2 Unix SMB/Netbios implementation.
5 Copyright (C) Andrew Tridgell 1992-1998
7 This program is free software; you can redistribute it and/or modify
8 it under the terms of the GNU General Public License as published by
9 the Free Software Foundation; either version 2 of the License, or
10 (at your option) any later version.
12 This program is distributed in the hope that it will be useful,
13 but WITHOUT ANY WARRANTY; without even the implied warranty of
14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 GNU General Public License for more details.
17 You should have received a copy of the GNU General Public License
18 along with this program; if not, write to the Free Software
19 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
22 /* this module is for checking a username/password against a system
23 password database. The SMB encrypted password support is elsewhere */
27 extern int DEBUGLEVEL;
29 /* these are kept here to keep the string_combinations function simple */
30 static char this_user[100]="";
31 static char this_salt[100]="";
32 static char this_crypted[100]="";
36 /*******************************************************************
37 check on PAM authentication
38 ********************************************************************/
40 /* We first need some helper functions */
41 #include <security/pam_appl.h>
42 /* Static variables used to communicate between the conversation function
43 * and the server_login function
45 static char *PAM_username;
46 static char *PAM_password;
48 /* PAM conversation function
49 * Here we assume (for now, at least) that echo on means login name, and
50 * echo off means password.
52 static int PAM_conv (int num_msg,
53 const struct pam_message **msg,
54 struct pam_response **resp,
57 struct pam_response *reply = NULL;
59 #define COPY_STRING(s) (s) ? strdup(s) : NULL
61 reply = malloc(sizeof(struct pam_response) * num_msg);
62 if (!reply) return PAM_CONV_ERR;
64 for (replies = 0; replies < num_msg; replies++) {
65 switch (msg[replies]->msg_style) {
66 case PAM_PROMPT_ECHO_ON:
67 reply[replies].resp_retcode = PAM_SUCCESS;
68 reply[replies].resp = COPY_STRING(PAM_username);
71 case PAM_PROMPT_ECHO_OFF:
72 reply[replies].resp_retcode = PAM_SUCCESS;
73 reply[replies].resp = COPY_STRING(PAM_password);
80 reply[replies].resp_retcode = PAM_SUCCESS;
81 reply[replies].resp = NULL;
84 /* Must be an error of some sort... */
89 if (reply) *resp = reply;
92 static struct pam_conv PAM_conversation = {
98 static BOOL pam_auth(char *user,char *password)
103 /* Now use PAM to do authentication. For now, we won't worry about
104 * session logging, only authentication. Bail out if there are any
105 * errors. Since this is a limited protocol, and an even more limited
106 * function within a server speaking this protocol, we can't be as
107 * verbose as would otherwise make sense.
108 * Query: should we be using PAM_SILENT to shut PAM up?
110 #define PAM_BAIL if (pam_error != PAM_SUCCESS) { \
111 pam_end(pamh, 0); return False; \
113 PAM_password = password;
115 pam_error = pam_start("samba", user, &PAM_conversation, &pamh);
117 /* Setting PAM_SILENT stops generation of error messages to syslog
118 * to enable debugging on Red Hat Linux set:
120 * auth required /lib/security/pam_pwdb.so nullok shadow audit
121 * _OR_ change PAM_SILENT to 0 to force detailed reporting (logging)
123 pam_error = pam_authenticate(pamh, PAM_SILENT);
125 /* It is not clear to me that account management is the right thing
126 * to do, but it is not clear that it isn't, either. This can be
127 * removed if no account management should be done. Alternately,
128 * put a pam_allow.so entry in /etc/pam.conf for account handling. */
129 pam_error = pam_acct_mgmt(pamh, PAM_SILENT);
131 pam_end(pamh, PAM_SUCCESS);
132 /* If this point is reached, the user has been authenticated. */
140 #include <afs/stds.h>
141 #include <afs/kautils.h>
143 /*******************************************************************
144 check on AFS authentication
145 ********************************************************************/
146 static BOOL afs_auth(char *user,char *password)
148 long password_expires = 0;
151 /* For versions of AFS prior to 3.3, this routine has few arguments, */
152 /* but since I can't find the old documentation... :-) */
154 if (ka_UserAuthenticateGeneral(KA_USERAUTH_VERSION+KA_USERAUTH_DOSETPAG,
156 (char *) 0, /* instance */
157 (char *) 0, /* cell */
159 0, /* lifetime, default */
160 &password_expires, /*days 'til it expires */
165 DEBUG(1,("AFS authentication for \"%s\" failed (%s)\n", user, reason));
173 #include <dce/dce_error.h>
174 #include <dce/sec_login.h>
176 /*****************************************************************
177 This new version of the DFS_AUTH code was donated by Karsten Muuss
178 <muuss@or.uni-bonn.de>. It fixes the following problems with the
181 - Server credentials may expire
182 - Client credential cache files have wrong owner
183 - purge_context() function is called with invalid argument
185 This new code was modified to ensure that on exit the uid/gid is
186 still root, and the original directory is restored. JRA.
187 ******************************************************************/
189 sec_login_handle_t my_dce_sec_context;
190 int dcelogin_atmost_once = 0;
192 /*******************************************************************
193 check on a DCE/DFS authentication
194 ********************************************************************/
195 static BOOL dfs_auth(char *user,char *password)
200 signed32 expire_time, current_time;
201 boolean32 password_reset;
203 sec_passwd_rec_t passwd_rec;
204 sec_login_auth_src_t auth_src = sec_login_auth_src_network;
205 unsigned char dce_errstr[dce_c_error_string_len];
208 if (dcelogin_atmost_once) return(False);
212 * We only go for a DCE login context if the given password
213 * matches that stored in the local password file..
214 * Assumes local passwd file is kept in sync w/ DCE RGY!
217 if (strcmp((char *)crypt(password,this_salt),this_crypted)) {
222 sec_login_get_current_context(&my_dce_sec_context, &err);
223 if (err != error_status_ok ) {
224 dce_error_inq_text(err, dce_errstr, &err2);
225 DEBUG(0,("DCE can't get current context. %s\n", dce_errstr));
230 sec_login_certify_identity(my_dce_sec_context, &err);
231 if (err != error_status_ok) {
232 dce_error_inq_text(err, dce_errstr, &err2);
233 DEBUG(0,("DCE can't get current context. %s\n", dce_errstr));
238 sec_login_get_expiration(my_dce_sec_context, &expire_time, &err);
239 if (err != error_status_ok) {
240 dce_error_inq_text(err, dce_errstr, &err2);
241 DEBUG(0,("DCE can't get expiration. %s\n", dce_errstr));
248 if (expire_time < (current_time + 60)) {
250 sec_passwd_rec_t *key;
252 sec_login_get_pwent(my_dce_sec_context,
253 (sec_login_passwd_t*)&pw, &err);
254 if (err != error_status_ok ) {
255 dce_error_inq_text(err, dce_errstr, &err2);
256 DEBUG(0,("DCE can't get pwent. %s\n", dce_errstr));
261 sec_login_refresh_identity(my_dce_sec_context, &err);
262 if (err != error_status_ok) {
263 dce_error_inq_text(err, dce_errstr, &err2);
264 DEBUG(0,("DCE can't refresh identity. %s\n",
270 sec_key_mgmt_get_key(rpc_c_authn_dce_secret, NULL,
271 (unsigned char *)pw->pw_name,
272 sec_c_key_version_none,
274 if (err != error_status_ok) {
275 dce_error_inq_text(err, dce_errstr, &err2);
276 DEBUG(0,("DCE can't get key for %s. %s\n",
277 pw->pw_name, dce_errstr));
282 sec_login_valid_and_cert_ident(my_dce_sec_context, key,
283 &password_reset, &auth_src,
285 if (err != error_status_ok ) {
286 dce_error_inq_text(err, dce_errstr, &err2);
287 DEBUG(0,("DCE can't validate and certify identity for %s. %s\n",
288 pw->pw_name, dce_errstr));
291 sec_key_mgmt_free_key(key, &err);
292 if (err != error_status_ok ) {
293 dce_error_inq_text(err, dce_errstr, &err2);
294 DEBUG(0,("DCE can't free key.\n", dce_errstr));
298 if (sec_login_setup_identity((unsigned char *)user,
302 dce_error_inq_text(err, dce_errstr, &err2);
303 DEBUG(0,("DCE Setup Identity for %s failed: %s\n",
308 sec_login_get_pwent(my_dce_sec_context,
309 (sec_login_passwd_t*)&pw, &err);
310 if (err != error_status_ok) {
311 dce_error_inq_text(err, dce_errstr, &err2);
312 DEBUG(0,("DCE can't get pwent. %s\n", dce_errstr));
317 sec_login_purge_context(&my_dce_sec_context, &err);
318 if (err != error_status_ok) {
319 dce_error_inq_text(err, dce_errstr, &err2);
320 DEBUG(0,("DCE can't purge context. %s\n", dce_errstr));
326 * NB. I'd like to change these to call something like become_user()
327 * instead but currently we don't have a connection
328 * context to become the correct user. This is already
329 * fairly platform specific code however, so I think
330 * this should be ok. I have added code to go
331 * back to being root on error though. JRA.
336 if (set_effective_gid(pw->pw_gid) != 0) {
337 DEBUG(0,("Can't set egid to %d (%s)\n",
338 pw->pw_gid, strerror(errno)));
342 if (set_effective_uid(pw->pw_uid) != 0) {
343 set_effective_gid(egid);
344 DEBUG(0,("Can't set euid to %d (%s)\n",
345 pw->pw_uid, strerror(errno)));
349 if (sec_login_setup_identity((unsigned char *)user,
353 dce_error_inq_text(err, dce_errstr, &err2);
354 DEBUG(0,("DCE Setup Identity for %s failed: %s\n",
359 sec_login_get_pwent(my_dce_sec_context,
360 (sec_login_passwd_t*)&pw, &err);
361 if (err != error_status_ok ) {
362 dce_error_inq_text(err, dce_errstr, &err2);
363 DEBUG(0,("DCE can't get pwent. %s\n", dce_errstr));
367 passwd_rec.version_number = sec_passwd_c_version_none;
368 passwd_rec.pepper = NULL;
369 passwd_rec.key.key_type = sec_passwd_plain;
370 passwd_rec.key.tagged_union.plain = (idl_char *)password;
372 sec_login_validate_identity(my_dce_sec_context,
373 &passwd_rec, &password_reset,
375 if (err != error_status_ok ) {
376 dce_error_inq_text(err, dce_errstr, &err2);
377 DEBUG(0,("DCE Identity Validation failed for principal %s: %s\n",
382 sec_login_certify_identity(my_dce_sec_context, &err);
383 if (err != error_status_ok) {
384 dce_error_inq_text(err, dce_errstr, &err2);
385 DEBUG(0,("DCE certify identity failed: %s\n", dce_errstr));
389 if (auth_src != sec_login_auth_src_network) {
390 DEBUG(0,("DCE context has no network credentials.\n"));
393 sec_login_set_context(my_dce_sec_context, &err);
394 if (err != error_status_ok) {
395 dce_error_inq_text(err, dce_errstr, &err2);
396 DEBUG(0,("DCE login failed for principal %s, cant set context: %s\n",
399 sec_login_purge_context(&my_dce_sec_context, &err);
403 sec_login_get_pwent(my_dce_sec_context,
404 (sec_login_passwd_t*)&pw, &err);
405 if (err != error_status_ok) {
406 dce_error_inq_text(err, dce_errstr, &err2);
407 DEBUG(0,("DCE can't get pwent. %s\n", dce_errstr));
411 DEBUG(0,("DCE login succeeded for principal %s on pid %d\n",
414 DEBUG(3,("DCE principal: %s\n"
417 pw->pw_name, pw->pw_uid, pw->pw_gid));
418 DEBUG(3,(" info: %s\n"
421 pw->pw_gecos, pw->pw_dir, pw->pw_shell));
423 sec_login_get_expiration(my_dce_sec_context, &expire_time, &err);
424 if (err != error_status_ok) {
425 dce_error_inq_text(err, dce_errstr, &err2);
426 DEBUG(0,("DCE can't get expiration. %s\n", dce_errstr));
430 set_effective_uid(0);
431 set_effective_gid(0);
433 DEBUG(0,("DCE context expires: %s",asctime(localtime(&expire_time))));
435 dcelogin_atmost_once = 1;
440 /* Go back to root, JRA. */
441 set_effective_uid(0);
442 set_effective_gid(egid);
446 void dfs_unlogin(void)
450 unsigned char dce_errstr[dce_c_error_string_len];
452 sec_login_purge_context(&my_dce_sec_context, &err);
453 if (err != error_status_ok) {
454 dce_error_inq_text(err, dce_errstr, &err2);
455 DEBUG(0,("DCE purge login context failed for server instance %d: %s\n",
456 getpid(), dce_errstr));
465 /*******************************************************************
466 check on Kerberos authentication
467 ********************************************************************/
468 static BOOL krb5_auth(char *user,char *password)
470 krb5_data tgtname = {
475 krb5_context kcontext;
476 krb5_principal kprinc;
477 krb5_principal server;
480 krb5_address **addrs = (krb5_address **)0;
481 krb5_preauthtype *preauth = NULL;
482 krb5_keytab keytab = NULL;
484 krb5_ccache ccache = NULL;
488 if (retval=krb5_init_context(&kcontext)) {
492 if (retval = krb5_timeofday(kcontext, &now)) {
496 if (retval = krb5_cc_default(kcontext, &ccache)) {
500 if (retval = krb5_parse_name(kcontext, user, &kprinc)) {
506 kcreds.client = kprinc;
508 if ((retval = krb5_build_principal_ext(kcontext, &server,
509 krb5_princ_realm(kcontext, kprinc)->length,
510 krb5_princ_realm(kcontext, kprinc)->data,
513 krb5_princ_realm(kcontext, kprinc)->length,
514 krb5_princ_realm(kcontext, kprinc)->data,
519 kcreds.server = server;
521 retval = krb5_get_in_tkt_with_password(kcontext,
537 #endif /* KRB5_AUTH */
542 /*******************************************************************
543 check on Kerberos authentication
544 ********************************************************************/
545 static BOOL krb4_auth(char *user,char *password)
547 char realm[REALM_SZ];
548 char tkfile[MAXPATHLEN];
550 if (krb_get_lrealm(realm, 1) != KSUCCESS) {
551 (void) safe_strcpy(realm, KRB_REALM, sizeof (realm) - 1);
554 (void) slprintf(tkfile, sizeof(tkfile) - 1, "/tmp/samba_tkt_%d",
557 krb_set_tkt_string(tkfile);
558 if (krb_verify_user(user, "", realm,
560 "rmcd") == KSUCCESS) {
567 #endif /* KRB4_AUTH */
569 #ifdef LINUX_BIGCRYPT
570 /****************************************************************************
571 an enhanced crypt for Linux to handle password longer than 8 characters
572 ****************************************************************************/
573 static int linux_bigcrypt(char *password,char *salt1, char *crypted)
575 #define LINUX_PASSWORD_SEG_CHARS 8
579 StrnCpy(salt,salt1,2);
582 for ( i=strlen(password); i > 0; i -= LINUX_PASSWORD_SEG_CHARS) {
583 char * p = crypt(password,salt) + 2;
584 if (strncmp(p, crypted, LINUX_PASSWORD_SEG_CHARS) != 0)
586 password += LINUX_PASSWORD_SEG_CHARS;
587 crypted += strlen(p);
595 /****************************************************************************
596 an enhanced crypt for OSF1
597 ****************************************************************************/
598 static char *osf1_bigcrypt(char *password,char *salt1)
600 static char result[AUTH_MAX_PASSWD_LENGTH] = "";
605 int parts = strlen(password) / AUTH_CLEARTEXT_SEG_CHARS;
606 if (strlen(password)%AUTH_CLEARTEXT_SEG_CHARS) {
610 StrnCpy(salt,salt1,2);
611 StrnCpy(result,salt1,2);
614 for (i=0; i<parts;i++) {
616 strncat(result,p1+2,AUTH_MAX_PASSWD_LENGTH-strlen(p1+2)-1);
617 StrnCpy(salt,&result[2+i*AUTH_CIPHERTEXT_SEG_CHARS],2);
618 p2 += AUTH_CLEARTEXT_SEG_CHARS;
626 /****************************************************************************
627 apply a function to upper/lower case combinations
628 of a string and return true if one of them returns true.
629 try all combinations with N uppercase letters.
630 offset is the first char to try and change (start with 0)
631 it assumes the string starts lowercased
632 ****************************************************************************/
633 static BOOL string_combinations2(char *s,int offset,BOOL (*fn)(char *),int N)
638 #ifdef PASSWORD_LENGTH
639 len = MIN(len,PASSWORD_LENGTH);
642 if (N <= 0 || offset >= len) {
646 for (i=offset;i<(len-(N-1));i++) {
648 if (!islower(c)) continue;
650 if (string_combinations2(s,i+1,fn,N-1))
657 /****************************************************************************
658 apply a function to upper/lower case combinations
659 of a string and return true if one of them returns true.
660 try all combinations with up to N uppercase letters.
661 offset is the first char to try and change (start with 0)
662 it assumes the string starts lowercased
663 ****************************************************************************/
664 static BOOL string_combinations(char *s,BOOL (*fn)(char *),int N)
668 if (string_combinations2(s,0,fn,n)) return(True);
673 /****************************************************************************
674 core of password checking routine
675 ****************************************************************************/
676 static BOOL password_check(char *password)
680 /* This falls through if the password check fails
681 - if HAVE_CRYPT is not defined this causes an error msg
682 saying Warning - no crypt available
683 - if HAVE_CRYPT is defined this is a potential security hole
684 as it may authenticate via the crypt call when PAM
685 settings say it should fail.
686 if (pam_auth(user,password)) return(True);
687 Hence we make a direct return to avoid a second chance!!!
689 return (pam_auth(this_user,password));
690 #endif /* WITH_PAM */
693 if (afs_auth(this_user,password)) return(True);
694 #endif /* WITH_AFS */
697 if (dfs_auth(this_user,password)) return(True);
698 #endif /* WITH_DFS */
701 if (krb5_auth(this_user,password)) return(True);
702 #endif /* KRB5_AUTH */
705 if (krb4_auth(this_user,password)) return(True);
706 #endif /* KRB4_AUTH */
710 BOOL ret = (strcmp(osf1_bigcrypt(password,this_salt),this_crypted) == 0);
712 DEBUG(2,("OSF1_ENH_SEC failed. Trying normal crypt.\n"));
713 ret = (strcmp((char *)crypt(password,this_salt),this_crypted) == 0);
717 #endif /* OSF1_ENH_SEC */
720 return (strcmp((char *)crypt16(password, this_salt ),this_crypted) == 0);
721 #endif /* ULTRIX_AUTH */
723 #ifdef LINUX_BIGCRYPT
724 return(linux_bigcrypt(password,this_salt,this_crypted));
725 #endif /* LINUX_BIGCRYPT */
727 #if defined(HAVE_BIGCRYPT) && defined(HAVE_CRYPT) && defined(USE_BOTH_CRYPT_CALLS)
730 * Some systems have bigcrypt in the C library but might not
731 * actually use it for the password hashes (HPUX 10.20) is
732 * a noteable example. So we try bigcrypt first, followed
736 if(strcmp(bigcrypt(password,this_salt),this_crypted) == 0)
739 return (strcmp((char *)crypt(password,this_salt),this_crypted) == 0);
740 #else /* HAVE_BIGCRYPT && HAVE_CRYPT && USE_BOTH_CRYPT_CALLS */
743 return(strcmp(bigcrypt(password,this_salt),this_crypted) == 0);
744 #endif /* HAVE_BIGCRYPT */
747 DEBUG(1,("Warning - no crypt available\n"));
749 #else /* HAVE_CRYPT */
750 return(strcmp((char *)crypt(password,this_salt),this_crypted) == 0);
751 #endif /* HAVE_CRYPT */
752 #endif /* HAVE_BIGCRYPT && HAVE_CRYPT && USE_BOTH_CRYPT_CALLS */
757 /****************************************************************************
758 check if a username/password is OK
759 the function pointer fn() points to a function to call when a successful
760 match is found and is used to update the encrypted password file
761 return True on correct match, False otherwise
762 ****************************************************************************/
763 BOOL pass_check(char *user,char *password, int pwlen, struct passwd *pwd,
764 BOOL (*fn)(char *, char *))
767 int level = lp_passwordlevel();
770 if (password) password[pwlen] = 0;
773 DEBUG(100,("checking user=[%s] pass=[%s]\n",user,password));
780 if (((!*password) || (!pwlen)) && !lp_null_passwords()) {
785 pass = (struct passwd *) pwd;
786 user = pass->pw_name;
788 pass = Get_Pwnam(user,True);
792 DEBUG(4,("Checking password for user %s (l=%d)\n",user,pwlen));
795 DEBUG(3,("Couldn't find user %s\n",user));
803 /* many shadow systems require you to be root to get
804 the password, in most cases this should already be
805 the case when this function is called, except
806 perhaps for IPC password changing requests */
808 spass = getspnam(pass->pw_name);
809 if (spass && spass->sp_pwdp) {
810 pstrcpy(pass->pw_passwd,spass->sp_pwdp);
813 #elif defined(IA_UINFO)
815 /* Need to get password with SVR4.2's ia_ functions
816 instead of get{sp,pw}ent functions. Required by
817 UnixWare 2.x, tested on version
818 2.1. (tangent@cyberport.com) */
820 if (ia_openinfo(pass->pw_name, &uinfo) != -1) {
821 ia_get_logpwd(uinfo, &(pass->pw_passwd));
826 #ifdef HAVE_GETPRPWNAM
828 struct pr_passwd *pr_pw = getprpwnam(pass->pw_name);
829 if (pr_pw && pr_pw->ufld.fd_encrypt)
830 pstrcpy(pass->pw_passwd,pr_pw->ufld.fd_encrypt);
836 struct pr_passwd *mypasswd;
837 DEBUG(5,("Checking password for user %s in OSF1_ENH_SEC\n",
839 mypasswd = getprpwnam (user);
841 fstrcpy(pass->pw_name,mypasswd->ufld.fd_name);
842 fstrcpy(pass->pw_passwd,mypasswd->ufld.fd_encrypt);
844 DEBUG(5,("OSF1_ENH_SEC: No entry for user %s in protected database !\n",
852 AUTHORIZATION *ap = getauthuid(pass->pw_uid);
854 fstrcpy(pass->pw_passwd, ap->a_password);
860 /* extract relevant info */
861 fstrcpy(this_user,pass->pw_name);
862 fstrcpy(this_salt,pass->pw_passwd);
864 #if defined(HAVE_TRUNCATED_SALT)
865 /* crypt on some platforms (HPUX in particular)
866 won't work with more than 2 salt characters. */
870 fstrcpy(this_crypted,pass->pw_passwd);
872 if (!*this_crypted) {
873 if (!lp_null_passwords()) {
874 DEBUG(2,("Disallowing %s with null password\n",
879 DEBUG(3,("Allowing access to %s with null password\n",
885 /* try it as it came to us */
886 if (password_check(password)) {
887 if (fn) fn(user,password);
891 /* if the password was given to us with mixed case then we don't
892 need to proceed as we know it hasn't been case modified by the
894 if (strhasupper(password) && strhaslower(password)) {
898 /* make a copy of it */
899 StrnCpy(pass2,password,sizeof(pstring)-1);
901 /* try all lowercase */
903 if (password_check(password)) {
904 if (fn) fn(user,password);
912 fstrcpy(password,pass2);
917 /* last chance - all combinations of up to level chars upper! */
920 if (string_combinations(password,password_check,level)) {
921 if (fn) fn(user,password);
926 fstrcpy(password,pass2);
git.samba.org / ira / wip.git / blob