139830Speter/* $OpenBSD: auth.h,v 1.66 2010/05/07 11:30:29 djm Exp $ */
239830Speter
339830Speter/*
439830Speter * Copyright (c) 2000 Markus Friedl.  All rights reserved.
539830Speter *
639830Speter * Redistribution and use in source and binary forms, with or without
739830Speter * modification, are permitted provided that the following conditions
839830Speter * are met:
939830Speter * 1. Redistributions of source code must retain the above copyright
1039830Speter *    notice, this list of conditions and the following disclaimer.
1139830Speter * 2. Redistributions in binary form must reproduce the above copyright
1239830Speter *    notice, this list of conditions and the following disclaimer in the
1339830Speter *    documentation and/or other materials provided with the distribution.
1439830Speter *
1539830Speter * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
1639830Speter * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
1739830Speter * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
1839830Speter * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
1939830Speter * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
2039830Speter * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
2139830Speter * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
2239830Speter * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
2339830Speter * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
2439830Speter * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
2539830Speter *
2639830Speter */
2740254Speter
2839830Speter#ifndef AUTH_H
2939830Speter#define AUTH_H
3039830Speter
3139830Speter#include <signal.h>
3239830Speter
3340143Speter#include <openssl/rsa.h>
3439830Speter
3539830Speter#ifdef HAVE_LOGIN_CAP
3639830Speter#include <login_cap.h>
3739830Speter#endif
3839830Speter#ifdef BSD_AUTH
3939830Speter#include <bsd_auth.h>
4039830Speter#endif
4139830Speter#ifdef KRB5
4239830Speter#include <krb5.h>
4340143Speter#endif
4439830Speter
/*
 * Forward typedefs so the structs below can refer to each other
 * (Authmethod.userauth and KbdintDevice.init_ctx both take an Authctxt *).
 */
typedef struct Authctxt Authctxt;
typedef struct Authmethod Authmethod;
typedef struct KbdintDevice KbdintDevice;
4839830Speter
/*
 * State of one authentication exchange.  It is handed to every
 * Authmethod.userauth callback and to KbdintDevice.init_ctx, and is the
 * object the auth_*, auth2_* and userauth_* functions below operate on.
 *
 * NOTE(review): Buffer (loginmsg) comes from buffer.h, and Key/HostStatus
 * used in the prototypes below from key.h/hostfile.h; none of them is
 * included by this header, so includers must pull those in first.
 */
struct Authctxt {
	sig_atomic_t	 success;	/* sig_atomic_t (<signal.h>): presumably
					 * written across a signal boundary --
					 * confirm before relying on it */
	int		 authenticated;	/* authenticated and alarms cancelled */
	int		 postponed;	/* authentication needs another step */
	int		 valid;		/* user exists and is allowed to login */
	int		 attempt;	/* attempt/failure counters; the limit
					 * itself is enforced elsewhere (see
					 * AUTH_FAIL_MSG below) */
	int		 failures;
	int		 force_pwchange; /* presumably set when the password has
					  * expired (see auth_shadow_pwexpired) */
	char		*user;		/* username sent by the client: untrusted
					 * input, and set even when 'valid' is 0 */
	char		*service;	/* service name from the client -- presumably */
	struct passwd	*pw;		/* set if 'valid'; do not use otherwise */
	char		*style;		/* login style suffix (BSD auth) -- confirm */
	void		*kbdintctxt;	/* opaque device state, presumably the
					 * value returned by KbdintDevice.init_ctx */
	void		*jpake_ctx;	/* J-PAKE state, see auth2_jpake_* below */
#ifdef BSD_AUTH
	auth_session_t	*as;		/* bsd_auth(3) session */
#endif
#ifdef KRB5
	krb5_context	 krb5_ctx;
	krb5_ccache	 krb5_fwd_ccache;	/* forwarded credential cache -- presumably */
	krb5_principal	 krb5_user;
	char		*krb5_ticket_file;
	char		*krb5_ccname;
#endif
	Buffer		*loginmsg;	/* text accumulated for display at login -- presumably */
	void		*methoddata;	/* private per-method state -- presumably */
};
/*
 * Every authentication method has to handle authentication requests for
 * non-existent users, or for users that are not allowed to log in.  In
 * that case 'valid' is 0 and 'pw' is not set, but 'user' still points to
 * the username requested by the client.  The method must not assume 'pw'
 * is usable and must fail such requests (presumably in the same way, and
 * taking the same time, as a bad credential for a real account, so that
 * the client cannot enumerate accounts; see fakepw() below).
 */
8239830Speter
/*
 * One entry in the table of userauth methods.  The table itself is
 * defined elsewhere (auth2.c, presumably).
 */
struct Authmethod {
	char	*name;			/* method name, presumably as the client
					 * requests it on the wire */
	int	(*userauth)(Authctxt *authctxt);	/* run the method for
						 * authctxt->user; the return
						 * convention is not shown here --
						 * TODO confirm against callers */
	int	*enabled;		/* points at the option flag enabling
					 * this method, so the table can stay
					 * static while options are parsed at
					 * runtime -- presumably */
};
8839830Speter
/*
 * Keyboard-interactive device:
 * init_ctx	returns: non-NULL context upon success (presumably the same
 *		pointer that is passed back as 'ctx' to the other callbacks)
 * query	returns: 0 - success, otherwise failure
 * respond	returns: 0 - success, 1 - need further interaction,
 *		otherwise - failure
 */
struct KbdintDevice
{
	const char *name;		/* device name */
	void*	(*init_ctx)(Authctxt*);	/* allocate per-session state; NULL on failure */
	int	(*query)(void *ctx, char **name, char **infotxt,
		    u_int *numprompts, char ***prompts, u_int **echo_on);
					/* produce numprompts prompts; echo_on[i]
					 * presumably says whether the answer to
					 * prompts[i] may be echoed.  Ownership
					 * of the returned strings is not
					 * documented here -- confirm */
	int	(*respond)(void *ctx, u_int numresp, char **responses);
					/* receive numresp client answers.
					 * NOTE(review): numresp presumably comes
					 * straight from the client's response
					 * packet, so implementations must not
					 * assume it equals numprompts -- confirm */
	void	(*free_ctx)(void *ctx);	/* release what init_ctx allocated */
};
10539830Speter
/* rhosts-style trusted-host checks -- legacy, presumably protocol 1 era */
int      auth_rhosts(struct passwd *, const char *);
int
auth_rhosts2(struct passwd *, const char *, const char *, const char *);

/* RSA and rhosts-RSA authentication (BIGNUM challenge/response; protocol 1 -- inferred from naming) */
int	 auth_rhosts_rsa(Authctxt *, char *, Key *);
/* verify the given password for authctxt->user; must also handle the !valid case (see above) */
int      auth_password(Authctxt *, const char *);
int      auth_rsa(Authctxt *, BIGNUM *);
int      auth_rsa_challenge_dialog(Key *);
BIGNUM	*auth_rsa_generate_challenge(Key *);
/* NOTE(review): the response array carries no length parameter; caller and callee must agree on its fixed size */
int	 auth_rsa_verify_response(Key *, BIGNUM *, u_char[]);
int	 auth_rsa_key_allowed(struct passwd *, BIGNUM *, Key **);

/* key authorisation checks for the given account; non-zero presumably means the key is acceptable -- confirm */
int	 auth_rhosts_rsa_key_allowed(struct passwd *, char *, char *, Key *);
int	 hostbased_key_allowed(struct passwd *, const char *, char *, Key *);
int	 user_key_allowed(struct passwd *, Key *);
12139830Speter
#ifdef KRB5
/* Kerberos 5 authentication (ticket, forwarded TGT and password variants); only built with KRB5 */
int	auth_krb5(Authctxt *authctxt, krb5_data *auth, char **client, krb5_data *);
int	auth_krb5_tgt(Authctxt *authctxt, krb5_data *tgt);	/* accept a forwarded TGT -- presumably */
int	auth_krb5_password(Authctxt *authctxt, const char *password);
void	krb5_cleanup_proc(Authctxt *authctxt);	/* release the krb5_* members of Authctxt -- presumably */
#endif /* KRB5 */
12839830Speter
#if defined(USE_SHADOW) && defined(HAS_SHADOW_EXPIRE)
#include <shadow.h>
/* account and password expiry checks from the shadow record; presumably feed Authctxt.force_pwchange -- confirm */
int auth_shadow_acctexpired(struct spwd *);
int auth_shadow_pwexpired(Authctxt *);
#endif
13439830Speter
#include "auth-pam.h"
#include "audit.h"
/* remove a keyboard-interactive device from the device table by name */
void remove_kbdint_device(const char *);

/* turn off forwarding for this session -- presumably; which kinds is not shown here */
void disable_forwarding(void);

/* authentication entry points; the "2" suffix presumably denotes protocol 2 */
void	do_authentication(Authctxt *);
void	do_authentication2(Authctxt *);
14339830Speter
/* record the outcome of an attempt; the int is presumably the authenticated flag -- confirm */
void	auth_log(Authctxt *, int, char *, char *);
void	userauth_finish(Authctxt *, int, char *);
void	userauth_send_banner(const char *);
/* whether root may log in via the named method (PermitRootLogin handling -- confirm) */
int	auth_root_allowed(char *);
14840143Speter
char	*auth2_read_banner(void);	/* banner text to send before auth, or NULL -- presumably; ownership not shown here */

void	privsep_challenge_enable(void);

/* challenge/response (keyboard-interactive) for protocol 2 */
int	auth2_challenge(Authctxt *, char *);
void	auth2_challenge_stop(Authctxt *);
/* KbdintDevice query/respond implementations for bsd_auth(3) and S/Key; same contract as KbdintDevice above */
int	bsdauth_query(void *, char **, char **, u_int *, char ***, u_int **);
int	bsdauth_respond(void *, u_int, char **);
int	skey_query(void *, char **, char **, u_int *, char ***, u_int **);
int	skey_respond(void *, u_int, char **);

/* J-PAKE support; the BIGNUM ** and strings are the password-derived data -- confirm in auth2-jpake.c */
void	auth2_jpake_get_pwdata(Authctxt *, BIGNUM **, char **, char **);
void	auth2_jpake_stop(Authctxt *);
16240143Speter
/* policy check: may this account log in at all (Allow/DenyUsers, expiry, ... -- confirm in auth.c) */
int	allowed_user(struct passwd *);
/* presumably getpwnam() combined with allowed_user(); NULL when the user is unknown or not allowed */
struct passwd * getpwnamallow(const char *user);

/* challenge/response helpers; protocol 1 counterpart of auth2_challenge -- presumably */
char	*get_challenge(Authctxt *);
int	verify_response(Authctxt *, const char *);
void	abandon_challenge_response(Authctxt *);
16939830Speter
/* expand the configured authorized keys / principals file paths for pw; ownership of the result is not shown here -- confirm */
char	*authorized_keys_file(struct passwd *);
char	*authorized_keys_file2(struct passwd *);
char	*authorized_principals_file(struct passwd *);

/* open a keys/principals file for pw; the int is presumably strict_modes (refuse unsafe file/directory permissions) -- confirm */
FILE	*auth_openkeyfile(const char *, struct passwd *, int);
FILE	*auth_openprincipals(const char *, struct passwd *, int);
/* revocation check; a revoked key must be rejected regardless of any other authorisation result */
int	 auth_key_is_revoked(Key *);

/* look up a host key in the known-hosts files; HostStatus is presumably declared in hostfile.h, which is not included here */
HostStatus
check_key_in_hostfiles(struct passwd *, Key *, const char *,
    const char *, const char *);
18139830Speter
/* hostkey handling: access to the server's loaded host keys by index or key type */
Key	*get_hostkey_by_index(int);
Key	*get_hostkey_public_by_type(int);
Key	*get_hostkey_private_by_type(int);	/* private half -- presumably only available in the privileged process */
int	 get_hostkey_index(Key *);
int	 ssh1_session_key(BIGNUM *);	/* protocol 1 session key handling */
18839887Speter
/*
 * Debug messages during authentication: buffered with auth_debug_add(),
 * flushed by auth_debug_send() (presumably to the client) and discarded by
 * auth_debug_reset().  The format attribute lets the compiler check the
 * format string; callers must never pass client-supplied text as 'fmt'
 * (use "%s").
 */
void	 auth_debug_add(const char *fmt,...) __attribute__((format(printf, 1, 2)));
void	 auth_debug_send(void);
void	 auth_debug_reset(void);
19339830Speter
/* placeholder passwd entry for the !valid case (see the note on Authctxt.valid),
 * presumably so that unknown users follow the same code path as real ones;
 * it must never be used to grant access */
struct passwd *fakepw(void);

/* platform password check; which backend (crypt, PAM, ...) depends on the build -- confirm */
int	 sys_auth_passwd(Authctxt *, const char *);
19739887Speter
/* %.100s caps how much of the client-supplied username is echoed into the message */
#define AUTH_FAIL_MSG "Too many authentication failures for %.100s"

/* leading newline presumably separates the prompt from preceding output */
#define SKEY_PROMPT "\nS/Key Password: "
20140143Speter
#if defined(KRB5) && !defined(HEIMDAL)
/* NOTE(review): <krb5.h> is already included above under #ifdef KRB5, which this
 * condition implies; the repeat is harmless if krb5.h has an include guard, but redundant. */
#include <krb5.h>
/* create a credential cache for this login (non-Heimdal builds only) -- presumably */
krb5_error_code ssh_krb5_cc_gen(krb5_context, krb5_ccache *);
#endif
20640143Speter#endif
20740143Speter