diff options
author | Colin Watson <cjwatson@debian.org> | 2013-09-14 15:43:03 +0100 |
---|---|---|
committer | Colin Watson <cjwatson@debian.org> | 2013-09-14 15:43:03 +0100 |
commit | 8faf8c84430cf3c19705b1d9f8889d256e7fd1fd (patch) | |
tree | e6cb74192adb00fda5e4d1457547851d7e0d86af /auth.c | |
parent | 328b60656f29db6306994d7498dede386ec2d1c3 (diff) | |
parent | c41345ad7ee5a22689e2c009595e85fa27b4b39a (diff) |
merge 6.3p1
Diffstat (limited to 'auth.c')
-rw-r--r-- | auth.c | 48 |
1 files changed, 36 insertions, 12 deletions
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: auth.c,v 1.101 2013/02/06 00:22:21 dtucker Exp $ */ | 1 | /* $OpenBSD: auth.c,v 1.103 2013/05/19 02:42:42 djm Exp $ */ |
2 | /* | 2 | /* |
3 | * Copyright (c) 2000 Markus Friedl. All rights reserved. | 3 | * Copyright (c) 2000 Markus Friedl. All rights reserved. |
4 | * | 4 | * |
@@ -72,6 +72,7 @@ | |||
72 | #include "authfile.h" | 72 | #include "authfile.h" |
73 | #include "monitor_wrap.h" | 73 | #include "monitor_wrap.h" |
74 | #include "krl.h" | 74 | #include "krl.h" |
75 | #include "compat.h" | ||
75 | 76 | ||
76 | /* import */ | 77 | /* import */ |
77 | extern ServerOptions options; | 78 | extern ServerOptions options; |
@@ -165,17 +166,17 @@ allowed_user(struct passwd * pw) | |||
165 | if (stat(shell, &st) != 0) { | 166 | if (stat(shell, &st) != 0) { |
166 | logit("User %.100s not allowed because shell %.100s " | 167 | logit("User %.100s not allowed because shell %.100s " |
167 | "does not exist", pw->pw_name, shell); | 168 | "does not exist", pw->pw_name, shell); |
168 | xfree(shell); | 169 | free(shell); |
169 | return 0; | 170 | return 0; |
170 | } | 171 | } |
171 | if (S_ISREG(st.st_mode) == 0 || | 172 | if (S_ISREG(st.st_mode) == 0 || |
172 | (st.st_mode & (S_IXOTH|S_IXUSR|S_IXGRP)) == 0) { | 173 | (st.st_mode & (S_IXOTH|S_IXUSR|S_IXGRP)) == 0) { |
173 | logit("User %.100s not allowed because shell %.100s " | 174 | logit("User %.100s not allowed because shell %.100s " |
174 | "is not executable", pw->pw_name, shell); | 175 | "is not executable", pw->pw_name, shell); |
175 | xfree(shell); | 176 | free(shell); |
176 | return 0; | 177 | return 0; |
177 | } | 178 | } |
178 | xfree(shell); | 179 | free(shell); |
179 | } | 180 | } |
180 | 181 | ||
181 | if (options.num_deny_users > 0 || options.num_allow_users > 0 || | 182 | if (options.num_deny_users > 0 || options.num_allow_users > 0 || |
@@ -252,8 +253,25 @@ allowed_user(struct passwd * pw) | |||
252 | } | 253 | } |
253 | 254 | ||
254 | void | 255 | void |
256 | auth_info(Authctxt *authctxt, const char *fmt, ...) | ||
257 | { | ||
258 | va_list ap; | ||
259 | int i; | ||
260 | |||
261 | free(authctxt->info); | ||
262 | authctxt->info = NULL; | ||
263 | |||
264 | va_start(ap, fmt); | ||
265 | i = vasprintf(&authctxt->info, fmt, ap); | ||
266 | va_end(ap); | ||
267 | |||
268 | if (i < 0 || authctxt->info == NULL) | ||
269 | fatal("vasprintf failed"); | ||
270 | } | ||
271 | |||
272 | void | ||
255 | auth_log(Authctxt *authctxt, int authenticated, int partial, | 273 | auth_log(Authctxt *authctxt, int authenticated, int partial, |
256 | const char *method, const char *submethod, const char *info) | 274 | const char *method, const char *submethod) |
257 | { | 275 | { |
258 | void (*authlog) (const char *fmt,...) = verbose; | 276 | void (*authlog) (const char *fmt,...) = verbose; |
259 | char *authmsg; | 277 | char *authmsg; |
@@ -275,7 +293,7 @@ auth_log(Authctxt *authctxt, int authenticated, int partial, | |||
275 | else | 293 | else |
276 | authmsg = authenticated ? "Accepted" : "Failed"; | 294 | authmsg = authenticated ? "Accepted" : "Failed"; |
277 | 295 | ||
278 | authlog("%s %s%s%s for %s%.100s from %.200s port %d%s", | 296 | authlog("%s %s%s%s for %s%.100s from %.200s port %d %s%s%s", |
279 | authmsg, | 297 | authmsg, |
280 | method, | 298 | method, |
281 | submethod != NULL ? "/" : "", submethod == NULL ? "" : submethod, | 299 | submethod != NULL ? "/" : "", submethod == NULL ? "" : submethod, |
@@ -283,7 +301,11 @@ auth_log(Authctxt *authctxt, int authenticated, int partial, | |||
283 | authctxt->user, | 301 | authctxt->user, |
284 | get_remote_ipaddr(), | 302 | get_remote_ipaddr(), |
285 | get_remote_port(), | 303 | get_remote_port(), |
286 | info); | 304 | compat20 ? "ssh2" : "ssh1", |
305 | authctxt->info != NULL ? ": " : "", | ||
306 | authctxt->info != NULL ? authctxt->info : ""); | ||
307 | free(authctxt->info); | ||
308 | authctxt->info = NULL; | ||
287 | 309 | ||
288 | #ifdef CUSTOM_FAILED_LOGIN | 310 | #ifdef CUSTOM_FAILED_LOGIN |
289 | if (authenticated == 0 && !authctxt->postponed && | 311 | if (authenticated == 0 && !authctxt->postponed && |
@@ -355,7 +377,7 @@ expand_authorized_keys(const char *filename, struct passwd *pw) | |||
355 | i = snprintf(ret, sizeof(ret), "%s/%s", pw->pw_dir, file); | 377 | i = snprintf(ret, sizeof(ret), "%s/%s", pw->pw_dir, file); |
356 | if (i < 0 || (size_t)i >= sizeof(ret)) | 378 | if (i < 0 || (size_t)i >= sizeof(ret)) |
357 | fatal("expand_authorized_keys: path too long"); | 379 | fatal("expand_authorized_keys: path too long"); |
358 | xfree(file); | 380 | free(file); |
359 | return (xstrdup(ret)); | 381 | return (xstrdup(ret)); |
360 | } | 382 | } |
361 | 383 | ||
@@ -397,7 +419,7 @@ check_key_in_hostfiles(struct passwd *pw, Key *key, const char *host, | |||
397 | load_hostkeys(hostkeys, host, user_hostfile); | 419 | load_hostkeys(hostkeys, host, user_hostfile); |
398 | restore_uid(); | 420 | restore_uid(); |
399 | } | 421 | } |
400 | xfree(user_hostfile); | 422 | free(user_hostfile); |
401 | } | 423 | } |
402 | host_status = check_key_in_hostkeys(hostkeys, key, &found); | 424 | host_status = check_key_in_hostkeys(hostkeys, key, &found); |
403 | if (host_status == HOST_REVOKED) | 425 | if (host_status == HOST_REVOKED) |
@@ -666,7 +688,7 @@ auth_key_is_revoked(Key *key) | |||
666 | key_fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX); | 688 | key_fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX); |
667 | error("WARNING: authentication attempt with a revoked " | 689 | error("WARNING: authentication attempt with a revoked " |
668 | "%s key %s ", key_type(key), key_fp); | 690 | "%s key %s ", key_type(key), key_fp); |
669 | xfree(key_fp); | 691 | free(key_fp); |
670 | return 1; | 692 | return 1; |
671 | } | 693 | } |
672 | fatal("key_in_file returned junk"); | 694 | fatal("key_in_file returned junk"); |
@@ -697,7 +719,7 @@ auth_debug_send(void) | |||
697 | while (buffer_len(&auth_debug)) { | 719 | while (buffer_len(&auth_debug)) { |
698 | msg = buffer_get_string(&auth_debug, NULL); | 720 | msg = buffer_get_string(&auth_debug, NULL); |
699 | packet_send_debug("%s", msg); | 721 | packet_send_debug("%s", msg); |
700 | xfree(msg); | 722 | free(msg); |
701 | } | 723 | } |
702 | } | 724 | } |
703 | 725 | ||
@@ -721,10 +743,12 @@ fakepw(void) | |||
721 | fake.pw_name = "NOUSER"; | 743 | fake.pw_name = "NOUSER"; |
722 | fake.pw_passwd = | 744 | fake.pw_passwd = |
723 | "$2a$06$r3.juUaHZDlIbQaO2dS9FuYxL1W9M81R1Tc92PoSNmzvpEqLkLGrK"; | 745 | "$2a$06$r3.juUaHZDlIbQaO2dS9FuYxL1W9M81R1Tc92PoSNmzvpEqLkLGrK"; |
746 | #ifdef HAVE_STRUCT_PASSWD_PW_GECOS | ||
724 | fake.pw_gecos = "NOUSER"; | 747 | fake.pw_gecos = "NOUSER"; |
748 | #endif | ||
725 | fake.pw_uid = privsep_pw == NULL ? (uid_t)-1 : privsep_pw->pw_uid; | 749 | fake.pw_uid = privsep_pw == NULL ? (uid_t)-1 : privsep_pw->pw_uid; |
726 | fake.pw_gid = privsep_pw == NULL ? (gid_t)-1 : privsep_pw->pw_gid; | 750 | fake.pw_gid = privsep_pw == NULL ? (gid_t)-1 : privsep_pw->pw_gid; |
727 | #ifdef HAVE_PW_CLASS_IN_PASSWD | 751 | #ifdef HAVE_STRUCT_PASSWD_PW_CLASS |
728 | fake.pw_class = ""; | 752 | fake.pw_class = ""; |
729 | #endif | 753 | #endif |
730 | fake.pw_dir = "/nonexist"; | 754 | fake.pw_dir = "/nonexist"; |