search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
r14664: r13868@cabra: derrell | 2006-03-22 17:04:30 -0500
[Samba.git] / source3 / pam_smbpass / support.c
blobc318a5c3ed165edb3b001498d709505c7b126663
1 /* Unix NT password database implementation, version 0.6.
2 *
3 * This program is free software; you can redistribute it and/or modify it under
4 * the terms of the GNU General Public License as published by the Free
5 * Software Foundation; either version 2 of the License, or (at your option)
6 * any later version.
7 *
8 * This program is distributed in the hope that it will be useful, but WITHOUT
9 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
10 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
11 * more details.
12 *
13 * You should have received a copy of the GNU General Public License along with
14 * this program; if not, write to the Free Software Foundation, Inc., 675
15 * Mass Ave, Cambridge, MA 02139, USA.
16 */
17
18 #include "includes.h"
19 #include "general.h"
20
21 #include "support.h"
22
23
24 #define _pam_overwrite(x) \
25 do { \
26 register char *__xx__; \
27 if ((__xx__=(x))) \
28 while (*__xx__) \
29 *__xx__++ = '\0'; \
30 } while (0)
31
32 /*
33 * Don't just free it, forget it too.
34 */
35
36 #define _pam_drop(X) \
37 do { \
38 if (X) { \
39 free(X); \
40 X=NULL; \
41 } \
42 } while (0)
43
44 #define _pam_drop_reply(/* struct pam_response * */ reply, /* int */ replies) \
45 do { \
46 int reply_i; \
47 \
48 for (reply_i=0; reply_i<replies; ++reply_i) { \
49 if (reply[reply_i].resp) { \
50 _pam_overwrite(reply[reply_i].resp); \
51 free(reply[reply_i].resp); \
52 } \
53 } \
54 if (reply) \
55 free(reply); \
56 } while (0)
57
58
59 int converse(pam_handle_t *, int, int, struct pam_message **,
60 struct pam_response **);
61 int make_remark(pam_handle_t *, unsigned int, int, const char *);
62 void _cleanup(pam_handle_t *, void *, int);
63 char *_pam_delete(register char *);
64
65 /* default configuration file location */
66
67 char *servicesf = dyn_CONFIGFILE;
68
69 /* syslogging function for errors and other information */
70
71 void _log_err( int err, const char *format, ... )
72 {
73 va_list args;
74
75 va_start( args, format );
76 openlog( "PAM_smbpass", LOG_CONS | LOG_PID, LOG_AUTH );
77 vsyslog( err, format, args );
78 va_end( args );
79 closelog();
80 }
81
82 /* this is a front-end for module-application conversations */
83
84 int converse( pam_handle_t * pamh, int ctrl, int nargs
85 , struct pam_message **message
86 , struct pam_response **response )
87 {
88 int retval;
89 struct pam_conv *conv;
90
91 retval = pam_get_item(pamh, PAM_CONV, (const void **) &conv);
92 if (retval == PAM_SUCCESS) {
93
94 retval = conv->conv(nargs, (const struct pam_message **) message
95 ,response, conv->appdata_ptr);
96
97 if (retval != PAM_SUCCESS && on(SMB_DEBUG, ctrl)) {
98 _log_err(LOG_DEBUG, "conversation failure [%s]"
99 ,pam_strerror(pamh, retval));
100 }
101 } else {
102 _log_err(LOG_ERR, "couldn't obtain coversation function [%s]"
103 ,pam_strerror(pamh, retval));
104 }
105
106 return retval; /* propagate error status */
107 }
108
109 int make_remark( pam_handle_t * pamh, unsigned int ctrl
110 , int type, const char *text )
111 {
112 if (off(SMB__QUIET, ctrl)) {
113 struct pam_message *pmsg[1], msg[1];
114 struct pam_response *resp;
115
116 pmsg[0] = &msg[0];
117 msg[0].msg = text;
118 msg[0].msg_style = type;
119 resp = NULL;
120
121 return converse(pamh, ctrl, 1, pmsg, &resp);
122 }
123 return PAM_SUCCESS;
124 }
125
126
127 /* set the control flags for the SMB module. */
128
129 int set_ctrl( int flags, int argc, const char **argv )
130 {
131 int i = 0;
132 const char *service_file = dyn_CONFIGFILE;
133 unsigned int ctrl;
134
135 ctrl = SMB_DEFAULTS; /* the default selection of options */
136
137 /* set some flags manually */
138
139 /* A good, sane default (matches Samba's behavior). */
140 set( SMB__NONULL, ctrl );
141
142 /* initialize service file location */
143 service_file=servicesf;
144
145 if (flags & PAM_SILENT) {
146 set( SMB__QUIET, ctrl );
147 }
148
149 /* Run through the arguments once, looking for an alternate smb config
150 file location */
151 while (i < argc) {
152 int j;
153
154 for (j = 0; j < SMB_CTRLS_; ++j) {
155 if (smb_args[j].token
156 && !strncmp(argv[i], smb_args[j].token, strlen(smb_args[j].token)))
157 {
158 break;
159 }
160 }
161
162 if (j == SMB_CONF_FILE) {
163 service_file = argv[i] + 8;
164 }
165 i++;
166 }
167
168 /* Read some options from the Samba config. Can be overridden by
169 the PAM config. */
170 if(lp_load(service_file,True,False,False,True) == False) {
171 _log_err( LOG_ERR, "Error loading service file %s", service_file );
172 }
173
174 secrets_init();
175
176 if (lp_null_passwords()) {
177 set( SMB__NULLOK, ctrl );
178 }
179
180 /* now parse the rest of the arguments to this module */
181
182 while (argc-- > 0) {
183 int j;
184
185 for (j = 0; j < SMB_CTRLS_; ++j) {
186 if (smb_args[j].token
187 && !strncmp(*argv, smb_args[j].token, strlen(smb_args[j].token)))
188 {
189 break;
190 }
191 }
192
193 if (j >= SMB_CTRLS_) {
194 _log_err( LOG_ERR, "unrecognized option [%s]", *argv );
195 } else {
196 ctrl &= smb_args[j].mask; /* for turning things off */
197 ctrl |= smb_args[j].flag; /* for turning things on */
198 }
199
200 ++argv; /* step to next argument */
201 }
202
203 /* auditing is a more sensitive version of debug */
204
205 if (on( SMB_AUDIT, ctrl )) {
206 set( SMB_DEBUG, ctrl );
207 }
208 /* return the set of flags */
209
210 return ctrl;
211 }
212
213 /* use this to free strings. ESPECIALLY password strings */
214
215 char * _pam_delete( register char *xx )
216 {
217 _pam_overwrite( xx );
218 _pam_drop( xx );
219 return NULL;
220 }
221
222 void _cleanup( pam_handle_t * pamh, void *x, int error_status )
223 {
224 x = _pam_delete( (char *) x );
225 }
226
227 /* JHT
228 *
229 * Safe duplication of character strings. "Paranoid"; don't leave
230 * evidence of old token around for later stack analysis.
231 *
232 */
233 char * smbpXstrDup( const char *x )
234 {
235 register char *newstr = NULL;
236
237 if (x != NULL) {
238 register int i;
239
240 for (i = 0; x[i]; ++i); /* length of string */
241 if ((newstr = SMB_MALLOC_ARRAY(char, ++i)) == NULL) {
242 i = 0;
243 _log_err( LOG_CRIT, "out of memory in smbpXstrDup" );
244 } else {
245 while (i-- > 0) {
246 newstr[i] = x[i];
247 }
248 }
249 x = NULL;
250 }
251 return newstr; /* return the duplicate or NULL on error */
252 }
253
254 /* ************************************************************** *
255 * Useful non-trivial functions *
256 * ************************************************************** */
257
258 void _cleanup_failures( pam_handle_t * pamh, void *fl, int err )
259 {
260 int quiet;
261 const char *service = NULL;
262 struct _pam_failed_auth *failure;
263
264 #ifdef PAM_DATA_SILENT
265 quiet = err & PAM_DATA_SILENT; /* should we log something? */
266 #else
267 quiet = 0;
268 #endif
269 #ifdef PAM_DATA_REPLACE
270 err &= PAM_DATA_REPLACE; /* are we just replacing data? */
271 #endif
272 failure = (struct _pam_failed_auth *) fl;
273
274 if (failure != NULL) {
275
276 #ifdef PAM_DATA_SILENT
277 if (!quiet && !err) { /* under advisement from Sun,may go away */
278 #else
279 if (!quiet) { /* under advisement from Sun,may go away */
280 #endif
281
282 /* log the number of authentication failures */
283 if (failure->count != 0) {
284 pam_get_item( pamh, PAM_SERVICE, (const void **) &service );
285 _log_err( LOG_NOTICE
286 , "%d authentication %s "
287 "from %s for service %s as %s(%d)"
288 , failure->count
289 , failure->count == 1 ? "failure" : "failures"
290 , failure->agent
291 , service == NULL ? "**unknown**" : service
292 , failure->user, failure->id );
293 if (failure->count > SMB_MAX_RETRIES) {
294 _log_err( LOG_ALERT
295 , "service(%s) ignoring max retries; %d > %d"
296 , service == NULL ? "**unknown**" : service
297 , failure->count
298 , SMB_MAX_RETRIES );
299 }
300 }
301 }
302 _pam_delete( failure->agent ); /* tidy up */
303 _pam_delete( failure->user ); /* tidy up */
304 SAFE_FREE( failure );
305 }
306 }
307
308 int _smb_verify_password( pam_handle_t * pamh, struct samu *sampass,
309 const char *p, unsigned int ctrl )
310 {
311 uchar lm_pw[16];
312 uchar nt_pw[16];
313 int retval = PAM_AUTH_ERR;
314 char *data_name;
315 const char *name;
316
317 if (!sampass)
318 return PAM_ABORT;
319
320 name = pdb_get_username(sampass);
321
322 #ifdef HAVE_PAM_FAIL_DELAY
323 if (off( SMB_NODELAY, ctrl )) {
324 (void) pam_fail_delay( pamh, 1000000 ); /* 1 sec delay for on failure */
325 }
326 #endif
327
328 if (!pdb_get_lanman_passwd(sampass))
329 {
330 _log_err( LOG_DEBUG, "user %s has null SMB password"
331 , name );
332
333 if (off( SMB__NONULL, ctrl )
334 && (pdb_get_acct_ctrl(sampass) & ACB_PWNOTREQ))
335 { /* this means we've succeeded */
336 return PAM_SUCCESS;
337 } else {
338 const char *service;
339
340 pam_get_item( pamh, PAM_SERVICE, (const void **)&service );
341 _log_err( LOG_NOTICE, "failed auth request by %s for service %s as %s",
342 uidtoname(getuid()), service ? service : "**unknown**", name);
343 return PAM_AUTH_ERR;
344 }
345 }
346
347 data_name = SMB_MALLOC_ARRAY(char, sizeof(FAIL_PREFIX) + strlen( name ));
348 if (data_name == NULL) {
349 _log_err( LOG_CRIT, "no memory for data-name" );
350 }
351 strncpy( data_name, FAIL_PREFIX, sizeof(FAIL_PREFIX) );
352 strncpy( data_name + sizeof(FAIL_PREFIX) - 1, name, strlen( name ) + 1 );
353
354 /*
355 * The password we were given wasn't an encrypted password, or it
356 * didn't match the one we have. We encrypt the password now and try
357 * again.
358 */
359
360 nt_lm_owf_gen(p, nt_pw, lm_pw);
361
362 /* the moment of truth -- do we agree with the password? */
363
364 if (!memcmp( nt_pw, pdb_get_nt_passwd(sampass), 16 )) {
365
366 retval = PAM_SUCCESS;
367 if (data_name) { /* reset failures */
368 pam_set_data(pamh, data_name, NULL, _cleanup_failures);
369 }
370 } else {
371
372 const char *service;
373
374 pam_get_item( pamh, PAM_SERVICE, (const void **)&service );
375
376 if (data_name != NULL) {
377 struct _pam_failed_auth *newauth = NULL;
378 const struct _pam_failed_auth *old = NULL;
379
380 /* get a failure recorder */
381
382 newauth = SMB_MALLOC_P( struct _pam_failed_auth );
383
384 if (newauth != NULL) {
385
386 /* any previous failures for this user ? */
387 pam_get_data(pamh, data_name, (const void **) &old);
388
389 if (old != NULL) {
390 newauth->count = old->count + 1;
391 if (newauth->count >= SMB_MAX_RETRIES) {
392 retval = PAM_MAXTRIES;
393 }
394 } else {
395 _log_err(LOG_NOTICE,
396 "failed auth request by %s for service %s as %s",
397 uidtoname(getuid()),
398 service ? service : "**unknown**", name);
399 newauth->count = 1;
400 }
401 if (!sid_to_uid(pdb_get_user_sid(sampass), &(newauth->id))) {
402 _log_err(LOG_NOTICE,
403 "failed auth request by %s for service %s as %s",
404 uidtoname(getuid()),
405 service ? service : "**unknown**", name);
406 }
407 newauth->user = smbpXstrDup( name );
408 newauth->agent = smbpXstrDup( uidtoname( getuid() ) );
409 pam_set_data( pamh, data_name, newauth, _cleanup_failures );
410
411 } else {
412 _log_err( LOG_CRIT, "no memory for failure recorder" );
413 _log_err(LOG_NOTICE,
414 "failed auth request by %s for service %s as %s(%d)",
415 uidtoname(getuid()),
416 service ? service : "**unknown**", name);
417 }
418 } else {
419 _log_err(LOG_NOTICE,
420 "failed auth request by %s for service %s as %s(%d)",
421 uidtoname(getuid()),
422 service ? service : "**unknown**", name);
423 retval = PAM_AUTH_ERR;
424 }
425 }
426
427 _pam_delete( data_name );
428
429 return retval;
430 }
431
432
433 /*
434 * _smb_blankpasswd() is a quick check for a blank password
435 *
436 * returns TRUE if user does not have a password
437 * - to avoid prompting for one in such cases (CG)
438 */
439
440 int _smb_blankpasswd( unsigned int ctrl, struct samu *sampass )
441 {
442 int retval;
443
444 /*
445 * This function does not have to be too smart if something goes
446 * wrong, return FALSE and let this case to be treated somewhere
447 * else (CG)
448 */
449
450 if (on( SMB__NONULL, ctrl ))
451 return 0; /* will fail but don't let on yet */
452
453 if (pdb_get_lanman_passwd(sampass) == NULL)
454 retval = 1;
455 else
456 retval = 0;
457
458 return retval;
459 }
460
461 /*
462 * obtain a password from the user
463 */
464
465 int _smb_read_password( pam_handle_t * pamh, unsigned int ctrl,
466 const char *comment, const char *prompt1,
467 const char *prompt2, const char *data_name, char **pass )
468 {
469 int authtok_flag;
470 int retval;
471 char *item = NULL;
472 char *token;
473
474 struct pam_message msg[3], *pmsg[3];
475 struct pam_response *resp;
476 int i, expect;
477
478
479 /* make sure nothing inappropriate gets returned */
480
481 *pass = token = NULL;
482
483 /* which authentication token are we getting? */
484
485 authtok_flag = on(SMB__OLD_PASSWD, ctrl) ? PAM_OLDAUTHTOK : PAM_AUTHTOK;
486
487 /* should we obtain the password from a PAM item ? */
488
489 if (on(SMB_TRY_FIRST_PASS, ctrl) || on(SMB_USE_FIRST_PASS, ctrl)) {
490 retval = pam_get_item( pamh, authtok_flag, (const void **) &item );
491 if (retval != PAM_SUCCESS) {
492 /* very strange. */
493 _log_err( LOG_ALERT
494 , "pam_get_item returned error to smb_read_password" );
495 return retval;
496 } else if (item != NULL) { /* we have a password! */
497 *pass = item;
498 item = NULL;
499 return PAM_SUCCESS;
500 } else if (on( SMB_USE_FIRST_PASS, ctrl )) {
501 return PAM_AUTHTOK_RECOVER_ERR; /* didn't work */
502 } else if (on( SMB_USE_AUTHTOK, ctrl )
503 && off( SMB__OLD_PASSWD, ctrl ))
504 {
505 return PAM_AUTHTOK_RECOVER_ERR;
506 }
507 }
508
509 /*
510 * getting here implies we will have to get the password from the
511 * user directly.
512 */
513
514 /* prepare to converse */
515 if (comment != NULL && off(SMB__QUIET, ctrl)) {
516 pmsg[0] = &msg[0];
517 msg[0].msg_style = PAM_TEXT_INFO;
518 msg[0].msg = comment;
519 i = 1;
520 } else {
521 i = 0;
522 }
523
524 pmsg[i] = &msg[i];
525 msg[i].msg_style = PAM_PROMPT_ECHO_OFF;
526 msg[i++].msg = prompt1;
527
528 if (prompt2 != NULL) {
529 pmsg[i] = &msg[i];
530 msg[i].msg_style = PAM_PROMPT_ECHO_OFF;
531 msg[i++].msg = prompt2;
532 expect = 2;
533 } else
534 expect = 1;
535
536 resp = NULL;
537
538 retval = converse( pamh, ctrl, i, pmsg, &resp );
539
540 if (resp != NULL) {
541 int j = comment ? 1 : 0;
542 /* interpret the response */
543
544 if (retval == PAM_SUCCESS) { /* a good conversation */
545
546 token = smbpXstrDup(resp[j++].resp);
547 if (token != NULL) {
548 if (expect == 2) {
549 /* verify that password entered correctly */
550 if (!resp[j].resp || strcmp( token, resp[j].resp )) {
551 _pam_delete( token );
552 retval = PAM_AUTHTOK_RECOVER_ERR;
553 make_remark( pamh, ctrl, PAM_ERROR_MSG
554 , MISTYPED_PASS );
555 }
556 }
557 } else {
558 _log_err(LOG_NOTICE, "could not recover authentication token");
559 }
560 }
561
562 /* tidy up */
563 _pam_drop_reply( resp, expect );
564
565 } else {
566 retval = (retval == PAM_SUCCESS) ? PAM_AUTHTOK_RECOVER_ERR : retval;
567 }
568
569 if (retval != PAM_SUCCESS) {
570 if (on( SMB_DEBUG, ctrl ))
571 _log_err( LOG_DEBUG, "unable to obtain a password" );
572 return retval;
573 }
574 /* 'token' is the entered password */
575
576 if (off( SMB_NOT_SET_PASS, ctrl )) {
577
578 /* we store this password as an item */
579
580 retval = pam_set_item( pamh, authtok_flag, (const void *)token );
581 _pam_delete( token ); /* clean it up */
582 if (retval != PAM_SUCCESS
583 || (retval = pam_get_item( pamh, authtok_flag
584 ,(const void **)&item )) != PAM_SUCCESS)
585 {
586 _log_err( LOG_CRIT, "error manipulating password" );
587 return retval;
588 }
589 } else {
590 /*
591 * then store it as data specific to this module. pam_end()
592 * will arrange to clean it up.
593 */
594
595 retval = pam_set_data( pamh, data_name, (void *) token, _cleanup );
596 if (retval != PAM_SUCCESS
597 || (retval = pam_get_data( pamh, data_name, (const void **)&item ))
598 != PAM_SUCCESS)
599 {
600 _log_err( LOG_CRIT, "error manipulating password data [%s]"
601 , pam_strerror( pamh, retval ));
602 _pam_delete( token );
603 item = NULL;
604 return retval;
605 }
606 token = NULL; /* break link to password */
607 }
608
609 *pass = item;
610 item = NULL; /* break link to password */
611
612 return PAM_SUCCESS;
613 }
614
615 int _pam_smb_approve_pass(pam_handle_t * pamh,
616 unsigned int ctrl,
617 const char *pass_old,
618 const char *pass_new )
619 {
620
621 /* Further checks should be handled through module stacking. -SRL */
622 if (pass_new == NULL || (pass_old && !strcmp( pass_old, pass_new )))
623 {
624 if (on(SMB_DEBUG, ctrl)) {
625 _log_err( LOG_DEBUG,
626 "passwd: bad authentication token (null or unchanged)" );
627 }
628 make_remark( pamh, ctrl, PAM_ERROR_MSG, pass_new == NULL ?
629 "No password supplied" : "Password unchanged" );
630 return PAM_AUTHTOK_ERR;
631 }
632
633 return PAM_SUCCESS;
634 }
Samba GIT mirror