diff options
author | jdp <jdp@FreeBSD.org> | 1999-05-08 01:59:27 +0000 |
---|---|---|
committer | jdp <jdp@FreeBSD.org> | 1999-05-08 01:59:27 +0000 |
commit | 3b1a00d745517ae78fdeed8c328a173d7aa54567 (patch) | |
tree | fb6786f4e5d3887076238f27347e4a1cf640c178 | |
parent | 6917b00bc8ee216542e93207dac41322d0fbbaf6 (diff) | |
download | FreeBSD-src-3b1a00d745517ae78fdeed8c328a173d7aa54567.zip FreeBSD-src-3b1a00d745517ae78fdeed8c328a173d7aa54567.tar.gz |
Revive the pam_deny and pam_permit modules from Linux-PAM. They are
simple enough to be trusted.
Add account management functionality to the pam_unix module.
These changes should make it possible to use PAM in some ports.
Submitted by: Max Khon <fjoe@iclub.nsu.ru>
-rw-r--r-- | contrib/libpam/modules/pam_deny/Makefile | 125 | ||||
-rw-r--r-- | contrib/libpam/modules/pam_deny/README | 4 | ||||
-rw-r--r-- | contrib/libpam/modules/pam_deny/pam_deny.c | 83 | ||||
-rw-r--r-- | contrib/libpam/modules/pam_permit/Makefile | 126 | ||||
-rw-r--r-- | contrib/libpam/modules/pam_permit/README | 4 | ||||
-rw-r--r-- | contrib/libpam/modules/pam_permit/pam_permit.c | 108 | ||||
-rw-r--r-- | lib/libpam/libpam/Makefile | 2 | ||||
-rw-r--r-- | lib/libpam/modules/Makefile | 2 | ||||
-rw-r--r-- | lib/libpam/modules/pam_deny/Makefile | 41 | ||||
-rw-r--r-- | lib/libpam/modules/pam_permit/Makefile | 42 | ||||
-rw-r--r-- | lib/libpam/modules/pam_unix/Makefile | 4 | ||||
-rw-r--r-- | lib/libpam/modules/pam_unix/pam_unix.c | 74 |
12 files changed, 613 insertions, 2 deletions
diff --git a/contrib/libpam/modules/pam_deny/Makefile b/contrib/libpam/modules/pam_deny/Makefile new file mode 100644 index 0000000..02506cb --- /dev/null +++ b/contrib/libpam/modules/pam_deny/Makefile @@ -0,0 +1,125 @@ +# +# $Id: Makefile,v 1.7 1997/04/05 06:43:41 morgan Exp morgan $ +# +# This Makefile controls a build process of $(TITLE) module for +# Linux-PAM. You should not modify this Makefile (unless you know +# what you are doing!). +# +# $Log: Makefile,v $ +# Revision 1.7 1997/04/05 06:43:41 morgan +# full-source-tree and fakeroot +# +# Revision 1.6 1997/02/15 19:04:27 morgan +# fixed email +# +# Revision 1.5 1996/11/10 20:11:48 morgan +# crossplatform support +# +# Revision 1.4 1996/09/05 06:50:12 morgan +# ld --> gcc +# +# Revision 1.3 1996/05/26 15:48:38 morgan +# make dynamic and static dirs +# +# Revision 1.2 1996/05/26 04:00:16 morgan +# changes for automated static/dynamic modules +# +# Revision 1.1 1996/03/16 17:47:36 morgan +# Initial revision +# +# +# Created by Andrew Morgan <morgan@parc.power.net> 1996/3/11 +# + +# Convenient defaults for compiling independently of the full source +# tree. +ifndef FULL_LINUX_PAM_SOURCE_TREE +export DYNAMIC=-DPAM_DYNAMIC +export CC=gcc +export CFLAGS=-O2 -Dlinux -DLINUX_PAM \ + -ansi -D_POSIX_SOURCE -Wall -Wwrite-strings \ + -Wpointer-arith -Wcast-qual -Wcast-align -Wtraditional \ + -Wstrict-prototypes -Wmissing-prototypes -Wnested-externs -Winline \ + -Wshadow -pedantic -fPIC +export MKDIR=mkdir -p +export LD_D=gcc -shared -Xlinker -x +endif + +# + +TITLE=pam_deny + +# + +LIBSRC = $(TITLE).c +LIBOBJ = $(TITLE).o +LIBOBJD = $(addprefix dynamic/,$(LIBOBJ)) +LIBOBJS = $(addprefix static/,$(LIBOBJ)) + +dynamic/%.o : %.c + $(CC) $(CFLAGS) $(DYNAMIC) $(CPPFLAGS) $(TARGET_ARCH) -c $< -o $@ + +static/%.o : %.c + $(CC) $(CFLAGS) $(STATIC) $(CPPFLAGS) $(TARGET_ARCH) -c $< -o $@ + + +ifdef DYNAMIC +LIBSHARED = $(TITLE).so +endif +ifdef STATIC +LIBSTATIC = lib$(TITLE).o +endif + +####################### don't edit below ####################### + +dummy: + @echo "**** This is not a top-level Makefile " + exit + +all: dirs $(LIBSHARED) $(LIBSTATIC) register + +dirs: +ifdef DYNAMIC + $(MKDIR) ./dynamic +endif +ifdef STATIC + $(MKDIR) ./static +endif + +register: +ifdef STATIC + ( cd .. ; ./register_static $(TITLE) $(TITLE)/$(LIBSTATIC) ) +endif + +ifdef DYNAMIC +$(LIBOBJD): $(LIBSRC) + +$(LIBSHARED): $(LIBOBJD) + $(LD_D) -o $@ $(LIBOBJD) +endif + +ifdef STATIC +$(LIBOBJS): $(LIBSRC) + +$(LIBSTATIC): $(LIBOBJS) + $(LD) -r -o $@ $(LIBOBJS) +endif + +install: all + $(MKDIR) $(FAKEROOT)$(SECUREDIR) +ifdef DYNAMIC + $(INSTALL) -m $(SHLIBMODE) $(LIBSHARED) $(FAKEROOT)$(SECUREDIR) +endif + +remove: + rm -f $(FAKEROOT)$(SECUREDIR)/$(TITLE).so + +clean: + rm -f $(LIBOBJD) $(LIBOBJS) core *~ + +extraclean: clean + rm -f *.a *.o *.so *.bak + +.c.o: + $(CC) $(CFLAGS) -c $< + diff --git a/contrib/libpam/modules/pam_deny/README b/contrib/libpam/modules/pam_deny/README new file mode 100644 index 0000000..4f7f6de --- /dev/null +++ b/contrib/libpam/modules/pam_deny/README @@ -0,0 +1,4 @@ +# $Id: README,v 1.1 1996/03/16 18:11:12 morgan Exp $ +# + +this module always fails, it ignores all options. diff --git a/contrib/libpam/modules/pam_deny/pam_deny.c b/contrib/libpam/modules/pam_deny/pam_deny.c new file mode 100644 index 0000000..01b2def --- /dev/null +++ b/contrib/libpam/modules/pam_deny/pam_deny.c @@ -0,0 +1,83 @@ +/* pam_deny module */ + +/* + * $Id: pam_deny.c,v 1.4 1997/02/15 19:05:15 morgan Exp $ + * + * Written by Andrew Morgan <morgan@parc.power.net> 1996/3/11 + * + * $Log: pam_deny.c,v $ + * Revision 1.4 1997/02/15 19:05:15 morgan + * fixed email + * + * Revision 1.3 1996/06/02 08:06:19 morgan + * changes for new static protocol + * + * Revision 1.2 1996/05/26 04:01:12 morgan + * added static support + * + * Revision 1.1 1996/03/16 17:47:36 morgan + * Initial revision + * + */ + +/* + * here, we make definitions for the externally accessible functions + * in this file (these definitions are required for static modules + * but strongly encouraged generally) they are used to instruct the + * modules include file to define their prototypes. + */ + +#define PAM_SM_AUTH +#define PAM_SM_ACCOUNT +#define PAM_SM_SESSION +#define PAM_SM_PASSWORD + +#include <security/pam_modules.h> + +/* --- authentication management functions --- */ + +PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh,int flags,int argc + ,const char **argv) +{ + return PAM_AUTH_ERR; +} + +PAM_EXTERN int pam_sm_setcred(pam_handle_t *pamh,int flags,int argc + ,const char **argv) +{ + return PAM_CRED_UNAVAIL; +} + +/* --- account management functions --- */ + +PAM_EXTERN int pam_sm_acct_mgmt(pam_handle_t *pamh,int flags,int argc + ,const char **argv) +{ + return PAM_ACCT_EXPIRED; +} + +/* --- password management --- */ + +PAM_EXTERN int pam_sm_chauthtok(pam_handle_t *pamh,int flags,int argc + ,const char **argv) +{ + return PAM_AUTHTOK_ERR; +} + +/* --- session management --- */ + +PAM_EXTERN int pam_sm_open_session(pam_handle_t *pamh,int flags,int argc + ,const char **argv) +{ + return PAM_SYSTEM_ERR; +} + +PAM_EXTERN int pam_sm_close_session(pam_handle_t *pamh,int flags,int argc + ,const char **argv) +{ + return PAM_SYSTEM_ERR; +} + +/* end of module definition */ + +PAM_MODULE_ENTRY("pam_deny"); diff --git a/contrib/libpam/modules/pam_permit/Makefile b/contrib/libpam/modules/pam_permit/Makefile new file mode 100644 index 0000000..823b624 --- /dev/null +++ b/contrib/libpam/modules/pam_permit/Makefile @@ -0,0 +1,126 @@ +# +# $Id: Makefile,v 1.8 1997/04/05 06:33:25 morgan Exp morgan $ +# +# This Makefile controls a build process of $(TITLE) module for +# Linux-PAM. You should not modify this Makefile (unless you know +# what you are doing!). +# +# $Log: Makefile,v $ +# Revision 1.8 1997/04/05 06:33:25 morgan +# fakeroot +# +# Revision 1.7 1997/02/15 19:02:27 morgan +# updated email address +# +# Revision 1.6 1996/11/10 20:14:34 morgan +# cross platform support +# +# Revision 1.5 1996/09/05 06:32:45 morgan +# ld --> gcc +# +# Revision 1.4 1996/05/26 15:49:25 morgan +# make dynamic and static dirs +# +# Revision 1.3 1996/05/26 04:04:26 morgan +# automated static support +# +# Revision 1.2 1996/03/16 17:56:38 morgan +# tidied up +# +# +# Created by Andrew Morgan <morgan@parc.power.net> 1996/3/11 +# + +# Convenient defaults for compiling independently of the full source +# tree. +ifndef FULL_LINUX_PAM_SOURCE_TREE +export DYNAMIC=-DPAM_DYNAMIC +export CC=gcc +export CFLAGS=-O2 -Dlinux -DLINUX_PAM \ + -ansi -D_POSIX_SOURCE -Wall -Wwrite-strings \ + -Wpointer-arith -Wcast-qual -Wcast-align -Wtraditional \ + -Wstrict-prototypes -Wmissing-prototypes -Wnested-externs -Winline \ + -Wshadow -pedantic -fPIC +export MKDIR=mkdir -p +export LD_D=gcc -shared -Xlinker -x +endif + +# +# + +TITLE=pam_permit + +# + +LIBSRC = $(TITLE).c +LIBOBJ = $(TITLE).o +LIBOBJD = $(addprefix dynamic/,$(LIBOBJ)) +LIBOBJS = $(addprefix static/,$(LIBOBJ)) + +ifdef DYNAMIC +LIBSHARED = $(TITLE).so +endif + +ifdef STATIC +LIBSTATIC = lib$(TITLE).o +endif + +####################### don't edit below ####################### + +all: dirs $(LIBSHARED) $(LIBSTATIC) register + +dynamic/%.o : %.c + $(CC) $(CFLAGS) $(DYNAMIC) $(TARGET_ARCH) -c $< -o $@ + +static/%.o : %.c + $(CC) $(CFLAGS) $(STATIC) $(TARGET_ARCH) -c $< -o $@ + +dirs: +ifdef DYNAMIC + $(MKDIR) ./dynamic +endif +ifdef STATIC + $(MKDIR) ./static +endif + +register: +ifdef STATIC + ( cd .. ; ./register_static $(TITLE) $(TITLE)/$(LIBSTATIC) ) +endif + +ifdef DYNAMIC +$(LIBOBJD): $(LIBSRC) +endif + +ifdef DYNAMIC +$(LIBSHARED): $(LIBOBJD) + $(LD_D) -o $@ $(LIBOBJD) +endif + +ifdef STATIC +$(LIBOBJS): $(LIBSRC) +endif + +ifdef STATIC +$(LIBSTATIC): $(LIBOBJS) + $(LD) -r -o $@ $(LIBOBJS) +endif + +install: all + $(MKDIR) $(FAKEROOT)$(SECUREDIR) +ifdef DYNAMIC + $(INSTALL) -m $(SHLIBMODE) $(LIBSHARED) $(FAKEROOT)$(SECUREDIR) +endif + +remove: + rm -f $(FAKEROOT)$(SECUREDIR)/$(TITLE).so + +clean: + rm -f $(LIBOBJD) $(LIBOBJS) core *~ + +extraclean: clean + rm -f *.a *.o *.so *.bak + +.c.o: + $(CC) $(CFLAGS) -c $< + diff --git a/contrib/libpam/modules/pam_permit/README b/contrib/libpam/modules/pam_permit/README new file mode 100644 index 0000000..da179a3 --- /dev/null +++ b/contrib/libpam/modules/pam_permit/README @@ -0,0 +1,4 @@ +# $Id: README,v 1.1 1996/03/16 18:12:51 morgan Exp $ +# + +this module always returns PAM_SUCCESS, it ignores all options. diff --git a/contrib/libpam/modules/pam_permit/pam_permit.c b/contrib/libpam/modules/pam_permit/pam_permit.c new file mode 100644 index 0000000..a01f9c2 --- /dev/null +++ b/contrib/libpam/modules/pam_permit/pam_permit.c @@ -0,0 +1,108 @@ +/* pam_permit module */ + +/* + * $Id: pam_permit.c,v 1.5 1997/02/15 19:03:15 morgan Exp $ + * + * Written by Andrew Morgan <morgan@parc.power.net> 1996/3/11 + * + * $Log: pam_permit.c,v $ + * Revision 1.5 1997/02/15 19:03:15 morgan + * fixed email address + * + * Revision 1.4 1997/02/15 16:03:10 morgan + * force a name for user + * + * Revision 1.3 1996/06/02 08:10:14 morgan + * updated for new static protocol + * + */ + +#define DEFAULT_USER "nobody" + +#include <stdio.h> + +/* + * here, we make definitions for the externally accessible functions + * in this file (these definitions are required for static modules + * but strongly encouraged generally) they are used to instruct the + * modules include file to define their prototypes. + */ + +#define PAM_SM_AUTH +#define PAM_SM_ACCOUNT +#define PAM_SM_SESSION +#define PAM_SM_PASSWORD + +#include <security/pam_modules.h> +#include <security/_pam_macros.h> + +/* --- authentication management functions --- */ + +PAM_EXTERN +int pam_sm_authenticate(pam_handle_t *pamh,int flags,int argc + ,const char **argv) +{ + int retval; + const char *user=NULL; + + /* + * authentication requires we know who the user wants to be + */ + retval = pam_get_user(pamh, &user, NULL); + if (retval != PAM_SUCCESS) { + D(("get user returned error: %s", pam_strerror(pamh,retval))); + return retval; + } + if (user == NULL || *user == '\0') { + D(("username not known")); + pam_set_item(pamh, PAM_USER, (const void *) DEFAULT_USER); + } + user = NULL; /* clean up */ + + return PAM_SUCCESS; +} + +PAM_EXTERN +int pam_sm_setcred(pam_handle_t *pamh,int flags,int argc + ,const char **argv) +{ + return PAM_SUCCESS; +} + +/* --- account management functions --- */ + +PAM_EXTERN +int pam_sm_acct_mgmt(pam_handle_t *pamh,int flags,int argc + ,const char **argv) +{ + return PAM_SUCCESS; +} + +/* --- password management --- */ + +PAM_EXTERN +int pam_sm_chauthtok(pam_handle_t *pamh,int flags,int argc + ,const char **argv) +{ + return PAM_SUCCESS; +} + +/* --- session management --- */ + +PAM_EXTERN +int pam_sm_open_session(pam_handle_t *pamh,int flags,int argc + ,const char **argv) +{ + return PAM_SUCCESS; +} + +PAM_EXTERN +int pam_sm_close_session(pam_handle_t *pamh,int flags,int argc + ,const char **argv) +{ + return PAM_SUCCESS; +} + +/* end of module definition */ + +PAM_MODULE_ENTRY("pam_permit"); diff --git a/lib/libpam/libpam/Makefile b/lib/libpam/libpam/Makefile index 7603a65..ddcc688 100644 --- a/lib/libpam/libpam/Makefile +++ b/lib/libpam/libpam/Makefile @@ -61,9 +61,11 @@ HDRS3= pam_mod_misc.h # Static PAM modules: STATIC_MODULES+= ${MODOBJDIR}/pam_cleartext_pass_ok/libpam_cleartext_pass_ok.a +STATIC_MODULES+= ${MODOBJDIR}/pam_deny/libpam_deny.a .if defined(MAKE_KERBEROS4) STATIC_MODULES+= ${MODOBJDIR}/pam_kerberosIV/libpam_kerberosIV.a .endif +STATIC_MODULES+= ${MODOBJDIR}/pam_permit/libpam_permit.a STATIC_MODULES+= ${MODOBJDIR}/pam_radius/libpam_radius.a STATIC_MODULES+= ${MODOBJDIR}/pam_skey/libpam_skey.a STATIC_MODULES+= ${MODOBJDIR}/pam_tacplus/libpam_tacplus.a diff --git a/lib/libpam/modules/Makefile b/lib/libpam/modules/Makefile index 5a3e3c1..74136ba 100644 --- a/lib/libpam/modules/Makefile +++ b/lib/libpam/modules/Makefile @@ -25,9 +25,11 @@ # $FreeBSD$ SUBDIR+= pam_cleartext_pass_ok +SUBDIR+= pam_deny .if defined(MAKE_KERBEROS4) SUBDIR+= pam_kerberosIV .endif +SUBDIR+= pam_permit SUBDIR+= pam_radius SUBDIR+= pam_skey SUBDIR+= pam_tacplus diff --git a/lib/libpam/modules/pam_deny/Makefile b/lib/libpam/modules/pam_deny/Makefile new file mode 100644 index 0000000..17b1447 --- /dev/null +++ b/lib/libpam/modules/pam_deny/Makefile @@ -0,0 +1,41 @@ +# Copyright 1999 Max Khon. +# All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions +# are met: +# 1. Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# 2. Redistributions in binary form must reproduce the above copyright +# notice, this list of conditions and the following disclaimer in the +# documentation and/or other materials provided with the distribution. +# +# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND +# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE +# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +# SUCH DAMAGE. +# +# $FreeBSD$ + +PAMDIR= ${.CURDIR}/../../../../contrib/libpam + +.PATH: ${PAMDIR}/modules/pam_deny + +LIB= pam_deny +SHLIB_NAME= pam_deny.so +SRCS= pam_deny.c +CFLAGS+= -Wall +CFLAGS+= -I${PAMDIR}/libpam/include +DPADD+= ${LIBGCC_PIC} +LDADD+= -lgcc_pic +INTERNALLIB= yes +INTERNALSTATICLIB=yes + +.include <bsd.lib.mk> diff --git a/lib/libpam/modules/pam_permit/Makefile b/lib/libpam/modules/pam_permit/Makefile new file mode 100644 index 0000000..8863ff5 --- /dev/null +++ b/lib/libpam/modules/pam_permit/Makefile @@ -0,0 +1,42 @@ +# Copyright 1999 Max Khon. +# All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions +# are met: +# 1. Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# 2. Redistributions in binary form must reproduce the above copyright +# notice, this list of conditions and the following disclaimer in the +# documentation and/or other materials provided with the distribution. +# +# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND +# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE +# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +# SUCH DAMAGE. +# +# $FreeBSD$ + +PAMDIR= ${.CURDIR}/../../../../contrib/libpam + +.PATH: ${PAMDIR}/modules/pam_permit + +LIB= pam_permit +SHLIB_NAME= pam_permit.so +SRCS= pam_permit.c +CFLAGS+= -Wall +CFLAGS+= -I${PAMDIR}/libpam/include +CFLAGS+= -I${.CURDIR}/../../libpam +DPADD+= ${LIBGCC_PIC} +LDADD+= -lgcc_pic +INTERNALLIB= yes +INTERNALSTATICLIB=yes + +.include <bsd.lib.mk> diff --git a/lib/libpam/modules/pam_unix/Makefile b/lib/libpam/modules/pam_unix/Makefile index d3bb689..d049e2b 100644 --- a/lib/libpam/modules/pam_unix/Makefile +++ b/lib/libpam/modules/pam_unix/Makefile @@ -32,8 +32,8 @@ SRCS= pam_unix.c CFLAGS+= -Wall CFLAGS+= -I${PAMDIR}/libpam/include CFLAGS+= -I${.CURDIR}/../../libpam -DPADD+= ${LIBGCC_PIC} -LDADD+= -lgcc_pic +DPADD+= ${LIBUTIL} ${LIBGCC_PIC} +LDADD+= -lutil -lgcc_pic INTERNALLIB= yes INTERNALSTATICLIB=yes diff --git a/lib/libpam/modules/pam_unix/pam_unix.c b/lib/libpam/modules/pam_unix/pam_unix.c index b68a9d4..329b784 100644 --- a/lib/libpam/modules/pam_unix/pam_unix.c +++ b/lib/libpam/modules/pam_unix/pam_unix.c @@ -27,18 +27,26 @@ */ #include <sys/types.h> +#include <sys/time.h> +#include <login_cap.h> #include <pwd.h> #include <stdlib.h> #include <string.h> +#include <stdio.h> #include <unistd.h> #define PAM_SM_AUTH +#define PAM_SM_ACCOUNT #include <security/pam_modules.h> #include "pam_mod_misc.h" #define PASSWORD_PROMPT "Password:" +/* + * authentication management + */ + PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv) @@ -87,4 +95,70 @@ pam_sm_setcred(pam_handle_t *pamh, int flags, int argc, const char **argv) return PAM_SUCCESS; } +/* + * account management + * + * check pw_change and pw_expire fields + */ +PAM_EXTERN +int pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, + int argc, const char **argv) +{ + const char *user; + struct passwd *pw; + struct timeval tp; + time_t warntime; + login_cap_t *lc = NULL; + char buf[128]; + int retval; + + retval = pam_get_item(pamh, PAM_USER, (const void **)&user); + if (retval != PAM_SUCCESS || user == NULL) + /* some implementations return PAM_SUCCESS here */ + return PAM_USER_UNKNOWN; + + if ((pw = getpwnam(user)) == NULL) + return PAM_USER_UNKNOWN; + + retval = PAM_SUCCESS; + lc = login_getpwclass(pw); + + if (pw->pw_change || pw->pw_expire) + gettimeofday(&tp, NULL); + +#define DEFAULT_WARN (2L * 7L * 86400L) /* Two weeks */ + + warntime = login_getcaptime(lc, "warnpassword", DEFAULT_WARN, + DEFAULT_WARN); + + if (pw->pw_change) { + if (tp.tv_sec >= pw->pw_change) + /* some implementations return PAM_AUTHTOK_EXPIRED */ + retval = PAM_NEW_AUTHTOK_REQD; + else if (pw->pw_change - tp.tv_sec < warntime) { + snprintf(buf, sizeof(buf), + "Warning: your password expires on %s", + ctime(&pw->pw_change)); + pam_prompt(pamh, PAM_ERROR_MSG, buf, NULL); + } + } + + warntime = login_getcaptime(lc, "warnexpire", DEFAULT_WARN, + DEFAULT_WARN); + + if (pw->pw_expire) { + if (tp.tv_sec >= pw->pw_expire) + retval = PAM_ACCT_EXPIRED; + else if (pw->pw_expire - tp.tv_sec < warntime) { + snprintf(buf, sizeof(buf), + "Warning: your account expires on %s", + ctime(&pw->pw_expire)); + pam_prompt(pamh, PAM_ERROR_MSG, buf, NULL); + } + } + + login_close(lc); + return retval; +} + PAM_MODULE_ENTRY("pam_unix"); |