/[LeafOK_CVS]/lbbs/src/login.c
ViewVC logotype

Contents of /lbbs/src/login.c

Parent Directory Parent Directory | Revision Log Revision Log

Revision 1.71 - (show annotations)
Fri Nov 28 14:35:38 2025 UTC (3 months, 2 weeks ago) by sysadm
Branch: MAIN
Changes since 1.70: +7 -0 lines
Content type: text/x-csrc 
Prevent user with special privilege from logging in via plain (non-SSH) mode
1 /* SPDX-License-Identifier: GPL-3.0-or-later */
2 /*
3 * login
4 * - user authentication and online status manager
5 *
6 * Copyright (C) 2004-2025 Leaflet <leaflet@leafok.com>
7 */
8
9 #ifdef HAVE_CONFIG_H
10 #include "config.h"
11 #endif
12
13 #include "bbs.h"
14 #include "common.h"
15 #include "database.h"
16 #include "io.h"
17 #include "ip_mask.h"
18 #include "log.h"
19 #include "login.h"
20 #include "screen.h"
21 #include "user_priv.h"
22 #include <ctype.h>
23 #include <errno.h>
24 #include <stdlib.h>
25 #include <string.h>
26 #include <regex.h>
27 #include <unistd.h>
28 #include <mysql.h>
29 #include <sys/param.h>
30
31 static const int BBS_username_min_len = 3; // common len = 5, special len = 3
32 static const int BBS_password_min_len = 5; // legacy len = 5, current len = 6
33
34 static const int BBS_allowed_login_failures_within_interval = 10;
35 static const int BBS_login_failures_count_interval = 10; // minutes
36 static const int BBS_allowed_login_failures_per_account = 3;
37
38 const int BBS_login_retry_times = 3;
39
40 int bbs_login(void)
41 {
42 char username[BBS_username_max_len + 1];
43 char password[BBS_password_max_len + 1];
44 int i = 0;
45 int ok = 0;
46
47 for (; !SYS_server_exit && !ok && i < BBS_login_retry_times; i++)
48 {
49 prints("\033[1;33m请输入帐号\033[m(试用请输入`\033[1;36mguest\033[m', "
50 "注册请输入`\033[1;31mnew\033[m'): ");
51 iflush();
52
53 if (str_input(username, sizeof(username), DOECHO) < 0)
54 {
55 continue;
56 }
57
58 if (strcmp(username, "guest") == 0)
59 {
60 load_guest_info();
61
62 return 0;
63 }
64
65 if (strcmp(username, "new") == 0)
66 {
67 display_file(DATA_REGISTER, 1);
68
69 return -1;
70 }
71
72 if (username[0] != '\0')
73 {
74 prints("\033[1;37m请输入密码\033[m: ");
75 iflush();
76
77 if (str_input(password, sizeof(password), NOECHO) < 0)
78 {
79 continue;
80 }
81
82 ok = (check_user(username, password) == 0);
83 iflush();
84 }
85 }
86
87 if (!ok)
88 {
89 display_file(DATA_LOGIN_ERROR, 1);
90 return -1;
91 }
92
93 log_common("User \"%s\"(%ld) login from %s:%d\n",
94 BBS_username, BBS_priv.uid, hostaddr_client, port_client);
95
96 return 0;
97 }
98
99 int check_user(const char *username, const char *password)
100 {
101 MYSQL *db = NULL;
102 MYSQL_RES *rs = NULL;
103 MYSQL_ROW row;
104 char sql[SQL_BUFFER_LEN];
105 int ret = 0;
106 int BBS_uid = 0;
107 char client_addr[IP_ADDR_LEN];
108 int i;
109 int ok = 1;
110 char user_tz_env[BBS_user_tz_max_len + 2];
111
112 db = db_open();
113 if (db == NULL)
114 {
115 ret = -1;
116 goto cleanup;
117 }
118
119 // Verify format
120 for (i = 0; ok && username[i] != '\0'; i++)
121 {
122 if (!(isalpha((int)username[i]) || (i > 0 && (isdigit((int)username[i]) || username[i] == '_'))))
123 {
124 ok = 0;
125 }
126 }
127 if (ok && (i < BBS_username_min_len || i > BBS_username_max_len))
128 {
129 ok = 0;
130 }
131 for (i = 0; ok && password[i] != '\0'; i++)
132 {
133 if (!isalnum((int)password[i]))
134 {
135 ok = 0;
136 }
137 }
138 if (ok && (i < BBS_password_min_len || i > BBS_password_max_len))
139 {
140 ok = 0;
141 }
142
143 if (!ok)
144 {
145 prints("\033[1;31m用户名或密码格式错误...\033[m\r\n");
146 ret = 1;
147 goto cleanup;
148 }
149
150 // Begin transaction
151 if (mysql_query(db, "SET autocommit=0") != 0)
152 {
153 log_error("SET autocommit=0 error: %s\n", mysql_error(db));
154 ret = -1;
155 goto cleanup;
156 }
157
158 if (mysql_query(db, "BEGIN") != 0)
159 {
160 log_error("Begin transaction error: %s\n", mysql_error(db));
161 ret = -1;
162 goto cleanup;
163 }
164
165 // Failed login attempts from the same source (subnet /24) during certain time period
166 strncpy(client_addr, hostaddr_client, sizeof(client_addr) - 1);
167 client_addr[sizeof(client_addr) - 1] = '\0';
168
169 snprintf(sql, sizeof(sql),
170 "SELECT COUNT(*) AS err_count FROM user_err_login_log "
171 "WHERE login_dt >= SUBDATE(NOW(), INTERVAL %d MINUTE) "
172 "AND login_ip LIKE '%s'",
173 BBS_login_failures_count_interval,
174 ip_mask(client_addr, 1, '%'));
175 if (mysql_query(db, sql) != 0)
176 {
177 log_error("Query user_list error: %s\n", mysql_error(db));
178 ret = -1;
179 goto cleanup;
180 }
181 if ((rs = mysql_store_result(db)) == NULL)
182 {
183 log_error("Get user_list data failed\n");
184 ret = -1;
185 goto cleanup;
186 }
187 if ((row = mysql_fetch_row(rs)))
188 {
189 if (atoi(row[0]) >= BBS_allowed_login_failures_within_interval)
190 {
191 prints("\033[1;31m来源存在多次失败登陆尝试,请稍后再试,或使用Web方式访问\033[m\r\n");
192 ret = 1;
193 goto cleanup;
194 }
195 }
196 mysql_free_result(rs);
197 rs = NULL;
198
199 // Failed login attempts against the current username since last successful login
200 snprintf(sql, sizeof(sql),
201 "SELECT COUNT(*) AS err_count FROM user_err_login_log "
202 "LEFT JOIN user_list ON user_err_login_log.username = user_list.username "
203 "LEFT JOIN user_pubinfo ON user_list.UID = user_pubinfo.UID "
204 "WHERE user_err_login_log.username = '%s' "
205 "AND (user_err_login_log.login_dt >= user_pubinfo.last_login_dt "
206 "OR user_pubinfo.last_login_dt IS NULL)",
207 username);
208 if (mysql_query(db, sql) != 0)
209 {
210 log_error("Query user_list error: %s\n", mysql_error(db));
211 ret = -1;
212 goto cleanup;
213 }
214 if ((rs = mysql_store_result(db)) == NULL)
215 {
216 log_error("Get user_list data failed\n");
217 ret = -1;
218 goto cleanup;
219 }
220 if ((row = mysql_fetch_row(rs)))
221 {
222 if (atoi(row[0]) >= BBS_allowed_login_failures_per_account)
223 {
224 prints("\033[1;31m账户存在多次失败登陆尝试,请使用Web方式登录解锁\033[m\r\n");
225 ret = 1;
226 goto cleanup;
227 }
228 }
229 mysql_free_result(rs);
230 rs = NULL;
231
232 snprintf(sql, sizeof(sql),
233 "SELECT UID, username, p_login FROM user_list "
234 "WHERE username = '%s' AND password = SHA2('%s', 256) AND enable",
235 username, password);
236 if (mysql_query(db, sql) != 0)
237 {
238 log_error("Query user_list error: %s\n", mysql_error(db));
239 ret = -1;
240 goto cleanup;
241 }
242 if ((rs = mysql_store_result(db)) == NULL)
243 {
244 log_error("Get user_list data failed\n");
245 ret = -1;
246 goto cleanup;
247 }
248 if ((row = mysql_fetch_row(rs)))
249 {
250 BBS_uid = atoi(row[0]);
251 strncpy(BBS_username, row[1], sizeof(BBS_username) - 1);
252 BBS_username[sizeof(BBS_username) - 1] = '\0';
253 int p_login = atoi(row[2]);
254
255 mysql_free_result(rs);
256 rs = NULL;
257
258 // Add user login log
259 snprintf(sql, sizeof(sql),
260 "INSERT INTO user_login_log(UID, login_dt, login_ip) "
261 "VALUES(%d, NOW(), '%s')",
262 BBS_uid, hostaddr_client);
263 if (mysql_query(db, sql) != 0)
264 {
265 log_error("Insert into user_login_log error: %s\n", mysql_error(db));
266 ret = -1;
267 goto cleanup;
268 }
269
270 // Commit transaction
271 if (mysql_query(db, "COMMIT") != 0)
272 {
273 log_error("Commit transaction error: %s\n", mysql_error(db));
274 ret = -1;
275 goto cleanup;
276 }
277
278 if (p_login == 0)
279 {
280 prints("\033[1;31m您目前无权登陆...\033[m\r\n");
281 ret = 1;
282 goto cleanup;
283 }
284 }
285 else
286 {
287 mysql_free_result(rs);
288 rs = NULL;
289
290 snprintf(sql, sizeof(sql),
291 "INSERT INTO user_err_login_log(username, password, login_dt, login_ip) "
292 "VALUES('%s', '%s', NOW(), '%s')",
293 username, password, hostaddr_client);
294 if (mysql_query(db, sql) != 0)
295 {
296 log_error("Insert into user_err_login_log error: %s\n", mysql_error(db));
297 ret = -1;
298 goto cleanup;
299 }
300
301 // Commit transaction
302 if (mysql_query(db, "COMMIT") != 0)
303 {
304 log_error("Commit transaction error: %s\n", mysql_error(db));
305 ret = -1;
306 goto cleanup;
307 }
308
309 prints("\033[1;31m错误的用户名或密码...\033[m\r\n");
310 ret = 1;
311 goto cleanup;
312 }
313
314 // Set AUTOCOMMIT = 1
315 if (mysql_query(db, "SET autocommit=1") != 0)
316 {
317 log_error("SET autocommit=1 error: %s\n", mysql_error(db));
318 ret = -1;
319 goto cleanup;
320 }
321
322 ret = load_user_info(db, BBS_uid);
323
324 switch (ret)
325 {
326 case 0: // Login successfully
327 break;
328 case -1: // Load data error
329 prints("\033[1;31m读取用户数据错误...\033[m\r\n");
330 ret = -1;
331 goto cleanup;
332 case -2: // Unused
333 prints("\033[1;31m请通过Web登录更新用户许可协议...\033[m\r\n");
334 ret = 1;
335 goto cleanup;
336 case -3: // Dead
337 prints("\033[1;31m很遗憾,您已经永远离开了我们的世界!\033[m\r\n");
338 ret = 1;
339 goto cleanup;
340 default:
341 ret = -2;
342 goto cleanup;
343 }
344
345 if (!SSH_v2 && checklevel2(&BBS_priv, P_MAN_S))
346 {
347 prints("\033[1;31m非普通账户必须使用SSH方式登录\033[m\r\n");
348 ret = 1;
349 goto cleanup;
350 }
351
352 snprintf(sql, sizeof(sql),
353 "UPDATE user_pubinfo SET visit_count = visit_count + 1, "
354 "last_login_dt = NOW() WHERE UID = %d",
355 BBS_uid);
356 if (mysql_query(db, sql) != 0)
357 {
358 log_error("Update user_pubinfo error: %s\n", mysql_error(db));
359 ret = -1;
360 goto cleanup;
361 }
362
363 if (user_online_add(db) != 0)
364 {
365 ret = -1;
366 goto cleanup;
367 }
368
369 BBS_last_access_tm = BBS_login_tm = time(NULL);
370
371 // Set user tz to process env
372 if (BBS_user_tz[0] != '\0')
373 {
374 user_tz_env[0] = ':';
375 strncpy(user_tz_env + 1, BBS_user_tz, sizeof(user_tz_env) - 2);
376 user_tz_env[sizeof(user_tz_env) - 1] = '\0';
377
378 if (setenv("TZ", user_tz_env, 1) == -1)
379 {
380 log_error("setenv(TZ = %s) error %d\n", user_tz_env, errno);
381 return -3;
382 }
383
384 tzset();
385 }
386
387 cleanup:
388 mysql_free_result(rs);
389 mysql_close(db);
390
391 return ret;
392 }
393
394 int load_user_info(MYSQL *db, int BBS_uid)
395 {
396 MYSQL_RES *rs = NULL;
397 MYSQL_ROW row;
398 char sql[SQL_BUFFER_LEN];
399 int life;
400 time_t last_login_dt;
401 int ret = 0;
402
403 snprintf(sql, sizeof(sql),
404 "SELECT life, UNIX_TIMESTAMP(last_login_dt), user_timezone, exp, nickname "
405 "FROM user_pubinfo WHERE UID = %d",
406 BBS_uid);
407 if (mysql_query(db, sql) != 0)
408 {
409 log_error("Query user_pubinfo error: %s\n", mysql_error(db));
410 ret = -1;
411 goto cleanup;
412 }
413 if ((rs = mysql_store_result(db)) == NULL)
414 {
415 log_error("Get user_pubinfo data failed\n");
416 ret = -1;
417 goto cleanup;
418 }
419 if ((row = mysql_fetch_row(rs)))
420 {
421 life = atoi(row[0]);
422 last_login_dt = (time_t)atol(row[1]);
423
424 strncpy(BBS_user_tz, row[2], sizeof(BBS_user_tz) - 1);
425 BBS_user_tz[sizeof(BBS_user_tz) - 1] = '\0';
426
427 BBS_user_exp = atoi(row[3]);
428
429 strncpy(BBS_nickname, row[4], sizeof(BBS_nickname));
430 BBS_nickname[sizeof(BBS_nickname) - 1] = '\0';
431 }
432 else
433 {
434 ret = -1; // Data not found
435 goto cleanup;
436 }
437 mysql_free_result(rs);
438 rs = NULL;
439
440 if (life != 333 && life != 365 && life != 666 && life != 999 && // Not immortal
441 time(NULL) - last_login_dt > 60 * 60 * 24 * life)
442 {
443 ret = -3; // Dead
444 goto cleanup;
445 }
446
447 if (load_priv(db, &BBS_priv, BBS_uid) != 0)
448 {
449 ret = -1;
450 goto cleanup;
451 }
452
453 cleanup:
454 mysql_free_result(rs);
455
456 return ret;
457 }
458
459 int load_guest_info(void)
460 {
461 MYSQL *db = NULL;
462 int ret = 0;
463
464 db = db_open();
465 if (db == NULL)
466 {
467 ret = -1;
468 goto cleanup;
469 }
470
471 strncpy(BBS_username, "guest", sizeof(BBS_username) - 1);
472 BBS_username[sizeof(BBS_username) - 1] = '\0';
473
474 BBS_user_exp = 0;
475
476 strncpy(BBS_nickname, "Guest", sizeof(BBS_nickname));
477 BBS_nickname[sizeof(BBS_nickname) - 1] = '\0';
478
479 if (load_priv(db, &BBS_priv, 0) != 0)
480 {
481 ret = -1;
482 goto cleanup;
483 }
484
485 if (user_online_add(db) != 0)
486 {
487 ret = -1;
488 goto cleanup;
489 }
490
491 BBS_last_access_tm = BBS_login_tm = time(NULL);
492
493 cleanup:
494 mysql_close(db);
495
496 return ret;
497 }
498
499 int user_online_add(MYSQL *db)
500 {
501 char sql[SQL_BUFFER_LEN];
502
503 snprintf(sql, sizeof(sql),
504 "INSERT INTO visit_log(dt, IP) VALUES(NOW(), '%s')",
505 hostaddr_client);
506 if (mysql_query(db, sql) != 0)
507 {
508 log_error("Add visit log error: %s\n", mysql_error(db));
509 return -1;
510 }
511
512 if (user_online_del(db) != 0)
513 {
514 return -2;
515 }
516
517 snprintf(sql, sizeof(sql),
518 "INSERT INTO user_online(SID, UID, ip, current_action, login_tm, last_tm) "
519 "VALUES('Telnet_Process_%d', %d, '%s', 'LOGIN', NOW(), NOW())",
520 getpid(), BBS_priv.uid, hostaddr_client);
521 if (mysql_query(db, sql) != 0)
522 {
523 log_error("Add user_online error: %s\n", mysql_error(db));
524 return -3;
525 }
526
527 return 0;
528 }
529
530 int user_online_del(MYSQL *db)
531 {
532 char sql[SQL_BUFFER_LEN];
533
534 snprintf(sql, sizeof(sql),
535 "DELETE FROM user_online WHERE SID = 'Telnet_Process_%d'",
536 getpid());
537 if (mysql_query(db, sql) != 0)
538 {
539 log_error("Delete user_online error: %s\n", mysql_error(db));
540 return -1;
541 }
542
543 return 0;
544 }
545
546 int user_online_exp(MYSQL *db)
547 {
548 char sql[SQL_BUFFER_LEN];
549
550 // +1 exp for every 5 minutes online since last logout
551 // but at most 24 hours worth of exp can be gained in Telnet session
552 snprintf(sql, sizeof(sql),
553 "UPDATE user_pubinfo SET exp = exp + FLOOR(LEAST(TIMESTAMPDIFF("
554 "SECOND, GREATEST(last_login_dt, IF(last_logout_dt IS NULL, last_login_dt, last_logout_dt)), NOW()"
555 ") / 60 / 5, 12 * 24)), last_logout_dt = NOW() "
556 "WHERE UID = %d",
557 BBS_priv.uid);
558 if (mysql_query(db, sql) != 0)
559 {
560 log_error("Update user_pubinfo error: %s\n", mysql_error(db));
561 return -1;
562 }
563
564 return 0;
565 }
566
567 int user_online_update(const char *action)
568 {
569 MYSQL *db = NULL;
570 char sql[SQL_BUFFER_LEN];
571
572 if ((action == NULL || strcmp(BBS_current_action, action) == 0) &&
573 time(NULL) - BBS_current_action_tm < BBS_current_action_refresh_interval) // No change
574 {
575 return 0;
576 }
577
578 if (action != NULL)
579 {
580 strncpy(BBS_current_action, action, sizeof(BBS_current_action) - 1);
581 BBS_current_action[sizeof(BBS_current_action) - 1] = '\0';
582 }
583
584 BBS_current_action_tm = time(NULL);
585
586 db = db_open();
587 if (db == NULL)
588 {
589 log_error("db_open() error: %s\n", mysql_error(db));
590 return -1;
591 }
592
593 snprintf(sql, sizeof(sql),
594 "UPDATE user_online SET current_action = '%s', last_tm = NOW() "
595 "WHERE SID = 'Telnet_Process_%d'",
596 BBS_current_action, getpid());
597 if (mysql_query(db, sql) != 0)
598 {
599 log_error("Update user_online error: %s\n", mysql_error(db));
600 return -2;
601 }
602
603 mysql_close(db);
604
605 return 1;
606 }
webmaster@leafok.com
 ViewVC Help
Powered by ViewVC 1.3.0-beta1