From 059deae6f3f013d480361f74e55db135e1e482bc Mon Sep 17 00:00:00 2001 From: Guan-Zhong Huang Date: Sun, 22 Jul 2012 01:25:40 +0800 Subject: [PATCH 1/3] Fix incorrect usage of log_message() --- sesman/verify_user.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sesman/verify_user.c b/sesman/verify_user.c index 5bd89c73..81ddc0a8 100644 --- a/sesman/verify_user.c +++ b/sesman/verify_user.c @@ -76,7 +76,7 @@ auth_userpass(char *user, char *pass, int *errorcode) if (1 == auth_account_disabled(stp)) { - log_message(&(g_cfg->log), LOG_LEVEL_INFO, "account %s is disabled", user); + log_message(LOG_LEVEL_INFO, "account %s is disabled", user); return 0; } From 6fd7deb5103c43a5e62ae61695d6e32379db5602 Mon Sep 17 00:00:00 2001 From: Guan-Zhong Huang Date: Thu, 7 Feb 2013 18:08:28 +0800 Subject: [PATCH 2/3] Fix compilation error without PAM --- configure.ac | 5 +++++ xrdp/Makefile.am | 1 + xrdp/xrdp_mm.c | 15 +++++++++++++-- 3 files changed, 19 insertions(+), 2 deletions(-) diff --git a/configure.ac b/configure.ac index 6dd4052e..d4315133 100644 --- a/configure.ac +++ b/configure.ac @@ -69,6 +69,11 @@ then fi fi +if test "x$enable_nopam" = "xyes" +then + AC_DEFINE([USE_NOPAM],1,[Disable PAM]) +fi + AS_IF( [test "x$enable_freerdp1" = "xyes"] , [PKG_CHECK_MODULES(FREERDP, freerdp >= 1.0.0)] ) # checking for libjpeg diff --git a/xrdp/Makefile.am b/xrdp/Makefile.am index b755bbeb..25ab3eed 100644 --- a/xrdp/Makefile.am +++ b/xrdp/Makefile.am @@ -14,6 +14,7 @@ AM_CFLAGS = \ $(EXTRA_DEFINES) INCLUDES = \ + -I$(top_builddir) \ -I$(top_srcdir)/common \ -I$(top_srcdir)/libxrdp diff --git a/xrdp/xrdp_mm.c b/xrdp/xrdp_mm.c index 1f5acaaf..008f191e 100644 --- a/xrdp/xrdp_mm.c +++ b/xrdp/xrdp_mm.c 
@@ -17,12 +17,15 @@ * * module manager */ +#include #define ACCESS #include "xrdp.h" #include "log.h" #ifdef ACCESS +#ifndef USE_NOPAM #include "security/_pam_types.h" #endif +#endif /*****************************************************************************/ struct xrdp_mm *APP_CC @@ -1071,6 +1074,7 @@ xrdp_mm_sesman_data_in(struct trans *trans) } #ifdef ACCESS +#ifndef USE_NOPAM /*********************************************************************/ /* return 0 on success */ int access_control(char *username, char *password, char *srv) @@ -1183,6 +1187,7 @@ int access_control(char *username, char *password, char *srv) return rec; } #endif +#endif /*****************************************************************************/ /* This routine clears all states to make sure that our next login will be @@ -1206,6 +1211,7 @@ void cleanup_states(struct xrdp_mm *self) } } #ifdef ACCESS +#ifndef USE_NOPAM const char *getPAMError(const int pamError) { switch(pamError){ @@ -1333,6 +1339,7 @@ const char *getPAMAdditionalErrorInfo(const int pamError,struct xrdp_mm *self) } #endif +#endif /*****************************************************************************/ int APP_CC xrdp_mm_connect(struct xrdp_mm *self) @@ -1351,10 +1358,12 @@ xrdp_mm_connect(struct xrdp_mm *self) char port[8]; char chansrvport[256]; #ifdef ACCESS +#ifndef USE_NOPAM int use_pam_auth = 0; char pam_auth_sessionIP[256]; char pam_auth_password[256]; char pam_auth_username[256]; +#endif char username[256]; char password[256]; username[0] = 0; @@ -1390,6 +1399,7 @@ xrdp_mm_connect(struct xrdp_mm *self) } #ifdef ACCESS +#ifndef USE_NOPAM else if (g_strcasecmp(name, "pamusername") == 0) { use_pam_auth = 1; @@ -1403,6 +1413,7 @@ xrdp_mm_connect(struct xrdp_mm *self) { g_strncpy(pam_auth_password, value, 255); } +#endif else if (g_strcasecmp(name, "password") == 0) { g_strncpy(password, value, 255); 
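Review bot: Building with USE_NOPAM makes the PAM access check fail open without any trace, because the `pamusername` branch and the pam_auth_* copies in the `@@ -1390,6 +1399,7 @@` hunk and the whole `if (use_pam_auth)` block in the `@@ -1421,7 +1432,7 @@` hunk are compiled out. A configuration section that still sets those keys presumably matches no branch of the else-if chain, so the connection proceeds as if the check had never been configured. An `#else` arm should at least record the mismatch, for example `else if (g_strcasecmp(name, "pamusername") == 0) { log_message(LOG_LEVEL_WARNING, "pamusername is set but xrdp was built without PAM"); }`, or refuse the connection if the key is meant to be an enforcement point. xrdp_mm_connect() starts and ends outside these hunks, so the surrounding chain should be checked before wiring this in.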
@@ -1421,7 +1432,7 @@ xrdp_mm_connect(struct xrdp_mm *self) } #ifdef ACCESS - +#ifndef USE_NOPAM if (use_pam_auth) { int reply; @@ -1464,7 +1475,7 @@ xrdp_mm_connect(struct xrdp_mm *self) return rv; } } - +#endif #endif if (self->sesman_controlled) From b518a3bfe91bb157948dde85e42f63f42b00da58 Mon Sep 17 00:00:00 2001 From: Guan-Zhong Huang Date: Sat, 9 Mar 2013 12:51:35 +0800 Subject: [PATCH 3/3] Fix password authentication to handle different encryption algorithms --- sesman/verify_user.c | 42 ++++-------------------------------------- 1 file changed, 4 insertions(+), 38 deletions(-) diff --git a/sesman/verify_user.c b/sesman/verify_user.c index 81ddc0a8..85e614d3 100644 --- a/sesman/verify_user.c +++ b/sesman/verify_user.c @@ -50,12 +50,9 @@ auth_account_disabled(struct spwd *stp); long DEFAULT_CC auth_userpass(char *user, char *pass, int *errorcode) { - char salt[13] = "$1$"; - char hash[35] = ""; - char *encr = 0; + const char *encr; struct passwd *spw; struct spwd *stp; - int saltcnt = 0; spw = getpwnam(user); @@ -80,46 +77,15 @@ auth_userpass(char *user, char *pass, int *errorcode) return 0; } - g_strncpy(hash, stp->sp_pwdp, 34); + encr = stp->sp_pwdp; } else { /* old system with only passwd */ - g_strncpy(hash, spw->pw_passwd, 34); - } - - hash[34] = '\0'; - - if (g_strncmp(hash, "$1$", 3) == 0) - { - /* gnu style crypt(); */ - saltcnt = 3; - - while ((hash[saltcnt] != '$') && (saltcnt < 11)) - { - salt[saltcnt] = hash[saltcnt]; - saltcnt++; - } - - salt[saltcnt] = '$'; - salt[saltcnt + 1] = '\0'; - } - else - { - /* classic two char salt */ - salt[0] = hash[0]; - salt[1] = hash[1]; - salt[2] = '\0'; - } - - encr = crypt(pass, salt); - - if (g_strncmp(encr, hash, 34) != 0) - { - return 0; + encr = spw->pw_passwd; } - return 1; + return (strcmp(encr, crypt(pass, encr)) == 0); } /******************************************************************************/
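Review bot: The new final return of auth_userpass() hands the result of crypt() straight to strcmp(), but crypt() returns NULL on failure. That happens, for instance, when the stored field is not a valid hash, such as a locked `!` or `*` entry on C libraries that reject invalid salts. A login attempt against such an account would then dereference NULL and crash the process instead of being rejected. Check the result before comparing: `const char *calc = crypt(pass, encr);` followed by `return (calc != NULL && strcmp(encr, calc) == 0);`. The hunk also replaces g_strncmp with strcmp and shows no `#include <string.h>`, so confirm that header is already included in verify_user.c.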