1/* 2 * Copyright (c) 2000 Markus Friedl. All rights reserved. 3 * 4 * Redistribution and use in source and binary forms, with or without 5 * modification, are permitted provided that the following conditions 6 * are met: 7 * 1. Redistributions of source code must retain the above copyright 8 * notice, this list of conditions and the following disclaimer. 9 * 2. Redistributions in binary form must reproduce the above copyright 10 * notice, this list of conditions and the following disclaimer in the 11 * documentation and/or other materials provided with the distribution. 12 * 13 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 14 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 15 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 16 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 17 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 18 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 19 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 20 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 21 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 22 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 23 */ 24 25#include "includes.h" 26RCSID("$OpenBSD: auth2.c,v 1.107 2004/07/28 09:40:29 markus Exp $");
|
27RCSID("$FreeBSD: head/crypto/openssh/auth2.c 149753 2005-09-03 07:04:25Z des $");
|
27RCSID("$FreeBSD: head/crypto/openssh/auth2.c 157019 2006-03-22 20:41:37Z des $"); |
28 29#include "canohost.h" 30#include "ssh2.h" 31#include "xmalloc.h" 32#include "packet.h" 33#include "log.h" 34#include "servconf.h" 35#include "compat.h" 36#include "auth.h" 37#include "dispatch.h" 38#include "pathnames.h" 39#include "monitor_wrap.h" 40#include "buffer.h" 41 42#ifdef GSSAPI 43#include "ssh-gss.h" 44#endif 45 46/* import */ 47extern ServerOptions options; 48extern u_char *session_id2; 49extern u_int session_id2_len; 50extern Buffer loginmsg; 51 52/* methods */ 53 54extern Authmethod method_none; 55extern Authmethod method_pubkey; 56extern Authmethod method_passwd; 57extern Authmethod method_kbdint; 58extern Authmethod method_hostbased; 59#ifdef GSSAPI 60extern Authmethod method_gssapi; 61#endif 62 63Authmethod *authmethods[] = { 64 &method_none, 65 &method_pubkey, 66#ifdef GSSAPI 67 &method_gssapi, 68#endif 69 &method_passwd, 70 &method_kbdint, 71 &method_hostbased, 72 NULL 73}; 74 75/* protocol */ 76 77static void input_service_request(int, u_int32_t, void *); 78static void input_userauth_request(int, u_int32_t, void *); 79 80/* helper */ 81static Authmethod *authmethod_lookup(const char *); 82static char *authmethods_get(void); 83int user_key_allowed(struct passwd *, Key *); 84 85/* 86 * loop until authctxt->success == TRUE 87 */ 88 89void 90do_authentication2(Authctxt *authctxt) 91{ 92 /* challenge-response is implemented via keyboard interactive */ 93 if (options.challenge_response_authentication) 94 options.kbd_interactive_authentication = 1; 95 96 dispatch_init(&dispatch_protocol_error); 97 dispatch_set(SSH2_MSG_SERVICE_REQUEST, &input_service_request); 98 dispatch_run(DISPATCH_BLOCK, &authctxt->success, authctxt); 99} 100 101static void 102input_service_request(int type, u_int32_t seq, void *ctxt) 103{ 104 Authctxt *authctxt = ctxt; 105 u_int len; 106 int acceptit = 0; 107 char *service = packet_get_string(&len); 108 packet_check_eom(); 109 110 if (authctxt == NULL) 111 fatal("input_service_request: no authctxt"); 112 113 if (strcmp(service, "ssh-userauth") == 0) { 114 if (!authctxt->success) { 115 acceptit = 1; 116 /* now we can handle user-auth requests */ 117 dispatch_set(SSH2_MSG_USERAUTH_REQUEST, &input_userauth_request); 118 } 119 } 120 /* XXX all other service requests are denied */ 121 122 if (acceptit) { 123 packet_start(SSH2_MSG_SERVICE_ACCEPT); 124 packet_put_cstring(service); 125 packet_send(); 126 packet_write_wait(); 127 } else { 128 debug("bad service request %s", service); 129 packet_disconnect("bad service request %s", service); 130 } 131 xfree(service); 132} 133 134static void 135input_userauth_request(int type, u_int32_t seq, void *ctxt) 136{ 137 Authctxt *authctxt = ctxt; 138 Authmethod *m = NULL; 139 char *user, *service, *method, *style = NULL; 140 int authenticated = 0; 141#ifdef HAVE_LOGIN_CAP 142 login_cap_t *lc; 143 const char *from_host, *from_ip; 144 145 from_host = get_canonical_hostname(options.use_dns); 146 from_ip = get_remote_ipaddr(); 147#endif 148 149 if (authctxt == NULL) 150 fatal("input_userauth_request: no authctxt"); 151 152 user = packet_get_string(NULL); 153 service = packet_get_string(NULL); 154 method = packet_get_string(NULL); 155 debug("userauth-request for user %s service %s method %s", user, service, method); 156 debug("attempt %d failures %d", authctxt->attempt, authctxt->failures); 157 158 if ((style = strchr(user, ':')) != NULL) 159 *style++ = 0; 160 161 if (authctxt->attempt++ == 0) { 162 /* setup auth context */ 163 authctxt->pw = PRIVSEP(getpwnamallow(user)); 164 authctxt->user = xstrdup(user); 165 if (authctxt->pw && strcmp(service, "ssh-connection")==0) { 166 authctxt->valid = 1; 167 debug2("input_userauth_request: setting up authctxt for %s", user);
|
168#ifdef USE_PAM
169 if (options.use_pam)
170 PRIVSEP(start_pam(authctxt));
171#endif
|
168 } else { 169 logit("input_userauth_request: invalid user %s", user); 170 authctxt->pw = fakepw();
|
175#ifdef USE_PAM
176 if (options.use_pam)
177 PRIVSEP(start_pam(authctxt));
178#endif
|
171#ifdef SSH_AUDIT_EVENTS 172 PRIVSEP(audit_event(SSH_INVALID_USER)); 173#endif 174 }
|
175#ifdef USE_PAM 176 if (options.use_pam) 177 PRIVSEP(start_pam(authctxt)); 178#endif |
179 setproctitle("%s%s", authctxt->valid ? user : "unknown", 180 use_privsep ? " [net]" : ""); 181 authctxt->service = xstrdup(service); 182 authctxt->style = style ? xstrdup(style) : NULL; 183 if (use_privsep) 184 mm_inform_authserv(service, style); 185 } else if (strcmp(user, authctxt->user) != 0 || 186 strcmp(service, authctxt->service) != 0) { 187 packet_disconnect("Change of username or service not allowed: " 188 "(%s,%s) -> (%s,%s)", 189 authctxt->user, authctxt->service, user, service); 190 } 191 192#ifdef HAVE_LOGIN_CAP 193 if (authctxt->pw != NULL) { 194 lc = login_getpwclass(authctxt->pw); 195 if (lc == NULL) 196 lc = login_getclassbyname(NULL, authctxt->pw); 197 if (!auth_hostok(lc, from_host, from_ip)) { 198 logit("Denied connection for %.200s from %.200s [%.200s].", 199 authctxt->pw->pw_name, from_host, from_ip); 200 packet_disconnect("Sorry, you are not allowed to connect."); 201 } 202 if (!auth_timeok(lc, time(NULL))) { 203 logit("LOGIN %.200s REFUSED (TIME) FROM %.200s", 204 authctxt->pw->pw_name, from_host); 205 packet_disconnect("Logins not available right now."); 206 } 207 login_close(lc); 208 lc = NULL; 209 } 210#endif /* HAVE_LOGIN_CAP */ 211 212 /* reset state */ 213 auth2_challenge_stop(authctxt); 214 215#ifdef GSSAPI 216 dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL); 217 dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE, NULL); 218#endif 219 220 authctxt->postponed = 0; 221 222 /* try to authenticate user */ 223 m = authmethod_lookup(method); 224 if (m != NULL) { 225 debug2("input_userauth_request: try method %s", method); 226 authenticated = m->userauth(authctxt); 227 } 228 userauth_finish(authctxt, authenticated, method); 229 230 xfree(service); 231 xfree(user); 232 xfree(method); 233} 234 235void 236userauth_finish(Authctxt *authctxt, int authenticated, char *method) 237{ 238 char *methods; 239 240 if (!authctxt->valid && authenticated) 241 fatal("INTERNAL ERROR: authenticated invalid user %s", 242 authctxt->user); 243 244 /* Special handling for root */ 245 if (authenticated && authctxt->pw->pw_uid == 0 && 246 !auth_root_allowed(method)) { 247 authenticated = 0; 248#ifdef SSH_AUDIT_EVENTS 249 PRIVSEP(audit_event(SSH_LOGIN_ROOT_DENIED)); 250#endif 251 } 252 253#ifdef USE_PAM 254 if (options.use_pam && authenticated) { 255 if (!PRIVSEP(do_pam_account())) { 256 /* if PAM returned a message, send it to the user */ 257 if (buffer_len(&loginmsg) > 0) { 258 buffer_append(&loginmsg, "\0", 1); 259 userauth_send_banner(buffer_ptr(&loginmsg)); 260 packet_write_wait(); 261 } 262 fatal("Access denied for user %s by PAM account " 263 "configuration", authctxt->user); 264 } 265 } 266#endif 267 268#ifdef _UNICOS 269 if (authenticated && cray_access_denied(authctxt->user)) { 270 authenticated = 0; 271 fatal("Access denied for user %s.",authctxt->user); 272 } 273#endif /* _UNICOS */ 274 275 /* Log before sending the reply */ 276 auth_log(authctxt, authenticated, method, " ssh2"); 277 278 if (authctxt->postponed) 279 return; 280 281 /* XXX todo: check if multiple auth methods are needed */ 282 if (authenticated == 1) { 283 /* turn off userauth */ 284 dispatch_set(SSH2_MSG_USERAUTH_REQUEST, &dispatch_protocol_ignore); 285 packet_start(SSH2_MSG_USERAUTH_SUCCESS); 286 packet_send(); 287 packet_write_wait(); 288 /* now we can break out */ 289 authctxt->success = 1; 290 } else { 291 if (authctxt->failures++ > options.max_authtries) { 292#ifdef SSH_AUDIT_EVENTS 293 PRIVSEP(audit_event(SSH_LOGIN_EXCEED_MAXTRIES)); 294#endif 295 packet_disconnect(AUTH_FAIL_MSG, authctxt->user); 296 } 297 methods = authmethods_get(); 298 packet_start(SSH2_MSG_USERAUTH_FAILURE); 299 packet_put_cstring(methods); 300 packet_put_char(0); /* XXX partial success, unused */ 301 packet_send(); 302 packet_write_wait(); 303 xfree(methods); 304 } 305} 306 307#define DELIM "," 308 309static char * 310authmethods_get(void) 311{ 312 Buffer b; 313 char *list; 314 int i; 315 316 buffer_init(&b); 317 for (i = 0; authmethods[i] != NULL; i++) { 318 if (strcmp(authmethods[i]->name, "none") == 0) 319 continue; 320 if (authmethods[i]->enabled != NULL && 321 *(authmethods[i]->enabled) != 0) { 322 if (buffer_len(&b) > 0) 323 buffer_append(&b, ",", 1); 324 buffer_append(&b, authmethods[i]->name, 325 strlen(authmethods[i]->name)); 326 } 327 } 328 buffer_append(&b, "\0", 1); 329 list = xstrdup(buffer_ptr(&b)); 330 buffer_free(&b); 331 return list; 332} 333 334static Authmethod * 335authmethod_lookup(const char *name) 336{ 337 int i; 338 339 if (name != NULL) 340 for (i = 0; authmethods[i] != NULL; i++) 341 if (authmethods[i]->enabled != NULL && 342 *(authmethods[i]->enabled) != 0 && 343 strcmp(name, authmethods[i]->name) == 0) 344 return authmethods[i]; 345 debug2("Unrecognized authentication method name: %s", 346 name ? name : "NULL"); 347 return NULL; 348}
|