Diffstat (limited to 'usr/src/lib/pam_modules')
-rw-r--r--usr/src/lib/pam_modules/authtok_get/authtok_get.c62
-rw-r--r--usr/src/lib/pam_modules/unix_account/unix_acct.c96
-rw-r--r--usr/src/lib/pam_modules/unix_auth/unix_auth.c25
3 files changed, 111 insertions, 72 deletions
diff --git a/usr/src/lib/pam_modules/authtok_get/authtok_get.c b/usr/src/lib/pam_modules/authtok_get/authtok_get.c
index 7e1b13a063..692843a628 100644
--- a/usr/src/lib/pam_modules/authtok_get/authtok_get.c
+++ b/usr/src/lib/pam_modules/authtok_get/authtok_get.c
@@ -2,9 +2,8 @@
* CDDL HEADER START
*
* The contents of this file are subject to the terms of the
- * Common Development and Distribution License, Version 1.0 only
- * (the "License"). You may not use this file except in compliance
- * with the License.
+ * Common Development and Distribution License (the "License").
+ * You may not use this file except in compliance with the License.
*
* You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
* or http://www.opensolaris.org/os/licensing.
@@ -20,12 +19,10 @@
* CDDL HEADER END
*/
/*
- * Copyright 2005 Sun Microsystems, Inc. All rights reserved.
+ * Copyright 2008 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
-#pragma ident "%Z%%M% %I% %E% SMI"
-
#include <sys/varargs.h>
#include <string.h>
#include <stdlib.h>
@@ -77,13 +74,14 @@ read_authtok(pam_handle_t *pamh, int debug)
return (res);
if (authtok != NULL) {
res = pam_set_item(pamh, PAM_OLDAUTHTOK,
- (void *)authtok);
+ (void *)authtok);
if (res == PAM_SUCCESS)
res = pam_set_item(pamh, PAM_AUTHTOK, NULL);
if (debug)
- syslog(LOG_DEBUG, "read_authtok: Copied "
- "AUTHTOK to OLDAUTHTOK");
+ __pam_log(LOG_AUTH | LOG_DEBUG,
+ "read_authtok: Copied AUTHTOK to "
+ "OLDAUTHTOK");
if (res != PAM_SUCCESS)
goto out;
@@ -153,7 +151,8 @@ verify_authtok(pam_handle_t *pamh, int debug)
char *pwd;
if (debug)
- syslog(LOG_DEBUG, "pam_authtok_get: verifying authtok");
+ __pam_log(LOG_AUTH | LOG_DEBUG,
+ "pam_authtok_get: verifying authtok");
/*
* All we need to do, is make sure that the user re-enters
@@ -185,7 +184,8 @@ verify_authtok(pam_handle_t *pamh, int debug)
}
if (debug)
- syslog(LOG_DEBUG, "pam_authtok_get: new password verified");
+ __pam_log(LOG_AUTH | LOG_DEBUG,
+ "pam_authtok_get: new password verified");
(void) memset(pwd, 0, strlen(pwd));
free(pwd);
@@ -236,20 +236,21 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv)
debug = 1;
if (debug)
- syslog(LOG_DEBUG, "pam_authtok_get:pam_sm_authenticate: "
- "flags = %d", flags);
+ __pam_log(LOG_AUTH | LOG_DEBUG,
+ "pam_authtok_get:pam_sm_authenticate: flags = %d", flags);
if ((res = pam_get_user(pamh, &user, NULL)) != PAM_SUCCESS) {
if (debug)
- syslog(LOG_DEBUG,
+ __pam_log(LOG_AUTH | LOG_DEBUG,
"pam_authtok_get: get user failed: %s",
pam_strerror(pamh, res));
return (res);
}
if (user == NULL || *user == '\0') {
- syslog(LOG_ERR, "pam_authtok_get: pam_sm_authenticate: "
- "PAM_USER NULL or empty");
+ __pam_log(LOG_AUTH | LOG_ERR,
+ "pam_authtok_get: pam_sm_authenticate: PAM_USER NULL or "
+ "empty");
return (PAM_SYSTEM_ERR);
}
@@ -267,7 +268,8 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv)
res = pam_get_item(pamh, PAM_REPOSITORY, (void **)&auth_rep);
if (res != PAM_SUCCESS) {
- syslog(LOG_ERR, "pam_authtok_get: error getting repository");
+ __pam_log(LOG_AUTH | LOG_ERR,
+ "pam_authtok_get: error getting repository");
return (PAM_SYSTEM_ERR);
}
@@ -292,6 +294,9 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv)
if (res == PWU_SUCCESS &&
(al[0].data.val_s == NULL || al[0].data.val_s[0] == '\0')) {
+ char *service = NULL;
+ char *rhost = NULL;
+
/*
* if PAM_DIASALLOW_NULL_AUTHTOK has not been set, we
* simply return IGNORE
@@ -300,11 +305,18 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv)
return (PAM_IGNORE);
/*
- * NULL authtoks are not allowed, so we need to
- * fail. We will ask for a password to mask the
- * failure however.
+ * NULL authtoks are not allowed, so we need to fail.
+ * We will ask for a password to mask the failure however.
*/
-
+ (void) pam_get_item(pamh, PAM_RHOST, (void **)&rhost);
+ (void) pam_get_item(pamh, PAM_SERVICE, (void **)&service);
+ if (service == NULL)
+ service = "unknown";
+ if (rhost == NULL || *rhost == '\0')
+ rhost = "localhost";
+ __pam_log(LOG_AUTH | LOG_NOTICE,
+ "pam_authtok_get: %s: empty password not allowed for "
+ "%s from %s.", service, user, rhost);
fail = 1;
}
if (al[0].data.val_s != NULL) {
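Review bot: The new LOG_NOTICE entry prints the PAM_SERVICE and PAM_RHOST items verbatim; the PAM_RHOST value is supplied by the calling application and commonly originates from the remote peer, so unless __pam_log strips control characters (not visible here) a hostname containing newlines could break the structure of the audit log, and the value should be sanitized before it is formatted. The fallbacks chosen here (`service = "unknown"`, `rhost = "localhost"`) also differ from the same-commit block in unix_acct.c, which uses "local host" and gives `service` no fallback at all; one shared wording for the three modules would make the resulting log lines easier to correlate. The enclosing pam_sm_authenticate() starts and ends outside this hunk.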
@@ -322,12 +334,14 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv)
(void) memset(password, 0, strlen(password));
free(password);
} else if (debug) {
- syslog(LOG_DEBUG, "pam_authtok_get: pam_sm_authenticate: "
- "got NULL password from get_authtok()");
+ __pam_log(LOG_AUTH | LOG_DEBUG,
+ "pam_authtok_get: pam_sm_authenticate: "
+ "got NULL password from get_authtok()");
}
if (fail) {
- syslog(LOG_DEBUG, "pam_authtok_get:pam_sm_authenticate: "
+ __pam_log(LOG_AUTH | LOG_DEBUG,
+ "pam_authtok_get:pam_sm_authenticate: "
"failing because NULL authtok not allowed");
return (PAM_AUTH_ERR);
} else
diff --git a/usr/src/lib/pam_modules/unix_account/unix_acct.c b/usr/src/lib/pam_modules/unix_account/unix_acct.c
index 35a2ccf168..d064fc6bdb 100644
--- a/usr/src/lib/pam_modules/unix_account/unix_acct.c
+++ b/usr/src/lib/pam_modules/unix_account/unix_acct.c
@@ -102,7 +102,8 @@ check_for_login_inactivity(
* Read the last login (ll) time
*/
if (llseek(fdl, offset, SEEK_SET) != offset) {
- syslog(LOG_ERR, "pam_unix_acct: pam_sm_acct_mgmt: "
+ __pam_log(LOG_AUTH | LOG_ERR,
+ "pam_unix_acct: pam_sm_acct_mgmt: "
"can't obtain last login info on uid %d "
"(uid too large)", pw_uid);
return (0);
@@ -122,7 +123,7 @@ check_for_login_inactivity(
* then account inactive too long and no access.
*/
if (((time_t)((ll.ll_time / DAY) + shpwd->sp_inact)
- < DAY_NOW) &&
+ < DAY_NOW) &&
(shpwd->sp_lstchg != 0) &&
(shpwd->sp_lstchg != -1) &&
((shpwd->sp_lstchg + shpwd->sp_inact) < DAY_NOW)) {
@@ -146,8 +147,7 @@ check_for_login_inactivity(
*/
static int
-new_password_check(pw_uid, shpwd, flags)
- uid_t pw_uid;
+new_password_check(shpwd, flags)
struct spwd *shpwd;
int flags;
{
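Review bot: Since the signature of new_password_check() is being rewritten anyway, the K&R-style definition could be converted to the prototype form the rest of the file already uses (pam_sm_acct_mgmt is declared `pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, int argc, const char **argv)`): `static int` / `new_password_check(struct spwd *shpwd, int flags)` / `{`. The comment block that precedes this definition is cut off by the hunk; if it still describes a `pw_uid` argument it needs the same update. The function body continues past the end of the hunk.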
@@ -162,8 +162,7 @@ new_password_check(pw_uid, shpwd, flags)
if ((flags & PAM_DISALLOW_NULL_AUTHTOK) != 0) {
if (shpwd->sp_pwdp[0] == '\0') {
- if ((pw_uid != 0) &&
- ((shpwd->sp_max == -1) ||
+ if (((shpwd->sp_max == -1) ||
((time_t)shpwd->sp_lstchg > now) ||
((now >= (time_t)(shpwd->sp_lstchg +
shpwd->sp_min)) &&
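Review bot: The `sp_pwdp[0] == '\0'` branch under PAM_DISALLOW_NULL_AUTHTOK appears to be unreachable after this commit, because the "Check for NULL password" block added earlier in pam_sm_acct_mgmt() already returns PAM_PERM_DENIED for exactly that combination before new_password_check() is called. If pam_sm_acct_mgmt() is the only caller (not verifiable from the hunk), the inner condition is dead and can be removed, or kept with a comment such as `/* unreachable from pam_sm_acct_mgmt: empty passwords are rejected there */` so a later reader does not treat it as the enforcing check. The now-redundant outer parentheses left by removing `(pw_uid != 0) &&` (`if (((shpwd->sp_max == -1) ||`) should be trimmed at the same time. The function starts and ends outside this hunk.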
@@ -254,20 +253,20 @@ warn_user_passwd_will_expire(
days = (time_t)(shpwd.sp_lstchg + shpwd.sp_max) - now;
if (days <= 0)
(void) snprintf(messages[0],
- sizeof (messages[0]),
- dgettext(TEXT_DOMAIN,
- "Your password will expire within 24 hours."));
+ sizeof (messages[0]),
+ dgettext(TEXT_DOMAIN,
+ "Your password will expire within 24 hours."));
else if (days == 1)
(void) snprintf(messages[0],
- sizeof (messages[0]),
- dgettext(TEXT_DOMAIN,
- "Your password will expire in 1 day."));
+ sizeof (messages[0]),
+ dgettext(TEXT_DOMAIN,
+ "Your password will expire in 1 day."));
else
(void) snprintf(messages[0],
- sizeof (messages[0]),
- dgettext(TEXT_DOMAIN,
- "Your password will expire in %d days."),
- (int)days);
+ sizeof (messages[0]),
+ dgettext(TEXT_DOMAIN,
+ "Your password will expire in %d days."),
+ (int)days);
(void) __pam_display_msg(pamh, PAM_TEXT_INFO, 1, messages,
NULL);
@@ -306,18 +305,18 @@ pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, int argc, const char **argv)
else if (strcasecmp(argv[i], "nowarn") == 0) {
flags = flags | PAM_SILENT;
} else {
- syslog(LOG_ERR,
- "ACCOUNT:pam_sm_acct_mgmt: illegal option %s",
- argv[i]);
+ __pam_log(LOG_AUTH | LOG_ERR,
+ "ACCOUNT:pam_sm_acct_mgmt: illegal option %s",
+ argv[i]);
}
}
if (debug)
- syslog(LOG_AUTH | LOG_DEBUG,
+ __pam_log(LOG_AUTH | LOG_DEBUG,
"pam_unix_account: entering pam_sm_acct_mgmt()");
if ((error = pam_get_item(pamh, PAM_USER, (void **)&user))
- != PAM_SUCCESS)
+ != PAM_SUCCESS)
goto out;
if (user == NULL) {
@@ -327,7 +326,7 @@ pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, int argc, const char **argv)
shpwd.sp_namp = user;
if ((error = pam_get_item(pamh, PAM_REPOSITORY, (void **)&auth_rep))
- != PAM_SUCCESS)
+ != PAM_SUCCESS)
goto out;
if (auth_rep == NULL) {
@@ -415,13 +414,13 @@ pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, int argc, const char **argv)
pw = NOPWDRTR;
if (result == PWU_DENIED) {
- syslog(LOG_AUTH | LOG_DEBUG,
- "pam_unix_account: %s: permission denied "
- "to access password aging information. "
- "Using defaults.", user);
+ __pam_log(LOG_AUTH | LOG_DEBUG,
+ "pam_unix_account: %s: permission denied "
+ "to access password aging information. "
+ "Using defaults.", user);
}
- syslog(LOG_AUTH | LOG_DEBUG,
+ __pam_log(LOG_AUTH | LOG_DEBUG,
"%s Policy:Unix, pw=%s, lstchg=%d, min=%d, max=%d, "
"warn=%d, inact=%d, expire=%d",
user, pw, shpwd.sp_lstchg, shpwd.sp_min, shpwd.sp_max,
@@ -464,6 +463,25 @@ pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, int argc, const char **argv)
}
/*
+ * Check for NULL password and, if so, see if such is allowed
+ */
+ if (shpwd.sp_pwdp[0] == '\0' &&
+ (flags & PAM_DISALLOW_NULL_AUTHTOK) != 0) {
+ char *service;
+ char *rhost = NULL;
+
+ (void) pam_get_item(pamh, PAM_SERVICE, (void **)&service);
+ (void) pam_get_item(pamh, PAM_RHOST, (void **)&rhost);
+
+ __pam_log(LOG_AUTH | LOG_NOTICE,
+ "pam_unix_account: %s: empty password not allowed for "
+ "account %s from %s", service, user,
+ (rhost != NULL && *rhost != '\0') ? rhost : "local host");
+ error = PAM_PERM_DENIED;
+ goto out;
+ }
+
+ /*
* Check for account expiration
*/
if (shpwd.sp_expire > 0 &&
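Review bot: `char *service;` is declared without an initializer and the result of the following pam_get_item() is discarded, so if the call fails without storing a value the uninitialized pointer is passed to `%s`, and if the PAM_SERVICE item is simply unset a NULL pointer is; `rhost` is guarded but `service` is not. The authtok_get.c hunk of this same commit handles both cases, and matching it here means `char *service = NULL;` followed by `if (service == NULL)` / `service = "unknown";` before the __pam_log() call. The "local host" fallback also differs from the "localhost" used in authtok_get.c; one spelling across the modules makes the log lines easier to correlate. The enclosing pam_sm_acct_mgmt() starts and ends outside this hunk.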
@@ -483,7 +501,7 @@ pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, int argc, const char **argv)
/*
* Check to see if the user needs to change their password
*/
- if (error = new_password_check(pw_uid, &shpwd, flags)) {
+ if (error = new_password_check(&shpwd, flags)) {
goto out;
}
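Review bot: The rewritten call keeps an assignment as the whole condition, `if (error = new_password_check(&shpwd, flags)) {`, which reads as a possible `==` typo and is inconsistent with the perform_passwd_aging_check() check a few lines below that compares explicitly. Preferable, and already the file's style elsewhere: `if ((error = new_password_check(&shpwd, flags)) != PAM_SUCCESS) {`. The enclosing function starts and ends outside this hunk.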
@@ -491,7 +509,7 @@ pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, int argc, const char **argv)
* Check to make sure password aging information is okay
*/
if ((error = perform_passwd_aging_check(pamh, &shpwd, flags))
- != PAM_SUCCESS) {
+ != PAM_SUCCESS) {
goto out;
}
@@ -514,10 +532,10 @@ out:
unix_authtok_data *authtok_data;
if (debug) {
- syslog(LOG_AUTH | LOG_DEBUG,
- "pam_unix_account: %s: %s",
- (user == NULL)?"NULL":user,
- pam_strerror(pamh, error));
+ __pam_log(LOG_AUTH | LOG_DEBUG,
+ "pam_unix_account: %s: %s",
+ (user == NULL)?"NULL":user,
+ pam_strerror(pamh, error));
}
if (repository_name)
@@ -530,21 +548,21 @@ out:
}
/* store the password aging status in the pam handle */
- pam_res = pam_get_data(
- pamh, UNIX_AUTHTOK_DATA, (const void **)&authtok_data);
+ pam_res = pam_get_data(pamh, UNIX_AUTHTOK_DATA,
+ (const void **)&authtok_data);
- if ((status = (unix_authtok_data *)calloc
- (1, sizeof (unix_authtok_data))) == NULL) {
+ if ((status = (unix_authtok_data *)calloc(1,
+ sizeof (unix_authtok_data))) == NULL) {
return (PAM_BUF_ERR);
}
if (pam_res == PAM_SUCCESS)
(void) memcpy(status, authtok_data,
- sizeof (unix_authtok_data));
+ sizeof (unix_authtok_data));
status->age_status = error;
if (pam_set_data(pamh, UNIX_AUTHTOK_DATA, status, unix_cleanup)
- != PAM_SUCCESS) {
+ != PAM_SUCCESS) {
free(status);
return (PAM_SERVICE_ERR);
}
diff --git a/usr/src/lib/pam_modules/unix_auth/unix_auth.c b/usr/src/lib/pam_modules/unix_auth/unix_auth.c
index dd15958591..d0e8992279 100644
--- a/usr/src/lib/pam_modules/unix_auth/unix_auth.c
+++ b/usr/src/lib/pam_modules/unix_auth/unix_auth.c
@@ -168,21 +168,23 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv)
}
if (debug)
- syslog(LOG_DEBUG,
+ __pam_log(LOG_AUTH | LOG_DEBUG,
"pam_unix_auth: entering pam_sm_authenticate()");
if (pam_get_item(pamh, PAM_USER, (void **)&user) != PAM_SUCCESS) {
- syslog(LOG_DEBUG, "pam_unix_auth: USER not set");
+ __pam_log(LOG_AUTH | LOG_DEBUG, "pam_unix_auth: USER not set");
return (PAM_SYSTEM_ERR);
}
if (user == NULL || *user == '\0') {
- syslog(LOG_DEBUG, "pam_unix_auth: USER NULL or empty!\n");
+ __pam_log(LOG_AUTH | LOG_DEBUG,
+ "pam_unix_auth: USER NULL or empty!\n");
return (PAM_USER_UNKNOWN);
}
if (pam_get_item(pamh, PAM_AUTHTOK, (void **)&passwd) != PAM_SUCCESS) {
- syslog(LOG_DEBUG, "pam_unix_auth: AUTHTOK not set!\n");
+ __pam_log(LOG_AUTH | LOG_DEBUG,
+ "pam_unix_auth: AUTHTOK not set!\n");
return (PAM_SYSTEM_ERR);
}
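Review bot: The messages rewrapped for __pam_log still carry a trailing `\n` (`"pam_unix_auth: USER NULL or empty!\n"`, `"pam_unix_auth: AUTHTOK not set!\n"`, and `"pam_unix_auth: user %s not found\n"` in the next hunk); whether __pam_log strips a trailing newline is not visible here, but the other messages in this commit do not carry one, so the newline is most likely an artifact of the old syslog() calls and can be dropped while these lines are being touched. The enclosing pam_sm_authenticate() starts and ends outside this hunk.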
@@ -219,13 +221,14 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv)
free(pwu_rep);
if (result == PWU_NOT_FOUND) {
- syslog(LOG_DEBUG, "pam_unix_auth: user %s not found\n",
- user);
+ __pam_log(LOG_AUTH | LOG_DEBUG,
+ "pam_unix_auth: user %s not found\n", user);
return (PAM_USER_UNKNOWN);
}
if (result == PWU_DENIED) {
- syslog(LOG_DEBUG, "pam_unix_auth: failed to obtain attributes");
+ __pam_log(LOG_AUTH | LOG_DEBUG,
+ "pam_unix_auth: failed to obtain attributes");
return (PAM_PERM_DENIED);
}
@@ -256,6 +259,9 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv)
if (rep_passwd == NULL || *rep_passwd == '\0') {
if (flags & PAM_DISALLOW_NULL_AUTHTOK) {
result = PAM_AUTH_ERR;
+ __pam_log(LOG_AUTH | LOG_NOTICE,
+ "pam_unix_auth: empty password for %s not allowed.",
+ user);
goto out;
} else {
result = PAM_SUCCESS;
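Review bot: The new LOG_NOTICE line names only the user, whereas the equivalent rejections this commit adds in authtok_get.c and unix_acct.c also record the PAM_SERVICE and PAM_RHOST items, which is the context an operator needs to tell a local login from a remote one when reviewing these notices. Fetching the two items here, with the same NULL fallbacks, would keep the three modules' log lines consistent; the rewritten lines are below. The enclosing pam_sm_authenticate() starts and ends outside this hunk.
```c
		if (flags & PAM_DISALLOW_NULL_AUTHTOK) {
			char *service = NULL;
			char *rhost = NULL;

			result = PAM_AUTH_ERR;
			(void) pam_get_item(pamh, PAM_SERVICE, (void **)&service);
			(void) pam_get_item(pamh, PAM_RHOST, (void **)&rhost);
			__pam_log(LOG_AUTH | LOG_NOTICE,
			    "pam_unix_auth: %s: empty password not allowed for "
			    "%s from %s.",
			    (service != NULL) ? service : "unknown", user,
			    (rhost != NULL && *rhost != '\0') ? rhost : "localhost");
			goto out;
		} else {
			/* … unchanged: result = PAM_SUCCESS … */
```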
@@ -278,14 +284,15 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv)
* while we've obtained it from NIS+, it
* means that the permissions on the NIS+ table are too tight
* for us to get the password without having Secure RPC
- * Credentials. In that case, we syslog an error stating that
+ * Credentials. In that case, we log an error stating that
* the Secure RPC credential Module should be on the PAM stack
* before the unix_auth module. We also tell the user to go
* and inform the administrator of this error.
*/
if (strcmp(repository_name, "nisplus") == 0 &&
strcmp(rep_passwd, NOPWDRTR) == 0) {
- syslog(LOG_ERR, "pam_unix_auth: NIS+ permissions require that"
+ __pam_log(LOG_AUTH | LOG_ERR,
+ "pam_unix_auth: NIS+ permissions require that"
"the pam_dhkeys module is on the PAM stack before "
"pam_unix_auth");
if (nowarn == 0) {
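Review bot: The rewrapped error message is missing a space at the literal boundary: `"pam_unix_auth: NIS+ permissions require that"` is followed by `"the pam_dhkeys module is on the PAM stack before "`, so the logged text reads "require thatthe pam_dhkeys module". The first literal on the new side should end with a space, `"pam_unix_auth: NIS+ permissions require that "`. The enclosing pam_sm_authenticate() starts and ends outside this hunk.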