diff options
| author | Damien Miller <djm@mindrot.org> | 1999-11-25 11:54:57 +1100 |
|---|---|---|
| committer | Damien Miller <djm@mindrot.org> | 1999-11-25 11:54:57 +1100 |
| commit | 5428f646ad32da88ddd04a8c287d595524674fbf (patch) | |
| tree | cc1f1e5d7852e1f44d41077f776abf7dab7ac06d /auth-passwd.c | |
| parent | 9072e1889648988da38b7b81bce95291c1dc3a23 (diff) | |
- More reformatting merged from OpenBSD CVS
- Merged OpenBSD CVS changes:
- [channels.c]
report from mrwizard@psu.edu via djm@ibs.com.au
- [channels.c]
set SO_REUSEADDR and SO_LINGER for forwarded ports.
chip@valinux.com via damien@ibs.com.au
- [nchan.c]
it's not an error() if shutdown_write failes in nchan.
- [readconf.c]
remove dead #ifdef-0-code
- [readconf.c servconf.c]
strcasecmp instead of tolower
- [scp.c]
progress meter overflow fix from damien@ibs.com.au
- [ssh-add.1 ssh-add.c]
SSH_ASKPASS support
- [ssh.1 ssh.c]
postpone fork_after_authentication until command execution,
request/patch from jahakala@cc.jyu.fi via damien@ibs.com.au
plus: use daemon() for backgrounding
Diffstat (limited to 'auth-passwd.c')
| -rw-r--r-- | auth-passwd.c | 38 |
1 files changed, 19 insertions, 19 deletions
diff --git a/auth-passwd.c b/auth-passwd.c index d3914fca3..e5574ffbe 100644 --- a/auth-passwd.c +++ b/auth-passwd.c | |||
| @@ -11,7 +11,7 @@ | |||
| 11 | 11 | ||
| 12 | #ifndef HAVE_PAM | 12 | #ifndef HAVE_PAM |
| 13 | 13 | ||
| 14 | RCSID("$Id: auth-passwd.c,v 1.6 1999/11/24 13:26:21 damien Exp $"); | 14 | RCSID("$Id: auth-passwd.c,v 1.7 1999/11/25 00:54:57 damien Exp $"); |
| 15 | 15 | ||
| 16 | #include "packet.h" | 16 | #include "packet.h" |
| 17 | #include "ssh.h" | 17 | #include "ssh.h" |
| @@ -39,14 +39,10 @@ auth_password(struct passwd * pw, const char *password) | |||
| 39 | struct spwd *spw; | 39 | struct spwd *spw; |
| 40 | #endif | 40 | #endif |
| 41 | 41 | ||
| 42 | if (pw->pw_uid == 0 && options.permit_root_login == 2) { | 42 | if (pw->pw_uid == 0 && options.permit_root_login == 2) |
| 43 | /* Server does not permit root login with password */ | ||
| 44 | return 0; | 43 | return 0; |
| 45 | } | 44 | if (*password == '\0' && options.permit_empty_passwd == 0) |
| 46 | if (*password == '\0' && options.permit_empty_passwd == 0) { | ||
| 47 | /* Server does not permit empty password login */ | ||
| 48 | return 0; | 45 | return 0; |
| 49 | } | ||
| 50 | /* deny if no user. */ | 46 | /* deny if no user. */ |
| 51 | if (pw == NULL) | 47 | if (pw == NULL) |
| 52 | return 0; | 48 | return 0; |
| @@ -74,8 +70,10 @@ auth_password(struct passwd * pw, const char *password) | |||
| 74 | #endif | 70 | #endif |
| 75 | 71 | ||
| 76 | #if defined(KRB4) | 72 | #if defined(KRB4) |
| 77 | /* Support for Kerberos v4 authentication - Dug Song | 73 | /* |
| 78 | <dugsong@UMICH.EDU> */ | 74 | * Support for Kerberos v4 authentication |
| 75 | * - Dug Song <dugsong@UMICH.EDU> | ||
| 76 | */ | ||
| 79 | if (options.kerberos_authentication) { | 77 | if (options.kerberos_authentication) { |
| 80 | AUTH_DAT adata; | 78 | AUTH_DAT adata; |
| 81 | KTEXT_ST tkt; | 79 | KTEXT_ST tkt; |
| @@ -86,8 +84,10 @@ auth_password(struct passwd * pw, const char *password) | |||
| 86 | char realm[REALM_SZ]; | 84 | char realm[REALM_SZ]; |
| 87 | int r; | 85 | int r; |
| 88 | 86 | ||
| 89 | /* Try Kerberos password authentication only for non-root | 87 | /* |
| 90 | users and only if Kerberos is installed. */ | 88 | * Try Kerberos password authentication only for non-root |
| 89 | * users and only if Kerberos is installed. | ||
| 90 | */ | ||
| 91 | if (pw->pw_uid != 0 && krb_get_lrealm(realm, 1) == KSUCCESS) { | 91 | if (pw->pw_uid != 0 && krb_get_lrealm(realm, 1) == KSUCCESS) { |
| 92 | 92 | ||
| 93 | /* Set up our ticket file. */ | 93 | /* Set up our ticket file. */ |
| @@ -144,14 +144,17 @@ auth_password(struct passwd * pw, const char *password) | |||
| 144 | goto kerberos_auth_failure; | 144 | goto kerberos_auth_failure; |
| 145 | } | 145 | } |
| 146 | } else if (r == KDC_PR_UNKNOWN) { | 146 | } else if (r == KDC_PR_UNKNOWN) { |
| 147 | /* Allow login if no rcmd service exists, | 147 | /* |
| 148 | but log the error. */ | 148 | * Allow login if no rcmd service exists, but |
| 149 | * log the error. | ||
| 150 | */ | ||
| 149 | log("Kerberos V4 TGT for %s unverifiable: %s; %s.%s " | 151 | log("Kerberos V4 TGT for %s unverifiable: %s; %s.%s " |
| 150 | "not registered, or srvtab is wrong?", pw->pw_name, | 152 | "not registered, or srvtab is wrong?", pw->pw_name, |
| 151 | krb_err_txt[r], KRB4_SERVICE_NAME, phost); | 153 | krb_err_txt[r], KRB4_SERVICE_NAME, phost); |
| 152 | } else { | 154 | } else { |
| 153 | /* TGT is bad, forget it. Possibly | 155 | /* |
| 154 | spoofed! */ | 156 | * TGT is bad, forget it. Possibly spoofed! |
| 157 | */ | ||
| 155 | packet_send_debug("WARNING: Kerberos V4 TGT " | 158 | packet_send_debug("WARNING: Kerberos V4 TGT " |
| 156 | "possibly spoofed for %s: %s", | 159 | "possibly spoofed for %s: %s", |
| 157 | pw->pw_name, krb_err_txt[r]); | 160 | pw->pw_name, krb_err_txt[r]); |
| @@ -175,11 +178,8 @@ auth_password(struct passwd * pw, const char *password) | |||
| 175 | #endif /* KRB4 */ | 178 | #endif /* KRB4 */ |
| 176 | 179 | ||
| 177 | /* Check for users with no password. */ | 180 | /* Check for users with no password. */ |
| 178 | if (strcmp(password, "") == 0 && strcmp(pw->pw_passwd, "") == 0) { | 181 | if (strcmp(password, "") == 0 && strcmp(pw->pw_passwd, "") == 0) |
| 179 | packet_send_debug("Login permitted without a password " | ||
| 180 | "because the account has no password."); | ||
| 181 | return 1; | 182 | return 1; |
| 182 | } | ||
| 183 | 183 | ||
| 184 | #ifdef HAVE_SHADOW_H | 184 | #ifdef HAVE_SHADOW_H |
| 185 | spw = getspnam(pw->pw_name); | 185 | spw = getspnam(pw->pw_name); |