/***************************************************************** * * kcheckpass - Simple password checker * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public * License as published by the Free Software Foundation; either * version 2 of the License, or (at your option) any later version. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU * General Public License for more details. * * You should have received a copy of the GNU General Public * License along with this program; if not, write to the Free * Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. * * * kcheckpass is a simple password checker. Just invoke and * send it the password on stdin. * * If the password was accepted, the program exits with 0; * if it was rejected, it exits with 1. Any other exit * code signals an error. * * It's hopefully simple enough to allow it to be setuid * root. * * Compile with -DHAVE_VSYSLOG if you have vsyslog(). * Compile with -DHAVE_PAM if you have a PAM system, * and link with -lpam -ldl. * Compile with -DHAVE_SHADOW if you have a shadow * password system. * * Copyright (C) 1998, Caldera, Inc. * Released under the GNU General Public License * * Olaf Kirch <okir@caldera.de> General Framework and PAM support * Christian Esken <esken@kde.org> Shadow and /etc/passwd support * Roberto Teixeira <maragato@kde.org> other user (-U) support * Oswald Buddenhagen <ossi@kde.org> Binary server mode * * Other parts were taken from kscreensaver's passwd.cpp. * *****************************************************************/ #include "kcheckpass.h" #include <stdarg.h> #include <stdio.h> #include <string.h> #include <unistd.h> #include <fcntl.h> #include <syslog.h> #include <stdlib.h> #include <errno.h> #include <time.h> /* Compatibility: accept some options from environment variables */ #define ACCEPT_ENV #define THROTTLE 3 static int havetty, sfd = -1, nullpass; static char * conv_legacy (ConvRequest what, const char *prompt) { char *p, *p2; int len; char buf[1024]; switch (what) { case ConvGetBinary: break; case ConvGetNormal: /* there is no prompt == 0 case */ if (!havetty) break; /* i guess we should use /dev/tty ... */ fputs(prompt, stdout); fflush(stdout); if (!fgets(buf, sizeof(buf), stdin)) return 0; len = strlen(buf); if (len && buf[len - 1] == '\n') buf[--len] = 0; return strdup(buf); case ConvGetHidden: if (havetty) { #ifdef HAVE_GETPASSPHRASE p = getpassphrase(prompt ? prompt : "Password: "); #else p = getpass(prompt ? prompt : "Password: "); #endif p2 = strdup(p); memset(p, 0, strlen(p)); return p2; } else { if (prompt) break; if ((len = read(0, buf, sizeof(buf) - 1)) < 0) { message("Cannot read password\n"); return 0; } else { if (len && buf[len - 1] == '\n') --len; buf[len] = 0; p2 = strdup(buf); memset(buf, 0, len); return p2; } } case ConvPutInfo: message("Information: %s\n", prompt); return 0; case ConvPutError: message("Error: %s\n", prompt); return 0; } message("Authentication backend requested data type which cannot be handled.\n"); return 0; } static int Reader (void *buf, int count) { int ret, rlen; for (rlen = 0; rlen < count; ) { dord: ret = read (sfd, (void *)((char *)buf + rlen), count - rlen); if (ret < 0) { if (errno == EINTR) goto dord; if (errno == EAGAIN) break; return -1; } if (!ret) break; rlen += ret; } return rlen; } static void GRead (void *buf, int count) { if (Reader (buf, count) != count) { message ("Communication breakdown on read\n"); exit(15); } } static void GWrite (const void *buf, int count) { if (write (sfd, buf, count) != count) { message ("Communication breakdown on write\n"); exit(15); } } static void GSendInt (int val) { GWrite (&val, sizeof(val)); } static void GSendStr (const char *buf) { unsigned len = buf ? strlen (buf) + 1 : 0; GWrite (&len, sizeof(len)); GWrite (buf, len); } static void GSendArr (int len, const char *buf) { GWrite (&len, sizeof(len)); GWrite (buf, len); } static int GRecvInt (void) { int val; GRead (&val, sizeof(val)); return val; } static char * GRecvStr (void) { unsigned len; char *buf; if (!(len = GRecvInt())) return (char *)0; if (len > 0x1000 || !(buf = malloc (len))) { message ("No memory for read buffer\n"); exit(15); } GRead (buf, len); buf[len - 1] = 0; /* we're setuid ... don't trust "them" */ return buf; } static char * GRecvArr (void) { unsigned len; char *arr; if (!(len = (unsigned) GRecvInt())) return (char *)0; if (len > 0x10000 || !(arr = malloc (len))) { message ("No memory for read buffer\n"); exit(15); } GRead (arr, len); return arr; } static char * conv_server (ConvRequest what, const char *prompt) { GSendInt (what); switch (what) { case ConvGetBinary: { unsigned const char *up = (unsigned const char *)prompt; int len = up[3] | (up[2] << 8) | (up[1] << 16) | (up[0] << 24); GSendArr (len, prompt); return GRecvArr (); } case ConvGetNormal: case ConvGetHidden: { char *msg; GSendStr (prompt); msg = GRecvStr (); if (msg && (GRecvInt() & IsPassword) && !*msg) nullpass = 1; return msg; } case ConvPutInfo: case ConvPutError: default: GSendStr (prompt); return 0; } } void message(const char *fmt, ...) { va_list ap; va_start(ap, fmt); vfprintf(stderr, fmt, ap); va_end(ap); } #ifndef O_NOFOLLOW # define O_NOFOLLOW 0 #endif static void ATTR_NORETURN usage(int exitval) { message( "usage: kcheckpass {-h|[-c caller] [-m method] [-U username|-S handle]}\n" " options:\n" " -h this help message\n" " -U username authenticate the specified user instead of current user\n" " -S handle operate in binary server mode on file descriptor handle\n" " -c caller the calling application, effectively the PAM service basename\n" " -m method use the specified authentication method (default: \"classic\")\n" " exit codes:\n" " 0 success\n" " 1 invalid password\n" " 2 cannot read password database\n" " Anything else tells you something's badly hosed.\n" ); exit(exitval); } int main(int argc, char **argv) { #ifdef HAVE_PAM const char *caller = KCHECKPASS_PAM_SERVICE; #endif const char *method = "classic"; const char *username = 0; #ifdef ACCEPT_ENV char *p; #endif struct passwd *pw; int c, nfd, lfd; uid_t uid; time_t nexttime; AuthReturn ret; struct flock lk; char fname[64], fcont[64]; #ifdef HAVE_OSF_C2_PASSWD initialize_osf_security(argc, argv); #endif /* Make sure stdout/stderr are open */ for (c = 1; c <= 2; c++) { if (fcntl(c, F_GETFL) == -1) { if ((nfd = open("/dev/null", O_WRONLY)) < 0) { message("cannot open /dev/null: %s\n", strerror(errno)); exit(10); } if (c != nfd) { dup2(nfd, c); close(nfd); } } } havetty = isatty(0); while ((c = getopt(argc, argv, "hc:m:U:S:")) != -1) { switch (c) { case 'h': usage(0); break; case 'c': #ifdef HAVE_PAM caller = optarg; #endif break; case 'm': method = optarg; break; case 'U': username = optarg; break; case 'S': sfd = atoi(optarg); break; default: message("Command line option parsing error\n"); usage(10); } } #ifdef ACCEPT_ENV # ifdef HAVE_PAM if ((p = getenv("TDE_PAM_ACTION"))) caller = p; # endif if ((p = getenv("TCHECKPASS_USER"))) username = p; #endif uid = getuid(); if (!username) { if (!(p = getenv("LOGNAME")) || !(pw = getpwnam(p)) || pw->pw_uid != uid) if (!(p = getenv("USER")) || !(pw = getpwnam(p)) || pw->pw_uid != uid) if (!(pw = getpwuid(uid))) { message("Cannot determinate current user\n"); return AuthError; } if (!(username = strdup(pw->pw_name))) { message("Out of memory\n"); return AuthError; } } /* * Throttle kcheckpass invocations to avoid abusing it for bruteforcing * the password. This delay belongs to the *previous* invocation, where * we can't enforce it reliably (without risking giving away the result * before it is due). We don't differentiate between success and failure - * it's not expected to have a noticable adverse effect. */ if ( uid != geteuid() ) { sprintf(fname, "/var/run/kcheckpass.%d", uid); if ((lfd = open(fname, O_RDWR | O_CREAT | O_NOFOLLOW, 0600)) < 0) { message("Cannot open lockfile\n"); return AuthError; } lk.l_type = F_WRLCK; lk.l_whence = SEEK_SET; lk.l_start = lk.l_len = 0; if (fcntl(lfd, F_SETLKW, &lk)) { message("Cannot obtain lock\n"); return AuthError; } if ((c = read(lfd, fcont, sizeof(fcont)-1)) > 0 && (fcont[c] = '\0', sscanf(fcont, "%ld", &nexttime) == 1)) { time_t ct = time(0); if (nexttime > ct && nexttime < ct + THROTTLE) sleep(nexttime - ct); } lseek(lfd, 0, SEEK_SET); write(lfd, fcont, sprintf(fcont, "%lu\n", time(0) + THROTTLE)); close(lfd); } /* Now do the fandango */ ret = Authenticate( #ifdef HAVE_PAM caller, #endif method, username, sfd < 0 ? conv_legacy : conv_server); if (ret == AuthBad) { message("Authentication failure\n"); if (!nullpass) { openlog("kcheckpass", LOG_PID, LOG_AUTH); syslog(LOG_NOTICE, "Authentication failure for %s (invoked by uid %d)", username, uid); } } return ret; } void dispose(char *str) { memset(str, 0, strlen(str)); free(str); } /***************************************************************** The real authentication methods are in separate source files. Look in checkpass_*.c *****************************************************************/