static auth_result_t get_crypted_password(const char* username, char* buffer, size_t size, error_handler_t *error_handler) { #if defined(AIX43) || defined(AIX51) #define BUFSIZE 1024 char buf[BUFSIZE]; struct userpw *pw = NULL; strncpy(buf, username, BUFSIZE); pw = getuserpw(buf); if(pw == NULL) { error_handler->error(MSG_AUTHUSER_USER_UNKNOWN_S, username); return JUTI_AUTH_FAILED; } else { strncpy(pw->upw_passwd, buffer, size); return JUTI_AUTH_SUCCESS; } #else struct passwd *pw = getpwnam(username); if(pw == NULL ) { error_handler->error(MSG_AUTHUSER_USER_UNKNOWN_S, username); return JUTI_AUTH_FAILED; #if !defined(JUTI_NO_SHADOW) /* On linux the getpwnam returns the password "x" if the user has a shadow entry and authuser is not started as user root */ } else if (strcmp("x", pw->pw_passwd) == 0) { struct spwd *pres = NULL; #ifdef DEBUG printf("getpwnam did not return the crypted passwd, try getspnam\n"); #endif pres = getspnam(username); if(pres == NULL) { error_handler->error(MSG_AUTHUSER_NO_SHADOW_ENTRY_S, username); return JUTI_AUTH_FAILED; } strncpy(buffer, pres->sp_pwdp, size); #endif } else { strncpy(buffer, pw->pw_passwd, size); } #endif return JUTI_AUTH_SUCCESS; }
int check_auth(char *login, char *passwd) { char *cpass; struct userpw *upwd= getuserpw(login); #ifdef NEED_UID struct passwd *pwd; #endif if (upwd == NULL) return(errno == EACCES ? STATUS_INT_NOROOT : STATUS_UNKNOWN); #ifdef NEED_UID if ((pwd= getpwnam(login)) == NULL) return(STATUS_UNKNOWN); hisuid= pwd->pw_uid; haveuid= 1; #endif #ifdef MIN_UNIX_UID if (hisuid < MIN_UNIX_UID) return(STATUS_BLOCKED); #endif cpass= crypt(passwd, upwd->upw_passwd); return(strcmp(cpass, upwd->upw_passwd) ? STATUS_INVALID : STATUS_OK); }
int check_passwd(stralloc *login, stralloc *authdata, struct credentials *c, int fast) { int ret; struct passwd *pw; #ifdef PW_SHADOW struct spwd *spw; #endif #ifdef AIX struct userpw *spw; #endif if (localdelivery() == 0) return NOSUCH; pw = getpwnam(login->s); if (!pw) { /* XXX: unfortunately getpwnam() hides temporary errors */ logit(32, "check_passwd: user %s not found in passwd db\n", login->s); return NOSUCH; } logit(32, "check_passwd: user %s found in passwd db\n", login->s); if (!fast) { c->gid = pw->pw_gid; c->uid = pw->pw_uid; /* * Here we don't check the home and maildir path, if a user * has a faked passwd entry, then you have a bigger problem * on your system than just a guy how can read the mail of * other users/customers. */ if (!stralloc_copys(&c->home, pw->pw_dir)) return ERRNO; if (!stralloc_0(&c->home)) return ERRNO; ret = get_local_maildir(&c->home, &c->maildir); if (ret != 0) return ret; logit(32, "get_local_maildir: maildir=%s\n", c->maildir.s); } #ifdef PW_SHADOW spw = getspnam(login->s); if (!spw) /* XXX: again, temp hidden */ return FAILED; ret = cmp_passwd((unsigned char*) authdata->s, spw->sp_pwdp); #else /* no PW_SHADOW */ #ifdef AIX spw = getuserpw(login->s); if (!spw) /* XXX: and again */ return FAILED; ret = cmp_passwd((unsigned char*) authdata->s, spw->upw_passwd); #else /* no AIX */ ret = cmp_passwd((unsigned char*) authdata->s, pw->pw_passwd); #endif /* END AIX */ #endif /* END PW_SHADOW */ logit(32, "check_pw: password compare was %s\n", ret==OK?"successful":"not successful"); return ret; }
gchar * mdm_verify_user (MdmDisplay *d, const char *username, gboolean allow_retry) { gchar *login, *passwd, *ppasswd; struct passwd *pwent; struct spwd *sp; #if defined (HAVE_PASSWDEXPIRED) && defined (HAVE_CHPASS) \ || defined (HAVE_LOGINRESTRICTIONS) gchar *message = NULL; #endif #if defined (HAVE_PASSWDEXPIRED) && defined (HAVE_CHPASS) gchar *info_msg = NULL, *response = NULL; gint reEnter, ret; #endif if (d->attached && d->timed_login_ok) mdm_slave_greeter_ctl_no_ret (MDM_STARTTIMER, ""); if (username == NULL) { authenticate_again: /* Ask for the user's login */ mdm_verify_select_user (NULL); mdm_slave_greeter_ctl_no_ret (MDM_MSG, _("Please enter your username")); login = mdm_slave_greeter_ctl (MDM_PROMPT, _("Username:"******""); g_free (login); return NULL; } } mdm_slave_greeter_ctl_no_ret (MDM_MSG, ""); if (mdm_daemon_config_get_value_bool (MDM_KEY_DISPLAY_LAST_LOGIN)) { char *info = mdm_get_last_info (login); mdm_slave_greeter_ctl_no_ret (MDM_ERRBOX, info); g_free (info); } } else { login = g_strdup (username); } mdm_slave_greeter_ctl_no_ret (MDM_SETLOGIN, login); pwent = getpwnam (login); setspent (); /* Lookup shadow password */ sp = getspnam (login); /* Use shadow password when available */ if (sp != NULL) { ppasswd = g_strdup (sp->sp_pwdp); } else { /* In case shadow password cannot be retrieved (when using NIS authentication for example), use standard passwd */ if (pwent != NULL && pwent->pw_passwd != NULL) ppasswd = g_strdup (pwent->pw_passwd); else /* If no password can be retrieved, set it to NULL */ ppasswd = NULL; } endspent (); /* Request the user's password */ if (pwent != NULL && ve_string_empty (ppasswd)) { /* eeek a passwordless account */ passwd = g_strdup (""); } else { passwd = mdm_slave_greeter_ctl (MDM_NOECHO, _("Password:"******""); if (mdm_slave_greeter_check_interruption ()) { if (d->attached) mdm_slave_greeter_ctl_no_ret (MDM_STOPTIMER, ""); g_free (login); g_free (passwd); g_free (ppasswd); return NULL; } } if (d->attached) mdm_slave_greeter_ctl_no_ret (MDM_STOPTIMER, ""); if (pwent == NULL) { mdm_sleep_no_signal (mdm_daemon_config_get_value_int (MDM_KEY_RETRY_DELAY)); mdm_debug ("Couldn't authenticate user"); print_cant_auth_errbox (); g_free (login); g_free (passwd); g_free (ppasswd); return NULL; } /* Check whether password is valid */ if (ppasswd == NULL || (ppasswd[0] != '\0' && strcmp (crypt (passwd, ppasswd), ppasswd) != 0)) { mdm_sleep_no_signal (mdm_daemon_config_get_value_int (MDM_KEY_RETRY_DELAY)); mdm_debug ("Couldn't authenticate user"); print_cant_auth_errbox (); g_free (login); g_free (passwd); g_free (ppasswd); return NULL; } if (( ! mdm_daemon_config_get_value_bool (MDM_KEY_ALLOW_ROOT) || ( ! mdm_daemon_config_get_value_bool (MDM_KEY_ALLOW_REMOTE_ROOT) && ! d->attached)) && pwent->pw_uid == 0) { mdm_debug ("Root login disallowed on display '%s'", d->name); mdm_slave_greeter_ctl_no_ret (MDM_ERRBOX, _("The system administrator " "is not allowed to login " "from this screen")); /*mdm_slave_greeter_ctl_no_ret (MDM_ERRDLG, _("Root login disallowed"));*/ g_free (login); g_free (passwd); g_free (ppasswd); return NULL; } #ifdef HAVE_LOGINRESTRICTIONS /* Check with the 'loginrestrictions' function if the user has been disallowed */ if (loginrestrictions (login, 0, NULL, &message) != 0) { mdm_debug ("User not allowed to log in"); mdm_slave_greeter_ctl_no_ret (MDM_ERRBOX, _("\nThe system administrator " "has disabled your " "account.")); g_free (login); g_free (passwd); g_free (ppasswd); if (message != NULL) free (message); return NULL; } if (message != NULL) free (message); message = NULL; #else /* ! HAVE_LOGINRESTRICTIONS */ /* check for the standard method of disallowing users */ if (pwent->pw_shell != NULL && (strcmp (pwent->pw_shell, NOLOGIN) == 0 || strcmp (pwent->pw_shell, "/bin/true") == 0 || strcmp (pwent->pw_shell, "/bin/false") == 0)) { mdm_debug ("User not allowed to log in"); mdm_slave_greeter_ctl_no_ret (MDM_ERRBOX, _("\nThe system administrator " "has disabled your " "account.")); /*mdm_slave_greeter_ctl_no_ret (MDM_ERRDLG, _("Login disabled"));*/ g_free (login); g_free (passwd); g_free (ppasswd); return NULL; } #endif /* HAVE_LOGINRESTRICTIONS */ g_free (passwd); g_free (ppasswd); if ( ! mdm_slave_check_user_wants_to_log_in (login)) { g_free (login); login = NULL; goto authenticate_again; } if ( ! mdm_setup_gids (login, pwent->pw_gid)) { mdm_debug ("Cannot set user group"); mdm_slave_greeter_ctl_no_ret (MDM_ERRBOX, _("\nCannot set your user group; " "you will not be able to log in. " "Please contact your system administrator.")); g_free (login); return NULL; } #if defined (HAVE_PASSWDEXPIRED) && defined (HAVE_CHPASS) switch (passwdexpired (login, &info_msg)) { case 1 : mdm_debug ("User password has expired"); mdm_errorgui_error_box (d, GTK_MESSAGE_ERROR, _("You are required to change your password.\n" "Please choose a new one.")); g_free (info_msg); do { ret = chpass (login, response, &reEnter, &message); g_free (response); if (ret != 1) { if (ret != 0) { mdm_slave_greeter_ctl_no_ret (MDM_ERRBOX, _("\nCannot change your password; " "you will not be able to log in. " "Please try again later or contact " "your system administrator.")); } else if ((reEnter != 0) && (message)) { response = mdm_slave_greeter_ctl (MDM_NOECHO, message); if (response == NULL) response = g_strdup (""); } } g_free (message); message = NULL; } while ( ((reEnter != 0) && (ret == 0)) || (ret ==1) ); g_free (response); g_free (message); if ((ret != 0) || (reEnter != 0)) { return NULL; } #if defined (CAN_CLEAR_ADMCHG) /* The password is changed by root, clear the ADM_CHG flag in the passwd file */ ret = setpwdb (S_READ | S_WRITE); if (!ret) { upwd = getuserpw (login); if (upwd == NULL) { ret = -1; } else { upwd->upw_flags &= ~PW_ADMCHG; ret = putuserpw (upwd); if (!ret) { ret = endpwdb (); } } } if (ret) { mdm_errorgui_error_box (d, GTK_MESSAGE_WARNING, _("Your password has been changed but " "you may have to change it again. " "Please try again later or contact " "your system administrator.")); } #else /* !CAN_CLEAR_ADMCHG */ mdm_errorgui_error_box (d, GTK_MESSAGE_WARNING, _("Your password has been changed but you " "may have to change it again. Please try again " "later or contact your system administrator.")); #endif /* CAN_CLEAR_ADMCHG */ break; case 2 : mdm_debug ("User password has expired"); mdm_errorgui_error_box (d, GTK_MESSAGE_ERROR, _("Your password has expired.\n" "Only a system administrator can now change it")); g_free (info_msg); return NULL; break; case -1 : mdm_debug ("Internal error on passwdexpired"); mdm_errorgui_error_box (d, GTK_MESSAGE_ERROR, _("An internal error occurred. You will not be able to log in.\n" "Please try again later or contact your system administrator.")); g_free (info_msg); return NULL; break; default : g_free (info_msg); break; } #endif /* HAVE_PASSWDEXPIRED && HAVE_CHPASS */ return login; }