-rw-r--r--auth2-gss.c9
-rw-r--r--auth2-hostbased.c9
-rw-r--r--auth2-pubkey.c23
3 files changed, 25 insertions, 16 deletions
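diff --git a/auth2-gss.c b/auth2-gss.c
index fd411d3a7..88bc3ae7b 100644
--- a/auth2-gss.c
+++ b/auth2-gss.c
@@ -104,9 +104,6 @@ userauth_gssapi(struct ssh *ssh)
 	u_int len;
 	u_char *doid = NULL;
 
-	if (!authctxt->valid || authctxt->user == NULL)
-		return (0);
-
 	mechs = packet_get_int();
 	if (mechs == 0) {
 		debug("Mechanism negotiation is not supported");
@@ -137,6 +134,12 @@ userauth_gssapi(struct ssh *ssh)
 		return (0);
 	}
 
+	if (!authctxt->valid || authctxt->user == NULL) {
+		debug2("%s: disabled because of invalid user", __func__);
+		free(doid);
+		return (0);
+	}
+
 	if (GSS_ERROR(PRIVSEP(ssh_gssapi_server_ctx(&ctxt, &goid)))) {
 		if (ctxt != NULL)
 			ssh_gssapi_delete_ctx(&ctxt);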
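Review bot: The reason the `!authctxt->valid || authctxt->user == NULL` check now runs after `packet_get_int()` and the mechanism loop instead of at function entry is not recorded anywhere in the code, so a later tidy-up could move it back to the top and silently reintroduce the observable difference in how valid and invalid users are processed. A short comment above the new check, such as `/* Only bail out once the request has been fully parsed, so an invalid user is processed identically to a valid one. */`, would make the ordering visibly intentional. The same comment is warranted at the equivalent deferred checks in auth2-hostbased.c and auth2-pubkey.c. userauth_gssapi's body begins and ends outside this hunk.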
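diff --git a/auth2-hostbased.c b/auth2-hostbased.c
index 8996f7e05..82a7dcdae 100644
--- a/auth2-hostbased.c
+++ b/auth2-hostbased.c
@@ -67,10 +67,6 @@ userauth_hostbased(struct ssh *ssh)
 	size_t alen, blen, slen;
 	int r, pktype, authenticated = 0;
 
-	if (!authctxt->valid) {
-		debug2("%s: disabled because of invalid user", __func__);
-		return 0;
-	}
 	/* XXX use sshkey_froms() */
 	if ((r = sshpkt_get_cstring(ssh, &pkalg, &alen)) != 0 ||
 	    (r = sshpkt_get_string(ssh, &pkblob, &blen)) != 0 ||
@@ -118,6 +114,11 @@ userauth_hostbased(struct ssh *ssh)
 		goto done;
 	}
 
+	if (!authctxt->valid || authctxt->user == NULL) {
+		debug2("%s: disabled because of invalid user", __func__);
+		goto done;
+	}
+
 	if ((b = sshbuf_new()) == NULL)
 		fatal("%s: sshbuf_new failed", __func__);
 	/* reconstruct packet */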
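diff --git a/auth2-pubkey.c b/auth2-pubkey.c
index 8024b1d6a..a9272b97f 100644
--- a/auth2-pubkey.c
+++ b/auth2-pubkey.c
@@ -89,19 +89,15 @@ userauth_pubkey(struct ssh *ssh)
 {
 	Authctxt *authctxt = ssh->authctxt;
 	struct passwd *pw = authctxt->pw;
-	struct sshbuf *b;
+	struct sshbuf *b = NULL;
 	struct sshkey *key = NULL;
-	char *pkalg, *userstyle = NULL, *key_s = NULL, *ca_s = NULL;
-	u_char *pkblob, *sig, have_sig;
+	char *pkalg = NULL, *userstyle = NULL, *key_s = NULL, *ca_s = NULL;
+	u_char *pkblob = NULL, *sig = NULL, have_sig;
 	size_t blen, slen;
 	int r, pktype;
 	int authenticated = 0;
 	struct sshauthopt *authopts = NULL;
 
-	if (!authctxt->valid) {
-		debug2("%s: disabled because of invalid user", __func__);
-		return 0;
-	}
 	if ((r = sshpkt_get_u8(ssh, &have_sig)) != 0 ||
 	    (r = sshpkt_get_cstring(ssh, &pkalg, NULL)) != 0 ||
 	    (r = sshpkt_get_string(ssh, &pkblob, &blen)) != 0)
@@ -168,6 +164,11 @@ userauth_pubkey(struct ssh *ssh)
 				fatal("%s: sshbuf_put_string session id: %s",
 				    __func__, ssh_err(r));
 		}
+		if (!authctxt->valid || authctxt->user == NULL) {
+			debug2("%s: disabled because of invalid user",
+			    __func__);
+			goto done;
+		}
 		/* reconstruct packet */
 		xasprintf(&userstyle, "%s%s%s", authctxt->user,
 		    authctxt->style ? ":" : "",
@@ -184,7 +185,6 @@ userauth_pubkey(struct ssh *ssh)
 #ifdef DEBUG_PK
 		sshbuf_dump(b, stderr);
 #endif
-
 		/* test for correct signature */
 		authenticated = 0;
 		if (PRIVSEP(user_key_allowed(ssh, pw, key, 1, &authopts)) &&
@@ -193,7 +193,6 @@ userauth_pubkey(struct ssh *ssh)
 			authenticated = 1;
 		}
 		sshbuf_free(b);
-		free(sig);
 		auth2_record_key(authctxt, authenticated, key);
 	} else {
 		debug("%s: test pkalg %s pkblob %s%s%s",
@@ -204,6 +203,11 @@ userauth_pubkey(struct ssh *ssh)
 		if ((r = sshpkt_get_end(ssh)) != 0)
 			fatal("%s: %s", __func__, ssh_err(r));
 
+		if (!authctxt->valid || authctxt->user == NULL) {
+			debug2("%s: disabled because of invalid user",
+			    __func__);
+			goto done;
+		}
 		/* XXX fake reply and always send PK_OK ? */
 		/*
 		 * XXX this allows testing whether a user is allowed
@@ -237,6 +241,7 @@ done:
 	free(pkblob);
 	free(key_s);
 	free(ca_s);
+	free(sig);
 	return authenticated;
 }
 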
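Review bot: The new early exit at new lines 167-171 jumps to `done:` after `b` has already been allocated — the `sshbuf_put_string session id` failure path immediately above it is writing into `b` — yet `sshbuf_free(b)` is left at line 195 inside the signature-verification branch, so on the invalid-user path `b` appears to leak unless the unseen part of `done:` already releases it. The commit gives `sig` exactly the right treatment by initialising it to NULL and moving `free(sig)` to `done:` (new line 244); `b` is also initialised to NULL now, so the same move is safe: drop `sshbuf_free(b);` at line 195 and add `sshbuf_free(b);` next to `free(sig);` under `done:`. The top of the `done:` block lies outside the last hunk, so whether it already frees `b` cannot be confirmed from this view.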