2 * Copyright (c) 2000-2002 by Solar Designer. See LICENSE.
5 #define _XOPEN_SOURCE 600
6 #define _XOPEN_SOURCE_EXTENDED
7 #define _XOPEN_VERSION 600
19 #define PAM_SM_PASSWORD
21 #include <security/pam_appl.h>
23 #include <security/pam_modules.h>
25 #include "pam_macros.h"
27 #if !defined(PAM_EXTERN) && !defined(PAM_STATIC)
28 #define PAM_EXTERN extern
31 #if !defined(PAM_AUTHTOK_RECOVERY_ERR) && defined(PAM_AUTHTOK_RECOVER_ERR)
32 #define PAM_AUTHTOK_RECOVERY_ERR PAM_AUTHTOK_RECOVER_ERR
35 #if defined(__sun__) && !defined(LINUX_PAM) && !defined(_OPENPAM)
36 /* Sun's PAM doesn't use const here */
39 #define lo_const const
41 typedef lo_const void *pam_item_t;
45 #define F_ENFORCE_MASK 0x00000003
46 #define F_ENFORCE_USERS 0x00000001
47 #define F_ENFORCE_ROOT 0x00000002
48 #define F_ENFORCE_EVERYONE F_ENFORCE_MASK
49 #define F_NON_UNIX 0x00000004
50 #define F_ASK_OLDAUTHTOK_MASK 0x00000030
51 #define F_ASK_OLDAUTHTOK_PRELIM 0x00000010
52 #define F_ASK_OLDAUTHTOK_UPDATE 0x00000020
53 #define F_CHECK_OLDAUTHTOK 0x00000040
54 #define F_USE_FIRST_PASS 0x00000100
55 #define F_USE_AUTHTOK 0x00000200
63 static params_t defaults = {
65 {INT_MAX, 24, 12, 8, 7}, /* min */
67 3, /* passphrase_words */
72 F_ENFORCE_EVERYONE, /* flags */
76 #define PROMPT_OLDPASS \
77 "Enter current password: "
78 #define PROMPT_NEWPASS1 \
79 "Enter new password: "
80 #define PROMPT_NEWPASS2 \
81 "Re-type new password: "
83 #define MESSAGE_MISCONFIGURED \
84 "System configuration error. Please contact your administrator."
85 #define MESSAGE_INVALID_OPTION \
86 "pam_passwdqc: Invalid option: \"%s\"."
87 #define MESSAGE_INTRO_PASSWORD \
88 "\nYou can now choose the new password.\n"
89 #define MESSAGE_INTRO_BOTH \
90 "\nYou can now choose the new password or passphrase.\n"
91 #define MESSAGE_EXPLAIN_PASSWORD_1 \
92 "A valid password should be a mix of upper and lower case letters,\n" \
93 "digits and other characters. You can use a%s %d character long\n" \
94 "password with characters from at least 3 of these 4 classes.\n" \
95 "Characters that form a common pattern are discarded by the check.\n"
96 #define MESSAGE_EXPLAIN_PASSWORD_2 \
97 "A valid password should be a mix of upper and lower case letters,\n" \
98 "digits and other characters. You can use a%s %d character long\n" \
99 "password with characters from at least 3 of these 4 classes, or\n" \
100 "a%s %d character long password containing characters from all the\n" \
101 "classes. Characters that form a common pattern are discarded by\n" \
103 #define MESSAGE_EXPLAIN_PASSPHRASE \
104 "A passphrase should be of at least %d words, %d to %d characters\n" \
105 "long and contain enough different characters.\n"
106 #define MESSAGE_RANDOM \
107 "Alternatively, if noone else can see your terminal now, you can\n" \
108 "pick this as your password: \"%s\".\n"
109 #define MESSAGE_RANDOMONLY \
110 "This system is configured to permit randomly generated passwords\n" \
111 "only. If noone else can see your terminal now, you can pick this\n" \
112 "as your password: \"%s\". Otherwise, come back later.\n"
113 #define MESSAGE_RANDOMFAILED \
114 "This system is configured to use randomly generated passwords\n" \
115 "only, but the attempt to generate a password has failed. This\n" \
116 "could happen for a number of reasons: you could have requested\n" \
117 "an impossible password length, or the access to kernel random\n" \
118 "number pool could have failed."
119 #define MESSAGE_TOOLONG \
120 "This password may be too long for some services. Choose another."
121 #define MESSAGE_TRUNCATED \
122 "Warning: your longer password will be truncated to 8 characters."
123 #define MESSAGE_WEAKPASS \
125 #define MESSAGE_NOTRANDOM \
126 "Sorry, you've mistyped the password that was generated for you."
127 #define MESSAGE_MISTYPED \
128 "Sorry, passwords do not match."
129 #define MESSAGE_RETRY \
132 static int converse(pam_handle_t *pamh, int style, lo_const char *text,
133 struct pam_response **resp)
136 lo_const struct pam_conv *conv;
137 struct pam_message msg, *pmsg;
140 status = pam_get_item(pamh, PAM_CONV, &item);
141 if (status != PAM_SUCCESS)
146 msg.msg_style = style;
147 msg.msg = (char *)text;
150 return conv->conv(1, (lo_const struct pam_message **)&pmsg, resp,
155 __attribute__ ((format (printf, 3, 4)))
157 static int say(pam_handle_t *pamh, int style, const char *format, ...)
162 struct pam_response *resp;
165 va_start(args, format);
166 needed = vsnprintf(buffer, sizeof(buffer), format, args);
169 if ((unsigned int)needed < sizeof(buffer)) {
170 status = converse(pamh, style, buffer, &resp);
171 _pam_overwrite(buffer);
174 memset(buffer, 0, sizeof(buffer));
180 static int check_max(params_t *params, pam_handle_t *pamh, const char *newpass)
182 if ((int)strlen(newpass) > params->qc.max) {
183 if (params->qc.max != 8) {
184 say(pamh, PAM_ERROR_MSG, MESSAGE_TOOLONG);
187 say(pamh, PAM_TEXT_INFO, MESSAGE_TRUNCATED);
193 static int parse(params_t *params, pam_handle_t *pamh,
194 int argc, const char **argv)
202 if (!strncmp(*argv, "min=", 4)) {
204 for (i = 0; i < 5; i++) {
205 if (!strncmp(p, "disabled", 8)) {
209 v = strtoul(p, &e, 10);
212 if (i < 4 && *p++ != ',') break;
213 if (v > INT_MAX) break;
214 if (i && (int)v > params->qc.min[i - 1]) break;
215 params->qc.min[i] = v;
219 if (!strncmp(*argv, "max=", 4)) {
220 v = strtoul(*argv + 4, &e, 10);
221 if (*e || v < 8 || v > INT_MAX) break;
224 if (!strncmp(*argv, "passphrase=", 11)) {
225 v = strtoul(*argv + 11, &e, 10);
226 if (*e || v > INT_MAX) break;
227 params->qc.passphrase_words = v;
229 if (!strncmp(*argv, "match=", 6)) {
230 v = strtoul(*argv + 6, &e, 10);
231 if (*e || v > INT_MAX) break;
232 params->qc.match_length = v;
234 if (!strncmp(*argv, "similar=", 8)) {
235 if (!strcmp(*argv + 8, "permit"))
236 params->qc.similar_deny = 0;
238 if (!strcmp(*argv + 8, "deny"))
239 params->qc.similar_deny = 1;
243 if (!strncmp(*argv, "random=", 7)) {
244 v = strtoul(*argv + 7, &e, 10);
245 if (!strcmp(e, ",only")) {
247 params->qc.min[4] = INT_MAX;
249 if (*e || v > INT_MAX) break;
250 params->qc.random_bits = v;
252 if (!strncmp(*argv, "enforce=", 8)) {
253 params->flags &= ~F_ENFORCE_MASK;
254 if (!strcmp(*argv + 8, "users"))
255 params->flags |= F_ENFORCE_USERS;
257 if (!strcmp(*argv + 8, "everyone"))
258 params->flags |= F_ENFORCE_EVERYONE;
260 if (strcmp(*argv + 8, "none"))
263 if (!strcmp(*argv, "non-unix")) {
264 if (params->flags & F_CHECK_OLDAUTHTOK) break;
265 params->flags |= F_NON_UNIX;
267 if (!strncmp(*argv, "retry=", 6)) {
268 v = strtoul(*argv + 6, &e, 10);
269 if (*e || v > INT_MAX) break;
272 if (!strncmp(*argv, "ask_oldauthtok", 14)) {
273 params->flags &= ~F_ASK_OLDAUTHTOK_MASK;
274 if (params->flags & F_USE_FIRST_PASS) break;
275 if (!strcmp(*argv + 14, "=update"))
276 params->flags |= F_ASK_OLDAUTHTOK_UPDATE;
279 params->flags |= F_ASK_OLDAUTHTOK_PRELIM;
283 if (!strcmp(*argv, "check_oldauthtok")) {
284 if (params->flags & F_NON_UNIX) break;
285 params->flags |= F_CHECK_OLDAUTHTOK;
287 if (!strcmp(*argv, "use_first_pass")) {
288 if (params->flags & F_ASK_OLDAUTHTOK_MASK) break;
289 params->flags |= F_USE_FIRST_PASS | F_USE_AUTHTOK;
291 if (!strcmp(*argv, "use_authtok")) {
292 params->flags |= F_USE_AUTHTOK;
300 say(pamh, PAM_ERROR_MSG, MESSAGE_MISCONFIGURED);
302 say(pamh, PAM_ERROR_MSG, MESSAGE_INVALID_OPTION, *argv);
310 PAM_EXTERN int pam_sm_chauthtok(pam_handle_t *pamh, int flags,
311 int argc, const char **argv)
314 struct pam_response *resp;
315 struct passwd *pw, fake_pw;
320 lo_const char *user, *oldpass, *curpass;
321 char *newpass, *randompass;
324 int randomonly, enforce, retries_left, retry_wanted;
328 status = parse(¶ms, pamh, argc, argv);
329 if (status != PAM_SUCCESS)
333 if (flags & PAM_PRELIM_CHECK) {
334 if (params.flags & F_ASK_OLDAUTHTOK_PRELIM)
337 if (flags & PAM_UPDATE_AUTHTOK) {
338 if (params.flags & F_ASK_OLDAUTHTOK_UPDATE)
341 return PAM_SERVICE_ERR;
343 if (ask_oldauthtok && getuid() != 0) {
344 status = converse(pamh, PAM_PROMPT_ECHO_OFF,
345 PROMPT_OLDPASS, &resp);
347 if (status == PAM_SUCCESS) {
348 if (resp && resp->resp) {
349 status = pam_set_item(pamh,
350 PAM_OLDAUTHTOK, resp->resp);
351 _pam_drop_reply(resp, 1);
353 status = PAM_AUTHTOK_RECOVERY_ERR;
356 if (status != PAM_SUCCESS)
360 if (flags & PAM_PRELIM_CHECK)
363 status = pam_get_item(pamh, PAM_USER, &item);
364 if (status != PAM_SUCCESS)
368 status = pam_get_item(pamh, PAM_OLDAUTHTOK, &item);
369 if (status != PAM_SUCCESS)
373 if (params.flags & F_NON_UNIX) {
375 pw->pw_name = (char *)user;
381 return PAM_USER_UNKNOWN;
382 if ((params.flags & F_CHECK_OLDAUTHTOK) && getuid() != 0) {
384 status = PAM_AUTH_ERR;
387 if (!strcmp(pw->pw_passwd, "x")) {
388 spw = getspnam(user);
391 if (strcmp(crypt(oldpass, spw->sp_pwdp),
393 status = PAM_AUTH_ERR;
394 memset(spw->sp_pwdp, 0,
395 strlen(spw->sp_pwdp));
397 status = PAM_AUTH_ERR;
400 if (strcmp(crypt(oldpass, pw->pw_passwd),
402 status = PAM_AUTH_ERR;
404 memset(pw->pw_passwd, 0, strlen(pw->pw_passwd));
405 if (status != PAM_SUCCESS)
409 randomonly = params.qc.min[4] > params.qc.max;
412 enforce = params.flags & F_ENFORCE_USERS;
414 enforce = params.flags & F_ENFORCE_ROOT;
416 if (params.flags & F_USE_AUTHTOK) {
417 status = pam_get_item(pamh, PAM_AUTHTOK, &item);
418 if (status != PAM_SUCCESS)
421 if (!curpass || (check_max(¶ms, pamh, curpass) && enforce))
422 return PAM_AUTHTOK_ERR;
423 reason = _passwdqc_check(¶ms.qc, curpass, oldpass, pw);
425 say(pamh, PAM_ERROR_MSG, MESSAGE_WEAKPASS, reason);
427 status = PAM_AUTHTOK_ERR;
432 retries_left = params.retry;
438 params.qc.passphrase_words && params.qc.min[2] <= params.qc.max)
439 status = say(pamh, PAM_TEXT_INFO, MESSAGE_INTRO_BOTH);
441 status = say(pamh, PAM_TEXT_INFO, MESSAGE_INTRO_PASSWORD);
442 if (status != PAM_SUCCESS)
445 if (!randomonly && params.qc.min[3] <= params.qc.min[4])
446 status = say(pamh, PAM_TEXT_INFO, MESSAGE_EXPLAIN_PASSWORD_1,
447 params.qc.min[3] == 8 || params.qc.min[3] == 11 ? "n" : "",
451 status = say(pamh, PAM_TEXT_INFO, MESSAGE_EXPLAIN_PASSWORD_2,
452 params.qc.min[3] == 8 || params.qc.min[3] == 11 ? "n" : "",
454 params.qc.min[4] == 8 || params.qc.min[4] == 11 ? "n" : "",
456 if (status != PAM_SUCCESS)
460 params.qc.passphrase_words &&
461 params.qc.min[2] <= params.qc.max) {
462 status = say(pamh, PAM_TEXT_INFO, MESSAGE_EXPLAIN_PASSPHRASE,
463 params.qc.passphrase_words,
464 params.qc.min[2], params.qc.max);
465 if (status != PAM_SUCCESS)
469 randompass = _passwdqc_random(¶ms.qc);
471 status = say(pamh, PAM_TEXT_INFO, randomonly ?
472 MESSAGE_RANDOMONLY : MESSAGE_RANDOM, randompass);
473 if (status != PAM_SUCCESS) {
474 _pam_overwrite(randompass);
479 say(pamh, PAM_ERROR_MSG, getuid() != 0 ?
480 MESSAGE_MISCONFIGURED : MESSAGE_RANDOMFAILED);
481 return PAM_AUTHTOK_ERR;
484 status = converse(pamh, PAM_PROMPT_ECHO_OFF, PROMPT_NEWPASS1, &resp);
485 if (status == PAM_SUCCESS && (!resp || !resp->resp))
486 status = PAM_AUTHTOK_ERR;
488 if (status != PAM_SUCCESS) {
489 if (randompass) _pam_overwrite(randompass);
493 newpass = strdup(resp->resp);
495 _pam_drop_reply(resp, 1);
498 if (randompass) _pam_overwrite(randompass);
502 if (check_max(¶ms, pamh, newpass) && enforce) {
503 status = PAM_AUTHTOK_ERR;
508 if (status == PAM_SUCCESS &&
509 (!randompass || !strstr(newpass, randompass)) &&
511 (reason = _passwdqc_check(¶ms.qc, newpass, oldpass, pw)))) {
513 say(pamh, PAM_ERROR_MSG, MESSAGE_NOTRANDOM);
515 say(pamh, PAM_ERROR_MSG, MESSAGE_WEAKPASS, reason);
517 status = PAM_AUTHTOK_ERR;
522 if (status == PAM_SUCCESS)
523 status = converse(pamh, PAM_PROMPT_ECHO_OFF,
524 PROMPT_NEWPASS2, &resp);
525 if (status == PAM_SUCCESS) {
526 if (resp && resp->resp) {
527 if (strcmp(newpass, resp->resp)) {
529 PAM_ERROR_MSG, MESSAGE_MISTYPED);
530 if (status == PAM_SUCCESS) {
531 status = PAM_AUTHTOK_ERR;
535 _pam_drop_reply(resp, 1);
537 status = PAM_AUTHTOK_ERR;
540 if (status == PAM_SUCCESS)
541 status = pam_set_item(pamh, PAM_AUTHTOK, newpass);
543 if (randompass) _pam_overwrite(randompass);
544 _pam_overwrite(newpass);
547 if (retry_wanted && --retries_left > 0) {
548 status = say(pamh, PAM_TEXT_INFO, MESSAGE_RETRY);
549 if (status == PAM_SUCCESS)
556 #ifdef PAM_MODULE_ENTRY
557 PAM_MODULE_ENTRY("pam_passwdqc");
558 #elif defined(PAM_STATIC)
559 struct pam_module _pam_passwdqc_modstruct = {