[BACK]Return to login.c CVS log [TXT][DIR] Up to [local] / src / usr.bin / login

Annotation of src/usr.bin/login/login.c, Revision 1.19

1.19    ! downsj      1: /*     $OpenBSD: login.c,v 1.18 1997/02/04 03:39:11 flipk Exp $        */
1.3       deraadt     2: /*     $NetBSD: login.c,v 1.13 1996/05/15 23:50:16 jtc Exp $   */
1.1       deraadt     3:
                      4: /*-
                      5:  * Copyright (c) 1980, 1987, 1988, 1991, 1993, 1994
                      6:  *     The Regents of the University of California.  All rights reserved.
                      7:  *
                      8:  * Redistribution and use in source and binary forms, with or without
                      9:  * modification, are permitted provided that the following conditions
                     10:  * are met:
                     11:  * 1. Redistributions of source code must retain the above copyright
                     12:  *    notice, this list of conditions and the following disclaimer.
                     13:  * 2. Redistributions in binary form must reproduce the above copyright
                     14:  *    notice, this list of conditions and the following disclaimer in the
                     15:  *    documentation and/or other materials provided with the distribution.
                     16:  * 3. All advertising materials mentioning features or use of this software
                     17:  *    must display the following acknowledgement:
                     18:  *     This product includes software developed by the University of
                     19:  *     California, Berkeley and its contributors.
                     20:  * 4. Neither the name of the University nor the names of its contributors
                     21:  *    may be used to endorse or promote products derived from this software
                     22:  *    without specific prior written permission.
                     23:  *
                     24:  * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
                     25:  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
                     26:  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
                     27:  * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
                     28:  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
                     29:  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
                     30:  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
                     31:  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
                     32:  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
                     33:  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
                     34:  * SUCH DAMAGE.
                     35:  */
                     36:
                     37: #ifndef lint
                     38: static char copyright[] =
                     39: "@(#) Copyright (c) 1980, 1987, 1988, 1991, 1993, 1994\n\
                     40:        The Regents of the University of California.  All rights reserved.\n";
                     41: #endif /* not lint */
                     42:
                     43: #ifndef lint
                     44: #if 0
                     45: static char sccsid[] = "@(#)login.c    8.4 (Berkeley) 4/2/94";
                     46: #endif
1.19    ! downsj     47: static char rcsid[] = "$OpenBSD: login.c,v 1.18 1997/02/04 03:39:11 flipk Exp $";
1.1       deraadt    48: #endif /* not lint */
                     49:
                     50: /*
                     51:  * login [ name ]
                     52:  * login -h hostname   (for telnetd, etc.)
                     53:  * login -f name       (for pre-authenticated login: datakit, xterm, etc.)
                     54:  */
                     55:
                     56: #include <sys/param.h>
                     57: #include <sys/stat.h>
                     58: #include <sys/time.h>
                     59: #include <sys/resource.h>
                     60: #include <sys/file.h>
1.11      millert    61: #include <sys/wait.h>
1.1       deraadt    62:
                     63: #include <err.h>
                     64: #include <errno.h>
                     65: #include <grp.h>
                     66: #include <pwd.h>
                     67: #include <setjmp.h>
                     68: #include <signal.h>
                     69: #include <stdio.h>
                     70: #include <stdlib.h>
                     71: #include <string.h>
                     72: #include <syslog.h>
                     73: #include <ttyent.h>
                     74: #include <tzfile.h>
                     75: #include <unistd.h>
                     76: #include <utmp.h>
1.3       deraadt    77: #include <util.h>
1.1       deraadt    78:
                     79: #include "pathnames.h"
                     80:
                     81: void    badlogin __P((char *));
                     82: void    checknologin __P((void));
                     83: void    dolastlog __P((int));
                     84: void    getloginname __P((void));
                     85: void    motd __P((void));
                     86: int     rootterm __P((char *));
                     87: void    sigint __P((int));
1.11      millert    88: void    sighup __P((int));
1.1       deraadt    89: void    sleepexit __P((int));
                     90: char   *stypeof __P((char *));
                     91: void    timedout __P((int));
                     92: int     pwcheck __P((char *, char *, char *, char *));
                     93: #if defined(KERBEROS) || defined(KERBEROS5)
                     94: int     klogin __P((struct passwd *, char *, char *, char *));
                     95: void    kdestroy __P((void));
                     96: void    dofork __P((void));
                     97: #endif
                     98:
                     99: extern void login __P((struct utmp *));
1.13      millert   100: extern int check_failedlogin __P((uid_t));
1.14      millert   101: extern void log_failedlogin __P((uid_t, char *, char *, char *));
1.1       deraadt   102:
                    103: #define        TTYGRPNAME      "tty"           /* name of group to own ttys */
                    104:
                    105: /*
                    106:  * This bounds the time given to login.  Not a define so it can
                    107:  * be patched on machines where it's too small.
                    108:  */
                    109: u_int  timeout = 300;
                    110:
                    111: #if defined(KERBEROS) || defined(KERBEROS5)
                    112: int    notickets = 1;
                    113: char   *instance;
                    114: char   *krbtkfile_env;
                    115: int    authok;
                    116: #endif
                    117:
                    118: struct passwd *pwd;
                    119: int    failures;
1.14      millert   120: char   term[64], *envinit[1], *hostname, *tty;
                    121: char   *username = NULL, *rusername = NULL;
1.1       deraadt   122:
                    123: int
                    124: main(argc, argv)
                    125:        int argc;
                    126:        char *argv[];
                    127: {
                    128:        extern char **environ;
                    129:        struct group *gr;
                    130:        struct stat st;
                    131:        struct timeval tp;
                    132:        struct utmp utmp;
1.14      millert   133:        int ask, ch, cnt, fflag, hflag, pflag, uflag, quietlog, rootlogin, rval;
1.1       deraadt   134:        uid_t uid;
                    135:        char *domain, *p, *salt, *ttyn;
                    136:        char tbuf[MAXPATHLEN + 2], tname[sizeof(_PATH_TTY) + 10];
                    137:        char localhost[MAXHOSTNAMELEN];
                    138:
                    139:        (void)signal(SIGALRM, timedout);
                    140:        (void)alarm(timeout);
                    141:        (void)signal(SIGQUIT, SIG_IGN);
                    142:        (void)signal(SIGINT, SIG_IGN);
1.11      millert   143:        (void)signal(SIGHUP, sighup);
1.1       deraadt   144:        (void)setpriority(PRIO_PROCESS, 0, 0);
                    145:
                    146:        openlog("login", LOG_ODELAY, LOG_AUTH);
                    147:
                    148:        /*
                    149:         * -p is used by getty to tell login not to destroy the environment
                    150:         * -f is used to skip a second login authentication
                    151:         * -h is used by other servers to pass the name of the remote
                    152:         *    host to login so that it may be placed in utmp and wtmp
                    153:         */
                    154:        domain = NULL;
                    155:        if (gethostname(localhost, sizeof(localhost)) < 0)
                    156:                syslog(LOG_ERR, "couldn't get local hostname: %m");
                    157:        else
                    158:                domain = strchr(localhost, '.');
                    159:
                    160:        fflag = hflag = pflag = 0;
                    161:        uid = getuid();
1.16      millert   162:        while ((ch = getopt(argc, argv, "fh:u:p")) != -1)
1.1       deraadt   163:                switch (ch) {
                    164:                case 'f':
                    165:                        fflag = 1;
                    166:                        break;
                    167:                case 'h':
                    168:                        if (uid)
                    169:                                errx(1, "-h option: %s", strerror(EPERM));
                    170:                        hflag = 1;
                    171:                        if (domain && (p = strchr(optarg, '.')) &&
                    172:                            strcasecmp(p, domain) == 0)
                    173:                                *p = 0;
                    174:                        hostname = optarg;
                    175:                        break;
                    176:                case 'p':
                    177:                        pflag = 1;
                    178:                        break;
1.14      millert   179:                case 'u':
                    180:                        if (uid)
                    181:                                errx(1, "-u option: %s", strerror(EPERM));
                    182:                        uflag = 1;
                    183:                        rusername = optarg;
                    184:                        break;
1.1       deraadt   185:                case '?':
                    186:                default:
                    187:                        if (!uid)
                    188:                                syslog(LOG_ERR, "invalid flag %c", ch);
                    189:                        (void)fprintf(stderr,
                    190:                            "usage: login [-fp] [-h hostname] [username]\n");
                    191:                        exit(1);
                    192:                }
                    193:        argc -= optind;
                    194:        argv += optind;
                    195:
                    196:        if (*argv) {
                    197:                username = *argv;
                    198:                ask = 0;
                    199:        } else
                    200:                ask = 1;
                    201:
                    202:        for (cnt = getdtablesize(); cnt > 2; cnt--)
                    203:                (void)close(cnt);
                    204:
                    205:        ttyn = ttyname(STDIN_FILENO);
                    206:        if (ttyn == NULL || *ttyn == '\0') {
                    207:                (void)snprintf(tname, sizeof(tname), "%s??", _PATH_TTY);
                    208:                ttyn = tname;
                    209:        }
1.12      millert   210:        if ((tty = strrchr(ttyn, '/')))
1.1       deraadt   211:                ++tty;
                    212:        else
                    213:                tty = ttyn;
                    214:
                    215:        for (cnt = 0;; ask = 1) {
                    216: #if defined(KERBEROS) || defined(KERBEROS5)
                    217:                kdestroy();
                    218: #endif
                    219:                if (ask) {
                    220:                        fflag = 0;
                    221:                        getloginname();
                    222:                }
                    223:                rootlogin = 0;
1.18      flipk     224:
                    225: #if defined(KERBEROS) || defined(KERBEROS5)
                    226:                /*
                    227:                 * Why should anyone with a root instance be able
                    228:                 * to be root here?
                    229:                 */
1.17      dm        230:                instance = "";
1.18      flipk     231: #endif
1.1       deraadt   232: #ifdef KERBEROS
                    233:                if ((instance = strchr(username, '.')) != NULL) {
                    234:                        if (strncmp(instance, ".root", 5) == 0)
                    235:                                rootlogin = 1;
                    236:                        *instance++ = '\0';
                    237:                } else
                    238:                        instance = "";
                    239: #endif
                    240: #ifdef KERBEROS5
                    241:                if ((instance = strchr(username, '/')) != NULL) {
                    242:                        if (strncmp(instance, "/root", 5) == 0)
                    243:                                rootlogin = 1;
                    244:                        *instance++ = '\0';
                    245:                } else
                    246:                        instance = "";
                    247: #endif
                    248:                if (strlen(username) > UT_NAMESIZE)
                    249:                        username[UT_NAMESIZE] = '\0';
                    250:
                    251:                /*
                    252:                 * Note if trying multiple user names; log failures for
                    253:                 * previous user name, but don't bother logging one failure
                    254:                 * for nonexistent name (mistyped username).
                    255:                 */
                    256:                if (failures && strcmp(tbuf, username)) {
                    257:                        if (failures > (pwd ? 0 : 1))
                    258:                                badlogin(tbuf);
                    259:                        failures = 0;
                    260:                }
                    261:                (void)strcpy(tbuf, username);
                    262:
1.12      millert   263:                if ((pwd = getpwnam(username)))
1.1       deraadt   264:                        salt = pwd->pw_passwd;
                    265:                else
                    266:                        salt = "xx";
                    267:
                    268:                /*
                    269:                 * if we have a valid account name, and it doesn't have a
                    270:                 * password, or the -f option was specified and the caller
                    271:                 * is root or the caller isn't changing their uid, don't
                    272:                 * authenticate.
                    273:                 */
                    274:                if (pwd) {
                    275:                        if (pwd->pw_uid == 0)
                    276:                                rootlogin = 1;
                    277:
                    278:                        if (fflag && (uid == 0 || uid == pwd->pw_uid)) {
                    279:                                /* already authenticated */
                    280:                                break;
                    281:                        } else if (pwd->pw_passwd[0] == '\0') {
                    282:                                /* pretend password okay */
                    283:                                rval = 0;
                    284:                                goto ttycheck;
                    285:                        }
                    286:                }
                    287:
                    288:                fflag = 0;
                    289:
                    290:                (void)setpriority(PRIO_PROCESS, 0, -4);
                    291:
                    292:                p = getpass("Password:");
                    293:
                    294:                if (pwd) {
                    295: #if defined(KERBEROS) || defined(KERBEROS5)
                    296:                        rval = klogin(pwd, instance, localhost, p);
                    297:                        if (rval != 0 && rootlogin && pwd->pw_uid != 0)
                    298:                                rootlogin = 0;
                    299:                        if (rval == 0)
                    300:                                authok = 1;
                    301:                        else if (rval == 1) {
                    302:                                if (pwd->pw_uid != 0)
                    303:                                        rootlogin = 0;
                    304:                                rval = pwcheck(username, p, salt, pwd->pw_passwd);
                    305:                        }
                    306: #else
                    307:                        rval = pwcheck(username, p, salt, pwd->pw_passwd);
                    308: #endif
                    309:                }
                    310:                memset(p, 0, strlen(p));
                    311:
                    312:                (void)setpriority(PRIO_PROCESS, 0, 0);
                    313:
                    314:        ttycheck:
                    315:                /*
                    316:                 * If trying to log in as root without Kerberos,
                    317:                 * but with insecure terminal, refuse the login attempt.
                    318:                 */
                    319: #if defined(KERBEROS) || defined(KERBEROS5)
                    320:                if (authok == 0)
                    321: #endif
                    322:                if (pwd && !rval && rootlogin && !rootterm(tty)) {
                    323:                        (void)fprintf(stderr,
                    324:                            "%s login refused on this terminal.\n",
                    325:                            pwd->pw_name);
                    326:                        if (hostname)
                    327:                                syslog(LOG_NOTICE,
1.14      millert   328:                                    "LOGIN %s REFUSED FROM %s%s%s ON TTY %s",
                    329:                                    pwd->pw_name, rusername ? rusername : "",
                    330:                                    rusername ? "@" : "", hostname, tty);
1.1       deraadt   331:                        else
                    332:                                syslog(LOG_NOTICE,
                    333:                                    "LOGIN %s REFUSED ON TTY %s",
                    334:                                     pwd->pw_name, tty);
                    335:                        continue;
                    336:                }
                    337:
                    338:                if (pwd && !rval)
                    339:                        break;
                    340:
                    341:                (void)printf("Login incorrect\n");
                    342:                failures++;
1.13      millert   343:                if (pwd)
1.14      millert   344:                        log_failedlogin(pwd->pw_uid, hostname, rusername, tty);
1.1       deraadt   345:                /* we allow 10 tries, but after 3 we start backing off */
                    346:                if (++cnt > 3) {
                    347:                        if (cnt >= 10) {
                    348:                                badlogin(username);
                    349:                                sleepexit(1);
                    350:                        }
                    351:                        sleep((u_int)((cnt - 3) * 5));
                    352:                }
                    353:        }
                    354:
                    355:        /* committed to login -- turn off timeout */
                    356:        (void)alarm((u_int)0);
                    357:
                    358:        endpwent();
                    359:
                    360:        /* if user not super-user, check for disabled logins */
                    361:        if (!rootlogin)
                    362:                checknologin();
                    363:
1.5       deraadt   364:        setegid(pwd->pw_gid);
                    365:        seteuid(pwd->pw_uid);
                    366:
1.1       deraadt   367:        if (chdir(pwd->pw_dir) < 0) {
                    368:                (void)printf("No home directory %s!\n", pwd->pw_dir);
                    369:                if (chdir("/"))
                    370:                        exit(0);
                    371:                pwd->pw_dir = "/";
                    372:                (void)printf("Logging in with home = \"/\".\n");
                    373:        }
                    374:
1.19    ! downsj    375:        quietlog = ((strcmp(pwd->pw_shell, "/sbin/nologin") == 0) ||
        !           376:                        (access(_PATH_HUSHLOGIN, F_OK) == 0));
1.5       deraadt   377:
                    378:        seteuid(0);
                    379:        setegid(0);     /* XXX use a saved gid instead? */
1.1       deraadt   380:
                    381:        if (pwd->pw_change || pwd->pw_expire)
                    382:                (void)gettimeofday(&tp, (struct timezone *)NULL);
                    383:        if (pwd->pw_change)
                    384:                if (tp.tv_sec >= pwd->pw_change) {
                    385:                        (void)printf("Sorry -- your password has expired.\n");
                    386:                        sleepexit(1);
                    387:                } else if (pwd->pw_change - tp.tv_sec <
                    388:                    2 * DAYSPERWEEK * SECSPERDAY && !quietlog)
                    389:                        (void)printf("Warning: your password expires on %s",
                    390:                            ctime(&pwd->pw_change));
                    391:        if (pwd->pw_expire)
                    392:                if (tp.tv_sec >= pwd->pw_expire) {
                    393:                        (void)printf("Sorry -- your account has expired.\n");
                    394:                        sleepexit(1);
                    395:                } else if (pwd->pw_expire - tp.tv_sec <
                    396:                    2 * DAYSPERWEEK * SECSPERDAY && !quietlog)
                    397:                        (void)printf("Warning: your account expires on %s",
                    398:                            ctime(&pwd->pw_expire));
                    399:
                    400:        /* Nothing else left to fail -- really log in. */
1.11      millert   401:        (void)signal(SIGHUP, SIG_DFL);
1.1       deraadt   402:        memset((void *)&utmp, 0, sizeof(utmp));
                    403:        (void)time(&utmp.ut_time);
                    404:        (void)strncpy(utmp.ut_name, username, sizeof(utmp.ut_name));
                    405:        if (hostname)
                    406:                (void)strncpy(utmp.ut_host, hostname, sizeof(utmp.ut_host));
                    407:        (void)strncpy(utmp.ut_line, tty, sizeof(utmp.ut_line));
                    408:        login(&utmp);
                    409:
1.13      millert   410:        if (!quietlog)
                    411:                (void)check_failedlogin(pwd->pw_uid);
1.1       deraadt   412:        dolastlog(quietlog);
1.6       deraadt   413:
                    414:        login_fbtab(tty, pwd->pw_uid, pwd->pw_gid);
1.1       deraadt   415:
                    416:        (void)chown(ttyn, pwd->pw_uid,
                    417:            (gr = getgrnam(TTYGRPNAME)) ? gr->gr_gid : pwd->pw_gid);
                    418: #if defined(KERBEROS) || defined(KERBEROS5)
                    419:        /* Fork so that we can call kdestroy */
                    420:        if (krbtkfile_env)
                    421:            dofork();
                    422: #endif
1.15      tholo     423:        (void)setegid(pwd->pw_gid);
1.1       deraadt   424:        (void)setgid(pwd->pw_gid);
                    425:
                    426:        initgroups(username, pwd->pw_gid);
                    427:
                    428:        if (*pwd->pw_shell == '\0')
                    429:                pwd->pw_shell = _PATH_BSHELL;
                    430:
                    431:        /* Destroy environment unless user has requested its preservation. */
                    432:        if (!pflag)
                    433:                environ = envinit;
1.9       millert   434:        else {
                    435:                char **cpp, **cpp2;
                    436:
                    437:                for (cpp2 = cpp = environ; *cpp; cpp++) {
                    438:                        if (strncmp(*cpp, "LD_", 3) &&
                    439:                            strncmp(*cpp, "IFS=", 4))
                    440:                                *cpp2++ = *cpp;
                    441:                }
                    442:                *cpp2 = 0;
                    443:        }
1.1       deraadt   444:        (void)setenv("HOME", pwd->pw_dir, 1);
                    445:        (void)setenv("SHELL", pwd->pw_shell, 1);
                    446:        if (term[0] == '\0')
                    447:                (void)strncpy(term, stypeof(tty), sizeof(term));
                    448:        (void)setenv("TERM", term, 0);
                    449:        (void)setenv("LOGNAME", pwd->pw_name, 1);
                    450:        (void)setenv("USER", pwd->pw_name, 1);
                    451:        (void)setenv("PATH", _PATH_DEFPATH, 0);
1.14      millert   452:        if (hostname)
                    453:                (void)setenv("REMOTEHOST", hostname, 1);
                    454:        if (rusername)
                    455:                (void)setenv("REMOTEUSER", rusername, 1);
1.1       deraadt   456: #ifdef KERBEROS
                    457:        if (krbtkfile_env)
                    458:                (void)setenv("KRBTKFILE", krbtkfile_env, 1);
                    459: #endif
                    460: #ifdef KERBEROS5
                    461:        if (krbtkfile_env)
                    462:                (void)setenv("KRB5CCNAME", krbtkfile_env, 1);
                    463: #endif
                    464:
                    465:        /* If fflag is on, assume caller/authenticator has logged root login. */
                    466:        if (rootlogin && fflag == 0)
                    467:                if (hostname)
1.14      millert   468:                        syslog(LOG_NOTICE, "ROOT LOGIN (%s) ON %s FROM %s%s%s",
                    469:                            username, tty, rusername ? rusername : "",
                    470:                            rusername ? "@" : "", hostname);
1.1       deraadt   471:                else
                    472:                        syslog(LOG_NOTICE, "ROOT LOGIN (%s) ON %s", username, tty);
                    473:
                    474: #if defined(KERBEROS) || defined(KERBEROS5)
                    475:        if (!quietlog && notickets == 1)
                    476:                (void)printf("Warning: no Kerberos tickets issued.\n");
                    477: #endif
                    478:
                    479:        if (!quietlog) {
1.2       deraadt   480: #if 0
1.1       deraadt   481:                (void)printf("%s\n\t%s  %s\n\n",
                    482:            "Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994",
                    483:                    "The Regents of the University of California. ",
                    484:                    "All rights reserved.");
1.2       deraadt   485: #endif
1.1       deraadt   486:                motd();
                    487:                (void)snprintf(tbuf,
                    488:                    sizeof(tbuf), "%s/%s", _PATH_MAILDIR, pwd->pw_name);
                    489:                if (stat(tbuf, &st) == 0 && st.st_size != 0)
                    490:                        (void)printf("You have %smail.\n",
                    491:                            (st.st_mtime > st.st_atime) ? "new " : "");
                    492:        }
                    493:
                    494:        (void)signal(SIGALRM, SIG_DFL);
                    495:        (void)signal(SIGQUIT, SIG_DFL);
                    496:        (void)signal(SIGINT, SIG_DFL);
                    497:        (void)signal(SIGTSTP, SIG_IGN);
                    498:
                    499:        tbuf[0] = '-';
                    500:        (void)strcpy(tbuf + 1, (p = strrchr(pwd->pw_shell, '/')) ?
                    501:            p + 1 : pwd->pw_shell);
                    502:
                    503:        if (setlogin(pwd->pw_name) < 0)
                    504:                syslog(LOG_ERR, "setlogin() failure: %m");
                    505:
                    506:        /* Discard permissions last so can't get killed and drop core. */
                    507:        if (rootlogin)
                    508:                (void) setuid(0);
1.15      tholo     509:        else {
                    510:                (void) seteuid(pwd->pw_uid);
1.1       deraadt   511:                (void) setuid(pwd->pw_uid);
1.15      tholo     512:        }
1.1       deraadt   513:
                    514:        execlp(pwd->pw_shell, tbuf, 0);
                    515:        err(1, "%s", pwd->pw_shell);
                    516: }
                    517:
                    518: int
                    519: pwcheck(user, p, salt, passwd)
                    520:        char *user, *p, *salt, *passwd;
                    521: {
                    522: #ifdef SKEY
1.8       millert   523:        if (strcasecmp(p, "s/key") == 0)
1.7       deraadt   524:                return skey_authenticate(user);
1.1       deraadt   525: #endif
                    526:        return strcmp(crypt(p, salt), passwd);
                    527: }
                    528:
                    529: #if defined(KERBEROS) || defined(KERBEROS5)
                    530: #define        NBUFSIZ         (UT_NAMESIZE + 1 + 5)   /* .root suffix */
                    531: #else
                    532: #define        NBUFSIZ         (UT_NAMESIZE + 1)
                    533: #endif
                    534:
                    535: #if defined(KERBEROS) || defined(KERBEROS5)
                    536: /*
                    537:  * This routine handles cleanup stuff, and the like.
                    538:  * It exists only in the child process.
                    539:  */
                    540: #include <sys/wait.h>
                    541: void
                    542: dofork()
                    543: {
                    544:     int child;
                    545:
                    546:     if (!(child = fork()))
                    547:            return; /* Child process */
                    548:
                    549:     /* Setup stuff?  This would be things we could do in parallel with login */
                    550:     (void) chdir("/"); /* Let's not keep the fs busy... */
                    551:
                    552:     /* If we're the parent, watch the child until it dies */
                    553:     while (wait(0) != child)
                    554:            ;
                    555:
                    556:     /* Cleanup stuff */
                    557:     /* Run kdestroy to destroy tickets */
                    558:     kdestroy();
                    559:
                    560:     /* Leave */
                    561:     exit(0);
                    562: }
                    563: #endif
                    564:
                    565: void
                    566: getloginname()
                    567: {
                    568:        int ch;
                    569:        char *p;
                    570:        static char nbuf[NBUFSIZ];
                    571:
                    572:        for (;;) {
                    573:                (void)printf("login: ");
                    574:                for (p = nbuf; (ch = getchar()) != '\n'; ) {
                    575:                        if (ch == EOF) {
                    576:                                badlogin(username);
                    577:                                exit(0);
                    578:                        }
                    579:                        if (p < nbuf + (NBUFSIZ - 1))
                    580:                                *p++ = ch;
                    581:                }
                    582:                if (p > nbuf)
                    583:                        if (nbuf[0] == '-')
                    584:                                (void)fprintf(stderr,
                    585:                                    "login names may not start with '-'.\n");
                    586:                        else {
                    587:                                *p = '\0';
                    588:                                username = nbuf;
                    589:                                break;
                    590:                        }
                    591:        }
                    592: }
                    593:
                    594: int
                    595: rootterm(ttyn)
                    596:        char *ttyn;
                    597: {
                    598:        struct ttyent *t;
                    599:
                    600:        return ((t = getttynam(ttyn)) && t->ty_status & TTY_SECURE);
                    601: }
                    602:
                    603: jmp_buf motdinterrupt;
                    604:
                    605: void
                    606: motd()
                    607: {
                    608:        int fd, nchars;
                    609:        sig_t oldint;
                    610:        char tbuf[8192];
                    611:
                    612:        if ((fd = open(_PATH_MOTDFILE, O_RDONLY, 0)) < 0)
                    613:                return;
                    614:        oldint = signal(SIGINT, sigint);
                    615:        if (setjmp(motdinterrupt) == 0)
                    616:                while ((nchars = read(fd, tbuf, sizeof(tbuf))) > 0)
                    617:                        (void)write(fileno(stdout), tbuf, nchars);
                    618:        (void)signal(SIGINT, oldint);
                    619:        (void)close(fd);
                    620: }
                    621:
                    622: /* ARGSUSED */
                    623: void
                    624: sigint(signo)
                    625:        int signo;
                    626: {
                    627:        longjmp(motdinterrupt, 1);
                    628: }
                    629:
                    630: /* ARGSUSED */
                    631: void
                    632: timedout(signo)
                    633:        int signo;
                    634: {
                    635:        (void)fprintf(stderr, "Login timed out after %d seconds\n", timeout);
                    636:        exit(0);
                    637: }
                    638:
                    639: void
                    640: checknologin()
                    641: {
                    642:        int fd, nchars;
                    643:        char tbuf[8192];
                    644:
                    645:        if ((fd = open(_PATH_NOLOGIN, O_RDONLY, 0)) >= 0) {
                    646:                while ((nchars = read(fd, tbuf, sizeof(tbuf))) > 0)
                    647:                        (void)write(fileno(stdout), tbuf, nchars);
                    648:                sleepexit(0);
                    649:        }
                    650: }
                    651:
                    652: void
                    653: dolastlog(quiet)
                    654:        int quiet;
                    655: {
                    656:        struct lastlog ll;
                    657:        int fd;
                    658:
                    659:        if ((fd = open(_PATH_LASTLOG, O_RDWR, 0)) >= 0) {
                    660:                (void)lseek(fd, (off_t)pwd->pw_uid * sizeof(ll), L_SET);
                    661:                if (!quiet) {
                    662:                        if (read(fd, (char *)&ll, sizeof(ll)) == sizeof(ll) &&
                    663:                            ll.ll_time != 0) {
                    664:                                (void)printf("Last login: %.*s ",
                    665:                                    24-5, (char *)ctime(&ll.ll_time));
1.14      millert   666:                                (void)printf("on %.*s",
                    667:                                    (int)sizeof(ll.ll_line),
                    668:                                    ll.ll_line);
1.1       deraadt   669:                                if (*ll.ll_host != '\0')
1.14      millert   670:                                        (void)printf(" from %.*s",
1.1       deraadt   671:                                            (int)sizeof(ll.ll_host),
                    672:                                            ll.ll_host);
1.14      millert   673:                                (void)putchar('\n');
1.1       deraadt   674:                        }
                    675:                        (void)lseek(fd, (off_t)pwd->pw_uid * sizeof(ll), L_SET);
                    676:                }
                    677:                memset((void *)&ll, 0, sizeof(ll));
                    678:                (void)time(&ll.ll_time);
                    679:                (void)strncpy(ll.ll_line, tty, sizeof(ll.ll_line));
                    680:                if (hostname)
                    681:                        (void)strncpy(ll.ll_host, hostname, sizeof(ll.ll_host));
                    682:                (void)write(fd, (char *)&ll, sizeof(ll));
                    683:                (void)close(fd);
                    684:        }
                    685: }
                    686:
                    687: void
                    688: badlogin(name)
                    689:        char *name;
                    690: {
                    691:        if (failures == 0)
                    692:                return;
                    693:        if (hostname) {
1.14      millert   694:                syslog(LOG_NOTICE, "%d LOGIN FAILURE%s FROM %s%s%s",
                    695:                    failures, failures > 1 ? "S" : "",
                    696:                    rusername ? rusername : "", rusername ? "@" : "", hostname);
1.1       deraadt   697:                syslog(LOG_AUTHPRIV|LOG_NOTICE,
1.14      millert   698:                    "%d LOGIN FAILURE%s FROM %s%s%s, %s",
                    699:                    failures, failures > 1 ? "S" : "",
                    700:                    rusername ? rusername : "", rusername ? "@" : "",
                    701:                    hostname, name);
1.1       deraadt   702:        } else {
                    703:                syslog(LOG_NOTICE, "%d LOGIN FAILURE%s ON %s",
                    704:                    failures, failures > 1 ? "S" : "", tty);
                    705:                syslog(LOG_AUTHPRIV|LOG_NOTICE,
                    706:                    "%d LOGIN FAILURE%s ON %s, %s",
                    707:                    failures, failures > 1 ? "S" : "", tty, name);
                    708:        }
                    709: }
                    710:
                    711: #undef UNKNOWN
                    712: #define        UNKNOWN "su"
                    713:
                    714: char *
                    715: stypeof(ttyid)
                    716:        char *ttyid;
                    717: {
                    718:        struct ttyent *t;
                    719:
                    720:        return (ttyid && (t = getttynam(ttyid)) ? t->ty_type : UNKNOWN);
                    721: }
                    722:
                    723: void
                    724: sleepexit(eval)
                    725:        int eval;
                    726: {
                    727:        (void)sleep(5);
                    728:        exit(eval);
1.11      millert   729: }
                    730:
                    731: void
                    732: sighup(signum)
                    733:        int signum;
                    734: {
                    735:        if (username)
                    736:                badlogin(username);
                    737:
                    738:        exit(W_EXITCODE(0, signum));
1.1       deraadt   739: }