| -rw-r--r-- | Makefile | 6 | ||||
| -rw-r--r-- | configurable-definitions | 6 | ||||
| -rw-r--r-- | src/auth.h | 9 | ||||
| -rw-r--r-- | src/auth/crypt.c | 122 | ||||
| -rw-r--r-- | src/auth/crypt.h | 41 | ||||
| -rw-r--r-- | src/cerberus.c | 2 | 
6 files changed, 185 insertions, 1 deletions
| @@ -26,7 +26,8 @@ PATH = $(_LB):$(_UB):$(_SB)  PATH_ROOT = $(_LS):$(_LB):$(_US):$(_UB):$(_SS):$(_SB)  auth_none = 0 -auth_pam = 1 +auth_crypt = 1 +auth_pam = 2  H = \#  VCS_LEN = $(shell vcs="$(VCS)" ; echo "$${$(H)vcs}") @@ -42,6 +43,9 @@ OPTIMISE = -Os  CPPFLAGS = $(EXTRA_CPP_FLAGS) $(STR_CPPFLAGS) $(VRB_CPPFLAGS)  CFLAGS = -std=gnu99 -Wall -Wextra  LDFLAGS = +ifeq ($(AUTH),crypt) +LDFLAGS += -lcrypt +endif  ifeq ($(AUTH),pam)  LDFLAGS += -lpam  endif diff --git a/configurable-definitions b/configurable-definitions index bbc3135..8d5a946 100644 --- a/configurable-definitions +++ b/configurable-definitions @@ -40,4 +40,10 @@ AUTH (default: pam, type: name)          pam	   -- Pluggable Authentication Module (PAM)  	none	   -- Always auto-authenticate +	crypt	   -- Authenticate with crypt and /etc/shadow or /etc/passwd + + +NO_SHADOW (default: undefined, type: #ifdef, required: AUTH=crypt) + +    Do not use /etc/shadow (shadow.h) unless HAVE_SHADOW is definied @@ -31,6 +31,15 @@  #elif AUTH == 1 +#include "auth/crypt.h" +#define  close_login_session(...)  /* do nothing */ +#define  initialise_login          initialise_crypt +#define  authenticate_login        authenticate_crypt +#define  verify_account(...)       /* do nothing */ +#define  open_login_session(...)   /* do nothing */ + +#elif AUTH == 2 +  #include "auth/pam.h"  #define  close_login_session  close_session_pam  #define  initialise_login     initialise_pam diff --git a/src/auth/crypt.c b/src/auth/crypt.c new file mode 100644 index 0000000..27238e2 --- /dev/null +++ b/src/auth/crypt.c 
@@ -0,0 +1,122 @@
+/**
+ * cerberus – Minimal login program
+ * 
+ * Copyright © 2013  Mattias Andrée (maandree@member.fsf.org)
+ * 
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ * 
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ * 
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+#ifndef NO_SHADOW
+# ifndef HAVE_SHADOW
+#  define HAVE_SHADOW
+# endif
+#endif
+
+#define _XOPEN_SOURCE
+#include <unistd.h>
+#include <stdio.h>
+#include <sys/types.h>
+#include <pwd.h>
+#include <string.h>
+#ifdef HAVE_SHADOW
+#include <shadow.h>
+#endif
+
+#include "../config.h"
+
+#include "crypt.h"
+
+
+#if !defined(__USE_SVID) && !defined(__USE_MISC) && !defined(__USE_XOPEN_EXTENDED) 
+#define endpwent()  /* do nothing */
+#endif
+
+
+/**
+ * Function that can be used to read a passphrase from the terminal
+ */
+static char* (*passphrase_reader)(void) = NULL;
+
+/**
+ * The username of the user to log in to
+ */
+static char* login_username;
+
+
+
+/**
+ * Initialise crypt authentication module
+ * 
+ * @param  remote    The remote computer, {@code NULL} for local login
+ * @param  username  The username of the user to log in to
+ * @param  reader    Function that can be used to read a passphrase from the terminal
+ */
+void initialise_crypt(char* remote, char* username, char* (*reader)(void))
+{
+  (void) remote;
+  
+  login_username = username;
+  passphrase_reader = reader;
+}
+
+
+/**
+ * Perform token authentication
+ * 
+ * @return  Whether the user got automatically authenticated
+ */
+char authenticate_crypt(void)
+{
+#ifdef HAVE_SHADOW
+  struct spwd* shadow_entry = NULL;
+#endif
+  struct passwd* passwd_entry = NULL;
+  char* crypted;
+  char* entered;
+  
+#ifdef HAVE_SHADOW
+  shadow_entry = getspnam(login_username);
+  endspent();
+  
+  if (shadow_entry)
+    crypted = shadow_entry->sp_pwdp;
+  else
+    {
+#endif
+      passwd_entry = getpwnam(login_username);
+      if (passwd_entry)
+	crypted = passwd_entry->pw_passwd;
+      else
+	{
+	  perror("getpwnam");
+	  endpwent();
+	  sleep(ERROR_SLEEP);
+	  _exit(1);
+	}
+      endpwent();
+#ifdef HAVE_SHADOW
+    }
+#endif
+  
+  if (!(crypted && *crypted)) /* empty means that no passphrase is required (not even Enter) */
+    return 1;
+  
+  entered = crypt(passphrase_reader(), crypted /* salt argument stops parsing when encrypted begins */);
+  if (entered && !strcmp(entered, crypted))
+    return 0;
+  
+  printf("Incorrect passphrase\n");
+  sleep(FAILURE_SLEEP);
+  _exit(1);
+}
+
diff --git a/src/auth/crypt.h b/src/auth/crypt.h
new file mode 100644
index 0000000..e75c5b5
--- /dev/null
+++ b/src/auth/crypt.h
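Review bot: In `authenticate_crypt` the plaintext returned by `passphrase_reader()` is passed straight into `crypt()` and then left in memory — nothing clears it — and a NULL return from the reader (EOF or a read error on the terminal) would reach `crypt(NULL, …)` unchecked, while the `entered &&` test only covers crypt's own failure. The hash comparison uses `strcmp`, which stops at the first differing byte, so its running time depends on how long a prefix of the stored hash matched; a fixed-time comparison over the full length of `crypted` removes that dependence. Who owns the reader's buffer is not visible here, so the scrub below assumes writable memory the reader does not reuse — confirm against the reader's contract before adopting it; `explicit_bzero` also needs `_DEFAULT_SOURCE` (or a volatile-pointer loop as the portable fallback), since this file defines only `_XOPEN_SOURCE`.
```c
  char* passphrase = passphrase_reader();
  if (passphrase == NULL)
    {
      sleep(FAILURE_SLEEP);
      _exit(1);
    }
  entered = crypt(passphrase, crypted /* salt argument stops parsing when encrypted begins */);
  /* scrub the plaintext as soon as the hash exists; a plain memset may be optimised away */
  explicit_bzero(passphrase, strlen(passphrase));
  /* … unchanged: compare entered against crypted, failure message, sleep, _exit … */
```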
@@ -0,0 +1,41 @@ +/** + * cerberus – Minimal login program + *  + * Copyright © 2013  Mattias Andrée (maandree@member.fsf.org) + *  + * This program is free software: you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation, either version 3 of the License, or + * (at your option) any later version. + *  + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the + * GNU General Public License for more details. + *  + * You should have received a copy of the GNU General Public License + * along with this program.  If not, see <http://www.gnu.org/licenses/>. + */ +#ifndef __CRYPT_H__ +#define __CRYPT_H__ + + +/** + * Initialise crypt authentication module + *  + * @param  remote    The remote computer, {@code NULL} for local login + * @param  username  The username of the user to log in to + * @param  reader    Function that can be used to read a passphrase from the terminal + */ +void initialise_crypt(char* remote, char* username, char* (*reader)(void)); + +/** + * Perform token authentication + *  + * @return  Whether the user got automatically authenticated + */ +char authenticate_crypt(void); + + +#endif + diff --git a/src/cerberus.c b/src/cerberus.c index e52a48f..c555a2b 100644 --- a/src/cerberus.c +++ b/src/cerberus.c @@ -196,6 +196,7 @@ void do_login(int argc, char** argv)    #ifdef USE_TTY_GROUP    if ((group = getgrnam(TTY_GROUP)))      tty_group = group->gr_gid; +  endgrent();    #endif    secure_tty(tty_group); @@ -223,6 +224,7 @@ void do_login(int argc, char** argv)        sleep(ERROR_SLEEP);        _exit(1);      } +  endpwent();    username = entry->pw_name; | 
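Review bot: The include guard `__CRYPT_H__` in src/auth/crypt.h is a double-underscore identifier, which C reserves for the implementation; since this header also shares the system header's basename `crypt.h`, a project-specific guard such as `CERBERUS_AUTH_CRYPT_H` both leaves the reserved range and rules out any collision with the libc header's own guard. The `@return` line on `authenticate_crypt` would also benefit from stating the full contract the .c file implements rather than only the auto-authentication case: `@return  1 if no passphrase is required, 0 if the entered passphrase matched; the process exits on failure`.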
