Context Navigation

source: branches/samba-3.3.x/source/pam_smbpass/support.c

Visit:

Last change on this file was 342, checked in by Herwig Bauernfeind, 16 years ago
Update 3.3 to 3.3.9
File size: 19.0 KB

Line
1	/* Unix NT password database implementation, version 0.6.
2	*
3	* This program is free software; you can redistribute it and/or modify it under
4	* the terms of the GNU General Public License as published by the Free
5	* Software Foundation; either version 3 of the License, or (at your option)
6	* any later version.
7	*
8	* This program is distributed in the hope that it will be useful, but WITHOUT
9	* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
10	* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
11	* more details.
12	*
13	* You should have received a copy of the GNU General Public License along with
14	* this program; if not, see <http://www.gnu.org/licenses/>.
15	*/
16
17	#include "includes.h"
18	#include "general.h"
19
20	#include "support.h"
21
22
23	#define _pam_overwrite(x) \
24	do { \
25	register char *__xx__; \
26	if ((__xx__=(x))) \
27	while (*__xx__) \
28	*__xx__++ = '\0'; \
29	} while (0)
30
31	/*
32	* Don't just free it, forget it too.
33	*/
34
35	#define _pam_drop(X) \
36	do { \
37	if (X) { \
38	free(X); \
39	X=NULL; \
40	} \
41	} while (0)
42
43	#define _pam_drop_reply(/* struct pam_response * / reply, / int */ replies) \
44	do { \
45	int reply_i; \
46	\
47	for (reply_i=0; reply_i<replies; ++reply_i) { \
48	if (reply[reply_i].resp) { \
49	_pam_overwrite(reply[reply_i].resp); \
50	free(reply[reply_i].resp); \
51	} \
52	} \
53	if (reply) \
54	free(reply); \
55	} while (0)
56
57
58	int converse(pam_handle_t , int, int, struct pam_message *,
59	struct pam_response **);
60	int make_remark(pam_handle_t , unsigned int, int, const char );
61	void _cleanup(pam_handle_t , void , int);
62	char _pam_delete(register char );
63
64	/* syslogging function for errors and other information */
65
66	void _log_err( int err, const char *format, ... )
67	{
68	va_list args;
69
70	va_start( args, format );
71	openlog( "PAM_smbpass", LOG_CONS \| LOG_PID, LOG_AUTH );
72	vsyslog( err, format, args );
73	va_end( args );
74	closelog();
75	}
76
77	/* this is a front-end for module-application conversations */
78
79	int converse( pam_handle_t * pamh, int ctrl, int nargs
80	, struct pam_message **message
81	, struct pam_response **response )
82	{
83	int retval;
84	struct pam_conv *conv;
85
86	retval = _pam_get_item(pamh, PAM_CONV, &conv);
87	if (retval == PAM_SUCCESS) {
88
89	retval = conv->conv(nargs, (const struct pam_message **) message
90	,response, conv->appdata_ptr);
91
92	if (retval != PAM_SUCCESS && on(SMB_DEBUG, ctrl)) {
93	_log_err(LOG_DEBUG, "conversation failure [%s]"
94	,pam_strerror(pamh, retval));
95	}
96	} else {
97	_log_err(LOG_ERR, "couldn't obtain coversation function [%s]"
98	,pam_strerror(pamh, retval));
99	}
100
101	return retval; /* propagate error status */
102	}
103
104	int make_remark( pam_handle_t * pamh, unsigned int ctrl
105	, int type, const char *text )
106	{
107	if (off(SMB__QUIET, ctrl)) {
108	struct pam_message *pmsg[1], msg[1];
109	struct pam_response *resp;
110
111	pmsg[0] = &msg[0];
112	msg[0].msg = CONST_DISCARD(char *, text);
113	msg[0].msg_style = type;
114	resp = NULL;
115
116	return converse(pamh, ctrl, 1, pmsg, &resp);
117	}
118	return PAM_SUCCESS;
119	}
120
121
122	/* set the control flags for the SMB module. */
123
124	int set_ctrl( int flags, int argc, const char **argv )
125	{
126	int i = 0;
127	const char *service_file = NULL;
128	unsigned int ctrl;
129
130	ctrl = SMB_DEFAULTS; /* the default selection of options */
131
132	/* set some flags manually */
133
134	/* A good, sane default (matches Samba's behavior). */
135	set( SMB__NONULL, ctrl );
136
137	/* initialize service file location */
138	service_file=get_dyn_CONFIGFILE();
139
140	if (flags & PAM_SILENT) {
141	set( SMB__QUIET, ctrl );
142	}
143
144	/* Run through the arguments once, looking for an alternate smb config
145	file location */
146	while (i < argc) {
147	int j;
148
149	for (j = 0; j < SMB_CTRLS_; ++j) {
150	if (smb_args[j].token
151	&& !strncmp(argv[i], smb_args[j].token, strlen(smb_args[j].token)))
152	{
153	break;
154	}
155	}
156
157	if (j == SMB_CONF_FILE) {
158	service_file = argv[i] + 8;
159	}
160	i++;
161	}
162
163	/* Read some options from the Samba config. Can be overridden by
164	the PAM config. */
165	if(lp_load(service_file,True,False,False,True) == False) {
166	_log_err( LOG_ERR, "Error loading service file %s", service_file );
167	}
168
169	secrets_init();
170
171	if (lp_null_passwords()) {
172	set( SMB__NULLOK, ctrl );
173	}
174
175	/* now parse the rest of the arguments to this module */
176
177	while (argc-- > 0) {
178	int j;
179
180	for (j = 0; j < SMB_CTRLS_; ++j) {
181	if (smb_args[j].token
182	&& !strncmp(*argv, smb_args[j].token, strlen(smb_args[j].token)))
183	{
184	break;
185	}
186	}
187
188	if (j >= SMB_CTRLS_) {
189	_log_err( LOG_ERR, "unrecognized option [%s]", *argv );
190	} else {
191	ctrl &= smb_args[j].mask; /* for turning things off */
192	ctrl \|= smb_args[j].flag; /* for turning things on */
193	}
194
195	++argv; /* step to next argument */
196	}
197
198	/* auditing is a more sensitive version of debug */
199
200	if (on( SMB_AUDIT, ctrl )) {
201	set( SMB_DEBUG, ctrl );
202	}
203	/* return the set of flags */
204
205	return ctrl;
206	}
207
208	/* use this to free strings. ESPECIALLY password strings */
209
210	char * _pam_delete( register char *xx )
211	{
212	_pam_overwrite( xx );
213	_pam_drop( xx );
214	return NULL;
215	}
216
217	void _cleanup( pam_handle_t * pamh, void *x, int error_status )
218	{
219	x = _pam_delete( (char *) x );
220	}
221
222	/* JHT
223	*
224	* Safe duplication of character strings. "Paranoid"; don't leave
225	* evidence of old token around for later stack analysis.
226	*
227	*/
228	char * smbpXstrDup( const char *x )
229	{
230	register char *newstr = NULL;
231
232	if (x != NULL) {
233	register int i;
234
235	for (i = 0; x[i]; ++i); /* length of string */
236	if ((newstr = SMB_MALLOC_ARRAY(char, ++i)) == NULL) {
237	i = 0;
238	_log_err( LOG_CRIT, "out of memory in smbpXstrDup" );
239	} else {
240	while (i-- > 0) {
241	newstr[i] = x[i];
242	}
243	}
244	x = NULL;
245	}
246	return newstr; /* return the duplicate or NULL on error */
247	}
248
249	/* ************************************************************** *
250	* Useful non-trivial functions *
251	* ************************************************************** */
252
253	void _cleanup_failures( pam_handle_t * pamh, void *fl, int err )
254	{
255	int quiet;
256	const char *service = NULL;
257	struct _pam_failed_auth *failure;
258
259	#ifdef PAM_DATA_SILENT
260	quiet = err & PAM_DATA_SILENT; /* should we log something? */
261	#else
262	quiet = 0;
263	#endif
264	#ifdef PAM_DATA_REPLACE
265	err &= PAM_DATA_REPLACE; /* are we just replacing data? */
266	#endif
267	failure = (struct _pam_failed_auth *) fl;
268
269	if (failure != NULL) {
270
271	#ifdef PAM_DATA_SILENT
272	if (!quiet && !err) { /* under advisement from Sun,may go away */
273	#else
274	if (!quiet) { /* under advisement from Sun,may go away */
275	#endif
276
277	/* log the number of authentication failures */
278	if (failure->count != 0) {
279	_pam_get_item( pamh, PAM_SERVICE, &service );
280	_log_err( LOG_NOTICE
281	, "%d authentication %s "
282	"from %s for service %s as %s(%d)"
283	, failure->count
284	, failure->count == 1 ? "failure" : "failures"
285	, failure->agent
286	, service == NULL ? "unknown" : service
287	, failure->user, failure->id );
288	if (failure->count > SMB_MAX_RETRIES) {
289	_log_err( LOG_ALERT
290	, "service(%s) ignoring max retries; %d > %d"
291	, service == NULL ? "unknown" : service
292	, failure->count
293	, SMB_MAX_RETRIES );
294	}
295	}
296	}
297	_pam_delete( failure->agent ); /* tidy up */
298	_pam_delete( failure->user ); /* tidy up */
299	SAFE_FREE( failure );
300	}
301	}
302
303	int _smb_verify_password( pam_handle_t * pamh, struct samu *sampass,
304	const char *p, unsigned int ctrl )
305	{
306	uchar lm_pw[16];
307	uchar nt_pw[16];
308	int retval = PAM_AUTH_ERR;
309	char *data_name;
310	const char *name;
311
312	if (!sampass)
313	return PAM_ABORT;
314
315	name = pdb_get_username(sampass);
316
317	#ifdef HAVE_PAM_FAIL_DELAY
318	if (off( SMB_NODELAY, ctrl )) {
319	(void) pam_fail_delay( pamh, 1000000 ); /* 1 sec delay for on failure */
320	}
321	#endif
322
323	if (!pdb_get_nt_passwd(sampass))
324	{
325	_log_err( LOG_DEBUG, "user %s has null SMB password"
326	, name );
327
328	if (off( SMB__NONULL, ctrl )
329	&& (pdb_get_acct_ctrl(sampass) & ACB_PWNOTREQ))
330	{ /* this means we've succeeded */
331	return PAM_SUCCESS;
332	} else {
333	const char *service;
334
335	_pam_get_item( pamh, PAM_SERVICE, &service );
336	_log_err( LOG_NOTICE, "failed auth request by %s for service %s as %s",
337	uidtoname(getuid()), service ? service : "unknown", name);
338	return PAM_AUTH_ERR;
339	}
340	}
341
342	data_name = SMB_MALLOC_ARRAY(char, sizeof(FAIL_PREFIX) + strlen( name ));
343	if (data_name == NULL) {
344	_log_err( LOG_CRIT, "no memory for data-name" );
345	return PAM_AUTH_ERR;
346	}
347	strncpy( data_name, FAIL_PREFIX, sizeof(FAIL_PREFIX) );
348	strncpy( data_name + sizeof(FAIL_PREFIX) - 1, name, strlen( name ) + 1 );
349
350	/*
351	* The password we were given wasn't an encrypted password, or it
352	* didn't match the one we have. We encrypt the password now and try
353	* again.
354	*/
355
356	nt_lm_owf_gen(p, nt_pw, lm_pw);
357
358	/* the moment of truth -- do we agree with the password? */
359
360	if (!memcmp( nt_pw, pdb_get_nt_passwd(sampass), 16 )) {
361
362	retval = PAM_SUCCESS;
363	if (data_name) { /* reset failures */
364	pam_set_data(pamh, data_name, NULL, _cleanup_failures);
365	}
366	} else {
367
368	const char *service;
369
370	_pam_get_item( pamh, PAM_SERVICE, &service );
371
372	if (data_name != NULL) {
373	struct _pam_failed_auth *newauth = NULL;
374	const struct _pam_failed_auth *old = NULL;
375
376	/* get a failure recorder */
377
378	newauth = SMB_MALLOC_P( struct _pam_failed_auth );
379
380	if (newauth != NULL) {
381
382	/* any previous failures for this user ? */
383	_pam_get_data(pamh, data_name, &old);
384
385	if (old != NULL) {
386	newauth->count = old->count + 1;
387	if (newauth->count >= SMB_MAX_RETRIES) {
388	retval = PAM_MAXTRIES;
389	}
390	} else {
391	_log_err(LOG_NOTICE,
392	"failed auth request by %s for service %s as %s",
393	uidtoname(getuid()),
394	service ? service : "unknown", name);
395	newauth->count = 1;
396	}
397	if (!sid_to_uid(pdb_get_user_sid(sampass), &(newauth->id))) {
398	_log_err(LOG_NOTICE,
399	"failed auth request by %s for service %s as %s",
400	uidtoname(getuid()),
401	service ? service : "unknown", name);
402	}
403	newauth->user = smbpXstrDup( name );
404	newauth->agent = smbpXstrDup( uidtoname( getuid() ) );
405	pam_set_data( pamh, data_name, newauth, _cleanup_failures );
406
407	} else {
408	_log_err( LOG_CRIT, "no memory for failure recorder" );
409	_log_err(LOG_NOTICE,
410	"failed auth request by %s for service %s as %s(%d)",
411	uidtoname(getuid()),
412	service ? service : "unknown", name);
413	}
414	}
415	_log_err(LOG_NOTICE,
416	"failed auth request by %s for service %s as %s(%d)",
417	uidtoname(getuid()),
418	service ? service : "unknown", name);
419	retval = PAM_AUTH_ERR;
420	}
421
422	_pam_delete( data_name );
423
424	return retval;
425	}
426
427
428	/*
429	* _smb_blankpasswd() is a quick check for a blank password
430	*
431	* returns TRUE if user does not have a password
432	* - to avoid prompting for one in such cases (CG)
433	*/
434
435	int _smb_blankpasswd( unsigned int ctrl, struct samu *sampass )
436	{
437	int retval;
438
439	/*
440	* This function does not have to be too smart if something goes
441	* wrong, return FALSE and let this case to be treated somewhere
442	* else (CG)
443	*/
444
445	if (on( SMB__NONULL, ctrl ))
446	return 0; /* will fail but don't let on yet */
447
448	if (!(pdb_get_acct_ctrl(sampass) & ACB_PWNOTREQ))
449	return 0;
450
451	if (pdb_get_nt_passwd(sampass) == NULL)
452	retval = 1;
453	else
454	retval = 0;
455
456	return retval;
457	}
458
459	/*
460	* obtain a password from the user
461	*/
462
463	int _smb_read_password( pam_handle_t * pamh, unsigned int ctrl,
464	const char comment, const char prompt1,
465	const char prompt2, const char data_name, char **pass )
466	{
467	int authtok_flag;
468	int retval;
469	char *item = NULL;
470	char *token;
471
472	struct pam_message msg[3], *pmsg[3];
473	struct pam_response *resp;
474	int i, expect;
475
476
477	/* make sure nothing inappropriate gets returned */
478
479	*pass = token = NULL;
480
481	/* which authentication token are we getting? */
482
483	authtok_flag = on(SMB__OLD_PASSWD, ctrl) ? PAM_OLDAUTHTOK : PAM_AUTHTOK;
484
485	/* should we obtain the password from a PAM item ? */
486
487	if (on(SMB_TRY_FIRST_PASS, ctrl) \|\| on(SMB_USE_FIRST_PASS, ctrl)) {
488	retval = _pam_get_item( pamh, authtok_flag, &item );
489	if (retval != PAM_SUCCESS) {
490	/* very strange. */
491	_log_err( LOG_ALERT
492	, "pam_get_item returned error to smb_read_password" );
493	return retval;
494	} else if (item != NULL) { /* we have a password! */
495	*pass = item;
496	item = NULL;
497	return PAM_SUCCESS;
498	} else if (on( SMB_USE_FIRST_PASS, ctrl )) {
499	return PAM_AUTHTOK_RECOVER_ERR; /* didn't work */
500	} else if (on( SMB_USE_AUTHTOK, ctrl )
501	&& off( SMB__OLD_PASSWD, ctrl ))
502	{
503	return PAM_AUTHTOK_RECOVER_ERR;
504	}
505	}
506
507	/*
508	* getting here implies we will have to get the password from the
509	* user directly.
510	*/
511
512	/* prepare to converse */
513	if (comment != NULL && off(SMB__QUIET, ctrl)) {
514	pmsg[0] = &msg[0];
515	msg[0].msg_style = PAM_TEXT_INFO;
516	msg[0].msg = CONST_DISCARD(char *, comment);
517	i = 1;
518	} else {
519	i = 0;
520	}
521
522	pmsg[i] = &msg[i];
523	msg[i].msg_style = PAM_PROMPT_ECHO_OFF;
524	msg[i++].msg = CONST_DISCARD(char *, prompt1);
525
526	if (prompt2 != NULL) {
527	pmsg[i] = &msg[i];
528	msg[i].msg_style = PAM_PROMPT_ECHO_OFF;
529	msg[i++].msg = CONST_DISCARD(char *, prompt2);
530	expect = 2;
531	} else
532	expect = 1;
533
534	resp = NULL;
535
536	retval = converse( pamh, ctrl, i, pmsg, &resp );
537
538	if (resp != NULL) {
539	int j = comment ? 1 : 0;
540	/* interpret the response */
541
542	if (retval == PAM_SUCCESS) { /* a good conversation */
543
544	token = smbpXstrDup(resp[j++].resp);
545	if (token != NULL) {
546	if (expect == 2) {
547	/* verify that password entered correctly */
548	if (!resp[j].resp \|\| strcmp( token, resp[j].resp )) {
549	_pam_delete( token );
550	retval = PAM_AUTHTOK_RECOVER_ERR;
551	make_remark( pamh, ctrl, PAM_ERROR_MSG
552	, MISTYPED_PASS );
553	}
554	}
555	} else {
556	_log_err(LOG_NOTICE, "could not recover authentication token");
557	}
558	}
559
560	/* tidy up */
561	_pam_drop_reply( resp, expect );
562
563	} else {
564	retval = (retval == PAM_SUCCESS) ? PAM_AUTHTOK_RECOVER_ERR : retval;
565	}
566
567	if (retval != PAM_SUCCESS) {
568	if (on( SMB_DEBUG, ctrl ))
569	_log_err( LOG_DEBUG, "unable to obtain a password" );
570	return retval;
571	}
572	/* 'token' is the entered password */
573
574	if (off( SMB_NOT_SET_PASS, ctrl )) {
575
576	/* we store this password as an item */
577
578	retval = pam_set_item( pamh, authtok_flag, (const void *)token );
579	_pam_delete( token ); /* clean it up */
580	if (retval != PAM_SUCCESS
581	\|\| (retval = _pam_get_item( pamh, authtok_flag
582	,&item )) != PAM_SUCCESS)
583	{
584	_log_err( LOG_CRIT, "error manipulating password" );
585	return retval;
586	}
587	} else {
588	/*
589	* then store it as data specific to this module. pam_end()
590	* will arrange to clean it up.
591	*/
592
593	retval = pam_set_data( pamh, data_name, (void *) token, _cleanup );
594	if (retval != PAM_SUCCESS
595	\|\| (retval = _pam_get_data( pamh, data_name, &item ))
596	!= PAM_SUCCESS)
597	{
598	_log_err( LOG_CRIT, "error manipulating password data [%s]"
599	, pam_strerror( pamh, retval ));
600	_pam_delete( token );
601	item = NULL;
602	return retval;
603	}
604	token = NULL; /* break link to password */
605	}
606
607	*pass = item;
608	item = NULL; /* break link to password */
609
610	return PAM_SUCCESS;
611	}
612
613	int _pam_smb_approve_pass(pam_handle_t * pamh,
614	unsigned int ctrl,
615	const char *pass_old,
616	const char *pass_new )
617	{
618
619	/* Further checks should be handled through module stacking. -SRL */
620	if (pass_new == NULL \|\| (pass_old && !strcmp( pass_old, pass_new )))
621	{
622	if (on(SMB_DEBUG, ctrl)) {
623	_log_err( LOG_DEBUG,
624	"passwd: bad authentication token (null or unchanged)" );
625	}
626	make_remark( pamh, ctrl, PAM_ERROR_MSG, pass_new == NULL ?
627	"No password supplied" : "Password unchanged" );
628	return PAM_AUTHTOK_ERR;
629	}
630
631	return PAM_SUCCESS;
632	}
633
634	/*
635	* Work around the pam API that has functions with void ** as parameters
636	* These lead to strict aliasing warnings with gcc.
637	*/
638	int _pam_get_item(const pam_handle_t *pamh,
639	int item_type,
640	const void *_item)
641	{
642	const void item = (const void )_item;
643	return pam_get_item(pamh, item_type, item);
644	}
645
646	int _pam_get_data(const pam_handle_t *pamh,
647	const char *module_data_name,
648	const void *_data)
649	{
650	const void data = (const void )_data;
651	return pam_get_data(pamh, module_data_name, data);
652	}

Note: See TracBrowser for help on using the repository browser.

Download in other formats: