New option `-a otp' to allow OTPs but no ordinary passwords in cleartext.
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@888 ec53bebd-3082-4978-b11e-865c3cabbd6b
@@ -135,6 +135,8 @@ RCSID("$Id$");
|
|||||||
#include <skey.h>
|
#include <skey.h>
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
|
#include <otp.h>
|
||||||
|
|
||||||
void yyparse();
|
void yyparse();
|
||||||
|
|
||||||
#ifndef LOG_FTP
|
#ifndef LOG_FTP
|
||||||
@@ -282,10 +284,12 @@ main(int argc, char **argv)
|
|||||||
{
|
{
|
||||||
if(strcmp(optarg, "none") == 0)
|
if(strcmp(optarg, "none") == 0)
|
||||||
auth_level = 0;
|
auth_level = 0;
|
||||||
else if(strcmp(optarg, "safe") == 0)
|
else if(strcmp(optarg, "otp") == 0)
|
||||||
auth_level = 1;
|
auth_level = 1;
|
||||||
else if(strcmp(optarg, "user") == 0)
|
else if(strcmp(optarg, "safe") == 0)
|
||||||
auth_level = 2;
|
auth_level = 2;
|
||||||
|
else if(strcmp(optarg, "user") == 0)
|
||||||
|
auth_level = 3;
|
||||||
else
|
else
|
||||||
warnx("bad value for -a");
|
warnx("bad value for -a");
|
||||||
break;
|
break;
|
||||||
@@ -499,6 +503,7 @@ static char curname[10]; /* current USER name */
|
|||||||
static struct skey sk;
|
static struct skey sk;
|
||||||
static int permit_passwd;
|
static int permit_passwd;
|
||||||
#endif /* SKEY */
|
#endif /* SKEY */
|
||||||
|
OtpContext otp_ctx;
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* USER command.
|
* USER command.
|
||||||
@@ -516,7 +521,7 @@ user(char *name)
|
|||||||
{
|
{
|
||||||
char *cp, *shell;
|
char *cp, *shell;
|
||||||
|
|
||||||
if(auth_level == 2 && !auth_complete){
|
if(auth_level == 3 && !auth_complete){
|
||||||
reply(530, "No login allowed without authorization.");
|
reply(530, "No login allowed without authorization.");
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
@@ -549,7 +554,7 @@ user(char *name)
|
|||||||
"ANONYMOUS FTP LOGIN REFUSED FROM %s", remotehost);
|
"ANONYMOUS FTP LOGIN REFUSED FROM %s", remotehost);
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
if(auth_level == 1 && !auth_complete){
|
if(auth_level == 2 && !auth_complete){
|
||||||
reply(530, "Only authorized and anonymous login allowed.");
|
reply(530, "Only authorized and anonymous login allowed.");
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
@@ -576,6 +581,7 @@ user(char *name)
|
|||||||
if(auth_ok())
|
if(auth_ok())
|
||||||
ct->userok(name);
|
ct->userok(name);
|
||||||
else {
|
else {
|
||||||
|
#if 0
|
||||||
#ifdef SKEY
|
#ifdef SKEY
|
||||||
char ss[256];
|
char ss[256];
|
||||||
|
|
||||||
@@ -592,13 +598,28 @@ user(char *name)
|
|||||||
reply(331, "Password required for %s.", name);
|
reply(331, "Password required for %s.", name);
|
||||||
askpasswd = 1;
|
askpasswd = 1;
|
||||||
}
|
}
|
||||||
|
#endif
|
||||||
|
char ss[256];
|
||||||
|
|
||||||
|
if (otp_challenge(&otp_ctx, name, ss, sizeof(ss)) == 0) {
|
||||||
|
reply(331, "Password %s for %s required.",
|
||||||
|
ss, name);
|
||||||
|
askpasswd = 1;
|
||||||
|
} else if (auth_level == 0) {
|
||||||
|
reply(331, "Password required for %s.", name);
|
||||||
|
askpasswd = 1;
|
||||||
|
} else
|
||||||
|
reply(530,
|
||||||
|
"Only authorized, anonymous and OTP "
|
||||||
|
"login allowed.");
|
||||||
|
|
||||||
}
|
}
|
||||||
/*
|
/*
|
||||||
* Delay before reading passwd after first failed
|
* Delay before reading passwd after first failed
|
||||||
* attempt to slow down passwd-guessing programs.
|
* attempt to slow down passwd-guessing programs.
|
||||||
*/
|
*/
|
||||||
if (login_attempts)
|
if (login_attempts)
|
||||||
sleep((unsigned) login_attempts);
|
sleep(login_attempts);
|
||||||
}
|
}
|
||||||
|
|
||||||
/*
|
/*
|
||||||
@@ -729,6 +750,7 @@ void
|
|||||||
pass(char *passwd)
|
pass(char *passwd)
|
||||||
{
|
{
|
||||||
int rval;
|
int rval;
|
||||||
|
|
||||||
/* some clients insists on sending a password */
|
/* some clients insists on sending a password */
|
||||||
if (logged_in && askpasswd == 0){
|
if (logged_in && askpasswd == 0){
|
||||||
reply(230, "Dumpucko!");
|
reply(230, "Dumpucko!");
|
||||||
@@ -741,10 +763,9 @@ pass(char *passwd)
|
|||||||
}
|
}
|
||||||
askpasswd = 0;
|
askpasswd = 0;
|
||||||
if (!guest) { /* "ftp" is only account allowed no password */
|
if (!guest) { /* "ftp" is only account allowed no password */
|
||||||
if (pw == NULL) {
|
if (pw == NULL)
|
||||||
rval = 1; /* failure below */
|
rval = 1; /* failure below */
|
||||||
goto skip;
|
#if 0
|
||||||
}
|
|
||||||
#ifdef SKEY
|
#ifdef SKEY
|
||||||
if (skeyverify (&sk, passwd) == 0) {
|
if (skeyverify (&sk, passwd) == 0) {
|
||||||
rval = 0;
|
rval = 0;
|
||||||
@@ -754,16 +775,19 @@ pass(char *passwd)
|
|||||||
goto skip;
|
goto skip;
|
||||||
}
|
}
|
||||||
#endif
|
#endif
|
||||||
{
|
#endif
|
||||||
|
else if (otp_verify_user (&otp_ctx, passwd) == 0) {
|
||||||
|
rval = 0;
|
||||||
|
} else if(auth_level == 0) {
|
||||||
char realm[REALM_SZ];
|
char realm[REALM_SZ];
|
||||||
if((rval = krb_get_lrealm(realm, 1)) == KSUCCESS)
|
if((rval = krb_get_lrealm(realm, 1)) == KSUCCESS)
|
||||||
rval = krb_verify_user(pw->pw_name, "", realm,
|
rval = krb_verify_user(pw->pw_name, "", realm,
|
||||||
passwd, 1, NULL);
|
passwd, 1, NULL);
|
||||||
|
if (rval != 0 )
|
||||||
|
rval = unix_verify_user(pw->pw_name, passwd);
|
||||||
}
|
}
|
||||||
|
memset (passwd, 0, strlen(passwd));
|
||||||
|
|
||||||
if (rval != 0)
|
|
||||||
rval = unix_verify_user(pw->pw_name, passwd);
|
|
||||||
skip:
|
|
||||||
/*
|
/*
|
||||||
* If rval == 1, the user failed the authentication check
|
* If rval == 1, the user failed the authentication check
|
||||||
* above. If rval == 0, either Kerberos or local authentication
|
* above. If rval == 0, either Kerberos or local authentication
|
||||||
|
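Review bot: In the last hunk of pass() the new `if (pw == NULL) rval = 1; else if (otp_verify_user (&otp_ctx, passwd) == 0) rval = 0; else if(auth_level == 0) { ... }` chain has no final branch, so when a password user is rejected by OTP under `-a otp`, `safe` or `user` (auth_level != 0) nothing assigns `rval` before control reaches `skip:`, whereas the old code always fell into the Kerberos/unix block; unless `rval` is set in the lines between the two pass() hunks (not shown here), the "If rval == 1, the user failed" check reads an uninitialized `int rval;` (declared in the earlier hunk) and a stray zero would admit the login without any credential having been verified. The smallest fix is to make failure the default at the declaration, `int rval = 1;`, or to close the chain with `} else rval = 1;`. I would also add a comment above the chain, `/* rval: 1 = rejected (default), 0 = verified by OTP, Kerberos or unix passwd */`, since the success/failure encoding is only explained far below at the skip: label. pass() begins and ends outside the hunks shown.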