454
497
* gethostbyname() is not 100% reliable (the remote host may
455
498
* be unknown, etc.). --marekm
457
if ((he = gethostbyname (hostname))) {
500
he = gethostbyname (hostname);
458
502
utent.ut_addr = *((int32_t *) (he->h_addr_list[0]));
461
strncpy (utent.ut_host, hostname,
462
sizeof (utent.ut_host));
506
strncpy (utent.ut_host, hostname, sizeof (utent.ut_host));
465
strncpy (utxent.ut_host, hostname,
466
sizeof (utxent.ut_host));
509
strncpy (utxent.ut_host, hostname, sizeof (utxent.ut_host));
469
* Add remote hostname to the environment. I think
470
* (not sure) I saw it once on Irix. --marekm
472
addenv ("REMOTEHOST", hostname);
512
* Add remote hostname to the environment. I think
513
* (not sure) I saw it once on Irix. --marekm
515
addenv ("REMOTEHOST", hostname);
476
* workaround for init/getty leaving junk in ut_host at least in
477
* some version of RedHat. --marekm
480
memzero (utent.ut_host, sizeof utent.ut_host);
519
* workaround for init/getty leaving junk in ut_host at least in
520
* some version of RedHat. --marekm
523
memzero (utent.ut_host, sizeof utent.ut_host);
488
&& do_rlogin (hostname, username, sizeof username,
534
username = malloc (32 * sizeof (char));
535
if (do_rlogin (hostname, username, 32, term, sizeof term)) {
498
umask (getdef_num ("UMASK", GETDEF_DEFAULT_UMASK));
502
* Use the ULIMIT in the login.defs file, and if
503
* there isn't one, use the default value. The
504
* user may have one for themselves, but otherwise,
505
* just take what you get.
507
long limit = getdef_long ("ULIMIT", -1L);
510
set_filesize_limit (limit);
515
* The entire environment will be preserved if the -p flag
549
umask (getdef_num ("UMASK", GETDEF_DEFAULT_UMASK));
553
* Use the ULIMIT in the login.defs file, and if
554
* there isn't one, use the default value. The
555
* user may have one for themselves, but otherwise,
556
* just take what you get.
519
while (*envp) /* add inherited environment, */
520
addenv (*envp++, NULL); /* some variables change later */
558
long limit = getdef_long ("ULIMIT", -1L);
561
set_filesize_limit (limit);
567
* The entire environment will be preserved if the -p flag
571
while (NULL != *envp) { /* add inherited environment, */
572
addenv (*envp, NULL); /* some variables change later */
524
addenv ("TERM", term);
527
/* preserve TERM from getty */
528
if (!pflg && (tmp = getenv ("TERM")))
529
addenv ("TERM", tmp);
533
if (optind < argc) { /* get the user name */
534
if (rflg || (fflg && username[0]))
537
STRFCPY (username, argv[optind]);
538
strzero (argv[optind]);
578
if (term[0] != '\0') {
579
addenv ("TERM", term);
583
/* preserve TERM from getty */
585
tmp = getenv ("TERM");
587
addenv ("TERM", tmp);
541
if (optind < argc) /* now set command line variables */
542
set_env (argc - optind, &argv[optind]);
594
if (optind < argc) { /* now set command line variables */
595
set_env (argc - optind, &argv[optind]);
601
/* FIXME: What is the priority:
602
* UT_HOST or HAVE_UTMPX_H? */
548
if (utent.ut_host[0])
604
if ('\0' != utent.ut_host[0]) {
549
605
cp = utent.ut_host;
553
if (utxent.ut_host[0])
609
if ('\0' != utxent.ut_host[0]) {
554
610
cp = utxent.ut_host;
560
snprintf (fromhost, sizeof fromhost,
561
" on '%.100s' from '%.200s'", tty, cp);
563
snprintf (fromhost, sizeof fromhost,
564
" on '%.100s'", tty);
567
/* only allow ALARM sec. for login */
568
signal (SIGALRM, alarm_handler);
569
timeout = getdef_num ("LOGIN_TIMEOUT", ALARM);
573
environ = newenvp; /* make new environment active */
574
delay = getdef_num ("FAIL_DELAY", 1);
575
retries = getdef_num ("LOGIN_RETRIES", RETRIES);
619
snprintf (fromhost, sizeof fromhost,
620
" on '%.100s' from '%.200s'", tty, cp);
622
snprintf (fromhost, sizeof fromhost,
623
" on '%.100s'", tty);
627
/* only allow ALARM sec. for login */
628
(void) signal (SIGALRM, alarm_handler);
629
timeout = getdef_num ("LOGIN_TIMEOUT", ALARM);
634
environ = newenvp; /* make new environment active */
635
delay = getdef_num ("FAIL_DELAY", 1);
636
retries = getdef_num ("LOGIN_RETRIES", RETRIES);
578
retcode = pam_start ("login", username, &conv, &pamh);
579
if (retcode != PAM_SUCCESS) {
581
_("login: PAM Failure, aborting: %s\n"),
582
pam_strerror (pamh, retcode));
583
SYSLOG ((LOG_ERR, "Couldn't initialize PAM: %s",
584
pam_strerror (pamh, retcode)));
639
retcode = pam_start ("login", username, &conv, &pamh);
640
if (retcode != PAM_SUCCESS) {
642
_("login: PAM Failure, aborting: %s\n"),
643
pam_strerror (pamh, retcode));
644
SYSLOG ((LOG_ERR, "Couldn't initialize PAM: %s",
645
pam_strerror (pamh, retcode)));
650
* hostname & tty are either set to NULL or their correct values,
651
* depending on how much we know. We also set PAM's fail delay to
654
retcode = pam_set_item (pamh, PAM_RHOST, hostname);
656
retcode = pam_set_item (pamh, PAM_TTY, tty);
658
#ifdef HAS_PAM_FAIL_DELAY
659
retcode = pam_fail_delay (pamh, 1000000 * delay);
662
/* if fflg, then the user has already been authenticated */
663
if (!fflg || (getuid () != 0)) {
666
char loginprompt[256]; /* That's one hell of a prompt :) */
668
/* Make the login prompt look like we want it */
669
if (gethostname (hostn, sizeof (hostn)) == 0) {
670
snprintf (loginprompt,
671
sizeof (loginprompt),
672
_("%s login: "), hostn);
674
snprintf (loginprompt,
675
sizeof (loginprompt), _("login: "));
678
retcode = pam_set_item (pamh, PAM_USER_PROMPT, loginprompt);
681
/* if we didn't get a user on the command line,
683
retcode = pam_get_item (pamh, PAM_USER, (const void **)ptr_pam_user);
685
if ((NULL != pam_user) && ('\0' == pam_user[0])) {
686
retcode = pam_set_item (pamh, PAM_USER, NULL);
589
* hostname & tty are either set to NULL or their correct values,
590
* depending on how much we know. We also set PAM's fail delay to
691
* There may be better ways to deal with some of
692
* these conditions, but at least this way I don't
693
* think we'll be giving away information. Perhaps
694
* someday we can trust that all PAM modules will
695
* pay attention to failure count and get rid of
593
retcode = pam_set_item (pamh, PAM_RHOST, hostname);
595
retcode = pam_set_item (pamh, PAM_TTY, tty);
597
#ifdef HAVE_PAM_FAIL_DELAY
598
retcode = pam_fail_delay (pamh, 1000000 * delay);
700
const char *failent_user;
704
#ifdef HAS_PAM_FAIL_DELAY
706
retcode = pam_fail_delay(pamh, 1000000*delay);
601
/* if fflg == 1, then the user has already been authenticated */
602
if (!fflg || (getuid () != 0)) {
605
char loginprompt[256]; /* That's one hell of a prompt :) */
607
/* Make the login prompt look like we want it */
608
if (!gethostname (hostn, sizeof (hostn)))
609
snprintf (loginprompt,
610
sizeof (loginprompt),
611
_("%s login: "), hostn);
613
snprintf (loginprompt,
614
sizeof (loginprompt), _("login: "));
617
pam_set_item (pamh, PAM_USER_PROMPT, loginprompt);
620
/* if we didn't get a user on the command line,
622
pam_get_item (pamh, PAM_USER,
623
(const void **)ptr_pam_user);
624
if (pam_user[0] == '\0')
625
pam_set_item (pamh, PAM_USER, NULL);
628
* There may be better ways to deal with some of
629
* these conditions, but at least this way I don't
630
* think we'll be giving away information. Perhaps
631
* someday we can trust that all PAM modules will
632
* pay attention to failure count and get rid of
637
const char *failent_user;
642
retcode = pam_fail_delay(pamh, 1000000*delay);
644
retcode = pam_authenticate (pamh, 0);
646
pam_get_item (pamh, PAM_USER,
647
(const void **) ptr_pam_user);
649
if (pam_user && pam_user[0]) {
650
pwd = xgetpwnam(pam_user);
653
failent_user = pwent.pw_name;
655
if (getdef_bool("LOG_UNKFAIL_ENAB") && pam_user)
656
failent_user = pam_user;
658
failent_user = "UNKNOWN";
662
failent_user = "UNKNOWN";
665
if (retcode == PAM_MAXTRIES || failcount >= retries) {
667
"TOO MANY LOGIN TRIES (%d)%s FOR `%s'",
668
failcount, fromhost, failent_user));
670
_("Maximum number of tries exceeded (%d)\n"),
674
} else if (retcode == PAM_ABORT) {
675
/* Serious problems, quit now */
676
fputs (_("login: abort requested by PAM\n"),stderr);
677
SYSLOG ((LOG_ERR,"PAM_ABORT returned from pam_authenticate()"));
680
} else if (retcode != PAM_SUCCESS) {
681
SYSLOG ((LOG_NOTICE,"FAILED LOGIN (%d)%s FOR `%s', %s",
682
failcount, fromhost, failent_user,
683
pam_strerror (pamh, retcode)));
695
audit_fd = audit_open ();
696
/* local, no need for xgetpwnam */
697
pw = getpwnam (username);
699
snprintf (buf, sizeof (buf),
700
"uid=%d", pw->pw_uid);
701
audit_log_user_message
702
(audit_fd, AUDIT_USER_LOGIN,
711
retcode = pam_authenticate (pamh, 0);
714
int saved_retcode = retcode;
715
retcode = pam_get_item (pamh, PAM_USER,
716
(const void **) ptr_pam_user);
718
retcode = saved_retcode;
721
if ((NULL != pam_user) && ('\0' != pam_user[0])) {
722
pwd = xgetpwnam(pam_user);
725
failent_user = pwent.pw_name;
727
if ( getdef_bool("LOG_UNKFAIL_ENAB")
728
&& (NULL != pam_user)) {
729
failent_user = pam_user;
706
snprintf (buf, sizeof (buf),
707
"acct=%s", username);
708
audit_log_user_message
709
(audit_fd, AUDIT_USER_LOGIN,
731
failent_user = "UNKNOWN";
736
failent_user = "UNKNOWN";
739
if (retcode == PAM_MAXTRIES) {
741
"TOO MANY LOGIN TRIES (%d)%s FOR '%s'",
742
failcount, fromhost, failent_user));
744
_("Maximum number of tries exceeded (%d)\n"),
748
} else if (retcode == PAM_ABORT) {
749
/* Serious problems, quit now */
750
fputs (_("login: abort requested by PAM\n"),stderr);
751
SYSLOG ((LOG_ERR,"PAM_ABORT returned from pam_authenticate()"));
754
} else if (retcode != PAM_SUCCESS) {
755
SYSLOG ((LOG_NOTICE,"FAILED LOGIN (%d)%s FOR '%s', %s",
756
failcount, fromhost, failent_user,
757
pam_strerror (pamh, retcode)));
766
audit_fd = audit_open ();
767
audit_log_acct_message (audit_fd,
769
NULL, /* Prog. name */
715
778
#endif /* WITH_AUDIT */
717
fprintf(stderr,"\nLogin incorrect\n");
719
/* Let's give it another go around */
720
pam_set_item(pamh,PAM_USER,NULL);
723
/* We don't get here unless they were authenticated above */
725
retcode = pam_acct_mgmt (pamh, 0);
727
if (retcode == PAM_NEW_AUTHTOK_REQD) {
730
PAM_CHANGE_EXPIRED_AUTHTOK);
736
/* Grab the user information out of the password file for future usage
737
First get the username that we are actually using, though.
740
pam_get_item (pamh, PAM_USER, (const void **)ptr_pam_user);
742
pwd = xgetpwnam (pam_user);
744
SYSLOG ((LOG_ERR, "xgetpwnam(%s) failed",
745
getdef_bool ("LOG_UNKFAIL_ENAB") ?
746
pam_user : "UNKNOWN"));
751
retcode = pam_acct_mgmt (pamh, 0);
755
if (setup_groups (pwd))
760
retcode = pam_setcred (pamh, PAM_ESTABLISH_CRED);
763
retcode = pam_open_session (pamh,
764
hushed (&pwent) ? PAM_SILENT : 0);
780
fprintf (stderr, "\nLogin incorrect\n");
782
if (failcount >= retries) {
784
"TOO MANY LOGIN TRIES (%d)%s FOR '%s'",
785
failcount, fromhost, failent_user));
787
_("Maximum number of tries exceeded (%d)\n"),
794
* Let's give it another go around.
795
* Even if a username was given on the command
796
* line, prompt again for the username.
798
retcode = pam_set_item (pamh, PAM_USER, NULL);
802
/* We don't get here unless they were authenticated above */
804
retcode = pam_acct_mgmt (pamh, 0);
806
if (retcode == PAM_NEW_AUTHTOK_REQD) {
807
retcode = pam_chauthtok (pamh, PAM_CHANGE_EXPIRED_AUTHTOK);
813
/* Grab the user information out of the password file for future usage
814
First get the username that we are actually using, though.
816
retcode = pam_get_item (pamh, PAM_USER, (const void **)ptr_pam_user);
818
if (NULL != username) {
821
username = xstrdup (pam_user);
823
pwd = xgetpwnam (username);
825
SYSLOG ((LOG_ERR, "xgetpwnam(%s) failed",
826
getdef_bool ("LOG_UNKFAIL_ENAB") ?
827
username : "UNKNOWN"));
832
retcode = pam_acct_mgmt (pamh, 0);
836
if (setup_groups (pwd) != 0) {
842
retcode = pam_setcred (pamh, PAM_ESTABLISH_CRED);
845
retcode = pam_open_session (pamh, hushed (&pwent) ? PAM_SILENT : 0);
767
848
#else /* ! USE_PAM */
768
while (1) { /* repeatedly get login/password pairs */
769
failed = 0; /* haven't failed authentication yet */
770
if (!username[0]) { /* need to get a login id */
776
login_prompt (_("\n%s login: "), username,
849
while (true) { /* repeatedly get login/password pairs */
850
failed = false; /* haven't failed authentication yet */
851
if (NULL == username) { /* need to get a login id */
856
preauth_flag = false;
857
username = malloc (32);
858
login_prompt (_("\n%s login: "), username, 32);
860
if ('\0' == username) {
861
/* Prompt for a new login */
780
#endif /* ! USE_PAM */
783
if (!(pwd = xgetpwnam (pam_user))) {
784
pwent.pw_name = pam_user;
786
if (!(pwd = xgetpwnam (username))) {
868
pwd = xgetpwnam (username);
787
870
pwent.pw_name = username;
789
871
strcpy (temp_pw, "!");
790
872
pwent.pw_passwd = temp_pw;
791
873
pwent.pw_shell = temp_shell;
875
preauth_flag = false;
800
if (pwd && strcmp (pwd->pw_passwd, SHADOW_PASSWD_STRING) == 0) {
883
&& (strcmp (pwd->pw_passwd, SHADOW_PASSWD_STRING) == 0)) {
801
884
/* !USE_PAM, no need for xgetspnam */
802
885
spwd = getspnam (username);
804
887
pwent.pw_passwd = spwd->sp_pwdp;
806
889
SYSLOG ((LOG_WARN,
807
"no shadow password for `%s'%s",
808
username, fromhost));
890
"no shadow password for '%s'%s",
891
username, fromhost));