1 /* $NetBSD: pam_unix.c,v 1.2 2004/12/12 08:17:56 christos Exp $ */ 2 3 /*- 4 * Copyright 1998 Juniper Networks, Inc. 5 * All rights reserved. 6 * Copyright (c) 2002-2003 Networks Associates Technology, Inc. 7 * All rights reserved. 8 * 9 * Portions of this software was developed for the FreeBSD Project by 10 * ThinkSec AS and NAI Labs, the Security Research Division of Network 11 * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 12 * ("CBOSS"), as part of the DARPA CHATS research program. 13 * 14 * Redistribution and use in source and binary forms, with or without 15 * modification, are permitted provided that the following conditions 16 * are met: 17 * 1. Redistributions of source code must retain the above copyright 18 * notice, this list of conditions and the following disclaimer. 19 * 2. Redistributions in binary form must reproduce the above copyright 20 * notice, this list of conditions and the following disclaimer in the 21 * documentation and/or other materials provided with the distribution. 22 * 3. The name of the author may not be used to endorse or promote 23 * products derived from this software without specific prior written 24 * permission. 25 * 26 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 27 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 28 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 29 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 30 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 31 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 32 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 33 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 34 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 35 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 36 * SUCH DAMAGE. 37 */ 38 39 #include <sys/cdefs.h> 40 #ifdef __FreeBSD__ 41 __FBSDID("$FreeBSD: src/lib/libpam/modules/pam_unix/pam_unix.c,v 1.49 2004/02/10 10:13:21 des Exp $"); 42 #else 43 __RCSID("$NetBSD: pam_unix.c,v 1.2 2004/12/12 08:17:56 christos Exp $"); 44 #endif 45 46 47 #include <sys/types.h> 48 49 #include <ctype.h> 50 #include <errno.h> 51 #include <fcntl.h> 52 #include <pwd.h> 53 #include <grp.h> 54 #include <limits.h> 55 #include <stdlib.h> 56 #include <string.h> 57 #include <stdio.h> 58 #include <login_cap.h> 59 #include <time.h> 60 #include <tzfile.h> 61 #include <unistd.h> 62 63 #include <util.h> 64 65 #ifdef YP 66 #include <rpc/rpc.h> 67 #include <rpcsvc/ypclnt.h> 68 #include <rpcsvc/yppasswd.h> 69 #endif 70 71 #define PAM_SM_AUTH 72 #define PAM_SM_ACCOUNT 73 #define PAM_SM_PASSWORD 74 75 #include <security/pam_appl.h> 76 #include <security/pam_modules.h> 77 #include <security/pam_mod_misc.h> 78 79 /* 80 * authentication management 81 */ 82 PAM_EXTERN int 83 /*ARGSUSED*/ 84 pam_sm_authenticate(pam_handle_t *pamh, int flags __unused, 85 int argc __unused, const char *argv[] __unused) 86 { 87 login_cap_t *lc; 88 struct passwd *pwd; 89 int retval; 90 const char *pass, *user, *realpw; 91 92 if (openpam_get_option(pamh, PAM_OPT_AUTH_AS_SELF)) { 93 pwd = getpwnam(getlogin()); 94 } else { 95 retval = pam_get_user(pamh, &user, NULL); 96 if (retval != PAM_SUCCESS) 97 return (retval); 98 PAM_LOG("Got user: %s", user); 99 pwd = getpwnam(user); 100 } 101 102 if (pwd != NULL) { 103 PAM_LOG("Doing real authentication"); 104 realpw = pwd->pw_passwd; 105 if (realpw[0] == '\0') { 106 if (!(flags & PAM_DISALLOW_NULL_AUTHTOK) && 107 openpam_get_option(pamh, PAM_OPT_NULLOK)) 108 return (PAM_SUCCESS); 109 realpw = "*"; 110 } 111 lc = login_getpwclass(pwd); 112 } else { 113 PAM_LOG("Doing dummy authentication"); 114 realpw = "*"; 115 lc = login_getclass(NULL); 116 } 117 retval = pam_get_authtok(pamh, PAM_AUTHTOK, &pass, NULL); 118 login_close(lc); 119 if (retval != PAM_SUCCESS) 120 return (retval); 121 PAM_LOG("Got password"); 122 if (strcmp(crypt(pass, realpw), realpw) == 0) 123 return (PAM_SUCCESS); 124 125 PAM_VERBOSE_ERROR("UNIX authentication refused"); 126 return (PAM_AUTH_ERR); 127 } 128 129 PAM_EXTERN int 130 /*ARGSUSED*/ 131 pam_sm_setcred(pam_handle_t *pamh __unused, int flags __unused, 132 int argc __unused, const char *argv[] __unused) 133 { 134 135 return (PAM_SUCCESS); 136 } 137 138 /* 139 * account management 140 */ 141 PAM_EXTERN int 142 /*ARGSUSED*/ 143 pam_sm_acct_mgmt(pam_handle_t *pamh, int flags __unused, 144 int argc __unused, const char *argv[] __unused) 145 { 146 struct passwd *pwd; 147 struct timeval now; 148 login_cap_t *lc; 149 time_t warntime; 150 int retval; 151 const char *user; 152 153 retval = pam_get_user(pamh, &user, NULL); 154 if (retval != PAM_SUCCESS) 155 return (retval); 156 157 if (user == NULL || (pwd = getpwnam(user)) == NULL) 158 return (PAM_SERVICE_ERR); 159 160 PAM_LOG("Got user: %s", user); 161 162 if (*pwd->pw_passwd == '\0' && 163 (flags & PAM_DISALLOW_NULL_AUTHTOK) != 0) 164 return (PAM_NEW_AUTHTOK_REQD); 165 166 lc = login_getpwclass(pwd); 167 if (lc == NULL) { 168 PAM_LOG("Unable to get login class for user %s", user); 169 return (PAM_SERVICE_ERR); 170 } 171 172 PAM_LOG("Got login_cap"); 173 174 if (pwd->pw_change || pwd->pw_expire) 175 (void) gettimeofday(&now, NULL); 176 177 warntime = (time_t)login_getcaptime(lc, "password-warn", 178 (quad_t)(_PASSWORD_WARNDAYS * SECSPERDAY), 179 (quad_t)(_PASSWORD_WARNDAYS * SECSPERDAY)); 180 181 /* 182 * Check pw_expire before pw_change - no point in letting the 183 * user change the password on an expired account. 184 */ 185 186 if (pwd->pw_expire) { 187 if (now.tv_sec >= pwd->pw_expire) { 188 login_close(lc); 189 return (PAM_ACCT_EXPIRED); 190 } else if (pwd->pw_expire - now.tv_sec < warntime && 191 (flags & PAM_SILENT) == 0) { 192 pam_error(pamh, "Warning: your account expires on %s", 193 ctime(&pwd->pw_expire)); 194 } 195 } 196 197 if (pwd->pw_change) { 198 /* XXX How to handle _PASSWORD_CHGNOW? --thorpej */ 199 if (now.tv_sec >= pwd->pw_change) { 200 login_close(lc); 201 return (PAM_NEW_AUTHTOK_REQD); 202 } else if (pwd->pw_change - now.tv_sec < warntime && 203 (flags & PAM_SILENT) == 0) { 204 pam_error(pamh, "Warning: your password expires on %s", 205 ctime(&pwd->pw_change)); 206 } 207 } 208 209 login_close(lc); 210 211 return (PAM_SUCCESS); 212 } 213 214 static int pwd_gensalt(char *, int, struct passwd *, char); 215 216 #ifdef YP 217 /* 218 * yp_check_user: 219 * 220 * Helper function; check that a user exists in the NIS 221 * password map. 222 */ 223 static int 224 yp_check_user(const char *domain, const char *user) 225 { 226 char *val; 227 int reason, vallen; 228 229 val = NULL; 230 reason = yp_match(domain, "passwd.byname", user, (int)strlen(user), 231 &val, &vallen); 232 if (reason != 0) { 233 if (val != NULL) 234 free(val); 235 return (0); 236 } 237 free(val); 238 return (1); 239 } 240 241 static int 242 /*ARGSUSED*/ 243 yp_set_password(pam_handle_t *pamh, struct passwd *opwd, 244 struct passwd *pwd, const char *old_pass, const char *domain) 245 { 246 char *master; 247 int r, rpcport, status; 248 struct yppasswd yppwd; 249 CLIENT *client; 250 uid_t uid; 251 int retval = PAM_SERVICE_ERR; 252 struct timeval tv; 253 254 /* 255 * Find the master for the passwd map; it should be running 256 * rpc.yppasswdd. 257 */ 258 if ((r = yp_master(domain, "passwd.byname", &master)) != 0) { 259 pam_error(pamh, "Can't find master NIS server. Reason: %s", 260 yperr_string(r)); 261 return (PAM_SERVICE_ERR); 262 } 263 264 /* 265 * Ask the portmapper for the port of rpc.yppasswdd. 266 */ 267 if ((rpcport = getrpcport(master, YPPASSWDPROG, 268 YPPASSWDPROC_UPDATE, IPPROTO_UDP)) == 0) { 269 pam_error(pamh, 270 "Master NIS server not runing yppasswd daemon.\n\t" 271 "Can't change NIS password."); 272 return (PAM_SERVICE_ERR); 273 } 274 275 /* 276 * Be sure the port is privileged. 277 */ 278 if (rpcport >= IPPORT_RESERVED) { 279 pam_error(pamh, "yppasswd daemon is on an invalid port."); 280 return (PAM_SERVICE_ERR); 281 } 282 283 uid = getuid(); 284 if (uid != 0 && uid != pwd->pw_uid) { 285 pam_error(pamh, "You may only change your own password: %s", 286 strerror(EACCES)); 287 return (PAM_SERVICE_ERR); 288 } 289 290 /* 291 * Fill in the yppasswd structure for yppasswdd. 292 */ 293 memset(&yppwd, 0, sizeof(yppwd)); 294 if ((yppwd.newpw.pw_passwd = strdup(pwd->pw_passwd)) == NULL) 295 goto malloc_failure; 296 if ((yppwd.newpw.pw_name = strdup(pwd->pw_name)) == NULL) 297 goto malloc_failure; 298 yppwd.newpw.pw_uid = pwd->pw_uid; 299 yppwd.newpw.pw_gid = pwd->pw_gid; 300 if ((yppwd.newpw.pw_gecos = strdup(pwd->pw_gecos)) == NULL) 301 goto malloc_failure; 302 if ((yppwd.newpw.pw_dir = strdup(pwd->pw_dir)) == NULL) 303 goto malloc_failure; 304 if ((yppwd.newpw.pw_shell = strdup(pwd->pw_shell)) == NULL) 305 goto malloc_failure; 306 307 client = clnt_create(master, YPPASSWDPROG, YPPASSWDVERS, "udp"); 308 if (client == NULL) { 309 pam_error(pamh, "Can't contact yppasswdd on %s: Reason: %s", 310 master, yperr_string(YPERR_YPBIND)); 311 goto out; 312 } 313 314 client->cl_auth = authunix_create_default(); 315 tv.tv_sec = 2; 316 tv.tv_usec = 0; 317 r = clnt_call(client, YPPASSWDPROC_UPDATE, 318 xdr_yppasswd, &yppwd, xdr_int, &status, tv); 319 if (r) 320 pam_error(pamh, "RPC to yppasswdd failed."); 321 else if (status) 322 pam_error(pamh, "Couldn't change NIS password."); 323 else { 324 pam_info(pamh, "The NIS password has been changed on %s, " 325 "the master NIS passwd server.", master); 326 retval = PAM_SUCCESS; 327 } 328 329 out: 330 if (yppwd.newpw.pw_passwd != NULL) 331 free(yppwd.newpw.pw_passwd); 332 if (yppwd.newpw.pw_name != NULL) 333 free(yppwd.newpw.pw_name); 334 if (yppwd.newpw.pw_gecos != NULL) 335 free(yppwd.newpw.pw_gecos); 336 if (yppwd.newpw.pw_dir != NULL) 337 free(yppwd.newpw.pw_dir); 338 if (yppwd.newpw.pw_shell != NULL) 339 free(yppwd.newpw.pw_shell); 340 return (retval); 341 342 malloc_failure: 343 pam_error(pamh, "memory allocation failure"); 344 goto out; 345 } 346 #endif /* YP */ 347 348 static int 349 local_set_password(pam_handle_t *pamh, struct passwd *opwd, 350 struct passwd *pwd) 351 { 352 char errbuf[200]; 353 int tfd, pfd; 354 355 pw_init(); 356 tfd = pw_lock(0); 357 if (tfd < 0) { 358 pam_error(pamh, "The password file is busy, waiting..."); 359 tfd = pw_lock(10); 360 if (tfd < 0) { 361 pam_error(pamh, "The password file is still busy, " 362 "try again later."); 363 return (PAM_SERVICE_ERR); 364 } 365 } 366 367 pfd = open(_PATH_MASTERPASSWD, O_RDONLY, 0); 368 if (pfd < 0) { 369 pam_error(pamh, "%s: %s", _PATH_MASTERPASSWD, strerror(errno)); 370 pw_abort(); 371 return (PAM_SERVICE_ERR); 372 } 373 374 if (pw_copyx(pfd, tfd, pwd, opwd, errbuf, sizeof(errbuf)) == 0) { 375 pam_error(pamh, "Unable to update password entry: %s", 376 errbuf); 377 pw_abort(); 378 return (PAM_SERVICE_ERR); 379 } 380 381 if (pw_mkdb(pwd->pw_name, opwd->pw_change == pwd->pw_change) < 0) { 382 pam_error(pamh, "Unable to rebuild local password database."); 383 pw_abort(); 384 return (PAM_SERVICE_ERR); 385 } 386 387 return (PAM_SUCCESS); 388 } 389 390 /* 391 * password management 392 * 393 * standard Unix and NIS password changing 394 */ 395 PAM_EXTERN int 396 /*ARGSUSED*/ 397 pam_sm_chauthtok(pam_handle_t *pamh, int flags, 398 int argc __unused, const char *argv[] __unused) 399 { 400 struct passwd *pwd, old_pwd; 401 login_cap_t *lc; 402 const char *user, *passwd_db, *new_pass, *old_pass, *p; 403 int retval, tries, min_pw_len = 0, pw_expiry = 0; 404 char salt[_PASSWORD_LEN+1]; 405 #ifdef YP 406 char *domain; 407 int r; 408 #endif 409 410 if (openpam_get_option(pamh, PAM_OPT_AUTH_AS_SELF)) 411 pwd = getpwnam(getlogin()); 412 else { 413 retval = pam_get_user(pamh, &user, NULL); 414 if (retval != PAM_SUCCESS) 415 return (retval); 416 pwd = getpwnam(user); 417 } 418 419 if (pwd == NULL) 420 return (PAM_AUTHTOK_RECOVERY_ERR); 421 422 old_pwd = *pwd; 423 424 PAM_LOG("Got user: %s", user); 425 426 /* 427 * Determine which password type we're going to change, and 428 * remember it. 429 * 430 * NOTE: domain does not need to be freed; its storage is 431 * allocated statically in libc. 432 */ 433 passwd_db = openpam_get_option(pamh, "passwd_db"); 434 if (passwd_db == NULL) { 435 #ifdef YP 436 /* Prefer YP, if configured. */ 437 if (_yp_check(NULL)) { 438 /* If _yp_check() succeeded, then this must. */ 439 if ((r = yp_get_default_domain(&domain)) != 0) { 440 pam_error(pamh, 441 "Unable to get NIS domain, reason: %s", 442 yperr_string(r)); 443 return (PAM_SERVICE_ERR); 444 } 445 if (yp_check_user(domain, user)) 446 passwd_db = "nis"; 447 } 448 #endif 449 /* Otherwise we always use local files. */ 450 if (passwd_db == NULL) { 451 /* XXX Any validation to do here? */ 452 passwd_db = "files"; 453 } 454 455 if (passwd_db == NULL) { 456 pam_error(pamh, "Unable to determine Unix password DB"); 457 return (PAM_SERVICE_ERR); 458 } else if ((retval = openpam_set_option(pamh, "passwd_db", 459 passwd_db)) != PAM_SUCCESS) { 460 return (retval); 461 } 462 } else { 463 /* Check to see if the specified password DB is usable. */ 464 #ifdef YP 465 if (strcmp(passwd_db, "nis") == 0) { 466 if (_yp_check(NULL) == 0) { 467 pam_error(pamh, "NIS not in use."); 468 return (PAM_SERVICE_ERR); 469 } 470 if ((r = yp_get_default_domain(&domain)) != 0) { 471 pam_error(pamh, 472 "Unable to get NIS domain, reason: %s", 473 yperr_string(r)); 474 return (PAM_SERVICE_ERR); 475 } 476 if (yp_check_user(domain, user) == 0) { 477 pam_error(pamh, 478 "User %s does not exist in NIS.", user); 479 return (PAM_USER_UNKNOWN); 480 } 481 goto known_passwd_db; 482 } 483 #endif 484 if (strcmp(passwd_db, "files") == 0) { 485 /* XXX Any validation to do here? */ 486 goto known_passwd_db; 487 } 488 pam_error(pamh, "Unknown Unix password DB: %s", passwd_db); 489 return (PAM_SERVICE_ERR); 490 } 491 known_passwd_db: 492 493 if (flags & PAM_PRELIM_CHECK) { 494 PAM_LOG("PRELIM round"); 495 496 if (strcmp(passwd_db, "files") == 0) { 497 if (getuid() == 0) { 498 /* Root doesn't need the old password. */ 499 return (pam_set_item(pamh, PAM_OLDAUTHTOK, "")); 500 } 501 } 502 503 if (pwd->pw_passwd[0] == '\0') { 504 /* 505 * No password case. 506 * XXX Are we giviing too much away by not prompting 507 * XXX for a password? 508 * XXX Check PAM_DISALLOW_NULL_AUTHTOK 509 */ 510 return (pam_set_item(pamh, PAM_OLDAUTHTOK, "")); 511 } else { 512 retval = pam_get_authtok(pamh, PAM_OLDAUTHTOK, 513 &old_pass, NULL); 514 if (retval != PAM_SUCCESS) 515 return (retval); 516 if (strcmp(crypt(old_pass, pwd->pw_passwd), 517 pwd->pw_passwd) != 0) 518 return (PAM_PERM_DENIED); 519 return (PAM_SUCCESS); 520 } 521 } 522 523 if (flags & PAM_UPDATE_AUTHTOK) { 524 PAM_LOG("UPDATE round"); 525 526 if ((lc = login_getclass(pwd->pw_class)) != NULL) { 527 min_pw_len = (int) login_getcapnum(lc, 528 "minpasswordlen", (quad_t)0, (quad_t)0); 529 pw_expiry = (int) login_getcapnum(lc, 530 "passwordtime", (quad_t)0, (quad_t)0); 531 login_close(lc); 532 } 533 534 retval = pam_get_authtok(pamh, PAM_OLDAUTHTOK, &old_pass, NULL); 535 if (retval != PAM_SUCCESS) 536 return (retval); 537 538 /* Get the new password. */ 539 for (tries = 0;;) { 540 retval = pam_get_authtok(pamh, PAM_AUTHTOK, &new_pass, 541 NULL); 542 if (retval == PAM_TRY_AGAIN) { 543 pam_error(pamh, 544 "Mismatch; try again, EOF to quit."); 545 continue; 546 } 547 if (retval != PAM_SUCCESS) { 548 PAM_VERBOSE_ERROR("Unable to get new password"); 549 return (retval); 550 } 551 /* Successfully got new password. */ 552 if (new_pass[0] == '\0') { 553 pam_info(pamh, "Password unchanged."); 554 return (PAM_SUCCESS); 555 } 556 if (min_pw_len > 0 && strlen(new_pass) < min_pw_len) { 557 pam_error(pamh, "Password is too short."); 558 continue; 559 } 560 if (strlen(new_pass) <= 5 && ++tries < 2) { 561 pam_error(pamh, 562 "Please enter a longer password."); 563 continue; 564 } 565 for (p = new_pass; *p && islower((unsigned char)*p); ++p); 566 if (!*p && ++tries < 2) { 567 pam_error(pamh, 568 "Please don't use an all-lower case " 569 "password.\nUnusual capitalization, " 570 "control characters or digits are " 571 "suggested."); 572 continue; 573 } 574 /* Password is OK. */ 575 break; 576 } 577 578 if (pwd_gensalt(salt, _PASSWORD_LEN, pwd, 579 #ifdef YP 580 strcmp(passwd_db, "nis") == 0 ? 'y' : 581 #endif 582 'l') == 0) { 583 pam_error(pamh, "Couldn't generate salt."); 584 return (PAM_SERVICE_ERR); 585 } 586 587 pwd->pw_passwd = crypt(new_pass, salt); 588 pwd->pw_change = pw_expiry ? pw_expiry + time(NULL) : 0; 589 590 retval = PAM_SERVICE_ERR; 591 if (strcmp(passwd_db, "files") == 0) 592 retval = local_set_password(pamh, &old_pwd, pwd); 593 #ifdef YP 594 if (strcmp(passwd_db, "nis") == 0) 595 retval = yp_set_password(pamh, &old_pwd, pwd, old_pass, 596 domain); 597 #endif 598 return (retval); 599 } 600 601 PAM_LOG("Illegal flags argument"); 602 return (PAM_ABORT); 603 } 604 605 PAM_MODULE_ENTRY("pam_unix"); 606 607 /* 608 * Copyright 1997 Niels Provos <provos@physnet.uni-hamburg.de> 609 * All rights reserved. 610 * 611 * Redistribution and use in source and binary forms, with or without 612 * modification, are permitted provided that the following conditions 613 * are met: 614 * 1. Redistributions of source code must retain the above copyright 615 * notice, this list of conditions and the following disclaimer. 616 * 2. Redistributions in binary form must reproduce the above copyright 617 * notice, this list of conditions and the following disclaimer in the 618 * documentation and/or other materials provided with the distribution. 619 * 3. All advertising materials mentioning features or use of this software 620 * must display the following acknowledgement: 621 * This product includes software developed by Niels Provos. 622 * 4. The name of the author may not be used to endorse or promote products 623 * derived from this software without specific prior written permission. 624 * 625 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 626 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 627 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 628 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 629 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 630 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 631 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 632 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 633 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 634 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 635 */ 636 637 static const unsigned char itoa64[] = /* 0 ... 63 => ascii - 64 */ 638 "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"; 639 640 static void 641 to64(char *s, uint32_t v, int n) 642 { 643 644 645 while (--n >= 0) { 646 *s++ = itoa64[v & 0x3f]; 647 v >>= 6; 648 } 649 } 650 651 static int 652 pwd_gensalt(char *salt, int max, struct passwd *pwd, char type) 653 { 654 char option[LINE_MAX], *next, *now, grpkey[LINE_MAX]; 655 const char *cipher; 656 int rounds; 657 struct group *grp; 658 659 *salt = '\0'; 660 661 switch (type) { 662 case 'y': 663 cipher = "ypcipher"; 664 break; 665 case 'l': 666 default: 667 cipher = "localcipher"; 668 break; 669 } 670 671 pw_getconf(option, sizeof(option), pwd->pw_name, cipher); 672 673 /* Try to find an entry for the group */ 674 if (*option == 0) { 675 if ((grp = getgrgid(pwd->pw_gid)) != NULL) { 676 snprintf(grpkey, sizeof(grpkey), ":%s", grp->gr_name); 677 pw_getconf(option, sizeof(option), grpkey, cipher); 678 } 679 if (*option == 0) 680 pw_getconf(option, sizeof(option), "default", cipher); 681 } 682 683 next = option; 684 now = strsep(&next, ","); 685 if (strcmp(now, "old") == 0) { 686 if (max < 3) 687 return (0); 688 to64(&salt[0], arc4random(), 2); 689 salt[2] = '\0'; 690 } else if (strcmp(now, "newsalt") == 0) { 691 rounds = atol(next); 692 if (max < 10) 693 return (0); 694 /* Check rounds, 24 bit is max */ 695 if (rounds < 7250) 696 rounds = 7250; 697 else if (rounds > 0xffffff) 698 rounds = 0xffffff; 699 salt[0] = _PASSWORD_EFMT1; 700 to64(&salt[1], (u_int32_t)rounds, 4); 701 to64(&salt[5], arc4random(), 4); 702 salt[9] = '\0'; 703 } else if (strcmp(now, "md5") == 0) { 704 if (max < 13) /* $1$8salt$\0 */ 705 return (0); 706 salt[0] = _PASSWORD_NONDES; 707 salt[1] = '1'; 708 salt[2] = '$'; 709 to64(&salt[3], arc4random(), 4); 710 to64(&salt[7], arc4random(), 4); 711 salt[11] = '$'; 712 salt[12] = '\0'; 713 } else if (strcmp(now, "blowfish") == 0) { 714 rounds = atoi(next); 715 if (rounds < 4) 716 rounds = 4; 717 strlcpy(salt, bcrypt_gensalt(rounds), (size_t)max); 718 } else { 719 strlcpy(salt, ":", (size_t)max); 720 #if 0 721 /* XXX pam_error()? */ 722 warnx("Unknown option %s.", now); 723 #endif 724 } 725 726 return (1); 727 } 728