auth-passwd.c revision 92559
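/*
 * Author: Tatu Ylonen <ylo@cs.hut.fi>
 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
 * All rights reserved
 * Password authentication. This file contains the functions to check whether
 * the password is valid for the user.
 *
 * As far as I am concerned, the code I have written for this software
 * can be used freely for any purpose. Any derived versions of this
 * software must be clearly marked as such, and if the derived work is
 * incompatible with the protocol description in the RFC file, it must be
 * called by a name other than "ssh" or "Secure Shell".
 *
 * Copyright (c) 1999 Dug Song. All rights reserved.
 * Copyright (c) 2000 Markus Friedl. All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 * notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 * notice, this list of conditions and the following disclaimer in the
 * documentation and/or other materials provided with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */

#include "includes.h"
RCSID("$OpenBSD: auth-passwd.c,v 1.24 2002/03/04 12:43:06 markus Exp $");
RCSID("$FreeBSD: head/crypto/openssh/auth-passwd.c 92559 2002-03-18 10:09:43Z des $");

#include "packet.h"
#include "log.h"
#include "servconf.h"
#include "auth.h"


extern ServerOptions options;

/*
 * Tries to authenticate the user using password. Returns true if
 * authentication succeeds.
 *
 * authctxt: authentication context; authctxt->pw is the account being
 *           logged in to and may be NULL (no such user), in which case
 *           the attempt is refused.
 * password: candidate password as a NUL-terminated string. It is
 *           dereferenced unconditionally, so it must not be NULL.
 *
 * Returns 1 when the password is accepted and 0 otherwise.
 *
 * The checks run in this order: policy denials (no user, root login not
 * permitted, empty password not permitted), then Kerberos (KRB5/KRB4) and
 * BSD authentication when compiled in, then the local crypt() comparison
 * against pw->pw_passwd.
 */
int
auth_password(Authctxt *authctxt, const char *password)
{
	struct passwd * pw = authctxt->pw;
	char *encrypted_password;

	/*
	 * deny if no user.
	 * NOTE(review): this path returns before any crypt() call, so it does
	 * less work than the path for an existing account. If response time
	 * must not reveal whether an account exists, that has to be equalised
	 * by the caller; nothing in this function does it.
	 */
	if (pw == NULL)
		return 0;
	/* Password login for uid 0 is refused unless the option is PERMIT_YES. */
	if (pw->pw_uid == 0 && options.permit_root_login != PERMIT_YES)
		return 0;
	/* An empty candidate password is refused unless explicitly permitted. */
	if (*password == '\0' && options.permit_empty_passwd == 0)
		return 0;
#ifdef KRB5
	if (options.kerberos_authentication == 1) {
		int ret = auth_krb5_password(authctxt, password);
		/* 1 and 0 are treated as a final verdict; any other value falls through. */
		if (ret == 1 || ret == 0)
			return ret;
		/* Fall back to ordinary passwd authentication. */
	}
#endif
#ifdef KRB4
	if (options.kerberos_authentication == 1) {
		int ret = auth_krb4_password(authctxt, password);
		/* 1 and 0 are treated as a final verdict; any other value falls through. */
		if (ret == 1 || ret == 0)
			return ret;
		/* Fall back to ordinary passwd authentication. */
	}
#endif
#ifdef BSD_AUTH
	/*
	 * With BSD_AUTH compiled in, the result of auth_userokay() is final
	 * and the crypt() comparison below is never reached.
	 * The cast drops const from password; presumably auth_userokay() is
	 * declared with a non-const parameter -- confirm it does not modify
	 * the buffer.
	 */
	if (auth_userokay(pw->pw_name, authctxt->style, "auth-ssh",
	    (char *)password) == 0)
		return 0;
	else
		return 1;
#endif
	/*
	 * Check for users with no password.
	 * Only reachable with an empty candidate when permit_empty_passwd is
	 * non-zero, because the empty case is rejected above otherwise.
	 */
	if (strcmp(password, "") == 0 && strcmp(pw->pw_passwd, "") == 0)
		return 1;
	/*
	 * Encrypt the candidate password using the proper salt.
	 * The stored hash doubles as the salt when it has at least two
	 * characters; otherwise the fixed salt "xx" is used.
	 */
	encrypted_password = crypt(password,
	    (pw->pw_passwd[0] && pw->pw_passwd[1]) ? pw->pw_passwd : "xx");

	/*
	 * crypt() is allowed to fail and return NULL (for example on a salt
	 * it does not accept). Treat that as a failed authentication instead
	 * of passing NULL to strcmp().
	 */
	if (encrypted_password == NULL)
		return 0;

	/* Authentication is accepted if the encrypted passwords are identical. */
	return (strcmp(encrypted_password, pw->pw_passwd) == 0);
}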