Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / openssh / d7bdc0c8e8acc5f0621046a6b47066d72ad3462f / . / auth-sia.c
blob: debf30201b73fe182419c63ae6f08735516ad9df [file] [log] [blame]
Kevin Steves19fa9b52002-04-12 15:36:07 +0000[diff] [blame]1/*
2 * Copyright (c) 2002 Chris Adams. All rights reserved.
3 *
4 * Redistribution and use in source and binary forms, with or without
5 * modification, are permitted provided that the following conditions
6 * are met:
7 * 1. Redistributions of source code must retain the above copyright
8 * notice, this list of conditions and the following disclaimer.
9 * 2. Redistributions in binary form must reproduce the above copyright
10 * notice, this list of conditions and the following disclaimer in the
11 * documentation and/or other materials provided with the distribution.
12 *
13 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
14 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
15 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
16 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
17 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
18 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
19 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
20 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
21 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
22 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
23 */
24
Damien Miller92ddb7d2001-02-14 01:25:23 +1100[diff] [blame]25#include "includes.h"
26
27#ifdef HAVE_OSF_SIA
Damien Miller92ddb7d2001-02-14 01:25:23 +1100[diff] [blame]28#include <sia.h>
29#include <siad.h>
30#include <pwd.h>
31#include <signal.h>
32#include <setjmp.h>
33#include <sys/resource.h>
34#include <unistd.h>
Damien Millerded319c2006-09-01 15:38:36 +1000[diff] [blame]35#include <stdarg.h>
Damien Miller92ddb7d2001-02-14 01:25:23 +1100[diff] [blame]36#include <string.h>
Darren Tucker2c1eb822008-06-13 11:13:13 +1000[diff] [blame]37#include <sys/types.h>
38#include <sys/security.h>
39#include <prot.h>
40#include <time.h>
Damien Miller92ddb7d2001-02-14 01:25:23 +1100[diff] [blame]41
Damien Millerded319c2006-09-01 15:38:36 +1000[diff] [blame]42#include "ssh.h"
Darren Tucker17da5302006-09-08 09:54:41 +1000[diff] [blame]43#include "key.h"
44#include "hostfile.h"
Damien Millerded319c2006-09-01 15:38:36 +1000[diff] [blame]45#include "auth.h"
46#include "auth-sia.h"
47#include "log.h"
48#include "servconf.h"
49#include "canohost.h"
50#include "uidswap.h"
51
Damien Miller92ddb7d2001-02-14 01:25:23 +1100[diff] [blame]52extern ServerOptions options;
53extern int saved_argc;
54extern char **saved_argv;
55
Darren Tucker2c1eb822008-06-13 11:13:13 +1000[diff] [blame]56static int
57sia_password_change_required(const char *user)
58{
59 struct es_passwd *acct;
60 time_t pw_life;
61 time_t pw_date;
62
63 set_auth_parameters(saved_argc, saved_argv);
64
65 if ((acct = getespwnam(user)) == NULL) {
66 error("Couldn't access protected database entry for %s", user);
67 endprpwent();
68 return (0);
69 }
70
71 /* If forced password change flag is set, honor it */
72 if (acct->uflg->fg_psw_chg_reqd && acct->ufld->fd_psw_chg_reqd) {
73 endprpwent();
74 return (1);
75 }
76
77 /* Obtain password lifetime; if none, it can't have expired */
78 if (acct->uflg->fg_expire)
79 pw_life = acct->ufld->fd_expire;
80 else if (acct->sflg->fg_expire)
81 pw_life = acct->sfld->fd_expire;
82 else {
83 endprpwent();
84 return (0);
85 }
86
87 /* Offset from last change; if none, it must be expired */
88 if (acct->uflg->fg_schange)
89 pw_date = acct->ufld->fd_schange + pw_life;
90 else {
91 endprpwent();
92 return (1);
93 }
94
95 endprpwent();
96
97 /* If expiration date is prior to now, change password */
98
99 return (pw_date <= time((time_t *) NULL));
100}
101
Damien Miller92ddb7d2001-02-14 01:25:23 +1100[diff] [blame]102int
Darren Tucker00cadb82005-04-05 20:58:37 +1000[diff] [blame]103sys_auth_passwd(Authctxt *authctxt, const char *pass)
Damien Miller92ddb7d2001-02-14 01:25:23 +1100[diff] [blame]104{
105 int ret;
106 SIAENTITY *ent = NULL;
107 const char *host;
108
Damien Miller3a961dc2003-06-03 10:25:48 +1000[diff] [blame]109 host = get_canonical_hostname(options.use_dns);
Damien Miller92ddb7d2001-02-14 01:25:23 +1100[diff] [blame]110
Damien Miller5b5ca192003-05-19 00:50:02 +1000[diff] [blame]111 if (!authctxt->user || pass == NULL || pass[0] == '\0')
112 return (0);
Damien Miller92ddb7d2001-02-14 01:25:23 +1100[diff] [blame]113
Ben Lindstromc8c548d2003-03-21 01:18:09 +0000[diff] [blame]114 if (sia_ses_init(&ent, saved_argc, saved_argv, host, authctxt->user,
115 NULL, 0, NULL) != SIASUCCESS)
Damien Miller5b5ca192003-05-19 00:50:02 +1000[diff] [blame]116 return (0);
Damien Miller92ddb7d2001-02-14 01:25:23 +1100[diff] [blame]117
118 if ((ret = sia_ses_authent(NULL, pass, ent)) != SIASUCCESS) {
Damien Miller5b5ca192003-05-19 00:50:02 +1000[diff] [blame]119 error("Couldn't authenticate %s from %s",
120 authctxt->user, host);
Damien Miller92ddb7d2001-02-14 01:25:23 +1100[diff] [blame]121 if (ret & SIASTOP)
122 sia_ses_release(&ent);
Damien Miller5b5ca192003-05-19 00:50:02 +1000[diff] [blame]123
124 return (0);
Damien Miller92ddb7d2001-02-14 01:25:23 +1100[diff] [blame]125 }
126
127 sia_ses_release(&ent);
128
Darren Tucker2c1eb822008-06-13 11:13:13 +1000[diff] [blame]129 authctxt->force_pwchange = sia_password_change_required(
130 authctxt->user);
131
Damien Miller5b5ca192003-05-19 00:50:02 +1000[diff] [blame]132 return (1);
Damien Miller92ddb7d2001-02-14 01:25:23 +1100[diff] [blame]133}
134
135void
Ben Lindstromc8c548d2003-03-21 01:18:09 +0000[diff] [blame]136session_setup_sia(struct passwd *pw, char *tty)
Damien Miller92ddb7d2001-02-14 01:25:23 +1100[diff] [blame]137{
Damien Miller92ddb7d2001-02-14 01:25:23 +1100[diff] [blame]138 SIAENTITY *ent = NULL;
139 const char *host;
140
Damien Miller3a961dc2003-06-03 10:25:48 +1000[diff] [blame]141 host = get_canonical_hostname(options.use_dns);
Damien Miller92ddb7d2001-02-14 01:25:23 +1100[diff] [blame]142
Damien Millera8e06ce2003-11-21 23:48:55 +1100[diff] [blame]143 if (sia_ses_init(&ent, saved_argc, saved_argv, host, pw->pw_name,
Damien Miller5b5ca192003-05-19 00:50:02 +1000[diff] [blame]144 tty, 0, NULL) != SIASUCCESS)
Kevin Steves0c283d82002-04-11 20:39:40 +0000[diff] [blame]145 fatal("sia_ses_init failed");
Damien Miller92ddb7d2001-02-14 01:25:23 +1100[diff] [blame]146
Damien Miller92ddb7d2001-02-14 01:25:23 +1100[diff] [blame]147 if (sia_make_entity_pwd(pw, ent) != SIASUCCESS) {
148 sia_ses_release(&ent);
Kevin Steves0c283d82002-04-11 20:39:40 +0000[diff] [blame]149 fatal("sia_make_entity_pwd failed");
Damien Miller92ddb7d2001-02-14 01:25:23 +1100[diff] [blame]150 }
151
152 ent->authtype = SIA_A_NONE;
Ben Lindstromc8c548d2003-03-21 01:18:09 +0000[diff] [blame]153 if (sia_ses_estab(sia_collect_trm, ent) != SIASUCCESS)
154 fatal("Couldn't establish session for %s from %s",
155 pw->pw_name, host);
156
157 if (sia_ses_launch(sia_collect_trm, ent) != SIASUCCESS)
Damien Miller5b5ca192003-05-19 00:50:02 +1000[diff] [blame]158 fatal("Couldn't launch session for %s from %s",
159 pw->pw_name, host);
Damien Miller787b2ec2003-11-21 23:56:47 +1100[diff] [blame]160
Damien Miller92ddb7d2001-02-14 01:25:23 +1100[diff] [blame]161 sia_ses_release(&ent);
162
Darren Tucker4e06a1d2003-11-22 14:25:15 +1100[diff] [blame]163 setuid(0);
164 permanently_set_uid(pw);
Damien Miller92ddb7d2001-02-14 01:25:23 +1100[diff] [blame]165}
166
167#endif /* HAVE_OSF_SIA */