X-Git-Url: http://andersk.mit.edu/gitweb/gssapi-openssh.git/blobdiff_plain/16778bdf84e814a2688e890abc71e328b0e64907..f7e15749c918814b782908805a7030d3489968a0:/openssh/auth2.c
diff --git a/openssh/auth2.c b/openssh/auth2.c
index d073ba2..7cb74cf 100644
--- a/openssh/auth2.c
+++ b/openssh/auth2.c
@@ -23,13 +23,14 @@
  */
 #include "includes.h"
-RCSID("$OpenBSD: auth2.c,v 1.102 2003/08/26 09:58:43 markus Exp $");
+RCSID("$OpenBSD: auth2.c,v 1.104 2003/11/04 08:54:09 djm Exp $");
 #include "ssh2.h"
 #include "xmalloc.h"
 #include "packet.h"
 #include "log.h"
 #include "servconf.h"
+#include "compat.h"
 #include "auth.h"
 #include "dispatch.h"
 #include "pathnames.h"
@@ -44,8 +45,6 @@ extern ServerOptions options;
 extern u_char *session_id2;
 extern u_int session_id2_len;
-Authctxt *x_authctxt = NULL;
-
 /* methods */
 extern Authmethod method_none;
@@ -56,17 +55,16 @@ extern Authmethod method_hostbased;
 #ifdef GSSAPI
 extern Authmethod method_external;
 extern Authmethod method_gssapi;
+extern Authmethod method_gssapi_compat;
 #endif
 Authmethod *authmethods[] = {
 &method_none,
-#ifdef GSSAPI
- &method_external,
- &method_gssapi,
-#endif
 &method_pubkey,
 #ifdef GSSAPI
+ &method_external,
 &method_gssapi,
+ &method_gssapi_compat,
 #endif
 &method_passwd,
 &method_kbdint,
@@ -83,19 +81,14 @@ static void input_userauth_request(int, u_int32_t, void *);
 static Authmethod *authmethod_lookup(const char *);
 static char *authmethods_get(void);
 int user_key_allowed(struct passwd *, Key *);
-int hostbased_key_allowed(struct passwd *, const char *, char *, Key *);
 /*
 * loop until authctxt->success == TRUE
 */
-Authctxt *
-do_authentication2(void)
+void
+do_authentication2(Authctxt *authctxt)
 {
- Authctxt *authctxt = authctxt_new();
-
- x_authctxt = authctxt; /*XXX*/
-
 /* challenge-response is implemented via keyboard interactive */
 if (options.challenge_response_authentication)
 options.kbd_interactive_authentication = 1;
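Review bot: The new `&method_gssapi_compat` entry in authmethods[] has nothing saying what it is or under which condition sshd offers it; if, as the name and the new `#include "compat.h"` suggest, it is the older draft "gssapi" exchange kept for clients that predate "gssapi-with-mic", that is the variant which does not bind the exchange to the session identifier with a MIC, and it should not be advertised to clients able to use the MIC form. A one-line comment above the entry would settle this for the next reader, e.g. `/* draft "gssapi" exchange for old clients only; keep it gated on the client's compat flags rather than offered by default */`, adjusted to whatever actually gates it, which is not visible in this diff. This array's order is presumably also the order authmethods_get() advertises methods in, so moving the GSSAPI entries below `&method_pubkey` changes what clients see first; that looks intentional but deserves a sentence in the commit message.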
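Review bot: do_authentication2 now receives its Authctxt from the caller instead of allocating it, and the body goes on to pass `&authctxt->success` to dispatch_run without any NULL check, yet the only documentation is the unchanged "loop until authctxt->success == TRUE" line, which says nothing about ownership or initialisation. Replace that comment with one that states the new contract, e.g. `/* Run the SSH2 userauth loop on a caller-owned, already-initialised authctxt (see authctxt_new()) until authctxt->success is set; the caller keeps ownership and frees it. */`. The removed `x_authctxt` global means the former auth_get_user() accessor is gone too, so any remaining caller of it elsewhere in the tree must now reach the context through this parameter; worth stating in the commit message. The function body continues past the end of this hunk.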
@@ -103,8 +96,6 @@ do_authentication2(void)
 dispatch_init(&dispatch_protocol_error);
 dispatch_set(SSH2_MSG_SERVICE_REQUEST, &input_service_request);
 dispatch_run(DISPATCH_BLOCK, &authctxt->success, authctxt);
-
- return (authctxt);
 }
 static void
@@ -156,7 +147,7 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
 method = packet_get_string(NULL);
 #ifdef GSSAPI
- if (strcmp(user, "") == 0) {
+ if (user[0] == '\0') {
 debug("received empty username for %s", method);
 if (strcmp(method, "external-keyx") == 0) {
 char *lname = NULL;
@@ -165,7 +156,7 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
 xfree(user);
 user = lname;
 debug("set username to %s from gssapi context", user);
- } else if (authctxt->valid) {
+ } else {
 debug("failed to set username from gssapi context");
 }
 }
@@ -173,16 +164,17 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
 #endif
 debug("userauth-request for user %s service %s method %s",
- (user && user[0]) ? user : "", service, method);
+ user[0] ? user : "", service, method);
 debug("attempt %d failures %d", authctxt->attempt, authctxt->failures);
 if ((style = strchr(user, ':')) != NULL)
 *style++ = 0;
- authctxt->attempt++;
- if (!authctxt->user ||
- strcmp(user, authctxt->user) != 0) {
- /* setup auth context */
+ /* If first time or username changed or implicit username,
+ setup/reset authentication context. */
+ if ((authctxt->attempt++ == 0) ||
+ (strcmp(user, authctxt->user) != 0) ||
+ (strcmp(user, "") == 0)) {
 if (authctxt->user) {
 xfree(authctxt->user);
 authctxt->user = NULL;
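Review bot: The third clause of the new reset condition spells the empty-username test as `strcmp(user, "") == 0`, while the same commit changed the identical test a few lines earlier in this function (the GSSAPI block) to `user[0] == '\0'`; use one form throughout, e.g. `(user[0] == '\0')) {`. The second clause, `strcmp(user, authctxt->user) != 0`, is only reached once `attempt` is non-zero and therefore depends on every earlier pass having stored a non-NULL `authctxt->user`; the later hunk appears to guarantee that in both the GSSAPI-placeholder and normal branches, but a short comment on the condition saying so would make the invariant explicit. Dropping the `user &&` guard from the debug call is consistent with the `strchr(user, ':')` call just below, which already required a non-NULL user. input_userauth_request starts and ends outside this hunk.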
@@ -195,38 +187,40 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
 xfree(authctxt->style);
 authctxt->style = NULL;
 }
+ authctxt->valid = 0;
 #ifdef GSSAPI
- /* We'll verify the username after we set it from the
- GSSAPI context. */
+ /* If we're going to set the username based on the
+ GSSAPI context later, then wait until then to
+ verify it. Just put in placeholders for now. */
 if ((strcmp(user, "") == 0) &&
 ((strcmp(method, "gssapi") == 0) ||
- (strcmp(method, "external-keyx") == 0))) {
- authctxt->pw = NULL;
- authctxt->valid = 1;
+ (strcmp(method, "gssapi-with-mic") == 0))) {
+ authctxt->pw = fakepw();
+ authctxt->user = xstrdup(user);
 } else {
 #endif
 authctxt->pw = PRIVSEP(getpwnamallow(user));
+ authctxt->user = xstrdup(user);
 if (authctxt->pw && strcmp(service, "ssh-connection")==0) {
 authctxt->valid = 1;
 debug2("input_userauth_request: setting up authctxt for %s", user);
 #ifdef USE_PAM
 if (options.use_pam)
- PRIVSEP(start_pam(authctxt->pw->pw_name));
+ PRIVSEP(start_pam(authctxt));
 #endif
 } else {
 logit("input_userauth_request: illegal user %s", user);
 authctxt->pw = fakepw();
 #ifdef USE_PAM
 if (options.use_pam)
- PRIVSEP(start_pam(user));
+ PRIVSEP(start_pam(authctxt));
 #endif
 }
 #ifdef GSSAPI
- }
+ } /* endif for setting username based on GSSAPI context */
 #endif
 setproctitle("%s%s", authctxt->pw ? user : "unknown",
 use_privsep ? " [net]" : "");
- authctxt->user = xstrdup(user);
 authctxt->service = xstrdup(service);
 authctxt->style = style ? xstrdup(style) : NULL;
 if (use_privsep && (authctxt->attempt == 1))
@@ -313,14 +307,6 @@ userauth_finish(Authctxt *authctxt, int authenticated, char *method)
 }
 }
-/* get current user */
-
-struct passwd*
-auth_get_user(void)
-{
- return (x_authctxt != NULL && x_authctxt->valid) ? x_authctxt->pw : NULL;
-}
-
 #define DELIM ","
 static char *
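Review bot: With this change every branch leaves `authctxt->pw` non-NULL — getpwnamallow's result on success, `fakepw()` on the illegal-user path, and now `fakepw()` as the GSSAPI placeholder — so the `authctxt->pw ? user : "unknown"` test in the unchanged setproctitle call is always true; the placeholder case, which used to set pw to NULL and therefore showed "unknown", now puts the client-supplied (here empty) name in the process title. Since `authctxt->valid` is now cleared on every reset and set only on the known-user path, the title should key off it instead: `setproctitle("%s%s", authctxt->valid ? user : "unknown",`. The placeholder branch also relies on whatever later fills the username from the GSSAPI context to replace `pw` and set `valid` as well, and that code is outside this diff; a comment next to `authctxt->pw = fakepw();` naming the function responsible would make the two halves easier to keep in sync. input_userauth_request starts and ends outside this hunk.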