| version 1.10, 1999/11/23 22:25:52 |
version 1.11, 1999/11/24 00:26:00 |
|
|
| /* |
/* |
| |
* Author: Tatu Ylonen <ylo@cs.hut.fi> |
| |
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland |
| |
* All rights reserved |
| |
* Created: Sat Mar 18 05:11:38 1995 ylo |
| |
* Password authentication. This file contains the functions to check whether |
| |
* the password is valid for the user. |
| |
*/ |
| |
|
| auth-passwd.c |
|
| |
|
| Author: Tatu Ylonen <ylo@cs.hut.fi> |
|
| |
|
| Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland |
|
| All rights reserved |
|
| |
|
| Created: Sat Mar 18 05:11:38 1995 ylo |
|
| |
|
| Password authentication. This file contains the functions to check whether |
|
| the password is valid for the user. |
|
| |
|
| */ |
|
| |
|
| #include "includes.h" |
#include "includes.h" |
| RCSID("$Id$"); |
RCSID("$Id$"); |
| |
|
|
|
| #include "servconf.h" |
#include "servconf.h" |
| #include "xmalloc.h" |
#include "xmalloc.h" |
| |
|
| /* Tries to authenticate the user using password. Returns true if |
/* |
| authentication succeeds. */ |
* Tries to authenticate the user using password. Returns true if |
| |
* authentication succeeds. |
| |
*/ |
| int |
int |
| auth_password(struct passwd * pw, const char *password) |
auth_password(struct passwd * pw, const char *password) |
| { |
{ |
|
|
| if (strncasecmp(password, "s/key", 5) == 0) { |
if (strncasecmp(password, "s/key", 5) == 0) { |
| char *skeyinfo = skey_keyinfo(pw->pw_name); |
char *skeyinfo = skey_keyinfo(pw->pw_name); |
| if (skeyinfo == NULL) { |
if (skeyinfo == NULL) { |
| debug("generating fake skeyinfo for %.100s.", pw->pw_name); |
debug("generating fake skeyinfo for %.100s.", |
| |
pw->pw_name); |
| skeyinfo = skey_fake_keyinfo(pw->pw_name); |
skeyinfo = skey_fake_keyinfo(pw->pw_name); |
| } |
} |
| if (skeyinfo != NULL) |
if (skeyinfo != NULL) |
|
|
| |
|
| /* Set up our ticket file. */ |
/* Set up our ticket file. */ |
| if (!krb4_init(pw->pw_uid)) { |
if (!krb4_init(pw->pw_uid)) { |
| log("Couldn't initialize Kerberos ticket file for %s!", pw->pw_name); |
log("Couldn't initialize Kerberos ticket file for %s!", |
| |
pw->pw_name); |
| goto kerberos_auth_failure; |
goto kerberos_auth_failure; |
| } |
} |
| /* Try to get TGT using our password. */ |
/* Try to get TGT using our password. */ |
| r = krb_get_pw_in_tkt((char *) pw->pw_name, "", realm, "krbtgt", realm, |
r = krb_get_pw_in_tkt((char *) pw->pw_name, "", |
| DEFAULT_TKT_LIFE, (char *) password); |
realm, "krbtgt", realm, |
| |
DEFAULT_TKT_LIFE, (char *) password); |
| if (r != INTK_OK) { |
if (r != INTK_OK) { |
| packet_send_debug("Kerberos V4 password authentication for %s " |
packet_send_debug("Kerberos V4 password " |
| "failed: %s", pw->pw_name, krb_err_txt[r]); |
"authentication for %s failed: %s", |
| |
pw->pw_name, krb_err_txt[r]); |
| goto kerberos_auth_failure; |
goto kerberos_auth_failure; |
| } |
} |
| /* Successful authentication. */ |
/* Successful authentication. */ |
| chown(tkt_string(), pw->pw_uid, pw->pw_gid); |
chown(tkt_string(), pw->pw_uid, pw->pw_gid); |
| |
|
| /* Now that we have a TGT, try to get a local |
/* |
| "rcmd" ticket to ensure that we are not talking |
* Now that we have a TGT, try to get a local |
| to a bogus Kerberos server. */ |
* "rcmd" ticket to ensure that we are not talking |
| |
* to a bogus Kerberos server. |
| |
*/ |
| (void) gethostname(localhost, sizeof(localhost)); |
(void) gethostname(localhost, sizeof(localhost)); |
| (void) strlcpy(phost, (char *) krb_get_phost(localhost), INST_SZ); |
(void) strlcpy(phost, (char *) krb_get_phost(localhost), |
| |
INST_SZ); |
| r = krb_mk_req(&tkt, KRB4_SERVICE_NAME, phost, realm, 33); |
r = krb_mk_req(&tkt, KRB4_SERVICE_NAME, phost, realm, 33); |
| |
|
| if (r == KSUCCESS) { |
if (r == KSUCCESS) { |
|
|
| log("Couldn't get local host address!"); |
log("Couldn't get local host address!"); |
| goto kerberos_auth_failure; |
goto kerberos_auth_failure; |
| } |
} |
| memmove((void *) &faddr, (void *) hp->h_addr, sizeof(faddr)); |
memmove((void *) &faddr, (void *) hp->h_addr, |
| |
sizeof(faddr)); |
| |
|
| /* Verify our "rcmd" ticket. */ |
/* Verify our "rcmd" ticket. */ |
| r = krb_rd_req(&tkt, KRB4_SERVICE_NAME, phost, faddr, &adata, ""); |
r = krb_rd_req(&tkt, KRB4_SERVICE_NAME, phost, |
| |
faddr, &adata, ""); |
| if (r == RD_AP_UNDEC) { |
if (r == RD_AP_UNDEC) { |
| /* Probably didn't have a srvtab on localhost. Allow login. */ |
/* |
| log("Kerberos V4 TGT for %s unverifiable, no srvtab installed? " |
* Probably didn't have a srvtab on |
| "krb_rd_req: %s", pw->pw_name, krb_err_txt[r]); |
* localhost. Allow login. |
| |
*/ |
| |
log("Kerberos V4 TGT for %s unverifiable, " |
| |
"no srvtab installed? krb_rd_req: %s", |
| |
pw->pw_name, krb_err_txt[r]); |
| } else if (r != KSUCCESS) { |
} else if (r != KSUCCESS) { |
| log("Kerberos V4 %s ticket unverifiable: %s", |
log("Kerberos V4 %s ticket unverifiable: %s", |
| KRB4_SERVICE_NAME, krb_err_txt[r]); |
KRB4_SERVICE_NAME, krb_err_txt[r]); |
|
|
| } else { |
} else { |
| /* TGT is bad, forget it. Possibly |
/* TGT is bad, forget it. Possibly |
| spoofed! */ |
spoofed! */ |
| packet_send_debug("WARNING: Kerberos V4 TGT possibly spoofed for" |
packet_send_debug("WARNING: Kerberos V4 TGT " |
| "%s: %s", pw->pw_name, krb_err_txt[r]); |
"possibly spoofed for %s: %s", |
| |
pw->pw_name, krb_err_txt[r]); |
| goto kerberos_auth_failure; |
goto kerberos_auth_failure; |
| } |
} |
| |
|
|
|
| |
|
| /* Check for users with no password. */ |
/* Check for users with no password. */ |
| if (strcmp(password, "") == 0 && strcmp(pw->pw_passwd, "") == 0) { |
if (strcmp(password, "") == 0 && strcmp(pw->pw_passwd, "") == 0) { |
| packet_send_debug("Login permitted without a password because the account has no password."); |
packet_send_debug("Login permitted without a password " |
| |
"because the account has no password."); |
| return 1; |
return 1; |
| } |
} |
| /* Encrypt the candidate password using the proper salt. */ |
/* Encrypt the candidate password using the proper salt. */ |
| encrypted_password = crypt(password, |
encrypted_password = crypt(password, |
| (pw->pw_passwd[0] && pw->pw_passwd[1]) ? pw->pw_passwd : "xx"); |
(pw->pw_passwd[0] && pw->pw_passwd[1]) ? pw->pw_passwd : "xx"); |
| |
|
| /* Authentication is accepted if the encrypted passwords are identical. */ |
/* Authentication is accepted if the encrypted passwords are identical. */ |
| return (strcmp(encrypted_password, pw->pw_passwd) == 0); |
return (strcmp(encrypted_password, pw->pw_passwd) == 0); |
![[BACK]](/icons/back.gif){kind=icon}
Return to auth-passwd.c CVS log ![[TXT]](/icons/text.gif){kind=icon}
![[DIR]](/icons/dir.gif){kind=icon}
Up to [local] / src / usr.bin / ssh