17c478bd9Sstevel@tonic-gate /*
27c478bd9Sstevel@tonic-gate * CDDL HEADER START
37c478bd9Sstevel@tonic-gate *
47c478bd9Sstevel@tonic-gate * The contents of this file are subject to the terms of the
566e150d7SJohn Sonnenschein * Common Development and Distribution License (the "License").
666e150d7SJohn Sonnenschein * You may not use this file except in compliance with the License.
77c478bd9Sstevel@tonic-gate *
87c478bd9Sstevel@tonic-gate * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
97c478bd9Sstevel@tonic-gate * or http://www.opensolaris.org/os/licensing.
107c478bd9Sstevel@tonic-gate * See the License for the specific language governing permissions
117c478bd9Sstevel@tonic-gate * and limitations under the License.
127c478bd9Sstevel@tonic-gate *
137c478bd9Sstevel@tonic-gate * When distributing Covered Code, include this CDDL HEADER in each
147c478bd9Sstevel@tonic-gate * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
157c478bd9Sstevel@tonic-gate * If applicable, add the following below this CDDL HEADER, with the
167c478bd9Sstevel@tonic-gate * fields enclosed by brackets "[]" replaced with your own identifying
177c478bd9Sstevel@tonic-gate * information: Portions Copyright [yyyy] [name of copyright owner]
187c478bd9Sstevel@tonic-gate *
197c478bd9Sstevel@tonic-gate * CDDL HEADER END
207c478bd9Sstevel@tonic-gate */
217c478bd9Sstevel@tonic-gate /*
22b9175c69SKenjiro Tsuji * Copyright 2009 Sun Microsystems, Inc. All rights reserved.
237c478bd9Sstevel@tonic-gate * Use is subject to license terms.
24*48bbca81SDaniel Hoffman * Copyright (c) 2016 by Delphix. All rights reserved.
257c478bd9Sstevel@tonic-gate */
267c478bd9Sstevel@tonic-gate
277c478bd9Sstevel@tonic-gate
287c478bd9Sstevel@tonic-gate #include <sys/types.h>
297c478bd9Sstevel@tonic-gate #include <sys/wait.h>
307c478bd9Sstevel@tonic-gate #include <sys/stat.h>
317c478bd9Sstevel@tonic-gate #include <fcntl.h>
327c478bd9Sstevel@tonic-gate #include <stdlib.h>
337c478bd9Sstevel@tonic-gate #include <security/pam_appl.h>
347c478bd9Sstevel@tonic-gate #include <security/pam_modules.h>
357c478bd9Sstevel@tonic-gate #include <security/pam_impl.h>
367c478bd9Sstevel@tonic-gate #include <syslog.h>
377c478bd9Sstevel@tonic-gate #include <pwd.h>
387c478bd9Sstevel@tonic-gate #include <shadow.h>
397c478bd9Sstevel@tonic-gate #include <lastlog.h>
407c478bd9Sstevel@tonic-gate #include <ctype.h>
417c478bd9Sstevel@tonic-gate #include <unistd.h>
427c478bd9Sstevel@tonic-gate #include <stdlib.h>
437c478bd9Sstevel@tonic-gate #include <stdio.h>
447c478bd9Sstevel@tonic-gate #include <libintl.h>
457c478bd9Sstevel@tonic-gate #include <signal.h>
467c478bd9Sstevel@tonic-gate #include <thread.h>
477c478bd9Sstevel@tonic-gate #include <synch.h>
487c478bd9Sstevel@tonic-gate #include <errno.h>
497c478bd9Sstevel@tonic-gate #include <time.h>
507c478bd9Sstevel@tonic-gate #include <string.h>
517c478bd9Sstevel@tonic-gate #include <crypt.h>
527c478bd9Sstevel@tonic-gate #include <assert.h>
537c478bd9Sstevel@tonic-gate #include <deflt.h>
547c478bd9Sstevel@tonic-gate #include <libintl.h>
557c478bd9Sstevel@tonic-gate #include <passwdutil.h>
567c478bd9Sstevel@tonic-gate
572de0a7d6SDan McDonald #define LASTLOG "/var/adm/lastlog"
587c478bd9Sstevel@tonic-gate #define LOGINADMIN "/etc/default/login"
597c478bd9Sstevel@tonic-gate #define UNIX_AUTH_DATA "SUNW-UNIX-AUTH-DATA"
607c478bd9Sstevel@tonic-gate #define UNIX_AUTHTOK_DATA "SUNW-UNIX-AUTHTOK-DATA"
617c478bd9Sstevel@tonic-gate
627c478bd9Sstevel@tonic-gate /*
637c478bd9Sstevel@tonic-gate * Function Declarations
647c478bd9Sstevel@tonic-gate */
657c478bd9Sstevel@tonic-gate extern void setusershell();
667c478bd9Sstevel@tonic-gate extern int _nfssys(int, void *);
677c478bd9Sstevel@tonic-gate
687c478bd9Sstevel@tonic-gate typedef struct _unix_authtok_data_ {
697c478bd9Sstevel@tonic-gate int age_status;
707c478bd9Sstevel@tonic-gate }unix_authtok_data;
717c478bd9Sstevel@tonic-gate
727c478bd9Sstevel@tonic-gate /*ARGSUSED*/
737c478bd9Sstevel@tonic-gate static void
unix_cleanup(pam_handle_t * pamh,void * data,int pam_status)747c478bd9Sstevel@tonic-gate unix_cleanup(
757c478bd9Sstevel@tonic-gate pam_handle_t *pamh,
767c478bd9Sstevel@tonic-gate void *data,
777c478bd9Sstevel@tonic-gate int pam_status)
787c478bd9Sstevel@tonic-gate {
797c478bd9Sstevel@tonic-gate free((unix_authtok_data *)data);
807c478bd9Sstevel@tonic-gate }
817c478bd9Sstevel@tonic-gate
827c478bd9Sstevel@tonic-gate /*
837c478bd9Sstevel@tonic-gate * check_for_login_inactivity - Check for login inactivity
847c478bd9Sstevel@tonic-gate *
857c478bd9Sstevel@tonic-gate */
867c478bd9Sstevel@tonic-gate
877c478bd9Sstevel@tonic-gate static int
check_for_login_inactivity(uid_t pw_uid,struct spwd * shpwd)887c478bd9Sstevel@tonic-gate check_for_login_inactivity(
897c478bd9Sstevel@tonic-gate uid_t pw_uid,
907c478bd9Sstevel@tonic-gate struct spwd *shpwd)
917c478bd9Sstevel@tonic-gate {
927c478bd9Sstevel@tonic-gate int fdl;
932de0a7d6SDan McDonald struct lastlog ll;
947c478bd9Sstevel@tonic-gate int retval;
957c478bd9Sstevel@tonic-gate offset_t offset;
967c478bd9Sstevel@tonic-gate
972de0a7d6SDan McDonald offset = (offset_t)pw_uid * (offset_t)sizeof (struct lastlog);
987c478bd9Sstevel@tonic-gate
992de0a7d6SDan McDonald if ((fdl = open(LASTLOG, O_RDWR|O_CREAT, 0444)) >= 0) {
1007c478bd9Sstevel@tonic-gate /*
1017c478bd9Sstevel@tonic-gate * Read the last login (ll) time
1027c478bd9Sstevel@tonic-gate */
1037c478bd9Sstevel@tonic-gate if (llseek(fdl, offset, SEEK_SET) != offset) {
10457c40785SJoep Vesseur __pam_log(LOG_AUTH | LOG_ERR,
10557c40785SJoep Vesseur "pam_unix_acct: pam_sm_acct_mgmt: "
1067c478bd9Sstevel@tonic-gate "can't obtain last login info on uid %d "
1077c478bd9Sstevel@tonic-gate "(uid too large)", pw_uid);
1089893142cSJoep Vesseur (void) close(fdl);
1097c478bd9Sstevel@tonic-gate return (0);
1107c478bd9Sstevel@tonic-gate }
1117c478bd9Sstevel@tonic-gate
1127c478bd9Sstevel@tonic-gate retval = read(fdl, (char *)&ll, sizeof (ll));
1137c478bd9Sstevel@tonic-gate
1142de0a7d6SDan McDonald /* Check for login inactivity */
1157c478bd9Sstevel@tonic-gate
1162de0a7d6SDan McDonald if ((shpwd->sp_inact > 0) && (retval == sizeof (ll)) &&
1172de0a7d6SDan McDonald ll.ll_time) {
1187c478bd9Sstevel@tonic-gate /*
1192de0a7d6SDan McDonald * account inactive too long.
1202de0a7d6SDan McDonald * and no update password set
1212de0a7d6SDan McDonald * and no last pwd change date in shadow file
1222de0a7d6SDan McDonald * and last pwd change more than inactive time
1232de0a7d6SDan McDonald * then account inactive too long and no access.
1247c478bd9Sstevel@tonic-gate */
1252de0a7d6SDan McDonald if (((time_t)((ll.ll_time / DAY) + shpwd->sp_inact)
1262de0a7d6SDan McDonald < DAY_NOW) &&
1272de0a7d6SDan McDonald (shpwd->sp_lstchg != 0) &&
1282de0a7d6SDan McDonald (shpwd->sp_lstchg != -1) &&
1292de0a7d6SDan McDonald ((shpwd->sp_lstchg + shpwd->sp_inact) < DAY_NOW)) {
1302de0a7d6SDan McDonald /*
1312de0a7d6SDan McDonald * Account inactive for too long
1322de0a7d6SDan McDonald */
1332de0a7d6SDan McDonald (void) close(fdl);
1342de0a7d6SDan McDonald return (1);
1352de0a7d6SDan McDonald }
1367c478bd9Sstevel@tonic-gate }
1372de0a7d6SDan McDonald
1382de0a7d6SDan McDonald (void) close(fdl);
1397c478bd9Sstevel@tonic-gate }
1407c478bd9Sstevel@tonic-gate return (0);
1417c478bd9Sstevel@tonic-gate }
1427c478bd9Sstevel@tonic-gate
1437c478bd9Sstevel@tonic-gate /*
1447c478bd9Sstevel@tonic-gate * new_password_check()
1457c478bd9Sstevel@tonic-gate *
1467c478bd9Sstevel@tonic-gate * check to see if the user needs to change their password
1477c478bd9Sstevel@tonic-gate */
1487c478bd9Sstevel@tonic-gate
1497c478bd9Sstevel@tonic-gate static int
new_password_check(shpwd,flags)15057c40785SJoep Vesseur new_password_check(shpwd, flags)
1517c478bd9Sstevel@tonic-gate struct spwd *shpwd;
1527c478bd9Sstevel@tonic-gate int flags;
1537c478bd9Sstevel@tonic-gate {
1547c478bd9Sstevel@tonic-gate time_t now = DAY_NOW;
1557c478bd9Sstevel@tonic-gate
1567c478bd9Sstevel@tonic-gate /*
1577c478bd9Sstevel@tonic-gate * We want to make sure that we change the password only if
1587c478bd9Sstevel@tonic-gate * passwords are required for the system, the user does not
1597c478bd9Sstevel@tonic-gate * have a password, AND the user's NULL password can be changed
1607c478bd9Sstevel@tonic-gate * according to its password aging information
1617c478bd9Sstevel@tonic-gate */
1627c478bd9Sstevel@tonic-gate
1637c478bd9Sstevel@tonic-gate if ((flags & PAM_DISALLOW_NULL_AUTHTOK) != 0) {
1647c478bd9Sstevel@tonic-gate if (shpwd->sp_pwdp[0] == '\0') {
16557c40785SJoep Vesseur if (((shpwd->sp_max == -1) ||
1667c478bd9Sstevel@tonic-gate ((time_t)shpwd->sp_lstchg > now) ||
1677c478bd9Sstevel@tonic-gate ((now >= (time_t)(shpwd->sp_lstchg +
1687c478bd9Sstevel@tonic-gate shpwd->sp_min)) &&
1697c478bd9Sstevel@tonic-gate (shpwd->sp_max >= shpwd->sp_min)))) {
1707c478bd9Sstevel@tonic-gate return (PAM_NEW_AUTHTOK_REQD);
1717c478bd9Sstevel@tonic-gate }
1727c478bd9Sstevel@tonic-gate }
1737c478bd9Sstevel@tonic-gate }
1747c478bd9Sstevel@tonic-gate return (PAM_SUCCESS);
1757c478bd9Sstevel@tonic-gate }
1767c478bd9Sstevel@tonic-gate
1777c478bd9Sstevel@tonic-gate /*
1787c478bd9Sstevel@tonic-gate * perform_passwd_aging_check
1797c478bd9Sstevel@tonic-gate * - Check for password exipration.
1807c478bd9Sstevel@tonic-gate */
1817c478bd9Sstevel@tonic-gate static int
perform_passwd_aging_check(pam_handle_t * pamh,struct spwd * shpwd,int flags)1827c478bd9Sstevel@tonic-gate perform_passwd_aging_check(
1837c478bd9Sstevel@tonic-gate pam_handle_t *pamh,
1847c478bd9Sstevel@tonic-gate struct spwd *shpwd,
1857c478bd9Sstevel@tonic-gate int flags)
1867c478bd9Sstevel@tonic-gate {
1877c478bd9Sstevel@tonic-gate time_t now = DAY_NOW;
1887c478bd9Sstevel@tonic-gate int idledays = -1;
1897c478bd9Sstevel@tonic-gate char *ptr;
1907c478bd9Sstevel@tonic-gate char messages[PAM_MAX_NUM_MSG][PAM_MAX_MSG_SIZE];
191b9175c69SKenjiro Tsuji void *defp;
1927c478bd9Sstevel@tonic-gate
1937c478bd9Sstevel@tonic-gate
194b9175c69SKenjiro Tsuji if ((defp = defopen_r(LOGINADMIN)) != NULL) {
195b9175c69SKenjiro Tsuji if ((ptr = defread_r("IDLEWEEKS=", defp)) != NULL)
1967c478bd9Sstevel@tonic-gate idledays = 7 * atoi(ptr);
197b9175c69SKenjiro Tsuji defclose_r(defp);
1987c478bd9Sstevel@tonic-gate }
1997c478bd9Sstevel@tonic-gate
2007c478bd9Sstevel@tonic-gate /*
2017c478bd9Sstevel@tonic-gate * if (sp_lstchg == 0), the administrator has forced the
202*48bbca81SDaniel Hoffman * user to change their passwd
2037c478bd9Sstevel@tonic-gate */
2047c478bd9Sstevel@tonic-gate if (shpwd->sp_lstchg == 0)
2057c478bd9Sstevel@tonic-gate return (PAM_NEW_AUTHTOK_REQD);
2067c478bd9Sstevel@tonic-gate
2077c478bd9Sstevel@tonic-gate /* If password aging is disabled (or min>max), all is well */
2087c478bd9Sstevel@tonic-gate if (shpwd->sp_max < 0 || shpwd->sp_max < shpwd->sp_min)
2097c478bd9Sstevel@tonic-gate return (PAM_SUCCESS);
2107c478bd9Sstevel@tonic-gate
2117c478bd9Sstevel@tonic-gate /* Password aging is enabled. See if the password has aged */
2127c478bd9Sstevel@tonic-gate if (now < (time_t)(shpwd->sp_lstchg + shpwd->sp_max))
2137c478bd9Sstevel@tonic-gate return (PAM_SUCCESS);
2147c478bd9Sstevel@tonic-gate
2157c478bd9Sstevel@tonic-gate /* Password has aged. Has it aged more than idledays ? */
2167c478bd9Sstevel@tonic-gate if (idledays < 0) /* IDLEWEEKS not configured */
2177c478bd9Sstevel@tonic-gate return (PAM_NEW_AUTHTOK_REQD);
2187c478bd9Sstevel@tonic-gate
2197c478bd9Sstevel@tonic-gate /* idledays is configured */
2207c478bd9Sstevel@tonic-gate if (idledays > 0 && (now < (time_t)(shpwd->sp_lstchg + idledays)))
2217c478bd9Sstevel@tonic-gate return (PAM_NEW_AUTHTOK_REQD);
2227c478bd9Sstevel@tonic-gate
2237c478bd9Sstevel@tonic-gate /* password has aged more that allowed for by IDLEWEEKS */
2247c478bd9Sstevel@tonic-gate if (!(flags & PAM_SILENT)) {
2257c478bd9Sstevel@tonic-gate (void) strlcpy(messages[0], dgettext(TEXT_DOMAIN,
2267c478bd9Sstevel@tonic-gate "Your password has been expired for too long."),
2277c478bd9Sstevel@tonic-gate sizeof (messages[0]));
2287c478bd9Sstevel@tonic-gate (void) strlcpy(messages[1], dgettext(TEXT_DOMAIN,
2297c478bd9Sstevel@tonic-gate "Please contact the system administrator."),
2307c478bd9Sstevel@tonic-gate sizeof (messages[0]));
2317c478bd9Sstevel@tonic-gate (void) __pam_display_msg(pamh, PAM_ERROR_MSG, 2, messages,
2327c478bd9Sstevel@tonic-gate NULL);
2337c478bd9Sstevel@tonic-gate }
2347c478bd9Sstevel@tonic-gate return (PAM_AUTHTOK_EXPIRED);
2357c478bd9Sstevel@tonic-gate }
2367c478bd9Sstevel@tonic-gate
2377c478bd9Sstevel@tonic-gate /*
2387c478bd9Sstevel@tonic-gate * warn_user_passwd_will_expire - warn the user when the password will
2397c478bd9Sstevel@tonic-gate * expire.
2407c478bd9Sstevel@tonic-gate */
2417c478bd9Sstevel@tonic-gate
2427c478bd9Sstevel@tonic-gate static void
warn_user_passwd_will_expire(pam_handle_t * pamh,struct spwd shpwd)2437c478bd9Sstevel@tonic-gate warn_user_passwd_will_expire(
2447c478bd9Sstevel@tonic-gate pam_handle_t *pamh,
2457c478bd9Sstevel@tonic-gate struct spwd shpwd)
2467c478bd9Sstevel@tonic-gate {
2477c478bd9Sstevel@tonic-gate time_t now = DAY_NOW;
2487c478bd9Sstevel@tonic-gate char messages[PAM_MAX_NUM_MSG][PAM_MAX_MSG_SIZE];
2497c478bd9Sstevel@tonic-gate time_t days;
2507c478bd9Sstevel@tonic-gate
2517c478bd9Sstevel@tonic-gate
2527c478bd9Sstevel@tonic-gate if ((shpwd.sp_warn > 0) && (shpwd.sp_max > 0) &&
2537c478bd9Sstevel@tonic-gate (now + shpwd.sp_warn) >= (time_t)(shpwd.sp_lstchg + shpwd.sp_max)) {
2547c478bd9Sstevel@tonic-gate days = (time_t)(shpwd.sp_lstchg + shpwd.sp_max) - now;
2557c478bd9Sstevel@tonic-gate if (days <= 0)
2567c478bd9Sstevel@tonic-gate (void) snprintf(messages[0],
25757c40785SJoep Vesseur sizeof (messages[0]),
25857c40785SJoep Vesseur dgettext(TEXT_DOMAIN,
25957c40785SJoep Vesseur "Your password will expire within 24 hours."));
2607c478bd9Sstevel@tonic-gate else if (days == 1)
2617c478bd9Sstevel@tonic-gate (void) snprintf(messages[0],
26257c40785SJoep Vesseur sizeof (messages[0]),
26357c40785SJoep Vesseur dgettext(TEXT_DOMAIN,
26457c40785SJoep Vesseur "Your password will expire in 1 day."));
2657c478bd9Sstevel@tonic-gate else
2667c478bd9Sstevel@tonic-gate (void) snprintf(messages[0],
26757c40785SJoep Vesseur sizeof (messages[0]),
26857c40785SJoep Vesseur dgettext(TEXT_DOMAIN,
26957c40785SJoep Vesseur "Your password will expire in %d days."),
27057c40785SJoep Vesseur (int)days);
2717c478bd9Sstevel@tonic-gate
2727c478bd9Sstevel@tonic-gate (void) __pam_display_msg(pamh, PAM_TEXT_INFO, 1, messages,
2737c478bd9Sstevel@tonic-gate NULL);
2747c478bd9Sstevel@tonic-gate }
2757c478bd9Sstevel@tonic-gate }
2767c478bd9Sstevel@tonic-gate
2777c478bd9Sstevel@tonic-gate /*
2787c478bd9Sstevel@tonic-gate * pam_sm_acct_mgmt - main account managment routine.
2797c478bd9Sstevel@tonic-gate * Returns: module error or specific error on failure
2807c478bd9Sstevel@tonic-gate */
2817c478bd9Sstevel@tonic-gate
2827c478bd9Sstevel@tonic-gate int
pam_sm_acct_mgmt(pam_handle_t * pamh,int flags,int argc,const char ** argv)2837c478bd9Sstevel@tonic-gate pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, int argc, const char **argv)
2847c478bd9Sstevel@tonic-gate {
2857c478bd9Sstevel@tonic-gate uid_t pw_uid;
2867c478bd9Sstevel@tonic-gate char *repository_name = NULL;
2877c478bd9Sstevel@tonic-gate char *user;
2887c478bd9Sstevel@tonic-gate attrlist attr_pw[3];
2897c478bd9Sstevel@tonic-gate attrlist attr_spw[7];
2907c478bd9Sstevel@tonic-gate pwu_repository_t *pwu_rep = PWU_DEFAULT_REP;
2917c478bd9Sstevel@tonic-gate pwu_repository_t *auth_rep = NULL;
2927c478bd9Sstevel@tonic-gate int error = PAM_ACCT_EXPIRED;
2937c478bd9Sstevel@tonic-gate int result;
2947c478bd9Sstevel@tonic-gate int i;
2957c478bd9Sstevel@tonic-gate int debug = 0;
2967c478bd9Sstevel@tonic-gate int server_policy = 0;
2977c478bd9Sstevel@tonic-gate unix_authtok_data *status;
2987c478bd9Sstevel@tonic-gate struct spwd shpwd = {NULL, NULL,
2997c478bd9Sstevel@tonic-gate -1, -1, -1, -1, -1, -1, 0};
3007c478bd9Sstevel@tonic-gate
3017c478bd9Sstevel@tonic-gate for (i = 0; i < argc; i++) {
3027c478bd9Sstevel@tonic-gate if (strcasecmp(argv[i], "debug") == 0)
3037c478bd9Sstevel@tonic-gate debug = 1;
3047c478bd9Sstevel@tonic-gate else if (strcasecmp(argv[i], "server_policy") == 0)
3057c478bd9Sstevel@tonic-gate server_policy = 1;
3067c478bd9Sstevel@tonic-gate else if (strcasecmp(argv[i], "nowarn") == 0) {
3077c478bd9Sstevel@tonic-gate flags = flags | PAM_SILENT;
3087c478bd9Sstevel@tonic-gate } else {
30957c40785SJoep Vesseur __pam_log(LOG_AUTH | LOG_ERR,
31057c40785SJoep Vesseur "ACCOUNT:pam_sm_acct_mgmt: illegal option %s",
31157c40785SJoep Vesseur argv[i]);
3127c478bd9Sstevel@tonic-gate }
3137c478bd9Sstevel@tonic-gate }
3147c478bd9Sstevel@tonic-gate
3157c478bd9Sstevel@tonic-gate if (debug)
31657c40785SJoep Vesseur __pam_log(LOG_AUTH | LOG_DEBUG,
3177c478bd9Sstevel@tonic-gate "pam_unix_account: entering pam_sm_acct_mgmt()");
3187c478bd9Sstevel@tonic-gate
3197c478bd9Sstevel@tonic-gate if ((error = pam_get_item(pamh, PAM_USER, (void **)&user))
32057c40785SJoep Vesseur != PAM_SUCCESS)
3217c478bd9Sstevel@tonic-gate goto out;
3227c478bd9Sstevel@tonic-gate
3237c478bd9Sstevel@tonic-gate if (user == NULL) {
3247c478bd9Sstevel@tonic-gate error = PAM_USER_UNKNOWN;
3257c478bd9Sstevel@tonic-gate goto out;
3267c478bd9Sstevel@tonic-gate } else
3277c478bd9Sstevel@tonic-gate shpwd.sp_namp = user;
3287c478bd9Sstevel@tonic-gate
3297c478bd9Sstevel@tonic-gate if ((error = pam_get_item(pamh, PAM_REPOSITORY, (void **)&auth_rep))
33057c40785SJoep Vesseur != PAM_SUCCESS)
3317c478bd9Sstevel@tonic-gate goto out;
3327c478bd9Sstevel@tonic-gate
3337c478bd9Sstevel@tonic-gate if (auth_rep == NULL) {
3347c478bd9Sstevel@tonic-gate pwu_rep = PWU_DEFAULT_REP;
3357c478bd9Sstevel@tonic-gate } else {
3367c478bd9Sstevel@tonic-gate if ((pwu_rep = calloc(1, sizeof (*pwu_rep))) == NULL) {
3377c478bd9Sstevel@tonic-gate error = PAM_BUF_ERR;
3387c478bd9Sstevel@tonic-gate goto out;
3397c478bd9Sstevel@tonic-gate }
3407c478bd9Sstevel@tonic-gate pwu_rep->type = auth_rep->type;
3417c478bd9Sstevel@tonic-gate pwu_rep->scope = auth_rep->scope;
3427c478bd9Sstevel@tonic-gate pwu_rep->scope_len = auth_rep->scope_len;
3437c478bd9Sstevel@tonic-gate }
3447c478bd9Sstevel@tonic-gate
3457c478bd9Sstevel@tonic-gate /*
3467c478bd9Sstevel@tonic-gate * First get the password information
3477c478bd9Sstevel@tonic-gate */
3487c478bd9Sstevel@tonic-gate attr_pw[0].type = ATTR_REP_NAME; attr_pw[0].next = &attr_pw[1];
3497c478bd9Sstevel@tonic-gate attr_pw[1].type = ATTR_UID; attr_pw[1].next = &attr_pw[2];
3507c478bd9Sstevel@tonic-gate attr_pw[2].type = ATTR_PASSWD; attr_pw[2].next = NULL;
3517c478bd9Sstevel@tonic-gate result = __get_authtoken_attr(user, pwu_rep, attr_pw);
3527c478bd9Sstevel@tonic-gate
3537c478bd9Sstevel@tonic-gate if (result == PWU_NOT_FOUND) {
3547c478bd9Sstevel@tonic-gate error = PAM_USER_UNKNOWN;
3557c478bd9Sstevel@tonic-gate goto out;
3567c478bd9Sstevel@tonic-gate } else if (result == PWU_DENIED) {
3577c478bd9Sstevel@tonic-gate error = PAM_PERM_DENIED;
3587c478bd9Sstevel@tonic-gate goto out;
3597c478bd9Sstevel@tonic-gate } else if (result == PWU_NOMEM) {
3607c478bd9Sstevel@tonic-gate error = PAM_BUF_ERR;
3617c478bd9Sstevel@tonic-gate goto out;
3627c478bd9Sstevel@tonic-gate } else if (result != PWU_SUCCESS) {
3637c478bd9Sstevel@tonic-gate error = PAM_SERVICE_ERR;
3647c478bd9Sstevel@tonic-gate goto out;
3657c478bd9Sstevel@tonic-gate } else {
3667c478bd9Sstevel@tonic-gate repository_name = attr_pw[0].data.val_s;
3677c478bd9Sstevel@tonic-gate pw_uid = attr_pw[1].data.val_i;
3687c478bd9Sstevel@tonic-gate shpwd.sp_pwdp = attr_pw[2].data.val_s;
3697c478bd9Sstevel@tonic-gate }
3707c478bd9Sstevel@tonic-gate
3717c478bd9Sstevel@tonic-gate /*
37236e852a1SRaja Andra * if repository is not files|nis, and user wants server_policy,
37336e852a1SRaja Andra * we don't care about aging and hence return PAM_IGNORE
3747c478bd9Sstevel@tonic-gate */
3757c478bd9Sstevel@tonic-gate if (server_policy &&
3767c478bd9Sstevel@tonic-gate strcmp(repository_name, "files") != 0 &&
37736e852a1SRaja Andra strcmp(repository_name, "nis") != 0) {
3787c478bd9Sstevel@tonic-gate error = PAM_IGNORE;
3797c478bd9Sstevel@tonic-gate goto out;
3807c478bd9Sstevel@tonic-gate }
3817c478bd9Sstevel@tonic-gate
3827c478bd9Sstevel@tonic-gate /*
3837c478bd9Sstevel@tonic-gate * Now get the aging information
3847c478bd9Sstevel@tonic-gate */
3857c478bd9Sstevel@tonic-gate attr_spw[0].type = ATTR_LSTCHG; attr_spw[0].next = &attr_spw[1];
3867c478bd9Sstevel@tonic-gate attr_spw[1].type = ATTR_MIN; attr_spw[1].next = &attr_spw[2];
3877c478bd9Sstevel@tonic-gate attr_spw[2].type = ATTR_MAX; attr_spw[2].next = &attr_spw[3];
3887c478bd9Sstevel@tonic-gate attr_spw[3].type = ATTR_WARN; attr_spw[3].next = &attr_spw[4];
3897c478bd9Sstevel@tonic-gate attr_spw[4].type = ATTR_INACT; attr_spw[4].next = &attr_spw[5];
3907c478bd9Sstevel@tonic-gate attr_spw[5].type = ATTR_EXPIRE; attr_spw[5].next = &attr_spw[6];
3917c478bd9Sstevel@tonic-gate attr_spw[6].type = ATTR_FLAG; attr_spw[6].next = NULL;
3927c478bd9Sstevel@tonic-gate
3937c478bd9Sstevel@tonic-gate result = __get_authtoken_attr(user, pwu_rep, attr_spw);
3947c478bd9Sstevel@tonic-gate if (result == PWU_SUCCESS) {
3957c478bd9Sstevel@tonic-gate shpwd.sp_lstchg = attr_spw[0].data.val_i;
3967c478bd9Sstevel@tonic-gate shpwd.sp_min = attr_spw[1].data.val_i;
3977c478bd9Sstevel@tonic-gate shpwd.sp_max = attr_spw[2].data.val_i;
3987c478bd9Sstevel@tonic-gate shpwd.sp_warn = attr_spw[3].data.val_i;
3997c478bd9Sstevel@tonic-gate shpwd.sp_inact = attr_spw[4].data.val_i;
4007c478bd9Sstevel@tonic-gate shpwd.sp_expire = attr_spw[5].data.val_i;
4017c478bd9Sstevel@tonic-gate shpwd.sp_flag = attr_spw[6].data.val_i;
4027c478bd9Sstevel@tonic-gate }
4037c478bd9Sstevel@tonic-gate
4047c478bd9Sstevel@tonic-gate if (debug) {
4057c478bd9Sstevel@tonic-gate char *pw = "Unix PW";
4067c478bd9Sstevel@tonic-gate
4077c478bd9Sstevel@tonic-gate if (shpwd.sp_pwdp == NULL)
4087c478bd9Sstevel@tonic-gate pw = "NULL";
4097c478bd9Sstevel@tonic-gate else if (strncmp(shpwd.sp_pwdp, LOCKSTRING,
4107c478bd9Sstevel@tonic-gate sizeof (LOCKSTRING) - 1) == 0)
4117c478bd9Sstevel@tonic-gate pw = LOCKSTRING;
41266e150d7SJohn Sonnenschein else if (strcmp(shpwd.sp_pwdp, NOPWDRTR) == 0)
41366e150d7SJohn Sonnenschein pw = NOPWDRTR;
4147c478bd9Sstevel@tonic-gate
4157c478bd9Sstevel@tonic-gate if (result == PWU_DENIED) {
41657c40785SJoep Vesseur __pam_log(LOG_AUTH | LOG_DEBUG,
41757c40785SJoep Vesseur "pam_unix_account: %s: permission denied "
41857c40785SJoep Vesseur "to access password aging information. "
41957c40785SJoep Vesseur "Using defaults.", user);
4207c478bd9Sstevel@tonic-gate }
4217c478bd9Sstevel@tonic-gate
42257c40785SJoep Vesseur __pam_log(LOG_AUTH | LOG_DEBUG,
4237c478bd9Sstevel@tonic-gate "%s Policy:Unix, pw=%s, lstchg=%d, min=%d, max=%d, "
4247c478bd9Sstevel@tonic-gate "warn=%d, inact=%d, expire=%d",
4257c478bd9Sstevel@tonic-gate user, pw, shpwd.sp_lstchg, shpwd.sp_min, shpwd.sp_max,
4267c478bd9Sstevel@tonic-gate shpwd.sp_warn, shpwd.sp_inact, shpwd.sp_expire);
4277c478bd9Sstevel@tonic-gate }
4287c478bd9Sstevel@tonic-gate
4297c478bd9Sstevel@tonic-gate if (pwu_rep != PWU_DEFAULT_REP) {
4307c478bd9Sstevel@tonic-gate free(pwu_rep);
4317c478bd9Sstevel@tonic-gate pwu_rep = PWU_DEFAULT_REP;
4327c478bd9Sstevel@tonic-gate }
4337c478bd9Sstevel@tonic-gate
4347c478bd9Sstevel@tonic-gate if (result == PWU_NOT_FOUND) {
4357c478bd9Sstevel@tonic-gate error = PAM_USER_UNKNOWN;
4367c478bd9Sstevel@tonic-gate goto out;
4377c478bd9Sstevel@tonic-gate } else if (result == PWU_NOMEM) {
4387c478bd9Sstevel@tonic-gate error = PAM_BUF_ERR;
4397c478bd9Sstevel@tonic-gate goto out;
4407c478bd9Sstevel@tonic-gate } else if (result != PWU_SUCCESS && result != PWU_DENIED) {
4417c478bd9Sstevel@tonic-gate error = PAM_SERVICE_ERR;
4427c478bd9Sstevel@tonic-gate goto out;
4437c478bd9Sstevel@tonic-gate }
4447c478bd9Sstevel@tonic-gate
4457c478bd9Sstevel@tonic-gate /*
4467c478bd9Sstevel@tonic-gate * Check for locked account
4477c478bd9Sstevel@tonic-gate */
4487c478bd9Sstevel@tonic-gate if (shpwd.sp_pwdp != NULL &&
4497c478bd9Sstevel@tonic-gate strncmp(shpwd.sp_pwdp, LOCKSTRING, sizeof (LOCKSTRING) - 1) == 0) {
4507c478bd9Sstevel@tonic-gate char *service;
4517c478bd9Sstevel@tonic-gate char *rhost = NULL;
4527c478bd9Sstevel@tonic-gate
4537c478bd9Sstevel@tonic-gate (void) pam_get_item(pamh, PAM_SERVICE, (void **)&service);
4547c478bd9Sstevel@tonic-gate (void) pam_get_item(pamh, PAM_RHOST, (void **)&rhost);
4557c478bd9Sstevel@tonic-gate __pam_log(LOG_AUTH | LOG_NOTICE,
4567c478bd9Sstevel@tonic-gate "pam_unix_account: %s attempting to validate locked "
4577c478bd9Sstevel@tonic-gate "account %s from %s",
4587c478bd9Sstevel@tonic-gate service, user,
4597c478bd9Sstevel@tonic-gate (rhost != NULL && *rhost != '\0') ? rhost : "local host");
4607c478bd9Sstevel@tonic-gate error = PAM_PERM_DENIED;
4617c478bd9Sstevel@tonic-gate goto out;
4627c478bd9Sstevel@tonic-gate }
4637c478bd9Sstevel@tonic-gate
46457c40785SJoep Vesseur /*
46557c40785SJoep Vesseur * Check for NULL password and, if so, see if such is allowed
46657c40785SJoep Vesseur */
46757c40785SJoep Vesseur if (shpwd.sp_pwdp[0] == '\0' &&
46857c40785SJoep Vesseur (flags & PAM_DISALLOW_NULL_AUTHTOK) != 0) {
46957c40785SJoep Vesseur char *service;
47057c40785SJoep Vesseur char *rhost = NULL;
47157c40785SJoep Vesseur
47257c40785SJoep Vesseur (void) pam_get_item(pamh, PAM_SERVICE, (void **)&service);
47357c40785SJoep Vesseur (void) pam_get_item(pamh, PAM_RHOST, (void **)&rhost);
47457c40785SJoep Vesseur
47557c40785SJoep Vesseur __pam_log(LOG_AUTH | LOG_NOTICE,
47657c40785SJoep Vesseur "pam_unix_account: %s: empty password not allowed for "
47757c40785SJoep Vesseur "account %s from %s", service, user,
47857c40785SJoep Vesseur (rhost != NULL && *rhost != '\0') ? rhost : "local host");
47957c40785SJoep Vesseur error = PAM_PERM_DENIED;
48057c40785SJoep Vesseur goto out;
48157c40785SJoep Vesseur }
48257c40785SJoep Vesseur
4837c478bd9Sstevel@tonic-gate /*
4847c478bd9Sstevel@tonic-gate * Check for account expiration
4857c478bd9Sstevel@tonic-gate */
4867c478bd9Sstevel@tonic-gate if (shpwd.sp_expire > 0 &&
4877c478bd9Sstevel@tonic-gate (time_t)shpwd.sp_expire < DAY_NOW) {
4887c478bd9Sstevel@tonic-gate error = PAM_ACCT_EXPIRED;
4897c478bd9Sstevel@tonic-gate goto out;
4907c478bd9Sstevel@tonic-gate }
4917c478bd9Sstevel@tonic-gate
4927c478bd9Sstevel@tonic-gate /*
4937c478bd9Sstevel@tonic-gate * Check for excessive login account inactivity
4947c478bd9Sstevel@tonic-gate */
4957c478bd9Sstevel@tonic-gate if (check_for_login_inactivity(pw_uid, &shpwd)) {
4967c478bd9Sstevel@tonic-gate error = PAM_PERM_DENIED;
4977c478bd9Sstevel@tonic-gate goto out;
4987c478bd9Sstevel@tonic-gate }
4997c478bd9Sstevel@tonic-gate
5007c478bd9Sstevel@tonic-gate /*
5017c478bd9Sstevel@tonic-gate * Check to see if the user needs to change their password
5027c478bd9Sstevel@tonic-gate */
50357c40785SJoep Vesseur if (error = new_password_check(&shpwd, flags)) {
5047c478bd9Sstevel@tonic-gate goto out;
5057c478bd9Sstevel@tonic-gate }
5067c478bd9Sstevel@tonic-gate
5077c478bd9Sstevel@tonic-gate /*
5087c478bd9Sstevel@tonic-gate * Check to make sure password aging information is okay
5097c478bd9Sstevel@tonic-gate */
5107c478bd9Sstevel@tonic-gate if ((error = perform_passwd_aging_check(pamh, &shpwd, flags))
51157c40785SJoep Vesseur != PAM_SUCCESS) {
5127c478bd9Sstevel@tonic-gate goto out;
5137c478bd9Sstevel@tonic-gate }
5147c478bd9Sstevel@tonic-gate
5157c478bd9Sstevel@tonic-gate /*
5167c478bd9Sstevel@tonic-gate * Finally, warn the user if their password is about to expire.
5177c478bd9Sstevel@tonic-gate */
5187c478bd9Sstevel@tonic-gate if (!(flags & PAM_SILENT)) {
5197c478bd9Sstevel@tonic-gate warn_user_passwd_will_expire(pamh, shpwd);
5207c478bd9Sstevel@tonic-gate }
5217c478bd9Sstevel@tonic-gate
5227c478bd9Sstevel@tonic-gate /*
5237c478bd9Sstevel@tonic-gate * All done, return Success
5247c478bd9Sstevel@tonic-gate */
5257c478bd9Sstevel@tonic-gate error = PAM_SUCCESS;
5267c478bd9Sstevel@tonic-gate
5277c478bd9Sstevel@tonic-gate out:
5287c478bd9Sstevel@tonic-gate
5297c478bd9Sstevel@tonic-gate {
5307c478bd9Sstevel@tonic-gate int pam_res;
5317c478bd9Sstevel@tonic-gate unix_authtok_data *authtok_data;
5327c478bd9Sstevel@tonic-gate
5337c478bd9Sstevel@tonic-gate if (debug) {
53457c40785SJoep Vesseur __pam_log(LOG_AUTH | LOG_DEBUG,
53557c40785SJoep Vesseur "pam_unix_account: %s: %s",
53657c40785SJoep Vesseur (user == NULL)?"NULL":user,
53757c40785SJoep Vesseur pam_strerror(pamh, error));
5387c478bd9Sstevel@tonic-gate }
5397c478bd9Sstevel@tonic-gate
5407c478bd9Sstevel@tonic-gate if (repository_name)
5417c478bd9Sstevel@tonic-gate free(repository_name);
5427c478bd9Sstevel@tonic-gate if (pwu_rep != PWU_DEFAULT_REP)
5437c478bd9Sstevel@tonic-gate free(pwu_rep);
5447c478bd9Sstevel@tonic-gate if (shpwd.sp_pwdp) {
5457c478bd9Sstevel@tonic-gate (void) memset(shpwd.sp_pwdp, 0, strlen(shpwd.sp_pwdp));
5467c478bd9Sstevel@tonic-gate free(shpwd.sp_pwdp);
5477c478bd9Sstevel@tonic-gate }
5487c478bd9Sstevel@tonic-gate
5497c478bd9Sstevel@tonic-gate /* store the password aging status in the pam handle */
55057c40785SJoep Vesseur pam_res = pam_get_data(pamh, UNIX_AUTHTOK_DATA,
55157c40785SJoep Vesseur (const void **)&authtok_data);
5527c478bd9Sstevel@tonic-gate
55357c40785SJoep Vesseur if ((status = (unix_authtok_data *)calloc(1,
55457c40785SJoep Vesseur sizeof (unix_authtok_data))) == NULL) {
5557c478bd9Sstevel@tonic-gate return (PAM_BUF_ERR);
5567c478bd9Sstevel@tonic-gate }
5577c478bd9Sstevel@tonic-gate
5587c478bd9Sstevel@tonic-gate if (pam_res == PAM_SUCCESS)
5597c478bd9Sstevel@tonic-gate (void) memcpy(status, authtok_data,
56057c40785SJoep Vesseur sizeof (unix_authtok_data));
5617c478bd9Sstevel@tonic-gate
5627c478bd9Sstevel@tonic-gate status->age_status = error;
5637c478bd9Sstevel@tonic-gate if (pam_set_data(pamh, UNIX_AUTHTOK_DATA, status, unix_cleanup)
56457c40785SJoep Vesseur != PAM_SUCCESS) {
5657c478bd9Sstevel@tonic-gate free(status);
5667c478bd9Sstevel@tonic-gate return (PAM_SERVICE_ERR);
5677c478bd9Sstevel@tonic-gate }
5687c478bd9Sstevel@tonic-gate }
5697c478bd9Sstevel@tonic-gate
5707c478bd9Sstevel@tonic-gate return (error);
5717c478bd9Sstevel@tonic-gate }
572