auth-passwd.c revision 126277
1/* 2 * Author: Tatu Ylonen <ylo@cs.hut.fi> 3 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland 4 * All rights reserved 5 * Password authentication. This file contains the functions to check whether 6 * the password is valid for the user. 7 * 8 * As far as I am concerned, the code I have written for this software 9 * can be used freely for any purpose. Any derived versions of this 10 * software must be clearly marked as such, and if the derived work is 11 * incompatible with the protocol description in the RFC file, it must be 12 * called by a name other than "ssh" or "Secure Shell". 13 * 14 * Copyright (c) 1999 Dug Song. All rights reserved. 15 * Copyright (c) 2000 Markus Friedl. All rights reserved. 16 * 17 * Redistribution and use in source and binary forms, with or without 18 * modification, are permitted provided that the following conditions 19 * are met: 20 * 1. Redistributions of source code must retain the above copyright 21 * notice, this list of conditions and the following disclaimer. 22 * 2. Redistributions in binary form must reproduce the above copyright 23 * notice, this list of conditions and the following disclaimer in the 24 * documentation and/or other materials provided with the distribution. 25 * 26 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 27 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 28 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 29 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 30 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 31 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 32 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 33 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 34 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 35 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 36 */ 37 38#include "includes.h" 39RCSID("$OpenBSD: auth-passwd.c,v 1.31 2004/01/30 09:48:57 markus Exp $"); 40RCSID("$FreeBSD: head/crypto/openssh/auth-passwd.c 126277 2004-02-26 10:52:33Z des $"); 41 42#include "packet.h" 43#include "log.h" 44#include "servconf.h" 45#include "auth.h" 46#include "auth-options.h" 47 48extern ServerOptions options; 49int sys_auth_passwd(Authctxt *, const char *); 50 51void 52disable_forwarding(void) 53{ 54 no_port_forwarding_flag = 1; 55 no_agent_forwarding_flag = 1; 56 no_x11_forwarding_flag = 1; 57} 58 59/* 60 * Tries to authenticate the user using password. Returns true if 61 * authentication succeeds. 62 */ 63int 64auth_password(Authctxt *authctxt, const char *password) 65{ 66 struct passwd * pw = authctxt->pw; 67 int ok = authctxt->valid; 68 static int expire_checked = 0; 69 70#ifndef HAVE_CYGWIN 71 if (pw->pw_uid == 0 && options.permit_root_login != PERMIT_YES) 72 ok = 0; 73#endif 74 if (*password == '\0' && options.permit_empty_passwd == 0) 75 return 0; 76 77#if defined(HAVE_OSF_SIA) 78 /* 79 * XXX: any reason this is before krb? could be moved to 80 * sys_auth_passwd()? -dt 81 */ 82 return auth_sia_password(authctxt, password) && ok; 83#endif 84#ifdef KRB5 85 if (options.kerberos_authentication == 1) { 86 int ret = auth_krb5_password(authctxt, password); 87 if (ret == 1 || ret == 0) 88 return ret && ok; 89 /* Fall back to ordinary passwd authentication. */ 90 } 91#endif 92#ifdef HAVE_CYGWIN 93 if (is_winnt) { 94 HANDLE hToken = cygwin_logon_user(pw, password); 95 96 if (hToken == INVALID_HANDLE_VALUE) 97 return 0; 98 cygwin_set_impersonation_token(hToken); 99 return ok; 100 } 101#endif 102#if defined(USE_SHADOW) && defined(HAS_SHADOW_EXPIRE) 103 if (!expire_checked) { 104 expire_checked = 1; 105 if (auth_shadow_pwexpired(authctxt)) { 106 disable_forwarding(); 107 authctxt->force_pwchange = 1; 108 } 109 } 110#endif 111 112 return (sys_auth_passwd(authctxt, password) && ok); 113} 114 115#ifdef BSD_AUTH 116int 117sys_auth_passwd(Authctxt *authctxt, const char *password) 118{ 119 struct passwd *pw = authctxt->pw; 120 auth_session_t *as; 121 122 as = auth_usercheck(pw->pw_name, authctxt->style, "auth-ssh", 123 (char *)password); 124 if (auth_getstate(as) & AUTH_PWEXPIRED) { 125 auth_close(as); 126 disable_forwarding(); 127 authctxt->force_pwchange = 1; 128 return (1); 129 } else { 130 return (auth_close(as)); 131 } 132} 133#elif !defined(CUSTOM_SYS_AUTH_PASSWD) 134int 135sys_auth_passwd(Authctxt *authctxt, const char *password) 136{ 137 struct passwd *pw = authctxt->pw; 138 char *encrypted_password; 139 140 /* Just use the supplied fake password if authctxt is invalid */ 141 char *pw_password = authctxt->valid ? shadow_pw(pw) : pw->pw_passwd; 142 143 /* Check for users with no password. */ 144 if (strcmp(pw_password, "") == 0 && strcmp(password, "") == 0) 145 return (1); 146 147 /* Encrypt the candidate password using the proper salt. */ 148 encrypted_password = xcrypt(password, 149 (pw_password[0] && pw_password[1]) ? pw_password : "xx"); 150 151 /* 152 * Authentication is accepted if the encrypted passwords 153 * are identical. 154 */ 155 return (strcmp(encrypted_password, pw_password) == 0); 156} 157#endif 158