1 /*- 2 * Copyright 1998 Juniper Networks, Inc. 3 * All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that the following conditions 7 * are met: 8 * 1. Redistributions of source code must retain the above copyright 9 * notice, this list of conditions and the following disclaimer. 10 * 2. Redistributions in binary form must reproduce the above copyright 11 * notice, this list of conditions and the following disclaimer in the 12 * documentation and/or other materials provided with the distribution. 13 * 14 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 15 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 16 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 17 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 18 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 19 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 20 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 21 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 22 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 23 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 24 * SUCH DAMAGE. 
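 *
 * $FreeBSD: src/lib/libpam/modules/pam_unix/pam_unix.c,v 1.4.2.4 2002/08/02 10:14:18 des Exp $
 */

#include <sys/types.h>
#include <sys/time.h>
#include <login_cap.h>
#include <pwd.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>
#include <time.h>
#include <unistd.h>

#define PAM_SM_AUTH
#define PAM_SM_ACCOUNT
#include <security/pam_modules.h>

#include <security/pam_mod_misc.h>

#define PASSWORD_PROMPT	"Password:"

/*
 * Default lead time, in seconds, at which a password/account expiry
 * warning is issued when the login class does not override it.
 */
#define DEFAULT_WARN	(2L * 7L * 86400L)	/* Two weeks */

enum {
	PAM_OPT_AUTH_AS_SELF = PAM_OPT_STD_MAX,
	PAM_OPT_NULLOK
};

/* Module-specific options, parsed on top of the standard PAM ones. */
static struct opttab other_options[] = {
	{ "auth_as_self",	PAM_OPT_AUTH_AS_SELF },
	{ "nullok",		PAM_OPT_NULLOK },
	{ NULL, 0 }
};

/*
 * authentication management
 */

/*
 * Check the supplied password against the account's crypt(3) hash.
 *
 * With "auth_as_self" the account is the one getlogin(3) reports,
 * otherwise it is PAM_USER.  An empty password field is accepted only
 * when "nullok" is set and the caller did not pass
 * PAM_DISALLOW_NULL_AUTHTOK.  Unknown users are still prompted and
 * still go through crypt() against a hash that cannot match, so the
 * failure path does not reveal whether the account exists.
 *
 * Returns PAM_SUCCESS, PAM_AUTH_ERR, or the error from the helper that
 * failed (pam_get_user / pam_get_pass).
 */
PAM_EXTERN int
pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc,
    const char **argv)
{
	int retval;
	const char *user;
	const char *password, *realpw, *hashed;
	struct passwd *pwd;
	struct options options;

	pam_std_option(&options, other_options, argc, argv);
	if (pam_test_option(&options, PAM_OPT_AUTH_AS_SELF, NULL)) {
		/*
		 * getlogin(3) returns NULL when the session has no login
		 * name; getpwnam(NULL) is undefined, so treat that as an
		 * unknown user instead of dereferencing it.
		 */
		user = getlogin();
		pwd = user != NULL ? getpwnam(user) : NULL;
	} else {
		retval = pam_get_user(pamh, &user, NULL);
		if (retval != PAM_SUCCESS)
			return retval;
		pwd = getpwnam(user);
	}
	if (pwd != NULL) {
		realpw = pwd->pw_passwd;
		if (realpw[0] == '\0') {
			if (!(flags & PAM_DISALLOW_NULL_AUTHTOK) &&
			    pam_test_option(&options, PAM_OPT_NULLOK, NULL))
				return PAM_SUCCESS;
			/* Empty field but nullok not in effect: can never match. */
			realpw = "*";
		}
	} else {
		/* Unknown user: a salt that no crypt() output can equal. */
		realpw = "*";
	}
	if ((retval = pam_get_pass(pamh, &password, PASSWORD_PROMPT,
	    &options)) != PAM_SUCCESS)
		return retval;
	/*
	 * crypt(3) returns NULL on failure (for instance an unsupported
	 * hash format); strcmp() on NULL would be undefined, so a NULL
	 * result is an authentication failure.
	 */
	hashed = crypt(password, realpw);
	if (hashed != NULL && strcmp(hashed, realpw) == 0)
		return PAM_SUCCESS;
	return PAM_AUTH_ERR;
}

/*
 * No credentials are established by this module; always succeeds.
 */
PAM_EXTERN int
pam_sm_setcred(pam_handle_t *pamh, int flags, int argc, const char **argv)
{
	return PAM_SUCCESS;
}

/*
 * account management
 *
 * check pw_change and pw_expire fields
 */

/*
 * Send "Warning: your <what> expires on <date>" to the user through the
 * conversation function.  ctime(3) may return NULL for a time it cannot
 * format; in that case nothing is sent rather than printing through a
 * NULL "%s" argument.
 */
static void
warn_expiry(pam_handle_t *pamh, const char *what, time_t when)
{
	char buf[128];
	const char *date;

	date = ctime(&when);
	if (date == NULL)
		return;
	snprintf(buf, sizeof(buf), "Warning: your %s expires on %s",
	    what, date);
	pam_prompt(pamh, PAM_ERROR_MSG, buf, NULL);
}

/*
 * Check the account's pw_change and pw_expire fields against the
 * current time and the login class's "warnpassword"/"warnexpire"
 * lead times.
 *
 * Returns PAM_USER_UNKNOWN when PAM_USER is unset or has no passwd
 * entry, PAM_NEW_AUTHTOK_REQD when the password-change time has
 * passed, PAM_ACCT_EXPIRED when the account expiry has passed (this
 * takes precedence over the password result), and PAM_SUCCESS
 * otherwise.  Approaching deadlines only produce a warning message.
 */
PAM_EXTERN int
pam_sm_acct_mgmt(pam_handle_t *pamh, int flags,
    int argc, const char **argv)
{
	const char *user;
	struct passwd *pw;
	struct timeval tp;
	time_t warntime;
	login_cap_t *lc;
	int retval;

	retval = pam_get_item(pamh, PAM_USER, (const void **)&user);
	if (retval != PAM_SUCCESS || user == NULL)
		/* some implementations return PAM_SUCCESS here */
		return PAM_USER_UNKNOWN;

	if ((pw = getpwnam(user)) == NULL)
		return PAM_USER_UNKNOWN;

	retval = PAM_SUCCESS;
	/*
	 * NOTE(review): lc may be NULL when the class cannot be looked up;
	 * login_getcaptime()/login_close() are assumed to tolerate that
	 * and fall back to the defaults -- confirm against login_cap(3).
	 */
	lc = login_getpwclass(pw);

	/*
	 * Always take the time stamp: it is cheap, and it avoids a
	 * conditionally-initialised tp that every later read has to
	 * reason about.
	 */
	gettimeofday(&tp, NULL);

	warntime = login_getcaptime(lc, "warnpassword", DEFAULT_WARN,
	    DEFAULT_WARN);

	if (pw->pw_change) {
		if (tp.tv_sec >= pw->pw_change)
			/* some implementations return PAM_AUTHTOK_EXPIRED */
			retval = PAM_NEW_AUTHTOK_REQD;
		else if (pw->pw_change - tp.tv_sec < warntime)
			warn_expiry(pamh, "password", pw->pw_change);
	}

	warntime = login_getcaptime(lc, "warnexpire", DEFAULT_WARN,
	    DEFAULT_WARN);

	if (pw->pw_expire) {
		if (tp.tv_sec >= pw->pw_expire)
			/* An expired account overrides a pending password change. */
			retval = PAM_ACCT_EXPIRED;
		else if (pw->pw_expire - tp.tv_sec < warntime)
			warn_expiry(pamh, "account", pw->pw_expire);
	}

	login_close(lc);
	return retval;
}

PAM_MODULE_ENTRY("pam_unix");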