pam_unix: Respect passwordtime from login.conf if set.

Rewrap a lot of really short lines in pam_unix.8.

Note that pam_unix(8) does not respect PAM_CHANGE_EXPIRED_AUTHTOK.

Obtained-from:  FreeBSD
commit fcb45d59ca171ba5028f7af87d9870b78128e2bc 1 parent 09e61f6
authored December 24, 2011
119  lib/pam_module/pam_unix/pam_unix.8
@@ -32,10 +32,9 @@
32 32
 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
33 33
 .\" SUCH DAMAGE.
34 34
 .\"
35  
-.\" $FreeBSD: src/lib/libpam/modules/pam_unix/pam_unix.8,v 1.13 2007/03/27 09:59:15 yar Exp $
36  
-.\" $DragonFly: src/lib/pam_module/pam_unix/pam_unix.8,v 1.1 2005/08/01 16:15:19 joerg Exp $
  35
+.\" $FreeBSD: src/lib/libpam/modules/pam_unix/pam_unix.8,v 1.17 2011/11/02 23:40:21 des Exp $
37 36
 .\"
38  
-.Dd March 27, 2007
  37
+.Dd June 20, 2009
39 38
 .Dt PAM_UNIX 8
40 39
 .Os
41 40
 .Sh NAME
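Review bot: the `.Dd` line moves to "June 20, 2009", which predates both the imported FreeBSD revision (`1.17 2011/11/02`) and this commit; since this change adds new text (the nullok NOTE and a BUGS section), the page date should reflect the date of this edit rather than the older upstream date. Dropping the `$DragonFly:` keyword line in favour of the single `$FreeBSD:` id is fine as long as that is the convention used for other files imported from FreeBSD in this tree.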
@@ -53,8 +52,7 @@ The
53 52
 authentication service module for PAM,
54 53
 .Nm
55 54
 provides functionality for three PAM categories:
56  
-authentication,
57  
-account management, and password management.
  55
+authentication, account management, and password management.
58 56
 In terms of the
59 57
 .Ar module-type
60 58
 parameter, they are the
@@ -67,14 +65,13 @@ It also provides a null function for session management.
67 65
 .Ss Ux Ss Authentication Module
68 66
 The
69 67
 .Ux
70  
-authentication component
71  
-provides functions to verify the identity of a user
  68
+authentication component provides functions to verify the identity of
  69
+a user
72 70
 .Pq Fn pam_sm_authenticate ,
73 71
 which obtains the relevant
74 72
 .Xr passwd 5
75 73
 entry.
76  
-It prompts the user for a password
77  
-and verifies that this is correct with
  74
+It prompts the user for a password and verifies that this is correct with
78 75
 .Xr crypt 3 .
79 76
 .Pp
80 77
 The following options may be passed to the authentication module:
@@ -85,66 +82,57 @@ debugging information at
85 82
 .Dv LOG_DEBUG
86 83
 level.
87 84
 .It Cm use_first_pass
88  
-If the authentication module
89  
-is not the first in the stack,
90  
-and a previous module
91  
-obtained the user's password,
92  
-that password is used
93  
-to authenticate the user.
94  
-If this fails,
95  
-the authentication module returns failure
96  
-without prompting the user for a password.
97  
-This option has no effect
98  
-if the authentication module
99  
-is the first in the stack,
100  
-or if no previous modules
101  
-obtained the user's password.
  85
+If the authentication module is not the first in the stack, and a
  86
+previous module obtained the user's password, that password is used to
  87
+authenticate the user.
  88
+If this fails, the authentication module returns failure without
  89
+prompting the user for a password.
  90
+This option has no effect if the authentication module is the first in
  91
+the stack, or if no previous modules obtained the user's password.
102 92
 .It Cm try_first_pass
103 93
 This option is similar to the
104 94
 .Cm use_first_pass
105  
-option,
106  
-except that if the previously obtained password fails,
107  
-the user is prompted for another password.
  95
+option, except that if the previously obtained password fails, the
  96
+user is prompted for another password.
108 97
 .It Cm auth_as_self
109  
-This option will require the user
110  
-to authenticate himself as the user
111  
-given by
112  
-.Xr getlogin 2 ,
113  
-not as the account they are attempting to access.
  98
+This option will require the user to authenticate themselves as
  99
+themselves, not as the account they are attempting to access.
114 100
 This is primarily for services like
115 101
 .Xr su 1 ,
116  
-where the user's ability to retype
117  
-their own password
118  
-might be deemed sufficient.
  102
+where the user's ability to retype their own password might be deemed
  103
+sufficient.
119 104
 .It Cm nullok
120  
-If the password database
121  
-has no password
122  
-for the entity being authenticated,
123  
-then this option
124  
-will forgo password prompting,
125  
-and silently allow authentication to succeed.
  105
+If the password database has no password for the entity being
  106
+authenticated, then this option will forgo password prompting, and
  107
+silently allow authentication to succeed.
  108
+.Pp
  109
+.Sy NOTE:
  110
+If
  111
+.Nm
  112
+is invoked by a process that does not have the privileges required to
  113
+access the password database (in most cases, this means root
  114
+privileges), the
  115
+.Cm nullok
  116
+option may cause
  117
+.Nm
  118
+to allow any user to log in with any password.
126 119
 .It Cm local_pass
127  
-Use only the local password database,
128  
-even if NIS is in use.
129  
-This will cause an authentication failure
130  
-if the system is configured
  120
+Use only the local password database, even if NIS is in use.
  121
+This will cause an authentication failure if the system is configured
131 122
 to only use NIS.
132 123
 .It Cm nis_pass
133 124
 Use only the NIS password database.
134  
-This will cause an authentication failure
135  
-if the system is not configured
136  
-to use NIS.
  125
+This will cause an authentication failure if the system is not
  126
+configured to use NIS.
137 127
 .El
138 128
 .Ss Ux Ss Account Management Module
139 129
 The
140 130
 .Ux
141  
-account management component
142  
-provides a function to perform account management,
  131
+account management component provides a function to perform account
  132
+management,
143 133
 .Fn pam_sm_acct_mgmt .
144  
-The function verifies
145  
-that the authenticated user
146  
-is allowed to log into the local user account
147  
-by checking the following criteria:
  134
+The function verifies that the authenticated user is allowed to log
  135
+into the local user account by checking the following criteria:
148 136
 .Bl -dash -offset indent
149 137
 .It
150 138
 locked status of the account compatible with
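Review bot: the rewritten `auth_as_self` entry ("authenticate themselves as themselves") drops the reference to `.Xr getlogin 2` that the removed lines carried, so the page no longer says how the "self" identity is determined; suggest keeping "as the user given by .Xr getlogin 2 , not as the account they are attempting to access." The new `.Sy NOTE:` under `nullok` is the security-relevant part of this hunk and is worth keeping prominent: it states that when the module runs without the privileges needed to read the password database, `nullok` can let any user authenticate with any password, which means the option must only be enabled for services that are known to run with those privileges. It would help the reader to say plainly that `nullok` should be omitted from the configuration of unprivileged services.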
@@ -169,8 +157,8 @@ level.
169 157
 .Ss Ux Ss Password Management Module
170 158
 The
171 159
 .Ux
172  
-password management component
173  
-provides a function to perform password management,
  160
+password management component provides a function to perform password
  161
+management,
174 162
 .Fn pam_sm_chauthtok .
175 163
 The function changes
176 164
 the user's password.
@@ -184,17 +172,14 @@ debugging information at
184 172
 level.
185 173
 .It Cm no_warn
186 174
 suppress warning messages to the user.
187  
-These messages include
188  
-reasons why the user's
189  
-authentication attempt was declined.
  175
+These messages include reasons why the user's authentication attempt
  176
+was declined.
190 177
 .It Cm local_pass
191  
-forces the password module
192  
-to change a local password
193  
-in favour of a NIS one.
  178
+forces the password module to change a local password in favour of a
  179
+NIS one.
194 180
 .It Cm nis_pass
195  
-forces the password module
196  
-to change a NIS password
197  
-in favour of a local one.
  181
+forces the password module to change a NIS password in favour of a
  182
+local one.
198 183
 .El
199 184
 .Sh FILES
200 185
 .Bl -tag -width ".Pa /etc/master.passwd" -compact
@@ -214,3 +199,9 @@ password database.
214 199
 .Xr pam 8 ,
215 200
 .Xr pw 8 ,
216 201
 .Xr yp 8
  202
+.Sh BUGS
  203
+The
  204
+.Nm
  205
+module ignores the
  206
+.Dv PAM_CHANGE_EXPIRED_AUTHTOK
  207
+flag.
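Review bot: the new BUGS entry says the `PAM_CHANGE_EXPIRED_AUTHTOK` flag is ignored but not what that means for a caller; since that flag asks a module to change the token only when it has expired, ignoring it means `pam_sm_chauthtok` proceeds with a password change regardless of expiry. Suggest adding one sentence to that effect so administrators stacking this module after an expiry check understand the behaviour.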
17  lib/pam_module/pam_unix/pam_unix.c
@@ -33,8 +33,7 @@
33 33
  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
34 34
  * SUCH DAMAGE.
35 35
  *
36  
- * $FreeBSD: src/lib/libpam/modules/pam_unix/pam_unix.c,v 1.53 2007/12/21 12:00:16 des Exp $
37  
- * $DragonFly: src/lib/pam_module/pam_unix/pam_unix.c,v 1.1 2005/08/01 16:15:19 joerg Exp $
  36
+ * $FreeBSD: src/lib/libpam/modules/pam_unix/pam_unix.c,v 1.56 2011/11/05 10:00:29 ed Exp $
38 37
  */
39 38
 
40 39
 #include <sys/param.h>
@@ -50,6 +49,7 @@
50 49
 #include <string.h>
51 50
 #include <stdio.h>
52 51
 #include <syslog.h>
  52
+#include <time.h>
53 53
 #include <unistd.h>
54 54
 
55 55
 #include <libutil.h>
@@ -80,8 +80,6 @@ static char password_hash[] =		PASSWORD_HASH;
80 80
 #define PAM_OPT_LOCAL_PASS	"local_pass"
81 81
 #define PAM_OPT_NIS_PASS	"nis_pass"
82 82
 
83  
-char *tempname = NULL;
84  
-
85 83
 /*
86 84
  * authentication management
87 85
  */
@@ -271,10 +269,11 @@ pam_sm_chauthtok(pam_handle_t *pamh, int flags,
271 269
 	const void *yp_domain, *yp_server;
272 270
 #endif
273 271
 	char salt[SALTSIZE + 1];
274  
-	login_cap_t * lc;
  272
+	login_cap_t *lc;
275 273
 	struct passwd *pwd, *old_pwd;
276 274
 	const char *user, *old_pass, *new_pass;
277 275
 	char *encrypted;
  276
+	time_t passwordtime;
278 277
 	int pfd, tfd, retval;
279 278
 
280 279
 	if (openpam_get_option(pamh, PAM_OPT_AUTH_AS_SELF))
@@ -377,11 +376,17 @@ pam_sm_chauthtok(pam_handle_t *pamh, int flags,
377 376
 		if ((old_pwd = pw_dup(pwd)) == NULL)
378 377
 			return (PAM_BUF_ERR);
379 378
 
380  
-		pwd->pw_change = 0;
381 379
 		lc = login_getclass(pwd->pw_class);
382 380
 		if (login_setcryptfmt(lc, password_hash, NULL) == NULL)
383 381
 			openpam_log(PAM_LOG_ERROR,
384 382
 			    "can't set password cipher, relying on default");
  383
+
  384
+		/* set password expiry date */
  385
+		pwd->pw_change = 0;
  386
+		passwordtime = login_getcaptime(lc, "passwordtime", 0, 0);
  387
+		if (passwordtime > 0)
  388
+			pwd->pw_change = time(NULL) + passwordtime;
  389
+
385 390
 		login_close(lc);
386 391
 		makesalt(salt);
387 392
 		pwd->pw_passwd = crypt(new_pass, salt);
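Review bot: `login_getcaptime(lc, "passwordtime", 0, 0)` passes 0 as both the default and the error value, so a malformed `passwordtime` entry in login.conf is indistinguishable from an unset one and silently results in no expiry (`pwd->pw_change` stays 0). Suggest using a distinct error value (for example `-1`) and logging via `openpam_log(PAM_LOG_ERROR, ...)` when it is returned, so a configuration mistake fails visibly instead of quietly disabling password ageing. Two smaller points: the function returns `rlim_t` while `passwordtime` is `time_t`, so the conversion deserves a comment or an explicit cast; and with `login_close(lc)` following immediately, moving the expiry computation after `login_setcryptfmt` (as done here) is correct, since `lc` is still open at that point.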
