Date: Fri, 2 Mar 2001 15:23:02 +0200
From: Peter Pentchev <roam@orbitel.bg>
To: arch@FreeBSD.org
Subject: pw(8) patch: add -H encpass option to set the pw_passwd field
Message-ID: <20010302152302.C2609@ringworld.oblivion.bg>
Hi,
A post to -hackers got me thinking about adding a PAM authentication module,
which uses Blowfish encryption and authenticates against passwd(5).
The one major obstacle with this scheme (at least as far as I could see)
is that there would be no way to set or change the user passwords,
apart from frobbing the /etc/{s,}pwd.db files (which is impolite in
the extreme), or the /etc/{master.,}passwd files (which is basically
just as bad, not to mention having to invoke pwd_mkdb(8) afterwards).
So.. what would be so bad about the attached patch, which lets a program
or a script invoke pw(8) with a 'usermod -H new-encrypted-password'
and have pw(8) store that password as-is in the user's pw_passwd field?
The password is already encrypted, so there'd be no big security risks
of someone watching the process table or something.
G'luck,
Peter
--
This sentence is false.
Index: src/usr.sbin/pw/pw.8
===================================================================
RCS file: /home/ncvs/src/usr.sbin/pw/pw.8,v
retrieving revision 1.21
diff -u -r1.21 pw.8
--- src/usr.sbin/pw/pw.8 2001/02/01 16:43:57 1.21
+++ src/usr.sbin/pw/pw.8 2001/03/02 13:15:37
@@ -101,6 +101,7 @@
.Op Fl s Ar shell
.Op Fl L Ar class
.Op Fl h Ar fd
+.Op Fl H Ar encpass
.Op Fl N
.Op Fl P
.Op Fl Y
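Review bot: only this one synopsis gains `.Op Fl H Ar encpass`, while the pw.c part of the patch adds `H:` to four option strings (the first and third entries of both the user and grp tables). Each synopsis whose mode now accepts -H should list it, otherwise the manual page and the option parser disagree about where the flag is valid.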
@@ -456,6 +457,15 @@
See
.Xr passwd 5
for details.
+.It Fl H Ar encpass
+Set the
+.Em passwd
+field in the user's passwd record.
+This option assumes that
+.Ar encpass
+is an already-encrypted password, providing a hook for adding new
+.Xr passwd 5
+encryption algorithms.
.It Fl h Ar fd
This option provides a special interface by which interactive scripts can
set an account password using
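Review bot: the new `.It Fl H Ar encpass` entry does not mention that -H is rejected when -h is also given, although both pw_user.c and pw_group.c exit with "-h and -H cannot be used simultaneously". It also speaks only of "the user's passwd record" even though the flag is accepted in the group modes, where it sets gr_passwd. I would add both points, and state explicitly that the string is stored unchanged and is not checked against any known hash format, so a mistyped value silently locks the account.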
Index: src/usr.sbin/pw/pw.c
===================================================================
RCS file: /home/ncvs/src/usr.sbin/pw/pw.c,v
retrieving revision 1.23
diff -u -r1.23 pw.c
--- src/usr.sbin/pw/pw.c 2000/12/29 18:04:49 1.23
+++ src/usr.sbin/pw/pw.c 2001/03/02 13:15:37
@@ -106,18 +106,18 @@
static const char *opts[W_NUM][M_NUM] =
{
{ /* user */
- "V:C:qn:u:c:d:e:p:g:G:mk:s:oL:i:w:h:Db:NPy:Y",
+ "V:C:qn:u:c:d:e:p:g:G:mk:s:oL:i:w:h:H:Db:NPy:Y",
"V:C:qn:u:rY",
- "V:C:qn:u:c:d:e:p:g:G:ml:k:s:w:L:h:FNPY",
+ "V:C:qn:u:c:d:e:p:g:G:ml:k:s:w:L:h:H:FNPY",
"V:C:qn:u:FPa7",
"V:C:q",
"V:C:q",
"V:C:q"
},
{ /* grp */
- "V:C:qn:g:h:M:pNPY",
+ "V:C:qn:g:h:H:M:pNPY",
"V:C:qn:g:Y",
- "V:C:qn:g:l:h:FM:m:NPY",
+ "V:C:qn:g:l:h:H:FM:m:NPY",
"V:C:qn:g:FPa",
"V:C:q"
}
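Review bot: `H:` in these option strings makes the hash a plain command-line argument, so it sits in argv and is readable in the process table for as long as pw runs, whereas the existing -h takes a file descriptor (`.Op Fl h Ar fd`) precisely to keep the secret off the command line. An encrypted password that leaks this way can still be guessed offline, so I would prefer -H to take an fd as -h does, or at least to accept "-" for reading the hash from standard input.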
Index: src/usr.sbin/pw/pw_group.c
===================================================================
RCS file: /home/ncvs/src/usr.sbin/pw/pw_group.c,v
retrieving revision 1.13
diff -u -r1.13 pw_group.c
--- src/usr.sbin/pw/pw_group.c 2000/06/22 16:48:41 1.13
+++ src/usr.sbin/pw/pw_group.c 2001/03/02 13:15:38
@@ -158,6 +158,12 @@
* software.
*/
+ if ((getarg(args, 'h') != NULL) && (getarg(args, 'H') != NULL))
+ err(EX_DATAERR, "-h and -H cannot be used simultaneously");
+
+ if ((arg = getarg(args, 'H')) != NULL)
+ grp->gr_passwd = arg->val;
+
if ((arg = getarg(args, 'h')) != NULL) {
if (strcmp(arg->val, "-") == 0)
grp->gr_passwd = "*"; /* No access */
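Review bot: the mutual-exclusion check here calls `err(EX_DATAERR, ...)`, while the same check in pw_user.c calls `errx(...)`. err() appends strerror(errno) to the message, and errno is not meaningful at this point, so the user would see an unrelated system error text after "-h and -H cannot be used simultaneously". This should be errx() to match the pw_user.c hunk.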
Index: src/usr.sbin/pw/pw_user.c
===================================================================
RCS file: /home/ncvs/src/usr.sbin/pw/pw_user.c,v
retrieving revision 1.44
diff -u -r1.44 pw_user.c
--- src/usr.sbin/pw/pw_user.c 2000/12/29 18:04:49 1.44
+++ src/usr.sbin/pw/pw_user.c 2001/03/02 13:15:39
@@ -602,6 +602,14 @@
}
}
+ if ((getarg(args, 'h') != NULL) && (getarg(args, 'H') != NULL))
+ errx(EX_DATAERR, "-h and -H cannot be used simultaneously");
+
+ if ((arg = getarg(args, 'H')) != NULL) {
+ pwd->pw_passwd = arg->val;
+ edited = 1;
+ }
+
if ((arg = getarg(args, 'h')) != NULL) {
if (strcmp(arg->val, "-") == 0) {
if (!pwd->pw_passwd || *pwd->pw_passwd != '*') {
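Review bot: `pwd->pw_passwd = arg->val;` stores the argument with no validation in the lines shown, and the same holds for `grp->gr_passwd = arg->val;` in pw_group.c. Since the passwd and group files are colon-separated, one record per line, a value containing ':' or a newline would shift or split fields when the record is written out. I would reject those characters (and probably an empty string, which would mean no password) with errx(EX_DATAERR, ...) before assigning and setting `edited = 1`.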
