Changeset View
Changeset View
Standalone View
Standalone View
lib/libpam/modules/pam_unix/pam_unix.c
| Show First 20 Lines • Show All 88 Lines • ▼ Show 20 Lines | |||||
| PAM_EXTERN int | PAM_EXTERN int | ||||
| pam_sm_authenticate(pam_handle_t *pamh, int flags __unused, | pam_sm_authenticate(pam_handle_t *pamh, int flags __unused, | ||||
| int argc __unused, const char *argv[] __unused) | int argc __unused, const char *argv[] __unused) | ||||
| { | { | ||||
| login_cap_t *lc; | login_cap_t *lc; | ||||
| struct passwd *pwd; | struct passwd *pwd; | ||||
| int retval; | int retval; | ||||
| const char *pass, *user, *realpw, *prompt; | const char *pass, *user, *realpw, *prompt; | ||||
| const char *nopasswd = ""; | |||||
markj: Seems this should really be called `emptypasswd`. | |||||
| if (openpam_get_option(pamh, PAM_OPT_AUTH_AS_SELF)) { | if (openpam_get_option(pamh, PAM_OPT_AUTH_AS_SELF)) { | ||||
| user = getlogin(); | user = getlogin(); | ||||
| } else { | } else { | ||||
| retval = pam_get_user(pamh, &user, NULL); | retval = pam_get_user(pamh, &user, NULL); | ||||
| if (retval != PAM_SUCCESS) | if (retval != PAM_SUCCESS) | ||||
| return (retval); | return (retval); | ||||
| } | } | ||||
| pwd = getpwnam(user); | pwd = getpwnam(user); | ||||
| PAM_LOG("Got user: %s", user); | PAM_LOG("Got user: %s", user); | ||||
| if (pwd != NULL) { | if (pwd != NULL) { | ||||
| PAM_LOG("Doing real authentication"); | PAM_LOG("Doing real authentication"); | ||||
| realpw = pwd->pw_passwd; | realpw = pwd->pw_passwd; | ||||
| if (realpw[0] == '\0') { | if (realpw[0] == '\0') { | ||||
| if (!(flags & PAM_DISALLOW_NULL_AUTHTOK) && | if (!(flags & PAM_DISALLOW_NULL_AUTHTOK) && | ||||
| openpam_get_option(pamh, PAM_OPT_NULLOK)) | openpam_get_option(pamh, PAM_OPT_NULLOK)) | ||||
| return (PAM_SUCCESS); | return (PAM_SUCCESS); | ||||
| PAM_LOG("Password is empty, using fake password"); | PAM_LOG("Password is empty, using fake password"); | ||||
| realpw = "*"; | realpw = "*"; | ||||
| } | } | ||||
| /* | |||||
| * Check whether the saved password hash matches the one | |||||
| * generated from an empty password - as opposed to empty | |||||
| * saved password hash, which is handled above. | |||||
| */ | |||||
| if (strcmp(crypt(nopasswd, realpw), realpw) == 0 && | |||||
| !(flags & PAM_DISALLOW_NULL_AUTHTOK) && | |||||
| openpam_get_option(pamh, PAM_OPT_NULLOK)) | |||||
Done Inline ActionsShould we check for the option and flag before calling crypt()? markj: Should we check for the option and flag before calling crypt()? | |||||
| return (PAM_SUCCESS); | |||||
| lc = login_getpwclass(pwd); | lc = login_getpwclass(pwd); | ||||
| } else { | } else { | ||||
| PAM_LOG("Doing dummy authentication"); | PAM_LOG("Doing dummy authentication"); | ||||
| realpw = "*"; | realpw = "*"; | ||||
| lc = login_getclass(NULL); | lc = login_getclass(NULL); | ||||
| } | } | ||||
| prompt = login_getcapstr(lc, "passwd_prompt", NULL, NULL); | prompt = login_getcapstr(lc, "passwd_prompt", NULL, NULL); | ||||
| retval = pam_get_authtok(pamh, PAM_AUTHTOK, &pass, prompt); | retval = pam_get_authtok(pamh, PAM_AUTHTOK, &pass, prompt); | ||||
| login_close(lc); | login_close(lc); | ||||
| if (retval != PAM_SUCCESS) | if (retval != PAM_SUCCESS) | ||||
| return (retval); | return (retval); | ||||
| PAM_LOG("Got password"); | PAM_LOG("Got password"); | ||||
| if (strnlen(pass, _PASSWORD_LEN + 1) > _PASSWORD_LEN) { | if (strnlen(pass, _PASSWORD_LEN + 1) > _PASSWORD_LEN) { | ||||
| PAM_LOG("Password is too long, using fake password"); | PAM_LOG("Password is too long, using fake password"); | ||||
| ▲ Show 20 Lines • Show All 353 Lines • Show Last 20 Lines | |||||
Seems this should really be called emptypasswd.