From c0bbe505388a4e77857e16d5140674897ae09504 Mon Sep 17 00:00:00 2001 
From: des Date: Tue, 5 Mar 2002 21:56:25 +0000 Subject: Switch to OpenPAM. Bump library version. Modules are now versioned, so applications linked with Linux-PAM will still work. Remove pam_get_pass(); OpenPAM has pam_get_authtok(). Remove pam_prompt(); OpenPAM has pam_{,v}{error,info,prompt}(). Remove pam_set_item(3) man page as OpenPAM has its own. Sponsored by: DARPA, NAI Labs --- lib/libpam/Makefile.inc | 2 +- lib/libpam/libpam/Makefile | 202 ++++++++++++++++----------- lib/libpam/libpam/pam_debug_log.c | 7 +- lib/libpam/libpam/pam_get_pass.c | 98 ------------- lib/libpam/libpam/pam_mod_misc.h | 2 - lib/libpam/libpam/pam_prompt.c | 64 --------- lib/libpam/libpam/pam_set_item.3 | 156 --------------------- lib/libpam/libpam/pam_std_option.c | 5 +- lib/libpam/libpam/security/pam_mod_misc.h | 2 - lib/libpam/modules/Makefile | 26 +--- lib/libpam/modules/Makefile.inc | 2 +- lib/libpam/modules/modules.inc | 27 ++++ lib/libpam/modules/pam_deny/Makefile | 2 +- lib/libpam/modules/pam_ftp/Makefile | 2 +- lib/libpam/modules/pam_ftp/pam_ftp.c | 17 +-- lib/libpam/modules/pam_kerberosIV/Makefile | 2 +- lib/libpam/modules/pam_krb5/Makefile | 2 +- lib/libpam/modules/pam_lastlog/Makefile | 2 +- lib/libpam/modules/pam_lastlog/pam_lastlog.c | 15 +- lib/libpam/modules/pam_login_access/Makefile | 2 +- lib/libpam/modules/pam_nologin/Makefile | 2 +- lib/libpam/modules/pam_nologin/pam_nologin.c | 2 +- lib/libpam/modules/pam_opie/Makefile | 2 +- lib/libpam/modules/pam_opie/pam_opie.c | 4 +- lib/libpam/modules/pam_opieaccess/Makefile | 2 +- lib/libpam/modules/pam_permit/Makefile | 2 +- lib/libpam/modules/pam_radius/Makefile | 2 +- lib/libpam/modules/pam_radius/pam_radius.c | 5 +- lib/libpam/modules/pam_rootok/Makefile | 2 +- lib/libpam/modules/pam_securetty/Makefile | 2 +- lib/libpam/modules/pam_self/Makefile | 2 +- lib/libpam/modules/pam_ssh/Makefile | 2 +- lib/libpam/modules/pam_ssh/pam_ssh.c | 3 +- lib/libpam/modules/pam_tacplus/Makefile | 2 +- 
lib/libpam/modules/pam_tacplus/pam_tacplus.c | 11 +- lib/libpam/modules/pam_unix/Makefile | 2 +- lib/libpam/modules/pam_unix/pam_unix.c | 79 +++++------ lib/libpam/modules/pam_wheel/Makefile | 2 +- usr.bin/login/login.c | 6 +- 39 files changed, 240 insertions(+), 531 deletions(-) delete mode 100644 lib/libpam/libpam/pam_get_pass.c delete mode 100644 lib/libpam/libpam/pam_prompt.c delete mode 100644 lib/libpam/libpam/pam_set_item.3 create mode 100644 lib/libpam/modules/modules.inc diff --git a/lib/libpam/Makefile.inc b/lib/libpam/Makefile.inc index e6596a0..eebf440 100644 --- a/lib/libpam/Makefile.inc +++ b/lib/libpam/Makefile.inc @@ -24,7 +24,7 @@ # # $FreeBSD$ -SHLIB_MAJOR= 1 +SHLIB_MAJOR= 2 SHLIB_MINOR= 0 #WARNS?= 4 diff --git a/lib/libpam/libpam/Makefile b/lib/libpam/libpam/Makefile index 42118cc..f74eb92 100644 --- a/lib/libpam/libpam/Makefile +++ b/lib/libpam/libpam/Makefile @@ -1,5 +1,13 @@ -# Copyright 1998 Juniper Networks, Inc. +#- +# Copyright (c) 1998 Juniper Networks, Inc. # All rights reserved. +# Copyright (c) 2002 Networks Associates Technologies, Inc. +# All rights reserved. +# +# Portions of this software was developed for the FreeBSD Project by +# ThinkSec AS and NAI Labs, the Security Research Division of Network +# Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 +# ("CBOSS"), as part of the DARPA CHATS research program. # # Redistribution and use in source and binary forms, with or without # modification, are permitted provided that the following conditions 
@@ -9,6 +17,9 @@ # 2. Redistributions in binary form must reproduce the above copyright # notice, this list of conditions and the following disclaimer in the # documentation and/or other materials provided with the distribution. +# 3. The name of the author may not be used to endorse or promote +# products derived from this software without specific prior written +# permission. # # THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND # ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
@@ -22,110 +33,135 @@ # OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF # SUCH DAMAGE. # -# $FreeBSD$ - -LIBPAM_VERSION_MAJOR= 0 -LIBPAM_VERSION_MINOR= 75 +# $FreeBSD$ +# -PAMDIR= ${.CURDIR}/../../../contrib/libpam -MODOBJDIR= ../modules +OPENPAM = ${.CURDIR}/../../../contrib/openpam -.PATH: ${PAMDIR}/libpam ${PAMDIR}/libpam_misc ${PAMDIR}/doc/man +LIB = pam -LIB= pam -CFLAGS+= -I${PAMDIR}/libpam/include -I${PAMDIR}/libpam_misc/include \ - -I${PAMDIR}/libpamc/include -I. -I${.CURDIR} -CFLAGS+= -DDEFAULT_MODULE_PATH=\"${SHLIBDIR}/\" \ - -DLIBPAM_VERSION_MAJOR=${LIBPAM_VERSION_MAJOR} \ - -DLIBPAM_VERSION_MINOR=${LIBPAM_VERSION_MINOR} -NOPROFILE= yes +CFLAGS += -I${.CURDIR} -I${OPENPAM}/include +CFLAGS += -DLIB_MAJ=${SHLIB_MAJOR} +WARNS ?= 4 -# Files from ${PAMDIR}/libpam: -SRCS= pam_account.c pam_auth.c pam_data.c pam_delay.c \ - pam_dispatch.c pam_end.c pam_env.c pam_handlers.c \ - pam_item.c pam_log.c pam_misc.c pam_password.c \ - pam_second.c pam_session.c pam_start.c \ - pam_strerror.c -HDRS1= _pam_compat.h _pam_macros.h _pam_types.h \ - pam_appl.h pam_malloc.h pam_modules.h -MAN+= pam_authenticate.3 pam_chauthtok.3 pam_fail_delay.3 \ - pam_open_session.3 pam_setcred.3 pam_start.3 \ - pam_strerror.3 -MLINKS+= pam_open_session.3 pam_close_session.3 \ - pam_start.3 pam_end.3 -MAN+= pam.8 -MLINKS+= pam.8 pam.conf.5 pam.8 pam.d.5 +SRCS = +SRCS += openpam_dispatch.c +SRCS += openpam_dynamic.c +SRCS += openpam_findenv.c +SRCS += openpam_get_option.c +SRCS += openpam_load.c +SRCS += openpam_log.c +SRCS += openpam_set_option.c +SRCS += openpam_ttyconv.c +SRCS += pam_acct_mgmt.c +SRCS += pam_authenticate.c +SRCS += pam_chauthtok.c +SRCS += pam_close_session.c +SRCS += pam_end.c +SRCS += pam_error.c +SRCS += pam_get_authtok.c +SRCS += pam_get_data.c +SRCS += pam_get_item.c +SRCS += pam_get_user.c +SRCS += pam_getenv.c +SRCS += pam_getenvlist.c +SRCS += pam_info.c +SRCS += pam_open_session.c +SRCS += pam_prompt.c +SRCS += pam_putenv.c +SRCS += 
pam_set_data.c +SRCS += pam_set_item.c +SRCS += pam_setcred.c +SRCS += pam_setenv.c +SRCS += pam_start.c +SRCS += pam_strerror.c +SRCS += pam_verror.c +SRCS += pam_vinfo.c +SRCS += pam_vprompt.c -# Files from ${PAMDIR}/libpamc: -HDRS0= pam_client.h +MAN = +MAN += openpam_get_option.3 +MAN += openpam_log.3 +MAN += openpam_set_option.3 +MAN += openpam_ttyconv.3 +MAN += pam.3 +MAN += pam_acct_mgmt.3 +MAN += pam_authenticate.3 +MAN += pam_chauthtok.3 +MAN += pam_close_session.3 +MAN += pam_end.3 +MAN += pam_error.3 +MAN += pam_get_authtok.3 +MAN += pam_get_data.3 +MAN += pam_get_item.3 +MAN += pam_get_user.3 +MAN += pam_getenv.3 +MAN += pam_getenvlist.3 +MAN += pam_info.3 +MAN += pam_open_session.3 +MAN += pam_prompt.3 +MAN += pam_putenv.3 +MAN += pam_set_data.3 +MAN += pam_set_item.3 +MAN += pam_setcred.3 +MAN += pam_setenv.3 +MAN += pam_sm_acct_mgmt.3 +MAN += pam_sm_authenticate.3 +MAN += pam_sm_chauthtok.3 +MAN += pam_sm_close_session.3 +MAN += pam_sm_open_session.3 +MAN += pam_sm_setcred.3 +MAN += pam_start.3 +MAN += pam_strerror.3 -# Files from ${PAMDIR}/libpam_misc: -SRCS+= help_env.c misc_conv.c -HDRS2= pam_misc.h +# Local additions +SRCS += pam_debug_log.c +SRCS += pam_std_option.c -# Files from ${.CURDIR}: -SRCS+= pam_get_pass.c pam_prompt.c pam_std_option.c pam_debug_log.c -HDRS3= pam_mod_misc.h -MAN+= pam_set_item.3 -MLINKS+= pam_set_item.3 pam_get_item.3 +HEADERS = +HEADERS += security/openpam.h +HEADERS += security/pam_appl.h +HEADERS += security/pam_constants.h +HEADERS += security/pam_modules.h +HEADERS += security/pam_types.h -# Static PAM modules: -STATIC_MODULES+= ${MODOBJDIR}/pam_deny/libpam_deny.a -STATIC_MODULES+= ${MODOBJDIR}/pam_ftp/libpam_ftp.a -.if defined(MAKE_KERBEROS4) && !defined(NOCRYPT) && !defined(NO_OPENSSL) -STATIC_MODULES+= ${MODOBJDIR}/pam_kerberosIV/libpam_kerberosIV.a -.endif -.if defined(MAKE_KERBEROS5) && !defined(NOCRYPT) && !defined(NO_OPENSSL) -STATIC_MODULES+= ${MODOBJDIR}/pam_krb5/libpam_krb5.a -.endif -STATIC_MODULES+= 
${MODOBJDIR}/pam_lastlog/libpam_lastlog.a -STATIC_MODULES+= ${MODOBJDIR}/pam_login_access/libpam_login_access.a -STATIC_MODULES+= ${MODOBJDIR}/pam_nologin/libpam_nologin.a -STATIC_MODULES+= ${MODOBJDIR}/pam_opie/libpam_opie.a -STATIC_MODULES+= ${MODOBJDIR}/pam_opieaccess/libpam_opieaccess.a -STATIC_MODULES+= ${MODOBJDIR}/pam_permit/libpam_permit.a -STATIC_MODULES+= ${MODOBJDIR}/pam_radius/libpam_radius.a -STATIC_MODULES+= ${MODOBJDIR}/pam_rootok/libpam_rootok.a -STATIC_MODULES+= ${MODOBJDIR}/pam_securetty/libpam_securetty.a -STATIC_MODULES+= ${MODOBJDIR}/pam_self/libpam_self.a -.if !defined(NOCRYPT) && !defined(NO_OPENSSL) && !defined(NO_OPENSSH) -STATIC_MODULES+= ${MODOBJDIR}/pam_ssh/libpam_ssh.a -.endif -STATIC_MODULES+= ${MODOBJDIR}/pam_tacplus/libpam_tacplus.a -STATIC_MODULES+= ${MODOBJDIR}/pam_unix/libpam_unix.a -STATIC_MODULES+= ${MODOBJDIR}/pam_wheel/libpam_wheel.a +ADD_HEADERS = pam_mod_misc.h -STATICOBJS+= pam_static_modules.o -CLEANFILES+= pam_static.o +# Static modules +MODULE_DIR = ../modules +.include "${.CURDIR}/${MODULE_DIR}/modules.inc" +STATIC_MODULES = ${MODULES:C/.*/${MODULE_DIR}\/&\/lib&.a/} +STATICOBJS += openpam_static_modules.o +CLEANFILES += openpam_static.o -_EXTRADEPEND: pam_static.c +_EXTRADEPEND: openpam_static.c ${MKDEPCMD} -f ${DEPENDFILE} -a ${MKDEP} \ ${CFLAGS:M-nostdinc*} ${CFLAGS:M-[BID]*} \ ${.ALLSRC} .if ${OBJFORMAT} == elf -CLEANFILES+= setdef0.o _pam_static_modules.o setdef1.o \ +CLEANFILES+= setdef0.o openpam_static_modules.o setdef1.o \ setdef0.c setdef1.c setdefs.h -pam_static_modules.o: pam_static.o ${STATIC_MODULES} +openpam_static_modules.o: openpam_static.o ${STATIC_MODULES} ${LD} -o ${.TARGET} -r --whole-archive ${.ALLSRC} .else -pam_static_modules.o: pam_static.o ${STATIC_MODULES} +openpam_static_modules.o: openpam_static.o ${STATIC_MODULES} ${LD} -o ${.TARGET} -r -Bforcearchive ${.ALLSRC} .endif +# Headers beforeinstall: - cd ${PAMDIR}/libpamc/include/security; \ - ${INSTALL} -C -o ${BINOWN} -g ${BINGRP} -m 444 \ - 
${HDRS0} ${DESTDIR}/usr/include/security - cd ${PAMDIR}/libpam/include/security; \ - ${INSTALL} -C -o ${BINOWN} -g ${BINGRP} -m 444 \ - ${HDRS1} ${DESTDIR}/usr/include/security - cd ${PAMDIR}/libpam_misc/include/security; \ - ${INSTALL} -C -o ${BINOWN} -g ${BINGRP} -m 444 \ - ${HDRS2} ${DESTDIR}/usr/include/security - cd ${.CURDIR}; \ - ${INSTALL} -C -o ${BINOWN} -g ${BINGRP} -m 444 \ - ${HDRS3} ${DESTDIR}/usr/include/security +.for HEADER in ${HEADERS} + ${INSTALL} -C -o ${BINOWN} -g ${BINGRP} -m 444 \ + ${OPENPAM}/include/${HEADER} ${DESTDIR}/usr/include/${HEADER} +.endfor +.for HEADER in ${ADD_HEADERS} + ${INSTALL} -C -o ${BINOWN} -g ${BINGRP} -m 444 \ + ${.CURDIR}/${HEADER} ${DESTDIR}/usr/include/security/${HEADER} +.endfor .include +.PATH: ${OPENPAM}/include +.PATH: ${OPENPAM}/lib +.PATH: ${OPENPAM}/doc/man diff --git a/lib/libpam/libpam/pam_debug_log.c b/lib/libpam/libpam/pam_debug_log.c index 8ba28b8..14e9b79 100644 --- a/lib/libpam/libpam/pam_debug_log.c +++ b/lib/libpam/libpam/pam_debug_log.c @@ -27,7 +27,6 @@ #include __FBSDID("$FreeBSD$"); -#include #include #include #include @@ -35,7 +34,9 @@ __FBSDID("$FreeBSD$"); #include #include -#include "pam_mod_misc.h" +#include +#include +#include #define FMTBUFSIZ 256 @@ -114,7 +115,7 @@ _pam_verbose_error(pam_handle_t *pamh, struct options *options, va_start(ap, format); asprintf(&fmtbuf, "%s: %s: %s", modname, function, format); vasprintf(&statusmsg, fmtbuf, ap); - pam_prompt(pamh, PAM_ERROR_MSG, statusmsg, NULL); + pam_error(pamh, "%s", statusmsg); free(statusmsg); free(fmtbuf); va_end(ap); diff --git a/lib/libpam/libpam/pam_get_pass.c b/lib/libpam/libpam/pam_get_pass.c deleted file mode 100644 index f47b69b..0000000 --- a/lib/libpam/libpam/pam_get_pass.c +++ /dev/null 
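Review bot: The new `CFLAGS` lines in lib/libpam/libpam/Makefile drop `-DDEFAULT_MODULE_PATH=\"${SHLIBDIR}/\"` and pass only `-DLIB_MAJ=${SHLIB_MAJOR}`, so nothing in this Makefile states which directory the library loads modules from or why the major number is compiled in. For a library that loads code into programs such as login, that belongs in a comment next to the flag, for example `# LIB_MAJ must match the .so.${SHLIB_MAJOR} suffix set in modules/*/Makefile`. Where the module directory now comes from is presumably decided inside contrib/openpam, which is not part of this diff; confirm it before documenting it.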
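Review bot: In the last pam_debug_log.c hunk, `pam_error(pamh, "%s", statusmsg)` is reached without checking either allocation in the context lines above it: if `asprintf` fails, `fmtbuf` is not a usable format for `vasprintf`, and if `vasprintf` fails, `statusmsg` is not a usable string. Test both results and skip the message on failure, e.g. `if (vasprintf(&statusmsg, fmtbuf, ap) != -1) { pam_error(pamh, "%s", statusmsg); free(statusmsg); }` with the same guard around the `asprintf` call. `modname` and `function` are also spliced into a string that is then used as a format, so a `%` in either would be interpreted by `vasprintf`; where they come from is outside the hunk. `_pam_verbose_error` starts and ends outside the hunk.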
@@ -1,98 +0,0 @@
-/*-
- * Copyright 1998 Juniper Networks, Inc.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include
-__FBSDID("$FreeBSD$");
-
-#include
-#include
-#include
-#include "pam_mod_misc.h"
-
-static int pam_conv_pass(pam_handle_t *, const char *, struct options *);
-
-static int
-pam_conv_pass(pam_handle_t *pamh, const char *prompt, struct options *options)
-{
- const struct pam_conv *conv;
- struct pam_message msg;
- const struct pam_message *msgs[1];
- struct pam_response *resp;
- const void *item;
- int retval;
-
- retval = pam_get_item(pamh, PAM_CONV, &item);
- if (retval != PAM_SUCCESS)
- return retval;
- conv = (const struct pam_conv *)item;
- msg.msg_style = pam_test_option(options, PAM_OPT_ECHO_PASS, NULL) ?
- PAM_PROMPT_ECHO_ON : PAM_PROMPT_ECHO_OFF;
- msg.msg = prompt;
- msgs[0] = &msg;
- retval = conv->conv(1, msgs, &resp, conv->appdata_ptr);
- if (retval != PAM_SUCCESS)
- return retval;
- retval = pam_set_item(pamh, PAM_AUTHTOK, resp[0].resp);
- if (retval != PAM_SUCCESS)
- return retval;
- memset(resp[0].resp, 0, strlen(resp[0].resp));
- free(resp[0].resp);
- free(resp);
- return PAM_SUCCESS;
-}
-
-int
-pam_get_pass(pam_handle_t *pamh, const char **passp, const char *prompt,
- struct options *options)
-{
- int retval;
- const void *item = NULL;
-
- /*
- * Grab the already-entered password if we might want to use it.
- */
- if (pam_test_option(options, PAM_OPT_TRY_FIRST_PASS, NULL) ||
- pam_test_option(options, PAM_OPT_USE_FIRST_PASS, NULL)) {
- retval = pam_get_item(pamh, PAM_AUTHTOK, &item);
- if (retval != PAM_SUCCESS)
- return retval;
- }
-
- if (item == NULL) {
- /* The user hasn't entered a password yet. */
- if (pam_test_option(options, PAM_OPT_USE_FIRST_PASS, NULL))
- return PAM_AUTH_ERR;
- /* Use the conversation function to get a password. */
- retval = pam_conv_pass(pamh, prompt, options);
- if (retval != PAM_SUCCESS)
- return retval;
- retval = pam_get_item(pamh, PAM_AUTHTOK, &item);
- if (retval != PAM_SUCCESS)
- return retval;
- }
- *passp = (const char *)item;
- return PAM_SUCCESS;
-}
diff --git a/lib/libpam/libpam/pam_mod_misc.h b/lib/libpam/libpam/pam_mod_misc.h index 611aa72..5a541b2 100644 --- a/lib/libpam/libpam/pam_mod_misc.h +++ b/lib/libpam/libpam/pam_mod_misc.h @@ -54,8 +54,6 @@ struct options { }; __BEGIN_DECLS -int pam_get_pass(pam_handle_t *, const char **, const char *, struct options *); -int pam_prompt(pam_handle_t *, int, const char *, char **); void pam_std_option(struct options *, struct opttab *, int, const char **); int pam_test_option(struct options *, enum opt, char **); void pam_set_option(struct options *, enum opt); diff --git a/lib/libpam/libpam/pam_prompt.c b/lib/libpam/libpam/pam_prompt.c deleted file mode 100644 index 8a463ce..0000000 --- a/lib/libpam/libpam/pam_prompt.c +++ /dev/null 
@@ -1,64 +0,0 @@
-/*-
- * Copyright 1998 Juniper Networks, Inc.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#include
-__FBSDID("$FreeBSD$");
-
-#include
-#include
-#include "pam_mod_misc.h"
-
-/*
- * Do a simple conversation which can consist of a message and/or a user
- * response.
- */
-int
-pam_prompt(pam_handle_t *pamh, int style, const char *prompt, char **user_msg)
-{
- const struct pam_conv *conv;
- struct pam_message msg;
- const struct pam_message *msgs[1];
- struct pam_response *resp;
- const void *item;
- int retval;
-
- retval = pam_get_item(pamh, PAM_CONV, &item);
- if (retval != PAM_SUCCESS)
- return retval;
- conv = (const struct pam_conv *)item;
- msg.msg_style = style;
- msg.msg = prompt != NULL ? prompt : "";
- msgs[0] = &msg;
- retval = conv->conv(1, msgs, &resp, conv->appdata_ptr);
- if (retval != PAM_SUCCESS)
- return retval;
- if (user_msg != NULL)
- *user_msg = resp[0].resp;
- else if (resp[0].resp != NULL)
- free(resp[0].resp);
- free(resp);
- return PAM_SUCCESS;
-}
diff --git a/lib/libpam/libpam/pam_set_item.3 b/lib/libpam/libpam/pam_set_item.3
deleted file mode 100644
index d305a92..0000000
--- a/lib/libpam/libpam/pam_set_item.3
+++ /dev/null
@@ -1,156 +0,0 @@ -.\"- -.\" Copyright (c) 2001 Networks Associates Technologies, Inc. -.\" All rights reserved. -.\" -.\" This software was developed for the FreeBSD Project by ThinkSec AS and -.\" NAI Labs, the Security Research Division of Network Associates, Inc. -.\" under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the -.\" DARPA CHATS research program. -.\" -.\" Redistribution and use in source and binary forms, with or without -.\" modification, are permitted provided that the following conditions -.\" are met: -.\" 1. Redistributions of source code must retain the above copyright -.\" notice, this list of conditions and the following disclaimer. -.\" 2. Redistributions in binary form must reproduce the above copyright -.\" notice, this list of conditions and the following disclaimer in the -.\" documentation and/or other materials provided with the distribution. -.\" 3. The name of the author may not be used to endorse or promote products -.\" derived from this software without specific prior written permission. -.\" -.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND -.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE -.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS -.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT -.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY -.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF -.\" SUCH DAMAGE. 
-.\" -.\" $FreeBSD$ -.\" -.Dd November 27, 2001 -.Dt PAM_SET_ITEM 3 -.Os -.Sh NAME -.Nm pam_set_item , -.Nm pam_get_item -.Nd setting authentication parameters -.Sh LIBRARY -.Lb libpam -.Sh SYNOPSIS -.In security/pam_modules.h -.Ft int -.Fn pam_set_item "pam_handle_t *pamh" "int type" "const void *item" -.Ft int -.Fn pam_get_item "const pam_handle_t *pamh" "int type" "const void **item" -.Sh DESCRIPTION -The -.Fn pam_set_item -and -.Fn pam_get_item -allow applications and modules to store and retrieve a variety of -authentication parameters, or -.Dq items . -Each item is identified by an integer constant. -The following items are defined: -.Bl -tag -width ".Dv PAM_USER_PROMPT" -.It Dv PAM_SERVICE -(string) -The name of the requesting service. -.It Dv PAM_USER -(string) -The name of the user the application wants to authenticate. -.It Dv PAM_USER_PROMPT -(string) -The string which will be used to prompt the user for an authentication -token. -.It Dv PAM_TTY -(string) -The name of the current terminal (for terminal-oriented applications) -or display (for X11 applications). -.It Dv PAM_RUSER -(string) -The name of the requesting user. -.It Dv PAM_RHOST -(string) -The name of the host the requesting user is logging in from. -.It Dv PAM_AUTHTOK -(opaque) -The current authentication token. -This item is only accessible from PAM modules. -.It Dv PAM_OLDAUTHTOK -(opaque) -The expired authentication token. -This item is only accessible from PAM modules. -.It Dv PAM_CONV -.Pq Vt "struct pam_conv" -The current conversation function. -The -.Vt pam_conv -structure is defined as follows: -.Bd -literal -struct pam_conv { - int (*conv)(int num_msg, - const struct pam_message **msg, - struct pam_response **resp, - void *appdata_ptr); - void *appdata_ptr; -}; -.Ed -.It Dv PAM_FAIL_DELAY -.Pq Vt delay_fn -A pointer to a callback function that should be called when a module -wants to introduce a delay after a failed authentication to discourage -brute-force attacks. 
-.El -.Sh RETURN VALUES -The -.Fn pam_set_item -and -.Fn pam_get_item -functions return one of the following values: -.Bl -tag -width ".Dv PAM_SYSTEM_ERR" -.It Dv PAM_SUCCESS -The operation succeeded. -.It Dv PAM_SYSTEM_ERR -The -.Fa pamh -argument was invalid. -.It Dv PAM_BUF_ERR -A call to -.Xr malloc 3 -failed, or the -.Fa item -argument to -.Fn pam_get_item -was -.Dv NULL . -.It Dv PAM_BAD_ITEM -The specified -.Fa item -does not exist or is not accessible to the caller. -.El -.Pp -The -.Xr pam_strerror 3 -function can be used to translate these return codes to descriptive -messages. -.Sh SEE ALSO -.Xr pam_start 3 , -.Xr pam_strerror 3 , -.Xr pam 8 -.Sh STANDARDS -.Rs -.%T "DCE-RFC 86.0" -.%D "October 1995" -.Re -.Pp -Note: the -.Dv PAM_USER_PROMPT -and -.Dv PAM_FAIL_DELAY -items are non-standard extensions. diff --git a/lib/libpam/libpam/pam_std_option.c b/lib/libpam/libpam/pam_std_option.c index d353aee..f0b5649 100644 --- a/lib/libpam/libpam/pam_std_option.c +++ b/lib/libpam/libpam/pam_std_option.c @@ -27,11 +27,12 @@ #include __FBSDID("$FreeBSD$"); -#include #include #include #include -#include "pam_mod_misc.h" + +#include +#include /* Everyone has to have these options. It is not an error to * specify them and then not use them. diff --git a/lib/libpam/libpam/security/pam_mod_misc.h b/lib/libpam/libpam/security/pam_mod_misc.h index 611aa72..5a541b2 100644 --- a/lib/libpam/libpam/security/pam_mod_misc.h +++ b/lib/libpam/libpam/security/pam_mod_misc.h @@ -54,8 +54,6 @@ struct options { }; __BEGIN_DECLS -int pam_get_pass(pam_handle_t *, const char **, const char *, struct options *); -int pam_prompt(pam_handle_t *, int, const char *, char **); void pam_std_option(struct options *, struct opttab *, int, const char **); int pam_test_option(struct options *, enum opt, char **); void pam_set_option(struct options *, enum opt); diff --git a/lib/libpam/modules/Makefile b/lib/libpam/modules/Makefile index 8140e4f..9e7b91b 100644 --- a/lib/libpam/modules/Makefile 
+++ b/lib/libpam/modules/Makefile @@ -24,29 +24,7 @@ # # $FreeBSD$ -SUBDIR+= pam_deny -SUBDIR+= pam_ftp -.if defined(MAKE_KERBEROS4) && !defined(NOCRYPT) && !defined(NO_OPENSSL) -SUBDIR+= pam_kerberosIV -.endif -.if defined(MAKE_KERBEROS5) && !defined(NOCRYPT) && !defined(NO_OPENSSL) -SUBDIR+= pam_krb5 -.endif -SUBDIR+= pam_lastlog -SUBDIR+= pam_login_access -SUBDIR+= pam_nologin -SUBDIR+= pam_opie -SUBDIR+= pam_opieaccess -SUBDIR+= pam_permit -SUBDIR+= pam_radius -SUBDIR+= pam_rootok -SUBDIR+= pam_securetty -SUBDIR+= pam_self -.if !defined(NOCRYPT) && !defined(NO_OPENSSL) && !defined(NO_OPENSSH) -SUBDIR+= pam_ssh -.endif -SUBDIR+= pam_tacplus -SUBDIR+= pam_unix -SUBDIR+= pam_wheel +.include "modules.inc" +SUBDIR = ${MODULES} .include diff --git a/lib/libpam/modules/Makefile.inc b/lib/libpam/modules/Makefile.inc index e4b0072..08a73eb 100644 --- a/lib/libpam/modules/Makefile.inc +++ b/lib/libpam/modules/Makefile.inc @@ -1,6 +1,6 @@ # $FreeBSD$ -PAMDIR= ${.CURDIR}/../../../../contrib/libpam +PAMDIR= ${.CURDIR}/../../../../contrib/openpam INTERNALLIB= yes INTERNALSTATICLIB=yes diff --git a/lib/libpam/modules/modules.inc b/lib/libpam/modules/modules.inc new file mode 100644 index 0000000..c61ec16 --- /dev/null +++ b/lib/libpam/modules/modules.inc @@ -0,0 +1,27 @@ +# $FreeBSD$ + +MODULES = +MODULES += pam_deny +MODULES += pam_ftp +.if defined(MAKE_KERBEROS4) && !defined(NOCRYPT) && !defined(NO_OPENSSL) +MODULES += pam_kerberosIV +.endif +.if defined(MAKE_KERBEROS5) && !defined(NOCRYPT) && !defined(NO_OPENSSL) +MODULES += pam_krb5 +.endif +MODULES += pam_lastlog +MODULES += pam_login_access +MODULES += pam_nologin +MODULES += pam_opie +MODULES += pam_opieaccess +MODULES += pam_permit +MODULES += pam_radius +MODULES += pam_rootok +MODULES += pam_securetty +MODULES += pam_self +.if !defined(NOCRYPT) && !defined(NO_OPENSSL) && !defined(NO_OPENSSH) +MODULES += pam_ssh +.endif +MODULES += pam_tacplus +MODULES += pam_unix +MODULES += pam_wheel 
diff --git a/lib/libpam/modules/pam_deny/Makefile b/lib/libpam/modules/pam_deny/Makefile index 9e07378..adbda34 100644 --- a/lib/libpam/modules/pam_deny/Makefile +++ b/lib/libpam/modules/pam_deny/Makefile @@ -25,7 +25,7 @@ # $FreeBSD$ LIB= pam_deny -SHLIB_NAME= pam_deny.so +SHLIB_NAME= ${LIB}.so.${SHLIB_MAJOR} SRCS= pam_deny.c MAN= pam_deny.8 diff --git a/lib/libpam/modules/pam_ftp/Makefile b/lib/libpam/modules/pam_ftp/Makefile index 78717d4..414325e 100644 --- a/lib/libpam/modules/pam_ftp/Makefile +++ b/lib/libpam/modules/pam_ftp/Makefile @@ -25,7 +25,7 @@ # $FreeBSD$ LIB= pam_ftp -SHLIB_NAME= pam_ftp.so +SHLIB_NAME= ${LIB}.so.${SHLIB_MAJOR} SRCS= pam_ftp.c MAN= pam_ftp.8 diff --git a/lib/libpam/modules/pam_ftp/pam_ftp.c b/lib/libpam/modules/pam_ftp/pam_ftp.c index 75dc62b..b412b3f 100644 --- a/lib/libpam/modules/pam_ftp/pam_ftp.c +++ b/lib/libpam/modules/pam_ftp/pam_ftp.c @@ -56,9 +56,11 @@ __FBSDID("$FreeBSD$"); #include #include -#include - -enum { PAM_OPT_NO_ANON=PAM_OPT_STD_MAX, PAM_OPT_IGNORE, PAM_OPT_USERS }; +enum { + PAM_OPT_NO_ANON = PAM_OPT_STD_MAX, + PAM_OPT_IGNORE, + PAM_OPT_USERS +}; static struct opttab other_options[] = { { "no_anon", PAM_OPT_NO_ANON }, @@ -150,10 +152,9 @@ pam_sm_authenticate(pam_handle_t * pamh, int flags __unused, int argc, const cha PAM_LOG("Doing non-anonymous"); } - retval = pam_prompt(pamh, PAM_PROMPT_ECHO_OFF, prompt, &token); + retval = pam_prompt(pamh, PAM_PROMPT_ECHO_OFF, &token, "%s", prompt); if (retval != PAM_SUCCESS) - PAM_RETURN(retval == PAM_CONV_AGAIN - ? PAM_INCOMPLETE : PAM_AUTHINFO_UNAVAIL); + PAM_RETURN(PAM_AUTHINFO_UNAVAIL); PAM_LOG("Got password"); @@ -173,13 +174,13 @@ pam_sm_authenticate(pam_handle_t * pamh, int flags __unused, int argc, const cha } } } - else + else { PAM_LOG("Ignoring supplied password structure"); + } PAM_LOG("Done anonymous"); retval = PAM_SUCCESS; - } else { pam_set_item(pamh, PAM_AUTHTOK, token); 
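Review bot: In the second pam_ftp.c hunk every `pam_prompt` failure is now returned as `PAM_AUTHINFO_UNAVAIL` and `retval` is dropped without being logged, so a conversation error and an allocation failure cannot be told apart afterwards. Log the code before returning, e.g. `PAM_LOG("pam_prompt failed: %s", pam_strerror(pamh, retval));`, and add a one-line comment saying why the `PAM_CONV_AGAIN` to `PAM_INCOMPLETE` mapping was removed (presumably because OpenPAM does not provide those codes; confirm). `token` holds the cleartext response allocated by the conversation, and the last hunk shows it passed to `pam_set_item` with the result ignored; whether it is cleared and freed on every path is outside the hunks and worth checking. `pam_sm_authenticate` starts and ends outside the hunk.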
diff --git a/lib/libpam/modules/pam_kerberosIV/Makefile b/lib/libpam/modules/pam_kerberosIV/Makefile index c0e4282..f6b288e 100644 --- a/lib/libpam/modules/pam_kerberosIV/Makefile +++ b/lib/libpam/modules/pam_kerberosIV/Makefile @@ -25,7 +25,7 @@ # $FreeBSD$ LIB= pam_kerberosIV -SHLIB_NAME= pam_kerberosIV.so +SHLIB_NAME= ${LIB}.so.${SHLIB_MAJOR} SRCS= pam_kerberosIV.c klogin.c CFLAGS+= -DKERBEROS DPADD= ${LIBKRB} ${LIBCRYPTO} ${LIBCOM_ERR} diff --git a/lib/libpam/modules/pam_krb5/Makefile b/lib/libpam/modules/pam_krb5/Makefile index 0e0cbaf..525358a 100644 --- a/lib/libpam/modules/pam_krb5/Makefile +++ b/lib/libpam/modules/pam_krb5/Makefile @@ -25,7 +25,7 @@ # $FreeBSD$ LIB= pam_krb5 -SHLIB_NAME= pam_krb5.so +SHLIB_NAME= ${LIB}.so.${SHLIB_MAJOR} SRCS= pam_krb5.c DPADD= ${LIBKRB5} ${LIBGSSAPI} ${LIBASN1} ${LIBCRYPTO} ${LIBCRYPT} \ ${LIBCOM_ERR} ${LIBROKEN} diff --git a/lib/libpam/modules/pam_lastlog/Makefile b/lib/libpam/modules/pam_lastlog/Makefile index 84ac3a1..8a516ed 100644 --- a/lib/libpam/modules/pam_lastlog/Makefile +++ b/lib/libpam/modules/pam_lastlog/Makefile @@ -25,7 +25,7 @@ # $FreeBSD$ LIB= pam_lastlog -SHLIB_NAME= pam_lastlog.so +SHLIB_NAME= ${LIB}.so.${SHLIB_MAJOR} SRCS= pam_lastlog.c DPADD= ${LIBUTIL} LDADD= -lutil diff --git a/lib/libpam/modules/pam_lastlog/pam_lastlog.c b/lib/libpam/modules/pam_lastlog/pam_lastlog.c index bf6ff54..acfbda6 100644 --- a/lib/libpam/modules/pam_lastlog/pam_lastlog.c +++ b/lib/libpam/modules/pam_lastlog/pam_lastlog.c @@ -124,7 +124,6 @@ pam_sm_open_session(pam_handle_t *pamh, int flags, int argc, const char **argv) struct utmp utmp; struct lastlog ll; const char *rhost, *user, *tty; - char *buf; off_t llpos; int fd, pam_err; 
@@ -164,22 +163,14 @@ pam_sm_open_session(pam_handle_t *pamh, int flags, int argc, const char **argv) if ((flags & PAM_SILENT) == 0) { if (read(fd, &ll, sizeof(ll)) == sizeof(ll) && ll.ll_time != 0) { - asprintf(&buf, "Last login: %.*s ", 24 - 5, + pam_info(pamh, "Last login: %.*s ", 24 - 5, ctime(&ll.ll_time)); - if (buf != NULL) { - pam_prompt(pamh, PAM_TEXT_INFO, buf, NULL); - free(buf); - } if (*ll.ll_host != '\0') - asprintf(&buf, "from %.*s\n", + pam_info(pamh, "from %.*s\n", (int)sizeof(ll.ll_host), ll.ll_host); else - asprintf(&buf, "on %.*s\n", + pam_info(pamh, "on %.*s\n", (int)sizeof(ll.ll_line), ll.ll_line); - if (buf != NULL) { - pam_prompt(pamh, PAM_TEXT_INFO, buf, NULL); - free(buf); - } } if (lseek(fd, llpos, L_SET) != llpos) goto file_err; diff --git a/lib/libpam/modules/pam_login_access/Makefile b/lib/libpam/modules/pam_login_access/Makefile index 1425123..2235292 100644 --- a/lib/libpam/modules/pam_login_access/Makefile +++ b/lib/libpam/modules/pam_login_access/Makefile @@ -25,7 +25,7 @@ # $FreeBSD$ LIB= pam_login_access -SHLIB_NAME= pam_login_access.so +SHLIB_NAME= ${LIB}.so.${SHLIB_MAJOR} SRCS= pam_login_access.c login_access.c MAN= pam_login_access.8 diff --git a/lib/libpam/modules/pam_nologin/Makefile b/lib/libpam/modules/pam_nologin/Makefile index 8f86525..d907dae 100644 --- a/lib/libpam/modules/pam_nologin/Makefile +++ b/lib/libpam/modules/pam_nologin/Makefile @@ -25,7 +25,7 @@ # $FreeBSD$ LIB= pam_nologin -SHLIB_NAME= pam_nologin.so +SHLIB_NAME= ${LIB}.so.${SHLIB_MAJOR} SRCS= pam_nologin.c DPADD= ${LIBUTIL} LDADD= -lutil diff --git a/lib/libpam/modules/pam_nologin/pam_nologin.c b/lib/libpam/modules/pam_nologin/pam_nologin.c index dbc02dd..5f85b25 100644 --- a/lib/libpam/modules/pam_nologin/pam_nologin.c +++ b/lib/libpam/modules/pam_nologin/pam_nologin.c 
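Review bot: The last-login line is still sent as two separate `pam_info` messages, `"Last login: %.*s "` and then `"from %.*s\n"` or `"on %.*s\n"`, and the formats keep the trailing space and newline of the old concatenated output; how that renders depends on the conversation function, and one that terminates each message itself will show a split line. Since `pam_info` takes a format, each branch can send one message, e.g. `pam_info(pamh, "Last login: %.*s from %.*s", 24 - 5, ctime(&ll.ll_time), (int)sizeof(ll.ll_host), ll.ll_host);` with the matching `on %.*s` form in the `else`. Keep the `%.*s` bounds on `ll_host` and `ll_line`, because those fixed-size fields come straight from the record read above and need not be NUL-terminated. `pam_sm_open_session` starts and ends outside the hunk.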
@@ -108,7 +108,7 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags __unused, int argc, const char if (mtmp != NULL) { read(fd, mtmp, st.st_size); mtmp[st.st_size] = '\0'; - pam_prompt(pamh, PAM_ERROR_MSG, mtmp, NULL); + pam_error(pamh, "%s", mtmp, NULL); free(mtmp); } diff --git a/lib/libpam/modules/pam_opie/Makefile b/lib/libpam/modules/pam_opie/Makefile index 704f2f6..330b4cc 100644 --- a/lib/libpam/modules/pam_opie/Makefile +++ b/lib/libpam/modules/pam_opie/Makefile @@ -26,7 +26,7 @@ # $FreeBSD$ LIB= pam_opie -SHLIB_NAME= pam_opie.so +SHLIB_NAME= ${LIB}.so.${SHLIB_MAJOR} SRCS= pam_opie.c DPADD= ${LIBOPIE} LDADD= -lopie diff --git a/lib/libpam/modules/pam_opie/pam_opie.c b/lib/libpam/modules/pam_opie/pam_opie.c index cee5985..324d6eb 100644 --- a/lib/libpam/modules/pam_opie/pam_opie.c +++ b/lib/libpam/modules/pam_opie/pam_opie.c @@ -78,7 +78,7 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags __unused, int argc, const char char challenge[OPIE_CHALLENGE_MAX]; char prompt[OPIE_CHALLENGE_MAX+22]; char resp[OPIE_SECRET_MAX]; - const char *user; + char *user; const char *response; pam_std_option(&options, other_options, argc, argv); @@ -124,7 +124,7 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags __unused, int argc, const char for (i = 0; i < 2; i++) { snprintf(prompt, sizeof prompt, promptstr[i], challenge); - retval = pam_get_pass(pamh, &response, prompt, &options); + retval = pam_get_authtok(pamh, &response, prompt); if (retval != PAM_SUCCESS) { opieunlock(); PAM_RETURN(retval); diff --git a/lib/libpam/modules/pam_opieaccess/Makefile b/lib/libpam/modules/pam_opieaccess/Makefile index 68f7863..2be222c 100644 --- a/lib/libpam/modules/pam_opieaccess/Makefile +++ b/lib/libpam/modules/pam_opieaccess/Makefile @@ -1,7 +1,7 @@ # $FreeBSD$ LIB= pam_opieaccess -SHLIB_NAME= ${LIB}.so +SHLIB_NAME= ${LIB}.so.${SHLIB_MAJOR} SRCS= ${LIB}.c DPADD= ${LIBOPIE} LDADD= -lopie 
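Review bot: In pam_nologin.c's pam_sm_authenticate, the new `pam_error(pamh, "%s", mtmp, NULL);` still carries the trailing `NULL` that pam_prompt() needed; with a `"%s"` format it is an unused argument and should be dropped: `pam_error(pamh, "%s", mtmp);`. Keeping the explicit `"%s"` is right, because the nologin file's contents must never be interpreted as a format string. Separately, the `read(fd, mtmp, st.st_size)` in the context line above is unchecked, so after a short or failed read the displayed buffer is only partly initialised. Terminating the buffer at the number of bytes actually read (and treating a negative result as zero) would avoid that. The function body continues outside the hunk.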
diff --git a/lib/libpam/modules/pam_permit/Makefile b/lib/libpam/modules/pam_permit/Makefile index 6d797b4..e549b03 100644 --- a/lib/libpam/modules/pam_permit/Makefile +++ b/lib/libpam/modules/pam_permit/Makefile @@ -25,7 +25,7 @@ # $FreeBSD$ LIB= pam_permit -SHLIB_NAME= pam_permit.so +SHLIB_NAME= ${LIB}.so.${SHLIB_MAJOR} SRCS= pam_permit.c MAN= pam_permit.8 diff --git a/lib/libpam/modules/pam_radius/Makefile b/lib/libpam/modules/pam_radius/Makefile index 0121f10..be084b2 100644 --- a/lib/libpam/modules/pam_radius/Makefile +++ b/lib/libpam/modules/pam_radius/Makefile @@ -25,7 +25,7 @@ # $FreeBSD$ LIB= pam_radius -SHLIB_NAME= pam_radius.so +SHLIB_NAME= ${LIB}.so.${SHLIB_MAJOR} SRCS= pam_radius.c DPADD= ${LIBRADIUS} LDADD= -lradius diff --git a/lib/libpam/modules/pam_radius/pam_radius.c b/lib/libpam/modules/pam_radius/pam_radius.c index bf23854..80e767e 100644 --- a/lib/libpam/modules/pam_radius/pam_radius.c +++ b/lib/libpam/modules/pam_radius/pam_radius.c @@ -237,7 +237,7 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags __unused, int argc, const char PAM_LOG("Got user: %s", user); - retval = pam_get_pass(pamh, &pass, PASSWORD_PROMPT, &options); + retval = pam_get_authtok(pamh, &pass, PASSWORD_PROMPT); if (retval != PAM_SUCCESS) PAM_RETURN(retval); @@ -285,7 +285,8 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags __unused, int argc, const char * to the value given in the "template_user" * option. */ - retval = pam_get_item(pamh, PAM_USER, &tmpuser); + retval = pam_get_item(pamh, PAM_USER, + (const void **)&tmpuser); if (retval != PAM_SUCCESS) PAM_RETURN(retval); if (getpwnam(tmpuser) == NULL) { diff --git a/lib/libpam/modules/pam_rootok/Makefile b/lib/libpam/modules/pam_rootok/Makefile index 948c0299..809bae1 100644 --- a/lib/libpam/modules/pam_rootok/Makefile +++ b/lib/libpam/modules/pam_rootok/Makefile @@ -25,7 +25,7 @@ # $FreeBSD$ LIB= pam_rootok -SHLIB_NAME= pam_rootok.so +SHLIB_NAME= ${LIB}.so.${SHLIB_MAJOR} SRCS= pam_rootok.c MAN= pam_rootok.8 
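Review bot: In pam_radius.c's second hunk, `(const void **)&tmpuser` silences the compiler by reinterpreting the address of a character pointer as the address of a `const void *`, which would also hide any future type mismatch on tmpuser (its declaration is outside the hunk). A typed temporary is cleaner: declare `const void *item;`, call `retval = pam_get_item(pamh, PAM_USER, &item);`, then assign `tmpuser = item;`. It is also worth rejecting a NULL item before `getpwnam(tmpuser)`, since a successful pam_get_item() presumably does not guarantee the item was ever set.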
diff --git a/lib/libpam/modules/pam_securetty/Makefile b/lib/libpam/modules/pam_securetty/Makefile index 764dfb0..bdecfde 100644 --- a/lib/libpam/modules/pam_securetty/Makefile +++ b/lib/libpam/modules/pam_securetty/Makefile @@ -25,7 +25,7 @@ # $FreeBSD$ LIB= pam_securetty -SHLIB_NAME= pam_securetty.so +SHLIB_NAME= ${LIB}.so.${SHLIB_MAJOR} SRCS= pam_securetty.c MAN= pam_securetty.8 diff --git a/lib/libpam/modules/pam_self/Makefile b/lib/libpam/modules/pam_self/Makefile index a607808..985dd4e 100644 --- a/lib/libpam/modules/pam_self/Makefile +++ b/lib/libpam/modules/pam_self/Makefile @@ -25,7 +25,7 @@ # $FreeBSD$ LIB= pam_self -SHLIB_NAME= pam_self.so +SHLIB_NAME= ${LIB}.so.${SHLIB_MAJOR} SRCS= pam_self.c MAN= pam_self.8 diff --git a/lib/libpam/modules/pam_ssh/Makefile b/lib/libpam/modules/pam_ssh/Makefile index 00d74f5..945bb4c 100644 --- a/lib/libpam/modules/pam_ssh/Makefile +++ b/lib/libpam/modules/pam_ssh/Makefile @@ -4,7 +4,7 @@ SSHSRC= ${.CURDIR}/../../../../crypto/openssh LIB= pam_ssh -SHLIB_NAME= pam_ssh.so +SHLIB_NAME= ${LIB}.so.${SHLIB_MAJOR} SRCS= pam_ssh.c CFLAGS+= -I${SSHSRC} DPADD= ${LIBSSH} ${LIBCRYPTO} ${LIBCRYPT} ${LIBUTIL} diff --git a/lib/libpam/modules/pam_ssh/pam_ssh.c b/lib/libpam/modules/pam_ssh/pam_ssh.c index e17d164..9c5a5d6 100644 --- a/lib/libpam/modules/pam_ssh/pam_ssh.c +++ b/lib/libpam/modules/pam_ssh/pam_ssh.c @@ -49,6 +49,7 @@ __FBSDID("$FreeBSD$"); #include #include #include +#include #include #define PAM_SM_AUTH @@ -199,7 +200,7 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags __unused, int argc, const char * Pass prompt message to application and receive * passphrase. */ - retval = pam_get_pass(pamh, &pass, NEED_PASSPHRASE, &options); + retval = pam_get_authtok(pamh, &pass, NEED_PASSPHRASE); if (retval != PAM_SUCCESS) PAM_RETURN(retval); OpenSSL_add_all_algorithms(); /* required for DSA */ diff --git a/lib/libpam/modules/pam_tacplus/Makefile b/lib/libpam/modules/pam_tacplus/Makefile index 0d6daaa..5c5deb5 100644 
--- a/lib/libpam/modules/pam_tacplus/Makefile +++ b/lib/libpam/modules/pam_tacplus/Makefile @@ -25,7 +25,7 @@ # $FreeBSD$ LIB= pam_tacplus -SHLIB_NAME= pam_tacplus.so +SHLIB_NAME= ${LIB}.so.${SHLIB_MAJOR} SRCS= pam_tacplus.c DPADD= ${LIBTACPLUS} LDADD= -ltacplus diff --git a/lib/libpam/modules/pam_tacplus/pam_tacplus.c b/lib/libpam/modules/pam_tacplus/pam_tacplus.c index d56aa32..b2b5c0d 100644 --- a/lib/libpam/modules/pam_tacplus/pam_tacplus.c +++ b/lib/libpam/modules/pam_tacplus/pam_tacplus.c @@ -228,9 +228,9 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags __unused, int argc, retval = pam_get_user(pamh, &user_msg, srvr_msg[0] != '\0' ? srvr_msg : NULL); else if (status == TAC_AUTHEN_STATUS_GETPASS) - retval = pam_get_pass(pamh, &user_msg, + retval = pam_get_authtok(pamh, &user_msg, srvr_msg[0] != '\0' ? srvr_msg : - "Password:", &options); + "Password:"); free(srvr_msg); if (retval != PAM_SUCCESS) { /* XXX - send a TACACS+ abort packet */ @@ -246,9 +246,10 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags __unused, int argc, PAM_RETURN(PAM_SERVICE_ERR); retval = pam_prompt(pamh, pam_test_option(&options, PAM_OPT_ECHO_PASS, NULL) - ? PAM_PROMPT_ECHO_ON : PAM_PROMPT_ECHO_OFF, - srvr_msg[0] != '\0' ? srvr_msg : "Data:", - &data_msg); + ? PAM_PROMPT_ECHO_ON : PAM_PROMPT_ECHO_OFF, + &data_msg, + "%s", + srvr_msg[0] != '\0' ? srvr_msg : "Data:"); free(srvr_msg); if (retval != PAM_SUCCESS) { /* XXX - send a TACACS+ abort packet */ diff --git a/lib/libpam/modules/pam_unix/Makefile b/lib/libpam/modules/pam_unix/Makefile index 8365ab5..5f2923d 100644 --- a/lib/libpam/modules/pam_unix/Makefile +++ b/lib/libpam/modules/pam_unix/Makefile @@ -25,7 +25,7 @@ # $FreeBSD$ LIB= pam_unix -SHLIB_NAME= pam_unix.so +SHLIB_NAME= ${LIB}.so.${SHLIB_MAJOR} SRCS= pam_unix.c pw_copy.c pw_yp.c pw_util.c ypxfr_misc.c ${GENSRCS} CFLAGS= -DYP -Dyp_error=warnx \ -I${.OBJDIR} \ 
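Review bot: In pam_tacplus.c, the first hunk passes `srvr_msg`, which is text received from the TACACS+ server, to pam_get_authtok() as the prompt, while the second hunk passes the same kind of string to pam_prompt() behind an explicit `"%s"`. Whether pam_get_authtok() (and pam_get_user() in the context line above it) treats its prompt as a literal string or as a format is not visible here and should be confirmed. I would add a comment at the call such as `/* prompt is server-supplied: must be passed as data, never as a format */`. If either function does format its prompt, the message has to be escaped or replaced by a fixed prompt before the call. pam_sm_authenticate starts and ends outside both hunks.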
diff --git a/lib/libpam/modules/pam_unix/pam_unix.c b/lib/libpam/modules/pam_unix/pam_unix.c index e794ef9..c1ac813 100644 --- a/lib/libpam/modules/pam_unix/pam_unix.c +++ b/lib/libpam/modules/pam_unix/pam_unix.c @@ -162,8 +162,7 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags __unused, int argc, const char PAM_RETURN(PAM_SUCCESS); } else { - retval = pam_get_pass(pamh, &pass, password_prompt, - &options); + retval = pam_get_authtok(pamh, &pass, password_prompt); if (retval != PAM_SUCCESS) PAM_RETURN(retval); PAM_LOG("Got password"); @@ -186,8 +185,7 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags __unused, int argc, const char * User unknown. * Encrypt a dummy password so as to not give away too much. */ - retval = pam_get_pass(pamh, &pass, password_prompt, - &options); + retval = pam_get_authtok(pamh, &pass, password_prompt); if (retval != PAM_SUCCESS) PAM_RETURN(retval); PAM_LOG("Got password"); @@ -232,7 +230,6 @@ pam_sm_acct_mgmt(pam_handle_t *pamh, int flags __unused, int argc, const char ** int retval; const char *rhost, *tty, *user; char rhostip[MAXHOSTNAMELEN]; - char buf[128]; pam_std_option(&options, other_options, argc, argv); @@ -283,10 +280,8 @@ pam_sm_acct_mgmt(pam_handle_t *pamh, int flags __unused, int argc, const char ** PAM_RETURN(PAM_ACCT_EXPIRED); } else if (pwd->pw_expire - tp.tv_sec < warntime && (flags & PAM_SILENT) == 0) { - snprintf(buf, sizeof(buf), - "Warning: your account expires on %s", + pam_error(pamh, "Warning: your account expires on %s", ctime(&pwd->pw_expire)); - pam_prompt(pamh, PAM_ERROR_MSG, buf, NULL); } } @@ -298,10 +293,8 @@ pam_sm_acct_mgmt(pam_handle_t *pamh, int flags __unused, int argc, const char ** retval = PAM_NEW_AUTHTOK_REQD; } else if (pwd->pw_change - tp.tv_sec < warntime && (flags & PAM_SILENT) == 0) { - snprintf(buf, sizeof(buf), - "Warning: your password expires on %s", + pam_error(pamh, "Warning: your password expires on %s", ctime(&pwd->pw_change)); - pam_prompt(pamh, PAM_ERROR_MSG, buf, NULL); } } 
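Review bot: In pam_unix.c's pam_sm_acct_mgmt, both new pam_error() calls (account expiry in the `-283` hunk, password expiry in the `-298` hunk) pass the result of ctime() straight to `%s` without checking it. ctime() may return NULL for a time it cannot represent, and its string ends in a newline that now becomes part of the message handed to the conversation function. A bounded format such as `"Warning: your account expires on %.24s"` drops the newline, in the same way pam_lastlog.c bounds its ctime() output in this commit. A NULL check on the ctime() result before the call closes the other gap. The function starts and ends outside these hunks.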
@@ -410,8 +403,8 @@ pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, const char **argv) PAM_RETURN(PAM_SUCCESS); } else { - retval = pam_get_pass(pamh, &pass, - PASSWORD_PROMPT_EXPIRED, &options); + retval = pam_get_authtok(pamh, &pass, + PASSWORD_PROMPT_EXPIRED); if (retval != PAM_SUCCESS) PAM_RETURN(retval); PAM_LOG("Got password: %s", pass); @@ -456,7 +449,7 @@ pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, const char **argv) while (retry++ < MAX_TRIES) { new_pass = NULL; retval = pam_prompt(pamh, PAM_PROMPT_ECHO_OFF, - NEW_PASSWORD_PROMPT_1, &new_pass); + &new_pass, "%s", NEW_PASSWORD_PROMPT_1); if (new_pass == NULL) new_pass = strdup(""); @@ -464,7 +457,7 @@ pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, const char **argv) if (retval == PAM_SUCCESS) { new_pass_ = NULL; retval = pam_prompt(pamh, PAM_PROMPT_ECHO_OFF, - NEW_PASSWORD_PROMPT_2, &new_pass_); + &new_pass_, "%s", NEW_PASSWORD_PROMPT_2); if (new_pass_ == NULL) new_pass_ = strdup(""); @@ -605,13 +598,13 @@ local_passwd(const char *user, const char *pass) * Copyright (c) 1995 Bill Paul */ int -yp_passwd(const char *user, const char *pass) +yp_passwd(const char *user __unused, const char *pass) { - struct master_yppasswd master_yppasswd; + struct master_yppasswd master_yppwd; struct passwd *pwd; struct rpc_err err; struct timeval tv; - struct yppasswd yppasswd; + struct yppasswd yppwd; CLIENT *clnt; login_cap_t *lc; int *status; 
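Review bot: In pam_sm_chauthtok, the context line right after the new pam_get_authtok() call, `PAM_LOG("Got password: %s", pass);`, sends the user's current cleartext password to wherever PAM_LOG writes (presumably the debug log). The two equivalent places in pam_sm_authenticate shown earlier in this diff log only `PAM_LOG("Got password");`, and this line should be changed to match. Until it is, any log collected with debugging enabled for this module should be handled as containing credentials. The function continues outside the hunk.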
@@ -640,29 +633,29 @@ yp_passwd(const char *user, const char *pass) /* Initialize password information */ if (suser_override) { - master_yppasswd.newpw.pw_passwd = strdup(pwd->pw_passwd); - master_yppasswd.newpw.pw_name = strdup(pwd->pw_name); - master_yppasswd.newpw.pw_uid = pwd->pw_uid; - master_yppasswd.newpw.pw_gid = pwd->pw_gid; - master_yppasswd.newpw.pw_expire = pwd->pw_expire; - master_yppasswd.newpw.pw_change = pwd->pw_change; - master_yppasswd.newpw.pw_fields = pwd->pw_fields; - master_yppasswd.newpw.pw_gecos = strdup(pwd->pw_gecos); - master_yppasswd.newpw.pw_dir = strdup(pwd->pw_dir); - master_yppasswd.newpw.pw_shell = strdup(pwd->pw_shell); - master_yppasswd.newpw.pw_class = pwd->pw_class != NULL ? + master_yppwd.newpw.pw_passwd = strdup(pwd->pw_passwd); + master_yppwd.newpw.pw_name = strdup(pwd->pw_name); + master_yppwd.newpw.pw_uid = pwd->pw_uid; + master_yppwd.newpw.pw_gid = pwd->pw_gid; + master_yppwd.newpw.pw_expire = pwd->pw_expire; + master_yppwd.newpw.pw_change = pwd->pw_change; + master_yppwd.newpw.pw_fields = pwd->pw_fields; + master_yppwd.newpw.pw_gecos = strdup(pwd->pw_gecos); + master_yppwd.newpw.pw_dir = strdup(pwd->pw_dir); + master_yppwd.newpw.pw_shell = strdup(pwd->pw_shell); + master_yppwd.newpw.pw_class = pwd->pw_class != NULL ? 
strdup(pwd->pw_class) : strdup(""); - master_yppasswd.oldpass = strdup(""); - master_yppasswd.domain = yp_domain; + master_yppwd.oldpass = strdup(""); + master_yppwd.domain = yp_domain; } else { - yppasswd.newpw.pw_passwd = strdup(pwd->pw_passwd); - yppasswd.newpw.pw_name = strdup(pwd->pw_name); - yppasswd.newpw.pw_uid = pwd->pw_uid; - yppasswd.newpw.pw_gid = pwd->pw_gid; - yppasswd.newpw.pw_gecos = strdup(pwd->pw_gecos); - yppasswd.newpw.pw_dir = strdup(pwd->pw_dir); - yppasswd.newpw.pw_shell = strdup(pwd->pw_shell); - yppasswd.oldpass = strdup(""); + yppwd.newpw.pw_passwd = strdup(pwd->pw_passwd); + yppwd.newpw.pw_name = strdup(pwd->pw_name); + yppwd.newpw.pw_uid = pwd->pw_uid; + yppwd.newpw.pw_gid = pwd->pw_gid; + yppwd.newpw.pw_gecos = strdup(pwd->pw_gecos); + yppwd.newpw.pw_dir = strdup(pwd->pw_dir); + yppwd.newpw.pw_shell = strdup(pwd->pw_shell); + yppwd.oldpass = strdup(""); } if (login_setcryptfmt(lc, "md5", NULL) == NULL) @@ -680,9 +673,9 @@ yp_passwd(const char *user, const char *pass) salt[27] = '\0'; if (suser_override) - master_yppasswd.newpw.pw_passwd = crypt(pass, salt); + master_yppwd.newpw.pw_passwd = crypt(pass, salt); else - yppasswd.newpw.pw_passwd = crypt(pass, salt); + yppwd.newpw.pw_passwd = crypt(pass, salt); if (suser_override) { if ((clnt = clnt_create(sockname, MASTER_YPPASSWDPROG, @@ -711,9 +704,9 @@ yp_passwd(const char *user, const char *pass) clnt->cl_auth = authunix_create_default(); if (suser_override) - status = yppasswdproc_update_master_1(&master_yppasswd, clnt); + status = yppasswdproc_update_master_1(&master_yppwd, clnt); else - status = yppasswdproc_update_1(&yppasswd, clnt); + status = yppasswdproc_update_1(&yppwd, clnt); clnt_geterr(clnt, &err); diff --git a/lib/libpam/modules/pam_wheel/Makefile b/lib/libpam/modules/pam_wheel/Makefile index b889a18..b09e115 100644 --- a/lib/libpam/modules/pam_wheel/Makefile +++ b/lib/libpam/modules/pam_wheel/Makefile 
@@ -25,7 +25,7 @@ # $FreeBSD$ LIB= pam_wheel -SHLIB_NAME= pam_wheel.so +SHLIB_NAME= ${LIB}.so.${SHLIB_MAJOR} SRCS= pam_wheel.c MAN= pam_wheel.8 diff --git a/usr.bin/login/login.c b/usr.bin/login/login.c index b6a6c2b..c821319 100644 --- a/usr.bin/login/login.c +++ b/usr.bin/login/login.c @@ -77,7 +77,7 @@ __FBSDID("$FreeBSD$"); #include #include -#include +#include #include "login.h" #include "pathnames.h" @@ -154,7 +154,7 @@ static char *tty; * PAM data */ static pam_handle_t *pamh = NULL; -static struct pam_conv pamc = { misc_conv, NULL }; +static struct pam_conv pamc = { openpam_ttyconv, NULL }; static int pam_err; static int pam_silent = PAM_SILENT; static int pam_cred_established; @@ -513,7 +513,7 @@ main(int argc, char *argv[]) /* * We're done with PAM now; our parent will deal with the rest. */ - pam_end(pamh, PAM_DATA_SILENT); + pam_end(pamh, 0); pamh = NULL; /* -- cgit v1.1
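Review bot: In login.c's last hunk, `pam_end(pamh, 0)` replaces `PAM_DATA_SILENT` on a path whose own comment says the parent will deal with the rest, and nothing records why the flag could be dropped. With a plain 0 status, module data cleanup presumably runs in this process as for a normal teardown. Whether any loaded module's cleanup has side effects the parent still depends on is not visible here and should be checked. If the reason is simply that the new library has no equivalent flag, a comment would make that explicit: `/* status 0: no PAM_DATA_SILENT equivalent; module data cleanup also runs in this process */`. main() extends well beyond the hunk.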