| 1 | #include "../librpc/gen_ndr/samr.h"
|
|---|
| 2 | #include "../libcli/auth/pam_errors.h"
|
|---|
| 3 | #include "passdb.h"
|
|---|
| 4 |
|
|---|
| 5 | #ifndef LINUX
|
|---|
| 6 | /* This is only needed by modules in the Sun implementation. */
|
|---|
| 7 | #if defined(HAVE_SECURITY_PAM_APPL_H)
|
|---|
| 8 | #include <security/pam_appl.h>
|
|---|
| 9 | #elif defined(HAVE_PAM_PAM_APPL_H)
|
|---|
| 10 | #include <pam/pam_appl.h>
|
|---|
| 11 | #endif
|
|---|
| 12 | #endif /* LINUX */
|
|---|
| 13 |
|
|---|
| 14 | #if defined(HAVE_SECURITY_PAM_MODULES_H)
|
|---|
| 15 | #include <security/pam_modules.h>
|
|---|
| 16 | #elif defined(HAVE_PAM_PAM_MODULES_H)
|
|---|
| 17 | #include <pam/pam_modules.h>
|
|---|
| 18 | #endif
|
|---|
| 19 |
|
|---|
| 20 | #ifndef PAM_AUTHTOK_RECOVER_ERR
|
|---|
| 21 | #define PAM_AUTHTOK_RECOVER_ERR PAM_AUTHTOK_RECOVERY_ERR
|
|---|
| 22 | #endif
|
|---|
| 23 |
|
|---|
| 24 | #include <stdio.h>
|
|---|
| 25 | #include <stdlib.h>
|
|---|
| 26 | #include <syslog.h>
|
|---|
| 27 | #include <unistd.h>
|
|---|
| 28 | #include <sys/types.h>
|
|---|
| 29 | #include <sys/stat.h>
|
|---|
| 30 | #include <sys/wait.h>
|
|---|
| 31 |
|
|---|
| 32 | /*
|
|---|
| 33 | * here is the string to inform the user that the new passwords they
|
|---|
| 34 | * typed were not the same.
|
|---|
| 35 | */
|
|---|
| 36 |
|
|---|
| 37 | #define MISTYPED_PASS "Sorry, passwords do not match"
|
|---|
| 38 |
|
|---|
| 39 | /* type definition for the control options */
|
|---|
| 40 |
|
|---|
| 41 | typedef struct {
|
|---|
| 42 | const char *token;
|
|---|
| 43 | unsigned int mask; /* shall assume 32 bits of flags */
|
|---|
| 44 | unsigned int flag;
|
|---|
| 45 | } SMB_Ctrls;
|
|---|
| 46 |
|
|---|
| 47 | #ifndef False
|
|---|
| 48 | #define False (0)
|
|---|
| 49 | #endif
|
|---|
| 50 |
|
|---|
| 51 | #ifndef True
|
|---|
| 52 | #define True (1)
|
|---|
| 53 | #endif
|
|---|
| 54 |
|
|---|
| 55 | /* macro to determine if a given flag is on */
|
|---|
| 56 | #define on(x,ctrl) (smb_args[x].flag & ctrl)
|
|---|
| 57 |
|
|---|
| 58 | /* macro to determine that a given flag is NOT on */
|
|---|
| 59 | #define off(x,ctrl) (!on(x,ctrl))
|
|---|
| 60 |
|
|---|
| 61 | /* macro to turn on/off a ctrl flag manually */
|
|---|
| 62 | #define set(x,ctrl) (ctrl = ((ctrl)&smb_args[x].mask)|smb_args[x].flag)
|
|---|
| 63 | #define unset(x,ctrl) (ctrl &= ~(smb_args[x].flag))
|
|---|
| 64 |
|
|---|
| 65 | /* the generic mask */
|
|---|
| 66 | #define _ALL_ON_ (~0U)
|
|---|
| 67 |
|
|---|
| 68 | /* end of macro definitions definitions for the control flags */
|
|---|
| 69 |
|
|---|
| 70 | /*
|
|---|
| 71 | * These are the options supported by the smb password module, very
|
|---|
| 72 | * similar to the pwdb options
|
|---|
| 73 | */
|
|---|
| 74 |
|
|---|
| 75 | #define SMB__OLD_PASSWD 0 /* internal */
|
|---|
| 76 | #define SMB__VERIFY_PASSWD 1 /* internal */
|
|---|
| 77 |
|
|---|
| 78 | #define SMB_AUDIT 2 /* print more things than debug..
|
|---|
| 79 | some information may be sensitive */
|
|---|
| 80 | #define SMB_USE_FIRST_PASS 3
|
|---|
| 81 | #define SMB_TRY_FIRST_PASS 4
|
|---|
| 82 | #define SMB_NOT_SET_PASS 5 /* don't set the AUTHTOK items */
|
|---|
| 83 |
|
|---|
| 84 | #define SMB__NONULL 6 /* internal */
|
|---|
| 85 | #define SMB__QUIET 7 /* internal */
|
|---|
| 86 | #define SMB_USE_AUTHTOK 8 /* insist on reading PAM_AUTHTOK */
|
|---|
| 87 | #define SMB__NULLOK 9 /* Null token ok */
|
|---|
| 88 | #define SMB_DEBUG 10 /* send more info to syslog(3) */
|
|---|
| 89 | #define SMB_NODELAY 11 /* admin does not want a fail-delay */
|
|---|
| 90 | #define SMB_MIGRATE 12 /* Does no authentication, just
|
|---|
| 91 | updates the smb database. */
|
|---|
| 92 | #define SMB_CONF_FILE 13 /* Alternate location of smb.conf */
|
|---|
| 93 |
|
|---|
| 94 | #define SMB_CTRLS_ 14 /* number of ctrl arguments defined */
|
|---|
| 95 |
|
|---|
| 96 | static const SMB_Ctrls smb_args[SMB_CTRLS_] = {
|
|---|
| 97 | /* symbol token name ctrl mask ctrl *
|
|---|
| 98 | * ------------------ ------------------ -------------- ---------- */
|
|---|
| 99 |
|
|---|
| 100 | /* SMB__OLD_PASSWD */ { NULL, _ALL_ON_, 01 },
|
|---|
| 101 | /* SMB__VERIFY_PASSWD */ { NULL, _ALL_ON_, 02 },
|
|---|
| 102 | /* SMB_AUDIT */ { "audit", _ALL_ON_, 04 },
|
|---|
| 103 | /* SMB_USE_FIRST_PASS */ { "use_first_pass", _ALL_ON_^(030), 010 },
|
|---|
| 104 | /* SMB_TRY_FIRST_PASS */ { "try_first_pass", _ALL_ON_^(030), 020 },
|
|---|
| 105 | /* SMB_NOT_SET_PASS */ { "not_set_pass", _ALL_ON_, 040 },
|
|---|
| 106 | /* SMB__NONULL */ { "nonull", _ALL_ON_, 0100 },
|
|---|
| 107 | /* SMB__QUIET */ { NULL, _ALL_ON_, 0200 },
|
|---|
| 108 | /* SMB_USE_AUTHTOK */ { "use_authtok", _ALL_ON_, 0400 },
|
|---|
| 109 | /* SMB__NULLOK */ { "nullok", _ALL_ON_^(0100), 0 },
|
|---|
| 110 | /* SMB_DEBUG */ { "debug", _ALL_ON_, 01000 },
|
|---|
| 111 | /* SMB_NODELAY */ { "nodelay", _ALL_ON_, 02000 },
|
|---|
| 112 | /* SMB_MIGRATE */ { "migrate", _ALL_ON_^(0100), 04000 },
|
|---|
| 113 | /* SMB_CONF_FILE */ { "smbconf=", _ALL_ON_, 0 },
|
|---|
| 114 | };
|
|---|
| 115 |
|
|---|
| 116 | #define SMB_DEFAULTS (smb_args[SMB__NONULL].flag)
|
|---|
| 117 |
|
|---|
| 118 | /*
|
|---|
| 119 | * the following is used to keep track of the number of times a user fails
|
|---|
| 120 | * to authenticate themself.
|
|---|
| 121 | */
|
|---|
| 122 |
|
|---|
| 123 | #define SMB_MAX_RETRIES 3
|
|---|
| 124 |
|
|---|
| 125 | struct _pam_failed_auth {
|
|---|
| 126 | char *user; /* user that's failed to be authenticated */
|
|---|
| 127 | uid_t id; /* uid of requested user */
|
|---|
| 128 | char *agent; /* attempt from user with name */
|
|---|
| 129 | int count; /* number of failures so far */
|
|---|
| 130 | };
|
|---|
| 131 |
|
|---|
| 132 | /*
|
|---|
| 133 | * General use functions go here
|
|---|
| 134 | */
|
|---|
| 135 |
|
|---|
| 136 | /* from support.c */
|
|---|
| 137 | int make_remark(pam_handle_t *, unsigned int, int, const char *);
|
|---|
