
patch: use_authtok in pam_cracklib



Hi,
This patch adds the "use_authtok" option to the pam_cracklib module.
I'm working on a password generator module, and I thought it would be
useful if the cracklib module could simply check the password obtained
by the previous module on the stack instead of prompting for one.

The patch is in two parts, first is the code and second the documentation.

Jan
-- 
Jan RÍkorajski            |  ALL SUSPECTS ARE GUILTY. PERIOD!
baggins<at>mimuw.edu.pl   |  OTHERWISE THEY WOULDN'T BE SUSPECTS, WOULD THEY?
BOFH, type MANIAC         |                   -- TROOPS by Kevin Rubio
Index: pam_cracklib.c
===================================================================
RCS file: /usr/src/cvsroot/pam/modules/pam_cracklib/pam_cracklib.c,v
retrieving revision 1.3
diff -u -u -r1.3 pam_cracklib.c
--- pam_cracklib.c	1999/06/14 02:44:09	1.3
+++ pam_cracklib.c	1999/08/09 22:22:40
@@ -93,6 +93,7 @@
 static int up_credit = 1;
 static int low_credit = 1;
 static int oth_credit = 1;
+static int use_authtok = 0;
 static char prompt_type[BUFSIZ];
 
 static int _pam_parse(int argc, const char **argv)
@@ -137,6 +138,8 @@
 	     oth_credit = strtol(*argv+8,&ep,10);
 	     if (!ep || (oth_credit < 0))
 		 oth_credit = 0;
+	 } else if (!strncmp(*argv,"use_authtok",11)) {
+		 use_authtok = 1;
 	 } else {
 	     _pam_log(LOG_ERR,"pam_parse: unknown option; %s",*argv);
 	 }
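Review bot: The added `strncmp(*argv,"use_authtok",11)` is a prefix test, so any argument that merely begins with `use_authtok` (say a misspelt `use_authtoken`) silently enables the option instead of falling through to the "unknown option" log in the else branch below. The neighbouring options compare a prefix because they carry a `=value` suffix, but this one is a bare flag and should match exactly: `} else if (!strcmp(*argv,"use_authtok")) {`. The body of _pam_parse continues outside this hunk.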
@@ -506,33 +509,48 @@
          * set PAM_AUTHTOK and return
          */
 
-        /* Prepare to ask the user for the first time */
-        memset(prompt,0,sizeof(prompt));
-        sprintf(prompt,PROMPT1,prompt_type);
-        pmsg[0] = &msg[0];
-        msg[0].msg_style = PAM_PROMPT_ECHO_OFF;
-        msg[0].msg = prompt;
-
-        resp = NULL;
-        retval = converse(pamh, ctrl, 1, pmsg, &resp);
-        if (resp != NULL) {
-            /* interpret the response */
-            if (retval == PAM_SUCCESS) {     /* a good conversation */
-                token1 = x_strdup(resp[0].resp);
-                if (token1 == NULL) {
-                    _pam_log(LOG_NOTICE,
-                             "could not recover authentication token 1");
-                    retval = PAM_AUTHTOK_RECOVER_ERR;
+	if (use_authtok == 1) {
+            retval = pam_get_item(pamh, PAM_AUTHTOK, (const void **) &item);
+	    if (retval != PAM_SUCCESS) {
+		/* very strange. */
+		_pam_log(LOG_ALERT
+			,"pam_get_item returned error to pam_cracklib"
+			);
+	    } else if (item != NULL) {      /* we have a password! */
+		token1 = item;
+		item = NULL;
+	    } else {
+		retval = PAM_AUTHTOK_RECOVER_ERR;         /* didn't work */
+	    }
+	} else {
+            /* Prepare to ask the user for the first time */
+            memset(prompt,0,sizeof(prompt));
+            sprintf(prompt,PROMPT1,prompt_type);
+            pmsg[0] = &msg[0];
+            msg[0].msg_style = PAM_PROMPT_ECHO_OFF;
+            msg[0].msg = prompt;
+
+            resp = NULL;
+            retval = converse(pamh, ctrl, 1, pmsg, &resp);
+            if (resp != NULL) {
+                /* interpret the response */
+                if (retval == PAM_SUCCESS) {     /* a good conversation */
+                    token1 = x_strdup(resp[0].resp);
+                    if (token1 == NULL) {
+                        _pam_log(LOG_NOTICE,
+                                 "could not recover authentication token 1");
+                        retval = PAM_AUTHTOK_RECOVER_ERR;
+                    }
                 }
+                /*
+                 * tidy up the conversation (resp_retcode) is ignored
+                 */
+                _pam_drop_reply(resp, 1);
+            } else {
+                retval = (retval == PAM_SUCCESS) ?
+                         PAM_AUTHTOK_RECOVER_ERR:retval ;
             }
-            /*
-             * tidy up the conversation (resp_retcode) is ignored
-             */
-            _pam_drop_reply(resp, 1);
-        } else {
-            retval = (retval == PAM_SUCCESS) ?
-                     PAM_AUTHTOK_RECOVER_ERR:retval ;
-        }
+	}
 
         if (retval != PAM_SUCCESS) {
             if (ctrl && PAM_DEBUG_ARG)
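Review bot: `token1 = item;` in the new use_authtok branch makes token1 an alias of the PAM-owned PAM_AUTHTOK item, whereas the prompting branch right below it obtains token1 through x_strdup and the rest of the function treats token1 as private heap memory that it wipes and frees (see `_pam_delete(token1)` in the next hunk, and presumably the failure paths between the hunks); any of those paths now frees and zeroes the item that PAM still holds, which is a use-after-free waiting to happen. Keep the ownership model uniform by copying the item and reusing the existing allocation-failure handling: `token1 = x_strdup(item);` / `item = NULL;` / `if (token1 == NULL) retval = PAM_AUTHTOK_RECOVER_ERR;`. If item is declared `const void *`, as the cast on the pam_get_item call suggests, the plain assignment also discards the qualifier. The enclosing function starts and ends outside this hunk.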
@@ -584,75 +602,77 @@
         }
 
         /* Now we have a good passwd. Ask for it once again */
-        
-        bzero(prompt,sizeof(prompt));
-        sprintf(prompt,PROMPT2,prompt_type);
-        pmsg[0] = &msg[0];
-        msg[0].msg_style = PAM_PROMPT_ECHO_OFF;
-        msg[0].msg = prompt;
-
-        resp = NULL;
-        retval = converse(pamh, ctrl, 1, pmsg, &resp);
-        if (resp != NULL) {
-            /* interpret the response */
-            if (retval == PAM_SUCCESS) {     /* a good conversation */
-                token2 = x_strdup(resp[0].resp);
-                if (token2 == NULL) {
-                    _pam_log(LOG_NOTICE,
-                             "could not recover authentication token 2");
-                    retval = PAM_AUTHTOK_RECOVER_ERR;
+
+        if (use_authtok == 0) {
+            bzero(prompt,sizeof(prompt));
+            sprintf(prompt,PROMPT2,prompt_type);
+            pmsg[0] = &msg[0];
+            msg[0].msg_style = PAM_PROMPT_ECHO_OFF;
+            msg[0].msg = prompt;
+
+            resp = NULL;
+            retval = converse(pamh, ctrl, 1, pmsg, &resp);
+            if (resp != NULL) {
+                /* interpret the response */
+                if (retval == PAM_SUCCESS) {     /* a good conversation */
+                    token2 = x_strdup(resp[0].resp);
+                    if (token2 == NULL) {
+                        _pam_log(LOG_NOTICE,
+                                 "could not recover authentication token 2");
+                        retval = PAM_AUTHTOK_RECOVER_ERR;
+                    }
                 }
+                /*
+                 * tidy up the conversation (resp_retcode) is ignored
+                 */
+	        _pam_drop_reply(resp, 1);
+            } else {
+                retval = (retval == PAM_SUCCESS) ?
+                         PAM_AUTHTOK_RECOVER_ERR:retval ;
             }
-            /*
-             * tidy up the conversation (resp_retcode) is ignored
-             */
-	    _pam_drop_reply(resp, 1);
-        } else {
-            retval = (retval == PAM_SUCCESS) ?
-                     PAM_AUTHTOK_RECOVER_ERR:retval ;
-        }
 
-        if (retval != PAM_SUCCESS) {
-            if (ctrl && PAM_DEBUG_ARG)
-                _pam_log(LOG_DEBUG
-			 ,"unable to obtain the password a second time");
-            continue;
-        }
+            if (retval != PAM_SUCCESS) {
+                if (ctrl && PAM_DEBUG_ARG)
+                    _pam_log(LOG_DEBUG
+			     ,"unable to obtain the password a second time");
+                continue;
+            }
 
-        /* Hopefully now token1 and token2 the same password ... */
-        if (strcmp(token1,token2) != 0) {
-            /* tell the user */
-            make_remark(pamh, ctrl, PAM_ERROR_MSG, MISTYPED_PASS);
-            token1 = _pam_delete(token1);
-            token2 = _pam_delete(token2);
-            pam_set_item(pamh, PAM_AUTHTOK, NULL);
-            if (ctrl & PAM_DEBUG_ARG)
-                _pam_log(LOG_NOTICE,"Password mistyped");
-            retval = PAM_AUTHTOK_RECOVER_ERR;
-            continue;
-        }
+            /* Hopefully now token1 and token2 the same password ... */
+            if (strcmp(token1,token2) != 0) {
+                /* tell the user */
+                make_remark(pamh, ctrl, PAM_ERROR_MSG, MISTYPED_PASS);
+                token1 = _pam_delete(token1);
+                token2 = _pam_delete(token2);
+                pam_set_item(pamh, PAM_AUTHTOK, NULL);
+                if (ctrl & PAM_DEBUG_ARG)
+                    _pam_log(LOG_NOTICE,"Password mistyped");
+                retval = PAM_AUTHTOK_RECOVER_ERR;
+                continue;
+            }
         
-        /* Yes, the password was typed correct twice
-         * we store this password as an item
-         */
+            /* Yes, the password was typed correct twice
+             * we store this password as an item
+             */
 
-        retval = pam_set_item(pamh, PAM_AUTHTOK, token1);
-        /* clean it up */
-        token1 = _pam_delete(token1);
-        token2 = _pam_delete(token2);
-        if (
-            (retval != PAM_SUCCESS) ||
-            (
-             (
-                retval = pam_get_item(pamh, PAM_AUTHTOK, (const void **)&item)
-             ) != PAM_SUCCESS
-            )
-           ) {
-                _pam_log(LOG_CRIT, "error manipulating password");
-                continue;
+            retval = pam_set_item(pamh, PAM_AUTHTOK, token1);
+            /* clean it up */
+            token1 = _pam_delete(token1);
+            token2 = _pam_delete(token2);
+            if (
+                (retval != PAM_SUCCESS) ||
+                (
+                 (
+                    retval = pam_get_item(pamh, PAM_AUTHTOK, (const void **)&item)
+                 ) != PAM_SUCCESS
+                )
+               ) {
+                    _pam_log(LOG_CRIT, "error manipulating password");
+                    continue;
+            }
+            item = NULL;                 /* break link to password */
+            return PAM_SUCCESS;
         }
-        item = NULL;                 /* break link to password */
-        return PAM_SUCCESS;
         
         } while (retry_times--);
 
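Review bot: With use_authtok set, a password that passes all the checks never reaches the `return PAM_SUCCESS` at the end of the new `if (use_authtok == 0)` block; control drops to `} while (retry_times--);`, re-enters the loop, fetches the same PAM_AUTHTOK item again and repeats the checks until retry_times is exhausted, so the result depends entirely on the code after the loop, which lies outside this hunk. The use_authtok path needs its own terminating branch on the `if (use_authtok == 0)` block, e.g. `} else { return PAM_SUCCESS; }`, and if token1 in that path holds a private copy of the token it should be released there with `token1 = _pam_delete(token1);` first (as the previous hunk stands, token1 aliases the PAM item and must not be deleted). The re-indented `if (ctrl && PAM_DEBUG_ARG)` moved into this block also still uses `&&` where the two later tests use `&`, so that debug message is emitted whenever ctrl is non-zero; it is pre-existing, but worth fixing while the lines are being touched.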
--- pam/doc/modules/pam_cracklib.sgml~	Mon Jul  5 16:34:39 1999
+++ pam/doc/modules/pam_cracklib.sgml	Wed Aug 11 13:49:49 1999
@@ -118,6 +118,7 @@
 
 <tt/debug/; <tt/type=XXX/; <tt/retry=N/; <tt/difok=N/; <tt/minlen=N/;
 <tt/dcredit=N/; <tt/ucredit=N/; <tt/lcredit=N/; <tt/ocredit=N/;
+<tt/use_authtok/;
 
 <tag><bf>Description:</bf></tag>
 
@@ -208,6 +209,12 @@
 character will count +1 towards meeting the current <tt/minlen/ value.
 The default for <tt/ocredit/ is 1 which is the recommended value for
 <tt/minlen/ less than 10.
+
+<item> <tt/use_authtok/ -
+
+This argument is used to <em/force/ the module to not prompt the user
+for a new password but use the one provided by the previously stacked
+<tt/password/ module.
 
 </itemize>
 
