author | Ben Lindstrom <mouring@eviladmin.org> | 2003-07-24 06:52:13 +0000 |
---|---|---|
committer | Ben Lindstrom <mouring@eviladmin.org> | 2003-07-24 06:52:13 +0000 |
commit | 0410e32f47c0dcfc3385a1db2ee44f8bb35c10c4 (patch) | |
tree | 5050f4c269f589b71cf440fe69aab4d00b269703 /auth-passwd.c | |
parent | acb98497fb7ff75362491d1c17a5e01fe2beb5b8 (diff) |
- (bal) [auth-passwd.c openbsd-compat/Makefile.in openbsd-compat/xcrypt.c
openbsd-compat/xcrypt.h] Split off encryption into xcrypt() interface,
and isolate shadow password functions. Tested on Solaris, but should
not break other platforms too badly (except maybe HP =). Also brings
auth-passwd.c into full sync with OpenBSD tree.
Diffstat (limited to 'auth-passwd.c')
-rw-r--r-- | auth-passwd.c | 196 |
1 files changed, 58 insertions, 138 deletions
diff --git a/auth-passwd.c b/auth-passwd.c index f078eddd5..c0b7f725f 100644 --- a/auth-passwd.c +++ b/auth-passwd.c | |||
@@ -42,46 +42,14 @@ RCSID("$OpenBSD: auth-passwd.c,v 1.27 2002/05/24 16:45:16 stevesk Exp $"); | |||
42 | #include "log.h" | 42 | #include "log.h" |
43 | #include "servconf.h" | 43 | #include "servconf.h" |
44 | #include "auth.h" | 44 | #include "auth.h" |
45 | #include "buffer.h" | 45 | #include "openbsd-compat/xcrypt.h" |
46 | #include "xmalloc.h" | 46 | #ifdef WITH_AIXAUTHENTICATE |
47 | #include "canohost.h" | 47 | # include "buffer.h" |
48 | 48 | # include "canohost.h" | |
49 | #if !defined(HAVE_OSF_SIA) | 49 | extern Buffer loginmsg; |
50 | /* Don't need any of these headers for the SIA cases */ | 50 | #endif |
51 | # ifdef HAVE_CRYPT_H | ||
52 | # include <crypt.h> | ||
53 | # endif | ||
54 | # ifdef __hpux | ||
55 | # include <hpsecurity.h> | ||
56 | # include <prot.h> | ||
57 | # endif | ||
58 | # ifdef HAVE_SECUREWARE | ||
59 | # include <sys/security.h> | ||
60 | # include <sys/audit.h> | ||
61 | # include <prot.h> | ||
62 | # endif /* HAVE_SECUREWARE */ | ||
63 | # if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW) | ||
64 | # include <shadow.h> | ||
65 | # endif | ||
66 | # if defined(HAVE_GETPWANAM) && !defined(DISABLE_SHADOW) | ||
67 | # include <sys/label.h> | ||
68 | # include <sys/audit.h> | ||
69 | # include <pwdadj.h> | ||
70 | # endif | ||
71 | # if defined(HAVE_MD5_PASSWORDS) && !defined(HAVE_MD5_CRYPT) | ||
72 | # include "md5crypt.h" | ||
73 | # endif /* defined(HAVE_MD5_PASSWORDS) && !defined(HAVE_MD5_CRYPT) */ | ||
74 | |||
75 | # ifdef HAVE_CYGWIN | ||
76 | # undef ERROR | ||
77 | # include <windows.h> | ||
78 | # include <sys/cygwin.h> | ||
79 | # define is_winnt (GetVersion() < 0x80000000) | ||
80 | # endif | ||
81 | #endif /* !HAVE_OSF_SIA */ | ||
82 | 51 | ||
83 | extern ServerOptions options; | 52 | extern ServerOptions options; |
84 | extern Buffer loginmsg; | ||
85 | 53 | ||
86 | /* | 54 | /* |
87 | * Tries to authenticate the user using password. Returns true if | 55 | * Tries to authenticate the user using password. Returns true if |
@@ -92,25 +60,6 @@ auth_password(Authctxt *authctxt, const char *password) | |||
92 | { | 60 | { |
93 | struct passwd * pw = authctxt->pw; | 61 | struct passwd * pw = authctxt->pw; |
94 | int ok = authctxt->valid; | 62 | int ok = authctxt->valid; |
95 | #if !defined(HAVE_OSF_SIA) | ||
96 | char *encrypted_password; | ||
97 | char *pw_password; | ||
98 | char *salt; | ||
99 | # if defined(__hpux) || defined(HAVE_SECUREWARE) | ||
100 | struct pr_passwd *spw; | ||
101 | # endif /* __hpux || HAVE_SECUREWARE */ | ||
102 | # if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW) | ||
103 | struct spwd *spw; | ||
104 | # endif | ||
105 | # if defined(HAVE_GETPWANAM) && !defined(DISABLE_SHADOW) | ||
106 | struct passwd_adjunct *spw; | ||
107 | # endif | ||
108 | # ifdef WITH_AIXAUTHENTICATE | ||
109 | char *authmsg; | ||
110 | int authsuccess; | ||
111 | int reenter = 1; | ||
112 | # endif | ||
113 | #endif /* !defined(HAVE_OSF_SIA) */ | ||
114 | 63 | ||
115 | /* deny if no user. */ | 64 | /* deny if no user. */ |
116 | if (pw == NULL) | 65 | if (pw == NULL) |
@@ -122,13 +71,12 @@ auth_password(Authctxt *authctxt, const char *password) | |||
122 | if (*password == '\0' && options.permit_empty_passwd == 0) | 71 | if (*password == '\0' && options.permit_empty_passwd == 0) |
123 | ok = 0; | 72 | ok = 0; |
124 | 73 | ||
125 | #if defined(HAVE_OSF_SIA) | ||
126 | if (!ok) | 74 | if (!ok) |
127 | return 0; | 75 | return 0; |
76 | |||
77 | #if defined(HAVE_OSF_SIA) | ||
128 | return auth_sia_password(authctxt, password); | 78 | return auth_sia_password(authctxt, password); |
129 | #else | 79 | #else |
130 | if (!ok) | ||
131 | return 0; | ||
132 | # ifdef KRB5 | 80 | # ifdef KRB5 |
133 | if (options.kerberos_authentication == 1) { | 81 | if (options.kerberos_authentication == 1) { |
134 | int ret = auth_krb5_password(authctxt, password); | 82 | int ret = auth_krb5_password(authctxt, password); |
@@ -148,32 +96,40 @@ auth_password(Authctxt *authctxt, const char *password) | |||
148 | } | 96 | } |
149 | # endif | 97 | # endif |
150 | # ifdef WITH_AIXAUTHENTICATE | 98 | # ifdef WITH_AIXAUTHENTICATE |
151 | authsuccess = (authenticate(pw->pw_name,password,&reenter,&authmsg) == 0); | 99 | { |
152 | aix_remove_embedded_newlines(authmsg); | 100 | char *authmsg; |
153 | 101 | int reenter = 1; | |
154 | if (authsuccess) { | 102 | int authsuccess = (authenticate(pw->pw_name, password, |
155 | char *msg; | 103 | &reenter, &authmsg) == 0); |
156 | char *host = (char *)get_canonical_hostname(options.use_dns); | 104 | aix_remove_embedded_newlines(authmsg); |
157 | 105 | ||
158 | debug3("AIX/authenticate succeeded for user %s: %.100s", | 106 | if (authsuccess) { |
159 | pw->pw_name, authmsg); | 107 | char *msg; |
160 | 108 | char *host = | |
161 | /* We don't have a pty yet, so just label the line as "ssh" */ | 109 | (char *)get_canonical_hostname(options.use_dns); |
162 | if (loginsuccess(authctxt->user, host, "ssh", &msg) == 0){ | 110 | |
163 | if (msg != NULL) { | 111 | debug3("AIX/authenticate succeeded for user %s: %.100s", |
164 | debug("%s: msg %s", __func__, msg); | 112 | pw->pw_name, authmsg); |
165 | buffer_append(&loginmsg, msg, strlen(msg)); | 113 | |
166 | xfree(msg); | 114 | /* No pty yet, so just label the line as "ssh" */ |
115 | if (loginsuccess(authctxt->user, host, "ssh", | ||
116 | &msg) == 0){ | ||
117 | if (msg != NULL) { | ||
118 | debug("%s: msg %s", __func__, msg); | ||
119 | buffer_append(&loginmsg, msg, | ||
120 | strlen(msg)); | ||
121 | xfree(msg); | ||
122 | } | ||
167 | } | 123 | } |
168 | } | 124 | } else |
169 | } else { | 125 | debug3("AIX/authenticate failed for user %s: %.100s", |
170 | debug3("AIX/authenticate failed for user %s: %.100s", | 126 | pw->pw_name, authmsg); |
171 | pw->pw_name, authmsg); | 127 | |
172 | } | 128 | if (authmsg != NULL) |
173 | if (authmsg != NULL) | 129 | xfree(authmsg); |
174 | xfree(authmsg); | ||
175 | 130 | ||
176 | return (authsuccess); | 131 | return (authsuccess); |
132 | } | ||
177 | # endif | 133 | # endif |
178 | # ifdef KRB4 | 134 | # ifdef KRB4 |
179 | if (options.kerberos_authentication == 1) { | 135 | if (options.kerberos_authentication == 1) { |
@@ -189,63 +145,27 @@ auth_password(Authctxt *authctxt, const char *password) | |||
189 | return 0; | 145 | return 0; |
190 | else | 146 | else |
191 | return 1; | 147 | return 1; |
192 | # endif | 148 | # else |
193 | pw_password = pw->pw_passwd; | 149 | { |
194 | 150 | char *pw_password = shadow_pw(pw); | |
195 | /* | ||
196 | * Various interfaces to shadow or protected password data | ||
197 | */ | ||
198 | # if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW) | ||
199 | spw = getspnam(pw->pw_name); | ||
200 | if (spw != NULL) | ||
201 | pw_password = spw->sp_pwdp; | ||
202 | # endif /* defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW) */ | ||
203 | |||
204 | # if defined(HAVE_GETPWANAM) && !defined(DISABLE_SHADOW) | ||
205 | if (issecure() && (spw = getpwanam(pw->pw_name)) != NULL) | ||
206 | pw_password = spw->pwa_passwd; | ||
207 | # endif /* defined(HAVE_GETPWANAM) && !defined(DISABLE_SHADOW) */ | ||
208 | |||
209 | # ifdef HAVE_SECUREWARE | ||
210 | if ((spw = getprpwnam(pw->pw_name)) != NULL) | ||
211 | pw_password = spw->ufld.fd_encrypt; | ||
212 | # endif /* HAVE_SECUREWARE */ | ||
213 | |||
214 | # if defined(__hpux) && !defined(HAVE_SECUREWARE) | ||
215 | if (iscomsec() && (spw = getprpwnam(pw->pw_name)) != NULL) | ||
216 | pw_password = spw->ufld.fd_encrypt; | ||
217 | # endif /* defined(__hpux) && !defined(HAVE_SECUREWARE) */ | ||
218 | 151 | ||
219 | /* Check for users with no password. */ | 152 | /* Check for users with no password. */ |
220 | if ((password[0] == '\0') && (pw_password[0] == '\0')) | 153 | /* XXX Reverted back to OpenBSD, why was this changed again? */ |
154 | if (strcmp(pw_password, "") == 0 && strcmp(pw->pw_passwd, "") == 0) | ||
221 | return 1; | 155 | return 1; |
156 | else { | ||
157 | /* Encrypt the candidate password using the proper salt. */ | ||
158 | char *encrypted_password = xcrypt(password, | ||
159 | (pw_password[0] && pw_password[1]) ? pw_password : "xx"); | ||
160 | |||
161 | /* | ||
162 | * Authentication is accepted if the encrypted passwords | ||
163 | * are identical. | ||
164 | */ | ||
165 | return (strcmp(encrypted_password, pw_password) == 0); | ||
166 | } | ||
222 | 167 | ||
223 | if (pw_password[0] != '\0') | 168 | } |
224 | salt = pw_password; | 169 | # endif |
225 | else | ||
226 | salt = "xx"; | ||
227 | |||
228 | # ifdef HAVE_MD5_PASSWORDS | ||
229 | if (is_md5_salt(salt)) | ||
230 | encrypted_password = md5_crypt(password, salt); | ||
231 | else | ||
232 | encrypted_password = crypt(password, salt); | ||
233 | # else /* HAVE_MD5_PASSWORDS */ | ||
234 | # if defined(__hpux) && !defined(HAVE_SECUREWARE) | ||
235 | if (iscomsec()) | ||
236 | encrypted_password = bigcrypt(password, salt); | ||
237 | else | ||
238 | encrypted_password = crypt(password, salt); | ||
239 | # else | ||
240 | # ifdef HAVE_SECUREWARE | ||
241 | encrypted_password = bigcrypt(password, salt); | ||
242 | # else | ||
243 | encrypted_password = crypt(password, salt); | ||
244 | # endif /* HAVE_SECUREWARE */ | ||
245 | # endif /* __hpux && !defined(HAVE_SECUREWARE) */ | ||
246 | # endif /* HAVE_MD5_PASSWORDS */ | ||
247 | |||
248 | /* Authentication is accepted if the encrypted passwords are identical. */ | ||
249 | return (strcmp(encrypted_password, pw_password) == 0); | ||
250 | #endif /* !HAVE_OSF_SIA */ | 170 | #endif /* !HAVE_OSF_SIA */ |
251 | } | 171 | } |
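Review bot: The no-password shortcut at new line 154 in the last hunk compares `pw_password` and `pw->pw_passwd` against the empty string but never looks at the candidate `password`, which the removed line 220 did check, so an account whose shadow and passwd fields are both empty is accepted with any non-empty candidate (the `permit_empty_passwd` guard earlier in the function only fires when the candidate itself is empty). The condition should read `if (strcmp(pw_password, "") == 0 && strcmp(password, "") == 0)`, which is also what the `XXX` comment above it seems to want. Separately, `xcrypt()` presumably delegates to the crypt()-family calls this hunk removes, and those may return NULL (unsupported salt, failing backend), yet new line 165 hands the result straight to strcmp(); `return (encrypted_password != NULL && strcmp(encrypted_password, pw_password) == 0);` closes that. Whether `shadow_pw()` can itself return NULL is not visible on this page; if it can, the strcmp at line 154 needs the same guard. auth_password() begins before this hunk, so only its tail is reviewed here.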