char * shadow_pw(struct passwd *pw) { char *pw_password = pw->pw_passwd; # if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW) struct spwd *spw = getspnam(pw->pw_name); if (spw != NULL) pw_password = spw->sp_pwdp; # endif #ifdef USE_LIBIAF return(get_iaf_password(pw)); #endif # if defined(HAVE_GETPWANAM) && !defined(DISABLE_SHADOW) struct passwd_adjunct *spw; if (issecure() && (spw = getpwanam(pw->pw_name)) != NULL) pw_password = spw->pwa_passwd; # elif defined(HAVE_SECUREWARE) struct pr_passwd *spw = getprpwnam(pw->pw_name); if (spw != NULL) pw_password = spw->ufld.fd_encrypt; # endif return pw_password; }
static struct passwd *_Get_Pwnam(char *s) { struct passwd *ret; ret = sys_getpwnam(s); if (ret) { #ifdef HAVE_GETPWANAM struct passwd_adjunct *pwret; pwret = getpwanam(s); if (pwret && pwret->pwa_passwd) { pstrcpy(ret->pw_passwd,pwret->pwa_passwd); } #endif } return(ret); }
/**************************************************************************** Get_Pwnam wrapper ****************************************************************************/ static struct passwd * _Get_Pwnam (const char *s) { struct passwd *ret; ret = getpwnam (s); if (ret) { #ifdef HAVE_GETPWANAM struct passwd_adjunct *pwret; pwret = getpwanam (s); if (pwret) { free (ret->pw_passwd); ret->pw_passwd = pwret->pwa_passwd; } #endif } return (ret); }
/* * Tries to authenticate the user using password. Returns true if * authentication succeeds. */ int auth_password(Authctxt *authctxt, const char *password) { #if defined(USE_PAM) if (*password == '\0' && options.permit_empty_passwd == 0) return 0; return auth_pam_password(authctxt, password); #elif defined(HAVE_OSF_SIA) if (*password == '\0' && options.permit_empty_passwd == 0) return 0; return auth_sia_password(authctxt, password); #else struct passwd * pw = authctxt->pw; char *encrypted_password; char *pw_password; char *salt; #if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW) struct spwd *spw; #endif #if defined(HAVE_GETPWANAM) && !defined(DISABLE_SHADOW) struct passwd_adjunct *spw; #endif #ifdef WITH_AIXAUTHENTICATE char *authmsg; int authsuccess; int reenter = 1; #endif /* deny if no user. */ if (pw == NULL) return 0; #ifndef HAVE_CYGWIN if (pw->pw_uid == 0 && options.permit_root_login != PERMIT_YES) return 0; #endif if (*password == '\0' && options.permit_empty_passwd == 0) return 0; #ifdef KRB5 if (options.kerberos_authentication == 1) { int ret = auth_krb5_password(authctxt, password); if (ret == 1 || ret == 0) return ret; /* Fall back to ordinary passwd authentication. */ } #endif #ifdef HAVE_CYGWIN if (is_winnt) { HANDLE hToken = cygwin_logon_user(pw, password); if (hToken == INVALID_HANDLE_VALUE) return 0; cygwin_set_impersonation_token(hToken); return 1; } #endif #ifdef WITH_AIXAUTHENTICATE authsuccess = (authenticate(pw->pw_name,password,&reenter,&authmsg) == 0); if (authsuccess) /* We don't have a pty yet, so just label the line as "ssh" */ if (loginsuccess(authctxt->user, get_canonical_hostname(options.verify_reverse_mapping), "ssh", &aixloginmsg) < 0) aixloginmsg = NULL; return(authsuccess); #endif #ifdef KRB4 if (options.kerberos_authentication == 1) { int ret = auth_krb4_password(authctxt, password); if (ret == 1 || ret == 0) return ret; /* Fall back to ordinary passwd authentication. */ } #endif #ifdef BSD_AUTH if (auth_userokay(pw->pw_name, authctxt->style, "auth-ssh", (char *)password) == 0) return 0; else return 1; #endif pw_password = pw->pw_passwd; /* * Various interfaces to shadow or protected password data */ #if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW) spw = getspnam(pw->pw_name); if (spw != NULL) pw_password = spw->sp_pwdp; #endif /* defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW) */ #if defined(HAVE_GETPWANAM) && !defined(DISABLE_SHADOW) if (issecure() && (spw = getpwanam(pw->pw_name)) != NULL) pw_password = spw->pwa_passwd; #endif /* defined(HAVE_GETPWANAM) && !defined(DISABLE_SHADOW) */ /* Check for users with no password. */ if ((password[0] == '\0') && (pw_password[0] == '\0')) return 1; if (pw_password[0] != '\0') salt = pw_password; else salt = "xx"; #ifdef HAVE_MD5_PASSWORDS if (is_md5_salt(salt)) encrypted_password = md5_crypt(password, salt); else encrypted_password = crypt(password, salt); #else /* HAVE_MD5_PASSWORDS */ encrypted_password = crypt(password, salt); #endif /* HAVE_MD5_PASSWORDS */ /* Authentication is accepted if the encrypted passwords are identical. */ return (strcmp(encrypted_password, pw_password) == 0); #endif /* !USE_PAM && !HAVE_OSF_SIA */ }
NTSTATUS pass_check(const struct passwd *pass, const char *user, const char *password, int pwlen, BOOL (*fn) (const char *, const char *), BOOL run_cracker) { pstring pass2; int level = lp_passwordlevel(); NTSTATUS nt_status; #ifdef DEBUG_PASSWORD DEBUG(100, ("checking user=[%s] pass=[%s]\n", user, password)); #endif if (!password) return NT_STATUS_LOGON_FAILURE; if (((!*password) || (!pwlen)) && !lp_null_passwords()) return NT_STATUS_LOGON_FAILURE; #if defined(WITH_PAM) /* * If we're using PAM we want to short-circuit all the * checks below and dive straight into the PAM code. */ fstrcpy(this_user, user); DEBUG(4, ("pass_check: Checking (PAM) password for user %s (l=%d)\n", user, pwlen)); #else /* Not using PAM */ DEBUG(4, ("pass_check: Checking password for user %s (l=%d)\n", user, pwlen)); if (!pass) { DEBUG(3, ("Couldn't find user %s\n", user)); return NT_STATUS_NO_SUCH_USER; } /* Copy into global for the convenience of looping code */ /* Also the place to keep the 'password' no matter what crazy struct it started in... */ fstrcpy(this_crypted, pass->pw_passwd); fstrcpy(this_salt, pass->pw_passwd); #ifdef HAVE_GETSPNAM { struct spwd *spass; /* many shadow systems require you to be root to get the password, in most cases this should already be the case when this function is called, except perhaps for IPC password changing requests */ spass = getspnam(pass->pw_name); if (spass && spass->sp_pwdp) { fstrcpy(this_crypted, spass->sp_pwdp); fstrcpy(this_salt, spass->sp_pwdp); } } #elif defined(IA_UINFO) { /* Need to get password with SVR4.2's ia_ functions instead of get{sp,pw}ent functions. Required by UnixWare 2.x, tested on version 2.1. ([email protected]) */ uinfo_t uinfo; if (ia_openinfo(pass->pw_name, &uinfo) != -1) ia_get_logpwd(uinfo, &(pass->pw_passwd)); } #endif #ifdef HAVE_GETPRPWNAM { struct pr_passwd *pr_pw = getprpwnam(pass->pw_name); if (pr_pw && pr_pw->ufld.fd_encrypt) fstrcpy(this_crypted, pr_pw->ufld.fd_encrypt); } #endif #ifdef HAVE_GETPWANAM { struct passwd_adjunct *pwret; pwret = getpwanam(s); if (pwret && pwret->pwa_passwd) fstrcpy(this_crypted, pwret->pwa_passwd); } #endif #ifdef OSF1_ENH_SEC { struct pr_passwd *mypasswd; DEBUG(5, ("Checking password for user %s in OSF1_ENH_SEC\n", user)); mypasswd = getprpwnam(user); if (mypasswd) { fstrcpy(this_user, mypasswd->ufld.fd_name); fstrcpy(this_crypted, mypasswd->ufld.fd_encrypt); } else { DEBUG(5, ("OSF1_ENH_SEC: No entry for user %s in protected database !\n", user)); } } #endif #ifdef ULTRIX_AUTH { AUTHORIZATION *ap = getauthuid(pass->pw_uid); if (ap) { fstrcpy(this_crypted, ap->a_password); endauthent(); } } #endif #if defined(HAVE_TRUNCATED_SALT) /* crypt on some platforms (HPUX in particular) won't work with more than 2 salt characters. */ this_salt[2] = 0; #endif if (!*this_crypted) { if (!lp_null_passwords()) { DEBUG(2, ("Disallowing %s with null password\n", this_user)); return NT_STATUS_LOGON_FAILURE; } if (!*password) { DEBUG(3, ("Allowing access to %s with null password\n", this_user)); return NT_STATUS_OK; } } #endif /* defined(WITH_PAM) */ /* try it as it came to us */ nt_status = password_check(password); if NT_STATUS_IS_OK(nt_status) { if (fn) { fn(user, password); } return (nt_status); } else if (!NT_STATUS_EQUAL(nt_status, NT_STATUS_WRONG_PASSWORD)) {
/* As above, but uses struct passwd. This function does all the work. */ SshUser ssh_user_initialize_with_pw(struct passwd *pw, Boolean privileged) { SshUser uc; char correct_passwd[200]; if (!pw) return NULL; uc = ssh_xcalloc(1, sizeof(*uc)); uc->name = ssh_xstrdup(pw->pw_name); uc->dir = ssh_xstrdup(pw->pw_dir); uc->uid = pw->pw_uid; uc->gid = pw->pw_gid; if (strcmp(pw->pw_shell, "") == 0) { uc->shell = ssh_xstrdup("/bin/sh"); } else { uc->shell = ssh_xstrdup(pw->pw_shell); } if (privileged) { /* Save the encrypted password. */ strncpy(correct_passwd, pw->pw_passwd, sizeof(correct_passwd)); #ifdef HAVE_SIA /* pr->pw_passwd may not be the real encrypted password (it won't be under Enhanced Security), but we don't care because we never look at uc->correct_encrypted_passwd. We let my_sia_validate_user() do all the work instead. */ #else /* HAVE_SIA */ /* If we have shadow passwords, lookup the real encrypted password from the shadow file, and replace the saved encrypted password with the real encrypted password. */ #if defined(HAVE_SCO_ETC_SHADOW) || defined(HAVE_HPUX_TCB_AUTH) { struct pr_passwd *pr = getprpwnam(ssh_user_name(uc)); pr = getprpwnam(ssh_user_name(uc)); if (pr) strncpy(correct_passwd, pr->ufld.fd_encrypt, sizeof(correct_passwd)); endprpwent(); } #else /* defined(HAVE_SCO_ETC_SHADOW) || defined(HAVE_HPUX_TCB_AUTH) */ #ifdef HAVE_ETC_SHADOW { struct spwd *sp = getspnam(ssh_user_name(uc)); #if defined(SECURE_RPC) && defined(NIS_PLUS) if (geteuid() == UID_ROOT && ssh_user_uid(uc) != UID_ROOT && (!sp || !sp->sp_pwdp || !strcmp(sp->sp_pwdp,"*NP*"))) if (seteuid(ssh_user_uid(uc)) >= 0) { sp = getspnam(ssh_user_name(uc)); /* retry as user */ seteuid(UID_ROOT); } #endif /* SECURE_RPC && NIS_PLUS */ if (sp) strncpy(correct_passwd, sp->sp_pwdp, sizeof(correct_passwd)); endspent(); } #else /* HAVE_ETC_SHADOW */ #ifdef HAVE_ETC_SECURITY_PASSWD_ADJUNCT { struct passwd_adjunct *sp = getpwanam(ssh_user_name(uc)); if (sp) strncpy(correct_passwd, sp->pwa_passwd, sizeof(correct_passwd)); endpwaent(); } #else /* HAVE_ETC_SECURITY_PASSWD_ADJUNCT */ #ifdef HAVE_ETC_SECURITY_PASSWD /* AIX, at least. Is there an easier way? */ { FILE *f; char line[1024], looking_for_user[200], *cp; int found_user = 0; f = fopen("/etc/security/passwd", "r"); if (f) { /* XXX: user next line was server_user, is this OK? */ snprintf(looking_for_user, sizeof(looking_for_user), "%.190s:", user); while (fgets(line, sizeof(line), f)) { if (strchr(line, '\n')) *strchr(line, '\n') = 0; if (strcmp(line, looking_for_user) == 0) found_user = 1; else if (line[0] != '\t' && line[0] != ' ') found_user = 0; else if (found_user) { for (cp = line; *cp == ' ' || *cp == '\t'; cp++) ; if (strncmp(cp, "password = "******"password = "******"password = "), sizeof(correct_passwd)); correct_passwd[sizeof(correct_passwd) - 1] = 0; break; } } } fclose(f); } } #endif /* HAVE_ETC_SECURITY_PASSWD */ #endif /* HAVE_ETC_SECURITY_PASSWD_ADJUNCT */ #endif /* HAVE_ETC_SHADOW */ #endif /* HAVE_SCO_ETC_SHADOW */ #endif /* HAVE_SIA */ uc->correct_encrypted_passwd = ssh_xstrdup(correct_passwd); uc->login_allowed = ssh_login_permitted(uc->name, uc); } else /* !privileged */ { uc->correct_encrypted_passwd = NULL; uc->login_allowed = TRUE; uc->password_needs_change = FALSE; } /* XXX should check password expirations (some systems already do this in ssh_login_permitted). */ return uc; }