1 /* Unix NT password database implementation, version 0.6.
3 * This program is free software; you can redistribute it and/or modify it under
4 * the terms of the GNU General Public License as published by the Free
5 * Software Foundation; either version 3 of the License, or (at your option)
8 * This program is distributed in the hope that it will be useful, but WITHOUT
9 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
10 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
13 * You should have received a copy of the GNU General Public License along with
14 * this program; if not, see <http://www.gnu.org/licenses/>.
24 #include "../libcli/auth/libcli_auth.h"
25 #if defined(HAVE_SECURITY_PAM_EXT_H)
26 #include <security/pam_ext.h>
27 #elif defined(HAVE_PAM_PAM_EXT_H)
28 #include <pam/pam_ext.h>
31 #if defined(HAVE_SECURITY__PAM_MACROS_H)
32 #include <security/_pam_macros.h>
33 #elif defined(HAVE_PAM__PAM_MACROS_H)
34 #include <pam/_pam_macros.h>
41 #define _pam_overwrite(x) \
43 register char *__xx__; \
50 * Don't just free it, forget it too.
53 #define _pam_drop(X) \
61 #define _pam_drop_reply(/* struct pam_response * */ reply, /* int */ replies) \
65 for (reply_i=0; reply_i<replies; ++reply_i) { \
66 if (reply[reply_i].resp) { \
67 _pam_overwrite(reply[reply_i].resp); \
68 free(reply[reply_i].resp); \
76 int converse(pam_handle_t *, int, int, struct pam_message **,
77 struct pam_response **);
78 int make_remark(pam_handle_t *, unsigned int, int, const char *);
79 void _cleanup(pam_handle_t *, void *, int);
80 char *_pam_delete(register char *);
82 /* syslogging function for errors and other information */
83 #ifdef HAVE_PAM_VSYSLOG
84 void _log_err( pam_handle_t *pamh, int err, const char *format, ... )
88 va_start(args, format);
89 pam_vsyslog(pamh, err, format, args);
93 void _log_err( pam_handle_t *pamh, int err, const char *format, ... )
98 if (asprintf(&mod_format, "(pam_smbpass) %s", format) == -1) {
100 * try really, really hard to log something, since
101 * this may have been a message about a malloc()
104 va_start(args, format);
105 vsyslog(err | LOG_AUTH, format, args);
110 va_start(args, format);
111 vsyslog(err | LOG_AUTH, mod_format, args);
118 /* this is a front-end for module-application conversations */
120 int converse( pam_handle_t * pamh, int ctrl, int nargs
121 , struct pam_message **message
122 , struct pam_response **response )
125 struct pam_conv *conv;
127 retval = _pam_get_item(pamh, PAM_CONV, &conv);
128 if (retval == PAM_SUCCESS) {
130 retval = conv->conv(nargs, (const struct pam_message **) message
131 ,response, conv->appdata_ptr);
133 if (retval != PAM_SUCCESS && on(SMB_DEBUG, ctrl)) {
134 _log_err(pamh, LOG_DEBUG, "conversation failure [%s]"
135 ,pam_strerror(pamh, retval));
138 _log_err(pamh, LOG_ERR, "couldn't obtain coversation function [%s]"
139 ,pam_strerror(pamh, retval));
142 return retval; /* propagate error status */
145 int make_remark( pam_handle_t * pamh, unsigned int ctrl
146 , int type, const char *text )
148 if (off(SMB__QUIET, ctrl)) {
149 struct pam_message *pmsg[1], msg[1];
150 struct pam_response *resp;
153 msg[0].msg = discard_const_p(char, text);
154 msg[0].msg_style = type;
157 return converse(pamh, ctrl, 1, pmsg, &resp);
163 /* set the control flags for the SMB module. */
165 int set_ctrl( pam_handle_t *pamh, int flags, int argc, const char **argv )
168 const char *service_file = NULL;
171 ctrl = SMB_DEFAULTS; /* the default selection of options */
173 /* set some flags manually */
175 /* A good, sane default (matches Samba's behavior). */
176 set( SMB__NONULL, ctrl );
178 /* initialize service file location */
179 service_file=get_dyn_CONFIGFILE();
181 if (flags & PAM_SILENT) {
182 set( SMB__QUIET, ctrl );
185 /* Run through the arguments once, looking for an alternate smb config
190 for (j = 0; j < SMB_CTRLS_; ++j) {
191 if (smb_args[j].token
192 && !strncmp(argv[i], smb_args[j].token, strlen(smb_args[j].token)))
198 if (j == SMB_CONF_FILE) {
199 service_file = argv[i] + 8;
204 /* Read some options from the Samba config. Can be overridden by
206 if(lp_load_client(service_file) == false) {
207 _log_err(pamh, LOG_ERR, "Error loading service file %s", service_file);
212 if (lp_null_passwords()) {
213 set( SMB__NULLOK, ctrl );
216 /* now parse the rest of the arguments to this module */
221 for (j = 0; j < SMB_CTRLS_; ++j) {
222 if (smb_args[j].token
223 && !strncmp(*argv, smb_args[j].token, strlen(smb_args[j].token)))
229 if (j >= SMB_CTRLS_) {
230 _log_err(pamh, LOG_ERR, "unrecognized option [%s]", *argv);
232 ctrl &= smb_args[j].mask; /* for turning things off */
233 ctrl |= smb_args[j].flag; /* for turning things on */
236 ++argv; /* step to next argument */
239 /* auditing is a more sensitive version of debug */
241 if (on( SMB_AUDIT, ctrl )) {
242 set( SMB_DEBUG, ctrl );
244 /* return the set of flags */
249 /* use this to free strings. ESPECIALLY password strings */
251 char * _pam_delete( register char *xx )
253 _pam_overwrite( xx );
258 void _cleanup( pam_handle_t * pamh, void *x, int error_status )
260 x = _pam_delete( (char *) x );
265 * Safe duplication of character strings. "Paranoid"; don't leave
266 * evidence of old token around for later stack analysis.
269 char * smbpXstrDup( pam_handle_t *pamh, const char *x )
271 register char *newstr = NULL;
276 for (i = 0; x[i]; ++i); /* length of string */
277 if ((newstr = SMB_MALLOC_ARRAY(char, ++i)) == NULL) {
279 _log_err(pamh, LOG_CRIT, "out of memory in smbpXstrDup");
287 return newstr; /* return the duplicate or NULL on error */
290 /* ************************************************************** *
291 * Useful non-trivial functions *
292 * ************************************************************** */
294 void _cleanup_failures( pam_handle_t * pamh, void *fl, int err )
297 const char *service = NULL;
298 struct _pam_failed_auth *failure;
300 #ifdef PAM_DATA_SILENT
301 quiet = err & PAM_DATA_SILENT; /* should we log something? */
305 #ifdef PAM_DATA_REPLACE
306 err &= PAM_DATA_REPLACE; /* are we just replacing data? */
308 failure = (struct _pam_failed_auth *) fl;
310 if (failure != NULL) {
312 #ifdef PAM_DATA_SILENT
313 if (!quiet && !err) { /* under advisement from Sun,may go away */
315 if (!quiet) { /* under advisement from Sun,may go away */
318 /* log the number of authentication failures */
319 if (failure->count != 0) {
320 _pam_get_item( pamh, PAM_SERVICE, &service );
321 _log_err(pamh, LOG_NOTICE
322 , "%d authentication %s "
323 "from %s for service %s as %s(%d)"
325 , failure->count == 1 ? "failure" : "failures"
327 , service == NULL ? "**unknown**" : service
328 , failure->user, failure->id );
329 if (failure->count > SMB_MAX_RETRIES) {
330 _log_err(pamh, LOG_ALERT
331 , "service(%s) ignoring max retries; %d > %d"
332 , service == NULL ? "**unknown**" : service
338 _pam_delete( failure->agent ); /* tidy up */
339 _pam_delete( failure->user ); /* tidy up */
340 SAFE_FREE( failure );
344 int _smb_verify_password( pam_handle_t * pamh, struct samu *sampass,
345 const char *p, unsigned int ctrl )
349 int retval = PAM_AUTH_ERR;
356 name = pdb_get_username(sampass);
358 #ifdef HAVE_PAM_FAIL_DELAY
359 if (off( SMB_NODELAY, ctrl )) {
360 (void) pam_fail_delay( pamh, 1000000 ); /* 1 sec delay for on failure */
364 if (!pdb_get_nt_passwd(sampass))
366 _log_err(pamh, LOG_DEBUG, "user %s has null SMB password", name);
368 if (off( SMB__NONULL, ctrl )
369 && (pdb_get_acct_ctrl(sampass) & ACB_PWNOTREQ))
370 { /* this means we've succeeded */
375 _pam_get_item( pamh, PAM_SERVICE, &service );
376 _log_err(pamh, LOG_NOTICE, "failed auth request by %s for service %s as %s",
377 uidtoname(getuid()), service ? service : "**unknown**", name);
382 if (asprintf(&data_name, "-SMB-FAIL- %s", name) == -1) {
383 _log_err(pamh, LOG_CRIT, "no memory for data-name" );
388 * The password we were given wasn't an encrypted password, or it
389 * didn't match the one we have. We encrypt the password now and try
393 nt_lm_owf_gen(p, nt_pw, lm_pw);
395 /* the moment of truth -- do we agree with the password? */
397 if (!memcmp( nt_pw, pdb_get_nt_passwd(sampass), 16 )) {
399 retval = PAM_SUCCESS;
400 if (data_name) { /* reset failures */
401 pam_set_data(pamh, data_name, NULL, _cleanup_failures);
407 _pam_get_item( pamh, PAM_SERVICE, &service );
409 if (data_name != NULL) {
410 struct _pam_failed_auth *newauth = NULL;
411 const struct _pam_failed_auth *old = NULL;
413 /* get a failure recorder */
415 newauth = SMB_MALLOC_P( struct _pam_failed_auth );
417 if (newauth != NULL) {
419 /* any previous failures for this user ? */
420 _pam_get_data(pamh, data_name, &old);
423 newauth->count = old->count + 1;
424 if (newauth->count >= SMB_MAX_RETRIES) {
425 retval = PAM_MAXTRIES;
428 _log_err(pamh, LOG_NOTICE,
429 "failed auth request by %s for service %s as %s",
431 service ? service : "**unknown**", name);
434 if (!sid_to_uid(pdb_get_user_sid(sampass), &(newauth->id))) {
435 _log_err(pamh, LOG_NOTICE,
436 "failed auth request by %s for service %s as %s",
438 service ? service : "**unknown**", name);
440 newauth->user = smbpXstrDup( pamh, name );
441 newauth->agent = smbpXstrDup( pamh, uidtoname( getuid() ) );
442 pam_set_data( pamh, data_name, newauth, _cleanup_failures );
445 _log_err(pamh, LOG_CRIT, "no memory for failure recorder" );
446 _log_err(pamh, LOG_NOTICE,
447 "failed auth request by %s for service %s as %s(%d)",
449 service ? service : "**unknown**", name);
452 _log_err(pamh, LOG_NOTICE,
453 "failed auth request by %s for service %s as %s(%d)",
455 service ? service : "**unknown**", name);
456 retval = PAM_AUTH_ERR;
459 _pam_delete( data_name );
466 * _smb_blankpasswd() is a quick check for a blank password
468 * returns TRUE if user does not have a password
469 * - to avoid prompting for one in such cases (CG)
472 int _smb_blankpasswd( unsigned int ctrl, struct samu *sampass )
477 * This function does not have to be too smart if something goes
478 * wrong, return FALSE and let this case to be treated somewhere
482 if (on( SMB__NONULL, ctrl ))
483 return 0; /* will fail but don't let on yet */
485 if (!(pdb_get_acct_ctrl(sampass) & ACB_PWNOTREQ))
488 if (pdb_get_nt_passwd(sampass) == NULL)
497 * obtain a password from the user
500 int _smb_read_password( pam_handle_t * pamh, unsigned int ctrl,
501 const char *comment, const char *prompt1,
502 const char *prompt2, const char *data_name, char **pass )
509 struct pam_message msg[3], *pmsg[3];
510 struct pam_response *resp;
514 /* make sure nothing inappropriate gets returned */
516 *pass = token = NULL;
518 /* which authentication token are we getting? */
520 authtok_flag = on(SMB__OLD_PASSWD, ctrl) ? PAM_OLDAUTHTOK : PAM_AUTHTOK;
522 /* should we obtain the password from a PAM item ? */
524 if (on(SMB_TRY_FIRST_PASS, ctrl) || on(SMB_USE_FIRST_PASS, ctrl)) {
525 retval = _pam_get_item( pamh, authtok_flag, &item );
526 if (retval != PAM_SUCCESS) {
528 _log_err(pamh, LOG_ALERT,
529 "pam_get_item returned error to smb_read_password");
531 } else if (item != NULL) { /* we have a password! */
535 } else if (on( SMB_USE_FIRST_PASS, ctrl )) {
536 return PAM_AUTHTOK_RECOVER_ERR; /* didn't work */
537 } else if (on( SMB_USE_AUTHTOK, ctrl )
538 && off( SMB__OLD_PASSWD, ctrl ))
540 return PAM_AUTHTOK_RECOVER_ERR;
545 * getting here implies we will have to get the password from the
549 /* prepare to converse */
550 if (comment != NULL && off(SMB__QUIET, ctrl)) {
552 msg[0].msg_style = PAM_TEXT_INFO;
553 msg[0].msg = discard_const_p(char, comment);
560 msg[i].msg_style = PAM_PROMPT_ECHO_OFF;
561 msg[i++].msg = discard_const_p(char, prompt1);
563 if (prompt2 != NULL) {
565 msg[i].msg_style = PAM_PROMPT_ECHO_OFF;
566 msg[i++].msg = discard_const_p(char, prompt2);
573 retval = converse( pamh, ctrl, i, pmsg, &resp );
576 int j = comment ? 1 : 0;
577 /* interpret the response */
579 if (retval == PAM_SUCCESS) { /* a good conversation */
581 token = smbpXstrDup(pamh, resp[j++].resp);
584 /* verify that password entered correctly */
585 if (!resp[j].resp || strcmp( token, resp[j].resp )) {
586 _pam_delete( token );
587 retval = PAM_AUTHTOK_RECOVER_ERR;
588 make_remark( pamh, ctrl, PAM_ERROR_MSG
593 _log_err(pamh, LOG_NOTICE,
594 "could not recover authentication token");
599 _pam_drop_reply( resp, expect );
602 retval = (retval == PAM_SUCCESS) ? PAM_AUTHTOK_RECOVER_ERR : retval;
605 if (retval != PAM_SUCCESS) {
606 if (on( SMB_DEBUG, ctrl ))
607 _log_err(pamh, LOG_DEBUG, "unable to obtain a password");
610 /* 'token' is the entered password */
612 if (off( SMB_NOT_SET_PASS, ctrl )) {
614 /* we store this password as an item */
616 retval = pam_set_item( pamh, authtok_flag, (const void *)token );
617 _pam_delete( token ); /* clean it up */
618 if (retval != PAM_SUCCESS
619 || (retval = _pam_get_item( pamh, authtok_flag
620 ,&item )) != PAM_SUCCESS)
622 _log_err(pamh, LOG_CRIT, "error manipulating password");
627 * then store it as data specific to this module. pam_end()
628 * will arrange to clean it up.
631 retval = pam_set_data( pamh, data_name, (void *) token, _cleanup );
632 if (retval != PAM_SUCCESS
633 || (retval = _pam_get_data( pamh, data_name, &item ))
636 _log_err(pamh, LOG_CRIT, "error manipulating password data [%s]",
637 pam_strerror( pamh, retval ));
638 _pam_delete( token );
642 token = NULL; /* break link to password */
646 item = NULL; /* break link to password */
651 int _pam_smb_approve_pass(pam_handle_t * pamh,
653 const char *pass_old,
654 const char *pass_new )
657 /* Further checks should be handled through module stacking. -SRL */
658 if (pass_new == NULL || (pass_old && !strcmp( pass_old, pass_new )))
660 if (on(SMB_DEBUG, ctrl)) {
661 _log_err(pamh, LOG_DEBUG,
662 "passwd: bad authentication token (null or unchanged)");
664 make_remark( pamh, ctrl, PAM_ERROR_MSG, pass_new == NULL ?
665 "No password supplied" : "Password unchanged" );
666 return PAM_AUTHTOK_ERR;
673 * Work around the pam API that has functions with void ** as parameters
674 * These lead to strict aliasing warnings with gcc.
676 int _pam_get_item(const pam_handle_t *pamh,
680 const void **item = (const void **)_item;
681 return pam_get_item(pamh, item_type, item);
684 int _pam_get_data(const pam_handle_t *pamh,
685 const char *module_data_name,
688 const void **data = (const void **)_data;
689 return pam_get_data(pamh, module_data_name, data);