2 * Author: Tatu Ylonen <ylo@cs.hut.fi>
3 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
5 * Created: Sat Mar 18 05:11:38 1995 ylo
6 * Password authentication. This file contains the functions to check whether
7 * the password is valid for the user.
14 RCSID("$OpenBSD: auth-passwd.c,v 1.16 2000/06/20 01:39:38 markus Exp $");
21 #ifdef WITH_AIXAUTHENTICATE
24 #ifdef HAVE_HPUX_TRUSTED_SYSTEM_PW
25 # include <hpsecurity.h>
32 # include <sys/label.h>
33 # include <sys/audit.h>
36 #if defined(HAVE_MD5_PASSWORDS) && !defined(HAVE_MD5_CRYPT)
37 # include "md5crypt.h"
38 #endif /* defined(HAVE_MD5_PASSWORDS) && !defined(HAVE_MD5_CRYPT) */
41 * Tries to authenticate the user with the supplied password. Returns true if
42 * authentication succeeds.
/*
 * auth_password: checks a cleartext password against the account described
 * by pw and reports the result of that check to the caller.
 *
 * NOTE(review): this listing is gapped. The embedded source line numbers
 * skip, so braces, several return statements and some declarations (salt,
 * pw_password, reenter, authmsg) are not visible. The comments below describe
 * only what the visible lines establish; anything else is marked as an
 * assumption to confirm against the full file.
 */
45 auth_password(struct passwd * pw, const char *password)
47 extern ServerOptions options;
48 char *encrypted_password;
55 struct passwd_adjunct *spw;
57 #ifdef WITH_AIXAUTHENTICATE
63 /* deny if no user. */
/*
 * Policy gate on uid 0 combined with permit_root_login == 2. The statement
 * controlled by this test is not shown; presumably it rejects the login,
 * confirm. The literal 2 has no visible named constant.
 */
66 if (pw->pw_uid == 0 && options.permit_root_login == 2)
/*
 * Policy gate on an empty submitted password while permit_empty_passwd is 0.
 * The controlled statement is not shown; presumably a rejection, confirm.
 */
68 if (*password == '\0' && options.permit_empty_passwd == 0)
/*
 * S/Key is consulted first when enabled. Results 1 and 0 are singled out by
 * the test below (the statement it controls is not shown); per the existing
 * comment, other results continue to the ordinary password check.
 */
72 if (options.skey_authentication == 1) {
73 int ret = auth_skey_password(pw, password);
74 if (ret == 1 || ret == 0)
76 /* Fall back to ordinary passwd authentication. */
80 #ifdef WITH_AIXAUTHENTICATE
/* AIX build: the decision is delegated to authenticate(); a zero result is reported as success. */
81 return (authenticate(pw->pw_name,password,&reenter,&authmsg) == 0);
/* Kerberos 4 password check, same shape as the S/Key step above: results 1 and 0 are singled out. */
85 if (options.kerberos_authentication == 1) {
86 int ret = auth_krb4_password(pw, password);
87 if (ret == 1 || ret == 0)
89 /* Fall back to ordinary passwd authentication. */
93 /* Check for users with no password. */
/*
 * Matches when both the submitted password and the passwd entry field are
 * empty strings. NOTE(review): the outcome line is not shown. If it accepts
 * the login, the only visible guard for passwordless accounts is the
 * permit_empty_passwd test above - confirm.
 */
94 if (strcmp(password, "") == 0 && strcmp(pw->pw_passwd, "") == 0)
/* Default source of the stored hash; the shadow lookups below may replace it. */
97 pw_password = pw->pw_passwd;
99 #if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW)
/*
 * NOTE(review): getspnam() returns NULL when there is no shadow entry or the
 * lookup fails. The lines between this call and the dereference of spw are
 * not visible - confirm that spw is NULL-checked before spw->sp_pwdp is read.
 */
100 spw = getspnam(pw->pw_name);
103 /* Check for users with no password. */
104 if (strcmp(password, "") == 0 && strcmp(spw->sp_pwdp, "") == 0)
107 pw_password = spw->sp_pwdp;
109 #endif /* defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW) */
110 #if defined(HAVE_GETPWANAM) && !defined(DISABLE_SHADOW)
/* Here the getpwanam() result is NULL-checked in the condition and is only consulted when issecure() is non-zero. */
111 if (issecure() && (spw = getpwanam(pw->pw_name)) != NULL)
113 /* Check for users with no password. */
114 if (strcmp(password, "") == 0 && strcmp(spw->pwa_passwd, "") == 0)
117 pw_password = spw->pwa_passwd;
119 #endif /* defined(HAVE_GETPWANAM) && !defined(DISABLE_SHADOW) */
/*
 * Test for a non-empty stored hash. NOTE(review): the statement it controls
 * and the assignment to salt are not visible; presumably the salt is taken
 * from the stored hash - confirm.
 */
121 if (pw_password[0] != '\0')
/*
 * Hash the cleartext with salt. The routine is chosen by build flags and,
 * under HAVE_MD5_PASSWORDS, by is_md5_salt(salt): md5_crypt(), bigcrypt()
 * or the system crypt().
 */
126 #ifdef HAVE_MD5_PASSWORDS
127 if (is_md5_salt(salt))
128 encrypted_password = md5_crypt(password, salt);
130 encrypted_password = crypt(password, salt);
131 #else /* HAVE_MD5_PASSWORDS */
132 # ifdef HAVE_HPUX_TRUSTED_SYSTEM_PW
133 encrypted_password = bigcrypt(password, salt);
135 encrypted_password = crypt(password, salt);
136 # endif /* HAVE_HPUX_TRUSTED_SYSTEM_PW */
137 #endif /* HAVE_MD5_PASSWORDS */
139 /* Authentication is accepted if the encrypted passwords are identical. */
/*
 * NOTE(review): crypt() is allowed to return NULL on failure, and some C
 * libraries do so for a salt they do not accept (for example a locked or
 * malformed hash field). No NULL check on encrypted_password is visible, so
 * strcmp() would dereference NULL here. The defensive form treats a NULL
 * result as authentication failure before comparing.
 * The comparison is also not constant-time. Both operands are hashes rather
 * than cleartext, which limits what timing reveals - assess against the
 * threat model.
 */
140 return (strcmp(encrypted_password, pw_password) == 0);
142 #endif /* !USE_PAM */