xref: /titanic_41/usr/src/cmd/ssh/sshd/auth-passwd.c (revision 430b4c467020edf2445feb0c21db01c88b86243a)
1 /*
2  * Author: Tatu Ylonen <ylo@cs.hut.fi>
3  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
4  *                    All rights reserved
5  * Password authentication.  This file contains the functions to check whether
6  * the password is valid for the user.
7  *
8  * As far as I am concerned, the code I have written for this software
9  * can be used freely for any purpose.  Any derived versions of this
10  * software must be clearly marked as such, and if the derived work is
11  * incompatible with the protocol description in the RFC file, it must be
12  * called by a name other than "ssh" or "Secure Shell".
13  *
14  * Copyright (c) 1999 Dug Song.  All rights reserved.
15  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
16  *
17  * Redistribution and use in source and binary forms, with or without
18  * modification, are permitted provided that the following conditions
19  * are met:
20  * 1. Redistributions of source code must retain the above copyright
21  *    notice, this list of conditions and the following disclaimer.
22  * 2. Redistributions in binary form must reproduce the above copyright
23  *    notice, this list of conditions and the following disclaimer in the
24  *    documentation and/or other materials provided with the distribution.
25  *
26  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
27  * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
28  * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
29  * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
30  * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
31  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
32  * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
33  * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
34  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
35  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
36  */
37 
38 #include "includes.h"
39 RCSID("$OpenBSD: auth-passwd.c,v 1.27 2002/05/24 16:45:16 stevesk Exp $");
40 
41 #include "packet.h"
42 #include "log.h"
43 #include "servconf.h"
44 #include "auth.h"
45 
46 #if !defined(USE_PAM) && !defined(HAVE_OSF_SIA)
47 /* Don't need any of these headers for the PAM or SIA cases */
48 # ifdef HAVE_CRYPT_H
49 #  include <crypt.h>
50 # endif
51 # ifdef WITH_AIXAUTHENTICATE
52 #  include <login.h>
53 # endif
54 # ifdef __hpux
55 #  include <hpsecurity.h>
56 #  include <prot.h>
57 # endif
58 # if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW)
59 #  include <shadow.h>
60 # endif
61 # if defined(HAVE_GETPWANAM) && !defined(DISABLE_SHADOW)
62 #  include <sys/label.h>
63 #  include <sys/audit.h>
64 #  include <pwdadj.h>
65 # endif
66 # if defined(HAVE_MD5_PASSWORDS) && !defined(HAVE_MD5_CRYPT)
67 #  include "md5crypt.h"
68 # endif /* defined(HAVE_MD5_PASSWORDS) && !defined(HAVE_MD5_CRYPT) */
69 
70 # ifdef HAVE_CYGWIN
71 #  undef ERROR
72 #  include <windows.h>
73 #  include <sys/cygwin.h>
74 #  define is_winnt       (GetVersion() < 0x80000000)
75 # endif
76 #endif /* !USE_PAM && !HAVE_OSF_SIA */
77 
78 extern ServerOptions options;
79 #ifdef WITH_AIXAUTHENTICATE
80 extern char *aixloginmsg;
81 #endif
82 
83 /*
84  * Tries to authenticate the user using password.  Returns true if
85  * authentication succeeds.
86  */
87 int
88 auth_password(Authctxt *authctxt, const char *password)
89 {
90 #if defined(USE_PAM)
91 	if (*password == '\0' && options.permit_empty_passwd == 0)
92 		return 0;
93 	return auth_pam_password(authctxt, password);
94 #elif defined(HAVE_OSF_SIA)
95 	if (*password == '\0' && options.permit_empty_passwd == 0)
96 		return 0;
97 	return auth_sia_password(authctxt, password);
98 #else
99 	struct passwd * pw = authctxt->pw;
100 	char *encrypted_password;
101 	char *pw_password;
102 	char *salt;
103 #if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW)
104 	struct spwd *spw;
105 #endif
106 #if defined(HAVE_GETPWANAM) && !defined(DISABLE_SHADOW)
107 	struct passwd_adjunct *spw;
108 #endif
109 #ifdef WITH_AIXAUTHENTICATE
110 	char *authmsg;
111 	int authsuccess;
112 	int reenter = 1;
113 #endif
114 
115 	/* deny if no user. */
116 	if (pw == NULL)
117 		return 0;
118 #ifndef HAVE_CYGWIN
119        if (pw->pw_uid == 0 && options.permit_root_login != PERMIT_YES)
120 		return 0;
121 #endif
122 	if (*password == '\0' && options.permit_empty_passwd == 0)
123 		return 0;
124 #ifdef KRB5
125 	if (options.kerberos_authentication == 1) {
126 		int ret = auth_krb5_password(authctxt, password);
127 		if (ret == 1 || ret == 0)
128 			return ret;
129 		/* Fall back to ordinary passwd authentication. */
130 	}
131 #endif
132 #ifdef HAVE_CYGWIN
133 	if (is_winnt) {
134 		HANDLE hToken = cygwin_logon_user(pw, password);
135 
136 		if (hToken == INVALID_HANDLE_VALUE)
137 			return 0;
138 		cygwin_set_impersonation_token(hToken);
139 		return 1;
140 	}
141 #endif
142 #ifdef WITH_AIXAUTHENTICATE
143 	authsuccess = (authenticate(pw->pw_name,password,&reenter,&authmsg) == 0);
144 
145 	if (authsuccess)
146 	        /* We don't have a pty yet, so just label the line as "ssh" */
147 	        if (loginsuccess(authctxt->user,
148 			get_canonical_hostname(options.verify_reverse_mapping),
149 			"ssh", &aixloginmsg) < 0)
150 				aixloginmsg = NULL;
151 
152 	return(authsuccess);
153 #endif
154 #ifdef KRB4
155 	if (options.kerberos_authentication == 1) {
156 		int ret = auth_krb4_password(authctxt, password);
157 		if (ret == 1 || ret == 0)
158 			return ret;
159 		/* Fall back to ordinary passwd authentication. */
160 	}
161 #endif
162 #ifdef BSD_AUTH
163 	if (auth_userokay(pw->pw_name, authctxt->style, "auth-ssh",
164 	    (char *)password) == 0)
165 		return 0;
166 	else
167 		return 1;
168 #endif
169 	pw_password = pw->pw_passwd;
170 
171 	/*
172 	 * Various interfaces to shadow or protected password data
173 	 */
174 #if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW)
175 	spw = getspnam(pw->pw_name);
176 	if (spw != NULL)
177 		pw_password = spw->sp_pwdp;
178 #endif /* defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW) */
179 
180 #if defined(HAVE_GETPWANAM) && !defined(DISABLE_SHADOW)
181 	if (issecure() && (spw = getpwanam(pw->pw_name)) != NULL)
182 		pw_password = spw->pwa_passwd;
183 #endif /* defined(HAVE_GETPWANAM) && !defined(DISABLE_SHADOW) */
184 
185 	/* Check for users with no password. */
186 	if ((password[0] == '\0') && (pw_password[0] == '\0'))
187 		return 1;
188 
189 	if (pw_password[0] != '\0')
190 		salt = pw_password;
191 	else
192 		salt = "xx";
193 
194 #ifdef HAVE_MD5_PASSWORDS
195 	if (is_md5_salt(salt))
196 		encrypted_password = md5_crypt(password, salt);
197 	else
198 		encrypted_password = crypt(password, salt);
199 #else /* HAVE_MD5_PASSWORDS */
200 	encrypted_password = crypt(password, salt);
201 #endif /* HAVE_MD5_PASSWORDS */
202 
203 	/* Authentication is accepted if the encrypted passwords are identical. */
204 	return (strcmp(encrypted_password, pw_password) == 0);
205 #endif /* !USE_PAM && !HAVE_OSF_SIA */
206 }
207