login.c revision 1.10
1 1.1 cgd /*- 2 1.10 brezak * Copyright (c) 1980, 1987, 1988, 1991, 1993 3 1.10 brezak * The Regents of the University of California. All rights reserved. 4 1.1 cgd * 5 1.1 cgd * Redistribution and use in source and binary forms, with or without 6 1.1 cgd * modification, are permitted provided that the following conditions 7 1.1 cgd * are met: 8 1.1 cgd * 1. Redistributions of source code must retain the above copyright 9 1.1 cgd * notice, this list of conditions and the following disclaimer. 10 1.1 cgd * 2. Redistributions in binary form must reproduce the above copyright 11 1.1 cgd * notice, this list of conditions and the following disclaimer in the 12 1.1 cgd * documentation and/or other materials provided with the distribution. 13 1.1 cgd * 3. All advertising materials mentioning features or use of this software 14 1.1 cgd * must display the following acknowledgement: 15 1.1 cgd * This product includes software developed by the University of 16 1.1 cgd * California, Berkeley and its contributors. 17 1.1 cgd * 4. Neither the name of the University nor the names of its contributors 18 1.1 cgd * may be used to endorse or promote products derived from this software 19 1.1 cgd * without specific prior written permission. 20 1.1 cgd * 21 1.1 cgd * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 22 1.1 cgd * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 23 1.1 cgd * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 24 1.1 cgd * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 25 1.1 cgd * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 26 1.1 cgd * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 27 1.1 cgd * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 28 1.1 cgd * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 29 1.1 cgd * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 30 1.1 cgd * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 31 1.1 cgd * SUCH DAMAGE. 32 1.1 cgd */ 33 1.1 cgd 34 1.1 cgd #ifndef lint 35 1.10 brezak static char copyright[] = 36 1.10 brezak "@(#) Copyright (c) 1980, 1987, 1988, 1991, 1993\n\ 37 1.10 brezak The Regents of the University of California. All rights reserved.\n"; 38 1.1 cgd #endif /* not lint */ 39 1.1 cgd 40 1.1 cgd #ifndef lint 41 1.10 brezak static char sccsid[] = "@(#)login.c 8.1 (Berkeley) 6/9/93"; 42 1.1 cgd #endif /* not lint */ 43 1.1 cgd 44 1.1 cgd /* 45 1.1 cgd * login [ name ] 46 1.1 cgd * login -h hostname (for telnetd, etc.) 47 1.1 cgd * login -f name (for pre-authenticated login: datakit, xterm, etc.) 48 1.1 cgd */ 49 1.1 cgd 50 1.1 cgd #include <sys/param.h> 51 1.1 cgd #include <sys/stat.h> 52 1.1 cgd #include <sys/time.h> 53 1.1 cgd #include <sys/resource.h> 54 1.1 cgd #include <sys/file.h> 55 1.1 cgd 56 1.1 cgd #include <signal.h> 57 1.1 cgd #include <ttyent.h> 58 1.1 cgd #include <syslog.h> 59 1.5 cgd #include <setjmp.h> 60 1.5 cgd #include <tzfile.h> 61 1.5 cgd #include <utmp.h> 62 1.5 cgd #include <errno.h> 63 1.1 cgd #include <grp.h> 64 1.1 cgd #include <pwd.h> 65 1.5 cgd #include <unistd.h> 66 1.1 cgd #include <stdio.h> 67 1.5 cgd #include <stdlib.h> 68 1.1 cgd #include <string.h> 69 1.1 cgd #include "pathnames.h" 70 1.1 cgd 71 1.5 cgd void badlogin __P((char *)); 72 1.5 cgd void checknologin __P((void)); 73 1.5 cgd void dolastlog __P((int)); 74 1.5 cgd void getloginname __P((void)); 75 1.5 cgd void motd __P((void)); 76 1.5 cgd int rootterm __P((char *)); 77 1.5 cgd void sigint __P((int)); 78 1.5 cgd void sleepexit __P((int)); 79 1.5 cgd char *stypeof __P((char *)); 80 1.5 cgd void timedout __P((int)); 81 1.9 deraadt int pwcheck __P((char *, char *, char *, char *)); 82 1.10 brezak #if defined(KERBEROS) || defined(KERBEROS5) 83 1.5 cgd int klogin __P((struct passwd *, char *, char *, char *)); 84 1.10 brezak void kdestroy __P((void)); 85 1.10 brezak void dofork __P((void)); 86 1.5 cgd #endif 87 1.5 cgd 88 1.1 cgd #define TTYGRPNAME "tty" /* name of group to own ttys */ 89 1.1 cgd 90 1.1 cgd /* 91 1.1 cgd * This bounds the time given to login. Not a define so it can 92 1.1 cgd * be patched on machines where it's too small. 93 1.1 cgd */ 94 1.1 cgd int timeout = 300; 95 1.5 cgd 96 1.10 brezak #if defined(KERBEROS) || defined(KERBEROS5) 97 1.1 cgd int notickets = 1; 98 1.1 cgd char *instance; 99 1.10 brezak char *krbtkfile_env = NULL; 100 1.1 cgd int authok; 101 1.1 cgd #endif 102 1.1 cgd 103 1.1 cgd struct passwd *pwd; 104 1.1 cgd int failures; 105 1.1 cgd char term[64], *envinit[1], *hostname, *username, *tty; 106 1.1 cgd 107 1.5 cgd int 108 1.1 cgd main(argc, argv) 109 1.1 cgd int argc; 110 1.5 cgd char *argv[]; 111 1.1 cgd { 112 1.5 cgd extern char **environ; 113 1.1 cgd register int ch; 114 1.1 cgd register char *p; 115 1.5 cgd struct group *gr; 116 1.5 cgd struct stat st; 117 1.5 cgd struct timeval tp; 118 1.5 cgd struct utmp utmp; 119 1.5 cgd int ask, cnt, fflag, hflag, pflag, quietlog, rootlogin, rval, uid; 120 1.1 cgd char *domain, *salt, *ttyn; 121 1.1 cgd char tbuf[MAXPATHLEN + 2], tname[sizeof(_PATH_TTY) + 10]; 122 1.1 cgd char localhost[MAXHOSTNAMELEN]; 123 1.1 cgd 124 1.1 cgd (void)signal(SIGALRM, timedout); 125 1.1 cgd (void)alarm((u_int)timeout); 126 1.1 cgd (void)signal(SIGQUIT, SIG_IGN); 127 1.1 cgd (void)signal(SIGINT, SIG_IGN); 128 1.1 cgd (void)setpriority(PRIO_PROCESS, 0, 0); 129 1.1 cgd 130 1.1 cgd openlog("login", LOG_ODELAY, LOG_AUTH); 131 1.1 cgd 132 1.1 cgd /* 133 1.1 cgd * -p is used by getty to tell login not to destroy the environment 134 1.5 cgd * -f is used to skip a second login authentication 135 1.1 cgd * -h is used by other servers to pass the name of the remote 136 1.1 cgd * host to login so that it may be placed in utmp and wtmp 137 1.1 cgd */ 138 1.1 cgd domain = NULL; 139 1.1 cgd if (gethostname(localhost, sizeof(localhost)) < 0) 140 1.1 cgd syslog(LOG_ERR, "couldn't get local hostname: %m"); 141 1.1 cgd else 142 1.1 cgd domain = index(localhost, '.'); 143 1.1 cgd 144 1.1 cgd fflag = hflag = pflag = 0; 145 1.1 cgd uid = getuid(); 146 1.1 cgd while ((ch = getopt(argc, argv, "fh:p")) != EOF) 147 1.1 cgd switch (ch) { 148 1.1 cgd case 'f': 149 1.1 cgd fflag = 1; 150 1.1 cgd break; 151 1.1 cgd case 'h': 152 1.1 cgd if (uid) { 153 1.1 cgd (void)fprintf(stderr, 154 1.1 cgd "login: -h option: %s\n", strerror(EPERM)); 155 1.1 cgd exit(1); 156 1.1 cgd } 157 1.1 cgd hflag = 1; 158 1.1 cgd if (domain && (p = index(optarg, '.')) && 159 1.1 cgd strcasecmp(p, domain) == 0) 160 1.1 cgd *p = 0; 161 1.1 cgd hostname = optarg; 162 1.1 cgd break; 163 1.1 cgd case 'p': 164 1.1 cgd pflag = 1; 165 1.1 cgd break; 166 1.1 cgd case '?': 167 1.1 cgd default: 168 1.1 cgd if (!uid) 169 1.1 cgd syslog(LOG_ERR, "invalid flag %c", ch); 170 1.1 cgd (void)fprintf(stderr, 171 1.1 cgd "usage: login [-fp] [-h hostname] [username]\n"); 172 1.1 cgd exit(1); 173 1.1 cgd } 174 1.1 cgd argc -= optind; 175 1.1 cgd argv += optind; 176 1.5 cgd 177 1.1 cgd if (*argv) { 178 1.1 cgd username = *argv; 179 1.1 cgd ask = 0; 180 1.1 cgd } else 181 1.1 cgd ask = 1; 182 1.1 cgd 183 1.1 cgd for (cnt = getdtablesize(); cnt > 2; cnt--) 184 1.5 cgd (void)close(cnt); 185 1.1 cgd 186 1.5 cgd ttyn = ttyname(STDIN_FILENO); 187 1.1 cgd if (ttyn == NULL || *ttyn == '\0') { 188 1.5 cgd (void)snprintf(tname, sizeof(tname), "%s??", _PATH_TTY); 189 1.1 cgd ttyn = tname; 190 1.1 cgd } 191 1.1 cgd if (tty = rindex(ttyn, '/')) 192 1.1 cgd ++tty; 193 1.1 cgd else 194 1.1 cgd tty = ttyn; 195 1.1 cgd 196 1.1 cgd for (cnt = 0;; ask = 1) { 197 1.10 brezak #if defined(KERBEROS) || defined(KERBEROS5) 198 1.10 brezak kdestroy(); 199 1.10 brezak #endif 200 1.1 cgd if (ask) { 201 1.1 cgd fflag = 0; 202 1.1 cgd getloginname(); 203 1.1 cgd } 204 1.5 cgd rootlogin = 0; 205 1.1 cgd #ifdef KERBEROS 206 1.1 cgd if ((instance = index(username, '.')) != NULL) { 207 1.1 cgd if (strncmp(instance, ".root", 5) == 0) 208 1.5 cgd rootlogin = 1; 209 1.1 cgd *instance++ = '\0'; 210 1.5 cgd } else 211 1.1 cgd instance = ""; 212 1.1 cgd #endif 213 1.10 brezak #ifdef KERBEROS5 214 1.10 brezak if ((instance = index(username, '/')) != NULL) { 215 1.10 brezak if (strncmp(instance, "/root", 5) == 0) 216 1.10 brezak rootlogin = 1; 217 1.10 brezak *instance++ = '\0'; 218 1.10 brezak } else 219 1.10 brezak instance = ""; 220 1.10 brezak #endif 221 1.1 cgd if (strlen(username) > UT_NAMESIZE) 222 1.1 cgd username[UT_NAMESIZE] = '\0'; 223 1.1 cgd 224 1.1 cgd /* 225 1.1 cgd * Note if trying multiple user names; log failures for 226 1.1 cgd * previous user name, but don't bother logging one failure 227 1.1 cgd * for nonexistent name (mistyped username). 228 1.1 cgd */ 229 1.1 cgd if (failures && strcmp(tbuf, username)) { 230 1.1 cgd if (failures > (pwd ? 0 : 1)) 231 1.1 cgd badlogin(tbuf); 232 1.1 cgd failures = 0; 233 1.1 cgd } 234 1.1 cgd (void)strcpy(tbuf, username); 235 1.1 cgd 236 1.1 cgd if (pwd = getpwnam(username)) 237 1.1 cgd salt = pwd->pw_passwd; 238 1.1 cgd else 239 1.1 cgd salt = "xx"; 240 1.1 cgd 241 1.1 cgd /* 242 1.1 cgd * if we have a valid account name, and it doesn't have a 243 1.1 cgd * password, or the -f option was specified and the caller 244 1.1 cgd * is root or the caller isn't changing their uid, don't 245 1.1 cgd * authenticate. 246 1.1 cgd */ 247 1.7 mycroft if (pwd) { 248 1.7 mycroft if (pwd->pw_uid == 0) 249 1.7 mycroft rootlogin = 1; 250 1.7 mycroft 251 1.8 mycroft if (fflag && (uid == 0 || uid == pwd->pw_uid)) { 252 1.7 mycroft /* already authenticated */ 253 1.7 mycroft break; 254 1.7 mycroft } else if (pwd->pw_passwd[0] == '\0') { 255 1.7 mycroft /* pretend password okay */ 256 1.7 mycroft rval = 0; 257 1.7 mycroft goto ttycheck; 258 1.7 mycroft } 259 1.7 mycroft } 260 1.7 mycroft 261 1.1 cgd fflag = 0; 262 1.1 cgd 263 1.1 cgd (void)setpriority(PRIO_PROCESS, 0, -4); 264 1.1 cgd 265 1.1 cgd p = getpass("Password:"); 266 1.1 cgd 267 1.1 cgd if (pwd) { 268 1.10 brezak #if defined(KERBEROS) || defined(KERBEROS5) 269 1.1 cgd rval = klogin(pwd, instance, localhost, p); 270 1.1 cgd if (rval == 0) 271 1.1 cgd authok = 1; 272 1.10 brezak else if (rval == 1) { 273 1.10 brezak if (pwd->pw_uid != 0) 274 1.10 brezak rootlogin = 0; 275 1.9 deraadt rval = pwcheck(username, p, salt, pwd->pw_passwd); 276 1.10 brezak } 277 1.1 cgd #else 278 1.9 deraadt rval = pwcheck(username, p, salt, pwd->pw_passwd); 279 1.1 cgd #endif 280 1.1 cgd } 281 1.1 cgd bzero(p, strlen(p)); 282 1.1 cgd 283 1.1 cgd (void)setpriority(PRIO_PROCESS, 0, 0); 284 1.1 cgd 285 1.7 mycroft ttycheck: 286 1.1 cgd /* 287 1.1 cgd * If trying to log in as root without Kerberos, 288 1.1 cgd * but with insecure terminal, refuse the login attempt. 289 1.1 cgd */ 290 1.10 brezak #if defined(KERBEROS) || defined(KERBEROS5) 291 1.1 cgd if (authok == 0) 292 1.1 cgd #endif 293 1.7 mycroft if (pwd && !rval && rootlogin && !rootterm(tty)) { 294 1.1 cgd (void)fprintf(stderr, 295 1.1 cgd "%s login refused on this terminal.\n", 296 1.1 cgd pwd->pw_name); 297 1.1 cgd if (hostname) 298 1.1 cgd syslog(LOG_NOTICE, 299 1.1 cgd "LOGIN %s REFUSED FROM %s ON TTY %s", 300 1.1 cgd pwd->pw_name, hostname, tty); 301 1.1 cgd else 302 1.1 cgd syslog(LOG_NOTICE, 303 1.1 cgd "LOGIN %s REFUSED ON TTY %s", 304 1.1 cgd pwd->pw_name, tty); 305 1.1 cgd continue; 306 1.1 cgd } 307 1.1 cgd 308 1.1 cgd if (pwd && !rval) 309 1.1 cgd break; 310 1.1 cgd 311 1.1 cgd (void)printf("Login incorrect\n"); 312 1.1 cgd failures++; 313 1.1 cgd /* we allow 10 tries, but after 3 we start backing off */ 314 1.1 cgd if (++cnt > 3) { 315 1.1 cgd if (cnt >= 10) { 316 1.1 cgd badlogin(username); 317 1.1 cgd sleepexit(1); 318 1.1 cgd } 319 1.1 cgd sleep((u_int)((cnt - 3) * 5)); 320 1.1 cgd } 321 1.1 cgd } 322 1.1 cgd 323 1.1 cgd /* committed to login -- turn off timeout */ 324 1.1 cgd (void)alarm((u_int)0); 325 1.1 cgd 326 1.1 cgd endpwent(); 327 1.1 cgd 328 1.1 cgd /* if user not super-user, check for disabled logins */ 329 1.1 cgd if (!rootlogin) 330 1.1 cgd checknologin(); 331 1.1 cgd 332 1.1 cgd if (chdir(pwd->pw_dir) < 0) { 333 1.1 cgd (void)printf("No home directory %s!\n", pwd->pw_dir); 334 1.1 cgd if (chdir("/")) 335 1.1 cgd exit(0); 336 1.1 cgd pwd->pw_dir = "/"; 337 1.1 cgd (void)printf("Logging in with home = \"/\".\n"); 338 1.1 cgd } 339 1.1 cgd 340 1.1 cgd quietlog = access(_PATH_HUSHLOGIN, F_OK) == 0; 341 1.1 cgd 342 1.1 cgd if (pwd->pw_change || pwd->pw_expire) 343 1.1 cgd (void)gettimeofday(&tp, (struct timezone *)NULL); 344 1.1 cgd if (pwd->pw_change) 345 1.1 cgd if (tp.tv_sec >= pwd->pw_change) { 346 1.1 cgd (void)printf("Sorry -- your password has expired.\n"); 347 1.1 cgd sleepexit(1); 348 1.1 cgd } else if (pwd->pw_change - tp.tv_sec < 349 1.1 cgd 2 * DAYSPERWEEK * SECSPERDAY && !quietlog) 350 1.1 cgd (void)printf("Warning: your password expires on %s", 351 1.5 cgd ctime(&pwd->pw_change)); 352 1.1 cgd if (pwd->pw_expire) 353 1.1 cgd if (tp.tv_sec >= pwd->pw_expire) { 354 1.1 cgd (void)printf("Sorry -- your account has expired.\n"); 355 1.1 cgd sleepexit(1); 356 1.1 cgd } else if (pwd->pw_expire - tp.tv_sec < 357 1.1 cgd 2 * DAYSPERWEEK * SECSPERDAY && !quietlog) 358 1.1 cgd (void)printf("Warning: your account expires on %s", 359 1.1 cgd ctime(&pwd->pw_expire)); 360 1.1 cgd 361 1.5 cgd /* Nothing else left to fail -- really log in. */ 362 1.5 cgd bzero((void *)&utmp, sizeof(utmp)); 363 1.5 cgd (void)time(&utmp.ut_time); 364 1.5 cgd (void)strncpy(utmp.ut_name, username, sizeof(utmp.ut_name)); 365 1.5 cgd if (hostname) 366 1.5 cgd (void)strncpy(utmp.ut_host, hostname, sizeof(utmp.ut_host)); 367 1.5 cgd (void)strncpy(utmp.ut_line, tty, sizeof(utmp.ut_line)); 368 1.5 cgd login(&utmp); 369 1.1 cgd 370 1.1 cgd dolastlog(quietlog); 371 1.1 cgd 372 1.1 cgd (void)chown(ttyn, pwd->pw_uid, 373 1.1 cgd (gr = getgrnam(TTYGRPNAME)) ? gr->gr_gid : pwd->pw_gid); 374 1.10 brezak #if defined(KERBEROS) || defined(KERBEROS5) 375 1.10 brezak /* Fork so that we can call kdestroy */ 376 1.10 brezak if (krbtkfile_env) 377 1.10 brezak dofork(); 378 1.10 brezak #endif 379 1.1 cgd (void)setgid(pwd->pw_gid); 380 1.1 cgd 381 1.1 cgd initgroups(username, pwd->pw_gid); 382 1.1 cgd 383 1.1 cgd if (*pwd->pw_shell == '\0') 384 1.1 cgd pwd->pw_shell = _PATH_BSHELL; 385 1.1 cgd 386 1.5 cgd /* Destroy environment unless user has requested its preservation. */ 387 1.1 cgd if (!pflag) 388 1.1 cgd environ = envinit; 389 1.1 cgd (void)setenv("HOME", pwd->pw_dir, 1); 390 1.1 cgd (void)setenv("SHELL", pwd->pw_shell, 1); 391 1.1 cgd if (term[0] == '\0') 392 1.5 cgd (void)strncpy(term, stypeof(tty), sizeof(term)); 393 1.1 cgd (void)setenv("TERM", term, 0); 394 1.1 cgd (void)setenv("LOGNAME", pwd->pw_name, 1); 395 1.1 cgd (void)setenv("USER", pwd->pw_name, 1); 396 1.1 cgd (void)setenv("PATH", _PATH_DEFPATH, 0); 397 1.1 cgd #ifdef KERBEROS 398 1.1 cgd if (krbtkfile_env) 399 1.1 cgd (void)setenv("KRBTKFILE", krbtkfile_env, 1); 400 1.1 cgd #endif 401 1.10 brezak #ifdef KERBEROS5 402 1.10 brezak if (krbtkfile_env) 403 1.10 brezak (void)setenv("KRB5CCNAME", krbtkfile_env, 1); 404 1.10 brezak #endif 405 1.1 cgd 406 1.1 cgd if (tty[sizeof("tty")-1] == 'd') 407 1.1 cgd syslog(LOG_INFO, "DIALUP %s, %s", tty, pwd->pw_name); 408 1.5 cgd 409 1.5 cgd /* If fflag is on, assume caller/authenticator has logged root login. */ 410 1.1 cgd if (rootlogin && fflag == 0) 411 1.1 cgd if (hostname) 412 1.1 cgd syslog(LOG_NOTICE, "ROOT LOGIN (%s) ON %s FROM %s", 413 1.1 cgd username, tty, hostname); 414 1.1 cgd else 415 1.1 cgd syslog(LOG_NOTICE, "ROOT LOGIN (%s) ON %s", username, tty); 416 1.1 cgd 417 1.10 brezak #if defined(KERBEROS) || defined(KERBEROS5) 418 1.1 cgd if (!quietlog && notickets == 1) 419 1.1 cgd (void)printf("Warning: no Kerberos tickets issued.\n"); 420 1.1 cgd #endif 421 1.1 cgd 422 1.1 cgd if (!quietlog) { 423 1.10 brezak (void)printf("%s\n\t%s %s\n\n", 424 1.10 brezak "Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993", 425 1.10 brezak "The Regents of the University of California. ", 426 1.10 brezak "All rights reserved."); 427 1.1 cgd motd(); 428 1.5 cgd (void)snprintf(tbuf, 429 1.5 cgd sizeof(tbuf), "%s/%s", _PATH_MAILDIR, pwd->pw_name); 430 1.1 cgd if (stat(tbuf, &st) == 0 && st.st_size != 0) 431 1.1 cgd (void)printf("You have %smail.\n", 432 1.1 cgd (st.st_mtime > st.st_atime) ? "new " : ""); 433 1.1 cgd } 434 1.1 cgd 435 1.1 cgd (void)signal(SIGALRM, SIG_DFL); 436 1.1 cgd (void)signal(SIGQUIT, SIG_DFL); 437 1.1 cgd (void)signal(SIGINT, SIG_DFL); 438 1.1 cgd (void)signal(SIGTSTP, SIG_IGN); 439 1.1 cgd 440 1.1 cgd tbuf[0] = '-'; 441 1.5 cgd (void)strcpy(tbuf + 1, (p = rindex(pwd->pw_shell, '/')) ? 442 1.1 cgd p + 1 : pwd->pw_shell); 443 1.1 cgd 444 1.1 cgd if (setlogin(pwd->pw_name) < 0) 445 1.1 cgd syslog(LOG_ERR, "setlogin() failure: %m"); 446 1.1 cgd 447 1.5 cgd /* Discard permissions last so can't get killed and drop core. */ 448 1.1 cgd if (rootlogin) 449 1.1 cgd (void) setuid(0); 450 1.1 cgd else 451 1.1 cgd (void) setuid(pwd->pw_uid); 452 1.1 cgd 453 1.1 cgd execlp(pwd->pw_shell, tbuf, 0); 454 1.1 cgd (void)fprintf(stderr, "%s: %s\n", pwd->pw_shell, strerror(errno)); 455 1.1 cgd exit(1); 456 1.9 deraadt } 457 1.9 deraadt 458 1.9 deraadt int 459 1.9 deraadt pwcheck(user, p, salt, passwd) 460 1.9 deraadt char *user, *p, *salt, *passwd; 461 1.9 deraadt { 462 1.9 deraadt #ifdef SKEY 463 1.9 deraadt if (strcasecmp(p, "s/key") == 0) { 464 1.9 deraadt if (skey_haskey(user)) { 465 1.9 deraadt fprintf(stderr, "You have no s/key. "); 466 1.9 deraadt return 1; 467 1.9 deraadt } else { 468 1.9 deraadt return skey_authenticate(user); 469 1.9 deraadt } 470 1.9 deraadt } 471 1.9 deraadt #endif 472 1.9 deraadt return strcmp(crypt(p, salt), passwd); 473 1.1 cgd } 474 1.1 cgd 475 1.10 brezak #if defined(KERBEROS) || defined(KERBEROS5) 476 1.5 cgd #define NBUFSIZ (UT_NAMESIZE + 1 + 5) /* .root suffix */ 477 1.1 cgd #else 478 1.1 cgd #define NBUFSIZ (UT_NAMESIZE + 1) 479 1.10 brezak #endif 480 1.10 brezak 481 1.10 brezak #if defined(KERBEROS) || defined(KERBEROS5) 482 1.10 brezak /* 483 1.10 brezak * This routine handles cleanup stuff, and the like. 484 1.10 brezak * It exists only in the child process. 485 1.10 brezak */ 486 1.10 brezak #include <sys/wait.h> 487 1.10 brezak void 488 1.10 brezak dofork() 489 1.10 brezak { 490 1.10 brezak int child; 491 1.10 brezak 492 1.10 brezak if (!(child = fork())) 493 1.10 brezak return; /* Child process */ 494 1.10 brezak 495 1.10 brezak /* Setup stuff? This would be things we could do in parallel with login */ 496 1.10 brezak (void) chdir("/"); /* Let's not keep the fs busy... */ 497 1.10 brezak 498 1.10 brezak /* If we're the parent, watch the child until it dies */ 499 1.10 brezak while (wait(0) != child) 500 1.10 brezak ; 501 1.10 brezak 502 1.10 brezak /* Cleanup stuff */ 503 1.10 brezak /* Run kdestroy to destroy tickets */ 504 1.10 brezak kdestroy(); 505 1.10 brezak 506 1.10 brezak /* Leave */ 507 1.10 brezak exit(0); 508 1.10 brezak } 509 1.1 cgd #endif 510 1.1 cgd 511 1.5 cgd void 512 1.1 cgd getloginname() 513 1.1 cgd { 514 1.1 cgd register int ch; 515 1.1 cgd register char *p; 516 1.1 cgd static char nbuf[NBUFSIZ]; 517 1.1 cgd 518 1.1 cgd for (;;) { 519 1.1 cgd (void)printf("login: "); 520 1.1 cgd for (p = nbuf; (ch = getchar()) != '\n'; ) { 521 1.1 cgd if (ch == EOF) { 522 1.1 cgd badlogin(username); 523 1.1 cgd exit(0); 524 1.1 cgd } 525 1.1 cgd if (p < nbuf + (NBUFSIZ - 1)) 526 1.1 cgd *p++ = ch; 527 1.1 cgd } 528 1.1 cgd if (p > nbuf) 529 1.1 cgd if (nbuf[0] == '-') 530 1.1 cgd (void)fprintf(stderr, 531 1.1 cgd "login names may not start with '-'.\n"); 532 1.1 cgd else { 533 1.1 cgd *p = '\0'; 534 1.1 cgd username = nbuf; 535 1.1 cgd break; 536 1.1 cgd } 537 1.1 cgd } 538 1.1 cgd } 539 1.1 cgd 540 1.5 cgd int 541 1.1 cgd rootterm(ttyn) 542 1.1 cgd char *ttyn; 543 1.1 cgd { 544 1.1 cgd struct ttyent *t; 545 1.1 cgd 546 1.5 cgd return((t = getttynam(ttyn)) && t->ty_status & TTY_SECURE); 547 1.1 cgd } 548 1.1 cgd 549 1.1 cgd jmp_buf motdinterrupt; 550 1.1 cgd 551 1.5 cgd void 552 1.1 cgd motd() 553 1.1 cgd { 554 1.1 cgd register int fd, nchars; 555 1.1 cgd sig_t oldint; 556 1.1 cgd char tbuf[8192]; 557 1.1 cgd 558 1.1 cgd if ((fd = open(_PATH_MOTDFILE, O_RDONLY, 0)) < 0) 559 1.1 cgd return; 560 1.1 cgd oldint = signal(SIGINT, sigint); 561 1.1 cgd if (setjmp(motdinterrupt) == 0) 562 1.1 cgd while ((nchars = read(fd, tbuf, sizeof(tbuf))) > 0) 563 1.1 cgd (void)write(fileno(stdout), tbuf, nchars); 564 1.1 cgd (void)signal(SIGINT, oldint); 565 1.1 cgd (void)close(fd); 566 1.1 cgd } 567 1.1 cgd 568 1.5 cgd /* ARGSUSED */ 569 1.1 cgd void 570 1.5 cgd sigint(signo) 571 1.5 cgd int signo; 572 1.1 cgd { 573 1.1 cgd longjmp(motdinterrupt, 1); 574 1.1 cgd } 575 1.1 cgd 576 1.5 cgd /* ARGSUSED */ 577 1.5 cgd void 578 1.5 cgd timedout(signo) 579 1.5 cgd int signo; 580 1.5 cgd { 581 1.5 cgd (void)fprintf(stderr, "Login timed out after %d seconds\n", timeout); 582 1.5 cgd exit(0); 583 1.5 cgd } 584 1.5 cgd 585 1.5 cgd void 586 1.1 cgd checknologin() 587 1.1 cgd { 588 1.1 cgd register int fd, nchars; 589 1.1 cgd char tbuf[8192]; 590 1.1 cgd 591 1.1 cgd if ((fd = open(_PATH_NOLOGIN, O_RDONLY, 0)) >= 0) { 592 1.1 cgd while ((nchars = read(fd, tbuf, sizeof(tbuf))) > 0) 593 1.1 cgd (void)write(fileno(stdout), tbuf, nchars); 594 1.1 cgd sleepexit(0); 595 1.1 cgd } 596 1.1 cgd } 597 1.1 cgd 598 1.5 cgd void 599 1.1 cgd dolastlog(quiet) 600 1.1 cgd int quiet; 601 1.1 cgd { 602 1.1 cgd struct lastlog ll; 603 1.1 cgd int fd; 604 1.1 cgd 605 1.1 cgd if ((fd = open(_PATH_LASTLOG, O_RDWR, 0)) >= 0) { 606 1.1 cgd (void)lseek(fd, (off_t)pwd->pw_uid * sizeof(ll), L_SET); 607 1.1 cgd if (!quiet) { 608 1.1 cgd if (read(fd, (char *)&ll, sizeof(ll)) == sizeof(ll) && 609 1.1 cgd ll.ll_time != 0) { 610 1.1 cgd (void)printf("Last login: %.*s ", 611 1.1 cgd 24-5, (char *)ctime(&ll.ll_time)); 612 1.1 cgd if (*ll.ll_host != '\0') 613 1.1 cgd (void)printf("from %.*s\n", 614 1.5 cgd (int)sizeof(ll.ll_host), 615 1.5 cgd ll.ll_host); 616 1.1 cgd else 617 1.1 cgd (void)printf("on %.*s\n", 618 1.5 cgd (int)sizeof(ll.ll_line), 619 1.5 cgd ll.ll_line); 620 1.1 cgd } 621 1.1 cgd (void)lseek(fd, (off_t)pwd->pw_uid * sizeof(ll), L_SET); 622 1.1 cgd } 623 1.1 cgd bzero((void *)&ll, sizeof(ll)); 624 1.1 cgd (void)time(&ll.ll_time); 625 1.5 cgd (void)strncpy(ll.ll_line, tty, sizeof(ll.ll_line)); 626 1.1 cgd if (hostname) 627 1.5 cgd (void)strncpy(ll.ll_host, hostname, sizeof(ll.ll_host)); 628 1.1 cgd (void)write(fd, (char *)&ll, sizeof(ll)); 629 1.1 cgd (void)close(fd); 630 1.1 cgd } 631 1.1 cgd } 632 1.1 cgd 633 1.5 cgd void 634 1.1 cgd badlogin(name) 635 1.1 cgd char *name; 636 1.1 cgd { 637 1.1 cgd if (failures == 0) 638 1.1 cgd return; 639 1.1 cgd if (hostname) { 640 1.1 cgd syslog(LOG_NOTICE, "%d LOGIN FAILURE%s FROM %s", 641 1.1 cgd failures, failures > 1 ? "S" : "", hostname); 642 1.1 cgd syslog(LOG_AUTHPRIV|LOG_NOTICE, 643 1.1 cgd "%d LOGIN FAILURE%s FROM %s, %s", 644 1.1 cgd failures, failures > 1 ? "S" : "", hostname, name); 645 1.1 cgd } else { 646 1.1 cgd syslog(LOG_NOTICE, "%d LOGIN FAILURE%s ON %s", 647 1.1 cgd failures, failures > 1 ? "S" : "", tty); 648 1.1 cgd syslog(LOG_AUTHPRIV|LOG_NOTICE, 649 1.1 cgd "%d LOGIN FAILURE%s ON %s, %s", 650 1.1 cgd failures, failures > 1 ? "S" : "", tty, name); 651 1.1 cgd } 652 1.1 cgd } 653 1.1 cgd 654 1.1 cgd #undef UNKNOWN 655 1.1 cgd #define UNKNOWN "su" 656 1.1 cgd 657 1.1 cgd char * 658 1.1 cgd stypeof(ttyid) 659 1.1 cgd char *ttyid; 660 1.1 cgd { 661 1.1 cgd struct ttyent *t; 662 1.1 cgd 663 1.1 cgd return(ttyid && (t = getttynam(ttyid)) ? t->ty_type : UNKNOWN); 664 1.1 cgd } 665 1.1 cgd 666 1.5 cgd void 667 1.1 cgd sleepexit(eval) 668 1.1 cgd int eval; 669 1.1 cgd { 670 1.5 cgd (void)sleep((u_int)5); 671 1.1 cgd exit(eval); 672 1.1 cgd } 673
Indexes created Tue Sep 30 20:09:53 GMT 2025