Loading user profile during authentication

Author: manojampalam

auth-passwd.c

@@ -41,13 +41,13 @@
 #include "xmalloc.h"
 #endif
 
-/*
- * We support only client side kerberos on Windows.
- */
+ /*
+  * We support only client side kerberos on Windows.
+  */
 
 #ifdef WIN32_FIXME
-  #undef GSSAPI
-  #undef KRB5
+#undef GSSAPI
+#undef KRB5
 #endif
 
 #include <sys/types.h>
@@ -155,23 +155,23 @@ warn_expiry(Authctxt *authctxt, auth_session_t *as)
 #ifdef HAVE_LOGIN_CAP
 	if (authctxt->valid) {
 		pwwarntime = login_getcaptime(lc, "password-warn", TWO_WEEKS,
-		    TWO_WEEKS);
+			TWO_WEEKS);
 		acwarntime = login_getcaptime(lc, "expire-warn", TWO_WEEKS,
-		    TWO_WEEKS);
+			TWO_WEEKS);
 	}
 #endif
 	if (pwtimeleft != 0 && pwtimeleft < pwwarntime) {
 		daysleft = pwtimeleft / DAY + 1;
 		snprintf(buf, sizeof(buf),
-		    "Your password will expire in %lld day%s.\n",
-		    daysleft, daysleft == 1 ? "" : "s");
+			"Your password will expire in %lld day%s.\n",
+			daysleft, daysleft == 1 ? "" : "s");
 		buffer_append(&loginmsg, buf, strlen(buf));
 	}
 	if (actimeleft != 0 && actimeleft < acwarntime) {
 		daysleft = actimeleft / DAY + 1;
 		snprintf(buf, sizeof(buf),
-		    "Your account will expire in %lld day%s.\n",
-		    daysleft, daysleft == 1 ? "" : "s");
+			"Your account will expire in %lld day%s.\n",
+			daysleft, daysleft == 1 ? "" : "s");
 		buffer_append(&loginmsg, buf, strlen(buf));
 	}
 }
@@ -184,15 +184,16 @@ sys_auth_passwd(Authctxt *authctxt, const char *password)
 	static int expire_checked = 0;
 
 	as = auth_usercheck(pw->pw_name, authctxt->style, "auth-ssh",
-	    (char *)password);
+		(char *)password);
 	if (as == NULL)
 		return (0);
 	if (auth_getstate(as) & AUTH_PWEXPIRED) {
 		auth_close(as);
 		disable_forwarding();
 		authctxt->force_pwchange = 1;
 		return (1);
-	} else {
+	}
+	else {
 		if (!expire_checked) {
 			expire_checked = 1;
 			warn_expiry(authctxt, as);
@@ -202,183 +203,43 @@ sys_auth_passwd(Authctxt *authctxt, const char *password)
 }
 
 #elif defined(WIN32_FIXME)
+extern int auth_sock;
 int sys_auth_passwd(Authctxt *authctxt, const char *password)
 {
-  /* 
-   * Authenticate on Windows 
-   */
-   
-  struct passwd *pw = authctxt -> pw;
-
-  HANDLE hToken = INVALID_HANDLE_VALUE;
-  
-  BOOL worked = FALSE;
-  
-  LPWSTR user_UTF16     = NULL;
-  LPWSTR password_UTF16 = NULL;
-  LPWSTR domain_UTF16   = NULL;
-
-  int buffer_size = 0;
-  
-  /*
-   * Identify domain or local login.
-   */
-
-  char *username = authctxt->user;
-
-  char *domainslash = strchr(authctxt->user, '\\');
-  if (domainslash) {
-	  // domain\username format
-	  char *domainname = authctxt->user;
-	  *domainslash = '\0';
-	  username = ++domainslash; // username is past the domain \ is the username
-
- 	  // Convert domainname from UTF-8 to UTF-16
-	  buffer_size = MultiByteToWideChar(CP_UTF8, 0, domainname, -1, NULL, 0);
-
-	  if (buffer_size > 0)
-	  {
-		  domain_UTF16 = xmalloc(4 * buffer_size);
-	  }
-	  else
-	  {
-		  return 0;
-	  }
-
-	  if (0 == MultiByteToWideChar(CP_UTF8, 0, domainname,
-		  -1, domain_UTF16, buffer_size))
-	  {
-		  free(domain_UTF16);
-
-		  return 0;
-	  }
-  }
-  else if (domainslash = strchr(authctxt->user, '@')) {
-	  // username@domain format
-	  username = authctxt->user;
-	  *domainslash = '\0';
-	  char *domainname = ++domainslash; // domainname is past the user@
-
-								// Convert domainname from UTF-8 to UTF-16
-	  buffer_size = MultiByteToWideChar(CP_UTF8, 0, domainname, -1, NULL, 0);
-
-	  if (buffer_size > 0)
-	  {
-		  domain_UTF16 = xmalloc(4 * buffer_size);
-	  }
-	  else
-	  {
-		  return 0;
-	  }
-
-	  if (0 == MultiByteToWideChar(CP_UTF8, 0, domainname,
-		  -1, domain_UTF16, buffer_size))
-	  {
-		  free(domain_UTF16);
-
-		  return 0;
-	  }
-  }
-  else {
-	  domain_UTF16 = strchr(authctxt->user, '@') ? NULL : L".";
-  }
-  
-  authctxt -> methoddata = hToken;
- 
-  if (domain_UTF16 == NULL)
-  {
-    debug3("Using domain logon...");
-  }
-  
-  /*
-   * Convert username from UTF-8 to UTF-16
-   */
- 
-  buffer_size = MultiByteToWideChar(CP_UTF8, 0, username, -1, NULL, 0);
-
-  if (buffer_size > 0)
-  {
-    user_UTF16 = xmalloc(4 * buffer_size);
-  }
-  else
-  {
-    return 0;
-  }
-  
-  if (0 == MultiByteToWideChar(CP_UTF8, 0, username,
-                                   -1, user_UTF16, buffer_size))
-  {
-    free(user_UTF16);
-
-    return 0;
-  }
-
-  /*
-   * Convert password from UTF-8 to UTF-16
-   */
-  
-  buffer_size = MultiByteToWideChar(CP_UTF8, 0, password, -1, NULL, 0);
-
-  if (buffer_size > 0)
-  {
-    password_UTF16 = xmalloc(4 * buffer_size);
-  }
-  else
-  {
-    return 0;
-  }
-  
-  if (0 == MultiByteToWideChar(CP_UTF8, 0, password, -1, 
-                                   password_UTF16 , buffer_size))
-  {
-    free(password_UTF16 );
-
-    return 0;
-  }
-  
-  worked = LogonUserW(user_UTF16, domain_UTF16, password_UTF16,
-	  LOGON32_LOGON_NETWORK,
-                             LOGON32_PROVIDER_DEFAULT, &hToken);
-                             
-  
-  free(user_UTF16);
-  free(password_UTF16);
-  if (domainslash) free(domain_UTF16);
-  
-  /*
-   * If login still fails, go out.
-   */
-   
-  if (!worked || hToken == INVALID_HANDLE_VALUE)
-  {
-    return 0;
-  }
-
-  /*
-   * Make sure this can be inherited for when 
-   * we start shells or commands.
-   */
-  
-  worked = SetHandleInformation(hToken, HANDLE_FLAG_INHERIT, HANDLE_FLAG_INHERIT);
-  
-  if (!worked)
-  {
-    CloseHandle(hToken);
-    
-    hToken = INVALID_HANDLE_VALUE;
-    
-    authctxt -> methoddata = hToken;
-
-    return 0;
-  }
-
-  /*
-   * Save the handle (or invalid handle) as method-specific data.
-   */
-   
-  authctxt -> methoddata = hToken;
-
-  return 1;
+	/*
+	 * Authenticate on Windows
+	 */
+
+	{
+		u_char *blob = NULL;
+		size_t blen = 0;
+		DWORD token = 0;
+		struct sshbuf *msg = NULL;
+
+		msg = sshbuf_new();
+		if (!msg)
+			return 0;
+		if (sshbuf_put_u8(msg, 100) != 0 ||
+			sshbuf_put_cstring(msg, "password") != 0 ||
+			sshbuf_put_cstring(msg, authctxt->user) != 0 ||
+			sshbuf_put_cstring(msg, password) != 0 ||
+			ssh_request_reply(auth_sock, msg, msg) != 0 ||
+			sshbuf_get_u32(msg, &token) != 0) {
+			debug("auth agent did not authorize client %s", authctxt->pw->pw_name);
+			return 0;
+		}
+
+
+		if (blob)
+			free(blob);
+		if (msg)
+			sshbuf_free(msg);
+
+		authctxt->methoddata = token;
+		
+	}
+
+	return 1;
 }
 
 #elif !defined(CUSTOM_SYS_AUTH_PASSWD)
@@ -397,13 +258,13 @@ sys_auth_passwd(Authctxt *authctxt, const char *password)
 
 	/* Encrypt the candidate password using the proper salt. */
 	encrypted_password = xcrypt(password,
-	    (pw_password[0] && pw_password[1]) ? pw_password : "xx");
+		(pw_password[0] && pw_password[1]) ? pw_password : "xx");
 
 	/*
 	 * Authentication is accepted if the encrypted passwords
 	 * are identical.
 	 */
 	return encrypted_password != NULL &&
-	    strcmp(encrypted_password, pw_password) == 0;
+		strcmp(encrypted_password, pw_password) == 0;
 }
 #endif