2 Unix SMB/CIFS implementation.
4 Copyright (C) Andrew Tridgell 1992-1998
6 This program is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation; either version 3 of the License, or
9 (at your option) any later version.
11 This program is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU General Public License for more details.
16 You should have received a copy of the GNU General Public License
17 along with this program. If not, see <http://www.gnu.org/licenses/>.
20 /* this module is for checking a username/password against a system
21 password database. The SMB encrypted password support is elsewhere */
26 #define DBGC_CLASS DBGC_AUTH
28 /* these are kept here to keep the string_combinations function simple */
29 static char *ths_user;
31 static const char *get_this_user(void)
39 #if defined(WITH_PAM) || defined(OSF1_ENH_SEC)
40 static const char *set_this_user(const char *newuser)
42 char *orig_user = ths_user;
43 ths_user = SMB_STRDUP(newuser);
49 #if !defined(WITH_PAM)
50 static char *ths_salt;
51 /* This must be writable. */
52 static char *get_this_salt(void)
57 /* We may be setting a modified version of the same
58 * string, so don't free before use. */
60 static const char *set_this_salt(const char *newsalt)
62 char *orig_salt = ths_salt;
63 ths_salt = SMB_STRDUP(newsalt);
68 static char *ths_crypted;
69 static const char *get_this_crypted(void)
77 static const char *set_this_crypted(const char *newcrypted)
79 char *orig_crypted = ths_crypted;
80 ths_crypted = SMB_STRDUP(newcrypted);
81 SAFE_FREE(orig_crypted);
89 #include <afs/kautils.h>
91 /*******************************************************************
92 check on AFS authentication
93 ********************************************************************/
94 static bool afs_auth(char *user, char *password)
96 long password_expires = 0;
99 /* For versions of AFS prior to 3.3, this routine has few arguments, */
100 /* but since I can't find the old documentation... :-) */
102 if (ka_UserAuthenticateGeneral
103 (KA_USERAUTH_VERSION + KA_USERAUTH_DOSETPAG, user, (char *)0, /* instance */
104 (char *)0, /* cell */
105 password, 0, /* lifetime, default */
106 &password_expires, /*days 'til it expires */
113 ("AFS authentication for \"%s\" failed (%s)\n", user, reason));
121 #include <dce/dce_error.h>
122 #include <dce/sec_login.h>
124 /*****************************************************************
125 This new version of the DFS_AUTH code was donated by Karsten Muuss
126 <muuss@or.uni-bonn.de>. It fixes the following problems with the
129 - Server credentials may expire
130 - Client credential cache files have wrong owner
131 - purge_context() function is called with invalid argument
133 This new code was modified to ensure that on exit the uid/gid is
134 still root, and the original directory is restored. JRA.
135 ******************************************************************/
137 sec_login_handle_t my_dce_sec_context;
138 int dcelogin_atmost_once = 0;
140 /*******************************************************************
141 check on a DCE/DFS authentication
142 ********************************************************************/
143 static bool dfs_auth(char *user, char *password)
149 signed32 expire_time, current_time;
150 boolean32 password_reset;
152 sec_passwd_rec_t passwd_rec;
153 sec_login_auth_src_t auth_src = sec_login_auth_src_network;
154 unsigned char dce_errstr[dce_c_error_string_len];
157 if (dcelogin_atmost_once)
162 * We only go for a DCE login context if the given password
163 * matches that stored in the local password file..
164 * Assumes local passwd file is kept in sync w/ DCE RGY!
167 if (strcmp((char *)crypt(password, get_this_salt()), get_this_crypted()))
173 sec_login_get_current_context(&my_dce_sec_context, &err);
174 if (err != error_status_ok)
176 dce_error_inq_text(err, dce_errstr, &err2);
177 DEBUG(0, ("DCE can't get current context. %s\n", dce_errstr));
182 sec_login_certify_identity(my_dce_sec_context, &err);
183 if (err != error_status_ok)
185 dce_error_inq_text(err, dce_errstr, &err2);
186 DEBUG(0, ("DCE can't get current context. %s\n", dce_errstr));
191 sec_login_get_expiration(my_dce_sec_context, &expire_time, &err);
192 if (err != error_status_ok)
194 dce_error_inq_text(err, dce_errstr, &err2);
195 DEBUG(0, ("DCE can't get expiration. %s\n", dce_errstr));
202 if (expire_time < (current_time + 60))
205 sec_passwd_rec_t *key;
207 sec_login_get_pwent(my_dce_sec_context,
208 (sec_login_passwd_t *) & pw, &err);
209 if (err != error_status_ok)
211 dce_error_inq_text(err, dce_errstr, &err2);
212 DEBUG(0, ("DCE can't get pwent. %s\n", dce_errstr));
217 sec_login_refresh_identity(my_dce_sec_context, &err);
218 if (err != error_status_ok)
220 dce_error_inq_text(err, dce_errstr, &err2);
221 DEBUG(0, ("DCE can't refresh identity. %s\n",
227 sec_key_mgmt_get_key(rpc_c_authn_dce_secret, NULL,
228 (unsigned char *)pw->pw_name,
229 sec_c_key_version_none,
230 (void **)&key, &err);
231 if (err != error_status_ok)
233 dce_error_inq_text(err, dce_errstr, &err2);
234 DEBUG(0, ("DCE can't get key for %s. %s\n",
235 pw->pw_name, dce_errstr));
240 sec_login_valid_and_cert_ident(my_dce_sec_context, key,
241 &password_reset, &auth_src,
243 if (err != error_status_ok)
245 dce_error_inq_text(err, dce_errstr, &err2);
247 ("DCE can't validate and certify identity for %s. %s\n",
248 pw->pw_name, dce_errstr));
251 sec_key_mgmt_free_key(key, &err);
252 if (err != error_status_ok)
254 dce_error_inq_text(err, dce_errstr, &err2);
255 DEBUG(0, ("DCE can't free key.\n", dce_errstr));
259 if (sec_login_setup_identity((unsigned char *)user,
261 &my_dce_sec_context, &err) == 0)
263 dce_error_inq_text(err, dce_errstr, &err2);
264 DEBUG(0, ("DCE Setup Identity for %s failed: %s\n",
269 sec_login_get_pwent(my_dce_sec_context,
270 (sec_login_passwd_t *) & pw, &err);
271 if (err != error_status_ok)
273 dce_error_inq_text(err, dce_errstr, &err2);
274 DEBUG(0, ("DCE can't get pwent. %s\n", dce_errstr));
279 sec_login_purge_context(&my_dce_sec_context, &err);
280 if (err != error_status_ok)
282 dce_error_inq_text(err, dce_errstr, &err2);
283 DEBUG(0, ("DCE can't purge context. %s\n", dce_errstr));
289 * NB. I'd like to change these to call something like change_to_user()
290 * instead but currently we don't have a connection
291 * context to become the correct user. This is already
292 * fairly platform specific code however, so I think
293 * this should be ok. I have added code to go
294 * back to being root on error though. JRA.
299 set_effective_gid(pw->pw_gid);
300 set_effective_uid(pw->pw_uid);
302 if (sec_login_setup_identity((unsigned char *)user,
304 &my_dce_sec_context, &err) == 0)
306 dce_error_inq_text(err, dce_errstr, &err2);
307 DEBUG(0, ("DCE Setup Identity for %s failed: %s\n",
312 sec_login_get_pwent(my_dce_sec_context,
313 (sec_login_passwd_t *) & pw, &err);
314 if (err != error_status_ok)
316 dce_error_inq_text(err, dce_errstr, &err2);
317 DEBUG(0, ("DCE can't get pwent. %s\n", dce_errstr));
321 passwd_rec.version_number = sec_passwd_c_version_none;
322 passwd_rec.pepper = NULL;
323 passwd_rec.key.key_type = sec_passwd_plain;
324 passwd_rec.key.tagged_union.plain = (idl_char *) password;
326 sec_login_validate_identity(my_dce_sec_context,
327 &passwd_rec, &password_reset,
329 if (err != error_status_ok)
331 dce_error_inq_text(err, dce_errstr, &err2);
333 ("DCE Identity Validation failed for principal %s: %s\n",
338 sec_login_certify_identity(my_dce_sec_context, &err);
339 if (err != error_status_ok)
341 dce_error_inq_text(err, dce_errstr, &err2);
342 DEBUG(0, ("DCE certify identity failed: %s\n", dce_errstr));
346 if (auth_src != sec_login_auth_src_network)
348 DEBUG(0, ("DCE context has no network credentials.\n"));
351 sec_login_set_context(my_dce_sec_context, &err);
352 if (err != error_status_ok)
354 dce_error_inq_text(err, dce_errstr, &err2);
356 ("DCE login failed for principal %s, cant set context: %s\n",
359 sec_login_purge_context(&my_dce_sec_context, &err);
363 sec_login_get_pwent(my_dce_sec_context,
364 (sec_login_passwd_t *) & pw, &err);
365 if (err != error_status_ok)
367 dce_error_inq_text(err, dce_errstr, &err2);
368 DEBUG(0, ("DCE can't get pwent. %s\n", dce_errstr));
372 DEBUG(0, ("DCE login succeeded for principal %s on pid %d\n",
373 user, sys_getpid()));
375 DEBUG(3, ("DCE principal: %s\n"
378 pw->pw_name, pw->pw_uid, pw->pw_gid));
379 DEBUG(3, (" info: %s\n"
382 pw->pw_gecos, pw->pw_dir, pw->pw_shell));
384 sec_login_get_expiration(my_dce_sec_context, &expire_time, &err);
385 if (err != error_status_ok)
387 dce_error_inq_text(err, dce_errstr, &err2);
388 DEBUG(0, ("DCE can't get expiration. %s\n", dce_errstr));
392 set_effective_uid(0);
393 set_effective_gid(0);
395 t = localtime(&expire_time);
397 const char *asct = asctime(t);
399 DEBUG(0,("DCE context expires: %s", asct));
403 dcelogin_atmost_once = 1;
408 /* Go back to root, JRA. */
409 set_effective_uid(0);
410 set_effective_gid(egid);
414 void dfs_unlogin(void)
418 unsigned char dce_errstr[dce_c_error_string_len];
420 sec_login_purge_context(&my_dce_sec_context, &err);
421 if (err != error_status_ok)
423 dce_error_inq_text(err, dce_errstr, &err2);
425 ("DCE purge login context failed for server instance %d: %s\n",
426 sys_getpid(), dce_errstr));
431 #ifdef LINUX_BIGCRYPT
432 /****************************************************************************
433 an enhanced crypt for Linux to handle password longer than 8 characters
434 ****************************************************************************/
435 static int linux_bigcrypt(char *password, char *salt1, char *crypted)
437 #define LINUX_PASSWORD_SEG_CHARS 8
441 StrnCpy(salt, salt1, 2);
444 for (i = strlen(password); i > 0; i -= LINUX_PASSWORD_SEG_CHARS) {
445 char *p = crypt(password, salt) + 2;
446 if (strncmp(p, crypted, LINUX_PASSWORD_SEG_CHARS) != 0)
448 password += LINUX_PASSWORD_SEG_CHARS;
449 crypted += strlen(p);
457 /****************************************************************************
458 an enhanced crypt for OSF1
459 ****************************************************************************/
460 static char *osf1_bigcrypt(char *password, char *salt1)
462 static char result[AUTH_MAX_PASSWD_LENGTH] = "";
467 int parts = strlen(password) / AUTH_CLEARTEXT_SEG_CHARS;
468 if (strlen(password) % AUTH_CLEARTEXT_SEG_CHARS)
471 StrnCpy(salt, salt1, 2);
472 StrnCpy(result, salt1, 2);
475 for (i = 0; i < parts; i++) {
476 p1 = crypt(p2, salt);
477 strncat(result, p1 + 2,
478 AUTH_MAX_PASSWD_LENGTH - strlen(p1 + 2) - 1);
479 StrnCpy(salt, &result[2 + i * AUTH_CIPHERTEXT_SEG_CHARS], 2);
480 p2 += AUTH_CLEARTEXT_SEG_CHARS;
488 /****************************************************************************
489 apply a function to upper/lower case combinations
490 of a string and return true if one of them returns true.
491 try all combinations with N uppercase letters.
492 offset is the first char to try and change (start with 0)
493 it assumes the string starts lowercased
494 ****************************************************************************/
495 static NTSTATUS string_combinations2(char *s, int offset,
496 NTSTATUS (*fn)(const char *s,
498 int N, void *private_data)
504 #ifdef PASSWORD_LENGTH
505 len = MIN(len, PASSWORD_LENGTH);
508 if (N <= 0 || offset >= len)
509 return (fn(s, private_data));
511 for (i = offset; i < (len - (N - 1)); i++) {
513 if (!islower_ascii(c))
515 s[i] = toupper_ascii(c);
516 nt_status = string_combinations2(s, i + 1, fn, N - 1,
518 if (!NT_STATUS_EQUAL(nt_status, NT_STATUS_WRONG_PASSWORD)) {
523 return (NT_STATUS_WRONG_PASSWORD);
526 /****************************************************************************
527 apply a function to upper/lower case combinations
528 of a string and return true if one of them returns true.
529 try all combinations with up to N uppercase letters.
530 offset is the first char to try and change (start with 0)
531 it assumes the string starts lowercased
532 ****************************************************************************/
533 static NTSTATUS string_combinations(char *s,
534 NTSTATUS (*fn)(const char *s,
536 int N, void *private_data)
540 for (n = 1; n <= N; n++) {
541 nt_status = string_combinations2(s, 0, fn, n, private_data);
542 if (!NT_STATUS_EQUAL(nt_status, NT_STATUS_WRONG_PASSWORD)) {
546 return NT_STATUS_WRONG_PASSWORD;
550 /****************************************************************************
551 core of password checking routine
552 ****************************************************************************/
553 static NTSTATUS password_check(const char *password, void *private_data)
556 const char *rhost = (const char *)private_data;
557 return smb_pam_passcheck(get_this_user(), rhost, password);
563 if (afs_auth(get_this_user(), password))
565 #endif /* WITH_AFS */
568 if (dfs_auth(get_this_user(), password))
570 #endif /* WITH_DFS */
574 ret = (strcmp(osf1_bigcrypt(password, get_this_salt()),
575 get_this_crypted()) == 0);
578 ("OSF1_ENH_SEC failed. Trying normal crypt.\n"));
579 ret = (strcmp((char *)crypt(password, get_this_salt()), get_this_crypted()) == 0);
584 return NT_STATUS_WRONG_PASSWORD;
587 #endif /* OSF1_ENH_SEC */
590 ret = (strcmp((char *)crypt16(password, get_this_salt()), get_this_crypted()) == 0);
594 return NT_STATUS_WRONG_PASSWORD;
597 #endif /* ULTRIX_AUTH */
599 #ifdef LINUX_BIGCRYPT
600 ret = (linux_bigcrypt(password, get_this_salt(), get_this_crypted()));
604 return NT_STATUS_WRONG_PASSWORD;
606 #endif /* LINUX_BIGCRYPT */
608 #if defined(HAVE_BIGCRYPT) && defined(HAVE_CRYPT) && defined(USE_BOTH_CRYPT_CALLS)
611 * Some systems have bigcrypt in the C library but might not
612 * actually use it for the password hashes (HPUX 10.20) is
613 * a noteable example. So we try bigcrypt first, followed
617 if (strcmp(bigcrypt(password, get_this_salt()), get_this_crypted()) == 0)
620 ret = (strcmp((char *)crypt(password, get_this_salt()), get_this_crypted()) == 0);
624 return NT_STATUS_WRONG_PASSWORD;
626 #else /* HAVE_BIGCRYPT && HAVE_CRYPT && USE_BOTH_CRYPT_CALLS */
629 ret = (strcmp(bigcrypt(password, get_this_salt()), get_this_crypted()) == 0);
633 return NT_STATUS_WRONG_PASSWORD;
635 #endif /* HAVE_BIGCRYPT */
638 DEBUG(1, ("Warning - no crypt available\n"));
639 return NT_STATUS_LOGON_FAILURE;
640 #else /* HAVE_CRYPT */
641 ret = (strcmp((char *)crypt(password, get_this_salt()), get_this_crypted()) == 0);
645 return NT_STATUS_WRONG_PASSWORD;
647 #endif /* HAVE_CRYPT */
648 #endif /* HAVE_BIGCRYPT && HAVE_CRYPT && USE_BOTH_CRYPT_CALLS */
649 #endif /* WITH_PAM */
654 /****************************************************************************
655 CHECK if a username/password is OK
656 the function pointer fn() points to a function to call when a successful
657 match is found and is used to update the encrypted password file
658 return NT_STATUS_OK on correct match, appropriate error otherwise
659 ****************************************************************************/
661 NTSTATUS pass_check(const struct passwd *pass,
663 const char *password,
667 int level = lp_passwordlevel();
672 char addr[INET6_ADDRSTRLEN];
674 rhost = client_name(smbd_server_fd());
675 if (strequal(rhost,"UNKNOWN"))
676 rhost = client_addr(smbd_server_fd(), addr, sizeof(addr));
678 #ifdef DEBUG_PASSWORD
679 DEBUG(100, ("checking user=[%s] pass=[%s]\n", user, password));
683 return NT_STATUS_LOGON_FAILURE;
685 if ((!*password) && !lp_null_passwords())
686 return NT_STATUS_LOGON_FAILURE;
688 #if defined(WITH_PAM)
691 * If we're using PAM we want to short-circuit all the
692 * checks below and dive straight into the PAM code.
695 if (set_this_user(user) == NULL) {
696 return NT_STATUS_NO_MEMORY;
699 DEBUG(4, ("pass_check: Checking (PAM) password for user %s\n", user));
701 #else /* Not using PAM */
703 DEBUG(4, ("pass_check: Checking password for user %s\n", user));
706 DEBUG(3, ("Couldn't find user %s\n", user));
707 return NT_STATUS_NO_SUCH_USER;
711 /* Copy into global for the convenience of looping code */
712 /* Also the place to keep the 'password' no matter what
713 crazy struct it started in... */
714 if (set_this_crypted(pass->pw_passwd) == NULL) {
715 return NT_STATUS_NO_MEMORY;
717 if (set_this_salt(pass->pw_passwd) == NULL) {
718 return NT_STATUS_NO_MEMORY;
725 /* many shadow systems require you to be root to get
726 the password, in most cases this should already be
727 the case when this function is called, except
728 perhaps for IPC password changing requests */
730 spass = getspnam(pass->pw_name);
731 if (spass && spass->sp_pwdp) {
732 if (set_this_crypted(spass->sp_pwdp) == NULL) {
733 return NT_STATUS_NO_MEMORY;
735 if (set_this_salt(spass->sp_pwdp) == NULL) {
736 return NT_STATUS_NO_MEMORY;
740 #elif defined(IA_UINFO)
742 /* Need to get password with SVR4.2's ia_ functions
743 instead of get{sp,pw}ent functions. Required by
744 UnixWare 2.x, tested on version
745 2.1. (tangent@cyberport.com) */
747 if (ia_openinfo(pass->pw_name, &uinfo) != -1)
748 ia_get_logpwd(uinfo, &(pass->pw_passwd));
752 #ifdef HAVE_GETPRPWNAM
754 struct pr_passwd *pr_pw = getprpwnam(pass->pw_name);
755 if (pr_pw && pr_pw->ufld.fd_encrypt) {
756 if (set_this_crypted(pr_pw->ufld.fd_encrypt) == NULL) {
757 return NT_STATUS_NO_MEMORY;
763 #ifdef HAVE_GETPWANAM
765 struct passwd_adjunct *pwret;
766 pwret = getpwanam(s);
767 if (pwret && pwret->pwa_passwd) {
768 if (set_this_crypted(pwret->pwa_passwd) == NULL) {
769 return NT_STATUS_NO_MEMORY;
777 struct pr_passwd *mypasswd;
778 DEBUG(5, ("Checking password for user %s in OSF1_ENH_SEC\n",
780 mypasswd = getprpwnam(user);
782 if (set_this_user(mypasswd->ufld.fd_name) == NULL) {
783 return NT_STATUS_NO_MEMORY;
785 if (set_this_crypted(mypasswd->ufld.fd_encrypt) == NULL) {
786 return NT_STATUS_NO_MEMORY;
790 ("OSF1_ENH_SEC: No entry for user %s in protected database !\n",
798 AUTHORIZATION *ap = getauthuid(pass->pw_uid);
800 if (set_this_crypted(ap->a_password) == NULL) {
802 return NT_STATUS_NO_MEMORY;
809 #if defined(HAVE_TRUNCATED_SALT)
810 /* crypt on some platforms (HPUX in particular)
811 won't work with more than 2 salt characters. */
813 char *trunc_salt = get_this_salt();
814 if (!trunc_salt || strlen(trunc_salt) < 2) {
815 return NT_STATUS_LOGON_FAILURE;
818 if (set_this_salt(trunc_salt) == NULL) {
819 return NT_STATUS_NO_MEMORY;
824 if (!get_this_crypted() || !*get_this_crypted()) {
825 if (!lp_null_passwords()) {
826 DEBUG(2, ("Disallowing %s with null password\n",
828 return NT_STATUS_LOGON_FAILURE;
832 ("Allowing access to %s with null password\n",
838 #endif /* defined(WITH_PAM) */
840 /* try it as it came to us */
841 nt_status = password_check(password, (void *)rhost);
842 if NT_STATUS_IS_OK(nt_status) {
844 } else if (!NT_STATUS_EQUAL(nt_status, NT_STATUS_WRONG_PASSWORD)) {
845 /* No point continuing if its not the password thats to blame (ie PAM disabled). */
853 /* if the password was given to us with mixed case then we don't
854 * need to proceed as we know it hasn't been case modified by the
856 if (strhasupper(password) && strhaslower(password)) {
860 /* make a copy of it */
861 pass2 = talloc_strdup(talloc_tos(), password);
863 return NT_STATUS_NO_MEMORY;
866 /* try all lowercase if it's currently all uppercase */
867 if (strhasupper(pass2)) {
869 nt_status = password_check(pass2, (void *)rhost);
870 if (NT_STATUS_IS_OK(nt_status)) {
877 return NT_STATUS_WRONG_PASSWORD;
880 /* last chance - all combinations of up to level chars upper! */
883 nt_status = string_combinations(pass2, password_check, level,
885 if (NT_STATUS_IS_OK(nt_status)) {
889 return NT_STATUS_WRONG_PASSWORD;
git.samba.org / samba.git / blob