From: Thorsten Kukuk <kukuk@thkukuk.de>
Date: Tue, 14 Sep 2004 14:22:39 +0000 (+0000)
Subject: Relevant BUGIDs:
X-Git-Tag: Linux-PAM-0-78-Beta1~16
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=Linux-PAM-0-77-28-g0b3e583;p=linux-pam

Relevant BUGIDs:

Purpose of commit:

Commit summary:
---------------

bugfix: merge with BerliOS
---

diff --git a/CHANGELOG b/CHANGELOG
index e510a164..40f7a2c9 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -86,6 +86,11 @@ BerliOS Bugs are marked with (BerliOS #XXXX).
   contains only one character (Bug 1027903 - kukuk)
 * libpam/pam_start.c: All service names should be files below /etc/pam.d
   and nothing else. Forbid paths. (Bug 1027912 - kukuk)
+* pam_cracklib: Fix error in distance algorithm in the 0.9 pam_cracklib
+  module (Bug 1010142 - toady)
+* pam_userdb: applied patch from Paul Walmsley <paul@booyaka.com>
+  it now indicates whether encrypted or plaintext passwords are stored
+  in the database needed for pam_userdb. (Bug XXXXXX - toady)
 
 
 0.77: Mon Sep 23 10:25:42 PDT 2002
diff --git a/libpamc/test/modules/pam_secret.c b/libpamc/test/modules/pam_secret.c
index 7efa8c23..830f1a78 100644
--- a/libpamc/test/modules/pam_secret.c
+++ b/libpamc/test/modules/pam_secret.c
@@ -206,6 +206,7 @@ char *identify_secret(char *identity, const char *user)
     pwd = getpwnam(user);
     if ((pwd == NULL) || (pwd->pw_dir == NULL)) {
 	D(("user [%s] is not known", user));
+	return NULL;
     }
 
     length_id = strlen(pwd->pw_dir) + sizeof(SECRET_FILE_FORMAT);
diff --git a/modules/pam_access/pam_access.c b/modules/pam_access/pam_access.c
index 4005c93b..854b1506 100644
--- a/modules/pam_access/pam_access.c
+++ b/modules/pam_access/pam_access.c
@@ -41,6 +41,7 @@
 #include <errno.h>
 #include <ctype.h>
 #include <sys/utsname.h>
+#include <rpcsvc/ypclnt.h>
 
 #ifndef BROKEN_NETWORK_MATCH
 # include <netdb.h>
@@ -262,16 +263,11 @@ static char * myhostname(void)
 
 static int netgroup_match(char *group, char *machine, char *user)
 {
-#ifdef NIS
-    static char *mydomain = 0;
+    static char *mydomain = NULL;
 
     if (mydomain == 0)
 	yp_get_default_domain(&mydomain);
     return (innetgr(group, machine, user, mydomain));
-#else
-    _log_err("NIS netgroup support not configured");
-    return (NO);
-#endif
 }
 
 /* user_match - match a username against one token */
diff --git a/modules/pam_cracklib/pam_cracklib.c b/modules/pam_cracklib/pam_cracklib.c
index bc98d2f6..ff2c61f9 100644
--- a/modules/pam_cracklib/pam_cracklib.c
+++ b/modules/pam_cracklib/pam_cracklib.c
@@ -258,12 +258,12 @@ static int distdifferent(const char *old, const char *new, int i, int j)
 {
     char c, d;
 
-    if ((i == 0) || (strlen(old) <= i)) {
+    if ((i == 0) || (strlen(old) < i)) {
 	c = 0;
     } else {
 	c = old[i - 1];
     }
-    if ((j == 0) || (strlen(new) <= i)) {
+    if ((j == 0) || (strlen(new) < j)) {
 	d = 0;
     } else {
 	d = new[j - 1];
diff --git a/modules/pam_userdb/Makefile b/modules/pam_userdb/Makefile
index b53ac436..bbecaae1 100644
--- a/modules/pam_userdb/Makefile
+++ b/modules/pam_userdb/Makefile
@@ -24,6 +24,10 @@ else
 endif
 endif
 
+ifeq ($(HAVE_LIBCRYPT),yes)
+  MODULE_SIMPLE_EXTRALIBS += -lcrypt
+endif
+
 ifeq ($(WHICH_DB),none)
 
 include ../dont_makefile
diff --git a/modules/pam_userdb/README b/modules/pam_userdb/README
index 09d65edd..9fa6519d 100644
--- a/modules/pam_userdb/README
+++ b/modules/pam_userdb/README
@@ -10,8 +10,16 @@ RECOGNIZED ARGUMENTS:
 			is no default; the module will return PAM_IGNORE if
 			no database is provided.
 			
+	crypt=[mode]	indicates whether encrypted or plaintext passwords
+	                are stored in the database.  If [mode] is "crypt", 
+			passwords should be stored in the database in 
+		        crypt(3) form.	If [mode] is "none" or any other 
+	                value, passwords should be stored in the database in
+			plaintext.
+
 	icase		make the password verification to be case insensitive
 			(ie when working with registration numbers and such)
+			only works with plaintext password storage.
 
 	dump		dump all the entries in the database to the log (eek,
 			don't do this by default!)
diff --git a/modules/pam_userdb/pam_userdb.c b/modules/pam_userdb/pam_userdb.c
index 519ee898..30f1e578 100644
--- a/modules/pam_userdb/pam_userdb.c
+++ b/modules/pam_userdb/pam_userdb.c
@@ -57,6 +57,7 @@ static void _pam_log(int err, const char *format, ...)
 }
 
 char * database	 = NULL;
+char * cryptmode = NULL;
 static int ctrl	 = 0;
 
 static int _pam_parse(int argc, const char **argv)
@@ -77,6 +78,11 @@ static int _pam_parse(int argc, const char **argv)
 	      if (database == NULL)
 		  _pam_log(LOG_ERR, "pam_parse: could not parse argument \"%s\"",
 			   *argv);
+	  } else if (!strncasecmp(*argv,"crypt=", 6)) {
+	      cryptmode = strdup((*argv) + 6);
+	      if (cryptmode == NULL)
+		  _pam_log(LOG_ERR, "pam_parse: could not parse argument \"%s\"",
+			   *argv);
 	  } else {
                _pam_log(LOG_ERR, "pam_parse: unknown option; %s", *argv);
           }
@@ -139,6 +145,40 @@ static int user_lookup(const char *user, const char *pass)
     if (data.dptr != NULL) {
 	int compare = 0;
 	
+	if (strncasecmp(cryptmode, "crypt", 5) == 0) {
+
+	  /* crypt(3) password storage */
+
+	  char *cryptpw;
+	  char salt[2];
+
+	  if (data.dsize != 13) {
+	    compare = -2;
+	  } else if (ctrl & PAM_ICASE_ARG) {
+	    compare = -2;
+	  } else {
+	    salt[0] = *data.dptr;
+	    salt[1] = *(data.dptr + 1);
+
+	    cryptpw = crypt (pass, salt);
+
+	    if (cryptpw) {
+	      compare = strncasecmp (data.dptr, cryptpw, data.dsize);
+	    } else {
+	      compare = -2;
+	      if (ctrl & PAM_DEBUG_ARG) {    
+		_pam_log(LOG_INFO, "crypt() returned NULL");
+	      }
+	    };
+
+	  };
+
+	} else {
+	  
+	  /* Unknown password encryption method -
+	   * default to plaintext password storage
+	   */
+
 	if (strlen(pass) != data.dsize) {
 	    compare = 1;
 	} else if (ctrl & PAM_ICASE_ARG) {
@@ -146,6 +186,15 @@ static int user_lookup(const char *user, const char *pass)
 	} else {
 	    compare = strncmp(data.dptr, pass, data.dsize);
 	}
+
+	  if (strncasecmp(cryptmode, "none", 4) && ctrl & PAM_DEBUG_ARG) {    
+	    _pam_log(LOG_INFO, "invalid value for crypt parameter: %s",
+		     cryptmode);
+	    _pam_log(LOG_INFO, "defaulting to plaintext password mode");
+	  }
+
+	}
+
 	dbm_close(dbm);
 	if (compare == 0)
 	    return 0; /* match */