Blame - auth-passwd.c - platform/external/openssh

blob: 27977155aba42cfa0a0b5cce8f09356f045e58ba [file] [log] [blame]

Damien Miller	d4a8b7e	1999-10-27 13:42:43 +1000	[diff] [blame]	1	/*
Damien Miller	95def09	1999-11-25 00:26:21 +1100	[diff] [blame]	2	* Author: Tatu Ylonen <ylo@cs.hut.fi>
				3	* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
				4	* All rights reserved
Damien Miller	95def09	1999-11-25 00:26:21 +1100	[diff] [blame]	5	* Password authentication. This file contains the functions to check whether
				6	* the password is valid for the user.
Damien Miller	e4340be	2000-09-16 13:29:08 +1100	[diff] [blame]	7	*
				8	* As far as I am concerned, the code I have written for this software
				9	* can be used freely for any purpose. Any derived versions of this
				10	* software must be clearly marked as such, and if the derived work is
				11	* incompatible with the protocol description in the RFC file, it must be
				12	* called by a name other than "ssh" or "Secure Shell".
				13	*
Damien Miller	e4340be	2000-09-16 13:29:08 +1100	[diff] [blame]	14	* Copyright (c) 1999 Dug Song. All rights reserved.
Damien Miller	e4340be	2000-09-16 13:29:08 +1100	[diff] [blame]	15	* Copyright (c) 2000 Markus Friedl. All rights reserved.
				16	*
				17	* Redistribution and use in source and binary forms, with or without
				18	* modification, are permitted provided that the following conditions
				19	* are met:
				20	* 1. Redistributions of source code must retain the above copyright
				21	* notice, this list of conditions and the following disclaimer.
				22	* 2. Redistributions in binary form must reproduce the above copyright
				23	* notice, this list of conditions and the following disclaimer in the
				24	* documentation and/or other materials provided with the distribution.
				25	*
				26	* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
				27	* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
				28	* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
				29	* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
				30	* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
				31	* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
				32	* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
				33	* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
				34	* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
				35	* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
Damien Miller	95def09	1999-11-25 00:26:21 +1100	[diff] [blame]	36	*/
Damien Miller	d4a8b7e	1999-10-27 13:42:43 +1000	[diff] [blame]	37
				38	#include "includes.h"
Ben Lindstrom	eebc4a2	2001-03-22 01:22:03 +0000	[diff] [blame^]	39	RCSID("$OpenBSD: auth-passwd.c,v 1.22 2001/03/20 18:57:04 markus Exp $");
Damien Miller	d4a8b7e	1999-10-27 13:42:43 +1000	[diff] [blame]	40
Damien Miller	b8c656e	2000-06-28 15:22:41 +1000	[diff] [blame]	41	#if !defined(USE_PAM) && !defined(HAVE_OSF_SIA)
				42
Damien Miller	d4a8b7e	1999-10-27 13:42:43 +1000	[diff] [blame]	43	#include "packet.h"
Damien Miller	d4a8b7e	1999-10-27 13:42:43 +1000	[diff] [blame]	44	#include "xmalloc.h"
Ben Lindstrom	226cfa0	2001-01-22 05:34:40 +0000	[diff] [blame]	45	#include "log.h"
				46	#include "servconf.h"
Ben Lindstrom	db65e8f	2001-01-19 04:26:52 +0000	[diff] [blame]	47	#include "auth.h"
				48
Damien Miller	1fa154b	2000-01-23 10:32:03 +1100	[diff] [blame]	49	#ifdef WITH_AIXAUTHENTICATE
Damien Miller	1bead33	2000-04-30 00:47:29 +1000	[diff] [blame]	50	# include <login.h>
Damien Miller	1fa154b	2000-01-23 10:32:03 +1100	[diff] [blame]	51	#endif
Damien Miller	8a1e6a6	2000-09-16 15:55:52 +1100	[diff] [blame]	52	#ifdef __hpux
Damien Miller	1bead33	2000-04-30 00:47:29 +1000	[diff] [blame]	53	# include <hpsecurity.h>
				54	# include <prot.h>
				55	#endif
Damien Miller	78315eb	2000-09-29 23:01:36 +1100	[diff] [blame]	56	#ifdef HAVE_SCO_PROTECTED_PW
				57	# include <sys/security.h>
				58	# include <sys/audit.h>
				59	# include <prot.h>
				60	#endif /* HAVE_SCO_PROTECTED_PW */
Damien Miller	8a1e6a6	2000-09-16 15:55:52 +1100	[diff] [blame]	61	#if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW)
Damien Miller	beb4ba5	1999-12-28 15:09:35 +1100	[diff] [blame]	62	# include <shadow.h>
Damien Miller	2cb210f	1999-11-13 15:40:10 +1100	[diff] [blame]	63	#endif
Damien Miller	8a1e6a6	2000-09-16 15:55:52 +1100	[diff] [blame]	64	#if defined(HAVE_GETPWANAM) && !defined(DISABLE_SHADOW)
Damien Miller	dfc83f4	2000-05-20 15:02:59 +1000	[diff] [blame]	65	# include <sys/label.h>
				66	# include <sys/audit.h>
				67	# include <pwdadj.h>
				68	#endif
Damien Miller	beb4ba5	1999-12-28 15:09:35 +1100	[diff] [blame]	69	#if defined(HAVE_MD5_PASSWORDS) && !defined(HAVE_MD5_CRYPT)
				70	# include "md5crypt.h"
				71	#endif /* defined(HAVE_MD5_PASSWORDS) && !defined(HAVE_MD5_CRYPT) */
Damien Miller	dd1c7ba	1999-11-19 15:53:20 +1100	[diff] [blame]	72
Damien Miller	bac2d8a	2000-09-05 16:13:06 +1100	[diff] [blame]	73	#ifdef HAVE_CYGWIN
				74	#undef ERROR
				75	#include <windows.h>
				76	#include <sys/cygwin.h>
				77	#define is_winnt (GetVersion() < 0x80000000)
				78	#endif
				79
Damien Miller	60396b0	2001-02-18 17:01:00 +1100	[diff] [blame]	80
				81	extern ServerOptions options;
				82
Damien Miller	95def09	1999-11-25 00:26:21 +1100	[diff] [blame]	83	/*
				84	* Tries to authenticate the user using password. Returns true if
				85	* authentication succeeds.
				86	*/
Damien Miller	4af5130	2000-04-16 11:18:38 +1000	[diff] [blame]	87	int
Damien Miller	60396b0	2001-02-18 17:01:00 +1100	[diff] [blame]	88	auth_password(Authctxt authctxt, const char password)
Damien Miller	d4a8b7e	1999-10-27 13:42:43 +1000	[diff] [blame]	89	{
Damien Miller	60396b0	2001-02-18 17:01:00 +1100	[diff] [blame]	90	struct passwd * pw = authctxt->pw;
Damien Miller	95def09	1999-11-25 00:26:21 +1100	[diff] [blame]	91	char *encrypted_password;
Damien Miller	2e1b082	1999-12-25 10:11:29 +1100	[diff] [blame]	92	char *pw_password;
				93	char *salt;
Damien Miller	8a1e6a6	2000-09-16 15:55:52 +1100	[diff] [blame]	94	#ifdef __hpux
				95	struct pr_passwd *spw;
				96	#endif
Damien Miller	78315eb	2000-09-29 23:01:36 +1100	[diff] [blame]	97	#ifdef HAVE_SCO_PROTECTED_PW
				98	struct pr_passwd *spw;
				99	#endif /* HAVE_SCO_PROTECTED_PW */
Damien Miller	8a1e6a6	2000-09-16 15:55:52 +1100	[diff] [blame]	100	#if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW)
Damien Miller	95def09	1999-11-25 00:26:21 +1100	[diff] [blame]	101	struct spwd *spw;
Damien Miller	2cb210f	1999-11-13 15:40:10 +1100	[diff] [blame]	102	#endif
Damien Miller	8a1e6a6	2000-09-16 15:55:52 +1100	[diff] [blame]	103	#if defined(HAVE_GETPWANAM) && !defined(DISABLE_SHADOW)
Damien Miller	dfc83f4	2000-05-20 15:02:59 +1000	[diff] [blame]	104	struct passwd_adjunct *spw;
				105	#endif
Damien Miller	1fa154b	2000-01-23 10:32:03 +1100	[diff] [blame]	106	#ifdef WITH_AIXAUTHENTICATE
				107	char *authmsg;
				108	char *loginmsg;
				109	int reenter = 1;
				110	#endif
Damien Miller	d4a8b7e	1999-10-27 13:42:43 +1000	[diff] [blame]	111
Damien Miller	ece22a8	1999-12-30 09:48:15 +1100	[diff] [blame]	112	/* deny if no user. */
				113	if (pw == NULL)
				114	return 0;
Damien Miller	bac2d8a	2000-09-05 16:13:06 +1100	[diff] [blame]	115	#ifndef HAVE_CYGWIN
Ben Lindstrom	d8a9021	2001-02-15 03:08:27 +0000	[diff] [blame]	116	if (pw->pw_uid == 0 && options.permit_root_login != PERMIT_YES)
Damien Miller	95def09	1999-11-25 00:26:21 +1100	[diff] [blame]	117	return 0;
Damien Miller	bac2d8a	2000-09-05 16:13:06 +1100	[diff] [blame]	118	#endif
				119	#ifdef HAVE_CYGWIN
				120	/*
				121	* Empty password is only possible on NT if the user has _really_
				122	* an empty password and authentication is done, though.
				123	*/
Kevin Steves	ef4eea9	2001-02-05 12:42:17 +0000	[diff] [blame]	124	if (!is_winnt)
Damien Miller	bac2d8a	2000-09-05 16:13:06 +1100	[diff] [blame]	125	#endif
Damien Miller	5428f64	1999-11-25 11:54:57 +1100	[diff] [blame]	126	if (*password == '\0' && options.permit_empty_passwd == 0)
Damien Miller	95def09	1999-11-25 00:26:21 +1100	[diff] [blame]	127	return 0;
Damien Miller	60396b0	2001-02-18 17:01:00 +1100	[diff] [blame]	128	#ifdef BSD_AUTH
				129	if (auth_userokay(pw->pw_name, authctxt->style, "auth-ssh",
				130	(char *)password) == 0)
				131	return 0;
				132	else
				133	return 1;
				134	#endif
Damien Miller	d4a8b7e	1999-10-27 13:42:43 +1000	[diff] [blame]	135
Damien Miller	bac2d8a	2000-09-05 16:13:06 +1100	[diff] [blame]	136	#ifdef HAVE_CYGWIN
				137	if (is_winnt) {
				138	HANDLE hToken = cygwin_logon_user(pw, password);
				139
				140	if (hToken == INVALID_HANDLE_VALUE)
				141	return 0;
				142	cygwin_set_impersonation_token(hToken);
				143	return 1;
				144	}
				145	#endif
				146
Damien Miller	1fa154b	2000-01-23 10:32:03 +1100	[diff] [blame]	147	#ifdef WITH_AIXAUTHENTICATE
				148	return (authenticate(pw->pw_name,password,&reenter,&authmsg) == 0);
				149	#endif
				150
Damien Miller	aae6c61	1999-12-06 11:47:28 +1100	[diff] [blame]	151	#ifdef KRB4
				152	if (options.kerberos_authentication == 1) {
				153	int ret = auth_krb4_password(pw, password);
				154	if (ret == 1 \|\| ret == 0)
				155	return ret;
Damien Miller	95def09	1999-11-25 00:26:21 +1100	[diff] [blame]	156	/* Fall back to ordinary passwd authentication. */
Damien Miller	d4a8b7e	1999-10-27 13:42:43 +1000	[diff] [blame]	157	}
Damien Miller	aae6c61	1999-12-06 11:47:28 +1100	[diff] [blame]	158	#endif
Damien Miller	95def09	1999-11-25 00:26:21 +1100	[diff] [blame]	159
Damien Miller	8a1e6a6	2000-09-16 15:55:52 +1100	[diff] [blame]	160
Damien Miller	2e1b082	1999-12-25 10:11:29 +1100	[diff] [blame]	161	pw_password = pw->pw_passwd;
Damien Miller	606f880	2000-09-16 15:39:56 +1100	[diff] [blame]	162
Damien Miller	8a1e6a6	2000-09-16 15:55:52 +1100	[diff] [blame]	163	/*
				164	* Various interfaces to shadow or protected password data
				165	*/
Damien Miller	cb7e5f9	1999-12-21 21:03:09 +1100	[diff] [blame]	166	#if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW)
Damien Miller	95def09	1999-11-25 00:26:21 +1100	[diff] [blame]	167	spw = getspnam(pw->pw_name);
Kevin Steves	ef4eea9	2001-02-05 12:42:17 +0000	[diff] [blame]	168	if (spw != NULL)
Damien Miller	8eb0fd6	1999-12-31 08:49:13 +1100	[diff] [blame]	169	pw_password = spw->sp_pwdp;
Damien Miller	cb7e5f9	1999-12-21 21:03:09 +1100	[diff] [blame]	170	#endif /* defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW) */
Damien Miller	78315eb	2000-09-29 23:01:36 +1100	[diff] [blame]	171
				172	#ifdef HAVE_SCO_PROTECTED_PW
				173	spw = getprpwnam(pw->pw_name);
Kevin Steves	ef4eea9	2001-02-05 12:42:17 +0000	[diff] [blame]	174	if (spw != NULL)
Damien Miller	78315eb	2000-09-29 23:01:36 +1100	[diff] [blame]	175	pw_password = spw->ufld.fd_encrypt;
				176	#endif /* HAVE_SCO_PROTECTED_PW */
				177
Damien Miller	dfc83f4	2000-05-20 15:02:59 +1000	[diff] [blame]	178	#if defined(HAVE_GETPWANAM) && !defined(DISABLE_SHADOW)
				179	if (issecure() && (spw = getpwanam(pw->pw_name)) != NULL)
Damien Miller	dfc83f4	2000-05-20 15:02:59 +1000	[diff] [blame]	180	pw_password = spw->pwa_passwd;
Damien Miller	dfc83f4	2000-05-20 15:02:59 +1000	[diff] [blame]	181	#endif /* defined(HAVE_GETPWANAM) && !defined(DISABLE_SHADOW) */
Damien Miller	78315eb	2000-09-29 23:01:36 +1100	[diff] [blame]	182
Damien Miller	8a1e6a6	2000-09-16 15:55:52 +1100	[diff] [blame]	183	#if defined(__hpux)
				184	if (iscomsec() && (spw = getprpwnam(pw->pw_name)) != NULL)
				185	pw_password = spw->ufld.fd_encrypt;
				186	#endif /* defined(__hpux) */
				187
				188	/* Check for users with no password. */
				189	if ((password[0] == '\0') && (pw_password[0] == '\0'))
				190	return 1;
Damien Miller	2e1b082	1999-12-25 10:11:29 +1100	[diff] [blame]	191
				192	if (pw_password[0] != '\0')
				193	salt = pw_password;
				194	else
				195	salt = "xx";
				196
				197	#ifdef HAVE_MD5_PASSWORDS
				198	if (is_md5_salt(salt))
				199	encrypted_password = md5_crypt(password, salt);
				200	else
				201	encrypted_password = crypt(password, salt);
Kevin Steves	ef4eea9	2001-02-05 12:42:17 +0000	[diff] [blame]	202	#else /* HAVE_MD5_PASSWORDS */
Damien Miller	8a1e6a6	2000-09-16 15:55:52 +1100	[diff] [blame]	203	# ifdef __hpux
				204	if (iscomsec())
				205	encrypted_password = bigcrypt(password, salt);
				206	else
				207	encrypted_password = crypt(password, salt);
Damien Miller	1bead33	2000-04-30 00:47:29 +1000	[diff] [blame]	208	# else
Damien Miller	2e1b082	1999-12-25 10:11:29 +1100	[diff] [blame]	209	encrypted_password = crypt(password, salt);
Damien Miller	8a1e6a6	2000-09-16 15:55:52 +1100	[diff] [blame]	210	# endif /* __hpux */
Kevin Steves	ef4eea9	2001-02-05 12:42:17 +0000	[diff] [blame]	211	#endif /* HAVE_MD5_PASSWORDS */
Damien Miller	2e1b082	1999-12-25 10:11:29 +1100	[diff] [blame]	212
				213	/* Authentication is accepted if the encrypted passwords are identical. */
				214	return (strcmp(encrypted_password, pw_password) == 0);
Damien Miller	d4a8b7e	1999-10-27 13:42:43 +1000	[diff] [blame]	215	}
Damien Miller	b8c656e	2000-06-28 15:22:41 +1000	[diff] [blame]	216	#endif /* !USE_PAM && !HAVE_OSF_SIA */