search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
create pidfile after forking
[Samba.git] / source / pam_smbpass / support.c
blob332b54f23b79c49ee18d96b4577dae3747f29d63
1 /* Unix NT password database implementation, version 0.6.
2 *
3 * This program is free software; you can redistribute it and/or modify it under
4 * the terms of the GNU General Public License as published by the Free
5 * Software Foundation; either version 2 of the License, or (at your option)
6 * any later version.
7 *
8 * This program is distributed in the hope that it will be useful, but WITHOUT
9 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
10 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
11 * more details.
12 *
13 * You should have received a copy of the GNU General Public License along with
14 * this program; if not, write to the Free Software Foundation, Inc., 675
15 * Mass Ave, Cambridge, MA 02139, USA.
16 */
17
18 #include "includes.h"
19 #include "general.h"
20
21 #include "support.h"
22
23
24 #define _pam_overwrite(x) \
25 do { \
26 register char *__xx__; \
27 if ((__xx__=(x))) \
28 while (*__xx__) \
29 *__xx__++ = '\0'; \
30 } while (0)
31
32 /*
33 * Don't just free it, forget it too.
34 */
35
36 #define _pam_drop(X) \
37 do { \
38 if (X) { \
39 free(X); \
40 X=NULL; \
41 } \
42 } while (0)
43
44 #define _pam_drop_reply(/* struct pam_response * */ reply, /* int */ replies) \
45 do { \
46 int reply_i; \
47 \
48 for (reply_i=0; reply_i<replies; ++reply_i) { \
49 if (reply[reply_i].resp) { \
50 _pam_overwrite(reply[reply_i].resp); \
51 free(reply[reply_i].resp); \
52 } \
53 } \
54 if (reply) \
55 free(reply); \
56 } while (0)
57
58
59 int converse(pam_handle_t *, int, int, struct pam_message **,
60 struct pam_response **);
61 int make_remark(pam_handle_t *, unsigned int, int, const char *);
62 void _cleanup(pam_handle_t *, void *, int);
63 char *_pam_delete(register char *);
64
65 /* default configuration file location */
66
67 pstring servicesf = CONFIGFILE;
68
69 /* syslogging function for errors and other information */
70
71 void _log_err( int err, const char *format, ... )
72 {
73 va_list args;
74
75 va_start( args, format );
76 openlog( "PAM_smbpass", LOG_CONS | LOG_PID, LOG_AUTH );
77 vsyslog( err, format, args );
78 va_end( args );
79 closelog();
80 }
81
82 /* this is a front-end for module-application conversations */
83
84 int converse( pam_handle_t * pamh, int ctrl, int nargs
85 , struct pam_message **message
86 , struct pam_response **response )
87 {
88 int retval;
89 struct pam_conv *conv;
90
91 retval = pam_get_item(pamh, PAM_CONV, (const void **) &conv);
92 if (retval == PAM_SUCCESS) {
93
94 retval = conv->conv(nargs, (const struct pam_message **) message
95 ,response, conv->appdata_ptr);
96
97 if (retval != PAM_SUCCESS && on(SMB_DEBUG, ctrl)) {
98 _log_err(LOG_DEBUG, "conversation failure [%s]"
99 ,pam_strerror(pamh, retval));
100 }
101 } else {
102 _log_err(LOG_ERR, "couldn't obtain coversation function [%s]"
103 ,pam_strerror(pamh, retval));
104 }
105
106 return retval; /* propagate error status */
107 }
108
109 int make_remark( pam_handle_t * pamh, unsigned int ctrl
110 , int type, const char *text )
111 {
112 if (off(SMB__QUIET, ctrl)) {
113 struct pam_message *pmsg[1], msg[1];
114 struct pam_response *resp;
115
116 pmsg[0] = &msg[0];
117 msg[0].msg = text;
118 msg[0].msg_style = type;
119 resp = NULL;
120
121 return converse(pamh, ctrl, 1, pmsg, &resp);
122 }
123 return PAM_SUCCESS;
124 }
125
126
127 /* set the control flags for the SMB module. */
128
129 int set_ctrl( int flags, int argc, const char **argv )
130 {
131 int i = 0;
132 static pstring servicesf = CONFIGFILE;
133 const char *service_file = servicesf;
134 unsigned int ctrl;
135
136 ctrl = SMB_DEFAULTS; /* the default selection of options */
137
138 /* set some flags manually */
139
140 /* A good, sane default (matches Samba's behavior). */
141 set( SMB__NONULL, ctrl );
142
143 /* initialize service file location */
144 service_file=servicesf;
145
146 if (flags & PAM_SILENT) {
147 set( SMB__QUIET, ctrl );
148 }
149
150 /* Run through the arguments once, looking for an alternate smb config
151 file location */
152 while (i < argc) {
153 int j;
154
155 for (j = 0; j < SMB_CTRLS_; ++j) {
156 if (smb_args[j].token
157 && !strncmp(argv[i], smb_args[j].token, strlen(smb_args[j].token)))
158 {
159 break;
160 }
161 }
162
163 if (j == SMB_CONF_FILE) {
164 service_file = argv[i] + 8;
165 }
166 i++;
167 }
168
169 /* Read some options from the Samba config. Can be overridden by
170 the PAM config. */
171 if(lp_load(service_file,True,False,False) == False) {
172 _log_err( LOG_ERR, "Error loading service file %s", service_file );
173 }
174
175 secrets_init();
176
177 if (lp_null_passwords()) {
178 set( SMB__NULLOK, ctrl );
179 }
180
181 /* now parse the rest of the arguments to this module */
182
183 while (argc-- > 0) {
184 int j;
185
186 for (j = 0; j < SMB_CTRLS_; ++j) {
187 if (smb_args[j].token
188 && !strncmp(*argv, smb_args[j].token, strlen(smb_args[j].token)))
189 {
190 break;
191 }
192 }
193
194 if (j >= SMB_CTRLS_) {
195 _log_err( LOG_ERR, "unrecognized option [%s]", *argv );
196 } else {
197 ctrl &= smb_args[j].mask; /* for turning things off */
198 ctrl |= smb_args[j].flag; /* for turning things on */
199 }
200
201 ++argv; /* step to next argument */
202 }
203
204 /* auditing is a more sensitive version of debug */
205
206 if (on( SMB_AUDIT, ctrl )) {
207 set( SMB_DEBUG, ctrl );
208 }
209 /* return the set of flags */
210
211 return ctrl;
212 }
213
214 /* use this to free strings. ESPECIALLY password strings */
215
216 char * _pam_delete( register char *xx )
217 {
218 _pam_overwrite( xx );
219 _pam_drop( xx );
220 return NULL;
221 }
222
223 void _cleanup( pam_handle_t * pamh, void *x, int error_status )
224 {
225 x = _pam_delete( (char *) x );
226 }
227
228 /* JHT
229 *
230 * Safe duplication of character strings. "Paranoid"; don't leave
231 * evidence of old token around for later stack analysis.
232 *
233 */
234 char * smbpXstrDup( const char *x )
235 {
236 register char *new = NULL;
237
238 if (x != NULL) {
239 register int i;
240
241 for (i = 0; x[i]; ++i); /* length of string */
242 if ((new = malloc(++i)) == NULL) {
243 i = 0;
244 _log_err( LOG_CRIT, "out of memory in smbpXstrDup" );
245 } else {
246 while (i-- > 0) {
247 new[i] = x[i];
248 }
249 }
250 x = NULL;
251 }
252 return new; /* return the duplicate or NULL on error */
253 }
254
255 /* ************************************************************** *
256 * Useful non-trivial functions *
257 * ************************************************************** */
258
259 void _cleanup_failures( pam_handle_t * pamh, void *fl, int err )
260 {
261 int quiet;
262 const char *service = NULL;
263 struct _pam_failed_auth *failure;
264
265 #ifdef PAM_DATA_SILENT
266 quiet = err & PAM_DATA_SILENT; /* should we log something? */
267 #else
268 quiet = 0;
269 #endif
270 #ifdef PAM_DATA_REPLACE
271 err &= PAM_DATA_REPLACE; /* are we just replacing data? */
272 #endif
273 failure = (struct _pam_failed_auth *) fl;
274
275 if (failure != NULL) {
276
277 #ifdef PAM_DATA_SILENT
278 if (!quiet && !err) { /* under advisement from Sun,may go away */
279 #else
280 if (!quiet) { /* under advisement from Sun,may go away */
281 #endif
282
283 /* log the number of authentication failures */
284 if (failure->count != 0) {
285 pam_get_item( pamh, PAM_SERVICE, (const void **) &service );
286 _log_err( LOG_NOTICE
287 , "%d authentication %s "
288 "from %s for service %s as %s(%d)"
289 , failure->count
290 , failure->count == 1 ? "failure" : "failures"
291 , failure->agent
292 , service == NULL ? "**unknown**" : service
293 , failure->user, failure->id );
294 if (failure->count > SMB_MAX_RETRIES) {
295 _log_err( LOG_ALERT
296 , "service(%s) ignoring max retries; %d > %d"
297 , service == NULL ? "**unknown**" : service
298 , failure->count
299 , SMB_MAX_RETRIES );
300 }
301 }
302 }
303 _pam_delete( failure->agent ); /* tidy up */
304 _pam_delete( failure->user ); /* tidy up */
305 SAFE_FREE( failure );
306 }
307 }
308
309 int _smb_verify_password( pam_handle_t * pamh, SAM_ACCOUNT *sampass,
310 const char *p, unsigned int ctrl )
311 {
312 uchar hash_pass[16];
313 uchar lm_pw[16];
314 uchar nt_pw[16];
315 int retval = PAM_AUTH_ERR;
316 char *data_name;
317 const char *name;
318
319 if (!sampass)
320 return PAM_ABORT;
321
322 name = pdb_get_username(sampass);
323
324 #ifdef HAVE_PAM_FAIL_DELAY
325 if (off( SMB_NODELAY, ctrl )) {
326 (void) pam_fail_delay( pamh, 1000000 ); /* 1 sec delay for on failure */
327 }
328 #endif
329
330 if (!pdb_get_lanman_passwd(sampass))
331 {
332 _log_err( LOG_DEBUG, "user %s has null SMB password"
333 , name );
334
335 if (off( SMB__NONULL, ctrl )
336 && (pdb_get_acct_ctrl(sampass) & ACB_PWNOTREQ))
337 { /* this means we've succeeded */
338 return PAM_SUCCESS;
339 } else {
340 const char *service;
341
342 pam_get_item( pamh, PAM_SERVICE, (const void **)&service );
343 _log_err( LOG_NOTICE
344 , "failed auth request by %s for service %s as %s(%d)"
345 , uidtoname( getuid() )
346 , service ? service : "**unknown**", name
347 , pdb_get_uid(sampass) );
348 return PAM_AUTH_ERR;
349 }
350 }
351
352 data_name = (char *) malloc( sizeof(FAIL_PREFIX) + strlen( name ));
353 if (data_name == NULL) {
354 _log_err( LOG_CRIT, "no memory for data-name" );
355 }
356 strncpy( data_name, FAIL_PREFIX, sizeof(FAIL_PREFIX) );
357 strncpy( data_name + sizeof(FAIL_PREFIX) - 1, name, strlen( name ) + 1 );
358
359 /* First we check whether we've been given the password in already
360 encrypted form. */
361 if (strlen( p ) == 16 || (strlen( p ) == 32
362 && pdb_gethexpwd( p, (char *) hash_pass ))) {
363
364 if (!memcmp( hash_pass, pdb_get_lanman_passwd(sampass), 16 )
365 || (pdb_get_nt_passwd(sampass)
366 && !memcmp( hash_pass, pdb_get_nt_passwd(sampass), 16 )))
367 {
368 retval = PAM_SUCCESS;
369 if (data_name) { /* reset failures */
370 pam_set_data( pamh, data_name, NULL, _cleanup_failures );
371 }
372 _pam_delete( data_name );
373 memset( hash_pass, '\0', 16 );
374 return retval;
375 }
376 }
377
378 /*
379 * The password we were given wasn't an encrypted password, or it
380 * didn't match the one we have. We encrypt the password now and try
381 * again.
382 */
383
384 nt_lm_owf_gen(p, nt_pw, lm_pw);
385
386 /* the moment of truth -- do we agree with the password? */
387
388 if (!memcmp( nt_pw, pdb_get_nt_passwd(sampass), 16 )) {
389
390 retval = PAM_SUCCESS;
391 if (data_name) { /* reset failures */
392 pam_set_data(pamh, data_name, NULL, _cleanup_failures);
393 }
394 } else {
395
396 const char *service;
397
398 pam_get_item( pamh, PAM_SERVICE, (const void **)&service );
399
400 if (data_name != NULL) {
401 struct _pam_failed_auth *new = NULL;
402 const struct _pam_failed_auth *old = NULL;
403
404 /* get a failure recorder */
405
406 new = (struct _pam_failed_auth *)
407 malloc( sizeof(struct _pam_failed_auth) );
408
409 if (new != NULL) {
410
411 /* any previous failures for this user ? */
412 pam_get_data(pamh, data_name, (const void **) &old);
413
414 if (old != NULL) {
415 new->count = old->count + 1;
416 if (new->count >= SMB_MAX_RETRIES) {
417 retval = PAM_MAXTRIES;
418 }
419 } else {
420 _log_err( LOG_NOTICE
421 , "failed auth request by %s for service %s as %s(%d)"
422 , uidtoname( getuid() )
423 , service ? service : "**unknown**", name
424 , pdb_get_uid(sampass) );
425 new->count = 1;
426 }
427 new->user = smbpXstrDup( name );
428 new->id = pdb_get_uid(sampass);
429 new->agent = smbpXstrDup( uidtoname( getuid() ) );
430 pam_set_data( pamh, data_name, new, _cleanup_failures );
431
432 } else {
433 _log_err( LOG_CRIT, "no memory for failure recorder" );
434 _log_err( LOG_NOTICE
435 , "failed auth request by %s for service %s as %s(%d)"
436 , uidtoname( getuid() )
437 , service ? service : "**unknown**", name
438 , pdb_get_uid(sampass) );
439 }
440 } else {
441 _log_err( LOG_NOTICE
442 , "failed auth request by %s for service %s as %s(%d)"
443 , uidtoname( getuid() )
444 , service ? service : "**unknown**", name
445 , pdb_get_uid(sampass) );
446 retval = PAM_AUTH_ERR;
447 }
448 }
449
450 _pam_delete( data_name );
451
452 return retval;
453 }
454
455
456 /*
457 * _smb_blankpasswd() is a quick check for a blank password
458 *
459 * returns TRUE if user does not have a password
460 * - to avoid prompting for one in such cases (CG)
461 */
462
463 int _smb_blankpasswd( unsigned int ctrl, SAM_ACCOUNT *sampass )
464 {
465 int retval;
466
467 /*
468 * This function does not have to be too smart if something goes
469 * wrong, return FALSE and let this case to be treated somewhere
470 * else (CG)
471 */
472
473 if (on( SMB__NONULL, ctrl ))
474 return 0; /* will fail but don't let on yet */
475
476 if (pdb_get_lanman_passwd(sampass) == NULL)
477 retval = 1;
478 else
479 retval = 0;
480
481 return retval;
482 }
483
484 /*
485 * obtain a password from the user
486 */
487
488 int _smb_read_password( pam_handle_t * pamh, unsigned int ctrl,
489 char *comment, char *prompt1,
490 char *prompt2, char *data_name, char **pass )
491 {
492 int authtok_flag;
493 int retval;
494 char *item = NULL;
495 char *token;
496
497 struct pam_message msg[3], *pmsg[3];
498 struct pam_response *resp;
499 int i, expect;
500
501
502 /* make sure nothing inappropriate gets returned */
503
504 *pass = token = NULL;
505
506 /* which authentication token are we getting? */
507
508 authtok_flag = on(SMB__OLD_PASSWD, ctrl) ? PAM_OLDAUTHTOK : PAM_AUTHTOK;
509
510 /* should we obtain the password from a PAM item ? */
511
512 if (on(SMB_TRY_FIRST_PASS, ctrl) || on(SMB_USE_FIRST_PASS, ctrl)) {
513 retval = pam_get_item( pamh, authtok_flag, (const void **) &item );
514 if (retval != PAM_SUCCESS) {
515 /* very strange. */
516 _log_err( LOG_ALERT
517 , "pam_get_item returned error to smb_read_password" );
518 return retval;
519 } else if (item != NULL) { /* we have a password! */
520 *pass = item;
521 item = NULL;
522 return PAM_SUCCESS;
523 } else if (on( SMB_USE_FIRST_PASS, ctrl )) {
524 return PAM_AUTHTOK_RECOVER_ERR; /* didn't work */
525 } else if (on( SMB_USE_AUTHTOK, ctrl )
526 && off( SMB__OLD_PASSWD, ctrl ))
527 {
528 return PAM_AUTHTOK_RECOVER_ERR;
529 }
530 }
531
532 /*
533 * getting here implies we will have to get the password from the
534 * user directly.
535 */
536
537 /* prepare to converse */
538 if (comment != NULL && off(SMB__QUIET, ctrl)) {
539 pmsg[0] = &msg[0];
540 msg[0].msg_style = PAM_TEXT_INFO;
541 msg[0].msg = comment;
542 i = 1;
543 } else {
544 i = 0;
545 }
546
547 pmsg[i] = &msg[i];
548 msg[i].msg_style = PAM_PROMPT_ECHO_OFF;
549 msg[i++].msg = prompt1;
550
551 if (prompt2 != NULL) {
552 pmsg[i] = &msg[i];
553 msg[i].msg_style = PAM_PROMPT_ECHO_OFF;
554 msg[i++].msg = prompt2;
555 expect = 2;
556 } else
557 expect = 1;
558
559 resp = NULL;
560
561 retval = converse( pamh, ctrl, i, pmsg, &resp );
562
563 if (resp != NULL) {
564 int j = comment ? 1 : 0;
565 /* interpret the response */
566
567 if (retval == PAM_SUCCESS) { /* a good conversation */
568
569 token = smbpXstrDup(resp[j++].resp);
570 if (token != NULL) {
571 if (expect == 2) {
572 /* verify that password entered correctly */
573 if (!resp[j].resp || strcmp( token, resp[j].resp )) {
574 _pam_delete( token );
575 retval = PAM_AUTHTOK_RECOVER_ERR;
576 make_remark( pamh, ctrl, PAM_ERROR_MSG
577 , MISTYPED_PASS );
578 }
579 }
580 } else {
581 _log_err(LOG_NOTICE, "could not recover authentication token");
582 }
583 }
584
585 /* tidy up */
586 _pam_drop_reply( resp, expect );
587
588 } else {
589 retval = (retval == PAM_SUCCESS) ? PAM_AUTHTOK_RECOVER_ERR : retval;
590 }
591
592 if (retval != PAM_SUCCESS) {
593 if (on( SMB_DEBUG, ctrl ))
594 _log_err( LOG_DEBUG, "unable to obtain a password" );
595 return retval;
596 }
597 /* 'token' is the entered password */
598
599 if (off( SMB_NOT_SET_PASS, ctrl )) {
600
601 /* we store this password as an item */
602
603 retval = pam_set_item( pamh, authtok_flag, (const void *)token );
604 _pam_delete( token ); /* clean it up */
605 if (retval != PAM_SUCCESS
606 || (retval = pam_get_item( pamh, authtok_flag
607 ,(const void **)&item )) != PAM_SUCCESS)
608 {
609 _log_err( LOG_CRIT, "error manipulating password" );
610 return retval;
611 }
612 } else {
613 /*
614 * then store it as data specific to this module. pam_end()
615 * will arrange to clean it up.
616 */
617
618 retval = pam_set_data( pamh, data_name, (void *) token, _cleanup );
619 if (retval != PAM_SUCCESS
620 || (retval = pam_get_data( pamh, data_name, (const void **)&item ))
621 != PAM_SUCCESS)
622 {
623 _log_err( LOG_CRIT, "error manipulating password data [%s]"
624 , pam_strerror( pamh, retval ));
625 _pam_delete( token );
626 item = NULL;
627 return retval;
628 }
629 token = NULL; /* break link to password */
630 }
631
632 *pass = item;
633 item = NULL; /* break link to password */
634
635 return PAM_SUCCESS;
636 }
637
638 int _pam_smb_approve_pass(pam_handle_t * pamh,
639 unsigned int ctrl,
640 const char *pass_old,
641 const char *pass_new )
642 {
643
644 /* Further checks should be handled through module stacking. -SRL */
645 if (pass_new == NULL || (pass_old && !strcmp( pass_old, pass_new )))
646 {
647 if (on(SMB_DEBUG, ctrl)) {
648 _log_err( LOG_DEBUG,
649 "passwd: bad authentication token (null or unchanged)" );
650 }
651 make_remark( pamh, ctrl, PAM_ERROR_MSG, pass_new == NULL ?
652 "No password supplied" : "Password unchanged" );
653 return PAM_AUTHTOK_ERR;
654 }
655
656 return PAM_SUCCESS;
657 }
Samba GIT mirror