diff options
author | tedu <tedu@openbsd.org> | 2016-05-17 20:51:56 +0000 |
---|---|---|
committer | tedu <tedu@openbsd.org> | 2016-05-17 20:51:56 +0000 |
commit | 464d4a88da6b596a024e6422630a4ac9142cc6b8 (patch) | |
tree | cfa1406baacae2cd8a5efc6195e75c123b3eb898 /usr.sbin/pppd | |
parent | remove VOP_CLOSE and vput that will be handled in the epilogue. (diff) | |
download | wireguard-openbsd-464d4a88da6b596a024e6422630a4ac9142cc6b8.tar.xz wireguard-openbsd-464d4a88da6b596a024e6422630a4ac9142cc6b8.zip |
remove pam and shadow code that's not used. ok deraadt jca
Diffstat (limited to 'usr.sbin/pppd')
-rw-r--r-- | usr.sbin/pppd/auth.c | 179 |
1 files changed, 1 insertions, 178 deletions
diff --git a/usr.sbin/pppd/auth.c b/usr.sbin/pppd/auth.c index 1e2f175c881..6bbe5d7eff5 100644 --- a/usr.sbin/pppd/auth.c +++ b/usr.sbin/pppd/auth.c @@ -1,4 +1,4 @@ -/* $OpenBSD: auth.c,v 1.36 2016/05/09 17:32:24 tedu Exp $ */ +/* $OpenBSD: auth.c,v 1.37 2016/05/17 20:51:56 tedu Exp $ */ /* * auth.c - PPP authentication and phase control. @@ -94,16 +94,7 @@ #include <netinet/in.h> #include <arpa/inet.h> -#ifdef USE_PAM -#include <security/pam_appl.h> -#endif -#ifdef HAS_SHADOW -#include <shadow.h> -#ifndef PW_PPP -#define PW_PPP PW_LOGIN -#endif -#endif #include "pppd.h" #include "fsm.h" @@ -734,75 +725,6 @@ check_passwd(unit, auser, userlen, apasswd, passwdlen, msg, msglen) } /* - * This function is needed for PAM. - */ - -#ifdef USE_PAM -static char *PAM_username = ""; -static char *PAM_password = ""; - -#ifdef PAM_ESTABLISH_CRED /* new PAM defines :(^ */ -#define MY_PAM_STRERROR(err_code) (char *) pam_strerror(pamh,err_code) -#else -#define MY_PAM_STRERROR(err_code) (char *) pam_strerror(err_code) -#endif - -static int pam_conv (int num_msg, - const struct pam_message **msg, - struct pam_response **resp, - void *appdata_ptr) -{ - int count = 0, replies = 0; - struct pam_response *reply = NULL; - int size = 0; - - for (count = 0; count < num_msg; count++) - { - struct pam_response *newreply; - int newsize = size + sizeof (struct pam_response); - newreply = realloc (reply, newsize); /* ANSI: is malloc() if reply==NULL */ - if (!newreply) { - free(reply); - reply = NULL; - return PAM_CONV_ERR; - } - reply = newreply; - size = newsize; - - switch (msg[count]->msg_style) - { - case PAM_PROMPT_ECHO_ON: - reply[replies].resp_retcode = PAM_SUCCESS; - reply[replies++].resp = strdup(PAM_username); /* never NULL */ - break; - - case PAM_PROMPT_ECHO_OFF: - reply[replies].resp_retcode = PAM_SUCCESS; - reply[replies++].resp = strdup(PAM_password); /* never NULL */ - break; - - case PAM_TEXT_INFO: - reply[replies].resp_retcode = PAM_SUCCESS; - reply[replies++].resp = NULL; - break; - - case PAM_ERROR_MSG: - default: - free (reply); - return PAM_CONV_ERR; - } - } - - if (resp) - *resp = reply; - else - free (reply); - - return PAM_SUCCESS; -} -#endif - -/* * plogin - Check the user name and password against the system * password database, and login the user if OK. * @@ -820,64 +742,10 @@ plogin(user, passwd, msg, msglen) int *msglen; { -#ifdef USE_PAM - - struct pam_conv pam_conversation; - pam_handle_t *pamh; - int pam_error; -/* - * Fill the pam_conversion structure - */ - memset (&pam_conversation, '\0', sizeof (struct pam_conv)); - pam_conversation.conv = &pam_conv; - - pam_error = pam_start ("ppp", user, &pam_conversation, &pamh); - - if (pam_error != PAM_SUCCESS) { - *msg = MY_PAM_STRERROR (pam_error); - return UPAP_AUTHNAK; - } -/* - * Define the fields for the credential validation - */ - (void) pam_set_item (pamh, PAM_TTY, devnam); - PAM_username = user; - PAM_password = passwd; -/* - * Validate the user - */ - pam_error = pam_authenticate (pamh, PAM_SILENT); - if (pam_error == PAM_SUCCESS) { - pam_error = pam_acct_mgmt (pamh, PAM_SILENT); - - /* start a session for this user. Session closed when link ends. */ - if (pam_error == PAM_SUCCESS) - (void) pam_open_session (pamh, PAM_SILENT); - } - - *msg = MY_PAM_STRERROR (pam_error); - - PAM_username = - PAM_password = ""; -/* - * Clean up the mess - */ - (void) pam_end (pamh, pam_error); - - if (pam_error != PAM_SUCCESS) - return UPAP_AUTHNAK; -/* - * Use the non-PAM methods directly - */ -#else /* #ifdef USE_PAM */ struct passwd *pw; char *tty; -#ifdef HAS_SHADOW - struct spwd *spwd; - struct spwd *getspnam(); -#endif pw = getpwnam_shadow(user); endpwent(); @@ -885,23 +753,6 @@ plogin(user, passwd, msg, msglen) return (UPAP_AUTHNAK); } -#ifdef HAS_SHADOW - spwd = getspnam(user); - endspent(); - if (spwd) { - /* check the age of the password entry */ - long now = time(NULL) / 86400L; - - if ((spwd->sp_expire > 0 && now >= spwd->sp_expire) - || ((spwd->sp_max >= 0 && spwd->sp_max < 10000) - && spwd->sp_lstchg >= 0 - && now >= spwd->sp_lstchg + spwd->sp_max)) { - syslog(LOG_WARNING, "Password for %s has expired", user); - return (UPAP_AUTHNAK); - } - pw->pw_passwd = spwd->sp_pwdp; - } -#endif /* * If no passwd, don't let them login. @@ -910,12 +761,6 @@ plogin(user, passwd, msg, msglen) || strcmp(crypt(passwd, pw->pw_passwd), pw->pw_passwd) != 0) return (UPAP_AUTHNAK); - /* These functions are not enabled for PAM. The reason for this is that */ - /* there is not necessarily a "passwd" entry for this user. That is */ - /* real purpose of 'PAM' -- to virtualize the account data from the */ - /* application. If you want to do the same thing, write the entry in */ - /* the 'session' hook. */ - /* * Write a wtmp entry for this user. */ @@ -941,7 +786,6 @@ plogin(user, passwd, msg, msglen) } #endif -#endif /* #ifdef USE_PAM */ syslog(LOG_INFO, "user %s logged in", user); logged_in = TRUE; @@ -955,33 +799,12 @@ plogin(user, passwd, msg, msglen) static void plogout() { -#ifdef USE_PAM - struct pam_conv pam_conversation; - pam_handle_t *pamh; - int pam_error; -/* - * Fill the pam_conversion structure. The PAM specification states that the - * session must be able to be closed by a totally different handle from which - * it was created. Hold the PAM group to their own specification! - */ - memset (&pam_conversation, '\0', sizeof (struct pam_conv)); - pam_conversation.conv = &pam_conv; - - pam_error = pam_start ("ppp", user, &pam_conversation, &pamh); - if (pam_error == PAM_SUCCESS) { - (void) pam_set_item (pamh, PAM_TTY, devnam); - (void) pam_close_session (pamh, PAM_SILENT); - (void) pam_end (pamh, PAM_SUCCESS); - } - -#else char *tty; tty = devnam; if (strncmp(tty, "/dev/", 5) == 0) tty += 5; logwtmp(tty, "", ""); /* Wipe out utmp logout entry */ -#endif logged_in = FALSE; } |