xref: /netbsd-src/crypto/external/bsd/openssh/dist/auth-passwd.c (revision c38e7cc395b1472a774ff828e46123de44c628e9) 
1 /*	$NetBSD: auth-passwd.c,v 1.9 2018/04/07 00:26:12 christos Exp $	*/
2 /* $OpenBSD: auth-passwd.c,v 1.46 2018/03/03 03:15:51 djm Exp $ */
3 /*
4  * Author: Tatu Ylonen <ylo@cs.hut.fi>
5  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
6  *                    All rights reserved
7  * Password authentication.  This file contains the functions to check whether
8  * the password is valid for the user.
9  *
10  * As far as I am concerned, the code I have written for this software
11  * can be used freely for any purpose.  Any derived versions of this
12  * software must be clearly marked as such, and if the derived work is
13  * incompatible with the protocol description in the RFC file, it must be
14  * called by a name other than "ssh" or "Secure Shell".
15  *
16  * Copyright (c) 1999 Dug Song.  All rights reserved.
17  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
18  *
19  * Redistribution and use in source and binary forms, with or without
20  * modification, are permitted provided that the following conditions
21  * are met:
22  * 1. Redistributions of source code must retain the above copyright
23  *    notice, this list of conditions and the following disclaimer.
24  * 2. Redistributions in binary form must reproduce the above copyright
25  *    notice, this list of conditions and the following disclaimer in the
26  *    documentation and/or other materials provided with the distribution.
27  *
28  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
29  * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
30  * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
31  * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
32  * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
33  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
34  * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
35  * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
36  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
37  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
38  */
39 
40 #include "includes.h"
41 __RCSID("$NetBSD: auth-passwd.c,v 1.9 2018/04/07 00:26:12 christos Exp $");
42 #include <sys/types.h>
43 
44 #include <login_cap.h>
45 #include <pwd.h>
46 #include <stdio.h>
47 #include <string.h>
48 #include <stdarg.h>
49 #include <unistd.h>
50 
51 #include "packet.h"
52 #include "buffer.h"
53 #include "log.h"
54 #include "misc.h"
55 #include "servconf.h"
56 #include "key.h"
57 #include "hostfile.h"
58 #include "auth.h"
59 #include "auth-options.h"
60 
61 extern Buffer loginmsg;
62 extern ServerOptions options;
63 int sys_auth_passwd(struct ssh *, const char *);
64 
65 #ifdef HAVE_LOGIN_CAP
66 extern login_cap_t *lc;
67 #endif
68 
69 #define DAY		(24L * 60 * 60) /* 1 day in seconds */
70 #define TWO_WEEKS	(2L * 7 * DAY)	/* 2 weeks in seconds */
71 
72 #define MAX_PASSWORD_LEN	1024
73 
74 /*
75  * Tries to authenticate the user using password.  Returns true if
76  * authentication succeeds.
77  */
78 int
79 auth_password(struct ssh *ssh, const char *password)
80 {
81 	Authctxt *authctxt = ssh->authctxt;
82 	struct passwd *pw = authctxt->pw;
83 	int ok = authctxt->valid;
84 
85 	if (strlen(password) > MAX_PASSWORD_LEN)
86 		return 0;
87 
88 	if (pw->pw_uid == 0 && options.permit_root_login != PERMIT_YES)
89 		ok = 0;
90 	if (*password == '\0' && options.permit_empty_passwd == 0)
91 		return 0;
92 #ifdef KRB5
93 	if (options.kerberos_authentication == 1) {
94 		int ret = auth_krb5_password(authctxt, password);
95  		if (ret == 1 || ret == 0)
96  			return ret && ok;
97  		/* Fall back to ordinary passwd authentication. */
98 	}
99 #endif
100 
101 #ifdef USE_PAM
102 	if (options.use_pam)
103 		return (sshpam_auth_passwd(authctxt, password) && ok);
104 #endif
105 	return (sys_auth_passwd(ssh, password) && ok);
106 }
107 
108 #ifdef BSD_AUTH
109 static void
110 warn_expiry(Authctxt *authctxt, auth_session_t *as)
111 {
112 	char buf[256];
113 	quad_t pwtimeleft, actimeleft, daysleft, pwwarntime, acwarntime;
114 
115 	pwwarntime = acwarntime = TWO_WEEKS;
116 
117 	pwtimeleft = auth_check_change(as);
118 	actimeleft = auth_check_expire(as);
119 #ifdef HAVE_LOGIN_CAP
120 	if (authctxt->valid) {
121 		pwwarntime = login_getcaptime(lc, "password-warn", TWO_WEEKS,
122 		    TWO_WEEKS);
123 		acwarntime = login_getcaptime(lc, "expire-warn", TWO_WEEKS,
124 		    TWO_WEEKS);
125 	}
126 #endif
127 	if (pwtimeleft != 0 && pwtimeleft < pwwarntime) {
128 		daysleft = pwtimeleft / DAY + 1;
129 		snprintf(buf, sizeof(buf),
130 		    "Your password will expire in %lld day%s.\n",
131 		    daysleft, daysleft == 1 ? "" : "s");
132 		buffer_append(&loginmsg, buf, strlen(buf));
133 	}
134 	if (actimeleft != 0 && actimeleft < acwarntime) {
135 		daysleft = actimeleft / DAY + 1;
136 		snprintf(buf, sizeof(buf),
137 		    "Your account will expire in %lld day%s.\n",
138 		    daysleft, daysleft == 1 ? "" : "s");
139 		buffer_append(&loginmsg, buf, strlen(buf));
140 	}
141 }
142 
143 int
144 sys_auth_passwd(struct ssh *ssh, const char *password)
145 {
146 	Authctxt *authctxt = ssh->authctxt;
147 	auth_session_t *as;
148 	static int expire_checked = 0;
149 
150 	as = auth_usercheck(authctxt->pw->pw_name, authctxt->style, "auth-ssh",
151 	    (char *)password);
152 	if (as == NULL)
153 		return (0);
154 	if (auth_getstate(as) & AUTH_PWEXPIRED) {
155 		auth_close(as);
156 		auth_restrict_session(ssh);
157 		authctxt->force_pwchange = 1;
158 		return (1);
159 	} else {
160 		if (!expire_checked) {
161 			expire_checked = 1;
162 			warn_expiry(authctxt, as);
163 		}
164 		return (auth_close(as));
165 	}
166 }
167 #else
168 
169 #define shadow_pw(pw)	(pw)->pw_passwd
170 #define xcrypt(a, b) crypt((a), (b))
171 
172 int
173 sys_auth_passwd(struct ssh *ssh, const char *password)
174 {
175 	Authctxt *authctxt = ssh->authctxt;
176 	struct passwd *pw = authctxt->pw;
177 	char *encrypted_password, *salt = NULL;
178 
179 	/* Just use the supplied fake password if authctxt is invalid */
180 	char *pw_password = authctxt->valid ? shadow_pw(pw) : pw->pw_passwd;
181 
182 	/* Check for users with no password. */
183 	if (strcmp(pw_password, "") == 0 && strcmp(password, "") == 0)
184 		return (1);
185 
186 	/*
187 	 * Encrypt the candidate password using the proper salt, or pass a
188 	 * NULL and let xcrypt pick one.
189 	 */
190 	if (authctxt->valid && pw_password[0] && pw_password[1])
191 		salt = pw_password;
192 	encrypted_password = xcrypt(password, salt ? salt : "xx");
193 
194 	/*
195 	 * Authentication is accepted if the encrypted passwords
196 	 * are identical.
197 	 */
198 	return encrypted_password != NULL &&
199 	    strcmp(encrypted_password, pw_password) == 0;
200 }
201 #endif
202