2 * Copyright (c) 2002-2003 Networks Associates Technology, Inc.
3 * Copyright (c) 2004-2007 Dag-Erling Smørgrav
6 * This software was developed for the FreeBSD Project by ThinkSec AS and
7 * Network Associates Laboratories, the Security Research Division of
8 * Network Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035
9 * ("CBOSS"), as part of the DARPA CHATS research program.
11 * Redistribution and use in source and binary forms, with or without
12 * modification, are permitted provided that the following conditions
14 * 1. Redistributions of source code must retain the above copyright
15 * notice, this list of conditions and the following disclaimer.
16 * 2. Redistributions in binary form must reproduce the above copyright
17 * notice, this list of conditions and the following disclaimer in the
18 * documentation and/or other materials provided with the distribution.
19 * 3. The name of the author may not be used to endorse or promote
20 * products derived from this software without specific prior written
23 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
24 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
25 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
26 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
27 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
28 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
29 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
30 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
31 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
32 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
35 * $Id: pam_get_authtok.c 408 2007-12-21 11:36:24Z des $
38 #include <sys/param.h>
43 #include <security/pam_appl.h>
44 #include <security/openpam.h>
46 #include "openpam_impl.h"
48 static const char authtok_prompt
[] = "Password:";
49 static const char oldauthtok_prompt
[] = "Old Password:";
50 static const char newauthtok_prompt
[] = "New Password:";
55 * Retrieve authentication token
59 pam_get_authtok(pam_handle_t
*pamh
,
64 const void *oldauthtok
, *prevauthtok
, *promptp
;
65 const char *default_prompt
;
67 int pitem
, r
, style
, twice
;
70 if (pamh
== NULL
|| authtok
== NULL
)
71 RETURNC(PAM_SYSTEM_ERR
);
76 pitem
= PAM_AUTHTOK_PROMPT
;
77 default_prompt
= authtok_prompt
;
78 r
= pam_get_item(pamh
, PAM_OLDAUTHTOK
, &oldauthtok
);
79 if (r
== PAM_SUCCESS
&& oldauthtok
!= NULL
) {
80 default_prompt
= newauthtok_prompt
;
85 pitem
= PAM_OLDAUTHTOK_PROMPT
;
86 default_prompt
= oldauthtok_prompt
;
90 RETURNC(PAM_SYMBOL_ERR
);
92 if (openpam_get_option(pamh
, "try_first_pass") ||
93 openpam_get_option(pamh
, "use_first_pass")) {
94 r
= pam_get_item(pamh
, item
, &prevauthtok
);
95 if (r
== PAM_SUCCESS
&& prevauthtok
!= NULL
) {
96 *authtok
= prevauthtok
;
99 else if (openpam_get_option(pamh
, "use_first_pass"))
100 RETURNC(r
== PAM_SUCCESS
? PAM_AUTH_ERR
: r
);
102 if (prompt
== NULL
) {
103 r
= pam_get_item(pamh
, pitem
, &promptp
);
104 if (r
!= PAM_SUCCESS
|| promptp
== NULL
)
105 prompt
= default_prompt
;
109 style
= openpam_get_option(pamh
, "echo_pass") ?
110 PAM_PROMPT_ECHO_ON
: PAM_PROMPT_ECHO_OFF
;
111 r
= pam_prompt(pamh
, style
, &resp
, "%s", prompt
);
112 if (r
!= PAM_SUCCESS
)
115 r
= pam_prompt(pamh
, style
, &resp2
, "Retype %s", prompt
);
116 if (r
!= PAM_SUCCESS
) {
120 if (strcmp(resp
, resp2
) != 0)
125 RETURNC(PAM_TRY_AGAIN
);
126 r
= pam_set_item(pamh
, item
, resp
);
128 if (r
!= PAM_SUCCESS
)
130 r
= pam_get_item(pamh
, item
, (const void **)authtok
);
145 * The =pam_get_authtok function returns the cached authentication token,
146 * or prompts the user if no token is currently cached.
147 * Either way, a pointer to the authentication token is stored in the
148 * location pointed to by the =authtok argument.
150 * The =item argument must have one of the following values:
153 * Returns the current authentication token, or the new token
154 * when changing authentication tokens.
156 * Returns the previous authentication token when changing
157 * authentication tokens.
159 * The =prompt argument specifies a prompt to use if no token is cached.
160 * If it is =NULL, the =PAM_AUTHTOK_PROMPT or =PAM_OLDAUTHTOK_PROMPT item,
161 * as appropriate, will be used.
162 * If that item is also =NULL, a hardcoded default prompt will be used.
164 * If =item is set to =PAM_AUTHTOK and there is a non-null =PAM_OLDAUTHTOK
165 * item, =pam_get_authtok will ask the user to confirm the new token by
167 * If there is a mismatch, =pam_get_authtok will return =PAM_TRY_AGAIN.