crypto/openssh/auth.h

181111Sdes/* $OpenBSD: auth.h,v 1.61 2008/07/02 12:03:51 dtucker Exp $ */
92559Sdes
65668Skris/*
65668Skris * Copyright (c) 2000 Markus Friedl.  All rights reserved.
65668Skris *
65668Skris * Redistribution and use in source and binary forms, with or without
65668Skris * modification, are permitted provided that the following conditions
65668Skris * are met:
65668Skris * 1. Redistributions of source code must retain the above copyright
65668Skris *    notice, this list of conditions and the following disclaimer.
65668Skris * 2. Redistributions in binary form must reproduce the above copyright
65668Skris *    notice, this list of conditions and the following disclaimer in the
65668Skris *    documentation and/or other materials provided with the distribution.
65668Skris *
65668Skris * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
65668Skris * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
65668Skris * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
65668Skris * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
65668Skris * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
65668Skris * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
65668Skris * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
65668Skris * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
65668Skris * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
65668Skris * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
69587Sgreen *
65668Skris */
92559Sdes
60573Skris#ifndef AUTH_H
60573Skris#define AUTH_H
60573Skris
162856Sdes#include <signal.h>
162856Sdes
76259Sgreen#include <openssl/rsa.h>
76259Sgreen
76259Sgreen#ifdef HAVE_LOGIN_CAP
76259Sgreen#include <login_cap.h>
76259Sgreen#endif
76259Sgreen#ifdef BSD_AUTH
76259Sgreen#include <bsd_auth.h>
76259Sgreen#endif
92559Sdes#ifdef KRB5
92559Sdes#include <krb5.h>
92559Sdes#endif
76259Sgreen
69587Sgreentypedef struct Authctxt Authctxt;
98684Sdestypedef struct Authmethod Authmethod;
92559Sdestypedef struct KbdintDevice KbdintDevice;
92559Sdes
69587Sgreenstruct Authctxt {
162856Sdes	sig_atomic_t	 success;
162856Sdes	int		 authenticated;	/* authenticated and alarms cancelled */
124211Sdes	int		 postponed;	/* authentication needs another step */
124211Sdes	int		 valid;		/* user exists and is allowed to login */
92559Sdes	int		 attempt;
92559Sdes	int		 failures;
126277Sdes	int		 force_pwchange;
124211Sdes	char		*user;		/* username sent by the client */
92559Sdes	char		*service;
124211Sdes	struct passwd	*pw;		/* set if 'valid' */
92559Sdes	char		*style;
92559Sdes	void		*kbdintctxt;
76259Sgreen#ifdef BSD_AUTH
92559Sdes	auth_session_t	*as;
76259Sgreen#endif
92559Sdes#ifdef KRB5
92559Sdes	krb5_context	 krb5_ctx;
92559Sdes	krb5_ccache	 krb5_fwd_ccache;
92559Sdes	krb5_principal	 krb5_user;
92559Sdes	char		*krb5_ticket_file;
128460Sdes	char		*krb5_ccname;
92559Sdes#endif
147005Sdes	Buffer		*loginmsg;
124211Sdes	void		*methoddata;
69587Sgreen};
124211Sdes/*
124211Sdes * Every authentication method has to handle authentication requests for
124211Sdes * non-existing users, or for users that are not allowed to login. In this
124211Sdes * case 'valid' is set to 0, but 'user' points to the username requested by
124211Sdes * the client.
124211Sdes */
69587Sgreen
98684Sdesstruct Authmethod {
98684Sdes	char	*name;
98684Sdes	int	(*userauth)(Authctxt *authctxt);
98684Sdes	int	*enabled;
98684Sdes};
98684Sdes
76259Sgreen/*
92559Sdes * Keyboard interactive device:
92559Sdes * init_ctx	returns: non NULL upon success
92559Sdes * query	returns: 0 - success, otherwise failure
92559Sdes * respond	returns: 0 - success, 1 - need further interaction,
92559Sdes *		otherwise - failure
76259Sgreen */
92559Sdesstruct KbdintDevice
92559Sdes{
92559Sdes	const char *name;
92559Sdes	void*	(*init_ctx)(Authctxt*);
92559Sdes	int	(*query)(void *ctx, char **name, char **infotxt,
92559Sdes		    u_int *numprompts, char ***prompts, u_int **echo_on);
92559Sdes	int	(*respond)(void *ctx, u_int numresp, char **responses);
92559Sdes	void	(*free_ctx)(void *ctx);
92559Sdes};
76259Sgreen
98684Sdesint      auth_rhosts(struct passwd *, const char *);
76259Sgreenint
92559Sdesauth_rhosts2(struct passwd *, const char *, const char *, const char *);
76259Sgreen
126277Sdesint	 auth_rhosts_rsa(Authctxt *, char *, Key *);
92559Sdesint      auth_password(Authctxt *, const char *);
126277Sdesint      auth_rsa(Authctxt *, BIGNUM *);
98684Sdesint      auth_rsa_challenge_dialog(Key *);
98684SdesBIGNUM	*auth_rsa_generate_challenge(Key *);
98684Sdesint	 auth_rsa_verify_response(Key *, BIGNUM *, u_char[]);
98684Sdesint	 auth_rsa_key_allowed(struct passwd *, BIGNUM *, Key **);
76259Sgreen
98684Sdesint	 auth_rhosts_rsa_key_allowed(struct passwd *, char *, char *, Key *);
98684Sdesint	 hostbased_key_allowed(struct passwd *, const char *, char *, Key *);
98684Sdesint	 user_key_allowed(struct passwd *, Key *);
98684Sdes
92559Sdes#ifdef KRB5
106130Sdesint	auth_krb5(Authctxt *authctxt, krb5_data *auth, char **client, krb5_data *);
92559Sdesint	auth_krb5_tgt(Authctxt *authctxt, krb5_data *tgt);
92559Sdesint	auth_krb5_password(Authctxt *authctxt, const char *password);
126277Sdesvoid	krb5_cleanup_proc(Authctxt *authctxt);
92559Sdes#endif /* KRB5 */
76259Sgreen
126277Sdes#if defined(USE_SHADOW) && defined(HAS_SHADOW_EXPIRE)
126277Sdes#include <shadow.h>
126277Sdesint auth_shadow_acctexpired(struct spwd *);
126277Sdesint auth_shadow_pwexpired(Authctxt *);
126277Sdes#endif
126277Sdes
98941Sdes#include "auth-pam.h"
147005Sdes#include "audit.h"
147005Sdesvoid remove_kbdint_device(const char *);
147005Sdes
126277Sdesvoid disable_forwarding(void);
98941Sdes
126277Sdesvoid	do_authentication(Authctxt *);
126277Sdesvoid	do_authentication2(Authctxt *);
60573Skris
92559Sdesvoid	auth_log(Authctxt *, int, char *, char *);
92559Sdesvoid	userauth_finish(Authctxt *, int, char *);
147005Sdesvoid	userauth_send_banner(const char *);
92559Sdesint	auth_root_allowed(char *);
60573Skris
98684Sdeschar	*auth2_read_banner(void);
98684Sdes
98684Sdesvoid	privsep_challenge_enable(void);
98684Sdes
92559Sdesint	auth2_challenge(Authctxt *, char *);
92559Sdesvoid	auth2_challenge_stop(Authctxt *);
98684Sdesint	bsdauth_query(void *, char **, char **, u_int *, char ***, u_int **);
98684Sdesint	bsdauth_respond(void *, u_int, char **);
98684Sdesint	skey_query(void *, char **, char **, u_int *, char ***, u_int **);
98684Sdesint	skey_respond(void *, u_int, char **);
60573Skris
92559Sdesint	allowed_user(struct passwd *);
98684Sdesstruct passwd * getpwnamallow(const char *user);
76259Sgreen
92559Sdeschar	*get_challenge(Authctxt *);
92559Sdesint	verify_response(Authctxt *, const char *);
112870Sdesvoid	abandon_challenge_response(Authctxt *);
76259Sgreen
92559Sdeschar	*authorized_keys_file(struct passwd *);
92559Sdeschar	*authorized_keys_file2(struct passwd *);
92559Sdes
181111SdesFILE	*auth_openkeyfile(const char *, struct passwd *, int);
92559Sdes
92559SdesHostStatus
92559Sdescheck_key_in_hostfiles(struct passwd *, Key *, const char *,
92559Sdes    const char *, const char *);
92559Sdes
98684Sdes/* hostkey handling */
98684SdesKey	*get_hostkey_by_index(int);
98684SdesKey	*get_hostkey_by_type(int);
98684Sdesint	 get_hostkey_index(Key *);
98684Sdesint	 ssh1_session_key(BIGNUM *);
98684Sdes
98684Sdes/* debug messages during authentication */
98684Sdesvoid	 auth_debug_add(const char *fmt,...) __attribute__((format(printf, 1, 2)));
98684Sdesvoid	 auth_debug_send(void);
98684Sdesvoid	 auth_debug_reset(void);
98684Sdes
124211Sdesstruct passwd *fakepw(void);
124211Sdes
147005Sdesint	 sys_auth_passwd(Authctxt *, const char *);
147005Sdes
60573Skris#define AUTH_FAIL_MSG "Too many authentication failures for %.100s"
60573Skris
98941Sdes#define SKEY_PROMPT "\nS/Key Password: "
149753Sdes
149753Sdes#if defined(KRB5) && !defined(HEIMDAL)
149753Sdes#include <krb5.h>
149753Sdeskrb5_error_code ssh_krb5_cc_gen(krb5_context, krb5_ccache *);
60573Skris#endif
99046Sdes#endif