Diffstat (limited to 'modules/pam_userdb')
-rw-r--r-- | modules/pam_userdb/Makefile.am | 4 | ||||
-rw-r--r-- | modules/pam_userdb/Makefile.in | 15 | ||||
-rw-r--r-- | modules/pam_userdb/README.xml | 32 | ||||
-rw-r--r-- | modules/pam_userdb/pam_userdb.8 | 26 | ||||
-rw-r--r-- | modules/pam_userdb/pam_userdb.8.xml | 67 | ||||
-rw-r--r-- | modules/pam_userdb/pam_userdb.c | 7 |
6 files changed, 76 insertions, 75 deletions
diff --git a/modules/pam_userdb/Makefile.am b/modules/pam_userdb/Makefile.am index aa70e7de..e31d9ccc 100644 --- a/modules/pam_userdb/Makefile.am +++ b/modules/pam_userdb/Makefile.am @@ -15,7 +15,11 @@ dist_check_SCRIPTS = tst-pam_userdb TESTS = $(dist_check_SCRIPTS) securelibdir = $(SECUREDIR) +if HAVE_VENDORDIR +secureconfdir = $(VENDOR_SCONFIGDIR) +else secureconfdir = $(SCONFIGDIR) +endif AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ $(WARN_CFLAGS) diff --git a/modules/pam_userdb/Makefile.in b/modules/pam_userdb/Makefile.in index 6eb785f0..c19b4231 100644 --- a/modules/pam_userdb/Makefile.in +++ b/modules/pam_userdb/Makefile.in @@ -431,6 +431,7 @@ CYGPATH_W = @CYGPATH_W@ DEFS = @DEFS@ DEPDIR = @DEPDIR@ DLLTOOL = @DLLTOOL@ +DOCBOOK_RNG = @DOCBOOK_RNG@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ ECHO_C = @ECHO_C@ @@ -443,11 +444,13 @@ EXEEXT = @EXEEXT@ EXE_CFLAGS = @EXE_CFLAGS@ EXE_LDFLAGS = @EXE_LDFLAGS@ FGREP = @FGREP@ +FILECMD = @FILECMD@ FO2PDF = @FO2PDF@ GETTEXT_MACRO_VERSION = @GETTEXT_MACRO_VERSION@ GMSGFMT = @GMSGFMT@ GMSGFMT_015 = @GMSGFMT_015@ GREP = @GREP@ +HTML_STYLESHEET = @HTML_STYLESHEET@ INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ INSTALL_PROGRAM = @INSTALL_PROGRAM@ @@ -479,12 +482,14 @@ LIBSELINUX = @LIBSELINUX@ LIBTOOL = @LIBTOOL@ LIPO = @LIPO@ LN_S = @LN_S@ +LOGIND_CFLAGS = @LOGIND_CFLAGS@ LTLIBICONV = @LTLIBICONV@ LTLIBINTL = @LTLIBINTL@ LTLIBOBJS = @LTLIBOBJS@ LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@ MAKEINFO = @MAKEINFO@ MANIFEST_TOOL = @MANIFEST_TOOL@ +MAN_STYLESHEET = @MAN_STYLESHEET@ MKDIR_P = @MKDIR_P@ MSGFMT = @MSGFMT@ MSGFMT_015 = @MSGFMT_015@ @@ -507,6 +512,7 @@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ PACKAGE_URL = @PACKAGE_URL@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ +PDF_STYLESHEET = @PDF_STYLESHEET@ PKG_CONFIG = @PKG_CONFIG@ PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ 
@@ -517,12 +523,16 @@ SECUREDIR = @SECUREDIR@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ -STRINGPARAM_HMAC = @STRINGPARAM_HMAC@ +STRINGPARAM_PROFILECONDITIONS = @STRINGPARAM_PROFILECONDITIONS@ STRINGPARAM_VENDORDIR = @STRINGPARAM_VENDORDIR@ STRIP = @STRIP@ +SYSTEMD_CFLAGS = @SYSTEMD_CFLAGS@ +SYSTEMD_LIBS = @SYSTEMD_LIBS@ TIRPC_CFLAGS = @TIRPC_CFLAGS@ TIRPC_LIBS = @TIRPC_LIBS@ +TXT_STYLESHEET = @TXT_STYLESHEET@ USE_NLS = @USE_NLS@ +VENDOR_SCONFIGDIR = @VENDOR_SCONFIGDIR@ VERSION = @VERSION@ WARN_CFLAGS = @WARN_CFLAGS@ XGETTEXT = @XGETTEXT@ @@ -596,7 +606,8 @@ XMLS = README.xml pam_userdb.8.xml dist_check_SCRIPTS = tst-pam_userdb TESTS = $(dist_check_SCRIPTS) securelibdir = $(SECUREDIR) -secureconfdir = $(SCONFIGDIR) +@HAVE_VENDORDIR_FALSE@secureconfdir = $(SCONFIGDIR) +@HAVE_VENDORDIR_TRUE@secureconfdir = $(VENDOR_SCONFIGDIR) AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ $(WARN_CFLAGS) diff --git a/modules/pam_userdb/README.xml b/modules/pam_userdb/README.xml index b22c09e7..4e8f8ee7 100644 --- a/modules/pam_userdb/README.xml +++ b/modules/pam_userdb/README.xml 
@@ -1,41 +1,27 @@ -<?xml version="1.0" encoding='UTF-8'?> -<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" -"http://www.docbook.org/xml/4.3/docbookx.dtd" -[ -<!-- -<!ENTITY pamaccess SYSTEM "pam_userdb.8.xml"> ---> -]> +<article xmlns="http://docbook.org/ns/docbook" version="5.0"> -<article> - - <articleinfo> + <info> <title> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_userdb.8.xml" xpointer='xpointer(//refnamediv[@id = "pam_userdb-name"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_userdb.8.xml" xpointer='xpointer(id("pam_userdb-name")/*)'/> </title> - </articleinfo> + </info> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_userdb.8.xml" xpointer='xpointer(//refsect1[@id = "pam_userdb-description"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_userdb.8.xml" xpointer='xpointer(id("pam_userdb-description")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_userdb.8.xml" xpointer='xpointer(//refsect1[@id = "pam_userdb-options"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_userdb.8.xml" xpointer='xpointer(id("pam_userdb-options")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_userdb.8.xml" xpointer='xpointer(//refsect1[@id = "pam_userdb-examples"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_userdb.8.xml" xpointer='xpointer(id("pam_userdb-examples")/*)'/> </section> <section> - <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" - href="pam_userdb.8.xml" xpointer='xpointer(//refsect1[@id = "pam_userdb-author"]/*)'/> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="pam_userdb.8.xml" xpointer='xpointer(id("pam_userdb-author")/*)'/> </section> -</article> +</article>
\ No newline at end of file diff --git a/modules/pam_userdb/pam_userdb.8 b/modules/pam_userdb/pam_userdb.8 index fc002787..c6397723 100644 --- a/modules/pam_userdb/pam_userdb.8 +++ b/modules/pam_userdb/pam_userdb.8 @@ -1,13 +1,13 @@ '\" t .\" Title: pam_userdb .\" Author: [see the "AUTHOR" section] -.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/> -.\" Date: 09/03/2021 +.\" Generator: DocBook XSL Stylesheets v1.79.2 <http://docbook.sf.net/> +.\" Date: 05/07/2023 .\" Manual: Linux-PAM Manual -.\" Source: Linux-PAM Manual +.\" Source: Linux-PAM .\" Language: English .\" -.TH "PAM_USERDB" "8" "09/03/2021" "Linux-PAM Manual" "Linux\-PAM Manual" +.TH "PAM_USERDB" "8" "05/07/2023" "Linux\-PAM" "Linux\-PAM Manual" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- @@ -37,7 +37,7 @@ pam_userdb \- PAM module to authenticate against a db database The pam_userdb module is used to verify a username/password pair against values stored in a Berkeley DB database\&. The database is indexed by the username, and the data fields corresponding to the username keys are the passwords\&. .SH "OPTIONS" .PP -\fBcrypt=[crypt|none]\fR +crypt=[crypt|none] .RS 4 Indicates whether encrypted or plaintext passwords are stored in the database\&. If it is \fBcrypt\fR, passwords should be stored in the database in @@ -47,7 +47,7 @@ form\&. If is selected, passwords should be stored in the database as plaintext\&. .RE .PP -\fBdb=\fR\fB\fI/path/database\fR\fR +db=/path/database .RS 4 Use the /path/database 
@@ -58,37 +58,37 @@ if no database is provided\&. Note that the path to the database file should be suffix\&. .RE .PP -\fBdebug\fR +debug .RS 4 Print debug information\&. Note that password hashes, both from db and computed, will be printed to syslog\&. .RE .PP -\fBdump\fR +dump .RS 4 Dump all the entries in the database to the log\&. Don\*(Aqt do this by default! .RE .PP -\fBicase\fR +icase .RS 4 Make the password verification to be case insensitive (ie when working with registration numbers and such)\&. Only works with plaintext password storage\&. .RE .PP -\fBtry_first_pass\fR +try_first_pass .RS 4 Use the authentication token previously obtained by another module that did the conversation with the application\&. If this token can not be obtained then the module will try to converse\&. This option can be used for stacking different modules that need to deal with the authentication tokens\&. .RE .PP -\fBuse_first_pass\fR +use_first_pass .RS 4 Use the authentication token previously obtained by another module that did the conversation with the application\&. If this token can not be obtained then the module will fail\&. This option can be used for stacking different modules that need to deal with the authentication tokens\&. .RE .PP -\fBunknown_ok\fR +unknown_ok .RS 4 Do not return error when checking for a user that is not in the database\&. This can be used to stack more than one pam_userdb module that will check a username/password pair in more than a database\&. .RE .PP -\fBkey_only\fR +key_only .RS 4 The username and password are concatenated together in the database hash as \*(Aqusername\-password\*(Aq with a random value\&. if the concatenation of the username and password with a dash in the middle returns any result, the user is valid\&. this is useful in cases where the username may not be unique but the username and password pair are\&. .RE 
diff --git a/modules/pam_userdb/pam_userdb.8.xml b/modules/pam_userdb/pam_userdb.8.xml index bce92850..0f964102 100644 --- a/modules/pam_userdb/pam_userdb.8.xml +++ b/modules/pam_userdb/pam_userdb.8.xml @@ -1,54 +1,51 @@ -<?xml version="1.0" encoding='UTF-8'?> -<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" - "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd"> - -<refentry id="pam_userdb"> +<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="pam_userdb"> <refmeta> <refentrytitle>pam_userdb</refentrytitle> <manvolnum>8</manvolnum> - <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo> + <refmiscinfo class="source">Linux-PAM</refmiscinfo> + <refmiscinfo class="manual">Linux-PAM Manual</refmiscinfo> </refmeta> - <refnamediv id="pam_userdb-name"> + <refnamediv xml:id="pam_userdb-name"> <refname>pam_userdb</refname> <refpurpose>PAM module to authenticate against a db database</refpurpose> </refnamediv> <refsynopsisdiv> - <cmdsynopsis id="pam_userdb-cmdsynopsis"> + <cmdsynopsis xml:id="pam_userdb-cmdsynopsis" sepchar=" "> <command>pam_userdb.so</command> - <arg choice="plain"> + <arg choice="plain" rep="norepeat"> db=<replaceable>/path/database</replaceable> </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> debug </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> crypt=[crypt|none] </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> icase </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> dump </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> try_first_pass </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> use_first_pass </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> unknown_ok </arg> - <arg choice="opt"> + <arg choice="opt" rep="norepeat"> key_only </arg> </cmdsynopsis> </refsynopsisdiv> - <refsect1 id="pam_userdb-description"> + <refsect1 xml:id="pam_userdb-description"> <title>DESCRIPTION</title> 
@@ -60,13 +57,13 @@ </para> </refsect1> - <refsect1 id="pam_userdb-options"> + <refsect1 xml:id="pam_userdb-options"> <title>OPTIONS</title> <variablelist> <varlistentry> <term> - <option>crypt=[crypt|none]</option> + crypt=[crypt|none] </term> <listitem> <para> @@ -82,13 +79,13 @@ </varlistentry> <varlistentry> <term> - <option>db=<replaceable>/path/database</replaceable></option> + db=/path/database </term> <listitem> <para> Use the <filename>/path/database</filename> database for performing lookup. There is no default; the module will - return <emphasis remap='B'>PAM_IGNORE</emphasis> if no + return <emphasis remap="B">PAM_IGNORE</emphasis> if no database is provided. Note that the path to the database file should be specified without the <filename>.db</filename> suffix. </para> @@ -96,7 +93,7 @@ </varlistentry> <varlistentry> <term> - <option>debug</option> + debug </term> <listitem> <para> @@ -107,7 +104,7 @@ </varlistentry> <varlistentry> <term> - <option>dump</option> + dump </term> <listitem> <para> @@ -118,7 +115,7 @@ </varlistentry> <varlistentry> <term> - <option>icase</option> + icase </term> <listitem> <para> @@ -131,7 +128,7 @@ <varlistentry> <term> - <option>try_first_pass</option> + try_first_pass </term> <listitem> <para> @@ -146,7 +143,7 @@ </varlistentry> <varlistentry> <term> - <option>use_first_pass</option> + use_first_pass </term> <listitem> <para> @@ -161,7 +158,7 @@ </varlistentry> <varlistentry> <term> - <option>unknown_ok</option> + unknown_ok </term> <listitem> <para> @@ -174,7 +171,7 @@ </varlistentry> <varlistentry> <term> - <option>key_only</option> + key_only </term> <listitem> <para> @@ -191,7 +188,7 @@ </variablelist> </refsect1> - <refsect1 id="pam_userdb-types"> + <refsect1 xml:id="pam_userdb-types"> <title>MODULE TYPES PROVIDED</title> <para> The <option>auth</option> and <option>account</option> module 
@@ -199,7 +196,7 @@ </para> </refsect1> - <refsect1 id='pam_userdb-return_values'> + <refsect1 xml:id="pam_userdb-return_values"> <title>RETURN VALUES</title> <variablelist> <varlistentry> @@ -259,14 +256,14 @@ </variablelist> </refsect1> - <refsect1 id='pam_userdb-examples'> + <refsect1 xml:id="pam_userdb-examples"> <title>EXAMPLES</title> <programlisting> auth sufficient pam_userdb.so icase db=/etc/dbtest </programlisting> </refsect1> - <refsect1 id='pam_userdb-see_also'> + <refsect1 xml:id="pam_userdb-see_also"> <title>SEE ALSO</title> <para> <citerefentry> @@ -284,11 +281,11 @@ auth sufficient pam_userdb.so icase db=/etc/dbtest </para> </refsect1> - <refsect1 id='pam_userdb-author'> + <refsect1 xml:id="pam_userdb-author"> <title>AUTHOR</title> <para> pam_userdb was written by Cristian Gafton >gafton@redhat.com<. </para> </refsect1> -</refentry> +</refentry>
\ No newline at end of file diff --git a/modules/pam_userdb/pam_userdb.c b/modules/pam_userdb/pam_userdb.c index f467ea4c..297403b0 100644 --- a/modules/pam_userdb/pam_userdb.c +++ b/modules/pam_userdb/pam_userdb.c @@ -62,7 +62,7 @@ obtain_authtok(pam_handle_t *pamh) retval = pam_set_item(pamh, PAM_AUTHTOK, resp); /* clean it up */ - _pam_overwrite(resp); + pam_overwrite_string(resp); _pam_drop(resp); if ( (retval != PAM_SUCCESS) || @@ -181,7 +181,7 @@ user_lookup (pam_handle_t *pamh, const char *database, const char *cryptmode, if (key.dptr) { data = dbm_fetch(dbm, key); - memset(key.dptr, 0, key.dsize); + pam_overwrite_n(key.dptr, key.dsize); free(key.dptr); } @@ -247,8 +247,11 @@ user_lookup (pam_handle_t *pamh, const char *database, const char *cryptmode, free(cdata); #endif } + pam_overwrite_string(pwhash); free(pwhash); } + + pam_overwrite_string(cryptpw); } else { /* Unknown password encryption method - |
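Review bot: The wipe of the lookup key in the second pam_userdb.c hunk (`pam_overwrite_n(key.dptr, key.dsize);` in `user_lookup`) carries no comment saying why a database key is treated as secret, which makes it easy to drop in a later cleanup. Going by the `key_only` description in the man page touched by this same commit, the key is then the `username-password` concatenation, so I would add `/* key_only: key embeds the password, wipe it before free */` above the call. The fetched `data` is presumably owned by the dbm library and is not cleared here; whether it needs similar handling cannot be judged from the hunk, because `user_lookup` starts and ends outside it. Separately, the documented `debug` option still sends password hashes to syslog, so these in-memory wipes do not cover that path.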