From f5adefa106e28c92dd73dbabac12bad667ef7b8f Mon Sep 17 00:00:00 2001
From: Pavel Březina <pbrezina@redhat.com>
Date: Thu, 31 Oct 2019 12:26:31 +0100
Subject: pam_unix: add nullresetok option to allow reset blank passwords

Adding nullresetok to auth phase of pam_unix module will allow users
with blank password to authenticate in order to immediatelly change
their password even if nullok is not set.

This allows to have blank password authentication disabled but still
allows administrator to create new user accounts with expired blank
password that must be change on the first login.
---
 modules/pam_unix/support.c | 47 ++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 47 insertions(+)

(limited to 'modules/pam_unix/support.c')

diff --git a/modules/pam_unix/support.c b/modules/pam_unix/support.c
index 33761840..6a840a26 100644
--- a/modules/pam_unix/support.c
+++ b/modules/pam_unix/support.c
@@ -595,6 +595,7 @@ _unix_blankpasswd (pam_handle_t *pamh, unsigned long long ctrl, const char *name
 {
 	struct passwd *pwd = NULL;
 	char *salt = NULL;
+	int daysleft;
 	int retval;
 
 	D(("called"));
@@ -605,6 +606,15 @@ _unix_blankpasswd (pam_handle_t *pamh, unsigned long long ctrl, const char *name
 	 * else (CG)
 	 */
 
+	if (on(UNIX_NULLRESETOK, ctrl)) {
+	    retval = _unix_verify_user(pamh, ctrl, name, &daysleft);
+	    if (retval == PAM_NEW_AUTHTOK_REQD) {
+	        /* password reset is enforced, allow authentication with empty password */
+	        pam_syslog(pamh, LOG_DEBUG, "user [%s] has expired blank password, enabling nullok", name);
+	        set(UNIX__NULLOK, ctrl);
+	    }
+	}
+
 	if (on(UNIX__NONULL, ctrl))
 		return 0;	/* will fail but don't let on yet */
 
@@ -796,6 +806,43 @@ cleanup:
 	return retval;
 }
 
+int
+_unix_verify_user(pam_handle_t *pamh,
+                  unsigned long long ctrl,
+                  const char *name,
+                  int *daysleft)
+{
+    int retval;
+    struct spwd *spent;
+    struct passwd *pwent;
+
+    retval = get_account_info(pamh, name, &pwent, &spent);
+    if (retval == PAM_USER_UNKNOWN) {
+        pam_syslog(pamh, LOG_ERR,
+             "could not identify user (from getpwnam(%s))",
+             name);
+        return retval;
+    }
+
+    if (retval == PAM_SUCCESS && spent == NULL)
+        return PAM_SUCCESS;
+
+    if (retval == PAM_UNIX_RUN_HELPER) {
+        retval = _unix_run_verify_binary(pamh, ctrl, name, daysleft);
+        if (retval == PAM_AUTHINFO_UNAVAIL &&
+            on(UNIX_BROKEN_SHADOW, ctrl))
+            return PAM_SUCCESS;
+    } else if (retval != PAM_SUCCESS) {
+        if (on(UNIX_BROKEN_SHADOW,ctrl))
+            return PAM_SUCCESS;
+        else
+            return retval;
+    } else
+        retval = check_shadow_expiry(pamh, spent, daysleft);
+
+    return retval;
+}
+
 /* ****************************************************************** *
  * Copyright (c) Jan Rękorajski 1999.
  * Copyright (c) Andrew G. Morgan 1996-8.
-- 
cgit v1.2.3