10Sstevel@tonic-gate /* 20Sstevel@tonic-gate * CDDL HEADER START 30Sstevel@tonic-gate * 40Sstevel@tonic-gate * The contents of this file are subject to the terms of the 53641Ssemery * Common Development and Distribution License (the "License"). 63641Ssemery * You may not use this file except in compliance with the License. 70Sstevel@tonic-gate * 80Sstevel@tonic-gate * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 90Sstevel@tonic-gate * or http://www.opensolaris.org/os/licensing. 100Sstevel@tonic-gate * See the License for the specific language governing permissions 110Sstevel@tonic-gate * and limitations under the License. 120Sstevel@tonic-gate * 130Sstevel@tonic-gate * When distributing Covered Code, include this CDDL HEADER in each 140Sstevel@tonic-gate * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 150Sstevel@tonic-gate * If applicable, add the following below this CDDL HEADER, with the 160Sstevel@tonic-gate * fields enclosed by brackets "[]" replaced with your own identifying 170Sstevel@tonic-gate * information: Portions Copyright [yyyy] [name of copyright owner] 180Sstevel@tonic-gate * 190Sstevel@tonic-gate * CDDL HEADER END 200Sstevel@tonic-gate */ 210Sstevel@tonic-gate /* 22*5945Ssdussud * Copyright 2008 Sun Microsystems, Inc. All rights reserved. 230Sstevel@tonic-gate * Use is subject to license terms. 240Sstevel@tonic-gate */ 250Sstevel@tonic-gate 260Sstevel@tonic-gate #pragma ident "%Z%%M% %I% %E% SMI" 270Sstevel@tonic-gate 280Sstevel@tonic-gate #include <stdlib.h> 290Sstevel@tonic-gate #include <syslog.h> 300Sstevel@tonic-gate #include <errno.h> 310Sstevel@tonic-gate #include <string.h> 320Sstevel@tonic-gate #include <rpc/rpc.h> 330Sstevel@tonic-gate #include <unistd.h> 340Sstevel@tonic-gate #include <assert.h> 350Sstevel@tonic-gate #include <stdarg.h> 360Sstevel@tonic-gate #include <sys/types.h> 370Sstevel@tonic-gate #include <sys/wait.h> 380Sstevel@tonic-gate #include <limits.h> 394405Sjjj #include <signal.h> 404405Sjjj #include <pthread.h> 414405Sjjj #include <synch.h> 420Sstevel@tonic-gate 430Sstevel@tonic-gate #include <rpcsvc/nis.h> 440Sstevel@tonic-gate #include <rpcsvc/nispasswd.h> 450Sstevel@tonic-gate #include <rpcsvc/yppasswd.h> 460Sstevel@tonic-gate #include <rpcsvc/ypclnt.h> 470Sstevel@tonic-gate #include <rpc/key_prot.h> 480Sstevel@tonic-gate #include <rpc/rpc.h> 490Sstevel@tonic-gate #include <nfs/nfs.h> 500Sstevel@tonic-gate #include <nfs/nfssys.h> 510Sstevel@tonic-gate #include <nss_dbdefs.h> 520Sstevel@tonic-gate #include <nsswitch.h> 530Sstevel@tonic-gate #include <rpcsvc/nis_dhext.h> 540Sstevel@tonic-gate 550Sstevel@tonic-gate #include <security/pam_appl.h> 560Sstevel@tonic-gate #include <security/pam_modules.h> 570Sstevel@tonic-gate #include <security/pam_impl.h> 580Sstevel@tonic-gate 590Sstevel@tonic-gate #include <libintl.h> 600Sstevel@tonic-gate 610Sstevel@tonic-gate #include <sys/mman.h> 620Sstevel@tonic-gate 630Sstevel@tonic-gate #include <passwdutil.h> 640Sstevel@tonic-gate 650Sstevel@tonic-gate #include "key_call_uid.h" 660Sstevel@tonic-gate 670Sstevel@tonic-gate /* to keep track of codepath */ 680Sstevel@tonic-gate #define CODEPATH_PAM_SM_AUTHENTICATE 0 690Sstevel@tonic-gate #define CODEPATH_PAM_SM_SETCRED 1 700Sstevel@tonic-gate 710Sstevel@tonic-gate #define SUNW_OLDRPCPASS "SUNW-OLD-RPC-PASSWORD" 720Sstevel@tonic-gate 730Sstevel@tonic-gate extern int _nfssys(int, void *); 740Sstevel@tonic-gate 750Sstevel@tonic-gate /* 760Sstevel@tonic-gate * int msg(pamh, ...) 770Sstevel@tonic-gate * 780Sstevel@tonic-gate * display message to the user 790Sstevel@tonic-gate */ 800Sstevel@tonic-gate /*PRINTFLIKE2*/ 814405Sjjj static int 820Sstevel@tonic-gate msg(pam_handle_t *pamh, char *fmt, ...) 830Sstevel@tonic-gate { 840Sstevel@tonic-gate va_list ap; 850Sstevel@tonic-gate char messages[PAM_MAX_NUM_MSG][PAM_MAX_MSG_SIZE]; 860Sstevel@tonic-gate 870Sstevel@tonic-gate va_start(ap, fmt); 880Sstevel@tonic-gate (void) vsnprintf(messages[0], sizeof (messages[0]), fmt, ap); 890Sstevel@tonic-gate va_end(ap); 900Sstevel@tonic-gate 910Sstevel@tonic-gate return (__pam_display_msg(pamh, PAM_ERROR_MSG, 1, messages, NULL)); 920Sstevel@tonic-gate } 930Sstevel@tonic-gate 940Sstevel@tonic-gate 950Sstevel@tonic-gate /* 960Sstevel@tonic-gate * Get the secret key for the given netname, key length, and algorithm 970Sstevel@tonic-gate * type and send it to keyserv if the given pw decrypts it. Update the 980Sstevel@tonic-gate * following counter args as necessary: get_seckey_cnt, good_pw_cnt, and 990Sstevel@tonic-gate * set_seckey_cnt. 1000Sstevel@tonic-gate * 1010Sstevel@tonic-gate * Returns 0 on malloc failure, else 1. 1020Sstevel@tonic-gate */ 1030Sstevel@tonic-gate static int 1040Sstevel@tonic-gate get_and_set_seckey( 1050Sstevel@tonic-gate pam_handle_t *pamh, /* in */ 1060Sstevel@tonic-gate const char *netname, /* in */ 1070Sstevel@tonic-gate keylen_t keylen, /* in */ 1080Sstevel@tonic-gate algtype_t algtype, /* in */ 1090Sstevel@tonic-gate const char *pw, /* in */ 1100Sstevel@tonic-gate uid_t uid, /* in */ 1110Sstevel@tonic-gate gid_t gid, /* in */ 1120Sstevel@tonic-gate int *get_seckey_cnt, /* out */ 1130Sstevel@tonic-gate int *good_pw_cnt, /* out */ 1140Sstevel@tonic-gate int *set_seckey_cnt, /* out */ 1150Sstevel@tonic-gate int flags, /* in */ 1160Sstevel@tonic-gate int debug) /* in */ 1170Sstevel@tonic-gate { 1180Sstevel@tonic-gate char *skey; 1190Sstevel@tonic-gate int skeylen; 1200Sstevel@tonic-gate char messages[PAM_MAX_NUM_MSG][PAM_MAX_MSG_SIZE]; 1210Sstevel@tonic-gate 1220Sstevel@tonic-gate skeylen = BITS2NIBBLES(keylen) + 1; 1230Sstevel@tonic-gate 1240Sstevel@tonic-gate if ((skey = malloc(skeylen)) == NULL) { 1250Sstevel@tonic-gate return (0); 1260Sstevel@tonic-gate } 1270Sstevel@tonic-gate 1280Sstevel@tonic-gate if (getsecretkey_g(netname, keylen, algtype, skey, skeylen, pw)) { 1290Sstevel@tonic-gate (*get_seckey_cnt)++; 1300Sstevel@tonic-gate 1310Sstevel@tonic-gate if (skey[0]) { 1320Sstevel@tonic-gate /* password does decrypt secret key */ 1330Sstevel@tonic-gate (*good_pw_cnt)++; 1340Sstevel@tonic-gate if (key_setnet_g_uid(netname, skey, keylen, NULL, 0, 1354405Sjjj algtype, uid, gid) >= 0) { 1360Sstevel@tonic-gate (*set_seckey_cnt)++; 1370Sstevel@tonic-gate } else { 1380Sstevel@tonic-gate if (debug) 1390Sstevel@tonic-gate syslog(LOG_DEBUG, "pam_dhkeys: " 1404405Sjjj "get_and_set_seckey: could not " 1414405Sjjj "set secret key for keytype " 1424405Sjjj "%d-%d", keylen, algtype); 1430Sstevel@tonic-gate } 1440Sstevel@tonic-gate } else { 1450Sstevel@tonic-gate if (pamh && !(flags & PAM_SILENT)) { 1460Sstevel@tonic-gate (void) snprintf(messages[0], 1470Sstevel@tonic-gate sizeof (messages[0]), 1480Sstevel@tonic-gate dgettext(TEXT_DOMAIN, 1494405Sjjj "Password does not " 1504405Sjjj "decrypt secret key (type = %d-%d) " 1514405Sjjj "for '%s'."), keylen, algtype, netname); 1520Sstevel@tonic-gate (void) __pam_display_msg(pamh, PAM_ERROR_MSG, 1, 1534405Sjjj messages, NULL); 1540Sstevel@tonic-gate } 1550Sstevel@tonic-gate } 1560Sstevel@tonic-gate } else { 1570Sstevel@tonic-gate if (debug) 1580Sstevel@tonic-gate syslog(LOG_DEBUG, "pam_dhkeys: get_and_set_seckey: " 1594405Sjjj "could not get secret key for keytype %d-%d", 1604405Sjjj keylen, algtype); 1610Sstevel@tonic-gate } 1620Sstevel@tonic-gate 1630Sstevel@tonic-gate free(skey); 1640Sstevel@tonic-gate 1650Sstevel@tonic-gate return (1); 1660Sstevel@tonic-gate } 1670Sstevel@tonic-gate 1680Sstevel@tonic-gate /* 1690Sstevel@tonic-gate * int establish_key(pamh, flags, debug, netname) 1700Sstevel@tonic-gate * 171*5945Ssdussud * This routine establishes the Secure RPC Credentials for the 1720Sstevel@tonic-gate * user specified in PAM_USER, using the password in PAM_AUTHTOK. 1730Sstevel@tonic-gate * 174*5945Ssdussud * Establishing RPC credentials is considered a "helper" function for the PAM 175*5945Ssdussud * stack so we should only return failures or PAM_IGNORE. Returning PAM_SUCCESS 176*5945Ssdussud * may short circuit the stack and circumvent later critical checks. 177*5945Ssdussud * 1780Sstevel@tonic-gate * Because this routine is used for both pam_authenticate *and* 1790Sstevel@tonic-gate * pam_setcred, we have to be somewhat careful: 1800Sstevel@tonic-gate * 1810Sstevel@tonic-gate * - if called from pam_sm_authenticate: 182*5945Ssdussud * 1. if no NIS+, we don't set credentials and return PAM_IGNORE. 183*5945Ssdussud * 2. else, we try to establish credentials; 1840Sstevel@tonic-gate * 1850Sstevel@tonic-gate * - if called from pam_sm_setcred: 186*5945Ssdussud * 1. if we are root (uid == 0), we do nothing and return 187*5945Ssdussud * PAM_IGNORE. 188*5945Ssdussud * 2. else, we try to establish credentials. 189*5945Ssdussud * 190*5945Ssdussud * We return framework errors as appropriate such as PAM_USER_UNKNOWN, 191*5945Ssdussud * PAM_BUF_ERR, PAM_PERM_DENIED. 192*5945Ssdussud * 193*5945Ssdussud * If we succeed in establishing credentials we return PAM_IGNORE. 1940Sstevel@tonic-gate * 195*5945Ssdussud * If we fail to establish credentials then we return: 196*5945Ssdussud * - PAM_IGNORE if we are called from pam_sm_authenticate and we 197*5945Ssdussud * don't need credentials; 198*5945Ssdussud * - PAM_SERVICE_ERR (credentials needed) or PAM_SYSTEM_ERR 199*5945Ssdussud * (credentials not needed) if netname could not be created; 200*5945Ssdussud * - PAM_AUTH_ERR (credentials needed) or PAM_IGNORE (credentials 201*5945Ssdussud * not needed) if no credentials were retrieved; 202*5945Ssdussud * - PAM_AUTH_ERR if the password didn't decrypt the cred; 203*5945Ssdussud * - PAM_SYSTEM_ERR if the cred's could not be stored. 2040Sstevel@tonic-gate * 2050Sstevel@tonic-gate * This routine returns the user's netname in "netname". 2060Sstevel@tonic-gate * 2070Sstevel@tonic-gate * All tools--but the PAM stack--currently use getpass() to obtain 2080Sstevel@tonic-gate * the user's secure RPC password. We must make sure we don't use more than 2090Sstevel@tonic-gate * the first des_block (eight) characters of whatever is handed down to us. 2100Sstevel@tonic-gate * Therefore, we use a local variable "short_pass" to hold those 8 char's. 2110Sstevel@tonic-gate */ 2124405Sjjj static int 2130Sstevel@tonic-gate establish_key(pam_handle_t *pamh, int flags, int codepath, int debug, 2140Sstevel@tonic-gate char *netname) 2150Sstevel@tonic-gate { 2160Sstevel@tonic-gate char *user; 2170Sstevel@tonic-gate char *passwd; 2180Sstevel@tonic-gate char short_pass[sizeof (des_block)+1], *short_passp; 2190Sstevel@tonic-gate int result; 2200Sstevel@tonic-gate uid_t uid; 2210Sstevel@tonic-gate gid_t gid; 2220Sstevel@tonic-gate int err; 2230Sstevel@tonic-gate 2240Sstevel@tonic-gate struct passwd pw; /* Needed to obtain uid */ 2250Sstevel@tonic-gate char *scratch; 2260Sstevel@tonic-gate int scratchlen; 2270Sstevel@tonic-gate 228*5945Ssdussud /* 229*5945Ssdussud * Default is that credentials are needed until we explicitly 230*5945Ssdussud * check they are. This means all failure codes are returned 231*5945Ssdussud * until then. 232*5945Ssdussud */ 233*5945Ssdussud int need_cred = -1; 2345533Ssdussud int auth_cred_flags; 2355533Ssdussud /* 2365533Ssdussud * no_warn if creds not needed and 2375533Ssdussud * authenticating 2385533Ssdussud */ 2395533Ssdussud int auth_path = (codepath == CODEPATH_PAM_SM_AUTHENTICATE); 2400Sstevel@tonic-gate char *repository_name = NULL; /* which repository are we using */ 2410Sstevel@tonic-gate char *repository_pass = NULL; /* user's password from that rep */ 2420Sstevel@tonic-gate pwu_repository_t *pwu_rep; 2430Sstevel@tonic-gate struct pam_repository *auth_rep; 2440Sstevel@tonic-gate attrlist attr_pw[2]; 2450Sstevel@tonic-gate 2460Sstevel@tonic-gate mechanism_t **mechs; 2470Sstevel@tonic-gate mechanism_t **mpp; 2480Sstevel@tonic-gate int get_seckey_cnt = 0; 2490Sstevel@tonic-gate int set_seckey_cnt = 0; 2500Sstevel@tonic-gate int good_pw_cnt = 0; 2510Sstevel@tonic-gate int valid_mech_cnt = 0; 2520Sstevel@tonic-gate 2530Sstevel@tonic-gate (void) pam_get_item(pamh, PAM_USER, (void **)&user); 2540Sstevel@tonic-gate 2550Sstevel@tonic-gate if (user == NULL || *user == '\0') { 2560Sstevel@tonic-gate if (debug) 2570Sstevel@tonic-gate syslog(LOG_DEBUG, "pam_dhkeys: user NULL or empty"); 2580Sstevel@tonic-gate return (PAM_USER_UNKNOWN); 2590Sstevel@tonic-gate } 2600Sstevel@tonic-gate 2610Sstevel@tonic-gate (void) pam_get_item(pamh, PAM_AUTHTOK, (void **)&passwd); 2620Sstevel@tonic-gate 2630Sstevel@tonic-gate scratchlen = sysconf(_SC_GETPW_R_SIZE_MAX); 2640Sstevel@tonic-gate if ((scratch = malloc(scratchlen)) == NULL) 2650Sstevel@tonic-gate return (PAM_BUF_ERR); 2660Sstevel@tonic-gate 2670Sstevel@tonic-gate if (getpwnam_r(user, &pw, scratch, scratchlen) == NULL) { 2680Sstevel@tonic-gate result = PAM_USER_UNKNOWN; 2690Sstevel@tonic-gate goto out; 2700Sstevel@tonic-gate } 2710Sstevel@tonic-gate 2720Sstevel@tonic-gate uid = pw.pw_uid; 2730Sstevel@tonic-gate gid = pw.pw_gid; 2740Sstevel@tonic-gate 2750Sstevel@tonic-gate /* 2760Sstevel@tonic-gate * We don't set credentials when root logs in. 2770Sstevel@tonic-gate * We do, however, need to set the credentials if the NIS+ permissions 2780Sstevel@tonic-gate * require so. Thus, we only bail out if we're root and we're 2790Sstevel@tonic-gate * called from pam_setcred. 2800Sstevel@tonic-gate */ 2810Sstevel@tonic-gate if (uid == 0 && codepath == CODEPATH_PAM_SM_SETCRED) { 2820Sstevel@tonic-gate result = PAM_IGNORE; 2830Sstevel@tonic-gate goto out; 2840Sstevel@tonic-gate } 2850Sstevel@tonic-gate 2860Sstevel@tonic-gate /* 2870Sstevel@tonic-gate * Check to see if we REALLY need to set the credentials, i.e. 2880Sstevel@tonic-gate * whether not being able to do so is an error or whether we 2890Sstevel@tonic-gate * can ignore it. 2900Sstevel@tonic-gate * We need to get the password from the repository that we're 291*5945Ssdussud * currently authenticating against. If this is the auth_path 292*5945Ssdussud * and the repository isn't NIS+ we can skip establishing credentials. 293*5945Ssdussud * Otherwise, we will try to establish credentials but it's only 294*5945Ssdussud * critical iff the password is "*NP*" and the repository is NIS+. 2950Sstevel@tonic-gate */ 2960Sstevel@tonic-gate (void) pam_get_item(pamh, PAM_REPOSITORY, (void **)&auth_rep); 2970Sstevel@tonic-gate if (auth_rep != NULL) { 2980Sstevel@tonic-gate if ((pwu_rep = calloc(1, sizeof (*pwu_rep))) == NULL) 2990Sstevel@tonic-gate return (PAM_BUF_ERR); 3000Sstevel@tonic-gate pwu_rep->type = auth_rep->type; 3010Sstevel@tonic-gate pwu_rep->scope = auth_rep->scope; 3020Sstevel@tonic-gate pwu_rep->scope_len = auth_rep->scope_len; 3030Sstevel@tonic-gate } else 3040Sstevel@tonic-gate pwu_rep = PWU_DEFAULT_REP; 3050Sstevel@tonic-gate 3060Sstevel@tonic-gate attr_pw[0].type = ATTR_PASSWD; attr_pw[0].next = &attr_pw[1]; 3070Sstevel@tonic-gate attr_pw[1].type = ATTR_REP_NAME; attr_pw[1].next = NULL; 3080Sstevel@tonic-gate result = __get_authtoken_attr(user, pwu_rep, attr_pw); 3090Sstevel@tonic-gate 3100Sstevel@tonic-gate if (pwu_rep != PWU_DEFAULT_REP) 3110Sstevel@tonic-gate free(pwu_rep); 3120Sstevel@tonic-gate 3130Sstevel@tonic-gate if (result == PWU_NOT_FOUND) { 3140Sstevel@tonic-gate if (debug) 3150Sstevel@tonic-gate syslog(LOG_DEBUG, "pam_dhkeys: user %s not found", 3164405Sjjj user); 3170Sstevel@tonic-gate result = PAM_USER_UNKNOWN; 3180Sstevel@tonic-gate goto out; 3190Sstevel@tonic-gate } else if (result != PWU_SUCCESS) { 3200Sstevel@tonic-gate result = PAM_PERM_DENIED; 3210Sstevel@tonic-gate goto out; 3220Sstevel@tonic-gate } 3230Sstevel@tonic-gate 3240Sstevel@tonic-gate repository_name = attr_pw[1].data.val_s; 3250Sstevel@tonic-gate repository_pass = attr_pw[0].data.val_s; 3260Sstevel@tonic-gate 3275533Ssdussud if (auth_path && (strcmp(repository_name, "nisplus") != 0)) { 3280Sstevel@tonic-gate result = PAM_IGNORE; 3290Sstevel@tonic-gate goto out; 3300Sstevel@tonic-gate } 3310Sstevel@tonic-gate 332*5945Ssdussud need_cred = (strcmp(repository_name, "nisplus") == 0 && 333*5945Ssdussud strcmp(repository_pass, "*NP*") == 0); 3345533Ssdussud if (auth_path) { 3355533Ssdussud auth_cred_flags = 3365533Ssdussud (need_cred ? flags : flags | PAM_SILENT); 3375533Ssdussud } else { 3385533Ssdussud auth_cred_flags = flags; 3395533Ssdussud } 3405533Ssdussud 3410Sstevel@tonic-gate if (uid == 0) /* "root", need to create a host-netname */ 3420Sstevel@tonic-gate err = host2netname(netname, NULL, NULL); 3430Sstevel@tonic-gate else 3440Sstevel@tonic-gate err = user2netname(netname, uid, NULL); 3450Sstevel@tonic-gate 3460Sstevel@tonic-gate if (err != 1) { 3470Sstevel@tonic-gate if (debug) 3480Sstevel@tonic-gate syslog(LOG_DEBUG, "pam_dhkeys: user2netname failed"); 3490Sstevel@tonic-gate if (need_cred) { 3500Sstevel@tonic-gate syslog(LOG_ALERT, "pam_dhkeys: user %s needs " 3510Sstevel@tonic-gate "Secure RPC Credentials to login.", user); 3520Sstevel@tonic-gate result = PAM_SERVICE_ERR; 3530Sstevel@tonic-gate } else 3540Sstevel@tonic-gate result = PAM_SYSTEM_ERR; 3550Sstevel@tonic-gate goto out; 3560Sstevel@tonic-gate } 3570Sstevel@tonic-gate 3580Sstevel@tonic-gate /* passwd can be NULL (no passwd or su as root) */ 3590Sstevel@tonic-gate if (passwd) { 3600Sstevel@tonic-gate (void) strlcpy(short_pass, passwd, sizeof (short_pass)); 3610Sstevel@tonic-gate short_passp = short_pass; 3620Sstevel@tonic-gate } else 3630Sstevel@tonic-gate short_passp = NULL; 3640Sstevel@tonic-gate 3650Sstevel@tonic-gate if (mechs = __nis_get_mechanisms(FALSE)) { 3660Sstevel@tonic-gate 3670Sstevel@tonic-gate for (mpp = mechs; *mpp; mpp++) { 3680Sstevel@tonic-gate mechanism_t *mp = *mpp; 3690Sstevel@tonic-gate 3700Sstevel@tonic-gate if (AUTH_DES_COMPAT_CHK(mp)) 3710Sstevel@tonic-gate break; /* fall through to AUTH_DES below */ 3720Sstevel@tonic-gate 3730Sstevel@tonic-gate if (!VALID_MECH_ENTRY(mp)) 3740Sstevel@tonic-gate continue; 3750Sstevel@tonic-gate 3760Sstevel@tonic-gate if (debug) 3770Sstevel@tonic-gate syslog(LOG_DEBUG, "pam_dhkeys: trying " 3784405Sjjj "key type = %d-%d", mp->keylen, 3794405Sjjj mp->algtype); 3800Sstevel@tonic-gate valid_mech_cnt++; 3810Sstevel@tonic-gate if (!get_and_set_seckey(pamh, netname, mp->keylen, 3824405Sjjj mp->algtype, short_passp, uid, gid, 3834405Sjjj &get_seckey_cnt, &good_pw_cnt, &set_seckey_cnt, 3845533Ssdussud auth_cred_flags, debug)) { 3850Sstevel@tonic-gate result = PAM_BUF_ERR; 3860Sstevel@tonic-gate goto out; 3870Sstevel@tonic-gate } 3880Sstevel@tonic-gate } 3890Sstevel@tonic-gate __nis_release_mechanisms(mechs); 3900Sstevel@tonic-gate /* fall through to AUTH_DES below */ 3910Sstevel@tonic-gate } else { 3920Sstevel@tonic-gate /* 3930Sstevel@tonic-gate * No usable mechs found in NIS+ security cf thus 3940Sstevel@tonic-gate * fallback to AUTH_DES compat. 3950Sstevel@tonic-gate */ 3960Sstevel@tonic-gate if (debug) 3970Sstevel@tonic-gate syslog(LOG_DEBUG, "pam_dhkeys: no valid mechs " 3984405Sjjj "found. Trying AUTH_DES."); 3990Sstevel@tonic-gate } 4000Sstevel@tonic-gate 4010Sstevel@tonic-gate /* 4020Sstevel@tonic-gate * We always perform AUTH_DES for the benefit of non-NIS+ 4030Sstevel@tonic-gate * services (e.g. NFS) that may depend on the classic des 4040Sstevel@tonic-gate * 192bit key being set. 4050Sstevel@tonic-gate */ 4060Sstevel@tonic-gate if (!get_and_set_seckey(pamh, netname, AUTH_DES_KEYLEN, 4070Sstevel@tonic-gate AUTH_DES_ALGTYPE, short_passp, uid, gid, &get_seckey_cnt, 4085533Ssdussud &good_pw_cnt, &set_seckey_cnt, auth_cred_flags, debug)) { 4090Sstevel@tonic-gate result = PAM_BUF_ERR; 4100Sstevel@tonic-gate goto out; 4110Sstevel@tonic-gate } 4120Sstevel@tonic-gate 4130Sstevel@tonic-gate if (debug) { 4140Sstevel@tonic-gate syslog(LOG_DEBUG, "pam_dhkeys: mech key totals:\n"); 4150Sstevel@tonic-gate syslog(LOG_DEBUG, "pam_dhkeys: %d valid mechanism(s)", 4164405Sjjj valid_mech_cnt); 4170Sstevel@tonic-gate syslog(LOG_DEBUG, "pam_dhkeys: %d secret key(s) retrieved", 4184405Sjjj get_seckey_cnt); 4190Sstevel@tonic-gate syslog(LOG_DEBUG, "pam_dhkeys: %d passwd decrypt successes", 4204405Sjjj good_pw_cnt); 4210Sstevel@tonic-gate syslog(LOG_DEBUG, "pam_dhkeys: %d secret key(s) set", 4224405Sjjj set_seckey_cnt); 4230Sstevel@tonic-gate } 4240Sstevel@tonic-gate 4250Sstevel@tonic-gate if (get_seckey_cnt == 0) { /* No credentials */ 4260Sstevel@tonic-gate result = need_cred ? PAM_AUTH_ERR : PAM_IGNORE; 4270Sstevel@tonic-gate goto out; 4280Sstevel@tonic-gate } 4290Sstevel@tonic-gate 4300Sstevel@tonic-gate if (good_pw_cnt == 0) { /* wrong password */ 431*5945Ssdussud result = PAM_AUTH_ERR; 4320Sstevel@tonic-gate goto out; 4330Sstevel@tonic-gate } 4340Sstevel@tonic-gate 4350Sstevel@tonic-gate if (set_seckey_cnt == 0) { 436*5945Ssdussud result = PAM_SYSTEM_ERR; 4370Sstevel@tonic-gate goto out; 4380Sstevel@tonic-gate } 439*5945Ssdussud /* Credentials have been successfully establish, return PAM_IGNORE. */ 4400Sstevel@tonic-gate result = PAM_IGNORE; 4410Sstevel@tonic-gate out: 442*5945Ssdussud /* 443*5945Ssdussud * If we are authenticating we attempt to establish credentials 444*5945Ssdussud * where appropriate. Failure to do so is only an error if we 445*5945Ssdussud * definitely needed them. Thus always return PAM_IGNORE 446*5945Ssdussud * if we are authenticating and credentials were not needed. 447*5945Ssdussud */ 448*5945Ssdussud if (auth_path && !need_cred) 449*5945Ssdussud result = PAM_IGNORE; 4500Sstevel@tonic-gate if (repository_name) 4510Sstevel@tonic-gate free(repository_name); 4520Sstevel@tonic-gate if (repository_pass) 4530Sstevel@tonic-gate free(repository_pass); 4540Sstevel@tonic-gate 4550Sstevel@tonic-gate free(scratch); 4560Sstevel@tonic-gate 4570Sstevel@tonic-gate (void) memset(short_pass, '\0', sizeof (short_pass)); 4580Sstevel@tonic-gate 4590Sstevel@tonic-gate return (result); 4600Sstevel@tonic-gate } 4610Sstevel@tonic-gate 4620Sstevel@tonic-gate int 4630Sstevel@tonic-gate pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv) 4640Sstevel@tonic-gate { 4650Sstevel@tonic-gate int i; 4660Sstevel@tonic-gate int debug = 0; 4670Sstevel@tonic-gate int result; 4680Sstevel@tonic-gate char netname[MAXNETNAMELEN + 1]; 4690Sstevel@tonic-gate 4700Sstevel@tonic-gate for (i = 0; i < argc; i++) { 4710Sstevel@tonic-gate if (strcmp(argv[i], "debug") == 0) 4720Sstevel@tonic-gate debug = 1; 4730Sstevel@tonic-gate else if (strcmp(argv[i], "nowarn") == 0) 4740Sstevel@tonic-gate flags |= PAM_SILENT; 4750Sstevel@tonic-gate } 4760Sstevel@tonic-gate 4770Sstevel@tonic-gate result = establish_key(pamh, flags, CODEPATH_PAM_SM_AUTHENTICATE, debug, 4784405Sjjj netname); 4790Sstevel@tonic-gate 4800Sstevel@tonic-gate return (result); 4810Sstevel@tonic-gate } 4820Sstevel@tonic-gate 4834405Sjjj 4844405Sjjj typedef struct argres { 4854405Sjjj uid_t uid; 4864405Sjjj int result; 4874405Sjjj } argres_t; 4884405Sjjj 4894405Sjjj /* 4904405Sjjj * Revoke NFS DES credentials. 4914405Sjjj * NFS may not be installed so we need to deal with SIGSYS 4924405Sjjj * when we call _nfssys(); we thus call _nfssys() in a seperate thread that 4934405Sjjj * is created specifically for this call. The thread specific signalmask 4944405Sjjj * is set to ignore SIGSYS. After the call to _nfssys(), the thread 4954405Sjjj * ceases to exist. 4964405Sjjj */ 4974405Sjjj static void * 4984405Sjjj revoke_nfs_cred(void *ap) 4994405Sjjj { 5004405Sjjj struct nfs_revauth_args nra; 5014405Sjjj sigset_t isigset; 5024405Sjjj argres_t *argres = (argres_t *)ap; 5034405Sjjj 5044405Sjjj nra.authtype = AUTH_DES; 5054405Sjjj nra.uid = argres->uid; 5064405Sjjj 5074405Sjjj (void) sigemptyset(&isigset); 5084405Sjjj (void) sigaddset(&isigset, SIGSYS); 5094405Sjjj 5104405Sjjj if (pthread_sigmask(SIG_BLOCK, &isigset, NULL) == 0) { 5114405Sjjj argres->result = _nfssys(NFS_REVAUTH, &nra); 5124405Sjjj if (argres->result < 0 && errno == ENOSYS) { 5134405Sjjj argres->result = 0; 5144405Sjjj } 5154405Sjjj } else { 5164405Sjjj argres->result = -1; 5174405Sjjj } 5184405Sjjj return (NULL); 5194405Sjjj } 5204405Sjjj 5214405Sjjj static int 5220Sstevel@tonic-gate remove_key(pam_handle_t *pamh, int flags, int debug) 5230Sstevel@tonic-gate { 5240Sstevel@tonic-gate int result; 5250Sstevel@tonic-gate char *uname; 5260Sstevel@tonic-gate attrlist attr_pw[2]; 5270Sstevel@tonic-gate struct pam_repository *auth_rep = NULL; 5280Sstevel@tonic-gate pwu_repository_t *pwu_rep; 5290Sstevel@tonic-gate uid_t uid; 5300Sstevel@tonic-gate gid_t gid; 5314405Sjjj argres_t argres; 5324405Sjjj thread_t tid; 5330Sstevel@tonic-gate 5340Sstevel@tonic-gate (void) pam_get_item(pamh, PAM_USER, (void **)&uname); 5350Sstevel@tonic-gate if (uname == NULL || *uname == NULL) { 5360Sstevel@tonic-gate if (debug) 5370Sstevel@tonic-gate syslog(LOG_DEBUG, 5380Sstevel@tonic-gate "pam_dhkeys: user NULL or empty in remove_key()"); 5390Sstevel@tonic-gate return (PAM_USER_UNKNOWN); 5400Sstevel@tonic-gate } 5410Sstevel@tonic-gate 5420Sstevel@tonic-gate if (strcmp(uname, "root") == 0) { 5430Sstevel@tonic-gate if ((flags & PAM_SILENT) == 0) { 5440Sstevel@tonic-gate char msg[3][PAM_MAX_MSG_SIZE]; 5450Sstevel@tonic-gate (void) snprintf(msg[0], sizeof (msg[0]), 5460Sstevel@tonic-gate dgettext(TEXT_DOMAIN, 5474405Sjjj "removing root credentials would" 5484405Sjjj " break the rpc services that")); 5490Sstevel@tonic-gate (void) snprintf(msg[1], sizeof (msg[1]), 5500Sstevel@tonic-gate dgettext(TEXT_DOMAIN, 5514405Sjjj "use secure rpc on this host!")); 5520Sstevel@tonic-gate (void) snprintf(msg[2], sizeof (msg[2]), 5530Sstevel@tonic-gate dgettext(TEXT_DOMAIN, 5544405Sjjj "root may use keylogout -f to do" 5554405Sjjj " this (at your own risk)!")); 5560Sstevel@tonic-gate (void) __pam_display_msg(pamh, PAM_ERROR_MSG, 3, 5570Sstevel@tonic-gate msg, NULL); 5580Sstevel@tonic-gate } 5590Sstevel@tonic-gate return (PAM_PERM_DENIED); 5600Sstevel@tonic-gate } 5610Sstevel@tonic-gate 5620Sstevel@tonic-gate (void) pam_get_item(pamh, PAM_REPOSITORY, (void **)&auth_rep); 5630Sstevel@tonic-gate if (auth_rep != NULL) { 5640Sstevel@tonic-gate if ((pwu_rep = calloc(1, sizeof (*pwu_rep))) == NULL) 5650Sstevel@tonic-gate return (PAM_BUF_ERR); 5660Sstevel@tonic-gate pwu_rep->type = auth_rep->type; 5670Sstevel@tonic-gate pwu_rep->scope = auth_rep->scope; 5680Sstevel@tonic-gate pwu_rep->scope_len = auth_rep->scope_len; 5690Sstevel@tonic-gate } else 5700Sstevel@tonic-gate pwu_rep = PWU_DEFAULT_REP; 5710Sstevel@tonic-gate 5720Sstevel@tonic-gate /* Retrieve user's uid/gid from the password repository */ 5730Sstevel@tonic-gate attr_pw[0].type = ATTR_UID; attr_pw[0].next = &attr_pw[1]; 5740Sstevel@tonic-gate attr_pw[1].type = ATTR_GID; attr_pw[1].next = NULL; 5750Sstevel@tonic-gate 5760Sstevel@tonic-gate result = __get_authtoken_attr(uname, pwu_rep, attr_pw); 5770Sstevel@tonic-gate 5780Sstevel@tonic-gate if (pwu_rep != PWU_DEFAULT_REP) 5790Sstevel@tonic-gate free(pwu_rep); 5800Sstevel@tonic-gate 5810Sstevel@tonic-gate if (result == PWU_NOT_FOUND) 5820Sstevel@tonic-gate return (PAM_USER_UNKNOWN); 5830Sstevel@tonic-gate if (result == PWU_DENIED) 5840Sstevel@tonic-gate return (PAM_PERM_DENIED); 5850Sstevel@tonic-gate if (result != PWU_SUCCESS) 5860Sstevel@tonic-gate return (PAM_SYSTEM_ERR); 5870Sstevel@tonic-gate 5880Sstevel@tonic-gate uid = (uid_t)attr_pw[0].data.val_i; 5890Sstevel@tonic-gate gid = (gid_t)attr_pw[1].data.val_i; 5900Sstevel@tonic-gate 5910Sstevel@tonic-gate (void) key_removesecret_g_uid(uid, gid); 5920Sstevel@tonic-gate 5934405Sjjj argres.uid = uid; 5944405Sjjj argres.result = -1; 5950Sstevel@tonic-gate 5964405Sjjj if (pthread_create(&tid, NULL, revoke_nfs_cred, (void *)&argres) == 0) 5974405Sjjj (void) pthread_join(tid, NULL); 5984405Sjjj 5994405Sjjj if (argres.result < 0) { 6000Sstevel@tonic-gate if ((flags & PAM_SILENT) == 0) { 6010Sstevel@tonic-gate (void) msg(pamh, dgettext(TEXT_DOMAIN, 6024405Sjjj "Warning: NFS credentials not destroyed")); 6030Sstevel@tonic-gate } 6040Sstevel@tonic-gate return (PAM_AUTH_ERR); 6050Sstevel@tonic-gate } 6060Sstevel@tonic-gate 6070Sstevel@tonic-gate return (PAM_IGNORE); 6080Sstevel@tonic-gate } 6090Sstevel@tonic-gate 6100Sstevel@tonic-gate int 6110Sstevel@tonic-gate pam_sm_setcred(pam_handle_t *pamh, int flags, int argc, const char **argv) 6120Sstevel@tonic-gate { 6130Sstevel@tonic-gate int i; 6140Sstevel@tonic-gate int debug = 0; 6150Sstevel@tonic-gate int result; 6160Sstevel@tonic-gate char netname[MAXNETNAMELEN + 1]; 6170Sstevel@tonic-gate 6180Sstevel@tonic-gate for (i = 0; i < argc; i++) { 6190Sstevel@tonic-gate if (strcmp(argv[i], "debug") == 0) 6200Sstevel@tonic-gate debug = 1; 6210Sstevel@tonic-gate else if (strcmp(argv[i], "nowarn") == 0) 6220Sstevel@tonic-gate flags |= PAM_SILENT; 6230Sstevel@tonic-gate } 6240Sstevel@tonic-gate 6250Sstevel@tonic-gate /* Check for invalid flags */ 6260Sstevel@tonic-gate if (flags && (flags & PAM_ESTABLISH_CRED) == 0 && 6274405Sjjj (flags & PAM_REINITIALIZE_CRED) == 0 && 6284405Sjjj (flags & PAM_REFRESH_CRED) == 0 && 6294405Sjjj (flags & PAM_DELETE_CRED) == 0 && 6304405Sjjj (flags & PAM_SILENT) == 0) { 6310Sstevel@tonic-gate syslog(LOG_ERR, "pam_dhkeys: pam_setcred: illegal flags %d", 6324405Sjjj flags); 6330Sstevel@tonic-gate return (PAM_SYSTEM_ERR); 6340Sstevel@tonic-gate } 6350Sstevel@tonic-gate 6360Sstevel@tonic-gate 6370Sstevel@tonic-gate if ((flags & PAM_REINITIALIZE_CRED) || (flags & PAM_REFRESH_CRED)) { 6380Sstevel@tonic-gate /* doesn't apply to UNIX */ 6390Sstevel@tonic-gate if (debug) 6400Sstevel@tonic-gate syslog(LOG_DEBUG, "pam_dhkeys: cred reinit/refresh " 6410Sstevel@tonic-gate "ignored\n"); 6420Sstevel@tonic-gate return (PAM_IGNORE); 6430Sstevel@tonic-gate } 6440Sstevel@tonic-gate 6450Sstevel@tonic-gate if (flags & PAM_DELETE_CRED) { 6460Sstevel@tonic-gate if (debug) 6470Sstevel@tonic-gate syslog(LOG_DEBUG, "pam_dhkeys: removing creds\n"); 6480Sstevel@tonic-gate result = remove_key(pamh, flags, debug); 6490Sstevel@tonic-gate } else { 6500Sstevel@tonic-gate result = establish_key(pamh, flags, CODEPATH_PAM_SM_SETCRED, 6514405Sjjj debug, netname); 6520Sstevel@tonic-gate /* Some diagnostics */ 6530Sstevel@tonic-gate if ((flags & PAM_SILENT) == 0) { 6540Sstevel@tonic-gate if (result == PAM_AUTH_ERR) 6550Sstevel@tonic-gate (void) msg(pamh, dgettext(TEXT_DOMAIN, 6560Sstevel@tonic-gate "Password does not decrypt any secret " 6570Sstevel@tonic-gate "keys for %s."), netname); 6580Sstevel@tonic-gate else if (result == PAM_SYSTEM_ERR && netname[0]) 6590Sstevel@tonic-gate (void) msg(pamh, dgettext(TEXT_DOMAIN, 6600Sstevel@tonic-gate "Could not set secret key(s) for %s. " 6610Sstevel@tonic-gate "The key server may be down."), netname); 6620Sstevel@tonic-gate } 6630Sstevel@tonic-gate 6640Sstevel@tonic-gate /* Not having credentials set is not an error... */ 6650Sstevel@tonic-gate result = PAM_IGNORE; 6660Sstevel@tonic-gate } 6670Sstevel@tonic-gate 6680Sstevel@tonic-gate return (result); 6690Sstevel@tonic-gate } 6700Sstevel@tonic-gate 6710Sstevel@tonic-gate /*ARGSUSED*/ 6720Sstevel@tonic-gate void 6730Sstevel@tonic-gate rpc_cleanup(pam_handle_t *pamh, void *data, int pam_status) 6740Sstevel@tonic-gate { 6750Sstevel@tonic-gate if (data) { 6760Sstevel@tonic-gate (void) memset(data, 0, strlen(data)); 6770Sstevel@tonic-gate free(data); 6780Sstevel@tonic-gate } 6790Sstevel@tonic-gate } 6800Sstevel@tonic-gate 6810Sstevel@tonic-gate int 6820Sstevel@tonic-gate pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, const char **argv) 6830Sstevel@tonic-gate { 6840Sstevel@tonic-gate int i; 6850Sstevel@tonic-gate int debug = 0; 6860Sstevel@tonic-gate int res; 6870Sstevel@tonic-gate pam_repository_t *pam_rep; 6880Sstevel@tonic-gate pwu_repository_t *pwu_rep; 6890Sstevel@tonic-gate char *oldpw; 6900Sstevel@tonic-gate char *user; 6910Sstevel@tonic-gate int tries; 6920Sstevel@tonic-gate int oldpw_ok; 6930Sstevel@tonic-gate char *oldrpcpw; 6940Sstevel@tonic-gate char *oldrpcpass; 6950Sstevel@tonic-gate char *data; 6960Sstevel@tonic-gate /* password truncated at 8 chars, see comment at establish_key() */ 6970Sstevel@tonic-gate char short_pass[sizeof (des_block)+1], *short_passp; 6980Sstevel@tonic-gate 6990Sstevel@tonic-gate for (i = 0; i < argc; i++) 7000Sstevel@tonic-gate if (strcmp(argv[i], "debug") == 0) 7010Sstevel@tonic-gate debug = 1; 7020Sstevel@tonic-gate 7030Sstevel@tonic-gate if (debug) 7040Sstevel@tonic-gate syslog(LOG_DEBUG, "pam_dhkeys: entered pam_sm_chauthtok()"); 7050Sstevel@tonic-gate 7060Sstevel@tonic-gate if ((flags & PAM_PRELIM_CHECK) == 0) 7070Sstevel@tonic-gate return (PAM_IGNORE); 7080Sstevel@tonic-gate 7090Sstevel@tonic-gate /* 7100Sstevel@tonic-gate * See if the old secure-rpc password has already been set 7110Sstevel@tonic-gate */ 7120Sstevel@tonic-gate res = pam_get_data(pamh, SUNW_OLDRPCPASS, (const void **)&oldrpcpass); 7130Sstevel@tonic-gate if (res == PAM_SUCCESS) { 7140Sstevel@tonic-gate if (debug) 7150Sstevel@tonic-gate syslog(LOG_DEBUG, 7160Sstevel@tonic-gate "pam_dhkeys: OLDRPCPASS already set"); 7170Sstevel@tonic-gate return (PAM_IGNORE); 7180Sstevel@tonic-gate } 7190Sstevel@tonic-gate 7200Sstevel@tonic-gate (void) pam_get_item(pamh, PAM_REPOSITORY, (void **)&pam_rep); 7210Sstevel@tonic-gate 7220Sstevel@tonic-gate (void) pam_get_item(pamh, PAM_USER, (void **)&user); 7230Sstevel@tonic-gate 7240Sstevel@tonic-gate (void) pam_get_item(pamh, PAM_AUTHTOK, (void **)&oldpw); 7250Sstevel@tonic-gate 7260Sstevel@tonic-gate if (user == NULL || *user == '\0') { 7270Sstevel@tonic-gate if (debug) 7280Sstevel@tonic-gate syslog(LOG_DEBUG, "pam_dhkeys: user NULL or empty"); 7290Sstevel@tonic-gate return (PAM_USER_UNKNOWN); 7300Sstevel@tonic-gate } 7310Sstevel@tonic-gate 7320Sstevel@tonic-gate /* oldpw can be NULL (eg. root changing someone's passwd) */ 7330Sstevel@tonic-gate if (oldpw) { 7340Sstevel@tonic-gate (void) strlcpy(short_pass, oldpw, sizeof (short_pass)); 7350Sstevel@tonic-gate short_passp = short_pass; 7360Sstevel@tonic-gate } else 7370Sstevel@tonic-gate short_passp = NULL; 7380Sstevel@tonic-gate 7390Sstevel@tonic-gate /* 7400Sstevel@tonic-gate * For NIS+ we need to check whether the old password equals 7410Sstevel@tonic-gate * the RPC password. If it doesn't, we won't be able to update 7420Sstevel@tonic-gate * the secure RPC credentials later on in the process. 7430Sstevel@tonic-gate */ 7440Sstevel@tonic-gate 7450Sstevel@tonic-gate if (pam_rep == NULL) 7460Sstevel@tonic-gate pwu_rep = PWU_DEFAULT_REP; 7470Sstevel@tonic-gate else { 7480Sstevel@tonic-gate if ((pwu_rep = calloc(1, sizeof (*pwu_rep))) == NULL) 7490Sstevel@tonic-gate return (PAM_BUF_ERR); 7500Sstevel@tonic-gate pwu_rep->type = pam_rep->type; 7510Sstevel@tonic-gate pwu_rep->scope = pam_rep->scope; 7520Sstevel@tonic-gate pwu_rep->scope_len = pam_rep->scope_len; 7530Sstevel@tonic-gate } 7540Sstevel@tonic-gate 7550Sstevel@tonic-gate switch (__verify_rpc_passwd(user, short_passp, pwu_rep)) { 7560Sstevel@tonic-gate case PWU_SUCCESS: 7570Sstevel@tonic-gate /* oldpw matches RPC password, or no RPC password needed */ 7580Sstevel@tonic-gate 7590Sstevel@tonic-gate if (pwu_rep != PWU_DEFAULT_REP) 7600Sstevel@tonic-gate free(pwu_rep); 7610Sstevel@tonic-gate 7620Sstevel@tonic-gate if (short_passp) { 7630Sstevel@tonic-gate if ((data = strdup(short_pass)) == NULL) { 7640Sstevel@tonic-gate (void) memset(short_pass, '\0', 7650Sstevel@tonic-gate sizeof (short_pass)); 7660Sstevel@tonic-gate return (PAM_BUF_ERR); 7670Sstevel@tonic-gate } 7680Sstevel@tonic-gate } else 7690Sstevel@tonic-gate data = NULL; 7700Sstevel@tonic-gate 7710Sstevel@tonic-gate (void) pam_set_data(pamh, SUNW_OLDRPCPASS, data, rpc_cleanup); 7720Sstevel@tonic-gate return (PAM_IGNORE); 7730Sstevel@tonic-gate 7740Sstevel@tonic-gate case PWU_NOT_FOUND: 7750Sstevel@tonic-gate if (pwu_rep != PWU_DEFAULT_REP) 7760Sstevel@tonic-gate free(pwu_rep); 7770Sstevel@tonic-gate (void) memset(short_pass, '\0', sizeof (short_pass)); 7780Sstevel@tonic-gate return (PAM_USER_UNKNOWN); 7793641Ssemery case PWU_BAD_CREDPASS: 7800Sstevel@tonic-gate /* The old password does not decrypt any credentials */ 7810Sstevel@tonic-gate break; 7823641Ssemery case PWU_CRED_ERROR: 7833641Ssemery /* 7843641Ssemery * Indicates that the user's credentials could not be 7853641Ssemery * retrieved or removed. This could occur when a NIS+ 7863641Ssemery * user is in transition to another account authority. 7873641Ssemery */ 7883641Ssemery if (pwu_rep != PWU_DEFAULT_REP) 7893641Ssemery free(pwu_rep); 7903641Ssemery (void) memset(short_pass, '\0', sizeof (short_pass)); 7913641Ssemery return (PAM_AUTHTOK_ERR); 7920Sstevel@tonic-gate default: 7930Sstevel@tonic-gate if (pwu_rep != PWU_DEFAULT_REP) 7940Sstevel@tonic-gate free(pwu_rep); 7950Sstevel@tonic-gate (void) memset(short_pass, '\0', sizeof (short_pass)); 7960Sstevel@tonic-gate return (PAM_SYSTEM_ERR); 7970Sstevel@tonic-gate } 7980Sstevel@tonic-gate 7990Sstevel@tonic-gate /* 8000Sstevel@tonic-gate * We got here because the OLDAUTHTOK doesn't match the Secure RPC 8010Sstevel@tonic-gate * password. In compliance with the old behavior, we give the 8020Sstevel@tonic-gate * user two chances to get the password right. If that succeeds 8030Sstevel@tonic-gate * all is well; if it doesn't, we'll return an error. 8040Sstevel@tonic-gate */ 8050Sstevel@tonic-gate 8060Sstevel@tonic-gate (void) msg(pamh, dgettext(TEXT_DOMAIN, 8074405Sjjj "This password differs from your secure RPC password.")); 8080Sstevel@tonic-gate 8090Sstevel@tonic-gate tries = 0; 8100Sstevel@tonic-gate oldpw_ok = 0; 8110Sstevel@tonic-gate 8120Sstevel@tonic-gate while (oldpw_ok == 0 && ++tries < 3) { 8130Sstevel@tonic-gate if (tries > 1) 8140Sstevel@tonic-gate (void) msg(pamh, dgettext(TEXT_DOMAIN, 8154405Sjjj "This password does not decrypt your " 8164405Sjjj "secure RPC password.")); 8170Sstevel@tonic-gate res = __pam_get_authtok(pamh, PAM_PROMPT, 0, 8180Sstevel@tonic-gate dgettext(TEXT_DOMAIN, 8190Sstevel@tonic-gate "Please enter your old Secure RPC password: "), &oldpw); 8200Sstevel@tonic-gate if (res != PAM_SUCCESS) { 8210Sstevel@tonic-gate if (pwu_rep != PWU_DEFAULT_REP) 8220Sstevel@tonic-gate free(pwu_rep); 8230Sstevel@tonic-gate return (res); 8240Sstevel@tonic-gate } 8250Sstevel@tonic-gate (void) strlcpy(short_pass, oldpw, sizeof (short_pass)); 8260Sstevel@tonic-gate (void) memset(oldpw, 0, strlen(oldpw)); 8270Sstevel@tonic-gate free(oldpw); 8280Sstevel@tonic-gate oldpw = NULL; 8290Sstevel@tonic-gate if (__verify_rpc_passwd(user, short_pass, pwu_rep) == 8300Sstevel@tonic-gate PWU_SUCCESS) 8310Sstevel@tonic-gate oldpw_ok = 1; 8320Sstevel@tonic-gate } 8330Sstevel@tonic-gate 8340Sstevel@tonic-gate if (pwu_rep != PWU_DEFAULT_REP) 8350Sstevel@tonic-gate free(pwu_rep); 8360Sstevel@tonic-gate 8370Sstevel@tonic-gate if (oldpw_ok == 0) { 8380Sstevel@tonic-gate (void) memset(short_pass, '\0', sizeof (short_pass)); 8390Sstevel@tonic-gate return (PAM_AUTHTOK_ERR); 8400Sstevel@tonic-gate } 8410Sstevel@tonic-gate 8420Sstevel@tonic-gate /* 8430Sstevel@tonic-gate * Since the PAM framework only provides space for two different 8440Sstevel@tonic-gate * password (one old and one current), there is officially no 8450Sstevel@tonic-gate * place to put additional passwords (like our old rpc password). 8460Sstevel@tonic-gate * We have no choice but to stuff it in a data item, and hope it 8470Sstevel@tonic-gate * will be picked up by the password-update routines. 8480Sstevel@tonic-gate */ 8490Sstevel@tonic-gate 8500Sstevel@tonic-gate oldrpcpw = strdup(short_pass); 8510Sstevel@tonic-gate (void) memset(short_pass, '\0', sizeof (short_pass)); 8520Sstevel@tonic-gate 8530Sstevel@tonic-gate if (oldrpcpw == NULL) 8540Sstevel@tonic-gate return (PAM_BUF_ERR); 8550Sstevel@tonic-gate 8560Sstevel@tonic-gate res = pam_set_data(pamh, SUNW_OLDRPCPASS, oldrpcpw, rpc_cleanup); 8570Sstevel@tonic-gate 8580Sstevel@tonic-gate return (res); 8590Sstevel@tonic-gate } 860