auth2.c revision 162856 
1/* $OpenBSD: auth2.c,v 1.113 2006/08/03 03:34:41 deraadt Exp $ */
2/*
3 * Copyright (c) 2000 Markus Friedl.  All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 * 1. Redistributions of source code must retain the above copyright
9 *    notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 *    notice, this list of conditions and the following disclaimer in the
12 *    documentation and/or other materials provided with the distribution.
13 *
14 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
15 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
16 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
17 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
18 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
19 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
20 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
21 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
22 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
23 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
24 */
25
26#include "includes.h"
27__RCSID("$FreeBSD: head/crypto/openssh/auth2.c 162856 2006-09-30 13:38:06Z des $");
28
29#include <sys/types.h>
30
31#include <pwd.h>
32#include <stdarg.h>
33#include <string.h>
34
35#include "xmalloc.h"
36#include "ssh2.h"
37#include "packet.h"
38#include "log.h"
39#include "buffer.h"
40#include "servconf.h"
41#include "compat.h"
42#include "key.h"
43#include "hostfile.h"
44#include "auth.h"
45#include "dispatch.h"
46#include "pathnames.h"
47#include "buffer.h"
48#include "canohost.h"
49
50#ifdef GSSAPI
51#include "ssh-gss.h"
52#endif
53#include "monitor_wrap.h"
54
55/* import */
56extern ServerOptions options;
57extern u_char *session_id2;
58extern u_int session_id2_len;
59extern Buffer loginmsg;
60
61/* methods */
62
63extern Authmethod method_none;
64extern Authmethod method_pubkey;
65extern Authmethod method_passwd;
66extern Authmethod method_kbdint;
67extern Authmethod method_hostbased;
68#ifdef GSSAPI
69extern Authmethod method_gssapi;
70#endif
71
72Authmethod *authmethods[] = {
73	&method_none,
74	&method_pubkey,
75#ifdef GSSAPI
76	&method_gssapi,
77#endif
78	&method_passwd,
79	&method_kbdint,
80	&method_hostbased,
81	NULL
82};
83
84/* protocol */
85
86static void input_service_request(int, u_int32_t, void *);
87static void input_userauth_request(int, u_int32_t, void *);
88
89/* helper */
90static Authmethod *authmethod_lookup(const char *);
91static char *authmethods_get(void);
92int user_key_allowed(struct passwd *, Key *);
93
94/*
95 * loop until authctxt->success == TRUE
96 */
97
98void
99do_authentication2(Authctxt *authctxt)
100{
101	/* challenge-response is implemented via keyboard interactive */
102	if (options.challenge_response_authentication)
103		options.kbd_interactive_authentication = 1;
104
105	dispatch_init(&dispatch_protocol_error);
106	dispatch_set(SSH2_MSG_SERVICE_REQUEST, &input_service_request);
107	dispatch_run(DISPATCH_BLOCK, &authctxt->success, authctxt);
108}
109
110/*ARGSUSED*/
111static void
112input_service_request(int type, u_int32_t seq, void *ctxt)
113{
114	Authctxt *authctxt = ctxt;
115	u_int len;
116	int acceptit = 0;
117	char *service = packet_get_string(&len);
118	packet_check_eom();
119
120	if (authctxt == NULL)
121		fatal("input_service_request: no authctxt");
122
123	if (strcmp(service, "ssh-userauth") == 0) {
124		if (!authctxt->success) {
125			acceptit = 1;
126			/* now we can handle user-auth requests */
127			dispatch_set(SSH2_MSG_USERAUTH_REQUEST, &input_userauth_request);
128		}
129	}
130	/* XXX all other service requests are denied */
131
132	if (acceptit) {
133		packet_start(SSH2_MSG_SERVICE_ACCEPT);
134		packet_put_cstring(service);
135		packet_send();
136		packet_write_wait();
137	} else {
138		debug("bad service request %s", service);
139		packet_disconnect("bad service request %s", service);
140	}
141	xfree(service);
142}
143
144/*ARGSUSED*/
145static void
146input_userauth_request(int type, u_int32_t seq, void *ctxt)
147{
148	Authctxt *authctxt = ctxt;
149	Authmethod *m = NULL;
150	char *user, *service, *method, *style = NULL;
151	int authenticated = 0;
152#ifdef HAVE_LOGIN_CAP
153	login_cap_t *lc;
154	const char *from_host, *from_ip;
155
156        from_host = get_canonical_hostname(options.use_dns);
157        from_ip = get_remote_ipaddr();
158#endif
159
160	if (authctxt == NULL)
161		fatal("input_userauth_request: no authctxt");
162
163	user = packet_get_string(NULL);
164	service = packet_get_string(NULL);
165	method = packet_get_string(NULL);
166	debug("userauth-request for user %s service %s method %s", user, service, method);
167	debug("attempt %d failures %d", authctxt->attempt, authctxt->failures);
168
169	if ((style = strchr(user, ':')) != NULL)
170		*style++ = 0;
171
172	if (authctxt->attempt++ == 0) {
173		/* setup auth context */
174		authctxt->pw = PRIVSEP(getpwnamallow(user));
175		authctxt->user = xstrdup(user);
176		if (authctxt->pw && strcmp(service, "ssh-connection")==0) {
177			authctxt->valid = 1;
178			debug2("input_userauth_request: setting up authctxt for %s", user);
179		} else {
180			logit("input_userauth_request: invalid user %s", user);
181			authctxt->pw = fakepw();
182#ifdef SSH_AUDIT_EVENTS
183			PRIVSEP(audit_event(SSH_INVALID_USER));
184#endif
185		}
186#ifdef USE_PAM
187		if (options.use_pam)
188			PRIVSEP(start_pam(authctxt));
189#endif
190		setproctitle("%s%s", authctxt->valid ? user : "unknown",
191		    use_privsep ? " [net]" : "");
192		authctxt->service = xstrdup(service);
193		authctxt->style = style ? xstrdup(style) : NULL;
194		if (use_privsep)
195			mm_inform_authserv(service, style);
196	} else if (strcmp(user, authctxt->user) != 0 ||
197	    strcmp(service, authctxt->service) != 0) {
198		packet_disconnect("Change of username or service not allowed: "
199		    "(%s,%s) -> (%s,%s)",
200		    authctxt->user, authctxt->service, user, service);
201	}
202
203#ifdef HAVE_LOGIN_CAP
204        if (authctxt->pw != NULL) {
205                lc = login_getpwclass(authctxt->pw);
206                if (lc == NULL)
207                        lc = login_getclassbyname(NULL, authctxt->pw);
208                if (!auth_hostok(lc, from_host, from_ip)) {
209                        logit("Denied connection for %.200s from %.200s [%.200s].",
210                            authctxt->pw->pw_name, from_host, from_ip);
211                        packet_disconnect("Sorry, you are not allowed to connect.");
212                }
213                if (!auth_timeok(lc, time(NULL))) {
214                        logit("LOGIN %.200s REFUSED (TIME) FROM %.200s",
215                            authctxt->pw->pw_name, from_host);
216                        packet_disconnect("Logins not available right now.");
217                }
218                login_close(lc);
219                lc = NULL;
220        }
221#endif  /* HAVE_LOGIN_CAP */
222
223	/* reset state */
224	auth2_challenge_stop(authctxt);
225
226#ifdef GSSAPI
227	dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL);
228	dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE, NULL);
229#endif
230
231	authctxt->postponed = 0;
232
233	/* try to authenticate user */
234	m = authmethod_lookup(method);
235	if (m != NULL) {
236		debug2("input_userauth_request: try method %s", method);
237		authenticated =	m->userauth(authctxt);
238	}
239	userauth_finish(authctxt, authenticated, method);
240
241	xfree(service);
242	xfree(user);
243	xfree(method);
244}
245
246void
247userauth_finish(Authctxt *authctxt, int authenticated, char *method)
248{
249	char *methods;
250
251	if (!authctxt->valid && authenticated)
252		fatal("INTERNAL ERROR: authenticated invalid user %s",
253		    authctxt->user);
254
255	/* Special handling for root */
256	if (authenticated && authctxt->pw->pw_uid == 0 &&
257	    !auth_root_allowed(method)) {
258		authenticated = 0;
259#ifdef SSH_AUDIT_EVENTS
260		PRIVSEP(audit_event(SSH_LOGIN_ROOT_DENIED));
261#endif
262	}
263
264#ifdef USE_PAM
265	if (options.use_pam && authenticated) {
266		if (!PRIVSEP(do_pam_account())) {
267			/* if PAM returned a message, send it to the user */
268			if (buffer_len(&loginmsg) > 0) {
269				buffer_append(&loginmsg, "\0", 1);
270				userauth_send_banner(buffer_ptr(&loginmsg));
271				packet_write_wait();
272			}
273			fatal("Access denied for user %s by PAM account "
274			    "configuration", authctxt->user);
275		}
276	}
277#endif
278
279#ifdef _UNICOS
280	if (authenticated && cray_access_denied(authctxt->user)) {
281		authenticated = 0;
282		fatal("Access denied for user %s.",authctxt->user);
283	}
284#endif /* _UNICOS */
285
286	/* Log before sending the reply */
287	auth_log(authctxt, authenticated, method, " ssh2");
288
289	if (authctxt->postponed)
290		return;
291
292	/* XXX todo: check if multiple auth methods are needed */
293	if (authenticated == 1) {
294		/* turn off userauth */
295		dispatch_set(SSH2_MSG_USERAUTH_REQUEST, &dispatch_protocol_ignore);
296		packet_start(SSH2_MSG_USERAUTH_SUCCESS);
297		packet_send();
298		packet_write_wait();
299		/* now we can break out */
300		authctxt->success = 1;
301	} else {
302		if (authctxt->failures++ > options.max_authtries) {
303#ifdef SSH_AUDIT_EVENTS
304			PRIVSEP(audit_event(SSH_LOGIN_EXCEED_MAXTRIES));
305#endif
306			packet_disconnect(AUTH_FAIL_MSG, authctxt->user);
307		}
308		methods = authmethods_get();
309		packet_start(SSH2_MSG_USERAUTH_FAILURE);
310		packet_put_cstring(methods);
311		packet_put_char(0);	/* XXX partial success, unused */
312		packet_send();
313		packet_write_wait();
314		xfree(methods);
315	}
316}
317
318#define	DELIM	","
319
320static char *
321authmethods_get(void)
322{
323	Buffer b;
324	char *list;
325	int i;
326
327	buffer_init(&b);
328	for (i = 0; authmethods[i] != NULL; i++) {
329		if (strcmp(authmethods[i]->name, "none") == 0)
330			continue;
331		if (authmethods[i]->enabled != NULL &&
332		    *(authmethods[i]->enabled) != 0) {
333			if (buffer_len(&b) > 0)
334				buffer_append(&b, ",", 1);
335			buffer_append(&b, authmethods[i]->name,
336			    strlen(authmethods[i]->name));
337		}
338	}
339	buffer_append(&b, "\0", 1);
340	list = xstrdup(buffer_ptr(&b));
341	buffer_free(&b);
342	return list;
343}
344
345static Authmethod *
346authmethod_lookup(const char *name)
347{
348	int i;
349
350	if (name != NULL)
351		for (i = 0; authmethods[i] != NULL; i++)
352			if (authmethods[i]->enabled != NULL &&
353			    *(authmethods[i]->enabled) != 0 &&
354			    strcmp(name, authmethods[i]->name) == 0)
355				return authmethods[i];
356	debug2("Unrecognized authentication method name: %s",
357	    name ? name : "NULL");
358	return NULL;
359}
360