Diffstat (limited to 'auth-passwd.c')
-rw-r--r-- | auth-passwd.c | 98 |
1 files changed, 64 insertions, 34 deletions
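--- a/auth-passwd.c
+++ b/auth-passwd.c
@@ -42,11 +42,21 @@ RCSID("$OpenBSD: auth-passwd.c,v 1.30 2003/11/04 08:54:09 djm Exp $");
 #include "log.h"
 #include "servconf.h"
 #include "auth.h"
+#include "auth-options.h"
 #ifdef WITH_AIXAUTHENTICATE
 # include "canohost.h"
 #endif
 
 extern ServerOptions options;
+int sys_auth_passwd(Authctxt *, const char *);
+
+static void
+disable_forwarding(void)
+{
+no_port_forwarding_flag = 1;
+no_agent_forwarding_flag = 1;
+no_x11_forwarding_flag = 1;
+}
 
 /*
 * Tries to authenticate the user using password. Returns true if
@@ -66,17 +76,21 @@ auth_password(Authctxt *authctxt, const char *password)
 return 0;
 
 #if defined(HAVE_OSF_SIA)
+/*
+* XXX: any reason this is before krb? could be moved to
+* sys_auth_passwd()? -dt
+*/
 return auth_sia_password(authctxt, password) && ok;
-#else
-# ifdef KRB5
+#endif
+#ifdef KRB5
 if (options.kerberos_authentication == 1) {
 int ret = auth_krb5_password(authctxt, password);
 if (ret == 1 || ret == 0)
 return ret && ok;
 /* Fall back to ordinary passwd authentication. */
 }
-# endif
-# ifdef HAVE_CYGWIN
+#endif
+#ifdef HAVE_CYGWIN
 if (is_winnt) {
 HANDLE hToken = cygwin_logon_user(pw, password);
 
@@ -85,41 +99,57 @@ auth_password(Authctxt *authctxt, const char *password)
 cygwin_set_impersonation_token(hToken);
 return ok;
 }
-# endif
-# ifdef WITH_AIXAUTHENTICATE
-if (aix_authenticate(pw->pw_name, password,
-get_canonical_hostname(options.use_dns)) == 0)
-return 0;
-else
-return ok;
-# endif
-# ifdef BSD_AUTH
-if (auth_userokay(pw->pw_name, authctxt->style, "auth-ssh",
-(char *)password) == 0)
-return 0;
-else
-return ok;
-# else
-{
+#endif
+return (sys_auth_passwd(authctxt, password) && ok);
+}
+
+#ifdef BSD_AUTH
+int
+sys_auth_passwd(Authctxt *authctxt, const char *password)
+{
+struct passwd *pw = authctxt->pw;
+auth_session_t *as;
+
+as = auth_usercheck(pw->pw_name, authctxt->style, "auth-ssh",
+(char *)password);
+if (auth_getstate(as) & AUTH_PWEXPIRED) {
+auth_close(as);
+disable_forwarding();
+authctxt->force_pwchange = 1;
+return (1);
+} else {
+return (auth_close(as));
+}
+}
+#elif defined(WITH_AIXAUTHENTICATE)
+int
+sys_auth_passwd(Authctxt *authctxt, const char *password)
+{
+return (aix_authenticate(authctxt->pw->pw_name, password,
+get_canonical_hostname(options.use_dns)));
+}
+#else
+int
+sys_auth_passwd(Authctxt *authctxt, const char *password)
+{
+struct passwd *pw = authctxt->pw;
+char *encrypted_password;
+
 /* Just use the supplied fake password if authctxt is invalid */
 char *pw_password = authctxt->valid ? shadow_pw(pw) : pw->pw_passwd;
 
 /* Check for users with no password. */
 if (strcmp(pw_password, "") == 0 && strcmp(password, "") == 0)
-return ok;
-else {
-/* Encrypt the candidate password using the proper salt. */
-char *encrypted_password = xcrypt(password,
-(pw_password[0] && pw_password[1]) ? pw_password : "xx");
+return (1);
 
-/*
-* Authentication is accepted if the encrypted passwords
-* are identical.
-*/
-return (strcmp(encrypted_password, pw_password) == 0) && ok;
-}
+/* Encrypt the candidate password using the proper salt. */
+encrypted_password = xcrypt(password,
+(pw_password[0] && pw_password[1]) ? pw_password : "xx");
 
-}
-# endif
-#endif /* !HAVE_OSF_SIA */
+/*
+* Authentication is accepted if the encrypted passwords
+* are identical.
+*/
+return (strcmp(encrypted_password, pw_password) == 0);
 }
+#endif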
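Review bot: In the BSD_AUTH sys_auth_passwd() of the third hunk, the session handle `as` returned by auth_usercheck() is passed straight to auth_getstate() without a NULL check, and auth_usercheck() returns NULL when it cannot set up the auth session (for example an unknown style), so the authentication path can dereference a null pointer and crash the privileged child. Reject the attempt explicitly right after the call: `if (as == NULL)` / `return (0);`. The AUTH_PWEXPIRED branch in the same hunk then returns 1 regardless of auth_close()'s result, which appears to assume the login script only reports an expired state after the password itself matched; that assumption is worth stating in a comment such as `/* Expired: accept, but restrict the session and force a password change. */`. The new disable_forwarding() helper in the first hunk would also benefit from a one-line comment noting that it clears the per-session forwarding permissions for the rest of the connection.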