diff options
| author | Denis Vlasenko <vda.linux@googlemail.com> | 2007-09-03 11:56:27 +0000 |
|---|---|---|
| committer | Denis Vlasenko <vda.linux@googlemail.com> | 2007-09-03 11:56:27 +0000 |
| commit | 82f3b16713dd43d25ecd25efc1dc67d00c81af73 (patch) | |
| tree | 9aff26cf7314089e4f826ca0761eb8ffdf25f622 | |
| parent | 9862e6b0560ba8d4261d16534d9372883aca98bc (diff) | |
| download | busybox-w32-82f3b16713dd43d25ecd25efc1dc67d00c81af73.tar.gz busybox-w32-82f3b16713dd43d25ecd25efc1dc67d00c81af73.tar.bz2 busybox-w32-82f3b16713dd43d25ecd25efc1dc67d00c81af73.zip | |
login: do reject wrong passwords with PAM auth
| -rw-r--r-- | loginutils/login.c | 33 |
1 files changed, 21 insertions, 12 deletions
diff --git a/loginutils/login.c b/loginutils/login.c index 3b4cf2af8..5d5053840 100644 --- a/loginutils/login.c +++ b/loginutils/login.c | |||
| @@ -307,18 +307,26 @@ int login_main(int argc, char **argv) | |||
| 307 | goto pam_auth_failed; | 307 | goto pam_auth_failed; |
| 308 | } | 308 | } |
| 309 | pamret = pam_authenticate(pamh, 0); | 309 | pamret = pam_authenticate(pamh, 0); |
| 310 | if (pamret == PAM_SUCCESS) { | 310 | if (pamret != PAM_SUCCESS) { |
| 311 | char *pamuser; | 311 | failed_msg = "pam_authenticate"; |
| 312 | /* check that the account is healthy. */ | 312 | goto pam_auth_failed; |
| 313 | pamret = pam_acct_mgmt(pamh, 0); | 313 | /* TODO: or just "goto auth_failed" |
| 314 | if (pamret != PAM_SUCCESS) { | 314 | * since user seems to enter wrong password |
| 315 | failed_msg = "account setup"; | 315 | * (in this case pamret == 7) |
| 316 | goto pam_auth_failed; | 316 | */ |
| 317 | } | 317 | } |
| 318 | /* read user back */ | 318 | /* check that the account is healthy */ |
| 319 | pamret = pam_acct_mgmt(pamh, 0); | ||
| 320 | if (pamret != PAM_SUCCESS) { | ||
| 321 | failed_msg = "account setup"; | ||
| 322 | goto pam_auth_failed; | ||
| 323 | } | ||
| 324 | /* read user back */ | ||
| 325 | { | ||
| 326 | const char *pamuser; | ||
| 319 | /* gcc: "dereferencing type-punned pointer breaks aliasing rules..." | 327 | /* gcc: "dereferencing type-punned pointer breaks aliasing rules..." |
| 320 | * thus we use double cast */ | 328 | * thus we cast to (void*) */ |
| 321 | if (pam_get_item(pamh, PAM_USER, (const void **)(void*)&pamuser) != PAM_SUCCESS) { | 329 | if (pam_get_item(pamh, PAM_USER, (void*)&pamuser) != PAM_SUCCESS) { |
| 322 | failed_msg = "pam_get_item(USER)"; | 330 | failed_msg = "pam_get_item(USER)"; |
| 323 | goto pam_auth_failed; | 331 | goto pam_auth_failed; |
| 324 | } | 332 | } |
| @@ -331,7 +339,7 @@ int login_main(int argc, char **argv) | |||
| 331 | break; | 339 | break; |
| 332 | goto auth_failed; | 340 | goto auth_failed; |
| 333 | pam_auth_failed: | 341 | pam_auth_failed: |
| 334 | bb_error_msg("%s failed: %s", failed_msg, pam_strerror(pamh, pamret)); | 342 | bb_error_msg("%s failed: %s (%d)", failed_msg, pam_strerror(pamh, pamret), pamret); |
| 335 | safe_strncpy(username, "UNKNOWN", sizeof(username)); | 343 | safe_strncpy(username, "UNKNOWN", sizeof(username)); |
| 336 | #else /* not PAM */ | 344 | #else /* not PAM */ |
| 337 | pw = getpwnam(username); | 345 | pw = getpwnam(username); |
| @@ -360,6 +368,7 @@ int login_main(int argc, char **argv) | |||
| 360 | auth_failed: | 368 | auth_failed: |
| 361 | opt &= ~LOGIN_OPT_f; | 369 | opt &= ~LOGIN_OPT_f; |
| 362 | bb_do_delay(FAIL_DELAY); | 370 | bb_do_delay(FAIL_DELAY); |
| 371 | /* TODO: doesn't sound like correct English phrase to me */ | ||
| 363 | puts("Login incorrect"); | 372 | puts("Login incorrect"); |
| 364 | if (++count == 3) { | 373 | if (++count == 3) { |
| 365 | syslog(LOG_WARNING, "invalid password for '%s'%s", | 374 | syslog(LOG_WARNING, "invalid password for '%s'%s", |