ANNOUNCE: pam_pwexport, Unix->SMB password changes

Peter Samuelson peter at cadcamlab.org
Wed Jun 14 08:09:22 GMT 2000


[Nicholas J Brealey <nick at orpwood.demon.co.uk>]
> I managed to get it working on Solaris 7 11/99 using the attached
> patch and this compile command:
> 
> gcc -o pam_pwexport.so -UPAM_EXTERN= -fPIC -shared pam_pwexport.c -lpam

I believe -UPAM_EXTERN= is a no-op.  Did you mean -DPAM_EXTERN= instead?

> Unfortunately the Solaris 7 11/99 passwd command seems to truncate
> the password to 8 letters before it reaches the pam_pwexport module.
> The Solaris 8 passwd command is OK. It looks like Sun need to release
> a patch to make this work on Solaris 7.

Not surprising -- historically, all Unices had that limitation.  As you
probably know, it's because the original DES crypt() can only handle 56
bits.  (A mistake from the beginning.  The least they could have done
would have been to use 6 significant bits per char instead of 7.  7
bits is wasteful since ASCII only has 96 printable chars in it.  Very,
very few people use even close to the whole printable range, much less
the 32 control characters, so the keyspace is effectively much less
than 56 bits.)

In traditional Unix, as I recall, even the library function getpass()
truncates at 8 characters.  This is über-stupid, because it means that
clients of non-local services (rlogin, ftp) can't use it.  (I think I
got that tidbit from an old version of the NcFTP source.)


>  #define PAM_SM_AUTH
>  #define PAM_SM_PASSWORD
> +#include <security/pam_appl.h>
>  #include <security/pam_modules.h>
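
Review bot: the added #include <security/pam_appl.h> carries no comment saying why it is needed ahead of <security/pam_modules.h>; a one-line comment naming the platforms that require it would keep it from being dropped later as redundant.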

OK, applied.  I believe HP-UX requires this too, and on Linux it
doesn't appear to hurt.

> -  pam_get_item (pamh, PAM_USER, (const void **)&user);
> -  pam_get_item (pamh, PAM_AUTHTOK, (const void **)&tok);
> +  pam_get_item (pamh, PAM_USER, (void **)&user);
> +  pam_get_item (pamh, PAM_AUTHTOK, (void **)&tok);
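
Review bot: both pam_get_item calls still discard their return value, so the code that follows cannot tell whether user and tok were actually set; check each call against PAM_SUCCESS and treat a NULL tok as failure before using it. Swapping (const void **) for (void **) may also bring the warning back on a platform whose prototype takes const void **; a per-platform typedef or macro for the item pointer type would satisfy both compilers without discarding const.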

Is that to avoid a warning or an error?  On Linux I was just suppressing
warnings here, so the consts can be taken out.  Or, kludge of kludges,
one could compile with -Dconst on Solaris....

Peter
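
Added example (not part of the original message or of pam_pwexport): how traditional DES crypt() packs a password into its 56-bit key, using the low 7 bits of each of the first 8 characters, so that anything past the eighth character and the high bit of every byte never reach the cipher. The function names are hypothetical and the sample passwords are constructed.

```c
#include <stdio.h>
#include <string.h>

#define DES_PW_CHARS 8   /* characters traditional crypt() looks at */

/* Pack a password the way traditional DES crypt() does: the low 7 bits of
 * each of the first 8 characters go into bits 7..1 of a key byte (bit 0 is
 * the DES parity slot, which the cipher ignores). Short passwords are
 * zero-padded. Hypothetical helper, not a libc function. */
void des_crypt_key(const char *pw, unsigned char key[DES_PW_CHARS])
{
    size_t i;
    memset(key, 0, DES_PW_CHARS);
    for (i = 0; i < DES_PW_CHARS && pw[i] != '\0'; i++)
        key[i] = (unsigned char)((unsigned char)pw[i] << 1);
}

/* 1 if both passwords yield the same DES key, and so the same hash for any
 * given salt. */
int des_crypt_same_key(const char *a, const char *b)
{
    unsigned char ka[DES_PW_CHARS], kb[DES_PW_CHARS];
    des_crypt_key(a, ka);
    des_crypt_key(b, kb);
    return memcmp(ka, kb, DES_PW_CHARS) == 0;
}

/* Count input bytes carrying information the key drops: every byte past
 * the eighth, plus any earlier byte with bit 7 set. A password-change path
 * could use this to warn before storing a weaker secret than was typed. */
size_t des_crypt_ignored_bytes(const char *pw)
{
    size_t i, n = 0, len = strlen(pw);
    for (i = 0; i < len; i++)
        if (i >= DES_PW_CHARS || ((unsigned char)pw[i] & 0x80))
            n++;
    return n;
}

int main(void)
{
    /* Constructed sample passwords. */
    const char *long_pw = "correcthorse", *cut_pw = "correcth";
    printf("same key: %d\n", des_crypt_same_key(long_pw, cut_pw));
    printf("ignored bytes in \"%s\": %zu\n", long_pw,
           des_crypt_ignored_bytes(long_pw));
    return 0;
}
```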

