Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / openssh / 856f0be66908352828bb595f7ad5213623c0c610 / . / auth-passwd.c
blob: 57a2d362002c0eda8a5b485c6c6f2c1ae0ce6cca [file] [log] [blame]
Damien Millerd4a8b7e1999-10-27 13:42:43 +1000[diff] [blame]1/*
Damien Miller95def091999-11-25 00:26:21 +1100[diff] [blame]2 * Author: Tatu Ylonen <ylo@cs.hut.fi>
3 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
4 * All rights reserved
Damien Miller95def091999-11-25 00:26:21 +1100[diff] [blame]5 * Password authentication. This file contains the functions to check whether
6 * the password is valid for the user.
Damien Millere4340be2000-09-16 13:29:08 +1100[diff] [blame]7 *
8 * As far as I am concerned, the code I have written for this software
9 * can be used freely for any purpose. Any derived versions of this
10 * software must be clearly marked as such, and if the derived work is
11 * incompatible with the protocol description in the RFC file, it must be
12 * called by a name other than "ssh" or "Secure Shell".
13 *
Damien Millere4340be2000-09-16 13:29:08 +1100[diff] [blame]14 * Copyright (c) 1999 Dug Song. All rights reserved.
Damien Millere4340be2000-09-16 13:29:08 +1100[diff] [blame]15 * Copyright (c) 2000 Markus Friedl. All rights reserved.
16 *
17 * Redistribution and use in source and binary forms, with or without
18 * modification, are permitted provided that the following conditions
19 * are met:
20 * 1. Redistributions of source code must retain the above copyright
21 * notice, this list of conditions and the following disclaimer.
22 * 2. Redistributions in binary form must reproduce the above copyright
23 * notice, this list of conditions and the following disclaimer in the
24 * documentation and/or other materials provided with the distribution.
25 *
26 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
27 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
28 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
29 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
30 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
31 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
32 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
33 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
34 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
35 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
Damien Miller95def091999-11-25 00:26:21 +1100[diff] [blame]36 */
Damien Millerd4a8b7e1999-10-27 13:42:43 +1000[diff] [blame]37
38#include "includes.h"
Damien Miller856f0be2003-09-03 07:32:45 +1000[diff] [blame^]39RCSID("$OpenBSD: auth-passwd.c,v 1.29 2003/08/26 09:58:43 markus Exp $");
Damien Millerd4a8b7e1999-10-27 13:42:43 +1000[diff] [blame]40
41#include "packet.h"
Ben Lindstrom226cfa02001-01-22 05:34:40 +0000[diff] [blame]42#include "log.h"
43#include "servconf.h"
Ben Lindstromdb65e8f2001-01-19 04:26:52 +0000[diff] [blame]44#include "auth.h"
Ben Lindstrom0410e322003-07-24 06:52:13 +0000[diff] [blame]45#ifdef WITH_AIXAUTHENTICATE
46# include "buffer.h"
47# include "canohost.h"
48extern Buffer loginmsg;
49#endif
Damien Miller60396b02001-02-18 17:01:00 +1100[diff] [blame]50
51extern ServerOptions options;
52
Damien Miller95def091999-11-25 00:26:21 +1100[diff] [blame]53/*
54 * Tries to authenticate the user using password. Returns true if
55 * authentication succeeds.
56 */
Damien Miller4af51302000-04-16 11:18:38 +1000[diff] [blame]57int
Damien Miller60396b02001-02-18 17:01:00 +1100[diff] [blame]58auth_password(Authctxt *authctxt, const char *password)
Damien Millerd4a8b7e1999-10-27 13:42:43 +1000[diff] [blame]59{
Ben Lindstrom0b478142002-05-10 02:40:15 +0000[diff] [blame]60 struct passwd * pw = authctxt->pw;
Damien Millereab4bae2003-04-29 23:22:40 +1000[diff] [blame]61 int ok = authctxt->valid;
Damien Millerd4a8b7e1999-10-27 13:42:43 +1000[diff] [blame]62
Damien Millerece22a81999-12-30 09:48:15 +1100[diff] [blame]63 /* deny if no user. */
64 if (pw == NULL)
Damien Miller856f0be2003-09-03 07:32:45 +1000[diff] [blame^]65 return 0;
Damien Millerbac2d8a2000-09-05 16:13:06 +1100[diff] [blame]66#ifndef HAVE_CYGWIN
Damien Millereab4bae2003-04-29 23:22:40 +1000[diff] [blame]67 if (pw && pw->pw_uid == 0 && options.permit_root_login != PERMIT_YES)
68 ok = 0;
Damien Millerbac2d8a2000-09-05 16:13:06 +1100[diff] [blame]69#endif
Ben Lindstrom0b478142002-05-10 02:40:15 +0000[diff] [blame]70 if (*password == '\0' && options.permit_empty_passwd == 0)
Damien Millereab4bae2003-04-29 23:22:40 +1000[diff] [blame]71 return 0;
Ben Lindstrom0410e322003-07-24 06:52:13 +0000[diff] [blame]72
73#if defined(HAVE_OSF_SIA)
Damien Miller856f0be2003-09-03 07:32:45 +1000[diff] [blame^]74 return auth_sia_password(authctxt, password) && ok;
Damien Miller2101bfc2003-01-22 15:42:26 +1100[diff] [blame]75#else
76# ifdef KRB5
Ben Lindstromec95ed92001-07-04 04:21:14 +0000[diff] [blame]77 if (options.kerberos_authentication == 1) {
78 int ret = auth_krb5_password(authctxt, password);
79 if (ret == 1 || ret == 0)
Damien Miller856f0be2003-09-03 07:32:45 +1000[diff] [blame^]80 return ret && ok;
Ben Lindstromec95ed92001-07-04 04:21:14 +0000[diff] [blame]81 /* Fall back to ordinary passwd authentication. */
82 }
Damien Miller2101bfc2003-01-22 15:42:26 +1100[diff] [blame]83# endif
84# ifdef HAVE_CYGWIN
Damien Millerbac2d8a2000-09-05 16:13:06 +1100[diff] [blame]85 if (is_winnt) {
86 HANDLE hToken = cygwin_logon_user(pw, password);
87
88 if (hToken == INVALID_HANDLE_VALUE)
Damien Miller856f0be2003-09-03 07:32:45 +1000[diff] [blame^]89 return 0;
Damien Millerbac2d8a2000-09-05 16:13:06 +1100[diff] [blame]90 cygwin_set_impersonation_token(hToken);
Damien Miller856f0be2003-09-03 07:32:45 +1000[diff] [blame^]91 return ok;
Damien Millerbac2d8a2000-09-05 16:13:06 +1100[diff] [blame]92 }
Damien Miller2101bfc2003-01-22 15:42:26 +1100[diff] [blame]93# endif
94# ifdef WITH_AIXAUTHENTICATE
Ben Lindstrom0410e322003-07-24 06:52:13 +0000[diff] [blame]95 {
Damien Miller856f0be2003-09-03 07:32:45 +1000[diff] [blame^]96 char *authmsg = NULL;
Ben Lindstrom0410e322003-07-24 06:52:13 +0000[diff] [blame]97 int reenter = 1;
Damien Miller856f0be2003-09-03 07:32:45 +1000[diff] [blame^]98 int authsuccess = 0;
Ben Lindstrom164725f2002-09-25 23:14:14 +0000[diff] [blame]99
Damien Miller856f0be2003-09-03 07:32:45 +1000[diff] [blame^]100 if (authenticate(pw->pw_name, password, &reenter,
101 &authmsg) == 0 && ok) {
Ben Lindstrom0410e322003-07-24 06:52:13 +0000[diff] [blame]102 char *msg;
103 char *host =
104 (char *)get_canonical_hostname(options.use_dns);
Darren Tuckerb9aa0a02003-07-08 22:59:59 +1000[diff] [blame]105
Damien Miller856f0be2003-09-03 07:32:45 +1000[diff] [blame^]106 authsuccess = 1;
107 aix_remove_embedded_newlines(authmsg);
108
Ben Lindstrom0410e322003-07-24 06:52:13 +0000[diff] [blame]109 debug3("AIX/authenticate succeeded for user %s: %.100s",
110 pw->pw_name, authmsg);
Darren Tuckerb9aa0a02003-07-08 22:59:59 +1000[diff] [blame]111
Ben Lindstrom0410e322003-07-24 06:52:13 +0000[diff] [blame]112 /* No pty yet, so just label the line as "ssh" */
113 if (loginsuccess(authctxt->user, host, "ssh",
Damien Miller856f0be2003-09-03 07:32:45 +1000[diff] [blame^]114 &msg) == 0) {
Ben Lindstrom0410e322003-07-24 06:52:13 +0000[diff] [blame]115 if (msg != NULL) {
116 debug("%s: msg %s", __func__, msg);
117 buffer_append(&loginmsg, msg,
118 strlen(msg));
119 xfree(msg);
120 }
Darren Tuckerb9aa0a02003-07-08 22:59:59 +1000[diff] [blame]121 }
Damien Miller856f0be2003-09-03 07:32:45 +1000[diff] [blame^]122 } else {
Ben Lindstrom0410e322003-07-24 06:52:13 +0000[diff] [blame]123 debug3("AIX/authenticate failed for user %s: %.100s",
124 pw->pw_name, authmsg);
Damien Miller856f0be2003-09-03 07:32:45 +1000[diff] [blame^]125 }
Ben Lindstrom164725f2002-09-25 23:14:14 +0000[diff] [blame]126
Ben Lindstrom0410e322003-07-24 06:52:13 +0000[diff] [blame]127 if (authmsg != NULL)
128 xfree(authmsg);
129
Damien Miller856f0be2003-09-03 07:32:45 +1000[diff] [blame^]130 return authsuccess;
Ben Lindstrom0410e322003-07-24 06:52:13 +0000[diff] [blame]131 }
Damien Miller2101bfc2003-01-22 15:42:26 +1100[diff] [blame]132# endif
Damien Miller2101bfc2003-01-22 15:42:26 +1100[diff] [blame]133# ifdef BSD_AUTH
Ben Lindstromec95ed92001-07-04 04:21:14 +0000[diff] [blame]134 if (auth_userokay(pw->pw_name, authctxt->style, "auth-ssh",
135 (char *)password) == 0)
136 return 0;
137 else
Damien Miller856f0be2003-09-03 07:32:45 +1000[diff] [blame^]138 return ok;
Ben Lindstrom0410e322003-07-24 06:52:13 +0000[diff] [blame]139# else
140 {
Damien Miller856f0be2003-09-03 07:32:45 +1000[diff] [blame^]141 /* Just use the supplied fake password if authctxt is invalid */
142 char *pw_password = authctxt->valid ? shadow_pw(pw) : pw->pw_passwd;
Damien Miller8a1e6a62000-09-16 15:55:52 +1100[diff] [blame]143
144 /* Check for users with no password. */
Ben Lindstrom0410e322003-07-24 06:52:13 +0000[diff] [blame]145 if (strcmp(pw_password, "") == 0 && strcmp(pw->pw_passwd, "") == 0)
Damien Miller856f0be2003-09-03 07:32:45 +1000[diff] [blame^]146 return ok;
Ben Lindstrom0410e322003-07-24 06:52:13 +0000[diff] [blame]147 else {
148 /* Encrypt the candidate password using the proper salt. */
149 char *encrypted_password = xcrypt(password,
150 (pw_password[0] && pw_password[1]) ? pw_password : "xx");
Damien Miller2e1b0821999-12-25 10:11:29 +1100[diff] [blame]151
Ben Lindstrom0410e322003-07-24 06:52:13 +0000[diff] [blame]152 /*
153 * Authentication is accepted if the encrypted passwords
154 * are identical.
155 */
Damien Miller856f0be2003-09-03 07:32:45 +1000[diff] [blame^]156 return (strcmp(encrypted_password, pw_password) == 0) && ok;
Ben Lindstrom0410e322003-07-24 06:52:13 +0000[diff] [blame]157 }
Damien Miller2e1b0821999-12-25 10:11:29 +1100[diff] [blame]158
Ben Lindstrom0410e322003-07-24 06:52:13 +0000[diff] [blame]159 }
160# endif
Damien Miller4f9f42a2003-05-10 19:28:02 +1000[diff] [blame]161#endif /* !HAVE_OSF_SIA */
Kevin Stevese683e762002-04-04 19:02:28 +0000[diff] [blame]162}