1 /*
2 * Author: Tatu Ylonen <ylo@cs.hut.fi>
3 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
4 * All rights reserved
5 * Password authentication. This file contains the functions to check whether
6 * the password is valid for the user.
7 *
8 * As far as I am concerned, the code I have written for this software
9 * can be used freely for any purpose. Any derived versions of this
10 * software must be clearly marked as such, and if the derived work is
11 * incompatible with the protocol description in the RFC file, it must be
12 * called by a name other than "ssh" or "Secure Shell".
13 *
14 * Copyright (c) 1999 Dug Song. All rights reserved.
15 * Copyright (c) 2000 Markus Friedl. All rights reserved.
16 *
17 * Redistribution and use in source and binary forms, with or without
18 * modification, are permitted provided that the following conditions
19 * are met:
20 * 1. Redistributions of source code must retain the above copyright
21 * notice, this list of conditions and the following disclaimer.
22 * 2. Redistributions in binary form must reproduce the above copyright
23 * notice, this list of conditions and the following disclaimer in the
24 * documentation and/or other materials provided with the distribution.
25 *
26 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
27 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
28 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
29 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
30 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
31 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
32 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
33 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
34 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
35 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
36 */
37
38 #include "includes.h"
39 RCSID("$OpenBSD: auth-passwd.c,v 1.27 2002/05/24 16:45:16 stevesk Exp $");
40
41 #include "packet.h"
42 #include "log.h"
43 #include "servconf.h"
44 #include "auth.h"
45
46 #if !defined(USE_PAM) && !defined(HAVE_OSF_SIA)
47 /* Don't need any of these headers for the PAM or SIA cases */
48 # ifdef HAVE_CRYPT_H
49 # include <crypt.h>
50 # endif
51 # ifdef WITH_AIXAUTHENTICATE
52 # include <login.h>
53 # endif
54 # ifdef __hpux
55 # include <hpsecurity.h>
56 # include <prot.h>
57 # endif
58 # if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW)
59 # include <shadow.h>
60 # endif
61 # if defined(HAVE_GETPWANAM) && !defined(DISABLE_SHADOW)
62 # include <sys/label.h>
63 # include <sys/audit.h>
64 # include <pwdadj.h>
65 # endif
66 # if defined(HAVE_MD5_PASSWORDS) && !defined(HAVE_MD5_CRYPT)
67 # include "md5crypt.h"
68 # endif /* defined(HAVE_MD5_PASSWORDS) && !defined(HAVE_MD5_CRYPT) */
69
70 # ifdef HAVE_CYGWIN
71 # undef ERROR
72 # include <windows.h>
73 # include <sys/cygwin.h>
74 # define is_winnt (GetVersion() < 0x80000000)
75 # endif
76 #endif /* !USE_PAM && !HAVE_OSF_SIA */
77
78 extern ServerOptions options;
79 #ifdef WITH_AIXAUTHENTICATE
80 extern char *aixloginmsg;
81 #endif
82
83 /*
84 * Tries to authenticate the user using password. Returns true if
85 * authentication succeeds.
86 */
87 int
auth_password(Authctxt * authctxt,const char * password)88 auth_password(Authctxt *authctxt, const char *password)
89 {
90 #if defined(USE_PAM)
91 if (*password == '\0' && options.permit_empty_passwd == 0)
92 return 0;
93 return auth_pam_password(authctxt, password);
94 #elif defined(HAVE_OSF_SIA)
95 if (*password == '\0' && options.permit_empty_passwd == 0)
96 return 0;
97 return auth_sia_password(authctxt, password);
98 #else
99 struct passwd * pw = authctxt->pw;
100 char *encrypted_password;
101 char *pw_password;
102 char *salt;
103 #if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW)
104 struct spwd *spw;
105 #endif
106 #if defined(HAVE_GETPWANAM) && !defined(DISABLE_SHADOW)
107 struct passwd_adjunct *spw;
108 #endif
109 #ifdef WITH_AIXAUTHENTICATE
110 char *authmsg;
111 int authsuccess;
112 int reenter = 1;
113 #endif
114
115 /* deny if no user. */
116 if (pw == NULL)
117 return 0;
118 #ifndef HAVE_CYGWIN
119 if (pw->pw_uid == 0 && options.permit_root_login != PERMIT_YES)
120 return 0;
121 #endif
122 if (*password == '\0' && options.permit_empty_passwd == 0)
123 return 0;
124 #ifdef KRB5
125 if (options.kerberos_authentication == 1) {
126 int ret = auth_krb5_password(authctxt, password);
127 if (ret == 1 || ret == 0)
128 return ret;
129 /* Fall back to ordinary passwd authentication. */
130 }
131 #endif
132 #ifdef HAVE_CYGWIN
133 if (is_winnt) {
134 HANDLE hToken = cygwin_logon_user(pw, password);
135
136 if (hToken == INVALID_HANDLE_VALUE)
137 return 0;
138 cygwin_set_impersonation_token(hToken);
139 return 1;
140 }
141 #endif
142 #ifdef WITH_AIXAUTHENTICATE
143 authsuccess = (authenticate(pw->pw_name,password,&reenter,&authmsg) == 0);
144
145 if (authsuccess)
146 /* We don't have a pty yet, so just label the line as "ssh" */
147 if (loginsuccess(authctxt->user,
148 get_canonical_hostname(options.verify_reverse_mapping),
149 "ssh", &aixloginmsg) < 0)
150 aixloginmsg = NULL;
151
152 return(authsuccess);
153 #endif
154 #ifdef KRB4
155 if (options.kerberos_authentication == 1) {
156 int ret = auth_krb4_password(authctxt, password);
157 if (ret == 1 || ret == 0)
158 return ret;
159 /* Fall back to ordinary passwd authentication. */
160 }
161 #endif
162 #ifdef BSD_AUTH
163 if (auth_userokay(pw->pw_name, authctxt->style, "auth-ssh",
164 (char *)password) == 0)
165 return 0;
166 else
167 return 1;
168 #endif
169 pw_password = pw->pw_passwd;
170
171 /*
172 * Various interfaces to shadow or protected password data
173 */
174 #if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW)
175 spw = getspnam(pw->pw_name);
176 if (spw != NULL)
177 pw_password = spw->sp_pwdp;
178 #endif /* defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW) */
179
180 #if defined(HAVE_GETPWANAM) && !defined(DISABLE_SHADOW)
181 if (issecure() && (spw = getpwanam(pw->pw_name)) != NULL)
182 pw_password = spw->pwa_passwd;
183 #endif /* defined(HAVE_GETPWANAM) && !defined(DISABLE_SHADOW) */
184
185 /* Check for users with no password. */
186 if ((password[0] == '\0') && (pw_password[0] == '\0'))
187 return 1;
188
189 if (pw_password[0] != '\0')
190 salt = pw_password;
191 else
192 salt = "xx";
193
194 #ifdef HAVE_MD5_PASSWORDS
195 if (is_md5_salt(salt))
196 encrypted_password = md5_crypt(password, salt);
197 else
198 encrypted_password = crypt(password, salt);
199 #else /* HAVE_MD5_PASSWORDS */
200 encrypted_password = crypt(password, salt);
201 #endif /* HAVE_MD5_PASSWORDS */
202
203 /* Authentication is accepted if the encrypted passwords are identical. */
204 return (strcmp(encrypted_password, pw_password) == 0);
205 #endif /* !USE_PAM && !HAVE_OSF_SIA */
206 }
207