method,
authctxt->valid ? "" : "invalid user ",
(authctxt->user && authctxt->user[0]) ?
- authctxt->user : "<implicit>",
+ authctxt->user : "unknown",
get_remote_ipaddr(),
get_remote_port(),
info);
pw = getpwnam(user);
if (pw == NULL) {
logit("Invalid user %.100s from %.100s",
- (user && user[0]) ? user : "<implicit>",
+ (user && user[0]) ? user : "unknown",
get_remote_ipaddr());
#ifdef CUSTOM_FAILED_LOGIN
record_failed_login(user,
}
static void
-gssapi_set_implicit_username(Authctxt *authctxt)
+gssapi_set_username(Authctxt *authctxt)
{
+ char *lname = NULL;
+
if ((authctxt->user == NULL) || (authctxt->user[0] == '\0')) {
- char *lname = NULL;
- PRIVSEP(ssh_gssapi_localname(&lname));
- if (lname && lname[0] != '\0') {
- if (authctxt->user) xfree(authctxt->user);
- authctxt->user = lname;
- debug("set username to %s from gssapi context", lname);
- authctxt->pw = PRIVSEP(getpwnamallow(authctxt->user));
- if (authctxt->pw) {
- authctxt->valid = 1;
- }
- } else {
- debug("failed to set username from gssapi context");
- packet_send_debug("failed to set username from gssapi context");
- }
- }
- if (authctxt->pw) {
+ PRIVSEP(ssh_gssapi_localname(&lname));
+ if (lname && lname[0] != '\0') {
+ if (authctxt->user) xfree(authctxt->user);
+ authctxt->user = lname;
+ debug("set username to %s from gssapi context", lname);
+ authctxt->pw = PRIVSEP(getpwnamallow(authctxt->user));
+ if (authctxt->pw) {
+ authctxt->valid = 1;
#ifdef USE_PAM
- if (options.use_pam)
- PRIVSEP(start_pam(authctxt));
+ if (options.use_pam)
+ PRIVSEP(start_pam(authctxt));
#endif
+ }
+ } else {
+ debug("failed to set username from gssapi context");
+ packet_send_debug("failed to set username from gssapi context");
+ }
}
}
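Review bot: When `PRIVSEP(getpwnamallow(authctxt->user))` returns NULL, the result is stored straight into `authctxt->pw`, so a GSSAPI-derived name with no local account leaves the context with a NULL passwd entry. That differs from the `fakepw()` placeholder which the auth2.c part of this patch assigns for the same empty-username case. Code that runs later and expects every invalid user to carry a placeholder entry would see a different state on this path. Consider adding `else authctxt->pw = fakepw();` to the inner `if (authctxt->pw)`, assuming fakepw() is declared for this file. Separately, `debug("set username to %s from gssapi context", lname)` logs the derived name without the `%.100s` bound used by the other log calls touched in this patch.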
if (authctxt == NULL || (authctxt->methoddata == NULL && !use_privsep))
fatal("No authentication or GSSAPI context");
- gssapi_set_implicit_username(authctxt);
-
gssctxt = authctxt->methoddata;
mic.value = packet_get_string(&len);
gssbuf.value = buffer_ptr(&b);
gssbuf.length = buffer_len(&b);
+ gssapi_set_username(authctxt);
+
if (!GSS_ERROR(PRIVSEP(ssh_gssapi_checkmic(gssctxt, &gssbuf, &mic))))
if (authctxt->valid && authctxt->user && authctxt->user[0]) {
authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user));
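Review bot: `gssapi_set_username(authctxt)` now runs before `ssh_gssapi_checkmic()` has succeeded, so the account lookup, `authctxt->valid = 1` and (under USE_PAM) `start_pam()` all happen for a request whose MIC may still be rejected. If the call sits here only so that `gssbuf` is filled before `authctxt->user` is replaced, it could move inside the success branch, ahead of the `authctxt->valid` test, with that outer `if` given braces. Either way the ordering deserves a comment such as `/* must follow the gssbuf setup: the MIC covers the name the client sent */`, but confirm that reason against the code that builds buffer `b`, which is not in this hunk. The enclosing function starts and ends outside the hunk.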
if ((style = strchr(user, ':')) != NULL)
*style++ = 0;
- /* If first time or username changed or implicit username,
+ /* If first time or username changed or empty username,
setup/reset authentication context. */
if ((authctxt->attempt++ == 0) ||
(strcmp(user, authctxt->user) != 0) ||
authctxt->user = NULL;
}
authctxt->valid = 0;
+ authctxt->user = xstrdup(user);
+ if (strcmp(service, "ssh-connection") != 0) {
+ packet_disconnect("Unsupported service %s", service);
+ }
#ifdef GSSAPI
/* If we're going to set the username based on the
GSSAPI context later, then wait until then to
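Review bot: `packet_disconnect("Unsupported service %s", service)` formats a client-supplied string with no length bound, while the log calls elsewhere in this patch cap such fields with `%.100s`. I would write it as `packet_disconnect("Unsupported service %.100s", service);` so an oversized service name cannot dominate the disconnect message or the resulting log line. A one-line comment above the check, for example `/* reject unknown services before any account lookup */`, would also record why it sits ahead of the `getpwnamallow()` call. The surrounding reset block begins and ends outside this hunk.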
((strcmp(method, "gssapi") == 0) ||
(strcmp(method, "gssapi-with-mic") == 0))) {
authctxt->pw = fakepw();
- authctxt->user = xstrdup(user);
} else {
#endif
authctxt->pw = PRIVSEP(getpwnamallow(user));
- authctxt->user = xstrdup(user);
- if (authctxt->pw && strcmp(service, "ssh-connection")==0) {
+ if (authctxt->pw) {
authctxt->valid = 1;
debug2("input_userauth_request: setting up authctxt for %s", user);
} else {
#endif
setproctitle("%s%s", authctxt->valid ? user : "unknown",
use_privsep ? " [net]" : "");
-#ifdef GSSAPI
if (authctxt->attempt == 1) {
-#endif
- authctxt->service = xstrdup(service);
- authctxt->style = style ? xstrdup(style) : NULL;
- if (use_privsep)
- mm_inform_authserv(service, style);
-#ifdef GSSAPI
- } /* if (authctxt->attempt == 1) */
-#endif
+ authctxt->service = xstrdup(service);
+ authctxt->style = style ? xstrdup(style) : NULL;
+ if (use_privsep)
+ mm_inform_authserv(service, style);
+ }
}
if (strcmp(service, authctxt->service) != 0) {
packet_disconnect("Change of service not allowed: "
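Review bot: With the `#ifdef GSSAPI` guards removed, `authctxt->service` and `authctxt->style` are assigned, and `mm_inform_authserv(service, style)` is called, only when `authctxt->attempt == 1`, in every build. The reset condition earlier in this function also fires on a username change, so a later request that re-enters the block with a different `user:style` appears to keep the first attempt's style, and the monitor is not told about the new one. If that is intended, a comment on the `if`, for example `/* service and style are fixed by the first request; later username changes do not update them */`, would make it explicit. Otherwise the old `authctxt->style` should be freed and reassigned on reset. The enclosing block starts outside this hunk, so the nesting is inferred from the closing braces.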