- markus@cvs.openbsd.org 2002/05/25 18:51:07

[auth.h auth2.c auth2-hostbased.c auth2-kbdint.c auth2-none.c auth2-passwd.c auth2-pubkey.c Makefile.in] split auth2.c into one file per method; ok provos@/deraadt@ NOTE: Merged back noticable cygwin and pam stuff. May need review to ensure I did not miss anything.
author: Ben Lindstrom <mouring@eviladmin.org> 2002-06-06 20:27:55 +0000
committer: Ben Lindstrom <mouring@eviladmin.org> 2002-06-06 20:27:55 +0000
commit: 855bf3ac3cf395b282600700c1fd792af1f3fdcb (patch)
tree: effce712ac4bb1d7ef46cc3db4fdda2b74756298 /auth2.c
parent: 4887da222b5dec4e36f85f724d836dfbb6d434c7 (diff)
1 files changed, 1 insertions, 185 deletions
diff --git a/auth2.c b/auth2.c
index 6bcc56527..ffd703282 100644
--- a/auth2.c
+++ b/auth2.c
@@ -23,35 +23,18 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: auth2.c,v 1.91 2002/05/13 02:37:39 itojun Exp $");
+RCSID("$OpenBSD: auth2.c,v 1.92 2002/05/25 18:51:07 markus Exp $");
-#include <openssl/evp.h>
 #include "ssh2.h"
 #include "xmalloc.h"
-#include "rsa.h"
-#include "sshpty.h"
 #include "packet.h"
-#include "buffer.h"
 #include "log.h"
 #include "servconf.h"
 #include "compat.h"
-#include "channels.h"
-#include "bufaux.h"
 #include "auth.h"
-#include "session.h"
 #include "dispatch.h"
-#include "key.h"
-#include "cipher.h"
-#include "kex.h"
 #include "pathnames.h"
-#include "uidswap.h"
-#include "auth-options.h"
-#include "hostfile.h"
-#include "canohost.h"
-#include "match.h"
 #include "monitor_wrap.h"
-#include "atomicio.h"
 /* import */
 extern ServerOptions options;
@@ -80,12 +63,6 @@ int user_key_allowed(struct passwd *, Key *);
 int hostbased_key_allowed(struct passwd *, const char *, char *, Key *);
 /* auth */
-static void userauth_banner(void);
-static int userauth_none(Authctxt *);
-static int userauth_passwd(Authctxt *);
-static int userauth_pubkey(Authctxt *);
-static int userauth_hostbased(Authctxt *);
-static int userauth_kbdint(Authctxt *);
 Authmethod authmethods[] = {
        {"none",
@@ -651,164 +628,3 @@ authmethod_lookup(const char *name)
        debug2("Unrecognized authentication method name: %s", name ? name : "NULL");
        return NULL;
 }
-/* return 1 if user allows given key */
-static int
-user_key_allowed2(struct passwd *pw, Key *key, char *file)
-{
-        char line[8192];
-        int found_key = 0;
-        FILE *f;
-        u_long linenum = 0;
-        struct stat st;
-        Key *found;
-        char *fp;
-        if (pw == NULL)
-                return 0;
-        /* Temporarily use the user's uid. */
-        temporarily_use_uid(pw);
-        debug("trying public key file %s", file);
-        /* Fail quietly if file does not exist */
-        if (stat(file, &st) < 0) {
-                /* Restore the privileged uid. */
-                restore_uid();
-                return 0;
-        }
-        /* Open the file containing the authorized keys. */
-        f = fopen(file, "r");
-        if (!f) {
-                /* Restore the privileged uid. */
-                restore_uid();
-                return 0;
-        }
-        if (options.strict_modes &&
-            secure_filename(f, file, pw, line, sizeof(line)) != 0) {
-                fclose(f);
-                log("Authentication refused: %s", line);
-                restore_uid();
-                return 0;
-        }
-        found_key = 0;
-        found = key_new(key->type);
-        while (fgets(line, sizeof(line), f)) {
-                char *cp, *options = NULL;
-                linenum++;
-                /* Skip leading whitespace, empty and comment lines. */
-                for (cp = line; *cp == ' ' || *cp == '\t'; cp++)
-                        ;
-                if (!*cp || *cp == '\n' || *cp == '#')
-                        continue;
-                if (key_read(found, &cp) != 1) {
-                        /* no key?  check if there are options for this key */
-                        int quoted = 0;
-                        debug2("user_key_allowed: check options: '%s'", cp);
-                        options = cp;
-                        for (; *cp && (quoted || (*cp != ' ' && *cp != '\t')); cp++) {
-                                if (*cp == '\\' && cp[1] == '"')
-                                        cp++;   /* Skip both */
-                                else if (*cp == '"')
-                                        quoted = !quoted;
-                        }
-                        /* Skip remaining whitespace. */
-                        for (; *cp == ' ' || *cp == '\t'; cp++)
-                                ;
-                        if (key_read(found, &cp) != 1) {
-                                debug2("user_key_allowed: advance: '%s'", cp);
-                                /* still no key?  advance to next line*/
-                                continue;
-                        }
-                }
-                if (key_equal(found, key) &&
-                    auth_parse_options(pw, options, file, linenum) == 1) {
-                        found_key = 1;
-                        debug("matching key found: file %s, line %lu",
-                            file, linenum);
-                        fp = key_fingerprint(found, SSH_FP_MD5, SSH_FP_HEX);
-                        verbose("Found matching %s key: %s",
-                            key_type(found), fp);
-                        xfree(fp);
-                        break;
-                }
-        }
-        restore_uid();
-        fclose(f);
-        key_free(found);
-        if (!found_key)
-                debug2("key not found");
-        return found_key;
-}
-/* check whether given key is in .ssh/authorized_keys* */
-int
-user_key_allowed(struct passwd *pw, Key *key)
-{
-        int success;
-        char *file;
-        file = authorized_keys_file(pw);
-        success = user_key_allowed2(pw, key, file);
-        xfree(file);
-        if (success)
-                return success;
-        /* try suffix "2" for backward compat, too */
-        file = authorized_keys_file2(pw);
-        success = user_key_allowed2(pw, key, file);
-        xfree(file);
-        return success;
-}
-/* return 1 if given hostkey is allowed */
-int
-hostbased_key_allowed(struct passwd *pw, const char *cuser, char *chost,
-    Key *key)
-{
-        const char *resolvedname, *ipaddr, *lookup;
-        HostStatus host_status;
-        int len;
-        resolvedname = get_canonical_hostname(options.verify_reverse_mapping);
-        ipaddr = get_remote_ipaddr();
-        debug2("userauth_hostbased: chost %s resolvedname %s ipaddr %s",
-            chost, resolvedname, ipaddr);
-        if (options.hostbased_uses_name_from_packet_only) {
-                if (auth_rhosts2(pw, cuser, chost, chost) == 0)
-                        return 0;
-                lookup = chost;
-        } else {
-                if (((len = strlen(chost)) > 0) && chost[len - 1] == '.') {
-                        debug2("stripping trailing dot from chost %s", chost);
-                        chost[len - 1] = '\0';
-                }
-                if (strcasecmp(resolvedname, chost) != 0)
-                        log("userauth_hostbased mismatch: "
-                            "client sends %s, but we resolve %s to %s",
-                            chost, ipaddr, resolvedname);
-                if (auth_rhosts2(pw, cuser, resolvedname, ipaddr) == 0)
-                        return 0;
-                lookup = resolvedname;
-        }
-        debug2("userauth_hostbased: access allowed by auth_rhosts2");
-        host_status = check_key_in_hostfiles(pw, key, lookup,
-            _PATH_SSH_SYSTEM_HOSTFILE,
-            options.ignore_user_known_hosts ? NULL : _PATH_SSH_USER_HOSTFILE);
-        /* backward compat if no key has been found. */
-        if (host_status == HOST_NEW)
-                host_status = check_key_in_hostfiles(pw, key, lookup,
-                    _PATH_SSH_SYSTEM_HOSTFILE2,
-                    options.ignore_user_known_hosts ? NULL :
-                    _PATH_SSH_USER_HOSTFILE2);
-        return (host_status == HOST_OK);
-}
author	Ben Lindstrom <mouring@eviladmin.org>	2002-06-06 20:27:55 +0000
committer	Ben Lindstrom <mouring@eviladmin.org>	2002-06-06 20:27:55 +0000
commit	855bf3ac3cf395b282600700c1fd792af1f3fdcb (patch)
tree	effce712ac4bb1d7ef46cc3db4fdda2b74756298 /auth2.c
parent	4887da222b5dec4e36f85f724d836dfbb6d434c7 (diff)

diff --git a/auth2.c b/auth2.c index 6bcc56527..ffd703282 100644 --- a/auth2.c +++ b/auth2.c
@@ -23,35 +23,18 @@
23	*/	23	*/
24		24
25	#include "includes.h"	25	#include "includes.h"
26	RCSID("$OpenBSD: auth2.c,v 1.91 2002/05/13 02:37:39 itojun Exp $");	26	RCSID("$OpenBSD: auth2.c,v 1.92 2002/05/25 18:51:07 markus Exp $");
27
28	#include <openssl/evp.h>
29		27
30	#include "ssh2.h"	28	#include "ssh2.h"
31	#include "xmalloc.h"	29	#include "xmalloc.h"
32	#include "rsa.h"
33	#include "sshpty.h"
34	#include "packet.h"	30	#include "packet.h"
35	#include "buffer.h"
36	#include "log.h"	31	#include "log.h"
37	#include "servconf.h"	32	#include "servconf.h"
38	#include "compat.h"	33	#include "compat.h"
39	#include "channels.h"
40	#include "bufaux.h"
41	#include "auth.h"	34	#include "auth.h"
42	#include "session.h"
43	#include "dispatch.h"	35	#include "dispatch.h"
44	#include "key.h"
45	#include "cipher.h"
46	#include "kex.h"
47	#include "pathnames.h"	36	#include "pathnames.h"
48	#include "uidswap.h"
49	#include "auth-options.h"
50	#include "hostfile.h"
51	#include "canohost.h"
52	#include "match.h"
53	#include "monitor_wrap.h"	37	#include "monitor_wrap.h"
54	#include "atomicio.h"
55		38
56	/* import */	39	/* import */
57	extern ServerOptions options;	40	extern ServerOptions options;
@@ -80,12 +63,6 @@ int user_key_allowed(struct passwd , Key );
80	int hostbased_key_allowed(struct passwd , const char , char , Key );	63	int hostbased_key_allowed(struct passwd , const char , char , Key );
81		64
82	/* auth */	65	/* auth */
83	static void userauth_banner(void);
84	static int userauth_none(Authctxt *);
85	static int userauth_passwd(Authctxt *);
86	static int userauth_pubkey(Authctxt *);
87	static int userauth_hostbased(Authctxt *);
88	static int userauth_kbdint(Authctxt *);
89		66
90	Authmethod authmethods[] = {	67	Authmethod authmethods[] = {
91	{"none",	68	{"none",
@@ -651,164 +628,3 @@ authmethod_lookup(const char *name)
651	debug2("Unrecognized authentication method name: %s", name ? name : "NULL");	628	debug2("Unrecognized authentication method name: %s", name ? name : "NULL");
652	return NULL;	629	return NULL;
653	}	630	}
654
655	/* return 1 if user allows given key */
656	static int
657	user_key_allowed2(struct passwd pw, Key key, char *file)
658	{
659	char line[8192];
660	int found_key = 0;
661	FILE *f;
662	u_long linenum = 0;
663	struct stat st;
664	Key *found;
665	char *fp;
666
667	if (pw == NULL)
668	return 0;
669
670	/* Temporarily use the user's uid. */
671	temporarily_use_uid(pw);
672
673	debug("trying public key file %s", file);
674
675	/* Fail quietly if file does not exist */
676	if (stat(file, &st) < 0) {
677	/* Restore the privileged uid. */
678	restore_uid();
679	return 0;
680	}
681	/* Open the file containing the authorized keys. */
682	f = fopen(file, "r");
683	if (!f) {
684	/* Restore the privileged uid. */
685	restore_uid();
686	return 0;
687	}
688	if (options.strict_modes &&
689	secure_filename(f, file, pw, line, sizeof(line)) != 0) {
690	fclose(f);
691	log("Authentication refused: %s", line);
692	restore_uid();
693	return 0;
694	}
695
696	found_key = 0;
697	found = key_new(key->type);
698
699	while (fgets(line, sizeof(line), f)) {
700	char cp, options = NULL;
701	linenum++;
702	/* Skip leading whitespace, empty and comment lines. */
703	for (cp = line; cp == ' ' \|\| cp == '\t'; cp++)
704	;
705	if (!cp \|\| cp == '\n' \|\| *cp == '#')
706	continue;
707
708	if (key_read(found, &cp) != 1) {
709	/* no key? check if there are options for this key */
710	int quoted = 0;
711	debug2("user_key_allowed: check options: '%s'", cp);
712	options = cp;
713	for (; cp && (quoted \|\| (cp != ' ' && *cp != '\t')); cp++) {
714	if (*cp == '\\' && cp[1] == '"')
715	cp++; /* Skip both */
716	else if (*cp == '"')
717	quoted = !quoted;
718	}
719	/* Skip remaining whitespace. */
720	for (; cp == ' ' \|\| cp == '\t'; cp++)
721	;
722	if (key_read(found, &cp) != 1) {
723	debug2("user_key_allowed: advance: '%s'", cp);
724	/* still no key? advance to next line*/
725	continue;
726	}
727	}
728	if (key_equal(found, key) &&
729	auth_parse_options(pw, options, file, linenum) == 1) {
730	found_key = 1;
731	debug("matching key found: file %s, line %lu",
732	file, linenum);
733	fp = key_fingerprint(found, SSH_FP_MD5, SSH_FP_HEX);
734	verbose("Found matching %s key: %s",
735	key_type(found), fp);
736	xfree(fp);
737	break;
738	}
739	}
740	restore_uid();
741	fclose(f);
742	key_free(found);
743	if (!found_key)
744	debug2("key not found");
745	return found_key;
746	}
747
748	/* check whether given key is in .ssh/authorized_keys* */
749	int
750	user_key_allowed(struct passwd pw, Key key)
751	{
752	int success;
753	char *file;
754
755	file = authorized_keys_file(pw);
756	success = user_key_allowed2(pw, key, file);
757	xfree(file);
758	if (success)
759	return success;
760
761	/* try suffix "2" for backward compat, too */
762	file = authorized_keys_file2(pw);
763	success = user_key_allowed2(pw, key, file);
764	xfree(file);
765	return success;
766	}
767
768	/* return 1 if given hostkey is allowed */
769	int
770	hostbased_key_allowed(struct passwd pw, const char cuser, char *chost,
771	Key *key)
772	{
773	const char resolvedname, ipaddr, *lookup;
774	HostStatus host_status;
775	int len;
776
777	resolvedname = get_canonical_hostname(options.verify_reverse_mapping);
778	ipaddr = get_remote_ipaddr();
779
780	debug2("userauth_hostbased: chost %s resolvedname %s ipaddr %s",
781	chost, resolvedname, ipaddr);
782
783	if (options.hostbased_uses_name_from_packet_only) {
784	if (auth_rhosts2(pw, cuser, chost, chost) == 0)
785	return 0;
786	lookup = chost;
787	} else {
788	if (((len = strlen(chost)) > 0) && chost[len - 1] == '.') {
789	debug2("stripping trailing dot from chost %s", chost);
790	chost[len - 1] = '\0';
791	}
792	if (strcasecmp(resolvedname, chost) != 0)
793	log("userauth_hostbased mismatch: "
794	"client sends %s, but we resolve %s to %s",
795	chost, ipaddr, resolvedname);
796	if (auth_rhosts2(pw, cuser, resolvedname, ipaddr) == 0)
797	return 0;
798	lookup = resolvedname;
799	}
800	debug2("userauth_hostbased: access allowed by auth_rhosts2");
801
802	host_status = check_key_in_hostfiles(pw, key, lookup,
803	_PATH_SSH_SYSTEM_HOSTFILE,
804	options.ignore_user_known_hosts ? NULL : _PATH_SSH_USER_HOSTFILE);
805
806	/* backward compat if no key has been found. */
807	if (host_status == HOST_NEW)
808	host_status = check_key_in_hostfiles(pw, key, lookup,
809	_PATH_SSH_SYSTEM_HOSTFILE2,
810	options.ignore_user_known_hosts ? NULL :
811	_PATH_SSH_USER_HOSTFILE2);
812
813	return (host_status == HOST_OK);
814	}