1 /*
2 * CDDL HEADER START
3 *
4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
7 *
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
12 *
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 *
19 * CDDL HEADER END
20 */
21 /*
22 * Copyright 2009 Sun Microsystems, Inc. All rights reserved.
23 * Use is subject to license terms.
24 * Copyright (c) 2016 by Delphix. All rights reserved.
25 */
26
27 #include <sys/types.h>
28 #include <sys/varargs.h>
29 #include <sys/param.h>
30 #include <sys/sysmacros.h>
31 #include <stdio.h>
32 #include <stdlib.h>
33 #include <deflt.h>
34 #include <security/pam_appl.h>
35 #include <security/pam_modules.h>
36 #include <security/pam_impl.h>
37 #include <string.h>
38 #include <ctype.h>
39 #include <unistd.h>
40 #include <syslog.h>
41 #include <libintl.h>
42 #include <errno.h>
43 #include <pwd.h>
44 #include "packer.h"
45
46 #include <passwdutil.h>
47
48 #define PWADMIN "/etc/default/passwd"
49
50 #define MINLENGTH 6
51 #define MINDIFF 3
52 #define MINALPHA 2
53 #define MINNONALPHA 1
54
55 mutex_t dictlock = DEFAULTMUTEX;
56
57 /*
58 * We implement:
59 * PASSLENGTH (int) minimum password length
60 * NAMECHECK (yes/no) perform comparison of password and loginname
61 * MINDIFF (int) minimum number of character-positions in which
62 * the old and the new password should differ.
63 * MINALPHA (int) minimum number of Alpha characters
64 * MINUPPER (int) minimum number of upper-case characters
65 * MINLOWER (int) minimum number of lower-case characters
66 * MAXREPEATS (int) maximum number of consecutively repeating chars
67 * WHITESPACE (yes/no) Are whitespaces allowed?
68 *
69 * Furthermore, these two mutualy exclusive groups of options are allowed:
70 *
71 * MINNONALPHA (int) minimum number of characters from the
72 * character classes [ punct, space, digit ]
73 * if WHITESPACE == NO, whitespaces don't count.
74 * and
75 * MINSPECIAL (int) minimum number of punctuation characters.
76 * if WHITESPACE != NO, whitespace is seen as
77 * a "special" character.
78 * MINDIGIT (int) minimum number of digits
79 *
80 * specifying options from both groups results in an error to syslog and
81 * failure to change the password.
82 *
83 * NOTE:
84 * HISTORY is implemented at the repository level (passwdutil).
85 */
86
87 /*
88 * default password-strength-values, compiled-in or stored in PWADMIN
89 * are kept in here
90 */
91 struct pwdefaults {
92 boolean_t server_policy; /* server policy flag from pam.conf */
93 uint_t minlength; /* minimum password lenght */
94 uint_t maxlength; /* maximum (significant) length */
95 boolean_t do_namecheck; /* check password against user's gecos */
96 char db_location[MAXPATHLEN]; /* location of the generated database */
97 boolean_t do_dictcheck; /* perform dictionary lookup */
98 char *dicts; /* list of dictionaries configured */
99 uint_t mindiff; /* old and new should differ by this much */
100 uint_t minalpha; /* minimum alpha characters required */
101 uint_t minupper; /* minimum uppercase characters required */
102 uint_t minlower; /* minimum lowercase characters required */
103 uint_t minnonalpha; /* minimum special (non alpha) required */
104 uint_t maxrepeat; /* maximum number of repeating chars allowed */
105 uint_t minspecial; /* punctuation characters */
106 uint_t mindigit; /* minimum number of digits required */
107 boolean_t whitespace; /* is whitespace allowed in a password */
108 };
109
110
111 /*PRINTFLIKE3*/
112 void
error(pam_handle_t * pamh,int flags,char * fmt,...)113 error(pam_handle_t *pamh, int flags, char *fmt, ...)
114 {
115 va_list ap;
116 char msg[1][PAM_MAX_MSG_SIZE];
117
118 va_start(ap, fmt);
119 (void) vsnprintf(msg[0], sizeof (msg[0]), fmt, ap);
120 va_end(ap);
121 if ((flags & PAM_SILENT) == 0)
122 (void) __pam_display_msg(pamh, PAM_ERROR_MSG, 1, msg, NULL);
123 }
124
125 int
defread_int(char * name,uint_t * ip,void * defp)126 defread_int(char *name, uint_t *ip, void *defp)
127 {
128 char *q;
129 int r = 0;
130 if ((q = defread_r(name, defp)) != NULL) {
131 if (!isdigit(*q)) {
132 syslog(LOG_ERR, "pam_authtok_check: %s contains "
133 "non-integer value for %s: %s. "
134 "Using default instead.", PWADMIN, name, q);
135 } else {
136 *ip = atoi(q);
137 r = 1;
138 }
139 }
140 return (r);
141 }
142
143 /*
144 * fill in static defaults, and augment with settings from PWADMIN
145 * get system defaults with regard to maximum password length
146 */
147 int
get_passwd_defaults(pam_handle_t * pamh,char * user,struct pwdefaults * p)148 get_passwd_defaults(pam_handle_t *pamh, char *user, struct pwdefaults *p)
149 {
150 char *q;
151 boolean_t minnonalpha_defined = B_FALSE;
152 pwu_repository_t *pwu_rep;
153 struct pam_repository *pam_rep;
154 attrlist attr[2];
155 int result;
156 char *progname;
157 void *defp;
158
159 (void) pam_get_item(pamh, PAM_SERVICE, (void **)&progname);
160
161 /* Module defaults */
162 p->minlength = MINLENGTH;
163 p->do_namecheck = B_TRUE;
164 p->do_dictcheck = B_FALSE;
165 p->dicts = NULL;
166 p->mindiff = MINDIFF;
167 p->minalpha = MINALPHA;
168 p->minnonalpha = MINNONALPHA;
169 p->minupper = 0; /* not configured by default */
170 p->minlower = 0; /* not configured by default */
171 p->maxrepeat = 0; /* not configured by default */
172
173 p->minspecial = 0;
174 p->mindigit = 0;
175 p->whitespace = B_TRUE;
176
177 if ((defp = defopen_r(PWADMIN)) == NULL)
178 return (PAM_SUCCESS);
179
180 (void) defread_int("PASSLENGTH=", &p->minlength, defp);
181
182 if ((q = defread_r("NAMECHECK=", defp)) != NULL &&
183 strcasecmp(q, "NO") == 0)
184 p->do_namecheck = B_FALSE;
185
186 if ((q = defread_r("DICTIONLIST=", defp)) != NULL) {
187 if ((p->dicts = strdup(q)) == NULL) {
188 syslog(LOG_ERR, "pam_authtok_check: out of memory");
189 defclose_r(defp);
190 return (PAM_BUF_ERR);
191
192 }
193 p->do_dictcheck = B_TRUE;
194 } else {
195 p->dicts = NULL;
196 }
197
198 if ((q = defread_r("DICTIONDBDIR=", defp)) != NULL) {
199 if (strlcpy(p->db_location, q, sizeof (p->db_location)) >=
200 sizeof (p->db_location)) {
201 syslog(LOG_ERR, "pam_authtok_check: value for "
202 "DICTIONDBDIR too large.");
203 defclose_r(defp);
204 return (PAM_SYSTEM_ERR);
205 }
206 p->do_dictcheck = B_TRUE;
207 } else {
208 (void) strlcpy(p->db_location, CRACK_DIR,
209 sizeof (p->db_location));
210 }
211
212 (void) defread_int("MINDIFF=", &p->mindiff, defp);
213 (void) defread_int("MINALPHA=", &p->minalpha, defp);
214 (void) defread_int("MINUPPER=", &p->minupper, defp);
215 (void) defread_int("MINLOWER=", &p->minlower, defp);
216 if (defread_int("MINNONALPHA=", &p->minnonalpha, defp))
217 minnonalpha_defined = B_TRUE;
218 (void) defread_int("MAXREPEATS=", &p->maxrepeat, defp);
219
220 if (defread_int("MINSPECIAL=", &p->minspecial, defp)) {
221 if (minnonalpha_defined) {
222 syslog(LOG_ERR, "pam_authtok_check: %s contains "
223 "definition for MINNONALPHA and for MINSPECIAL. "
224 "These options are mutually exclusive.", PWADMIN);
225 defclose_r(defp);
226 return (PAM_SYSTEM_ERR);
227 }
228 p->minnonalpha = 0;
229 }
230
231 if (defread_int("MINDIGIT=", &p->mindigit, defp)) {
232 if (minnonalpha_defined) {
233 syslog(LOG_ERR, "pam_authtok_check: %s contains "
234 "definition for MINNONALPHA and for MINDIGIT. "
235 "These options are mutually exclusive.", PWADMIN);
236 defclose_r(defp);
237 return (PAM_SYSTEM_ERR);
238 }
239 p->minnonalpha = 0;
240 }
241
242 if ((q = defread_r("WHITESPACE=", defp)) != NULL)
243 p->whitespace =
244 (strcasecmp(q, "no") == 0 || strcmp(q, "0") == 0)
245 ? B_FALSE : B_TRUE;
246
247 defclose_r(defp);
248
249 /*
250 * Determine the number of significant characters in a password
251 *
252 * we find out where the user information came from (which repository),
253 * and which password-crypt-algorithm is to be used (based on the
254 * old password, or the system default).
255 *
256 * If the user comes from a repository other than FILES/NIS
257 * the module-flag "server_policy" means that we don't perform
258 * any checks on the user, but let the repository decide instead.
259 */
260
261 (void) pam_get_item(pamh, PAM_REPOSITORY, (void **)&pam_rep);
262 if (pam_rep != NULL) {
263 if ((pwu_rep = calloc(1, sizeof (*pwu_rep))) == NULL)
264 return (PAM_BUF_ERR);
265 pwu_rep->type = pam_rep->type;
266 pwu_rep->scope = pam_rep->scope;
267 pwu_rep->scope_len = pam_rep->scope_len;
268 } else {
269 pwu_rep = PWU_DEFAULT_REP;
270 }
271
272 attr[0].type = ATTR_PASSWD; attr[0].next = &attr[1];
273 attr[1].type = ATTR_REP_NAME; attr[1].next = NULL;
274 result = __get_authtoken_attr(user, pwu_rep, attr);
275 if (pwu_rep != PWU_DEFAULT_REP)
276 free(pwu_rep);
277
278 if (result != PWU_SUCCESS) {
279 /*
280 * In the unlikely event that we can't obtain any info about
281 * the users password, we assume the most strict scenario.
282 */
283 p->maxlength = _PASS_MAX_XPG;
284 } else {
285 char *oldpw = attr[0].data.val_s;
286 char *repository = attr[1].data.val_s;
287 if ((strcmp(repository, "files") == 0 ||
288 strcmp(repository, "nis") == 0) ||
289 p->server_policy == B_FALSE) {
290 char *salt;
291 /*
292 * We currently need to supply this dummy to
293 * crypt_gensalt(). This will change RSN.
294 */
295 struct passwd dummy;
296
297 dummy.pw_name = user;
298
299 salt = crypt_gensalt(oldpw, &dummy);
300 if (salt && *salt == '$')
301 p->maxlength = _PASS_MAX;
302 else
303 p->maxlength = _PASS_MAX_XPG;
304
305 free(salt);
306
307 p->server_policy = B_FALSE; /* we perform checks */
308 } else {
309 /* not files or nis AND server_policy is set */
310 p->maxlength = _PASS_MAX;
311 }
312 free(attr[0].data.val_s);
313 free(attr[1].data.val_s);
314 }
315
316 /* sanity check of the configured parameters */
317 if (p->minlength < p->mindigit + p->minspecial + p->minnonalpha +
318 p->minalpha) {
319 syslog(LOG_ERR, "%s: pam_authtok_check: Defined minimum "
320 "password length (PASSLENGTH=%d) is less then minimum "
321 "characters in the various classes (%d)", progname,
322 p->minlength,
323 p->mindigit + p->minspecial + p->minnonalpha + p->minalpha);
324 p->minlength = p->mindigit + p->minspecial + p->minnonalpha +
325 p->minalpha;
326 syslog(LOG_ERR, "%s: pam_authtok_check: effective "
327 "PASSLENGTH set to %d.", progname, p->minlength);
328 /* this won't lead to failure */
329 }
330
331 if (p->maxlength < p->minlength) {
332 syslog(LOG_ERR, "%s: pam_authtok_check: The configured "
333 "minimum password length (PASSLENGTH=%d) is larger than "
334 "the number of significant characters the current "
335 "encryption algorithm uses (%d). See policy.conf(5) for "
336 "alternative password encryption algorithms.", progname);
337 /* this won't lead to failure */
338 }
339
340 return (PAM_SUCCESS);
341 }
342
343 /*
344 * free_passwd_defaults(struct pwdefaults *p)
345 *
346 * free space occupied by the defaults read from PWADMIN
347 */
348 void
free_passwd_defaults(struct pwdefaults * p)349 free_passwd_defaults(struct pwdefaults *p)
350 {
351 if (p && p->dicts)
352 free(p->dicts);
353 }
354
355 /*
356 * check_circular():
357 * This function return 1 if string "t" is a circular shift of
358 * string "s", else it returns 0. -1 is returned on failure.
359 * We also check to see if string "t" is a reversed-circular shift
360 * of string "s", i.e. "ABCDE" vs. "DCBAE".
361 */
362 static int
check_circular(s,t)363 check_circular(s, t)
364 char *s, *t;
365 {
366 char c, *p, *o, *r, *buff, *ubuff, *pubuff;
367 unsigned int i, j, k, l, m;
368 size_t len;
369 int ret = 0;
370
371 i = strlen(s);
372 l = strlen(t);
373 if (i != l)
374 return (0);
375 len = i + 1;
376
377 buff = malloc(len);
378 ubuff = malloc(len);
379 pubuff = malloc(len);
380
381 if (buff == NULL || ubuff == NULL || pubuff == NULL) {
382 syslog(LOG_ERR, "pam_authtok_check: out of memory.");
383 return (-1);
384 }
385
386 m = 2;
387 o = &ubuff[0];
388 for (p = s; c = *p++; *o++ = c)
389 if (islower(c))
390 c = toupper(c);
391 *o = '\0';
392 o = &pubuff[0];
393 for (p = t; c = *p++; *o++ = c)
394 if (islower(c))
395 c = toupper(c);
396
397 *o = '\0';
398
399 p = &ubuff[0];
400 while (m--) {
401 for (k = 0; k < i; k++) {
402 c = *p++;
403 o = p;
404 l = i;
405 r = &buff[0];
406 while (--l)
407 *r++ = *o++;
408 *r++ = c;
409 *r = '\0';
410 p = &buff[0];
411 if (strcmp(p, pubuff) == 0) {
412 ret = 1;
413 goto out;
414 }
415 }
416 p = p + i;
417 r = &ubuff[0];
418 j = i;
419 while (j--)
420 *--p = *r++; /* reverse test-string for m==0 pass */
421 }
422 out:
423 (void) memset(buff, 0, len);
424 (void) memset(ubuff, 0, len);
425 (void) memset(pubuff, 0, len);
426 free(buff);
427 free(ubuff);
428 free(pubuff);
429 return (ret);
430 }
431
432
433 /*
434 * count the different character classes present in the password.
435 */
436 int
check_composition(char * pw,struct pwdefaults * pwdef,pam_handle_t * pamh,int flags)437 check_composition(char *pw, struct pwdefaults *pwdef, pam_handle_t *pamh,
438 int flags)
439 {
440 uint_t alpha_cnt = 0;
441 uint_t upper_cnt = 0;
442 uint_t lower_cnt = 0;
443 uint_t special_cnt = 0;
444 uint_t whitespace_cnt = 0;
445 uint_t digit_cnt = 0;
446 uint_t maxrepeat = 0;
447 uint_t repeat = 1;
448 int ret = 0;
449 char *progname;
450 char errmsg[256];
451 char lastc = '\0';
452 uint_t significant = pwdef->maxlength;
453 char *w;
454
455 (void) pam_get_item(pamh, PAM_SERVICE, (void **)&progname);
456
457 /* go over the password gathering statistics */
458 for (w = pw; significant != 0 && *w != '\0'; w++, significant--) {
459 if (isalpha(*w)) {
460 alpha_cnt++;
461 if (isupper(*w)) {
462 upper_cnt++;
463 } else {
464 lower_cnt++;
465 }
466 } else if (isspace(*w))
467 whitespace_cnt++;
468 else if (isdigit(*w))
469 digit_cnt++;
470 else
471 special_cnt++;
472 if (*w == lastc) {
473 if (++repeat > maxrepeat)
474 maxrepeat = repeat;
475 } else {
476 repeat = 1;
477 }
478 lastc = *w;
479 }
480
481 /*
482 * If we only consider part of the password (the first maxlength
483 * characters) we give a modified error message. Otherwise, a
484 * user entering FooBar1234 with PASSLENGTH=6, MINDIGIT=4, while
485 * we're using the default UNIX crypt (8 chars significant),
486 * would not understand what's going on when they're told that
487 * "The password should contain at least 4 digits"...
488 * Instead, we now tell them
489 * "The first 8 characters of the password should contain at least
490 * 4 digits."
491 */
492 if (pwdef->maxlength < strlen(pw))
493 /*
494 * TRANSLATION_NOTE
495 * - Make sure the % and %% come over intact
496 * - The last %%s will be replaced by strings like
497 * "alphabetic character(s)"
498 * "numeric or special character(s)"
499 * "special character(s)"
500 * "digit(s)"
501 * "uppercase alpha character(s)"
502 * "lowercase alpha character(s)"
503 * So the final string written to the user might become
504 * "passwd: The first 8 characters of the password must contain
505 * at least 4 uppercase alpha characters(s)"
506 */
507 (void) snprintf(errmsg, sizeof (errmsg), dgettext(TEXT_DOMAIN,
508 "%s: The first %d characters of the password must "
509 "contain at least %%d %%s."), progname, pwdef->maxlength);
510 else
511 /*
512 * TRANSLATION_NOTE
513 * - Make sure the % and %% come over intact
514 * - The last %%s will be replaced by strings like
515 * "alphabetic character(s)"
516 * "numeric or special character(s)"
517 * "special character(s)"
518 * "digit(s)"
519 * "uppercase alpha character(s)"
520 * "lowercase alpha character(s)"
521 * So the final string written to the user might become
522 * "passwd: The password must contain at least 4 uppercase
523 * alpha characters(s)"
524 */
525 (void) snprintf(errmsg, sizeof (errmsg), dgettext(TEXT_DOMAIN,
526 "%s: The password must contain at least %%d %%s."),
527 progname);
528
529 /* Check for whitespace first since it influences special counts */
530 if (whitespace_cnt > 0 && pwdef->whitespace == B_FALSE) {
531 error(pamh, flags, dgettext(TEXT_DOMAIN,
532 "%s: Whitespace characters are not allowed."), progname);
533 ret = 1;
534 goto out;
535 }
536
537 /*
538 * Once we get here, whitespace_cnt is either 0, or whitespaces are
539 * to be treated a special characters.
540 */
541
542 if (alpha_cnt < pwdef->minalpha) {
543 error(pamh, flags, errmsg, pwdef->minalpha,
544 dgettext(TEXT_DOMAIN, "alphabetic character(s)"));
545 ret = 1;
546 goto out;
547 }
548
549 if (pwdef->minnonalpha > 0) {
550 /* specials are defined by MINNONALPHA */
551 /* nonalpha = special+whitespace+digit */
552 if ((special_cnt + whitespace_cnt + digit_cnt) <
553 pwdef->minnonalpha) {
554 error(pamh, flags, errmsg, pwdef->minnonalpha,
555 dgettext(TEXT_DOMAIN,
556 "numeric or special character(s)"));
557 ret = 1;
558 goto out;
559 }
560 } else {
561 /* specials are defined by MINSPECIAL and/or MINDIGIT */
562 if ((special_cnt + whitespace_cnt) < pwdef->minspecial) {
563 error(pamh, flags, errmsg, pwdef->minspecial,
564 dgettext(TEXT_DOMAIN, "special character(s)"));
565 ret = 1;
566 goto out;
567 }
568 if (digit_cnt < pwdef->mindigit) {
569 error(pamh, flags, errmsg, pwdef->mindigit,
570 dgettext(TEXT_DOMAIN, "digit(s)"));
571 ret = 1;
572 goto out;
573 }
574 }
575
576 if (upper_cnt < pwdef->minupper) {
577 error(pamh, flags, errmsg, pwdef->minupper,
578 dgettext(TEXT_DOMAIN, "uppercase alpha character(s)"));
579 ret = 1;
580 goto out;
581 }
582 if (lower_cnt < pwdef->minlower) {
583 error(pamh, flags, errmsg, pwdef->minlower,
584 dgettext(TEXT_DOMAIN, "lowercase alpha character(s)"));
585 ret = 1;
586 goto out;
587 }
588
589 if (pwdef->maxrepeat > 0 && maxrepeat > pwdef->maxrepeat) {
590 error(pamh, flags, dgettext(TEXT_DOMAIN,
591 "%s: Too many consecutively repeating characters. "
592 "Maximum allowed is %d."), progname, pwdef->maxrepeat);
593 ret = 1;
594 }
595 out:
596 return (ret);
597 }
598
599 /*
600 * make sure that old and new password differ by at least 'mindiff'
601 * positions. Return 0 if OK, 1 otherwise
602 */
603 int
check_diff(char * pw,char * opw,struct pwdefaults * pwdef,pam_handle_t * pamh,int flags)604 check_diff(char *pw, char *opw, struct pwdefaults *pwdef, pam_handle_t *pamh,
605 int flags)
606 {
607 size_t pwlen, opwlen, max;
608 unsigned int diff; /* difference between old and new */
609
610 if (opw == NULL)
611 opw = "";
612
613 max = pwdef->maxlength;
614 pwlen = MIN(strlen(pw), max);
615 opwlen = MIN(strlen(opw), max);
616
617 if (pwlen > opwlen)
618 diff = pwlen - opwlen;
619 else
620 diff = opwlen - pwlen;
621
622 while (*opw != '\0' && *pw != '\0' && max-- != 0) {
623 if (*opw != *pw)
624 diff++;
625 opw++;
626 pw++;
627 }
628
629 if (diff < pwdef->mindiff) {
630 char *progname;
631
632 (void) pam_get_item(pamh, PAM_SERVICE, (void **)&progname);
633
634 error(pamh, flags, dgettext(TEXT_DOMAIN,
635 "%s: The first %d characters of the old and new passwords "
636 "must differ by at least %d positions."), progname,
637 pwdef->maxlength, pwdef->mindiff);
638 return (1);
639 }
640
641 return (0);
642 }
643
644 /*
645 * check to see if password is in one way or another based on a
646 * dictionary word. Returns 0 if password is OK, 1 if it is based
647 * on a dictionary word and hence should be rejected.
648 */
649 int
check_dictionary(char * pw,struct pwdefaults * pwdef,pam_handle_t * pamh,int flags)650 check_dictionary(char *pw, struct pwdefaults *pwdef, pam_handle_t *pamh,
651 int flags)
652 {
653 int crack_ret;
654 int ret;
655 char *progname;
656
657 (void) pam_get_item(pamh, PAM_SERVICE, (void **)&progname);
658
659 /* dictionary check isn't MT-safe */
660 (void) mutex_lock(&dictlock);
661
662 if (pwdef->dicts &&
663 make_dict_database(pwdef->dicts, pwdef->db_location) != 0) {
664 (void) mutex_unlock(&dictlock);
665 syslog(LOG_ERR, "pam_authtok_check:pam_sm_chauthtok: "
666 "Dictionary database not present.");
667 error(pamh, flags, dgettext(TEXT_DOMAIN,
668 "%s: password dictionary missing."), progname);
669 return (PAM_SYSTEM_ERR);
670 }
671
672 crack_ret = DictCheck(pw, pwdef->db_location);
673
674 (void) mutex_unlock(&dictlock);
675
676 switch (crack_ret) {
677 case DATABASE_OPEN_FAIL:
678 syslog(LOG_ERR, "pam_authtok_check:pam_sm_chauthtok: "
679 "dictionary database open failure: %s", strerror(errno));
680 error(pamh, flags, dgettext(TEXT_DOMAIN,
681 "%s: failed to open dictionary database."), progname);
682 ret = PAM_SYSTEM_ERR;
683 break;
684 case DICTIONARY_WORD:
685 error(pamh, flags, dgettext(TEXT_DOMAIN,
686 "%s: password is based on a dictionary word."), progname);
687 ret = PAM_AUTHTOK_ERR;
688 break;
689 case REVERSE_DICTIONARY_WORD:
690 error(pamh, flags, dgettext(TEXT_DOMAIN,
691 "%s: password is based on a reversed dictionary word."),
692 progname);
693 ret = PAM_AUTHTOK_ERR;
694 break;
695 default:
696 ret = PAM_SUCCESS;
697 break;
698 }
699 return (ret);
700 }
701
702 int
pam_sm_chauthtok(pam_handle_t * pamh,int flags,int argc,const char ** argv)703 pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, const char **argv)
704 {
705 int debug = 0;
706 int retcode = 0;
707 int force_check = 0;
708 int i;
709 size_t pwlen;
710 char *usrname;
711 char *pwbuf, *opwbuf;
712 pwu_repository_t *pwu_rep = PWU_DEFAULT_REP;
713 pam_repository_t *pwd_rep = NULL;
714 struct pwdefaults pwdef;
715 char *progname;
716
717 /* needs to be set before option processing */
718 pwdef.server_policy = B_FALSE;
719
720 for (i = 0; i < argc; i++) {
721 if (strcmp(argv[i], "debug") == 0)
722 debug = 1;
723 if (strcmp(argv[i], "force_check") == 0)
724 force_check = 1;
725 if (strcmp(argv[i], "server_policy") == 0)
726 pwdef.server_policy = B_TRUE;
727 }
728
729 if (debug)
730 syslog(LOG_AUTH | LOG_DEBUG,
731 "pam_authtok_check: pam_sm_chauthok called(%x) "
732 "force_check = %d", flags, force_check);
733
734 if ((flags & PAM_PRELIM_CHECK) == 0)
735 return (PAM_IGNORE);
736
737 (void) pam_get_item(pamh, PAM_SERVICE, (void **)&progname);
738 (void) pam_get_item(pamh, PAM_USER, (void **)&usrname);
739 if (usrname == NULL || *usrname == '\0') {
740 syslog(LOG_ERR, "pam_authtok_check: username name is empty");
741 return (PAM_USER_UNKNOWN);
742 }
743
744 (void) pam_get_item(pamh, PAM_AUTHTOK, (void **)&pwbuf);
745 (void) pam_get_item(pamh, PAM_OLDAUTHTOK, (void **)&opwbuf);
746 if (pwbuf == NULL)
747 return (PAM_AUTHTOK_ERR);
748
749 /* none of these checks holds if caller say so */
750 if ((flags & PAM_NO_AUTHTOK_CHECK) != 0 && force_check == 0)
751 return (PAM_SUCCESS);
752
753 /* read system-defaults */
754 retcode = get_passwd_defaults(pamh, usrname, &pwdef);
755 if (retcode != PAM_SUCCESS)
756 return (retcode);
757
758 if (debug) {
759 syslog(LOG_AUTH | LOG_DEBUG,
760 "pam_authtok_check: MAXLENGTH= %d, server_policy = %s",
761 pwdef.maxlength, pwdef.server_policy ? "true" : "false");
762 syslog(LOG_AUTH | LOG_DEBUG,
763 "pam_authtok_check: PASSLENGTH= %d", pwdef.minlength);
764 syslog(LOG_AUTH | LOG_DEBUG, "pam_authtok_check: NAMECHECK=%s",
765 pwdef.do_namecheck == B_TRUE ? "Yes" : "No");
766 syslog(LOG_AUTH | LOG_DEBUG,
767 "pam_authtok_check: do_dictcheck = %s\n",
768 pwdef.do_dictcheck ? "true" : "false");
769 if (pwdef.do_dictcheck) {
770 syslog(LOG_AUTH | LOG_DEBUG,
771 "pam_authtok_check: DICTIONLIST=%s",
772 (pwdef.dicts != NULL) ? pwdef.dicts : "<not set>");
773 syslog(LOG_AUTH | LOG_DEBUG,
774 "pam_authtok_check: DICTIONDBDIR=%s",
775 pwdef.db_location);
776 }
777 syslog(LOG_AUTH | LOG_DEBUG, "pam_authtok_check: MINDIFF=%d",
778 pwdef.mindiff);
779 syslog(LOG_AUTH | LOG_DEBUG,
780 "pam_authtok_check: MINALPHA=%d, MINNONALPHA=%d",
781 pwdef.minalpha, pwdef.minnonalpha);
782 syslog(LOG_AUTH | LOG_DEBUG,
783 "pam_authtok_check: MINSPECIAL=%d, MINDIGIT=%d",
784 pwdef.minspecial, pwdef.mindigit);
785 syslog(LOG_AUTH | LOG_DEBUG, "pam_authtok_check: WHITESPACE=%s",
786 pwdef.whitespace ? "YES" : "NO");
787 syslog(LOG_AUTH | LOG_DEBUG,
788 "pam_authtok_check: MINUPPER=%d, MINLOWER=%d",
789 pwdef.minupper, pwdef.minlower);
790 syslog(LOG_AUTH | LOG_DEBUG, "pam_authtok_check: MAXREPEATS=%d",
791 pwdef.maxrepeat);
792 }
793
794 /*
795 * If server policy is still true (might be changed from the
796 * value specified in /etc/pam.conf by get_passwd_defaults()),
797 * we return ignore and let the server do all the checks.
798 */
799 if (pwdef.server_policy == B_TRUE) {
800 free_passwd_defaults(&pwdef);
801 return (PAM_IGNORE);
802 }
803
804 /*
805 * XXX: JV: we can't really make any assumption on the length of
806 * the password that will be used by the crypto algorithm.
807 * for UNIX-style encryption, minalpha=5,minnonalpha=5 might
808 * be impossible, but not for MD5 style hashes... what to do?
809 *
810 * since we don't know what alg. will be used, we operate on
811 * the password as entered, so we don't sanity check anything
812 * for now.
813 */
814
815 /*
816 * Make sure new password is long enough
817 */
818 pwlen = strlen(pwbuf);
819
820 if (pwlen < pwdef.minlength) {
821 error(pamh, flags, dgettext(TEXT_DOMAIN,
822 "%s: Password too short - must be at least %d "
823 "characters."), progname, pwdef.minlength);
824 free_passwd_defaults(&pwdef);
825 return (PAM_AUTHTOK_ERR);
826 }
827
828 /* Make sure the password doesn't equal--a shift of--the username */
829 if (pwdef.do_namecheck) {
830 switch (check_circular(usrname, pwbuf)) {
831 case 1:
832 error(pamh, flags, dgettext(TEXT_DOMAIN,
833 "%s: Password cannot be circular shift of "
834 "logonid."), progname);
835 free_passwd_defaults(&pwdef);
836 return (PAM_AUTHTOK_ERR);
837 case -1:
838 free_passwd_defaults(&pwdef);
839 return (PAM_BUF_ERR);
840 default:
841 break;
842 }
843 }
844
845 /* Check if new password is in history list. */
846 (void) pam_get_item(pamh, PAM_REPOSITORY, (void **)&pwd_rep);
847 if (pwd_rep != NULL) {
848 if ((pwu_rep = calloc(1, sizeof (*pwu_rep))) == NULL)
849 return (PAM_BUF_ERR);
850 pwu_rep->type = pwd_rep->type;
851 pwu_rep->scope = pwd_rep->scope;
852 pwu_rep->scope_len = pwd_rep->scope_len;
853 }
854
855 if (__check_history(usrname, pwbuf, pwu_rep) == PWU_SUCCESS) {
856 /* password found in history */
857 error(pamh, flags, dgettext(TEXT_DOMAIN,
858 "%s: Password in history list."), progname);
859 if (pwu_rep != PWU_DEFAULT_REP)
860 free(pwu_rep);
861 free_passwd_defaults(&pwdef);
862 return (PAM_AUTHTOK_ERR);
863 }
864
865 if (pwu_rep != PWU_DEFAULT_REP)
866 free(pwu_rep);
867
868 /* check MINALPHA, MINLOWER, etc. */
869 if (check_composition(pwbuf, &pwdef, pamh, flags) != 0) {
870 free_passwd_defaults(&pwdef);
871 return (PAM_AUTHTOK_ERR);
872 }
873
874 /* make sure the old and new password are not too much alike */
875 if (check_diff(pwbuf, opwbuf, &pwdef, pamh, flags) != 0) {
876 free_passwd_defaults(&pwdef);
877 return (PAM_AUTHTOK_ERR);
878 }
879
880 /* dictionary check */
881 if (pwdef.do_dictcheck) {
882 retcode = check_dictionary(pwbuf, &pwdef, pamh, flags);
883 if (retcode != PAM_SUCCESS) {
884 free_passwd_defaults(&pwdef);
885 return (retcode);
886 }
887 }
888
889 free_passwd_defaults(&pwdef);
890 /* password has passed all tests: it's strong enough */
891 return (PAM_SUCCESS);
892 }
893