diff options
author | Colin Watson <cjwatson@debian.org> | 2003-09-23 18:08:35 +0000 |
---|---|---|
committer | Colin Watson <cjwatson@debian.org> | 2003-09-23 18:08:35 +0000 |
commit | d59fd3e421aa81b8e5e118f3f806081df2aca879 (patch) | |
tree | 356a4e607edc979c625bb33db63c656d771478bd /auth-passwd.c | |
parent | 7505658c58e96b8d270f1928a0e1fa7f3e0c266b (diff) | |
parent | 45431c9b4677608680cd071768cbf156b316a7e8 (diff) |
Merge 3.7.1p2 to the trunk. I have absolutely no idea yet whether this will
work.
Diffstat (limited to 'auth-passwd.c')
-rw-r--r-- | auth-passwd.c | 224 |
1 files changed, 70 insertions, 154 deletions
diff --git a/auth-passwd.c b/auth-passwd.c index 2307c1e5e..971c7ba19 100644 --- a/auth-passwd.c +++ b/auth-passwd.c | |||
@@ -36,55 +36,20 @@ | |||
36 | */ | 36 | */ |
37 | 37 | ||
38 | #include "includes.h" | 38 | #include "includes.h" |
39 | RCSID("$OpenBSD: auth-passwd.c,v 1.27 2002/05/24 16:45:16 stevesk Exp $"); | 39 | RCSID("$OpenBSD: auth-passwd.c,v 1.29 2003/08/26 09:58:43 markus Exp $"); |
40 | 40 | ||
41 | #include "packet.h" | 41 | #include "packet.h" |
42 | #include "log.h" | 42 | #include "log.h" |
43 | #include "servconf.h" | 43 | #include "servconf.h" |
44 | #include "auth.h" | 44 | #include "auth.h" |
45 | |||
46 | #if !defined(USE_PAM) && !defined(HAVE_OSF_SIA) | ||
47 | /* Don't need any of these headers for the PAM or SIA cases */ | ||
48 | # ifdef HAVE_CRYPT_H | ||
49 | # include <crypt.h> | ||
50 | # endif | ||
51 | # ifdef WITH_AIXAUTHENTICATE | ||
52 | # include <login.h> | ||
53 | # endif | ||
54 | # ifdef __hpux | ||
55 | # include <hpsecurity.h> | ||
56 | # include <prot.h> | ||
57 | # endif | ||
58 | # ifdef HAVE_SECUREWARE | ||
59 | # include <sys/security.h> | ||
60 | # include <sys/audit.h> | ||
61 | # include <prot.h> | ||
62 | # endif /* HAVE_SECUREWARE */ | ||
63 | # if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW) | ||
64 | # include <shadow.h> | ||
65 | # endif | ||
66 | # if defined(HAVE_GETPWANAM) && !defined(DISABLE_SHADOW) | ||
67 | # include <sys/label.h> | ||
68 | # include <sys/audit.h> | ||
69 | # include <pwdadj.h> | ||
70 | # endif | ||
71 | # if defined(HAVE_MD5_PASSWORDS) && !defined(HAVE_MD5_CRYPT) | ||
72 | # include "md5crypt.h" | ||
73 | # endif /* defined(HAVE_MD5_PASSWORDS) && !defined(HAVE_MD5_CRYPT) */ | ||
74 | |||
75 | # ifdef HAVE_CYGWIN | ||
76 | # undef ERROR | ||
77 | # include <windows.h> | ||
78 | # include <sys/cygwin.h> | ||
79 | # define is_winnt (GetVersion() < 0x80000000) | ||
80 | # endif | ||
81 | #endif /* !USE_PAM && !HAVE_OSF_SIA */ | ||
82 | |||
83 | extern ServerOptions options; | ||
84 | #ifdef WITH_AIXAUTHENTICATE | 45 | #ifdef WITH_AIXAUTHENTICATE |
85 | extern char *aixloginmsg; | 46 | # include "buffer.h" |
47 | # include "canohost.h" | ||
48 | extern Buffer loginmsg; | ||
86 | #endif | 49 | #endif |
87 | 50 | ||
51 | extern ServerOptions options; | ||
52 | |||
88 | /* | 53 | /* |
89 | * Tries to authenticate the user using password. Returns true if | 54 | * Tries to authenticate the user using password. Returns true if |
90 | * authentication succeeds. | 55 | * authentication succeeds. |
@@ -94,58 +59,25 @@ auth_password(Authctxt *authctxt, const char *password) | |||
94 | { | 59 | { |
95 | struct passwd * pw = authctxt->pw; | 60 | struct passwd * pw = authctxt->pw; |
96 | int ok = authctxt->valid; | 61 | int ok = authctxt->valid; |
97 | #if !defined(USE_PAM) && !defined(HAVE_OSF_SIA) | ||
98 | char *encrypted_password; | ||
99 | char *pw_password; | ||
100 | char *salt; | ||
101 | # if defined(__hpux) || defined(HAVE_SECUREWARE) | ||
102 | struct pr_passwd *spw; | ||
103 | # endif /* __hpux || HAVE_SECUREWARE */ | ||
104 | # if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW) | ||
105 | struct spwd *spw; | ||
106 | # endif | ||
107 | # if defined(HAVE_GETPWANAM) && !defined(DISABLE_SHADOW) | ||
108 | struct passwd_adjunct *spw; | ||
109 | # endif | ||
110 | # ifdef WITH_AIXAUTHENTICATE | ||
111 | char *authmsg; | ||
112 | int authsuccess; | ||
113 | int reenter = 1; | ||
114 | # endif | ||
115 | #endif /* !defined(USE_PAM) && !defined(HAVE_OSF_SIA) */ | ||
116 | 62 | ||
117 | /* deny if no user. */ | 63 | /* deny if no user. */ |
118 | if (pw == NULL) | 64 | if (pw == NULL) |
119 | ok = 0; | 65 | return 0; |
120 | #ifndef HAVE_CYGWIN | 66 | #ifndef HAVE_CYGWIN |
121 | if (pw && pw->pw_uid == 0 && options.permit_root_login != PERMIT_YES) | 67 | if (pw && pw->pw_uid == 0 && options.permit_root_login != PERMIT_YES) |
122 | ok = 0; | 68 | ok = 0; |
123 | #endif | 69 | #endif |
124 | if (*password == '\0' && options.permit_empty_passwd == 0) | 70 | if (*password == '\0' && options.permit_empty_passwd == 0) |
125 | ok = 0; | ||
126 | |||
127 | #if defined(USE_PAM) | ||
128 | /* | ||
129 | * If the user logging in is root and RootLogin=no, always attempt | ||
130 | * an invalid root login to prevent leaking timing information | ||
131 | */ | ||
132 | if (pw && pw->pw_uid == 0 && options.permit_root_login != PERMIT_YES) { | ||
133 | auth_pam_password(authctxt, "\b\n\r\177INCORRECT"); | ||
134 | return 0; | 71 | return 0; |
135 | } | 72 | |
136 | return auth_pam_password(authctxt, password) && ok; | 73 | #if defined(HAVE_OSF_SIA) |
137 | #elif defined(HAVE_OSF_SIA) | 74 | return auth_sia_password(authctxt, password) && ok; |
138 | if (!ok) | ||
139 | return 0; | ||
140 | return auth_sia_password(authctxt, password); | ||
141 | #else | 75 | #else |
142 | if (!ok) | ||
143 | return 0; | ||
144 | # ifdef KRB5 | 76 | # ifdef KRB5 |
145 | if (options.kerberos_authentication == 1) { | 77 | if (options.kerberos_authentication == 1) { |
146 | int ret = auth_krb5_password(authctxt, password); | 78 | int ret = auth_krb5_password(authctxt, password); |
147 | if (ret == 1 || ret == 0) | 79 | if (ret == 1 || ret == 0) |
148 | return ret; | 80 | return ret && ok; |
149 | /* Fall back to ordinary passwd authentication. */ | 81 | /* Fall back to ordinary passwd authentication. */ |
150 | } | 82 | } |
151 | # endif | 83 | # endif |
@@ -156,27 +88,47 @@ auth_password(Authctxt *authctxt, const char *password) | |||
156 | if (hToken == INVALID_HANDLE_VALUE) | 88 | if (hToken == INVALID_HANDLE_VALUE) |
157 | return 0; | 89 | return 0; |
158 | cygwin_set_impersonation_token(hToken); | 90 | cygwin_set_impersonation_token(hToken); |
159 | return 1; | 91 | return ok; |
160 | } | 92 | } |
161 | # endif | 93 | # endif |
162 | # ifdef WITH_AIXAUTHENTICATE | 94 | # ifdef WITH_AIXAUTHENTICATE |
163 | authsuccess = (authenticate(pw->pw_name,password,&reenter,&authmsg) == 0); | 95 | { |
164 | 96 | char *authmsg = NULL; | |
165 | if (authsuccess) | 97 | int reenter = 1; |
166 | /* We don't have a pty yet, so just label the line as "ssh" */ | 98 | int authsuccess = 0; |
167 | if (loginsuccess(authctxt->user, | 99 | |
168 | get_canonical_hostname(options.verify_reverse_mapping), | 100 | if (authenticate(pw->pw_name, password, &reenter, |
169 | "ssh", &aixloginmsg) < 0) | 101 | &authmsg) == 0 && ok) { |
170 | aixloginmsg = NULL; | 102 | char *msg; |
171 | 103 | char *host = | |
172 | return(authsuccess); | 104 | (char *)get_canonical_hostname(options.use_dns); |
173 | # endif | 105 | |
174 | # ifdef KRB4 | 106 | authsuccess = 1; |
175 | if (options.kerberos_authentication == 1) { | 107 | aix_remove_embedded_newlines(authmsg); |
176 | int ret = auth_krb4_password(authctxt, password); | 108 | |
177 | if (ret == 1 || ret == 0) | 109 | debug3("AIX/authenticate succeeded for user %s: %.100s", |
178 | return ret; | 110 | pw->pw_name, authmsg); |
179 | /* Fall back to ordinary passwd authentication. */ | 111 | |
112 | /* No pty yet, so just label the line as "ssh" */ | ||
113 | aix_setauthdb(authctxt->user); | ||
114 | if (loginsuccess(authctxt->user, host, "ssh", | ||
115 | &msg) == 0) { | ||
116 | if (msg != NULL) { | ||
117 | debug("%s: msg %s", __func__, msg); | ||
118 | buffer_append(&loginmsg, msg, | ||
119 | strlen(msg)); | ||
120 | xfree(msg); | ||
121 | } | ||
122 | } | ||
123 | } else { | ||
124 | debug3("AIX/authenticate failed for user %s: %.100s", | ||
125 | pw->pw_name, authmsg); | ||
126 | } | ||
127 | |||
128 | if (authmsg != NULL) | ||
129 | xfree(authmsg); | ||
130 | |||
131 | return authsuccess; | ||
180 | } | 132 | } |
181 | # endif | 133 | # endif |
182 | # ifdef BSD_AUTH | 134 | # ifdef BSD_AUTH |
@@ -184,64 +136,28 @@ auth_password(Authctxt *authctxt, const char *password) | |||
184 | (char *)password) == 0) | 136 | (char *)password) == 0) |
185 | return 0; | 137 | return 0; |
186 | else | 138 | else |
187 | return 1; | 139 | return ok; |
188 | # endif | 140 | # else |
189 | pw_password = pw->pw_passwd; | 141 | { |
190 | 142 | /* Just use the supplied fake password if authctxt is invalid */ | |
191 | /* | 143 | char *pw_password = authctxt->valid ? shadow_pw(pw) : pw->pw_passwd; |
192 | * Various interfaces to shadow or protected password data | ||
193 | */ | ||
194 | # if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW) | ||
195 | spw = getspnam(pw->pw_name); | ||
196 | if (spw != NULL) | ||
197 | pw_password = spw->sp_pwdp; | ||
198 | # endif /* defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW) */ | ||
199 | |||
200 | # if defined(HAVE_GETPWANAM) && !defined(DISABLE_SHADOW) | ||
201 | if (issecure() && (spw = getpwanam(pw->pw_name)) != NULL) | ||
202 | pw_password = spw->pwa_passwd; | ||
203 | # endif /* defined(HAVE_GETPWANAM) && !defined(DISABLE_SHADOW) */ | ||
204 | |||
205 | # ifdef HAVE_SECUREWARE | ||
206 | if ((spw = getprpwnam(pw->pw_name)) != NULL) | ||
207 | pw_password = spw->ufld.fd_encrypt; | ||
208 | # endif /* HAVE_SECUREWARE */ | ||
209 | |||
210 | # if defined(__hpux) && !defined(HAVE_SECUREWARE) | ||
211 | if (iscomsec() && (spw = getprpwnam(pw->pw_name)) != NULL) | ||
212 | pw_password = spw->ufld.fd_encrypt; | ||
213 | # endif /* defined(__hpux) && !defined(HAVE_SECUREWARE) */ | ||
214 | 144 | ||
215 | /* Check for users with no password. */ | 145 | /* Check for users with no password. */ |
216 | if ((password[0] == '\0') && (pw_password[0] == '\0')) | 146 | if (strcmp(pw_password, "") == 0 && strcmp(password, "") == 0) |
217 | return 1; | 147 | return ok; |
218 | 148 | else { | |
219 | if (pw_password[0] != '\0') | 149 | /* Encrypt the candidate password using the proper salt. */ |
220 | salt = pw_password; | 150 | char *encrypted_password = xcrypt(password, |
221 | else | 151 | (pw_password[0] && pw_password[1]) ? pw_password : "xx"); |
222 | salt = "xx"; | 152 | |
153 | /* | ||
154 | * Authentication is accepted if the encrypted passwords | ||
155 | * are identical. | ||
156 | */ | ||
157 | return (strcmp(encrypted_password, pw_password) == 0) && ok; | ||
158 | } | ||
223 | 159 | ||
224 | # ifdef HAVE_MD5_PASSWORDS | 160 | } |
225 | if (is_md5_salt(salt)) | 161 | # endif |
226 | encrypted_password = md5_crypt(password, salt); | 162 | #endif /* !HAVE_OSF_SIA */ |
227 | else | ||
228 | encrypted_password = crypt(password, salt); | ||
229 | # else /* HAVE_MD5_PASSWORDS */ | ||
230 | # if defined(__hpux) && !defined(HAVE_SECUREWARE) | ||
231 | if (iscomsec()) | ||
232 | encrypted_password = bigcrypt(password, salt); | ||
233 | else | ||
234 | encrypted_password = crypt(password, salt); | ||
235 | # else | ||
236 | # ifdef HAVE_SECUREWARE | ||
237 | encrypted_password = bigcrypt(password, salt); | ||
238 | # else | ||
239 | encrypted_password = crypt(password, salt); | ||
240 | # endif /* HAVE_SECUREWARE */ | ||
241 | # endif /* __hpux && !defined(HAVE_SECUREWARE) */ | ||
242 | # endif /* HAVE_MD5_PASSWORDS */ | ||
243 | |||
244 | /* Authentication is accepted if the encrypted passwords are identical. */ | ||
245 | return (strcmp(encrypted_password, pw_password) == 0); | ||
246 | #endif /* !USE_PAM && !HAVE_OSF_SIA */ | ||
247 | } | 163 | } |