This is my 'Authentication Rewrite' version 1.01, mostly as submitted to

samba-technical a few weeks ago.

The idea here is to standardize the checking of user names and passwords,
thereby ensuring that all authtentications pass the same standards.  The
interface currently implemented in as

nt_status = check_password(user_info, server_info)

where user_info contains (mostly) the authentication data, and server_info
contains things like the user-id they got, and their resolved user name.

The current ugliness with the way the structures are created will be killed
the next revision, when they will be created and malloced by creator functions.

This patch also includes the first implementation of NTLMv2 in HEAD, but which
needs some more testing.  We also add a hack to allow plaintext passwords to be
compared with smbpasswd, not the system password database.

Finally, this patch probably reintroduces the PAM accounts bug we had in
2.2.0, I'll fix that once this hits the tree.  (I've just finished testing
it on a wide variety of platforms, so I want to get this patch in).
(This used to be commit b30b6202f31d339b48d51c0d38174cafd1cfcd42)

1 files changed, 165 insertions, 0 deletions

diff --git a/source3/auth/auth_rhosts.c b/source3/auth/auth_rhosts.c
new file mode 100644
index 0000000000..c1bee6247c
--- /dev/null
+++ b/source3/auth/auth_rhosts.c
@@ -0,0 +1,165 @@
+/* 
+   Unix SMB/Netbios implementation.
+   Version 1.9.
+   Main SMB reply routines
+   Copyright (C) Andrew Tridgell 1992-1998
+   
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 2 of the License, or
+   (at your option) any later version.
+   
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+   
+   You should have received a copy of the GNU General Public License
+   along with this program; if not, write to the Free Software
+   Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+*/
+
+#include "includes.h"
+
+extern int DEBUGLEVEL;
+
+
+/****************************************************************************
+ Read the a hosts.equiv or .rhosts file and check if it
+ allows this user from this machine.
+****************************************************************************/
+
+static BOOL check_user_equiv(char *user, char *remote, char *equiv_file)
+{
+  int plus_allowed = 1;
+  char *file_host;
+  char *file_user;
+  char **lines = file_lines_load(equiv_file, NULL);
+  int i;
+
+  DEBUG(5, ("check_user_equiv %s %s %s\n", user, remote, equiv_file));
+  if (! lines) return False;
+  for (i=0; lines[i]; i++) {
+    char *buf = lines[i];
+    trim_string(buf," "," ");
+
+    if (buf[0] != '#' && buf[0] != '\n') 
+    {
+      BOOL is_group = False;
+      int plus = 1;
+      char *bp = buf;
+      if (strcmp(buf, "NO_PLUS\n") == 0)
+      {
+	DEBUG(6, ("check_user_equiv NO_PLUS\n"));
+	plus_allowed = 0;
+      }
+      else {
+	if (buf[0] == '+') 
+	{
+	  bp++;
+	  if (*bp == '\n' && plus_allowed) 
+	  {
+	    /* a bare plus means everbody allowed */
+	    DEBUG(6, ("check_user_equiv everybody allowed\n"));
+	    file_lines_free(lines);
+	    return True;
+	  }
+	}
+	else if (buf[0] == '-')
+	{
+	  bp++;
+	  plus = 0;
+	}
+	if (*bp == '@') 
+	{
+	  is_group = True;
+	  bp++;
+	}
+	file_host = strtok(bp, " \t\n");
+	file_user = strtok(NULL, " \t\n");
+	DEBUG(7, ("check_user_equiv %s %s\n", file_host ? file_host : "(null)", 
+                 file_user ? file_user : "(null)" ));
+	if (file_host && *file_host) 
+	{
+	  BOOL host_ok = False;
+
+#if defined(HAVE_NETGROUP) && defined(HAVE_YP_GET_DEFAULT_DOMAIN)
+	  if (is_group)
+	    {
+	      static char *mydomain = NULL;
+	      if (!mydomain)
+		yp_get_default_domain(&mydomain);
+	      if (mydomain && innetgr(file_host,remote,user,mydomain))
+		host_ok = True;
+	    }
+#else
+	  if (is_group)
+	    {
+	      DEBUG(1,("Netgroups not configured\n"));
+	      continue;
+	    }
+#endif
+
+	  /* is it this host */
+	  /* the fact that remote has come from a call of gethostbyaddr
+	   * means that it may have the fully qualified domain name
+	   * so we could look up the file version to get it into
+	   * a canonical form, but I would rather just type it
+	   * in full in the equiv file
+	   */
+	  if (!host_ok && !is_group && strequal(remote, file_host))
+	    host_ok = True;
+
+	  if (!host_ok)
+	    continue;
+
+	  /* is it this user */
+	  if (file_user == 0 || strequal(user, file_user)) 
+	    {
+	      DEBUG(5, ("check_user_equiv matched %s%s %s\n",
+			(plus ? "+" : "-"), file_host,
+			(file_user ? file_user : "")));
+	      file_lines_free(lines);
+	      return (plus ? True : False);
+	    }
+	}
+      }
+    }
+  }
+  file_lines_free(lines);
+  return False;
+}
+
+
+/****************************************************************************
+check for a possible hosts equiv or rhosts entry for the user
+****************************************************************************/
+BOOL check_hosts_equiv(char *user)
+{
+  char *fname = NULL;
+  pstring rhostsfile;
+  struct passwd *pass = Get_Pwnam(user,True);
+
+  if (!pass) 
+    return(False);
+
+  fname = lp_hosts_equiv();
+
+  /* note: don't allow hosts.equiv on root */
+  if (fname && *fname && (pass->pw_uid != 0)) {
+	  if (check_user_equiv(user,client_name(),fname))
+		  return(True);
+  }
+  
+  if (lp_use_rhosts())
+    {
+      char *home = get_user_home_dir(user);
+      if (home) {
+	      slprintf(rhostsfile, sizeof(rhostsfile)-1, "%s/.rhosts", home);
+	      if (check_user_equiv(user,client_name(),rhostsfile))
+		      return(True);
+      }
+    }
+
+  return(False);
+}