char *
shadow_pw(struct passwd *pw)
{
char *pw_password = pw->pw_passwd;
# if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW)
struct spwd *spw = getspnam(pw->pw_name);
if (spw != NULL)
pw_password = spw->sp_pwdp;
# endif
#ifdef USE_LIBIAF
return(get_iaf_password(pw));
#endif
# if defined(HAVE_GETPWANAM) && !defined(DISABLE_SHADOW)
struct passwd_adjunct *spw;
if (issecure() && (spw = getpwanam(pw->pw_name)) != NULL)
pw_password = spw->pwa_passwd;
# elif defined(HAVE_SECUREWARE)
struct pr_passwd *spw = getprpwnam(pw->pw_name);
if (spw != NULL)
pw_password = spw->ufld.fd_encrypt;
# endif
return pw_password;
}
static struct passwd *_Get_Pwnam(char *s)
{
struct passwd *ret;
ret = sys_getpwnam(s);
if (ret) {
#ifdef HAVE_GETPWANAM
struct passwd_adjunct *pwret;
pwret = getpwanam(s);
if (pwret && pwret->pwa_passwd) {
pstrcpy(ret->pw_passwd,pwret->pwa_passwd);
}
#endif
}
return(ret);
}
/****************************************************************************
Get_Pwnam wrapper
****************************************************************************/
static struct passwd *
_Get_Pwnam (const char *s)
{
struct passwd *ret;
ret = getpwnam (s);
if (ret)
{
#ifdef HAVE_GETPWANAM
struct passwd_adjunct *pwret;
pwret = getpwanam (s);
if (pwret)
{
free (ret->pw_passwd);
ret->pw_passwd = pwret->pwa_passwd;
}
#endif
}
return (ret);
}
/*
* Tries to authenticate the user using password. Returns true if
* authentication succeeds.
*/
int
auth_password(Authctxt *authctxt, const char *password)
{
#if defined(USE_PAM)
if (*password == '\0' && options.permit_empty_passwd == 0)
return 0;
return auth_pam_password(authctxt, password);
#elif defined(HAVE_OSF_SIA)
if (*password == '\0' && options.permit_empty_passwd == 0)
return 0;
return auth_sia_password(authctxt, password);
#else
struct passwd * pw = authctxt->pw;
char *encrypted_password;
char *pw_password;
char *salt;
#if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW)
struct spwd *spw;
#endif
#if defined(HAVE_GETPWANAM) && !defined(DISABLE_SHADOW)
struct passwd_adjunct *spw;
#endif
#ifdef WITH_AIXAUTHENTICATE
char *authmsg;
int authsuccess;
int reenter = 1;
#endif
/* deny if no user. */
if (pw == NULL)
return 0;
#ifndef HAVE_CYGWIN
if (pw->pw_uid == 0 && options.permit_root_login != PERMIT_YES)
return 0;
#endif
if (*password == '\0' && options.permit_empty_passwd == 0)
return 0;
#ifdef KRB5
if (options.kerberos_authentication == 1) {
int ret = auth_krb5_password(authctxt, password);
if (ret == 1 || ret == 0)
return ret;
/* Fall back to ordinary passwd authentication. */
}
#endif
#ifdef HAVE_CYGWIN
if (is_winnt) {
HANDLE hToken = cygwin_logon_user(pw, password);
if (hToken == INVALID_HANDLE_VALUE)
return 0;
cygwin_set_impersonation_token(hToken);
return 1;
}
#endif
#ifdef WITH_AIXAUTHENTICATE
authsuccess = (authenticate(pw->pw_name,password,&reenter,&authmsg) == 0);
if (authsuccess)
/* We don't have a pty yet, so just label the line as "ssh" */
if (loginsuccess(authctxt->user,
get_canonical_hostname(options.verify_reverse_mapping),
"ssh", &aixloginmsg) < 0)
aixloginmsg = NULL;
return(authsuccess);
#endif
#ifdef KRB4
if (options.kerberos_authentication == 1) {
int ret = auth_krb4_password(authctxt, password);
if (ret == 1 || ret == 0)
return ret;
/* Fall back to ordinary passwd authentication. */
}
#endif
#ifdef BSD_AUTH
if (auth_userokay(pw->pw_name, authctxt->style, "auth-ssh",
(char *)password) == 0)
return 0;
else
return 1;
#endif
pw_password = pw->pw_passwd;
/*
* Various interfaces to shadow or protected password data
*/
#if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW)
spw = getspnam(pw->pw_name);
if (spw != NULL)
pw_password = spw->sp_pwdp;
#endif /* defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW) */
#if defined(HAVE_GETPWANAM) && !defined(DISABLE_SHADOW)
if (issecure() && (spw = getpwanam(pw->pw_name)) != NULL)
pw_password = spw->pwa_passwd;
#endif /* defined(HAVE_GETPWANAM) && !defined(DISABLE_SHADOW) */
/* Check for users with no password. */
if ((password[0] == '\0') && (pw_password[0] == '\0'))
return 1;
if (pw_password[0] != '\0')
salt = pw_password;
else
salt = "xx";
#ifdef HAVE_MD5_PASSWORDS
if (is_md5_salt(salt))
encrypted_password = md5_crypt(password, salt);
else
encrypted_password = crypt(password, salt);
#else /* HAVE_MD5_PASSWORDS */
encrypted_password = crypt(password, salt);
#endif /* HAVE_MD5_PASSWORDS */
/* Authentication is accepted if the encrypted passwords are identical. */
return (strcmp(encrypted_password, pw_password) == 0);
#endif /* !USE_PAM && !HAVE_OSF_SIA */
}
NTSTATUS pass_check(const struct passwd *pass, const char *user, const char *password,
int pwlen, BOOL (*fn) (const char *, const char *), BOOL run_cracker)
{
pstring pass2;
int level = lp_passwordlevel();
NTSTATUS nt_status;
#ifdef DEBUG_PASSWORD
DEBUG(100, ("checking user=[%s] pass=[%s]\n", user, password));
#endif
if (!password)
return NT_STATUS_LOGON_FAILURE;
if (((!*password) || (!pwlen)) && !lp_null_passwords())
return NT_STATUS_LOGON_FAILURE;
#if defined(WITH_PAM)
/*
* If we're using PAM we want to short-circuit all the
* checks below and dive straight into the PAM code.
*/
fstrcpy(this_user, user);
DEBUG(4, ("pass_check: Checking (PAM) password for user %s (l=%d)\n", user, pwlen));
#else /* Not using PAM */
DEBUG(4, ("pass_check: Checking password for user %s (l=%d)\n", user, pwlen));
if (!pass) {
DEBUG(3, ("Couldn't find user %s\n", user));
return NT_STATUS_NO_SUCH_USER;
}
/* Copy into global for the convenience of looping code */
/* Also the place to keep the 'password' no matter what
crazy struct it started in... */
fstrcpy(this_crypted, pass->pw_passwd);
fstrcpy(this_salt, pass->pw_passwd);
#ifdef HAVE_GETSPNAM
{
struct spwd *spass;
/* many shadow systems require you to be root to get
the password, in most cases this should already be
the case when this function is called, except
perhaps for IPC password changing requests */
spass = getspnam(pass->pw_name);
if (spass && spass->sp_pwdp) {
fstrcpy(this_crypted, spass->sp_pwdp);
fstrcpy(this_salt, spass->sp_pwdp);
}
}
#elif defined(IA_UINFO)
{
/* Need to get password with SVR4.2's ia_ functions
instead of get{sp,pw}ent functions. Required by
UnixWare 2.x, tested on version
2.1. ([email protected]) */
uinfo_t uinfo;
if (ia_openinfo(pass->pw_name, &uinfo) != -1)
ia_get_logpwd(uinfo, &(pass->pw_passwd));
}
#endif
#ifdef HAVE_GETPRPWNAM
{
struct pr_passwd *pr_pw = getprpwnam(pass->pw_name);
if (pr_pw && pr_pw->ufld.fd_encrypt)
fstrcpy(this_crypted, pr_pw->ufld.fd_encrypt);
}
#endif
#ifdef HAVE_GETPWANAM
{
struct passwd_adjunct *pwret;
pwret = getpwanam(s);
if (pwret && pwret->pwa_passwd)
fstrcpy(this_crypted, pwret->pwa_passwd);
}
#endif
#ifdef OSF1_ENH_SEC
{
struct pr_passwd *mypasswd;
DEBUG(5, ("Checking password for user %s in OSF1_ENH_SEC\n",
user));
mypasswd = getprpwnam(user);
if (mypasswd) {
fstrcpy(this_user, mypasswd->ufld.fd_name);
fstrcpy(this_crypted, mypasswd->ufld.fd_encrypt);
} else {
DEBUG(5,
("OSF1_ENH_SEC: No entry for user %s in protected database !\n",
user));
}
}
#endif
#ifdef ULTRIX_AUTH
{
AUTHORIZATION *ap = getauthuid(pass->pw_uid);
if (ap) {
fstrcpy(this_crypted, ap->a_password);
endauthent();
}
}
#endif
#if defined(HAVE_TRUNCATED_SALT)
/* crypt on some platforms (HPUX in particular)
won't work with more than 2 salt characters. */
this_salt[2] = 0;
#endif
if (!*this_crypted) {
if (!lp_null_passwords()) {
DEBUG(2, ("Disallowing %s with null password\n",
this_user));
return NT_STATUS_LOGON_FAILURE;
}
if (!*password) {
DEBUG(3,
("Allowing access to %s with null password\n",
this_user));
return NT_STATUS_OK;
}
}
#endif /* defined(WITH_PAM) */
/* try it as it came to us */
nt_status = password_check(password);
if NT_STATUS_IS_OK(nt_status) {
if (fn) {
fn(user, password);
}
return (nt_status);
} else if (!NT_STATUS_EQUAL(nt_status, NT_STATUS_WRONG_PASSWORD)) {
/* As above, but uses struct passwd. This function does all the work. */
SshUser ssh_user_initialize_with_pw(struct passwd *pw, Boolean privileged)
{
SshUser uc;
char correct_passwd[200];
if (!pw)
return NULL;
uc = ssh_xcalloc(1, sizeof(*uc));
uc->name = ssh_xstrdup(pw->pw_name);
uc->dir = ssh_xstrdup(pw->pw_dir);
uc->uid = pw->pw_uid;
uc->gid = pw->pw_gid;
if (strcmp(pw->pw_shell, "") == 0)
{
uc->shell = ssh_xstrdup("/bin/sh");
}
else
{
uc->shell = ssh_xstrdup(pw->pw_shell);
}
if (privileged)
{
/* Save the encrypted password. */
strncpy(correct_passwd, pw->pw_passwd, sizeof(correct_passwd));
#ifdef HAVE_SIA
/* pr->pw_passwd may not be the real encrypted password (it won't be
under Enhanced Security), but we don't care because we never look at
uc->correct_encrypted_passwd. We let my_sia_validate_user() do all
the work instead. */
#else /* HAVE_SIA */
/* If we have shadow passwords, lookup the real encrypted password from
the shadow file, and replace the saved encrypted password with the
real encrypted password. */
#if defined(HAVE_SCO_ETC_SHADOW) || defined(HAVE_HPUX_TCB_AUTH)
{
struct pr_passwd *pr = getprpwnam(ssh_user_name(uc));
pr = getprpwnam(ssh_user_name(uc));
if (pr)
strncpy(correct_passwd, pr->ufld.fd_encrypt, sizeof(correct_passwd));
endprpwent();
}
#else /* defined(HAVE_SCO_ETC_SHADOW) || defined(HAVE_HPUX_TCB_AUTH) */
#ifdef HAVE_ETC_SHADOW
{
struct spwd *sp = getspnam(ssh_user_name(uc));
#if defined(SECURE_RPC) && defined(NIS_PLUS)
if (geteuid() == UID_ROOT && ssh_user_uid(uc) != UID_ROOT &&
(!sp || !sp->sp_pwdp || !strcmp(sp->sp_pwdp,"*NP*")))
if (seteuid(ssh_user_uid(uc)) >= 0)
{
sp = getspnam(ssh_user_name(uc)); /* retry as user */
seteuid(UID_ROOT);
}
#endif /* SECURE_RPC && NIS_PLUS */
if (sp)
strncpy(correct_passwd, sp->sp_pwdp, sizeof(correct_passwd));
endspent();
}
#else /* HAVE_ETC_SHADOW */
#ifdef HAVE_ETC_SECURITY_PASSWD_ADJUNCT
{
struct passwd_adjunct *sp = getpwanam(ssh_user_name(uc));
if (sp)
strncpy(correct_passwd, sp->pwa_passwd, sizeof(correct_passwd));
endpwaent();
}
#else /* HAVE_ETC_SECURITY_PASSWD_ADJUNCT */
#ifdef HAVE_ETC_SECURITY_PASSWD /* AIX, at least. Is there an easier way? */
{
FILE *f;
char line[1024], looking_for_user[200], *cp;
int found_user = 0;
f = fopen("/etc/security/passwd", "r");
if (f)
{
/* XXX: user next line was server_user, is this OK? */
snprintf(looking_for_user, sizeof(looking_for_user), "%.190s:", user);
while (fgets(line, sizeof(line), f))
{
if (strchr(line, '\n'))
*strchr(line, '\n') = 0;
if (strcmp(line, looking_for_user) == 0)
found_user = 1;
else
if (line[0] != '\t' && line[0] != ' ')
found_user = 0;
else
if (found_user)
{
for (cp = line; *cp == ' ' || *cp == '\t'; cp++)
;
if (strncmp(cp, "password = "******"password = "******"password = "),
sizeof(correct_passwd));
correct_passwd[sizeof(correct_passwd) - 1] = 0;
break;
}
}
}
fclose(f);
}
}
#endif /* HAVE_ETC_SECURITY_PASSWD */
#endif /* HAVE_ETC_SECURITY_PASSWD_ADJUNCT */
#endif /* HAVE_ETC_SHADOW */
#endif /* HAVE_SCO_ETC_SHADOW */
#endif /* HAVE_SIA */
uc->correct_encrypted_passwd = ssh_xstrdup(correct_passwd);
uc->login_allowed = ssh_login_permitted(uc->name, uc);
}
else /* !privileged */
{
uc->correct_encrypted_passwd = NULL;
uc->login_allowed = TRUE;
uc->password_needs_change = FALSE;
}
/* XXX should check password expirations (some systems already do this in
ssh_login_permitted). */
return uc;
}
