Diffstat (limited to 'auth.h')
-rw-r--r-- | auth.h | 81 |
1 files changed, 48 insertions, 33 deletions
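--- a/auth.h
+++ b/auth.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth.h,v 1.89 2016/08/13 17:47:41 markus Exp $ */
+/* $OpenBSD: auth.h,v 1.93 2017/08/18 05:36:45 djm Exp $ */
 
 /*
 * Copyright (c) 2000 Markus Friedl. All rights reserved.
@@ -44,6 +44,7 @@
 
 struct ssh;
 struct sshkey;
+struct sshbuf;
 
 typedef struct Authctxt Authctxt;
 typedef struct Authmethod Authmethod;
@@ -63,13 +64,17 @@ struct Authctxt {
 struct passwd *pw; /* set if 'valid' */
 char *style;
 char *role;
+
+/* Method lists for multiple authentication */
+char **auth_methods; /* modified from server config */
+u_int num_auth_methods;
+
+/* Authentication method-specific data */
+void *methoddata;
 void *kbdintctxt;
-char *info; /* Extra info for next auth_log */
 #ifdef BSD_AUTH
 auth_session_t *as;
 #endif
-char **auth_methods; /* modified from server config */
-u_int num_auth_methods;
 #ifdef KRB5
 krb5_context krb5_ctx;
 krb5_ccache krb5_fwd_ccache;
@@ -77,12 +82,20 @@ struct Authctxt {
 char *krb5_ticket_file;
 char *krb5_ccname;
 #endif
-Buffer *loginmsg;
-void *methoddata;
+struct sshbuf *loginmsg;
+
+/* Authentication keys already used; these will be refused henceforth */
+struct sshkey **prev_keys;
+u_int nprev_keys;
 
-struct sshkey **prev_userkeys;
-u_int nprev_userkeys;
+/* Last used key and ancilliary information from active auth method */
+struct sshkey *auth_method_key;
+char *auth_method_info;
+
+/* Information exposed to session */
+struct sshbuf *session_info; /* Auth info for environment */
 };
+
 /*
 * Every authentication method has to handle authentication requests for
 * non-existing users, or for users that are not allowed to login. In this
@@ -92,7 +105,7 @@ struct Authctxt {
 
 struct Authmethod {
 char *name;
-int (*userauth)(Authctxt *authctxt);
+int (*userauth)(struct ssh *);
 int *enabled;
 };
 
@@ -118,16 +131,21 @@ auth_rhosts2(struct passwd *, const char *, const char *, const char *);
 
 int auth_password(Authctxt *, const char *);
 
-int hostbased_key_allowed(struct passwd *, const char *, char *, Key *);
-int user_key_allowed(struct passwd *, Key *, int);
-void pubkey_auth_info(Authctxt *, const Key *, const char *, ...)
-__attribute__((__format__ (printf, 3, 4)));
-void auth2_record_userkey(Authctxt *, struct sshkey *);
-int auth2_userkey_already_used(Authctxt *, struct sshkey *);
+int hostbased_key_allowed(struct passwd *, const char *, char *,
+struct sshkey *);
+int user_key_allowed(struct passwd *, struct sshkey *, int);
+int auth2_key_already_used(Authctxt *, const struct sshkey *);
 
-struct stat;
-int auth_secure_path(const char *, struct stat *, const char *, uid_t,
-char *, size_t);
+/*
+* Handling auth method-specific information for logging and prevention
+* of key reuse during multiple authentication.
+*/
+void auth2_authctxt_reset_info(Authctxt *);
+void auth2_record_key(Authctxt *, int, const struct sshkey *);
+void auth2_record_info(Authctxt *authctxt, const char *, ...)
+__attribute__((__format__ (printf, 2, 3)))
+__attribute__((__nonnull__ (2)));
+void auth2_update_session_info(Authctxt *, const char *, const char *);
 
 #ifdef KRB5
 int auth_krb5(Authctxt *authctxt, krb5_data *auth, char **client, krb5_data *);
@@ -150,12 +168,9 @@ void disable_forwarding(void);
 
 void do_authentication2(Authctxt *);
 
-void auth_info(Authctxt *authctxt, const char *, ...)
-__attribute__((__format__ (printf, 2, 3)))
-__attribute__((__nonnull__ (2)));
 void auth_log(Authctxt *, int, int, const char *, const char *);
 void auth_maxtries_exceeded(Authctxt *) __attribute__((noreturn));
-void userauth_finish(Authctxt *, int, const char *, const char *);
+void userauth_finish(struct ssh *, int, const char *, const char *);
 int auth_root_allowed(const char *);
 
 void userauth_send_banner(const char *);
@@ -168,8 +183,8 @@ int auth2_method_allowed(Authctxt *, const char *, const char *);
 
 void privsep_challenge_enable(void);
 
-int auth2_challenge(Authctxt *, char *);
-void auth2_challenge_stop(Authctxt *);
+int auth2_challenge(struct ssh *, char *);
+void auth2_challenge_stop(struct ssh *);
 int bsdauth_query(void *, char **, char **, u_int *, char ***, u_int **);
 int bsdauth_respond(void *, u_int, char **);
 int skey_query(void *, char **, char **, u_int *, char ***, u_int **);
@@ -183,22 +198,22 @@ char *authorized_principals_file(struct passwd *);
 
 FILE *auth_openkeyfile(const char *, struct passwd *, int);
 FILE *auth_openprincipals(const char *, struct passwd *, int);
-int auth_key_is_revoked(Key *);
+int auth_key_is_revoked(struct sshkey *);
 
 const char *auth_get_canonical_hostname(struct ssh *, int);
 
 HostStatus
-check_key_in_hostfiles(struct passwd *, Key *, const char *,
+check_key_in_hostfiles(struct passwd *, struct sshkey *, const char *,
 const char *, const char *);
 
 /* hostkey handling */
-Key *get_hostkey_by_index(int);
-Key *get_hostkey_public_by_index(int, struct ssh *);
-Key *get_hostkey_public_by_type(int, int, struct ssh *);
-Key *get_hostkey_private_by_type(int, int, struct ssh *);
-int get_hostkey_index(Key *, int, struct ssh *);
-int sshd_hostkey_sign(Key *, Key *, u_char **, size_t *,
-const u_char *, size_t, const char *, u_int);
+struct sshkey *get_hostkey_by_index(int);
+struct sshkey *get_hostkey_public_by_index(int, struct ssh *);
+struct sshkey *get_hostkey_public_by_type(int, int, struct ssh *);
+struct sshkey *get_hostkey_private_by_type(int, int, struct ssh *);
+int get_hostkey_index(struct sshkey *, int, struct ssh *);
+int sshd_hostkey_sign(struct sshkey *, struct sshkey *, u_char **,
+size_t *, const u_char *, size_t, const char *, u_int);
 
 /* debug messages during authentication */
 void auth_debug_add(const char *fmt,...) __attribute__((format(printf, 1, 2)));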
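Review bot: The new `void auth2_record_key(Authctxt *, int, const struct sshkey *);` in the hunk at `@@ -118,16 +131,21 @@` carries the key-reuse contract in an unnamed `int`, and the comment block added above it describes the group of functions but not what that flag selects. If, as its pairing with `auth2_key_already_used` and the `prev_keys` comment in the struct suggest, the flag records whether the key completed an authentication and so must be refused by later methods, naming it in the prototype the way the header already does for `auth2_record_info(Authctxt *authctxt, ...)`, e.g. `void auth2_record_key(Authctxt *, int authenticated, const struct sshkey *);`, makes that rule visible at the declaration; the definition is outside this diff, so confirm the meaning there. The same comment block would also be the place to say that `auth2_authctxt_reset_info` is what clears `auth_method_key`/`auth_method_info` between methods, since a stale key pointer there is exactly what the reuse check must not see. Separately, the struct comment added at `@@ -77,12 +82,20 @@` misspells "ancilliary"; it should read `/* Last used key and ancillary information from active auth method */`.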