-/* $OpenBSD: auth.c,v 1.78 2007/09/21 08:15:29 djm Exp $ */
+/* $OpenBSD: auth.c,v 1.80 2008/11/04 07:58:09 djm Exp $ */
/*
* Copyright (c) 2000 Markus Friedl. All rights reserved.
*
#include <netinet/in.h>
#include <errno.h>
+#include <fcntl.h>
#ifdef HAVE_PATHS_H
# include <paths.h>
#endif
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
+#include <unistd.h>
#include "xmalloc.h"
#include "match.h"
#endif
#include "monitor_wrap.h"
+#include "version.h"
+#include "ssh-globus-usage.h"
+
/* import */
extern ServerOptions options;
extern int use_privsep;
#endif /* USE_SHADOW */
/* grab passwd field for locked account check */
+ passwd = pw->pw_passwd;
#ifdef USE_SHADOW
if (spw != NULL)
#ifdef USE_LIBIAF
#else
passwd = spw->sp_pwdp;
#endif /* USE_LIBIAF */
-#else
- passwd = pw->pw_passwd;
#endif
/* check for locked account */
if (authenticated == 0 && !authctxt->postponed)
audit_event(audit_classify_auth(method));
#endif
+ if (authenticated) {
+ char *userdn = NULL;
+ char *mech_name = NULL;
+ ssh_gssapi_get_client_info(&userdn, &mech_name);
+ debug("REPORTING (%s) (%s) (%s) (%s) (%s) (%s) (%s)",
+ SSH_RELEASE, SSLeay_version(SSLEAY_VERSION),
+ method, mech_name?mech_name:"NULL", get_remote_ipaddr(),
+ (authctxt->user && authctxt->user[0])?
+ authctxt->user : "unknown",
+ userdn?userdn:"NULL");
+ ssh_globus_send_usage_metrics(SSH_RELEASE,
+ SSLeay_version(SSLEAY_VERSION),
+ method, mech_name, get_remote_ipaddr(),
+ authctxt->user, userdn);
+ }
}
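Review bot: `authctxt->user` is passed unguarded to `ssh_globus_send_usage_metrics` at the end of the block, while the `debug()` call just above guards it with `(authctxt->user && authctxt->user[0]) ? authctxt->user : "unknown"`; if the helper formats it with `%s`, a NULL user is undefined behaviour, so pass the same guarded value to the metrics call. The `userdn` and `mech_name` strings filled in by `ssh_gssapi_get_client_info` are never released here; if that helper allocates them, they leak once per successful authentication — confirm against its definition. This call also ships the peer address, username and DN to a usage-reporting endpoint from the authentication path, and the hunk shows no server option gating it, so a comment naming the opt-out (or an `options.` check) would help operators. The enclosing function starts outside the hunk.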
/*
*
* Returns 0 on success and -1 on failure
*/
-int
+static int
secure_filename(FILE *f, const char *file, struct passwd *pw,
char *err, size_t errlen)
{
return 0;
}
+FILE *
+auth_openkeyfile(const char *file, struct passwd *pw, int strict_modes)
+{
+ char line[1024];
+ struct stat st;
+ int fd;
+ FILE *f;
+
+ /*
+ * Open the file containing the authorized keys
+ * Fail quietly if file does not exist
+ */
+ if ((fd = open(file, O_RDONLY|O_NONBLOCK)) == -1)
+ return NULL;
+
+ if (fstat(fd, &st) < 0) {
+ close(fd);
+ return NULL;
+ }
+ if (!S_ISREG(st.st_mode)) {
+ logit("User %s authorized keys %s is not a regular file",
+ pw->pw_name, file);
+ close(fd);
+ return NULL;
+ }
+ unset_nonblock(fd);
+ if ((f = fdopen(fd, "r")) == NULL) {
+ close(fd);
+ return NULL;
+ }
+ if (options.strict_modes &&
+ secure_filename(f, file, pw, line, sizeof(line)) != 0) {
+ fclose(f);
+ logit("Authentication refused: %s", line);
+ return NULL;
+ }
+
+ return f;
+}
+
struct passwd *
getpwnamallow(const char *user)
{
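Review bot: The new `auth_openkeyfile` takes a `strict_modes` parameter but never reads it — the check at `if (options.strict_modes &&` consults the global instead, so whatever a caller passes is silently ignored and the parameter advertises a contract the code does not honour. Either use the parameter, `if (strict_modes &&`, or drop it from the signature. A short header comment would also help: opens `file` read-only, refuses anything that is not a regular file, returns NULL quietly on open/fstat/fdopen failure (logging only for the non-regular-file and secure_filename cases), and hands back a FILE* the caller must fclose. The trailing `struct passwd * getpwnamallow` lines are context; that function's body lies outside the hunk.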
get_canonical_hostname(options.use_dns), get_remote_ipaddr());
pw = getpwnam(user);
+#ifdef USE_PAM
+ if (options.use_pam && options.permit_pam_user_change && pw == NULL)
+ pw = sshpam_getpw(user);
+#endif
if (pw == NULL) {
logit("Invalid user %.100s from %.100s",
(user && user[0]) ? user : "unknown",