summaryrefslogtreecommitdiff
path: root/modules
diff options
context:
space:
mode:
authorThorsten Kukuk <kukuk@thkukuk.de>2006-02-10 18:33:54 +0000
committerThorsten Kukuk <kukuk@thkukuk.de>2006-02-10 18:33:54 +0000
commit2c388144eb7c68aa31c20c00f6c054c219bf72a2 (patch)
tree0469cc1f27d1696ba062a670ea4f4b625e7e4052 /modules
parent486d687f4c63d5712a850807952383e785e387ba (diff)
Relevant BUGIDs:
Purpose of commit: Commit summary: --------------- Remove pam_pwdb and all references to it. 2006-02-10 Thorsten Kukuk <kukuk@thkukuk.de> * configure.in: Remove pam_pwdb support. * modules/Makefile.am: remove pam_pwdb. * modules/pam_pwdb: Remove complete directory. * libpam/Makefile.am: Remove LIBPWDB references. * libpam/pam_static_modules.h: Remove pam_pwdb references. * doc/modules/pam_pwdb.sgml: Removed. * po/POTFILES.in: Remove modules/pam_pwdb/*.c entries. * doc/pam_source.sgml: Remove references to libpwdb. * doc/modules/pam_limits.sgml: Remove wrong reference to libpwdb. * doc/modules/pam_group.sgml: Likewise. * doc/modules/pam_cracklib.sgml: Replace pam_pwdb with pam_unix. * doc/modules/pam_userdb.sgml: Likewise. * modules/pam_cracklib/pam_cracklib.8.xml: Replace pam_pwdb with pam_unix. * modules/pam_mkhomedir/pam_mkhomedir.c: Likewise. * modules/pam_group/pam_group.c: Remove dead code for libpwdb.
Diffstat (limited to 'modules')
-rw-r--r--modules/Makefile.am2
-rw-r--r--modules/pam_cracklib/README2
-rw-r--r--modules/pam_cracklib/pam_cracklib.84
-rw-r--r--modules/pam_cracklib/pam_cracklib.8.xml2
-rw-r--r--modules/pam_group/pam_group.c43
-rw-r--r--modules/pam_mkhomedir/pam_mkhomedir.c8
-rw-r--r--modules/pam_pwdb/.cvsignore7
-rw-r--r--modules/pam_pwdb/BUGS3
-rw-r--r--modules/pam_pwdb/CHANGELOG10
-rw-r--r--modules/pam_pwdb/Makefile.am30
-rw-r--r--modules/pam_pwdb/README41
-rw-r--r--modules/pam_pwdb/TODO34
-rw-r--r--modules/pam_pwdb/bigcrypt.-c114
-rw-r--r--modules/pam_pwdb/md5.c255
-rw-r--r--modules/pam_pwdb/md5.h30
-rw-r--r--modules/pam_pwdb/md5_broken.c4
-rw-r--r--modules/pam_pwdb/md5_crypt.c154
-rw-r--r--modules/pam_pwdb/md5_good.c5
-rw-r--r--modules/pam_pwdb/pam_pwdb.c251
-rw-r--r--modules/pam_pwdb/pam_unix_acct.-c272
-rw-r--r--modules/pam_pwdb/pam_unix_auth.-c131
-rw-r--r--modules/pam_pwdb/pam_unix_md.-c73
-rw-r--r--modules/pam_pwdb/pam_unix_passwd.-c373
-rw-r--r--modules/pam_pwdb/pam_unix_pwupd.-c260
-rw-r--r--modules/pam_pwdb/pam_unix_sess.-c98
-rw-r--r--modules/pam_pwdb/pwdb_chkpwd.c221
-rw-r--r--modules/pam_pwdb/support.-c960
27 files changed, 9 insertions, 3378 deletions
diff --git a/modules/Makefile.am b/modules/Makefile.am
index a259d738..075eb58d 100644
--- a/modules/Makefile.am
+++ b/modules/Makefile.am
@@ -5,7 +5,7 @@
SUBDIRS = pam_access pam_cracklib pam_debug pam_deny pam_echo \
pam_env pam_filter pam_ftp pam_group pam_issue pam_lastlog \
pam_limits pam_listfile pam_localuser pam_mail pam_mkhomedir \
- pam_motd pam_nologin pam_permit pam_pwdb pam_rhosts pam_rootok \
+ pam_motd pam_nologin pam_permit pam_rhosts pam_rootok \
pam_securetty pam_selinux pam_shells pam_stress pam_succeed_if \
pam_tally pam_time pam_umask pam_unix pam_userdb pam_warn \
pam_wheel pam_xauth pam_exec
diff --git a/modules/pam_cracklib/README b/modules/pam_cracklib/README
index 756b7f48..89e80318 100644
--- a/modules/pam_cracklib/README
+++ b/modules/pam_cracklib/README
@@ -203,7 +203,7 @@ And here is another example in case you don't want to use credits:
#
password required pam_cracklib.so \
dcredit=-1 ucredit=-1 ocredit=-1 lcredit=0 minlen=8
-password required pam_pwdb.so use_authtok nullok md5
+password required pam_unix.so use_authtok nullok md5
AUTHOR
diff --git a/modules/pam_cracklib/pam_cracklib.8 b/modules/pam_cracklib/pam_cracklib.8
index 5f120d10..e5d21020 100644
--- a/modules/pam_cracklib/pam_cracklib.8
+++ b/modules/pam_cracklib/pam_cracklib.8
@@ -2,7 +2,7 @@
.\" It was generated using the DocBook XSL Stylesheets (version 1.69.1).
.\" Instead of manually editing it, you probably should edit the DocBook XML
.\" source for it and then use the DocBook XSL Stylesheets to regenerate it.
-.TH "PAM_CRACKLIB" "8" "02/03/2006" "Linux\-PAM Manual" "Linux\-PAM Manual"
+.TH "PAM_CRACKLIB" "8" "02/10/2006" "Linux\-PAM Manual" "Linux\-PAM Manual"
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
@@ -234,7 +234,7 @@ And here is another example in case you don't want to use credits:
#
password required pam_cracklib.so \\
dcredit=\-1 ucredit=\-1 ocredit=\-1 lcredit=0 minlen=8
-password required pam_pwdb.so use_authtok nullok md5
+password required pam_unix.so use_authtok nullok md5
.fi
.sp
diff --git a/modules/pam_cracklib/pam_cracklib.8.xml b/modules/pam_cracklib/pam_cracklib.8.xml
index 74c66e09..7edabe0f 100644
--- a/modules/pam_cracklib/pam_cracklib.8.xml
+++ b/modules/pam_cracklib/pam_cracklib.8.xml
@@ -464,7 +464,7 @@ password required pam_unix.so use_authtok nullok md5
#
password required pam_cracklib.so \
dcredit=-1 ucredit=-1 ocredit=-1 lcredit=0 minlen=8
-password required pam_pwdb.so use_authtok nullok md5
+password required pam_unix.so use_authtok nullok md5
</programlisting>
</para>
diff --git a/modules/pam_group/pam_group.c b/modules/pam_group/pam_group.c
index bc40912b..28527e38 100644
--- a/modules/pam_group/pam_group.c
+++ b/modules/pam_group/pam_group.c
@@ -555,33 +555,6 @@ static int mkgrplist(pam_handle_t *pamh, char *buf, gid_t **list, int len)
D(("found group: %s",buf+at));
/* this is where we convert a group name to a gid_t */
-#ifdef WANT_PWDB
- {
- int retval;
- const struct pwdb *pw=NULL;
-
- retval = pwdb_locate("group", PWDB_DEFAULT, buf+at
- , PWDB_ID_UNKNOWN, &pw);
- if (retval != PWDB_SUCCESS) {
- pam_syslog(pamh, LOG_ERR, "bad group: %s; %s",
- buf+at, pwdb_strerror(retval));
- } else {
- const struct pwdb_entry *pwe=NULL;
-
- D(("group %s exists", buf+at));
- retval = pwdb_get_entry(pw, "gid", &pwe);
- if (retval == PWDB_SUCCESS) {
- D(("gid = %d [%p]",* (const gid_t *) pwe->value,list));
- (*list)[len++] = * (const gid_t *) pwe->value;
- pwdb_entry_delete(&pwe); /* tidy up */
- } else {
- pam_syslog(pamh, LOG_ERR, "%s group entry is bad; %s",
- pwdb_strerror(retval));
- }
- pw = NULL; /* break link - cached for later use */
- }
- }
-#else
{
const struct group *grp;
@@ -593,7 +566,6 @@ static int mkgrplist(pam_handle_t *pamh, char *buf, gid_t **list, int len)
(*list)[len++] = grp->gr_gid;
}
}
-#endif
/* next entry along */
@@ -842,22 +814,7 @@ pam_sm_setcred (pam_handle_t *pamh, int flags,
D(("user=%s", user));
D(("tty=%s", tty));
-#ifdef WANT_PWDB
-
- /* We initialize the pwdb library and check the account */
- retval = pwdb_start(); /* initialize */
- if (retval == PWDB_SUCCESS) {
- retval = check_account(pamh, service,tty,user); /* get groups */
- (void) pwdb_end(); /* tidy up */
- } else {
- D(("failed to initialize pwdb; %s", pwdb_strerror(retval)));
- pam_syslog(pamh, LOG_ERR, "unable to initialize libpwdb");
- retval = PAM_ABORT;
- }
-
-#else /* WANT_PWDB */
retval = check_account(pamh,service,tty,user); /* get groups */
-#endif /* WANT_PWDB */
return retval;
}
diff --git a/modules/pam_mkhomedir/pam_mkhomedir.c b/modules/pam_mkhomedir/pam_mkhomedir.c
index ec4af88e..799d19fc 100644
--- a/modules/pam_mkhomedir/pam_mkhomedir.c
+++ b/modules/pam_mkhomedir/pam_mkhomedir.c
@@ -10,16 +10,16 @@
auth requisite pam_securetty.so
auth sufficient pam_ldap.so
- auth required pam_pwdb.so
+ auth required pam_unix.so
auth optional pam_group.so
auth optional pam_mail.so
account requisite pam_time.so
account sufficient pam_ldap.so
- account required pam_pwdb.so
+ account required pam_unix.so
session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
- session required pam_pwdb.so
+ session required pam_unix.so
session optional pam_lastlog.so
- password required pam_pwdb.so
+ password required pam_unix.so
Released under the GNU LGPL version 2 or later
Originally written by Jason Gunthorpe <jgg@debian.org> Feb 1999
diff --git a/modules/pam_pwdb/.cvsignore b/modules/pam_pwdb/.cvsignore
deleted file mode 100644
index 0d5e633b..00000000
--- a/modules/pam_pwdb/.cvsignore
+++ /dev/null
@@ -1,7 +0,0 @@
-*.la
-*.lo
-.deps
-.libs
-Makefile
-Makefile.in
-pwdb_chkpwd
diff --git a/modules/pam_pwdb/BUGS b/modules/pam_pwdb/BUGS
deleted file mode 100644
index a3608a7c..00000000
--- a/modules/pam_pwdb/BUGS
+++ /dev/null
@@ -1,3 +0,0 @@
-$Id$
-
-As of Linux-PAM-0.52 this is new. No known bugs yet.
diff --git a/modules/pam_pwdb/CHANGELOG b/modules/pam_pwdb/CHANGELOG
deleted file mode 100644
index 7bad5cd8..00000000
--- a/modules/pam_pwdb/CHANGELOG
+++ /dev/null
@@ -1,10 +0,0 @@
-$Id$
-
-Tue Apr 23 12:28:09 EDT 1996 (Alexander O. Yuriev alex@bach.cis.temple.edu)
-
- * PAM_DISALLOW_NULL_AUTHTOK implemented in the authentication module
- * pam_sm_open_session() and pam_sm_close_session() implemented
- A new "trace" flag added to flags of /etc/pam.conf. Using this
- flag system administrator is able to make pam_unix module provide
- very extensive audit trail sent so syslog with LOG_AUTHPRIV level.
- * pam_sm_set_cred() is done
diff --git a/modules/pam_pwdb/Makefile.am b/modules/pam_pwdb/Makefile.am
deleted file mode 100644
index d7c2a221..00000000
--- a/modules/pam_pwdb/Makefile.am
+++ /dev/null
@@ -1,30 +0,0 @@
-#
-# Copyright (c) 2005 Thorsten Kukuk <kukuk@suse.de>
-#
-
-CLEANFILES = *~
-
-EXTRA_DIST = TODO README md5.c md5_crypt.c bigcrypt.-c pam_unix_acct.-c \
- pam_unix_auth.-c pam_unix_md.-c pam_unix_passwd.-c \
- pam_unix_pwupd.-c pam_unix_sess.-c support.-c BUGS CHANGELOG
-
-noinst_HEADERS = md5.h
-
-securelibdir = $(SECUREDIR)
-secureconfdir = $(SCONFIGDIR)
-
-AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \
- -DCHKPWD_HELPER=\"$(sbindir)/$(CHKPWD)\"
-AM_LDFLAGS = -no-undefined -avoid-version -module \
- -L$(top_builddir)/libpam -lpam @LIBCRYPT@ @LIBPWDB@
-if HAVE_VERSIONING
- AM_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map
-endif
-
-if HAVE_LIBPWDB
- securelib_LTLIBRARIES = pam_pwdb.la
- sbin_BINARIES = pwdb_chkpwd
-endif
-
-pam_pwdb_la_SOURCES = md5_good.c md5_broken.c pam_pwdb.c
-pwdb_checkpwd_SOURCES = md5_good.c md5_broken.c pwdb_chkpwd.c
diff --git a/modules/pam_pwdb/README b/modules/pam_pwdb/README
deleted file mode 100644
index 4f420855..00000000
--- a/modules/pam_pwdb/README
+++ /dev/null
@@ -1,41 +0,0 @@
-This is the pam_unix module. It has been significantly rewritten since
-.51 was released (due mostly to the efforts of Cristian Gafton), and
-now takes more options and correctly updates vanilla UNIX/shadow/md5
-passwords.
-
-[Please read the source and make a note of all the warnings there, as
-the license suggests -- use at your own risk.]
-
-So far as I am concerned this module is now pretty stable. If you find
-any bugs, PLEASE tell me! <morgan@linux.kernel.org>
-
-Options recognized by this module are as follows:
-
- debug - log more debugging info
- audit - a little more extreme than debug
- use_first_pass - don't prompt the user for passwords
- take them from PAM_ items instead
- try_first_pass - don't prompt the user for the passwords
- unless PAM_(OLD)AUTHTOK is unset
- use_authtok - like try_first_pass, but *fail* if the new
- PAM_AUTHTOK has not been previously set.
- (intended for stacking password modules only)
- not_set_pass - don't set the PAM_ items with the passwords
- used by this module.
- shadow - try to maintian a shadow based system.
- unix - when changing passwords, they are placed
- in the /etc/passwd file
- md5 - when a user changes their password next,
- encrypt it with the md5 algorithm.
- bigcrypt - when a user changes their password next,
- excrypt it with the DEC C2-algorithm(0).
- nodelay - used to prevent failed authentication
- resulting in a delay of about 1 second.
-
-There is some support for building a shadow file on-the-fly from an
-/etc/passwd file. This is VERY alpha. If you want to play with it you
-should read the source to find the appropriate #define that you will
-need.
-
----------------------
-Andrew Morgan <morgan@linux.kernel.org>
diff --git a/modules/pam_pwdb/TODO b/modules/pam_pwdb/TODO
deleted file mode 100644
index 9dc7fc7e..00000000
--- a/modules/pam_pwdb/TODO
+++ /dev/null
@@ -1,34 +0,0 @@
-$Id$
-
- * get NIS working
- * .. including "nonis" argument
- * add helper binary
-
-Wed Sep 4 23:40:09 PDT 1996 Andrew G. Morgan
-
- * verify that it works for everyone
- * look more seriously at the issue of generating a shadow
- system on the fly
- * add some more password flavors
-
-Thu Aug 29 06:26:42 PDT 1996 Andrew G. Morgan
-
- * check that complete rewrite works! ;^)
- * complete shadow support to the password changing code.
- Also some code needed here for session managment?
- (both pam.conf argument to turn it on/off, and some
- conditional compilation.)
- * md5 passwords...
- * make the exclusive nature of the arguments work. That is,
- only recognize the flags when appropriate.
-
-Wed May 8 19:08:49 EDT 1996 Alexander O. Yuriev
-
- * support.c should go.
-
-Tue Apr 23 21:43:55 EDT 1996 Alexander O. Yuriev
-
- * pam_sm_chauth_tok() should be written
- * QUICK FIX: pam_sm_setcred() probably returns incorrect error code
-
-
diff --git a/modules/pam_pwdb/bigcrypt.-c b/modules/pam_pwdb/bigcrypt.-c
deleted file mode 100644
index 321f2491..00000000
--- a/modules/pam_pwdb/bigcrypt.-c
+++ /dev/null
@@ -1,114 +0,0 @@
-/*
- * This function implements the "bigcrypt" algorithm specifically for
- * Linux-PAM.
- *
- * This algorithm is algorithm 0 (default) shipped with the C2 secure
- * implementation of Digital UNIX.
- *
- * Disclaimer: This work is not based on the source code to Digital
- * UNIX, nor am I connected to Digital Equipment Corp, in any way
- * other than as a customer. This code is based on published
- * interfaces and reasonable guesswork.
- *
- * Description: The cleartext is divided into blocks of SEGMENT_SIZE=8
- * characters or less. Each block is encrypted using the standard UNIX
- * libc crypt function. The result of the encryption for one block
- * provides the salt for the suceeding block.
- *
- * Restrictions: The buffer used to hold the encrypted result is
- * statically allocated. (see MAX_PASS_LEN below). This is necessary,
- * as the returned pointer points to "static data that are overwritten
- * by each call", (XPG3: XSI System Interface + Headers pg 109), and
- * this is a drop in replacement for crypt();
- *
- * Andy Phillips <atp@mssl.ucl.ac.uk>
- */
-
-/*
- * Max cleartext password length in segments of 8 characters this
- * function can deal with (16 segments of 8 chars= max 128 character
- * password).
- */
-
-#define MAX_PASS_LEN 16
-#define SEGMENT_SIZE 8
-#define SALT_SIZE 2
-#define KEYBUF_SIZE ((MAX_PASS_LEN*SEGMENT_SIZE)+SALT_SIZE)
-#define ESEGMENT_SIZE 11
-#define CBUF_SIZE ((MAX_PASS_LEN*ESEGMENT_SIZE)+SALT_SIZE+1)
-
-static char *bigcrypt(const char *key, const char *salt)
-{
- static char dec_c2_cryptbuf[CBUF_SIZE]; /* static storage area */
-
- unsigned long int keylen,n_seg,j;
- char *cipher_ptr,*plaintext_ptr,*tmp_ptr,*salt_ptr;
- char keybuf[KEYBUF_SIZE+1];
-
- D(("called with key='%s', salt='%s'.", key, salt));
-
- /* reset arrays */
- memset(keybuf, 0, KEYBUF_SIZE+1);
- memset(dec_c2_cryptbuf, 0, CBUF_SIZE);
-
- /* fill KEYBUF_SIZE with key */
- strncpy(keybuf, key, KEYBUF_SIZE);
-
- /* deal with case that we are doing a password check for a
- conventially encrypted password: the salt will be
- SALT_SIZE+ESEGMENT_SIZE long. */
- if (strlen(salt) == (SALT_SIZE+ESEGMENT_SIZE))
- keybuf[SEGMENT_SIZE] = '\0'; /* terminate password early(?) */
-
- keylen = strlen(keybuf);
-
- if (!keylen) {
- n_seg = 1;
- } else {
- /* work out how many segments */
- n_seg = 1 + ((keylen-1)/SEGMENT_SIZE);
- }
-
- if (n_seg > MAX_PASS_LEN)
- n_seg = MAX_PASS_LEN; /* truncate at max length */
-
- /* set up some pointers */
- cipher_ptr = dec_c2_cryptbuf;
- plaintext_ptr = keybuf;
-
- /* do the first block with supplied salt */
- tmp_ptr = crypt(plaintext_ptr,salt); /* libc crypt() */
-
- /* and place in the static area */
- strncpy(cipher_ptr, tmp_ptr, 13);
- cipher_ptr += ESEGMENT_SIZE + SALT_SIZE;
- plaintext_ptr += SEGMENT_SIZE; /* first block of SEGMENT_SIZE */
-
- /* change the salt (1st 2 chars of previous block) - this was found
- by dowsing */
-
- salt_ptr = cipher_ptr - ESEGMENT_SIZE;
-
- /* so far this is identical to "return crypt(key, salt);", if
- there is more than one block encrypt them... */
-
- if (n_seg > 1) {
- for (j=2; j <= n_seg; j++) {
-
- tmp_ptr = crypt(plaintext_ptr, salt_ptr);
-
- /* skip the salt for seg!=0 */
- strncpy(cipher_ptr, (tmp_ptr+SALT_SIZE), ESEGMENT_SIZE);
-
- cipher_ptr += ESEGMENT_SIZE;
- plaintext_ptr += SEGMENT_SIZE;
- salt_ptr = cipher_ptr - ESEGMENT_SIZE;
- }
- }
-
- D(("key=|%s|, salt=|%s|\nbuf=|%s|\n", key, salt, dec_c2_cryptbuf));
-
- /* this is the <NUL> terminated encrypted password */
-
- return dec_c2_cryptbuf;
-}
diff --git a/modules/pam_pwdb/md5.c b/modules/pam_pwdb/md5.c
deleted file mode 100644
index 335908df..00000000
--- a/modules/pam_pwdb/md5.c
+++ /dev/null
@@ -1,255 +0,0 @@
-/* $Id$
- *
- * This code implements the MD5 message-digest algorithm.
- * The algorithm is due to Ron Rivest. This code was
- * written by Colin Plumb in 1993, no copyright is claimed.
- * This code is in the public domain; do with it what you wish.
- *
- * Equivalent code is available from RSA Data Security, Inc.
- * This code has been tested against that, and is equivalent,
- * except that you don't need to include two pages of legalese
- * with every copy.
- *
- * To compute the message digest of a chunk of bytes, declare an
- * MD5Context structure, pass it to MD5Init, call MD5Update as
- * needed on buffers full of bytes, and then call MD5Final, which
- * will fill a supplied 16-byte array with the digest.
- *
- */
-
-#include <string.h>
-#include "md5.h"
-
-#ifndef HIGHFIRST
-#define byteReverse(buf, len) /* Nothing */
-#else
-static void byteReverse(unsigned char *buf, unsigned longs);
-
-#ifndef ASM_MD5
-/*
- * Note: this code is harmless on little-endian machines.
- */
-static void byteReverse(unsigned char *buf, unsigned longs)
-{
- uint32 t;
- do {
- t = (uint32) ((unsigned) buf[3] << 8 | buf[2]) << 16 |
- ((unsigned) buf[1] << 8 | buf[0]);
- *(uint32 *) buf = t;
- buf += 4;
- } while (--longs);
-}
-#endif
-#endif
-
-/*
- * Start MD5 accumulation. Set bit count to 0 and buffer to mysterious
- * initialization constants.
- */
-void MD5Name(MD5Init)(struct MD5Context *ctx)
-{
- ctx->buf[0] = 0x67452301U;
- ctx->buf[1] = 0xefcdab89U;
- ctx->buf[2] = 0x98badcfeU;
- ctx->buf[3] = 0x10325476U;
-
- ctx->bits[0] = 0;
- ctx->bits[1] = 0;
-}
-
-/*
- * Update context to reflect the concatenation of another buffer full
- * of bytes.
- */
-void MD5Name(MD5Update)(struct MD5Context *ctx, unsigned const char *buf, unsigned len)
-{
- uint32 t;
-
- /* Update bitcount */
-
- t = ctx->bits[0];
- if ((ctx->bits[0] = t + ((uint32) len << 3)) < t)
- ctx->bits[1]++; /* Carry from low to high */
- ctx->bits[1] += len >> 29;
-
- t = (t >> 3) & 0x3f; /* Bytes already in shsInfo->data */
-
- /* Handle any leading odd-sized chunks */
-
- if (t) {
- unsigned char *p = (unsigned char *) ctx->in + t;
-
- t = 64 - t;
- if (len < t) {
- memcpy(p, buf, len);
- return;
- }
- memcpy(p, buf, t);
- byteReverse(ctx->in, 16);
- MD5Name(MD5Transform)(ctx->buf, (uint32 *) ctx->in);
- buf += t;
- len -= t;
- }
- /* Process data in 64-byte chunks */
-
- while (len >= 64) {
- memcpy(ctx->in, buf, 64);
- byteReverse(ctx->in, 16);
- MD5Name(MD5Transform)(ctx->buf, (uint32 *) ctx->in);
- buf += 64;
- len -= 64;
- }
-
- /* Handle any remaining bytes of data. */
-
- memcpy(ctx->in, buf, len);
-}
-
-/*
- * Final wrapup - pad to 64-byte boundary with the bit pattern
- * 1 0* (64-bit count of bits processed, MSB-first)
- */
-void MD5Name(MD5Final)(unsigned char digest[16], struct MD5Context *ctx)
-{
- unsigned count;
- unsigned char *p;
-
- /* Compute number of bytes mod 64 */
- count = (ctx->bits[0] >> 3) & 0x3F;
-
- /* Set the first char of padding to 0x80. This is safe since there is
- always at least one byte free */
- p = ctx->in + count;
- *p++ = 0x80;
-
- /* Bytes of padding needed to make 64 bytes */
- count = 64 - 1 - count;
-
- /* Pad out to 56 mod 64 */
- if (count < 8) {
- /* Two lots of padding: Pad the first block to 64 bytes */
- memset(p, 0, count);
- byteReverse(ctx->in, 16);
- MD5Name(MD5Transform)(ctx->buf, (uint32 *) ctx->in);
-
- /* Now fill the next block with 56 bytes */
- memset(ctx->in, 0, 56);
- } else {
- /* Pad block to 56 bytes */
- memset(p, 0, count - 8);
- }
- byteReverse(ctx->in, 14);
-
- /* Append length in bits and transform */
- ((uint32 *) ctx->in)[14] = ctx->bits[0];
- ((uint32 *) ctx->in)[15] = ctx->bits[1];
-
- MD5Name(MD5Transform)(ctx->buf, (uint32 *) ctx->in);
- byteReverse((unsigned char *) ctx->buf, 4);
- memcpy(digest, ctx->buf, 16);
- memset(ctx, 0, sizeof(ctx)); /* In case it's sensitive */
-}
-
-#ifndef ASM_MD5
-
-/* The four core functions - F1 is optimized somewhat */
-
-/* #define F1(x, y, z) (x & y | ~x & z) */
-#define F1(x, y, z) (z ^ (x & (y ^ z)))
-#define F2(x, y, z) F1(z, x, y)
-#define F3(x, y, z) (x ^ y ^ z)
-#define F4(x, y, z) (y ^ (x | ~z))
-
-/* This is the central step in the MD5 algorithm. */
-#define MD5STEP(f, w, x, y, z, data, s) \
- ( w += f(x, y, z) + data, w = w<<s | w>>(32-s), w += x )
-
-/*
- * The core of the MD5 algorithm, this alters an existing MD5 hash to
- * reflect the addition of 16 longwords of new data. MD5Update blocks
- * the data and converts bytes into longwords for this routine.
- */
-void MD5Name(MD5Transform)(uint32 buf[4], uint32 const in[16])
-{
- register uint32 a, b, c, d;
-
- a = buf[0];
- b = buf[1];
- c = buf[2];
- d = buf[3];
-
- MD5STEP(F1, a, b, c, d, in[0] + 0xd76aa478U, 7);
- MD5STEP(F1, d, a, b, c, in[1] + 0xe8c7b756U, 12);
- MD5STEP(F1, c, d, a, b, in[2] + 0x242070dbU, 17);
- MD5STEP(F1, b, c, d, a, in[3] + 0xc1bdceeeU, 22);
- MD5STEP(F1, a, b, c, d, in[4] + 0xf57c0fafU, 7);
- MD5STEP(F1, d, a, b, c, in[5] + 0x4787c62aU, 12);
- MD5STEP(F1, c, d, a, b, in[6] + 0xa8304613U, 17);
- MD5STEP(F1, b, c, d, a, in[7] + 0xfd469501U, 22);
- MD5STEP(F1, a, b, c, d, in[8] + 0x698098d8U, 7);
- MD5STEP(F1, d, a, b, c, in[9] + 0x8b44f7afU, 12);
- MD5STEP(F1, c, d, a, b, in[10] + 0xffff5bb1U, 17);
- MD5STEP(F1, b, c, d, a, in[11] + 0x895cd7beU, 22);
- MD5STEP(F1, a, b, c, d, in[12] + 0x6b901122U, 7);
- MD5STEP(F1, d, a, b, c, in[13] + 0xfd987193U, 12);
- MD5STEP(F1, c, d, a, b, in[14] + 0xa679438eU, 17);
- MD5STEP(F1, b, c, d, a, in[15] + 0x49b40821U, 22);
-
- MD5STEP(F2, a, b, c, d, in[1] + 0xf61e2562U, 5);
- MD5STEP(F2, d, a, b, c, in[6] + 0xc040b340U, 9);
- MD5STEP(F2, c, d, a, b, in[11] + 0x265e5a51U, 14);
- MD5STEP(F2, b, c, d, a, in[0] + 0xe9b6c7aaU, 20);
- MD5STEP(F2, a, b, c, d, in[5] + 0xd62f105dU, 5);
- MD5STEP(F2, d, a, b, c, in[10] + 0x02441453U, 9);
- MD5STEP(F2, c, d, a, b, in[15] + 0xd8a1e681U, 14);
- MD5STEP(F2, b, c, d, a, in[4] + 0xe7d3fbc8U, 20);
- MD5STEP(F2, a, b, c, d, in[9] + 0x21e1cde6U, 5);
- MD5STEP(F2, d, a, b, c, in[14] + 0xc33707d6U, 9);
- MD5STEP(F2, c, d, a, b, in[3] + 0xf4d50d87U, 14);
- MD5STEP(F2, b, c, d, a, in[8] + 0x455a14edU, 20);
- MD5STEP(F2, a, b, c, d, in[13] + 0xa9e3e905U, 5);
- MD5STEP(F2, d, a, b, c, in[2] + 0xfcefa3f8U, 9);
- MD5STEP(F2, c, d, a, b, in[7] + 0x676f02d9U, 14);
- MD5STEP(F2, b, c, d, a, in[12] + 0x8d2a4c8aU, 20);
-
- MD5STEP(F3, a, b, c, d, in[5] + 0xfffa3942U, 4);
- MD5STEP(F3, d, a, b, c, in[8] + 0x8771f681U, 11);
- MD5STEP(F3, c, d, a, b, in[11] + 0x6d9d6122U, 16);
- MD5STEP(F3, b, c, d, a, in[14] + 0xfde5380cU, 23);
- MD5STEP(F3, a, b, c, d, in[1] + 0xa4beea44U, 4);
- MD5STEP(F3, d, a, b, c, in[4] + 0x4bdecfa9U, 11);
- MD5STEP(F3, c, d, a, b, in[7] + 0xf6bb4b60U, 16);
- MD5STEP(F3, b, c, d, a, in[10] + 0xbebfbc70U, 23);
- MD5STEP(F3, a, b, c, d, in[13] + 0x289b7ec6U, 4);
- MD5STEP(F3, d, a, b, c, in[0] + 0xeaa127faU, 11);
- MD5STEP(F3, c, d, a, b, in[3] + 0xd4ef3085U, 16);
- MD5STEP(F3, b, c, d, a, in[6] + 0x04881d05U, 23);
- MD5STEP(F3, a, b, c, d, in[9] + 0xd9d4d039U, 4);
- MD5STEP(F3, d, a, b, c, in[12] + 0xe6db99e5U, 11);
- MD5STEP(F3, c, d, a, b, in[15] + 0x1fa27cf8U, 16);
- MD5STEP(F3, b, c, d, a, in[2] + 0xc4ac5665U, 23);
-
- MD5STEP(F4, a, b, c, d, in[0] + 0xf4292244U, 6);
- MD5STEP(F4, d, a, b, c, in[7] + 0x432aff97U, 10);
- MD5STEP(F4, c, d, a, b, in[14] + 0xab9423a7U, 15);
- MD5STEP(F4, b, c, d, a, in[5] + 0xfc93a039U, 21);
- MD5STEP(F4, a, b, c, d, in[12] + 0x655b59c3U, 6);
- MD5STEP(F4, d, a, b, c, in[3] + 0x8f0ccc92U, 10);
- MD5STEP(F4, c, d, a, b, in[10] + 0xffeff47dU, 15);
- MD5STEP(F4, b, c, d, a, in[1] + 0x85845dd1U, 21);
- MD5STEP(F4, a, b, c, d, in[8] + 0x6fa87e4fU, 6);
- MD5STEP(F4, d, a, b, c, in[15] + 0xfe2ce6e0U, 10);
- MD5STEP(F4, c, d, a, b, in[6] + 0xa3014314U, 15);
- MD5STEP(F4, b, c, d, a, in[13] + 0x4e0811a1U, 21);
- MD5STEP(F4, a, b, c, d, in[4] + 0xf7537e82U, 6);
- MD5STEP(F4, d, a, b, c, in[11] + 0xbd3af235U, 10);
- MD5STEP(F4, c, d, a, b, in[2] + 0x2ad7d2bbU, 15);
- MD5STEP(F4, b, c, d, a, in[9] + 0xeb86d391U, 21);
-
- buf[0] += a;
- buf[1] += b;
- buf[2] += c;
- buf[3] += d;
-}
-
-#endif
diff --git a/modules/pam_pwdb/md5.h b/modules/pam_pwdb/md5.h
deleted file mode 100644
index 75c4dbac..00000000
--- a/modules/pam_pwdb/md5.h
+++ /dev/null
@@ -1,30 +0,0 @@
-#ifndef MD5_H
-#define MD5_H
-
-typedef unsigned int uint32;
-
-struct MD5Context {
- uint32 buf[4];
- uint32 bits[2];
- unsigned char in[64];
-};
-
-void GoodMD5Init(struct MD5Context *);
-void GoodMD5Update(struct MD5Context *, unsigned const char *, unsigned);
-void GoodMD5Final(unsigned char digest[16], struct MD5Context *);
-void GoodMD5Transform(uint32 buf[4], uint32 const in[16]);
-void BrokenMD5Init(struct MD5Context *);
-void BrokenMD5Update(struct MD5Context *, unsigned const char *, unsigned);
-void BrokenMD5Final(unsigned char digest[16], struct MD5Context *);
-void BrokenMD5Transform(uint32 buf[4], uint32 const in[16]);
-
-char *Goodcrypt_md5(const char *pw, const char *salt);
-char *Brokencrypt_md5(const char *pw, const char *salt);
-
-/*
-* This is needed to make RSAREF happy on some MS-DOS compilers.
-*/
-
-typedef struct MD5Context MD5_CTX;
-
-#endif /* MD5_H */
diff --git a/modules/pam_pwdb/md5_broken.c b/modules/pam_pwdb/md5_broken.c
deleted file mode 100644
index 193daebb..00000000
--- a/modules/pam_pwdb/md5_broken.c
+++ /dev/null
@@ -1,4 +0,0 @@
-#define MD5Name(x) Broken##x
-
-#include "md5.c"
-#include "md5_crypt.c"
diff --git a/modules/pam_pwdb/md5_crypt.c b/modules/pam_pwdb/md5_crypt.c
deleted file mode 100644
index 53972fcc..00000000
--- a/modules/pam_pwdb/md5_crypt.c
+++ /dev/null
@@ -1,154 +0,0 @@
-/*
- * $Id$
- *
- * ----------------------------------------------------------------------------
- * "THE BEER-WARE LICENSE" (Revision 42):
- * <phk@login.dknet.dk> wrote this file. As long as you retain this notice you
- * can do whatever you want with this stuff. If we meet some day, and you think
- * this stuff is worth it, you can buy me a beer in return. Poul-Henning Kamp
- * ----------------------------------------------------------------------------
- *
- * Origin: Id: crypt.c,v 1.3 1995/05/30 05:42:22 rgrimes Exp
- *
- */
-
-#include <string.h>
-#include <stdlib.h>
-#include "md5.h"
-
-static unsigned char itoa64[] = /* 0 ... 63 => ascii - 64 */
-"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
-
-static void to64(char *s, unsigned long v, int n)
-{
- while (--n >= 0) {
- *s++ = itoa64[v & 0x3f];
- v >>= 6;
- }
-}
-
-/*
- * UNIX password
- *
- * Use MD5 for what it is best at...
- */
-
-char *MD5Name(crypt_md5)(const char *pw, const char *salt)
-{
- const char *magic = "$1$";
- /* This string is magic for this algorithm. Having
- * it this way, we can get get better later on */
- char *passwd, *p;
- const char *sp, *ep;
- unsigned char final[16];
- int sl, pl, i, j;
- MD5_CTX ctx, ctx1;
- unsigned long l;
-
- /* Refine the Salt first */
- sp = salt;
-
- /* TODO: now that we're using malloc'ed memory, get rid of the
- strange constant buffer size. */
- passwd = malloc(120);
-
- /* If it starts with the magic string, then skip that */
- if (!strncmp(sp, magic, strlen(magic)))
- sp += strlen(magic);
-
- /* It stops at the first '$', max 8 chars */
- for (ep = sp; *ep && *ep != '$' && ep < (sp + 8); ep++)
- continue;
-
- /* get the length of the true salt */
- sl = ep - sp;
-
- MD5Name(MD5Init)(&ctx);
-
- /* The password first, since that is what is most unknown */
- MD5Name(MD5Update)(&ctx,(unsigned const char *)pw,strlen(pw));
-
- /* Then our magic string */
- MD5Name(MD5Update)(&ctx,(unsigned const char *)magic,strlen(magic));
-
- /* Then the raw salt */
- MD5Name(MD5Update)(&ctx,(unsigned const char *)sp,sl);
-
- /* Then just as many characters of the MD5(pw,salt,pw) */
- MD5Name(MD5Init)(&ctx1);
- MD5Name(MD5Update)(&ctx1,(unsigned const char *)pw,strlen(pw));
- MD5Name(MD5Update)(&ctx1,(unsigned const char *)sp,sl);
- MD5Name(MD5Update)(&ctx1,(unsigned const char *)pw,strlen(pw));
- MD5Name(MD5Final)(final,&ctx1);
- for (pl = strlen(pw); pl > 0; pl -= 16)
- MD5Name(MD5Update)(&ctx,(unsigned const char *)final,pl>16 ? 16 : pl);
-
- /* Don't leave anything around in vm they could use. */
- memset(final, 0, sizeof final);
-
- /* Then something really weird... */
- for (j = 0, i = strlen(pw); i; i >>= 1)
- if (i & 1)
- MD5Name(MD5Update)(&ctx, (unsigned const char *)final+j, 1);
- else
- MD5Name(MD5Update)(&ctx, (unsigned const char *)pw+j, 1);
-
- /* Now make the output string */
- strcpy(passwd, magic);
- strncat(passwd, sp, sl);
- strcat(passwd, "$");
-
- MD5Name(MD5Final)(final,&ctx);
-
- /*
- * and now, just to make sure things don't run too fast
- * On a 60 Mhz Pentium this takes 34 msec, so you would
- * need 30 seconds to build a 1000 entry dictionary...
- */
- for (i = 0; i < 1000; i++) {
- MD5Name(MD5Init)(&ctx1);
- if (i & 1)
- MD5Name(MD5Update)(&ctx1,(unsigned const char *)pw,strlen(pw));
- else
- MD5Name(MD5Update)(&ctx1,(unsigned const char *)final,16);
-
- if (i % 3)
- MD5Name(MD5Update)(&ctx1,(unsigned const char *)sp,sl);
-
- if (i % 7)
- MD5Name(MD5Update)(&ctx1,(unsigned const char *)pw,strlen(pw));
-
- if (i & 1)
- MD5Name(MD5Update)(&ctx1,(unsigned const char *)final,16);
- else
- MD5Name(MD5Update)(&ctx1,(unsigned const char *)pw,strlen(pw));
- MD5Name(MD5Final)(final,&ctx1);
- }
-
- p = passwd + strlen(passwd);
-
- l = (final[0] << 16) | (final[6] << 8) | final[12];
- to64(p, l, 4);
- p += 4;
- l = (final[1] << 16) | (final[7] << 8) | final[13];
- to64(p, l, 4);
- p += 4;
- l = (final[2] << 16) | (final[8] << 8) | final[14];
- to64(p, l, 4);
- p += 4;
- l = (final[3] << 16) | (final[9] << 8) | final[15];
- to64(p, l, 4);
- p += 4;
- l = (final[4] << 16) | (final[10] << 8) | final[5];
- to64(p, l, 4);
- p += 4;
- l = final[11];
- to64(p, l, 2);
- p += 2;
- *p = '\0';
-
- /* Don't leave anything around in vm they could use. */
- memset(final, 0, sizeof final);
-
- return passwd;
-}
diff --git a/modules/pam_pwdb/md5_good.c b/modules/pam_pwdb/md5_good.c
deleted file mode 100644
index 131e4516..00000000
--- a/modules/pam_pwdb/md5_good.c
+++ /dev/null
@@ -1,5 +0,0 @@
-#define HIGHFIRST
-#define MD5Name(x) Good##x
-
-#include "md5.c"
-#include "md5_crypt.c"
diff --git a/modules/pam_pwdb/pam_pwdb.c b/modules/pam_pwdb/pam_pwdb.c
deleted file mode 100644
index 31467684..00000000
--- a/modules/pam_pwdb/pam_pwdb.c
+++ /dev/null
@@ -1,251 +0,0 @@
-/*
- * $Id$
- *
- * This is the single file that will be compiled for pam_unix.
- * it includes each of the modules that have beed defined in the .-c
- * files in this directory.
- *
- * It is a little ugly to do it this way, but it is a simple way of
- * defining static functions only once, and yet keeping the separate
- * files modular. If you can think of something better, please email
- * Andrew Morgan <morgan@linux.kernel.org>
- *
- * See the end of this file for Copyright information.
- */
-
-static const char rcsid[] =
-"$Id$\n"
-" - PWDB Pluggable Authentication module. <morgan@linux.kernel.org>"
-;
-
-/* #define DEBUG */
-
-#include "config.h"
-
-#include <sys/types.h>
-#include <stdarg.h>
-#include <stdlib.h>
-#include <stdio.h>
-#include <errno.h>
-#include <string.h>
-#include <syslog.h>
-#include <time.h> /* for time() */
-#include <fcntl.h>
-#include <ctype.h>
-
-#include <sys/time.h>
-#include <unistd.h>
-
-#include <pwdb/pwdb_public.h>
-
-/* indicate the following groups are defined */
-
-#define PAM_SM_AUTH
-#define PAM_SM_ACCOUNT
-#define PAM_SM_SESSION
-#define PAM_SM_PASSWORD
-
-#include <security/_pam_macros.h>
-#include <security/pam_modules.h>
-
-#ifndef LINUX_PAM
-#include <security/pam_appl.h>
-#endif /* LINUX_PAM */
-
-#include "./support.-c"
-
-/*
- * PAM framework looks for these entry-points to pass control to the
- * authentication module.
- */
-
-#include "./pam_unix_auth.-c"
-
-PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags
- , int argc, const char **argv)
-{
- unsigned int ctrl;
- int retval;
-
- D(("called."));
-
- pwdb_start();
- ctrl = set_ctrl(flags, argc, argv);
- retval = _unix_auth( pamh, ctrl );
- pwdb_end();
-
- if ( on(UNIX_LIKE_AUTH, ctrl) ) {
- D(("recording return code for next time [%d]", retval));
- pam_set_data(pamh, "pwdb_setcred_return", (void *) retval, NULL);
- }
-
- D(("done. [%s]", pam_strerror(pamh, retval)));
-
- return retval;
-}
-
-PAM_EXTERN int pam_sm_setcred(pam_handle_t *pamh, int flags
- , int argc, const char **argv)
-{
- unsigned int ctrl;
- int retval;
-
- D(("called."));
-
- pwdb_start();
- ctrl = set_ctrl(flags, argc, argv);
- retval = _unix_set_credentials(pamh, ctrl);
- pwdb_end();
-
- if ( on(UNIX_LIKE_AUTH, ctrl) ) {
- const void *pretval = NULL;
-
- D(("recovering return code from auth call"));
- if ( pam_get_data(pamh, "pwdb_setcred_return", &pretval)
- == PAM_SUCCESS ) {
- retval = (int)(long)pretval;
- D(("recovered data indicates that old retval was %d", retval));
- }
- }
-
- return retval;
-}
-
-/*
- * PAM framework looks for these entry-points to pass control to the
- * account management module.
- */
-
-#include "./pam_unix_acct.-c"
-
-PAM_EXTERN int pam_sm_acct_mgmt(pam_handle_t *pamh, int flags,
- int argc, const char **argv)
-{
- unsigned int ctrl;
- int retval;
-
- D(("called."));
-
- pwdb_start();
- ctrl = set_ctrl(flags, argc, argv);
- retval = _unix_acct_mgmt(pamh, ctrl);
- pwdb_end();
-
- D(("done."));
-
- return retval;
-}
-
-/*
- * PAM framework looks for these entry-points to pass control to the
- * session module.
- */
-
-#include "./pam_unix_sess.-c"
-
-PAM_EXTERN int pam_sm_open_session(pam_handle_t *pamh, int flags,
- int argc, const char **argv)
-{
- unsigned int ctrl;
- int retval;
-
- D(("called."));
-
- pwdb_start();
- ctrl = set_ctrl(flags, argc, argv);
- retval = _unix_open_session(pamh, ctrl);
- pwdb_end();
-
- return retval;
-}
-
-PAM_EXTERN int pam_sm_close_session(pam_handle_t *pamh, int flags,
- int argc, const char **argv)
-{
- unsigned int ctrl;
- int retval;
-
- D(("called."));
-
- pwdb_start();
- ctrl = set_ctrl(flags, argc, argv);
- retval = _unix_close_session(pamh, ctrl);
- pwdb_end();
-
- return retval;
-}
-
-/*
- * PAM framework looks for these entry-points to pass control to the
- * password changing module.
- */
-
-#include "./pam_unix_passwd.-c"
-
-PAM_EXTERN int pam_sm_chauthtok(pam_handle_t *pamh, int flags,
- int argc, const char **argv)
-{
- unsigned int ctrl;
- int retval;
-
- D(("called."));
-
- pwdb_start();
- ctrl = set_ctrl(flags, argc, argv);
- retval = _unix_chauthtok(pamh, ctrl);
- pwdb_end();
-
- D(("done."));
-
- return retval;
-}
-
-/* static module data */
-
-#ifdef PAM_STATIC
-struct pam_module _pam_pwdb_modstruct = {
- "pam_pwdb",
- pam_sm_authenticate,
- pam_sm_setcred,
- pam_sm_acct_mgmt,
- pam_sm_open_session,
- pam_sm_close_session,
- pam_sm_chauthtok
-};
-
-#endif
-
-/*
- * Copyright (c) Andrew G. Morgan, 1996. All rights reserved
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, and the entire permission notice in its entirety,
- * including the disclaimer of warranties.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. The name of the author may not be used to endorse or promote
- * products derived from this software without specific prior
- * written permission.
- *
- * ALTERNATIVELY, this product may be distributed under the terms of
- * the GNU Public License, in which case the provisions of the GPL are
- * required INSTEAD OF the above restrictions. (This clause is
- * necessary due to a potential bad interaction between the GPL and
- * the restrictions contained in a BSD-style copyright.)
- *
- * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
- * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
- * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
- * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
- * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
- * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- */
diff --git a/modules/pam_pwdb/pam_unix_acct.-c b/modules/pam_pwdb/pam_unix_acct.-c
deleted file mode 100644
index 0ee3b3d5..00000000
--- a/modules/pam_pwdb/pam_unix_acct.-c
+++ /dev/null
@@ -1,272 +0,0 @@
-/*
- * $Id$
- *
- * See end of file for copyright information
- */
-
-static const char rcsid_acct[] =
-"$Id$\n"
-" - PAM_PWDB account management <gafton@redhat.com>";
-
-/* the shadow suite has accout managment.. */
-
-static int _shadow_acct_mgmt_exp(pam_handle_t *pamh, unsigned int ctrl,
- const struct pwdb *pw, const char *uname)
-{
- const struct pwdb_entry *pwe = NULL;
- time_t curdays;
- int last_change, max_change;
- int retval;
-
- D(("called."));
-
- /* Now start the checks */
-
- curdays = time(NULL)/(60*60*24); /* today */
-
- /* First: has account expired ? (CG)
- * - expire < curdays
- * - or (last_change + max_change + defer_change) < curdays
- * - in both cases, deny access
- */
-
- D(("pwdb_get_entry"));
- retval = pwdb_get_entry(pw, "expire", &pwe);
- if (retval == PWDB_SUCCESS) {
- int expire;
-
- expire = *( (const int *) pwe->value );
- (void) pwdb_entry_delete(&pwe); /* no longer needed */
-
- if ((curdays > expire) && (expire > 0)) {
-
- _log_err(LOG_NOTICE
- , "acct: account %s has expired (account expired)"
- , uname);
- make_remark(pamh, ctrl, PAM_ERROR_MSG
- , "Your account has expired; "
- "please contact your system administrator");
-
- D(("account expired"));
- return PAM_ACCT_EXPIRED;
- }
- }
-
- D(("pwdb_get_entry"));
- retval = pwdb_get_entry(pw, "last_change", &pwe);
- if ( retval == PWDB_SUCCESS ) {
- last_change = *( (const int *) pwe->value );
- } else {
- last_change = curdays;
- }
- (void) pwdb_entry_delete(&pwe);
-
- D(("pwdb_get_entry"));
- retval = pwdb_get_entry(pw, "max_change", &pwe);
- if ( retval == PWDB_SUCCESS ) {
- max_change = *( (const int *) pwe->value );
- } else {
- max_change = -1;
- }
- (void) pwdb_entry_delete(&pwe);
-
- D(("pwdb_get_entry"));
- retval = pwdb_get_entry(pw, "defer_change", &pwe);
- if (retval == PWDB_SUCCESS) {
- int defer_change;
-
- defer_change = *( (const int *) pwe->value );
- (void) pwdb_entry_delete(&pwe);
-
- if ((curdays > (last_change + max_change + defer_change))
- && (max_change != -1) && (defer_change != -1)
- && (last_change > 0)) {
-
- if ( on(UNIX_DEBUG, ctrl) ) {
- _log_err(LOG_NOTICE, "acct: account %s has expired "
- "(failed to change password)", uname);
- }
- make_remark(pamh, ctrl, PAM_ERROR_MSG
- , "Your password has expired; "
- "please see your system administrator");
-
- D(("account expired2"));
- return PAM_ACCT_EXPIRED;
- }
- }
-
- /* Now test if the password is expired, but the user still can
- * change their password. (CG)
- * - last_change = 0
- * - last_change + max_change < curdays
- */
-
- D(("when was the last change"));
- if (last_change == 0) {
-
- if ( on(UNIX_DEBUG, ctrl) ) {
- _log_err(LOG_NOTICE
- , "acct: expired password for user %s (root enforced)"
- , uname);
- }
- make_remark(pamh, ctrl, PAM_ERROR_MSG
- , "You are required to change your password immediately"
- );
-
- D(("need a new password"));
- return PAM_NEW_AUTHTOK_REQD;
- }
-
- if (((last_change + max_change) < curdays) &&
- (max_change < 99999) && (max_change > 0)) {
-
- if ( on(UNIX_DEBUG, ctrl) ) {
- _log_err(LOG_DEBUG
- , "acct: expired password for user %s (password aged)"
- , uname);
- }
- make_remark(pamh, ctrl, PAM_ERROR_MSG
- , "Your password has expired; please change it!");
-
- D(("need a new password 2"));
- return PAM_NEW_AUTHTOK_REQD;
- }
-
- /*
- * Now test if the password is about to expire (CG)
- * - last_change + max_change - curdays <= warn_change
- */
-
- retval = pwdb_get_entry(pw, "warn_change", &pwe);
- if ( retval == PWDB_SUCCESS ) {
- int warn_days, daysleft;
-
- daysleft = last_change + max_change - curdays;
- warn_days = *((const int *) pwe->value);
- (void) pwdb_entry_delete(&pwe);
-
- if ((daysleft <= warn_days) && (warn_days > 0)) {
- char *s;
-
- if ( on(UNIX_DEBUG, ctrl) ) {
- _log_err(LOG_DEBUG
- , "acct: password for user %s will expire in %d days"
- , uname, daysleft);
- }
-
-#define LocalComment "Warning: your password will expire in %d day%s"
- if ((s = (char *) malloc(30+sizeof(LocalComment))) == NULL) {
- _log_err(LOG_CRIT, "malloc failure in " __FILE__);
- retval = PAM_BUF_ERR;
- } else {
-
- sprintf(s, LocalComment, daysleft, daysleft == 1 ? "":"s");
-
- make_remark(pamh, ctrl, PAM_TEXT_INFO, s);
- free(s);
- }
-#undef LocalComment
- }
- } else {
- retval = PAM_SUCCESS;
- }
-
- D(("all done"));
- return retval;
-}
-
-
-/*
- * this function checks for the account details. The user may not be
- * permitted to log in at this time etc.. Within the context of
- * vanilla Unix, this function simply does nothing. The shadow suite
- * added password/account expiry, but PWDB takes care of this
- * transparently.
- */
-
-static int _unix_acct_mgmt(pam_handle_t *pamh, unsigned int ctrl)
-{
- const struct pwdb *pw = NULL;
-
- char *uname=NULL;
- int retval;
-
- D(("called."));
-
- /* identify user */
-
- retval = pam_get_item(pamh,PAM_USER,(const void **)&uname);
- D(("user = `%s'", uname));
- if (retval != PAM_SUCCESS || uname == NULL) {
- _log_err(LOG_ALERT
- , "acct; could not identify user (from uid=%d)"
- , getuid());
- return PAM_USER_UNKNOWN;
- }
-
- /* get database information for user */
-
- retval = pwdb_locate("user", PWDB_DEFAULT, uname, PWDB_ID_UNKNOWN, &pw);
- if (retval != PWDB_SUCCESS || pw == NULL) {
-
- _log_err(LOG_ALERT, "acct; %s (%s from uid=%d)"
- , pwdb_strerror(retval), uname, getuid());
- if ( pw ) {
- (void) pwdb_delete(&pw);
- }
- return PAM_USER_UNKNOWN;
- }
-
- /* now check the user's times etc.. */
-
- retval = _shadow_acct_mgmt_exp(pamh, ctrl, pw, uname);
- if (retval != PAM_SUCCESS) {
- _log_err(LOG_NOTICE, "expiry check failed for '%s'", uname);
- }
-
- /* Done with pw */
-
- (void) pwdb_delete(&pw);
-
- /* all done */
-
- D(("done."));
- return retval;
-}
-
-/*
- * Copyright (c) Elliot Lee, 1996.
- * Copyright (c) Andrew Morgan <morgan@parc.power.net> 1996.
- * Copyright (c) Cristian Gafton <gafton@redhat.com> 1996.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, and the entire permission notice in its entirety,
- * including the disclaimer of warranties.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. The name of the author may not be used to endorse or promote
- * products derived from this software without specific prior
- * written permission.
- *
- * ALTERNATIVELY, this product may be distributed under the terms of
- * the GNU Public License, in which case the provisions of the GPL are
- * required INSTEAD OF the above restrictions. (This clause is
- * necessary due to a potential bad interaction between the GPL and
- * the restrictions contained in a BSD-style copyright.)
- *
- * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
- * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
- * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
- * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
- * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
- * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- */
diff --git a/modules/pam_pwdb/pam_unix_auth.-c b/modules/pam_pwdb/pam_unix_auth.-c
deleted file mode 100644
index e4dfe136..00000000
--- a/modules/pam_pwdb/pam_unix_auth.-c
+++ /dev/null
@@ -1,131 +0,0 @@
-/*
- * $Id$
- *
- * See end of file for Copyright information.
- */
-
-static const char rcsid_auth[] =
-"$Id$: pam_unix_auth.-c,v 1.2 1996/09/05 06:46:53 morgan Exp morgan $\n"
-" - PAM_PWDB authentication functions. <morgan@parc.power.net>";
-
-/*
- * _unix_auth() is a front-end for UNIX/shadow authentication
- *
- * First, obtain the password from the user. Then use a
- * routine in 'support.-c' to authenticate the user.
- */
-
-#define _UNIX_AUTHTOK "-UN*X-PASS"
-
-static int _unix_auth(pam_handle_t *pamh, unsigned int ctrl)
-{
- int retval;
- const char *name, *p;
-
- D(("called."));
-
- /* get the user'name' */
-
- retval = _unix_get_user(pamh, ctrl, NULL, &name);
- if (retval != PAM_SUCCESS ) {
- if (retval != PAM_CONV_AGAIN) {
- if ( on(UNIX_DEBUG,ctrl) ) {
- _log_err(LOG_DEBUG, "auth could not identify user");
- }
- } else {
- D(("pam_get_user/conv() function is not ready yet"));
- /* it is safe to resume this function so we translate this
- retval to the value that indicates we're happy to resume. */
- retval = PAM_INCOMPLETE;
- }
- return retval;
- }
-
- /* if this user does not have a password... */
-
- if ( _unix_blankpasswd(ctrl, name) ) {
- D(("user '%s' has blank passwd", name));
- name = NULL;
- return PAM_SUCCESS;
- }
-
- /* get this user's authentication token */
-
- retval = _unix_read_password(pamh, ctrl, NULL, "Password: ", NULL
- , _UNIX_AUTHTOK, &p);
- if (retval != PAM_SUCCESS) {
- if (retval != PAM_CONV_AGAIN) {
- _log_err(LOG_CRIT, "auth could not identify password for [%s]"
- , name);
- } else {
- D(("conversation function is not ready yet"));
- /* it is safe to resume this function so we translate this
- retval to the value that indicates we're happy to resume. */
- retval = PAM_INCOMPLETE;
- }
- name = NULL;
- return retval;
- }
- D(("user=%s, password=[%s]", name, p));
-
- /* verify the password of this user */
- retval = _unix_verify_password(pamh, name, p, ctrl);
- name = p = NULL;
-
- D(("done [%d]", retval));
-
- return retval;
-}
-
-/*
- * This function is for setting unix credentials. Sun has indicated
- * that there are *NO* authentication credentials for unix. The
- * obvious credentials would be the group membership of the user as
- * listed in the /etc/group file. However, Sun indicates that it is
- * the responsibility of the application to set these.
- */
-
-static int _unix_set_credentials(pam_handle_t *pamh, unsigned int ctrl)
-{
- D(("called <empty function> returning."));
-
- return PAM_SUCCESS;
-}
-
-/********************************************************************
- * Copyright (c) Alexander O. Yuriev, 1996.
- * Copyright (c) Andrew G. Morgan <morgan@parc.power.net> 1996
- * Copyright (c) Cristian Gafton <gafton@redhat.com> 1996, 1997
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, and the entire permission notice in its entirety,
- * including the disclaimer of warranties.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. The name of the author may not be used to endorse or promote
- * products derived from this software without specific prior
- * written permission.
- *
- * ALTERNATIVELY, this product may be distributed under the terms of
- * the GNU Public License, in which case the provisions of the GPL are
- * required INSTEAD OF the above restrictions. (This clause is
- * necessary due to a potential bad interaction between the GPL and
- * the restrictions contained in a BSD-style copyright.)
- *
- * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
- * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
- * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
- * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
- * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
- * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
diff --git a/modules/pam_pwdb/pam_unix_md.-c b/modules/pam_pwdb/pam_unix_md.-c
deleted file mode 100644
index 65476732..00000000
--- a/modules/pam_pwdb/pam_unix_md.-c
+++ /dev/null
@@ -1,73 +0,0 @@
-/*
- * This function is a front-end for the message digest algorithms used
- * to compute the user's encrypted passwords. No reversible encryption
- * is used here and I intend to keep it that way.
- *
- * While there are many sources of encryption outside the United
- * States, it *may* be illegal to re-export reversible encryption
- * computer code. Until such time as it is legal to export encryption
- * software freely from the US, please do not send me any. (AGM)
- */
-
-/* this should have been defined in a header file.. Why wasn't it? AGM */
-extern char *crypt(const char *key, const char *salt);
-
-#include "md5.h"
-#include "bigcrypt.-c"
-
-struct cfns {
- const char *salt;
- int len;
- char * (* mdfn)(const char *key, const char *salt);
-};
-
-/* array of non-standard digest algorithms available */
-
-#define N_MDS 1
-const static struct cfns cfn_list[N_MDS] = {
- { "$1$", 3, Goodcrypt_md5 },
-};
-
-static char *_pam_md(const char *key, const char *salt)
-{
- char *x,*e=NULL;
- int i;
-
- D(("called with key='%s', salt='%s'", key, salt));
-
- /* check for non-standard salts */
-
- for (i=0; i<N_MDS; ++i) {
- if ( !strncmp(cfn_list[i].salt, salt, cfn_list[i].len) ) {
- e = cfn_list[i].mdfn(key, salt);
- break;
- }
- }
-
- if ( i >= N_MDS ) {
- e = bigcrypt(key, salt); /* (defaults to standard algorithm) */
- }
-
- x = x_strdup(e); /* put e in malloc()ed memory */
- _pam_overwrite(e); /* clean up */
- return x; /* this must be deleted elsewhere */
-}
-
-#ifndef PWDB_NO_MD_COMPAT
-static char *_pam_md_compat(const char *key, const char *salt)
-{
- char *x,*e=NULL;
-
- D(("called with key='%s', salt='%s'", key, salt));
-
- if ( !strncmp("$1$", salt, 3) ) {
- e = Brokencrypt_md5(key, salt);
- x = x_strdup(e); /* put e in malloc()ed memory */
- _pam_overwrite(e); /* clean up */
- } else {
- x = x_strdup(""); /* called from only one place so this is safe */
- }
-
- return x; /* this must be deleted elsewhere */
-}
-#endif /* PWDB_NO_MD_COMPAT */
diff --git a/modules/pam_pwdb/pam_unix_passwd.-c b/modules/pam_pwdb/pam_unix_passwd.-c
deleted file mode 100644
index 0949af7f..00000000
--- a/modules/pam_pwdb/pam_unix_passwd.-c
+++ /dev/null
@@ -1,373 +0,0 @@
-/* $Id$ */
-
-static const char rcsid_pass[] =
-"$Id$\n"
-" - PAM_PWDB password module <morgan@parc.power.net>"
-;
-
-#include "pam_unix_pwupd.-c"
-
-/* passwd/salt conversion macros */
-
-#define ascii_to_bin(c) ((c)>='a'?(c-59):(c)>='A'?((c)-53):(c)-'.')
-#define bin_to_ascii(c) ((c)>=38?((c)-38+'a'):(c)>=12?((c)-12+'A'):(c)+'.')
-
-/* data tokens */
-
-#define _UNIX_OLD_AUTHTOK "-UN*X-OLD-PASS"
-#define _UNIX_NEW_AUTHTOK "-UN*X-NEW-PASS"
-
-/* Implementation */
-
-/*
- * i64c - convert an integer to a radix 64 character
- */
-static int i64c(int i)
-{
- if (i < 0)
- return ('.');
- else if (i > 63)
- return ('z');
- if (i == 0)
- return ('.');
- if (i == 1)
- return ('/');
- if (i >= 2 && i <= 11)
- return ('0' - 2 + i);
- if (i >= 12 && i <= 37)
- return ('A' - 12 + i);
- if (i >= 38 && i <= 63)
- return ('a' - 38 + i);
- return ('\0');
-}
-
-/*
- * FUNCTION: _pam_unix_chauthtok()
- *
- * this function works in two passes. The first, when UNIX__PRELIM is
- * set, obtains the previous password. It sets the PAM_OLDAUTHTOK item
- * or stores it as a data item. The second function obtains a new
- * password (verifying if necessary, that the user types it the same a
- * second time.) depending on the 'ctrl' flags this new password may
- * be stored in the PAM_AUTHTOK item or a private data item.
- *
- * Having obtained a new password. The function updates the
- * /etc/passwd (and optionally the /etc/shadow) file(s).
- *
- * Provision is made for the creation of a blank shadow file if none
- * is available, but one is required to update the shadow file -- the
- * intention being for shadow passwords to be seamlessly implemented
- * from the generic UNIX scheme. -- THIS BIT IS PRE-ALPHA.. and included
- * in this release (.52) mostly for the purpose of discussion.
- */
-
-static int _unix_chauthtok(pam_handle_t *pamh, unsigned int ctrl)
-{
- int retval;
- unsigned int lctrl;
-
- /* <DO NOT free() THESE> */
- const char *user;
- const char *pass_old, *pass_new;
- /* </DO NOT free() THESE> */
-
- D(("called"));
-
- /*
- * First get the name of a user
- */
-
- retval = _unix_get_user( pamh, ctrl, "Username: ", &user );
- if ( retval != PAM_SUCCESS ) {
- if ( on(UNIX_DEBUG,ctrl) ) {
- _log_err(LOG_DEBUG, "password - could not identify user");
- }
- return retval;
- }
-
- if ( on(UNIX__PRELIM, ctrl) ) {
- /*
- * obtain and verify the current password (OLDAUTHTOK) for
- * the user.
- */
-
- char *Announce;
-
- D(("prelim check"));
-
- if ( _unix_blankpasswd(ctrl, user) ) {
-
- return PAM_SUCCESS;
-
- } else if ( off(UNIX__IAMROOT, ctrl) ) {
-
- /* instruct user what is happening */
-#define greeting "Changing password for "
- Announce = (char *) malloc(sizeof(greeting)+strlen(user));
- if (Announce == NULL) {
- _log_err(LOG_CRIT, "password - out of memory");
- return PAM_BUF_ERR;
- }
- (void) strcpy(Announce, greeting);
- (void) strcpy(Announce+sizeof(greeting)-1, user);
-#undef greeting
-
- lctrl = ctrl;
- set(UNIX__OLD_PASSWD, lctrl);
- retval = _unix_read_password( pamh, lctrl
- , Announce
- , "(current) UNIX password: "
- , NULL
- , _UNIX_OLD_AUTHTOK
- , &pass_old );
- free(Announce);
-
- if ( retval != PAM_SUCCESS ) {
- _log_err(LOG_NOTICE
- , "password - (old) token not obtained");
- return retval;
- }
-
- /* verify that this is the password for this user */
-
- retval = _unix_verify_password(pamh, user, pass_old, ctrl);
- } else {
- D(("process run by root so do nothing this time around"));
- pass_old = NULL;
- retval = PAM_SUCCESS; /* root doesn't have too */
- }
-
- if ( retval != PAM_SUCCESS ) {
- D(("Authentication failed"));
- pass_old = NULL;
- return retval;
- }
-
- retval = pam_set_item(pamh, PAM_OLDAUTHTOK, (const void *) pass_old);
- pass_old = NULL;
- if ( retval != PAM_SUCCESS ) {
- _log_err(LOG_CRIT, "failed to set PAM_OLDAUTHTOK");
- }
-
- } else if ( on( UNIX__UPDATE, ctrl ) ) {
- /* tpass is used below to store the _pam_md() return; it
- * should be _pam_delete()'d. */
-
- char *tpass=NULL;
-
- /*
- * obtain the proposed password
- */
-
- D(("do update"));
-
- /*
- * get the old token back. NULL was ok only if root [at this
- * point we assume that this has already been enforced on a
- * previous call to this function].
- */
-
- if ( off(UNIX_NOT_SET_PASS, ctrl) ) {
- retval = pam_get_item(pamh, PAM_OLDAUTHTOK
- , (const void **)&pass_old);
- } else {
- retval = pam_get_data(pamh, _UNIX_OLD_AUTHTOK
- , (const void **)&pass_old);
- if (retval == PAM_NO_MODULE_DATA) {
- retval = PAM_SUCCESS;
- pass_old = NULL;
- }
- }
-
- if (retval != PAM_SUCCESS) {
- _log_err(LOG_NOTICE, "user not authenticated");
- return retval;
- }
-
- D(("get new password now"));
-
- lctrl = ctrl;
-
- /*
- * use_authtok is to force the use of a previously entered
- * password -- needed for pluggable password strength checking
- */
-
- if ( on(UNIX_USE_AUTHTOK, lctrl) ) {
- set(UNIX_USE_FIRST_PASS, lctrl);
- }
-
- retval = _unix_read_password( pamh, lctrl
- , NULL
- , "Enter new UNIX password: "
- , "Retype new UNIX password: "
- , _UNIX_NEW_AUTHTOK
- , &pass_new );
-
- if ( retval != PAM_SUCCESS ) {
- if ( on(UNIX_DEBUG,ctrl) ) {
- _log_err(LOG_ALERT
- , "password - new password not obtained");
- }
- pass_old = NULL; /* tidy up */
- return retval;
- }
-
- D(("returned to _unix_chauthtok"));
-
- /*
- * At this point we know who the user is and what they
- * propose as their new password. Verify that the new
- * password is acceptable.
- */
-
- if (pass_new[0] == '\0') { /* "\0" password = NULL */
- pass_new = NULL;
- }
-
- retval = _pam_unix_approve_pass(pamh, ctrl, pass_old, pass_new);
-
- if (retval != PAM_SUCCESS) {
- _log_err(LOG_NOTICE, "new password not acceptable");
- pass_new = pass_old = NULL; /* tidy up */
- return retval;
- }
-
- /*
- * By reaching here we have approved the passwords and must now
- * rebuild the password database file.
- *
- * This includes the fact that the password is _not_ NULL.
- */
-
- /*
- * First we encrypt the new password.
- *
- * XXX - this is where we might need some code for RADIUS types
- * of password handling... no encryption needed..
- */
-
- if ( on(UNIX_MD5_PASS, ctrl) ) {
-
- /*
- * Code lifted from Marek Michalkiewicz's shadow suite. (CG)
- * removed use of static variables (AGM)
- */
-
- struct timeval tv;
- MD5_CTX ctx;
- unsigned char result[16];
- char *cp = (char *)result;
- unsigned char tmp[16];
- int i;
-
- GoodMD5Init(&ctx);
- gettimeofday(&tv, (struct timezone *) 0);
- GoodMD5Update(&ctx, (void *) &tv, sizeof tv);
- i = getpid();
- GoodMD5Update(&ctx, (void *) &i, sizeof i);
- i = clock();
- GoodMD5Update(&ctx, (void *) &i, sizeof i);
- GoodMD5Update(&ctx, result, sizeof result);
- GoodMD5Final(tmp, &ctx);
- strcpy(cp, "$1$"); /* magic for the MD5 */
- cp += strlen(cp);
- for (i = 0; i < 8; i++)
- *cp++ = i64c(tmp[i] & 077);
- *cp = '\0';
-
- /* no longer need cleartext */
- pass_new = tpass = _pam_md(pass_new, (const char *)result);
-
- } else {
- /*
- * Salt manipulation is stolen from Rick Faith's passwd
- * program. Sorry Rick :) -- alex
- */
-
- time_t tm;
- char salt[3];
-
- time(&tm);
- salt[0] = bin_to_ascii(tm & 0x3f);
- salt[1] = bin_to_ascii((tm >> 6) & 0x3f);
- salt[2] = '\0';
-
- if ( off(UNIX_BIGCRYPT, ctrl) && strlen(pass_new) > 8 ) {
- /* to avoid using the _extensions_ of the bigcrypt()
- function we truncate the newly entered password */
- char *temp = malloc(9);
-
- if (temp == NULL) {
- _log_err(LOG_CRIT, "out of memory for password");
- pass_new = pass_old = NULL; /* tidy up */
- return PAM_BUF_ERR;
- }
-
- /* copy first 8 bytes of password */
- strncpy(temp, pass_new, 8);
- temp[8] = '\0';
-
- /* no longer need cleartext */
- pass_new = tpass = _pam_md( temp, salt );
-
- _pam_delete(temp); /* tidy up */
- } else {
- /* no longer need cleartext */
- pass_new = tpass = _pam_md( pass_new, salt );
- }
- }
-
- D(("password processed"));
-
- /* update the password database(s) -- race conditions..? */
-
- retval = unix_update_db(pamh, ctrl, user, pass_old, pass_new);
- pass_old = pass_new = NULL;
-
- } else { /* something has broken with the module */
-
- _log_err(LOG_ALERT, "password received unknown request");
- retval = PAM_ABORT;
-
- }
-
- return retval;
-}
-
-/* ******************************************************************
- * Copyright (c) Alexander O. Yuriev (alex@bach.cis.temple.edu), 1996.
- * Copyright (c) Andrew Morgan <morgan@parc.power.net> 1996, 1997.
- * Copyright (c) Cristian Gafton, <gafton@redhat.com> 1996, 1997.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, and the entire permission notice in its entirety,
- * including the disclaimer of warranties.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. The name of the author may not be used to endorse or promote
- * products derived from this software without specific prior
- * written permission.
- *
- * ALTERNATIVELY, this product may be distributed under the terms of
- * the GNU Public License, in which case the provisions of the GPL are
- * required INSTEAD OF the above restrictions. (This clause is
- * necessary due to a potential bad interaction between the GPL and
- * the restrictions contained in a BSD-style copyright.)
- *
- * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
- * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
- * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
- * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
- * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
- * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- */
diff --git a/modules/pam_pwdb/pam_unix_pwupd.-c b/modules/pam_pwdb/pam_unix_pwupd.-c
deleted file mode 100644
index 0f646369..00000000
--- a/modules/pam_pwdb/pam_unix_pwupd.-c
+++ /dev/null
@@ -1,260 +0,0 @@
-/*
- * $Id$
- *
- * This file contains the routines to update the passwd databases.
- */
-
-/* Implementation */
-
-static int unix_update_db(pam_handle_t *pamh, int ctrl, const char *user,
- const char *pass_old, const char *pass_new)
-{
- const struct pwdb *pw=NULL;
- const struct pwdb_entry *pwe=NULL;
- pwdb_flag flag;
- int retval, i;
-
- D(("called."));
-
- /* obtain default user record */
-
- retval = pwdb_locate("user", PWDB_DEFAULT, user, PWDB_ID_UNKNOWN, &pw);
- if (retval == PWDB_PASS_PHRASE_REQD) {
- retval = pwdb_set_entry(pw, "pass_phrase"
- , pass_old, 1+strlen(pass_old)
- , NULL, NULL, 0);
- if (retval == PWDB_SUCCESS)
- retval = pwdb_locate("user", pw->source, user
- , PWDB_ID_UNKNOWN, &pw);
- }
- pass_old = NULL;
-
- if ( retval != PWDB_SUCCESS ) {
- _log_err(LOG_ALERT, "cannot identify user %s (uid=%d)"
- , user, getuid() );
- pass_new = NULL;
- if (pw)
- (void) pwdb_delete(&pw);
- return PAM_USER_UNKNOWN;
- }
-
- /* check that we can update all of the default databases */
-
- retval = pwdb_flags("user", pw->source, &flag);
-
- if ( retval != PWDB_SUCCESS || ( pwdb_on(flag,PWDB_F_NOUPDATE) ) ) {
- _log_err(LOG_ERR, "cannot update default database for user %s"
- , user );
- pass_new = NULL;
- if (pw)
- (void) pwdb_delete(&pw);
- return PAM_PERM_DENIED;
- }
-
- /* If there was one, we delete the "last_change" entry */
- retval = pwdb_get_entry(pw, "last_change", &pwe);
- if (retval == PWDB_SUCCESS) {
- (void) pwdb_entry_delete(&pwe);
- pwdb_set_entry(pw, "last_change", NULL, -1, NULL, NULL, 0);
- }
-
- /*
- * next check for pam.conf specified databases: shadow etc... [In
- * other words, pam.conf indicates which database the password is
- * to be subsequently placed in: this is password migration].
- */
-
- if ( on(UNIX__SET_DB, ctrl) ) {
- const char *db_token;
- pwdb_type pt = _PWDB_MAX_TYPES;
-
- if ( on(UNIX_UNIX, ctrl) ) {
- db_token = "U"; /* XXX - should be macro */
- pt = PWDB_UNIX;
- } else if ( on(UNIX_SHADOW, ctrl) ) {
- db_token = "x"; /* XXX - should be macro */
- pt = PWDB_SHADOW;
- } else if ( on(UNIX_RADIUS, ctrl) ) {
- db_token = "R"; /* XXX - is this ok? */
- pt = PWDB_RADIUS;
- } else {
- _log_err(LOG_ALERT
- , "cannot determine database to use for authtok");
- pass_new = NULL;
- if (pw)
- (void) pwdb_delete(&pw);
- return PAM_ABORT; /* we're in trouble */
- }
-
- /*
- * Attempt to update the indicated database (only)
- */
-
- {
- pwdb_type tpt[2];
- tpt[0] = pt;
- tpt[1] = _PWDB_MAX_TYPES;
-
- /* Can we set entry in database? */
- retval = pwdb_flags("user", tpt, &flag);
- if (retval == PWDB_SUCCESS && !pwdb_on(flag,PWDB_F_NOUPDATE)) {
- /* YES. This database is available.. */
-
- /* Only update if it is not already in the default list */
- for (i=0; pw->source[i] != _PWDB_MAX_TYPES
- && pw->source[i] != pt ; ++i);
- if (pw->source[i] == _PWDB_MAX_TYPES) {
- const struct pwdb *tpw=NULL;
-
- /* copy database entry */
- if ((retval = pwdb_new(&tpw, 10)) != PWDB_SUCCESS
- || (retval = pwdb_merge(tpw, pw, PWDB_TRUE))
- != PWDB_SUCCESS) {
- _log_err(LOG_CRIT, "failed to obtain new pwdb: %s"
- , pwdb_strerror(retval));
- retval = PAM_ABORT;
- } else
- retval = PAM_SUCCESS;
-
- /* set db_token */
- if (retval == PAM_SUCCESS) {
- retval = pwdb_set_entry(tpw, "defer_pass", db_token
- , 1+strlen(db_token)
- , NULL, NULL, 0);
- if (retval != PWDB_SUCCESS) {
- _log_err(LOG_ALERT, "set defer_pass -> %s"
- , pwdb_strerror(retval));
- retval = PAM_PERM_DENIED;
- } else
- retval = PAM_SUCCESS;
- }
-
- /* update specific database */
- if (retval == PAM_SUCCESS) {
- retval = pwdb_replace("user", tpt
- , user, PWDB_ID_UNKNOWN, &tpw);
- if (retval != PWDB_SUCCESS) {
- const char *service=NULL;
- (void) pam_get_item(pamh, PAM_SERVICE
- , (const void **)&service);
- _log_err(LOG_ALERT
- , "(%s) specified database failed: %s"
- , service
- , pwdb_strerror(retval));
- retval = PAM_PERM_DENIED;
- } else {
- retval = PAM_SUCCESS;
- }
- }
-
- /* clean up temporary pwdb */
- if (tpw)
- (void) pwdb_delete(&tpw);
- }
-
- /* we can properly adopt new defer_pass */
- if (retval == PAM_SUCCESS) {
- /* failing here will mean we go back to former
- password location */
- (void) pwdb_set_entry(pw, "defer_pass", db_token
- , 1+strlen(db_token), NULL, NULL, 0);
- }
- }
- }
- }
-
- /*
- * the password will now be placed in appropriate (perhaps original) db
- */
-
- retval = pwdb_get_entry(pw, "uid", &pwe);
- if (retval != PWDB_SUCCESS) {
- _log_err(LOG_ALERT, "no uid!? (%s); %s", user, pwdb_strerror(retval));
- pass_new = NULL;
- if (pw)
- (void) pwdb_delete(&pw);
- return PAM_USER_UNKNOWN;
- }
-
- /* insert the passwd into the 'pw' structure */
-
- retval = pwdb_set_entry(pw, "passwd", pass_new, 1+strlen(pass_new)
- , NULL, NULL, 0);
- pass_new = NULL;
- if (retval != PWDB_SUCCESS) {
- _log_err(LOG_ALERT, "set2 failed; %s", pwdb_strerror(retval));
- if (pw)
- (void) pwdb_delete(&pw);
- return PAM_AUTHTOK_LOCK_BUSY;
- }
-
- retval = pwdb_replace("user", pw->source, user
- , *((uid_t *)pwe->value), &pw);
- if (retval != PWDB_SUCCESS) {
- _log_err(LOG_ALERT, "user (%s/%d) update failed; %s"
- , user, *((uid_t *)pwe->value), pwdb_strerror(retval));
- if (pw)
- (void) pwdb_delete(&pw);
- (void) pwdb_entry_delete(&pwe);
- return PAM_ABORT;
- }
-
- if (retval != PWDB_SUCCESS) {
-
- _log_err(LOG_ALERT, "user (%s/%d) update failed; %s"
- , user, *((uid_t *)pwe->value), pwdb_strerror(retval));
- retval = PAM_ABORT;
-
- } else {
- /* password updated */
-
- _log_err(LOG_INFO, "password for (%s/%d) changed by (%s/%d)"
- , user, *((uid_t *)pwe->value), getlogin(), getuid());
- retval = PAM_SUCCESS;
- }
-
- /* tidy up */
-
- (void) pwdb_entry_delete(&pwe);
- if (pw)
- (void) pwdb_delete(&pw);
-
- return retval;
-}
-
-/* ******************************************************************
- * Copyright (c) Andrew Morgan <morgan@parc.power.net> 1996,1997.
- * Copyright (c) Cristian Gafton, <gafton@redhat.com> 1996, 1997.
- * All rights reserved
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, and the entire permission notice in its entirety,
- * including the disclaimer of warranties.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. The name of the author may not be used to endorse or promote
- * products derived from this software without specific prior
- * written permission.
- *
- * ALTERNATIVELY, this product may be distributed under the terms of
- * the GNU Public License, in which case the provisions of the GPL are
- * required INSTEAD OF the above restrictions. (This clause is
- * necessary due to a potential bad interaction between the GPL and
- * the restrictions contained in a BSD-style copyright.)
- *
- * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
- * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
- * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
- * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
- * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
- * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- */
diff --git a/modules/pam_pwdb/pam_unix_sess.-c b/modules/pam_pwdb/pam_unix_sess.-c
deleted file mode 100644
index 8f862eae..00000000
--- a/modules/pam_pwdb/pam_unix_sess.-c
+++ /dev/null
@@ -1,98 +0,0 @@
-/*
- * $Id$
- *
- * See end for Copyright information
- */
-
-static const char rcsid_sess[] =
-"$Id$\n"
-" - PAM_PWDB session management. morgan@parc.power.net";
-
-/* Define internal functions */
-
-static int _unix_open_session(pam_handle_t *pamh, unsigned int ctrl)
-{
- int retval;
- char *user_name, *service;
-
- D(("called."));
-
- retval = pam_get_item( pamh, PAM_USER, (void *) &user_name );
- if ( user_name == NULL || retval != PAM_SUCCESS ) {
- _log_err(LOG_CRIT, "open_session - error recovering username");
- return PAM_SESSION_ERR;
- }
-
- retval = pam_get_item( pamh, PAM_SERVICE, (void*) &service );
- if ( service == NULL || retval != PAM_SUCCESS ) {
- _log_err(LOG_CRIT, "open_session - error recovering service");
- return PAM_SESSION_ERR;
- }
-
- _log_err(LOG_INFO, "(%s) session opened for user %s by %s(uid=%d)"
- , service, user_name
- , getlogin() == NULL ? "":getlogin(), getuid() );
-
- return PAM_SUCCESS;
-}
-
-static int _unix_close_session(pam_handle_t *pamh, unsigned int ctrl)
-{
- int retval;
- char *user_name, *service;
-
- D(("called."));
-
- retval = pam_get_item( pamh, PAM_USER, (void*) &user_name );
- if ( user_name == NULL || retval != PAM_SUCCESS ) {
- _log_err(LOG_CRIT, "close_session - error recovering username");
- return PAM_SESSION_ERR;
- }
-
- retval = pam_get_item( pamh, PAM_SERVICE, (void*) &service );
- if ( service == NULL || retval != PAM_SUCCESS ) {
- _log_err(LOG_CRIT, "close_session - error recovering service");
- return PAM_SESSION_ERR;
- }
-
- _log_err(LOG_INFO, "(%s) session closed for user %s"
- , service, user_name );
-
- return PAM_SUCCESS;
-}
-
-/*
- * Copyright (c) Alexander O. Yuriev, 1996. All rights reserved.
- * Copyright (c) Andrew G. Morgan, 1996, <morgan@parc.power.net>
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, and the entire permission notice in its entirety,
- * including the disclaimer of warranties.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. The name of the author may not be used to endorse or promote
- * products derived from this software without specific prior
- * written permission.
- *
- * ALTERNATIVELY, this product may be distributed under the terms of
- * the GNU Public License, in which case the provisions of the GPL are
- * required INSTEAD OF the above restrictions. (This clause is
- * necessary due to a potential bad interaction between the GPL and
- * the restrictions contained in a BSD-style copyright.)
- *
- * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
- * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
- * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
- * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
- * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
- * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- */
diff --git a/modules/pam_pwdb/pwdb_chkpwd.c b/modules/pam_pwdb/pwdb_chkpwd.c
deleted file mode 100644
index a4da0e13..00000000
--- a/modules/pam_pwdb/pwdb_chkpwd.c
+++ /dev/null
@@ -1,221 +0,0 @@
-/*
- * $Id$
- *
- * This program is designed to run setuid(root) or with sufficient
- * privilege to read all of the unix password databases. It is designed
- * to provide a mechanism for the current user (defined by this
- * process' real uid) to verify their own password.
- *
- * The password is read from the standard input. The exit status of
- * this program indicates whether the user is authenticated or not.
- *
- * Copyright information is located at the end of the file.
- *
- */
-
-#include "config.h"
-
-#ifdef MEMORY_DEBUG
-# undef exit
-# undef strdup
-# undef free
-#endif /* MEMORY_DEBUG */
-
-#include <stdarg.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <syslog.h>
-#include <unistd.h>
-
-#include <security/_pam_macros.h>
-
-#define MAXPASS 200 /* the maximum length of a password */
-
-#define UNIX_PASSED (PWDB_SUCCESS)
-#define UNIX_FAILED (PWDB_SUCCESS+1)
-
-#include <pwdb/pwdb_public.h>
-
-/* syslogging function for errors and other information */
-
-static void _log_err(int err, const char *format, ...)
-{
- va_list args;
-
- va_start(args, format);
- openlog("pwdb_chkpwd", LOG_CONS|LOG_PID, LOG_AUTH);
- vsyslog(err, format, args);
- va_end(args);
- closelog();
-}
-
-#define PWDB_NO_MD_COMPAT
-#include "pam_unix_md.-c"
-
-static int _unix_verify_passwd(const char *salt, const char *p)
-{
- char *pp=NULL;
- int retval;
-
- if (p == NULL) {
- if (*salt == '\0') {
- retval = UNIX_PASSED;
- } else {
- retval = UNIX_FAILED;
- }
- } else {
- pp = _pam_md(p, salt);
- p = NULL; /* no longer needed here */
-
- if ( strcmp( pp, salt ) == 0 ) {
- retval = UNIX_PASSED;
- } else {
- retval = UNIX_FAILED;
- }
- }
-
- /* clean up */
- {
- char *tp = pp;
- if (pp != NULL) {
- while(tp && *tp)
- *tp++ = '\0';
- free(pp);
- pp = tp = NULL;
- }
- }
-
- return retval;
-}
-
-int main(int argc, char **argv)
-{
- const struct pwdb *pw=NULL;
- const struct pwdb_entry *pwe=NULL;
- char pass[MAXPASS+1];
- int npass, force_failure=0;
- int retval=UNIX_FAILED;
-
- /*
- * we establish that this program is running with non-tty stdin.
- * this is to discourage casual use. It does *NOT* prevent an
- * intruder from repeatadly running this program to determine the
- * password of the current user (brute force attack, but one for
- * which the attacker must already have gained access to the user's
- * account).
- */
-
- if ( isatty(STDIN_FILENO) ) {
- _log_err(LOG_NOTICE
- , "inappropriate use of PWDB helper binary [UID=%d]"
- , getuid() );
- fprintf(stderr,
- "This program is not designed for running in this way\n"
- "-- the system administrator has been informed\n");
- exit(UNIX_FAILED);
- }
-
- /*
- * determine the current user's name:
- */
-
- retval = pwdb_start();
- if (retval != PWDB_SUCCESS) {
- _log_err(LOG_ALERT, "failed to open pwdb");
- retval = UNIX_FAILED;
- }
- if (retval != UNIX_FAILED) {
- retval = pwdb_locate("user", PWDB_DEFAULT, PWDB_NAME_UNKNOWN,
- getuid(), &pw);
- }
- if (retval != PWDB_SUCCESS) {
- _log_err(LOG_ALERT, "could not identify user");
- while (pwdb_end() != PWDB_SUCCESS);
- exit(UNIX_FAILED);
- }
- if (argc == 2) {
- if (pwdb_get_entry(pw, "user", &pwe) == PWDB_SUCCESS) {
- if (pwe == NULL) {
- force_failure = 1;
- } else {
- if (strcmp((const char *) pwe->value, argv[1])) {
- force_failure = 1;
- }
- pwdb_entry_delete(&pwe);
- }
- }
- }
-
- /* read the password from stdin (a pipe from the pam_pwdb module) */
-
- npass = read(STDIN_FILENO, pass, MAXPASS);
-
- if (npass < 0) { /* is it a valid password? */
- _log_err(LOG_DEBUG, "no password supplied");
- retval = UNIX_FAILED;
- } else if (npass >= MAXPASS-1) {
- _log_err(LOG_DEBUG, "password too long");
- retval = UNIX_FAILED;
- } else if (pwdb_get_entry(pw, "passwd", &pwe) != PWDB_SUCCESS) {
- _log_err(LOG_WARNING, "password not found");
- retval = UNIX_FAILED;
- } else {
- if (npass <= 0) {
- /* the password is NULL */
-
- retval = _unix_verify_passwd((const char *)(pwe->value), NULL);
- } else {
- /* does pass agree with the official one? */
-
- pass[npass] = '\0'; /* NUL terminate */
- retval = _unix_verify_passwd((const char *)(pwe->value), pass);
- }
- }
-
- memset(pass, '\0', MAXPASS); /* clear memory of the password */
- while (pwdb_end() != PWDB_SUCCESS);
-
- if ((retval != UNIX_FAILED) && force_failure) {
- retval = UNIX_FAILED;
- }
-
- /* return pass or fail */
-
- exit(retval);
-}
-
-/*
- * Copyright (c) Andrew G. Morgan, 1997. All rights reserved
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, and the entire permission notice in its entirety,
- * including the disclaimer of warranties.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. The name of the author may not be used to endorse or promote
- * products derived from this software without specific prior
- * written permission.
- *
- * ALTERNATIVELY, this product may be distributed under the terms of
- * the GNU Public License, in which case the provisions of the GPL are
- * required INSTEAD OF the above restrictions. (This clause is
- * necessary due to a potential bad interaction between the GPL and
- * the restrictions contained in a BSD-style copyright.)
- *
- * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
- * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
- * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
- * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
- * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
- * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- */
diff --git a/modules/pam_pwdb/support.-c b/modules/pam_pwdb/support.-c
deleted file mode 100644
index 6ba831e2..00000000
--- a/modules/pam_pwdb/support.-c
+++ /dev/null
@@ -1,960 +0,0 @@
-/*
- * Copyright information at end of file.
- */
-
-/*
- * here is the string to inform the user that the new passwords they
- * typed were not the same.
- */
-
-#define MISTYPED_PASS "Sorry, passwords do not match"
-
-/* type definition for the control options */
-
-typedef struct {
- const char *token;
- unsigned int mask; /* shall assume 32 bits of flags */
- unsigned int flag;
-} UNIX_Ctrls;
-
-/*
- * macro to determine if a given flag is on
- */
-
-#define on(x,ctrl) (unix_args[x].flag & ctrl)
-
-/*
- * macro to determine that a given flag is NOT on
- */
-
-#define off(x,ctrl) (!on(x,ctrl))
-
-/*
- * macro to turn on/off a ctrl flag manually
- */
-
-#define set(x,ctrl) (ctrl = ((ctrl)&unix_args[x].mask)|unix_args[x].flag)
-#define unset(x,ctrl) (ctrl &= ~(unix_args[x].flag))
-
-/* the generic mask */
-
-#define _ALL_ON_ (~0U)
-
-/* end of macro definitions definitions for the control flags */
-
-/* ****************************************************************** *
- * ctrl flags proper..
- */
-
-/*
- * here are the various options recognized by the unix module. They
- * are enumerated here and then defined below. Internal arguments are
- * given NULL tokens.
- */
-
-#define UNIX__OLD_PASSWD 0 /* internal */
-#define UNIX__VERIFY_PASSWD 1 /* internal */
-#define UNIX__IAMROOT 2 /* internal */
-
-#define UNIX_AUDIT 3 /* print more things than debug..
- some information may be sensitive */
-#define UNIX_USE_FIRST_PASS 4
-#define UNIX_TRY_FIRST_PASS 5
-#define UNIX_NOT_SET_PASS 6 /* don't set the AUTHTOK items */
-
-#define UNIX__PRELIM 7 /* internal */
-#define UNIX__UPDATE 8 /* internal */
-#define UNIX__NONULL 9 /* internal */
-#define UNIX__QUIET 10 /* internal */
-#define UNIX_USE_AUTHTOK 11 /* insist on reading PAM_AUTHTOK */
-#define UNIX_SHADOW 12 /* signal shadow on */
-#define UNIX_MD5_PASS 13 /* force the use of MD5 passwords */
-#define UNIX__NULLOK 14 /* Null token ok */
-#define UNIX_RADIUS 15 /* wish to use RADIUS for password */
-#define UNIX__SET_DB 16 /* internal - signals redirect to db */
-#define UNIX_DEBUG 17 /* send more info to syslog(3) */
-#define UNIX_NODELAY 18 /* admin does not want a fail-delay */
-#define UNIX_UNIX 19 /* wish to use /etc/passwd for pwd */
-#define UNIX_BIGCRYPT 20 /* use DEC-C2 crypt()^x function */
-#define UNIX_LIKE_AUTH 21 /* need to auth for setcred to work */
-#define UNIX_NOREAP 22 /* don't reap child process */
-/* -------------- */
-#define UNIX_CTRLS_ 23 /* number of ctrl arguments defined */
-
-
-static const UNIX_Ctrls unix_args[UNIX_CTRLS_] = {
-/* symbol token name ctrl mask ctrl *
- * ------------------ ------------------ -------------- ---------- */
-
-/* UNIX__OLD_PASSWD */ { NULL, _ALL_ON_, 01 },
-/* UNIX__VERIFY_PASSWD */ { NULL, _ALL_ON_, 02 },
-/* UNIX__IAMROOT */ { NULL, _ALL_ON_, 04 },
-/* UNIX_AUDIT */ { "audit", _ALL_ON_, 010 },
-/* UNIX_USE_FIRST_PASS */ { "use_first_pass", _ALL_ON_^(060), 020 },
-/* UNIX_TRY_FIRST_PASS */ { "try_first_pass", _ALL_ON_^(060), 040 },
-/* UNIX_NOT_SET_PASS */ { "not_set_pass", _ALL_ON_, 0100 },
-/* UNIX__PRELIM */ { NULL, _ALL_ON_^(0600), 0200 },
-/* UNIX__UPDATE */ { NULL, _ALL_ON_^(0600), 0400 },
-/* UNIX__NONULL */ { NULL, _ALL_ON_, 01000 },
-/* UNIX__QUIET */ { NULL, _ALL_ON_, 02000 },
-/* UNIX_USE_AUTHTOK */ { "use_authtok", _ALL_ON_, 04000 },
-/* UNIX_SHADOW */ { "shadow", _ALL_ON_^(0140000), 010000 },
-/* UNIX_MD5_PASS */ { "md5", _ALL_ON_^(02000000), 020000 },
-/* UNIX__NULLOK */ { "nullok", _ALL_ON_^(01000), 0 },
-/* UNIX_RADIUS */ { "radius", _ALL_ON_^(0110000), 040000 },
-/* UNIX__SET_DB */ { NULL, _ALL_ON_, 0100000 },
-/* UNIX_DEBUG */ { "debug", _ALL_ON_, 0200000 },
-/* UNIX_NODELAY */ { "nodelay", _ALL_ON_, 0400000 },
-/* UNIX_UNIX */ { "unix", _ALL_ON_^(050000), 01000000 },
-/* UNIX_BIGCRYPT */ { "bigcrypt", _ALL_ON_^(020000), 02000000 },
-/* UNIX_LIKE_AUTH */ { "likeauth", _ALL_ON_, 04000000 },
-/* UNIX_NOREAP */ {"noreap", _ALL_ON_, 010000000 },
-};
-
-#define UNIX_DEFAULTS (unix_args[UNIX__NONULL].flag)
-
-/* syslogging function for errors and other information */
-
-static void _log_err(int err, const char *format, ...)
-{
- va_list args;
-
- va_start(args, format);
- openlog("PAM_pwdb", LOG_CONS|LOG_PID, LOG_AUTH);
- vsyslog(err, format, args);
- va_end(args);
- closelog();
-}
-
-/* this is a front-end for module-application conversations */
-
-static int converse(pam_handle_t *pamh, int ctrl, int nargs
- , struct pam_message **message
- , struct pam_response **response)
-{
- int retval;
- struct pam_conv *conv;
-
- D(("begin to converse"));
-
- retval = pam_get_item( pamh, PAM_CONV, (const void **) &conv ) ;
- if ( retval == PAM_SUCCESS ) {
-
- retval = conv->conv(nargs, ( const struct pam_message ** ) message
- , response, conv->appdata_ptr);
-
- D(("returned from application's conversation function"));
-
- if (retval != PAM_SUCCESS && on(UNIX_DEBUG,ctrl) ) {
- _log_err(LOG_DEBUG, "conversation failure [%s]"
- , pam_strerror(pamh, retval));
- }
-
- } else if (retval != PAM_CONV_AGAIN) {
- _log_err(LOG_ERR, "couldn't obtain coversation function [%s]"
- , pam_strerror(pamh, retval));
- }
-
- D(("ready to return from module conversation"));
-
- return retval; /* propagate error status */
-}
-
-static int make_remark(pam_handle_t *pamh, unsigned int ctrl
- , int type, const char *text)
-{
- int retval=PAM_SUCCESS;
-
- if ( off(UNIX__QUIET, ctrl) ) {
- struct pam_message *pmsg[1], msg[1];
- struct pam_response *resp;
-
- pmsg[0] = &msg[0];
- msg[0].msg = text;
- msg[0].msg_style = type;
-
- resp = NULL;
- retval = converse(pamh, ctrl, 1, pmsg, &resp);
-
- if (resp) {
- _pam_drop_reply(resp, 1);
- }
- }
- return retval;
-}
-
-/*
- * set the control flags for the UNIX module.
- */
-
-static int set_ctrl(int flags, int argc, const char **argv)
-{
- unsigned int ctrl;
-
- D(("called."));
-
- ctrl = UNIX_DEFAULTS; /* the default selection of options */
-
- /* set some flags manually */
-
- if ( getuid() == 0 && !(flags & PAM_CHANGE_EXPIRED_AUTHTOK) ) {
- set(UNIX__IAMROOT, ctrl);
- }
- if ( flags & PAM_UPDATE_AUTHTOK ) {
- set(UNIX__UPDATE, ctrl);
- }
- if ( flags & PAM_PRELIM_CHECK ) {
- set(UNIX__PRELIM, ctrl);
- }
- if ( flags & PAM_DISALLOW_NULL_AUTHTOK ) {
- set(UNIX__NONULL, ctrl);
- }
- if ( flags & PAM_SILENT ) {
- set(UNIX__QUIET, ctrl);
- }
-
- /* now parse the arguments to this module */
-
- while (argc-- > 0) {
- int j;
-
- D(("pam_pwdb arg: %s",*argv));
-
- for (j=0; j<UNIX_CTRLS_; ++j) {
- if (unix_args[j].token
- && ! strcmp(*argv, unix_args[j].token) ) {
- break;
- }
- }
-
- if ( j >= UNIX_CTRLS_ ) {
- _log_err(LOG_ERR, "unrecognized option [%s]",*argv);
- } else {
- ctrl &= unix_args[j].mask; /* for turning things off */
- ctrl |= unix_args[j].flag; /* for turning things on */
- }
-
- ++argv; /* step to next argument */
- }
-
- /* these are used for updating passwords in specific places */
-
- if (on(UNIX_SHADOW,ctrl) || on(UNIX_RADIUS,ctrl) || on(UNIX_UNIX,ctrl)) {
- set(UNIX__SET_DB, ctrl);
- }
-
- /* auditing is a more sensitive version of debug */
-
- if ( on(UNIX_AUDIT,ctrl) ) {
- set(UNIX_DEBUG, ctrl);
- }
-
- /* return the set of flags */
-
- D(("done."));
- return ctrl;
-}
-
-/* use this to free strings. ESPECIALLY password strings */
-
-static char *_pam_delete(register char *xx)
-{
- _pam_overwrite(xx);
- _pam_drop(xx);
- return NULL;
-}
-
-static void _cleanup(pam_handle_t *pamh, void *x, int error_status)
-{
- x = _pam_delete( (char *) x );
-}
-
-/* ************************************************************** *
- * Useful non-trivial functions *
- * ************************************************************** */
-
-#include "pam_unix_md.-c"
-
-/*
- * the following is used to keep track of the number of times a user fails
- * to authenticate themself.
- */
-
-#define FAIL_PREFIX "-UN*X-FAIL-"
-#define UNIX_MAX_RETRIES 3
-
-struct _pam_failed_auth {
- char *user; /* user that's failed to be authenticated */
- char *name; /* attempt from user with name */
- int id; /* uid of name'd user */
- int count; /* number of failures so far */
-};
-
-#ifndef PAM_DATA_REPLACE
-#error "Need to get an updated libpam 0.52 or better"
-#endif
-
-static void _cleanup_failures(pam_handle_t *pamh, void *fl, int err)
-{
- int quiet;
- const char *service=NULL;
- struct _pam_failed_auth *failure;
-
- D(("called"));
-
- quiet = err & PAM_DATA_SILENT; /* should we log something? */
- err &= PAM_DATA_REPLACE; /* are we just replacing data? */
- failure = (struct _pam_failed_auth *) fl;
-
- if ( failure != NULL ) {
-
- if ( !quiet && !err ) { /* under advisement from Sun,may go away */
-
- /* log the number of authentication failures */
- if ( failure->count > 1 ) {
- (void) pam_get_item(pamh, PAM_SERVICE
- , (const void **)&service);
- _log_err(LOG_NOTICE
- , "%d more authentication failure%s; %s(uid=%d) -> "
- "%s for %s service"
- , failure->count-1, failure->count==2 ? "":"s"
- , failure->name
- , failure->id
- , failure->user
- , service == NULL ? "**unknown**":service
- );
- if ( failure->count > UNIX_MAX_RETRIES ) {
- _log_err(LOG_ALERT
- , "service(%s) ignoring max retries; %d > %d"
- , service == NULL ? "**unknown**":service
- , failure->count
- , UNIX_MAX_RETRIES );
- }
- }
- }
- failure->user = _pam_delete(failure->user); /* tidy up */
- failure->name = _pam_delete(failure->name); /* tidy up */
- free(failure);
- }
-}
-
-/*
- * verify the password of a user
- */
-
-#include <signal.h>
-#include <sys/types.h>
-#include <sys/wait.h>
-
-static int pwdb_run_helper_binary(pam_handle_t *pamh, const char *passwd,
- unsigned int ctrl, const char *user)
-{
- int retval, child, fds[2];
- void (*sighandler)(int) = NULL;
-
- D(("called."));
- /* create a pipe for the password */
- if (pipe(fds) != 0) {
- D(("could not make pipe"));
- return PAM_AUTH_ERR;
- }
-
- if (off(UNIX_NOREAP, ctrl)) {
- /*
- * This code arranges that the demise of the child does not cause
- * the application to receive a signal it is not expecting - which
- * may kill the application or worse.
- *
- * The "noreap" module argument is provided so that the admin can
- * override this behavior.
- */
- sighandler = signal(SIGCHLD, SIG_DFL);
- }
-
- /* fork */
- child = fork();
- if (child == 0) {
- static char *args[] = { NULL, NULL, NULL };
- static char *envp[] = { NULL };
-
- /* XXX - should really tidy up PAM here too */
- while (pwdb_end() == PWDB_SUCCESS);
-
- /* reopen stdin as pipe */
- close(fds[1]);
- dup2(fds[0], STDIN_FILENO);
-
- /* exec binary helper */
- args[0] = x_strdup(CHKPWD_HELPER);
- args[1] = x_strdup(user);
-
- execve(CHKPWD_HELPER, args, envp);
-
- /* should not get here: exit with error */
- D(("helper binary is not available"));
- exit(PWDB_SUCCESS+1);
- } else if (child > 0) {
- /* wait for child */
- if (passwd != NULL) { /* send the password to the child */
- write(fds[1], passwd, strlen(passwd)+1);
- passwd = NULL;
- } else {
- write(fds[1], "", 1); /* blank password */
- }
- close(fds[0]); /* we close this after the write because we want
- to avoid a possible SIGPIPE. */
- close(fds[1]);
- (void) waitpid(child, &retval, 0); /* wait for helper to complete */
- retval = (retval == PWDB_SUCCESS) ? PAM_SUCCESS:PAM_AUTH_ERR;
- } else {
- D(("fork failed"));
- retval = PAM_AUTH_ERR;
- }
-
- if (sighandler != NULL) {
- (void) signal(SIGCHLD, sighandler); /* restore old signal handler */
- }
-
- D(("returning %d", retval));
- return retval;
-}
-
-static int _unix_verify_password(pam_handle_t *pamh, const char *name,
- const char *p, unsigned int ctrl)
-{
- const struct pwdb *pw=NULL;
- const struct pwdb_entry *pwe=NULL;
-
- const char *salt;
- char *pp;
- char *data_name;
- int retval;
- int verify_result;
-
- D(("called"));
-
-#ifdef HAVE_PAM_FAIL_DELAY
- if ( off(UNIX_NODELAY, ctrl) ) {
- D(("setting delay"));
- (void) pam_fail_delay(pamh, 1000000); /* 1 sec delay for on failure */
- }
-#endif
-
- /* locate the entry for this user */
-
- D(("locating user's record"));
- retval = pwdb_locate("user", PWDB_DEFAULT, name, PWDB_ID_UNKNOWN, &pw);
- if (retval == PWDB_PASS_PHRASE_REQD) {
- /*
- * give the password to the pwdb library. It may be needed to
- * access the database
- */
-
- retval = pwdb_set_entry( pw, "pass_phrase", p, 1+strlen(p)
- , NULL, NULL, 0);
- if (retval != PWDB_SUCCESS) {
- _log_err(LOG_ALERT, "find pass; %s", pwdb_strerror(retval));
- (void) pwdb_delete(&pw);
- p = NULL;
- return PAM_CRED_INSUFFICIENT;
- }
-
- retval = pwdb_locate("user", pw->source, name, PWDB_ID_UNKNOWN, &pw);
- }
-
- if (retval != PWDB_SUCCESS) {
- D(("user's record unavailable"));
- if ( on(UNIX_AUDIT, ctrl) ) {
- /* this might be a typo and the user has given a password
- instead of a username. Careful with this. */
- _log_err(LOG_ALERT, "check pass; user (%s) unknown", name);
- } else {
- _log_err(LOG_ALERT, "check pass; user unknown");
- }
- (void) pwdb_delete(&pw);
- p = NULL;
- return PAM_USER_UNKNOWN;
- }
-
- /*
- * courtesy of PWDB the password for the user is stored in
- * encrypted form in the "passwd" entry of pw.
- */
-
- retval = pwdb_get_entry(pw, "passwd", &pwe);
- if (retval != PWDB_SUCCESS) {
- if (geteuid()) {
- /* we are not root perhaps this is the reason? Run helper */
- D(("running helper binary"));
- retval = pwdb_run_helper_binary(pamh, p, ctrl, name);
- } else {
- retval = PAM_AUTHINFO_UNAVAIL;
- _log_err(LOG_ALERT, "get passwd; %s", pwdb_strerror(retval));
- }
- (void) pwdb_delete(&pw);
- p = NULL;
- return retval;
- }
- salt = (const char *) pwe->value;
-
- /*
- * XXX: Cristian, the above is not the case for RADIUS(?) Some
- * lines should be added for RADIUS to verify the password in
- * clear text...
- */
-
- data_name = (char *) malloc(sizeof(FAIL_PREFIX)+strlen(name));
- if ( data_name == NULL ) {
- _log_err(LOG_CRIT, "no memory for data-name");
- }
- strcpy(data_name, FAIL_PREFIX);
- strcpy(data_name + sizeof(FAIL_PREFIX)-1, name);
-
- if ( !( (salt && *salt) || (p && *p) ) ) {
-
- D(("two null passwords to compare"));
-
- /* the stored password is NULL */
- pp = NULL;
- if ( off(UNIX__NONULL, ctrl ) ) { /* this means we've succeeded */
- verify_result = PAM_SUCCESS;
- } else {
- verify_result = PAM_AUTH_ERR;
- }
-
- } else if ( !( salt && p ) ) {
-
- D(("one of the two to compare are NULL"));
-
- pp = NULL;
- verify_result = PAM_AUTH_ERR;
-
- } else {
-
- /* there is no way that p can be NULL (one can be "") */
- pp = _pam_md(p, salt);
-
- /* the moment of truth -- do we agree with the password? */
- D(("comparing state of pp[%s] and salt[%s]", pp, salt));
-
- if ( strcmp( pp, salt ) == 0 ) {
- verify_result = PAM_SUCCESS;
- } else {
- _pam_delete(pp);
- pp = _pam_md_compat(p, salt);
- if ( strcmp( pp, salt ) == 0 ) {
- verify_result = PAM_SUCCESS;
- } else {
- verify_result = PAM_AUTH_ERR;
- }
- }
-
- p = NULL; /* no longer needed here */
-
- }
-
- if ( verify_result == PAM_SUCCESS ) {
-
- retval = PAM_SUCCESS;
- if (data_name) { /* reset failures */
- pam_set_data(pamh, data_name, NULL, _cleanup_failures);
- }
-
- } else {
-
- retval = PAM_AUTH_ERR;
- if (data_name != NULL) {
- struct _pam_failed_auth *new=NULL;
- const struct _pam_failed_auth *old=NULL;
-
- /* get a failure recorder */
-
- new = (struct _pam_failed_auth *)
- malloc(sizeof(struct _pam_failed_auth));
-
- if (new != NULL) {
-
- new->user = x_strdup(name);
- new->id = getuid();
- new->name = x_strdup(getlogin() ? getlogin():"" );
-
- /* any previous failures for this user ? */
- pam_get_data(pamh, data_name, (const void **)&old );
-
- if (old != NULL) {
- new->count = old->count +1;
- if (new->count >= UNIX_MAX_RETRIES) {
- retval = PAM_MAXTRIES;
- }
- } else {
- const char *service=NULL;
- (void) pam_get_item(pamh, PAM_SERVICE
- , (const void **)&service);
- _log_err(LOG_NOTICE
- , "authentication failure; %s(uid=%d) -> "
- "%s for %s service"
- , new->name
- , new->id
- , new->user
- , service == NULL ? "**unknown**":service
- );
- new->count = 1;
- }
-
- pam_set_data(pamh, data_name, new, _cleanup_failures);
-
- } else {
- _log_err(LOG_CRIT, "no memory for failure recorder");
- }
- }
-
- }
-
- (void) pwdb_entry_delete(&pwe);
- (void) pwdb_delete(&pw);
- salt = NULL;
- _pam_delete(data_name);
- _pam_delete(pp);
-
- D(("done [%d].", retval));
-
- return retval;
-}
-
-/*
- * this function obtains the name of the current user and ensures
- * that the PAM_USER item is set to this value
- */
-
-static int _unix_get_user(pam_handle_t *pamh, unsigned int ctrl
- , const char *prompt, const char **user)
-{
- int retval;
-
- D(("called"));
-
- retval = pam_get_user(pamh, user, prompt);
- if (retval != PAM_SUCCESS) {
- D(("trouble reading username"));
- return retval;
- }
-
- /*
- * Various libraries at various times have had bugs related to
- * '+' or '-' as the first character of a user name. Don't take
- * any chances here. Require that the username starts with an
- * alphanumeric character.
- */
-
- if (*user == NULL || !isalnum(**user)) {
- D(("bad username"));
- if (on(UNIX_DEBUG,ctrl)) {
- _log_err(LOG_ERR, "bad username [%s]", *user);
- }
- return PAM_USER_UNKNOWN;
- }
-
- if (retval == PAM_SUCCESS && on(UNIX_DEBUG,ctrl)) {
- _log_err(LOG_DEBUG, "username [%s] obtained", *user);
- }
-
- return retval;
-}
-
-/*
- * _unix_blankpasswd() is a quick check for a blank password
- *
- * returns TRUE if user does not have a password
- * - to avoid prompting for one in such cases (CG)
- */
-
-static int _unix_blankpasswd(unsigned int ctrl, const char *name)
-{
- const struct pwdb *pw=NULL;
- const struct pwdb_entry *pwe=NULL;
- int retval;
-
- D(("called"));
-
- /*
- * This function does not have to be too smart if something goes
- * wrong, return FALSE and let this case to be treated somewhere
- * else (CG)
- */
-
- if ( on(UNIX__NONULL, ctrl) )
- return 0; /* will fail but don't let on yet */
-
- /* find the user's database entry */
-
- retval = pwdb_locate("user", PWDB_DEFAULT, name, PWDB_ID_UNKNOWN, &pw);
- if (retval != PWDB_SUCCESS || pw == NULL ) {
-
- retval = 0;
-
- } else {
-
- /* Does this user have a password? */
-
- retval = pwdb_get_entry(pw, "passwd", &pwe);
- if ( retval != PWDB_SUCCESS || pwe == NULL )
- retval = 0;
- else if ( pwe->value == NULL || ((char *)pwe->value)[0] == '\0' )
- retval = 1;
- else
- retval = 0;
-
- }
-
- /* tidy up */
-
- if ( pw ) {
- (void) pwdb_delete(&pw);
- if ( pwe )
- (void) pwdb_entry_delete(&pwe);
- }
-
- return retval;
-}
-
-/*
- * obtain a password from the user
- */
-
-static int _unix_read_password( pam_handle_t *pamh
- , unsigned int ctrl
- , const char *comment
- , const char *prompt1
- , const char *prompt2
- , const char *data_name
- , const char **pass )
-{
- int authtok_flag;
- int retval;
- const char *item;
- char *token;
-
- D(("called"));
-
- /*
- * make sure nothing inappropriate gets returned
- */
-
- *pass = token = NULL;
-
- /*
- * which authentication token are we getting?
- */
-
- authtok_flag = on(UNIX__OLD_PASSWD,ctrl) ? PAM_OLDAUTHTOK:PAM_AUTHTOK ;
-
- /*
- * should we obtain the password from a PAM item ?
- */
-
- if ( on(UNIX_TRY_FIRST_PASS,ctrl) || on(UNIX_USE_FIRST_PASS,ctrl) ) {
- retval = pam_get_item(pamh, authtok_flag, (const void **) &item);
- if (retval != PAM_SUCCESS ) {
- /* very strange. */
- _log_err(LOG_ALERT
- , "pam_get_item returned error to unix-read-password"
- );
- return retval;
- } else if (item != NULL) { /* we have a password! */
- *pass = item;
- item = NULL;
- return PAM_SUCCESS;
- } else if (on(UNIX_USE_FIRST_PASS,ctrl)) {
- return PAM_AUTHTOK_RECOVERY_ERR; /* didn't work */
- } else if (on(UNIX_USE_AUTHTOK, ctrl)
- && off(UNIX__OLD_PASSWD, ctrl)) {
- return PAM_AUTHTOK_RECOVERY_ERR;
- }
- }
-
- /*
- * getting here implies we will have to get the password from the
- * user directly.
- */
-
- {
- struct pam_message msg[3],*pmsg[3];
- struct pam_response *resp;
- int i, replies;
-
- /* prepare to converse */
-
- if ( comment != NULL && off(UNIX__QUIET, ctrl) ) {
- pmsg[0] = &msg[0];
- msg[0].msg_style = PAM_TEXT_INFO;
- msg[0].msg = comment;
- i = 1;
- } else {
- i = 0;
- }
-
- pmsg[i] = &msg[i];
- msg[i].msg_style = PAM_PROMPT_ECHO_OFF;
- msg[i++].msg = prompt1;
- replies = 1;
-
- if ( prompt2 != NULL ) {
- pmsg[i] = &msg[i];
- msg[i].msg_style = PAM_PROMPT_ECHO_OFF;
- msg[i++].msg = prompt2;
- ++replies;
- }
-
- /* so call the conversation expecting i responses */
- resp = NULL;
- retval = converse(pamh, ctrl, i, pmsg, &resp);
-
- if (resp != NULL) {
-
- /* interpret the response */
-
- if (retval == PAM_SUCCESS) { /* a good conversation */
-
- token = x_strdup(resp[i-replies].resp);
- if (token != NULL) {
- if (replies == 2) {
-
- /* verify that password entered correctly */
- if (!resp[i-1].resp
- || strcmp(token,resp[i-1].resp)) {
- token = _pam_delete(token); /* mistyped */
- retval = PAM_AUTHTOK_RECOVERY_ERR;
- make_remark(pamh, ctrl
- , PAM_ERROR_MSG, MISTYPED_PASS);
- }
- }
-
- } else {
- _log_err(LOG_NOTICE
- , "could not recover authentication token");
- }
-
- }
-
- /*
- * tidy up the conversation (resp_retcode) is ignored
- * -- what is it for anyway? AGM
- */
-
- _pam_drop_reply(resp, i);
-
- } else {
- retval = (retval == PAM_SUCCESS)
- ? PAM_AUTHTOK_RECOVERY_ERR:retval ;
- }
- }
-
- if (retval != PAM_SUCCESS) {
- if ( on(UNIX_DEBUG,ctrl) )
- _log_err(LOG_DEBUG,"unable to obtain a password");
- return retval;
- }
-
- /* 'token' is the entered password */
-
- if ( off(UNIX_NOT_SET_PASS, ctrl) ) {
-
- /* we store this password as an item */
-
- retval = pam_set_item(pamh, authtok_flag, token);
- token = _pam_delete(token); /* clean it up */
- if ( retval != PAM_SUCCESS
- || (retval = pam_get_item(pamh, authtok_flag
- , (const void **)&item))
- != PAM_SUCCESS ) {
-
- _log_err(LOG_CRIT, "error manipulating password");
- return retval;
-
- }
-
- } else {
- /*
- * then store it as data specific to this module. pam_end()
- * will arrange to clean it up.
- */
-
- retval = pam_set_data(pamh, data_name, (void *) token, _cleanup);
- if (retval != PAM_SUCCESS) {
- _log_err(LOG_CRIT, "error manipulating password data [%s]"
- , pam_strerror(pamh, retval) );
- token = _pam_delete(token);
- return retval;
- }
- item = token;
- token = NULL; /* break link to password */
- }
-
- *pass = item;
- item = NULL; /* break link to password */
-
- return PAM_SUCCESS;
-}
-
-static int _pam_unix_approve_pass(pam_handle_t *pamh
- , unsigned int ctrl
- , const char *pass_old
- , const char *pass_new)
-{
- D(("&new=%p, &old=%p",pass_old,pass_new));
- D(("new=[%s]",pass_new));
- D(("old=[%s]",pass_old));
-
- if (pass_new == NULL || (pass_old && !strcmp(pass_old,pass_new))) {
- if ( on(UNIX_DEBUG, ctrl) ) {
- _log_err(LOG_DEBUG, "bad authentication token");
- }
- make_remark(pamh, ctrl, PAM_ERROR_MSG, pass_new == NULL ?
- "No password supplied":"Password unchanged" );
- return PAM_AUTHTOK_ERR;
- }
-
- /*
- * if one wanted to hardwire authentication token strength
- * checking this would be the place - AGM
- */
-
- return PAM_SUCCESS;
-}
-
-/* ****************************************************************** *
- * Copyright (c) Andrew G. Morgan 1996-8.
- * Copyright (c) Alex O. Yuriev, 1996.
- * Copyright (c) Cristian Gafton 1996.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, and the entire permission notice in its entirety,
- * including the disclaimer of warranties.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. The name of the author may not be used to endorse or promote
- * products derived from this software without specific prior
- * written permission.
- *
- * ALTERNATIVELY, this product may be distributed under the terms of
- * the GNU Public License, in which case the provisions of the GPL are
- * required INSTEAD OF the above restrictions. (This clause is
- * necessary due to a potential bad interaction between the GPL and
- * the restrictions contained in a BSD-style copyright.)
- *
- * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
- * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
- * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
- * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
- * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
- * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- */