pwauth-2.3.8.orig/0000750000175000017500000000000011165420332014335 5ustar haizaarfornovadevpwauth-2.3.8.orig/nologin.c0000640000175000017500000000407611142072264016160 0ustar haizaarfornovadev/* ======================================================================= * Copyright 1996, Jan D. Wolter and Steven R. Weiss, All Rights Reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in * the documentation and/or other materials provided with the * distribution. * * 3. The names of the authors must not be used to endorse or * promote products derived from this software without prior written * permission. * * THIS SOFTWARE IS PROVIDED BY THE AUTHORS ``AS IS'' AND ANY * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE * OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, * EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. * ======================================================================= */ #include "pwauth.h" #ifdef NOLOGIN_FILE /* CHECK_NOLOGIN - return true if the nologin file does not exist or our * uid is below MIN_NOLOGIN_UID. */ check_nologin() { /* Return true if the file does not exist (the access() function returns * true if the file doesn't exist - pretty dumb, eh?) */ if (access(NOLOGIN_FILE, F_OK)) return 1; #if MIN_NOLOGIN_UID > 0 if (hisuid < MIN_NOLOGIN_UID) return 1; #endif return 0; } #endif pwauth-2.3.8.orig/fail_log.c0000640000175000017500000001312711142072264016264 0ustar haizaarfornovadev/* ======================================================================= * Copyright 1996, Jan D. Wolter and Steven R. Weiss, All Rights Reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in * the documentation and/or other materials provided with the * distribution. * * 3. The names of the authors must not be used to endorse or * promote products derived from this software without prior written * permission. * * THIS SOFTWARE IS PROVIDED BY THE AUTHORS ``AS IS'' AND ANY * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE * OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, * EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. * ======================================================================= */ #include "pwauth.h" #ifdef RESET_FAIL_COUNT #define MODE_FAILLOG O_RDWR #else #define MODE_FAILLOG O_RDONLY #endif #ifdef FAILLOG_JFH /* CHECK_FAILS - Check if the account is disable dued to the maximum number of * failed logins being exceeded. Returns true if the account is OK to log * into or if the faillog information doesn't exist. This never resets the * bad login count to zero. It should, but I don't really believe anyone * uses this anymore, so I'm not going to bother implementing that. */ int check_fails() { int result= 1; struct faillog flog; int flfd; if (!haveuid) return 1; if ((flfd= open(PATH_FAILLOG,MODE_FAILLOG)) >= 0) { lseek(flfd, hisuid * sizeof(struct faillog), 0); result= (read(flfd, &flog, sizeof(struct faillog)) != sizeof(struct faillog)) || flog.fail_max == 0 || flog.fail_cur < flog.fail_max; close(flfd); } return result; } /* LOG_FAILURE - Do whatever we need to do to log a failed login attempt. */ void log_failure() { int flfd; struct faillog flog; if (!haveuid) return; /* Log the failure in /var/adm/faillog - JFH style */ if ((flfd= open(PATH_FAILLOG,O_RDWR)) > 0) { /* Read the user's record (indexed by uid) */ lseek(flfd, hisuid * sizeof(struct faillog), 0); if (read(flfd,&flog,sizeof(struct faillog)) != sizeof(struct faillog)) { flog.fail_cnt= 0; flog.fail_max= 0; flog.fail_time= 0L; flog.failline[0]= '\0'; } /* Increment the count (checking for overflow) */ if (flog.fail_cnt + 1 > 0) flog.fail_cnt++; flog.fail_time= time(0L); strcpy(flog.fail_line,"http"); /* Write it back out */ lseek(flfd, hisuid * sizeof(struct faillog), 0); write(flfd, &flog, sizeof(struct faillog)); close(flfd); } } #endif /* FAILLOG_JFH */ #ifdef FAILLOG_OPENBSD /* CHECK_FAILS - Check if the account is disable dued to the maximum number of * failed logins being exceeded. Returns true if the account is OK to log * into or if the faillog information doesn't exist. If the count has not * been exceeded, then the count is reset to zero. */ int check_fails() { int result= 1; #if defined(MAX_FAIL_COUNT) || defined(RESET_FAIL_COUNT) struct badlogin flog; int flfd; if (!haveuid) return 1; if ((flfd= open(PATH_FAILLOG,MODE_FAILLOG)) >= 0) { /* Read user's record (indexed by uid) */ lseek(flfd, hisuid * sizeof(struct badlogin), 0); if (read(flfd, &flog, sizeof(struct badlogin)) != sizeof(struct badlogin) || flog.bl_time == 0) memset(&flog, 0, sizeof(struct badlogin)); #ifdef MAX_FAIL_COUNT result= (flog.count >= MAX_FAIL_COUNT); #endif #ifdef RESET_FAIL_COUNT if (!result && flog.count > 0) { flog.count= 0; lseek(flfd, hisuid * sizeof(struct badlogin), 0); write(flfd, &flog, sizeof(struct badlogin)); } #endif close(flfd); } #endif /* MAX_FAIL_COUNT || RESET_FAIL_COUNT */ return result; } /* LOG_FAILURE - Do whatever we need to do to log a failed login attempt. */ log_failure() { int flfd; struct badlogin flog; char *host; if (!haveuid) return; /* Log the failure in /var/log/failedlogin - OpenBSD style */ if ((flfd= open(PATH_FAILLOG,O_RDWR)) > 0) { /* Read user's record (indexed by uid) */ lseek(flfd, hisuid * sizeof(struct badlogin), 0); if (read(flfd, &flog, sizeof(struct badlogin)) != sizeof(struct badlogin) || flog.bl_time == 0) memset(&flog, 0, sizeof(struct badlogin)); /* Increment the count (checking for overflow) */ if (flog.count + 1 > 0) flog.count++; /* Set time and remote host names */ time(&flog.bl_time); strncpy(flog.bl_line, "http", sizeof(flog.bl_line)); if ((host= getenv("HOST")) == NULL) host= getenv("IP"); if (host != NULL) strncpy(flog.bl_host, host, sizeof(flog.bl_host)); else flog.bl_host[0]= '\0'; flog.bl_name[0]= '\0'; /* Remote name always unknown */ /* Write it back out */ lseek(flfd, hisuid * sizeof(struct badlogin), 0); write(flfd, &flog, sizeof(struct badlogin)); close(flfd); } } #endif pwauth-2.3.8.orig/snooze.c0000640000175000017500000000442611142072264016027 0ustar haizaarfornovadev/* ======================================================================= * Copyright 1996, Jan D. Wolter and Steven R. Weiss, All Rights Reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in * the documentation and/or other materials provided with the * distribution. * * 3. The names of the authors must not be used to endorse or * promote products derived from this software without prior written * permission. * * THIS SOFTWARE IS PROVIDED BY THE AUTHORS ``AS IS'' AND ANY * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE * OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, * EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. * ======================================================================= */ #include "pwauth.h" /* SNOOZE - Do a serialized sleep of the given number of seconds. This means, * wait till no other pwauth processes are in their sleeps, and then sleep * for the number of seconds given. Note that a snooze(0) may lead to some * sleep time, if other pwauth processes are in sleeps. */ snooze(int seconds) { #ifdef SLEEP_LOCK int slfd; #endif /* Lock the sleep-lock file to serialize our sleeps */ #ifdef SLEEP_LOCK if ((slfd= open(SLEEP_LOCK,O_CREAT|O_RDONLY,0644)) >= 0) flock(slfd,LOCK_EX); #endif sleep(seconds); /* Release sleep-lock file */ #ifdef SLEEP_LOCK /*flock(slfd,LOCK_UN);*/ close(slfd); #endif } pwauth-2.3.8.orig/auth_openbsd.c0000640000175000017500000001124611142072264017163 0ustar haizaarfornovadev/* ======================================================================= * Copyright 1996, Jan D. Wolter and Steven R. Weiss, All Rights Reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in * the documentation and/or other materials provided with the * distribution. * * 3. The names of the authors must not be used to endorse or * promote products derived from this software without prior written * permission. * * THIS SOFTWARE IS PROVIDED BY THE AUTHORS ``AS IS'' AND ANY * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE * OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, * EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. * ======================================================================= */ #include "pwauth.h" #ifdef LOGIN_CONF_OPENBSD #include #include #include /* =================== OpenBSD LOGIN.CONF Authentication =================== */ /* CHECK_AUTH - Check a login and return a status code. * (This version for systems with auth_usercheck() call.) */ int check_auth(char *login, char *passwd) { auth_session_t *as; login_cap_t *lc; struct passwd *pwd; char *style; int state, exists; /* The following would work, but it doesn't return the logincap to us, * and we will need it below to check for nologin files. * * as= auth_usercheck(login, NULL, NULL, passwd); */ /* Get the login cap for this user from the database */ pwd= getpwnam(login); exists= (pwd != NULL); #ifdef NEED_UID if (exists) {hisuid= pwd->pw_uid; haveuid= 1;} #endif if ((lc = login_getclass(pwd ? pwd->pw_class : NULL)) == NULL) return STATUS_INT_ERR; /* Get the login style to use */ if ((style= login_getstyle(lc, NULL, NULL)) == NULL) { login_close(lc); return STATUS_INT_ERR+1; } /* Start a BSD authentication session and set it up */ if ((as= auth_open()) == NULL) { login_close(lc); return STATUS_INT_ERR+2; } auth_setitem(as, AUTHV_SERVICE, "response"); auth_setdata(as, "", 1); auth_setdata(as, passwd, strlen(passwd)+1); /* Run the authenticator */ as= auth_verify(as, style, login, lc->lc_class, (char *)NULL); /* Check if login is expired */ #ifdef CHECK_LOGIN_EXPIRATION if (auth_check_expire(as) < 0) { login_close(lc); auth_close(as); return STATUS_EXPIRED; } #endif /* Check if password has expired */ #ifdef CHECK_PASSWORD_EXPIRATION if (auth_check_change(as) < 0) { login_close(lc); auth_close(as); return STATUS_PW_EXPIRED; } #endif /* Get the results */ pwd= auth_getpwd(as); exists= exists || (pwd != NULL); state= auth_getstate(as); auth_close(as); #ifdef NEED_UID /* prefer this uid number to any one we got before - probably the same */ if (pwd != NULL) {hisuid= pwd->pw_uid; haveuid= 1;} #endif if (!(state & AUTH_OKAY)) { login_close(lc); return (exists ? STATUS_INVALID : STATUS_UNKNOWN); } /* Check for nologin file */ if (!login_getcapbool(lc, "ignorenologin", 0)) { /* If ignorelogin is not define, nologin should be defined */ char *nologin= login_getcapstr(lc, "nologin", "", NULL); login_close(lc); if (nologin == NULL) return STATUS_INT_ERR+4; /* check existance of nologin file defined for class in login.conf */ if (*nologin != '\0') { int rc= access(nologin,F_OK); free(nologin); if (rc == 0) return STATUS_NOLOGIN; } /* Check existance of stock nologin file */ #ifdef _PATH_NOLOGIN if (access(_PATH_NOLOGIN,F_OK) == 0) return STATUS_NOLOGIN; #endif } else login_close(lc); /* Check if uid is above minimum */ #ifdef MIN_UNIX_UID if (haveuid && hisuid < MIN_UNIX_UID) return(STATUS_BLOCKED); #endif return STATUS_OK; } #endif /* LOGIN_CONF_OPENBSD */ pwauth-2.3.8.orig/checkfaillog.c0000640000175000017500000000565711142072264017134 0ustar haizaarfornovadev/* ======================================================================= * Copyright 1996, Jan D. Wolter and Steven R. Weiss, All Rights Reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in * the documentation and/or other materials provided with the * distribution. * * 3. The names of the authors must not be used to endorse or * promote products derived from this software without prior written * permission. * * THIS SOFTWARE IS PROVIDED BY THE AUTHORS ``AS IS'' AND ANY * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE * OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, * EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. * ======================================================================= */ #include #include #include #include #include "config.h" #include "fail_log.h" int main(int argc, char **argv) { int i, j; int reset= 0, verbose= 1; char *user= NULL, *msg= NULL; uid_t uid= getuid(); /* Parse command line */ for (i= 1; i < argc; i++) { if (argv[i][0] == '-') { for (j= 1; argv[i][j] != '\0'; j++) { switch (argv[i][j]) { case 'z': reset= 1; break; case 's': verbose= 0; break; default: goto usage; } } } else if (user == NULL) user= argv[i]; else goto usage; } /* Root can run this on other user's accounts */ if (user != NULL) { struct passwd *pw; if ((pw= getpwnam(user)) == NULL) { fprintf(stderr,"%s: User %s does not exist.\n", argv[0], user); exit(2); } if (uid != 0 && pw->pw_uid != uid) { fprintf(stderr,"%s: Only root can access other user's accounts.\n", argv[0]); exit(3); } uid= pw->pw_uid; } /* Do the thing */ #if defined(FAILLOG_JFH) || defined(FAILLOG_OPENBSD) msg= check_fails(uid, reset, verbose); #endif /* Output the result */ if (msg != NULL) puts(msg); else if (!verbose) puts("0:::"); exit(0); usage: fprintf(stderr,"usage: %s [-z] [-s] [user]\n", argv[0]); exit(1); } pwauth-2.3.8.orig/auth_mdw.c0000640000175000017500000000646011155502725016326 0ustar haizaarfornovadev/* ======================================================================= * Copyright 1996, Jan D. Wolter and Steven R. Weiss, All Rights Reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in * the documentation and/or other materials provided with the * distribution. * * 3. The names of the authors must not be used to endorse or * promote products derived from this software without prior written * permission. * * THIS SOFTWARE IS PROVIDED BY THE AUTHORS ``AS IS'' AND ANY * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE * OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, * EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. * ======================================================================= */ #include "pwauth.h" #ifdef SHADOW_MDW #ifdef NEED_UID #include #endif #include /* is -I/usr/local/include on gcc command? */ char *kg_pwhash(char *clear, char *user, char *result, int resultlen); char *pw_encrypt(); #endif /* SHADOW_MDW */ #ifdef SHADOW_MDW /* ===================== MDW Authentication ===================== */ /* CHECK_AUTH - Check a login and return a status code. * (This version for systems with kg_pwhash() call.) */ int check_auth(char *login, char *passwd) { char *cpass; char bf[40]; struct spwd *spwd= getspnam(login); #ifdef NEED_UID struct passwd *pwd; #endif #if defined(CHECK_LOGIN_EXPIRATION) || defined(CHECK_PASSWORD_EXPIRATION) int today= time(NULL)/(24*60*60); #endif if (spwd == NULL) return(errno == EACCES ? STATUS_INT_NOROOT : STATUS_UNKNOWN); #ifdef NEED_UID if ((pwd= getpwnam(login)) == NULL) return(STATUS_UNKNOWN); hisuid= pwd->pw_uid; haveuid= 1; #endif #ifdef MIN_UNIX_UID if (hisuid < MIN_UNIX_UID) return(STATUS_BLOCKED); #endif if (spwd->sp_pwdp[0] != '%') cpass= pw_encrypt(passwd, spwd->sp_pwdp); else if ((cpass= kg_pwhash(passwd, login, bf, 40)) == NULL) return(STATUS_INT_ERR); if (strcmp(cpass, spwd->sp_pwdp)) return STATUS_INVALID; #ifdef CHECK_LOGIN_EXPIRATION if (spwd->sp_expire >= 0 && spwd->sp_expire < today) return STATUS_EXPIRED; #endif #ifdef CHECK_PASSWORD_EXPIRATION /* Root forced password expiration */ if (spwd->sp_lstchg == 0) return STATUS_PW_EXPIRED; /* Normal password expiration */ if (spwd->sp_max >= 0 && spwd->sp_lstchg + spwd->sp_max < today) return STATUS_PW_EXPIRED; #endif return STATUS_OK; } #endif /* SHADOW_MDW */ pwauth-2.3.8.orig/unixgroup0000750000175000017500000000422111142072264016324 0ustar haizaarfornovadev#!/usr/bin/perl # # This is a group authenticator for use with mod_auth_external using the # "environment" argument passing method. If you are using mod_authnz_external, # then a much better choice is to use mod_authz_unixgroup for group checking. # It checks if the Unix user ID passed in the USER environment variable is in # any of Unix groups (names or numbers) listed in the GROUP environment # variable. It returns # 0 - if the user is in one of the groups # 1 - if the user is not in any of the groups # 2 - if the user does not exist. # # This isn't a very efficient way to do group checking. I hope to find time # to do something better someday. # # Typical Usage: # In httpd.conf declare an pwauth authenticator and a unixgroup authenticator: # # AddExternalAuth pwauth /path/to/pwauth # SetExternalAuthMethod pwauth pipe # AddExternalGroup unixgroup /path/to/unixgroup # SetExternalGroupMethod unixgroup environment # # In .htaccess file do something like # # AuthType Basic # AuthName SystemName # AuthExternal pwauth # GroupExternal unixgroup # require group customers admins staff # # Here "SystemName" is a string that will be included in the pop-up login # box, all Unix groupnames which are to be allowed to login are listed on the # "require group" command. If you are using this with mod_authnz_external, # you'll need to add the directive "AuthBasicProvider external", but if you are # using mod_authnz_external, you should be using mod_authz_unixgroup instead # of this. # Get primary GID number for the user $user= $ENV{USER}; $gid= (getpwnam($user))[3]; exit 2 if !defined $gid; # user does not exist - Reject # Loop through groups foreach $group (split ' ', $ENV{GROUP}) { if ($group =~ /^\d+$/) { # Group given as GID number exit 0 if ($group == $gid); # Get list of members $members= (getgrgid($group))[3]; } else { # Group given by name ($gname, $x, $ggid, $members)= getgrnam($group); next if !$gname; # skip non-existant group exit 0 if ($ggid == $gid); } # Check if user is in member list foreach $mem (split ' ',$members) { exit 0 if ($user eq $mem); } } exit 1; pwauth-2.3.8.orig/auth_sun.c0000640000175000017500000000723011155501440016331 0ustar haizaarfornovadev/* ======================================================================= * Copyright 1996, Jan D. Wolter and Steven R. Weiss, All Rights Reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in * the documentation and/or other materials provided with the * distribution. * * 3. The names of the authors must not be used to endorse or * promote products derived from this software without prior written * permission. * * THIS SOFTWARE IS PROVIDED BY THE AUTHORS ``AS IS'' AND ANY * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE * OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, * EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. * ======================================================================= */ #include "pwauth.h" #ifdef SHADOW_SUN #ifdef NEED_UID #include #endif #include struct spwd *getspnam(); char *crypt(); #endif /* SHADOW_SUN */ #ifdef SHADOW_JFH #ifdef NEED_UID #include #endif #include /* this may be hidden in /usr/local/include */ struct spwd *getspnam(); char *pw_encrypt(); #endif /* SHADOW_JFH */ #if defined(SHADOW_JFH) || defined(SHADOW_SUN) /* ===================== JFH and SUN Authentication ===================== */ /* CHECK_AUTH - Check a login and return a status code. * (This version for systems with getspnam() call.) */ int check_auth(char *login, char *passwd) { char *cpass; struct spwd *spwd= getspnam(login); #ifdef NEED_UID struct passwd *pwd; #endif #if defined(CHECK_LOGIN_EXPIRATION) || defined(CHECK_PASSWORD_EXPIRATION) int today= time(NULL)/(24*60*60); #endif if (spwd == NULL) return(errno == EACCES ? STATUS_INT_NOROOT : STATUS_UNKNOWN); #ifdef NEED_UID if ((pwd= getpwnam(login)) == NULL) return(STATUS_UNKNOWN); hisuid= pwd->pw_uid; haveuid= 1; #endif #ifdef MIN_UNIX_UID if (hisuid < MIN_UNIX_UID) return(STATUS_BLOCKED); #endif #ifdef SHADOW_JFH cpass= pw_encrypt(passwd, spwd->sp_pwdp); #else cpass= crypt(passwd, spwd->sp_pwdp); #endif if (strcmp(cpass, spwd->sp_pwdp)) return STATUS_INVALID; #ifdef CHECK_LOGIN_EXPIRATION if (spwd->sp_expire >= 0 && spwd->sp_expire < today) return STATUS_EXPIRED; #endif #ifdef CHECK_PASSWORD_EXPIRATION /* Root forced password expiration */ if (spwd->sp_lstchg == 0) return STATUS_PW_EXPIRED; /* Normal password expiration */ /* We used to have sp_lstchg + sp_max + sp_inact < today * here, apparantly during the inact period you are only supposed to be able * to get on to change your password, not anything else, show we shouldn't * allow access during that period. */ if (spwd->sp_max >= 0 && spwd->sp_lstchg + spwd->sp_max < today) return STATUS_PW_EXPIRED; #endif return STATUS_OK; } #endif /* SHADOW_JFH || SHADOW_SUN */ pwauth-2.3.8.orig/Makefile0000640000175000017500000000325611142072264016006 0ustar haizaarfornovadev# The following three lines should be modified to appropriate values for your # system. Most of the configurable stuff is in config.h # # CC= an ansi-C compiler. If "cc" doesn't work, try "gcc". # LIB= libraries to link in. -lcrypt, -lshadow, -lpam sometimes needed. # LOCALFLAGS= compiler flags. Usually -g, -O, and stuff like that. # Settings for author's system (Redhat 6.1) CC=gcc LIB= -lcrypt LOCALFLAGS= -g # For PAM on Redhat Linux # LIB=-lpam -ldl # For PAM on Solaris or OS X # LIB=-lpam # -------------------- No User Servicable Parts Below ----------------------- CFLAGS= $(LOCALFLAGS) pwauth: main.o auth_aix.o auth_bsd.o auth_hpux.o auth_mdw.o auth_openbsd.o \ auth_pam.o auth_sun.o fail_log.o lastlog.o nologin.o snooze.o $(CC) -o pwauth $(CFLAGS) main.o auth_aix.o auth_bsd.o auth_hpux.o \ auth_mdw.o auth_openbsd.o auth_pam.o auth_sun.o fail_log.o \ lastlog.o nologin.o snooze.o $(LIB) checkfaillog: checkfaillog.o fail_check.o $(CC) -o checkfaillog $(CFLAGS) checkfaillog.o fail_check.o $(LIB) main.o: main.c config.h pwauth.h fail_log.h auth_aix.o: auth_aix.c config.h pwauth.h auth_bsd.o: auth_bsd.c config.h pwauth.h auth_hpux.o: auth_hpux.c config.h pwauth.h auth_mdw.o: auth_mdw.c config.h pwauth.h auth_openbsd.o: auth_openbsd.c config.h auth_pam.o: auth_pam.c config.h pwauth.h auth_sun.o: auth_sun.c config.h pwauth.h checkfaillog.o: checkfaillog.c config.h fail_log.h fail_check.o: fail_check.c config.h fail_log.h fail_log.o: fail_log.c config.h pwauth.h fail_log.h lastlog.o: lastlog.c config.h pwauth.h nologin.o: nologin.c config.h pwauth.h snooze.o: snooze.c config.h pwauth.h clean: rm -f *.o distclean: rm -f *.o pwauth checkfaillog pwauth-2.3.8.orig/auth_hpux.c0000640000175000017500000000464311142072264016520 0ustar haizaarfornovadev/* ======================================================================= * Copyright 1996, Jan D. Wolter and Steven R. Weiss, All Rights Reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in * the documentation and/or other materials provided with the * distribution. * * 3. The names of the authors must not be used to endorse or * promote products derived from this software without prior written * permission. * * THIS SOFTWARE IS PROVIDED BY THE AUTHORS ``AS IS'' AND ANY * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE * OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, * EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. * ======================================================================= */ #include "pwauth.h" #ifdef SHADOW_HPUX #include #include #include /* ===================== HPUX Authentication ===================== */ /* CHECK_AUTH - Check a login and return a status code. * (This version for systems with a getprpwnam() call.) */ int check_auth(char *login, char *passwd) { char *cpass; struct pr_passwd *pwd= getprpwnam(login); if (pwd == NULL) return(STATUS_UNKNOWN); #ifdef NEED_UID hisuid= pwd->ufld.fd_uid; haveuid= 1; #endif #ifdef MIN_UNIX_UID if (hisuid < MIN_UNIX_UID) return(STATUS_BLOCKED); #endif /* Should this be a call to bigcrypt() instead? */ cpass= crypt(passwd, pwd->ufld.fd_encrypt); return(strcmp(cpass, pwd->ufld.fd_encrypt) ? STATUS_INVALID : STATUS_OK); } #endif /* SHADOW_HPUX */ pwauth-2.3.8.orig/main.c0000640000175000017500000000730411165413376015444 0ustar haizaarfornovadev/* ======================================================================= * Copyright 1996, Jan D. Wolter and Steven R. Weiss, All Rights Reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in * the documentation and/or other materials provided with the * distribution. * * 3. The names of the authors must not be used to endorse or * promote products derived from this software without prior written * permission. * * THIS SOFTWARE IS PROVIDED BY THE AUTHORS ``AS IS'' AND ANY * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE * OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, * EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. * ======================================================================= */ #include "pwauth.h" #ifdef NEED_UID int hisuid; int haveuid= 0; #endif #ifdef SERVER_UIDS /* Array of uid numbers that may run this program */ int server_uids[]= {SERVER_UIDS, 0}; #endif main(int argc, char **argv) { #ifdef ENV_METHOD char *login, *passwd; #else char login[BFSZ+1], passwd[BFSZ+1]; char *c, *strchr(); #endif int uid,i; int status; struct rlimit rlim; /* Don't dump core (could contain part of shadow file) */ rlim.rlim_cur = rlim.rlim_max = 0; (void)setrlimit(RLIMIT_CORE, &rlim); #ifdef SERVER_UIDS /* Check that we were invoked by one of the listed uids or by root */ uid= getuid(); for (i= 0; server_uids[i] != 0 && server_uids[i] != uid; i++) ; if (uid != server_uids[i]) exit(STATUS_INT_USER); #endif /* Get the arguments (login and password) */ #ifdef ENV_METHOD if ((login= getenv("USER")) == NULL || (passwd= getenv("PASS")) == NULL) exit(STATUS_INT_ARGS); #else if (fgets(login, BFSZ, stdin) == NULL || fgets(passwd, BFSZ, stdin) == NULL) exit(STATUS_INT_ARGS); if ((c= strchr(login,'\n')) != NULL) *c= '\0'; if ((c= strchr(passwd,'\n')) != NULL) *c= '\0'; #endif #ifdef DOMAIN_AWARE if ((c= strchr(login,'\\')) != NULL) strcpy (login,++c); #endif /* Check validity of login/passwd */ status= check_auth(login,passwd); #ifdef IGNORE_CASE if (status == STATUS_UNKNOWN) { int uc= 0; for (c= login; *c != '\0'; c++) if (isascii(*c) && isupper(*c)) { uc= 1; *c= tolower(*c); } if (uc) status= check_auth(login,passwd); } #endif bzero(passwd,strlen(passwd)); /* Erase plain-text from our memory */ #ifdef FAILLOG_JFH if (status == STATUS_OK && !check_fails()) status= STATUS_MANYFAILS; #endif #ifdef NOLOGIN_FILE if (status == STATUS_OK && !check_nologin()) status= STATUS_NOLOGIN; #endif if (status == STATUS_OK) { /* Good login */ #ifdef UNIX_LASTLOG lastlog(); #endif snooze(0); exit(STATUS_OK); } else { /* Bad login */ #ifdef KEEP_FAILLOG log_failure(); #endif snooze(SLEEP_TIME); exit(status); } } pwauth-2.3.8.orig/config.h0000640000175000017500000003475411165417224015777 0ustar haizaarfornovadev/* ======================================================================= * Copyright 1996, Jan D. Wolter and Steven R. Weiss, All Rights Reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in * the documentation and/or other materials provided with the * distribution. * * 3. The names of the authors must not be used to endorse or * promote products derived from this software without prior written * permission. * * THIS SOFTWARE IS PROVIDED BY THE AUTHORS ``AS IS'' AND ANY * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE * OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, * EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. * ======================================================================= */ /* PWAUTH configuration file * * Note - the default settings in this file are the way I use it. I * guarantee you, they won't work for you. You must change them. * */ /* There are lots of different kinds of password databases. Define one of * the following: * * - SHADOW_NONE: old fashioned Unix systems which have the encrypted * passwords in the passwd file. Actually, since you don't need to be * root to access these, you might do better using Lou Langholtz's * mod_auth_system.c, which is available from the contributed modules * directory at apache.org. * * - SHADOW_BSD: This is the shadow password system in BSDI, NetBSD, OpenBSD, * and FreeBSD. It uses exactly the same calls as SHADOW_NONE, but * getpwnam() only returns the encrypted password if you are root. This * would only work with OS X if the accounts being authenticated are * configured with legacy crypt style passwords. In general, the PAM * option is more likely to be usuable in OS X. * * - SHADOW_SUN: This is the shadow password system in Solaris, Linux and * IRIX 5.3 systems. It uses getspnam() to fetch passwords and crypt() to * encrypt them. * * - SHADOW_JFH: This the old version of Julianne F. Haugh's public-domain * shadow package. It uses getspnam() to fetch passwords and pw_encrpyt() * to encrypt them. The JFH shadow code is available at * ftp://gumby.dsd.trw.com/pub/security/shadow-3.2.2.tar.Z * Newer versions seem to be compatible with SHADOW_SUN. * * - SHADOW_MDW: This is Grex's variation on the JFH shadow file system, * which uses Marcus D. Watt's interface to the password encryption. If you * ain't Grex, you ain't got it. * * - SHADOW_AIX: This is the AIX shadow password system. It uses getuserpw() * to fetch passwords and (apparantly) crypt() to encrypt them. This has * not been tested. Shadow BSD is also likely to work with AIX. * * - SHADOW_HPUX: This is the HP-UX shadow password system. It uses * getprpwnam() to fetch passwords and either crypt() or bigcrypt() to * encrypt them (I'm not sure which is right). This has not been tested * and probably doesn't work. * * - PAM: Talk to the authentication system through PAM - the plug-in * authentication module interface. This exists on Solaris 7, FreeBSD, * most versions of Linux and OS X. You'll need to create * /etc/pam.d/pwauth or edit /etc/pam.config to include entries for * pwauth. If you are using PAM to authenticate out of something you * don't need to be root to access, then you might use instead Ingo * Lutkebohle's mod_auth_pam.c module. You probably want to comment * out the UNIX_LASTLOG, MIN_UNIX_UID, and NOLOGIN_FILE options below. * * - PAM_SOLARIS: Solaris versions of PAM have some incompatibilities with * Linux/FreeBSD versions. I think HP-UX needs this too, but don't really * know. * * - PAM_SOLARIS_26: Solaris 2.6 PAM has some header file declarations and * function behaviors that don't agree with either their own documentation * or with any other implementation. Bugs, in short. This option uses * PAM with work-arounds for the Solaris 2.6 bugs. * * - PAM_OS_X: OS X keeps it's header files in a different place, so use * this option instead of the PAM option. * * - LOGIN_CONF_OPENBSD: Many BSD derived systems use a login.conf file to * configure authentication instead of (or in addition to) PAM. We * currently support authentication through this mechanism only for * OpenBSD. Of course, if you login.conf configuration is standard, you * can just use SHADOW_BSD, but if you want pwauth to respect settings * in login.conf this option can be used instead. The API used here, is * however, pretty much unique to OpenBSD and will not work on NetBSD or * FreeBSD. */ /* #define SHADOW_NONE /**/ /* #define SHADOW_BSD /* FreeBSD, NetBSD, OpenBSD, BSDI, OS X */ #define SHADOW_SUN /* Linux, Solaris, IRIX */ /* #define SHADOW_JFH /**/ /* #define SHADOW_MDW /**/ /* #define SHADOW_AIX /* AIX */ /* #define SHADOW_HPUX /* HPUX ? */ /* #define PAM /* Linux PAM or OpenPAM*/ /* #define PAM_OS_X /* PAM on OS X */ /* #define PAM_SOLARIS /* PAM on Solaris other than 2.6 */ /* #define PAM_SOLARIS_26 /* PAM on Solaris 2.6 */ /* #define LOGIN_CONF_OPENBSD /* login.conf on OpenBSD */ /* There is also limited support for two failure logging systems (the database * that informs you that "there have been 3426 unsuccessful attempts to log * into your account since your last login" and which may disable accounts * with too many failed logins). * * If a FAILLOG option is enabled, pwauth will increment the failure count * each time there is a failed attempt to login. Depending on the the * configuration, it may also deny logins to users who have had too many * bad login attempts. * * Very few Unix systems seem to have faillog files installed, so most * installations will not want this option. * * No faillog option should be used with PAM. This kind of logging is handled * at a lower level with PAM. * * - FAILLOG_JFH: This is associated with the JFH shadow system. Some Linux * systems may have this, but most don't seem to. Failures are logged in * the /var/adm/faillog file, and if any user accumulates too many failed * logins, future logins are denied. The faillog.h header file is part of * the JFH shadow file package. If you define PATH_FAILLOG, then this * will be used as the path of the faillog file instead of the one defined * in faillog.h. * * - FAILLOG_OPENBSD: OpenBSD has a faillog, although it does not disable * logins if any maximum exceeded. Failure counts are kept in * /var/log/failedlogin. There is no system header file that defines the * format of this file, however. Instead the definition for the file * format is embedded in the "login" source code. Bad things will happen * if the definition there does not the match the definition in pwauth. * * Though OpenBSD's login program does not refuse further logins if the * number of failed logins has gotten too large, pwauth will do so if you * define MAX_FAIL_COUNT. If you want to use a file different than the * default, you can define this in PATH_FAILLOG. * * - FAILLOG_PWAUTH: This is meant to be used by systems that lack any * native faillog. This will keep a faillog for pwauth only. For the * moment, this is identical to FAILLOG_OPENBSD, except that the default * path of the log file is different. In future releases this may * diverge from FAILLOG_OPENBSD. Defining MAX_FAIL_COUNT and PATH_FAILLOG * has the same effect as above. * * RESET_FAIL_COUNT controls whether or not the failure count is reset to * zero when a successful login occurs. The advantages of this are obvious. * The problem with it is that it obliterates all record of how many failures * there were. Login utilities normally print out the failure count before * resetting it, so that users are notified if their account is under attack, * but pwauth cannot print messages that the user will see. The optimum * strategy would probably be to have your CGI run a separate program, such * as the 'checkfaillog' program included in this distribution, that * reports and resets the failure count. */ /* #define FAILLOG_JFH /**/ /* #define FAILLOG_OPENBSD /**/ /* #define FAILLOG_PWAUTH /**/ /* #define PATH_FAILLOG "/var/log/faillog" /**/ /* #define MAX_FAIL_COUNT 40 /**/ /* #define RESET_FAIL_COUNT /**/ /* If UNIX_LASTLOG is defined, the program will update the lastlog entry so * that there is a record of the user having logged in. This is important on * systems where you expire unused accounts and some users may only log in * via the web. If you have the lastlog.h header file, define HAVE_LASTLOG_H. * * If you are using PAM to authentication out of something other than the * unix user database, then you should disable this. The lastlog file is * index by the user's uid number, and users from other databases don't have * uid numbers. */ #define UNIX_LASTLOG /**/ #define HAVE_LASTLOG_H /**/ /* If NOLOGIN_FILE is defined to the full path name of a file, then the * existance of that file is checked on every login attempt. If it exists * all logins to accounts with uid's of MIN_NOLOGIN_UID or more will be * rejected. * * If you are using PAM, then you should disable this. In that case, this * check is better done through PAM, and the maximum uid check won't work * right with PAM. */ #define NOLOGIN_FILE "/etc/nologin" /**/ #define MIN_NOLOGIN_UID 1 /**/ /* Defining CHECK_LOGIN_EXPIRATION and CHECK_PASSWORD_EXPIRATION causes * pwauth to check if the given login has expired, or it's password has * expired. Most modern versions of Unix support these options. * * These checks have not been implemented for the SHADOW_AIX and SHADOW_HPUX * options. It's probably possible to do so for SHADOW_HPUX, but lacking a * system to test on, I haven't bothered. */ #define CHECK_LOGIN_EXPIRATION /**/ #define CHECK_PASSWORD_EXPIRATION /**/ /* It is generally sensible to restrict what users can run pwauth. Though * there are other programs that users can use to test if password guesses * are correct, like "su" and "passwd", pwauth is much easier to interface * a password guessing program to, so why not be paranoid and restrict it * as much as possible? * * If you are using pwauth with mod_auth_external, you will want to restrict * it to be runnable from whatever uid your httpd runs as. (For apache, this * is determined by the "User" directive in your httpd.conf file. It may be * called something like "nobody" or "httpd" or "apache". Usually the easiest * way to figure it out is just to do a "ps" and see what most apache processes * are running as.) * * There are two ways to do this. First, you can compile in the uid numbers * that are allowed to run this program, by listing them on the SERVER_UID * variable below. At runtime, pwauth will check that the uid of the user * that invoked it is on this list. So if you have just one uid that should * be able to run pwauth, you can say something like: * #define SERVER_UIDS 72 * If you have several, separate them by commas, like this: * #define SERVER_UIDS 12,343,93 * The root account can always run this program, so you don't have to * to list that. If you do list it, it must be given last. * * The second option is to create a special group, called something like * "pwauth" for user id's that are allowed to run pwauth. To do this, you * should compile pwauth with the SERVER_UIDS variable UNDEFINED. This will * disable the runtime uid check. Then, when you install the pwauth program, * set it's group ownership to the "pwauth" group, and permit it so that only * the owner and the group can run it. Do not permit it to be executable to * others. This has the advantage of not requiring a recompile if you want * to change the uid list. */ #define SERVER_UIDS 72 /* user "nobody" */ /* If MIN_UNIX_UID is defined to an integer, logins with uid numbers less than * that value will be rejected, even if the password is correct. * * If you are using PAM to authenticate against anything other than the local * unix password file, then leave this undefined (if you define it, only login * names which are in the local unix passwd file and have uid's greater the * given value will be accepted). */ #define MIN_UNIX_UID 500 /**/ /* If IGNORE_CASE is defined, the login given is checked in two different * ways. First without any changes and then with all letters converted to * lower case. This is useful for users accustomed to the Windows environment. */ /* #define IGNORE_CASE /**/ /* If DOMAIN_AWARE is enabled, then we we check login names to see if they * contain a backslash, and discard anything up to and including the backslash. * This is for use in environments where there are windows users accustomed * to login names formed like "domain\username". */ /* #define DOMAIN_AWARE /**/ /* On failed authentications, pwauth will sleep for SLEEP_TIME seconds, using * a lock on the file whose full path is given by SLEEP_LOCK to prevent any * other instances of pwauth from running during that time. This is meant * to slow down password guessing programs, but could be a performance * problem on extremely heavily used systems. To disable this, don't define * SLEEP_LOCK. SLEEP_TIME defaults to 2 seconds if not defined. */ #define SLEEP_LOCK "/var/run/pwauth.lock" /* If ENV_METHOD is defined, pwauth expects mod_auth_external to be configured * SetAuthExternalMethod environment * instead of * SetAuthExternalMethod pipe * This is insecure on some versions of Unixes, but might be a bit faster. */ /* #define ENV_METHOD /**/ /* If /usr/include/paths.h exists define this. Obviously I need to autoconfig * this. */ #define PATHS_H /**/ pwauth-2.3.8.orig/lastlog.c0000640000175000017500000000444511142072264016160 0ustar haizaarfornovadev/* ======================================================================= * Copyright 1996, Jan D. Wolter and Steven R. Weiss, All Rights Reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in * the documentation and/or other materials provided with the * distribution. * * 3. The names of the authors must not be used to endorse or * promote products derived from this software without prior written * permission. * * THIS SOFTWARE IS PROVIDED BY THE AUTHORS ``AS IS'' AND ANY * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE * OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, * EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. * ======================================================================= */ #include "pwauth.h" /* LASTLOG - update the system's lastlog */ #ifdef UNIX_LASTLOG void lastlog() { struct lastlog ll; int fd; char *hostname= getenv("HOST"); char *hostaddr= getenv("IP"); ll.ll_time= time(0L); strncpy(ll.ll_line,"http",UT_LINESIZE); if (hostname != NULL && strlen(hostname) <= UT_HOSTSIZE) strncpy(ll.ll_host,hostname,UT_HOSTSIZE); else if (hostaddr != NULL) strncpy(ll.ll_host,hostaddr,UT_HOSTSIZE); else ll.ll_host[0]= '\0'; if ((fd= open(LASTLOG,O_WRONLY)) < 0) return; lseek(fd, (long)(hisuid * sizeof(struct lastlog)), 0); write(fd, &ll, sizeof(struct lastlog)); close(fd); } #endif /*UNIX_LASTLOG*/ pwauth-2.3.8.orig/fail_check.c0000640000175000017500000001300611142072264016554 0ustar haizaarfornovadev/* ======================================================================= * Copyright 1996, Jan D. Wolter and Steven R. Weiss, All Rights Reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in * the documentation and/or other materials provided with the * distribution. * * 3. The names of the authors must not be used to endorse or * promote products derived from this software without prior written * permission. * * THIS SOFTWARE IS PROVIDED BY THE AUTHORS ``AS IS'' AND ANY * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE * OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, * EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. * ======================================================================= */ #include #include #include #include #include #include "config.h" #include "fail_log.h" #ifdef FAILLOG_JFH /* CHECK_FAILS - Read the faillog file entry for the given uid. Return NULL * if there have been no failures. If there have been failures, reset the * count to zero if "reset" is true, and Return a string describing the state. * The format of the string depends on the versbose flag. * verbose=0 * :::\n * verbose=1 * failures since last login. Last was