/* Unix NT password database implementation, version 0.6. * * This program is free software; you can redistribute it and/or modify it under * the terms of the GNU General Public License as published by the Free * Software Foundation; either version 3 of the License, or (at your option) * any later version. * * This program is distributed in the hope that it will be useful, but WITHOUT * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for * more details. * * You should have received a copy of the GNU General Public License along with * this program; if not, see <http://www.gnu.org/licenses/>. */ #include "config.h" #include "includes.h" #include "general.h" #include "support.h" #include "secrets.h" #include "../libcli/auth/libcli_auth.h" #if defined(HAVE_SECURITY_PAM_EXT_H) #include <security/pam_ext.h> #elif defined(HAVE_PAM_PAM_EXT_H) #include <pam/pam_ext.h> #endif #if defined(HAVE_SECURITY__PAM_MACROS_H) #include <security/_pam_macros.h> #elif defined(HAVE_PAM__PAM_MACROS_H) #include <pam/_pam_macros.h> #endif #ifdef HAVE_SYSLOG_H #include <syslog.h> #endif #define _pam_overwrite(x) \ do { \ register char *__xx__; \ if ((__xx__=(x))) \ while (*__xx__) \ *__xx__++ = '\0'; \ } while (0) /* * Don't just free it, forget it too. */ #define _pam_drop(X) \ do { \ if (X) { \ free(X); \ X=NULL; \ } \ } while (0) #define _pam_drop_reply(/* struct pam_response * */ reply, /* int */ replies) \ do { \ int reply_i; \ \ for (reply_i=0; reply_i<replies; ++reply_i) { \ if (reply[reply_i].resp) { \ _pam_overwrite(reply[reply_i].resp); \ free(reply[reply_i].resp); \ } \ } \ if (reply) \ free(reply); \ } while (0) int converse(pam_handle_t *, int, int, struct pam_message **, struct pam_response **); int make_remark(pam_handle_t *, unsigned int, int, const char *); void _cleanup(pam_handle_t *, void *, int); char *_pam_delete(register char *); /* syslogging function for errors and other information */ #ifdef HAVE_PAM_VSYSLOG void _log_err( pam_handle_t *pamh, int err, const char *format, ... ) { va_list args; va_start(args, format); pam_vsyslog(pamh, err, format, args); va_end(args); } #else void _log_err( pam_handle_t *pamh, int err, const char *format, ... ) { va_list args; const char tag[] = "(pam_smbpass) "; char *mod_format; mod_format = SMB_MALLOC_ARRAY(char, sizeof(tag) + strlen(format)); /* try really, really hard to log something, since this may have been a message about a malloc() failure... */ if (mod_format == NULL) { va_start(args, format); vsyslog(err | LOG_AUTH, format, args); va_end(args); return; } strncpy(mod_format, tag, strlen(tag)+1); strlcat(mod_format, format, strlen(format)+1); va_start(args, format); vsyslog(err | LOG_AUTH, mod_format, args); va_end(args); free(mod_format); } #endif /* this is a front-end for module-application conversations */ int converse( pam_handle_t * pamh, int ctrl, int nargs , struct pam_message **message , struct pam_response **response ) { int retval; struct pam_conv *conv; retval = _pam_get_item(pamh, PAM_CONV, &conv); if (retval == PAM_SUCCESS) { retval = conv->conv(nargs, (const struct pam_message **) message ,response, conv->appdata_ptr); if (retval != PAM_SUCCESS && on(SMB_DEBUG, ctrl)) { _log_err(pamh, LOG_DEBUG, "conversation failure [%s]" ,pam_strerror(pamh, retval)); } } else { _log_err(pamh, LOG_ERR, "couldn't obtain coversation function [%s]" ,pam_strerror(pamh, retval)); } return retval; /* propagate error status */ } int make_remark( pam_handle_t * pamh, unsigned int ctrl , int type, const char *text ) { if (off(SMB__QUIET, ctrl)) { struct pam_message *pmsg[1], msg[1]; struct pam_response *resp; pmsg[0] = &msg[0]; msg[0].msg = CONST_DISCARD(char *, text); msg[0].msg_style = type; resp = NULL; return converse(pamh, ctrl, 1, pmsg, &resp); } return PAM_SUCCESS; } /* set the control flags for the SMB module. */ int set_ctrl( pam_handle_t *pamh, int flags, int argc, const char **argv ) { int i = 0; const char *service_file = NULL; unsigned int ctrl; ctrl = SMB_DEFAULTS; /* the default selection of options */ /* set some flags manually */ /* A good, sane default (matches Samba's behavior). */ set( SMB__NONULL, ctrl ); /* initialize service file location */ service_file=get_dyn_CONFIGFILE(); if (flags & PAM_SILENT) { set( SMB__QUIET, ctrl ); } /* Run through the arguments once, looking for an alternate smb config file location */ while (i < argc) { int j; for (j = 0; j < SMB_CTRLS_; ++j) { if (smb_args[j].token && !strncmp(argv[i], smb_args[j].token, strlen(smb_args[j].token))) { break; } } if (j == SMB_CONF_FILE) { service_file = argv[i] + 8; } i++; } /* Read some options from the Samba config. Can be overridden by the PAM config. */ if(lp_load(service_file,True,False,False,True) == False) { _log_err(pamh, LOG_ERR, "Error loading service file %s", service_file); } secrets_init(); if (lp_null_passwords()) { set( SMB__NULLOK, ctrl ); } /* now parse the rest of the arguments to this module */ while (argc-- > 0) { int j; for (j = 0; j < SMB_CTRLS_; ++j) { if (smb_args[j].token && !strncmp(*argv, smb_args[j].token, strlen(smb_args[j].token))) { break; } } if (j >= SMB_CTRLS_) { _log_err(pamh, LOG_ERR, "unrecognized option [%s]", *argv); } else { ctrl &= smb_args[j].mask; /* for turning things off */ ctrl |= smb_args[j].flag; /* for turning things on */ } ++argv; /* step to next argument */ } /* auditing is a more sensitive version of debug */ if (on( SMB_AUDIT, ctrl )) { set( SMB_DEBUG, ctrl ); } /* return the set of flags */ return ctrl; } /* use this to free strings. ESPECIALLY password strings */ char * _pam_delete( register char *xx ) { _pam_overwrite( xx ); _pam_drop( xx ); return NULL; } void _cleanup( pam_handle_t * pamh, void *x, int error_status ) { x = _pam_delete( (char *) x ); } /* JHT * * Safe duplication of character strings. "Paranoid"; don't leave * evidence of old token around for later stack analysis. * */ char * smbpXstrDup( pam_handle_t *pamh, const char *x ) { register char *newstr = NULL; if (x != NULL) { register int i; for (i = 0; x[i]; ++i); /* length of string */ if ((newstr = SMB_MALLOC_ARRAY(char, ++i)) == NULL) { i = 0; _log_err(pamh, LOG_CRIT, "out of memory in smbpXstrDup"); } else { while (i-- > 0) { newstr[i] = x[i]; } } x = NULL; } return newstr; /* return the duplicate or NULL on error */ } /* ************************************************************** * * Useful non-trivial functions * * ************************************************************** */ void _cleanup_failures( pam_handle_t * pamh, void *fl, int err ) { int quiet; const char *service = NULL; struct _pam_failed_auth *failure; #ifdef PAM_DATA_SILENT quiet = err & PAM_DATA_SILENT; /* should we log something? */ #else quiet = 0; #endif #ifdef PAM_DATA_REPLACE err &= PAM_DATA_REPLACE; /* are we just replacing data? */ #endif failure = (struct _pam_failed_auth *) fl; if (failure != NULL) { #ifdef PAM_DATA_SILENT if (!quiet && !err) { /* under advisement from Sun,may go away */ #else if (!quiet) { /* under advisement from Sun,may go away */ #endif /* log the number of authentication failures */ if (failure->count != 0) { _pam_get_item( pamh, PAM_SERVICE, &service ); _log_err(pamh, LOG_NOTICE , "%d authentication %s " "from %s for service %s as %s(%d)" , failure->count , failure->count == 1 ? "failure" : "failures" , failure->agent , service == NULL ? "**unknown**" : service , failure->user, failure->id ); if (failure->count > SMB_MAX_RETRIES) { _log_err(pamh, LOG_ALERT , "service(%s) ignoring max retries; %d > %d" , service == NULL ? "**unknown**" : service , failure->count , SMB_MAX_RETRIES ); } } } _pam_delete( failure->agent ); /* tidy up */ _pam_delete( failure->user ); /* tidy up */ SAFE_FREE( failure ); } } int _smb_verify_password( pam_handle_t * pamh, struct samu *sampass, const char *p, unsigned int ctrl ) { uchar lm_pw[16]; uchar nt_pw[16]; int retval = PAM_AUTH_ERR; char *data_name; const char *name; if (!sampass) return PAM_ABORT; name = pdb_get_username(sampass); #ifdef HAVE_PAM_FAIL_DELAY if (off( SMB_NODELAY, ctrl )) { (void) pam_fail_delay( pamh, 1000000 ); /* 1 sec delay for on failure */ } #endif if (!pdb_get_nt_passwd(sampass)) { _log_err(pamh, LOG_DEBUG, "user %s has null SMB password", name); if (off( SMB__NONULL, ctrl ) && (pdb_get_acct_ctrl(sampass) & ACB_PWNOTREQ)) { /* this means we've succeeded */ return PAM_SUCCESS; } else { const char *service; _pam_get_item( pamh, PAM_SERVICE, &service ); _log_err(pamh, LOG_NOTICE, "failed auth request by %s for service %s as %s", uidtoname(getuid()), service ? service : "**unknown**", name); return PAM_AUTH_ERR; } } data_name = SMB_MALLOC_ARRAY(char, sizeof(FAIL_PREFIX) + strlen( name )); if (data_name == NULL) { _log_err(pamh, LOG_CRIT, "no memory for data-name" ); return PAM_AUTH_ERR; } strncpy( data_name, FAIL_PREFIX, sizeof(FAIL_PREFIX) ); strncpy( data_name + sizeof(FAIL_PREFIX) - 1, name, strlen( name ) + 1 ); /* * The password we were given wasn't an encrypted password, or it * didn't match the one we have. We encrypt the password now and try * again. */ nt_lm_owf_gen(p, nt_pw, lm_pw); /* the moment of truth -- do we agree with the password? */ if (!memcmp( nt_pw, pdb_get_nt_passwd(sampass), 16 )) { retval = PAM_SUCCESS; if (data_name) { /* reset failures */ pam_set_data(pamh, data_name, NULL, _cleanup_failures); } } else { const char *service; _pam_get_item( pamh, PAM_SERVICE, &service ); if (data_name != NULL) { struct _pam_failed_auth *newauth = NULL; const struct _pam_failed_auth *old = NULL; /* get a failure recorder */ newauth = SMB_MALLOC_P( struct _pam_failed_auth ); if (newauth != NULL) { /* any previous failures for this user ? */ _pam_get_data(pamh, data_name, &old); if (old != NULL) { newauth->count = old->count + 1; if (newauth->count >= SMB_MAX_RETRIES) { retval = PAM_MAXTRIES; } } else { _log_err(pamh, LOG_NOTICE, "failed auth request by %s for service %s as %s", uidtoname(getuid()), service ? service : "**unknown**", name); newauth->count = 1; } if (!sid_to_uid(pdb_get_user_sid(sampass), &(newauth->id))) { _log_err(pamh, LOG_NOTICE, "failed auth request by %s for service %s as %s", uidtoname(getuid()), service ? service : "**unknown**", name); } newauth->user = smbpXstrDup( pamh, name ); newauth->agent = smbpXstrDup( pamh, uidtoname( getuid() ) ); pam_set_data( pamh, data_name, newauth, _cleanup_failures ); } else { _log_err(pamh, LOG_CRIT, "no memory for failure recorder" ); _log_err(pamh, LOG_NOTICE, "failed auth request by %s for service %s as %s(%d)", uidtoname(getuid()), service ? service : "**unknown**", name); } } _log_err(pamh, LOG_NOTICE, "failed auth request by %s for service %s as %s(%d)", uidtoname(getuid()), service ? service : "**unknown**", name); retval = PAM_AUTH_ERR; } _pam_delete( data_name ); return retval; } /* * _smb_blankpasswd() is a quick check for a blank password * * returns TRUE if user does not have a password * - to avoid prompting for one in such cases (CG) */ int _smb_blankpasswd( unsigned int ctrl, struct samu *sampass ) { int retval; /* * This function does not have to be too smart if something goes * wrong, return FALSE and let this case to be treated somewhere * else (CG) */ if (on( SMB__NONULL, ctrl )) return 0; /* will fail but don't let on yet */ if (!(pdb_get_acct_ctrl(sampass) & ACB_PWNOTREQ)) return 0; if (pdb_get_nt_passwd(sampass) == NULL) retval = 1; else retval = 0; return retval; } /* * obtain a password from the user */ int _smb_read_password( pam_handle_t * pamh, unsigned int ctrl, const char *comment, const char *prompt1, const char *prompt2, const char *data_name, char **pass ) { int authtok_flag; int retval; char *item = NULL; char *token; struct pam_message msg[3], *pmsg[3]; struct pam_response *resp; int i, expect; /* make sure nothing inappropriate gets returned */ *pass = token = NULL; /* which authentication token are we getting? */ authtok_flag = on(SMB__OLD_PASSWD, ctrl) ? PAM_OLDAUTHTOK : PAM_AUTHTOK; /* should we obtain the password from a PAM item ? */ if (on(SMB_TRY_FIRST_PASS, ctrl) || on(SMB_USE_FIRST_PASS, ctrl)) { retval = _pam_get_item( pamh, authtok_flag, &item ); if (retval != PAM_SUCCESS) { /* very strange. */ _log_err(pamh, LOG_ALERT, "pam_get_item returned error to smb_read_password"); return retval; } else if (item != NULL) { /* we have a password! */ *pass = item; item = NULL; return PAM_SUCCESS; } else if (on( SMB_USE_FIRST_PASS, ctrl )) { return PAM_AUTHTOK_RECOVER_ERR; /* didn't work */ } else if (on( SMB_USE_AUTHTOK, ctrl ) && off( SMB__OLD_PASSWD, ctrl )) { return PAM_AUTHTOK_RECOVER_ERR; } } /* * getting here implies we will have to get the password from the * user directly. */ /* prepare to converse */ if (comment != NULL && off(SMB__QUIET, ctrl)) { pmsg[0] = &msg[0]; msg[0].msg_style = PAM_TEXT_INFO; msg[0].msg = CONST_DISCARD(char *, comment); i = 1; } else { i = 0; } pmsg[i] = &msg[i]; msg[i].msg_style = PAM_PROMPT_ECHO_OFF; msg[i++].msg = CONST_DISCARD(char *, prompt1); if (prompt2 != NULL) { pmsg[i] = &msg[i]; msg[i].msg_style = PAM_PROMPT_ECHO_OFF; msg[i++].msg = CONST_DISCARD(char *, prompt2); expect = 2; } else expect = 1; resp = NULL; retval = converse( pamh, ctrl, i, pmsg, &resp ); if (resp != NULL) { int j = comment ? 1 : 0; /* interpret the response */ if (retval == PAM_SUCCESS) { /* a good conversation */ token = smbpXstrDup(pamh, resp[j++].resp); if (token != NULL) { if (expect == 2) { /* verify that password entered correctly */ if (!resp[j].resp || strcmp( token, resp[j].resp )) { _pam_delete( token ); retval = PAM_AUTHTOK_RECOVER_ERR; make_remark( pamh, ctrl, PAM_ERROR_MSG , MISTYPED_PASS ); } } } else { _log_err(pamh, LOG_NOTICE, "could not recover authentication token"); } } /* tidy up */ _pam_drop_reply( resp, expect ); } else { retval = (retval == PAM_SUCCESS) ? PAM_AUTHTOK_RECOVER_ERR : retval; } if (retval != PAM_SUCCESS) { if (on( SMB_DEBUG, ctrl )) _log_err(pamh, LOG_DEBUG, "unable to obtain a password"); return retval; } /* 'token' is the entered password */ if (off( SMB_NOT_SET_PASS, ctrl )) { /* we store this password as an item */ retval = pam_set_item( pamh, authtok_flag, (const void *)token ); _pam_delete( token ); /* clean it up */ if (retval != PAM_SUCCESS || (retval = _pam_get_item( pamh, authtok_flag ,&item )) != PAM_SUCCESS) { _log_err(pamh, LOG_CRIT, "error manipulating password"); return retval; } } else { /* * then store it as data specific to this module. pam_end() * will arrange to clean it up. */ retval = pam_set_data( pamh, data_name, (void *) token, _cleanup ); if (retval != PAM_SUCCESS || (retval = _pam_get_data( pamh, data_name, &item )) != PAM_SUCCESS) { _log_err(pamh, LOG_CRIT, "error manipulating password data [%s]", pam_strerror( pamh, retval )); _pam_delete( token ); item = NULL; return retval; } token = NULL; /* break link to password */ } *pass = item; item = NULL; /* break link to password */ return PAM_SUCCESS; } int _pam_smb_approve_pass(pam_handle_t * pamh, unsigned int ctrl, const char *pass_old, const char *pass_new ) { /* Further checks should be handled through module stacking. -SRL */ if (pass_new == NULL || (pass_old && !strcmp( pass_old, pass_new ))) { if (on(SMB_DEBUG, ctrl)) { _log_err(pamh, LOG_DEBUG, "passwd: bad authentication token (null or unchanged)"); } make_remark( pamh, ctrl, PAM_ERROR_MSG, pass_new == NULL ? "No password supplied" : "Password unchanged" ); return PAM_AUTHTOK_ERR; } return PAM_SUCCESS; } /* * Work around the pam API that has functions with void ** as parameters * These lead to strict aliasing warnings with gcc. */ int _pam_get_item(const pam_handle_t *pamh, int item_type, const void *_item) { const void **item = (const void **)_item; return pam_get_item(pamh, item_type, item); } int _pam_get_data(const pam_handle_t *pamh, const char *module_data_name, const void *_data) { const void **data = (const void **)_data; return pam_get_data(pamh, module_data_name, data); }