lib/libpam/modules/pam_unix/pam_unix.c
PAM_EXTERN int | PAM_EXTERN int | ||||
pam_sm_authenticate(pam_handle_t *pamh, int flags __unused, | pam_sm_authenticate(pam_handle_t *pamh, int flags __unused, | ||||
int argc __unused, const char *argv[] __unused) | int argc __unused, const char *argv[] __unused) | ||||
{ | { | ||||
login_cap_t *lc; | login_cap_t *lc; | ||||
struct passwd *pwd; | struct passwd *pwd; | ||||
int retval; | int retval; | ||||
const char *pass, *user, *realpw, *prompt; | const char *pass, *user, *realpw, *prompt; | ||||
const char *nopasswd = ""; | |||||
markj: Seems this should really be called `emptypasswd`. | |||||
if (openpam_get_option(pamh, PAM_OPT_AUTH_AS_SELF)) { | if (openpam_get_option(pamh, PAM_OPT_AUTH_AS_SELF)) { | ||||
user = getlogin(); | user = getlogin(); | ||||
} else { | } else { | ||||
retval = pam_get_user(pamh, &user, NULL); | retval = pam_get_user(pamh, &user, NULL); | ||||
if (retval != PAM_SUCCESS) | if (retval != PAM_SUCCESS) | ||||
return (retval); | return (retval); | ||||
} | } | ||||
pwd = getpwnam(user); | pwd = getpwnam(user); | ||||
PAM_LOG("Got user: %s", user); | PAM_LOG("Got user: %s", user); | ||||
if (pwd != NULL) { | if (pwd != NULL) { | ||||
PAM_LOG("Doing real authentication"); | PAM_LOG("Doing real authentication"); | ||||
realpw = pwd->pw_passwd; | realpw = pwd->pw_passwd; | ||||
if (realpw[0] == '\0') { | if (realpw[0] == '\0') { | ||||
if (!(flags & PAM_DISALLOW_NULL_AUTHTOK) && | if (!(flags & PAM_DISALLOW_NULL_AUTHTOK) && | ||||
openpam_get_option(pamh, PAM_OPT_NULLOK)) | openpam_get_option(pamh, PAM_OPT_NULLOK)) | ||||
return (PAM_SUCCESS); | return (PAM_SUCCESS); | ||||
PAM_LOG("Password is empty, using fake password"); | PAM_LOG("Password is empty, using fake password"); | ||||
realpw = "*"; | realpw = "*"; | ||||
} | } | ||||
/* | |||||
* Check whether the saved password hash matches the one | |||||
* generated from an empty password - as opposed to empty | |||||
* saved password hash, which is handled above. | |||||
*/ | |||||
if (strcmp(crypt(nopasswd, realpw), realpw) == 0 && | |||||
!(flags & PAM_DISALLOW_NULL_AUTHTOK) && | |||||
openpam_get_option(pamh, PAM_OPT_NULLOK)) | |||||
Done Inline ActionsShould we check for the option and flag before calling crypt()? markj: Should we check for the option and flag before calling crypt()? | |||||
return (PAM_SUCCESS); | |||||
lc = login_getpwclass(pwd); | lc = login_getpwclass(pwd); | ||||
} else { | } else { | ||||
PAM_LOG("Doing dummy authentication"); | PAM_LOG("Doing dummy authentication"); | ||||
realpw = "*"; | realpw = "*"; | ||||
lc = login_getclass(NULL); | lc = login_getclass(NULL); | ||||
} | } | ||||
prompt = login_getcapstr(lc, "passwd_prompt", NULL, NULL); | prompt = login_getcapstr(lc, "passwd_prompt", NULL, NULL); | ||||
retval = pam_get_authtok(pamh, PAM_AUTHTOK, &pass, prompt); | retval = pam_get_authtok(pamh, PAM_AUTHTOK, &pass, prompt); | ||||
login_close(lc); | login_close(lc); | ||||
if (retval != PAM_SUCCESS) | if (retval != PAM_SUCCESS) | ||||
return (retval); | return (retval); | ||||
PAM_LOG("Got password"); | PAM_LOG("Got password"); | ||||
if (strnlen(pass, _PASSWORD_LEN + 1) > _PASSWORD_LEN) { | if (strnlen(pass, _PASSWORD_LEN + 1) > _PASSWORD_LEN) { | ||||
PAM_LOG("Password is too long, using fake password"); | PAM_LOG("Password is too long, using fake password"); | ||||
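Review bot: The result of `crypt(nopasswd, realpw)` goes straight into `strcmp()` in the new empty-password check, and crypt(3) is documented to return NULL on failure. A stored hash in a format it cannot process would then crash the authenticating process instead of failing authentication. By this point `realpw` can also be the fake `"*"` assigned just above, and presumably any locked-account marker held in `pw_passwd`, so strings that are not valid hashes do reach this call. Hold the result in a local and test it first, e.g. `cp = crypt(nopasswd, realpw);` followed by `if (cp != NULL && strcmp(cp, realpw) == 0 && ...)`. The body of `pam_sm_authenticate` continues past the visible lines, so whether a later `crypt()` call needs the same guard cannot be judged from here.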
Seems this should really be called emptypasswd.