Diffstat (limited to 'auth-passwd.c')
-rw-r--r--auth-passwd.c141
1 files changed, 67 insertions, 74 deletions
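--- a/auth-passwd.c
+++ b/auth-passwd.c
@@ -36,19 +36,24 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: auth-passwd.c,v 1.29 2003/08/26 09:58:43 markus Exp $");
+RCSID("$OpenBSD: auth-passwd.c,v 1.31 2004/01/30 09:48:57 markus Exp $");
 
 #include "packet.h"
 #include "log.h"
 #include "servconf.h"
 #include "auth.h"
-#ifdef WITH_AIXAUTHENTICATE
-# include "buffer.h"
-# include "canohost.h"
-extern Buffer loginmsg;
-#endif
+#include "auth-options.h"
 
 extern ServerOptions options;
+int sys_auth_passwd(Authctxt *, const char *);
+
+void
+disable_forwarding(void)
+{
+ no_port_forwarding_flag = 1;
+ no_agent_forwarding_flag = 1;
+ no_x11_forwarding_flag = 1;
+}
 
 /*
  * Tries to authenticate the user using password. Returns true if
@@ -59,29 +64,31 @@ auth_password(Authctxt *authctxt, const char *password)
 {
  struct passwd * pw = authctxt->pw;
  int ok = authctxt->valid;
+ static int expire_checked = 0;
 
- /* deny if no user. */
- if (pw == NULL)
- return 0;
 #ifndef HAVE_CYGWIN
- if (pw && pw->pw_uid == 0 && options.permit_root_login != PERMIT_YES)
+ if (pw->pw_uid == 0 && options.permit_root_login != PERMIT_YES)
  ok = 0;
 #endif
  if (*password == '\0' && options.permit_empty_passwd == 0)
  return 0;
 
 #if defined(HAVE_OSF_SIA)
+ /*
+ * XXX: any reason this is before krb? could be moved to
+ * sys_auth_passwd()? -dt
+ */
  return auth_sia_password(authctxt, password) && ok;
-#else
-# ifdef KRB5
+#endif
+#ifdef KRB5
  if (options.kerberos_authentication == 1) {
  int ret = auth_krb5_password(authctxt, password);
  if (ret == 1 || ret == 0)
  return ret && ok;
  /* Fall back to ordinary passwd authentication. */
  }
-# endif
-# ifdef HAVE_CYGWIN
+#endif
+#ifdef HAVE_CYGWIN
  if (is_winnt) {
  HANDLE hToken = cygwin_logon_user(pw, password);
 
@@ -90,74 +97,60 @@ auth_password(Authctxt *authctxt, const char *password)
  cygwin_set_impersonation_token(hToken);
  return ok;
  }
-# endif
-# ifdef WITH_AIXAUTHENTICATE
- {
- char *authmsg = NULL;
- int reenter = 1;
- int authsuccess = 0;
-
- if (authenticate(pw->pw_name, password, &reenter,
- &authmsg) == 0 && ok) {
- char *msg;
- char *host =
- (char *)get_canonical_hostname(options.use_dns);
-
- authsuccess = 1;
- aix_remove_embedded_newlines(authmsg);
-
- debug3("AIX/authenticate succeeded for user %s: %.100s",
- pw->pw_name, authmsg);
-
- /* No pty yet, so just label the line as "ssh" */
- aix_setauthdb(authctxt->user);
- if (loginsuccess(authctxt->user, host, "ssh",
- &msg) == 0) {
- if (msg != NULL) {
- debug("%s: msg %s", __func__, msg);
- buffer_append(&loginmsg, msg,
- strlen(msg));
- xfree(msg);
- }
- }
- } else {
- debug3("AIX/authenticate failed for user %s: %.100s",
- pw->pw_name, authmsg);
+#endif
+#if defined(USE_SHADOW) && defined(HAS_SHADOW_EXPIRE)
+ if (!expire_checked) {
+ expire_checked = 1;
+ if (auth_shadow_pwexpired(authctxt)) {
+ disable_forwarding();
+ authctxt->force_pwchange = 1;
  }
+ }
+#endif
+
+ return (sys_auth_passwd(authctxt, password) && ok);
+}
 
- if (authmsg != NULL)
- xfree(authmsg);
-
- return authsuccess;
+#ifdef BSD_AUTH
+int
+sys_auth_passwd(Authctxt *authctxt, const char *password)
+{
+ struct passwd *pw = authctxt->pw;
+ auth_session_t *as;
+
+ as = auth_usercheck(pw->pw_name, authctxt->style, "auth-ssh",
+ (char *)password);
+ if (auth_getstate(as) & AUTH_PWEXPIRED) {
+ auth_close(as);
+ disable_forwarding();
+ authctxt->force_pwchange = 1;
+ return (1);
+ } else {
+ return (auth_close(as));
  }
-# endif
-# ifdef BSD_AUTH
- if (auth_userokay(pw->pw_name, authctxt->style, "auth-ssh",
- (char *)password) == 0)
- return 0;
- else
- return ok;
-# else
- {
+}
+#elif !defined(CUSTOM_SYS_AUTH_PASSWD)
+int
+sys_auth_passwd(Authctxt *authctxt, const char *password)
+{
+ struct passwd *pw = authctxt->pw;
+ char *encrypted_password;
+
  /* Just use the supplied fake password if authctxt is invalid */
  char *pw_password = authctxt->valid ? shadow_pw(pw) : pw->pw_passwd;
 
  /* Check for users with no password. */
  if (strcmp(pw_password, "") == 0 && strcmp(password, "") == 0)
- return ok;
- else {
- /* Encrypt the candidate password using the proper salt. */
- char *encrypted_password = xcrypt(password,
- (pw_password[0] && pw_password[1]) ? pw_password : "xx");
+ return (1);
 
- /*
- * Authentication is accepted if the encrypted passwords
- * are identical.
- */
- return (strcmp(encrypted_password, pw_password) == 0) && ok;
- }
+ /* Encrypt the candidate password using the proper salt. */
+ encrypted_password = xcrypt(password,
+ (pw_password[0] && pw_password[1]) ? pw_password : "xx");
 
- }
-# endif
-#endif /* !HAVE_OSF_SIA */
+ /*
+ * Authentication is accepted if the encrypted passwords
+ * are identical.
+ */
+ return (strcmp(encrypted_password, pw_password) == 0);
 }
+#endif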
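Review bot: In the BSD_AUTH sys_auth_passwd() (new lines 121-129) the session returned by auth_usercheck() goes straight into auth_getstate() with no NULL check; the auth_usercheck(3) manual page lists a NULL return on failure, so an allocation or auth-style error on the password path would become a NULL dereference in the server rather than a clean denial. I would add `if (as == NULL) return (0);` between the auth_usercheck() call and the auth_getstate() test, which fails closed. Separately, dropping the `if (pw == NULL) return 0;` guard (old lines 63-65) leaves the `pw->pw_uid` test at new line 70 depending on every caller having populated authctxt->pw, presumably with a fake entry for unknown users; that invariant is not visible in this hunk, so if it holds I would record it above auth_password() as `/* authctxt->pw is never NULL here: callers substitute a fake entry for unknown users */`.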