author | Ben Lindstrom <mouring@eviladmin.org> | 2002-06-06 20:27:55 +0000 |
---|---|---|
committer | Ben Lindstrom <mouring@eviladmin.org> | 2002-06-06 20:27:55 +0000 |
commit | 855bf3ac3cf395b282600700c1fd792af1f3fdcb (patch) | |
tree | effce712ac4bb1d7ef46cc3db4fdda2b74756298 /auth2.c | |
parent | 4887da222b5dec4e36f85f724d836dfbb6d434c7 (diff) |
- markus@cvs.openbsd.org 2002/05/25 18:51:07
[auth.h auth2.c auth2-hostbased.c auth2-kbdint.c auth2-none.c
auth2-passwd.c auth2-pubkey.c Makefile.in]
split auth2.c into one file per method; ok provos@/deraadt@
NOTE: Merged back noticeable cygwin and pam stuff. May need review to
ensure I did not miss anything.
Diffstat (limited to 'auth2.c')
-rw-r--r-- | auth2.c | 186 |
1 files changed, 1 insertions, 185 deletions
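--- a/auth2.c
+++ b/auth2.c
@@ -23,35 +23,18 @@
 */
 
 #include "includes.h"
-RCSID("$OpenBSD: auth2.c,v 1.91 2002/05/13 02:37:39 itojun Exp $");
+RCSID("$OpenBSD: auth2.c,v 1.92 2002/05/25 18:51:07 markus Exp $");
-
-#include <openssl/evp.h>
 
 #include "ssh2.h"
 #include "xmalloc.h"
-#include "rsa.h"
-#include "sshpty.h"
 #include "packet.h"
-#include "buffer.h"
 #include "log.h"
 #include "servconf.h"
 #include "compat.h"
-#include "channels.h"
-#include "bufaux.h"
 #include "auth.h"
-#include "session.h"
 #include "dispatch.h"
-#include "key.h"
-#include "cipher.h"
-#include "kex.h"
 #include "pathnames.h"
-#include "uidswap.h"
-#include "auth-options.h"
-#include "hostfile.h"
-#include "canohost.h"
-#include "match.h"
 #include "monitor_wrap.h"
-#include "atomicio.h"
 
 /* import */
 extern ServerOptions options;
@@ -80,12 +63,6 @@ int user_key_allowed(struct passwd *, Key *);
 int hostbased_key_allowed(struct passwd *, const char *, char *, Key *);
 
 /* auth */
-static void userauth_banner(void);
-static int userauth_none(Authctxt *);
-static int userauth_passwd(Authctxt *);
-static int userauth_pubkey(Authctxt *);
-static int userauth_hostbased(Authctxt *);
-static int userauth_kbdint(Authctxt *);
 
 Authmethod authmethods[] = {
 {"none",
@@ -651,164 +628,3 @@ authmethod_lookup(const char *name)
 debug2("Unrecognized authentication method name: %s", name ? name : "NULL");
 return NULL;
 }
-
-/* return 1 if user allows given key */
-static int
-user_key_allowed2(struct passwd *pw, Key *key, char *file)
-{
-char line[8192];
-int found_key = 0;
-FILE *f;
-u_long linenum = 0;
-struct stat st;
-Key *found;
-char *fp;
-
-if (pw == NULL)
-return 0;
-
-/* Temporarily use the user's uid. */
-temporarily_use_uid(pw);
-
-debug("trying public key file %s", file);
-
-/* Fail quietly if file does not exist */
-if (stat(file, &st) < 0) {
-/* Restore the privileged uid. */
-restore_uid();
-return 0;
-}
-/* Open the file containing the authorized keys. */
-f = fopen(file, "r");
-if (!f) {
-/* Restore the privileged uid. */
-restore_uid();
-return 0;
-}
-if (options.strict_modes &&
-secure_filename(f, file, pw, line, sizeof(line)) != 0) {
-fclose(f);
-log("Authentication refused: %s", line);
-restore_uid();
-return 0;
-}
-
-found_key = 0;
-found = key_new(key->type);
-
-while (fgets(line, sizeof(line), f)) {
-char *cp, *options = NULL;
-linenum++;
-/* Skip leading whitespace, empty and comment lines. */
-for (cp = line; *cp == ' ' || *cp == '\t'; cp++)
-;
-if (!*cp || *cp == '\n' || *cp == '#')
-continue;
-
-if (key_read(found, &cp) != 1) {
-/* no key? check if there are options for this key */
-int quoted = 0;
-debug2("user_key_allowed: check options: '%s'", cp);
-options = cp;
-for (; *cp && (quoted || (*cp != ' ' && *cp != '\t')); cp++) {
-if (*cp == '\\' && cp[1] == '"')
-cp++; /* Skip both */
-else if (*cp == '"')
-quoted = !quoted;
-}
-/* Skip remaining whitespace. */
-for (; *cp == ' ' || *cp == '\t'; cp++)
-;
-if (key_read(found, &cp) != 1) {
-debug2("user_key_allowed: advance: '%s'", cp);
-/* still no key? advance to next line*/
-continue;
-}
-}
-if (key_equal(found, key) &&
-auth_parse_options(pw, options, file, linenum) == 1) {
-found_key = 1;
-debug("matching key found: file %s, line %lu",
-file, linenum);
-fp = key_fingerprint(found, SSH_FP_MD5, SSH_FP_HEX);
-verbose("Found matching %s key: %s",
-key_type(found), fp);
-xfree(fp);
-break;
-}
-}
-restore_uid();
-fclose(f);
-key_free(found);
-if (!found_key)
-debug2("key not found");
-return found_key;
-}
-
-/* check whether given key is in .ssh/authorized_keys* */
-int
-user_key_allowed(struct passwd *pw, Key *key)
-{
-int success;
-char *file;
-
-file = authorized_keys_file(pw);
-success = user_key_allowed2(pw, key, file);
-xfree(file);
-if (success)
-return success;
-
-/* try suffix "2" for backward compat, too */
-file = authorized_keys_file2(pw);
-success = user_key_allowed2(pw, key, file);
-xfree(file);
-return success;
-}
-
-/* return 1 if given hostkey is allowed */
-int
-hostbased_key_allowed(struct passwd *pw, const char *cuser, char *chost,
-Key *key)
-{
-const char *resolvedname, *ipaddr, *lookup;
-HostStatus host_status;
-int len;
-
-resolvedname = get_canonical_hostname(options.verify_reverse_mapping);
-ipaddr = get_remote_ipaddr();
-
-debug2("userauth_hostbased: chost %s resolvedname %s ipaddr %s",
-chost, resolvedname, ipaddr);
-
-if (options.hostbased_uses_name_from_packet_only) {
-if (auth_rhosts2(pw, cuser, chost, chost) == 0)
-return 0;
-lookup = chost;
-} else {
-if (((len = strlen(chost)) > 0) && chost[len - 1] == '.') {
-debug2("stripping trailing dot from chost %s", chost);
-chost[len - 1] = '\0';
-}
-if (strcasecmp(resolvedname, chost) != 0)
-log("userauth_hostbased mismatch: "
-"client sends %s, but we resolve %s to %s",
-chost, ipaddr, resolvedname);
-if (auth_rhosts2(pw, cuser, resolvedname, ipaddr) == 0)
-return 0;
-lookup = resolvedname;
-}
-debug2("userauth_hostbased: access allowed by auth_rhosts2");
-
-host_status = check_key_in_hostfiles(pw, key, lookup,
-_PATH_SSH_SYSTEM_HOSTFILE,
-options.ignore_user_known_hosts ? NULL : _PATH_SSH_USER_HOSTFILE);
-
-/* backward compat if no key has been found. */
-if (host_status == HOST_NEW)
-host_status = check_key_in_hostfiles(pw, key, lookup,
-_PATH_SSH_SYSTEM_HOSTFILE2,
-options.ignore_user_known_hosts ? NULL :
-_PATH_SSH_USER_HOSTFILE2);
-
-return (host_status == HOST_OK);
-}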
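Review bot: The local prototypes `int user_key_allowed(struct passwd *, Key *);` (the second hunk's header line) and `int hostbased_key_allowed(struct passwd *, const char *, char *, Key *);` (new line 63) survive in auth2.c even though the third hunk deletes both definitions from this file and the log says the methods now live in per-method files. A prototype kept in a file that no longer defines the function is not checked against the real definition, so the two copies should be dropped here and declared once in auth.h (which this commit also touches), so that auth2-pubkey.c, auth2-hostbased.c and every caller compile against a single signature. The `authmethods[]` table that opens at the end of the second hunk continues outside the hunk, so I cannot see where its entries now obtain the userauth_* declarations after the `static` prototypes were removed; presumably auth.h, which is worth confirming since a missing declaration would silently fall back to an implicit `int` prototype under C89 rules.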