auth2.c (98684) | auth2.c (98941) |
1/* 2 * Copyright (c) 2000 Markus Friedl. All rights reserved. 3 * 4 * Redistribution and use in source and binary forms, with or without 5 * modification, are permitted provided that the following conditions 6 * are met: 7 * 1. Redistributions of source code must retain the above copyright 8 * notice, this list of conditions and the following disclaimer. --- 10 unchanged lines hidden (view full) --- 19 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 20 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 21 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 22 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 23 */ 24 25#include "includes.h" 26RCSID("$OpenBSD: auth2.c,v 1.93 2002/05/31 11:35:15 markus Exp $"); | 1/* 2 * Copyright (c) 2000 Markus Friedl. All rights reserved. 3 * 4 * Redistribution and use in source and binary forms, with or without 5 * modification, are permitted provided that the following conditions 6 * are met: 7 * 1. Redistributions of source code must retain the above copyright 8 * notice, this list of conditions and the following disclaimer. --- 10 unchanged lines hidden (view full) --- 19 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 20 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 21 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 22 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 23 */ 24 25#include "includes.h" 26RCSID("$OpenBSD: auth2.c,v 1.93 2002/05/31 11:35:15 markus Exp $"); |
27RCSID("$FreeBSD: head/crypto/openssh/auth2.c 98684 2002-06-23 16:09:08Z des $"); | |
28 29#include "ssh2.h" 30#include "xmalloc.h" 31#include "packet.h" 32#include "log.h" 33#include "servconf.h" 34#include "compat.h" 35#include "auth.h" 36#include "dispatch.h" 37#include "pathnames.h" | 27 28#include "ssh2.h" 29#include "xmalloc.h" 30#include "packet.h" 31#include "log.h" 32#include "servconf.h" 33#include "compat.h" 34#include "auth.h" 35#include "dispatch.h" 36#include "pathnames.h" |
38#include "canohost.h" | |
39#include "monitor_wrap.h" 40 | 37#include "monitor_wrap.h" 38 |
41#ifdef HAVE_LOGIN_CAP 42#include <login_cap.h> 43#endif /* HAVE_LOGIN_CAP */ 44 | |
45/* import */ 46extern ServerOptions options; 47extern u_char *session_id2; 48extern int session_id2_len; 49 50Authctxt *x_authctxt = NULL; 51 52/* methods */ --- 33 unchanged lines hidden (view full) --- 86{ 87 Authctxt *authctxt = authctxt_new(); 88 89 x_authctxt = authctxt; /*XXX*/ 90 91 /* challenge-response is implemented via keyboard interactive */ 92 if (options.challenge_response_authentication) 93 options.kbd_interactive_authentication = 1; | 39/* import */ 40extern ServerOptions options; 41extern u_char *session_id2; 42extern int session_id2_len; 43 44Authctxt *x_authctxt = NULL; 45 46/* methods */ --- 33 unchanged lines hidden (view full) --- 80{ 81 Authctxt *authctxt = authctxt_new(); 82 83 x_authctxt = authctxt; /*XXX*/ 84 85 /* challenge-response is implemented via keyboard interactive */ 86 if (options.challenge_response_authentication) 87 options.kbd_interactive_authentication = 1; |
88 if (options.pam_authentication_via_kbd_int) 89 options.kbd_interactive_authentication = 1; 90 if (use_privsep) 91 options.pam_authentication_via_kbd_int = 0; |
|
94 95 dispatch_init(&dispatch_protocol_error); 96 dispatch_set(SSH2_MSG_SERVICE_REQUEST, &input_service_request); 97 dispatch_run(DISPATCH_BLOCK, &authctxt->success, authctxt); 98 99 return (authctxt); 100} 101 --- 32 unchanged lines hidden (view full) --- 134 135static void 136input_userauth_request(int type, u_int32_t seq, void *ctxt) 137{ 138 Authctxt *authctxt = ctxt; 139 Authmethod *m = NULL; 140 char *user, *service, *method, *style = NULL; 141 int authenticated = 0; | 92 93 dispatch_init(&dispatch_protocol_error); 94 dispatch_set(SSH2_MSG_SERVICE_REQUEST, &input_service_request); 95 dispatch_run(DISPATCH_BLOCK, &authctxt->success, authctxt); 96 97 return (authctxt); 98} 99 --- 32 unchanged lines hidden (view full) --- 132 133static void 134input_userauth_request(int type, u_int32_t seq, void *ctxt) 135{ 136 Authctxt *authctxt = ctxt; 137 Authmethod *m = NULL; 138 char *user, *service, *method, *style = NULL; 139 int authenticated = 0; |
142#ifdef HAVE_LOGIN_CAP 143 login_cap_t *lc; 144#endif /* HAVE_LOGIN_CAP */ 145#if defined(HAVE_LOGIN_CAP) 146 const char *from_host, *from_ip; | |
147 | 140 |
148 from_host = get_canonical_hostname(options.verify_reverse_mapping); 149 from_ip = get_remote_ipaddr(); 150#endif /* HAVE_LOGIN_CAP */ 151 | |
152 if (authctxt == NULL) 153 fatal("input_userauth_request: no authctxt"); 154 155 user = packet_get_string(NULL); 156 service = packet_get_string(NULL); 157 method = packet_get_string(NULL); 158 debug("userauth-request for user %s service %s method %s", user, service, method); 159 debug("attempt %d failures %d", authctxt->attempt, authctxt->failures); 160 161 if ((style = strchr(user, ':')) != NULL) 162 *style++ = 0; 163 164 if (authctxt->attempt++ == 0) { 165 /* setup auth context */ 166 authctxt->pw = PRIVSEP(getpwnamallow(user)); 167 if (authctxt->pw && strcmp(service, "ssh-connection")==0) { 168 authctxt->valid = 1; 169 debug2("input_userauth_request: setting up authctxt for %s", user); 170#ifdef USE_PAM | 141 if (authctxt == NULL) 142 fatal("input_userauth_request: no authctxt"); 143 144 user = packet_get_string(NULL); 145 service = packet_get_string(NULL); 146 method = packet_get_string(NULL); 147 debug("userauth-request for user %s service %s method %s", user, service, method); 148 debug("attempt %d failures %d", authctxt->attempt, authctxt->failures); 149 150 if ((style = strchr(user, ':')) != NULL) 151 *style++ = 0; 152 153 if (authctxt->attempt++ == 0) { 154 /* setup auth context */ 155 authctxt->pw = PRIVSEP(getpwnamallow(user)); 156 if (authctxt->pw && strcmp(service, "ssh-connection")==0) { 157 authctxt->valid = 1; 158 debug2("input_userauth_request: setting up authctxt for %s", user); 159#ifdef USE_PAM |
171 start_pam(authctxt->pw); | 160 PRIVSEP(start_pam(authctxt->pw->pw_name)); |
172#endif 173 } else { 174 log("input_userauth_request: illegal user %s", user); | 161#endif 162 } else { 163 log("input_userauth_request: illegal user %s", user); |
175 authctxt->pw = NULL; | 164#ifdef USE_PAM 165 PRIVSEP(start_pam("NOUSER")); 166#endif |
176 } 177 setproctitle("%s%s", authctxt->pw ? user : "unknown", 178 use_privsep ? " [net]" : ""); 179 authctxt->user = xstrdup(user); 180 authctxt->service = xstrdup(service); 181 authctxt->style = style ? xstrdup(style) : NULL; 182 if (use_privsep) 183 mm_inform_authserv(service, style); 184 } else if (strcmp(user, authctxt->user) != 0 || 185 strcmp(service, authctxt->service) != 0) { 186 packet_disconnect("Change of username or service not allowed: " 187 "(%s,%s) -> (%s,%s)", 188 authctxt->user, authctxt->service, user, service); 189 } | 167 } 168 setproctitle("%s%s", authctxt->pw ? user : "unknown", 169 use_privsep ? " [net]" : ""); 170 authctxt->user = xstrdup(user); 171 authctxt->service = xstrdup(service); 172 authctxt->style = style ? xstrdup(style) : NULL; 173 if (use_privsep) 174 mm_inform_authserv(service, style); 175 } else if (strcmp(user, authctxt->user) != 0 || 176 strcmp(service, authctxt->service) != 0) { 177 packet_disconnect("Change of username or service not allowed: " 178 "(%s,%s) -> (%s,%s)", 179 authctxt->user, authctxt->service, user, service); 180 } |
190 191#ifdef HAVE_LOGIN_CAP 192 if (authctxt->pw != NULL) { 193 lc = login_getpwclass(authctxt->pw); 194 if (lc == NULL) 195 lc = login_getclassbyname(NULL, authctxt->pw); 196 if (!auth_hostok(lc, from_host, from_ip)) { 197 log("Denied connection for %.200s from %.200s [%.200s].", 198 authctxt->pw->pw_name, from_host, from_ip); 199 packet_disconnect("Sorry, you are not allowed to connect."); 200 } 201 if (!auth_timeok(lc, time(NULL))) { 202 log("LOGIN %.200s REFUSED (TIME) FROM %.200s", 203 authctxt->pw->pw_name, from_host); 204 packet_disconnect("Logins not available right now."); 205 } 206 login_close(lc); 207 lc = NULL; 208 } 209#endif /* HAVE_LOGIN_CAP */ | |
210 /* reset state */ 211 auth2_challenge_stop(authctxt); 212 authctxt->postponed = 0; 213 214 /* try to authenticate user */ 215 m = authmethod_lookup(method); 216 if (m != NULL) { 217 debug2("input_userauth_request: try method %s", method); 218 authenticated = m->userauth(authctxt); 219 } | 181 /* reset state */ 182 auth2_challenge_stop(authctxt); 183 authctxt->postponed = 0; 184 185 /* try to authenticate user */ 186 m = authmethod_lookup(method); 187 if (m != NULL) { 188 debug2("input_userauth_request: try method %s", method); 189 authenticated = m->userauth(authctxt); 190 } |
220#ifdef USE_PAM 221 if (authenticated && authctxt->user && !do_pam_account(authctxt->user, NULL)) 222 authenticated = 0; 223#endif /* USE_PAM */ | |
224 userauth_finish(authctxt, authenticated, method); 225 226 xfree(service); 227 xfree(user); 228 xfree(method); 229} 230 231void --- 5 unchanged lines hidden (view full) --- 237 fatal("INTERNAL ERROR: authenticated invalid user %s", 238 authctxt->user); 239 240 /* Special handling for root */ 241 if (authenticated && authctxt->pw->pw_uid == 0 && 242 !auth_root_allowed(method)) 243 authenticated = 0; 244 | 191 userauth_finish(authctxt, authenticated, method); 192 193 xfree(service); 194 xfree(user); 195 xfree(method); 196} 197 198void --- 5 unchanged lines hidden (view full) --- 204 fatal("INTERNAL ERROR: authenticated invalid user %s", 205 authctxt->user); 206 207 /* Special handling for root */ 208 if (authenticated && authctxt->pw->pw_uid == 0 && 209 !auth_root_allowed(method)) 210 authenticated = 0; 211 |
212#ifdef USE_PAM 213 if (!use_privsep && authenticated && authctxt->user && 214 !do_pam_account(authctxt->user, NULL)) 215 authenticated = 0; 216#endif /* USE_PAM */ 217 |
|
245 /* Log before sending the reply */ 246 auth_log(authctxt, authenticated, method, " ssh2"); 247 248 if (authctxt->postponed) 249 return; 250 251 /* XXX todo: check if multiple auth methods are needed */ 252 if (authenticated == 1) { 253 /* turn off userauth */ 254 dispatch_set(SSH2_MSG_USERAUTH_REQUEST, &dispatch_protocol_ignore); 255 packet_start(SSH2_MSG_USERAUTH_SUCCESS); 256 packet_send(); 257 packet_write_wait(); 258 /* now we can break out */ 259 authctxt->success = 1; 260 } else { | 218 /* Log before sending the reply */ 219 auth_log(authctxt, authenticated, method, " ssh2"); 220 221 if (authctxt->postponed) 222 return; 223 224 /* XXX todo: check if multiple auth methods are needed */ 225 if (authenticated == 1) { 226 /* turn off userauth */ 227 dispatch_set(SSH2_MSG_USERAUTH_REQUEST, &dispatch_protocol_ignore); 228 packet_start(SSH2_MSG_USERAUTH_SUCCESS); 229 packet_send(); 230 packet_write_wait(); 231 /* now we can break out */ 232 authctxt->success = 1; 233 } else { |
261 if (authctxt->failures++ > AUTH_FAIL_MAX) | 234 if (authctxt->failures++ > AUTH_FAIL_MAX) { 235#ifdef WITH_AIXAUTHENTICATE 236 /* XXX: privsep */ 237 loginfailed(authctxt->user, 238 get_canonical_hostname(options.verify_reverse_mapping), 239 "ssh"); 240#endif /* WITH_AIXAUTHENTICATE */ |
262 packet_disconnect(AUTH_FAIL_MSG, authctxt->user); | 241 packet_disconnect(AUTH_FAIL_MSG, authctxt->user); |
242 } |
|
263 methods = authmethods_get(); 264 packet_start(SSH2_MSG_USERAUTH_FAILURE); 265 packet_put_cstring(methods); 266 packet_put_char(0); /* XXX partial success, unused */ 267 packet_send(); 268 packet_write_wait(); 269 xfree(methods); 270 } --- 52 unchanged lines hidden --- | 243 methods = authmethods_get(); 244 packet_start(SSH2_MSG_USERAUTH_FAILURE); 245 packet_put_cstring(methods); 246 packet_put_char(0); /* XXX partial success, unused */ 247 packet_send(); 248 packet_write_wait(); 249 xfree(methods); 250 } --- 52 unchanged lines hidden --- |
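Review bot: The do_pam_account() call that moved into userauth_finish is now gated on `!use_privsep`, so with privilege separation enabled PAM account management is never run and an account that PAM would refuse (expired, locked, or denied by an account module) is authenticated as soon as a method succeeds; the same pattern silently clears `options.pam_authentication_via_kbd_int` under privsep in do_authentication2. If this is a known gap pending privsep support, say so at the point where the check is skipped, e.g. `/* XXX PAM account checks are not performed under privsep; move to the monitor */`, and otherwise the check belongs in the privileged monitor rather than being dropped. Separately, the illegal-user branch in input_userauth_request no longer clears `authctxt->pw`, so when the user exists but the service is not "ssh-connection" the rejected request keeps a real passwd entry and only `authctxt->valid` records the rejection; code that tests `authctxt->pw` (the setproctitle call right after it) now treats that request as a known user, and if this is unintended `authctxt->pw = NULL;` should be restored next to the `start_pam("NOUSER")` call. The login_cap host/time checks removed from input_userauth_request are presumably enforced elsewhere, but that is not visible in this section, and userauth_finish begins before the hunk shown.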