version 1.10, 1999/11/23 22:25:52 |
version 1.11, 1999/11/24 00:26:00 |
|
|
/* |
/* |
|
* Author: Tatu Ylonen <ylo@cs.hut.fi> |
|
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland |
|
* All rights reserved |
|
* Created: Sat Mar 18 05:11:38 1995 ylo |
|
* Password authentication. This file contains the functions to check whether |
|
* the password is valid for the user. |
|
*/ |
|
|
auth-passwd.c |
|
|
|
Author: Tatu Ylonen <ylo@cs.hut.fi> |
|
|
|
Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland |
|
All rights reserved |
|
|
|
Created: Sat Mar 18 05:11:38 1995 ylo |
|
|
|
Password authentication. This file contains the functions to check whether |
|
the password is valid for the user. |
|
|
|
*/ |
|
|
|
#include "includes.h" |
#include "includes.h" |
RCSID("$Id$"); |
RCSID("$Id$"); |
|
|
|
|
#include "servconf.h" |
#include "servconf.h" |
#include "xmalloc.h" |
#include "xmalloc.h" |
|
|
/* Tries to authenticate the user using password. Returns true if |
/* |
authentication succeeds. */ |
* Tries to authenticate the user using password. Returns true if |
|
* authentication succeeds. |
|
*/ |
int |
int |
auth_password(struct passwd * pw, const char *password) |
auth_password(struct passwd * pw, const char *password) |
{ |
{ |
|
|
if (strncasecmp(password, "s/key", 5) == 0) { |
if (strncasecmp(password, "s/key", 5) == 0) { |
char *skeyinfo = skey_keyinfo(pw->pw_name); |
char *skeyinfo = skey_keyinfo(pw->pw_name); |
if (skeyinfo == NULL) { |
if (skeyinfo == NULL) { |
debug("generating fake skeyinfo for %.100s.", pw->pw_name); |
debug("generating fake skeyinfo for %.100s.", |
|
pw->pw_name); |
skeyinfo = skey_fake_keyinfo(pw->pw_name); |
skeyinfo = skey_fake_keyinfo(pw->pw_name); |
} |
} |
if (skeyinfo != NULL) |
if (skeyinfo != NULL) |
|
|
|
|
/* Set up our ticket file. */ |
/* Set up our ticket file. */ |
if (!krb4_init(pw->pw_uid)) { |
if (!krb4_init(pw->pw_uid)) { |
log("Couldn't initialize Kerberos ticket file for %s!", pw->pw_name); |
log("Couldn't initialize Kerberos ticket file for %s!", |
|
pw->pw_name); |
goto kerberos_auth_failure; |
goto kerberos_auth_failure; |
} |
} |
/* Try to get TGT using our password. */ |
/* Try to get TGT using our password. */ |
r = krb_get_pw_in_tkt((char *) pw->pw_name, "", realm, "krbtgt", realm, |
r = krb_get_pw_in_tkt((char *) pw->pw_name, "", |
DEFAULT_TKT_LIFE, (char *) password); |
realm, "krbtgt", realm, |
|
DEFAULT_TKT_LIFE, (char *) password); |
if (r != INTK_OK) { |
if (r != INTK_OK) { |
packet_send_debug("Kerberos V4 password authentication for %s " |
packet_send_debug("Kerberos V4 password " |
"failed: %s", pw->pw_name, krb_err_txt[r]); |
"authentication for %s failed: %s", |
|
pw->pw_name, krb_err_txt[r]); |
goto kerberos_auth_failure; |
goto kerberos_auth_failure; |
} |
} |
/* Successful authentication. */ |
/* Successful authentication. */ |
chown(tkt_string(), pw->pw_uid, pw->pw_gid); |
chown(tkt_string(), pw->pw_uid, pw->pw_gid); |
|
|
/* Now that we have a TGT, try to get a local |
/* |
"rcmd" ticket to ensure that we are not talking |
* Now that we have a TGT, try to get a local |
to a bogus Kerberos server. */ |
* "rcmd" ticket to ensure that we are not talking |
|
* to a bogus Kerberos server. |
|
*/ |
(void) gethostname(localhost, sizeof(localhost)); |
(void) gethostname(localhost, sizeof(localhost)); |
(void) strlcpy(phost, (char *) krb_get_phost(localhost), INST_SZ); |
(void) strlcpy(phost, (char *) krb_get_phost(localhost), |
|
INST_SZ); |
r = krb_mk_req(&tkt, KRB4_SERVICE_NAME, phost, realm, 33); |
r = krb_mk_req(&tkt, KRB4_SERVICE_NAME, phost, realm, 33); |
|
|
if (r == KSUCCESS) { |
if (r == KSUCCESS) { |
|
|
log("Couldn't get local host address!"); |
log("Couldn't get local host address!"); |
goto kerberos_auth_failure; |
goto kerberos_auth_failure; |
} |
} |
memmove((void *) &faddr, (void *) hp->h_addr, sizeof(faddr)); |
memmove((void *) &faddr, (void *) hp->h_addr, |
|
sizeof(faddr)); |
|
|
/* Verify our "rcmd" ticket. */ |
/* Verify our "rcmd" ticket. */ |
r = krb_rd_req(&tkt, KRB4_SERVICE_NAME, phost, faddr, &adata, ""); |
r = krb_rd_req(&tkt, KRB4_SERVICE_NAME, phost, |
|
faddr, &adata, ""); |
if (r == RD_AP_UNDEC) { |
if (r == RD_AP_UNDEC) { |
/* Probably didn't have a srvtab on localhost. Allow login. */ |
/* |
log("Kerberos V4 TGT for %s unverifiable, no srvtab installed? " |
* Probably didn't have a srvtab on |
"krb_rd_req: %s", pw->pw_name, krb_err_txt[r]); |
* localhost. Allow login. |
|
*/ |
|
log("Kerberos V4 TGT for %s unverifiable, " |
|
"no srvtab installed? krb_rd_req: %s", |
|
pw->pw_name, krb_err_txt[r]); |
} else if (r != KSUCCESS) { |
} else if (r != KSUCCESS) { |
log("Kerberos V4 %s ticket unverifiable: %s", |
log("Kerberos V4 %s ticket unverifiable: %s", |
KRB4_SERVICE_NAME, krb_err_txt[r]); |
KRB4_SERVICE_NAME, krb_err_txt[r]); |
|
|
} else { |
} else { |
/* TGT is bad, forget it. Possibly |
/* TGT is bad, forget it. Possibly |
spoofed! */ |
spoofed! */ |
packet_send_debug("WARNING: Kerberos V4 TGT possibly spoofed for" |
packet_send_debug("WARNING: Kerberos V4 TGT " |
"%s: %s", pw->pw_name, krb_err_txt[r]); |
"possibly spoofed for %s: %s", |
|
pw->pw_name, krb_err_txt[r]); |
goto kerberos_auth_failure; |
goto kerberos_auth_failure; |
} |
} |
|
|
|
|
|
|
/* Check for users with no password. */ |
/* Check for users with no password. */ |
if (strcmp(password, "") == 0 && strcmp(pw->pw_passwd, "") == 0) { |
if (strcmp(password, "") == 0 && strcmp(pw->pw_passwd, "") == 0) { |
packet_send_debug("Login permitted without a password because the account has no password."); |
packet_send_debug("Login permitted without a password " |
|
"because the account has no password."); |
return 1; |
return 1; |
} |
} |
/* Encrypt the candidate password using the proper salt. */ |
/* Encrypt the candidate password using the proper salt. */ |
encrypted_password = crypt(password, |
encrypted_password = crypt(password, |
(pw->pw_passwd[0] && pw->pw_passwd[1]) ? pw->pw_passwd : "xx"); |
(pw->pw_passwd[0] && pw->pw_passwd[1]) ? pw->pw_passwd : "xx"); |
|
|
/* Authentication is accepted if the encrypted passwords are identical. */ |
/* Authentication is accepted if the encrypted passwords are identical. */ |
return (strcmp(encrypted_password, pw->pw_passwd) == 0); |
return (strcmp(encrypted_password, pw->pw_passwd) == 0); |