}
#endif
#ifdef UT_HOST
- strncpy (utent.ut_host, hostname,
- sizeof (utent.ut_host));
+ strncpy (utent.ut_host, hostname, sizeof (utent.ut_host));
#endif
#if HAVE_UTMPX_H
- strncpy (utxent.ut_host, hostname,
- sizeof (utxent.ut_host));
+ strncpy (utxent.ut_host, hostname, sizeof (utxent.ut_host));
#endif
- /*
- * Add remote hostname to the environment. I think
- * (not sure) I saw it once on Irix. --marekm
- */
- addenv ("REMOTEHOST", hostname);
- }
-#ifdef __linux__
/*
- * workaround for init/getty leaving junk in ut_host at least in
- * some version of RedHat. --marekm
+ * Add remote hostname to the environment. I think
+ * (not sure) I saw it once on Irix. --marekm
*/
- else if (amroot) {
- memzero (utent.ut_host, sizeof utent.ut_host);
- }
+ addenv ("REMOTEHOST", hostname);
+ }
+#ifdef __linux__
+ /*
+ * workaround for init/getty leaving junk in ut_host at least in
+ * some version of RedHat. --marekm
+ */
+ else if (amroot) {
+ memzero (utent.ut_host, sizeof utent.ut_host);
+ }
#endif
- if (fflg) {
- preauth_flag = true;
- }
- if (hflg) {
- reason = PW_RLOGIN;
- }
+ if (fflg) {
+ preauth_flag = true;
+ }
+ if (hflg) {
+ reason = PW_RLOGIN;
+ }
#ifdef RLOGIN
- if ( rflg
- && do_rlogin (hostname, username, sizeof username,
- term, sizeof term)) {
- preauth_flag = true;
- }
+ if ( rflg
+ && do_rlogin (hostname, username, sizeof username,
+ term, sizeof term)) {
+ preauth_flag = true;
+ }
#endif
- OPENLOG ("login");
+ OPENLOG ("login");
- setup_tty ();
+ setup_tty ();
#ifndef USE_PAM
- umask (getdef_num ("UMASK", GETDEF_DEFAULT_UMASK));
+ umask (getdef_num ("UMASK", GETDEF_DEFAULT_UMASK));
- {
- /*
- * Use the ULIMIT in the login.defs file, and if
- * there isn't one, use the default value. The
- * user may have one for themselves, but otherwise,
- * just take what you get.
- */
- long limit = getdef_long ("ULIMIT", -1L);
+ {
+ /*
+ * Use the ULIMIT in the login.defs file, and if
+ * there isn't one, use the default value. The
+ * user may have one for themselves, but otherwise,
+ * just take what you get.
+ */
+ long limit = getdef_long ("ULIMIT", -1L);
- if (limit != -1) {
- set_filesize_limit (limit);
- }
+ if (limit != -1) {
+ set_filesize_limit (limit);
}
+ }
#endif
- /*
- * The entire environment will be preserved if the -p flag
- * is used.
- */
- if (pflg) {
- while (NULL != *envp) { /* add inherited environment, */
- addenv (*envp, NULL); /* some variables change later */
- envp++;
- }
+ /*
+ * The entire environment will be preserved if the -p flag
+ * is used.
+ */
+ if (pflg) {
+ while (NULL != *envp) { /* add inherited environment, */
+ addenv (*envp, NULL); /* some variables change later */
+ envp++;
}
+ }
#ifdef RLOGIN
- if (term[0] != '\0') {
- addenv ("TERM", term);
- } else
+ if (term[0] != '\0') {
+ addenv ("TERM", term);
+ } else
#endif
- {
- /* preserve TERM from getty */
- if (!pflg) {
- tmp = getenv ("TERM");
- if (NULL != tmp) {
- addenv ("TERM", tmp);
- }
+ {
+ /* preserve TERM from getty */
+ if (!pflg) {
+ tmp = getenv ("TERM");
+ if (NULL != tmp) {
+ addenv ("TERM", tmp);
}
}
+ }
- init_env ();
-
- if (optind < argc) { /* get the user name */
- if (rflg || (fflg && ('\0' != username[0]))) {
- usage ();
- }
+ init_env ();
- STRFCPY (username, argv[optind]);
- strzero (argv[optind]);
- ++optind;
- }
- if (optind < argc) { /* now set command line variables */
- set_env (argc - optind, &argv[optind]);
+ if (optind < argc) { /* get the user name */
+ if (rflg || (fflg && ('\0' != username[0]))) {
+ usage ();
}
- if (rflg || hflg) {
- cp = hostname;
- } else {
- /* FIXME: What is the priority:
- * UT_HOST or HAVE_UTMPX_H? */
+ STRFCPY (username, argv[optind]);
+ strzero (argv[optind]);
+ ++optind;
+ }
+ if (optind < argc) { /* now set command line variables */
+ set_env (argc - optind, &argv[optind]);
+ }
+
+ if (rflg || hflg) {
+ cp = hostname;
+ } else {
+ /* FIXME: What is the priority:
+ * UT_HOST or HAVE_UTMPX_H? */
#ifdef UT_HOST
- if ('\0' != utent.ut_host[0]) {
- cp = utent.ut_host;
- } else
+ if ('\0' != utent.ut_host[0]) {
+ cp = utent.ut_host;
+ } else
#endif
#if HAVE_UTMPX_H
- if ('\0' != utxent.ut_host[0]) {
- cp = utxent.ut_host;
- } else
+ if ('\0' != utxent.ut_host[0]) {
+ cp = utxent.ut_host;
+ } else
#endif
- {
- cp = "";
- }
+ {
+ cp = "";
}
+ }
- if ('\0' != *cp) {
- snprintf (fromhost, sizeof fromhost,
- " on '%.100s' from '%.200s'", tty, cp);
- } else {
- snprintf (fromhost, sizeof fromhost,
- " on '%.100s'", tty);
- }
+ if ('\0' != *cp) {
+ snprintf (fromhost, sizeof fromhost,
+ " on '%.100s' from '%.200s'", tty, cp);
+ } else {
+ snprintf (fromhost, sizeof fromhost,
+ " on '%.100s'", tty);
+ }
- top:
- /* only allow ALARM sec. for login */
- (void) signal (SIGALRM, alarm_handler);
- timeout = getdef_num ("LOGIN_TIMEOUT", ALARM);
- if (timeout > 0) {
- alarm (timeout);
- }
+ top:
+ /* only allow ALARM sec. for login */
+ (void) signal (SIGALRM, alarm_handler);
+ timeout = getdef_num ("LOGIN_TIMEOUT", ALARM);
+ if (timeout > 0) {
+ alarm (timeout);
+ }
- environ = newenvp; /* make new environment active */
- delay = getdef_num ("FAIL_DELAY", 1);
- retries = getdef_num ("LOGIN_RETRIES", RETRIES);
+ environ = newenvp; /* make new environment active */
+ delay = getdef_num ("FAIL_DELAY", 1);
+ retries = getdef_num ("LOGIN_RETRIES", RETRIES);
#ifdef USE_PAM
- retcode = pam_start ("login", username, &conv, &pamh);
- if (retcode != PAM_SUCCESS) {
- fprintf (stderr,
- _("login: PAM Failure, aborting: %s\n"),
- pam_strerror (pamh, retcode));
- SYSLOG ((LOG_ERR, "Couldn't initialize PAM: %s",
- pam_strerror (pamh, retcode)));
- exit (99);
- }
+ retcode = pam_start ("login", username, &conv, &pamh);
+ if (retcode != PAM_SUCCESS) {
+ fprintf (stderr,
+ _("login: PAM Failure, aborting: %s\n"),
+ pam_strerror (pamh, retcode));
+ SYSLOG ((LOG_ERR, "Couldn't initialize PAM: %s",
+ pam_strerror (pamh, retcode)));
+ exit (99);
+ }
- /*
- * hostname & tty are either set to NULL or their correct values,
- * depending on how much we know. We also set PAM's fail delay to
- * ours.
- */
- retcode = pam_set_item (pamh, PAM_RHOST, hostname);
- PAM_FAIL_CHECK;
- retcode = pam_set_item (pamh, PAM_TTY, tty);
- PAM_FAIL_CHECK;
+ /*
+ * hostname & tty are either set to NULL or their correct values,
+ * depending on how much we know. We also set PAM's fail delay to
+ * ours.
+ */
+ retcode = pam_set_item (pamh, PAM_RHOST, hostname);
+ PAM_FAIL_CHECK;
+ retcode = pam_set_item (pamh, PAM_TTY, tty);
+ PAM_FAIL_CHECK;
#ifdef HAS_PAM_FAIL_DELAY
- retcode = pam_fail_delay (pamh, 1000000 * delay);
- PAM_FAIL_CHECK;
+ retcode = pam_fail_delay (pamh, 1000000 * delay);
+ PAM_FAIL_CHECK;
#endif
- /* if fflg, then the user has already been authenticated */
- if (!fflg || (getuid () != 0)) {
- int failcount = 0;
- char hostn[256];
- char loginprompt[256]; /* That's one hell of a prompt :) */
-
- /* Make the login prompt look like we want it */
- if (gethostname (hostn, sizeof (hostn)) == 0) {
- snprintf (loginprompt,
- sizeof (loginprompt),
- _("%s login: "), hostn);
- } else {
- snprintf (loginprompt,
- sizeof (loginprompt), _("login: "));
- }
+ /* if fflg, then the user has already been authenticated */
+ if (!fflg || (getuid () != 0)) {
+ int failcount = 0;
+ char hostn[256];
+ char loginprompt[256]; /* That's one hell of a prompt :) */
+
+ /* Make the login prompt look like we want it */
+ if (gethostname (hostn, sizeof (hostn)) == 0) {
+ snprintf (loginprompt,
+ sizeof (loginprompt),
+ _("%s login: "), hostn);
+ } else {
+ snprintf (loginprompt,
+ sizeof (loginprompt), _("login: "));
+ }
- retcode =
- pam_set_item (pamh, PAM_USER_PROMPT, loginprompt);
- PAM_FAIL_CHECK;
+ retcode = pam_set_item (pamh, PAM_USER_PROMPT, loginprompt);
+ PAM_FAIL_CHECK;
- /* if we didn't get a user on the command line,
- set it to NULL */
- pam_get_item (pamh, PAM_USER,
- (const void **)ptr_pam_user);
- if (pam_user[0] == '\0') {
- pam_set_item (pamh, PAM_USER, NULL);
- }
+ /* if we didn't get a user on the command line,
+ set it to NULL */
+ pam_get_item (pamh, PAM_USER, (const void **)ptr_pam_user);
+ if (pam_user[0] == '\0') {
+ pam_set_item (pamh, PAM_USER, NULL);
+ }
- /*
- * There may be better ways to deal with some of
- * these conditions, but at least this way I don't
- * think we'll be giving away information. Perhaps
- * someday we can trust that all PAM modules will
- * pay attention to failure count and get rid of
- * MAX_LOGIN_TRIES?
- */
- failcount = 0;
- while (true) {
- const char *failent_user;
- failed = false;
+ /*
+ * There may be better ways to deal with some of
+ * these conditions, but at least this way I don't
+ * think we'll be giving away information. Perhaps
+ * someday we can trust that all PAM modules will
+ * pay attention to failure count and get rid of
+ * MAX_LOGIN_TRIES?
+ */
+ failcount = 0;
+ while (true) {
+ const char *failent_user;
+ failed = false;
- failcount++;
+ failcount++;
#ifdef HAS_PAM_FAIL_DELAY
- if (delay > 0) {
- retcode = pam_fail_delay(pamh, 1000000*delay);
- }
+ if (delay > 0) {
+ retcode = pam_fail_delay(pamh, 1000000*delay);
+ }
#endif
- retcode = pam_authenticate (pamh, 0);
-
- pam_get_item (pamh, PAM_USER,
- (const void **) ptr_pam_user);
-
- if ((NULL != pam_user) && ('\0' != pam_user[0])) {
- pwd = xgetpwnam(pam_user);
- if (NULL != pwd) {
- pwent = *pwd;
- failent_user = pwent.pw_name;
- } else {
- if ( getdef_bool("LOG_UNKFAIL_ENAB")
- && (NULL != pam_user)) {
- failent_user = pam_user;
- } else {
- failent_user = "UNKNOWN";
- }
- }
- } else {
- pwd = NULL;
- failent_user = "UNKNOWN";
- }
-
- if (retcode == PAM_MAXTRIES || failcount >= retries) {
- SYSLOG ((LOG_NOTICE,
- "TOO MANY LOGIN TRIES (%d)%s FOR '%s'",
- failcount, fromhost, failent_user));
- fprintf(stderr,
- _("Maximum number of tries exceeded (%d)\n"),
- failcount);
- PAM_END;
- exit(0);
- } else if (retcode == PAM_ABORT) {
- /* Serious problems, quit now */
- fputs (_("login: abort requested by PAM\n"),stderr);
- SYSLOG ((LOG_ERR,"PAM_ABORT returned from pam_authenticate()"));
- PAM_END;
- exit(99);
- } else if (retcode != PAM_SUCCESS) {
- SYSLOG ((LOG_NOTICE,"FAILED LOGIN (%d)%s FOR '%s', %s",
- failcount, fromhost, failent_user,
- pam_strerror (pamh, retcode)));
- failed = true;
- }
-
- if (!failed) {
- break;
- }
-
-#ifdef WITH_AUDIT
- audit_fd = audit_open ();
- audit_log_acct_message (audit_fd,
- AUDIT_USER_LOGIN,
- NULL, /* Prog. name */
- "login",
- failent_user,
- AUDIT_NO_ID,
- hostname,
- NULL, /* addr */
- tty,
- 0); /* result */
- close (audit_fd);
-#endif /* WITH_AUDIT */
+ retcode = pam_authenticate (pamh, 0);
- fprintf (stderr, "\nLogin incorrect\n");
+ pam_get_item (pamh, PAM_USER,
+ (const void **) ptr_pam_user);
- /* Let's give it another go around */
- pam_set_item (pamh, PAM_USER, NULL);
+ if ((NULL != pam_user) && ('\0' != pam_user[0])) {
+ pwd = xgetpwnam(pam_user);
+ if (NULL != pwd) {
+ pwent = *pwd;
+ failent_user = pwent.pw_name;
+ } else {
+ if ( getdef_bool("LOG_UNKFAIL_ENAB")
+ && (NULL != pam_user)) {
+ failent_user = pam_user;
+ } else {
+ failent_user = "UNKNOWN";
+ }
+ }
+ } else {
+ pwd = NULL;
+ failent_user = "UNKNOWN";
}
- /* We don't get here unless they were authenticated above */
- alarm (0);
- retcode = pam_acct_mgmt (pamh, 0);
+ if (retcode == PAM_MAXTRIES || failcount >= retries) {
+ SYSLOG ((LOG_NOTICE,
+ "TOO MANY LOGIN TRIES (%d)%s FOR '%s'",
+ failcount, fromhost, failent_user));
+ fprintf(stderr,
+ _("Maximum number of tries exceeded (%d)\n"),
+ failcount);
+ PAM_END;
+ exit(0);
+ } else if (retcode == PAM_ABORT) {
+ /* Serious problems, quit now */
+ fputs (_("login: abort requested by PAM\n"),stderr);
+ SYSLOG ((LOG_ERR,"PAM_ABORT returned from pam_authenticate()"));
+ PAM_END;
+ exit(99);
+ } else if (retcode != PAM_SUCCESS) {
+ SYSLOG ((LOG_NOTICE,"FAILED LOGIN (%d)%s FOR '%s', %s",
+ failcount, fromhost, failent_user,
+ pam_strerror (pamh, retcode)));
+ failed = true;
+ }
- if (retcode == PAM_NEW_AUTHTOK_REQD) {
- retcode =
- pam_chauthtok (pamh,
- PAM_CHANGE_EXPIRED_AUTHTOK);
+ if (!failed) {
+ break;
}
- PAM_FAIL_CHECK;
- }
+#ifdef WITH_AUDIT
+ audit_fd = audit_open ();
+ audit_log_acct_message (audit_fd,
+ AUDIT_USER_LOGIN,
+ NULL, /* Prog. name */
+ "login",
+ failent_user,
+ AUDIT_NO_ID,
+ hostname,
+ NULL, /* addr */
+ tty,
+ 0); /* result */
+ close (audit_fd);
+#endif /* WITH_AUDIT */
- /* Grab the user information out of the password file for future usage
- First get the username that we are actually using, though.
- */
- retcode =
- pam_get_item (pamh, PAM_USER, (const void **)ptr_pam_user);
- pwd = xgetpwnam (pam_user);
- if (NULL == pwd) {
- SYSLOG ((LOG_ERR, "xgetpwnam(%s) failed",
- getdef_bool ("LOG_UNKFAIL_ENAB") ?
- pam_user : "UNKNOWN"));
- exit (1);
- }
+ fprintf (stderr, "\nLogin incorrect\n");
- if (fflg) {
- retcode = pam_acct_mgmt (pamh, 0);
- PAM_FAIL_CHECK;
+ /* Let's give it another go around */
+ pam_set_item (pamh, PAM_USER, NULL);
}
- if (setup_groups (pwd) != 0) {
- exit (1);
- }
+ /* We don't get here unless they were authenticated above */
+ alarm (0);
+ retcode = pam_acct_mgmt (pamh, 0);
- pwent = *pwd;
+ if (retcode == PAM_NEW_AUTHTOK_REQD) {
+ retcode = pam_chauthtok (pamh, PAM_CHANGE_EXPIRED_AUTHTOK);
+ }
- retcode = pam_setcred (pamh, PAM_ESTABLISH_CRED);
PAM_FAIL_CHECK;
+ }
+
+ /* Grab the user information out of the password file for future usage
+ First get the username that we are actually using, though.
+ */
+ retcode = pam_get_item (pamh, PAM_USER, (const void **)ptr_pam_user);
+ pwd = xgetpwnam (pam_user);
+ if (NULL == pwd) {
+ SYSLOG ((LOG_ERR, "xgetpwnam(%s) failed",
+ getdef_bool ("LOG_UNKFAIL_ENAB") ?
+ pam_user : "UNKNOWN"));
+ exit (1);
+ }
- retcode = pam_open_session (pamh,
- hushed (&pwent) ? PAM_SILENT : 0);
+ if (fflg) {
+ retcode = pam_acct_mgmt (pamh, 0);
PAM_FAIL_CHECK;
+ }
- pwd = xgetpwnam (pam_user);
- if (NULL == pwd) {
- pwent.pw_name = pam_user;
- strcpy (temp_pw, "!");
- pwent.pw_passwd = temp_pw;
- pwent.pw_shell = temp_shell;
+ if (setup_groups (pwd) != 0) {
+ exit (1);
+ }
- preauth_flag = false;
- failed = true;
- } else {
- pwent = *pwd;
- }
+ pwent = *pwd;
+
+ retcode = pam_setcred (pamh, PAM_ESTABLISH_CRED);
+ PAM_FAIL_CHECK;
+
+ retcode = pam_open_session (pamh, hushed (&pwent) ? PAM_SILENT : 0);
+ PAM_FAIL_CHECK;
+
+ pwd = xgetpwnam (pam_user);
+ if (NULL == pwd) {
+ pwent.pw_name = pam_user;
+ strcpy (temp_pw, "!");
+ pwent.pw_passwd = temp_pw;
+ pwent.pw_shell = temp_shell;
+
+ preauth_flag = false;
+ failed = true;
+ } else {
+ pwent = *pwd;
+ }
#else /* ! USE_PAM */
- while (true) { /* repeatedly get login/password pairs */
- failed = false; /* haven't failed authentication yet */
- if ('\0' == username[0]) { /* need to get a login id */
- if (subroot) {
- closelog ();
- exit (1);
- }
- preauth_flag = false;
- login_prompt (_("\n%s login: "), username,
- sizeof username);
- continue;
+ while (true) { /* repeatedly get login/password pairs */
+ failed = false; /* haven't failed authentication yet */
+ if ('\0' == username[0]) { /* need to get a login id */
+ if (subroot) {
+ closelog ();
+ exit (1);
}
+ preauth_flag = false;
+ login_prompt (_("\n%s login: "), username,
+ sizeof username);
+ continue;
+ }
pwd = xgetpwnam (username);
if (NULL == pwd) {
pwent.pw_passwd = spwd->sp_pwdp;
} else {
SYSLOG ((LOG_WARN,
- "no shadow password for '%s'%s",
- username, fromhost));
+ "no shadow password for '%s'%s",
+ username, fromhost));
}
}
* for those who really want to log them. --marekm
*/
SYSLOG ((LOG_WARN, "invalid password for '%s' %s",
- ( (NULL != pwd)
- || getdef_bool ("LOG_UNKFAIL_ENAB")) ?
- username : "UNKNOWN", fromhost));
+ ( (NULL != pwd)
+ || getdef_bool ("LOG_UNKFAIL_ENAB")) ?
+ username : "UNKNOWN", fromhost));
failed = true;
auth_ok:
if ( !failed
&& !login_access (username, *hostname ? hostname : tty)) {
SYSLOG ((LOG_WARN, "LOGIN '%s' REFUSED %s",
- username, fromhost));
+ username, fromhost));
failed = true;
}
if ( (NULL != pwd)
&& getdef_bool ("FAILLOG_ENAB")
&& !failcheck (pwent.pw_uid, &faillog, failed)) {
SYSLOG ((LOG_CRIT,
- "exceeded failure limit for '%s' %s",
- username, fromhost));
+ "exceeded failure limit for '%s' %s",
+ username, fromhost));
failed = true;
}
if (!failed) {
}
}
strncpy (failent.ut_user, failent_user,
- sizeof (failent.ut_user));
+ sizeof (failent.ut_user));
failent.ut_type = USER_PROCESS;
failtmp (&failent);
}
retries--;
if (retries <= 0) {
SYSLOG ((LOG_CRIT, "REPEATED login failures%s",
- fromhost));
+ fromhost));
}
/*
* If this was a passwordless account and we get here, login
if ( getdef_bool ("PORTTIME_CHECKS_ENAB")
&& !isttytime (pwent.pw_name, tty, time ((time_t *) 0))) {
SYSLOG ((LOG_WARN, "invalid login time for '%s'%s",
- username, fromhost));
+ username, fromhost));
closelog ();
bad_time_notify ();
exit (1);
if (child < 0) {
/* error in fork() */
fprintf (stderr, _("%s: failure forking: %s"),
- Prog, strerror (errno));
+ Prog, strerror (errno));
PAM_END;
exit (0);
} else if (child != 0) {
puts (_
("Warning: login re-enabled after temporary lockout."));
SYSLOG ((LOG_WARN,
- "login '%s' re-enabled after temporary lockout (%d failures)",
- username, (int) faillog.fail_cnt));
+ "login '%s' re-enabled after temporary lockout (%d failures)",
+ username, (int) faillog.fail_cnt));
}
}
if ( getdef_bool ("LASTLOG_ENAB")
#ifdef HAVE_STRFTIME
strftime (ptime, sizeof (ptime),
- "%a %b %e %H:%M:%S %z %Y",
- localtime (&ll_time));
+ "%a %b %e %H:%M:%S %z %Y",
+ localtime (&ll_time));
printf (_("Last login: %s on %s"),
- ptime, lastlog.ll_line);
+ ptime, lastlog.ll_line);
#else
printf (_("Last login: %.19s on %s"),
- ctime (&ll_time), lastlog.ll_line);
+ ctime (&ll_time), lastlog.ll_line);
#endif
#ifdef HAVE_LL_HOST /* __linux__ || SUN4 */
if ('\0' != lastlog.ll_host[0]) {
printf (_(" from %.*s"),
- (int) sizeof lastlog.
- ll_host, lastlog.ll_host);
+ (int) sizeof lastlog.
+ ll_host, lastlog.ll_host);
}
#endif
printf (".\n");
projects / shadow / commitdiff