- (stevesk) [auth-pam.c auth-pam.h auth-passwd.c auth-sia.c auth-sia.h

auth1.c auth2.c] PAM, OSF_SIA password auth cleanup; from djm.

ChangeLog

@@ -1,3 +1,7 @@
+20020404
+ - (stevesk) [auth-pam.c auth-pam.h auth-passwd.c auth-sia.c auth-sia.h
+    auth1.c auth2.c] PAM, OSF_SIA password auth cleanup; from djm.
+
 20020402
  - (bal) Hand Sync of scp.c (reverted to upstream code)
    - deraadt@cvs.openbsd.org 2002/03/30 17:45:46
@@ -8147,4 +8151,4 @@
  - Wrote replacements for strlcpy and mkdtemp
  - Released 1.0pre1
 
-$Id: ChangeLog,v 1.2020 2002/04/03 03:36:54 mouring Exp $
+$Id: ChangeLog,v 1.2021 2002/04/04 19:02:28 stevesk Exp $

auth-pam.c

@@ -28,6 +28,7 @@
 #include "ssh.h"
 #include "xmalloc.h"
 #include "log.h"
+#include "auth.h"
 #include "auth-pam.h"
 #include "servconf.h"
 #include "canohost.h"
@@ -35,7 +36,7 @@
 
 extern char *__progname;
 
-RCSID("$Id: auth-pam.c,v 1.42 2002/02/05 01:40:47 djm Exp $");
+RCSID("$Id: auth-pam.c,v 1.43 2002/04/04 19:02:28 stevesk Exp $");
 
 #define NEW_AUTHTOK_MSG \
 	"Warning: Your password has expired, please change it now"
@@ -199,10 +200,11 @@ void do_pam_cleanup_proc(void *context)
 }
 
 /* Attempt password authentation using PAM */
-int auth_pam_password(struct passwd *pw, const char *password)
+int auth_pam_password(Authctxt *authctxt, const char *password)
 {
 	extern ServerOptions options;
 	int pam_retval;
+	struct passwd *pw = authctxt->pw;
 
 	do_pam_set_conv(&conv);
 

auth-pam.h

@@ -1,4 +1,4 @@
-/* $Id: auth-pam.h,v 1.11 2001/03/27 06:12:24 djm Exp $ */
+/* $Id: auth-pam.h,v 1.12 2002/04/04 19:02:28 stevesk Exp $ */
 
 #include "includes.h"
 #ifdef USE_PAM
@@ -7,7 +7,7 @@
 
 void start_pam(const char *user);
 void finish_pam(void);
-int auth_pam_password(struct passwd *pw, const char *password);
+int auth_pam_password(Authctxt *authctxt, const char *password);
 char **fetch_pam_environment(void);
 int do_pam_authenticate(int flags);
 int do_pam_account(char *username, char *remote_user);

auth-passwd.c

@@ -38,47 +38,47 @@
 #include "includes.h"
 RCSID("$OpenBSD: auth-passwd.c,v 1.24 2002/03/04 12:43:06 markus Exp $");
 
-#if !defined(USE_PAM) && !defined(HAVE_OSF_SIA)
-
 #include "packet.h"
 #include "log.h"
 #include "servconf.h"
 #include "auth.h"
 
-#ifdef HAVE_CRYPT_H
-# include <crypt.h>
-#endif
-#ifdef WITH_AIXAUTHENTICATE
-# include <login.h>
-#endif
-#ifdef __hpux
-# include <hpsecurity.h>
-# include <prot.h>
-#endif
-#ifdef HAVE_SCO_PROTECTED_PW
-# include <sys/security.h>
-# include <sys/audit.h>
-# include <prot.h>
-#endif /* HAVE_SCO_PROTECTED_PW */
-#if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW)
-# include <shadow.h>
-#endif
-#if defined(HAVE_GETPWANAM) && !defined(DISABLE_SHADOW)
-# include <sys/label.h>
-# include <sys/audit.h>
-# include <pwdadj.h>
-#endif
-#if defined(HAVE_MD5_PASSWORDS) && !defined(HAVE_MD5_CRYPT)
-# include "md5crypt.h"
-#endif /* defined(HAVE_MD5_PASSWORDS) && !defined(HAVE_MD5_CRYPT) */
-
-#ifdef HAVE_CYGWIN
-#undef ERROR
-#include <windows.h>
-#include <sys/cygwin.h>
-#define is_winnt       (GetVersion() < 0x80000000)
-#endif
+#if !defined(USE_PAM) && !defined(HAVE_OSF_SIA)
+/* Don't need any of these headers for the PAM or SIA cases */
+# ifdef HAVE_CRYPT_H
+#  include <crypt.h>
+# endif
+# ifdef WITH_AIXAUTHENTICATE
+#  include <login.h>
+# endif
+# ifdef __hpux
+#  include <hpsecurity.h>
+#  include <prot.h>
+# endif
+# ifdef HAVE_SCO_PROTECTED_PW
+#  include <sys/security.h>
+#  include <sys/audit.h>
+#  include <prot.h>
+# endif /* HAVE_SCO_PROTECTED_PW */
+# if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW)
+#  include <shadow.h>
+# endif
+# if defined(HAVE_GETPWANAM) && !defined(DISABLE_SHADOW)
+#  include <sys/label.h>
+#  include <sys/audit.h>
+#  include <pwdadj.h>
+# endif
+# if defined(HAVE_MD5_PASSWORDS) && !defined(HAVE_MD5_CRYPT)
+#  include "md5crypt.h"
+# endif /* defined(HAVE_MD5_PASSWORDS) && !defined(HAVE_MD5_CRYPT) */
 
+# ifdef HAVE_CYGWIN
+#  undef ERROR
+#  include <windows.h>
+#  include <sys/cygwin.h>
+#  define is_winnt       (GetVersion() < 0x80000000)
+# endif
+#endif /* !USE_PAM && !HAVE_OSF_SIA */
 
 extern ServerOptions options;
 
@@ -89,6 +89,15 @@ extern ServerOptions options;
 int
 auth_password(Authctxt *authctxt, const char *password)
 {
+#if defined(USE_PAM)
+	if (*password == '\0' && options.permit_empty_passwd == 0)
+		return 0;
+	return auth_pam_password(authctxt, password);
+#elif defined(HAVE_OSF_SIA)
+	if (*password == '\0' && options.permit_empty_passwd == 0)
+		return 0;
+	return auth_sia_password(authctxt, password);
+#else
 	struct passwd * pw = authctxt->pw;
 	char *encrypted_password;
 	char *pw_password;
@@ -221,5 +230,5 @@ auth_password(Authctxt *authctxt, const char *password)
 
 	/* Authentication is accepted if the encrypted passwords are identical. */
 	return (strcmp(encrypted_password, pw_password) == 0);
-}
 #endif /* !USE_PAM && !HAVE_OSF_SIA */
+}

auth-sia.c

@@ -6,6 +6,7 @@
 #include "log.h"
 #include "servconf.h"
 #include "canohost.h"
+#include "auth.h"
 
 #include <sia.h>
 #include <siad.h>
@@ -23,15 +24,16 @@ extern char **saved_argv;
 extern int errno;
 
 int
-auth_sia_password(char *user, char *pass)
+auth_sia_password(Authctxt *authctxt, char *pass)
 {
 	int ret;
 	SIAENTITY *ent = NULL;
 	const char *host;
+	char *user = authctxt->user;
 
 	host = get_canonical_hostname(options.verify_reverse_mapping);
 
-	if (!user || !pass)
+	if (!user || !pass || pass[0] == '\0')
 		return(0);
 
 	if (sia_ses_init(&ent, saved_argc, saved_argv, host, user, NULL, 0,

auth-sia.h

@@ -2,7 +2,7 @@
 
 #ifdef HAVE_OSF_SIA
 
-int	auth_sia_password(char *user, char *pass);
+int	auth_sia_password(Authctxt *authctxt, char *pass);
 void	session_setup_sia(char *user, char *tty);
 
 #endif /* HAVE_OSF_SIA */

auth1.c

@@ -84,13 +84,7 @@ do_authloop(Authctxt *authctxt)
 #if defined(KRB4) || defined(KRB5)
 	    (!options.kerberos_authentication || options.kerberos_or_local_passwd) &&
 #endif
-#ifdef USE_PAM
-	    auth_pam_password(pw, "")) {
-#elif defined(HAVE_OSF_SIA)
-	    0) {
-#else
 	    PRIVSEP(auth_password(authctxt, ""))) {
-#endif
 		auth_log(authctxt, 1, "without authentication", "");
 		return;
 	}
@@ -246,17 +240,8 @@ do_authloop(Authctxt *authctxt)
 			password = packet_get_string(&dlen);
 			packet_check_eom();
 
-#ifdef USE_PAM
-			/* Do PAM auth with password */
-			authenticated = auth_pam_password(pw, password);
-#elif defined(HAVE_OSF_SIA)
-			/* Do SIA auth with password */
-			authenticated = auth_sia_password(authctxt->user, 
-			    password);
-#else /* !USE_PAM && !HAVE_OSF_SIA */
 			/* Try authentication with the password. */
 			authenticated = PRIVSEP(auth_password(authctxt, password));
-#endif /* USE_PAM */
 
 			memset(password, 0, strlen(password));
 			xfree(password);

auth2.c

@@ -329,13 +329,7 @@ userauth_none(Authctxt *authctxt)
 	if (check_nt_auth(1, authctxt->pw) == 0)
 		return(0);
 #endif
-#ifdef USE_PAM
-	return auth_pam_password(authctxt->pw, "");
-#elif defined(HAVE_OSF_SIA)
-	return 0;
-#else /* !HAVE_OSF_SIA && !USE_PAM */
 	return PRIVSEP(auth_password(authctxt, ""));
-#endif /* USE_PAM */
 }
 
 static int
@@ -354,13 +348,7 @@ userauth_passwd(Authctxt *authctxt)
 #ifdef HAVE_CYGWIN
 	    check_nt_auth(1, authctxt->pw) &&
 #endif
-#ifdef USE_PAM
-	    auth_pam_password(authctxt->pw, password) == 1)
-#elif defined(HAVE_OSF_SIA)
-	    auth_sia_password(authctxt->user, password) == 1)
-#else /* !USE_PAM && !HAVE_OSF_SIA */
 	    PRIVSEP(auth_password(authctxt, password)) == 1)
-#endif /* USE_PAM */
 		authenticated = 1;
 	memset(password, 0, len);
 	xfree(password);