Diffstat (limited to 'auth1.c')
-rw-r--r--auth1.c246
1 files changed, 90 insertions, 156 deletions
diff --git a/auth1.c b/auth1.c
index 99639b59f..520da640c 100644
--- a/auth1.c
+++ b/auth1.c
@@ -10,28 +10,31 @@
10 */ 10 */
11 11
12#include "includes.h" 12#include "includes.h"
13RCSID("$OpenBSD: auth1.c,v 1.4 2000/09/07 20:27:49 deraadt Exp $"); 13RCSID("$OpenBSD: auth1.c,v 1.6 2000/10/11 20:27:23 markus Exp $");
14
15#ifdef HAVE_OSF_SIA
16# include <sia.h>
17# include <siad.h>
18#endif
14 19
15#include "xmalloc.h" 20#include "xmalloc.h"
16#include "rsa.h" 21#include "rsa.h"
17#include "ssh.h" 22#include "ssh.h"
18#include "packet.h" 23#include "packet.h"
19#include "buffer.h" 24#include "buffer.h"
20#include "cipher.h"
21#include "mpaux.h" 25#include "mpaux.h"
22#include "servconf.h" 26#include "servconf.h"
23#include "compat.h" 27#include "compat.h"
24#include "auth.h" 28#include "auth.h"
25#include "session.h" 29#include "session.h"
26 30
27#ifdef HAVE_OSF_SIA
28# include <sia.h>
29# include <siad.h>
30#endif
31
32/* import */ 31/* import */
33extern ServerOptions options; 32extern ServerOptions options;
34extern char *forced_command; 33extern char *forced_command;
34
35#ifdef WITH_AIXAUTHENTICATE
36extern char *aixloginmsg;
37#endif /* WITH_AIXAUTHENTICATE */
35#ifdef HAVE_OSF_SIA 38#ifdef HAVE_OSF_SIA
36extern int saved_argc; 39extern int saved_argc;
37extern char **saved_argv; 40extern char **saved_argv;
@@ -67,89 +70,21 @@ get_authname(int type)
67} 70}
68 71
69/* 72/*
70 * The user does not exist or access is denied, 73 * read packets and try to authenticate local user 'luser'.
71 * but fake indication that authentication is needed. 74 * return if authentication is successfull. not that pw == NULL
75 * if the user does not exists or is not allowed to login.
76 * each auth method has to 'fake' authentication for nonexisting
77 * users.
72 */ 78 */
73void 79void
74do_fake_authloop1(char *user) 80do_authloop(struct passwd * pw, char *luser)
75{
76 int attempt = 0;
77
78 log("Faking authloop for illegal user %.200s from %.200s port %d",
79 user,
80 get_remote_ipaddr(),
81 get_remote_port());
82
83#ifdef WITH_AIXAUTHENTICATE
84 loginfailed(user,get_canonical_hostname(),"ssh");
85#endif /* WITH_AIXAUTHENTICATE */
86
87 /* Indicate that authentication is needed. */
88 packet_start(SSH_SMSG_FAILURE);
89 packet_send();
90 packet_write_wait();
91
92 /*
93 * Keep reading packets, and always respond with a failure. This is
94 * to avoid disclosing whether such a user really exists.
95 */
96 for (attempt = 1;; attempt++) {
97 /* Read a packet. This will not return if the client disconnects. */
98 int plen;
99#ifndef SKEY
100 (void)packet_read(&plen);
101#else /* SKEY */
102 int type = packet_read(&plen);
103 unsigned int dlen;
104 char *password, *skeyinfo;
105 password = NULL;
106 /* Try to send a fake s/key challenge. */
107 if (options.skey_authentication == 1 &&
108 (skeyinfo = skey_fake_keyinfo(user)) != NULL) {
109 if (type == SSH_CMSG_AUTH_TIS) {
110 packet_start(SSH_SMSG_AUTH_TIS_CHALLENGE);
111 packet_put_string(skeyinfo, strlen(skeyinfo));
112 packet_send();
113 packet_write_wait();
114 continue;
115 } else if (type == SSH_CMSG_AUTH_PASSWORD &&
116 options.password_authentication &&
117 (password = packet_get_string(&dlen)) != NULL &&
118 dlen == 5 &&
119 strncasecmp(password, "s/key", 5) == 0 ) {
120 packet_send_debug(skeyinfo);
121 }
122 }
123 if (password != NULL)
124 xfree(password);
125#endif
126 if (attempt > AUTH_FAIL_MAX)
127 packet_disconnect(AUTH_FAIL_MSG, user);
128
129 /*
130 * Send failure. This should be indistinguishable from a
131 * failed authentication.
132 */
133 packet_start(SSH_SMSG_FAILURE);
134 packet_send();
135 packet_write_wait();
136 }
137 /* NOTREACHED */
138 abort();
139}
140
141/*
142 * read packets and try to authenticate local user *pw.
143 * return if authentication is successfull
144 */
145void
146do_authloop(struct passwd * pw)
147{ 81{
82 int authenticated = 0;
148 int attempt = 0; 83 int attempt = 0;
149 unsigned int bits; 84 unsigned int bits;
150 RSA *client_host_key; 85 RSA *client_host_key;
151 BIGNUM *n; 86 BIGNUM *n;
152 char *client_user = NULL, *password = NULL; 87 char *client_user, *password;
153 char user[1024]; 88 char user[1024];
154 unsigned int dlen; 89 unsigned int dlen;
155 int plen, nlen, elen; 90 int plen, nlen, elen;
@@ -162,8 +97,12 @@ do_authloop(struct passwd * pw)
162 packet_send(); 97 packet_send();
163 packet_write_wait(); 98 packet_write_wait();
164 99
100 client_user = NULL;
101
165 for (attempt = 1;; attempt++) { 102 for (attempt = 1;; attempt++) {
166 int authenticated = 0; 103 /* default to fail */
104 authenticated = 0;
105
167 strlcpy(user, "", sizeof user); 106 strlcpy(user, "", sizeof user);
168 107
169 /* Get a packet from the client. */ 108 /* Get a packet from the client. */
@@ -174,7 +113,6 @@ do_authloop(struct passwd * pw)
174#ifdef AFS 113#ifdef AFS
175 case SSH_CMSG_HAVE_KERBEROS_TGT: 114 case SSH_CMSG_HAVE_KERBEROS_TGT:
176 if (!options.kerberos_tgt_passing) { 115 if (!options.kerberos_tgt_passing) {
177 /* packet_get_all(); */
178 verbose("Kerberos tgt passing disabled."); 116 verbose("Kerberos tgt passing disabled.");
179 break; 117 break;
180 } else { 118 } else {
@@ -182,14 +120,13 @@ do_authloop(struct passwd * pw)
182 char *tgt = packet_get_string(&dlen); 120 char *tgt = packet_get_string(&dlen);
183 packet_integrity_check(plen, 4 + dlen, type); 121 packet_integrity_check(plen, 4 + dlen, type);
184 if (!auth_kerberos_tgt(pw, tgt)) 122 if (!auth_kerberos_tgt(pw, tgt))
185 verbose("Kerberos tgt REFUSED for %s", pw->pw_name); 123 verbose("Kerberos tgt REFUSED for %.100s", luser);
186 xfree(tgt); 124 xfree(tgt);
187 } 125 }
188 continue; 126 continue;
189 127
190 case SSH_CMSG_HAVE_AFS_TOKEN: 128 case SSH_CMSG_HAVE_AFS_TOKEN:
191 if (!options.afs_token_passing || !k_hasafs()) { 129 if (!options.afs_token_passing || !k_hasafs()) {
192 /* packet_get_all(); */
193 verbose("AFS token passing disabled."); 130 verbose("AFS token passing disabled.");
194 break; 131 break;
195 } else { 132 } else {
@@ -197,7 +134,7 @@ do_authloop(struct passwd * pw)
197 char *token_string = packet_get_string(&dlen); 134 char *token_string = packet_get_string(&dlen);
198 packet_integrity_check(plen, 4 + dlen, type); 135 packet_integrity_check(plen, 4 + dlen, type);
199 if (!auth_afs_token(pw, token_string)) 136 if (!auth_afs_token(pw, token_string))
200 verbose("AFS token REFUSED for %s", pw->pw_name); 137 verbose("AFS token REFUSED for %.100s", luser);
201 xfree(token_string); 138 xfree(token_string);
202 } 139 }
203 continue; 140 continue;
@@ -219,11 +156,12 @@ do_authloop(struct passwd * pw)
219 memcpy(auth.dat, kdata, auth.length); 156 memcpy(auth.dat, kdata, auth.length);
220 xfree(kdata); 157 xfree(kdata);
221 158
222 authenticated = auth_krb4(pw->pw_name, &auth, &tkt_user); 159 if (pw != NULL) {
223 160 authenticated = auth_krb4(pw->pw_name, &auth, &tkt_user);
224 if (authenticated) { 161 if (authenticated) {
225 snprintf(user, sizeof user, " tktuser %s", tkt_user); 162 snprintf(user, sizeof user, " tktuser %s", tkt_user);
226 xfree(tkt_user); 163 xfree(tkt_user);
164 }
227 } 165 }
228 } 166 }
229 break; 167 break;
@@ -243,8 +181,7 @@ do_authloop(struct passwd * pw)
243 client_user = packet_get_string(&ulen); 181 client_user = packet_get_string(&ulen);
244 packet_integrity_check(plen, 4 + ulen, type); 182 packet_integrity_check(plen, 4 + ulen, type);
245 183
246 /* Try to authenticate using /etc/hosts.equiv and 184 /* Try to authenticate using /etc/hosts.equiv and .rhosts. */
247 .rhosts. */
248 authenticated = auth_rhosts(pw, client_user); 185 authenticated = auth_rhosts(pw, client_user);
249 186
250 snprintf(user, sizeof user, " ruser %s", client_user); 187 snprintf(user, sizeof user, " ruser %s", client_user);
@@ -275,7 +212,7 @@ do_authloop(struct passwd * pw)
275 packet_get_bignum(client_host_key->n, &nlen); 212 packet_get_bignum(client_host_key->n, &nlen);
276 213
277 if (bits != BN_num_bits(client_host_key->n)) 214 if (bits != BN_num_bits(client_host_key->n))
278 log("Warning: keysize mismatch for client_host_key: " 215 verbose("Warning: keysize mismatch for client_host_key: "
279 "actual %d, announced %d", BN_num_bits(client_host_key->n), bits); 216 "actual %d, announced %d", BN_num_bits(client_host_key->n), bits);
280 packet_integrity_check(plen, (4 + ulen) + 4 + elen + nlen, type); 217 packet_integrity_check(plen, (4 + ulen) + 4 + elen + nlen, type);
281 218
@@ -322,7 +259,7 @@ do_authloop(struct passwd * pw)
322 authenticated = 1; 259 authenticated = 1;
323 } 260 }
324#else /* !USE_PAM && !HAVE_OSF_SIA */ 261#else /* !USE_PAM && !HAVE_OSF_SIA */
325 /* Try authentication with the password. */ 262 /* Try authentication with the password. */
326 authenticated = auth_password(pw, password); 263 authenticated = auth_password(pw, password);
327#endif /* USE_PAM */ 264#endif /* USE_PAM */
328 265
@@ -334,16 +271,18 @@ do_authloop(struct passwd * pw)
334 case SSH_CMSG_AUTH_TIS: 271 case SSH_CMSG_AUTH_TIS:
335 debug("rcvd SSH_CMSG_AUTH_TIS"); 272 debug("rcvd SSH_CMSG_AUTH_TIS");
336 if (options.skey_authentication == 1) { 273 if (options.skey_authentication == 1) {
337 char *skeyinfo = skey_keyinfo(pw->pw_name); 274 char *skeyinfo = NULL;
275 if (pw != NULL)
276 skey_keyinfo(pw->pw_name);
338 if (skeyinfo == NULL) { 277 if (skeyinfo == NULL) {
339 debug("generating fake skeyinfo for %.100s.", pw->pw_name); 278 debug("generating fake skeyinfo for %.100s.", luser);
340 skeyinfo = skey_fake_keyinfo(pw->pw_name); 279 skeyinfo = skey_fake_keyinfo(luser);
341 } 280 }
342 if (skeyinfo != NULL) { 281 if (skeyinfo != NULL) {
343 /* we send our s/key- in tis-challenge messages */ 282 /* we send our s/key- in tis-challenge messages */
344 debug("sending challenge '%s'", skeyinfo); 283 debug("sending challenge '%s'", skeyinfo);
345 packet_start(SSH_SMSG_AUTH_TIS_CHALLENGE); 284 packet_start(SSH_SMSG_AUTH_TIS_CHALLENGE);
346 packet_put_string(skeyinfo, strlen(skeyinfo)); 285 packet_put_cstring(skeyinfo);
347 packet_send(); 286 packet_send();
348 packet_write_wait(); 287 packet_write_wait();
349 continue; 288 continue;
@@ -356,8 +295,9 @@ do_authloop(struct passwd * pw)
356 char *response = packet_get_string(&dlen); 295 char *response = packet_get_string(&dlen);
357 debug("skey response == '%s'", response); 296 debug("skey response == '%s'", response);
358 packet_integrity_check(plen, 4 + dlen, type); 297 packet_integrity_check(plen, 4 + dlen, type);
359 authenticated = (skey_haskey(pw->pw_name) == 0 && 298 authenticated = (pw != NULL &&
360 skey_passcheck(pw->pw_name, response) != -1); 299 skey_haskey(pw->pw_name) == 0 &&
300 skey_passcheck(pw->pw_name, response) != -1);
361 xfree(response); 301 xfree(response);
362 } 302 }
363 break; 303 break;
@@ -376,12 +316,14 @@ do_authloop(struct passwd * pw)
376 log("Unknown message during authentication: type %d", type); 316 log("Unknown message during authentication: type %d", type);
377 break; 317 break;
378 } 318 }
319 if (authenticated && pw == NULL)
320 fatal("internal error: authenticated for pw == NULL");
379 321
380#ifdef HAVE_CYGWIN 322#ifdef HAVE_CYGWIN
381 if (authenticated && 323 if (authenticated &&
382 !check_nt_auth(type == SSH_CMSG_AUTH_PASSWORD,pw->pw_uid)) { 324 !check_nt_auth(type == SSH_CMSG_AUTH_PASSWORD,pw->pw_uid)) {
383 packet_disconnect("Authentication rejected for uid %d.", 325 packet_disconnect("Authentication rejected for uid %d.",
384 (int) pw->pw_uid); 326 (int)pw->pw_uid);
385 authenticated = 0; 327 authenticated = 0;
386 } 328 }
387#endif 329#endif
@@ -391,7 +333,7 @@ do_authloop(struct passwd * pw)
391 * are disallowed. 333 * are disallowed.
392 * Note that root login is allowed for forced commands. 334 * Note that root login is allowed for forced commands.
393 */ 335 */
394 if (authenticated && pw->pw_uid == 0 && !options.permit_root_login) { 336 if (authenticated && pw && pw->pw_uid == 0 && !options.permit_root_login) {
395 if (forced_command) { 337 if (forced_command) {
396 log("Root login accepted for forced command."); 338 log("Root login accepted for forced command.");
397 } else { 339 } else {
@@ -407,41 +349,33 @@ do_authloop(struct passwd * pw)
407 type == SSH_CMSG_AUTH_PASSWORD) 349 type == SSH_CMSG_AUTH_PASSWORD)
408 authlog = log; 350 authlog = log;
409 351
410 authlog("%s %s for %.200s from %.200s port %d%s", 352 authlog("%s %s for %s%.100s from %.200s port %d%s",
411 authenticated ? "Accepted" : "Failed", 353 authenticated ? "Accepted" : "Failed",
412 get_authname(type), 354 get_authname(type),
413 pw->pw_uid == 0 ? "ROOT" : pw->pw_name, 355 pw ? "" : "illegal user ",
356 pw && pw->pw_uid == 0 ? "ROOT" : luser,
414 get_remote_ipaddr(), 357 get_remote_ipaddr(),
415 get_remote_port(), 358 get_remote_port(),
416 user); 359 user);
417 360
418#ifdef USE_PAM 361#ifdef USE_PAM
419 if (authenticated) { 362 if (authenticated && !do_pam_account(pw->pw_name, client_user))
420 if (!do_pam_account(pw->pw_name, client_user)) { 363 authenticated = 0;
421 if (client_user != NULL) { 364#endif
422 xfree(client_user);
423 client_user = NULL;
424 }
425 do_fake_authloop1(pw->pw_name);
426 }
427 return;
428 }
429#else /* USE_PAM */
430 if (authenticated) {
431 return;
432 }
433#endif /* USE_PAM */
434 365
435 if (client_user != NULL) { 366 if (client_user != NULL) {
436 xfree(client_user); 367 xfree(client_user);
437 client_user = NULL; 368 client_user = NULL;
438 } 369 }
439 370
371 if (authenticated)
372 return;
373
440 if (attempt > AUTH_FAIL_MAX) { 374 if (attempt > AUTH_FAIL_MAX) {
441#ifdef WITH_AIXAUTHENTICATE 375#ifdef WITH_AIXAUTHENTICATE
442 loginfailed(pw->pw_name,get_canonical_hostname(),"ssh"); 376 loginfailed(user,get_canonical_hostname(),"ssh");
443#endif /* WITH_AIXAUTHENTICATE */ 377#endif /* WITH_AIXAUTHENTICATE */
444 packet_disconnect(AUTH_FAIL_MSG, pw->pw_name); 378 packet_disconnect(AUTH_FAIL_MSG, luser);
445 } 379 }
446 380
447 /* Send a message indicating that the authentication attempt failed. */ 381 /* Send a message indicating that the authentication attempt failed. */
@@ -462,9 +396,6 @@ do_authentication()
462 int plen; 396 int plen;
463 unsigned int ulen; 397 unsigned int ulen;
464 char *user; 398 char *user;
465#ifdef WITH_AIXAUTHENTICATE
466 extern char *aixloginmsg;
467#endif /* WITH_AIXAUTHENTICATE */
468 399
469 /* Get the name of the user that we wish to log in as. */ 400 /* Get the name of the user that we wish to log in as. */
470 packet_read_expect(&plen, SSH_CMSG_USER); 401 packet_read_expect(&plen, SSH_CMSG_USER);
@@ -485,38 +416,38 @@ do_authentication()
485 416
486 /* Verify that the user is a valid user. */ 417 /* Verify that the user is a valid user. */
487 pw = getpwnam(user); 418 pw = getpwnam(user);
488 if (!pw || !allowed_user(pw)) 419 if (pw && allowed_user(pw)) {
489 do_fake_authloop1(user); 420 /* Take a copy of the returned structure. */
490 xfree(user); 421 memset(&pwcopy, 0, sizeof(pwcopy));
491 422 pwcopy.pw_name = xstrdup(pw->pw_name);
492 /* Take a copy of the returned structure. */ 423 pwcopy.pw_passwd = xstrdup(pw->pw_passwd);
493 memset(&pwcopy, 0, sizeof(pwcopy)); 424 pwcopy.pw_uid = pw->pw_uid;
494 pwcopy.pw_name = xstrdup(pw->pw_name); 425 pwcopy.pw_gid = pw->pw_gid;
495 pwcopy.pw_passwd = xstrdup(pw->pw_passwd);
496 pwcopy.pw_uid = pw->pw_uid;
497 pwcopy.pw_gid = pw->pw_gid;
498#ifdef HAVE_PW_CLASS_IN_PASSWD 426#ifdef HAVE_PW_CLASS_IN_PASSWD
499 pwcopy.pw_class = xstrdup(pw->pw_class); 427 pwcopy.pw_class = xstrdup(pw->pw_class);
500#endif 428#endif
501 pwcopy.pw_dir = xstrdup(pw->pw_dir); 429 pwcopy.pw_dir = xstrdup(pw->pw_dir);
502 pwcopy.pw_shell = xstrdup(pw->pw_shell); 430 pwcopy.pw_shell = xstrdup(pw->pw_shell);
503 pw = &pwcopy; 431 pw = &pwcopy;
432 } else {
433 pw = NULL;
434 }
504 435
505#ifdef USE_PAM 436#ifdef USE_PAM
506 start_pam(pw); 437 if (pw)
438 start_pam(pw);
507#endif 439#endif
508 440
509#ifndef HAVE_CYGWIN
510 /* 441 /*
511 * If we are not running as root, the user must have the same uid as 442 * If we are not running as root, the user must have the same uid as
512 * the server. 443 * the server. (Unless you are running Windows)
513 * Rule not valid on Windows systems.
514 */ 444 */
515 if (getuid() != 0 && pw->pw_uid != getuid()) 445#ifndef HAVE_CYGWIN
446 if (getuid() != 0 && pw && pw->pw_uid != getuid())
516 packet_disconnect("Cannot change user when server not running as root."); 447 packet_disconnect("Cannot change user when server not running as root.");
517#endif 448#endif
518 449
519 debug("Attempting authentication for %.100s.", pw->pw_name); 450 debug("Attempting authentication for %s%.100s.", pw ? "" : "illegal user ", user);
520 451
521 /* If the user has no password, accept authentication immediately. */ 452 /* If the user has no password, accept authentication immediately. */
522 if (options.password_authentication && 453 if (options.password_authentication &&
@@ -527,30 +458,33 @@ do_authentication()
527 auth_pam_password(pw, "")) { 458 auth_pam_password(pw, "")) {
528#elif defined(HAVE_OSF_SIA) 459#elif defined(HAVE_OSF_SIA)
529 (sia_validate_user(NULL, saved_argc, saved_argv, 460 (sia_validate_user(NULL, saved_argc, saved_argv,
530 get_canonical_hostname(), pw->pw_name, NULL, 0, NULL, 461 get_canonical_hostname(), pw->pw_name, NULL, 0,
531 "") == SIASUCCESS)) { 462 NULL, "") == SIASUCCESS)) {
532#else /* !HAVE_OSF_SIA && !USE_PAM */ 463#else /* !HAVE_OSF_SIA && !USE_PAM */
533 auth_password(pw, "")) { 464 auth_password(pw, "")) {
534#endif /* USE_PAM */ 465#endif /* USE_PAM */
535 /* Authentication with empty password succeeded. */ 466 /* Authentication with empty password succeeded. */
536 log("Login for user %s from %.100s, accepted without authentication.", 467 log("Login for user %s from %.100s, accepted without authentication.",
537 pw->pw_name, get_remote_ipaddr()); 468 user, get_remote_ipaddr());
538 } else { 469 } else {
539 /* Loop until the user has been authenticated or the 470 /* Loop until the user has been authenticated or the
540 connection is closed, do_authloop() returns only if 471 connection is closed, do_authloop() returns only if
541 authentication is successfull */ 472 authentication is successfull */
542 do_authloop(pw); 473 do_authloop(pw, user);
543 } 474 }
475 if (pw == NULL)
476 fatal("internal error, authentication successfull for user '%.100s'", user);
544 477
545 /* The user has been authenticated and accepted. */ 478 /* The user has been authenticated and accepted. */
479 packet_start(SSH_SMSG_SUCCESS);
480 packet_send();
481 packet_write_wait();
482
546#ifdef WITH_AIXAUTHENTICATE 483#ifdef WITH_AIXAUTHENTICATE
547 /* We don't have a pty yet, so just label the line as "ssh" */ 484 /* We don't have a pty yet, so just label the line as "ssh" */
548 if (loginsuccess(user,get_canonical_hostname(),"ssh",&aixloginmsg) < 0) 485 if (loginsuccess(user,get_canonical_hostname(),"ssh",&aixloginmsg) < 0)
549 aixloginmsg = NULL; 486 aixloginmsg = NULL;
550#endif /* WITH_AIXAUTHENTICATE */ 487#endif /* WITH_AIXAUTHENTICATE */
551 packet_start(SSH_SMSG_SUCCESS);
552 packet_send();
553 packet_write_wait();
554 488
555 /* Perform session preparation. */ 489 /* Perform session preparation. */
556 do_authenticated(pw); 490 do_authenticated(pw);
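Review bot: At new lines 274–276 the result of `skey_keyinfo(pw->pw_name)` is discarded, so `skeyinfo` stays NULL for every user and the fake-challenge path at 278–279 runs even for accounts that have an s/key entry, which means a real s/key response can never match; the line should read `skeyinfo = skey_keyinfo(pw->pw_name);`. Two other spots in this section did not follow the pw == NULL generalization cleanly: new line 376 passes `user` to `loginfailed()`, but `user` is the `char user[1024]` log-suffix buffer filled with " ruser …"/" tktuser …" (new lines 162 and 187), so `luser` is the intended argument as on the neighbouring `packet_disconnect(AUTH_FAIL_MSG, luser)`; and new line 461 in do_authentication() still dereferences `pw->pw_name` for the SIA empty-password check, which is now reached with pw == NULL for unknown users. Whether `auth_password(pw, "")` and `auth_pam_password(pw, "")` on the adjacent lines tolerate a NULL pw is not visible here; the new do_authloop header comment says each method must fake authentication for nonexistent users, so the empty-password path is worth confirming against that contract too. Both do_authloop and do_authentication continue outside the hunks shown.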