1 files changed, 67 insertions, 74 deletions
diff --git a/auth-passwd.c b/auth-passwd.c
index 971c7ba19..b9679abd0 100644
--- a/auth-passwd.c
+++ b/auth-passwd.c
@@ -36,19 +36,24 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: auth-passwd.c,v 1.29 2003/08/26 09:58:43 markus Exp $");
+RCSID("$OpenBSD: auth-passwd.c,v 1.31 2004/01/30 09:48:57 markus Exp $");
 #include "packet.h"
 #include "log.h"
 #include "servconf.h"
 #include "auth.h"
-#ifdef WITH_AIXAUTHENTICATE
+#include "auth-options.h"
-# include "buffer.h"
-# include "canohost.h"
-extern Buffer loginmsg;
-#endif
 extern ServerOptions options;
+int sys_auth_passwd(Authctxt *, const char *);
+void
+disable_forwarding(void)
+{
+        no_port_forwarding_flag = 1;
+        no_agent_forwarding_flag = 1;
+        no_x11_forwarding_flag = 1;
+}
 /*
 * Tries to authenticate the user using password.  Returns true if
@@ -59,29 +64,31 @@ auth_password(Authctxt *authctxt, const char *password)
 {
        struct passwd * pw = authctxt->pw;
        int ok = authctxt->valid;
+        static int expire_checked = 0;
-        /* deny if no user. */
-        if (pw == NULL)
-                return 0;
 #ifndef HAVE_CYGWIN
-        if (pw && pw->pw_uid == 0 && options.permit_root_login != PERMIT_YES)
+        if (pw->pw_uid == 0 && options.permit_root_login != PERMIT_YES)
                ok = 0;
 #endif
        if (*password == '\0' && options.permit_empty_passwd == 0)
                return 0;
 #if defined(HAVE_OSF_SIA)
+        /*
+         * XXX: any reason this is before krb?  could be moved to
+         * sys_auth_passwd()?  -dt
+         */
        return auth_sia_password(authctxt, password) && ok;
-#else
+#endif
-# ifdef KRB5
+#ifdef KRB5
        if (options.kerberos_authentication == 1) {
                int ret = auth_krb5_password(authctxt, password);
                if (ret == 1 || ret == 0)
                        return ret && ok;
                /* Fall back to ordinary passwd authentication. */
        }
-# endif
+#endif
-# ifdef HAVE_CYGWIN
+#ifdef HAVE_CYGWIN
        if (is_winnt) {
                HANDLE hToken = cygwin_logon_user(pw, password);
@@ -90,74 +97,60 @@ auth_password(Authctxt *authctxt, const char *password)
                cygwin_set_impersonation_token(hToken);
                return ok;
        }
-# endif
+#endif
-# ifdef WITH_AIXAUTHENTICATE
+#if defined(USE_SHADOW) && defined(HAS_SHADOW_EXPIRE)
-        {
+        if (!expire_checked) {
-                char *authmsg = NULL;
+                expire_checked = 1;
-                int reenter = 1;
+                if (auth_shadow_pwexpired(authctxt)) {
-                int authsuccess = 0;
+                        disable_forwarding();
+                        authctxt->force_pwchange = 1;
-                if (authenticate(pw->pw_name, password, &reenter,
-                    &authmsg) == 0 && ok) {
-                        char *msg;
-                        char *host = 
-                            (char *)get_canonical_hostname(options.use_dns);
-                        authsuccess = 1;
-                        aix_remove_embedded_newlines(authmsg);  
-                        debug3("AIX/authenticate succeeded for user %s: %.100s",
-                                pw->pw_name, authmsg);
-                        /* No pty yet, so just label the line as "ssh" */
-                        aix_setauthdb(authctxt->user);
-                        if (loginsuccess(authctxt->user, host, "ssh", 
-                            &msg) == 0) {
-                                if (msg != NULL) {
-                                        debug("%s: msg %s", __func__, msg);
-                                        buffer_append(&loginmsg, msg, 
-                                            strlen(msg));
-                                        xfree(msg);
-                                }
-                        }
-                } else {
-                        debug3("AIX/authenticate failed for user %s: %.100s",
-                            pw->pw_name, authmsg);
                }
+        }
+#endif
+                
+        return (sys_auth_passwd(authctxt, password) && ok);
+}
-                if (authmsg != NULL)
+#ifdef BSD_AUTH
-                        xfree(authmsg);
+int
+sys_auth_passwd(Authctxt *authctxt, const char *password)
-                return authsuccess;
+{
+        struct passwd *pw = authctxt->pw;
+        auth_session_t *as;
+        as = auth_usercheck(pw->pw_name, authctxt->style, "auth-ssh",
+            (char *)password);
+        if (auth_getstate(as) & AUTH_PWEXPIRED) {
+                auth_close(as);
+                disable_forwarding();
+                authctxt->force_pwchange = 1;
+                return (1);
+        } else {
+                return (auth_close(as));
        }
-# endif
+}
-# ifdef BSD_AUTH
+#elif !defined(CUSTOM_SYS_AUTH_PASSWD)
-        if (auth_userokay(pw->pw_name, authctxt->style, "auth-ssh",
+int
-            (char *)password) == 0)
+sys_auth_passwd(Authctxt *authctxt, const char *password)
-                return 0;
+{
-        else
+        struct passwd *pw = authctxt->pw;
-                return ok;
+        char *encrypted_password;
-# else
-        {
        /* Just use the supplied fake password if authctxt is invalid */
        char *pw_password = authctxt->valid ? shadow_pw(pw) : pw->pw_passwd;
        /* Check for users with no password. */
        if (strcmp(pw_password, "") == 0 && strcmp(password, "") == 0)
-                return ok;
+                return (1);
-        else {
-                /* Encrypt the candidate password using the proper salt. */
-                char *encrypted_password = xcrypt(password,
-                    (pw_password[0] && pw_password[1]) ? pw_password : "xx");
-                /*
+        /* Encrypt the candidate password using the proper salt. */
-                 * Authentication is accepted if the encrypted passwords
+        encrypted_password = xcrypt(password,
-                 * are identical.
+            (pw_password[0] && pw_password[1]) ? pw_password : "xx");
-                 */
-                return (strcmp(encrypted_password, pw_password) == 0) && ok;
-        }
-        }
+        /*
-# endif
+         * Authentication is accepted if the encrypted passwords
-#endif /* !HAVE_OSF_SIA */
+         * are identical.
+         */
+        return (strcmp(encrypted_password, pw_password) == 0);
 }
+#endif

diff --git a/auth-passwd.c b/auth-passwd.c index 971c7ba19..b9679abd0 100644 --- a/auth-passwd.c +++ b/auth-passwd.c
@@ -36,19 +36,24 @@
36	*/	36	*/
37		37
38	#include "includes.h"	38	#include "includes.h"
39	RCSID("$OpenBSD: auth-passwd.c,v 1.29 2003/08/26 09:58:43 markus Exp $");	39	RCSID("$OpenBSD: auth-passwd.c,v 1.31 2004/01/30 09:48:57 markus Exp $");
40		40
41	#include "packet.h"	41	#include "packet.h"
42	#include "log.h"	42	#include "log.h"
43	#include "servconf.h"	43	#include "servconf.h"
44	#include "auth.h"	44	#include "auth.h"
45	#ifdef WITH_AIXAUTHENTICATE	45	#include "auth-options.h"
46	# include "buffer.h"
47	# include "canohost.h"
48	extern Buffer loginmsg;
49	#endif
50		46
51	extern ServerOptions options;	47	extern ServerOptions options;
		48	int sys_auth_passwd(Authctxt , const char );
		49
		50	void
		51	disable_forwarding(void)
		52	{
		53	no_port_forwarding_flag = 1;
		54	no_agent_forwarding_flag = 1;
		55	no_x11_forwarding_flag = 1;
		56	}
52		57
53	/*	58	/*
54	* Tries to authenticate the user using password. Returns true if	59	* Tries to authenticate the user using password. Returns true if
@@ -59,29 +64,31 @@ auth_password(Authctxt authctxt, const char password)
59	{	64	{
60	struct passwd * pw = authctxt->pw;	65	struct passwd * pw = authctxt->pw;
61	int ok = authctxt->valid;	66	int ok = authctxt->valid;
		67	static int expire_checked = 0;
62		68
63	/* deny if no user. */
64	if (pw == NULL)
65	return 0;
66	#ifndef HAVE_CYGWIN	69	#ifndef HAVE_CYGWIN
67	if (pw && pw->pw_uid == 0 && options.permit_root_login != PERMIT_YES)	70	if (pw->pw_uid == 0 && options.permit_root_login != PERMIT_YES)
68	ok = 0;	71	ok = 0;
69	#endif	72	#endif
70	if (*password == '\0' && options.permit_empty_passwd == 0)	73	if (*password == '\0' && options.permit_empty_passwd == 0)
71	return 0;	74	return 0;
72		75
73	#if defined(HAVE_OSF_SIA)	76	#if defined(HAVE_OSF_SIA)
		77	/*
		78	* XXX: any reason this is before krb? could be moved to
		79	* sys_auth_passwd()? -dt
		80	*/
74	return auth_sia_password(authctxt, password) && ok;	81	return auth_sia_password(authctxt, password) && ok;
75	#else	82	#endif
76	# ifdef KRB5	83	#ifdef KRB5
77	if (options.kerberos_authentication == 1) {	84	if (options.kerberos_authentication == 1) {
78	int ret = auth_krb5_password(authctxt, password);	85	int ret = auth_krb5_password(authctxt, password);
79	if (ret == 1 \|\| ret == 0)	86	if (ret == 1 \|\| ret == 0)
80	return ret && ok;	87	return ret && ok;
81	/* Fall back to ordinary passwd authentication. */	88	/* Fall back to ordinary passwd authentication. */
82	}	89	}
83	# endif	90	#endif
84	# ifdef HAVE_CYGWIN	91	#ifdef HAVE_CYGWIN
85	if (is_winnt) {	92	if (is_winnt) {
86	HANDLE hToken = cygwin_logon_user(pw, password);	93	HANDLE hToken = cygwin_logon_user(pw, password);
87		94
@@ -90,74 +97,60 @@ auth_password(Authctxt authctxt, const char password)
90	cygwin_set_impersonation_token(hToken);	97	cygwin_set_impersonation_token(hToken);
91	return ok;	98	return ok;
92	}	99	}
93	# endif	100	#endif
94	# ifdef WITH_AIXAUTHENTICATE	101	#if defined(USE_SHADOW) && defined(HAS_SHADOW_EXPIRE)
95	{	102	if (!expire_checked) {
96	char *authmsg = NULL;	103	expire_checked = 1;
97	int reenter = 1;	104	if (auth_shadow_pwexpired(authctxt)) {
98	int authsuccess = 0;	105	disable_forwarding();
99		106	authctxt->force_pwchange = 1;
100	if (authenticate(pw->pw_name, password, &reenter,
101	&authmsg) == 0 && ok) {
102	char *msg;
103	char *host =
104	(char *)get_canonical_hostname(options.use_dns);
105
106	authsuccess = 1;
107	aix_remove_embedded_newlines(authmsg);
108
109	debug3("AIX/authenticate succeeded for user %s: %.100s",
110	pw->pw_name, authmsg);
111
112	/* No pty yet, so just label the line as "ssh" */
113	aix_setauthdb(authctxt->user);
114	if (loginsuccess(authctxt->user, host, "ssh",
115	&msg) == 0) {
116	if (msg != NULL) {
117	debug("%s: msg %s", __func__, msg);
118	buffer_append(&loginmsg, msg,
119	strlen(msg));
120	xfree(msg);
121	}
122	}
123	} else {
124	debug3("AIX/authenticate failed for user %s: %.100s",
125	pw->pw_name, authmsg);
126	}	107	}
		108	}
		109	#endif
		110
		111	return (sys_auth_passwd(authctxt, password) && ok);
		112	}
127		113
128	if (authmsg != NULL)	114	#ifdef BSD_AUTH
129	xfree(authmsg);	115	int
130		116	sys_auth_passwd(Authctxt authctxt, const char password)
131	return authsuccess;	117	{
		118	struct passwd *pw = authctxt->pw;
		119	auth_session_t *as;
		120
		121	as = auth_usercheck(pw->pw_name, authctxt->style, "auth-ssh",
		122	(char *)password);
		123	if (auth_getstate(as) & AUTH_PWEXPIRED) {
		124	auth_close(as);
		125	disable_forwarding();
		126	authctxt->force_pwchange = 1;
		127	return (1);
		128	} else {
		129	return (auth_close(as));
132	}	130	}
133	# endif	131	}
134	# ifdef BSD_AUTH	132	#elif !defined(CUSTOM_SYS_AUTH_PASSWD)
135	if (auth_userokay(pw->pw_name, authctxt->style, "auth-ssh",	133	int
136	(char *)password) == 0)	134	sys_auth_passwd(Authctxt authctxt, const char password)
137	return 0;	135	{
138	else	136	struct passwd *pw = authctxt->pw;
139	return ok;	137	char *encrypted_password;
140	# else	138
141	{
142	/* Just use the supplied fake password if authctxt is invalid */	139	/* Just use the supplied fake password if authctxt is invalid */
143	char *pw_password = authctxt->valid ? shadow_pw(pw) : pw->pw_passwd;	140	char *pw_password = authctxt->valid ? shadow_pw(pw) : pw->pw_passwd;
144		141
145	/* Check for users with no password. */	142	/* Check for users with no password. */
146	if (strcmp(pw_password, "") == 0 && strcmp(password, "") == 0)	143	if (strcmp(pw_password, "") == 0 && strcmp(password, "") == 0)
147	return ok;	144	return (1);
148	else {
149	/* Encrypt the candidate password using the proper salt. */
150	char *encrypted_password = xcrypt(password,
151	(pw_password[0] && pw_password[1]) ? pw_password : "xx");
152		145
153	/*	146	/* Encrypt the candidate password using the proper salt. */
154	* Authentication is accepted if the encrypted passwords	147	encrypted_password = xcrypt(password,
155	* are identical.	148	(pw_password[0] && pw_password[1]) ? pw_password : "xx");
156	*/
157	return (strcmp(encrypted_password, pw_password) == 0) && ok;
158	}
159		149
160	}	150	/*
161	# endif	151	* Authentication is accepted if the encrypted passwords
162	#endif /* !HAVE_OSF_SIA */	152	* are identical.
		153	*/
		154	return (strcmp(encrypted_password, pw_password) == 0);
163	}	155	}
		156	#endif