author | Kevin Steves <stevesk@pobox.com> | 2002-04-04 19:02:28 +0000 |
---|---|---|
committer | Kevin Steves <stevesk@pobox.com> | 2002-04-04 19:02:28 +0000 |
commit | e683e7643997118ac51b18c073a6aba410c0cc3c (patch) | |
tree | f2a98c2979198a89e00eb5cdd3d6fbf0fb986377 | |
parent | af40bc6a72013e9eec74ec99e21dab9342ac9880 (diff) |
- (stevesk) [auth-pam.c auth-pam.h auth-passwd.c auth-sia.c auth-sia.h
auth1.c auth2.c] PAM, OSF_SIA password auth cleanup; from djm.
-rw-r--r-- | ChangeLog | 6 | ||||
-rw-r--r-- | auth-pam.c | 6 | ||||
-rw-r--r-- | auth-pam.h | 4 | ||||
-rw-r--r-- | auth-passwd.c | 83 | ||||
-rw-r--r-- | auth-sia.c | 6 | ||||
-rw-r--r-- | auth-sia.h | 2 | ||||
-rw-r--r-- | auth1.c | 15 | ||||
-rw-r--r-- | auth2.c | 12 |
8 files changed, 62 insertions, 72 deletions
@@ -1,3 +1,7 @@ | |||
1 | 20020404 | ||
2 | - (stevesk) [auth-pam.c auth-pam.h auth-passwd.c auth-sia.c auth-sia.h | ||
3 | auth1.c auth2.c] PAM, OSF_SIA password auth cleanup; from djm. | ||
4 | |||
1 | 20020402 | 5 | 20020402 |
2 | - (bal) Hand Sync of scp.c (reverted to upstream code) | 6 | - (bal) Hand Sync of scp.c (reverted to upstream code) |
3 | - deraadt@cvs.openbsd.org 2002/03/30 17:45:46 | 7 | - deraadt@cvs.openbsd.org 2002/03/30 17:45:46 |
@@ -8147,4 +8151,4 @@ | |||
8147 | - Wrote replacements for strlcpy and mkdtemp | 8151 | - Wrote replacements for strlcpy and mkdtemp |
8148 | - Released 1.0pre1 | 8152 | - Released 1.0pre1 |
8149 | 8153 | ||
8150 | $Id: ChangeLog,v 1.2020 2002/04/03 03:36:54 mouring Exp $ | 8154 | $Id: ChangeLog,v 1.2021 2002/04/04 19:02:28 stevesk Exp $ |
diff --git a/auth-pam.c b/auth-pam.c index d97d981c4..daa83c72a 100644 --- a/auth-pam.c +++ b/auth-pam.c | |||
@@ -28,6 +28,7 @@ | |||
28 | #include "ssh.h" | 28 | #include "ssh.h" |
29 | #include "xmalloc.h" | 29 | #include "xmalloc.h" |
30 | #include "log.h" | 30 | #include "log.h" |
31 | #include "auth.h" | ||
31 | #include "auth-pam.h" | 32 | #include "auth-pam.h" |
32 | #include "servconf.h" | 33 | #include "servconf.h" |
33 | #include "canohost.h" | 34 | #include "canohost.h" |
@@ -35,7 +36,7 @@ | |||
35 | 36 | ||
36 | extern char *__progname; | 37 | extern char *__progname; |
37 | 38 | ||
38 | RCSID("$Id: auth-pam.c,v 1.42 2002/02/05 01:40:47 djm Exp $"); | 39 | RCSID("$Id: auth-pam.c,v 1.43 2002/04/04 19:02:28 stevesk Exp $"); |
39 | 40 | ||
40 | #define NEW_AUTHTOK_MSG \ | 41 | #define NEW_AUTHTOK_MSG \ |
41 | "Warning: Your password has expired, please change it now" | 42 | "Warning: Your password has expired, please change it now" |
@@ -199,10 +200,11 @@ void do_pam_cleanup_proc(void *context) | |||
199 | } | 200 | } |
200 | 201 | ||
201 | /* Attempt password authentation using PAM */ | 202 | /* Attempt password authentation using PAM */ |
202 | int auth_pam_password(struct passwd *pw, const char *password) | 203 | int auth_pam_password(Authctxt *authctxt, const char *password) |
203 | { | 204 | { |
204 | extern ServerOptions options; | 205 | extern ServerOptions options; |
205 | int pam_retval; | 206 | int pam_retval; |
207 | struct passwd *pw = authctxt->pw; | ||
206 | 208 | ||
207 | do_pam_set_conv(&conv); | 209 | do_pam_set_conv(&conv); |
208 | 210 | ||
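Review bot: The new initializer `struct passwd *pw = authctxt->pw;` in auth_pam_password reads the context without stating what happens when no passwd entry was found for the user. The rest of the body is outside this hunk, so it is not visible whether a NULL `pw` is rejected before it is used; if it is not, add `if (pw == NULL) return 0;` directly after the declarations. Now that callers pass the whole context, the comment above the function should also state the contract, e.g. `/* Attempt password authentication using PAM; fails if authctxt->pw is NULL */`.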
diff --git a/auth-pam.h b/auth-pam.h index c249b5396..6b1f35add 100644 --- a/auth-pam.h +++ b/auth-pam.h | |||
@@ -1,4 +1,4 @@ | |||
1 | /* $Id: auth-pam.h,v 1.11 2001/03/27 06:12:24 djm Exp $ */ | 1 | /* $Id: auth-pam.h,v 1.12 2002/04/04 19:02:28 stevesk Exp $ */ |
2 | 2 | ||
3 | #include "includes.h" | 3 | #include "includes.h" |
4 | #ifdef USE_PAM | 4 | #ifdef USE_PAM |
@@ -7,7 +7,7 @@ | |||
7 | 7 | ||
8 | void start_pam(const char *user); | 8 | void start_pam(const char *user); |
9 | void finish_pam(void); | 9 | void finish_pam(void); |
10 | int auth_pam_password(struct passwd *pw, const char *password); | 10 | int auth_pam_password(Authctxt *authctxt, const char *password); |
11 | char **fetch_pam_environment(void); | 11 | char **fetch_pam_environment(void); |
12 | int do_pam_authenticate(int flags); | 12 | int do_pam_authenticate(int flags); |
13 | int do_pam_account(char *username, char *remote_user); | 13 | int do_pam_account(char *username, char *remote_user); |
diff --git a/auth-passwd.c b/auth-passwd.c index 095b9ba27..7f3073839 100644 --- a/auth-passwd.c +++ b/auth-passwd.c | |||
@@ -38,47 +38,47 @@ | |||
38 | #include "includes.h" | 38 | #include "includes.h" |
39 | RCSID("$OpenBSD: auth-passwd.c,v 1.24 2002/03/04 12:43:06 markus Exp $"); | 39 | RCSID("$OpenBSD: auth-passwd.c,v 1.24 2002/03/04 12:43:06 markus Exp $"); |
40 | 40 | ||
41 | #if !defined(USE_PAM) && !defined(HAVE_OSF_SIA) | ||
42 | |||
43 | #include "packet.h" | 41 | #include "packet.h" |
44 | #include "log.h" | 42 | #include "log.h" |
45 | #include "servconf.h" | 43 | #include "servconf.h" |
46 | #include "auth.h" | 44 | #include "auth.h" |
47 | 45 | ||
48 | #ifdef HAVE_CRYPT_H | 46 | #if !defined(USE_PAM) && !defined(HAVE_OSF_SIA) |
49 | # include <crypt.h> | 47 | /* Don't need any of these headers for the PAM or SIA cases */ |
50 | #endif | 48 | # ifdef HAVE_CRYPT_H |
51 | #ifdef WITH_AIXAUTHENTICATE | 49 | # include <crypt.h> |
52 | # include <login.h> | 50 | # endif |
53 | #endif | 51 | # ifdef WITH_AIXAUTHENTICATE |
54 | #ifdef __hpux | 52 | # include <login.h> |
55 | # include <hpsecurity.h> | 53 | # endif |
56 | # include <prot.h> | 54 | # ifdef __hpux |
57 | #endif | 55 | # include <hpsecurity.h> |
58 | #ifdef HAVE_SCO_PROTECTED_PW | 56 | # include <prot.h> |
59 | # include <sys/security.h> | 57 | # endif |
60 | # include <sys/audit.h> | 58 | # ifdef HAVE_SCO_PROTECTED_PW |
61 | # include <prot.h> | 59 | # include <sys/security.h> |
62 | #endif /* HAVE_SCO_PROTECTED_PW */ | 60 | # include <sys/audit.h> |
63 | #if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW) | 61 | # include <prot.h> |
64 | # include <shadow.h> | 62 | # endif /* HAVE_SCO_PROTECTED_PW */ |
65 | #endif | 63 | # if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW) |
66 | #if defined(HAVE_GETPWANAM) && !defined(DISABLE_SHADOW) | 64 | # include <shadow.h> |
67 | # include <sys/label.h> | 65 | # endif |
68 | # include <sys/audit.h> | 66 | # if defined(HAVE_GETPWANAM) && !defined(DISABLE_SHADOW) |
69 | # include <pwdadj.h> | 67 | # include <sys/label.h> |
70 | #endif | 68 | # include <sys/audit.h> |
71 | #if defined(HAVE_MD5_PASSWORDS) && !defined(HAVE_MD5_CRYPT) | 69 | # include <pwdadj.h> |
72 | # include "md5crypt.h" | 70 | # endif |
73 | #endif /* defined(HAVE_MD5_PASSWORDS) && !defined(HAVE_MD5_CRYPT) */ | 71 | # if defined(HAVE_MD5_PASSWORDS) && !defined(HAVE_MD5_CRYPT) |
74 | 72 | # include "md5crypt.h" | |
75 | #ifdef HAVE_CYGWIN | 73 | # endif /* defined(HAVE_MD5_PASSWORDS) && !defined(HAVE_MD5_CRYPT) */ |
76 | #undef ERROR | 74 | |
77 | #include <windows.h> | 75 | # ifdef HAVE_CYGWIN |
78 | #include <sys/cygwin.h> | 76 | # undef ERROR |
79 | #define is_winnt (GetVersion() < 0x80000000) | 77 | # include <windows.h> |
80 | #endif | 78 | # include <sys/cygwin.h> |
81 | 79 | # define is_winnt (GetVersion() < 0x80000000) | |
80 | # endif | ||
81 | #endif /* !USE_PAM && !HAVE_OSF_SIA */ | ||
82 | 82 | ||
83 | extern ServerOptions options; | 83 | extern ServerOptions options; |
84 | 84 | ||
@@ -89,6 +89,15 @@ extern ServerOptions options; | |||
89 | int | 89 | int |
90 | auth_password(Authctxt *authctxt, const char *password) | 90 | auth_password(Authctxt *authctxt, const char *password) |
91 | { | 91 | { |
92 | #if defined(USE_PAM) | ||
93 | if (*password == '\0' && options.permit_empty_passwd == 0) | ||
94 | return 0; | ||
95 | return auth_pam_password(authctxt, password); | ||
96 | #elif defined(HAVE_OSF_SIA) | ||
97 | if (*password == '\0' && options.permit_empty_passwd == 0) | ||
98 | return 0; | ||
99 | return auth_sia_password(authctxt, password); | ||
100 | #else | ||
92 | struct passwd * pw = authctxt->pw; | 101 | struct passwd * pw = authctxt->pw; |
93 | char *encrypted_password; | 102 | char *encrypted_password; |
94 | char *pw_password; | 103 | char *pw_password; |
@@ -221,5 +230,5 @@ auth_password(Authctxt *authctxt, const char *password) | |||
221 | 230 | ||
222 | /* Authentication is accepted if the encrypted passwords are identical. */ | 231 | /* Authentication is accepted if the encrypted passwords are identical. */ |
223 | return (strcmp(encrypted_password, pw_password) == 0); | 232 | return (strcmp(encrypted_password, pw_password) == 0); |
224 | } | ||
225 | #endif /* !USE_PAM && !HAVE_OSF_SIA */ | 233 | #endif /* !USE_PAM && !HAVE_OSF_SIA */ |
234 | } | ||
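Review bot: `return auth_sia_password(authctxt, password);` passes a `const char *` to a function whose new prototype is `auth_sia_password(Authctxt *authctxt, char *pass)`, so the SIA build drops the qualifier at this call. Since the signature changes in this commit anyway, it could become `int auth_sia_password(Authctxt *authctxt, const char *pass);` in auth-sia.h and auth-sia.c, provided the SIA calls outside the visible hunk accept a const pointer. The test `if (*password == '\0' && options.permit_empty_passwd == 0)` is repeated verbatim in the USE_PAM and HAVE_OSF_SIA branches; a comment saying both backends rely on this gate, or one shared check, would keep the copies from drifting. Both branches also return before anything the `#else` body checks, and most of that body lies outside the hunks shown.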
diff --git a/auth-sia.c b/auth-sia.c index 8585f5d6b..2bace5d47 100644 --- a/auth-sia.c +++ b/auth-sia.c | |||
@@ -6,6 +6,7 @@ | |||
6 | #include "log.h" | 6 | #include "log.h" |
7 | #include "servconf.h" | 7 | #include "servconf.h" |
8 | #include "canohost.h" | 8 | #include "canohost.h" |
9 | #include "auth.h" | ||
9 | 10 | ||
10 | #include <sia.h> | 11 | #include <sia.h> |
11 | #include <siad.h> | 12 | #include <siad.h> |
@@ -23,15 +24,16 @@ extern char **saved_argv; | |||
23 | extern int errno; | 24 | extern int errno; |
24 | 25 | ||
25 | int | 26 | int |
26 | auth_sia_password(char *user, char *pass) | 27 | auth_sia_password(Authctxt *authctxt, char *pass) |
27 | { | 28 | { |
28 | int ret; | 29 | int ret; |
29 | SIAENTITY *ent = NULL; | 30 | SIAENTITY *ent = NULL; |
30 | const char *host; | 31 | const char *host; |
32 | char *user = authctxt->user; | ||
31 | 33 | ||
32 | host = get_canonical_hostname(options.verify_reverse_mapping); | 34 | host = get_canonical_hostname(options.verify_reverse_mapping); |
33 | 35 | ||
34 | if (!user || !pass) | 36 | if (!user || !pass || pass[0] == '\0') |
35 | return(0); | 37 | return(0); |
36 | 38 | ||
37 | if (sia_ses_init(&ent, saved_argc, saved_argv, host, user, NULL, 0, | 39 | if (sia_ses_init(&ent, saved_argc, saved_argv, host, user, NULL, 0, |
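Review bot: The added `pass[0] == '\0'` test makes auth_sia_password refuse every empty password, so on SIA builds `options.permit_empty_passwd` cannot enable empty-password logins even though auth_password consults it before calling here. That matches the constant `0` the removed SIA branches used in do_authloop and userauth_none, but nothing at this line says it is deliberate. I would add a comment above the check, e.g. `/* SIA never accepts an empty password, whatever PermitEmptyPasswords says */`. The function body continues past the end of this hunk.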
diff --git a/auth-sia.h b/auth-sia.h index eaa933322..4ae8d8991 100644 --- a/auth-sia.h +++ b/auth-sia.h | |||
@@ -2,7 +2,7 @@ | |||
2 | 2 | ||
3 | #ifdef HAVE_OSF_SIA | 3 | #ifdef HAVE_OSF_SIA |
4 | 4 | ||
5 | int auth_sia_password(char *user, char *pass); | 5 | int auth_sia_password(Authctxt *authctxt, char *pass); |
6 | void session_setup_sia(char *user, char *tty); | 6 | void session_setup_sia(char *user, char *tty); |
7 | 7 | ||
8 | #endif /* HAVE_OSF_SIA */ | 8 | #endif /* HAVE_OSF_SIA */ |
@@ -84,13 +84,7 @@ do_authloop(Authctxt *authctxt) | |||
84 | #if defined(KRB4) || defined(KRB5) | 84 | #if defined(KRB4) || defined(KRB5) |
85 | (!options.kerberos_authentication || options.kerberos_or_local_passwd) && | 85 | (!options.kerberos_authentication || options.kerberos_or_local_passwd) && |
86 | #endif | 86 | #endif |
87 | #ifdef USE_PAM | ||
88 | auth_pam_password(pw, "")) { | ||
89 | #elif defined(HAVE_OSF_SIA) | ||
90 | 0) { | ||
91 | #else | ||
92 | PRIVSEP(auth_password(authctxt, ""))) { | 87 | PRIVSEP(auth_password(authctxt, ""))) { |
93 | #endif | ||
94 | auth_log(authctxt, 1, "without authentication", ""); | 88 | auth_log(authctxt, 1, "without authentication", ""); |
95 | return; | 89 | return; |
96 | } | 90 | } |
@@ -246,17 +240,8 @@ do_authloop(Authctxt *authctxt) | |||
246 | password = packet_get_string(&dlen); | 240 | password = packet_get_string(&dlen); |
247 | packet_check_eom(); | 241 | packet_check_eom(); |
248 | 242 | ||
249 | #ifdef USE_PAM | ||
250 | /* Do PAM auth with password */ | ||
251 | authenticated = auth_pam_password(pw, password); | ||
252 | #elif defined(HAVE_OSF_SIA) | ||
253 | /* Do SIA auth with password */ | ||
254 | authenticated = auth_sia_password(authctxt->user, | ||
255 | password); | ||
256 | #else /* !USE_PAM && !HAVE_OSF_SIA */ | ||
257 | /* Try authentication with the password. */ | 243 | /* Try authentication with the password. */ |
258 | authenticated = PRIVSEP(auth_password(authctxt, password)); | 244 | authenticated = PRIVSEP(auth_password(authctxt, password)); |
259 | #endif /* USE_PAM */ | ||
260 | 245 | ||
261 | memset(password, 0, strlen(password)); | 246 | memset(password, 0, strlen(password)); |
262 | xfree(password); | 247 | xfree(password); |
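Review bot: On USE_PAM and HAVE_OSF_SIA builds the password check in do_authloop now goes through `PRIVSEP(auth_password(authctxt, password))`, where the removed lines called auth_pam_password and auth_sia_password directly. The same applies to the empty-password probe earlier in do_authloop and to userauth_none and userauth_passwd in auth2.c. The PRIVSEP macro is not defined on this page, so it is worth confirming that the process which ends up running auth_password is the one holding the PAM state set up by start_pam. A one-line comment at the call, such as `/* auth_password() dispatches to PAM or SIA when built with them */`, would help readers who no longer see the #ifdef ladder here.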
@@ -329,13 +329,7 @@ userauth_none(Authctxt *authctxt) | |||
329 | if (check_nt_auth(1, authctxt->pw) == 0) | 329 | if (check_nt_auth(1, authctxt->pw) == 0) |
330 | return(0); | 330 | return(0); |
331 | #endif | 331 | #endif |
332 | #ifdef USE_PAM | ||
333 | return auth_pam_password(authctxt->pw, ""); | ||
334 | #elif defined(HAVE_OSF_SIA) | ||
335 | return 0; | ||
336 | #else /* !HAVE_OSF_SIA && !USE_PAM */ | ||
337 | return PRIVSEP(auth_password(authctxt, "")); | 332 | return PRIVSEP(auth_password(authctxt, "")); |
338 | #endif /* USE_PAM */ | ||
339 | } | 333 | } |
340 | 334 | ||
341 | static int | 335 | static int |
@@ -354,13 +348,7 @@ userauth_passwd(Authctxt *authctxt) | |||
354 | #ifdef HAVE_CYGWIN | 348 | #ifdef HAVE_CYGWIN |
355 | check_nt_auth(1, authctxt->pw) && | 349 | check_nt_auth(1, authctxt->pw) && |
356 | #endif | 350 | #endif |
357 | #ifdef USE_PAM | ||
358 | auth_pam_password(authctxt->pw, password) == 1) | ||
359 | #elif defined(HAVE_OSF_SIA) | ||
360 | auth_sia_password(authctxt->user, password) == 1) | ||
361 | #else /* !USE_PAM && !HAVE_OSF_SIA */ | ||
362 | PRIVSEP(auth_password(authctxt, password)) == 1) | 351 | PRIVSEP(auth_password(authctxt, password)) == 1) |
363 | #endif /* USE_PAM */ | ||
364 | authenticated = 1; | 352 | authenticated = 1; |
365 | memset(password, 0, len); | 353 | memset(password, 0, len); |
366 | xfree(password); | 354 | xfree(password); |