10Sstevel@tonic-gate /*
20Sstevel@tonic-gate * CDDL HEADER START
30Sstevel@tonic-gate *
40Sstevel@tonic-gate * The contents of this file are subject to the terms of the
59136SJoep.Vesseur@Sun.COM * Common Development and Distribution License (the "License").
69136SJoep.Vesseur@Sun.COM * You may not use this file except in compliance with the License.
70Sstevel@tonic-gate *
80Sstevel@tonic-gate * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
90Sstevel@tonic-gate * or http://www.opensolaris.org/os/licensing.
100Sstevel@tonic-gate * See the License for the specific language governing permissions
110Sstevel@tonic-gate * and limitations under the License.
120Sstevel@tonic-gate *
130Sstevel@tonic-gate * When distributing Covered Code, include this CDDL HEADER in each
140Sstevel@tonic-gate * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
150Sstevel@tonic-gate * If applicable, add the following below this CDDL HEADER, with the
160Sstevel@tonic-gate * fields enclosed by brackets "[]" replaced with your own identifying
170Sstevel@tonic-gate * information: Portions Copyright [yyyy] [name of copyright owner]
180Sstevel@tonic-gate *
190Sstevel@tonic-gate * CDDL HEADER END
200Sstevel@tonic-gate */
210Sstevel@tonic-gate /*
229136SJoep.Vesseur@Sun.COM * Copyright 2009 Sun Microsystems, Inc. All rights reserved.
230Sstevel@tonic-gate * Use is subject to license terms.
240Sstevel@tonic-gate */
250Sstevel@tonic-gate
260Sstevel@tonic-gate #include <sys/types.h>
270Sstevel@tonic-gate #include <sys/varargs.h>
280Sstevel@tonic-gate #include <string.h>
290Sstevel@tonic-gate #include <stdlib.h>
300Sstevel@tonic-gate #include <syslog.h>
310Sstevel@tonic-gate #include <unistd.h>
320Sstevel@tonic-gate #include <crypt.h>
330Sstevel@tonic-gate #include <pwd.h>
340Sstevel@tonic-gate #include <libintl.h>
350Sstevel@tonic-gate
360Sstevel@tonic-gate #include <security/pam_appl.h>
370Sstevel@tonic-gate #include <security/pam_modules.h>
380Sstevel@tonic-gate #include <security/pam_impl.h>
390Sstevel@tonic-gate
400Sstevel@tonic-gate #include <passwdutil.h>
410Sstevel@tonic-gate
420Sstevel@tonic-gate #include <sys/note.h>
430Sstevel@tonic-gate
440Sstevel@tonic-gate /*PRINTFLIKE3*/
450Sstevel@tonic-gate void
error(int nowarn,pam_handle_t * pamh,char * fmt,...)460Sstevel@tonic-gate error(int nowarn, pam_handle_t *pamh, char *fmt, ...)
470Sstevel@tonic-gate {
480Sstevel@tonic-gate va_list ap;
490Sstevel@tonic-gate char messages[PAM_MAX_NUM_MSG][PAM_MAX_MSG_SIZE];
500Sstevel@tonic-gate
510Sstevel@tonic-gate va_start(ap, fmt);
520Sstevel@tonic-gate (void) vsnprintf(messages[0], sizeof (messages[0]), fmt, ap);
530Sstevel@tonic-gate if (nowarn == 0)
540Sstevel@tonic-gate (void) __pam_display_msg(pamh, PAM_ERROR_MSG, 1, messages,
550Sstevel@tonic-gate NULL);
560Sstevel@tonic-gate va_end(ap);
570Sstevel@tonic-gate }
580Sstevel@tonic-gate
590Sstevel@tonic-gate /*
600Sstevel@tonic-gate * int pam_sm_authenticate(pamh, flags, argc, argv)
610Sstevel@tonic-gate *
620Sstevel@tonic-gate * Read authentication token from user.
630Sstevel@tonic-gate */
640Sstevel@tonic-gate int
pam_sm_authenticate(pam_handle_t * pamh,int flags,int argc,const char ** argv)650Sstevel@tonic-gate pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv)
660Sstevel@tonic-gate {
670Sstevel@tonic-gate
680Sstevel@tonic-gate char *user;
690Sstevel@tonic-gate char *password;
700Sstevel@tonic-gate char *service;
710Sstevel@tonic-gate int i;
720Sstevel@tonic-gate int debug = 0;
730Sstevel@tonic-gate int nowarn = 0;
740Sstevel@tonic-gate int res;
750Sstevel@tonic-gate char prompt[PAM_MAX_MSG_SIZE];
760Sstevel@tonic-gate char *auth_user = NULL;
770Sstevel@tonic-gate int retval;
780Sstevel@tonic-gate int privileged;
790Sstevel@tonic-gate char *rep_passwd = NULL;
800Sstevel@tonic-gate char *repository_name = NULL;
810Sstevel@tonic-gate attrlist al[8];
820Sstevel@tonic-gate int min;
830Sstevel@tonic-gate int max;
840Sstevel@tonic-gate int lstchg;
850Sstevel@tonic-gate int server_policy = 0;
860Sstevel@tonic-gate
870Sstevel@tonic-gate pam_repository_t *auth_rep = NULL;
880Sstevel@tonic-gate pwu_repository_t *pwu_rep = NULL;
890Sstevel@tonic-gate
900Sstevel@tonic-gate for (i = 0; i < argc; i++) {
910Sstevel@tonic-gate if (strcmp(argv[i], "debug") == 0)
920Sstevel@tonic-gate debug = 1;
930Sstevel@tonic-gate if (strcmp(argv[i], "nowarn") == 0)
940Sstevel@tonic-gate nowarn = 1;
950Sstevel@tonic-gate if (strcmp(argv[i], "server_policy") == 0)
960Sstevel@tonic-gate server_policy = 1;
970Sstevel@tonic-gate }
980Sstevel@tonic-gate
990Sstevel@tonic-gate if (flags & PAM_SILENT)
1000Sstevel@tonic-gate nowarn = 1;
1010Sstevel@tonic-gate
1020Sstevel@tonic-gate if ((res = pam_get_user(pamh, &user, NULL)) != PAM_SUCCESS) {
1030Sstevel@tonic-gate if (debug)
1040Sstevel@tonic-gate syslog(LOG_DEBUG, "pam_passwd_auth: "
1050Sstevel@tonic-gate "get user failed: %s", pam_strerror(pamh, res));
1060Sstevel@tonic-gate return (res);
1070Sstevel@tonic-gate }
1080Sstevel@tonic-gate
1090Sstevel@tonic-gate if (user == NULL || *user == '\0') {
1100Sstevel@tonic-gate syslog(LOG_ERR, "pam_passwd_auth: pam_sm_authenticate: "
1110Sstevel@tonic-gate "PAM_USER NULL or empty");
1120Sstevel@tonic-gate return (PAM_SYSTEM_ERR);
1130Sstevel@tonic-gate }
1140Sstevel@tonic-gate
1150Sstevel@tonic-gate res = pam_get_item(pamh, PAM_AUTHTOK, (void **)&password);
1160Sstevel@tonic-gate if (res != PAM_SUCCESS)
1170Sstevel@tonic-gate return (res);
1180Sstevel@tonic-gate
1190Sstevel@tonic-gate if (password != NULL)
1209136SJoep.Vesseur@Sun.COM return (PAM_IGNORE);
1210Sstevel@tonic-gate
1220Sstevel@tonic-gate res = pam_get_item(pamh, PAM_SERVICE, (void **)&service);
1230Sstevel@tonic-gate if (res != PAM_SUCCESS)
1240Sstevel@tonic-gate return (res);
1250Sstevel@tonic-gate
1260Sstevel@tonic-gate res = pam_get_item(pamh, PAM_REPOSITORY, (void **)&auth_rep);
1270Sstevel@tonic-gate if (res != PAM_SUCCESS) {
1280Sstevel@tonic-gate syslog(LOG_ERR, "pam_passwd_auth: pam_sm_authenticate: "
1290Sstevel@tonic-gate "error getting repository");
1300Sstevel@tonic-gate return (PAM_SYSTEM_ERR);
1310Sstevel@tonic-gate }
1320Sstevel@tonic-gate
1330Sstevel@tonic-gate if (auth_rep == NULL) {
1340Sstevel@tonic-gate pwu_rep = PWU_DEFAULT_REP;
1350Sstevel@tonic-gate } else {
1360Sstevel@tonic-gate if ((pwu_rep = calloc(1, sizeof (*pwu_rep))) == NULL)
1370Sstevel@tonic-gate return (PAM_BUF_ERR);
1380Sstevel@tonic-gate pwu_rep->type = auth_rep->type;
1390Sstevel@tonic-gate pwu_rep->scope = auth_rep->scope;
1400Sstevel@tonic-gate pwu_rep->scope_len = auth_rep->scope_len;
1410Sstevel@tonic-gate }
1420Sstevel@tonic-gate
1430Sstevel@tonic-gate res = __user_to_authenticate(user, pwu_rep, &auth_user, &privileged);
1440Sstevel@tonic-gate if (res != PWU_SUCCESS) {
1450Sstevel@tonic-gate if (res == PWU_NOT_FOUND)
1460Sstevel@tonic-gate retval = PAM_USER_UNKNOWN;
1470Sstevel@tonic-gate else if (res == PWU_DENIED)
1480Sstevel@tonic-gate retval = PAM_PERM_DENIED;
1490Sstevel@tonic-gate else if (res == PWU_REPOSITORY_ERROR) {
1500Sstevel@tonic-gate syslog(LOG_NOTICE,
1510Sstevel@tonic-gate "pam_passwd_auth: detected unsupported "
1520Sstevel@tonic-gate "configuration in /etc/nsswitch.conf.");
1530Sstevel@tonic-gate error(nowarn, pamh, dgettext(TEXT_DOMAIN, "%s: "
1540Sstevel@tonic-gate "Unsupported nsswitch entry for \"passwd:\"."
1550Sstevel@tonic-gate " Use \"-r repository \"."), service);
1560Sstevel@tonic-gate retval = PAM_SYSTEM_ERR;
1570Sstevel@tonic-gate } else
1580Sstevel@tonic-gate retval = PAM_SYSTEM_ERR;
1590Sstevel@tonic-gate if (debug)
1600Sstevel@tonic-gate syslog(LOG_DEBUG, "passwd_auth: __user_to_authenticate "
1610Sstevel@tonic-gate "returned %d", retval);
1620Sstevel@tonic-gate goto out;
1630Sstevel@tonic-gate }
1640Sstevel@tonic-gate
1650Sstevel@tonic-gate if (auth_user == NULL) { /* No authentication needed */
1660Sstevel@tonic-gate if (debug)
1670Sstevel@tonic-gate syslog(LOG_DEBUG,
1680Sstevel@tonic-gate "passwd_auth: no authentication needed.");
1690Sstevel@tonic-gate retval = PAM_SUCCESS;
1700Sstevel@tonic-gate goto out;
1710Sstevel@tonic-gate }
1720Sstevel@tonic-gate
1730Sstevel@tonic-gate /*
1740Sstevel@tonic-gate * The password prompt differs between users updating their
1750Sstevel@tonic-gate * own password, and users updating other an user's password
1760Sstevel@tonic-gate */
1770Sstevel@tonic-gate if (privileged) {
1780Sstevel@tonic-gate /*
1790Sstevel@tonic-gate * TRANSLATION_NOTE
1800Sstevel@tonic-gate * The following string has a single space at the end
1810Sstevel@tonic-gate */
1820Sstevel@tonic-gate (void) snprintf(prompt, sizeof (prompt),
1830Sstevel@tonic-gate dgettext(TEXT_DOMAIN, "Enter %s's password: "),
1840Sstevel@tonic-gate auth_user);
1850Sstevel@tonic-gate } else {
1860Sstevel@tonic-gate /*
1870Sstevel@tonic-gate * TRANSLATION_NOTE
1880Sstevel@tonic-gate * The following string has a single space at the end
1890Sstevel@tonic-gate */
1900Sstevel@tonic-gate (void) snprintf(prompt, sizeof (prompt),
1910Sstevel@tonic-gate dgettext(TEXT_DOMAIN, "Enter existing login password: "));
1920Sstevel@tonic-gate }
1930Sstevel@tonic-gate
1940Sstevel@tonic-gate retval = __pam_get_authtok(pamh, PAM_PROMPT, PAM_AUTHTOK, prompt,
1950Sstevel@tonic-gate &password);
1960Sstevel@tonic-gate if (retval != PAM_SUCCESS)
1970Sstevel@tonic-gate goto out;
1980Sstevel@tonic-gate
1990Sstevel@tonic-gate if (password == NULL) {
2000Sstevel@tonic-gate syslog(LOG_ERR, "pam_passwd_auth: pam_sm_authenticate: "
2010Sstevel@tonic-gate "got NULL password from get_authtok()");
2020Sstevel@tonic-gate retval = PAM_AUTH_ERR;
2030Sstevel@tonic-gate goto out;
2040Sstevel@tonic-gate }
2050Sstevel@tonic-gate
2060Sstevel@tonic-gate /* Privileged users can skip the tests that follow */
2070Sstevel@tonic-gate if (privileged)
2080Sstevel@tonic-gate goto setitem;
2090Sstevel@tonic-gate
2100Sstevel@tonic-gate /*
2110Sstevel@tonic-gate * Non privileged user: so we need to check the old password
2120Sstevel@tonic-gate * and possible restrictions on password changes.
2130Sstevel@tonic-gate */
2140Sstevel@tonic-gate
2150Sstevel@tonic-gate /* Get password and it's age from the repository specified */
2160Sstevel@tonic-gate al[0].type = ATTR_PASSWD; al[0].next = &al[1];
2170Sstevel@tonic-gate al[1].type = ATTR_MIN; al[1].next = &al[2];
2180Sstevel@tonic-gate al[2].type = ATTR_MAX; al[2].next = &al[3];
2190Sstevel@tonic-gate al[3].type = ATTR_LSTCHG; al[3].next = &al[4];
2200Sstevel@tonic-gate al[4].type = ATTR_WARN; al[4].next = &al[5];
2210Sstevel@tonic-gate al[5].type = ATTR_INACT; al[5].next = &al[6];
2220Sstevel@tonic-gate al[6].type = ATTR_EXPIRE; al[6].next = &al[7];
2230Sstevel@tonic-gate al[7].type = ATTR_REP_NAME; al[7].next = NULL;
2240Sstevel@tonic-gate
2250Sstevel@tonic-gate res = __get_authtoken_attr(auth_user, pwu_rep, al);
2260Sstevel@tonic-gate
2270Sstevel@tonic-gate if (res != PWU_SUCCESS) {
2280Sstevel@tonic-gate retval = PAM_SYSTEM_ERR;
2290Sstevel@tonic-gate goto out;
2300Sstevel@tonic-gate }
2310Sstevel@tonic-gate
2320Sstevel@tonic-gate repository_name = al[7].data.val_s;
2330Sstevel@tonic-gate
2340Sstevel@tonic-gate /*
235*11262SRajagopal.Andra@Sun.COM * if repository isn't files|nis, and user wants to follow server
236*11262SRajagopal.Andra@Sun.COM * policy, return PAM_IGNORE
2370Sstevel@tonic-gate */
2380Sstevel@tonic-gate if (server_policy &&
2399136SJoep.Vesseur@Sun.COM strcmp(repository_name, "files") != 0 &&
240*11262SRajagopal.Andra@Sun.COM strcmp(repository_name, "nis") != 0) {
2410Sstevel@tonic-gate retval = PAM_IGNORE;
2420Sstevel@tonic-gate goto out;
2430Sstevel@tonic-gate }
2440Sstevel@tonic-gate
2450Sstevel@tonic-gate rep_passwd = al[0].data.val_s;
2460Sstevel@tonic-gate
247404Sjjj /*
248404Sjjj * Chop off old SunOS-style password aging information.
249404Sjjj *
250404Sjjj * Note: old style password aging is only defined for UNIX-style
251404Sjjj * crypt strings, hence the comma will always be at position 14.
252404Sjjj * Note: This code is here because some other vendors might still
253404Sjjj * support this style of password aging. If we don't remove
254404Sjjj * the age field, users won't be able to change their password.
255404Sjjj * XXX yank this code when we're certain this "compatibility"
256404Sjjj * isn't needed anymore.
257404Sjjj */
258404Sjjj if (rep_passwd != NULL && rep_passwd[0] != '$' &&
259404Sjjj strlen(rep_passwd) > 13 && rep_passwd[13] == ',')
260404Sjjj rep_passwd[13] = '\0';
261404Sjjj
2620Sstevel@tonic-gate if (strcmp(crypt(password, rep_passwd), rep_passwd) != 0) {
2630Sstevel@tonic-gate retval = PAM_AUTH_ERR;
2640Sstevel@tonic-gate goto out;
2650Sstevel@tonic-gate }
2660Sstevel@tonic-gate
2670Sstevel@tonic-gate /*
2680Sstevel@tonic-gate * Now check to see if the user is allowed to change
2690Sstevel@tonic-gate * the password.
2700Sstevel@tonic-gate */
2710Sstevel@tonic-gate min = al[1].data.val_i;
2720Sstevel@tonic-gate max = al[2].data.val_i;
2730Sstevel@tonic-gate lstchg = al[3].data.val_i;
2740Sstevel@tonic-gate
2750Sstevel@tonic-gate if (max != -1 && lstchg != 0) {
2760Sstevel@tonic-gate /* aging is turned on, and a change is not forced */
2770Sstevel@tonic-gate time_t daynow = DAY_NOW_32;
2780Sstevel@tonic-gate if ((time_t)lstchg <= daynow) {
2790Sstevel@tonic-gate /* Aged enough? */
2800Sstevel@tonic-gate if (daynow < (time_t)(lstchg + min)) {
2810Sstevel@tonic-gate error(nowarn, pamh, dgettext(TEXT_DOMAIN,
2820Sstevel@tonic-gate "%s: Sorry: less than %d days "
2830Sstevel@tonic-gate "since the last change."),
2840Sstevel@tonic-gate service, min);
2850Sstevel@tonic-gate retval = PAM_PERM_DENIED;
2860Sstevel@tonic-gate goto out;
2870Sstevel@tonic-gate }
2880Sstevel@tonic-gate
2890Sstevel@tonic-gate /*
2900Sstevel@tonic-gate * users with min>max are not allowed to
2910Sstevel@tonic-gate * change their password.
2920Sstevel@tonic-gate */
2930Sstevel@tonic-gate if (min > max) {
2940Sstevel@tonic-gate error(nowarn, pamh, dgettext(TEXT_DOMAIN,
2950Sstevel@tonic-gate "%s: You may not change "
2960Sstevel@tonic-gate "this password."), service);
2970Sstevel@tonic-gate retval = PAM_PERM_DENIED;
2980Sstevel@tonic-gate goto out;
2990Sstevel@tonic-gate }
3000Sstevel@tonic-gate }
3010Sstevel@tonic-gate }
3020Sstevel@tonic-gate
3030Sstevel@tonic-gate setitem:
3040Sstevel@tonic-gate
3050Sstevel@tonic-gate retval = pam_set_item(pamh, PAM_AUTHTOK, (void *)password);
3060Sstevel@tonic-gate
3070Sstevel@tonic-gate out:
3080Sstevel@tonic-gate if (password) {
3090Sstevel@tonic-gate (void) memset(password, 0, strlen(password));
3100Sstevel@tonic-gate free(password);
3110Sstevel@tonic-gate }
3120Sstevel@tonic-gate if (rep_passwd) {
3130Sstevel@tonic-gate (void) memset(rep_passwd, 0, strlen(rep_passwd));
3140Sstevel@tonic-gate free(rep_passwd);
3150Sstevel@tonic-gate }
3160Sstevel@tonic-gate if (pwu_rep)
3170Sstevel@tonic-gate free(pwu_rep);
3180Sstevel@tonic-gate if (auth_user)
3190Sstevel@tonic-gate free(auth_user);
3200Sstevel@tonic-gate if (repository_name)
3210Sstevel@tonic-gate free(repository_name);
3220Sstevel@tonic-gate
3230Sstevel@tonic-gate return (retval);
3240Sstevel@tonic-gate }
3250Sstevel@tonic-gate
3260Sstevel@tonic-gate /*ARGSUSED*/
3270Sstevel@tonic-gate int
pam_sm_setcred(pam_handle_t * pamh,int flags,int argc,const char ** argv)3280Sstevel@tonic-gate pam_sm_setcred(pam_handle_t *pamh, int flags, int argc, const char **argv)
3290Sstevel@tonic-gate {
3300Sstevel@tonic-gate return (PAM_IGNORE);
3310Sstevel@tonic-gate }
332