summaryrefslogtreecommitdiff
path: root/source3/passdb
diff options
context:
space:
mode:
authorJeremy Allison <jra@samba.org>2001-04-22 07:20:24 +0000
committerJeremy Allison <jra@samba.org>2001-04-22 07:20:24 +0000
commite277c08631316ccda875a09a67ebb220c495c5a9 (patch)
treeee9941fd02f0d9e551691de1719eb0a2205fb81b /source3/passdb
parent130f31f5713d43ea2f237cfe0fc142a171eeb82f (diff)
downloadsamba-e277c08631316ccda875a09a67ebb220c495c5a9.tar.gz
samba-e277c08631316ccda875a09a67ebb220c495c5a9.tar.bz2
samba-e277c08631316ccda875a09a67ebb220c495c5a9.zip
Commit of a modified version of Andrew Bartlett's patch that removes the
horrid utmp hostname parameter - now uses the client name instead. Also tidies up some of the unencrypted password checking when PAM is compiled in. FIXME ! An pam_accountcheck() is being called even when smb encrypted passwords are negotiated. Is this the correct thing to do when winbindd is running ! This needs *SEVERE* testing.... Jeremy. (This used to be commit 071c799f479dd25efdb9c41745fc8f2beea7b568)
Diffstat (limited to 'source3/passdb')
-rw-r--r--source3/passdb/pampass.c181
-rw-r--r--source3/passdb/pass_check.c19
2 files changed, 101 insertions, 99 deletions
diff --git a/source3/passdb/pampass.c b/source3/passdb/pampass.c
index bf1aca1e2c..e84a045d49 100644
--- a/source3/passdb/pampass.c
+++ b/source3/passdb/pampass.c
@@ -61,8 +61,7 @@ static char *PAM_password;
static BOOL pam_error_handler(pam_handle_t *pamh, int pam_error, char *msg, int dbglvl)
{
- if( pam_error != PAM_SUCCESS)
- {
+ if( pam_error != PAM_SUCCESS) {
DEBUG(dbglvl, ("PAM: %s : %s\n", msg, pam_strerror(pamh, pam_error)));
return False;
}
@@ -87,10 +86,8 @@ static int PAM_conv(int num_msg,
if (!reply)
return PAM_CONV_ERR;
- for (replies = 0; replies < num_msg; replies++)
- {
- switch (msg[replies]->msg_style)
- {
+ for (replies = 0; replies < num_msg; replies++) {
+ switch (msg[replies]->msg_style) {
case PAM_PROMPT_ECHO_ON:
reply[replies].resp_retcode = PAM_SUCCESS;
reply[replies].resp =
@@ -135,58 +132,58 @@ static struct pam_conv PAM_conversation = {
*/
static BOOL proc_pam_end(pam_handle_t *pamh)
{
- int pam_error;
+ int pam_error;
- if( pamh != NULL )
- {
+ if( pamh != NULL ) {
pam_error = pam_end(pamh, 0);
if(pam_error_handler(pamh, pam_error, "End Cleanup Failed", 2) == True) {
DEBUG(4, ("PAM: PAM_END OK.\n"));
- return True;
+ return True;
}
- }
- DEBUG(2,("PAM: not initialised"));
- return False;
+ }
+ DEBUG(2,("PAM: not initialised"));
+ return False;
}
/*
* Start PAM authentication for specified account
*/
-static BOOL proc_pam_start(pam_handle_t **pamh, char *user)
+static BOOL proc_pam_start(pam_handle_t **pamh, char *user, char *rhost)
{
- int pam_error;
- char * rhost;
+ int pam_error;
- DEBUG(4,("PAM: Init user: %s\n", user));
+ DEBUG(4,("PAM: Init user: %s\n", user));
- pam_error = pam_start("samba", user, &PAM_conversation, pamh);
- if( !pam_error_handler(*pamh, pam_error, "Init Failed", 0)) {
- proc_pam_end(*pamh);
- return False;
- }
+ pam_error = pam_start("samba", user, &PAM_conversation, pamh);
+ if( !pam_error_handler(*pamh, pam_error, "Init Failed", 0)) {
+ proc_pam_end(*pamh);
+ return False;
+ }
- rhost = client_name();
- if (strcmp(rhost,"UNKNOWN") == 0)
- rhost = client_addr();
+ if (rhost == NULL) {
+ rhost = client_name();
+ if (strequal(rhost,"UNKNOWN"))
+ rhost = client_addr();
+ }
#ifdef PAM_RHOST
- DEBUG(4,("PAM: setting rhost to: %s\n", rhost));
- pam_error = pam_set_item(*pamh, PAM_RHOST, rhost);
- if(!pam_error_handler(*pamh, pam_error, "set rhost failed", 0)) {
- proc_pam_end(*pamh);
- return False;
- }
+ DEBUG(4,("PAM: setting rhost to: %s\n", rhost));
+ pam_error = pam_set_item(*pamh, PAM_RHOST, rhost);
+ if(!pam_error_handler(*pamh, pam_error, "set rhost failed", 0)) {
+ proc_pam_end(*pamh);
+ return False;
+ }
#endif
#ifdef PAM_TTY
- DEBUG(4,("PAM: setting tty\n"));
- pam_error = pam_set_item(*pamh, PAM_TTY, "samba");
- if (!pam_error_handler(*pamh, pam_error, "set tty failed", 0)) {
- proc_pam_end(*pamh);
- return False;
- }
+ DEBUG(4,("PAM: setting tty\n"));
+ pam_error = pam_set_item(*pamh, PAM_TTY, "samba");
+ if (!pam_error_handler(*pamh, pam_error, "set tty failed", 0)) {
+ proc_pam_end(*pamh);
+ return False;
+ }
#endif
- DEBUG(4,("PAM: Init passed for user: %s\n", user));
- return True;
+ DEBUG(4,("PAM: Init passed for user: %s\n", user));
+ return True;
}
/*
@@ -201,7 +198,7 @@ static BOOL pam_auth(pam_handle_t *pamh, char *user, char *password)
* auth required /lib/security/pam_pwdb.so nullok shadow audit
*/
- DEBUG(4,("PAM: Authenticate User: %s\n", user));
+ DEBUG(4,("PAM: Authenticate User: %s\n", user));
pam_error = pam_authenticate(pamh, PAM_SILENT); /* Can we authenticate user? */
switch( pam_error ){
case PAM_AUTH_ERR:
@@ -243,7 +240,7 @@ static BOOL pam_account(pam_handle_t *pamh, char * user, char * password, BOOL p
{
int pam_error;
- DEBUG(4,("PAM: Account Management for User: %s\n", user));
+ DEBUG(4,("PAM: Account Management for User: %s\n", user));
pam_error = pam_acct_mgmt(pamh, PAM_SILENT); /* Is user account enabled? */
switch( pam_error ) {
case PAM_AUTHTOK_EXPIRED:
@@ -285,7 +282,7 @@ static BOOL pam_account(pam_handle_t *pamh, char * user, char * password, BOOL p
* exporting an AFS cell, be able to /write/ to this cell.
*/
- DEBUG(4,("PAM: Account Management SetCredentials for User: %s\n", user));
+ DEBUG(4,("PAM: Account Management SetCredentials for User: %s\n", user));
pam_error = pam_setcred(pamh, (PAM_ESTABLISH_CRED|PAM_SILENT));
switch( pam_error ) {
case PAM_CRED_UNAVAIL:
@@ -321,49 +318,46 @@ static BOOL pam_account(pam_handle_t *pamh, char * user, char * password, BOOL p
*/
static BOOL proc_pam_session(pam_handle_t *pamh, char *user, char *tty, BOOL flag)
{
- int pam_error;
+ int pam_error;
- PAM_password = NULL;
- PAM_username = user;
+ PAM_password = NULL;
+ PAM_username = user;
#ifdef PAM_TTY
- DEBUG(4,("PAM: tty set to: %s\n", tty));
- pam_error = pam_set_item(pamh, PAM_TTY, tty);
- if (!pam_error_handler(pamh, pam_error, "set tty failed", 0)) {
- proc_pam_end(pamh);
- return False;
- }
+ DEBUG(4,("PAM: tty set to: %s\n", tty));
+ pam_error = pam_set_item(pamh, PAM_TTY, tty);
+ if (!pam_error_handler(pamh, pam_error, "set tty failed", 0)) {
+ proc_pam_end(pamh);
+ return False;
+ }
#endif
- if (flag) {
- pam_error = pam_open_session(pamh, PAM_SILENT);
- if (!pam_error_handler(pamh, pam_error, "session setup failed", 0)) {
- proc_pam_end(pamh);
- return False;
- }
- }
- else
- {
- pam_error = pam_close_session(pamh, PAM_SILENT);
- if (!pam_error_handler(pamh, pam_error, "session close failed", 0)) {
- proc_pam_end(pamh);
- return False;
- }
- }
- return (True);
+ if (flag) {
+ pam_error = pam_open_session(pamh, PAM_SILENT);
+ if (!pam_error_handler(pamh, pam_error, "session setup failed", 0)) {
+ proc_pam_end(pamh);
+ return False;
+ }
+ } else {
+ pam_error = pam_close_session(pamh, PAM_SILENT);
+ if (!pam_error_handler(pamh, pam_error, "session close failed", 0)) {
+ proc_pam_end(pamh);
+ return False;
+ }
+ }
+ return (True);
}
/*
* PAM Externally accessible Session handler
*/
-BOOL pam_session(BOOL flag, const char *in_user, char *tty)
+BOOL pam_session(BOOL flag, const char *in_user, char *tty, char *rhost)
{
pam_handle_t *pamh = NULL;
char * user;
user = malloc(strlen(in_user)+1);
- if ( user == NULL )
- {
+ if ( user == NULL ) {
DEBUG(0, ("PAM: PAM_session Malloc Failed!\n"));
return False;
}
@@ -371,20 +365,16 @@ BOOL pam_session(BOOL flag, const char *in_user, char *tty)
/* This is freed by PAM */
StrnCpy(user, in_user, strlen(in_user)+1);
- if (!proc_pam_start(&pamh, user))
- {
- proc_pam_end(pamh);
- return False;
+ if (!proc_pam_start(&pamh, user, rhost)) {
+ proc_pam_end(pamh);
+ return False;
}
- if (proc_pam_session(pamh, user, tty, flag))
- {
- return proc_pam_end(pamh);
- }
- else
- {
- proc_pam_end(pamh);
- return False;
+ if (proc_pam_session(pamh, user, tty, flag)) {
+ return proc_pam_end(pamh);
+ } else {
+ proc_pam_end(pamh);
+ return False;
}
}
@@ -398,12 +388,10 @@ BOOL pam_accountcheck(char * user)
PAM_username = user;
PAM_password = NULL;
- if( proc_pam_start(&pamh, user))
- {
- if ( pam_account(pamh, user, NULL, False))
- {
- return( proc_pam_end(pamh));
- }
+ if( proc_pam_start(&pamh, user, NULL)) {
+ if ( pam_account(pamh, user, NULL, False)) {
+ return( proc_pam_end(pamh));
+ }
}
DEBUG(0, ("PAM: Account Validation Failed - Rejecting User!\n"));
return( False );
@@ -419,12 +407,9 @@ BOOL pam_passcheck(char * user, char * password)
PAM_username = user;
PAM_password = password;
- if( proc_pam_start(&pamh, user))
- {
- if ( pam_auth(pamh, user, password))
- {
- if ( pam_account(pamh, user, password, True))
- {
+ if( proc_pam_start(&pamh, user, NULL)) {
+ if ( pam_auth(pamh, user, password)) {
+ if ( pam_account(pamh, user, password, True)) {
return( proc_pam_end(pamh));
}
}
@@ -435,8 +420,10 @@ BOOL pam_passcheck(char * user, char * password)
#else
- /* Do *NOT* make this function static. Doing so breaks the compile on gcc */
-
- void pampass_dummy_function( void ) { } /*This stops compiler complaints */
+/* If PAM not used, no PAM restrictions on accounts. */
+ BOOL pam_accountcheck(char * user)
+{
+ return True;
+}
#endif /* WITH_PAM */
diff --git a/source3/passdb/pass_check.c b/source3/passdb/pass_check.c
index 236465bc90..08961e5099 100644
--- a/source3/passdb/pass_check.c
+++ b/source3/passdb/pass_check.c
@@ -681,12 +681,13 @@ the function pointer fn() points to a function to call when a successful
match is found and is used to update the encrypted password file
return True on correct match, False otherwise
****************************************************************************/
+
BOOL pass_check(char *user, char *password, int pwlen, struct passwd *pwd,
BOOL (*fn) (char *, char *))
{
pstring pass2;
int level = lp_passwordlevel();
- struct passwd *pass;
+ struct passwd *pass = NULL;
if (password)
password[pwlen] = 0;
@@ -708,8 +709,20 @@ BOOL pass_check(char *user, char *password, int pwlen, struct passwd *pwd,
pass = Get_Pwnam(user, True);
}
+#ifdef WITH_PAM
+
+ /*
+ * If we're using PAM we want to short-circuit all the
+ * checks below and dive straight into the PAM code.
+ */
+
+ fstrcpy(this_user, user);
+
+ DEBUG(4, ("pass_check: Checking (PAM) password for user %s (l=%d)\n", user, pwlen));
+
+#else /* Not using PAM */
- DEBUG(4, ("Checking password for user %s (l=%d)\n", user, pwlen));
+ DEBUG(4, ("pass_check: Checking password for user %s (l=%d)\n", user, pwlen));
if (!pass) {
DEBUG(3, ("Couldn't find user %s\n", user));
@@ -802,6 +815,8 @@ BOOL pass_check(char *user, char *password, int pwlen, struct passwd *pwd,
}
}
+#endif /* WITH_PAM */
+
/* try it as it came to us */
if (password_check(password)) {
if (fn)