summaryrefslogtreecommitdiff
path: root/modules/pam_pwdb/pam_unix_passwd.-c
diff options
context:
space:
mode:
Diffstat (limited to 'modules/pam_pwdb/pam_unix_passwd.-c')
-rw-r--r--modules/pam_pwdb/pam_unix_passwd.-c373
1 files changed, 0 insertions, 373 deletions
diff --git a/modules/pam_pwdb/pam_unix_passwd.-c b/modules/pam_pwdb/pam_unix_passwd.-c
deleted file mode 100644
index 0949af7f..00000000
--- a/modules/pam_pwdb/pam_unix_passwd.-c
+++ /dev/null
@@ -1,373 +0,0 @@
-/* $Id$ */
-
-static const char rcsid_pass[] =
-"$Id$\n"
-" - PAM_PWDB password module <morgan@parc.power.net>"
-;
-
-#include "pam_unix_pwupd.-c"
-
-/* passwd/salt conversion macros */
-
-#define ascii_to_bin(c) ((c)>='a'?(c-59):(c)>='A'?((c)-53):(c)-'.')
-#define bin_to_ascii(c) ((c)>=38?((c)-38+'a'):(c)>=12?((c)-12+'A'):(c)+'.')
-
-/* data tokens */
-
-#define _UNIX_OLD_AUTHTOK "-UN*X-OLD-PASS"
-#define _UNIX_NEW_AUTHTOK "-UN*X-NEW-PASS"
-
-/* Implementation */
-
-/*
- * i64c - convert an integer to a radix 64 character
- */
-static int i64c(int i)
-{
- if (i < 0)
- return ('.');
- else if (i > 63)
- return ('z');
- if (i == 0)
- return ('.');
- if (i == 1)
- return ('/');
- if (i >= 2 && i <= 11)
- return ('0' - 2 + i);
- if (i >= 12 && i <= 37)
- return ('A' - 12 + i);
- if (i >= 38 && i <= 63)
- return ('a' - 38 + i);
- return ('\0');
-}
-
-/*
- * FUNCTION: _pam_unix_chauthtok()
- *
- * this function works in two passes. The first, when UNIX__PRELIM is
- * set, obtains the previous password. It sets the PAM_OLDAUTHTOK item
- * or stores it as a data item. The second function obtains a new
- * password (verifying if necessary, that the user types it the same a
- * second time.) depending on the 'ctrl' flags this new password may
- * be stored in the PAM_AUTHTOK item or a private data item.
- *
- * Having obtained a new password. The function updates the
- * /etc/passwd (and optionally the /etc/shadow) file(s).
- *
- * Provision is made for the creation of a blank shadow file if none
- * is available, but one is required to update the shadow file -- the
- * intention being for shadow passwords to be seamlessly implemented
- * from the generic UNIX scheme. -- THIS BIT IS PRE-ALPHA.. and included
- * in this release (.52) mostly for the purpose of discussion.
- */
-
-static int _unix_chauthtok(pam_handle_t *pamh, unsigned int ctrl)
-{
- int retval;
- unsigned int lctrl;
-
- /* <DO NOT free() THESE> */
- const char *user;
- const char *pass_old, *pass_new;
- /* </DO NOT free() THESE> */
-
- D(("called"));
-
- /*
- * First get the name of a user
- */
-
- retval = _unix_get_user( pamh, ctrl, "Username: ", &user );
- if ( retval != PAM_SUCCESS ) {
- if ( on(UNIX_DEBUG,ctrl) ) {
- _log_err(LOG_DEBUG, "password - could not identify user");
- }
- return retval;
- }
-
- if ( on(UNIX__PRELIM, ctrl) ) {
- /*
- * obtain and verify the current password (OLDAUTHTOK) for
- * the user.
- */
-
- char *Announce;
-
- D(("prelim check"));
-
- if ( _unix_blankpasswd(ctrl, user) ) {
-
- return PAM_SUCCESS;
-
- } else if ( off(UNIX__IAMROOT, ctrl) ) {
-
- /* instruct user what is happening */
-#define greeting "Changing password for "
- Announce = (char *) malloc(sizeof(greeting)+strlen(user));
- if (Announce == NULL) {
- _log_err(LOG_CRIT, "password - out of memory");
- return PAM_BUF_ERR;
- }
- (void) strcpy(Announce, greeting);
- (void) strcpy(Announce+sizeof(greeting)-1, user);
-#undef greeting
-
- lctrl = ctrl;
- set(UNIX__OLD_PASSWD, lctrl);
- retval = _unix_read_password( pamh, lctrl
- , Announce
- , "(current) UNIX password: "
- , NULL
- , _UNIX_OLD_AUTHTOK
- , &pass_old );
- free(Announce);
-
- if ( retval != PAM_SUCCESS ) {
- _log_err(LOG_NOTICE
- , "password - (old) token not obtained");
- return retval;
- }
-
- /* verify that this is the password for this user */
-
- retval = _unix_verify_password(pamh, user, pass_old, ctrl);
- } else {
- D(("process run by root so do nothing this time around"));
- pass_old = NULL;
- retval = PAM_SUCCESS; /* root doesn't have too */
- }
-
- if ( retval != PAM_SUCCESS ) {
- D(("Authentication failed"));
- pass_old = NULL;
- return retval;
- }
-
- retval = pam_set_item(pamh, PAM_OLDAUTHTOK, (const void *) pass_old);
- pass_old = NULL;
- if ( retval != PAM_SUCCESS ) {
- _log_err(LOG_CRIT, "failed to set PAM_OLDAUTHTOK");
- }
-
- } else if ( on( UNIX__UPDATE, ctrl ) ) {
- /* tpass is used below to store the _pam_md() return; it
- * should be _pam_delete()'d. */
-
- char *tpass=NULL;
-
- /*
- * obtain the proposed password
- */
-
- D(("do update"));
-
- /*
- * get the old token back. NULL was ok only if root [at this
- * point we assume that this has already been enforced on a
- * previous call to this function].
- */
-
- if ( off(UNIX_NOT_SET_PASS, ctrl) ) {
- retval = pam_get_item(pamh, PAM_OLDAUTHTOK
- , (const void **)&pass_old);
- } else {
- retval = pam_get_data(pamh, _UNIX_OLD_AUTHTOK
- , (const void **)&pass_old);
- if (retval == PAM_NO_MODULE_DATA) {
- retval = PAM_SUCCESS;
- pass_old = NULL;
- }
- }
-
- if (retval != PAM_SUCCESS) {
- _log_err(LOG_NOTICE, "user not authenticated");
- return retval;
- }
-
- D(("get new password now"));
-
- lctrl = ctrl;
-
- /*
- * use_authtok is to force the use of a previously entered
- * password -- needed for pluggable password strength checking
- */
-
- if ( on(UNIX_USE_AUTHTOK, lctrl) ) {
- set(UNIX_USE_FIRST_PASS, lctrl);
- }
-
- retval = _unix_read_password( pamh, lctrl
- , NULL
- , "Enter new UNIX password: "
- , "Retype new UNIX password: "
- , _UNIX_NEW_AUTHTOK
- , &pass_new );
-
- if ( retval != PAM_SUCCESS ) {
- if ( on(UNIX_DEBUG,ctrl) ) {
- _log_err(LOG_ALERT
- , "password - new password not obtained");
- }
- pass_old = NULL; /* tidy up */
- return retval;
- }
-
- D(("returned to _unix_chauthtok"));
-
- /*
- * At this point we know who the user is and what they
- * propose as their new password. Verify that the new
- * password is acceptable.
- */
-
- if (pass_new[0] == '\0') { /* "\0" password = NULL */
- pass_new = NULL;
- }
-
- retval = _pam_unix_approve_pass(pamh, ctrl, pass_old, pass_new);
-
- if (retval != PAM_SUCCESS) {
- _log_err(LOG_NOTICE, "new password not acceptable");
- pass_new = pass_old = NULL; /* tidy up */
- return retval;
- }
-
- /*
- * By reaching here we have approved the passwords and must now
- * rebuild the password database file.
- *
- * This includes the fact that the password is _not_ NULL.
- */
-
- /*
- * First we encrypt the new password.
- *
- * XXX - this is where we might need some code for RADIUS types
- * of password handling... no encryption needed..
- */
-
- if ( on(UNIX_MD5_PASS, ctrl) ) {
-
- /*
- * Code lifted from Marek Michalkiewicz's shadow suite. (CG)
- * removed use of static variables (AGM)
- */
-
- struct timeval tv;
- MD5_CTX ctx;
- unsigned char result[16];
- char *cp = (char *)result;
- unsigned char tmp[16];
- int i;
-
- GoodMD5Init(&ctx);
- gettimeofday(&tv, (struct timezone *) 0);
- GoodMD5Update(&ctx, (void *) &tv, sizeof tv);
- i = getpid();
- GoodMD5Update(&ctx, (void *) &i, sizeof i);
- i = clock();
- GoodMD5Update(&ctx, (void *) &i, sizeof i);
- GoodMD5Update(&ctx, result, sizeof result);
- GoodMD5Final(tmp, &ctx);
- strcpy(cp, "$1$"); /* magic for the MD5 */
- cp += strlen(cp);
- for (i = 0; i < 8; i++)
- *cp++ = i64c(tmp[i] & 077);
- *cp = '\0';
-
- /* no longer need cleartext */
- pass_new = tpass = _pam_md(pass_new, (const char *)result);
-
- } else {
- /*
- * Salt manipulation is stolen from Rick Faith's passwd
- * program. Sorry Rick :) -- alex
- */
-
- time_t tm;
- char salt[3];
-
- time(&tm);
- salt[0] = bin_to_ascii(tm & 0x3f);
- salt[1] = bin_to_ascii((tm >> 6) & 0x3f);
- salt[2] = '\0';
-
- if ( off(UNIX_BIGCRYPT, ctrl) && strlen(pass_new) > 8 ) {
- /* to avoid using the _extensions_ of the bigcrypt()
- function we truncate the newly entered password */
- char *temp = malloc(9);
-
- if (temp == NULL) {
- _log_err(LOG_CRIT, "out of memory for password");
- pass_new = pass_old = NULL; /* tidy up */
- return PAM_BUF_ERR;
- }
-
- /* copy first 8 bytes of password */
- strncpy(temp, pass_new, 8);
- temp[8] = '\0';
-
- /* no longer need cleartext */
- pass_new = tpass = _pam_md( temp, salt );
-
- _pam_delete(temp); /* tidy up */
- } else {
- /* no longer need cleartext */
- pass_new = tpass = _pam_md( pass_new, salt );
- }
- }
-
- D(("password processed"));
-
- /* update the password database(s) -- race conditions..? */
-
- retval = unix_update_db(pamh, ctrl, user, pass_old, pass_new);
- pass_old = pass_new = NULL;
-
- } else { /* something has broken with the module */
-
- _log_err(LOG_ALERT, "password received unknown request");
- retval = PAM_ABORT;
-
- }
-
- return retval;
-}
-
-/* ******************************************************************
- * Copyright (c) Alexander O. Yuriev (alex@bach.cis.temple.edu), 1996.
- * Copyright (c) Andrew Morgan <morgan@parc.power.net> 1996, 1997.
- * Copyright (c) Cristian Gafton, <gafton@redhat.com> 1996, 1997.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, and the entire permission notice in its entirety,
- * including the disclaimer of warranties.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. The name of the author may not be used to endorse or promote
- * products derived from this software without specific prior
- * written permission.
- *
- * ALTERNATIVELY, this product may be distributed under the terms of
- * the GNU Public License, in which case the provisions of the GPL are
- * required INSTEAD OF the above restrictions. (This clause is
- * necessary due to a potential bad interaction between the GPL and
- * the restrictions contained in a BSD-style copyright.)
- *
- * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
- * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
- * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
- * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
- * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
- * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- */