auth-passwd.c

   1 /*
   2  * Author: Tatu Ylonen <ylo@cs.hut.fi>
   3  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
   4  *                    All rights reserved
   5  * Created: Sat Mar 18 05:11:38 1995 ylo
   6  * Password authentication.  This file contains the functions to check whether
   7  * the password is valid for the user.
   8  */
   9
  10 #include "includes.h"
  11
  12 #ifndef USE_PAM
  13
  14 RCSID("$Id$");
  15
  16 #include "packet.h"
  17 #include "ssh.h"
  18 #include "servconf.h"
  19 #include "xmalloc.h"
  20
  21 #ifdef HAVE_SHADOW_H
  22 # include <shadow.h>
  23 #endif
  24 #if defined(HAVE_MD5_PASSWORDS) && !defined(HAVE_MD5_CRYPT)
  25 # include "md5crypt.h"
  26 #endif /* defined(HAVE_MD5_PASSWORDS) && !defined(HAVE_MD5_CRYPT) */
  27
  28 /*
  29  * Tries to authenticate the user using password.  Returns true if
  30  * authentication succeeds.
  31  */
  32 int
  33 auth_password(struct passwd * pw, const char *password)
  34 {
  35         extern ServerOptions options;
  36         char *encrypted_password;
  37         char *pw_password;
  38         char *salt;
  39 #ifdef HAVE_SHADOW_H
  40         struct spwd *spw;
  41 #endif
  42
  43         /* deny if no user. */
  44         if (pw == NULL)
  45                 return 0;
  46         if (pw->pw_uid == 0 && options.permit_root_login == 2)
  47                 return 0;
  48         if (*password == '\0' && options.permit_empty_passwd == 0)
  49                 return 0;
  50
  51 #ifdef SKEY
  52         if (options.skey_authentication == 1) {
  53                 int ret = auth_skey_password(pw, password);
  54                 if (ret == 1 || ret == 0)
  55                         return ret;
  56                 /* Fall back to ordinary passwd authentication. */
  57         }
  58 #endif
  59 #ifdef KRB4
  60         if (options.kerberos_authentication == 1) {
  61                 int ret = auth_krb4_password(pw, password);
  62                 if (ret == 1 || ret == 0)
  63                         return ret;
  64                 /* Fall back to ordinary passwd authentication. */
  65         }
  66 #endif
  67
  68         /* Check for users with no password. */
  69         if (strcmp(password, "") == 0 && strcmp(pw->pw_passwd, "") == 0)
  70                 return 1;
  71
  72         pw_password = pw->pw_passwd;
  73
  74 #if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW)
  75         spw = getspnam(pw->pw_name);
  76         if (spw != NULL)
  77         {
  78                 /* Check for users with no password. */
  79                 if (strcmp(password, "") == 0 && strcmp(spw->sp_pwdp, "") == 0)
  80                         return 1;
  81
  82                 pw_password = spw->sp_pwdp;
  83         }
  84 #endif /* defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW) */
  85
  86         if (pw_password[0] != '\0')
  87                 salt = pw_password;
  88         else
  89                 salt = "xx";
  90
  91 #ifdef HAVE_MD5_PASSWORDS
  92         if (is_md5_salt(salt))
  93                 encrypted_password = md5_crypt(password, salt);
  94         else
  95                 encrypted_password = crypt(password, salt);
  96 #else /* HAVE_MD5_PASSWORDS */
  97         encrypted_password = crypt(password, salt);
  98 #endif /* HAVE_MD5_PASSWORDS */
  99
 100         /* Authentication is accepted if the encrypted passwords are identical. */
 101         return (strcmp(encrypted_password, pw_password) == 0);
 102 }
 103 #endif /* !USE_PAM */