Diffstat (limited to 'modules/pam_unix/pam_unix.c')
-rw-r--r--modules/pam_unix/pam_unix.c36
1 files changed, 19 insertions, 17 deletions
diff --git a/modules/pam_unix/pam_unix.c b/modules/pam_unix/pam_unix.c
index b859512..54b6f12 100644
--- a/modules/pam_unix/pam_unix.c
+++ b/modules/pam_unix/pam_unix.c
@@ -2,7 +2,7 @@
#include <pwd.h>
#include <netdb.h>
-/*#include <shadow.h> */
+#include <shadow.h>
#include <sys/types.h>
#include <unistd.h>
#include <time.h>
@@ -22,6 +22,11 @@
#endif
+#define PASSWORD_HASH "md5"
+#define DEFAULT_WARN (2L * 7L * 86400L) /* two weeks */
+#define SALTSIZE 32
+
+
#include <security/pam_modules.h>
#include <security/pam_appl.h>
#include <security/pam_mod_misc.h>
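Review bot: `PASSWORD_HASH` is hard-coded to "md5", and md5-crypt is too cheap to compute to be a good default for newly stored password hashes. Where the macro is consumed is not visible in this hunk, so it is unclear whether an administrator can override it. If not, a comment such as `/* default only; md5-crypt is weak, prefer a scheme chosen via module option */` and an option to select the scheme would make the limitation explicit. Hashes produced under this default should be treated as needing re-hashing once a stronger scheme is available.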
@@ -61,7 +66,7 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags,
if (pwd != NULL) {
PAM_LOG("Doing real authentication");
- pass = pwd->sp_pwdp;
+ pass = pwd->pw_passwd;
if (pass[0] == '\0') {
if (!(flags & PAM_DISALLOW_NULL_AUTHTOK) &&
openpam_get_option(pamh, PAM_OPT_NULLOK)){
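Review bot: `pass[0]` is read straight after `pass = pwd->pw_passwd;` with no check that the field is non-NULL, so a malformed or backend-supplied entry with a missing password field would crash the module inside the authentication path; `if (pass == NULL) return (PAM_AUTH_ERR);` before the empty-string test would fail closed. Separately, the commit enables `<shadow.h>` but moves this check from `sp_pwdp` to `pw_passwd`. On hosts that keep hashes in the shadow database, `pw_passwd` normally holds a placeholder rather than the hash, so the null-password test and the later comparison would be made against the wrong field. How `pwd` is obtained lies outside the hunk, so this should be confirmed against the lookup call.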
@@ -96,10 +101,10 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags,
if (pam_err != PAM_SUCCESS)
return (PAM_AUTH_ERR);
- /* check shadow */
+ /* check passwd entry */
- crypt_pass = crypt(pass, pwd->sp_pwdp);
- if ( strcmp(crypt_pass, pwd->sp_pwdp) != 0 ) {
+ crypt_pass = crypt(pass, pwd->pw_passwd);
+ if ( strcmp(crypt_pass, pwd->pw_passwd) != 0 ) {
PAM_ERROR("Wrong password. Authentication failed.");
pam_err = PAM_AUTH_ERR;
} else {
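Review bot: The result of `crypt()` is passed to `strcmp()` unchecked, but `crypt()` returns NULL on failure (for example when the stored field is not a salt it recognises), which would dereference a null pointer in the login path. The comparison should fail closed: `if (crypt_pass == NULL || strcmp(crypt_pass, pwd->pw_passwd) != 0) {`. The rest of pam_sm_authenticate is outside the hunk.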
@@ -138,7 +143,7 @@ pam_sm_acct_mgmt(pam_handle_t *pamh, int flags ,
login_cap_t *lc;
#endif
- struct passwd *pwd;
+ struct spwd *pwd;
int pam_err;
const char *user;
time_t curtime;
@@ -188,7 +193,7 @@ pam_sm_acct_mgmt(pam_handle_t *pamh, int flags ,
}
#endif
- /* Check if pw_lstchg or pw_expire is set */
+ /* Check if pw_lstchg or sp_expire is set */
if (pwd->sp_lstchg || pwd->sp_expire)
curtime = time(NULL) / (60 * 60 * 24);
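Review bot: The updated comment is only half renamed: it still says `pw_lstchg` while the condition below tests `pwd->sp_lstchg`. It should read `/* Check if sp_lstchg or sp_expire is set */`. It would also help to state in that comment that `curtime` is deliberately converted to days since the epoch, because the shadow fields it is compared with are day counts.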
@@ -198,9 +203,9 @@ pam_sm_acct_mgmt(pam_handle_t *pamh, int flags ,
login_close(lc);
#endif
return (PAM_ACCT_EXPIRED);
- } else if ( ( pwd->sp_expire - curtime < pwd->sp_warn) ) {
+ } else if ( ( pwd->sp_expire - curtime < DEFAULT_WARN) ) {
// pam_error(pamh, "Warning: your account expires on %s",
-// ctime(&pwd->pw_expire));
+// ctime(&pwd->sp_expire));
}
}
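Review bot: The new comparison `pwd->sp_expire - curtime < DEFAULT_WARN` mixes units: `curtime` is computed as `time(NULL) / (60 * 60 * 24)` and `sp_expire` is a day count, while `DEFAULT_WARN` is defined as `2L * 7L * 86400L` seconds. As written the branch is taken for practically every account that has not yet expired. Either define the constant in days or compare with `DEFAULT_WARN / 86400L`, e.g. `} else if (pwd->sp_expire - curtime < DEFAULT_WARN / 86400L) {`. The commented-out `ctime(&pwd->sp_expire)` has the same problem: `sp_expire` is days, not a `time_t` in seconds, so it would print a wrong date if re-enabled. Replacing the per-account `sp_warn` with a fixed constant also drops the administrator's configured warning period, which deserves a comment if intentional.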
@@ -258,7 +263,6 @@ pam_sm_chautok(pam_handle_t *pamh, int flags,
* This is standard unix passwd changing function.
*/
struct passwd *new_pwd, *old_pwd;
- char oldprefix[HASH_PREFIX_SIZE];
const char *user, *old_pass, *new_pass;
char *hashedpwd;
int pam_err;
@@ -279,9 +283,9 @@ pam_sm_chautok(pam_handle_t *pamh, int flags,
PAM_LOG("Got user: [%s]", user);
- if (pwd == NULL) {
+ if (old_pwd == NULL) {
PAM_ERROR("User [%s] either has a corrupted passwd entry or \
- is not in the selected database");
+ is not in the selected database", user);
return (PAM_AUTHTOK_RECOVERY_ERR);
}
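Review bot: The `PAM_ERROR` message is split with a backslash continuation inside the string literal, so the leading indentation of the second source line ends up inside the logged text. Adjacent string literals avoid this: `PAM_ERROR("User [%s] either has a corrupted passwd entry or " "is not in the selected database", user);`. Passing `user` for the `%s` is the right fix for the previously missing argument.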
@@ -310,18 +314,16 @@ pam_sm_chautok(pam_handle_t *pamh, int flags,
return (pam_set_item(pamh, PAM_OLDAUTHTOK, ""));
}
- if ( (pwd->pw_passwd[0] == '\0' ) &&
+ if ( (old_pwd->pw_passwd[0] == '\0' ) &&
( openpam_get_option(pamh, PAM_OPT_NULLOK) ) &&
- ( openpam_get_option(pamh,PAM_DISALLOW_NULL_AUTHTOK)) ) {
-
+ !(flags & PAM_DISALLOW_NULL_AUTHTOK) ) {
/*
* Something funny could happen here since we don't
* ask for a password.
*/
old_pass = "";
}
-
-
+ }
return (PAM_SUCCESS);