4 * system-level password checking for host auth mode
5 * by Nathan Bryant, March 1999
6 * updated by Trey van Riper, June 2005
8 * Copyright (c) 1999-2009 by the citadel.org team
10 * This program is free software; you can redistribute it and/or modify
11 * it under the terms of the GNU General Public License as published by
12 * the Free Software Foundation; either version 3 of the License, or
13 * (at your option) any later version.
15 * This program is distributed in the hope that it will be useful,
16 * but WITHOUT ANY WARRANTY; without even the implied warranty of
17 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 * GNU General Public License for more details.
20 * You should have received a copy of the GNU General Public License
21 * along with this program; if not, write to the Free Software
22 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
26 #if defined(__linux) || defined(__sun) /* needed for crypt(): */
28 #define _XOPEN_SOURCE_EXTENDED 1
35 #include <sys/types.h>
45 #include <security/pam_appl.h>
48 * struct appdata: the account name and the candidate password, handed to conv() through appdata_ptr so it can answer the PAM prompts
58 * conv(): the PAM conversation function. It assumes that a PAM_PROMPT_ECHO_ON prompt is asking for the
59 * username and a PAM_PROMPT_ECHO_OFF prompt is asking for the password; any other prompt style gets a NULL
60 * response, because the existing client protocol cannot carry anything else, so modules that need more
61 * (challenge-response, one-time tokens, etc.) will fail. Messages are indexed as (*msg)[n], the Linux-PAM
62 * layout; Solaris PAM passes an array of pointers instead, so a multi-prompt conversation there would read the wrong entry. The strdup() results are not checked, so on allocation failure the response is NULL as well. In every case the failure mode should be to deny access, never to accept it.
65 static int conv(int num_msg, const struct pam_message **msg,
66 struct pam_response **resp, void *appdata_ptr)
68 struct pam_response *temp_resp;
69 struct appdata *data = appdata_ptr;
71 if ((temp_resp = malloc(sizeof(struct pam_response[num_msg]))) == NULL)
76 switch ((*msg)[num_msg].msg_style)
78 case PAM_PROMPT_ECHO_ON:
79 temp_resp[num_msg].resp = strdup(data->name);
81 case PAM_PROMPT_ECHO_OFF:
82 temp_resp[num_msg].resp = strdup(data->pw);
85 temp_resp[num_msg].resp = NULL;
87 temp_resp[num_msg].resp_retcode = 0;
93 #endif /* HAVE_PAM_START */
97 * check that `pass' is the correct password for the local account whose uid is `uid'. With PAM, the "citadel" service stack is run (pam_authenticate followed by pam_acct_mgmt), so the effective policy is whatever that PAM service is configured with; without PAM, crypt(pass, stored hash) is compared against the shadow entry when it is readable (normally requires privilege), falling back to the passwd field otherwise.
98 * returns zero if no, nonzero if yes. Every failure path (unknown uid, PAM setup/auth/account error, hash mismatch) should yield zero. NOTE(review): on some libcs crypt() returns NULL for an unsupported or malformed stored hash, and the strcmp() in the non-PAM path would dereference it -- the return value should be checked before comparing.
101 int validate_password(uid_t uid, const char *pass)
103 #ifdef HAVE_PAM_START
118 flags = 0; /* silences compiler warning */
120 #ifdef PAM_DATA_SILENT
121 flags = ( flags | PAM_DATA_SILENT ) ;
122 #endif /* PAM_DATA_SILENT */
123 if ((pw = getpwuid(uid)) == NULL) {
127 #ifdef HAVE_PAM_START
129 pc.appdata_ptr = &data;
130 data.name = pw->pw_name;
132 if (pam_start("citadel", pw->pw_name, &pc, &ph) != PAM_SUCCESS)
135 if ((i = pam_authenticate(ph, flags)) == PAM_SUCCESS)
136 if ((i = pam_acct_mgmt(ph, flags)) == PAM_SUCCESS)
139 pam_end(ph, i | flags);
141 crypted_pwd = pw->pw_passwd;
144 if ((sp = getspnam(pw->pw_name)) != NULL)
145 crypted_pwd = sp->sp_pwdp;
148 if (!strcmp(crypt(pass, crypted_pwd), crypted_pwd))
150 #endif /* HAVE_PAM_START */