auth-passwd.c revision 65674
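/*
 * Author: Tatu Ylonen <ylo@cs.hut.fi>
 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
 * All rights reserved
 * Password authentication. This file contains the functions to check whether
 * the password is valid for the user.
 *
 * As far as I am concerned, the code I have written for this software
 * can be used freely for any purpose. Any derived versions of this
 * software must be clearly marked as such, and if the derived work is
 * incompatible with the protocol description in the RFC file, it must be
 * called by a name other than "ssh" or "Secure Shell".
 *
 *
 * Copyright (c) 1999 Dug Song. All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 * notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 * notice, this list of conditions and the following disclaimer in the
 * documentation and/or other materials provided with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 *
 *
 * Copyright (c) 2000 Markus Friedl. All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 * notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 * notice, this list of conditions and the following disclaimer in the
 * documentation and/or other materials provided with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */

#include "includes.h"
RCSID("$OpenBSD: auth-passwd.c,v 1.17 2000/09/07 20:27:49 deraadt Exp $");
RCSID("$FreeBSD: head/crypto/openssh/auth-passwd.c 65674 2000-09-10 09:35:38Z kris $");

#include "packet.h"
#include "ssh.h"
#include "servconf.h"
#include "xmalloc.h"

/*
 * Tries to authenticate the user using password. Returns true if
 * authentication succeeds.
 *
 * pw is the account entry to check against (NULL means "no such user")
 * and password is the candidate string supplied by the peer. The result
 * is 1 when the password is accepted and 0 when it is rejected; every
 * early exit that is not an explicit success rejects.
 *
 * The optional S/Key and Kerberos back ends are consulted first when they
 * are compiled in and enabled; the local crypt() comparison is the
 * fallback.
 */
int
auth_password(struct passwd * pw, const char *password)
{
	extern ServerOptions options;
	char *encrypted_password;

	/*
	 * deny if no user.
	 *
	 * NOTE(review): this return happens before any crypt() call, so
	 * rejecting an unknown user does less work than rejecting a known
	 * one. Whether that timing difference is hidden from the peer has
	 * to be settled by the caller; it is not handled here.
	 */
	if (pw == NULL)
		return 0;
	/* No candidate at all is a rejection, not a dereference of NULL. */
	if (password == NULL)
		return 0;
	/*
	 * Root may not use password authentication when permit_root_login
	 * is 2 (presumably the "without-password" setting; confirm against
	 * servconf.h).
	 */
	if (pw->pw_uid == 0 && options.permit_root_login == 2)
		return 0;
	/* Empty candidate passwords are refused unless explicitly permitted. */
	if (*password == '\0' && options.permit_empty_passwd == 0)
		return 0;

#ifdef SKEY
	if (options.skey_authentication == 1) {
		int ret = auth_skey_password(pw, password);
		/* 1 and 0 are final verdicts; any other value falls through. */
		if (ret == 1 || ret == 0)
			return ret;
		/* Fall back to ordinary passwd authentication. */
	}
#endif
#ifdef KRB5
	if (options.krb5_authentication == 1) {
		/*
		 * Only success is final here: unlike the S/Key and KRB4
		 * branches, a Kerberos 5 failure still reaches the local
		 * password check below.
		 */
		if (auth_krb5_password(pw, password))
			return 1;
		/* Fall back to ordinary passwd authentication. */
	}

#endif /* KRB5 */
#ifdef KRB4
	if (options.krb4_authentication == 1) {
		int ret = auth_krb4_password(pw, password);
		/* 1 and 0 are final verdicts; any other value falls through. */
		if (ret == 1 || ret == 0)
			return ret;
		/* Fall back to ordinary passwd authentication. */
	}
#endif

	/*
	 * Check for users with no password. This is reachable only when
	 * permit_empty_passwd is non-zero, because an empty candidate was
	 * already refused above otherwise.
	 */
	if (strcmp(password, "") == 0 && strcmp(pw->pw_passwd, "") == 0)
		return 1;
	/*
	 * Encrypt the candidate password using the proper salt. A stored
	 * field shorter than two characters cannot supply a salt, so the
	 * fixed salt "xx" is used and crypt() is still called.
	 */
	encrypted_password = crypt(password,
	    (pw->pw_passwd[0] && pw->pw_passwd[1]) ? pw->pw_passwd : "xx");

	/*
	 * crypt() can return NULL, for example when it does not accept the
	 * salt taken from the stored field. Reject instead of handing NULL
	 * to strcmp().
	 */
	if (encrypted_password == NULL)
		return 0;

	/* Authentication is accepted if the encrypted passwords are identical. */
	return (strcmp(encrypted_password, pw->pw_passwd) == 0);
}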