auth-passwd.c

   1 /*
   2  * Author: Tatu Ylonen <ylo@cs.hut.fi>
   3  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
   4  *                    All rights reserved
   5  * Created: Sat Mar 18 05:11:38 1995 ylo
   6  * Password authentication.  This file contains the functions to check whether
   7  * the password is valid for the user.
   8  */
   9
  10 #include "includes.h"
  11
  12 #ifndef USE_PAM
  13
  14 RCSID("$OpenBSD: auth-passwd.c,v 1.16 2000/06/20 01:39:38 markus Exp $");
  15
  16 #include "packet.h"
  17 #include "ssh.h"
  18 #include "servconf.h"
  19 #include "xmalloc.h"
  20
  21 #ifdef WITH_AIXAUTHENTICATE
  22 # include <login.h>
  23 #endif
  24 #ifdef HAVE_HPUX_TRUSTED_SYSTEM_PW
  25 # include <hpsecurity.h>
  26 # include <prot.h>
  27 #endif
  28 #ifdef HAVE_SHADOW_H
  29 # include <shadow.h>
  30 #endif
  31 #ifdef HAVE_GETPWANAM
  32 # include <sys/label.h>
  33 # include <sys/audit.h>
  34 # include <pwdadj.h>
  35 #endif
  36 #if defined(HAVE_MD5_PASSWORDS) && !defined(HAVE_MD5_CRYPT)
  37 # include "md5crypt.h"
  38 #endif /* defined(HAVE_MD5_PASSWORDS) && !defined(HAVE_MD5_CRYPT) */
  39
  40 /*
  41  * Tries to authenticate the user using password.  Returns true if
  42  * authentication succeeds.
  43  */
  44 int
  45 auth_password(struct passwd * pw, const char *password)
  46 {
  47         extern ServerOptions options;
  48         char *encrypted_password;
  49         char *pw_password;
  50         char *salt;
  51 #ifdef HAVE_SHADOW_H
  52         struct spwd *spw;
  53 #endif
  54 #ifdef HAVE_GETPWANAM
  55         struct passwd_adjunct *spw;
  56 #endif
  57 #ifdef WITH_AIXAUTHENTICATE
  58         char *authmsg;
  59         char *loginmsg;
  60         int reenter = 1;
  61 #endif
  62
  63         /* deny if no user. */
  64         if (pw == NULL)
  65                 return 0;
  66         if (pw->pw_uid == 0 && options.permit_root_login == 2)
  67                 return 0;
  68         if (*password == '\0' && options.permit_empty_passwd == 0)
  69                 return 0;
  70
  71 #ifdef SKEY
  72         if (options.skey_authentication == 1) {
  73                 int ret = auth_skey_password(pw, password);
  74                 if (ret == 1 || ret == 0)
  75                         return ret;
  76                 /* Fall back to ordinary passwd authentication. */
  77         }
  78 #endif
  79
  80 #ifdef WITH_AIXAUTHENTICATE
  81         return (authenticate(pw->pw_name,password,&reenter,&authmsg) == 0);
  82 #endif
  83
  84 #ifdef KRB4
  85         if (options.kerberos_authentication == 1) {
  86                 int ret = auth_krb4_password(pw, password);
  87                 if (ret == 1 || ret == 0)
  88                         return ret;
  89                 /* Fall back to ordinary passwd authentication. */
  90         }
  91 #endif
  92
  93         /* Check for users with no password. */
  94         if (strcmp(password, "") == 0 && strcmp(pw->pw_passwd, "") == 0)
  95                 return 1;
  96
  97         pw_password = pw->pw_passwd;
  98
  99 #if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW)
 100         spw = getspnam(pw->pw_name);
 101         if (spw != NULL)
 102         {
 103                 /* Check for users with no password. */
 104                 if (strcmp(password, "") == 0 && strcmp(spw->sp_pwdp, "") == 0)
 105                         return 1;
 106
 107                 pw_password = spw->sp_pwdp;
 108         }
 109 #endif /* defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW) */
 110 #if defined(HAVE_GETPWANAM) && !defined(DISABLE_SHADOW)
 111         if (issecure() && (spw = getpwanam(pw->pw_name)) != NULL)
 112         {
 113                 /* Check for users with no password. */
 114                 if (strcmp(password, "") == 0 && strcmp(spw->pwa_passwd, "") == 0)
 115                         return 1;
 116
 117                 pw_password = spw->pwa_passwd;
 118         }
 119 #endif /* defined(HAVE_GETPWANAM) && !defined(DISABLE_SHADOW) */
 120
 121         if (pw_password[0] != '\0')
 122                 salt = pw_password;
 123         else
 124                 salt = "xx";
 125
 126 #ifdef HAVE_MD5_PASSWORDS
 127         if (is_md5_salt(salt))
 128                 encrypted_password = md5_crypt(password, salt);
 129         else
 130                 encrypted_password = crypt(password, salt);
 131 #else /* HAVE_MD5_PASSWORDS */
 132 # ifdef HAVE_HPUX_TRUSTED_SYSTEM_PW
 133         encrypted_password = bigcrypt(password, salt);
 134 # else
 135         encrypted_password = crypt(password, salt);
 136 # endif /* HAVE_HPUX_TRUSTED_SYSTEM_PW */
 137 #endif /* HAVE_MD5_PASSWORDS */
 138
 139         /* Authentication is accepted if the encrypted passwords are identical. */
 140         return (strcmp(encrypted_password, pw_password) == 0);
 141 }
 142 #endif /* !USE_PAM */