12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788899091929394959697989910010110210310410510610710810911011111211311411511611711811912012112212312412512612712812913013113213313413513613713813914014114214314414514614714814915015115215315415515615715815916016116216316416516616716816917017117217317417517617717817918018118218318418518618718818919019119219319419519619719819920020120220320420520620720820921021121221321421521621721821922022122222322422522622722822923023123223323423523623723823924024124224324424524624724824925025125225325425525625725825926026126226326426526626726826927027127227327427527627727827928028128228328428528628728828929029129229329429529629729829930030130230330430530630730830931031131231331431531631731831932032132232332432532632732832933033133233333433533633733833934034134234334434534634734834935035135235335435535635735835936036136236336436536636736836937037137237337437537637737837938038138238338438538638738838939039139239339439539639739839940040140240340440540640740840941041141241341441541641741841942042142242342442542642742842943043143243343443543643743843944044144244344444544644744844945045145245345445545645745845946046146246346446546646746846947047147247347447547647747847948048148248348448548648748848949049149249349449549649749849950050150250350450550650750850951051151251351451551651751851952052152252352452552652752852953053153253353453553653753853954054154254354454554654754854955055155255355455555655755855956056156256356456556656756856957057157257357457557657757857958058158258358458558658758858959059159259359459559659759859960060160260360460560660760860961061161261361461561661761861962062162262362462562662762862963063163263363463563663763863964064164264364464564664764864965065165265365465565665765865966066166266366466566666766866967067167267367467567667767867968068168268368468568668768868969069169269369469569669769869970070170270
3704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876877878879880881882883884885886887888889890891892893894895896897898899900901902903904905906907908909910911912913914915916917918919920921922923924925926927928929930931932933934935936937938939940941942943944945946947948949950951952953954955956957958959960961962963964965966967968969970971972973974975976977978979980981982983984985986987988989990991992993994995996997998999100010011002100310041005100610071008100910101011101210131014101510161017101810191020102110221023102410251026102710281029103010311032103310341035103610371038103910401041104210431044104510461047104810491050105110521053105410551056105710581059106010611062106310641065106610671068106910701071107210731074107510761077107810791080108110821083108410851086108710881089109010911092109310941095109610971098109911001101110211031104110511061107110811091110111111121113 |
- /*
- * CDE - Common Desktop Environment
- *
- * Copyright (c) 1993-2012, The Open Group. All rights reserved.
- *
- * These libraries and programs are free software; you can
- * redistribute them and/or modify them under the terms of the GNU
- * Lesser General Public License as published by the Free Software
- * Foundation; either version 2 of the License, or (at your option)
- * any later version.
- *
- * These libraries and programs are distributed in the hope that
- * they will be useful, but WITHOUT ANY WARRANTY; without even the
- * implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
- * PURPOSE. See the GNU Lesser General Public License for more
- * details.
- *
- * You should have received a copy of the GNU Lesser General Public
- * License along with these libraries and programs; if not, write
- * to the Free Software Foundation, Inc., 51 Franklin Street, Fifth
- * Floor, Boston, MA 02110-1301 USA
- */
- /* $XConsortium: sysauth.c /main/7 1996/10/30 11:12:45 drk $ */
- /* *
- * (c) Copyright 1993, 1994 Hewlett-Packard Company *
- * (c) Copyright 1993, 1994 International Business Machines Corp. *
- * (c) Copyright 1993, 1994 Sun Microsystems, Inc. *
- * (c) Copyright 1993, 1994 Novell, Inc. *
- */
- /************************************<+>*************************************
- ****************************************************************************
- **
- ** File: sysauth.c
- **
- ** Project: DT
- **
- ** Description: Dtgreet user authentication routines
- **
- ** These routines validate the user; checking name, password,
- ** number of users on the system, password aging, etc.
- **
- **
- ** (c) Copyright 1987, 1988, 1989 by Hewlett-Packard Company
- **
- **
- ** Conditional compiles for HPUX:
- **
- ** OSMAJORVERSION < 8
- ** HP-UX 7.0/7.03 restricted license counting algorithms
- ** are used. Otherwise HP-UX 8.0 and beyond is used
- **
- ** AUDIT HP C2 security enhancements; checks for existence of
- ** SECUREPASSWD file and authenticates user against
- ** password contained in that file. Also performs
- ** self-auditing of login actions. Incompatible with
- ** #ifdef SecureWare
- **
- ** __AFS AFS 3 authentication mechanism
- ** __KERBEROS Kerberos authentication mechanism
- ** __PASSWD_ETC Domain/OS Registry from HP-UX authentication mechanism
- **
- ** Platform identification:
- **
- ** sun SUN OS only
- ** SVR4 SUN OS et al.
- ** _AIX AIX only
- ** _POWER AIX version 4 only
- **
- ****************************************************************************
- ************************************<+>*************************************/
- /***************************************************************************
- *
- * Includes & Defines
- *
- ***************************************************************************/
- #include <stdio.h>
- #include <fcntl.h>
- #include <stdlib.h>
- #include <pwd.h>
- #if defined(PAM) || defined(HAS_PAM_LIBRARY)
- #include <security/pam_appl.h>
- #include "pam_svc.h"
- #endif
- #ifdef _AIX
- #include <usersec.h>
- #include <login.h>
- #include <sys/access.h>
- #include <sys/sem.h>
- #include <sys/stat.h>
- #include <sys/ipc.h>
- #include <sys/audit.h>
- #endif
- /* necessary for bzero */
- #ifdef SVR4
- #include <X11/Xfuncs.h>
- #if defined(sun)
- #include <shadow.h>
- #endif
- #endif
- #include "dm.h"
- #include "vg.h"
- #include "vgmsg.h"
- #include "sysauth.h"
- /*
- * Define as generic those without platform specific code.
- */
- #if !(defined(_AIX) || defined(sun) || \
- defined(HAS_PAM_LIBRARY))
- #define generic
- #endif
- #if defined(__linux__)
- # include <shadow.h>
- #endif
- #if defined(sun) || defined(HAS_PAM_LIBRARY)
- /***************************************************************************
- *
- * Start authentication routines (SUN)
- *
- ***************************************************************************/
- #include "solaris.h"
- #ifdef SUNAUTH
- #include <security/ia_appl.h>
- #endif
- /***************************************************************************
- *
- * Procedure declarations (SUN)
- *
- ***************************************************************************/
- static void Audit( struct passwd *p, char *msg, int errnum) ;
- /***************************************************************************
- *
- * Audit (SUN)
- *
- ***************************************************************************/
- static void
- Audit( struct passwd *p, char *msg, int errnum )
- {
- /*
- * make sure program is back to super-user...
- */
- seteuid(0);
- Debug("Audit: %s\n", msg);
- return;
- }
- /***************************************************************************
- *
- * Authenticate (SUN)
- *
- * verify the user
- *
- * return codes indicate authentication results.
- ***************************************************************************/
- int
- Authenticate( struct display *d, char *name, char *passwd, char **msg )
- {
- int status;
- char* ttyLine = d->gettyLine;
- /*
- * Nothing to do if no name provided.
- */
- if (!name) {
- return(VF_INVALID);
- }
- /*
- * Construct device line
- */
- #ifdef DEF_NETWORK_DEV
- /*
- * If location is not local (remote XDMCP dtlogin) and
- * remote accouting is enabled (networkDev start with /dev/...)
- * Set tty line name to match network device for accouting.
- * Unless the resource was specifically set, default is value
- * of DEF_NETWORK_DEV define (/dev/dtremote)
- */
- if ( d->displayType.location != Local &&
- networkDev && !strncmp(networkDev,"/dev/",5)) {
- ttyLine = networkDev+5;
- }
- #endif
- /*
- * Authenticate user and return status
- */
- #if defined(PAM) || defined(HAS_PAM_LIBRARY)
- status =
- #ifdef PAM
- PamAuthenticate
- #else
- _DtAuthentication
- #endif
- ("dtlogin", d->name, passwd, name, ttyLine);
- switch(status) {
- case PAM_SUCCESS:
- return(VF_OK);
- case PAM_NEW_AUTHTOK_REQD:
- return(VF_PASSWD_AGED);
- default:
- return(passwd ? VF_INVALID : VF_CHALLENGE);
- }
- #else
- status = solaris_authenticate("dtlogin", d->name, passwd, name, ttyLine);
- switch(status) {
- case IA_SUCCESS:
- return(VF_OK);
- case IA_NEWTOK_REQD:
- return(VF_PASSWD_AGED);
- default:
- return(passwd ? VF_INVALID : VF_CHALLENGE);
- }
- #endif /* !PAM */
- }
- /***************************************************************************
- *
- * End authentication routines (SUN)
- *
- ***************************************************************************/
- #endif /* sun */
- /***************************************************************************
- ***************************************************************************
- ***************************************************************************
- ***************************************************************************
- ***************************************************************************/
- #ifdef _AIX
- /***************************************************************************
- *
- * GetLoginInfo
- *
- * get the information from the display about local/remote login and
- * create a dummy tty name for loginrestrictions.
- *
- ***************************************************************************/
- void
- GetLoginInfo(struct display *d, int *loginType, char *ttyName, char **hostname)
- {
- char workarea[128];
- CleanUpName(d->name, workarea, 128);
- sprintf(ttyName, "/dev/dtlogin/%s", workarea);
- if (d->displayType.location == Foreign) {
- *loginType = S_RLOGIN;
- *hostname = d->name;
- Debug("Login Info - Remote user on tty=%s.\n", ttyName);
- } else {
- *loginType = S_LOGIN;
- *hostname = NULL;
- Debug("Login Info - Local user on tty=%s.\n", ttyName);
- }
- }
- #ifdef _POWER
- /***************************************************************************
- *
- * Authenticate (AIX version 4.1)
- *
- * verify the user
- *
- * return codes indicate authentication results.
- ***************************************************************************/
- Authenticate( struct display *d, char *name, char *passwd, char **msg )
- {
- int arc;
- int rc;
- int reenter;
- static int unknown;
- static char *msgpending;
- int loginType;
- char tty[128];
- char *hostname;
- GetLoginInfo(d, &loginType, tty, &hostname);
- if (name == NULL)
- {
- unknown = 0;
- }
- if (unknown)
- {
- /*
- * No more challenges. User failed login.
- */
- unknown = 0;
- loginfailed(name, hostname, tty);
- return(VF_INVALID);
- }
- /*
- * Authenticate with response to last challenge.
- */
- rc = authenticate(name, passwd, &reenter, msg);
- if (reenter)
- {
- /*
- * System has presented user with new challenge.
- */
- return(VF_CHALLENGE);
- }
- if (rc && errno == ENOENT)
- {
- /*
- * User is unknown to the system. Simulate a password
- * challenge, but save message for display for next call.
- */
- unknown = 1;
- return(VF_CHALLENGE);
- }
- if (rc)
- {
- /*
- * No more challenges. User failed login.
- */
- loginfailed(name, hostname, tty);
- return(VF_INVALID);
- }
- /*
- * User authenticated. Check login restrictions.
- */
- rc = loginrestrictions(name, loginType, tty, msg);
- if (rc)
- {
- /*
- * Login restrictions disallow login.
- */
- loginfailed(name, hostname, tty);
- return(VF_MESSAGE);
- }
- /*
- * Check password expiration.
- */
- rc = passwdexpired(name, msg);
- if (rc)
- {
- /*
- * Login succeeded, but password expired.
- */
- return(VF_PASSWD_AGED);
- }
- /*
- * Login succeeded.
- */
- loginsuccess(name, hostname, tty, msg);
- return(VF_OK);
- }
- #else /* !_POWER */
- /***************************************************************************
- *
- * Start authentication routines (AIX)
- *
- ***************************************************************************/
- #include <time.h>
- #include <sys/types.h>
- #include <sys/errno.h>
- #include <usersec.h>
- #include <userpw.h>
- #include <userconf.h>
- #include <utmp.h>
- #include <time.h>
- /***************************************************************************
- *
- * External declarations (AIX)
- *
- ***************************************************************************/
- /***************************************************************************
- *
- * Procedure declarations (AIX)
- *
- ***************************************************************************/
- static void Audit( struct passwd *p, char *msg, int errnum) ;
- static int PasswordAged(char *name, struct passwd *pw) ;
- static void WriteBtmp( char *name) ;
- /***************************************************************************
- *
- * Global variables (AIX)
- *
- ***************************************************************************/
- /***************************************************************************
- *
- * Audit (AIX)
- *
- ***************************************************************************/
- static void
- Audit( struct passwd *p, char *msg, int errnum )
- {
- /*
- * make sure program is back to super-user...
- */
- seteuid(0);
- if ( (auditwrite ("USER_Login", AUDIT_OK,
- p->pw_name, strlen (p->pw_name) + 1,
- msg, strlen (msg) + 1, NULL)) == -1 )
- Debug(" Could not do Auditing\n");
- }
- /***************************************************************************
- *
- * WriteBtmp (AIX)
- *
- * log bad login attempts to /etc/security/failedlogin file
- *
- * RK 09.13.93
- ***************************************************************************/
- static void
- WriteBtmp( char *name )
- {
- int fd;
- struct utmp ut;
- if( (fd = open("/etc/security/failedlogin",O_CREAT|O_RDWR,0644)) != -1) {
- bzero(&ut,sizeof(struct utmp));
- if(name)
- strncpy(ut.ut_user, name, sizeof ut.ut_user);
- ut.ut_type = USER_PROCESS;
- ut.ut_pid = getpid();
- ut.ut_time = time((time_t *)0);
- write(fd, (char *)&ut, sizeof(struct utmp));
- close(fd);
- }
- }
- /***************************************************************************
- *
- * PasswordAged (AIX)
- *
- * see if password has aged
- ***************************************************************************/
- #define SECONDS_IN_WEEK 604800L
- static int
- PasswordAged(char *name, struct passwd *pw )
- {
- struct userpw *pupw; /* authentication information from getuserpw() */
- struct userpw upw; /* working authentication information */
- int err; /* return code from getconfattr() */
- ulong maxage; /* maximun age from getconfattr() */
- ulong now; /* time now */
- #ifdef _POWER
- return(FALSE);
- #else /* _POWER */
- /*
- * Determine user password aging criteria. Note that only
- * the 'lastupdate' and 'flags' fields are set by this operation.
- */
- setpwdb(S_READ);
- if ((pupw = getuserpw(name)) != NULL)
- {
- upw.upw_lastupdate = pupw->upw_lastupdate;
- upw.upw_flags = pupw->upw_flags;
- }
- else
- {
- upw.upw_lastupdate = 0;
- upw.upw_flags = 0;
- }
- endpwdb();
- /*
- * Consider password as having not expired if nocheck set.
- */
- if (upw.upw_flags & PW_NOCHECK) return(FALSE);
- /*
- * Get system password aging criteria.
- */
- err = getconfattr (SC_SYS_PASSWD, SC_MAXAGE, (void *)&maxage, SEC_INT);
- if (!err && maxage)
- {
- /*
- * Change from weeks to seconds
- */
- maxage = maxage * SECONDS_IN_WEEK;
- now = time ((long *) 0);
- if ((upw.upw_lastupdate + maxage) >= now)
- {
- /*
- * Password has not expired.
- */
- return(FALSE);
- }
- }
- else
- {
- /*
- * Could not retrieve system password aging info or maxage set to
- * zero. In either case, consider password has having not expired.
- */
- return(FALSE);
- }
- /*
- * We haven't returned by now, so indicate password has expired.
- */
- return(TRUE);
- #endif /* _POWER */
- }
- /***************************************************************************
- * dt_failedlogin (AIX)
- *
- * log failed login in /etc/security/lastlog
- ***************************************************************************/
- struct lastlogin {
- time_t ftime;
- time_t stime;
- int fcount;
- char user[32];
- char *stty;
- char *ftty;
- char *shost;
- char *fhost;
- };
- extern void
- dt_lastlogin ( char * user, struct lastlogin * llogin);
- void
- dt_failedlogin(char *name, char *ttyName, char *hostName)
- {
- struct lastlogin last_login;
- last_login.stime = 0;
- time(&last_login.ftime);
- last_login.ftty = ttyName;
- last_login.fhost = (char *) malloc (MAXHOSTNAMELEN);
- if (hostName == NULL) {
- gethostname (last_login.fhost , MAXHOSTNAMELEN);
- } else {
- strncpy(last_login.fhost, hostName, MAXHOSTNAMELEN);
- last_login.fhost[MAXHOSTNAMELEN -1] = '\0';
- }
- Debug("logging failed lastlogin entry (user=%s)\n",name);
- dt_lastlogin(name, &last_login);
- free(last_login.fhost);
- }
-
- /***************************************************************************
- *
- * Authenticate (AIX)
- *
- * verify the user
- *
- * return codes indicate authentication results.
- ***************************************************************************/
- #define MAXATTEMPTS 3
- struct passwd nouser = {"", "nope"}; /* invalid user password struct */
- int
- Authenticate( struct display *d, char *name, char *passwd, char **msg )
- {
- static int login_attempts = 0; /* # failed authentications */
- struct passwd *p; /* password structure */
- char *crypt();
- char *origpw;
- int loginType;
- char tty[128];
- char *hostname;
- /*
- * Nothing to do if no name provided.
- */
- if (!name)
- return(VF_INVALID);
- /*
- * Save provided password.
- */
- origpw = passwd;
- if (!passwd) passwd = "";
- if(strlen(name) > S_NAMELEN)
- return(VF_INVALID);
- GetLoginInfo(d, &loginType, tty, &hostname);
- p = getpwnam(name);
-
- if (!p || strcmp (crypt (passwd, p->pw_passwd), p->pw_passwd)) {
- WriteBtmp(name);
- if ((++login_attempts % MAXATTEMPTS) == 0 ) {
- if (p == NULL )
- p = &nouser;
- Audit(p, " Failed login (bailout)", 1);
- }
- if (origpw) {
- dt_failedlogin(name, tty, hostname);
- return (VF_INVALID);
- } else
- return(VF_CHALLENGE);
- }
- /* Note: The password should be checked if it is the first time
- the user is logging in or whether the sysadm has changed
- the password for the user. Code should be added here if
- this functionality should be supported. The "upw_flags"
- of the password structure gets set to PW_ADMCHG in this
- case. RK 09.13.93.
- */
- /*
- * check password aging...
- */
- if ( PasswordAged(name,p) ) return(VF_PASSWD_AGED);
- /* Validate for User Account RK 09.13.93 */
- if(ckuseracct(name, loginType, tty) == -1) {
- dt_failedlogin(name, tty, hostname);
- return(VF_INVALID);
- }
- /*
- * validate uid and gid...
- */
- if ((p->pw_gid < 0) ||
- (setgid(p->pw_gid) == -1)) {
- Audit(p, " attempted to login - bad group id", 1);
- return(VF_BAD_GID);
- }
- if ((p->pw_uid < 0)) {
- Audit(p, " attempted to login - bad user id", 1);
- return(VF_BAD_UID);
- }
- /* Check for max number of logins RK 09.13.93 */
- if (tsm_check_login(p->pw_uid) == -1) {
- dt_failedlogin(name, tty, hostname);
- return(VF_INVALID);
- }
- /* Check for /etc/nologin file RK 09.13.93 */
- if ( (access("/etc/nologin",R_OK) == 0) && (p->pw_uid != 0) ) {
- dt_failedlogin(name, tty, hostname);
- return(VF_INVALID);
- }
- /*
- * verify home directory exists...
- */
- if(chdir(p->pw_dir) < 0) {
- Audit(p, " attempted to login - no home directory", 1);
- return(VF_HOME);
- }
- /*
- * verify ok...
- */
- Audit(p, " Successful login", 0);
- return(VF_OK);
- }
- /**************************************************************************
- *
- * tsm_check_login()
- *
- * Checks for max number of logins on the system. If the new user trying to
- * login exceeds the max limit then the user is not allowed to login.
- *
- * RK 09.13.93
- **************************************************************************/
- /**************************************************************************
- *
- * tsm_check_login()
- *
- * Checks for max number of logins on the system. If the new user trying to
- * login exceeds the max limit then the user is not allowed to login.
- *
- * RK 09.13.93
- **************************************************************************/
- int
- tsm_check_login(uid_t uid)
- {
- key_t key;
- char *buffer;
- int semid;
- int fd;
- struct stat stat_buf;
- static struct sembuf sop = { 0, -1, (SEM_UNDO|IPC_NOWAIT) };
- static struct sembuf initsop = { 0, 0, (IPC_NOWAIT) };
- /*
- * The login counter semaphore may not be set yet. See if it exists
- * and try creating it with the correct count if it doesn't. An
- * attempt is made to create the semaphore. Only if that attempt fails
- * is the semaphore set to maxlogins from login.cfg.
- */
- /*
- * Don't Check if the user is already logged. ie running login
- * from a shell
- */
- /*
- * Generate the semaphore key from the init program.
- */
- Debug("Start of maxlogin check\n");
- if ((key = ftok (CDE_INSTALLATION_TOP "/bin/dtlogin", 1)) != (key_t) -1) {
- Debug("key created\n");
- if ((semid = semget (key, 1, IPC_CREAT|IPC_EXCL|0600)) != -1) {
- int i;
- Debug("Completed IPCkey\n");
- if (! getconfattr ("usw", "maxlogins", &i, SEC_INT)) {
- Debug("Max logins from login.cfg is :%d\n",i);
- if (i <= 0)
- i = 10000; /* a very large number */
- initsop.sem_op = i;
- if (semop (semid, &initsop, 1))
- {
- Debug("failed while decrementing\n");
- return(-1);
- }
- } else {
- semctl (semid, 1, IPC_RMID, 0);
- }
- }
- /*
- * Only 'n' login sessions are allowed on the system.
- * This code block decrements a semaphore.
- * The semundo value will be set to adjust the
- * semaphore when tsm exits.
- *
- * This code will be ignored if the appropriate
- * semaphore set does not exist.
- */
- if ((semid = semget (key, 1, 0)) != -1) {
- Debug("getting key for maxlogins\n");
- /*
- * If the semaphore is zero and we are not
- * root, then we fail as there are already the
- * allotted number of login sessions on the
- * system.
- */
- if ((semop (semid, &sop, 1) == -1) && uid) {
- Debug("reached MAXLOGINS limit\n");
- errno = EAGAIN;
- return(-1);
- }
- }
- }
- }
- #endif /* !_POWER */
- #endif /* _AIX */
- /***************************************************************************
- *
- * End authentication routines (AIX)
- *
- ***************************************************************************/
- /***************************************************************************
- ***************************************************************************
- ***************************************************************************
- ***************************************************************************
- ***************************************************************************
- ***************************************************************************
- ***************************************************************************
- ***************************************************************************/
- #ifdef generic
- /***************************************************************************
- *
- * Start authentication routines (generic)
- *
- ***************************************************************************/
- /***************************************************************************
- *
- * These are a set of routine to do simple password, home dir, uid, and gid
- * validation. They can be used as a first pass validation for future
- * porting efforts.
- *
- * When platform specific validation is developed, those routines should be
- * included in their own section and the use of these routines discontinued.
- *
- ***************************************************************************/
- /***************************************************************************
- *
- * External declarations (generic)
- *
- ***************************************************************************/
- /***************************************************************************
- *
- * Procedure declarations (generic)
- *
- ***************************************************************************/
- static void Audit( struct passwd *p, char *msg, int errnum) ;
- static int PasswordAged( struct passwd *pw) ;
- static void WriteBtmp( char *name) ;
- /***************************************************************************
- *
- * Global variables (generic)
- *
- ***************************************************************************/
- /***************************************************************************
- *
- * Audit (generic)
- *
- ***************************************************************************/
- static void
- Audit( struct passwd *p, char *msg, int errnum )
- {
- /*
- * make sure program is back to super-user...
- */
- if(-1 == seteuid(0)) {
- perror(strerror(errno));
- }
- return;
- }
- /***************************************************************************
- *
- * WriteBtmp (generic)
- *
- * log bad login attempts
- *
- ***************************************************************************/
- static void
- WriteBtmp( char *name )
- {
- return;
- }
- /***************************************************************************
- *
- * PasswordAged (Generic)
- *
- * see if password has aged
- ***************************************************************************/
- #define SECONDS_IN_WEEK 604800L
- static int
- PasswordAged( struct passwd *pw )
- {
- return(FALSE);
- }
-
- /***************************************************************************
- *
- * Authenticate (generic)
- *
- * verify the user
- *
- * return codes indicate authentication results.
- ***************************************************************************/
- #define MAXATTEMPTS 3
- struct passwd nouser = {"", "nope"}; /* invalid user password struct */
- int
- Authenticate( struct display *d, char *name, char *passwd, char **msg )
- {
- static int login_attempts = 0; /* # failed authentications */
-
- struct passwd *p; /* password structure */
- char *crypt();
- int n;
- char *origpw;
- /*
- * Nothing to do if no name provided.
- */
- if (!name)
- return(VF_INVALID);
- /*
- * Save provided password.
- */
- origpw = passwd;
- if (!passwd) passwd = "";
- p = getpwnam(name);
-
- #if defined(__linux__)
- /*
- * Use the Linux Shadow Password system to get the crypt()ed password
- */
- if(p) {
- struct spwd *s = getspnam(name);
- if(s) {
- p->pw_passwd = s->sp_pwdp;
- }
- }
- #endif
- #if defined(__OpenBSD__) && OSMAJORVERSION > 5
- /*
- * Use the OpenBSD getpwnam_shadow function to get the crypt()ed password
- */
- p = getpwnam_shadow(name);
- #endif
- if (!p || strlen(name) == 0 ||
- strcmp (crypt (passwd, p->pw_passwd), p->pw_passwd)) {
- WriteBtmp(name);
- if ((++login_attempts % MAXATTEMPTS) == 0 ) {
- if (p == NULL )
- p = &nouser;
- Audit(p, " Failed login (bailout)", 1);
- }
-
- return(origpw ? VF_INVALID : VF_CHALLENGE);
- }
- /*
- * check password aging...
- */
- if ( PasswordAged(p) ) return(VF_PASSWD_AGED);
-
- /*
- * verify home directory exists...
- */
- if(chdir(p->pw_dir) < 0) {
- Audit(p, " attempted to login - no home directory", 1);
- return(VF_HOME);
- }
- /*
- * validate uid and gid...
- */
- if (setgid(p->pw_gid) == -1) {
- Audit(p, " attempted to login - bad group id", 1);
- return(VF_BAD_GID);
- }
- if (seteuid(p->pw_uid) == -1) {
- Audit(p, " attempted to login - bad user id", 1);
- return(VF_BAD_UID);
- }
- /*
- * verify ok...
- */
- Audit(p, " Successful login", 0);
- return(VF_OK);
- }
- /***************************************************************************
- *
- * End authentication routines (generic)
- *
- ***************************************************************************/
- #endif /* generic */
- /***************************************************************************
- ***************************************************************************
- ***************************************************************************
- ***************************************************************************
- ***************************************************************************
- ***************************************************************************
- ***************************************************************************
- ***************************************************************************/