Mercurial > dropbear
comparison svr-authpasswd.c @ 1617:1fbe598a14fb
Merge bugfix delay invalid users
| author | Matt Johnston <matt@ucc.asn.au> |
|---|---|
| date | Thu, 23 Aug 2018 23:43:45 +0800 |
| parents | 5d2d1021ca00 |
| children | 228b086794b7 |
comparison
equal
deleted
inserted
replaced
| 1611:0196f4f83fee | 1617:1fbe598a14fb |
|---|---|
| 46 return constant_time_memcmp(a, b, la); | 46 return constant_time_memcmp(a, b, la); |
| 47 } | 47 } |
| 48 | 48 |
| 49 /* Process a password auth request, sending success or failure messages as | 49 /* Process a password auth request, sending success or failure messages as |
| 50 * appropriate */ | 50 * appropriate */ |
| 51 void svr_auth_password() { | 51 void svr_auth_password(int valid_user) { |
| 52 | 52 |
| 53 char * passwdcrypt = NULL; /* the crypt from /etc/passwd or /etc/shadow */ | 53 char * passwdcrypt = NULL; /* the crypt from /etc/passwd or /etc/shadow */ |
| 54 char * testcrypt = NULL; /* crypt generated from the user's password sent */ | 54 char * testcrypt = NULL; /* crypt generated from the user's password sent */ |
| 55 char * password; | 55 char * password = NULL; |
| 56 unsigned int passwordlen; | 56 unsigned int passwordlen; |
| 57 | |
| 58 unsigned int changepw; | 57 unsigned int changepw; |
| 59 | |
| 60 passwdcrypt = ses.authstate.pw_passwd; | |
| 61 | |
| 62 #ifdef DEBUG_HACKCRYPT | |
| 63 /* debugging crypt for non-root testing with shadows */ | |
| 64 passwdcrypt = DEBUG_HACKCRYPT; | |
| 65 #endif | |
| 66 | 58 |
| 67 /* check if client wants to change password */ | 59 /* check if client wants to change password */ |
| 68 changepw = buf_getbool(ses.payload); | 60 changepw = buf_getbool(ses.payload); |
| 69 if (changepw) { | 61 if (changepw) { |
| 70 /* not implemented by this server */ | 62 /* not implemented by this server */ |
| 71 send_msg_userauth_failure(0, 1); | 63 send_msg_userauth_failure(0, 1); |
| 72 return; | 64 return; |
| 73 } | 65 } |
| 74 | 66 |
| 75 password = buf_getstring(ses.payload, &passwordlen); | 67 password = buf_getstring(ses.payload, &passwordlen); |
| 76 | 68 if (valid_user) { |
| 77 /* the first bytes of passwdcrypt are the salt */ | 69 /* the first bytes of passwdcrypt are the salt */ |
| 78 testcrypt = crypt(password, passwdcrypt); | 70 passwdcrypt = ses.authstate.pw_passwd; |
| 71 testcrypt = crypt(password, passwdcrypt); | |
| 72 } | |
| 79 m_burn(password, passwordlen); | 73 m_burn(password, passwordlen); |
| 80 m_free(password); | 74 m_free(password); |
| 75 | |
| 76 /* After we have got the payload contents we can exit if the username | |
| 77 is invalid. Invalid users have already been logged. */ | |
| 78 if (!valid_user) { | |
| 79 send_msg_userauth_failure(0, 1); | |
| 80 return; | |
| 81 } | |
| 81 | 82 |
| 82 if (testcrypt == NULL) { | 83 if (testcrypt == NULL) { |
| 83 /* crypt() with an invalid salt like "!!" */ | 84 /* crypt() with an invalid salt like "!!" */ |
| 84 dropbear_log(LOG_WARNING, "User account '%s' is locked", | 85 dropbear_log(LOG_WARNING, "User account '%s' is locked", |
| 85 ses.authstate.pw_name); | 86 ses.authstate.pw_name); |