diff --git a/ChangeLog b/ChangeLog index 15b7a3540..108ba4d50 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,7 @@ +20020404 + - (stevesk) [auth-pam.c auth-pam.h auth-passwd.c auth-sia.c auth-sia.h + auth1.c auth2.c] PAM, OSF_SIA password auth cleanup; from djm. + 20020402 - (bal) Hand Sync of scp.c (reverted to upstream code) - deraadt@cvs.openbsd.org 2002/03/30 17:45:46 @@ -8147,4 +8151,4 @@ - Wrote replacements for strlcpy and mkdtemp - Released 1.0pre1 -$Id: ChangeLog,v 1.2020 2002/04/03 03:36:54 mouring Exp $ +$Id: ChangeLog,v 1.2021 2002/04/04 19:02:28 stevesk Exp $ diff --git a/auth-pam.c b/auth-pam.c index d97d981c4..daa83c72a 100644 --- a/auth-pam.c +++ b/auth-pam.c @@ -28,6 +28,7 @@ #include "ssh.h" #include "xmalloc.h" #include "log.h" +#include "auth.h" #include "auth-pam.h" #include "servconf.h" #include "canohost.h" @@ -35,7 +36,7 @@ extern char *__progname; -RCSID("$Id: auth-pam.c,v 1.42 2002/02/05 01:40:47 djm Exp $"); +RCSID("$Id: auth-pam.c,v 1.43 2002/04/04 19:02:28 stevesk Exp $"); #define NEW_AUTHTOK_MSG \ "Warning: Your password has expired, please change it now" @@ -199,10 +200,11 @@ void do_pam_cleanup_proc(void *context) } /* Attempt password authentation using PAM */ -int auth_pam_password(struct passwd *pw, const char *password) +int auth_pam_password(Authctxt *authctxt, const char *password) { extern ServerOptions options; int pam_retval; + struct passwd *pw = authctxt->pw; do_pam_set_conv(&conv); diff --git a/auth-pam.h b/auth-pam.h index c249b5396..6b1f35add 100644 --- a/auth-pam.h +++ b/auth-pam.h @@ -1,4 +1,4 @@ -/* $Id: auth-pam.h,v 1.11 2001/03/27 06:12:24 djm Exp $ */ +/* $Id: auth-pam.h,v 1.12 2002/04/04 19:02:28 stevesk Exp $ */ #include "includes.h" #ifdef USE_PAM 
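Review bot: In the `@@ -199` hunk of auth-pam.c, `struct passwd *pw = authctxt->pw;` reads through `authctxt` unchecked, and nothing in the hunk shows what happens when `pw` is NULL. The body of auth_pam_password continues outside the hunk, so it may already reject that case. If it does not, a login attempt for an account with no passwd entry would reach the PAM calls with a NULL `pw`. I would extend the comment above the function to state the contract, e.g. `/* Attempt password authentication using PAM; returns 0 if authctxt->pw is NULL */`, and confirm the body matches it.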
@@ -7,7 +7,7 @@ void start_pam(const char *user); void finish_pam(void); -int auth_pam_password(struct passwd *pw, const char *password); +int auth_pam_password(Authctxt *authctxt, const char *password); char **fetch_pam_environment(void); int do_pam_authenticate(int flags); int do_pam_account(char *username, char *remote_user); diff --git a/auth-passwd.c b/auth-passwd.c index 095b9ba27..7f3073839 100644 --- a/auth-passwd.c +++ b/auth-passwd.c 
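Review bot: The new prototype `int auth_pam_password(Authctxt *authctxt, const char *password);` uses `Authctxt`, but the only include visible at the top of auth-pam.h is `includes.h`. auth-pam.c compiles because this commit adds `#include "auth.h"` ahead of `#include "auth-pam.h"`. Unless `includes.h` already declares the type, every other file that includes this header must repeat that ordering. Adding `#include "auth.h"` inside the `#ifdef USE_PAM` block would remove the dependency; the auth-sia.h hunk has the same issue.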
@@ -38,47 +38,47 @@ #include "includes.h" RCSID("$OpenBSD: auth-passwd.c,v 1.24 2002/03/04 12:43:06 markus Exp $"); -#if !defined(USE_PAM) && !defined(HAVE_OSF_SIA) - #include "packet.h" #include "log.h" #include "servconf.h" #include "auth.h" -#ifdef HAVE_CRYPT_H -# include -#endif -#ifdef WITH_AIXAUTHENTICATE -# include -#endif -#ifdef __hpux -# include -# include -#endif -#ifdef HAVE_SCO_PROTECTED_PW -# include -# include -# include -#endif /* HAVE_SCO_PROTECTED_PW */ -#if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW) -# include -#endif -#if defined(HAVE_GETPWANAM) && !defined(DISABLE_SHADOW) -# include -# include -# include -#endif -#if defined(HAVE_MD5_PASSWORDS) && !defined(HAVE_MD5_CRYPT) -# include "md5crypt.h" -#endif /* defined(HAVE_MD5_PASSWORDS) && !defined(HAVE_MD5_CRYPT) */ - -#ifdef HAVE_CYGWIN -#undef ERROR -#include -#include -#define is_winnt (GetVersion() < 0x80000000) -#endif +#if !defined(USE_PAM) && !defined(HAVE_OSF_SIA) +/* Don't need any of these headers for the PAM or SIA cases */ +# ifdef HAVE_CRYPT_H +# include +# endif +# ifdef WITH_AIXAUTHENTICATE +# include +# endif +# ifdef __hpux +# include +# include +# endif +# ifdef HAVE_SCO_PROTECTED_PW +# include +# include +# include +# endif /* HAVE_SCO_PROTECTED_PW */ +# if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW) +# include +# endif +# if defined(HAVE_GETPWANAM) && !defined(DISABLE_SHADOW) +# include +# include +# include +# endif +# if defined(HAVE_MD5_PASSWORDS) && !defined(HAVE_MD5_CRYPT) +# include "md5crypt.h" +# endif /* defined(HAVE_MD5_PASSWORDS) && !defined(HAVE_MD5_CRYPT) */ +# ifdef HAVE_CYGWIN +# undef ERROR +# include +# include +# define is_winnt (GetVersion() < 0x80000000) +# endif +#endif /* !USE_PAM && !HAVE_OSF_SIA */ extern ServerOptions options; 
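Review bot: None of the includes in this block is `auth-pam.h` or `auth-sia.h`, yet the next hunk makes auth_password call auth_pam_password and auth_sia_password. Unless one of the listed headers pulls those prototypes in, both calls are implicitly declared and the compiler cannot check the `Authctxt *` and password arguments. I would add `#include "auth-pam.h"` and `#include "auth-sia.h"` after `#include "auth.h"`. Both headers guard their contents with `#ifdef USE_PAM` / `#ifdef HAVE_OSF_SIA`, so an unconditional include is harmless.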
@@ -89,6 +89,15 @@ extern ServerOptions options; int auth_password(Authctxt *authctxt, const char *password) { +#if defined(USE_PAM) + if (*password == '\0' && options.permit_empty_passwd == 0) + return 0; + return auth_pam_password(authctxt, password); +#elif defined(HAVE_OSF_SIA) + if (*password == '\0' && options.permit_empty_passwd == 0) + return 0; + return auth_sia_password(authctxt, password); +#else struct passwd * pw = authctxt->pw; char *encrypted_password; char *pw_password; @@ -221,5 +230,5 @@ auth_password(Authctxt *authctxt, const char *password) /* Authentication is accepted if the encrypted passwords are identical. */ return (strcmp(encrypted_password, pw_password) == 0); -} #endif /* !USE_PAM && !HAVE_OSF_SIA */ +} diff --git a/auth-sia.c b/auth-sia.c index 8585f5d6b..2bace5d47 100644 --- a/auth-sia.c +++ b/auth-sia.c @@ -6,6 +6,7 @@ #include "log.h" #include "servconf.h" #include "canohost.h" +#include "auth.h" #include #include @@ -23,15 +24,16 @@ extern char **saved_argv; extern int errno; int -auth_sia_password(char *user, char *pass) +auth_sia_password(Authctxt *authctxt, char *pass) { int ret; SIAENTITY *ent = NULL; const char *host; + char *user = authctxt->user; host = get_canonical_hostname(options.verify_reverse_mapping); - if (!user || !pass) + if (!user || !pass || pass[0] == '\0') return(0); if (sia_ses_init(&ent, saved_argc, saved_argv, host, user, NULL, 0, diff --git a/auth-sia.h b/auth-sia.h index eaa933322..4ae8d8991 100644 --- a/auth-sia.h +++ b/auth-sia.h @@ -2,7 +2,7 @@ #ifdef HAVE_OSF_SIA -int auth_sia_password(char *user, char *pass); +int auth_sia_password(Authctxt *authctxt, char *pass); void session_setup_sia(char *user, char *tty); #endif /* HAVE_OSF_SIA */ diff --git a/auth1.c b/auth1.c index 89ae47df2..55dbf78fa 100644 --- a/auth1.c +++ b/auth1.c 
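Review bot: The `USE_PAM` and `HAVE_OSF_SIA` branches of auth_password repeat the same two-line empty-password guard and then return, so nothing in the `#else` body (which continues outside this hunk) applies to those builds. A comment should say so, for example `/* PAM and SIA builds: only the empty-password policy is enforced here; all other account checks are the backend's job */`. The duplicated guard could also sit once under `#if defined(USE_PAM) || defined(HAVE_OSF_SIA)` so the two copies cannot drift apart.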
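Review bot: In the auth-sia.c `@@ -23,15 +24,16` hunk, auth_sia_password still declares `char *pass`, but its new caller auth_password passes a `const char *password`, so the call drops the qualifier. The prototype in auth-sia.h has the same mismatch. If the SIA calls further down (outside this hunk) do not need a writable buffer, `auth_sia_password(Authctxt *authctxt, const char *pass)` keeps the types in line. Also, `char *user = authctxt->user;` runs before the `!user || !pass` test, so that test does not protect against a NULL `authctxt`.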
@@ -84,13 +84,7 @@ do_authloop(Authctxt *authctxt) #if defined(KRB4) || defined(KRB5) (!options.kerberos_authentication || options.kerberos_or_local_passwd) && #endif -#ifdef USE_PAM - auth_pam_password(pw, "")) { -#elif defined(HAVE_OSF_SIA) - 0) { -#else PRIVSEP(auth_password(authctxt, ""))) { -#endif auth_log(authctxt, 1, "without authentication", ""); return; } @@ -246,17 +240,8 @@ do_authloop(Authctxt *authctxt) password = packet_get_string(&dlen); packet_check_eom(); -#ifdef USE_PAM - /* Do PAM auth with password */ - authenticated = auth_pam_password(pw, password); -#elif defined(HAVE_OSF_SIA) - /* Do SIA auth with password */ - authenticated = auth_sia_password(authctxt->user, - password); -#else /* !USE_PAM && !HAVE_OSF_SIA */ /* Try authentication with the password. */ authenticated = PRIVSEP(auth_password(authctxt, password)); -#endif /* USE_PAM */ memset(password, 0, strlen(password)); xfree(password); diff --git a/auth2.c b/auth2.c index 3377fde8b..eadaa7135 100644 --- a/auth2.c +++ b/auth2.c @@ -329,13 +329,7 @@ userauth_none(Authctxt *authctxt) if (check_nt_auth(1, authctxt->pw) == 0) return(0); #endif -#ifdef USE_PAM - return auth_pam_password(authctxt->pw, ""); -#elif defined(HAVE_OSF_SIA) - return 0; -#else /* !HAVE_OSF_SIA && !USE_PAM */ return PRIVSEP(auth_password(authctxt, "")); -#endif /* USE_PAM */ } static int @@ -354,13 +348,7 @@ userauth_passwd(Authctxt *authctxt) #ifdef HAVE_CYGWIN check_nt_auth(1, authctxt->pw) && #endif -#ifdef USE_PAM - auth_pam_password(authctxt->pw, password) == 1) -#elif defined(HAVE_OSF_SIA) - auth_sia_password(authctxt->user, password) == 1) -#else /* !USE_PAM && !HAVE_OSF_SIA */ PRIVSEP(auth_password(authctxt, password)) == 1) -#endif /* USE_PAM */ authenticated = 1; memset(password, 0, len); xfree(password);
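Review bot: On `HAVE_OSF_SIA` builds the empty-password attempt in do_authloop (`@@ -84` hunk) used to be a literal `0`, and userauth_none in auth2.c used to `return 0`. Both now depend on the `pass[0] == '\0'` test added to auth_sia_password to stay refused when `options.permit_empty_passwd` is set. That dependency is not visible at either call site. A short comment next to each call, such as `/* SIA: auth_sia_password() always refuses an empty password */`, would keep a later change to auth-sia.c from silently enabling empty-password logins. Both functions continue outside their hunks.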