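/*
 * Load the per-client configuration and authenticate the connecting
 * client against it.
 *
 * globalcs: global server configuration, used to locate the client
 *           config directory.
 * password: password offered by the client (untrusted; may be NULL).
 * cconfs:   per-client configuration; OPT_CNAME must already be set so
 *           that the client's own config file can be loaded here.
 *
 * Returns 0 when the client is accepted and -1 when it is rejected or
 * the configuration could not be loaded.  The three password failure
 * paths log the same "password rejected" message, so the log does not
 * distinguish a missing config entry from a wrong password.
 */
static int check_client_and_password(struct conf **globalcs,
	const char *password, struct conf **cconfs)
{
	const char *cname;
	int password_check;

	// Cannot load it until here, because we need to have the name of the
	// client.
	if(conf_load_clientconfdir(globalcs, cconfs)) return -1;

	cname=get_string(cconfs[OPT_CNAME]);
	password_check=get_int(cconfs[OPT_PASSWORD_CHECK]);

	if(!get_string(cconfs[OPT_SSL_PEER_CN]))
	{
		logp("ssl_peer_cn unset\n");
		if(cname)
		{
			logp("Falling back to using '%s'\n", cname);
			if(set_string(cconfs[OPT_SSL_PEER_CN], cname))
				return -1;
		}
	}

	if(password_check)
	{
		const char *conf_passwd=get_string(cconfs[OPT_PASSWD]);
		const char *conf_password=get_string(cconfs[OPT_PASSWORD]);

		// Nothing configured to check against: refuse rather than
		// accept blindly.
		if(!conf_password && !conf_passwd)
		{
			logp("password rejected for client %s\n", cname);
			return -1;
		}
		// check against plain text (compare_password() is non-zero
		// on a mismatch)
		if(conf_password && compare_password(conf_password, password))
		{
			logp("password rejected for client %s\n", cname);
			return -1;
		}
		// check against encrypted passwd.  check_passwd() returns 1
		// on a match, 0 on a mismatch and -1 when crypt() failed or
		// crypt support is compiled out.  Only an explicit 1 may
		// accept; testing for "not 0" would turn the -1 error
		// result into an accept.
		if(conf_passwd && check_passwd(conf_passwd, password)!=1)
		{
			logp("password rejected for client %s\n", cname);
			return -1;
		}
	}
	if(!get_strlist(cconfs[OPT_KEEP]))
	{
		logp("%s: you cannot set the keep value for a client to 0!\n",
			cname);
		return -1;
	}
	return 0;
}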
/*
 * Verify a plain text password against a crypt(3)-style hash.
 *
 * passwd:     the stored hash (salt plus digest) from the client config.
 * plain_text: the password offered by the client (untrusted; may be NULL).
 *
 * Returns 1 when plain_text hashes to passwd; 0 when it does not, when
 * either argument is NULL, or when passwd is too short to be a crypt
 * hash; and -1 when crypt() itself fails or the server was built without
 * crypt support.  Callers must treat -1 as a failure, not as a match.
 */
static
#endif
int check_passwd(const char *passwd, const char *plain_text)
{
#ifndef HAVE_OPENBSD_OS
#ifdef HAVE_CRYPT
	const char *hashed;

	// 13 is the length of a traditional DES crypt() result; anything
	// shorter cannot carry a salt plus digest.
	if(!passwd || !plain_text || strlen(passwd)<13)
		return 0;
	if(!(hashed=crypt(plain_text, passwd)))
	{
		logp("crypt function failed: %s\n", strerror(errno));
		return -1;
	}
	// compare_password() is strcmp-like here (0 on equality, as
	// check_client_and_password also relies on), so negate it to
	// report 1 for a match.
	return !compare_password(passwd, hashed);
#endif
#endif
	logp("Server compiled without crypt support - cannot use passwd option\n");
	return -1;
}
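/* Check, if the new password is already in the opasswd file. */
/*
 * Look up `user` in OLD_PASSWORDS_FILE and compare `newpass` against
 * every password hash recorded on that user's line.
 *
 * pamh:    PAM handle, used only for pam_syslog().
 * user:    account name; the matching line starts with "<user>:".
 * newpass: candidate password in plain text (untrusted).
 * debug:   when non-zero, log at LOG_DEBUG when a reuse is detected.
 *
 * Returns PAM_AUTHTOK_ERR when one of the recorded hashes matches
 * newpass, PAM_BUF_ERR when the line buffer cannot be allocated, and
 * PAM_SUCCESS otherwise.  Note that PAM_SUCCESS is also returned when
 * the history file cannot be opened at all (logged unless ENOENT), so
 * an unreadable history file does not block the password change.
 */
int
check_old_pass (pam_handle_t *pamh, const char *user,
		const char *newpass, int debug)
{
  int retval = PAM_SUCCESS;
  FILE *oldpf;
  char *buf = NULL;
  size_t buflen = 0;
  opwd entry;
  int found = 0;

  if ((oldpf = fopen (OLD_PASSWORDS_FILE, "r")) == NULL)
    {
      if (errno != ENOENT)
	pam_syslog (pamh, LOG_ERR, "Cannot open %s: %m", OLD_PASSWORDS_FILE);
      return PAM_SUCCESS;
    }

  /* Read until the line reader reports nothing more (n < 1 below); that
     covers EOF and read errors without relying on feof() before the read.  */
  for (;;)
    {
      char *cp, *tmp;
#if defined(HAVE_GETLINE)
      ssize_t n = getline (&buf, &buflen, oldpf);
#elif defined (HAVE_GETDELIM)
      ssize_t n = getdelim (&buf, &buflen, '\n', oldpf);
#else
      ssize_t n;

      if (buf == NULL)
	{
	  buflen = DEFAULT_BUFLEN;
	  buf = malloc (buflen);
	  if (buf == NULL)
	    {
	      /* Do not leak the stream on the allocation failure path.  */
	      fclose (oldpf);
	      return PAM_BUF_ERR;
	    }
	}
      buf[0] = '\0';
      /* On EOF or error fgets() leaves buf unspecified; force it empty so
	 that n becomes 0 and the loop ends.  */
      if (fgets (buf, buflen - 1, oldpf) == NULL)
	buf[0] = '\0';
      n = strlen (buf);
#endif /* HAVE_GETLINE / HAVE_GETDELIM */
      cp = buf;

      /* getline()/getdelim() return -1 at EOF or on error; the fgets()
	 fallback yields 0.  Either way, stop reading.  */
      if (n < 1)
	break;

      tmp = strchr (cp, '#');  /* remove comments */
      if (tmp)
	*tmp = '\0';
      /* isspace() on a negative plain char is undefined; go through
	 unsigned char.  */
      while (isspace ((unsigned char)*cp))    /* remove spaces and tabs */
	++cp;
      if (*cp == '\0')        /* ignore empty lines */
	continue;

      /* cp is non-empty here, so strlen (cp) - 1 cannot underflow.  */
      if (cp[strlen (cp) - 1] == '\n')
	cp[strlen (cp) - 1] = '\0';

      if (strncmp (cp, user, strlen (user)) == 0 &&
	  cp[strlen (user)] == ':')
	{
	  /* We found the line we needed */
	  if (parse_entry (cp, &entry) == 0)
	    {
	      found = 1;
	      break;
	    }
	}
    }

  fclose (oldpf);

  /* NOTE(review): entry.old_passwords is assumed to point into buf, which
     is freed below; confirm parse_entry() does not allocate separately.  */
  if (found && entry.old_passwords)
    {
      const char delimiters[] = ",";
      char *running;
      char *oldpass;

      running = entry.old_passwords;

      /* strsep() walks the comma-separated hash list in place; a non-zero
	 compare_password() means newpass matches that stored hash.  */
      do
	{
	  oldpass = strsep (&running, delimiters);
	  if (oldpass && strlen (oldpass) > 0 &&
	      compare_password(newpass, oldpass) )
	    {
	      if (debug)
		pam_syslog (pamh, LOG_DEBUG, "New password already used");
	      retval = PAM_AUTHTOK_ERR;
	      break;
	    }
	}
      while (oldpass != NULL);
    }

  /* free(NULL) is a no-op, so no guard is needed.  */
  free (buf);

  return retval;
}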