Ejemplo n.º 1
Archivo: auth.c Proyecto: grke/burp
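/*
 * Load the per-client configuration and check the password the client
 * presented against it.
 *
 * globalcs: global configuration, passed to conf_load_clientconfdir().
 * password: password supplied by the connecting client.
 * cconfs:   client configuration; filled in by conf_load_clientconfdir()
 *           and, when ssl_peer_cn is unset, updated with the client name.
 *
 * Returns 0 when the client is accepted and -1 on any failure
 * (configuration load error, rejected password, missing keep setting).
 */
static int check_client_and_password(struct conf **globalcs,
	const char *password, struct conf **cconfs)
{
	const char *cname;
	int password_check;
	// Cannot load it until here, because we need to have the name of the
	// client.
	if(conf_load_clientconfdir(globalcs, cconfs)) return -1;

	cname=get_string(cconfs[OPT_CNAME]);
	password_check=get_int(cconfs[OPT_PASSWORD_CHECK]);

	if(!get_string(cconfs[OPT_SSL_PEER_CN]))
	{
		// Terminate the line like every other logp() call here, so the
		// message does not run into the next log entry.
		logp("ssl_peer_cn unset\n");
		if(cname)
		{
			logp("Falling back to using '%s'\n", cname);
			if(set_string(cconfs[OPT_SSL_PEER_CN], cname))
				return -1;
		}
	}

	// Re-read the client name after the configuration was modified above.
	cname=get_string(cconfs[OPT_CNAME]);

	if(password_check)
	{
		const char *conf_passwd=get_string(cconfs[OPT_PASSWD]);
		const char *conf_password=get_string(cconfs[OPT_PASSWORD]);
		// With password checking enabled, a client that has neither a
		// plain text nor an encrypted password configured is refused.
		if(!conf_password && !conf_passwd)
		{
			logp("password rejected for client %s\n", cname);
			return -1;
		}
		// check against plain text
		// (a non-zero result from compare_password() is treated as a
		// mismatch)
		if(conf_password && compare_password(conf_password, password))
		{
			logp("password rejected for client %s\n", cname);
			return -1;
		}
		// check against encrypted passwd
		// check_passwd() returns 0 for a mismatch but -1 when crypt()
		// fails or the server was built without crypt support. Testing
		// with '!' let those -1 results through as if the password had
		// matched, so anything that is not a positive result is
		// rejected here.
		if(conf_passwd && check_passwd(conf_passwd, password)<=0)
		{
			logp("password rejected for client %s\n", cname);
			return -1;
		}
	}

	if(!get_strlist(cconfs[OPT_KEEP]))
	{
		logp("%s: you cannot set the keep value for a client to 0!\n",
			cname);
		return -1;
	}
	return 0;
}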
Ejemplo n.º 2
Archivo: auth.c Proyecto: grke/burp
static
#endif
int check_passwd(const char *passwd, const char *plain_text)
{
	// Check plain_text against the crypt()-format hash in passwd.
	//
	// Returns:
	//   1  when compare_password() returns 0 for the stored hash and the
	//      freshly computed one (taken to mean "equal" - confirm against
	//      its definition),
	//   0  for any other comparison result, a NULL argument, or a stored
	//      hash shorter than 13 characters,
	//  -1  when crypt() fails or no usable crypt support was compiled in.
	//
	// The error value is non-zero, so callers must test for a positive
	// result; `!check_passwd(...)` is false for -1 just as it is for 1.
#if !defined(HAVE_OPENBSD_OS) && defined(HAVE_CRYPT)
	const char *hashed;

	if(!plain_text || !passwd)
		return 0;
	if(strlen(passwd)<13)
		return 0;

	// The stored hash doubles as the salt/settings argument.
	hashed=crypt(plain_text, passwd);
	if(!hashed)
	{
		logp("crypt function failed: %s\n", strerror(errno));
		return -1;
	}

	return compare_password(passwd, hashed)?0:1;
#else
	logp("Server compiled without crypt support - cannot use passwd option\n");
	return -1;
#endif
}
Ejemplo n.º 3
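/* Check whether the new password is already recorded for USER in the
   old-passwords file (OLD_PASSWORDS_FILE).

   Returns PAM_SUCCESS when the file cannot be opened, when no entry for
   USER could be parsed, or when compare_password() accepts none of the
   stored old passwords; PAM_AUTHTOK_ERR when compare_password() returns
   non-zero for one of them; PAM_BUF_ERR when the fallback line buffer
   cannot be allocated.

   NOTE(review): every fopen() failure, not only ENOENT, ends in
   PAM_SUCCESS, so an unreadable history file disables the reuse check.
   Confirm that failing open is the intended policy.  */
int
check_old_pass (pam_handle_t *pamh, const char *user,
		const char *newpass, int debug)
{
  int retval = PAM_SUCCESS;
  FILE *oldpf;
  char *buf = NULL;
  size_t buflen = 0;
  opwd entry;
  int found = 0;

  if ((oldpf = fopen (OLD_PASSWORDS_FILE, "r")) == NULL)
    {
      if (errno != ENOENT)
        pam_syslog (pamh, LOG_ERR, "Cannot open %s: %m", OLD_PASSWORDS_FILE);
      return PAM_SUCCESS;
    }

  while (!feof (oldpf))
    {
      char *cp, *tmp;
#if defined(HAVE_GETLINE)
      ssize_t n = getline (&buf, &buflen, oldpf);
#elif defined (HAVE_GETDELIM)
      ssize_t n = getdelim (&buf, &buflen, '\n', oldpf);
#else
      ssize_t n;

      if (buf == NULL)
        {
          buflen = DEFAULT_BUFLEN;
          buf = malloc (buflen);
          if (buf == NULL)
            {
              /* Do not leak the open stream on the error path.  */
              fclose (oldpf);
              return PAM_BUF_ERR;
            }
        }
      /* Start from an empty string so that a failed fgets() gives n == 0.
         NOTE(review): a line longer than the buffer is read in several
         pieces, each of which is then treated as a line of its own.  */
      buf[0] = '\0';
      fgets (buf, buflen - 1, oldpf);
      n = strlen (buf);
#endif /* HAVE_GETLINE / HAVE_GETDELIM */
      cp = buf;

      if (n < 1)
        break;

      tmp = strchr (cp, '#');  /* remove comments */
      if (tmp)
        *tmp = '\0';
      /* isspace() requires a value representable as unsigned char; a
         plain char with the high bit set would be undefined behaviour.  */
      while (isspace ((unsigned char)*cp))    /* remove spaces and tabs */
        ++cp;
      if (*cp == '\0')        /* ignore empty lines */
        continue;

      /* cp is non-empty here, so strlen (cp) - 1 is a valid index.  */
      if (cp[strlen (cp) - 1] == '\n')
        cp[strlen (cp) - 1] = '\0';

      /* The name must be followed directly by ':' so that USER does not
         match a longer name sharing the same prefix.  */
      if (strncmp (cp, user, strlen (user)) == 0 &&
          cp[strlen (user)] == ':')
        {
          /* We found the line we needed */
          if (parse_entry (cp, &entry) == 0)
            {
              found = 1;
              break;
            }
        }
    }

  fclose (oldpf);

  /* entry is only initialised when parse_entry() succeeded (found != 0).  */
  if (found && entry.old_passwords)
    {
      const char delimiters[] = ",";
      char *running;
      char *oldpass;

      running = entry.old_passwords;

      /* Walk the comma-separated list; strsep() returns NULL once the
         list is exhausted.  Empty fields are skipped.  */
      do {
        oldpass = strsep (&running, delimiters);
        if (oldpass && strlen (oldpass) > 0 &&
            compare_password(newpass, oldpass) )
          {
            if (debug)
              pam_syslog (pamh, LOG_DEBUG, "New password already used");
            retval = PAM_AUTHTOK_ERR;
            break;
          }
      } while (oldpass != NULL);
    }

  /* free (NULL) is a no-op, so no guard is needed.
     NOTE(review): buf held lines of the password-history file; consider
     an explicit wipe (one the compiler cannot elide) before releasing it.  */
  free (buf);

  return retval;
}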