1
/* Unix NT password database implementation, version 0.6.
3
* This program is free software; you can redistribute it and/or modify it under
4
* the terms of the GNU General Public License as published by the Free
5
* Software Foundation; either version 3 of the License, or (at your option)
8
* This program is distributed in the hope that it will be useful, but WITHOUT
9
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
10
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
13
* You should have received a copy of the GNU General Public License along with
14
* this program; if not, see <http://www.gnu.org/licenses/>.
23
#if defined(HAVE_SECURITY_PAM_EXT_H)
24
#include <security/pam_ext.h>
25
#elif defined(HAVE_PAM_PAM_EXT_H)
26
#include <pam/pam_ext.h>
29
#if defined(HAVE_SECURITY__PAM_MACROS_H)
30
#include <security/_pam_macros.h>
31
#elif defined(HAVE_PAM__PAM_MACROS_H)
32
#include <pam/_pam_macros.h>
39
#define _pam_overwrite(x) \
41
register char *__xx__; \
48
* Don't just free it, forget it too.
51
#define _pam_drop(X) \
59
#define _pam_drop_reply(/* struct pam_response * */ reply, /* int */ replies) \
63
for (reply_i=0; reply_i<replies; ++reply_i) { \
64
if (reply[reply_i].resp) { \
65
_pam_overwrite(reply[reply_i].resp); \
66
free(reply[reply_i].resp); \
74
int converse(pam_handle_t *, int, int, struct pam_message **,
75
struct pam_response **);
76
int make_remark(pam_handle_t *, unsigned int, int, const char *);
77
void _cleanup(pam_handle_t *, void *, int);
78
char *_pam_delete(register char *);
80
/* syslogging function for errors and other information */
81
#ifdef HAVE_PAM_VSYSLOG
82
void _log_err( pam_handle_t *pamh, int err, const char *format, ... )
86
va_start(args, format);
87
pam_vsyslog(pamh, err, format, args);
91
void _log_err( pam_handle_t *pamh, int err, const char *format, ... )
94
const char tag[] = "(pam_smbpass) ";
97
mod_format = SMB_MALLOC_ARRAY(char, sizeof(tag) + strlen(format));
98
/* try really, really hard to log something, since this may have
99
been a message about a malloc() failure... */
100
if (mod_format == NULL) {
101
va_start(args, format);
102
vsyslog(err | LOG_AUTH, format, args);
107
strncpy(mod_format, tag, strlen(tag)+1);
108
strlcat(mod_format, format, strlen(format)+1);
110
va_start(args, format);
111
vsyslog(err | LOG_AUTH, mod_format, args);
118
/* this is a front-end for module-application conversations */
120
int converse( pam_handle_t * pamh, int ctrl, int nargs
121
, struct pam_message **message
122
, struct pam_response **response )
125
struct pam_conv *conv;
127
retval = _pam_get_item(pamh, PAM_CONV, &conv);
128
if (retval == PAM_SUCCESS) {
130
retval = conv->conv(nargs, (const struct pam_message **) message
131
,response, conv->appdata_ptr);
133
if (retval != PAM_SUCCESS && on(SMB_DEBUG, ctrl)) {
134
_log_err(pamh, LOG_DEBUG, "conversation failure [%s]"
135
,pam_strerror(pamh, retval));
138
_log_err(pamh, LOG_ERR, "couldn't obtain coversation function [%s]"
139
,pam_strerror(pamh, retval));
142
return retval; /* propagate error status */
145
int make_remark( pam_handle_t * pamh, unsigned int ctrl
146
, int type, const char *text )
148
if (off(SMB__QUIET, ctrl)) {
149
struct pam_message *pmsg[1], msg[1];
150
struct pam_response *resp;
153
msg[0].msg = CONST_DISCARD(char *, text);
154
msg[0].msg_style = type;
157
return converse(pamh, ctrl, 1, pmsg, &resp);
163
/* set the control flags for the SMB module. */
165
int set_ctrl( pam_handle_t *pamh, int flags, int argc, const char **argv )
168
const char *service_file = NULL;
171
ctrl = SMB_DEFAULTS; /* the default selection of options */
173
/* set some flags manually */
175
/* A good, sane default (matches Samba's behavior). */
176
set( SMB__NONULL, ctrl );
178
/* initialize service file location */
179
service_file=get_dyn_CONFIGFILE();
181
if (flags & PAM_SILENT) {
182
set( SMB__QUIET, ctrl );
185
/* Run through the arguments once, looking for an alternate smb config
190
for (j = 0; j < SMB_CTRLS_; ++j) {
191
if (smb_args[j].token
192
&& !strncmp(argv[i], smb_args[j].token, strlen(smb_args[j].token)))
198
if (j == SMB_CONF_FILE) {
199
service_file = argv[i] + 8;
204
/* Read some options from the Samba config. Can be overridden by
206
if(lp_load(service_file,True,False,False,True) == False) {
207
_log_err(pamh, LOG_ERR, "Error loading service file %s", service_file);
212
if (lp_null_passwords()) {
213
set( SMB__NULLOK, ctrl );
216
/* now parse the rest of the arguments to this module */
221
for (j = 0; j < SMB_CTRLS_; ++j) {
222
if (smb_args[j].token
223
&& !strncmp(*argv, smb_args[j].token, strlen(smb_args[j].token)))
229
if (j >= SMB_CTRLS_) {
230
_log_err(pamh, LOG_ERR, "unrecognized option [%s]", *argv);
232
ctrl &= smb_args[j].mask; /* for turning things off */
233
ctrl |= smb_args[j].flag; /* for turning things on */
236
++argv; /* step to next argument */
239
/* auditing is a more sensitive version of debug */
241
if (on( SMB_AUDIT, ctrl )) {
242
set( SMB_DEBUG, ctrl );
244
/* return the set of flags */
249
/* use this to free strings. ESPECIALLY password strings */
251
char * _pam_delete( register char *xx )
253
_pam_overwrite( xx );
258
void _cleanup( pam_handle_t * pamh, void *x, int error_status )
260
x = _pam_delete( (char *) x );
265
* Safe duplication of character strings. "Paranoid"; don't leave
266
* evidence of old token around for later stack analysis.
269
char * smbpXstrDup( pam_handle_t *pamh, const char *x )
271
register char *newstr = NULL;
276
for (i = 0; x[i]; ++i); /* length of string */
277
if ((newstr = SMB_MALLOC_ARRAY(char, ++i)) == NULL) {
279
_log_err(pamh, LOG_CRIT, "out of memory in smbpXstrDup");
287
return newstr; /* return the duplicate or NULL on error */
290
/* ************************************************************** *
291
* Useful non-trivial functions *
292
* ************************************************************** */
294
void _cleanup_failures( pam_handle_t * pamh, void *fl, int err )
297
const char *service = NULL;
298
struct _pam_failed_auth *failure;
300
#ifdef PAM_DATA_SILENT
301
quiet = err & PAM_DATA_SILENT; /* should we log something? */
305
#ifdef PAM_DATA_REPLACE
306
err &= PAM_DATA_REPLACE; /* are we just replacing data? */
308
failure = (struct _pam_failed_auth *) fl;
310
if (failure != NULL) {
312
#ifdef PAM_DATA_SILENT
313
if (!quiet && !err) { /* under advisement from Sun,may go away */
315
if (!quiet) { /* under advisement from Sun,may go away */
318
/* log the number of authentication failures */
319
if (failure->count != 0) {
320
_pam_get_item( pamh, PAM_SERVICE, &service );
321
_log_err(pamh, LOG_NOTICE
322
, "%d authentication %s "
323
"from %s for service %s as %s(%d)"
325
, failure->count == 1 ? "failure" : "failures"
327
, service == NULL ? "**unknown**" : service
328
, failure->user, failure->id );
329
if (failure->count > SMB_MAX_RETRIES) {
330
_log_err(pamh, LOG_ALERT
331
, "service(%s) ignoring max retries; %d > %d"
332
, service == NULL ? "**unknown**" : service
338
_pam_delete( failure->agent ); /* tidy up */
339
_pam_delete( failure->user ); /* tidy up */
340
SAFE_FREE( failure );
344
int _smb_verify_password( pam_handle_t * pamh, struct samu *sampass,
345
const char *p, unsigned int ctrl )
349
int retval = PAM_AUTH_ERR;
356
name = pdb_get_username(sampass);
358
#ifdef HAVE_PAM_FAIL_DELAY
359
if (off( SMB_NODELAY, ctrl )) {
360
(void) pam_fail_delay( pamh, 1000000 ); /* 1 sec delay for on failure */
364
if (!pdb_get_nt_passwd(sampass))
366
_log_err(pamh, LOG_DEBUG, "user %s has null SMB password", name);
368
if (off( SMB__NONULL, ctrl )
369
&& (pdb_get_acct_ctrl(sampass) & ACB_PWNOTREQ))
370
{ /* this means we've succeeded */
375
_pam_get_item( pamh, PAM_SERVICE, &service );
376
_log_err(pamh, LOG_NOTICE, "failed auth request by %s for service %s as %s",
377
uidtoname(getuid()), service ? service : "**unknown**", name);
382
data_name = SMB_MALLOC_ARRAY(char, sizeof(FAIL_PREFIX) + strlen( name ));
383
if (data_name == NULL) {
384
_log_err(pamh, LOG_CRIT, "no memory for data-name" );
387
strncpy( data_name, FAIL_PREFIX, sizeof(FAIL_PREFIX) );
388
strncpy( data_name + sizeof(FAIL_PREFIX) - 1, name, strlen( name ) + 1 );
391
* The password we were given wasn't an encrypted password, or it
392
* didn't match the one we have. We encrypt the password now and try
396
nt_lm_owf_gen(p, nt_pw, lm_pw);
398
/* the moment of truth -- do we agree with the password? */
400
if (!memcmp( nt_pw, pdb_get_nt_passwd(sampass), 16 )) {
402
retval = PAM_SUCCESS;
403
if (data_name) { /* reset failures */
404
pam_set_data(pamh, data_name, NULL, _cleanup_failures);
410
_pam_get_item( pamh, PAM_SERVICE, &service );
412
if (data_name != NULL) {
413
struct _pam_failed_auth *newauth = NULL;
414
const struct _pam_failed_auth *old = NULL;
416
/* get a failure recorder */
418
newauth = SMB_MALLOC_P( struct _pam_failed_auth );
420
if (newauth != NULL) {
422
/* any previous failures for this user ? */
423
_pam_get_data(pamh, data_name, &old);
426
newauth->count = old->count + 1;
427
if (newauth->count >= SMB_MAX_RETRIES) {
428
retval = PAM_MAXTRIES;
431
_log_err(pamh, LOG_NOTICE,
432
"failed auth request by %s for service %s as %s",
434
service ? service : "**unknown**", name);
437
if (!sid_to_uid(pdb_get_user_sid(sampass), &(newauth->id))) {
438
_log_err(pamh, LOG_NOTICE,
439
"failed auth request by %s for service %s as %s",
441
service ? service : "**unknown**", name);
443
newauth->user = smbpXstrDup( pamh, name );
444
newauth->agent = smbpXstrDup( pamh, uidtoname( getuid() ) );
445
pam_set_data( pamh, data_name, newauth, _cleanup_failures );
448
_log_err(pamh, LOG_CRIT, "no memory for failure recorder" );
449
_log_err(pamh, LOG_NOTICE,
450
"failed auth request by %s for service %s as %s(%d)",
452
service ? service : "**unknown**", name);
455
_log_err(pamh, LOG_NOTICE,
456
"failed auth request by %s for service %s as %s(%d)",
458
service ? service : "**unknown**", name);
459
retval = PAM_AUTH_ERR;
462
_pam_delete( data_name );
469
* _smb_blankpasswd() is a quick check for a blank password
471
* returns TRUE if user does not have a password
472
* - to avoid prompting for one in such cases (CG)
475
int _smb_blankpasswd( unsigned int ctrl, struct samu *sampass )
480
* This function does not have to be too smart if something goes
481
* wrong, return FALSE and let this case to be treated somewhere
485
if (on( SMB__NONULL, ctrl ))
486
return 0; /* will fail but don't let on yet */
488
if (!(pdb_get_acct_ctrl(sampass) & ACB_PWNOTREQ))
491
if (pdb_get_nt_passwd(sampass) == NULL)
500
* obtain a password from the user
503
int _smb_read_password( pam_handle_t * pamh, unsigned int ctrl,
504
const char *comment, const char *prompt1,
505
const char *prompt2, const char *data_name, char **pass )
512
struct pam_message msg[3], *pmsg[3];
513
struct pam_response *resp;
517
/* make sure nothing inappropriate gets returned */
519
*pass = token = NULL;
521
/* which authentication token are we getting? */
523
authtok_flag = on(SMB__OLD_PASSWD, ctrl) ? PAM_OLDAUTHTOK : PAM_AUTHTOK;
525
/* should we obtain the password from a PAM item ? */
527
if (on(SMB_TRY_FIRST_PASS, ctrl) || on(SMB_USE_FIRST_PASS, ctrl)) {
528
retval = _pam_get_item( pamh, authtok_flag, &item );
529
if (retval != PAM_SUCCESS) {
531
_log_err(pamh, LOG_ALERT,
532
"pam_get_item returned error to smb_read_password");
534
} else if (item != NULL) { /* we have a password! */
538
} else if (on( SMB_USE_FIRST_PASS, ctrl )) {
539
return PAM_AUTHTOK_RECOVER_ERR; /* didn't work */
540
} else if (on( SMB_USE_AUTHTOK, ctrl )
541
&& off( SMB__OLD_PASSWD, ctrl ))
543
return PAM_AUTHTOK_RECOVER_ERR;
548
* getting here implies we will have to get the password from the
552
/* prepare to converse */
553
if (comment != NULL && off(SMB__QUIET, ctrl)) {
555
msg[0].msg_style = PAM_TEXT_INFO;
556
msg[0].msg = CONST_DISCARD(char *, comment);
563
msg[i].msg_style = PAM_PROMPT_ECHO_OFF;
564
msg[i++].msg = CONST_DISCARD(char *, prompt1);
566
if (prompt2 != NULL) {
568
msg[i].msg_style = PAM_PROMPT_ECHO_OFF;
569
msg[i++].msg = CONST_DISCARD(char *, prompt2);
576
retval = converse( pamh, ctrl, i, pmsg, &resp );
579
int j = comment ? 1 : 0;
580
/* interpret the response */
582
if (retval == PAM_SUCCESS) { /* a good conversation */
584
token = smbpXstrDup(pamh, resp[j++].resp);
587
/* verify that password entered correctly */
588
if (!resp[j].resp || strcmp( token, resp[j].resp )) {
589
_pam_delete( token );
590
retval = PAM_AUTHTOK_RECOVER_ERR;
591
make_remark( pamh, ctrl, PAM_ERROR_MSG
596
_log_err(pamh, LOG_NOTICE,
597
"could not recover authentication token");
602
_pam_drop_reply( resp, expect );
605
retval = (retval == PAM_SUCCESS) ? PAM_AUTHTOK_RECOVER_ERR : retval;
608
if (retval != PAM_SUCCESS) {
609
if (on( SMB_DEBUG, ctrl ))
610
_log_err(pamh, LOG_DEBUG, "unable to obtain a password");
613
/* 'token' is the entered password */
615
if (off( SMB_NOT_SET_PASS, ctrl )) {
617
/* we store this password as an item */
619
retval = pam_set_item( pamh, authtok_flag, (const void *)token );
620
_pam_delete( token ); /* clean it up */
621
if (retval != PAM_SUCCESS
622
|| (retval = _pam_get_item( pamh, authtok_flag
623
,&item )) != PAM_SUCCESS)
625
_log_err(pamh, LOG_CRIT, "error manipulating password");
630
* then store it as data specific to this module. pam_end()
631
* will arrange to clean it up.
634
retval = pam_set_data( pamh, data_name, (void *) token, _cleanup );
635
if (retval != PAM_SUCCESS
636
|| (retval = _pam_get_data( pamh, data_name, &item ))
639
_log_err(pamh, LOG_CRIT, "error manipulating password data [%s]",
640
pam_strerror( pamh, retval ));
641
_pam_delete( token );
645
token = NULL; /* break link to password */
649
item = NULL; /* break link to password */
654
int _pam_smb_approve_pass(pam_handle_t * pamh,
656
const char *pass_old,
657
const char *pass_new )
660
/* Further checks should be handled through module stacking. -SRL */
661
if (pass_new == NULL || (pass_old && !strcmp( pass_old, pass_new )))
663
if (on(SMB_DEBUG, ctrl)) {
664
_log_err(pamh, LOG_DEBUG,
665
"passwd: bad authentication token (null or unchanged)");
667
make_remark( pamh, ctrl, PAM_ERROR_MSG, pass_new == NULL ?
668
"No password supplied" : "Password unchanged" );
669
return PAM_AUTHTOK_ERR;
676
* Work around the pam API that has functions with void ** as parameters
677
* These lead to strict aliasing warnings with gcc.
679
int _pam_get_item(const pam_handle_t *pamh,
683
const void **item = (const void **)_item;
684
return pam_get_item(pamh, item_type, item);
687
int _pam_get_data(const pam_handle_t *pamh,
688
const char *module_data_name,
691
const void **data = (const void **)_data;
692
return pam_get_data(pamh, module_data_name, data);