Date: Fri, 2 Mar 2001 15:23:02 +0200
From: Peter Pentchev <roam@orbitel.bg>
To: arch@FreeBSD.org
Subject: pw(8) patch: add -H encpass option to set the pw_passwd field
Message-ID: <20010302152302.C2609@ringworld.oblivion.bg>
Hi, A post to -hackers got me thinking about adding a PAM authentication module, which uses Blowfish encryption and authenticates against passwd(5). The one major obstacle with this scheme (at least as far as I could see) is that there would be no way to set or change the user passwords, apart from frobbing the /etc/{s,}pwd.db files (which is impolite in the extreme), or the /etc/{master.,}passwd files (which is basically just as bad, not to mention having to invoke pwd_mkdb(8) afterwards). So.. what would be so bad about the attached patch, which lets a program or a script invoke pw(8) with a 'usermod -H new-encrypted-password' and have pw(8) store that password as-is in the user's pw_passwd field? The password is already encrypted, so there'd be no big security risks of someone watching the process table or something. G'luck, Peter -- This sentence is false. Index: src/usr.sbin/pw/pw.8 =================================================================== RCS file: /home/ncvs/src/usr.sbin/pw/pw.8,v retrieving revision 1.21 diff -u -r1.21 pw.8 --- src/usr.sbin/pw/pw.8 2001/02/01 16:43:57 1.21 +++ src/usr.sbin/pw/pw.8 2001/03/02 13:15:37 @@ -101,6 +101,7 @@ .Op Fl s Ar shell .Op Fl L Ar class .Op Fl h Ar fd +.Op Fl H Ar encpass .Op Fl N .Op Fl P .Op Fl Y @@ -456,6 +457,15 @@ See .Xr passwd 5 for details. +.It Fl H Ar encpass +Set the +.Em passwd +field in the user's passwd record. +This option assumes that +.Ar encpass +is an already-encrypted password, providing a hook for adding new +.Xr passwd 5 +encryption algorithms. .It Fl h Ar fd This option provides a special interface by which interactive scripts can set an account password using Index: src/usr.sbin/pw/pw.c =================================================================== RCS file: /home/ncvs/src/usr.sbin/pw/pw.c,v retrieving revision 1.23 diff -u -r1.23 pw.c --- src/usr.sbin/pw/pw.c 2000/12/29 18:04:49 1.23 +++ src/usr.sbin/pw/pw.c 2001/03/02 13:15:37 
@@ -106,18 +106,18 @@ static const char *opts[W_NUM][M_NUM] = { { /* user */ - "V:C:qn:u:c:d:e:p:g:G:mk:s:oL:i:w:h:Db:NPy:Y", + "V:C:qn:u:c:d:e:p:g:G:mk:s:oL:i:w:h:H:Db:NPy:Y", "V:C:qn:u:rY", - "V:C:qn:u:c:d:e:p:g:G:ml:k:s:w:L:h:FNPY", + "V:C:qn:u:c:d:e:p:g:G:ml:k:s:w:L:h:H:FNPY", "V:C:qn:u:FPa7", "V:C:q", "V:C:q", "V:C:q" }, { /* grp */ - "V:C:qn:g:h:M:pNPY", + "V:C:qn:g:h:H:M:pNPY", "V:C:qn:g:Y", - "V:C:qn:g:l:h:FM:m:NPY", + "V:C:qn:g:l:h:H:FM:m:NPY", "V:C:qn:g:FPa", "V:C:q" } Index: src/usr.sbin/pw/pw_group.c =================================================================== RCS file: /home/ncvs/src/usr.sbin/pw/pw_group.c,v retrieving revision 1.13 diff -u -r1.13 pw_group.c --- src/usr.sbin/pw/pw_group.c 2000/06/22 16:48:41 1.13 +++ src/usr.sbin/pw/pw_group.c 2001/03/02 13:15:38 @@ -158,6 +158,12 @@ * software. */ + if ((getarg(args, 'h') != NULL) && (getarg(args, 'H') != NULL)) + err(EX_DATAERR, "-h and -H cannot be used simultaneously"); + + if ((arg = getarg(args, 'H')) != NULL) + grp->gr_passwd = arg->val; + if ((arg = getarg(args, 'h')) != NULL) { if (strcmp(arg->val, "-") == 0) grp->gr_passwd = "*"; /* No access */ Index: src/usr.sbin/pw/pw_user.c =================================================================== RCS file: /home/ncvs/src/usr.sbin/pw/pw_user.c,v retrieving revision 1.44 diff -u -r1.44 pw_user.c --- src/usr.sbin/pw/pw_user.c 2000/12/29 18:04:49 1.44 +++ src/usr.sbin/pw/pw_user.c 2001/03/02 13:15:39 @@ -602,6 +602,14 @@ } } + if ((getarg(args, 'h') != NULL) && (getarg(args, 'H') != NULL)) + errx(EX_DATAERR, "-h and -H cannot be used simultaneously"); + + if ((arg = getarg(args, 'H')) != NULL) { + pwd->pw_passwd = arg->val; + edited = 1; + } + if ((arg = getarg(args, 'h')) != NULL) { if (strcmp(arg->val, "-") == 0) { if (!pwd->pw_passwd || *pwd->pw_passwd != '*') { To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-arch" in the body of the message
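Review bot: the new `-H` paragraph in the pw.8 hunk at `@@ -456,6 +457,15 @@` omits two facts the code enforces or implies: `-h` and `-H` are mutually exclusive (both pw_user.c and pw_group.c reject the combination with "-h and -H cannot be used simultaneously"), and the value is taken from the command line, so unlike `-h fd` it is visible to anyone reading the process table. A sentence such as "The encrypted password is passed as an argument and may be observed by other users; `-h` should be preferred where that matters" would make the trade-off explicit. Also, pw.8 receives only these two hunks while pw.c adds `H:` to the groupadd and groupmod option strings as well, so the group synopsis and option description need the same addition.

Review bot: in the pw_group.c hunk, `err(EX_DATAERR, ...)` should be `errx(EX_DATAERR, ...)` as in the pw_user.c hunk: `err(3)` appends `strerror(errno)`, and nothing on this path sets errno, so the message would carry a stale, misleading system error. The assignment `grp->gr_passwd = arg->val;` also stores the argument verbatim; a value containing ':' or a newline would corrupt the group record or the following line, so reject those characters (and decide whether an empty string, which yields a group with no password, is acceptable) before assigning.

Review bot: in the pw_user.c hunk, `pwd->pw_passwd = arg->val;` has the same gap as the group case: nothing checks the argument before it is written into master.passwd, so a ':' or newline in it would break the record format. A short check that rejects those characters (and, unless intentionally allowed, an empty string, which produces a passwordless account) belongs before the assignment; the existing `-h -` path shows the convention of writing "*" explicitly when the intent is to disable password access.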