lib/libpam/modules/pam_unix/pam_unix.c
PAM_EXTERN int | PAM_EXTERN int | ||||
pam_sm_authenticate(pam_handle_t *pamh, int flags __unused, | pam_sm_authenticate(pam_handle_t *pamh, int flags __unused, | ||||
int argc __unused, const char *argv[] __unused) | int argc __unused, const char *argv[] __unused) | ||||
{ | { | ||||
login_cap_t *lc; | login_cap_t *lc; | ||||
struct passwd *pwd; | struct passwd *pwd; | ||||
int retval; | int retval; | ||||
const char *pass, *user, *realpw, *prompt; | const char *pass, *user, *realpw, *prompt; | ||||
const char *emptypasswd = ""; | |||||
markj: Seems this should really be called `emptypasswd`. | |||||
if (openpam_get_option(pamh, PAM_OPT_AUTH_AS_SELF)) { | if (openpam_get_option(pamh, PAM_OPT_AUTH_AS_SELF)) { | ||||
user = getlogin(); | user = getlogin(); | ||||
} else { | } else { | ||||
retval = pam_get_user(pamh, &user, NULL); | retval = pam_get_user(pamh, &user, NULL); | ||||
if (retval != PAM_SUCCESS) | if (retval != PAM_SUCCESS) | ||||
return (retval); | return (retval); | ||||
} | } | ||||
pwd = getpwnam(user); | pwd = getpwnam(user); | ||||
PAM_LOG("Got user: %s", user); | PAM_LOG("Got user: %s", user); | ||||
if (pwd != NULL) { | if (pwd != NULL) { | ||||
PAM_LOG("Doing real authentication"); | PAM_LOG("Doing real authentication"); | ||||
realpw = pwd->pw_passwd; | realpw = pwd->pw_passwd; | ||||
if (realpw[0] == '\0') { | if (realpw[0] == '\0') { | ||||
if (!(flags & PAM_DISALLOW_NULL_AUTHTOK) && | if (!(flags & PAM_DISALLOW_NULL_AUTHTOK) && | ||||
openpam_get_option(pamh, PAM_OPT_NULLOK)) | openpam_get_option(pamh, PAM_OPT_NULLOK)) | ||||
return (PAM_SUCCESS); | return (PAM_SUCCESS); | ||||
PAM_LOG("Password is empty, using fake password"); | PAM_LOG("Password is empty, using fake password"); | ||||
realpw = "*"; | realpw = "*"; | ||||
} | } | ||||
/* | |||||
* Check whether the saved password hash matches the one | |||||
* generated from an empty password - as opposed to empty | |||||
* saved password hash, which is handled above. | |||||
*/ | |||||
if (!(flags & PAM_DISALLOW_NULL_AUTHTOK) && | |||||
openpam_get_option(pamh, PAM_OPT_EMPTYOK) && | |||||
strcmp(crypt(emptypasswd, realpw), realpw) == 0) | |||||
Done Inline ActionsShould we check for the option and flag before calling crypt()? markj: Should we check for the option and flag before calling crypt()? | |||||
return (PAM_SUCCESS); | |||||
lc = login_getpwclass(pwd); | lc = login_getpwclass(pwd); | ||||
} else { | } else { | ||||
PAM_LOG("Doing dummy authentication"); | PAM_LOG("Doing dummy authentication"); | ||||
realpw = "*"; | realpw = "*"; | ||||
lc = login_getclass(NULL); | lc = login_getclass(NULL); | ||||
} | } | ||||
prompt = login_getcapstr(lc, "passwd_prompt", NULL, NULL); | prompt = login_getcapstr(lc, "passwd_prompt", NULL, NULL); | ||||
retval = pam_get_authtok(pamh, PAM_AUTHTOK, &pass, prompt); | retval = pam_get_authtok(pamh, PAM_AUTHTOK, &pass, prompt); | ||||
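Review bot: The return value of `crypt(emptypasswd, realpw)` goes straight into `strcmp()` in the added emptyok check, but crypt(3) is documented to return NULL on failure, so a stored hash in a format it cannot process would lead to a NULL dereference inside the authentication path. This is reachable with `realpw` set to `"*"` by the empty-hash branch just above, and whether crypt() accepts that as a salt is not visible from here. Keep the flag and option tests first, then check the result before comparing: `const char *h = crypt(emptypasswd, realpw);` followed by `if (h != NULL && strcmp(h, realpw) == 0) return (PAM_SUCCESS);`. A short comment noting that this branch returns success before any password prompt is issued would also help whoever audits the `emptyok` option later. The body of pam_sm_authenticate continues past the lines shown here.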
Seems this should really be called emptypasswd.