Commit | Line | Data |
---|---|---|
8efc0c15 | 1 | /* |
5260325f | 2 | * Author: Tatu Ylonen <ylo@cs.hut.fi> |
3 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | |
4 | * All rights reserved | |
5 | * Created: Sat Mar 18 05:11:38 1995 ylo | |
6 | * Password authentication. This file contains the functions to check whether | |
7 | * the password is valid for the user. | |
8 | */ | |
8efc0c15 | 9 | |
10 | #include "includes.h" | |
caf3bc51 | 11 | |
12 | #ifndef HAVE_PAM | |
13 | ||
8efc0c15 | 14 | RCSID("$Id$"); |
15 | ||
16 | #include "packet.h" | |
17 | #include "ssh.h" | |
18 | #include "servconf.h" | |
19 | #include "xmalloc.h" | |
b2344d54 | 20 | |
21 | #ifdef HAVE_SHADOW_H | |
22 | #include <shadow.h> | |
23 | #endif | |
24 | ||
caf3bc51 | 25 | #ifdef HAVE_MD5_PASSWORDS |
26 | #include "md5crypt.h" | |
27 | #endif | |
28 | ||
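/*
 * Tries to authenticate the user using password.  Returns 1 if
 * authentication succeeds and 0 if it is refused.
 *
 * pw is the account entry to check (NULL means "no such user" and is
 * always refused); password is the NUL-terminated candidate supplied by
 * the client.  When SKEY or KRB4 support is compiled in and enabled,
 * those back ends are consulted first and their definite answer (0 or 1)
 * is final; any other return value falls through to the local check.
 * The local check hashes the candidate with the salt of the stored entry
 * (shadow entry when HAVE_SHADOW_H is defined, pw_passwd otherwise) and
 * compares the two strings.
 */
int
auth_password(struct passwd * pw, const char *password)
{
	extern ServerOptions options;
	char *encrypted_password;
#ifdef HAVE_SHADOW_H
	struct spwd *spw;
#endif

	/*
	 * Deny if no user.  This test has to come before any pw-> access;
	 * a missing account must yield a clean refusal, not a NULL
	 * dereference in the authentication path.
	 */
	if (pw == NULL || password == NULL)
		return 0;
	/* NOTE(review): 2 is presumably the "root may not use passwords"
	 * setting of permit_root_login - confirm against servconf.h. */
	if (pw->pw_uid == 0 && options.permit_root_login == 2)
		return 0;
	/* Empty candidate passwords are refused unless explicitly allowed. */
	if (*password == '\0' && options.permit_empty_passwd == 0)
		return 0;

#ifdef SKEY
	if (options.skey_authentication == 1) {
		int ret = auth_skey_password(pw, password);
		if (ret == 1 || ret == 0)
			return ret;
		/* Fall back to ordinary passwd authentication. */
	}
#endif
#ifdef KRB4
	if (options.kerberos_authentication == 1) {
		int ret = auth_krb4_password(pw, password);
		if (ret == 1 || ret == 0)
			return ret;
		/* Fall back to ordinary passwd authentication. */
	}
#endif

	/* Check for users with no password. */
	if (strcmp(password, "") == 0 && strcmp(pw->pw_passwd, "") == 0)
		return 1;

#ifdef HAVE_SHADOW_H
	spw = getspnam(pw->pw_name);
	if (spw == NULL)
		return(0);

	/* The shadow entry must belong to the account being checked. */
	if ((spw->sp_namp == NULL) || (strcmp(pw->pw_name, spw->sp_namp) != 0))
		fatal("Shadow lookup returned garbage.");

	/* Check for users with no password. */
	if (strcmp(password, "") == 0 && strcmp(spw->sp_pwdp, "") == 0)
		return 1;

	/* Too short to hold a salt and a hash, so nothing can match it. */
	if (strlen(spw->sp_pwdp) < 3)
		return(0);

	/* Encrypt the candidate password using the proper salt. */
#ifdef HAVE_MD5_PASSWORDS
	if (is_md5_salt(spw->sp_pwdp))
		encrypted_password = md5_crypt(password, spw->sp_pwdp);
	else
		encrypted_password = crypt(password, spw->sp_pwdp);
#else /* HAVE_MD5_PASSWORDS */
	encrypted_password = crypt(password, spw->sp_pwdp);
#endif /* HAVE_MD5_PASSWORDS */
	/*
	 * crypt() may return NULL (for instance on a salt it does not
	 * accept); passing that to strcmp() is undefined, so fail closed.
	 */
	if (encrypted_password == NULL)
		return 0;
	/* Authentication is accepted if the encrypted passwords are identical. */
	return (strcmp(encrypted_password, spw->sp_pwdp) == 0);
#else /* !HAVE_SHADOW_H */
	/*
	 * A stored entry shorter than two characters carries no usable
	 * salt; "xx" keeps the crypt() call well-formed, and the result
	 * cannot equal such a short entry.
	 */
	encrypted_password = crypt(password,
	    (pw->pw_passwd[0] && pw->pw_passwd[1]) ? pw->pw_passwd : "xx");

	/* Fail closed if the hash could not be computed at all. */
	if (encrypted_password == NULL)
		return 0;

	/* Authentication is accepted if the encrypted passwords are identical. */
	return (strcmp(encrypted_password, pw->pw_passwd) == 0);
#endif /* !HAVE_SHADOW_H */
}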
b2344d54 | 105 | #endif /* !HAVE_PAM */ |