5 #ifndef _PAM_UNIX_SUPPORT_H
6 #define _PAM_UNIX_SUPPORT_H
11 * File to read value of ENCRYPT_METHOD from.
13 #define LOGIN_DEFS "/etc/login.defs"
17 * here is the string to inform the user that the new passwords they
18 * typed were not the same.
21 /* type definition for the control options */
25 unsigned int mask; /* shall assume 32 bits of flags */
27 unsigned int is_hash_algo;
31 * macro to determine if a given flag is on
/*
 * on()/off() test the option's own flag bit in ctrl.  Entries whose flag
 * column in unix_args is 0 ("nullok", "des") can therefore never test as
 * on; they act only through the mask that set() applies for them.
 */
34 #define on(x,ctrl) (unix_args[x].flag & ctrl)
37 * macro to determine that a given flag is NOT on
40 #define off(x,ctrl) (!on(x,ctrl))
43 * macro to turn on/off a ctrl flag manually
/*
 * set(): AND ctrl with the option's mask first, which clears the bits of
 * every option that is mutually exclusive with it (see the mask column of
 * unix_args), then OR in the option's own flag bit.  unset(): clear just
 * that option's flag bit.  Both assign to ctrl in place, and set() reads
 * unix_args[x] twice, so x must be free of side effects.
 */
46 #define set(x,ctrl) (ctrl = ((ctrl)&unix_args[x].mask)|unix_args[x].flag)
47 #define unset(x,ctrl) (ctrl &= ~(unix_args[x].flag))
49 /* the generic mask */
/*
 * Every bit set: an unix_args entry using this mask clears nothing when it
 * is set().  (The name sits in the implementation-reserved _[A-Z] namespace.)
 */
51 #define _ALL_ON_ (~0U)
53 /* end of macro definitions for the control flags */
55 /* ****************************************************************** *
60 * here are the various options recognized by the unix module. They
61 * are enumerated here and then defined below. Internal arguments are
65 #define UNIX__OLD_PASSWD 0 /* internal */
66 #define UNIX__VERIFY_PASSWD 1 /* internal */
67 #define UNIX__IAMROOT 2 /* internal */
69 #define UNIX_AUDIT 3 /* print more things than debug..
70 some information may be sensitive */
71 #define UNIX_USE_FIRST_PASS 4
72 #define UNIX_TRY_FIRST_PASS 5
73 #define UNIX_AUTHTOK_TYPE 6 /* TYPE for pam_get_authtok() */
75 #define UNIX__PRELIM 7 /* internal */
76 #define UNIX__UPDATE 8 /* internal */
77 #define UNIX__NONULL 9 /* internal */
78 #define UNIX__QUIET 10 /* internal */
79 #define UNIX_USE_AUTHTOK 11 /* insist on reading PAM_AUTHTOK */
80 #define UNIX_SHADOW 12 /* signal shadow on */
81 #define UNIX_MD5_PASS 13 /* force the use of MD5 passwords */
82 #define UNIX__NULLOK 14 /* Null token ok */
83 #define UNIX_DEBUG 15 /* send more info to syslog(3) */
84 #define UNIX_NODELAY 16 /* admin does not want a fail-delay */
85 #define UNIX_NIS 17 /* wish to use NIS for pwd */
86 #define UNIX_BIGCRYPT 18 /* use DEC-C2 crypt()^x function */
87 #define UNIX_LIKE_AUTH 19 /* need to auth for setcred to work */
88 #define UNIX_REMEMBER_PASSWD 20 /* Remember N previous passwords */
89 #define UNIX_NOREAP 21 /* don't reap child process */
90 #define UNIX_BROKEN_SHADOW 22 /* ignore errors reading password aging
91 * information during acct management */
92 #define UNIX_SHA256_PASS 23 /* new password hashes will use SHA256 */
93 #define UNIX_SHA512_PASS 24 /* new password hashes will use SHA512 */
94 #define UNIX_ALGO_ROUNDS 25 /* optional number of rounds for new
95 password hash algorithms */
96 #define UNIX_BLOWFISH_PASS 26 /* new password hashes will use blowfish */
97 #define UNIX_MIN_PASS_LEN 27 /* min length for password */
98 #define UNIX_QUIET 28 /* Don't print informational messages */
99 #define UNIX_NO_PASS_EXPIRY 29 /* Don't check for password expiration if not used for authentication */
100 #define UNIX_DES 30 /* DES, default */
102 #define UNIX_CTRLS_ 31 /* number of ctrl arguments defined */
/*
 * True when none of the explicit hash-algorithm options (md5, bigcrypt,
 * sha256, sha512, blowfish) is set, i.e. new hashes use the traditional
 * DES crypt(3) scheme.  The "des" entry in unix_args carries a zero flag
 * bit and is selected only by clearing the others, so this macro -- not
 * on(UNIX_DES,ctrl) -- is the DES test.
 * NOTE(review): DES crypt is weak by current standards; an explicit modern
 * algorithm option (or the LOGIN_DEFS ENCRYPT_METHOD this header mentions;
 * how the two interact is not visible here) is preferable.
 */
104 #define UNIX_DES_CRYPT(ctrl) (off(UNIX_MD5_PASS,ctrl)&&off(UNIX_BIGCRYPT,ctrl)&&off(UNIX_SHA256_PASS,ctrl)&&off(UNIX_SHA512_PASS,ctrl)&&off(UNIX_BLOWFISH_PASS,ctrl))
/*
 * Option table, indexed by the UNIX_* constants above.  Columns, in order:
 * the module-argument token (NULL for internal-only flags; tokens ending in
 * '=' are followed by a value), the mask ANDed into ctrl by set() before
 * the flag is ORed in (a mask of _ALL_ON_^bits clears those bits, making
 * the options that own them mutually exclusive with this one), the flag
 * bit itself, and a last column that is 1 exactly for the password-hash
 * algorithm options -- presumably the is_hash_algo field of UNIX_Ctrls.
 */
106 static const UNIX_Ctrls unix_args[UNIX_CTRLS_] =
108 /* symbol token name ctrl mask ctrl *
109 * ----------------------- ------------------- --------------------- -------- */
111 /* UNIX__OLD_PASSWD */ {NULL, _ALL_ON_, 01, 0},
112 /* UNIX__VERIFY_PASSWD */ {NULL, _ALL_ON_, 02, 0},
113 /* UNIX__IAMROOT */ {NULL, _ALL_ON_, 04, 0},
114 /* UNIX_AUDIT */ {"audit", _ALL_ON_, 010, 0},
/* use_first_pass and try_first_pass exclude each other: 060 == 020|040 */
115 /* UNIX_USE_FIRST_PASS */ {"use_first_pass", _ALL_ON_^(060), 020, 0},
116 /* UNIX_TRY_FIRST_PASS */ {"try_first_pass", _ALL_ON_^(060), 040, 0},
117 /* UNIX_AUTHTOK_TYPE */ {"authtok_type=", _ALL_ON_, 0100, 0},
/* the internal PRELIM and UPDATE bits exclude each other: 0600 == 0200|0400 */
118 /* UNIX__PRELIM */ {NULL, _ALL_ON_^(0600), 0200, 0},
119 /* UNIX__UPDATE */ {NULL, _ALL_ON_^(0600), 0400, 0},
120 /* UNIX__NONULL */ {NULL, _ALL_ON_, 01000, 0},
121 /* UNIX__QUIET */ {NULL, _ALL_ON_, 02000, 0},
122 /* UNIX_USE_AUTHTOK */ {"use_authtok", _ALL_ON_, 04000, 0},
123 /* UNIX_SHADOW */ {"shadow", _ALL_ON_, 010000, 0},
/*
 * Hash-algorithm options: 0260420000 is the OR of the md5 (020000),
 * bigcrypt (0400000), sha256 (020000000), sha512 (040000000) and blowfish
 * (0200000000) flag bits, so selecting any one algorithm clears all the
 * others.
 */
124 /* UNIX_MD5_PASS */ {"md5", _ALL_ON_^(0260420000), 020000, 1},
/* nullok sets no bit of its own; it only clears UNIX__NONULL (01000) */
125 /* UNIX__NULLOK */ {"nullok", _ALL_ON_^(01000), 0, 0},
126 /* UNIX_DEBUG */ {"debug", _ALL_ON_, 040000, 0},
127 /* UNIX_NODELAY */ {"nodelay", _ALL_ON_, 0100000, 0},
128 /* UNIX_NIS */ {"nis", _ALL_ON_, 0200000, 0},
129 /* UNIX_BIGCRYPT */ {"bigcrypt", _ALL_ON_^(0260420000), 0400000, 1},
130 /* UNIX_LIKE_AUTH */ {"likeauth", _ALL_ON_, 01000000, 0},
131 /* UNIX_REMEMBER_PASSWD */ {"remember=", _ALL_ON_, 02000000, 0},
132 /* UNIX_NOREAP */ {"noreap", _ALL_ON_, 04000000, 0},
133 /* UNIX_BROKEN_SHADOW */ {"broken_shadow", _ALL_ON_, 010000000, 0},
134 /* UNIX_SHA256_PASS */ {"sha256", _ALL_ON_^(0260420000), 020000000, 1},
135 /* UNIX_SHA512_PASS */ {"sha512", _ALL_ON_^(0260420000), 040000000, 1},
136 /* UNIX_ALGO_ROUNDS */ {"rounds=", _ALL_ON_, 0100000000, 0},
137 /* UNIX_BLOWFISH_PASS */ {"blowfish", _ALL_ON_^(0260420000), 0200000000, 1},
138 /* UNIX_MIN_PASS_LEN */ {"minlen=", _ALL_ON_, 0400000000, 0},
139 /* UNIX_QUIET */ {"quiet", _ALL_ON_, 01000000000, 0},
140 /* UNIX_NO_PASS_EXPIRY */ {"no_pass_expiry", _ALL_ON_, 02000000000, 0},
/*
 * des likewise sets no bit; it just clears the other algorithms' bits, so
 * "DES selected" is detected with UNIX_DES_CRYPT(), not on(UNIX_DES,ctrl).
 */
141 /* UNIX_DES */ {"des", _ALL_ON_^(0260420000), 0, 1},
/*
 * Initial ctrl value: only the internal UNIX__NONULL bit (01000) is set,
 * so the "no null password" policy bit is on unless the "nullok" entry in
 * unix_args -- zero flag, mask clearing exactly this bit -- is applied.
 * The code that consults the bit is not in this header.
 */
144 #define UNIX_DEFAULTS (unix_args[UNIX__NONULL].flag)
146 /* use this to free strings. ESPECIALLY password strings */
148 #define _pam_delete(xx) \
150 _pam_overwrite(xx); \
154 extern int _make_remark(pam_handle_t * pamh, unsigned int ctrl
155 ,int type, const char *text);
156 extern int _set_ctrl(pam_handle_t * pamh, int flags, int *remember, int *rounds,
157 int *pass_min_len, int argc, const char **argv);
158 extern int _unix_getpwnam (pam_handle_t *pamh,
159 const char *name, int files, int nis,
160 struct passwd **ret);
161 extern int _unix_comesfromsource (pam_handle_t *pamh,
162 const char *name, int files, int nis);
163 extern int _unix_blankpasswd(pam_handle_t *pamh,unsigned int ctrl,
165 extern int _unix_verify_password(pam_handle_t * pamh, const char *name
166 ,const char *p, unsigned int ctrl);
167 extern int _unix_read_password(pam_handle_t * pamh
172 ,const char *data_name
175 extern int _unix_run_verify_binary(pam_handle_t *pamh,
176 unsigned int ctrl, const char *user, int *daysleft);
177 #endif /* _PAM_UNIX_SUPPORT_H */