mirror of https://git.FreeBSD.org/src.git synced 2025-01-28 16:43:09 +00:00

Reorganize pam_sm_authenticate() to reduce code duplication.

Sponsored by:	DARPA, NAI Labs
Dag-Erling Smørgrav 2002-04-07 21:18:18 +00:00
parent 67ec58a802
commit 50000f00df
Notes: svn2git 2020-12-20 02:59:44 +00:00
svn path=/head/; revision=94153


@ -121,16 +121,16 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags __unused, int argc, const char
struct options options; struct options options;
struct passwd *pwd; struct passwd *pwd;
int retval; int retval;
const char *pass, *user; const char *pass, *user, *realpw;
char *encrypted, *password_prompt; char *prompt;
pam_std_option(&options, other_options, argc, argv); pam_std_option(&options, other_options, argc, argv);
PAM_LOG("Options processed"); PAM_LOG("Options processed");
if (pam_test_option(&options, PAM_OPT_AUTH_AS_SELF, NULL)) if (pam_test_option(&options, PAM_OPT_AUTH_AS_SELF, NULL)) {
pwd = getpwnam(getlogin()); pwd = getpwnam(getlogin());
else { } else {
retval = pam_get_user(pamh, &user, NULL); retval = pam_get_user(pamh, &user, NULL);
if (retval != PAM_SUCCESS) if (retval != PAM_SUCCESS)
PAM_RETURN(retval); PAM_RETURN(retval);
@ -140,68 +140,31 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags __unused, int argc, const char
PAM_LOG("Got user: %s", user); PAM_LOG("Got user: %s", user);
if (pwd != NULL) { if (pwd != NULL) {
PAM_LOG("Doing real authentication"); PAM_LOG("Doing real authentication");
realpw = pwd->pw_passwd;
if (pwd->pw_passwd[0] == '\0' if (realpw[0] == '\0') {
&& pam_test_option(&options, PAM_OPT_NULLOK, NULL)) { if (!(flags & PAM_DISALLOW_NULL_AUTHTOK) &&
/* pam_test_option(&options, PAM_OPT_NULLOK, NULL))
* No password case. XXX Are we giving too much away PAM_RETURN(PAM_SUCCESS);
* by not prompting for a password? realpw = "*";
*/
PAM_LOG("No password, and null password OK");
PAM_RETURN(PAM_SUCCESS);
} }
else { lc = login_getpwclass(pwd);
lc = login_getpwclass(pwd); } else {
password_prompt = login_getcapstr(lc, "passwd_prompt",
NULL, NULL);
retval = pam_get_authtok(pamh, PAM_AUTHTOK,
&pass, password_prompt);
login_close(lc);
if (retval != PAM_SUCCESS)
PAM_RETURN(retval);
PAM_LOG("Got password");
}
encrypted = crypt(pass, pwd->pw_passwd);
if (pass[0] == '\0' && pwd->pw_passwd[0] != '\0')
encrypted = colon;
PAM_LOG("Encrypted password 1 is: %s", encrypted);
PAM_LOG("Encrypted password 2 is: %s", pwd->pw_passwd);
retval = strcmp(encrypted, pwd->pw_passwd) == 0 ?
PAM_SUCCESS : PAM_AUTH_ERR;
}
else {
PAM_LOG("Doing dummy authentication"); PAM_LOG("Doing dummy authentication");
realpw = "*";
/*
* User unknown.
* Encrypt a dummy password so as to not give away too much.
*/
lc = login_getclass(NULL); lc = login_getclass(NULL);
password_prompt = login_getcapstr(lc, "passwd_prompt",
NULL, NULL);
retval = pam_get_authtok(pamh,
PAM_AUTHTOK, &pass, password_prompt);
login_close(lc);
if (retval != PAM_SUCCESS)
PAM_RETURN(retval);
PAM_LOG("Got password");
crypt(pass, "xx");
retval = PAM_AUTH_ERR;
} }
prompt = login_getcapstr(lc, "passwd_prompt", NULL, NULL);
/* retval = pam_get_authtok(pamh, PAM_AUTHTOK, &pass, prompt);
* The PAM infrastructure will obliterate the cleartext login_close(lc);
* password before returning to the application.
*/
if (retval != PAM_SUCCESS) if (retval != PAM_SUCCESS)
PAM_VERBOSE_ERROR("UNIX authentication refused"); PAM_RETURN(retval);
PAM_LOG("Got password");
if (strcmp(crypt(pass, realpw), realpw) == 0)
PAM_RETURN(PAM_SUCCESS);
PAM_RETURN(retval); PAM_VERBOSE_ERROR("UNIX authentication refused");
PAM_RETURN(PAM_AUTH_ERR);
} }
PAM_EXTERN int PAM_EXTERN int
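Review bot: The final comparison `strcmp(crypt(pass, realpw), realpw)` passes the crypt() result to strcmp() unchecked, and crypt() can return NULL on failure. Because realpw is now the literal `"*"` for unknown users and for empty passwords that are not allowed, the salt on those paths is deliberately not a valid one; whether that yields NULL depends on the libcrypt in use, but a NULL here would crash the module instead of returning PAM_AUTH_ERR. I would keep a local for the result and treat NULL as a mismatch: `encrypted = crypt(pass, realpw);` then `if (encrypted != NULL && strcmp(encrypted, realpw) == 0)`, which means keeping the `char *encrypted` declaration that this change removes. It is also worth confirming that hashing against `"*"` takes about as long as hashing against a real entry, since the old dummy path called `crypt(pass, "xx")` so that unknown users were not distinguishable by response time. The function body starts before the first hunk, so the earlier setup is not visible here.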