diff options
Diffstat (limited to 'source4/pam_smbpass/pam_smb_passwd.c')
-rw-r--r-- | source4/pam_smbpass/pam_smb_passwd.c | 330 |
1 files changed, 0 insertions, 330 deletions
diff --git a/source4/pam_smbpass/pam_smb_passwd.c b/source4/pam_smbpass/pam_smb_passwd.c deleted file mode 100644 index 5e6d6060a4..0000000000 --- a/source4/pam_smbpass/pam_smb_passwd.c +++ /dev/null @@ -1,330 +0,0 @@ -/* Unix NT password database implementation, version 0.7.5. - * - * This program is free software; you can redistribute it and/or modify it under - * the terms of the GNU General Public License as published by the Free - * Software Foundation; either version 2 of the License, or (at your option) - * any later version. - * - * This program is distributed in the hope that it will be useful, but WITHOUT - * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or - * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for - * more details. - * - * You should have received a copy of the GNU General Public License along with - * this program; if not, write to the Free Software Foundation, Inc., 675 - * Mass Ave, Cambridge, MA 02139, USA. -*/ - -/* indicate the following groups are defined */ -#define PAM_SM_PASSWORD - -#include "includes.h" - -#ifndef LINUX - -/* This is only used in the Sun implementation. */ -#include <security/pam_appl.h> - -#endif /* LINUX */ - -#include <security/pam_modules.h> - -#include "general.h" - -#include "support.h" - -int smb_update_db( pam_handle_t *pamh, int ctrl, const char *user, const char *pass_new ) -{ - int retval; - pstring err_str; - pstring msg_str; - - err_str[0] = '\0'; - msg_str[0] = '\0'; - - retval = local_password_change( user, 0, pass_new, err_str, sizeof(err_str), - msg_str, sizeof(msg_str) ); - - if (!retval) { - if (*err_str) { - err_str[PSTRING_LEN-1] = '\0'; - make_remark( pamh, ctrl, PAM_ERROR_MSG, err_str ); - } - - /* FIXME: what value is appropriate here? */ - retval = PAM_AUTHTOK_ERR; - } else { - if (*msg_str) { - msg_str[PSTRING_LEN-1] = '\0'; - make_remark( pamh, ctrl, PAM_TEXT_INFO, msg_str ); - } - retval = PAM_SUCCESS; - } - - return retval; - -} - - -/* data tokens */ - -#define _SMB_OLD_AUTHTOK "-SMB-OLD-PASS" -#define _SMB_NEW_AUTHTOK "-SMB-NEW-PASS" - -/* - * FUNCTION: pam_sm_chauthtok() - * - * This function is called twice by the PAM library, once with - * PAM_PRELIM_CHECK set, and then again with PAM_UPDATE_AUTHTOK set. With - * Linux-PAM, these two passes generally involve first checking the old - * token and then changing the token. This is what we do here. - * - * Having obtained a new password. The function updates the - * SMB_PASSWD_FILE file (normally, $(LIBDIR)/smbpasswd). - */ - -int pam_sm_chauthtok(pam_handle_t *pamh, int flags, - int argc, const char **argv) -{ - unsigned int ctrl; - int retval; - - extern BOOL in_client; - - SAM_ACCOUNT *sampass = NULL; - const char *user; - char *pass_old; - char *pass_new; - - NTSTATUS nt_status; - - /* Samba initialization. */ - setup_logging( "pam_smbpass", DEBUG_FILE ); - in_client = True; - - ctrl = set_ctrl(flags, argc, argv); - - /* - * First get the name of a user. No need to do anything if we can't - * determine this. - */ - - retval = pam_get_user( pamh, &user, "Username: " ); - if (retval != PAM_SUCCESS) { - if (on( SMB_DEBUG, ctrl )) { - _log_err( LOG_DEBUG, "password: could not identify user" ); - } - return retval; - } - if (on( SMB_DEBUG, ctrl )) { - _log_err( LOG_DEBUG, "username [%s] obtained", user ); - } - - if (!initialize_password_db(True)) { - _log_err( LOG_ALERT, "Cannot access samba password database" ); - return PAM_AUTHINFO_UNAVAIL; - } - - /* obtain user record */ - if (!NT_STATUS_IS_OK(nt_status = pdb_init_sam(&sampass))) { - return nt_status_to_pam(nt_status); - } - - if (!pdb_getsampwnam(sampass,user)) { - _log_err( LOG_ALERT, "Failed to find entry for user %s.", user ); - return PAM_USER_UNKNOWN; - } - - if (flags & PAM_PRELIM_CHECK) { - /* - * obtain and verify the current password (OLDAUTHTOK) for - * the user. - */ - - char *Announce; - - if (_smb_blankpasswd( ctrl, sampass )) { - - pdb_free_sam(&sampass); - return PAM_SUCCESS; - } - - /* Password change by root, or for an expired token, doesn't - require authentication. Is this a good choice? */ - if (getuid() != 0 && !(flags & PAM_CHANGE_EXPIRED_AUTHTOK)) { - - /* tell user what is happening */ -#define greeting "Changing password for " - Announce = (char *) malloc(sizeof(greeting)+strlen(user)); - if (Announce == NULL) { - _log_err(LOG_CRIT, "password: out of memory"); - pdb_free_sam(&sampass); - return PAM_BUF_ERR; - } - strncpy( Announce, greeting, sizeof(greeting) ); - strncpy( Announce+sizeof(greeting)-1, user, strlen(user)+1 ); -#undef greeting - - set( SMB__OLD_PASSWD, ctrl ); - retval = _smb_read_password( pamh, ctrl, Announce, "Current SMB password: ", - NULL, _SMB_OLD_AUTHTOK, &pass_old ); - SAFE_FREE( Announce ); - - if (retval != PAM_SUCCESS) { - _log_err( LOG_NOTICE - , "password - (old) token not obtained" ); - pdb_free_sam(&sampass); - return retval; - } - - /* verify that this is the password for this user */ - - retval = _smb_verify_password( pamh, sampass, pass_old, ctrl ); - - } else { - pass_old = NULL; - retval = PAM_SUCCESS; /* root doesn't have to */ - } - - pass_old = NULL; - pdb_free_sam(&sampass); - return retval; - - } else if (flags & PAM_UPDATE_AUTHTOK) { - -#if 0 - /* We used to return when this flag was set, but that breaks - password synchronization when /other/ tokens are expired. For - now, we change the password whenever we're asked. SRL */ - if (flags & PAM_CHANGE_EXPIRED_AUTHTOK) { - pdb_free_sam(&sampass); - return PAM_SUCCESS; - } -#endif - /* - * obtain the proposed password - */ - - /* - * get the old token back. NULL was ok only if root [at this - * point we assume that this has already been enforced on a - * previous call to this function]. - */ - - if (off( SMB_NOT_SET_PASS, ctrl )) { - retval = pam_get_item( pamh, PAM_OLDAUTHTOK, - (const void **)&pass_old ); - } else { - retval = pam_get_data( pamh, _SMB_OLD_AUTHTOK, - (const void **)&pass_old ); - if (retval == PAM_NO_MODULE_DATA) { - pass_old = NULL; - retval = PAM_SUCCESS; - } - } - - if (retval != PAM_SUCCESS) { - _log_err( LOG_NOTICE, "password: user not authenticated" ); - pdb_free_sam(&sampass); - return retval; - } - - /* - * use_authtok is to force the use of a previously entered - * password -- needed for pluggable password strength checking - * or other module stacking - */ - - if (on( SMB_USE_AUTHTOK, ctrl )) { - set( SMB_USE_FIRST_PASS, ctrl ); - } - - retval = _smb_read_password( pamh, ctrl - , NULL - , "Enter new SMB password: " - , "Retype new SMB password: " - , _SMB_NEW_AUTHTOK - , &pass_new ); - - if (retval != PAM_SUCCESS) { - if (on( SMB_DEBUG, ctrl )) { - _log_err( LOG_ALERT - , "password: new password not obtained" ); - } - pass_old = NULL; /* tidy up */ - pdb_free_sam(&sampass); - return retval; - } - - /* - * At this point we know who the user is and what they - * propose as their new password. Verify that the new - * password is acceptable. - */ - - if (pass_new[0] == '\0') { /* "\0" password = NULL */ - pass_new = NULL; - } - - retval = _pam_smb_approve_pass(pamh, ctrl, pass_old, pass_new); - - if (retval != PAM_SUCCESS) { - _log_err(LOG_NOTICE, "new password not acceptable"); - pass_new = pass_old = NULL; /* tidy up */ - pdb_free_sam(&sampass); - return retval; - } - - /* - * By reaching here we have approved the passwords and must now - * rebuild the smb password file. - */ - - /* update the password database */ - - retval = smb_update_db(pamh, ctrl, user, pass_new); - if (retval == PAM_SUCCESS) { - /* password updated */ - _log_err( LOG_NOTICE, "password for (%s/%d) changed by (%s/%d)" - , user, pdb_get_uid(sampass), uidtoname( getuid() ) - , getuid() ); - } else { - _log_err( LOG_ERR, "password change failed for user %s" - , user ); - } - - pass_old = pass_new = NULL; - if (sampass) { - pdb_free_sam(&sampass); - sampass = NULL; - } - - } else { /* something has broken with the library */ - - _log_err( LOG_ALERT, "password received unknown request" ); - retval = PAM_ABORT; - - } - - if (sampass) { - pdb_free_sam(&sampass); - sampass = NULL; - } - - pdb_free_sam(&sampass); - return retval; -} - -/* static module data */ -#ifdef PAM_STATIC -struct pam_module _pam_smbpass_passwd_modstruct = { - "pam_smbpass", - NULL, - NULL, - NULL, - NULL, - NULL, - pam_sm_chauthtok -}; -#endif - |