Diffstat (limited to 'auth2.c')
-rw-r--r-- | auth2.c | 119 |
1 files changed, 80 insertions, 39 deletions
@@ -51,8 +51,13 @@ RCSID("$OpenBSD: auth2.c,v 1.85 2002/02/24 19:14:59 markus Exp $"); | |||
51 | #include "hostfile.h" | 51 | #include "hostfile.h" |
52 | #include "canohost.h" | 52 | #include "canohost.h" |
53 | #include "match.h" | 53 | #include "match.h" |
54 | #include "monitor.h" | ||
55 | #include "monitor_wrap.h" | ||
54 | 56 | ||
55 | /* import */ | 57 | /* import */ |
58 | extern int use_privsep; | ||
59 | extern int mm_recvfd; | ||
60 | |||
56 | extern ServerOptions options; | 61 | extern ServerOptions options; |
57 | extern u_char *session_id2; | 62 | extern u_char *session_id2; |
58 | extern int session_id2_len; | 63 | extern int session_id2_len; |
@@ -75,8 +80,8 @@ static void input_userauth_request(int, u_int32_t, void *); | |||
75 | /* helper */ | 80 | /* helper */ |
76 | static Authmethod *authmethod_lookup(const char *); | 81 | static Authmethod *authmethod_lookup(const char *); |
77 | static char *authmethods_get(void); | 82 | static char *authmethods_get(void); |
78 | static int user_key_allowed(struct passwd *, Key *); | 83 | int user_key_allowed(struct passwd *, Key *); |
79 | static int hostbased_key_allowed(struct passwd *, const char *, char *, Key *); | 84 | int hostbased_key_allowed(struct passwd *, const char *, char *, Key *); |
80 | 85 | ||
81 | /* auth */ | 86 | /* auth */ |
82 | static void userauth_banner(void); | 87 | static void userauth_banner(void); |
@@ -109,7 +114,7 @@ Authmethod authmethods[] = { | |||
109 | * loop until authctxt->success == TRUE | 114 | * loop until authctxt->success == TRUE |
110 | */ | 115 | */ |
111 | 116 | ||
112 | void | 117 | Authctxt * |
113 | do_authentication2(void) | 118 | do_authentication2(void) |
114 | { | 119 | { |
115 | Authctxt *authctxt = authctxt_new(); | 120 | Authctxt *authctxt = authctxt_new(); |
@@ -125,7 +130,8 @@ do_authentication2(void) | |||
125 | dispatch_init(&dispatch_protocol_error); | 130 | dispatch_init(&dispatch_protocol_error); |
126 | dispatch_set(SSH2_MSG_SERVICE_REQUEST, &input_service_request); | 131 | dispatch_set(SSH2_MSG_SERVICE_REQUEST, &input_service_request); |
127 | dispatch_run(DISPATCH_BLOCK, &authctxt->success, authctxt); | 132 | dispatch_run(DISPATCH_BLOCK, &authctxt->success, authctxt); |
128 | do_authenticated(authctxt); | 133 | |
134 | return(authctxt); | ||
129 | } | 135 | } |
130 | 136 | ||
131 | static void | 137 | static void |
@@ -182,10 +188,15 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt) | |||
182 | *style++ = 0; | 188 | *style++ = 0; |
183 | 189 | ||
184 | if (authctxt->attempt++ == 0) { | 190 | if (authctxt->attempt++ == 0) { |
185 | /* setup auth context */ | 191 | /* setup auth context */ |
192 | int allowed; | ||
186 | struct passwd *pw = NULL; | 193 | struct passwd *pw = NULL; |
187 | pw = getpwnam(user); | 194 | if (!use_privsep) { |
188 | if (pw && allowed_user(pw) && strcmp(service, "ssh-connection")==0) { | 195 | pw = getpwnam(user); |
196 | allowed = pw ? allowed_user(pw) : 0; | ||
197 | } else | ||
198 | pw = mm_getpwnamallow(mm_recvfd, user, &allowed); | ||
199 | if (pw && allowed && strcmp(service, "ssh-connection")==0) { | ||
189 | authctxt->pw = pwcopy(pw); | 200 | authctxt->pw = pwcopy(pw); |
190 | authctxt->valid = 1; | 201 | authctxt->valid = 1; |
191 | debug2("input_userauth_request: setting up authctxt for %s", user); | 202 | debug2("input_userauth_request: setting up authctxt for %s", user); |
@@ -198,10 +209,18 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt) | |||
198 | start_pam("NOUSER"); | 209 | start_pam("NOUSER"); |
199 | #endif | 210 | #endif |
200 | } | 211 | } |
201 | setproctitle("%s", pw ? user : "unknown"); | 212 | /* Free memory */ |
213 | if (use_privsep) | ||
214 | pwfree(pw); | ||
215 | |||
216 | setproctitle("%s%s", use_privsep ? " [net]" : "", | ||
217 | pw ? user : "unknown"); | ||
202 | authctxt->user = xstrdup(user); | 218 | authctxt->user = xstrdup(user); |
203 | authctxt->service = xstrdup(service); | 219 | authctxt->service = xstrdup(service); |
204 | authctxt->style = style ? xstrdup(style) : NULL; | 220 | authctxt->style = style ? xstrdup(style) : NULL; |
221 | |||
222 | if (use_privsep) | ||
223 | mm_inform_authserv(mm_recvfd, service, style); | ||
205 | } else if (strcmp(user, authctxt->user) != 0 || | 224 | } else if (strcmp(user, authctxt->user) != 0 || |
206 | strcmp(service, authctxt->service) != 0) { | 225 | strcmp(service, authctxt->service) != 0) { |
207 | packet_disconnect("Change of username or service not allowed: " | 226 | packet_disconnect("Change of username or service not allowed: " |
@@ -313,6 +332,8 @@ done: | |||
313 | static int | 332 | static int |
314 | userauth_none(Authctxt *authctxt) | 333 | userauth_none(Authctxt *authctxt) |
315 | { | 334 | { |
335 | int res = 0; | ||
336 | |||
316 | /* disable method "none", only allowed one time */ | 337 | /* disable method "none", only allowed one time */ |
317 | Authmethod *m = authmethod_lookup("none"); | 338 | Authmethod *m = authmethod_lookup("none"); |
318 | if (m != NULL) | 339 | if (m != NULL) |
@@ -322,18 +343,16 @@ userauth_none(Authctxt *authctxt) | |||
322 | 343 | ||
323 | if (authctxt->valid == 0) | 344 | if (authctxt->valid == 0) |
324 | return(0); | 345 | return(0); |
325 | 346 | if (!authctxt->valid) | |
326 | #ifdef HAVE_CYGWIN | 347 | return (0); |
327 | if (check_nt_auth(1, authctxt->pw) == 0) | 348 | if (use_privsep) |
328 | return(0); | 349 | #if defined(USE_PAM) || defined(HAVE_OSF_SIA) |
350 | #error NOT IMPLEMENTED FOR PRIVSEP | ||
329 | #endif | 351 | #endif |
330 | #ifdef USE_PAM | 352 | res = mm_auth_password(mm_recvfd, ""); |
331 | return auth_pam_password(authctxt->pw, ""); | 353 | else |
332 | #elif defined(HAVE_OSF_SIA) | 354 | res = auth_password(authctxt, ""); |
333 | return 0; | 355 | return (res); |
334 | #else /* !HAVE_OSF_SIA && !USE_PAM */ | ||
335 | return auth_password(authctxt, ""); | ||
336 | #endif /* USE_PAM */ | ||
337 | } | 356 | } |
338 | 357 | ||
339 | static int | 358 | static int |
@@ -348,18 +367,16 @@ userauth_passwd(Authctxt *authctxt) | |||
348 | log("password change not supported"); | 367 | log("password change not supported"); |
349 | password = packet_get_string(&len); | 368 | password = packet_get_string(&len); |
350 | packet_check_eom(); | 369 | packet_check_eom(); |
351 | if (authctxt->valid && | 370 | |
352 | #ifdef HAVE_CYGWIN | 371 | #if defined(HAVE_CYGWIN) || defined(USE_PAM) || defined(HAVE_OSF_SIA) |
353 | check_nt_auth(1, authctxt->pw) && | 372 | #error NOT IMPLEMENTED FOR PRIVSEP |
354 | #endif | 373 | #endif |
355 | #ifdef USE_PAM | 374 | if (authctxt->valid) { |
356 | auth_pam_password(authctxt->pw, password) == 1) | 375 | if (use_privsep) |
357 | #elif defined(HAVE_OSF_SIA) | 376 | authenticated = mm_auth_password(mm_recvfd, password); |
358 | auth_sia_password(authctxt->user, password) == 1) | 377 | else |
359 | #else /* !USE_PAM && !HAVE_OSF_SIA */ | 378 | authenticated = auth_password(authctxt, password); |
360 | auth_password(authctxt, password) == 1) | 379 | } |
361 | #endif /* USE_PAM */ | ||
362 | authenticated = 1; | ||
363 | memset(password, 0, len); | 380 | memset(password, 0, len); |
364 | xfree(password); | 381 | xfree(password); |
365 | return authenticated; | 382 | return authenticated; |
@@ -467,12 +484,23 @@ userauth_pubkey(Authctxt *authctxt) | |||
467 | buffer_dump(&b); | 484 | buffer_dump(&b); |
468 | #endif | 485 | #endif |
469 | /* test for correct signature */ | 486 | /* test for correct signature */ |
470 | if (user_key_allowed(authctxt->pw, key) && | 487 | authenticated = 0; |
471 | key_verify(key, sig, slen, buffer_ptr(&b), buffer_len(&b)) == 1) | 488 | if (use_privsep) { |
472 | authenticated = 1; | 489 | if (mm_user_key_allowed(mm_recvfd, key) && |
490 | mm_key_verify(mm_recvfd, | ||
491 | MM_USERKEY, NULL, NULL, key, sig, slen, | ||
492 | buffer_ptr(&b), buffer_len(&b)) == 1) | ||
493 | authenticated = 1; | ||
494 | } else { | ||
495 | if (user_key_allowed(authctxt->pw, key) && | ||
496 | key_verify(key, sig, slen, buffer_ptr(&b), | ||
497 | buffer_len(&b)) == 1) | ||
498 | authenticated = 1; | ||
499 | } | ||
473 | buffer_clear(&b); | 500 | buffer_clear(&b); |
474 | xfree(sig); | 501 | xfree(sig); |
475 | } else { | 502 | } else { |
503 | int res = 0; | ||
476 | debug("test whether pkalg/pkblob are acceptable"); | 504 | debug("test whether pkalg/pkblob are acceptable"); |
477 | packet_check_eom(); | 505 | packet_check_eom(); |
478 | 506 | ||
@@ -484,7 +512,11 @@ userauth_pubkey(Authctxt *authctxt) | |||
484 | * if a user is not allowed to login. is this an | 512 | * if a user is not allowed to login. is this an |
485 | * issue? -markus | 513 | * issue? -markus |
486 | */ | 514 | */ |
487 | if (user_key_allowed(authctxt->pw, key)) { | 515 | if (use_privsep) |
516 | res = mm_user_key_allowed(mm_recvfd, key); | ||
517 | else | ||
518 | res = user_key_allowed(authctxt->pw, key); | ||
519 | if (res) { | ||
488 | packet_start(SSH2_MSG_USERAUTH_PK_OK); | 520 | packet_start(SSH2_MSG_USERAUTH_PK_OK); |
489 | packet_put_string(pkalg, alen); | 521 | packet_put_string(pkalg, alen); |
490 | packet_put_string(pkblob, blen); | 522 | packet_put_string(pkblob, blen); |
@@ -572,9 +604,18 @@ userauth_hostbased(Authctxt *authctxt) | |||
572 | buffer_dump(&b); | 604 | buffer_dump(&b); |
573 | #endif | 605 | #endif |
574 | /* test for allowed key and correct signature */ | 606 | /* test for allowed key and correct signature */ |
575 | if (hostbased_key_allowed(authctxt->pw, cuser, chost, key) && | 607 | authenticated = 0; |
576 | key_verify(key, sig, slen, buffer_ptr(&b), buffer_len(&b)) == 1) | 608 | if (use_privsep) { |
577 | authenticated = 1; | 609 | if (mm_hostbased_key_allowed(mm_recvfd, cuser, chost, key) && |
610 | mm_key_verify(mm_recvfd, MM_HOSTKEY, cuser, chost, key, | ||
611 | sig, slen, buffer_ptr(&b), buffer_len(&b)) == 1) | ||
612 | authenticated = 1; | ||
613 | } else { | ||
614 | if (hostbased_key_allowed(authctxt->pw, cuser, chost, key) && | ||
615 | key_verify(key, sig, slen, buffer_ptr(&b), | ||
616 | buffer_len(&b)) == 1) | ||
617 | authenticated = 1; | ||
618 | } | ||
578 | 619 | ||
579 | buffer_clear(&b); | 620 | buffer_clear(&b); |
580 | done: | 621 | done: |
@@ -730,7 +771,7 @@ user_key_allowed2(struct passwd *pw, Key *key, char *file) | |||
730 | } | 771 | } |
731 | 772 | ||
732 | /* check whether given key is in .ssh/authorized_keys* */ | 773 | /* check whether given key is in .ssh/authorized_keys* */ |
733 | static int | 774 | int |
734 | user_key_allowed(struct passwd *pw, Key *key) | 775 | user_key_allowed(struct passwd *pw, Key *key) |
735 | { | 776 | { |
736 | int success; | 777 | int success; |
@@ -750,7 +791,7 @@ user_key_allowed(struct passwd *pw, Key *key) | |||
750 | } | 791 | } |
751 | 792 | ||
752 | /* return 1 if given hostkey is allowed */ | 793 | /* return 1 if given hostkey is allowed */ |
753 | static int | 794 | int |
754 | hostbased_key_allowed(struct passwd *pw, const char *cuser, char *chost, | 795 | hostbased_key_allowed(struct passwd *pw, const char *cuser, char *chost, |
755 | Key *key) | 796 | Key *key) |
756 | { | 797 | { |
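Review bot: In the userauth_none hunk (new lines 344-347) the validity test is now performed twice in a row, `if (authctxt->valid == 0) return(0);` immediately followed by `if (!authctxt->valid) return (0);`, so the second pair of lines should be dropped. The same hunk also removes the HAVE_CYGWIN `check_nt_auth(1, authctxt->pw)` gate without a replacement on either path, whereas userauth_passwd turns that configuration into a hard `#error NOT IMPLEMENTED FOR PRIVSEP`; the guard in userauth_none should read `#if defined(HAVE_CYGWIN) || defined(USE_PAM) || defined(HAVE_OSF_SIA)` so a Cygwin build fails loudly instead of silently losing the check. In input_userauth_request (new lines 213-217) `pw` is handed to pwfree() and then still tested in the setproctitle() call; the test is only a null comparison so it is not a dereference after free, but if pwfree() does not tolerate NULL the call needs a `pw != NULL` guard, which cannot be confirmed from this page. Note also that the `#error` placed inside the `if (use_privsep)` body fires at preprocessing time regardless of the runtime flag, which matches userauth_passwd but deserves a one-line comment saying the whole PAM/SIA build is intentionally rejected.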