Blame - auth-passwd.c - platform/external/openssh

blob: 095b9ba27c9b43e7eba6c5bd2c9de28cbb10b704 [file] [log] [blame]

Damien Miller	d4a8b7e	1999-10-27 13:42:43 +1000	[diff] [blame]	1	/*
Damien Miller	95def09	1999-11-25 00:26:21 +1100	[diff] [blame]	2	* Author: Tatu Ylonen <ylo@cs.hut.fi>
				3	* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
				4	* All rights reserved
Damien Miller	95def09	1999-11-25 00:26:21 +1100	[diff] [blame]	5	* Password authentication. This file contains the functions to check whether
				6	* the password is valid for the user.
Damien Miller	e4340be	2000-09-16 13:29:08 +1100	[diff] [blame]	7	*
				8	* As far as I am concerned, the code I have written for this software
				9	* can be used freely for any purpose. Any derived versions of this
				10	* software must be clearly marked as such, and if the derived work is
				11	* incompatible with the protocol description in the RFC file, it must be
				12	* called by a name other than "ssh" or "Secure Shell".
				13	*
Damien Miller	e4340be	2000-09-16 13:29:08 +1100	[diff] [blame]	14	* Copyright (c) 1999 Dug Song. All rights reserved.
Damien Miller	e4340be	2000-09-16 13:29:08 +1100	[diff] [blame]	15	* Copyright (c) 2000 Markus Friedl. All rights reserved.
				16	*
				17	* Redistribution and use in source and binary forms, with or without
				18	* modification, are permitted provided that the following conditions
				19	* are met:
				20	* 1. Redistributions of source code must retain the above copyright
				21	* notice, this list of conditions and the following disclaimer.
				22	* 2. Redistributions in binary form must reproduce the above copyright
				23	* notice, this list of conditions and the following disclaimer in the
				24	* documentation and/or other materials provided with the distribution.
				25	*
				26	* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
				27	* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
				28	* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
				29	* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
				30	* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
				31	* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
				32	* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
				33	* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
				34	* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
				35	* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
Damien Miller	95def09	1999-11-25 00:26:21 +1100	[diff] [blame]	36	*/
Damien Miller	d4a8b7e	1999-10-27 13:42:43 +1000	[diff] [blame]	37
				38	#include "includes.h"
Ben Lindstrom	d96c8b3	2002-03-05 01:45:56 +0000	[diff] [blame]	39	RCSID("$OpenBSD: auth-passwd.c,v 1.24 2002/03/04 12:43:06 markus Exp $");
Damien Miller	d4a8b7e	1999-10-27 13:42:43 +1000	[diff] [blame]	40
Damien Miller	b8c656e	2000-06-28 15:22:41 +1000	[diff] [blame]	41	#if !defined(USE_PAM) && !defined(HAVE_OSF_SIA)
				42
Damien Miller	d4a8b7e	1999-10-27 13:42:43 +1000	[diff] [blame]	43	#include "packet.h"
Ben Lindstrom	226cfa0	2001-01-22 05:34:40 +0000	[diff] [blame]	44	#include "log.h"
				45	#include "servconf.h"
Ben Lindstrom	db65e8f	2001-01-19 04:26:52 +0000	[diff] [blame]	46	#include "auth.h"
				47
Damien Miller	da2ed56	2001-04-25 22:50:18 +1000	[diff] [blame]	48	#ifdef HAVE_CRYPT_H
				49	# include <crypt.h>
				50	#endif
Damien Miller	1fa154b	2000-01-23 10:32:03 +1100	[diff] [blame]	51	#ifdef WITH_AIXAUTHENTICATE
Damien Miller	1bead33	2000-04-30 00:47:29 +1000	[diff] [blame]	52	# include <login.h>
Damien Miller	1fa154b	2000-01-23 10:32:03 +1100	[diff] [blame]	53	#endif
Damien Miller	8a1e6a6	2000-09-16 15:55:52 +1100	[diff] [blame]	54	#ifdef __hpux
Damien Miller	1bead33	2000-04-30 00:47:29 +1000	[diff] [blame]	55	# include <hpsecurity.h>
				56	# include <prot.h>
				57	#endif
Damien Miller	78315eb	2000-09-29 23:01:36 +1100	[diff] [blame]	58	#ifdef HAVE_SCO_PROTECTED_PW
				59	# include <sys/security.h>
				60	# include <sys/audit.h>
				61	# include <prot.h>
				62	#endif /* HAVE_SCO_PROTECTED_PW */
Damien Miller	8a1e6a6	2000-09-16 15:55:52 +1100	[diff] [blame]	63	#if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW)
Damien Miller	beb4ba5	1999-12-28 15:09:35 +1100	[diff] [blame]	64	# include <shadow.h>
Damien Miller	2cb210f	1999-11-13 15:40:10 +1100	[diff] [blame]	65	#endif
Damien Miller	8a1e6a6	2000-09-16 15:55:52 +1100	[diff] [blame]	66	#if defined(HAVE_GETPWANAM) && !defined(DISABLE_SHADOW)
Damien Miller	dfc83f4	2000-05-20 15:02:59 +1000	[diff] [blame]	67	# include <sys/label.h>
				68	# include <sys/audit.h>
				69	# include <pwdadj.h>
				70	#endif
Damien Miller	beb4ba5	1999-12-28 15:09:35 +1100	[diff] [blame]	71	#if defined(HAVE_MD5_PASSWORDS) && !defined(HAVE_MD5_CRYPT)
				72	# include "md5crypt.h"
				73	#endif /* defined(HAVE_MD5_PASSWORDS) && !defined(HAVE_MD5_CRYPT) */
Damien Miller	dd1c7ba	1999-11-19 15:53:20 +1100	[diff] [blame]	74
Damien Miller	bac2d8a	2000-09-05 16:13:06 +1100	[diff] [blame]	75	#ifdef HAVE_CYGWIN
				76	#undef ERROR
				77	#include <windows.h>
				78	#include <sys/cygwin.h>
				79	#define is_winnt (GetVersion() < 0x80000000)
				80	#endif
				81
Damien Miller	60396b0	2001-02-18 17:01:00 +1100	[diff] [blame]	82
				83	extern ServerOptions options;
				84
Damien Miller	95def09	1999-11-25 00:26:21 +1100	[diff] [blame]	85	/*
				86	* Tries to authenticate the user using password. Returns true if
				87	* authentication succeeds.
				88	*/
Damien Miller	4af5130	2000-04-16 11:18:38 +1000	[diff] [blame]	89	int
Damien Miller	60396b0	2001-02-18 17:01:00 +1100	[diff] [blame]	90	auth_password(Authctxt authctxt, const char password)
Damien Miller	d4a8b7e	1999-10-27 13:42:43 +1000	[diff] [blame]	91	{
Damien Miller	60396b0	2001-02-18 17:01:00 +1100	[diff] [blame]	92	struct passwd * pw = authctxt->pw;
Damien Miller	95def09	1999-11-25 00:26:21 +1100	[diff] [blame]	93	char *encrypted_password;
Damien Miller	2e1b082	1999-12-25 10:11:29 +1100	[diff] [blame]	94	char *pw_password;
				95	char *salt;
Damien Miller	8a1e6a6	2000-09-16 15:55:52 +1100	[diff] [blame]	96	#ifdef __hpux
				97	struct pr_passwd *spw;
				98	#endif
Damien Miller	78315eb	2000-09-29 23:01:36 +1100	[diff] [blame]	99	#ifdef HAVE_SCO_PROTECTED_PW
				100	struct pr_passwd *spw;
				101	#endif /* HAVE_SCO_PROTECTED_PW */
Damien Miller	8a1e6a6	2000-09-16 15:55:52 +1100	[diff] [blame]	102	#if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW)
Damien Miller	95def09	1999-11-25 00:26:21 +1100	[diff] [blame]	103	struct spwd *spw;
Damien Miller	2cb210f	1999-11-13 15:40:10 +1100	[diff] [blame]	104	#endif
Damien Miller	8a1e6a6	2000-09-16 15:55:52 +1100	[diff] [blame]	105	#if defined(HAVE_GETPWANAM) && !defined(DISABLE_SHADOW)
Damien Miller	dfc83f4	2000-05-20 15:02:59 +1000	[diff] [blame]	106	struct passwd_adjunct *spw;
				107	#endif
Damien Miller	1fa154b	2000-01-23 10:32:03 +1100	[diff] [blame]	108	#ifdef WITH_AIXAUTHENTICATE
				109	char *authmsg;
				110	char *loginmsg;
				111	int reenter = 1;
				112	#endif
Damien Miller	d4a8b7e	1999-10-27 13:42:43 +1000	[diff] [blame]	113
Damien Miller	ece22a8	1999-12-30 09:48:15 +1100	[diff] [blame]	114	/* deny if no user. */
				115	if (pw == NULL)
				116	return 0;
Damien Miller	bac2d8a	2000-09-05 16:13:06 +1100	[diff] [blame]	117	#ifndef HAVE_CYGWIN
Ben Lindstrom	d8a9021	2001-02-15 03:08:27 +0000	[diff] [blame]	118	if (pw->pw_uid == 0 && options.permit_root_login != PERMIT_YES)
Damien Miller	95def09	1999-11-25 00:26:21 +1100	[diff] [blame]	119	return 0;
Damien Miller	bac2d8a	2000-09-05 16:13:06 +1100	[diff] [blame]	120	#endif
				121	#ifdef HAVE_CYGWIN
				122	/*
				123	* Empty password is only possible on NT if the user has _really_
				124	* an empty password and authentication is done, though.
				125	*/
Kevin Steves	ef4eea9	2001-02-05 12:42:17 +0000	[diff] [blame]	126	if (!is_winnt)
Damien Miller	bac2d8a	2000-09-05 16:13:06 +1100	[diff] [blame]	127	#endif
Damien Miller	5428f64	1999-11-25 11:54:57 +1100	[diff] [blame]	128	if (*password == '\0' && options.permit_empty_passwd == 0)
Damien Miller	95def09	1999-11-25 00:26:21 +1100	[diff] [blame]	129	return 0;
Ben Lindstrom	ec95ed9	2001-07-04 04:21:14 +0000	[diff] [blame]	130	#ifdef KRB5
				131	if (options.kerberos_authentication == 1) {
				132	int ret = auth_krb5_password(authctxt, password);
				133	if (ret == 1 \|\| ret == 0)
				134	return ret;
				135	/* Fall back to ordinary passwd authentication. */
				136	}
Damien Miller	60396b0	2001-02-18 17:01:00 +1100	[diff] [blame]	137	#endif
Damien Miller	bac2d8a	2000-09-05 16:13:06 +1100	[diff] [blame]	138	#ifdef HAVE_CYGWIN
				139	if (is_winnt) {
				140	HANDLE hToken = cygwin_logon_user(pw, password);
				141
				142	if (hToken == INVALID_HANDLE_VALUE)
				143	return 0;
				144	cygwin_set_impersonation_token(hToken);
				145	return 1;
				146	}
				147	#endif
Damien Miller	1fa154b	2000-01-23 10:32:03 +1100	[diff] [blame]	148	#ifdef WITH_AIXAUTHENTICATE
				149	return (authenticate(pw->pw_name,password,&reenter,&authmsg) == 0);
				150	#endif
Damien Miller	aae6c61	1999-12-06 11:47:28 +1100	[diff] [blame]	151	#ifdef KRB4
				152	if (options.kerberos_authentication == 1) {
Ben Lindstrom	ec95ed9	2001-07-04 04:21:14 +0000	[diff] [blame]	153	int ret = auth_krb4_password(authctxt, password);
Damien Miller	aae6c61	1999-12-06 11:47:28 +1100	[diff] [blame]	154	if (ret == 1 \|\| ret == 0)
				155	return ret;
Damien Miller	95def09	1999-11-25 00:26:21 +1100	[diff] [blame]	156	/* Fall back to ordinary passwd authentication. */
Damien Miller	d4a8b7e	1999-10-27 13:42:43 +1000	[diff] [blame]	157	}
Damien Miller	aae6c61	1999-12-06 11:47:28 +1100	[diff] [blame]	158	#endif
Ben Lindstrom	ec95ed9	2001-07-04 04:21:14 +0000	[diff] [blame]	159	#ifdef BSD_AUTH
				160	if (auth_userokay(pw->pw_name, authctxt->style, "auth-ssh",
				161	(char *)password) == 0)
				162	return 0;
				163	else
				164	return 1;
				165	#endif
Damien Miller	2e1b082	1999-12-25 10:11:29 +1100	[diff] [blame]	166	pw_password = pw->pw_passwd;
Damien Miller	606f880	2000-09-16 15:39:56 +1100	[diff] [blame]	167
Damien Miller	8a1e6a6	2000-09-16 15:55:52 +1100	[diff] [blame]	168	/*
				169	* Various interfaces to shadow or protected password data
				170	*/
Damien Miller	cb7e5f9	1999-12-21 21:03:09 +1100	[diff] [blame]	171	#if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW)
Damien Miller	95def09	1999-11-25 00:26:21 +1100	[diff] [blame]	172	spw = getspnam(pw->pw_name);
Kevin Steves	ef4eea9	2001-02-05 12:42:17 +0000	[diff] [blame]	173	if (spw != NULL)
Damien Miller	8eb0fd6	1999-12-31 08:49:13 +1100	[diff] [blame]	174	pw_password = spw->sp_pwdp;
Damien Miller	cb7e5f9	1999-12-21 21:03:09 +1100	[diff] [blame]	175	#endif /* defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW) */
Damien Miller	78315eb	2000-09-29 23:01:36 +1100	[diff] [blame]	176
				177	#ifdef HAVE_SCO_PROTECTED_PW
				178	spw = getprpwnam(pw->pw_name);
Kevin Steves	ef4eea9	2001-02-05 12:42:17 +0000	[diff] [blame]	179	if (spw != NULL)
Damien Miller	78315eb	2000-09-29 23:01:36 +1100	[diff] [blame]	180	pw_password = spw->ufld.fd_encrypt;
				181	#endif /* HAVE_SCO_PROTECTED_PW */
				182
Damien Miller	dfc83f4	2000-05-20 15:02:59 +1000	[diff] [blame]	183	#if defined(HAVE_GETPWANAM) && !defined(DISABLE_SHADOW)
				184	if (issecure() && (spw = getpwanam(pw->pw_name)) != NULL)
Damien Miller	dfc83f4	2000-05-20 15:02:59 +1000	[diff] [blame]	185	pw_password = spw->pwa_passwd;
Damien Miller	dfc83f4	2000-05-20 15:02:59 +1000	[diff] [blame]	186	#endif /* defined(HAVE_GETPWANAM) && !defined(DISABLE_SHADOW) */
Damien Miller	78315eb	2000-09-29 23:01:36 +1100	[diff] [blame]	187
Damien Miller	8a1e6a6	2000-09-16 15:55:52 +1100	[diff] [blame]	188	#if defined(__hpux)
				189	if (iscomsec() && (spw = getprpwnam(pw->pw_name)) != NULL)
				190	pw_password = spw->ufld.fd_encrypt;
				191	#endif /* defined(__hpux) */
				192
				193	/* Check for users with no password. */
				194	if ((password[0] == '\0') && (pw_password[0] == '\0'))
				195	return 1;
Damien Miller	2e1b082	1999-12-25 10:11:29 +1100	[diff] [blame]	196
				197	if (pw_password[0] != '\0')
				198	salt = pw_password;
				199	else
				200	salt = "xx";
				201
				202	#ifdef HAVE_MD5_PASSWORDS
				203	if (is_md5_salt(salt))
				204	encrypted_password = md5_crypt(password, salt);
				205	else
				206	encrypted_password = crypt(password, salt);
Kevin Steves	ef4eea9	2001-02-05 12:42:17 +0000	[diff] [blame]	207	#else /* HAVE_MD5_PASSWORDS */
Damien Miller	8a1e6a6	2000-09-16 15:55:52 +1100	[diff] [blame]	208	# ifdef __hpux
				209	if (iscomsec())
				210	encrypted_password = bigcrypt(password, salt);
				211	else
				212	encrypted_password = crypt(password, salt);
Damien Miller	1bead33	2000-04-30 00:47:29 +1000	[diff] [blame]	213	# else
Damien Miller	f966109	2002-01-03 10:30:56 +1100	[diff] [blame]	214	# ifdef HAVE_SCO_PROTECTED_PW
				215	encrypted_password = bigcrypt(password, salt);
				216	# else
Damien Miller	2e1b082	1999-12-25 10:11:29 +1100	[diff] [blame]	217	encrypted_password = crypt(password, salt);
Damien Miller	f966109	2002-01-03 10:30:56 +1100	[diff] [blame]	218	# endif /* HAVE_SCO_PROTECTED_PW */
Damien Miller	8a1e6a6	2000-09-16 15:55:52 +1100	[diff] [blame]	219	# endif /* __hpux */
Kevin Steves	ef4eea9	2001-02-05 12:42:17 +0000	[diff] [blame]	220	#endif /* HAVE_MD5_PASSWORDS */
Damien Miller	2e1b082	1999-12-25 10:11:29 +1100	[diff] [blame]	221
				222	/* Authentication is accepted if the encrypted passwords are identical. */
				223	return (strcmp(encrypted_password, pw_password) == 0);
Damien Miller	d4a8b7e	1999-10-27 13:42:43 +1000	[diff] [blame]	224	}
Damien Miller	b8c656e	2000-06-28 15:22:41 +1000	[diff] [blame]	225	#endif /* !USE_PAM && !HAVE_OSF_SIA */