1/* $OpenBSD: auth.h,v 1.108 2024/05/17 06:42:04 jsg Exp $ */
2
3/*
4 * Copyright (c) 2000 Markus Friedl.  All rights reserved.
5 *
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
8 * are met:
9 * 1. Redistributions of source code must retain the above copyright
10 *    notice, this list of conditions and the following disclaimer.
11 * 2. Redistributions in binary form must reproduce the above copyright
12 *    notice, this list of conditions and the following disclaimer in the
13 *    documentation and/or other materials provided with the distribution.
14 *
15 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
16 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
17 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
18 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
19 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
20 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
21 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
22 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
23 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
24 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
25 *
26 */
27
28#ifndef AUTH_H
29#define AUTH_H
30
31#include <signal.h>
32#include <stdio.h>
33
34#include <bsd_auth.h>
35#ifdef KRB5
36#include <krb5.h>
37#endif
38
39struct passwd;
40struct ssh;
41struct sshbuf;
42struct sshkey;
43struct sshkey_cert;
44struct sshauthopt;
45
46typedef struct Authctxt Authctxt;
47typedef struct Authmethod Authmethod;
48typedef struct KbdintDevice KbdintDevice;
49
50struct Authctxt {
51	sig_atomic_t	 success;
52	int		 authenticated;	/* authenticated and alarms cancelled */
53	int		 postponed;	/* authentication needs another step */
54	int		 valid;		/* user exists and is allowed to login */
55	int		 attempt;
56	int		 failures;
57	int		 server_caused_failure;
58	int		 force_pwchange;
59	char		*user;		/* username sent by the client */
60	char		*service;
61	struct passwd	*pw;		/* set if 'valid' */
62	char		*style;
63
64	/* Method lists for multiple authentication */
65	char		**auth_methods;	/* modified from server config */
66	u_int		 num_auth_methods;
67
68	/* Authentication method-specific data */
69	void		*methoddata;
70	void		*kbdintctxt;
71	auth_session_t	*as;
72#ifdef KRB5
73	krb5_context	 krb5_ctx;
74	krb5_ccache	 krb5_fwd_ccache;
75	krb5_principal	 krb5_user;
76	char		*krb5_ticket_file;
77#endif
78
79	/* Authentication keys already used; these will be refused henceforth */
80	struct sshkey	**prev_keys;
81	u_int		 nprev_keys;
82
83	/* Last used key and ancillary information from active auth method */
84	struct sshkey	*auth_method_key;
85	char		*auth_method_info;
86
87	/* Information exposed to session */
88	struct sshbuf	*session_info;	/* Auth info for environment */
89};
90
91/*
92 * Every authentication method has to handle authentication requests for
93 * non-existing users, or for users that are not allowed to login. In this
94 * case 'valid' is set to 0, but 'user' points to the username requested by
95 * the client.
96 */
97
98struct authmethod_cfg {
99	const char *name;
100	const char *synonym;
101	int *enabled;
102};
103
104struct Authmethod {
105	struct authmethod_cfg *cfg;
106	int	(*userauth)(struct ssh *, const char *);
107};
108
109/*
110 * Keyboard interactive device:
111 * init_ctx	returns: non NULL upon success
112 * query	returns: 0 - success, otherwise failure
113 * respond	returns: 0 - success, 1 - need further interaction,
114 *		otherwise - failure
115 */
116struct KbdintDevice
117{
118	const char *name;
119	void*	(*init_ctx)(Authctxt*);
120	int	(*query)(void *ctx, char **name, char **infotxt,
121		    u_int *numprompts, char ***prompts, u_int **echo_on);
122	int	(*respond)(void *ctx, u_int numresp, char **responses);
123	void	(*free_ctx)(void *ctx);
124};
125
126int
127auth_rhosts2(struct passwd *, const char *, const char *, const char *);
128
129int      auth_password(struct ssh *, const char *);
130
131int	 hostbased_key_allowed(struct ssh *, struct passwd *,
132	    const char *, char *, struct sshkey *);
133int	 user_key_allowed(struct ssh *ssh, struct passwd *, struct sshkey *,
134    int, struct sshauthopt **);
135int	 auth2_key_already_used(Authctxt *, const struct sshkey *);
136
137/*
138 * Handling auth method-specific information for logging and prevention
139 * of key reuse during multiple authentication.
140 */
141void	 auth2_authctxt_reset_info(Authctxt *);
142void	 auth2_record_key(Authctxt *, int, const struct sshkey *);
143void	 auth2_record_info(Authctxt *authctxt, const char *, ...)
144	    __attribute__((__format__ (printf, 2, 3)))
145	    __attribute__((__nonnull__ (2)));
146void	 auth2_update_session_info(Authctxt *, const char *, const char *);
147
148#ifdef KRB5
149int	auth_krb5_password(Authctxt *authctxt, const char *password);
150void	krb5_cleanup_proc(Authctxt *authctxt);
151#endif /* KRB5 */
152
153void	do_authentication2(struct ssh *);
154
155void	auth_log(struct ssh *, int, int, const char *, const char *);
156void	auth_maxtries_exceeded(struct ssh *) __attribute__((noreturn));
157void	userauth_finish(struct ssh *, int, const char *, const char *);
158int	auth_root_allowed(struct ssh *, const char *);
159
160char	*auth2_read_banner(void);
161int	 auth2_methods_valid(const char *, int);
162int	 auth2_update_methods_lists(Authctxt *, const char *, const char *);
163int	 auth2_setup_methods_lists(Authctxt *);
164int	 auth2_method_allowed(Authctxt *, const char *, const char *);
165
166void	privsep_challenge_enable(void);
167
168int	auth2_challenge(struct ssh *, char *);
169void	auth2_challenge_stop(struct ssh *);
170int	bsdauth_query(void *, char **, char **, u_int *, char ***, u_int **);
171int	bsdauth_respond(void *, u_int, char **);
172
173int	allowed_user(struct ssh *, struct passwd *);
174struct passwd * getpwnamallow(struct ssh *, const char *user);
175
176char	*expand_authorized_keys(const char *, struct passwd *pw);
177char	*authorized_principals_file(struct passwd *);
178
179int	 auth_key_is_revoked(struct sshkey *);
180
181const char	*auth_get_canonical_hostname(struct ssh *, int);
182
183HostStatus
184check_key_in_hostfiles(struct passwd *, struct sshkey *, const char *,
185    const char *, const char *);
186
187/* hostkey handling */
188struct sshkey	*get_hostkey_by_index(int);
189struct sshkey	*get_hostkey_public_by_index(int, struct ssh *);
190struct sshkey	*get_hostkey_public_by_type(int, int, struct ssh *);
191struct sshkey	*get_hostkey_private_by_type(int, int, struct ssh *);
192int	 get_hostkey_index(struct sshkey *, int, struct ssh *);
193int	 sshd_hostkey_sign(struct ssh *, struct sshkey *, struct sshkey *,
194    u_char **, size_t *, const u_char *, size_t, const char *);
195
196/* Key / cert options linkage to auth layer */
197int	 auth_activate_options(struct ssh *, struct sshauthopt *);
198void	 auth_restrict_session(struct ssh *);
199void	 auth_log_authopts(const char *, const struct sshauthopt *, int);
200
201/* debug messages during authentication */
202void	 auth_debug_add(const char *fmt,...)
203    __attribute__((format(printf, 1, 2)));
204void	 auth_debug_send(struct ssh *);
205void	 auth_debug_reset(void);
206
207struct passwd *fakepw(void);
208
209/* auth2-pubkeyfile.c */
210int	 auth_authorise_keyopts(struct passwd *, struct sshauthopt *, int,
211    const char *, const char *, const char *);
212int	 auth_check_principals_line(char *, const struct sshkey_cert *,
213    const char *, struct sshauthopt **);
214int	 auth_process_principals(FILE *, const char *,
215    const struct sshkey_cert *, struct sshauthopt **);
216int	 auth_check_authkey_line(struct passwd *, struct sshkey *,
217    char *, const char *, const char *, const char *, struct sshauthopt **);
218int	 auth_check_authkeys_file(struct passwd *, FILE *, char *,
219    struct sshkey *, const char *, const char *, struct sshauthopt **);
220FILE	*auth_openkeyfile(const char *, struct passwd *, int);
221FILE	*auth_openprincipals(const char *, struct passwd *, int);
222
223#endif
224