示例#1
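/****************************************************************************
core of password checking routine

Checks the cleartext password against the authentication backends selected
at compile time and returns True on a match, False otherwise.  The user
name, salt and stored hash come from this_user, this_salt and this_crypted,
which are set up outside this function.

A backend section that ends in an unconditional return (PAM, OSF1, Ultrix,
Linux bigcrypt, HP-UX trusted) makes everything after it unreachable in
that build.  The AFS/DFS/Kerberos/pwdauth sections only return on success
and otherwise fall through to the next configured method.
****************************************************************************/
BOOL password_check(char *password)
{

#ifdef USE_PAM
  /* The PAM verdict is final, so return it directly.  An earlier form,
     "if (pam_auth(...)) return(True);", fell through when PAM rejected the
     password:
	- if NO_CRYPT is defined that only produced the
	  "Warning - no crypt available" message;
	- if NO_CRYPT is NOT defined it was a potential security hole, because
	  the crypt call below could still authenticate a user that the PAM
	  settings say must fail.  */
  return (pam_auth(this_user,password));
#endif

#ifdef AFS_AUTH
  if (afs_auth(this_user,password)) return(True);
#endif

#ifdef DFS_AUTH
  if (dfs_auth(this_user,password)) return(True);
#endif 

#ifdef KRB5_AUTH
  if (krb5_auth(this_user,password)) return(True);
#endif

#ifdef KRB4_AUTH
  if (krb4_auth(this_user,password)) return(True);
#endif

#ifdef PWDAUTH
  /* pwdauth() reports success with 0 */
  if (pwdauth(this_user,password) == 0)
    return(True);
#endif

#ifdef OSF1_ENH_SEC
  {
    /* NOTE(review): osf1_bigcrypt() is assumed never to return NULL - confirm */
    BOOL ret = (strcmp(osf1_bigcrypt(password,this_salt),this_crypted) == 0);
    if(!ret) {
      char *hashed;
      DEBUG(2,("password_check: OSF1_ENH_SEC failed. Trying normal crypt.\n"));
      /* crypt() may return NULL (e.g. unusable salt); treat that as a mismatch */
      hashed = (char *)crypt(password,this_salt);
      ret = (hashed && strcmp(hashed,this_crypted) == 0);
    }
    return ret;
  }
#endif

#ifdef ULTRIX_AUTH
  /* NOTE(review): crypt16() is assumed never to return NULL - confirm */
  return (strcmp((char *)crypt16(password, this_salt ),this_crypted) == 0);
#endif

#ifdef LINUX_BIGCRYPT
  return(linux_bigcrypt(password,this_salt,this_crypted));
#endif

#ifdef HPUX_10_TRUSTED
  /* NOTE(review): bigcrypt() is assumed never to return NULL - confirm */
  return(strcmp(bigcrypt(password,this_salt),this_crypted) == 0);
#endif

#ifdef NO_CRYPT
  DEBUG(1,("Warning - no crypt available\n"));
  return(False);
#else
  {
    /* crypt() returns NULL on failure; passing that to strcmp() would crash
       the authentication path, so fail closed instead. */
    char *hashed = (char *)crypt(password,this_salt);
    if (!hashed)
      return(False);
    return(strcmp(hashed,this_crypted) == 0);
  }
#endif
}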
示例#2
文件: mcserv.c 项目: sfionov/mc-dev
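/* Try to authenticate the user and, on success, switch the process over to
   that account.  The credentials are checked with:
   - PAM if the system has it, else:
   - pwdauth if the system supports it,
   - conventional auth (check salt on /etc/passwd, crypt, and compare),
   - a login attempt against the local ftp server (if -f flag used).

   After a successful check the function changes into the account's home
   directory, stores that path (with a trailing '/') in home_dir, and sets
   the group id, supplementary groups and user id of the account.  The "ftp"
   account is additionally confined to its home directory with chroot().

   Returns the nonzero authentication result on success, 0 if the
   credentials are rejected or any later step fails.  */
static int
do_auth (const char *username, const char *password)
{
    int auth = 0;
    int jail;
    struct passwd *this;

    /* NOTE(review): the replacement account name below looks masked in this
       copy of the file, while the chroot decision further down compares
       against "ftp" -- confirm the literal against the upstream source.  */
    if (strcmp (username, "anonymous") == 0)
	username = "******";

#ifdef HAVE_PAM
    if (mc_pam_auth (username, password) == 0)
	auth = 1;
#else				/* if there is no pam */
    /* The methods below form one if/else chain across the #ifdefs: each
       one is tried only when the previous one rejected the credentials.  */
#ifdef HAVE_PWDAUTH
    if (pwdauth (username, password) == 0)
	auth = 1;
    else
#endif
#ifdef HAVE_CRYPT
    if (do_classic_auth (username, password))
	auth = 1;
    else
#endif
    if (ftp)
	auth = do_ftp_auth (username, password);
#endif				/* not pam */

    if (!auth)
	return 0;

    this = getpwnam (username);
    if (this == 0)
	return 0;

    /* An empty home directory would make the trailing-slash test below
       index before the start of the string, so reject it explicitly.  */
    if (this->pw_dir[0] == '\0' || chdir (this->pw_dir) == -1)
	return 0;

    if (this->pw_dir[strlen (this->pw_dir) - 1] == '/') {
	home_dir = strdup (this->pw_dir);
	/* Same out-of-memory fallback as the branch below */
	if (!home_dir)
	    home_dir = "/";
    } else {
	char *new_home_dir = malloc (strlen (this->pw_dir) + 2);
	if (new_home_dir) {
	    strcpy (new_home_dir, this->pw_dir);
	    strcat (new_home_dir, "/");
	    home_dir = new_home_dir;
	} else
	    home_dir = "/";
    }

    jail = (strcmp (username, "ftp") == 0);

    if (setgid (this->pw_gid) == -1)
	return 0;

#ifdef HAVE_INITGROUPS
#ifdef NGROUPS_MAX
    if (NGROUPS_MAX > 1 && initgroups (this->pw_name, this->pw_gid))
	return 0;
#endif
#endif

    /* chroot() needs the privileges that setuid() below gives up, so the
       jail has to be entered first; calling it after the uid switch fails
       and leaves the session unconfined.  It comes after initgroups(),
       which still needs the system group database.  A failure here denies
       access rather than continuing without the jail.
       NOTE(review): home_dir keeps the pre-chroot path -- check how the
       rest of the file uses it for the jailed account.  */
    if (jail && (chroot (this->pw_dir) == -1 || chdir ("/") == -1))
	return 0;

#if defined (HAVE_SETUID)
    if (setuid (this->pw_uid))
	return 0;
#elif defined (HAVE_SETREUID)
    if (setreuid (this->pw_uid, this->pw_uid))
	return 0;
#endif

    /* If the setuid call failed, then deny access */
    /* This should fix the problem on those machines with strange setups */
    /* The effective uid is checked as well, so a partial switch is refused */
    if (getuid () != this->pw_uid || geteuid () != this->pw_uid)
	return 0;

    endpwent ();
    return auth;
}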