[dragonfly.git] / lib / pam_module / pam_unix / pam_unix.c

/*-
 * Copyright 1998 Juniper Networks, Inc.
 * All rights reserved.
 * Copyright (c) 2002-2003 Networks Associates Technology, Inc.
 * All rights reserved.
 *
 * Portions of this software was developed for the FreeBSD Project by
 * ThinkSec AS and NAI Labs, the Security Research Division of Network
 * Associates, Inc.  under DARPA/SPAWAR contract N66001-01-C-8035
 * ("CBOSS"), as part of the DARPA CHATS research program.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 * 3. The name of the author may not be used to endorse or promote
 *    products derived from this software without specific prior written
 *    permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 *
 * $FreeBSD: src/lib/libpam/modules/pam_unix/pam_unix.c,v 1.53 2007/12/21 12:00:16 des Exp $
 * $DragonFly: src/lib/pam_module/pam_unix/pam_unix.c,v 1.1 2005/08/01 16:15:19 joerg Exp $
 */

#include <sys/param.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <netinet/in.h>
#include <arpa/inet.h>

#include <login_cap.h>
#include <netdb.h>
#include <pwd.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>
#include <syslog.h>
#include <unistd.h>

#include <libutil.h>

#ifdef YP
#include <ypclnt.h>
#endif

#define PAM_SM_AUTH
#define PAM_SM_ACCOUNT
#define	PAM_SM_PASSWORD

#include <security/pam_appl.h>
#include <security/pam_modules.h>
#include <security/pam_mod_misc.h>

#define PASSWORD_HASH		"sha256"
#define DEFAULT_WARN		(2L * 7L * 86400L)  /* Two weeks */
#define	SALTSIZE		32

#define	LOCKED_PREFIX		"*LOCKED*"
#define	LOCKED_PREFIX_LEN	(sizeof(LOCKED_PREFIX) - 1)

static void makesalt(char []);

static char password_hash[] =		PASSWORD_HASH;

#define PAM_OPT_LOCAL_PASS	"local_pass"
#define PAM_OPT_NIS_PASS	"nis_pass"

char *tempname = NULL;

/*
 * authentication management
 */
PAM_EXTERN int
pam_sm_authenticate(pam_handle_t *pamh, int flags __unused,
    int argc __unused, const char *argv[] __unused)
{
	login_cap_t *lc;
	struct passwd *pwd;
	int retval;
	const char *pass, *user, *realpw, *prompt;

	if (openpam_get_option(pamh, PAM_OPT_AUTH_AS_SELF)) {
		pwd = getpwnam(getlogin());
	} else {
		retval = pam_get_user(pamh, &user, NULL);
		if (retval != PAM_SUCCESS)
			return (retval);
		pwd = getpwnam(user);
	}

	PAM_LOG("Got user: %s", user);

	if (pwd != NULL) {
		PAM_LOG("Doing real authentication");
		realpw = pwd->pw_passwd;
		if (realpw[0] == '\0') {
			if (!(flags & PAM_DISALLOW_NULL_AUTHTOK) &&
			    openpam_get_option(pamh, PAM_OPT_NULLOK))
				return (PAM_SUCCESS);
			realpw = "*";
		}
		lc = login_getpwclass(pwd);
	} else {
		PAM_LOG("Doing dummy authentication");
		realpw = "*";
		lc = login_getclass(NULL);
	}
	prompt = login_getcapstr(lc, "passwd_prompt", NULL, NULL);
	retval = pam_get_authtok(pamh, PAM_AUTHTOK, &pass, prompt);
	login_close(lc);
	if (retval != PAM_SUCCESS)
		return (retval);
	PAM_LOG("Got password");
	if (strcmp(crypt(pass, realpw), realpw) == 0)
		return (PAM_SUCCESS);

	PAM_VERBOSE_ERROR("UNIX authentication refused");
	return (PAM_AUTH_ERR);
}

PAM_EXTERN int
pam_sm_setcred(pam_handle_t *pamh __unused, int flags __unused,
    int argc __unused, const char *argv[] __unused)
{

	return (PAM_SUCCESS);
}

/*
 * account management
 */
PAM_EXTERN int
pam_sm_acct_mgmt(pam_handle_t *pamh, int flags __unused,
    int argc __unused, const char *argv[] __unused)
{
	struct addrinfo hints, *res;
	struct passwd *pwd;
	struct timeval tp;
	login_cap_t *lc;
	time_t warntime;
	int retval;
	const char *user;
	const void *rhost, *tty;
	char rhostip[MAXHOSTNAMELEN] = "";

	retval = pam_get_user(pamh, &user, NULL);
	if (retval != PAM_SUCCESS)
		return (retval);

	if (user == NULL || (pwd = getpwnam(user)) == NULL)
		return (PAM_SERVICE_ERR);

	PAM_LOG("Got user: %s", user);

	retval = pam_get_item(pamh, PAM_RHOST, &rhost);
	if (retval != PAM_SUCCESS)
		return (retval);

	retval = pam_get_item(pamh, PAM_TTY, &tty);
	if (retval != PAM_SUCCESS)
		return (retval);

	if (*pwd->pw_passwd == '\0' &&
	    (flags & PAM_DISALLOW_NULL_AUTHTOK) != 0)
		return (PAM_NEW_AUTHTOK_REQD);

	if (strncmp(pwd->pw_passwd, LOCKED_PREFIX, LOCKED_PREFIX_LEN) == 0)
		return (PAM_AUTH_ERR);

	lc = login_getpwclass(pwd);
	if (lc == NULL) {
		PAM_LOG("Unable to get login class for user %s", user);
		return (PAM_SERVICE_ERR);
	}

	PAM_LOG("Got login_cap");

	if (pwd->pw_change || pwd->pw_expire)
		gettimeofday(&tp, NULL);

	/*
	 * Check pw_expire before pw_change - no point in letting the
	 * user change the password on an expired account.
	 */

	if (pwd->pw_expire) {
		warntime = login_getcaptime(lc, "warnexpire",
		    DEFAULT_WARN, DEFAULT_WARN);
		if (tp.tv_sec >= pwd->pw_expire) {
			login_close(lc);
			return (PAM_ACCT_EXPIRED);
		} else if (pwd->pw_expire - tp.tv_sec < warntime &&
		    (flags & PAM_SILENT) == 0) {
			pam_error(pamh, "Warning: your account expires on %s",
			    ctime(&pwd->pw_expire));
		}
	}

	retval = PAM_SUCCESS;
	if (pwd->pw_change) {
		warntime = login_getcaptime(lc, "warnpassword",
		    DEFAULT_WARN, DEFAULT_WARN);
		if (tp.tv_sec >= pwd->pw_change) {
			retval = PAM_NEW_AUTHTOK_REQD;
		} else if (pwd->pw_change - tp.tv_sec < warntime &&
		    (flags & PAM_SILENT) == 0) {
			pam_error(pamh, "Warning: your password expires on %s",
			    ctime(&pwd->pw_change));
		}
	}

	/*
	 * From here on, we must leave retval untouched (unless we
	 * know we're going to fail), because we need to remember
	 * whether we're supposed to return PAM_SUCCESS or
	 * PAM_NEW_AUTHTOK_REQD.
	 */

	if (rhost && *(const char *)rhost != '\0') {
		memset(&hints, 0, sizeof(hints));
		hints.ai_family = AF_UNSPEC;
		if (getaddrinfo(rhost, NULL, &hints, &res) == 0) {
			getnameinfo(res->ai_addr, res->ai_addrlen,
			    rhostip, sizeof(rhostip), NULL, 0,
			    NI_NUMERICHOST);
		}
		if (res != NULL)
			freeaddrinfo(res);
	}

	/*
	 * Check host / tty / time-of-day restrictions
	 */

	if (!auth_hostok(lc, rhost, rhostip) ||
	    !auth_ttyok(lc, tty) ||
	    !auth_timeok(lc, time(NULL)))
		retval = PAM_AUTH_ERR;

	login_close(lc);

	return (retval);
}

/*
 * password management
 *
 * standard Unix and NIS password changing
 */
PAM_EXTERN int
pam_sm_chauthtok(pam_handle_t *pamh, int flags,
    int argc __unused, const char *argv[] __unused)
{
#ifdef YP
	struct ypclnt *ypclnt;
	const void *yp_domain, *yp_server;
#endif
	char salt[SALTSIZE + 1];
	login_cap_t * lc;
	struct passwd *pwd, *old_pwd;
	const char *user, *old_pass, *new_pass;
	char *encrypted;
	int pfd, tfd, retval;

	if (openpam_get_option(pamh, PAM_OPT_AUTH_AS_SELF))
		pwd = getpwnam(getlogin());
	else {
		retval = pam_get_user(pamh, &user, NULL);
		if (retval != PAM_SUCCESS)
			return (retval);
		pwd = getpwnam(user);
	}

	if (pwd == NULL)
		return (PAM_AUTHTOK_RECOVERY_ERR);

	PAM_LOG("Got user: %s", user);

	if (flags & PAM_PRELIM_CHECK) {

		PAM_LOG("PRELIM round");

		if (getuid() == 0 &&
		    (pwd->pw_fields & _PWF_SOURCE) == _PWF_FILES)
			/* root doesn't need the old password */
			return (pam_set_item(pamh, PAM_OLDAUTHTOK, ""));
#ifdef YP
		if (getuid() == 0 &&
		    (pwd->pw_fields & _PWF_SOURCE) == _PWF_NIS) {

			yp_domain = yp_server = NULL;
			pam_get_data(pamh, "yp_domain", &yp_domain);
			pam_get_data(pamh, "yp_server", &yp_server);

			ypclnt = ypclnt_new(yp_domain, "passwd.byname", yp_server);
			if (ypclnt == NULL)
				return (PAM_BUF_ERR);

			if (ypclnt_connect(ypclnt) == -1) {
				ypclnt_free(ypclnt);
				return (PAM_SERVICE_ERR);
			}

			retval = ypclnt_havepasswdd(ypclnt);
			ypclnt_free(ypclnt);
			if (retval == 1)
				return (pam_set_item(pamh, PAM_OLDAUTHTOK, ""));
			else if (retval == -1)
				return (PAM_SERVICE_ERR);
		}
#endif
		if (pwd->pw_passwd[0] == '\0'
		    && openpam_get_option(pamh, PAM_OPT_NULLOK)) {
			/*
			 * No password case. XXX Are we giving too much away
			 * by not prompting for a password?
			 * XXX check PAM_DISALLOW_NULL_AUTHTOK
			 */
			old_pass = "";
		} else {
			retval = pam_get_authtok(pamh,
			    PAM_OLDAUTHTOK, &old_pass, NULL);
			if (retval != PAM_SUCCESS)
				return (retval);
		}
		PAM_LOG("Got old password");
		/* always encrypt first */
		encrypted = crypt(old_pass, pwd->pw_passwd);
		if (old_pass[0] == '\0' &&
		    !openpam_get_option(pamh, PAM_OPT_NULLOK))
			return (PAM_PERM_DENIED);
		if (strcmp(encrypted, pwd->pw_passwd) != 0)
			return (PAM_PERM_DENIED);
	}
	else if (flags & PAM_UPDATE_AUTHTOK) {
		PAM_LOG("UPDATE round");

		retval = pam_get_authtok(pamh,
		    PAM_OLDAUTHTOK, &old_pass, NULL);
		if (retval != PAM_SUCCESS)
			return (retval);
		PAM_LOG("Got old password");

		/* get new password */
		for (;;) {
			retval = pam_get_authtok(pamh,
			    PAM_AUTHTOK, &new_pass, NULL);
			if (retval != PAM_TRY_AGAIN)
				break;
			pam_error(pamh, "Mismatch; try again, EOF to quit.");
		}
		PAM_LOG("Got new password");
		if (retval != PAM_SUCCESS) {
			PAM_VERBOSE_ERROR("Unable to get new password");
			return (retval);
		}

		if (getuid() != 0 && new_pass[0] == '\0' &&
		    !openpam_get_option(pamh, PAM_OPT_NULLOK))
			return (PAM_PERM_DENIED);

		if ((old_pwd = pw_dup(pwd)) == NULL)
			return (PAM_BUF_ERR);

		pwd->pw_change = 0;
		lc = login_getclass(pwd->pw_class);
		if (login_setcryptfmt(lc, password_hash, NULL) == NULL)
			openpam_log(PAM_LOG_ERROR,
			    "can't set password cipher, relying on default");
		login_close(lc);
		makesalt(salt);
		pwd->pw_passwd = crypt(new_pass, salt);
#ifdef YP
		switch (old_pwd->pw_fields & _PWF_SOURCE) {
		case _PWF_FILES:
#endif
			retval = PAM_SERVICE_ERR;
			if (pw_init(NULL, NULL))
				openpam_log(PAM_LOG_ERROR, "pw_init() failed");
			else if ((pfd = pw_lock()) == -1)
				openpam_log(PAM_LOG_ERROR, "pw_lock() failed");
			else if ((tfd = pw_tmp(-1)) == -1)
				openpam_log(PAM_LOG_ERROR, "pw_tmp() failed");
			else if (pw_copy(pfd, tfd, pwd, old_pwd) == -1)
				openpam_log(PAM_LOG_ERROR, "pw_copy() failed");
			else if (pw_mkdb(pwd->pw_name) == -1)
				openpam_log(PAM_LOG_ERROR, "pw_mkdb() failed");
			else
				retval = PAM_SUCCESS;
			pw_fini();
#ifdef YP
			break;
		case _PWF_NIS:
			yp_domain = yp_server = NULL;
			pam_get_data(pamh, "yp_domain", &yp_domain);
			pam_get_data(pamh, "yp_server", &yp_server);
			ypclnt = ypclnt_new(yp_domain,
			    "passwd.byname", yp_server);
			if (ypclnt == NULL) {
				retval = PAM_BUF_ERR;
			} else if (ypclnt_connect(ypclnt) == -1 ||
			    ypclnt_passwd(ypclnt, pwd, old_pass) == -1) {
				openpam_log(PAM_LOG_ERROR, "%s", ypclnt->error);
				retval = PAM_SERVICE_ERR;
			} else {
				retval = PAM_SUCCESS;
			}
			ypclnt_free(ypclnt);
			break;
		default:
			openpam_log(PAM_LOG_ERROR, "unsupported source 0x%x",
			    pwd->pw_fields & _PWF_SOURCE);
			retval = PAM_SERVICE_ERR;
		}
#endif
		free(old_pwd);
	}
	else {
		/* Very bad juju */
		retval = PAM_ABORT;
		PAM_LOG("Illegal 'flags'");
	}

	return (retval);
}

/* Mostly stolen from passwd(1)'s local_passwd.c - markm */

static unsigned char itoa64[] =		/* 0 ... 63 => ascii - 64 */
	"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";

static void
to64(char *s, long v, int n)
{
	while (--n >= 0) {
		*s++ = itoa64[v&0x3f];
		v >>= 6;
	}
}

/* Salt suitable for traditional DES and MD5 */
void
makesalt(char salt[SALTSIZE])
{
	int i;

	/* These are not really random numbers, they are just
	 * numbers that change to thwart construction of a
	 * dictionary. This is exposed to the public.
	 */
	for (i = 0; i < SALTSIZE; i += 4)
		to64(&salt[i], arc4random(), 4);
	salt[SALTSIZE] = '\0';
}

PAM_MODULE_ENTRY("pam_unix");
Commit	Line	Data
863a10dd JS	1	/*-
	2	* Copyright 1998 Juniper Networks, Inc.
	3	* All rights reserved.
	4	* Copyright (c) 2002-2003 Networks Associates Technology, Inc.
	5	* All rights reserved.
	6	*
	7	* Portions of this software was developed for the FreeBSD Project by
	8	* ThinkSec AS and NAI Labs, the Security Research Division of Network
	9	* Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035
	10	* ("CBOSS"), as part of the DARPA CHATS research program.
	11	*
	12	* Redistribution and use in source and binary forms, with or without
	13	* modification, are permitted provided that the following conditions
	14	* are met:
	15	* 1. Redistributions of source code must retain the above copyright
	16	* notice, this list of conditions and the following disclaimer.
	17	* 2. Redistributions in binary form must reproduce the above copyright
	18	* notice, this list of conditions and the following disclaimer in the
	19	* documentation and/or other materials provided with the distribution.
	20	* 3. The name of the author may not be used to endorse or promote
	21	* products derived from this software without specific prior written
	22	* permission.
	23	*
	24	* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
	25	* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
	26	* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
	27	* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
	28	* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
	29	* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
	30	* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
	31	* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
	32	* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
	33	* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
	34	* SUCH DAMAGE.
	35	*
0d96fe5a	36	* $FreeBSD: src/lib/libpam/modules/pam_unix/pam_unix.c,v 1.53 2007/12/21 12:00:16 des Exp $
863a10dd JS	37	* $DragonFly: src/lib/pam_module/pam_unix/pam_unix.c,v 1.1 2005/08/01 16:15:19 joerg Exp $
	38	*/
	39
	40	#include <sys/param.h>
	41	#include <sys/socket.h>
	42	#include <sys/time.h>
	43	#include <netinet/in.h>
	44	#include <arpa/inet.h>
	45
	46	#include <login_cap.h>
	47	#include <netdb.h>
	48	#include <pwd.h>
	49	#include <stdlib.h>
	50	#include <string.h>
	51	#include <stdio.h>
	52	#include <syslog.h>
	53	#include <unistd.h>
	54
	55	#include <libutil.h>
	56
	57	#ifdef YP
	58	#include <ypclnt.h>
	59	#endif
	60
	61	#define PAM_SM_AUTH
	62	#define PAM_SM_ACCOUNT
	63	#define PAM_SM_PASSWORD
	64
	65	#include <security/pam_appl.h>
	66	#include <security/pam_modules.h>
	67	#include <security/pam_mod_misc.h>
	68
6737f3b9	69	#define PASSWORD_HASH "sha256"
863a10dd JS	70	#define DEFAULT_WARN (2L * 7L * 86400L) /* Two weeks */
	71	#define SALTSIZE 32
	72
0d96fe5a PA	73	#define LOCKED_PREFIX "LOCKED"
	74	#define LOCKED_PREFIX_LEN (sizeof(LOCKED_PREFIX) - 1)
	75
863a10dd JS	76	static void makesalt(char []);
	77
	78	static char password_hash[] = PASSWORD_HASH;
	79
	80	#define PAM_OPT_LOCAL_PASS "local_pass"
	81	#define PAM_OPT_NIS_PASS "nis_pass"
	82
	83	char *tempname = NULL;
	84
	85	/*
	86	* authentication management
	87	*/
	88	PAM_EXTERN int
	89	pam_sm_authenticate(pam_handle_t *pamh, int flags __unused,
	90	int argc __unused, const char *argv[] __unused)
	91	{
	92	login_cap_t *lc;
	93	struct passwd *pwd;
	94	int retval;
	95	const char pass, user, realpw, prompt;
	96
	97	if (openpam_get_option(pamh, PAM_OPT_AUTH_AS_SELF)) {
	98	pwd = getpwnam(getlogin());
	99	} else {
	100	retval = pam_get_user(pamh, &user, NULL);
	101	if (retval != PAM_SUCCESS)
	102	return (retval);
	103	pwd = getpwnam(user);
	104	}
	105
	106	PAM_LOG("Got user: %s", user);
	107
	108	if (pwd != NULL) {
	109	PAM_LOG("Doing real authentication");
	110	realpw = pwd->pw_passwd;
	111	if (realpw[0] == '\0') {
	112	if (!(flags & PAM_DISALLOW_NULL_AUTHTOK) &&
	113	openpam_get_option(pamh, PAM_OPT_NULLOK))
	114	return (PAM_SUCCESS);
	115	realpw = "*";
	116	}
	117	lc = login_getpwclass(pwd);
	118	} else {
	119	PAM_LOG("Doing dummy authentication");
	120	realpw = "*";
	121	lc = login_getclass(NULL);
	122	}
	123	prompt = login_getcapstr(lc, "passwd_prompt", NULL, NULL);
	124	retval = pam_get_authtok(pamh, PAM_AUTHTOK, &pass, prompt);
	125	login_close(lc);
	126	if (retval != PAM_SUCCESS)
	127	return (retval);
	128	PAM_LOG("Got password");
	129	if (strcmp(crypt(pass, realpw), realpw) == 0)
	130	return (PAM_SUCCESS);
	131
0d96fe5a	132	PAM_VERBOSE_ERROR("UNIX authentication refused");
863a10dd JS	133	return (PAM_AUTH_ERR);
	134	}
	135
	136	PAM_EXTERN int
	137	pam_sm_setcred(pam_handle_t *pamh __unused, int flags __unused,
	138	int argc __unused, const char *argv[] __unused)
	139	{
	140
	141	return (PAM_SUCCESS);
	142	}
	143
	144	/*
	145	* account management
	146	*/
	147	PAM_EXTERN int
	148	pam_sm_acct_mgmt(pam_handle_t *pamh, int flags __unused,
	149	int argc __unused, const char *argv[] __unused)
	150	{
	151	struct addrinfo hints, *res;
	152	struct passwd *pwd;
	153	struct timeval tp;
	154	login_cap_t *lc;
	155	time_t warntime;
	156	int retval;
	157	const char *user;
	158	const void rhost, tty;
	159	char rhostip[MAXHOSTNAMELEN] = "";
	160
	161	retval = pam_get_user(pamh, &user, NULL);
	162	if (retval != PAM_SUCCESS)
	163	return (retval);
	164
	165	if (user == NULL \|\| (pwd = getpwnam(user)) == NULL)
	166	return (PAM_SERVICE_ERR);
	167
	168	PAM_LOG("Got user: %s", user);
	169
	170	retval = pam_get_item(pamh, PAM_RHOST, &rhost);
	171	if (retval != PAM_SUCCESS)
	172	return (retval);
	173
	174	retval = pam_get_item(pamh, PAM_TTY, &tty);
	175	if (retval != PAM_SUCCESS)
	176	return (retval);
	177
	178	if (*pwd->pw_passwd == '\0' &&
	179	(flags & PAM_DISALLOW_NULL_AUTHTOK) != 0)
	180	return (PAM_NEW_AUTHTOK_REQD);
	181
0d96fe5a PA	182	if (strncmp(pwd->pw_passwd, LOCKED_PREFIX, LOCKED_PREFIX_LEN) == 0)
	183	return (PAM_AUTH_ERR);
	184
863a10dd JS	185	lc = login_getpwclass(pwd);
	186	if (lc == NULL) {
	187	PAM_LOG("Unable to get login class for user %s", user);
	188	return (PAM_SERVICE_ERR);
	189	}
	190
	191	PAM_LOG("Got login_cap");
	192
	193	if (pwd->pw_change \|\| pwd->pw_expire)
	194	gettimeofday(&tp, NULL);
	195
	196	/*
	197	* Check pw_expire before pw_change - no point in letting the
	198	* user change the password on an expired account.
	199	*/
	200
	201	if (pwd->pw_expire) {
	202	warntime = login_getcaptime(lc, "warnexpire",
	203	DEFAULT_WARN, DEFAULT_WARN);
	204	if (tp.tv_sec >= pwd->pw_expire) {
	205	login_close(lc);
	206	return (PAM_ACCT_EXPIRED);
	207	} else if (pwd->pw_expire - tp.tv_sec < warntime &&
	208	(flags & PAM_SILENT) == 0) {
	209	pam_error(pamh, "Warning: your account expires on %s",
	210	ctime(&pwd->pw_expire));
	211	}
	212	}
	213
	214	retval = PAM_SUCCESS;
	215	if (pwd->pw_change) {
	216	warntime = login_getcaptime(lc, "warnpassword",
	217	DEFAULT_WARN, DEFAULT_WARN);
	218	if (tp.tv_sec >= pwd->pw_change) {
	219	retval = PAM_NEW_AUTHTOK_REQD;
	220	} else if (pwd->pw_change - tp.tv_sec < warntime &&
	221	(flags & PAM_SILENT) == 0) {
	222	pam_error(pamh, "Warning: your password expires on %s",
	223	ctime(&pwd->pw_change));
	224	}
	225	}
	226
	227	/*
	228	* From here on, we must leave retval untouched (unless we
	229	* know we're going to fail), because we need to remember
	230	* whether we're supposed to return PAM_SUCCESS or
	231	* PAM_NEW_AUTHTOK_REQD.
	232	*/
	233
	234	if (rhost && (const char )rhost != '\0') {
	235	memset(&hints, 0, sizeof(hints));
	236	hints.ai_family = AF_UNSPEC;
	237	if (getaddrinfo(rhost, NULL, &hints, &res) == 0) {
	238	getnameinfo(res->ai_addr, res->ai_addrlen,
	239	rhostip, sizeof(rhostip), NULL, 0,
	240	NI_NUMERICHOST);
	241	}
	242	if (res != NULL)
	243	freeaddrinfo(res);
	244	}
	245
	246	/*
	247	* Check host / tty / time-of-day restrictions
	248	*/
249
250	if (!auth_hostok(lc, rhost, rhostip) \|\|
251	!auth_ttyok(lc, tty) \|\|
252	!auth_timeok(lc, time(NULL)))
253	retval = PAM_AUTH_ERR;
254
255	login_close(lc);
256
257	return (retval);
258	}
259
260	/*
261	* password management
262	*
263	* standard Unix and NIS password changing
264	*/
265	PAM_EXTERN int
266	pam_sm_chauthtok(pam_handle_t *pamh, int flags,
267	int argc __unused, const char *argv[] __unused)
268	{
269	#ifdef YP
270	struct ypclnt *ypclnt;
210bf96c	271	const void yp_domain, yp_server;
863a10dd JS	272	#endif
	273	char salt[SALTSIZE + 1];
	274	login_cap_t * lc;
	275	struct passwd pwd, old_pwd;
	276	const char user, old_pass, *new_pass;
	277	char *encrypted;
0d96fe5a	278	int pfd, tfd, retval;
863a10dd JS	279
	280	if (openpam_get_option(pamh, PAM_OPT_AUTH_AS_SELF))
	281	pwd = getpwnam(getlogin());
	282	else {
	283	retval = pam_get_user(pamh, &user, NULL);
	284	if (retval != PAM_SUCCESS)
	285	return (retval);
	286	pwd = getpwnam(user);
	287	}
	288
	289	if (pwd == NULL)
	290	return (PAM_AUTHTOK_RECOVERY_ERR);
	291
	292	PAM_LOG("Got user: %s", user);
	293
	294	if (flags & PAM_PRELIM_CHECK) {
	295
	296	PAM_LOG("PRELIM round");
	297
0d96fe5a PA	298	if (getuid() == 0 &&
0d96fe5a PA	299	(pwd->pw_fields & _PWF_SOURCE) == _PWF_FILES)
863a10dd JS	300	/* root doesn't need the old password */
	301	return (pam_set_item(pamh, PAM_OLDAUTHTOK, ""));
	302	#ifdef YP
0d96fe5a PA	303	if (getuid() == 0 &&
0d96fe5a PA	304	(pwd->pw_fields & _PWF_SOURCE) == _PWF_NIS) {
863a10dd JS	305
863a10dd JS	306	yp_domain = yp_server = NULL;
0d96fe5a PA	307	pam_get_data(pamh, "yp_domain", &yp_domain);
0d96fe5a PA	308	pam_get_data(pamh, "yp_server", &yp_server);
863a10dd JS	309
	310	ypclnt = ypclnt_new(yp_domain, "passwd.byname", yp_server);
	311	if (ypclnt == NULL)
	312	return (PAM_BUF_ERR);
	313
	314	if (ypclnt_connect(ypclnt) == -1) {
	315	ypclnt_free(ypclnt);
	316	return (PAM_SERVICE_ERR);
	317	}
	318
	319	retval = ypclnt_havepasswdd(ypclnt);
	320	ypclnt_free(ypclnt);
	321	if (retval == 1)
	322	return (pam_set_item(pamh, PAM_OLDAUTHTOK, ""));
	323	else if (retval == -1)
	324	return (PAM_SERVICE_ERR);
	325	}
	326	#endif
	327	if (pwd->pw_passwd[0] == '\0'
	328	&& openpam_get_option(pamh, PAM_OPT_NULLOK)) {
	329	/*
	330	* No password case. XXX Are we giving too much away
	331	* by not prompting for a password?
	332	* XXX check PAM_DISALLOW_NULL_AUTHTOK
	333	*/
	334	old_pass = "";
	335	} else {
	336	retval = pam_get_authtok(pamh,
	337	PAM_OLDAUTHTOK, &old_pass, NULL);
	338	if (retval != PAM_SUCCESS)
	339	return (retval);
	340	}
	341	PAM_LOG("Got old password");
	342	/* always encrypt first */
	343	encrypted = crypt(old_pass, pwd->pw_passwd);
	344	if (old_pass[0] == '\0' &&
	345	!openpam_get_option(pamh, PAM_OPT_NULLOK))
	346	return (PAM_PERM_DENIED);
	347	if (strcmp(encrypted, pwd->pw_passwd) != 0)
	348	return (PAM_PERM_DENIED);
	349	}
	350	else if (flags & PAM_UPDATE_AUTHTOK) {
	351	PAM_LOG("UPDATE round");
	352
	353	retval = pam_get_authtok(pamh,
	354	PAM_OLDAUTHTOK, &old_pass, NULL);
	355	if (retval != PAM_SUCCESS)
	356	return (retval);
	357	PAM_LOG("Got old password");
	358
	359	/* get new password */
	360	for (;;) {
	361	retval = pam_get_authtok(pamh,
	362	PAM_AUTHTOK, &new_pass, NULL);
	363	if (retval != PAM_TRY_AGAIN)
	364	break;
	365	pam_error(pamh, "Mismatch; try again, EOF to quit.");
	366	}
	367	PAM_LOG("Got new password");
	368	if (retval != PAM_SUCCESS) {
	369	PAM_VERBOSE_ERROR("Unable to get new password");
	370	return (retval);
	371	}
	372
373	if (getuid() != 0 && new_pass[0] == '\0' &&
374	!openpam_get_option(pamh, PAM_OPT_NULLOK))
375	return (PAM_PERM_DENIED);
376
377	if ((old_pwd = pw_dup(pwd)) == NULL)
378	return (PAM_BUF_ERR);
379
380	pwd->pw_change = 0;
381	lc = login_getclass(pwd->pw_class);
382	if (login_setcryptfmt(lc, password_hash, NULL) == NULL)
383	openpam_log(PAM_LOG_ERROR,
384	"can't set password cipher, relying on default");
385	login_close(lc);
386	makesalt(salt);
387	pwd->pw_passwd = crypt(new_pass, salt);
388	#ifdef YP
389	switch (old_pwd->pw_fields & _PWF_SOURCE) {
390	case _PWF_FILES:
391	#endif
392	retval = PAM_SERVICE_ERR;
393	if (pw_init(NULL, NULL))
394	openpam_log(PAM_LOG_ERROR, "pw_init() failed");
395	else if ((pfd = pw_lock()) == -1)
396	openpam_log(PAM_LOG_ERROR, "pw_lock() failed");
397	else if ((tfd = pw_tmp(-1)) == -1)
398	openpam_log(PAM_LOG_ERROR, "pw_tmp() failed");
399	else if (pw_copy(pfd, tfd, pwd, old_pwd) == -1)
400	openpam_log(PAM_LOG_ERROR, "pw_copy() failed");
401	else if (pw_mkdb(pwd->pw_name) == -1)
402	openpam_log(PAM_LOG_ERROR, "pw_mkdb() failed");
403	else
404	retval = PAM_SUCCESS;
405	pw_fini();
406	#ifdef YP
407	break;
408	case _PWF_NIS:
409	yp_domain = yp_server = NULL;
0d96fe5a PA	410	pam_get_data(pamh, "yp_domain", &yp_domain);
0d96fe5a PA	411	pam_get_data(pamh, "yp_server", &yp_server);
863a10dd JS	412	ypclnt = ypclnt_new(yp_domain,
	413	"passwd.byname", yp_server);
	414	if (ypclnt == NULL) {
	415	retval = PAM_BUF_ERR;
	416	} else if (ypclnt_connect(ypclnt) == -1 \|\|
	417	ypclnt_passwd(ypclnt, pwd, old_pass) == -1) {
	418	openpam_log(PAM_LOG_ERROR, "%s", ypclnt->error);
	419	retval = PAM_SERVICE_ERR;
	420	} else {
	421	retval = PAM_SUCCESS;
	422	}
	423	ypclnt_free(ypclnt);
	424	break;
	425	default:
	426	openpam_log(PAM_LOG_ERROR, "unsupported source 0x%x",
	427	pwd->pw_fields & _PWF_SOURCE);
	428	retval = PAM_SERVICE_ERR;
	429	}
	430	#endif
	431	free(old_pwd);
	432	}
	433	else {
	434	/* Very bad juju */
	435	retval = PAM_ABORT;
	436	PAM_LOG("Illegal 'flags'");
	437	}
	438
	439	return (retval);
	440	}
	441
	442	/* Mostly stolen from passwd(1)'s local_passwd.c - markm */
	443
	444	static unsigned char itoa64[] = /* 0 ... 63 => ascii - 64 */
	445	"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
	446
	447	static void
	448	to64(char *s, long v, int n)
	449	{
	450	while (--n >= 0) {
	451	*s++ = itoa64[v&0x3f];
	452	v >>= 6;
	453	}
	454	}
	455
	456	/* Salt suitable for traditional DES and MD5 */
	457	void
	458	makesalt(char salt[SALTSIZE])
	459	{
	460	int i;
	461
	462	/* These are not really random numbers, they are just
	463	* numbers that change to thwart construction of a
	464	* dictionary. This is exposed to the public.
	465	*/
	466	for (i = 0; i < SALTSIZE; i += 4)
	467	to64(&salt[i], arc4random(), 4);
	468	salt[SALTSIZE] = '\0';
	469	}
	470
	471	PAM_MODULE_ENTRY("pam_unix");