1/* $OpenBSD: auth.c,v 1.80 2008/11/04 07:58:09 djm Exp $ */
|
| 1/* $OpenBSD: auth.c,v 1.86 2010/03/05 02:58:11 djm Exp $ */ |
2/*
3 * Copyright (c) 2000 Markus Friedl. All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in the
12 * documentation and/or other materials provided with the distribution.
13 *
14 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
15 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
16 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
17 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
18 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
19 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
20 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
21 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
22 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
23 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
24 */
25
26#include "includes.h"
|
27__RCSID("$FreeBSD: head/crypto/openssh/auth.c 192595 2009-05-22 18:46:28Z des $");
|
| 27__RCSID("$FreeBSD: head/crypto/openssh/auth.c 204917 2010-03-09 19:16:43Z des $"); |
28
29#include <sys/types.h>
30#include <sys/stat.h>
31#include <sys/param.h>
32
33#include <netinet/in.h>
34
35#include <errno.h>
36#include <fcntl.h>
37#ifdef HAVE_PATHS_H
38# include <paths.h>
39#endif
40#include <pwd.h>
41#ifdef HAVE_LOGIN_H
42#include <login.h>
43#endif
44#ifdef USE_SHADOW
45#include <shadow.h>
46#endif
47#ifdef HAVE_LIBGEN_H
48#include <libgen.h>
49#endif
50#include <stdarg.h>
51#include <stdio.h>
52#include <string.h>
53#include <unistd.h>
54
55#include "xmalloc.h"
56#include "match.h"
57#include "groupaccess.h"
58#include "log.h"
59#include "buffer.h"
60#include "servconf.h"
61#include "key.h"
62#include "hostfile.h"
63#include "auth.h"
64#include "auth-options.h"
65#include "canohost.h"
66#include "uidswap.h"
67#include "misc.h"
68#include "packet.h"
69#include "loginrec.h"
70#ifdef GSSAPI
71#include "ssh-gss.h"
72#endif
|
| 73#include "authfile.h" |
74#include "monitor_wrap.h"
75
76/* import */
77extern ServerOptions options;
78extern int use_privsep;
79extern Buffer loginmsg;
80extern struct passwd *privsep_pw;
81
82/* Debugging messages */
83Buffer auth_debug;
84int auth_debug_init;
85
86/*
87 * Check if the user is allowed to log in via ssh. If user is listed
88 * in DenyUsers or one of user's groups is listed in DenyGroups, false
89 * will be returned. If AllowUsers isn't empty and user isn't listed
90 * there, or if AllowGroups isn't empty and one of user's groups isn't
91 * listed there, false will be returned.
92 * If the user's shell is not executable, false will be returned.
93 * Otherwise true is returned.
94 */
95int
96allowed_user(struct passwd * pw)
97{
98 struct stat st;
99 const char *hostname = NULL, *ipaddr = NULL, *passwd = NULL;
|
99 char *shell;
|
100 u_int i;
101#ifdef USE_SHADOW
102 struct spwd *spw = NULL;
103#endif
104
105 /* Shouldn't be called if pw is NULL, but better safe than sorry... */
106 if (!pw || !pw->pw_name)
107 return 0;
108
109#ifdef USE_SHADOW
110 if (!options.use_pam)
111 spw = getspnam(pw->pw_name);
112#ifdef HAS_SHADOW_EXPIRE
113 if (!options.use_pam && spw != NULL && auth_shadow_acctexpired(spw))
114 return 0;
115#endif /* HAS_SHADOW_EXPIRE */
116#endif /* USE_SHADOW */
117
118 /* grab passwd field for locked account check */
119 passwd = pw->pw_passwd;
120#ifdef USE_SHADOW
121 if (spw != NULL)
122#ifdef USE_LIBIAF
123 passwd = get_iaf_password(pw);
124#else
125 passwd = spw->sp_pwdp;
126#endif /* USE_LIBIAF */
127#endif
128
129 /* check for locked account */
130 if (!options.use_pam && passwd && *passwd) {
131 int locked = 0;
132
133#ifdef LOCKED_PASSWD_STRING
134 if (strcmp(passwd, LOCKED_PASSWD_STRING) == 0)
135 locked = 1;
136#endif
137#ifdef LOCKED_PASSWD_PREFIX
138 if (strncmp(passwd, LOCKED_PASSWD_PREFIX,
139 strlen(LOCKED_PASSWD_PREFIX)) == 0)
140 locked = 1;
141#endif
142#ifdef LOCKED_PASSWD_SUBSTR
143 if (strstr(passwd, LOCKED_PASSWD_SUBSTR))
144 locked = 1;
145#endif
146#ifdef USE_LIBIAF
147 free(passwd);
148#endif /* USE_LIBIAF */
149 if (locked) {
150 logit("User %.100s not allowed because account is locked",
151 pw->pw_name);
152 return 0;
153 }
154 }
155
156 /*
|
157 * Get the shell from the password data. An empty shell field is
158 * legal, and means /bin/sh.
|
157 * Deny if shell does not exist or is not executable unless we
158 * are chrooting. |
159 */
|
160 shell = (pw->pw_shell[0] == '\0') ? _PATH_BSHELL : pw->pw_shell;
|
160 if (options.chroot_directory == NULL ||
161 strcasecmp(options.chroot_directory, "none") == 0) {
162 char *shell = xstrdup((pw->pw_shell[0] == '\0') ?
163 _PATH_BSHELL : pw->pw_shell); /* empty = /bin/sh */ |
164
|
162 /* deny if shell does not exists or is not executable */
163 if (stat(shell, &st) != 0) {
164 logit("User %.100s not allowed because shell %.100s does not exist",
165 pw->pw_name, shell);
166 return 0;
|
165 if (stat(shell, &st) != 0) {
166 logit("User %.100s not allowed because shell %.100s "
167 "does not exist", pw->pw_name, shell);
168 xfree(shell);
169 return 0;
170 }
171 if (S_ISREG(st.st_mode) == 0 ||
172 (st.st_mode & (S_IXOTH|S_IXUSR|S_IXGRP)) == 0) {
173 logit("User %.100s not allowed because shell %.100s "
174 "is not executable", pw->pw_name, shell);
175 xfree(shell);
176 return 0;
177 }
178 xfree(shell); |
179 }
|
168 if (S_ISREG(st.st_mode) == 0 ||
169 (st.st_mode & (S_IXOTH|S_IXUSR|S_IXGRP)) == 0) {
170 logit("User %.100s not allowed because shell %.100s is not executable",
171 pw->pw_name, shell);
172 return 0;
173 }
|
180
181 if (options.num_deny_users > 0 || options.num_allow_users > 0 ||
182 options.num_deny_groups > 0 || options.num_allow_groups > 0) {
183 hostname = get_canonical_hostname(options.use_dns);
184 ipaddr = get_remote_ipaddr();
185 }
186
187 /* Return false if user is listed in DenyUsers */
188 if (options.num_deny_users > 0) {
189 for (i = 0; i < options.num_deny_users; i++)
190 if (match_user(pw->pw_name, hostname, ipaddr,
191 options.deny_users[i])) {
192 logit("User %.100s from %.100s not allowed "
193 "because listed in DenyUsers",
194 pw->pw_name, hostname);
195 return 0;
196 }
197 }
198 /* Return false if AllowUsers isn't empty and user isn't listed there */
199 if (options.num_allow_users > 0) {
200 for (i = 0; i < options.num_allow_users; i++)
201 if (match_user(pw->pw_name, hostname, ipaddr,
202 options.allow_users[i]))
203 break;
204 /* i < options.num_allow_users iff we break for loop */
205 if (i >= options.num_allow_users) {
206 logit("User %.100s from %.100s not allowed because "
207 "not listed in AllowUsers", pw->pw_name, hostname);
208 return 0;
209 }
210 }
211 if (options.num_deny_groups > 0 || options.num_allow_groups > 0) {
212 /* Get the user's group access list (primary and supplementary) */
213 if (ga_init(pw->pw_name, pw->pw_gid) == 0) {
214 logit("User %.100s from %.100s not allowed because "
215 "not in any group", pw->pw_name, hostname);
216 return 0;
217 }
218
219 /* Return false if one of user's groups is listed in DenyGroups */
220 if (options.num_deny_groups > 0)
221 if (ga_match(options.deny_groups,
222 options.num_deny_groups)) {
223 ga_free();
224 logit("User %.100s from %.100s not allowed "
225 "because a group is listed in DenyGroups",
226 pw->pw_name, hostname);
227 return 0;
228 }
229 /*
230 * Return false if AllowGroups isn't empty and one of user's groups
231 * isn't listed there
232 */
233 if (options.num_allow_groups > 0)
234 if (!ga_match(options.allow_groups,
235 options.num_allow_groups)) {
236 ga_free();
237 logit("User %.100s from %.100s not allowed "
238 "because none of user's groups are listed "
239 "in AllowGroups", pw->pw_name, hostname);
240 return 0;
241 }
242 ga_free();
243 }
244
245#ifdef CUSTOM_SYS_AUTH_ALLOWED_USER
246 if (!sys_auth_allowed_user(pw, &loginmsg))
247 return 0;
248#endif
249
250 /* We found no reason not to let this user try to log on... */
251 return 1;
252}
253
254void
255auth_log(Authctxt *authctxt, int authenticated, char *method, char *info)
256{
257 void (*authlog) (const char *fmt,...) = verbose;
258 char *authmsg;
259
260 if (use_privsep && !mm_is_monitor() && !authctxt->postponed)
261 return;
262
263 /* Raise logging level */
264 if (authenticated == 1 ||
265 !authctxt->valid ||
266 authctxt->failures >= options.max_authtries / 2 ||
267 strcmp(method, "password") == 0)
268 authlog = logit;
269
270 if (authctxt->postponed)
271 authmsg = "Postponed";
272 else
273 authmsg = authenticated ? "Accepted" : "Failed";
274
275 authlog("%s %s for %s%.100s from %.200s port %d%s",
276 authmsg,
277 method,
278 authctxt->valid ? "" : "invalid user ",
279 authctxt->user,
280 get_remote_ipaddr(),
281 get_remote_port(),
282 info);
283
284#ifdef CUSTOM_FAILED_LOGIN
285 if (authenticated == 0 && !authctxt->postponed &&
286 (strcmp(method, "password") == 0 ||
287 strncmp(method, "keyboard-interactive", 20) == 0 ||
288 strcmp(method, "challenge-response") == 0))
289 record_failed_login(authctxt->user,
290 get_canonical_hostname(options.use_dns), "ssh");
291# ifdef WITH_AIXAUTHENTICATE
292 if (authenticated)
293 sys_auth_record_login(authctxt->user,
294 get_canonical_hostname(options.use_dns), "ssh", &loginmsg);
295# endif
296#endif
297#ifdef SSH_AUDIT_EVENTS
298 if (authenticated == 0 && !authctxt->postponed)
299 audit_event(audit_classify_auth(method));
300#endif
301}
302
303/*
304 * Check whether root logins are disallowed.
305 */
306int
307auth_root_allowed(char *method)
308{
309 switch (options.permit_root_login) {
310 case PERMIT_YES:
311 return 1;
312 case PERMIT_NO_PASSWD:
313 if (strcmp(method, "password") != 0)
314 return 1;
315 break;
316 case PERMIT_FORCED_ONLY:
317 if (forced_command) {
318 logit("Root login accepted for forced command.");
319 return 1;
320 }
321 break;
322 }
323 logit("ROOT LOGIN REFUSED FROM %.200s", get_remote_ipaddr());
324 return 0;
325}
326
327
328/*
329 * Given a template and a passwd structure, build a filename
330 * by substituting % tokenised options. Currently, %% becomes '%',
331 * %h becomes the home directory and %u the username.
332 *
333 * This returns a buffer allocated by xmalloc.
334 */
335static char *
336expand_authorized_keys(const char *filename, struct passwd *pw)
337{
338 char *file, ret[MAXPATHLEN];
339 int i;
340
341 file = percent_expand(filename, "h", pw->pw_dir,
342 "u", pw->pw_name, (char *)NULL);
343
344 /*
345 * Ensure that filename starts anchored. If not, be backward
346 * compatible and prepend the '%h/'
347 */
348 if (*file == '/')
349 return (file);
350
351 i = snprintf(ret, sizeof(ret), "%s/%s", pw->pw_dir, file);
352 if (i < 0 || (size_t)i >= sizeof(ret))
353 fatal("expand_authorized_keys: path too long");
354 xfree(file);
355 return (xstrdup(ret));
356}
357
358char *
359authorized_keys_file(struct passwd *pw)
360{
361 return expand_authorized_keys(options.authorized_keys_file, pw);
362}
363
364char *
365authorized_keys_file2(struct passwd *pw)
366{
367 return expand_authorized_keys(options.authorized_keys_file2, pw);
368}
369
370/* return ok if key exists in sysfile or userfile */
371HostStatus
372check_key_in_hostfiles(struct passwd *pw, Key *key, const char *host,
373 const char *sysfile, const char *userfile)
374{
375 Key *found;
376 char *user_hostfile;
377 struct stat st;
378 HostStatus host_status;
379
380 /* Check if we know the host and its host key. */
381 found = key_new(key->type);
382 host_status = check_host_in_hostfile(sysfile, host, key, found, NULL);
383
384 if (host_status != HOST_OK && userfile != NULL) {
385 user_hostfile = tilde_expand_filename(userfile, pw->pw_uid);
386 if (options.strict_modes &&
387 (stat(user_hostfile, &st) == 0) &&
388 ((st.st_uid != 0 && st.st_uid != pw->pw_uid) ||
389 (st.st_mode & 022) != 0)) {
390 logit("Authentication refused for %.100s: "
391 "bad owner or modes for %.200s",
392 pw->pw_name, user_hostfile);
393 } else {
394 temporarily_use_uid(pw);
395 host_status = check_host_in_hostfile(user_hostfile,
396 host, key, found, NULL);
397 restore_uid();
398 }
399 xfree(user_hostfile);
400 }
401 key_free(found);
402
403 debug2("check_key_in_hostfiles: key %s for %s", host_status == HOST_OK ?
404 "ok" : "not found", host);
405 return host_status;
406}
407
408
409/*
410 * Check a given file for security. This is defined as all components
411 * of the path to the file must be owned by either the owner of
412 * of the file or root and no directories must be group or world writable.
413 *
414 * XXX Should any specific check be done for sym links ?
415 *
416 * Takes an open file descriptor, the file name, a uid and and
417 * error buffer plus max size as arguments.
418 *
419 * Returns 0 on success and -1 on failure
420 */
421static int
422secure_filename(FILE *f, const char *file, struct passwd *pw,
423 char *err, size_t errlen)
424{
425 uid_t uid = pw->pw_uid;
426 char buf[MAXPATHLEN], homedir[MAXPATHLEN];
427 char *cp;
428 int comparehome = 0;
429 struct stat st;
430
431 if (realpath(file, buf) == NULL) {
432 snprintf(err, errlen, "realpath %s failed: %s", file,
433 strerror(errno));
434 return -1;
435 }
436 if (realpath(pw->pw_dir, homedir) != NULL)
437 comparehome = 1;
438
439 /* check the open file to avoid races */
440 if (fstat(fileno(f), &st) < 0 ||
441 (st.st_uid != 0 && st.st_uid != uid) ||
442 (st.st_mode & 022) != 0) {
443 snprintf(err, errlen, "bad ownership or modes for file %s",
444 buf);
445 return -1;
446 }
447
448 /* for each component of the canonical path, walking upwards */
449 for (;;) {
450 if ((cp = dirname(buf)) == NULL) {
451 snprintf(err, errlen, "dirname() failed");
452 return -1;
453 }
454 strlcpy(buf, cp, sizeof(buf));
455
456 debug3("secure_filename: checking '%s'", buf);
457 if (stat(buf, &st) < 0 ||
458 (st.st_uid != 0 && st.st_uid != uid) ||
459 (st.st_mode & 022) != 0) {
460 snprintf(err, errlen,
461 "bad ownership or modes for directory %s", buf);
462 return -1;
463 }
464
|
459 /* If are passed the homedir then we can stop */
|
| 465 /* If are past the homedir then we can stop */ |
466 if (comparehome && strcmp(homedir, buf) == 0) {
467 debug3("secure_filename: terminating check at '%s'",
468 buf);
469 break;
470 }
471 /*
472 * dirname should always complete with a "/" path,
473 * but we can be paranoid and check for "." too
474 */
475 if ((strcmp("/", buf) == 0) || (strcmp(".", buf) == 0))
476 break;
477 }
478 return 0;
479}
480
481FILE *
482auth_openkeyfile(const char *file, struct passwd *pw, int strict_modes)
483{
484 char line[1024];
485 struct stat st;
486 int fd;
487 FILE *f;
488
489 /*
490 * Open the file containing the authorized keys
491 * Fail quietly if file does not exist
492 */
|
487 if ((fd = open(file, O_RDONLY|O_NONBLOCK)) == -1)
|
493 if ((fd = open(file, O_RDONLY|O_NONBLOCK)) == -1) {
494 if (errno != ENOENT)
495 debug("Could not open keyfile '%s': %s", file,
496 strerror(errno)); |
497 return NULL;
|
| 498 } |
499
500 if (fstat(fd, &st) < 0) {
501 close(fd);
502 return NULL;
503 }
504 if (!S_ISREG(st.st_mode)) {
505 logit("User %s authorized keys %s is not a regular file",
506 pw->pw_name, file);
507 close(fd);
508 return NULL;
509 }
510 unset_nonblock(fd);
511 if ((f = fdopen(fd, "r")) == NULL) {
512 close(fd);
513 return NULL;
514 }
515 if (options.strict_modes &&
516 secure_filename(f, file, pw, line, sizeof(line)) != 0) {
517 fclose(f);
518 logit("Authentication refused: %s", line);
519 return NULL;
520 }
521
522 return f;
523}
524
525struct passwd *
526getpwnamallow(const char *user)
527{
528#ifdef HAVE_LOGIN_CAP
529 extern login_cap_t *lc;
530#ifdef BSD_AUTH
531 auth_session_t *as;
532#endif
533#endif
534 struct passwd *pw;
535
536 parse_server_match_config(&options, user,
537 get_canonical_hostname(options.use_dns), get_remote_ipaddr());
538
|
539#if defined(_AIX) && defined(HAVE_SETAUTHDB)
540 aix_setauthdb(user);
541#endif
542 |
543 pw = getpwnam(user);
|
544
545#if defined(_AIX) && defined(HAVE_SETAUTHDB)
546 aix_restoreauthdb();
547#endif
548#ifdef HAVE_CYGWIN
549 /*
550 * Windows usernames are case-insensitive. To avoid later problems
551 * when trying to match the username, the user is only allowed to
552 * login if the username is given in the same case as stored in the
553 * user database.
554 */
555 if (pw != NULL && strcmp(user, pw->pw_name) != 0) {
556 logit("Login name %.100s does not match stored username %.100s",
557 user, pw->pw_name);
558 pw = NULL;
559 }
560#endif |
561 if (pw == NULL) {
562 logit("Invalid user %.100s from %.100s",
563 user, get_remote_ipaddr());
564#ifdef CUSTOM_FAILED_LOGIN
565 record_failed_login(user,
566 get_canonical_hostname(options.use_dns), "ssh");
567#endif
568#ifdef SSH_AUDIT_EVENTS
569 audit_event(SSH_INVALID_USER);
570#endif /* SSH_AUDIT_EVENTS */
571 return (NULL);
572 }
573 if (!allowed_user(pw))
574 return (NULL);
575#ifdef HAVE_LOGIN_CAP
576 if ((lc = login_getpwclass(pw)) == NULL) {
577 debug("unable to get login class: %s", user);
578 return (NULL);
579 }
580#ifdef BSD_AUTH
581 if ((as = auth_open()) == NULL || auth_setpwd(as, pw) != 0 ||
582 auth_approval(as, lc, pw->pw_name, "ssh") <= 0) {
583 debug("Approval failure for %s", user);
584 pw = NULL;
585 }
586 if (as != NULL)
587 auth_close(as);
588#endif
589#endif
590 if (pw != NULL)
591 return (pwcopy(pw));
592 return (NULL);
593}
594
|
595/* Returns 1 if key is revoked by revoked_keys_file, 0 otherwise */
596int
597auth_key_is_revoked(Key *key)
598{
599 char *key_fp;
600
601 if (options.revoked_keys_file == NULL)
602 return 0;
603
604 switch (key_in_file(key, options.revoked_keys_file, 0)) {
605 case 0:
606 /* key not revoked */
607 return 0;
608 case -1:
609 /* Error opening revoked_keys_file: refuse all keys */
610 error("Revoked keys file is unreadable: refusing public key "
611 "authentication");
612 return 1;
613 case 1:
614 /* Key revoked */
615 key_fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
616 error("WARNING: authentication attempt with a revoked "
617 "%s key %s ", key_type(key), key_fp);
618 xfree(key_fp);
619 return 1;
620 }
621 fatal("key_in_file returned junk");
622}
623 |
624void
625auth_debug_add(const char *fmt,...)
626{
627 char buf[1024];
628 va_list args;
629
630 if (!auth_debug_init)
631 return;
632
633 va_start(args, fmt);
634 vsnprintf(buf, sizeof(buf), fmt, args);
635 va_end(args);
636 buffer_put_cstring(&auth_debug, buf);
637}
638
639void
640auth_debug_send(void)
641{
642 char *msg;
643
644 if (!auth_debug_init)
645 return;
646 while (buffer_len(&auth_debug)) {
647 msg = buffer_get_string(&auth_debug, NULL);
648 packet_send_debug("%s", msg);
649 xfree(msg);
650 }
651}
652
653void
654auth_debug_reset(void)
655{
656 if (auth_debug_init)
657 buffer_clear(&auth_debug);
658 else {
659 buffer_init(&auth_debug);
660 auth_debug_init = 1;
661 }
662}
663
664struct passwd *
665fakepw(void)
666{
667 static struct passwd fake;
668
669 memset(&fake, 0, sizeof(fake));
670 fake.pw_name = "NOUSER";
671 fake.pw_passwd =
672 "$2a$06$r3.juUaHZDlIbQaO2dS9FuYxL1W9M81R1Tc92PoSNmzvpEqLkLGrK";
673 fake.pw_gecos = "NOUSER";
674 fake.pw_uid = privsep_pw == NULL ? (uid_t)-1 : privsep_pw->pw_uid;
675 fake.pw_gid = privsep_pw == NULL ? (gid_t)-1 : privsep_pw->pw_gid;
676#ifdef HAVE_PW_CLASS_IN_PASSWD
677 fake.pw_class = "";
678#endif
679 fake.pw_dir = "/nonexist";
680 fake.pw_shell = "/nonexist";
681
682 return (&fake);
683}
|