authtok_store.c revision 7c478bd95313f5f23a4c958a745db2134aa03244
/*
* CDDL HEADER START
*
* The contents of this file are subject to the terms of the
* Common Development and Distribution License, Version 1.0 only
* (the "License"). You may not use this file except in compliance
* with the License.
*
* You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
* See the License for the specific language governing permissions
* and limitations under the License.
*
* When distributing Covered Code, include this CDDL HEADER in each
* file and include the License file at usr/src/OPENSOLARIS.LICENSE.
* If applicable, add the following below this CDDL HEADER, with the
* fields enclosed by brackets "[]" replaced with your own identifying
* information: Portions Copyright [yyyy] [name of copyright owner]
*
* CDDL HEADER END
*/
/*
* Copyright 2004 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
#pragma ident "%Z%%M% %I% %E% SMI"
#include <string.h>
#include <syslog.h>
#include <stdlib.h>
#include <security/pam_appl.h>
#include <security/pam_modules.h>
#include <security/pam_impl.h>
#include <libintl.h>
#include <passwdutil.h>
#define SUNW_OLDRPCPASS "SUNW-OLD-RPC-PASSWORD"
/*PRINTFLIKE3*/
void
{
if (nowarn == 0)
NULL);
}
#if defined(ENABLE_AGING)
/*
* test if authtok is aged.
* returns 1 if it is, 0 otherwise
*/
static int
{
(const void **)status) != PAM_SUCCESS)
return (0);
}
#endif
int
{
int i;
int debug = 0;
int nowarn = 0;
attrlist l;
char *user;
char *oldpw;
char *oldrpcpw = "*NP*";
char *newpw;
char *service;
struct pam_repository *auth_rep;
int res;
int updated_reps = 0;
int server_policy = 0;
for (i = 0; i < argc; i++) {
debug = 1;
nowarn = 1;
server_policy = 1;
}
if ((flags & PAM_PRELIM_CHECK) != 0)
return (PAM_IGNORE);
if ((flags & PAM_UPDATE_AUTHTOK) == 0)
return (PAM_SYSTEM_ERR);
if ((flags & PAM_SILENT) != 0)
nowarn = 1;
if (debug)
#if defined(ENABLE_AGING)
return (PAM_IGNORE)
}
#endif
if (res != PAM_SUCCESS) {
return (PAM_SYSTEM_ERR);
}
if (res != PAM_SUCCESS) {
return (PAM_SYSTEM_ERR);
}
return (PAM_USER_UNKNOWN);
}
if (res != PAM_SUCCESS) {
return (PAM_SYSTEM_ERR);
}
/*
* A module on the stack has removed PAM_AUTHTOK. We fail
*/
return (PAM_SYSTEM_ERR);
}
/*
* If the server_policy option is specified,
* use the special attribute, ATTR_PASSWD_SERVER_POLICY,
* to tell the update routine for each repository
* to perform the necessary special operations.
* For now, only the LDAP routine treats this attribute
* differently that ATTR_PASSWD. It will skip the
* crypting of the password before storing it in the LDAP
* server. NIS, NISPLUS, and FILES will handle
* ATTR_PASSWD_SERVER_POLICY the same as ATTR_PASSWD.
*/
if (server_policy)
else
l.type = ATTR_PASSWD;
if (res != PAM_SUCCESS) {
return (PAM_SYSTEM_ERR);
}
} else {
return (PAM_BUF_ERR);
}
/*
* The pam_dhkeys module might have set SUNW_OLDRPCPASS if it
* discovered that the user's old password doesn't decrypt the
* user's secure RPC credentials. In that case, the
* item SUNW_OLDRPCPASS contains the correct password to
* decrypt these credentials.
*/
return (PAM_SYSTEM_ERR);
}
&updated_reps);
if (pwu_rep != PWU_DEFAULT_REP)
/*
* now map the various passwdutil return states to user messages
* and PAM return codes.
*/
switch (res) {
case PWU_SUCCESS:
if ((updated_reps & i) == 0)
continue;
"%s: password successfully changed for %s"),
}
/*
* If we have updated NIS+, and we got SUCCESS (not one of
* the partial failures), this indicates that the credential
* update went well too... Inform the user
*/
if (updated_reps & REP_NISPLUS)
"%s: credential information changed for %s"),
res = PAM_SUCCESS;
break;
case PWU_BUSY:
"%s: Password database busy. Try again later."),
service);
break;
case PWU_STAT_FAILED:
break;
case PWU_OPEN_FAILED:
case PWU_WRITE_FAILED:
case PWU_CLOSE_FAILED:
case PWU_UPDATE_FAILED:
"%s: Unexpected failure. Password database unchanged."),
service);
break;
case PWU_NOT_FOUND:
/* Different error if repository was explicitly specified */
"%s: System error: no %s password for %s."),
} else {
}
break;
case PWU_NOMEM:
"%s: Internal memory allocation failure."), service);
res = PAM_BUF_ERR;
break;
case PWU_SERVER_ERROR:
break;
case PWU_SYSTEM_ERROR:
break;
case PWU_DENIED:
break;
case PWU_NO_CHANGE:
/*
* yppasswdd detected that we're not changing anything.
*/
"%s: Password information unchanged."), service);
res = PAM_SUCCESS;
break;
case PWU_REPOSITORY_ERROR:
"unsupported configuration in /etc/nsswitch.conf.");
"%s: System error: repository out of range."), service);
break;
case PWU_RECOVERY_ERR:
break;
case PWU_NO_PRIV_CRED_UPDATE:
/*
* A privileged process has updated a user's password.
* In this case, the password will be updated, but the
* credentials won't. This is not a failure, but we need
* to inform the user about it, and return PAM_SUCCESS
*/
/* First inform the user about the passsword update */
"%s: password successfully changed for %s"),
/* and now the bad news */
"The Secure RPC credential information for %s "
"will not be changed."), user);
"passwd for keylogin."));
"credentials with the"));
"after their next login."));
res = PAM_SUCCESS;
break;
case PWU_UPDATED_SOME_CREDS:
"%s: password successfully changed for %s"),
"WARNING: some but not all credentials were reencrypted "
"for user %s"), user);
res = PAM_SUCCESS;
break;
case PWU_PWD_TOO_SHORT:
break;
case PWU_PWD_INVALID:
service);
break;
case PWU_PWD_IN_HISTORY:
"allowed, the new password is in the history list."),
service);
break;
case PWU_CHANGE_NOT_ALLOWED:
"this password."), service);
break;
case PWU_WITHIN_MIN_AGE:
"%s: Password can not be changed yet, "
"not enough time has passed."), service);
break;
default:
break;
}
return (res);
}