blob: 971c7ba19d9be09cc4efdd1d37f0c9dfc6c13f53 [file] [log] [blame]
Damien Millerd4a8b7e1999-10-27 13:42:43 +10001/*
Damien Miller95def091999-11-25 00:26:21 +11002 * Author: Tatu Ylonen <ylo@cs.hut.fi>
3 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
4 * All rights reserved
Damien Miller95def091999-11-25 00:26:21 +11005 * Password authentication. This file contains the functions to check whether
6 * the password is valid for the user.
Damien Millere4340be2000-09-16 13:29:08 +11007 *
8 * As far as I am concerned, the code I have written for this software
9 * can be used freely for any purpose. Any derived versions of this
10 * software must be clearly marked as such, and if the derived work is
11 * incompatible with the protocol description in the RFC file, it must be
12 * called by a name other than "ssh" or "Secure Shell".
13 *
Damien Millere4340be2000-09-16 13:29:08 +110014 * Copyright (c) 1999 Dug Song. All rights reserved.
Damien Millere4340be2000-09-16 13:29:08 +110015 * Copyright (c) 2000 Markus Friedl. All rights reserved.
16 *
17 * Redistribution and use in source and binary forms, with or without
18 * modification, are permitted provided that the following conditions
19 * are met:
20 * 1. Redistributions of source code must retain the above copyright
21 * notice, this list of conditions and the following disclaimer.
22 * 2. Redistributions in binary form must reproduce the above copyright
23 * notice, this list of conditions and the following disclaimer in the
24 * documentation and/or other materials provided with the distribution.
25 *
26 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
27 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
28 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
29 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
30 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
31 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
32 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
33 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
34 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
35 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
Damien Miller95def091999-11-25 00:26:21 +110036 */
Damien Millerd4a8b7e1999-10-27 13:42:43 +100037
38#include "includes.h"
Damien Miller856f0be2003-09-03 07:32:45 +100039RCSID("$OpenBSD: auth-passwd.c,v 1.29 2003/08/26 09:58:43 markus Exp $");
Damien Millerd4a8b7e1999-10-27 13:42:43 +100040
41#include "packet.h"
Ben Lindstrom226cfa02001-01-22 05:34:40 +000042#include "log.h"
43#include "servconf.h"
Ben Lindstromdb65e8f2001-01-19 04:26:52 +000044#include "auth.h"
Ben Lindstrom0410e322003-07-24 06:52:13 +000045#ifdef WITH_AIXAUTHENTICATE
46# include "buffer.h"
47# include "canohost.h"
48extern Buffer loginmsg;
49#endif
Damien Miller60396b02001-02-18 17:01:00 +110050
51extern ServerOptions options;
52
Damien Miller95def091999-11-25 00:26:21 +110053/*
54 * Tries to authenticate the user using password. Returns true if
55 * authentication succeeds.
56 */
Damien Miller4af51302000-04-16 11:18:38 +100057int
Damien Miller60396b02001-02-18 17:01:00 +110058auth_password(Authctxt *authctxt, const char *password)
Damien Millerd4a8b7e1999-10-27 13:42:43 +100059{
Ben Lindstrom0b478142002-05-10 02:40:15 +000060 struct passwd * pw = authctxt->pw;
Damien Millereab4bae2003-04-29 23:22:40 +100061 int ok = authctxt->valid;
Damien Millerd4a8b7e1999-10-27 13:42:43 +100062
Damien Millerece22a81999-12-30 09:48:15 +110063 /* deny if no user. */
64 if (pw == NULL)
Damien Miller856f0be2003-09-03 07:32:45 +100065 return 0;
Damien Millerbac2d8a2000-09-05 16:13:06 +110066#ifndef HAVE_CYGWIN
Damien Millereab4bae2003-04-29 23:22:40 +100067 if (pw && pw->pw_uid == 0 && options.permit_root_login != PERMIT_YES)
68 ok = 0;
Damien Millerbac2d8a2000-09-05 16:13:06 +110069#endif
Ben Lindstrom0b478142002-05-10 02:40:15 +000070 if (*password == '\0' && options.permit_empty_passwd == 0)
Damien Millereab4bae2003-04-29 23:22:40 +100071 return 0;
Ben Lindstrom0410e322003-07-24 06:52:13 +000072
73#if defined(HAVE_OSF_SIA)
Damien Miller856f0be2003-09-03 07:32:45 +100074 return auth_sia_password(authctxt, password) && ok;
Damien Miller2101bfc2003-01-22 15:42:26 +110075#else
76# ifdef KRB5
Ben Lindstromec95ed92001-07-04 04:21:14 +000077 if (options.kerberos_authentication == 1) {
78 int ret = auth_krb5_password(authctxt, password);
79 if (ret == 1 || ret == 0)
Damien Miller856f0be2003-09-03 07:32:45 +100080 return ret && ok;
Ben Lindstromec95ed92001-07-04 04:21:14 +000081 /* Fall back to ordinary passwd authentication. */
82 }
Damien Miller2101bfc2003-01-22 15:42:26 +110083# endif
84# ifdef HAVE_CYGWIN
Damien Millerbac2d8a2000-09-05 16:13:06 +110085 if (is_winnt) {
86 HANDLE hToken = cygwin_logon_user(pw, password);
87
88 if (hToken == INVALID_HANDLE_VALUE)
Damien Miller856f0be2003-09-03 07:32:45 +100089 return 0;
Damien Millerbac2d8a2000-09-05 16:13:06 +110090 cygwin_set_impersonation_token(hToken);
Damien Miller856f0be2003-09-03 07:32:45 +100091 return ok;
Damien Millerbac2d8a2000-09-05 16:13:06 +110092 }
Damien Miller2101bfc2003-01-22 15:42:26 +110093# endif
94# ifdef WITH_AIXAUTHENTICATE
Ben Lindstrom0410e322003-07-24 06:52:13 +000095 {
Damien Miller856f0be2003-09-03 07:32:45 +100096 char *authmsg = NULL;
Ben Lindstrom0410e322003-07-24 06:52:13 +000097 int reenter = 1;
Damien Miller856f0be2003-09-03 07:32:45 +100098 int authsuccess = 0;
Ben Lindstrom164725f2002-09-25 23:14:14 +000099
Damien Miller856f0be2003-09-03 07:32:45 +1000100 if (authenticate(pw->pw_name, password, &reenter,
101 &authmsg) == 0 && ok) {
Ben Lindstrom0410e322003-07-24 06:52:13 +0000102 char *msg;
103 char *host =
104 (char *)get_canonical_hostname(options.use_dns);
Darren Tuckerb9aa0a02003-07-08 22:59:59 +1000105
Damien Miller856f0be2003-09-03 07:32:45 +1000106 authsuccess = 1;
107 aix_remove_embedded_newlines(authmsg);
108
Ben Lindstrom0410e322003-07-24 06:52:13 +0000109 debug3("AIX/authenticate succeeded for user %s: %.100s",
110 pw->pw_name, authmsg);
Darren Tuckerb9aa0a02003-07-08 22:59:59 +1000111
Ben Lindstrom0410e322003-07-24 06:52:13 +0000112 /* No pty yet, so just label the line as "ssh" */
Darren Tucker2270c7e2003-09-13 10:41:56 +1000113 aix_setauthdb(authctxt->user);
Ben Lindstrom0410e322003-07-24 06:52:13 +0000114 if (loginsuccess(authctxt->user, host, "ssh",
Damien Miller856f0be2003-09-03 07:32:45 +1000115 &msg) == 0) {
Ben Lindstrom0410e322003-07-24 06:52:13 +0000116 if (msg != NULL) {
117 debug("%s: msg %s", __func__, msg);
118 buffer_append(&loginmsg, msg,
119 strlen(msg));
120 xfree(msg);
121 }
Darren Tuckerb9aa0a02003-07-08 22:59:59 +1000122 }
Damien Miller856f0be2003-09-03 07:32:45 +1000123 } else {
Ben Lindstrom0410e322003-07-24 06:52:13 +0000124 debug3("AIX/authenticate failed for user %s: %.100s",
125 pw->pw_name, authmsg);
Damien Miller856f0be2003-09-03 07:32:45 +1000126 }
Ben Lindstrom164725f2002-09-25 23:14:14 +0000127
Ben Lindstrom0410e322003-07-24 06:52:13 +0000128 if (authmsg != NULL)
129 xfree(authmsg);
130
Damien Miller856f0be2003-09-03 07:32:45 +1000131 return authsuccess;
Ben Lindstrom0410e322003-07-24 06:52:13 +0000132 }
Damien Miller2101bfc2003-01-22 15:42:26 +1100133# endif
Damien Miller2101bfc2003-01-22 15:42:26 +1100134# ifdef BSD_AUTH
Ben Lindstromec95ed92001-07-04 04:21:14 +0000135 if (auth_userokay(pw->pw_name, authctxt->style, "auth-ssh",
136 (char *)password) == 0)
137 return 0;
138 else
Damien Miller856f0be2003-09-03 07:32:45 +1000139 return ok;
Ben Lindstrom0410e322003-07-24 06:52:13 +0000140# else
141 {
Damien Miller856f0be2003-09-03 07:32:45 +1000142 /* Just use the supplied fake password if authctxt is invalid */
143 char *pw_password = authctxt->valid ? shadow_pw(pw) : pw->pw_passwd;
Damien Miller8a1e6a62000-09-16 15:55:52 +1100144
145 /* Check for users with no password. */
Damien Miller5d07e6d2003-09-18 18:25:46 +1000146 if (strcmp(pw_password, "") == 0 && strcmp(password, "") == 0)
Damien Miller856f0be2003-09-03 07:32:45 +1000147 return ok;
Ben Lindstrom0410e322003-07-24 06:52:13 +0000148 else {
149 /* Encrypt the candidate password using the proper salt. */
150 char *encrypted_password = xcrypt(password,
151 (pw_password[0] && pw_password[1]) ? pw_password : "xx");
Damien Miller2e1b0821999-12-25 10:11:29 +1100152
Ben Lindstrom0410e322003-07-24 06:52:13 +0000153 /*
154 * Authentication is accepted if the encrypted passwords
155 * are identical.
156 */
Damien Miller856f0be2003-09-03 07:32:45 +1000157 return (strcmp(encrypted_password, pw_password) == 0) && ok;
Ben Lindstrom0410e322003-07-24 06:52:13 +0000158 }
Damien Miller2e1b0821999-12-25 10:11:29 +1100159
Ben Lindstrom0410e322003-07-24 06:52:13 +0000160 }
161# endif
Damien Miller4f9f42a2003-05-10 19:28:02 +1000162#endif /* !HAVE_OSF_SIA */
Kevin Stevese683e762002-04-04 19:02:28 +0000163}