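/****************************************************************************
core of password checking routine
****************************************************************************/
/*
 * Check a cleartext password against whichever authentication backends were
 * selected at compile time.
 *
 * password - the cleartext password supplied by the client.
 *
 * Returns True when a backend accepts the password, False otherwise.
 *
 * The account being checked is not passed in: the function reads this_user,
 * this_salt and this_crypted, which are defined outside this block
 * (presumably filled in by the caller before the check - confirm).
 *
 * The backends are tried in the order they appear below. PAM and the
 * crypt-style backends return their verdict directly; AFS, DFS, Kerberos and
 * pwdauth return only on success and otherwise fall through to the next
 * configured method.
 */
BOOL password_check(char *password)
{

#ifdef USE_PAM
  /* This falls through if the password check fails
     - if NO_CRYPT is defined this causes an error msg saying
       Warning - no crypt available
     - if NO_CRYPT is NOT defined this is a potential security hole
       as it may authenticate via the crypt call when PAM
       settings say it should fail.
       if (pam_auth(this_user,password)) return(True);
     Hence we make a direct return to avoid a second chance!!!
  */
  return (pam_auth(this_user,password));
#endif

  /*
   * NOTE(review): the four network backends and pwdauth below return only
   * when they accept the password. A rejection by any of them is not final:
   * control continues to the next method and ends at the crypt() comparison.
   * That is the same "second chance" the PAM comment above describes -
   * confirm it is intended for each of these backends.
   */
#ifdef AFS_AUTH
  if (afs_auth(this_user,password)) return(True);
#endif

#ifdef DFS_AUTH
  if (dfs_auth(this_user,password)) return(True);
#endif

#ifdef KRB5_AUTH
  if (krb5_auth(this_user,password)) return(True);
#endif

#ifdef KRB4_AUTH
  if (krb4_auth(this_user,password)) return(True);
#endif

#ifdef PWDAUTH
  if (pwdauth(this_user,password) == 0) return(True);
#endif

  /*
   * crypt() returns a null pointer when it cannot hash the input (for
   * example an unsupported salt). Passing that to strcmp() is undefined
   * behaviour, so every hash result below is checked first and a null
   * result is treated as "password does not match". The platform variants
   * are guarded the same way as a defensive measure.
   */
#ifdef OSF1_ENH_SEC
  {
    const char *hashed = osf1_bigcrypt(password,this_salt);
    BOOL ret = (hashed != NULL && strcmp(hashed,this_crypted) == 0);
    if(!ret) {
      DEBUG(2,("password_check: OSF1_ENH_SEC failed. Trying normal crypt.\n"));
      hashed = (char *)crypt(password,this_salt);
      ret = (hashed != NULL && strcmp(hashed,this_crypted) == 0);
    }
    return ret;
  }
#endif

#ifdef ULTRIX_AUTH
  {
    const char *hashed = (char *)crypt16(password, this_salt );
    return (hashed != NULL && strcmp(hashed,this_crypted) == 0);
  }
#endif

#ifdef LINUX_BIGCRYPT
  return(linux_bigcrypt(password,this_salt,this_crypted));
#endif

#ifdef HPUX_10_TRUSTED
  {
    const char *hashed = bigcrypt(password,this_salt);
    return(hashed != NULL && strcmp(hashed,this_crypted) == 0);
  }
#endif

#ifdef NO_CRYPT
  DEBUG(1,("Warning - no crypt available\n"));
  return(False);
#else
  {
    const char *hashed = (char *)crypt(password,this_salt);
    return(hashed != NULL && strcmp(hashed,this_crypted) == 0);
  }
#endif
}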
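/* Try to authenticate the user based on:
   - PAM if the system has it, else it checks:
   - pwdauth if the system supports it.
   - conventional auth (check salt on /etc/passwd, crypt, and compare)
   - try to contact the local ftp server and login (if -f flag used)

   On success the process is switched to the authenticated account:
   it changes into the account's home directory, records that directory
   (with a trailing slash) in home_dir, and takes on the account's group,
   supplementary groups and user id. A login as "ftp" is additionally
   confined to its home directory with chroot().

   Returns non-zero when the user was authenticated and every one of those
   steps succeeded, 0 otherwise.
*/
static int
do_auth (const char *username, const char *password)
{
    int auth = 0;
    struct passwd *this;

    /* NOTE(review): the replacement literal below looks as if it may have
       been masked. As written, an "anonymous" login is looked up as the
       account "******" and never reaches the "ftp" confinement branch
       further down - confirm the intended account name. */
    if (strcmp (username, "anonymous") == 0)
        username = "******";

#ifdef HAVE_PAM
    if (mc_pam_auth (username, password) == 0)
        auth = 1;
#else /* if there is no pam */
    /* Without PAM the methods form one if/else chain: the first one that
       accepts the password wins, and a rejection falls through to the
       next configured method. */
#ifdef HAVE_PWDAUTH
    if (pwdauth (username, password) == 0)
        auth = 1;
    else
#endif
#ifdef HAVE_CRYPT
    if (do_classic_auth (username, password))
        auth = 1;
    else
#endif
    if (ftp)
        auth = do_ftp_auth (username, password);
#endif /* not pam */

    if (!auth)
        return 0;

    this = getpwnam (username);
    if (this == 0)
        return 0;

    if (chdir (this->pw_dir) == -1)
        return 0;

    /* chdir() has just succeeded, so pw_dir is not an empty string and
       indexing its last character is safe. */
    if (this->pw_dir[strlen (this->pw_dir) - 1] == '/') {
        char *dir_copy = strdup (this->pw_dir);

        /* Fall back to "/" on allocation failure, as the branch below
           does, instead of leaving home_dir as a null pointer. */
        if (dir_copy)
            home_dir = dir_copy;
        else
            home_dir = "/";
    } else {
        char *new_home_dir = malloc (strlen (this->pw_dir) + 2);

        if (new_home_dir) {
            strcpy (new_home_dir, this->pw_dir);
            strcat (new_home_dir, "/");
            home_dir = new_home_dir;
        } else
            home_dir = "/";
    }

    if (setgid (this->pw_gid) == -1)
        return 0;

#ifdef HAVE_INITGROUPS
#ifdef NGROUPS_MAX
    if (NGROUPS_MAX > 1 && initgroups (this->pw_name, this->pw_gid))
        return 0;
#endif
#endif

    /* Confine the "ftp" account before the user id is dropped. chroot()
       needs the privileges that setuid() gives up, so calling it after
       the switch (as this function used to) fails, and with the result
       ignored the session ran unconfined. A failure here denies access.
       NOTE(review): home_dir was computed before the chroot and still
       names the path under the old root - confirm how the rest of the
       server uses it for this account. */
    if (strcmp (username, "ftp") == 0) {
        if (chroot (this->pw_dir) == -1 || chdir ("/") == -1)
            return 0;
    }

#if defined (HAVE_SETUID)
    if (setuid (this->pw_uid))
        return 0;
#elif defined (HAVE_SETREUID)
    if (setreuid (this->pw_uid, this->pw_uid))
        return 0;
#endif

    /* If the setuid call failed, then deny access */
    /* This should fix the problem on those machines with strange setups */
    if (getuid () != this->pw_uid)
        return 0;

    endpwent ();
    return auth;
}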