summaryrefslogtreecommitdiff
path: root/source3/auth
diff options
context:
space:
mode:
authorAndrew Tridgell <tridge@samba.org>1999-12-13 13:27:58 +0000
committerAndrew Tridgell <tridge@samba.org>1999-12-13 13:27:58 +0000
commit3db52feb1f3b2c07ce0b06ad4a7099fa6efe3fc7 (patch)
tree866dd15416c3d8554bb207709f433a87ad0c012d /source3/auth
parentf6276724bafdb6145c0c7b565172d80cb04516ea (diff)
downloadsamba-3db52feb1f3b2c07ce0b06ad4a7099fa6efe3fc7.tar.gz
samba-3db52feb1f3b2c07ce0b06ad4a7099fa6efe3fc7.tar.bz2
samba-3db52feb1f3b2c07ce0b06ad4a7099fa6efe3fc7.zip
first pass at updating head branch to be to be the same as the SAMBA_2_0 branch
(This used to be commit 453a822a76780063dff23526c35408866d0c0154)
Diffstat (limited to 'source3/auth')
-rw-r--r--source3/auth/pass_check.c183
1 files changed, 129 insertions, 54 deletions
diff --git a/source3/auth/pass_check.c b/source3/auth/pass_check.c
index 7effbfef8d..11ce0d754e 100644
--- a/source3/auth/pass_check.c
+++ b/source3/auth/pass_check.c
@@ -32,7 +32,7 @@ static char this_salt[100]="";
static char this_crypted[100]="";
-#ifdef HAVE_PAM
+#ifdef WITH_PAM
/*******************************************************************
check on PAM authentication
********************************************************************/
@@ -136,6 +136,10 @@ static BOOL pam_auth(char *user,char *password)
#ifdef WITH_AFS
+
+#include <afs/stds.h>
+#include <afs/kautils.h>
+
/*******************************************************************
check on AFS authentication
********************************************************************/
@@ -158,6 +162,7 @@ static BOOL afs_auth(char *user,char *password)
&reason) == 0) {
return(True);
}
+ DEBUG(1,("AFS authentication for \"%s\" failed (%s)\n", user, reason));
return(False);
}
#endif
@@ -165,6 +170,9 @@ static BOOL afs_auth(char *user,char *password)
#ifdef WITH_DFS
+#include <dce/dce_error.h>
+#include <dce/sec_login.h>
+
/*****************************************************************
This new version of the DFS_AUTH code was donated by Karsten Muuss
<muuss@or.uni-bonn.de>. It fixes the following problems with the
@@ -195,6 +203,7 @@ static BOOL dfs_auth(char *user,char *password)
sec_passwd_rec_t passwd_rec;
sec_login_auth_src_t auth_src = sec_login_auth_src_network;
unsigned char dce_errstr[dce_c_error_string_len];
+ gid_t egid;
if (dcelogin_atmost_once) return(False);
@@ -322,14 +331,16 @@ static BOOL dfs_auth(char *user,char *password)
* back to being root on error though. JRA.
*/
- if (setregid(-1, pw->pw_gid) != 0) {
+ egid = getegid();
+
+ if (set_effective_gid(pw->pw_gid) != 0) {
DEBUG(0,("Can't set egid to %d (%s)\n",
pw->pw_gid, strerror(errno)));
return False;
}
- if (setreuid(-1, pw->pw_uid) != 0) {
- setgid(0);
+ if (set_effective_uid(pw->pw_uid) != 0) {
+ set_effective_gid(egid);
DEBUG(0,("Can't set euid to %d (%s)\n",
pw->pw_uid, strerror(errno)));
return False;
@@ -340,24 +351,17 @@ static BOOL dfs_auth(char *user,char *password)
&my_dce_sec_context,
&err) == 0) {
dce_error_inq_text(err, dce_errstr, &err2);
- /* Go back to root, JRA. */
- setuid(0);
- setgid(0);
DEBUG(0,("DCE Setup Identity for %s failed: %s\n",
user,dce_errstr));
- return(False);
+ goto err;
}
sec_login_get_pwent(my_dce_sec_context,
(sec_login_passwd_t*)&pw, &err);
if (err != error_status_ok ) {
dce_error_inq_text(err, dce_errstr, &err2);
- /* Go back to root, JRA. */
- setuid(0);
- setgid(0);
DEBUG(0,("DCE can't get pwent. %s\n", dce_errstr));
-
- return(False);
+ goto err;
}
passwd_rec.version_number = sec_passwd_c_version_none;
@@ -370,24 +374,16 @@ static BOOL dfs_auth(char *user,char *password)
&auth_src, &err);
if (err != error_status_ok ) {
dce_error_inq_text(err, dce_errstr, &err2);
- /* Go back to root, JRA. */
- setuid(0);
- setgid(0);
DEBUG(0,("DCE Identity Validation failed for principal %s: %s\n",
user,dce_errstr));
-
- return(False);
+ goto err;
}
sec_login_certify_identity(my_dce_sec_context, &err);
if (err != error_status_ok) {
dce_error_inq_text(err, dce_errstr, &err2);
- /* Go back to root, JRA. */
- setuid(0);
- setgid(0);
DEBUG(0,("DCE certify identity failed: %s\n", dce_errstr));
-
- return(False);
+ goto err;
}
if (auth_src != sec_login_auth_src_network) {
@@ -401,10 +397,7 @@ static BOOL dfs_auth(char *user,char *password)
user,dce_errstr));
sec_login_purge_context(&my_dce_sec_context, &err);
- /* Go back to root, JRA. */
- setuid(0);
- setgid(0);
- return(False);
+ goto err;
}
sec_login_get_pwent(my_dce_sec_context,
@@ -412,11 +405,7 @@ static BOOL dfs_auth(char *user,char *password)
if (err != error_status_ok) {
dce_error_inq_text(err, dce_errstr, &err2);
DEBUG(0,("DCE can't get pwent. %s\n", dce_errstr));
-
- /* Go back to root, JRA. */
- setuid(0);
- setgid(0);
- return(False);
+ goto err;
}
DEBUG(0,("DCE login succeeded for principal %s on pid %d\n",
@@ -434,21 +423,24 @@ static BOOL dfs_auth(char *user,char *password)
sec_login_get_expiration(my_dce_sec_context, &expire_time, &err);
if (err != error_status_ok) {
dce_error_inq_text(err, dce_errstr, &err2);
- /* Go back to root, JRA. */
- setuid(0);
- setgid(0);
DEBUG(0,("DCE can't get expiration. %s\n", dce_errstr));
-
- return(False);
+ goto err;
}
- setuid(0);
- setgid(0);
+ set_effective_uid(0);
+ set_effective_gid(0);
DEBUG(0,("DCE context expires: %s",asctime(localtime(&expire_time))));
dcelogin_atmost_once = 1;
return (True);
+
+err:
+
+ /* Go back to root, JRA. */
+ set_effective_uid(0);
+ set_effective_gid(egid);
+ return(False);
}
void dfs_unlogin(void)
@@ -467,6 +459,9 @@ void dfs_unlogin(void)
#endif
#ifdef KRB5_AUTH
+
+#include <krb5.h>
+
/*******************************************************************
check on Kerberos authentication
********************************************************************/
@@ -614,6 +609,7 @@ static char *osf1_bigcrypt(char *password,char *salt1)
StrnCpy(salt,salt1,2);
StrnCpy(result,salt1,2);
+ result[2]='\0';
for (i=0; i<parts;i++) {
p1 = crypt(p2,salt);
@@ -680,7 +676,7 @@ core of password checking routine
static BOOL password_check(char *password)
{
-#ifdef HAVE_PAM
+#ifdef WITH_PAM
/* This falls through if the password check fails
- if HAVE_CRYPT is not defined this causes an error msg
saying Warning - no crypt available
@@ -691,23 +687,23 @@ static BOOL password_check(char *password)
Hence we make a direct return to avoid a second chance!!!
*/
return (pam_auth(this_user,password));
-#endif
+#endif /* WITH_PAM */
#ifdef WITH_AFS
if (afs_auth(this_user,password)) return(True);
-#endif
+#endif /* WITH_AFS */
#ifdef WITH_DFS
if (dfs_auth(this_user,password)) return(True);
-#endif
+#endif /* WITH_DFS */
#ifdef KRB5_AUTH
if (krb5_auth(this_user,password)) return(True);
-#endif
+#endif /* KRB5_AUTH */
#ifdef KRB4_AUTH
if (krb4_auth(this_user,password)) return(True);
-#endif
+#endif /* KRB4_AUTH */
#ifdef OSF1_ENH_SEC
{
@@ -718,26 +714,42 @@ static BOOL password_check(char *password)
}
return ret;
}
-#endif
+#endif /* OSF1_ENH_SEC */
#ifdef ULTRIX_AUTH
return (strcmp((char *)crypt16(password, this_salt ),this_crypted) == 0);
-#endif
+#endif /* ULTRIX_AUTH */
#ifdef LINUX_BIGCRYPT
return(linux_bigcrypt(password,this_salt,this_crypted));
-#endif
+#endif /* LINUX_BIGCRYPT */
+
+#if defined(HAVE_BIGCRYPT) && defined(HAVE_CRYPT) && defined(USE_BOTH_CRYPT_CALLS)
+
+ /*
+ * Some systems have bigcrypt in the C library but might not
+ * actually use it for the password hashes (HPUX 10.20) is
+ * a noteable example. So we try bigcrypt first, followed
+ * by crypt.
+ */
+
+ if(strcmp(bigcrypt(password,this_salt),this_crypted) == 0)
+ return True;
+ else
+ return (strcmp((char *)crypt(password,this_salt),this_crypted) == 0);
+#else /* HAVE_BIGCRYPT && HAVE_CRYPT && USE_BOTH_CRYPT_CALLS */
#ifdef HAVE_BIGCRYPT
return(strcmp(bigcrypt(password,this_salt),this_crypted) == 0);
-#endif
+#endif /* HAVE_BIGCRYPT */
#ifndef HAVE_CRYPT
DEBUG(1,("Warning - no crypt available\n"));
return(False);
-#else
+#else /* HAVE_CRYPT */
return(strcmp((char *)crypt(password,this_salt),this_crypted) == 0);
-#endif
+#endif /* HAVE_CRYPT */
+#endif /* HAVE_BIGCRYPT && HAVE_CRYPT && USE_BOTH_CRYPT_CALLS */
}
@@ -753,13 +765,12 @@ BOOL pass_check(char *user,char *password, int pwlen, struct passwd *pwd,
{
pstring pass2;
int level = lp_passwordlevel();
- const struct passwd *pass;
+ struct passwd *pass;
if (password) password[pwlen] = 0;
#if DEBUG_PASSWORD
- DEBUG(100,("checking user=[%s] pass=",user));
- dump_data(100, password, strlen(password));
+ DEBUG(100,("checking user=[%s] pass=[%s]\n",user,password));
#endif
if (!password) {
@@ -785,12 +796,76 @@ BOOL pass_check(char *user,char *password, int pwlen, struct passwd *pwd,
return(False);
}
+#ifdef HAVE_GETSPNAM
+ {
+ struct spwd *spass;
+
+ /* many shadow systems require you to be root to get
+ the password, in most cases this should already be
+ the case when this function is called, except
+ perhaps for IPC password changing requests */
+
+ spass = getspnam(pass->pw_name);
+ if (spass && spass->sp_pwdp) {
+ pstrcpy(pass->pw_passwd,spass->sp_pwdp);
+ }
+ }
+#elif defined(IA_UINFO)
+ {
+ /* Need to get password with SVR4.2's ia_ functions
+ instead of get{sp,pw}ent functions. Required by
+ UnixWare 2.x, tested on version
+ 2.1. (tangent@cyberport.com) */
+ uinfo_t uinfo;
+ if (ia_openinfo(pass->pw_name, &uinfo) != -1) {
+ ia_get_logpwd(uinfo, &(pass->pw_passwd));
+ }
+ }
+#endif
+
+#ifdef HAVE_GETPRPWNAM
+ {
+ struct pr_passwd *pr_pw = getprpwnam(pass->pw_name);
+ if (pr_pw && pr_pw->ufld.fd_encrypt)
+ pstrcpy(pass->pw_passwd,pr_pw->ufld.fd_encrypt);
+ }
+#endif
+
+#ifdef OSF1_ENH_SEC
+ {
+ struct pr_passwd *mypasswd;
+ DEBUG(5,("Checking password for user %s in OSF1_ENH_SEC\n",
+ user));
+ mypasswd = getprpwnam (user);
+ if (mypasswd) {
+ fstrcpy(pass->pw_name,mypasswd->ufld.fd_name);
+ fstrcpy(pass->pw_passwd,mypasswd->ufld.fd_encrypt);
+ } else {
+ DEBUG(5,("OSF1_ENH_SEC: No entry for user %s in protected database !\n",
+ user));
+ }
+ }
+#endif
+
+#ifdef ULTRIX_AUTH
+ {
+ AUTHORIZATION *ap = getauthuid(pass->pw_uid);
+ if (ap) {
+ fstrcpy(pass->pw_passwd, ap->a_password);
+ endauthent();
+ }
+ }
+#endif
+
/* extract relevant info */
fstrcpy(this_user,pass->pw_name);
fstrcpy(this_salt,pass->pw_passwd);
+
+#if defined(HAVE_TRUNCATED_SALT)
/* crypt on some platforms (HPUX in particular)
won't work with more than 2 salt characters. */
this_salt[2] = 0;
+#endif
fstrcpy(this_crypted,pass->pw_passwd);