1 /* Unix NT password database implementation, version 0.6.
3 * This program is free software; you can redistribute it and/or modify it under
4 * the terms of the GNU General Public License as published by the Free
5 * Software Foundation; either version 2 of the License, or (at your option)
8 * This program is distributed in the hope that it will be useful, but WITHOUT
9 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
10 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
13 * You should have received a copy of the GNU General Public License along with
14 * this program; if not, write to the Free Software Foundation, Inc., 675
15 * Mass Ave, Cambridge, MA 02139, USA.
24 #define _pam_overwrite(x) \
26 register char *__xx__; \
33 * Don't just free it, forget it too.
36 #define _pam_drop(X) \
44 #define _pam_drop_reply(/* struct pam_response * */ reply, /* int */ replies) \
48 for (reply_i=0; reply_i<replies; ++reply_i) { \
49 if (reply[reply_i].resp) { \
50 _pam_overwrite(reply[reply_i].resp); \
51 free(reply[reply_i].resp); \
59 int converse(pam_handle_t *, int, int, struct pam_message **,
60 struct pam_response **);
61 int make_remark(pam_handle_t *, unsigned int, int, const char *);
62 void _cleanup(pam_handle_t *, void *, int);
63 char *_pam_delete(register char *);
65 /* syslogging function for errors and other information */
67 void _log_err( int err, const char *format, ... )
71 va_start( args, format );
72 openlog( "PAM_smbpass", LOG_CONS | LOG_PID, LOG_AUTH );
73 vsyslog( err, format, args );
78 /* this is a front-end for module-application conversations */
80 int converse( pam_handle_t * pamh, int ctrl, int nargs
81 , struct pam_message **message
82 , struct pam_response **response )
85 struct pam_conv *conv;
87 retval = pam_get_item(pamh, PAM_CONV, (const void **) &conv);
88 if (retval == PAM_SUCCESS) {
90 retval = conv->conv(nargs, (const struct pam_message **) message
91 ,response, conv->appdata_ptr);
93 if (retval != PAM_SUCCESS && on(SMB_DEBUG, ctrl)) {
94 _log_err(LOG_DEBUG, "conversation failure [%s]"
95 ,pam_strerror(pamh, retval));
98 _log_err(LOG_ERR, "couldn't obtain coversation function [%s]"
99 ,pam_strerror(pamh, retval));
102 return retval; /* propagate error status */
105 int make_remark( pam_handle_t * pamh, unsigned int ctrl
106 , int type, const char *text )
108 if (off(SMB__QUIET, ctrl)) {
109 struct pam_message *pmsg[1], msg[1];
110 struct pam_response *resp;
114 msg[0].msg_style = type;
117 return converse(pamh, ctrl, 1, pmsg, &resp);
123 /* set the control flags for the SMB module. */
125 int set_ctrl( int flags, int argc, const char **argv )
128 static pstring servicesf = dyn_CONFIGFILE;
129 const char *service_file = servicesf;
132 ctrl = SMB_DEFAULTS; /* the default selection of options */
134 /* set some flags manually */
136 /* A good, sane default (matches Samba's behavior). */
137 set( SMB__NONULL, ctrl );
139 if (flags & PAM_SILENT) {
140 set( SMB__QUIET, ctrl );
143 /* Run through the arguments once, looking for an alternate smb config
148 for (j = 0; j < SMB_CTRLS_; ++j) {
149 if (smb_args[j].token
150 && !strncmp(argv[i], smb_args[j].token, strlen(smb_args[j].token)))
156 if (j == SMB_CONF_FILE) {
157 service_file = argv[i] + 8;
162 /* Read some options from the Samba config. Can be overridden by
164 if(lp_load(service_file,True,False,False) == False) {
165 _log_err( LOG_ERR, "Error loading service file %s", service_file );
168 if (lp_null_passwords()) {
169 set( SMB__NULLOK, ctrl );
172 /* now parse the rest of the arguments to this module */
177 for (j = 0; j < SMB_CTRLS_; ++j) {
178 if (smb_args[j].token
179 && !strncmp(*argv, smb_args[j].token, strlen(smb_args[j].token)))
185 if (j >= SMB_CTRLS_) {
186 _log_err( LOG_ERR, "unrecognized option [%s]", *argv );
188 ctrl &= smb_args[j].mask; /* for turning things off */
189 ctrl |= smb_args[j].flag; /* for turning things on */
192 ++argv; /* step to next argument */
195 /* auditing is a more sensitive version of debug */
197 if (on( SMB_AUDIT, ctrl )) {
198 set( SMB_DEBUG, ctrl );
200 /* return the set of flags */
205 /* use this to free strings. ESPECIALLY password strings */
207 char * _pam_delete( register char *xx )
209 _pam_overwrite( xx );
214 void _cleanup( pam_handle_t * pamh, void *x, int error_status )
216 x = _pam_delete( (char *) x );
220 * Safe duplication of character strings. "Paranoid"; don't leave
221 * evidence of old token around for later stack analysis.
224 char * smb_xstrdup( const char *x )
226 register char *new = NULL;
231 for (i = 0; x[i]; ++i); /* length of string */
232 if ((new = malloc(++i)) == NULL) {
234 _log_err( LOG_CRIT, "out of memory in smb_xstrdup" );
242 return new; /* return the duplicate or NULL on error */
245 /* ************************************************************** *
246 * Useful non-trivial functions *
247 * ************************************************************** */
249 void _cleanup_failures( pam_handle_t * pamh, void *fl, int err )
252 const char *service = NULL;
253 struct _pam_failed_auth *failure;
255 #ifdef PAM_DATA_SILENT
256 quiet = err & PAM_DATA_SILENT; /* should we log something? */
260 #ifdef PAM_DATA_REPLACE
261 err &= PAM_DATA_REPLACE; /* are we just replacing data? */
263 failure = (struct _pam_failed_auth *) fl;
265 if (failure != NULL) {
267 #ifdef PAM_DATA_SILENT
268 if (!quiet && !err) { /* under advisement from Sun,may go away */
270 if (!quiet) { /* under advisement from Sun,may go away */
273 /* log the number of authentication failures */
274 if (failure->count != 0) {
275 pam_get_item( pamh, PAM_SERVICE, (const void **) &service );
277 , "%d authentication %s "
278 "from %s for service %s as %s(%d)"
280 , failure->count == 1 ? "failure" : "failures"
282 , service == NULL ? "**unknown**" : service
283 , failure->user, failure->id );
284 if (failure->count > SMB_MAX_RETRIES) {
286 , "service(%s) ignoring max retries; %d > %d"
287 , service == NULL ? "**unknown**" : service
293 _pam_delete( failure->agent ); /* tidy up */
294 _pam_delete( failure->user ); /* tidy up */
299 int _smb_verify_password( pam_handle_t * pamh
300 , const struct smb_passwd *smb_pwent
301 , const char *p, unsigned int ctrl )
313 name = smb_pwent->smb_name;
315 #ifdef HAVE_PAM_FAIL_DELAY
316 if (off( SMB_NODELAY, ctrl )) {
317 (void) pam_fail_delay( pamh, 1000000 ); /* 1 sec delay for on failure */
321 if (!smb_pwent->smb_passwd)
323 _log_err( LOG_DEBUG, "user %s has null SMB password"
326 if (off( SMB__NONULL, ctrl )
327 && (smb_pwent->acct_ctrl & ACB_PWNOTREQ))
328 { /* this means we've succeeded */
333 pam_get_item( pamh, PAM_SERVICE, (const void **)&service );
335 , "failed auth request by %s for service %s as %s(%d)"
336 , uidtoname( getuid() )
337 , service ? service : "**unknown**", name
338 , smb_pwent->smb_userid );
343 data_name = (char *) malloc( sizeof(FAIL_PREFIX)
345 if (data_name == NULL) {
346 _log_err( LOG_CRIT, "no memory for data-name" );
348 strncpy( data_name, FAIL_PREFIX, sizeof(FAIL_PREFIX) );
349 strncpy( data_name + sizeof(FAIL_PREFIX) - 1, name, strlen( name ) + 1 );
351 /* First we check whether we've been given the password in already
353 if (strlen( p ) == 16 || (strlen( p ) == 32
354 && pdb_gethexpwd( p, (char *) hash_pass ))) {
356 if (!memcmp( hash_pass, smb_pwent->smb_passwd, 16 )
357 || (smb_pwent->smb_nt_passwd
358 && !memcmp( hash_pass, smb_pwent->smb_nt_passwd, 16 )))
360 retval = PAM_SUCCESS;
361 if (data_name) { /* reset failures */
362 pam_set_data( pamh, data_name, NULL, _cleanup_failures );
364 _pam_delete( data_name );
365 memset( hash_pass, '\0', 16 );
372 * The password we were given wasn't an encrypted password, or it
373 * didn't match the one we have. We encrypt the password now and try
377 nt_lm_owf_gen(p, nt_pw, lm_pw);
379 /* the moment of truth -- do we agree with the password? */
381 if (!memcmp( nt_pw, smb_pwent->smb_nt_passwd, 16 )) {
383 retval = PAM_SUCCESS;
384 if (data_name) { /* reset failures */
385 pam_set_data(pamh, data_name, NULL, _cleanup_failures);
391 pam_get_item( pamh, PAM_SERVICE, (const void **)&service );
393 if (data_name != NULL) {
394 struct _pam_failed_auth *new = NULL;
395 const struct _pam_failed_auth *old = NULL;
397 /* get a failure recorder */
399 new = (struct _pam_failed_auth *)
400 malloc( sizeof(struct _pam_failed_auth) );
404 /* any previous failures for this user ? */
405 pam_get_data(pamh, data_name, (const void **) &old);
408 new->count = old->count + 1;
409 if (new->count >= SMB_MAX_RETRIES) {
410 retval = PAM_MAXTRIES;
414 , "failed auth request by %s for service %s as %s(%d)"
415 , uidtoname( getuid() )
416 , service ? service : "**unknown**", name
417 , smb_pwent->smb_userid );
420 new->user = smb_xstrdup( name );
421 new->id = smb_pwent->smb_userid;
422 new->agent = smb_xstrdup( uidtoname( getuid() ) );
423 pam_set_data( pamh, data_name, new, _cleanup_failures );
426 _log_err( LOG_CRIT, "no memory for failure recorder" );
428 , "failed auth request by %s for service %s as %s(%d)"
429 , uidtoname( getuid() )
430 , service ? service : "**unknown**", name
431 , smb_pwent->smb_userid );
435 , "failed auth request by %s for service %s as %s(%d)"
436 , uidtoname( getuid() )
437 , service ? service : "**unknown**", name
438 , smb_pwent->smb_userid );
439 retval = PAM_AUTH_ERR;
443 _pam_delete( data_name );
450 * _smb_blankpasswd() is a quick check for a blank password
452 * returns TRUE if user does not have a password
453 * - to avoid prompting for one in such cases (CG)
456 int _smb_blankpasswd( unsigned int ctrl, const struct smb_passwd *smb_pwent )
461 * This function does not have to be too smart if something goes
462 * wrong, return FALSE and let this case to be treated somewhere
466 if (on( SMB__NONULL, ctrl ))
467 return 0; /* will fail but don't let on yet */
469 if (smb_pwent->smb_passwd == NULL)
478 * obtain a password from the user
481 int _smb_read_password( pam_handle_t * pamh, unsigned int ctrl
482 , const char *comment, const char *prompt1
483 , const char *prompt2, const char *data_name
484 , const char **pass )
488 const char *item = NULL;
491 struct pam_message msg[3], *pmsg[3];
492 struct pam_response *resp;
496 /* make sure nothing inappropriate gets returned */
498 *pass = token = NULL;
500 /* which authentication token are we getting? */
502 authtok_flag = on(SMB__OLD_PASSWD, ctrl) ? PAM_OLDAUTHTOK : PAM_AUTHTOK;
504 /* should we obtain the password from a PAM item ? */
506 if (on(SMB_TRY_FIRST_PASS, ctrl) || on(SMB_USE_FIRST_PASS, ctrl)) {
507 retval = pam_get_item( pamh, authtok_flag, (const void **) &item );
508 if (retval != PAM_SUCCESS) {
511 , "pam_get_item returned error to smb_read_password" );
513 } else if (item != NULL) { /* we have a password! */
517 } else if (on( SMB_USE_FIRST_PASS, ctrl )) {
518 return PAM_AUTHTOK_RECOVER_ERR; /* didn't work */
519 } else if (on( SMB_USE_AUTHTOK, ctrl )
520 && off( SMB__OLD_PASSWD, ctrl ))
522 return PAM_AUTHTOK_RECOVER_ERR;
527 * getting here implies we will have to get the password from the
531 /* prepare to converse */
532 if (comment != NULL && off(SMB__QUIET, ctrl)) {
534 msg[0].msg_style = PAM_TEXT_INFO;
535 msg[0].msg = comment;
542 msg[i].msg_style = PAM_PROMPT_ECHO_OFF;
543 msg[i++].msg = prompt1;
545 if (prompt2 != NULL) {
547 msg[i].msg_style = PAM_PROMPT_ECHO_OFF;
548 msg[i++].msg = prompt2;
555 retval = converse( pamh, ctrl, i, pmsg, &resp );
558 int j = comment ? 1 : 0;
559 /* interpret the response */
561 if (retval == PAM_SUCCESS) { /* a good conversation */
563 token = smb_xstrdup(resp[j++].resp);
566 /* verify that password entered correctly */
567 if (!resp[j].resp || strcmp( token, resp[j].resp )) {
568 _pam_delete( token );
569 retval = PAM_AUTHTOK_RECOVER_ERR;
570 make_remark( pamh, ctrl, PAM_ERROR_MSG
575 _log_err(LOG_NOTICE, "could not recover authentication token");
580 _pam_drop_reply( resp, expect );
583 retval = (retval == PAM_SUCCESS) ? PAM_AUTHTOK_RECOVER_ERR : retval;
586 if (retval != PAM_SUCCESS) {
587 if (on( SMB_DEBUG, ctrl ))
588 _log_err( LOG_DEBUG, "unable to obtain a password" );
591 /* 'token' is the entered password */
593 if (off( SMB_NOT_SET_PASS, ctrl )) {
595 /* we store this password as an item */
597 retval = pam_set_item( pamh, authtok_flag, (const void *)token );
598 _pam_delete( token ); /* clean it up */
599 if (retval != PAM_SUCCESS
600 || (retval = pam_get_item( pamh, authtok_flag
601 ,(const void **)&item )) != PAM_SUCCESS)
603 _log_err( LOG_CRIT, "error manipulating password" );
608 * then store it as data specific to this module. pam_end()
609 * will arrange to clean it up.
612 retval = pam_set_data( pamh, data_name, (void *) token, _cleanup );
613 if (retval != PAM_SUCCESS
614 || (retval = pam_get_data( pamh, data_name, (const void **)&item ))
617 _log_err( LOG_CRIT, "error manipulating password data [%s]"
618 , pam_strerror( pamh, retval ));
619 _pam_delete( token );
623 token = NULL; /* break link to password */
627 item = NULL; /* break link to password */
632 int _pam_smb_approve_pass(pam_handle_t * pamh
634 ,const char *pass_old
635 ,const char *pass_new)
638 /* Further checks should be handled through module stacking. -SRL */
639 if (pass_new == NULL || (pass_old && !strcmp( pass_old, pass_new )))
641 if (on(SMB_DEBUG, ctrl)) {
643 "passwd: bad authentication token (null or unchanged)" );
645 make_remark( pamh, ctrl, PAM_ERROR_MSG, pass_new == NULL ?
646 "No password supplied" : "Password unchanged" );
647 return PAM_AUTHTOK_ERR;