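/*
 * chkpwd-pam-0.1.1.1 -- source archive listing.
 *
 * This page is a tar archive printed as text.  The per-member tar header
 * fields (modes, sizes, checksums) are binary residue and are not repeated
 * here.  The pax global header carried:
 *     comment=947c83e0b16413a8672d1ad912605cf573e580a6
 *
 * Members other than chkpwd-pam.c are kept verbatim inside comments so the
 * listing stays a single readable C file.
 *
 * ---- chkpwd-pam-0.1.1.1/.gear/rules ----
 *
 * tar: .
 *
 * ---- chkpwd-pam-0.1.1.1/Makefile ----
 *
 * CFLAGS := -Wall -pipe -O2
 * LDFLAGS :=
 * LIBS = -lpam_userpass -lpam
 *
 * chkpwd-pam: chkpwd-pam.c
 * 	$(CC) $(CFLAGS) $(LDFLAGS) -o $@ $< $(LIBS)
 */

/* ---- chkpwd-pam-0.1.1.1/chkpwd-pam.c ---- */

/*
 * NOTE(review): the header names were lost when the page was extracted (the
 * original shows eleven bare "#include" tokens).  The list below is
 * reconstructed from the identifiers this file uses; confirm it against the
 * upstream source.
 */
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#include <errno.h>
#include <time.h>
#include <pwd.h>
#include <syslog.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <security/pam_appl.h>
#include <security/pam_userpass.h>

#ifndef PROGNAME
#define PROGNAME "chkpwd-pam"
#endif

/* Directory holding one lock file per calling uid (see throttle()). */
#define LOCKDIR "/var/lock/" PROGNAME
/* Minimum number of seconds between two checks by the same uid; 0 disables. */
#define THROTTLE 3

/* Process exit status reported to the caller. */
typedef enum {
	AuthOK = 0,
	AuthBad = 1,
	AuthError = 2,
	AuthAbort = 3
} AuthReturn;

/*
 * Zero a buffer through a volatile pointer.  A plain memset() on a local
 * array that is never read again is a dead store the optimiser is allowed
 * to remove (the Makefile builds with -O2), which would leave the password
 * on the stack.
 */
static void wipe(void *buf, size_t len)
{
	volatile unsigned char *p = buf;

	while (len--)
		*p++ = 0;
}

#if THROTTLE
/*
 * Rate-limit password checks per uid.
 *
 * Changes the working directory to LOCKDIR and uses a file named after the
 * uid (zero-padded upper-case hex) as both lock and timestamp:
 *   - file did not exist: it is created and the call returns at once;
 *   - file exists: take a blocking write lock, sleep until THROTTLE seconds
 *     have passed since its mtime (never longer than THROTTLE, which also
 *     bounds the wait if the mtime lies in the future), then set the mtime
 *     to "now".  The lock is held while sleeping, so concurrent invocations
 *     by the same uid are serialised.
 *
 * Returns 0 on success and non-zero on any failure.  main() treats failure
 * as AuthError, so a missing or inaccessible LOCKDIR fails closed instead of
 * disabling the throttle.
 *
 * The packaging on this page creates the lock directory with mode 1770
 * root:chkpwd and installs the binary 2711 root:chkpwd (setgid).
 */
static int throttle(uid_t uid)
{
	char fname[sizeof(uid) * 2 + 1];
	struct flock lk = {
		.l_type = F_WRLCK,
		.l_whence = SEEK_SET,
		.l_start = 0,
		.l_len = 0
	};
	struct stat st;
	time_t t;
	int fd;
	int n;

	if (chdir(LOCKDIR))
		return -1;

	/* Bounded formatting; the name is the same as "%0*X" produced. */
	n = snprintf(fname, sizeof(fname), "%0*lX",
		     (int)(sizeof(fname) - 1), (unsigned long)uid);
	if (n < 0 || (size_t)n >= sizeof(fname))
		return -1;

	/* O_EXCL|O_NOFOLLOW: never follow a symlink planted under this name. */
	fd = open(fname, O_RDWR|O_CREAT|O_EXCL|O_NOFOLLOW, 0600);
	if (fd >= 0)
		return close(fd);
	if (errno != EEXIST)
		return -1;

	fd = open(fname, O_RDWR|O_NOFOLLOW);
	if (fd < 0)
		return -1;

	if (fcntl(fd, F_SETLKW, &lk) || fstat(fd, &st)) {
		close(fd);
		return -1;
	}

	t = st.st_mtime + THROTTLE - time(0);
	if (t > 0) {
		if (t > THROTTLE)
			t = THROTTLE;
		/* sleep() returns the unslept remainder when interrupted. */
		do {
			t = sleep(t);
		} while (t);
	}

	/* Record this attempt as the new reference time. */
	if (futimens(fd, NULL)) {
		close(fd);
		return -1;
	}
	return close(fd);
}
#endif

/*
 * Check the password of the invoking user through the "userpass" PAM service.
 *
 * The account is taken from the real uid (getuid()), not from an argument,
 * so a caller can only test its own password.  The password is read from
 * stdin in a single read() of at most 255 bytes and used as received; a
 * trailing newline, if the caller sends one, is part of the password.
 *
 * Exit status: AuthOK, AuthBad, AuthError or AuthAbort.
 */
int main(void)
{
	char password[256];
	pam_userpass_t data;
	pam_handle_t *h;
	ssize_t l;
	int err;
	struct passwd *pwent;
	struct pam_conv conv = {.conv = pam_userpass_conv, .appdata_ptr = &data};
	uid_t uid = getuid();

#if THROTTLE
	/* Throttle before touching the password so every attempt pays the delay. */
	if (throttle(uid))
		return AuthError;
#endif

	pwent = getpwuid(uid);
	if (!pwent || !pwent->pw_name)
		return AuthError;
	data.user = pwent->pw_name;

	l = read(STDIN_FILENO, password, sizeof(password) - 1);
	if (l < 0)
		return AuthError;
	password[l] = '\0';
	data.pass = password;

	openlog(PROGNAME, LOG_PID, LOG_AUTH);

	if (pam_start("userpass", data.user, &conv, &h) != PAM_SUCCESS) {
		/* The original returned here with the password still in memory. */
		wipe(password, sizeof(password));
		return AuthError;
	}

	err = pam_authenticate(h, 0);
	pam_end(h, err);

	/* Clear the whole buffer, not just the l bytes that were read. */
	wipe(password, sizeof(password));

	switch (err) {
	case PAM_SUCCESS:
		return AuthOK;

	case PAM_ABORT:
		return AuthAbort;

	case PAM_USER_UNKNOWN:
	case PAM_AUTH_ERR:
	case PAM_MAXTRIES:
	case PAM_AUTHINFO_UNAVAIL:
		return AuthBad;

	case PAM_CRED_INSUFFICIENT:
	default:
		return AuthError;
	}
}

/*
 * ---- chkpwd-pam-0.1.1.1/chkpwd-pam.spec ----
 *

%define _group chkpwd
%define _libexecdir %_prefix/libexec

Name: chkpwd-pam
Version: 0.1.1.1
Release: alt1
Summary: PAM user password checker
License: GPLv3
Group: System/Base

Source: %name-%version.tar

%define _bindir %_libexecdir/%name
%define lockfilesdir %_lockdir/%name

BuildRequires: pam_userpass-devel

%description
Tool for check user password through PAM.

%prep
%setup -q

%build
%make_build CFLAGS="%optflags"

%install
install -d -m 0755 %buildroot{%_bindir,%lockfilesdir,%_tmpfilesdir,%_sysconfdir/pam.d}
install -m 0755 %name %buildroot%_bindir/
install -m 0644 userpass.pamd %buildroot%_sysconfdir/pam.d/userpass
echo 'd %lockfilesdir 1770 root %_group' > %buildroot%_tmpfilesdir/%name.conf

%files
%dir %_bindir
%attr(2711,root,%_group) %_bindir/*
%attr(1770,root,%_group) %dir %lockfilesdir
%_tmpfilesdir/%name.conf
%_sysconfdir/pam.d/*

%changelog
* Tue Apr 09 2013 Led 0.1.1.1-alt1
- chkpwd-pam.c: fixed lockdir path

* Thu Apr 04 2013 Led 0.1.1-alt1
- 0.1.1:
  + add throttle chkpwd-pam invocations to avoid abusing it for bruteforcing
    the password
- add systemd support

* Wed Apr 03 2013 Led 0.1.0-alt2
- moved chkpwd-pam to separate directory

* Tue Apr 02 2013 Led 0.1.0-alt1
- initial build

 *
 * ---- chkpwd-pam-0.1.1.1/userpass.pamd ----
 *

#%PAM-1.0
auth required pam_userpass.so
auth include system-auth-use_first_pass

 */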