diff options
Diffstat (limited to 'auth.c')
| -rw-r--r-- | auth.c | 48 |
1 files changed, 36 insertions, 12 deletions
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: auth.c,v 1.101 2013/02/06 00:22:21 dtucker Exp $ */ | 1 | /* $OpenBSD: auth.c,v 1.103 2013/05/19 02:42:42 djm Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Copyright (c) 2000 Markus Friedl. All rights reserved. | 3 | * Copyright (c) 2000 Markus Friedl. All rights reserved. |
| 4 | * | 4 | * |
| @@ -72,6 +72,7 @@ | |||
| 72 | #include "authfile.h" | 72 | #include "authfile.h" |
| 73 | #include "monitor_wrap.h" | 73 | #include "monitor_wrap.h" |
| 74 | #include "krl.h" | 74 | #include "krl.h" |
| 75 | #include "compat.h" | ||
| 75 | 76 | ||
| 76 | /* import */ | 77 | /* import */ |
| 77 | extern ServerOptions options; | 78 | extern ServerOptions options; |
| @@ -165,17 +166,17 @@ allowed_user(struct passwd * pw) | |||
| 165 | if (stat(shell, &st) != 0) { | 166 | if (stat(shell, &st) != 0) { |
| 166 | logit("User %.100s not allowed because shell %.100s " | 167 | logit("User %.100s not allowed because shell %.100s " |
| 167 | "does not exist", pw->pw_name, shell); | 168 | "does not exist", pw->pw_name, shell); |
| 168 | xfree(shell); | 169 | free(shell); |
| 169 | return 0; | 170 | return 0; |
| 170 | } | 171 | } |
| 171 | if (S_ISREG(st.st_mode) == 0 || | 172 | if (S_ISREG(st.st_mode) == 0 || |
| 172 | (st.st_mode & (S_IXOTH|S_IXUSR|S_IXGRP)) == 0) { | 173 | (st.st_mode & (S_IXOTH|S_IXUSR|S_IXGRP)) == 0) { |
| 173 | logit("User %.100s not allowed because shell %.100s " | 174 | logit("User %.100s not allowed because shell %.100s " |
| 174 | "is not executable", pw->pw_name, shell); | 175 | "is not executable", pw->pw_name, shell); |
| 175 | xfree(shell); | 176 | free(shell); |
| 176 | return 0; | 177 | return 0; |
| 177 | } | 178 | } |
| 178 | xfree(shell); | 179 | free(shell); |
| 179 | } | 180 | } |
| 180 | 181 | ||
| 181 | if (options.num_deny_users > 0 || options.num_allow_users > 0 || | 182 | if (options.num_deny_users > 0 || options.num_allow_users > 0 || |
| @@ -252,8 +253,25 @@ allowed_user(struct passwd * pw) | |||
| 252 | } | 253 | } |
| 253 | 254 | ||
| 254 | void | 255 | void |
| 256 | auth_info(Authctxt *authctxt, const char *fmt, ...) | ||
| 257 | { | ||
| 258 | va_list ap; | ||
| 259 | int i; | ||
| 260 | |||
| 261 | free(authctxt->info); | ||
| 262 | authctxt->info = NULL; | ||
| 263 | |||
| 264 | va_start(ap, fmt); | ||
| 265 | i = vasprintf(&authctxt->info, fmt, ap); | ||
| 266 | va_end(ap); | ||
| 267 | |||
| 268 | if (i < 0 || authctxt->info == NULL) | ||
| 269 | fatal("vasprintf failed"); | ||
| 270 | } | ||
| 271 | |||
| 272 | void | ||
| 255 | auth_log(Authctxt *authctxt, int authenticated, int partial, | 273 | auth_log(Authctxt *authctxt, int authenticated, int partial, |
| 256 | const char *method, const char *submethod, const char *info) | 274 | const char *method, const char *submethod) |
| 257 | { | 275 | { |
| 258 | void (*authlog) (const char *fmt,...) = verbose; | 276 | void (*authlog) (const char *fmt,...) = verbose; |
| 259 | char *authmsg; | 277 | char *authmsg; |
| @@ -275,7 +293,7 @@ auth_log(Authctxt *authctxt, int authenticated, int partial, | |||
| 275 | else | 293 | else |
| 276 | authmsg = authenticated ? "Accepted" : "Failed"; | 294 | authmsg = authenticated ? "Accepted" : "Failed"; |
| 277 | 295 | ||
| 278 | authlog("%s %s%s%s for %s%.100s from %.200s port %d%s", | 296 | authlog("%s %s%s%s for %s%.100s from %.200s port %d %s%s%s", |
| 279 | authmsg, | 297 | authmsg, |
| 280 | method, | 298 | method, |
| 281 | submethod != NULL ? "/" : "", submethod == NULL ? "" : submethod, | 299 | submethod != NULL ? "/" : "", submethod == NULL ? "" : submethod, |
| @@ -283,7 +301,11 @@ auth_log(Authctxt *authctxt, int authenticated, int partial, | |||
| 283 | authctxt->user, | 301 | authctxt->user, |
| 284 | get_remote_ipaddr(), | 302 | get_remote_ipaddr(), |
| 285 | get_remote_port(), | 303 | get_remote_port(), |
| 286 | info); | 304 | compat20 ? "ssh2" : "ssh1", |
| 305 | authctxt->info != NULL ? ": " : "", | ||
| 306 | authctxt->info != NULL ? authctxt->info : ""); | ||
| 307 | free(authctxt->info); | ||
| 308 | authctxt->info = NULL; | ||
| 287 | 309 | ||
| 288 | #ifdef CUSTOM_FAILED_LOGIN | 310 | #ifdef CUSTOM_FAILED_LOGIN |
| 289 | if (authenticated == 0 && !authctxt->postponed && | 311 | if (authenticated == 0 && !authctxt->postponed && |
| @@ -355,7 +377,7 @@ expand_authorized_keys(const char *filename, struct passwd *pw) | |||
| 355 | i = snprintf(ret, sizeof(ret), "%s/%s", pw->pw_dir, file); | 377 | i = snprintf(ret, sizeof(ret), "%s/%s", pw->pw_dir, file); |
| 356 | if (i < 0 || (size_t)i >= sizeof(ret)) | 378 | if (i < 0 || (size_t)i >= sizeof(ret)) |
| 357 | fatal("expand_authorized_keys: path too long"); | 379 | fatal("expand_authorized_keys: path too long"); |
| 358 | xfree(file); | 380 | free(file); |
| 359 | return (xstrdup(ret)); | 381 | return (xstrdup(ret)); |
| 360 | } | 382 | } |
| 361 | 383 | ||
| @@ -397,7 +419,7 @@ check_key_in_hostfiles(struct passwd *pw, Key *key, const char *host, | |||
| 397 | load_hostkeys(hostkeys, host, user_hostfile); | 419 | load_hostkeys(hostkeys, host, user_hostfile); |
| 398 | restore_uid(); | 420 | restore_uid(); |
| 399 | } | 421 | } |
| 400 | xfree(user_hostfile); | 422 | free(user_hostfile); |
| 401 | } | 423 | } |
| 402 | host_status = check_key_in_hostkeys(hostkeys, key, &found); | 424 | host_status = check_key_in_hostkeys(hostkeys, key, &found); |
| 403 | if (host_status == HOST_REVOKED) | 425 | if (host_status == HOST_REVOKED) |
| @@ -666,7 +688,7 @@ auth_key_is_revoked(Key *key) | |||
| 666 | key_fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX); | 688 | key_fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX); |
| 667 | error("WARNING: authentication attempt with a revoked " | 689 | error("WARNING: authentication attempt with a revoked " |
| 668 | "%s key %s ", key_type(key), key_fp); | 690 | "%s key %s ", key_type(key), key_fp); |
| 669 | xfree(key_fp); | 691 | free(key_fp); |
| 670 | return 1; | 692 | return 1; |
| 671 | } | 693 | } |
| 672 | fatal("key_in_file returned junk"); | 694 | fatal("key_in_file returned junk"); |
| @@ -697,7 +719,7 @@ auth_debug_send(void) | |||
| 697 | while (buffer_len(&auth_debug)) { | 719 | while (buffer_len(&auth_debug)) { |
| 698 | msg = buffer_get_string(&auth_debug, NULL); | 720 | msg = buffer_get_string(&auth_debug, NULL); |
| 699 | packet_send_debug("%s", msg); | 721 | packet_send_debug("%s", msg); |
| 700 | xfree(msg); | 722 | free(msg); |
| 701 | } | 723 | } |
| 702 | } | 724 | } |
| 703 | 725 | ||
| @@ -721,10 +743,12 @@ fakepw(void) | |||
| 721 | fake.pw_name = "NOUSER"; | 743 | fake.pw_name = "NOUSER"; |
| 722 | fake.pw_passwd = | 744 | fake.pw_passwd = |
| 723 | "$2a$06$r3.juUaHZDlIbQaO2dS9FuYxL1W9M81R1Tc92PoSNmzvpEqLkLGrK"; | 745 | "$2a$06$r3.juUaHZDlIbQaO2dS9FuYxL1W9M81R1Tc92PoSNmzvpEqLkLGrK"; |
| 746 | #ifdef HAVE_STRUCT_PASSWD_PW_GECOS | ||
| 724 | fake.pw_gecos = "NOUSER"; | 747 | fake.pw_gecos = "NOUSER"; |
| 748 | #endif | ||
| 725 | fake.pw_uid = privsep_pw == NULL ? (uid_t)-1 : privsep_pw->pw_uid; | 749 | fake.pw_uid = privsep_pw == NULL ? (uid_t)-1 : privsep_pw->pw_uid; |
| 726 | fake.pw_gid = privsep_pw == NULL ? (gid_t)-1 : privsep_pw->pw_gid; | 750 | fake.pw_gid = privsep_pw == NULL ? (gid_t)-1 : privsep_pw->pw_gid; |
| 727 | #ifdef HAVE_PW_CLASS_IN_PASSWD | 751 | #ifdef HAVE_STRUCT_PASSWD_PW_CLASS |
| 728 | fake.pw_class = ""; | 752 | fake.pw_class = ""; |
| 729 | #endif | 753 | #endif |
| 730 | fake.pw_dir = "/nonexist"; | 754 | fake.pw_dir = "/nonexist"; |