*
* This program is free software; you can redistribute it and/or modify it under
* the terms of the GNU General Public License as published by the Free
- * Software Foundation; either version 2 of the License, or (at your option)
+ * Software Foundation; either version 3 of the License, or (at your option)
* any later version.
*
* This program is distributed in the hope that it will be useful, but WITHOUT
* more details.
*
* You should have received a copy of the GNU General Public License along with
- * this program; if not, write to the Free Software Foundation, Inc., 675
- * Mass Ave, Cambridge, MA 02139, USA.
+ * this program; if not, see <http://www.gnu.org/licenses/>.
*/
+#include "config.h"
#include "includes.h"
#include "general.h"
#include "support.h"
+#include "../libcli/auth/libcli_auth.h"
+
#define _pam_overwrite(x) \
do { \
register char *__xx__; \
if ((__xx__=(x))) \
- while (*__xx__) \
- *__xx__++ = '\0'; \
+ while (*__xx__) \
+ *__xx__++ = '\0'; \
} while (0)
/*
#define _pam_drop(X) \
do { \
if (X) { \
- free(X); \
- X=NULL; \
+ free(X); \
+ X=NULL; \
} \
} while (0)
#define _pam_drop_reply(/* struct pam_response * */ reply, /* int */ replies) \
do { \
int reply_i; \
- \
+ \
for (reply_i=0; reply_i<replies; ++reply_i) { \
- if (reply[reply_i].resp) { \
- _pam_overwrite(reply[reply_i].resp); \
- free(reply[reply_i].resp); \
- } \
+ if (reply[reply_i].resp) { \
+ _pam_overwrite(reply[reply_i].resp); \
+ free(reply[reply_i].resp); \
+ } \
} \
if (reply) \
- free(reply); \
+ free(reply); \
} while (0)
char *_pam_delete(register char *);
/* syslogging function for errors and other information */
+#ifdef HAVE_PAM_VSYSLOG
+void _log_err( pam_handle_t *pamh, int err, const char *format, ... )
+{
+ va_list args;
-void _log_err( int err, const char *format, ... )
+ va_start(args, format);
+ pam_vsyslog(pamh, err, format, args);
+ va_end(args);
+}
+#else
+void _log_err( pam_handle_t *pamh, int err, const char *format, ... )
{
- va_list args;
+ va_list args;
+ const char tag[] = "(pam_smbpass) ";
+ char *mod_format;
+
+ mod_format = SMB_MALLOC_ARRAY(char, sizeof(tag) + strlen(format));
+ /* try really, really hard to log something, since this may have
+ been a message about a malloc() failure... */
+ if (mod_format == NULL) {
+ va_start(args, format);
+ vsyslog(err | LOG_AUTH, format, args);
+ va_end(args);
+ return;
+ }
- va_start( args, format );
- openlog( "PAM_smbpass", LOG_CONS | LOG_PID, LOG_AUTH );
- vsyslog( err, format, args );
- va_end( args );
- closelog();
+ strncpy(mod_format, tag, strlen(tag)+1);
+ strncat(mod_format, format, strlen(format));
+
+ va_start(args, format);
+ vsyslog(err | LOG_AUTH, mod_format, args);
+ va_end(args);
+
+ free(mod_format);
}
+#endif
/* this is a front-end for module-application conversations */
int converse( pam_handle_t * pamh, int ctrl, int nargs
- , struct pam_message **message
- , struct pam_response **response )
+ , struct pam_message **message
+ , struct pam_response **response )
{
int retval;
struct pam_conv *conv;
- retval = pam_get_item(pamh, PAM_CONV, (const void **) &conv);
+ retval = _pam_get_item(pamh, PAM_CONV, &conv);
if (retval == PAM_SUCCESS) {
retval = conv->conv(nargs, (const struct pam_message **) message
,response, conv->appdata_ptr);
if (retval != PAM_SUCCESS && on(SMB_DEBUG, ctrl)) {
- _log_err(LOG_DEBUG, "conversation failure [%s]"
+ _log_err(pamh, LOG_DEBUG, "conversation failure [%s]"
,pam_strerror(pamh, retval));
}
} else {
- _log_err(LOG_ERR, "couldn't obtain coversation function [%s]"
+ _log_err(pamh, LOG_ERR, "couldn't obtain coversation function [%s]"
,pam_strerror(pamh, retval));
}
}
int make_remark( pam_handle_t * pamh, unsigned int ctrl
- , int type, const char *text )
+ , int type, const char *text )
{
if (off(SMB__QUIET, ctrl)) {
struct pam_message *pmsg[1], msg[1];
struct pam_response *resp;
pmsg[0] = &msg[0];
- msg[0].msg = text;
+ msg[0].msg = CONST_DISCARD(char *, text);
msg[0].msg_style = type;
resp = NULL;
/* set the control flags for the SMB module. */
-int set_ctrl( int flags, int argc, const char **argv )
+int set_ctrl( pam_handle_t *pamh, int flags, int argc, const char **argv )
{
int i = 0;
- static pstring servicesf = dyn_CONFIGFILE;
- const char *service_file = servicesf;
+ const char *service_file = NULL;
unsigned int ctrl;
ctrl = SMB_DEFAULTS; /* the default selection of options */
/* A good, sane default (matches Samba's behavior). */
set( SMB__NONULL, ctrl );
+ /* initialize service file location */
+ service_file=get_dyn_CONFIGFILE();
+
if (flags & PAM_SILENT) {
set( SMB__QUIET, ctrl );
}
/* Read some options from the Samba config. Can be overridden by
the PAM config. */
- if(lp_load(service_file,True,False,False) == False) {
- _log_err( LOG_ERR, "Error loading service file %s", service_file );
+ if(lp_load(service_file,True,False,False,True) == False) {
+ _log_err(pamh, LOG_ERR, "Error loading service file %s", service_file);
}
+ secrets_init();
+
if (lp_null_passwords()) {
set( SMB__NULLOK, ctrl );
}
}
if (j >= SMB_CTRLS_) {
- _log_err( LOG_ERR, "unrecognized option [%s]", *argv );
+ _log_err(pamh, LOG_ERR, "unrecognized option [%s]", *argv);
} else {
ctrl &= smb_args[j].mask; /* for turning things off */
ctrl |= smb_args[j].flag; /* for turning things on */
x = _pam_delete( (char *) x );
}
-/*
+/* JHT
+ *
* Safe duplication of character strings. "Paranoid"; don't leave
* evidence of old token around for later stack analysis.
+ *
*/
-
-char * smb_xstrdup( const char *x )
+char * smbpXstrDup( pam_handle_t *pamh, const char *x )
{
- register char *new = NULL;
+ register char *newstr = NULL;
if (x != NULL) {
register int i;
for (i = 0; x[i]; ++i); /* length of string */
- if ((new = malloc(++i)) == NULL) {
+ if ((newstr = SMB_MALLOC_ARRAY(char, ++i)) == NULL) {
i = 0;
- _log_err( LOG_CRIT, "out of memory in smb_xstrdup" );
+ _log_err(pamh, LOG_CRIT, "out of memory in smbpXstrDup");
} else {
while (i-- > 0) {
- new[i] = x[i];
+ newstr[i] = x[i];
}
}
x = NULL;
}
- return new; /* return the duplicate or NULL on error */
+ return newstr; /* return the duplicate or NULL on error */
}
/* ************************************************************** *
/* log the number of authentication failures */
if (failure->count != 0) {
- pam_get_item( pamh, PAM_SERVICE, (const void **) &service );
- _log_err( LOG_NOTICE
+ _pam_get_item( pamh, PAM_SERVICE, &service );
+ _log_err(pamh, LOG_NOTICE
, "%d authentication %s "
"from %s for service %s as %s(%d)"
, failure->count
, service == NULL ? "**unknown**" : service
, failure->user, failure->id );
if (failure->count > SMB_MAX_RETRIES) {
- _log_err( LOG_ALERT
+ _log_err(pamh, LOG_ALERT
, "service(%s) ignoring max retries; %d > %d"
, service == NULL ? "**unknown**" : service
, failure->count
}
_pam_delete( failure->agent ); /* tidy up */
_pam_delete( failure->user ); /* tidy up */
- free( failure );
+ SAFE_FREE( failure );
}
}
-int _smb_verify_password( pam_handle_t * pamh
- , const struct smb_passwd *smb_pwent
- , const char *p, unsigned int ctrl )
+int _smb_verify_password( pam_handle_t * pamh, struct samu *sampass,
+ const char *p, unsigned int ctrl )
{
- uchar hash_pass[16];
uchar lm_pw[16];
uchar nt_pw[16];
- int retval;
+ int retval = PAM_AUTH_ERR;
char *data_name;
const char *name;
- if (!smb_pwent)
+ if (!sampass)
return PAM_ABORT;
- name = smb_pwent->smb_name;
+ name = pdb_get_username(sampass);
#ifdef HAVE_PAM_FAIL_DELAY
if (off( SMB_NODELAY, ctrl )) {
}
#endif
- if (!smb_pwent->smb_passwd)
+ if (!pdb_get_nt_passwd(sampass))
{
- _log_err( LOG_DEBUG, "user %s has null SMB password"
- , name );
+ _log_err(pamh, LOG_DEBUG, "user %s has null SMB password", name);
if (off( SMB__NONULL, ctrl )
- && (smb_pwent->acct_ctrl & ACB_PWNOTREQ))
+ && (pdb_get_acct_ctrl(sampass) & ACB_PWNOTREQ))
{ /* this means we've succeeded */
return PAM_SUCCESS;
} else {
const char *service;
- pam_get_item( pamh, PAM_SERVICE, (const void **)&service );
- _log_err( LOG_NOTICE
- , "failed auth request by %s for service %s as %s(%d)"
- , uidtoname( getuid() )
- , service ? service : "**unknown**", name
- , smb_pwent->smb_userid );
+ _pam_get_item( pamh, PAM_SERVICE, &service );
+ _log_err(pamh, LOG_NOTICE, "failed auth request by %s for service %s as %s",
+ uidtoname(getuid()), service ? service : "**unknown**", name);
return PAM_AUTH_ERR;
}
}
- data_name = (char *) malloc( sizeof(FAIL_PREFIX)
- + strlen( name ));
+ data_name = SMB_MALLOC_ARRAY(char, sizeof(FAIL_PREFIX) + strlen( name ));
if (data_name == NULL) {
- _log_err( LOG_CRIT, "no memory for data-name" );
+ _log_err(pamh, LOG_CRIT, "no memory for data-name" );
+ return PAM_AUTH_ERR;
}
strncpy( data_name, FAIL_PREFIX, sizeof(FAIL_PREFIX) );
strncpy( data_name + sizeof(FAIL_PREFIX) - 1, name, strlen( name ) + 1 );
- /* First we check whether we've been given the password in already
- encrypted form. */
- if (strlen( p ) == 16 || (strlen( p ) == 32
- && pdb_gethexpwd( p, (char *) hash_pass ))) {
-
- if (!memcmp( hash_pass, smb_pwent->smb_passwd, 16 )
- || (smb_pwent->smb_nt_passwd
- && !memcmp( hash_pass, smb_pwent->smb_nt_passwd, 16 )))
- {
- retval = PAM_SUCCESS;
- if (data_name) { /* reset failures */
- pam_set_data( pamh, data_name, NULL, _cleanup_failures );
- }
- _pam_delete( data_name );
- memset( hash_pass, '\0', 16 );
- smb_pwent = NULL;
- return retval;
- }
- }
-
/*
* The password we were given wasn't an encrypted password, or it
* didn't match the one we have. We encrypt the password now and try
/* the moment of truth -- do we agree with the password? */
- if (!memcmp( nt_pw, smb_pwent->smb_nt_passwd, 16 )) {
+ if (!memcmp( nt_pw, pdb_get_nt_passwd(sampass), 16 )) {
retval = PAM_SUCCESS;
if (data_name) { /* reset failures */
const char *service;
- pam_get_item( pamh, PAM_SERVICE, (const void **)&service );
+ _pam_get_item( pamh, PAM_SERVICE, &service );
if (data_name != NULL) {
- struct _pam_failed_auth *new = NULL;
+ struct _pam_failed_auth *newauth = NULL;
const struct _pam_failed_auth *old = NULL;
/* get a failure recorder */
- new = (struct _pam_failed_auth *)
- malloc( sizeof(struct _pam_failed_auth) );
+ newauth = SMB_MALLOC_P( struct _pam_failed_auth );
- if (new != NULL) {
+ if (newauth != NULL) {
/* any previous failures for this user ? */
- pam_get_data(pamh, data_name, (const void **) &old);
+ _pam_get_data(pamh, data_name, &old);
if (old != NULL) {
- new->count = old->count + 1;
- if (new->count >= SMB_MAX_RETRIES) {
+ newauth->count = old->count + 1;
+ if (newauth->count >= SMB_MAX_RETRIES) {
retval = PAM_MAXTRIES;
}
} else {
- _log_err( LOG_NOTICE
- , "failed auth request by %s for service %s as %s(%d)"
- , uidtoname( getuid() )
- , service ? service : "**unknown**", name
- , smb_pwent->smb_userid );
- new->count = 1;
+ _log_err(pamh, LOG_NOTICE,
+ "failed auth request by %s for service %s as %s",
+ uidtoname(getuid()),
+ service ? service : "**unknown**", name);
+ newauth->count = 1;
}
- new->user = smb_xstrdup( name );
- new->id = smb_pwent->smb_userid;
- new->agent = smb_xstrdup( uidtoname( getuid() ) );
- pam_set_data( pamh, data_name, new, _cleanup_failures );
+ if (!sid_to_uid(pdb_get_user_sid(sampass), &(newauth->id))) {
+ _log_err(pamh, LOG_NOTICE,
+ "failed auth request by %s for service %s as %s",
+ uidtoname(getuid()),
+ service ? service : "**unknown**", name);
+ }
+ newauth->user = smbpXstrDup( pamh, name );
+ newauth->agent = smbpXstrDup( pamh, uidtoname( getuid() ) );
+ pam_set_data( pamh, data_name, newauth, _cleanup_failures );
} else {
- _log_err( LOG_CRIT, "no memory for failure recorder" );
- _log_err( LOG_NOTICE
- , "failed auth request by %s for service %s as %s(%d)"
- , uidtoname( getuid() )
- , service ? service : "**unknown**", name
- , smb_pwent->smb_userid );
+ _log_err(pamh, LOG_CRIT, "no memory for failure recorder" );
+ _log_err(pamh, LOG_NOTICE,
+ "failed auth request by %s for service %s as %s(%d)",
+ uidtoname(getuid()),
+ service ? service : "**unknown**", name);
}
- } else {
- _log_err( LOG_NOTICE
- , "failed auth request by %s for service %s as %s(%d)"
- , uidtoname( getuid() )
- , service ? service : "**unknown**", name
- , smb_pwent->smb_userid );
- retval = PAM_AUTH_ERR;
}
+ _log_err(pamh, LOG_NOTICE,
+ "failed auth request by %s for service %s as %s(%d)",
+ uidtoname(getuid()),
+ service ? service : "**unknown**", name);
+ retval = PAM_AUTH_ERR;
}
_pam_delete( data_name );
- smb_pwent = NULL;
+
return retval;
}
* - to avoid prompting for one in such cases (CG)
*/
-int _smb_blankpasswd( unsigned int ctrl, const struct smb_passwd *smb_pwent )
+int _smb_blankpasswd( unsigned int ctrl, struct samu *sampass )
{
int retval;
if (on( SMB__NONULL, ctrl ))
return 0; /* will fail but don't let on yet */
- if (smb_pwent->smb_passwd == NULL)
+ if (!(pdb_get_acct_ctrl(sampass) & ACB_PWNOTREQ))
+ return 0;
+
+ if (pdb_get_nt_passwd(sampass) == NULL)
retval = 1;
else
retval = 0;
* obtain a password from the user
*/
-int _smb_read_password( pam_handle_t * pamh, unsigned int ctrl
- , const char *comment, const char *prompt1
- , const char *prompt2, const char *data_name
- , const char **pass )
+int _smb_read_password( pam_handle_t * pamh, unsigned int ctrl,
+ const char *comment, const char *prompt1,
+ const char *prompt2, const char *data_name, char **pass )
{
int authtok_flag;
int retval;
- const char *item = NULL;
+ char *item = NULL;
char *token;
struct pam_message msg[3], *pmsg[3];
/* should we obtain the password from a PAM item ? */
if (on(SMB_TRY_FIRST_PASS, ctrl) || on(SMB_USE_FIRST_PASS, ctrl)) {
- retval = pam_get_item( pamh, authtok_flag, (const void **) &item );
+ retval = _pam_get_item( pamh, authtok_flag, &item );
if (retval != PAM_SUCCESS) {
/* very strange. */
- _log_err( LOG_ALERT
- , "pam_get_item returned error to smb_read_password" );
+ _log_err(pamh, LOG_ALERT,
+ "pam_get_item returned error to smb_read_password");
return retval;
} else if (item != NULL) { /* we have a password! */
*pass = item;
if (comment != NULL && off(SMB__QUIET, ctrl)) {
pmsg[0] = &msg[0];
msg[0].msg_style = PAM_TEXT_INFO;
- msg[0].msg = comment;
+ msg[0].msg = CONST_DISCARD(char *, comment);
i = 1;
} else {
i = 0;
pmsg[i] = &msg[i];
msg[i].msg_style = PAM_PROMPT_ECHO_OFF;
- msg[i++].msg = prompt1;
+ msg[i++].msg = CONST_DISCARD(char *, prompt1);
if (prompt2 != NULL) {
pmsg[i] = &msg[i];
msg[i].msg_style = PAM_PROMPT_ECHO_OFF;
- msg[i++].msg = prompt2;
+ msg[i++].msg = CONST_DISCARD(char *, prompt2);
expect = 2;
} else
expect = 1;
if (retval == PAM_SUCCESS) { /* a good conversation */
- token = smb_xstrdup(resp[j++].resp);
+ token = smbpXstrDup(pamh, resp[j++].resp);
if (token != NULL) {
if (expect == 2) {
/* verify that password entered correctly */
}
}
} else {
- _log_err(LOG_NOTICE, "could not recover authentication token");
+ _log_err(pamh, LOG_NOTICE,
+ "could not recover authentication token");
}
}
if (retval != PAM_SUCCESS) {
if (on( SMB_DEBUG, ctrl ))
- _log_err( LOG_DEBUG, "unable to obtain a password" );
+ _log_err(pamh, LOG_DEBUG, "unable to obtain a password");
return retval;
}
/* 'token' is the entered password */
retval = pam_set_item( pamh, authtok_flag, (const void *)token );
_pam_delete( token ); /* clean it up */
if (retval != PAM_SUCCESS
- || (retval = pam_get_item( pamh, authtok_flag
- ,(const void **)&item )) != PAM_SUCCESS)
+ || (retval = _pam_get_item( pamh, authtok_flag
+ ,&item )) != PAM_SUCCESS)
{
- _log_err( LOG_CRIT, "error manipulating password" );
+ _log_err(pamh, LOG_CRIT, "error manipulating password");
return retval;
}
} else {
retval = pam_set_data( pamh, data_name, (void *) token, _cleanup );
if (retval != PAM_SUCCESS
- || (retval = pam_get_data( pamh, data_name, (const void **)&item ))
+ || (retval = _pam_get_data( pamh, data_name, &item ))
!= PAM_SUCCESS)
{
- _log_err( LOG_CRIT, "error manipulating password data [%s]"
- , pam_strerror( pamh, retval ));
+ _log_err(pamh, LOG_CRIT, "error manipulating password data [%s]",
+ pam_strerror( pamh, retval ));
_pam_delete( token );
item = NULL;
return retval;
return PAM_SUCCESS;
}
-int _pam_smb_approve_pass(pam_handle_t * pamh
- ,unsigned int ctrl
- ,const char *pass_old
- ,const char *pass_new)
+int _pam_smb_approve_pass(pam_handle_t * pamh,
+ unsigned int ctrl,
+ const char *pass_old,
+ const char *pass_new )
{
/* Further checks should be handled through module stacking. -SRL */
if (pass_new == NULL || (pass_old && !strcmp( pass_old, pass_new )))
{
if (on(SMB_DEBUG, ctrl)) {
- _log_err( LOG_DEBUG,
- "passwd: bad authentication token (null or unchanged)" );
+ _log_err(pamh, LOG_DEBUG,
+ "passwd: bad authentication token (null or unchanged)");
}
make_remark( pamh, ctrl, PAM_ERROR_MSG, pass_new == NULL ?
"No password supplied" : "Password unchanged" );
return PAM_SUCCESS;
}
+
+/*
+ * Work around the pam API that has functions with void ** as parameters
+ * These lead to strict aliasing warnings with gcc.
+ */
+int _pam_get_item(const pam_handle_t *pamh,
+ int item_type,
+ const void *_item)
+{
+ const void **item = (const void **)_item;
+ return pam_get_item(pamh, item_type, item);
+}
+
+int _pam_get_data(const pam_handle_t *pamh,
+ const char *module_data_name,
+ const void *_data)
+{
+ const void **data = (const void **)_data;
+ return pam_get_data(pamh, module_data_name, data);
+}