diff --git a/etc/pam.d/ftpd b/etc/pam.d/ftpd
index 2ab916f5e2e0..d32016e15ad7 100644
--- a/etc/pam.d/ftpd
+++ b/etc/pam.d/ftpd
@@ -9,7 +9,7 @@ auth required pam_nologin.so no_warn
 #auth sufficient pam_kerberosIV.so no_warn
 #auth sufficient pam_krb5.so no_warn
 #auth sufficient pam_ssh.so no_warn try_first_pass
-auth [default=ignore success=done cred_err=die] pam_opie.so no_warn
+#auth sufficient pam_opie.so no_warn
 auth required pam_unix.so no_warn try_first_pass
 
 # account
diff --git a/etc/pam.d/login b/etc/pam.d/login
index eba50b9e5ab6..cecaf133c618 100644
--- a/etc/pam.d/login
+++ b/etc/pam.d/login
@@ -9,7 +9,7 @@ auth required pam_nologin.so no_warn
 #auth sufficient pam_kerberosIV.so no_warn try_first_pass
 #auth sufficient pam_krb5.so no_warn try_first_pass
 #auth required pam_ssh.so no_warn try_first_pass
-auth [default=ignore success=done cred_err=die] pam_opie.so no_warn
+#auth sufficient pam_opie.so no_warn
 auth required pam_unix.so no_warn try_first_pass
 
 # account
diff --git a/etc/pam.d/su b/etc/pam.d/su
index 9d7bcb180bec..e7f6192116ac 100644
--- a/etc/pam.d/su
+++ b/etc/pam.d/su
@@ -10,7 +10,7 @@ auth requisite pam_wheel.so no_warn auth_as_self noroot_ok
 #auth sufficient pam_kerberosIV.so no_warn
 #auth sufficient pam_krb5.so no_warn try_first_pass auth_as_self
 #auth required pam_ssh.so no_warn try_first_pass
-auth [default=ignore success=done cred_err=die] pam_opie.so no_warn
+#auth sufficient pam_opie.so no_warn
 auth required pam_unix.so no_warn try_first_pass nullok
 #auth sufficient pam_rootok.so no_warn
 ##auth sufficient pam_kerberosIV.so no_warn
diff --git a/lib/libpam/modules/pam_opie/pam_opie.c b/lib/libpam/modules/pam_opie/pam_opie.c
index a33c4220eb6f..52dd07fc26e6 100644
--- a/lib/libpam/modules/pam_opie/pam_opie.c
+++ b/lib/libpam/modules/pam_opie/pam_opie.c
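Review bot: With `#auth sufficient pam_opie.so no_warn` commented out, ftpd no longer consults pam_opie at all, so a user who has an OPIE key set up is authenticated by pam_unix's reusable password alone; the same edit is made in login and su below. If the line is later uncommented as written, `sufficient` lets a failed one-time password fall through to pam_unix, whereas the replaced `[default=ignore success=done cred_err=die]` control terminated the stack on PAM_CRED_ERR for users that opiealways/opieaccessfile marked as OTP-only. Record the intent next to the line, e.g. `# OPIE one-time passwords are not enforced for this service`, so the weaker policy is visible to whoever re-enables the module.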
@@ -66,12 +66,13 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv)
 	struct opie opie;
 	struct options options;
 	struct passwd *pwd;
-	int retval, i, pwok;
+	int retval, i;
 	char *(promptstr[]) = { "%s\nPassword: ", "%s\nPassword [echo on]: "};
 	char challenge[OPIE_CHALLENGE_MAX];
 	char prompt[OPIE_CHALLENGE_MAX+22];
 	char resp[OPIE_SECRET_MAX];
-	const char *user, *response, *rhost;
+	const char *user;
+	const char *response;
 
 	pam_std_option(&options, other_options, argc, argv);
 
@@ -88,16 +89,13 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv)
 
 	user = NULL;
 	if (pam_test_option(&options, PAM_OPT_AUTH_AS_SELF, NULL)) {
-		if ((pwd = getpwnam(getlogin())) == NULL)
-			PAM_RETURN(PAM_AUTH_ERR);
+		pwd = getpwnam(getlogin());
 		user = pwd->pw_name;
 	}
 	else {
 		retval = pam_get_user(pamh, (const char **)&user, NULL);
 		if (retval != PAM_SUCCESS)
 			PAM_RETURN(retval);
-		if ((pwd = getpwnam(user)) == NULL)
-			PAM_RETURN(PAM_AUTH_ERR);
 	}
 
 	PAM_LOG("Got user: %s", user);
@@ -108,14 +106,7 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv)
 	 */
 	opiedisableaeh();
 
-	if (opiechallenge(&opie, (char *)user, challenge) == 0) {
-		rhost = NULL;
-		(void) pam_get_item(pamh, PAM_RHOST, (const void **)&rhost);
-		pwok = (rhost != NULL) && (*rhost != '\0') &&
-		    opieaccessfile((char *)rhost) &&
-		    opiealways(pwd->pw_dir);
-	} else
-		PAM_RETURN(PAM_AUTH_ERR);
+	opiechallenge(&opie, (char *)user, challenge);
 	for (i = 0; i < 2; i++) {
 		snprintf(prompt, sizeof prompt, promptstr[i], challenge);
 		retval = pam_get_pass(pamh, &response, prompt, &options);
@@ -134,7 +125,7 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv)
 	}
 
 	/* We have to copy the response, because opieverify mucks with it. */
-	strlcpy(resp, response, sizeof resp);
+	snprintf(resp, sizeof resp, "%s", response);
 
 	/*
 	 * Opieverify is supposed to return -1 only if an error occurs.
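Review bot: `pwd = getpwnam(getlogin());` in the auth_as_self branch is immediately followed by `user = pwd->pw_name;`, so a NULL from getlogin() (no login name for the session) or from getpwnam() (no such account) is dereferenced inside the PAM module and takes the calling login/su/ftpd process down with it. The check this hunk drops is the minimal guard: `if ((pwd = getpwnam(getlogin())) == NULL) PAM_RETURN(PAM_AUTH_ERR);`. In the else branch pwd is now never assigned, which is harmless only as long as no later code reads it; a comment such as `/* pwd is only valid in the auth_as_self case */` would keep that from being missed. pam_sm_authenticate starts before this hunk and continues after it.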
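Review bot: The return value of `opiechallenge(&opie, (char *)user, challenge);` is now ignored, so when the user has no OPIE key the loop below still formats `challenge` (possibly never written) into the prompt and later calls opieverify on an opie struct that may not have been filled in; the checked form this hunk removes returned PAM_AUTH_ERR before prompting. A one-line guard keeps that behaviour: `if (opiechallenge(&opie, (char *)user, challenge) != 0) PAM_RETURN(PAM_AUTH_ERR);`. The deleted pam_get_item(PAM_RHOST)/opieaccessfile/opiealways block was also the only place the module evaluated the per-host and per-user OTP-required policy, so after this hunk that policy is never consulted; if that is intended it deserves a comment at the call site. pam_sm_authenticate continues past the end of this hunk.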
@@ -142,10 +133,7 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv)
 	 * it expects. Thus we can't log an error and can only check for
 	 * success or lack thereof.
 	 */
-	if (opieverify(&opie, resp) != 0)
-		retval = pwok ? PAM_AUTH_ERR : PAM_CRED_ERR;
-	else
-		retval = PAM_SUCCESS;
+	retval = opieverify(&opie, resp) == 0 ? PAM_SUCCESS : PAM_AUTH_ERR;
 	PAM_RETURN(retval);
 }
 
diff --git a/lib/libpam/modules/pam_unix/pam_unix.c b/lib/libpam/modules/pam_unix/pam_unix.c
index 7afa45a9ac2f..af6f989fb48c 100644
--- a/lib/libpam/modules/pam_unix/pam_unix.c
+++ b/lib/libpam/modules/pam_unix/pam_unix.c
@@ -152,8 +152,6 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv)
 
 		retval = strcmp(encrypted, pwd->pw_passwd) == 0 ?
 		    PAM_SUCCESS : PAM_AUTH_ERR;
-		if (pwd->pw_expire && time(NULL) >= pwd->pw_expire)
-			retval = PAM_AUTH_ERR;
 	}
 	else {
 
@@ -504,14 +502,15 @@ local_passwd(const char *user, const char *pass)
 		syslog(LOG_ERR, "cannot set password cipher");
 	login_close(lc);
 	/* Salt suitable for anything */
+	srandomdev();
 	gettimeofday(&tv, 0);
-	to64(&salt[0], arc4random(), 3);
+	to64(&salt[0], random(), 3);
 	to64(&salt[3], tv.tv_usec, 3);
 	to64(&salt[6], tv.tv_sec, 2);
-	to64(&salt[8], arc4random(), 5);
-	to64(&salt[13], arc4random(), 5);
-	to64(&salt[17], arc4random(), 5);
-	to64(&salt[22], arc4random(), 5);
+	to64(&salt[8], random(), 5);
+	to64(&salt[13], random(), 5);
+	to64(&salt[17], random(), 5);
+	to64(&salt[22], random(), 5);
 	salt[27] = '\0';
 	pwd->pw_passwd = crypt(pass, salt);
 
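Review bot: `retval = opieverify(&opie, resp) == 0 ? PAM_SUCCESS : PAM_AUTH_ERR;` collapses the former PAM_AUTH_ERR/PAM_CRED_ERR distinction, so the module can no longer signal to the stack that this user or source host must not fall back to a reusable password; a `cred_err=die` control in a service file now never fires and the stack continues to pam_unix. If that is the intended new contract, say so above the line, e.g. `/* Always PAM_AUTH_ERR on failure: OTP-only policy is not enforced by this module. */`. Separately, `resp` still holds the typed one-time password when PAM_RETURN runs; clearing it after opieverify with an explicit-zeroing routine (plain memset before return may be optimised away) is cheap and applies to both outcomes. pam_sm_authenticate starts before this hunk.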
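Review bot: Removing `if (pwd->pw_expire && time(NULL) >= pwd->pw_expire) retval = PAM_AUTH_ERR;` means pam_unix's pam_sm_authenticate now returns PAM_SUCCESS for an account whose pw_expire has passed. That is only safe if pam_sm_acct_mgmt in this module (outside the diff) enforces pw_expire and every service stack that authenticates with pam_unix also carries an `account` line for it; where either is missing, an expired account keeps logging in. Either keep the check here or add a comment at this point naming where expiry is enforced, e.g. `/* pw_expire is checked in pam_sm_acct_mgmt, not here */`, once that has been verified. The enclosing if/else runs past both ends of this hunk.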
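Review bot: `srandomdev();` followed by four `random()` calls replaces arc4random() for the salt words in local_passwd, and the same substitution is made in yp_passwd in the next hunk. random() is a non-cryptographic generator whose output is fully determined by its seed, and srandomdev() reseeds the process-wide random() state on every password change, which perturbs any other random() user in the process; arc4random() needed no seeding call and gave unpredictable output directly. A salt needs to be unique and unpredictable, so if random() must stay, hoist `srandomdev()` out of the two password paths into a single initialisation and add `/* salt only needs uniqueness; random() is seeded once in <init path> */` (placeholder for the actual location) so the weaker source is documented.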
@@ -597,14 +596,15 @@ yp_passwd(const char *user, const char *pass)
 		syslog(LOG_ERR, "cannot set password cipher");
 	login_close(lc);
 	/* Salt suitable for anything */
+	srandomdev();
 	gettimeofday(&tv, 0);
-	to64(&salt[0], arc4random(), 3);
+	to64(&salt[0], random(), 3);
 	to64(&salt[3], tv.tv_usec, 3);
 	to64(&salt[6], tv.tv_sec, 2);
-	to64(&salt[8], arc4random(), 5);
-	to64(&salt[13], arc4random(), 5);
-	to64(&salt[17], arc4random(), 5);
-	to64(&salt[22], arc4random(), 5);
+	to64(&salt[8], random(), 5);
+	to64(&salt[13], random(), 5);
+	to64(&salt[17], random(), 5);
+	to64(&salt[22], random(), 5);
 	salt[27] = '\0';
 
 	if (suser_override)