[svn-upgrade] Integrating new upstream version, shadow (4.0.11)

2007-10-07 11:46:34 +00:00
parent 8c50e06102
commit b48129fcbb
153 changed files with 8441 additions and 6643 deletions
--- a/lib/pwauth.c
+++ b/lib/pwauth.c
@ -31,7 +31,7 @@

 #ifndef USE_PAM
 #include "rcsid.h"
-RCSID ("$Id: pwauth.c,v 1.17 2005/04/17 15:21:42 kloczek Exp $")
+RCSID ("$Id: pwauth.c,v 1.18 2005/07/07 18:53:14 kloczek Exp $")
 #include <sys/types.h>
 #include <signal.h>
 #include <fcntl.h>
@ -41,6 +41,9 @@ RCSID ("$Id: pwauth.c,v 1.17 2005/04/17 15:21:42 kloczek Exp $")
 #include "defines.h"
 #include "pwauth.h"
 #include "getdef.h"
+#ifdef SKEY
+#include <skey.h>
+#endif
 #ifdef __linux__		/* standard password prompt by default */
 static const char *PROMPT = gettext_noop ("Password: ");
 #else
@ -69,6 +72,12 @@ pw_auth (const char *cipher, const char *user, int reason, const char *input)
 	const char *cp;
 	int retval;

+#ifdef	SKEY
+	int use_skey = 0;
+	char challenge_info[40];
+	struct skey skey;
+#endif
+
 	/*
 	 * There are programs for adding and deleting authentication data.
 	 */
@ -79,6 +88,7 @@ pw_auth (const char *cipher, const char *user, int reason, const char *input)
 	/*
 	 * There are even programs for changing the user name ...
 	 */
+
 	if (reason == PW_CHANGE && input != (char *) 0)
 		return 0;

@ -90,6 +100,7 @@ pw_auth (const char *cipher, const char *user, int reason, const char *input)
 	 * know it.  This is a policy decision that might have to be
 	 * revisited.
 	 */
+
 	if (reason == PW_CHANGE && getuid () == 0)
 		return 0;

@ -101,16 +112,34 @@ pw_auth (const char *cipher, const char *user, int reason, const char *input)
 	 * the user could just hit <ENTER>, so it doesn't really
 	 * matter.
 	 */
+
 	if (cipher == (char *) 0 || *cipher == '\0')
 		return 0;

+#ifdef	SKEY
+	/*
+	 * If the user has an S/KEY entry show them the pertinent info
+	 * and then we can try validating the created cyphertext and the SKEY.
+	 * If there is no SKEY information we default to not using SKEY.
+	 */
+
+	if (skeychallenge (&skey, user, challenge_info) == 0)
+		use_skey = 1;
+#endif
+
 	/*
 	 * Prompt for the password as required.  FTPD and REXECD both
 	 * get the cleartext password for us.
 	 */
+
 	if (reason != PW_FTP && reason != PW_REXEC && !input) {
 		if (!(cp = getdef_str ("LOGIN_STRING")))
 			cp = _(PROMPT);
+#ifdef	SKEY
+		if (use_skey)
+			printf ("[%s]\n", challenge_info);
+#endif
+
 		snprintf (prompt, sizeof prompt, cp, user);
 		clear = getpass (prompt);
 		if (!clear) {
@ -125,16 +154,50 @@ pw_auth (const char *cipher, const char *user, int reason, const char *input)
 	/*
 	 * Convert the cleartext password into a ciphertext string.
 	 * If the two match, the return value will be zero, which is
-	 * SUCCESS.
+	 * SUCCESS. Otherwise we see if SKEY is being used and check
+	 * the results there as well.
 	 */
+
 	retval = strcmp (pw_encrypt (input, cipher), cipher);

+#ifdef  SKEY
+	/*
+	 * If (1) The password fails to match, and
+	 * (2) The password is empty and
+	 * (3) We are using OPIE or S/Key, then
+	 * ...Re-prompt, with echo on.
+	 * -- AR 8/22/1999
+	 */
+	if (retval && !input[0] && (use_skey)) {
+		strncat (prompt, "(Echo on) ",
+			 (sizeof (prompt) - strlen (prompt)));
+		clear = getpass_with_echo (prompt);
+		if (!clear) {
+			static char c[1];
+
+			c[0] = '\0';
+			clear = c;
+		}
+		input = clear;
+	}
+
+	if (retval && use_skey) {
+		int passcheck = -1;
+
+		if (skeyverify (&skey, input) == 0)
+			passcheck = skey.n;
+		if (passcheck > 0)
+			retval = 0;
+	}
+#endif
+
 	/*
 	 * Things like RADIUS authentication may need the password -
 	 * if the external variable wipe_clear_pass is zero, we will
 	 * not wipe it (the caller should wipe clear_pass when it is
 	 * no longer needed).  --marekm
 	 */
+
 	clear_pass = clear;
 	if (wipe_clear_pass && clear && *clear)
 		strzero (clear);