X-Git-Url: http://andersk.mit.edu/gitweb/gssapi-openssh.git/blobdiff_plain/b809a58e37e5bf2ba9cfc13258daf2bbf0bce53d..944e4e582be802144f889cadee3077f1a2b8b950:/openssh/auth2.c diff --git a/openssh/auth2.c b/openssh/auth2.c index 49a76fe..65c1dc8 100644 --- a/openssh/auth2.c +++ b/openssh/auth2.c @@ -35,6 +35,7 @@ RCSID("$OpenBSD: auth2.c,v 1.107 2004/07/28 09:40:29 markus Exp $"); #include "dispatch.h" #include "pathnames.h" #include "monitor_wrap.h" +#include "buffer.h" #ifdef GSSAPI #include "ssh-gss.h" @@ -44,6 +45,7 @@ RCSID("$OpenBSD: auth2.c,v 1.107 2004/07/28 09:40:29 markus Exp $"); extern ServerOptions options; extern u_char *session_id2; extern u_int session_id2_len; +extern Buffer loginmsg; /* methods */ @@ -54,6 +56,7 @@ extern Authmethod method_kbdint; extern Authmethod method_hostbased; #ifdef GSSAPI extern Authmethod method_external; +extern Authmethod method_gsskeyex; extern Authmethod method_gssapi; extern Authmethod method_gssapi_compat; #endif @@ -62,6 +65,7 @@ Authmethod *authmethods[] = { &method_none, &method_pubkey, #ifdef GSSAPI + &method_gsskeyex, &method_external, &method_gssapi, &method_gssapi_compat, @@ -149,7 +153,8 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt) #ifdef GSSAPI if (user[0] == '\0') { debug("received empty username for %s", method); - if (strcmp(method, "external-keyx") == 0) { + if (strcmp(method, "external-keyx") == 0 || + strcmp(method, "gssapi-keyex") == 0) { char *lname = NULL; PRIVSEP(ssh_gssapi_localname(&lname)); if (lname && lname[0] != '\0') { @@ -158,6 +163,7 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt) debug("set username to %s from gssapi context", user); } else { debug("failed to set username from gssapi context"); + packet_send_debug("failed to set username from gssapi context"); } } } @@ -196,20 +202,19 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt) if (authctxt->pw && strcmp(service, "ssh-connection")==0) { authctxt->valid = 1; debug2("input_userauth_request: setting up authctxt for %s", user); -#ifdef USE_PAM - if (options.use_pam) - PRIVSEP(start_pam(authctxt)); -#endif } else { logit("input_userauth_request: invalid user %s", user); authctxt->pw = fakepw(); -#ifdef USE_PAM - if (options.use_pam) - PRIVSEP(start_pam(authctxt)); +#ifdef SSH_AUDIT_EVENTS + PRIVSEP(audit_event(SSH_INVALID_USER)); #endif } #ifdef GSSAPI } /* endif for setting username based on GSSAPI context */ +#endif +#ifdef USE_PAM + if (options.use_pam) + PRIVSEP(start_pam(authctxt)); #endif setproctitle("%s%s", authctxt->valid ? user : "unknown", use_privsep ? " [net]" : ""); @@ -238,6 +243,7 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt) #endif authctxt->postponed = 0; + authctxt->server_caused_failure = 0; /* try to authenticate user */ m = authmethod_lookup(method); @@ -263,12 +269,26 @@ userauth_finish(Authctxt *authctxt, int authenticated, char *method) /* Special handling for root */ if (authenticated && authctxt->pw->pw_uid == 0 && - !auth_root_allowed(method)) + !auth_root_allowed(method)) { authenticated = 0; +#ifdef SSH_AUDIT_EVENTS + PRIVSEP(audit_event(SSH_LOGIN_ROOT_DENIED)); +#endif + } #ifdef USE_PAM - if (options.use_pam && authenticated && !PRIVSEP(do_pam_account())) - authenticated = 0; + if (options.use_pam && authenticated) { + if (!PRIVSEP(do_pam_account())) { + /* if PAM returned a message, send it to the user */ + if (buffer_len(&loginmsg) > 0) { + buffer_append(&loginmsg, "\0", 1); + userauth_send_banner(buffer_ptr(&loginmsg)); + packet_write_wait(); + } + fatal("Access denied for user %s by PAM account " + "configuration", authctxt->user); + } + } #endif #ifdef _UNICOS @@ -294,8 +314,14 @@ userauth_finish(Authctxt *authctxt, int authenticated, char *method) /* now we can break out */ authctxt->success = 1; } else { - if (authctxt->failures++ > options.max_authtries) + /* Dont count server configuration issues against the client */ + if (!authctxt->server_caused_failure && + authctxt->failures++ > options.max_authtries) { +#ifdef SSH_AUDIT_EVENTS + PRIVSEP(audit_event(SSH_LOGIN_EXCEED_MAXTRIES)); +#endif packet_disconnect(AUTH_FAIL_MSG, authctxt->user); + } methods = authmethods_get(); packet_start(SSH2_MSG_USERAUTH_FAILURE); packet_put_cstring(methods);