Unix SMB/CIFS implementation.
Samba utility functions
Copyright (C) Andrew Tridgell 1992-1998
- Copyright (C) Andrew Bartlett 2001-2002
+ Copyright (C) Andrew Bartlett 2001-2004
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
*/
+/* These comments regard the code to change the user's unix password: */
+
/* fork a child process to exec passwd and write to its
* tty to change a users password. This is running as the
* user who is attempting to change the password.
* was included as a client to change passwords using the 'passwd' program
* on the remote machine.
*
- * This routine is called by set_user_password() in password.c only if ALLOW_PASSWORD_CHANGE
- * is defined in the compiler directives located in the Makefile.
- *
* This code has been hacked by Bob Nance (nance@niehs.nih.gov) and Evan Patterson
* (patters2@niehs.nih.gov) at the National Institute of Environmental Health Sciences
* and rights to modify, distribute or incorporate this change to the CAP suite or
#include "includes.h"
-#include <crack.h>
-
-#ifndef HAVE_CRACKLIB_DICTPATH
-#ifndef CRACKLIB_DICTPATH
-#define CRACKLIB_DICTPATH SAMBA_CRACKLIB_DICTPATH
-#endif
-#endif
-
extern struct passdb_ops pdb_ops;
static NTSTATUS check_oem_password(const char *user,
- uchar * lmdata, const uchar * lmhash,
- const uchar * ntdata, const uchar * nthash,
- SAM_ACCOUNT **hnd, char *new_passwd,
- int new_passwd_size);
+ uchar password_encrypted_with_lm_hash[516],
+ const uchar old_lm_hash_encrypted[16],
+ uchar password_encrypted_with_nt_hash[516],
+ const uchar old_nt_hash_encrypted[16],
+ SAM_ACCOUNT **hnd, char *new_passwd,
+ int new_passwd_size);
#if ALLOW_CHANGE_PASSWORD
return (count > 0);
}
-static BOOL chat_with_program(char *passwordprogram, struct passwd *pass,
+static BOOL chat_with_program(char *passwordprogram, const struct passwd *pass,
char *chatsequence, BOOL as_root)
{
char *slavedev;
if (as_root) {
/* The password program *must* contain the user name to work. Fail if not. */
- if (strstr(passwordprogram, "%u") == NULL) {
+ if (strstr_m(passwordprogram, "%u") == NULL) {
DEBUG(0,("chgpasswd: Running as root the 'passwd program' parameter *MUST* contain \
the string %%u, and the given string %s does not.\n", passwordprogram ));
return False;
BOOL chgpasswd(const char *name, const struct passwd *pass,
const char *oldpass, const char *newpass, BOOL as_root)
{
- DEBUG(0, ("chgpasswd: Password changing not compiled in (user=%s)\n", name));
+ DEBUG(0, ("chgpasswd: Unix Password changing not compiled in (user=%s)\n", name));
return (False);
}
#endif /* ALLOW_CHANGE_PASSWORD */
************************************************************/
NTSTATUS pass_oem_change(char *user,
- uchar * lmdata, uchar * lmhash,
- uchar * ntdata, uchar * nthash)
+ uchar password_encrypted_with_lm_hash[516],
+ const uchar old_lm_hash_encrypted[16],
+ uchar password_encrypted_with_nt_hash[516],
+ const uchar old_nt_hash_encrypted[16])
{
- fstring new_passwd;
+ pstring new_passwd;
SAM_ACCOUNT *sampass = NULL;
- NTSTATUS nt_status = check_oem_password(user, lmdata, lmhash, ntdata, nthash,
- &sampass, new_passwd, sizeof(new_passwd));
-
+ NTSTATUS nt_status = check_oem_password(user, password_encrypted_with_lm_hash,
+ old_lm_hash_encrypted,
+ password_encrypted_with_nt_hash,
+ old_nt_hash_encrypted,
+ &sampass, new_passwd, sizeof(new_passwd));
+
if (!NT_STATUS_IS_OK(nt_status))
return nt_status;
}
/***********************************************************
- Code to check the OEM hashed password.
+ Decrypt and verify a user password change.
- this function ignores the 516 byte nt OEM hashed password
- but does use the lm OEM password to check the nt hashed-hash.
+ The 516 byte long buffers are encrypted with the old NT and
+ old LM passwords, and if the NT passwords are present, both
+ buffers contain a unicode string.
+ After decrypting the buffers, check the password is correct by
+ matching the old hashed passwords with the passwords in the passdb.
+
************************************************************/
static NTSTATUS check_oem_password(const char *user,
- uchar * lmdata, const uchar * lmhash,
- const uchar * ntdata, const uchar * nthash,
- SAM_ACCOUNT **hnd, char *new_passwd,
- int new_passwd_size)
+ uchar password_encrypted_with_lm_hash[516],
+ const uchar old_lm_hash_encrypted[16],
+ uchar password_encrypted_with_nt_hash[516],
+ const uchar old_nt_hash_encrypted[16],
+ SAM_ACCOUNT **hnd, char *new_passwd,
+ int new_passwd_size)
{
static uchar null_pw[16];
static uchar null_ntpw[16];
SAM_ACCOUNT *sampass = NULL;
+ char *password_encrypted;
+ const char *encryption_key;
const uint8 *lanman_pw, *nt_pw;
uint16 acct_ctrl;
- int new_pw_len;
- uchar new_ntp16[16];
- uchar unenc_old_ntpw[16];
- uchar new_p16[16];
- uchar unenc_old_pw[16];
+ uint32 new_pw_len;
+ uchar new_nt_hash[16];
+ uchar old_nt_hash_plain[16];
+ uchar new_lm_hash[16];
+ uchar old_lm_hash_plain[16];
char no_pw[2];
BOOL ret;
- BOOL nt_pass_set = (ntdata != NULL && nthash != NULL);
+ BOOL nt_pass_set = (password_encrypted_with_nt_hash && old_nt_hash_encrypted);
+ BOOL lm_pass_set = (password_encrypted_with_lm_hash && old_lm_hash_encrypted);
*hnd = NULL;
if (ret == False) {
DEBUG(0, ("check_oem_password: getsmbpwnam returned NULL\n"));
pdb_free_sam(&sampass);
- return NT_STATUS_WRONG_PASSWORD;
- /*
- TODO: check what Win2k returns for this:
- return NT_STATUS_NO_SUCH_USER;
- */
+ return NT_STATUS_NO_SUCH_USER;
}
acct_ctrl = pdb_get_acct_ctrl(sampass);
if (acct_ctrl & ACB_DISABLED) {
- DEBUG(0,("check_lanman_password: account %s disabled.\n", user));
+ DEBUG(2,("check_lanman_password: account %s disabled.\n", user));
pdb_free_sam(&sampass);
return NT_STATUS_ACCOUNT_DISABLED;
}
- /* construct a null password (in case one is needed */
- no_pw[0] = 0;
- no_pw[1] = 0;
- nt_lm_owf_gen(no_pw, null_ntpw, null_pw);
+ if (acct_ctrl & ACB_PWNOTREQ && lp_null_passwords()) {
+ /* construct a null password (in case one is needed */
+ no_pw[0] = 0;
+ no_pw[1] = 0;
+ nt_lm_owf_gen(no_pw, null_ntpw, null_pw);
+ lanman_pw = null_pw;
+ nt_pw = null_pw;
- /* save pointers to passwords so we don't have to keep looking them up */
- lanman_pw = pdb_get_lanman_passwd(sampass);
- nt_pw = pdb_get_nt_passwd(sampass);
-
- /* check for null passwords */
- if (lanman_pw == NULL) {
- if (!(acct_ctrl & ACB_PWNOTREQ)) {
- DEBUG(0,("check_oem_password: no lanman password !\n"));
- pdb_free_sam(&sampass);
- return NT_STATUS_WRONG_PASSWORD;
+ } else {
+ /* save pointers to passwords so we don't have to keep looking them up */
+ if (lp_lanman_auth()) {
+ lanman_pw = pdb_get_lanman_passwd(sampass);
+ } else {
+ lanman_pw = NULL;
}
+ nt_pw = pdb_get_nt_passwd(sampass);
}
-
- if (pdb_get_nt_passwd(sampass) == NULL && nt_pass_set) {
- if (!(acct_ctrl & ACB_PWNOTREQ)) {
- DEBUG(0,("check_oem_password: no ntlm password !\n"));
- pdb_free_sam(&sampass);
- return NT_STATUS_WRONG_PASSWORD;
- }
+
+ if (nt_pw && nt_pass_set) {
+ /* IDEAL Case: passwords are in unicode, and we can
+ * read use the password encrypted with the NT hash
+ */
+ password_encrypted = password_encrypted_with_nt_hash;
+ encryption_key = nt_pw;
+ } else if (lanman_pw && lm_pass_set) {
+ /* password may still be in unicode, but use LM hash version */
+ password_encrypted = password_encrypted_with_lm_hash;
+ encryption_key = lanman_pw;
+ } else if (nt_pass_set) {
+ DEBUG(1, ("NT password change supplied for user %s, but we have no NT password to check it with\n",
+ user));
+ pdb_free_sam(&sampass);
+ return NT_STATUS_WRONG_PASSWORD;
+ } else if (lm_pass_set) {
+ DEBUG(1, ("LM password change supplied for user %s, but we have no LanMan password to check it with\n",
+ user));
+ pdb_free_sam(&sampass);
+ return NT_STATUS_WRONG_PASSWORD;
+ } else {
+ DEBUG(1, ("password change requested for user %s, but no password supplied!\n",
+ user));
+ pdb_free_sam(&sampass);
+ return NT_STATUS_WRONG_PASSWORD;
}
-
- /*
- * Call the hash function to get the new password.
- */
- SamOEMhash( lmdata, lanman_pw, 516);
/*
- * The length of the new password is in the last 4 bytes of
- * the data buffer.
+ * Decrypt the password with the key
*/
+ SamOEMhash( password_encrypted, encryption_key, 516);
- new_pw_len = IVAL(lmdata, 512);
-
- if (new_pw_len < 0 || new_pw_len > new_passwd_size - 1) {
- DEBUG(0,("check_oem_password: incorrect password length (%d).\n", new_pw_len));
+ if ( !decode_pw_buffer(password_encrypted, new_passwd, new_passwd_size, &new_pw_len,
+ nt_pass_set ? STR_UNICODE : STR_ASCII)) {
pdb_free_sam(&sampass);
return NT_STATUS_WRONG_PASSWORD;
}
- if (nt_pass_set) {
- /*
- * nt passwords are in unicode
- */
- pull_ucs2(NULL, new_passwd,
- (const smb_ucs2_t *)&lmdata[512 - new_pw_len],
- new_passwd_size, new_pw_len, 0);
- } else {
- memcpy(new_passwd, &lmdata[512 - new_pw_len], new_pw_len);
- new_passwd[new_pw_len] = 0;
- }
-
/*
* To ensure we got the correct new password, hash it and
* use it as a key to test the passed old password.
*/
- nt_lm_owf_gen(new_passwd, new_ntp16, new_p16);
+ if (nt_pass_set) {
+ /* NT passwords, verify the NT hash. */
+
+ /* Calculate the MD4 hash (NT compatible) of the password */
+ memset(new_nt_hash, '\0', 16);
+ E_md4hash(new_passwd, new_nt_hash);
+
+ if (nt_pw) {
+ /*
+ * Now use new_nt_hash as the key to see if the old
+ * password matches.
+ */
+ D_P16(new_nt_hash, old_nt_hash_encrypted, old_nt_hash_plain);
+
+ if (memcmp(nt_pw, old_nt_hash_plain, 16)) {
+ DEBUG(0,("check_oem_password: old lm password doesn't match.\n"));
+ pdb_free_sam(&sampass);
+ return NT_STATUS_WRONG_PASSWORD;
+ }
+
+ /* We could check the LM password here, but there is
+ * little point, we already know the password is
+ * correct, and the LM password might not even be
+ * present. */
+
+ /* Further, LM hash generation algorithms
+ * differ with charset, so we could
+ * incorrectly fail a perfectly valid password
+ * change */
+#ifdef DEBUG_PASSWORD
+ DEBUG(100,
+ ("check_oem_password: password %s ok\n", new_passwd));
+#endif
+ *hnd = sampass;
+ return NT_STATUS_OK;
+ }
+
+ if (lanman_pw) {
+ /*
+ * Now use new_nt_hash as the key to see if the old
+ * LM password matches.
+ */
+ D_P16(new_nt_hash, old_lm_hash_encrypted, old_lm_hash_plain);
+
+ if (memcmp(lanman_pw, old_lm_hash_plain, 16)) {
+ DEBUG(0,("check_oem_password: old lm password doesn't match.\n"));
+ pdb_free_sam(&sampass);
+ return NT_STATUS_WRONG_PASSWORD;
+ }
+#ifdef DEBUG_PASSWORD
+ DEBUG(100,
+ ("check_oem_password: password %s ok\n", new_passwd));
+#endif
+ *hnd = sampass;
+ return NT_STATUS_OK;
+ }
+ }
+
+ if (lanman_pw && lm_pass_set) {
+
+ E_deshash(new_passwd, new_lm_hash);
- if (!nt_pass_set) {
/*
- * Now use new_p16 as the key to see if the old
+ * Now use new_lm_hash as the key to see if the old
* password matches.
*/
- D_P16(new_p16, lmhash, unenc_old_pw);
-
- if (memcmp(lanman_pw, unenc_old_pw, 16)) {
+ D_P16(new_lm_hash, old_lm_hash_encrypted, old_lm_hash_plain);
+
+ if (memcmp(lanman_pw, old_lm_hash_plain, 16)) {
DEBUG(0,("check_oem_password: old lm password doesn't match.\n"));
pdb_free_sam(&sampass);
return NT_STATUS_WRONG_PASSWORD;
}
-
+
#ifdef DEBUG_PASSWORD
DEBUG(100,
("check_oem_password: password %s ok\n", new_passwd));
return NT_STATUS_OK;
}
- /*
- * Now use new_p16 as the key to see if the old
- * password matches.
- */
- D_P16(new_ntp16, lmhash, unenc_old_pw);
- D_P16(new_ntp16, nthash, unenc_old_ntpw);
+ /* should not be reached */
+ pdb_free_sam(&sampass);
+ return NT_STATUS_WRONG_PASSWORD;
+}
- if (memcmp(lanman_pw, unenc_old_pw, 16)) {
- DEBUG(0,("check_oem_password: old lm password doesn't match.\n"));
- pdb_free_sam(&sampass);
- return NT_STATUS_WRONG_PASSWORD;
+/***********************************************************
+ This routine takes the given password and checks it against
+ the password history. Returns True if this password has been
+ found in the history list.
+************************************************************/
+
+static BOOL check_passwd_history(SAM_ACCOUNT *sampass, const char *plaintext)
+{
+ uchar new_nt_p16[NT_HASH_LEN];
+ uchar zero_md5_nt_pw[SALTED_MD5_HASH_LEN];
+ const uint8 *nt_pw;
+ const uint8 *pwhistory;
+ BOOL found = False;
+ int i, pwHisLen, curr_pwHisLen;
+
+ account_policy_get(AP_PASSWORD_HISTORY, &pwHisLen);
+ if (pwHisLen == 0) {
+ return False;
}
- if (memcmp(nt_pw, unenc_old_ntpw, 16)) {
- DEBUG(0,("check_oem_password: old nt password doesn't match.\n"));
- pdb_free_sam(&sampass);
- return NT_STATUS_WRONG_PASSWORD;
+ pwhistory = pdb_get_pw_history(sampass, &curr_pwHisLen);
+ if (!pwhistory || curr_pwHisLen == 0) {
+ return False;
}
-#ifdef DEBUG_PASSWORD
- DEBUG(100, ("check_oem_password: password %s ok\n", new_passwd));
-#endif
- *hnd = sampass;
- return NT_STATUS_OK;
+ /* Only examine the minimum of the current history len and
+ the stored history len. Avoids race conditions. */
+ pwHisLen = MIN(pwHisLen,curr_pwHisLen);
+
+ nt_pw = pdb_get_nt_passwd(sampass);
+
+ E_md4hash(plaintext, new_nt_p16);
+
+ if (!memcmp(nt_pw, new_nt_p16, NT_HASH_LEN)) {
+ DEBUG(10,("check_passwd_history: proposed new password for user %s is the same as the current password !\n",
+ pdb_get_username(sampass) ));
+ return True;
+ }
+
+ dump_data(100, new_nt_p16, NT_HASH_LEN);
+ dump_data(100, pwhistory, PW_HISTORY_ENTRY_LEN*pwHisLen);
+
+ memset(zero_md5_nt_pw, '\0', SALTED_MD5_HASH_LEN);
+ for (i=0; i<pwHisLen; i++) {
+ uchar new_nt_pw_salted_md5_hash[SALTED_MD5_HASH_LEN];
+ const uchar *current_salt = &pwhistory[i*PW_HISTORY_ENTRY_LEN];
+ const uchar *old_nt_pw_salted_md5_hash = &pwhistory[(i*PW_HISTORY_ENTRY_LEN)+
+ PW_HISTORY_SALT_LEN];
+ if (!memcmp(zero_md5_nt_pw, old_nt_pw_salted_md5_hash, SALTED_MD5_HASH_LEN)) {
+ /* Ignore zero valued entries. */
+ continue;
+ }
+ /* Create salted versions of new to compare. */
+ E_md5hash(current_salt, new_nt_p16, new_nt_pw_salted_md5_hash);
+
+ if (!memcmp(new_nt_pw_salted_md5_hash, old_nt_pw_salted_md5_hash, SALTED_MD5_HASH_LEN)) {
+ DEBUG(1,("check_passwd_history: proposed new password for user %s found in history list !\n",
+ pdb_get_username(sampass) ));
+ found = True;
+ break;
+ }
+ }
+ return found;
}
/***********************************************************
NTSTATUS change_oem_password(SAM_ACCOUNT *hnd, char *old_passwd, char *new_passwd, BOOL as_root)
{
- struct passwd *pass;
-
BOOL ret;
uint32 min_len;
+ struct passwd *pass = NULL;
+ const char *username = pdb_get_username(hnd);
+ time_t can_change_time = pdb_get_pass_can_change_time(hnd);
- if (time(NULL) < pdb_get_pass_can_change_time(hnd)) {
+ if ((can_change_time != 0) && (time(NULL) < can_change_time)) {
DEBUG(1, ("user %s cannot change password now, must wait until %s\n",
- pdb_get_username(hnd), http_timestring(pdb_get_pass_can_change_time(hnd))));
- return NT_STATUS_PASSWORD_RESTRICTION;
+ username, http_timestring(can_change_time)));
+ return NT_STATUS_ACCOUNT_RESTRICTION;
}
if (account_policy_get(AP_MIN_PASSWORD_LEN, &min_len) && (strlen(new_passwd) < min_len)) {
DEBUG(1, ("user %s cannot change password - password too short\n",
- pdb_get_username(hnd)));
+ username));
DEBUGADD(1, (" account policy min password len = %d\n", min_len));
return NT_STATUS_PASSWORD_RESTRICTION;
/* return NT_STATUS_PWD_TOO_SHORT; */
if (strlen(new_passwd) < lp_min_passwd_length()) {
/* too short, must be at least MINPASSWDLENGTH */
DEBUG(1, ("Password Change: user %s, New password is shorter than minimum password length = %d\n",
- pdb_get_username(hnd), lp_min_passwd_length()));
+ username, lp_min_passwd_length()));
return NT_STATUS_PASSWORD_RESTRICTION;
/* return NT_STATUS_PWD_TOO_SHORT; */
}
- pass = Get_Pwnam(pdb_get_username(hnd));
+ if (check_passwd_history(hnd,new_passwd)) {
+ return NT_STATUS_PASSWORD_RESTRICTION;
+ }
+
+ pass = Get_Pwnam(username);
if (!pass) {
- DEBUG(1, ("check_oem_password: Username does not exist in system !?!\n"));
+ DEBUG(1, ("check_oem_password: Username %s does not exist in system !?!\n", username));
+ return NT_STATUS_ACCESS_DENIED;
}
-#ifdef HAVE_WORKING_CRACKLIB
- if (pass) {
- /* if we can, become the user to overcome internal cracklib sillyness */
- if (!push_sec_ctx())
- return NT_STATUS_UNSUCCESSFUL;
-
- set_sec_ctx(pass->pw_uid, pass->pw_gid, 0, NULL, NULL);
- set_re_uid();
- }
-
- if (lp_use_cracklib()) {
- const char *crack_check_reason;
- DEBUG(4, ("change_oem_password: Checking password for user [%s]"
- " against cracklib. \n", pdb_get_username(hnd)));
- DEBUGADD(4, ("If this is your last message, then something is "
- "wrong with cracklib, it might be missing it's "
- "dictionaries at %s\n",
- CRACKLIB_DICTPATH));
- dbgflush();
-
- crack_check_reason = FascistCheck(new_passwd, (char *)CRACKLIB_DICTPATH);
- if (crack_check_reason) {
- DEBUG(1, ("Password Change: user [%s], "
- "New password failed cracklib test - %s\n",
- pdb_get_username(hnd), crack_check_reason));
-
- /* get back to where we should be */
- if (pass)
- pop_sec_ctx();
+ /* Use external script to check password complexity */
+ if (lp_check_password_script()) {
+ int check_ret;
+
+ check_ret = smbrunsecret(lp_check_password_script(), new_passwd);
+ DEBUG(5, ("change_oem_password: check password script (%s) returned [%d]\n", lp_check_password_script(), check_ret));
+
+ if (check_ret != 0) {
+ DEBUG(1, ("change_oem_password: check password script said new password is not good enough!\n"));
return NT_STATUS_PASSWORD_RESTRICTION;
}
}
- if (pass)
- pop_sec_ctx();
-#endif
-
/*
* If unix password sync was requested, attempt to change
* the /etc/passwd database first. Return failure if this cannot
*/
if(lp_unix_password_sync() &&
- !chgpasswd(pdb_get_username(hnd), pass, old_passwd, new_passwd, as_root)) {
+ !chgpasswd(username, pass, old_passwd, new_passwd, as_root)) {
return NT_STATUS_ACCESS_DENIED;
}
git.samba.org / sfrench / samba-autobuild / .git / blobdiff