diff options
| author | Colin Watson <cjwatson@debian.org> | 2013-05-07 10:06:42 +0100 |
|---|---|---|
| committer | Colin Watson <cjwatson@debian.org> | 2013-05-07 10:06:42 +0100 |
| commit | ecebda56da46a03dafff923d91c382f31faa9eec (patch) | |
| tree | 449614b6c06a2622c74a609b31fcc46c60037c56 /monitor.c | |
| parent | c6a2c0334e45419875687d250aed9bea78480f2e (diff) | |
| parent | ffc06452028ba78cd693d4ed43df8b60a10d6163 (diff) | |
merge 6.2p1; reorder additions to monitor.h for easier merging in future
Diffstat (limited to 'monitor.c')
| -rw-r--r-- | monitor.c | 64 |
1 files changed, 50 insertions, 14 deletions
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: monitor.c,v 1.117 2012/06/22 12:30:26 dtucker Exp $ */ | 1 | /* $OpenBSD: monitor.c,v 1.120 2012/12/11 22:16:21 markus Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Copyright 2002 Niels Provos <provos@citi.umich.edu> | 3 | * Copyright 2002 Niels Provos <provos@citi.umich.edu> |
| 4 | * Copyright 2002 Markus Friedl <markus@openbsd.org> | 4 | * Copyright 2002 Markus Friedl <markus@openbsd.org> |
| @@ -201,6 +201,7 @@ static int key_blobtype = MM_NOKEY; | |||
| 201 | static char *hostbased_cuser = NULL; | 201 | static char *hostbased_cuser = NULL; |
| 202 | static char *hostbased_chost = NULL; | 202 | static char *hostbased_chost = NULL; |
| 203 | static char *auth_method = "unknown"; | 203 | static char *auth_method = "unknown"; |
| 204 | static char *auth_submethod = NULL; | ||
| 204 | static u_int session_id2_len = 0; | 205 | static u_int session_id2_len = 0; |
| 205 | static u_char *session_id2 = NULL; | 206 | static u_char *session_id2 = NULL; |
| 206 | static pid_t monitor_child_pid; | 207 | static pid_t monitor_child_pid; |
| @@ -361,7 +362,7 @@ void | |||
| 361 | monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor) | 362 | monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor) |
| 362 | { | 363 | { |
| 363 | struct mon_table *ent; | 364 | struct mon_table *ent; |
| 364 | int authenticated = 0; | 365 | int authenticated = 0, partial = 0; |
| 365 | 366 | ||
| 366 | debug3("preauth child monitor started"); | 367 | debug3("preauth child monitor started"); |
| 367 | 368 | ||
| @@ -392,8 +393,26 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor) | |||
| 392 | 393 | ||
| 393 | /* The first few requests do not require asynchronous access */ | 394 | /* The first few requests do not require asynchronous access */ |
| 394 | while (!authenticated) { | 395 | while (!authenticated) { |
| 396 | partial = 0; | ||
| 395 | auth_method = "unknown"; | 397 | auth_method = "unknown"; |
| 398 | auth_submethod = NULL; | ||
| 396 | authenticated = (monitor_read(pmonitor, mon_dispatch, &ent) == 1); | 399 | authenticated = (monitor_read(pmonitor, mon_dispatch, &ent) == 1); |
| 400 | |||
| 401 | /* Special handling for multiple required authentications */ | ||
| 402 | if (options.num_auth_methods != 0) { | ||
| 403 | if (!compat20) | ||
| 404 | fatal("AuthenticationMethods is not supported" | ||
| 405 | "with SSH protocol 1"); | ||
| 406 | if (authenticated && | ||
| 407 | !auth2_update_methods_lists(authctxt, | ||
| 408 | auth_method)) { | ||
| 409 | debug3("%s: method %s: partial", __func__, | ||
| 410 | auth_method); | ||
| 411 | authenticated = 0; | ||
| 412 | partial = 1; | ||
| 413 | } | ||
| 414 | } | ||
| 415 | |||
| 397 | if (authenticated) { | 416 | if (authenticated) { |
| 398 | if (!(ent->flags & MON_AUTHDECIDE)) | 417 | if (!(ent->flags & MON_AUTHDECIDE)) |
| 399 | fatal("%s: unexpected authentication from %d", | 418 | fatal("%s: unexpected authentication from %d", |
| @@ -414,9 +433,9 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor) | |||
| 414 | } | 433 | } |
| 415 | #endif | 434 | #endif |
| 416 | } | 435 | } |
| 417 | |||
| 418 | if (ent->flags & (MON_AUTHDECIDE|MON_ALOG)) { | 436 | if (ent->flags & (MON_AUTHDECIDE|MON_ALOG)) { |
| 419 | auth_log(authctxt, authenticated, auth_method, | 437 | auth_log(authctxt, authenticated, partial, |
| 438 | auth_method, auth_submethod, | ||
| 420 | compat20 ? " ssh2" : ""); | 439 | compat20 ? " ssh2" : ""); |
| 421 | if (!authenticated) | 440 | if (!authenticated) |
| 422 | authctxt->failures++; | 441 | authctxt->failures++; |
| @@ -432,10 +451,6 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor) | |||
| 432 | #endif | 451 | #endif |
| 433 | } | 452 | } |
| 434 | 453 | ||
| 435 | /* Drain any buffered messages from the child */ | ||
| 436 | while (pmonitor->m_log_recvfd != -1 && monitor_read_log(pmonitor) == 0) | ||
| 437 | ; | ||
| 438 | |||
| 439 | if (!authctxt->valid) | 454 | if (!authctxt->valid) |
| 440 | fatal("%s: authenticated invalid user", __func__); | 455 | fatal("%s: authenticated invalid user", __func__); |
| 441 | if (strcmp(auth_method, "unknown") == 0) | 456 | if (strcmp(auth_method, "unknown") == 0) |
| @@ -446,6 +461,10 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor) | |||
| 446 | 461 | ||
| 447 | mm_get_keystate(pmonitor); | 462 | mm_get_keystate(pmonitor); |
| 448 | 463 | ||
| 464 | /* Drain any buffered messages from the child */ | ||
| 465 | while (pmonitor->m_log_recvfd != -1 && monitor_read_log(pmonitor) == 0) | ||
| 466 | ; | ||
| 467 | |||
| 449 | close(pmonitor->m_sendfd); | 468 | close(pmonitor->m_sendfd); |
| 450 | close(pmonitor->m_log_recvfd); | 469 | close(pmonitor->m_log_recvfd); |
| 451 | pmonitor->m_sendfd = pmonitor->m_log_recvfd = -1; | 470 | pmonitor->m_sendfd = pmonitor->m_log_recvfd = -1; |
| @@ -798,7 +817,17 @@ mm_answer_pwnamallow(int sock, Buffer *m) | |||
| 798 | COPY_MATCH_STRING_OPTS(); | 817 | COPY_MATCH_STRING_OPTS(); |
| 799 | #undef M_CP_STROPT | 818 | #undef M_CP_STROPT |
| 800 | #undef M_CP_STRARRAYOPT | 819 | #undef M_CP_STRARRAYOPT |
| 801 | 820 | ||
| 821 | /* Create valid auth method lists */ | ||
| 822 | if (compat20 && auth2_setup_methods_lists(authctxt) != 0) { | ||
| 823 | /* | ||
| 824 | * The monitor will continue long enough to let the child | ||
| 825 | * run to it's packet_disconnect(), but it must not allow any | ||
| 826 | * authentication to succeed. | ||
| 827 | */ | ||
| 828 | debug("%s: no valid authentication method lists", __func__); | ||
| 829 | } | ||
| 830 | |||
| 802 | debug3("%s: sending MONITOR_ANS_PWNAM: %d", __func__, allowed); | 831 | debug3("%s: sending MONITOR_ANS_PWNAM: %d", __func__, allowed); |
| 803 | mm_request_send(sock, MONITOR_ANS_PWNAM, m); | 832 | mm_request_send(sock, MONITOR_ANS_PWNAM, m); |
| 804 | 833 | ||
| @@ -935,7 +964,10 @@ mm_answer_bsdauthrespond(int sock, Buffer *m) | |||
| 935 | debug3("%s: sending authenticated: %d", __func__, authok); | 964 | debug3("%s: sending authenticated: %d", __func__, authok); |
| 936 | mm_request_send(sock, MONITOR_ANS_BSDAUTHRESPOND, m); | 965 | mm_request_send(sock, MONITOR_ANS_BSDAUTHRESPOND, m); |
| 937 | 966 | ||
| 938 | auth_method = "bsdauth"; | 967 | if (compat20) |
| 968 | auth_method = "keyboard-interactive"; /* XXX auth_submethod */ | ||
| 969 | else | ||
| 970 | auth_method = "bsdauth"; | ||
| 939 | 971 | ||
| 940 | return (authok != 0); | 972 | return (authok != 0); |
| 941 | } | 973 | } |
| @@ -1074,7 +1106,8 @@ mm_answer_pam_query(int sock, Buffer *m) | |||
| 1074 | xfree(prompts); | 1106 | xfree(prompts); |
| 1075 | if (echo_on != NULL) | 1107 | if (echo_on != NULL) |
| 1076 | xfree(echo_on); | 1108 | xfree(echo_on); |
| 1077 | auth_method = "keyboard-interactive/pam"; | 1109 | auth_method = "keyboard-interactive"; |
| 1110 | auth_submethod = "pam"; | ||
| 1078 | mm_request_send(sock, MONITOR_ANS_PAM_QUERY, m); | 1111 | mm_request_send(sock, MONITOR_ANS_PAM_QUERY, m); |
| 1079 | return (0); | 1112 | return (0); |
| 1080 | } | 1113 | } |
| @@ -1103,7 +1136,8 @@ mm_answer_pam_respond(int sock, Buffer *m) | |||
| 1103 | buffer_clear(m); | 1136 | buffer_clear(m); |
| 1104 | buffer_put_int(m, ret); | 1137 | buffer_put_int(m, ret); |
| 1105 | mm_request_send(sock, MONITOR_ANS_PAM_RESPOND, m); | 1138 | mm_request_send(sock, MONITOR_ANS_PAM_RESPOND, m); |
| 1106 | auth_method = "keyboard-interactive/pam"; | 1139 | auth_method = "keyboard-interactive"; |
| 1140 | auth_submethod = "pam"; | ||
| 1107 | if (ret == 0) | 1141 | if (ret == 0) |
| 1108 | sshpam_authok = sshpam_ctxt; | 1142 | sshpam_authok = sshpam_ctxt; |
| 1109 | return (0); | 1143 | return (0); |
| @@ -1117,7 +1151,8 @@ mm_answer_pam_free_ctx(int sock, Buffer *m) | |||
| 1117 | (sshpam_device.free_ctx)(sshpam_ctxt); | 1151 | (sshpam_device.free_ctx)(sshpam_ctxt); |
| 1118 | buffer_clear(m); | 1152 | buffer_clear(m); |
| 1119 | mm_request_send(sock, MONITOR_ANS_PAM_FREE_CTX, m); | 1153 | mm_request_send(sock, MONITOR_ANS_PAM_FREE_CTX, m); |
| 1120 | auth_method = "keyboard-interactive/pam"; | 1154 | auth_method = "keyboard-interactive"; |
| 1155 | auth_submethod = "pam"; | ||
| 1121 | return (sshpam_authok == sshpam_ctxt); | 1156 | return (sshpam_authok == sshpam_ctxt); |
| 1122 | } | 1157 | } |
| 1123 | #endif | 1158 | #endif |
| @@ -1191,7 +1226,8 @@ mm_answer_keyallowed(int sock, Buffer *m) | |||
| 1191 | hostbased_chost = chost; | 1226 | hostbased_chost = chost; |
| 1192 | } else { | 1227 | } else { |
| 1193 | /* Log failed attempt */ | 1228 | /* Log failed attempt */ |
| 1194 | auth_log(authctxt, 0, auth_method, compat20 ? " ssh2" : ""); | 1229 | auth_log(authctxt, 0, 0, auth_method, NULL, |
| 1230 | compat20 ? " ssh2" : ""); | ||
| 1195 | xfree(blob); | 1231 | xfree(blob); |
| 1196 | xfree(cuser); | 1232 | xfree(cuser); |
| 1197 | xfree(chost); | 1233 | xfree(chost); |