_pwbuf[1024]; 413#ifdef YP 414 char *domain; 415 int r; 416#endif 417 418 pwd = NULL; 419 if (openpam_get_option(pamh, PAM_OPT_AUTH_AS_SELF)) { 420 if ((user = getlogin()) == NULL) { 421 pam_error(pamh, "Unable to determine user."); 422 return (PAM_SERVICE_ERR); 423 } 424 (void) getpwnam_r(user, &old_pwd, old_pwbuf, 425 sizeof(old_pwbuf), &pwd); 426 } else { 427 retval = pam_get_user(pamh, &user, NULL); 428 if (retval != PAM_SUCCESS) 429 return (retval); 430 (void) getpwnam_r(user, &old_pwd, old_pwbuf, 431 sizeof(old_pwbuf), &pwd); 432 } 433 434 if (pwd == NULL) 435 return (PAM_AUTHTOK_RECOVERY_ERR); 436 437 PAM_LOG("Got user: %s", user); 438 439 /* 440 * Determine which password type we're going to change, and 441 * remember it. 442 * 443 * NOTE: domain does not need to be freed; its storage is 444 * allocated statically in libc. 445 */ 446 passwd_db = openpam_get_option(pamh, "passwd_db"); 447 if (passwd_db == NULL) { 448#ifdef YP 449 /* Prefer YP, if configured. */ 450 if (_yp_check(NULL)) { 451 /* If _yp_check() succeeded, then this must. */ 452 if ((r = yp_get_default_domain(&domain)) != 0) { 453 pam_error(pamh, 454 "Unable to get NIS domain, reason: %s", 455 yperr_string(r)); 456 return (PAM_SERVICE_ERR); 457 } 458 if (yp_check_user(domain, user)) 459 passwd_db = "nis"; 460 } 461#endif 462 /* Otherwise we always use local files. */ 463 if (passwd_db == NULL) { 464 /* XXX Any validation to do here? */ 465 passwd_db = "files"; 466 } 467 468 if ((retval = openpam_set_option(pamh, "passwd_db", 469 passwd_db)) != PAM_SUCCESS) { 470 return (retval); 471 } 472 } else { 473 /* Check to see if the specified password DB is usable. */ 474#ifdef YP 475 if (strcmp(passwd_db, "nis") == 0) { 476 if (_yp_check(NULL) == 0) { 477 pam_error(pamh, "NIS not in use."); 478 return (PAM_SERVICE_ERR); 479 } 480 if ((r = yp_get_default_domain(&domain)) != 0) { 481 pam_error(pamh, 482 "Unable to get NIS domain, reason: %s", 483 yperr_string(r)); 484 return (PAM_SERVICE_ERR); 485 } 486 if (yp_check_user(domain, user) == 0) { 487 pam_error(pamh, 488 "User %s does not exist in NIS.", user); 489 return (PAM_USER_UNKNOWN); 490 } 491 goto known_passwd_db; 492 } 493#endif 494 if (strcmp(passwd_db, "files") == 0) { 495 /* XXX Any validation to do here? */ 496 goto known_passwd_db; 497 } 498 pam_error(pamh, "Unknown Unix password DB: %s", passwd_db); 499 return (PAM_SERVICE_ERR); 500 } 501 known_passwd_db: 502 503 if (flags & PAM_PRELIM_CHECK) { 504 PAM_LOG("PRELIM round"); 505 506 if (strcmp(passwd_db, "files") == 0) { 507 if (getuid() == 0) { 508 /* Root doesn't need the old password. */ 509 return (pam_set_item(pamh, PAM_OLDAUTHTOK, "")); 510 } 511 /* 512 * Apparently we're not root, so let's forbid editing 513 * root. 514 * XXX Check for some flag to indicate if this 515 * XXX is the desired behavior. 516 */ 517 if (pwd->pw_uid == 0) 518 return (PAM_PERM_DENIED); 519 } 520 521 if (pwd->pw_passwd[0] == '\0') { 522 /* 523 * No password case. 524 * XXX Are we giviing too much away by not prompting 525 * XXX for a password? 526 * XXX Check PAM_DISALLOW_NULL_AUTHTOK 527 */ 528 return (pam_set_item(pamh, PAM_OLDAUTHTOK, "")); 529 } else { 530 retval = pam_get_authtok(pamh, PAM_OLDAUTHTOK, 531 &old_pass, NULL); 532 if (retval != PAM_SUCCESS) 533 return (retval); 534 if (strcmp(crypt(old_pass, pwd->pw_passwd), 535 pwd->pw_passwd) != 0) 536 return (PAM_PERM_DENIED); 537 return (PAM_SUCCESS); 538 } 539 } 540 541 if (flags & PAM_UPDATE_AUTHTOK) { 542 char option[LINE_MAX], *key, *opt; 543 544 PAM_LOG("UPDATE round"); 545 546 if ((lc = login_getclass(pwd->pw_class)) != NULL) { 547 min_pw_len = (int) login_getcapnum(lc, 548 "minpasswordlen", (quad_t)0, (quad_t)0); 549 pw_expiry = (int) login_getcapnum(lc, 550 "passwordtime", (quad_t)0, (quad_t)0); 551 login_close(lc); 552 } 553 554 retval = pam_get_authtok(pamh, PAM_OLDAUTHTOK, &old_pass, NULL); 555 if (retval != PAM_SUCCESS) 556 return (retval); 557 558 /* Get the new password. */ 559 for (tries = 0;;) { 560 retval = pam_get_authtok(pamh, PAM_AUTHTOK, &new_pass, 561 NULL); 562 if (retval == PAM_TRY_AGAIN) { 563 pam_error(pamh, 564 "Mismatch; try again, EOF to quit."); 565 continue; 566 } 567 if (retval != PAM_SUCCESS) { 568 PAM_VERBOSE_ERROR("Unable to get new password"); 569 return (retval); 570 } 571 /* Successfully got new password. */ 572 if (new_pass[0] == '\0') { 573 pam_info(pamh, "Password unchanged."); 574 return (PAM_SUCCESS); 575 } 576 if (min_pw_len > 0 && strlen(new_pass) < (size_t)min_pw_len) { 577 pam_error(pamh, "Password is too short."); 578 goto retry; 579 } 580 if (strlen(new_pass) <= 5 && ++tries < 2) { 581 pam_error(pamh, 582 "Please enter a longer password."); 583 goto retry; 584 } 585 for (p = new_pass; *p && islower((unsigned char)*p); ++p); 586 if (!*p && ++tries < 2) { 587 pam_error(pamh, 588 "Please don't use an all-lower case " 589 "password.\nUnusual capitalization, " 590 "control characters or digits are " 591 "suggested."); 592 goto retry; 593 } 594 /* Password is OK. */ 595 break; 596retry: 597 pam_set_item(pamh, PAM_AUTHTOK, NULL); 598 } 599 pw_getpwconf(option, sizeof(option), pwd, 600#ifdef YP 601 strcmp(passwd_db, "nis") == 0 ? "ypcipher" : 602#endif 603 "localcipher"); 604 opt = option; 605 key = strsep(&opt, ","); 606 607 if (pw_gensalt(salt, _PASSWORD_LEN, key, opt) == -1) { 608 pam_error(pamh, "Couldn't generate salt."); 609 return (PAM_SERVICE_ERR); 610 } 611 612 new_pwd = old_pwd; 613 pwd = &new_pwd; 614 pwd->pw_passwd = crypt(new_pass, salt); 615 pwd->pw_change = pw_expiry ? pw_expiry + time(NULL) : 0; 616 617 retval = PAM_SERVICE_ERR; 618 if (strcmp(passwd_db, "files") == 0) 619 retval = local_set_password(pamh, &old_pwd, pwd); 620#ifdef YP 621 if (strcmp(passwd_db, "nis") == 0) 622 retval = yp_set_password(pamh, &old_pwd, pwd, old_pass, 623 domain); 624#endif 625 return (retval); 626 } 627 628 PAM_LOG("Illegal flags argument"); 629 return (PAM_ABORT); 630} 631 632PAM_MODULE_ENTRY("pam_unix"); 633