2 * system-level password checking for host auth mode
3 * by Nathan Bryant, March 1999
4 * updated by Trey van Riper, June 2005
6 * Copyright (c) 1999-2016 by the citadel.org team
8 * This program is open source software; you can redistribute it and/or modify
9 * it under the terms of the GNU General Public License, version 3.
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
17 #if defined(__linux) || defined(__sun) /* needed for crypt(): */
19 #define _XOPEN_SOURCE_EXTENDED 1
26 #include <sys/types.h>
36 #include <security/pam_appl.h>
39 * struct appdata: passed to the conversation function
47 * conv(): the PAM conversation function. this assumes that a
48 * PAM_PROMPT_ECHO_ON prompt is asking for a username, and that a
49 * PAM_PROMPT_ECHO_OFF prompt is asking for a password. esoteric authentication
50 * modules (anything that prompts for something else) will fail with this
51 * code, but we can't really support them with the existing client protocol
 * anyway. the failure mode should be to deny access, in any case.
/*
 * conv(): PAM conversation callback, installed through pam_conv.conv.
 * NOTE(review): lines between the fragments shown here (the enclosing
 * loop, the `if' that assigns the malloc() result, the break/default
 * lines) are not visible in this listing; only the visible statements
 * are annotated below.
 */
53 static int conv(int num_msg, const struct pam_message **msg,
54 struct pam_response **resp, void *appdata_ptr)
56 struct pam_response *temp_resp;
/* appdata_ptr is the struct appdata registered as pc.appdata_ptr by the
 * caller; only ->name and ->pw are read here */
57 struct appdata *data = appdata_ptr;
/* one response slot per message; PAM takes ownership of the array.
 * NOTE(review): sizeof of a VLA type with num_msg <= 0 is undefined
 * behaviour, so a guard on num_msg before this allocation would be safer */
60 malloc(sizeof(struct pam_response[num_msg]))) == NULL)
/* NOTE(review): (*msg)[i] is the Solaris-style layout (one contiguous
 * array of messages); Linux-PAM documents msg[i] as the portable form and
 * only guarantees the former works when messages happen to be contiguous --
 * confirm against the target PAM implementation */
64 switch ((*msg)[num_msg].msg_style) {
65 case PAM_PROMPT_ECHO_ON:
/* an echo-on prompt is taken to mean "username" (see the comment above
 * the function). strdup() can return NULL on allocation failure, which is
 * handed back to PAM unchecked */
66 temp_resp[num_msg].resp = strdup(data->name);
68 case PAM_PROMPT_ECHO_OFF:
/* an echo-off prompt is taken to mean "password". this places a second
 * plaintext copy of the password on the heap; it is freed by the PAM side,
 * and whether it is scrubbed before free is not controlled here.
 * strdup() NULL is likewise unchecked */
69 temp_resp[num_msg].resp = strdup(data->pw);
/* any other message style (error or informational text) gets no answer */
72 temp_resp[num_msg].resp = NULL;
/* resp_retcode is unused by the PAM API and is expected to be zero */
74 temp_resp[num_msg].resp_retcode = 0;
80 #endif /* HAVE_PAM_START */
84 * check that `pass' is the correct password for `uid'.
85 * returns zero if it is not, nonzero if it is.
/*
 * validate_password(): checks `pass' against the system credentials of
 * `uid', through PAM when HAVE_PAM_START is defined and through crypt()
 * otherwise.
 * NOTE(review): this listing omits much of the body (the lookup that sets
 * `pw', the `#else' separating the PAM and crypt() paths, the final
 * return), so only the visible calls are annotated.
 */
87 int validate_password(uid_t uid, const char *pass)
/* PAM path: delegate the decision to the "citadel" service stack */
110 #ifdef HAVE_PAM_START
/* ask the library to stay quiet where the flag exists */
112 #ifdef PAM_DATA_SILENT
113 int flags = PAM_DATA_SILENT;
/* the username and password reach conv() through the pam_conv appdata
 * pointer; `data' must outlive the pam_start()..pam_end() span */
119 pc.appdata_ptr = &data;
120 data.name = pw->pw_name;
/* the service name is fixed, so the policy file consulted is chosen by the
 * administrator, never by the client */
122 if (pam_start("citadel", pw->pw_name, &pc, &ph) != PAM_SUCCESS)
/* both steps must succeed: pam_acct_mgmt() is the one meant to reject an
 * expired or locked account even when the password itself was accepted */
125 if ((i = pam_authenticate(ph, flags)) == PAM_SUCCESS) {
126 if ((i = pam_acct_mgmt(ph, flags)) == PAM_SUCCESS) {
/* pam_end() receives the last PAM status or'd with the flags, as the API
 * expects */
131 pam_end(ph, i | flags);
/* crypt() path: start from the hash in the passwd entry */
133 crypted_pwd = pw->pw_passwd;
138 if (pw->pw_name == NULL)
/* prefer the shadow entry when it can be read. getspnam() typically needs
 * privilege; if it fails, the comparison falls back on pw_passwd, which on
 * shadowed systems is a placeholder that never matches a crypt() result */
140 if ((sp = getspnam(pw->pw_name)) != NULL) {
141 crypted_pwd = sp->sp_pwdp;
/* NOTE(review): crypt() returns NULL on failure (for example an unsupported
 * or malformed hash, or a locked "*"/"!" entry on some libcs), and strcmp()
 * would then dereference NULL. the result should be checked for NULL, and
 * treated as a failed match, before the comparison */
145 if (!strcmp(crypt(pass, crypted_pwd), crypted_pwd)) {
148 #endif /* HAVE_PAM_START */