auth-passwd.c revision 124211 
1/*
2 * Author: Tatu Ylonen <ylo@cs.hut.fi>
3 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
4 *                    All rights reserved
5 * Password authentication.  This file contains the functions to check whether
6 * the password is valid for the user.
7 *
8 * As far as I am concerned, the code I have written for this software
9 * can be used freely for any purpose.  Any derived versions of this
10 * software must be clearly marked as such, and if the derived work is
11 * incompatible with the protocol description in the RFC file, it must be
12 * called by a name other than "ssh" or "Secure Shell".
13 *
14 * Copyright (c) 1999 Dug Song.  All rights reserved.
15 * Copyright (c) 2000 Markus Friedl.  All rights reserved.
16 *
17 * Redistribution and use in source and binary forms, with or without
18 * modification, are permitted provided that the following conditions
19 * are met:
20 * 1. Redistributions of source code must retain the above copyright
21 *    notice, this list of conditions and the following disclaimer.
22 * 2. Redistributions in binary form must reproduce the above copyright
23 *    notice, this list of conditions and the following disclaimer in the
24 *    documentation and/or other materials provided with the distribution.
25 *
26 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
27 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
28 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
29 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
30 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
31 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
32 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
33 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
34 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
35 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
36 */
37
38#include "includes.h"
39RCSID("$OpenBSD: auth-passwd.c,v 1.29 2003/08/26 09:58:43 markus Exp $");
40RCSID("$FreeBSD: head/crypto/openssh/auth-passwd.c 124211 2004-01-07 11:16:27Z des $");
41
42#include "packet.h"
43#include "log.h"
44#include "servconf.h"
45#include "auth.h"
46#ifdef WITH_AIXAUTHENTICATE
47# include "buffer.h"
48# include "canohost.h"
49extern Buffer loginmsg;
50#endif
51
52extern ServerOptions options;
53
54/*
55 * Tries to authenticate the user using password.  Returns true if
56 * authentication succeeds.
57 */
58int
59auth_password(Authctxt *authctxt, const char *password)
60{
61	struct passwd * pw = authctxt->pw;
62	int ok = authctxt->valid;
63
64	/* deny if no user. */
65	if (pw == NULL)
66		return 0;
67#ifndef HAVE_CYGWIN
68	if (pw && pw->pw_uid == 0 && options.permit_root_login != PERMIT_YES)
69		ok = 0;
70#endif
71	if (*password == '\0' && options.permit_empty_passwd == 0)
72		return 0;
73
74#if defined(HAVE_OSF_SIA)
75	return auth_sia_password(authctxt, password) && ok;
76#else
77# ifdef KRB5
78	if (options.kerberos_authentication == 1) {
79		int ret = auth_krb5_password(authctxt, password);
80		if (ret == 1 || ret == 0)
81			return ret && ok;
82		/* Fall back to ordinary passwd authentication. */
83	}
84# endif
85# ifdef HAVE_CYGWIN
86	if (is_winnt) {
87		HANDLE hToken = cygwin_logon_user(pw, password);
88
89		if (hToken == INVALID_HANDLE_VALUE)
90			return 0;
91		cygwin_set_impersonation_token(hToken);
92		return ok;
93	}
94# endif
95# ifdef WITH_AIXAUTHENTICATE
96	{
97		char *authmsg = NULL;
98		int reenter = 1;
99		int authsuccess = 0;
100
101		if (authenticate(pw->pw_name, password, &reenter,
102		    &authmsg) == 0 && ok) {
103			char *msg;
104			char *host =
105			    (char *)get_canonical_hostname(options.use_dns);
106
107			authsuccess = 1;
108			aix_remove_embedded_newlines(authmsg);
109
110			debug3("AIX/authenticate succeeded for user %s: %.100s",
111				pw->pw_name, authmsg);
112
113	        	/* No pty yet, so just label the line as "ssh" */
114			aix_setauthdb(authctxt->user);
115	        	if (loginsuccess(authctxt->user, host, "ssh",
116			    &msg) == 0) {
117				if (msg != NULL) {
118					debug("%s: msg %s", __func__, msg);
119					buffer_append(&loginmsg, msg,
120					    strlen(msg));
121					xfree(msg);
122				}
123			}
124		} else {
125			debug3("AIX/authenticate failed for user %s: %.100s",
126			    pw->pw_name, authmsg);
127		}
128
129		if (authmsg != NULL)
130			xfree(authmsg);
131
132		return authsuccess;
133	}
134# endif
135# ifdef BSD_AUTH
136	if (auth_userokay(pw->pw_name, authctxt->style, "auth-ssh",
137	    (char *)password) == 0)
138		return 0;
139	else
140		return ok;
141# else
142	{
143	/* Just use the supplied fake password if authctxt is invalid */
144	char *pw_password = authctxt->valid ? shadow_pw(pw) : pw->pw_passwd;
145
146	/* Check for users with no password. */
147	if (strcmp(pw_password, "") == 0 && strcmp(password, "") == 0)
148		return ok;
149	else {
150		/* Encrypt the candidate password using the proper salt. */
151		char *encrypted_password = xcrypt(password,
152		    (pw_password[0] && pw_password[1]) ? pw_password : "xx");
153
154		/*
155		 * Authentication is accepted if the encrypted passwords
156		 * are identical.
157		 */
158		return (strcmp(encrypted_password, pw_password) == 0) && ok;
159	}
160
161	}
162# endif
163#endif /* !HAVE_OSF_SIA */
164}
165