1 files changed, 80 insertions, 39 deletions
diff --git a/auth2.c b/auth2.c
index f2a801ecc..f661f8d7c 100644
--- a/auth2.c
+++ b/auth2.c
@@ -51,8 +51,13 @@ RCSID("$OpenBSD: auth2.c,v 1.85 2002/02/24 19:14:59 markus Exp $");
 #include "hostfile.h"
 #include "canohost.h"
 #include "match.h"
+#include "monitor.h"
+#include "monitor_wrap.h"
 /* import */
+extern int use_privsep;
+extern int mm_recvfd;
 extern ServerOptions options;
 extern u_char *session_id2;
 extern int session_id2_len;
@@ -75,8 +80,8 @@ static void input_userauth_request(int, u_int32_t, void *);
 /* helper */
 static Authmethod *authmethod_lookup(const char *);
 static char *authmethods_get(void);
-static int user_key_allowed(struct passwd *, Key *);
+int user_key_allowed(struct passwd *, Key *);
-static int hostbased_key_allowed(struct passwd *, const char *, char *, Key *);
+int hostbased_key_allowed(struct passwd *, const char *, char *, Key *);
 /* auth */
 static void userauth_banner(void);
@@ -109,7 +114,7 @@ Authmethod authmethods[] = {
 * loop until authctxt->success == TRUE
 */
-void
+Authctxt *
 do_authentication2(void)
 {
        Authctxt *authctxt = authctxt_new();
@@ -125,7 +130,8 @@ do_authentication2(void)
        dispatch_init(&dispatch_protocol_error);
        dispatch_set(SSH2_MSG_SERVICE_REQUEST, &input_service_request);
        dispatch_run(DISPATCH_BLOCK, &authctxt->success, authctxt);
-        do_authenticated(authctxt);
+        return(authctxt);
 }
 static void
@@ -182,10 +188,15 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
                *style++ = 0;
        if (authctxt->attempt++ == 0) {
-                /* setup auth context */
+                /* setup auth context */
+                int allowed;
                struct passwd *pw = NULL;
-                pw = getpwnam(user);
+                if (!use_privsep) {
-                if (pw && allowed_user(pw) && strcmp(service, "ssh-connection")==0) {
+                        pw = getpwnam(user);
+                        allowed = pw ? allowed_user(pw) : 0;
+                } else
+                        pw = mm_getpwnamallow(mm_recvfd, user, &allowed);
+                if (pw && allowed && strcmp(service, "ssh-connection")==0) {
                        authctxt->pw = pwcopy(pw);
                        authctxt->valid = 1;
                        debug2("input_userauth_request: setting up authctxt for %s", user);
@@ -198,10 +209,18 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
                        start_pam("NOUSER");
 #endif
                }
-                setproctitle("%s", pw ? user : "unknown");
+                /* Free memory */
+                if (use_privsep)
+                        pwfree(pw);
+                setproctitle("%s%s", use_privsep ? " [net]" : "",
+                    pw ? user : "unknown");
                authctxt->user = xstrdup(user);
                authctxt->service = xstrdup(service);
                authctxt->style = style ? xstrdup(style) : NULL;
+                if (use_privsep)
+                        mm_inform_authserv(mm_recvfd, service, style);
        } else if (strcmp(user, authctxt->user) != 0 ||
            strcmp(service, authctxt->service) != 0) {
                packet_disconnect("Change of username or service not allowed: "
@@ -313,6 +332,8 @@ done:
 static int
 userauth_none(Authctxt *authctxt)
 {
+        int res = 0;
        /* disable method "none", only allowed one time */
        Authmethod *m = authmethod_lookup("none");
        if (m != NULL)
@@ -322,18 +343,16 @@ userauth_none(Authctxt *authctxt)
        if (authctxt->valid == 0)
                return(0);
+        if (!authctxt->valid)
-#ifdef HAVE_CYGWIN
+                return (0);
-        if (check_nt_auth(1, authctxt->pw) == 0)
+        if (use_privsep)
-                return(0);
+#if defined(USE_PAM) || defined(HAVE_OSF_SIA)
+#error NOT IMPLEMENTED FOR PRIVSEP
 #endif
-#ifdef USE_PAM
+                res = mm_auth_password(mm_recvfd, "");
-        return auth_pam_password(authctxt->pw, "");
+        else
-#elif defined(HAVE_OSF_SIA)
+                res = auth_password(authctxt, "");
-        return 0;
+        return (res);
-#else /* !HAVE_OSF_SIA && !USE_PAM */
-        return auth_password(authctxt, "");
-#endif /* USE_PAM */
 }
 static int
@@ -348,18 +367,16 @@ userauth_passwd(Authctxt *authctxt)
                log("password change not supported");
        password = packet_get_string(&len);
        packet_check_eom();
-        if (authctxt->valid &&
-#ifdef HAVE_CYGWIN
+#if defined(HAVE_CYGWIN) || defined(USE_PAM) || defined(HAVE_OSF_SIA)
-            check_nt_auth(1, authctxt->pw) &&
+#error NOT IMPLEMENTED FOR PRIVSEP
 #endif
-#ifdef USE_PAM
+        if (authctxt->valid) {
-            auth_pam_password(authctxt->pw, password) == 1)
+                if (use_privsep)
-#elif defined(HAVE_OSF_SIA)
+                        authenticated = mm_auth_password(mm_recvfd, password);
-            auth_sia_password(authctxt->user, password) == 1)
+                else
-#else /* !USE_PAM && !HAVE_OSF_SIA */
+                        authenticated = auth_password(authctxt, password);
-            auth_password(authctxt, password) == 1)
+        }
-#endif /* USE_PAM */
-                authenticated = 1;
        memset(password, 0, len);
        xfree(password);
        return authenticated;
@@ -467,12 +484,23 @@ userauth_pubkey(Authctxt *authctxt)
                buffer_dump(&b);
 #endif
                /* test for correct signature */
-                if (user_key_allowed(authctxt->pw, key) &&
+                authenticated = 0;
-                    key_verify(key, sig, slen, buffer_ptr(&b), buffer_len(&b)) == 1)
+                if (use_privsep) {
-                        authenticated = 1;
+                        if (mm_user_key_allowed(mm_recvfd, key) &&
+                            mm_key_verify(mm_recvfd,
+                                MM_USERKEY, NULL, NULL, key, sig, slen,
+                                buffer_ptr(&b), buffer_len(&b)) == 1)
+                                authenticated = 1;
+                } else {
+                        if (user_key_allowed(authctxt->pw, key) &&
+                            key_verify(key, sig, slen, buffer_ptr(&b),
+                                buffer_len(&b)) == 1)
+                                authenticated = 1;
+                }
                buffer_clear(&b);
                xfree(sig);
        } else {
+                int res = 0;
                debug("test whether pkalg/pkblob are acceptable");
                packet_check_eom();
@@ -484,7 +512,11 @@ userauth_pubkey(Authctxt *authctxt)
                 * if a user is not allowed to login. is this an
                 * issue? -markus
                 */
-                if (user_key_allowed(authctxt->pw, key)) {
+                if (use_privsep)
+                        res = mm_user_key_allowed(mm_recvfd, key);
+                else
+                        res = user_key_allowed(authctxt->pw, key);
+                if (res) {
                        packet_start(SSH2_MSG_USERAUTH_PK_OK);
                        packet_put_string(pkalg, alen);
                        packet_put_string(pkblob, blen);
@@ -572,9 +604,18 @@ userauth_hostbased(Authctxt *authctxt)
        buffer_dump(&b);
 #endif
        /* test for allowed key and correct signature */
-        if (hostbased_key_allowed(authctxt->pw, cuser, chost, key) &&
+        authenticated = 0;
-            key_verify(key, sig, slen, buffer_ptr(&b), buffer_len(&b)) == 1)
+        if (use_privsep) {
-                authenticated = 1;
+                if (mm_hostbased_key_allowed(mm_recvfd, cuser, chost, key) &&
+                    mm_key_verify(mm_recvfd, MM_HOSTKEY, cuser, chost, key,
+                        sig, slen, buffer_ptr(&b), buffer_len(&b)) == 1)
+                        authenticated = 1;
+        } else {
+                if (hostbased_key_allowed(authctxt->pw, cuser, chost, key) &&
+                    key_verify(key, sig, slen, buffer_ptr(&b),
+                        buffer_len(&b)) == 1)
+                        authenticated = 1;
+        }
        buffer_clear(&b);
 done:
@@ -730,7 +771,7 @@ user_key_allowed2(struct passwd *pw, Key *key, char *file)
 }
 /* check whether given key is in .ssh/authorized_keys* */
-static int
+int
 user_key_allowed(struct passwd *pw, Key *key)
 {
        int success;
@@ -750,7 +791,7 @@ user_key_allowed(struct passwd *pw, Key *key)
 }
 /* return 1 if given hostkey is allowed */
-static int
+int
 hostbased_key_allowed(struct passwd *pw, const char *cuser, char *chost,
    Key *key)
 {

diff --git a/auth2.c b/auth2.c index f2a801ecc..f661f8d7c 100644 --- a/auth2.c +++ b/auth2.c
@@ -51,8 +51,13 @@ RCSID("$OpenBSD: auth2.c,v 1.85 2002/02/24 19:14:59 markus Exp $");
51	#include "hostfile.h"	51	#include "hostfile.h"
52	#include "canohost.h"	52	#include "canohost.h"
53	#include "match.h"	53	#include "match.h"
		54	#include "monitor.h"
		55	#include "monitor_wrap.h"
54		56
55	/* import */	57	/* import */
		58	extern int use_privsep;
		59	extern int mm_recvfd;
		60
56	extern ServerOptions options;	61	extern ServerOptions options;
57	extern u_char *session_id2;	62	extern u_char *session_id2;
58	extern int session_id2_len;	63	extern int session_id2_len;
@@ -75,8 +80,8 @@ static void input_userauth_request(int, u_int32_t, void *);
75	/* helper */	80	/* helper */
76	static Authmethod authmethod_lookup(const char );	81	static Authmethod authmethod_lookup(const char );
77	static char *authmethods_get(void);	82	static char *authmethods_get(void);
78	static int user_key_allowed(struct passwd , Key );	83	int user_key_allowed(struct passwd , Key );
79	static int hostbased_key_allowed(struct passwd , const char , char , Key );	84	int hostbased_key_allowed(struct passwd , const char , char , Key );
80		85
81	/* auth */	86	/* auth */
82	static void userauth_banner(void);	87	static void userauth_banner(void);
@@ -109,7 +114,7 @@ Authmethod authmethods[] = {
109	* loop until authctxt->success == TRUE	114	* loop until authctxt->success == TRUE
110	*/	115	*/
111		116
112	void	117	Authctxt *
113	do_authentication2(void)	118	do_authentication2(void)
114	{	119	{
115	Authctxt *authctxt = authctxt_new();	120	Authctxt *authctxt = authctxt_new();
@@ -125,7 +130,8 @@ do_authentication2(void)
125	dispatch_init(&dispatch_protocol_error);	130	dispatch_init(&dispatch_protocol_error);
126	dispatch_set(SSH2_MSG_SERVICE_REQUEST, &input_service_request);	131	dispatch_set(SSH2_MSG_SERVICE_REQUEST, &input_service_request);
127	dispatch_run(DISPATCH_BLOCK, &authctxt->success, authctxt);	132	dispatch_run(DISPATCH_BLOCK, &authctxt->success, authctxt);
128	do_authenticated(authctxt);	133
		134	return(authctxt);
129	}	135	}
130		136
131	static void	137	static void
@@ -182,10 +188,15 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
182	*style++ = 0;	188	*style++ = 0;
183		189
184	if (authctxt->attempt++ == 0) {	190	if (authctxt->attempt++ == 0) {
185	/* setup auth context */	191	/* setup auth context */
		192	int allowed;
186	struct passwd *pw = NULL;	193	struct passwd *pw = NULL;
187	pw = getpwnam(user);	194	if (!use_privsep) {
188	if (pw && allowed_user(pw) && strcmp(service, "ssh-connection")==0) {	195	pw = getpwnam(user);
		196	allowed = pw ? allowed_user(pw) : 0;
		197	} else
		198	pw = mm_getpwnamallow(mm_recvfd, user, &allowed);
		199	if (pw && allowed && strcmp(service, "ssh-connection")==0) {
189	authctxt->pw = pwcopy(pw);	200	authctxt->pw = pwcopy(pw);
190	authctxt->valid = 1;	201	authctxt->valid = 1;
191	debug2("input_userauth_request: setting up authctxt for %s", user);	202	debug2("input_userauth_request: setting up authctxt for %s", user);
@@ -198,10 +209,18 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
198	start_pam("NOUSER");	209	start_pam("NOUSER");
199	#endif	210	#endif
200	}	211	}
201	setproctitle("%s", pw ? user : "unknown");	212	/* Free memory */
		213	if (use_privsep)
		214	pwfree(pw);
		215
		216	setproctitle("%s%s", use_privsep ? " [net]" : "",
		217	pw ? user : "unknown");
202	authctxt->user = xstrdup(user);	218	authctxt->user = xstrdup(user);
203	authctxt->service = xstrdup(service);	219	authctxt->service = xstrdup(service);
204	authctxt->style = style ? xstrdup(style) : NULL;	220	authctxt->style = style ? xstrdup(style) : NULL;
		221
		222	if (use_privsep)
		223	mm_inform_authserv(mm_recvfd, service, style);
205	} else if (strcmp(user, authctxt->user) != 0 \|\|	224	} else if (strcmp(user, authctxt->user) != 0 \|\|
206	strcmp(service, authctxt->service) != 0) {	225	strcmp(service, authctxt->service) != 0) {
207	packet_disconnect("Change of username or service not allowed: "	226	packet_disconnect("Change of username or service not allowed: "
@@ -313,6 +332,8 @@ done:
313	static int	332	static int
314	userauth_none(Authctxt *authctxt)	333	userauth_none(Authctxt *authctxt)
315	{	334	{
		335	int res = 0;
		336
316	/* disable method "none", only allowed one time */	337	/* disable method "none", only allowed one time */
317	Authmethod *m = authmethod_lookup("none");	338	Authmethod *m = authmethod_lookup("none");
318	if (m != NULL)	339	if (m != NULL)
@@ -322,18 +343,16 @@ userauth_none(Authctxt *authctxt)
322		343
323	if (authctxt->valid == 0)	344	if (authctxt->valid == 0)
324	return(0);	345	return(0);
325		346	if (!authctxt->valid)
326	#ifdef HAVE_CYGWIN	347	return (0);
327	if (check_nt_auth(1, authctxt->pw) == 0)	348	if (use_privsep)
328	return(0);	349	#if defined(USE_PAM) \|\| defined(HAVE_OSF_SIA)
		350	#error NOT IMPLEMENTED FOR PRIVSEP
329	#endif	351	#endif
330	#ifdef USE_PAM	352	res = mm_auth_password(mm_recvfd, "");
331	return auth_pam_password(authctxt->pw, "");	353	else
332	#elif defined(HAVE_OSF_SIA)	354	res = auth_password(authctxt, "");
333	return 0;	355	return (res);
334	#else /* !HAVE_OSF_SIA && !USE_PAM */
335	return auth_password(authctxt, "");
336	#endif /* USE_PAM */
337	}	356	}
338		357
339	static int	358	static int
@@ -348,18 +367,16 @@ userauth_passwd(Authctxt *authctxt)
348	log("password change not supported");	367	log("password change not supported");
349	password = packet_get_string(&len);	368	password = packet_get_string(&len);
350	packet_check_eom();	369	packet_check_eom();
351	if (authctxt->valid &&	370
352	#ifdef HAVE_CYGWIN	371	#if defined(HAVE_CYGWIN) \|\| defined(USE_PAM) \|\| defined(HAVE_OSF_SIA)
353	check_nt_auth(1, authctxt->pw) &&	372	#error NOT IMPLEMENTED FOR PRIVSEP
354	#endif	373	#endif
355	#ifdef USE_PAM	374	if (authctxt->valid) {
356	auth_pam_password(authctxt->pw, password) == 1)	375	if (use_privsep)
357	#elif defined(HAVE_OSF_SIA)	376	authenticated = mm_auth_password(mm_recvfd, password);
358	auth_sia_password(authctxt->user, password) == 1)	377	else
359	#else /* !USE_PAM && !HAVE_OSF_SIA */	378	authenticated = auth_password(authctxt, password);
360	auth_password(authctxt, password) == 1)	379	}
361	#endif /* USE_PAM */
362	authenticated = 1;
363	memset(password, 0, len);	380	memset(password, 0, len);
364	xfree(password);	381	xfree(password);
365	return authenticated;	382	return authenticated;
@@ -467,12 +484,23 @@ userauth_pubkey(Authctxt *authctxt)
467	buffer_dump(&b);	484	buffer_dump(&b);
468	#endif	485	#endif
469	/* test for correct signature */	486	/* test for correct signature */
470	if (user_key_allowed(authctxt->pw, key) &&	487	authenticated = 0;
471	key_verify(key, sig, slen, buffer_ptr(&b), buffer_len(&b)) == 1)	488	if (use_privsep) {
472	authenticated = 1;	489	if (mm_user_key_allowed(mm_recvfd, key) &&
		490	mm_key_verify(mm_recvfd,
		491	MM_USERKEY, NULL, NULL, key, sig, slen,
		492	buffer_ptr(&b), buffer_len(&b)) == 1)
		493	authenticated = 1;
		494	} else {
		495	if (user_key_allowed(authctxt->pw, key) &&
		496	key_verify(key, sig, slen, buffer_ptr(&b),
		497	buffer_len(&b)) == 1)
		498	authenticated = 1;
		499	}
473	buffer_clear(&b);	500	buffer_clear(&b);
474	xfree(sig);	501	xfree(sig);
475	} else {	502	} else {
		503	int res = 0;
476	debug("test whether pkalg/pkblob are acceptable");	504	debug("test whether pkalg/pkblob are acceptable");
477	packet_check_eom();	505	packet_check_eom();
478		506
@@ -484,7 +512,11 @@ userauth_pubkey(Authctxt *authctxt)
484	* if a user is not allowed to login. is this an	512	* if a user is not allowed to login. is this an
485	* issue? -markus	513	* issue? -markus
486	*/	514	*/
487	if (user_key_allowed(authctxt->pw, key)) {	515	if (use_privsep)
		516	res = mm_user_key_allowed(mm_recvfd, key);
		517	else
		518	res = user_key_allowed(authctxt->pw, key);
		519	if (res) {
488	packet_start(SSH2_MSG_USERAUTH_PK_OK);	520	packet_start(SSH2_MSG_USERAUTH_PK_OK);
489	packet_put_string(pkalg, alen);	521	packet_put_string(pkalg, alen);
490	packet_put_string(pkblob, blen);	522	packet_put_string(pkblob, blen);
@@ -572,9 +604,18 @@ userauth_hostbased(Authctxt *authctxt)
572	buffer_dump(&b);	604	buffer_dump(&b);
573	#endif	605	#endif
574	/* test for allowed key and correct signature */	606	/* test for allowed key and correct signature */
575	if (hostbased_key_allowed(authctxt->pw, cuser, chost, key) &&	607	authenticated = 0;
576	key_verify(key, sig, slen, buffer_ptr(&b), buffer_len(&b)) == 1)	608	if (use_privsep) {
577	authenticated = 1;	609	if (mm_hostbased_key_allowed(mm_recvfd, cuser, chost, key) &&
		610	mm_key_verify(mm_recvfd, MM_HOSTKEY, cuser, chost, key,
		611	sig, slen, buffer_ptr(&b), buffer_len(&b)) == 1)
		612	authenticated = 1;
		613	} else {
		614	if (hostbased_key_allowed(authctxt->pw, cuser, chost, key) &&
		615	key_verify(key, sig, slen, buffer_ptr(&b),
		616	buffer_len(&b)) == 1)
		617	authenticated = 1;
		618	}
578		619
579	buffer_clear(&b);	620	buffer_clear(&b);
580	done:	621	done:
@@ -730,7 +771,7 @@ user_key_allowed2(struct passwd pw, Key key, char *file)
730	}	771	}
731		772
732	/* check whether given key is in .ssh/authorized_keys* */	773	/* check whether given key is in .ssh/authorized_keys* */
733	static int	774	int
734	user_key_allowed(struct passwd pw, Key key)	775	user_key_allowed(struct passwd pw, Key key)
735	{	776	{
736	int success;	777	int success;
@@ -750,7 +791,7 @@ user_key_allowed(struct passwd pw, Key key)
750	}	791	}
751		792
752	/* return 1 if given hostkey is allowed */	793	/* return 1 if given hostkey is allowed */
753	static int	794	int
754	hostbased_key_allowed(struct passwd pw, const char cuser, char *chost,	795	hostbased_key_allowed(struct passwd pw, const char cuser, char *chost,
755	Key *key)	796	Key *key)
756	{	797	{