/*
 * CDDL HEADER START
 *
 * The contents of this file are subject to the terms of the
 * Common Development and Distribution License (the "License").
 * You may not use this file except in compliance with the License.
 *
 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
 * or http://www.opensolaris.org/os/licensing.
 * See the License for the specific language governing permissions
 * and limitations under the License.
 *
 * When distributing Covered Code, include this CDDL HEADER in each
 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
 * If applicable, add the following below this CDDL HEADER, with the
 * fields enclosed by brackets "[]" replaced with your own identifying
 * information: Portions Copyright [yyyy] [name of copyright owner]
 *
 * CDDL HEADER END
 */
/*
 * Copyright 2008 Sun Microsystems, Inc.  All rights reserved.
 * Use is subject to license terms.
 */
257c478bd9Sstevel@tonic-gate 
267c478bd9Sstevel@tonic-gate #include <sys/varargs.h>
277c478bd9Sstevel@tonic-gate #include <string.h>
287c478bd9Sstevel@tonic-gate #include <stdlib.h>
297c478bd9Sstevel@tonic-gate #include <syslog.h>
307c478bd9Sstevel@tonic-gate 
317c478bd9Sstevel@tonic-gate #include <security/pam_appl.h>
327c478bd9Sstevel@tonic-gate #include <security/pam_modules.h>
337c478bd9Sstevel@tonic-gate #include <security/pam_impl.h>
347c478bd9Sstevel@tonic-gate 
357c478bd9Sstevel@tonic-gate #include <sys/note.h>
367c478bd9Sstevel@tonic-gate 
377c478bd9Sstevel@tonic-gate #include <libintl.h>
387c478bd9Sstevel@tonic-gate 
397c478bd9Sstevel@tonic-gate #include <passwdutil.h>
407c478bd9Sstevel@tonic-gate 
/*PRINTFLIKE2*/
/*
 * error - hand a single formatted PAM_ERROR_MSG to the application's
 * conversation function.
 *
 * pamh: PAM handle whose conversation function receives the message.
 * fmt:  printf-style format; the trailing arguments are its operands.
 *
 * The rendered text is bounded by PAM_MAX_MSG_SIZE (vsnprintf truncates
 * silently).  The result of __pam_display_msg is not checked: the callers
 * in this file set an error status right after calling us anyway.
 */
void
error(pam_handle_t *pamh, char *fmt, ...)
{
	char messages[PAM_MAX_NUM_MSG][PAM_MAX_MSG_SIZE];
	char *text = messages[0];
	va_list args;

	va_start(args, fmt);
	(void) vsnprintf(text, sizeof (messages[0]), fmt, args);
	va_end(args);

	/* Exactly one message is passed; no responses are collected. */
	(void) __pam_display_msg(pamh, PAM_ERROR_MSG, 1, messages, NULL);
}
537c478bd9Sstevel@tonic-gate 
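/*
 * read_authtok - the PAM_PRELIM_CHECK half of pam_sm_chauthtok.
 *
 * Prompts for the new password and leaves it in PAM_AUTHTOK for the
 * modules stacked after this one.  Before prompting, the token the user
 * authenticated with (PAM_AUTHTOK) is moved to PAM_OLDAUTHTOK unless
 * OLDAUTHTOK is already populated.
 *
 * pamh:  PAM handle.
 * debug: non-zero emits LOG_DEBUG diagnostics through __pam_log.
 *
 * Returns PAM_IGNORE when a token was read (this module does no checking
 * of its own, so it never claims PAM_SUCCESS), PAM_PERM_DENIED when the
 * user supplied no token, or the error of the framework call that failed.
 * On every failure both PAM_AUTHTOK and PAM_OLDAUTHTOK are cleared so no
 * half-set token is left behind for later modules.
 */
int
read_authtok(pam_handle_t *pamh, int debug)
{
	int res;
	char *authtok;
	char *pwd;

	/*
	 * We are about to read the new AUTHTOK. Store the AUTHTOK that
	 * the user used to authenticate in OLDAUTHTOK, so it is available
	 * to future modules. If OLDAUTHTOK is already set, we leave it alone
	 */

	res = pam_get_item(pamh, PAM_OLDAUTHTOK, (void **)&authtok);
	if (res != PAM_SUCCESS)
		return (res);

	if (authtok == NULL) {
		res = pam_get_item(pamh, PAM_AUTHTOK, (void **)&authtok);
		if (res != PAM_SUCCESS)
			return (res);
		if (authtok != NULL) {
			/*
			 * pam_set_item() is relied upon to keep its own
			 * copy of the token; once it has, the AUTHTOK item
			 * can be released.  `authtok' must not be touched
			 * after the second call.
			 */
			res = pam_set_item(pamh, PAM_OLDAUTHTOK,
			    (void *)authtok);
			if (res == PAM_SUCCESS)
				res = pam_set_item(pamh, PAM_AUTHTOK, NULL);

			/*
			 * Report the outcome rather than the intent, so a
			 * failed pam_set_item() is never logged as a copy.
			 */
			if (debug) {
				if (res == PAM_SUCCESS)
					__pam_log(LOG_AUTH | LOG_DEBUG,
					    "read_authtok: Copied AUTHTOK to "
					    "OLDAUTHTOK");
				else
					__pam_log(LOG_AUTH | LOG_DEBUG,
					    "read_authtok: copying AUTHTOK to "
					    "OLDAUTHTOK failed: %s",
					    pam_strerror(pamh, res));
			}

			if (res != PAM_SUCCESS)
				goto out;
		}
	} else {
		/*
		 * OLDAUTHTOK was filled in. If AUTHTOK is also filled
		 * in, we either succeed a module that has done our
		 * work, or we're here because one of the modules
		 * that are stacked beyond us has returned PAM_TRY_AGAIN.
		 * In either case, we should *not* prompt for another
		 * password.
		 */
		res = pam_get_item(pamh, PAM_AUTHTOK, (void **)&pwd);
		if (res != PAM_SUCCESS)
			goto out;
		if (pwd != NULL) {
			goto out;
		}
	}

	/*
	 * Make sure PAM_AUTHTOK is empty, or the framework will not
	 * put the value read by __pam_get_authtok into it
	 */
	(void) pam_set_item(pamh, PAM_AUTHTOK, NULL);

	res = __pam_get_authtok(pamh, PAM_PROMPT, PAM_AUTHTOK,
	    dgettext(TEXT_DOMAIN, "New Password: "), &pwd);

	if (res != PAM_SUCCESS)
		goto out;

	if (pwd == NULL) {
		/*
		 * The conversation returned no token at all.  The message
		 * says no more than that the request is refused.
		 */
		char *service;
		if ((pam_get_item(pamh, PAM_SERVICE, (void **)&service) ==
		    PAM_SUCCESS) && service != NULL) {
			error(pamh, dgettext(TEXT_DOMAIN, "%s: Sorry."),
			    service);
		}
		res = PAM_PERM_DENIED;
	} else {
		/*
		 * The framework keeps the token in PAM_AUTHTOK; this is
		 * only our transient duplicate.  A plain memset() right
		 * before free() may be elided by the optimizer -- prefer
		 * explicit_bzero() or an equivalent where the platform
		 * provides one.
		 */
		(void) memset(pwd, 0, strlen(pwd));
		free(pwd);
	}
out:
	if (res != PAM_SUCCESS) {
		/* Leave no partially-established token behind. */
		(void) pam_set_item(pamh, PAM_AUTHTOK, NULL);
		(void) pam_set_item(pamh, PAM_OLDAUTHTOK, NULL);
	} else {
		/*
		 * Since we don't actually check the password, we should
		 * not return PAM_SUCCESS if everything went OK.
		 * We should return PAM_IGNORE instead.
		 */
		res = PAM_IGNORE;
	}

	return (res);
}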
1457c478bd9Sstevel@tonic-gate 
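/*
 * verify_authtok - the second (PAM_UPDATE_AUTHTOK) half of
 * pam_sm_chauthtok.
 *
 * Asks the user to re-enter the new password and compares it with the
 * token read_authtok() left in PAM_AUTHTOK.
 *
 * pamh:  PAM handle.
 * debug: non-zero emits LOG_DEBUG diagnostics through __pam_log.
 *
 * Returns PAM_IGNORE when both entries match (nothing about the password
 * itself is checked here), PAM_AUTHTOK_ERR when PAM_AUTHTOK is missing or
 * when the re-entry is absent or differs (PAM_AUTHTOK is cleared in that
 * case), or the error reported by __pam_get_authtok.
 */
int
verify_authtok(pam_handle_t *pamh, int debug)
{
	int res;
	char *authtok;
	char *pwd;

	if (debug)
		__pam_log(LOG_AUTH | LOG_DEBUG,
		    "pam_authtok_get: verifying authtok");

	/*
	 * All we need to do, is make sure that the user re-enters
	 * the password correctly.
	 */

	res = pam_get_item(pamh, PAM_AUTHTOK, (void **)&authtok);
	if (res != PAM_SUCCESS || authtok == NULL)
		return (PAM_AUTHTOK_ERR);

	/*
	 * Item type 0: presumably the re-entry is only handed back to us
	 * and not stored in any item (read_authtok passes PAM_AUTHTOK
	 * instead) -- confirm against __pam_get_authtok.
	 */
	res = __pam_get_authtok(pamh, PAM_PROMPT, 0, dgettext(TEXT_DOMAIN,
	    "Re-enter new Password: "), &pwd);

	if (res != PAM_SUCCESS)
		return (res);

	/*
	 * The conversation may succeed yet return no token at all (the
	 * other __pam_get_authtok callers in this file check for that).
	 * Treat it as a mismatch rather than passing NULL to strcmp().
	 */
	if (pwd == NULL || strcmp(authtok, pwd) != 0) {
		char *service;

		if ((pam_get_item(pamh, PAM_SERVICE, (void **)&service) ==
		    PAM_SUCCESS) && service != NULL) {
			error(pamh, dgettext(TEXT_DOMAIN,
			    "%s: They don't match."), service);
		}
		/* Presumably releases the stored token; do not use
		 * `authtok' after this point. */
		(void) pam_set_item(pamh, PAM_AUTHTOK, NULL);
		if (pwd != NULL) {
			(void) memset(pwd, 0, strlen(pwd));
			free(pwd);
		}
		return (PAM_AUTHTOK_ERR);
	}

	if (debug)
		__pam_log(LOG_AUTH | LOG_DEBUG,
		    "pam_authtok_get: new password verified");

	/*
	 * Only our duplicate is wiped; PAM_AUTHTOK keeps the token for the
	 * modules that follow.  A plain memset() right before free() may
	 * be elided by the optimizer -- prefer explicit_bzero() or an
	 * equivalent where the platform provides one.
	 */
	(void) memset(pwd, 0, strlen(pwd));
	free(pwd);
	return (PAM_IGNORE);
}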
1947c478bd9Sstevel@tonic-gate 
/*
 * pam_sm_chauthtok - password-change entry point.
 *
 * The framework calls it twice: with PAM_PRELIM_CHECK set the new token
 * is read (read_authtok), otherwise it is requested again and compared
 * (verify_authtok).  The result of the chosen half is returned as is.
 *
 * Only the "debug" module option is recognised; any other argv entry is
 * ignored.
 */
int
pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, const char **argv)
{
	int debug = 0;
	int idx = 0;

	while (idx < argc) {
		if (strcmp(argv[idx], "debug") == 0)
			debug = 1;
		idx++;
	}

	if ((flags & PAM_PRELIM_CHECK) == PAM_PRELIM_CHECK)
		return (read_authtok(pamh, debug));

	return (verify_authtok(pamh, debug));
}
2137c478bd9Sstevel@tonic-gate 
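/*
 * int pam_sm_authenticate(pamh, flags, argc, argv)
 *
 * Read authentication token from user.
 *
 * If PAM_AUTHTOK is already set nothing is asked and PAM_IGNORE is
 * returned.  Otherwise the account's stored password attribute is looked
 * up: an empty one is accepted (PAM_IGNORE) unless the caller passed
 * PAM_DISALLOW_NULL_AUTHTOK, in which case the user is still prompted
 * (so the refusal looks like any other failed login) and PAM_AUTH_ERR is
 * returned.  The token obtained from the conversation is stored in
 * PAM_AUTHTOK for the modules stacked after this one.
 *
 * Only the "debug" module option is recognised.
 */
int
pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv)
{

	char	*user;
	char	*password;
	int	i;
	int	debug = 0;
	int	res;
	int	fail = 0;
	int	empty_pw;

	attrlist al[1];
	pam_repository_t *auth_rep = NULL;
	pwu_repository_t *pwu_rep  = NULL;

	for (i = 0; i < argc; i++)
		if (strcmp(argv[i], "debug") == 0)
			debug = 1;

	if (debug)
		__pam_log(LOG_AUTH | LOG_DEBUG,
		    "pam_authtok_get:pam_sm_authenticate: flags = %d", flags);

	if ((res = pam_get_user(pamh, &user, NULL)) != PAM_SUCCESS) {
		if (debug)
			__pam_log(LOG_AUTH | LOG_DEBUG,
			    "pam_authtok_get: get user failed: %s",
			    pam_strerror(pamh, res));
		return (res);
	}

	if (user == NULL || *user == '\0') {
		__pam_log(LOG_AUTH | LOG_ERR,
		    "pam_authtok_get: pam_sm_authenticate: PAM_USER NULL or "
		    "empty");
		return (PAM_SYSTEM_ERR);
	}

	res = pam_get_item(pamh, PAM_AUTHTOK, (void **)&password);
	if (res != PAM_SUCCESS)
		return (res);

	/* A module earlier in the stack already collected a token. */
	if (password != NULL)
		return (PAM_IGNORE);

	/*
	 * No password has been entered yet. Check to see if we need
	 * to obtain a password
	 */

	res = pam_get_item(pamh, PAM_REPOSITORY, (void **)&auth_rep);
	if (res != PAM_SUCCESS) {
		__pam_log(LOG_AUTH | LOG_ERR,
		    "pam_authtok_get: error getting repository");
		return (PAM_SYSTEM_ERR);
	}

	if (auth_rep == NULL) {
		pwu_rep = PWU_DEFAULT_REP;
	} else {
		/*
		 * Shallow copy: `scope' still points into the PAM item,
		 * which outlives this call; only the wrapper is ours.
		 */
		if ((pwu_rep = calloc(1, sizeof (*pwu_rep))) == NULL)
			return (PAM_BUF_ERR);
		pwu_rep->type = auth_rep->type;
		pwu_rep->scope = auth_rep->scope;
		pwu_rep->scope_len = auth_rep->scope_len;
	}

	(void) memset(&al, 0, sizeof (al));
	al[0].type = ATTR_PASSWD;
	al[0].next = NULL;

	res = __get_authtoken_attr(user, pwu_rep, al);

	if (pwu_rep != PWU_DEFAULT_REP)
		free(pwu_rep);

	/*
	 * Decide on the stored attribute first, then wipe and release it
	 * on every path -- including the PAM_IGNORE return below, which
	 * must not leak the buffer.  Plain memset() before free() may be
	 * elided by the optimizer; prefer explicit_bzero() or an
	 * equivalent where the platform provides one.
	 */
	empty_pw = (res == PWU_SUCCESS &&
	    (al[0].data.val_s == NULL || al[0].data.val_s[0] == '\0'));
	if (al[0].data.val_s != NULL) {
		(void) memset(al[0].data.val_s, 0, strlen(al[0].data.val_s));
		free(al[0].data.val_s);
		al[0].data.val_s = NULL;
	}

	if (empty_pw) {
		char *service = NULL;
		char *rhost = NULL;

		/*
		 * if PAM_DIASALLOW_NULL_AUTHTOK has not been set, we
		 * simply return IGNORE
		 */
		if ((flags & PAM_DISALLOW_NULL_AUTHTOK) == 0)
			return (PAM_IGNORE);

		/*
		 * NULL authtoks are not allowed, so we need to fail.
		 * We will ask for a password to mask the failure however.
		 */
		(void) pam_get_item(pamh, PAM_RHOST, (void **)&rhost);
		(void) pam_get_item(pamh, PAM_SERVICE, (void **)&service);
		if (service == NULL)
			service = "unknown";
		if (rhost == NULL || *rhost == '\0')
			rhost = "localhost";
		__pam_log(LOG_AUTH | LOG_NOTICE,
		    "pam_authtok_get: %s: empty password not allowed for "
		    "%s from %s.", service, user, rhost);
		fail = 1;
	}

	/*
	 * The prompt is issued even when the attribute lookup failed, so
	 * the conversation looks the same whether or not the account was
	 * found (presumably deliberate, like the masking above).
	 */
	res = __pam_get_authtok(pamh, PAM_PROMPT, PAM_AUTHTOK,
	    dgettext(TEXT_DOMAIN, "Password: "), &password);
	if (res != PAM_SUCCESS)
		return (res);

	if (password != NULL) {
		(void) pam_set_item(pamh, PAM_AUTHTOK, (void *)password);
		/* Only our duplicate is wiped; the item keeps the token. */
		(void) memset(password, 0, strlen(password));
		free(password);
	} else if (debug) {
		__pam_log(LOG_AUTH | LOG_DEBUG,
		    "pam_authtok_get: pam_sm_authenticate: "
		    "got NULL password from get_authtok()");
	}

	if (fail) {
		__pam_log(LOG_AUTH | LOG_DEBUG,
		    "pam_authtok_get:pam_sm_authenticate: "
		    "failing because NULL authtok not allowed");
		return (PAM_AUTH_ERR);
	} else
		return (PAM_IGNORE);
}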
3507c478bd9Sstevel@tonic-gate 
/*ARGSUSED*/
/*
 * pam_sm_setcred - credential entry point.
 *
 * This module only collects tokens and has no credentials to establish,
 * so every call, whatever flags or options are passed, is a no-op that
 * lets the rest of the stack decide.
 */
int
pam_sm_setcred(pam_handle_t *pamh, int flags, int argc, const char **argv)
{
	const int rc = PAM_IGNORE;

	(void) pamh;
	(void) flags;
	(void) argc;
	(void) argv;

	return (rc);
}
357