1 /*
2  * ProFTPD - mod_sftp 'password' user authentication
3  * Copyright (c) 2008-2017 TJ Saunders
4  *
5  * This program is free software; you can redistribute it and/or modify
6  * it under the terms of the GNU General Public License as published by
7  * the Free Software Foundation; either version 2 of the License, or
8  * (at your option) any later version.
9  *
10  * This program is distributed in the hope that it will be useful,
11  * but WITHOUT ANY WARRANTY; without even the implied warranty of
12  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
13  * GNU General Public License for more details.
14  *
15  * You should have received a copy of the GNU General Public License
16  * along with this program; if not, write to the Free Software
17  * Foundation, Inc., 51 Franklin Street, Suite 500, Boston, MA 02110-1335, USA.
18  *
19  * As a special exemption, TJ Saunders and other respective copyright holders
20  * give permission to link this program with OpenSSL, and distribute the
21  * resulting executable, without including the source code for OpenSSL in the
22  * source distribution.
23  */
24 
25 #include "mod_sftp.h"
26 #include "packet.h"
27 #include "auth.h"
28 #include "msg.h"
29 #include "cipher.h"
30 #include "mac.h"
31 #include "utf8.h"
32 
sftp_auth_password(struct ssh2_packet * pkt,cmd_rec * pass_cmd,const char * orig_user,const char * user,const char * service,unsigned char ** buf,uint32_t * buflen,int * send_userauth_fail)33 int sftp_auth_password(struct ssh2_packet *pkt, cmd_rec *pass_cmd,
34     const char *orig_user, const char *user, const char *service,
35     unsigned char **buf, uint32_t *buflen, int *send_userauth_fail) {
36   const char *cipher_algo, *mac_algo;
37   char *passwd;
38   int have_new_passwd, res;
39   struct passwd *pw;
40   size_t passwd_len;
41 
42   cipher_algo = sftp_cipher_get_read_algo();
43   mac_algo = sftp_mac_get_read_algo();
44 
45   if (strncmp(cipher_algo, "none", 5) == 0 ||
46       strncmp(mac_algo, "none", 5) == 0) {
47 
48     if (sftp_opts & SFTP_OPT_ALLOW_INSECURE_LOGIN) {
49       (void) pr_log_writefile(sftp_logfd, MOD_SFTP_VERSION,
50         "WARNING: cipher algorithm '%s' or MAC algorithm '%s' INSECURE for "
51         "password authentication (SFTPOption AllowInsecureLogin in effect)",
52         cipher_algo, mac_algo);
53 
54     } else {
55       (void) pr_log_writefile(sftp_logfd, MOD_SFTP_VERSION,
56         "cipher algorithm '%s' or MAC algorithm '%s' unacceptable for "
57         "password authentication, denying password authentication request",
58         cipher_algo, mac_algo);
59 
60       pr_log_auth(PR_LOG_NOTICE,
61         "USER %s (Login failed): cipher algorithm '%s' or MAC algorithm '%s' "
62         "unsupported for password authentication", user,
63         cipher_algo, mac_algo);
64 
65       *send_userauth_fail = TRUE;
66       errno = EPERM;
67       return 0;
68     }
69   }
70 
71   /* XXX We currently don't do anything with this. */
72   have_new_passwd = sftp_msg_read_bool(pkt->pool, buf, buflen);
73   if (have_new_passwd) {
74     (void) pr_log_writefile(sftp_logfd, MOD_SFTP_VERSION, "%s",
75       "client says they have provided a new password; this functionality "
76       "is not currently supported");
77   }
78 
79   passwd = sftp_msg_read_string(pkt->pool, buf, buflen);
80   passwd = sftp_utf8_decode_str(pkt->pool, passwd);
81   passwd_len = strlen(passwd);
82 
83   pass_cmd->arg = passwd;
84 
85   if (pr_cmd_dispatch_phase(pass_cmd, PRE_CMD, 0) < 0) {
86     (void) pr_log_writefile(sftp_logfd, MOD_SFTP_VERSION,
87       "authentication request for user '%s' blocked by '%s' handler",
88       orig_user, (char *) pass_cmd->argv[0]);
89 
90     pr_log_auth(PR_LOG_NOTICE,
91       "USER %s (Login failed): blocked by '%s' handler", orig_user,
92       (char *) pass_cmd->argv[0]);
93 
94     pr_cmd_dispatch_phase(pass_cmd, POST_CMD_ERR, 0);
95     pr_cmd_dispatch_phase(pass_cmd, LOG_CMD_ERR, 0);
96 
97     pr_memscrub(passwd, passwd_len);
98 
99     *send_userauth_fail = TRUE;
100     errno = EPERM;
101     return 0;
102   }
103 
104   pw = pr_auth_getpwnam(pkt->pool, user);
105   if (pw == NULL) {
106     (void) pr_log_writefile(sftp_logfd, MOD_SFTP_VERSION,
107       "no account for user '%s' found", user);
108 
109     pr_log_auth(PR_LOG_NOTICE,
110       "USER %s: no such user found from %s [%s] to %s:%d", user,
111       session.c->remote_name, pr_netaddr_get_ipstr(session.c->remote_addr),
112       pr_netaddr_get_ipstr(session.c->local_addr), session.c->local_port);
113 
114     pr_memscrub(passwd, passwd_len);
115 
116     *send_userauth_fail = TRUE;
117     errno = ENOENT;
118     return 0;
119   }
120 
121   if (passwd_len == 0) {
122     config_rec *c;
123     int allow_empty_passwords = TRUE;
124 
125     c = find_config(main_server->conf, CONF_PARAM, "AllowEmptyPasswords",
126       FALSE);
127     if (c != NULL) {
128       allow_empty_passwords = *((int *) c->argv[0]);
129     }
130 
131     if (allow_empty_passwords == FALSE) {
132       pr_log_debug(DEBUG5,
133         "Refusing empty password from user '%s' (AllowEmptyPasswords false)",
134          user);
135       pr_log_auth(PR_LOG_NOTICE,
136         "Refusing empty password from user '%s'", user);
137 
138       pr_event_generate("mod_auth.empty-password", user);
139       pr_response_add_err(R_501, "Login incorrect.");
140 
141       pr_cmd_dispatch_phase(pass_cmd, POST_CMD_ERR, 0);
142       pr_cmd_dispatch_phase(pass_cmd, LOG_CMD_ERR, 0);
143 
144       pr_memscrub(passwd, passwd_len);
145 
146       *send_userauth_fail = TRUE;
147       errno = EPERM;
148       return 0;
149     }
150   }
151 
152   res = pr_auth_authenticate(pkt->pool, user, passwd);
153   pr_memscrub(passwd, passwd_len);
154 
155   switch (res) {
156     case PR_AUTH_OK:
157       break;
158 
159     case PR_AUTH_NOPWD:
160       (void) pr_log_writefile(sftp_logfd, MOD_SFTP_VERSION,
161         "password authentication for user '%s' failed: No such user", user);
162       pr_log_auth(PR_LOG_NOTICE, "USER %s (Login failed): No such user found",
163         user);
164       *send_userauth_fail = TRUE;
165       errno = ENOENT;
166       return 0;
167 
168     case PR_AUTH_BADPWD:
169       (void) pr_log_writefile(sftp_logfd, MOD_SFTP_VERSION,
170         "password authentication for user '%s' failed: Incorrect password",
171         user);
172       pr_log_auth(PR_LOG_NOTICE, "USER %s (Login failed): Incorrect password",
173         user);
174       *send_userauth_fail = TRUE;
175       errno = EINVAL;
176       return 0;
177 
178     case PR_AUTH_AGEPWD:
179       (void) pr_log_writefile(sftp_logfd, MOD_SFTP_VERSION,
180         "password authentication for user '%s' failed: Password expired",
181         user);
182       pr_log_auth(PR_LOG_NOTICE, "USER %s (Login failed): Password expired",
183         user);
184       *send_userauth_fail = TRUE;
185       errno = EINVAL;
186       return 0;
187 
188     case PR_AUTH_DISABLEDPWD:
189       (void) pr_log_writefile(sftp_logfd, MOD_SFTP_VERSION,
190         "password authentication for user '%s' failed: Account disabled",
191         user);
192       pr_log_auth(PR_LOG_NOTICE, "USER %s (Login failed): Account disabled",
193         user);
194       *send_userauth_fail = TRUE;
195       errno = EINVAL;
196       return 0;
197 
198     default:
199       (void) pr_log_writefile(sftp_logfd, MOD_SFTP_VERSION,
200         "unknown authentication value (%d), returning error", res);
201       *send_userauth_fail = TRUE;
202       errno = EINVAL;
203       return 0;
204   }
205 
206   return 1;
207 }
208 
sftp_auth_password_init(pool * p)209 int sftp_auth_password_init(pool *p) {
210   return 0;
211 }
212