Annotation of src/usr.bin/ssh/auth-passwd.c, Revision 1.12
1.1 deraadt 1: /*
1.11 deraadt 2: * Author: Tatu Ylonen <ylo@cs.hut.fi>
3: * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
4: * All rights reserved
5: * Created: Sat Mar 18 05:11:38 1995 ylo
6: * Password authentication. This file contains the functions to check whether
7: * the password is valid for the user.
8: */
1.1 deraadt 9:
10: #include "includes.h"
1.12 ! markus 11: RCSID("$Id: auth-passwd.c,v 1.11 1999/11/24 00:26:00 deraadt Exp $");
1.1 deraadt 12:
13: #include "packet.h"
14: #include "ssh.h"
15: #include "servconf.h"
16: #include "xmalloc.h"
17:
1.11 deraadt 18: /*
19: * Tries to authenticate the user using password. Returns true if
20: * authentication succeeds.
21: */
1.10 markus 22: int
23: auth_password(struct passwd * pw, const char *password)
1.1 deraadt 24: {
1.10 markus 25: extern ServerOptions options;
26: char *encrypted_password;
1.7 markus 27:
1.12 ! markus 28: if (pw->pw_uid == 0 && options.permit_root_login == 2)
1.10 markus 29: return 0;
1.12 ! markus 30: if (*password == '\0' && options.permit_empty_passwd == 0)
1.10 markus 31: return 0;
32: /* deny if no user. */
33: if (pw == NULL)
34: return 0;
1.1 deraadt 35:
1.6 markus 36: #ifdef SKEY
1.10 markus 37: if (options.skey_authentication == 1) {
38: if (strncasecmp(password, "s/key", 5) == 0) {
39: char *skeyinfo = skey_keyinfo(pw->pw_name);
40: if (skeyinfo == NULL) {
1.11 deraadt 41: debug("generating fake skeyinfo for %.100s.",
42: pw->pw_name);
1.10 markus 43: skeyinfo = skey_fake_keyinfo(pw->pw_name);
44: }
45: if (skeyinfo != NULL)
46: packet_send_debug(skeyinfo);
47: /* Try again. */
48: return 0;
49: } else if (skey_haskey(pw->pw_name) == 0 &&
50: skey_passcheck(pw->pw_name, (char *) password) != -1) {
51: /* Authentication succeeded. */
52: return 1;
53: }
54: /* Fall back to ordinary passwd authentication. */
55: }
1.6 markus 56: #endif
57:
1.2 dugsong 58: #if defined(KRB4)
1.12 ! markus 59: /*
! 60: * Support for Kerberos v4 authentication
! 61: * - Dug Song <dugsong@UMICH.EDU>
! 62: */
1.10 markus 63: if (options.kerberos_authentication) {
64: AUTH_DAT adata;
65: KTEXT_ST tkt;
66: struct hostent *hp;
67: unsigned long faddr;
68: char localhost[MAXHOSTNAMELEN];
69: char phost[INST_SZ];
70: char realm[REALM_SZ];
71: int r;
72:
1.12 ! markus 73: /*
! 74: * Try Kerberos password authentication only for non-root
! 75: * users and only if Kerberos is installed.
! 76: */
1.10 markus 77: if (pw->pw_uid != 0 && krb_get_lrealm(realm, 1) == KSUCCESS) {
78:
79: /* Set up our ticket file. */
80: if (!krb4_init(pw->pw_uid)) {
1.11 deraadt 81: log("Couldn't initialize Kerberos ticket file for %s!",
82: pw->pw_name);
1.10 markus 83: goto kerberos_auth_failure;
84: }
85: /* Try to get TGT using our password. */
1.11 deraadt 86: r = krb_get_pw_in_tkt((char *) pw->pw_name, "",
87: realm, "krbtgt", realm,
88: DEFAULT_TKT_LIFE, (char *) password);
1.10 markus 89: if (r != INTK_OK) {
1.11 deraadt 90: packet_send_debug("Kerberos V4 password "
91: "authentication for %s failed: %s",
92: pw->pw_name, krb_err_txt[r]);
1.10 markus 93: goto kerberos_auth_failure;
94: }
95: /* Successful authentication. */
96: chown(tkt_string(), pw->pw_uid, pw->pw_gid);
97:
1.11 deraadt 98: /*
99: * Now that we have a TGT, try to get a local
100: * "rcmd" ticket to ensure that we are not talking
101: * to a bogus Kerberos server.
102: */
1.10 markus 103: (void) gethostname(localhost, sizeof(localhost));
1.11 deraadt 104: (void) strlcpy(phost, (char *) krb_get_phost(localhost),
105: INST_SZ);
1.10 markus 106: r = krb_mk_req(&tkt, KRB4_SERVICE_NAME, phost, realm, 33);
107:
108: if (r == KSUCCESS) {
109: if (!(hp = gethostbyname(localhost))) {
110: log("Couldn't get local host address!");
111: goto kerberos_auth_failure;
112: }
1.11 deraadt 113: memmove((void *) &faddr, (void *) hp->h_addr,
114: sizeof(faddr));
1.10 markus 115:
116: /* Verify our "rcmd" ticket. */
1.11 deraadt 117: r = krb_rd_req(&tkt, KRB4_SERVICE_NAME, phost,
118: faddr, &adata, "");
1.10 markus 119: if (r == RD_AP_UNDEC) {
1.11 deraadt 120: /*
121: * Probably didn't have a srvtab on
122: * localhost. Allow login.
123: */
124: log("Kerberos V4 TGT for %s unverifiable, "
125: "no srvtab installed? krb_rd_req: %s",
126: pw->pw_name, krb_err_txt[r]);
1.10 markus 127: } else if (r != KSUCCESS) {
128: log("Kerberos V4 %s ticket unverifiable: %s",
129: KRB4_SERVICE_NAME, krb_err_txt[r]);
130: goto kerberos_auth_failure;
131: }
132: } else if (r == KDC_PR_UNKNOWN) {
1.12 ! markus 133: /*
! 134: * Allow login if no rcmd service exists, but
! 135: * log the error.
! 136: */
1.10 markus 137: log("Kerberos V4 TGT for %s unverifiable: %s; %s.%s "
138: "not registered, or srvtab is wrong?", pw->pw_name,
139: krb_err_txt[r], KRB4_SERVICE_NAME, phost);
140: } else {
1.12 ! markus 141: /*
! 142: * TGT is bad, forget it. Possibly spoofed!
! 143: */
1.11 deraadt 144: packet_send_debug("WARNING: Kerberos V4 TGT "
145: "possibly spoofed for %s: %s",
146: pw->pw_name, krb_err_txt[r]);
1.10 markus 147: goto kerberos_auth_failure;
148: }
149:
150: /* Authentication succeeded. */
151: return 1;
152:
153: kerberos_auth_failure:
154: krb4_cleanup_proc(NULL);
155:
156: if (!options.kerberos_or_local_passwd)
157: return 0;
158: } else {
159: /* Logging in as root or no local Kerberos realm. */
160: packet_send_debug("Unable to authenticate to Kerberos.");
161: }
162: /* Fall back to ordinary passwd authentication. */
1.2 dugsong 163: }
1.10 markus 164: #endif /* KRB4 */
165:
166: /* Check for users with no password. */
1.12 ! markus 167: if (strcmp(password, "") == 0 && strcmp(pw->pw_passwd, "") == 0)
1.10 markus 168: return 1;
169: /* Encrypt the candidate password using the proper salt. */
170: encrypted_password = crypt(password,
1.11 deraadt 171: (pw->pw_passwd[0] && pw->pw_passwd[1]) ? pw->pw_passwd : "xx");
1.1 deraadt 172:
1.10 markus 173: /* Authentication is accepted if the encrypted passwords are identical. */
174: return (strcmp(encrypted_password, pw->pw_passwd) == 0);
1.1 deraadt 175: }