1/* 2 * Copyright (c) 2012,2023 Damien Miller <djm@mindrot.org> 3 * 4 * Permission to use, copy, modify, and distribute this software for any 5 * purpose with or without fee is hereby granted, provided that the above 6 * copyright notice and this permission notice appear in all copies. 7 * 8 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 9 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 10 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR 11 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 12 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 13 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF 14 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 15 */ 16 17#include <sys/types.h> 18 19#include <stdlib.h> 20#include <string.h> 21 22#include "log.h" 23#include "misc.h" 24#include "servconf.h" 25#include "xmalloc.h" 26#include "hostfile.h" 27#include "auth.h" 28 29extern ServerOptions options; 30 31/* 32 * Configuration of enabled authentication methods. Separate from the rest of 33 * auth2-*.c because we want to query it during server configuration validity 34 * checking in the sshd listener process without pulling all the auth code in 35 * too. 
*/

/* "none" is allowed only one time and it is cleared by userauth_none() later */
int none_enabled = 1;

/*
 * One table entry per authentication method. Positionally: the method name
 * as written in an AuthenticationMethods list, an alternate name (NULL when
 * there is none; not consulted by auth2_methods_valid()), and a pointer to
 * the flag that records whether the method is currently enabled. All but
 * "none" point into the global ServerOptions, so the enabled state follows
 * the parsed server configuration.
 */
struct authmethod_cfg methodcfg_none = {
	"none",
	NULL,
	&none_enabled
};
struct authmethod_cfg methodcfg_pubkey = {
	"publickey",
	"publickey-hostbound-v00@openssh.com",
	&options.pubkey_authentication
};
#ifdef GSSAPI
struct authmethod_cfg methodcfg_gssapi = {
	"gssapi-with-mic",
	NULL,
	&options.gss_authentication
};
#endif
struct authmethod_cfg methodcfg_passwd = {
	"password",
	NULL,
	&options.password_authentication
};
struct authmethod_cfg methodcfg_kbdint = {
	"keyboard-interactive",
	NULL,
	&options.kbd_interactive_authentication
};
struct authmethod_cfg methodcfg_hostbased = {
	"hostbased",
	NULL,
	&options.hostbased_authentication
};

/* NULL-terminated table of every method the server knows about. */
static struct authmethod_cfg *authmethod_cfgs[] = {
	&methodcfg_none,
	&methodcfg_pubkey,
#ifdef GSSAPI
	&methodcfg_gssapi,
#endif
	&methodcfg_passwd,
	&methodcfg_kbdint,
	&methodcfg_hostbased,
	NULL
};

/*
 * Find the table entry whose primary name is exactly `name`.
 * Returns NULL when no entry matches.
 */
static const struct authmethod_cfg *
authmethod_cfg_lookup(const char *name)
{
	struct authmethod_cfg **cfgp;

	for (cfgp = authmethod_cfgs; *cfgp != NULL; cfgp++) {
		if (strcmp(name, (*cfgp)->name) == 0)
			return *cfgp;
	}
	return NULL;
}

/*
 * Check a comma-separated list of methods for validity. If need_enable is
 * non-zero, then also require that the methods are enabled.
 * Returns 0 on success or -1 if the methods list is invalid.
 *
 * Only the text before an optional ':' in each element is compared against
 * the method table; whatever follows the ':' is not validated here. An empty
 * list and an empty element (e.g. a doubled or trailing comma) are both
 * rejected. Failures are reported through error() before returning -1.
 */
int
auth2_methods_valid(const char *_methods, int need_enable)
{
	char *list, *cursor, *method, *colon;
	const struct authmethod_cfg *cfg;
	int ret = -1;

	if (*_methods == '\0') {
		error("empty authentication method list");
		return -1;
	}
	/* strsep() writes into its input, so work on a private copy. */
	cursor = list = xstrdup(_methods);
	while ((method = strsep(&cursor, ",")) != NULL) {
		/* Cut the element at the first ':' before matching names. */
		if ((colon = strchr(method, ':')) != NULL)
			*colon = '\0';
		if ((cfg = authmethod_cfg_lookup(method)) == NULL) {
			error("Unknown authentication method \"%s\" in list",
			    method);
			goto out;
		}
		/* A known method may still be switched off in the config. */
		if (need_enable &&
		    (cfg->enabled == NULL || *(cfg->enabled) == 0)) {
			error("Disabled method \"%s\" in "
			    "AuthenticationMethods list \"%s\"",
			    method, _methods);
			goto out;
		}
	}
	ret = 0;
 out:
	free(list);
	return ret;
}