author | djm@openbsd.org <djm@openbsd.org> | 2019-01-19 21:41:18 +0000 |
---|---|---|
committer | Damien Miller <djm@mindrot.org> | 2019-01-20 09:45:17 +1100 |
commit | 3a00a921590d4c4b7e96df11bb10e6f9253ad45e (patch) | |
tree | 24186d71a6a77de7e303af919a4be64f2c7461bf | |
parent | 7ec5cb4d15ed2f2c5c9f5d00e6b361d136fc1e2d (diff) |
upstream: convert auth.c to new packet API
with & ok markus@
OpenBSD-Commit-ID: 7e10359f614ff522b52a3f05eec576257794e8e4
-rw-r--r-- | auth.c | 26 | ||||
-rw-r--r-- | auth.h | 12 | ||||
-rw-r--r-- | auth2.c | 8 | ||||
-rw-r--r-- | monitor.c | 8 | ||||
-rw-r--r-- | monitor_wrap.c | 5 | ||||
-rw-r--r-- | monitor_wrap.h | 5 | ||||
-rw-r--r-- | session.c | 4 |
7 files changed, 31 insertions, 37 deletions
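--- a/auth.c
+++ b/auth.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth.c,v 1.137 2019/01/19 21:37:48 djm Exp $ */
+/* $OpenBSD: auth.c,v 1.138 2019/01/19 21:41:18 djm Exp $ */
 /*
 * Copyright (c) 2000 Markus Friedl. All rights reserved.
 *
@@ -77,9 +77,6 @@
 #include "compat.h"
 #include "channels.h"
 
-#include "opacket.h" /* XXX */
-extern struct ssh *active_state; /* XXX */
-
 /* import */
 extern ServerOptions options;
 extern int use_privsep;
@@ -100,9 +97,8 @@ static struct sshbuf *auth_debug;
 * Otherwise true is returned.
 */
 int
-allowed_user(struct passwd * pw)
+allowed_user(struct ssh *ssh, struct passwd * pw)
 {
-struct ssh *ssh = active_state; /* XXX */
 struct stat st;
 const char *hostname = NULL, *ipaddr = NULL, *passwd = NULL;
 u_int i;
@@ -312,10 +308,10 @@ format_method_key(Authctxt *authctxt)
 }
 
 void
-auth_log(Authctxt *authctxt, int authenticated, int partial,
+auth_log(struct ssh *ssh, int authenticated, int partial,
 const char *method, const char *submethod)
 {
-struct ssh *ssh = active_state; /* XXX */
+Authctxt *authctxt = (Authctxt *)ssh->authctxt;
 int level = SYSLOG_LEVEL_VERBOSE;
 const char *authmsg;
 char *extra = NULL;
@@ -377,9 +373,9 @@ auth_log(Authctxt *authctxt, int authenticated, int partial,
 
 
 void
-auth_maxtries_exceeded(Authctxt *authctxt)
+auth_maxtries_exceeded(struct ssh *ssh)
 {
-struct ssh *ssh = active_state; /* XXX */
+Authctxt *authctxt = (Authctxt *)ssh->authctxt;
 
 error("maximum authentication attempts exceeded for "
 "%s%.100s from %.200s port %d ssh2",
@@ -387,7 +383,7 @@ auth_maxtries_exceeded(Authctxt *authctxt)
 authctxt->user,
 ssh_remote_ipaddr(ssh),
 ssh_remote_port(ssh));
-packet_disconnect("Too many authentication failures");
+ssh_packet_disconnect(ssh, "Too many authentication failures");
 /* NOTREACHED */
 }
 
@@ -562,9 +558,8 @@ auth_openprincipals(const char *file, struct passwd *pw, int strict_modes)
 }
 
 struct passwd *
-getpwnamallow(const char *user)
+getpwnamallow(struct ssh *ssh, const char *user)
 {
-struct ssh *ssh = active_state; /* XXX */
 #ifdef HAVE_LOGIN_CAP
 extern login_cap_t *lc;
 #ifdef BSD_AUTH
@@ -614,7 +609,7 @@ getpwnamallow(const char *user)
 #endif /* SSH_AUDIT_EVENTS */
 return (NULL);
 }
-if (!allowed_user(pw))
+if (!allowed_user(ssh, pw))
 return (NULL);
 #ifdef HAVE_LOGIN_CAP
 if ((lc = login_getclass(pw->pw_class)) == NULL) {
@@ -693,9 +688,8 @@ auth_debug_add(const char *fmt,...)
 }
 
 void
-auth_debug_send(void)
+auth_debug_send(struct ssh *ssh)
 {
-struct ssh *ssh = active_state; /* XXX */
 char *msg;
 int r;
 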
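Review bot: auth_log() and auth_maxtries_exceeded() (the hunks at old lines 318 and 382) now obtain their Authctxt by dereferencing `ssh->authctxt` unconditionally, whereas the previous signatures made each caller hand over its context explicitly; the cast suggests the field is an untyped pointer, so the compiler will not catch a caller that never stored one. That is only correct if every caller — the unprivileged child and, as of this commit, the monitor in monitor.c — has assigned ssh->authctxt before the first call, which none of these hunks show; both function bodies also continue outside the hunk. Suggest documenting the precondition at both definitions, e.g. `/* Authctxt is taken from ssh->authctxt; every caller (auth2.c and monitor.c) must set it before calling */`, or failing loudly with `if (authctxt == NULL) fatal("%s: no authctxt", __func__);` before the first field access, since auth_maxtries_exceeded() reads authctxt->user for its log line on the disconnect path.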
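--- a/auth.h
+++ b/auth.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth.h,v 1.97 2019/01/19 21:38:24 djm Exp $ */
+/* $OpenBSD: auth.h,v 1.98 2019/01/19 21:41:18 djm Exp $ */
 
 /*
 * Copyright (c) 2000 Markus Friedl. All rights reserved.
@@ -168,8 +168,8 @@ void remove_kbdint_device(const char *);
 
 void do_authentication2(struct ssh *);
 
-void auth_log(Authctxt *, int, int, const char *, const char *);
-void auth_maxtries_exceeded(Authctxt *) __attribute__((noreturn));
+void auth_log(struct ssh *, int, int, const char *, const char *);
+void auth_maxtries_exceeded(struct ssh *) __attribute__((noreturn));
 void userauth_finish(struct ssh *, int, const char *, const char *);
 int auth_root_allowed(struct ssh *, const char *);
 
@@ -186,8 +186,8 @@ void auth2_challenge_stop(struct ssh *);
 int bsdauth_query(void *, char **, char **, u_int *, char ***, u_int **);
 int bsdauth_respond(void *, u_int, char **);
 
-int allowed_user(struct passwd *);
-struct passwd * getpwnamallow(const char *user);
+int allowed_user(struct ssh *, struct passwd *);
+struct passwd * getpwnamallow(struct ssh *, const char *user);
 
 char *expand_authorized_keys(const char *, struct passwd *pw);
 char *authorized_principals_file(struct passwd *);
@@ -222,7 +222,7 @@ void auth_log_authopts(const char *, const struct sshauthopt *, int);
 /* debug messages during authentication */
 void auth_debug_add(const char *fmt,...)
 __attribute__((format(printf, 1, 2)));
-void auth_debug_send(void);
+void auth_debug_send(struct ssh *);
 void auth_debug_reset(void);
 
 struct passwd *fakepw(void);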
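Review bot: The rewritten prototype at new line 190, `struct passwd * getpwnamallow(struct ssh *, const char *user);`, leaves the first parameter unnamed while keeping the name on the second, and keeps the space between `*` and the function name that none of the neighbouring declarations use. Since the line is being touched anyway, it would read consistently as `struct passwd *getpwnamallow(struct ssh *, const char *);`, which also matches the form of the mm_getpwnamallow prototype this commit changes in monitor_wrap.h. The same mixed naming exists on the unchanged `expand_authorized_keys` line two below, so a one-pass cleanup of this block would be reasonable.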
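--- a/auth2.c
+++ b/auth2.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth2.c,v 1.153 2019/01/19 21:38:24 djm Exp $ */
+/* $OpenBSD: auth2.c,v 1.154 2019/01/19 21:41:18 djm Exp $ */
 /*
 * Copyright (c) 2000 Markus Friedl. All rights reserved.
 *
@@ -284,7 +284,7 @@ input_userauth_request(int type, u_int32_t seq, struct ssh *ssh)
 
 if (authctxt->attempt++ == 0) {
 /* setup auth context */
-authctxt->pw = PRIVSEP(getpwnamallow(user));
+authctxt->pw = PRIVSEP(getpwnamallow(ssh, user));
 authctxt->user = xstrdup(user);
 if (authctxt->pw && strcmp(service, "ssh-connection")==0) {
 authctxt->valid = 1;
@@ -381,7 +381,7 @@ userauth_finish(struct ssh *ssh, int authenticated, const char *method,
 }
 
 /* Log before sending the reply */
-auth_log(authctxt, authenticated, partial, method, submethod);
+auth_log(ssh, authenticated, partial, method, submethod);
 
 /* Update information exposed to session */
 if (authenticated || partial)
@@ -429,7 +429,7 @@ userauth_finish(struct ssh *ssh, int authenticated, const char *method,
 #ifdef SSH_AUDIT_EVENTS
 PRIVSEP(audit_event(SSH_LOGIN_EXCEED_MAXTRIES));
 #endif
-auth_maxtries_exceeded(authctxt);
+auth_maxtries_exceeded(ssh);
 }
 methods = authmethods_get(authctxt);
 debug3("%s: failure partial=%d next methods=\"%s\"", __func__,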
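--- a/monitor.c
+++ b/monitor.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: monitor.c,v 1.189 2019/01/19 21:31:32 djm Exp $ */
+/* $OpenBSD: monitor.c,v 1.190 2019/01/19 21:41:18 djm Exp $ */
 /*
 * Copyright 2002 Niels Provos <provos@citi.umich.edu>
 * Copyright 2002 Markus Friedl <markus@openbsd.org>
@@ -338,7 +338,7 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor)
 #endif
 }
 if (ent->flags & (MON_AUTHDECIDE|MON_ALOG)) {
-auth_log(authctxt, authenticated, partial,
+auth_log(ssh, authenticated, partial,
 auth_method, auth_submethod);
 if (!partial && !authenticated)
 authctxt->failures++;
@@ -729,7 +729,7 @@ mm_answer_pwnamallow(int sock, struct sshbuf *m)
 if ((r = sshbuf_get_cstring(m, &username, NULL)) != 0)
 fatal("%s: buffer error: %s", __func__, ssh_err(r));
 
-pwent = getpwnamallow(username);
+pwent = getpwnamallow(ssh, username);
 
 authctxt->user = xstrdup(username);
 setproctitle("%s [priv]", pwent ? username : "unknown");
@@ -1230,7 +1230,7 @@ mm_answer_keyallowed(int sock, struct sshbuf *m)
 hostbased_chost = chost;
 } else {
 /* Log failed attempt */
-auth_log(authctxt, 0, 0, auth_method, NULL);
+auth_log(ssh, 0, 0, auth_method, NULL);
 free(cuser);
 free(chost);
 }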
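Review bot: The new `auth_log(ssh, authenticated, partial, ...)` call at line 341 in monitor_child_preauth() discards the `authctxt` pointer this function already holds (it is still used on the next lines for `authctxt->failures++`) and instead lets auth_log() fetch the context from ssh->authctxt; the same applies to the failed-attempt log at line 1233 in mm_answer_keyallowed(). Both are only equivalent if the monitor stores its Authctxt into ssh->authctxt before these points — presumably where monitor_child_preauth() receives `_authctxt`, which is outside the hunk — otherwise the monitor would log the authentication decision through a context that was never set. Since the monitor is the process that records the authoritative auth_log line, a short comment where the assignment happens, e.g. `/* auth_log() and auth_maxtries_exceeded() read the context from ssh->authctxt */`, would tie the two together for the next reader. Both enclosing functions start and end outside their hunks.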
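diff --git a/monitor_wrap.c b/monitor_wrap.c
index 6ceaa3716..5db8a0a9c 100644
--- a/monitor_wrap.c
+++ b/monitor_wrap.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: monitor_wrap.c,v 1.108 2019/01/19 21:31:32 djm Exp $ */
+/* $OpenBSD: monitor_wrap.c,v 1.109 2019/01/19 21:41:18 djm Exp $ */
 /*
 * Copyright 2002 Niels Provos <provos@citi.umich.edu>
 * Copyright 2002 Markus Friedl <markus@openbsd.org>
@@ -251,9 +251,8 @@ mm_sshkey_sign(struct sshkey *key, u_char **sigp, size_t *lenp,
 }
 
 struct passwd *
-mm_getpwnamallow(const char *username)
+mm_getpwnamallow(struct ssh *ssh, const char *username)
 {
-struct ssh *ssh = active_state; /* XXX */
 struct sshbuf *m;
 struct passwd *pw;
 size_t len;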
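diff --git a/monitor_wrap.h b/monitor_wrap.h
index 644da081d..19c58e486 100644
--- a/monitor_wrap.h
+++ b/monitor_wrap.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: monitor_wrap.h,v 1.38 2018/07/11 18:53:29 markus Exp $ */
+/* $OpenBSD: monitor_wrap.h,v 1.39 2019/01/19 21:41:18 djm Exp $ */
 
 /*
 * Copyright 2002 Niels Provos <provos@citi.umich.edu>
@@ -33,6 +33,7 @@ extern int use_privsep;
 
 enum mm_keytype { MM_NOKEY, MM_HOSTKEY, MM_USERKEY };
 
+struct ssh;
 struct monitor;
 struct Authctxt;
 struct sshkey;
@@ -44,7 +45,7 @@ DH *mm_choose_dh(int, int, int);
 int mm_sshkey_sign(struct sshkey *, u_char **, size_t *, const u_char *, size_t,
 const char *, u_int compat);
 void mm_inform_authserv(char *, char *);
-struct passwd *mm_getpwnamallow(const char *);
+struct passwd *mm_getpwnamallow(struct ssh *, const char *);
 char *mm_auth2_read_banner(void);
 int mm_auth_password(struct ssh *, char *);
 int mm_key_allowed(enum mm_keytype, const char *, const char *, struct sshkey *,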
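--- a/session.c
+++ b/session.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: session.c,v 1.310 2019/01/19 21:31:32 djm Exp $ */
+/* $OpenBSD: session.c,v 1.311 2019/01/19 21:41:18 djm Exp $ */
 /*
 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
 * All rights reserved
@@ -362,7 +362,7 @@ do_authenticated(struct ssh *ssh, Authctxt *authctxt)
 else
 channel_permit_all(ssh, FORWARD_REMOTE);
 }
-auth_debug_send();
+auth_debug_send(ssh);
 
 prepare_auth_info_file(authctxt->pw, authctxt->session_info);
 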