- Merged very large OpenBSD source code reformat

- OpenBSD CVS updates - [channels.c cipher.c compat.c log-client.c scp.c serverloop.c] [ssh.h sshd.8 sshd.c] syslog changes: * Unified Logmessage for all auth-types, for success and for failed * Standard connections get only ONE line in the LOG when level==LOG: Auth-attempts are logged only, if authentication is: a) successfull or b) with passwd or c) we had more than AUTH_FAIL_LOG failues * many log() became verbose() * old behaviour with level=VERBOSE - [readconf.c readconf.h ssh.1 ssh.h sshconnect.c sshd.c] tranfer s/key challenge/response data in SSH_SMSG_AUTH_TIS_CHALLENGE messages. allows use of s/key in windows (ttssh, securecrt) and ssh-1.2.27 clients without 'ssh -v', ok: niels@ - [sshd.8] -V, for fallback to openssh in SSH2 compatibility mode - [sshd.c] fix sigchld race; cjc5@po.cwru.edu
author: Damien Miller <djm@mindrot.org> 1999-11-25 00:26:21 +1100
committer: Damien Miller <djm@mindrot.org> 1999-11-25 00:26:21 +1100
commit: 95def09838fc61b37b6ea7cd5c234a465b4b129b (patch)
tree: 042744f76f40a326b873cb1c3690a6d7d966bc3e /auth-passwd.c
parent: 4d2f15f895f4c795afc008aeff3fd2ceffbc44f4 (diff)
1 files changed, 170 insertions, 174 deletions
diff --git a/auth-passwd.c b/auth-passwd.c
index a08bab3af..d3914fca3 100644
--- a/auth-passwd.c
+++ b/auth-passwd.c
@@ -1,30 +1,22 @@
 /*
+ * Author: Tatu Ylonen <ylo@cs.hut.fi>
-auth-passwd.c
+ * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+ *                    All rights reserved
-Author: Tatu Ylonen <ylo@cs.hut.fi>
+ * Created: Sat Mar 18 05:11:38 1995 ylo
+ * Password authentication.  This file contains the functions to check whether
-Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+ * the password is valid for the user.
-                   All rights reserved
+ */
-Created: Sat Mar 18 05:11:38 1995 ylo
-Password authentication.  This file contains the functions to check whether
-the password is valid for the user.
-*/
 #include "includes.h"
 #ifndef HAVE_PAM
-RCSID("$Id: auth-passwd.c,v 1.5 1999/11/19 04:53:20 damien Exp $");
+RCSID("$Id: auth-passwd.c,v 1.6 1999/11/24 13:26:21 damien Exp $");
 #include "packet.h"
 #include "ssh.h"
 #include "servconf.h"
 #include "xmalloc.h"
-#include "config.h"
 #ifdef HAVE_SHADOW_H
 #include <shadow.h>
@@ -34,185 +26,189 @@ RCSID("$Id: auth-passwd.c,v 1.5 1999/11/19 04:53:20 damien Exp $");
 #include "md5crypt.h"
 #endif
-/* Don't need anything from here if we are using PAM */
+/*
+ * Tries to authenticate the user using password.  Returns true if
-/* Tries to authenticate the user using password.  Returns true if
+ * authentication succeeds.
-   authentication succeeds. */
+ */
+int 
-int auth_password(struct passwd *pw, const char *password)
+auth_password(struct passwd * pw, const char *password)
 {
-  extern ServerOptions options;
+        extern ServerOptions options;
-  char *encrypted_password;
+        char *encrypted_password;
 #ifdef HAVE_SHADOW_H
-  struct spwd *spw;
+        struct spwd *spw;
 #endif
-  if (pw->pw_uid == 0 && options.permit_root_login == 2)
+        if (pw->pw_uid == 0 && options.permit_root_login == 2) {
-  {
+                /* Server does not permit root login with password */
-      /*packet_send_debug("Server does not permit root login with password.");*/
+                return 0;
-      return 0;
+        }
-  }
+        if (*password == '\0' && options.permit_empty_passwd == 0) {
+                /* Server does not permit empty password login */
-  if (*password == '\0' && options.permit_empty_passwd == 0)
+                return 0;
-  {
+        }
-      /*packet_send_debug("Server does not permit empty password login.");*/
+        /* deny if no user. */
-      return 0;
+        if (pw == NULL)
-  }
+                return 0;
-  /* deny if no user. */
-  if (pw == NULL)
-    return 0;
 #ifdef SKEY
-  if (options.skey_authentication == 1) {
+        if (options.skey_authentication == 1) {
-    if (strncasecmp(password, "s/key", 5) == 0) {
+                if (strncasecmp(password, "s/key", 5) == 0) {
-      char *skeyinfo = skey_keyinfo(pw->pw_name);
+                        char *skeyinfo = skey_keyinfo(pw->pw_name);
-      if(skeyinfo == NULL){
+                        if (skeyinfo == NULL) {
-        debug("generating fake skeyinfo for %.100s.", pw->pw_name);
+                                debug("generating fake skeyinfo for %.100s.",
-        skeyinfo = skey_fake_keyinfo(pw->pw_name);
+                                    pw->pw_name);
-      }
+                                skeyinfo = skey_fake_keyinfo(pw->pw_name);
-      if(skeyinfo != NULL)
+                        }
-        packet_send_debug(skeyinfo);
+                        if (skeyinfo != NULL)
-      /* Try again. */
+                                packet_send_debug(skeyinfo);
-      return 0;
+                        /* Try again. */
-    }
+                        return 0;
-    else if (skey_haskey(pw->pw_name) == 0 && 
+                } else if (skey_haskey(pw->pw_name) == 0 &&
-             skey_passcheck(pw->pw_name, (char *)password) != -1) {
+                           skey_passcheck(pw->pw_name, (char *) password) != -1) {
-      /* Authentication succeeded. */
+                        /* Authentication succeeded. */
-      return 1;
+                        return 1;
-    }
+                }
-    /* Fall back to ordinary passwd authentication. */
+                /* Fall back to ordinary passwd authentication. */
-  }
+        }
 #endif
 #if defined(KRB4)
-  /* Support for Kerberos v4 authentication - Dug Song <dugsong@UMICH.EDU> */
+        /* Support for Kerberos v4 authentication - Dug Song
-  if (options.kerberos_authentication)
+           <dugsong@UMICH.EDU> */
-    {
+        if (options.kerberos_authentication) {
-      AUTH_DAT adata;
+                AUTH_DAT adata;
-      KTEXT_ST tkt;
+                KTEXT_ST tkt;
-      struct hostent *hp;
+                struct hostent *hp;
-      unsigned long faddr;
+                unsigned long faddr;
-      char localhost[MAXHOSTNAMELEN];
+                char localhost[MAXHOSTNAMELEN];
-      char phost[INST_SZ];
+                char phost[INST_SZ];
-      char realm[REALM_SZ];
+                char realm[REALM_SZ];
-      int r;
+                int r;
-      
-      /* Try Kerberos password authentication only for non-root
+                /* Try Kerberos password authentication only for non-root
-         users and only if Kerberos is installed. */
+                   users and only if Kerberos is installed. */
-      if (pw->pw_uid != 0 && krb_get_lrealm(realm, 1) == KSUCCESS) {
+                if (pw->pw_uid != 0 && krb_get_lrealm(realm, 1) == KSUCCESS) {
-        /* Set up our ticket file. */
+                        /* Set up our ticket file. */
-        if (!krb4_init(pw->pw_uid)) {
+                        if (!krb4_init(pw->pw_uid)) {
-          log("Couldn't initialize Kerberos ticket file for %s!", pw->pw_name);
+                                log("Couldn't initialize Kerberos ticket file for %s!",
-          goto kerberos_auth_failure;
+                                    pw->pw_name);
-        }
+                                goto kerberos_auth_failure;
-        /* Try to get TGT using our password. */
+                        }
-        r = krb_get_pw_in_tkt((char *)pw->pw_name, "", realm, "krbtgt", realm,
+                        /* Try to get TGT using our password. */
-                              DEFAULT_TKT_LIFE, (char *)password);
+                        r = krb_get_pw_in_tkt((char *) pw->pw_name, "",
-        if (r != INTK_OK) {
+                            realm, "krbtgt", realm,
-          packet_send_debug("Kerberos V4 password authentication for %s "
+                            DEFAULT_TKT_LIFE, (char *) password);
-                            "failed: %s", pw->pw_name, krb_err_txt[r]);
+                        if (r != INTK_OK) {
-          goto kerberos_auth_failure;
+                                packet_send_debug("Kerberos V4 password "
+                                    "authentication for %s failed: %s",
+                                    pw->pw_name, krb_err_txt[r]);
+                                goto kerberos_auth_failure;
+                        }
+                        /* Successful authentication. */
+                        chown(tkt_string(), pw->pw_uid, pw->pw_gid);
+                        /*
+                         * Now that we have a TGT, try to get a local
+                         * "rcmd" ticket to ensure that we are not talking
+                         * to a bogus Kerberos server.
+                         */
+                        (void) gethostname(localhost, sizeof(localhost));
+                        (void) strlcpy(phost, (char *) krb_get_phost(localhost),
+                            INST_SZ);
+                        r = krb_mk_req(&tkt, KRB4_SERVICE_NAME, phost, realm, 33);
+                        if (r == KSUCCESS) {
+                                if (!(hp = gethostbyname(localhost))) {
+                                        log("Couldn't get local host address!");
+                                        goto kerberos_auth_failure;
+                                }
+                                memmove((void *) &faddr, (void *) hp->h_addr,
+                                    sizeof(faddr));
+                                /* Verify our "rcmd" ticket. */
+                                r = krb_rd_req(&tkt, KRB4_SERVICE_NAME, phost,
+                                    faddr, &adata, "");
+                                if (r == RD_AP_UNDEC) {
+                                        /*
+                                         * Probably didn't have a srvtab on
+                                         * localhost. Allow login.
+                                         */
+                                        log("Kerberos V4 TGT for %s unverifiable, "
+                                            "no srvtab installed? krb_rd_req: %s",
+                                            pw->pw_name, krb_err_txt[r]);
+                                } else if (r != KSUCCESS) {
+                                        log("Kerberos V4 %s ticket unverifiable: %s",
+                                            KRB4_SERVICE_NAME, krb_err_txt[r]);
+                                        goto kerberos_auth_failure;
+                                }
+                        } else if (r == KDC_PR_UNKNOWN) {
+                                /* Allow login if no rcmd service exists,
+                                   but log the error. */
+                                log("Kerberos V4 TGT for %s unverifiable: %s; %s.%s "
+                                    "not registered, or srvtab is wrong?", pw->pw_name,
+                                krb_err_txt[r], KRB4_SERVICE_NAME, phost);
+                        } else {
+                                /* TGT is bad, forget it. Possibly
+                                   spoofed! */
+                                packet_send_debug("WARNING: Kerberos V4 TGT "
+                                    "possibly spoofed for %s: %s",
+                                    pw->pw_name, krb_err_txt[r]);
+                                goto kerberos_auth_failure;
+                        }
+                        /* Authentication succeeded. */
+                        return 1;
+        kerberos_auth_failure:
+                        krb4_cleanup_proc(NULL);
+                        if (!options.kerberos_or_local_passwd)
+                                return 0;
+                } else {
+                        /* Logging in as root or no local Kerberos realm. */
+                        packet_send_debug("Unable to authenticate to Kerberos.");
+                }
+                /* Fall back to ordinary passwd authentication. */
        }
-        /* Successful authentication. */
+#endif                          /* KRB4 */
-        chown(tkt_string(), pw->pw_uid, pw->pw_gid);
-        
+        /* Check for users with no password. */
-        /* Now that we have a TGT, try to get a local "rcmd" ticket to
+        if (strcmp(password, "") == 0 && strcmp(pw->pw_passwd, "") == 0) {
-           ensure that we are not talking to a bogus Kerberos server. */
+                packet_send_debug("Login permitted without a password "
-        (void) gethostname(localhost, sizeof(localhost));
+                    "because the account has no password.");
-        (void) strlcpy(phost, (char *)krb_get_phost(localhost), INST_SZ);
+                return 1;
-        r = krb_mk_req(&tkt, KRB4_SERVICE_NAME, phost, realm, 33);
-        if (r == KSUCCESS) {
-          if (!(hp = gethostbyname(localhost))) {
-            log("Couldn't get local host address!");
-            goto kerberos_auth_failure;
-          }
-          memmove((void *)&faddr, (void *)hp->h_addr, sizeof(faddr));
-          /* Verify our "rcmd" ticket. */
-          r = krb_rd_req(&tkt, KRB4_SERVICE_NAME, phost, faddr, &adata, "");
-          if (r == RD_AP_UNDEC) {
-            /* Probably didn't have a srvtab on localhost. Allow login. */
-            log("Kerberos V4 TGT for %s unverifiable, no srvtab installed? "
-                "krb_rd_req: %s", pw->pw_name, krb_err_txt[r]);
-          }
-          else if (r != KSUCCESS) {
-            log("Kerberos V4 %s ticket unverifiable: %s",
-                KRB4_SERVICE_NAME, krb_err_txt[r]);
-            goto kerberos_auth_failure;
-          }
-        }
-        else if (r == KDC_PR_UNKNOWN) {
-          /* Allow login if no rcmd service exists, but log the error. */
-          log("Kerberos V4 TGT for %s unverifiable: %s; %s.%s "
-              "not registered, or srvtab is wrong?", pw->pw_name,
-              krb_err_txt[r], KRB4_SERVICE_NAME, phost);
-        }
-        else {
-          /* TGT is bad, forget it. Possibly spoofed! */
-          packet_send_debug("WARNING: Kerberos V4 TGT possibly spoofed for"
-                            "%s: %s", pw->pw_name, krb_err_txt[r]);
-          goto kerberos_auth_failure;
        }
-        
-        /* Authentication succeeded. */
-        return 1;
-        
-      kerberos_auth_failure:
-        krb4_cleanup_proc(NULL);
-        
-        if (!options.kerberos_or_local_passwd)
-          return 0;
-      }
-      else {
-        /* Logging in as root or no local Kerberos realm. */
-        packet_send_debug("Unable to authenticate to Kerberos.");
-      }
-      /* Fall back to ordinary passwd authentication. */
-    }
-#endif /* KRB4 */
-  
-  /* Check for users with no password. */
-  if (strcmp(password, "") == 0 && strcmp(pw->pw_passwd, "") == 0)
-    {
-      packet_send_debug("Login permitted without a password because the account has no password.");
-      return 1; /* The user has no password and an empty password was tried. */
-    }
 #ifdef HAVE_SHADOW_H
-  spw = getspnam(pw->pw_name);
+        spw = getspnam(pw->pw_name);
-  if (spw == NULL)
+        if (spw == NULL)
-    return(0);
+                return(0);
-  if ((spw->sp_namp == NULL) || (strcmp(pw->pw_name, spw->sp_namp) != 0))
+        if ((spw->sp_namp == NULL) || (strcmp(pw->pw_name, spw->sp_namp) != 0))
-    fatal("Shadow lookup returned garbage.");
+                fatal("Shadow lookup returned garbage.");
-  if (strlen(spw->sp_pwdp) < 3)
+        if (strlen(spw->sp_pwdp) < 3)
-    return(0);
+                return(0);
-  /* Encrypt the candidate password using the proper salt. */
+        /* Encrypt the candidate password using the proper salt. */
 #ifdef HAVE_MD5_PASSWORDS
-  if (is_md5_salt(spw->sp_pwdp))
+        if (is_md5_salt(spw->sp_pwdp))
-    encrypted_password = md5_crypt(password, spw->sp_pwdp);
+                encrypted_password = md5_crypt(password, spw->sp_pwdp);
-  else
+        else
-    encrypted_password = crypt(password, spw->sp_pwdp);
+                encrypted_password = crypt(password, spw->sp_pwdp);
 #else /* HAVE_MD5_PASSWORDS */    
-  encrypted_password = crypt(password, spw->sp_pwdp);
+        encrypted_password = crypt(password, spw->sp_pwdp);
 #endif /* HAVE_MD5_PASSWORDS */    
+        /* Authentication is accepted if the encrypted passwords are identical. */
-  /* Authentication is accepted if the encrypted passwords are identical. */
+        return (strcmp(encrypted_password, spw->sp_pwdp) == 0);
-  return (strcmp(encrypted_password, spw->sp_pwdp) == 0);
 #else /* !HAVE_SHADOW_H */
+        encrypted_password = crypt(password,
+            (pw->pw_passwd[0] && pw->pw_passwd[1]) ? pw->pw_passwd : "xx");
-  /* Encrypt the candidate password using the proper salt. */
+        /* Authentication is accepted if the encrypted passwords are identical. */
-  encrypted_password = crypt(password, 
+        return (strcmp(encrypted_password, pw->pw_passwd) == 0);
-                             (pw->pw_passwd[0] && pw->pw_passwd[1]) ?
-                             pw->pw_passwd : "xx");
-  /* Authentication is accepted if the encrypted passwords are identical. */
-  return (strcmp(encrypted_password, pw->pw_passwd) == 0);
 #endif /* !HAVE_SHADOW_H */
 }
 #endif /* !HAVE_PAM */
author	Damien Miller <djm@mindrot.org>	1999-11-25 00:26:21 +1100
committer	Damien Miller <djm@mindrot.org>	1999-11-25 00:26:21 +1100
commit	95def09838fc61b37b6ea7cd5c234a465b4b129b (patch)
tree	042744f76f40a326b873cb1c3690a6d7d966bc3e /auth-passwd.c
parent	4d2f15f895f4c795afc008aeff3fd2ceffbc44f4 (diff)

diff --git a/auth-passwd.c b/auth-passwd.c index a08bab3af..d3914fca3 100644 --- a/auth-passwd.c +++ b/auth-passwd.c
@@ -1,30 +1,22 @@
1	/*	1	/*
2		2	* Author: Tatu Ylonen <ylo@cs.hut.fi>
3	auth-passwd.c	3	* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
4		4	* All rights reserved
5	Author: Tatu Ylonen <ylo@cs.hut.fi>	5	* Created: Sat Mar 18 05:11:38 1995 ylo
6		6	* Password authentication. This file contains the functions to check whether
7	Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland	7	* the password is valid for the user.
8	All rights reserved	8	*/
9
10	Created: Sat Mar 18 05:11:38 1995 ylo
11
12	Password authentication. This file contains the functions to check whether
13	the password is valid for the user.
14
15	*/
16		9
17	#include "includes.h"	10	#include "includes.h"
18		11
19	#ifndef HAVE_PAM	12	#ifndef HAVE_PAM
20		13
21	RCSID("$Id: auth-passwd.c,v 1.5 1999/11/19 04:53:20 damien Exp $");	14	RCSID("$Id: auth-passwd.c,v 1.6 1999/11/24 13:26:21 damien Exp $");
22		15
23	#include "packet.h"	16	#include "packet.h"
24	#include "ssh.h"	17	#include "ssh.h"
25	#include "servconf.h"	18	#include "servconf.h"
26	#include "xmalloc.h"	19	#include "xmalloc.h"
27	#include "config.h"
28		20
29	#ifdef HAVE_SHADOW_H	21	#ifdef HAVE_SHADOW_H
30	#include <shadow.h>	22	#include <shadow.h>
@@ -34,185 +26,189 @@ RCSID("$Id: auth-passwd.c,v 1.5 1999/11/19 04:53:20 damien Exp $");
34	#include "md5crypt.h"	26	#include "md5crypt.h"
35	#endif	27	#endif
36		28
37	/* Don't need anything from here if we are using PAM */	29	/*
38		30	* Tries to authenticate the user using password. Returns true if
39	/* Tries to authenticate the user using password. Returns true if	31	* authentication succeeds.
40	authentication succeeds. */	32	*/
41		33	int
42	int auth_password(struct passwd pw, const char password)	34	auth_password(struct passwd * pw, const char *password)
43	{	35	{
44	extern ServerOptions options;	36	extern ServerOptions options;
45	char *encrypted_password;	37	char *encrypted_password;
46	#ifdef HAVE_SHADOW_H	38	#ifdef HAVE_SHADOW_H
47	struct spwd *spw;	39	struct spwd *spw;
48	#endif	40	#endif
49		41
50	if (pw->pw_uid == 0 && options.permit_root_login == 2)	42	if (pw->pw_uid == 0 && options.permit_root_login == 2) {
51	{	43	/* Server does not permit root login with password */
52	/packet_send_debug("Server does not permit root login with password.");/	44	return 0;
53	return 0;	45	}
54	}	46	if (*password == '\0' && options.permit_empty_passwd == 0) {
55		47	/* Server does not permit empty password login */
56	if (*password == '\0' && options.permit_empty_passwd == 0)	48	return 0;
57	{	49	}
58	/packet_send_debug("Server does not permit empty password login.");/	50	/* deny if no user. */
59	return 0;	51	if (pw == NULL)
60	}	52	return 0;
61
62	/* deny if no user. */
63	if (pw == NULL)
64	return 0;
65		53
66	#ifdef SKEY	54	#ifdef SKEY
67	if (options.skey_authentication == 1) {	55	if (options.skey_authentication == 1) {
68	if (strncasecmp(password, "s/key", 5) == 0) {	56	if (strncasecmp(password, "s/key", 5) == 0) {
69	char *skeyinfo = skey_keyinfo(pw->pw_name);	57	char *skeyinfo = skey_keyinfo(pw->pw_name);
70	if(skeyinfo == NULL){	58	if (skeyinfo == NULL) {
71	debug("generating fake skeyinfo for %.100s.", pw->pw_name);	59	debug("generating fake skeyinfo for %.100s.",
72	skeyinfo = skey_fake_keyinfo(pw->pw_name);	60	pw->pw_name);
73	}	61	skeyinfo = skey_fake_keyinfo(pw->pw_name);
74	if(skeyinfo != NULL)	62	}
75	packet_send_debug(skeyinfo);	63	if (skeyinfo != NULL)
76	/* Try again. */	64	packet_send_debug(skeyinfo);
77	return 0;	65	/* Try again. */
78	}	66	return 0;
79	else if (skey_haskey(pw->pw_name) == 0 &&	67	} else if (skey_haskey(pw->pw_name) == 0 &&
80	skey_passcheck(pw->pw_name, (char *)password) != -1) {	68	skey_passcheck(pw->pw_name, (char *) password) != -1) {
81	/* Authentication succeeded. */	69	/* Authentication succeeded. */
82	return 1;	70	return 1;
83	}	71	}
84	/* Fall back to ordinary passwd authentication. */	72	/* Fall back to ordinary passwd authentication. */
85	}	73	}
86	#endif	74	#endif
87		75
88	#if defined(KRB4)	76	#if defined(KRB4)
89	/* Support for Kerberos v4 authentication - Dug Song <dugsong@UMICH.EDU> */	77	/* Support for Kerberos v4 authentication - Dug Song
90	if (options.kerberos_authentication)	78	<dugsong@UMICH.EDU> */
91	{	79	if (options.kerberos_authentication) {
92	AUTH_DAT adata;	80	AUTH_DAT adata;
93	KTEXT_ST tkt;	81	KTEXT_ST tkt;
94	struct hostent *hp;	82	struct hostent *hp;
95	unsigned long faddr;	83	unsigned long faddr;
96	char localhost[MAXHOSTNAMELEN];	84	char localhost[MAXHOSTNAMELEN];
97	char phost[INST_SZ];	85	char phost[INST_SZ];
98	char realm[REALM_SZ];	86	char realm[REALM_SZ];
99	int r;	87	int r;
100		88
101	/* Try Kerberos password authentication only for non-root	89	/* Try Kerberos password authentication only for non-root
102	users and only if Kerberos is installed. */	90	users and only if Kerberos is installed. */
103	if (pw->pw_uid != 0 && krb_get_lrealm(realm, 1) == KSUCCESS) {	91	if (pw->pw_uid != 0 && krb_get_lrealm(realm, 1) == KSUCCESS) {
104		92
105	/* Set up our ticket file. */	93	/* Set up our ticket file. */
106	if (!krb4_init(pw->pw_uid)) {	94	if (!krb4_init(pw->pw_uid)) {
107	log("Couldn't initialize Kerberos ticket file for %s!", pw->pw_name);	95	log("Couldn't initialize Kerberos ticket file for %s!",
108	goto kerberos_auth_failure;	96	pw->pw_name);
109	}	97	goto kerberos_auth_failure;
110	/* Try to get TGT using our password. */	98	}
111	r = krb_get_pw_in_tkt((char *)pw->pw_name, "", realm, "krbtgt", realm,	99	/* Try to get TGT using our password. */
112	DEFAULT_TKT_LIFE, (char *)password);	100	r = krb_get_pw_in_tkt((char *) pw->pw_name, "",
113	if (r != INTK_OK) {	101	realm, "krbtgt", realm,
114	packet_send_debug("Kerberos V4 password authentication for %s "	102	DEFAULT_TKT_LIFE, (char *) password);
115	"failed: %s", pw->pw_name, krb_err_txt[r]);	103	if (r != INTK_OK) {
116	goto kerberos_auth_failure;	104	packet_send_debug("Kerberos V4 password "
		105	"authentication for %s failed: %s",
		106	pw->pw_name, krb_err_txt[r]);
		107	goto kerberos_auth_failure;
		108	}
		109	/* Successful authentication. */
		110	chown(tkt_string(), pw->pw_uid, pw->pw_gid);
		111
		112	/*
		113	* Now that we have a TGT, try to get a local
		114	* "rcmd" ticket to ensure that we are not talking
		115	* to a bogus Kerberos server.
		116	*/
		117	(void) gethostname(localhost, sizeof(localhost));
		118	(void) strlcpy(phost, (char *) krb_get_phost(localhost),
		119	INST_SZ);
		120	r = krb_mk_req(&tkt, KRB4_SERVICE_NAME, phost, realm, 33);
		121
		122	if (r == KSUCCESS) {
		123	if (!(hp = gethostbyname(localhost))) {
		124	log("Couldn't get local host address!");
		125	goto kerberos_auth_failure;
		126	}
		127	memmove((void ) &faddr, (void ) hp->h_addr,
		128	sizeof(faddr));
		129
		130	/* Verify our "rcmd" ticket. */
		131	r = krb_rd_req(&tkt, KRB4_SERVICE_NAME, phost,
		132	faddr, &adata, "");
		133	if (r == RD_AP_UNDEC) {
		134	/*
		135	* Probably didn't have a srvtab on
		136	* localhost. Allow login.
		137	*/
		138	log("Kerberos V4 TGT for %s unverifiable, "
		139	"no srvtab installed? krb_rd_req: %s",
		140	pw->pw_name, krb_err_txt[r]);
		141	} else if (r != KSUCCESS) {
		142	log("Kerberos V4 %s ticket unverifiable: %s",
		143	KRB4_SERVICE_NAME, krb_err_txt[r]);
		144	goto kerberos_auth_failure;
		145	}
		146	} else if (r == KDC_PR_UNKNOWN) {
		147	/* Allow login if no rcmd service exists,
		148	but log the error. */
		149	log("Kerberos V4 TGT for %s unverifiable: %s; %s.%s "
		150	"not registered, or srvtab is wrong?", pw->pw_name,
		151	krb_err_txt[r], KRB4_SERVICE_NAME, phost);
		152	} else {
		153	/* TGT is bad, forget it. Possibly
		154	spoofed! */
		155	packet_send_debug("WARNING: Kerberos V4 TGT "
		156	"possibly spoofed for %s: %s",
		157	pw->pw_name, krb_err_txt[r]);
		158	goto kerberos_auth_failure;
		159	}
		160
		161	/* Authentication succeeded. */
		162	return 1;
		163
		164	kerberos_auth_failure:
		165	krb4_cleanup_proc(NULL);
		166
		167	if (!options.kerberos_or_local_passwd)
		168	return 0;
		169	} else {
		170	/* Logging in as root or no local Kerberos realm. */
		171	packet_send_debug("Unable to authenticate to Kerberos.");
		172	}
		173	/* Fall back to ordinary passwd authentication. */
117	}	174	}
118	/* Successful authentication. */	175	#endif /* KRB4 */
119	chown(tkt_string(), pw->pw_uid, pw->pw_gid);	176
120		177	/* Check for users with no password. */
121	/* Now that we have a TGT, try to get a local "rcmd" ticket to	178	if (strcmp(password, "") == 0 && strcmp(pw->pw_passwd, "") == 0) {
122	ensure that we are not talking to a bogus Kerberos server. */	179	packet_send_debug("Login permitted without a password "
123	(void) gethostname(localhost, sizeof(localhost));	180	"because the account has no password.");
124	(void) strlcpy(phost, (char *)krb_get_phost(localhost), INST_SZ);	181	return 1;
125	r = krb_mk_req(&tkt, KRB4_SERVICE_NAME, phost, realm, 33);
126
127	if (r == KSUCCESS) {
128	if (!(hp = gethostbyname(localhost))) {
129	log("Couldn't get local host address!");
130	goto kerberos_auth_failure;
131	}
132	memmove((void )&faddr, (void )hp->h_addr, sizeof(faddr));
133
134	/* Verify our "rcmd" ticket. */
135	r = krb_rd_req(&tkt, KRB4_SERVICE_NAME, phost, faddr, &adata, "");
136	if (r == RD_AP_UNDEC) {
137	/* Probably didn't have a srvtab on localhost. Allow login. */
138	log("Kerberos V4 TGT for %s unverifiable, no srvtab installed? "
139	"krb_rd_req: %s", pw->pw_name, krb_err_txt[r]);
140	}
141	else if (r != KSUCCESS) {
142	log("Kerberos V4 %s ticket unverifiable: %s",
143	KRB4_SERVICE_NAME, krb_err_txt[r]);
144	goto kerberos_auth_failure;
145	}
146	}
147	else if (r == KDC_PR_UNKNOWN) {
148	/* Allow login if no rcmd service exists, but log the error. */
149	log("Kerberos V4 TGT for %s unverifiable: %s; %s.%s "
150	"not registered, or srvtab is wrong?", pw->pw_name,
151	krb_err_txt[r], KRB4_SERVICE_NAME, phost);
152	}
153	else {
154	/* TGT is bad, forget it. Possibly spoofed! */
155	packet_send_debug("WARNING: Kerberos V4 TGT possibly spoofed for"
156	"%s: %s", pw->pw_name, krb_err_txt[r]);
157	goto kerberos_auth_failure;
158	}	182	}
159
160	/* Authentication succeeded. */
161	return 1;
162
163	kerberos_auth_failure:
164	krb4_cleanup_proc(NULL);
165
166	if (!options.kerberos_or_local_passwd)
167	return 0;
168	}
169	else {
170	/* Logging in as root or no local Kerberos realm. */
171	packet_send_debug("Unable to authenticate to Kerberos.");
172	}
173	/* Fall back to ordinary passwd authentication. */
174	}
175	#endif /* KRB4 */
176
177	/* Check for users with no password. */
178	if (strcmp(password, "") == 0 && strcmp(pw->pw_passwd, "") == 0)
179	{
180	packet_send_debug("Login permitted without a password because the account has no password.");
181	return 1; /* The user has no password and an empty password was tried. */
182	}
183		183
184	#ifdef HAVE_SHADOW_H	184	#ifdef HAVE_SHADOW_H
185	spw = getspnam(pw->pw_name);	185	spw = getspnam(pw->pw_name);
186	if (spw == NULL)	186	if (spw == NULL)
187	return(0);	187	return(0);
188		188
189	if ((spw->sp_namp == NULL) \|\| (strcmp(pw->pw_name, spw->sp_namp) != 0))	189	if ((spw->sp_namp == NULL) \|\| (strcmp(pw->pw_name, spw->sp_namp) != 0))
190	fatal("Shadow lookup returned garbage.");	190	fatal("Shadow lookup returned garbage.");
191		191
192	if (strlen(spw->sp_pwdp) < 3)	192	if (strlen(spw->sp_pwdp) < 3)
193	return(0);	193	return(0);
194		194
195	/* Encrypt the candidate password using the proper salt. */	195	/* Encrypt the candidate password using the proper salt. */
196	#ifdef HAVE_MD5_PASSWORDS	196	#ifdef HAVE_MD5_PASSWORDS
197	if (is_md5_salt(spw->sp_pwdp))	197	if (is_md5_salt(spw->sp_pwdp))
198	encrypted_password = md5_crypt(password, spw->sp_pwdp);	198	encrypted_password = md5_crypt(password, spw->sp_pwdp);
199	else	199	else
200	encrypted_password = crypt(password, spw->sp_pwdp);	200	encrypted_password = crypt(password, spw->sp_pwdp);
201	#else /* HAVE_MD5_PASSWORDS */	201	#else /* HAVE_MD5_PASSWORDS */
202	encrypted_password = crypt(password, spw->sp_pwdp);	202	encrypted_password = crypt(password, spw->sp_pwdp);
203	#endif /* HAVE_MD5_PASSWORDS */	203	#endif /* HAVE_MD5_PASSWORDS */
204		204	/* Authentication is accepted if the encrypted passwords are identical. */
205	/* Authentication is accepted if the encrypted passwords are identical. */	205	return (strcmp(encrypted_password, spw->sp_pwdp) == 0);
206	return (strcmp(encrypted_password, spw->sp_pwdp) == 0);
207	#else /* !HAVE_SHADOW_H */	206	#else /* !HAVE_SHADOW_H */
		207	encrypted_password = crypt(password,
		208	(pw->pw_passwd[0] && pw->pw_passwd[1]) ? pw->pw_passwd : "xx");
208		209
209	/* Encrypt the candidate password using the proper salt. */	210	/* Authentication is accepted if the encrypted passwords are identical. */
210	encrypted_password = crypt(password,	211	return (strcmp(encrypted_password, pw->pw_passwd) == 0);
211	(pw->pw_passwd[0] && pw->pw_passwd[1]) ?
212	pw->pw_passwd : "xx");
213	/* Authentication is accepted if the encrypted passwords are identical. */
214	return (strcmp(encrypted_password, pw->pw_passwd) == 0);
215	#endif /* !HAVE_SHADOW_H */	212	#endif /* !HAVE_SHADOW_H */
216	}	213	}
217
218	#endif /* !HAVE_PAM */	214	#endif /* !HAVE_PAM */