[openssh.git] / auth.h

/*
 * Copyright (c) 2000 Markus Friedl.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 *
 * $OpenBSD: auth.h,v 1.15 2001/04/12 19:15:24 markus Exp $
 */
#ifndef AUTH_H
#define AUTH_H

#include <openssl/rsa.h>

#ifdef HAVE_LOGIN_CAP
#include <login_cap.h>
#endif
#ifdef BSD_AUTH
#include <bsd_auth.h>
#endif

typedef struct Authctxt Authctxt;
struct Authctxt {
	int success;
	int postponed;
	int valid;
	int attempt;
	int failures;
	char *user;
	char *service;
	struct passwd *pw;
	char *style;
#ifdef BSD_AUTH
	auth_session_t *as;
#endif
};

/*
 * Tries to authenticate the user using the .rhosts file.  Returns true if
 * authentication succeeds.  If ignore_rhosts is non-zero, this will not
 * consider .rhosts and .shosts (/etc/hosts.equiv will still be used).
 */
int     auth_rhosts(struct passwd * pw, const char *client_user);

/* extended interface similar to auth_rhosts() */
int
auth_rhosts2(struct passwd *pw, const char *client_user, const char *hostname,
    const char *ipaddr);

/*
 * Tries to authenticate the user using the .rhosts file and the host using
 * its host key.  Returns true if authentication succeeds.
 */
int
auth_rhosts_rsa(struct passwd * pw, const char *client_user, RSA* client_host_key);

/*
 * Tries to authenticate the user using password.  Returns true if
 * authentication succeeds.
 */
int     auth_password(Authctxt *authctxt, const char *password);

/*
 * Performs the RSA authentication dialog with the client.  This returns 0 if
 * the client could not be authenticated, and 1 if authentication was
 * successful.  This may exit if there is a serious protocol violation.
 */
int     auth_rsa(struct passwd * pw, BIGNUM * client_n);

/*
 * Parses an RSA key (number of bits, e, n) from a string.  Moves the pointer
 * over the key.  Skips any whitespace at the beginning and at end.
 */
int     auth_rsa_read_key(char **cpp, u_int *bitsp, BIGNUM * e, BIGNUM * n);

/*
 * Performs the RSA authentication challenge-response dialog with the client,
 * and returns true (non-zero) if the client gave the correct answer to our
 * challenge; returns zero if the client gives a wrong answer.
 */
int     auth_rsa_challenge_dialog(RSA *pk);

#ifdef KRB4
#include <krb.h>
/*
 * Performs Kerberos v4 mutual authentication with the client. This returns 0
 * if the client could not be authenticated, and 1 if authentication was
 * successful.  This may exit if there is a serious protocol violation.
 */
int     auth_krb4(const char *server_user, KTEXT auth, char **client);
int     krb4_init(uid_t uid);
void    krb4_cleanup_proc(void *ignore);
int	auth_krb4_password(struct passwd * pw, const char *password);

#ifdef AFS
#include <kafs.h>

/* Accept passed Kerberos v4 ticket-granting ticket and AFS tokens. */
int     auth_kerberos_tgt(struct passwd * pw, const char *string);
int     auth_afs_token(struct passwd * pw, const char *token_string);
#endif				/* AFS */

#endif				/* KRB4 */

#include "auth-pam.h"
#include "auth2-pam.h"

void	do_authentication(void);
void	do_authentication2(void);

Authctxt *authctxt_new(void);
void	auth_log(Authctxt *authctxt, int authenticated, char *method, char *info);
void	userauth_finish(Authctxt *authctxt, int authenticated, char *method);
int	auth_root_allowed(char *method);

int	auth2_challenge(Authctxt *authctxt, char *devs);

int	allowed_user(struct passwd * pw);

char	*get_challenge(Authctxt *authctxt, char *devs);
int	verify_response(Authctxt *authctxt, char *response);

struct passwd * auth_get_user(void);

#define AUTH_FAIL_MAX 6
#define AUTH_FAIL_LOG (AUTH_FAIL_MAX/2)
#define AUTH_FAIL_MSG "Too many authentication failures for %.100s"

#endif
Commit	Line	Data
bcbf86ec	1	/*
	2	* Copyright (c) 2000 Markus Friedl. All rights reserved.
	3	*
	4	* Redistribution and use in source and binary forms, with or without
	5	* modification, are permitted provided that the following conditions
	6	* are met:
	7	* 1. Redistributions of source code must retain the above copyright
	8	* notice, this list of conditions and the following disclaimer.
	9	* 2. Redistributions in binary form must reproduce the above copyright
	10	* notice, this list of conditions and the following disclaimer in the
	11	* documentation and/or other materials provided with the distribution.
	12	*
	13	* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
	14	* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
	15	* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
	16	* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
	17	* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
	18	* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
	19	* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
	20	* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
	21	* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
	22	* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
8abcdba4	23	*
8002af61	24	* $OpenBSD: auth.h,v 1.15 2001/04/12 19:15:24 markus Exp $
bcbf86ec	25	*/
7368a6c8	26	#ifndef AUTH_H
	27	#define AUTH_H
	28
42f11eb2	29	#include <openssl/rsa.h>
42f11eb2	30
af774732	31	#ifdef HAVE_LOGIN_CAP
	32	#include <login_cap.h>
	33	#endif
	34	#ifdef BSD_AUTH
	35	#include <bsd_auth.h>
	36	#endif
	37
94ec8c6b	38	typedef struct Authctxt Authctxt;
	39	struct Authctxt {
	40	int success;
59c97189	41	int postponed;
94ec8c6b	42	int valid;
94ec8c6b	43	int attempt;
8abcdba4	44	int failures;
94ec8c6b	45	char *user;
	46	char *service;
	47	struct passwd *pw;
59c97189	48	char *style;
af774732	49	#ifdef BSD_AUTH
	50	auth_session_t *as;
	51	#endif
94ec8c6b	52	};
94ec8c6b	53
42f11eb2	54	/*
	55	* Tries to authenticate the user using the .rhosts file. Returns true if
	56	* authentication succeeds. If ignore_rhosts is non-zero, this will not
	57	* consider .rhosts and .shosts (/etc/hosts.equiv will still be used).
	58	*/
	59	int auth_rhosts(struct passwd * pw, const char *client_user);
	60
8002af61	61	/* extended interface similar to auth_rhosts() */
	62	int
	63	auth_rhosts2(struct passwd pw, const char client_user, const char *hostname,
	64	const char *ipaddr);
	65
42f11eb2	66	/*
	67	* Tries to authenticate the user using the .rhosts file and the host using
	68	* its host key. Returns true if authentication succeeds.
	69	*/
	70	int
	71	auth_rhosts_rsa(struct passwd * pw, const char client_user, RSA client_host_key);
	72
	73	/*
	74	* Tries to authenticate the user using password. Returns true if
	75	* authentication succeeds.
	76	*/
af774732	77	int auth_password(Authctxt authctxt, const char password);
42f11eb2	78
	79	/*
	80	* Performs the RSA authentication dialog with the client. This returns 0 if
	81	* the client could not be authenticated, and 1 if authentication was
	82	* successful. This may exit if there is a serious protocol violation.
	83	*/
	84	int auth_rsa(struct passwd * pw, BIGNUM * client_n);
	85
	86	/*
	87	* Parses an RSA key (number of bits, e, n) from a string. Moves the pointer
	88	* over the key. Skips any whitespace at the beginning and at end.
	89	*/
	90	int auth_rsa_read_key(char *cpp, u_int bitsp, BIGNUM * e, BIGNUM * n);
	91
	92	/*
	93	* Performs the RSA authentication challenge-response dialog with the client,
	94	* and returns true (non-zero) if the client gave the correct answer to our
	95	* challenge; returns zero if the client gives a wrong answer.
	96	*/
	97	int auth_rsa_challenge_dialog(RSA *pk);
	98
	99	#ifdef KRB4
	100	#include <krb.h>
	101	/*
	102	* Performs Kerberos v4 mutual authentication with the client. This returns 0
	103	* if the client could not be authenticated, and 1 if authentication was
	104	* successful. This may exit if there is a serious protocol violation.
	105	*/
	106	int auth_krb4(const char server_user, KTEXT auth, char *client);
	107	int krb4_init(uid_t uid);
	108	void krb4_cleanup_proc(void *ignore);
	109	int auth_krb4_password(struct passwd * pw, const char *password);
	110
	111	#ifdef AFS
	112	#include <kafs.h>
	113
	114	/* Accept passed Kerberos v4 ticket-granting ticket and AFS tokens. */
	115	int auth_kerberos_tgt(struct passwd * pw, const char *string);
	116	int auth_afs_token(struct passwd * pw, const char *token_string);
	117	#endif /* AFS */
	118
	119	#endif /* KRB4 */
	120
8c9fe09e	121	#include "auth-pam.h"
	122	#include "auth2-pam.h"
	123
7368a6c8	124	void do_authentication(void);
e78a59f5	125	void do_authentication2(void);
e78a59f5	126
59c97189	127	Authctxt *authctxt_new(void);
59c97189	128	void auth_log(Authctxt authctxt, int authenticated, char method, char *info);
d9cd3575	129	void userauth_finish(Authctxt authctxt, int authenticated, char method);
15853e93	130	int auth_root_allowed(char *method);
94ec8c6b	131
59c97189	132	int auth2_challenge(Authctxt authctxt, char devs);
7368a6c8	133
94ec8c6b	134	int allowed_user(struct passwd * pw);
59c97189	135
	136	char get_challenge(Authctxt authctxt, char *devs);
	137	int verify_response(Authctxt authctxt, char response);
	138
94ec8c6b	139	struct passwd * auth_get_user(void);
a306f2dd	140
	141	#define AUTH_FAIL_MAX 6
	142	#define AUTH_FAIL_LOG (AUTH_FAIL_MAX/2)
	143	#define AUTH_FAIL_MSG "Too many authentication failures for %.100s"
	144
7368a6c8	145	#endif