Blame - auth-passwd.c - platform/external/openssh

blob: 988297cb464a4bbd01a681bf17cf2771eab44665 [file] [log] [blame]

Damien Miller	d4a8b7e	1999-10-27 13:42:43 +1000	[diff] [blame]	1	/*
Damien Miller	95def09	1999-11-25 00:26:21 +1100	[diff] [blame]	2	* Author: Tatu Ylonen <ylo@cs.hut.fi>
				3	* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
				4	* All rights reserved
Damien Miller	95def09	1999-11-25 00:26:21 +1100	[diff] [blame]	5	* Password authentication. This file contains the functions to check whether
				6	* the password is valid for the user.
Damien Miller	e4340be	2000-09-16 13:29:08 +1100	[diff] [blame]	7	*
				8	* As far as I am concerned, the code I have written for this software
				9	* can be used freely for any purpose. Any derived versions of this
				10	* software must be clearly marked as such, and if the derived work is
				11	* incompatible with the protocol description in the RFC file, it must be
				12	* called by a name other than "ssh" or "Secure Shell".
				13	*
Damien Miller	e4340be	2000-09-16 13:29:08 +1100	[diff] [blame]	14	* Copyright (c) 1999 Dug Song. All rights reserved.
Damien Miller	e4340be	2000-09-16 13:29:08 +1100	[diff] [blame]	15	* Copyright (c) 2000 Markus Friedl. All rights reserved.
				16	*
				17	* Redistribution and use in source and binary forms, with or without
				18	* modification, are permitted provided that the following conditions
				19	* are met:
				20	* 1. Redistributions of source code must retain the above copyright
				21	* notice, this list of conditions and the following disclaimer.
				22	* 2. Redistributions in binary form must reproduce the above copyright
				23	* notice, this list of conditions and the following disclaimer in the
				24	* documentation and/or other materials provided with the distribution.
				25	*
				26	* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
				27	* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
				28	* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
				29	* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
				30	* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
				31	* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
				32	* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
				33	* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
				34	* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
				35	* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
Damien Miller	95def09	1999-11-25 00:26:21 +1100	[diff] [blame]	36	*/
Damien Miller	d4a8b7e	1999-10-27 13:42:43 +1000	[diff] [blame]	37
				38	#include "includes.h"
Ben Lindstrom	ec95ed9	2001-07-04 04:21:14 +0000	[diff] [blame]	39	RCSID("$OpenBSD: auth-passwd.c,v 1.23 2001/06/26 16:15:23 dugsong Exp $");
Damien Miller	d4a8b7e	1999-10-27 13:42:43 +1000	[diff] [blame]	40
Damien Miller	b8c656e	2000-06-28 15:22:41 +1000	[diff] [blame]	41	#if !defined(USE_PAM) && !defined(HAVE_OSF_SIA)
				42
Damien Miller	d4a8b7e	1999-10-27 13:42:43 +1000	[diff] [blame]	43	#include "packet.h"
Damien Miller	d4a8b7e	1999-10-27 13:42:43 +1000	[diff] [blame]	44	#include "xmalloc.h"
Ben Lindstrom	226cfa0	2001-01-22 05:34:40 +0000	[diff] [blame]	45	#include "log.h"
				46	#include "servconf.h"
Ben Lindstrom	db65e8f	2001-01-19 04:26:52 +0000	[diff] [blame]	47	#include "auth.h"
				48
Damien Miller	da2ed56	2001-04-25 22:50:18 +1000	[diff] [blame]	49	#ifdef HAVE_CRYPT_H
				50	# include <crypt.h>
				51	#endif
Damien Miller	1fa154b	2000-01-23 10:32:03 +1100	[diff] [blame]	52	#ifdef WITH_AIXAUTHENTICATE
Damien Miller	1bead33	2000-04-30 00:47:29 +1000	[diff] [blame]	53	# include <login.h>
Damien Miller	1fa154b	2000-01-23 10:32:03 +1100	[diff] [blame]	54	#endif
Damien Miller	8a1e6a6	2000-09-16 15:55:52 +1100	[diff] [blame]	55	#ifdef __hpux
Damien Miller	1bead33	2000-04-30 00:47:29 +1000	[diff] [blame]	56	# include <hpsecurity.h>
				57	# include <prot.h>
				58	#endif
Damien Miller	78315eb	2000-09-29 23:01:36 +1100	[diff] [blame]	59	#ifdef HAVE_SCO_PROTECTED_PW
				60	# include <sys/security.h>
				61	# include <sys/audit.h>
				62	# include <prot.h>
				63	#endif /* HAVE_SCO_PROTECTED_PW */
Damien Miller	8a1e6a6	2000-09-16 15:55:52 +1100	[diff] [blame]	64	#if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW)
Damien Miller	beb4ba5	1999-12-28 15:09:35 +1100	[diff] [blame]	65	# include <shadow.h>
Damien Miller	2cb210f	1999-11-13 15:40:10 +1100	[diff] [blame]	66	#endif
Damien Miller	8a1e6a6	2000-09-16 15:55:52 +1100	[diff] [blame]	67	#if defined(HAVE_GETPWANAM) && !defined(DISABLE_SHADOW)
Damien Miller	dfc83f4	2000-05-20 15:02:59 +1000	[diff] [blame]	68	# include <sys/label.h>
				69	# include <sys/audit.h>
				70	# include <pwdadj.h>
				71	#endif
Damien Miller	beb4ba5	1999-12-28 15:09:35 +1100	[diff] [blame]	72	#if defined(HAVE_MD5_PASSWORDS) && !defined(HAVE_MD5_CRYPT)
				73	# include "md5crypt.h"
				74	#endif /* defined(HAVE_MD5_PASSWORDS) && !defined(HAVE_MD5_CRYPT) */
Damien Miller	dd1c7ba	1999-11-19 15:53:20 +1100	[diff] [blame]	75
Damien Miller	bac2d8a	2000-09-05 16:13:06 +1100	[diff] [blame]	76	#ifdef HAVE_CYGWIN
				77	#undef ERROR
				78	#include <windows.h>
				79	#include <sys/cygwin.h>
				80	#define is_winnt (GetVersion() < 0x80000000)
				81	#endif
				82
Damien Miller	60396b0	2001-02-18 17:01:00 +1100	[diff] [blame]	83
				84	extern ServerOptions options;
				85
Damien Miller	95def09	1999-11-25 00:26:21 +1100	[diff] [blame]	86	/*
				87	* Tries to authenticate the user using password. Returns true if
				88	* authentication succeeds.
				89	*/
Damien Miller	4af5130	2000-04-16 11:18:38 +1000	[diff] [blame]	90	int
Damien Miller	60396b0	2001-02-18 17:01:00 +1100	[diff] [blame]	91	auth_password(Authctxt authctxt, const char password)
Damien Miller	d4a8b7e	1999-10-27 13:42:43 +1000	[diff] [blame]	92	{
Damien Miller	60396b0	2001-02-18 17:01:00 +1100	[diff] [blame]	93	struct passwd * pw = authctxt->pw;
Damien Miller	95def09	1999-11-25 00:26:21 +1100	[diff] [blame]	94	char *encrypted_password;
Damien Miller	2e1b082	1999-12-25 10:11:29 +1100	[diff] [blame]	95	char *pw_password;
				96	char *salt;
Damien Miller	8a1e6a6	2000-09-16 15:55:52 +1100	[diff] [blame]	97	#ifdef __hpux
				98	struct pr_passwd *spw;
				99	#endif
Damien Miller	78315eb	2000-09-29 23:01:36 +1100	[diff] [blame]	100	#ifdef HAVE_SCO_PROTECTED_PW
				101	struct pr_passwd *spw;
				102	#endif /* HAVE_SCO_PROTECTED_PW */
Damien Miller	8a1e6a6	2000-09-16 15:55:52 +1100	[diff] [blame]	103	#if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW)
Damien Miller	95def09	1999-11-25 00:26:21 +1100	[diff] [blame]	104	struct spwd *spw;
Damien Miller	2cb210f	1999-11-13 15:40:10 +1100	[diff] [blame]	105	#endif
Damien Miller	8a1e6a6	2000-09-16 15:55:52 +1100	[diff] [blame]	106	#if defined(HAVE_GETPWANAM) && !defined(DISABLE_SHADOW)
Damien Miller	dfc83f4	2000-05-20 15:02:59 +1000	[diff] [blame]	107	struct passwd_adjunct *spw;
				108	#endif
Damien Miller	1fa154b	2000-01-23 10:32:03 +1100	[diff] [blame]	109	#ifdef WITH_AIXAUTHENTICATE
				110	char *authmsg;
				111	char *loginmsg;
				112	int reenter = 1;
				113	#endif
Damien Miller	d4a8b7e	1999-10-27 13:42:43 +1000	[diff] [blame]	114
Damien Miller	ece22a8	1999-12-30 09:48:15 +1100	[diff] [blame]	115	/* deny if no user. */
				116	if (pw == NULL)
				117	return 0;
Damien Miller	bac2d8a	2000-09-05 16:13:06 +1100	[diff] [blame]	118	#ifndef HAVE_CYGWIN
Ben Lindstrom	d8a9021	2001-02-15 03:08:27 +0000	[diff] [blame]	119	if (pw->pw_uid == 0 && options.permit_root_login != PERMIT_YES)
Damien Miller	95def09	1999-11-25 00:26:21 +1100	[diff] [blame]	120	return 0;
Damien Miller	bac2d8a	2000-09-05 16:13:06 +1100	[diff] [blame]	121	#endif
				122	#ifdef HAVE_CYGWIN
				123	/*
				124	* Empty password is only possible on NT if the user has _really_
				125	* an empty password and authentication is done, though.
				126	*/
Kevin Steves	ef4eea9	2001-02-05 12:42:17 +0000	[diff] [blame]	127	if (!is_winnt)
Damien Miller	bac2d8a	2000-09-05 16:13:06 +1100	[diff] [blame]	128	#endif
Damien Miller	5428f64	1999-11-25 11:54:57 +1100	[diff] [blame]	129	if (*password == '\0' && options.permit_empty_passwd == 0)
Damien Miller	95def09	1999-11-25 00:26:21 +1100	[diff] [blame]	130	return 0;
Ben Lindstrom	ec95ed9	2001-07-04 04:21:14 +0000	[diff] [blame]	131	#ifdef KRB5
				132	if (options.kerberos_authentication == 1) {
				133	int ret = auth_krb5_password(authctxt, password);
				134	if (ret == 1 \|\| ret == 0)
				135	return ret;
				136	/* Fall back to ordinary passwd authentication. */
				137	}
Damien Miller	60396b0	2001-02-18 17:01:00 +1100	[diff] [blame]	138	#endif
Damien Miller	bac2d8a	2000-09-05 16:13:06 +1100	[diff] [blame]	139	#ifdef HAVE_CYGWIN
				140	if (is_winnt) {
				141	HANDLE hToken = cygwin_logon_user(pw, password);
				142
				143	if (hToken == INVALID_HANDLE_VALUE)
				144	return 0;
				145	cygwin_set_impersonation_token(hToken);
				146	return 1;
				147	}
				148	#endif
Damien Miller	1fa154b	2000-01-23 10:32:03 +1100	[diff] [blame]	149	#ifdef WITH_AIXAUTHENTICATE
				150	return (authenticate(pw->pw_name,password,&reenter,&authmsg) == 0);
				151	#endif
Damien Miller	aae6c61	1999-12-06 11:47:28 +1100	[diff] [blame]	152	#ifdef KRB4
				153	if (options.kerberos_authentication == 1) {
Ben Lindstrom	ec95ed9	2001-07-04 04:21:14 +0000	[diff] [blame]	154	int ret = auth_krb4_password(authctxt, password);
Damien Miller	aae6c61	1999-12-06 11:47:28 +1100	[diff] [blame]	155	if (ret == 1 \|\| ret == 0)
				156	return ret;
Damien Miller	95def09	1999-11-25 00:26:21 +1100	[diff] [blame]	157	/* Fall back to ordinary passwd authentication. */
Damien Miller	d4a8b7e	1999-10-27 13:42:43 +1000	[diff] [blame]	158	}
Damien Miller	aae6c61	1999-12-06 11:47:28 +1100	[diff] [blame]	159	#endif
Ben Lindstrom	ec95ed9	2001-07-04 04:21:14 +0000	[diff] [blame]	160	#ifdef BSD_AUTH
				161	if (auth_userokay(pw->pw_name, authctxt->style, "auth-ssh",
				162	(char *)password) == 0)
				163	return 0;
				164	else
				165	return 1;
				166	#endif
Damien Miller	2e1b082	1999-12-25 10:11:29 +1100	[diff] [blame]	167	pw_password = pw->pw_passwd;
Damien Miller	606f880	2000-09-16 15:39:56 +1100	[diff] [blame]	168
Damien Miller	8a1e6a6	2000-09-16 15:55:52 +1100	[diff] [blame]	169	/*
				170	* Various interfaces to shadow or protected password data
				171	*/
Damien Miller	cb7e5f9	1999-12-21 21:03:09 +1100	[diff] [blame]	172	#if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW)
Damien Miller	95def09	1999-11-25 00:26:21 +1100	[diff] [blame]	173	spw = getspnam(pw->pw_name);
Kevin Steves	ef4eea9	2001-02-05 12:42:17 +0000	[diff] [blame]	174	if (spw != NULL)
Damien Miller	8eb0fd6	1999-12-31 08:49:13 +1100	[diff] [blame]	175	pw_password = spw->sp_pwdp;
Damien Miller	cb7e5f9	1999-12-21 21:03:09 +1100	[diff] [blame]	176	#endif /* defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW) */
Damien Miller	78315eb	2000-09-29 23:01:36 +1100	[diff] [blame]	177
				178	#ifdef HAVE_SCO_PROTECTED_PW
				179	spw = getprpwnam(pw->pw_name);
Kevin Steves	ef4eea9	2001-02-05 12:42:17 +0000	[diff] [blame]	180	if (spw != NULL)
Damien Miller	78315eb	2000-09-29 23:01:36 +1100	[diff] [blame]	181	pw_password = spw->ufld.fd_encrypt;
				182	#endif /* HAVE_SCO_PROTECTED_PW */
				183
Damien Miller	dfc83f4	2000-05-20 15:02:59 +1000	[diff] [blame]	184	#if defined(HAVE_GETPWANAM) && !defined(DISABLE_SHADOW)
				185	if (issecure() && (spw = getpwanam(pw->pw_name)) != NULL)
Damien Miller	dfc83f4	2000-05-20 15:02:59 +1000	[diff] [blame]	186	pw_password = spw->pwa_passwd;
Damien Miller	dfc83f4	2000-05-20 15:02:59 +1000	[diff] [blame]	187	#endif /* defined(HAVE_GETPWANAM) && !defined(DISABLE_SHADOW) */
Damien Miller	78315eb	2000-09-29 23:01:36 +1100	[diff] [blame]	188
Damien Miller	8a1e6a6	2000-09-16 15:55:52 +1100	[diff] [blame]	189	#if defined(__hpux)
				190	if (iscomsec() && (spw = getprpwnam(pw->pw_name)) != NULL)
				191	pw_password = spw->ufld.fd_encrypt;
				192	#endif /* defined(__hpux) */
				193
				194	/* Check for users with no password. */
				195	if ((password[0] == '\0') && (pw_password[0] == '\0'))
				196	return 1;
Damien Miller	2e1b082	1999-12-25 10:11:29 +1100	[diff] [blame]	197
				198	if (pw_password[0] != '\0')
				199	salt = pw_password;
				200	else
				201	salt = "xx";
				202
				203	#ifdef HAVE_MD5_PASSWORDS
				204	if (is_md5_salt(salt))
				205	encrypted_password = md5_crypt(password, salt);
				206	else
				207	encrypted_password = crypt(password, salt);
Kevin Steves	ef4eea9	2001-02-05 12:42:17 +0000	[diff] [blame]	208	#else /* HAVE_MD5_PASSWORDS */
Damien Miller	8a1e6a6	2000-09-16 15:55:52 +1100	[diff] [blame]	209	# ifdef __hpux
				210	if (iscomsec())
				211	encrypted_password = bigcrypt(password, salt);
				212	else
				213	encrypted_password = crypt(password, salt);
Damien Miller	1bead33	2000-04-30 00:47:29 +1000	[diff] [blame]	214	# else
Damien Miller	2e1b082	1999-12-25 10:11:29 +1100	[diff] [blame]	215	encrypted_password = crypt(password, salt);
Damien Miller	8a1e6a6	2000-09-16 15:55:52 +1100	[diff] [blame]	216	# endif /* __hpux */
Kevin Steves	ef4eea9	2001-02-05 12:42:17 +0000	[diff] [blame]	217	#endif /* HAVE_MD5_PASSWORDS */
Damien Miller	2e1b082	1999-12-25 10:11:29 +1100	[diff] [blame]	218
				219	/* Authentication is accepted if the encrypted passwords are identical. */
				220	return (strcmp(encrypted_password, pw_password) == 0);
Damien Miller	d4a8b7e	1999-10-27 13:42:43 +1000	[diff] [blame]	221	}
Damien Miller	b8c656e	2000-06-28 15:22:41 +1000	[diff] [blame]	222	#endif /* !USE_PAM && !HAVE_OSF_SIA */