passwd_nisplus.c

pwdutils是一套密码管理工具

/* Copyright (C) 2002, 2005 Thorsten Kukuk
   Author: Thorsten Kukuk <kukuk@thkukuk.de>

   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License version 2 as
   published by the Free Software Foundation.

   This program is distributed in the hope that it will be useful,
   but WITHOUT ANY WARRANTY; without even the implied warranty of
   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
   GNU General Public License for more details.

   You should have received a copy of the GNU General Public License
   along with this program; if not, write to the Free Software Foundation,
   Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.  */


#ifdef HAVE_CONFIG_H
#include <config.h>
#endif

#define _GNU_SOURCE

#include <pwd.h>
#include <time.h>
#include <ctype.h>
#include <unistd.h>
#include <string.h>
#include <rpc/key_prot.h>
#include <rpc/des_crypt.h>
#include <rpcsvc/nis.h>

#include <security/_pam_macros.h>
#include <security/pam_modules.h>

#include "i18n.h"
#include "public.h"
#include "nispasswd.h"

/* This is in glibc, but not in the headers */
extern int key_get_conv (char *pkey, des_block *deskey);

static bool_t
__pam_xdr_nispasswd_status (XDR *xdrs, nispasswd_status *objp)
{
  if (!xdr_enum(xdrs, (enum_t *)objp))
    return (FALSE);
  return (TRUE);
}

static bool_t
__pam_xdr_nispasswd_code (XDR *xdrs, nispasswd_code *objp)
{
  if (!xdr_enum(xdrs, (enum_t *)objp)) {
    return (FALSE);
  }
  return (TRUE);
}

static bool_t
__pam_xdr_nispasswd_field (XDR *xdrs, nispasswd_field *objp)
{
  if (!xdr_enum(xdrs, (enum_t *)objp)) {
    return (FALSE);
  }
  return (TRUE);
}

static bool_t
__pam_xdr_nispasswd_error (XDR *xdrs, nispasswd_error *objp)
{
  if (!__pam_xdr_nispasswd_field(xdrs, &objp->npd_field)) {
    return (FALSE);
  }
  if (!__pam_xdr_nispasswd_code(xdrs, &objp->npd_code)) {
    return (FALSE);
  }
  if (!xdr_pointer(xdrs, (char **)&objp->next, sizeof(nispasswd_error),
		   (xdrproc_t)__pam_xdr_nispasswd_error)) {
    return (FALSE);
  }
  return (TRUE);
}

static bool_t
__pam_xdr_passwd_info (XDR *xdrs, passwd_info *objp)
{
  if (!xdr_string(xdrs, &objp->pw_gecos, ~0)) {
    return (FALSE);
  }
  if (!xdr_string(xdrs, &objp->pw_shell, ~0)) {
    return (FALSE);
  }
  return (TRUE);
}

static bool_t
__pam_xdr_npd_request(XDR *xdrs, npd_request *objp)
{
  if (!xdr_string(xdrs, &objp->username, ~0)) {
    return (FALSE);
  }
  if (!xdr_string(xdrs, &objp->domain, ~0)) {
    return (FALSE);
  }
  if (!xdr_string(xdrs, &objp->key_type, ~0)) {
    return (FALSE);
  }
  if (!xdr_array(xdrs, (char **)&objp->user_pub_key.user_pub_key_val,
		 (u_int *)&objp->user_pub_key.user_pub_key_len, ~0,
		 sizeof(u_char), (xdrproc_t)xdr_u_char))
    return (FALSE);

  if (!xdr_array(xdrs, (char **)&objp->npd_authpass.npd_authpass_val,
		 (u_int *)&objp->npd_authpass.npd_authpass_len, ~0,
		 sizeof(u_char), (xdrproc_t)xdr_u_char))
    return (FALSE);

  if (!xdr_u_int (xdrs, &objp->ident))
    return (FALSE);

  return (TRUE);
}


static bool_t
__pam_xdr_passbuf (XDR *xdrs, passbuf objp)
{
  if (!xdr_opaque(xdrs, objp, __NPD_MAXPASSBYTES)) {
    return (FALSE);
  }
  return (TRUE);
}

static bool_t
__pam_xdr_npd_newpass (XDR *xdrs, npd_newpass *objp)
{
  if (!xdr_u_int(xdrs, &objp->npd_xrandval)) {
    return (FALSE);
  }
  if (!__pam_xdr_passbuf(xdrs, objp->pass)) {
    return (FALSE);
  }
  return (TRUE);
}

static bool_t
__pam_xdr_npd_update (XDR *xdrs, npd_update *objp)
{
  if (!xdr_u_int(xdrs, &objp->ident)) {
    return (FALSE);
  }
  if (!__pam_xdr_npd_newpass(xdrs, &objp->xnewpass)) {
    return (FALSE);
  }
  if (!__pam_xdr_passwd_info(xdrs, &objp->pass_info)) {
    return (FALSE);
  }
  return (TRUE);
}

static bool_t
__pam_xdr_nispasswd_verf (XDR *xdrs, nispasswd_verf *objp)
{
  if (!xdr_u_int (xdrs, &objp->npd_xid)) {
    return (FALSE);
  }
  if (!xdr_u_int (xdrs, &objp->npd_xrandval)) {
    return (FALSE);
  }
  return (TRUE);
}

static bool_t
__pam_xdr_nispasswd_authresult (XDR *xdrs, nispasswd_authresult *objp)
{
  if (!__pam_xdr_nispasswd_status(xdrs, &objp->status)) {
    return (FALSE);
  }
  switch (objp->status) {
  case NPD_SUCCESS:
  case NPD_TRYAGAIN:
    if (!__pam_xdr_nispasswd_verf(xdrs,
				  &objp->nispasswd_authresult_u.npd_verf))
      return FALSE;
    break;
  default:
    if (!__pam_xdr_nispasswd_code(xdrs,
				  &objp->nispasswd_authresult_u.npd_err))
      return (FALSE);
    break;
  }
  return (TRUE);
}

static bool_t
__pam_xdr_nispasswd_updresult (XDR *xdrs, nispasswd_updresult *objp)
{
  if (!__pam_xdr_nispasswd_status (xdrs, &objp->status))
    return (FALSE);
  switch (objp->status)
    {
    case NPD_PARTIALSUCCESS:
      if (!__pam_xdr_nispasswd_error (xdrs,
				      &objp->nispasswd_updresult_u.reason))
        return (FALSE);
      break;
    case NPD_FAILED:
      if (!__pam_xdr_nispasswd_code (xdrs,
				     &objp->nispasswd_updresult_u.npd_err))
        return (FALSE);
      break;
    default:
      break;
    }
  return (TRUE);
}

static const char *
npderr2str (nispasswd_code error)
{
  switch (error)
    {
    case NPD_NOTMASTER:
      return "Server is not master of this domain";
    case NPD_NOSUCHENTRY:
      return "No passwd entry exists for this user";
    case NPD_IDENTINVALID:
      return "Identifier invalid";
    case NPD_NOPASSWD:
      return "No password stored";
    case NPD_NOSHDWINFO:
      return "No shadow information stored";
    case NPD_SHDWCORRUPT:
      return "Shadow information corrupted";
    case NPD_NOTAGED:
      return "Passwd has not aged sufficiently";
    case NPD_CKGENFAILED:
      return "Common key could not be generated";
    case NPD_VERFINVALID:
      return "Verifier mismatch";
    case NPD_PASSINVALID:
      return "All auth attempts incorrect";
    case NPD_ENCRYPTFAIL:
      return "Encryption failed";
    case NPD_DECRYPTFAIL:
      return "Decryption failed";
    case NPD_KEYSUPDATED:
      return "New key-pair generated for user";
    case NPD_KEYNOTREENC:
      return "Could not reencrypt secret key";
    case NPD_PERMDENIED:
      return "Permission denied";
    case NPD_SRVNOTRESP:
      return "Server not responding";
    case NPD_NISERROR:
      return "NIS+ server error";
    case NPD_SYSTEMERR:
      return "System error";
    case NPD_BUFTOOSMALL:
      return "Buffer too small";
    case NPD_INVALIDARGS:
      return "Invalid args to function";
    default:
      return "Unknown error!";
    }
}


#define NISENTRYVAL(col,obj) \
        ((obj)->EN_data.en_cols.en_cols_val[(col)].ec_value.ec_value_val)
#define NISENTRYLEN(col,obj) \
        ((obj)->EN_data.en_cols.en_cols_val[(col)].ec_value.ec_value_len)
#define NISENTRYFLAG(col,res) \
        ((obj)->EN_data.en_cols.en_cols_val[(col)].ec_flags)

static int
update_npd (nis_object *obj, user_t *data)
{
  nis_server **server;
  CLIENT *clnt;
  struct timeval timeout;
  char oldpwd[17];
  npd_request request;
  npd_update update;
  nispasswd_authresult result;
  nispasswd_updresult updresult;
  char pkey_host[HEXKEYBYTES + 1];
  char pkey_user[HEXKEYBYTES + 1];
  char skey_data[HEXKEYBYTES + 1];
  char usernetname[MAXNETNAMELEN + 1], servernetname[MAXNETNAMELEN + 1];
  des_block CK;
  const char *masterhost;
  des_block cryptbuf;
  char ivec[8];
  u_int32_t *ixdr;
  int error;
  char *cp;

  /* build netname for user or if caller == root, host */
  if (getuid () == 0 && strncmp (NISENTRYVAL(0,obj), "root",
				 NISENTRYLEN(0,obj)) == 0)
    {
      char hostname[MAXHOSTNAMELEN + 1];

      if (gethostname (hostname, MAXHOSTNAMELEN) != 0)
	{
	  fprintf (stderr, _("Could not determine hostname!\n"));
	  return -1;
	}