author | des <des@FreeBSD.org> | 2002-04-07 21:18:18 +0000 |
---|---|---|
committer | des <des@FreeBSD.org> | 2002-04-07 21:18:18 +0000 |
commit | a3ac60a8cbdce34bcb3dd1546d74625724f2f00b (patch) | |
tree | fb8bae29887ad98e1d2a2beca54ef816dc469783 /lib | |
parent | 3234f33800c83afb4064abd66d068443fef4d3a6 (diff) | |
Reorganize pam_sm_authenticate() to reduce code duplication.
Sponsored by: DARPA, NAI Labs
Diffstat (limited to 'lib')
-rw-r--r-- | lib/libpam/modules/pam_unix/pam_unix.c | 81 |
1 files changed, 22 insertions, 59 deletions
diff --git a/lib/libpam/modules/pam_unix/pam_unix.c b/lib/libpam/modules/pam_unix/pam_unix.c
index 8f03673..42317f7 100644
--- a/lib/libpam/modules/pam_unix/pam_unix.c
+++ b/lib/libpam/modules/pam_unix/pam_unix.c
@@ -121,16 +121,16 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags __unused, int argc, const char
 	struct options options;
 	struct passwd *pwd;
 	int retval;
-	const char *pass, *user;
-	char *encrypted, *password_prompt;
+	const char *pass, *user, *realpw;
+	char *prompt;
 
 	pam_std_option(&options, other_options, argc, argv);
 
 	PAM_LOG("Options processed");
 
-	if (pam_test_option(&options, PAM_OPT_AUTH_AS_SELF, NULL))
+	if (pam_test_option(&options, PAM_OPT_AUTH_AS_SELF, NULL)) {
 		pwd = getpwnam(getlogin());
-	else {
+	} else {
 		retval = pam_get_user(pamh, &user, NULL);
 		if (retval != PAM_SUCCESS)
 			PAM_RETURN(retval);
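Review bot: In the PAM_OPT_AUTH_AS_SELF branch `user` is never assigned, yet the new declaration `const char *pass, *user, *realpw;` leaves it indeterminate and the next hunk passes it to `PAM_LOG("Got user: %s", user)`, so that log call formats an uninitialized pointer whenever the option is set. The same branch also hands `getlogin()` straight to `getpwnam()`; `getlogin()` can return NULL (no controlling terminal or no utmp entry), and a NULL name is not something `getpwnam()` is specified to accept. Both are fixed inside the braces this commit introduces with `user = getlogin(); pwd = (user != NULL) ? getpwnam(user) : NULL;`, which also makes the later log line safe. The enclosing pam_sm_authenticate() starts before this hunk.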
@@ -140,68 +140,31 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags __unused, int argc, const char
 	PAM_LOG("Got user: %s", user);
 
 	if (pwd != NULL) {
-		PAM_LOG("Doing real authentication");
-
-		if (pwd->pw_passwd[0] == '\0'
-		    && pam_test_option(&options, PAM_OPT_NULLOK, NULL)) {
-			/*
-			 * No password case. XXX Are we giving too much away
-			 * by not prompting for a password?
-			 */
-			PAM_LOG("No password, and null password OK");
-			PAM_RETURN(PAM_SUCCESS);
+		realpw = pwd->pw_passwd;
+		if (realpw[0] == '\0') {
+			if (!(flags & PAM_DISALLOW_NULL_AUTHTOK) &&
+			    pam_test_option(&options, PAM_OPT_NULLOK, NULL))
+				PAM_RETURN(PAM_SUCCESS);
+			realpw = "*";
 		}
-		else {
-			lc = login_getpwclass(pwd);
-			password_prompt = login_getcapstr(lc, "passwd_prompt",
-			    NULL, NULL);
-			retval = pam_get_authtok(pamh, PAM_AUTHTOK,
-			    &pass, password_prompt);
-			login_close(lc);
-			if (retval != PAM_SUCCESS)
-				PAM_RETURN(retval);
-			PAM_LOG("Got password");
-		}
-		encrypted = crypt(pass, pwd->pw_passwd);
-		if (pass[0] == '\0' && pwd->pw_passwd[0] != '\0')
-			encrypted = colon;
-
-		PAM_LOG("Encrypted password 1 is: %s", encrypted);
-		PAM_LOG("Encrypted password 2 is: %s", pwd->pw_passwd);
-
-		retval = strcmp(encrypted, pwd->pw_passwd) == 0 ?
-		    PAM_SUCCESS : PAM_AUTH_ERR;
-	}
-	else {
-
+		lc = login_getpwclass(pwd);
+	} else {
 		PAM_LOG("Doing dummy authentication");
-
-		/*
-		 * User unknown.
-		 * Encrypt a dummy password so as to not give away too much.
-		 */
+		realpw = "*";
 		lc = login_getclass(NULL);
-		password_prompt = login_getcapstr(lc, "passwd_prompt",
-		    NULL, NULL);
-		retval = pam_get_authtok(pamh,
-		    PAM_AUTHTOK, &pass, password_prompt);
-		login_close(lc);
-		if (retval != PAM_SUCCESS)
-			PAM_RETURN(retval);
-		PAM_LOG("Got password");
-		crypt(pass, "xx");
-		retval = PAM_AUTH_ERR;
 	}
-
-	/*
-	 * The PAM infrastructure will obliterate the cleartext
-	 * password before returning to the application.
-	 */
+	prompt = login_getcapstr(lc, "passwd_prompt", NULL, NULL);
+	retval = pam_get_authtok(pamh, PAM_AUTHTOK, &pass, prompt);
+	login_close(lc);
 	if (retval != PAM_SUCCESS)
-		PAM_VERBOSE_ERROR("UNIX authentication refused");
+		PAM_RETURN(retval);
+	PAM_LOG("Got password");
+	if (strcmp(crypt(pass, realpw), realpw) == 0)
+		PAM_RETURN(PAM_SUCCESS);
 
-	PAM_RETURN(retval);
+	PAM_VERBOSE_ERROR("UNIX authentication refused");
+	PAM_RETURN(PAM_AUTH_ERR);
 }
 
 PAM_EXTERN int
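Review bot: The new comparison `if (strcmp(crypt(pass, realpw), realpw) == 0)` passes the result of crypt() to strcmp() unchecked; on a libcrypt that returns NULL for a setting it cannot parse this dereferences NULL, and `"*"` is used here precisely because it is not a valid setting, so the unknown-user and locked-account paths are the ones most exposed. Rewrite it as `const char *crypted = crypt(pass, realpw); if (crypted != NULL && strcmp(crypted, realpw) == 0) PAM_RETURN(PAM_SUCCESS);` so a NULL result falls through to PAM_AUTH_ERR. The hunk header still shows `int flags __unused` on the signature (which lies outside the hunk) while the new null-password test reads `flags & PAM_DISALLOW_NULL_AUTHTOK`, so that annotation is now stale and should be removed. The deleted comment explaining why an unknown user is still prompted and still run through crypt() is worth keeping on the else branch, e.g. above `realpw = "*";`: `/* Unknown user: prompt and crypt anyway so the failure looks the same as a bad password. */`.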