summaryrefslogtreecommitdiff
path: root/auth.c
diff options
context:
space:
mode:
authorColin Watson <cjwatson@debian.org>2013-09-14 15:43:03 +0100
committerColin Watson <cjwatson@debian.org>2013-09-14 15:43:03 +0100
commit8faf8c84430cf3c19705b1d9f8889d256e7fd1fd (patch)
treee6cb74192adb00fda5e4d1457547851d7e0d86af /auth.c
parent328b60656f29db6306994d7498dede386ec2d1c3 (diff)
parentc41345ad7ee5a22689e2c009595e85fa27b4b39a (diff)
merge 6.3p1
Diffstat (limited to 'auth.c')
-rw-r--r--auth.c48
1 files changed, 36 insertions, 12 deletions
diff --git a/auth.c b/auth.c
index 6128fa460..9a36f1dac 100644
--- a/auth.c
+++ b/auth.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: auth.c,v 1.101 2013/02/06 00:22:21 dtucker Exp $ */ 1/* $OpenBSD: auth.c,v 1.103 2013/05/19 02:42:42 djm Exp $ */
2/* 2/*
3 * Copyright (c) 2000 Markus Friedl. All rights reserved. 3 * Copyright (c) 2000 Markus Friedl. All rights reserved.
4 * 4 *
@@ -72,6 +72,7 @@
72#include "authfile.h" 72#include "authfile.h"
73#include "monitor_wrap.h" 73#include "monitor_wrap.h"
74#include "krl.h" 74#include "krl.h"
75#include "compat.h"
75 76
76/* import */ 77/* import */
77extern ServerOptions options; 78extern ServerOptions options;
@@ -165,17 +166,17 @@ allowed_user(struct passwd * pw)
165 if (stat(shell, &st) != 0) { 166 if (stat(shell, &st) != 0) {
166 logit("User %.100s not allowed because shell %.100s " 167 logit("User %.100s not allowed because shell %.100s "
167 "does not exist", pw->pw_name, shell); 168 "does not exist", pw->pw_name, shell);
168 xfree(shell); 169 free(shell);
169 return 0; 170 return 0;
170 } 171 }
171 if (S_ISREG(st.st_mode) == 0 || 172 if (S_ISREG(st.st_mode) == 0 ||
172 (st.st_mode & (S_IXOTH|S_IXUSR|S_IXGRP)) == 0) { 173 (st.st_mode & (S_IXOTH|S_IXUSR|S_IXGRP)) == 0) {
173 logit("User %.100s not allowed because shell %.100s " 174 logit("User %.100s not allowed because shell %.100s "
174 "is not executable", pw->pw_name, shell); 175 "is not executable", pw->pw_name, shell);
175 xfree(shell); 176 free(shell);
176 return 0; 177 return 0;
177 } 178 }
178 xfree(shell); 179 free(shell);
179 } 180 }
180 181
181 if (options.num_deny_users > 0 || options.num_allow_users > 0 || 182 if (options.num_deny_users > 0 || options.num_allow_users > 0 ||
@@ -252,8 +253,25 @@ allowed_user(struct passwd * pw)
252} 253}
253 254
254void 255void
256auth_info(Authctxt *authctxt, const char *fmt, ...)
257{
258 va_list ap;
259 int i;
260
261 free(authctxt->info);
262 authctxt->info = NULL;
263
264 va_start(ap, fmt);
265 i = vasprintf(&authctxt->info, fmt, ap);
266 va_end(ap);
267
268 if (i < 0 || authctxt->info == NULL)
269 fatal("vasprintf failed");
270}
271
272void
255auth_log(Authctxt *authctxt, int authenticated, int partial, 273auth_log(Authctxt *authctxt, int authenticated, int partial,
256 const char *method, const char *submethod, const char *info) 274 const char *method, const char *submethod)
257{ 275{
258 void (*authlog) (const char *fmt,...) = verbose; 276 void (*authlog) (const char *fmt,...) = verbose;
259 char *authmsg; 277 char *authmsg;
@@ -275,7 +293,7 @@ auth_log(Authctxt *authctxt, int authenticated, int partial,
275 else 293 else
276 authmsg = authenticated ? "Accepted" : "Failed"; 294 authmsg = authenticated ? "Accepted" : "Failed";
277 295
278 authlog("%s %s%s%s for %s%.100s from %.200s port %d%s", 296 authlog("%s %s%s%s for %s%.100s from %.200s port %d %s%s%s",
279 authmsg, 297 authmsg,
280 method, 298 method,
281 submethod != NULL ? "/" : "", submethod == NULL ? "" : submethod, 299 submethod != NULL ? "/" : "", submethod == NULL ? "" : submethod,
@@ -283,7 +301,11 @@ auth_log(Authctxt *authctxt, int authenticated, int partial,
283 authctxt->user, 301 authctxt->user,
284 get_remote_ipaddr(), 302 get_remote_ipaddr(),
285 get_remote_port(), 303 get_remote_port(),
286 info); 304 compat20 ? "ssh2" : "ssh1",
305 authctxt->info != NULL ? ": " : "",
306 authctxt->info != NULL ? authctxt->info : "");
307 free(authctxt->info);
308 authctxt->info = NULL;
287 309
288#ifdef CUSTOM_FAILED_LOGIN 310#ifdef CUSTOM_FAILED_LOGIN
289 if (authenticated == 0 && !authctxt->postponed && 311 if (authenticated == 0 && !authctxt->postponed &&
@@ -355,7 +377,7 @@ expand_authorized_keys(const char *filename, struct passwd *pw)
355 i = snprintf(ret, sizeof(ret), "%s/%s", pw->pw_dir, file); 377 i = snprintf(ret, sizeof(ret), "%s/%s", pw->pw_dir, file);
356 if (i < 0 || (size_t)i >= sizeof(ret)) 378 if (i < 0 || (size_t)i >= sizeof(ret))
357 fatal("expand_authorized_keys: path too long"); 379 fatal("expand_authorized_keys: path too long");
358 xfree(file); 380 free(file);
359 return (xstrdup(ret)); 381 return (xstrdup(ret));
360} 382}
361 383
@@ -397,7 +419,7 @@ check_key_in_hostfiles(struct passwd *pw, Key *key, const char *host,
397 load_hostkeys(hostkeys, host, user_hostfile); 419 load_hostkeys(hostkeys, host, user_hostfile);
398 restore_uid(); 420 restore_uid();
399 } 421 }
400 xfree(user_hostfile); 422 free(user_hostfile);
401 } 423 }
402 host_status = check_key_in_hostkeys(hostkeys, key, &found); 424 host_status = check_key_in_hostkeys(hostkeys, key, &found);
403 if (host_status == HOST_REVOKED) 425 if (host_status == HOST_REVOKED)
@@ -666,7 +688,7 @@ auth_key_is_revoked(Key *key)
666 key_fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX); 688 key_fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
667 error("WARNING: authentication attempt with a revoked " 689 error("WARNING: authentication attempt with a revoked "
668 "%s key %s ", key_type(key), key_fp); 690 "%s key %s ", key_type(key), key_fp);
669 xfree(key_fp); 691 free(key_fp);
670 return 1; 692 return 1;
671 } 693 }
672 fatal("key_in_file returned junk"); 694 fatal("key_in_file returned junk");
@@ -697,7 +719,7 @@ auth_debug_send(void)
697 while (buffer_len(&auth_debug)) { 719 while (buffer_len(&auth_debug)) {
698 msg = buffer_get_string(&auth_debug, NULL); 720 msg = buffer_get_string(&auth_debug, NULL);
699 packet_send_debug("%s", msg); 721 packet_send_debug("%s", msg);
700 xfree(msg); 722 free(msg);
701 } 723 }
702} 724}
703 725
@@ -721,10 +743,12 @@ fakepw(void)
721 fake.pw_name = "NOUSER"; 743 fake.pw_name = "NOUSER";
722 fake.pw_passwd = 744 fake.pw_passwd =
723 "$2a$06$r3.juUaHZDlIbQaO2dS9FuYxL1W9M81R1Tc92PoSNmzvpEqLkLGrK"; 745 "$2a$06$r3.juUaHZDlIbQaO2dS9FuYxL1W9M81R1Tc92PoSNmzvpEqLkLGrK";
746#ifdef HAVE_STRUCT_PASSWD_PW_GECOS
724 fake.pw_gecos = "NOUSER"; 747 fake.pw_gecos = "NOUSER";
748#endif
725 fake.pw_uid = privsep_pw == NULL ? (uid_t)-1 : privsep_pw->pw_uid; 749 fake.pw_uid = privsep_pw == NULL ? (uid_t)-1 : privsep_pw->pw_uid;
726 fake.pw_gid = privsep_pw == NULL ? (gid_t)-1 : privsep_pw->pw_gid; 750 fake.pw_gid = privsep_pw == NULL ? (gid_t)-1 : privsep_pw->pw_gid;
727#ifdef HAVE_PW_CLASS_IN_PASSWD 751#ifdef HAVE_STRUCT_PASSWD_PW_CLASS
728 fake.pw_class = ""; 752 fake.pw_class = "";
729#endif 753#endif
730 fake.pw_dir = "/nonexist"; 754 fake.pw_dir = "/nonexist";