Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / openssh / 0410e32f47c0dcfc3385a1db2ee44f8bb35c10c4 / . / auth-passwd.c
blob: c0b7f725f81fb93eba96f7eb8fb1fd39cee03626 [file] [log] [blame]
Damien Millerd4a8b7e1999-10-27 13:42:43 +1000[diff] [blame]1/*
Damien Miller95def091999-11-25 00:26:21 +1100[diff] [blame]2 * Author: Tatu Ylonen <ylo@cs.hut.fi>
3 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
4 * All rights reserved
Damien Miller95def091999-11-25 00:26:21 +1100[diff] [blame]5 * Password authentication. This file contains the functions to check whether
6 * the password is valid for the user.
Damien Millere4340be2000-09-16 13:29:08 +1100[diff] [blame]7 *
8 * As far as I am concerned, the code I have written for this software
9 * can be used freely for any purpose. Any derived versions of this
10 * software must be clearly marked as such, and if the derived work is
11 * incompatible with the protocol description in the RFC file, it must be
12 * called by a name other than "ssh" or "Secure Shell".
13 *
Damien Millere4340be2000-09-16 13:29:08 +1100[diff] [blame]14 * Copyright (c) 1999 Dug Song. All rights reserved.
Damien Millere4340be2000-09-16 13:29:08 +1100[diff] [blame]15 * Copyright (c) 2000 Markus Friedl. All rights reserved.
16 *
17 * Redistribution and use in source and binary forms, with or without
18 * modification, are permitted provided that the following conditions
19 * are met:
20 * 1. Redistributions of source code must retain the above copyright
21 * notice, this list of conditions and the following disclaimer.
22 * 2. Redistributions in binary form must reproduce the above copyright
23 * notice, this list of conditions and the following disclaimer in the
24 * documentation and/or other materials provided with the distribution.
25 *
26 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
27 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
28 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
29 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
30 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
31 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
32 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
33 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
34 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
35 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
Damien Miller95def091999-11-25 00:26:21 +1100[diff] [blame]36 */
Damien Millerd4a8b7e1999-10-27 13:42:43 +1000[diff] [blame]37
38#include "includes.h"
Damien Miller444f9fc2002-06-21 16:05:12 +1000[diff] [blame]39RCSID("$OpenBSD: auth-passwd.c,v 1.27 2002/05/24 16:45:16 stevesk Exp $");
Damien Millerd4a8b7e1999-10-27 13:42:43 +1000[diff] [blame]40
41#include "packet.h"
Ben Lindstrom226cfa02001-01-22 05:34:40 +0000[diff] [blame]42#include "log.h"
43#include "servconf.h"
Ben Lindstromdb65e8f2001-01-19 04:26:52 +0000[diff] [blame]44#include "auth.h"
Ben Lindstrom0410e322003-07-24 06:52:13 +0000[diff] [blame^]45#include "openbsd-compat/xcrypt.h"
46#ifdef WITH_AIXAUTHENTICATE
47# include "buffer.h"
48# include "canohost.h"
49extern Buffer loginmsg;
50#endif
Damien Miller60396b02001-02-18 17:01:00 +1100[diff] [blame]51
52extern ServerOptions options;
53
Damien Miller95def091999-11-25 00:26:21 +1100[diff] [blame]54/*
55 * Tries to authenticate the user using password. Returns true if
56 * authentication succeeds.
57 */
Damien Miller4af51302000-04-16 11:18:38 +1000[diff] [blame]58int
Damien Miller60396b02001-02-18 17:01:00 +1100[diff] [blame]59auth_password(Authctxt *authctxt, const char *password)
Damien Millerd4a8b7e1999-10-27 13:42:43 +1000[diff] [blame]60{
Ben Lindstrom0b478142002-05-10 02:40:15 +0000[diff] [blame]61 struct passwd * pw = authctxt->pw;
Damien Millereab4bae2003-04-29 23:22:40 +1000[diff] [blame]62 int ok = authctxt->valid;
Damien Millerd4a8b7e1999-10-27 13:42:43 +1000[diff] [blame]63
Damien Millerece22a81999-12-30 09:48:15 +1100[diff] [blame]64 /* deny if no user. */
65 if (pw == NULL)
Damien Millereab4bae2003-04-29 23:22:40 +1000[diff] [blame]66 ok = 0;
Damien Millerbac2d8a2000-09-05 16:13:06 +1100[diff] [blame]67#ifndef HAVE_CYGWIN
Damien Millereab4bae2003-04-29 23:22:40 +1000[diff] [blame]68 if (pw && pw->pw_uid == 0 && options.permit_root_login != PERMIT_YES)
69 ok = 0;
Damien Millerbac2d8a2000-09-05 16:13:06 +1100[diff] [blame]70#endif
Ben Lindstrom0b478142002-05-10 02:40:15 +0000[diff] [blame]71 if (*password == '\0' && options.permit_empty_passwd == 0)
Damien Millereab4bae2003-04-29 23:22:40 +1000[diff] [blame]72 ok = 0;
Damien Miller2101bfc2003-01-22 15:42:26 +1100[diff] [blame]73
Damien Millereab4bae2003-04-29 23:22:40 +1000[diff] [blame]74 if (!ok)
75 return 0;
Ben Lindstrom0410e322003-07-24 06:52:13 +0000[diff] [blame^]76
77#if defined(HAVE_OSF_SIA)
Damien Miller2101bfc2003-01-22 15:42:26 +1100[diff] [blame]78 return auth_sia_password(authctxt, password);
79#else
80# ifdef KRB5
Ben Lindstromec95ed92001-07-04 04:21:14 +0000[diff] [blame]81 if (options.kerberos_authentication == 1) {
82 int ret = auth_krb5_password(authctxt, password);
83 if (ret == 1 || ret == 0)
84 return ret;
85 /* Fall back to ordinary passwd authentication. */
86 }
Damien Miller2101bfc2003-01-22 15:42:26 +1100[diff] [blame]87# endif
88# ifdef HAVE_CYGWIN
Damien Millerbac2d8a2000-09-05 16:13:06 +1100[diff] [blame]89 if (is_winnt) {
90 HANDLE hToken = cygwin_logon_user(pw, password);
91
92 if (hToken == INVALID_HANDLE_VALUE)
Damien Miller3a961dc2003-06-03 10:25:48 +1000[diff] [blame]93 return (0);
Damien Millerbac2d8a2000-09-05 16:13:06 +1100[diff] [blame]94 cygwin_set_impersonation_token(hToken);
Damien Miller3a961dc2003-06-03 10:25:48 +1000[diff] [blame]95 return (1);
Damien Millerbac2d8a2000-09-05 16:13:06 +1100[diff] [blame]96 }
Damien Miller2101bfc2003-01-22 15:42:26 +1100[diff] [blame]97# endif
98# ifdef WITH_AIXAUTHENTICATE
Ben Lindstrom0410e322003-07-24 06:52:13 +0000[diff] [blame^]99 {
100 char *authmsg;
101 int reenter = 1;
102 int authsuccess = (authenticate(pw->pw_name, password,
103 &reenter, &authmsg) == 0);
104 aix_remove_embedded_newlines(authmsg);
Ben Lindstrom164725f2002-09-25 23:14:14 +0000[diff] [blame]105
Ben Lindstrom0410e322003-07-24 06:52:13 +0000[diff] [blame^]106 if (authsuccess) {
107 char *msg;
108 char *host =
109 (char *)get_canonical_hostname(options.use_dns);
Darren Tuckerb9aa0a02003-07-08 22:59:59 +1000[diff] [blame]110
Ben Lindstrom0410e322003-07-24 06:52:13 +0000[diff] [blame^]111 debug3("AIX/authenticate succeeded for user %s: %.100s",
112 pw->pw_name, authmsg);
Darren Tuckerb9aa0a02003-07-08 22:59:59 +1000[diff] [blame]113
Ben Lindstrom0410e322003-07-24 06:52:13 +0000[diff] [blame^]114 /* No pty yet, so just label the line as "ssh" */
115 if (loginsuccess(authctxt->user, host, "ssh",
116 &msg) == 0){
117 if (msg != NULL) {
118 debug("%s: msg %s", __func__, msg);
119 buffer_append(&loginmsg, msg,
120 strlen(msg));
121 xfree(msg);
122 }
Darren Tuckerb9aa0a02003-07-08 22:59:59 +1000[diff] [blame]123 }
Ben Lindstrom0410e322003-07-24 06:52:13 +0000[diff] [blame^]124 } else
125 debug3("AIX/authenticate failed for user %s: %.100s",
126 pw->pw_name, authmsg);
Ben Lindstrom164725f2002-09-25 23:14:14 +0000[diff] [blame]127
Ben Lindstrom0410e322003-07-24 06:52:13 +0000[diff] [blame^]128 if (authmsg != NULL)
129 xfree(authmsg);
130
131 return (authsuccess);
132 }
Damien Miller2101bfc2003-01-22 15:42:26 +1100[diff] [blame]133# endif
134# ifdef KRB4
Damien Milleraae6c611999-12-06 11:47:28 +1100[diff] [blame]135 if (options.kerberos_authentication == 1) {
Ben Lindstromec95ed92001-07-04 04:21:14 +0000[diff] [blame]136 int ret = auth_krb4_password(authctxt, password);
Damien Milleraae6c611999-12-06 11:47:28 +1100[diff] [blame]137 if (ret == 1 || ret == 0)
138 return ret;
Damien Miller95def091999-11-25 00:26:21 +1100[diff] [blame]139 /* Fall back to ordinary passwd authentication. */
Damien Millerd4a8b7e1999-10-27 13:42:43 +1000[diff] [blame]140 }
Damien Miller2101bfc2003-01-22 15:42:26 +1100[diff] [blame]141# endif
142# ifdef BSD_AUTH
Ben Lindstromec95ed92001-07-04 04:21:14 +0000[diff] [blame]143 if (auth_userokay(pw->pw_name, authctxt->style, "auth-ssh",
144 (char *)password) == 0)
145 return 0;
146 else
147 return 1;
Ben Lindstrom0410e322003-07-24 06:52:13 +0000[diff] [blame^]148# else
149 {
150 char *pw_password = shadow_pw(pw);
Damien Miller8a1e6a62000-09-16 15:55:52 +1100[diff] [blame]151
152 /* Check for users with no password. */
Ben Lindstrom0410e322003-07-24 06:52:13 +0000[diff] [blame^]153 /* XXX Reverted back to OpenBSD, why was this changed again? */
154 if (strcmp(pw_password, "") == 0 && strcmp(pw->pw_passwd, "") == 0)
Damien Miller8a1e6a62000-09-16 15:55:52 +1100[diff] [blame]155 return 1;
Ben Lindstrom0410e322003-07-24 06:52:13 +0000[diff] [blame^]156 else {
157 /* Encrypt the candidate password using the proper salt. */
158 char *encrypted_password = xcrypt(password,
159 (pw_password[0] && pw_password[1]) ? pw_password : "xx");
Damien Miller2e1b0821999-12-25 10:11:29 +1100[diff] [blame]160
Ben Lindstrom0410e322003-07-24 06:52:13 +0000[diff] [blame^]161 /*
162 * Authentication is accepted if the encrypted passwords
163 * are identical.
164 */
165 return (strcmp(encrypted_password, pw_password) == 0);
166 }
Damien Miller2e1b0821999-12-25 10:11:29 +1100[diff] [blame]167
Ben Lindstrom0410e322003-07-24 06:52:13 +0000[diff] [blame^]168 }
169# endif
Damien Miller4f9f42a2003-05-10 19:28:02 +1000[diff] [blame]170#endif /* !HAVE_OSF_SIA */
Kevin Stevese683e762002-04-04 19:02:28 +0000[diff] [blame]171}