X-Git-Url: http://andersk.mit.edu/gitweb/gssapi-openssh.git/blobdiff_plain/476861787f6e1b8a6c6af9307a15b9e57cb979dc..9f2c8cb950fea61c599edeb9721aca66f4bd61f6:/openssh/auth.c diff --git a/openssh/auth.c b/openssh/auth.c index f94c7d1..19253fe 100644 --- a/openssh/auth.c +++ b/openssh/auth.c @@ -1,4 +1,4 @@ -/* $OpenBSD: auth.c,v 1.78 2007/09/21 08:15:29 djm Exp $ */ +/* $OpenBSD: auth.c,v 1.80 2008/11/04 07:58:09 djm Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * @@ -32,6 +32,7 @@ #include #include +#include #ifdef HAVE_PATHS_H # include #endif @@ -48,6 +49,7 @@ #include #include #include +#include #include "xmalloc.h" #include "match.h" @@ -69,6 +71,9 @@ #endif #include "monitor_wrap.h" +#include "version.h" +#include "ssh-globus-usage.h" + /* import */ extern ServerOptions options; extern int use_privsep; @@ -113,6 +118,7 @@ allowed_user(struct passwd * pw) #endif /* USE_SHADOW */ /* grab passwd field for locked account check */ + passwd = pw->pw_passwd; #ifdef USE_SHADOW if (spw != NULL) #ifdef USE_LIBIAF @@ -120,8 +126,6 @@ allowed_user(struct passwd * pw) #else passwd = spw->sp_pwdp; #endif /* USE_LIBIAF */ -#else - passwd = pw->pw_passwd; #endif /* check for locked account */ @@ -268,7 +272,8 @@ auth_log(Authctxt *authctxt, int authenticated, char *method, char *info) authmsg, method, authctxt->valid ? "" : "invalid user ", - authctxt->user, + (authctxt->user && authctxt->user[0]) ? + authctxt->user : "unknown", get_remote_ipaddr(), get_remote_port(), info); @@ -290,6 +295,21 @@ auth_log(Authctxt *authctxt, int authenticated, char *method, char *info) if (authenticated == 0 && !authctxt->postponed) audit_event(audit_classify_auth(method)); #endif + if (authenticated) { + char *userdn = NULL; + char *mech_name = NULL; + ssh_gssapi_get_client_info(&userdn, &mech_name); + debug("REPORTING (%s) (%s) (%s) (%s) (%s) (%s) (%s)", + SSH_RELEASE, SSLeay_version(SSLEAY_VERSION), + method, mech_name?mech_name:"NULL", get_remote_ipaddr(), + (authctxt->user && authctxt->user[0])? + authctxt->user : "unknown", + userdn?userdn:"NULL"); + ssh_globus_send_usage_metrics(SSH_RELEASE, + SSLeay_version(SSLEAY_VERSION), + method, mech_name, get_remote_ipaddr(), + authctxt->user, userdn); + } } /* @@ -324,7 +344,7 @@ auth_root_allowed(char *method) * * This returns a buffer allocated by xmalloc. */ -static char * +char * expand_authorized_keys(const char *filename, struct passwd *pw) { char *file, ret[MAXPATHLEN]; @@ -410,7 +430,7 @@ check_key_in_hostfiles(struct passwd *pw, Key *key, const char *host, * * Returns 0 on success and -1 on failure */ -int +static int secure_filename(FILE *f, const char *file, struct passwd *pw, char *err, size_t errlen) { @@ -470,6 +490,46 @@ secure_filename(FILE *f, const char *file, struct passwd *pw, return 0; } +FILE * +auth_openkeyfile(const char *file, struct passwd *pw, int strict_modes) +{ + char line[1024]; + struct stat st; + int fd; + FILE *f; + + /* + * Open the file containing the authorized keys + * Fail quietly if file does not exist + */ + if ((fd = open(file, O_RDONLY|O_NONBLOCK)) == -1) + return NULL; + + if (fstat(fd, &st) < 0) { + close(fd); + return NULL; + } + if (!S_ISREG(st.st_mode)) { + logit("User %s authorized keys %s is not a regular file", + pw->pw_name, file); + close(fd); + return NULL; + } + unset_nonblock(fd); + if ((f = fdopen(fd, "r")) == NULL) { + close(fd); + return NULL; + } + if (options.strict_modes && + secure_filename(f, file, pw, line, sizeof(line)) != 0) { + fclose(f); + logit("Authentication refused: %s", line); + return NULL; + } + + return f; +} + struct passwd * getpwnamallow(const char *user) { @@ -485,9 +545,14 @@ getpwnamallow(const char *user) get_canonical_hostname(options.use_dns), get_remote_ipaddr()); pw = getpwnam(user); +#ifdef USE_PAM + if (options.use_pam && options.permit_pam_user_change && pw == NULL) + pw = sshpam_getpw(user); +#endif if (pw == NULL) { logit("Invalid user %.100s from %.100s", - user, get_remote_ipaddr()); + (user && user[0]) ? user : "unknown", + get_remote_ipaddr()); #ifdef CUSTOM_FAILED_LOGIN record_failed_login(user, get_canonical_hostname(options.use_dns), "ssh");