1 /* Unix NT password database implementation, version 0.6.
3 * This program is free software; you can redistribute it and/or modify it under
4 * the terms of the GNU General Public License as published by the Free
5 * Software Foundation; either version 3 of the License, or (at your option)
8 * This program is distributed in the hope that it will be useful, but WITHOUT
9 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
10 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
13 * You should have received a copy of the GNU General Public License along with
14 * this program; if not, see <http://www.gnu.org/licenses/>.
23 #if defined(HAVE_SECURITY_PAM_EXT_H)
24 #include <security/pam_ext.h>
25 #elif defined(HAVE_PAM_PAM_EXT_H)
26 #include <pam/pam_ext.h>
29 #if defined(HAVE_SECURITY__PAM_MACROS_H)
30 #include <security/_pam_macros.h>
31 #elif defined(HAVE_PAM__PAM_MACROS_H)
32 #include <pam/_pam_macros.h>
39 #define _pam_overwrite(x) \
41 register char *__xx__; \
48 * Don't just free it, forget it too.
51 #define _pam_drop(X) \
59 #define _pam_drop_reply(/* struct pam_response * */ reply, /* int */ replies) \
63 for (reply_i=0; reply_i<replies; ++reply_i) { \
64 if (reply[reply_i].resp) { \
65 _pam_overwrite(reply[reply_i].resp); \
66 free(reply[reply_i].resp); \
74 int converse(pam_handle_t
*, int, int, struct pam_message
**,
75 struct pam_response
**);
76 int make_remark(pam_handle_t
*, unsigned int, int, const char *);
77 void _cleanup(pam_handle_t
*, void *, int);
78 char *_pam_delete(register char *);
80 /* syslogging function for errors and other information */
81 #ifdef HAVE_PAM_VSYSLOG
82 void _log_err( pam_handle_t
*pamh
, int err
, const char *format
, ... )
86 va_start(args
, format
);
87 pam_vsyslog(pamh
, err
, format
, args
);
91 void _log_err( pam_handle_t
*pamh
, int err
, const char *format
, ... )
94 const char tag
[] = "(pam_smbpass) ";
97 mod_format
= SMB_MALLOC_ARRAY(char, sizeof(tag
) + strlen(format
));
98 /* try really, really hard to log something, since this may have
99 been a message about a malloc() failure... */
100 if (mod_format
== NULL
) {
101 va_start(args
, format
);
102 vsyslog(err
| LOG_AUTH
, format
, args
);
107 strncpy(mod_format
, tag
, strlen(tag
)+1);
108 strlcat(mod_format
, format
, strlen(format
)+1);
110 va_start(args
, format
);
111 vsyslog(err
| LOG_AUTH
, mod_format
, args
);
118 /* this is a front-end for module-application conversations */
120 int converse( pam_handle_t
* pamh
, int ctrl
, int nargs
121 , struct pam_message
**message
122 , struct pam_response
**response
)
125 struct pam_conv
*conv
;
127 retval
= _pam_get_item(pamh
, PAM_CONV
, &conv
);
128 if (retval
== PAM_SUCCESS
) {
130 retval
= conv
->conv(nargs
, (const struct pam_message
**) message
131 ,response
, conv
->appdata_ptr
);
133 if (retval
!= PAM_SUCCESS
&& on(SMB_DEBUG
, ctrl
)) {
134 _log_err(pamh
, LOG_DEBUG
, "conversation failure [%s]"
135 ,pam_strerror(pamh
, retval
));
138 _log_err(pamh
, LOG_ERR
, "couldn't obtain coversation function [%s]"
139 ,pam_strerror(pamh
, retval
));
142 return retval
; /* propagate error status */
145 int make_remark( pam_handle_t
* pamh
, unsigned int ctrl
146 , int type
, const char *text
)
148 if (off(SMB__QUIET
, ctrl
)) {
149 struct pam_message
*pmsg
[1], msg
[1];
150 struct pam_response
*resp
;
153 msg
[0].msg
= CONST_DISCARD(char *, text
);
154 msg
[0].msg_style
= type
;
157 return converse(pamh
, ctrl
, 1, pmsg
, &resp
);
163 /* set the control flags for the SMB module. */
165 int set_ctrl( pam_handle_t
*pamh
, int flags
, int argc
, const char **argv
)
168 const char *service_file
= NULL
;
171 ctrl
= SMB_DEFAULTS
; /* the default selection of options */
173 /* set some flags manually */
175 /* A good, sane default (matches Samba's behavior). */
176 set( SMB__NONULL
, ctrl
);
178 /* initialize service file location */
179 service_file
=get_dyn_CONFIGFILE();
181 if (flags
& PAM_SILENT
) {
182 set( SMB__QUIET
, ctrl
);
185 /* Run through the arguments once, looking for an alternate smb config
190 for (j
= 0; j
< SMB_CTRLS_
; ++j
) {
191 if (smb_args
[j
].token
192 && !strncmp(argv
[i
], smb_args
[j
].token
, strlen(smb_args
[j
].token
)))
198 if (j
== SMB_CONF_FILE
) {
199 service_file
= argv
[i
] + 8;
204 /* Read some options from the Samba config. Can be overridden by
206 if(lp_load(service_file
,True
,False
,False
,True
) == False
) {
207 _log_err(pamh
, LOG_ERR
, "Error loading service file %s", service_file
);
212 if (lp_null_passwords()) {
213 set( SMB__NULLOK
, ctrl
);
216 /* now parse the rest of the arguments to this module */
221 for (j
= 0; j
< SMB_CTRLS_
; ++j
) {
222 if (smb_args
[j
].token
223 && !strncmp(*argv
, smb_args
[j
].token
, strlen(smb_args
[j
].token
)))
229 if (j
>= SMB_CTRLS_
) {
230 _log_err(pamh
, LOG_ERR
, "unrecognized option [%s]", *argv
);
232 ctrl
&= smb_args
[j
].mask
; /* for turning things off */
233 ctrl
|= smb_args
[j
].flag
; /* for turning things on */
236 ++argv
; /* step to next argument */
239 /* auditing is a more sensitive version of debug */
241 if (on( SMB_AUDIT
, ctrl
)) {
242 set( SMB_DEBUG
, ctrl
);
244 /* return the set of flags */
249 /* use this to free strings. ESPECIALLY password strings */
251 char * _pam_delete( register char *xx
)
253 _pam_overwrite( xx
);
258 void _cleanup( pam_handle_t
* pamh
, void *x
, int error_status
)
260 x
= _pam_delete( (char *) x
);
265 * Safe duplication of character strings. "Paranoid"; don't leave
266 * evidence of old token around for later stack analysis.
269 char * smbpXstrDup( pam_handle_t
*pamh
, const char *x
)
271 register char *newstr
= NULL
;
276 for (i
= 0; x
[i
]; ++i
); /* length of string */
277 if ((newstr
= SMB_MALLOC_ARRAY(char, ++i
)) == NULL
) {
279 _log_err(pamh
, LOG_CRIT
, "out of memory in smbpXstrDup");
287 return newstr
; /* return the duplicate or NULL on error */
290 /* ************************************************************** *
291 * Useful non-trivial functions *
292 * ************************************************************** */
294 void _cleanup_failures( pam_handle_t
* pamh
, void *fl
, int err
)
297 const char *service
= NULL
;
298 struct _pam_failed_auth
*failure
;
300 #ifdef PAM_DATA_SILENT
301 quiet
= err
& PAM_DATA_SILENT
; /* should we log something? */
305 #ifdef PAM_DATA_REPLACE
306 err
&= PAM_DATA_REPLACE
; /* are we just replacing data? */
308 failure
= (struct _pam_failed_auth
*) fl
;
310 if (failure
!= NULL
) {
312 #ifdef PAM_DATA_SILENT
313 if (!quiet
&& !err
) { /* under advisement from Sun,may go away */
315 if (!quiet
) { /* under advisement from Sun,may go away */
318 /* log the number of authentication failures */
319 if (failure
->count
!= 0) {
320 _pam_get_item( pamh
, PAM_SERVICE
, &service
);
321 _log_err(pamh
, LOG_NOTICE
322 , "%d authentication %s "
323 "from %s for service %s as %s(%d)"
325 , failure
->count
== 1 ? "failure" : "failures"
327 , service
== NULL
? "**unknown**" : service
328 , failure
->user
, failure
->id
);
329 if (failure
->count
> SMB_MAX_RETRIES
) {
330 _log_err(pamh
, LOG_ALERT
331 , "service(%s) ignoring max retries; %d > %d"
332 , service
== NULL
? "**unknown**" : service
338 _pam_delete( failure
->agent
); /* tidy up */
339 _pam_delete( failure
->user
); /* tidy up */
340 SAFE_FREE( failure
);
344 int _smb_verify_password( pam_handle_t
* pamh
, struct samu
*sampass
,
345 const char *p
, unsigned int ctrl
)
349 int retval
= PAM_AUTH_ERR
;
356 name
= pdb_get_username(sampass
);
358 #ifdef HAVE_PAM_FAIL_DELAY
359 if (off( SMB_NODELAY
, ctrl
)) {
360 (void) pam_fail_delay( pamh
, 1000000 ); /* 1 sec delay for on failure */
364 if (!pdb_get_nt_passwd(sampass
))
366 _log_err(pamh
, LOG_DEBUG
, "user %s has null SMB password", name
);
368 if (off( SMB__NONULL
, ctrl
)
369 && (pdb_get_acct_ctrl(sampass
) & ACB_PWNOTREQ
))
370 { /* this means we've succeeded */
375 _pam_get_item( pamh
, PAM_SERVICE
, &service
);
376 _log_err(pamh
, LOG_NOTICE
, "failed auth request by %s for service %s as %s",
377 uidtoname(getuid()), service
? service
: "**unknown**", name
);
382 data_name
= SMB_MALLOC_ARRAY(char, sizeof(FAIL_PREFIX
) + strlen( name
));
383 if (data_name
== NULL
) {
384 _log_err(pamh
, LOG_CRIT
, "no memory for data-name" );
387 strncpy( data_name
, FAIL_PREFIX
, sizeof(FAIL_PREFIX
) );
388 strncpy( data_name
+ sizeof(FAIL_PREFIX
) - 1, name
, strlen( name
) + 1 );
391 * The password we were given wasn't an encrypted password, or it
392 * didn't match the one we have. We encrypt the password now and try
396 nt_lm_owf_gen(p
, nt_pw
, lm_pw
);
398 /* the moment of truth -- do we agree with the password? */
400 if (!memcmp( nt_pw
, pdb_get_nt_passwd(sampass
), 16 )) {
402 retval
= PAM_SUCCESS
;
403 if (data_name
) { /* reset failures */
404 pam_set_data(pamh
, data_name
, NULL
, _cleanup_failures
);
410 _pam_get_item( pamh
, PAM_SERVICE
, &service
);
412 if (data_name
!= NULL
) {
413 struct _pam_failed_auth
*newauth
= NULL
;
414 const struct _pam_failed_auth
*old
= NULL
;
416 /* get a failure recorder */
418 newauth
= SMB_MALLOC_P( struct _pam_failed_auth
);
420 if (newauth
!= NULL
) {
422 /* any previous failures for this user ? */
423 _pam_get_data(pamh
, data_name
, &old
);
426 newauth
->count
= old
->count
+ 1;
427 if (newauth
->count
>= SMB_MAX_RETRIES
) {
428 retval
= PAM_MAXTRIES
;
431 _log_err(pamh
, LOG_NOTICE
,
432 "failed auth request by %s for service %s as %s",
434 service
? service
: "**unknown**", name
);
437 if (!sid_to_uid(pdb_get_user_sid(sampass
), &(newauth
->id
))) {
438 _log_err(pamh
, LOG_NOTICE
,
439 "failed auth request by %s for service %s as %s",
441 service
? service
: "**unknown**", name
);
443 newauth
->user
= smbpXstrDup( pamh
, name
);
444 newauth
->agent
= smbpXstrDup( pamh
, uidtoname( getuid() ) );
445 pam_set_data( pamh
, data_name
, newauth
, _cleanup_failures
);
448 _log_err(pamh
, LOG_CRIT
, "no memory for failure recorder" );
449 _log_err(pamh
, LOG_NOTICE
,
450 "failed auth request by %s for service %s as %s(%d)",
452 service
? service
: "**unknown**", name
);
455 _log_err(pamh
, LOG_NOTICE
,
456 "failed auth request by %s for service %s as %s(%d)",
458 service
? service
: "**unknown**", name
);
459 retval
= PAM_AUTH_ERR
;
462 _pam_delete( data_name
);
469 * _smb_blankpasswd() is a quick check for a blank password
471 * returns TRUE if user does not have a password
472 * - to avoid prompting for one in such cases (CG)
475 int _smb_blankpasswd( unsigned int ctrl
, struct samu
*sampass
)
480 * This function does not have to be too smart if something goes
481 * wrong, return FALSE and let this case to be treated somewhere
485 if (on( SMB__NONULL
, ctrl
))
486 return 0; /* will fail but don't let on yet */
488 if (!(pdb_get_acct_ctrl(sampass
) & ACB_PWNOTREQ
))
491 if (pdb_get_nt_passwd(sampass
) == NULL
)
500 * obtain a password from the user
503 int _smb_read_password( pam_handle_t
* pamh
, unsigned int ctrl
,
504 const char *comment
, const char *prompt1
,
505 const char *prompt2
, const char *data_name
, char **pass
)
512 struct pam_message msg
[3], *pmsg
[3];
513 struct pam_response
*resp
;
517 /* make sure nothing inappropriate gets returned */
519 *pass
= token
= NULL
;
521 /* which authentication token are we getting? */
523 authtok_flag
= on(SMB__OLD_PASSWD
, ctrl
) ? PAM_OLDAUTHTOK
: PAM_AUTHTOK
;
525 /* should we obtain the password from a PAM item ? */
527 if (on(SMB_TRY_FIRST_PASS
, ctrl
) || on(SMB_USE_FIRST_PASS
, ctrl
)) {
528 retval
= _pam_get_item( pamh
, authtok_flag
, &item
);
529 if (retval
!= PAM_SUCCESS
) {
531 _log_err(pamh
, LOG_ALERT
,
532 "pam_get_item returned error to smb_read_password");
534 } else if (item
!= NULL
) { /* we have a password! */
538 } else if (on( SMB_USE_FIRST_PASS
, ctrl
)) {
539 return PAM_AUTHTOK_RECOVER_ERR
; /* didn't work */
540 } else if (on( SMB_USE_AUTHTOK
, ctrl
)
541 && off( SMB__OLD_PASSWD
, ctrl
))
543 return PAM_AUTHTOK_RECOVER_ERR
;
548 * getting here implies we will have to get the password from the
552 /* prepare to converse */
553 if (comment
!= NULL
&& off(SMB__QUIET
, ctrl
)) {
555 msg
[0].msg_style
= PAM_TEXT_INFO
;
556 msg
[0].msg
= CONST_DISCARD(char *, comment
);
563 msg
[i
].msg_style
= PAM_PROMPT_ECHO_OFF
;
564 msg
[i
++].msg
= CONST_DISCARD(char *, prompt1
);
566 if (prompt2
!= NULL
) {
568 msg
[i
].msg_style
= PAM_PROMPT_ECHO_OFF
;
569 msg
[i
++].msg
= CONST_DISCARD(char *, prompt2
);
576 retval
= converse( pamh
, ctrl
, i
, pmsg
, &resp
);
579 int j
= comment
? 1 : 0;
580 /* interpret the response */
582 if (retval
== PAM_SUCCESS
) { /* a good conversation */
584 token
= smbpXstrDup(pamh
, resp
[j
++].resp
);
587 /* verify that password entered correctly */
588 if (!resp
[j
].resp
|| strcmp( token
, resp
[j
].resp
)) {
589 _pam_delete( token
);
590 retval
= PAM_AUTHTOK_RECOVER_ERR
;
591 make_remark( pamh
, ctrl
, PAM_ERROR_MSG
596 _log_err(pamh
, LOG_NOTICE
,
597 "could not recover authentication token");
602 _pam_drop_reply( resp
, expect
);
605 retval
= (retval
== PAM_SUCCESS
) ? PAM_AUTHTOK_RECOVER_ERR
: retval
;
608 if (retval
!= PAM_SUCCESS
) {
609 if (on( SMB_DEBUG
, ctrl
))
610 _log_err(pamh
, LOG_DEBUG
, "unable to obtain a password");
613 /* 'token' is the entered password */
615 if (off( SMB_NOT_SET_PASS
, ctrl
)) {
617 /* we store this password as an item */
619 retval
= pam_set_item( pamh
, authtok_flag
, (const void *)token
);
620 _pam_delete( token
); /* clean it up */
621 if (retval
!= PAM_SUCCESS
622 || (retval
= _pam_get_item( pamh
, authtok_flag
623 ,&item
)) != PAM_SUCCESS
)
625 _log_err(pamh
, LOG_CRIT
, "error manipulating password");
630 * then store it as data specific to this module. pam_end()
631 * will arrange to clean it up.
634 retval
= pam_set_data( pamh
, data_name
, (void *) token
, _cleanup
);
635 if (retval
!= PAM_SUCCESS
636 || (retval
= _pam_get_data( pamh
, data_name
, &item
))
639 _log_err(pamh
, LOG_CRIT
, "error manipulating password data [%s]",
640 pam_strerror( pamh
, retval
));
641 _pam_delete( token
);
645 token
= NULL
; /* break link to password */
649 item
= NULL
; /* break link to password */
654 int _pam_smb_approve_pass(pam_handle_t
* pamh
,
656 const char *pass_old
,
657 const char *pass_new
)
660 /* Further checks should be handled through module stacking. -SRL */
661 if (pass_new
== NULL
|| (pass_old
&& !strcmp( pass_old
, pass_new
)))
663 if (on(SMB_DEBUG
, ctrl
)) {
664 _log_err(pamh
, LOG_DEBUG
,
665 "passwd: bad authentication token (null or unchanged)");
667 make_remark( pamh
, ctrl
, PAM_ERROR_MSG
, pass_new
== NULL
?
668 "No password supplied" : "Password unchanged" );
669 return PAM_AUTHTOK_ERR
;
676 * Work around the pam API that has functions with void ** as parameters
677 * These lead to strict aliasing warnings with gcc.
679 int _pam_get_item(const pam_handle_t
*pamh
,
683 const void **item
= (const void **)_item
;
684 return pam_get_item(pamh
, item_type
, item
);
687 int _pam_get_data(const pam_handle_t
*pamh
,
688 const char *module_data_name
,
691 const void **data
= (const void **)_data
;
692 return pam_get_data(pamh
, module_data_name
, data
);