1 /* 2 * Copyright (c) 2002 Chris Adams. All rights reserved. 3 * 4 * Redistribution and use in source and binary forms, with or without 5 * modification, are permitted provided that the following conditions 6 * are met: 7 * 1. Redistributions of source code must retain the above copyright 8 * notice, this list of conditions and the following disclaimer. 9 * 2. Redistributions in binary form must reproduce the above copyright 10 * notice, this list of conditions and the following disclaimer in the 11 * documentation and/or other materials provided with the distribution. 12 * 13 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 14 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 15 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 16 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 17 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 18 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 19 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 20 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 21 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 22 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 23 */ 24 25 #include "includes.h" 26 27 #ifdef HAVE_OSF_SIA 28 #include <sia.h> 29 #include <siad.h> 30 #include <pwd.h> 31 #include <signal.h> 32 #include <setjmp.h> 33 #include <sys/resource.h> 34 #include <unistd.h> 35 #include <stdarg.h> 36 #include <string.h> 37 #include <sys/types.h> 38 #include <sys/security.h> 39 #include <prot.h> 40 #include <time.h> 41 42 #include "ssh.h" 43 #include "key.h" 44 #include "hostfile.h" 45 #include "auth.h" 46 #include "auth-sia.h" 47 #include "log.h" 48 #include "servconf.h" 49 #include "canohost.h" 50 #include "uidswap.h" 51 52 extern ServerOptions options; 53 extern int saved_argc; 54 extern char **saved_argv; 55 56 static int 57 sia_password_change_required(const char *user) 58 { 59 struct es_passwd *acct; 60 time_t pw_life; 61 time_t pw_date; 62 63 set_auth_parameters(saved_argc, saved_argv); 64 65 if ((acct = getespwnam(user)) == NULL) { 66 error("Couldn't access protected database entry for %s", user); 67 endprpwent(); 68 return (0); 69 } 70 71 /* If forced password change flag is set, honor it */ 72 if (acct->uflg->fg_psw_chg_reqd && acct->ufld->fd_psw_chg_reqd) { 73 endprpwent(); 74 return (1); 75 } 76 77 /* Obtain password lifetime; if none, it can't have expired */ 78 if (acct->uflg->fg_expire) 79 pw_life = acct->ufld->fd_expire; 80 else if (acct->sflg->fg_expire) 81 pw_life = acct->sfld->fd_expire; 82 else { 83 endprpwent(); 84 return (0); 85 } 86 87 /* Offset from last change; if none, it must be expired */ 88 if (acct->uflg->fg_schange) 89 pw_date = acct->ufld->fd_schange + pw_life; 90 else { 91 endprpwent(); 92 return (1); 93 } 94 95 endprpwent(); 96 97 /* If expiration date is prior to now, change password */ 98 99 return (pw_date <= time((time_t *) NULL)); 100 } 101 102 int 103 sys_auth_passwd(Authctxt *authctxt, const char *pass) 104 { 105 int ret; 106 SIAENTITY *ent = NULL; 107 const char *host; 108 109 host = get_canonical_hostname(options.use_dns); 110 111 if (!authctxt->user || pass == NULL || pass[0] == '\0') 112 return (0); 113 114 if (sia_ses_init(&ent, saved_argc, saved_argv, host, authctxt->user, 115 NULL, 0, NULL) != SIASUCCESS) 116 return (0); 117 118 if ((ret = sia_ses_authent(NULL, pass, ent)) != SIASUCCESS) { 119 error("Couldn't authenticate %s from %s", 120 authctxt->user, host); 121 if (ret & SIASTOP) 122 sia_ses_release(&ent); 123 124 return (0); 125 } 126 127 sia_ses_release(&ent); 128 129 authctxt->force_pwchange = sia_password_change_required( 130 authctxt->user); 131 132 return (1); 133 } 134 135 void 136 session_setup_sia(struct passwd *pw, char *tty) 137 { 138 SIAENTITY *ent = NULL; 139 const char *host; 140 141 host = get_canonical_hostname(options.use_dns); 142 143 if (sia_ses_init(&ent, saved_argc, saved_argv, host, pw->pw_name, 144 tty, 0, NULL) != SIASUCCESS) 145 fatal("sia_ses_init failed"); 146 147 if (sia_make_entity_pwd(pw, ent) != SIASUCCESS) { 148 sia_ses_release(&ent); 149 fatal("sia_make_entity_pwd failed"); 150 } 151 152 ent->authtype = SIA_A_NONE; 153 if (sia_ses_estab(sia_collect_trm, ent) != SIASUCCESS) 154 fatal("Couldn't establish session for %s from %s", 155 pw->pw_name, host); 156 157 if (sia_ses_launch(sia_collect_trm, ent) != SIASUCCESS) 158 fatal("Couldn't launch session for %s from %s", 159 pw->pw_name, host); 160 161 sia_ses_release(&ent); 162 163 setuid(0); 164 permanently_set_uid(pw); 165 } 166 167 #endif /* HAVE_OSF_SIA */ 168