summaryrefslogtreecommitdiff
path: root/pam_pwdfile.c
diff options
context:
space:
mode:
authorTimo Weingärtner <timo@tiwe.de>2013-04-26 12:57:56 +0200
committerTimo Weingärtner <timo@tiwe.de>2013-05-11 01:38:39 +0200
commit629c03d7775e1f4b5c0fdee358c6773f70e91961 (patch)
treee8f01909604d50376a38c9c6fc19902432621781 /pam_pwdfile.c
parentfbce1a480fda4c97b21c87fb39096d23db6eedfb (diff)
downloadlibpam-pwdfile-629c03d7775e1f4b5c0fdee358c6773f70e91961.tar.gz
add debug module option and use pam_syslog
also: * remove some unnessesary comments * add vim settings for unusual indentation
Diffstat (limited to 'pam_pwdfile.c')
-rw-r--r--pam_pwdfile.c71
1 files changed, 24 insertions, 47 deletions
diff --git a/pam_pwdfile.c b/pam_pwdfile.c
index c8cae75..d8c9e69 100644
--- a/pam_pwdfile.c
+++ b/pam_pwdfile.c
@@ -44,7 +44,6 @@
#include <features.h>
#include <syslog.h>
-#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
@@ -54,11 +53,13 @@
#include <sys/wait.h>
#include <sys/file.h>
#include <unistd.h>
+#include <syslog.h>
#include <security/pam_appl.h>
#define PAM_SM_AUTH
#include <security/pam_modules.h>
+#include <security/pam_ext.h>
#include "md5.h"
extern char *crypt(const char *key, const char *salt);
@@ -72,27 +73,10 @@ extern char *bigcrypt(const char *key, const char *salt);
#define CRYPTED_MD5PWD_LEN 34
#define CRYPTED_BCPWD_LEN 178
-#ifdef DEBUG
-# define D(a) a;
-#else
-# define D(a) {}
-#endif
-
/* prototypes */
int converse(pam_handle_t *, int, struct pam_message **, struct pam_response **);
int _set_auth_tok(pam_handle_t *, int, int, const char **);
-/* logging function ripped from pam_listfile.c */
-static void _pam_log(int err, const char *format, ...) {
- va_list args;
-
- va_start(args, format);
- openlog("pam_pwdfile", LOG_CONS|LOG_PID, LOG_AUTH);
- vsyslog(err, format, args);
- va_end(args);
- closelog();
-}
-
static int lock_fd(int fd) {
int delay;
@@ -235,6 +219,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags,
int use_flock = 0;
int use_delay = 1;
int temp_result = 0;
+ int debug = 0;
/* we require the pwdfile switch and argument to be present, else we don't work */
/* pcnt is the parameter counter variable for iterating through argv */
@@ -264,48 +249,45 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags,
} else if (strcmp(argv[pcnt],NODELAY_PARAM)==0) {
/* no delay on authentication failure */
use_delay = 0;
+ } else if (strcmp(argv[pcnt], "debug") == 0) {
+ debug = 1;
}
} while (++pcnt < argc);
#ifdef HAVE_PAM_FAIL_DELAY
if (use_delay) {
- D(("setting delay"));
- (void) pam_fail_delay(pamh, 2000000); /* 2 sec delay for on failure */
+ if (debug) pam_syslog(pamh, LOG_DEBUG, "setting fail delay");
+ (void) pam_fail_delay(pamh, 2000000); /* 2 sec */
}
#endif
- /* for some or other reason, the password file wasn't specified */
if (!pwdfilename_found) {
- _pam_log(LOG_ERR,"password file name not specified");
+ pam_syslog(pamh, LOG_ERR, "password file name not specified");
return PAM_AUTHINFO_UNAVAIL;
}
- /* DEBUG */
- D(_pam_log(LOG_ERR, "password filename extracted"));
+ if (debug) pam_syslog(pamh, LOG_DEBUG, "password filename extracted");
/* now try to open the password file */
if ((pwdfile=fopen(pwdfilename,"r"))==NULL) {
- _pam_log(LOG_ERR,"couldn't open password file %s",pwdfilename);
+ pam_syslog(pamh, LOG_ALERT, "couldn't open password file %s", pwdfilename);
return PAM_AUTHINFO_UNAVAIL;
}
- /* set a lock on the password file */
if (use_flock && lock_fd(fileno(pwdfile)) == -1) {
- _pam_log(LOG_ERR,"couldn't lock password file %s",pwdfilename);
+ pam_syslog(pamh, LOG_ALERT, "couldn't lock password file %s", pwdfilename);
return PAM_AUTHINFO_UNAVAIL;
}
/* get user name */
if ((retval = pam_get_user(pamh,&name,"login: ")) != PAM_SUCCESS) {
- _pam_log(LOG_ERR, "username not found");
+ pam_syslog(pamh, LOG_ERR, "username not found");
fclose(pwdfile);
return retval;
}
-
- /* DEBUG */
- D(_pam_log(LOG_ERR,"username is %s", name));
+ if (debug) pam_syslog(pamh, LOG_DEBUG, "username is %s", name);
/* get password - code from pam_unix_auth.c */
pam_get_item(pamh, PAM_AUTHTOK, (void *)&password);
@@ -319,38 +301,34 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags,
pam_get_item(pamh, PAM_AUTHTOK, (void *)&password);
if ((retval = pam_get_item(pamh, PAM_AUTHTOK, (void *)&password)) != PAM_SUCCESS) {
- _pam_log(LOG_ERR, "auth token not found");
+ pam_syslog(pamh, LOG_ERR, "auth token not found");
fclose(pwdfile);
return retval;
}
- /* DEBUG */
- D(_pam_log(LOG_ERR,"got password from user", password));
-
/* now crypt password and compare to the user entry in the password file */
/* first make sure password is long enough -- may I do this? */
if (strlen(password)<2 || password==NULL) {
- _pam_log(LOG_ERR,"password too short or NULL");
+ pam_syslog(pamh, LOG_ERR, "password too short or NULL");
fclose(pwdfile);
return PAM_AUTH_ERR;
}
/* get the crypted password corresponding to this user */
if (!fgetpwnam(pwdfile, name, stored_crypted_password)) {
- _pam_log(LOG_ERR,"user not found in password database");
+ pam_syslog(pamh, LOG_ERR, "user not found in password database");
fclose(pwdfile);
return PAM_AUTHINFO_UNAVAIL;
}
- /* DEBUG */
- D(_pam_log(LOG_ERR,"got crypted password == '%s'", stored_crypted_password));
+ if (debug) pam_syslog(pamh, LOG_DEBUG, "got crypted password == '%s'", stored_crypted_password);
temp_result = 0;
/* Extract the salt and set the passwd length, depending on MD5 or DES */
if (strncmp(stored_crypted_password, "$1$", 3) == 0) {
- D(_pam_log(LOG_ERR,"password hash type is 'md5'"));
+ if (debug) pam_syslog(pamh, LOG_ERR, "password hash type is 'md5'");
/* get out the salt into "salt" */
strncpy(salt, stored_crypted_password, 11);
salt[11] = '\0';
@@ -376,10 +354,10 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags,
stored_crypted_password[CRYPTED_BCPWD_LEN] = '\0';
if (strlen(stored_crypted_password) <= CRYPTED_DESPWD_LEN) {
- D(_pam_log(LOG_ERR,"password hash type is 'crypt'"));
+ if (debug) pam_syslog(pamh, LOG_DEBUG, "password hash type is 'crypt'");
crypted_password = crypt(password, salt);
} else {
- D(_pam_log(LOG_ERR,"password hash type is 'bigcrypt'"));
+ if (debug) pam_syslog(pamh, LOG_DEBUG, "password hash type is 'bigcrypt'");
crypted_password = bigcrypt(password, salt);
}
@@ -389,19 +367,17 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags,
}
}
- /* DEBUG */
- D(_pam_log(LOG_ERR,"user password crypted is '%s'", crypted_password));
+ if (debug) pam_syslog(pamh, LOG_DEBUG, "user password crypted is '%s'", crypted_password);
/* if things don't match up, complain */
if (!temp_result)
{
- _pam_log(LOG_ERR,"wrong password for user %s",name);
+ pam_syslog(pamh, LOG_NOTICE, "wrong password for user %s", name);
fclose(pwdfile);
return PAM_AUTH_ERR;
}
- /* DEBUG */
- D(_pam_log(LOG_ERR,"passwords match"));
+ if (debug) pam_syslog(pamh, LOG_DEBUG, "passwords match");
/* we've gotten here, i.e. authentication was sucessful! */
fclose(pwdfile);
@@ -427,3 +403,4 @@ struct pam_module _pam_listfile_modstruct = {
NULL,
};
#endif
+/* vim:set ts=8 sw=4: */