Diffstat (limited to 'lib')
-rw-r--r-- | lib/libpam/modules/pam_krb5/pam_krb5.c | 85 | ||||
-rw-r--r-- | lib/libpam/modules/pam_opie/pam_opie.c | 22 | ||||
-rw-r--r-- | lib/libpam/modules/pam_radius/pam_radius.c | 33 | ||||
-rw-r--r-- | lib/libpam/modules/pam_tacplus/pam_tacplus.c | 36 | ||||
-rw-r--r-- | lib/libpam/modules/pam_unix/pam_unix.c | 49 |
5 files changed, 58 insertions, 167 deletions
diff --git a/lib/libpam/modules/pam_krb5/pam_krb5.c b/lib/libpam/modules/pam_krb5/pam_krb5.c
index 705b452..a81ddff 100644
--- a/lib/libpam/modules/pam_krb5/pam_krb5.c
+++ b/lib/libpam/modules/pam_krb5/pam_krb5.c
@@ -71,6 +71,7 @@ __FBSDID("$FreeBSD$");
 #include <security/pam_appl.h>
 #include <security/pam_modules.h>
 #include <security/pam_mod_misc.h>
+#include <security/openpam.h>
 #define COMPAT_HEIMDAL
 /* #define COMPAT_MIT */
@@ -84,29 +85,17 @@ static void compat_free_data_contents(krb5_context, krb5_data *);
 #define PASSWORD_PROMPT "Password:"
 #define NEW_PASSWORD_PROMPT "New Password:"
-enum {
- PAM_OPT_AUTH_AS_SELF = PAM_OPT_STD_MAX,
- PAM_OPT_CCACHE,
- PAM_OPT_FORWARDABLE,
- PAM_OPT_NO_CCACHE,
- PAM_OPT_REUSE_CCACHE
-};
-
-static struct opttab other_options[] = {
- { "auth_as_self", PAM_OPT_AUTH_AS_SELF },
- { "ccache", PAM_OPT_CCACHE },
- { "forwardable", PAM_OPT_FORWARDABLE },
- { "no_ccache", PAM_OPT_NO_CCACHE },
- { "reuse_ccache", PAM_OPT_REUSE_CCACHE },
- { NULL, 0 }
-};
+#define PAM_OPT_CCACHE "ccache"
+#define PAM_OPT_FORWARDABLE "forwardable"
+#define PAM_OPT_NO_CCACHE "no_ccache"
+#define PAM_OPT_REUSE_CCACHE "reuse_ccache"
 /*
 * authentication management
 */
 PAM_EXTERN int
 pam_sm_authenticate(pam_handle_t *pamh, int flags __unused,
- int argc, const char *argv[])
+ int argc __unused, const char *argv[] __unused)
 {
 krb5_error_code krbret;
 krb5_context pam_context;
@@ -114,16 +103,11 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags __unused,
 krb5_principal princ;
 krb5_ccache ccache;
 krb5_get_init_creds_opt opts;
- struct options options;
 struct passwd *pwd;
 int retval;
 const char *sourceuser, *user, *pass, *service;
 char *principal, *princ_name, *ccache_name, luser[32], *srvdup;
- pam_std_option(&options, other_options, argc, argv);
-
- PAM_LOG("Options processed");
-
 retval = pam_get_user(pamh, &user, USER_PROMPT);
 if (retval != PAM_SUCCESS)
 return (retval);
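Review bot: The new string-valued option macros in the `@@ -84` hunk drop `PAM_OPT_AUTH_AS_SELF`, yet the module still queries it in the `@@ -168` hunk, so that name must now come from the newly included `<security/openpam.h>` (or from `pam_mod_misc.h`); the same holds for `PAM_OPT_NULLOK` in pam_unix.c (`@@ -124`, `@@ -321`, `@@ -338`, `@@ -367`), which is removed from the enum there and not redefined. Neither header is visible here, so this is inferred from the code compiling at all. A one-line comment above the defines would make the dependency explicit, e.g. `/* Module-specific options; common ones (auth_as_self, ...) come from openpam.h. */`.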
@@ -153,7 +137,7 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags __unused,
 krb5_get_init_creds_opt_init(&opts);
- if (pam_test_option(&options, PAM_OPT_FORWARDABLE, NULL))
+ if (openpam_get_option(pamh, PAM_OPT_FORWARDABLE))
 krb5_get_init_creds_opt_set_forwardable(&opts, 1);
 PAM_LOG("Credentials initialised");
@@ -168,7 +152,7 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags __unused,
 PAM_LOG("Done krb5_cc_register()");
 /* Get principal name */
- if (pam_test_option(&options, PAM_OPT_AUTH_AS_SELF, NULL))
+ if (openpam_get_option(pamh, PAM_OPT_AUTH_AS_SELF))
 asprintf(&principal, "%s/%s", sourceuser, user);
 else
 principal = strdup(user);
@@ -288,7 +272,7 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags __unused,
 goto cleanup;
 }
 krbret = verify_krb_v5_tgt(pam_context, ccache, srvdup,
- pam_test_option(&options, PAM_OPT_FORWARDABLE, NULL));
+ openpam_get_option(pamh, PAM_OPT_FORWARDABLE) ? 1 : 0);
 free(srvdup);
 if (krbret == -1) {
 PAM_VERBOSE_ERROR("Kerberos 5 error");
@@ -348,7 +332,7 @@ cleanup3:
 PAM_EXTERN int
 pam_sm_setcred(pam_handle_t *pamh, int flags,
- int argc, const char *argv[])
+ int argc __unused, const char *argv[] __unused)
 {
 krb5_error_code krbret;
@@ -357,19 +341,14 @@ pam_sm_setcred(pam_handle_t *pamh, int flags,
 krb5_creds creds;
 krb5_ccache ccache_temp, ccache_perm;
 krb5_cc_cursor cursor;
- struct options options;
 struct passwd *pwd = NULL;
 int retval;
- char *user;
- char *cache_name, *cache_env_name, *p, *q;
+ const char *cache_name, *q, *user;
+ char *cache_name_buf = NULL, *p;
 uid_t euid;
 gid_t egid;
- pam_std_option(&options, other_options, argc, argv);
-
- PAM_LOG("Options processed");
-
 if (flags & PAM_DELETE_CRED)
 return (PAM_SUCCESS);
@@ -440,10 +419,11 @@ pam_sm_setcred(pam_handle_t *pamh, int flags,
 PAM_LOG("Done setegid() & seteuid()");
 /* Get the cache name */
- cache_name = NULL;
- pam_test_option(&options, PAM_OPT_CCACHE, &cache_name);
- if (cache_name == NULL)
- asprintf(&cache_name, "FILE:/tmp/krb5cc_%d", pwd->pw_uid);
+ cache_name = openpam_get_option(pamh, PAM_OPT_CCACHE);
+ if (cache_name == NULL) {
+ asprintf(&cache_name_buf, "FILE:/tmp/krb5cc_%d", pwd->pw_uid);
+ cache_name = cache_name_buf;
+ }
 p = calloc(PATH_MAX + 16, sizeof(char));
 q = cache_name;
@@ -559,17 +539,9 @@ pam_sm_setcred(pam_handle_t *pamh, int flags,
 PAM_LOG("Cache closed");
- cache_env_name = malloc(strlen(cache_name) + 12);
- if (!cache_env_name) {
- PAM_LOG("Error malloc(): failure");
- krb5_cc_destroy(pam_context, ccache_perm);
- retval = PAM_BUF_ERR;
- goto cleanup2;
- }
-
- sprintf(cache_env_name, "KRB5CCNAME=%s", cache_name);
- if ((retval = pam_putenv(pamh, cache_env_name)) != 0) {
- PAM_LOG("Error pam_putenv(): %s", pam_strerror(pamh, retval));
+ retval = pam_setenv(pamh, "KRB5CCNAME", cache_name, 1);
+ if (retval != PAM_SUCCESS) {
+ PAM_LOG("Error pam_setenv(): %s", pam_strerror(pamh, retval));
 krb5_cc_destroy(pam_context, ccache_perm);
 retval = PAM_SERVICE_ERR;
 goto cleanup2;
@@ -589,6 +561,9 @@ cleanup3:
 PAM_LOG("Done seteuid() & setegid()");
+ if (cache_name_buf != NULL)
+ free(cache_name_buf);
+
 return (retval);
 }
@@ -597,20 +572,15 @@ cleanup3:
 */
 PAM_EXTERN int
 pam_sm_acct_mgmt(pam_handle_t *pamh, int flags __unused,
- int argc, const char *argv[])
+ int argc __unused, const char *argv[] __unused)
 {
 krb5_error_code krbret;
 krb5_context pam_context;
 krb5_ccache ccache;
 krb5_principal princ;
- struct options options;
 int retval;
 const char *user, *ccache_name;
- pam_std_option(&options, other_options, argc, argv);
-
- PAM_LOG("Options processed");
-
 retval = pam_get_item(pamh, PAM_USER, (const void **)&user);
 if (retval != PAM_SUCCESS)
 return (retval);
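Review bot: The `asprintf(&cache_name_buf, ...)` added in the `@@ -440` hunk is unchecked, so on allocation failure `cache_name` takes a pointer whose value is unspecified (NULL with FreeBSD's libc) and the following `q = cache_name;` plus the copy code after it presumably dereference it. The `malloc` path this commit removes in the `@@ -559` hunk did handle that case with `PAM_BUF_ERR`; the new code should keep it, e.g. `if (asprintf(&cache_name_buf, "FILE:/tmp/krb5cc_%d", pwd->pw_uid) == -1) { retval = PAM_BUF_ERR; goto cleanup2; }`, using whichever cleanup label releases exactly what is held at that point (`cleanup2` is only visible further down). The `calloc` for `p` on the next context line is likewise unchecked, though that is pre-existing. Because `cache_name_buf` is freed only after `cleanup3`, any direct `return` between the allocation and that label would leak it; the visible error paths all use `goto`, so that looks fine. pam_sm_setcred begins and ends outside these hunks.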
@@ -673,7 +643,7 @@ cleanup:
 */
 PAM_EXTERN int
 pam_sm_chauthtok(pam_handle_t *pamh, int flags,
- int argc, const char *argv[])
+ int argc __unused, const char *argv[] __unused)
 {
 krb5_error_code krbret;
 krb5_context pam_context;
@@ -681,15 +651,10 @@ pam_sm_chauthtok(pam_handle_t *pamh, int flags,
 krb5_principal princ;
 krb5_get_init_creds_opt opts;
 krb5_data result_code_string, result_string;
- struct options options;
 int result_code, retval;
 const char *user, *pass;
 char *princ_name, *passdup;
- pam_std_option(&options, other_options, argc, argv);
-
- PAM_LOG("Options processed");
-
 if (!(flags & PAM_UPDATE_AUTHTOK))
 return (PAM_AUTHTOK_ERR);
diff --git a/lib/libpam/modules/pam_opie/pam_opie.c b/lib/libpam/modules/pam_opie/pam_opie.c
index c66adf4..07f6f6e 100644
--- a/lib/libpam/modules/pam_opie/pam_opie.c
+++ b/lib/libpam/modules/pam_opie/pam_opie.c
@@ -52,23 +52,13 @@ __FBSDID("$FreeBSD$");
 #include <security/pam_modules.h>
 #include <security/pam_mod_misc.h>
-enum {
- PAM_OPT_AUTH_AS_SELF = PAM_OPT_STD_MAX,
- PAM_OPT_NO_FAKE_PROMPTS
-};
-
-static struct opttab other_options[] = {
- { "auth_as_self", PAM_OPT_AUTH_AS_SELF },
- { "no_fake_prompts", PAM_OPT_NO_FAKE_PROMPTS },
- { NULL, 0 }
-};
+#define PAM_OPT_NO_FAKE_PROMPTS "no_fake_prompts"
 PAM_EXTERN int
 pam_sm_authenticate(pam_handle_t *pamh, int flags __unused,
- int argc, const char *argv[])
+ int argc __unused, const char *argv[] __unused)
 {
 struct opie opie;
- struct options options;
 struct passwd *pwd;
 int retval, i;
 const char *(promptstr[]) = { "%s\nPassword: ", "%s\nPassword [echo on]: "};
@@ -77,12 +67,8 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags __unused,
 char *response;
 int style;
- pam_std_option(&options, other_options, argc, argv);
-
- PAM_LOG("Options processed");
-
 user = NULL;
- if (pam_test_option(&options, PAM_OPT_AUTH_AS_SELF, NULL)) {
+ if (openpam_get_option(pamh, PAM_OPT_AUTH_AS_SELF)) {
 if ((pwd = getpwnam(getlogin())) == NULL)
 return (PAM_AUTH_ERR);
 user = pwd->pw_name;
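Review bot: pam_opie.c starts calling `openpam_get_option()` in the `@@ -77` and `@@ -108` hunks, but unlike pam_krb5.c, which gained `#include <security/openpam.h>`, its include list in the `@@ -52` hunk is unchanged; the same is true of pam_radius.c (`@@ -51`), pam_tacplus.c (`@@ -52`) and pam_unix.c (`@@ -74`). Either `pam_mod_misc.h` already pulls in `openpam.h`, in which case the extra include in pam_krb5.c is redundant, or the other four modules now depend on an implicit declaration of `openpam_get_option`/`openpam_set_option`, which would truncate the returned `const char *` to `int` on 64-bit targets. Adding `#include <security/openpam.h>` after `pam_mod_misc.h` in each of them makes the dependency explicit either way.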
@@ -108,7 +94,7 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags __unused,
 */
 /* XXX generates a const warning because of incorrect prototype */
 if (opiechallenge(&opie, (char *)user, challenge) != 0 &&
- pam_test_option(&options, PAM_OPT_NO_FAKE_PROMPTS, NULL))
+ openpam_get_option(pamh, PAM_OPT_NO_FAKE_PROMPTS))
 return (PAM_AUTH_ERR);
 /*
diff --git a/lib/libpam/modules/pam_radius/pam_radius.c b/lib/libpam/modules/pam_radius/pam_radius.c
index bc09d26..891ea1d 100644
--- a/lib/libpam/modules/pam_radius/pam_radius.c
+++ b/lib/libpam/modules/pam_radius/pam_radius.c
@@ -51,18 +51,9 @@ __FBSDID("$FreeBSD$");
 #include <security/pam_modules.h>
 #include <security/pam_mod_misc.h>
-enum {
- PAM_OPT_CONF = PAM_OPT_STD_MAX,
- PAM_OPT_TEMPLATE_USER,
- PAM_OPT_NAS_ID
-};
-
-static struct opttab other_options[] = {
- { "conf", PAM_OPT_CONF },
- { "template_user", PAM_OPT_TEMPLATE_USER },
- { "nas_id", PAM_OPT_NAS_ID },
- { NULL, 0 }
-};
+#define PAM_OPT_CONF "conf"
+#define PAM_OPT_TEMPLATE_USER "template_user"
+#define PAM_OPT_NAS_ID "nas_id"
 #define MAX_CHALLENGE_MSGS 10
 #define PASSWORD_PROMPT "RADIUS Password:"
@@ -218,25 +209,17 @@ do_challenge(pam_handle_t *pamh, struct rad_handle *radh, const char *user)
 PAM_EXTERN int
 pam_sm_authenticate(pam_handle_t *pamh, int flags __unused,
- int argc, const char *argv[])
+ int argc __unused, const char *argv[] __unused)
 {
- struct options options;
 struct rad_handle *radh;
 const char *user, *tmpuser, *pass;
- char *conf_file, *template_user, *nas_id;
+ const char *conf_file, *template_user, *nas_id;
 int retval;
 int e;
- pam_std_option(&options, other_options, argc, argv);
-
- PAM_LOG("Options processed");
-
- conf_file = NULL;
- pam_test_option(&options, PAM_OPT_CONF, &conf_file);
- template_user = NULL;
- pam_test_option(&options, PAM_OPT_TEMPLATE_USER, &template_user);
- nas_id = NULL;
- pam_test_option(&options, PAM_OPT_NAS_ID, &nas_id);
+ conf_file = openpam_get_option(pamh, PAM_OPT_CONF);
+ template_user = openpam_get_option(pamh, PAM_OPT_TEMPLATE_USER);
+ nas_id = openpam_get_option(pamh, PAM_OPT_NAS_ID);
 retval = pam_get_user(pamh, &user, NULL);
 if (retval != PAM_SUCCESS)
diff --git a/lib/libpam/modules/pam_tacplus/pam_tacplus.c b/lib/libpam/modules/pam_tacplus/pam_tacplus.c
index 19e3185..3a9a249 100644
--- a/lib/libpam/modules/pam_tacplus/pam_tacplus.c
+++ b/lib/libpam/modules/pam_tacplus/pam_tacplus.c
@@ -52,16 +52,8 @@ __FBSDID("$FreeBSD$");
 #include <security/pam_modules.h>
 #include <security/pam_mod_misc.h>
-enum {
- PAM_OPT_CONF = PAM_OPT_STD_MAX,
- PAM_OPT_TEMPLATE_USER
-};
-
-static struct opttab other_options[] = {
- { "conf", PAM_OPT_CONF },
- { "template_user", PAM_OPT_TEMPLATE_USER },
- { NULL, 0 }
-};
+#define PAM_OPT_CONF "conf"
+#define PAM_OPT_TEMPLATE_USER "template_user"
 typedef int (*set_func)(struct tac_handle *, const char *);
@@ -115,22 +107,14 @@ set_msg(struct tac_handle *tach, const char *msg)
 PAM_EXTERN int
 pam_sm_authenticate(pam_handle_t *pamh, int flags __unused,
- int argc, const char *argv[])
+ int argc __unused, const char *argv[] __unused)
 {
- struct options options;
 int retval;
 struct tac_handle *tach;
- char *conf_file;
- char *template_user;
-
- pam_std_option(&options, other_options, argc, argv);
-
- PAM_LOG("Options processed");
+ const char *conf_file, *template_user;
- conf_file = NULL;
- pam_test_option(&options, PAM_OPT_CONF, &conf_file);
- template_user = NULL;
- pam_test_option(&options, PAM_OPT_TEMPLATE_USER, &template_user);
+ conf_file = openpam_get_option(pamh, PAM_OPT_CONF);
+ template_user = openpam_get_option(pamh, PAM_OPT_TEMPLATE_USER);
 tach = tac_open();
 if (tach == NULL) {
@@ -184,8 +168,8 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags __unused,
 return (PAM_AUTHINFO_UNAVAIL);
 }
 status = TAC_AUTHEN_STATUS(sflags);
- if (!TAC_AUTHEN_NOECHO(sflags))
- pam_set_option(&options, PAM_OPT_ECHO_PASS);
+ openpam_set_option(pamh, PAM_OPT_ECHO_PASS,
+ TAC_AUTHEN_NOECHO(sflags) ? NULL : "");
 switch (status) {
 case TAC_AUTHEN_STATUS_PASS:
@@ -245,8 +229,8 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags __unused,
 if ((srvr_msg = get_msg(tach)) == NULL)
 return (PAM_SERVICE_ERR);
 retval = pam_prompt(pamh,
- pam_test_option(&options, PAM_OPT_ECHO_PASS, NULL)
- ? PAM_PROMPT_ECHO_ON : PAM_PROMPT_ECHO_OFF,
+ openpam_get_option(pamh, PAM_OPT_ECHO_PASS) ?
+ PAM_PROMPT_ECHO_ON : PAM_PROMPT_ECHO_OFF,
 &data_msg, "%s", *srvr_msg ? srvr_msg : "Data:");
 free(srvr_msg);
 if (retval != PAM_SUCCESS) {
diff --git a/lib/libpam/modules/pam_unix/pam_unix.c b/lib/libpam/modules/pam_unix/pam_unix.c
index 56cdd1a..5c45425 100644
--- a/lib/libpam/modules/pam_unix/pam_unix.c
+++ b/lib/libpam/modules/pam_unix/pam_unix.c
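Review bot: The `openpam_set_option(pamh, PAM_OPT_ECHO_PASS, TAC_AUTHEN_NOECHO(sflags) ? NULL : "")` call in the `@@ -184` hunk encodes a boolean in the mere presence of the option — an empty string means "echo the reply", NULL removes it — and the `openpam_get_option(...) ? PAM_PROMPT_ECHO_ON : PAM_PROMPT_ECHO_OFF` test in the `@@ -245` hunk relies on that convention, so the call deserves a comment such as `/* option present (even as "") => echo reply; NULL clears it */`. Unlike the removed `pam_set_option` on a stack-local struct, this now writes into the handle, so the setting persists beyond this call and, presumably, each authentication round overrides the previous one; that behaviour change is worth a line in the commit message. The return value is ignored; if setting the option fails the prompt falls back to ECHO_OFF, which is the safer direction, but a `PAM_LOG` on a non-`PAM_SUCCESS` result would aid diagnosis. pam_sm_authenticate continues outside these hunks.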
@@ -74,20 +74,8 @@ static void makesalt(char []);
 static char password_hash[] = PASSWORD_HASH;
-enum {
- PAM_OPT_AUTH_AS_SELF = PAM_OPT_STD_MAX,
- PAM_OPT_NULLOK,
- PAM_OPT_LOCAL_PASS,
- PAM_OPT_NIS_PASS
-};
-
-static struct opttab other_options[] = {
- { "auth_as_self", PAM_OPT_AUTH_AS_SELF },
- { "nullok", PAM_OPT_NULLOK },
- { "local_pass", PAM_OPT_LOCAL_PASS },
- { "nis_pass", PAM_OPT_NIS_PASS },
- { NULL, 0 }
-};
+#define PAM_OPT_LOCAL_PASS "local_pass"
+#define PAM_OPT_NIS_PASS "nis_pass"
 char *tempname = NULL;
@@ -96,19 +84,14 @@ char *tempname = NULL;
 */
 PAM_EXTERN int
 pam_sm_authenticate(pam_handle_t *pamh, int flags __unused,
- int argc, const char *argv[])
+ int argc __unused, const char *argv[] __unused)
 {
 login_cap_t *lc;
- struct options options;
 struct passwd *pwd;
 int retval;
 const char *pass, *user, *realpw, *prompt;
- pam_std_option(&options, other_options, argc, argv);
-
- PAM_LOG("Options processed");
-
- if (pam_test_option(&options, PAM_OPT_AUTH_AS_SELF, NULL)) {
+ if (openpam_get_option(pamh, PAM_OPT_AUTH_AS_SELF)) {
 pwd = getpwnam(getlogin());
 } else {
 retval = pam_get_user(pamh, &user, NULL);
@@ -124,7 +107,7 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags __unused,
 realpw = pwd->pw_passwd;
 if (realpw[0] == '\0') {
 if (!(flags & PAM_DISALLOW_NULL_AUTHTOK) &&
- pam_test_option(&options, PAM_OPT_NULLOK, NULL))
+ openpam_get_option(pamh, PAM_OPT_NULLOK))
 return (PAM_SUCCESS);
 realpw = "*";
 }
@@ -160,10 +143,9 @@ pam_sm_setcred(pam_handle_t *pamh __unused, int flags __unused,
 */
 PAM_EXTERN int
 pam_sm_acct_mgmt(pam_handle_t *pamh, int flags __unused,
- int argc, const char *argv[])
+ int argc __unused, const char *argv[] __unused)
 {
 struct addrinfo hints, *res;
- struct options options;
 struct passwd *pwd;
 struct timeval tp;
 login_cap_t *lc;
@@ -172,10 +154,6 @@ pam_sm_acct_mgmt(pam_handle_t *pamh, int flags __unused,
 const char *rhost, *tty, *user;
 char rhostip[MAXHOSTNAMELEN] = "";
- pam_std_option(&options, other_options, argc, argv);
-
- PAM_LOG("Options processed");
-
 retval = pam_get_user(pamh, &user, NULL);
 if (retval != PAM_SUCCESS)
 return (retval);
@@ -279,13 +257,12 @@ pam_sm_acct_mgmt(pam_handle_t *pamh, int flags __unused,
 */
 PAM_EXTERN int
 pam_sm_chauthtok(pam_handle_t *pamh, int flags,
- int argc, const char *argv[])
+ int argc __unused, const char *argv[] __unused)
 {
 #ifdef YP
 struct ypclnt *ypclnt;
 const char *yp_domain, *yp_server;
 #endif
- struct options options;
 char salt[SALTSIZE + 1];
 login_cap_t * lc;
 struct passwd *pwd, *old_pwd;
@@ -293,11 +270,7 @@ pam_sm_chauthtok(pam_handle_t *pamh, int flags,
 char *encrypted;
 int pfd, tfd, retval;
- pam_std_option(&options, other_options, argc, argv);
-
- PAM_LOG("Options processed");
-
- if (pam_test_option(&options, PAM_OPT_AUTH_AS_SELF, NULL))
+ if (openpam_get_option(pamh, PAM_OPT_AUTH_AS_SELF))
 pwd = getpwnam(getlogin());
 else {
 retval = pam_get_user(pamh, &user, NULL);
@@ -321,7 +294,7 @@ pam_sm_chauthtok(pam_handle_t *pamh, int flags,
 return (pam_set_item(pamh, PAM_OLDAUTHTOK, ""));
 if (pwd->pw_passwd[0] == '\0'
- && pam_test_option(&options, PAM_OPT_NULLOK, NULL)) {
+ && openpam_get_option(pamh, PAM_OPT_NULLOK)) {
 /*
 * No password case. XXX Are we giving too much away
 * by not prompting for a password?
@@ -338,7 +311,7 @@ pam_sm_chauthtok(pam_handle_t *pamh, int flags,
 /* always encrypt first */
 encrypted = crypt(old_pass, pwd->pw_passwd);
 if (old_pass[0] == '\0' &&
- !pam_test_option(&options, PAM_OPT_NULLOK, NULL))
+ !openpam_get_option(pamh, PAM_OPT_NULLOK))
 return (PAM_PERM_DENIED);
 if (strcmp(encrypted, pwd->pw_passwd) != 0)
 return (PAM_PERM_DENIED);
@@ -367,7 +340,7 @@ pam_sm_chauthtok(pam_handle_t *pamh, int flags,
 }
 if (getuid() != 0 && new_pass[0] == '\0' &&
- !pam_test_option(&options, PAM_OPT_NULLOK, NULL))
+ !openpam_get_option(pamh, PAM_OPT_NULLOK))
 return (PAM_PERM_DENIED);
 if ((old_pwd = pw_dup(pwd)) == NULL) |