- Added shadow password patch from Thomas Neumann <tom@smart.ruhr.de>

 - Added ifdefs to auth-passwd.c to exclude it when PAM is enabled

diff --git a/ChangeLog b/ChangeLog
index 242b29d9405676dddb219f81fade2ff75bb8bc0f..1ac4dfee8acbb0c108baa1ffbd9f2dd123ae42d5 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -9,6 +9,8 @@
      totalsize, ok niels,aaron
  - Delay fork (-f option) in ssh until after port forwarded connections 
    have been initialised. Patch from Jani Hakala <jahakala@cc.jyu.fi>
+ - Added shadow password patch from Thomas Neumann <tom@smart.ruhr.de>
+ - Added ifdefs to auth-passwd.c to exclude it when PAM is enabled
 
 19991112
  - Merged changes from OpenBSD CVS

diff --git a/README b/README
index 5cf0b4496ce3f82f65f280b844922dbe073e5cc4..f60f596041c6ee109faf9fb6cee41bdac95e549b 100644 (file)
--- a/README
+++ b/README
@@ -52,6 +52,7 @@ Nalin Dahyabhai <nalin.dahyabhai@pobox.com> - PAM environment patch
 Phil Hands <phil@hands.com> - Debian scripts, assorted patches
 Niels Kristian Bech Jensen <nkbj@image.dk> - Makefile patches
 Marc G. Fournier <marc.fournier@acadiau.ca> - Solaris patches
+Thomas Neumann <tom@smart.ruhr.de> - Shadow passwords
 
 Miscellania - 
 

diff --git a/auth-passwd.c b/auth-passwd.c
index 9e7e00693efe25e326702c9bdc77e7632ad0cc3a..0cd53884a55c48ac9b5487121d7459d3028d1c3d 100644 (file)
--- a/auth-passwd.c
+++ b/auth-passwd.c
@@ -21,6 +21,14 @@ RCSID("$Id$");
 #include "ssh.h"
 #include "servconf.h"
 #include "xmalloc.h"
+#include "config.h"
+
+#ifdef HAVE_SHADOW_H
+#include <shadow.h>
+#endif
+
+#ifndef HAVE_PAM
+/* Don't need anything from here if we are using PAM */
 
 /* Tries to authenticate the user using password.  Returns true if
    authentication succeeds. */
@@ -29,6 +37,9 @@ int auth_password(struct passwd *pw, const char *password)
 {
   extern ServerOptions options;
   char *encrypted_password;
+#ifdef HAVE_SHADOW_H
+  struct spwd *spw;
+#endif
 
   if (pw->pw_uid == 0 && options.permit_root_login == 2)
   {
@@ -164,11 +175,31 @@ int auth_password(struct passwd *pw, const char *password)
       return 1; /* The user has no password and an empty password was tried. */
     }
 
+#ifdef HAVE_SHADOW_H
+  spw = getspnam(pw->pw_name);
+  if (spw == NULL)
+    return(0);
+
+  if ((spw->sp_namp == NULL) || (strcmp(pw->pw_name, spw->sp_namp) != 0))
+    fatal("Shadow lookup returned garbage.");
+
+  if (strlen(spw->sp_pwdp) < 3)
+    return(0);
+
+  /* Encrypt the candidate password using the proper salt. */
+  encrypted_password = crypt(password, spw->sp_pwdp);
+
+  /* Authentication is accepted if the encrypted passwords are identical. */
+  return (strcmp(encrypted_password, spw->sp_pwdp) == 0);
+#else /* !HAVE_SHADOW_H */
+
   /* Encrypt the candidate password using the proper salt. */
   encrypted_password = crypt(password, 
                             (pw->pw_passwd[0] && pw->pw_passwd[1]) ?
                             pw->pw_passwd : "xx");
-
   /* Authentication is accepted if the encrypted passwords are identical. */
   return (strcmp(encrypted_password, pw->pw_passwd) == 0);
+#endif /* !HAVE_SHADOW_H */
 }
+
+#endif /* !HAVE_PAM */

diff --git a/configure.in b/configure.in
index d80ac7c7f490da310bbb372d525bed90f8be0039..bd34e6ddc4d1d0c1781b7157f931f14ab19cb582 100644 (file)
--- a/configure.in
+++ b/configure.in
@@ -55,7 +55,7 @@ AC_CHECK_LIB(dl, dlopen, , )
 AC_CHECK_LIB(pam, pam_authenticate, , )
 
 dnl Checks for header files.
-AC_CHECK_HEADERS(pty.h endian.h paths.h lastlog.h)
+AC_CHECK_HEADERS(pty.h endian.h paths.h lastlog.h shadow.h)
 
 dnl Checks for library functions.
 AC_PROG_GCC_TRADITIONAL