author | Colin Watson <cjwatson@debian.org> | 2013-05-07 10:06:42 +0100 |
committer | Colin Watson <cjwatson@debian.org> | 2013-05-07 10:06:42 +0100 |
commit | ecebda56da46a03dafff923d91c382f31faa9eec (patch) | |
tree | 449614b6c06a2622c74a609b31fcc46c60037c56 /monitor.c | |
parent | c6a2c0334e45419875687d250aed9bea78480f2e (diff) | |
parent | ffc06452028ba78cd693d4ed43df8b60a10d6163 (diff) |
merge 6.2p1; reorder additions to monitor.h for easier merging in future
Diffstat (limited to 'monitor.c')
-rw-r--r-- | monitor.c | 64 |
1 files changed, 50 insertions, 14 deletions
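--- a/monitor.c
+++ b/monitor.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: monitor.c,v 1.117 2012/06/22 12:30:26 dtucker Exp $ */
+/* $OpenBSD: monitor.c,v 1.120 2012/12/11 22:16:21 markus Exp $ */
 /*
  * Copyright 2002 Niels Provos <provos@citi.umich.edu>
  * Copyright 2002 Markus Friedl <markus@openbsd.org>
@@ -201,6 +201,7 @@ static int key_blobtype = MM_NOKEY;
 static char *hostbased_cuser = NULL;
 static char *hostbased_chost = NULL;
 static char *auth_method = "unknown";
+static char *auth_submethod = NULL;
 static u_int session_id2_len = 0;
 static u_char *session_id2 = NULL;
 static pid_t monitor_child_pid;
@@ -361,7 +362,7 @@ void
 monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor)
 {
 struct mon_table *ent;
-int authenticated = 0;
+int authenticated = 0, partial = 0;
 
 debug3("preauth child monitor started");
 
@@ -392,8 +393,26 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor)
 
 /* The first few requests do not require asynchronous access */
 while (!authenticated) {
+partial = 0;
 auth_method = "unknown";
+auth_submethod = NULL;
 authenticated = (monitor_read(pmonitor, mon_dispatch, &ent) == 1);
+
+/* Special handling for multiple required authentications */
+if (options.num_auth_methods != 0) {
+if (!compat20)
+fatal("AuthenticationMethods is not supported"
+"with SSH protocol 1");
+if (authenticated &&
+!auth2_update_methods_lists(authctxt,
+auth_method)) {
+debug3("%s: method %s: partial", __func__,
+auth_method);
+authenticated = 0;
+partial = 1;
+}
+}
+
 if (authenticated) {
 if (!(ent->flags & MON_AUTHDECIDE))
 fatal("%s: unexpected authentication from %d",
@@ -414,9 +433,9 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor)
 }
 #endif
 }
-
 if (ent->flags & (MON_AUTHDECIDE|MON_ALOG)) {
-auth_log(authctxt, authenticated, auth_method,
+auth_log(authctxt, authenticated, partial,
+auth_method, auth_submethod,
 compat20 ? " ssh2" : "");
 if (!authenticated)
 authctxt->failures++;
@@ -432,10 +451,6 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor)
 #endif
 }
 
-/* Drain any buffered messages from the child */
-while (pmonitor->m_log_recvfd != -1 && monitor_read_log(pmonitor) == 0)
-;
-
 if (!authctxt->valid)
 fatal("%s: authenticated invalid user", __func__);
 if (strcmp(auth_method, "unknown") == 0)
@@ -446,6 +461,10 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor)
 
 mm_get_keystate(pmonitor);
 
+/* Drain any buffered messages from the child */
+while (pmonitor->m_log_recvfd != -1 && monitor_read_log(pmonitor) == 0)
+;
+
 close(pmonitor->m_sendfd);
 close(pmonitor->m_log_recvfd);
 pmonitor->m_sendfd = pmonitor->m_log_recvfd = -1;
@@ -798,7 +817,17 @@ mm_answer_pwnamallow(int sock, Buffer *m)
 COPY_MATCH_STRING_OPTS();
 #undef M_CP_STROPT
 #undef M_CP_STRARRAYOPT
 
+/* Create valid auth method lists */
+if (compat20 && auth2_setup_methods_lists(authctxt) != 0) {
+/*
+ * The monitor will continue long enough to let the child
+ * run to it's packet_disconnect(), but it must not allow any
+ * authentication to succeed.
+ */
+debug("%s: no valid authentication method lists", __func__);
+}
+
 debug3("%s: sending MONITOR_ANS_PWNAM: %d", __func__, allowed);
 mm_request_send(sock, MONITOR_ANS_PWNAM, m);
 
@@ -935,7 +964,10 @@ mm_answer_bsdauthrespond(int sock, Buffer *m)
 debug3("%s: sending authenticated: %d", __func__, authok);
 mm_request_send(sock, MONITOR_ANS_BSDAUTHRESPOND, m);
 
-auth_method = "bsdauth";
+if (compat20)
+auth_method = "keyboard-interactive"; /* XXX auth_submethod */
+else
+auth_method = "bsdauth";
 
 return (authok != 0);
 }
@@ -1074,7 +1106,8 @@ mm_answer_pam_query(int sock, Buffer *m)
 xfree(prompts);
 if (echo_on != NULL)
 xfree(echo_on);
-auth_method = "keyboard-interactive/pam";
+auth_method = "keyboard-interactive";
+auth_submethod = "pam";
 mm_request_send(sock, MONITOR_ANS_PAM_QUERY, m);
 return (0);
 }
@@ -1103,7 +1136,8 @@ mm_answer_pam_respond(int sock, Buffer *m)
 buffer_clear(m);
 buffer_put_int(m, ret);
 mm_request_send(sock, MONITOR_ANS_PAM_RESPOND, m);
-auth_method = "keyboard-interactive/pam";
+auth_method = "keyboard-interactive";
+auth_submethod = "pam";
 if (ret == 0)
 sshpam_authok = sshpam_ctxt;
 return (0);
@@ -1117,7 +1151,8 @@ mm_answer_pam_free_ctx(int sock, Buffer *m)
 (sshpam_device.free_ctx)(sshpam_ctxt);
 buffer_clear(m);
 mm_request_send(sock, MONITOR_ANS_PAM_FREE_CTX, m);
-auth_method = "keyboard-interactive/pam";
+auth_method = "keyboard-interactive";
+auth_submethod = "pam";
 return (sshpam_authok == sshpam_ctxt);
 }
 #endif
@@ -1191,7 +1226,8 @@ mm_answer_keyallowed(int sock, Buffer *m)
 hostbased_chost = chost;
 } else {
 /* Log failed attempt */
-auth_log(authctxt, 0, auth_method, compat20 ? " ssh2" : "");
+auth_log(authctxt, 0, 0, auth_method, NULL,
+compat20 ? " ssh2" : "");
 xfree(blob);
 xfree(cuser);
 xfree(chost);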
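Review bot: A partial success in monitor_child_preauth is now also counted as a failure: the new block in the -392 hunk clears `authenticated` and sets `partial = 1` when auth2_update_methods_lists() reports that further methods are still required, and the unchanged `if (!authenticated) authctxt->failures++;` in the -414 hunk then bumps the failure counter for that attempt even though auth_log() is told it was partial. If the monitor's failures count feeds a MaxAuthTries-style limit (not visible in this section), a legitimate multi-method login could be cut off after fewer genuine failures than configured; `if (!partial && !authenticated)` would keep the counter consistent with what is logged. Separately, the new fatal() in the -392 hunk is built from two adjacent literals with no separating space, `"AuthenticationMethods is not supported" "with SSH protocol 1"`, so the message reads "...supportedwith..."; a trailing space on the first literal fixes it. monitor_child_preauth begins and ends outside these hunks.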