]> andersk Git - gssapi-openssh.git/blame - openssh/auth2.c
andersk / gssapi-openssh.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
applied openssh-3.2.3p1-gssapi-20020527.diff
[gssapi-openssh.git] / openssh / auth2.c
CommitLineData
3c0ef626 1/*
2 * Copyright (c) 2000 Markus Friedl. All rights reserved.
3 *
4 * Redistribution and use in source and binary forms, with or without
5 * modification, are permitted provided that the following conditions
6 * are met:
7 * 1. Redistributions of source code must retain the above copyright
8 * notice, this list of conditions and the following disclaimer.
9 * 2. Redistributions in binary form must reproduce the above copyright
10 * notice, this list of conditions and the following disclaimer in the
11 * documentation and/or other materials provided with the distribution.
12 *
13 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
14 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
15 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
16 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
17 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
18 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
19 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
20 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
21 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
22 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
23 */
24
25#include "includes.h"
700318f3 26RCSID("$OpenBSD: auth2.c,v 1.91 2002/05/13 02:37:39 itojun Exp $");
3c0ef626 27
28#include <openssl/evp.h>
29
30#include "ssh2.h"
31#include "xmalloc.h"
32#include "rsa.h"
33#include "sshpty.h"
34#include "packet.h"
35#include "buffer.h"
36#include "log.h"
37#include "servconf.h"
38#include "compat.h"
39#include "channels.h"
40#include "bufaux.h"
41#include "auth.h"
42#include "session.h"
43#include "dispatch.h"
44#include "key.h"
45#include "cipher.h"
46#include "kex.h"
47#include "pathnames.h"
48#include "uidswap.h"
49#include "auth-options.h"
3c0ef626 50#include "hostfile.h"
51#include "canohost.h"
52#include "match.h"
700318f3 53#include "monitor_wrap.h"
54#include "atomicio.h"
3c0ef626 55
c45e7273 56#ifdef GSSAPI
57#include "ssh-gss.h"
58#endif
59
3c0ef626 60/* import */
61extern ServerOptions options;
62extern u_char *session_id2;
63extern int session_id2_len;
64
700318f3 65Authctxt *x_authctxt = NULL;
3c0ef626 66static int one = 1;
67
68typedef struct Authmethod Authmethod;
69struct Authmethod {
70 char *name;
71 int (*userauth)(Authctxt *authctxt);
72 int *enabled;
73};
74
75/* protocol */
76
e9a17296 77static void input_service_request(int, u_int32_t, void *);
78static void input_userauth_request(int, u_int32_t, void *);
3c0ef626 79
80/* helper */
81static Authmethod *authmethod_lookup(const char *);
82static char *authmethods_get(void);
700318f3 83int user_key_allowed(struct passwd *, Key *);
84int hostbased_key_allowed(struct passwd *, const char *, char *, Key *);
3c0ef626 85
86/* auth */
87static void userauth_banner(void);
88static int userauth_none(Authctxt *);
89static int userauth_passwd(Authctxt *);
90static int userauth_pubkey(Authctxt *);
91static int userauth_hostbased(Authctxt *);
92static int userauth_kbdint(Authctxt *);
93
c45e7273 94#ifdef GSSAPI
95int userauth_external(Authctxt *authctxt);
96int userauth_gssapi(Authctxt *authctxt);
97#endif
98
3c0ef626 99Authmethod authmethods[] = {
100 {"none",
101 userauth_none,
102 &one},
c45e7273 103#ifdef GSSAPI
104 {"external-keyx",
105 userauth_external,
106 &options.gss_authentication},
107 {"gssapi",
108 userauth_gssapi,
109 &options.gss_authentication},
110#endif
3c0ef626 111 {"publickey",
112 userauth_pubkey,
113 &options.pubkey_authentication},
114 {"password",
115 userauth_passwd,
116 &options.password_authentication},
117 {"keyboard-interactive",
118 userauth_kbdint,
119 &options.kbd_interactive_authentication},
120 {"hostbased",
121 userauth_hostbased,
122 &options.hostbased_authentication},
123 {NULL, NULL, NULL}
124};
125
126/*
127 * loop until authctxt->success == TRUE
128 */
129
700318f3 130Authctxt *
e9a17296 131do_authentication2(void)
3c0ef626 132{
133 Authctxt *authctxt = authctxt_new();
134
135 x_authctxt = authctxt; /*XXX*/
136
137 /* challenge-response is implemented via keyboard interactive */
138 if (options.challenge_response_authentication)
139 options.kbd_interactive_authentication = 1;
140 if (options.pam_authentication_via_kbd_int)
141 options.kbd_interactive_authentication = 1;
700318f3 142 if (use_privsep)
143 options.pam_authentication_via_kbd_int = 0;
3c0ef626 144
e9a17296 145 dispatch_init(&dispatch_protocol_error);
3c0ef626 146 dispatch_set(SSH2_MSG_SERVICE_REQUEST, &input_service_request);
147 dispatch_run(DISPATCH_BLOCK, &authctxt->success, authctxt);
700318f3 148
149 return (authctxt);
3c0ef626 150}
151
152static void
e9a17296 153input_service_request(int type, u_int32_t seq, void *ctxt)
3c0ef626 154{
155 Authctxt *authctxt = ctxt;
156 u_int len;
157 int accept = 0;
158 char *service = packet_get_string(&len);
e9a17296 159 packet_check_eom();
3c0ef626 160
161 if (authctxt == NULL)
162 fatal("input_service_request: no authctxt");
163
164 if (strcmp(service, "ssh-userauth") == 0) {
165 if (!authctxt->success) {
166 accept = 1;
167 /* now we can handle user-auth requests */
168 dispatch_set(SSH2_MSG_USERAUTH_REQUEST, &input_userauth_request);
169 }
170 }
171 /* XXX all other service requests are denied */
172
173 if (accept) {
174 packet_start(SSH2_MSG_SERVICE_ACCEPT);
175 packet_put_cstring(service);
176 packet_send();
177 packet_write_wait();
178 } else {
179 debug("bad service request %s", service);
180 packet_disconnect("bad service request %s", service);
181 }
182 xfree(service);
183}
184
185static void
e9a17296 186input_userauth_request(int type, u_int32_t seq, void *ctxt)
3c0ef626 187{
188 Authctxt *authctxt = ctxt;
189 Authmethod *m = NULL;
190 char *user, *service, *method, *style = NULL;
191 int authenticated = 0;
192
193 if (authctxt == NULL)
194 fatal("input_userauth_request: no authctxt");
195
196 user = packet_get_string(NULL);
197 service = packet_get_string(NULL);
198 method = packet_get_string(NULL);
199 debug("userauth-request for user %s service %s method %s", user, service, method);
200 debug("attempt %d failures %d", authctxt->attempt, authctxt->failures);
201
202 if ((style = strchr(user, ':')) != NULL)
203 *style++ = 0;
204
205 if (authctxt->attempt++ == 0) {
206 /* setup auth context */
700318f3 207 authctxt->pw = PRIVSEP(getpwnamallow(user));
208 if (authctxt->pw && strcmp(service, "ssh-connection")==0) {
3c0ef626 209 authctxt->valid = 1;
210 debug2("input_userauth_request: setting up authctxt for %s", user);
211#ifdef USE_PAM
700318f3 212 PRIVSEP(start_pam(authctxt->pw->pw_name));
3c0ef626 213#endif
214 } else {
215 log("input_userauth_request: illegal user %s", user);
216#ifdef USE_PAM
700318f3 217 PRIVSEP(start_pam("NOUSER"));
3c0ef626 218#endif
219 }
700318f3 220 setproctitle("%s%s", authctxt->pw ? user : "unknown",
221 use_privsep ? " [net]" : "");
3c0ef626 222 authctxt->user = xstrdup(user);
223 authctxt->service = xstrdup(service);
224 authctxt->style = style ? xstrdup(style) : NULL;
700318f3 225 if (use_privsep)
226 mm_inform_authserv(service, style);
3c0ef626 227 } else if (strcmp(user, authctxt->user) != 0 ||
228 strcmp(service, authctxt->service) != 0) {
229 packet_disconnect("Change of username or service not allowed: "
230 "(%s,%s) -> (%s,%s)",
231 authctxt->user, authctxt->service, user, service);
232 }
233 /* reset state */
e9a17296 234 auth2_challenge_stop(authctxt);
c45e7273 235
236#ifdef GSSAPI
237 dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL);
238 dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE, NULL);
239#endif
240
3c0ef626 241 authctxt->postponed = 0;
3c0ef626 242
243 /* try to authenticate user */
244 m = authmethod_lookup(method);
245 if (m != NULL) {
246 debug2("input_userauth_request: try method %s", method);
247 authenticated = m->userauth(authctxt);
248 }
249 userauth_finish(authctxt, authenticated, method);
250
251 xfree(service);
252 xfree(user);
253 xfree(method);
254}
255
256void
257userauth_finish(Authctxt *authctxt, int authenticated, char *method)
258{
259 char *methods;
260
261 if (!authctxt->valid && authenticated)
262 fatal("INTERNAL ERROR: authenticated invalid user %s",
263 authctxt->user);
264
265 /* Special handling for root */
266 if (authenticated && authctxt->pw->pw_uid == 0 &&
267 !auth_root_allowed(method))
268 authenticated = 0;
269
270#ifdef USE_PAM
700318f3 271 if (!use_privsep && authenticated && authctxt->user &&
272 !do_pam_account(authctxt->user, NULL))
3c0ef626 273 authenticated = 0;
274#endif /* USE_PAM */
275
276 /* Log before sending the reply */
277 auth_log(authctxt, authenticated, method, " ssh2");
278
279 if (authctxt->postponed)
280 return;
281
282 /* XXX todo: check if multiple auth methods are needed */
283 if (authenticated == 1) {
284 /* turn off userauth */
e9a17296 285 dispatch_set(SSH2_MSG_USERAUTH_REQUEST, &dispatch_protocol_ignore);
3c0ef626 286 packet_start(SSH2_MSG_USERAUTH_SUCCESS);
287 packet_send();
288 packet_write_wait();
289 /* now we can break out */
290 authctxt->success = 1;
291 } else {
292 if (authctxt->failures++ > AUTH_FAIL_MAX) {
293#ifdef WITH_AIXAUTHENTICATE
294 loginfailed(authctxt->user,
e9a17296 295 get_canonical_hostname(options.verify_reverse_mapping),
3c0ef626 296 "ssh");
297#endif /* WITH_AIXAUTHENTICATE */
298 packet_disconnect(AUTH_FAIL_MSG, authctxt->user);
299 }
300 methods = authmethods_get();
301 packet_start(SSH2_MSG_USERAUTH_FAILURE);
302 packet_put_cstring(methods);
303 packet_put_char(0); /* XXX partial success, unused */
304 packet_send();
305 packet_write_wait();
306 xfree(methods);
307 }
308}
309
700318f3 310char *
311auth2_read_banner(void)
3c0ef626 312{
313 struct stat st;
314 char *banner = NULL;
315 off_t len, n;
316 int fd;
317
700318f3 318 if ((fd = open(options.banner, O_RDONLY)) == -1)
319 return (NULL);
320 if (fstat(fd, &st) == -1) {
321 close(fd);
322 return (NULL);
323 }
3c0ef626 324 len = st.st_size;
325 banner = xmalloc(len + 1);
700318f3 326 n = atomicio(read, fd, banner, len);
327 close(fd);
328
329 if (n != len) {
330 free(banner);
331 return (NULL);
332 }
3c0ef626 333 banner[n] = '\0';
700318f3 334
335 return (banner);
336}
337
338static void
339userauth_banner(void)
340{
341 char *banner = NULL;
342
343 if (options.banner == NULL || (datafellows & SSH_BUG_BANNER))
344 return;
345
346 if ((banner = PRIVSEP(auth2_read_banner())) == NULL)
347 goto done;
348
3c0ef626 349 packet_start(SSH2_MSG_USERAUTH_BANNER);
350 packet_put_cstring(banner);
351 packet_put_cstring(""); /* language, unused */
352 packet_send();
353 debug("userauth_banner: sent");
354done:
355 if (banner)
356 xfree(banner);
3c0ef626 357 return;
358}
359
360static int
361userauth_none(Authctxt *authctxt)
362{
363 /* disable method "none", only allowed one time */
364 Authmethod *m = authmethod_lookup("none");
365 if (m != NULL)
366 m->enabled = NULL;
e9a17296 367 packet_check_eom();
3c0ef626 368 userauth_banner();
369
370 if (authctxt->valid == 0)
371 return(0);
372
373#ifdef HAVE_CYGWIN
e9a17296 374 if (check_nt_auth(1, authctxt->pw) == 0)
3c0ef626 375 return(0);
376#endif
700318f3 377 return PRIVSEP(auth_password(authctxt, ""));
3c0ef626 378}
379
380static int
381userauth_passwd(Authctxt *authctxt)
382{
383 char *password;
384 int authenticated = 0;
385 int change;
386 u_int len;
387 change = packet_get_char();
388 if (change)
389 log("password change not supported");
390 password = packet_get_string(&len);
e9a17296 391 packet_check_eom();
3c0ef626 392 if (authctxt->valid &&
393#ifdef HAVE_CYGWIN
e9a17296 394 check_nt_auth(1, authctxt->pw) &&
3c0ef626 395#endif
700318f3 396 PRIVSEP(auth_password(authctxt, password)) == 1)
3c0ef626 397 authenticated = 1;
398 memset(password, 0, len);
399 xfree(password);
400 return authenticated;
401}
402
403static int
404userauth_kbdint(Authctxt *authctxt)
405{
406 int authenticated = 0;
407 char *lang, *devs;
408
409 lang = packet_get_string(NULL);
410 devs = packet_get_string(NULL);
e9a17296 411 packet_check_eom();
3c0ef626 412
413 debug("keyboard-interactive devs %s", devs);
414
415 if (options.challenge_response_authentication)
416 authenticated = auth2_challenge(authctxt, devs);
417
418#ifdef USE_PAM
419 if (authenticated == 0 && options.pam_authentication_via_kbd_int)
420 authenticated = auth2_pam(authctxt);
421#endif
422 xfree(devs);
423 xfree(lang);
424#ifdef HAVE_CYGWIN
e9a17296 425 if (check_nt_auth(0, authctxt->pw) == 0)
3c0ef626 426 return(0);
427#endif
428 return authenticated;
429}
430
431static int
432userauth_pubkey(Authctxt *authctxt)
433{
434 Buffer b;
e9a17296 435 Key *key = NULL;
436 char *pkalg;
437 u_char *pkblob, *sig;
3c0ef626 438 u_int alen, blen, slen;
439 int have_sig, pktype;
440 int authenticated = 0;
441
442 if (!authctxt->valid) {
443 debug2("userauth_pubkey: disabled because of invalid user");
444 return 0;
445 }
446 have_sig = packet_get_char();
447 if (datafellows & SSH_BUG_PKAUTH) {
448 debug2("userauth_pubkey: SSH_BUG_PKAUTH");
449 /* no explicit pkalg given */
450 pkblob = packet_get_string(&blen);
451 buffer_init(&b);
452 buffer_append(&b, pkblob, blen);
453 /* so we have to extract the pkalg from the pkblob */
454 pkalg = buffer_get_string(&b, &alen);
455 buffer_free(&b);
456 } else {
457 pkalg = packet_get_string(&alen);
458 pkblob = packet_get_string(&blen);
459 }
460 pktype = key_type_from_name(pkalg);
461 if (pktype == KEY_UNSPEC) {
462 /* this is perfectly legal */
e9a17296 463 log("userauth_pubkey: unsupported public key algorithm: %s",
464 pkalg);
465 goto done;
3c0ef626 466 }
467 key = key_from_blob(pkblob, blen);
e9a17296 468 if (key == NULL) {
469 error("userauth_pubkey: cannot decode key: %s", pkalg);
470 goto done;
471 }
472 if (key->type != pktype) {
473 error("userauth_pubkey: type mismatch for decoded key "
474 "(received %d, expected %d)", key->type, pktype);
475 goto done;
476 }
477 if (have_sig) {
478 sig = packet_get_string(&slen);
479 packet_check_eom();
480 buffer_init(&b);
481 if (datafellows & SSH_OLD_SESSIONID) {
482 buffer_append(&b, session_id2, session_id2_len);
483 } else {
484 buffer_put_string(&b, session_id2, session_id2_len);
485 }
486 /* reconstruct packet */
487 buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST);
488 buffer_put_cstring(&b, authctxt->user);
489 buffer_put_cstring(&b,
490 datafellows & SSH_BUG_PKSERVICE ?
491 "ssh-userauth" :
492 authctxt->service);
493 if (datafellows & SSH_BUG_PKAUTH) {
494 buffer_put_char(&b, have_sig);
495 } else {
496 buffer_put_cstring(&b, "publickey");
497 buffer_put_char(&b, have_sig);
498 buffer_put_cstring(&b, pkalg);
499 }
500 buffer_put_string(&b, pkblob, blen);
3c0ef626 501#ifdef DEBUG_PK
e9a17296 502 buffer_dump(&b);
3c0ef626 503#endif
e9a17296 504 /* test for correct signature */
700318f3 505 authenticated = 0;
506 if (PRIVSEP(user_key_allowed(authctxt->pw, key)) &&
507 PRIVSEP(key_verify(key, sig, slen, buffer_ptr(&b),
508 buffer_len(&b))) == 1)
e9a17296 509 authenticated = 1;
510 buffer_clear(&b);
511 xfree(sig);
512 } else {
513 debug("test whether pkalg/pkblob are acceptable");
514 packet_check_eom();
515
516 /* XXX fake reply and always send PK_OK ? */
517 /*
518 * XXX this allows testing whether a user is allowed
519 * to login: if you happen to have a valid pubkey this
520 * message is sent. the message is NEVER sent at all
521 * if a user is not allowed to login. is this an
522 * issue? -markus
523 */
700318f3 524 if (PRIVSEP(user_key_allowed(authctxt->pw, key))) {
e9a17296 525 packet_start(SSH2_MSG_USERAUTH_PK_OK);
526 packet_put_string(pkalg, alen);
527 packet_put_string(pkblob, blen);
528 packet_send();
529 packet_write_wait();
530 authctxt->postponed = 1;
3c0ef626 531 }
3c0ef626 532 }
e9a17296 533 if (authenticated != 1)
534 auth_clear_options();
535done:
3c0ef626 536 debug2("userauth_pubkey: authenticated %d pkalg %s", authenticated, pkalg);
e9a17296 537 if (key != NULL)
538 key_free(key);
3c0ef626 539 xfree(pkalg);
540 xfree(pkblob);
541#ifdef HAVE_CYGWIN
e9a17296 542 if (check_nt_auth(0, authctxt->pw) == 0)
3c0ef626 543 return(0);
544#endif
545 return authenticated;
546}
547
548static int
549userauth_hostbased(Authctxt *authctxt)
550{
551 Buffer b;
e9a17296 552 Key *key = NULL;
553 char *pkalg, *cuser, *chost, *service;
554 u_char *pkblob, *sig;
3c0ef626 555 u_int alen, blen, slen;
556 int pktype;
557 int authenticated = 0;
558
559 if (!authctxt->valid) {
560 debug2("userauth_hostbased: disabled because of invalid user");
561 return 0;
562 }
563 pkalg = packet_get_string(&alen);
564 pkblob = packet_get_string(&blen);
565 chost = packet_get_string(NULL);
566 cuser = packet_get_string(NULL);
567 sig = packet_get_string(&slen);
568
569 debug("userauth_hostbased: cuser %s chost %s pkalg %s slen %d",
570 cuser, chost, pkalg, slen);
571#ifdef DEBUG_PK
572 debug("signature:");
573 buffer_init(&b);
574 buffer_append(&b, sig, slen);
575 buffer_dump(&b);
576 buffer_free(&b);
577#endif
578 pktype = key_type_from_name(pkalg);
579 if (pktype == KEY_UNSPEC) {
580 /* this is perfectly legal */
581 log("userauth_hostbased: unsupported "
582 "public key algorithm: %s", pkalg);
583 goto done;
584 }
585 key = key_from_blob(pkblob, blen);
586 if (key == NULL) {
e9a17296 587 error("userauth_hostbased: cannot decode key: %s", pkalg);
588 goto done;
589 }
590 if (key->type != pktype) {
591 error("userauth_hostbased: type mismatch for decoded key "
592 "(received %d, expected %d)", key->type, pktype);
3c0ef626 593 goto done;
594 }
595 service = datafellows & SSH_BUG_HBSERVICE ? "ssh-userauth" :
596 authctxt->service;
597 buffer_init(&b);
598 buffer_put_string(&b, session_id2, session_id2_len);
599 /* reconstruct packet */
600 buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST);
601 buffer_put_cstring(&b, authctxt->user);
602 buffer_put_cstring(&b, service);
603 buffer_put_cstring(&b, "hostbased");
604 buffer_put_string(&b, pkalg, alen);
605 buffer_put_string(&b, pkblob, blen);
606 buffer_put_cstring(&b, chost);
607 buffer_put_cstring(&b, cuser);
608#ifdef DEBUG_PK
609 buffer_dump(&b);
610#endif
611 /* test for allowed key and correct signature */
700318f3 612 authenticated = 0;
613 if (PRIVSEP(hostbased_key_allowed(authctxt->pw, cuser, chost, key)) &&
614 PRIVSEP(key_verify(key, sig, slen, buffer_ptr(&b),
615 buffer_len(&b))) == 1)
3c0ef626 616 authenticated = 1;
617
618 buffer_clear(&b);
3c0ef626 619done:
620 debug2("userauth_hostbased: authenticated %d", authenticated);
e9a17296 621 if (key != NULL)
622 key_free(key);
3c0ef626 623 xfree(pkalg);
624 xfree(pkblob);
625 xfree(cuser);
626 xfree(chost);
627 xfree(sig);
628 return authenticated;
629}
630
631/* get current user */
632
633struct passwd*
634auth_get_user(void)
635{
636 return (x_authctxt != NULL && x_authctxt->valid) ? x_authctxt->pw : NULL;
637}
638
639#define DELIM ","
640
641static char *
642authmethods_get(void)
643{
644 Authmethod *method = NULL;
e9a17296 645 Buffer b;
3c0ef626 646 char *list;
647
e9a17296 648 buffer_init(&b);
3c0ef626 649 for (method = authmethods; method->name != NULL; method++) {
650 if (strcmp(method->name, "none") == 0)
651 continue;
652 if (method->enabled != NULL && *(method->enabled) != 0) {
e9a17296 653 if (buffer_len(&b) > 0)
654 buffer_append(&b, ",", 1);
655 buffer_append(&b, method->name, strlen(method->name));
3c0ef626 656 }
657 }
e9a17296 658 buffer_append(&b, "\0", 1);
659 list = xstrdup(buffer_ptr(&b));
660 buffer_free(&b);
3c0ef626 661 return list;
662}
663
664static Authmethod *
665authmethod_lookup(const char *name)
666{
667 Authmethod *method = NULL;
668 if (name != NULL)
669 for (method = authmethods; method->name != NULL; method++)
670 if (method->enabled != NULL &&
671 *(method->enabled) != 0 &&
672 strcmp(name, method->name) == 0)
673 return method;
674 debug2("Unrecognized authentication method name: %s", name ? name : "NULL");
675 return NULL;
676}
677
678/* return 1 if user allows given key */
679static int
680user_key_allowed2(struct passwd *pw, Key *key, char *file)
681{
682 char line[8192];
683 int found_key = 0;
684 FILE *f;
685 u_long linenum = 0;
686 struct stat st;
687 Key *found;
e9a17296 688 char *fp;
3c0ef626 689
690 if (pw == NULL)
691 return 0;
692
693 /* Temporarily use the user's uid. */
694 temporarily_use_uid(pw);
695
696 debug("trying public key file %s", file);
697
698 /* Fail quietly if file does not exist */
699 if (stat(file, &st) < 0) {
700 /* Restore the privileged uid. */
701 restore_uid();
702 return 0;
703 }
704 /* Open the file containing the authorized keys. */
705 f = fopen(file, "r");
706 if (!f) {
707 /* Restore the privileged uid. */
708 restore_uid();
709 return 0;
710 }
711 if (options.strict_modes &&
712 secure_filename(f, file, pw, line, sizeof(line)) != 0) {
713 fclose(f);
714 log("Authentication refused: %s", line);
715 restore_uid();
716 return 0;
717 }
718
719 found_key = 0;
720 found = key_new(key->type);
721
722 while (fgets(line, sizeof(line), f)) {
723 char *cp, *options = NULL;
724 linenum++;
725 /* Skip leading whitespace, empty and comment lines. */
726 for (cp = line; *cp == ' ' || *cp == '\t'; cp++)
727 ;
728 if (!*cp || *cp == '\n' || *cp == '#')
729 continue;
730
731 if (key_read(found, &cp) != 1) {
732 /* no key? check if there are options for this key */
733 int quoted = 0;
734 debug2("user_key_allowed: check options: '%s'", cp);
735 options = cp;
736 for (; *cp && (quoted || (*cp != ' ' && *cp != '\t')); cp++) {
737 if (*cp == '\\' && cp[1] == '"')
738 cp++; /* Skip both */
739 else if (*cp == '"')
740 quoted = !quoted;
741 }
742 /* Skip remaining whitespace. */
743 for (; *cp == ' ' || *cp == '\t'; cp++)
744 ;
745 if (key_read(found, &cp) != 1) {
746 debug2("user_key_allowed: advance: '%s'", cp);
747 /* still no key? advance to next line*/
748 continue;
749 }
750 }
751 if (key_equal(found, key) &&
752 auth_parse_options(pw, options, file, linenum) == 1) {
753 found_key = 1;
754 debug("matching key found: file %s, line %lu",
755 file, linenum);
e9a17296 756 fp = key_fingerprint(found, SSH_FP_MD5, SSH_FP_HEX);
757 verbose("Found matching %s key: %s",
758 key_type(found), fp);
759 xfree(fp);
3c0ef626 760 break;
761 }
762 }
763 restore_uid();
764 fclose(f);
765 key_free(found);
766 if (!found_key)
767 debug2("key not found");
768 return found_key;
769}
770
771/* check whether given key is in .ssh/authorized_keys* */
700318f3 772int
3c0ef626 773user_key_allowed(struct passwd *pw, Key *key)
774{
775 int success;
776 char *file;
777
778 file = authorized_keys_file(pw);
779 success = user_key_allowed2(pw, key, file);
780 xfree(file);
781 if (success)
782 return success;
783
784 /* try suffix "2" for backward compat, too */
785 file = authorized_keys_file2(pw);
786 success = user_key_allowed2(pw, key, file);
787 xfree(file);
788 return success;
789}
790
791/* return 1 if given hostkey is allowed */
700318f3 792int
3c0ef626 793hostbased_key_allowed(struct passwd *pw, const char *cuser, char *chost,
794 Key *key)
795{
796 const char *resolvedname, *ipaddr, *lookup;
e9a17296 797 HostStatus host_status;
798 int len;
3c0ef626 799
e9a17296 800 resolvedname = get_canonical_hostname(options.verify_reverse_mapping);
3c0ef626 801 ipaddr = get_remote_ipaddr();
802
803 debug2("userauth_hostbased: chost %s resolvedname %s ipaddr %s",
804 chost, resolvedname, ipaddr);
805
806 if (options.hostbased_uses_name_from_packet_only) {
807 if (auth_rhosts2(pw, cuser, chost, chost) == 0)
808 return 0;
809 lookup = chost;
810 } else {
811 if (((len = strlen(chost)) > 0) && chost[len - 1] == '.') {
812 debug2("stripping trailing dot from chost %s", chost);
813 chost[len - 1] = '\0';
814 }
815 if (strcasecmp(resolvedname, chost) != 0)
816 log("userauth_hostbased mismatch: "
817 "client sends %s, but we resolve %s to %s",
818 chost, ipaddr, resolvedname);
819 if (auth_rhosts2(pw, cuser, resolvedname, ipaddr) == 0)
820 return 0;
821 lookup = resolvedname;
822 }
823 debug2("userauth_hostbased: access allowed by auth_rhosts2");
824
825 host_status = check_key_in_hostfiles(pw, key, lookup,
826 _PATH_SSH_SYSTEM_HOSTFILE,
827 options.ignore_user_known_hosts ? NULL : _PATH_SSH_USER_HOSTFILE);
828
829 /* backward compat if no key has been found. */
830 if (host_status == HOST_NEW)
831 host_status = check_key_in_hostfiles(pw, key, lookup,
832 _PATH_SSH_SYSTEM_HOSTFILE2,
833 options.ignore_user_known_hosts ? NULL :
834 _PATH_SSH_USER_HOSTFILE2);
835
836 return (host_status == HOST_OK);
837}
git-cvsimport mirror of GSI OpenSSH
This page took 1.067129 seconds and 5 git commands to generate.