diff options
| author | Damien Miller <djm@mindrot.org> | 2002-03-13 13:19:42 +1100 |
|---|---|---|
| committer | Damien Miller <djm@mindrot.org> | 2002-03-13 13:19:42 +1100 |
| commit | 3a5b0233306a3db3a5db5b9ddc187c55e9b251f4 (patch) | |
| tree | 86478addb63771a9a1be0e13cfbdea9f964f963a /auth2.c | |
| parent | 3225fb454d0e79cf6f824dd00ff478749620277b (diff) | |
Stupid djm commits experimental code to head instead of branch
revert
Diffstat (limited to 'auth2.c')
| -rw-r--r-- | auth2.c | 119 |
1 files changed, 39 insertions, 80 deletions
| @@ -51,13 +51,8 @@ RCSID("$OpenBSD: auth2.c,v 1.85 2002/02/24 19:14:59 markus Exp $"); | |||
| 51 | #include "hostfile.h" | 51 | #include "hostfile.h" |
| 52 | #include "canohost.h" | 52 | #include "canohost.h" |
| 53 | #include "match.h" | 53 | #include "match.h" |
| 54 | #include "monitor.h" | ||
| 55 | #include "monitor_wrap.h" | ||
| 56 | 54 | ||
| 57 | /* import */ | 55 | /* import */ |
| 58 | extern int use_privsep; | ||
| 59 | extern int mm_recvfd; | ||
| 60 | |||
| 61 | extern ServerOptions options; | 56 | extern ServerOptions options; |
| 62 | extern u_char *session_id2; | 57 | extern u_char *session_id2; |
| 63 | extern int session_id2_len; | 58 | extern int session_id2_len; |
| @@ -80,8 +75,8 @@ static void input_userauth_request(int, u_int32_t, void *); | |||
| 80 | /* helper */ | 75 | /* helper */ |
| 81 | static Authmethod *authmethod_lookup(const char *); | 76 | static Authmethod *authmethod_lookup(const char *); |
| 82 | static char *authmethods_get(void); | 77 | static char *authmethods_get(void); |
| 83 | int user_key_allowed(struct passwd *, Key *); | 78 | static int user_key_allowed(struct passwd *, Key *); |
| 84 | int hostbased_key_allowed(struct passwd *, const char *, char *, Key *); | 79 | static int hostbased_key_allowed(struct passwd *, const char *, char *, Key *); |
| 85 | 80 | ||
| 86 | /* auth */ | 81 | /* auth */ |
| 87 | static void userauth_banner(void); | 82 | static void userauth_banner(void); |
| @@ -114,7 +109,7 @@ Authmethod authmethods[] = { | |||
| 114 | * loop until authctxt->success == TRUE | 109 | * loop until authctxt->success == TRUE |
| 115 | */ | 110 | */ |
| 116 | 111 | ||
| 117 | Authctxt * | 112 | void |
| 118 | do_authentication2(void) | 113 | do_authentication2(void) |
| 119 | { | 114 | { |
| 120 | Authctxt *authctxt = authctxt_new(); | 115 | Authctxt *authctxt = authctxt_new(); |
| @@ -130,8 +125,7 @@ do_authentication2(void) | |||
| 130 | dispatch_init(&dispatch_protocol_error); | 125 | dispatch_init(&dispatch_protocol_error); |
| 131 | dispatch_set(SSH2_MSG_SERVICE_REQUEST, &input_service_request); | 126 | dispatch_set(SSH2_MSG_SERVICE_REQUEST, &input_service_request); |
| 132 | dispatch_run(DISPATCH_BLOCK, &authctxt->success, authctxt); | 127 | dispatch_run(DISPATCH_BLOCK, &authctxt->success, authctxt); |
| 133 | 128 | do_authenticated(authctxt); | |
| 134 | return(authctxt); | ||
| 135 | } | 129 | } |
| 136 | 130 | ||
| 137 | static void | 131 | static void |
| @@ -188,15 +182,10 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt) | |||
| 188 | *style++ = 0; | 182 | *style++ = 0; |
| 189 | 183 | ||
| 190 | if (authctxt->attempt++ == 0) { | 184 | if (authctxt->attempt++ == 0) { |
| 191 | /* setup auth context */ | 185 | /* setup auth context */ |
| 192 | int allowed; | ||
| 193 | struct passwd *pw = NULL; | 186 | struct passwd *pw = NULL; |
| 194 | if (!use_privsep) { | 187 | pw = getpwnam(user); |
| 195 | pw = getpwnam(user); | 188 | if (pw && allowed_user(pw) && strcmp(service, "ssh-connection")==0) { |
| 196 | allowed = pw ? allowed_user(pw) : 0; | ||
| 197 | } else | ||
| 198 | pw = mm_getpwnamallow(mm_recvfd, user, &allowed); | ||
| 199 | if (pw && allowed && strcmp(service, "ssh-connection")==0) { | ||
| 200 | authctxt->pw = pwcopy(pw); | 189 | authctxt->pw = pwcopy(pw); |
| 201 | authctxt->valid = 1; | 190 | authctxt->valid = 1; |
| 202 | debug2("input_userauth_request: setting up authctxt for %s", user); | 191 | debug2("input_userauth_request: setting up authctxt for %s", user); |
| @@ -209,18 +198,10 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt) | |||
| 209 | start_pam("NOUSER"); | 198 | start_pam("NOUSER"); |
| 210 | #endif | 199 | #endif |
| 211 | } | 200 | } |
| 212 | /* Free memory */ | 201 | setproctitle("%s", pw ? user : "unknown"); |
| 213 | if (use_privsep) | ||
| 214 | pwfree(pw); | ||
| 215 | |||
| 216 | setproctitle("%s%s", use_privsep ? " [net]" : "", | ||
| 217 | pw ? user : "unknown"); | ||
| 218 | authctxt->user = xstrdup(user); | 202 | authctxt->user = xstrdup(user); |
| 219 | authctxt->service = xstrdup(service); | 203 | authctxt->service = xstrdup(service); |
| 220 | authctxt->style = style ? xstrdup(style) : NULL; | 204 | authctxt->style = style ? xstrdup(style) : NULL; |
| 221 | |||
| 222 | if (use_privsep) | ||
| 223 | mm_inform_authserv(mm_recvfd, service, style); | ||
| 224 | } else if (strcmp(user, authctxt->user) != 0 || | 205 | } else if (strcmp(user, authctxt->user) != 0 || |
| 225 | strcmp(service, authctxt->service) != 0) { | 206 | strcmp(service, authctxt->service) != 0) { |
| 226 | packet_disconnect("Change of username or service not allowed: " | 207 | packet_disconnect("Change of username or service not allowed: " |
| @@ -332,8 +313,6 @@ done: | |||
| 332 | static int | 313 | static int |
| 333 | userauth_none(Authctxt *authctxt) | 314 | userauth_none(Authctxt *authctxt) |
| 334 | { | 315 | { |
| 335 | int res = 0; | ||
| 336 | |||
| 337 | /* disable method "none", only allowed one time */ | 316 | /* disable method "none", only allowed one time */ |
| 338 | Authmethod *m = authmethod_lookup("none"); | 317 | Authmethod *m = authmethod_lookup("none"); |
| 339 | if (m != NULL) | 318 | if (m != NULL) |
| @@ -343,16 +322,18 @@ userauth_none(Authctxt *authctxt) | |||
| 343 | 322 | ||
| 344 | if (authctxt->valid == 0) | 323 | if (authctxt->valid == 0) |
| 345 | return(0); | 324 | return(0); |
| 346 | if (!authctxt->valid) | 325 | |
| 347 | return (0); | 326 | #ifdef HAVE_CYGWIN |
| 348 | if (use_privsep) | 327 | if (check_nt_auth(1, authctxt->pw) == 0) |
| 349 | #if defined(USE_PAM) || defined(HAVE_OSF_SIA) | 328 | return(0); |
| 350 | #error NOT IMPLEMENTED FOR PRIVSEP | ||
| 351 | #endif | 329 | #endif |
| 352 | res = mm_auth_password(mm_recvfd, ""); | 330 | #ifdef USE_PAM |
| 353 | else | 331 | return auth_pam_password(authctxt->pw, ""); |
| 354 | res = auth_password(authctxt, ""); | 332 | #elif defined(HAVE_OSF_SIA) |
| 355 | return (res); | 333 | return 0; |
| 334 | #else /* !HAVE_OSF_SIA && !USE_PAM */ | ||
| 335 | return auth_password(authctxt, ""); | ||
| 336 | #endif /* USE_PAM */ | ||
| 356 | } | 337 | } |
| 357 | 338 | ||
| 358 | static int | 339 | static int |
| @@ -367,16 +348,18 @@ userauth_passwd(Authctxt *authctxt) | |||
| 367 | log("password change not supported"); | 348 | log("password change not supported"); |
| 368 | password = packet_get_string(&len); | 349 | password = packet_get_string(&len); |
| 369 | packet_check_eom(); | 350 | packet_check_eom(); |
| 370 | 351 | if (authctxt->valid && | |
| 371 | #if defined(HAVE_CYGWIN) || defined(USE_PAM) || defined(HAVE_OSF_SIA) | 352 | #ifdef HAVE_CYGWIN |
| 372 | #error NOT IMPLEMENTED FOR PRIVSEP | 353 | check_nt_auth(1, authctxt->pw) && |
| 373 | #endif | 354 | #endif |
| 374 | if (authctxt->valid) { | 355 | #ifdef USE_PAM |
| 375 | if (use_privsep) | 356 | auth_pam_password(authctxt->pw, password) == 1) |
| 376 | authenticated = mm_auth_password(mm_recvfd, password); | 357 | #elif defined(HAVE_OSF_SIA) |
| 377 | else | 358 | auth_sia_password(authctxt->user, password) == 1) |
| 378 | authenticated = auth_password(authctxt, password); | 359 | #else /* !USE_PAM && !HAVE_OSF_SIA */ |
| 379 | } | 360 | auth_password(authctxt, password) == 1) |
| 361 | #endif /* USE_PAM */ | ||
| 362 | authenticated = 1; | ||
| 380 | memset(password, 0, len); | 363 | memset(password, 0, len); |
| 381 | xfree(password); | 364 | xfree(password); |
| 382 | return authenticated; | 365 | return authenticated; |
| @@ -484,23 +467,12 @@ userauth_pubkey(Authctxt *authctxt) | |||
| 484 | buffer_dump(&b); | 467 | buffer_dump(&b); |
| 485 | #endif | 468 | #endif |
| 486 | /* test for correct signature */ | 469 | /* test for correct signature */ |
| 487 | authenticated = 0; | 470 | if (user_key_allowed(authctxt->pw, key) && |
| 488 | if (use_privsep) { | 471 | key_verify(key, sig, slen, buffer_ptr(&b), buffer_len(&b)) == 1) |
| 489 | if (mm_user_key_allowed(mm_recvfd, key) && | 472 | authenticated = 1; |
| 490 | mm_key_verify(mm_recvfd, | ||
| 491 | MM_USERKEY, NULL, NULL, key, sig, slen, | ||
| 492 | buffer_ptr(&b), buffer_len(&b)) == 1) | ||
| 493 | authenticated = 1; | ||
| 494 | } else { | ||
| 495 | if (user_key_allowed(authctxt->pw, key) && | ||
| 496 | key_verify(key, sig, slen, buffer_ptr(&b), | ||
| 497 | buffer_len(&b)) == 1) | ||
| 498 | authenticated = 1; | ||
| 499 | } | ||
| 500 | buffer_clear(&b); | 473 | buffer_clear(&b); |
| 501 | xfree(sig); | 474 | xfree(sig); |
| 502 | } else { | 475 | } else { |
| 503 | int res = 0; | ||
| 504 | debug("test whether pkalg/pkblob are acceptable"); | 476 | debug("test whether pkalg/pkblob are acceptable"); |
| 505 | packet_check_eom(); | 477 | packet_check_eom(); |
| 506 | 478 | ||
| @@ -512,11 +484,7 @@ userauth_pubkey(Authctxt *authctxt) | |||
| 512 | * if a user is not allowed to login. is this an | 484 | * if a user is not allowed to login. is this an |
| 513 | * issue? -markus | 485 | * issue? -markus |
| 514 | */ | 486 | */ |
| 515 | if (use_privsep) | 487 | if (user_key_allowed(authctxt->pw, key)) { |
| 516 | res = mm_user_key_allowed(mm_recvfd, key); | ||
| 517 | else | ||
| 518 | res = user_key_allowed(authctxt->pw, key); | ||
| 519 | if (res) { | ||
| 520 | packet_start(SSH2_MSG_USERAUTH_PK_OK); | 488 | packet_start(SSH2_MSG_USERAUTH_PK_OK); |
| 521 | packet_put_string(pkalg, alen); | 489 | packet_put_string(pkalg, alen); |
| 522 | packet_put_string(pkblob, blen); | 490 | packet_put_string(pkblob, blen); |
| @@ -604,18 +572,9 @@ userauth_hostbased(Authctxt *authctxt) | |||
| 604 | buffer_dump(&b); | 572 | buffer_dump(&b); |
| 605 | #endif | 573 | #endif |
| 606 | /* test for allowed key and correct signature */ | 574 | /* test for allowed key and correct signature */ |
| 607 | authenticated = 0; | 575 | if (hostbased_key_allowed(authctxt->pw, cuser, chost, key) && |
| 608 | if (use_privsep) { | 576 | key_verify(key, sig, slen, buffer_ptr(&b), buffer_len(&b)) == 1) |
| 609 | if (mm_hostbased_key_allowed(mm_recvfd, cuser, chost, key) && | 577 | authenticated = 1; |
| 610 | mm_key_verify(mm_recvfd, MM_HOSTKEY, cuser, chost, key, | ||
| 611 | sig, slen, buffer_ptr(&b), buffer_len(&b)) == 1) | ||
| 612 | authenticated = 1; | ||
| 613 | } else { | ||
| 614 | if (hostbased_key_allowed(authctxt->pw, cuser, chost, key) && | ||
| 615 | key_verify(key, sig, slen, buffer_ptr(&b), | ||
| 616 | buffer_len(&b)) == 1) | ||
| 617 | authenticated = 1; | ||
| 618 | } | ||
| 619 | 578 | ||
| 620 | buffer_clear(&b); | 579 | buffer_clear(&b); |
| 621 | done: | 580 | done: |
| @@ -771,7 +730,7 @@ user_key_allowed2(struct passwd *pw, Key *key, char *file) | |||
| 771 | } | 730 | } |
| 772 | 731 | ||
| 773 | /* check whether given key is in .ssh/authorized_keys* */ | 732 | /* check whether given key is in .ssh/authorized_keys* */ |
| 774 | int | 733 | static int |
| 775 | user_key_allowed(struct passwd *pw, Key *key) | 734 | user_key_allowed(struct passwd *pw, Key *key) |
| 776 | { | 735 | { |
| 777 | int success; | 736 | int success; |
| @@ -791,7 +750,7 @@ user_key_allowed(struct passwd *pw, Key *key) | |||
| 791 | } | 750 | } |
| 792 | 751 | ||
| 793 | /* return 1 if given hostkey is allowed */ | 752 | /* return 1 if given hostkey is allowed */ |
| 794 | int | 753 | static int |
| 795 | hostbased_key_allowed(struct passwd *pw, const char *cuser, char *chost, | 754 | hostbased_key_allowed(struct passwd *pw, const char *cuser, char *chost, |
| 796 | Key *key) | 755 | Key *key) |
| 797 | { | 756 | { |