diff options
Diffstat (limited to 'auth.c')
-rw-r--r-- | auth.c | 606 |
1 files changed, 606 insertions, 0 deletions
@@ -0,0 +1,606 @@ | |||
1 | /* | ||
2 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | ||
3 | * All rights reserved | ||
4 | */ | ||
5 | |||
6 | #include "includes.h" | ||
7 | RCSID("$OpenBSD: auth.c,v 1.1 2000/03/28 21:15:45 markus Exp $"); | ||
8 | |||
9 | #include "xmalloc.h" | ||
10 | #include "rsa.h" | ||
11 | #include "ssh.h" | ||
12 | #include "pty.h" | ||
13 | #include "packet.h" | ||
14 | #include "buffer.h" | ||
15 | #include "cipher.h" | ||
16 | #include "mpaux.h" | ||
17 | #include "servconf.h" | ||
18 | #include "channels.h" | ||
19 | #include "match.h" | ||
20 | |||
21 | #include "session.h" | ||
22 | #include "dispatch.h" | ||
23 | |||
24 | /* import */ | ||
25 | extern ServerOptions options; | ||
26 | extern char *forced_command; | ||
27 | |||
28 | /* | ||
29 | * Check if the user is allowed to log in via ssh. If user is listed in | ||
30 | * DenyUsers or user's primary group is listed in DenyGroups, false will | ||
31 | * be returned. If AllowUsers isn't empty and user isn't listed there, or | ||
32 | * if AllowGroups isn't empty and user isn't listed there, false will be | ||
33 | * returned. | ||
34 | * If the user's shell is not executable, false will be returned. | ||
35 | * Otherwise true is returned. | ||
36 | */ | ||
37 | static int | ||
38 | allowed_user(struct passwd * pw) | ||
39 | { | ||
40 | struct stat st; | ||
41 | struct group *grp; | ||
42 | int i; | ||
43 | #ifdef WITH_AIXAUTHENTICATE | ||
44 | char *loginmsg; | ||
45 | #endif /* WITH_AIXAUTHENTICATE */ | ||
46 | |||
47 | /* Shouldn't be called if pw is NULL, but better safe than sorry... */ | ||
48 | if (!pw) | ||
49 | return 0; | ||
50 | |||
51 | /* deny if shell does not exists or is not executable */ | ||
52 | if (stat(pw->pw_shell, &st) != 0) | ||
53 | return 0; | ||
54 | if (!((st.st_mode & S_IFREG) && (st.st_mode & (S_IXOTH|S_IXUSR|S_IXGRP)))) | ||
55 | return 0; | ||
56 | |||
57 | /* Return false if user is listed in DenyUsers */ | ||
58 | if (options.num_deny_users > 0) { | ||
59 | if (!pw->pw_name) | ||
60 | return 0; | ||
61 | for (i = 0; i < options.num_deny_users; i++) | ||
62 | if (match_pattern(pw->pw_name, options.deny_users[i])) | ||
63 | return 0; | ||
64 | } | ||
65 | /* Return false if AllowUsers isn't empty and user isn't listed there */ | ||
66 | if (options.num_allow_users > 0) { | ||
67 | if (!pw->pw_name) | ||
68 | return 0; | ||
69 | for (i = 0; i < options.num_allow_users; i++) | ||
70 | if (match_pattern(pw->pw_name, options.allow_users[i])) | ||
71 | break; | ||
72 | /* i < options.num_allow_users iff we break for loop */ | ||
73 | if (i >= options.num_allow_users) | ||
74 | return 0; | ||
75 | } | ||
76 | /* Get the primary group name if we need it. Return false if it fails */ | ||
77 | if (options.num_deny_groups > 0 || options.num_allow_groups > 0) { | ||
78 | grp = getgrgid(pw->pw_gid); | ||
79 | if (!grp) | ||
80 | return 0; | ||
81 | |||
82 | /* Return false if user's group is listed in DenyGroups */ | ||
83 | if (options.num_deny_groups > 0) { | ||
84 | if (!grp->gr_name) | ||
85 | return 0; | ||
86 | for (i = 0; i < options.num_deny_groups; i++) | ||
87 | if (match_pattern(grp->gr_name, options.deny_groups[i])) | ||
88 | return 0; | ||
89 | } | ||
90 | /* | ||
91 | * Return false if AllowGroups isn't empty and user's group | ||
92 | * isn't listed there | ||
93 | */ | ||
94 | if (options.num_allow_groups > 0) { | ||
95 | if (!grp->gr_name) | ||
96 | return 0; | ||
97 | for (i = 0; i < options.num_allow_groups; i++) | ||
98 | if (match_pattern(grp->gr_name, options.allow_groups[i])) | ||
99 | break; | ||
100 | /* i < options.num_allow_groups iff we break for | ||
101 | loop */ | ||
102 | if (i >= options.num_allow_groups) | ||
103 | return 0; | ||
104 | } | ||
105 | } | ||
106 | |||
107 | #ifdef WITH_AIXAUTHENTICATE | ||
108 | if (loginrestrictions(pw->pw_name,S_LOGIN,NULL,&loginmsg) != 0) | ||
109 | return 0; | ||
110 | #endif /* WITH_AIXAUTHENTICATE */ | ||
111 | |||
112 | /* We found no reason not to let this user try to log on... */ | ||
113 | return 1; | ||
114 | } | ||
115 | |||
116 | /* | ||
117 | * convert ssh auth msg type into description | ||
118 | */ | ||
119 | char * | ||
120 | get_authname(int type) | ||
121 | { | ||
122 | static char buf[1024]; | ||
123 | switch (type) { | ||
124 | case SSH_CMSG_AUTH_PASSWORD: | ||
125 | return "password"; | ||
126 | case SSH_CMSG_AUTH_RSA: | ||
127 | return "rsa"; | ||
128 | case SSH_CMSG_AUTH_RHOSTS_RSA: | ||
129 | return "rhosts-rsa"; | ||
130 | case SSH_CMSG_AUTH_RHOSTS: | ||
131 | return "rhosts"; | ||
132 | #ifdef KRB4 | ||
133 | case SSH_CMSG_AUTH_KERBEROS: | ||
134 | return "kerberos"; | ||
135 | #endif | ||
136 | #ifdef SKEY | ||
137 | case SSH_CMSG_AUTH_TIS_RESPONSE: | ||
138 | return "s/key"; | ||
139 | #endif | ||
140 | } | ||
141 | snprintf(buf, sizeof buf, "bad-auth-msg-%d", type); | ||
142 | return buf; | ||
143 | } | ||
144 | |||
145 | #define AUTH_FAIL_MAX 6 | ||
146 | #define AUTH_FAIL_LOG (AUTH_FAIL_MAX/2) | ||
147 | #define AUTH_FAIL_MSG "Too many authentication failures for %.100s" | ||
148 | |||
149 | /* | ||
150 | * The user does not exist or access is denied, | ||
151 | * but fake indication that authentication is needed. | ||
152 | */ | ||
153 | void | ||
154 | do_fake_authloop1(char *user) | ||
155 | { | ||
156 | int attempt = 0; | ||
157 | |||
158 | log("Faking authloop for illegal user %.200s from %.200s port %d", | ||
159 | user, | ||
160 | get_remote_ipaddr(), | ||
161 | get_remote_port()); | ||
162 | |||
163 | #ifdef WITH_AIXAUTHENTICATE | ||
164 | if (strncmp(get_authname(type),"password", | ||
165 | strlen(get_authname(type))) == 0) | ||
166 | loginfailed(pw->pw_name,get_canonical_hostname(),"ssh"); | ||
167 | #endif /* WITH_AIXAUTHENTICATE */ | ||
168 | |||
169 | /* Indicate that authentication is needed. */ | ||
170 | packet_start(SSH_SMSG_FAILURE); | ||
171 | packet_send(); | ||
172 | packet_write_wait(); | ||
173 | |||
174 | /* | ||
175 | * Keep reading packets, and always respond with a failure. This is | ||
176 | * to avoid disclosing whether such a user really exists. | ||
177 | */ | ||
178 | for (attempt = 1;; attempt++) { | ||
179 | /* Read a packet. This will not return if the client disconnects. */ | ||
180 | int plen; | ||
181 | #ifndef SKEY | ||
182 | (void)packet_read(&plen); | ||
183 | #else /* SKEY */ | ||
184 | int type = packet_read(&plen); | ||
185 | unsigned int dlen; | ||
186 | char *password, *skeyinfo; | ||
187 | /* Try to send a fake s/key challenge. */ | ||
188 | if (options.skey_authentication == 1 && | ||
189 | (skeyinfo = skey_fake_keyinfo(user)) != NULL) { | ||
190 | password = NULL; | ||
191 | if (type == SSH_CMSG_AUTH_TIS) { | ||
192 | packet_start(SSH_SMSG_AUTH_TIS_CHALLENGE); | ||
193 | packet_put_string(skeyinfo, strlen(skeyinfo)); | ||
194 | packet_send(); | ||
195 | packet_write_wait(); | ||
196 | continue; | ||
197 | } else if (type == SSH_CMSG_AUTH_PASSWORD && | ||
198 | options.password_authentication && | ||
199 | (password = packet_get_string(&dlen)) != NULL && | ||
200 | dlen == 5 && | ||
201 | strncasecmp(password, "s/key", 5) == 0 ) { | ||
202 | packet_send_debug(skeyinfo); | ||
203 | } | ||
204 | if (password != NULL) | ||
205 | xfree(password); | ||
206 | } | ||
207 | #endif | ||
208 | if (attempt > AUTH_FAIL_MAX) | ||
209 | packet_disconnect(AUTH_FAIL_MSG, user); | ||
210 | |||
211 | /* | ||
212 | * Send failure. This should be indistinguishable from a | ||
213 | * failed authentication. | ||
214 | */ | ||
215 | packet_start(SSH_SMSG_FAILURE); | ||
216 | packet_send(); | ||
217 | packet_write_wait(); | ||
218 | } | ||
219 | /* NOTREACHED */ | ||
220 | abort(); | ||
221 | } | ||
222 | |||
223 | /* | ||
224 | * read packets and try to authenticate local user *pw. | ||
225 | * return if authentication is successfull | ||
226 | */ | ||
227 | void | ||
228 | do_authloop(struct passwd * pw) | ||
229 | { | ||
230 | int attempt = 0; | ||
231 | unsigned int bits; | ||
232 | RSA *client_host_key; | ||
233 | BIGNUM *n; | ||
234 | char *client_user = NULL, *password = NULL; | ||
235 | char user[1024]; | ||
236 | unsigned int dlen; | ||
237 | int plen, nlen, elen; | ||
238 | unsigned int ulen; | ||
239 | int type = 0; | ||
240 | void (*authlog) (const char *fmt,...) = verbose; | ||
241 | |||
242 | /* Indicate that authentication is needed. */ | ||
243 | packet_start(SSH_SMSG_FAILURE); | ||
244 | packet_send(); | ||
245 | packet_write_wait(); | ||
246 | |||
247 | for (attempt = 1;; attempt++) { | ||
248 | int authenticated = 0; | ||
249 | strlcpy(user, "", sizeof user); | ||
250 | |||
251 | /* Get a packet from the client. */ | ||
252 | type = packet_read(&plen); | ||
253 | |||
254 | /* Process the packet. */ | ||
255 | switch (type) { | ||
256 | #ifdef AFS | ||
257 | case SSH_CMSG_HAVE_KERBEROS_TGT: | ||
258 | if (!options.kerberos_tgt_passing) { | ||
259 | /* packet_get_all(); */ | ||
260 | verbose("Kerberos tgt passing disabled."); | ||
261 | break; | ||
262 | } else { | ||
263 | /* Accept Kerberos tgt. */ | ||
264 | char *tgt = packet_get_string(&dlen); | ||
265 | packet_integrity_check(plen, 4 + dlen, type); | ||
266 | if (!auth_kerberos_tgt(pw, tgt)) | ||
267 | verbose("Kerberos tgt REFUSED for %s", pw->pw_name); | ||
268 | xfree(tgt); | ||
269 | } | ||
270 | continue; | ||
271 | |||
272 | case SSH_CMSG_HAVE_AFS_TOKEN: | ||
273 | if (!options.afs_token_passing || !k_hasafs()) { | ||
274 | /* packet_get_all(); */ | ||
275 | verbose("AFS token passing disabled."); | ||
276 | break; | ||
277 | } else { | ||
278 | /* Accept AFS token. */ | ||
279 | char *token_string = packet_get_string(&dlen); | ||
280 | packet_integrity_check(plen, 4 + dlen, type); | ||
281 | if (!auth_afs_token(pw, token_string)) | ||
282 | verbose("AFS token REFUSED for %s", pw->pw_name); | ||
283 | xfree(token_string); | ||
284 | } | ||
285 | continue; | ||
286 | #endif /* AFS */ | ||
287 | #ifdef KRB4 | ||
288 | case SSH_CMSG_AUTH_KERBEROS: | ||
289 | if (!options.kerberos_authentication) { | ||
290 | /* packet_get_all(); */ | ||
291 | verbose("Kerberos authentication disabled."); | ||
292 | break; | ||
293 | } else { | ||
294 | /* Try Kerberos v4 authentication. */ | ||
295 | KTEXT_ST auth; | ||
296 | char *tkt_user = NULL; | ||
297 | char *kdata = packet_get_string((unsigned int *) &auth.length); | ||
298 | packet_integrity_check(plen, 4 + auth.length, type); | ||
299 | |||
300 | if (auth.length < MAX_KTXT_LEN) | ||
301 | memcpy(auth.dat, kdata, auth.length); | ||
302 | xfree(kdata); | ||
303 | |||
304 | authenticated = auth_krb4(pw->pw_name, &auth, &tkt_user); | ||
305 | |||
306 | if (authenticated) { | ||
307 | snprintf(user, sizeof user, " tktuser %s", tkt_user); | ||
308 | xfree(tkt_user); | ||
309 | } | ||
310 | } | ||
311 | break; | ||
312 | #endif /* KRB4 */ | ||
313 | |||
314 | case SSH_CMSG_AUTH_RHOSTS: | ||
315 | if (!options.rhosts_authentication) { | ||
316 | verbose("Rhosts authentication disabled."); | ||
317 | break; | ||
318 | } | ||
319 | /* | ||
320 | * Get client user name. Note that we just have to | ||
321 | * trust the client; this is one reason why rhosts | ||
322 | * authentication is insecure. (Another is | ||
323 | * IP-spoofing on a local network.) | ||
324 | */ | ||
325 | client_user = packet_get_string(&ulen); | ||
326 | packet_integrity_check(plen, 4 + ulen, type); | ||
327 | |||
328 | /* Try to authenticate using /etc/hosts.equiv and | ||
329 | .rhosts. */ | ||
330 | authenticated = auth_rhosts(pw, client_user); | ||
331 | |||
332 | snprintf(user, sizeof user, " ruser %s", client_user); | ||
333 | break; | ||
334 | |||
335 | case SSH_CMSG_AUTH_RHOSTS_RSA: | ||
336 | if (!options.rhosts_rsa_authentication) { | ||
337 | verbose("Rhosts with RSA authentication disabled."); | ||
338 | break; | ||
339 | } | ||
340 | /* | ||
341 | * Get client user name. Note that we just have to | ||
342 | * trust the client; root on the client machine can | ||
343 | * claim to be any user. | ||
344 | */ | ||
345 | client_user = packet_get_string(&ulen); | ||
346 | |||
347 | /* Get the client host key. */ | ||
348 | client_host_key = RSA_new(); | ||
349 | if (client_host_key == NULL) | ||
350 | fatal("RSA_new failed"); | ||
351 | client_host_key->e = BN_new(); | ||
352 | client_host_key->n = BN_new(); | ||
353 | if (client_host_key->e == NULL || client_host_key->n == NULL) | ||
354 | fatal("BN_new failed"); | ||
355 | bits = packet_get_int(); | ||
356 | packet_get_bignum(client_host_key->e, &elen); | ||
357 | packet_get_bignum(client_host_key->n, &nlen); | ||
358 | |||
359 | if (bits != BN_num_bits(client_host_key->n)) | ||
360 | error("Warning: keysize mismatch for client_host_key: " | ||
361 | "actual %d, announced %d", BN_num_bits(client_host_key->n), bits); | ||
362 | packet_integrity_check(plen, (4 + ulen) + 4 + elen + nlen, type); | ||
363 | |||
364 | authenticated = auth_rhosts_rsa(pw, client_user, client_host_key); | ||
365 | RSA_free(client_host_key); | ||
366 | |||
367 | snprintf(user, sizeof user, " ruser %s", client_user); | ||
368 | break; | ||
369 | |||
370 | case SSH_CMSG_AUTH_RSA: | ||
371 | if (!options.rsa_authentication) { | ||
372 | verbose("RSA authentication disabled."); | ||
373 | break; | ||
374 | } | ||
375 | /* RSA authentication requested. */ | ||
376 | n = BN_new(); | ||
377 | packet_get_bignum(n, &nlen); | ||
378 | packet_integrity_check(plen, nlen, type); | ||
379 | authenticated = auth_rsa(pw, n); | ||
380 | BN_clear_free(n); | ||
381 | break; | ||
382 | |||
383 | case SSH_CMSG_AUTH_PASSWORD: | ||
384 | if (!options.password_authentication) { | ||
385 | verbose("Password authentication disabled."); | ||
386 | break; | ||
387 | } | ||
388 | /* | ||
389 | * Read user password. It is in plain text, but was | ||
390 | * transmitted over the encrypted channel so it is | ||
391 | * not visible to an outside observer. | ||
392 | */ | ||
393 | password = packet_get_string(&dlen); | ||
394 | packet_integrity_check(plen, 4 + dlen, type); | ||
395 | |||
396 | #ifdef USE_PAM | ||
397 | /* Do PAM auth with password */ | ||
398 | authenticated = auth_pam_password(pw, password); | ||
399 | #else /* USE_PAM */ | ||
400 | /* Try authentication with the password. */ | ||
401 | authenticated = auth_password(pw, password); | ||
402 | #endif /* USE_PAM */ | ||
403 | memset(password, 0, strlen(password)); | ||
404 | xfree(password); | ||
405 | break; | ||
406 | |||
407 | #ifdef SKEY | ||
408 | case SSH_CMSG_AUTH_TIS: | ||
409 | debug("rcvd SSH_CMSG_AUTH_TIS"); | ||
410 | if (options.skey_authentication == 1) { | ||
411 | char *skeyinfo = skey_keyinfo(pw->pw_name); | ||
412 | if (skeyinfo == NULL) { | ||
413 | debug("generating fake skeyinfo for %.100s.", pw->pw_name); | ||
414 | skeyinfo = skey_fake_keyinfo(pw->pw_name); | ||
415 | } | ||
416 | if (skeyinfo != NULL) { | ||
417 | /* we send our s/key- in tis-challenge messages */ | ||
418 | debug("sending challenge '%s'", skeyinfo); | ||
419 | packet_start(SSH_SMSG_AUTH_TIS_CHALLENGE); | ||
420 | packet_put_string(skeyinfo, strlen(skeyinfo)); | ||
421 | packet_send(); | ||
422 | packet_write_wait(); | ||
423 | continue; | ||
424 | } | ||
425 | } | ||
426 | break; | ||
427 | case SSH_CMSG_AUTH_TIS_RESPONSE: | ||
428 | debug("rcvd SSH_CMSG_AUTH_TIS_RESPONSE"); | ||
429 | if (options.skey_authentication == 1) { | ||
430 | char *response = packet_get_string(&dlen); | ||
431 | debug("skey response == '%s'", response); | ||
432 | packet_integrity_check(plen, 4 + dlen, type); | ||
433 | authenticated = (skey_haskey(pw->pw_name) == 0 && | ||
434 | skey_passcheck(pw->pw_name, response) != -1); | ||
435 | xfree(response); | ||
436 | } | ||
437 | break; | ||
438 | #else | ||
439 | case SSH_CMSG_AUTH_TIS: | ||
440 | /* TIS Authentication is unsupported */ | ||
441 | log("TIS authentication unsupported."); | ||
442 | break; | ||
443 | #endif | ||
444 | |||
445 | default: | ||
446 | /* | ||
447 | * Any unknown messages will be ignored (and failure | ||
448 | * returned) during authentication. | ||
449 | */ | ||
450 | log("Unknown message during authentication: type %d", type); | ||
451 | break; | ||
452 | } | ||
453 | |||
454 | /* | ||
455 | * Check if the user is logging in as root and root logins | ||
456 | * are disallowed. | ||
457 | * Note that root login is allowed for forced commands. | ||
458 | */ | ||
459 | if (authenticated && pw->pw_uid == 0 && !options.permit_root_login) { | ||
460 | if (forced_command) { | ||
461 | log("Root login accepted for forced command."); | ||
462 | } else { | ||
463 | authenticated = 0; | ||
464 | log("ROOT LOGIN REFUSED FROM %.200s", | ||
465 | get_canonical_hostname()); | ||
466 | } | ||
467 | } | ||
468 | |||
469 | /* Raise logging level */ | ||
470 | if (authenticated || | ||
471 | attempt == AUTH_FAIL_LOG || | ||
472 | type == SSH_CMSG_AUTH_PASSWORD) | ||
473 | authlog = log; | ||
474 | |||
475 | authlog("%s %s for %.200s from %.200s port %d%s", | ||
476 | authenticated ? "Accepted" : "Failed", | ||
477 | get_authname(type), | ||
478 | pw->pw_uid == 0 ? "ROOT" : pw->pw_name, | ||
479 | get_remote_ipaddr(), | ||
480 | get_remote_port(), | ||
481 | user); | ||
482 | |||
483 | #ifdef USE_PAM | ||
484 | if (authenticated) { | ||
485 | if (!do_pam_account(pw->pw_name, client_user)) { | ||
486 | if (client_user != NULL) { | ||
487 | xfree(client_user); | ||
488 | client_user = NULL; | ||
489 | } | ||
490 | do_fake_authloop1(pw->pw_name); | ||
491 | } | ||
492 | return; | ||
493 | } | ||
494 | #else /* USE_PAM */ | ||
495 | if (authenticated) { | ||
496 | return; | ||
497 | } | ||
498 | #endif /* USE_PAM */ | ||
499 | |||
500 | if (client_user != NULL) { | ||
501 | xfree(client_user); | ||
502 | client_user = NULL; | ||
503 | } | ||
504 | |||
505 | if (attempt > AUTH_FAIL_MAX) | ||
506 | packet_disconnect(AUTH_FAIL_MSG, pw->pw_name); | ||
507 | |||
508 | /* Send a message indicating that the authentication attempt failed. */ | ||
509 | packet_start(SSH_SMSG_FAILURE); | ||
510 | packet_send(); | ||
511 | packet_write_wait(); | ||
512 | } | ||
513 | } | ||
514 | |||
515 | /* | ||
516 | * Performs authentication of an incoming connection. Session key has already | ||
517 | * been exchanged and encryption is enabled. | ||
518 | */ | ||
519 | void | ||
520 | do_authentication() | ||
521 | { | ||
522 | struct passwd *pw, pwcopy; | ||
523 | int plen; | ||
524 | unsigned int ulen; | ||
525 | char *user; | ||
526 | #ifdef WITH_AIXAUTHENTICATE | ||
527 | char *loginmsg; | ||
528 | #endif /* WITH_AIXAUTHENTICATE */ | ||
529 | |||
530 | /* Get the name of the user that we wish to log in as. */ | ||
531 | packet_read_expect(&plen, SSH_CMSG_USER); | ||
532 | |||
533 | /* Get the user name. */ | ||
534 | user = packet_get_string(&ulen); | ||
535 | packet_integrity_check(plen, (4 + ulen), SSH_CMSG_USER); | ||
536 | |||
537 | setproctitle("%s", user); | ||
538 | |||
539 | #ifdef AFS | ||
540 | /* If machine has AFS, set process authentication group. */ | ||
541 | if (k_hasafs()) { | ||
542 | k_setpag(); | ||
543 | k_unlog(); | ||
544 | } | ||
545 | #endif /* AFS */ | ||
546 | |||
547 | /* Verify that the user is a valid user. */ | ||
548 | pw = getpwnam(user); | ||
549 | if (!pw || !allowed_user(pw)) | ||
550 | do_fake_authloop1(user); | ||
551 | xfree(user); | ||
552 | |||
553 | /* Take a copy of the returned structure. */ | ||
554 | memset(&pwcopy, 0, sizeof(pwcopy)); | ||
555 | pwcopy.pw_name = xstrdup(pw->pw_name); | ||
556 | pwcopy.pw_passwd = xstrdup(pw->pw_passwd); | ||
557 | pwcopy.pw_uid = pw->pw_uid; | ||
558 | pwcopy.pw_gid = pw->pw_gid; | ||
559 | pwcopy.pw_dir = xstrdup(pw->pw_dir); | ||
560 | pwcopy.pw_shell = xstrdup(pw->pw_shell); | ||
561 | pw = &pwcopy; | ||
562 | |||
563 | #ifdef USE_PAM | ||
564 | start_pam(pw); | ||
565 | #endif | ||
566 | |||
567 | /* | ||
568 | * If we are not running as root, the user must have the same uid as | ||
569 | * the server. | ||
570 | */ | ||
571 | if (getuid() != 0 && pw->pw_uid != getuid()) | ||
572 | packet_disconnect("Cannot change user when server not running as root."); | ||
573 | |||
574 | debug("Attempting authentication for %.100s.", pw->pw_name); | ||
575 | |||
576 | /* If the user has no password, accept authentication immediately. */ | ||
577 | if (options.password_authentication && | ||
578 | #ifdef KRB4 | ||
579 | (!options.kerberos_authentication || options.kerberos_or_local_passwd) && | ||
580 | #endif /* KRB4 */ | ||
581 | #ifdef USE_PAM | ||
582 | auth_pam_password(pw, "")) { | ||
583 | #else /* USE_PAM */ | ||
584 | auth_password(pw, "")) { | ||
585 | #endif /* USE_PAM */ | ||
586 | /* Authentication with empty password succeeded. */ | ||
587 | log("Login for user %s from %.100s, accepted without authentication.", | ||
588 | pw->pw_name, get_remote_ipaddr()); | ||
589 | } else { | ||
590 | /* Loop until the user has been authenticated or the | ||
591 | connection is closed, do_authloop() returns only if | ||
592 | authentication is successfull */ | ||
593 | do_authloop(pw); | ||
594 | } | ||
595 | |||
596 | /* The user has been authenticated and accepted. */ | ||
597 | #ifdef WITH_AIXAUTHENTICATE | ||
598 | loginsuccess(user,get_canonical_hostname(),"ssh",&loginmsg); | ||
599 | #endif /* WITH_AIXAUTHENTICATE */ | ||
600 | packet_start(SSH_SMSG_SUCCESS); | ||
601 | packet_send(); | ||
602 | packet_write_wait(); | ||
603 | |||
604 | /* Perform session preparation. */ | ||
605 | do_authenticated(pw); | ||
606 | } | ||