]> andersk Git - gssapi-openssh.git/blobdiff - openssh/auth2.c
andersk / gssapi-openssh.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
merge of OPENSSH_3_6_1P1_SIMON_20030411
[gssapi-openssh.git] / openssh / auth2.c
diff --git a/openssh/auth2.c b/openssh/auth2.c
index 16c886eb3365d25fd173ca15e4e59bad0720fd4d..4c19365b49e90660e3fbd310d4e088fc89633757 100644 (file)
--- a/openssh/auth2.c
+++ b/openssh/auth2.c
@@ -23,7 +23,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: auth2.c,v 1.93 2002/05/31 11:35:15 markus Exp $");
+RCSID("$OpenBSD: auth2.c,v 1.96 2003/02/06 21:22:43 markus Exp $");
 
 #include "ssh2.h"
 #include "ssh1.h"
@@ -36,7 +36,6 @@ RCSID("$OpenBSD: auth2.c,v 1.93 2002/05/31 11:35:15 markus Exp $");
 #include "dispatch.h"
 #include "pathnames.h"
 #include "monitor_wrap.h"
-#include "misc.h"
 
 #ifdef GSSAPI
 #include "ssh-gss.h"
@@ -116,7 +115,7 @@ input_service_request(int type, u_int32_t seq, void *ctxt)
 {
        Authctxt *authctxt = ctxt;
        u_int len;
-       int accept = 0;
+       int acceptit = 0;
        char *service = packet_get_string(&len);
        packet_check_eom();
 
@@ -125,14 +124,14 @@ input_service_request(int type, u_int32_t seq, void *ctxt)
 
        if (strcmp(service, "ssh-userauth") == 0) {
                if (!authctxt->success) {
-                       accept = 1;
+                       acceptit = 1;
                        /* now we can handle user-auth requests */
                        dispatch_set(SSH2_MSG_USERAUTH_REQUEST, &input_userauth_request);
                }
        }
        /* XXX all other service requests are denied */
 
-       if (accept) {
+       if (acceptit) {
                packet_start(SSH2_MSG_SERVICE_ACCEPT);
                packet_put_cstring(service);
                packet_send();
@@ -161,26 +160,29 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
 
 #ifdef GSSAPI
        if (strcmp(user, "") == 0) {
-           char *lname = NULL;
-           debug("gssapi received empty username");
-           PRIVSEP(ssh_gssapi_localname(&lname));
-           if (lname && lname[0] != '\0') {
-               xfree(user);
-               user = lname;
-               debug("gssapi successfully set username to %s", user);
-           } else if (authctxt->valid) {
-               debug("failed to set username from gssapi context");
-               goto finish;
+           debug("received empty username for %s", method);
+           if (strcmp(method, "external-keyx") == 0) {
+               char *lname = NULL;
+               PRIVSEP(ssh_gssapi_localname(&lname));
+               if (lname && lname[0] != '\0') {
+                   xfree(user);
+                   user = lname;
+                   debug("set username to %s from gssapi context", user);
+               } else if (authctxt->valid) {
+                   debug("failed to set username from gssapi context");
+               }
            }
        }
 #endif
 
-       debug("userauth-request for user %s service %s method %s", user, service, method);
+       debug("userauth-request for user %s service %s method %s",
+             (user && user[0]) ? user : "<implicit>", service, method);
        debug("attempt %d failures %d", authctxt->attempt, authctxt->failures);
 
        if ((style = strchr(user, ':')) != NULL)
                *style++ = 0;
 
+       authctxt->attempt++;
        if (!authctxt->user ||
            strcmp(user, authctxt->user) != 0) {
                /* setup auth context */
@@ -196,6 +198,16 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
                    xfree(authctxt->style);
                    authctxt->style = NULL;
                }
+#ifdef GSSAPI
+               /* We'll verify the username after we set it from the
+                  GSSAPI context. */
+               if ((strcmp(user, "") == 0) &&
+                   ((strcmp(method, "gssapi") == 0) ||
+                    (strcmp(method, "external-keyx") == 0))) {
+                   authctxt->pw = NULL;
+                   authctxt->valid = 1;
+               } else {
+#endif
                authctxt->pw = PRIVSEP(getpwnamallow(user));
                if (authctxt->pw && strcmp(service, "ssh-connection")==0) {
                        authctxt->valid = 1;
@@ -210,13 +222,20 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
                        PRIVSEP(start_pam("NOUSER"));
 #endif
                }
+#ifdef GSSAPI
+               }
+#endif
                setproctitle("%s%s", authctxt->pw ? user : "unknown",
                    use_privsep ? " [net]" : "");
                authctxt->user = xstrdup(user);
                authctxt->service = xstrdup(service);
                authctxt->style = style ? xstrdup(style) : NULL;
-               if (use_privsep)
+               if (use_privsep && (authctxt->attempt == 1))
                        mm_inform_authserv(service, style);
+       } else if (strcmp(service, authctxt->service) != 0) {
+               packet_disconnect("Change of service not allowed: "
+                   "(%s,%s) -> (%s,%s)",
+                   authctxt->user, authctxt->service, user, service);
        }
        /* reset state */
        auth2_challenge_stop(authctxt);
@@ -234,7 +253,6 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
                debug2("input_userauth_request: try method %s", method);
                authenticated = m->userauth(authctxt);
        }
-finish:
        userauth_finish(authctxt, authenticated, method);
 
        xfree(service);
@@ -262,6 +280,13 @@ userauth_finish(Authctxt *authctxt, int authenticated, char *method)
                authenticated = 0;
 #endif /* USE_PAM */
 
+#ifdef _UNICOS
+       if (authenticated && cray_access_denied(authctxt->user)) {
+               authenticated = 0;
+               fatal("Access denied for user %s.",authctxt->user);
+       }
+#endif /* _UNICOS */
+
        /* Log before sending the reply */
        if (!compat20)
        auth_log(authctxt, authenticated, method, " ssh1");
@@ -284,12 +309,6 @@ userauth_finish(Authctxt *authctxt, int authenticated, char *method)
                authctxt->success = 1;
        } else {
                if (authctxt->failures++ > AUTH_FAIL_MAX) {
-#ifdef WITH_AIXAUTHENTICATE
-                       /* XXX: privsep */
-                       loginfailed(authctxt->user,
-                           get_canonical_hostname(options.verify_reverse_mapping),
-                           "ssh");
-#endif /* WITH_AIXAUTHENTICATE */
                        packet_disconnect(AUTH_FAIL_MSG, authctxt->user);
                }
                if (!compat20) {
@@ -302,6 +321,10 @@ userauth_finish(Authctxt *authctxt, int authenticated, char *method)
                */
                authctxt->success = authctxt->postponed = 1;
                } else {
+#ifdef _UNICOS
+               if (strcmp(method, "password") == 0)
+                       cray_login_failure(authctxt->user, IA_UDBERR);
+#endif /* _UNICOS */
                methods = authmethods_get();
                packet_start(SSH2_MSG_USERAUTH_FAILURE);
                packet_put_cstring(methods);
git-cvsimport mirror of GSI OpenSSH
This page took 0.03879 seconds and 4 git commands to generate.