diff options
Diffstat (limited to 'modules/pam_userdb')
| -rw-r--r-- | modules/pam_userdb/Makefile.am | 1 | ||||
| -rw-r--r-- | modules/pam_userdb/conv.c | 125 | ||||
| -rw-r--r-- | modules/pam_userdb/pam_userdb.c | 156 | ||||
| -rw-r--r-- | modules/pam_userdb/pam_userdb.h | 3 |
4 files changed, 88 insertions, 197 deletions
diff --git a/modules/pam_userdb/Makefile.am b/modules/pam_userdb/Makefile.am index 3c87f1aa..5d7e8017 100644 --- a/modules/pam_userdb/Makefile.am +++ b/modules/pam_userdb/Makefile.am @@ -22,5 +22,4 @@ if HAVE_LIBDB securelib_LTLIBRARIES = pam_userdb.la endif -pam_userdb_la_SOURCES = pam_userdb.c conv.c noinst_HEADERS = pam_userdb.h diff --git a/modules/pam_userdb/conv.c b/modules/pam_userdb/conv.c deleted file mode 100644 index 33923851..00000000 --- a/modules/pam_userdb/conv.c +++ /dev/null @@ -1,125 +0,0 @@ -/* - * Conversation related functions - */ - -/* $Id */ -/* Copyright at the end of the file */ - -#include <stdlib.h> -#include <string.h> - -#include <security/pam_modules.h> -#include <security/_pam_macros.h> - -#include "pam_userdb.h" - -/* - * dummy conversation function sending exactly one prompt - * and expecting exactly one response from the other party - */ -static int converse(pam_handle_t *pamh, - struct pam_message **message, - struct pam_response **response) -{ - int retval; - const void* void_conv; - const struct pam_conv *conv; - - retval = pam_get_item(pamh, PAM_CONV, &void_conv ) ; - conv = void_conv; - if (retval == PAM_SUCCESS) - retval = conv->conv(1, (const struct pam_message **)message, - response, conv->appdata_ptr); - - return retval; /* propagate error status */ -} - - -static char *_pam_delete(register char *xx) -{ - _pam_overwrite(xx); - _pam_drop(xx); - return NULL; -} - -/* - * This is a conversation function to obtain the user's password - */ -int conversation(pam_handle_t *pamh) -{ - struct pam_message msg[2],*pmsg[2]; - struct pam_response *resp; - int retval; - char * token = NULL; - - pmsg[0] = &msg[0]; - msg[0].msg_style = PAM_PROMPT_ECHO_OFF; - msg[0].msg = "Password: "; - - /* so call the conversation expecting i responses */ - resp = NULL; - retval = converse(pamh, pmsg, &resp); - - if (resp != NULL) { - const void *item; - /* interpret the response */ - if (retval == PAM_SUCCESS) { /* a good conversation */ - token = x_strdup(resp[0].resp); - if (token == NULL) { - return PAM_AUTHTOK_RECOVER_ERR; - } - } - - /* set the auth token */ - retval = pam_set_item(pamh, PAM_AUTHTOK, token); - token = _pam_delete(token); /* clean it up */ - if ( (retval != PAM_SUCCESS) || - (retval = pam_get_item(pamh, PAM_AUTHTOK, &item)) - != PAM_SUCCESS ) { - return retval; - } - - _pam_drop_reply(resp, 1); - } else { - retval = (retval == PAM_SUCCESS) - ? PAM_AUTHTOK_RECOVER_ERR:retval ; - } - - return retval; -} - -/* - * Copyright (c) Cristian Gafton <gafton@redhat.com>, 1999 - * All rights reserved - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, and the entire permission notice in its entirety, - * including the disclaimer of warranties. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. The name of the author may not be used to endorse or promote - * products derived from this software without specific prior - * written permission. - * - * ALTERNATIVELY, this product may be distributed under the terms of - * the GNU Public License, in which case the provisions of the GPL are - * required INSTEAD OF the above restrictions. (This clause is - * necessary due to a potential bad interaction between the GPL and - * the restrictions contained in a BSD-style copyright.) - * - * THIS SOFTWARE IS PROVIDED `AS IS'' AND ANY EXPRESS OR IMPLIED - * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES - * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE - * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, - * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES - * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR - * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - */ diff --git a/modules/pam_userdb/pam_userdb.c b/modules/pam_userdb/pam_userdb.c index 87a6ffd5..61b0da86 100644 --- a/modules/pam_userdb/pam_userdb.c +++ b/modules/pam_userdb/pam_userdb.c @@ -46,22 +46,45 @@ #define PAM_SM_ACCOUNT #include <security/pam_modules.h> +#include <security/pam_ext.h> +#include <security/_pam_macros.h> -/* some syslogging */ - -static void _pam_log(int err, const char *format, ...) +/* + * Conversation function to obtain the user's password + */ +static int +obtain_authtok(pam_handle_t *pamh) { - va_list args; + char *resp; + const void *item; + int retval; + + retval = pam_prompt(pamh, PAM_PROMPT_ECHO_OFF, &resp, "Password: "); + + if (retval != PAM_SUCCESS) + return retval; + + if (resp == NULL) + return PAM_AUTHTOK_RECOVER_ERR; - va_start(args, format); - openlog(MODULE_NAME, LOG_CONS|LOG_PID, LOG_AUTH); - vsyslog(err, format, args); - va_end(args); - closelog(); + /* set the auth token */ + retval = pam_set_item(pamh, PAM_AUTHTOK, resp); + + /* clean it up */ + _pam_overwrite(resp); + _pam_drop(resp); + + if ( (retval != PAM_SUCCESS) || + (retval = pam_get_item(pamh, PAM_AUTHTOK, &item)) + != PAM_SUCCESS ) { + return retval; + } + + return retval; } static int -_pam_parse (int argc, const char **argv, +_pam_parse (pam_handle_t *pamh, int argc, const char **argv, char **database, char **cryptmode) { int ctrl; @@ -88,21 +111,19 @@ _pam_parse (int argc, const char **argv, { *database = strdup((*argv) + 3); if ((*database == NULL) || (strlen (*database) == 0)) - _pam_log(LOG_ERR, - "pam_parse: could not parse argument \"%s\"", - *argv); + pam_syslog(pamh, LOG_ERR, + "could not parse argument \"%s\"", *argv); } else if (!strncasecmp(*argv,"crypt=", 6)) { *cryptmode = strdup((*argv) + 6); if ((*cryptmode == NULL) || (strlen (*cryptmode) == 0)) - _pam_log(LOG_ERR, - "pam_parse: could not parse argument \"%s\"", - *argv); + pam_syslog(pamh, LOG_ERR, + "could not parse argument \"%s\"", *argv); } else { - _pam_log(LOG_ERR, "pam_parse: unknown option; %s", *argv); + pam_syslog(pamh, LOG_ERR, "unknown option: %s", *argv); } } @@ -120,7 +141,7 @@ _pam_parse (int argc, const char **argv, * -2 = System error */ static int -user_lookup (const char *database, const char *cryptmode, +user_lookup (pam_handle_t *pamh, const char *database, const char *cryptmode, const char *user, const char *pass, int ctrl) { DBM *dbm; @@ -129,19 +150,20 @@ user_lookup (const char *database, const char *cryptmode, /* Open the DB file. */ dbm = dbm_open(database, O_RDONLY, 0644); if (dbm == NULL) { - _pam_log(LOG_ERR, "user_lookup: could not open database `%s'", - database); + pam_syslog(pamh, LOG_ERR, + "user_lookup: could not open database `%s': %m", database); return -2; } /* dump out the database contents for debugging */ if (ctrl & PAM_DUMP_ARG) { - _pam_log(LOG_INFO, "Database dump:"); + pam_syslog(pamh, LOG_INFO, "Database dump:"); for (key = dbm_firstkey(dbm); key.dptr != NULL; key = dbm_nextkey(dbm)) { data = dbm_fetch(dbm, key); - _pam_log(LOG_INFO, "key[len=%d] = `%s', data[len=%d] = `%s'", - key.dsize, key.dptr, data.dsize, data.dptr); + pam_syslog(pamh, LOG_INFO, + "key[len=%d] = `%s', data[len=%d] = `%s'", + key.dsize, key.dptr, data.dsize, data.dptr); } } @@ -164,8 +186,9 @@ user_lookup (const char *database, const char *cryptmode, } if (ctrl & PAM_DEBUG_ARG) { - _pam_log(LOG_INFO, "password in database is [%p]`%.*s', len is %d", - data.dptr, data.dsize, (char *) data.dptr, data.dsize); + pam_syslog(pamh, LOG_INFO, + "password in database is [%p]`%.*s', len is %d", + data.dptr, data.dsize, (char *) data.dptr, data.dsize); } if (data.dptr != NULL) { @@ -199,7 +222,7 @@ user_lookup (const char *database, const char *cryptmode, } else { compare = -2; if (ctrl & PAM_DEBUG_ARG) { - _pam_log(LOG_INFO, "crypt() returned NULL"); + pam_syslog(pamh, LOG_INFO, "crypt() returned NULL"); } }; @@ -221,9 +244,9 @@ user_lookup (const char *database, const char *cryptmode, if (cryptmode && strncasecmp(cryptmode, "none", 4) && (ctrl & PAM_DEBUG_ARG)) { - _pam_log(LOG_INFO, "invalid value for crypt parameter: %s", - cryptmode); - _pam_log(LOG_INFO, "defaulting to plaintext password mode"); + pam_syslog(pamh, LOG_INFO, "invalid value for crypt parameter: %s", + cryptmode); + pam_syslog(pamh, LOG_INFO, "defaulting to plaintext password mode"); } } @@ -237,8 +260,7 @@ user_lookup (const char *database, const char *cryptmode, int saw_user = 0; if (ctrl & PAM_DEBUG_ARG) { - _pam_log(LOG_INFO, "error returned by dbm_fetch: %s", - strerror(errno)); + pam_syslog(pamh, LOG_INFO, "error returned by dbm_fetch: %m"); } /* probably we should check dbm_error() here */ @@ -294,9 +316,9 @@ user_lookup (const char *database, const char *cryptmode, /* --- authentication management functions (only) --- */ -PAM_EXTERN -int pam_sm_authenticate(pam_handle_t *pamh, int flags, - int argc, const char **argv) +PAM_EXTERN int +pam_sm_authenticate(pam_handle_t *pamh, int flags UNUSED, + int argc, const char **argv) { const char *username; const void *password; @@ -305,26 +327,24 @@ int pam_sm_authenticate(pam_handle_t *pamh, int flags, int retval = PAM_AUTH_ERR, ctrl; /* parse arguments */ - ctrl = _pam_parse(argc, argv, &database, &cryptmode); + ctrl = _pam_parse(pamh, argc, argv, &database, &cryptmode); if ((database == NULL) || (strlen(database) == 0)) { - if (ctrl & PAM_DEBUG_ARG) - _pam_log(LOG_DEBUG,"can not get the database name"); + pam_syslog(pamh, LOG_ERR, "can not get the database name"); return PAM_SERVICE_ERR; } /* Get the username */ retval = pam_get_user(pamh, &username, NULL); if ((retval != PAM_SUCCESS) || (!username)) { - if (ctrl & PAM_DEBUG_ARG) - _pam_log(LOG_DEBUG,"can not get the username"); + pam_syslog(pamh, LOG_ERR, "can not get the username"); return PAM_SERVICE_ERR; } /* Converse just to be sure we have a password */ - retval = conversation(pamh); + retval = obtain_authtok(pamh); if (retval != PAM_SUCCESS) { - _pam_log(LOG_ERR, "could not obtain password for `%s'", - username); + pam_syslog(pamh, LOG_ERR, "could not obtain password for `%s'", + username); return PAM_CONV_ERR; } @@ -335,10 +355,10 @@ int pam_sm_authenticate(pam_handle_t *pamh, int flags, * do so again. */ retval = pam_get_item(pamh, PAM_AUTHTOK, &password); if ((retval != PAM_SUCCESS) && ((ctrl & PAM_USE_AUTHTOK_ARG) != 0)) { - retval = conversation(pamh); + retval = obtain_authtok(pamh); if (retval != PAM_SUCCESS) { - _pam_log(LOG_ERR, "could not obtain password for `%s'", - username); + pam_syslog(pamh, LOG_ERR, "could not obtain password for `%s'", + username); return PAM_CONV_ERR; } } @@ -346,39 +366,39 @@ int pam_sm_authenticate(pam_handle_t *pamh, int flags, /* Get the password */ retval = pam_get_item(pamh, PAM_AUTHTOK, &password); if (retval != PAM_SUCCESS) { - _pam_log(LOG_ERR, "Could not retrieve user's password"); + pam_syslog(pamh, LOG_ERR, "Could not retrieve user's password"); return -2; } if (ctrl & PAM_DEBUG_ARG) - _pam_log(LOG_INFO, "Verify user `%s' with password `%s'", - username, password); + pam_syslog(pamh, LOG_INFO, "Verify user `%s' with password `%s'", + username, (const char *)password); /* Now use the username to look up password in the database file */ - retval = user_lookup(database, cryptmode, username, password, ctrl); + retval = user_lookup(pamh, database, cryptmode, username, password, ctrl); switch (retval) { case -2: /* some sort of system error. The log was already printed */ return PAM_SERVICE_ERR; case -1: /* incorrect password */ - _pam_log(LOG_WARNING, - "user `%s' denied access (incorrect password)", - username); + pam_syslog(pamh, LOG_WARNING, + "user `%s' denied access (incorrect password)", + username); return PAM_AUTH_ERR; case 1: /* the user does not exist in the database */ if (ctrl & PAM_DEBUG_ARG) - _pam_log(LOG_NOTICE, "user `%s' not found in the database", - username); + pam_syslog(pamh, LOG_NOTICE, + "user `%s' not found in the database", username); return PAM_USER_UNKNOWN; case 0: /* Otherwise, the authentication looked good */ - _pam_log(LOG_NOTICE, "user '%s' granted acces", username); + pam_syslog(pamh, LOG_NOTICE, "user '%s' granted acces", username); return PAM_SUCCESS; default: /* we don't know anything about this return value */ - _pam_log(LOG_ERR, + pam_syslog(pamh, LOG_ERR, "internal module error (retval = %d, user = `%s'", retval, username); return PAM_SERVICE_ERR; @@ -388,15 +408,16 @@ int pam_sm_authenticate(pam_handle_t *pamh, int flags, return PAM_IGNORE; } -PAM_EXTERN -int pam_sm_setcred(pam_handle_t *pamh, int flags, - int argc, const char **argv) +PAM_EXTERN int +pam_sm_setcred(pam_handle_t *pamh UNUSED, int flags UNUSED, + int argc UNUSED, const char **argv UNUSED) { return PAM_SUCCESS; } -PAM_EXTERN -int pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, int argc, const char **argv) +PAM_EXTERN int +pam_sm_acct_mgmt(pam_handle_t *pamh, int flags UNUSED, + int argc, const char **argv) { const char *username; char *database = NULL; @@ -404,18 +425,17 @@ int pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, int argc, const char **argv) int retval = PAM_AUTH_ERR, ctrl; /* parse arguments */ - ctrl = _pam_parse(argc, argv, &database, &cryptmode); + ctrl = _pam_parse(pamh, argc, argv, &database, &cryptmode); /* Get the username */ retval = pam_get_user(pamh, &username, NULL); if ((retval != PAM_SUCCESS) || (!username)) { - if (ctrl & PAM_DEBUG_ARG) - _pam_log(LOG_DEBUG,"can not get the username"); + pam_syslog(pamh, LOG_ERR,"can not get the username"); return PAM_SERVICE_ERR; } /* Now use the username to look up password in the database file */ - retval = user_lookup(database, cryptmode, username, "", ctrl); + retval = user_lookup(pamh, database, cryptmode, username, "", ctrl); switch (retval) { case -2: /* some sort of system error. The log was already printed */ @@ -431,9 +451,9 @@ int pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, int argc, const char **argv) return PAM_USER_UNKNOWN; default: /* we don't know anything about this return value */ - _pam_log(LOG_ERR, - "internal module error (retval = %d, user = `%s'", - retval, username); + pam_syslog(pamh, LOG_ERR, + "internal module error (retval = %d, user = `%s'", + retval, username); return PAM_SERVICE_ERR; } diff --git a/modules/pam_userdb/pam_userdb.h b/modules/pam_userdb/pam_userdb.h index a371fa9f..8fb2e653 100644 --- a/modules/pam_userdb/pam_userdb.h +++ b/modules/pam_userdb/pam_userdb.h @@ -22,9 +22,6 @@ #define MODULE_NAME "pam_userdb" #endif /* MODULE_NAME */ -/* function prototypes */ -int conversation(pam_handle_t *); - #endif /* _PAM_USERSDB_H */ /* |