- markus@cvs.openbsd.org 2004/01/30 09:48:57

[auth-passwd.c auth.h pathnames.h session.c] support for password change; ok dtucker@ (set password-dead=1w in login.conf to use this). In -Portable, this is currently only platforms using bsdauth.
author: Darren Tucker <dtucker@zip.com.au> 2004-02-06 16:24:31 +1100
committer: Darren Tucker <dtucker@zip.com.au> 2004-02-06 16:24:31 +1100
commit: 23bc8d0bff3ee9976be32a287079f7571b5bd50d (patch)
tree: bbc24dec24bebcbbfb338579e82917d96b79898d /auth-passwd.c
parent: 819d4526ca01cdb1e226df8b00c606c537e3e1f7 (diff)
1 files changed, 64 insertions, 34 deletions
diff --git a/auth-passwd.c b/auth-passwd.c
index a27170ccc..d12996bba 100644
--- a/auth-passwd.c
+++ b/auth-passwd.c
@@ -42,11 +42,21 @@ RCSID("$OpenBSD: auth-passwd.c,v 1.30 2003/11/04 08:54:09 djm Exp $");
 #include "log.h"
 #include "servconf.h"
 #include "auth.h"
+#include "auth-options.h"
 #ifdef WITH_AIXAUTHENTICATE
 # include "canohost.h"
 #endif
 extern ServerOptions options;
+int sys_auth_passwd(Authctxt *, const char *);
+static void
+disable_forwarding(void)
+{
+        no_port_forwarding_flag = 1;
+        no_agent_forwarding_flag = 1;
+        no_x11_forwarding_flag = 1;
+}
 /*
 * Tries to authenticate the user using password.  Returns true if
@@ -66,17 +76,21 @@ auth_password(Authctxt *authctxt, const char *password)
                return 0;
 #if defined(HAVE_OSF_SIA)
+        /*
+         * XXX: any reason this is before krb?  could be moved to
+         * sys_auth_passwd()?  -dt
+         */
        return auth_sia_password(authctxt, password) && ok;
-#else
+#endif
-# ifdef KRB5
+#ifdef KRB5
        if (options.kerberos_authentication == 1) {
                int ret = auth_krb5_password(authctxt, password);
                if (ret == 1 || ret == 0)
                        return ret && ok;
                /* Fall back to ordinary passwd authentication. */
        }
-# endif
+#endif
-# ifdef HAVE_CYGWIN
+#ifdef HAVE_CYGWIN
        if (is_winnt) {
                HANDLE hToken = cygwin_logon_user(pw, password);
@@ -85,41 +99,57 @@ auth_password(Authctxt *authctxt, const char *password)
                cygwin_set_impersonation_token(hToken);
                return ok;
        }
-# endif
+#endif
-# ifdef WITH_AIXAUTHENTICATE
+        return (sys_auth_passwd(authctxt, password) && ok);
-        if (aix_authenticate(pw->pw_name, password,
+}
-            get_canonical_hostname(options.use_dns)) == 0)
-                return 0;
+#ifdef BSD_AUTH
-        else
+int
-                return ok;
+sys_auth_passwd(Authctxt *authctxt, const char *password)
-# endif
+{
-# ifdef BSD_AUTH
+        struct passwd *pw = authctxt->pw;
-        if (auth_userokay(pw->pw_name, authctxt->style, "auth-ssh",
+        auth_session_t *as;
-            (char *)password) == 0)
-                return 0;
+        as = auth_usercheck(pw->pw_name, authctxt->style, "auth-ssh",
-        else
+            (char *)password);
-                return ok;
+        if (auth_getstate(as) & AUTH_PWEXPIRED) {
-# else
+                auth_close(as);
-        {
+                disable_forwarding();
+                authctxt->force_pwchange = 1;
+                return (1);
+        } else {
+                return (auth_close(as));
+        }
+}
+#elif defined(WITH_AIXAUTHENTICATE)
+int
+sys_auth_passwd(Authctxt *authctxt, const char *password)
+{
+        return (aix_authenticate(authctxt->pw->pw_name, password,
+            get_canonical_hostname(options.use_dns)));
+}
+#else
+int
+sys_auth_passwd(Authctxt *authctxt, const char *password)
+{
+        struct passwd *pw = authctxt->pw;
+        char *encrypted_password;
        /* Just use the supplied fake password if authctxt is invalid */
        char *pw_password = authctxt->valid ? shadow_pw(pw) : pw->pw_passwd;
        /* Check for users with no password. */
        if (strcmp(pw_password, "") == 0 && strcmp(password, "") == 0)
-                return ok;
+                return (1);
-        else {
-                /* Encrypt the candidate password using the proper salt. */
-                char *encrypted_password = xcrypt(password,
-                    (pw_password[0] && pw_password[1]) ? pw_password : "xx");
-                /*
+        /* Encrypt the candidate password using the proper salt. */
-                 * Authentication is accepted if the encrypted passwords
+        encrypted_password = xcrypt(password,
-                 * are identical.
+            (pw_password[0] && pw_password[1]) ? pw_password : "xx");
-                 */
-                return (strcmp(encrypted_password, pw_password) == 0) && ok;
-        }
-        }
+        /*
-# endif
+         * Authentication is accepted if the encrypted passwords
-#endif /* !HAVE_OSF_SIA */
+         * are identical.
+         */
+        return (strcmp(encrypted_password, pw_password) == 0);
 }
+#endif
author	Darren Tucker <dtucker@zip.com.au>	2004-02-06 16:24:31 +1100
committer	Darren Tucker <dtucker@zip.com.au>	2004-02-06 16:24:31 +1100
commit	23bc8d0bff3ee9976be32a287079f7571b5bd50d (patch)
tree	bbc24dec24bebcbbfb338579e82917d96b79898d /auth-passwd.c
parent	819d4526ca01cdb1e226df8b00c606c537e3e1f7 (diff)

diff --git a/auth-passwd.c b/auth-passwd.c index a27170ccc..d12996bba 100644 --- a/auth-passwd.c +++ b/auth-passwd.c
@@ -42,11 +42,21 @@ RCSID("$OpenBSD: auth-passwd.c,v 1.30 2003/11/04 08:54:09 djm Exp $");
42	#include "log.h"	42	#include "log.h"
43	#include "servconf.h"	43	#include "servconf.h"
44	#include "auth.h"	44	#include "auth.h"
		45	#include "auth-options.h"
45	#ifdef WITH_AIXAUTHENTICATE	46	#ifdef WITH_AIXAUTHENTICATE
46	# include "canohost.h"	47	# include "canohost.h"
47	#endif	48	#endif
48		49
49	extern ServerOptions options;	50	extern ServerOptions options;
		51	int sys_auth_passwd(Authctxt , const char );
		52
		53	static void
		54	disable_forwarding(void)
		55	{
		56	no_port_forwarding_flag = 1;
		57	no_agent_forwarding_flag = 1;
		58	no_x11_forwarding_flag = 1;
		59	}
50		60
51	/*	61	/*
52	* Tries to authenticate the user using password. Returns true if	62	* Tries to authenticate the user using password. Returns true if
@@ -66,17 +76,21 @@ auth_password(Authctxt authctxt, const char password)
66	return 0;	76	return 0;
67		77
68	#if defined(HAVE_OSF_SIA)	78	#if defined(HAVE_OSF_SIA)
		79	/*
		80	* XXX: any reason this is before krb? could be moved to
		81	* sys_auth_passwd()? -dt
		82	*/
69	return auth_sia_password(authctxt, password) && ok;	83	return auth_sia_password(authctxt, password) && ok;
70	#else	84	#endif
71	# ifdef KRB5	85	#ifdef KRB5
72	if (options.kerberos_authentication == 1) {	86	if (options.kerberos_authentication == 1) {
73	int ret = auth_krb5_password(authctxt, password);	87	int ret = auth_krb5_password(authctxt, password);
74	if (ret == 1 \|\| ret == 0)	88	if (ret == 1 \|\| ret == 0)
75	return ret && ok;	89	return ret && ok;
76	/* Fall back to ordinary passwd authentication. */	90	/* Fall back to ordinary passwd authentication. */
77	}	91	}
78	# endif	92	#endif
79	# ifdef HAVE_CYGWIN	93	#ifdef HAVE_CYGWIN
80	if (is_winnt) {	94	if (is_winnt) {
81	HANDLE hToken = cygwin_logon_user(pw, password);	95	HANDLE hToken = cygwin_logon_user(pw, password);
82		96
@@ -85,41 +99,57 @@ auth_password(Authctxt authctxt, const char password)
85	cygwin_set_impersonation_token(hToken);	99	cygwin_set_impersonation_token(hToken);
86	return ok;	100	return ok;
87	}	101	}
88	# endif	102	#endif
89	# ifdef WITH_AIXAUTHENTICATE	103	return (sys_auth_passwd(authctxt, password) && ok);
90	if (aix_authenticate(pw->pw_name, password,	104	}
91	get_canonical_hostname(options.use_dns)) == 0)	105
92	return 0;	106	#ifdef BSD_AUTH
93	else	107	int
94	return ok;	108	sys_auth_passwd(Authctxt authctxt, const char password)
95	# endif	109	{
96	# ifdef BSD_AUTH	110	struct passwd *pw = authctxt->pw;
97	if (auth_userokay(pw->pw_name, authctxt->style, "auth-ssh",	111	auth_session_t *as;
98	(char *)password) == 0)	112
99	return 0;	113	as = auth_usercheck(pw->pw_name, authctxt->style, "auth-ssh",
100	else	114	(char *)password);
101	return ok;	115	if (auth_getstate(as) & AUTH_PWEXPIRED) {
102	# else	116	auth_close(as);
103	{	117	disable_forwarding();
		118	authctxt->force_pwchange = 1;
		119	return (1);
		120	} else {
		121	return (auth_close(as));
		122	}
		123	}
		124	#elif defined(WITH_AIXAUTHENTICATE)
		125	int
		126	sys_auth_passwd(Authctxt authctxt, const char password)
		127	{
		128	return (aix_authenticate(authctxt->pw->pw_name, password,
		129	get_canonical_hostname(options.use_dns)));
		130	}
		131	#else
		132	int
		133	sys_auth_passwd(Authctxt authctxt, const char password)
		134	{
		135	struct passwd *pw = authctxt->pw;
		136	char *encrypted_password;
		137
104	/* Just use the supplied fake password if authctxt is invalid */	138	/* Just use the supplied fake password if authctxt is invalid */
105	char *pw_password = authctxt->valid ? shadow_pw(pw) : pw->pw_passwd;	139	char *pw_password = authctxt->valid ? shadow_pw(pw) : pw->pw_passwd;
106		140
107	/* Check for users with no password. */	141	/* Check for users with no password. */
108	if (strcmp(pw_password, "") == 0 && strcmp(password, "") == 0)	142	if (strcmp(pw_password, "") == 0 && strcmp(password, "") == 0)
109	return ok;	143	return (1);
110	else {
111	/* Encrypt the candidate password using the proper salt. */
112	char *encrypted_password = xcrypt(password,
113	(pw_password[0] && pw_password[1]) ? pw_password : "xx");
114		144
115	/*	145	/* Encrypt the candidate password using the proper salt. */
116	* Authentication is accepted if the encrypted passwords	146	encrypted_password = xcrypt(password,
117	* are identical.	147	(pw_password[0] && pw_password[1]) ? pw_password : "xx");
118	*/
119	return (strcmp(encrypted_password, pw_password) == 0) && ok;
120	}
121		148
122	}	149	/*
123	# endif	150	* Authentication is accepted if the encrypted passwords
124	#endif /* !HAVE_OSF_SIA */	151	* are identical.
		152	*/
		153	return (strcmp(encrypted_password, pw_password) == 0);
125	}	154	}
		155	#endif