/* cygsuba.c: Minimal MSV1_0 subauthentication package supporting logon
              without a password: no credential is verified here, only the
              account's state (type, lock-out, disabled, expiry) is checked.

   Copyright 2001 Red Hat, Inc.

Written by Corinna Vinschen <vinschen@redhat.com>

This file is part of Cygwin.

This software is a copyrighted work licensed under the terms of the
Cygwin license.  Please consult the file "CYGWIN_LICENSE" for
details. */

#include <windows.h>
#include <subauth.h>
#include <ntsecapi.h>

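/* Subauthentication entry point called by MSV1_0 for a logon request.

   SECURITY NOTE (review): this routine never examines a credential.  The
   challenge/response data reachable through LOGON_INF is not looked at
   (the SSHD block below is an unbuildable sketch), so every enabled,
   non-locked-out, non-expired account of an accepted type is logged on.
   Logon hours and password expiry carried in USR_INF are not enforced
   either.  Whether a caller may select this package at all is decided by
   the LSA and its configuration, not by this file, so it must only ever
   be registered on hosts where that is acceptable.

   LOGON_LEVEL   Only NetlogonNetworkInformation is accepted.
   LOGON_INF     Logon data for that level; unused unless SSHD is defined.
   FLAGS         MSV1_0_* request flags.  MSV1_0_PASSTHRU narrows the
                 accepted account types; MSV1_0_GUEST_LOGON is reflected
                 into USR_FLAGS.
   USR_INF       SAM data of the account being logged on (read only).
   WHICH         USR_INF fields to write back; always 0, nothing is changed.
   USR_FLAGS     Returned logon flags: LOGON_GUEST or 0.
   AUTH          The subauth interface's "Authoritative" result; set on
                 every return path.
   LOGOFF,
   KICKOFF       Forced-logoff times; set to "never" on success only.

   Returns STATUS_SUCCESS when the account may log on, otherwise the
   NTSTATUS naming the reason.  */
NTSTATUS NTAPI
Msv1_0SubAuthenticationRoutine (NETLOGON_LOGON_INFO_CLASS logon_level,
				VOID *logon_inf,
				ULONG flags,
				USER_ALL_INFORMATION *usr_inf,
				ULONG *which,
				ULONG *usr_flags,
				BOOLEAN *auth,
				LARGE_INTEGER *logoff,
				LARGE_INTEGER *kickoff)
{
  /* Account types this package is willing to log on.  A pass-through
     request gets normal accounts only; a local request additionally
     accepts temp-duplicate accounts.  */
  ULONG valid_account = USER_NORMAL_ACCOUNT;
  if (!(flags & MSV1_0_PASSTHRU))
    valid_account |= USER_TEMP_DUPLICATE_ACCOUNT;

  /* Nothing in USR_INF is written back, and no user flags unless the
     guest case below applies.  */
  *which = 0;
  *usr_flags = 0;

  /* Only network logons are handled.
     TODO: How do I manage an interactive logon using a subauthentication
     package???  The logon_level "interactive" is available but I never
     got it working.  I assume that's the reason I don't get a legal
     logon session so that I can connect to network drives.  */
  if (logon_level != NetlogonNetworkInformation)
    {
      *auth = TRUE;
      return STATUS_INVALID_INFO_CLASS;
    }

  /* Account type acceptable for this request?  */
  if (!(usr_inf->UserAccountControl & valid_account))
    {
      *auth = FALSE;
      return STATUS_NO_SUCH_USER;
    }

  /* Guest logon?  Reflect it into the returned user flags.  */
  if (flags & MSV1_0_GUEST_LOGON)
    *usr_flags = LOGON_GUEST;

#if defined (SSHD)
  /* Design sketch only: `authentication_failed' is not defined anywhere
     in this file, so this block does not build.  The idea is that an
     SSH-specific variant could carry RSA/DSA key material in the
     challenge/response fields below and verify it here, giving a secure
     key-based logon instead of the unconditional acceptance this package
     otherwise performs.  */
  {
    PNETLOGON_NETWORK_INFO nw_inf = (PNETLOGON_NETWORK_INFO) logon_inf;

    /*
        nw_inf->LmChallenge.data <=>
			MSV1_0_LM20_LOGON::ChallengeToClient
        nw_inf->NtChallengeResponse <=>
			MSV1_0_LM20_LOGON::CaseSensitiveChallengeResponse
        nw_inf->LmChallengeResponse <=>
			MSV1_0_LM20_LOGON::CaseInsensitiveChallengeResponse
    */
    if (authentication_failed)
      {
        *auth = (usr_inf->UserAccountControl & USER_ACCOUNT_DISABLED) ?
		         FALSE : TRUE;
        return STATUS_WRONG_PASSWORD;
      }
  }
#endif

  /* Account-state checks.  NOTE (review): the built-in Administrator
     (DOMAIN_USER_RID_ADMIN) bypasses all three, so a locked-out, disabled
     or expired built-in Administrator is still accepted by this package.  */
  if (usr_inf->UserId != DOMAIN_USER_RID_ADMIN)
    {
      FILETIME now;
      LARGE_INTEGER logon_time;

      /* Account locked out?  */
      if (usr_inf->UserAccountControl & USER_ACCOUNT_AUTO_LOCKED)
	{
	  *auth = (usr_inf->UserAccountControl & USER_ACCOUNT_DISABLED) ?
			   FALSE : TRUE;
	  return STATUS_ACCOUNT_LOCKED_OUT;
	}

      /* Account disabled?  */
      if (usr_inf->UserAccountControl & USER_ACCOUNT_DISABLED)
        {
          *auth = FALSE;
          return STATUS_ACCOUNT_DISABLED;
        }

      /* Account expired?  Take the current time directly as a FILETIME:
	 GetSystemTimeAsFileTime cannot fail, whereas the previous
	 GetSystemTime + SystemTimeToFileTime pair ignored the conversion's
	 return value and could have compared an uninitialised timestamp.
	 An AccountExpires of 0 means "never expires".  */
      GetSystemTimeAsFileTime (&now);
      logon_time.LowPart = now.dwLowDateTime;
      logon_time.HighPart = (LONG) now.dwHighDateTime;
      if (usr_inf->AccountExpires.QuadPart
	  && logon_time.QuadPart >= usr_inf->AccountExpires.QuadPart)
	{
          *auth = TRUE;
          return STATUS_ACCOUNT_EXPIRED;
        }
    }

  /* Don't force logout: both times are set to the largest positive
     LARGE_INTEGER, i.e. "never".  */
  logoff->HighPart = 0x7FFFFFFF;
  logoff->LowPart = 0xFFFFFFFF;
  kickoff->HighPart = 0x7FFFFFFF;
  kickoff->LowPart = 0xFFFFFFFF;

  *auth = TRUE;
  return STATUS_SUCCESS;
}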

/* Filter entry point of the subauthentication package.  It applies
   exactly the same policy as Msv1_0SubAuthenticationRoutine: every
   argument is handed through unchanged and the routine's NTSTATUS and
   out-parameters are returned as-is.  */
NTSTATUS NTAPI
Msv1_0SubAuthenticationFilter (NETLOGON_LOGON_INFO_CLASS logon_level,
			       VOID *logon_inf,
			       ULONG flags,
			       USER_ALL_INFORMATION *usr_inf,
			       ULONG *which,
			       ULONG *usr_flags,
			       BOOLEAN *auth,
			       LARGE_INTEGER *logoff,
			       LARGE_INTEGER *kickoff)
{
  NTSTATUS status;

  status = Msv1_0SubAuthenticationRoutine (logon_level,
					   logon_inf,
					   flags,
					   usr_inf,
					   which,
					   usr_flags,
					   auth,
					   logoff,
					   kickoff);
  return status;
}