Diffstat (limited to 'monitor.c')
-rw-r--r-- | monitor.c | 63 |
1 files changed, 46 insertions, 17 deletions
@@ -25,7 +25,7 @@ | |||
25 | */ | 25 | */ |
26 | 26 | ||
27 | #include "includes.h" | 27 | #include "includes.h" |
28 | RCSID("$OpenBSD: monitor.c,v 1.49 2003/08/28 12:54:34 markus Exp $"); | 28 | RCSID("$OpenBSD: monitor.c,v 1.55 2004/02/05 05:37:17 dtucker Exp $"); |
29 | 29 | ||
30 | #include <openssl/dh.h> | 30 | #include <openssl/dh.h> |
31 | 31 | ||
@@ -134,6 +134,7 @@ int mm_answer_pam_free_ctx(int, Buffer *); | |||
134 | int mm_answer_gss_setup_ctx(int, Buffer *); | 134 | int mm_answer_gss_setup_ctx(int, Buffer *); |
135 | int mm_answer_gss_accept_ctx(int, Buffer *); | 135 | int mm_answer_gss_accept_ctx(int, Buffer *); |
136 | int mm_answer_gss_userok(int, Buffer *); | 136 | int mm_answer_gss_userok(int, Buffer *); |
137 | int mm_answer_gss_checkmic(int, Buffer *); | ||
137 | #endif | 138 | #endif |
138 | 139 | ||
139 | static Authctxt *authctxt; | 140 | static Authctxt *authctxt; |
@@ -193,6 +194,7 @@ struct mon_table mon_dispatch_proto20[] = { | |||
193 | {MONITOR_REQ_GSSSETUP, MON_ISAUTH, mm_answer_gss_setup_ctx}, | 194 | {MONITOR_REQ_GSSSETUP, MON_ISAUTH, mm_answer_gss_setup_ctx}, |
194 | {MONITOR_REQ_GSSSTEP, MON_ISAUTH, mm_answer_gss_accept_ctx}, | 195 | {MONITOR_REQ_GSSSTEP, MON_ISAUTH, mm_answer_gss_accept_ctx}, |
195 | {MONITOR_REQ_GSSUSEROK, MON_AUTH, mm_answer_gss_userok}, | 196 | {MONITOR_REQ_GSSUSEROK, MON_AUTH, mm_answer_gss_userok}, |
197 | {MONITOR_REQ_GSSCHECKMIC, MON_ISAUTH, mm_answer_gss_checkmic}, | ||
196 | #endif | 198 | #endif |
197 | {0, 0, NULL} | 199 | {0, 0, NULL} |
198 | }; | 200 | }; |
@@ -272,14 +274,17 @@ monitor_permit_authentications(int permit) | |||
272 | } | 274 | } |
273 | } | 275 | } |
274 | 276 | ||
275 | Authctxt * | 277 | void |
276 | monitor_child_preauth(struct monitor *pmonitor) | 278 | monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor) |
277 | { | 279 | { |
278 | struct mon_table *ent; | 280 | struct mon_table *ent; |
279 | int authenticated = 0; | 281 | int authenticated = 0; |
280 | 282 | ||
281 | debug3("preauth child monitor started"); | 283 | debug3("preauth child monitor started"); |
282 | 284 | ||
285 | authctxt = _authctxt; | ||
286 | memset(authctxt, 0, sizeof(*authctxt)); | ||
287 | |||
283 | if (compat20) { | 288 | if (compat20) { |
284 | mon_dispatch = mon_dispatch_proto20; | 289 | mon_dispatch = mon_dispatch_proto20; |
285 | 290 | ||
@@ -292,8 +297,6 @@ monitor_child_preauth(struct monitor *pmonitor) | |||
292 | monitor_permit(mon_dispatch, MONITOR_REQ_SESSKEY, 1); | 297 | monitor_permit(mon_dispatch, MONITOR_REQ_SESSKEY, 1); |
293 | } | 298 | } |
294 | 299 | ||
295 | authctxt = authctxt_new(); | ||
296 | |||
297 | /* The first few requests do not require asynchronous access */ | 300 | /* The first few requests do not require asynchronous access */ |
298 | while (!authenticated) { | 301 | while (!authenticated) { |
299 | authenticated = monitor_read(pmonitor, mon_dispatch, &ent); | 302 | authenticated = monitor_read(pmonitor, mon_dispatch, &ent); |
@@ -306,11 +309,11 @@ monitor_child_preauth(struct monitor *pmonitor) | |||
306 | authenticated = 0; | 309 | authenticated = 0; |
307 | #ifdef USE_PAM | 310 | #ifdef USE_PAM |
308 | /* PAM needs to perform account checks after auth */ | 311 | /* PAM needs to perform account checks after auth */ |
309 | if (options.use_pam) { | 312 | if (options.use_pam && authenticated) { |
310 | Buffer m; | 313 | Buffer m; |
311 | 314 | ||
312 | buffer_init(&m); | 315 | buffer_init(&m); |
313 | mm_request_receive_expect(pmonitor->m_sendfd, | 316 | mm_request_receive_expect(pmonitor->m_sendfd, |
314 | MONITOR_REQ_PAM_ACCOUNT, &m); | 317 | MONITOR_REQ_PAM_ACCOUNT, &m); |
315 | authenticated = mm_answer_pam_account(pmonitor->m_sendfd, &m); | 318 | authenticated = mm_answer_pam_account(pmonitor->m_sendfd, &m); |
316 | buffer_free(&m); | 319 | buffer_free(&m); |
@@ -333,8 +336,6 @@ monitor_child_preauth(struct monitor *pmonitor) | |||
333 | __func__, authctxt->user); | 336 | __func__, authctxt->user); |
334 | 337 | ||
335 | mm_get_keystate(pmonitor); | 338 | mm_get_keystate(pmonitor); |
336 | |||
337 | return (authctxt); | ||
338 | } | 339 | } |
339 | 340 | ||
340 | static void | 341 | static void |
@@ -566,6 +567,7 @@ mm_answer_pwnamallow(int socket, Buffer *m) | |||
566 | 567 | ||
567 | if (pwent == NULL) { | 568 | if (pwent == NULL) { |
568 | buffer_put_char(m, 0); | 569 | buffer_put_char(m, 0); |
570 | authctxt->pw = fakepw(); | ||
569 | goto out; | 571 | goto out; |
570 | } | 572 | } |
571 | 573 | ||
@@ -781,7 +783,7 @@ int | |||
781 | mm_answer_pam_start(int socket, Buffer *m) | 783 | mm_answer_pam_start(int socket, Buffer *m) |
782 | { | 784 | { |
783 | char *user; | 785 | char *user; |
784 | 786 | ||
785 | if (!options.use_pam) | 787 | if (!options.use_pam) |
786 | fatal("UsePAM not set, but ended up in %s anyway", __func__); | 788 | fatal("UsePAM not set, but ended up in %s anyway", __func__); |
787 | 789 | ||
@@ -800,7 +802,7 @@ int | |||
800 | mm_answer_pam_account(int socket, Buffer *m) | 802 | mm_answer_pam_account(int socket, Buffer *m) |
801 | { | 803 | { |
802 | u_int ret; | 804 | u_int ret; |
803 | 805 | ||
804 | if (!options.use_pam) | 806 | if (!options.use_pam) |
805 | fatal("UsePAM not set, but ended up in %s anyway", __func__); | 807 | fatal("UsePAM not set, but ended up in %s anyway", __func__); |
806 | 808 | ||
@@ -947,7 +949,7 @@ mm_answer_keyallowed(int socket, Buffer *m) | |||
947 | 949 | ||
948 | debug3("%s: key_from_blob: %p", __func__, key); | 950 | debug3("%s: key_from_blob: %p", __func__, key); |
949 | 951 | ||
950 | if (key != NULL && authctxt->pw != NULL) { | 952 | if (key != NULL && authctxt->valid) { |
951 | switch(type) { | 953 | switch(type) { |
952 | case MM_USERKEY: | 954 | case MM_USERKEY: |
953 | allowed = options.pubkey_authentication && | 955 | allowed = options.pubkey_authentication && |
@@ -1185,7 +1187,7 @@ mm_record_login(Session *s, struct passwd *pw) | |||
1185 | if (getpeername(packet_get_connection_in(), | 1187 | if (getpeername(packet_get_connection_in(), |
1186 | (struct sockaddr *) & from, &fromlen) < 0) { | 1188 | (struct sockaddr *) & from, &fromlen) < 0) { |
1187 | debug("getpeername: %.100s", strerror(errno)); | 1189 | debug("getpeername: %.100s", strerror(errno)); |
1188 | fatal_cleanup(); | 1190 | cleanup_exit(255); |
1189 | } | 1191 | } |
1190 | } | 1192 | } |
1191 | /* Record that there was a login on that tty from the remote host. */ | 1193 | /* Record that there was a login on that tty from the remote host. */ |
@@ -1200,7 +1202,6 @@ mm_session_close(Session *s) | |||
1200 | debug3("%s: session %d pid %ld", __func__, s->self, (long)s->pid); | 1202 | debug3("%s: session %d pid %ld", __func__, s->self, (long)s->pid); |
1201 | if (s->ttyfd != -1) { | 1203 | if (s->ttyfd != -1) { |
1202 | debug3("%s: tty %s ptyfd %d", __func__, s->tty, s->ptyfd); | 1204 | debug3("%s: tty %s ptyfd %d", __func__, s->tty, s->ptyfd); |
1203 | fatal_remove_cleanup(session_pty_cleanup2, (void *)s); | ||
1204 | session_pty_cleanup2(s); | 1205 | session_pty_cleanup2(s); |
1205 | } | 1206 | } |
1206 | s->used = 0; | 1207 | s->used = 0; |
@@ -1225,7 +1226,6 @@ mm_answer_pty(int socket, Buffer *m) | |||
1225 | res = pty_allocate(&s->ptyfd, &s->ttyfd, s->tty, sizeof(s->tty)); | 1226 | res = pty_allocate(&s->ptyfd, &s->ttyfd, s->tty, sizeof(s->tty)); |
1226 | if (res == 0) | 1227 | if (res == 0) |
1227 | goto error; | 1228 | goto error; |
1228 | fatal_add_cleanup(session_pty_cleanup2, (void *)s); | ||
1229 | pty_setowner(authctxt->pw, s->tty); | 1229 | pty_setowner(authctxt->pw, s->tty); |
1230 | 1230 | ||
1231 | buffer_put_int(m, 1); | 1231 | buffer_put_int(m, 1); |
@@ -1708,6 +1708,7 @@ monitor_init(void) | |||
1708 | 1708 | ||
1709 | mon = xmalloc(sizeof(*mon)); | 1709 | mon = xmalloc(sizeof(*mon)); |
1710 | 1710 | ||
1711 | mon->m_pid = 0; | ||
1711 | monitor_socketpair(pair); | 1712 | monitor_socketpair(pair); |
1712 | 1713 | ||
1713 | mon->m_recvfd = pair[0]; | 1714 | mon->m_recvfd = pair[0]; |
@@ -1784,15 +1785,43 @@ mm_answer_gss_accept_ctx(int socket, Buffer *m) | |||
1784 | 1785 | ||
1785 | gss_release_buffer(&minor, &out); | 1786 | gss_release_buffer(&minor, &out); |
1786 | 1787 | ||
1787 | /* Complete - now we can do signing */ | ||
1788 | if (major==GSS_S_COMPLETE) { | 1788 | if (major==GSS_S_COMPLETE) { |
1789 | monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0); | 1789 | monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0); |
1790 | monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1); | 1790 | monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1); |
1791 | monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1); | ||
1791 | } | 1792 | } |
1792 | return (0); | 1793 | return (0); |
1793 | } | 1794 | } |
1794 | 1795 | ||
1795 | int | 1796 | int |
1797 | mm_answer_gss_checkmic(int socket, Buffer *m) | ||
1798 | { | ||
1799 | gss_buffer_desc gssbuf, mic; | ||
1800 | OM_uint32 ret; | ||
1801 | u_int len; | ||
1802 | |||
1803 | gssbuf.value = buffer_get_string(m, &len); | ||
1804 | gssbuf.length = len; | ||
1805 | mic.value = buffer_get_string(m, &len); | ||
1806 | mic.length = len; | ||
1807 | |||
1808 | ret = ssh_gssapi_checkmic(gsscontext, &gssbuf, &mic); | ||
1809 | |||
1810 | xfree(gssbuf.value); | ||
1811 | xfree(mic.value); | ||
1812 | |||
1813 | buffer_clear(m); | ||
1814 | buffer_put_int(m, ret); | ||
1815 | |||
1816 | mm_request_send(socket, MONITOR_ANS_GSSCHECKMIC, m); | ||
1817 | |||
1818 | if (!GSS_ERROR(ret)) | ||
1819 | monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1); | ||
1820 | |||
1821 | return (0); | ||
1822 | } | ||
1823 | |||
1824 | int | ||
1796 | mm_answer_gss_userok(int socket, Buffer *m) | 1825 | mm_answer_gss_userok(int socket, Buffer *m) |
1797 | { | 1826 | { |
1798 | int authenticated; | 1827 | int authenticated; |
@@ -1805,7 +1834,7 @@ mm_answer_gss_userok(int socket, Buffer *m) | |||
1805 | debug3("%s: sending result %d", __func__, authenticated); | 1834 | debug3("%s: sending result %d", __func__, authenticated); |
1806 | mm_request_send(socket, MONITOR_ANS_GSSUSEROK, m); | 1835 | mm_request_send(socket, MONITOR_ANS_GSSUSEROK, m); |
1807 | 1836 | ||
1808 | auth_method="gssapi"; | 1837 | auth_method="gssapi-with-mic"; |
1809 | 1838 | ||
1810 | /* Monitor loop will terminate if authenticated */ | 1839 | /* Monitor loop will terminate if authenticated */ |
1811 | return (authenticated); | 1840 | return (authenticated); |
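Review bot: The MIC verification added in mm_answer_gss_checkmic does not actually gate anything in the monitor, because mm_answer_gss_accept_ctx already permits MONITOR_REQ_GSSUSEROK the moment the context reaches GSS_S_COMPLETE (new line 1790), so the second `monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1);` after a successful check (new line 1819) is redundant and a compromised unprivileged child can request userok without ever presenting a MIC. If "gssapi-with-mic" is meant to require the MIC before user authorization, drop the permit at line 1790 so that only a successful mm_answer_gss_checkmic unlocks GSSUSEROK and the monitor, not the child, enforces the ordering. If the no-MIC exchange-complete path has to remain reachable, keep line 1790 but mark the weaker ordering as deliberate with a comment such as `/* GSSUSEROK is also reachable without a MIC; the MIC check only unlocks it redundantly */` so the next reader does not assume the monitor enforces it. mm_answer_gss_accept_ctx begins before this hunk and mm_answer_gss_userok ends after it.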