X-Git-Url: http://andersk.mit.edu/gitweb/gssapi-openssh.git/blobdiff_plain/c81089072de86601ee489297e631a7d1ce2c4322..944e4e582be802144f889cadee3077f1a2b8b950:/openssh/auth2.c

diff --git a/openssh/auth2.c b/openssh/auth2.c
index 9b38bd9..65c1dc8 100644
--- a/openssh/auth2.c
+++ b/openssh/auth2.c
@@ -23,7 +23,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: auth2.c,v 1.104 2003/11/04 08:54:09 djm Exp $");
+RCSID("$OpenBSD: auth2.c,v 1.107 2004/07/28 09:40:29 markus Exp $");
 
 #include "ssh2.h"
 #include "xmalloc.h"
@@ -35,6 +35,7 @@ RCSID("$OpenBSD: auth2.c,v 1.104 2003/11/04 08:54:09 djm Exp $");
 #include "dispatch.h"
 #include "pathnames.h"
 #include "monitor_wrap.h"
+#include "buffer.h"
 
 #ifdef GSSAPI
 #include "ssh-gss.h"
@@ -44,6 +45,7 @@ RCSID("$OpenBSD: auth2.c,v 1.104 2003/11/04 08:54:09 djm Exp $");
 extern ServerOptions options;
 extern u_char *session_id2;
 extern u_int session_id2_len;
+extern Buffer loginmsg;
 
 /* methods */
 
@@ -54,6 +56,7 @@ extern Authmethod method_kbdint;
 extern Authmethod method_hostbased;
 #ifdef GSSAPI
 extern Authmethod method_external;
+extern Authmethod method_gsskeyex;
 extern Authmethod method_gssapi;
 extern Authmethod method_gssapi_compat;
 #endif
@@ -62,6 +65,7 @@ Authmethod *authmethods[] = {
 	&method_none,
 	&method_pubkey,
 #ifdef GSSAPI
+	&method_gsskeyex,
 	&method_external,
 	&method_gssapi,
 	&method_gssapi_compat,
@@ -147,9 +151,10 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
 	method = packet_get_string(NULL);
 
 #ifdef GSSAPI
-	if (strcmp(user, "") == 0) {
+	if (user[0] == '\0') {
 	    debug("received empty username for %s", method);
-	    if (strcmp(method, "external-keyx") == 0) {
+	    if (strcmp(method, "external-keyx") == 0 ||
+		strcmp(method, "gssapi-keyex") == 0) {
 		char *lname = NULL;
 		PRIVSEP(ssh_gssapi_localname(&lname));
 		if (lname && lname[0] != '\0') {
@@ -158,13 +163,14 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
 		    debug("set username to %s from gssapi context", user);
 		} else {
 		    debug("failed to set username from gssapi context");
+		    packet_send_debug("failed to set username from gssapi context");
 		}
 	    }
 	}
 #endif
 
 	debug("userauth-request for user %s service %s method %s",
-	      (user && user[0]) ? user : "<implicit>", service, method);
+	      user[0] ? user : "<implicit>", service, method);
 	debug("attempt %d failures %d", authctxt->attempt, authctxt->failures);
 
 	if ((style = strchr(user, ':')) != NULL)
@@ -175,56 +181,55 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
 	if ((authctxt->attempt++ == 0) ||
 	    (strcmp(user, authctxt->user) != 0) ||
 	    (strcmp(user, "") == 0)) {
-		/* setup auth context */
 		if (authctxt->user) {
 		    xfree(authctxt->user);
 		    authctxt->user = NULL;
 		}
-		if (authctxt->service) {
-		    xfree(authctxt->service);
-		    authctxt->service = NULL;
-		}
-		if (authctxt->style) {
-		    xfree(authctxt->style);
-		    authctxt->style = NULL;
-		}
-		authctxt->pw = NULL;
 		authctxt->valid = 0;
 #ifdef GSSAPI
 		/* If we're going to set the username based on the
 		   GSSAPI context later, then wait until then to
-		   verify it. */
-		if ((strcmp(user, "") != 0) ||
-		    ((strcmp(method, "gssapi") != 0) &&
-		     (strcmp(method, "gssapi-with-mic") != 0))) {
+		   verify it. Just put in placeholders for now. */
+		if ((strcmp(user, "") == 0) &&
+		    ((strcmp(method, "gssapi") == 0) ||
+		     (strcmp(method, "gssapi-with-mic") == 0))) {
+			authctxt->pw = fakepw();
+			authctxt->user = xstrdup(user);
+		} else {
 #endif
 		authctxt->pw = PRIVSEP(getpwnamallow(user));
 		authctxt->user = xstrdup(user);
 		if (authctxt->pw && strcmp(service, "ssh-connection")==0) {
 			authctxt->valid = 1;
 			debug2("input_userauth_request: setting up authctxt for %s", user);
-#ifdef USE_PAM
-			if (options.use_pam)
-				PRIVSEP(start_pam(authctxt));
-#endif
 		} else {
-			logit("input_userauth_request: illegal user %s", user);
+			logit("input_userauth_request: invalid user %s", user);
 			authctxt->pw = fakepw();
-#ifdef USE_PAM
-			if (options.use_pam)
-				PRIVSEP(start_pam(authctxt));
+#ifdef SSH_AUDIT_EVENTS
+			PRIVSEP(audit_event(SSH_INVALID_USER));
 #endif
 		}
 #ifdef GSSAPI
 		} /* endif for setting username based on GSSAPI context */
 #endif
-		setproctitle("%s%s", authctxt->pw ? user : "unknown",
+#ifdef USE_PAM
+		if (options.use_pam)
+			PRIVSEP(start_pam(authctxt));
+#endif
+		setproctitle("%s%s", authctxt->valid ? user : "unknown",
 		    use_privsep ? " [net]" : "");
+#ifdef GSSAPI
+		if (authctxt->attempt == 1) {
+#endif
 		authctxt->service = xstrdup(service);
 		authctxt->style = style ? xstrdup(style) : NULL;
-		if (use_privsep && (authctxt->attempt == 1))
+		if (use_privsep)
 			mm_inform_authserv(service, style);
-	} else if (strcmp(service, authctxt->service) != 0) {
+#ifdef GSSAPI
+		} /* if (authctxt->attempt == 1) */
+#endif
+	}
+	if (strcmp(service, authctxt->service) != 0) {
 		packet_disconnect("Change of service not allowed: "
 		    "(%s,%s) -> (%s,%s)",
 		    authctxt->user, authctxt->service, user, service);
@@ -238,6 +243,7 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
 #endif
 
 	authctxt->postponed = 0;
+	authctxt->server_caused_failure = 0;
 
 	/* try to authenticate user */
 	m = authmethod_lookup(method);
@@ -263,12 +269,26 @@ userauth_finish(Authctxt *authctxt, int authenticated, char *method)
 
 	/* Special handling for root */
 	if (authenticated && authctxt->pw->pw_uid == 0 &&
-	    !auth_root_allowed(method))
+	    !auth_root_allowed(method)) {
 		authenticated = 0;
+#ifdef SSH_AUDIT_EVENTS
+		PRIVSEP(audit_event(SSH_LOGIN_ROOT_DENIED));
+#endif
+	}
 
 #ifdef USE_PAM
-	if (options.use_pam && authenticated && !PRIVSEP(do_pam_account()))
-		authenticated = 0;
+	if (options.use_pam && authenticated) {
+		if (!PRIVSEP(do_pam_account())) {
+			/* if PAM returned a message, send it to the user */
+			if (buffer_len(&loginmsg) > 0) {
+				buffer_append(&loginmsg, "\0", 1);
+				userauth_send_banner(buffer_ptr(&loginmsg));
+				packet_write_wait();
+			}
+			fatal("Access denied for user %s by PAM account "
+			    "configuration", authctxt->user);
+		}
+	}
 #endif
 
 #ifdef _UNICOS
@@ -294,8 +314,14 @@ userauth_finish(Authctxt *authctxt, int authenticated, char *method)
 		/* now we can break out */
 		authctxt->success = 1;
 	} else {
-		if (authctxt->failures++ > AUTH_FAIL_MAX)
+		/* Dont count server configuration issues against the client */
+		if (!authctxt->server_caused_failure && 
+		    authctxt->failures++ > options.max_authtries) {
+#ifdef SSH_AUDIT_EVENTS
+			PRIVSEP(audit_event(SSH_LOGIN_EXCEED_MAXTRIES));
+#endif
 			packet_disconnect(AUTH_FAIL_MSG, authctxt->user);
+		}
 		methods = authmethods_get();
 		packet_start(SSH2_MSG_USERAUTH_FAILURE);
 		packet_put_cstring(methods);