auth2.c revision 255767
1217044Snwhitehorn/* $OpenBSD: auth2.c,v 1.129 2013/05/19 02:42:42 djm Exp $ */ 2217044Snwhitehorn/* 3217044Snwhitehorn * Copyright (c) 2000 Markus Friedl. All rights reserved. 4217044Snwhitehorn * 5217044Snwhitehorn * Redistribution and use in source and binary forms, with or without 6217044Snwhitehorn * modification, are permitted provided that the following conditions 7217044Snwhitehorn * are met: 8217044Snwhitehorn * 1. Redistributions of source code must retain the above copyright 9217044Snwhitehorn * notice, this list of conditions and the following disclaimer. 10217044Snwhitehorn * 2. Redistributions in binary form must reproduce the above copyright 11217044Snwhitehorn * notice, this list of conditions and the following disclaimer in the 12217044Snwhitehorn * documentation and/or other materials provided with the distribution. 13217044Snwhitehorn * 14217044Snwhitehorn * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 15217044Snwhitehorn * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 16217044Snwhitehorn * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 17217044Snwhitehorn * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 18217044Snwhitehorn * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 19217044Snwhitehorn * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 20217044Snwhitehorn * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 21217044Snwhitehorn * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 22217044Snwhitehorn * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 23217044Snwhitehorn * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 24217044Snwhitehorn */ 25217044Snwhitehorn 26217044Snwhitehorn#include "includes.h" 27217044Snwhitehorn__RCSID("$FreeBSD: head/crypto/openssh/auth2.c 255767 2013-09-21 21:36:09Z des $"); 28217044Snwhitehorn 29217044Snwhitehorn#include <sys/types.h> 30217044Snwhitehorn#include <sys/stat.h> 31217044Snwhitehorn#include <sys/uio.h> 32217044Snwhitehorn 33217044Snwhitehorn#include <fcntl.h> 34217044Snwhitehorn#include <pwd.h> 35217044Snwhitehorn#include <stdarg.h> 36217044Snwhitehorn#include <string.h> 37217044Snwhitehorn#include <unistd.h> 38217044Snwhitehorn 39217044Snwhitehorn#include "atomicio.h" 40217044Snwhitehorn#include "xmalloc.h" 41217044Snwhitehorn#include "ssh2.h" 42217044Snwhitehorn#include "packet.h" 43217044Snwhitehorn#include "log.h" 44217044Snwhitehorn#include "buffer.h" 45217044Snwhitehorn#include "servconf.h" 46217044Snwhitehorn#include "compat.h" 47217044Snwhitehorn#include "key.h" 48217044Snwhitehorn#include "hostfile.h" 49217044Snwhitehorn#include "auth.h" 50217044Snwhitehorn#include "dispatch.h" 51217044Snwhitehorn#include "pathnames.h" 52217044Snwhitehorn#include "buffer.h" 53217044Snwhitehorn#include "canohost.h" 54217044Snwhitehorn 55217044Snwhitehorn#ifdef GSSAPI 56217044Snwhitehorn#include "ssh-gss.h" 57217044Snwhitehorn#endif 58217044Snwhitehorn#include "monitor_wrap.h" 59217044Snwhitehorn 60217044Snwhitehorn/* import */ 61217044Snwhitehornextern ServerOptions options; 62217044Snwhitehornextern u_char *session_id2; 63217044Snwhitehornextern u_int session_id2_len; 64217044Snwhitehornextern Buffer loginmsg; 65217044Snwhitehorn 66217044Snwhitehorn/* methods */ 67217044Snwhitehorn 68217044Snwhitehornextern Authmethod method_none; 69217044Snwhitehornextern Authmethod method_pubkey; 70217044Snwhitehornextern Authmethod method_passwd; 71217044Snwhitehornextern Authmethod method_kbdint; 72217044Snwhitehornextern Authmethod method_hostbased; 73217044Snwhitehorn#ifdef GSSAPI 74217044Snwhitehornextern Authmethod method_gssapi; 75217044Snwhitehorn#endif 76217044Snwhitehorn#ifdef JPAKE 77217044Snwhitehornextern Authmethod method_jpake; 78217044Snwhitehorn#endif 79217044Snwhitehorn 80217044SnwhitehornAuthmethod *authmethods[] = { 81217044Snwhitehorn &method_none, 82217044Snwhitehorn &method_pubkey, 83217044Snwhitehorn#ifdef GSSAPI 84217044Snwhitehorn &method_gssapi, 85217044Snwhitehorn#endif 86217044Snwhitehorn#ifdef JPAKE 87217044Snwhitehorn &method_jpake, 88217044Snwhitehorn#endif 89217044Snwhitehorn &method_passwd, 90217044Snwhitehorn &method_kbdint, 91217044Snwhitehorn &method_hostbased, 92217044Snwhitehorn NULL 93217044Snwhitehorn}; 94217044Snwhitehorn 95217044Snwhitehorn/* protocol */ 96217044Snwhitehorn 97217044Snwhitehornstatic void input_service_request(int, u_int32_t, void *); 98217044Snwhitehornstatic void input_userauth_request(int, u_int32_t, void *); 99217044Snwhitehorn 100217044Snwhitehorn/* helper */ 101217044Snwhitehornstatic Authmethod *authmethod_lookup(Authctxt *, const char *); 102217044Snwhitehornstatic char *authmethods_get(Authctxt *authctxt); 103217044Snwhitehorn 104217044Snwhitehorn#define MATCH_NONE 0 /* method or submethod mismatch */ 105217044Snwhitehorn#define MATCH_METHOD 1 /* method matches (no submethod specified) */ 106217044Snwhitehorn#define MATCH_BOTH 2 /* method and submethod match */ 107217044Snwhitehorn#define MATCH_PARTIAL 3 /* method matches, submethod can't be checked */ 108217044Snwhitehornstatic int list_starts_with(const char *, const char *, const char *); 109217044Snwhitehorn 110217044Snwhitehornchar * 111217044Snwhitehornauth2_read_banner(void) 112217044Snwhitehorn{ 113217044Snwhitehorn struct stat st; 114217044Snwhitehorn char *banner = NULL; 115217044Snwhitehorn size_t len, n; 116217044Snwhitehorn int fd; 117217044Snwhitehorn 118217044Snwhitehorn if ((fd = open(options.banner, O_RDONLY)) == -1) 119217044Snwhitehorn return (NULL); 120217044Snwhitehorn if (fstat(fd, &st) == -1) { 121217044Snwhitehorn close(fd); 122217044Snwhitehorn return (NULL); 123217044Snwhitehorn } 124217044Snwhitehorn if (st.st_size <= 0 || st.st_size > 1*1024*1024) { 125217044Snwhitehorn close(fd); 126217044Snwhitehorn return (NULL); 127217044Snwhitehorn } 128217044Snwhitehorn 129217044Snwhitehorn len = (size_t)st.st_size; /* truncate */ 130217044Snwhitehorn banner = xmalloc(len + 1); 131217044Snwhitehorn n = atomicio(read, fd, banner, len); 132217044Snwhitehorn close(fd); 133217044Snwhitehorn 134217044Snwhitehorn if (n != len) { 135217044Snwhitehorn free(banner); 136217044Snwhitehorn return (NULL); 137217044Snwhitehorn } 138217044Snwhitehorn banner[n] = '\0'; 139217044Snwhitehorn 140217044Snwhitehorn return (banner); 141217044Snwhitehorn} 142217044Snwhitehorn 143217044Snwhitehornvoid 144217044Snwhitehornuserauth_send_banner(const char *msg) 145217044Snwhitehorn{ 146217044Snwhitehorn if (datafellows & SSH_BUG_BANNER) 147217044Snwhitehorn return; 148217044Snwhitehorn 149217044Snwhitehorn packet_start(SSH2_MSG_USERAUTH_BANNER); 150217044Snwhitehorn packet_put_cstring(msg); 151217044Snwhitehorn packet_put_cstring(""); /* language, unused */ 152217044Snwhitehorn packet_send(); 153217044Snwhitehorn debug("%s: sent", __func__); 154217044Snwhitehorn} 155217044Snwhitehorn 156217044Snwhitehornstatic void 157217044Snwhitehornuserauth_banner(void) 158217044Snwhitehorn{ 159217044Snwhitehorn char *banner = NULL; 160217044Snwhitehorn 161217044Snwhitehorn if (options.banner == NULL || 162217044Snwhitehorn strcasecmp(options.banner, "none") == 0 || 163217044Snwhitehorn (datafellows & SSH_BUG_BANNER) != 0) 164217044Snwhitehorn return; 165217044Snwhitehorn 166217044Snwhitehorn if ((banner = PRIVSEP(auth2_read_banner())) == NULL) 167217044Snwhitehorn goto done; 168217044Snwhitehorn userauth_send_banner(banner); 169217044Snwhitehorn 170217044Snwhitehorndone: 171217044Snwhitehorn free(banner); 172217044Snwhitehorn} 173217044Snwhitehorn 174217044Snwhitehorn/* 175217044Snwhitehorn * loop until authctxt->success == TRUE 176217044Snwhitehorn */ 177217044Snwhitehornvoid 178217044Snwhitehorndo_authentication2(Authctxt *authctxt) 179217044Snwhitehorn{ 180217044Snwhitehorn dispatch_init(&dispatch_protocol_error); 181217044Snwhitehorn dispatch_set(SSH2_MSG_SERVICE_REQUEST, &input_service_request); 182217044Snwhitehorn dispatch_run(DISPATCH_BLOCK, &authctxt->success, authctxt); 183217044Snwhitehorn} 184217044Snwhitehorn 185217044Snwhitehorn/*ARGSUSED*/ 186217044Snwhitehornstatic void 187217044Snwhitehorninput_service_request(int type, u_int32_t seq, void *ctxt) 188217044Snwhitehorn{ 189217044Snwhitehorn Authctxt *authctxt = ctxt; 190217044Snwhitehorn u_int len; 191217044Snwhitehorn int acceptit = 0; 192217044Snwhitehorn char *service = packet_get_cstring(&len); 193217044Snwhitehorn packet_check_eom(); 194217044Snwhitehorn 195217044Snwhitehorn if (authctxt == NULL) 196217044Snwhitehorn fatal("input_service_request: no authctxt"); 197217044Snwhitehorn 198217044Snwhitehorn if (strcmp(service, "ssh-userauth") == 0) { 199217044Snwhitehorn if (!authctxt->success) { 200217044Snwhitehorn acceptit = 1; 201217044Snwhitehorn /* now we can handle user-auth requests */ 202217044Snwhitehorn dispatch_set(SSH2_MSG_USERAUTH_REQUEST, &input_userauth_request); 203217044Snwhitehorn } 204217044Snwhitehorn } 205217044Snwhitehorn /* XXX all other service requests are denied */ 206217044Snwhitehorn 207217044Snwhitehorn if (acceptit) { 208217044Snwhitehorn packet_start(SSH2_MSG_SERVICE_ACCEPT); 209217044Snwhitehorn packet_put_cstring(service); 210217044Snwhitehorn packet_send(); 211217044Snwhitehorn packet_write_wait(); 212217044Snwhitehorn } else { 213217044Snwhitehorn debug("bad service request %s", service); 214217044Snwhitehorn packet_disconnect("bad service request %s", service); 215217044Snwhitehorn } 216217044Snwhitehorn free(service); 217217044Snwhitehorn} 218217044Snwhitehorn 219217044Snwhitehorn/*ARGSUSED*/ 220217044Snwhitehornstatic void 221217044Snwhitehorninput_userauth_request(int type, u_int32_t seq, void *ctxt) 222217044Snwhitehorn{ 223217044Snwhitehorn Authctxt *authctxt = ctxt; 224217044Snwhitehorn Authmethod *m = NULL; 225217044Snwhitehorn char *user, *service, *method, *style = NULL; 226217044Snwhitehorn int authenticated = 0; 227217044Snwhitehorn#ifdef HAVE_LOGIN_CAP 228217044Snwhitehorn login_cap_t *lc; 229217044Snwhitehorn const char *from_host, *from_ip; 230217044Snwhitehorn 231217044Snwhitehorn from_host = get_canonical_hostname(options.use_dns); 232217044Snwhitehorn from_ip = get_remote_ipaddr(); 233217044Snwhitehorn#endif 234217044Snwhitehorn 235217044Snwhitehorn if (authctxt == NULL) 236217044Snwhitehorn fatal("input_userauth_request: no authctxt"); 237217044Snwhitehorn 238217044Snwhitehorn user = packet_get_cstring(NULL); 239217044Snwhitehorn service = packet_get_cstring(NULL); 240217044Snwhitehorn method = packet_get_cstring(NULL); 241217044Snwhitehorn debug("userauth-request for user %s service %s method %s", user, service, method); 242217044Snwhitehorn debug("attempt %d failures %d", authctxt->attempt, authctxt->failures); 243217044Snwhitehorn 244217044Snwhitehorn if ((style = strchr(user, ':')) != NULL) 245217044Snwhitehorn *style++ = 0; 246217044Snwhitehorn 247217044Snwhitehorn if (authctxt->attempt++ == 0) { 248217044Snwhitehorn /* setup auth context */ 249217044Snwhitehorn authctxt->pw = PRIVSEP(getpwnamallow(user)); 250217044Snwhitehorn authctxt->user = xstrdup(user); 251217044Snwhitehorn if (authctxt->pw && strcmp(service, "ssh-connection")==0) { 252217044Snwhitehorn authctxt->valid = 1; 253217044Snwhitehorn debug2("input_userauth_request: setting up authctxt for %s", user); 254217044Snwhitehorn } else { 255217044Snwhitehorn logit("input_userauth_request: invalid user %s", user); 256217044Snwhitehorn authctxt->pw = fakepw(); 257217044Snwhitehorn#ifdef SSH_AUDIT_EVENTS 258217044Snwhitehorn PRIVSEP(audit_event(SSH_INVALID_USER)); 259217044Snwhitehorn#endif 260217044Snwhitehorn } 261217044Snwhitehorn#ifdef USE_PAM 262217044Snwhitehorn if (options.use_pam) 263217044Snwhitehorn PRIVSEP(start_pam(authctxt)); 264217044Snwhitehorn#endif 265217044Snwhitehorn setproctitle("%s%s", authctxt->valid ? user : "unknown", 266217044Snwhitehorn use_privsep ? " [net]" : ""); 267217044Snwhitehorn authctxt->service = xstrdup(service); 268217044Snwhitehorn authctxt->style = style ? xstrdup(style) : NULL; 269217044Snwhitehorn if (use_privsep) 270217044Snwhitehorn mm_inform_authserv(service, style); 271217044Snwhitehorn userauth_banner(); 272217044Snwhitehorn if (auth2_setup_methods_lists(authctxt) != 0) 273217044Snwhitehorn packet_disconnect("no authentication methods enabled"); 274217044Snwhitehorn } else if (strcmp(user, authctxt->user) != 0 || 275217044Snwhitehorn strcmp(service, authctxt->service) != 0) { 276217044Snwhitehorn packet_disconnect("Change of username or service not allowed: " 277217044Snwhitehorn "(%s,%s) -> (%s,%s)", 278217044Snwhitehorn authctxt->user, authctxt->service, user, service); 279217044Snwhitehorn } 280217044Snwhitehorn 281217044Snwhitehorn#ifdef HAVE_LOGIN_CAP 282217044Snwhitehorn if (authctxt->pw != NULL) { 283217044Snwhitehorn lc = login_getpwclass(authctxt->pw); 284217044Snwhitehorn if (lc == NULL) 285217044Snwhitehorn lc = login_getclassbyname(NULL, authctxt->pw); 286217044Snwhitehorn if (!auth_hostok(lc, from_host, from_ip)) { 287217044Snwhitehorn logit("Denied connection for %.200s from %.200s [%.200s].", 288217044Snwhitehorn authctxt->pw->pw_name, from_host, from_ip); 289217044Snwhitehorn packet_disconnect("Sorry, you are not allowed to connect."); 290217044Snwhitehorn } 291217044Snwhitehorn if (!auth_timeok(lc, time(NULL))) { 292217044Snwhitehorn logit("LOGIN %.200s REFUSED (TIME) FROM %.200s", 293217044Snwhitehorn authctxt->pw->pw_name, from_host); 294217044Snwhitehorn packet_disconnect("Logins not available right now."); 295217044Snwhitehorn } 296217044Snwhitehorn login_close(lc); 297217044Snwhitehorn lc = NULL; 298217044Snwhitehorn } 299217044Snwhitehorn#endif /* HAVE_LOGIN_CAP */ 300217044Snwhitehorn 301217044Snwhitehorn /* reset state */ 302217044Snwhitehorn auth2_challenge_stop(authctxt); 303217044Snwhitehorn#ifdef JPAKE 304217044Snwhitehorn auth2_jpake_stop(authctxt); 305217044Snwhitehorn#endif 306217044Snwhitehorn 307217044Snwhitehorn#ifdef GSSAPI 308217044Snwhitehorn /* XXX move to auth2_gssapi_stop() */ 309217044Snwhitehorn dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL); 310217044Snwhitehorn dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE, NULL); 311217044Snwhitehorn#endif 312217044Snwhitehorn 313217044Snwhitehorn authctxt->postponed = 0; 314217044Snwhitehorn authctxt->server_caused_failure = 0; 315217044Snwhitehorn 316217044Snwhitehorn /* try to authenticate user */ 317217044Snwhitehorn m = authmethod_lookup(authctxt, method); 318217044Snwhitehorn if (m != NULL && authctxt->failures < options.max_authtries) { 319217044Snwhitehorn debug2("input_userauth_request: try method %s", method); 320217044Snwhitehorn authenticated = m->userauth(authctxt); 321217044Snwhitehorn } 322217044Snwhitehorn userauth_finish(authctxt, authenticated, method, NULL); 323217044Snwhitehorn 324217044Snwhitehorn free(service); 325217044Snwhitehorn free(user); 326217044Snwhitehorn free(method); 327217044Snwhitehorn} 328217044Snwhitehorn 329217044Snwhitehornvoid 330217044Snwhitehornuserauth_finish(Authctxt *authctxt, int authenticated, const char *method, 331217044Snwhitehorn const char *submethod) 332217044Snwhitehorn{ 333217044Snwhitehorn char *methods; 334217044Snwhitehorn int partial = 0; 335217044Snwhitehorn 336217044Snwhitehorn if (!authctxt->valid && authenticated) 337217044Snwhitehorn fatal("INTERNAL ERROR: authenticated invalid user %s", 338217044Snwhitehorn authctxt->user); 339217044Snwhitehorn if (authenticated && authctxt->postponed) 340217044Snwhitehorn fatal("INTERNAL ERROR: authenticated and postponed"); 341217044Snwhitehorn 342217044Snwhitehorn /* Special handling for root */ 343217044Snwhitehorn if (authenticated && authctxt->pw->pw_uid == 0 && 344217044Snwhitehorn !auth_root_allowed(method)) { 345217044Snwhitehorn authenticated = 0; 346217044Snwhitehorn#ifdef SSH_AUDIT_EVENTS 347217044Snwhitehorn PRIVSEP(audit_event(SSH_LOGIN_ROOT_DENIED)); 348217044Snwhitehorn#endif 349217044Snwhitehorn } 350217044Snwhitehorn 351217044Snwhitehorn if (authenticated && options.num_auth_methods != 0) { 352217044Snwhitehorn if (!auth2_update_methods_lists(authctxt, method, submethod)) { 353217044Snwhitehorn authenticated = 0; 354217044Snwhitehorn partial = 1; 355217044Snwhitehorn } 356217044Snwhitehorn } 357217044Snwhitehorn 358217044Snwhitehorn /* Log before sending the reply */ 359217044Snwhitehorn auth_log(authctxt, authenticated, partial, method, submethod); 360217044Snwhitehorn 361217044Snwhitehorn if (authctxt->postponed) 362217044Snwhitehorn return; 363217044Snwhitehorn 364217044Snwhitehorn#ifdef USE_PAM 365217044Snwhitehorn if (options.use_pam && authenticated) { 366217044Snwhitehorn if (!PRIVSEP(do_pam_account())) { 367217044Snwhitehorn /* if PAM returned a message, send it to the user */ 368217044Snwhitehorn if (buffer_len(&loginmsg) > 0) { 369217044Snwhitehorn buffer_append(&loginmsg, "\0", 1); 370217044Snwhitehorn userauth_send_banner(buffer_ptr(&loginmsg)); 371217044Snwhitehorn packet_write_wait(); 372217044Snwhitehorn } 373217044Snwhitehorn fatal("Access denied for user %s by PAM account " 374217044Snwhitehorn "configuration", authctxt->user); 375217044Snwhitehorn } 376217044Snwhitehorn } 377217044Snwhitehorn#endif 378217044Snwhitehorn 379217044Snwhitehorn#ifdef _UNICOS 380217044Snwhitehorn if (authenticated && cray_access_denied(authctxt->user)) { 381217044Snwhitehorn authenticated = 0; 382217044Snwhitehorn fatal("Access denied for user %s.", authctxt->user); 383217044Snwhitehorn } 384217044Snwhitehorn#endif /* _UNICOS */ 385217044Snwhitehorn 386217044Snwhitehorn if (authenticated == 1) { 387217044Snwhitehorn /* turn off userauth */ 388217044Snwhitehorn dispatch_set(SSH2_MSG_USERAUTH_REQUEST, &dispatch_protocol_ignore); 389217044Snwhitehorn packet_start(SSH2_MSG_USERAUTH_SUCCESS); 390217044Snwhitehorn packet_send(); 391217044Snwhitehorn packet_write_wait(); 392217044Snwhitehorn /* now we can break out */ 393217044Snwhitehorn authctxt->success = 1; 394217044Snwhitehorn } else { 395217044Snwhitehorn 396217044Snwhitehorn /* Allow initial try of "none" auth without failure penalty */ 397217044Snwhitehorn if (!authctxt->server_caused_failure && 398217044Snwhitehorn (authctxt->attempt > 1 || strcmp(method, "none") != 0)) 399217044Snwhitehorn authctxt->failures++; 400217044Snwhitehorn if (authctxt->failures >= options.max_authtries) { 401217044Snwhitehorn#ifdef SSH_AUDIT_EVENTS 402217044Snwhitehorn PRIVSEP(audit_event(SSH_LOGIN_EXCEED_MAXTRIES)); 403217044Snwhitehorn#endif 404217044Snwhitehorn packet_disconnect(AUTH_FAIL_MSG, authctxt->user); 405217044Snwhitehorn } 406217044Snwhitehorn methods = authmethods_get(authctxt); 407217044Snwhitehorn debug3("%s: failure partial=%d next methods=\"%s\"", __func__, 408217044Snwhitehorn partial, methods); 409217044Snwhitehorn packet_start(SSH2_MSG_USERAUTH_FAILURE); 410217044Snwhitehorn packet_put_cstring(methods); 411217044Snwhitehorn packet_put_char(partial); 412217044Snwhitehorn packet_send(); 413217044Snwhitehorn packet_write_wait(); 414217044Snwhitehorn free(methods); 415217044Snwhitehorn } 416217044Snwhitehorn} 417217044Snwhitehorn 418217044Snwhitehorn/* 419217044Snwhitehorn * Checks whether method is allowed by at least one AuthenticationMethods 420217044Snwhitehorn * methods list. Returns 1 if allowed, or no methods lists configured. 421217044Snwhitehorn * 0 otherwise. 422217044Snwhitehorn */ 423217044Snwhitehornint 424217044Snwhitehornauth2_method_allowed(Authctxt *authctxt, const char *method, 425217044Snwhitehorn const char *submethod) 426217044Snwhitehorn{ 427217044Snwhitehorn u_int i; 428217044Snwhitehorn 429217044Snwhitehorn /* 430217044Snwhitehorn * NB. authctxt->num_auth_methods might be zero as a result of 431217044Snwhitehorn * auth2_setup_methods_lists(), so check the configuration. 432217044Snwhitehorn */ 433217044Snwhitehorn if (options.num_auth_methods == 0) 434217044Snwhitehorn return 1; 435217044Snwhitehorn for (i = 0; i < authctxt->num_auth_methods; i++) { 436217044Snwhitehorn if (list_starts_with(authctxt->auth_methods[i], method, 437217044Snwhitehorn submethod) != MATCH_NONE) 438217044Snwhitehorn return 1; 439217044Snwhitehorn } 440217044Snwhitehorn return 0; 441217044Snwhitehorn} 442217044Snwhitehorn 443217044Snwhitehornstatic char * 444217044Snwhitehornauthmethods_get(Authctxt *authctxt) 445217044Snwhitehorn{ 446217044Snwhitehorn Buffer b; 447217044Snwhitehorn char *list; 448217044Snwhitehorn u_int i; 449217044Snwhitehorn 450217044Snwhitehorn buffer_init(&b); 451217044Snwhitehorn for (i = 0; authmethods[i] != NULL; i++) { 452217044Snwhitehorn if (strcmp(authmethods[i]->name, "none") == 0) 453217044Snwhitehorn continue; 454217044Snwhitehorn if (authmethods[i]->enabled == NULL || 455217044Snwhitehorn *(authmethods[i]->enabled) == 0) 456217044Snwhitehorn continue; 457217044Snwhitehorn if (!auth2_method_allowed(authctxt, authmethods[i]->name, 458217044Snwhitehorn NULL)) 459217044Snwhitehorn continue; 460217044Snwhitehorn if (buffer_len(&b) > 0) 461217044Snwhitehorn buffer_append(&b, ",", 1); 462217044Snwhitehorn buffer_append(&b, authmethods[i]->name, 463217044Snwhitehorn strlen(authmethods[i]->name)); 464217044Snwhitehorn } 465217044Snwhitehorn buffer_append(&b, "\0", 1); 466217044Snwhitehorn list = xstrdup(buffer_ptr(&b)); 467217044Snwhitehorn buffer_free(&b); 468217044Snwhitehorn return list; 469217044Snwhitehorn} 470217044Snwhitehorn 471217044Snwhitehornstatic Authmethod * 472217044Snwhitehornauthmethod_lookup(Authctxt *authctxt, const char *name) 473217044Snwhitehorn{ 474217044Snwhitehorn int i; 475217044Snwhitehorn 476217044Snwhitehorn if (name != NULL) 477217044Snwhitehorn for (i = 0; authmethods[i] != NULL; i++) 478217044Snwhitehorn if (authmethods[i]->enabled != NULL && 479217044Snwhitehorn *(authmethods[i]->enabled) != 0 && 480217044Snwhitehorn strcmp(name, authmethods[i]->name) == 0 && 481217044Snwhitehorn auth2_method_allowed(authctxt, 482217044Snwhitehorn authmethods[i]->name, NULL)) 483217044Snwhitehorn return authmethods[i]; 484217044Snwhitehorn debug2("Unrecognized authentication method name: %s", 485217044Snwhitehorn name ? name : "NULL"); 486217044Snwhitehorn return NULL; 487217044Snwhitehorn} 488217044Snwhitehorn 489217044Snwhitehorn/* 490217044Snwhitehorn * Check a comma-separated list of methods for validity. Is need_enable is 491217044Snwhitehorn * non-zero, then also require that the methods are enabled. 492217044Snwhitehorn * Returns 0 on success or -1 if the methods list is invalid. 493217044Snwhitehorn */ 494217044Snwhitehornint 495217044Snwhitehornauth2_methods_valid(const char *_methods, int need_enable) 496217044Snwhitehorn{ 497217044Snwhitehorn char *methods, *omethods, *method, *p; 498217044Snwhitehorn u_int i, found; 499217044Snwhitehorn int ret = -1; 500217044Snwhitehorn 501217044Snwhitehorn if (*_methods == '\0') { 502217044Snwhitehorn error("empty authentication method list"); 503217044Snwhitehorn return -1; 504217044Snwhitehorn } 505217044Snwhitehorn omethods = methods = xstrdup(_methods); 506217044Snwhitehorn while ((method = strsep(&methods, ",")) != NULL) { 507217044Snwhitehorn for (found = i = 0; !found && authmethods[i] != NULL; i++) { 508217044Snwhitehorn if ((p = strchr(method, ':')) != NULL) 509217044Snwhitehorn *p = '\0'; 510217044Snwhitehorn if (strcmp(method, authmethods[i]->name) != 0) 511217044Snwhitehorn continue; 512217044Snwhitehorn if (need_enable) { 513217044Snwhitehorn if (authmethods[i]->enabled == NULL || 514217044Snwhitehorn *(authmethods[i]->enabled) == 0) { 515217044Snwhitehorn error("Disabled method \"%s\" in " 516217044Snwhitehorn "AuthenticationMethods list \"%s\"", 517217044Snwhitehorn method, _methods); 518217044Snwhitehorn goto out; 519217044Snwhitehorn } 520217044Snwhitehorn } 521217044Snwhitehorn found = 1; 522217044Snwhitehorn break; 523217044Snwhitehorn } 524217044Snwhitehorn if (!found) { 525217044Snwhitehorn error("Unknown authentication method \"%s\" in list", 526217044Snwhitehorn method); 527217044Snwhitehorn goto out; 528217044Snwhitehorn } 529217044Snwhitehorn } 530217044Snwhitehorn ret = 0; 531217044Snwhitehorn out: 532217044Snwhitehorn free(omethods); 533217044Snwhitehorn return ret; 534217044Snwhitehorn} 535217044Snwhitehorn 536217044Snwhitehorn/* 537217044Snwhitehorn * Prune the AuthenticationMethods supplied in the configuration, removing 538217044Snwhitehorn * any methods lists that include disabled methods. Note that this might 539217044Snwhitehorn * leave authctxt->num_auth_methods == 0, even when multiple required auth 540217044Snwhitehorn * has been requested. For this reason, all tests for whether multiple is 541217044Snwhitehorn * enabled should consult options.num_auth_methods directly. 542217044Snwhitehorn */ 543217044Snwhitehornint 544217044Snwhitehornauth2_setup_methods_lists(Authctxt *authctxt) 545217044Snwhitehorn{ 546217044Snwhitehorn u_int i; 547217044Snwhitehorn 548217044Snwhitehorn if (options.num_auth_methods == 0) 549217044Snwhitehorn return 0; 550217044Snwhitehorn debug3("%s: checking methods", __func__); 551217044Snwhitehorn authctxt->auth_methods = xcalloc(options.num_auth_methods, 552217044Snwhitehorn sizeof(*authctxt->auth_methods)); 553217044Snwhitehorn authctxt->num_auth_methods = 0; 554217044Snwhitehorn for (i = 0; i < options.num_auth_methods; i++) { 555217044Snwhitehorn if (auth2_methods_valid(options.auth_methods[i], 1) != 0) { 556217044Snwhitehorn logit("Authentication methods list \"%s\" contains " 557217044Snwhitehorn "disabled method, skipping", 558217044Snwhitehorn options.auth_methods[i]); 559217044Snwhitehorn continue; 560217044Snwhitehorn } 561217044Snwhitehorn debug("authentication methods list %d: %s", 562217044Snwhitehorn authctxt->num_auth_methods, options.auth_methods[i]); 563217044Snwhitehorn authctxt->auth_methods[authctxt->num_auth_methods++] = 564217044Snwhitehorn xstrdup(options.auth_methods[i]); 565217044Snwhitehorn } 566217044Snwhitehorn if (authctxt->num_auth_methods == 0) { 567217044Snwhitehorn error("No AuthenticationMethods left after eliminating " 568217044Snwhitehorn "disabled methods"); 569217044Snwhitehorn return -1; 570217044Snwhitehorn } 571217044Snwhitehorn return 0; 572217044Snwhitehorn} 573217044Snwhitehorn 574217044Snwhitehornstatic int 575217044Snwhitehornlist_starts_with(const char *methods, const char *method, 576217044Snwhitehorn const char *submethod) 577217044Snwhitehorn{ 578217044Snwhitehorn size_t l = strlen(method); 579217044Snwhitehorn int match; 580217044Snwhitehorn const char *p; 581217044Snwhitehorn 582217044Snwhitehorn if (strncmp(methods, method, l) != 0) 583217044Snwhitehorn return MATCH_NONE; 584217044Snwhitehorn p = methods + l; 585217044Snwhitehorn match = MATCH_METHOD; 586217044Snwhitehorn if (*p == ':') { 587217044Snwhitehorn if (!submethod) 588217044Snwhitehorn return MATCH_PARTIAL; 589217044Snwhitehorn l = strlen(submethod); 590217044Snwhitehorn p += 1; 591217044Snwhitehorn if (strncmp(submethod, p, l)) 592217044Snwhitehorn return MATCH_NONE; 593217044Snwhitehorn p += l; 594217044Snwhitehorn match = MATCH_BOTH; 595217044Snwhitehorn } 596217044Snwhitehorn if (*p != ',' && *p != '\0') 597217044Snwhitehorn return MATCH_NONE; 598217044Snwhitehorn return match; 599217044Snwhitehorn} 600217044Snwhitehorn 601217044Snwhitehorn/* 602217044Snwhitehorn * Remove method from the start of a comma-separated list of methods. 603217044Snwhitehorn * Returns 0 if the list of methods did not start with that method or 1 604217044Snwhitehorn * if it did. 605217044Snwhitehorn */ 606217044Snwhitehornstatic int 607217044Snwhitehornremove_method(char **methods, const char *method, const char *submethod) 608217044Snwhitehorn{ 609217044Snwhitehorn char *omethods = *methods, *p; 610217044Snwhitehorn size_t l = strlen(method); 611217044Snwhitehorn int match; 612217044Snwhitehorn 613217044Snwhitehorn match = list_starts_with(omethods, method, submethod); 614217044Snwhitehorn if (match != MATCH_METHOD && match != MATCH_BOTH) 615217044Snwhitehorn return 0; 616217044Snwhitehorn p = omethods + l; 617217044Snwhitehorn if (submethod && match == MATCH_BOTH) 618217044Snwhitehorn p += 1 + strlen(submethod); /* include colon */ 619217044Snwhitehorn if (*p == ',') 620217044Snwhitehorn p++; 621217044Snwhitehorn *methods = xstrdup(p); 622217044Snwhitehorn free(omethods); 623217044Snwhitehorn return 1; 624217044Snwhitehorn} 625217044Snwhitehorn 626217044Snwhitehorn/* 627217044Snwhitehorn * Called after successful authentication. Will remove the successful method 628217044Snwhitehorn * from the start of each list in which it occurs. If it was the last method 629217044Snwhitehorn * in any list, then authentication is deemed successful. 630217044Snwhitehorn * Returns 1 if the method completed any authentication list or 0 otherwise. 631217044Snwhitehorn */ 632217044Snwhitehornint 633217044Snwhitehornauth2_update_methods_lists(Authctxt *authctxt, const char *method, 634217044Snwhitehorn const char *submethod) 635217044Snwhitehorn{ 636217044Snwhitehorn u_int i, found = 0; 637217044Snwhitehorn 638217044Snwhitehorn debug3("%s: updating methods list after \"%s\"", __func__, method); 639217044Snwhitehorn for (i = 0; i < authctxt->num_auth_methods; i++) { 640217044Snwhitehorn if (!remove_method(&(authctxt->auth_methods[i]), method, 641217044Snwhitehorn submethod)) 642217044Snwhitehorn continue; 643217044Snwhitehorn found = 1; 644217044Snwhitehorn if (*authctxt->auth_methods[i] == '\0') { 645217044Snwhitehorn debug2("authentication methods list %d complete", i); 646217044Snwhitehorn return 1; 647217044Snwhitehorn } 648217044Snwhitehorn debug3("authentication methods list %d remaining: \"%s\"", 649217044Snwhitehorn i, authctxt->auth_methods[i]); 650217044Snwhitehorn } 651217044Snwhitehorn /* This should not happen, but would be bad if it did */ 652217044Snwhitehorn if (!found) 653217044Snwhitehorn fatal("%s: method not in AuthenticationMethods", __func__); 654217044Snwhitehorn return 0; 655217044Snwhitehorn} 656217044Snwhitehorn 657217044Snwhitehorn 658217044Snwhitehorn