]>
Commit | Line | Data |
---|---|---|
8efc0c15 | 1 | /* |
2 | ||
3 | auth-passwd.c | |
4 | ||
5 | Author: Tatu Ylonen <ylo@cs.hut.fi> | |
6 | ||
7 | Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | |
8 | All rights reserved | |
9 | ||
10 | Created: Sat Mar 18 05:11:38 1995 ylo | |
11 | ||
12 | Password authentication. This file contains the functions to check whether | |
13 | the password is valid for the user. | |
14 | ||
15 | */ | |
16 | ||
17 | #include "includes.h" | |
18 | RCSID("$Id$"); | |
19 | ||
20 | #include "packet.h" | |
21 | #include "ssh.h" | |
22 | #include "servconf.h" | |
23 | #include "xmalloc.h" | |
b2344d54 | 24 | #include "config.h" |
25 | ||
26 | #ifdef HAVE_SHADOW_H | |
27 | #include <shadow.h> | |
28 | #endif | |
29 | ||
30 | #ifndef HAVE_PAM | |
31 | /* Don't need anything from here if we are using PAM */ | |
8efc0c15 | 32 | |
8efc0c15 | 33 | /* Tries to authenticate the user using password. Returns true if |
34 | authentication succeeds. */ | |
35 | ||
36 | int auth_password(struct passwd *pw, const char *password) | |
37 | { | |
38 | extern ServerOptions options; | |
39 | char *encrypted_password; | |
b2344d54 | 40 | #ifdef HAVE_SHADOW_H |
41 | struct spwd *spw; | |
42 | #endif | |
8efc0c15 | 43 | |
44 | if (pw->pw_uid == 0 && options.permit_root_login == 2) | |
45 | { | |
46 | /*packet_send_debug("Server does not permit root login with password.");*/ | |
47 | return 0; | |
48 | } | |
49 | ||
50 | if (*password == '\0' && options.permit_empty_passwd == 0) | |
51 | { | |
52 | /*packet_send_debug("Server does not permit empty password login.");*/ | |
53 | return 0; | |
54 | } | |
55 | ||
56 | /* deny if no user. */ | |
57 | if (pw == NULL) | |
58 | return 0; | |
59 | ||
8efc0c15 | 60 | #ifdef SKEY |
61 | if (options.skey_authentication == 1) { | |
62 | if (strncasecmp(password, "s/key", 5) == 0) { | |
63 | char *skeyinfo = skey_keyinfo(pw->pw_name); | |
64 | if(skeyinfo == NULL){ | |
65 | debug("generating fake skeyinfo for %.100s.", pw->pw_name); | |
66 | skeyinfo = skey_fake_keyinfo(pw->pw_name); | |
67 | } | |
68 | if(skeyinfo != NULL) | |
69 | packet_send_debug(skeyinfo); | |
70 | /* Try again. */ | |
71 | return 0; | |
72 | } | |
73 | else if (skey_haskey(pw->pw_name) == 0 && | |
74 | skey_passcheck(pw->pw_name, (char *)password) != -1) { | |
75 | /* Authentication succeeded. */ | |
76 | return 1; | |
77 | } | |
78 | /* Fall back to ordinary passwd authentication. */ | |
79 | } | |
80 | #endif | |
81 | ||
82 | #if defined(KRB4) | |
83 | /* Support for Kerberos v4 authentication - Dug Song <dugsong@UMICH.EDU> */ | |
84 | if (options.kerberos_authentication) | |
85 | { | |
86 | AUTH_DAT adata; | |
87 | KTEXT_ST tkt; | |
88 | struct hostent *hp; | |
89 | unsigned long faddr; | |
6a17f9c2 | 90 | char localhost[MAXHOSTNAMELEN]; |
91 | char phost[INST_SZ]; | |
92 | char realm[REALM_SZ]; | |
8efc0c15 | 93 | int r; |
94 | ||
95 | /* Try Kerberos password authentication only for non-root | |
96 | users and only if Kerberos is installed. */ | |
97 | if (pw->pw_uid != 0 && krb_get_lrealm(realm, 1) == KSUCCESS) { | |
98 | ||
99 | /* Set up our ticket file. */ | |
6a17f9c2 | 100 | if (!krb4_init(pw->pw_uid)) { |
101 | log("Couldn't initialize Kerberos ticket file for %s!", pw->pw_name); | |
8efc0c15 | 102 | goto kerberos_auth_failure; |
103 | } | |
104 | /* Try to get TGT using our password. */ | |
105 | r = krb_get_pw_in_tkt((char *)pw->pw_name, "", realm, "krbtgt", realm, | |
106 | DEFAULT_TKT_LIFE, (char *)password); | |
107 | if (r != INTK_OK) { | |
108 | packet_send_debug("Kerberos V4 password authentication for %s " | |
109 | "failed: %s", pw->pw_name, krb_err_txt[r]); | |
110 | goto kerberos_auth_failure; | |
111 | } | |
112 | /* Successful authentication. */ | |
6a17f9c2 | 113 | chown(tkt_string(), pw->pw_uid, pw->pw_gid); |
8efc0c15 | 114 | |
115 | /* Now that we have a TGT, try to get a local "rcmd" ticket to | |
116 | ensure that we are not talking to a bogus Kerberos server. */ | |
6a17f9c2 | 117 | (void) gethostname(localhost, sizeof(localhost)); |
118 | (void) strlcpy(phost, (char *)krb_get_phost(localhost), INST_SZ); | |
8efc0c15 | 119 | r = krb_mk_req(&tkt, KRB4_SERVICE_NAME, phost, realm, 33); |
120 | ||
121 | if (r == KSUCCESS) { | |
122 | if (!(hp = gethostbyname(localhost))) { | |
123 | log("Couldn't get local host address!"); | |
124 | goto kerberos_auth_failure; | |
125 | } | |
126 | memmove((void *)&faddr, (void *)hp->h_addr, sizeof(faddr)); | |
127 | ||
128 | /* Verify our "rcmd" ticket. */ | |
129 | r = krb_rd_req(&tkt, KRB4_SERVICE_NAME, phost, faddr, &adata, ""); | |
130 | if (r == RD_AP_UNDEC) { | |
131 | /* Probably didn't have a srvtab on localhost. Allow login. */ | |
132 | log("Kerberos V4 TGT for %s unverifiable, no srvtab installed? " | |
133 | "krb_rd_req: %s", pw->pw_name, krb_err_txt[r]); | |
134 | } | |
135 | else if (r != KSUCCESS) { | |
136 | log("Kerberos V4 %s ticket unverifiable: %s", | |
137 | KRB4_SERVICE_NAME, krb_err_txt[r]); | |
138 | goto kerberos_auth_failure; | |
139 | } | |
140 | } | |
141 | else if (r == KDC_PR_UNKNOWN) { | |
142 | /* Allow login if no rcmd service exists, but log the error. */ | |
143 | log("Kerberos V4 TGT for %s unverifiable: %s; %s.%s " | |
144 | "not registered, or srvtab is wrong?", pw->pw_name, | |
145 | krb_err_txt[r], KRB4_SERVICE_NAME, phost); | |
146 | } | |
147 | else { | |
148 | /* TGT is bad, forget it. Possibly spoofed! */ | |
149 | packet_send_debug("WARNING: Kerberos V4 TGT possibly spoofed for" | |
150 | "%s: %s", pw->pw_name, krb_err_txt[r]); | |
151 | goto kerberos_auth_failure; | |
152 | } | |
153 | ||
154 | /* Authentication succeeded. */ | |
155 | return 1; | |
156 | ||
157 | kerberos_auth_failure: | |
6a17f9c2 | 158 | krb4_cleanup_proc(NULL); |
159 | ||
160 | if (!options.kerberos_or_local_passwd) | |
161 | return 0; | |
8efc0c15 | 162 | } |
163 | else { | |
164 | /* Logging in as root or no local Kerberos realm. */ | |
165 | packet_send_debug("Unable to authenticate to Kerberos."); | |
166 | } | |
167 | /* Fall back to ordinary passwd authentication. */ | |
168 | } | |
169 | #endif /* KRB4 */ | |
170 | ||
171 | /* Check for users with no password. */ | |
172 | if (strcmp(password, "") == 0 && strcmp(pw->pw_passwd, "") == 0) | |
173 | { | |
174 | packet_send_debug("Login permitted without a password because the account has no password."); | |
175 | return 1; /* The user has no password and an empty password was tried. */ | |
176 | } | |
177 | ||
b2344d54 | 178 | #ifdef HAVE_SHADOW_H |
179 | spw = getspnam(pw->pw_name); | |
180 | if (spw == NULL) | |
181 | return(0); | |
182 | ||
183 | if ((spw->sp_namp == NULL) || (strcmp(pw->pw_name, spw->sp_namp) != 0)) | |
184 | fatal("Shadow lookup returned garbage."); | |
185 | ||
186 | if (strlen(spw->sp_pwdp) < 3) | |
187 | return(0); | |
188 | ||
189 | /* Encrypt the candidate password using the proper salt. */ | |
190 | encrypted_password = crypt(password, spw->sp_pwdp); | |
191 | ||
192 | /* Authentication is accepted if the encrypted passwords are identical. */ | |
193 | return (strcmp(encrypted_password, spw->sp_pwdp) == 0); | |
194 | #else /* !HAVE_SHADOW_H */ | |
195 | ||
8efc0c15 | 196 | /* Encrypt the candidate password using the proper salt. */ |
197 | encrypted_password = crypt(password, | |
198 | (pw->pw_passwd[0] && pw->pw_passwd[1]) ? | |
199 | pw->pw_passwd : "xx"); | |
8efc0c15 | 200 | /* Authentication is accepted if the encrypted passwords are identical. */ |
201 | return (strcmp(encrypted_password, pw->pw_passwd) == 0); | |
b2344d54 | 202 | #endif /* !HAVE_SHADOW_H */ |
8efc0c15 | 203 | } |
b2344d54 | 204 | |
205 | #endif /* !HAVE_PAM */ |