Diffstat (limited to 'libpam')
-rw-r--r--libpam/Makefile.am5
-rw-r--r--libpam/Makefile.in64
-rw-r--r--libpam/include/security/_pam_types.h1
-rw-r--r--libpam/include/security/pam_ext.h5
-rw-r--r--libpam/libpam.map5
-rw-r--r--libpam/pam_dispatch.c20
-rw-r--r--libpam/pam_end.c5
-rw-r--r--libpam/pam_get_authtok.c170
-rw-r--r--libpam/pam_handlers.c56
-rw-r--r--libpam/pam_item.c12
-rw-r--r--libpam/pam_misc.c7
-rw-r--r--libpam/pam_modutil_getgrgid.c4
-rw-r--r--libpam/pam_modutil_getgrnam.c4
-rw-r--r--libpam/pam_modutil_getpwnam.c4
-rw-r--r--libpam/pam_modutil_getpwuid.c4
-rw-r--r--libpam/pam_modutil_getspnam.c4
-rw-r--r--libpam/pam_modutil_private.h7
-rw-r--r--libpam/pam_password.c10
-rw-r--r--libpam/pam_private.h4
-rw-r--r--libpam/pam_start.c9
-rw-r--r--libpam/pam_static_modules.h6
21 files changed, 317 insertions, 89 deletions
diff --git a/libpam/Makefile.am b/libpam/Makefile.am
index 4d9cbe74..c38e1fee 100644
--- a/libpam/Makefile.am
+++ b/libpam/Makefile.am
@@ -20,7 +20,7 @@ include_HEADERS = include/security/_pam_compat.h \
noinst_HEADERS = pam_prelude.h pam_private.h pam_tokens.h \
pam_modutil_private.h pam_static_modules.h
-libpam_la_LDFLAGS = -no-undefined -version-info 81:12:81
+libpam_la_LDFLAGS = -no-undefined -version-info 82:1:82
libpam_la_LIBADD = @LIBAUDIT@ $(LIBPRELUDE_LIBS) @LIBDL@
if STATIC_MODULES
@@ -34,7 +34,8 @@ endif
lib_LTLIBRARIES = libpam.la
libpam_la_SOURCES = pam_account.c pam_auth.c pam_data.c pam_delay.c \
- pam_dispatch.c pam_end.c pam_env.c pam_handlers.c pam_item.c \
+ pam_dispatch.c pam_end.c pam_env.c pam_get_authtok.c \
+ pam_handlers.c pam_item.c \
pam_misc.c pam_password.c pam_prelude.c \
pam_session.c pam_start.c pam_static.c pam_strerror.c \
pam_vprompt.c pam_syslog.c pam_dynamic.c pam_audit.c \
diff --git a/libpam/Makefile.in b/libpam/Makefile.in
index ab57858e..f4d9c46b 100644
--- a/libpam/Makefile.in
+++ b/libpam/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.10.1 from Makefile.am.
+# Makefile.in generated by automake 1.10.2 from Makefile.am.
# @configure_input@
# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -47,13 +47,16 @@ DIST_COMMON = $(include_HEADERS) $(noinst_HEADERS) \
$(srcdir)/Makefile.am $(srcdir)/Makefile.in
ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
am__aclocal_m4_deps = $(top_srcdir)/m4/gettext.m4 \
- $(top_srcdir)/m4/iconv.m4 \
+ $(top_srcdir)/m4/iconv.m4 $(top_srcdir)/m4/intlmacosx.m4 \
+ $(top_srcdir)/m4/japhar_grep_cflags.m4 \
$(top_srcdir)/m4/jh_path_xml_catalog.m4 \
$(top_srcdir)/m4/ld-O1.m4 $(top_srcdir)/m4/ld-as-needed.m4 \
$(top_srcdir)/m4/lib-ld.m4 $(top_srcdir)/m4/lib-link.m4 \
$(top_srcdir)/m4/lib-prefix.m4 $(top_srcdir)/m4/libprelude.m4 \
- $(top_srcdir)/m4/nls.m4 $(top_srcdir)/m4/po.m4 \
- $(top_srcdir)/m4/progtest.m4 $(top_srcdir)/acinclude.m4 \
+ $(top_srcdir)/m4/libtool.m4 $(top_srcdir)/m4/ltoptions.m4 \
+ $(top_srcdir)/m4/ltsugar.m4 $(top_srcdir)/m4/ltversion.m4 \
+ $(top_srcdir)/m4/lt~obsolete.m4 $(top_srcdir)/m4/nls.m4 \
+ $(top_srcdir)/m4/po.m4 $(top_srcdir)/m4/progtest.m4 \
$(top_srcdir)/configure.in
am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
$(ACLOCAL_M4)
@@ -75,14 +78,14 @@ am__DEPENDENCIES_1 =
libpam_la_DEPENDENCIES = $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_2)
am_libpam_la_OBJECTS = pam_account.lo pam_auth.lo pam_data.lo \
pam_delay.lo pam_dispatch.lo pam_end.lo pam_env.lo \
- pam_handlers.lo pam_item.lo pam_misc.lo pam_password.lo \
- pam_prelude.lo pam_session.lo pam_start.lo pam_static.lo \
- pam_strerror.lo pam_vprompt.lo pam_syslog.lo pam_dynamic.lo \
- pam_audit.lo pam_modutil_cleanup.lo pam_modutil_getpwnam.lo \
- pam_modutil_ioloop.lo pam_modutil_getgrgid.lo \
- pam_modutil_getpwuid.lo pam_modutil_getgrnam.lo \
- pam_modutil_getspnam.lo pam_modutil_getlogin.lo \
- pam_modutil_ingroup.lo
+ pam_get_authtok.lo pam_handlers.lo pam_item.lo pam_misc.lo \
+ pam_password.lo pam_prelude.lo pam_session.lo pam_start.lo \
+ pam_static.lo pam_strerror.lo pam_vprompt.lo pam_syslog.lo \
+ pam_dynamic.lo pam_audit.lo pam_modutil_cleanup.lo \
+ pam_modutil_getpwnam.lo pam_modutil_ioloop.lo \
+ pam_modutil_getgrgid.lo pam_modutil_getpwuid.lo \
+ pam_modutil_getgrnam.lo pam_modutil_getspnam.lo \
+ pam_modutil_getlogin.lo pam_modutil_ingroup.lo
libpam_la_OBJECTS = $(am_libpam_la_OBJECTS)
libpam_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
@@ -119,23 +122,19 @@ CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
CPP = @CPP@
CPPFLAGS = @CPPFLAGS@
-CXX = @CXX@
-CXXCPP = @CXXCPP@
-CXXDEPMODE = @CXXDEPMODE@
-CXXFLAGS = @CXXFLAGS@
CYGPATH_W = @CYGPATH_W@
DEFS = @DEFS@
DEPDIR = @DEPDIR@
DSYMUTIL = @DSYMUTIL@
-ECHO = @ECHO@
+DUMPBIN = @DUMPBIN@
ECHO_C = @ECHO_C@
ECHO_N = @ECHO_N@
ECHO_T = @ECHO_T@
EGREP = @EGREP@
EXEEXT = @EXEEXT@
-F77 = @F77@
-FFLAGS = @FFLAGS@
+FGREP = @FGREP@
FO2PDF = @FO2PDF@
+GETTEXT_MACRO_VERSION = @GETTEXT_MACRO_VERSION@
GMSGFMT = @GMSGFMT@
GMSGFMT_015 = @GMSGFMT_015@
GREP = @GREP@
@@ -147,6 +146,7 @@ INSTALL_SCRIPT = @INSTALL_SCRIPT@
INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
INTLLIBS = @INTLLIBS@
INTL_MACOSX_LIBS = @INTL_MACOSX_LIBS@
+LD = @LD@
LDFLAGS = @LDFLAGS@
LEX = @LEX@
LEXLIB = @LEXLIB@
@@ -170,6 +170,7 @@ LIBPRELUDE_PTHREAD_CFLAGS = @LIBPRELUDE_PTHREAD_CFLAGS@
LIBS = @LIBS@
LIBSELINUX = @LIBSELINUX@
LIBTOOL = @LIBTOOL@
+LIPO = @LIPO@
LN_S = @LN_S@
LTLIBICONV = @LTLIBICONV@
LTLIBINTL = @LTLIBINTL@
@@ -179,15 +180,18 @@ MKDIR_P = @MKDIR_P@
MSGFMT = @MSGFMT@
MSGFMT_015 = @MSGFMT_015@
MSGMERGE = @MSGMERGE@
+NM = @NM@
NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
OBJEXT = @OBJEXT@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
PACKAGE = @PACKAGE@
PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
PACKAGE_NAME = @PACKAGE_NAME@
PACKAGE_STRING = @PACKAGE_STRING@
PACKAGE_TARNAME = @PACKAGE_TARNAME@
PACKAGE_VERSION = @PACKAGE_VERSION@
-PAM_READ_BOTH_CONFS = @PAM_READ_BOTH_CONFS@
PATH_SEPARATOR = @PATH_SEPARATOR@
PIE_CFLAGS = @PIE_CFLAGS@
PIE_LDFLAGS = @PIE_LDFLAGS@
@@ -201,10 +205,9 @@ SHELL = @SHELL@
STRIP = @STRIP@
USE_NLS = @USE_NLS@
VERSION = @VERSION@
-WITH_DEBUG = @WITH_DEBUG@
-WITH_PAMLOCKING = @WITH_PAMLOCKING@
XGETTEXT = @XGETTEXT@
XGETTEXT_015 = @XGETTEXT_015@
+XGETTEXT_EXTRA_OPTIONS = @XGETTEXT_EXTRA_OPTIONS@
XMLCATALOG = @XMLCATALOG@
XMLLINT = @XMLLINT@
XML_CATALOG_FILE = @XML_CATALOG_FILE@
@@ -216,8 +219,7 @@ abs_srcdir = @abs_srcdir@
abs_top_builddir = @abs_top_builddir@
abs_top_srcdir = @abs_top_srcdir@
ac_ct_CC = @ac_ct_CC@
-ac_ct_CXX = @ac_ct_CXX@
-ac_ct_F77 = @ac_ct_F77@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
am__include = @am__include@
am__leading_dot = @am__leading_dot@
am__quote = @am__quote@
@@ -249,6 +251,7 @@ libdir = @libdir@
libexecdir = @libexecdir@
localedir = @localedir@
localstatedir = @localstatedir@
+lt_ECHO = @lt_ECHO@
mandir = @mandir@
mkdir_p = @mkdir_p@
oldincludedir = @oldincludedir@
@@ -263,6 +266,7 @@ sharedstatedir = @sharedstatedir@
srcdir = @srcdir@
sysconfdir = @sysconfdir@
target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
top_builddir = @top_builddir@
top_srcdir = @top_srcdir@
AM_CFLAGS = -DDEFAULT_MODULE_PATH=\"$(SECUREDIR)/\" -DLIBPAM_COMPILE \
@@ -278,13 +282,14 @@ include_HEADERS = include/security/_pam_compat.h \
noinst_HEADERS = pam_prelude.h pam_private.h pam_tokens.h \
pam_modutil_private.h pam_static_modules.h
-libpam_la_LDFLAGS = -no-undefined -version-info 81:12:81 \
+libpam_la_LDFLAGS = -no-undefined -version-info 82:1:82 \
$(am__append_3)
libpam_la_LIBADD = @LIBAUDIT@ $(LIBPRELUDE_LIBS) @LIBDL@ \
$(am__append_2)
lib_LTLIBRARIES = libpam.la
libpam_la_SOURCES = pam_account.c pam_auth.c pam_data.c pam_delay.c \
- pam_dispatch.c pam_end.c pam_env.c pam_handlers.c pam_item.c \
+ pam_dispatch.c pam_end.c pam_env.c pam_get_authtok.c \
+ pam_handlers.c pam_item.c \
pam_misc.c pam_password.c pam_prelude.c \
pam_session.c pam_start.c pam_static.c pam_strerror.c \
pam_vprompt.c pam_syslog.c pam_dynamic.c pam_audit.c \
@@ -300,8 +305,8 @@ $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps)
@for dep in $?; do \
case '$(am__configure_deps)' in \
*$$dep*) \
- cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \
- && exit 0; \
+ ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+ && { if test -f $@; then exit 0; else break; fi; }; \
exit 1;; \
esac; \
done; \
@@ -370,6 +375,7 @@ distclean-compile:
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_dynamic.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_end.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_env.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_get_authtok.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_handlers.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_item.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_misc.Plo@am__quote@
@@ -440,7 +446,7 @@ ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
unique=`for i in $$list; do \
if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
done | \
- $(AWK) '{ files[$$0] = 1; nonemtpy = 1; } \
+ $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
END { if (nonempty) { for (i in files) print i; }; }'`; \
mkid -fID $$unique
tags: TAGS
diff --git a/libpam/include/security/_pam_types.h b/libpam/include/security/_pam_types.h
index 2f7e807f..2d684bce 100644
--- a/libpam/include/security/_pam_types.h
+++ b/libpam/include/security/_pam_types.h
@@ -143,6 +143,7 @@ typedef struct pam_handle pam_handle_t;
delays */
#define PAM_XDISPLAY 11 /* X display name */
#define PAM_XAUTHDATA 12 /* X server authentication data */
+#define PAM_AUTHTOK_TYPE 13 /* The type for pam_get_authtok */
/* -------------- Special defines used by Linux-PAM -------------- */
diff --git a/libpam/include/security/pam_ext.h b/libpam/include/security/pam_ext.h
index 111dd633..26f7156c 100644
--- a/libpam/include/security/pam_ext.h
+++ b/libpam/include/security/pam_ext.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2005, 2006 Thorsten Kukuk.
+ * Copyright (C) 2005, 2006, 2008 Thorsten Kukuk.
*
* <security/pam_ext.h>
*
@@ -74,6 +74,9 @@ pam_prompt (pam_handle_t *pamh, int style, char **response,
#define pam_info(pamh, fmt...) pam_prompt(pamh, PAM_TEXT_INFO, NULL, fmt)
#define pam_vinfo(pamh, fmt, args) pam_vprompt(pamh, PAM_TEXT_INFO, NULL, fmt, args)
+extern int PAM_NONNULL((1,3))
+pam_get_authtok (pam_handle_t *pamh, int item, const char **authtok,
+ const char *prompt);
#ifdef __cplusplus
}
#endif
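Review bot: `PAM_NONNULL((1,3))` presumably expands to `__attribute__((nonnull))`, which lets the compiler assume `authtok` is never NULL and drop null checks on it; the implementation added in this same commit (pam_get_authtok.c) opens with `if (authtok == NULL) return PAM_SYSTEM_ERR;`, which may then be optimized away, so the declaration and the defensive check contradict each other. Either remove 3 from the attribute or remove the check, and make the same decision for `pamh`, which the implementation dereferences without a check. The prototype also carries no contract: which `item` values are meaningful (PAM_AUTHTOK/PAM_OLDAUTHTOK), that a NULL `prompt` selects the built-in prompts, that the returned pointer is owned by the handle, and the return codes (PAM_SUCCESS, PAM_AUTH_ERR/PAM_AUTHTOK_ERR with use_first_pass/use_authtok, PAM_TRY_AGAIN on a mismatch). A short `/** ... */` block above the prototype would cover it.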
diff --git a/libpam/libpam.map b/libpam/libpam.map
index e37fc356..227e8372 100644
--- a/libpam/libpam.map
+++ b/libpam/libpam.map
@@ -30,6 +30,11 @@ LIBPAM_EXTENSION_1.0 {
pam_vsyslog;
};
+LIBPAM_EXTENSION_1.1 {
+ global:
+ pam_get_authtok;
+} LIBPAM_EXTENSION_1.0;
+
LIBPAM_MODUTIL_1.0 {
global:
pam_modutil_getpwnam;
diff --git a/libpam/pam_dispatch.c b/libpam/pam_dispatch.c
index fa4e5ed4..98c69c60 100644
--- a/libpam/pam_dispatch.c
+++ b/libpam/pam_dispatch.c
@@ -87,7 +87,7 @@ static int _pam_dispatch_aux(pam_handle_t *pamh, int flags, struct handler *h,
}
/* remember state if we are entering a substack */
- if (prev_level < stack_level) {
+ if (prev_level < stack_level) {
substates[stack_level].impression = impression;
substates[stack_level].status = status;
}
@@ -105,8 +105,12 @@ static int _pam_dispatch_aux(pam_handle_t *pamh, int flags, struct handler *h,
} else {
D(("passing control to module..."));
pamh->mod_name=h->mod_name;
+ pamh->mod_argc = h->argc;
+ pamh->mod_argv = h->argv;
retval = h->func(pamh, flags, h->argc, h->argv);
pamh->mod_name=NULL;
+ pamh->mod_argc = 0;
+ pamh->mod_argv = NULL;
D(("module returned: %s", pam_strerror(pamh, retval)));
}
@@ -128,11 +132,10 @@ static int _pam_dispatch_aux(pam_handle_t *pamh, int flags, struct handler *h,
}
/*
- * use_cached_chain is how we ensure that the setcred/close_session
- * and chauthtok(2) modules are called in the same order as they did
- * when they were invoked as auth/open_session/chauthtok(1). This
- * feature was added in 0.75 to make the behavior of pam_setcred
- * sane. It was debugged by release 0.76.
+ * use_cached_chain is how we ensure that the setcred and
+ * close_session modules are called in the same order as they did
+ * when they were invoked as auth/open_session. This feature was
+ * added in 0.75 to make the behavior of pam_setcred sane.
*/
if (use_cached_chain != _PAM_PLEASE_FREEZE) {
@@ -286,7 +289,7 @@ static int _pam_dispatch_aux(pam_handle_t *pamh, int flags, struct handler *h,
}
}
continue;
-
+
decision_made: /* by getting here we have made a decision */
while (h->next != NULL && h->next->stack_level >= stack_level) {
h = h->next;
@@ -354,9 +357,6 @@ int _pam_dispatch(pam_handle_t *pamh, int flags, int choice)
break;
case PAM_CHAUTHTOK:
h = pamh->handlers.conf.chauthtok;
- if (flags & PAM_UPDATE_AUTHTOK) {
- use_cached_chain = _PAM_MUST_BE_FROZEN;
- }
break;
default:
pam_syslog(pamh, LOG_ERR, "undefined fn choice; %d", choice);
diff --git a/libpam/pam_end.c b/libpam/pam_end.c
index a2d94085..e136b08d 100644
--- a/libpam/pam_end.c
+++ b/libpam/pam_end.c
@@ -1,7 +1,7 @@
/* pam_end.c */
/*
- * $Id: pam_end.c,v 1.7 2008/01/28 14:50:21 kukuk Exp $
+ * $Id: pam_end.c,v 1.8 2008/12/11 19:41:49 kukuk Exp $
*/
#include "pam_private.h"
@@ -82,6 +82,9 @@ int pam_end(pam_handle_t *pamh, int pam_status)
_pam_drop(pamh->xauth.data);
_pam_overwrite_n((char *)&pamh->xauth, sizeof(pamh->xauth));
+ _pam_overwrite(pamh->authtok_type);
+ _pam_drop(pamh->authtok_type);
+
/* and finally liberate the memory for the pam_handle structure */
_pam_drop(pamh);
diff --git a/libpam/pam_get_authtok.c b/libpam/pam_get_authtok.c
new file mode 100644
index 00000000..9e9f8409
--- /dev/null
+++ b/libpam/pam_get_authtok.c
@@ -0,0 +1,170 @@
+/*
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, and the entire permission notice in its entirety,
+ * including the disclaimer of warranties.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote
+ * products derived from this software without specific prior
+ * written permission.
+ *
+ * ALTERNATIVELY, this product may be distributed under the terms of
+ * the GNU Public License, in which case the provisions of the GPL are
+ * required INSTEAD OF the above restrictions. (This clause is
+ * necessary due to a potential bad interaction between the GPL and
+ * the restrictions contained in a BSD-style copyright.)
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
+ * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+ * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "config.h"
+#include "pam_private.h"
+
+#include <security/pam_ext.h>
+
+#define PROMPT _("Password: ")
+/* For Translators: "%s%s" could be replaced with "<service> " or "". */
+#define PROMPT1 _("New %s%spassword: ")
+/* For Translators: "%s%s" could be replaced with "<service> " or "". */
+#define PROMPT2 _("Retype new %s%spassword: ")
+#define MISTYPED_PASS _("Sorry, passwords do not match.")
+
+static const char *
+get_option (pam_handle_t *pamh, const char *option)
+{
+ int i;
+ size_t len;
+
+
+ if (option == NULL || pamh == NULL ||
+ pamh->mod_argc == 0 || pamh->mod_argv == NULL)
+ return NULL;
+
+ len = strlen (option);
+
+ for (i = 0; i < pamh->mod_argc; i++)
+ {
+ if (strncmp (option, pamh->mod_argv[i], len) == 0)
+ {
+ if (pamh->mod_argv[i][len] == '=')
+ return &(pamh->mod_argv[i][len+1]);
+ else if (pamh->mod_argv[i][len] == '\0')
+ return "";
+ }
+ }
+ return NULL;
+}
+
+
+int
+pam_get_authtok (pam_handle_t *pamh, int item, const char **authtok,
+ const char *prompt)
+
+{
+ char *resp[2] = {NULL, NULL};
+ const void* prevauthtok;
+ const char *authtok_type = "";
+ int ask_twice = 0; /* Password change, ask twice for it */
+ int retval;
+
+ if (authtok == NULL)
+ return PAM_SYSTEM_ERR;
+
+ /* PAM_AUTHTOK in password stack returns new password,
+ which needs to be verified. */
+ if (item == PAM_AUTHTOK && pamh->choice == PAM_CHAUTHTOK)
+ {
+ ask_twice = 1;
+ authtok_type = get_option (pamh, "authtok_type");
+ if (authtok_type == NULL)
+ {
+ retval = pam_get_item (pamh, PAM_AUTHTOK_TYPE, (const void **)&authtok_type);
+ if (retval != PAM_SUCCESS || authtok_type == NULL)
+ authtok_type = "";
+ }
+ }
+
+ retval = pam_get_item (pamh, item, &prevauthtok);
+ if (retval == PAM_SUCCESS && prevauthtok != NULL)
+ {
+ *authtok = prevauthtok;
+ return PAM_SUCCESS;
+ }
+ else if (get_option (pamh, "use_first_pass") ||
+ (ask_twice && get_option (pamh, "use_authtok")))
+ {
+ if (prevauthtok == NULL)
+ {
+ if (ask_twice)
+ return PAM_AUTHTOK_ERR;
+ else
+ return PAM_AUTH_ERR;
+ }
+ else
+ return retval;
+ }
+
+ if (prompt != NULL)
+ {
+ retval = pam_prompt (pamh, PAM_PROMPT_ECHO_OFF, &resp[0],
+ "%s", prompt);
+ if (retval == PAM_SUCCESS && ask_twice && resp[0] != NULL)
+ retval = pam_prompt (pamh, PAM_PROMPT_ECHO_OFF, &resp[1],
+ _("Retype %s"), prompt);
+ }
+ else if (ask_twice)
+ {
+ retval = pam_prompt (pamh, PAM_PROMPT_ECHO_OFF, &resp[0],
+ PROMPT1, authtok_type,
+ strlen (authtok_type) > 0?" ":"");
+ if (retval == PAM_SUCCESS && ask_twice && resp[0] != NULL)
+ retval = pam_prompt (pamh, PAM_PROMPT_ECHO_OFF, &resp[1],
+ PROMPT2, authtok_type,
+ strlen (authtok_type) > 0?" ":"");
+ }
+ else
+ retval = pam_prompt (pamh, PAM_PROMPT_ECHO_OFF, &resp[0], "%s",
+ PROMPT);
+
+ if (resp[0] == NULL || (ask_twice && resp[1] == NULL))
+ {
+ /* We want to abort the password change */
+ pam_error (pamh, _("Password change aborted."));
+ return PAM_AUTHTOK_ERR;
+ }
+
+ if (ask_twice && strcmp (resp[0], resp[1]) != 0)
+ {
+ pam_error (pamh, MISTYPED_PASS);
+ _pam_overwrite (resp[0]);
+ _pam_drop (resp[0]);
+ _pam_overwrite (resp[1]);
+ _pam_drop (resp[1]);
+ return PAM_TRY_AGAIN;
+ }
+
+ _pam_overwrite (resp[1]);
+ _pam_drop (resp[1]);
+
+ retval = pam_set_item (pamh, item, resp[0]);
+ _pam_overwrite (resp[0]);
+ _pam_drop (resp[0]);
+ if (retval != PAM_SUCCESS)
+ return retval;
+
+ return pam_get_item(pamh, item, (const void **)authtok);
+}
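Review bot: In the abort path at `if (resp[0] == NULL || (ask_twice && resp[1] == NULL))`, a first response that was already collected is neither overwritten nor freed when the retype prompt returns NULL, so the typed new password stays in heap memory; add `_pam_overwrite (resp[0]); _pam_drop (resp[0]);` before the `return PAM_AUTHTOK_ERR;`. The same branch emits `Password change aborted.` and returns PAM_AUTHTOK_ERR even when ask_twice is 0, i.e. for a plain authentication prompt, and the pam_prompt retval is discarded, so a conversation failure is reported as a bad authtok rather than PAM_CONV_ERR; at least make the message conditional on ask_twice. `prevauthtok` is declared without an initializer and is read in the use_first_pass/use_authtok branch after pam_get_item failed — initialize it to NULL rather than relying on pam_get_item clearing `*item` on every error path, including a bad `item` value. The `else return retval;` in that branch is only reachable when pam_get_item fails yet leaves a non-NULL pointer, which deserves a comment or removal once the initializer is there.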
diff --git a/libpam/pam_handlers.c b/libpam/pam_handlers.c
index 848c4fa5..bca3dd31 100644
--- a/libpam/pam_handlers.c
+++ b/libpam/pam_handlers.c
@@ -109,22 +109,28 @@ static int _pam_parse_conf_file(pam_handle_t *pamh, FILE *f
module_type = (requested_module_type != PAM_T_ANY) ?
requested_module_type : PAM_T_AUTH; /* most sensitive */
handler_type = PAM_HT_MUST_FAIL; /* install as normal but fail when dispatched */
- } else if (!strcasecmp("auth", tok)) {
- module_type = PAM_T_AUTH;
- } else if (!strcasecmp("session", tok)) {
- module_type = PAM_T_SESS;
- } else if (!strcasecmp("account", tok)) {
- module_type = PAM_T_ACCT;
- } else if (!strcasecmp("password", tok)) {
- module_type = PAM_T_PASS;
} else {
- /* Illegal module type */
- D(("_pam_init_handlers: bad module type: %s", tok));
- pam_syslog(pamh, LOG_ERR, "(%s) illegal module type: %s",
- this_service, tok);
- module_type = (requested_module_type != PAM_T_ANY) ?
- requested_module_type : PAM_T_AUTH; /* most sensitive */
- handler_type = PAM_HT_MUST_FAIL; /* install as normal but fail when dispatched */
+ if (tok[0] == '-') { /* do not log module load errors */
+ handler_type = PAM_HT_SILENT_MODULE;
+ ++tok;
+ }
+ if (!strcasecmp("auth", tok)) {
+ module_type = PAM_T_AUTH;
+ } else if (!strcasecmp("session", tok)) {
+ module_type = PAM_T_SESS;
+ } else if (!strcasecmp("account", tok)) {
+ module_type = PAM_T_ACCT;
+ } else if (!strcasecmp("password", tok)) {
+ module_type = PAM_T_PASS;
+ } else {
+ /* Illegal module type */
+ D(("_pam_init_handlers: bad module type: %s", tok));
+ pam_syslog(pamh, LOG_ERR, "(%s) illegal module type: %s",
+ this_service, tok);
+ module_type = (requested_module_type != PAM_T_ANY) ?
+ requested_module_type : PAM_T_AUTH; /* most sensitive */
+ handler_type = PAM_HT_MUST_FAIL; /* install as normal but fail when dispatched */
+ }
}
D(("Using %s config entry: %s", handler_type?"BAD ":"", tok));
if (requested_module_type != PAM_T_ANY &&
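Review bot: The debug line `D(("Using %s config entry: %s", handler_type?"BAD ":"", tok));` directly after the new block labels the new PAM_HT_SILENT_MODULE value (3) as `BAD`, because it tests handler_type for non-zero instead of comparing with PAM_HT_MUST_FAIL; change it to `handler_type == PAM_HT_MUST_FAIL ? "BAD " : ""`. The `-` prefix handling should also carry a comment stating what "silent" covers: as far as the _pam_load_module hunks in this commit show, only the three load-failure pam_syslog calls are suppressed and the entry is still installed (as a faulty module when loading fails), so it does not relax the stack's result — that is the property an auditor will want confirmed. A lone `-` token becomes an empty string after `++tok` and falls into the illegal-module-type branch, which is acceptable but worth a word. _pam_parse_conf_file starts and ends outside this hunk.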
@@ -609,7 +615,7 @@ extract_modulename(const char *mod_path)
}
static struct loaded_module *
-_pam_load_module(pam_handle_t *pamh, const char *mod_path)
+_pam_load_module(pam_handle_t *pamh, const char *mod_path, int handler_type)
{
int x = 0;
int success;
@@ -658,7 +664,8 @@ _pam_load_module(pam_handle_t *pamh, const char *mod_path)
if (mod->dl_handle == NULL) {
D(("_pam_load_module: unable to find static handler %s",
mod_path));
- pam_syslog(pamh, LOG_ERR,
+ if (handler_type != PAM_HT_SILENT_MODULE)
+ pam_syslog(pamh, LOG_ERR,
"unable to open static handler %s", mod_path);
/* Didn't find module in dynamic or static..will mark bad */
} else {
@@ -694,8 +701,9 @@ _pam_load_module(pam_handle_t *pamh, const char *mod_path)
}
if (mod->dl_handle == NULL) {
D(("_pam_load_module: _pam_dlopen(%s) failed", mod_path));
- pam_syslog(pamh, LOG_ERR, "unable to dlopen(%s): %s", mod_path,
- _pam_dlerror());
+ if (handler_type != PAM_HT_SILENT_MODULE)
+ pam_syslog(pamh, LOG_ERR, "unable to dlopen(%s): %s", mod_path,
+ _pam_dlerror());
/* Don't abort yet; static code may be able to find function.
* But defaults to abort if nothing found below... */
} else {
@@ -710,7 +718,8 @@ _pam_load_module(pam_handle_t *pamh, const char *mod_path)
mod->dl_handle = NULL;
mod->type = PAM_MT_FAULTY_MOD;
pamh->handlers.modules_used++;
- pam_syslog(pamh, LOG_ERR, "adding faulty module: %s", mod_path);
+ if (handler_type != PAM_HT_SILENT_MODULE)
+ pam_syslog(pamh, LOG_ERR, "adding faulty module: %s", mod_path);
success = PAM_SUCCESS; /* We have successfully added a module */
}
@@ -748,12 +757,13 @@ int _pam_add_handler(pam_handle_t *pamh
D(("_pam_add_handler: adding type %d, handler_type %d, module `%s'",
type, handler_type, mod_path));
- if (handler_type == PAM_HT_MODULE && mod_path != NULL) {
+ if ((handler_type == PAM_HT_MODULE || handler_type == PAM_HT_SILENT_MODULE) &&
+ mod_path != NULL) {
if (mod_path[0] == '/') {
- mod = _pam_load_module(pamh, mod_path);
+ mod = _pam_load_module(pamh, mod_path, handler_type);
} else if (asprintf(&mod_full_path, "%s%s",
DEFAULT_MODULE_PATH, mod_path) >= 0) {
- mod = _pam_load_module(pamh, mod_full_path);
+ mod = _pam_load_module(pamh, mod_full_path, handler_type);
_pam_drop(mod_full_path);
} else {
pam_syslog(pamh, LOG_CRIT, "cannot malloc full mod path");
diff --git a/libpam/pam_item.c b/libpam/pam_item.c
index 390f2519..29a81ed5 100644
--- a/libpam/pam_item.c
+++ b/libpam/pam_item.c
@@ -1,7 +1,7 @@
/* pam_item.c */
/*
- * $Id: pam_item.c,v 1.16.2.1 2008/04/08 08:55:01 t8m Exp $
+ * $Id: pam_item.c,v 1.18 2008/12/11 19:41:49 kukuk Exp $
*/
#include "pam_private.h"
@@ -151,7 +151,7 @@ int pam_set_item (pam_handle_t *pamh, int item_type, const void *item)
if ((pamh->xauth.name=_pam_strdup(pamh->xauth.name)) == NULL) {
memset(&pamh->xauth, '\0', sizeof(pamh->xauth));
return PAM_BUF_ERR;
- }
+ }
if ((pamh->xauth.data=_pam_memdup(pamh->xauth.data,
pamh->xauth.datalen)) == NULL) {
_pam_overwrite(pamh->xauth.name);
@@ -161,6 +161,10 @@ int pam_set_item (pam_handle_t *pamh, int item_type, const void *item)
}
break;
+ case PAM_AUTHTOK_TYPE:
+ TRY_SET(pamh->authtok_type, item);
+ break;
+
default:
retval = PAM_BAD_ITEM;
}
@@ -251,6 +255,10 @@ int pam_get_item (const pam_handle_t *pamh, int item_type, const void **item)
*item = &pamh->xauth;
break;
+ case PAM_AUTHTOK_TYPE:
+ *item = pamh->authtok_type;
+ break;
+
default:
retval = PAM_BAD_ITEM;
}
diff --git a/libpam/pam_misc.c b/libpam/pam_misc.c
index 574a570e..b690fd3e 100644
--- a/libpam/pam_misc.c
+++ b/libpam/pam_misc.c
@@ -59,10 +59,11 @@ char *_pam_StrTok(char *from, const char *format, char **next)
/* initialize table */
for (i=1; i<256; table[i++] = '\0');
- for (i=0; format[i] ; table[(int)format[i++]] = 'y');
+ for (i=0; format[i] ;
+ table[(unsigned char)format[i++]] = 'y');
/* look for first non-format char */
- while (*from && table[(int)*from]) {
+ while (*from && table[(unsigned char)*from]) {
++from;
}
@@ -92,7 +93,7 @@ char *_pam_StrTok(char *from, const char *format, char **next)
remains */
} else if (*from) {
/* simply look for next blank char */
- for (end=from; *end && !table[(int)*end]; ++end);
+ for (end=from; *end && !table[(unsigned char)*end]; ++end);
} else {
return (*next = NULL); /* no tokens left */
}
diff --git a/libpam/pam_modutil_getgrgid.c b/libpam/pam_modutil_getgrgid.c
index 5b862872..fb7ced84 100644
--- a/libpam/pam_modutil_getgrgid.c
+++ b/libpam/pam_modutil_getgrgid.c
@@ -1,5 +1,5 @@
/*
- * $Id: pam_modutil_getgrgid.c,v 1.2 2007/08/30 04:00:39 vorlon Exp $
+ * $Id: pam_modutil_getgrgid.c,v 1.3 2008/05/14 12:55:02 t8m Exp $
*
* This function provides a thread safer version of getgrgid() for use
* with PAM modules that care about this sort of thing.
@@ -115,7 +115,7 @@ pam_modutil_getgrgid(pam_handle_t *pamh, gid_t gid)
break;
}
- length <<= 2;
+ length <<= PWD_LENGTH_SHIFT;
} while (length < PWD_ABSURD_PWD_LENGTH);
diff --git a/libpam/pam_modutil_getgrnam.c b/libpam/pam_modutil_getgrnam.c
index 99c90800..2f11b1e5 100644
--- a/libpam/pam_modutil_getgrnam.c
+++ b/libpam/pam_modutil_getgrnam.c
@@ -1,5 +1,5 @@
/*
- * $Id: pam_modutil_getgrnam.c,v 1.2 2007/08/30 04:00:39 vorlon Exp $
+ * $Id: pam_modutil_getgrnam.c,v 1.3 2008/05/14 12:55:02 t8m Exp $
*
* This function provides a thread safer version of getgrnam() for use
* with PAM modules that care about this sort of thing.
@@ -104,7 +104,7 @@ pam_modutil_getgrnam(pam_handle_t *pamh, const char *group)
break;
}
- length <<= 2;
+ length <<= PWD_LENGTH_SHIFT;
} while (length < PWD_ABSURD_PWD_LENGTH);
diff --git a/libpam/pam_modutil_getpwnam.c b/libpam/pam_modutil_getpwnam.c
index b81617d5..80f66caa 100644
--- a/libpam/pam_modutil_getpwnam.c
+++ b/libpam/pam_modutil_getpwnam.c
@@ -1,5 +1,5 @@
/*
- * $Id: pam_modutil_getpwnam.c,v 1.2 2007/08/30 04:00:39 vorlon Exp $
+ * $Id: pam_modutil_getpwnam.c,v 1.3 2008/05/14 12:55:02 t8m Exp $
*
* This function provides a thread safer version of getpwnam() for use
* with PAM modules that care about this sort of thing.
@@ -104,7 +104,7 @@ pam_modutil_getpwnam(pam_handle_t *pamh, const char *user)
break;
}
- length <<= 2;
+ length <<= PWD_LENGTH_SHIFT;
} while (length < PWD_ABSURD_PWD_LENGTH);
diff --git a/libpam/pam_modutil_getpwuid.c b/libpam/pam_modutil_getpwuid.c
index 3ea02488..96e8f240 100644
--- a/libpam/pam_modutil_getpwuid.c
+++ b/libpam/pam_modutil_getpwuid.c
@@ -1,5 +1,5 @@
/*
- * $Id: pam_modutil_getpwuid.c,v 1.2 2007/08/30 04:00:39 vorlon Exp $
+ * $Id: pam_modutil_getpwuid.c,v 1.3 2008/05/14 12:55:02 t8m Exp $
*
* This function provides a thread safer version of getpwuid() for use
* with PAM modules that care about this sort of thing.
@@ -115,7 +115,7 @@ pam_modutil_getpwuid(pam_handle_t *pamh, uid_t uid)
break;
}
- length <<= 2;
+ length <<= PWD_LENGTH_SHIFT;
} while (length < PWD_ABSURD_PWD_LENGTH);
diff --git a/libpam/pam_modutil_getspnam.c b/libpam/pam_modutil_getspnam.c
index 6c02e9c2..ac6833f1 100644
--- a/libpam/pam_modutil_getspnam.c
+++ b/libpam/pam_modutil_getspnam.c
@@ -1,5 +1,5 @@
/*
- * $Id: pam_modutil_getspnam.c,v 1.2 2007/08/30 04:00:39 vorlon Exp $
+ * $Id: pam_modutil_getspnam.c,v 1.3 2008/05/14 12:55:02 t8m Exp $
*
* This function provides a thread safer version of getspnam() for use
* with PAM modules that care about this sort of thing.
@@ -104,7 +104,7 @@ pam_modutil_getspnam(pam_handle_t *pamh, const char *user)
break;
}
- length <<= 2;
+ length <<= PWD_LENGTH_SHIFT;
} while (length < PWD_ABSURD_PWD_LENGTH);
diff --git a/libpam/pam_modutil_private.h b/libpam/pam_modutil_private.h
index e118f599..554f0dff 100644
--- a/libpam/pam_modutil_private.h
+++ b/libpam/pam_modutil_private.h
@@ -2,7 +2,7 @@
#define PAMMODUTIL_PRIVATE_H
/*
- * $Id: pam_modutil_private.h,v 1.1 2005/09/21 10:00:58 t8m Exp $
+ * $Id: pam_modutil_private.h,v 1.2 2008/05/14 12:55:02 t8m Exp $
*
* Copyright (c) 2001 Andrew Morgan <morgan@kernel.org>
*/
@@ -13,8 +13,9 @@
#include <security/pam_modules.h>
#include <security/pam_modutil.h>
-#define PWD_INITIAL_LENGTH 0x100
-#define PWD_ABSURD_PWD_LENGTH 0x8000
+#define PWD_INITIAL_LENGTH 0x400
+#define PWD_ABSURD_PWD_LENGTH 0x40001
+#define PWD_LENGTH_SHIFT 4 /* 2^4 == 16 */
extern void
pam_modutil_cleanup(pam_handle_t *pamh, void *data,
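Review bot: `PWD_ABSURD_PWD_LENGTH 0x40001` looks deliberately one above a power of two so that the retry loops (`} while (length < PWD_ABSURD_PWD_LENGTH);` in the pam_modutil_get* files) still attempt a 0x40000-byte buffer after 0x400 and 0x4000; that intent is not recorded, and a later "cleanup" to 0x40000 would silently drop the last attempt. Add a comment such as `/* one above 0x40000 so the 256 KiB buffer is still tried */` next to the define, and say in the PWD_LENGTH_SHIFT comment that each retry grows the buffer by a factor of 16 rather than 4 as before.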
diff --git a/libpam/pam_password.c b/libpam/pam_password.c
index cd57f20b..7e1e47df 100644
--- a/libpam/pam_password.c
+++ b/libpam/pam_password.c
@@ -1,7 +1,7 @@
/* pam_password.c - PAM Password Management */
/*
- * $Id: pam_password.c,v 1.5 2006/07/24 15:47:40 kukuk Exp $
+ * $Id: pam_password.c,v 1.6 2009/02/18 21:25:51 kukuk Exp $
*/
/* #define DEBUG */
@@ -24,6 +24,13 @@ int pam_chauthtok(pam_handle_t *pamh, int flags)
return PAM_SYSTEM_ERR;
}
+ /* applications are not allowed to set this flags */
+ if (flags & (PAM_PRELIM_CHECK | PAM_UPDATE_AUTHTOK)) {
+ pam_syslog (pamh, LOG_ERR,
+ "PAM_PRELIM_CHECK or PAM_UPDATE_AUTHTOK set by application");
+ return PAM_SYSTEM_ERR;
+ }
+
if (pamh->former.choice == PAM_NOT_STACKED) {
_pam_start_timer(pamh); /* we try to make the time for a failure
independent of the time it takes to
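Review bot: The comment on the new guard, `/* applications are not allowed to set this flags */`, should read `these flags`, and it should say why: PAM_PRELIM_CHECK and PAM_UPDATE_AUTHTOK select the preliminary/update pass inside libpam's own dispatch, so an application passing them would presumably skip or repeat a pass that modules rely on. Logging the rejection at LOG_ERR is right, but consider including the offending flag value in the message so misbehaving callers are easy to identify. pam_chauthtok continues outside the hunk.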
@@ -58,4 +65,3 @@ int pam_chauthtok(pam_handle_t *pamh, int flags)
return retval;
}
-
diff --git a/libpam/pam_private.h b/libpam/pam_private.h
index 333f4d0f..134dc726 100644
--- a/libpam/pam_private.h
+++ b/libpam/pam_private.h
@@ -60,6 +60,7 @@ struct handler {
#define PAM_HT_MODULE 0
#define PAM_HT_MUST_FAIL 1
#define PAM_HT_SUBSTACK 2
+#define PAM_HT_SILENT_MODULE 3
struct loaded_module {
char *name;
@@ -153,6 +154,7 @@ struct pam_handle {
char *ruser;
char *tty;
char *xdisplay;
+ char *authtok_type; /* PAM_AUTHTOK_TYPE */
struct pam_data *data;
struct pam_environ *env; /* structure to maintain environment list */
struct _pam_fail_delay fail_delay; /* helper function for easy delays */
@@ -161,6 +163,8 @@ struct pam_handle {
struct _pam_former_state former; /* library state - support for
event driven applications */
const char *mod_name; /* Name of the module currently executed */
+ int mod_argc; /* Number of module arguments */
+ char **mod_argv; /* module arguments */
int choice; /* Which function we call from the module */
#ifdef HAVE_LIBAUDIT
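Review bot: The new `mod_argc`/`mod_argv` fields deserve a comment saying they are only meaningful while a module's entry point is running — _pam_dispatch_aux in this commit sets them immediately before `h->func(...)` and resets them to 0/NULL right after — so readers such as get_option() in pam_get_authtok.c must expect 0/NULL when called from application context. Suggested: `int mod_argc; /* Number of module arguments; valid only while a module runs */`. The `authtok_type` field should likewise note that the string is owned by the handle and released in pam_end().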
diff --git a/libpam/pam_start.c b/libpam/pam_start.c
index d7198323..0156c61a 100644
--- a/libpam/pam_start.c
+++ b/libpam/pam_start.c
@@ -3,7 +3,7 @@
/* Creator Marc Ewing
* Maintained by AGM
*
- * $Id: pam_start.c,v 1.10 2007/10/19 17:06:30 t8m Exp $
+ * $Id: pam_start.c,v 1.11 2008/12/11 19:41:49 kukuk Exp $
*
*/
@@ -51,7 +51,7 @@ int pam_start (
else. Forbid paths. */
if (strrchr(service_name, '/') != NULL)
service_name = strrchr(service_name, '/') + 1;
-
+
/* Mark the caller as the application - permission to do certain
things is limited to a module or an application */
@@ -92,6 +92,9 @@ int pam_start (
#ifdef HAVE_LIBAUDIT
(*pamh)->audit_state = 0;
#endif
+ (*pamh)->xdisplay = NULL;
+ (*pamh)->authtok_type = NULL;
+ memset (&((*pamh)->xauth), 0, sizeof ((*pamh)->xauth));
if (((*pamh)->pam_conversation = (struct pam_conv *)
malloc(sizeof(struct pam_conv))) == NULL) {
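Review bot: Initialising `xdisplay`, `authtok_type` and `xauth` one field at a time here repeats the pattern that caused the bug being fixed — fields added to struct pam_handle after the allocation were left indeterminate and then handed to _pam_drop/_pam_overwrite in pam_end() (the xauth lines are visible in this commit's pam_end.c hunk) — and the next field added will hit it again. If the handle is allocated with malloc (the allocation is outside this hunk), switch it to calloc or add `memset(*pamh, 0, sizeof(**pamh));` right after the allocation succeeds, and keep only the non-zero initialisers explicit. pam_start continues outside the hunk.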
@@ -129,7 +132,7 @@ int pam_start (
_pam_drop(*pamh);
return PAM_ABORT;
}
-
+
D(("exiting pam_start successfully"));
return PAM_SUCCESS;
diff --git a/libpam/pam_static_modules.h b/libpam/pam_static_modules.h
index a66b486d..999adc2a 100644
--- a/libpam/pam_static_modules.h
+++ b/libpam/pam_static_modules.h
@@ -61,6 +61,7 @@ extern struct pam_module _pam_namespace_modstruct;
#endif
extern struct pam_module _pam_nologin_modstruct;
extern struct pam_module _pam_permit_modstruct;
+extern struct pam_module _pam_pwhistory_modstruct;
extern struct pam_module _pam_rhosts_modstruct;
extern struct pam_module _pam_rhosts_auth_modstruct;
extern struct pam_module _pam_rootok_modstruct;
@@ -73,7 +74,9 @@ extern struct pam_module _pam_shells_modstruct;
extern struct pam_module _pam_stress_modstruct;
extern struct pam_module _pam_succeed_if_modstruct;
extern struct pam_module _pam_tally_modstruct;
+extern struct pam_module _pam_tally2_modstruct;
extern struct pam_module _pam_time_modstruct;
+extern struct pam_module _pam_timestamp_modstruct;
#ifdef HAVE_AUDIT_TTY_STATUS
extern struct pam_module _pam_tty_audit_modstruct;
#endif
@@ -119,6 +122,7 @@ static struct pam_module *static_modules[] = {
#endif
&_pam_nologin_modstruct,
&_pam_permit_modstruct,
+ &_pam_pwhistory_modstruct,
&_pam_rhosts_modstruct,
&_pam_rhosts_auth_modstruct,
&_pam_rootok_modstruct,
@@ -131,7 +135,9 @@ static struct pam_module *static_modules[] = {
&_pam_stress_modstruct,
&_pam_succeed_if_modstruct,
&_pam_tally_modstruct,
+ &_pam_tally2_modstruct,
&_pam_time_modstruct,
+ &_pam_timestamp_modstruct,
#ifdef HAVE_AUDIT_TTY_STATUS
&_pam_tty_audit_modstruct,
#endif