authorDamien Miller <djm@mindrot.org>2000-06-18 14:50:44 +1000
committerDamien Miller <djm@mindrot.org>2000-06-18 14:50:44 +1000
commitf6d9e2218998559cb67aad55d3f4a0bf53600c41 (patch)
tree87ea430020c66c697e065c164951b3f74b730b76 /auth2.c
parent7b22d65034ac280e0b4eaa857c71b17ee3ad7d99 (diff)
- OpenBSD CVS updates:
- deraadt@cvs.openbsd.org 2000/06/17 09:58:46 [channels.c] everyone says "nix it" (remove protocol 2 debugging message) - markus@cvs.openbsd.org 2000/06/17 13:24:34 [sshconnect.c] allow extended server banners - markus@cvs.openbsd.org 2000/06/17 14:30:10 [sshconnect.c] missing atomicio, typo - jakob@cvs.openbsd.org 2000/06/17 16:52:34 [servconf.c servconf.h session.c sshd.8 sshd_config] add support for ssh v2 subsystems. ok markus@. - deraadt@cvs.openbsd.org 2000/06/17 18:57:48 [readconf.c servconf.c] include = in WHITESPACE; markus ok - markus@cvs.openbsd.org 2000/06/17 19:09:10 [auth2.c] implement bug compatibility with ssh-2.0.13 pubkey, server side - markus@cvs.openbsd.org 2000/06/17 21:00:28 [compat.c] initial support for ssh.com's 2.2.0 - markus@cvs.openbsd.org 2000/06/17 21:16:09 [scp.c] typo - markus@cvs.openbsd.org 2000/06/17 22:05:02 [auth-rsa.c auth2.c serverloop.c session.c auth-options.c auth-options.h] split auth-rsa option parsing into auth-options add options support to authorized_keys2 - markus@cvs.openbsd.org 2000/06/17 22:42:54 [session.c] typo
Diffstat (limited to 'auth2.c')
-rw-r--r--auth2.c61
1 files changed, 41 insertions, 20 deletions
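--- a/auth2.c
+++ b/auth2.c
@@ -27,7 +27,7 @@
  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  */
 #include "includes.h"
-RCSID("$OpenBSD: auth2.c,v 1.8 2000/05/08 17:42:24 markus Exp $");
+RCSID("$OpenBSD: auth2.c,v 1.10 2000/06/18 04:05:02 markus Exp $");
 
 #include <openssl/dsa.h>
 #include <openssl/rsa.h>
@@ -54,6 +54,7 @@ RCSID("$OpenBSD: auth2.c,v 1.8 2000/05/08 17:42:24 markus Exp $");
 
 #include "dsa.h"
 #include "uidswap.h"
+#include "auth-options.h"
 
 /* import */
 extern ServerOptions options;
@@ -69,7 +70,7 @@ void protocol_error(int type, int plen);
 /* auth */
 int ssh2_auth_none(struct passwd *pw);
 int ssh2_auth_password(struct passwd *pw);
-int ssh2_auth_pubkey(struct passwd *pw, unsigned char *raw, unsigned int rlen);
+int ssh2_auth_pubkey(struct passwd *pw, char *service);
 
 /* helper */
 struct passwd* auth_set_user(char *u, char *s);
@@ -150,17 +151,14 @@ input_userauth_request(int type, int plen)
 {
 	static void (*authlog) (const char *fmt,...) = verbose;
 	static int attempt = 0;
-	unsigned int len, rlen;
+	unsigned int len;
 	int authenticated = 0;
-	char *raw, *user, *service, *method, *authmsg = NULL;
+	char *user, *service, *method, *authmsg = NULL;
 	struct passwd *pw;
 #ifdef WITH_AIXAUTHENTICATE
 	extern char *aixloginmsg;
 #endif /* WITH_AIXAUTHENTICATE */
 
-	raw = packet_get_raw(&rlen);
-	if (plen != rlen)
-		fatal("plen != rlen");
 	user = packet_get_string(&len);
 	service = packet_get_string(&len);
 	method = packet_get_string(&len);
@@ -180,7 +178,7 @@ input_userauth_request(int type, int plen)
 		} else if (strcmp(method, "password") == 0) {
 			authenticated = ssh2_auth_password(pw);
 		} else if (strcmp(method, "publickey") == 0) {
-			authenticated = ssh2_auth_pubkey(pw, raw, rlen);
+			authenticated = ssh2_auth_pubkey(pw, service);
 		}
 	}
 	if (authenticated && pw && pw->pw_uid == 0 && !options.permit_root_login) {
@@ -277,7 +275,7 @@ ssh2_auth_password(struct passwd *pw)
 	return authenticated;
 }
 int
-ssh2_auth_pubkey(struct passwd *pw, unsigned char *raw, unsigned int rlen)
+ssh2_auth_pubkey(struct passwd *pw, char *service)
 {
 	Buffer b;
 	Key *key;
@@ -290,10 +288,6 @@ ssh2_auth_pubkey(struct passwd *pw, unsigned char *raw, unsigned int rlen)
 		debug("pubkey auth disabled");
 		return 0;
 	}
-	if (datafellows & SSH_BUG_PUBKEYAUTH) {
-		log("bug compatibility with ssh-2.0.13 pubkey not implemented");
-		return 0;
-	}
 	have_sig = packet_get_char();
 	pkalg = packet_get_string(&alen);
 	if (strcmp(pkalg, KEX_DSS) != 0) {
@@ -309,10 +303,18 @@ ssh2_auth_pubkey(struct passwd *pw, unsigned char *raw, unsigned int rlen)
 	packet_done();
 	buffer_init(&b);
 	buffer_append(&b, session_id2, session_id2_len);
+
+	/* reconstruct packet */
 	buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST);
-	if (slen + 4 > rlen)
-		fatal("bad rlen/slen");
-	buffer_append(&b, raw, rlen - slen - 4);
+	buffer_put_cstring(&b, pw->pw_name);
+	buffer_put_cstring(&b,
+	    datafellows & SSH_BUG_PUBKEYAUTH ?
+	    "ssh-userauth" :
+	    service);
+	buffer_put_cstring(&b, "publickey");
+	buffer_put_char(&b, have_sig);
+	buffer_put_cstring(&b, KEX_DSS);
+	buffer_put_string(&b, pkblob, blen);
 #ifdef DEBUG_DSS
 	buffer_dump(&b);
 #endif
@@ -471,17 +473,36 @@ user_dsa_key_allowed(struct passwd *pw, Key *key)
 	found = key_new(KEY_DSA);
 
 	while (fgets(line, sizeof(line), f)) {
-		char *cp;
+		char *cp, *options = NULL;
 		linenum++;
 		/* Skip leading whitespace, empty and comment lines. */
 		for (cp = line; *cp == ' ' || *cp == '\t'; cp++)
 			;
 		if (!*cp || *cp == '\n' || *cp == '#')
 			continue;
+
 		bits = key_read(found, &cp);
-		if (bits == 0)
-			continue;
-		if (key_equal(found, key)) {
+		if (bits == 0) {
+			/* no key? check if there are options for this key */
+			int quoted = 0;
+			options = cp;
+			for (; *cp && (quoted || (*cp != ' ' && *cp != '\t')); cp++) {
+				if (*cp == '\\' && cp[1] == '"')
+					cp++;	/* Skip both */
+				else if (*cp == '"')
+					quoted = !quoted;
+			}
+			/* Skip remaining whitespace. */
+			for (; *cp == ' ' || *cp == '\t'; cp++)
+				;
+			bits = key_read(found, &cp);
+			if (bits == 0) {
+				/* still no key? advance to next line*/
+				continue;
+			}
+		}
+		if (key_equal(found, key) &&
+		    auth_parse_options(pw, options, linenum) == 1) {
 			found_key = 1;
 			debug("matching key found: file %s, line %ld",
 			    file, linenum);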
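Review bot: In the user_dsa_key_allowed hunk, `options` is still NULL for any line that begins directly with a key, and the new condition `key_equal(found, key) && auth_parse_options(pw, options, linenum) == 1` passes that NULL through; the hunk does not show whether auth_parse_options treats NULL as "no options, permit", so the call site should state the contract, e.g. `/* options is NULL when the line has no option prefix; auth_parse_options() must accept NULL */`, or guard it with `(options == NULL || auth_parse_options(pw, options, linenum) == 1)` if it does not. user_dsa_key_allowed begins and ends outside the hunk, so the declarations of `bits`, `found` and `line` are not visible here. In the ssh2_auth_pubkey hunk, the reconstructed request substitutes "ssh-userauth" for the requested `service` under SSH_BUG_PUBKEYAUTH, which means the signature that is verified does not cover the service the client actually asked for; a one-line comment above that `buffer_put_cstring` saying this is the intentional ssh-2.0.13 compatibility trade-off would keep a later reader from "fixing" it.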