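/****************************************************************************
 core of password checking routine
****************************************************************************/

/*
 * Compare a hash string produced by one of the crypt-style routines with
 * the stored hash in this_crypted.
 *
 * hash: result of crypt()/crypt16()/bigcrypt()/osf1_bigcrypt(), may be NULL.
 *
 * Returns True only when hash is non-NULL and equal to this_crypted.
 *
 * The crypt() family can return NULL on failure (for example an
 * unsupported salt or a missing algorithm); passing that straight to
 * strcmp() is undefined behaviour, so a NULL result is treated as a
 * mismatch here rather than a crash.
 */
static BOOL hash_matches(const char *hash)
{
  return (hash != NULL && strcmp(hash, this_crypted) == 0);
}

/*
 * Check a cleartext password against the account state held in the
 * file-scope variables this_user, this_salt and this_crypted, which the
 * caller is expected to have set up before calling this routine (their
 * definitions are not part of this block).
 *
 * password: the cleartext password supplied by the client.
 *
 * Returns True when one of the compiled-in mechanisms accepts the
 * password, False otherwise.
 *
 * Apart from the PAM path, which returns directly, a mechanism that
 * rejects the password falls through to the next compiled-in one and
 * finally to the plain crypt() comparison (or to a hard False when
 * NO_CRYPT is defined).
 */
BOOL password_check(char *password)
{
#ifdef USE_PAM
  /* This falls through if the password check fails
     - if NO_CRYPT is defined this causes an error msg
       saying Warning - no crypt available
     - if NO_CRYPT is NOT defined this is a potential security hole
       as it may authenticate via the crypt call when PAM
       settings say it should fail.
     if (pam_auth(this_user,password)) return(True);
     Hence we make a direct return to avoid a second chance!!!
   */
  return (pam_auth(this_user,password));
#endif

#ifdef AFS_AUTH
  if (afs_auth(this_user,password))
    return(True);
#endif

#ifdef DFS_AUTH
  if (dfs_auth(this_user,password))
    return(True);
#endif

#ifdef KRB5_AUTH
  if (krb5_auth(this_user,password))
    return(True);
#endif

#ifdef KRB4_AUTH
  if (krb4_auth(this_user,password))
    return(True);
#endif

#ifdef PWDAUTH
  /* pwdauth() signals success with a zero return, unlike the hooks above. */
  if (pwdauth(this_user,password) == 0)
    return(True);
#endif

#ifdef OSF1_ENH_SEC
  {
    /* Enhanced-security hash first; fall back to the classic crypt() form. */
    BOOL ret = hash_matches(osf1_bigcrypt(password,this_salt));
    if (!ret) {
      DEBUG(2,("password_check: OSF1_ENH_SEC failed. Trying normal crypt.\n"));
      ret = hash_matches((char *)crypt(password,this_salt));
    }
    return ret;
  }
#endif

#ifdef ULTRIX_AUTH
  return hash_matches((char *)crypt16(password, this_salt ));
#endif

#ifdef LINUX_BIGCRYPT
  /* linux_bigcrypt() performs the comparison itself. */
  return(linux_bigcrypt(password,this_salt,this_crypted));
#endif

#ifdef HPUX_10_TRUSTED
  return hash_matches(bigcrypt(password,this_salt));
#endif

#ifdef NO_CRYPT
  DEBUG(1,("Warning - no crypt available\n"));
  return(False);
#else
  return hash_matches((char *)crypt(password,this_salt));
#endif
}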
/*
 * PAM authentication entry point for the Kerberos 4 module.
 *
 * Flow as visible here: look up the PAM user, obtain a ticket for the
 * principal via krb4_auth(), and, when authenticating as the "root"
 * instance of a non-root caller, authorize the login with krb_kuserok().
 * On success the ticket file is handed to the target user's uid.
 *
 * pamh:  PAM handle.
 * flags: PAM flags, passed through to krb4_auth().
 * argc/argv: module options, parsed by parse_ctrl().
 *
 * Returns a PAM status code (PAM_SUCCESS, PAM_AUTHINFO_UNAVAIL,
 * PAM_SERVICE_ERR, PAM_PERM_DENIED, or whatever pam_get_item() returned).
 * Note that two error paths below call exit(1) instead of returning.
 *
 * NOTE(review): this copy of the source looks redacted between the
 * "login: " prompt and the "root" comparison (the "******" run); the
 * pam_get_user() error check and the start of the root-user test are not
 * visible here, so that stretch cannot be reviewed from this page.
 */
int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv)
{
    char *user;
    int ret;
    struct pam_conv *conv;
    struct passwd *pw;
    /* Sentinel: uid_t is normally unsigned, so this is (uid_t)-1, which
     * chown(2) below treats as "leave the owner unchanged" if the user
     * lookup fails. */
    uid_t uid = -1;
    /* NOTE(review): name and inst are only assigned on some paths below.
     * If user is "root", the caller is non-root, and getpwuid() fails,
     * both are read uninitialized by krb4_auth() — undefined behaviour;
     * they should be initialized or that case should return an error. */
    const char *name, *inst;
    char realm[REALM_SZ];

    realm[0] = 0;
    parse_ctrl(argc, argv);
    ENTRY("pam_sm_authenticate");

    /* Redacted region follows (see header note); the original presumably
     * checked ret and then compared user against "root" — confirm against
     * the upstream file. */
    ret = pam_get_user(pamh, &user, "login: "******"root") == 0)
        return PAM_AUTHINFO_UNAVAIL;

    ret = pam_get_item(pamh, PAM_CONV, (void*)&conv);
    if (ret != PAM_SUCCESS)
        return ret;

    pw = getpwnam(user);
    if (pw != 0) {
        uid = pw->pw_uid;
        set_tkt_string(uid);
    }

    /* A non-root caller logging in as root authenticates with their own
     * principal and the "root" instance; everyone else uses user.@REALM. */
    if (strcmp(user, "root") == 0 && getuid() != 0) {
        pw = getpwuid(getuid());
        if (pw != 0) {
            /* NOTE(review): strdup() result is never freed and is not
             * checked for NULL before use. */
            name = strdup(pw->pw_name);
            inst = "root";
        }
    } else {
        name = user;
        inst = "";
    }

    ret = krb4_auth(pamh, flags, name, inst, conv);

    /*
     * The realm was lost inside krb_verify_user() so we can't simply do
     * a krb_kuserok() when inst != "".
     */
    if (ret == PAM_SUCCESS && inst[0] != 0) {
        uid_t old_euid = geteuid();
        uid_t old_ruid = getuid();

        /* Privilege is raised only for the file reads below and is
         * verified as restored afterwards; the setreuid() calls themselves
         * are not checked here. */
        setreuid(0, 0);		/* To read ticket file. */
        if (krb_get_tf_fullname(tkt_string(), 0, 0, realm) != KSUCCESS)
            ret = PAM_SERVICE_ERR;
        else if (krb_kuserok(name, inst, realm, user) != KSUCCESS) {
            /* Second attempt with the target user's uid so ~/.klogin is
             * readable under its own ownership. */
            setreuid(0, uid);	/* To read ~/.klogin. */
            if (krb_kuserok(name, inst, realm, user) != KSUCCESS)
                ret = PAM_PERM_DENIED;
        }

        if (ret != PAM_SUCCESS) {
            dest_tkt();		/* Passwd known, ok to kill ticket. */
            psyslog(LOG_NOTICE,
                    "%s.%s@%s is not allowed to log in as %s",
                    name, inst, realm, user);
        }

        /* Restore the original uids; if that cannot be confirmed the
         * process must not continue with elevated privilege. */
        setreuid(old_ruid, old_euid);
        if (getuid() != old_ruid || geteuid() != old_euid) {
            /* NOTE(review): %d with uid_t arguments is a format/type
             * mismatch on platforms where uid_t is unsigned. */
            psyslog(LOG_ALERT , "setreuid(%d, %d) failed at line %d",
                    old_ruid, old_euid, __LINE__);
            exit(1);
        }
    }

    if (ret == PAM_SUCCESS) {
        psyslog(LOG_INFO,
                "%s.%s@%s authenticated as user %s",
                name, inst, realm, user);
        /* Hand the ticket file to the target user; uid may still be the
         * -1 sentinel if getpwnam() failed, in which case the owner is
         * left unchanged. */
        if (chown(tkt_string(), uid, -1) == -1) {
            dest_tkt();
            psyslog(LOG_ALERT , "chown(%s, %d, -1) failed",
                    tkt_string(), uid);
            exit(1);
        }
    }

    /*
     * Kludge alert!!! Sun dtlogin unlock screen fails to call
     * pam_setcred(3) with PAM_REFRESH_CRED after a successful
     * authentication attempt, sic.
     *
     * This hack is designed as a workaround to that problem.
     */
    /* Return value of pam_sm_setcred() is intentionally not propagated. */
    if (ctrl_on(KRB4_REAFSLOG))
        if (ret == PAM_SUCCESS)
            pam_sm_setcred(pamh, PAM_REFRESH_CRED, argc, argv);

    return ret;
}