1*10b5fe87SSascha Wildner /*- 2*10b5fe87SSascha Wildner * Copyright (c) 2002-2003 Networks Associates Technology, Inc. 3*10b5fe87SSascha Wildner * Copyright (c) 2004-2017 Dag-Erling Smørgrav 4*10b5fe87SSascha Wildner * All rights reserved. 5*10b5fe87SSascha Wildner * 6*10b5fe87SSascha Wildner * This software was developed for the FreeBSD Project by ThinkSec AS and 7*10b5fe87SSascha Wildner * Network Associates Laboratories, the Security Research Division of 8*10b5fe87SSascha Wildner * Network Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 9*10b5fe87SSascha Wildner * ("CBOSS"), as part of the DARPA CHATS research program. 10*10b5fe87SSascha Wildner * 11*10b5fe87SSascha Wildner * Redistribution and use in source and binary forms, with or without 12*10b5fe87SSascha Wildner * modification, are permitted provided that the following conditions 13*10b5fe87SSascha Wildner * are met: 14*10b5fe87SSascha Wildner * 1. Redistributions of source code must retain the above copyright 15*10b5fe87SSascha Wildner * notice, this list of conditions and the following disclaimer. 16*10b5fe87SSascha Wildner * 2. Redistributions in binary form must reproduce the above copyright 17*10b5fe87SSascha Wildner * notice, this list of conditions and the following disclaimer in the 18*10b5fe87SSascha Wildner * documentation and/or other materials provided with the distribution. 19*10b5fe87SSascha Wildner * 3. The name of the author may not be used to endorse or promote 20*10b5fe87SSascha Wildner * products derived from this software without specific prior written 21*10b5fe87SSascha Wildner * permission. 22*10b5fe87SSascha Wildner * 23*10b5fe87SSascha Wildner * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 24*10b5fe87SSascha Wildner * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 25*10b5fe87SSascha Wildner * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 26*10b5fe87SSascha Wildner * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 27*10b5fe87SSascha Wildner * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 28*10b5fe87SSascha Wildner * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 29*10b5fe87SSascha Wildner * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 30*10b5fe87SSascha Wildner * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 31*10b5fe87SSascha Wildner * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 32*10b5fe87SSascha Wildner * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 33*10b5fe87SSascha Wildner * SUCH DAMAGE. 34*10b5fe87SSascha Wildner * 35*10b5fe87SSascha Wildner * $OpenPAM: pam_get_authtok.c 938 2017-04-30 21:34:42Z des $ 36*10b5fe87SSascha Wildner */ 37*10b5fe87SSascha Wildner 38*10b5fe87SSascha Wildner #ifdef HAVE_CONFIG_H 39*10b5fe87SSascha Wildner # include "config.h" 40*10b5fe87SSascha Wildner #endif 41*10b5fe87SSascha Wildner 42*10b5fe87SSascha Wildner #include <sys/param.h> 43*10b5fe87SSascha Wildner 44*10b5fe87SSascha Wildner #include <stdlib.h> 45*10b5fe87SSascha Wildner #include <string.h> 46*10b5fe87SSascha Wildner 47*10b5fe87SSascha Wildner #include <security/pam_appl.h> 48*10b5fe87SSascha Wildner #include <security/openpam.h> 49*10b5fe87SSascha Wildner 50*10b5fe87SSascha Wildner #include "openpam_impl.h" 51*10b5fe87SSascha Wildner #include "openpam_strlset.h" 52*10b5fe87SSascha Wildner 53*10b5fe87SSascha Wildner static const char authtok_prompt[] = "Password:"; 54*10b5fe87SSascha Wildner static const char authtok_prompt_remote[] = "Password for %u@%h:"; 55*10b5fe87SSascha Wildner static const char oldauthtok_prompt[] = "Old Password:"; 56*10b5fe87SSascha Wildner static const char newauthtok_prompt[] = "New Password:"; 57*10b5fe87SSascha Wildner 58*10b5fe87SSascha Wildner /* 59*10b5fe87SSascha Wildner * OpenPAM extension 60*10b5fe87SSascha Wildner * 61*10b5fe87SSascha Wildner * Retrieve authentication token 62*10b5fe87SSascha Wildner */ 63*10b5fe87SSascha Wildner 64*10b5fe87SSascha Wildner int 65*10b5fe87SSascha Wildner pam_get_authtok(pam_handle_t *pamh, 66*10b5fe87SSascha Wildner int item, 67*10b5fe87SSascha Wildner const char **authtok, 68*10b5fe87SSascha Wildner const char *prompt) 69*10b5fe87SSascha Wildner { 70*10b5fe87SSascha Wildner char prompt_buf[1024]; 71*10b5fe87SSascha Wildner size_t prompt_size; 72*10b5fe87SSascha Wildner const void *oldauthtok, *prevauthtok, *promptp; 73*10b5fe87SSascha Wildner const char *prompt_option, *default_prompt; 74*10b5fe87SSascha Wildner const void *lhost, *rhost; 75*10b5fe87SSascha Wildner char *resp, *resp2; 76*10b5fe87SSascha Wildner int pitem, r, style, twice; 77*10b5fe87SSascha Wildner 78*10b5fe87SSascha Wildner ENTER(); 79*10b5fe87SSascha Wildner *authtok = NULL; 80*10b5fe87SSascha Wildner twice = 0; 81*10b5fe87SSascha Wildner switch (item) { 82*10b5fe87SSascha Wildner case PAM_AUTHTOK: 83*10b5fe87SSascha Wildner pitem = PAM_AUTHTOK_PROMPT; 84*10b5fe87SSascha Wildner prompt_option = "authtok_prompt"; 85*10b5fe87SSascha Wildner default_prompt = authtok_prompt; 86*10b5fe87SSascha Wildner r = pam_get_item(pamh, PAM_RHOST, &rhost); 87*10b5fe87SSascha Wildner if (r == PAM_SUCCESS && rhost != NULL) { 88*10b5fe87SSascha Wildner r = pam_get_item(pamh, PAM_HOST, &lhost); 89*10b5fe87SSascha Wildner if (r == PAM_SUCCESS && lhost != NULL) { 90*10b5fe87SSascha Wildner if (strcmp(rhost, lhost) != 0) 91*10b5fe87SSascha Wildner default_prompt = authtok_prompt_remote; 92*10b5fe87SSascha Wildner } 93*10b5fe87SSascha Wildner } 94*10b5fe87SSascha Wildner r = pam_get_item(pamh, PAM_OLDAUTHTOK, &oldauthtok); 95*10b5fe87SSascha Wildner if (r == PAM_SUCCESS && oldauthtok != NULL) { 96*10b5fe87SSascha Wildner default_prompt = newauthtok_prompt; 97*10b5fe87SSascha Wildner twice = 1; 98*10b5fe87SSascha Wildner } 99*10b5fe87SSascha Wildner break; 100*10b5fe87SSascha Wildner case PAM_OLDAUTHTOK: 101*10b5fe87SSascha Wildner pitem = PAM_OLDAUTHTOK_PROMPT; 102*10b5fe87SSascha Wildner prompt_option = "oldauthtok_prompt"; 103*10b5fe87SSascha Wildner default_prompt = oldauthtok_prompt; 104*10b5fe87SSascha Wildner twice = 0; 105*10b5fe87SSascha Wildner break; 106*10b5fe87SSascha Wildner default: 107*10b5fe87SSascha Wildner RETURNC(PAM_BAD_CONSTANT); 108*10b5fe87SSascha Wildner } 109*10b5fe87SSascha Wildner if (openpam_get_option(pamh, "try_first_pass") || 110*10b5fe87SSascha Wildner openpam_get_option(pamh, "use_first_pass")) { 111*10b5fe87SSascha Wildner r = pam_get_item(pamh, item, &prevauthtok); 112*10b5fe87SSascha Wildner if (r == PAM_SUCCESS && prevauthtok != NULL) { 113*10b5fe87SSascha Wildner *authtok = prevauthtok; 114*10b5fe87SSascha Wildner RETURNC(PAM_SUCCESS); 115*10b5fe87SSascha Wildner } else if (openpam_get_option(pamh, "use_first_pass")) { 116*10b5fe87SSascha Wildner RETURNC(r == PAM_SUCCESS ? PAM_AUTH_ERR : r); 117*10b5fe87SSascha Wildner } 118*10b5fe87SSascha Wildner } 119*10b5fe87SSascha Wildner /* pam policy overrides the module's choice */ 120*10b5fe87SSascha Wildner if ((promptp = openpam_get_option(pamh, prompt_option)) != NULL) 121*10b5fe87SSascha Wildner prompt = promptp; 122*10b5fe87SSascha Wildner /* no prompt provided, see if there is one tucked away somewhere */ 123*10b5fe87SSascha Wildner if (prompt == NULL) { 124*10b5fe87SSascha Wildner r = pam_get_item(pamh, pitem, &promptp); 125*10b5fe87SSascha Wildner if (r == PAM_SUCCESS && promptp != NULL) 126*10b5fe87SSascha Wildner prompt = promptp; 127*10b5fe87SSascha Wildner } 128*10b5fe87SSascha Wildner /* fall back to hardcoded default */ 129*10b5fe87SSascha Wildner if (prompt == NULL) 130*10b5fe87SSascha Wildner prompt = default_prompt; 131*10b5fe87SSascha Wildner /* expand */ 132*10b5fe87SSascha Wildner prompt_size = sizeof prompt_buf; 133*10b5fe87SSascha Wildner r = openpam_subst(pamh, prompt_buf, &prompt_size, prompt); 134*10b5fe87SSascha Wildner if (r == PAM_SUCCESS && prompt_size <= sizeof prompt_buf) 135*10b5fe87SSascha Wildner prompt = prompt_buf; 136*10b5fe87SSascha Wildner style = openpam_get_option(pamh, "echo_pass") ? 137*10b5fe87SSascha Wildner PAM_PROMPT_ECHO_ON : PAM_PROMPT_ECHO_OFF; 138*10b5fe87SSascha Wildner r = pam_prompt(pamh, style, &resp, "%s", prompt); 139*10b5fe87SSascha Wildner if (r != PAM_SUCCESS) 140*10b5fe87SSascha Wildner RETURNC(r); 141*10b5fe87SSascha Wildner if (twice) { 142*10b5fe87SSascha Wildner r = pam_prompt(pamh, style, &resp2, "Retype %s", prompt); 143*10b5fe87SSascha Wildner if (r != PAM_SUCCESS) { 144*10b5fe87SSascha Wildner strlset(resp, 0, PAM_MAX_RESP_SIZE); 145*10b5fe87SSascha Wildner FREE(resp); 146*10b5fe87SSascha Wildner RETURNC(r); 147*10b5fe87SSascha Wildner } 148*10b5fe87SSascha Wildner if (strcmp(resp, resp2) != 0) { 149*10b5fe87SSascha Wildner strlset(resp, 0, PAM_MAX_RESP_SIZE); 150*10b5fe87SSascha Wildner FREE(resp); 151*10b5fe87SSascha Wildner } 152*10b5fe87SSascha Wildner strlset(resp2, 0, PAM_MAX_RESP_SIZE); 153*10b5fe87SSascha Wildner FREE(resp2); 154*10b5fe87SSascha Wildner } 155*10b5fe87SSascha Wildner if (resp == NULL) 156*10b5fe87SSascha Wildner RETURNC(PAM_TRY_AGAIN); 157*10b5fe87SSascha Wildner r = pam_set_item(pamh, item, resp); 158*10b5fe87SSascha Wildner strlset(resp, 0, PAM_MAX_RESP_SIZE); 159*10b5fe87SSascha Wildner FREE(resp); 160*10b5fe87SSascha Wildner if (r != PAM_SUCCESS) 161*10b5fe87SSascha Wildner RETURNC(r); 162*10b5fe87SSascha Wildner r = pam_get_item(pamh, item, (const void **)authtok); 163*10b5fe87SSascha Wildner RETURNC(r); 164*10b5fe87SSascha Wildner } 165*10b5fe87SSascha Wildner 166*10b5fe87SSascha Wildner /* 167*10b5fe87SSascha Wildner * Error codes: 168*10b5fe87SSascha Wildner * 169*10b5fe87SSascha Wildner * =pam_get_item 170*10b5fe87SSascha Wildner * =pam_prompt 171*10b5fe87SSascha Wildner * =pam_set_item 172*10b5fe87SSascha Wildner * !PAM_SYMBOL_ERR 173*10b5fe87SSascha Wildner * PAM_BAD_CONSTANT 174*10b5fe87SSascha Wildner * PAM_TRY_AGAIN 175*10b5fe87SSascha Wildner */ 176*10b5fe87SSascha Wildner 177*10b5fe87SSascha Wildner /** 178*10b5fe87SSascha Wildner * The =pam_get_authtok function either prompts the user for an 179*10b5fe87SSascha Wildner * authentication token or retrieves a cached authentication token, 180*10b5fe87SSascha Wildner * depending on circumstances. 181*10b5fe87SSascha Wildner * Either way, a pointer to the authentication token is stored in the 182*10b5fe87SSascha Wildner * location pointed to by the =authtok argument, and the corresponding PAM 183*10b5fe87SSascha Wildner * item is updated. 184*10b5fe87SSascha Wildner * 185*10b5fe87SSascha Wildner * The =item argument must have one of the following values: 186*10b5fe87SSascha Wildner * 187*10b5fe87SSascha Wildner * =PAM_AUTHTOK: 188*10b5fe87SSascha Wildner * Returns the current authentication token, or the new token 189*10b5fe87SSascha Wildner * when changing authentication tokens. 190*10b5fe87SSascha Wildner * =PAM_OLDAUTHTOK: 191*10b5fe87SSascha Wildner * Returns the previous authentication token when changing 192*10b5fe87SSascha Wildner * authentication tokens. 193*10b5fe87SSascha Wildner * 194*10b5fe87SSascha Wildner * The =prompt argument specifies a prompt to use if no token is cached. 195*10b5fe87SSascha Wildner * If it is =NULL, the =PAM_AUTHTOK_PROMPT or =PAM_OLDAUTHTOK_PROMPT item, 196*10b5fe87SSascha Wildner * as appropriate, will be used. 197*10b5fe87SSascha Wildner * If that item is also =NULL, a hardcoded default prompt will be used. 198*10b5fe87SSascha Wildner * Additionally, when =pam_get_authtok is called from a service module, 199*10b5fe87SSascha Wildner * the prompt may be affected by module options as described below. 200*10b5fe87SSascha Wildner * The prompt is then expanded using =openpam_subst before it is passed to 201*10b5fe87SSascha Wildner * the conversation function. 202*10b5fe87SSascha Wildner * 203*10b5fe87SSascha Wildner * If =item is set to =PAM_AUTHTOK and there is a non-null =PAM_OLDAUTHTOK 204*10b5fe87SSascha Wildner * item, =pam_get_authtok will ask the user to confirm the new token by 205*10b5fe87SSascha Wildner * retyping it. 206*10b5fe87SSascha Wildner * If there is a mismatch, =pam_get_authtok will return =PAM_TRY_AGAIN. 207*10b5fe87SSascha Wildner * 208*10b5fe87SSascha Wildner * MODULE OPTIONS 209*10b5fe87SSascha Wildner * 210*10b5fe87SSascha Wildner * When called by a service module, =pam_get_authtok will recognize the 211*10b5fe87SSascha Wildner * following module options: 212*10b5fe87SSascha Wildner * 213*10b5fe87SSascha Wildner * ;authtok_prompt: 214*10b5fe87SSascha Wildner * Prompt to use when =item is set to =PAM_AUTHTOK. 215*10b5fe87SSascha Wildner * This option overrides both the =prompt argument and the 216*10b5fe87SSascha Wildner * =PAM_AUTHTOK_PROMPT item. 217*10b5fe87SSascha Wildner * ;echo_pass: 218*10b5fe87SSascha Wildner * If the application's conversation function allows it, this 219*10b5fe87SSascha Wildner * lets the user see what they are typing. 220*10b5fe87SSascha Wildner * This should only be used for non-reusable authentication 221*10b5fe87SSascha Wildner * tokens. 222*10b5fe87SSascha Wildner * ;oldauthtok_prompt: 223*10b5fe87SSascha Wildner * Prompt to use when =item is set to =PAM_OLDAUTHTOK. 224*10b5fe87SSascha Wildner * This option overrides both the =prompt argument and the 225*10b5fe87SSascha Wildner * =PAM_OLDAUTHTOK_PROMPT item. 226*10b5fe87SSascha Wildner * ;try_first_pass: 227*10b5fe87SSascha Wildner * If the requested item is non-null, return it without 228*10b5fe87SSascha Wildner * prompting the user. 229*10b5fe87SSascha Wildner * Typically, the service module will verify the token, and 230*10b5fe87SSascha Wildner * if it does not match, clear the item before calling 231*10b5fe87SSascha Wildner * =pam_get_authtok a second time. 232*10b5fe87SSascha Wildner * ;use_first_pass: 233*10b5fe87SSascha Wildner * Do not prompt the user at all; just return the cached 234*10b5fe87SSascha Wildner * value, or =PAM_AUTH_ERR if there is none. 235*10b5fe87SSascha Wildner * 236*10b5fe87SSascha Wildner * >pam_conv 237*10b5fe87SSascha Wildner * >pam_get_item 238*10b5fe87SSascha Wildner * >pam_get_user 239*10b5fe87SSascha Wildner * >openpam_get_option 240*10b5fe87SSascha Wildner * >openpam_subst 241*10b5fe87SSascha Wildner */ 242