]> andersk Git - gssapi-openssh.git/blobdiff - openssh/auth2.c
merge of OPENSSH_3_6_1P1_SIMON_20030411
[gssapi-openssh.git] / openssh / auth2.c
index e40a8da6cd3e46c2af30001a058808825a92bf15..4c19365b49e90660e3fbd310d4e088fc89633757 100644 (file)
@@ -23,7 +23,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: auth2.c,v 1.93 2002/05/31 11:35:15 markus Exp $");
+RCSID("$OpenBSD: auth2.c,v 1.96 2003/02/06 21:22:43 markus Exp $");
 
 #include "ssh2.h"
 #include "ssh1.h"
@@ -36,15 +36,9 @@ RCSID("$OpenBSD: auth2.c,v 1.93 2002/05/31 11:35:15 markus Exp $");
 #include "dispatch.h"
 #include "pathnames.h"
 #include "monitor_wrap.h"
-#include "misc.h"
 
 #ifdef GSSAPI
 #include "ssh-gss.h"
-#ifdef GSI
-#include "globus_gss_assist.h"
-char* olduser;
-int  changeuser = 0;
-#endif
 #endif
 
 /* import */
@@ -121,7 +115,7 @@ input_service_request(int type, u_int32_t seq, void *ctxt)
 {
        Authctxt *authctxt = ctxt;
        u_int len;
-       int accept = 0;
+       int acceptit = 0;
        char *service = packet_get_string(&len);
        packet_check_eom();
 
@@ -130,14 +124,14 @@ input_service_request(int type, u_int32_t seq, void *ctxt)
 
        if (strcmp(service, "ssh-userauth") == 0) {
                if (!authctxt->success) {
-                       accept = 1;
+                       acceptit = 1;
                        /* now we can handle user-auth requests */
                        dispatch_set(SSH2_MSG_USERAUTH_REQUEST, &input_userauth_request);
                }
        }
        /* XXX all other service requests are denied */
 
-       if (accept) {
+       if (acceptit) {
                packet_start(SSH2_MSG_SERVICE_ACCEPT);
                packet_put_cstring(service);
                packet_send();
@@ -165,53 +159,55 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
        method = packet_get_string(NULL);
 
 #ifdef GSSAPI
-#ifdef GSI
-        if(changeuser == 0 && (strcmp(method,"external-keyx") == 0 || strcmp(method,"gssapi") ==0) && strcmp(user,"") == 0) {
-                char *gridmapped_name = NULL;
-                struct passwd *pw = NULL;
-                if(globus_gss_assist_gridmap(gssapi_client_name.value,
-                                     &gridmapped_name) == 0) {
-                        user = gridmapped_name;
-                        debug("I gridmapped and got %s", user);
-                        pw = getpwnam(user);
-                        if (pw && allowed_user(pw)) {
-                                olduser = authctxt->user;
-                                authctxt->user = xstrdup(user);
-                                authctxt->pw = pwcopy(pw);
-                                authctxt->valid = 1;
-                                changeuser = 1;
-                        }
-
-                } else {
-                   debug("I gridmapped and got null, reverting to %s",
-                         authctxt->user);
+       if (strcmp(user, "") == 0) {
+           debug("received empty username for %s", method);
+           if (strcmp(method, "external-keyx") == 0) {
+               char *lname = NULL;
+               PRIVSEP(ssh_gssapi_localname(&lname));
+               if (lname && lname[0] != '\0') {
                    xfree(user);
-                   user = xstrdup(authctxt->user);
-                }
-        }
-        else if(changeuser) {
-                struct passwd *pw = NULL;
-                pw = getpwnam(user);
-                if (pw && allowed_user(pw)) {
-                       xfree(authctxt->user);
-                        authctxt->user = olduser;
-                        authctxt->pw = pwcopy(pw);
-                        authctxt->valid = 1;
-                        changeuser = 0;
-                }
-        }
-
-#endif  /* GSI */
-#endif /* GSSAPI */
-
-       debug("userauth-request for user %s service %s method %s", user, service, method);
+                   user = lname;
+                   debug("set username to %s from gssapi context", user);
+               } else if (authctxt->valid) {
+                   debug("failed to set username from gssapi context");
+               }
+           }
+       }
+#endif
+
+       debug("userauth-request for user %s service %s method %s",
+             (user && user[0]) ? user : "<implicit>", service, method);
        debug("attempt %d failures %d", authctxt->attempt, authctxt->failures);
 
        if ((style = strchr(user, ':')) != NULL)
                *style++ = 0;
 
-       if (authctxt->attempt++ == 0) {
+       authctxt->attempt++;
+       if (!authctxt->user ||
+           strcmp(user, authctxt->user) != 0) {
                /* setup auth context */
+               if (authctxt->user) {
+                   xfree(authctxt->user);
+                   authctxt->user = NULL;
+               }
+               if (authctxt->service) {
+                   xfree(authctxt->service);
+                   authctxt->service = NULL;
+               }
+               if (authctxt->style) {
+                   xfree(authctxt->style);
+                   authctxt->style = NULL;
+               }
+#ifdef GSSAPI
+               /* We'll verify the username after we set it from the
+                  GSSAPI context. */
+               if ((strcmp(user, "") == 0) &&
+                   ((strcmp(method, "gssapi") == 0) ||
+                    (strcmp(method, "external-keyx") == 0))) {
+                   authctxt->pw = NULL;
+                   authctxt->valid = 1;
+               } else {
+#endif
                authctxt->pw = PRIVSEP(getpwnamallow(user));
                if (authctxt->pw && strcmp(service, "ssh-connection")==0) {
                        authctxt->valid = 1;
@@ -220,21 +216,24 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
                        PRIVSEP(start_pam(authctxt->pw->pw_name));
 #endif
                } else {
+                       authctxt->valid = 0;
                        log("input_userauth_request: illegal user %s", user);
 #ifdef USE_PAM
                        PRIVSEP(start_pam("NOUSER"));
 #endif
                }
+#ifdef GSSAPI
+               }
+#endif
                setproctitle("%s%s", authctxt->pw ? user : "unknown",
                    use_privsep ? " [net]" : "");
                authctxt->user = xstrdup(user);
                authctxt->service = xstrdup(service);
                authctxt->style = style ? xstrdup(style) : NULL;
-               if (use_privsep)
+               if (use_privsep && (authctxt->attempt == 1))
                        mm_inform_authserv(service, style);
-       } else if (strcmp(user, authctxt->user) != 0 ||
-           strcmp(service, authctxt->service) != 0) {
-               packet_disconnect("Change of username or service not allowed: "
+       } else if (strcmp(service, authctxt->service) != 0) {
+               packet_disconnect("Change of service not allowed: "
                    "(%s,%s) -> (%s,%s)",
                    authctxt->user, authctxt->service, user, service);
        }
@@ -281,6 +280,13 @@ userauth_finish(Authctxt *authctxt, int authenticated, char *method)
                authenticated = 0;
 #endif /* USE_PAM */
 
+#ifdef _UNICOS
+       if (authenticated && cray_access_denied(authctxt->user)) {
+               authenticated = 0;
+               fatal("Access denied for user %s.",authctxt->user);
+       }
+#endif /* _UNICOS */
+
        /* Log before sending the reply */
        if (!compat20)
        auth_log(authctxt, authenticated, method, " ssh1");
@@ -294,22 +300,15 @@ userauth_finish(Authctxt *authctxt, int authenticated, char *method)
        if (authenticated == 1) {
                /* turn off userauth */
                dispatch_set(SSH2_MSG_USERAUTH_REQUEST, &dispatch_protocol_ignore);
-               if (!compat20)
-               packet_start(SSH_SMSG_SUCCESS);
-               else
+               if (compat20) {
                packet_start(SSH2_MSG_USERAUTH_SUCCESS);
                packet_send();
                packet_write_wait();
+               }
                /* now we can break out */
                authctxt->success = 1;
        } else {
                if (authctxt->failures++ > AUTH_FAIL_MAX) {
-#ifdef WITH_AIXAUTHENTICATE
-                       /* XXX: privsep */
-                       loginfailed(authctxt->user,
-                           get_canonical_hostname(options.verify_reverse_mapping),
-                           "ssh");
-#endif /* WITH_AIXAUTHENTICATE */
                        packet_disconnect(AUTH_FAIL_MSG, authctxt->user);
                }
                if (!compat20) {
@@ -322,6 +321,10 @@ userauth_finish(Authctxt *authctxt, int authenticated, char *method)
                */
                authctxt->success = authctxt->postponed = 1;
                } else {
+#ifdef _UNICOS
+               if (strcmp(method, "password") == 0)
+                       cray_login_failure(authctxt->user, IA_UDBERR);
+#endif /* _UNICOS */
                methods = authmethods_get();
                packet_start(SSH2_MSG_USERAUTH_FAILURE);
                packet_put_cstring(methods);
This page took 0.04525 seconds and 4 git commands to generate.