int sys_auth_passwd(struct ssh *ssh, const char *password) { Authctxt *authctxt = ssh->authctxt; struct passwd *pw = authctxt->pw; char *encrypted_password, *salt = NULL; /* Just use the supplied fake password if authctxt is invalid */ char *pw_password = authctxt->valid ? shadow_pw(pw) : pw->pw_passwd; /* Check for users with no password. */ if (strcmp(pw_password, "") == 0 && strcmp(password, "") == 0) return (1); /* * Encrypt the candidate password using the proper salt, or pass a * NULL and let xcrypt pick one. */ if (authctxt->valid && pw_password[0] && pw_password[1]) salt = pw_password; encrypted_password = xcrypt(password, salt ? salt : "xx"); /* * Authentication is accepted if the encrypted passwords * are identical. */ return encrypted_password != NULL && strcmp(encrypted_password, pw_password) == 0; }
/* * Pick an appropriate password encryption type and salt for the running * system by searching through accounts until we find one that has a valid * salt. Usually this will be root unless the root account is locked out. * If we don't find one we return a traditional DES-based salt. */ static const char * pick_salt(void) { struct passwd *pw; char *passwd, *p; size_t typelen; static char salt[32]; if (salt[0] != '\0') return salt; strlcpy(salt, "xx", sizeof(salt)); setpwent(); while ((pw = getpwent()) != NULL) { if ((passwd = shadow_pw(pw)) == NULL) continue; if (passwd[0] == '$' && (p = strrchr(passwd+1, '$')) != NULL) { typelen = p - passwd + 1; strlcpy(salt, passwd, MIN(typelen, sizeof(salt))); explicit_bzero(passwd, strlen(passwd)); goto out; } } out: endpwent(); return salt; }
int sys_auth_passwd(Authctxt *authctxt, const char *password) { struct passwd *pw = authctxt->pw; char *encrypted_password; /* Just use the supplied fake password if authctxt is invalid */ char *pw_password = authctxt->valid ? shadow_pw(pw) : pw->pw_passwd; /* Check for users with no password. */ if (strcmp(pw_password, "") == 0 && strcmp(password, "") == 0) return (1); /* Encrypt the candidate password using the proper salt. */ encrypted_password = xcrypt(password, (pw_password[0] && pw_password[1]) ? pw_password : "******"); /* * Authentication is accepted if the encrypted passwords * are identical. */ return (strcmp(encrypted_password, pw_password) == 0); }
int sys_auth_passwd(Authctxt *authctxt, const char *password) { struct passwd *pw = authctxt->pw; char *salt; int result; /* Just use the supplied fake password if authctxt is invalid */ char *pw_password = authctxt->valid ? shadow_pw(pw) : pw->pw_passwd; /* Check for users with no password. */ if (strcmp(pw_password, "") == 0 && strcmp(password, "") == 0) return (1); /* Encrypt the candidate password using the proper salt. */ salt = (pw_password[0] && pw_password[1]) ? pw_password : "******"; /* * Authentication is accepted if the encrypted passwords * are identical. */ #ifdef UNIXWARE_LONG_PASSWORDS if (!nischeck(pw->pw_name)) { result = ((strcmp(bigcrypt(password, salt), pw_password) == 0) || (strcmp(osr5bigcrypt(password, salt), pw_password) == 0)); } else #endif /* UNIXWARE_LONG_PASSWORDS */ result = (strcmp(xcrypt(password, salt), pw_password) == 0); #ifdef USE_LIBIAF if (authctxt->valid) free(pw_password); #endif return(result); }
/* * Tries to authenticate the user using password. Returns true if * authentication succeeds. */ int auth_password(Authctxt *authctxt, const char *password) { struct passwd * pw = authctxt->pw; int ok = authctxt->valid; /* deny if no user. */ if (pw == NULL) return 0; #ifndef HAVE_CYGWIN if (pw && pw->pw_uid == 0 && options.permit_root_login != PERMIT_YES) ok = 0; #endif if (*password == '\0' && options.permit_empty_passwd == 0) return 0; #if defined(HAVE_OSF_SIA) return auth_sia_password(authctxt, password) && ok; #else # ifdef KRB5 if (options.kerberos_authentication == 1) { int ret = auth_krb5_password(authctxt, password); if (ret == 1 || ret == 0) return ret && ok; /* Fall back to ordinary passwd authentication. */ } # endif # ifdef HAVE_CYGWIN if (is_winnt) { HANDLE hToken = cygwin_logon_user(pw, password); if (hToken == INVALID_HANDLE_VALUE) return 0; cygwin_set_impersonation_token(hToken); return ok; } # endif # ifdef WITH_AIXAUTHENTICATE { char *authmsg = NULL; int reenter = 1; int authsuccess = 0; if (authenticate(pw->pw_name, password, &reenter, &authmsg) == 0 && ok) { char *msg; char *host = (char *)get_canonical_hostname(options.use_dns); authsuccess = 1; aix_remove_embedded_newlines(authmsg); debug3("AIX/authenticate succeeded for user %s: %.100s", pw->pw_name, authmsg); /* No pty yet, so just label the line as "ssh" */ aix_setauthdb(authctxt->user); if (loginsuccess(authctxt->user, host, "ssh", &msg) == 0) { if (msg != NULL) { debug("%s: msg %s", __func__, msg); buffer_append(&loginmsg, msg, strlen(msg)); xfree(msg); } } } else { debug3("AIX/authenticate failed for user %s: %.100s", pw->pw_name, authmsg); } if (authmsg != NULL) xfree(authmsg); return authsuccess; } # endif # ifdef BSD_AUTH if (auth_userokay(pw->pw_name, authctxt->style, "auth-ssh", (char *)password) == 0) return 0; else return ok; # else { /* Just use the supplied fake password if authctxt is invalid */ char *pw_password = authctxt->valid ? shadow_pw(pw) : pw->pw_passwd; /* Check for users with no password. */ if (strcmp(pw_password, "") == 0 && strcmp(password, "") == 0) return ok; else { /* Encrypt the candidate password using the proper salt. */ char *encrypted_password = xcrypt(password, (pw_password[0] && pw_password[1]) ? pw_password : "******"); /* * Authentication is accepted if the encrypted passwords * are identical. */ return (strcmp(encrypted_password, pw_password) == 0) && ok; } } # endif #endif /* !HAVE_OSF_SIA */ }