unix_auth.c revision 66e150d7d3c0cb2de3c45c74612784ffd3e73de6
/*
* CDDL HEADER START
*
* The contents of this file are subject to the terms of the
* Common Development and Distribution License (the "License").
* You may not use this file except in compliance with the License.
*
* You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
* See the License for the specific language governing permissions
* and limitations under the License.
*
* When distributing Covered Code, include this CDDL HEADER in each
* file and include the License file at usr/src/OPENSOLARIS.LICENSE.
* If applicable, add the following below this CDDL HEADER, with the
* fields enclosed by brackets "[]" replaced with your own identifying
* information: Portions Copyright [yyyy] [name of copyright owner]
*
* CDDL HEADER END
*/
/*
* Copyright 2008 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*/
#include <stdlib.h>
#include <pwd.h>
#include <shadow.h>
#include <syslog.h>
#include <errno.h>
#include <string.h>
#include <crypt.h>
#include <unistd.h>
#include <user_attr.h>
#include <auth_attr.h>
#include <userdefs.h>
#include <deflt.h>
#include <stdarg.h>
#include <security/pam_appl.h>
#include <security/pam_modules.h>
#include <security/pam_impl.h>
#include <libintl.h>
#include <passwdutil.h>
#define LOGINADMIN "/etc/default/login"
#define MAXTRYS 5
/*PRINTFLIKE2*/
void
{
}
static int
get_max_failed(char *user)
{
int do_lock = 0;
int retval = 0;
char *p;
else if (defopen(AUTH_POLICY) == 0) {
int flags;
}
if (do_lock) {
if (defopen(LOGINADMIN) == 0) {
}
}
return (retval);
}
static void
{
char hushpath[MAXPATHLEN];
return;
if (failures == 1)
"successful login.");
else if (failures < FAILCOUNT_MASK)
"successful login.", failures);
else
"last successful login.", failures);
}
/*
* int pam_sm_authenticate(pamh, flags, arc, argv)
*
* This routine verifies that the password as stored in the
* PAM_AUTHTOK item is indeed the password that belongs to the user
* as stored in PAM_USER.
*
* This routine will not establish Secure RPC Credentials. If these
* credentials are needed to obtain the password from the NIS+ service,
* the pam_dhkeys module should be stacked before us!
*/
int
{
int i;
int debug = 0;
char *user;
char *passwd;
char *rep_passwd;
char *crypt_passwd;
char *repository_name;
struct pam_repository *auth_rep;
int result;
int server_policy = 0;
int old_failed_count;
int dolock = 1;
for (i = 0; i < argc; i++) {
debug = 1;
nowarn = 1;
server_policy = 1;
dolock = 0;
}
if (debug)
"pam_unix_auth: entering pam_sm_authenticate()");
return (PAM_SYSTEM_ERR);
}
return (PAM_USER_UNKNOWN);
}
return (PAM_SYSTEM_ERR);
}
return (PAM_BUF_ERR);
} else {
}
/*
* Get password and the name of the repository where the
* password resides.
*/
/*
* Also get the current number of failed logins; we use
* this later to determine whether we need to reset the count
* on a succesful authentication. We use the home-directory
* to look for .hushlogin in order to optionaly surpress the
* "failed attempts" message.
*/
if (pwu_rep != PWU_DEFAULT_REP)
if (result == PWU_NOT_FOUND) {
user);
return (PAM_USER_UNKNOWN);
}
if (result == PWU_DENIED) {
return (PAM_PERM_DENIED);
}
if (result != PWU_SUCCESS)
return (PAM_SYSTEM_ERR);
/*
* Chop off old SunOS-style password aging information.
*
* Note: old style password aging is only defined for UNIX-style
* crypt strings, hence the comma will always be at position 14.
* Note: This code is here because some other vendors might still
* support this style of password aging. If we don't remove
* the age field, no one will be able to login.
* XXX yank this code when we're certain this "compatibility"
* isn't needed anymore.
*/
/* Is a password check required? */
if (flags & PAM_DISALLOW_NULL_AUTHTOK) {
goto out;
} else {
goto out;
}
}
/*
* Password check *is* required. Make sure we have a valid
* pointer in PAM_AUTHTOK
*/
goto out;
}
/*
* "rep_passwd" holds the encrypted password.
* If, however, we detect that the password equals NOPWDRTR,
* while we've obtained it from NIS+, it
* means that the permissions on the NIS+ table are too tight
* for us to get the password without having Secure RPC
* Credentials. In that case, we syslog an error stating that
* the Secure RPC credential Module should be on the PAM stack
* before the unix_auth module. We also tell the user to go
* and inform the administrator of this error.
*/
"the pam_dhkeys module is on the PAM stack before "
"pam_unix_auth");
if (nowarn == 0) {
"NIS+ permissions are too tight. "
"Please inform your administrator."));
}
goto out;
}
if (server_policy &&
result = PAM_IGNORE;
goto out;
}
/* Now check the entered password */
switch (errno) {
case ENOMEM:
break;
case ELIBACC:
break;
default:
}
goto out;
}
else
/* Clear or increment failed failed count */
if (nowarn == 0 && old_failed_count > 0)
if (max_failed != 0) {
}
}
out:
if (rep_passwd)
if (repository_name)
if (homedir)
return (result);
}
/*ARGSUSED*/
int
{
return (PAM_IGNORE);
}