authorThorsten Kukuk <kukuk@thkukuk.de>2004-09-14 14:22:39 +0000
committerThorsten Kukuk <kukuk@thkukuk.de>2004-09-14 14:22:39 +0000
commit0b3e58307f210514609115544899ebe42d57a5c9 (patch)
treed511eb5579416af602bafbef406f0041991d3c6a
parentff883e0d18e0c274da4689b6efa7064408d8c74b (diff)
Relevant BUGIDs:
Purpose of commit: Commit summary: --------------- bugfix: merge with BerliOS
-rw-r--r--CHANGELOG5
-rw-r--r--libpamc/test/modules/pam_secret.c1
-rw-r--r--modules/pam_access/pam_access.c8
-rw-r--r--modules/pam_cracklib/pam_cracklib.c4
-rw-r--r--modules/pam_userdb/Makefile4
-rw-r--r--modules/pam_userdb/README8
-rw-r--r--modules/pam_userdb/pam_userdb.c49
7 files changed, 71 insertions, 8 deletions
diff --git a/CHANGELOG b/CHANGELOG
index e510a164..40f7a2c9 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -86,6 +86,11 @@ BerliOS Bugs are marked with (BerliOS #XXXX).
contains only one character (Bug 1027903 - kukuk)
* libpam/pam_start.c: All service names should be files below /etc/pam.d
and nothing else. Forbid paths. (Bug 1027912 - kukuk)
+* pam_cracklib: Fix error in distance algorithm in the 0.9 pam_cracklib
+ module (Bug 1010142 - toady)
+* pam_userdb: applied patch from Paul Walmsley <paul@booyaka.com>
+ it now indicates whether encrypted or plaintext passwords are stored
+ in the database needed for pam_userdb. (Bug XXXXXX - toady)
0.77: Mon Sep 23 10:25:42 PDT 2002
diff --git a/libpamc/test/modules/pam_secret.c b/libpamc/test/modules/pam_secret.c
index 7efa8c23..830f1a78 100644
--- a/libpamc/test/modules/pam_secret.c
+++ b/libpamc/test/modules/pam_secret.c
@@ -206,6 +206,7 @@ char *identify_secret(char *identity, const char *user)
pwd = getpwnam(user);
if ((pwd == NULL) || (pwd->pw_dir == NULL)) {
D(("user [%s] is not known", user));
+ return NULL;
}
length_id = strlen(pwd->pw_dir) + sizeof(SECRET_FILE_FORMAT);
diff --git a/modules/pam_access/pam_access.c b/modules/pam_access/pam_access.c
index 4005c93b..854b1506 100644
--- a/modules/pam_access/pam_access.c
+++ b/modules/pam_access/pam_access.c
@@ -41,6 +41,7 @@
#include <errno.h>
#include <ctype.h>
#include <sys/utsname.h>
+#include <rpcsvc/ypclnt.h>
#ifndef BROKEN_NETWORK_MATCH
# include <netdb.h>
@@ -262,16 +263,11 @@ static char * myhostname(void)
static int netgroup_match(char *group, char *machine, char *user)
{
-#ifdef NIS
- static char *mydomain = 0;
+ static char *mydomain = NULL;
if (mydomain == 0)
yp_get_default_domain(&mydomain);
return (innetgr(group, machine, user, mydomain));
-#else
- _log_err("NIS netgroup support not configured");
- return (NO);
-#endif
}
/* user_match - match a username against one token */
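Review bot: The return code of `yp_get_default_domain()` is not checked in the rewritten netgroup_match, so when no NIS domain is bound `mydomain` stays NULL and `innetgr()` is called with a NULL domain, which innetgr(3) treats as a wildcard matching any domain. Now that the `#ifdef NIS` fallback that returned NO is gone, that path is compiled in unconditionally, so a host without a bound NIS domain may match a netgroup rule it previously would have rejected. Consider failing closed before the innetgr() call: `if (mydomain == NULL && yp_get_default_domain(&mydomain) != 0) return NO;` (NO is the value the removed branch returned). The surviving `if (mydomain == 0)` could also compare against NULL now that the initializer was changed to NULL.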
diff --git a/modules/pam_cracklib/pam_cracklib.c b/modules/pam_cracklib/pam_cracklib.c
index bc98d2f6..ff2c61f9 100644
--- a/modules/pam_cracklib/pam_cracklib.c
+++ b/modules/pam_cracklib/pam_cracklib.c
@@ -258,12 +258,12 @@ static int distdifferent(const char *old, const char *new, int i, int j)
{
char c, d;
- if ((i == 0) || (strlen(old) <= i)) {
+ if ((i == 0) || (strlen(old) < i)) {
c = 0;
} else {
c = old[i - 1];
}
- if ((j == 0) || (strlen(new) <= i)) {
+ if ((j == 0) || (strlen(new) < j)) {
d = 0;
} else {
d = new[j - 1];
diff --git a/modules/pam_userdb/Makefile b/modules/pam_userdb/Makefile
index b53ac436..bbecaae1 100644
--- a/modules/pam_userdb/Makefile
+++ b/modules/pam_userdb/Makefile
@@ -24,6 +24,10 @@ else
endif
endif
+ifeq ($(HAVE_LIBCRYPT),yes)
+ MODULE_SIMPLE_EXTRALIBS += -lcrypt
+endif
+
ifeq ($(WHICH_DB),none)
include ../dont_makefile
diff --git a/modules/pam_userdb/README b/modules/pam_userdb/README
index 09d65edd..9fa6519d 100644
--- a/modules/pam_userdb/README
+++ b/modules/pam_userdb/README
@@ -10,8 +10,16 @@ RECOGNIZED ARGUMENTS:
is no default; the module will return PAM_IGNORE if
no database is provided.
+ crypt=[mode] indicates whether encrypted or plaintext passwords
+ are stored in the database. If [mode] is "crypt",
+ passwords should be stored in the database in
+ crypt(3) form. If [mode] is "none" or any other
+ value, passwords should be stored in the database in
+ plaintext.
+
icase make the password verification to be case insensitive
(ie when working with registration numbers and such)
+ only works with plaintext password storage.
dump dump all the entries in the database to the log (eek,
don't do this by default!)
diff --git a/modules/pam_userdb/pam_userdb.c b/modules/pam_userdb/pam_userdb.c
index 519ee898..30f1e578 100644
--- a/modules/pam_userdb/pam_userdb.c
+++ b/modules/pam_userdb/pam_userdb.c
@@ -57,6 +57,7 @@ static void _pam_log(int err, const char *format, ...)
}
char * database = NULL;
+char * cryptmode = NULL;
static int ctrl = 0;
static int _pam_parse(int argc, const char **argv)
@@ -77,6 +78,11 @@ static int _pam_parse(int argc, const char **argv)
if (database == NULL)
_pam_log(LOG_ERR, "pam_parse: could not parse argument \"%s\"",
*argv);
+ } else if (!strncasecmp(*argv,"crypt=", 6)) {
+ cryptmode = strdup((*argv) + 6);
+ if (cryptmode == NULL)
+ _pam_log(LOG_ERR, "pam_parse: could not parse argument \"%s\"",
+ *argv);
} else {
_pam_log(LOG_ERR, "pam_parse: unknown option; %s", *argv);
}
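Review bot: `cryptmode = strdup((*argv) + 6)` overwrites whatever the global already held without freeing it, so if `crypt=` appears twice on the argument line, or if `_pam_parse()` runs on every authentication call as its file-scope globals suggest, the previous copy leaks each time; `free(cryptmode); cryptmode = strdup((*argv) + 6);` avoids that (the `database` handling on the lines above appears to have the same shape). The message logged when strdup() returns NULL says the argument could not be parsed, though the only failure here is allocation; `"pam_parse: out of memory for argument \"%s\""` would be more accurate. `_pam_parse` begins before this hunk.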
@@ -139,6 +145,40 @@ static int user_lookup(const char *user, const char *pass)
if (data.dptr != NULL) {
int compare = 0;
+ if (strncasecmp(cryptmode, "crypt", 5) == 0) {
+
+ /* crypt(3) password storage */
+
+ char *cryptpw;
+ char salt[2];
+
+ if (data.dsize != 13) {
+ compare = -2;
+ } else if (ctrl & PAM_ICASE_ARG) {
+ compare = -2;
+ } else {
+ salt[0] = *data.dptr;
+ salt[1] = *(data.dptr + 1);
+
+ cryptpw = crypt (pass, salt);
+
+ if (cryptpw) {
+ compare = strncasecmp (data.dptr, cryptpw, data.dsize);
+ } else {
+ compare = -2;
+ if (ctrl & PAM_DEBUG_ARG) {
+ _pam_log(LOG_INFO, "crypt() returned NULL");
+ }
+ };
+
+ };
+
+ } else {
+
+ /* Unknown password encryption method -
+ * default to plaintext password storage
+ */
+
if (strlen(pass) != data.dsize) {
compare = 1;
} else if (ctrl & PAM_ICASE_ARG) {
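Review bot: `strncasecmp(cryptmode, "crypt", 5)` on the first added line dereferences `cryptmode`, which is initialised to NULL and only set when a `crypt=` argument is given, so every existing configuration without that argument now crashes in user_lookup; the same unguarded call appears in the next hunk as `strncasecmp(cryptmode, "none", 4)`, which should become `cryptmode != NULL && strncasecmp(cryptmode, "none", 4) && (ctrl & PAM_DEBUG_ARG)`. `salt` is a two-byte array with no terminator, but crypt() takes its setting argument as a C string and implementations that support other hash formats inspect it beyond the second byte, so this reads past the array; a three-byte NUL-terminated buffer fixes it. Comparing the computed hash with `strncasecmp` accepts a stored value that matches only up to letter case, which is weaker than the case-sensitive crypt output demands; `strncmp` (or a constant-time comparison, since this decides a password check) should be used instead. No `#include <crypt.h>` is visible in these hunks; if it is not present elsewhere in the file, crypt() is called without a prototype. user_lookup starts and ends outside the hunk.
```c
	    if (cryptmode != NULL && strncasecmp(cryptmode, "crypt", 5) == 0) {

		/* crypt(3) password storage */

		char *cryptpw;
		char salt[3];          /* crypt() expects a NUL-terminated setting */

		if (data.dsize != 13) {
		    compare = -2;
		} else if (ctrl & PAM_ICASE_ARG) {
		    compare = -2;
		} else {
		    salt[0] = data.dptr[0];
		    salt[1] = data.dptr[1];
		    salt[2] = '\0';

		    cryptpw = crypt (pass, salt);

		    if (cryptpw) {
			/* hash text is case-sensitive; never compare it case-insensitively */
			compare = strncmp (data.dptr, cryptpw, data.dsize);
		    } else {
			/* … unchanged: compare = -2 and the debug log … */
		    }
		}

	    } else {
		/* … unchanged: plaintext comparison … */
```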
@@ -146,6 +186,15 @@ static int user_lookup(const char *user, const char *pass)
} else {
compare = strncmp(data.dptr, pass, data.dsize);
}
+
+ if (strncasecmp(cryptmode, "none", 4) && ctrl & PAM_DEBUG_ARG) {
+ _pam_log(LOG_INFO, "invalid value for crypt parameter: %s",
+ cryptmode);
+ _pam_log(LOG_INFO, "defaulting to plaintext password mode");
+ }
+
+ }
+
dbm_close(dbm);
if (compare == 0)
return 0; /* match */