author | Damien Miller <djm@mindrot.org> | 2003-01-22 15:42:26 +1100 |
---|---|---|
committer | Damien Miller <djm@mindrot.org> | 2003-01-22 15:42:26 +1100 |
commit | 2101bfc4e1dbe1dc475d71158b1c24c6d2e2e412 (patch) | |
tree | b9012d184941802b5f9fa188a3a530410513c755 | |
parent | 53d81483f0bcea8af2207583bb6e83c187d522fc (diff) |
- (djm) Reorganise PAM & SIA password handling to eliminate some common code
-rw-r--r-- | ChangeLog | 3 | ||||
-rw-r--r-- | auth-pam.c | 10 | ||||
-rw-r--r-- | auth-passwd.c | 89 | ||||
-rw-r--r-- | auth-sia.c | 2 |
4 files changed, 48 insertions, 56 deletions
@@ -5,6 +5,7 @@ | |||
5 | Add a -t life option to ssh-agent that set the default lifetime. | 5 | Add a -t life option to ssh-agent that set the default lifetime. |
6 | The default can still be overriden by using -t in ssh-add. | 6 | The default can still be overriden by using -t in ssh-add. |
7 | OK markus@ | 7 | OK markus@ |
8 | - (djm) Reorganise PAM & SIA password handling to eliminate some common code | ||
8 | 9 | ||
9 | 20030120 | 10 | 20030120 |
10 | - (djm) Fix compilation for NetBSD from dtucker@zip.com.au | 11 | - (djm) Fix compilation for NetBSD from dtucker@zip.com.au |
@@ -1048,4 +1049,4 @@ | |||
1048 | save auth method before monitor_reset_key_state(); bugzilla bug #284; | 1049 | save auth method before monitor_reset_key_state(); bugzilla bug #284; |
1049 | ok provos@ | 1050 | ok provos@ |
1050 | 1051 | ||
1051 | $Id: ChangeLog,v 1.2579 2003/01/22 00:47:19 djm Exp $ | 1052 | $Id: ChangeLog,v 1.2580 2003/01/22 04:42:26 djm Exp $ |
diff --git a/auth-pam.c b/auth-pam.c index 99b03f45b..fe9570f92 100644 --- a/auth-pam.c +++ b/auth-pam.c | |||
@@ -38,7 +38,7 @@ extern char *__progname; | |||
38 | 38 | ||
39 | extern int use_privsep; | 39 | extern int use_privsep; |
40 | 40 | ||
41 | RCSID("$Id: auth-pam.c,v 1.54 2002/07/28 20:24:08 stevesk Exp $"); | 41 | RCSID("$Id: auth-pam.c,v 1.55 2003/01/22 04:42:26 djm Exp $"); |
42 | 42 | ||
43 | #define NEW_AUTHTOK_MSG \ | 43 | #define NEW_AUTHTOK_MSG \ |
44 | "Warning: Your password has expired, please change it now." | 44 | "Warning: Your password has expired, please change it now." |
@@ -210,14 +210,6 @@ int auth_pam_password(Authctxt *authctxt, const char *password) | |||
210 | 210 | ||
211 | do_pam_set_conv(&conv); | 211 | do_pam_set_conv(&conv); |
212 | 212 | ||
213 | /* deny if no user. */ | ||
214 | if (pw == NULL) | ||
215 | return 0; | ||
216 | if (pw->pw_uid == 0 && options.permit_root_login == PERMIT_NO_PASSWD) | ||
217 | return 0; | ||
218 | if (*password == '\0' && options.permit_empty_passwd == 0) | ||
219 | return 0; | ||
220 | |||
221 | __pampasswd = password; | 213 | __pampasswd = password; |
222 | 214 | ||
223 | pamstate = INITIAL_LOGIN; | 215 | pamstate = INITIAL_LOGIN; |
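Review bot: auth_pam_password now depends on its caller for the NULL-pw, root-login and empty-password rejections removed at old lines 213–219, but nothing in the hunk records that precondition, so a later direct caller would reach PAM with checks it used to be able to rely on. A comment where the checks stood, `/* Caller (auth_password) has already rejected a NULL pw, an empty password, and root when PermitRootLogin forbids password login. */`, would make the contract visible at the point that lost it. The removed root test here was `== PERMIT_NO_PASSWD`, which is not the same condition as the one that replaces it in auth-passwd.c, so the two should be reconciled rather than assumed equivalent. The body of auth_pam_password continues past the end of the hunk.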
diff --git a/auth-passwd.c b/auth-passwd.c index 185db7d6d..cbf093f0d 100644 --- a/auth-passwd.c +++ b/auth-passwd.c | |||
@@ -92,52 +92,51 @@ extern char *aixloginmsg; | |||
92 | int | 92 | int |
93 | auth_password(Authctxt *authctxt, const char *password) | 93 | auth_password(Authctxt *authctxt, const char *password) |
94 | { | 94 | { |
95 | #if defined(USE_PAM) | 95 | #if !defined(USE_PAM) && !defined(HAVE_OSF_SIA) |
96 | if (*password == '\0' && options.permit_empty_passwd == 0) | ||
97 | return 0; | ||
98 | return auth_pam_password(authctxt, password); | ||
99 | #elif defined(HAVE_OSF_SIA) | ||
100 | if (*password == '\0' && options.permit_empty_passwd == 0) | ||
101 | return 0; | ||
102 | return auth_sia_password(authctxt, password); | ||
103 | #else | ||
104 | struct passwd * pw = authctxt->pw; | 96 | struct passwd * pw = authctxt->pw; |
105 | char *encrypted_password; | 97 | char *encrypted_password; |
106 | char *pw_password; | 98 | char *pw_password; |
107 | char *salt; | 99 | char *salt; |
108 | #if defined(__hpux) || defined(HAVE_SECUREWARE) | 100 | # if defined(__hpux) || defined(HAVE_SECUREWARE) |
109 | struct pr_passwd *spw; | 101 | struct pr_passwd *spw; |
110 | #endif /* __hpux || HAVE_SECUREWARE */ | 102 | # endif /* __hpux || HAVE_SECUREWARE */ |
111 | #if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW) | 103 | # if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW) |
112 | struct spwd *spw; | 104 | struct spwd *spw; |
113 | #endif | 105 | # endif |
114 | #if defined(HAVE_GETPWANAM) && !defined(DISABLE_SHADOW) | 106 | # if defined(HAVE_GETPWANAM) && !defined(DISABLE_SHADOW) |
115 | struct passwd_adjunct *spw; | 107 | struct passwd_adjunct *spw; |
116 | #endif | 108 | # endif |
117 | #ifdef WITH_AIXAUTHENTICATE | 109 | # ifdef WITH_AIXAUTHENTICATE |
118 | char *authmsg; | 110 | char *authmsg; |
119 | int authsuccess; | 111 | int authsuccess; |
120 | int reenter = 1; | 112 | int reenter = 1; |
121 | #endif | 113 | # endif |
114 | #endif /* !defined(USE_PAM) && !defined(HAVE_OSF_SIA) */ | ||
122 | 115 | ||
123 | /* deny if no user. */ | 116 | /* deny if no user. */ |
124 | if (pw == NULL) | 117 | if (pw == NULL) |
125 | return 0; | 118 | return 0; |
126 | #ifndef HAVE_CYGWIN | 119 | #ifndef HAVE_CYGWIN |
127 | if (pw->pw_uid == 0 && options.permit_root_login != PERMIT_YES) | 120 | if (pw->pw_uid == 0 && options.permit_root_login != PERMIT_NO_PASSWD) |
128 | return 0; | 121 | return 0; |
129 | #endif | 122 | #endif |
130 | if (*password == '\0' && options.permit_empty_passwd == 0) | 123 | if (*password == '\0' && options.permit_empty_passwd == 0) |
131 | return 0; | 124 | return 0; |
132 | #ifdef KRB5 | 125 | |
126 | #if defined(USE_PAM) | ||
127 | return auth_pam_password(authctxt, password); | ||
128 | #elif defined(HAVE_OSF_SIA) | ||
129 | return auth_sia_password(authctxt, password); | ||
130 | #else | ||
131 | # ifdef KRB5 | ||
133 | if (options.kerberos_authentication == 1) { | 132 | if (options.kerberos_authentication == 1) { |
134 | int ret = auth_krb5_password(authctxt, password); | 133 | int ret = auth_krb5_password(authctxt, password); |
135 | if (ret == 1 || ret == 0) | 134 | if (ret == 1 || ret == 0) |
136 | return ret; | 135 | return ret; |
137 | /* Fall back to ordinary passwd authentication. */ | 136 | /* Fall back to ordinary passwd authentication. */ |
138 | } | 137 | } |
139 | #endif | 138 | # endif |
140 | #ifdef HAVE_CYGWIN | 139 | # ifdef HAVE_CYGWIN |
141 | if (is_winnt) { | 140 | if (is_winnt) { |
142 | HANDLE hToken = cygwin_logon_user(pw, password); | 141 | HANDLE hToken = cygwin_logon_user(pw, password); |
143 | 142 | ||
@@ -146,8 +145,8 @@ auth_password(Authctxt *authctxt, const char *password) | |||
146 | cygwin_set_impersonation_token(hToken); | 145 | cygwin_set_impersonation_token(hToken); |
147 | return 1; | 146 | return 1; |
148 | } | 147 | } |
149 | #endif | 148 | # endif |
150 | #ifdef WITH_AIXAUTHENTICATE | 149 | # ifdef WITH_AIXAUTHENTICATE |
151 | authsuccess = (authenticate(pw->pw_name,password,&reenter,&authmsg) == 0); | 150 | authsuccess = (authenticate(pw->pw_name,password,&reenter,&authmsg) == 0); |
152 | 151 | ||
153 | if (authsuccess) | 152 | if (authsuccess) |
@@ -158,47 +157,47 @@ auth_password(Authctxt *authctxt, const char *password) | |||
158 | aixloginmsg = NULL; | 157 | aixloginmsg = NULL; |
159 | 158 | ||
160 | return(authsuccess); | 159 | return(authsuccess); |
161 | #endif | 160 | # endif |
162 | #ifdef KRB4 | 161 | # ifdef KRB4 |
163 | if (options.kerberos_authentication == 1) { | 162 | if (options.kerberos_authentication == 1) { |
164 | int ret = auth_krb4_password(authctxt, password); | 163 | int ret = auth_krb4_password(authctxt, password); |
165 | if (ret == 1 || ret == 0) | 164 | if (ret == 1 || ret == 0) |
166 | return ret; | 165 | return ret; |
167 | /* Fall back to ordinary passwd authentication. */ | 166 | /* Fall back to ordinary passwd authentication. */ |
168 | } | 167 | } |
169 | #endif | 168 | # endif |
170 | #ifdef BSD_AUTH | 169 | # ifdef BSD_AUTH |
171 | if (auth_userokay(pw->pw_name, authctxt->style, "auth-ssh", | 170 | if (auth_userokay(pw->pw_name, authctxt->style, "auth-ssh", |
172 | (char *)password) == 0) | 171 | (char *)password) == 0) |
173 | return 0; | 172 | return 0; |
174 | else | 173 | else |
175 | return 1; | 174 | return 1; |
176 | #endif | 175 | # endif |
177 | pw_password = pw->pw_passwd; | 176 | pw_password = pw->pw_passwd; |
178 | 177 | ||
179 | /* | 178 | /* |
180 | * Various interfaces to shadow or protected password data | 179 | * Various interfaces to shadow or protected password data |
181 | */ | 180 | */ |
182 | #if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW) | 181 | # if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW) |
183 | spw = getspnam(pw->pw_name); | 182 | spw = getspnam(pw->pw_name); |
184 | if (spw != NULL) | 183 | if (spw != NULL) |
185 | pw_password = spw->sp_pwdp; | 184 | pw_password = spw->sp_pwdp; |
186 | #endif /* defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW) */ | 185 | # endif /* defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW) */ |
187 | 186 | ||
188 | #if defined(HAVE_GETPWANAM) && !defined(DISABLE_SHADOW) | 187 | # if defined(HAVE_GETPWANAM) && !defined(DISABLE_SHADOW) |
189 | if (issecure() && (spw = getpwanam(pw->pw_name)) != NULL) | 188 | if (issecure() && (spw = getpwanam(pw->pw_name)) != NULL) |
190 | pw_password = spw->pwa_passwd; | 189 | pw_password = spw->pwa_passwd; |
191 | #endif /* defined(HAVE_GETPWANAM) && !defined(DISABLE_SHADOW) */ | 190 | # endif /* defined(HAVE_GETPWANAM) && !defined(DISABLE_SHADOW) */ |
192 | 191 | ||
193 | #ifdef HAVE_SECUREWARE | 192 | # ifdef HAVE_SECUREWARE |
194 | if ((spw = getprpwnam(pw->pw_name)) != NULL) | 193 | if ((spw = getprpwnam(pw->pw_name)) != NULL) |
195 | pw_password = spw->ufld.fd_encrypt; | 194 | pw_password = spw->ufld.fd_encrypt; |
196 | #endif /* HAVE_SECUREWARE */ | 195 | # endif /* HAVE_SECUREWARE */ |
197 | 196 | ||
198 | #if defined(__hpux) && !defined(HAVE_SECUREWARE) | 197 | # if defined(__hpux) && !defined(HAVE_SECUREWARE) |
199 | if (iscomsec() && (spw = getprpwnam(pw->pw_name)) != NULL) | 198 | if (iscomsec() && (spw = getprpwnam(pw->pw_name)) != NULL) |
200 | pw_password = spw->ufld.fd_encrypt; | 199 | pw_password = spw->ufld.fd_encrypt; |
201 | #endif /* defined(__hpux) && !defined(HAVE_SECUREWARE) */ | 200 | # endif /* defined(__hpux) && !defined(HAVE_SECUREWARE) */ |
202 | 201 | ||
203 | /* Check for users with no password. */ | 202 | /* Check for users with no password. */ |
204 | if ((password[0] == '\0') && (pw_password[0] == '\0')) | 203 | if ((password[0] == '\0') && (pw_password[0] == '\0')) |
@@ -209,25 +208,25 @@ auth_password(Authctxt *authctxt, const char *password) | |||
209 | else | 208 | else |
210 | salt = "xx"; | 209 | salt = "xx"; |
211 | 210 | ||
212 | #ifdef HAVE_MD5_PASSWORDS | 211 | # ifdef HAVE_MD5_PASSWORDS |
213 | if (is_md5_salt(salt)) | 212 | if (is_md5_salt(salt)) |
214 | encrypted_password = md5_crypt(password, salt); | 213 | encrypted_password = md5_crypt(password, salt); |
215 | else | 214 | else |
216 | encrypted_password = crypt(password, salt); | 215 | encrypted_password = crypt(password, salt); |
217 | #else /* HAVE_MD5_PASSWORDS */ | 216 | # else /* HAVE_MD5_PASSWORDS */ |
218 | # if defined(__hpux) && !defined(HAVE_SECUREWARE) | 217 | # if defined(__hpux) && !defined(HAVE_SECUREWARE) |
219 | if (iscomsec()) | 218 | if (iscomsec()) |
220 | encrypted_password = bigcrypt(password, salt); | 219 | encrypted_password = bigcrypt(password, salt); |
221 | else | 220 | else |
222 | encrypted_password = crypt(password, salt); | 221 | encrypted_password = crypt(password, salt); |
223 | # else | ||
224 | # ifdef HAVE_SECUREWARE | ||
225 | encrypted_password = bigcrypt(password, salt); | ||
226 | # else | 222 | # else |
223 | # ifdef HAVE_SECUREWARE | ||
224 | encrypted_password = bigcrypt(password, salt); | ||
225 | # else | ||
227 | encrypted_password = crypt(password, salt); | 226 | encrypted_password = crypt(password, salt); |
228 | # endif /* HAVE_SECUREWARE */ | 227 | # endif /* HAVE_SECUREWARE */ |
229 | # endif /* __hpux && !defined(HAVE_SECUREWARE) */ | 228 | # endif /* __hpux && !defined(HAVE_SECUREWARE) */ |
230 | #endif /* HAVE_MD5_PASSWORDS */ | 229 | # endif /* HAVE_MD5_PASSWORDS */ |
231 | 230 | ||
232 | /* Authentication is accepted if the encrypted passwords are identical. */ | 231 | /* Authentication is accepted if the encrypted passwords are identical. */ |
233 | return (strcmp(encrypted_password, pw_password) == 0); | 232 | return (strcmp(encrypted_password, pw_password) == 0); |
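Review bot: In the first hunk, new line 96 declares `pw` inside the `#if !defined(USE_PAM) && !defined(HAVE_OSF_SIA)` block that closes at line 114, yet lines 117 and 120 use `pw` unconditionally, so PAM and SIA builds no longer compile; move `struct passwd *pw = authctxt->pw;` above the `#if` on line 95. Separately, the merged root test on line 120, `options.permit_root_login != PERMIT_NO_PASSWD`, inverts the policy it replaces: root's password is now refused under `yes` and accepted under `without-password`, whereas the old test in this file was `!= PERMIT_YES` and the one removed from auth-pam.c was `== PERMIT_NO_PASSWD`, both of which rejected a root password login under `without-password`. That line should read `if (pw->pw_uid == 0 && options.permit_root_login != PERMIT_YES)`. Note also that the check is now under `#ifndef HAVE_CYGWIN` for the PAM and SIA paths too, which the removed PAM-side test was not; probably intended, but worth confirming. The closing brace of auth_password lies past the end of the last hunk.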
diff --git a/auth-sia.c b/auth-sia.c index 58b17c16f..071e154d8 100644 --- a/auth-sia.c +++ b/auth-sia.c | |||
@@ -57,7 +57,7 @@ auth_sia_password(Authctxt *authctxt, char *pass) | |||
57 | 57 | ||
58 | host = get_canonical_hostname(options.verify_reverse_mapping); | 58 | host = get_canonical_hostname(options.verify_reverse_mapping); |
59 | 59 | ||
60 | if (!user || !pass || pass[0] == '\0') | 60 | if (pass[0] == '\0') |
61 | return(0); | 61 | return(0); |
62 | 62 | ||
63 | if (sia_ses_init(&ent, saved_argc, saved_argv, host, user, NULL, 0, | 63 | if (sia_ses_init(&ent, saved_argc, saved_argv, host, user, NULL, 0, |
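Review bot: The new guard on line 60, `if (pass[0] == '\0')`, drops the NULL test on `user`, but the caller's new checks in auth_password test `authctxt->pw` rather than the user name, so `user` handed to sia_ses_init on line 63 is only safe if it is derived from a non-NULL pw; its assignment is outside the hunk, so that cannot be confirmed here. Either keep `if (user == NULL || pass[0] == '\0') return(0);` or record the precondition with `/* auth_password has already rejected a NULL pw and an empty password. */` above the test. auth_sia_password starts and ends outside the hunk.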