From 1bdbf53a2a3fda4108634267acf4b801867e50be Mon Sep 17 00:00:00 2001
From: Seraphim Mellos
Date: Sun, 15 Jun 2008 11:36:46 +0300
Subject: Started work on Makefiles
---
 Make.defs | 13 ++
 Makefile | 2 +
 modules/pam_nologin/pam_nologin.c | 0
 modules/pam_rootok/pam_rootok.c | 0
 modules/pam_securetty/pam_securetty.c | 0
 modules/pam_shells/pam_shells.c | 0
 modules/pam_unix/Makefile | 42 ++++++
 modules/pam_unix/Makefile~ | 41 ++++++
 modules/pam_unix/pam_unix.c | 257 ++++++++++++++++++++++++++++++++++
 modules/pam_unix/pam_unix.c~ | 257 ++++++++++++++++++++++++++++++++++
 modules/pam_wheel/pam_wheel.c | 0
 src/pam_nologin/pam_nologin.c | 0
 src/pam_rootok/pam_rootok.c | 0
 src/pam_securetty/pam_securetty.c | 0
 src/pam_shells/pam_shells.c | 0
 src/pam_unix/pam_unix.c | 257 ----------------------------------
 src/pam_unix/pam_unix.c~ | 249 --------------------------------
 src/pam_wheel/pam_wheel.c | 0
 18 files changed, 612 insertions(+), 506 deletions(-)
 create mode 100644 Make.defs
 create mode 100644 Makefile
 create mode 100644 modules/pam_nologin/pam_nologin.c
 create mode 100644 modules/pam_rootok/pam_rootok.c
 create mode 100644 modules/pam_securetty/pam_securetty.c
 create mode 100644 modules/pam_shells/pam_shells.c
 create mode 100644 modules/pam_unix/Makefile
 create mode 100644 modules/pam_unix/Makefile~
 create mode 100644 modules/pam_unix/pam_unix.c
 create mode 100644 modules/pam_unix/pam_unix.c~
 create mode 100644 modules/pam_wheel/pam_wheel.c
 delete mode 100644 src/pam_nologin/pam_nologin.c
 delete mode 100644 src/pam_rootok/pam_rootok.c
 delete mode 100644 src/pam_securetty/pam_securetty.c
 delete mode 100644 src/pam_shells/pam_shells.c
 delete mode 100644 src/pam_unix/pam_unix.c
 delete mode 100644 src/pam_unix/pam_unix.c~
 delete mode 100644 src/pam_wheel/pam_wheel.c
diff --git a/Make.defs b/Make.defs
new file mode 100644
index 0000000..cb36475
--- /dev/null
+++ b/Make.defs
@@ -0,0 +1,13 @@
+#
+## Copyright (c) 2008 by Seraphim Mellos. See LICENSE.
+#
+
+CC = gcc
+LD = $(CC)
+RM = rm -f
+MKDIR = mkdir -p
+INSTALL = install -c
+CFLAGS = -Wall -c -g -fPIC -I../../include -I/opt/local/include -O2
+LDFLAGS = --shared -L/opt/local/lib -Wl,$(LINKEROPTS)
+LINKEROPTS =
+LDLIBS = -lpam -lcrypt
diff --git a/Makefile b/Makefile
new file mode 100644
index 0000000..9b34d2b
--- /dev/null
+++ b/Makefile
@@ -0,0 +1,2 @@
+all install clean:
+ $(MAKE) -C modules $@
diff --git a/modules/pam_nologin/pam_nologin.c b/modules/pam_nologin/pam_nologin.c
new file mode 100644
index 0000000..e69de29
diff --git a/modules/pam_rootok/pam_rootok.c b/modules/pam_rootok/pam_rootok.c
new file mode 100644
index 0000000..e69de29
diff --git a/modules/pam_securetty/pam_securetty.c b/modules/pam_securetty/pam_securetty.c
new file mode 100644
index 0000000..e69de29
diff --git a/modules/pam_shells/pam_shells.c b/modules/pam_shells/pam_shells.c
new file mode 100644
index 0000000..e69de29
diff --git a/modules/pam_unix/Makefile b/modules/pam_unix/Makefile
new file mode 100644
index 0000000..314c0e0
--- /dev/null
+++ b/modules/pam_unix/Makefile
@@ -0,0 +1,42 @@
+#
+## Copyright (c) 2008 by Seraphim Mellos. See LICENSE.
+#
+
+include ../../Make.defs
+
+TITLE = pam_unix
+PAM_SO_SUFFIX =
+LIBSHARED = $(TITLE).so$(PAM_SO_SUFFIX)
+SHLIBMODE = 755
+MAN8 = $(TITLE).8
+MANMODE = 644
+#SECUREDIR = /lib/security
+#MANDIR = /usr/share/man
+#DESTDIR =
+
+
+
+PROJ = $(LIBSHARED)
+OBJS = pam_unix.c
+
+all:
+ case "`uname -s`" in \
+ Linux) $(MAKE) -I$(INCDIR) CFLAGS="$(CFLAGS) -DHAVE_SHADOW" \
+ -L$(LDDIR) LDFLAGS="$(LDFLAGS)" LDLIBS="$(LDLIBS)" \
+ $(PROJ);;\
+ FreeBSD) echo "Not yet supported.";;\
+ *) echo "OS not supported.";;\
+ esac
+
+$(LIBSHARED): $(OBJS) $(MAP)
+ $(LD) $(LDFLAGS) $(OBJS) $(LDLIBS) -o $(LIBSHARED)
+
+.c.o:
+ $(CC) $(CFLAGS) -c $*.c
+
+
+clean:
+ $(RM) $(PROJ) *.o
+
+
+
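Review bot: CFLAGS carries `-c` although the `.c.o` rule in modules/pam_unix/Makefile already passes `-c`, and LDFLAGS always expands to `-Wl,$(LINKEROPTS)` even when LINKEROPTS is empty, leaving a bare `-Wl,` on every link line; probably harmless today, but fragile, so I would drop `-c` here and only append `$(LINKEROPTS)` when it is set. Because everything built from Make.defs is a PAM module that gets loaded into privileged processes (login, su, sshd), this is also the one place to add `-fstack-protector` to CFLAGS and `-Wl,-z,relro -Wl,-z,now` to LDFLAGS so all modules inherit them. The `/opt/local` include and lib paths look MacPorts-specific and would be better left to the per-host LINKEROPTS/CFLAGS override than hard-wired into the shared defaults.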
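Review bot: `$(MAKE) -C modules $@` recurses into modules/, but the diffstat of this commit adds no modules/Makefile, so `make all` at the top level fails unless that file already exists outside the commit; either add a `modules/Makefile` that iterates over the module directories or recurse directly, e.g. `$(MAKE) -C modules/pam_unix $@`. `install` is forwarded as well, yet modules/pam_unix/Makefile in the same commit defines no install target, so that invocation would also fail.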
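Review bot: `OBJS = pam_unix.c` lists the source instead of the object, so the `.c.o` suffix rule is never used and `$(LIBSHARED)` hands the .c file straight to `$(LD) $(LDFLAGS) $(OBJS) $(LDLIBS)`, where `$(CFLAGS)` — and with it `-Wall`, `-I../../include` and the `-DHAVE_SHADOW` the `all` target passes down — is never applied; `OBJS = pam_unix.o` fixes that. `$(INCDIR)`, `$(LDDIR)` and `$(MAP)` are not defined anywhere in the commit, so the sub-make line expands to a bare `make -I ... -L ...`, and since make's `-I` takes the following word as its argument it probably swallows `CFLAGS="..."` — drop those or define them in Make.defs. SHLIBMODE, MANMODE and MAN8 are set but nothing consumes them because there is no install target yet.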
diff --git a/modules/pam_unix/Makefile~ b/modules/pam_unix/Makefile~
new file mode 100644
index 0000000..1d449ed
--- /dev/null
+++ b/modules/pam_unix/Makefile~
@@ -0,0 +1,41 @@
+#
+## Copyright (c) 2008 by Seraphim Mellos. See LICENSE.
+#
+
+include ../../Makefile
+TITLE = pam_unix
+PAM_SO_SUFFIX =
+LIBSHARED = $(TITLE).so$(PAM_SO_SUFFIX)
+SHLIBMODE = 755
+MAN8 = $(TITLE).8
+MANMODE = 644
+#SECUREDIR = /lib/security
+#MANDIR = /usr/share/man
+#DESTDIR =
+
+
+
+PROJ = $(LIBSHARED)
+OBJS = pam_unix.c
+
+all:
+ case "`uname -s`" in \
+ Linux) $(MAKE) -I$(INCDIR) CFLAGS="$(CFLAGS) -DHAVE_SHADOW" \
+ -L$(LDDIR) LDFLAGS="$(LDFLAGS)" LDLIBS="$(LDLIBS)" \
+ $(PROJ);;\
+ FreeBSD) echo "Not yet supported.";;\
+ *) echo "OS not supported.";;\
+ esac
+
+$(LIBSHARED): $(OBJS) $(MAP)
+ $(LD) $(LDFLAGS) $(OBJS) $(LDLIBS) -o $(LIBSHARED)
+
+.c.o:
+ $(CC) $(CFLAGS) -c $*.c
+
+
+clean:
+ $(RM) $(PROJ) *.o
+
+
+
diff --git a/modules/pam_unix/pam_unix.c b/modules/pam_unix/pam_unix.c
new file mode 100644
index 0000000..7a8aca3
--- /dev/null
+++ b/modules/pam_unix/pam_unix.c
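Review bot: modules/pam_unix/Makefile~ is an editor backup of the Makefile added in the same commit — it still does `include ../../Makefile` instead of `Make.defs`, which would recurse through the top-level `all install clean` rule — and modules/pam_unix/pam_unix.c~ further down is the same kind of stray copy of the module source. Both should be removed from the tree and `*~` added to a .gitignore, so a stale copy of an authentication module cannot be mistaken for, or packaged as, the real one.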
@@ -0,0 +1,257 @@ +/* #include */ +#include +#include +#include +#include + + +#ifndef MAXHOSTNAMELEN +# define MAXHOSTNAMELEN 256 +#endif + +#define PAM_SM_AUTH +#define PAM_SM_ACCOUNT +#define PAM_PASSWORD + +#ifndef __linux__ +#include +#endif + + +#include +#include +#include + +/* + * User authentication + */ + +PAM_EXTERN int +pam_sm_authenticate(pam_handle_t *pamh, int flags, + int argc , const char **argv ) { + +#ifndef __linux__ + login_cap_t *lc; +#endif + struct spwd *pwd; + const char *pass, *crypt_pass, *user; + int pam_err; + + /* identify user */ + + if (openpam_get_option(pamh, PAM_OPT_AUTH_AS_SELF)) { + PAM_LOG("Authenticating as self."); + pwd = getspnam(getlogin()); + } else { + if ((pam_err = pam_get_user(pamh, &user, NULL)) != PAM_SUCCESS) { + PAM_ERROR("Authenticating with uname %s failed.", user); + return (pam_err); + } + + pwd = getspnam(user); + } + + PAM_LOG("Authenticating user: %s", user); + + /* get password */ + + if (pwd != NULL) { + PAM_LOG("Doing real authentication"); + pass = pwd->sp_pwdp; + if (pass[0] == '\0') { + if (!(flags & PAM_DISALLOW_NULL_AUTHTOK) && + openpam_get_option(pamh, PAM_OPT_NULLOK)){ + PAM_ERROR("Authentication failed. 
Empty passwd not allowed."); + return (PAM_SUCCESS); + } + + pass = "*"; + } +#ifndef __linux__ + lc = login_getpwclass(pwd); +#endif + } else { + PAM_LOG("Doing dummy authentication."); + pass = "*"; +#ifndef __linux__ + lc = login_getpwclass(NULL); +#endif + } + +#ifndef __linux__ + prompt = login_getcapstr(lc, "passwd_prompt", NULL, NULL); + pam_err = pam_get_authtok(pamh, PAM_AUTHTOK, &pass, prompt); + login_close(lc); +#else + pam_err = pam_get_authtok(pamh, PAM_AUTHTOK, (const char **) &pass, NULL); +#endif + PAM_LOG("Got password for user %s", user); + + if (pam_err == PAM_CONV_ERR) + return (pam_err); + if (pam_err != PAM_SUCCESS) + return (PAM_AUTH_ERR); + + /* check shadow */ + + crypt_pass = crypt(pass, pwd->sp_pwdp); + if ( strcmp(crypt_pass, pwd->sp_pwdp) != 0 ) { + PAM_ERROR("Wrong password. Authentication failed."); + pam_err = PAM_AUTH_ERR; + } else { + PAM_LOG("Authentication completed succesfully."); + pam_err = PAM_SUCCESS; + } + + return (pam_err); +} + +PAM_EXTERN int +pam_sm_setcred(pam_handle_t *pamh , int flags , + int argc , const char *argv[] ) { + + /* + * This functions takes care of renewing/initializing + * user credentials as well as gid/uids. Someday, it + * will be completed. For now, it's not very urgent. 
+ */ + + return (PAM_SUCCESS); +} + + +/* + * Account Management + */ + +PAM_EXTERN int +pam_sm_acct_mgmt(pam_handle_t *pamh, int flags , + int argc , const char *argv[] ) { + + + +#ifndef __linux__ + login_cap_t *lc; +#endif + + struct spwd *pwd; + int pam_err; + const char *user; + time_t curtime; + +#ifndef __linux__ + const void *rhost, *tty; + char rhostip[MAXHOSTNAMELEN] = ""; +#endif + + /* Sanity checks for uname,pwd,tty,host etc */ + + pam_err = pam_get_user(pamh, &user, NULL); + + if (pam_err != PAM_SUCCESS) + return (pam_err); + + if (user == NULL || (pwd = getspnam(user)) == NULL) + return (PAM_SERVICE_ERR); +#ifndef __linux__ + + /* + * tty/host info are provided by login classes + * and cannot be used out of the box under Linux + * for sanity checking (BSD only). May need to + * be ported/rewritten to work on Linux as well. + * Time will tell... + */ + pam_err = pam_get_item(pamh, PAM_RHOST, &rhost); + + if (pam_err != PAM_SUCCESS) + return (pam_err); + + pam_err = pam_get_item(pamh, PAM_TTY, &tty); + + if (pam_err != PAM_SUCCESS) + return (pam_err); +#endif + if (*pwd->sp_pwdp == '\0' && + (flags & PAM_DISALLOW_NULL_AUTHTOK) != 0) + return (PAM_NEW_AUTHTOK_REQD); + +#ifndef __linux__ + lc = login_getpwclass(pwd); + + if (lc == NULL) { + return (PAM_SERVICE_ERR); + + } +#endif + /* Check if pw_lstchg or pw_expire is set */ + + if (pwd->sp_lstchg || pwd->sp_expire) + curtime = time(NULL) / (60 * 60 * 24); + if (pwd->sp_expire) { + if ( (curtime > pwd->sp_expire ) && ( pwd->sp_expire != -1 ) ) { +#ifndef __linux__ + login_close(lc); +#endif + return (PAM_ACCT_EXPIRED); + } else if ( ( pwd->sp_expire - curtime < pwd->sp_warn) ) { +// pam_error(pamh, "Warning: your account expires on %s", +// ctime(&pwd->pw_expire)); + } + } + + if (pwd->sp_lstchg == 0 ) { + return (PAM_NEW_AUTHTOK_REQD); + } + + /* check all other possibilities (mostly stolen from pam_tcb) */ + + if ((curtime > (pwd->sp_lstchg + pwd->sp_max + pwd->sp_inact)) && + (pwd->sp_max != -1) && 
(pwd->sp_inact != -1) && + (pwd->sp_lstchg != 0)) + return (PAM_ACCT_EXPIRED); + + if (((pwd->sp_lstchg + pwd->sp_max) < curtime) && + (pwd->sp_max != -1)) + return (PAM_ACCT_EXPIRED); + + if ((curtime - pwd->sp_lstchg > pwd->sp_max) + && (curtime - pwd->sp_lstchg > pwd->sp_inact) + && (curtime - pwd->sp_lstchg > pwd->sp_max + pwd->sp_inact) + && (pwd->sp_max != -1) && (pwd->sp_inact != -1)) + return (PAM_ACCT_EXPIRED); + + pam_err = (PAM_SUCCESS); + +#ifndef __linux__ + + /* validate tty/host/time */ + + if (!auth_hostok(lc, rhost, rhostip) || + !auth_ttyok(lc, tty) || + !auth_timeok(lc, time(NULL))) + pam_err = PAM_AUTH_ERR; + + + login_close(lc); +#endif + + return (pam_err); + +} + +/* + * Password Management + */ + +PAM_EXTERN int +pam_sm_chautok(pam_handle_t *pamh, int flags, + int argc, const char *argv[]) +{ + + + +} + + +PAM_MODULE_ENTRY("pam_unix") diff --git a/modules/pam_unix/pam_unix.c~ b/modules/pam_unix/pam_unix.c~ new file mode 100644 index 0000000..c65ec10 --- /dev/null +++ b/modules/pam_unix/pam_unix.c~ 
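Review bot: `crypt(pass, pwd->sp_pwdp)` in pam_sm_authenticate dereferences pwd unconditionally, but the "Doing dummy authentication" branch just above is entered precisely when pwd is NULL (unknown user, or getspnam() failing because the caller is not root), so that path crashes the calling service instead of returning PAM_AUTH_ERR; crypt() itself may also return NULL for an unusable setting string such as `"*"` or an empty field, and that NULL then reaches strcmp(). The rewrite below keeps the dummy path calling crypt() so it costs the same as a wrong password, then rejects on a NULL pwd or NULL result. Two more points in the same hunk: the nullok branch logs `Authentication failed. Empty passwd not allowed.` and then `return (PAM_SUCCESS);`, so either the message or the return value is wrong, and `user` is read uninitialized both by `PAM_LOG("Authenticating user: %s", user)` in the auth-as-self branch (which also never checks getlogin() for NULL) and by the PAM_ERROR after a failed pam_get_user. Finally, the password-management stub is spelled `pam_sm_chautok` with an empty body, whereas the PAM entry point is `pam_sm_chauthtok` and the feature macro is `PAM_SM_PASSWORD` rather than `PAM_PASSWORD`; falling off the end of a non-void function is undefined behaviour, so the stub should at least `return (PAM_SERVICE_ERR);` until it is implemented.
```c
	/* check shadow */

	/*
	 * Unknown user / no shadow access: still run crypt() so the
	 * failure takes the same path as a wrong password, then reject.
	 */
	crypt_pass = crypt(pass, pwd != NULL ? pwd->sp_pwdp : "*");
	if (pwd == NULL || crypt_pass == NULL ||
	    strcmp(crypt_pass, pwd->sp_pwdp) != 0) {
		PAM_ERROR("Wrong password. Authentication failed.");
		pam_err = PAM_AUTH_ERR;
	} else {
		PAM_LOG("Authentication completed succesfully.");
		pam_err = PAM_SUCCESS;
	}
	/* … unchanged: return (pam_err) … */
```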
@@ -0,0 +1,257 @@ +/* #include */ +#include +#include +#include +#include + + +#ifndef MAXHOSTNAMELEN +# define MAXHOSTNAMELEN 256 +#endif + +#define PAM_SM_AUTH +#define PAM_SM_ACCOUNT +#define PAM_PASSWORD + +#ifndef __linux__ +#include +#endif + + +#include +#include +#include + +/* + * User authentication + */ + +PAM_EXTERN int +pam_sm_authenticate(pam_handle_t *pamh, int flags, + int argc , const char **argv ) { + +#ifndef __linux__ + login_cap_t *lc; +#endif + struct spwd *pwd; + const char *pass, *crypt_pass, *user; + int pam_err; + + /* identify user */ + + if (openpam_get_option(pamh, PAM_OPT_AUTH_AS_SELF)) { + PAM_LOG("Authenticating as self."); + pwd = getspnam(getlogin()); + } else { + if ((pam_err = pam_get_user(pamh, &user, NULL)) != PAM_SUCCESS) { + PAM_ERROR("Authenticating with uname %s failed.", user); + return (pam_err); + } + + pwd = getspnam(user); + } + + PAM_LOG("Authenticating user: %s", user); + + /* get password */ + + if (pwd != NULL) { + PAM_LOG("Doing real authentication"); + pass = pwd->sp_pwdp; + if (pass[0] == '\0') { + if (!(flags & PAM_DISALLOW_NULL_AUTHTOK) && + openpam_get_option(pamh, PAM_OPT_NULLOK)){ + PAM_ERROR("Authentication failed. 
Empty passwd not allowed"); + return (PAM_SUCCESS); + } + + pass = "*"; + } +#ifndef __linux__ + lc = login_getpwclass(pwd); +#endif + } else { + PAM_LOG("Doing dummy authentication"); + pass = "*"; +#ifndef __linux__ + lc = login_getpwclass(NULL); +#endif + } + +#ifndef __linux__ + prompt = login_getcapstr(lc, "passwd_prompt", NULL, NULL); + pam_err = pam_get_authtok(pamh, PAM_AUTHTOK, &pass, prompt); + login_close(lc); +#else + pam_err = pam_get_authtok(pamh, PAM_AUTHTOK, (const char **) &pass, NULL); +#endif + PAM_LOG("Got password for user %s", user); + + if (pam_err == PAM_CONV_ERR) + return (pam_err); + if (pam_err != PAM_SUCCESS) + return (PAM_AUTH_ERR); + + /* check shadow */ + + crypt_pass = crypt(pass, pwd->sp_pwdp); + if ( strcmp(crypt_pass, pwd->sp_pwdp) != 0 ) { + PAM_ERROR("Wrong password. Authentication failed."); + pam_err = PAM_AUTH_ERR; + } else { + PAM_LOG("Authentication completed succesfully"); + pam_err = PAM_SUCCESS; + } + + return (pam_err); +} + +PAM_EXTERN int +pam_sm_setcred(pam_handle_t *pamh , int flags , + int argc , const char *argv[] ) { + + /* + * This functions takes care of renewing/initializing + * user credentials as well as gid/uids. Someday, it + * will be completed. For now, it's not very urgent. 
+ */ + + return (PAM_SUCCESS); +} + + +/* + * Account Management + */ + +PAM_EXTERN int +pam_sm_acct_mgmt(pam_handle_t *pamh, int flags , + int argc , const char *argv[] ) { + + + +#ifndef __linux__ + login_cap_t *lc; +#endif + + struct spwd *pwd; + int pam_err; + const char *user; + time_t curtime; + +#ifndef __linux__ + const void *rhost, *tty; + char rhostip[MAXHOSTNAMELEN] = ""; +#endif + + /* Sanity checks for uname,pwd,tty,host etc */ + + pam_err = pam_get_user(pamh, &user, NULL); + + if (pam_err != PAM_SUCCESS) + return (pam_err); + + if (user == NULL || (pwd = getspnam(user)) == NULL) + return (PAM_SERVICE_ERR); +#ifndef __linux__ + + /* + * tty/host info are provided by login classes + * and cannot be used out of the box under Linux + * for sanity checking (BSD only). May need to + * be ported/rewritten to work on Linux as well. + * Time will tell... + */ + pam_err = pam_get_item(pamh, PAM_RHOST, &rhost); + + if (pam_err != PAM_SUCCESS) + return (pam_err); + + pam_err = pam_get_item(pamh, PAM_TTY, &tty); + + if (pam_err != PAM_SUCCESS) + return (pam_err); +#endif + if (*pwd->sp_pwdp == '\0' && + (flags & PAM_DISALLOW_NULL_AUTHTOK) != 0) + return (PAM_NEW_AUTHTOK_REQD); + +#ifndef __linux__ + lc = login_getpwclass(pwd); + + if (lc == NULL) { + return (PAM_SERVICE_ERR); + + } +#endif + /* Check if pw_lstchg or pw_expire is set */ + + if (pwd->sp_lstchg || pwd->sp_expire) + curtime = time(NULL) / (60 * 60 * 24); + if (pwd->sp_expire) { + if ( (curtime > pwd->sp_expire ) && ( pwd->sp_expire != -1 ) ) { +#ifndef __linux__ + login_close(lc); +#endif + return (PAM_ACCT_EXPIRED); + } else if ( ( pwd->sp_expire - curtime < pwd->sp_warn) ) { +// pam_error(pamh, "Warning: your account expires on %s", +// ctime(&pwd->pw_expire)); + } + } + + if (pwd->sp_lstchg == 0 ) { + return (PAM_NEW_AUTHTOK_REQD); + } + + /* check all other possibilities (mostly stolen from pam_tcb) */ + + if ((curtime > (pwd->sp_lstchg + pwd->sp_max + pwd->sp_inact)) && + (pwd->sp_max != -1) && 
(pwd->sp_inact != -1) && + (pwd->sp_lstchg != 0)) + return (PAM_ACCT_EXPIRED); + + if (((pwd->sp_lstchg + pwd->sp_max) < curtime) && + (pwd->sp_max != -1)) + return (PAM_ACCT_EXPIRED); + + if ((curtime - pwd->sp_lstchg > pwd->sp_max) + && (curtime - pwd->sp_lstchg > pwd->sp_inact) + && (curtime - pwd->sp_lstchg > pwd->sp_max + pwd->sp_inact) + && (pwd->sp_max != -1) && (pwd->sp_inact != -1)) + return (PAM_ACCT_EXPIRED); + + pam_err = (PAM_SUCCESS); + +#ifndef __linux__ + + /* validate tty/host/time */ + + if (!auth_hostok(lc, rhost, rhostip) || + !auth_ttyok(lc, tty) || + !auth_timeok(lc, time(NULL))) + pam_err = PAM_AUTH_ERR; + + + login_close(lc); +#endif + + return (pam_err); + +} + +/* + * Password Management + */ + +PAM_EXTERN int +pam_sm_chautok(pam_handle_t *pamh, int flags, + int argc, const char *argv[]) +{ + + + +} + + +PAM_MODULE_ENTRY("pam_unix") diff --git a/modules/pam_wheel/pam_wheel.c b/modules/pam_wheel/pam_wheel.c new file mode 100644 index 0000000..e69de29 diff --git a/src/pam_nologin/pam_nologin.c b/src/pam_nologin/pam_nologin.c deleted file mode 100644 index e69de29..0000000 diff --git a/src/pam_rootok/pam_rootok.c b/src/pam_rootok/pam_rootok.c deleted file mode 100644 index e69de29..0000000 diff --git a/src/pam_securetty/pam_securetty.c b/src/pam_securetty/pam_securetty.c deleted file mode 100644 index e69de29..0000000 diff --git a/src/pam_shells/pam_shells.c b/src/pam_shells/pam_shells.c deleted file mode 100644 index e69de29..0000000 diff --git a/src/pam_unix/pam_unix.c b/src/pam_unix/pam_unix.c deleted file mode 100644 index c65ec10..0000000 --- a/src/pam_unix/pam_unix.c +++ /dev/null 
@@ -1,257 +0,0 @@ -/* #include */ -#include -#include -#include -#include - - -#ifndef MAXHOSTNAMELEN -# define MAXHOSTNAMELEN 256 -#endif - -#define PAM_SM_AUTH -#define PAM_SM_ACCOUNT -#define PAM_PASSWORD - -#ifndef __linux__ -#include -#endif - - -#include -#include -#include - -/* - * User authentication - */ - -PAM_EXTERN int -pam_sm_authenticate(pam_handle_t *pamh, int flags, - int argc , const char **argv ) { - -#ifndef __linux__ - login_cap_t *lc; -#endif - struct spwd *pwd; - const char *pass, *crypt_pass, *user; - int pam_err; - - /* identify user */ - - if (openpam_get_option(pamh, PAM_OPT_AUTH_AS_SELF)) { - PAM_LOG("Authenticating as self."); - pwd = getspnam(getlogin()); - } else { - if ((pam_err = pam_get_user(pamh, &user, NULL)) != PAM_SUCCESS) { - PAM_ERROR("Authenticating with uname %s failed.", user); - return (pam_err); - } - - pwd = getspnam(user); - } - - PAM_LOG("Authenticating user: %s", user); - - /* get password */ - - if (pwd != NULL) { - PAM_LOG("Doing real authentication"); - pass = pwd->sp_pwdp; - if (pass[0] == '\0') { - if (!(flags & PAM_DISALLOW_NULL_AUTHTOK) && - openpam_get_option(pamh, PAM_OPT_NULLOK)){ - PAM_ERROR("Authentication failed. 
Empty passwd not allowed"); - return (PAM_SUCCESS); - } - - pass = "*"; - } -#ifndef __linux__ - lc = login_getpwclass(pwd); -#endif - } else { - PAM_LOG("Doing dummy authentication"); - pass = "*"; -#ifndef __linux__ - lc = login_getpwclass(NULL); -#endif - } - -#ifndef __linux__ - prompt = login_getcapstr(lc, "passwd_prompt", NULL, NULL); - pam_err = pam_get_authtok(pamh, PAM_AUTHTOK, &pass, prompt); - login_close(lc); -#else - pam_err = pam_get_authtok(pamh, PAM_AUTHTOK, (const char **) &pass, NULL); -#endif - PAM_LOG("Got password for user %s", user); - - if (pam_err == PAM_CONV_ERR) - return (pam_err); - if (pam_err != PAM_SUCCESS) - return (PAM_AUTH_ERR); - - /* check shadow */ - - crypt_pass = crypt(pass, pwd->sp_pwdp); - if ( strcmp(crypt_pass, pwd->sp_pwdp) != 0 ) { - PAM_ERROR("Wrong password. Authentication failed."); - pam_err = PAM_AUTH_ERR; - } else { - PAM_LOG("Authentication completed succesfully"); - pam_err = PAM_SUCCESS; - } - - return (pam_err); -} - -PAM_EXTERN int -pam_sm_setcred(pam_handle_t *pamh , int flags , - int argc , const char *argv[] ) { - - /* - * This functions takes care of renewing/initializing - * user credentials as well as gid/uids. Someday, it - * will be completed. For now, it's not very urgent. 
- */ - - return (PAM_SUCCESS); -} - - -/* - * Account Management - */ - -PAM_EXTERN int -pam_sm_acct_mgmt(pam_handle_t *pamh, int flags , - int argc , const char *argv[] ) { - - - -#ifndef __linux__ - login_cap_t *lc; -#endif - - struct spwd *pwd; - int pam_err; - const char *user; - time_t curtime; - -#ifndef __linux__ - const void *rhost, *tty; - char rhostip[MAXHOSTNAMELEN] = ""; -#endif - - /* Sanity checks for uname,pwd,tty,host etc */ - - pam_err = pam_get_user(pamh, &user, NULL); - - if (pam_err != PAM_SUCCESS) - return (pam_err); - - if (user == NULL || (pwd = getspnam(user)) == NULL) - return (PAM_SERVICE_ERR); -#ifndef __linux__ - - /* - * tty/host info are provided by login classes - * and cannot be used out of the box under Linux - * for sanity checking (BSD only). May need to - * be ported/rewritten to work on Linux as well. - * Time will tell... - */ - pam_err = pam_get_item(pamh, PAM_RHOST, &rhost); - - if (pam_err != PAM_SUCCESS) - return (pam_err); - - pam_err = pam_get_item(pamh, PAM_TTY, &tty); - - if (pam_err != PAM_SUCCESS) - return (pam_err); -#endif - if (*pwd->sp_pwdp == '\0' && - (flags & PAM_DISALLOW_NULL_AUTHTOK) != 0) - return (PAM_NEW_AUTHTOK_REQD); - -#ifndef __linux__ - lc = login_getpwclass(pwd); - - if (lc == NULL) { - return (PAM_SERVICE_ERR); - - } -#endif - /* Check if pw_lstchg or pw_expire is set */ - - if (pwd->sp_lstchg || pwd->sp_expire) - curtime = time(NULL) / (60 * 60 * 24); - if (pwd->sp_expire) { - if ( (curtime > pwd->sp_expire ) && ( pwd->sp_expire != -1 ) ) { -#ifndef __linux__ - login_close(lc); -#endif - return (PAM_ACCT_EXPIRED); - } else if ( ( pwd->sp_expire - curtime < pwd->sp_warn) ) { -// pam_error(pamh, "Warning: your account expires on %s", -// ctime(&pwd->pw_expire)); - } - } - - if (pwd->sp_lstchg == 0 ) { - return (PAM_NEW_AUTHTOK_REQD); - } - - /* check all other possibilities (mostly stolen from pam_tcb) */ - - if ((curtime > (pwd->sp_lstchg + pwd->sp_max + pwd->sp_inact)) && - (pwd->sp_max != -1) && 
(pwd->sp_inact != -1) && - (pwd->sp_lstchg != 0)) - return (PAM_ACCT_EXPIRED); - - if (((pwd->sp_lstchg + pwd->sp_max) < curtime) && - (pwd->sp_max != -1)) - return (PAM_ACCT_EXPIRED); - - if ((curtime - pwd->sp_lstchg > pwd->sp_max) - && (curtime - pwd->sp_lstchg > pwd->sp_inact) - && (curtime - pwd->sp_lstchg > pwd->sp_max + pwd->sp_inact) - && (pwd->sp_max != -1) && (pwd->sp_inact != -1)) - return (PAM_ACCT_EXPIRED); - - pam_err = (PAM_SUCCESS); - -#ifndef __linux__ - - /* validate tty/host/time */ - - if (!auth_hostok(lc, rhost, rhostip) || - !auth_ttyok(lc, tty) || - !auth_timeok(lc, time(NULL))) - pam_err = PAM_AUTH_ERR; - - - login_close(lc); -#endif - - return (pam_err); - -} - -/* - * Password Management - */ - -PAM_EXTERN int -pam_sm_chautok(pam_handle_t *pamh, int flags, - int argc, const char *argv[]) -{ - - - -} - - -PAM_MODULE_ENTRY("pam_unix") diff --git a/src/pam_unix/pam_unix.c~ b/src/pam_unix/pam_unix.c~ deleted file mode 100644 index c5215b9..0000000 --- a/src/pam_unix/pam_unix.c~ +++ /dev/null 
@@ -1,249 +0,0 @@ -/* #include */ -#include -#include -#include -#include - - -#ifndef MAXHOSTNAMELEN -# define MAXHOSTNAMELEN 256 -#endif - -#define PAM_SM_AUTH -#define PAM_SM_ACCOUNT -#define PAM_PASSWORD - -#ifndef __linux__ -#include -#endif - - -#include -#include -#include - -/* - * User authentication - */ - -PAM_EXTERN int -pam_sm_authenticate(pam_handle_t *pamh, int flags, - int argc , const char **argv ) { - -#ifndef __linux__ - login_cap_t *lc; -#endif - struct spwd *pwd; - const char *pass, *crypt_pass, *user; - int pam_err; - - /* identify user */ - - if (openpam_get_option(pamh, PAM_OPT_AUTH_AS_SELF)) { - puts("POULOS1"); - PAM_LOG("Authenticating as self"); - pwd = getspnam(getlogin()); - } else { - if ((pam_err = pam_get_user(pamh, &user, NULL)) != PAM_SUCCESS) { - puts("POULOS2"); - PAM_LOG("Authenticating with uname failed"); - return (pam_err); - } - - pwd = getspnam(user); - } - puts("POULOS3"); - /* get password */ - - if (pwd != NULL) { - pass = pwd->sp_pwdp; - if (pass[0] == '\0') { - if (!(flags & PAM_DISALLOW_NULL_AUTHTOK) && - openpam_get_option(pamh, PAM_OPT_NULLOK)) - return (PAM_SUCCESS); - - pass = "*"; - } -#ifndef __linux__ - lc = login_getpwclass(pwd); -#endif - } else { - pass = "*"; -#ifndef __linux__ - lc = login_getpwclass(NULL); -#endif - } - -#ifndef __linux__ - prompt = login_getcapstr(lc, "passwd_prompt", NULL, NULL); - pam_err = pam_get_authtok(pamh, PAM_AUTHTOK, &pass, prompt); - login_close(lc); -#else - pam_err = pam_get_authtok(pamh, PAM_AUTHTOK, (const char **) &pass, NULL); -#endif - - if (pam_err == PAM_CONV_ERR) - return (pam_err); - if (pam_err != PAM_SUCCESS) - return (PAM_AUTH_ERR); - - /* check shadow */ - - crypt_pass = crypt(pass, pwd->sp_pwdp); - if ( strcmp(crypt_pass, pwd->sp_pwdp) != 0 ) - pam_err = PAM_AUTH_ERR; - else - pam_err = PAM_SUCCESS; - - return (pam_err); -} - -PAM_EXTERN int -pam_sm_setcred(pam_handle_t *pamh , int flags , - int argc , const char *argv[] ) { - - /* - * This functions takes 
care of renewing/initializing - * user credentials as well as gid/uids. Someday, it - * will be completed. For now, it's not very urgent. - */ - - return (PAM_SUCCESS); -} - - -/* - * Account Management - */ - -PAM_EXTERN int -pam_sm_acct_mgmt(pam_handle_t *pamh, int flags , - int argc , const char *argv[] ) { - - - -#ifndef __linux__ - login_cap_t *lc; -#endif - - struct spwd *pwd; - int pam_err; - const char *user; - time_t curtime; - -#ifndef __linux__ - const void *rhost, *tty; - char rhostip[MAXHOSTNAMELEN] = ""; -#endif - - /* Sanity checks for uname,pwd,tty,host etc */ - - pam_err = pam_get_user(pamh, &user, NULL); - - if (pam_err != PAM_SUCCESS) - return (pam_err); - - if (user == NULL || (pwd = getspnam(user)) == NULL) - return (PAM_SERVICE_ERR); -#ifndef __linux__ - - /* - * tty/host info are provided by login classes - * and cannot be used out of the box under Linux - * for sanity checking (BSD only). May need to - * be ported/rewritten to work on Linux as well. - * Time will tell... 
- */ - pam_err = pam_get_item(pamh, PAM_RHOST, &rhost); - - if (pam_err != PAM_SUCCESS) - return (pam_err); - - pam_err = pam_get_item(pamh, PAM_TTY, &tty); - - if (pam_err != PAM_SUCCESS) - return (pam_err); -#endif - if (*pwd->sp_pwdp == '\0' && - (flags & PAM_DISALLOW_NULL_AUTHTOK) != 0) - return (PAM_NEW_AUTHTOK_REQD); - -#ifndef __linux__ - lc = login_getpwclass(pwd); - - if (lc == NULL) { - return (PAM_SERVICE_ERR); - - } -#endif - /* Check if pw_lstchg or pw_expire is set */ - - if (pwd->sp_lstchg || pwd->sp_expire) - curtime = time(NULL) / (60 * 60 * 24); - if (pwd->sp_expire) { - if ( (curtime > pwd->sp_expire ) && ( pwd->sp_expire != -1 ) ) { -#ifndef __linux__ - login_close(lc); -#endif - return (PAM_ACCT_EXPIRED); - } else if ( ( pwd->sp_expire - curtime < pwd->sp_warn) ) { -// pam_error(pamh, "Warning: your account expires on %s", -// ctime(&pwd->pw_expire)); - } - } - - if (pwd->sp_lstchg == 0 ) { - return (PAM_NEW_AUTHTOK_REQD); - } - - /* check all other possibilities (mostly stolen from pam_tcb) */ - - if ((curtime > (pwd->sp_lstchg + pwd->sp_max + pwd->sp_inact)) && - (pwd->sp_max != -1) && (pwd->sp_inact != -1) && - (pwd->sp_lstchg != 0)) - return (PAM_ACCT_EXPIRED); - - if (((pwd->sp_lstchg + pwd->sp_max) < curtime) && - (pwd->sp_max != -1)) - return (PAM_ACCT_EXPIRED); - - if ((curtime - pwd->sp_lstchg > pwd->sp_max) - && (curtime - pwd->sp_lstchg > pwd->sp_inact) - && (curtime - pwd->sp_lstchg > pwd->sp_max + pwd->sp_inact) - && (pwd->sp_max != -1) && (pwd->sp_inact != -1)) - return (PAM_ACCT_EXPIRED); - - pam_err = (PAM_SUCCESS); - -#ifndef __linux__ - - /* validate tty/host/time */ - - if (!auth_hostok(lc, rhost, rhostip) || - !auth_ttyok(lc, tty) || - !auth_timeok(lc, time(NULL))) - pam_err = PAM_AUTH_ERR; - - - login_close(lc); -#endif - - return (pam_err); - -} - -/* - * Password Management - */ - -PAM_EXTERN int -pam_sm_chautok(pam_handle_t *pamh, int flags, - int argc, const char *argv[]) -{ - - - -} - - -PAM_MODULE_ENTRY("pam_unix") 
diff --git a/src/pam_wheel/pam_wheel.c b/src/pam_wheel/pam_wheel.c
deleted file mode 100644
index e69de29..0000000
--
cgit v1.2.3-65-gdbad