From fee04ec6ef0f99e1d817f7e91b3b1eb7cc56cc99 Mon Sep 17 00:00:00 2001
From: Joachim de Groot
Date: Sun, 6 May 2012 16:01:31 +0200
Subject: [PATCH 1/1] pw(8): Add an option to accept encrypted passwords
Add a `-H ' option that is like `-h ', but accepts an already encrypted password on the specified file descriptor.
Taken-from: FreeBSD SVN 124382
---
 usr.sbin/pw/pw.8 | 17 +++++++++++------
 usr.sbin/pw/pw.c | 11 ++++++-----
 usr.sbin/pw/pw_group.c | 12 +++++++++---
 usr.sbin/pw/pw_user.c | 39 ++++++++++++++++++++++++++-------------
 4 files changed, 52 insertions(+), 27 deletions(-)
diff --git a/usr.sbin/pw/pw.8 b/usr.sbin/pw/pw.8
index dd9dcb9..4bf1a75 100644
--- a/usr.sbin/pw/pw.8
+++ b/usr.sbin/pw/pw.8
@@ -23,9 +23,8 @@
 .\" SUCH DAMAGE.
 .\"
 .\" $FreeBSD: src/usr.sbin/pw/pw.8,v 1.19.2.12 2003/05/08 15:01:44 trhodes Exp $
-.\" $DragonFly: src/usr.sbin/pw/pw.8,v 1.5 2008/05/02 02:05:08 swildner Exp $
 .\"
-.Dd December 9, 1996
+.Dd January 11, 2004
 .Dt PW 8
 .Os
 .Sh NAME
@@ -52,7 +51,7 @@
 .Op Fl s Ar shell
 .Op Fl o
 .Op Fl L Ar class
-.Op Fl h Ar fd
+.Op Fl h Ar fd | Fl H Ar fd
 .Op Fl N
 .Op Fl P
 .Op Fl Y
@@ -102,7 +101,7 @@
 .Op Fl w Ar method
 .Op Fl s Ar shell
 .Op Fl L Ar class
-.Op Fl h Ar fd
+.Op Fl h Ar fd | Fl H Ar fd
 .Op Fl N
 .Op Fl P
 .Op Fl Y
@@ -131,7 +130,7 @@
 .Op Fl g Ar gid
 .Op Fl M Ar members
 .Op Fl o
-.Op Fl h Ar fd
+.Op Fl h Ar fd | Fl H Ar fd
 .Op Fl N
 .Op Fl P
 .Op Fl Y
@@ -153,7 +152,7 @@
 .Op Fl l Ar name
 .Op Fl M Ar members
 .Op Fl m Ar newmembers
-.Op Fl h Ar fd
+.Op Fl h Ar fd | Fl H Ar fd
 .Op Fl N
 .Op Fl P
 .Op Fl Y
@@ -508,6 +507,12 @@
 is given as the argument then the password will be set to
 .Ql \&* ,
 rendering the account inaccessible via password-based login.
+.It Fl H Ar fd
+Read an encrypted password string from the specified file descriptor.
+This is like
+.Fl h ,
+but the password should be supplied already encrypted in a form
+suitable for writing directly to the password database.
 .El
 .Pp
 It is possible to use
diff --git a/usr.sbin/pw/pw.c b/usr.sbin/pw/pw.c
index 1608377..352ab68 100644
--- a/usr.sbin/pw/pw.c
+++ b/usr.sbin/pw/pw.c
@@ -24,7 +24,6 @@
 * SUCH DAMAGE.
 *
 * $FreeBSD: src/usr.sbin/pw/pw.c,v 1.18.2.5 2001/07/19 01:46:55 kris Exp $
- * $DragonFly: src/usr.sbin/pw/pw.c,v 1.3 2004/12/18 22:48:04 swildner Exp $
 */
 #include
@@ -104,18 +103,18 @@ main(int argc, char *argv[])
 static const char *opts[W_NUM][M_NUM] =
 {
 { /* user */
- "V:C:qn:u:c:d:e:p:g:G:mk:s:oL:i:w:h:Db:NPy:Y",
+ "V:C:qn:u:c:d:e:p:g:G:mk:s:oL:i:w:h:H:Db:NPy:Y",
 "V:C:qn:u:rY",
- "V:C:qn:u:c:d:e:p:g:G:ml:k:s:w:L:h:FNPY",
+ "V:C:qn:u:c:d:e:p:g:G:ml:k:s:w:L:h:H:FNPY",
 "V:C:qn:u:FPa7",
 "V:C:q",
 "V:C:q",
 "V:C:q"
 },
 { /* grp */
- "V:C:qn:g:h:M:pNPY",
+ "V:C:qn:g:h:H:M:pNPY",
 "V:C:qn:g:Y",
- "V:C:qn:g:l:h:FM:m:NPY",
+ "V:C:qn:g:l:h:H:FM:m:NPY",
 "V:C:qn:g:FPa",
 "V:C:q"
 }
@@ -313,6 +312,7 @@ cmdhelp(int mode, int which)
 "\t-o duplicate uid ok\n"
 "\t-L class user class\n"
 "\t-h fd read password on fd\n"
+ "\t-H fd read encrypted password on fd\n"
 "\t-Y update NIS maps\n"
 "\t-N no update\n"
 " Setting defaults:\n"
@@ -355,6 +355,7 @@ cmdhelp(int mode, int which)
 "\t-s shell name of login shell\n"
 "\t-w method set new password using method\n"
 "\t-h fd read password on fd\n"
+ "\t-H fd read encrypted password on fd\n"
 "\t-Y update NIS maps\n"
 "\t-N no update\n",
 "usage: pw usershow [uid|name] [switches]\n"
diff --git a/usr.sbin/pw/pw_group.c b/usr.sbin/pw/pw_group.c
index f3ca55c..3e3efd1 100644
--- a/usr.sbin/pw/pw_group.c
+++ b/usr.sbin/pw/pw_group.c
@@ -24,7 +24,6 @@
 * SUCH DAMAGE.
 *
 * $FreeBSD: src/usr.sbin/pw/pw_group.c,v 1.12.2.1 2000/06/28 19:19:04 ache Exp $
- * $DragonFly: src/usr.sbin/pw/pw_group.c,v 1.3 2004/09/25 20:38:21 dillon Exp $
 */
 #include
@@ -168,11 +167,13 @@ pw_group(struct userconf * cnf, int mode, struct cargs * args)
 * software.
 */
- if ((arg = getarg(args, 'h')) != NULL) {
+ if ((arg = getarg(args, 'h')) != NULL ||
+ (arg = getarg(args, 'H')) != NULL) {
 if (strcmp(arg->val, "-") == 0)
 grp->gr_passwd = "*"; /* No access */
 else {
 int fd = atoi(arg->val);
+ int precrypt = (arg->ch == 'H');
 int b;
 int istty = isatty(fd);
 struct termios t;
@@ -206,7 +207,12 @@ pw_group(struct userconf * cnf, int mode, struct cargs * args)
 *p = '\0';
 if (!*line)
 errx(EX_DATAERR, "empty password read on file descriptor %d", fd);
- grp->gr_passwd = pw_pwcrypt(line);
+ if (precrypt) {
+ if (strchr(line, ':') != NULL)
+ return EX_DATAERR;
+ grp->gr_passwd = line;
+ } else
+ grp->gr_passwd = pw_pwcrypt(line);
 }
 }
diff --git a/usr.sbin/pw/pw_user.c b/usr.sbin/pw/pw_user.c
index 6755e99..5130bcd 100644
--- a/usr.sbin/pw/pw_user.c
+++ b/usr.sbin/pw/pw_user.c
@@ -23,9 +23,7 @@
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 *
- *
 * $FreeBSD: src/usr.sbin/pw/pw_user.c,v 1.34.2.13 2003/02/01 21:20:10 gad Exp $
- * $DragonFly: src/usr.sbin/pw/pw_user.c,v 1.4 2004/11/30 20:12:21 joerg Exp $
 */
 #include
@@ -84,6 +82,7 @@ static void rmskey(char const * name);
 * -L class user class
 * -l name new login name
 * -h fd password filehandle
+ * -H fd encrypted password filehandle
 * -F force print or add
 * Setting defaults:
 * -D set user defaults
@@ -541,7 +540,8 @@ pw_user(struct userconf * cnf, int mode, struct cargs * args)
 warnx("WARNING: home `%s' is not a directory", pwd->pw_dir);
 }
- if ((arg = getarg(args, 'w')) != NULL && getarg(args, 'h') == NULL) {
+ if ((arg = getarg(args, 'w')) != NULL &&
+ getarg(args, 'h') == NULL && getarg(args, 'H') == NULL) {
 login_cap_t *lc;
 lc = login_getpwclass(pwd);
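Review bot: In the pw_group.c hunk at `@@ -168,11 +167,13 @@`, the new condition `getarg(args, 'h') != NULL || getarg(args, 'H') != NULL` lets `-h` win silently when both options are given, although the manual page in this same patch documents them as alternatives (`-h fd | -H fd`). A caller that passes both gets the data on the `-h` descriptor hashed and the pre-encrypted value ignored, with no diagnostic. Rejecting the combination before this test, e.g. `if (getarg(args, 'h') != NULL && getarg(args, 'H') != NULL) errx(EX_USAGE, "-h and -H are mutually exclusive");`, makes the contract explicit. The same condition is added in the pw_user.c hunk at `@@ -599,7 +599,8 @@`; both enclosing function bodies start and end outside the hunks.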
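Review bot: The pre-encrypted branch in the pw_group.c hunk at `@@ -206,7 +207,12 @@` returns `EX_DATAERR` with no message when the input contains `:`, while the empty-password case directly above reports through `errx()`; replace the bare return with `errx(EX_DATAERR, "encrypted password on file descriptor %d must not contain ':'", fd);`. The `:` test is also the only check visible here before the string is assigned to `gr_passwd`, so a value that is not a crypt(3) hash (for example a cleartext password sent to `-H` by mistake) would presumably be written to the database unchanged; a format check, or at least a sentence in pw.8, is worth adding. `grp->gr_passwd = line;` now keeps a pointer to the read buffer instead of to the result of `pw_pwcrypt()`; `line` is declared outside the hunk, so confirm it is not an automatic array scoped to this `else` block, otherwise the pointer is dangling by the time the record is written. All three points apply equally to `pwd->pw_passwd = line;` in the pw_user.c hunk at `@@ -640,12 +646,18 @@`.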
@@ -599,7 +599,8 @@ pw_user(struct userconf * cnf, int mode, struct cargs * args)
 }
 }
- if ((arg = getarg(args, 'h')) != NULL) {
+ if ((arg = getarg(args, 'h')) != NULL ||
+ (arg = getarg(args, 'H')) != NULL) {
 if (strcmp(arg->val, "-") == 0) {
 if (!pwd->pw_passwd || *pwd->pw_passwd != '*') {
 pwd->pw_passwd = "*"; /* No access */
@@ -607,6 +608,7 @@ pw_user(struct userconf * cnf, int mode, struct cargs * args)
 }
 } else {
 int fd = atoi(arg->val);
+ int precrypt = (arg->ch == 'H');
 int b;
 int istty = isatty(fd);
 struct termios t;
@@ -621,7 +623,10 @@ pw_user(struct userconf * cnf, int mode, struct cargs * args)
 /* Disable echo */
 n.c_lflag &= ~(ECHO);
 tcsetattr(fd, TCSANOW, &n);
- printf("%sassword for user %s:", (mode == M_UPDATE) ? "New p" : "P", pwd->pw_name);
+ printf("%s%spassword for user %s:",
+ (mode == M_UPDATE) ? "new " : "",
+ precrypt ? "encrypted " : "",
+ pwd->pw_name);
 fflush(stdout);
 }
 }
@@ -632,7 +637,8 @@ pw_user(struct userconf * cnf, int mode, struct cargs * args)
 fflush(stdout);
 }
 if (b < 0) {
- warn("-h file descriptor");
+ warn("-%c file descriptor", precrypt ? 'H' :
+ 'h');
 return EX_IOERR;
 }
 line[b] = '\0';
@@ -640,12 +646,18 @@ pw_user(struct userconf * cnf, int mode, struct cargs * args)
 *p = '\0';
 if (!*line)
 errx(EX_DATAERR, "empty password read on file descriptor %d", fd);
- lc = login_getpwclass(pwd);
- if (lc == NULL ||
- login_setcryptfmt(lc, "md5", NULL) == NULL)
- warn("setting crypt(3) format");
- login_close(lc);
- pwd->pw_passwd = pw_pwcrypt(line);
+ if (precrypt) {
+ if (strchr(line, ':') != NULL)
+ return EX_DATAERR;
+ pwd->pw_passwd = line;
+ } else {
+ lc = login_getpwclass(pwd);
+ if (lc == NULL ||
+ login_setcryptfmt(lc, "md5", NULL) == NULL)
+ warn("setting crypt(3) format");
+ login_close(lc);
+ pwd->pw_passwd = pw_pwcrypt(line);
+ }
 edited = 1;
 }
 }
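Review bot: The rewritten prompt in the pw_user.c hunk at `@@ -621,7 +623,10 @@` also changes the text shown for plain `-h`: `"Password for user %s:"` and `"New password for user %s:"` become `"password for user %s:"` and `"new password for user %s:"`, so the prompt now starts in lower case. The commit message does not mention this, and anything that matches the old prompt text on a terminal will stop matching. If the change is not intended, keep the original wording for the `-h` case and add the word only for `-H`, e.g. `(mode == M_UPDATE) ? "New " : ""` with `precrypt ? "encrypted password" : ...` chosen so the first printed letter stays capitalised. The enclosing block of pw_user() begins and ends outside the hunk.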
@@ -1088,7 +1100,8 @@ pw_password(struct userconf * cnf, struct cargs * args, char const * user)
 /*
 * We give this information back to the user
 */
- if (getarg(args, 'h') == NULL && getarg(args, 'N') == NULL) {
+ if (getarg(args, 'h') == NULL && getarg(args, 'H') == NULL &&
+ getarg(args, 'N') == NULL) {
 if (isatty(STDOUT_FILENO))
 printf("Password for '%s' is: ", user);
 printf("%s\n", pwbuf);
--
1.7.9.3