Diffstat (limited to 'auth1.c')
-rw-r--r--auth1.c147
1 files changed, 26 insertions, 121 deletions
diff --git a/auth1.c b/auth1.c
index b7e10abd0..dfe944dd1 100644
--- a/auth1.c
+++ b/auth1.c
@@ -10,7 +10,7 @@
10 */ 10 */
11 11
12#include "includes.h" 12#include "includes.h"
13RCSID("$OpenBSD: auth1.c,v 1.47 2003/02/06 21:22:42 markus Exp $"); 13RCSID("$OpenBSD: auth1.c,v 1.52 2003/08/28 12:54:34 markus Exp $");
14 14
15#include "xmalloc.h" 15#include "xmalloc.h"
16#include "rsa.h" 16#include "rsa.h"
@@ -49,10 +49,6 @@ get_authname(int type)
49 case SSH_CMSG_AUTH_TIS: 49 case SSH_CMSG_AUTH_TIS:
50 case SSH_CMSG_AUTH_TIS_RESPONSE: 50 case SSH_CMSG_AUTH_TIS_RESPONSE:
51 return "challenge-response"; 51 return "challenge-response";
52#if defined(KRB4) || defined(KRB5)
53 case SSH_CMSG_AUTH_KERBEROS:
54 return "kerberos";
55#endif
56 } 52 }
57 snprintf(buf, sizeof buf, "bad-auth-msg-%d", type); 53 snprintf(buf, sizeof buf, "bad-auth-msg-%d", type);
58 return buf; 54 return buf;
@@ -73,15 +69,15 @@ do_authloop(Authctxt *authctxt)
73 char info[1024]; 69 char info[1024];
74 u_int dlen; 70 u_int dlen;
75 u_int ulen; 71 u_int ulen;
76 int type = 0; 72 int prev, type = 0;
77 struct passwd *pw = authctxt->pw; 73 struct passwd *pw = authctxt->pw;
78 74
79 debug("Attempting authentication for %s%.100s.", 75 debug("Attempting authentication for %s%.100s.",
80 authctxt->valid ? "" : "illegal user ", authctxt->user); 76 authctxt->valid ? "" : "illegal user ", authctxt->user);
81 77
82 /* If the user has no password, accept authentication immediately. */ 78 /* If the user has no password, accept authentication immediately. */
83 if (options.password_authentication && options.permit_empty_passwd && 79 if (options.password_authentication &&
84#if defined(KRB4) || defined(KRB5) 80#ifdef KRB5
85 (!options.kerberos_authentication || options.kerberos_or_local_passwd) && 81 (!options.kerberos_authentication || options.kerberos_or_local_passwd) &&
86#endif 82#endif
87 PRIVSEP(auth_password(authctxt, ""))) { 83 PRIVSEP(auth_password(authctxt, ""))) {
@@ -103,104 +99,22 @@ do_authloop(Authctxt *authctxt)
103 info[0] = '\0'; 99 info[0] = '\0';
104 100
105 /* Get a packet from the client. */ 101 /* Get a packet from the client. */
102 prev = type;
106 type = packet_read(); 103 type = packet_read();
107 104
105 /*
106 * If we started challenge-response authentication but the
107 * next packet is not a response to our challenge, release
108 * the resources allocated by get_challenge() (which would
109 * normally have been released by verify_response() had we
110 * received such a response)
111 */
112 if (prev == SSH_CMSG_AUTH_TIS &&
113 type != SSH_CMSG_AUTH_TIS_RESPONSE)
114 abandon_challenge_response(authctxt);
115
108 /* Process the packet. */ 116 /* Process the packet. */
109 switch (type) { 117 switch (type) {
110
111#if defined(KRB4) || defined(KRB5)
112 case SSH_CMSG_AUTH_KERBEROS:
113 if (!options.kerberos_authentication) {
114 verbose("Kerberos authentication disabled.");
115 } else {
116 char *kdata = packet_get_string(&dlen);
117 packet_check_eom();
118
119 if (kdata[0] == 4) { /* KRB_PROT_VERSION */
120#ifdef KRB4
121 KTEXT_ST tkt, reply;
122 tkt.length = dlen;
123 if (tkt.length < MAX_KTXT_LEN)
124 memcpy(tkt.dat, kdata, tkt.length);
125
126 if (PRIVSEP(auth_krb4(authctxt, &tkt,
127 &client_user, &reply))) {
128 authenticated = 1;
129 snprintf(info, sizeof(info),
130 " tktuser %.100s",
131 client_user);
132
133 packet_start(
134 SSH_SMSG_AUTH_KERBEROS_RESPONSE);
135 packet_put_string((char *)
136 reply.dat, reply.length);
137 packet_send();
138 packet_write_wait();
139 }
140#endif /* KRB4 */
141 } else {
142#ifdef KRB5
143 krb5_data tkt, reply;
144 tkt.length = dlen;
145 tkt.data = kdata;
146
147 if (PRIVSEP(auth_krb5(authctxt, &tkt,
148 &client_user, &reply))) {
149 authenticated = 1;
150 snprintf(info, sizeof(info),
151 " tktuser %.100s",
152 client_user);
153
154 /* Send response to client */
155 packet_start(
156 SSH_SMSG_AUTH_KERBEROS_RESPONSE);
157 packet_put_string((char *)
158 reply.data, reply.length);
159 packet_send();
160 packet_write_wait();
161
162 if (reply.length)
163 xfree(reply.data);
164 }
165#endif /* KRB5 */
166 }
167 xfree(kdata);
168 }
169 break;
170#endif /* KRB4 || KRB5 */
171
172#if defined(AFS) || defined(KRB5)
173 /* XXX - punt on backward compatibility here. */
174 case SSH_CMSG_HAVE_KERBEROS_TGT:
175 packet_send_debug("Kerberos TGT passing disabled before authentication.");
176 break;
177#ifdef AFS
178 case SSH_CMSG_HAVE_AFS_TOKEN:
179 packet_send_debug("AFS token passing disabled before authentication.");
180 break;
181#endif /* AFS */
182#endif /* AFS || KRB5 */
183
184 case SSH_CMSG_AUTH_RHOSTS:
185 if (!options.rhosts_authentication) {
186 verbose("Rhosts authentication disabled.");
187 break;
188 }
189 /*
190 * Get client user name. Note that we just have to
191 * trust the client; this is one reason why rhosts
192 * authentication is insecure. (Another is
193 * IP-spoofing on a local network.)
194 */
195 client_user = packet_get_string(&ulen);
196 packet_check_eom();
197
198 /* Try to authenticate using /etc/hosts.equiv and .rhosts. */
199 authenticated = auth_rhosts(pw, client_user);
200
201 snprintf(info, sizeof info, " ruser %.100s", client_user);
202 break;
203
204 case SSH_CMSG_AUTH_RHOSTS_RSA: 118 case SSH_CMSG_AUTH_RHOSTS_RSA:
205 if (!options.rhosts_rsa_authentication) { 119 if (!options.rhosts_rsa_authentication) {
206 verbose("Rhosts with RSA authentication disabled."); 120 verbose("Rhosts with RSA authentication disabled.");
@@ -297,7 +211,7 @@ do_authloop(Authctxt *authctxt)
297 * Any unknown messages will be ignored (and failure 211 * Any unknown messages will be ignored (and failure
298 * returned) during authentication. 212 * returned) during authentication.
299 */ 213 */
300 log("Unknown message during authentication: type %d", type); 214 logit("Unknown message during authentication: type %d", type);
301 break; 215 break;
302 } 216 }
303#ifdef BSD_AUTH 217#ifdef BSD_AUTH
@@ -311,8 +225,6 @@ do_authloop(Authctxt *authctxt)
311 authctxt->user); 225 authctxt->user);
312 226
313#ifdef _UNICOS 227#ifdef _UNICOS
314 if (type == SSH_CMSG_AUTH_PASSWORD && !authenticated)
315 cray_login_failure(authctxt->user, IA_UDBERR);
316 if (authenticated && cray_access_denied(authctxt->user)) { 228 if (authenticated && cray_access_denied(authctxt->user)) {
317 authenticated = 0; 229 authenticated = 0;
318 fatal("Access denied for user %s.",authctxt->user); 230 fatal("Access denied for user %s.",authctxt->user);
@@ -332,9 +244,10 @@ do_authloop(Authctxt *authctxt)
332 !auth_root_allowed(get_authname(type))) 244 !auth_root_allowed(get_authname(type)))
333 authenticated = 0; 245 authenticated = 0;
334#endif 246#endif
247
335#ifdef USE_PAM 248#ifdef USE_PAM
336 if (!use_privsep && authenticated && 249 if (options.use_pam && authenticated &&
337 !do_pam_account(pw->pw_name, client_user)) 250 !PRIVSEP(do_pam_account()))
338 authenticated = 0; 251 authenticated = 0;
339#endif 252#endif
340 253
@@ -349,9 +262,8 @@ do_authloop(Authctxt *authctxt)
349 if (authenticated) 262 if (authenticated)
350 return; 263 return;
351 264
352 if (authctxt->failures++ > AUTH_FAIL_MAX) { 265 if (authctxt->failures++ > AUTH_FAIL_MAX)
353 packet_disconnect(AUTH_FAIL_MSG, authctxt->user); 266 packet_disconnect(AUTH_FAIL_MSG, authctxt->user);
354 }
355 267
356 packet_start(SSH_SMSG_FAILURE); 268 packet_start(SSH_SMSG_FAILURE);
357 packet_send(); 269 packet_send();
@@ -380,16 +292,6 @@ do_authentication(void)
380 if ((style = strchr(user, ':')) != NULL) 292 if ((style = strchr(user, ':')) != NULL)
381 *style++ = '\0'; 293 *style++ = '\0';
382 294
383#ifdef KRB5
384 /* XXX - SSH.com Kerberos v5 braindeath. */
385 if ((datafellows & SSH_BUG_K5USER) &&
386 options.kerberos_authentication) {
387 char *p;
388 if ((p = strchr(user, '@')) != NULL)
389 *p = '\0';
390 }
391#endif
392
393 authctxt = authctxt_new(); 295 authctxt = authctxt_new();
394 authctxt->user = user; 296 authctxt->user = user;
395 authctxt->style = style; 297 authctxt->style = style;
@@ -397,14 +299,17 @@ do_authentication(void)
397 /* Verify that the user is a valid user. */ 299 /* Verify that the user is a valid user. */
398 if ((authctxt->pw = PRIVSEP(getpwnamallow(user))) != NULL) 300 if ((authctxt->pw = PRIVSEP(getpwnamallow(user))) != NULL)
399 authctxt->valid = 1; 301 authctxt->valid = 1;
400 else 302 else {
401 debug("do_authentication: illegal user %s", user); 303 debug("do_authentication: illegal user %s", user);
304 authctxt->pw = fakepw();
305 }
402 306
403 setproctitle("%s%s", authctxt->pw ? user : "unknown", 307 setproctitle("%s%s", authctxt->pw ? user : "unknown",
404 use_privsep ? " [net]" : ""); 308 use_privsep ? " [net]" : "");
405 309
406#ifdef USE_PAM 310#ifdef USE_PAM
407 PRIVSEP(start_pam(authctxt->pw == NULL ? "NOUSER" : user)); 311 if (options.use_pam)
312 PRIVSEP(start_pam(user));
408#endif 313#endif
409 314
410 /* 315 /*
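Review bot: In the do_authloop hunk that rewrites the empty-password shortcut, the new condition is `if (options.password_authentication &&` followed by the KRB5 clause and `PRIVSEP(auth_password(authctxt, ""))`, so `options.permit_empty_passwd` is no longer tested on this path and, read on its own, an account with an empty password is accepted regardless of PermitEmptyPasswords. Presumably that check has moved into auth_password() so every caller enforces it, but nothing in this diff shows that, and it should be confirmed against auth-passwd.c before this lands. Either keep `options.permit_empty_passwd &&` in the condition or add a comment such as `/* PermitEmptyPasswords is enforced inside auth_password() */` so the next reader does not have to re-derive it. Separately, because the last hunk assigns `authctxt->pw = fakepw();` on the invalid-user path, the unchanged `authctxt->pw ? user : "unknown"` test in the setproctitle() call can no longer take its "unknown" branch, so the process title now carries the client-supplied name even for unknown users. Both do_authloop and do_authentication begin and end outside the hunks shown here.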