1 // system-level password checking for host auth mode
2 // by Nathan Bryant, March 1999
3 // updated by Trey van Riper, June 2005
5 // Copyright (c) 1999-2016 by the citadel.org team
7 // This program is open source software. Use, duplication, or disclosure
8 // is subject to the terms of the GNU General Public License, version 3.
9 // The program is distributed without any warranty, expressed or implied.
11 #if defined(__linux) || defined(__sun) // needed for crypt():
13 #define _XOPEN_SOURCE_EXTENDED 1
20 #include <sys/types.h>
30 #include <security/pam_appl.h>
32 // struct appdata: passed to the conversation function
38 // conv(): the PAM conversation function. it assumes that a
39 // PAM_PROMPT_ECHO_ON prompt is asking for a username and that a PAM_PROMPT_ECHO_OFF
40 // prompt is asking for a password; any other message style is answered with a NULL reply.
41 // esoteric authentication modules (anything that needs a real dialogue) will therefore fail
42 // with this code, but we can't really support them with the existing client protocol anyway. the failure mode should be to deny access, in any case.
43 static int conv(int num_msg, const struct pam_message **msg, struct pam_response **resp, void *appdata_ptr) {
// answers each PAM prompt from the credentials the caller stored in the
// struct appdata reachable through appdata_ptr (fields name and pw; the
// struct definition itself is not shown in this listing)
44 struct pam_response *temp_resp;
45 struct appdata *data = appdata_ptr;
// one pam_response per message. the error return that presumably follows
// an allocation failure is not shown in this listing -- confirm it fails closed.
48 malloc(sizeof(struct pam_response[num_msg]))) == NULL)
// NOTE(review): the lines below index with num_msg itself, so they presumably
// sit inside a countdown loop whose header is not shown here -- confirm.
// NOTE(review): (*msg)[i] treats msg as a pointer to an array of messages (the
// Solaris/X/Open layout). Linux-PAM declares msg as an array of pointers, msg[i];
// the two layouts coincide only when num_msg == 1, so a module that sends several
// prompts at once may have the wrong message inspected here -- verify against the
// PAM implementation this is built against.
52 switch ((*msg)[num_msg].msg_style) {
53 case PAM_PROMPT_ECHO_ON:
// an echo-on prompt is taken to be a request for the user name. strdup() may
// return NULL; that is not checked, so on allocation failure the module gets an
// empty reply with resp_retcode 0 (presumably a denial, but silently).
54 temp_resp[num_msg].resp = strdup(data->name);
56 case PAM_PROMPT_ECHO_OFF:
// an echo-off prompt is taken to be a request for the password. the copy is
// handed to libpam/the module under PAM's conversation contract; nothing here
// scrubs it -- NOTE(review): confirm the PAM implementation in use overwrites
// replies before freeing them.
57 temp_resp[num_msg].resp = strdup(data->pw);
// any other prompt style gets no answer at all; the module is expected to deny
60 temp_resp[num_msg].resp = NULL;
62 temp_resp[num_msg].resp_retcode = 0;
68 #endif // HAVE_PAM_START
71 // check that `pass' is the correct password for the system account `uid'.
72 // returns zero if not, nonzero if yes; callers must treat zero as a denial.
// NOTE(review): in the non-PAM fallback below, crypt() can return NULL (glibc and
// libxcrypt do so for an unsupported or malformed hash, and in FIPS mode); that
// result is passed straight to strcmp() without a check, which would crash the
// server on such an entry instead of denying the login.
73 int validate_password(uid_t uid, const char *pass) {
97 #ifdef PAM_DATA_SILENT
98 int flags = PAM_DATA_SILENT;
104 pc.appdata_ptr = &data;
105 data.name = pw->pw_name;
107 if (pam_start("citadel", pw->pw_name, &pc, &ph) != PAM_SUCCESS)
110 if ((i = pam_authenticate(ph, flags)) == PAM_SUCCESS) {
111 if ((i = pam_acct_mgmt(ph, flags)) == PAM_SUCCESS) {
116 pam_end(ph, i | flags);
118 crypted_pwd = pw->pw_passwd;
123 if (pw->pw_name == NULL)
125 if ((sp = getspnam(pw->pw_name)) != NULL) {
126 crypted_pwd = sp->sp_pwdp;
130 if (!strcmp(crypt(pass, crypted_pwd), crypted_pwd)) {
133 #endif // HAVE_PAM_START