[svn-upgrade] Integrating new upstream version, shadow (4.0.11)

lib/Makefile.am

@@ -6,7 +6,7 @@ DEFS =
 lib_LTLIBRARIES = libshadow.la
 
 libshadow_la_LDFLAGS = -version-info 0:0:0
-libshadow_la_LIBADD = $(INTLLIBS) $(LIBCRYPT) $(LIBSELINUX)
+libshadow_la_LIBADD = $(INTLLIBS) $(LIBCRYPT) $(LIBSKEY) $(LIBMD) $(LIBSELINUX)
 
 libshadow_la_SOURCES = \
 	commonio.c \

lib/Makefile.in

@@ -58,6 +58,7 @@ libLTLIBRARIES_INSTALL = $(INSTALL)
 LTLIBRARIES = $(lib_LTLIBRARIES)
 am__DEPENDENCIES_1 =
 libshadow_la_DEPENDENCIES = $(am__DEPENDENCIES_1) \
+	$(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \
 	$(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1)
 am_libshadow_la_OBJECTS = commonio.lo encrypt.lo fputsx.lo getdef.lo \
 	getpass.lo groupio.lo gshadow.lo lockpw.lo nscd.lo port.lo \
@@ -121,10 +122,12 @@ LIBCRACK = @LIBCRACK@
 LIBCRYPT = @LIBCRYPT@
 LIBICONV = @LIBICONV@
 LIBINTL = @LIBINTL@
+LIBMD = @LIBMD@
 LIBOBJS = @LIBOBJS@
 LIBPAM = @LIBPAM@
 LIBS = @LIBS@
 LIBSELINUX = @LIBSELINUX@
+LIBSKEY = @LIBSKEY@
 LIBTOOL = @LIBTOOL@
 LN_S = @LN_S@
 LTLIBICONV = @LTLIBICONV@
@@ -201,7 +204,7 @@ target_alias = @target_alias@
 AUTOMAKE_OPTIONS = 1.0 foreign
 lib_LTLIBRARIES = libshadow.la
 libshadow_la_LDFLAGS = -version-info 0:0:0
-libshadow_la_LIBADD = $(INTLLIBS) $(LIBCRYPT) $(LIBSELINUX)
+libshadow_la_LIBADD = $(INTLLIBS) $(LIBCRYPT) $(LIBSKEY) $(LIBMD) $(LIBSELINUX)
 libshadow_la_SOURCES = \
 	commonio.c \
 	commonio.h \

lib/getdef.c

@@ -30,7 +30,7 @@
 #include <config.h>
 
 #include "rcsid.h"
-RCSID ("$Id: getdef.c,v 1.30 2005/05/25 19:31:50 kloczek Exp $")
+RCSID ("$Id: getdef.c,v 1.31 2005/07/12 18:54:39 kloczek Exp $")
 #include "prototypes.h"
 #include "defines.h"
 #include <stdio.h>
@@ -72,7 +72,6 @@ static struct itemdef def_table[] = {
 	{"LASTLOG_ENAB", NULL},
 	{"LOGIN_STRING", NULL},
 	{"MAIL_CHECK_ENAB", NULL},
-	{"MAIL_DIR", NULL},
 	{"MAIL_FILE", NULL},
 	{"MD5_CRYPT_ENAB", NULL},
 	{"MOTD_FILE", NULL},
@@ -88,8 +87,8 @@ static struct itemdef def_table[] = {
 	{"QUOTAS_ENAB", NULL},
 	{"ULIMIT", NULL},
 #endif
-	{"CONSOLE", NULL},
 	{"CONSOLE_GROUPS", NULL},
+	{"CONSOLE", NULL},
 	{"CREATE_HOME", NULL},
 	{"ERASECHAR", NULL},
 	{"FAKE_SHELL", NULL},
@@ -102,6 +101,7 @@ static struct itemdef def_table[] = {
 	{"LOGIN_TIMEOUT", NULL},
 	{"LOG_OK_LOGINS", NULL},
 	{"LOG_UNKFAIL_ENAB", NULL},
+	{"MAIL_DIR", NULL},
 	{"SULOG_FILE", NULL},
 	{"SU_NAME", NULL},
 #ifdef USE_SYSLOG

lib/nscd.c

@@ -13,7 +13,8 @@
 /* Version number of the daemon interface */
 #define NSCD_VERSION 2
 /* Path for the Unix domain socket.  */
-#define _PATH_NSCDSOCKET "/var/run/.nscd_socket"
+#define _PATH_NSCDSOCKET "/var/run/nscd/socket"
+#define _PATH_NSCDSOCKET_OLD "/var/run/.nscd_socket"
 
 /* Available services.  */
 typedef enum {
@@ -57,8 +58,15 @@ static int nscd_open_socket (void)
 	assert (sizeof (addr.sun_path) >= sizeof (_PATH_NSCDSOCKET));
 	strcpy (addr.sun_path, _PATH_NSCDSOCKET);
 	if (connect (sock, (struct sockaddr *) &addr, sizeof (addr)) < 0) {
-		close (sock);
-		return -1;
+		addr.sun_family = AF_UNIX;
+		assert (sizeof (addr.sun_path) >=
+			sizeof (_PATH_NSCDSOCKET_OLD));
+		strcpy (addr.sun_path, _PATH_NSCDSOCKET_OLD);
+		if (connect (sock, (struct sockaddr *) &addr, sizeof (addr)) <
+		    0) {
+			close (sock);
+			return -1;
+		}
 	}
 
 	return sock;
@@ -71,6 +79,7 @@ int nscd_flush_cache (char *service)
 {
 	int sock = nscd_open_socket ();
 	request_header req;
+	struct iovec iov[2];
 	ssize_t nbytes;
 
 	if (sock == -1)
@@ -78,15 +87,15 @@ int nscd_flush_cache (char *service)
 
 	req.version = NSCD_VERSION;
 	req.type = INVALIDATE;
-	req.key_len = strlen (service) + 1;
-	nbytes = write (sock, &req, sizeof (request_header));
-	if (nbytes != sizeof (request_header)) {
-		close (sock);
-		return -1;
-	}
+	req.key_len = strlen (service);
 
-	nbytes = write (sock, (void *) service, req.key_len);
+	iov[0].iov_base = &req;
+	iov[0].iov_len = sizeof (req);
+	iov[1].iov_base = service;
+	iov[1].iov_len = req.key_len;
+
+	nbytes = writev (sock, iov, 2);
 
 	close (sock);
-	return (nbytes != req.key_len ? (-1) : 0);
+	return (nbytes != iov[0].iov_len + iov[1].iov_len ? (-1) : 0);
 }

lib/pwauth.c

@@ -31,7 +31,7 @@
 
 #ifndef USE_PAM
 #include "rcsid.h"
-RCSID ("$Id: pwauth.c,v 1.17 2005/04/17 15:21:42 kloczek Exp $")
+RCSID ("$Id: pwauth.c,v 1.18 2005/07/07 18:53:14 kloczek Exp $")
 #include <sys/types.h>
 #include <signal.h>
 #include <fcntl.h>
@@ -41,6 +41,9 @@ RCSID ("$Id: pwauth.c,v 1.17 2005/04/17 15:21:42 kloczek Exp $")
 #include "defines.h"
 #include "pwauth.h"
 #include "getdef.h"
+#ifdef SKEY
+#include <skey.h>
+#endif
 #ifdef __linux__		/* standard password prompt by default */
 static const char *PROMPT = gettext_noop ("Password: ");
 #else
@@ -69,6 +72,12 @@ pw_auth (const char *cipher, const char *user, int reason, const char *input)
 	const char *cp;
 	int retval;
 
+#ifdef	SKEY
+	int use_skey = 0;
+	char challenge_info[40];
+	struct skey skey;
+#endif
+
 	/*
 	 * There are programs for adding and deleting authentication data.
 	 */
@@ -79,6 +88,7 @@ pw_auth (const char *cipher, const char *user, int reason, const char *input)
 	/*
 	 * There are even programs for changing the user name ...
 	 */
+
 	if (reason == PW_CHANGE && input != (char *) 0)
 		return 0;
 
@@ -90,6 +100,7 @@ pw_auth (const char *cipher, const char *user, int reason, const char *input)
 	 * know it.  This is a policy decision that might have to be
 	 * revisited.
 	 */
+
 	if (reason == PW_CHANGE && getuid () == 0)
 		return 0;
 
@@ -101,16 +112,34 @@ pw_auth (const char *cipher, const char *user, int reason, const char *input)
 	 * the user could just hit <ENTER>, so it doesn't really
 	 * matter.
 	 */
+
 	if (cipher == (char *) 0 || *cipher == '\0')
 		return 0;
 
+#ifdef	SKEY
+	/*
+	 * If the user has an S/KEY entry show them the pertinent info
+	 * and then we can try validating the created cyphertext and the SKEY.
+	 * If there is no SKEY information we default to not using SKEY.
+	 */
+
+	if (skeychallenge (&skey, user, challenge_info) == 0)
+		use_skey = 1;
+#endif
+
 	/*
 	 * Prompt for the password as required.  FTPD and REXECD both
 	 * get the cleartext password for us.
 	 */
+
 	if (reason != PW_FTP && reason != PW_REXEC && !input) {
 		if (!(cp = getdef_str ("LOGIN_STRING")))
 			cp = _(PROMPT);
+#ifdef	SKEY
+		if (use_skey)
+			printf ("[%s]\n", challenge_info);
+#endif
+
 		snprintf (prompt, sizeof prompt, cp, user);
 		clear = getpass (prompt);
 		if (!clear) {
@@ -125,16 +154,50 @@ pw_auth (const char *cipher, const char *user, int reason, const char *input)
 	/*
 	 * Convert the cleartext password into a ciphertext string.
 	 * If the two match, the return value will be zero, which is
-	 * SUCCESS.
+	 * SUCCESS. Otherwise we see if SKEY is being used and check
+	 * the results there as well.
 	 */
+
 	retval = strcmp (pw_encrypt (input, cipher), cipher);
 
+#ifdef  SKEY
+	/*
+	 * If (1) The password fails to match, and
+	 * (2) The password is empty and
+	 * (3) We are using OPIE or S/Key, then
+	 * ...Re-prompt, with echo on.
+	 * -- AR 8/22/1999
+	 */
+	if (retval && !input[0] && (use_skey)) {
+		strncat (prompt, "(Echo on) ",
+			 (sizeof (prompt) - strlen (prompt)));
+		clear = getpass_with_echo (prompt);
+		if (!clear) {
+			static char c[1];
+
+			c[0] = '\0';
+			clear = c;
+		}
+		input = clear;
+	}
+
+	if (retval && use_skey) {
+		int passcheck = -1;
+
+		if (skeyverify (&skey, input) == 0)
+			passcheck = skey.n;
+		if (passcheck > 0)
+			retval = 0;
+	}
+#endif
+
 	/*
 	 * Things like RADIUS authentication may need the password -
 	 * if the external variable wipe_clear_pass is zero, we will
 	 * not wipe it (the caller should wipe clear_pass when it is
 	 * no longer needed).  --marekm
 	 */
+
 	clear_pass = clear;
 	if (wipe_clear_pass && clear && *clear)
 		strzero (clear);