From d7c3e32076b97cf7e52d02808b5093a32b82685b Mon Sep 17 00:00:00 2001 From: Charl Botha Date: Sat, 20 Dec 2003 19:21:19 +0000 Subject: Integrated bigcrypt/crypt patch by Greg Norris. Getting ready for release 0.99. --- README | 10 ++++------ changelog | 5 ++++- pam_pwdfile.c | 31 ++++++++++++++++++++----------- 3 files changed, 28 insertions(+), 18 deletions(-) diff --git a/README b/README index 8962ae4..532f230 100644 --- a/README +++ b/README @@ -1,8 +1,8 @@ README for pam_pwdfile PAM module - Charl P. Botha -$Id: README,v 1.11 2002-06-10 21:51:04 cpbotha Exp $ +$Id: README,v 1.12 2003-12-20 19:21:19 cpbotha Exp $ --------------------------------------------------------------------------- -This is version 0.98 of pam_pwdfile. +This is version 0.99 of pam_pwdfile. This pam module can be used for the authentication service only, in cases where one wants to use a different set of passwords than those in the main @@ -34,7 +34,8 @@ to Ethan Benson for this patch. The ASCII password file is simply a list of lines, each looking like this: username:crypted_passwd[13] in the case of vanilla crypted passwords and username:crypted_passwd[34] in the case of MD5 crypted passwords. The -latter is thanks to Warwick Duncan . +latter is thanks to Warwick Duncan . pam_pwdfile +also handles bigcrypt passwords. Warwick has also written a utility for managing the password files that pam_pwdfile uses. Please see: http://eclipse.che.uct.ac.za/chpwdfile/ @@ -45,6 +46,3 @@ just so that one can have multiple sets of passwords for different services, e.g. with our /etc/imap.passwd. It is however possible with certain applications patched for pam (Cyrus IMAP server e.g.) that one does not need the users to exist in the system database. - -Thanks to Michael-John Turner pam_pwdfile is available as a -debian package (libpam-pwdfile) from potato onwards. diff --git a/changelog b/changelog index 7dba557..6e11a72 100644 --- a/changelog +++ b/changelog 
@@ -1,5 +1,5 @@ changelog for pam_pwdfile PAM module - Charl P. Botha -$Id: changelog,v 1.18 2003-07-07 15:09:35 cpbotha Exp $ +$Id: changelog,v 1.19 2003-12-20 19:21:19 cpbotha Exp $ --------------------------------------------------------------------------- 0.99 : @@ -8,6 +8,9 @@ $Id: changelog,v 1.18 2003-07-07 15:09:35 cpbotha Exp $ setup Cyrus IMAPD + pam_pwdfile so that one does not have to create system accounts for imapd users * added Makefile.standalone by Gerald Richter to the contrib files. +* integrated patch by Greg Norris for better handling of bigcrypt/crypt + switcheroos. Greg Norris in the current Debian maintainer. +* The 't' key on my home linux workstation is going. 0.98 : Mon Jun 10 23:49:46 CEST 2002 diff --git a/pam_pwdfile.c b/pam_pwdfile.c index 1b45116..2d020a9 100644 --- a/pam_pwdfile.c +++ b/pam_pwdfile.c @@ -1,14 +1,14 @@ -/* pam_pwdfile.c copyright 1999-2001 by Charl P. Botha +/* pam_pwdfile.c copyright 1999-2003 by Charl P. Botha * - * $Id: pam_pwdfile.c,v 1.17 2002-06-10 21:51:04 cpbotha Exp $ + * $Id: pam_pwdfile.c,v 1.18 2003-12-20 19:21:19 cpbotha Exp $ * * pam authentication module that can be pointed at any username/crypted * text file so that pam using application can use an alternate set of * passwords than specified in system password database * - * version 0.98 + * version 0.99 * - * Copyright (c) Charl P. Botha, 1999-2002. All rights reserved + * Copyright (c) Charl P. Botha, 1999-2003. All rights reserved * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -61,7 +61,7 @@ #include #include "md5.h" -/*extern char *crypt(const char *key, const char *salt);*/ +extern char *crypt(const char *key, const char *salt); extern char *bigcrypt(const char *key, const char *salt); #define PWDF_PARAM "pwdfile" 
@@ -70,6 +70,7 @@ extern char *bigcrypt(const char *key, const char *salt); #define PWDFN_LEN 256 #define CRYPTED_DESPWD_LEN 13 #define CRYPTED_MD5PWD_LEN 34 +#define CRYPTED_BCPWD_LEN 178 #ifdef DEBUG # define D(a) a; @@ -210,8 +211,8 @@ static int fgetpwnam(FILE *stream, const char *name, char *password) { /* get the password and put it in its place */ curpass = strsep(&tpointer,":"); if (curpass != NULL) { - /* we use md5 pwd len, as this is just a safe maximum */ - strncpy(password,curpass,CRYPTED_MD5PWD_LEN+1); + /* we use bigcrypt pwd len, as this is just a safe maximum */ + strncpy(password,curpass,CRYPTED_BCPWD_LEN+1); pwdfound = 1; } /* if (curpass... */ } /* if (strcmp(curname... */ @@ -227,7 +228,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, const char *name; char *password; char pwdfilename[PWDFN_LEN]; - char salt[12], stored_crypted_password[CRYPTED_MD5PWD_LEN+1]; + char salt[12], stored_crypted_password[CRYPTED_BCPWD_LEN+1]; char *crypted_password; FILE *pwdfile; int use_flock = 0; @@ -348,6 +349,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, /* Extract the salt and set the passwd length, depending on MD5 or DES */ if (strncmp(stored_crypted_password, "$1$", 3) == 0) { + D(_pam_log(LOG_ERR,"password hash type is 'md5'")); /* get out the salt into "salt" */ strncpy(salt, stored_crypted_password, 11); salt[11] = '\0'; 
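Review bot: `CRYPTED_BCPWD_LEN 178` is added with no indication of where the number comes from, yet it now bounds the copy in fgetpwnam and sizes the stack buffer in pam_sm_authenticate. It presumably matches the longest string bigcrypt() can return (a 2-character salt plus 16 segments of 11 characters in the Linux-PAM implementation), but that should be confirmed against the bigcrypt this module links with. I would add a comment next to the define, for example `/* longest bigcrypt() result: 2 salt chars + 16 * 11 hash chars */`, so a change on either side is noticed.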
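Review bot: `strncpy(password,curpass,CRYPTED_BCPWD_LEN+1)` in the `@@ -210,8 +211,8 @@` hunk leaves `password` without a terminating NUL whenever the hash field in the password file is CRYPTED_BCPWD_LEN+1 characters or longer, and the destination declared in the `@@ -227,7 +228,7 @@` hunk is exactly that size. The DES/bigcrypt branch later writes a terminator at index CRYPTED_BCPWD_LEN, but the MD5 branch is not fully visible here, so fgetpwnam relies on every caller path to repair the buffer. Terminating at the copy removes that dependency: `strncpy(password,curpass,CRYPTED_BCPWD_LEN); password[CRYPTED_BCPWD_LEN] = '\0';`. fgetpwnam also takes no size argument, so the bound is tied to the caller's array only by convention. Its body starts and ends outside the hunk.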
@@ -370,9 +372,16 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, /* get the salt out into "salt" */ strncpy(salt, stored_crypted_password, 2); salt[2] = '\0'; - stored_crypted_password[CRYPTED_DESPWD_LEN] = '\0'; - - crypted_password = bigcrypt(password, salt); + stored_crypted_password[CRYPTED_BCPWD_LEN] = '\0'; + + if (strlen(stored_crypted_password) <= CRYPTED_DESPWD_LEN) { + D(_pam_log(LOG_ERR,"password hash type is 'crypt'")); + crypted_password = crypt(password, salt); + } else { + D(_pam_log(LOG_ERR,"password hash type is 'bigcrypt'")); + crypted_password = bigcrypt(password, salt); + } + if (strcmp(crypted_password, stored_crypted_password) == 0) { temp_result = 1; -- cgit v1.2.3
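Review bot: The result of `crypt()` or `bigcrypt()` is passed straight to `strcmp(crypted_password, stored_crypted_password)` with no NULL check, although crypt() is documented to return NULL on failure, for example when it rejects the salt. The salt is copied from the password file, so a malformed entry can crash the process that loaded the module during authentication instead of producing a clean denial. Guard the comparison: `if (crypted_password != NULL && strcmp(crypted_password, stored_crypted_password) == 0) {`. Separately, `strlen(stored_crypted_password) <= CRYPTED_DESPWD_LEN` sends every short field, including a truncated or empty one, down the crypt() path; rejecting lengths below CRYPTED_DESPWD_LEN before hashing would be stricter. The enclosing pam_sm_authenticate continues outside the hunk.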