From d3ea4ac5edbb0b19e79556447299ca4f21fa5a25 Mon Sep 17 00:00:00 2001 From: Lennart Poettering Date: Thu, 31 Jul 2003 12:40:54 +0000 Subject: Moved everything to trunk git-svn-id: file:///home/lennart/svn/public/pam_dotfile/trunk@13 5391d09e-f7c1-0310-8aa1-84a1c93f5a38 --- LICENSE | 340 +++++++++++++++++++++++++++++++++++ Makefile.am | 35 ++++ bootstrap.sh | 40 +++++ configure.ac | 133 ++++++++++++++ doc/Makefile.am | 35 ++++ doc/README.html.in | 265 ++++++++++++++++++++++++++++ doc/style.css | 12 ++ man/Makefile.am | 33 ++++ man/pam-dotfile-gen.1.xml.in | 89 ++++++++++ man/pam-dotfile-helper.8.xml.in | 61 +++++++ src/Makefile.am | 41 +++++ src/common.c | 220 +++++++++++++++++++++++ src/common.h | 43 +++++ src/log.c | 48 +++++ src/log.h | 30 ++++ src/md5.c | 381 ++++++++++++++++++++++++++++++++++++++++ src/md5.h | 91 ++++++++++ src/md5util.c | 45 +++++ src/md5util.h | 31 ++++ src/pam-dotfile-gen.c | 280 +++++++++++++++++++++++++++++ src/pam-dotfile-helper.c | 117 ++++++++++++ src/pam_dotfile.c | 321 +++++++++++++++++++++++++++++++++ src/pamtest.c | 66 +++++++ 23 files changed, 2757 insertions(+) create mode 100644 LICENSE create mode 100644 Makefile.am create mode 100755 bootstrap.sh create mode 100644 configure.ac create mode 100644 doc/Makefile.am create mode 100644 doc/README.html.in create mode 100644 doc/style.css create mode 100644 man/Makefile.am create mode 100644 man/pam-dotfile-gen.1.xml.in create mode 100644 man/pam-dotfile-helper.8.xml.in create mode 100644 src/Makefile.am create mode 100644 src/common.c create mode 100644 src/common.h create mode 100644 src/log.c create mode 100644 src/log.h create mode 100644 src/md5.c create mode 100644 src/md5.h create mode 100644 src/md5util.c create mode 100644 src/md5util.h create mode 100644 src/pam-dotfile-gen.c create mode 100644 src/pam-dotfile-helper.c create mode 100644 src/pam_dotfile.c create mode 100644 src/pamtest.c diff --git a/LICENSE b/LICENSE new file mode 100644 index 0000000..d60c31a --- /dev/null +++ b/LICENSE @@ -0,0 +1,340 @@ + GNU GENERAL PUBLIC LICENSE + Version 2, June 1991 + + Copyright (C) 1989, 1991 Free Software Foundation, Inc. + 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + Everyone is permitted to copy and distribute verbatim copies + of this license document, but changing it is not allowed. + + Preamble + + The licenses for most software are designed to take away your +freedom to share and change it. By contrast, the GNU General Public +License is intended to guarantee your freedom to share and change free +software--to make sure the software is free for all its users. This +General Public License applies to most of the Free Software +Foundation's software and to any other program whose authors commit to +using it. (Some other Free Software Foundation software is covered by +the GNU Library General Public License instead.) You can apply it to +your programs, too. + + When we speak of free software, we are referring to freedom, not +price. Our General Public Licenses are designed to make sure that you +have the freedom to distribute copies of free software (and charge for +this service if you wish), that you receive source code or can get it +if you want it, that you can change the software or use pieces of it +in new free programs; and that you know you can do these things. + + To protect your rights, we need to make restrictions that forbid +anyone to deny you these rights or to ask you to surrender the rights. +These restrictions translate to certain responsibilities for you if you +distribute copies of the software, or if you modify it. + + For example, if you distribute copies of such a program, whether +gratis or for a fee, you must give the recipients all the rights that +you have. You must make sure that they, too, receive or can get the +source code. And you must show them these terms so they know their +rights. + + We protect your rights with two steps: (1) copyright the software, and +(2) offer you this license which gives you legal permission to copy, +distribute and/or modify the software. + + Also, for each author's protection and ours, we want to make certain +that everyone understands that there is no warranty for this free +software. If the software is modified by someone else and passed on, we +want its recipients to know that what they have is not the original, so +that any problems introduced by others will not reflect on the original +authors' reputations. + + Finally, any free program is threatened constantly by software +patents. We wish to avoid the danger that redistributors of a free +program will individually obtain patent licenses, in effect making the +program proprietary. To prevent this, we have made it clear that any +patent must be licensed for everyone's free use or not licensed at all. + + The precise terms and conditions for copying, distribution and +modification follow. + + GNU GENERAL PUBLIC LICENSE + TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION + + 0. This License applies to any program or other work which contains +a notice placed by the copyright holder saying it may be distributed +under the terms of this General Public License. The "Program", below, +refers to any such program or work, and a "work based on the Program" +means either the Program or any derivative work under copyright law: +that is to say, a work containing the Program or a portion of it, +either verbatim or with modifications and/or translated into another +language. (Hereinafter, translation is included without limitation in +the term "modification".) Each licensee is addressed as "you". + +Activities other than copying, distribution and modification are not +covered by this License; they are outside its scope. The act of +running the Program is not restricted, and the output from the Program +is covered only if its contents constitute a work based on the +Program (independent of having been made by running the Program). +Whether that is true depends on what the Program does. + + 1. You may copy and distribute verbatim copies of the Program's +source code as you receive it, in any medium, provided that you +conspicuously and appropriately publish on each copy an appropriate +copyright notice and disclaimer of warranty; keep intact all the +notices that refer to this License and to the absence of any warranty; +and give any other recipients of the Program a copy of this License +along with the Program. + +You may charge a fee for the physical act of transferring a copy, and +you may at your option offer warranty protection in exchange for a fee. + + 2. You may modify your copy or copies of the Program or any portion +of it, thus forming a work based on the Program, and copy and +distribute such modifications or work under the terms of Section 1 +above, provided that you also meet all of these conditions: + + a) You must cause the modified files to carry prominent notices + stating that you changed the files and the date of any change. + + b) You must cause any work that you distribute or publish, that in + whole or in part contains or is derived from the Program or any + part thereof, to be licensed as a whole at no charge to all third + parties under the terms of this License. + + c) If the modified program normally reads commands interactively + when run, you must cause it, when started running for such + interactive use in the most ordinary way, to print or display an + announcement including an appropriate copyright notice and a + notice that there is no warranty (or else, saying that you provide + a warranty) and that users may redistribute the program under + these conditions, and telling the user how to view a copy of this + License. (Exception: if the Program itself is interactive but + does not normally print such an announcement, your work based on + the Program is not required to print an announcement.) + +These requirements apply to the modified work as a whole. If +identifiable sections of that work are not derived from the Program, +and can be reasonably considered independent and separate works in +themselves, then this License, and its terms, do not apply to those +sections when you distribute them as separate works. But when you +distribute the same sections as part of a whole which is a work based +on the Program, the distribution of the whole must be on the terms of +this License, whose permissions for other licensees extend to the +entire whole, and thus to each and every part regardless of who wrote it. + +Thus, it is not the intent of this section to claim rights or contest +your rights to work written entirely by you; rather, the intent is to +exercise the right to control the distribution of derivative or +collective works based on the Program. + +In addition, mere aggregation of another work not based on the Program +with the Program (or with a work based on the Program) on a volume of +a storage or distribution medium does not bring the other work under +the scope of this License. + + 3. You may copy and distribute the Program (or a work based on it, +under Section 2) in object code or executable form under the terms of +Sections 1 and 2 above provided that you also do one of the following: + + a) Accompany it with the complete corresponding machine-readable + source code, which must be distributed under the terms of Sections + 1 and 2 above on a medium customarily used for software interchange; or, + + b) Accompany it with a written offer, valid for at least three + years, to give any third party, for a charge no more than your + cost of physically performing source distribution, a complete + machine-readable copy of the corresponding source code, to be + distributed under the terms of Sections 1 and 2 above on a medium + customarily used for software interchange; or, + + c) Accompany it with the information you received as to the offer + to distribute corresponding source code. (This alternative is + allowed only for noncommercial distribution and only if you + received the program in object code or executable form with such + an offer, in accord with Subsection b above.) + +The source code for a work means the preferred form of the work for +making modifications to it. For an executable work, complete source +code means all the source code for all modules it contains, plus any +associated interface definition files, plus the scripts used to +control compilation and installation of the executable. However, as a +special exception, the source code distributed need not include +anything that is normally distributed (in either source or binary +form) with the major components (compiler, kernel, and so on) of the +operating system on which the executable runs, unless that component +itself accompanies the executable. + +If distribution of executable or object code is made by offering +access to copy from a designated place, then offering equivalent +access to copy the source code from the same place counts as +distribution of the source code, even though third parties are not +compelled to copy the source along with the object code. + + 4. You may not copy, modify, sublicense, or distribute the Program +except as expressly provided under this License. Any attempt +otherwise to copy, modify, sublicense or distribute the Program is +void, and will automatically terminate your rights under this License. +However, parties who have received copies, or rights, from you under +this License will not have their licenses terminated so long as such +parties remain in full compliance. + + 5. You are not required to accept this License, since you have not +signed it. However, nothing else grants you permission to modify or +distribute the Program or its derivative works. These actions are +prohibited by law if you do not accept this License. Therefore, by +modifying or distributing the Program (or any work based on the +Program), you indicate your acceptance of this License to do so, and +all its terms and conditions for copying, distributing or modifying +the Program or works based on it. + + 6. Each time you redistribute the Program (or any work based on the +Program), the recipient automatically receives a license from the +original licensor to copy, distribute or modify the Program subject to +these terms and conditions. You may not impose any further +restrictions on the recipients' exercise of the rights granted herein. +You are not responsible for enforcing compliance by third parties to +this License. + + 7. If, as a consequence of a court judgment or allegation of patent +infringement or for any other reason (not limited to patent issues), +conditions are imposed on you (whether by court order, agreement or +otherwise) that contradict the conditions of this License, they do not +excuse you from the conditions of this License. If you cannot +distribute so as to satisfy simultaneously your obligations under this +License and any other pertinent obligations, then as a consequence you +may not distribute the Program at all. For example, if a patent +license would not permit royalty-free redistribution of the Program by +all those who receive copies directly or indirectly through you, then +the only way you could satisfy both it and this License would be to +refrain entirely from distribution of the Program. + +If any portion of this section is held invalid or unenforceable under +any particular circumstance, the balance of the section is intended to +apply and the section as a whole is intended to apply in other +circumstances. + +It is not the purpose of this section to induce you to infringe any +patents or other property right claims or to contest validity of any +such claims; this section has the sole purpose of protecting the +integrity of the free software distribution system, which is +implemented by public license practices. Many people have made +generous contributions to the wide range of software distributed +through that system in reliance on consistent application of that +system; it is up to the author/donor to decide if he or she is willing +to distribute software through any other system and a licensee cannot +impose that choice. + +This section is intended to make thoroughly clear what is believed to +be a consequence of the rest of this License. + + 8. If the distribution and/or use of the Program is restricted in +certain countries either by patents or by copyrighted interfaces, the +original copyright holder who places the Program under this License +may add an explicit geographical distribution limitation excluding +those countries, so that distribution is permitted only in or among +countries not thus excluded. In such case, this License incorporates +the limitation as if written in the body of this License. + + 9. The Free Software Foundation may publish revised and/or new versions +of the General Public License from time to time. Such new versions will +be similar in spirit to the present version, but may differ in detail to +address new problems or concerns. + +Each version is given a distinguishing version number. If the Program +specifies a version number of this License which applies to it and "any +later version", you have the option of following the terms and conditions +either of that version or of any later version published by the Free +Software Foundation. If the Program does not specify a version number of +this License, you may choose any version ever published by the Free Software +Foundation. + + 10. If you wish to incorporate parts of the Program into other free +programs whose distribution conditions are different, write to the author +to ask for permission. For software which is copyrighted by the Free +Software Foundation, write to the Free Software Foundation; we sometimes +make exceptions for this. Our decision will be guided by the two goals +of preserving the free status of all derivatives of our free software and +of promoting the sharing and reuse of software generally. + + NO WARRANTY + + 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY +FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN +OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES +PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED +OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF +MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS +TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE +PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, +REPAIR OR CORRECTION. + + 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING +WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR +REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, +INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING +OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED +TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY +YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER +PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE +POSSIBILITY OF SUCH DAMAGES. + + END OF TERMS AND CONDITIONS + + How to Apply These Terms to Your New Programs + + If you develop a new program, and you want it to be of the greatest +possible use to the public, the best way to achieve this is to make it +free software which everyone can redistribute and change under these terms. + + To do so, attach the following notices to the program. It is safest +to attach them to the start of each source file to most effectively +convey the exclusion of warranty; and each file should have at least +the "copyright" line and a pointer to where the full notice is found. + + + Copyright (C) + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + + +Also add information on how to contact you by electronic and paper mail. + +If the program is interactive, make it output a short notice like this +when it starts in an interactive mode: + + Gnomovision version 69, Copyright (C) year name of author + Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'. + This is free software, and you are welcome to redistribute it + under certain conditions; type `show c' for details. + +The hypothetical commands `show w' and `show c' should show the appropriate +parts of the General Public License. Of course, the commands you use may +be called something other than `show w' and `show c'; they could even be +mouse-clicks or menu items--whatever suits your program. + +You should also get your employer (if you work as a programmer) or your +school, if any, to sign a "copyright disclaimer" for the program, if +necessary. Here is a sample; alter the names: + + Yoyodyne, Inc., hereby disclaims all copyright interest in the program + `Gnomovision' (which makes passes at compilers) written by James Hacker. + + , 1 April 1989 + Ty Coon, President of Vice + +This General Public License does not permit incorporating your program into +proprietary programs. If your program is a subroutine library, you may +consider it more useful to permit linking proprietary applications with the +library. If this is what you want to do, use the GNU Library General +Public License instead of this License. diff --git a/Makefile.am b/Makefile.am new file mode 100644 index 0000000..5925919 --- /dev/null +++ b/Makefile.am @@ -0,0 +1,35 @@ +# $Id$ + +# This file is part of pam_dotfile. +# +# pam_dotfile is free software; you can redistribute it and/or modify it +# under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 2 of the License, or +# (at your option) any later version. +# +# pam_dotfile is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with pam_dotfile; if not, write to the Free Software Foundation, +# Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA. + +EXTRA_DIST=bootstrap.sh README LICENSE +SUBDIRS=src man doc + +MAINTAINERCLEANFILES = README +noinst_DATA = README + +README: + rm -f README + $(MAKE) -C doc README + ln -s doc/README README + +homepage: + test -d $$HOME/homepage/lennart + mkdir -p $$HOME/homepage/lennart/projects/pam_dotfile + cp *.tar.gz $$HOME/homepage/lennart/projects/pam_dotfile + cp doc/README.html doc/style.css $$HOME/homepage/lennart/projects/pam_dotfile + cp $$HOME/homepage/lennart/projects/pam_dotfile/README.html $$HOME/homepage/lennart/projects/pam_dotfile/index.html diff --git a/bootstrap.sh b/bootstrap.sh new file mode 100755 index 0000000..bf2c22a --- /dev/null +++ b/bootstrap.sh @@ -0,0 +1,40 @@ +#!/bin/sh +# $Id$ + +# This file is part of pam_dotfile. +# +# pam_dotfile is free software; you can redistribute it and/or modify it +# under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 2 of the License, or +# (at your option) any later version. +# +# pam_dotfile is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with pam_dotfile; if not, write to the Free Software Foundation, +# Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA. + +if [ "x$1" = "xam" ] ; then + set -ex + automake -a -c + ./config.status +else + set -ex + + make maintainer-clean || true + + rm -rf autom4te.cache + rm -f config.cache + + aclocal + libtoolize -c --force + autoheader + automake -a -c + autoconf -Wall + + ./configure "$@" +fi + diff --git a/configure.ac b/configure.ac new file mode 100644 index 0000000..5db808e --- /dev/null +++ b/configure.ac @@ -0,0 +1,133 @@ +# -*- Autoconf -*- +# Process this file with autoconf to produce a configure script. + +# $Id$ + +# This file is part of pam_dotfile. +# +# pam_dotfile is free software; you can redistribute it and/or modify it +# under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 2 of the License, or +# (at your option) any later version. +# +# pam_dotfile is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with pam_dotfile; if not, write to the Free Software Foundation, +# Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA. + +AC_PREREQ(2.57) +AC_INIT([pam_dotfile], [0.6], [mzcnzqbgsvyr@itaparica.org]) +AC_CONFIG_SRCDIR([src/pam_dotfile.c]) +AC_CONFIG_HEADERS([config.h]) +AM_INIT_AUTOMAKE([foreign -Wall]) +AM_MAINTAINER_MODE + +AM_DISABLE_STATIC + +# Checks for programs. +AC_PROG_CC +AC_PROG_LIBTOOL +AC_PROG_CXX + +# If using GCC specifiy some additional parameters +if test "x$GCC" = "xyes" ; then + CFLAGS="$CFLAGS -pipe -Wall" +fi + +CFLAGS="$CFLAGS -L/lib" + +# Checks for libraries. +AC_CHECK_HEADER([security/pam_modules.h],, [AC_MSG_ERROR([*** Sorry, you have to install the PAM development files ***])]) + +LIBS="$LIBS -ldl -lpam -lpam_misc" + +case "$host" in + *-*-linux*) + PAM_MODDIR="/lib/security" + ;; + *) + PAM_MODDIR="/usr/lib" + ;; +esac +AC_SUBST(PAM_MODDIR) + +# Checks for header files. + +AC_CHECK_FUNCS([dup2 memset strchr strerror strrchr]) +AC_FUNC_FORK +AC_FUNC_LSTAT +AC_FUNC_LSTAT_FOLLOWS_SLASHED_SYMLINK +AC_FUNC_VPRINTF + +AC_CHECK_HEADERS([fcntl.h limits.h syslog.h termios.h]) +AC_HEADER_STDC +AC_HEADER_SYS_WAIT + +AC_C_CONST + +AC_TYPE_MODE_T +AC_TYPE_PID_T +AC_TYPE_SIGNAL +AC_TYPE_UID_T + + +# LYNX documentation generation +AC_ARG_ENABLE(lynx, + AC_HELP_STRING([--disable-lynx], [Turn off lynx usage for documentation generation]), +[case "${enableval}" in + yes) lynx=yes ;; + no) lynx=no ;; + *) AC_MSG_ERROR(bad value ${enableval} for --disable-lynx) ;; +esac],[lynx=yes]) + +if test x$lynx = xyes ; then + AC_CHECK_PROG(have_lynx, lynx, yes, no) + + if test x$have_lynx = xno ; then + AC_MSG_ERROR([*** Sorry, you have to install lynx or use --disable-lynx ***]) + fi +fi + +AM_CONDITIONAL([USE_LYNX], [test "x$lynx" = xyes]) + +# XMLTOMAN manpage generation +AC_ARG_ENABLE(xmltoman, + AC_HELP_STRING([--disable-xmltoman], [Disable rebuilding of man pages with xmltoman]), +[case "${enableval}" in + yes) xmltoman=yes ;; + no) xmltoman=no ;; + *) AC_MSG_ERROR([bad value ${enableval} for --disable-xmltoman]) ;; +esac],[xmltoman=yes]) + +if test x$xmltoman = xyes ; then + AC_CHECK_PROG(have_xmltoman, xmltoman, yes, no) + + if test x$have_xmltoman = xno ; then + AC_MSG_WARN([*** Not rebuilding man pages as xmltoman is not found ***]) + xmltoman=no + fi +fi + +AM_CONDITIONAL([USE_XMLTOMAN], [test "x$xmltoman" = xyes]) + +AC_ARG_ENABLE(compat05, + AC_HELP_STRING([--enable-compat05], [Enable compatibility with pam_dotfile <= 0.5]), +[case "${enableval}" in + yes) compat05=yes ;; + no) compat05=no ;; + *) AC_MSG_ERROR(bad value ${enableval} for --enable-compat05) ;; +esac],[compat05=no]) + +if test x$compat05 = xyes ; then + AC_MSG_NOTICE([ *** Compatibility with pam_dotfile <= 0.5 is ENABLED ***]) + CFLAGS="$CFLAGS -DCOMPAT05=1" +else + AC_MSG_WARN([ *** Compatibility with pam_dotfile <= 0.5 is DISABLED ***]) +fi + +AC_CONFIG_FILES([src/Makefile Makefile man/Makefile doc/Makefile doc/README.html]) +AC_OUTPUT diff --git a/doc/Makefile.am b/doc/Makefile.am new file mode 100644 index 0000000..5c36d4e --- /dev/null +++ b/doc/Makefile.am @@ -0,0 +1,35 @@ +# $Id$ + +# This file is part of pam_dotfile. +# +# pam_dotfile is free software; you can redistribute it and/or modify it +# under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 2 of the License, or +# (at your option) any later version. +# +# pam_dotfile is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with pam_dotfile; if not, write to the Free Software Foundation, +# Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA. + +noinst_DATA = README.html README +EXTRA_DIST = $(noinst_DATA) style.css README.html.in + +MAINTAINERCLEANFILES = README README.html +CLEANFILES = + +if USE_LYNX +README: README.html + lynx --dump $^ | sed 's,file://localhost/.*/doc/README.html,README,' > $@ + +CLEANFILES += README +endif + +tidy: README.html + tidy -e < README.html + +.PHONY: tidy diff --git a/doc/README.html.in b/doc/README.html.in new file mode 100644 index 0000000..59d4614 --- /dev/null +++ b/doc/README.html.in @@ -0,0 +1,265 @@ + + + + + +pam_dotfile @PACKAGE_VERSION@ + + + + +

pam_dotfile @PACKAGE_VERSION@

+ +

Copyright 2002,2003 Lennart Poettering <mzcnzqbgsvyr [at] itaparica.org>

+ + + +

License

+ +

This program is free software; you can redistribute it and/or +modify it under the terms of the GNU General Public License as +published by the Free Software Foundation; either version 2 of the +License, or (at your option) any later version.

+ +

This program is distributed in the hope that it will be useful, but +WITHOUT ANY WARRANTY; without even the implied warranty of +MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +General Public License for more details.

+ +

You should have received a copy of the GNU General Public License +along with this program; if not, write to the Free Software +Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.

+ +

News

+ +
Mon July 21 2003:

Version +0.6 released, changes include: Fix MD5 digest generation. This +breaks compatibility with pam_dotfile <= 0.5 unless +--enable-compat05 is specified at compile time. Minor other +fixes (mostly related to the build system). All users should update.

+ +
Tue July 8 2003:

Version +0.5 released, changes include: Autoconf support, fixed an important bug regarding a race on child process creation. All users should update.

+ +

Overview

+ +

pam_dotfileis a PAM module which allows users to have more +than one password for a single account, each for a different +service. This is desirable because many users have objections to using +the same password for (as an example) an IMAP4 mailbox and SSH +access. The IMAP4 password should be distinct from the SSH password +because the user wants to save the former in the configuration of his +mail agent, but not the latter. The same applies to POP3 mailboxes, +FTP and comparable services.

+ +

Status

+ +

Version @PACKAGE_VERSION@ is stable and feature complete.

+ +

Documentation

+ +

How does it work?

+ +

The module needs be activated for the specific service in the +configuration file /etc/pam.d/<service>. The user is +than able to create a second valid password for that service by +issuing the following commands:

+ +
+pam-dotfile-gen -a <service>
+
+ +

Replace <service> by the PAM service name, e.g. imapd. The user has to enter the new password twice. This will save the +password to ~/.pam-<service> in a hashed way.

+ +

A complete example for the service imap (for the IMAP server dovecot in this +case):

+ +

/etc/pam.d/imap:

+ +
+#%PAM-1.0
+auth sufficient pam_unix_auth.so
+auth sufficient pam_dotfile.so use_first_pass no_warn
+auth required pam_deny.so
+
+ +

As user waldo:

+ +
+[waldo@wonder] ~$ pam-dotfile-gen -a imap
+Password:quux
+Please repeat; password:quux
+Password added.
+
+ +

That's it. User waldo may now access his IMAP mail store either by +using his unix password or by using quux.

+ +

If you want to deny access with the unix password when a .pam file +exists, you should install the following /etc/pam.d/imap:

+ +
+#%PAM-1.0
+auth [success=done new_authtok_reqd=done authinfo_unavail=ignore default=die] pam_dotfile.so no_warn
+auth [success=done new_authtok_reqd=done default=die] pam_unix.so use_first_pass
+
+ +

Please note: the pam.d fragments shown above are based on Debian +GNU/Linux' default PAM installation. I know that some distributions +(i.e. Red Hat) use pam_pwdb.so instead of pam_unix.so as default +authentication mechanism. Please adapt the pam.d configuration to your +specific distribution.

+ +

Notes

+ +

For getting access to the user's files a SUID root helper utility +/sbin/pam-dotfile-helper is used.

+ +

The .pam files are ignored when their access mode AND 077 is non-zero, +when they are symlinks or when any parent directory is group or world +writable.

+ +

pam_dotfile will try to open the the following files for +authentication (in that order):

+ +
    +
  1. ~/.pam-<service>
    2. +
  2. ~/.pam/<service>
    3. +
  3. ~/.pam-other
    4. +
  4. ~/.pam/other
    5. +
+ +

The first file in this list that exists is used for +authentication. Regardless of any of the passwords contained therein +are correct the other files are NOT evaluated.

+ +

The hashing is implemented in the following way:

+ +
    +
  1. A 16 byte random string is read from /dev/urandom (salt)
    2. +
  2. It is formatted in a 32 character hexadecimal string
    3. +
  3. The password is appended
    4. +
  4. The MD5 hash of this string is calculated
    5. +
  5. The hash is formatted in another 32 character hexadecimal string
    6. +
  6. The result is the concatenation of the two hexadecimal strings
    7. +
+ +

I believe that this is somewhat secure. However, I am not a +cryptoanalyst, I cannot guarantee for this. (Probably a cryptoanalyst +cannot either.)

+ +

The hashing function changed a little from 0.5 to 0.6. There was an +ugly error in formatting the digest into a hexadecimal string. By fixing +this the old hashed passwords became incompatible with newer releases +of pam_dotfile. For sake of compatibility I added the option +--enable-compat05 to the configure script. Passwords +for 0.6 are prefixed with a + in the dot files, older +passwords are not. You are encouraged to fix your passwords to comply +with the new version.

+ +

pam-dotfile-gen may be used as a filter that reads a text stream +with unencrypted passwords and crypts them. Empty lines and those +starting with # are passed in an unmodified way to STDOUT. Thus the +user may comment the passwords in his .pam files.

+ +

PAM parameters

+ +
    + +
  • debug - Be very verbose to syslog(3)
    • + +
  • use_first_pass - Don't issue a password prompt, use one + supplied by a previous modules
    • + +
  • try_first_pass - Nearly the same as use_first_pass, but don't + fail if no password was supplied, instead query the user
    • + +
  • use_authtok - Synonym for use_first_pass
    • + +
  • rootok - Don't deny access for users with uid == 0
    • + +
  • nullok - Don't deny access for null passwords
    • + +
  • fork - Always fork before trying to open the password files via the helper tool
    • + +
  • nofork - Never fork
    • + +
  • no_warn - Suppress warnings to syslog(3)
    • + +
  • stat_only_home - verifies group/world readability only inside the home directory. + e.g. if the configuration file is /home/waldo/.pam/service + only /home/waldo/.pam and /home/waldo are tested. + This is sometimes necessary if the home directories are symbolic links.
    • + +
  • nocompat05 - Disable compatibility with pam_dotfile <= 0.5. This is only available if pam_dotfile was compiled with --enable-compat05
    • +
+ + +

Requirements

+ +

pam_dotfile was developed and tested on Debian GNU/Linux +"testing" from July 2003, it should work on most other Linux +distributions (and maybe Unix versions) since it uses GNU autoconf and +GNU libtool for source code configuration and shared library +management.

+ +

You need the PAM development headers installed (naturally...)

+ +

Installation

+ +

As this package is made with the GNU autotools you should run +./configure inside the distribution directory for configuring +the source tree. After that you should run make for +compilation and make install (as root) for installation of +pam_dotfile.

+ +

If you upgrade from versions prior to 0.6 you should pass +--enable-compat05 to configure to enable +compatibility with old user dot files. If you do not specify this, old +passwords are ignored, the users have to recreate their passwords with +pam-dotfile-gen.

+ +

If you do a fresh install you should not pass +--enable-compat05 to configure. (An alternative is +to specify --enable-compat05 but to disable it afterwards by +using nocompat05 on the pam configuration line.)

+ +

Acknowledgements

+ +

This software includes an implementation of the MD5 algorithm by +L. Peter Deutsch. Thanks to him for this.

+ +

Oliver Kurth for packaging pam_dotfile for Debian

+ +

Christian Loitsch provided a patch with some bugfixes and support +for stat_only_home

+ +

Download

+ +

The newest release is always available from http://www.stud.uni-hamburg.de/~lennart/projects/pam_dotfile/

+ +

The current release is @PACKAGE_VERSION@

+ +

You may find a mostly up to date Debian package of pam_dotfile on the Debian package repository.

+ +
+ +
Lennart Poettering <mzcnzqbgsvyr [at] itaparica.org>, July 2003
+
$Id$
+ + + diff --git a/doc/style.css b/doc/style.css new file mode 100644 index 0000000..0a40aef --- /dev/null +++ b/doc/style.css @@ -0,0 +1,12 @@ +/* $Id$ */ +body { color: black; background-color: white; margin: 0.5cm; } +a:link, a:visited { color: #900000; } +p { margin-left: 0.5cm; margin-right: 0.5cm; } +div.news-date { margin-left: 0.5cm; font-size: 80%; color: #4f0000; } +p.news-text { margin-left: 1cm; } +ul { margin-left: .5cm; } +ol { margin-left: .5cm; } +h1 { color: #00009F; } +h2 { color: #00009F; } +h3 { color: #00004F; margin-left: 0.5cm; } +pre { margin-left: .5cm; background-color: #f0f0f0; padding: 0.4cm;} diff --git a/man/Makefile.am b/man/Makefile.am new file mode 100644 index 0000000..78a8129 --- /dev/null +++ b/man/Makefile.am @@ -0,0 +1,33 @@ +# $Id$ +# +# This file is part of pam_dotfile. +# +# pam_dotfile is free software; you can redistribute it and/or modify it +# under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 2 of the License, or +# (at your option) any later version. +# +# pam_dotfile is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with pam_dotfile; if not, write to the Free Software Foundation, +# Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA. + +man_MANS = pam-dotfile-gen.1 pam-dotfile-helper.8 + +EXTRA_DIST = $(man_MANS) pam-dotfile-helper.8.xml.in pam-dotfile-gen.1.xml.in + +if USE_XMLTOMAN + +CLEANFILES = $(man_MANS) + +pam-dotfile-gen.1: pam-dotfile-gen.1.xml.in Makefile + sed -e 's,@sysconfdir\@,$(sysconfdir),g' -e 's,@sbindir\@,$(sbindir),g' -e 's,@PACKAGE_BUGREPORT\@,$(PACKAGE_BUGREPORT),g' $< | xmltoman - > $@ + +pam-dotfile-helper.8: pam-dotfile-helper.8.xml.in Makefile + sed -e 's,@sysconfdir\@,$(sysconfdir),g' -e 's,@sbindir\@,$(sbindir),g' -e 's,@PACKAGE_BUGREPORT\@,$(PACKAGE_BUGREPORT),g' $< | xmltoman - > $@ + +endif diff --git a/man/pam-dotfile-gen.1.xml.in b/man/pam-dotfile-gen.1.xml.in new file mode 100644 index 0000000..ff2a986 --- /dev/null +++ b/man/pam-dotfile-gen.1.xml.in @@ -0,0 +1,89 @@ + + + + + + + + pam-dotfile-gen >> ~/.pam-service + pam-dotfile-gen -a service + + + + +

pam-dotfile-gen is a utility to create a password for a + particular service, if your system administrator has set up + authenication for that service with libpam-dotfile.

+ +

To create or change your password, just enter pam-dotfile-gen + -a <service> and you will be prompted for the + password. The password will be written to ~/.pam-<service> + in a hashed format. To add another password to the same service + repeat the command.

+ +

If called without any argument the tool will act as + filter. Unencrypted passwords are read from STDIN, are crypted + and written to STDOUT. The passwords are separated by + newlines. Empty lines and lines beginning with # are ignored and + written in an untouched way to STDOUT.

+ +

The file format of the ~/.pam is rather simple. Every + non-empty line which does not begin with # is compared with the + hashed password to be checked. This allows you to specify free + form comments for each password with a simple text editor.

+ + + + + + + + + + + +
+

pam-dotfile was written by Lennart Poettering + <@PACKAGE_BUGREPORT@>. pam-dotfile is available + at

+
+ +
+

This man page was written using by Oliver Kurth.

+
+ + diff --git a/man/pam-dotfile-helper.8.xml.in b/man/pam-dotfile-helper.8.xml.in new file mode 100644 index 0000000..c47f0ea --- /dev/null +++ b/man/pam-dotfile-helper.8.xml.in @@ -0,0 +1,61 @@ + + + + + + + + + <not invoked manually> + + + +

+ A helper binary for the pam_dotfile module, pam-dotfile-helper, is provided to + check the user's password. This binary is very simple and + will only check the password of the user invoking it. It is called + transparently on behalf of the user by the authenticating component of + the pam_dotfile module. In this way it is possible for applications + to work without being setuid root. +

+ + +
+

+ This program is not intended to be called directly by users and will + log to syslog if it is called improperly (i.e., by someone trying to + exploit it). +

+
+ +
+

pam-dotfile was written by Lennart Poettering + <@PACKAGE_BUGREPORT@>. pam-dotfile is available + at +

+
+ +
+

This man page was written using by Oliver Kurth.

+
+ + diff --git a/src/Makefile.am b/src/Makefile.am new file mode 100644 index 0000000..2905b7c --- /dev/null +++ b/src/Makefile.am @@ -0,0 +1,41 @@ +# $Id$ +# +# This file is part of pam_dotfile. +# +# pam_dotfile is free software; you can redistribute it and/or modify it +# under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 2 of the License, or +# (at your option) any later version. +# +# pam_dotfile is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with pam_dotfile; if not, write to the Free Software Foundation, +# Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA. + +AM_CFLAGS = -DSBINDIR=\"@sbindir@\" + +moduledir = @PAM_MODDIR@ +module_LTLIBRARIES = pam_dotfile.la + +pam_dotfile_la_SOURCES = pam_dotfile.c md5.c md5util.c md5.h md5util.h log.c log.h common.c common.h +pam_dotfile_la_LDFLAGS = -module -avoid-version +pam_dotfile_la_CFLAGS = $(AM_CFLAGS) + +sbin_PROGRAMS = pam-dotfile-helper +bin_PROGRAMS = pam-dotfile-gen pamtest + +pam_dotfile_gen_SOURCES = pam-dotfile-gen.c md5.c md5.h md5util.c md5util.h +pam_dotfile_gen_CFLAGS = $(AM_CFLAGS) + +pam_dotfile_helper_SOURCES = pam-dotfile-helper.c md5.c md5.h md5util.c md5util.h common.c common.h log.c log.h +pam_dotfile_helper_CFLAGS = $(AM_CFLAGS) + +pamtest_SOURCES = pamtest.c + +install-exec-hook: + chown root $(DESTDIR)$(sbindir)/pam-dotfile-helper + chmod u+s $(DESTDIR)$(sbindir)/pam-dotfile-helper diff --git a/src/common.c b/src/common.c new file mode 100644 index 0000000..da575fe --- /dev/null +++ b/src/common.c @@ -0,0 +1,220 @@ +/*** + This file is part of pam_dotfile. + + pam_dotfile is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + pam_dotfile is distributed in the hope that it will be useful, but + WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + General Public License for more details. + + You should have received a copy of the GNU General Public License + along with pam_dotfile; if not, write to the Free Software + Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 + USA +***/ + +#include +#include +#include +#include +#include +#include + +#include "common.h" +#include "md5.h" +#include "md5util.h" +#include "log.h" + +static int _md5_compare(context_t *c, const char *password, const char *ln) { + md5_state_t st; + static md5_byte_t digest[16]; + static char t[33]; +#ifdef COMPAT05 + int olddigest = 0; +#endif + + if (ln[0] == '+') + ln++; + else { +#ifdef COMPAT05 + if (!c->opt_nocompat05) + olddigest = 1; + else { +#endif + logmsg(c, LOG_WARNING, "Authentication failure: pam_dotfile configured whithout compatibility for <= 0.5, but used with <= 0.5 authentication data"); + return PAM_AUTH_ERR; +#ifdef COMPAT05 + } +#endif + } + + if (strlen(ln) != 64) { + logmsg(c, LOG_WARNING, "Authentication failure: broken MD5 digest"); + return PAM_AUTH_ERR; + } + + md5_init(&st); + md5_append(&st, ln, 32); + md5_append(&st, password, strlen(password)); + md5_finish(&st, digest); + +#ifdef COMPAT05 + if (olddigest) + fhex_broken_md5(digest, t); + else +#endif + fhex_md5(digest, t); + + t[32] = 0; + + return strcmp(ln+32, t) ? PAM_AUTH_ERR : PAM_SUCCESS; +} + +static int _check_parent_dirs(const char *base, const char *fn) { + static char p[PATH_MAX]; + static struct stat st; + int size_base; + int retval; + + size_base = snprintf(p, sizeof(p) - 1, "%s", base); + if (size_base >= (sizeof(p) - 1)) + return -1; + + retval = snprintf(&(p[size_base]), sizeof(p) - size_base, "%s", fn); + if (retval >= (sizeof(p) - size_base)) + return -1; + + + for (;;) { + char *slash = strrchr(p, '/'); + + if (slash == p || !slash) + return 0; + + if (slash < &(p[size_base])) + return 0; + + + *slash = 0; + + if (lstat(p, &st) < 0) + return -1; + + if (st.st_mode & 022) + return -1; + } +} + +int user_authentication(context_t *c, const char *username, const char *password) { + struct passwd *pw; + FILE *f; + static char fn[PATH_MAX]; + static char pam_fn[PATH_MAX]; + static struct stat st; + int ret; + + if (!(pw = getpwnam(username))) { + logmsg(c, LOG_WARNING, "Authentication failure: user <%s> not found", username); + return PAM_USER_UNKNOWN; + } + + if (!c->opt_rootok && pw->pw_uid == 0) { + logmsg(c, LOG_WARNING, "Authentication failure: access denied for root"); + return PAM_AUTH_ERR; + } + + logmsg(c, LOG_DEBUG, "Searching file for service %s", c->service); + + snprintf(fn, sizeof(fn), "%s/.pam-%s", pw->pw_dir, c->service); + snprintf(pam_fn, sizeof(fn), "/.pam-%s", c->service); + if (!(f = fopen(fn, "r")) && errno == ENOENT) { + snprintf(fn, sizeof(fn), "%s/.pam/%s", pw->pw_dir, c->service); + snprintf(pam_fn, sizeof(fn), "/.pam/%s", c->service); + if (!(f = fopen(fn, "r")) && errno == ENOENT) { + snprintf(fn, sizeof(fn), "%s/.pam-other", pw->pw_dir); + snprintf(pam_fn, sizeof(fn), "/.pam-other"); + if (!(f = fopen(fn, "r")) && errno == ENOENT) { + snprintf(fn, sizeof(fn), "%s/.pam/other", pw->pw_dir); + snprintf(pam_fn, sizeof(fn), "/.pam/other"); + if (!(f = fopen(fn, "r")) && errno == ENOENT) { + logmsg(c, LOG_WARNING, "Authentication failure: no .pam file in home directory of <%s> existent", username); + return PAM_AUTHINFO_UNAVAIL; + } + } + } + } + + if (!f) { + logmsg(c, LOG_WARNING, "Authentication failure: could not open .pam file in home directory of <%s>", username); + return PAM_AUTH_ERR; + } + + if (lstat(fn, &st) < 0) { + logmsg(c, LOG_ERR, "Could not lstat() file %s: %s", fn, strerror(errno)); + fclose(f); + return PAM_AUTH_ERR; + } + + if (!S_ISREG(st.st_mode)) { + logmsg(c, LOG_ERR, "%s ist not a regular file: %s", fn, strerror(errno)); + fclose(f); + return PAM_AUTH_ERR; + } + + if (fstat(fileno(f), &st) < 0) { + logmsg(c, LOG_ERR, "Could not fstat() file %s: %s", fn, strerror(errno)); + fclose(f); + return PAM_AUTH_ERR; + } + + if (st.st_mode & 0077) { + logmsg(c, LOG_WARNING, "Authentication failure: bad access mode of file %s: %04o, correct is 0600\n", fn, st.st_mode & 07777); + fclose(f); + return PAM_AUTH_ERR; + } + + if (st.st_uid != pw->pw_uid) { + logmsg(c, LOG_WARNING, "Authentication failure: bad owner of file %s: %u, correct is %u\n", fn, st.st_uid, pw->pw_uid); + fclose(f); + return PAM_AUTH_ERR; + } + + if ((c->opt_stat_only_home ? _check_parent_dirs(pw->pw_dir, pam_fn) : _check_parent_dirs("", fn)) < 0) { + logmsg(c, LOG_ERR, "Parent directories of %s must not be group or world writable", fn); + fclose(f); + return PAM_AUTH_ERR; + } + + ret = PAM_AUTH_ERR; + while (!feof(f)) { + static char ln[100]; + int n; + + if (!fgets(ln, sizeof(ln), f)) + break; + + if (ln[0] == 0 || ln[0] == '\n' || ln[0] == '#') + continue; + + if (ln[(n = strlen(ln))-1] == '\n') + ln[n-1] = 0; + + if (!_md5_compare(c, password, ln)) { + ret = PAM_SUCCESS; + break; + } + } + + fclose(f); + + if (ret == PAM_SUCCESS) + logmsg(c, LOG_INFO, "Authentication successful for user <%s>", username); + else + logmsg(c, LOG_WARNING, "Authentication failure: bad password for user <%s>", username); + + return ret; +} diff --git a/src/common.h b/src/common.h new file mode 100644 index 0000000..ef34cf3 --- /dev/null +++ b/src/common.h @@ -0,0 +1,43 @@ +#ifndef foocommonhfoo +#define foocommonhfoo + +/*** + This file is part of pam_dotfile. + + pam_dotfile is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + pam_dotfile is distributed in the hope that it will be useful, but + WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + General Public License for more details. + + You should have received a copy of the GNU General Public License + along with pam_dotfile; if not, write to the Free Software + Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 + USA +***/ + +#include +#include + +typedef struct context { + int opt_debug; + int opt_use_first_pass; + int opt_try_first_pass; + int opt_rootok; + int opt_nullok; + int opt_fork; // 0: auto; 1: fork; -1: nofork; + int opt_no_warn; + int opt_stat_only_home; +#ifdef COMPAT05 + int opt_nocompat05; +#endif + const char *service; +} context_t; + +int user_authentication(context_t *c, const char *username, const char *password); + +#endif diff --git a/src/log.c b/src/log.c new file mode 100644 index 0000000..6edcf06 --- /dev/null +++ b/src/log.c @@ -0,0 +1,48 @@ +/*** + This file is part of pam_dotfile. + + pam_dotfile is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + pam_dotfile is distributed in the hope that it will be useful, but + WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + General Public License for more details. + + You should have received a copy of the GNU General Public License + along with pam_dotfile; if not, write to the Free Software + Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 + USA +***/ + +#include +#include +#include + +#include "log.h" + +void logmsg(context_t *c, int level, char *format, ...) { + va_list ap; + va_start(ap, format); + +// vfprintf(stderr, format, ap); +// fprintf(stderr, "\n"); + + if (c->opt_debug || (level != LOG_DEBUG && level != LOG_WARNING) || (level == LOG_WARNING && !c->opt_no_warn)) { + static char ln[256]; + char *p; + + if (c->service) + snprintf(p = ln, sizeof(ln), "%s(pam_dotfile)", c->service); + else + p = "pam_dotfile"; + + openlog(p, LOG_PID, LOG_AUTHPRIV); + vsyslog(level, format, ap); + closelog(); + } + + va_end(ap); +} diff --git a/src/log.h b/src/log.h new file mode 100644 index 0000000..b695b64 --- /dev/null +++ b/src/log.h @@ -0,0 +1,30 @@ +#ifndef foologhfoo +#define foologhfoo + +/*** + This file is part of pam_dotfile. + + pam_dotfile is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + pam_dotfile is distributed in the hope that it will be useful, but + WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + General Public License for more details. + + You should have received a copy of the GNU General Public License + along with pam_dotfile; if not, write to the Free Software + Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 + USA +***/ + +#include +#include "common.h" + +void logmsg(context_t *c, int level, char *format, ...); + +#endif + + diff --git a/src/md5.c b/src/md5.c new file mode 100644 index 0000000..2c9c2fc --- /dev/null +++ b/src/md5.c @@ -0,0 +1,381 @@ +/* + Copyright (C) 1999, 2000, 2002 Aladdin Enterprises. All rights reserved. + + This software is provided 'as-is', without any express or implied + warranty. In no event will the authors be held liable for any damages + arising from the use of this software. + + Permission is granted to anyone to use this software for any purpose, + including commercial applications, and to alter it and redistribute it + freely, subject to the following restrictions: + + 1. The origin of this software must not be misrepresented; you must not + claim that you wrote the original software. If you use this software + in a product, an acknowledgment in the product documentation would be + appreciated but is not required. + 2. Altered source versions must be plainly marked as such, and must not be + misrepresented as being the original software. + 3. This notice may not be removed or altered from any source distribution. + + L. Peter Deutsch + ghost@aladdin.com + + */ +/* $Id$ */ +/* + Independent implementation of MD5 (RFC 1321). + + This code implements the MD5 Algorithm defined in RFC 1321, whose + text is available at + http://www.ietf.org/rfc/rfc1321.txt + The code is derived from the text of the RFC, including the test suite + (section A.5) but excluding the rest of Appendix A. It does not include + any code or documentation that is identified in the RFC as being + copyrighted. + + The original and principal author of md5.c is L. Peter Deutsch + . Other authors are noted in the change history + that follows (in reverse chronological order): + + 2002-04-13 lpd Clarified derivation from RFC 1321; now handles byte order + either statically or dynamically; added missing #include + in library. + 2002-03-11 lpd Corrected argument list for main(), and added int return + type, in test program and T value program. + 2002-02-21 lpd Added missing #include in test program. + 2000-07-03 lpd Patched to eliminate warnings about "constant is + unsigned in ANSI C, signed in traditional"; made test program + self-checking. + 1999-11-04 lpd Edited comments slightly for automatic TOC extraction. + 1999-10-18 lpd Fixed typo in header comment (ansi2knr rather than md5). + 1999-05-03 lpd Original version. + */ + +#include "md5.h" +#include + +#undef BYTE_ORDER /* 1 = big-endian, -1 = little-endian, 0 = unknown */ +#ifdef ARCH_IS_BIG_ENDIAN +# define BYTE_ORDER (ARCH_IS_BIG_ENDIAN ? 1 : -1) +#else +# define BYTE_ORDER 0 +#endif + +#define T_MASK ((md5_word_t)~0) +#define T1 /* 0xd76aa478 */ (T_MASK ^ 0x28955b87) +#define T2 /* 0xe8c7b756 */ (T_MASK ^ 0x173848a9) +#define T3 0x242070db +#define T4 /* 0xc1bdceee */ (T_MASK ^ 0x3e423111) +#define T5 /* 0xf57c0faf */ (T_MASK ^ 0x0a83f050) +#define T6 0x4787c62a +#define T7 /* 0xa8304613 */ (T_MASK ^ 0x57cfb9ec) +#define T8 /* 0xfd469501 */ (T_MASK ^ 0x02b96afe) +#define T9 0x698098d8 +#define T10 /* 0x8b44f7af */ (T_MASK ^ 0x74bb0850) +#define T11 /* 0xffff5bb1 */ (T_MASK ^ 0x0000a44e) +#define T12 /* 0x895cd7be */ (T_MASK ^ 0x76a32841) +#define T13 0x6b901122 +#define T14 /* 0xfd987193 */ (T_MASK ^ 0x02678e6c) +#define T15 /* 0xa679438e */ (T_MASK ^ 0x5986bc71) +#define T16 0x49b40821 +#define T17 /* 0xf61e2562 */ (T_MASK ^ 0x09e1da9d) +#define T18 /* 0xc040b340 */ (T_MASK ^ 0x3fbf4cbf) +#define T19 0x265e5a51 +#define T20 /* 0xe9b6c7aa */ (T_MASK ^ 0x16493855) +#define T21 /* 0xd62f105d */ (T_MASK ^ 0x29d0efa2) +#define T22 0x02441453 +#define T23 /* 0xd8a1e681 */ (T_MASK ^ 0x275e197e) +#define T24 /* 0xe7d3fbc8 */ (T_MASK ^ 0x182c0437) +#define T25 0x21e1cde6 +#define T26 /* 0xc33707d6 */ (T_MASK ^ 0x3cc8f829) +#define T27 /* 0xf4d50d87 */ (T_MASK ^ 0x0b2af278) +#define T28 0x455a14ed +#define T29 /* 0xa9e3e905 */ (T_MASK ^ 0x561c16fa) +#define T30 /* 0xfcefa3f8 */ (T_MASK ^ 0x03105c07) +#define T31 0x676f02d9 +#define T32 /* 0x8d2a4c8a */ (T_MASK ^ 0x72d5b375) +#define T33 /* 0xfffa3942 */ (T_MASK ^ 0x0005c6bd) +#define T34 /* 0x8771f681 */ (T_MASK ^ 0x788e097e) +#define T35 0x6d9d6122 +#define T36 /* 0xfde5380c */ (T_MASK ^ 0x021ac7f3) +#define T37 /* 0xa4beea44 */ (T_MASK ^ 0x5b4115bb) +#define T38 0x4bdecfa9 +#define T39 /* 0xf6bb4b60 */ (T_MASK ^ 0x0944b49f) +#define T40 /* 0xbebfbc70 */ (T_MASK ^ 0x4140438f) +#define T41 0x289b7ec6 +#define T42 /* 0xeaa127fa */ (T_MASK ^ 0x155ed805) +#define T43 /* 0xd4ef3085 */ (T_MASK ^ 0x2b10cf7a) +#define T44 0x04881d05 +#define T45 /* 0xd9d4d039 */ (T_MASK ^ 0x262b2fc6) +#define T46 /* 0xe6db99e5 */ (T_MASK ^ 0x1924661a) +#define T47 0x1fa27cf8 +#define T48 /* 0xc4ac5665 */ (T_MASK ^ 0x3b53a99a) +#define T49 /* 0xf4292244 */ (T_MASK ^ 0x0bd6ddbb) +#define T50 0x432aff97 +#define T51 /* 0xab9423a7 */ (T_MASK ^ 0x546bdc58) +#define T52 /* 0xfc93a039 */ (T_MASK ^ 0x036c5fc6) +#define T53 0x655b59c3 +#define T54 /* 0x8f0ccc92 */ (T_MASK ^ 0x70f3336d) +#define T55 /* 0xffeff47d */ (T_MASK ^ 0x00100b82) +#define T56 /* 0x85845dd1 */ (T_MASK ^ 0x7a7ba22e) +#define T57 0x6fa87e4f +#define T58 /* 0xfe2ce6e0 */ (T_MASK ^ 0x01d3191f) +#define T59 /* 0xa3014314 */ (T_MASK ^ 0x5cfebceb) +#define T60 0x4e0811a1 +#define T61 /* 0xf7537e82 */ (T_MASK ^ 0x08ac817d) +#define T62 /* 0xbd3af235 */ (T_MASK ^ 0x42c50dca) +#define T63 0x2ad7d2bb +#define T64 /* 0xeb86d391 */ (T_MASK ^ 0x14792c6e) + + +static void +md5_process(md5_state_t *pms, const md5_byte_t *data /*[64]*/) +{ + md5_word_t + a = pms->abcd[0], b = pms->abcd[1], + c = pms->abcd[2], d = pms->abcd[3]; + md5_word_t t; +#if BYTE_ORDER > 0 + /* Define storage only for big-endian CPUs. */ + md5_word_t X[16]; +#else + /* Define storage for little-endian or both types of CPUs. */ + md5_word_t xbuf[16]; + const md5_word_t *X; +#endif + + { +#if BYTE_ORDER == 0 + /* + * Determine dynamically whether this is a big-endian or + * little-endian machine, since we can use a more efficient + * algorithm on the latter. + */ + static const int w = 1; + + if (*((const md5_byte_t *)&w)) /* dynamic little-endian */ +#endif +#if BYTE_ORDER <= 0 /* little-endian */ + { + /* + * On little-endian machines, we can process properly aligned + * data without copying it. + */ + if (!((data - (const md5_byte_t *)0) & 3)) { + /* data are properly aligned */ + X = (const md5_word_t *)data; + } else { + /* not aligned */ + memcpy(xbuf, data, 64); + X = xbuf; + } + } +#endif +#if BYTE_ORDER == 0 + else /* dynamic big-endian */ +#endif +#if BYTE_ORDER >= 0 /* big-endian */ + { + /* + * On big-endian machines, we must arrange the bytes in the + * right order. + */ + const md5_byte_t *xp = data; + int i; + +# if BYTE_ORDER == 0 + X = xbuf; /* (dynamic only) */ +# else +# define xbuf X /* (static only) */ +# endif + for (i = 0; i < 16; ++i, xp += 4) + xbuf[i] = xp[0] + (xp[1] << 8) + (xp[2] << 16) + (xp[3] << 24); + } +#endif + } + +#define ROTATE_LEFT(x, n) (((x) << (n)) | ((x) >> (32 - (n)))) + + /* Round 1. */ + /* Let [abcd k s i] denote the operation + a = b + ((a + F(b,c,d) + X[k] + T[i]) <<< s). */ +#define F(x, y, z) (((x) & (y)) | (~(x) & (z))) +#define SET(a, b, c, d, k, s, Ti)\ + t = a + F(b,c,d) + X[k] + Ti;\ + a = ROTATE_LEFT(t, s) + b + /* Do the following 16 operations. */ + SET(a, b, c, d, 0, 7, T1); + SET(d, a, b, c, 1, 12, T2); + SET(c, d, a, b, 2, 17, T3); + SET(b, c, d, a, 3, 22, T4); + SET(a, b, c, d, 4, 7, T5); + SET(d, a, b, c, 5, 12, T6); + SET(c, d, a, b, 6, 17, T7); + SET(b, c, d, a, 7, 22, T8); + SET(a, b, c, d, 8, 7, T9); + SET(d, a, b, c, 9, 12, T10); + SET(c, d, a, b, 10, 17, T11); + SET(b, c, d, a, 11, 22, T12); + SET(a, b, c, d, 12, 7, T13); + SET(d, a, b, c, 13, 12, T14); + SET(c, d, a, b, 14, 17, T15); + SET(b, c, d, a, 15, 22, T16); +#undef SET + + /* Round 2. */ + /* Let [abcd k s i] denote the operation + a = b + ((a + G(b,c,d) + X[k] + T[i]) <<< s). */ +#define G(x, y, z) (((x) & (z)) | ((y) & ~(z))) +#define SET(a, b, c, d, k, s, Ti)\ + t = a + G(b,c,d) + X[k] + Ti;\ + a = ROTATE_LEFT(t, s) + b + /* Do the following 16 operations. */ + SET(a, b, c, d, 1, 5, T17); + SET(d, a, b, c, 6, 9, T18); + SET(c, d, a, b, 11, 14, T19); + SET(b, c, d, a, 0, 20, T20); + SET(a, b, c, d, 5, 5, T21); + SET(d, a, b, c, 10, 9, T22); + SET(c, d, a, b, 15, 14, T23); + SET(b, c, d, a, 4, 20, T24); + SET(a, b, c, d, 9, 5, T25); + SET(d, a, b, c, 14, 9, T26); + SET(c, d, a, b, 3, 14, T27); + SET(b, c, d, a, 8, 20, T28); + SET(a, b, c, d, 13, 5, T29); + SET(d, a, b, c, 2, 9, T30); + SET(c, d, a, b, 7, 14, T31); + SET(b, c, d, a, 12, 20, T32); +#undef SET + + /* Round 3. */ + /* Let [abcd k s t] denote the operation + a = b + ((a + H(b,c,d) + X[k] + T[i]) <<< s). */ +#define H(x, y, z) ((x) ^ (y) ^ (z)) +#define SET(a, b, c, d, k, s, Ti)\ + t = a + H(b,c,d) + X[k] + Ti;\ + a = ROTATE_LEFT(t, s) + b + /* Do the following 16 operations. */ + SET(a, b, c, d, 5, 4, T33); + SET(d, a, b, c, 8, 11, T34); + SET(c, d, a, b, 11, 16, T35); + SET(b, c, d, a, 14, 23, T36); + SET(a, b, c, d, 1, 4, T37); + SET(d, a, b, c, 4, 11, T38); + SET(c, d, a, b, 7, 16, T39); + SET(b, c, d, a, 10, 23, T40); + SET(a, b, c, d, 13, 4, T41); + SET(d, a, b, c, 0, 11, T42); + SET(c, d, a, b, 3, 16, T43); + SET(b, c, d, a, 6, 23, T44); + SET(a, b, c, d, 9, 4, T45); + SET(d, a, b, c, 12, 11, T46); + SET(c, d, a, b, 15, 16, T47); + SET(b, c, d, a, 2, 23, T48); +#undef SET + + /* Round 4. */ + /* Let [abcd k s t] denote the operation + a = b + ((a + I(b,c,d) + X[k] + T[i]) <<< s). */ +#define I(x, y, z) ((y) ^ ((x) | ~(z))) +#define SET(a, b, c, d, k, s, Ti)\ + t = a + I(b,c,d) + X[k] + Ti;\ + a = ROTATE_LEFT(t, s) + b + /* Do the following 16 operations. */ + SET(a, b, c, d, 0, 6, T49); + SET(d, a, b, c, 7, 10, T50); + SET(c, d, a, b, 14, 15, T51); + SET(b, c, d, a, 5, 21, T52); + SET(a, b, c, d, 12, 6, T53); + SET(d, a, b, c, 3, 10, T54); + SET(c, d, a, b, 10, 15, T55); + SET(b, c, d, a, 1, 21, T56); + SET(a, b, c, d, 8, 6, T57); + SET(d, a, b, c, 15, 10, T58); + SET(c, d, a, b, 6, 15, T59); + SET(b, c, d, a, 13, 21, T60); + SET(a, b, c, d, 4, 6, T61); + SET(d, a, b, c, 11, 10, T62); + SET(c, d, a, b, 2, 15, T63); + SET(b, c, d, a, 9, 21, T64); +#undef SET + + /* Then perform the following additions. (That is increment each + of the four registers by the value it had before this block + was started.) */ + pms->abcd[0] += a; + pms->abcd[1] += b; + pms->abcd[2] += c; + pms->abcd[3] += d; +} + +void +md5_init(md5_state_t *pms) +{ + pms->count[0] = pms->count[1] = 0; + pms->abcd[0] = 0x67452301; + pms->abcd[1] = /*0xefcdab89*/ T_MASK ^ 0x10325476; + pms->abcd[2] = /*0x98badcfe*/ T_MASK ^ 0x67452301; + pms->abcd[3] = 0x10325476; +} + +void +md5_append(md5_state_t *pms, const md5_byte_t *data, int nbytes) +{ + const md5_byte_t *p = data; + int left = nbytes; + int offset = (pms->count[0] >> 3) & 63; + md5_word_t nbits = (md5_word_t)(nbytes << 3); + + if (nbytes <= 0) + return; + + /* Update the message length. */ + pms->count[1] += nbytes >> 29; + pms->count[0] += nbits; + if (pms->count[0] < nbits) + pms->count[1]++; + + /* Process an initial partial block. */ + if (offset) { + int copy = (offset + nbytes > 64 ? 64 - offset : nbytes); + + memcpy(pms->buf + offset, p, copy); + if (offset + copy < 64) + return; + p += copy; + left -= copy; + md5_process(pms, pms->buf); + } + + /* Process full blocks. */ + for (; left >= 64; p += 64, left -= 64) + md5_process(pms, p); + + /* Process a final partial block. */ + if (left) + memcpy(pms->buf, p, left); +} + +void +md5_finish(md5_state_t *pms, md5_byte_t digest[16]) +{ + static const md5_byte_t pad[64] = { + 0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, + 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, + 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, + 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 + }; + md5_byte_t data[8]; + int i; + + /* Save the length before padding. */ + for (i = 0; i < 8; ++i) + data[i] = (md5_byte_t)(pms->count[i >> 2] >> ((i & 3) << 3)); + /* Pad to 56 bytes mod 64. */ + md5_append(pms, pad, ((55 - (pms->count[0] >> 3)) & 63) + 1); + /* Append the length. */ + md5_append(pms, data, 8); + for (i = 0; i < 16; ++i) + digest[i] = (md5_byte_t)(pms->abcd[i >> 2] >> ((i & 3) << 3)); +} diff --git a/src/md5.h b/src/md5.h new file mode 100644 index 0000000..5eb6d6c --- /dev/null +++ b/src/md5.h @@ -0,0 +1,91 @@ +/* + Copyright (C) 1999, 2002 Aladdin Enterprises. All rights reserved. + + This software is provided 'as-is', without any express or implied + warranty. In no event will the authors be held liable for any damages + arising from the use of this software. + + Permission is granted to anyone to use this software for any purpose, + including commercial applications, and to alter it and redistribute it + freely, subject to the following restrictions: + + 1. The origin of this software must not be misrepresented; you must not + claim that you wrote the original software. If you use this software + in a product, an acknowledgment in the product documentation would be + appreciated but is not required. + 2. Altered source versions must be plainly marked as such, and must not be + misrepresented as being the original software. + 3. This notice may not be removed or altered from any source distribution. + + L. Peter Deutsch + ghost@aladdin.com + + */ +/* $Id$ */ +/* + Independent implementation of MD5 (RFC 1321). + + This code implements the MD5 Algorithm defined in RFC 1321, whose + text is available at + http://www.ietf.org/rfc/rfc1321.txt + The code is derived from the text of the RFC, including the test suite + (section A.5) but excluding the rest of Appendix A. It does not include + any code or documentation that is identified in the RFC as being + copyrighted. + + The original and principal author of md5.h is L. Peter Deutsch + . Other authors are noted in the change history + that follows (in reverse chronological order): + + 2002-04-13 lpd Removed support for non-ANSI compilers; removed + references to Ghostscript; clarified derivation from RFC 1321; + now handles byte order either statically or dynamically. + 1999-11-04 lpd Edited comments slightly for automatic TOC extraction. + 1999-10-18 lpd Fixed typo in header comment (ansi2knr rather than md5); + added conditionalization for C++ compilation from Martin + Purschke . + 1999-05-03 lpd Original version. + */ + +#ifndef md5_INCLUDED +# define md5_INCLUDED + +/* + * This package supports both compile-time and run-time determination of CPU + * byte order. If ARCH_IS_BIG_ENDIAN is defined as 0, the code will be + * compiled to run only on little-endian CPUs; if ARCH_IS_BIG_ENDIAN is + * defined as non-zero, the code will be compiled to run only on big-endian + * CPUs; if ARCH_IS_BIG_ENDIAN is not defined, the code will be compiled to + * run on either big- or little-endian CPUs, but will run slightly less + * efficiently on either one than if ARCH_IS_BIG_ENDIAN is defined. + */ + +typedef unsigned char md5_byte_t; /* 8-bit byte */ +typedef unsigned int md5_word_t; /* 32-bit word */ + +/* Define the state of the MD5 Algorithm. */ +typedef struct md5_state_s { + md5_word_t count[2]; /* message length in bits, lsw first */ + md5_word_t abcd[4]; /* digest buffer */ + md5_byte_t buf[64]; /* accumulate block */ +} md5_state_t; + +#ifdef __cplusplus +extern "C" +{ +#endif + +/* Initialize the algorithm. */ +void md5_init(md5_state_t *pms); + +/* Append a string to the message. */ +void md5_append(md5_state_t *pms, const md5_byte_t *data, int nbytes); + +/* Finish the message and return the digest. */ +void md5_finish(md5_state_t *pms, md5_byte_t digest[16]); + +#ifdef __cplusplus +} /* end extern "C" */ +#endif + +#endif /* md5_INCLUDED */ diff --git a/src/md5util.c b/src/md5util.c new file mode 100644 index 0000000..ec416be --- /dev/null +++ b/src/md5util.c @@ -0,0 +1,45 @@ +/*** + This file is part of pam_dotfile. + + pam_dotfile is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + pam_dotfile is distributed in the hope that it will be useful, but + WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + General Public License for more details. + + You should have received a copy of the GNU General Public License + along with pam_dotfile; if not, write to the Free Software + Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 + USA +***/ + +#include "md5util.h" + + +#ifdef COMPAT05 + +void fhex_broken(unsigned char *bin, int len, char *txt) { + const static char hex[] = "01234567890abcdef"; + int i; + + for (i = 0; i < len; i++) { + txt[i*2] = hex[bin[i]>>4]; + txt[i*2+1] = hex[bin[i]&0xF]; + } +} + +#endif + +void fhex(unsigned char *bin, int len, char *txt) { + const static char hex[] = "0123456789abcdef"; + int i; + + for (i = 0; i < len; i++) { + txt[i*2] = hex[bin[i]>>4]; + txt[i*2+1] = hex[bin[i]&0xF]; + } +} diff --git a/src/md5util.h b/src/md5util.h new file mode 100644 index 0000000..da6f538 --- /dev/null +++ b/src/md5util.h @@ -0,0 +1,31 @@ +#ifndef foomd5utilhfoo +#define foomd5utilhfoo + +/*** + This file is part of pam_dotfile. + + pam_dotfile is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + pam_dotfile is distributed in the hope that it will be useful, but + WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + General Public License for more details. + + You should have received a copy of the GNU General Public License + along with pam_dotfile; if not, write to the Free Software + Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 + USA +***/ + +void fhex(unsigned char *bin, int len, char *txt); +#define fhex_md5(bin,txt) fhex((bin),16,(txt)) + +#ifdef COMPAT05 +void fhex_broken(unsigned char *bin, int len, char *txt); +#define fhex_broken_md5(bin,txt) fhex_broken((bin),16,(txt)) +#endif + +#endif diff --git a/src/pam-dotfile-gen.c b/src/pam-dotfile-gen.c new file mode 100644 index 0000000..0d10ec3 --- /dev/null +++ b/src/pam-dotfile-gen.c @@ -0,0 +1,280 @@ +/*** + This file is part of pam_dotfile. + + pam_dotfile is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + pam_dotfile is distributed in the hope that it will be useful, but + WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + General Public License for more details. + + You should have received a copy of the GNU General Public License + along with pam_dotfile; if not, write to the Free Software + Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 + USA +***/ + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#include "md5.h" +#include "md5util.h" + +#ifdef COMPAT05 +int compat = 0; +#endif + +static void _random(char *r, int l) { + FILE *f; + int b = 0; + + if ((f = fopen("/dev/urandom", "r"))) { + if (fread(r, l, 1, f) == 1) + b = 1; + fclose(f); + } + + if (!b) { + int i; + fprintf(stderr, "WARNING: Could not read /dev/urandom, generating pseudo randomness.\n"); + + for (i = 0; i < l; i++) + r[i] = (unsigned char) rand() & 0xFF; + } +} + +static void _md5_gen(const char *password, FILE *f) { + static unsigned char salt[16]; + static char saltc[33]; + static unsigned char digest[16]; + static char digestc[33]; + md5_state_t t; + + _random(salt, 16); + + fhex(salt, 16, saltc); + saltc[32] = 0; + + md5_init(&t); + md5_append(&t, saltc, 32); + md5_append(&t, password, strlen(password)); + md5_finish(&t, digest); + +#ifdef COMPAT05 + if (compat) + fhex_broken_md5(digest, digestc); + else +#endif + fhex_md5(digest, digestc); + digestc[32] = 0; + +#ifdef COMPAT05 + fprintf(f, "%s%s%s\n", compat ? "" : "+", saltc, digestc); +#else + fprintf(f, "+%s%s\n", saltc, digestc); +#endif +} + +void usage(char *argv0) { + char *p; + + if ((p = strrchr(argv0, '/'))) + p++; + else + p = argv0; + +#ifdef COMPAT05 + printf("%s [-C] [-a ] | -h\n" +#else + printf("%s [-a ] | -h\n" +#endif + " -a Add a password for the specified service\n" + " -h Show this help\n" +#ifdef COMPAT05 + " -C Enable compatibility with pam_dotfile <= 0.5\n" +#endif + , p); +} + +char *chomp(char *p) { + char *e; + + while ((e = strchr(p, '\n'))) + *e = 0; + + return p; +} + +int set_echo(int fd, int b) { + static struct termios saved; + + if (!b) { + static struct termios t; + + if (tcgetattr(fd, &saved) < 0) { + fprintf(stderr, "tcgetattr(): %s\n", strerror(errno)); + return -1; + } + + t = saved; + t.c_lflag &= ~ECHO; + + if (tcsetattr(fd, TCSANOW, &t) < 0) { + fprintf(stderr, "tcsetattr(): %s\n", strerror(errno)); + return -1; + } + + } else { + if (tcsetattr(fd, TCSANOW, &saved) < 0) { + fprintf(stderr, "tcsetattr(): %s\n", strerror(errno)); + return -1; + } + } + + + return 0; +} + +int add_password(char *p) { + FILE *f = NULL; + static char fn[PATH_MAX]; + static char password1[128], password2[128]; + int r = -1; + int e = 0; + mode_t m; + + if (isatty(STDIN_FILENO)) { + if (set_echo(STDIN_FILENO, 0) < 0) + goto finish; + + e = 1; + } + + snprintf(fn, sizeof(fn), "%s/.pam-%s", getenv("HOME"), p); + + m = umask(0077); + if (!(f = fopen(fn, "a"))) { + umask(m); + fprintf(stderr, "Could not open file <%s> for writing: %s\n", fn, strerror(errno)); + goto finish; + } + umask(m); + + if (isatty(STDIN_FILENO)) { + fputs("Password:", stdout); + fflush(stdout); + } + + if (!fgets(password1, sizeof(password1), stdin)) { + fprintf(stderr, "Failure reading password\n"); + goto finish; + } + + if (isatty(STDIN_FILENO)) { + fputs("\nPlease repeat; password:", stdout); + fflush(stdout); + } + + if (!fgets(password2, sizeof(password2), stdin)) { + fprintf(stderr, "Failure reading password\n"); + goto finish; + } + + if (isatty(STDIN_FILENO)) { + fputs("\n", stdout); + fflush(stdout); + } + + chomp(password1); + chomp(password2); + + if (strcmp(password1, password2)) { + fprintf(stderr, "ERROR: Passwords do not match!\n"); + goto finish; + } + + _md5_gen(password1, f); + + fprintf(stderr, "Password added.\n"); + + r = 0; + +finish: + if (e) + set_echo(STDIN_FILENO, 1); + + if (f) { + fclose(f); + chmod(fn, 0600); + } + + return 0; +} + +int main(int argc, char*argv[]) { + int c; +#ifdef COMPAT05 + const char* argspec = "a:hC"; +#else + const char* argspec = "a:h"; +#endif + char *addp = 0; + + srand(time(NULL)*getpid()); + + + while ((c = getopt(argc, argv, argspec)) > 0) { + + switch (c) { + case 'a' : + addp = optarg; + break; + +#ifdef COMPAT05 + case 'C': + compat = 1; + break; +#endif + + default: + usage(argv[0]); + return 1; + } + } + + + if (addp) + return add_password(addp) < 0 ? 1 : 0; + + for(;;) { + int n; + static char ln[256]; + + if (!fgets(ln, sizeof(ln), stdin)) + break; + + if (ln[0] == 0 || ln[0] == '\n' || ln[0] == '#') { + fputs(ln, stdout); + continue; + } + + if (ln[(n = strlen(ln))-1] == '\n') + ln[n-1] = 0; + + _md5_gen(ln, stdout); + } + + return 0; +} diff --git a/src/pam-dotfile-helper.c b/src/pam-dotfile-helper.c new file mode 100644 index 0000000..04c73de --- /dev/null +++ b/src/pam-dotfile-helper.c @@ -0,0 +1,117 @@ +/*** + This file is part of pam_dotfile. + + pam_dotfile is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + pam_dotfile is distributed in the hope that it will be useful, but + WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + General Public License for more details. + + You should have received a copy of the GNU General Public License + along with pam_dotfile; if not, write to the Free Software + Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 + USA +***/ + +#include +#include +#include +#include +#include + +#include "common.h" +#include "log.h" + +#define DELAY 5 + +int main(int argc, char* argv[]) { + context_t c; + char *username; + static char password[128]; + int r; + + signal(SIGINT, SIG_IGN); + signal(SIGQUIT, SIG_IGN); + signal(SIGHUP, SIG_IGN); + signal(SIGTERM, SIG_IGN); + signal(SIGPIPE, SIG_IGN); + signal(SIGUSR1, SIG_IGN); + signal(SIGUSR2, SIG_IGN); + signal(SIGTSTP, SIG_IGN); + + memset(&c, 0, sizeof(context_t)); + + if (isatty(0) || isatty(1) || isatty(2)) { + int n; + struct passwd *pw; + uid_t uid = getuid(); + + pw = getpwuid(uid); + + fprintf(stderr, "This program is not intended to be run in this way.\n"); + logmsg(&c, LOG_WARNING, "A stupid user (%s; uid=%i) ran pam-dotfile-helper on the command line", pw ? pw->pw_name : "???", uid); + + n = 5; + while ((n = sleep(n)) > 0); + + return 1; + } + + if (argc != 7) { + logmsg(&c, LOG_WARNING, "Invalid invocation"); + return 4; + } + + c.service = argv[1]; + username = argv[2]; + + if (!strcmp(argv[3], "debug")) + c.opt_debug = 1; + + if (!strcmp(argv[4], "no_warn")) + c.opt_no_warn = 1; + + if (!strcmp(argv[5], "stat_only_home")) + c.opt_stat_only_home = 1; + +#ifdef COMPAT05 + if (!strcmp(argv[6], "nocompat05")) + c.opt_nocompat05 = 1; +#endif + + logmsg(&c, LOG_DEBUG, "%s|%s|%s", + c.opt_debug ? "debug" : "nodebug", + c.opt_no_warn ? "no_warn" : "warn" +#ifdef COMPAT05 + ,c.opt_nocompat05 ? "nocompat05" : "compat05" +#endif + ); + + if (geteuid() != 0) { + logmsg(&c, LOG_WARNING, "Not run as root, executable is probably not SETUID?"); + return 4; + } + + logmsg(&c, LOG_DEBUG, "Helper started"); + + if (!fgets(password, sizeof(password), stdin)) { + logmsg(&c, LOG_WARNING, "Failure reading from STDIN"); + return 4; + } + + switch (user_authentication(&c, username, password)) { + case PAM_SUCCESS: r = 0; break; + case PAM_AUTH_ERR: r = 1; break; + case PAM_AUTHINFO_UNAVAIL: r = 2; break; + case PAM_USER_UNKNOWN: r = 3; break; + default: r = 4; break; + } + + logmsg(&c, LOG_DEBUG, "Helper exiting with return value %u", r); + + return r; +} diff --git a/src/pam_dotfile.c b/src/pam_dotfile.c new file mode 100644 index 0000000..edc5230 --- /dev/null +++ b/src/pam_dotfile.c @@ -0,0 +1,321 @@ +/*** + This file is part of pam_dotfile. + + pam_dotfile is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + pam_dotfile is distributed in the hope that it will be useful, but + WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + General Public License for more details. + + You should have received a copy of the GNU General Public License + along with pam_dotfile; if not, write to the Free Software + Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 + USA +***/ + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#define PAM_SM_AUTH + +#include +#include + +#include "md5.h" +#include "md5util.h" +#include "common.h" +#include "log.h" + +#define HELPERTOOL SBINDIR"/pam-dotfile-helper" + +#ifndef PAM_FAIL_DELAY +#define pam_fail_delay(x,y) 0 +#endif + +#define PAM_DOTFILE_DELAY 3000000 + +static void sigchld(int sig) { +} + +static int _fork_authentication(context_t *c, const char *username, const char *password) { + pid_t pid; + int r = PAM_SYSTEM_ERR, p[2]; + struct sigaction sa_save, sa; + + if (pipe(p) < 0) { + logmsg(c, LOG_ERR, "pipe(): %s", strerror(errno)); + return PAM_SYSTEM_ERR; + } + + memset(&sa, 0, sizeof(sa)); + sa.sa_handler = sigchld; + sa.sa_flags = SA_RESTART; + + if (sigaction(SIGCHLD, &sa, &sa_save) < 0) { + logmsg(c, LOG_ERR, "sigaction(): %s", strerror(errno)); + goto finish; + } + + if ((pid = fork()) < 0) { + logmsg(c, LOG_ERR, "fork(): %s", strerror(errno)); + goto finish; + } else if (pid == 0) { + char * const args[] = { + HELPERTOOL, + x_strdup(c->service), + x_strdup(username), + c->opt_debug ? "debug" : "nodebug", + c->opt_no_warn ? "no_warn" : "warn", + c->opt_stat_only_home ? "stat_only_home" : "stat_all", +#ifdef COMPAT05 + c->opt_nocompat05 ? "nocompat05" : "compat05", +#else + "nocompat05", +#endif + NULL + }; + char * envp[] = { NULL }; + + if (p[0] != 0 && dup2(p[0], 0) != 0) { + logmsg(c, LOG_ERR, "dup2(): %s", strerror(errno)); + exit(2); + } + + close(1); + close(2); + close(p[0]); + close(p[1]); + + if (open("/dev/null", O_WRONLY) != 1) { + logmsg(c, LOG_ERR, "open(\"/dev/null\", O_WRONLY): %s", strerror(errno)); + exit(2); + } + + if (open("/dev/null", O_WRONLY) != 2) { + logmsg(c, LOG_ERR, "open(\"/dev/null\", O_WRONLY): %s", strerror(errno)); + exit(2); + } + + execve(HELPERTOOL, args, envp); + + logmsg(c, LOG_ERR, "execve(): %s", strerror(errno)); + + exit(100); + } else if (pid > 0) { + FILE *f; + int r2; + + close(p[0]); + + if (!(f = fdopen(p[1], "w"))) { + logmsg(c, LOG_ERR, "fdopen() failed."); + goto finish; + } else { + fputs(password, f); + fflush(f); + } + + fclose(f); + close(p[1]); + + if (waitpid(pid, &r2, 0) < 0) { + logmsg(c, LOG_ERR, "waitpid(): %s", strerror(errno)); + goto finish; + } else { + if (WIFEXITED(r2)) { + logmsg(c, LOG_DEBUG, "Helper returned %u", WEXITSTATUS(r2)); + + switch (WEXITSTATUS(r2)) { + case 0: r = PAM_SUCCESS; break; + case 1: r = PAM_AUTH_ERR; break; + case 2: r = PAM_AUTHINFO_UNAVAIL; break; + case 3: r = PAM_USER_UNKNOWN; break; + } + } else + logmsg(c, LOG_DEBUG, "Helper failed abnormally"); + } + } + +finish: + + if (sigaction(SIGCHLD, &sa_save, NULL) < 0) { + logmsg(c, LOG_ERR, "sigaction()#2: %s", strerror(errno)); + r = PAM_SYSTEM_ERR; + } + + + return r; +} + +static int _authentication(context_t *c, const char *username, const char *password) { + int b; + + if (!username || !*username) { + logmsg(c, LOG_WARNING, "Authentication failure: null username supplied"); + return PAM_AUTH_ERR; + } + + if (!password || (!c->opt_nullok && !*password)) { + logmsg(c, LOG_WARNING, "Authentication failure: null password supplied"); + return PAM_AUTH_ERR; + } + + b = geteuid() != 0; + + if (b && c->opt_fork < 0) { + logmsg(c, LOG_ERR, "Option set and uid != 0, failing"); + return PAM_SYSTEM_ERR; + } + + if (c->opt_fork > 0) + b = 1; + + if (!b) + return user_authentication(c, username, password); + else + return _fork_authentication(c, username, password); +} + +static int _parse_opt(context_t *c, int argc, const char **argv) { + for (; argc; argc--, argv++) { + if (!strcmp(*argv, "debug")) + c->opt_debug = 1; + else if (!strcmp(*argv, "use_first_pass") || !strcmp(*argv, "use_authtok")) + c->opt_use_first_pass = 1; + else if (!strcmp(*argv, "try_first_pass")) + c->opt_try_first_pass = 1; + else if (!strcmp(*argv, "rootok")) + c->opt_rootok = 1; + else if (!strcmp(*argv, "nullok")) + c->opt_nullok = 1; + else if (!strcmp(*argv, "fork")) + c->opt_fork = 1; + else if (!strcmp(*argv, "nofork")) + c->opt_fork = -1; + else if (!strcmp(*argv, "no_warn")) + c->opt_no_warn = 1; + else if (!strcmp(*argv, "stat_only_home")) + c->opt_stat_only_home = 1; +#ifdef COMPAT05 + else if (!strcmp(*argv, "nocompat05")) + c->opt_nocompat05 = 1; +#endif + else + logmsg(c, LOG_WARNING, "Invalid argument <%s>, ignoring", *argv); + } + + return PAM_SUCCESS; +} + +PAM_EXTERN int pam_sm_authenticate(pam_handle_t *ph, int flags, int argc, const char **argv) { + const char *username = NULL, *password = NULL, *service = NULL; + int r; + context_t c; + const struct pam_conv *pc; + static struct pam_message m[1] = { { msg_style: PAM_PROMPT_ECHO_OFF, msg : "Dotfile Password: " } }; + const static struct pam_message* pm[] = { &m[0] }; + struct pam_response *a; + + memset(&c, 0, sizeof(c)); + + if ((r = _parse_opt(&c, argc, argv)) != PAM_SUCCESS) + return r; + + if ((r = pam_get_user(ph, &username, NULL)) != PAM_SUCCESS) { + logmsg(&c, LOG_ERR, "pam_get_user(): %s", pam_strerror(ph, r)); + return r; + } + + if (!username || !*username) { + logmsg(&c, LOG_DEBUG, "Authentication failure: no username supplied"); + return PAM_CRED_INSUFFICIENT; + } + + if ((r = pam_get_item(ph, PAM_SERVICE, (const void**) &service)) != PAM_SUCCESS) { + logmsg(&c, LOG_ERR, "pam_get_item(*, PAM_SERVICE, *): %s", pam_strerror(ph, r)); + return r; + } + + c.service = service; + + if (c.opt_use_first_pass || c.opt_try_first_pass) + if ((r = pam_get_item(ph, PAM_AUTHTOK, (const void**) &password)) != PAM_SUCCESS) { + logmsg(&c, LOG_ERR, "pam_get_item(*, PAM_AUTHTOK, *): %s", pam_strerror(ph, r)); + return r; + } + + if (c.opt_use_first_pass && !password) { + logmsg(&c, LOG_DEBUG, "No password passed in PAM_AUTHTOK."); + return PAM_CRED_INSUFFICIENT; + } + + if (password) { + if ((r = _authentication(&c, username, password)) == PAM_SUCCESS) { + logmsg(&c, LOG_DEBUG, "Authentication with PAM_AUTHTOK sucessful"); + return PAM_SUCCESS; + } else if (r != PAM_AUTH_ERR) { + logmsg(&c, LOG_DEBUG, "Authentication with PAM_AUTHTOK failed (%i): %s", r, pam_strerror(ph, r)); + return r; + } + + logmsg(&c, LOG_DEBUG, "Authentication with PAM_AUTHTOK failed"); + + if (c.opt_use_first_pass) { + pam_fail_delay(ph, PAM_DOTFILE_DELAY); + return PAM_AUTH_ERR; + } + } + + if ((r = pam_get_item(ph, PAM_CONV, (const void**) &pc)) != PAM_SUCCESS) { + logmsg(&c, LOG_ERR, "pam_get_item(*, PAM_CONV, *): %s", pam_strerror(ph, r)); + return r; + } + + if (!pc || !pc->conv) { + logmsg(&c, LOG_ERR, "conv() function invalid"); + return PAM_CONV_ERR; + } + + if ((r = pc->conv(1, pm, &a, pc->appdata_ptr)) != PAM_SUCCESS) { + logmsg(&c, LOG_ERR, "conv(): %s", pam_strerror(ph, r)); + return r; + } + + if (!a->resp) { + logmsg(&c, LOG_ERR, "Got no password."); + return PAM_CRED_INSUFFICIENT; + } + + if ((r = pam_set_item(ph, PAM_AUTHTOK, x_strdup(a->resp))) != PAM_SUCCESS) + return r; + + if ((r = _authentication(&c, username, a->resp)) == PAM_SUCCESS) { + logmsg(&c, LOG_DEBUG, "Authentication with user password sucessful"); + return PAM_SUCCESS; + } else if (r != PAM_AUTH_ERR) { + logmsg(&c, LOG_DEBUG, "Authentication with PAM_AUTHTOK failed (%i): %s", r, pam_strerror(ph, r)); + return r; + } + + logmsg(&c, LOG_DEBUG, "Authentication failed with user password"); + pam_fail_delay(ph, PAM_DOTFILE_DELAY); + return PAM_AUTH_ERR; +} + +PAM_EXTERN int pam_sm_setcred(pam_handle_t *pamh, int flags, int argc, const char **argv) { + return PAM_SUCCESS; +} diff --git a/src/pamtest.c b/src/pamtest.c new file mode 100644 index 0000000..171e601 --- /dev/null +++ b/src/pamtest.c @@ -0,0 +1,66 @@ +/*** + This file is part of pam_dotfile. + + pam_dotfile is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + pam_dotfile is distributed in the hope that it will be useful, but + WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + General Public License for more details. + + You should have received a copy of the GNU General Public License + along with pam_dotfile; if not, write to the Free Software + Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 + USA +***/ + +#include + +#include +#include + +int main(int argc, char*argv[]) { + static struct pam_conv pc = { misc_conv, NULL }; + pam_handle_t *ph = NULL; + int r, ret; + char *username, *procname, *service; + + if ((procname = strchr(argv[0], '/'))) + procname++; + else + procname = argv[0]; + + if (argc <= 1 || argc > 3) { + fprintf(stderr, "Usage: %s [] []\n", procname); + exit(1); + } + + service = (argc >= 2) ? argv[1] : procname; + username = (argc == 3) ? argv[2] : NULL; + + if (username) + printf("Trying to authenticate <%s> for service <%s>.\n", username, service); + else + printf("Trying to authenticate for service <%s>.\n", service); + + if ((r = pam_start(service, username, &pc, &ph)) != PAM_SUCCESS) { + fprintf(stderr, "Failure starting pam: %s\n", pam_strerror(ph, r)); + return 1; + } + + if ((r = pam_authenticate(ph, 0)) != PAM_SUCCESS) { + fprintf(stderr, "Failed to authenticate: %s\n", pam_strerror(ph, r)); + ret = 1; + } else { + printf("Authentication successful.\n"); + ret = 0; + } + + if ((r = pam_end(ph, r)) != PAM_SUCCESS) + fprintf(stderr, "Failure shutting down pam: %s\n", pam_strerror(ph, r)); + + return ret; +} -- cgit