/* $OpenBSD: auth.h,v 1.69 2011/05/23 03:30:07 djm Exp $ */

/*
 * Copyright (c) 2000 Markus Friedl. All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 *
 */

#ifndef AUTH_H
#define AUTH_H

/*
 * Server-side authentication interface: the per-connection authentication
 * context (Authctxt), the method and keyboard-interactive device tables,
 * and the prototypes of the rhosts/RSA/password/Kerberos/hostkey helpers.
 *
 * This header does not declare Key, Buffer, HostStatus or u_int; the
 * including .c file must already have the headers that provide them.
 */

#include <signal.h>		/* sig_atomic_t (Authctxt.success) */

#include <openssl/rsa.h>	/* BIGNUM in the RSA/SSH1 prototypes */

#ifdef HAVE_LOGIN_CAP
#include <login_cap.h>
#endif
#ifdef BSD_AUTH
#include <bsd_auth.h>
#endif
#ifdef KRB5
#include <krb5.h>
#endif

typedef struct Authctxt Authctxt;
typedef struct Authmethod Authmethod;
typedef struct KbdintDevice KbdintDevice;

/*
 * State of one client's authentication exchange. Several fields are
 * client-supplied (see 'user'); anything derived from them must be treated
 * as untrusted until 'authenticated' is set.
 */
struct Authctxt {
	/*
	 * sig_atomic_t rather than int: NOTE(review) this looks like it is
	 * meant to be read from a signal handler (e.g. a login-grace alarm);
	 * confirm against the server's alarm handling before relying on it.
	 */
	sig_atomic_t	 success;
	int		 authenticated;	/* authenticated and alarms cancelled */
	int		 postponed;	/* authentication needs another step */
	int		 valid;		/* user exists and is allowed to login */
	int		 attempt;	/* number of userauth attempts so far (presumably) */
	int		 failures;	/* failed attempts; compare AUTH_FAIL_MSG below */
	int		 server_caused_failure;	/* failure not attributable to the client (presumably) */
	int		 force_pwchange;	/* password change required before login (presumably) */
	char		*user;		/* username sent by the client */
	char		*service;	/* service name requested by the client (presumably) */
	struct passwd	*pw;		/* set if 'valid' */
	char		*style;		/* login style suffix, e.g. "user:style" (presumably) */
	void		*kbdintctxt;	/* opaque KbdintDevice context, owned via init_ctx/free_ctx */
	void		*jpake_ctx;	/* opaque J-PAKE state, see auth2_jpake_* below */
#ifdef BSD_AUTH
	auth_session_t	*as;
#endif
#ifdef KRB5
	krb5_context	 krb5_ctx;
	krb5_ccache	 krb5_fwd_ccache;
	krb5_principal	 krb5_user;
	char		*krb5_ticket_file;
	char		*krb5_ccname;
#endif
	Buffer		*loginmsg;	/* message shown to the user after login (presumably) */
	void		*methoddata;	/* opaque per-Authmethod state */
};
/*
 * Every authentication method has to handle authentication requests for
 * non-existing users, or for users that are not allowed to login. In this
 * case 'valid' is set to 0, but 'user' points to the username requested by
 * the client.
 *
 * NOTE(review): this is what lets the server behave the same for unknown
 * and known-but-rejected users (no early bail-out that would reveal which
 * usernames exist); fakepw() below presumably supplies the placeholder
 * passwd in that case -- confirm in the callers.
 */

/* One entry of the userauth method table. */
struct Authmethod {
	char	*name;				/* method name as sent on the wire, e.g. "password" */
	int	(*userauth)(Authctxt *authctxt);	/* runs the method; return convention defined by the callers */
	int	*enabled;			/* points at the option flag that turns the method on (presumably) */
};

/*
 * Keyboard interactive device:
 * init_ctx	returns: non NULL upon success
 * query	returns: 0 - success, otherwise failure
 * respond	returns: 0 - success, 1 - need further interaction,
 *		otherwise - failure
 *
 * query hands back 'numprompts' prompts together with a parallel 'echo_on'
 * array; respond receives the client's 'numresp' answers. The device, not
 * the caller, owns 'ctx' between init_ctx and free_ctx.
 */
struct KbdintDevice
{
	const char *name;
	void*	(*init_ctx)(Authctxt*);
	int	(*query)(void *ctx, char **name, char **infotxt,
		    u_int *numprompts, char ***prompts, u_int **echo_on);
	int	(*respond)(void *ctx, u_int numresp, char **responses);
	void	(*free_ctx)(void *ctx);
};

/* rhosts / rhosts-rsa (SSH1 and host-based) checks */
int      auth_rhosts(struct passwd *, const char *);
int
auth_rhosts2(struct passwd *, const char *, const char *, const char *);

int      auth_rhosts_rsa(Authctxt *, char *, Key *);
int      auth_password(Authctxt *, const char *);
/* SSH1 RSA challenge/response */
int      auth_rsa(Authctxt *, BIGNUM *);
int      auth_rsa_challenge_dialog(Key *);
BIGNUM	*auth_rsa_generate_challenge(Key *);
int	 auth_rsa_verify_response(Key *, BIGNUM *, u_char[]);
int	 auth_rsa_key_allowed(struct passwd *, BIGNUM *, Key **);

/* authorized_keys / known_hosts based key authorisation */
int	 auth_rhosts_rsa_key_allowed(struct passwd *, char *, char *, Key *);
int	 hostbased_key_allowed(struct passwd *, const char *, char *, Key *);
int	 user_key_allowed(struct passwd *, Key *);

#ifdef KRB5
int	 auth_krb5(Authctxt *authctxt, krb5_data *auth, char **client, krb5_data *);
int	 auth_krb5_tgt(Authctxt *authctxt, krb5_data *tgt);
int	 auth_krb5_password(Authctxt *authctxt, const char *password);
void	 krb5_cleanup_proc(Authctxt *authctxt);
#endif /* KRB5 */

#if defined(USE_SHADOW) && defined(HAS_SHADOW_EXPIRE)
#include <shadow.h>
/* account / password expiry checks against the shadow entry */
int auth_shadow_acctexpired(struct spwd *);
int auth_shadow_pwexpired(Authctxt *);
#endif

#include "auth-pam.h"
#include "audit.h"
void remove_kbdint_device(const char *);

void disable_forwarding(void);

/* protocol 1 and protocol 2 authentication entry points */
void	do_authentication(Authctxt *);
void	do_authentication2(Authctxt *);

void	auth_log(Authctxt *, int, char *, char *);
void	userauth_finish(Authctxt *, int, char *);
void	userauth_send_banner(const char *);
int	auth_root_allowed(char *);

/* returns the banner text; NOTE(review) presumably heap-allocated, caller frees -- confirm */
char	*auth2_read_banner(void);

void	privsep_challenge_enable(void);

/* challenge/response (keyboard-interactive) drivers */
int	auth2_challenge(Authctxt *, char *);
void	auth2_challenge_stop(Authctxt *);
int	bsdauth_query(void *, char **, char **, u_int *, char ***, u_int **);
int	bsdauth_respond(void *, u_int, char **);
int	skey_query(void *, char **, char **, u_int *, char ***, u_int **);
int	skey_respond(void *, u_int, char **);

void	auth2_jpake_get_pwdata(Authctxt *, BIGNUM **, char **, char **);
void	auth2_jpake_stop(Authctxt *);

int	allowed_user(struct passwd *);
/* passwd lookup combined with the allowed_user() policy check (presumably) */
struct passwd * getpwnamallow(const char *user);

char	*get_challenge(Authctxt *);
int	verify_response(Authctxt *, const char *);
void	abandon_challenge_response(Authctxt *);

/* expand %-tokens in a configured path; results are presumably heap-allocated */
char	*expand_authorized_keys(const char *, struct passwd *pw);
char	*authorized_principals_file(struct passwd *);

/* open a user-owned key/principals file; the int presumably selects strict-mode checks -- confirm */
FILE	*auth_openkeyfile(const char *, struct passwd *, int);
FILE	*auth_openprincipals(const char *, struct passwd *, int);
int	 auth_key_is_revoked(Key *);

HostStatus
check_key_in_hostfiles(struct passwd *, Key *, const char *,
    const char *, const char *);

/* hostkey handling */
Key	*get_hostkey_by_index(int);
Key	*get_hostkey_public_by_type(int);
Key	*get_hostkey_private_by_type(int);
int	 get_hostkey_index(Key *);
int	 ssh1_session_key(BIGNUM *);

/*
 * debug messages during authentication
 *
 * auth_debug_add is printf-like; the format attribute makes the compiler
 * check call sites, so 'fmt' must always be a literal -- client-supplied
 * text goes through a "%s" argument, never into fmt.
 */
void	 auth_debug_add(const char *fmt,...) __attribute__((format(printf, 1, 2)));
void	 auth_debug_send(void);
void	 auth_debug_reset(void);

/* placeholder passwd entry used when the requested user is not 'valid' (presumably) */
struct passwd *fakepw(void);

int	 sys_auth_passwd(Authctxt *, const char *);

/* "%.100s" caps the client-supplied username when this is formatted */
#define AUTH_FAIL_MSG	"Too many authentication failures for %.100s"

#define SKEY_PROMPT "\nS/Key Password: "

#if defined(KRB5) && !defined(HEIMDAL)
#include <krb5.h>
krb5_error_code ssh_krb5_cc_gen(krb5_context, krb5_ccache *);
#endif
#endif