[openssh.git] / auth-passwd.c

/*
 * Author: Tatu Ylonen <ylo@cs.hut.fi>
 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
 *                    All rights reserved
 * Created: Sat Mar 18 05:11:38 1995 ylo
 * Password authentication.  This file contains the functions to check whether
 * the password is valid for the user.
 */

#include "includes.h"

RCSID("$OpenBSD: auth-passwd.c,v 1.16 2000/06/20 01:39:38 markus Exp $");

#if !defined(USE_PAM) && !defined(HAVE_OSF_SIA)

#include "packet.h"
#include "ssh.h"
#include "servconf.h"
#include "xmalloc.h"

#ifdef WITH_AIXAUTHENTICATE
# include <login.h>
#endif
#ifdef HAVE_HPUX_TRUSTED_SYSTEM_PW
# include <hpsecurity.h>
# include <prot.h>
#endif
#ifdef HAVE_SHADOW_H
# include <shadow.h>
#endif
#ifdef HAVE_GETPWANAM
# include <sys/label.h>
# include <sys/audit.h>
# include <pwdadj.h>
#endif
#if defined(HAVE_MD5_PASSWORDS) && !defined(HAVE_MD5_CRYPT)
# include "md5crypt.h"
#endif /* defined(HAVE_MD5_PASSWORDS) && !defined(HAVE_MD5_CRYPT) */

#ifdef HAVE_CYGWIN
#undef ERROR
#include <windows.h>
#include <sys/cygwin.h>
#define is_winnt       (GetVersion() < 0x80000000)
#endif

/*
 * Tries to authenticate the user using password.  Returns true if
 * authentication succeeds.
 */
int
auth_password(struct passwd * pw, const char *password)
{
	extern ServerOptions options;
	char *encrypted_password;
	char *pw_password;
	char *salt;
#ifdef HAVE_SHADOW_H
	struct spwd *spw;
#endif
#ifdef HAVE_GETPWANAM
	struct passwd_adjunct *spw;
#endif
#ifdef WITH_AIXAUTHENTICATE
	char *authmsg;
	char *loginmsg;
	int reenter = 1;
#endif

	/* deny if no user. */
	if (pw == NULL)
		return 0;
#ifndef HAVE_CYGWIN
	if (pw->pw_uid == 0 && options.permit_root_login == 2)
		return 0;
#endif
#ifdef HAVE_CYGWIN
	/*
	 * Empty password is only possible on NT if the user has _really_
	 * an empty password and authentication is done, though.
	 */
        if (!is_winnt) 
#endif
	if (*password == '\0' && options.permit_empty_passwd == 0)
		return 0;

#ifdef HAVE_CYGWIN
	if (is_winnt) {
		HANDLE hToken = cygwin_logon_user(pw, password);

		if (hToken == INVALID_HANDLE_VALUE)
			return 0;
		cygwin_set_impersonation_token(hToken);
		return 1;
	}
#endif

#ifdef SKEY
	if (options.skey_authentication == 1) {
		int ret = auth_skey_password(pw, password);
		if (ret == 1 || ret == 0)
			return ret;
		/* Fall back to ordinary passwd authentication. */
	}
#endif

#ifdef WITH_AIXAUTHENTICATE
	return (authenticate(pw->pw_name,password,&reenter,&authmsg) == 0);
#endif

#ifdef KRB4
	if (options.kerberos_authentication == 1) {
		int ret = auth_krb4_password(pw, password);
		if (ret == 1 || ret == 0)
			return ret;
		/* Fall back to ordinary passwd authentication. */
	}
#endif

	/* Check for users with no password. */
	if (strcmp(password, "") == 0 && strcmp(pw->pw_passwd, "") == 0)
		return 1;

	pw_password = pw->pw_passwd;

#if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW)
	spw = getspnam(pw->pw_name);
	if (spw != NULL) 
	{
		/* Check for users with no password. */
		if (strcmp(password, "") == 0 && strcmp(spw->sp_pwdp, "") == 0)
			return 1;

		pw_password = spw->sp_pwdp;
	}
#endif /* defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW) */
#if defined(HAVE_GETPWANAM) && !defined(DISABLE_SHADOW)
	if (issecure() && (spw = getpwanam(pw->pw_name)) != NULL)
	{
		/* Check for users with no password. */
		if (strcmp(password, "") == 0 && strcmp(spw->pwa_passwd, "") == 0)
			return 1;

		pw_password = spw->pwa_passwd;
	}
#endif /* defined(HAVE_GETPWANAM) && !defined(DISABLE_SHADOW) */

	if (pw_password[0] != '\0')
		salt = pw_password;
	else
		salt = "xx";

#ifdef HAVE_MD5_PASSWORDS
	if (is_md5_salt(salt))
		encrypted_password = md5_crypt(password, salt);
	else
		encrypted_password = crypt(password, salt);
#else /* HAVE_MD5_PASSWORDS */    
# ifdef HAVE_HPUX_TRUSTED_SYSTEM_PW
	encrypted_password = bigcrypt(password, salt);
# else
	encrypted_password = crypt(password, salt);
# endif /* HAVE_HPUX_TRUSTED_SYSTEM_PW */
#endif /* HAVE_MD5_PASSWORDS */    

	/* Authentication is accepted if the encrypted passwords are identical. */
	return (strcmp(encrypted_password, pw_password) == 0);
}
#endif /* !USE_PAM && !HAVE_OSF_SIA */
Commit	Line	Data
8efc0c15	1	/*
5260325f	2	* Author: Tatu Ylonen <ylo@cs.hut.fi>
	3	* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
	4	* All rights reserved
	5	* Created: Sat Mar 18 05:11:38 1995 ylo
	6	* Password authentication. This file contains the functions to check whether
	7	* the password is valid for the user.
	8	*/
8efc0c15	9
8efc0c15	10	#include "includes.h"
caf3bc51	11
74fc9186	12	RCSID("$OpenBSD: auth-passwd.c,v 1.16 2000/06/20 01:39:38 markus Exp $");
8efc0c15	13
4d33e531	14	#if !defined(USE_PAM) && !defined(HAVE_OSF_SIA)
4d33e531	15
8efc0c15	16	#include "packet.h"
	17	#include "ssh.h"
	18	#include "servconf.h"
	19	#include "xmalloc.h"
b2344d54	20
4c40f834	21	#ifdef WITH_AIXAUTHENTICATE
2b763e31	22	# include <login.h>
	23	#endif
	24	#ifdef HAVE_HPUX_TRUSTED_SYSTEM_PW
	25	# include <hpsecurity.h>
	26	# include <prot.h>
4c40f834	27	#endif
b2344d54	28	#ifdef HAVE_SHADOW_H
d94aa2ae	29	# include <shadow.h>
caf3bc51	30	#endif
a423beaf	31	#ifdef HAVE_GETPWANAM
	32	# include <sys/label.h>
	33	# include <sys/audit.h>
	34	# include <pwdadj.h>
	35	#endif
d94aa2ae	36	#if defined(HAVE_MD5_PASSWORDS) && !defined(HAVE_MD5_CRYPT)
	37	# include "md5crypt.h"
	38	#endif /* defined(HAVE_MD5_PASSWORDS) && !defined(HAVE_MD5_CRYPT) */
caf3bc51	39
3c62e7eb	40	#ifdef HAVE_CYGWIN
	41	#undef ERROR
	42	#include <windows.h>
	43	#include <sys/cygwin.h>
	44	#define is_winnt (GetVersion() < 0x80000000)
	45	#endif
	46
5260325f	47	/*
	48	* Tries to authenticate the user using password. Returns true if
	49	* authentication succeeds.
	50	*/
6ae2364d	51	int
5260325f	52	auth_password(struct passwd * pw, const char *password)
8efc0c15	53	{
5260325f	54	extern ServerOptions options;
5260325f	55	char *encrypted_password;
f498ed15	56	char *pw_password;
f498ed15	57	char *salt;
b2344d54	58	#ifdef HAVE_SHADOW_H
5260325f	59	struct spwd *spw;
b2344d54	60	#endif
a423beaf	61	#ifdef HAVE_GETPWANAM
	62	struct passwd_adjunct *spw;
	63	#endif
4c40f834	64	#ifdef WITH_AIXAUTHENTICATE
	65	char *authmsg;
	66	char *loginmsg;
	67	int reenter = 1;
	68	#endif
8efc0c15	69
13f825f4	70	/* deny if no user. */
	71	if (pw == NULL)
	72	return 0;
3c62e7eb	73	#ifndef HAVE_CYGWIN
aa3378df	74	if (pw->pw_uid == 0 && options.permit_root_login == 2)
5260325f	75	return 0;
3c62e7eb	76	#endif
	77	#ifdef HAVE_CYGWIN
	78	/*
	79	* Empty password is only possible on NT if the user has _really_
	80	* an empty password and authentication is done, though.
	81	*/
	82	if (!is_winnt)
	83	#endif
aa3378df	84	if (*password == '\0' && options.permit_empty_passwd == 0)
5260325f	85	return 0;
8efc0c15	86
3c62e7eb	87	#ifdef HAVE_CYGWIN
	88	if (is_winnt) {
	89	HANDLE hToken = cygwin_logon_user(pw, password);
	90
	91	if (hToken == INVALID_HANDLE_VALUE)
	92	return 0;
	93	cygwin_set_impersonation_token(hToken);
	94	return 1;
	95	}
	96	#endif
	97
8efc0c15	98	#ifdef SKEY
5260325f	99	if (options.skey_authentication == 1) {
57112b5a	100	int ret = auth_skey_password(pw, password);
	101	if (ret == 1 \|\| ret == 0)
	102	return ret;
5260325f	103	/* Fall back to ordinary passwd authentication. */
5260325f	104	}
8efc0c15	105	#endif
4c40f834	106
	107	#ifdef WITH_AIXAUTHENTICATE
	108	return (authenticate(pw->pw_name,password,&reenter,&authmsg) == 0);
	109	#endif
	110
57112b5a	111	#ifdef KRB4
	112	if (options.kerberos_authentication == 1) {
	113	int ret = auth_krb4_password(pw, password);
	114	if (ret == 1 \|\| ret == 0)
	115	return ret;
5260325f	116	/* Fall back to ordinary passwd authentication. */
8efc0c15	117	}
57112b5a	118	#endif
5260325f	119
5260325f	120	/* Check for users with no password. */
aa3378df	121	if (strcmp(password, "") == 0 && strcmp(pw->pw_passwd, "") == 0)
5260325f	122	return 1;
8efc0c15	123
f498ed15	124	pw_password = pw->pw_passwd;
f498ed15	125
59dd7a31	126	#if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW)
5260325f	127	spw = getspnam(pw->pw_name);
76b8607f	128	if (spw != NULL)
	129	{
	130	/* Check for users with no password. */
	131	if (strcmp(password, "") == 0 && strcmp(spw->sp_pwdp, "") == 0)
	132	return 1;
b2344d54	133
76b8607f	134	pw_password = spw->sp_pwdp;
76b8607f	135	}
f498ed15	136	#endif /* defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW) */
a423beaf	137	#if defined(HAVE_GETPWANAM) && !defined(DISABLE_SHADOW)
	138	if (issecure() && (spw = getpwanam(pw->pw_name)) != NULL)
	139	{
	140	/* Check for users with no password. */
	141	if (strcmp(password, "") == 0 && strcmp(spw->pwa_passwd, "") == 0)
	142	return 1;
	143
	144	pw_password = spw->pwa_passwd;
	145	}
	146	#endif /* defined(HAVE_GETPWANAM) && !defined(DISABLE_SHADOW) */
b2344d54	147
f498ed15	148	if (pw_password[0] != '\0')
f498ed15	149	salt = pw_password;
5260325f	150	else
f498ed15	151	salt = "xx";
59dd7a31	152
59dd7a31	153	#ifdef HAVE_MD5_PASSWORDS
f498ed15	154	if (is_md5_salt(salt))
f498ed15	155	encrypted_password = md5_crypt(password, salt);
59dd7a31	156	else
f498ed15	157	encrypted_password = crypt(password, salt);
59dd7a31	158	#else /* HAVE_MD5_PASSWORDS */
2b763e31	159	# ifdef HAVE_HPUX_TRUSTED_SYSTEM_PW
	160	encrypted_password = bigcrypt(password, salt);
	161	# else
f498ed15	162	encrypted_password = crypt(password, salt);
2b763e31	163	# endif /* HAVE_HPUX_TRUSTED_SYSTEM_PW */
59dd7a31	164	#endif /* HAVE_MD5_PASSWORDS */
b2344d54	165
5260325f	166	/* Authentication is accepted if the encrypted passwords are identical. */
f498ed15	167	return (strcmp(encrypted_password, pw_password) == 0);
8efc0c15	168	}
4d33e531	169	#endif /* !USE_PAM && !HAVE_OSF_SIA */