diff options
Diffstat (limited to 'auth2.c')
| -rw-r--r-- | auth2.c | 43 |
1 files changed, 28 insertions, 15 deletions
| @@ -23,7 +23,7 @@ | |||
| 23 | */ | 23 | */ |
| 24 | 24 | ||
| 25 | #include "includes.h" | 25 | #include "includes.h" |
| 26 | RCSID("$OpenBSD: auth2.c,v 1.87 2002/03/18 01:12:14 provos Exp $"); | 26 | RCSID("$OpenBSD: auth2.c,v 1.88 2002/03/18 17:50:31 provos Exp $"); |
| 27 | 27 | ||
| 28 | #include <openssl/evp.h> | 28 | #include <openssl/evp.h> |
| 29 | 29 | ||
| @@ -51,13 +51,14 @@ RCSID("$OpenBSD: auth2.c,v 1.87 2002/03/18 01:12:14 provos Exp $"); | |||
| 51 | #include "hostfile.h" | 51 | #include "hostfile.h" |
| 52 | #include "canohost.h" | 52 | #include "canohost.h" |
| 53 | #include "match.h" | 53 | #include "match.h" |
| 54 | #include "monitor_wrap.h" | ||
| 54 | 55 | ||
| 55 | /* import */ | 56 | /* import */ |
| 56 | extern ServerOptions options; | 57 | extern ServerOptions options; |
| 57 | extern u_char *session_id2; | 58 | extern u_char *session_id2; |
| 58 | extern int session_id2_len; | 59 | extern int session_id2_len; |
| 59 | 60 | ||
| 60 | static Authctxt *x_authctxt = NULL; | 61 | Authctxt *x_authctxt = NULL; |
| 61 | static int one = 1; | 62 | static int one = 1; |
| 62 | 63 | ||
| 63 | typedef struct Authmethod Authmethod; | 64 | typedef struct Authmethod Authmethod; |
| @@ -75,8 +76,8 @@ static void input_userauth_request(int, u_int32_t, void *); | |||
| 75 | /* helper */ | 76 | /* helper */ |
| 76 | static Authmethod *authmethod_lookup(const char *); | 77 | static Authmethod *authmethod_lookup(const char *); |
| 77 | static char *authmethods_get(void); | 78 | static char *authmethods_get(void); |
| 78 | static int user_key_allowed(struct passwd *, Key *); | 79 | int user_key_allowed(struct passwd *, Key *); |
| 79 | static int hostbased_key_allowed(struct passwd *, const char *, char *, Key *); | 80 | int hostbased_key_allowed(struct passwd *, const char *, char *, Key *); |
| 80 | 81 | ||
| 81 | /* auth */ | 82 | /* auth */ |
| 82 | static void userauth_banner(void); | 83 | static void userauth_banner(void); |
| @@ -185,7 +186,7 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt) | |||
| 185 | if (authctxt->attempt++ == 0) { | 186 | if (authctxt->attempt++ == 0) { |
| 186 | /* setup auth context */ | 187 | /* setup auth context */ |
| 187 | struct passwd *pw = NULL; | 188 | struct passwd *pw = NULL; |
| 188 | pw = getpwnamallow(user); | 189 | pw = PRIVSEP(getpwnamallow(user)); |
| 189 | if (pw && strcmp(service, "ssh-connection")==0) { | 190 | if (pw && strcmp(service, "ssh-connection")==0) { |
| 190 | authctxt->pw = pwcopy(pw); | 191 | authctxt->pw = pwcopy(pw); |
| 191 | authctxt->valid = 1; | 192 | authctxt->valid = 1; |
| @@ -199,10 +200,18 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt) | |||
| 199 | start_pam("NOUSER"); | 200 | start_pam("NOUSER"); |
| 200 | #endif | 201 | #endif |
| 201 | } | 202 | } |
| 202 | setproctitle("%s", pw ? user : "unknown"); | 203 | /* Free memory */ |
| 204 | if (use_privsep && pw != NULL) | ||
| 205 | pwfree(pw); | ||
| 206 | |||
| 207 | setproctitle("%s%s", pw ? user : "unknown", | ||
| 208 | use_privsep ? " [net]" : ""); | ||
| 203 | authctxt->user = xstrdup(user); | 209 | authctxt->user = xstrdup(user); |
| 204 | authctxt->service = xstrdup(service); | 210 | authctxt->service = xstrdup(service); |
| 205 | authctxt->style = style ? xstrdup(style) : NULL; | 211 | authctxt->style = style ? xstrdup(style) : NULL; |
| 212 | |||
| 213 | if (use_privsep) | ||
| 214 | mm_inform_authserv(service, style); | ||
| 206 | } else if (strcmp(user, authctxt->user) != 0 || | 215 | } else if (strcmp(user, authctxt->user) != 0 || |
| 207 | strcmp(service, authctxt->service) != 0) { | 216 | strcmp(service, authctxt->service) != 0) { |
| 208 | packet_disconnect("Change of username or service not allowed: " | 217 | packet_disconnect("Change of username or service not allowed: " |
| @@ -333,7 +342,7 @@ userauth_none(Authctxt *authctxt) | |||
| 333 | #elif defined(HAVE_OSF_SIA) | 342 | #elif defined(HAVE_OSF_SIA) |
| 334 | return 0; | 343 | return 0; |
| 335 | #else /* !HAVE_OSF_SIA && !USE_PAM */ | 344 | #else /* !HAVE_OSF_SIA && !USE_PAM */ |
| 336 | return auth_password(authctxt, ""); | 345 | return PRIVSEP(auth_password(authctxt, "")); |
| 337 | #endif /* USE_PAM */ | 346 | #endif /* USE_PAM */ |
| 338 | } | 347 | } |
| 339 | 348 | ||
| @@ -358,7 +367,7 @@ userauth_passwd(Authctxt *authctxt) | |||
| 358 | #elif defined(HAVE_OSF_SIA) | 367 | #elif defined(HAVE_OSF_SIA) |
| 359 | auth_sia_password(authctxt->user, password) == 1) | 368 | auth_sia_password(authctxt->user, password) == 1) |
| 360 | #else /* !USE_PAM && !HAVE_OSF_SIA */ | 369 | #else /* !USE_PAM && !HAVE_OSF_SIA */ |
| 361 | auth_password(authctxt, password) == 1) | 370 | PRIVSEP(auth_password(authctxt, password)) == 1) |
| 362 | #endif /* USE_PAM */ | 371 | #endif /* USE_PAM */ |
| 363 | authenticated = 1; | 372 | authenticated = 1; |
| 364 | memset(password, 0, len); | 373 | memset(password, 0, len); |
| @@ -468,8 +477,10 @@ userauth_pubkey(Authctxt *authctxt) | |||
| 468 | buffer_dump(&b); | 477 | buffer_dump(&b); |
| 469 | #endif | 478 | #endif |
| 470 | /* test for correct signature */ | 479 | /* test for correct signature */ |
| 471 | if (user_key_allowed(authctxt->pw, key) && | 480 | authenticated = 0; |
| 472 | key_verify(key, sig, slen, buffer_ptr(&b), buffer_len(&b)) == 1) | 481 | if (PRIVSEP(user_key_allowed(authctxt->pw, key)) && |
| 482 | PRIVSEP(key_verify(key, sig, slen, buffer_ptr(&b), | ||
| 483 | buffer_len(&b))) == 1) | ||
| 473 | authenticated = 1; | 484 | authenticated = 1; |
| 474 | buffer_clear(&b); | 485 | buffer_clear(&b); |
| 475 | xfree(sig); | 486 | xfree(sig); |
| @@ -485,7 +496,7 @@ userauth_pubkey(Authctxt *authctxt) | |||
| 485 | * if a user is not allowed to login. is this an | 496 | * if a user is not allowed to login. is this an |
| 486 | * issue? -markus | 497 | * issue? -markus |
| 487 | */ | 498 | */ |
| 488 | if (user_key_allowed(authctxt->pw, key)) { | 499 | if (PRIVSEP(user_key_allowed(authctxt->pw, key))) { |
| 489 | packet_start(SSH2_MSG_USERAUTH_PK_OK); | 500 | packet_start(SSH2_MSG_USERAUTH_PK_OK); |
| 490 | packet_put_string(pkalg, alen); | 501 | packet_put_string(pkalg, alen); |
| 491 | packet_put_string(pkblob, blen); | 502 | packet_put_string(pkblob, blen); |
| @@ -573,8 +584,10 @@ userauth_hostbased(Authctxt *authctxt) | |||
| 573 | buffer_dump(&b); | 584 | buffer_dump(&b); |
| 574 | #endif | 585 | #endif |
| 575 | /* test for allowed key and correct signature */ | 586 | /* test for allowed key and correct signature */ |
| 576 | if (hostbased_key_allowed(authctxt->pw, cuser, chost, key) && | 587 | authenticated = 0; |
| 577 | key_verify(key, sig, slen, buffer_ptr(&b), buffer_len(&b)) == 1) | 588 | if (PRIVSEP(hostbased_key_allowed(authctxt->pw, cuser, chost, key)) && |
| 589 | PRIVSEP(key_verify(key, sig, slen, buffer_ptr(&b), | ||
| 590 | buffer_len(&b))) == 1) | ||
| 578 | authenticated = 1; | 591 | authenticated = 1; |
| 579 | 592 | ||
| 580 | buffer_clear(&b); | 593 | buffer_clear(&b); |
| @@ -731,7 +744,7 @@ user_key_allowed2(struct passwd *pw, Key *key, char *file) | |||
| 731 | } | 744 | } |
| 732 | 745 | ||
| 733 | /* check whether given key is in .ssh/authorized_keys* */ | 746 | /* check whether given key is in .ssh/authorized_keys* */ |
| 734 | static int | 747 | int |
| 735 | user_key_allowed(struct passwd *pw, Key *key) | 748 | user_key_allowed(struct passwd *pw, Key *key) |
| 736 | { | 749 | { |
| 737 | int success; | 750 | int success; |
| @@ -751,7 +764,7 @@ user_key_allowed(struct passwd *pw, Key *key) | |||
| 751 | } | 764 | } |
| 752 | 765 | ||
| 753 | /* return 1 if given hostkey is allowed */ | 766 | /* return 1 if given hostkey is allowed */ |
| 754 | static int | 767 | int |
| 755 | hostbased_key_allowed(struct passwd *pw, const char *cuser, char *chost, | 768 | hostbased_key_allowed(struct passwd *pw, const char *cuser, char *chost, |
| 756 | Key *key) | 769 | Key *key) |
| 757 | { | 770 | { |