From 0b3e58307f210514609115544899ebe42d57a5c9 Mon Sep 17 00:00:00 2001
From: Thorsten Kukuk
Date: Tue, 14 Sep 2004 14:22:39 +0000
Subject: [PATCH] Relevant BUGIDs:
Purpose of commit:
Commit summary:
---------------
bugfix: merge with BerliOS
---
 CHANGELOG | 5 +++
 libpamc/test/modules/pam_secret.c | 1 +
 modules/pam_access/pam_access.c | 8 ++---
 modules/pam_cracklib/pam_cracklib.c | 4 +--
 modules/pam_userdb/Makefile | 4 +++
 modules/pam_userdb/README | 8 +++++
 modules/pam_userdb/pam_userdb.c | 49 +++++++++++++++++++++++++++++
 7 files changed, 71 insertions(+), 8 deletions(-)

diff --git a/CHANGELOG b/CHANGELOG
index e510a164..40f7a2c9 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -86,6 +86,11 @@ BerliOS Bugs are marked with (BerliOS #XXXX).
 contains only one character (Bug 1027903 - kukuk)
 * libpam/pam_start.c: All service names should be files below /etc/pam.d
 and nothing else. Forbid paths. (Bug 1027912 - kukuk)
+* pam_cracklib: Fix error in distance algorithm in the 0.9 pam_cracklib
+ module (Bug 1010142 - toady)
+* pam_userdb: applied patch from Paul Walmsley
+ it now indicates whether encrypted or plaintext passwords are stored
+ in the database needed for pam_userdb. (Bug XXXXXX - toady)
 
 0.77: Mon Sep 23 10:25:42 PDT 2002
 
diff --git a/libpamc/test/modules/pam_secret.c b/libpamc/test/modules/pam_secret.c
index 7efa8c23..830f1a78 100644
--- a/libpamc/test/modules/pam_secret.c
+++ b/libpamc/test/modules/pam_secret.c
@@ -206,6 +206,7 @@ char *identify_secret(char *identity, const char *user)
 pwd = getpwnam(user);
 if ((pwd == NULL) || (pwd->pw_dir == NULL)) {
 D(("user [%s] is not known", user));
+ return NULL;
 }
 
 length_id = strlen(pwd->pw_dir) + sizeof(SECRET_FILE_FORMAT);
diff --git a/modules/pam_access/pam_access.c b/modules/pam_access/pam_access.c
index 4005c93b..854b1506 100644
--- a/modules/pam_access/pam_access.c
+++ b/modules/pam_access/pam_access.c
@@ -41,6 +41,7 @@
 #include
 #include
 #include
+#include
 #ifndef BROKEN_NETWORK_MATCH
 # include
@@ -262,16 +263,11 @@ static char * myhostname(void)
 
 static int netgroup_match(char *group, char *machine, char *user)
 {
-#ifdef NIS
- static char *mydomain = 0;
+ static char *mydomain = NULL;
 
 if (mydomain == 0) yp_get_default_domain(&mydomain);
 return (innetgr(group, machine, user, mydomain));
-#else
- _log_err("NIS netgroup support not configured");
- return (NO);
-#endif
 }
 
 /* user_match - match a username against one token */
diff --git a/modules/pam_cracklib/pam_cracklib.c b/modules/pam_cracklib/pam_cracklib.c
index bc98d2f6..ff2c61f9 100644
--- a/modules/pam_cracklib/pam_cracklib.c
+++ b/modules/pam_cracklib/pam_cracklib.c
@@ -258,12 +258,12 @@ static int distdifferent(const char *old, const char *new, int i, int j)
 {
 char c, d;
 
- if ((i == 0) || (strlen(old) <= i)) {
+ if ((i == 0) || (strlen(old) < i)) {
 c = 0;
 } else {
 c = old[i - 1];
 }
- if ((j == 0) || (strlen(new) <= i)) {
+ if ((j == 0) || (strlen(new) < j)) {
 d = 0;
 } else {
 d = new[j - 1];
diff --git a/modules/pam_userdb/Makefile b/modules/pam_userdb/Makefile
index b53ac436..bbecaae1 100644
--- a/modules/pam_userdb/Makefile
+++ b/modules/pam_userdb/Makefile
@@ -24,6 +24,10 @@ else
 endif
 endif
 
+ifeq ($(HAVE_LIBCRYPT),yes)
+ MODULE_SIMPLE_EXTRALIBS += -lcrypt
+endif
+
 ifeq ($(WHICH_DB),none)
 include ../dont_makefile
 
diff --git a/modules/pam_userdb/README b/modules/pam_userdb/README
index 09d65edd..9fa6519d 100644
--- a/modules/pam_userdb/README
+++ b/modules/pam_userdb/README
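Review bot: The return value of `yp_get_default_domain(&mydomain)` is still ignored, and with the `#ifdef NIS` fallback removed there is no longer any path that refuses the lookup, so when the NIS domain cannot be determined `mydomain` stays NULL and `innetgr()` is called with a NULL domain, which on common implementations matches any domain rather than none — a rule meant for one netgroup domain would then be evaluated more permissively than intended. Failing closed is the safer shape: `if (mydomain == NULL && yp_get_default_domain(&mydomain) != 0) { _log_err("cannot determine NIS domain for netgroup match"); return (NO); }`. Dropping the `#else` branch also makes the module depend unconditionally on the NIS client library; the build-side consequence of that is outside this hunk.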
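Review bot: The corrected guard `strlen(old) < i` (and `strlen(new) < j`) still compares a `size_t` with a signed `int`, so a negative `i` or `j` is promoted to a very large unsigned value; that happens to yield `c = 0` instead of an out-of-bounds read of `old[i - 1]`, but only by accident, and it draws `-Wsign-compare` warnings. Making the intent explicit, `if ((i <= 0) || (strlen(old) < (size_t)i)) {` and the matching form with `j` for `new`, documents that the index must be positive before it is used as `old[i - 1]`. Whether callers can actually pass a negative index is not visible here; the rest of `distdifferent` continues outside the hunk.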
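Review bot: `-lcrypt` is only linked when `HAVE_LIBCRYPT` is `yes`, but the accompanying change to `pam_userdb.c` calls `crypt()` unconditionally with no `#ifdef` around the crypt branch, so a build where that variable is unset will presumably fail at link time (or pick up an implicit declaration) rather than quietly losing crypt support. Either the C code should guard the crypt mode on the same symbol or the Makefile should treat a missing libcrypt as a hard error; at minimum a comment next to the `ifeq`, `# pam_userdb calls crypt(3) unconditionally; libcrypt is required, not optional`, would make the dependency explicit.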
@@ -10,8 +10,16 @@ RECOGNIZED ARGUMENTS:
 is no default; the module will return PAM_IGNORE if no database is provided.
 
+ crypt=[mode] indicates whether encrypted or plaintext passwords
+ are stored in the database. If [mode] is "crypt",
+ passwords should be stored in the database in
+ crypt(3) form. If [mode] is "none" or any other
+ value, passwords should be stored in the database in
+ plaintext.
+
 icase make the password verification to be case insensitive (ie when working with registration numbers and such)
+ only works with plaintext password storage.
 
 dump dump all the entries in the database to the log (eek, don't do this by default!)
diff --git a/modules/pam_userdb/pam_userdb.c b/modules/pam_userdb/pam_userdb.c
index 519ee898..30f1e578 100644
--- a/modules/pam_userdb/pam_userdb.c
+++ b/modules/pam_userdb/pam_userdb.c
@@ -57,6 +57,7 @@ static void _pam_log(int err, const char *format, ...)
 }
 
 char * database = NULL;
+char * cryptmode = NULL;
 static int ctrl = 0;
 
 static int _pam_parse(int argc, const char **argv)
@@ -77,6 +78,11 @@ static int _pam_parse(int argc, const char **argv)
 if (database == NULL)
 _pam_log(LOG_ERR, "pam_parse: could not parse argument \"%s\"",
 *argv);
+ } else if (!strncasecmp(*argv,"crypt=", 6)) {
+ cryptmode = strdup((*argv) + 6);
+ if (cryptmode == NULL)
+ _pam_log(LOG_ERR, "pam_parse: could not parse argument \"%s\"",
+ *argv);
 } else {
 _pam_log(LOG_ERR, "pam_parse: unknown option; %s", *argv);
 }
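Review bot: `cryptmode = strdup((*argv) + 6)` overwrites the previous pointer without releasing it, so a repeated `crypt=` argument — or a re-parse of the module arguments on a later PAM call, if `_pam_parse` runs more than once; its caller is outside the hunk — leaks the earlier string, and the existing `database` branch has the same pattern. Because `cryptmode` starts as NULL and `free(NULL)` is a no-op, `free(cryptmode); cryptmode = strdup((*argv) + 6);` closes the leak with no extra bookkeeping. The message `pam_parse: could not parse argument` is also misleading for what is an allocation failure; `pam_parse: out of memory for argument \"%s\"` would describe it. Like `database`, the new `char * cryptmode = NULL;` in the preceding hunk is a file-scope global with external linkage where `static` would keep it private to the module.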
@@ -139,6 +145,40 @@ static int user_lookup(const char *user, const char *pass)
 if (data.dptr != NULL) {
 int compare = 0;
 
+ if (strncasecmp(cryptmode, "crypt", 5) == 0) {
+
+ /* crypt(3) password storage */
+
+ char *cryptpw;
+ char salt[2];
+
+ if (data.dsize != 13) {
+ compare = -2;
+ } else if (ctrl & PAM_ICASE_ARG) {
+ compare = -2;
+ } else {
+ salt[0] = *data.dptr;
+ salt[1] = *(data.dptr + 1);
+
+ cryptpw = crypt (pass, salt);
+
+ if (cryptpw) {
+ compare = strncasecmp (data.dptr, cryptpw, data.dsize);
+ } else {
+ compare = -2;
+ if (ctrl & PAM_DEBUG_ARG) {
+ _pam_log(LOG_INFO, "crypt() returned NULL");
+ }
+ };
+
+ };
+
+ } else {
+
+ /* Unknown password encryption method -
+ * default to plaintext password storage
+ */
+
 if (strlen(pass) != data.dsize) {
 compare = 1;
 } else if (ctrl & PAM_ICASE_ARG) {
@@ -146,6 +186,15 @@ static int user_lookup(const char *user, const char *pass)
 } else {
 compare = strncmp(data.dptr, pass, data.dsize);
 }
+
+ if (strncasecmp(cryptmode, "none", 4) && ctrl & PAM_DEBUG_ARG) {
+ _pam_log(LOG_INFO, "invalid value for crypt parameter: %s",
+ cryptmode);
+ _pam_log(LOG_INFO, "defaulting to plaintext password mode");
+ }
+
+ }
+
 dbm_close(dbm);
 if (compare == 0)
 return 0; /* match */
-- 
2.40.0
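Review bot: `strncasecmp(cryptmode, "crypt", 5)` dereferences `cryptmode`, which is initialised to NULL and only assigned when a `crypt=` argument is present, so every existing configuration without that argument now crashes in `user_lookup` instead of taking the plaintext path; the `strncasecmp(cryptmode, "none", 4)` test in the following hunk has the same defect whenever debugging is enabled. Guard both, `if (cryptmode && strncasecmp(cryptmode, "crypt", 5) == 0) {` and `if (cryptmode && strncasecmp(cryptmode, "none", 4) && (ctrl & PAM_DEBUG_ARG)) {`, so that an absent option means plaintext as the README describes. Separately, the crypt branch explicitly rejects `PAM_ICASE_ARG` yet compares the stored hash with `strncasecmp`, which accepts hashes that differ only in letter case; `compare = strncmp (data.dptr, cryptpw, data.dsize);` is the comparison the branch intends, and a constant-time comparison would be better still for a credential check. The `data.dsize != 13` test also hard-codes the traditional DES crypt(3) output length, so any other hash format the system `crypt()` produces is rejected; a comment stating that limitation next to the check would save the next reader a surprise. `user_lookup` begins before this hunk and continues past the next one.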