# pam_pwexport by Peter Samuelson <peter@cadcamlab.org> 2000/06/12
# release 0.0

The point here is to snoop on passwords and report to an outside
program.  This is useful any time you are migrating your user database
from one auth scheme to another -- as users log in and change
passwords, you harvest these passwords and put them in your new
format.

It works by collecting your username and password and (if you supply
it) your old password, and sending those to the stdin of an arbitrary
program (or script), like so:

  user foo
  oldpassword bar
  password baz

where the `oldpassword' line may be missing.

PAM usage: in any relevant pam.conf files, insert:

  auth     requisite pam_unix.so		# or whatever
  auth     required  pam_pwexport.so /some/exe/somewhere

  password requisite pam_unix.so		# or whatever
  password required  pam_pwexport.so /some/exe/somewhere

NOTE: it doesn't actually prompt for usernames and passwords, nor does
it verify anything, so you MUST chain it onto an existing module such
as pam_unix.  That's what the `requisite' keyword does: if pam_unix
fails, the stack stops right there and pam_pwexport never sees the
(wrong) password.

NOTE ALSO: if your migration scheme requires the "old password" in
order to work, you may as well skip the "auth" lines, since (for
obvious reasons) they will never return that info.


All this was inspired by the needs of many Samba users -- either for
migrating Unix passwords to a real NT domain, or to a Samba-controlled
NT domain, or to a Samba server acting standalone.  In all cases we
need to generate LanManager password hashes, and in the first case we
need the old password as well as the new one, which is why we harvest
that whenever we can (i.e. on a password change not done by root).

Example usage for an NT domain: Modify your pam.conf files as shown
above, and write a script called /some/exe/somewhere something along
these lines:

----------------------------------------------------------------------
  #!/bin/sh

  ntserver=YOURNTSERVER
  # -r keeps backslashes in passwords intact; b gets the rest of the line
  while read -r a b; do
    case $a in
      user)        u="$b" ;;
      password)    n="$b" ;;
      oldpassword) o="$b" ;;
    esac
  done

  # only useful when an old password was harvested, i.e. o is set at all
  # (a sentinel like "xxx" could collide with a real password)
  if [ -n "${o+set}" ]; then
    (echo "$o"; echo "$n"; echo "$n") |
      /usr/local/samba/bin/smbpasswd -s -r "$ntserver" -U "$u"
  fi
----------------------------------------------------------------------

The script will need some tweaking.  Note that your shell had better
have a builtin version of `echo', so that the passwords never end up
in the argv[] of an external process (where anyone running ps can read
them).  Otherwise, for security purposes, you'll need to use a
different language (like awk).
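A more careful receiver for the three-line protocol, added here as an example rather than code shipped with pam_pwexport.  It assumes the same smbpasswd path and placeholder server name as the sketch above, and the installed copy of the script ends with a call to pwx_main.

```sh
#!/bin/sh
# Hardened receiver for pam_pwexport's "key value" stdin protocol
# (added example, not part of pam_pwexport).  Unlike the sketch above
# it reads each line raw and splits on the FIRST space only, so spaces
# and backslashes in passwords survive; validates the username before
# using it as an argument; detects a missing "oldpassword" explicitly
# rather than via a sentinel; and never puts a secret into argv.

ntserver=YOURNTSERVER                       # placeholder, as above
smbpasswd_cmd=/usr/local/samba/bin/smbpasswd

# Parse stdin into PWX_USER, PWX_NEW, PWX_OLD; PWX_HAVE_OLD is 1 when
# an oldpassword line was seen.  Returns 1 on a malformed stream.
pwx_parse() {
  PWX_USER= PWX_NEW= PWX_OLD= PWX_HAVE_OLD=0
  have_user=0 have_new=0
  while IFS= read -r line; do
    case $line in
      *' '*) key="${line%% *}"; val="${line#* }" ;;
      *)     return 1 ;;                  # no "key value" separator
    esac
    case $key in
      user)        PWX_USER=$val; have_user=1 ;;
      password)    PWX_NEW=$val;  have_new=1 ;;
      oldpassword) PWX_OLD=$val;  PWX_HAVE_OLD=1 ;;
      *)           return 1 ;;            # unknown key: refuse, don't guess
    esac
  done
  [ "$have_user" = 1 ] && [ "$have_new" = 1 ] && pwx_user_ok "$PWX_USER"
}

# Accept only names that cannot be taken for an option: a letter or
# digit first, then letters, digits, '.', '_' or '-'.
pwx_user_ok() {
  case $1 in
    ''|*[!A-Za-z0-9._-]*|[!A-Za-z0-9]*) return 1 ;;
  esac
}

# Push the credentials to the NT server; smbpasswd -s reads the old
# password, then the new one twice, from stdin (as in the sketch above).
pwx_push() {
  [ "$PWX_HAVE_OLD" = 1 ] || return 0     # nothing useful to do without it
  printf '%s\n%s\n%s\n' "$PWX_OLD" "$PWX_NEW" "$PWX_NEW" |
    "$smbpasswd_cmd" -s -r "$ntserver" -U "$PWX_USER"
}

# The installed copy of this script ends with a call to:  pwx_main
pwx_main() { pwx_parse && pwx_push; }
```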


TODO:

More error checking
Replace popen/pclose, eliminate stdio (can interact badly with PAM apps)
Parameters to control behavior ("don't bother if oldpassword not available")
Lots of cleanup
Perhaps an option to prompt for info
