diff options
| author | Colin Watson <cjwatson@debian.org> | 2013-09-14 23:42:11 +0100 |
|---|---|---|
| committer | Colin Watson <cjwatson@debian.org> | 2013-09-14 23:42:11 +0100 |
| commit | 327155e6824b3ee13837bdde04e4eb47e147ff46 (patch) | |
| tree | 8f8743122403c7a2e6ed919156711fb1520c657f /auth.c | |
| parent | 0334ce32304e9ba2a10ee5ca49ca6e8ff3ba6cf4 (diff) | |
| parent | 74e339b8f8936bc0d985e053a076d0c9b5e9ea51 (diff) | |
* New upstream release (http://www.openssh.com/txt/release-6.3).
- sftp(1): add support for resuming partial downloads using the "reget"
command and on the sftp commandline or on the "get" commandline using
the "-a" (append) option (closes: #158590).
- ssh(1): add an "IgnoreUnknown" configuration option to selectively
suppress errors arising from unknown configuration directives (closes:
#436052).
- sftp(1): update progressmeter when data is acknowledged, not when it's
sent (partially addresses #708372).
- ssh(1): do not fatally exit when attempting to cleanup multiplexing-
created channels that are incompletely opened (closes: #651357).
Diffstat (limited to 'auth.c')
| -rw-r--r-- | auth.c | 52 |
1 files changed, 38 insertions, 14 deletions
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: auth.c,v 1.101 2013/02/06 00:22:21 dtucker Exp $ */ | 1 | /* $OpenBSD: auth.c,v 1.103 2013/05/19 02:42:42 djm Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Copyright (c) 2000 Markus Friedl. All rights reserved. | 3 | * Copyright (c) 2000 Markus Friedl. All rights reserved. |
| 4 | * | 4 | * |
| @@ -73,6 +73,7 @@ | |||
| 73 | #include "authfile.h" | 73 | #include "authfile.h" |
| 74 | #include "monitor_wrap.h" | 74 | #include "monitor_wrap.h" |
| 75 | #include "krl.h" | 75 | #include "krl.h" |
| 76 | #include "compat.h" | ||
| 76 | 77 | ||
| 77 | /* import */ | 78 | /* import */ |
| 78 | extern ServerOptions options; | 79 | extern ServerOptions options; |
| @@ -166,17 +167,17 @@ allowed_user(struct passwd * pw) | |||
| 166 | if (stat(shell, &st) != 0) { | 167 | if (stat(shell, &st) != 0) { |
| 167 | logit("User %.100s not allowed because shell %.100s " | 168 | logit("User %.100s not allowed because shell %.100s " |
| 168 | "does not exist", pw->pw_name, shell); | 169 | "does not exist", pw->pw_name, shell); |
| 169 | xfree(shell); | 170 | free(shell); |
| 170 | return 0; | 171 | return 0; |
| 171 | } | 172 | } |
| 172 | if (S_ISREG(st.st_mode) == 0 || | 173 | if (S_ISREG(st.st_mode) == 0 || |
| 173 | (st.st_mode & (S_IXOTH|S_IXUSR|S_IXGRP)) == 0) { | 174 | (st.st_mode & (S_IXOTH|S_IXUSR|S_IXGRP)) == 0) { |
| 174 | logit("User %.100s not allowed because shell %.100s " | 175 | logit("User %.100s not allowed because shell %.100s " |
| 175 | "is not executable", pw->pw_name, shell); | 176 | "is not executable", pw->pw_name, shell); |
| 176 | xfree(shell); | 177 | free(shell); |
| 177 | return 0; | 178 | return 0; |
| 178 | } | 179 | } |
| 179 | xfree(shell); | 180 | free(shell); |
| 180 | } | 181 | } |
| 181 | 182 | ||
| 182 | if (options.num_deny_users > 0 || options.num_allow_users > 0 || | 183 | if (options.num_deny_users > 0 || options.num_allow_users > 0 || |
| @@ -253,8 +254,25 @@ allowed_user(struct passwd * pw) | |||
| 253 | } | 254 | } |
| 254 | 255 | ||
| 255 | void | 256 | void |
| 257 | auth_info(Authctxt *authctxt, const char *fmt, ...) | ||
| 258 | { | ||
| 259 | va_list ap; | ||
| 260 | int i; | ||
| 261 | |||
| 262 | free(authctxt->info); | ||
| 263 | authctxt->info = NULL; | ||
| 264 | |||
| 265 | va_start(ap, fmt); | ||
| 266 | i = vasprintf(&authctxt->info, fmt, ap); | ||
| 267 | va_end(ap); | ||
| 268 | |||
| 269 | if (i < 0 || authctxt->info == NULL) | ||
| 270 | fatal("vasprintf failed"); | ||
| 271 | } | ||
| 272 | |||
| 273 | void | ||
| 256 | auth_log(Authctxt *authctxt, int authenticated, int partial, | 274 | auth_log(Authctxt *authctxt, int authenticated, int partial, |
| 257 | const char *method, const char *submethod, const char *info) | 275 | const char *method, const char *submethod) |
| 258 | { | 276 | { |
| 259 | void (*authlog) (const char *fmt,...) = verbose; | 277 | void (*authlog) (const char *fmt,...) = verbose; |
| 260 | char *authmsg; | 278 | char *authmsg; |
| @@ -276,7 +294,7 @@ auth_log(Authctxt *authctxt, int authenticated, int partial, | |||
| 276 | else | 294 | else |
| 277 | authmsg = authenticated ? "Accepted" : "Failed"; | 295 | authmsg = authenticated ? "Accepted" : "Failed"; |
| 278 | 296 | ||
| 279 | authlog("%s %s%s%s for %s%.100s from %.200s port %d%s", | 297 | authlog("%s %s%s%s for %s%.100s from %.200s port %d %s%s%s", |
| 280 | authmsg, | 298 | authmsg, |
| 281 | method, | 299 | method, |
| 282 | submethod != NULL ? "/" : "", submethod == NULL ? "" : submethod, | 300 | submethod != NULL ? "/" : "", submethod == NULL ? "" : submethod, |
| @@ -284,7 +302,11 @@ auth_log(Authctxt *authctxt, int authenticated, int partial, | |||
| 284 | authctxt->user, | 302 | authctxt->user, |
| 285 | get_remote_ipaddr(), | 303 | get_remote_ipaddr(), |
| 286 | get_remote_port(), | 304 | get_remote_port(), |
| 287 | info); | 305 | compat20 ? "ssh2" : "ssh1", |
| 306 | authctxt->info != NULL ? ": " : "", | ||
| 307 | authctxt->info != NULL ? authctxt->info : ""); | ||
| 308 | free(authctxt->info); | ||
| 309 | authctxt->info = NULL; | ||
| 288 | 310 | ||
| 289 | #ifdef CUSTOM_FAILED_LOGIN | 311 | #ifdef CUSTOM_FAILED_LOGIN |
| 290 | if (authenticated == 0 && !authctxt->postponed && | 312 | if (authenticated == 0 && !authctxt->postponed && |
| @@ -356,7 +378,7 @@ expand_authorized_keys(const char *filename, struct passwd *pw) | |||
| 356 | i = snprintf(ret, sizeof(ret), "%s/%s", pw->pw_dir, file); | 378 | i = snprintf(ret, sizeof(ret), "%s/%s", pw->pw_dir, file); |
| 357 | if (i < 0 || (size_t)i >= sizeof(ret)) | 379 | if (i < 0 || (size_t)i >= sizeof(ret)) |
| 358 | fatal("expand_authorized_keys: path too long"); | 380 | fatal("expand_authorized_keys: path too long"); |
| 359 | xfree(file); | 381 | free(file); |
| 360 | return (xstrdup(ret)); | 382 | return (xstrdup(ret)); |
| 361 | } | 383 | } |
| 362 | 384 | ||
| @@ -397,7 +419,7 @@ check_key_in_hostfiles(struct passwd *pw, Key *key, const char *host, | |||
| 397 | load_hostkeys(hostkeys, host, user_hostfile); | 419 | load_hostkeys(hostkeys, host, user_hostfile); |
| 398 | restore_uid(); | 420 | restore_uid(); |
| 399 | } | 421 | } |
| 400 | xfree(user_hostfile); | 422 | free(user_hostfile); |
| 401 | } | 423 | } |
| 402 | host_status = check_key_in_hostkeys(hostkeys, key, &found); | 424 | host_status = check_key_in_hostkeys(hostkeys, key, &found); |
| 403 | if (host_status == HOST_REVOKED) | 425 | if (host_status == HOST_REVOKED) |
| @@ -647,7 +669,7 @@ auth_key_is_revoked(Key *key, int hostkey) | |||
| 647 | logit("Public key %s from %s blacklisted (see " | 669 | logit("Public key %s from %s blacklisted (see " |
| 648 | "ssh-vulnkey(1)); continuing anyway", | 670 | "ssh-vulnkey(1)); continuing anyway", |
| 649 | key_fp, get_remote_ipaddr()); | 671 | key_fp, get_remote_ipaddr()); |
| 650 | xfree(key_fp); | 672 | free(key_fp); |
| 651 | } else { | 673 | } else { |
| 652 | if (hostkey) | 674 | if (hostkey) |
| 653 | error("Host key %s blacklisted (see " | 675 | error("Host key %s blacklisted (see " |
| @@ -656,7 +678,7 @@ auth_key_is_revoked(Key *key, int hostkey) | |||
| 656 | logit("Public key %s from %s blacklisted (see " | 678 | logit("Public key %s from %s blacklisted (see " |
| 657 | "ssh-vulnkey(1))", | 679 | "ssh-vulnkey(1))", |
| 658 | key_fp, get_remote_ipaddr()); | 680 | key_fp, get_remote_ipaddr()); |
| 659 | xfree(key_fp); | 681 | free(key_fp); |
| 660 | return 1; | 682 | return 1; |
| 661 | } | 683 | } |
| 662 | } | 684 | } |
| @@ -688,7 +710,7 @@ auth_key_is_revoked(Key *key, int hostkey) | |||
| 688 | key_fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX); | 710 | key_fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX); |
| 689 | error("WARNING: authentication attempt with a revoked " | 711 | error("WARNING: authentication attempt with a revoked " |
| 690 | "%s key %s ", key_type(key), key_fp); | 712 | "%s key %s ", key_type(key), key_fp); |
| 691 | xfree(key_fp); | 713 | free(key_fp); |
| 692 | return 1; | 714 | return 1; |
| 693 | } | 715 | } |
| 694 | fatal("key_in_file returned junk"); | 716 | fatal("key_in_file returned junk"); |
| @@ -719,7 +741,7 @@ auth_debug_send(void) | |||
| 719 | while (buffer_len(&auth_debug)) { | 741 | while (buffer_len(&auth_debug)) { |
| 720 | msg = buffer_get_string(&auth_debug, NULL); | 742 | msg = buffer_get_string(&auth_debug, NULL); |
| 721 | packet_send_debug("%s", msg); | 743 | packet_send_debug("%s", msg); |
| 722 | xfree(msg); | 744 | free(msg); |
| 723 | } | 745 | } |
| 724 | } | 746 | } |
| 725 | 747 | ||
| @@ -743,10 +765,12 @@ fakepw(void) | |||
| 743 | fake.pw_name = "NOUSER"; | 765 | fake.pw_name = "NOUSER"; |
| 744 | fake.pw_passwd = | 766 | fake.pw_passwd = |
| 745 | "$2a$06$r3.juUaHZDlIbQaO2dS9FuYxL1W9M81R1Tc92PoSNmzvpEqLkLGrK"; | 767 | "$2a$06$r3.juUaHZDlIbQaO2dS9FuYxL1W9M81R1Tc92PoSNmzvpEqLkLGrK"; |
| 768 | #ifdef HAVE_STRUCT_PASSWD_PW_GECOS | ||
| 746 | fake.pw_gecos = "NOUSER"; | 769 | fake.pw_gecos = "NOUSER"; |
| 770 | #endif | ||
| 747 | fake.pw_uid = privsep_pw == NULL ? (uid_t)-1 : privsep_pw->pw_uid; | 771 | fake.pw_uid = privsep_pw == NULL ? (uid_t)-1 : privsep_pw->pw_uid; |
| 748 | fake.pw_gid = privsep_pw == NULL ? (gid_t)-1 : privsep_pw->pw_gid; | 772 | fake.pw_gid = privsep_pw == NULL ? (gid_t)-1 : privsep_pw->pw_gid; |
| 749 | #ifdef HAVE_PW_CLASS_IN_PASSWD | 773 | #ifdef HAVE_STRUCT_PASSWD_PW_CLASS |
| 750 | fake.pw_class = ""; | 774 | fake.pw_class = ""; |
| 751 | #endif | 775 | #endif |
| 752 | fake.pw_dir = "/nonexist"; | 776 | fake.pw_dir = "/nonexist"; |