Back to index

citadel  8.12
auth.c
Go to the documentation of this file.
00001 /*
00002  * system-level password checking for host auth mode
00003  * by Nathan Bryant, March 1999
00004  * updated by Trey van Riper, June 2005
00005  *
00006  * Copyright (c) 1999-2009 by the citadel.org team
00007  *
00008  * This program is open source software; you can redistribute it and/or modify
00009  * it under the terms of the GNU General Public License as published by
00010  * the Free Software Foundation; either version 3 of the License, or
00011  * (at your option) any later version.
00012  *
00013  * This program is distributed in the hope that it will be useful,
00014  * but WITHOUT ANY WARRANTY; without even the implied warranty of
00015  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
00016  * GNU General Public License for more details.
00017  *
00018  * You should have received a copy of the GNU General Public License
00019  * along with this program; if not, write to the Free Software
00020  * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
00021  */
00022 
00023 #if defined(__linux) || defined(__sun) /* needed for crypt(): */
00024 #define _XOPEN_SOURCE
00025 #define _XOPEN_SOURCE_EXTENDED 1
00026 #endif
00027 
00028 #include <pwd.h>
00029 #include <stdlib.h>
00030 #include <string.h>
00031 #include <unistd.h>
00032 #include <sys/types.h>
00033 
00034 #include "auth.h"
00035 #include "sysdep.h"
00036 
00037 #ifdef HAVE_GETSPNAM
00038 #include <shadow.h>
00039 #endif
00040 
00041 #ifdef HAVE_PAM_START
00042 #include <security/pam_appl.h>
00043 
00044 /*
00045  * struct appdata: passed to the conversation function
00046  */
00047 
00048 struct appdata
00049 {
00050   const char *name;
00051   const char *pw;
00052 };
00053 
00054 /*
00055  * conv(): the PAM conversation function. this assumes that a
00056  * PAM_PROMPT_ECHO_ON is asking for a username, and a PAM_PROMPT_ECHO_OFF is
00057  * asking for a password. esoteric authentication modules will fail with this
00058  * code, but we can't really support them with the existing client protocol
00059  * anyway. the failure mode should be to deny access, in any case.
00060  */
00061 
00062 static int conv(int num_msg, const struct pam_message **msg,
00063               struct pam_response **resp, void *appdata_ptr)
00064 {
00065   struct pam_response *temp_resp;
00066   struct appdata *data = appdata_ptr;
00067 
00068   if ((temp_resp = malloc(sizeof(struct pam_response[num_msg]))) == NULL)
00069     return PAM_CONV_ERR;
00070 
00071   while (num_msg--)
00072     {
00073       switch ((*msg)[num_msg].msg_style)
00074        {
00075        case PAM_PROMPT_ECHO_ON:
00076          temp_resp[num_msg].resp = strdup(data->name);
00077          break;
00078        case PAM_PROMPT_ECHO_OFF:
00079          temp_resp[num_msg].resp = strdup(data->pw);
00080          break;
00081        default:
00082          temp_resp[num_msg].resp = NULL;
00083        }
00084       temp_resp[num_msg].resp_retcode = 0;
00085     }
00086 
00087   *resp = temp_resp;
00088   return PAM_SUCCESS;
00089 }
00090 #endif /* HAVE_PAM_START */
00091 
00092 
00093 /*
00094  * check that `pass' is the correct password for `uid'
00095  * returns zero if no, nonzero if yes
00096  */
00097 
00098 int validate_password(uid_t uid, const char *pass)
00099 {
00100 #ifdef HAVE_PAM_START
00101        struct pam_conv pc;
00102        struct appdata data;
00103        pam_handle_t *ph;
00104        int i;
00105 #else
00106        char *crypted_pwd;
00107 #ifdef HAVE_GETSPNAM
00108        struct spwd *sp;
00109 #endif
00110 #endif
00111        struct passwd *pw;
00112        int retval = 0;
00113        int flags = 0;
00114 
00115 #ifdef PAM_DATA_SILENT
00116        flags = PAM_DATA_SILENT;
00117 #else
00118        flags = 0;
00119 #endif /* PAM_DATA_SILENT */
00120 
00121        if ((pw = getpwuid(uid)) == NULL) {
00122               return retval;
00123        }
00124 
00125 #ifdef HAVE_PAM_START
00126        pc.conv = conv;
00127        pc.appdata_ptr = &data;
00128        data.name = pw->pw_name;
00129        data.pw = pass;
00130        if (pam_start("citadel", pw->pw_name, &pc, &ph) != PAM_SUCCESS)
00131               return retval;
00132 
00133        if ((i = pam_authenticate(ph, flags)) == PAM_SUCCESS)
00134               if ((i = pam_acct_mgmt(ph, flags)) == PAM_SUCCESS)
00135                      retval = -1;
00136 
00137        pam_end(ph, i | flags);
00138 #else
00139        crypted_pwd = pw->pw_passwd;
00140 
00141 #ifdef HAVE_GETSPNAM
00142        if ((sp = getspnam(pw->pw_name)) != NULL)
00143               crypted_pwd = sp->sp_pwdp;
00144 #endif
00145 
00146        if (!strcmp(crypt(pass, crypted_pwd), crypted_pwd))
00147               retval = -1;
00148 #endif                      /* HAVE_PAM_START */
00149 
00150        return retval;
00151 }