Diffstat (limited to 'auth-passwd.c')
-rw-r--r-- | auth-passwd.c | 209 |
1 files changed, 209 insertions, 0 deletions
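--- /dev/null
+++ b/auth-passwd.c
@@ -0,0 +1,209 @@
+/*
+
+auth-passwd.c
+
+Author: Tatu Ylonen <ylo@cs.hut.fi>
+
+Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+All rights reserved
+
+Created: Sat Mar 18 05:11:38 1995 ylo
+
+Password authentication. This file contains the functions to check whether
+the password is valid for the user.
+
+*/
+
+#include "includes.h"
+RCSID("$Id: auth-passwd.c,v 1.1 1999/10/27 03:42:43 damien Exp $");
+
+#include "packet.h"
+#include "ssh.h"
+#include "servconf.h"
+#include "xmalloc.h"
+
+#ifdef KRB4
+extern char *ticket;
+#endif /* KRB4 */
+
+#ifdef HAVE_PAM
+#include <security/pam_appl.h>
+extern pam_handle_t *pamh;
+extern int retval;
+extern char* pampasswd;
+extern int origretval;
+#endif /* HAVE_PAM */
+
+/* Tries to authenticate the user using password. Returns true if
+authentication succeeds. */
+
+int auth_password(struct passwd *pw, const char *password)
+{
+extern ServerOptions options;
+char *encrypted_password;
+
+if (pw->pw_uid == 0 && options.permit_root_login == 2)
+{
+/*packet_send_debug("Server does not permit root login with password.");*/
+return 0;
+}
+
+if (*password == '\0' && options.permit_empty_passwd == 0)
+{
+/*packet_send_debug("Server does not permit empty password login.");*/
+return 0;
+}
+
+/* deny if no user. */
+if (pw == NULL)
+return 0;
+
+#ifdef HAVE_PAM
+retval = origretval;
+
+pampasswd = xstrdup(password);
+
+if (retval == PAM_SUCCESS)
+retval = pam_authenticate ((pam_handle_t *)pamh, 0);
+
+if (retval == PAM_SUCCESS)
+retval = pam_acct_mgmt ((pam_handle_t *)pamh, 0);
+
+xfree(pampasswd);
+
+if (retval == PAM_SUCCESS)
+retval = pam_open_session ((pam_handle_t *)pamh, 0);
+
+return (retval == PAM_SUCCESS);
+
+#else /* HAVE_PAM */
+
+#ifdef SKEY
+if (options.skey_authentication == 1) {
+if (strncasecmp(password, "s/key", 5) == 0) {
+char *skeyinfo = skey_keyinfo(pw->pw_name);
+if(skeyinfo == NULL){
+debug("generating fake skeyinfo for %.100s.", pw->pw_name);
+skeyinfo = skey_fake_keyinfo(pw->pw_name);
+}
+if(skeyinfo != NULL)
+packet_send_debug(skeyinfo);
+/* Try again. */
+return 0;
+}
+else if (skey_haskey(pw->pw_name) == 0 &&
+skey_passcheck(pw->pw_name, (char *)password) != -1) {
+/* Authentication succeeded. */
+return 1;
+}
+/* Fall back to ordinary passwd authentication. */
+}
+#endif
+
+#if defined(KRB4)
+/* Support for Kerberos v4 authentication - Dug Song <dugsong@UMICH.EDU> */
+if (options.kerberos_authentication)
+{
+AUTH_DAT adata;
+KTEXT_ST tkt;
+struct hostent *hp;
+unsigned long faddr;
+char localhost[MAXHOSTNAMELEN]; /* local host name */
+char phost[INST_SZ]; /* host instance */
+char realm[REALM_SZ]; /* local Kerberos realm */
+int r;
+
+/* Try Kerberos password authentication only for non-root
+users and only if Kerberos is installed. */
+if (pw->pw_uid != 0 && krb_get_lrealm(realm, 1) == KSUCCESS) {
+
+/* Set up our ticket file. */
+if (!ssh_tf_init(pw->pw_uid)) {
+log("Couldn't initialize Kerberos ticket file for %s!",
+pw->pw_name);
+goto kerberos_auth_failure;
+}
+/* Try to get TGT using our password. */
+r = krb_get_pw_in_tkt((char *)pw->pw_name, "", realm, "krbtgt", realm,
+DEFAULT_TKT_LIFE, (char *)password);
+if (r != INTK_OK) {
+packet_send_debug("Kerberos V4 password authentication for %s "
+"failed: %s", pw->pw_name, krb_err_txt[r]);
+goto kerberos_auth_failure;
+}
+/* Successful authentication. */
+chown(ticket, pw->pw_uid, pw->pw_gid);
+
+(void) gethostname(localhost, sizeof(localhost));
+(void) strlcpy(phost, (char *)krb_get_phost(localhost), INST_SZ);
+
+/* Now that we have a TGT, try to get a local "rcmd" ticket to
+ensure that we are not talking to a bogus Kerberos server. */
+r = krb_mk_req(&tkt, KRB4_SERVICE_NAME, phost, realm, 33);
+
+if (r == KSUCCESS) {
+if (!(hp = gethostbyname(localhost))) {
+log("Couldn't get local host address!");
+goto kerberos_auth_failure;
+}
+memmove((void *)&faddr, (void *)hp->h_addr, sizeof(faddr));
+
+/* Verify our "rcmd" ticket. */
+r = krb_rd_req(&tkt, KRB4_SERVICE_NAME, phost, faddr, &adata, "");
+if (r == RD_AP_UNDEC) {
+/* Probably didn't have a srvtab on localhost. Allow login. */
+log("Kerberos V4 TGT for %s unverifiable, no srvtab installed? "
+"krb_rd_req: %s", pw->pw_name, krb_err_txt[r]);
+}
+else if (r != KSUCCESS) {
+log("Kerberos V4 %s ticket unverifiable: %s",
+KRB4_SERVICE_NAME, krb_err_txt[r]);
+goto kerberos_auth_failure;
+}
+}
+else if (r == KDC_PR_UNKNOWN) {
+/* Allow login if no rcmd service exists, but log the error. */
+log("Kerberos V4 TGT for %s unverifiable: %s; %s.%s "
+"not registered, or srvtab is wrong?", pw->pw_name,
+krb_err_txt[r], KRB4_SERVICE_NAME, phost);
+}
+else {
+/* TGT is bad, forget it. Possibly spoofed! */
+packet_send_debug("WARNING: Kerberos V4 TGT possibly spoofed for"
+"%s: %s", pw->pw_name, krb_err_txt[r]);
+goto kerberos_auth_failure;
+}
+
+/* Authentication succeeded. */
+return 1;
+
+kerberos_auth_failure:
+(void) dest_tkt();
+xfree(ticket);
+ticket = NULL;
+if (!options.kerberos_or_local_passwd ) return 0;
+}
+else {
+/* Logging in as root or no local Kerberos realm. */
+packet_send_debug("Unable to authenticate to Kerberos.");
+}
+/* Fall back to ordinary passwd authentication. */
+}
+#endif /* KRB4 */
+
+/* Check for users with no password. */
+if (strcmp(password, "") == 0 && strcmp(pw->pw_passwd, "") == 0)
+{
+packet_send_debug("Login permitted without a password because the account has no password.");
+return 1; /* The user has no password and an empty password was tried. */
+}
+
+/* Encrypt the candidate password using the proper salt. */
+encrypted_password = crypt(password,
+(pw->pw_passwd[0] && pw->pw_passwd[1]) ?
+pw->pw_passwd : "xx");
+
+/* Authentication is accepted if the encrypted passwords are identical. */
+return (strcmp(encrypted_password, pw->pw_passwd) == 0);
+#endif /* HAVE_PAM */
+}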
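Review bot: The `if (pw == NULL) return 0;` guard under "deny if no user" is unreachable as a protection, because `pw->pw_uid` has already been dereferenced in the root-login check at the top of auth_password; move the guard to the first statement of the function, ahead of `if (pw->pw_uid == 0 && options.permit_root_login == 2)`. In the non-PAM tail, `crypt()` can return NULL when it cannot process the salt, and `strcmp(encrypted_password, pw->pw_passwd)` would then dereference it; add `if (encrypted_password == NULL) return 0;` before the comparison. In the PAM branch the plaintext copy made by `pampasswd = xstrdup(password)` is released with `xfree(pampasswd)` without being cleared first, so the secret lingers in freed heap memory; overwriting it before the free would shorten its lifetime. A comment on `"xx"` noting that it is a dummy salt used only so that accounts with a one-character (locked) password field still go through crypt() would help the next reader.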