xref: /freebsd/crypto/openssh/auth-sia.c (revision 39beb93c3f8bdbf72a61fda42300b5ebed7390c8)
1 /*
2  * Copyright (c) 2002 Chris Adams.  All rights reserved.
3  *
4  * Redistribution and use in source and binary forms, with or without
5  * modification, are permitted provided that the following conditions
6  * are met:
7  * 1. Redistributions of source code must retain the above copyright
8  *    notice, this list of conditions and the following disclaimer.
9  * 2. Redistributions in binary form must reproduce the above copyright
10  *    notice, this list of conditions and the following disclaimer in the
11  *    documentation and/or other materials provided with the distribution.
12  *
13  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
14  * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
15  * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
16  * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
17  * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
18  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
19  * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
20  * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
21  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
22  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
23  */
24 
25 #include "includes.h"
26 
27 #ifdef HAVE_OSF_SIA
28 #include <sia.h>
29 #include <siad.h>
30 #include <pwd.h>
31 #include <signal.h>
32 #include <setjmp.h>
33 #include <sys/resource.h>
34 #include <unistd.h>
35 #include <stdarg.h>
36 #include <string.h>
37 #include <sys/types.h>
38 #include <sys/security.h>
39 #include <prot.h>
40 #include <time.h>
41 
42 #include "ssh.h"
43 #include "key.h"
44 #include "hostfile.h"
45 #include "auth.h"
46 #include "auth-sia.h"
47 #include "log.h"
48 #include "servconf.h"
49 #include "canohost.h"
50 #include "uidswap.h"
51 
52 extern ServerOptions options;
53 extern int saved_argc;
54 extern char **saved_argv;
55 
56 static int
57 sia_password_change_required(const char *user)
58 {
59 	struct es_passwd *acct;
60 	time_t pw_life;
61 	time_t pw_date;
62 
63 	set_auth_parameters(saved_argc, saved_argv);
64 
65 	if ((acct = getespwnam(user)) == NULL) {
66 		error("Couldn't access protected database entry for %s", user);
67 		endprpwent();
68 		return (0);
69 	}
70 
71 	/* If forced password change flag is set, honor it */
72 	if (acct->uflg->fg_psw_chg_reqd && acct->ufld->fd_psw_chg_reqd) {
73 		endprpwent();
74 		return (1);
75 	}
76 
77 	/* Obtain password lifetime; if none, it can't have expired */
78 	if (acct->uflg->fg_expire)
79 		pw_life = acct->ufld->fd_expire;
80 	else if (acct->sflg->fg_expire)
81 		pw_life = acct->sfld->fd_expire;
82 	else {
83 		endprpwent();
84 		return (0);
85 	}
86 
87 	/* Offset from last change; if none, it must be expired */
88 	if (acct->uflg->fg_schange)
89 		pw_date = acct->ufld->fd_schange + pw_life;
90 	else {
91 		endprpwent();
92 		return (1);
93 	}
94 
95 	endprpwent();
96 
97 	/* If expiration date is prior to now, change password */
98 
99 	return (pw_date <= time((time_t *) NULL));
100 }
101 
102 int
103 sys_auth_passwd(Authctxt *authctxt, const char *pass)
104 {
105 	int ret;
106 	SIAENTITY *ent = NULL;
107 	const char *host;
108 
109 	host = get_canonical_hostname(options.use_dns);
110 
111 	if (!authctxt->user || pass == NULL || pass[0] == '\0')
112 		return (0);
113 
114 	if (sia_ses_init(&ent, saved_argc, saved_argv, host, authctxt->user,
115 	    NULL, 0, NULL) != SIASUCCESS)
116 		return (0);
117 
118 	if ((ret = sia_ses_authent(NULL, pass, ent)) != SIASUCCESS) {
119 		error("Couldn't authenticate %s from %s",
120 		    authctxt->user, host);
121 		if (ret & SIASTOP)
122 			sia_ses_release(&ent);
123 
124 		return (0);
125 	}
126 
127 	sia_ses_release(&ent);
128 
129 	authctxt->force_pwchange = sia_password_change_required(
130 		authctxt->user);
131 
132 	return (1);
133 }
134 
135 void
136 session_setup_sia(struct passwd *pw, char *tty)
137 {
138 	SIAENTITY *ent = NULL;
139 	const char *host;
140 
141 	host = get_canonical_hostname(options.use_dns);
142 
143 	if (sia_ses_init(&ent, saved_argc, saved_argv, host, pw->pw_name,
144 	    tty, 0, NULL) != SIASUCCESS)
145 		fatal("sia_ses_init failed");
146 
147 	if (sia_make_entity_pwd(pw, ent) != SIASUCCESS) {
148 		sia_ses_release(&ent);
149 		fatal("sia_make_entity_pwd failed");
150 	}
151 
152 	ent->authtype = SIA_A_NONE;
153 	if (sia_ses_estab(sia_collect_trm, ent) != SIASUCCESS)
154 		fatal("Couldn't establish session for %s from %s",
155 		    pw->pw_name, host);
156 
157 	if (sia_ses_launch(sia_collect_trm, ent) != SIASUCCESS)
158 		fatal("Couldn't launch session for %s from %s",
159 		    pw->pw_name, host);
160 
161 	sia_ses_release(&ent);
162 
163 	setuid(0);
164 	permanently_set_uid(pw);
165 }
166 
167 #endif /* HAVE_OSF_SIA */
168