static auth_result_t get_crypted_password(const char* username, char* buffer, size_t size,
error_handler_t *error_handler) {
#if defined(AIX43) || defined(AIX51)
#define BUFSIZE 1024
char buf[BUFSIZE];
struct userpw *pw = NULL;
strncpy(buf, username, BUFSIZE);
pw = getuserpw(buf);
if(pw == NULL) {
error_handler->error(MSG_AUTHUSER_USER_UNKNOWN_S, username);
return JUTI_AUTH_FAILED;
} else {
strncpy(pw->upw_passwd, buffer, size);
return JUTI_AUTH_SUCCESS;
}
#else
struct passwd *pw = getpwnam(username);
if(pw == NULL ) {
error_handler->error(MSG_AUTHUSER_USER_UNKNOWN_S, username);
return JUTI_AUTH_FAILED;
#if !defined(JUTI_NO_SHADOW)
/* On linux the getpwnam returns the password "x" if the user has a shadow
entry and authuser is not started as user root */
} else if (strcmp("x", pw->pw_passwd) == 0) {
struct spwd *pres = NULL;
#ifdef DEBUG
printf("getpwnam did not return the crypted passwd, try getspnam\n");
#endif
pres = getspnam(username);
if(pres == NULL) {
error_handler->error(MSG_AUTHUSER_NO_SHADOW_ENTRY_S, username);
return JUTI_AUTH_FAILED;
}
strncpy(buffer, pres->sp_pwdp, size);
#endif
} else {
strncpy(buffer, pw->pw_passwd, size);
}
#endif
return JUTI_AUTH_SUCCESS;
}
int check_auth(char *login, char *passwd)
{
char *cpass;
struct userpw *upwd= getuserpw(login);
#ifdef NEED_UID
struct passwd *pwd;
#endif
if (upwd == NULL)
return(errno == EACCES ? STATUS_INT_NOROOT : STATUS_UNKNOWN);
#ifdef NEED_UID
if ((pwd= getpwnam(login)) == NULL) return(STATUS_UNKNOWN);
hisuid= pwd->pw_uid;
haveuid= 1;
#endif
#ifdef MIN_UNIX_UID
if (hisuid < MIN_UNIX_UID) return(STATUS_BLOCKED);
#endif
cpass= crypt(passwd, upwd->upw_passwd);
return(strcmp(cpass, upwd->upw_passwd) ? STATUS_INVALID : STATUS_OK);
}
int
check_passwd(stralloc *login, stralloc *authdata,
struct credentials *c, int fast)
{
int ret;
struct passwd *pw;
#ifdef PW_SHADOW
struct spwd *spw;
#endif
#ifdef AIX
struct userpw *spw;
#endif
if (localdelivery() == 0) return NOSUCH;
pw = getpwnam(login->s);
if (!pw) {
/* XXX: unfortunately getpwnam() hides temporary errors */
logit(32, "check_passwd: user %s not found in passwd db\n",
login->s);
return NOSUCH;
}
logit(32, "check_passwd: user %s found in passwd db\n",
login->s);
if (!fast) {
c->gid = pw->pw_gid;
c->uid = pw->pw_uid;
/*
* Here we don't check the home and maildir path, if a user
* has a faked passwd entry, then you have a bigger problem
* on your system than just a guy how can read the mail of
* other users/customers.
*/
if (!stralloc_copys(&c->home, pw->pw_dir))
return ERRNO;
if (!stralloc_0(&c->home))
return ERRNO;
ret = get_local_maildir(&c->home, &c->maildir);
if (ret != 0)
return ret;
logit(32, "get_local_maildir: maildir=%s\n", c->maildir.s);
}
#ifdef PW_SHADOW
spw = getspnam(login->s);
if (!spw)
/* XXX: again, temp hidden */
return FAILED;
ret = cmp_passwd((unsigned char*) authdata->s, spw->sp_pwdp);
#else /* no PW_SHADOW */
#ifdef AIX
spw = getuserpw(login->s);
if (!spw)
/* XXX: and again */
return FAILED;
ret = cmp_passwd((unsigned char*) authdata->s, spw->upw_passwd);
#else /* no AIX */
ret = cmp_passwd((unsigned char*) authdata->s, pw->pw_passwd);
#endif /* END AIX */
#endif /* END PW_SHADOW */
logit(32, "check_pw: password compare was %s\n",
ret==OK?"successful":"not successful");
return ret;
}
gchar *
mdm_verify_user (MdmDisplay *d,
const char *username,
gboolean allow_retry)
{
gchar *login, *passwd, *ppasswd;
struct passwd *pwent;
struct spwd *sp;
#if defined (HAVE_PASSWDEXPIRED) && defined (HAVE_CHPASS) \
|| defined (HAVE_LOGINRESTRICTIONS)
gchar *message = NULL;
#endif
#if defined (HAVE_PASSWDEXPIRED) && defined (HAVE_CHPASS)
gchar *info_msg = NULL, *response = NULL;
gint reEnter, ret;
#endif
if (d->attached && d->timed_login_ok)
mdm_slave_greeter_ctl_no_ret (MDM_STARTTIMER, "");
if (username == NULL) {
authenticate_again:
/* Ask for the user's login */
mdm_verify_select_user (NULL);
mdm_slave_greeter_ctl_no_ret (MDM_MSG, _("Please enter your username"));
login = mdm_slave_greeter_ctl (MDM_PROMPT, _("Username:"******"");
g_free (login);
return NULL;
}
}
mdm_slave_greeter_ctl_no_ret (MDM_MSG, "");
if (mdm_daemon_config_get_value_bool (MDM_KEY_DISPLAY_LAST_LOGIN)) {
char *info = mdm_get_last_info (login);
mdm_slave_greeter_ctl_no_ret (MDM_ERRBOX, info);
g_free (info);
}
} else {
login = g_strdup (username);
}
mdm_slave_greeter_ctl_no_ret (MDM_SETLOGIN, login);
pwent = getpwnam (login);
setspent ();
/* Lookup shadow password */
sp = getspnam (login);
/* Use shadow password when available */
if (sp != NULL) {
ppasswd = g_strdup (sp->sp_pwdp);
} else {
/* In case shadow password cannot be retrieved (when using NIS
authentication for example), use standard passwd */
if (pwent != NULL &&
pwent->pw_passwd != NULL)
ppasswd = g_strdup (pwent->pw_passwd);
else
/* If no password can be retrieved, set it to NULL */
ppasswd = NULL;
}
endspent ();
/* Request the user's password */
if (pwent != NULL &&
ve_string_empty (ppasswd)) {
/* eeek a passwordless account */
passwd = g_strdup ("");
} else {
passwd = mdm_slave_greeter_ctl (MDM_NOECHO, _("Password:"******"");
if (mdm_slave_greeter_check_interruption ()) {
if (d->attached)
mdm_slave_greeter_ctl_no_ret (MDM_STOPTIMER, "");
g_free (login);
g_free (passwd);
g_free (ppasswd);
return NULL;
}
}
if (d->attached)
mdm_slave_greeter_ctl_no_ret (MDM_STOPTIMER, "");
if (pwent == NULL) {
mdm_sleep_no_signal (mdm_daemon_config_get_value_int (MDM_KEY_RETRY_DELAY));
mdm_debug ("Couldn't authenticate user");
print_cant_auth_errbox ();
g_free (login);
g_free (passwd);
g_free (ppasswd);
return NULL;
}
/* Check whether password is valid */
if (ppasswd == NULL || (ppasswd[0] != '\0' &&
strcmp (crypt (passwd, ppasswd), ppasswd) != 0)) {
mdm_sleep_no_signal (mdm_daemon_config_get_value_int (MDM_KEY_RETRY_DELAY));
mdm_debug ("Couldn't authenticate user");
print_cant_auth_errbox ();
g_free (login);
g_free (passwd);
g_free (ppasswd);
return NULL;
}
if (( ! mdm_daemon_config_get_value_bool (MDM_KEY_ALLOW_ROOT) ||
( ! mdm_daemon_config_get_value_bool (MDM_KEY_ALLOW_REMOTE_ROOT) &&
! d->attached)) && pwent->pw_uid == 0) {
mdm_debug ("Root login disallowed on display '%s'", d->name);
mdm_slave_greeter_ctl_no_ret (MDM_ERRBOX,
_("The system administrator "
"is not allowed to login "
"from this screen"));
/*mdm_slave_greeter_ctl_no_ret (MDM_ERRDLG,
_("Root login disallowed"));*/
g_free (login);
g_free (passwd);
g_free (ppasswd);
return NULL;
}
#ifdef HAVE_LOGINRESTRICTIONS
/* Check with the 'loginrestrictions' function
if the user has been disallowed */
if (loginrestrictions (login, 0, NULL, &message) != 0) {
mdm_debug ("User not allowed to log in");
mdm_slave_greeter_ctl_no_ret (MDM_ERRBOX,
_("\nThe system administrator "
"has disabled your "
"account."));
g_free (login);
g_free (passwd);
g_free (ppasswd);
if (message != NULL)
free (message);
return NULL;
}
if (message != NULL)
free (message);
message = NULL;
#else /* ! HAVE_LOGINRESTRICTIONS */
/* check for the standard method of disallowing users */
if (pwent->pw_shell != NULL &&
(strcmp (pwent->pw_shell, NOLOGIN) == 0 ||
strcmp (pwent->pw_shell, "/bin/true") == 0 ||
strcmp (pwent->pw_shell, "/bin/false") == 0)) {
mdm_debug ("User not allowed to log in");
mdm_slave_greeter_ctl_no_ret (MDM_ERRBOX,
_("\nThe system administrator "
"has disabled your "
"account."));
/*mdm_slave_greeter_ctl_no_ret (MDM_ERRDLG,
_("Login disabled"));*/
g_free (login);
g_free (passwd);
g_free (ppasswd);
return NULL;
}
#endif /* HAVE_LOGINRESTRICTIONS */
g_free (passwd);
g_free (ppasswd);
if ( ! mdm_slave_check_user_wants_to_log_in (login)) {
g_free (login);
login = NULL;
goto authenticate_again;
}
if ( ! mdm_setup_gids (login, pwent->pw_gid)) {
mdm_debug ("Cannot set user group");
mdm_slave_greeter_ctl_no_ret (MDM_ERRBOX,
_("\nCannot set your user group; "
"you will not be able to log in. "
"Please contact your system administrator."));
g_free (login);
return NULL;
}
#if defined (HAVE_PASSWDEXPIRED) && defined (HAVE_CHPASS)
switch (passwdexpired (login, &info_msg)) {
case 1 :
mdm_debug ("User password has expired");
mdm_errorgui_error_box (d, GTK_MESSAGE_ERROR,
_("You are required to change your password.\n"
"Please choose a new one."));
g_free (info_msg);
do {
ret = chpass (login, response, &reEnter, &message);
g_free (response);
if (ret != 1) {
if (ret != 0) {
mdm_slave_greeter_ctl_no_ret (MDM_ERRBOX,
_("\nCannot change your password; "
"you will not be able to log in. "
"Please try again later or contact "
"your system administrator."));
} else if ((reEnter != 0) && (message)) {
response = mdm_slave_greeter_ctl (MDM_NOECHO, message);
if (response == NULL)
response = g_strdup ("");
}
}
g_free (message);
message = NULL;
} while ( ((reEnter != 0) && (ret == 0))
|| (ret ==1) );
g_free (response);
g_free (message);
if ((ret != 0) || (reEnter != 0)) {
return NULL;
}
#if defined (CAN_CLEAR_ADMCHG)
/* The password is changed by root, clear the ADM_CHG
flag in the passwd file */
ret = setpwdb (S_READ | S_WRITE);
if (!ret) {
upwd = getuserpw (login);
if (upwd == NULL) {
ret = -1;
}
else {
upwd->upw_flags &= ~PW_ADMCHG;
ret = putuserpw (upwd);
if (!ret) {
ret = endpwdb ();
}
}
}
if (ret) {
mdm_errorgui_error_box (d, GTK_MESSAGE_WARNING,
_("Your password has been changed but "
"you may have to change it again. "
"Please try again later or contact "
"your system administrator."));
}
#else /* !CAN_CLEAR_ADMCHG */
mdm_errorgui_error_box (d, GTK_MESSAGE_WARNING,
_("Your password has been changed but you "
"may have to change it again. Please try again "
"later or contact your system administrator."));
#endif /* CAN_CLEAR_ADMCHG */
break;
case 2 :
mdm_debug ("User password has expired");
mdm_errorgui_error_box (d, GTK_MESSAGE_ERROR,
_("Your password has expired.\n"
"Only a system administrator can now change it"));
g_free (info_msg);
return NULL;
break;
case -1 :
mdm_debug ("Internal error on passwdexpired");
mdm_errorgui_error_box (d, GTK_MESSAGE_ERROR,
_("An internal error occurred. You will not be able to log in.\n"
"Please try again later or contact your system administrator."));
g_free (info_msg);
return NULL;
break;
default :
g_free (info_msg);
break;
}
#endif /* HAVE_PASSWDEXPIRED && HAVE_CHPASS */
return login;
}
