10Sstevel@tonic-gate /*
20Sstevel@tonic-gate * CDDL HEADER START
30Sstevel@tonic-gate *
40Sstevel@tonic-gate * The contents of this file are subject to the terms of the
52330Srm88369 * Common Development and Distribution License (the "License").
62330Srm88369 * You may not use this file except in compliance with the License.
70Sstevel@tonic-gate *
80Sstevel@tonic-gate * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
90Sstevel@tonic-gate * or http://www.opensolaris.org/os/licensing.
100Sstevel@tonic-gate * See the License for the specific language governing permissions
110Sstevel@tonic-gate * and limitations under the License.
120Sstevel@tonic-gate *
130Sstevel@tonic-gate * When distributing Covered Code, include this CDDL HEADER in each
140Sstevel@tonic-gate * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
150Sstevel@tonic-gate * If applicable, add the following below this CDDL HEADER, with the
160Sstevel@tonic-gate * fields enclosed by brackets "[]" replaced with your own identifying
170Sstevel@tonic-gate * information: Portions Copyright [yyyy] [name of copyright owner]
180Sstevel@tonic-gate *
190Sstevel@tonic-gate * CDDL HEADER END
200Sstevel@tonic-gate */
210Sstevel@tonic-gate /*
228563SKenjiro.Tsuji@Sun.COM * Copyright 2009 Sun Microsystems, Inc. All rights reserved.
230Sstevel@tonic-gate * Use is subject to license terms.
240Sstevel@tonic-gate */
250Sstevel@tonic-gate
260Sstevel@tonic-gate
270Sstevel@tonic-gate #include <stdlib.h>
280Sstevel@tonic-gate #include <pwd.h>
290Sstevel@tonic-gate #include <shadow.h>
300Sstevel@tonic-gate #include <syslog.h>
310Sstevel@tonic-gate #include <errno.h>
320Sstevel@tonic-gate #include <string.h>
330Sstevel@tonic-gate #include <crypt.h>
340Sstevel@tonic-gate #include <unistd.h>
350Sstevel@tonic-gate #include <user_attr.h>
360Sstevel@tonic-gate #include <auth_attr.h>
370Sstevel@tonic-gate #include <userdefs.h>
380Sstevel@tonic-gate #include <deflt.h>
390Sstevel@tonic-gate #include <sys/stat.h>
400Sstevel@tonic-gate #include <sys/param.h>
410Sstevel@tonic-gate #include <stdarg.h>
420Sstevel@tonic-gate
430Sstevel@tonic-gate #include <security/pam_appl.h>
440Sstevel@tonic-gate #include <security/pam_modules.h>
450Sstevel@tonic-gate #include <security/pam_impl.h>
460Sstevel@tonic-gate
470Sstevel@tonic-gate #include <libintl.h>
480Sstevel@tonic-gate
490Sstevel@tonic-gate #include <passwdutil.h>
500Sstevel@tonic-gate
510Sstevel@tonic-gate #define LOGINADMIN "/etc/default/login"
520Sstevel@tonic-gate #define MAXTRYS 5
530Sstevel@tonic-gate
540Sstevel@tonic-gate /*PRINTFLIKE2*/
550Sstevel@tonic-gate void
error(pam_handle_t * pamh,char * fmt,...)560Sstevel@tonic-gate error(pam_handle_t *pamh, char *fmt, ...)
570Sstevel@tonic-gate {
580Sstevel@tonic-gate va_list ap;
590Sstevel@tonic-gate char messages[1][PAM_MAX_MSG_SIZE];
600Sstevel@tonic-gate
610Sstevel@tonic-gate va_start(ap, fmt);
620Sstevel@tonic-gate (void) vsnprintf(messages[0], sizeof (messages[0]), fmt, ap);
630Sstevel@tonic-gate (void) __pam_display_msg(pamh, PAM_ERROR_MSG, 1, messages, NULL);
640Sstevel@tonic-gate va_end(ap);
650Sstevel@tonic-gate }
660Sstevel@tonic-gate
670Sstevel@tonic-gate static int
get_max_failed(char * user)680Sstevel@tonic-gate get_max_failed(char *user)
690Sstevel@tonic-gate {
700Sstevel@tonic-gate char *val = NULL;
710Sstevel@tonic-gate userattr_t *uattr;
720Sstevel@tonic-gate int do_lock = 0;
730Sstevel@tonic-gate int retval = 0;
740Sstevel@tonic-gate char *p;
758563SKenjiro.Tsuji@Sun.COM void *defp;
760Sstevel@tonic-gate
770Sstevel@tonic-gate if ((uattr = getusernam(user)) != NULL)
780Sstevel@tonic-gate val = kva_match(uattr->attr, USERATTR_LOCK_AFTER_RETRIES_KW);
790Sstevel@tonic-gate
808563SKenjiro.Tsuji@Sun.COM if (val != NULL) {
810Sstevel@tonic-gate do_lock = (strcasecmp(val, "yes") == 0);
828563SKenjiro.Tsuji@Sun.COM } else if ((defp = defopen_r(AUTH_POLICY)) != NULL) {
830Sstevel@tonic-gate int flags;
848563SKenjiro.Tsuji@Sun.COM flags = defcntl_r(DC_GETFLAGS, 0, defp);
850Sstevel@tonic-gate TURNOFF(flags, DC_CASE);
868563SKenjiro.Tsuji@Sun.COM (void) defcntl_r(DC_SETFLAGS, flags, defp);
878563SKenjiro.Tsuji@Sun.COM if ((p = defread_r("LOCK_AFTER_RETRIES=", defp)) != NULL)
880Sstevel@tonic-gate do_lock = (strcasecmp(p, "yes") == 0);
898563SKenjiro.Tsuji@Sun.COM defclose_r(defp);
900Sstevel@tonic-gate }
910Sstevel@tonic-gate
920Sstevel@tonic-gate if (uattr != NULL)
930Sstevel@tonic-gate free_userattr(uattr);
940Sstevel@tonic-gate
950Sstevel@tonic-gate if (do_lock) {
960Sstevel@tonic-gate retval = MAXTRYS;
978563SKenjiro.Tsuji@Sun.COM if ((defp = defopen_r(LOGINADMIN)) != NULL) {
988563SKenjiro.Tsuji@Sun.COM if ((p = defread_r("RETRIES=", defp)) != NULL)
990Sstevel@tonic-gate retval = atoi(p);
1008563SKenjiro.Tsuji@Sun.COM defclose_r(defp);
1010Sstevel@tonic-gate }
1020Sstevel@tonic-gate }
1030Sstevel@tonic-gate
1040Sstevel@tonic-gate return (retval);
1050Sstevel@tonic-gate }
1060Sstevel@tonic-gate
1070Sstevel@tonic-gate static void
display_warning(pam_handle_t * pamh,int failures,char * homedir)1080Sstevel@tonic-gate display_warning(pam_handle_t *pamh, int failures, char *homedir)
1090Sstevel@tonic-gate {
1100Sstevel@tonic-gate char hushpath[MAXPATHLEN];
1110Sstevel@tonic-gate struct stat buf;
1120Sstevel@tonic-gate
1130Sstevel@tonic-gate (void) snprintf(hushpath, sizeof (hushpath), "%s/.hushlogin", homedir);
1140Sstevel@tonic-gate if (stat(hushpath, &buf) == 0)
1150Sstevel@tonic-gate return;
1160Sstevel@tonic-gate
1170Sstevel@tonic-gate if (failures == 1)
1180Sstevel@tonic-gate error(pamh, "Warning: 1 failed login attempt since last "
1190Sstevel@tonic-gate "successful login.");
1200Sstevel@tonic-gate else if (failures < FAILCOUNT_MASK)
1210Sstevel@tonic-gate error(pamh, "Warning: %d failed login attempts since last "
1220Sstevel@tonic-gate "successful login.", failures);
1230Sstevel@tonic-gate else
1240Sstevel@tonic-gate error(pamh, "Warning: at least %d failed login attempts since "
1250Sstevel@tonic-gate "last successful login.", failures);
1260Sstevel@tonic-gate }
1270Sstevel@tonic-gate
1280Sstevel@tonic-gate /*
1290Sstevel@tonic-gate * int pam_sm_authenticate(pamh, flags, arc, argv)
1300Sstevel@tonic-gate *
1310Sstevel@tonic-gate * This routine verifies that the password as stored in the
1320Sstevel@tonic-gate * PAM_AUTHTOK item is indeed the password that belongs to the user
1330Sstevel@tonic-gate * as stored in PAM_USER.
1340Sstevel@tonic-gate *
135*11262SRajagopal.Andra@Sun.COM * This routine will not establish Secure RPC Credentials, the pam_dhkeys
136*11262SRajagopal.Andra@Sun.COM * module should be stacked before us if Secure RPC Credentials are needed
137*11262SRajagopal.Andra@Sun.COM * to obtain passwords.
1380Sstevel@tonic-gate */
1390Sstevel@tonic-gate int
pam_sm_authenticate(pam_handle_t * pamh,int flags,int argc,const char ** argv)1400Sstevel@tonic-gate pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv)
1410Sstevel@tonic-gate {
1420Sstevel@tonic-gate int i;
1430Sstevel@tonic-gate int debug = 0;
1440Sstevel@tonic-gate int nowarn = (flags & PAM_SILENT) != 0;
1450Sstevel@tonic-gate char *user;
1460Sstevel@tonic-gate char *passwd;
1470Sstevel@tonic-gate char *rep_passwd;
1482330Srm88369 char *crypt_passwd;
1490Sstevel@tonic-gate char *repository_name;
1500Sstevel@tonic-gate struct pam_repository *auth_rep;
1510Sstevel@tonic-gate pwu_repository_t *pwu_rep;
1520Sstevel@tonic-gate attrlist attr_pw[4];
1530Sstevel@tonic-gate int result;
1540Sstevel@tonic-gate int server_policy = 0;
1550Sstevel@tonic-gate int old_failed_count;
1560Sstevel@tonic-gate char *homedir = NULL;
1570Sstevel@tonic-gate int dolock = 1;
1580Sstevel@tonic-gate
1590Sstevel@tonic-gate for (i = 0; i < argc; i++) {
1600Sstevel@tonic-gate if (strcmp(argv[i], "debug") == 0)
1610Sstevel@tonic-gate debug = 1;
1620Sstevel@tonic-gate else if (strcmp(argv[i], "nowarn") == 0)
1630Sstevel@tonic-gate nowarn = 1;
1640Sstevel@tonic-gate else if (strcmp(argv[i], "server_policy") == 0)
1650Sstevel@tonic-gate server_policy = 1;
1660Sstevel@tonic-gate else if (strcmp(argv[i], "nolock") == 0)
1670Sstevel@tonic-gate dolock = 0;
1680Sstevel@tonic-gate }
1690Sstevel@tonic-gate
1700Sstevel@tonic-gate if (debug)
1718126SJoep.Vesseur@Sun.COM __pam_log(LOG_AUTH | LOG_DEBUG,
1720Sstevel@tonic-gate "pam_unix_auth: entering pam_sm_authenticate()");
1730Sstevel@tonic-gate
1740Sstevel@tonic-gate if (pam_get_item(pamh, PAM_USER, (void **)&user) != PAM_SUCCESS) {
1758126SJoep.Vesseur@Sun.COM __pam_log(LOG_AUTH | LOG_DEBUG, "pam_unix_auth: USER not set");
1760Sstevel@tonic-gate return (PAM_SYSTEM_ERR);
1770Sstevel@tonic-gate }
1780Sstevel@tonic-gate
1790Sstevel@tonic-gate if (user == NULL || *user == '\0') {
1808126SJoep.Vesseur@Sun.COM __pam_log(LOG_AUTH | LOG_DEBUG,
1818126SJoep.Vesseur@Sun.COM "pam_unix_auth: USER NULL or empty!\n");
1820Sstevel@tonic-gate return (PAM_USER_UNKNOWN);
1830Sstevel@tonic-gate }
1840Sstevel@tonic-gate
1850Sstevel@tonic-gate if (pam_get_item(pamh, PAM_AUTHTOK, (void **)&passwd) != PAM_SUCCESS) {
1868126SJoep.Vesseur@Sun.COM __pam_log(LOG_AUTH | LOG_DEBUG,
1878126SJoep.Vesseur@Sun.COM "pam_unix_auth: AUTHTOK not set!\n");
1880Sstevel@tonic-gate return (PAM_SYSTEM_ERR);
1890Sstevel@tonic-gate }
1900Sstevel@tonic-gate
1910Sstevel@tonic-gate result = pam_get_item(pamh, PAM_REPOSITORY, (void **)&auth_rep);
1920Sstevel@tonic-gate if (result == PAM_SUCCESS && auth_rep != NULL) {
1930Sstevel@tonic-gate if ((pwu_rep = calloc(1, sizeof (*pwu_rep))) == NULL)
1940Sstevel@tonic-gate return (PAM_BUF_ERR);
1950Sstevel@tonic-gate pwu_rep->type = auth_rep->type;
1960Sstevel@tonic-gate pwu_rep->scope = auth_rep->scope;
1970Sstevel@tonic-gate pwu_rep->scope_len = auth_rep->scope_len;
1980Sstevel@tonic-gate } else {
1990Sstevel@tonic-gate pwu_rep = PWU_DEFAULT_REP;
2000Sstevel@tonic-gate }
2010Sstevel@tonic-gate
2020Sstevel@tonic-gate /*
2030Sstevel@tonic-gate * Get password and the name of the repository where the
2040Sstevel@tonic-gate * password resides.
2050Sstevel@tonic-gate */
2060Sstevel@tonic-gate attr_pw[0].type = ATTR_PASSWD; attr_pw[0].next = &attr_pw[1];
2070Sstevel@tonic-gate attr_pw[1].type = ATTR_REP_NAME; attr_pw[1].next = &attr_pw[2];
2080Sstevel@tonic-gate /*
2090Sstevel@tonic-gate * Also get the current number of failed logins; we use
2100Sstevel@tonic-gate * this later to determine whether we need to reset the count
2110Sstevel@tonic-gate * on a succesful authentication. We use the home-directory
2120Sstevel@tonic-gate * to look for .hushlogin in order to optionaly surpress the
2130Sstevel@tonic-gate * "failed attempts" message.
2140Sstevel@tonic-gate */
2150Sstevel@tonic-gate attr_pw[2].type = ATTR_FAILED_LOGINS; attr_pw[2].next = &attr_pw[3];
2160Sstevel@tonic-gate attr_pw[3].type = ATTR_HOMEDIR; attr_pw[3].next = NULL;
2170Sstevel@tonic-gate
2180Sstevel@tonic-gate result = __get_authtoken_attr(user, pwu_rep, attr_pw);
2190Sstevel@tonic-gate
2200Sstevel@tonic-gate if (pwu_rep != PWU_DEFAULT_REP)
2210Sstevel@tonic-gate free(pwu_rep);
2220Sstevel@tonic-gate
2230Sstevel@tonic-gate if (result == PWU_NOT_FOUND) {
2248126SJoep.Vesseur@Sun.COM __pam_log(LOG_AUTH | LOG_DEBUG,
2258126SJoep.Vesseur@Sun.COM "pam_unix_auth: user %s not found\n", user);
2260Sstevel@tonic-gate return (PAM_USER_UNKNOWN);
2270Sstevel@tonic-gate }
2280Sstevel@tonic-gate
2290Sstevel@tonic-gate if (result == PWU_DENIED) {
2308126SJoep.Vesseur@Sun.COM __pam_log(LOG_AUTH | LOG_DEBUG,
2318126SJoep.Vesseur@Sun.COM "pam_unix_auth: failed to obtain attributes");
2320Sstevel@tonic-gate return (PAM_PERM_DENIED);
2330Sstevel@tonic-gate }
2340Sstevel@tonic-gate
2350Sstevel@tonic-gate if (result != PWU_SUCCESS)
2360Sstevel@tonic-gate return (PAM_SYSTEM_ERR);
2370Sstevel@tonic-gate
2380Sstevel@tonic-gate rep_passwd = attr_pw[0].data.val_s;
2390Sstevel@tonic-gate repository_name = attr_pw[1].data.val_s;
2400Sstevel@tonic-gate old_failed_count = attr_pw[2].data.val_i;
2410Sstevel@tonic-gate homedir = attr_pw[3].data.val_s;
2420Sstevel@tonic-gate
2430Sstevel@tonic-gate /*
2440Sstevel@tonic-gate * Chop off old SunOS-style password aging information.
2450Sstevel@tonic-gate *
2460Sstevel@tonic-gate * Note: old style password aging is only defined for UNIX-style
2470Sstevel@tonic-gate * crypt strings, hence the comma will always be at position 14.
2480Sstevel@tonic-gate * Note: This code is here because some other vendors might still
2490Sstevel@tonic-gate * support this style of password aging. If we don't remove
2500Sstevel@tonic-gate * the age field, no one will be able to login.
2510Sstevel@tonic-gate * XXX yank this code when we're certain this "compatibility"
2520Sstevel@tonic-gate * isn't needed anymore.
2530Sstevel@tonic-gate */
2540Sstevel@tonic-gate if (rep_passwd != NULL && rep_passwd[0] != '$' &&
2550Sstevel@tonic-gate strlen(rep_passwd) > 13 && rep_passwd[13] == ',')
2560Sstevel@tonic-gate rep_passwd[13] = '\0';
2570Sstevel@tonic-gate
2580Sstevel@tonic-gate /* Is a password check required? */
2590Sstevel@tonic-gate if (rep_passwd == NULL || *rep_passwd == '\0') {
2600Sstevel@tonic-gate if (flags & PAM_DISALLOW_NULL_AUTHTOK) {
2610Sstevel@tonic-gate result = PAM_AUTH_ERR;
2628126SJoep.Vesseur@Sun.COM __pam_log(LOG_AUTH | LOG_NOTICE,
2638126SJoep.Vesseur@Sun.COM "pam_unix_auth: empty password for %s not allowed.",
2648126SJoep.Vesseur@Sun.COM user);
2650Sstevel@tonic-gate goto out;
2660Sstevel@tonic-gate } else {
2670Sstevel@tonic-gate result = PAM_SUCCESS;
2680Sstevel@tonic-gate goto out;
2690Sstevel@tonic-gate }
2700Sstevel@tonic-gate }
2710Sstevel@tonic-gate
2720Sstevel@tonic-gate /*
2730Sstevel@tonic-gate * Password check *is* required. Make sure we have a valid
2740Sstevel@tonic-gate * pointer in PAM_AUTHTOK
2750Sstevel@tonic-gate */
2760Sstevel@tonic-gate if (passwd == NULL) {
2770Sstevel@tonic-gate result = PAM_AUTH_ERR;
2780Sstevel@tonic-gate goto out;
2790Sstevel@tonic-gate }
2800Sstevel@tonic-gate
2810Sstevel@tonic-gate if (server_policy &&
2820Sstevel@tonic-gate strcmp(repository_name, "files") != 0 &&
283*11262SRajagopal.Andra@Sun.COM strcmp(repository_name, "nis") != 0) {
2840Sstevel@tonic-gate result = PAM_IGNORE;
2850Sstevel@tonic-gate goto out;
2860Sstevel@tonic-gate }
2870Sstevel@tonic-gate
2880Sstevel@tonic-gate /* Now check the entered password */
2892330Srm88369 if ((crypt_passwd = crypt(passwd, rep_passwd)) == NULL) {
2902330Srm88369 switch (errno) {
2912330Srm88369 case ENOMEM:
2922330Srm88369 result = PAM_BUF_ERR;
2932330Srm88369 break;
2942330Srm88369 case ELIBACC:
2952330Srm88369 result = PAM_OPEN_ERR;
2962330Srm88369 break;
2972330Srm88369 default:
2982330Srm88369 result = PAM_SYSTEM_ERR;
2992330Srm88369 }
3002330Srm88369 goto out;
3012330Srm88369 }
3022330Srm88369
3032330Srm88369 if (strcmp(crypt_passwd, rep_passwd) == 0)
3040Sstevel@tonic-gate result = PAM_SUCCESS;
3050Sstevel@tonic-gate else
3060Sstevel@tonic-gate result = PAM_AUTH_ERR;
3070Sstevel@tonic-gate
3080Sstevel@tonic-gate /* Clear or increment failed failed count */
3090Sstevel@tonic-gate if (dolock && (result == PAM_SUCCESS && old_failed_count > 0)) {
3100Sstevel@tonic-gate old_failed_count = __rst_failed_count(user, repository_name);
3110Sstevel@tonic-gate if (nowarn == 0 && old_failed_count > 0)
3120Sstevel@tonic-gate display_warning(pamh, old_failed_count, homedir);
3130Sstevel@tonic-gate } else if (dolock && result == PAM_AUTH_ERR) {
3140Sstevel@tonic-gate int max_failed = get_max_failed(user);
3155774Sgww if (max_failed != 0) {
3165774Sgww if (__incr_failed_count(user, repository_name,
3175774Sgww max_failed) == PWU_ACCOUNT_LOCKED)
3185774Sgww result = PAM_MAXTRIES;
3195774Sgww }
3200Sstevel@tonic-gate }
3210Sstevel@tonic-gate out:
3220Sstevel@tonic-gate if (rep_passwd)
3230Sstevel@tonic-gate free(rep_passwd);
3240Sstevel@tonic-gate if (repository_name)
3250Sstevel@tonic-gate free(repository_name);
3260Sstevel@tonic-gate if (homedir)
3270Sstevel@tonic-gate free(homedir);
3280Sstevel@tonic-gate return (result);
3290Sstevel@tonic-gate }
3300Sstevel@tonic-gate
3310Sstevel@tonic-gate /*ARGSUSED*/
3320Sstevel@tonic-gate int
pam_sm_setcred(pam_handle_t * pamh,int flags,int argc,const char ** argv)3330Sstevel@tonic-gate pam_sm_setcred(pam_handle_t *pamh, int flags, int argc, const char **argv)
3340Sstevel@tonic-gate {
3350Sstevel@tonic-gate return (PAM_IGNORE);
3360Sstevel@tonic-gate }
337