Mercurial > dropbear
comparison svr-authpasswd.c @ 628:d40f3cc47aed
- Add ALLOW_BLANK_PASSWORD option
- Don't reject blank-password logins via public key
| author | Matt Johnston <matt@ucc.asn.au> |
|---|---|
| date | Wed, 26 Oct 2011 15:49:47 +0000 |
| parents | a98a2138364a |
| children | 0edf08895a33 |
comparison
equal
deleted
inserted
replaced
| 627:7cc34a52feb8 | 628:d40f3cc47aed |
|---|---|
| 40 struct spwd *spasswd = NULL; | 40 struct spwd *spasswd = NULL; |
| 41 #endif | 41 #endif |
| 42 char * passwdcrypt = NULL; /* the crypt from /etc/passwd or /etc/shadow */ | 42 char * passwdcrypt = NULL; /* the crypt from /etc/passwd or /etc/shadow */ |
| 43 char * testcrypt = NULL; /* crypt generated from the user's password sent */ | 43 char * testcrypt = NULL; /* crypt generated from the user's password sent */ |
| 44 unsigned char * password; | 44 unsigned char * password; |
| 45 int success_blank = 0; | |
| 45 unsigned int passwordlen; | 46 unsigned int passwordlen; |
| 46 | 47 |
| 47 unsigned int changepw; | 48 unsigned int changepw; |
| 48 | 49 |
| 49 passwdcrypt = ses.authstate.pw_passwd; | 50 passwdcrypt = ses.authstate.pw_passwd; |
| 58 #ifdef DEBUG_HACKCRYPT | 59 #ifdef DEBUG_HACKCRYPT |
| 59 /* debugging crypt for non-root testing with shadows */ | 60 /* debugging crypt for non-root testing with shadows */ |
| 60 passwdcrypt = DEBUG_HACKCRYPT; | 61 passwdcrypt = DEBUG_HACKCRYPT; |
| 61 #endif | 62 #endif |
| 62 | 63 |
| 63 /* check for empty password - need to do this again here | |
| 64 * since the shadow password may differ to that tested | |
| 65 * in auth.c */ | |
| 66 if (passwdcrypt[0] == '\0') { | |
| 67 dropbear_log(LOG_WARNING, "User '%s' has blank password, rejected", | |
| 68 ses.authstate.pw_name); | |
| 69 send_msg_userauth_failure(0, 1); | |
| 70 return; | |
| 71 } | |
| 72 | |
| 73 /* check if client wants to change password */ | 64 /* check if client wants to change password */ |
| 74 changepw = buf_getbool(ses.payload); | 65 changepw = buf_getbool(ses.payload); |
| 75 if (changepw) { | 66 if (changepw) { |
| 76 /* not implemented by this server */ | 67 /* not implemented by this server */ |
| 77 send_msg_userauth_failure(0, 1); | 68 send_msg_userauth_failure(0, 1); |
| 83 /* the first bytes of passwdcrypt are the salt */ | 74 /* the first bytes of passwdcrypt are the salt */ |
| 84 testcrypt = crypt((char*)password, passwdcrypt); | 75 testcrypt = crypt((char*)password, passwdcrypt); |
| 85 m_burn(password, passwordlen); | 76 m_burn(password, passwordlen); |
| 86 m_free(password); | 77 m_free(password); |
| 87 | 78 |
| 88 if (strcmp(testcrypt, passwdcrypt) == 0) { | 79 /* check for empty password */ |
| 80 if (passwdcrypt[0] == '\0') { | |
| 81 #ifdef ALLOW_BLANK_PASSWORD | |
| 82 if (passwordlen == 0) { | |
| 83 success_blank = 1; | |
| 84 } | |
| 85 #else | |
| 86 dropbear_log(LOG_WARNING, "User '%s' has blank password, rejected", | |
| 87 ses.authstate.pw_name); | |
| 88 send_msg_userauth_failure(0, 1); | |
| 89 return; | |
| 90 #endif | |
| 91 } | |
| 92 | |
| 93 if (success_blank || strcmp(testcrypt, passwdcrypt) == 0) { | |
| 89 /* successful authentication */ | 94 /* successful authentication */ |
| 90 dropbear_log(LOG_NOTICE, | 95 dropbear_log(LOG_NOTICE, |
| 91 "Password auth succeeded for '%s' from %s", | 96 "Password auth succeeded for '%s' from %s", |
| 92 ses.authstate.pw_name, | 97 ses.authstate.pw_name, |
| 93 svr_ses.addrstring); | 98 svr_ses.addrstring); |
| 97 "Bad password attempt for '%s' from %s", | 102 "Bad password attempt for '%s' from %s", |
| 98 ses.authstate.pw_name, | 103 ses.authstate.pw_name, |
| 99 svr_ses.addrstring); | 104 svr_ses.addrstring); |
| 100 send_msg_userauth_failure(0, 1); | 105 send_msg_userauth_failure(0, 1); |
| 101 } | 106 } |
| 102 | |
| 103 } | 107 } |
| 104 | 108 |
| 105 #endif | 109 #endif |