39 | #include "includes.h" | - |
40 | | - |
41 | #include <sys/types.h> | - |
42 | | - |
43 | #include <pwd.h> | - |
44 | #include <stdio.h> | - |
45 | #include <string.h> | - |
46 | #include <stdarg.h> | - |
47 | | - |
48 | #include "packet.h" | - |
49 | #include "sshbuf.h" | - |
50 | #include "ssherr.h" | - |
51 | #include "log.h" | - |
52 | #include "misc.h" | - |
53 | #include "servconf.h" | - |
54 | #include "sshkey.h" | - |
55 | #include "hostfile.h" | - |
56 | #include "auth.h" | - |
57 | #include "auth-options.h" | - |
58 | | - |
59 | extern struct sshbuf *loginmsg; | - |
60 | extern ServerOptions options; | - |
61 | | - |
62 | #ifdef HAVE_LOGIN_CAP | - |
63 | extern login_cap_t *lc; | - |
64 | #endif | - |
65 | | - |
66 | | - |
67 | #define DAY (24L * 60 * 60) /* 1 day in seconds */ | - |
68 | #define TWO_WEEKS (2L * 7 * DAY) /* 2 weeks in seconds */ | - |
69 | | - |
70 | #define MAX_PASSWORD_LEN 1024 | - |
71 | | - |
72 | | - |
73 | | - |
74 | | - |
75 | | - |
/*
 * Check whether the plaintext `password` authenticates the user bound to
 * ssh->authctxt.  Returns 1 on success, 0 on failure.
 *
 * Cheap policy rejections come first (length, root-login policy, empty
 * password); then whichever backend was compiled in is consulted
 * (Kerberos, Cygwin, PAM, or the platform sys_auth_passwd()).  Every
 * backend result is ANDed with `ok`, so an account that is not valid, or
 * a root login that policy forbids, never authenticates even when the
 * backend itself accepts the password.
 */
int
auth_password(struct ssh *ssh, const char *password)
{
	Authctxt *authctxt = ssh->authctxt;
	struct passwd *pw = authctxt->pw;
	/* `ok` starts as "is this a real account"; policy below may clear it. */
	int result, ok = authctxt->valid;
#if defined(USE_SHADOW) && defined(HAS_SHADOW_EXPIRE)
	/* The shadow expiry check below runs at most once in this process. */
	static int expire_checked = 0;
#endif

	/* Refuse over-long passwords before any backend spends work on them. */
	if (strlen(password) > MAX_PASSWORD_LEN)
		return 0;

#ifndef HAVE_CYGWIN
	/*
	 * Root may only log in with a password when PermitRootLogin is "yes".
	 * This clears `ok` instead of returning, so the backend is still
	 * consulted - presumably so a refused root login behaves like any
	 * other wrong password rather than failing fast; confirm intent.
	 */
	if (pw->pw_uid == 0 && options.permit_root_login != PERMIT_YES)
		ok = 0;
#endif
	/* An empty password is only accepted when PermitEmptyPasswords is on. */
	if (*password == '\0' && options.permit_empty_passwd == 0)
		return 0;

#ifdef KRB5
	if (options.kerberos_authentication == 1) {
		int ret = auth_krb5_password(authctxt, password);
		/*
		 * 1 or 0 is a definitive verdict.  Any other value means
		 * Kerberos could not decide and the remaining backends run.
		 */
		if (ret == 1 || ret == 0)
			return ret && ok;

	}
#endif
#ifdef HAVE_CYGWIN
	{
		/* Cygwin: a failed logon yields INVALID_HANDLE_VALUE; on success
		 * the token is installed for impersonation and `ok` decides. */
		HANDLE hToken = cygwin_logon_user(pw, password);

		if (hToken == INVALID_HANDLE_VALUE)
			return 0;
		cygwin_set_impersonation_token(hToken);
		return ok;
	}
#endif
#ifdef USE_PAM
	/* With UsePAM the PAM stack is the sole password backend. */
	if (options.use_pam)
		return (sshpam_auth_passwd(authctxt, password) && ok);
#endif
#if defined(USE_SHADOW) && defined(HAS_SHADOW_EXPIRE)
	/* Once per process: an expired shadow entry forces a password change. */
	if (!expire_checked) {
		expire_checked = 1;
		if (auth_shadow_pwexpired(authctxt))
			authctxt->force_pwchange = 1;
	}
#endif
	result = sys_auth_passwd(ssh, password);
	/*
	 * An expired password still authenticates, but the session is
	 * restricted (presumably to a password-change-only session - see
	 * auth_restrict_session()).
	 */
	if (authctxt->force_pwchange)
		auth_restrict_session(ssh);
	return (result && ok);
}
130 | | - |
131 | #ifdef BSD_AUTH | - |
/* Whole days remaining in `secs`, with any partial day counted as one. */
static quad_t
expiry_days(quad_t secs)
{
	return secs / DAY + 1;
}

/*
 * Append login-banner warnings when the password or the account is close
 * to expiring.  Both thresholds default to TWO_WEEKS and, when login.conf
 * support is compiled in, a valid account's login class may override them
 * via "password-warn" and "expire-warn".  A zero time-left is not warned
 * about.  A buffer error while appending is fatal.
 */
static void
warn_expiry(Authctxt *authctxt, auth_session_t *as)
{
	int r;
	quad_t warn_pw = TWO_WEEKS, warn_ac = TWO_WEEKS;
	quad_t left_pw = auth_check_change(as);
	quad_t left_ac = auth_check_expire(as);

#ifdef HAVE_LOGIN_CAP
	/* Only a real account has a login class whose thresholds apply. */
	if (authctxt->valid) {
		warn_pw = login_getcaptime(lc, "password-warn", TWO_WEEKS,
		    TWO_WEEKS);
		warn_ac = login_getcaptime(lc, "expire-warn", TWO_WEEKS,
		    TWO_WEEKS);
	}
#endif
	if (left_pw != 0 && left_pw < warn_pw) {
		quad_t days = expiry_days(left_pw);
		const char *plural = (days == 1) ? "" : "s";

		r = sshbuf_putf(loginmsg,
		    "Your password will expire in %lld day%s.\n", days, plural);
		if (r != 0)
			fatal("%s: buffer error: %s", __func__, ssh_err(r));
	}
	if (left_ac != 0 && left_ac < warn_ac) {
		quad_t days = expiry_days(left_ac);
		const char *plural = (days == 1) ? "" : "s";

		r = sshbuf_putf(loginmsg,
		    "Your account will expire in %lld day%s.\n", days, plural);
		if (r != 0)
			fatal("%s: buffer error: %s", __func__, ssh_err(r));
	}
}
165 | | - |
/*
 * BSD authentication backend (bsd_auth(3)).  Runs the "auth-ssh" style
 * check for the user with the supplied password.  Returns 1 on success,
 * 0 on failure.  An expired password still authenticates but marks the
 * session for a forced password change.
 */
int
sys_auth_passwd(struct ssh *ssh, const char *password)
{
	Authctxt *authctxt = ssh->authctxt;
	auth_session_t *as;
	/* Expiry warnings are emitted at most once in this process. */
	static int expire_checked = 0;

	/*
	 * The cast drops const to match auth_usercheck()'s prototype; it is
	 * assumed not to modify the password buffer - confirm against the
	 * libc implementation.
	 */
	as = auth_usercheck(authctxt->pw->pw_name, authctxt->style, "auth-ssh",
	    (char *)password);
	if (as == NULL)
		return (0);
	if (auth_getstate(as) & AUTH_PWEXPIRED) {
		/*
		 * Password accepted but expired: close the session, restrict
		 * the SSH session (presumably to a password-change-only
		 * session; see auth_restrict_session()) and flag the change.
		 */
		auth_close(as);
		auth_restrict_session(ssh);
		authctxt->force_pwchange = 1;
		return (1);
	} else {
		if (!expire_checked) {
			expire_checked = 1;
			warn_expiry(authctxt, as);
		}
		/* The result of auth_close() is the verdict handed back. */
		return (auth_close(as));
	}
}
190 | #elif !defined(CUSTOM_SYS_AUTH_PASSWD) | - |
/*
 * Portable crypt(3)-style backend, used when neither BSD auth nor a
 * platform CUSTOM_SYS_AUTH_PASSWD is compiled in.  Hashes the candidate
 * password with the salt embedded in the stored hash and compares the two.
 * Returns 1 on match, 0 otherwise.
 */
int
sys_auth_passwd(struct ssh *ssh, const char *password)
{
	Authctxt *authctxt = ssh->authctxt;
	struct passwd *pw = authctxt->pw;
	char *encrypted_password, *salt = NULL;

	/*
	 * Only a valid account has its real (shadow) hash looked up; for an
	 * invalid one pw->pw_passwd is used as-is - presumably a placeholder
	 * from a fake passwd entry so the hashing work below still happens
	 * for unknown users; confirm where `pw` comes from in that case.
	 */
	char *pw_password = authctxt->valid ? shadow_pw(pw) : pw->pw_passwd;

	/*
	 * Empty stored hash and empty candidate: accept.  Whether empty
	 * passwords are permitted at all was already decided by
	 * auth_password() (PermitEmptyPasswords) before this is reached.
	 */
	if (strcmp(pw_password, "") == 0 && strcmp(password, "") == 0)
		return (1);

	/*
	 * Use the stored hash as the salt only for a valid account whose
	 * hash field is at least two characters long (the size of a classic
	 * crypt salt).  Otherwise `salt` stays NULL and xcrypt() picks one.
	 * The [1] read is safe because [0] is checked first.
	 */
	if (authctxt->valid && pw_password[0] && pw_password[1])
		salt = pw_password;
	encrypted_password = xcrypt(password, salt);

	/*
	 * Accept iff the hashes are identical.  A NULL from xcrypt() is a
	 * rejection, never dereferenced.
	 * NOTE(review): strcmp() is not constant-time; a fixed-time compare
	 * would be the conservative choice here - confirm whether upstream
	 * considers this acceptable for a hash-vs-hash comparison.
	 */
	return encrypted_password != NULL &&
	    strcmp(encrypted_password, pw_password) == 0;
}
220 | #endif | - |