auth-passwd.c revision 181110 
12786Ssos/* $OpenBSD: auth-passwd.c,v 1.40 2006/08/03 03:34:41 deraadt Exp $ */
22786Ssos/*
32786Ssos * Author: Tatu Ylonen <ylo@cs.hut.fi>
42786Ssos * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
52786Ssos *                    All rights reserved
62786Ssos * Password authentication.  This file contains the functions to check whether
72786Ssos * the password is valid for the user.
86851Ssos *
92786Ssos * As far as I am concerned, the code I have written for this software
102786Ssos * can be used freely for any purpose.  Any derived versions of this
112786Ssos * software must be clearly marked as such, and if the derived work is
122786Ssos * incompatible with the protocol description in the RFC file, it must be
132786Ssos * called by a name other than "ssh" or "Secure Shell".
142786Ssos *
152786Ssos * Copyright (c) 1999 Dug Song.  All rights reserved.
162786Ssos * Copyright (c) 2000 Markus Friedl.  All rights reserved.
172786Ssos *
184748Ssos * Redistribution and use in source and binary forms, with or without
196851Ssos * modification, are permitted provided that the following conditions
202786Ssos * are met:
212786Ssos * 1. Redistributions of source code must retain the above copyright
222786Ssos *    notice, this list of conditions and the following disclaimer.
232786Ssos * 2. Redistributions in binary form must reproduce the above copyright
242786Ssos *    notice, this list of conditions and the following disclaimer in the
252786Ssos *    documentation and/or other materials provided with the distribution.
262786Ssos *
272786Ssos * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
282786Ssos * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
292786Ssos * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
302786Ssos * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
312786Ssos * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
322786Ssos * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
332786Ssos * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
342786Ssos * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
352786Ssos * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
362786Ssos * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
372786Ssos */
382786Ssos
392786Ssos#include "includes.h"
402786Ssos
412786Ssos#include <sys/types.h>
422786Ssos
432786Ssos#include <pwd.h>
442786Ssos#include <stdio.h>
452786Ssos#include <string.h>
462786Ssos#include <stdarg.h>
472786Ssos
482786Ssos#include "packet.h"
492786Ssos#include "buffer.h"
502786Ssos#include "log.h"
512786Ssos#include "servconf.h"
522786Ssos#include "key.h"
532786Ssos#include "hostfile.h"
542786Ssos#include "auth.h"
552786Ssos#include "auth-options.h"
562786Ssos
572786Ssosextern Buffer loginmsg;
582786Ssosextern ServerOptions options;
592786Ssos
602786Ssos#ifdef HAVE_LOGIN_CAP
612786Ssosextern login_cap_t *lc;
626851Ssos#endif
632786Ssos
642786Ssos
652786Ssos#define DAY		(24L * 60 * 60) /* 1 day in seconds */
662786Ssos#define TWO_WEEKS	(2L * 7 * DAY)	/* 2 weeks in seconds */
672786Ssos
682786Ssosvoid
692786Ssosdisable_forwarding(void)
702786Ssos{
712786Ssos	no_port_forwarding_flag = 1;
722786Ssos	no_agent_forwarding_flag = 1;
732786Ssos	no_x11_forwarding_flag = 1;
742786Ssos}
752786Ssos
762786Ssos/*
772786Ssos * Tries to authenticate the user using password.  Returns true if
782786Ssos * authentication succeeds.
792786Ssos */
802786Ssosint
815994Ssosauth_password(Authctxt *authctxt, const char *password)
822786Ssos{
832786Ssos	struct passwd * pw = authctxt->pw;
842786Ssos	int result, ok = authctxt->valid;
852786Ssos#if defined(USE_SHADOW) && defined(HAS_SHADOW_EXPIRE)
862786Ssos	static int expire_checked = 0;
872786Ssos#endif
886045Ssos
892786Ssos#ifndef HAVE_CYGWIN
902786Ssos	if (pw->pw_uid == 0 && options.permit_root_login != PERMIT_YES)
912786Ssos		ok = 0;
922786Ssos#endif
932786Ssos	if (*password == '\0' && options.permit_empty_passwd == 0)
942786Ssos		return 0;
952786Ssos
962786Ssos#ifdef KRB5
972786Ssos	if (options.kerberos_authentication == 1) {
982786Ssos		int ret = auth_krb5_password(authctxt, password);
992786Ssos		if (ret == 1 || ret == 0)
1002786Ssos			return ret && ok;
1012786Ssos		/* Fall back to ordinary passwd authentication. */
1022786Ssos	}
1032786Ssos#endif
1042786Ssos#ifdef HAVE_CYGWIN
1052786Ssos	if (is_winnt) {
1062786Ssos		HANDLE hToken = cygwin_logon_user(pw, password);
1072786Ssos
1086851Ssos		if (hToken == INVALID_HANDLE_VALUE)
1092786Ssos			return 0;
1106851Ssos		cygwin_set_impersonation_token(hToken);
1116851Ssos		return ok;
1126851Ssos	}
113#endif
114#ifdef USE_PAM
115	if (options.use_pam)
116		return (sshpam_auth_passwd(authctxt, password) && ok);
117#endif
118#if defined(USE_SHADOW) && defined(HAS_SHADOW_EXPIRE)
119	if (!expire_checked) {
120		expire_checked = 1;
121		if (auth_shadow_pwexpired(authctxt))
122			authctxt->force_pwchange = 1;
123	}
124#endif
125	result = sys_auth_passwd(authctxt, password);
126	if (authctxt->force_pwchange)
127		disable_forwarding();
128	return (result && ok);
129}
130
131#ifdef BSD_AUTH
132static void
133warn_expiry(Authctxt *authctxt, auth_session_t *as)
134{
135	char buf[256];
136	quad_t pwtimeleft, actimeleft, daysleft, pwwarntime, acwarntime;
137
138	pwwarntime = acwarntime = TWO_WEEKS;
139
140	pwtimeleft = auth_check_change(as);
141	actimeleft = auth_check_expire(as);
142#ifdef HAVE_LOGIN_CAP
143	if (authctxt->valid) {
144		pwwarntime = login_getcaptime(lc, "password-warn", TWO_WEEKS,
145		    TWO_WEEKS);
146		acwarntime = login_getcaptime(lc, "expire-warn", TWO_WEEKS,
147		    TWO_WEEKS);
148	}
149#endif
150	if (pwtimeleft != 0 && pwtimeleft < pwwarntime) {
151		daysleft = pwtimeleft / DAY + 1;
152		snprintf(buf, sizeof(buf),
153		    "Your password will expire in %lld day%s.\n",
154		    daysleft, daysleft == 1 ? "" : "s");
155		buffer_append(&loginmsg, buf, strlen(buf));
156	}
157	if (actimeleft != 0 && actimeleft < acwarntime) {
158		daysleft = actimeleft / DAY + 1;
159		snprintf(buf, sizeof(buf),
160		    "Your account will expire in %lld day%s.\n",
161		    daysleft, daysleft == 1 ? "" : "s");
162		buffer_append(&loginmsg, buf, strlen(buf));
163	}
164}
165
166int
167sys_auth_passwd(Authctxt *authctxt, const char *password)
168{
169	struct passwd *pw = authctxt->pw;
170	auth_session_t *as;
171	static int expire_checked = 0;
172
173	as = auth_usercheck(pw->pw_name, authctxt->style, "auth-ssh",
174	    (char *)password);
175	if (as == NULL)
176		return (0);
177	if (auth_getstate(as) & AUTH_PWEXPIRED) {
178		auth_close(as);
179		disable_forwarding();
180		authctxt->force_pwchange = 1;
181		return (1);
182	} else {
183		if (!expire_checked) {
184			expire_checked = 1;
185			warn_expiry(authctxt, as);
186		}
187		return (auth_close(as));
188	}
189}
190#elif !defined(CUSTOM_SYS_AUTH_PASSWD)
191int
192sys_auth_passwd(Authctxt *authctxt, const char *password)
193{
194	struct passwd *pw = authctxt->pw;
195	char *encrypted_password;
196
197	/* Just use the supplied fake password if authctxt is invalid */
198	char *pw_password = authctxt->valid ? shadow_pw(pw) : pw->pw_passwd;
199
200	/* Check for users with no password. */
201	if (strcmp(pw_password, "") == 0 && strcmp(password, "") == 0)
202		return (1);
203
204	/* Encrypt the candidate password using the proper salt. */
205	encrypted_password = xcrypt(password,
206	    (pw_password[0] && pw_password[1]) ? pw_password : "xx");
207
208	/*
209	 * Authentication is accepted if the encrypted passwords
210	 * are identical.
211	 */
212	return (strcmp(encrypted_password, pw_password) == 0);
213}
214#endif
215