auth-passwd.c revision 73400
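/*
 * Author: Tatu Ylonen <ylo@cs.hut.fi>
 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
 * All rights reserved
 * Password authentication. This file contains the functions to check whether
 * the password is valid for the user.
 *
 * As far as I am concerned, the code I have written for this software
 * can be used freely for any purpose. Any derived versions of this
 * software must be clearly marked as such, and if the derived work is
 * incompatible with the protocol description in the RFC file, it must be
 * called by a name other than "ssh" or "Secure Shell".
 *
 *
 * Copyright (c) 1999 Dug Song. All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 *
 *
 * Copyright (c) 2000 Markus Friedl. All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */

#include "includes.h"
RCSID("$OpenBSD: auth-passwd.c,v 1.18 2000/10/03 18:03:03 markus Exp $");
RCSID("$FreeBSD: head/crypto/openssh/auth-passwd.c 73400 2001-03-04 02:22:04Z assar $");

#include "packet.h"
#include "ssh.h"
#include "servconf.h"
#include "xmalloc.h"

/*
 * Tries to authenticate the user using password.  Returns true if
 * authentication succeeds.
 *
 * pw        passwd entry of the account being authenticated; a NULL
 *           entry is rejected.
 * password  candidate password; it is dereferenced without a NULL check,
 *           so the caller must pass a NUL-terminated string.
 *
 * Returns 1 when the password is accepted and 0 on every denial, including
 * the case where crypt() fails to produce a hash.
 */
int
auth_password(struct passwd * pw, const char *password)
{
	extern ServerOptions options;
	char *encrypted_password;

	/* deny if no user. */
	if (pw == NULL)
		return 0;
	/*
	 * Root (uid 0) is refused here when permit_root_login is 2.
	 * NOTE(review): 2 is a bare magic number; presumably the
	 * PermitRootLogin mode that forbids password logins for root --
	 * confirm against servconf.h.  Other values of the option are not
	 * checked in this function.
	 */
	if (pw->pw_uid == 0 && options.permit_root_login == 2)
		return 0;
	/* An empty candidate password is refused unless explicitly permitted. */
	if (*password == '\0' && options.permit_empty_passwd == 0)
		return 0;

#ifdef SKEY_VIA_PASSWD_IS_DISABLED
	if (options.skey_authentication == 1) {
		int ret = auth_skey_password(pw, password);
		/* 1 and 0 are final answers; any other value falls through. */
		if (ret == 1 || ret == 0)
			return ret;
		/* Fall back to ordinary passwd authentication. */
	}
#endif
#ifdef KRB5
	if (options.kerberos_authentication == 1) {
		/*
		 * Only success is final here: a Kerberos 5 failure does not
		 * deny the login, the local password check below still runs.
		 */
		if (auth_krb5_password(pw, password))
			return 1;
		/* Fall back to ordinary passwd authentication. */
	}

#endif /* KRB5 */
#ifdef KRB4
	if (options.kerberos_authentication == 1) {
		int ret = auth_krb4_password(pw, password);
		/* 1 and 0 are final answers; any other value falls through. */
		if (ret == 1 || ret == 0)
			return ret;
		/* Fall back to ordinary passwd authentication. */
	}
#endif

	/*
	 * Check for users with no password.  This is only reachable with an
	 * empty candidate when permit_empty_passwd is non-zero, because the
	 * guard above already rejected the other case.
	 */
	if (strcmp(password, "") == 0 && strcmp(pw->pw_passwd, "") == 0)
		return 1;
	/*
	 * Encrypt the candidate password using the proper salt.  When the
	 * stored field is shorter than two characters the fixed salt "xx"
	 * is used so that crypt() is still handed a salt string.
	 */
	encrypted_password = crypt(password,
	    (pw->pw_passwd[0] && pw->pw_passwd[1]) ? pw->pw_passwd : "xx");

	/*
	 * crypt() is allowed to return NULL (for example on a salt it does
	 * not support).  Fail closed instead of handing NULL to strcmp().
	 */
	if (encrypted_password == NULL)
		return 0;

	/*
	 * Authentication is accepted if the encrypted passwords are identical.
	 * NOTE(review): strcmp() stops at the first differing byte; the
	 * operands are hashes rather than the plaintext, but a constant-time
	 * comparison would remove the timing dependence altogether.
	 */
	return (strcmp(encrypted_password, pw->pw_passwd) == 0);
}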