1 /* Unix NT password database implementation, version 0.6.
3 * This program is free software; you can redistribute it and/or modify it under
4 * the terms of the GNU General Public License as published by the Free
5 * Software Foundation; either version 3 of the License, or (at your option)
8 * This program is distributed in the hope that it will be useful, but WITHOUT
9 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
10 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
13 * You should have received a copy of the GNU General Public License along with
14 * this program; if not, see <http://www.gnu.org/licenses/>.
23 #include "../libcli/auth/libcli_auth.h"
24 #if defined(HAVE_SECURITY_PAM_EXT_H)
25 #include <security/pam_ext.h>
26 #elif defined(HAVE_PAM_PAM_EXT_H)
27 #include <pam/pam_ext.h>
30 #if defined(HAVE_SECURITY__PAM_MACROS_H)
31 #include <security/_pam_macros.h>
32 #elif defined(HAVE_PAM__PAM_MACROS_H)
33 #include <pam/_pam_macros.h>
40 #define _pam_overwrite(x) \
42 register char *__xx__; \
49 * Don't just free it, forget it too.
52 #define _pam_drop(X) \
60 #define _pam_drop_reply(/* struct pam_response * */ reply, /* int */ replies) \
64 for (reply_i=0; reply_i<replies; ++reply_i) { \
65 if (reply[reply_i].resp) { \
66 _pam_overwrite(reply[reply_i].resp); \
67 free(reply[reply_i].resp); \
75 int converse(pam_handle_t *, int, int, struct pam_message **,
76 struct pam_response **);
77 int make_remark(pam_handle_t *, unsigned int, int, const char *);
78 void _cleanup(pam_handle_t *, void *, int);
79 char *_pam_delete(register char *);
81 /* syslogging function for errors and other information */
82 #ifdef HAVE_PAM_VSYSLOG
83 void _log_err( pam_handle_t *pamh, int err, const char *format, ... )
87 va_start(args, format);
88 pam_vsyslog(pamh, err, format, args);
92 void _log_err( pam_handle_t *pamh, int err, const char *format, ... )
95 const char tag[] = "(pam_smbpass) ";
98 mod_format = SMB_MALLOC_ARRAY(char, sizeof(tag) + strlen(format));
99 /* try really, really hard to log something, since this may have
100 been a message about a malloc() failure... */
101 if (mod_format == NULL) {
102 va_start(args, format);
103 vsyslog(err | LOG_AUTH, format, args);
108 strncpy(mod_format, tag, strlen(tag)+1);
109 strlcat(mod_format, format, strlen(format)+1);
111 va_start(args, format);
112 vsyslog(err | LOG_AUTH, mod_format, args);
119 /* this is a front-end for module-application conversations */
121 int converse( pam_handle_t * pamh, int ctrl, int nargs
122 , struct pam_message **message
123 , struct pam_response **response )
126 struct pam_conv *conv;
128 retval = _pam_get_item(pamh, PAM_CONV, &conv);
129 if (retval == PAM_SUCCESS) {
131 retval = conv->conv(nargs, (const struct pam_message **) message
132 ,response, conv->appdata_ptr);
134 if (retval != PAM_SUCCESS && on(SMB_DEBUG, ctrl)) {
135 _log_err(pamh, LOG_DEBUG, "conversation failure [%s]"
136 ,pam_strerror(pamh, retval));
139 _log_err(pamh, LOG_ERR, "couldn't obtain coversation function [%s]"
140 ,pam_strerror(pamh, retval));
143 return retval; /* propagate error status */
146 int make_remark( pam_handle_t * pamh, unsigned int ctrl
147 , int type, const char *text )
149 if (off(SMB__QUIET, ctrl)) {
150 struct pam_message *pmsg[1], msg[1];
151 struct pam_response *resp;
154 msg[0].msg = CONST_DISCARD(char *, text);
155 msg[0].msg_style = type;
158 return converse(pamh, ctrl, 1, pmsg, &resp);
164 /* set the control flags for the SMB module. */
166 int set_ctrl( pam_handle_t *pamh, int flags, int argc, const char **argv )
169 const char *service_file = NULL;
172 ctrl = SMB_DEFAULTS; /* the default selection of options */
174 /* set some flags manually */
176 /* A good, sane default (matches Samba's behavior). */
177 set( SMB__NONULL, ctrl );
179 /* initialize service file location */
180 service_file=get_dyn_CONFIGFILE();
182 if (flags & PAM_SILENT) {
183 set( SMB__QUIET, ctrl );
186 /* Run through the arguments once, looking for an alternate smb config
191 for (j = 0; j < SMB_CTRLS_; ++j) {
192 if (smb_args[j].token
193 && !strncmp(argv[i], smb_args[j].token, strlen(smb_args[j].token)))
199 if (j == SMB_CONF_FILE) {
200 service_file = argv[i] + 8;
205 /* Read some options from the Samba config. Can be overridden by
207 if(lp_load(service_file,True,False,False,True) == False) {
208 _log_err(pamh, LOG_ERR, "Error loading service file %s", service_file);
213 if (lp_null_passwords()) {
214 set( SMB__NULLOK, ctrl );
217 /* now parse the rest of the arguments to this module */
222 for (j = 0; j < SMB_CTRLS_; ++j) {
223 if (smb_args[j].token
224 && !strncmp(*argv, smb_args[j].token, strlen(smb_args[j].token)))
230 if (j >= SMB_CTRLS_) {
231 _log_err(pamh, LOG_ERR, "unrecognized option [%s]", *argv);
233 ctrl &= smb_args[j].mask; /* for turning things off */
234 ctrl |= smb_args[j].flag; /* for turning things on */
237 ++argv; /* step to next argument */
240 /* auditing is a more sensitive version of debug */
242 if (on( SMB_AUDIT, ctrl )) {
243 set( SMB_DEBUG, ctrl );
245 /* return the set of flags */
250 /* use this to free strings. ESPECIALLY password strings */
252 char * _pam_delete( register char *xx )
254 _pam_overwrite( xx );
259 void _cleanup( pam_handle_t * pamh, void *x, int error_status )
261 x = _pam_delete( (char *) x );
266 * Safe duplication of character strings. "Paranoid"; don't leave
267 * evidence of old token around for later stack analysis.
270 char * smbpXstrDup( pam_handle_t *pamh, const char *x )
272 register char *newstr = NULL;
277 for (i = 0; x[i]; ++i); /* length of string */
278 if ((newstr = SMB_MALLOC_ARRAY(char, ++i)) == NULL) {
280 _log_err(pamh, LOG_CRIT, "out of memory in smbpXstrDup");
288 return newstr; /* return the duplicate or NULL on error */
291 /* ************************************************************** *
292 * Useful non-trivial functions *
293 * ************************************************************** */
295 void _cleanup_failures( pam_handle_t * pamh, void *fl, int err )
298 const char *service = NULL;
299 struct _pam_failed_auth *failure;
301 #ifdef PAM_DATA_SILENT
302 quiet = err & PAM_DATA_SILENT; /* should we log something? */
306 #ifdef PAM_DATA_REPLACE
307 err &= PAM_DATA_REPLACE; /* are we just replacing data? */
309 failure = (struct _pam_failed_auth *) fl;
311 if (failure != NULL) {
313 #ifdef PAM_DATA_SILENT
314 if (!quiet && !err) { /* under advisement from Sun,may go away */
316 if (!quiet) { /* under advisement from Sun,may go away */
319 /* log the number of authentication failures */
320 if (failure->count != 0) {
321 _pam_get_item( pamh, PAM_SERVICE, &service );
322 _log_err(pamh, LOG_NOTICE
323 , "%d authentication %s "
324 "from %s for service %s as %s(%d)"
326 , failure->count == 1 ? "failure" : "failures"
328 , service == NULL ? "**unknown**" : service
329 , failure->user, failure->id );
330 if (failure->count > SMB_MAX_RETRIES) {
331 _log_err(pamh, LOG_ALERT
332 , "service(%s) ignoring max retries; %d > %d"
333 , service == NULL ? "**unknown**" : service
339 _pam_delete( failure->agent ); /* tidy up */
340 _pam_delete( failure->user ); /* tidy up */
341 SAFE_FREE( failure );
345 int _smb_verify_password( pam_handle_t * pamh, struct samu *sampass,
346 const char *p, unsigned int ctrl )
350 int retval = PAM_AUTH_ERR;
357 name = pdb_get_username(sampass);
359 #ifdef HAVE_PAM_FAIL_DELAY
360 if (off( SMB_NODELAY, ctrl )) {
361 (void) pam_fail_delay( pamh, 1000000 ); /* 1 sec delay for on failure */
365 if (!pdb_get_nt_passwd(sampass))
367 _log_err(pamh, LOG_DEBUG, "user %s has null SMB password", name);
369 if (off( SMB__NONULL, ctrl )
370 && (pdb_get_acct_ctrl(sampass) & ACB_PWNOTREQ))
371 { /* this means we've succeeded */
376 _pam_get_item( pamh, PAM_SERVICE, &service );
377 _log_err(pamh, LOG_NOTICE, "failed auth request by %s for service %s as %s",
378 uidtoname(getuid()), service ? service : "**unknown**", name);
383 data_name = SMB_MALLOC_ARRAY(char, sizeof(FAIL_PREFIX) + strlen( name ));
384 if (data_name == NULL) {
385 _log_err(pamh, LOG_CRIT, "no memory for data-name" );
388 strncpy( data_name, FAIL_PREFIX, sizeof(FAIL_PREFIX) );
389 strncpy( data_name + sizeof(FAIL_PREFIX) - 1, name, strlen( name ) + 1 );
392 * The password we were given wasn't an encrypted password, or it
393 * didn't match the one we have. We encrypt the password now and try
397 nt_lm_owf_gen(p, nt_pw, lm_pw);
399 /* the moment of truth -- do we agree with the password? */
401 if (!memcmp( nt_pw, pdb_get_nt_passwd(sampass), 16 )) {
403 retval = PAM_SUCCESS;
404 if (data_name) { /* reset failures */
405 pam_set_data(pamh, data_name, NULL, _cleanup_failures);
411 _pam_get_item( pamh, PAM_SERVICE, &service );
413 if (data_name != NULL) {
414 struct _pam_failed_auth *newauth = NULL;
415 const struct _pam_failed_auth *old = NULL;
417 /* get a failure recorder */
419 newauth = SMB_MALLOC_P( struct _pam_failed_auth );
421 if (newauth != NULL) {
423 /* any previous failures for this user ? */
424 _pam_get_data(pamh, data_name, &old);
427 newauth->count = old->count + 1;
428 if (newauth->count >= SMB_MAX_RETRIES) {
429 retval = PAM_MAXTRIES;
432 _log_err(pamh, LOG_NOTICE,
433 "failed auth request by %s for service %s as %s",
435 service ? service : "**unknown**", name);
438 if (!sid_to_uid(pdb_get_user_sid(sampass), &(newauth->id))) {
439 _log_err(pamh, LOG_NOTICE,
440 "failed auth request by %s for service %s as %s",
442 service ? service : "**unknown**", name);
444 newauth->user = smbpXstrDup( pamh, name );
445 newauth->agent = smbpXstrDup( pamh, uidtoname( getuid() ) );
446 pam_set_data( pamh, data_name, newauth, _cleanup_failures );
449 _log_err(pamh, LOG_CRIT, "no memory for failure recorder" );
450 _log_err(pamh, LOG_NOTICE,
451 "failed auth request by %s for service %s as %s(%d)",
453 service ? service : "**unknown**", name);
456 _log_err(pamh, LOG_NOTICE,
457 "failed auth request by %s for service %s as %s(%d)",
459 service ? service : "**unknown**", name);
460 retval = PAM_AUTH_ERR;
463 _pam_delete( data_name );
470 * _smb_blankpasswd() is a quick check for a blank password
472 * returns TRUE if user does not have a password
473 * - to avoid prompting for one in such cases (CG)
476 int _smb_blankpasswd( unsigned int ctrl, struct samu *sampass )
481 * This function does not have to be too smart if something goes
482 * wrong, return FALSE and let this case to be treated somewhere
486 if (on( SMB__NONULL, ctrl ))
487 return 0; /* will fail but don't let on yet */
489 if (!(pdb_get_acct_ctrl(sampass) & ACB_PWNOTREQ))
492 if (pdb_get_nt_passwd(sampass) == NULL)
501 * obtain a password from the user
504 int _smb_read_password( pam_handle_t * pamh, unsigned int ctrl,
505 const char *comment, const char *prompt1,
506 const char *prompt2, const char *data_name, char **pass )
513 struct pam_message msg[3], *pmsg[3];
514 struct pam_response *resp;
518 /* make sure nothing inappropriate gets returned */
520 *pass = token = NULL;
522 /* which authentication token are we getting? */
524 authtok_flag = on(SMB__OLD_PASSWD, ctrl) ? PAM_OLDAUTHTOK : PAM_AUTHTOK;
526 /* should we obtain the password from a PAM item ? */
528 if (on(SMB_TRY_FIRST_PASS, ctrl) || on(SMB_USE_FIRST_PASS, ctrl)) {
529 retval = _pam_get_item( pamh, authtok_flag, &item );
530 if (retval != PAM_SUCCESS) {
532 _log_err(pamh, LOG_ALERT,
533 "pam_get_item returned error to smb_read_password");
535 } else if (item != NULL) { /* we have a password! */
539 } else if (on( SMB_USE_FIRST_PASS, ctrl )) {
540 return PAM_AUTHTOK_RECOVER_ERR; /* didn't work */
541 } else if (on( SMB_USE_AUTHTOK, ctrl )
542 && off( SMB__OLD_PASSWD, ctrl ))
544 return PAM_AUTHTOK_RECOVER_ERR;
549 * getting here implies we will have to get the password from the
553 /* prepare to converse */
554 if (comment != NULL && off(SMB__QUIET, ctrl)) {
556 msg[0].msg_style = PAM_TEXT_INFO;
557 msg[0].msg = CONST_DISCARD(char *, comment);
564 msg[i].msg_style = PAM_PROMPT_ECHO_OFF;
565 msg[i++].msg = CONST_DISCARD(char *, prompt1);
567 if (prompt2 != NULL) {
569 msg[i].msg_style = PAM_PROMPT_ECHO_OFF;
570 msg[i++].msg = CONST_DISCARD(char *, prompt2);
577 retval = converse( pamh, ctrl, i, pmsg, &resp );
580 int j = comment ? 1 : 0;
581 /* interpret the response */
583 if (retval == PAM_SUCCESS) { /* a good conversation */
585 token = smbpXstrDup(pamh, resp[j++].resp);
588 /* verify that password entered correctly */
589 if (!resp[j].resp || strcmp( token, resp[j].resp )) {
590 _pam_delete( token );
591 retval = PAM_AUTHTOK_RECOVER_ERR;
592 make_remark( pamh, ctrl, PAM_ERROR_MSG
597 _log_err(pamh, LOG_NOTICE,
598 "could not recover authentication token");
603 _pam_drop_reply( resp, expect );
606 retval = (retval == PAM_SUCCESS) ? PAM_AUTHTOK_RECOVER_ERR : retval;
609 if (retval != PAM_SUCCESS) {
610 if (on( SMB_DEBUG, ctrl ))
611 _log_err(pamh, LOG_DEBUG, "unable to obtain a password");
614 /* 'token' is the entered password */
616 if (off( SMB_NOT_SET_PASS, ctrl )) {
618 /* we store this password as an item */
620 retval = pam_set_item( pamh, authtok_flag, (const void *)token );
621 _pam_delete( token ); /* clean it up */
622 if (retval != PAM_SUCCESS
623 || (retval = _pam_get_item( pamh, authtok_flag
624 ,&item )) != PAM_SUCCESS)
626 _log_err(pamh, LOG_CRIT, "error manipulating password");
631 * then store it as data specific to this module. pam_end()
632 * will arrange to clean it up.
635 retval = pam_set_data( pamh, data_name, (void *) token, _cleanup );
636 if (retval != PAM_SUCCESS
637 || (retval = _pam_get_data( pamh, data_name, &item ))
640 _log_err(pamh, LOG_CRIT, "error manipulating password data [%s]",
641 pam_strerror( pamh, retval ));
642 _pam_delete( token );
646 token = NULL; /* break link to password */
650 item = NULL; /* break link to password */
655 int _pam_smb_approve_pass(pam_handle_t * pamh,
657 const char *pass_old,
658 const char *pass_new )
661 /* Further checks should be handled through module stacking. -SRL */
662 if (pass_new == NULL || (pass_old && !strcmp( pass_old, pass_new )))
664 if (on(SMB_DEBUG, ctrl)) {
665 _log_err(pamh, LOG_DEBUG,
666 "passwd: bad authentication token (null or unchanged)");
668 make_remark( pamh, ctrl, PAM_ERROR_MSG, pass_new == NULL ?
669 "No password supplied" : "Password unchanged" );
670 return PAM_AUTHTOK_ERR;
677 * Work around the pam API that has functions with void ** as parameters
678 * These lead to strict aliasing warnings with gcc.
680 int _pam_get_item(const pam_handle_t *pamh,
684 const void **item = (const void **)_item;
685 return pam_get_item(pamh, item_type, item);
688 int _pam_get_data(const pam_handle_t *pamh,
689 const char *module_data_name,
692 const void **data = (const void **)_data;
693 return pam_get_data(pamh, module_data_name, data);
git.samba.org / nivanova / samba-autobuild / .git / blob