xref: /freebsd/crypto/openssh/auth-passwd.c (revision 09a53ad8f1318c5daae6cfb19d97f4f6459f0013)
1 /* $OpenBSD: auth-passwd.c,v 1.44 2014/07/15 15:54:14 millert Exp $ */
2 /*
3  * Author: Tatu Ylonen <ylo@cs.hut.fi>
4  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
5  *                    All rights reserved
6  * Password authentication.  This file contains the functions to check whether
7  * the password is valid for the user.
8  *
9  * As far as I am concerned, the code I have written for this software
10  * can be used freely for any purpose.  Any derived versions of this
11  * software must be clearly marked as such, and if the derived work is
12  * incompatible with the protocol description in the RFC file, it must be
13  * called by a name other than "ssh" or "Secure Shell".
14  *
15  * Copyright (c) 1999 Dug Song.  All rights reserved.
16  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
17  *
18  * Redistribution and use in source and binary forms, with or without
19  * modification, are permitted provided that the following conditions
20  * are met:
21  * 1. Redistributions of source code must retain the above copyright
22  *    notice, this list of conditions and the following disclaimer.
23  * 2. Redistributions in binary form must reproduce the above copyright
24  *    notice, this list of conditions and the following disclaimer in the
25  *    documentation and/or other materials provided with the distribution.
26  *
27  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
28  * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
29  * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
30  * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
31  * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
32  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
33  * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
34  * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
35  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
36  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
37  */
38 
39 #include "includes.h"
40 
41 #include <sys/types.h>
42 
43 #include <pwd.h>
44 #include <stdio.h>
45 #include <string.h>
46 #include <stdarg.h>
47 
48 #include "packet.h"
49 #include "buffer.h"
50 #include "log.h"
51 #include "misc.h"
52 #include "servconf.h"
53 #include "key.h"
54 #include "hostfile.h"
55 #include "auth.h"
56 #include "auth-options.h"
57 
58 extern Buffer loginmsg;
59 extern ServerOptions options;
60 
61 #ifdef HAVE_LOGIN_CAP
62 extern login_cap_t *lc;
63 #endif
64 
65 
66 #define DAY		(24L * 60 * 60) /* 1 day in seconds */
67 #define TWO_WEEKS	(2L * 7 * DAY)	/* 2 weeks in seconds */
68 
69 void
70 disable_forwarding(void)
71 {
72 	no_port_forwarding_flag = 1;
73 	no_agent_forwarding_flag = 1;
74 	no_x11_forwarding_flag = 1;
75 }
76 
77 /*
78  * Tries to authenticate the user using password.  Returns true if
79  * authentication succeeds.
80  */
81 int
82 auth_password(Authctxt *authctxt, const char *password)
83 {
84 	struct passwd * pw = authctxt->pw;
85 	int result, ok = authctxt->valid;
86 #if defined(USE_SHADOW) && defined(HAS_SHADOW_EXPIRE)
87 	static int expire_checked = 0;
88 #endif
89 
90 #ifndef HAVE_CYGWIN
91 	if (pw->pw_uid == 0 && options.permit_root_login != PERMIT_YES)
92 		ok = 0;
93 #endif
94 	if (*password == '\0' && options.permit_empty_passwd == 0)
95 		return 0;
96 
97 #ifdef KRB5
98 	if (options.kerberos_authentication == 1) {
99 		int ret = auth_krb5_password(authctxt, password);
100 		if (ret == 1 || ret == 0)
101 			return ret && ok;
102 		/* Fall back to ordinary passwd authentication. */
103 	}
104 #endif
105 #ifdef HAVE_CYGWIN
106 	{
107 		HANDLE hToken = cygwin_logon_user(pw, password);
108 
109 		if (hToken == INVALID_HANDLE_VALUE)
110 			return 0;
111 		cygwin_set_impersonation_token(hToken);
112 		return ok;
113 	}
114 #endif
115 #ifdef USE_PAM
116 	if (options.use_pam)
117 		return (sshpam_auth_passwd(authctxt, password) && ok);
118 #endif
119 #if defined(USE_SHADOW) && defined(HAS_SHADOW_EXPIRE)
120 	if (!expire_checked) {
121 		expire_checked = 1;
122 		if (auth_shadow_pwexpired(authctxt))
123 			authctxt->force_pwchange = 1;
124 	}
125 #endif
126 	result = sys_auth_passwd(authctxt, password);
127 	if (authctxt->force_pwchange)
128 		disable_forwarding();
129 	return (result && ok);
130 }
131 
132 #ifdef BSD_AUTH
133 static void
134 warn_expiry(Authctxt *authctxt, auth_session_t *as)
135 {
136 	char buf[256];
137 	quad_t pwtimeleft, actimeleft, daysleft, pwwarntime, acwarntime;
138 
139 	pwwarntime = acwarntime = TWO_WEEKS;
140 
141 	pwtimeleft = auth_check_change(as);
142 	actimeleft = auth_check_expire(as);
143 #ifdef HAVE_LOGIN_CAP
144 	if (authctxt->valid) {
145 		pwwarntime = login_getcaptime(lc, "password-warn", TWO_WEEKS,
146 		    TWO_WEEKS);
147 		acwarntime = login_getcaptime(lc, "expire-warn", TWO_WEEKS,
148 		    TWO_WEEKS);
149 	}
150 #endif
151 	if (pwtimeleft != 0 && pwtimeleft < pwwarntime) {
152 		daysleft = pwtimeleft / DAY + 1;
153 		snprintf(buf, sizeof(buf),
154 		    "Your password will expire in %lld day%s.\n",
155 		    daysleft, daysleft == 1 ? "" : "s");
156 		buffer_append(&loginmsg, buf, strlen(buf));
157 	}
158 	if (actimeleft != 0 && actimeleft < acwarntime) {
159 		daysleft = actimeleft / DAY + 1;
160 		snprintf(buf, sizeof(buf),
161 		    "Your account will expire in %lld day%s.\n",
162 		    daysleft, daysleft == 1 ? "" : "s");
163 		buffer_append(&loginmsg, buf, strlen(buf));
164 	}
165 }
166 
167 int
168 sys_auth_passwd(Authctxt *authctxt, const char *password)
169 {
170 	struct passwd *pw = authctxt->pw;
171 	auth_session_t *as;
172 	static int expire_checked = 0;
173 
174 	as = auth_usercheck(pw->pw_name, authctxt->style, "auth-ssh",
175 	    (char *)password);
176 	if (as == NULL)
177 		return (0);
178 	if (auth_getstate(as) & AUTH_PWEXPIRED) {
179 		auth_close(as);
180 		disable_forwarding();
181 		authctxt->force_pwchange = 1;
182 		return (1);
183 	} else {
184 		if (!expire_checked) {
185 			expire_checked = 1;
186 			warn_expiry(authctxt, as);
187 		}
188 		return (auth_close(as));
189 	}
190 }
191 #elif !defined(CUSTOM_SYS_AUTH_PASSWD)
192 int
193 sys_auth_passwd(Authctxt *authctxt, const char *password)
194 {
195 	struct passwd *pw = authctxt->pw;
196 	char *encrypted_password;
197 
198 	/* Just use the supplied fake password if authctxt is invalid */
199 	char *pw_password = authctxt->valid ? shadow_pw(pw) : pw->pw_passwd;
200 
201 	/* Check for users with no password. */
202 	if (strcmp(pw_password, "") == 0 && strcmp(password, "") == 0)
203 		return (1);
204 
205 	/* Encrypt the candidate password using the proper salt. */
206 	encrypted_password = xcrypt(password,
207 	    (pw_password[0] && pw_password[1]) ? pw_password : "xx");
208 
209 	/*
210 	 * Authentication is accepted if the encrypted passwords
211 	 * are identical.
212 	 */
213 	return encrypted_password != NULL &&
214 	    strcmp(encrypted_password, pw_password) == 0;
215 }
216 #endif
217