From: Peter Avalos
Date: Sat, 24 Dec 2011 21:14:25 +0000 (-0800)
Subject: pam_unix: Respect passwordtime from login.conf if set.
X-Git-Tag: v3.0.0~301
X-Git-Url: https://gitweb.dragonflybsd.org/dragonfly.git/commitdiff_plain/fcb45d59ca171ba5028f7af87d9870b78128e2bc

pam_unix: Respect passwordtime from login.conf if set.

Rewrap a lot of really short lines in pam_unix.8.

Note that pam_unix(8) does not respect PAM_CHANGE_EXPIRED_AUTHTOK.

Obtained-from: FreeBSD
---
diff --git a/lib/pam_module/pam_unix/pam_unix.8 b/lib/pam_module/pam_unix/pam_unix.8 index 62947a3681..a7102e5967 100644 --- a/lib/pam_module/pam_unix/pam_unix.8 +++ b/lib/pam_module/pam_unix/pam_unix.8 @@ -32,10 +32,9 @@ .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.\" $FreeBSD: src/lib/libpam/modules/pam_unix/pam_unix.8,v 1.13 2007/03/27 09:59:15 yar Exp $ -.\" $DragonFly: src/lib/pam_module/pam_unix/pam_unix.8,v 1.1 2005/08/01 16:15:19 joerg Exp $ +.\" $FreeBSD: src/lib/libpam/modules/pam_unix/pam_unix.8,v 1.17 2011/11/02 23:40:21 des Exp $ .\" -.Dd March 27, 2007 +.Dd June 20, 2009 .Dt PAM_UNIX 8 .Os .Sh NAME @@ -53,8 +52,7 @@ The authentication service module for PAM, .Nm provides functionality for three PAM categories: -authentication, -account management, and password management. +authentication, account management, and password management. In terms of the .Ar module-type parameter, they are the 
@@ -67,14 +65,13 @@ It also provides a null function for session management. .Ss Ux Ss Authentication Module The .Ux -authentication component -provides functions to verify the identity of a user +authentication component provides functions to verify the identity of +a user .Pq Fn pam_sm_authenticate , which obtains the relevant .Xr passwd 5 entry. -It prompts the user for a password -and verifies that this is correct with +It prompts the user for a password and verifies that this is correct with .Xr crypt 3 . .Pp The following options may be passed to the authentication module: 
@@ -85,66 +82,57 @@ debugging information at .Dv LOG_DEBUG level. .It Cm use_first_pass -If the authentication module -is not the first in the stack, -and a previous module -obtained the user's password, -that password is used -to authenticate the user. -If this fails, -the authentication module returns failure -without prompting the user for a password. -This option has no effect -if the authentication module -is the first in the stack, -or if no previous modules -obtained the user's password. +If the authentication module is not the first in the stack, and a +previous module obtained the user's password, that password is used to +authenticate the user. +If this fails, the authentication module returns failure without +prompting the user for a password. +This option has no effect if the authentication module is the first in +the stack, or if no previous modules obtained the user's password. .It Cm try_first_pass This option is similar to the .Cm use_first_pass -option, -except that if the previously obtained password fails, -the user is prompted for another password. +option, except that if the previously obtained password fails, the +user is prompted for another password. .It Cm auth_as_self -This option will require the user -to authenticate himself as the user -given by -.Xr getlogin 2 , -not as the account they are attempting to access. +This option will require the user to authenticate themselves as +themselves, not as the account they are attempting to access. This is primarily for services like .Xr su 1 , -where the user's ability to retype -their own password -might be deemed sufficient. +where the user's ability to retype their own password might be deemed +sufficient. .It Cm nullok -If the password database -has no password -for the entity being authenticated, -then this option -will forgo password prompting, -and silently allow authentication to succeed. 
+If the password database has no password for the entity being +authenticated, then this option will forgo password prompting, and +silently allow authentication to succeed. +.Pp +.Sy NOTE: +If +.Nm +is invoked by a process that does not have the privileges required to +access the password database (in most cases, this means root +privileges), the +.Cm nullok +option may cause +.Nm +to allow any user to log in with any password. .It Cm local_pass -Use only the local password database, -even if NIS is in use. -This will cause an authentication failure -if the system is configured +Use only the local password database, even if NIS is in use. +This will cause an authentication failure if the system is configured to only use NIS. .It Cm nis_pass Use only the NIS password database. -This will cause an authentication failure -if the system is not configured -to use NIS. +This will cause an authentication failure if the system is not +configured to use NIS. .El .Ss Ux Ss Account Management Module The .Ux -account management component -provides a function to perform account management, +account management component provides a function to perform account +management, .Fn pam_sm_acct_mgmt . -The function verifies -that the authenticated user -is allowed to log into the local user account -by checking the following criteria: +The function verifies that the authenticated user is allowed to log +into the local user account by checking the following criteria: .Bl -dash -offset indent .It locked status of the account compatible with @@ -169,8 +157,8 @@ level. .Ss Ux Ss Password Management Module The .Ux -password management component -provides a function to perform password management, +password management component provides a function to perform password +management, .Fn pam_sm_chauthtok . The function changes the user's password. 
@@ -184,17 +172,14 @@ debugging information at level. .It Cm no_warn suppress warning messages to the user. -These messages include -reasons why the user's -authentication attempt was declined. +These messages include reasons why the user's authentication attempt +was declined. .It Cm local_pass -forces the password module -to change a local password -in favour of a NIS one. +forces the password module to change a local password in favour of a +NIS one. .It Cm nis_pass -forces the password module -to change a NIS password -in favour of a local one. +forces the password module to change a NIS password in favour of a +local one. .El .Sh FILES .Bl -tag -width ".Pa /etc/master.passwd" -compact @@ -214,3 +199,9 @@ password database. .Xr pam 8 , .Xr pw 8 , .Xr yp 8 +.Sh BUGS +The +.Nm +module ignores the +.Dv PAM_CHANGE_EXPIRED_AUTHTOK +flag. diff --git a/lib/pam_module/pam_unix/pam_unix.c b/lib/pam_module/pam_unix/pam_unix.c index b7f135996b..af8051814a 100644 --- a/lib/pam_module/pam_unix/pam_unix.c +++ b/lib/pam_module/pam_unix/pam_unix.c @@ -33,8 +33,7 @@ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * - * $FreeBSD: src/lib/libpam/modules/pam_unix/pam_unix.c,v 1.53 2007/12/21 12:00:16 des Exp $ - * $DragonFly: src/lib/pam_module/pam_unix/pam_unix.c,v 1.1 2005/08/01 16:15:19 joerg Exp $ + * $FreeBSD: src/lib/libpam/modules/pam_unix/pam_unix.c,v 1.56 2011/11/05 10:00:29 ed Exp $ */ #include @@ -50,6 +49,7 @@ #include #include #include +#include #include #include @@ -80,8 +80,6 @@ static char password_hash[] = PASSWORD_HASH; #define PAM_OPT_LOCAL_PASS "local_pass" #define PAM_OPT_NIS_PASS "nis_pass" -char *tempname = NULL; - /* * authentication management */ 
@@ -271,10 +269,11 @@ pam_sm_chauthtok(pam_handle_t *pamh, int flags, const void *yp_domain, *yp_server; #endif char salt[SALTSIZE + 1]; - login_cap_t * lc; + login_cap_t *lc; struct passwd *pwd, *old_pwd; const char *user, *old_pass, *new_pass; char *encrypted; + time_t passwordtime; int pfd, tfd, retval; if (openpam_get_option(pamh, PAM_OPT_AUTH_AS_SELF)) @@ -377,11 +376,17 @@ pam_sm_chauthtok(pam_handle_t *pamh, int flags, if ((old_pwd = pw_dup(pwd)) == NULL) return (PAM_BUF_ERR); - pwd->pw_change = 0; lc = login_getclass(pwd->pw_class); if (login_setcryptfmt(lc, password_hash, NULL) == NULL) openpam_log(PAM_LOG_ERROR, "can't set password cipher, relying on default"); + + /* set password expiry date */ + pwd->pw_change = 0; + passwordtime = login_getcaptime(lc, "passwordtime", 0, 0); + if (passwordtime > 0) + pwd->pw_change = time(NULL) + passwordtime; + login_close(lc); makesalt(salt); pwd->pw_passwd = crypt(new_pass, salt);
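Review bot: in the first pam_unix.8 hunk the `.Dd` line is changed to June 20, 2009 although the merged revision carries new content (the `nullok` NOTE and the BUGS section); mdoc convention is to set `.Dd` to the date of the last content change, so this should be the commit date rather than an older date carried over from the source tree.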
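Review bot: in the third pam_unix.8 hunk the `auth_as_self` rewording ("authenticate themselves as themselves") is circular and drops the `.Xr getlogin 2` cross-reference that told the reader how the caller's own identity is determined; keep the cross-reference, e.g. "as the user given by .Xr getlogin 2 , not as the account they are attempting to access". The new NOTE under `nullok` is a good addition, but it describes a risk that no code change in this commit mitigates, so it should also state the safe configuration plainly: do not use `nullok` for services that do not run with the privileges needed to read the password database.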
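Review bot: the pam_unix.8 hunk for the Password Management Module only rewraps text, yet the pam_unix.c change makes `pam_sm_chauthtok` set the account's password expiry (`pw_change`) from the login class's `passwordtime` capability; the man page should document that a successful password change sets the expiry to the current time plus `passwordtime` from login.conf(5), and that an unset or zero `passwordtime` leaves `pw_change` at 0 (no expiry), otherwise an administrator reading pam_unix(8) has no way to know where the expiry date comes from.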
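Review bot: in the last pam_unix.c hunk `login_getcaptime(lc, "passwordtime", 0, 0)` and `login_close(lc)` are called on the handle returned by `login_getclass(pwd->pw_class)` without a NULL check, so the change relies on the login_cap(3) functions accepting a NULL handle and returning the default; confirm that holds for the DragonFly libutil before merging. Note also that the capability is read as an `rlim_t` and stored in a `time_t`, and that the `passwordtime > 0` test means a zero or negative value leaves `pw_change` at 0 (no expiry) rather than producing an expiry in the past; a `PAM_LOG_DEBUG` message recording the computed `pw_change`, alongside the existing `openpam_log` call, would make the new behaviour visible when diagnosing unexpected expiry dates.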