summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorLennart Poettering <lennart@poettering.net>2003-07-31 12:40:54 +0000
committerLennart Poettering <lennart@poettering.net>2003-07-31 12:40:54 +0000
commitd3ea4ac5edbb0b19e79556447299ca4f21fa5a25 (patch)
treeefba452826adef82c1f1ccda48c8ca4c9cd4a7d7
Moved everything to trunk
git-svn-id: file:///home/lennart/svn/public/pam_dotfile/trunk@13 5391d09e-f7c1-0310-8aa1-84a1c93f5a38
Diffstat
-rw-r--r--LICENSE340
-rw-r--r--Makefile.am35
-rwxr-xr-xbootstrap.sh40
-rw-r--r--configure.ac133
-rw-r--r--doc/Makefile.am35
-rw-r--r--doc/README.html.in265
-rw-r--r--doc/style.css12
-rw-r--r--man/Makefile.am33
-rw-r--r--man/pam-dotfile-gen.1.xml.in89
-rw-r--r--man/pam-dotfile-helper.8.xml.in61
-rw-r--r--src/Makefile.am41
-rw-r--r--src/common.c220
-rw-r--r--src/common.h43
-rw-r--r--src/log.c48
-rw-r--r--src/log.h30
-rw-r--r--src/md5.c381
-rw-r--r--src/md5.h91
-rw-r--r--src/md5util.c45
-rw-r--r--src/md5util.h31
-rw-r--r--src/pam-dotfile-gen.c280
-rw-r--r--src/pam-dotfile-helper.c117
-rw-r--r--src/pam_dotfile.c321
-rw-r--r--src/pamtest.c66
23 files changed, 2757 insertions, 0 deletions
diff --git a/LICENSE b/LICENSE
new file mode 100644
index 0000000..d60c31a
--- /dev/null
+++ b/LICENSE
@@ -0,0 +1,340 @@
+ GNU GENERAL PUBLIC LICENSE
+ Version 2, June 1991
+
+ Copyright (C) 1989, 1991 Free Software Foundation, Inc.
+ 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ Everyone is permitted to copy and distribute verbatim copies
+ of this license document, but changing it is not allowed.
+
+ Preamble
+
+ The licenses for most software are designed to take away your
+freedom to share and change it. By contrast, the GNU General Public
+License is intended to guarantee your freedom to share and change free
+software--to make sure the software is free for all its users. This
+General Public License applies to most of the Free Software
+Foundation's software and to any other program whose authors commit to
+using it. (Some other Free Software Foundation software is covered by
+the GNU Library General Public License instead.) You can apply it to
+your programs, too.
+
+ When we speak of free software, we are referring to freedom, not
+price. Our General Public Licenses are designed to make sure that you
+have the freedom to distribute copies of free software (and charge for
+this service if you wish), that you receive source code or can get it
+if you want it, that you can change the software or use pieces of it
+in new free programs; and that you know you can do these things.
+
+ To protect your rights, we need to make restrictions that forbid
+anyone to deny you these rights or to ask you to surrender the rights.
+These restrictions translate to certain responsibilities for you if you
+distribute copies of the software, or if you modify it.
+
+ For example, if you distribute copies of such a program, whether
+gratis or for a fee, you must give the recipients all the rights that
+you have. You must make sure that they, too, receive or can get the
+source code. And you must show them these terms so they know their
+rights.
+
+ We protect your rights with two steps: (1) copyright the software, and
+(2) offer you this license which gives you legal permission to copy,
+distribute and/or modify the software.
+
+ Also, for each author's protection and ours, we want to make certain
+that everyone understands that there is no warranty for this free
+software. If the software is modified by someone else and passed on, we
+want its recipients to know that what they have is not the original, so
+that any problems introduced by others will not reflect on the original
+authors' reputations.
+
+ Finally, any free program is threatened constantly by software
+patents. We wish to avoid the danger that redistributors of a free
+program will individually obtain patent licenses, in effect making the
+program proprietary. To prevent this, we have made it clear that any
+patent must be licensed for everyone's free use or not licensed at all.
+
+ The precise terms and conditions for copying, distribution and
+modification follow.
+
+ GNU GENERAL PUBLIC LICENSE
+ TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
+
+ 0. This License applies to any program or other work which contains
+a notice placed by the copyright holder saying it may be distributed
+under the terms of this General Public License. The "Program", below,
+refers to any such program or work, and a "work based on the Program"
+means either the Program or any derivative work under copyright law:
+that is to say, a work containing the Program or a portion of it,
+either verbatim or with modifications and/or translated into another
+language. (Hereinafter, translation is included without limitation in
+the term "modification".) Each licensee is addressed as "you".
+
+Activities other than copying, distribution and modification are not
+covered by this License; they are outside its scope. The act of
+running the Program is not restricted, and the output from the Program
+is covered only if its contents constitute a work based on the
+Program (independent of having been made by running the Program).
+Whether that is true depends on what the Program does.
+
+ 1. You may copy and distribute verbatim copies of the Program's
+source code as you receive it, in any medium, provided that you
+conspicuously and appropriately publish on each copy an appropriate
+copyright notice and disclaimer of warranty; keep intact all the
+notices that refer to this License and to the absence of any warranty;
+and give any other recipients of the Program a copy of this License
+along with the Program.
+
+You may charge a fee for the physical act of transferring a copy, and
+you may at your option offer warranty protection in exchange for a fee.
+
+ 2. You may modify your copy or copies of the Program or any portion
+of it, thus forming a work based on the Program, and copy and
+distribute such modifications or work under the terms of Section 1
+above, provided that you also meet all of these conditions:
+
+ a) You must cause the modified files to carry prominent notices
+ stating that you changed the files and the date of any change.
+
+ b) You must cause any work that you distribute or publish, that in
+ whole or in part contains or is derived from the Program or any
+ part thereof, to be licensed as a whole at no charge to all third
+ parties under the terms of this License.
+
+ c) If the modified program normally reads commands interactively
+ when run, you must cause it, when started running for such
+ interactive use in the most ordinary way, to print or display an
+ announcement including an appropriate copyright notice and a
+ notice that there is no warranty (or else, saying that you provide
+ a warranty) and that users may redistribute the program under
+ these conditions, and telling the user how to view a copy of this
+ License. (Exception: if the Program itself is interactive but
+ does not normally print such an announcement, your work based on
+ the Program is not required to print an announcement.)
+
+These requirements apply to the modified work as a whole. If
+identifiable sections of that work are not derived from the Program,
+and can be reasonably considered independent and separate works in
+themselves, then this License, and its terms, do not apply to those
+sections when you distribute them as separate works. But when you
+distribute the same sections as part of a whole which is a work based
+on the Program, the distribution of the whole must be on the terms of
+this License, whose permissions for other licensees extend to the
+entire whole, and thus to each and every part regardless of who wrote it.
+
+Thus, it is not the intent of this section to claim rights or contest
+your rights to work written entirely by you; rather, the intent is to
+exercise the right to control the distribution of derivative or
+collective works based on the Program.
+
+In addition, mere aggregation of another work not based on the Program
+with the Program (or with a work based on the Program) on a volume of
+a storage or distribution medium does not bring the other work under
+the scope of this License.
+
+ 3. You may copy and distribute the Program (or a work based on it,
+under Section 2) in object code or executable form under the terms of
+Sections 1 and 2 above provided that you also do one of the following:
+
+ a) Accompany it with the complete corresponding machine-readable
+ source code, which must be distributed under the terms of Sections
+ 1 and 2 above on a medium customarily used for software interchange; or,
+
+ b) Accompany it with a written offer, valid for at least three
+ years, to give any third party, for a charge no more than your
+ cost of physically performing source distribution, a complete
+ machine-readable copy of the corresponding source code, to be
+ distributed under the terms of Sections 1 and 2 above on a medium
+ customarily used for software interchange; or,
+
+ c) Accompany it with the information you received as to the offer
+ to distribute corresponding source code. (This alternative is
+ allowed only for noncommercial distribution and only if you
+ received the program in object code or executable form with such
+ an offer, in accord with Subsection b above.)
+
+The source code for a work means the preferred form of the work for
+making modifications to it. For an executable work, complete source
+code means all the source code for all modules it contains, plus any
+associated interface definition files, plus the scripts used to
+control compilation and installation of the executable. However, as a
+special exception, the source code distributed need not include
+anything that is normally distributed (in either source or binary
+form) with the major components (compiler, kernel, and so on) of the
+operating system on which the executable runs, unless that component
+itself accompanies the executable.
+
+If distribution of executable or object code is made by offering
+access to copy from a designated place, then offering equivalent
+access to copy the source code from the same place counts as
+distribution of the source code, even though third parties are not
+compelled to copy the source along with the object code.
+
+ 4. You may not copy, modify, sublicense, or distribute the Program
+except as expressly provided under this License. Any attempt
+otherwise to copy, modify, sublicense or distribute the Program is
+void, and will automatically terminate your rights under this License.
+However, parties who have received copies, or rights, from you under
+this License will not have their licenses terminated so long as such
+parties remain in full compliance.
+
+ 5. You are not required to accept this License, since you have not
+signed it. However, nothing else grants you permission to modify or
+distribute the Program or its derivative works. These actions are
+prohibited by law if you do not accept this License. Therefore, by
+modifying or distributing the Program (or any work based on the
+Program), you indicate your acceptance of this License to do so, and
+all its terms and conditions for copying, distributing or modifying
+the Program or works based on it.
+
+ 6. Each time you redistribute the Program (or any work based on the
+Program), the recipient automatically receives a license from the
+original licensor to copy, distribute or modify the Program subject to
+these terms and conditions. You may not impose any further
+restrictions on the recipients' exercise of the rights granted herein.
+You are not responsible for enforcing compliance by third parties to
+this License.
+
+ 7. If, as a consequence of a court judgment or allegation of patent
+infringement or for any other reason (not limited to patent issues),
+conditions are imposed on you (whether by court order, agreement or
+otherwise) that contradict the conditions of this License, they do not
+excuse you from the conditions of this License. If you cannot
+distribute so as to satisfy simultaneously your obligations under this
+License and any other pertinent obligations, then as a consequence you
+may not distribute the Program at all. For example, if a patent
+license would not permit royalty-free redistribution of the Program by
+all those who receive copies directly or indirectly through you, then
+the only way you could satisfy both it and this License would be to
+refrain entirely from distribution of the Program.
+
+If any portion of this section is held invalid or unenforceable under
+any particular circumstance, the balance of the section is intended to
+apply and the section as a whole is intended to apply in other
+circumstances.
+
+It is not the purpose of this section to induce you to infringe any
+patents or other property right claims or to contest validity of any
+such claims; this section has the sole purpose of protecting the
+integrity of the free software distribution system, which is
+implemented by public license practices. Many people have made
+generous contributions to the wide range of software distributed
+through that system in reliance on consistent application of that
+system; it is up to the author/donor to decide if he or she is willing
+to distribute software through any other system and a licensee cannot
+impose that choice.
+
+This section is intended to make thoroughly clear what is believed to
+be a consequence of the rest of this License.
+
+ 8. If the distribution and/or use of the Program is restricted in
+certain countries either by patents or by copyrighted interfaces, the
+original copyright holder who places the Program under this License
+may add an explicit geographical distribution limitation excluding
+those countries, so that distribution is permitted only in or among
+countries not thus excluded. In such case, this License incorporates
+the limitation as if written in the body of this License.
+
+ 9. The Free Software Foundation may publish revised and/or new versions
+of the General Public License from time to time. Such new versions will
+be similar in spirit to the present version, but may differ in detail to
+address new problems or concerns.
+
+Each version is given a distinguishing version number. If the Program
+specifies a version number of this License which applies to it and "any
+later version", you have the option of following the terms and conditions
+either of that version or of any later version published by the Free
+Software Foundation. If the Program does not specify a version number of
+this License, you may choose any version ever published by the Free Software
+Foundation.
+
+ 10. If you wish to incorporate parts of the Program into other free
+programs whose distribution conditions are different, write to the author
+to ask for permission. For software which is copyrighted by the Free
+Software Foundation, write to the Free Software Foundation; we sometimes
+make exceptions for this. Our decision will be guided by the two goals
+of preserving the free status of all derivatives of our free software and
+of promoting the sharing and reuse of software generally.
+
+ NO WARRANTY
+
+ 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
+FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN
+OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
+PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
+OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS
+TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE
+PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
+REPAIR OR CORRECTION.
+
+ 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
+WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
+REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
+INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
+OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
+TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
+YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
+PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
+POSSIBILITY OF SUCH DAMAGES.
+
+ END OF TERMS AND CONDITIONS
+
+ How to Apply These Terms to Your New Programs
+
+ If you develop a new program, and you want it to be of the greatest
+possible use to the public, the best way to achieve this is to make it
+free software which everyone can redistribute and change under these terms.
+
+ To do so, attach the following notices to the program. It is safest
+to attach them to the start of each source file to most effectively
+convey the exclusion of warranty; and each file should have at least
+the "copyright" line and a pointer to where the full notice is found.
+
+ <one line to give the program's name and a brief idea of what it does.>
+ Copyright (C) <year> <name of author>
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 2 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program; if not, write to the Free Software
+ Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+
+
+Also add information on how to contact you by electronic and paper mail.
+
+If the program is interactive, make it output a short notice like this
+when it starts in an interactive mode:
+
+ Gnomovision version 69, Copyright (C) year name of author
+ Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
+ This is free software, and you are welcome to redistribute it
+ under certain conditions; type `show c' for details.
+
+The hypothetical commands `show w' and `show c' should show the appropriate
+parts of the General Public License. Of course, the commands you use may
+be called something other than `show w' and `show c'; they could even be
+mouse-clicks or menu items--whatever suits your program.
+
+You should also get your employer (if you work as a programmer) or your
+school, if any, to sign a "copyright disclaimer" for the program, if
+necessary. Here is a sample; alter the names:
+
+ Yoyodyne, Inc., hereby disclaims all copyright interest in the program
+ `Gnomovision' (which makes passes at compilers) written by James Hacker.
+
+ <signature of Ty Coon>, 1 April 1989
+ Ty Coon, President of Vice
+
+This General Public License does not permit incorporating your program into
+proprietary programs. If your program is a subroutine library, you may
+consider it more useful to permit linking proprietary applications with the
+library. If this is what you want to do, use the GNU Library General
+Public License instead of this License.
diff --git a/Makefile.am b/Makefile.am
new file mode 100644
index 0000000..5925919
--- /dev/null
+++ b/Makefile.am
@@ -0,0 +1,35 @@
+# $Id$
+
+# This file is part of pam_dotfile.
+#
+# pam_dotfile is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# pam_dotfile is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with pam_dotfile; if not, write to the Free Software Foundation,
+# Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA.
+
+EXTRA_DIST=bootstrap.sh README LICENSE
+SUBDIRS=src man doc
+
+MAINTAINERCLEANFILES = README
+noinst_DATA = README
+
+README:
+ rm -f README
+ $(MAKE) -C doc README
+ ln -s doc/README README
+
+homepage:
+ test -d $$HOME/homepage/lennart
+ mkdir -p $$HOME/homepage/lennart/projects/pam_dotfile
+ cp *.tar.gz $$HOME/homepage/lennart/projects/pam_dotfile
+ cp doc/README.html doc/style.css $$HOME/homepage/lennart/projects/pam_dotfile
+ cp $$HOME/homepage/lennart/projects/pam_dotfile/README.html $$HOME/homepage/lennart/projects/pam_dotfile/index.html
diff --git a/bootstrap.sh b/bootstrap.sh
new file mode 100755
index 0000000..bf2c22a
--- /dev/null
+++ b/bootstrap.sh
@@ -0,0 +1,40 @@
+#!/bin/sh
+# $Id$
+
+# This file is part of pam_dotfile.
+#
+# pam_dotfile is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# pam_dotfile is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with pam_dotfile; if not, write to the Free Software Foundation,
+# Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA.
+
+if [ "x$1" = "xam" ] ; then
+ set -ex
+ automake -a -c
+ ./config.status
+else
+ set -ex
+
+ make maintainer-clean || true
+
+ rm -rf autom4te.cache
+ rm -f config.cache
+
+ aclocal
+ libtoolize -c --force
+ autoheader
+ automake -a -c
+ autoconf -Wall
+
+ ./configure "$@"
+fi
+
diff --git a/configure.ac b/configure.ac
new file mode 100644
index 0000000..5db808e
--- /dev/null
+++ b/configure.ac
@@ -0,0 +1,133 @@
+# -*- Autoconf -*-
+# Process this file with autoconf to produce a configure script.
+
+# $Id$
+
+# This file is part of pam_dotfile.
+#
+# pam_dotfile is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# pam_dotfile is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with pam_dotfile; if not, write to the Free Software Foundation,
+# Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA.
+
+AC_PREREQ(2.57)
+AC_INIT([pam_dotfile], [0.6], [mzcnzqbgsvyr@itaparica.org])
+AC_CONFIG_SRCDIR([src/pam_dotfile.c])
+AC_CONFIG_HEADERS([config.h])
+AM_INIT_AUTOMAKE([foreign -Wall])
+AM_MAINTAINER_MODE
+
+AM_DISABLE_STATIC
+
+# Checks for programs.
+AC_PROG_CC
+AC_PROG_LIBTOOL
+AC_PROG_CXX
+
+# If using GCC specifiy some additional parameters
+if test "x$GCC" = "xyes" ; then
+ CFLAGS="$CFLAGS -pipe -Wall"
+fi
+
+CFLAGS="$CFLAGS -L/lib"
+
+# Checks for libraries.
+AC_CHECK_HEADER([security/pam_modules.h],, [AC_MSG_ERROR([*** Sorry, you have to install the PAM development files ***])])
+
+LIBS="$LIBS -ldl -lpam -lpam_misc"
+
+case "$host" in
+ *-*-linux*)
+ PAM_MODDIR="/lib/security"
+ ;;
+ *)
+ PAM_MODDIR="/usr/lib"
+ ;;
+esac
+AC_SUBST(PAM_MODDIR)
+
+# Checks for header files.
+
+AC_CHECK_FUNCS([dup2 memset strchr strerror strrchr])
+AC_FUNC_FORK
+AC_FUNC_LSTAT
+AC_FUNC_LSTAT_FOLLOWS_SLASHED_SYMLINK
+AC_FUNC_VPRINTF
+
+AC_CHECK_HEADERS([fcntl.h limits.h syslog.h termios.h])
+AC_HEADER_STDC
+AC_HEADER_SYS_WAIT
+
+AC_C_CONST
+
+AC_TYPE_MODE_T
+AC_TYPE_PID_T
+AC_TYPE_SIGNAL
+AC_TYPE_UID_T
+
+
+# LYNX documentation generation
+AC_ARG_ENABLE(lynx,
+ AC_HELP_STRING([--disable-lynx], [Turn off lynx usage for documentation generation]),
+[case "${enableval}" in
+ yes) lynx=yes ;;
+ no) lynx=no ;;
+ *) AC_MSG_ERROR(bad value ${enableval} for --disable-lynx) ;;
+esac],[lynx=yes])
+
+if test x$lynx = xyes ; then
+ AC_CHECK_PROG(have_lynx, lynx, yes, no)
+
+ if test x$have_lynx = xno ; then
+ AC_MSG_ERROR([*** Sorry, you have to install lynx or use --disable-lynx ***])
+ fi
+fi
+
+AM_CONDITIONAL([USE_LYNX], [test "x$lynx" = xyes])
+
+# XMLTOMAN manpage generation
+AC_ARG_ENABLE(xmltoman,
+ AC_HELP_STRING([--disable-xmltoman], [Disable rebuilding of man pages with xmltoman]),
+[case "${enableval}" in
+ yes) xmltoman=yes ;;
+ no) xmltoman=no ;;
+ *) AC_MSG_ERROR([bad value ${enableval} for --disable-xmltoman]) ;;
+esac],[xmltoman=yes])
+
+if test x$xmltoman = xyes ; then
+ AC_CHECK_PROG(have_xmltoman, xmltoman, yes, no)
+
+ if test x$have_xmltoman = xno ; then
+ AC_MSG_WARN([*** Not rebuilding man pages as xmltoman is not found ***])
+ xmltoman=no
+ fi
+fi
+
+AM_CONDITIONAL([USE_XMLTOMAN], [test "x$xmltoman" = xyes])
+
+AC_ARG_ENABLE(compat05,
+ AC_HELP_STRING([--enable-compat05], [Enable compatibility with pam_dotfile <= 0.5]),
+[case "${enableval}" in
+ yes) compat05=yes ;;
+ no) compat05=no ;;
+ *) AC_MSG_ERROR(bad value ${enableval} for --enable-compat05) ;;
+esac],[compat05=no])
+
+if test x$compat05 = xyes ; then
+ AC_MSG_NOTICE([ *** Compatibility with pam_dotfile <= 0.5 is ENABLED ***])
+ CFLAGS="$CFLAGS -DCOMPAT05=1"
+else
+ AC_MSG_WARN([ *** Compatibility with pam_dotfile <= 0.5 is DISABLED ***])
+fi
+
+AC_CONFIG_FILES([src/Makefile Makefile man/Makefile doc/Makefile doc/README.html])
+AC_OUTPUT
diff --git a/doc/Makefile.am b/doc/Makefile.am
new file mode 100644
index 0000000..5c36d4e
--- /dev/null
+++ b/doc/Makefile.am
@@ -0,0 +1,35 @@
+# $Id$
+
+# This file is part of pam_dotfile.
+#
+# pam_dotfile is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# pam_dotfile is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with pam_dotfile; if not, write to the Free Software Foundation,
+# Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA.
+
+noinst_DATA = README.html README
+EXTRA_DIST = $(noinst_DATA) style.css README.html.in
+
+MAINTAINERCLEANFILES = README README.html
+CLEANFILES =
+
+if USE_LYNX
+README: README.html
+ lynx --dump $^ | sed 's,file://localhost/.*/doc/README.html,README,' > $@
+
+CLEANFILES += README
+endif
+
+tidy: README.html
+ tidy -e < README.html
+
+.PHONY: tidy
diff --git a/doc/README.html.in b/doc/README.html.in
new file mode 100644
index 0000000..59d4614
--- /dev/null
+++ b/doc/README.html.in
@@ -0,0 +1,265 @@
+<?xml version="1.0" encoding="iso-8895-15"?> <!-- -*-html-helper-*- -->
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+
+<head>
+<title>pam_dotfile @PACKAGE_VERSION@</title>
+<link rel="stylesheet" type="text/css" href="style.css" />
+</head>
+
+<body>
+<h1><a name="top">pam_dotfile @PACKAGE_VERSION@</a></h1>
+
+<p><i>Copyright 2002,2003 Lennart Poettering &lt;mzcnzqbgsvyr [at] itaparica.org&gt;</i></p>
+
+<ul class="toc">
+ <li><a href="#license">License</a></li>
+ <li><a href="#news">News</a></li>
+ <li><a href="#overview">Overview</a></li>
+ <li><a href="#status">Status</a></li>
+ <li><a href="#documentation">Documentation</a></li>
+ <li><a href="#requirements">Requirements</a></li>
+ <li><a href="#installation">Installation</a></li>
+ <li><a href="#acks">Acknowledgements</a></li>
+ <li><a href="#download">Download</a></li>
+</ul>
+
+<h2><a name="license">License</a></h2>
+
+<p>This program is free software; you can redistribute it and/or
+modify it under the terms of the GNU General Public License as
+published by the Free Software Foundation; either version 2 of the
+License, or (at your option) any later version.</p>
+
+<p>This program is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.</p>
+
+<p>You should have received a copy of the GNU General Public License
+along with this program; if not, write to the Free Software
+Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.</p>
+
+<h2><a name="news">News</a></h2>
+
+<div class="news-date">Mon July 21 2003: </div> <p
+class="news-text"><a
+href="http://www.stud.uni-hamburg.de/~lennart/projects/pam_dotfile/pam_dotfile-0.6.tar.gz">Version
+0.6</a> released, changes include: Fix MD5 digest generation. This
+breaks compatibility with <tt>pam_dotfile</tt> <= 0.5 unless
+<tt>--enable-compat05</tt> is specified at compile time. Minor other
+fixes (mostly related to the build system). <b>All users should update.</b></p>
+
+<div class="news-date">Tue July 8 2003: </div> <p class="news-text"><a
+href="http://www.stud.uni-hamburg.de/~lennart/projects/pam_dotfile/pam_dotfile-0.5.tar.gz">Version
+0.5</a> released, changes include: Autoconf support, fixed an important bug regarding a race on child process creation. <b>All users should update.</b></p>
+
+<h2><a name="overview">Overview</a></h2>
+
+<p><tt>pam_dotfile</tt>is a PAM module which allows users to have more
+than one password for a single account, each for a different
+service. This is desirable because many users have objections to using
+the same password for (as an example) an IMAP4 mailbox and SSH
+access. The IMAP4 password should be distinct from the SSH password
+because the user wants to save the former in the configuration of his
+mail agent, but not the latter. The same applies to POP3 mailboxes,
+FTP and comparable services.</p>
+
+<h2><a name="status">Status</a></h2>
+
+<p>Version @PACKAGE_VERSION@ is stable and feature complete.</p>
+
+<h2><a name="documentation">Documentation</a></h2>
+
+<h3>How does it work?</h3>
+
+<p>The module needs be activated for the specific service in the
+configuration file <tt>/etc/pam.d/&lt;service&gt;</tt>. The user is
+than able to create a second valid password for that service by
+issuing the following commands:</p>
+
+<pre>
+pam-dotfile-gen -a &lt;service&gt;
+</pre>
+
+<p>Replace <tt>&lt;service&gt;</tt> by the PAM service name, e.g. <tt>imapd</tt>. The user has to enter the new password twice. This will save the
+password to <tt>~/.pam-&lt;service&gt;</tt> in a hashed way.</p>
+
+<p>A complete example for the service <tt>imap</tt> (for the IMAP server dovecot in this
+case):</p>
+
+<p><tt>/etc/pam.d/imap</tt>:</p>
+
+<pre>
+#%PAM-1.0
+auth sufficient pam_unix_auth.so
+auth sufficient pam_dotfile.so use_first_pass no_warn
+auth required pam_deny.so
+</pre>
+
+<p>As user <tt>waldo</tt>:</p>
+
+<pre>
+[waldo@wonder] ~$ pam-dotfile-gen -a imap
+Password:quux
+Please repeat; password:quux
+Password added.
+</pre>
+
+<p>That's it. User <tt>waldo</tt> may now access his IMAP mail store either by
+using his unix password or by using <i>quux</i>.</p>
+
+<p>If you want to deny access with the unix password when a <tt>.pam</tt> file
+exists, you should install the following <tt>/etc/pam.d/imap</tt>:</p>
+
+<pre>
+#%PAM-1.0
+auth [success=done new_authtok_reqd=done authinfo_unavail=ignore default=die] pam_dotfile.so no_warn
+auth [success=done new_authtok_reqd=done default=die] pam_unix.so use_first_pass
+</pre>
+
+<p>Please note: the <tt>pam.d</tt> fragments shown above are based on Debian
+GNU/Linux' default PAM installation. I know that some distributions
+(i.e. Red Hat) use <tt>pam_pwdb.so</tt> instead of <tt>pam_unix.so</tt> as default
+authentication mechanism. Please adapt the <tt>pam.d</tt> configuration to your
+specific distribution.</p>
+
+<h3>Notes</h3>
+
+<p>For getting access to the user's files a SUID root helper utility
+<tt>/sbin/pam-dotfile-helper</tt> is used.</p>
+
+<p>The <tt>.pam</tt> files are ignored when their access mode AND 077 is non-zero,
+when they are symlinks or when any parent directory is group or world
+writable.</p>
+
+<p><tt>pam_dotfile</tt> will try to open the the following files for
+authentication (in that order):</p>
+
+<ol>
+ <li><tt>~/.pam-&lt;service&gt;</tt></li>
+ <li><tt>~/.pam/&lt;service&gt;</tt></li>
+ <li><tt>~/.pam-other</tt></li>
+ <li><tt>~/.pam/other</tt></li>
+</ol>
+
+<p>The first file in this list that exists is used for
+authentication. Regardless of any of the passwords contained therein
+are correct the other files are NOT evaluated.</p>
+
+<p>The hashing is implemented in the following way:</p>
+
+<ol>
+ <li>A 16 byte random string is read from <tt>/dev/urandom</tt> (salt)</li>
+ <li>It is formatted in a 32 character hexadecimal string</li>
+ <li>The password is appended</li>
+ <li>The MD5 hash of this string is calculated</li>
+ <li>The hash is formatted in another 32 character hexadecimal string</li>
+ <li>The result is the concatenation of the two hexadecimal strings</li>
+</ol>
+
+<p>I believe that this is somewhat secure. However, I am not a
+cryptoanalyst, I cannot guarantee for this. (Probably a cryptoanalyst
+cannot either.)</p>
+
+<p>The hashing function changed a little from 0.5 to 0.6. There was an
+ugly error in formatting the digest into a hexadecimal string. By fixing
+this the old hashed passwords became incompatible with newer releases
+of <tt>pam_dotfile</tt>. For sake of compatibility I added the option
+<tt>--enable-compat05</tt> to the <tt>configure</tt> script. Passwords
+for 0.6 are prefixed with a <tt>+</tt> in the dot files, older
+passwords are not. You are encouraged to fix your passwords to comply
+with the new version.</p>
+
+<p><tt>pam-dotfile-gen</tt> may be used as a filter that reads a text stream
+with unencrypted passwords and crypts them. Empty lines and those
+starting with # are passed in an unmodified way to STDOUT. Thus the
+user may comment the passwords in his <tt>.pam</tt> files.</p>
+
+<h3>PAM parameters</h3>
+
+<ul>
+
+ <li><tt>debug</tt> - Be very verbose to <tt>syslog(3)</tt></li>
+
+ <li><tt>use_first_pass</tt> - Don't issue a password prompt, use one
+ supplied by a previous modules</li>
+
+ <li><tt>try_first_pass</tt> - Nearly the same as <tt>use_first_pass</tt>, but don't
+ fail if no password was supplied, instead query the user</li>
+
+ <li><tt>use_authtok</tt> - Synonym for <tt>use_first_pass</tt></li>
+
+ <li><tt>rootok</tt> - Don't deny access for users with <tt>uid == 0</tt></li>
+
+ <li><tt>nullok</tt> - Don't deny access for null passwords</li>
+
+ <li><tt>fork</tt> - Always fork before trying to open the password files via the helper tool</li>
+
+ <li><tt>nofork</tt> - Never fork</li>
+
+ <li><tt>no_warn</tt> - Suppress warnings to <tt>syslog(3)</tt></li>
+
+ <li><tt>stat_only_home</tt> - verifies group/world readability only inside the home directory.
+ e.g. if the configuration file is <tt>/home/waldo/.pam/service</tt>
+ only <tt>/home/waldo/.pam</tt> and <tt>/home/waldo</tt> are tested.
+ This is sometimes necessary if the home directories are symbolic links.</li>
+
+ <li><tt>nocompat05</tt> - Disable compatibility with <tt>pam_dotfile</tt> <= 0.5. This is only available if <tt>pam_dotfile</tt> was compiled with <tt>--enable-compat05</tt></li>
+</ul>
+
+
+<h2><a name="requirements">Requirements</a></h2>
+
+<p><tt>pam_dotfile</tt> was developed and tested on Debian GNU/Linux
+"testing" from July 2003, it should work on most other Linux
+distributions (and maybe Unix versions) since it uses GNU autoconf and
+GNU libtool for source code configuration and shared library
+management.</p>
+
+<p>You need the PAM development headers installed (naturally...)</p>
+
+<h2><a name="installation">Installation</a></h2>
+
+<p>As this package is made with the GNU autotools you should run
+<tt>./configure</tt> inside the distribution directory for configuring
+the source tree. After that you should run <tt>make</tt> for
+compilation and <tt>make install</tt> (as root) for installation of
+<tt>pam_dotfile</tt>.</p>
+
+<p>If you upgrade from versions prior to 0.6 you should pass
+<tt>--enable-compat05</tt> to <tt>configure</tt> to enable
+compatibility with old user dot files. If you do not specify this, old
+passwords are ignored, the users have to recreate their passwords with
+<tt>pam-dotfile-gen</tt>.</p>
+
+<p>If you do a fresh install you should not pass
+<tt>--enable-compat05</tt> to <tt>configure</tt>. (An alternative is
+to specify <tt>--enable-compat05</tt> but to disable it afterwards by
+using <tt>nocompat05</tt> on the pam configuration line.)</p>
+
+<h2><a name="acks">Acknowledgements</a></h2>
+
+<p>This software includes an implementation of the MD5 algorithm by
+L. Peter Deutsch. Thanks to him for this.</p>
+
+<p>Oliver Kurth for packaging <tt>pam_dotfile</tt> for Debian</p>
+
+<p>Christian Loitsch provided a patch with some bugfixes and support
+for <tt>stat_only_home</tt></p>
+
+<h2><a name="download">Download</a></h2>
+
+<p>The newest release is always available from <a href="http://www.stud.uni-hamburg.de/~lennart/projects/pam_dotfile/">http://www.stud.uni-hamburg.de/~lennart/projects/pam_dotfile/</a></p>
+
+<p>The current release is <a href="http://www.stud.uni-hamburg.de/~lennart/projects/pam_dotfile/pam_dotfile-@PACKAGE_VERSION@.tar.gz">@PACKAGE_VERSION@</a></p>
+
+<p>You may find a mostly up to date Debian package of <tt>pam_dotfile</tt> on the <a href="http://packages.debian.org/cgi-bin/search_packages.pl?keywords=libpam-dotfile&amp;searchon=names&amp;subword=1&amp;version=all&amp;release=all">Debian package repository</a>.</p>
+
+<hr/>
+
+<address>Lennart Poettering &lt;mzcnzqbgsvyr [at] itaparica.org&gt;, July 2003</address>
+<div><i>$Id$</i></div>
+
+</body>
+</html>
diff --git a/doc/style.css b/doc/style.css
new file mode 100644
index 0000000..0a40aef
--- /dev/null
+++ b/doc/style.css
@@ -0,0 +1,12 @@
+/* $Id$ */
+body { color: black; background-color: white; margin: 0.5cm; }
+a:link, a:visited { color: #900000; }
+p { margin-left: 0.5cm; margin-right: 0.5cm; }
+div.news-date { margin-left: 0.5cm; font-size: 80%; color: #4f0000; }
+p.news-text { margin-left: 1cm; }
+ul { margin-left: .5cm; }
+ol { margin-left: .5cm; }
+h1 { color: #00009F; }
+h2 { color: #00009F; }
+h3 { color: #00004F; margin-left: 0.5cm; }
+pre { margin-left: .5cm; background-color: #f0f0f0; padding: 0.4cm;}
diff --git a/man/Makefile.am b/man/Makefile.am
new file mode 100644
index 0000000..78a8129
--- /dev/null
+++ b/man/Makefile.am
@@ -0,0 +1,33 @@
+# $Id$
+#
+# This file is part of pam_dotfile.
+#
+# pam_dotfile is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# pam_dotfile is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with pam_dotfile; if not, write to the Free Software Foundation,
+# Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA.
+
+man_MANS = pam-dotfile-gen.1 pam-dotfile-helper.8
+
+EXTRA_DIST = $(man_MANS) pam-dotfile-helper.8.xml.in pam-dotfile-gen.1.xml.in
+
+if USE_XMLTOMAN
+
+CLEANFILES = $(man_MANS)
+
+pam-dotfile-gen.1: pam-dotfile-gen.1.xml.in Makefile
+ sed -e 's,@sysconfdir\@,$(sysconfdir),g' -e 's,@sbindir\@,$(sbindir),g' -e 's,@PACKAGE_BUGREPORT\@,$(PACKAGE_BUGREPORT),g' $< | xmltoman - > $@
+
+pam-dotfile-helper.8: pam-dotfile-helper.8.xml.in Makefile
+ sed -e 's,@sysconfdir\@,$(sysconfdir),g' -e 's,@sbindir\@,$(sbindir),g' -e 's,@PACKAGE_BUGREPORT\@,$(PACKAGE_BUGREPORT),g' $< | xmltoman - > $@
+
+endif
diff --git a/man/pam-dotfile-gen.1.xml.in b/man/pam-dotfile-gen.1.xml.in
new file mode 100644
index 0000000..ff2a986
--- /dev/null
+++ b/man/pam-dotfile-gen.1.xml.in
@@ -0,0 +1,89 @@
+<?xml version="1.0" standalone='no'?>
+<!-- <!DOCTYPE spec SYSTEM "man.dtd"> -->
+
+<!--
+ This file is part of pam_dotfile.
+
+ pam_dotfile is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 2 of the License, or
+ (at your option) any later version.
+
+ pam_dotfile is distributed in the hope that it will be useful, but
+ WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with pam_dotfile; if not, write to the Free Software
+ Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307
+ USA
+-->
+ <manpage name="pam-dotfile-gen" section="1" desc="change password for libpam-dotfile">
+
+ <synopsis>
+ <cmd>pam-dotfile-gen &gt;&gt; ~/.pam-<arg>service</arg></cmd>
+ <cmd>pam-dotfile-gen -a <arg>service</arg></cmd>
+ </synopsis>
+
+ <description>
+
+ <p>pam-dotfile-gen is a utility to create a password for a
+ particular service, if your system administrator has set up
+ authenication for that service with libpam-dotfile.</p>
+
+ <p>To create or change your password, just enter pam-dotfile-gen
+ -a &lt;service&gt; and you will be prompted for the
+ password. The password will be written to ~/.pam-&lt;service&gt;
+ in a hashed format. To add another password to the same service
+ repeat the command.</p>
+
+ <p>If called without any argument the tool will act as
+ filter. Unencrypted passwords are read from STDIN, are crypted
+ and written to STDOUT. The passwords are separated by
+ newlines. Empty lines and lines beginning with # are ignored and
+ written in an untouched way to STDOUT.</p>
+
+ <p>The file format of the ~/.pam is rather simple. Every
+ non-empty line which does not begin with # is compared with the
+ hashed password to be checked. This allows you to specify free
+ form comments for each password with a simple text editor.</p>
+ </description>
+
+ <options>
+
+ <option>
+ <p><opt>-a <arg>service</arg></opt></p>
+ <optdesc><p>
+ Instead of acting as a filter read a single password from the user and add it to the .pam-file for the specified service.
+ </p></optdesc>
+ </option>
+
+ <option>
+ <p><opt>-C</opt></p>
+
+ <optdesc><p> Enable compatibility with pam_dotfile older than
+ 0.6. Passwords hashed with this enabled are created in a form
+ compatible with older release. You shouldn't use this.
+ </p></optdesc>
+
+ </option>
+
+ <option>
+ <p><opt>-h</opt></p>
+
+ <optdesc><p>Show a terse usage summary.</p></optdesc></option>
+ </options>
+
+ <section name="Author">
+ <p>pam-dotfile was written by Lennart Poettering
+ &lt;@PACKAGE_BUGREPORT@&gt;. pam-dotfile is available
+ at <url href="http://www.stud.uni-hamburg.de/users/lennart/projects/pam_dotfile/"/> </p>
+ </section>
+
+ <section name="Comments">
+ <p>This man page was written using <manref name="xmltoman" section="1"
+ href="http://masqmail.cx/xml2man/"/> by Oliver Kurth.</p>
+ </section>
+
+ </manpage>
diff --git a/man/pam-dotfile-helper.8.xml.in b/man/pam-dotfile-helper.8.xml.in
new file mode 100644
index 0000000..c47f0ea
--- /dev/null
+++ b/man/pam-dotfile-helper.8.xml.in
@@ -0,0 +1,61 @@
+<?xml version="1.0" standalone='no'?>
+<!DOCTYPE spec SYSTEM "man.dtd">
+
+<!--
+ This file is part of pam_dotfile.
+
+ pam_dotfile is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 2 of the License, or
+ (at your option) any later version.
+
+ pam_dotfile is distributed in the hope that it will be useful, but
+ WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with pam_dotfile; if not, write to the Free Software
+ Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307
+ USA
+-->
+
+ <manpage name="pam-dotfile-helper" section="8" desc="check password for libpam-dotfile">
+
+ <synopsis>
+ &lt;not invoked manually&gt;
+ </synopsis>
+
+ <description>
+ <p>
+ A helper binary for the pam_dotfile module, pam-dotfile-helper, is provided to
+ check the user's password. This binary is very simple and
+ will only check the password of the user invoking it. It is called
+ transparently on behalf of the user by the authenticating component of
+ the pam_dotfile module. In this way it is possible for applications
+ to work without being setuid root.
+ </p>
+ </description>
+
+ <section name="usage">
+ <p>
+ This program is not intended to be called directly by users and will
+ log to syslog if it is called improperly (i.e., by someone trying to
+ exploit it).
+ </p>
+ </section>
+
+ <section name="Author">
+ <p>pam-dotfile was written by Lennart Poettering
+ &lt;@PACKAGE_BUGREPORT@&gt;. pam-dotfile is available
+ at <url
+ href="http://www.stud.uni-hamburg.de/users/lennart/projects/pam_dotfile/"/>
+ </p>
+ </section>
+
+ <section name="Comments">
+ <p>This man page was written using <manref name="xmltoman" section="1"
+ href="http://masqmail.cx/xml2man/"/> by Oliver Kurth.</p>
+ </section>
+
+ </manpage>
diff --git a/src/Makefile.am b/src/Makefile.am
new file mode 100644
index 0000000..2905b7c
--- /dev/null
+++ b/src/Makefile.am
@@ -0,0 +1,41 @@
+# $Id$
+#
+# This file is part of pam_dotfile.
+#
+# pam_dotfile is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# pam_dotfile is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with pam_dotfile; if not, write to the Free Software Foundation,
+# Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA.
+
+AM_CFLAGS = -DSBINDIR=\"@sbindir@\"
+
+moduledir = @PAM_MODDIR@
+module_LTLIBRARIES = pam_dotfile.la
+
+pam_dotfile_la_SOURCES = pam_dotfile.c md5.c md5util.c md5.h md5util.h log.c log.h common.c common.h
+pam_dotfile_la_LDFLAGS = -module -avoid-version
+pam_dotfile_la_CFLAGS = $(AM_CFLAGS)
+
+sbin_PROGRAMS = pam-dotfile-helper
+bin_PROGRAMS = pam-dotfile-gen pamtest
+
+pam_dotfile_gen_SOURCES = pam-dotfile-gen.c md5.c md5.h md5util.c md5util.h
+pam_dotfile_gen_CFLAGS = $(AM_CFLAGS)
+
+pam_dotfile_helper_SOURCES = pam-dotfile-helper.c md5.c md5.h md5util.c md5util.h common.c common.h log.c log.h
+pam_dotfile_helper_CFLAGS = $(AM_CFLAGS)
+
+pamtest_SOURCES = pamtest.c
+
+install-exec-hook:
+ chown root $(DESTDIR)$(sbindir)/pam-dotfile-helper
+ chmod u+s $(DESTDIR)$(sbindir)/pam-dotfile-helper
diff --git a/src/common.c b/src/common.c
new file mode 100644
index 0000000..da575fe
--- /dev/null
+++ b/src/common.c
@@ -0,0 +1,220 @@
+/***
+ This file is part of pam_dotfile.
+
+ pam_dotfile is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 2 of the License, or
+ (at your option) any later version.
+
+ pam_dotfile is distributed in the hope that it will be useful, but
+ WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with pam_dotfile; if not, write to the Free Software
+ Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307
+ USA
+***/
+
+#include <stdio.h>
+#include <limits.h>
+#include <errno.h>
+#include <string.h>
+#include <sys/stat.h>
+#include <pwd.h>
+
+#include "common.h"
+#include "md5.h"
+#include "md5util.h"
+#include "log.h"
+
+static int _md5_compare(context_t *c, const char *password, const char *ln) {
+ md5_state_t st;
+ static md5_byte_t digest[16];
+ static char t[33];
+#ifdef COMPAT05
+ int olddigest = 0;
+#endif
+
+ if (ln[0] == '+')
+ ln++;
+ else {
+#ifdef COMPAT05
+ if (!c->opt_nocompat05)
+ olddigest = 1;
+ else {
+#endif
+ logmsg(c, LOG_WARNING, "Authentication failure: pam_dotfile configured whithout compatibility for <= 0.5, but used with <= 0.5 authentication data");
+ return PAM_AUTH_ERR;
+#ifdef COMPAT05
+ }
+#endif
+ }
+
+ if (strlen(ln) != 64) {
+ logmsg(c, LOG_WARNING, "Authentication failure: broken MD5 digest");
+ return PAM_AUTH_ERR;
+ }
+
+ md5_init(&st);
+ md5_append(&st, ln, 32);
+ md5_append(&st, password, strlen(password));
+ md5_finish(&st, digest);
+
+#ifdef COMPAT05
+ if (olddigest)
+ fhex_broken_md5(digest, t);
+ else
+#endif
+ fhex_md5(digest, t);
+
+ t[32] = 0;
+
+ return strcmp(ln+32, t) ? PAM_AUTH_ERR : PAM_SUCCESS;
+}
+
+static int _check_parent_dirs(const char *base, const char *fn) {
+ static char p[PATH_MAX];
+ static struct stat st;
+ int size_base;
+ int retval;
+
+ size_base = snprintf(p, sizeof(p) - 1, "%s", base);
+ if (size_base >= (sizeof(p) - 1))
+ return -1;
+
+ retval = snprintf(&(p[size_base]), sizeof(p) - size_base, "%s", fn);
+ if (retval >= (sizeof(p) - size_base))
+ return -1;
+
+
+ for (;;) {
+ char *slash = strrchr(p, '/');
+
+ if (slash == p || !slash)
+ return 0;
+
+ if (slash < &(p[size_base]))
+ return 0;
+
+
+ *slash = 0;
+
+ if (lstat(p, &st) < 0)
+ return -1;
+
+ if (st.st_mode & 022)
+ return -1;
+ }
+}
+
+int user_authentication(context_t *c, const char *username, const char *password) {
+ struct passwd *pw;
+ FILE *f;
+ static char fn[PATH_MAX];
+ static char pam_fn[PATH_MAX];
+ static struct stat st;
+ int ret;
+
+ if (!(pw = getpwnam(username))) {
+ logmsg(c, LOG_WARNING, "Authentication failure: user <%s> not found", username);
+ return PAM_USER_UNKNOWN;
+ }
+
+ if (!c->opt_rootok && pw->pw_uid == 0) {
+ logmsg(c, LOG_WARNING, "Authentication failure: access denied for root");
+ return PAM_AUTH_ERR;
+ }
+
+ logmsg(c, LOG_DEBUG, "Searching file for service %s", c->service);
+
+ snprintf(fn, sizeof(fn), "%s/.pam-%s", pw->pw_dir, c->service);
+ snprintf(pam_fn, sizeof(fn), "/.pam-%s", c->service);
+ if (!(f = fopen(fn, "r")) && errno == ENOENT) {
+ snprintf(fn, sizeof(fn), "%s/.pam/%s", pw->pw_dir, c->service);
+ snprintf(pam_fn, sizeof(fn), "/.pam/%s", c->service);
+ if (!(f = fopen(fn, "r")) && errno == ENOENT) {
+ snprintf(fn, sizeof(fn), "%s/.pam-other", pw->pw_dir);
+ snprintf(pam_fn, sizeof(fn), "/.pam-other");
+ if (!(f = fopen(fn, "r")) && errno == ENOENT) {
+ snprintf(fn, sizeof(fn), "%s/.pam/other", pw->pw_dir);
+ snprintf(pam_fn, sizeof(fn), "/.pam/other");
+ if (!(f = fopen(fn, "r")) && errno == ENOENT) {
+ logmsg(c, LOG_WARNING, "Authentication failure: no .pam file in home directory of <%s> existent", username);
+ return PAM_AUTHINFO_UNAVAIL;
+ }
+ }
+ }
+ }
+
+ if (!f) {
+ logmsg(c, LOG_WARNING, "Authentication failure: could not open .pam file in home directory of <%s>", username);
+ return PAM_AUTH_ERR;
+ }
+
+ if (lstat(fn, &st) < 0) {
+ logmsg(c, LOG_ERR, "Could not lstat() file %s: %s", fn, strerror(errno));
+ fclose(f);
+ return PAM_AUTH_ERR;
+ }
+
+ if (!S_ISREG(st.st_mode)) {
+ logmsg(c, LOG_ERR, "%s ist not a regular file: %s", fn, strerror(errno));
+ fclose(f);
+ return PAM_AUTH_ERR;
+ }
+
+ if (fstat(fileno(f), &st) < 0) {
+ logmsg(c, LOG_ERR, "Could not fstat() file %s: %s", fn, strerror(errno));
+ fclose(f);
+ return PAM_AUTH_ERR;
+ }
+
+ if (st.st_mode & 0077) {
+ logmsg(c, LOG_WARNING, "Authentication failure: bad access mode of file %s: %04o, correct is 0600\n", fn, st.st_mode & 07777);
+ fclose(f);
+ return PAM_AUTH_ERR;
+ }
+
+ if (st.st_uid != pw->pw_uid) {
+ logmsg(c, LOG_WARNING, "Authentication failure: bad owner of file %s: %u, correct is %u\n", fn, st.st_uid, pw->pw_uid);
+ fclose(f);
+ return PAM_AUTH_ERR;
+ }
+
+ if ((c->opt_stat_only_home ? _check_parent_dirs(pw->pw_dir, pam_fn) : _check_parent_dirs("", fn)) < 0) {
+ logmsg(c, LOG_ERR, "Parent directories of %s must not be group or world writable", fn);
+ fclose(f);
+ return PAM_AUTH_ERR;
+ }
+
+ ret = PAM_AUTH_ERR;
+ while (!feof(f)) {
+ static char ln[100];
+ int n;
+
+ if (!fgets(ln, sizeof(ln), f))
+ break;
+
+ if (ln[0] == 0 || ln[0] == '\n' || ln[0] == '#')
+ continue;
+
+ if (ln[(n = strlen(ln))-1] == '\n')
+ ln[n-1] = 0;
+
+ if (!_md5_compare(c, password, ln)) {
+ ret = PAM_SUCCESS;
+ break;
+ }
+ }
+
+ fclose(f);
+
+ if (ret == PAM_SUCCESS)
+ logmsg(c, LOG_INFO, "Authentication successful for user <%s>", username);
+ else
+ logmsg(c, LOG_WARNING, "Authentication failure: bad password for user <%s>", username);
+
+ return ret;
+}
diff --git a/src/common.h b/src/common.h
new file mode 100644
index 0000000..ef34cf3
--- /dev/null
+++ b/src/common.h
@@ -0,0 +1,43 @@
+#ifndef foocommonhfoo
+#define foocommonhfoo
+
+/***
+ This file is part of pam_dotfile.
+
+ pam_dotfile is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 2 of the License, or
+ (at your option) any later version.
+
+ pam_dotfile is distributed in the hope that it will be useful, but
+ WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with pam_dotfile; if not, write to the Free Software
+ Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307
+ USA
+***/
+
+#include <security/pam_modules.h>
+#include <security/_pam_macros.h>
+
+typedef struct context {
+ int opt_debug;
+ int opt_use_first_pass;
+ int opt_try_first_pass;
+ int opt_rootok;
+ int opt_nullok;
+ int opt_fork; // 0: auto; 1: fork; -1: nofork;
+ int opt_no_warn;
+ int opt_stat_only_home;
+#ifdef COMPAT05
+ int opt_nocompat05;
+#endif
+ const char *service;
+} context_t;
+
+int user_authentication(context_t *c, const char *username, const char *password);
+
+#endif
diff --git a/src/log.c b/src/log.c
new file mode 100644
index 0000000..6edcf06
--- /dev/null
+++ b/src/log.c
@@ -0,0 +1,48 @@
+/***
+ This file is part of pam_dotfile.
+
+ pam_dotfile is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 2 of the License, or
+ (at your option) any later version.
+
+ pam_dotfile is distributed in the hope that it will be useful, but
+ WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with pam_dotfile; if not, write to the Free Software
+ Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307
+ USA
+***/
+
+#include <syslog.h>
+#include <stdarg.h>
+#include <stdio.h>
+
+#include "log.h"
+
+void logmsg(context_t *c, int level, char *format, ...) {
+ va_list ap;
+ va_start(ap, format);
+
+// vfprintf(stderr, format, ap);
+// fprintf(stderr, "\n");
+
+ if (c->opt_debug || (level != LOG_DEBUG && level != LOG_WARNING) || (level == LOG_WARNING && !c->opt_no_warn)) {
+ static char ln[256];
+ char *p;
+
+ if (c->service)
+ snprintf(p = ln, sizeof(ln), "%s(pam_dotfile)", c->service);
+ else
+ p = "pam_dotfile";
+
+ openlog(p, LOG_PID, LOG_AUTHPRIV);
+ vsyslog(level, format, ap);
+ closelog();
+ }
+
+ va_end(ap);
+}
diff --git a/src/log.h b/src/log.h
new file mode 100644
index 0000000..b695b64
--- /dev/null
+++ b/src/log.h
@@ -0,0 +1,30 @@
+#ifndef foologhfoo
+#define foologhfoo
+
+/***
+ This file is part of pam_dotfile.
+
+ pam_dotfile is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 2 of the License, or
+ (at your option) any later version.
+
+ pam_dotfile is distributed in the hope that it will be useful, but
+ WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with pam_dotfile; if not, write to the Free Software
+ Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307
+ USA
+***/
+
+#include <syslog.h>
+#include "common.h"
+
+void logmsg(context_t *c, int level, char *format, ...);
+
+#endif
+
+
diff --git a/src/md5.c b/src/md5.c
new file mode 100644
index 0000000..2c9c2fc
--- /dev/null
+++ b/src/md5.c
@@ -0,0 +1,381 @@
+/*
+ Copyright (C) 1999, 2000, 2002 Aladdin Enterprises. All rights reserved.
+
+ This software is provided 'as-is', without any express or implied
+ warranty. In no event will the authors be held liable for any damages
+ arising from the use of this software.
+
+ Permission is granted to anyone to use this software for any purpose,
+ including commercial applications, and to alter it and redistribute it
+ freely, subject to the following restrictions:
+
+ 1. The origin of this software must not be misrepresented; you must not
+ claim that you wrote the original software. If you use this software
+ in a product, an acknowledgment in the product documentation would be
+ appreciated but is not required.
+ 2. Altered source versions must be plainly marked as such, and must not be
+ misrepresented as being the original software.
+ 3. This notice may not be removed or altered from any source distribution.
+
+ L. Peter Deutsch
+ ghost@aladdin.com
+
+ */
+/* $Id$ */
+/*
+ Independent implementation of MD5 (RFC 1321).
+
+ This code implements the MD5 Algorithm defined in RFC 1321, whose
+ text is available at
+ http://www.ietf.org/rfc/rfc1321.txt
+ The code is derived from the text of the RFC, including the test suite
+ (section A.5) but excluding the rest of Appendix A. It does not include
+ any code or documentation that is identified in the RFC as being
+ copyrighted.
+
+ The original and principal author of md5.c is L. Peter Deutsch
+ <ghost@aladdin.com>. Other authors are noted in the change history
+ that follows (in reverse chronological order):
+
+ 2002-04-13 lpd Clarified derivation from RFC 1321; now handles byte order
+ either statically or dynamically; added missing #include <string.h>
+ in library.
+ 2002-03-11 lpd Corrected argument list for main(), and added int return
+ type, in test program and T value program.
+ 2002-02-21 lpd Added missing #include <stdio.h> in test program.
+ 2000-07-03 lpd Patched to eliminate warnings about "constant is
+ unsigned in ANSI C, signed in traditional"; made test program
+ self-checking.
+ 1999-11-04 lpd Edited comments slightly for automatic TOC extraction.
+ 1999-10-18 lpd Fixed typo in header comment (ansi2knr rather than md5).
+ 1999-05-03 lpd Original version.
+ */
+
+#include "md5.h"
+#include <string.h>
+
+#undef BYTE_ORDER /* 1 = big-endian, -1 = little-endian, 0 = unknown */
+#ifdef ARCH_IS_BIG_ENDIAN
+# define BYTE_ORDER (ARCH_IS_BIG_ENDIAN ? 1 : -1)
+#else
+# define BYTE_ORDER 0
+#endif
+
+#define T_MASK ((md5_word_t)~0)
+#define T1 /* 0xd76aa478 */ (T_MASK ^ 0x28955b87)
+#define T2 /* 0xe8c7b756 */ (T_MASK ^ 0x173848a9)
+#define T3 0x242070db
+#define T4 /* 0xc1bdceee */ (T_MASK ^ 0x3e423111)
+#define T5 /* 0xf57c0faf */ (T_MASK ^ 0x0a83f050)
+#define T6 0x4787c62a
+#define T7 /* 0xa8304613 */ (T_MASK ^ 0x57cfb9ec)
+#define T8 /* 0xfd469501 */ (T_MASK ^ 0x02b96afe)
+#define T9 0x698098d8
+#define T10 /* 0x8b44f7af */ (T_MASK ^ 0x74bb0850)
+#define T11 /* 0xffff5bb1 */ (T_MASK ^ 0x0000a44e)
+#define T12 /* 0x895cd7be */ (T_MASK ^ 0x76a32841)
+#define T13 0x6b901122
+#define T14 /* 0xfd987193 */ (T_MASK ^ 0x02678e6c)
+#define T15 /* 0xa679438e */ (T_MASK ^ 0x5986bc71)
+#define T16 0x49b40821
+#define T17 /* 0xf61e2562 */ (T_MASK ^ 0x09e1da9d)
+#define T18 /* 0xc040b340 */ (T_MASK ^ 0x3fbf4cbf)
+#define T19 0x265e5a51
+#define T20 /* 0xe9b6c7aa */ (T_MASK ^ 0x16493855)
+#define T21 /* 0xd62f105d */ (T_MASK ^ 0x29d0efa2)
+#define T22 0x02441453
+#define T23 /* 0xd8a1e681 */ (T_MASK ^ 0x275e197e)
+#define T24 /* 0xe7d3fbc8 */ (T_MASK ^ 0x182c0437)
+#define T25 0x21e1cde6
+#define T26 /* 0xc33707d6 */ (T_MASK ^ 0x3cc8f829)
+#define T27 /* 0xf4d50d87 */ (T_MASK ^ 0x0b2af278)
+#define T28 0x455a14ed
+#define T29 /* 0xa9e3e905 */ (T_MASK ^ 0x561c16fa)
+#define T30 /* 0xfcefa3f8 */ (T_MASK ^ 0x03105c07)
+#define T31 0x676f02d9
+#define T32 /* 0x8d2a4c8a */ (T_MASK ^ 0x72d5b375)
+#define T33 /* 0xfffa3942 */ (T_MASK ^ 0x0005c6bd)
+#define T34 /* 0x8771f681 */ (T_MASK ^ 0x788e097e)
+#define T35 0x6d9d6122
+#define T36 /* 0xfde5380c */ (T_MASK ^ 0x021ac7f3)
+#define T37 /* 0xa4beea44 */ (T_MASK ^ 0x5b4115bb)
+#define T38 0x4bdecfa9
+#define T39 /* 0xf6bb4b60 */ (T_MASK ^ 0x0944b49f)
+#define T40 /* 0xbebfbc70 */ (T_MASK ^ 0x4140438f)
+#define T41 0x289b7ec6
+#define T42 /* 0xeaa127fa */ (T_MASK ^ 0x155ed805)
+#define T43 /* 0xd4ef3085 */ (T_MASK ^ 0x2b10cf7a)
+#define T44 0x04881d05
+#define T45 /* 0xd9d4d039 */ (T_MASK ^ 0x262b2fc6)
+#define T46 /* 0xe6db99e5 */ (T_MASK ^ 0x1924661a)
+#define T47 0x1fa27cf8
+#define T48 /* 0xc4ac5665 */ (T_MASK ^ 0x3b53a99a)
+#define T49 /* 0xf4292244 */ (T_MASK ^ 0x0bd6ddbb)
+#define T50 0x432aff97
+#define T51 /* 0xab9423a7 */ (T_MASK ^ 0x546bdc58)
+#define T52 /* 0xfc93a039 */ (T_MASK ^ 0x036c5fc6)
+#define T53 0x655b59c3
+#define T54 /* 0x8f0ccc92 */ (T_MASK ^ 0x70f3336d)
+#define T55 /* 0xffeff47d */ (T_MASK ^ 0x00100b82)
+#define T56 /* 0x85845dd1 */ (T_MASK ^ 0x7a7ba22e)
+#define T57 0x6fa87e4f
+#define T58 /* 0xfe2ce6e0 */ (T_MASK ^ 0x01d3191f)
+#define T59 /* 0xa3014314 */ (T_MASK ^ 0x5cfebceb)
+#define T60 0x4e0811a1
+#define T61 /* 0xf7537e82 */ (T_MASK ^ 0x08ac817d)
+#define T62 /* 0xbd3af235 */ (T_MASK ^ 0x42c50dca)
+#define T63 0x2ad7d2bb
+#define T64 /* 0xeb86d391 */ (T_MASK ^ 0x14792c6e)
+
+
+static void
+md5_process(md5_state_t *pms, const md5_byte_t *data /*[64]*/)
+{
+ md5_word_t
+ a = pms->abcd[0], b = pms->abcd[1],
+ c = pms->abcd[2], d = pms->abcd[3];
+ md5_word_t t;
+#if BYTE_ORDER > 0
+ /* Define storage only for big-endian CPUs. */
+ md5_word_t X[16];
+#else
+ /* Define storage for little-endian or both types of CPUs. */
+ md5_word_t xbuf[16];
+ const md5_word_t *X;
+#endif
+
+ {
+#if BYTE_ORDER == 0
+ /*
+ * Determine dynamically whether this is a big-endian or
+ * little-endian machine, since we can use a more efficient
+ * algorithm on the latter.
+ */
+ static const int w = 1;
+
+ if (*((const md5_byte_t *)&w)) /* dynamic little-endian */
+#endif
+#if BYTE_ORDER <= 0 /* little-endian */
+ {
+ /*
+ * On little-endian machines, we can process properly aligned
+ * data without copying it.
+ */
+ if (!((data - (const md5_byte_t *)0) & 3)) {
+ /* data are properly aligned */
+ X = (const md5_word_t *)data;
+ } else {
+ /* not aligned */
+ memcpy(xbuf, data, 64);
+ X = xbuf;
+ }
+ }
+#endif
+#if BYTE_ORDER == 0
+ else /* dynamic big-endian */
+#endif
+#if BYTE_ORDER >= 0 /* big-endian */
+ {
+ /*
+ * On big-endian machines, we must arrange the bytes in the
+ * right order.
+ */
+ const md5_byte_t *xp = data;
+ int i;
+
+# if BYTE_ORDER == 0
+ X = xbuf; /* (dynamic only) */
+# else
+# define xbuf X /* (static only) */
+# endif
+ for (i = 0; i < 16; ++i, xp += 4)
+ xbuf[i] = xp[0] + (xp[1] << 8) + (xp[2] << 16) + (xp[3] << 24);
+ }
+#endif
+ }
+
+#define ROTATE_LEFT(x, n) (((x) << (n)) | ((x) >> (32 - (n))))
+
+ /* Round 1. */
+ /* Let [abcd k s i] denote the operation
+ a = b + ((a + F(b,c,d) + X[k] + T[i]) <<< s). */
+#define F(x, y, z) (((x) & (y)) | (~(x) & (z)))
+#define SET(a, b, c, d, k, s, Ti)\
+ t = a + F(b,c,d) + X[k] + Ti;\
+ a = ROTATE_LEFT(t, s) + b
+ /* Do the following 16 operations. */
+ SET(a, b, c, d, 0, 7, T1);
+ SET(d, a, b, c, 1, 12, T2);
+ SET(c, d, a, b, 2, 17, T3);
+ SET(b, c, d, a, 3, 22, T4);
+ SET(a, b, c, d, 4, 7, T5);
+ SET(d, a, b, c, 5, 12, T6);
+ SET(c, d, a, b, 6, 17, T7);
+ SET(b, c, d, a, 7, 22, T8);
+ SET(a, b, c, d, 8, 7, T9);
+ SET(d, a, b, c, 9, 12, T10);
+ SET(c, d, a, b, 10, 17, T11);
+ SET(b, c, d, a, 11, 22, T12);
+ SET(a, b, c, d, 12, 7, T13);
+ SET(d, a, b, c, 13, 12, T14);
+ SET(c, d, a, b, 14, 17, T15);
+ SET(b, c, d, a, 15, 22, T16);
+#undef SET
+
+ /* Round 2. */
+ /* Let [abcd k s i] denote the operation
+ a = b + ((a + G(b,c,d) + X[k] + T[i]) <<< s). */
+#define G(x, y, z) (((x) & (z)) | ((y) & ~(z)))
+#define SET(a, b, c, d, k, s, Ti)\
+ t = a + G(b,c,d) + X[k] + Ti;\
+ a = ROTATE_LEFT(t, s) + b
+ /* Do the following 16 operations. */
+ SET(a, b, c, d, 1, 5, T17);
+ SET(d, a, b, c, 6, 9, T18);
+ SET(c, d, a, b, 11, 14, T19);
+ SET(b, c, d, a, 0, 20, T20);
+ SET(a, b, c, d, 5, 5, T21);
+ SET(d, a, b, c, 10, 9, T22);
+ SET(c, d, a, b, 15, 14, T23);
+ SET(b, c, d, a, 4, 20, T24);
+ SET(a, b, c, d, 9, 5, T25);
+ SET(d, a, b, c, 14, 9, T26);
+ SET(c, d, a, b, 3, 14, T27);
+ SET(b, c, d, a, 8, 20, T28);
+ SET(a, b, c, d, 13, 5, T29);
+ SET(d, a, b, c, 2, 9, T30);
+ SET(c, d, a, b, 7, 14, T31);
+ SET(b, c, d, a, 12, 20, T32);
+#undef SET
+
+ /* Round 3. */
+ /* Let [abcd k s t] denote the operation
+ a = b + ((a + H(b,c,d) + X[k] + T[i]) <<< s). */
+#define H(x, y, z) ((x) ^ (y) ^ (z))
+#define SET(a, b, c, d, k, s, Ti)\
+ t = a + H(b,c,d) + X[k] + Ti;\
+ a = ROTATE_LEFT(t, s) + b
+ /* Do the following 16 operations. */
+ SET(a, b, c, d, 5, 4, T33);
+ SET(d, a, b, c, 8, 11, T34);
+ SET(c, d, a, b, 11, 16, T35);
+ SET(b, c, d, a, 14, 23, T36);
+ SET(a, b, c, d, 1, 4, T37);
+ SET(d, a, b, c, 4, 11, T38);
+ SET(c, d, a, b, 7, 16, T39);
+ SET(b, c, d, a, 10, 23, T40);
+ SET(a, b, c, d, 13, 4, T41);
+ SET(d, a, b, c, 0, 11, T42);
+ SET(c, d, a, b, 3, 16, T43);
+ SET(b, c, d, a, 6, 23, T44);
+ SET(a, b, c, d, 9, 4, T45);
+ SET(d, a, b, c, 12, 11, T46);
+ SET(c, d, a, b, 15, 16, T47);
+ SET(b, c, d, a, 2, 23, T48);
+#undef SET
+
+ /* Round 4. */
+ /* Let [abcd k s t] denote the operation
+ a = b + ((a + I(b,c,d) + X[k] + T[i]) <<< s). */
+#define I(x, y, z) ((y) ^ ((x) | ~(z)))
+#define SET(a, b, c, d, k, s, Ti)\
+ t = a + I(b,c,d) + X[k] + Ti;\
+ a = ROTATE_LEFT(t, s) + b
+ /* Do the following 16 operations. */
+ SET(a, b, c, d, 0, 6, T49);
+ SET(d, a, b, c, 7, 10, T50);
+ SET(c, d, a, b, 14, 15, T51);
+ SET(b, c, d, a, 5, 21, T52);
+ SET(a, b, c, d, 12, 6, T53);
+ SET(d, a, b, c, 3, 10, T54);
+ SET(c, d, a, b, 10, 15, T55);
+ SET(b, c, d, a, 1, 21, T56);
+ SET(a, b, c, d, 8, 6, T57);
+ SET(d, a, b, c, 15, 10, T58);
+ SET(c, d, a, b, 6, 15, T59);
+ SET(b, c, d, a, 13, 21, T60);
+ SET(a, b, c, d, 4, 6, T61);
+ SET(d, a, b, c, 11, 10, T62);
+ SET(c, d, a, b, 2, 15, T63);
+ SET(b, c, d, a, 9, 21, T64);
+#undef SET
+
+ /* Then perform the following additions. (That is increment each
+ of the four registers by the value it had before this block
+ was started.) */
+ pms->abcd[0] += a;
+ pms->abcd[1] += b;
+ pms->abcd[2] += c;
+ pms->abcd[3] += d;
+}
+
+void
+md5_init(md5_state_t *pms)
+{
+ pms->count[0] = pms->count[1] = 0;
+ pms->abcd[0] = 0x67452301;
+ pms->abcd[1] = /*0xefcdab89*/ T_MASK ^ 0x10325476;
+ pms->abcd[2] = /*0x98badcfe*/ T_MASK ^ 0x67452301;
+ pms->abcd[3] = 0x10325476;
+}
+
+void
+md5_append(md5_state_t *pms, const md5_byte_t *data, int nbytes)
+{
+ const md5_byte_t *p = data;
+ int left = nbytes;
+ int offset = (pms->count[0] >> 3) & 63;
+ md5_word_t nbits = (md5_word_t)(nbytes << 3);
+
+ if (nbytes <= 0)
+ return;
+
+ /* Update the message length. */
+ pms->count[1] += nbytes >> 29;
+ pms->count[0] += nbits;
+ if (pms->count[0] < nbits)
+ pms->count[1]++;
+
+ /* Process an initial partial block. */
+ if (offset) {
+ int copy = (offset + nbytes > 64 ? 64 - offset : nbytes);
+
+ memcpy(pms->buf + offset, p, copy);
+ if (offset + copy < 64)
+ return;
+ p += copy;
+ left -= copy;
+ md5_process(pms, pms->buf);
+ }
+
+ /* Process full blocks. */
+ for (; left >= 64; p += 64, left -= 64)
+ md5_process(pms, p);
+
+ /* Process a final partial block. */
+ if (left)
+ memcpy(pms->buf, p, left);
+}
+
+void
+md5_finish(md5_state_t *pms, md5_byte_t digest[16])
+{
+ static const md5_byte_t pad[64] = {
+ 0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
+ };
+ md5_byte_t data[8];
+ int i;
+
+ /* Save the length before padding. */
+ for (i = 0; i < 8; ++i)
+ data[i] = (md5_byte_t)(pms->count[i >> 2] >> ((i & 3) << 3));
+ /* Pad to 56 bytes mod 64. */
+ md5_append(pms, pad, ((55 - (pms->count[0] >> 3)) & 63) + 1);
+ /* Append the length. */
+ md5_append(pms, data, 8);
+ for (i = 0; i < 16; ++i)
+ digest[i] = (md5_byte_t)(pms->abcd[i >> 2] >> ((i & 3) << 3));
+}
diff --git a/src/md5.h b/src/md5.h
new file mode 100644
index 0000000..5eb6d6c
--- /dev/null
+++ b/src/md5.h
@@ -0,0 +1,91 @@
+/*
+ Copyright (C) 1999, 2002 Aladdin Enterprises. All rights reserved.
+
+ This software is provided 'as-is', without any express or implied
+ warranty. In no event will the authors be held liable for any damages
+ arising from the use of this software.
+
+ Permission is granted to anyone to use this software for any purpose,
+ including commercial applications, and to alter it and redistribute it
+ freely, subject to the following restrictions:
+
+ 1. The origin of this software must not be misrepresented; you must not
+ claim that you wrote the original software. If you use this software
+ in a product, an acknowledgment in the product documentation would be
+ appreciated but is not required.
+ 2. Altered source versions must be plainly marked as such, and must not be
+ misrepresented as being the original software.
+ 3. This notice may not be removed or altered from any source distribution.
+
+ L. Peter Deutsch
+ ghost@aladdin.com
+
+ */
+/* $Id$ */
+/*
+ Independent implementation of MD5 (RFC 1321).
+
+ This code implements the MD5 Algorithm defined in RFC 1321, whose
+ text is available at
+ http://www.ietf.org/rfc/rfc1321.txt
+ The code is derived from the text of the RFC, including the test suite
+ (section A.5) but excluding the rest of Appendix A. It does not include
+ any code or documentation that is identified in the RFC as being
+ copyrighted.
+
+ The original and principal author of md5.h is L. Peter Deutsch
+ <ghost@aladdin.com>. Other authors are noted in the change history
+ that follows (in reverse chronological order):
+
+ 2002-04-13 lpd Removed support for non-ANSI compilers; removed
+ references to Ghostscript; clarified derivation from RFC 1321;
+ now handles byte order either statically or dynamically.
+ 1999-11-04 lpd Edited comments slightly for automatic TOC extraction.
+ 1999-10-18 lpd Fixed typo in header comment (ansi2knr rather than md5);
+ added conditionalization for C++ compilation from Martin
+ Purschke <purschke@bnl.gov>.
+ 1999-05-03 lpd Original version.
+ */
+
+#ifndef md5_INCLUDED
+# define md5_INCLUDED
+
+/*
+ * This package supports both compile-time and run-time determination of CPU
+ * byte order. If ARCH_IS_BIG_ENDIAN is defined as 0, the code will be
+ * compiled to run only on little-endian CPUs; if ARCH_IS_BIG_ENDIAN is
+ * defined as non-zero, the code will be compiled to run only on big-endian
+ * CPUs; if ARCH_IS_BIG_ENDIAN is not defined, the code will be compiled to
+ * run on either big- or little-endian CPUs, but will run slightly less
+ * efficiently on either one than if ARCH_IS_BIG_ENDIAN is defined.
+ */
+
+typedef unsigned char md5_byte_t; /* 8-bit byte */
+typedef unsigned int md5_word_t; /* 32-bit word */
+
+/* Define the state of the MD5 Algorithm. */
+typedef struct md5_state_s {
+ md5_word_t count[2]; /* message length in bits, lsw first */
+ md5_word_t abcd[4]; /* digest buffer */
+ md5_byte_t buf[64]; /* accumulate block */
+} md5_state_t;
+
+#ifdef __cplusplus
+extern "C"
+{
+#endif
+
+/* Initialize the algorithm. */
+void md5_init(md5_state_t *pms);
+
+/* Append a string to the message. */
+void md5_append(md5_state_t *pms, const md5_byte_t *data, int nbytes);
+
+/* Finish the message and return the digest. */
+void md5_finish(md5_state_t *pms, md5_byte_t digest[16]);
+
+#ifdef __cplusplus
+} /* end extern "C" */
+#endif
+
+#endif /* md5_INCLUDED */
diff --git a/src/md5util.c b/src/md5util.c
new file mode 100644
index 0000000..ec416be
--- /dev/null
+++ b/src/md5util.c
@@ -0,0 +1,45 @@
+/***
+ This file is part of pam_dotfile.
+
+ pam_dotfile is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 2 of the License, or
+ (at your option) any later version.
+
+ pam_dotfile is distributed in the hope that it will be useful, but
+ WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with pam_dotfile; if not, write to the Free Software
+ Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307
+ USA
+***/
+
+#include "md5util.h"
+
+
+#ifdef COMPAT05
+
+void fhex_broken(unsigned char *bin, int len, char *txt) {
+ const static char hex[] = "01234567890abcdef";
+ int i;
+
+ for (i = 0; i < len; i++) {
+ txt[i*2] = hex[bin[i]>>4];
+ txt[i*2+1] = hex[bin[i]&0xF];
+ }
+}
+
+#endif
+
+void fhex(unsigned char *bin, int len, char *txt) {
+ const static char hex[] = "0123456789abcdef";
+ int i;
+
+ for (i = 0; i < len; i++) {
+ txt[i*2] = hex[bin[i]>>4];
+ txt[i*2+1] = hex[bin[i]&0xF];
+ }
+}
diff --git a/src/md5util.h b/src/md5util.h
new file mode 100644
index 0000000..da6f538
--- /dev/null
+++ b/src/md5util.h
@@ -0,0 +1,31 @@
+#ifndef foomd5utilhfoo
+#define foomd5utilhfoo
+
+/***
+ This file is part of pam_dotfile.
+
+ pam_dotfile is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 2 of the License, or
+ (at your option) any later version.
+
+ pam_dotfile is distributed in the hope that it will be useful, but
+ WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with pam_dotfile; if not, write to the Free Software
+ Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307
+ USA
+***/
+
+void fhex(unsigned char *bin, int len, char *txt);
+#define fhex_md5(bin,txt) fhex((bin),16,(txt))
+
+#ifdef COMPAT05
+void fhex_broken(unsigned char *bin, int len, char *txt);
+#define fhex_broken_md5(bin,txt) fhex_broken((bin),16,(txt))
+#endif
+
+#endif
diff --git a/src/pam-dotfile-gen.c b/src/pam-dotfile-gen.c
new file mode 100644
index 0000000..0d10ec3
--- /dev/null
+++ b/src/pam-dotfile-gen.c
@@ -0,0 +1,280 @@
+/***
+ This file is part of pam_dotfile.
+
+ pam_dotfile is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 2 of the License, or
+ (at your option) any later version.
+
+ pam_dotfile is distributed in the hope that it will be useful, but
+ WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with pam_dotfile; if not, write to the Free Software
+ Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307
+ USA
+***/
+
+#include <string.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <time.h>
+#include <unistd.h>
+#include <limits.h>
+#include <errno.h>
+#include <string.h>
+#include <termios.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+
+#include "md5.h"
+#include "md5util.h"
+
+#ifdef COMPAT05
+int compat = 0;
+#endif
+
+static void _random(char *r, int l) {
+ FILE *f;
+ int b = 0;
+
+ if ((f = fopen("/dev/urandom", "r"))) {
+ if (fread(r, l, 1, f) == 1)
+ b = 1;
+ fclose(f);
+ }
+
+ if (!b) {
+ int i;
+ fprintf(stderr, "WARNING: Could not read /dev/urandom, generating pseudo randomness.\n");
+
+ for (i = 0; i < l; i++)
+ r[i] = (unsigned char) rand() & 0xFF;
+ }
+}
+
+static void _md5_gen(const char *password, FILE *f) {
+ static unsigned char salt[16];
+ static char saltc[33];
+ static unsigned char digest[16];
+ static char digestc[33];
+ md5_state_t t;
+
+ _random(salt, 16);
+
+ fhex(salt, 16, saltc);
+ saltc[32] = 0;
+
+ md5_init(&t);
+ md5_append(&t, saltc, 32);
+ md5_append(&t, password, strlen(password));
+ md5_finish(&t, digest);
+
+#ifdef COMPAT05
+ if (compat)
+ fhex_broken_md5(digest, digestc);
+ else
+#endif
+ fhex_md5(digest, digestc);
+ digestc[32] = 0;
+
+#ifdef COMPAT05
+ fprintf(f, "%s%s%s\n", compat ? "" : "+", saltc, digestc);
+#else
+ fprintf(f, "+%s%s\n", saltc, digestc);
+#endif
+}
+
+void usage(char *argv0) {
+ char *p;
+
+ if ((p = strrchr(argv0, '/')))
+ p++;
+ else
+ p = argv0;
+
+#ifdef COMPAT05
+ printf("%s [-C] [-a <service>] | -h\n"
+#else
+ printf("%s [-a <service>] | -h\n"
+#endif
+ " -a <service> Add a password for the specified service\n"
+ " -h Show this help\n"
+#ifdef COMPAT05
+ " -C Enable compatibility with pam_dotfile <= 0.5\n"
+#endif
+ , p);
+}
+
+char *chomp(char *p) {
+ char *e;
+
+ while ((e = strchr(p, '\n')))
+ *e = 0;
+
+ return p;
+}
+
+int set_echo(int fd, int b) {
+ static struct termios saved;
+
+ if (!b) {
+ static struct termios t;
+
+ if (tcgetattr(fd, &saved) < 0) {
+ fprintf(stderr, "tcgetattr(): %s\n", strerror(errno));
+ return -1;
+ }
+
+ t = saved;
+ t.c_lflag &= ~ECHO;
+
+ if (tcsetattr(fd, TCSANOW, &t) < 0) {
+ fprintf(stderr, "tcsetattr(): %s\n", strerror(errno));
+ return -1;
+ }
+
+ } else {
+ if (tcsetattr(fd, TCSANOW, &saved) < 0) {
+ fprintf(stderr, "tcsetattr(): %s\n", strerror(errno));
+ return -1;
+ }
+ }
+
+
+ return 0;
+}
+
+int add_password(char *p) {
+ FILE *f = NULL;
+ static char fn[PATH_MAX];
+ static char password1[128], password2[128];
+ int r = -1;
+ int e = 0;
+ mode_t m;
+
+ if (isatty(STDIN_FILENO)) {
+ if (set_echo(STDIN_FILENO, 0) < 0)
+ goto finish;
+
+ e = 1;
+ }
+
+ snprintf(fn, sizeof(fn), "%s/.pam-%s", getenv("HOME"), p);
+
+ m = umask(0077);
+ if (!(f = fopen(fn, "a"))) {
+ umask(m);
+ fprintf(stderr, "Could not open file <%s> for writing: %s\n", fn, strerror(errno));
+ goto finish;
+ }
+ umask(m);
+
+ if (isatty(STDIN_FILENO)) {
+ fputs("Password:", stdout);
+ fflush(stdout);
+ }
+
+ if (!fgets(password1, sizeof(password1), stdin)) {
+ fprintf(stderr, "Failure reading password\n");
+ goto finish;
+ }
+
+ if (isatty(STDIN_FILENO)) {
+ fputs("\nPlease repeat; password:", stdout);
+ fflush(stdout);
+ }
+
+ if (!fgets(password2, sizeof(password2), stdin)) {
+ fprintf(stderr, "Failure reading password\n");
+ goto finish;
+ }
+
+ if (isatty(STDIN_FILENO)) {
+ fputs("\n", stdout);
+ fflush(stdout);
+ }
+
+ chomp(password1);
+ chomp(password2);
+
+ if (strcmp(password1, password2)) {
+ fprintf(stderr, "ERROR: Passwords do not match!\n");
+ goto finish;
+ }
+
+ _md5_gen(password1, f);
+
+ fprintf(stderr, "Password added.\n");
+
+ r = 0;
+
+finish:
+ if (e)
+ set_echo(STDIN_FILENO, 1);
+
+ if (f) {
+ fclose(f);
+ chmod(fn, 0600);
+ }
+
+ return 0;
+}
+
+int main(int argc, char*argv[]) {
+ int c;
+#ifdef COMPAT05
+ const char* argspec = "a:hC";
+#else
+ const char* argspec = "a:h";
+#endif
+ char *addp = 0;
+
+ srand(time(NULL)*getpid());
+
+
+ while ((c = getopt(argc, argv, argspec)) > 0) {
+
+ switch (c) {
+ case 'a' :
+ addp = optarg;
+ break;
+
+#ifdef COMPAT05
+ case 'C':
+ compat = 1;
+ break;
+#endif
+
+ default:
+ usage(argv[0]);
+ return 1;
+ }
+ }
+
+
+ if (addp)
+ return add_password(addp) < 0 ? 1 : 0;
+
+ for(;;) {
+ int n;
+ static char ln[256];
+
+ if (!fgets(ln, sizeof(ln), stdin))
+ break;
+
+ if (ln[0] == 0 || ln[0] == '\n' || ln[0] == '#') {
+ fputs(ln, stdout);
+ continue;
+ }
+
+ if (ln[(n = strlen(ln))-1] == '\n')
+ ln[n-1] = 0;
+
+ _md5_gen(ln, stdout);
+ }
+
+ return 0;
+}
diff --git a/src/pam-dotfile-helper.c b/src/pam-dotfile-helper.c
new file mode 100644
index 0000000..04c73de
--- /dev/null
+++ b/src/pam-dotfile-helper.c
@@ -0,0 +1,117 @@
+/***
+ This file is part of pam_dotfile.
+
+ pam_dotfile is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 2 of the License, or
+ (at your option) any later version.
+
+ pam_dotfile is distributed in the hope that it will be useful, but
+ WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with pam_dotfile; if not, write to the Free Software
+ Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307
+ USA
+***/
+
+#include <string.h>
+#include <stdio.h>
+#include <unistd.h>
+#include <signal.h>
+#include <pwd.h>
+
+#include "common.h"
+#include "log.h"
+
+#define DELAY 5
+
+int main(int argc, char* argv[]) {
+ context_t c;
+ char *username;
+ static char password[128];
+ int r;
+
+ signal(SIGINT, SIG_IGN);
+ signal(SIGQUIT, SIG_IGN);
+ signal(SIGHUP, SIG_IGN);
+ signal(SIGTERM, SIG_IGN);
+ signal(SIGPIPE, SIG_IGN);
+ signal(SIGUSR1, SIG_IGN);
+ signal(SIGUSR2, SIG_IGN);
+ signal(SIGTSTP, SIG_IGN);
+
+ memset(&c, 0, sizeof(context_t));
+
+ if (isatty(0) || isatty(1) || isatty(2)) {
+ int n;
+ struct passwd *pw;
+ uid_t uid = getuid();
+
+ pw = getpwuid(uid);
+
+ fprintf(stderr, "This program is not intended to be run in this way.\n");
+ logmsg(&c, LOG_WARNING, "A stupid user (%s; uid=%i) ran pam-dotfile-helper on the command line", pw ? pw->pw_name : "???", uid);
+
+ n = 5;
+ while ((n = sleep(n)) > 0);
+
+ return 1;
+ }
+
+ if (argc != 7) {
+ logmsg(&c, LOG_WARNING, "Invalid invocation");
+ return 4;
+ }
+
+ c.service = argv[1];
+ username = argv[2];
+
+ if (!strcmp(argv[3], "debug"))
+ c.opt_debug = 1;
+
+ if (!strcmp(argv[4], "no_warn"))
+ c.opt_no_warn = 1;
+
+ if (!strcmp(argv[5], "stat_only_home"))
+ c.opt_stat_only_home = 1;
+
+#ifdef COMPAT05
+ if (!strcmp(argv[6], "nocompat05"))
+ c.opt_nocompat05 = 1;
+#endif
+
+ logmsg(&c, LOG_DEBUG, "%s|%s|%s",
+ c.opt_debug ? "debug" : "nodebug",
+ c.opt_no_warn ? "no_warn" : "warn"
+#ifdef COMPAT05
+ ,c.opt_nocompat05 ? "nocompat05" : "compat05"
+#endif
+ );
+
+ if (geteuid() != 0) {
+ logmsg(&c, LOG_WARNING, "Not run as root, executable is probably not SETUID?");
+ return 4;
+ }
+
+ logmsg(&c, LOG_DEBUG, "Helper started");
+
+ if (!fgets(password, sizeof(password), stdin)) {
+ logmsg(&c, LOG_WARNING, "Failure reading from STDIN");
+ return 4;
+ }
+
+ switch (user_authentication(&c, username, password)) {
+ case PAM_SUCCESS: r = 0; break;
+ case PAM_AUTH_ERR: r = 1; break;
+ case PAM_AUTHINFO_UNAVAIL: r = 2; break;
+ case PAM_USER_UNKNOWN: r = 3; break;
+ default: r = 4; break;
+ }
+
+ logmsg(&c, LOG_DEBUG, "Helper exiting with return value %u", r);
+
+ return r;
+}
diff --git a/src/pam_dotfile.c b/src/pam_dotfile.c
new file mode 100644
index 0000000..edc5230
--- /dev/null
+++ b/src/pam_dotfile.c
@@ -0,0 +1,321 @@
+/***
+ This file is part of pam_dotfile.
+
+ pam_dotfile is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 2 of the License, or
+ (at your option) any later version.
+
+ pam_dotfile is distributed in the hope that it will be useful, but
+ WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with pam_dotfile; if not, write to the Free Software
+ Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307
+ USA
+***/
+
+#include <stdio.h>
+#include <stdarg.h>
+#include <pwd.h>
+#include <unistd.h>
+#include <limits.h>
+#include <errno.h>
+#include <string.h>
+#include <sys/stat.h>
+#include <signal.h>
+#include <sys/types.h>
+#include <sys/wait.h>
+#include <fcntl.h>
+
+#define PAM_SM_AUTH
+
+#include <security/pam_modules.h>
+#include <security/_pam_macros.h>
+
+#include "md5.h"
+#include "md5util.h"
+#include "common.h"
+#include "log.h"
+
+#define HELPERTOOL SBINDIR"/pam-dotfile-helper"
+
+#ifndef PAM_FAIL_DELAY
+#define pam_fail_delay(x,y) 0
+#endif
+
+#define PAM_DOTFILE_DELAY 3000000
+
+static void sigchld(int sig) {
+}
+
+static int _fork_authentication(context_t *c, const char *username, const char *password) {
+ pid_t pid;
+ int r = PAM_SYSTEM_ERR, p[2];
+ struct sigaction sa_save, sa;
+
+ if (pipe(p) < 0) {
+ logmsg(c, LOG_ERR, "pipe(): %s", strerror(errno));
+ return PAM_SYSTEM_ERR;
+ }
+
+ memset(&sa, 0, sizeof(sa));
+ sa.sa_handler = sigchld;
+ sa.sa_flags = SA_RESTART;
+
+ if (sigaction(SIGCHLD, &sa, &sa_save) < 0) {
+ logmsg(c, LOG_ERR, "sigaction(): %s", strerror(errno));
+ goto finish;
+ }
+
+ if ((pid = fork()) < 0) {
+ logmsg(c, LOG_ERR, "fork(): %s", strerror(errno));
+ goto finish;
+ } else if (pid == 0) {
+ char * const args[] = {
+ HELPERTOOL,
+ x_strdup(c->service),
+ x_strdup(username),
+ c->opt_debug ? "debug" : "nodebug",
+ c->opt_no_warn ? "no_warn" : "warn",
+ c->opt_stat_only_home ? "stat_only_home" : "stat_all",
+#ifdef COMPAT05
+ c->opt_nocompat05 ? "nocompat05" : "compat05",
+#else
+ "nocompat05",
+#endif
+ NULL
+ };
+ char * envp[] = { NULL };
+
+ if (p[0] != 0 && dup2(p[0], 0) != 0) {
+ logmsg(c, LOG_ERR, "dup2(): %s", strerror(errno));
+ exit(2);
+ }
+
+ close(1);
+ close(2);
+ close(p[0]);
+ close(p[1]);
+
+ if (open("/dev/null", O_WRONLY) != 1) {
+ logmsg(c, LOG_ERR, "open(\"/dev/null\", O_WRONLY): %s", strerror(errno));
+ exit(2);
+ }
+
+ if (open("/dev/null", O_WRONLY) != 2) {
+ logmsg(c, LOG_ERR, "open(\"/dev/null\", O_WRONLY): %s", strerror(errno));
+ exit(2);
+ }
+
+ execve(HELPERTOOL, args, envp);
+
+ logmsg(c, LOG_ERR, "execve(): %s", strerror(errno));
+
+ exit(100);
+ } else if (pid > 0) {
+ FILE *f;
+ int r2;
+
+ close(p[0]);
+
+ if (!(f = fdopen(p[1], "w"))) {
+ logmsg(c, LOG_ERR, "fdopen() failed.");
+ goto finish;
+ } else {
+ fputs(password, f);
+ fflush(f);
+ }
+
+ fclose(f);
+ close(p[1]);
+
+ if (waitpid(pid, &r2, 0) < 0) {
+ logmsg(c, LOG_ERR, "waitpid(): %s", strerror(errno));
+ goto finish;
+ } else {
+ if (WIFEXITED(r2)) {
+ logmsg(c, LOG_DEBUG, "Helper returned %u", WEXITSTATUS(r2));
+
+ switch (WEXITSTATUS(r2)) {
+ case 0: r = PAM_SUCCESS; break;
+ case 1: r = PAM_AUTH_ERR; break;
+ case 2: r = PAM_AUTHINFO_UNAVAIL; break;
+ case 3: r = PAM_USER_UNKNOWN; break;
+ }
+ } else
+ logmsg(c, LOG_DEBUG, "Helper failed abnormally");
+ }
+ }
+
+finish:
+
+ if (sigaction(SIGCHLD, &sa_save, NULL) < 0) {
+ logmsg(c, LOG_ERR, "sigaction()#2: %s", strerror(errno));
+ r = PAM_SYSTEM_ERR;
+ }
+
+
+ return r;
+}
+
+static int _authentication(context_t *c, const char *username, const char *password) {
+ int b;
+
+ if (!username || !*username) {
+ logmsg(c, LOG_WARNING, "Authentication failure: null username supplied");
+ return PAM_AUTH_ERR;
+ }
+
+ if (!password || (!c->opt_nullok && !*password)) {
+ logmsg(c, LOG_WARNING, "Authentication failure: null password supplied");
+ return PAM_AUTH_ERR;
+ }
+
+ b = geteuid() != 0;
+
+ if (b && c->opt_fork < 0) {
+ logmsg(c, LOG_ERR, "Option <nofork> set and uid != 0, failing");
+ return PAM_SYSTEM_ERR;
+ }
+
+ if (c->opt_fork > 0)
+ b = 1;
+
+ if (!b)
+ return user_authentication(c, username, password);
+ else
+ return _fork_authentication(c, username, password);
+}
+
+static int _parse_opt(context_t *c, int argc, const char **argv) {
+ for (; argc; argc--, argv++) {
+ if (!strcmp(*argv, "debug"))
+ c->opt_debug = 1;
+ else if (!strcmp(*argv, "use_first_pass") || !strcmp(*argv, "use_authtok"))
+ c->opt_use_first_pass = 1;
+ else if (!strcmp(*argv, "try_first_pass"))
+ c->opt_try_first_pass = 1;
+ else if (!strcmp(*argv, "rootok"))
+ c->opt_rootok = 1;
+ else if (!strcmp(*argv, "nullok"))
+ c->opt_nullok = 1;
+ else if (!strcmp(*argv, "fork"))
+ c->opt_fork = 1;
+ else if (!strcmp(*argv, "nofork"))
+ c->opt_fork = -1;
+ else if (!strcmp(*argv, "no_warn"))
+ c->opt_no_warn = 1;
+ else if (!strcmp(*argv, "stat_only_home"))
+ c->opt_stat_only_home = 1;
+#ifdef COMPAT05
+ else if (!strcmp(*argv, "nocompat05"))
+ c->opt_nocompat05 = 1;
+#endif
+ else
+ logmsg(c, LOG_WARNING, "Invalid argument <%s>, ignoring", *argv);
+ }
+
+ return PAM_SUCCESS;
+}
+
+PAM_EXTERN int pam_sm_authenticate(pam_handle_t *ph, int flags, int argc, const char **argv) {
+ const char *username = NULL, *password = NULL, *service = NULL;
+ int r;
+ context_t c;
+ const struct pam_conv *pc;
+ static struct pam_message m[1] = { { msg_style: PAM_PROMPT_ECHO_OFF, msg : "Dotfile Password: " } };
+ const static struct pam_message* pm[] = { &m[0] };
+ struct pam_response *a;
+
+ memset(&c, 0, sizeof(c));
+
+ if ((r = _parse_opt(&c, argc, argv)) != PAM_SUCCESS)
+ return r;
+
+ if ((r = pam_get_user(ph, &username, NULL)) != PAM_SUCCESS) {
+ logmsg(&c, LOG_ERR, "pam_get_user(): %s", pam_strerror(ph, r));
+ return r;
+ }
+
+ if (!username || !*username) {
+ logmsg(&c, LOG_DEBUG, "Authentication failure: no username supplied");
+ return PAM_CRED_INSUFFICIENT;
+ }
+
+ if ((r = pam_get_item(ph, PAM_SERVICE, (const void**) &service)) != PAM_SUCCESS) {
+ logmsg(&c, LOG_ERR, "pam_get_item(*, PAM_SERVICE, *): %s", pam_strerror(ph, r));
+ return r;
+ }
+
+ c.service = service;
+
+ if (c.opt_use_first_pass || c.opt_try_first_pass)
+ if ((r = pam_get_item(ph, PAM_AUTHTOK, (const void**) &password)) != PAM_SUCCESS) {
+ logmsg(&c, LOG_ERR, "pam_get_item(*, PAM_AUTHTOK, *): %s", pam_strerror(ph, r));
+ return r;
+ }
+
+ if (c.opt_use_first_pass && !password) {
+ logmsg(&c, LOG_DEBUG, "No password passed in PAM_AUTHTOK.");
+ return PAM_CRED_INSUFFICIENT;
+ }
+
+ if (password) {
+ if ((r = _authentication(&c, username, password)) == PAM_SUCCESS) {
+ logmsg(&c, LOG_DEBUG, "Authentication with PAM_AUTHTOK sucessful");
+ return PAM_SUCCESS;
+ } else if (r != PAM_AUTH_ERR) {
+ logmsg(&c, LOG_DEBUG, "Authentication with PAM_AUTHTOK failed (%i): %s", r, pam_strerror(ph, r));
+ return r;
+ }
+
+ logmsg(&c, LOG_DEBUG, "Authentication with PAM_AUTHTOK failed");
+
+ if (c.opt_use_first_pass) {
+ pam_fail_delay(ph, PAM_DOTFILE_DELAY);
+ return PAM_AUTH_ERR;
+ }
+ }
+
+ if ((r = pam_get_item(ph, PAM_CONV, (const void**) &pc)) != PAM_SUCCESS) {
+ logmsg(&c, LOG_ERR, "pam_get_item(*, PAM_CONV, *): %s", pam_strerror(ph, r));
+ return r;
+ }
+
+ if (!pc || !pc->conv) {
+ logmsg(&c, LOG_ERR, "conv() function invalid");
+ return PAM_CONV_ERR;
+ }
+
+ if ((r = pc->conv(1, pm, &a, pc->appdata_ptr)) != PAM_SUCCESS) {
+ logmsg(&c, LOG_ERR, "conv(): %s", pam_strerror(ph, r));
+ return r;
+ }
+
+ if (!a->resp) {
+ logmsg(&c, LOG_ERR, "Got no password.");
+ return PAM_CRED_INSUFFICIENT;
+ }
+
+ if ((r = pam_set_item(ph, PAM_AUTHTOK, x_strdup(a->resp))) != PAM_SUCCESS)
+ return r;
+
+ if ((r = _authentication(&c, username, a->resp)) == PAM_SUCCESS) {
+ logmsg(&c, LOG_DEBUG, "Authentication with user password sucessful");
+ return PAM_SUCCESS;
+ } else if (r != PAM_AUTH_ERR) {
+ logmsg(&c, LOG_DEBUG, "Authentication with PAM_AUTHTOK failed (%i): %s", r, pam_strerror(ph, r));
+ return r;
+ }
+
+ logmsg(&c, LOG_DEBUG, "Authentication failed with user password");
+ pam_fail_delay(ph, PAM_DOTFILE_DELAY);
+ return PAM_AUTH_ERR;
+}
+
+PAM_EXTERN int pam_sm_setcred(pam_handle_t *pamh, int flags, int argc, const char **argv) {
+ return PAM_SUCCESS;
+}
diff --git a/src/pamtest.c b/src/pamtest.c
new file mode 100644
index 0000000..171e601
--- /dev/null
+++ b/src/pamtest.c
@@ -0,0 +1,66 @@
+/***
+ This file is part of pam_dotfile.
+
+ pam_dotfile is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 2 of the License, or
+ (at your option) any later version.
+
+ pam_dotfile is distributed in the hope that it will be useful, but
+ WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with pam_dotfile; if not, write to the Free Software
+ Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307
+ USA
+***/
+
+#include <stdio.h>
+
+#include <security/pam_appl.h>
+#include <security/pam_misc.h>
+
+int main(int argc, char*argv[]) {
+ static struct pam_conv pc = { misc_conv, NULL };
+ pam_handle_t *ph = NULL;
+ int r, ret;
+ char *username, *procname, *service;
+
+ if ((procname = strchr(argv[0], '/')))
+ procname++;
+ else
+ procname = argv[0];
+
+ if (argc <= 1 || argc > 3) {
+ fprintf(stderr, "Usage: %s [<service>] [<username>]\n", procname);
+ exit(1);
+ }
+
+ service = (argc >= 2) ? argv[1] : procname;
+ username = (argc == 3) ? argv[2] : NULL;
+
+ if (username)
+ printf("Trying to authenticate <%s> for service <%s>.\n", username, service);
+ else
+ printf("Trying to authenticate for service <%s>.\n", service);
+
+ if ((r = pam_start(service, username, &pc, &ph)) != PAM_SUCCESS) {
+ fprintf(stderr, "Failure starting pam: %s\n", pam_strerror(ph, r));
+ return 1;
+ }
+
+ if ((r = pam_authenticate(ph, 0)) != PAM_SUCCESS) {
+ fprintf(stderr, "Failed to authenticate: %s\n", pam_strerror(ph, r));
+ ret = 1;
+ } else {
+ printf("Authentication successful.\n");
+ ret = 0;
+ }
+
+ if ((r = pam_end(ph, r)) != PAM_SUCCESS)
+ fprintf(stderr, "Failure shutting down pam: %s\n", pam_strerror(ph, r));
+
+ return ret;
+}
generated by cgit (git 2.34.1) at 2024-04-25 23:39:35 +0000