1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
|
/*
* $Id$
*/
#ifndef _PAM_UNIX_SUPPORT_H
#define _PAM_UNIX_SUPPORT_H
#include <pwd.h>
/*
* File to read value of ENCRYPT_METHOD from.
*/
#define LOGIN_DEFS "/etc/login.defs"
/*
* here is the string to inform the user that the new passwords they
* typed were not the same.
*/
/* type definition for the control options */
typedef struct {
const char *token;
unsigned long long mask; /* shall assume 64 bits of flags */
unsigned long long flag;
unsigned int is_hash_algo;
} UNIX_Ctrls;
/*
* macro to determine if a given flag is on
*/
#define on(x,ctrl) (unix_args[x].flag & ctrl)
/*
* macro to determine that a given flag is NOT on
*/
#define off(x,ctrl) (!on(x,ctrl))
/*
* macro to turn on/off a ctrl flag manually
*/
#define set(x,ctrl) (ctrl = ((ctrl)&unix_args[x].mask)|unix_args[x].flag)
#define unset(x,ctrl) (ctrl &= ~(unix_args[x].flag))
/* the generic mask */
#define _ALL_ON_ (~0ULL)
/* end of macro definitions definitions for the control flags */
/* ****************************************************************** *
* ctrl flags proper..
*/
/*
* here are the various options recognized by the unix module. They
* are enumerated here and then defined below. Internal arguments are
* given NULL tokens.
*/
#define UNIX__OLD_PASSWD 0 /* internal */
#define UNIX__VERIFY_PASSWD 1 /* internal */
#define UNIX__IAMROOT 2 /* internal */
#define UNIX_AUDIT 3 /* print more things than debug..
some information may be sensitive */
#define UNIX_USE_FIRST_PASS 4
#define UNIX_TRY_FIRST_PASS 5
#define UNIX_AUTHTOK_TYPE 6 /* TYPE for pam_get_authtok() */
#define UNIX__PRELIM 7 /* internal */
#define UNIX__UPDATE 8 /* internal */
#define UNIX__NONULL 9 /* internal */
#define UNIX__QUIET 10 /* internal */
#define UNIX_USE_AUTHTOK 11 /* insist on reading PAM_AUTHTOK */
#define UNIX_SHADOW 12 /* signal shadow on */
#define UNIX_MD5_PASS 13 /* force the use of MD5 passwords */
#define UNIX__NULLOK 14 /* Null token ok */
#define UNIX_DEBUG 15 /* send more info to syslog(3) */
#define UNIX_NODELAY 16 /* admin does not want a fail-delay */
#define UNIX_NIS 17 /* wish to use NIS for pwd */
#define UNIX_BIGCRYPT 18 /* use DEC-C2 crypt()^x function */
#define UNIX_LIKE_AUTH 19 /* need to auth for setcred to work */
#define UNIX_REMEMBER_PASSWD 20 /* Remember N previous passwords */
#define UNIX_NOREAP 21 /* don't reap child process */
#define UNIX_BROKEN_SHADOW 22 /* ignore errors reading password aging
* information during acct management */
#define UNIX_SHA256_PASS 23 /* new password hashes will use SHA256 */
#define UNIX_SHA512_PASS 24 /* new password hashes will use SHA512 */
#define UNIX_ALGO_ROUNDS 25 /* optional number of rounds for new
password hash algorithms */
#define UNIX_BLOWFISH_PASS 26 /* new password hashes will use blowfish */
#define UNIX_MIN_PASS_LEN 27 /* min length for password */
#define UNIX_QUIET 28 /* Don't print informational messages */
#define UNIX_NO_PASS_EXPIRY 29 /* Don't check for password expiration if not used for authentication */
#define UNIX_DES 30 /* DES, default */
#define UNIX_GOST_YESCRYPT_PASS 31 /* new password hashes will use gost-yescrypt */
#define UNIX_YESCRYPT_PASS 32 /* new password hashes will use yescrypt */
#define UNIX_NULLRESETOK 33 /* allow empty password if password reset is enforced */
/* -------------- */
#define UNIX_CTRLS_ 34 /* number of ctrl arguments defined */
#define UNIX_DES_CRYPT(ctrl) (off(UNIX_MD5_PASS,ctrl)&&off(UNIX_BIGCRYPT,ctrl)&&off(UNIX_SHA256_PASS,ctrl)&&off(UNIX_SHA512_PASS,ctrl)&&off(UNIX_BLOWFISH_PASS,ctrl)&&off(UNIX_GOST_YESCRYPT_PASS,ctrl)&&off(UNIX_YESCRYPT_PASS,ctrl))
static const UNIX_Ctrls unix_args[UNIX_CTRLS_] =
{
/* symbol token name ctrl mask ctrl *
* --------------------------- -------------------- ------------------------- ---------------- */
/* UNIX__OLD_PASSWD */ {NULL, _ALL_ON_, 01, 0},
/* UNIX__VERIFY_PASSWD */ {NULL, _ALL_ON_, 02, 0},
/* UNIX__IAMROOT */ {NULL, _ALL_ON_, 04, 0},
/* UNIX_AUDIT */ {"audit", _ALL_ON_, 010, 0},
/* UNIX_USE_FIRST_PASS */ {"use_first_pass", _ALL_ON_^(060ULL), 020, 0},
/* UNIX_TRY_FIRST_PASS */ {"try_first_pass", _ALL_ON_^(060ULL), 040, 0},
/* UNIX_AUTHTOK_TYPE */ {"authtok_type=", _ALL_ON_, 0100, 0},
/* UNIX__PRELIM */ {NULL, _ALL_ON_^(0600ULL), 0200, 0},
/* UNIX__UPDATE */ {NULL, _ALL_ON_^(0600ULL), 0400, 0},
/* UNIX__NONULL */ {NULL, _ALL_ON_, 01000, 0},
/* UNIX__QUIET */ {NULL, _ALL_ON_, 02000, 0},
/* UNIX_USE_AUTHTOK */ {"use_authtok", _ALL_ON_, 04000, 0},
/* UNIX_SHADOW */ {"shadow", _ALL_ON_, 010000, 0},
/* UNIX_MD5_PASS */ {"md5", _ALL_ON_^(015660420000ULL), 020000, 1},
/* UNIX__NULLOK */ {"nullok", _ALL_ON_^(01000ULL), 0, 0},
/* UNIX_DEBUG */ {"debug", _ALL_ON_, 040000, 0},
/* UNIX_NODELAY */ {"nodelay", _ALL_ON_, 0100000, 0},
/* UNIX_NIS */ {"nis", _ALL_ON_, 0200000, 0},
/* UNIX_BIGCRYPT */ {"bigcrypt", _ALL_ON_^(015660420000ULL), 0400000, 1},
/* UNIX_LIKE_AUTH */ {"likeauth", _ALL_ON_, 01000000, 0},
/* UNIX_REMEMBER_PASSWD */ {"remember=", _ALL_ON_, 02000000, 0},
/* UNIX_NOREAP */ {"noreap", _ALL_ON_, 04000000, 0},
/* UNIX_BROKEN_SHADOW */ {"broken_shadow", _ALL_ON_, 010000000, 0},
/* UNIX_SHA256_PASS */ {"sha256", _ALL_ON_^(015660420000ULL), 020000000, 1},
/* UNIX_SHA512_PASS */ {"sha512", _ALL_ON_^(015660420000ULL), 040000000, 1},
/* UNIX_ALGO_ROUNDS */ {"rounds=", _ALL_ON_, 0100000000, 0},
/* UNIX_BLOWFISH_PASS */ {"blowfish", _ALL_ON_^(015660420000ULL), 0200000000, 1},
/* UNIX_MIN_PASS_LEN */ {"minlen=", _ALL_ON_, 0400000000, 0},
/* UNIX_QUIET */ {"quiet", _ALL_ON_, 01000000000, 0},
/* UNIX_NO_PASS_EXPIRY */ {"no_pass_expiry", _ALL_ON_, 02000000000, 0},
/* UNIX_DES */ {"des", _ALL_ON_^(015660420000ULL), 0, 1},
/* UNIX_GOST_YESCRYPT_PASS */ {"gost_yescrypt", _ALL_ON_^(015660420000ULL), 04000000000, 1},
/* UNIX_YESCRYPT_PASS */ {"yescrypt", _ALL_ON_^(015660420000ULL), 010000000000, 1},
/* UNIX_NULLRESETOK */ {"nullresetok", _ALL_ON_, 020000000000, 0},
};
#define UNIX_DEFAULTS (unix_args[UNIX__NONULL].flag)
/* use this to free strings. ESPECIALLY password strings */
#define _pam_delete(xx) \
{ \
_pam_overwrite(xx); \
_pam_drop(xx); \
}
extern int _make_remark(pam_handle_t * pamh, unsigned long long ctrl,
int type, const char *text);
extern unsigned long long _set_ctrl(pam_handle_t * pamh, int flags,
int *remember, int *rounds,
int *pass_min_len,
int argc, const char **argv);
extern int _unix_getpwnam (pam_handle_t *pamh,
const char *name, int files, int nis,
struct passwd **ret);
extern int _unix_comesfromsource (pam_handle_t *pamh,
const char *name, int files, int nis);
extern int _unix_blankpasswd(pam_handle_t *pamh, unsigned long long ctrl,
const char *name);
extern int _unix_verify_password(pam_handle_t * pamh, const char *name,
const char *p, unsigned long long ctrl);
extern int _unix_verify_user(pam_handle_t *pamh, unsigned long long ctrl,
const char *name, int *daysleft);
extern int _unix_run_verify_binary(pam_handle_t *pamh,
unsigned long long ctrl,
const char *user, int *daysleft);
#endif /* _PAM_UNIX_SUPPORT_H */
|
