login.c (2532) | login.c (3205) |
1/*- 2 * Copyright (c) 1980, 1987, 1988, 1991, 1993, 1994 3 * The Regents of the University of California. All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that the following conditions 7 * are met: 8 * 1. Redistributions of source code must retain the above copyright --- 105 unchanged lines hidden (view full) --- 114{ 115 extern char **environ; 116 struct group *gr; 117 struct stat st; 118 struct timeval tp; 119 struct utmp utmp; 120 int ask, ch, cnt, fflag, hflag, pflag, quietlog, rootlogin, rval; 121 uid_t uid; | 1/*- 2 * Copyright (c) 1980, 1987, 1988, 1991, 1993, 1994 3 * The Regents of the University of California. All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that the following conditions 7 * are met: 8 * 1. Redistributions of source code must retain the above copyright --- 105 unchanged lines hidden (view full) --- 114{ 115 extern char **environ; 116 struct group *gr; 117 struct stat st; 118 struct timeval tp; 119 struct utmp utmp; 120 int ask, ch, cnt, fflag, hflag, pflag, quietlog, rootlogin, rval; 121 uid_t uid; |
122 char *domain, *p, *salt, *ttyn; | 122 char *domain, *p, *ep, *salt, *ttyn; |
123 char tbuf[MAXPATHLEN + 2], tname[sizeof(_PATH_TTY) + 10]; 124 char localhost[MAXHOSTNAMELEN]; | 123 char tbuf[MAXPATHLEN + 2], tname[sizeof(_PATH_TTY) + 10]; 124 char localhost[MAXHOSTNAMELEN]; |
125 char full_hostname[MAXHOSTNAMELEN]; 126#ifdef SKEY 127 int permit_passwd = 0; 128 char *skey_getpass(), *skey_crypt(); 129#endif |
|
125 126 (void)signal(SIGALRM, timedout); 127 (void)alarm(timeout); 128 (void)signal(SIGQUIT, SIG_IGN); 129 (void)signal(SIGINT, SIG_IGN); 130 (void)setpriority(PRIO_PROCESS, 0, 0); 131 132 openlog("login", LOG_ODELAY, LOG_AUTH); 133 134 /* 135 * -p is used by getty to tell login not to destroy the environment 136 * -f is used to skip a second login authentication 137 * -h is used by other servers to pass the name of the remote 138 * host to login so that it may be placed in utmp and wtmp 139 */ | 130 131 (void)signal(SIGALRM, timedout); 132 (void)alarm(timeout); 133 (void)signal(SIGQUIT, SIG_IGN); 134 (void)signal(SIGINT, SIG_IGN); 135 (void)setpriority(PRIO_PROCESS, 0, 0); 136 137 openlog("login", LOG_ODELAY, LOG_AUTH); 138 139 /* 140 * -p is used by getty to tell login not to destroy the environment 141 * -f is used to skip a second login authentication 142 * -h is used by other servers to pass the name of the remote 143 * host to login so that it may be placed in utmp and wtmp 144 */ |
145 *full_hostname = '\0'; |
|
140 domain = NULL; 141 if (gethostname(localhost, sizeof(localhost)) < 0) 142 syslog(LOG_ERR, "couldn't get local hostname: %m"); 143 else 144 domain = strchr(localhost, '.'); 145 146 fflag = hflag = pflag = 0; 147 uid = getuid(); 148 while ((ch = getopt(argc, argv, "fh:p")) != EOF) 149 switch (ch) { 150 case 'f': 151 fflag = 1; 152 break; 153 case 'h': 154 if (uid) 155 errx(1, "-h option: %s", strerror(EPERM)); 156 hflag = 1; | 146 domain = NULL; 147 if (gethostname(localhost, sizeof(localhost)) < 0) 148 syslog(LOG_ERR, "couldn't get local hostname: %m"); 149 else 150 domain = strchr(localhost, '.'); 151 152 fflag = hflag = pflag = 0; 153 uid = getuid(); 154 while ((ch = getopt(argc, argv, "fh:p")) != EOF) 155 switch (ch) { 156 case 'f': 157 fflag = 1; 158 break; 159 case 'h': 160 if (uid) 161 errx(1, "-h option: %s", strerror(EPERM)); 162 hflag = 1; |
163 strncpy(full_hostname, optarg, sizeof(full_hostname)-1); |
|
157 if (domain && (p = strchr(optarg, '.')) && 158 strcasecmp(p, domain) == 0) 159 *p = 0; 160 hostname = optarg; 161 break; 162 case 'p': 163 pflag = 1; 164 break; --- 62 unchanged lines hidden (view full) --- 227 salt = "xx"; 228 229 /* 230 * if we have a valid account name, and it doesn't have a 231 * password, or the -f option was specified and the caller 232 * is root or the caller isn't changing their uid, don't 233 * authenticate. 234 */ | 164 if (domain && (p = strchr(optarg, '.')) && 165 strcasecmp(p, domain) == 0) 166 *p = 0; 167 hostname = optarg; 168 break; 169 case 'p': 170 pflag = 1; 171 break; --- 62 unchanged lines hidden (view full) --- 234 salt = "xx"; 235 236 /* 237 * if we have a valid account name, and it doesn't have a 238 * password, or the -f option was specified and the caller 239 * is root or the caller isn't changing their uid, don't 240 * authenticate. 241 */ |
235 if (pwd && (*pwd->pw_passwd == '\0' || 236 fflag && (uid == 0 || uid == pwd->pw_uid))) 237 break; | 242 if (pwd) { 243 if (pwd->pw_uid == 0) 244 rootlogin = 1; 245 246 if (fflag && (uid == 0 || uid == pwd->pw_uid)) { 247 /* already authenticated */ 248 break; 249 } else if (pwd->pw_passwd[0] == '\0') { 250 /* pretend password okay */ 251 rval = 0; 252 goto ttycheck; 253 } 254 } 255 |
238 fflag = 0; | 256 fflag = 0; |
239 if (pwd && pwd->pw_uid == 0) 240 rootlogin = 1; | |
241 242 (void)setpriority(PRIO_PROCESS, 0, -4); 243 | 257 258 (void)setpriority(PRIO_PROCESS, 0, -4); 259 |
260#ifdef SKEY 261 permit_passwd = skeyaccess(username, tty, 262 hostname ? full_hostname : NULL); 263 p = skey_getpass("Password:", pwd, permit_passwd); 264 ep = skey_crypt(p, salt, pwd, permit_passwd); 265#else |
|
244 p = getpass("Password:"); | 266 p = getpass("Password:"); |
267 ep = crypt(p, salt); 268#endif |
|
245 246 if (pwd) { 247#ifdef KERBEROS 248 rval = klogin(pwd, instance, localhost, p); 249 if (rval != 0 && rootlogin && pwd->pw_uid != 0) 250 rootlogin = 0; 251 if (rval == 0) 252 authok = 1; 253 else if (rval == 1) | 269 270 if (pwd) { 271#ifdef KERBEROS 272 rval = klogin(pwd, instance, localhost, p); 273 if (rval != 0 && rootlogin && pwd->pw_uid != 0) 274 rootlogin = 0; 275 if (rval == 0) 276 authok = 1; 277 else if (rval == 1) |
254 rval = strcmp(crypt(p, salt), pwd->pw_passwd); | 278 rval = strcmp(ep, pwd->pw_passwd); |
255#else | 279#else |
256 rval = strcmp(crypt(p, salt), pwd->pw_passwd); | 280 rval = strcmp(ep, pwd->pw_passwd); |
257#endif 258 } 259 memset(p, 0, strlen(p)); 260 261 (void)setpriority(PRIO_PROCESS, 0, 0); 262 | 281#endif 282 } 283 memset(p, 0, strlen(p)); 284 285 (void)setpriority(PRIO_PROCESS, 0, 0); 286 |
287 ttycheck: |
|
263 /* 264 * If trying to log in as root without Kerberos, 265 * but with insecure terminal, refuse the login attempt. 266 */ 267#ifdef KERBEROS 268 if (authok == 0) 269#endif | 288 /* 289 * If trying to log in as root without Kerberos, 290 * but with insecure terminal, refuse the login attempt. 291 */ 292#ifdef KERBEROS 293 if (authok == 0) 294#endif |
270 if (pwd && rootlogin && !rootterm(tty)) { | 295 if (pwd && !rval && rootlogin && !rootterm(tty)) { |
271 (void)fprintf(stderr, 272 "%s login refused on this terminal.\n", 273 pwd->pw_name); 274 if (hostname) 275 syslog(LOG_NOTICE, 276 "LOGIN %s REFUSED FROM %s ON TTY %s", 277 pwd->pw_name, hostname, tty); 278 else --- 111 unchanged lines hidden (view full) --- 390 else 391 syslog(LOG_NOTICE, "ROOT LOGIN (%s) ON %s", username, tty); 392 393#ifdef KERBEROS 394 if (!quietlog && notickets == 1) 395 (void)printf("Warning: no Kerberos tickets issued.\n"); 396#endif 397 | 296 (void)fprintf(stderr, 297 "%s login refused on this terminal.\n", 298 pwd->pw_name); 299 if (hostname) 300 syslog(LOG_NOTICE, 301 "LOGIN %s REFUSED FROM %s ON TTY %s", 302 pwd->pw_name, hostname, tty); 303 else --- 111 unchanged lines hidden (view full) --- 415 else 416 syslog(LOG_NOTICE, "ROOT LOGIN (%s) ON %s", username, tty); 417 418#ifdef KERBEROS 419 if (!quietlog && notickets == 1) 420 (void)printf("Warning: no Kerberos tickets issued.\n"); 421#endif 422 |
423#ifdef LOGALL 424 /* 425 * Syslog each successful login, so we don't have to watch hundreds 426 * of wtmp or lastlogin files. 427 */ 428 if (hostname) { 429 syslog(LOG_INFO, "login from %s as %s", hostname, pwd->pw_name); 430 } else { 431 syslog(LOG_INFO, "login on %s as %s", tty, pwd->pw_name); 432 } 433#endif 434 |
|
398 if (!quietlog) { 399 (void)printf("%s\n\t%s %s\n\n", 400 "Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994", 401 "The Regents of the University of California. ", 402 "All rights reserved."); 403 motd(); 404 (void)snprintf(tbuf, 405 sizeof(tbuf), "%s/%s", _PATH_MAILDIR, pwd->pw_name); 406 if (stat(tbuf, &st) == 0 && st.st_size != 0) 407 (void)printf("You have %smail.\n", 408 (st.st_mtime > st.st_atime) ? "new " : ""); 409 } 410 | 435 if (!quietlog) { 436 (void)printf("%s\n\t%s %s\n\n", 437 "Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994", 438 "The Regents of the University of California. ", 439 "All rights reserved."); 440 motd(); 441 (void)snprintf(tbuf, 442 sizeof(tbuf), "%s/%s", _PATH_MAILDIR, pwd->pw_name); 443 if (stat(tbuf, &st) == 0 && st.st_size != 0) 444 (void)printf("You have %smail.\n", 445 (st.st_mtime > st.st_atime) ? "new " : ""); 446 } 447 |
448#ifdef LOGIN_ACCESS 449 if (login_access(pwd->pw_name, hostname ? full_hostname : tty) == 0) { 450 printf("Permission denied\n"); 451 if (hostname) 452 syslog(LOG_NOTICE, "%s LOGIN REFUSED FROM %s", 453 pwd->pw_name, hostname); 454 else 455 syslog(LOG_NOTICE, "%s LOGIN REFUSED ON %s", 456 pwd->pw_name, tty); 457 sleepexit(1); 458 } 459#endif 460 |
|
411 (void)signal(SIGALRM, SIG_DFL); 412 (void)signal(SIGQUIT, SIG_DFL); 413 (void)signal(SIGINT, SIG_DFL); 414 (void)signal(SIGTSTP, SIG_IGN); 415 416 tbuf[0] = '-'; 417 (void)strcpy(tbuf + 1, (p = strrchr(pwd->pw_shell, '/')) ? 418 p + 1 : pwd->pw_shell); --- 210 unchanged lines hidden --- | 461 (void)signal(SIGALRM, SIG_DFL); 462 (void)signal(SIGQUIT, SIG_DFL); 463 (void)signal(SIGINT, SIG_DFL); 464 (void)signal(SIGTSTP, SIG_IGN); 465 466 tbuf[0] = '-'; 467 (void)strcpy(tbuf + 1, (p = strrchr(pwd->pw_shell, '/')) ? 468 p + 1 : pwd->pw_shell); --- 210 unchanged lines hidden --- |
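Review bot: The `-h` copy on new line 163, `strncpy(full_hostname, optarg, sizeof(full_hostname)-1)`, can leave `full_hostname` unterminated: only byte 0 is cleared on line 145, so when optarg is MAXHOSTNAMELEN-1 bytes or longer the last array element is never written and the later `skeyaccess()`, `login_access()` and syslog calls read past the buffer. Add `full_hostname[sizeof(full_hostname) - 1] = '\0';` right after the strncpy, or replace it with `snprintf(full_hostname, sizeof(full_hostname), "%s", optarg);`, which always terminates. The value comes from the invoking server rather than the user (`-h` is rejected for non-root on line 160), but it still mirrors a remote hostname, so it deserves the bound. Separately, the LOGIN_ACCESS refusal on lines 448–459 runs after the LOGALL `syslog(LOG_INFO, "login ... as %s")` on lines 429–431, so a denied login has already been recorded as a successful one; moving the access check ahead of that block would keep the log honest. The enclosing main() begins before this section and continues past its last line.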