Diffstat (limited to 'auth2.c')
-rw-r--r-- | auth2.c | 43 |
1 files changed, 28 insertions, 15 deletions
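--- a/auth2.c
+++ b/auth2.c
@@ -23,7 +23,7 @@
 */
 
 #include "includes.h"
-RCSID("$OpenBSD: auth2.c,v 1.87 2002/03/18 01:12:14 provos Exp $");
+RCSID("$OpenBSD: auth2.c,v 1.88 2002/03/18 17:50:31 provos Exp $");
 
 #include <openssl/evp.h>
 
@@ -51,13 +51,14 @@ RCSID("$OpenBSD: auth2.c,v 1.87 2002/03/18 01:12:14 provos Exp $");
 #include "hostfile.h"
 #include "canohost.h"
 #include "match.h"
+#include "monitor_wrap.h"
 
 /* import */
 extern ServerOptions options;
 extern u_char *session_id2;
 extern int session_id2_len;
 
-static Authctxt *x_authctxt = NULL;
+Authctxt *x_authctxt = NULL;
 static int one = 1;
 
 typedef struct Authmethod Authmethod;
@@ -75,8 +76,8 @@ static void input_userauth_request(int, u_int32_t, void *);
 /* helper */
 static Authmethod *authmethod_lookup(const char *);
 static char *authmethods_get(void);
-static int user_key_allowed(struct passwd *, Key *);
-static int hostbased_key_allowed(struct passwd *, const char *, char *, Key *);
+int user_key_allowed(struct passwd *, Key *);
+int hostbased_key_allowed(struct passwd *, const char *, char *, Key *);
 
 /* auth */
 static void userauth_banner(void);
@@ -185,7 +186,7 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
 if (authctxt->attempt++ == 0) {
 /* setup auth context */
 struct passwd *pw = NULL;
-pw = getpwnamallow(user);
+pw = PRIVSEP(getpwnamallow(user));
 if (pw && strcmp(service, "ssh-connection")==0) {
 authctxt->pw = pwcopy(pw);
 authctxt->valid = 1;
@@ -199,10 +200,18 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
 start_pam("NOUSER");
 #endif
 }
-setproctitle("%s", pw ? user : "unknown");
+/* Free memory */
+if (use_privsep && pw != NULL)
+pwfree(pw);
+
+setproctitle("%s%s", pw ? user : "unknown",
+use_privsep ? " [net]" : "");
 authctxt->user = xstrdup(user);
 authctxt->service = xstrdup(service);
 authctxt->style = style ? xstrdup(style) : NULL;
+
+if (use_privsep)
+mm_inform_authserv(service, style);
 } else if (strcmp(user, authctxt->user) != 0 ||
 strcmp(service, authctxt->service) != 0) {
 packet_disconnect("Change of username or service not allowed: "
@@ -333,7 +342,7 @@ userauth_none(Authctxt *authctxt)
 #elif defined(HAVE_OSF_SIA)
 return 0;
 #else /* !HAVE_OSF_SIA && !USE_PAM */
-return auth_password(authctxt, "");
+return PRIVSEP(auth_password(authctxt, ""));
 #endif /* USE_PAM */
 }
 
@@ -358,7 +367,7 @@ userauth_passwd(Authctxt *authctxt)
 #elif defined(HAVE_OSF_SIA)
 auth_sia_password(authctxt->user, password) == 1)
 #else /* !USE_PAM && !HAVE_OSF_SIA */
-auth_password(authctxt, password) == 1)
+PRIVSEP(auth_password(authctxt, password)) == 1)
 #endif /* USE_PAM */
 authenticated = 1;
 memset(password, 0, len);
@@ -468,8 +477,10 @@ userauth_pubkey(Authctxt *authctxt)
 buffer_dump(&b);
 #endif
 /* test for correct signature */
-if (user_key_allowed(authctxt->pw, key) &&
-key_verify(key, sig, slen, buffer_ptr(&b), buffer_len(&b)) == 1)
+authenticated = 0;
+if (PRIVSEP(user_key_allowed(authctxt->pw, key)) &&
+PRIVSEP(key_verify(key, sig, slen, buffer_ptr(&b),
+buffer_len(&b))) == 1)
 authenticated = 1;
 buffer_clear(&b);
 xfree(sig);
@@ -485,7 +496,7 @@ userauth_pubkey(Authctxt *authctxt)
 * if a user is not allowed to login. is this an
 * issue? -markus
 */
-if (user_key_allowed(authctxt->pw, key)) {
+if (PRIVSEP(user_key_allowed(authctxt->pw, key))) {
 packet_start(SSH2_MSG_USERAUTH_PK_OK);
 packet_put_string(pkalg, alen);
 packet_put_string(pkblob, blen);
@@ -573,8 +584,10 @@ userauth_hostbased(Authctxt *authctxt)
 buffer_dump(&b);
 #endif
 /* test for allowed key and correct signature */
-if (hostbased_key_allowed(authctxt->pw, cuser, chost, key) &&
-key_verify(key, sig, slen, buffer_ptr(&b), buffer_len(&b)) == 1)
+authenticated = 0;
+if (PRIVSEP(hostbased_key_allowed(authctxt->pw, cuser, chost, key)) &&
+PRIVSEP(key_verify(key, sig, slen, buffer_ptr(&b),
+buffer_len(&b))) == 1)
 authenticated = 1;
 
 buffer_clear(&b);
@@ -731,7 +744,7 @@ user_key_allowed2(struct passwd *pw, Key *key, char *file)
 }
 
 /* check whether given key is in .ssh/authorized_keys* */
-static int
+int
 user_key_allowed(struct passwd *pw, Key *key)
 {
 int success;
@@ -751,7 +764,7 @@ user_key_allowed(struct passwd *pw, Key *key)
 }
 
 /* return 1 if given hostkey is allowed */
-static int
+int
 hostbased_key_allowed(struct passwd *pw, const char *cuser, char *chost,
 Key *key)
 {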
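Review bot: In the hunk at `@@ -199,10 +200,18 @@`, `pw` is handed to `pwfree(pw)` under privsep and then read again two lines later in `setproctitle("%s%s", pw ? user : "unknown", ...)`; only its truth value is used, but reading a freed pointer is indeterminate in C and fragile under sanitizers, so capture it first with `int have_pw = pw != NULL;` and test `have_pw ? user : "unknown"`. The ownership asymmetry also deserves a comment where the free is conditional: `PRIVSEP(getpwnamallow(user))` appears to return a heap copy the caller owns only in privsep mode, while the non-privsep pointer is borrowed, so `/* Free memory */` should become something like `/* under privsep the monitor hands back a heap copy that we own; otherwise the struct is borrowed and must not be freed */` — confirm against the monitor_wrap.c implementation. `mm_inform_authserv(service, style)` is reached with `style == NULL` whenever the client supplied no style, and whether the callee tolerates NULL is not visible here; a one-line comment stating that contract at the call would help. input_userauth_request starts and ends outside this hunk.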