1 /* $NetBSD: pam_unix.c,v 1.7 2005/03/31 15:11:54 thorpej Exp $ */ 2 3 /*- 4 * Copyright 1998 Juniper Networks, Inc. 5 * All rights reserved. 6 * Copyright (c) 2002-2003 Networks Associates Technology, Inc. 7 * All rights reserved. 8 * 9 * Portions of this software was developed for the FreeBSD Project by 10 * ThinkSec AS and NAI Labs, the Security Research Division of Network 11 * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 12 * ("CBOSS"), as part of the DARPA CHATS research program. 13 * 14 * Redistribution and use in source and binary forms, with or without 15 * modification, are permitted provided that the following conditions 16 * are met: 17 * 1. Redistributions of source code must retain the above copyright 18 * notice, this list of conditions and the following disclaimer. 19 * 2. Redistributions in binary form must reproduce the above copyright 20 * notice, this list of conditions and the following disclaimer in the 21 * documentation and/or other materials provided with the distribution. 22 * 3. The name of the author may not be used to endorse or promote 23 * products derived from this software without specific prior written 24 * permission. 25 * 26 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 27 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 28 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 29 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 30 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 31 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 32 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 33 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 34 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 35 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 36 * SUCH DAMAGE. 37 */ 38 39 #include <sys/cdefs.h> 40 #ifdef __FreeBSD__ 41 __FBSDID("$FreeBSD: src/lib/libpam/modules/pam_unix/pam_unix.c,v 1.49 2004/02/10 10:13:21 des Exp $"); 42 #else 43 __RCSID("$NetBSD: pam_unix.c,v 1.7 2005/03/31 15:11:54 thorpej Exp $"); 44 #endif 45 46 47 #include <sys/types.h> 48 49 #include <ctype.h> 50 #include <errno.h> 51 #include <fcntl.h> 52 #include <pwd.h> 53 #include <grp.h> 54 #include <limits.h> 55 #include <stdlib.h> 56 #include <string.h> 57 #include <stdio.h> 58 #include <login_cap.h> 59 #include <time.h> 60 #include <tzfile.h> 61 #include <unistd.h> 62 63 #include <util.h> 64 65 #ifdef YP 66 #include <rpc/rpc.h> 67 #include <rpcsvc/ypclnt.h> 68 #include <rpcsvc/yppasswd.h> 69 #endif 70 71 #define PAM_SM_AUTH 72 #define PAM_SM_ACCOUNT 73 #define PAM_SM_PASSWORD 74 75 #include <security/pam_appl.h> 76 #include <security/pam_modules.h> 77 #include <security/pam_mod_misc.h> 78 79 /* 80 * authentication management 81 */ 82 PAM_EXTERN int 83 /*ARGSUSED*/ 84 pam_sm_authenticate(pam_handle_t *pamh, int flags __unused, 85 int argc __unused, const char *argv[] __unused) 86 { 87 login_cap_t *lc; 88 struct passwd *pwd, pwres; 89 int retval; 90 const char *pass, *user, *realpw; 91 char pwbuf[1024]; 92 93 if (openpam_get_option(pamh, PAM_OPT_AUTH_AS_SELF)) { 94 (void) getpwnam_r(getlogin(), &pwres, pwbuf, sizeof(pwbuf), 95 &pwd); 96 } else { 97 retval = pam_get_user(pamh, &user, NULL); 98 if (retval != PAM_SUCCESS) 99 return (retval); 100 PAM_LOG("Got user: %s", user); 101 (void) getpwnam_r(user, &pwres, pwbuf, sizeof(pwbuf), &pwd); 102 } 103 104 if (pwd != NULL) { 105 PAM_LOG("Doing real authentication"); 106 realpw = pwd->pw_passwd; 107 if (realpw[0] == '\0') { 108 if (!(flags & PAM_DISALLOW_NULL_AUTHTOK) && 109 openpam_get_option(pamh, PAM_OPT_NULLOK)) 110 return (PAM_SUCCESS); 111 realpw = "*"; 112 } 113 lc = login_getpwclass(pwd); 114 } else { 115 PAM_LOG("Doing dummy authentication"); 116 realpw = "*"; 117 lc = login_getclass(NULL); 118 } 119 retval = pam_get_authtok(pamh, PAM_AUTHTOK, &pass, NULL); 120 login_close(lc); 121 if (retval != PAM_SUCCESS) 122 return (retval); 123 PAM_LOG("Got password"); 124 if (strcmp(crypt(pass, realpw), realpw) == 0) 125 return (PAM_SUCCESS); 126 127 PAM_VERBOSE_ERROR("UNIX authentication refused"); 128 return (PAM_AUTH_ERR); 129 } 130 131 PAM_EXTERN int 132 /*ARGSUSED*/ 133 pam_sm_setcred(pam_handle_t *pamh __unused, int flags __unused, 134 int argc __unused, const char *argv[] __unused) 135 { 136 137 return (PAM_SUCCESS); 138 } 139 140 /* 141 * account management 142 */ 143 PAM_EXTERN int 144 /*ARGSUSED*/ 145 pam_sm_acct_mgmt(pam_handle_t *pamh, int flags __unused, 146 int argc __unused, const char *argv[] __unused) 147 { 148 struct passwd *pwd, pwres; 149 struct timeval now; 150 login_cap_t *lc; 151 time_t warntime; 152 int retval; 153 const char *user; 154 char pwbuf[1024]; 155 156 retval = pam_get_user(pamh, &user, NULL); 157 if (retval != PAM_SUCCESS) 158 return (retval); 159 160 if (user == NULL || 161 getpwnam_r(user, &pwres, pwbuf, sizeof(pwbuf), &pwd) != 0) 162 return (PAM_SERVICE_ERR); 163 164 PAM_LOG("Got user: %s", user); 165 166 if (*pwd->pw_passwd == '\0' && 167 (flags & PAM_DISALLOW_NULL_AUTHTOK) != 0) 168 return (PAM_NEW_AUTHTOK_REQD); 169 170 lc = login_getpwclass(pwd); 171 if (lc == NULL) { 172 PAM_LOG("Unable to get login class for user %s", user); 173 return (PAM_SERVICE_ERR); 174 } 175 176 PAM_LOG("Got login_cap"); 177 178 if (pwd->pw_change || pwd->pw_expire) 179 (void) gettimeofday(&now, NULL); 180 181 warntime = (time_t)login_getcaptime(lc, "password-warn", 182 (quad_t)(_PASSWORD_WARNDAYS * SECSPERDAY), 183 (quad_t)(_PASSWORD_WARNDAYS * SECSPERDAY)); 184 185 /* 186 * Check pw_expire before pw_change - no point in letting the 187 * user change the password on an expired account. 188 */ 189 190 if (pwd->pw_expire) { 191 if (now.tv_sec >= pwd->pw_expire) { 192 login_close(lc); 193 return (PAM_ACCT_EXPIRED); 194 } else if (pwd->pw_expire - now.tv_sec < warntime && 195 (flags & PAM_SILENT) == 0) { 196 pam_error(pamh, "Warning: your account expires on %s", 197 ctime(&pwd->pw_expire)); 198 } 199 } 200 201 if (pwd->pw_change) { 202 /* XXX How to handle _PASSWORD_CHGNOW? --thorpej */ 203 if (now.tv_sec >= pwd->pw_change) { 204 login_close(lc); 205 return (PAM_NEW_AUTHTOK_REQD); 206 } else if (pwd->pw_change - now.tv_sec < warntime && 207 (flags & PAM_SILENT) == 0) { 208 pam_error(pamh, "Warning: your password expires on %s", 209 ctime(&pwd->pw_change)); 210 } 211 } 212 213 login_close(lc); 214 215 return (PAM_SUCCESS); 216 } 217 218 #ifdef YP 219 /* 220 * yp_check_user: 221 * 222 * Helper function; check that a user exists in the NIS 223 * password map. 224 */ 225 static int 226 yp_check_user(const char *domain, const char *user) 227 { 228 char *val; 229 int reason, vallen; 230 231 val = NULL; 232 reason = yp_match(domain, "passwd.byname", user, (int)strlen(user), 233 &val, &vallen); 234 if (reason != 0) { 235 if (val != NULL) 236 free(val); 237 return (0); 238 } 239 free(val); 240 return (1); 241 } 242 243 static int 244 /*ARGSUSED*/ 245 yp_set_password(pam_handle_t *pamh, struct passwd *opwd, 246 struct passwd *pwd, const char *old_pass, const char *domain) 247 { 248 char *master; 249 int r, rpcport, status; 250 struct yppasswd yppwd; 251 CLIENT *client; 252 uid_t uid; 253 int retval = PAM_SERVICE_ERR; 254 struct timeval tv; 255 256 /* 257 * Find the master for the passwd map; it should be running 258 * rpc.yppasswdd. 259 */ 260 if ((r = yp_master(domain, "passwd.byname", &master)) != 0) { 261 pam_error(pamh, "Can't find master NIS server. Reason: %s", 262 yperr_string(r)); 263 return (PAM_SERVICE_ERR); 264 } 265 266 /* 267 * Ask the portmapper for the port of rpc.yppasswdd. 268 */ 269 if ((rpcport = getrpcport(master, YPPASSWDPROG, 270 YPPASSWDPROC_UPDATE, IPPROTO_UDP)) == 0) { 271 pam_error(pamh, 272 "Master NIS server not runing yppasswd daemon.\n\t" 273 "Can't change NIS password."); 274 return (PAM_SERVICE_ERR); 275 } 276 277 /* 278 * Be sure the port is privileged. 279 */ 280 if (rpcport >= IPPORT_RESERVED) { 281 pam_error(pamh, "yppasswd daemon is on an invalid port."); 282 return (PAM_SERVICE_ERR); 283 } 284 285 uid = getuid(); 286 if (uid != 0 && uid != pwd->pw_uid) { 287 pam_error(pamh, "You may only change your own password: %s", 288 strerror(EACCES)); 289 return (PAM_SERVICE_ERR); 290 } 291 292 /* 293 * Fill in the yppasswd structure for yppasswdd. 294 */ 295 memset(&yppwd, 0, sizeof(yppwd)); 296 yppwd.oldpass = strdup(old_pass); 297 if ((yppwd.newpw.pw_passwd = strdup(pwd->pw_passwd)) == NULL) 298 goto malloc_failure; 299 if ((yppwd.newpw.pw_name = strdup(pwd->pw_name)) == NULL) 300 goto malloc_failure; 301 yppwd.newpw.pw_uid = pwd->pw_uid; 302 yppwd.newpw.pw_gid = pwd->pw_gid; 303 if ((yppwd.newpw.pw_gecos = strdup(pwd->pw_gecos)) == NULL) 304 goto malloc_failure; 305 if ((yppwd.newpw.pw_dir = strdup(pwd->pw_dir)) == NULL) 306 goto malloc_failure; 307 if ((yppwd.newpw.pw_shell = strdup(pwd->pw_shell)) == NULL) 308 goto malloc_failure; 309 310 client = clnt_create(master, YPPASSWDPROG, YPPASSWDVERS, "udp"); 311 if (client == NULL) { 312 pam_error(pamh, "Can't contact yppasswdd on %s: Reason: %s", 313 master, yperr_string(YPERR_YPBIND)); 314 goto out; 315 } 316 317 client->cl_auth = authunix_create_default(); 318 tv.tv_sec = 2; 319 tv.tv_usec = 0; 320 r = clnt_call(client, YPPASSWDPROC_UPDATE, 321 xdr_yppasswd, &yppwd, xdr_int, &status, tv); 322 if (r) 323 pam_error(pamh, "RPC to yppasswdd failed."); 324 else if (status) 325 pam_error(pamh, "Couldn't change NIS password."); 326 else { 327 pam_info(pamh, "The NIS password has been changed on %s, " 328 "the master NIS passwd server.", master); 329 retval = PAM_SUCCESS; 330 } 331 332 out: 333 if (yppwd.oldpass != NULL) 334 free(yppwd.oldpass); 335 if (yppwd.newpw.pw_passwd != NULL) 336 free(yppwd.newpw.pw_passwd); 337 if (yppwd.newpw.pw_name != NULL) 338 free(yppwd.newpw.pw_name); 339 if (yppwd.newpw.pw_gecos != NULL) 340 free(yppwd.newpw.pw_gecos); 341 if (yppwd.newpw.pw_dir != NULL) 342 free(yppwd.newpw.pw_dir); 343 if (yppwd.newpw.pw_shell != NULL) 344 free(yppwd.newpw.pw_shell); 345 return (retval); 346 347 malloc_failure: 348 pam_error(pamh, "memory allocation failure"); 349 goto out; 350 } 351 #endif /* YP */ 352 353 static int 354 local_set_password(pam_handle_t *pamh, struct passwd *opwd, 355 struct passwd *pwd) 356 { 357 char errbuf[200]; 358 int tfd, pfd; 359 360 pw_init(); 361 tfd = pw_lock(0); 362 if (tfd < 0) { 363 pam_error(pamh, "The password file is busy, waiting..."); 364 tfd = pw_lock(10); 365 if (tfd < 0) { 366 pam_error(pamh, "The password file is still busy, " 367 "try again later."); 368 return (PAM_SERVICE_ERR); 369 } 370 } 371 372 pfd = open(_PATH_MASTERPASSWD, O_RDONLY, 0); 373 if (pfd < 0) { 374 pam_error(pamh, "%s: %s", _PATH_MASTERPASSWD, strerror(errno)); 375 pw_abort(); 376 return (PAM_SERVICE_ERR); 377 } 378 379 if (pw_copyx(pfd, tfd, pwd, opwd, errbuf, sizeof(errbuf)) == 0) { 380 pam_error(pamh, "Unable to update password entry: %s", 381 errbuf); 382 pw_abort(); 383 return (PAM_SERVICE_ERR); 384 } 385 386 if (pw_mkdb(pwd->pw_name, opwd->pw_change == pwd->pw_change) < 0) { 387 pam_error(pamh, "Unable to rebuild local password database."); 388 pw_abort(); 389 return (PAM_SERVICE_ERR); 390 } 391 392 return (PAM_SUCCESS); 393 } 394 395 /* 396 * password management 397 * 398 * standard Unix and NIS password changing 399 */ 400 PAM_EXTERN int 401 /*ARGSUSED*/ 402 pam_sm_chauthtok(pam_handle_t *pamh, int flags, 403 int argc __unused, const char *argv[] __unused) 404 { 405 struct passwd *pwd, old_pwd; 406 login_cap_t *lc; 407 const char *user, *passwd_db, *new_pass, *old_pass, *p; 408 int retval, tries, min_pw_len = 0, pw_expiry = 0; 409 char salt[_PASSWORD_LEN+1]; 410 char old_pwbuf[1024]; 411 #ifdef YP 412 char *domain; 413 int r; 414 #endif 415 416 if (openpam_get_option(pamh, PAM_OPT_AUTH_AS_SELF)) 417 (void) getpwnam_r(getlogin(), &old_pwd, old_pwbuf, 418 sizeof(old_pwbuf), &pwd); 419 else { 420 retval = pam_get_user(pamh, &user, NULL); 421 if (retval != PAM_SUCCESS) 422 return (retval); 423 (void) getpwnam_r(user, &old_pwd, old_pwbuf, 424 sizeof(old_pwbuf), &pwd); 425 } 426 427 if (pwd == NULL) 428 return (PAM_AUTHTOK_RECOVERY_ERR); 429 430 PAM_LOG("Got user: %s", user); 431 432 /* 433 * Determine which password type we're going to change, and 434 * remember it. 435 * 436 * NOTE: domain does not need to be freed; its storage is 437 * allocated statically in libc. 438 */ 439 passwd_db = openpam_get_option(pamh, "passwd_db"); 440 if (passwd_db == NULL) { 441 #ifdef YP 442 /* Prefer YP, if configured. */ 443 if (_yp_check(NULL)) { 444 /* If _yp_check() succeeded, then this must. */ 445 if ((r = yp_get_default_domain(&domain)) != 0) { 446 pam_error(pamh, 447 "Unable to get NIS domain, reason: %s", 448 yperr_string(r)); 449 return (PAM_SERVICE_ERR); 450 } 451 if (yp_check_user(domain, user)) 452 passwd_db = "nis"; 453 } 454 #endif 455 /* Otherwise we always use local files. */ 456 if (passwd_db == NULL) { 457 /* XXX Any validation to do here? */ 458 passwd_db = "files"; 459 } 460 461 if (passwd_db == NULL) { 462 pam_error(pamh, "Unable to determine Unix password DB"); 463 return (PAM_SERVICE_ERR); 464 } else if ((retval = openpam_set_option(pamh, "passwd_db", 465 passwd_db)) != PAM_SUCCESS) { 466 return (retval); 467 } 468 } else { 469 /* Check to see if the specified password DB is usable. */ 470 #ifdef YP 471 if (strcmp(passwd_db, "nis") == 0) { 472 if (_yp_check(NULL) == 0) { 473 pam_error(pamh, "NIS not in use."); 474 return (PAM_SERVICE_ERR); 475 } 476 if ((r = yp_get_default_domain(&domain)) != 0) { 477 pam_error(pamh, 478 "Unable to get NIS domain, reason: %s", 479 yperr_string(r)); 480 return (PAM_SERVICE_ERR); 481 } 482 if (yp_check_user(domain, user) == 0) { 483 pam_error(pamh, 484 "User %s does not exist in NIS.", user); 485 return (PAM_USER_UNKNOWN); 486 } 487 goto known_passwd_db; 488 } 489 #endif 490 if (strcmp(passwd_db, "files") == 0) { 491 /* XXX Any validation to do here? */ 492 goto known_passwd_db; 493 } 494 pam_error(pamh, "Unknown Unix password DB: %s", passwd_db); 495 return (PAM_SERVICE_ERR); 496 } 497 known_passwd_db: 498 499 if (flags & PAM_PRELIM_CHECK) { 500 PAM_LOG("PRELIM round"); 501 502 if (strcmp(passwd_db, "files") == 0) { 503 if (getuid() == 0) { 504 /* Root doesn't need the old password. */ 505 return (pam_set_item(pamh, PAM_OLDAUTHTOK, "")); 506 } 507 } 508 509 if (pwd->pw_passwd[0] == '\0') { 510 /* 511 * No password case. 512 * XXX Are we giviing too much away by not prompting 513 * XXX for a password? 514 * XXX Check PAM_DISALLOW_NULL_AUTHTOK 515 */ 516 return (pam_set_item(pamh, PAM_OLDAUTHTOK, "")); 517 } else { 518 retval = pam_get_authtok(pamh, PAM_OLDAUTHTOK, 519 &old_pass, NULL); 520 if (retval != PAM_SUCCESS) 521 return (retval); 522 if (strcmp(crypt(old_pass, pwd->pw_passwd), 523 pwd->pw_passwd) != 0) 524 return (PAM_PERM_DENIED); 525 return (PAM_SUCCESS); 526 } 527 } 528 529 if (flags & PAM_UPDATE_AUTHTOK) { 530 char option[LINE_MAX], *key, *opt; 531 532 PAM_LOG("UPDATE round"); 533 534 if ((lc = login_getclass(pwd->pw_class)) != NULL) { 535 min_pw_len = (int) login_getcapnum(lc, 536 "minpasswordlen", (quad_t)0, (quad_t)0); 537 pw_expiry = (int) login_getcapnum(lc, 538 "passwordtime", (quad_t)0, (quad_t)0); 539 login_close(lc); 540 } 541 542 retval = pam_get_authtok(pamh, PAM_OLDAUTHTOK, &old_pass, NULL); 543 if (retval != PAM_SUCCESS) 544 return (retval); 545 546 /* Get the new password. */ 547 for (tries = 0;;) { 548 pam_set_item(pamh, PAM_AUTHTOK, NULL); 549 retval = pam_get_authtok(pamh, PAM_AUTHTOK, &new_pass, 550 NULL); 551 if (retval == PAM_TRY_AGAIN) { 552 pam_error(pamh, 553 "Mismatch; try again, EOF to quit."); 554 continue; 555 } 556 if (retval != PAM_SUCCESS) { 557 PAM_VERBOSE_ERROR("Unable to get new password"); 558 return (retval); 559 } 560 /* Successfully got new password. */ 561 if (new_pass[0] == '\0') { 562 pam_info(pamh, "Password unchanged."); 563 return (PAM_SUCCESS); 564 } 565 if (min_pw_len > 0 && strlen(new_pass) < min_pw_len) { 566 pam_error(pamh, "Password is too short."); 567 continue; 568 } 569 if (strlen(new_pass) <= 5 && ++tries < 2) { 570 pam_error(pamh, 571 "Please enter a longer password."); 572 continue; 573 } 574 for (p = new_pass; *p && islower((unsigned char)*p); ++p); 575 if (!*p && ++tries < 2) { 576 pam_error(pamh, 577 "Please don't use an all-lower case " 578 "password.\nUnusual capitalization, " 579 "control characters or digits are " 580 "suggested."); 581 continue; 582 } 583 /* Password is OK. */ 584 break; 585 } 586 pw_getpwconf(option, sizeof(option), pwd, 587 #ifdef YP 588 strcmp(passwd_db, "nis") == 0 ? "ypcipher" : 589 #endif 590 "localcipher"); 591 opt = option; 592 key = strsep(&opt, ","); 593 594 if (pw_gensalt(salt, _PASSWORD_LEN, key, opt) == -1) { 595 pam_error(pamh, "Couldn't generate salt."); 596 return (PAM_SERVICE_ERR); 597 } 598 599 pwd->pw_passwd = crypt(new_pass, salt); 600 pwd->pw_change = pw_expiry ? pw_expiry + time(NULL) : 0; 601 602 retval = PAM_SERVICE_ERR; 603 if (strcmp(passwd_db, "files") == 0) 604 retval = local_set_password(pamh, &old_pwd, pwd); 605 #ifdef YP 606 if (strcmp(passwd_db, "nis") == 0) 607 retval = yp_set_password(pamh, &old_pwd, pwd, old_pass, 608 domain); 609 #endif 610 return (retval); 611 } 612 613 PAM_LOG("Illegal flags argument"); 614 return (PAM_ABORT); 615 } 616 617 PAM_MODULE_ENTRY("pam_unix"); 618