[openssh.git] / auth2.c

/*
 * Copyright (c) 2000 Markus Friedl.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */

#include "includes.h"
RCSID("$OpenBSD: auth2.c,v 1.19 2000/10/11 20:27:23 markus Exp $");

#ifdef HAVE_OSF_SIA
# include <sia.h>
# include <siad.h>
#endif

#include <openssl/dsa.h>
#include <openssl/rsa.h>
#include <openssl/evp.h>

#include "xmalloc.h"
#include "rsa.h"
#include "ssh.h"
#include "pty.h"
#include "packet.h"
#include "buffer.h"
#include "servconf.h"
#include "compat.h"
#include "channels.h"
#include "bufaux.h"
#include "ssh2.h"
#include "auth.h"
#include "session.h"
#include "dispatch.h"
#include "auth.h"
#include "key.h"
#include "kex.h"

#include "dsa.h"
#include "uidswap.h"
#include "auth-options.h"

/* import */
extern ServerOptions options;
extern unsigned char *session_id2;
extern int session_id2_len;

#ifdef WITH_AIXAUTHENTICATE
extern char *aixloginmsg;
#endif
#ifdef HAVE_OSF_SIA
extern int saved_argc;
extern char **saved_argv;
#endif

static Authctxt	*x_authctxt = NULL;
static int one = 1;

typedef struct Authmethod Authmethod;
struct Authmethod {
	char	*name;
	int	(*userauth)(Authctxt *authctxt);
	int	*enabled;
};

/* protocol */

void	input_service_request(int type, int plen, void *ctxt);
void	input_userauth_request(int type, int plen, void *ctxt);
void	protocol_error(int type, int plen, void *ctxt);


/* helper */
Authmethod	*authmethod_lookup(const char *name);
struct passwd	*pwcopy(struct passwd *pw);
int	user_dsa_key_allowed(struct passwd *pw, Key *key);
char	*authmethods_get(void);

/* auth */
int	userauth_none(Authctxt *authctxt);
int	userauth_passwd(Authctxt *authctxt);
int	userauth_pubkey(Authctxt *authctxt);
int	userauth_kbdint(Authctxt *authctxt);

Authmethod authmethods[] = {
	{"none",
		userauth_none,
		&one},
	{"publickey",
		userauth_pubkey,
		&options.dsa_authentication},
	{"keyboard-interactive",
		userauth_kbdint,
		&options.kbd_interactive_authentication},
	{"password",
		userauth_passwd,
		&options.password_authentication},
	{NULL, NULL, NULL}
};

/*
 * loop until authctxt->success == TRUE
 */

void
do_authentication2()
{
	Authctxt *authctxt = xmalloc(sizeof(*authctxt));
	memset(authctxt, 'a', sizeof(*authctxt));
	authctxt->valid = 0;
	authctxt->attempt = 0;
	authctxt->success = 0;
	x_authctxt = authctxt;		/*XXX*/

#ifdef KRB4
	/* turn off kerberos, not supported by SSH2 */
	options.kerberos_authentication = 0;
#endif
	dispatch_init(&protocol_error);
	dispatch_set(SSH2_MSG_SERVICE_REQUEST, &input_service_request);
	dispatch_run(DISPATCH_BLOCK, &authctxt->success, authctxt);
	do_authenticated2();
}

void
protocol_error(int type, int plen, void *ctxt)
{
	log("auth: protocol error: type %d plen %d", type, plen);
	packet_start(SSH2_MSG_UNIMPLEMENTED);
	packet_put_int(0);
	packet_send();
	packet_write_wait();
}

void
input_service_request(int type, int plen, void *ctxt)
{
	Authctxt *authctxt = ctxt;
	unsigned int len;
	int accept = 0;
	char *service = packet_get_string(&len);
	packet_done();

	if (authctxt == NULL)
		fatal("input_service_request: no authctxt");

	if (strcmp(service, "ssh-userauth") == 0) {
		if (!authctxt->success) {
			accept = 1;
			/* now we can handle user-auth requests */
			dispatch_set(SSH2_MSG_USERAUTH_REQUEST, &input_userauth_request);
		}
	}
	/* XXX all other service requests are denied */

	if (accept) {
		packet_start(SSH2_MSG_SERVICE_ACCEPT);
		packet_put_cstring(service);
		packet_send();
		packet_write_wait();
	} else {
		debug("bad service request %s", service);
		packet_disconnect("bad service request %s", service);
	}
	xfree(service);
}

void
input_userauth_request(int type, int plen, void *ctxt)
{
	Authctxt *authctxt = ctxt;
	Authmethod *m = NULL;
	char *user, *service, *method;
	int authenticated = 0;

	if (authctxt == NULL)
		fatal("input_userauth_request: no authctxt");
	if (authctxt->attempt++ >= AUTH_FAIL_MAX) {
#ifdef WITH_AIXAUTHENTICATE 
		loginfailed(user,get_canonical_hostname(),"ssh");
#endif /* WITH_AIXAUTHENTICATE */
		packet_disconnect("too many failed userauth_requests");
	}

	user = packet_get_string(NULL);
	service = packet_get_string(NULL);
	method = packet_get_string(NULL);
	debug("userauth-request for user %s service %s method %s", user, service, method);
	debug("attempt #%d", authctxt->attempt);

	if (authctxt->attempt == 1) { 
		/* setup auth context */
		struct passwd *pw = NULL;
		setproctitle("%s", user);
		pw = getpwnam(user);
		if (pw && allowed_user(pw) && strcmp(service, "ssh-connection")==0) {
			authctxt->pw = pwcopy(pw);
			authctxt->valid = 1;
			debug2("input_userauth_request: setting up authctxt for %s", user);
#ifdef USE_PAM
			start_pam(pw);
#endif
		} else {
			log("input_userauth_request: illegal user %s", user);
		}
		authctxt->user = xstrdup(user);
		authctxt->service = xstrdup(service);
	} else if (authctxt->valid) {
		if (strcmp(user, authctxt->user) != 0 ||
		    strcmp(service, authctxt->service) != 0) {
			log("input_userauth_request: missmatch: (%s,%s)!=(%s,%s)",
			    user, service, authctxt->user, authctxt->service);
			authctxt->valid = 0;
		}
	}

	m = authmethod_lookup(method);
	if (m != NULL) {
		debug2("input_userauth_request: try method %s", method);
		authenticated =	m->userauth(authctxt);
	} else {
		debug2("input_userauth_request: unsupported method %s", method);
	}
	if (!authctxt->valid && authenticated == 1) {
		log("input_userauth_request: INTERNAL ERROR: authenticated invalid user %s service %s", user, method);
		authenticated = 0;
	}

	/* Special handling for root */
	if (authenticated == 1 &&
	    authctxt->valid && authctxt->pw->pw_uid == 0 && !options.permit_root_login) {
		authenticated = 0;
		log("ROOT LOGIN REFUSED FROM %.200s", get_canonical_hostname());
	}

#ifdef USE_PAM
	if (authenticated && !do_pam_account(authctxt->pw->pw_name, NULL))
		authenticated = 0;
#endif /* USE_PAM */

	/* Log before sending the reply */
	userauth_log(authctxt, authenticated, method);
	userauth_reply(authctxt, authenticated);

	xfree(service);
	xfree(user);
	xfree(method);
}


void
userauth_log(Authctxt *authctxt, int authenticated, char *method)
{
	void (*authlog) (const char *fmt,...) = verbose;
	char *user = NULL, *authmsg = NULL;

	/* Raise logging level */
	if (authenticated == 1 ||
	    !authctxt->valid ||
	    authctxt->attempt >= AUTH_FAIL_LOG ||
	    strcmp(method, "password") == 0)
		authlog = log;

	if (authenticated == 1) {
		authmsg = "Accepted";
	} else if (authenticated == 0) {
		authmsg = "Failed";
	} else {
		authmsg = "Postponed";
	}

	if (authctxt->valid) {
		user = authctxt->pw->pw_uid == 0 ? "ROOT" : authctxt->user;
	} else {
		user = "NOUSER";
	}

	authlog("%s %s for %.200s from %.200s port %d ssh2",
	    authmsg,
	    method,
	    user,
	    get_remote_ipaddr(),
	    get_remote_port());
}

void   
userauth_reply(Authctxt *authctxt, int authenticated)
{
	/* XXX todo: check if multiple auth methods are needed */
	if (authenticated == 1) {
#ifdef WITH_AIXAUTHENTICATE
		/* We don't have a pty yet, so just label the line as "ssh" */
		if (loginsuccess(user, get_canonical_hostname(), "ssh",
				&aixloginmsg) < 0)
			aixloginmsg = NULL;
#endif /* WITH_AIXAUTHENTICATE */
		/* turn off userauth */
		dispatch_set(SSH2_MSG_USERAUTH_REQUEST, &protocol_error);
		packet_start(SSH2_MSG_USERAUTH_SUCCESS);
		packet_send();
		packet_write_wait();
		/* now we can break out */
		authctxt->success = 1;
	} else if (authenticated == 0) {
		char *methods = authmethods_get();
		packet_start(SSH2_MSG_USERAUTH_FAILURE);
		packet_put_cstring(methods);
		packet_put_char(0);	/* XXX partial success, unused */
		packet_send();
		packet_write_wait();
		xfree(methods);
	} else {
		/* do nothing, we did already send a reply */
	}
}

int
userauth_none(Authctxt *authctxt)
{
	/* disable method "none", only allowed one time */
	Authmethod *m = authmethod_lookup("none");
	if (m != NULL)
		m->enabled = NULL;
	packet_done();

	if (authctxt->valid == 0)
		return(0);
		
#ifdef HAVE_CYGWIN
	if (check_nt_auth(1, authctxt->pw->pw_uid) == 0)
		return(0);
#endif
#ifdef USE_PAM
	return auth_pam_password(authctxt->pw, "");
#elif defined(HAVE_OSF_SIA)
	return (sia_validate_user(NULL, saved_argc, saved_argv, 
		get_canonical_hostname(), authctxt->pw->pw_name, NULL, 
		0, NULL, "") == SIASUCCESS);
#else /* !HAVE_OSF_SIA && !USE_PAM */
	return auth_password(authctxt->pw, "");
#endif /* USE_PAM */
}

int
userauth_passwd(Authctxt *authctxt)
{
	char *password;
	int authenticated = 0;
	int change;
	unsigned int len;
	change = packet_get_char();
	if (change)
		log("password change not supported");
	password = packet_get_string(&len);
	packet_done();
	if (authctxt->valid &&
#ifdef HAVE_CYGWIN
		check_nt_auth(1, authctxt->pw->pw_uid) &&
#endif
#ifdef USE_PAM
	    auth_pam_password(authctxt->pw, password) == 1)
#elif defined(HAVE_OSF_SIA)
	    sia_validate_user(NULL, saved_argc, saved_argv, 
		 	get_canonical_hostname(), authctxt->pw->pw_name, NULL, 0, 
			NULL, password) == SIASUCCESS)
#else /* !USE_PAM && !HAVE_OSF_SIA */
	    auth_password(authctxt->pw, password) == 1)
#endif /* USE_PAM */
		authenticated = 1;
	memset(password, 0, len);
	xfree(password);
	return authenticated;
}

int
userauth_kbdint(Authctxt *authctxt)
{
	int authenticated = 0;
	char *lang = NULL;
	char *devs = NULL;

	lang = packet_get_string(NULL);
	devs = packet_get_string(NULL);
	packet_done();

	debug("keyboard-interactive language %s devs %s", lang, devs);
#ifdef SKEY
	/* XXX hardcoded, we should look at devs */
	if (options.skey_authentication != 0)
		authenticated = auth2_skey(authctxt);
#endif
	xfree(lang);
	xfree(devs);
#ifdef HAVE_CYGWIN
	if (check_nt_auth(0, authctxt->pw->pw_uid) == 0)
		return(0);
#endif
	return authenticated;
}

int
userauth_pubkey(Authctxt *authctxt)
{
	Buffer b;
	Key *key;
	char *pkalg, *pkblob, *sig;
	unsigned int alen, blen, slen;
	int have_sig;
	int authenticated = 0;

	if (!authctxt->valid) {
		debug2("userauth_pubkey: disabled because of invalid user");
		return 0;
	}
	have_sig = packet_get_char();
	pkalg = packet_get_string(&alen);
	if (strcmp(pkalg, KEX_DSS) != 0) {
		log("bad pkalg %s", pkalg);	/*XXX*/
		xfree(pkalg);
		return 0;
	}
	pkblob = packet_get_string(&blen);
	key = dsa_key_from_blob(pkblob, blen);
	if (key != NULL) {
		if (have_sig) {
			sig = packet_get_string(&slen);
			packet_done();
			buffer_init(&b);
			if (datafellows & SSH_COMPAT_SESSIONID_ENCODING) {
				buffer_put_string(&b, session_id2, session_id2_len);
			} else {
				buffer_append(&b, session_id2, session_id2_len);
			}
			/* reconstruct packet */
			buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST);
			buffer_put_cstring(&b, authctxt->user);
			buffer_put_cstring(&b,
			    datafellows & SSH_BUG_PUBKEYAUTH ?
			    "ssh-userauth" :
			    authctxt->service);
			buffer_put_cstring(&b, "publickey");
			buffer_put_char(&b, have_sig);
			buffer_put_cstring(&b, KEX_DSS);
			buffer_put_string(&b, pkblob, blen);
#ifdef DEBUG_DSS
			buffer_dump(&b);
#endif
			/* test for correct signature */
			if (user_dsa_key_allowed(authctxt->pw, key) &&
			    dsa_verify(key, sig, slen, buffer_ptr(&b), buffer_len(&b)) == 1)
				authenticated = 1;
			buffer_clear(&b);
			xfree(sig);
		} else {
			debug("test whether pkalg/pkblob are acceptable");
			packet_done();

			/* XXX fake reply and always send PK_OK ? */
			/*
			 * XXX this allows testing whether a user is allowed
			 * to login: if you happen to have a valid pubkey this
			 * message is sent. the message is NEVER sent at all
			 * if a user is not allowed to login. is this an
			 * issue? -markus
			 */
			if (user_dsa_key_allowed(authctxt->pw, key)) {
				packet_start(SSH2_MSG_USERAUTH_PK_OK);
				packet_put_string(pkalg, alen);
				packet_put_string(pkblob, blen);
				packet_send();
				packet_write_wait();
				authenticated = -1;
			}
		}
		if (authenticated != 1)
			auth_clear_options();
		key_free(key);
	}
	xfree(pkalg);
	xfree(pkblob);
#ifdef HAVE_CYGWIN
	if (check_nt_auth(0, authctxt->pw->pw_uid) == 0)
		return(0);
#endif
	return authenticated;
}

/* get current user */

struct passwd*
auth_get_user(void)
{
	return (x_authctxt != NULL && x_authctxt->valid) ? x_authctxt->pw : NULL;
}

#define	DELIM	","

char *
authmethods_get(void)
{
	Authmethod *method = NULL;
	unsigned int size = 0;
	char *list;

	for (method = authmethods; method->name != NULL; method++) {
		if (strcmp(method->name, "none") == 0)
			continue;
		if (method->enabled != NULL && *(method->enabled) != 0) {
			if (size != 0)
				size += strlen(DELIM);
			size += strlen(method->name);
		}
	}
	size++;			/* trailing '\0' */
	list = xmalloc(size);
	list[0] = '\0';

	for (method = authmethods; method->name != NULL; method++) {
		if (strcmp(method->name, "none") == 0)
			continue;
		if (method->enabled != NULL && *(method->enabled) != 0) {
			if (list[0] != '\0')
				strlcat(list, DELIM, size);
			strlcat(list, method->name, size);
		}
	}
	return list;
}

Authmethod *
authmethod_lookup(const char *name)
{
	Authmethod *method = NULL;
	if (name != NULL)
		for (method = authmethods; method->name != NULL; method++)
			if (method->enabled != NULL &&
			    *(method->enabled) != 0 &&
			    strcmp(name, method->name) == 0)
				return method;
	debug2("Unrecognized authentication method name: %s", name ? name : "NULL");
	return NULL;
}

/* return 1 if user allows given key */
int
user_dsa_key_allowed(struct passwd *pw, Key *key)
{
	char line[8192], file[1024];
	int found_key = 0;
	unsigned int bits = -1;
	FILE *f;
	unsigned long linenum = 0;
	struct stat st;
	Key *found;

	if (pw == NULL)
		return 0;

	/* Temporarily use the user's uid. */
	temporarily_use_uid(pw->pw_uid);

	/* The authorized keys. */
	snprintf(file, sizeof file, "%.500s/%.100s", pw->pw_dir,
	    SSH_USER_PERMITTED_KEYS2);

	/* Fail quietly if file does not exist */
	if (stat(file, &st) < 0) {
		/* Restore the privileged uid. */
		restore_uid();
		return 0;
	}
	/* Open the file containing the authorized keys. */
	f = fopen(file, "r");
	if (!f) {
		/* Restore the privileged uid. */
		restore_uid();
		return 0;
	}
	if (options.strict_modes) {
		int fail = 0;
		char buf[1024];
		/* Check open file in order to avoid open/stat races */
		if (fstat(fileno(f), &st) < 0 ||
		    (st.st_uid != 0 && st.st_uid != pw->pw_uid) ||
		    (st.st_mode & 022) != 0) {
			snprintf(buf, sizeof buf,
			    "%s authentication refused for %.100s: "
			    "bad ownership or modes for '%s'.",
			    key_type(key), pw->pw_name, file);
			fail = 1;
		} else {
			/* Check path to SSH_USER_PERMITTED_KEYS */
			int i;
			static const char *check[] = {
				"", SSH_USER_DIR, NULL
			};
			for (i = 0; check[i]; i++) {
				snprintf(line, sizeof line, "%.500s/%.100s",
				    pw->pw_dir, check[i]);
				if (stat(line, &st) < 0 ||
				    (st.st_uid != 0 && st.st_uid != pw->pw_uid) ||
				    (st.st_mode & 022) != 0) {
					snprintf(buf, sizeof buf,
					    "%s authentication refused for %.100s: "
					    "bad ownership or modes for '%s'.",
					    key_type(key), pw->pw_name, line);
					fail = 1;
					break;
				}
			}
		}
		if (fail) {
			fclose(f);
			log("%s",buf);
			restore_uid();
			return 0;
		}
	}
	found_key = 0;
	found = key_new(key->type);

	while (fgets(line, sizeof(line), f)) {
		char *cp, *options = NULL;
		linenum++;
		/* Skip leading whitespace, empty and comment lines. */
		for (cp = line; *cp == ' ' || *cp == '\t'; cp++)
			;
		if (!*cp || *cp == '\n' || *cp == '#')
			continue;

		bits = key_read(found, &cp);
		if (bits == 0) {
			/* no key?  check if there are options for this key */
			int quoted = 0;
			options = cp;
			for (; *cp && (quoted || (*cp != ' ' && *cp != '\t')); cp++) {
				if (*cp == '\\' && cp[1] == '"')
					cp++;	/* Skip both */
				else if (*cp == '"')
					quoted = !quoted;
			}
			/* Skip remaining whitespace. */
			for (; *cp == ' ' || *cp == '\t'; cp++)
				;
			bits = key_read(found, &cp);
			if (bits == 0) {
				/* still no key?  advance to next line*/
				continue;
			}
		}
		if (key_equal(found, key) &&
		    auth_parse_options(pw, options, linenum) == 1) {
			found_key = 1;
			debug("matching key found: file %s, line %ld",
			    file, linenum);
			break;
		}
	}
	restore_uid();
	fclose(f);
	key_free(found);
	return found_key;
}

struct passwd *
pwcopy(struct passwd *pw)
{
	struct passwd *copy = xmalloc(sizeof(*copy));
	memset(copy, 0, sizeof(*copy));
	copy->pw_name = xstrdup(pw->pw_name);
	copy->pw_passwd = xstrdup(pw->pw_passwd);
	copy->pw_uid = pw->pw_uid;
	copy->pw_gid = pw->pw_gid;
#ifdef HAVE_PW_CLASS_IN_PASSWD
	copy->pw_class = xstrdup(pw->pw_class);
#endif
	copy->pw_dir = xstrdup(pw->pw_dir);
	copy->pw_shell = xstrdup(pw->pw_shell);
	return copy;
}
Commit	Line	Data
a306f2dd	1	/*
	2	* Copyright (c) 2000 Markus Friedl. All rights reserved.
	3	*
	4	* Redistribution and use in source and binary forms, with or without
	5	* modification, are permitted provided that the following conditions
	6	* are met:
	7	* 1. Redistributions of source code must retain the above copyright
	8	* notice, this list of conditions and the following disclaimer.
	9	* 2. Redistributions in binary form must reproduce the above copyright
	10	* notice, this list of conditions and the following disclaimer in the
	11	* documentation and/or other materials provided with the distribution.
a306f2dd	12	*
	13	* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
	14	* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
	15	* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
	16	* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
	17	* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
	18	* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
	19	* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
	20	* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
	21	* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
	22	* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
	23	*/
bcbf86ec	24
a306f2dd	25	#include "includes.h"
94ec8c6b	26	RCSID("$OpenBSD: auth2.c,v 1.19 2000/10/11 20:27:23 markus Exp $");
	27
	28	#ifdef HAVE_OSF_SIA
	29	# include <sia.h>
	30	# include <siad.h>
	31	#endif
a306f2dd	32
	33	#include <openssl/dsa.h>
	34	#include <openssl/rsa.h>
	35	#include <openssl/evp.h>
	36
	37	#include "xmalloc.h"
	38	#include "rsa.h"
	39	#include "ssh.h"
	40	#include "pty.h"
	41	#include "packet.h"
	42	#include "buffer.h"
a306f2dd	43	#include "servconf.h"
	44	#include "compat.h"
	45	#include "channels.h"
	46	#include "bufaux.h"
	47	#include "ssh2.h"
	48	#include "auth.h"
	49	#include "session.h"
	50	#include "dispatch.h"
	51	#include "auth.h"
	52	#include "key.h"
	53	#include "kex.h"
	54
	55	#include "dsa.h"
	56	#include "uidswap.h"
38c295d6	57	#include "auth-options.h"
a306f2dd	58
	59	/* import */
	60	extern ServerOptions options;
	61	extern unsigned char *session_id2;
	62	extern int session_id2_len;
	63
94ec8c6b	64	#ifdef WITH_AIXAUTHENTICATE
	65	extern char *aixloginmsg;
	66	#endif
	67	#ifdef HAVE_OSF_SIA
	68	extern int saved_argc;
	69	extern char **saved_argv;
	70	#endif
	71
	72	static Authctxt *x_authctxt = NULL;
	73	static int one = 1;
	74
	75	typedef struct Authmethod Authmethod;
	76	struct Authmethod {
	77	char *name;
	78	int (userauth)(Authctxt authctxt);
	79	int *enabled;
	80	};
	81
a306f2dd	82	/* protocol */
a306f2dd	83
188adeb2	84	void input_service_request(int type, int plen, void *ctxt);
	85	void input_userauth_request(int type, int plen, void *ctxt);
	86	void protocol_error(int type, int plen, void *ctxt);
a306f2dd	87
a306f2dd	88
a306f2dd	89	/* helper */
94ec8c6b	90	Authmethod authmethod_lookup(const char name);
94ec8c6b	91	struct passwd pwcopy(struct passwd pw);
a306f2dd	92	int user_dsa_key_allowed(struct passwd pw, Key key);
94ec8c6b	93	char *authmethods_get(void);
a306f2dd	94
94ec8c6b	95	/* auth */
	96	int userauth_none(Authctxt *authctxt);
	97	int userauth_passwd(Authctxt *authctxt);
	98	int userauth_pubkey(Authctxt *authctxt);
	99	int userauth_kbdint(Authctxt *authctxt);
	100
	101	Authmethod authmethods[] = {
	102	{"none",
	103	userauth_none,
	104	&one},
	105	{"publickey",
	106	userauth_pubkey,
	107	&options.dsa_authentication},
	108	{"keyboard-interactive",
	109	userauth_kbdint,
	110	&options.kbd_interactive_authentication},
	111	{"password",
	112	userauth_passwd,
	113	&options.password_authentication},
	114	{NULL, NULL, NULL}
a306f2dd	115	};
a306f2dd	116
a306f2dd	117	/*
94ec8c6b	118	* loop until authctxt->success == TRUE
a306f2dd	119	*/
	120
	121	void
	122	do_authentication2()
	123	{
94ec8c6b	124	Authctxt authctxt = xmalloc(sizeof(authctxt));
	125	memset(authctxt, 'a', sizeof(*authctxt));
	126	authctxt->valid = 0;
	127	authctxt->attempt = 0;
	128	authctxt->success = 0;
	129	x_authctxt = authctxt; /XXX/
	130
8cb940db	131	#ifdef KRB4
94ec8c6b	132	/* turn off kerberos, not supported by SSH2 */
3189621b	133	options.kerberos_authentication = 0;
8cb940db	134	#endif
a306f2dd	135	dispatch_init(&protocol_error);
a306f2dd	136	dispatch_set(SSH2_MSG_SERVICE_REQUEST, &input_service_request);
94ec8c6b	137	dispatch_run(DISPATCH_BLOCK, &authctxt->success, authctxt);
a306f2dd	138	do_authenticated2();
	139	}
	140
	141	void
188adeb2	142	protocol_error(int type, int plen, void *ctxt)
a306f2dd	143	{
	144	log("auth: protocol error: type %d plen %d", type, plen);
	145	packet_start(SSH2_MSG_UNIMPLEMENTED);
	146	packet_put_int(0);
	147	packet_send();
	148	packet_write_wait();
	149	}
	150
	151	void
188adeb2	152	input_service_request(int type, int plen, void *ctxt)
a306f2dd	153	{
94ec8c6b	154	Authctxt *authctxt = ctxt;
a306f2dd	155	unsigned int len;
	156	int accept = 0;
	157	char *service = packet_get_string(&len);
	158	packet_done();
	159
94ec8c6b	160	if (authctxt == NULL)
	161	fatal("input_service_request: no authctxt");
	162
a306f2dd	163	if (strcmp(service, "ssh-userauth") == 0) {
94ec8c6b	164	if (!authctxt->success) {
a306f2dd	165	accept = 1;
	166	/* now we can handle user-auth requests */
	167	dispatch_set(SSH2_MSG_USERAUTH_REQUEST, &input_userauth_request);
	168	}
	169	}
	170	/* XXX all other service requests are denied */
	171
	172	if (accept) {
	173	packet_start(SSH2_MSG_SERVICE_ACCEPT);
	174	packet_put_cstring(service);
	175	packet_send();
	176	packet_write_wait();
	177	} else {
	178	debug("bad service request %s", service);
	179	packet_disconnect("bad service request %s", service);
	180	}
	181	xfree(service);
	182	}
	183
	184	void
188adeb2	185	input_userauth_request(int type, int plen, void *ctxt)
a306f2dd	186	{
94ec8c6b	187	Authctxt *authctxt = ctxt;
	188	Authmethod *m = NULL;
	189	char user, service, *method;
a306f2dd	190	int authenticated = 0;
a306f2dd	191
94ec8c6b	192	if (authctxt == NULL)
	193	fatal("input_userauth_request: no authctxt");
	194	if (authctxt->attempt++ >= AUTH_FAIL_MAX) {
c1ef8333	195	#ifdef WITH_AIXAUTHENTICATE
	196	loginfailed(user,get_canonical_hostname(),"ssh");
	197	#endif /* WITH_AIXAUTHENTICATE */
	198	packet_disconnect("too many failed userauth_requests");
	199	}
a306f2dd	200
94ec8c6b	201	user = packet_get_string(NULL);
	202	service = packet_get_string(NULL);
	203	method = packet_get_string(NULL);
	204	debug("userauth-request for user %s service %s method %s", user, service, method);
	205	debug("attempt #%d", authctxt->attempt);
	206
	207	if (authctxt->attempt == 1) {
	208	/* setup auth context */
	209	struct passwd *pw = NULL;
	210	setproctitle("%s", user);
	211	pw = getpwnam(user);
	212	if (pw && allowed_user(pw) && strcmp(service, "ssh-connection")==0) {
	213	authctxt->pw = pwcopy(pw);
	214	authctxt->valid = 1;
	215	debug2("input_userauth_request: setting up authctxt for %s", user);
	216	#ifdef USE_PAM
	217	start_pam(pw);
	218	#endif
	219	} else {
	220	log("input_userauth_request: illegal user %s", user);
	221	}
	222	authctxt->user = xstrdup(user);
	223	authctxt->service = xstrdup(service);
	224	} else if (authctxt->valid) {
	225	if (strcmp(user, authctxt->user) != 0 \|\|
	226	strcmp(service, authctxt->service) != 0) {
	227	log("input_userauth_request: missmatch: (%s,%s)!=(%s,%s)",
	228	user, service, authctxt->user, authctxt->service);
	229	authctxt->valid = 0;
a306f2dd	230	}
a306f2dd	231	}
9cd45ea4	232
94ec8c6b	233	m = authmethod_lookup(method);
	234	if (m != NULL) {
	235	debug2("input_userauth_request: try method %s", method);
	236	authenticated = m->userauth(authctxt);
	237	} else {
	238	debug2("input_userauth_request: unsupported method %s", method);
	239	}
	240	if (!authctxt->valid && authenticated == 1) {
	241	log("input_userauth_request: INTERNAL ERROR: authenticated invalid user %s service %s", user, method);
9cd45ea4	242	authenticated = 0;
9cd45ea4	243	}
9cd45ea4	244
94ec8c6b	245	/* Special handling for root */
	246	if (authenticated == 1 &&
	247	authctxt->valid && authctxt->pw->pw_uid == 0 && !options.permit_root_login) {
a306f2dd	248	authenticated = 0;
94ec8c6b	249	log("ROOT LOGIN REFUSED FROM %.200s", get_canonical_hostname());
a306f2dd	250	}
	251
	252	#ifdef USE_PAM
94ec8c6b	253	if (authenticated && !do_pam_account(authctxt->pw->pw_name, NULL))
9cd45ea4	254	authenticated = 0;
a306f2dd	255	#endif /* USE_PAM */
a306f2dd	256
94ec8c6b	257	/* Log before sending the reply */
	258	userauth_log(authctxt, authenticated, method);
	259	userauth_reply(authctxt, authenticated);
	260
	261	xfree(service);
	262	xfree(user);
	263	xfree(method);
	264	}
	265
	266
	267	void
	268	userauth_log(Authctxt authctxt, int authenticated, char method)
	269	{
	270	void (authlog) (const char fmt,...) = verbose;
	271	char user = NULL, authmsg = NULL;
	272
1d1ffb87	273	/* Raise logging level */
1d1ffb87	274	if (authenticated == 1 \|\|
94ec8c6b	275	!authctxt->valid \|\|
94ec8c6b	276	authctxt->attempt >= AUTH_FAIL_LOG \|\|
1d1ffb87	277	strcmp(method, "password") == 0)
	278	authlog = log;
	279
a306f2dd	280	if (authenticated == 1) {
a306f2dd	281	authmsg = "Accepted";
1d1ffb87	282	} else if (authenticated == 0) {
	283	authmsg = "Failed";
	284	} else {
	285	authmsg = "Postponed";
	286	}
94ec8c6b	287
	288	if (authctxt->valid) {
	289	user = authctxt->pw->pw_uid == 0 ? "ROOT" : authctxt->user;
	290	} else {
	291	user = "NOUSER";
	292	}
	293
1d1ffb87	294	authlog("%s %s for %.200s from %.200s port %d ssh2",
94ec8c6b	295	authmsg,
	296	method,
	297	user,
	298	get_remote_ipaddr(),
	299	get_remote_port());
	300	}
1d1ffb87	301
94ec8c6b	302	void
	303	userauth_reply(Authctxt *authctxt, int authenticated)
	304	{
1d1ffb87	305	/* XXX todo: check if multiple auth methods are needed */
1d1ffb87	306	if (authenticated == 1) {
c1ef8333	307	#ifdef WITH_AIXAUTHENTICATE
c1ef8333	308	/* We don't have a pty yet, so just label the line as "ssh" */
94ec8c6b	309	if (loginsuccess(user, get_canonical_hostname(), "ssh",
c1ef8333	310	&aixloginmsg) < 0)
	311	aixloginmsg = NULL;
	312	#endif /* WITH_AIXAUTHENTICATE */
a306f2dd	313	/* turn off userauth */
	314	dispatch_set(SSH2_MSG_USERAUTH_REQUEST, &protocol_error);
	315	packet_start(SSH2_MSG_USERAUTH_SUCCESS);
	316	packet_send();
	317	packet_write_wait();
	318	/* now we can break out */
94ec8c6b	319	authctxt->success = 1;
a306f2dd	320	} else if (authenticated == 0) {
94ec8c6b	321	char *methods = authmethods_get();
a306f2dd	322	packet_start(SSH2_MSG_USERAUTH_FAILURE);
94ec8c6b	323	packet_put_cstring(methods);
94ec8c6b	324	packet_put_char(0); /* XXX partial success, unused */
a306f2dd	325	packet_send();
a306f2dd	326	packet_write_wait();
94ec8c6b	327	xfree(methods);
	328	} else {
	329	/* do nothing, we did already send a reply */
a306f2dd	330	}
a306f2dd	331	}
	332
	333	int
94ec8c6b	334	userauth_none(Authctxt *authctxt)
a306f2dd	335	{
94ec8c6b	336	/* disable method "none", only allowed one time */
	337	Authmethod *m = authmethod_lookup("none");
	338	if (m != NULL)
	339	m->enabled = NULL;
a306f2dd	340	packet_done();
4d33e531	341
94ec8c6b	342	if (authctxt->valid == 0)
	343	return(0);
	344
	345	#ifdef HAVE_CYGWIN
	346	if (check_nt_auth(1, authctxt->pw->pw_uid) == 0)
	347	return(0);
	348	#endif
a306f2dd	349	#ifdef USE_PAM
94ec8c6b	350	return auth_pam_password(authctxt->pw, "");
4d33e531	351	#elif defined(HAVE_OSF_SIA)
94ec8c6b	352	return (sia_validate_user(NULL, saved_argc, saved_argv,
	353	get_canonical_hostname(), authctxt->pw->pw_name, NULL,
	354	0, NULL, "") == SIASUCCESS);
4d33e531	355	#else /* !HAVE_OSF_SIA && !USE_PAM */
94ec8c6b	356	return auth_password(authctxt->pw, "");
a306f2dd	357	#endif /* USE_PAM */
a306f2dd	358	}
94ec8c6b	359
a306f2dd	360	int
94ec8c6b	361	userauth_passwd(Authctxt *authctxt)
a306f2dd	362	{
	363	char *password;
	364	int authenticated = 0;
	365	int change;
	366	unsigned int len;
	367	change = packet_get_char();
	368	if (change)
	369	log("password change not supported");
	370	password = packet_get_string(&len);
	371	packet_done();
94ec8c6b	372	if (authctxt->valid &&
	373	#ifdef HAVE_CYGWIN
	374	check_nt_auth(1, authctxt->pw->pw_uid) &&
	375	#endif
a306f2dd	376	#ifdef USE_PAM
94ec8c6b	377	auth_pam_password(authctxt->pw, password) == 1)
4d33e531	378	#elif defined(HAVE_OSF_SIA)
4d33e531	379	sia_validate_user(NULL, saved_argc, saved_argv,
94ec8c6b	380	get_canonical_hostname(), authctxt->pw->pw_name, NULL, 0,
4d33e531	381	NULL, password) == SIASUCCESS)
4d33e531	382	#else /* !USE_PAM && !HAVE_OSF_SIA */
94ec8c6b	383	auth_password(authctxt->pw, password) == 1)
a306f2dd	384	#endif /* USE_PAM */
	385	authenticated = 1;
	386	memset(password, 0, len);
	387	xfree(password);
	388	return authenticated;
	389	}
94ec8c6b	390
	391	int
	392	userauth_kbdint(Authctxt *authctxt)
	393	{
	394	int authenticated = 0;
	395	char *lang = NULL;
	396	char *devs = NULL;
	397
	398	lang = packet_get_string(NULL);
	399	devs = packet_get_string(NULL);
	400	packet_done();
	401
	402	debug("keyboard-interactive language %s devs %s", lang, devs);
	403	#ifdef SKEY
	404	/* XXX hardcoded, we should look at devs */
	405	if (options.skey_authentication != 0)
	406	authenticated = auth2_skey(authctxt);
	407	#endif
	408	xfree(lang);
	409	xfree(devs);
	410	#ifdef HAVE_CYGWIN
	411	if (check_nt_auth(0, authctxt->pw->pw_uid) == 0)
	412	return(0);
	413	#endif
	414	return authenticated;
	415	}
	416
a306f2dd	417	int
94ec8c6b	418	userauth_pubkey(Authctxt *authctxt)
a306f2dd	419	{
	420	Buffer b;
	421	Key *key;
	422	char pkalg, pkblob, *sig;
	423	unsigned int alen, blen, slen;
	424	int have_sig;
	425	int authenticated = 0;
	426
94ec8c6b	427	if (!authctxt->valid) {
94ec8c6b	428	debug2("userauth_pubkey: disabled because of invalid user");
a306f2dd	429	return 0;
	430	}
	431	have_sig = packet_get_char();
	432	pkalg = packet_get_string(&alen);
	433	if (strcmp(pkalg, KEX_DSS) != 0) {
a306f2dd	434	log("bad pkalg %s", pkalg); /XXX/
94ec8c6b	435	xfree(pkalg);
a306f2dd	436	return 0;
	437	}
	438	pkblob = packet_get_string(&blen);
	439	key = dsa_key_from_blob(pkblob, blen);
	440	if (key != NULL) {
	441	if (have_sig) {
	442	sig = packet_get_string(&slen);
	443	packet_done();
	444	buffer_init(&b);
74fc9186	445	if (datafellows & SSH_COMPAT_SESSIONID_ENCODING) {
	446	buffer_put_string(&b, session_id2, session_id2_len);
	447	} else {
	448	buffer_append(&b, session_id2, session_id2_len);
	449	}
38c295d6	450	/* reconstruct packet */
a306f2dd	451	buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST);
94ec8c6b	452	buffer_put_cstring(&b, authctxt->user);
38c295d6	453	buffer_put_cstring(&b,
	454	datafellows & SSH_BUG_PUBKEYAUTH ?
	455	"ssh-userauth" :
94ec8c6b	456	authctxt->service);
38c295d6	457	buffer_put_cstring(&b, "publickey");
	458	buffer_put_char(&b, have_sig);
	459	buffer_put_cstring(&b, KEX_DSS);
	460	buffer_put_string(&b, pkblob, blen);
a306f2dd	461	#ifdef DEBUG_DSS
	462	buffer_dump(&b);
	463	#endif
	464	/* test for correct signature */
94ec8c6b	465	if (user_dsa_key_allowed(authctxt->pw, key) &&
a306f2dd	466	dsa_verify(key, sig, slen, buffer_ptr(&b), buffer_len(&b)) == 1)
	467	authenticated = 1;
	468	buffer_clear(&b);
	469	xfree(sig);
	470	} else {
94ec8c6b	471	debug("test whether pkalg/pkblob are acceptable");
a306f2dd	472	packet_done();
94ec8c6b	473
a306f2dd	474	/* XXX fake reply and always send PK_OK ? */
1d1ffb87	475	/*
	476	* XXX this allows testing whether a user is allowed
	477	* to login: if you happen to have a valid pubkey this
	478	* message is sent. the message is NEVER sent at all
	479	* if a user is not allowed to login. is this an
	480	* issue? -markus
	481	*/
94ec8c6b	482	if (user_dsa_key_allowed(authctxt->pw, key)) {
a306f2dd	483	packet_start(SSH2_MSG_USERAUTH_PK_OK);
	484	packet_put_string(pkalg, alen);
	485	packet_put_string(pkblob, blen);
	486	packet_send();
	487	packet_write_wait();
	488	authenticated = -1;
	489	}
	490	}
94ec8c6b	491	if (authenticated != 1)
94ec8c6b	492	auth_clear_options();
a306f2dd	493	key_free(key);
	494	}
	495	xfree(pkalg);
	496	xfree(pkblob);
94ec8c6b	497	#ifdef HAVE_CYGWIN
	498	if (check_nt_auth(0, authctxt->pw->pw_uid) == 0)
	499	return(0);
	500	#endif
a306f2dd	501	return authenticated;
	502	}
	503
94ec8c6b	504	/* get current user */
a306f2dd	505
	506	struct passwd*
	507	auth_get_user(void)
	508	{
94ec8c6b	509	return (x_authctxt != NULL && x_authctxt->valid) ? x_authctxt->pw : NULL;
a306f2dd	510	}
a306f2dd	511
94ec8c6b	512	#define DELIM ","
	513
	514	char *
	515	authmethods_get(void)
a306f2dd	516	{
94ec8c6b	517	Authmethod *method = NULL;
	518	unsigned int size = 0;
	519	char *list;
	520
	521	for (method = authmethods; method->name != NULL; method++) {
	522	if (strcmp(method->name, "none") == 0)
	523	continue;
	524	if (method->enabled != NULL && *(method->enabled) != 0) {
	525	if (size != 0)
	526	size += strlen(DELIM);
	527	size += strlen(method->name);
a306f2dd	528	}
94ec8c6b	529	}
	530	size++; /* trailing '\0' */
	531	list = xmalloc(size);
	532	list[0] = '\0';
	533
	534	for (method = authmethods; method->name != NULL; method++) {
	535	if (strcmp(method->name, "none") == 0)
	536	continue;
	537	if (method->enabled != NULL && *(method->enabled) != 0) {
	538	if (list[0] != '\0')
	539	strlcat(list, DELIM, size);
	540	strlcat(list, method->name, size);
a306f2dd	541	}
a306f2dd	542	}
94ec8c6b	543	return list;
	544	}
	545
	546	Authmethod *
	547	authmethod_lookup(const char *name)
	548	{
	549	Authmethod *method = NULL;
	550	if (name != NULL)
	551	for (method = authmethods; method->name != NULL; method++)
	552	if (method->enabled != NULL &&
	553	*(method->enabled) != 0 &&
	554	strcmp(name, method->name) == 0)
	555	return method;
	556	debug2("Unrecognized authentication method name: %s", name ? name : "NULL");
	557	return NULL;
a306f2dd	558	}
	559
	560	/* return 1 if user allows given key */
	561	int
	562	user_dsa_key_allowed(struct passwd pw, Key key)
	563	{
	564	char line[8192], file[1024];
	565	int found_key = 0;
	566	unsigned int bits = -1;
	567	FILE *f;
	568	unsigned long linenum = 0;
	569	struct stat st;
	570	Key *found;
	571
94ec8c6b	572	if (pw == NULL)
	573	return 0;
	574
a306f2dd	575	/* Temporarily use the user's uid. */
	576	temporarily_use_uid(pw->pw_uid);
	577
	578	/* The authorized keys. */
	579	snprintf(file, sizeof file, "%.500s/%.100s", pw->pw_dir,
	580	SSH_USER_PERMITTED_KEYS2);
	581
	582	/* Fail quietly if file does not exist */
	583	if (stat(file, &st) < 0) {
	584	/* Restore the privileged uid. */
	585	restore_uid();
	586	return 0;
	587	}
	588	/* Open the file containing the authorized keys. */
	589	f = fopen(file, "r");
	590	if (!f) {
	591	/* Restore the privileged uid. */
	592	restore_uid();
	593	return 0;
	594	}
	595	if (options.strict_modes) {
	596	int fail = 0;
	597	char buf[1024];
	598	/* Check open file in order to avoid open/stat races */
	599	if (fstat(fileno(f), &st) < 0 \|\|
	600	(st.st_uid != 0 && st.st_uid != pw->pw_uid) \|\|
	601	(st.st_mode & 022) != 0) {
de273eef	602	snprintf(buf, sizeof buf,
	603	"%s authentication refused for %.100s: "
	604	"bad ownership or modes for '%s'.",
	605	key_type(key), pw->pw_name, file);
a306f2dd	606	fail = 1;
	607	} else {
	608	/* Check path to SSH_USER_PERMITTED_KEYS */
	609	int i;
	610	static const char *check[] = {
	611	"", SSH_USER_DIR, NULL
	612	};
	613	for (i = 0; check[i]; i++) {
	614	snprintf(line, sizeof line, "%.500s/%.100s",
	615	pw->pw_dir, check[i]);
	616	if (stat(line, &st) < 0 \|\|
	617	(st.st_uid != 0 && st.st_uid != pw->pw_uid) \|\|
	618	(st.st_mode & 022) != 0) {
	619	snprintf(buf, sizeof buf,
de273eef	620	"%s authentication refused for %.100s: "
a306f2dd	621	"bad ownership or modes for '%s'.",
de273eef	622	key_type(key), pw->pw_name, line);
a306f2dd	623	fail = 1;
	624	break;
	625	}
	626	}
	627	}
	628	if (fail) {
a306f2dd	629	fclose(f);
089fbbd2	630	log("%s",buf);
a306f2dd	631	restore_uid();
	632	return 0;
	633	}
	634	}
	635	found_key = 0;
de273eef	636	found = key_new(key->type);
a306f2dd	637
a306f2dd	638	while (fgets(line, sizeof(line), f)) {
38c295d6	639	char cp, options = NULL;
a306f2dd	640	linenum++;
	641	/* Skip leading whitespace, empty and comment lines. */
	642	for (cp = line; cp == ' ' \|\| cp == '\t'; cp++)
	643	;
	644	if (!cp \|\| cp == '\n' \|\| *cp == '#')
	645	continue;
38c295d6	646
a306f2dd	647	bits = key_read(found, &cp);
38c295d6	648	if (bits == 0) {
	649	/* no key? check if there are options for this key */
	650	int quoted = 0;
	651	options = cp;
	652	for (; cp && (quoted \|\| (cp != ' ' && *cp != '\t')); cp++) {
	653	if (*cp == '\\' && cp[1] == '"')
	654	cp++; /* Skip both */
	655	else if (*cp == '"')
	656	quoted = !quoted;
	657	}
	658	/* Skip remaining whitespace. */
	659	for (; cp == ' ' \|\| cp == '\t'; cp++)
	660	;
	661	bits = key_read(found, &cp);
	662	if (bits == 0) {
	663	/* still no key? advance to next line*/
	664	continue;
	665	}
	666	}
	667	if (key_equal(found, key) &&
	668	auth_parse_options(pw, options, linenum) == 1) {
a306f2dd	669	found_key = 1;
	670	debug("matching key found: file %s, line %ld",
	671	file, linenum);
	672	break;
	673	}
	674	}
	675	restore_uid();
	676	fclose(f);
	677	key_free(found);
	678	return found_key;
	679	}
94ec8c6b	680
	681	struct passwd *
	682	pwcopy(struct passwd *pw)
	683	{
	684	struct passwd copy = xmalloc(sizeof(copy));
	685	memset(copy, 0, sizeof(*copy));
	686	copy->pw_name = xstrdup(pw->pw_name);
	687	copy->pw_passwd = xstrdup(pw->pw_passwd);
	688	copy->pw_uid = pw->pw_uid;
	689	copy->pw_gid = pw->pw_gid;
	690	#ifdef HAVE_PW_CLASS_IN_PASSWD
	691	copy->pw_class = xstrdup(pw->pw_class);
	692	#endif
	693	copy->pw_dir = xstrdup(pw->pw_dir);
	694	copy->pw_shell = xstrdup(pw->pw_shell);
	695	return copy;
	696	}