Annotation of src/usr.bin/ssh/auth-passwd.c, Revision 1.11
1.1 deraadt 1: /*
1.11 ! deraadt 2: * Author: Tatu Ylonen <ylo@cs.hut.fi>
! 3: * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
! 4: * All rights reserved
! 5: * Created: Sat Mar 18 05:11:38 1995 ylo
! 6: * Password authentication. This file contains the functions to check whether
! 7: * the password is valid for the user.
! 8: */
1.1 deraadt 9:
10: #include "includes.h"
1.11 ! deraadt 11: RCSID("$Id: auth-passwd.c,v 1.10 1999/11/23 22:25:52 markus Exp $");
1.1 deraadt 12:
13: #include "packet.h"
14: #include "ssh.h"
15: #include "servconf.h"
16: #include "xmalloc.h"
17:
1.11 ! deraadt 18: /*
! 19: * Tries to authenticate the user using password. Returns true if
! 20: * authentication succeeds.
! 21: */
1.10 markus 22: int
23: auth_password(struct passwd * pw, const char *password)
1.1 deraadt 24: {
1.10 markus 25: extern ServerOptions options;
26: char *encrypted_password;
1.7 markus 27:
1.10 markus 28: if (pw->pw_uid == 0 && options.permit_root_login == 2) {
29: /* Server does not permit root login with password */
30: return 0;
31: }
32: if (*password == '\0' && options.permit_empty_passwd == 0) {
33: /* Server does not permit empty password login */
34: return 0;
35: }
36: /* deny if no user. */
37: if (pw == NULL)
38: return 0;
1.1 deraadt 39:
1.6 markus 40: #ifdef SKEY
1.10 markus 41: if (options.skey_authentication == 1) {
42: if (strncasecmp(password, "s/key", 5) == 0) {
43: char *skeyinfo = skey_keyinfo(pw->pw_name);
44: if (skeyinfo == NULL) {
1.11 ! deraadt 45: debug("generating fake skeyinfo for %.100s.",
! 46: pw->pw_name);
1.10 markus 47: skeyinfo = skey_fake_keyinfo(pw->pw_name);
48: }
49: if (skeyinfo != NULL)
50: packet_send_debug(skeyinfo);
51: /* Try again. */
52: return 0;
53: } else if (skey_haskey(pw->pw_name) == 0 &&
54: skey_passcheck(pw->pw_name, (char *) password) != -1) {
55: /* Authentication succeeded. */
56: return 1;
57: }
58: /* Fall back to ordinary passwd authentication. */
59: }
1.6 markus 60: #endif
61:
1.2 dugsong 62: #if defined(KRB4)
1.10 markus 63: /* Support for Kerberos v4 authentication - Dug Song
64: <dugsong@UMICH.EDU> */
65: if (options.kerberos_authentication) {
66: AUTH_DAT adata;
67: KTEXT_ST tkt;
68: struct hostent *hp;
69: unsigned long faddr;
70: char localhost[MAXHOSTNAMELEN];
71: char phost[INST_SZ];
72: char realm[REALM_SZ];
73: int r;
74:
75: /* Try Kerberos password authentication only for non-root
76: users and only if Kerberos is installed. */
77: if (pw->pw_uid != 0 && krb_get_lrealm(realm, 1) == KSUCCESS) {
78:
79: /* Set up our ticket file. */
80: if (!krb4_init(pw->pw_uid)) {
1.11 ! deraadt 81: log("Couldn't initialize Kerberos ticket file for %s!",
! 82: pw->pw_name);
1.10 markus 83: goto kerberos_auth_failure;
84: }
85: /* Try to get TGT using our password. */
1.11 ! deraadt 86: r = krb_get_pw_in_tkt((char *) pw->pw_name, "",
! 87: realm, "krbtgt", realm,
! 88: DEFAULT_TKT_LIFE, (char *) password);
1.10 markus 89: if (r != INTK_OK) {
1.11 ! deraadt 90: packet_send_debug("Kerberos V4 password "
! 91: "authentication for %s failed: %s",
! 92: pw->pw_name, krb_err_txt[r]);
1.10 markus 93: goto kerberos_auth_failure;
94: }
95: /* Successful authentication. */
96: chown(tkt_string(), pw->pw_uid, pw->pw_gid);
97:
1.11 ! deraadt 98: /*
! 99: * Now that we have a TGT, try to get a local
! 100: * "rcmd" ticket to ensure that we are not talking
! 101: * to a bogus Kerberos server.
! 102: */
1.10 markus 103: (void) gethostname(localhost, sizeof(localhost));
1.11 ! deraadt 104: (void) strlcpy(phost, (char *) krb_get_phost(localhost),
! 105: INST_SZ);
1.10 markus 106: r = krb_mk_req(&tkt, KRB4_SERVICE_NAME, phost, realm, 33);
107:
108: if (r == KSUCCESS) {
109: if (!(hp = gethostbyname(localhost))) {
110: log("Couldn't get local host address!");
111: goto kerberos_auth_failure;
112: }
1.11 ! deraadt 113: memmove((void *) &faddr, (void *) hp->h_addr,
! 114: sizeof(faddr));
1.10 markus 115:
116: /* Verify our "rcmd" ticket. */
1.11 ! deraadt 117: r = krb_rd_req(&tkt, KRB4_SERVICE_NAME, phost,
! 118: faddr, &adata, "");
1.10 markus 119: if (r == RD_AP_UNDEC) {
1.11 ! deraadt 120: /*
! 121: * Probably didn't have a srvtab on
! 122: * localhost. Allow login.
! 123: */
! 124: log("Kerberos V4 TGT for %s unverifiable, "
! 125: "no srvtab installed? krb_rd_req: %s",
! 126: pw->pw_name, krb_err_txt[r]);
1.10 markus 127: } else if (r != KSUCCESS) {
128: log("Kerberos V4 %s ticket unverifiable: %s",
129: KRB4_SERVICE_NAME, krb_err_txt[r]);
130: goto kerberos_auth_failure;
131: }
132: } else if (r == KDC_PR_UNKNOWN) {
133: /* Allow login if no rcmd service exists,
134: but log the error. */
135: log("Kerberos V4 TGT for %s unverifiable: %s; %s.%s "
136: "not registered, or srvtab is wrong?", pw->pw_name,
137: krb_err_txt[r], KRB4_SERVICE_NAME, phost);
138: } else {
139: /* TGT is bad, forget it. Possibly
140: spoofed! */
1.11 ! deraadt 141: packet_send_debug("WARNING: Kerberos V4 TGT "
! 142: "possibly spoofed for %s: %s",
! 143: pw->pw_name, krb_err_txt[r]);
1.10 markus 144: goto kerberos_auth_failure;
145: }
146:
147: /* Authentication succeeded. */
148: return 1;
149:
150: kerberos_auth_failure:
151: krb4_cleanup_proc(NULL);
152:
153: if (!options.kerberos_or_local_passwd)
154: return 0;
155: } else {
156: /* Logging in as root or no local Kerberos realm. */
157: packet_send_debug("Unable to authenticate to Kerberos.");
158: }
159: /* Fall back to ordinary passwd authentication. */
1.2 dugsong 160: }
1.10 markus 161: #endif /* KRB4 */
162:
163: /* Check for users with no password. */
164: if (strcmp(password, "") == 0 && strcmp(pw->pw_passwd, "") == 0) {
1.11 ! deraadt 165: packet_send_debug("Login permitted without a password "
! 166: "because the account has no password.");
1.10 markus 167: return 1;
1.2 dugsong 168: }
1.10 markus 169: /* Encrypt the candidate password using the proper salt. */
170: encrypted_password = crypt(password,
1.11 ! deraadt 171: (pw->pw_passwd[0] && pw->pw_passwd[1]) ? pw->pw_passwd : "xx");
1.1 deraadt 172:
1.10 markus 173: /* Authentication is accepted if the encrypted passwords are identical. */
174: return (strcmp(encrypted_password, pw->pw_passwd) == 0);
1.1 deraadt 175: }