* src/login.c: Re-indent.
parent
1e3f19ad89
commit
54a0762bbb
@ -2,6 +2,7 @@
|
|||||||
|
|
||||||
* src/login.c: Add missing closing }. This was probably never
|
* src/login.c: Add missing closing }. This was probably never
|
||||||
noticed because UT_ADDR is never defined.
|
noticed because UT_ADDR is never defined.
|
||||||
|
* src/login.c: Re-indent.
|
||||||
|
|
||||||
2008-09-20 Nicolas François <nicolas.francois@centraliens.net>
|
2008-09-20 Nicolas François <nicolas.francois@centraliens.net>
|
||||||
|
|
||||||
|
622
src/login.c
622
src/login.c
@ -487,357 +487,349 @@ int main (int argc, char **argv)
|
|||||||
}
|
}
|
||||||
#endif
|
#endif
|
||||||
#ifdef UT_HOST
|
#ifdef UT_HOST
|
||||||
strncpy (utent.ut_host, hostname,
|
strncpy (utent.ut_host, hostname, sizeof (utent.ut_host));
|
||||||
sizeof (utent.ut_host));
|
|
||||||
#endif
|
#endif
|
||||||
#if HAVE_UTMPX_H
|
#if HAVE_UTMPX_H
|
||||||
strncpy (utxent.ut_host, hostname,
|
strncpy (utxent.ut_host, hostname, sizeof (utxent.ut_host));
|
||||||
sizeof (utxent.ut_host));
|
|
||||||
#endif
|
#endif
|
||||||
/*
|
|
||||||
* Add remote hostname to the environment. I think
|
|
||||||
* (not sure) I saw it once on Irix. --marekm
|
|
||||||
*/
|
|
||||||
addenv ("REMOTEHOST", hostname);
|
|
||||||
}
|
|
||||||
#ifdef __linux__
|
|
||||||
/*
|
/*
|
||||||
* workaround for init/getty leaving junk in ut_host at least in
|
* Add remote hostname to the environment. I think
|
||||||
* some version of RedHat. --marekm
|
* (not sure) I saw it once on Irix. --marekm
|
||||||
*/
|
*/
|
||||||
else if (amroot) {
|
addenv ("REMOTEHOST", hostname);
|
||||||
memzero (utent.ut_host, sizeof utent.ut_host);
|
}
|
||||||
}
|
#ifdef __linux__
|
||||||
|
/*
|
||||||
|
* workaround for init/getty leaving junk in ut_host at least in
|
||||||
|
* some version of RedHat. --marekm
|
||||||
|
*/
|
||||||
|
else if (amroot) {
|
||||||
|
memzero (utent.ut_host, sizeof utent.ut_host);
|
||||||
|
}
|
||||||
#endif
|
#endif
|
||||||
if (fflg) {
|
if (fflg) {
|
||||||
preauth_flag = true;
|
preauth_flag = true;
|
||||||
}
|
}
|
||||||
if (hflg) {
|
if (hflg) {
|
||||||
reason = PW_RLOGIN;
|
reason = PW_RLOGIN;
|
||||||
}
|
}
|
||||||
#ifdef RLOGIN
|
#ifdef RLOGIN
|
||||||
if ( rflg
|
if ( rflg
|
||||||
&& do_rlogin (hostname, username, sizeof username,
|
&& do_rlogin (hostname, username, sizeof username,
|
||||||
term, sizeof term)) {
|
term, sizeof term)) {
|
||||||
preauth_flag = true;
|
preauth_flag = true;
|
||||||
}
|
}
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
OPENLOG ("login");
|
OPENLOG ("login");
|
||||||
|
|
||||||
setup_tty ();
|
setup_tty ();
|
||||||
|
|
||||||
#ifndef USE_PAM
|
#ifndef USE_PAM
|
||||||
umask (getdef_num ("UMASK", GETDEF_DEFAULT_UMASK));
|
umask (getdef_num ("UMASK", GETDEF_DEFAULT_UMASK));
|
||||||
|
|
||||||
{
|
{
|
||||||
/*
|
/*
|
||||||
* Use the ULIMIT in the login.defs file, and if
|
* Use the ULIMIT in the login.defs file, and if
|
||||||
* there isn't one, use the default value. The
|
* there isn't one, use the default value. The
|
||||||
* user may have one for themselves, but otherwise,
|
* user may have one for themselves, but otherwise,
|
||||||
* just take what you get.
|
* just take what you get.
|
||||||
*/
|
*/
|
||||||
long limit = getdef_long ("ULIMIT", -1L);
|
long limit = getdef_long ("ULIMIT", -1L);
|
||||||
|
|
||||||
if (limit != -1) {
|
if (limit != -1) {
|
||||||
set_filesize_limit (limit);
|
set_filesize_limit (limit);
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
}
|
||||||
|
|
||||||
#endif
|
#endif
|
||||||
/*
|
/*
|
||||||
* The entire environment will be preserved if the -p flag
|
* The entire environment will be preserved if the -p flag
|
||||||
* is used.
|
* is used.
|
||||||
*/
|
*/
|
||||||
if (pflg) {
|
if (pflg) {
|
||||||
while (NULL != *envp) { /* add inherited environment, */
|
while (NULL != *envp) { /* add inherited environment, */
|
||||||
addenv (*envp, NULL); /* some variables change later */
|
addenv (*envp, NULL); /* some variables change later */
|
||||||
envp++;
|
envp++;
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
}
|
||||||
|
|
||||||
#ifdef RLOGIN
|
#ifdef RLOGIN
|
||||||
if (term[0] != '\0') {
|
if (term[0] != '\0') {
|
||||||
addenv ("TERM", term);
|
addenv ("TERM", term);
|
||||||
|
} else
|
||||||
|
#endif
|
||||||
|
{
|
||||||
|
/* preserve TERM from getty */
|
||||||
|
if (!pflg) {
|
||||||
|
tmp = getenv ("TERM");
|
||||||
|
if (NULL != tmp) {
|
||||||
|
addenv ("TERM", tmp);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
init_env ();
|
||||||
|
|
||||||
|
if (optind < argc) { /* get the user name */
|
||||||
|
if (rflg || (fflg && ('\0' != username[0]))) {
|
||||||
|
usage ();
|
||||||
|
}
|
||||||
|
|
||||||
|
STRFCPY (username, argv[optind]);
|
||||||
|
strzero (argv[optind]);
|
||||||
|
++optind;
|
||||||
|
}
|
||||||
|
if (optind < argc) { /* now set command line variables */
|
||||||
|
set_env (argc - optind, &argv[optind]);
|
||||||
|
}
|
||||||
|
|
||||||
|
if (rflg || hflg) {
|
||||||
|
cp = hostname;
|
||||||
|
} else {
|
||||||
|
/* FIXME: What is the priority:
|
||||||
|
* UT_HOST or HAVE_UTMPX_H? */
|
||||||
|
#ifdef UT_HOST
|
||||||
|
if ('\0' != utent.ut_host[0]) {
|
||||||
|
cp = utent.ut_host;
|
||||||
|
} else
|
||||||
|
#endif
|
||||||
|
#if HAVE_UTMPX_H
|
||||||
|
if ('\0' != utxent.ut_host[0]) {
|
||||||
|
cp = utxent.ut_host;
|
||||||
} else
|
} else
|
||||||
#endif
|
#endif
|
||||||
{
|
{
|
||||||
/* preserve TERM from getty */
|
cp = "";
|
||||||
if (!pflg) {
|
|
||||||
tmp = getenv ("TERM");
|
|
||||||
if (NULL != tmp) {
|
|
||||||
addenv ("TERM", tmp);
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
}
|
||||||
|
|
||||||
init_env ();
|
if ('\0' != *cp) {
|
||||||
|
snprintf (fromhost, sizeof fromhost,
|
||||||
|
" on '%.100s' from '%.200s'", tty, cp);
|
||||||
|
} else {
|
||||||
|
snprintf (fromhost, sizeof fromhost,
|
||||||
|
" on '%.100s'", tty);
|
||||||
|
}
|
||||||
|
|
||||||
if (optind < argc) { /* get the user name */
|
top:
|
||||||
if (rflg || (fflg && ('\0' != username[0]))) {
|
/* only allow ALARM sec. for login */
|
||||||
usage ();
|
(void) signal (SIGALRM, alarm_handler);
|
||||||
}
|
timeout = getdef_num ("LOGIN_TIMEOUT", ALARM);
|
||||||
|
if (timeout > 0) {
|
||||||
|
alarm (timeout);
|
||||||
|
}
|
||||||
|
|
||||||
STRFCPY (username, argv[optind]);
|
environ = newenvp; /* make new environment active */
|
||||||
strzero (argv[optind]);
|
delay = getdef_num ("FAIL_DELAY", 1);
|
||||||
++optind;
|
retries = getdef_num ("LOGIN_RETRIES", RETRIES);
|
||||||
}
|
|
||||||
if (optind < argc) { /* now set command line variables */
|
|
||||||
set_env (argc - optind, &argv[optind]);
|
|
||||||
}
|
|
||||||
|
|
||||||
if (rflg || hflg) {
|
|
||||||
cp = hostname;
|
|
||||||
} else {
|
|
||||||
/* FIXME: What is the priority:
|
|
||||||
* UT_HOST or HAVE_UTMPX_H? */
|
|
||||||
#ifdef UT_HOST
|
|
||||||
if ('\0' != utent.ut_host[0]) {
|
|
||||||
cp = utent.ut_host;
|
|
||||||
} else
|
|
||||||
#endif
|
|
||||||
#if HAVE_UTMPX_H
|
|
||||||
if ('\0' != utxent.ut_host[0]) {
|
|
||||||
cp = utxent.ut_host;
|
|
||||||
} else
|
|
||||||
#endif
|
|
||||||
{
|
|
||||||
cp = "";
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
if ('\0' != *cp) {
|
|
||||||
snprintf (fromhost, sizeof fromhost,
|
|
||||||
" on '%.100s' from '%.200s'", tty, cp);
|
|
||||||
} else {
|
|
||||||
snprintf (fromhost, sizeof fromhost,
|
|
||||||
" on '%.100s'", tty);
|
|
||||||
}
|
|
||||||
|
|
||||||
top:
|
|
||||||
/* only allow ALARM sec. for login */
|
|
||||||
(void) signal (SIGALRM, alarm_handler);
|
|
||||||
timeout = getdef_num ("LOGIN_TIMEOUT", ALARM);
|
|
||||||
if (timeout > 0) {
|
|
||||||
alarm (timeout);
|
|
||||||
}
|
|
||||||
|
|
||||||
environ = newenvp; /* make new environment active */
|
|
||||||
delay = getdef_num ("FAIL_DELAY", 1);
|
|
||||||
retries = getdef_num ("LOGIN_RETRIES", RETRIES);
|
|
||||||
|
|
||||||
#ifdef USE_PAM
|
#ifdef USE_PAM
|
||||||
retcode = pam_start ("login", username, &conv, &pamh);
|
retcode = pam_start ("login", username, &conv, &pamh);
|
||||||
if (retcode != PAM_SUCCESS) {
|
if (retcode != PAM_SUCCESS) {
|
||||||
fprintf (stderr,
|
fprintf (stderr,
|
||||||
_("login: PAM Failure, aborting: %s\n"),
|
_("login: PAM Failure, aborting: %s\n"),
|
||||||
pam_strerror (pamh, retcode));
|
pam_strerror (pamh, retcode));
|
||||||
SYSLOG ((LOG_ERR, "Couldn't initialize PAM: %s",
|
SYSLOG ((LOG_ERR, "Couldn't initialize PAM: %s",
|
||||||
pam_strerror (pamh, retcode)));
|
pam_strerror (pamh, retcode)));
|
||||||
exit (99);
|
exit (99);
|
||||||
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
* hostname & tty are either set to NULL or their correct values,
|
||||||
|
* depending on how much we know. We also set PAM's fail delay to
|
||||||
|
* ours.
|
||||||
|
*/
|
||||||
|
retcode = pam_set_item (pamh, PAM_RHOST, hostname);
|
||||||
|
PAM_FAIL_CHECK;
|
||||||
|
retcode = pam_set_item (pamh, PAM_TTY, tty);
|
||||||
|
PAM_FAIL_CHECK;
|
||||||
|
#ifdef HAS_PAM_FAIL_DELAY
|
||||||
|
retcode = pam_fail_delay (pamh, 1000000 * delay);
|
||||||
|
PAM_FAIL_CHECK;
|
||||||
|
#endif
|
||||||
|
/* if fflg, then the user has already been authenticated */
|
||||||
|
if (!fflg || (getuid () != 0)) {
|
||||||
|
int failcount = 0;
|
||||||
|
char hostn[256];
|
||||||
|
char loginprompt[256]; /* That's one hell of a prompt :) */
|
||||||
|
|
||||||
|
/* Make the login prompt look like we want it */
|
||||||
|
if (gethostname (hostn, sizeof (hostn)) == 0) {
|
||||||
|
snprintf (loginprompt,
|
||||||
|
sizeof (loginprompt),
|
||||||
|
_("%s login: "), hostn);
|
||||||
|
} else {
|
||||||
|
snprintf (loginprompt,
|
||||||
|
sizeof (loginprompt), _("login: "));
|
||||||
|
}
|
||||||
|
|
||||||
|
retcode = pam_set_item (pamh, PAM_USER_PROMPT, loginprompt);
|
||||||
|
PAM_FAIL_CHECK;
|
||||||
|
|
||||||
|
/* if we didn't get a user on the command line,
|
||||||
|
set it to NULL */
|
||||||
|
pam_get_item (pamh, PAM_USER, (const void **)ptr_pam_user);
|
||||||
|
if (pam_user[0] == '\0') {
|
||||||
|
pam_set_item (pamh, PAM_USER, NULL);
|
||||||
}
|
}
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* hostname & tty are either set to NULL or their correct values,
|
* There may be better ways to deal with some of
|
||||||
* depending on how much we know. We also set PAM's fail delay to
|
* these conditions, but at least this way I don't
|
||||||
* ours.
|
* think we'll be giving away information. Perhaps
|
||||||
|
* someday we can trust that all PAM modules will
|
||||||
|
* pay attention to failure count and get rid of
|
||||||
|
* MAX_LOGIN_TRIES?
|
||||||
*/
|
*/
|
||||||
retcode = pam_set_item (pamh, PAM_RHOST, hostname);
|
failcount = 0;
|
||||||
PAM_FAIL_CHECK;
|
while (true) {
|
||||||
retcode = pam_set_item (pamh, PAM_TTY, tty);
|
const char *failent_user;
|
||||||
PAM_FAIL_CHECK;
|
failed = false;
|
||||||
|
|
||||||
|
failcount++;
|
||||||
#ifdef HAS_PAM_FAIL_DELAY
|
#ifdef HAS_PAM_FAIL_DELAY
|
||||||
retcode = pam_fail_delay (pamh, 1000000 * delay);
|
if (delay > 0) {
|
||||||
PAM_FAIL_CHECK;
|
retcode = pam_fail_delay(pamh, 1000000*delay);
|
||||||
#endif
|
|
||||||
/* if fflg, then the user has already been authenticated */
|
|
||||||
if (!fflg || (getuid () != 0)) {
|
|
||||||
int failcount = 0;
|
|
||||||
char hostn[256];
|
|
||||||
char loginprompt[256]; /* That's one hell of a prompt :) */
|
|
||||||
|
|
||||||
/* Make the login prompt look like we want it */
|
|
||||||
if (gethostname (hostn, sizeof (hostn)) == 0) {
|
|
||||||
snprintf (loginprompt,
|
|
||||||
sizeof (loginprompt),
|
|
||||||
_("%s login: "), hostn);
|
|
||||||
} else {
|
|
||||||
snprintf (loginprompt,
|
|
||||||
sizeof (loginprompt), _("login: "));
|
|
||||||
}
|
}
|
||||||
|
#endif
|
||||||
|
|
||||||
retcode =
|
retcode = pam_authenticate (pamh, 0);
|
||||||
pam_set_item (pamh, PAM_USER_PROMPT, loginprompt);
|
|
||||||
PAM_FAIL_CHECK;
|
|
||||||
|
|
||||||
/* if we didn't get a user on the command line,
|
|
||||||
set it to NULL */
|
|
||||||
pam_get_item (pamh, PAM_USER,
|
pam_get_item (pamh, PAM_USER,
|
||||||
(const void **)ptr_pam_user);
|
(const void **) ptr_pam_user);
|
||||||
if (pam_user[0] == '\0') {
|
|
||||||
pam_set_item (pamh, PAM_USER, NULL);
|
if ((NULL != pam_user) && ('\0' != pam_user[0])) {
|
||||||
|
pwd = xgetpwnam(pam_user);
|
||||||
|
if (NULL != pwd) {
|
||||||
|
pwent = *pwd;
|
||||||
|
failent_user = pwent.pw_name;
|
||||||
|
} else {
|
||||||
|
if ( getdef_bool("LOG_UNKFAIL_ENAB")
|
||||||
|
&& (NULL != pam_user)) {
|
||||||
|
failent_user = pam_user;
|
||||||
|
} else {
|
||||||
|
failent_user = "UNKNOWN";
|
||||||
|
}
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
pwd = NULL;
|
||||||
|
failent_user = "UNKNOWN";
|
||||||
}
|
}
|
||||||
|
|
||||||
/*
|
if (retcode == PAM_MAXTRIES || failcount >= retries) {
|
||||||
* There may be better ways to deal with some of
|
SYSLOG ((LOG_NOTICE,
|
||||||
* these conditions, but at least this way I don't
|
"TOO MANY LOGIN TRIES (%d)%s FOR '%s'",
|
||||||
* think we'll be giving away information. Perhaps
|
failcount, fromhost, failent_user));
|
||||||
* someday we can trust that all PAM modules will
|
fprintf(stderr,
|
||||||
* pay attention to failure count and get rid of
|
_("Maximum number of tries exceeded (%d)\n"),
|
||||||
* MAX_LOGIN_TRIES?
|
failcount);
|
||||||
*/
|
PAM_END;
|
||||||
failcount = 0;
|
exit(0);
|
||||||
while (true) {
|
} else if (retcode == PAM_ABORT) {
|
||||||
const char *failent_user;
|
/* Serious problems, quit now */
|
||||||
failed = false;
|
fputs (_("login: abort requested by PAM\n"),stderr);
|
||||||
|
SYSLOG ((LOG_ERR,"PAM_ABORT returned from pam_authenticate()"));
|
||||||
|
PAM_END;
|
||||||
|
exit(99);
|
||||||
|
} else if (retcode != PAM_SUCCESS) {
|
||||||
|
SYSLOG ((LOG_NOTICE,"FAILED LOGIN (%d)%s FOR '%s', %s",
|
||||||
|
failcount, fromhost, failent_user,
|
||||||
|
pam_strerror (pamh, retcode)));
|
||||||
|
failed = true;
|
||||||
|
}
|
||||||
|
|
||||||
failcount++;
|
if (!failed) {
|
||||||
#ifdef HAS_PAM_FAIL_DELAY
|
break;
|
||||||
if (delay > 0) {
|
}
|
||||||
retcode = pam_fail_delay(pamh, 1000000*delay);
|
|
||||||
}
|
|
||||||
#endif
|
|
||||||
|
|
||||||
retcode = pam_authenticate (pamh, 0);
|
|
||||||
|
|
||||||
pam_get_item (pamh, PAM_USER,
|
|
||||||
(const void **) ptr_pam_user);
|
|
||||||
|
|
||||||
if ((NULL != pam_user) && ('\0' != pam_user[0])) {
|
|
||||||
pwd = xgetpwnam(pam_user);
|
|
||||||
if (NULL != pwd) {
|
|
||||||
pwent = *pwd;
|
|
||||||
failent_user = pwent.pw_name;
|
|
||||||
} else {
|
|
||||||
if ( getdef_bool("LOG_UNKFAIL_ENAB")
|
|
||||||
&& (NULL != pam_user)) {
|
|
||||||
failent_user = pam_user;
|
|
||||||
} else {
|
|
||||||
failent_user = "UNKNOWN";
|
|
||||||
}
|
|
||||||
}
|
|
||||||
} else {
|
|
||||||
pwd = NULL;
|
|
||||||
failent_user = "UNKNOWN";
|
|
||||||
}
|
|
||||||
|
|
||||||
if (retcode == PAM_MAXTRIES || failcount >= retries) {
|
|
||||||
SYSLOG ((LOG_NOTICE,
|
|
||||||
"TOO MANY LOGIN TRIES (%d)%s FOR '%s'",
|
|
||||||
failcount, fromhost, failent_user));
|
|
||||||
fprintf(stderr,
|
|
||||||
_("Maximum number of tries exceeded (%d)\n"),
|
|
||||||
failcount);
|
|
||||||
PAM_END;
|
|
||||||
exit(0);
|
|
||||||
} else if (retcode == PAM_ABORT) {
|
|
||||||
/* Serious problems, quit now */
|
|
||||||
fputs (_("login: abort requested by PAM\n"),stderr);
|
|
||||||
SYSLOG ((LOG_ERR,"PAM_ABORT returned from pam_authenticate()"));
|
|
||||||
PAM_END;
|
|
||||||
exit(99);
|
|
||||||
} else if (retcode != PAM_SUCCESS) {
|
|
||||||
SYSLOG ((LOG_NOTICE,"FAILED LOGIN (%d)%s FOR '%s', %s",
|
|
||||||
failcount, fromhost, failent_user,
|
|
||||||
pam_strerror (pamh, retcode)));
|
|
||||||
failed = true;
|
|
||||||
}
|
|
||||||
|
|
||||||
if (!failed) {
|
|
||||||
break;
|
|
||||||
}
|
|
||||||
|
|
||||||
#ifdef WITH_AUDIT
|
#ifdef WITH_AUDIT
|
||||||
audit_fd = audit_open ();
|
audit_fd = audit_open ();
|
||||||
audit_log_acct_message (audit_fd,
|
audit_log_acct_message (audit_fd,
|
||||||
AUDIT_USER_LOGIN,
|
AUDIT_USER_LOGIN,
|
||||||
NULL, /* Prog. name */
|
NULL, /* Prog. name */
|
||||||
"login",
|
"login",
|
||||||
failent_user,
|
failent_user,
|
||||||
AUDIT_NO_ID,
|
AUDIT_NO_ID,
|
||||||
hostname,
|
hostname,
|
||||||
NULL, /* addr */
|
NULL, /* addr */
|
||||||
tty,
|
tty,
|
||||||
0); /* result */
|
0); /* result */
|
||||||
close (audit_fd);
|
close (audit_fd);
|
||||||
#endif /* WITH_AUDIT */
|
#endif /* WITH_AUDIT */
|
||||||
|
|
||||||
fprintf (stderr, "\nLogin incorrect\n");
|
fprintf (stderr, "\nLogin incorrect\n");
|
||||||
|
|
||||||
/* Let's give it another go around */
|
/* Let's give it another go around */
|
||||||
pam_set_item (pamh, PAM_USER, NULL);
|
pam_set_item (pamh, PAM_USER, NULL);
|
||||||
}
|
|
||||||
|
|
||||||
/* We don't get here unless they were authenticated above */
|
|
||||||
alarm (0);
|
|
||||||
retcode = pam_acct_mgmt (pamh, 0);
|
|
||||||
|
|
||||||
if (retcode == PAM_NEW_AUTHTOK_REQD) {
|
|
||||||
retcode =
|
|
||||||
pam_chauthtok (pamh,
|
|
||||||
PAM_CHANGE_EXPIRED_AUTHTOK);
|
|
||||||
}
|
|
||||||
|
|
||||||
PAM_FAIL_CHECK;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
/* Grab the user information out of the password file for future usage
|
/* We don't get here unless they were authenticated above */
|
||||||
First get the username that we are actually using, though.
|
alarm (0);
|
||||||
*/
|
retcode = pam_acct_mgmt (pamh, 0);
|
||||||
retcode =
|
|
||||||
pam_get_item (pamh, PAM_USER, (const void **)ptr_pam_user);
|
if (retcode == PAM_NEW_AUTHTOK_REQD) {
|
||||||
pwd = xgetpwnam (pam_user);
|
retcode = pam_chauthtok (pamh, PAM_CHANGE_EXPIRED_AUTHTOK);
|
||||||
if (NULL == pwd) {
|
|
||||||
SYSLOG ((LOG_ERR, "xgetpwnam(%s) failed",
|
|
||||||
getdef_bool ("LOG_UNKFAIL_ENAB") ?
|
|
||||||
pam_user : "UNKNOWN"));
|
|
||||||
exit (1);
|
|
||||||
}
|
}
|
||||||
|
|
||||||
if (fflg) {
|
PAM_FAIL_CHECK;
|
||||||
retcode = pam_acct_mgmt (pamh, 0);
|
}
|
||||||
PAM_FAIL_CHECK;
|
|
||||||
}
|
|
||||||
|
|
||||||
if (setup_groups (pwd) != 0) {
|
/* Grab the user information out of the password file for future usage
|
||||||
exit (1);
|
First get the username that we are actually using, though.
|
||||||
}
|
*/
|
||||||
|
retcode = pam_get_item (pamh, PAM_USER, (const void **)ptr_pam_user);
|
||||||
|
pwd = xgetpwnam (pam_user);
|
||||||
|
if (NULL == pwd) {
|
||||||
|
SYSLOG ((LOG_ERR, "xgetpwnam(%s) failed",
|
||||||
|
getdef_bool ("LOG_UNKFAIL_ENAB") ?
|
||||||
|
pam_user : "UNKNOWN"));
|
||||||
|
exit (1);
|
||||||
|
}
|
||||||
|
|
||||||
|
if (fflg) {
|
||||||
|
retcode = pam_acct_mgmt (pamh, 0);
|
||||||
|
PAM_FAIL_CHECK;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (setup_groups (pwd) != 0) {
|
||||||
|
exit (1);
|
||||||
|
}
|
||||||
|
|
||||||
|
pwent = *pwd;
|
||||||
|
|
||||||
|
retcode = pam_setcred (pamh, PAM_ESTABLISH_CRED);
|
||||||
|
PAM_FAIL_CHECK;
|
||||||
|
|
||||||
|
retcode = pam_open_session (pamh, hushed (&pwent) ? PAM_SILENT : 0);
|
||||||
|
PAM_FAIL_CHECK;
|
||||||
|
|
||||||
|
pwd = xgetpwnam (pam_user);
|
||||||
|
if (NULL == pwd) {
|
||||||
|
pwent.pw_name = pam_user;
|
||||||
|
strcpy (temp_pw, "!");
|
||||||
|
pwent.pw_passwd = temp_pw;
|
||||||
|
pwent.pw_shell = temp_shell;
|
||||||
|
|
||||||
|
preauth_flag = false;
|
||||||
|
failed = true;
|
||||||
|
} else {
|
||||||
pwent = *pwd;
|
pwent = *pwd;
|
||||||
|
}
|
||||||
retcode = pam_setcred (pamh, PAM_ESTABLISH_CRED);
|
|
||||||
PAM_FAIL_CHECK;
|
|
||||||
|
|
||||||
retcode = pam_open_session (pamh,
|
|
||||||
hushed (&pwent) ? PAM_SILENT : 0);
|
|
||||||
PAM_FAIL_CHECK;
|
|
||||||
|
|
||||||
pwd = xgetpwnam (pam_user);
|
|
||||||
if (NULL == pwd) {
|
|
||||||
pwent.pw_name = pam_user;
|
|
||||||
strcpy (temp_pw, "!");
|
|
||||||
pwent.pw_passwd = temp_pw;
|
|
||||||
pwent.pw_shell = temp_shell;
|
|
||||||
|
|
||||||
preauth_flag = false;
|
|
||||||
failed = true;
|
|
||||||
} else {
|
|
||||||
pwent = *pwd;
|
|
||||||
}
|
|
||||||
|
|
||||||
#else /* ! USE_PAM */
|
#else /* ! USE_PAM */
|
||||||
while (true) { /* repeatedly get login/password pairs */
|
while (true) { /* repeatedly get login/password pairs */
|
||||||
failed = false; /* haven't failed authentication yet */
|
failed = false; /* haven't failed authentication yet */
|
||||||
if ('\0' == username[0]) { /* need to get a login id */
|
if ('\0' == username[0]) { /* need to get a login id */
|
||||||
if (subroot) {
|
if (subroot) {
|
||||||
closelog ();
|
closelog ();
|
||||||
exit (1);
|
exit (1);
|
||||||
}
|
|
||||||
preauth_flag = false;
|
|
||||||
login_prompt (_("\n%s login: "), username,
|
|
||||||
sizeof username);
|
|
||||||
continue;
|
|
||||||
}
|
}
|
||||||
|
preauth_flag = false;
|
||||||
|
login_prompt (_("\n%s login: "), username,
|
||||||
|
sizeof username);
|
||||||
|
continue;
|
||||||
|
}
|
||||||
|
|
||||||
pwd = xgetpwnam (username);
|
pwd = xgetpwnam (username);
|
||||||
if (NULL == pwd) {
|
if (NULL == pwd) {
|
||||||
@ -861,8 +853,8 @@ int main (int argc, char **argv)
|
|||||||
pwent.pw_passwd = spwd->sp_pwdp;
|
pwent.pw_passwd = spwd->sp_pwdp;
|
||||||
} else {
|
} else {
|
||||||
SYSLOG ((LOG_WARN,
|
SYSLOG ((LOG_WARN,
|
||||||
"no shadow password for '%s'%s",
|
"no shadow password for '%s'%s",
|
||||||
username, fromhost));
|
username, fromhost));
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -895,9 +887,9 @@ int main (int argc, char **argv)
|
|||||||
* for those who really want to log them. --marekm
|
* for those who really want to log them. --marekm
|
||||||
*/
|
*/
|
||||||
SYSLOG ((LOG_WARN, "invalid password for '%s' %s",
|
SYSLOG ((LOG_WARN, "invalid password for '%s' %s",
|
||||||
( (NULL != pwd)
|
( (NULL != pwd)
|
||||||
|| getdef_bool ("LOG_UNKFAIL_ENAB")) ?
|
|| getdef_bool ("LOG_UNKFAIL_ENAB")) ?
|
||||||
username : "UNKNOWN", fromhost));
|
username : "UNKNOWN", fromhost));
|
||||||
failed = true;
|
failed = true;
|
||||||
|
|
||||||
auth_ok:
|
auth_ok:
|
||||||
@ -916,15 +908,15 @@ int main (int argc, char **argv)
|
|||||||
if ( !failed
|
if ( !failed
|
||||||
&& !login_access (username, *hostname ? hostname : tty)) {
|
&& !login_access (username, *hostname ? hostname : tty)) {
|
||||||
SYSLOG ((LOG_WARN, "LOGIN '%s' REFUSED %s",
|
SYSLOG ((LOG_WARN, "LOGIN '%s' REFUSED %s",
|
||||||
username, fromhost));
|
username, fromhost));
|
||||||
failed = true;
|
failed = true;
|
||||||
}
|
}
|
||||||
if ( (NULL != pwd)
|
if ( (NULL != pwd)
|
||||||
&& getdef_bool ("FAILLOG_ENAB")
|
&& getdef_bool ("FAILLOG_ENAB")
|
||||||
&& !failcheck (pwent.pw_uid, &faillog, failed)) {
|
&& !failcheck (pwent.pw_uid, &faillog, failed)) {
|
||||||
SYSLOG ((LOG_CRIT,
|
SYSLOG ((LOG_CRIT,
|
||||||
"exceeded failure limit for '%s' %s",
|
"exceeded failure limit for '%s' %s",
|
||||||
username, fromhost));
|
username, fromhost));
|
||||||
failed = true;
|
failed = true;
|
||||||
}
|
}
|
||||||
if (!failed) {
|
if (!failed) {
|
||||||
@ -964,7 +956,7 @@ int main (int argc, char **argv)
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
strncpy (failent.ut_user, failent_user,
|
strncpy (failent.ut_user, failent_user,
|
||||||
sizeof (failent.ut_user));
|
sizeof (failent.ut_user));
|
||||||
failent.ut_type = USER_PROCESS;
|
failent.ut_type = USER_PROCESS;
|
||||||
failtmp (&failent);
|
failtmp (&failent);
|
||||||
}
|
}
|
||||||
@ -973,7 +965,7 @@ int main (int argc, char **argv)
|
|||||||
retries--;
|
retries--;
|
||||||
if (retries <= 0) {
|
if (retries <= 0) {
|
||||||
SYSLOG ((LOG_CRIT, "REPEATED login failures%s",
|
SYSLOG ((LOG_CRIT, "REPEATED login failures%s",
|
||||||
fromhost));
|
fromhost));
|
||||||
}
|
}
|
||||||
/*
|
/*
|
||||||
* If this was a passwordless account and we get here, login
|
* If this was a passwordless account and we get here, login
|
||||||
@ -1016,7 +1008,7 @@ int main (int argc, char **argv)
|
|||||||
if ( getdef_bool ("PORTTIME_CHECKS_ENAB")
|
if ( getdef_bool ("PORTTIME_CHECKS_ENAB")
|
||||||
&& !isttytime (pwent.pw_name, tty, time ((time_t *) 0))) {
|
&& !isttytime (pwent.pw_name, tty, time ((time_t *) 0))) {
|
||||||
SYSLOG ((LOG_WARN, "invalid login time for '%s'%s",
|
SYSLOG ((LOG_WARN, "invalid login time for '%s'%s",
|
||||||
username, fromhost));
|
username, fromhost));
|
||||||
closelog ();
|
closelog ();
|
||||||
bad_time_notify ();
|
bad_time_notify ();
|
||||||
exit (1);
|
exit (1);
|
||||||
@ -1100,7 +1092,7 @@ int main (int argc, char **argv)
|
|||||||
if (child < 0) {
|
if (child < 0) {
|
||||||
/* error in fork() */
|
/* error in fork() */
|
||||||
fprintf (stderr, _("%s: failure forking: %s"),
|
fprintf (stderr, _("%s: failure forking: %s"),
|
||||||
Prog, strerror (errno));
|
Prog, strerror (errno));
|
||||||
PAM_END;
|
PAM_END;
|
||||||
exit (0);
|
exit (0);
|
||||||
} else if (child != 0) {
|
} else if (child != 0) {
|
||||||
@ -1167,8 +1159,8 @@ int main (int argc, char **argv)
|
|||||||
puts (_
|
puts (_
|
||||||
("Warning: login re-enabled after temporary lockout."));
|
("Warning: login re-enabled after temporary lockout."));
|
||||||
SYSLOG ((LOG_WARN,
|
SYSLOG ((LOG_WARN,
|
||||||
"login '%s' re-enabled after temporary lockout (%d failures)",
|
"login '%s' re-enabled after temporary lockout (%d failures)",
|
||||||
username, (int) faillog.fail_cnt));
|
username, (int) faillog.fail_cnt));
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
if ( getdef_bool ("LASTLOG_ENAB")
|
if ( getdef_bool ("LASTLOG_ENAB")
|
||||||
@ -1177,19 +1169,19 @@ int main (int argc, char **argv)
|
|||||||
|
|
||||||
#ifdef HAVE_STRFTIME
|
#ifdef HAVE_STRFTIME
|
||||||
strftime (ptime, sizeof (ptime),
|
strftime (ptime, sizeof (ptime),
|
||||||
"%a %b %e %H:%M:%S %z %Y",
|
"%a %b %e %H:%M:%S %z %Y",
|
||||||
localtime (&ll_time));
|
localtime (&ll_time));
|
||||||
printf (_("Last login: %s on %s"),
|
printf (_("Last login: %s on %s"),
|
||||||
ptime, lastlog.ll_line);
|
ptime, lastlog.ll_line);
|
||||||
#else
|
#else
|
||||||
printf (_("Last login: %.19s on %s"),
|
printf (_("Last login: %.19s on %s"),
|
||||||
ctime (&ll_time), lastlog.ll_line);
|
ctime (&ll_time), lastlog.ll_line);
|
||||||
#endif
|
#endif
|
||||||
#ifdef HAVE_LL_HOST /* __linux__ || SUN4 */
|
#ifdef HAVE_LL_HOST /* __linux__ || SUN4 */
|
||||||
if ('\0' != lastlog.ll_host[0]) {
|
if ('\0' != lastlog.ll_host[0]) {
|
||||||
printf (_(" from %.*s"),
|
printf (_(" from %.*s"),
|
||||||
(int) sizeof lastlog.
|
(int) sizeof lastlog.
|
||||||
ll_host, lastlog.ll_host);
|
ll_host, lastlog.ll_host);
|
||||||
}
|
}
|
||||||
#endif
|
#endif
|
||||||
printf (".\n");
|
printf (".\n");
|
||||||
|