탐색 도움말
로그인
SoftwareDesign
/
csu3_am335x
8
0
포크 0
파일 이슈 0 풀 리퀘스트 0 위키
브렌치: master
브랜치 태그
csu3_am335x
/
EVSE
/
GPL
/
linux-pam-1.5.2
/
modules
/
pam_userdb
/
pam_userdb.c

pam_userdb.c 15 KB
고유링크 히스토리 Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517 
  1. /*
    2. 

  2.  * pam_userdb module
    3. 

  3.  *
    4. 

  4.  * Written by Cristian Gafton <gafton@redhat.com> 1996/09/10
    5. 

  5.  * See the end of the file for Copyright Information
    6. 

  6.  */
    7. 

  7. 

  8. #include "config.h"
    9. 

  9. 

  10. #include <stdio.h>
    11. 

  11. #include <stdlib.h>
    12. 

  12. #include <unistd.h>
    13. 

  13. #include <string.h>
    14. 

  14. #include <syslog.h>
    15. 

  15. #include <stdarg.h>
    16. 

  16. #include <sys/types.h>
    17. 

  17. #include <sys/stat.h>
    18. 

  18. #include <fcntl.h>
    19. 

  19. #include <errno.h>
    20. 

  20. #ifdef HAVE_CRYPT_H
    21. 

  21. #include <crypt.h>
    22. 

  22. #endif
    23. 

  23. 

  24. #include "pam_userdb.h"
    25. 

  25. 

  26. #ifdef HAVE_NDBM_H
    27. 

  27. # include <ndbm.h>
    28. 

  28. #else
    29. 

  29. # ifdef HAVE_DB_H
    30. 

  30. #  define DB_DBM_HSEARCH    1 /* use the dbm interface */
    31. 

  31. #  define HAVE_DBM	      /* for BerkDB 5.0 and later */
    32. 

  32. #  include <db.h>
    33. 

  33. # else
    34. 

  34. #  error "failed to find a libdb or equivalent"
    35. 

  35. # endif
    36. 

  36. #endif
    37. 

  37. 

  38. #include <security/pam_modules.h>
    39. 

  39. #include <security/pam_ext.h>
    40. 

  40. #include <security/_pam_macros.h>
    41. 

  41. #include "pam_inline.h"
    42. 

  42. 

  43. /*
    44. 

  44.  * Conversation function to obtain the user's password
    45. 

  45.  */
    46. 

  46. static int
    47. 

  47. obtain_authtok(pam_handle_t *pamh)
    48. 

  48. {
    49. 

  49.     char *resp;
    50. 

  50.     const void *item;
    51. 

  51.     int retval;
    52. 

  52. 

  53.     retval = pam_prompt(pamh, PAM_PROMPT_ECHO_OFF, &resp, _("Password: "));
    54. 

  54. 

  55.     if (retval != PAM_SUCCESS)
    56. 

  56. 	return retval;
    57. 

  57. 

  58.     if (resp == NULL)
    59. 

  59. 	return PAM_CONV_ERR;
    60. 

  60. 

  61.     /* set the auth token */
    62. 

  62.     retval = pam_set_item(pamh, PAM_AUTHTOK, resp);
    63. 

  63. 

  64.     /* clean it up */
    65. 

  65.     _pam_overwrite(resp);
    66. 

  66.     _pam_drop(resp);
    67. 

  67. 

  68.     if ( (retval != PAM_SUCCESS) ||
    69. 

  69. 	 (retval = pam_get_item(pamh, PAM_AUTHTOK, &item))
    70. 

  70. 	 != PAM_SUCCESS ) {
    71. 

  71. 	return retval;
    72. 

  72.     }
    73. 

  73. 

  74.     return retval;
    75. 

  75. }
    76. 

  76. 

  77. static int
    78. 

  78. _pam_parse (pam_handle_t *pamh, int argc, const char **argv,
    79. 

  79. 	    const char **database, const char **cryptmode)
    80. 

  80. {
    81. 

  81.   int ctrl;
    82. 

  82. 

  83.   *database = NULL;
    84. 

  84.   *cryptmode = NULL;
    85. 

  85. 

  86.   /* step through arguments */
    87. 

  87.   for (ctrl = 0; argc-- > 0; ++argv)
    88. 

  88.     {
    89. 

  89.       const char *str;
    90. 

  90. 

  91.       /* generic options */
    92. 

  92. 

  93.       if (!strcmp(*argv,"debug"))
    94. 

  94. 	ctrl |= PAM_DEBUG_ARG;
    95. 

  95.       else if (!strcasecmp(*argv, "icase"))
    96. 

  96. 	ctrl |= PAM_ICASE_ARG;
    97. 

  97.       else if (!strcasecmp(*argv, "dump"))
    98. 

  98. 	ctrl |= PAM_DUMP_ARG;
    99. 

  99.       else if (!strcasecmp(*argv, "unknown_ok"))
    100. 

  100. 	ctrl |= PAM_UNKNOWN_OK_ARG;
    101. 

  101.       else if (!strcasecmp(*argv, "key_only"))
    102. 

  102. 	ctrl |= PAM_KEY_ONLY_ARG;
    103. 

  103.       else if (!strcasecmp(*argv, "use_first_pass"))
    104. 

  104. 	ctrl |= PAM_USE_FPASS_ARG;
    105. 

  105.       else if (!strcasecmp(*argv, "try_first_pass"))
    106. 

  106. 	ctrl |= PAM_TRY_FPASS_ARG;
    107. 

  107.       else if ((str = pam_str_skip_icase_prefix(*argv, "db=")) != NULL)
    108. 

  108. 	{
    109. 

  109. 	  *database = str;
    110. 

  110. 	  if (**database == '\0') {
    111. 

  111. 	    *database = NULL;
    112. 

  112. 	    pam_syslog(pamh, LOG_ERR,
    113. 

  113. 		       "db= specification missing argument - ignored");
    114. 

  114. 	  }
    115. 

  115. 	}
    116. 

  116.       else if ((str = pam_str_skip_icase_prefix(*argv, "crypt=")) != NULL)
    117. 

  117. 	{
    118. 

  118. 	  *cryptmode = str;
    119. 

  119. 	  if (**cryptmode == '\0')
    120. 

  120. 	    pam_syslog(pamh, LOG_ERR,
    121. 

  121. 		       "crypt= specification missing argument - ignored");
    122. 

  122. 	}
    123. 

  123.       else
    124. 

  124. 	{
    125. 

  125. 	  pam_syslog(pamh, LOG_ERR, "unknown option: %s", *argv);
    126. 

  126. 	}
    127. 

  127.     }
    128. 

  128. 

  129.   return ctrl;
    130. 

  130. }
    131. 

  131. 

  132. 

  133. /*
    134. 

  134.  * Looks up a user name in a database and checks the password
    135. 

  135.  *
    136. 

  136.  * return values:
    137. 

  137.  *	 1  = User not found
    138. 

  138.  *	 0  = OK
    139. 

  139.  *	-1  = Password incorrect
    140. 

  140.  *	-2  = System error
    141. 

  141.  */
    142. 

  142. static int
    143. 

  143. user_lookup (pam_handle_t *pamh, const char *database, const char *cryptmode,
    144. 

  144. 	     const char *user, const char *pass, int ctrl)
    145. 

  145. {
    146. 

  146.     DBM *dbm;
    147. 

  147.     datum key, data;
    148. 

  148. 

  149.     /* Open the DB file. */
    150. 

  150.     dbm = dbm_open(database, O_RDONLY, 0644);
    151. 

  151.     if (dbm == NULL) {
    152. 

  152. 	pam_syslog(pamh, LOG_ERR,
    153. 

  153. 		   "user_lookup: could not open database `%s': %m", database);
    154. 

  154. 	return -2;
    155. 

  155.     }
    156. 

  156. 

  157.     /* dump out the database contents for debugging */
    158. 

  158.     if (ctrl & PAM_DUMP_ARG) {
    159. 

  159. 	pam_syslog(pamh, LOG_INFO, "Database dump:");
    160. 

  160. 	for (key = dbm_firstkey(dbm);  key.dptr != NULL;
    161. 

  161. 	     key = dbm_nextkey(dbm)) {
    162. 

  162. 	    data = dbm_fetch(dbm, key);
    163. 

  163. 	    pam_syslog(pamh, LOG_INFO,
    164. 

  164. 		       "key[len=%d] = `%s', data[len=%d] = `%s'",
    165. 

  165. 		       key.dsize, key.dptr, data.dsize, data.dptr);
    166. 

  166. 	}
    167. 

  167.     }
    168. 

  168. 

  169.     /* do some more init work */
    170. 

  170.     memset(&key, 0, sizeof(key));
    171. 

  171.     memset(&data, 0, sizeof(data));
    172. 

  172.     if (ctrl & PAM_KEY_ONLY_ARG) {
    173. 

  173. 	if (asprintf(&key.dptr, "%s-%s", user, pass) < 0)
    174. 

  174. 	    key.dptr = NULL;
    175. 

  175. 	else
    176. 

  176. 	    key.dsize = strlen(key.dptr);
    177. 

  177.     } else {
    178. 

  178.         key.dptr = strdup(user);
    179. 

  179.         key.dsize = strlen(user);
    180. 

  180.     }
    181. 

  181. 

  182.     if (key.dptr) {
    183. 

  183. 	data = dbm_fetch(dbm, key);
    184. 

  184. 	memset(key.dptr, 0, key.dsize);
    185. 

  185. 	free(key.dptr);
    186. 

  186.     }
    187. 

  187. 

  188.     if (ctrl & PAM_DEBUG_ARG) {
    189. 

  189. 	pam_syslog(pamh, LOG_INFO,
    190. 

  190. 		   "password in database is [%p]`%.*s', len is %d",
    191. 

  191. 		   data.dptr, data.dsize, (char *) data.dptr, data.dsize);
    192. 

  192.     }
    193. 

  193. 

  194.     if (data.dptr != NULL) {
    195. 

  195. 	int compare = -2;
    196. 

  196. 

  197. 	if (ctrl & PAM_KEY_ONLY_ARG)
    198. 

  198. 	  {
    199. 

  199. 	    dbm_close (dbm);
    200. 

  200. 	    return 0; /* found it, data contents don't matter */
    201. 

  201. 	}
    202. 

  202. 

  203. 	if (cryptmode && pam_str_skip_icase_prefix(cryptmode, "crypt") != NULL) {
    204. 

  204. 

  205. 	  /* crypt(3) password storage */
    206. 

  206. 

  207. 	  char *cryptpw = NULL;
    208. 

  208. 

  209. 	  if (data.dsize < 13) {
    210. 

  210. 	    /* hash is too short */
    211. 

  211. 	    pam_syslog(pamh, LOG_INFO, "password hash in database is too short");
    212. 

  212. 	  } else if (ctrl & PAM_ICASE_ARG) {
    213. 

  213. 	    pam_syslog(pamh, LOG_INFO,
    214. 

  214. 	       "case-insensitive comparison only works with plaintext passwords");
    215. 

  215. 	  } else {
    216. 

  216. 	    /* libdb is not guaranteed to produce null terminated strings */
    217. 

  217. 	    char *pwhash = strndup(data.dptr, data.dsize);
    218. 

  218. 

  219. 	    if (pwhash == NULL) {
    220. 

  220. 	      pam_syslog(pamh, LOG_CRIT, "strndup failed: data.dptr");
    221. 

  221. 	    } else {
    222. 

  222. #ifdef HAVE_CRYPT_R
    223. 

  223. 	      struct crypt_data *cdata = NULL;
    224. 

  224. 	      cdata = malloc(sizeof(*cdata));
    225. 

  225. 	      if (cdata == NULL) {
    226. 

  226. 	        pam_syslog(pamh, LOG_CRIT, "malloc failed: struct crypt_data");
    227. 

  227. 	      } else {
    228. 

  228. 	        cdata->initialized = 0;
    229. 

  229. 	        cryptpw = crypt_r(pass, pwhash, cdata);
    230. 

  230. 	      }
    231. 

  231. #else
    232. 

  232. 	      cryptpw = crypt (pass, pwhash);
    233. 

  233. #endif
    234. 

  234. 	      if (cryptpw && strlen(cryptpw) == (size_t)data.dsize) {
    235. 

  235. 	        compare = memcmp(data.dptr, cryptpw, data.dsize);
    236. 

  236. 	      } else {
    237. 

  237. 	        if (ctrl & PAM_DEBUG_ARG) {
    238. 

  238. 	          if (cryptpw) {
    239. 

  239. 	            pam_syslog(pamh, LOG_INFO, "lengths of computed and stored hashes differ");
    240. 

  240. 	            pam_syslog(pamh, LOG_INFO, "computed hash: %s", cryptpw);
    241. 

  241. 	          } else {
    242. 

  242. 	            pam_syslog(pamh, LOG_ERR, "crypt() returned NULL");
    243. 

  243. 	          }
    244. 

  244. 	        }
    245. 

  245. 	      }
    246. 

  246. #ifdef HAVE_CRYPT_R
    247. 

  247. 	      free(cdata);
    248. 

  248. #endif
    249. 

  249. 	    }
    250. 

  250. 	    free(pwhash);
    251. 

  251. 	  }
    252. 

  252. 	} else {
    253. 

  253. 

  254. 	  /* Unknown password encryption method -
    255. 

  255. 	   * default to plaintext password storage
    256. 

  256. 	   */
    257. 

  257. 

  258. 	  if (strlen(pass) != (size_t)data.dsize) {
    259. 

  259. 	    compare = 1; /* wrong password len -> wrong password */
    260. 

  260. 	  } else if (ctrl & PAM_ICASE_ARG) {
    261. 

  261. 	    compare = strncasecmp(data.dptr, pass, data.dsize);
    262. 

  262. 	  } else {
    263. 

  263. 	    compare = strncmp(data.dptr, pass, data.dsize);
    264. 

  264. 	  }
    265. 

  265. 

  266. 	  if (cryptmode && pam_str_skip_icase_prefix(cryptmode, "none") == NULL
    267. 

  267. 		&& (ctrl & PAM_DEBUG_ARG)) {
    268. 

  268. 	    pam_syslog(pamh, LOG_INFO, "invalid value for crypt parameter: %s",
    269. 

  269. 		       cryptmode);
    270. 

  270. 	    pam_syslog(pamh, LOG_INFO, "defaulting to plaintext password mode");
    271. 

  271. 	  }
    272. 

  272. 

  273. 	}
    274. 

  274. 

  275. 	dbm_close(dbm);
    276. 

  276. 	if (compare == 0)
    277. 

  277. 	    return 0; /* match */
    278. 

  278. 	else
    279. 

  279. 	    return -1; /* wrong */
    280. 

  280.     } else {
    281. 

  281.         int saw_user = 0;
    282. 

  282. 

  283. 	if (ctrl & PAM_DEBUG_ARG) {
    284. 

  284. 	    pam_syslog(pamh, LOG_INFO, "error returned by dbm_fetch: %m");
    285. 

  285. 	}
    286. 

  286. 

  287. 	/* probably we should check dbm_error() here */
    288. 

  288. 

  289.         if ((ctrl & PAM_KEY_ONLY_ARG) == 0) {
    290. 

  290. 	    dbm_close(dbm);
    291. 

  291.             return 1; /* not key_only, so no entry => no entry for the user */
    292. 

  292.         }
    293. 

  293. 

  294.         /* now handle the key_only case */
    295. 

  295.         for (key = dbm_firstkey(dbm);
    296. 

  296.              key.dptr != NULL;
    297. 

  297.              key = dbm_nextkey(dbm)) {
    298. 

  298.             int compare;
    299. 

  299.             /* first compare the user portion (case sensitive) */
    300. 

  300.             compare = strncmp(key.dptr, user, strlen(user));
    301. 

  301.             if (compare == 0) {
    302. 

  302.                 /* assume failure */
    303. 

  303.                 compare = -1;
    304. 

  304.                 /* if we have the divider where we expect it to be... */
    305. 

  305.                 if (key.dptr[strlen(user)] == '-') {
    306. 

  306. 		    saw_user = 1;
    307. 

  307. 		    if ((size_t)key.dsize == strlen(user) + 1 + strlen(pass)) {
    308. 

  308. 		        if (ctrl & PAM_ICASE_ARG) {
    309. 

  309. 			    /* compare the password portion (case insensitive)*/
    310. 

  310.                             compare = strncasecmp(key.dptr + strlen(user) + 1,
    311. 

  311.                                                   pass,
    312. 

  312.                                                   strlen(pass));
    313. 

  313. 		        } else {
    314. 

  314.                             /* compare the password portion (case sensitive) */
    315. 

  315.                             compare = strncmp(key.dptr + strlen(user) + 1,
    316. 

  316.                                               pass,
    317. 

  317.                                               strlen(pass));
    318. 

  318. 		        }
    319. 

  319. 		    }
    320. 

  320.                 }
    321. 

  321.                 if (compare == 0) {
    322. 

  322.                     dbm_close(dbm);
    323. 

  323.                     return 0; /* match */
    324. 

  324.                 }
    325. 

  325.             }
    326. 

  326.         }
    327. 

  327.         dbm_close(dbm);
    328. 

  328. 	if (saw_user)
    329. 

  329. 	    return -1; /* saw the user, but password mismatch */
    330. 

  330. 	else
    331. 

  331. 	    return 1; /* not found */
    332. 

  332.     }
    333. 

  333. 

  334.     /* NOT REACHED */
    335. 

  335.     return -2;
    336. 

  336. }
    337. 

  337. 

  338. /* --- authentication management functions (only) --- */
    339. 

  339. 

  340. int
    341. 

  341. pam_sm_authenticate(pam_handle_t *pamh, int flags UNUSED,
    342. 

  342. 		    int argc, const char **argv)
    343. 

  343. {
    344. 

  344.      const char *username;
    345. 

  345.      const void *password;
    346. 

  346.      const char *database = NULL;
    347. 

  347.      const char *cryptmode = NULL;
    348. 

  348.      int retval = PAM_AUTH_ERR, ctrl;
    349. 

  349. 

  350.      /* parse arguments */
    351. 

  351.      ctrl = _pam_parse(pamh, argc, argv, &database, &cryptmode);
    352. 

  352.      if (database == NULL) {
    353. 

  353.         pam_syslog(pamh, LOG_ERR, "can not get the database name");
    354. 

  354.         return PAM_SERVICE_ERR;
    355. 

  355.      }
    356. 

  356. 

  357.      /* Get the username */
    358. 

  358.      retval = pam_get_user(pamh, &username, NULL);
    359. 

  359.      if (retval != PAM_SUCCESS) {
    360. 

  360.         pam_syslog(pamh, LOG_NOTICE, "cannot determine user name: %s",
    361. 

  361.                    pam_strerror(pamh, retval));
    362. 

  362.         return PAM_SERVICE_ERR;
    363. 

  363.      }
    364. 

  364. 

  365.      if ((ctrl & PAM_USE_FPASS_ARG) == 0 && (ctrl & PAM_TRY_FPASS_ARG) == 0) {
    366. 

  366.         /* Converse to obtain a password */
    367. 

  367.         retval = obtain_authtok(pamh);
    368. 

  368.         if (retval != PAM_SUCCESS) {
    369. 

  369. 	    pam_syslog(pamh, LOG_ERR, "can not obtain password from user");
    370. 

  370. 	    return retval;
    371. 

  371.         }
    372. 

  372.      }
    373. 

  373. 

  374.      /* Check if we got a password */
    375. 

  375.      retval = pam_get_item(pamh, PAM_AUTHTOK, &password);
    376. 

  376.      if (retval != PAM_SUCCESS || password == NULL) {
    377. 

  377.         if ((ctrl & PAM_TRY_FPASS_ARG) != 0) {
    378. 

  378. 	    /* Converse to obtain a password */
    379. 

  379. 	    retval = obtain_authtok(pamh);
    380. 

  380. 	    if (retval != PAM_SUCCESS) {
    381. 

  381. 	        pam_syslog(pamh, LOG_ERR, "can not obtain password from user");
    382. 

  382. 		return retval;
    383. 

  383. 	    }
    384. 

  384. 	    retval = pam_get_item(pamh, PAM_AUTHTOK, &password);
    385. 

  385. 	}
    386. 

  386. 	if (retval != PAM_SUCCESS || password == NULL) {
    387. 

  387. 	    pam_syslog(pamh, LOG_ERR, "can not recover user password");
    388. 

  388. 	    return PAM_AUTHTOK_RECOVERY_ERR;
    389. 

  389. 	}
    390. 

  390.      }
    391. 

  391. 

  392.      if (ctrl & PAM_DEBUG_ARG)
    393. 

  393. 	 pam_syslog(pamh, LOG_INFO, "Verify user `%s' with a password",
    394. 

  394. 		    username);
    395. 

  395. 

  396.      /* Now use the username to look up password in the database file */
    397. 

  397.      retval = user_lookup(pamh, database, cryptmode, username, password, ctrl);
    398. 

  398.      switch (retval) {
    399. 

  399. 	 case -2:
    400. 

  400. 	     /* some sort of system error. The log was already printed */
    401. 

  401. 	     return PAM_SERVICE_ERR;
    402. 

  402. 	 case -1:
    403. 

  403. 	     /* incorrect password */
    404. 

  404. 	     pam_syslog(pamh, LOG_NOTICE,
    405. 

  405. 			"user `%s' denied access (incorrect password)",
    406. 

  406. 			username);
    407. 

  407. 	     return PAM_AUTH_ERR;
    408. 

  408. 	 case 1:
    409. 

  409. 	     /* the user does not exist in the database */
    410. 

  410. 	     if (ctrl & PAM_DEBUG_ARG)
    411. 

  411. 		 pam_syslog(pamh, LOG_NOTICE,
    412. 

  412. 			    "user `%s' not found in the database", username);
    413. 

  413. 	     return PAM_USER_UNKNOWN;
    414. 

  414. 	 case 0:
    415. 

  415. 	     /* Otherwise, the authentication looked good */
    416. 

  416. 	     pam_syslog(pamh, LOG_NOTICE, "user '%s' granted access", username);
    417. 

  417. 	     return PAM_SUCCESS;
    418. 

  418. 	 default:
    419. 

  419. 	     /* we don't know anything about this return value */
    420. 

  420. 	     pam_syslog(pamh, LOG_ERR,
    421. 

  421. 		      "internal module error (retval = %d, user = `%s'",
    422. 

  422. 		      retval, username);
    423. 

  423. 	     return PAM_SERVICE_ERR;
    424. 

  424.      }
    425. 

  425. 

  426.      /* should not be reached */
    427. 

  427.      return PAM_IGNORE;
    428. 

  428. }
    429. 

  429. 

  430. int
    431. 

  431. pam_sm_setcred(pam_handle_t *pamh UNUSED, int flags UNUSED,
    432. 

  432. 	       int argc UNUSED, const char **argv UNUSED)
    433. 

  433. {
    434. 

  434.     return PAM_SUCCESS;
    435. 

  435. }
    436. 

  436. 

  437. int
    438. 

  438. pam_sm_acct_mgmt(pam_handle_t *pamh, int flags UNUSED,
    439. 

  439. 		 int argc, const char **argv)
    440. 

  440. {
    441. 

  441.     const char *username;
    442. 

  442.     const char *database = NULL;
    443. 

  443.     const char *cryptmode = NULL;
    444. 

  444.     int retval = PAM_AUTH_ERR, ctrl;
    445. 

  445. 

  446.     /* parse arguments */
    447. 

  447.     ctrl = _pam_parse(pamh, argc, argv, &database, &cryptmode);
    448. 

  448. 

  449.     /* Get the username */
    450. 

  450.     retval = pam_get_user(pamh, &username, NULL);
    451. 

  451.     if (retval != PAM_SUCCESS) {
    452. 

  452.         pam_syslog(pamh, LOG_NOTICE, "cannot determine user name: %s",
    453. 

  453.                    pam_strerror(pamh, retval));
    454. 

  454.         return PAM_SERVICE_ERR;
    455. 

  455.     }
    456. 

  456. 

  457.     /* Now use the username to look up password in the database file */
    458. 

  458.     retval = user_lookup(pamh, database, cryptmode, username, "", ctrl);
    459. 

  459.     switch (retval) {
    460. 

  460.         case -2:
    461. 

  461. 	    /* some sort of system error. The log was already printed */
    462. 

  462. 	    return PAM_SERVICE_ERR;
    463. 

  463. 	case -1:
    464. 

  464. 	    /* incorrect password, but we don't care */
    465. 

  465. 	    /* FALL THROUGH */
    466. 

  466. 	case 0:
    467. 

  467. 	    /* authentication succeeded. dumbest password ever. */
    468. 

  468. 	    return PAM_SUCCESS;
    469. 

  469. 	case 1:
    470. 

  470. 	    /* the user does not exist in the database */
    471. 

  471. 	    return PAM_USER_UNKNOWN;
    472. 

  472.         default:
    473. 

  473. 	    /* we don't know anything about this return value */
    474. 

  474. 	    pam_syslog(pamh, LOG_ERR,
    475. 

  475. 		       "internal module error (retval = %d, user = `%s'",
    476. 

  476. 		       retval, username);
    477. 

  477.             return PAM_SERVICE_ERR;
    478. 

  478.     }
    479. 

  479. 

  480.     return PAM_SUCCESS;
    481. 

  481. }
    482. 

  482. 

  483. /*
    484. 

  484.  * Copyright (c) Cristian Gafton <gafton@redhat.com>, 1999
    485. 

  485.  *                                              All rights reserved
    486. 

  486.  *
    487. 

  487.  * Redistribution and use in source and binary forms, with or without
    488. 

  488.  * modification, are permitted provided that the following conditions
    489. 

  489.  * are met:
    490. 

  490.  * 1. Redistributions of source code must retain the above copyright
    491. 

  491.  *    notice, and the entire permission notice in its entirety,
    492. 

  492.  *    including the disclaimer of warranties.
    493. 

  493.  * 2. Redistributions in binary form must reproduce the above copyright
    494. 

  494.  *    notice, this list of conditions and the following disclaimer in the
    495. 

  495.  *    documentation and/or other materials provided with the distribution.
    496. 

  496.  * 3. The name of the author may not be used to endorse or promote
    497. 

  497.  *    products derived from this software without specific prior
    498. 

  498.  *    written permission.
    499. 

  499.  *
    500. 

  500.  * ALTERNATIVELY, this product may be distributed under the terms of
    501. 

  501.  * the GNU Public License, in which case the provisions of the GPL are
    502. 

  502.  * required INSTEAD OF the above restrictions.  (This clause is
    503. 

  503.  * necessary due to a potential bad interaction between the GPL and
    504. 

  504.  * the restrictions contained in a BSD-style copyright.)
    505. 

  505.  *
    506. 

  506.  * THIS SOFTWARE IS PROVIDED `AS IS'' AND ANY EXPRESS OR IMPLIED
    507. 

  507.  * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
    508. 

  508.  * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
    509. 

  509.  * DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
    510. 

  510.  * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
    511. 

  511.  * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
    512. 

  512.  * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
    513. 

  513.  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
    514. 

  514.  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
    515. 

  515.  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
    516. 

  516.  * OF THE POSSIBILITY OF SUCH DAMAGE.
    517. 

  517.  */
    518.