authorArthur de Jong <arthur@arthurdejong.org>2010-06-01 22:24:23 +0200
committerArthur de Jong <arthur@arthurdejong.org>2010-06-01 22:24:23 +0200
commit99ee179d9dc7f533792d1e57aa3c4e303e8edc60 (patch)
tree4aa7673deb8cab900b13a1cb403020f30b022ef6 /pam/pam.c
parentcc014bf0165d3e952465fb473de7335ba43b2eeb (diff)
implement a nullok PAM option and disable empty passwords by default
git-svn-id: http://arthurdejong.org/svn/nss-pam-ldapd/nss-pam-ldapd@1129 ef36b2f9-881f-0410-afb5-c4e39611909c
Diffstat (limited to 'pam/pam.c')
-rw-r--r--pam/pam.c19
1 files changed, 18 insertions, 1 deletions
diff --git a/pam/pam.c b/pam/pam.c
index d52ce27..f1adaa1 100644
--- a/pam/pam.c
+++ b/pam/pam.c
@@ -140,6 +140,7 @@ static int ctx_get(pam_handle_t *pamh,const char *username,struct pld_ctx **pctx
struct pld_cfg {
int use_first_pass;
int try_first_pass;
+ int nullok;
int no_warn;
int ignore_unknown_user;
int ignore_authinfo_unavail;
@@ -157,6 +158,7 @@ static int init(pam_handle_t *pamh,int flags,int argc,const char **argv,
/* initialise config with defaults */
cfg->use_first_pass=0;
cfg->try_first_pass=0;
+ cfg->nullok=0;
cfg->no_warn=0;
cfg->ignore_unknown_user=0;
cfg->ignore_authinfo_unavail=0;
@@ -169,6 +171,8 @@ static int init(pam_handle_t *pamh,int flags,int argc,const char **argv,
cfg->use_first_pass=1;
else if (strcmp(argv[i],"try_first_pass")==0)
cfg->try_first_pass=1;
+ else if (strcmp(argv[i],"nullok")==0)
+ cfg->nullok=1;
else if (strcmp(argv[i],"use_authtok")==0)
/* ignore, this option is used by pam_get_authtok() internally */;
else if (strcmp(argv[i],"no_warn")==0)
@@ -363,7 +367,13 @@ int pam_sm_authenticate(pam_handle_t *pamh,int flags,int argc,const char **argv)
rc=pam_get_item(pamh,PAM_AUTHTOK,(const void **)&passwd);
if (rc!=PAM_SUCCESS)
pam_syslog(pamh,LOG_ERR,"failed to get password: %s",pam_strerror(pamh,rc));
- if (rc==PAM_SUCCESS)
+ else if (!cfg.nullok&&((passwd==NULL)||(passwd[0]=='\0')))
+ {
+ if (cfg.debug)
+ pam_syslog(pamh,LOG_DEBUG,"user has empty password, access denied");
+ rc=PAM_AUTH_ERR;
+ }
+ else
{
rc=nslcd_request_authc(pamh,ctx,&cfg,username,service,passwd);
if (rc==PAM_SUCCESS)
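Review bot: When `nullok` is set, a NULL or empty `passwd` falls through to the `else` branch and is passed to nslcd_request_authc() unchanged, which deserves a comment because the safety of the option then rests entirely on the LDAP side. If the daemon performs a simple bind with this value (not visible here), many servers treat an empty-password bind as an unauthenticated bind and report success. Suggested comment above the check: `/* empty passwords are refused unless nullok is set; with nullok the LDAP server must itself reject empty-password binds */`. The refusal is also logged only at LOG_DEBUG and only when `cfg.debug` is set, so a rejected empty-password attempt leaves no trace in a default configuration; consider logging it unconditionally. The body of pam_sm_authenticate continues outside the hunk.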
@@ -557,6 +567,13 @@ int pam_sm_chauthtok(pam_handle_t *pamh,int flags,int argc,const char **argv)
if (rc!=PAM_SUCCESS)
return rc;
}
+ /* check for empty password */
+ if (!cfg.nullok&&((oldpassword==NULL)||(oldpassword[0]=='\0')))
+ {
+ if (cfg.debug)
+ pam_syslog(pamh,LOG_DEBUG,"user has empty password, access denied");
+ rc=PAM_AUTH_ERR;
+ }
/* try authenticating */
rc=nslcd_request_authc(pamh,ctx,&cfg,username,service,oldpassword);
if (rc==PAM_SUCCESS)
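Review bot: The empty-password check added to pam_sm_chauthtok has no effect, because `rc=PAM_AUTH_ERR;` is overwritten by the unconditional `rc=nslcd_request_authc(...)` two lines later. An empty old password is therefore still sent for authentication when `nullok` is not set. The block should leave the function as the error path just above it does, e.g. `return PAM_AUTH_ERR;` in place of `rc=PAM_AUTH_ERR;`, or the authentication call should move into an `else` as in pam_sm_authenticate. The function starts and ends outside the hunk, so confirm that no cleanup is needed before returning early.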