auth2.c (181097) | auth2.c (181111) |
---|---|
1/* $OpenBSD: auth2.c,v 1.113 2006/08/03 03:34:41 deraadt Exp $ */ | 1/* $OpenBSD: auth2.c,v 1.119 2008/07/04 23:30:16 djm Exp $ */ |
2/* 3 * Copyright (c) 2000 Markus Friedl. All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that the following conditions 7 * are met: 8 * 1. Redistributions of source code must retain the above copyright 9 * notice, this list of conditions and the following disclaimer. --- 9 unchanged lines hidden (view full) --- 19 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 20 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 21 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 22 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 23 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 24 */ 25 26#include "includes.h" | 2/* 3 * Copyright (c) 2000 Markus Friedl. All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that the following conditions 7 * are met: 8 * 1. Redistributions of source code must retain the above copyright 9 * notice, this list of conditions and the following disclaimer. --- 9 unchanged lines hidden (view full) --- 19 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 20 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 21 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 22 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 23 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 24 */ 25 26#include "includes.h" |
27__RCSID("$FreeBSD: head/crypto/openssh/auth2.c 181097 2008-08-01 01:13:41Z des $"); | 27__RCSID("$FreeBSD: head/crypto/openssh/auth2.c 181111 2008-08-01 02:48:36Z des $"); |
28 29#include <sys/types.h> | 28 29#include <sys/types.h> |
30#include <sys/stat.h> 31#include <sys/uio.h> |
|
30 | 32 |
33#include <fcntl.h> |
|
31#include <pwd.h> 32#include <stdarg.h> 33#include <string.h> | 34#include <pwd.h> 35#include <stdarg.h> 36#include <string.h> |
37#include <unistd.h> |
|
34 35#include "xmalloc.h" | 38 39#include "xmalloc.h" |
40#include "atomicio.h" |
|
36#include "ssh2.h" 37#include "packet.h" 38#include "log.h" 39#include "buffer.h" 40#include "servconf.h" 41#include "compat.h" 42#include "key.h" 43#include "hostfile.h" --- 40 unchanged lines hidden (view full) --- 84/* protocol */ 85 86static void input_service_request(int, u_int32_t, void *); 87static void input_userauth_request(int, u_int32_t, void *); 88 89/* helper */ 90static Authmethod *authmethod_lookup(const char *); 91static char *authmethods_get(void); | 41#include "ssh2.h" 42#include "packet.h" 43#include "log.h" 44#include "buffer.h" 45#include "servconf.h" 46#include "compat.h" 47#include "key.h" 48#include "hostfile.h" --- 40 unchanged lines hidden (view full) --- 89/* protocol */ 90 91static void input_service_request(int, u_int32_t, void *); 92static void input_userauth_request(int, u_int32_t, void *); 93 94/* helper */ 95static Authmethod *authmethod_lookup(const char *); 96static char *authmethods_get(void); |
92int user_key_allowed(struct passwd *, Key *); | |
93 | 97 |
98char * 99auth2_read_banner(void) 100{ 101 struct stat st; 102 char *banner = NULL; 103 size_t len, n; 104 int fd; 105 106 if ((fd = open(options.banner, O_RDONLY)) == -1) 107 return (NULL); 108 if (fstat(fd, &st) == -1) { 109 close(fd); 110 return (NULL); 111 } 112 if (st.st_size > 1*1024*1024) { 113 close(fd); 114 return (NULL); 115 } 116 117 len = (size_t)st.st_size; /* truncate */ 118 banner = xmalloc(len + 1); 119 n = atomicio(read, fd, banner, len); 120 close(fd); 121 122 if (n != len) { 123 xfree(banner); 124 return (NULL); 125 } 126 banner[n] = '\0'; 127 128 return (banner); 129} 130 131void 132userauth_send_banner(const char *msg) 133{ 134 if (datafellows & SSH_BUG_BANNER) 135 return; 136 137 packet_start(SSH2_MSG_USERAUTH_BANNER); 138 packet_put_cstring(msg); 139 packet_put_cstring(""); /* language, unused */ 140 packet_send(); 141 debug("%s: sent", __func__); 142} 143 144static void 145userauth_banner(void) 146{ 147 char *banner = NULL; 148 149 if (options.banner == NULL || 150 strcasecmp(options.banner, "none") == 0 || 151 (datafellows & SSH_BUG_BANNER) != 0) 152 return; 153 154 if ((banner = PRIVSEP(auth2_read_banner())) == NULL) 155 goto done; 156 userauth_send_banner(banner); 157 158done: 159 if (banner) 160 xfree(banner); 161} 162 |
|
94/* 95 * loop until authctxt->success == TRUE 96 */ | 163/* 164 * loop until authctxt->success == TRUE 165 */ |
97 | |
98void 99do_authentication2(Authctxt *authctxt) 100{ | 166void 167do_authentication2(Authctxt *authctxt) 168{ |
101 /* challenge-response is implemented via keyboard interactive */ 102 if (options.challenge_response_authentication) 103 options.kbd_interactive_authentication = 1; 104 | |
105 dispatch_init(&dispatch_protocol_error); 106 dispatch_set(SSH2_MSG_SERVICE_REQUEST, &input_service_request); 107 dispatch_run(DISPATCH_BLOCK, &authctxt->success, authctxt); 108} 109 110/*ARGSUSED*/ 111static void 112input_service_request(int type, u_int32_t seq, void *ctxt) --- 75 unchanged lines hidden (view full) --- 188 PRIVSEP(start_pam(authctxt)); 189#endif 190 setproctitle("%s%s", authctxt->valid ? user : "unknown", 191 use_privsep ? " [net]" : ""); 192 authctxt->service = xstrdup(service); 193 authctxt->style = style ? xstrdup(style) : NULL; 194 if (use_privsep) 195 mm_inform_authserv(service, style); | 169 dispatch_init(&dispatch_protocol_error); 170 dispatch_set(SSH2_MSG_SERVICE_REQUEST, &input_service_request); 171 dispatch_run(DISPATCH_BLOCK, &authctxt->success, authctxt); 172} 173 174/*ARGSUSED*/ 175static void 176input_service_request(int type, u_int32_t seq, void *ctxt) --- 75 unchanged lines hidden (view full) --- 252 PRIVSEP(start_pam(authctxt)); 253#endif 254 setproctitle("%s%s", authctxt->valid ? user : "unknown", 255 use_privsep ? " [net]" : ""); 256 authctxt->service = xstrdup(service); 257 authctxt->style = style ? xstrdup(style) : NULL; 258 if (use_privsep) 259 mm_inform_authserv(service, style); |
260 userauth_banner(); |
|
196 } else if (strcmp(user, authctxt->user) != 0 || 197 strcmp(service, authctxt->service) != 0) { 198 packet_disconnect("Change of username or service not allowed: " 199 "(%s,%s) -> (%s,%s)", 200 authctxt->user, authctxt->service, user, service); 201 } 202 203#ifdef HAVE_LOGIN_CAP --- 23 unchanged lines hidden (view full) --- 227 dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL); 228 dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE, NULL); 229#endif 230 231 authctxt->postponed = 0; 232 233 /* try to authenticate user */ 234 m = authmethod_lookup(method); | 261 } else if (strcmp(user, authctxt->user) != 0 || 262 strcmp(service, authctxt->service) != 0) { 263 packet_disconnect("Change of username or service not allowed: " 264 "(%s,%s) -> (%s,%s)", 265 authctxt->user, authctxt->service, user, service); 266 } 267 268#ifdef HAVE_LOGIN_CAP --- 23 unchanged lines hidden (view full) --- 292 dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL); 293 dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE, NULL); 294#endif 295 296 authctxt->postponed = 0; 297 298 /* try to authenticate user */ 299 m = authmethod_lookup(method); |
235 if (m != NULL) { | 300 if (m != NULL && authctxt->failures < options.max_authtries) { |
236 debug2("input_userauth_request: try method %s", method); 237 authenticated = m->userauth(authctxt); 238 } 239 userauth_finish(authctxt, authenticated, method); 240 241 xfree(service); 242 xfree(user); 243 xfree(method); --- 50 unchanged lines hidden (view full) --- 294 /* turn off userauth */ 295 dispatch_set(SSH2_MSG_USERAUTH_REQUEST, &dispatch_protocol_ignore); 296 packet_start(SSH2_MSG_USERAUTH_SUCCESS); 297 packet_send(); 298 packet_write_wait(); 299 /* now we can break out */ 300 authctxt->success = 1; 301 } else { | 301 debug2("input_userauth_request: try method %s", method); 302 authenticated = m->userauth(authctxt); 303 } 304 userauth_finish(authctxt, authenticated, method); 305 306 xfree(service); 307 xfree(user); 308 xfree(method); --- 50 unchanged lines hidden (view full) --- 359 /* turn off userauth */ 360 dispatch_set(SSH2_MSG_USERAUTH_REQUEST, &dispatch_protocol_ignore); 361 packet_start(SSH2_MSG_USERAUTH_SUCCESS); 362 packet_send(); 363 packet_write_wait(); 364 /* now we can break out */ 365 authctxt->success = 1; 366 } else { |
302 if (authctxt->failures++ > options.max_authtries) { | 367 368 /* Allow initial try of "none" auth without failure penalty */ 369 if (authctxt->attempt > 1 || strcmp(method, "none") != 0) 370 authctxt->failures++; 371 if (authctxt->failures >= options.max_authtries) { |
303#ifdef SSH_AUDIT_EVENTS 304 PRIVSEP(audit_event(SSH_LOGIN_EXCEED_MAXTRIES)); 305#endif 306 packet_disconnect(AUTH_FAIL_MSG, authctxt->user); 307 } 308 methods = authmethods_get(); 309 packet_start(SSH2_MSG_USERAUTH_FAILURE); 310 packet_put_cstring(methods); 311 packet_put_char(0); /* XXX partial success, unused */ 312 packet_send(); 313 packet_write_wait(); 314 xfree(methods); 315 } 316} 317 | 372#ifdef SSH_AUDIT_EVENTS 373 PRIVSEP(audit_event(SSH_LOGIN_EXCEED_MAXTRIES)); 374#endif 375 packet_disconnect(AUTH_FAIL_MSG, authctxt->user); 376 } 377 methods = authmethods_get(); 378 packet_start(SSH2_MSG_USERAUTH_FAILURE); 379 packet_put_cstring(methods); 380 packet_put_char(0); /* XXX partial success, unused */ 381 packet_send(); 382 packet_write_wait(); 383 xfree(methods); 384 } 385} 386 |
318#define DELIM "," 319 | |
320static char * 321authmethods_get(void) 322{ 323 Buffer b; 324 char *list; 325 int i; 326 327 buffer_init(&b); --- 24 unchanged lines hidden (view full) --- 352 if (authmethods[i]->enabled != NULL && 353 *(authmethods[i]->enabled) != 0 && 354 strcmp(name, authmethods[i]->name) == 0) 355 return authmethods[i]; 356 debug2("Unrecognized authentication method name: %s", 357 name ? name : "NULL"); 358 return NULL; 359} | 387static char * 388authmethods_get(void) 389{ 390 Buffer b; 391 char *list; 392 int i; 393 394 buffer_init(&b); --- 24 unchanged lines hidden (view full) --- 419 if (authmethods[i]->enabled != NULL && 420 *(authmethods[i]->enabled) != 0 && 421 strcmp(name, authmethods[i]->name) == 0) 422 return authmethods[i]; 423 debug2("Unrecognized authentication method name: %s", 424 name ? name : "NULL"); 425 return NULL; 426} |
427 |
|
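Review bot: auth2_read_banner (new-side lines 98–129) sizes the read from st.st_size without first confirming the descriptor refers to a regular file, so a FIFO or device named in Banner produces a zero-length or meaningless read instead of a refusal; adding `if (!S_ISREG(st.st_mode)) { close(fd); return (NULL); }` right after the fstat check closes that gap, and sys/stat.h is already included on the new side. The `/* truncate */` comment on the `(size_t)st.st_size` cast is stale once the 1 MiB bound above it is in place, since nothing is truncated at that point. The function is also the only non-static symbol this change adds and is reached through PRIVSEP, so a header comment stating that the returned buffer is xmalloc'd and owned by the caller (to be released with xfree) and that NULL means the banner could not be read would help keep the monitor-side wrapper, which is outside this diff, in sync. In userauth_banner the `done:` label and the `if (banner)` guard can collapse to an early `return` on NULL followed by an unconditional `xfree(banner)` after userauth_send_banner, since banner is only NULL on the goto path.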