From 1f47b1dfa29b07489e64b442d3a15b303e434546 Mon Sep 17 00:00:00 2001 From: Seraphim Mellos Date: Sun, 15 Jun 2008 16:08:08 +0300 Subject: Solved some issues with passwd/shadow --- modules/pam_unix/pam_unix.c | 36 ++++++++++++++++++---------------- modules/pam_unix/pam_unix.c~ | 45 +++++++++++++++++++++++-------------------- modules/pam_unix/pam_unix.o | Bin 7780 -> 9760 bytes modules/pam_unix/pam_unix.so | Bin 10155 -> 15088 bytes 4 files changed, 43 insertions(+), 38 deletions(-) diff --git a/modules/pam_unix/pam_unix.c b/modules/pam_unix/pam_unix.c index b859512..54b6f12 100644 --- a/modules/pam_unix/pam_unix.c +++ b/modules/pam_unix/pam_unix.c @@ -2,7 +2,7 @@ #include #include -/*#include */ +#include #include #include #include @@ -22,6 +22,11 @@ #endif +#define PASSWORD_HASH "md5" +#define DEFAULT_WARN (2L * 7L * 86400L) /* two weeks */ +#define SALTSIZE 32 + + #include #include #include @@ -61,7 +66,7 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags, if (pwd != NULL) { PAM_LOG("Doing real authentication"); - pass = pwd->sp_pwdp; + pass = pwd->pw_passwd; if (pass[0] == '\0') { if (!(flags & PAM_DISALLOW_NULL_AUTHTOK) && openpam_get_option(pamh, PAM_OPT_NULLOK)){ @@ -96,10 +101,10 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags, if (pam_err != PAM_SUCCESS) return (PAM_AUTH_ERR); - /* check shadow */ + /* check passwd entry */ - crypt_pass = crypt(pass, pwd->sp_pwdp); - if ( strcmp(crypt_pass, pwd->sp_pwdp) != 0 ) { + crypt_pass = crypt(pass, pwd->pw_passwd); + if ( strcmp(crypt_pass, pwd->pw_passwd) != 0 ) { PAM_ERROR("Wrong password. Authentication failed."); pam_err = PAM_AUTH_ERR; } else { @@ -138,7 +143,7 @@ pam_sm_acct_mgmt(pam_handle_t *pamh, int flags , login_cap_t *lc; #endif - struct passwd *pwd; + struct spwd *pwd; int pam_err; const char *user; time_t curtime; 
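Review bot: `DEFAULT_WARN` is defined in seconds (`2L * 7L * 86400L`) but its only visible use, the `pwd->sp_expire - curtime < DEFAULT_WARN` test in the hunk at -198, compares a difference of day counts (`curtime` is `time(NULL) / (60 * 60 * 24)` and shadow's `sp_expire` is a day number), so with 1209600 on the right-hand side the warning branch is taken for practically every account that has an expiry date. Define it in the unit the comparison uses, `#define DEFAULT_WARN 14L /* two weeks, in days */`, and keep the comment honest about that; the per-account `sp_warn` this change drops is a day count as well. `PASSWORD_HASH "md5"` and `SALTSIZE` are not referenced in any hunk of this patch; if `PASSWORD_HASH` is meant to select the crypt scheme for newly set passwords, MD5-crypt is a weak default and a comment should state which scheme the salt built from `SALTSIZE` is expected to match in the libc `crypt()`.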
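Review bot: `pass = pwd->pw_passwd` now takes the stored hash from the passwd entry, and on a system that keeps hashes in /etc/shadow `pw_passwd` holds only `x` (or `*`), so the `pass[0] == '\0'` test below never sees an empty password and the `strcmp` against `pwd->pw_passwd` in the hunk at -96 fails for every user. `pam_sm_acct_mgmt` in the hunk at -138 moves the other way, to `struct spwd`, so the two entry points now consult different databases for the same user. Either keep the shadow lookup here (the module then needs the privilege `getspnam()` requires, which deserves a comment at the top of the file) or fall back to `getspnam()` when `pw_passwd` is `x`, and use the same rule in both functions. Where `pass` is reassigned to the supplied token between the two hunks is outside the visible lines.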
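Review bot: `crypt(pass, pwd->pw_passwd)` can return NULL — an unrecognised or unsupported hash prefix, and on libxcrypt any failure, including when `pw_passwd` is the shadow placeholder — and the new `strcmp(crypt_pass, pwd->pw_passwd)` dereferences it unconditionally, which turns a malformed entry into a crash of the calling service instead of a failed login. Fold the NULL case into the existing test so the `else` branch is untouched: `if (crypt_pass == NULL || strcmp(crypt_pass, pwd->pw_passwd) != 0) {`. `pam_sm_authenticate` begins before this hunk and continues past it.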
@@ -188,7 +193,7 @@ pam_sm_acct_mgmt(pam_handle_t *pamh, int flags , } #endif - /* Check if pw_lstchg or pw_expire is set */ + /* Check if pw_lstchg or sp_expire is set */ if (pwd->sp_lstchg || pwd->sp_expire) curtime = time(NULL) / (60 * 60 * 24); @@ -198,9 +203,9 @@ pam_sm_acct_mgmt(pam_handle_t *pamh, int flags , login_close(lc); #endif return (PAM_ACCT_EXPIRED); - } else if ( ( pwd->sp_expire - curtime < pwd->sp_warn) ) { + } else if ( ( pwd->sp_expire - curtime < DEFAULT_WARN) ) { // pam_error(pamh, "Warning: your account expires on %s", -// ctime(&pwd->pw_expire)); +// ctime(&pwd->sp_expire)); } } @@ -258,7 +263,6 @@ pam_sm_chautok(pam_handle_t *pamh, int flags, * This is standard unix passwd changing function. */ struct passwd *new_pwd, *old_pwd; - char oldprefix[HASH_PREFIX_SIZE]; const char *user, *old_pass, *new_pass; char *hashedpwd; int pam_err; @@ -279,9 +283,9 @@ pam_sm_chautok(pam_handle_t *pamh, int flags, PAM_LOG("Got user: [%s]", user); - if (pwd == NULL) { + if (old_pwd == NULL) { PAM_ERROR("User [%s] either has a corrupted passwd entry or \ - is not in the selected database"); + is not in the selected database", user); return (PAM_AUTHTOK_RECOVERY_ERR); } @@ -310,18 +314,16 @@ pam_sm_chautok(pam_handle_t *pamh, int flags, return (pam_set_item(pamh, PAM_OLDAUTHTOK, "")); } - if ( (pwd->pw_passwd[0] == '\0' ) && + if ( (old_pwd->pw_passwd[0] == '\0' ) && ( openpam_get_option(pamh, PAM_OPT_NULLOK) ) && - ( openpam_get_option(pamh,PAM_DISALLOW_NULL_AUTHTOK)) ) { - + !(flags & PAM_DISALLOW_NULL_AUTHTOK) ) { /* * Something funny could happen here since we don't * ask for a password. */ old_pass = ""; } - - + } return (PAM_SUCCESS); diff --git a/modules/pam_unix/pam_unix.c~ b/modules/pam_unix/pam_unix.c~ index 9ef7320..72dbac0 100644 --- a/modules/pam_unix/pam_unix.c~ +++ b/modules/pam_unix/pam_unix.c~ @@ -1,6 +1,6 @@ #define _XOPEN_SOURCE -/* #include */ +#include #include #include #include 
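Review bot: The reworded comment still names `pw_lstchg` while the field tested on the next line is `sp_lstchg`; make it `/* Check if sp_lstchg or sp_expire is set */`. The test itself treats any non-zero value as "set", but glibc reports an empty shadow field as -1 rather than 0, so an account with no expiry date would look like one with an expiry to the comparisons that follow — confirm against the target libc's shadow(3) semantics and test `!= -1` if so. `curtime` is only assigned inside this `if`; whether it is initialised before its later use is outside the hunk.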
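Review bot: The `else if` that compares against `DEFAULT_WARN` has an empty body, because the `pam_error` call inside it is still commented out, and the updated `ctime(&pwd->sp_expire)` would not be correct if re-enabled either: `sp_expire` is a `long` day count, while `ctime()` wants a pointer to a `time_t` in seconds. Either make the warning real — `time_t exp = (time_t)pwd->sp_expire * 86400; pam_error(pamh, "Warning: your account expires on %s", ctime(&exp));` — or delete the commented-out lines rather than keep editing them.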
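Review bot: The corrected `PAM_ERROR(..., user)` and the `PAM_LOG("Got user: [%s]", user)` just above both read `user`, but when `PAM_OPT_AUTH_AS_SELF` is set the lookup goes through `getlogin()` and `user` is apparently never assigned (that branch is outside this hunk; the backup copy's hunk at -267 shows it), so on that path the `%s` reads an uninitialised pointer. Set `user = getlogin();` first and pass that to `getpwnam()`, or log `old_pwd->pw_name` once the entry is known; `getlogin()` may also return NULL, which `getpwnam(NULL)` does not tolerate, so that case needs its own `PAM_AUTHTOK_RECOVERY_ERR` return. The same as-self pattern appears in `pam_sm_authenticate` and should get the same treatment.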
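Review bot: `return (PAM_SUCCESS)` is reached right after the NULLOK block with no visible comparison of `old_pass` against `old_pwd->pw_passwd` and no write of a new password — `new_pass`, `new_pwd` and `hashedpwd` from the hunk at -258 are not used in any hunk of this patch — so, unless the lines between the hunks at -283 and -314 do that work, the change-token call reports success while changing nothing, and a stack that lists this module as `sufficient` or `required` for `password` would accept the change. Until the update is implemented, return `PAM_AUTHTOK_ERR` from this path with a `/* TODO: verify old token and store new hash */` so the gap is explicit rather than silent.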
@@ -22,6 +22,11 @@ #endif +#define PASSWORD_HASH "md5" +#define DEFAULT_WARN (2L * 7L * 86400L) /* two weeks */ +#define SALTSIZE 32 + + #include #include #include @@ -37,7 +42,7 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags, #ifndef __linux__ login_cap_t *lc; #endif - struct spwd *pwd; + struct passwd *pwd; const char *pass, *crypt_pass, *user; int pam_err; @@ -45,14 +50,14 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags, if (openpam_get_option(pamh, PAM_OPT_AUTH_AS_SELF)) { PAM_LOG("Authenticating as self."); - pwd = getspnam(getlogin()); + pwd = getpwnam(getlogin()); } else { if ((pam_err = pam_get_user(pamh, &user, NULL)) != PAM_SUCCESS) { PAM_ERROR("Authenticating with uname [%s] failed.", user); return (pam_err); } - pwd = getspnam(user); + pwd = getpwnam(user); } PAM_LOG("Authenticating user: [%s]", user); @@ -61,7 +66,7 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags, if (pwd != NULL) { PAM_LOG("Doing real authentication"); - pass = pwd->sp_pwdp; + pass = pwd->pw_passwd; if (pass[0] == '\0') { if (!(flags & PAM_DISALLOW_NULL_AUTHTOK) && openpam_get_option(pamh, PAM_OPT_NULLOK)){ @@ -96,10 +101,10 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags, if (pam_err != PAM_SUCCESS) return (PAM_AUTH_ERR); - /* check shadow */ + /* check passwd entry */ - crypt_pass = crypt(pass, pwd->sp_pwdp); - if ( strcmp(crypt_pass, pwd->sp_pwdp) != 0 ) { + crypt_pass = crypt(pass, pwd->pw_passwd); + if ( strcmp(crypt_pass, pwd->pw_passwd) != 0 ) { PAM_ERROR("Wrong password. Authentication failed."); pam_err = PAM_AUTH_ERR; } else { @@ -155,7 +160,7 @@ pam_sm_acct_mgmt(pam_handle_t *pamh, int flags , if (pam_err != PAM_SUCCESS) return (pam_err); - if (user == NULL || (pwd = getspnam(user)) == NULL) + if (user == NULL || (pwd = getpwnam(user)) == NULL) return (PAM_SERVICE_ERR); #ifndef __linux__ 
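Review bot: `pam_unix.c~` is an editor backup of the file reviewed above, and this hunk (with the others in it at -37, -45, -61, -96 and -155) is a stale copy that already disagrees with the real file — here `pam_sm_acct_mgmt` is switched to `getpwnam()` in the hunk at -155 while still reading `pwd->sp_lstchg`, whereas `pam_unix.c` moves that function to `struct spwd`. Drop the backup together with the rebuilt `pam_unix.o` and `pam_unix.so` from the commit and add `*~`, `*.o` and `*.so` to `.gitignore`, so reviewers and the build see one source of truth. One thing visible only in this copy, `getpwnam(getlogin())` in the hunk at -45, is worth checking in the real file too: `getlogin()` returns NULL when there is no login name, and `getpwnam(NULL)` is not defined.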
@@ -188,7 +193,7 @@ pam_sm_acct_mgmt(pam_handle_t *pamh, int flags , } #endif - /* Check if pw_lstchg or pw_expire is set */ + /* Check if pw_lstchg or sp_expire is set */ if (pwd->sp_lstchg || pwd->sp_expire) curtime = time(NULL) / (60 * 60 * 24); @@ -198,9 +203,9 @@ pam_sm_acct_mgmt(pam_handle_t *pamh, int flags , login_close(lc); #endif return (PAM_ACCT_EXPIRED); - } else if ( ( pwd->sp_expire - curtime < pwd->sp_warn) ) { + } else if ( ( pwd->sp_expire - curtime < DEFAULT_WARN) ) { // pam_error(pamh, "Warning: your account expires on %s", -// ctime(&pwd->pw_expire)); +// ctime(&pwd->sp_expire)); } } @@ -257,8 +262,7 @@ pam_sm_chautok(pam_handle_t *pamh, int flags, * NIS support will be left for future implementation. * This is standard unix passwd changing function. */ - struct spwd *new_pwd, *old_pwd; - char oldprefix[HASH_PREFIX_SIZE]; + struct passwd *new_pwd, *old_pwd; const char *user, *old_pass, *new_pass; char *hashedpwd; int pam_err; @@ -267,21 +271,21 @@ pam_sm_chautok(pam_handle_t *pamh, int flags, if (openpam_get_option(pamh, PAM_OPT_AUTH_AS_SELF)) { PAM_LOG("Authenticating as self."); - old_pwd = getspnam(getlogin()); + old_pwd = getpwnam(getlogin()); } else { if ((pam_err = pam_get_user(pamh, &user, NULL)) != PAM_SUCCESS) { PAM_ERROR("Authenticating with uname [%s] failed.", user); return (pam_err); } - old_pwd = getspnam(user); + old_pwd = getpwnam(user); } PAM_LOG("Got user: [%s]", user); - if (pwd == NULL) { + if (old_pwd == NULL) { PAM_ERROR("User [%s] either has a corrupted passwd entry or \ - is not in the selected database"); + is not in the selected database", user); return (PAM_AUTHTOK_RECOVERY_ERR); } 
@@ -310,10 +314,9 @@ pam_sm_chautok(pam_handle_t *pamh, int flags, return (pam_set_item(pamh, PAM_OLDAUTHTOK, "")); } - if ( (pwd->pw_passwd[0] == '\0' ) && + if ( (old_pwd->pw_passwd[0] == '\0' ) && ( openpam_get_option(pamh, PAM_OPT_NULLOK) ) && - ( openpam_get_option(pamh,PAM_DISALLOW_NULL_AUTHTOK)) ) { - + !(flags & PAM_DISALLOW_NULL_AUTHTOK) ) { /* * Something funny could happen here since we don't * ask for a password. diff --git a/modules/pam_unix/pam_unix.o b/modules/pam_unix/pam_unix.o index 7380713..1dd928a 100644 Binary files a/modules/pam_unix/pam_unix.o and b/modules/pam_unix/pam_unix.o differ diff --git a/modules/pam_unix/pam_unix.so b/modules/pam_unix/pam_unix.so index 8a8c62e..6be3fac 100755 Binary files a/modules/pam_unix/pam_unix.so and b/modules/pam_unix/pam_unix.so differ -- cgit v1.2.3-65-gdbad