[openssh.git] / auth2.c

/*
 * Copyright (c) 2000 Markus Friedl.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */

#include "includes.h"
RCSID("$OpenBSD: auth2.c,v 1.16 2000/09/27 21:41:34 markus Exp $");

#include <openssl/dsa.h>
#include <openssl/rsa.h>
#include <openssl/evp.h>

#include "xmalloc.h"
#include "rsa.h"
#include "ssh.h"
#include "pty.h"
#include "packet.h"
#include "buffer.h"
#include "cipher.h"
#include "servconf.h"
#include "compat.h"
#include "channels.h"
#include "bufaux.h"
#include "ssh2.h"
#include "auth.h"
#include "session.h"
#include "dispatch.h"
#include "auth.h"
#include "key.h"
#include "kex.h"

#include "dsa.h"
#include "uidswap.h"
#include "auth-options.h"

#ifdef HAVE_OSF_SIA
# include <sia.h>
# include <siad.h>
#endif

/* import */
extern ServerOptions options;
extern unsigned char *session_id2;
extern int session_id2_len;

/* protocol */

void	input_service_request(int type, int plen, void *ctxt);
void	input_userauth_request(int type, int plen, void *ctxt);
void	protocol_error(int type, int plen, void *ctxt);

/* auth */
int	ssh2_auth_none(struct passwd *pw);
int	ssh2_auth_password(struct passwd *pw);
int  	ssh2_auth_pubkey(struct passwd *pw, char *service);

/* helper */
struct passwd*	 auth_set_user(char *u, char *s);
int	user_dsa_key_allowed(struct passwd *pw, Key *key);

typedef struct Authctxt Authctxt;
struct Authctxt {
	char *user;
	char *service;
	struct passwd pw;
	int valid;
};
static Authctxt	*authctxt = NULL;
static int userauth_success = 0;

/*
 * loop until userauth_success == TRUE
 */

void
do_authentication2()
{
	/* turn off skey/kerberos, not supported by SSH2 */
#ifdef SKEY
	options.skey_authentication = 0;
#endif
#ifdef KRB4
	options.kerberos_authentication = 0;
#endif

	dispatch_init(&protocol_error);
	dispatch_set(SSH2_MSG_SERVICE_REQUEST, &input_service_request);
	dispatch_run(DISPATCH_BLOCK, &userauth_success, NULL);
	do_authenticated2();
}

void
protocol_error(int type, int plen, void *ctxt)
{
	log("auth: protocol error: type %d plen %d", type, plen);
	packet_start(SSH2_MSG_UNIMPLEMENTED);
	packet_put_int(0);
	packet_send();
	packet_write_wait();
}

void
input_service_request(int type, int plen, void *ctxt)
{
	unsigned int len;
	int accept = 0;
	char *service = packet_get_string(&len);
	packet_done();

	if (strcmp(service, "ssh-userauth") == 0) {
		if (!userauth_success) {
			accept = 1;
			/* now we can handle user-auth requests */
			dispatch_set(SSH2_MSG_USERAUTH_REQUEST, &input_userauth_request);
		}
	}
	/* XXX all other service requests are denied */

	if (accept) {
		packet_start(SSH2_MSG_SERVICE_ACCEPT);
		packet_put_cstring(service);
		packet_send();
		packet_write_wait();
	} else {
		debug("bad service request %s", service);
		packet_disconnect("bad service request %s", service);
	}
	xfree(service);
}

void
input_userauth_request(int type, int plen, void *ctxt)
{
	static void (*authlog) (const char *fmt,...) = verbose;
	static int attempt = 0;
	unsigned int len;
	int authenticated = 0;
	char *user, *service, *method, *authmsg = NULL;
	struct passwd *pw;
#ifdef WITH_AIXAUTHENTICATE
	extern char *aixloginmsg;
#endif /* WITH_AIXAUTHENTICATE */

	user = packet_get_string(&len);
	service = packet_get_string(&len);
	method = packet_get_string(&len);
	if (++attempt == AUTH_FAIL_MAX) {
#ifdef WITH_AIXAUTHENTICATE 
		loginfailed(user,get_canonical_hostname(),"ssh");
#endif /* WITH_AIXAUTHENTICATE */
		packet_disconnect("too many failed userauth_requests");
	}
	debug("userauth-request for user %s service %s method %s", user, service, method);

	/* XXX we only allow the ssh-connection service */
	pw = auth_set_user(user, service);
	if (pw && strcmp(service, "ssh-connection")==0) {
		if (strcmp(method, "none") == 0) {
			authenticated =	ssh2_auth_none(pw);
		} else if (strcmp(method, "password") == 0) {
			authenticated =	ssh2_auth_password(pw);
		} else if (strcmp(method, "publickey") == 0) {
			authenticated =	ssh2_auth_pubkey(pw, service);
		}
	}

#ifdef HAVE_CYGWIN
	if (authenticated && !check_nt_auth(strcmp(method, "password") == 0, pw->pw_uid)) {
		packet_disconnect("Authentication rejected for uid %d.",
				  (int) pw->pw_uid);
		authenticated = 0;
	}
#endif

	if (authenticated && pw && pw->pw_uid == 0 && !options.permit_root_login) {
		authenticated = 0;
		log("ROOT LOGIN REFUSED FROM %.200s",
		    get_canonical_hostname());
	}

#ifdef USE_PAM
	if (authenticated && !do_pam_account(pw->pw_name, NULL))
		authenticated = 0;
#endif /* USE_PAM */

	/* Raise logging level */
	if (authenticated == 1 ||
	    attempt == AUTH_FAIL_LOG ||
	    strcmp(method, "password") == 0)
		authlog = log;

	/* Log before sending the reply */
	if (authenticated == 1) {
		authmsg = "Accepted";
	} else if (authenticated == 0) {
		authmsg = "Failed";
	} else {
		authmsg = "Postponed";
	}
	authlog("%s %s for %.200s from %.200s port %d ssh2",
		authmsg,
		method,
		pw && pw->pw_uid == 0 ? "ROOT" : user,
		get_remote_ipaddr(),
		get_remote_port());

	/* XXX todo: check if multiple auth methods are needed */
	if (authenticated == 1) {
#ifdef WITH_AIXAUTHENTICATE
		/* We don't have a pty yet, so just label the line as "ssh" */
		if (loginsuccess(user,get_canonical_hostname(),"ssh",
				&aixloginmsg) < 0)
			aixloginmsg = NULL;
#endif /* WITH_AIXAUTHENTICATE */
		/* turn off userauth */
		dispatch_set(SSH2_MSG_USERAUTH_REQUEST, &protocol_error);
		packet_start(SSH2_MSG_USERAUTH_SUCCESS);
		packet_send();
		packet_write_wait();
		/* now we can break out */
		userauth_success = 1;
	} else if (authenticated == 0) {
		packet_start(SSH2_MSG_USERAUTH_FAILURE);
		packet_put_cstring("publickey,password");	/* XXX dynamic */
		packet_put_char(0);				/* XXX partial success, unused */
		packet_send();
		packet_write_wait();
	}

	xfree(service);
	xfree(user);
	xfree(method);
}

int
ssh2_auth_none(struct passwd *pw)
{
#ifdef HAVE_OSF_SIA
	extern int saved_argc;
	extern char **saved_argv;
#endif

	packet_done();

#ifdef USE_PAM
	return auth_pam_password(pw, "");
#elif defined(HAVE_OSF_SIA)
	return(sia_validate_user(NULL, saved_argc, saved_argv, 
		get_canonical_hostname(), pw->pw_name, NULL, 0, NULL, 
		"") == SIASUCCESS);
#else /* !HAVE_OSF_SIA && !USE_PAM */
	return auth_password(pw, "");
#endif /* USE_PAM */
}
int
ssh2_auth_password(struct passwd *pw)
{
	char *password;
	int authenticated = 0;
	int change;
	unsigned int len;
#ifdef HAVE_OSF_SIA
	extern int saved_argc;
	extern char **saved_argv;
#endif
	change = packet_get_char();
	if (change)
		log("password change not supported");
	password = packet_get_string(&len);
	packet_done();
	if (options.password_authentication &&
#ifdef USE_PAM
	    auth_pam_password(pw, password) == 1)
#elif defined(HAVE_OSF_SIA)
	    sia_validate_user(NULL, saved_argc, saved_argv, 
		 	get_canonical_hostname(), pw->pw_name, NULL, 0, 
			NULL, password) == SIASUCCESS)
#else /* !USE_PAM && !HAVE_OSF_SIA */
	    auth_password(pw, password) == 1)
#endif /* USE_PAM */
		authenticated = 1;
	memset(password, 0, len);
	xfree(password);
	return authenticated;
}
int
ssh2_auth_pubkey(struct passwd *pw, char *service)
{
	Buffer b;
	Key *key;
	char *pkalg, *pkblob, *sig;
	unsigned int alen, blen, slen;
	int have_sig;
	int authenticated = 0;

	if (options.dsa_authentication == 0) {
		debug("pubkey auth disabled");
		return 0;
	}
	have_sig = packet_get_char();
	pkalg = packet_get_string(&alen);
	if (strcmp(pkalg, KEX_DSS) != 0) {
		xfree(pkalg);
		log("bad pkalg %s", pkalg);	/*XXX*/
		return 0;
	}
	pkblob = packet_get_string(&blen);
	key = dsa_key_from_blob(pkblob, blen);
	if (key != NULL) {
		if (have_sig) {
			sig = packet_get_string(&slen);
			packet_done();
			buffer_init(&b);
			if (datafellows & SSH_COMPAT_SESSIONID_ENCODING) {
				buffer_put_string(&b, session_id2, session_id2_len);
			} else {
				buffer_append(&b, session_id2, session_id2_len);
			}
			/* reconstruct packet */
			buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST);
			buffer_put_cstring(&b, pw->pw_name);
			buffer_put_cstring(&b,
			    datafellows & SSH_BUG_PUBKEYAUTH ?
			    "ssh-userauth" :
			    service);
			buffer_put_cstring(&b, "publickey");
			buffer_put_char(&b, have_sig);
			buffer_put_cstring(&b, KEX_DSS);
			buffer_put_string(&b, pkblob, blen);
#ifdef DEBUG_DSS
			buffer_dump(&b);
#endif
			/* test for correct signature */
			if (user_dsa_key_allowed(pw, key) &&
			    dsa_verify(key, sig, slen, buffer_ptr(&b), buffer_len(&b)) == 1)
				authenticated = 1;
			buffer_clear(&b);
			xfree(sig);
		} else {
			packet_done();
			debug("test key...");
			/* test whether pkalg/pkblob are acceptable */
			/* XXX fake reply and always send PK_OK ? */
			/*
			 * XXX this allows testing whether a user is allowed
			 * to login: if you happen to have a valid pubkey this
			 * message is sent. the message is NEVER sent at all
			 * if a user is not allowed to login. is this an
			 * issue? -markus
			 */
			if (user_dsa_key_allowed(pw, key)) {
				packet_start(SSH2_MSG_USERAUTH_PK_OK);
				packet_put_string(pkalg, alen);
				packet_put_string(pkblob, blen);
				packet_send();
				packet_write_wait();
				authenticated = -1;
			}
		}
		key_free(key);
	}
	xfree(pkalg);
	xfree(pkblob);
	return authenticated;
}

/* set and get current user */

struct passwd*
auth_get_user(void)
{
	return (authctxt != NULL && authctxt->valid) ? &authctxt->pw : NULL;
}

struct passwd*
auth_set_user(char *u, char *s)
{
	struct passwd *pw, *copy;

	if (authctxt == NULL) {
		authctxt = xmalloc(sizeof(*authctxt));
		authctxt->valid = 0;
		authctxt->user = xstrdup(u);
		authctxt->service = xstrdup(s);
		setproctitle("%s", u);
		pw = getpwnam(u);
		if (!pw || !allowed_user(pw)) {
			log("auth_set_user: illegal user %s", u);
			return NULL;
		}
#ifdef USE_PAM
		start_pam(pw);
#endif
		copy = &authctxt->pw;
		memset(copy, 0, sizeof(*copy));
		copy->pw_name = xstrdup(pw->pw_name);
		copy->pw_passwd = xstrdup(pw->pw_passwd);
		copy->pw_uid = pw->pw_uid;
		copy->pw_gid = pw->pw_gid;
#ifdef HAVE_PW_CLASS_IN_PASSWD
		copy->pw_class = xstrdup(pw->pw_class);
#endif
		copy->pw_dir = xstrdup(pw->pw_dir);
		copy->pw_shell = xstrdup(pw->pw_shell);
		authctxt->valid = 1;
	} else {
		if (strcmp(u, authctxt->user) != 0 ||
		    strcmp(s, authctxt->service) != 0) {
			log("auth_set_user: missmatch: (%s,%s)!=(%s,%s)",
			    u, s, authctxt->user, authctxt->service);
			return NULL;
		}
	}
	return auth_get_user();
}

/* return 1 if user allows given key */
int
user_dsa_key_allowed(struct passwd *pw, Key *key)
{
	char line[8192], file[1024];
	int found_key = 0;
	unsigned int bits = -1;
	FILE *f;
	unsigned long linenum = 0;
	struct stat st;
	Key *found;

	/* Temporarily use the user's uid. */
	temporarily_use_uid(pw->pw_uid);

	/* The authorized keys. */
	snprintf(file, sizeof file, "%.500s/%.100s", pw->pw_dir,
	    SSH_USER_PERMITTED_KEYS2);

	/* Fail quietly if file does not exist */
	if (stat(file, &st) < 0) {
		/* Restore the privileged uid. */
		restore_uid();
		return 0;
	}
	/* Open the file containing the authorized keys. */
	f = fopen(file, "r");
	if (!f) {
		/* Restore the privileged uid. */
		restore_uid();
		return 0;
	}
	if (options.strict_modes) {
		int fail = 0;
		char buf[1024];
		/* Check open file in order to avoid open/stat races */
		if (fstat(fileno(f), &st) < 0 ||
		    (st.st_uid != 0 && st.st_uid != pw->pw_uid) ||
		    (st.st_mode & 022) != 0) {
			snprintf(buf, sizeof buf,
			    "%s authentication refused for %.100s: "
			    "bad ownership or modes for '%s'.",
			    key_type(key), pw->pw_name, file);
			fail = 1;
		} else {
			/* Check path to SSH_USER_PERMITTED_KEYS */
			int i;
			static const char *check[] = {
				"", SSH_USER_DIR, NULL
			};
			for (i = 0; check[i]; i++) {
				snprintf(line, sizeof line, "%.500s/%.100s",
				    pw->pw_dir, check[i]);
				if (stat(line, &st) < 0 ||
				    (st.st_uid != 0 && st.st_uid != pw->pw_uid) ||
				    (st.st_mode & 022) != 0) {
					snprintf(buf, sizeof buf,
					    "%s authentication refused for %.100s: "
					    "bad ownership or modes for '%s'.",
					    key_type(key), pw->pw_name, line);
					fail = 1;
					break;
				}
			}
		}
		if (fail) {
			fclose(f);
			log("%s",buf);
			restore_uid();
			return 0;
		}
	}
	found_key = 0;
	found = key_new(key->type);

	while (fgets(line, sizeof(line), f)) {
		char *cp, *options = NULL;
		linenum++;
		/* Skip leading whitespace, empty and comment lines. */
		for (cp = line; *cp == ' ' || *cp == '\t'; cp++)
			;
		if (!*cp || *cp == '\n' || *cp == '#')
			continue;

		bits = key_read(found, &cp);
		if (bits == 0) {
			/* no key?  check if there are options for this key */
			int quoted = 0;
			options = cp;
			for (; *cp && (quoted || (*cp != ' ' && *cp != '\t')); cp++) {
				if (*cp == '\\' && cp[1] == '"')
					cp++;	/* Skip both */
				else if (*cp == '"')
					quoted = !quoted;
			}
			/* Skip remaining whitespace. */
			for (; *cp == ' ' || *cp == '\t'; cp++)
				;
			bits = key_read(found, &cp);
			if (bits == 0) {
				/* still no key?  advance to next line*/
				continue;
			}
		}
		if (key_equal(found, key) &&
		    auth_parse_options(pw, options, linenum) == 1) {
			found_key = 1;
			debug("matching key found: file %s, line %ld",
			    file, linenum);
			break;
		}
	}
	restore_uid();
	fclose(f);
	key_free(found);
	return found_key;
}
Commit	Line	Data
a306f2dd	1	/*
	2	* Copyright (c) 2000 Markus Friedl. All rights reserved.
	3	*
	4	* Redistribution and use in source and binary forms, with or without
	5	* modification, are permitted provided that the following conditions
	6	* are met:
	7	* 1. Redistributions of source code must retain the above copyright
	8	* notice, this list of conditions and the following disclaimer.
	9	* 2. Redistributions in binary form must reproduce the above copyright
	10	* notice, this list of conditions and the following disclaimer in the
	11	* documentation and/or other materials provided with the distribution.
a306f2dd	12	*
	13	* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
	14	* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
	15	* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
	16	* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
	17	* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
	18	* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
	19	* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
	20	* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
	21	* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
	22	* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
	23	*/
bcbf86ec	24
a306f2dd	25	#include "includes.h"
de273eef	26	RCSID("$OpenBSD: auth2.c,v 1.16 2000/09/27 21:41:34 markus Exp $");
a306f2dd	27
	28	#include <openssl/dsa.h>
	29	#include <openssl/rsa.h>
	30	#include <openssl/evp.h>
	31
	32	#include "xmalloc.h"
	33	#include "rsa.h"
	34	#include "ssh.h"
	35	#include "pty.h"
	36	#include "packet.h"
	37	#include "buffer.h"
	38	#include "cipher.h"
	39	#include "servconf.h"
	40	#include "compat.h"
	41	#include "channels.h"
	42	#include "bufaux.h"
	43	#include "ssh2.h"
	44	#include "auth.h"
	45	#include "session.h"
	46	#include "dispatch.h"
	47	#include "auth.h"
	48	#include "key.h"
	49	#include "kex.h"
	50
	51	#include "dsa.h"
	52	#include "uidswap.h"
38c295d6	53	#include "auth-options.h"
a306f2dd	54
4d33e531	55	#ifdef HAVE_OSF_SIA
	56	# include <sia.h>
	57	# include <siad.h>
	58	#endif
	59
a306f2dd	60	/* import */
	61	extern ServerOptions options;
	62	extern unsigned char *session_id2;
	63	extern int session_id2_len;
	64
	65	/* protocol */
	66
188adeb2	67	void input_service_request(int type, int plen, void *ctxt);
	68	void input_userauth_request(int type, int plen, void *ctxt);
	69	void protocol_error(int type, int plen, void *ctxt);
a306f2dd	70
	71	/* auth */
	72	int ssh2_auth_none(struct passwd *pw);
	73	int ssh2_auth_password(struct passwd *pw);
38c295d6	74	int ssh2_auth_pubkey(struct passwd pw, char service);
a306f2dd	75
	76	/* helper */
	77	struct passwd* auth_set_user(char u, char s);
	78	int user_dsa_key_allowed(struct passwd pw, Key key);
	79
	80	typedef struct Authctxt Authctxt;
	81	struct Authctxt {
	82	char *user;
	83	char *service;
	84	struct passwd pw;
	85	int valid;
	86	};
	87	static Authctxt *authctxt = NULL;
	88	static int userauth_success = 0;
	89
	90	/*
	91	* loop until userauth_success == TRUE
	92	*/
	93
	94	void
	95	do_authentication2()
	96	{
3189621b	97	/* turn off skey/kerberos, not supported by SSH2 */
8cb940db	98	#ifdef SKEY
3189621b	99	options.skey_authentication = 0;
8cb940db	100	#endif
8cb940db	101	#ifdef KRB4
3189621b	102	options.kerberos_authentication = 0;
8cb940db	103	#endif
3189621b	104
a306f2dd	105	dispatch_init(&protocol_error);
a306f2dd	106	dispatch_set(SSH2_MSG_SERVICE_REQUEST, &input_service_request);
188adeb2	107	dispatch_run(DISPATCH_BLOCK, &userauth_success, NULL);
a306f2dd	108	do_authenticated2();
	109	}
	110
	111	void
188adeb2	112	protocol_error(int type, int plen, void *ctxt)
a306f2dd	113	{
	114	log("auth: protocol error: type %d plen %d", type, plen);
	115	packet_start(SSH2_MSG_UNIMPLEMENTED);
	116	packet_put_int(0);
	117	packet_send();
	118	packet_write_wait();
	119	}
	120
	121	void
188adeb2	122	input_service_request(int type, int plen, void *ctxt)
a306f2dd	123	{
	124	unsigned int len;
	125	int accept = 0;
	126	char *service = packet_get_string(&len);
	127	packet_done();
	128
	129	if (strcmp(service, "ssh-userauth") == 0) {
	130	if (!userauth_success) {
	131	accept = 1;
	132	/* now we can handle user-auth requests */
	133	dispatch_set(SSH2_MSG_USERAUTH_REQUEST, &input_userauth_request);
	134	}
	135	}
	136	/* XXX all other service requests are denied */
	137
	138	if (accept) {
	139	packet_start(SSH2_MSG_SERVICE_ACCEPT);
	140	packet_put_cstring(service);
	141	packet_send();
	142	packet_write_wait();
	143	} else {
	144	debug("bad service request %s", service);
	145	packet_disconnect("bad service request %s", service);
	146	}
	147	xfree(service);
	148	}
	149
	150	void
188adeb2	151	input_userauth_request(int type, int plen, void *ctxt)
a306f2dd	152	{
	153	static void (authlog) (const char fmt,...) = verbose;
	154	static int attempt = 0;
38c295d6	155	unsigned int len;
a306f2dd	156	int authenticated = 0;
38c295d6	157	char user, service, method, authmsg = NULL;
a306f2dd	158	struct passwd *pw;
c1ef8333	159	#ifdef WITH_AIXAUTHENTICATE
	160	extern char *aixloginmsg;
	161	#endif /* WITH_AIXAUTHENTICATE */
a306f2dd	162
a306f2dd	163	user = packet_get_string(&len);
	164	service = packet_get_string(&len);
	165	method = packet_get_string(&len);
c1ef8333	166	if (++attempt == AUTH_FAIL_MAX) {
	167	#ifdef WITH_AIXAUTHENTICATE
	168	loginfailed(user,get_canonical_hostname(),"ssh");
	169	#endif /* WITH_AIXAUTHENTICATE */
	170	packet_disconnect("too many failed userauth_requests");
	171	}
a306f2dd	172	debug("userauth-request for user %s service %s method %s", user, service, method);
	173
	174	/* XXX we only allow the ssh-connection service */
	175	pw = auth_set_user(user, service);
	176	if (pw && strcmp(service, "ssh-connection")==0) {
	177	if (strcmp(method, "none") == 0) {
	178	authenticated = ssh2_auth_none(pw);
	179	} else if (strcmp(method, "password") == 0) {
	180	authenticated = ssh2_auth_password(pw);
	181	} else if (strcmp(method, "publickey") == 0) {
38c295d6	182	authenticated = ssh2_auth_pubkey(pw, service);
a306f2dd	183	}
a306f2dd	184	}
9cd45ea4	185
	186	#ifdef HAVE_CYGWIN
	187	if (authenticated && !check_nt_auth(strcmp(method, "password") == 0, pw->pw_uid)) {
	188	packet_disconnect("Authentication rejected for uid %d.",
	189	(int) pw->pw_uid);
	190	authenticated = 0;
	191	}
	192	#endif
	193
a306f2dd	194	if (authenticated && pw && pw->pw_uid == 0 && !options.permit_root_login) {
	195	authenticated = 0;
	196	log("ROOT LOGIN REFUSED FROM %.200s",
	197	get_canonical_hostname());
	198	}
	199
	200	#ifdef USE_PAM
9cd45ea4	201	if (authenticated && !do_pam_account(pw->pw_name, NULL))
9cd45ea4	202	authenticated = 0;
a306f2dd	203	#endif /* USE_PAM */
a306f2dd	204
1d1ffb87	205	/* Raise logging level */
	206	if (authenticated == 1 \|\|
	207	attempt == AUTH_FAIL_LOG \|\|
	208	strcmp(method, "password") == 0)
	209	authlog = log;
	210
	211	/* Log before sending the reply */
a306f2dd	212	if (authenticated == 1) {
a306f2dd	213	authmsg = "Accepted";
1d1ffb87	214	} else if (authenticated == 0) {
	215	authmsg = "Failed";
	216	} else {
	217	authmsg = "Postponed";
	218	}
	219	authlog("%s %s for %.200s from %.200s port %d ssh2",
	220	authmsg,
	221	method,
	222	pw && pw->pw_uid == 0 ? "ROOT" : user,
	223	get_remote_ipaddr(),
	224	get_remote_port());
	225
	226	/* XXX todo: check if multiple auth methods are needed */
	227	if (authenticated == 1) {
c1ef8333	228	#ifdef WITH_AIXAUTHENTICATE
	229	/* We don't have a pty yet, so just label the line as "ssh" */
	230	if (loginsuccess(user,get_canonical_hostname(),"ssh",
	231	&aixloginmsg) < 0)
	232	aixloginmsg = NULL;
	233	#endif /* WITH_AIXAUTHENTICATE */
a306f2dd	234	/* turn off userauth */
	235	dispatch_set(SSH2_MSG_USERAUTH_REQUEST, &protocol_error);
	236	packet_start(SSH2_MSG_USERAUTH_SUCCESS);
	237	packet_send();
	238	packet_write_wait();
	239	/* now we can break out */
	240	userauth_success = 1;
	241	} else if (authenticated == 0) {
a306f2dd	242	packet_start(SSH2_MSG_USERAUTH_FAILURE);
	243	packet_put_cstring("publickey,password"); /* XXX dynamic */
	244	packet_put_char(0); /* XXX partial success, unused */
	245	packet_send();
	246	packet_write_wait();
a306f2dd	247	}
a306f2dd	248
	249	xfree(service);
	250	xfree(user);
	251	xfree(method);
	252	}
	253
	254	int
	255	ssh2_auth_none(struct passwd *pw)
	256	{
4d33e531	257	#ifdef HAVE_OSF_SIA
	258	extern int saved_argc;
	259	extern char **saved_argv;
	260	#endif
	261
a306f2dd	262	packet_done();
4d33e531	263
a306f2dd	264	#ifdef USE_PAM
a306f2dd	265	return auth_pam_password(pw, "");
4d33e531	266	#elif defined(HAVE_OSF_SIA)
	267	return(sia_validate_user(NULL, saved_argc, saved_argv,
	268	get_canonical_hostname(), pw->pw_name, NULL, 0, NULL,
	269	"") == SIASUCCESS);
	270	#else /* !HAVE_OSF_SIA && !USE_PAM */
a306f2dd	271	return auth_password(pw, "");
	272	#endif /* USE_PAM */
	273	}
	274	int
	275	ssh2_auth_password(struct passwd *pw)
	276	{
	277	char *password;
	278	int authenticated = 0;
	279	int change;
	280	unsigned int len;
4d33e531	281	#ifdef HAVE_OSF_SIA
	282	extern int saved_argc;
	283	extern char **saved_argv;
	284	#endif
a306f2dd	285	change = packet_get_char();
	286	if (change)
	287	log("password change not supported");
	288	password = packet_get_string(&len);
	289	packet_done();
	290	if (options.password_authentication &&
	291	#ifdef USE_PAM
	292	auth_pam_password(pw, password) == 1)
4d33e531	293	#elif defined(HAVE_OSF_SIA)
	294	sia_validate_user(NULL, saved_argc, saved_argv,
	295	get_canonical_hostname(), pw->pw_name, NULL, 0,
	296	NULL, password) == SIASUCCESS)
	297	#else /* !USE_PAM && !HAVE_OSF_SIA */
a306f2dd	298	auth_password(pw, password) == 1)
	299	#endif /* USE_PAM */
	300	authenticated = 1;
	301	memset(password, 0, len);
	302	xfree(password);
	303	return authenticated;
	304	}
	305	int
38c295d6	306	ssh2_auth_pubkey(struct passwd pw, char service)
a306f2dd	307	{
	308	Buffer b;
	309	Key *key;
	310	char pkalg, pkblob, *sig;
	311	unsigned int alen, blen, slen;
	312	int have_sig;
	313	int authenticated = 0;
	314
1d1ffb87	315	if (options.dsa_authentication == 0) {
a306f2dd	316	debug("pubkey auth disabled");
	317	return 0;
	318	}
	319	have_sig = packet_get_char();
	320	pkalg = packet_get_string(&alen);
	321	if (strcmp(pkalg, KEX_DSS) != 0) {
	322	xfree(pkalg);
	323	log("bad pkalg %s", pkalg); /XXX/
	324	return 0;
	325	}
	326	pkblob = packet_get_string(&blen);
	327	key = dsa_key_from_blob(pkblob, blen);
	328	if (key != NULL) {
	329	if (have_sig) {
	330	sig = packet_get_string(&slen);
	331	packet_done();
	332	buffer_init(&b);
74fc9186	333	if (datafellows & SSH_COMPAT_SESSIONID_ENCODING) {
	334	buffer_put_string(&b, session_id2, session_id2_len);
	335	} else {
	336	buffer_append(&b, session_id2, session_id2_len);
	337	}
38c295d6	338	/* reconstruct packet */
a306f2dd	339	buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST);
38c295d6	340	buffer_put_cstring(&b, pw->pw_name);
	341	buffer_put_cstring(&b,
	342	datafellows & SSH_BUG_PUBKEYAUTH ?
	343	"ssh-userauth" :
	344	service);
	345	buffer_put_cstring(&b, "publickey");
	346	buffer_put_char(&b, have_sig);
	347	buffer_put_cstring(&b, KEX_DSS);
	348	buffer_put_string(&b, pkblob, blen);
a306f2dd	349	#ifdef DEBUG_DSS
	350	buffer_dump(&b);
	351	#endif
	352	/* test for correct signature */
	353	if (user_dsa_key_allowed(pw, key) &&
	354	dsa_verify(key, sig, slen, buffer_ptr(&b), buffer_len(&b)) == 1)
	355	authenticated = 1;
	356	buffer_clear(&b);
	357	xfree(sig);
	358	} else {
	359	packet_done();
	360	debug("test key...");
	361	/* test whether pkalg/pkblob are acceptable */
	362	/* XXX fake reply and always send PK_OK ? */
1d1ffb87	363	/*
	364	* XXX this allows testing whether a user is allowed
	365	* to login: if you happen to have a valid pubkey this
	366	* message is sent. the message is NEVER sent at all
	367	* if a user is not allowed to login. is this an
	368	* issue? -markus
	369	*/
a306f2dd	370	if (user_dsa_key_allowed(pw, key)) {
	371	packet_start(SSH2_MSG_USERAUTH_PK_OK);
	372	packet_put_string(pkalg, alen);
	373	packet_put_string(pkblob, blen);
	374	packet_send();
	375	packet_write_wait();
	376	authenticated = -1;
	377	}
	378	}
	379	key_free(key);
	380	}
	381	xfree(pkalg);
	382	xfree(pkblob);
	383	return authenticated;
	384	}
	385
	386	/* set and get current user */
	387
	388	struct passwd*
	389	auth_get_user(void)
	390	{
	391	return (authctxt != NULL && authctxt->valid) ? &authctxt->pw : NULL;
	392	}
	393
	394	struct passwd*
	395	auth_set_user(char u, char s)
	396	{
	397	struct passwd pw, copy;
	398
	399	if (authctxt == NULL) {
	400	authctxt = xmalloc(sizeof(*authctxt));
	401	authctxt->valid = 0;
	402	authctxt->user = xstrdup(u);
	403	authctxt->service = xstrdup(s);
	404	setproctitle("%s", u);
	405	pw = getpwnam(u);
	406	if (!pw \|\| !allowed_user(pw)) {
	407	log("auth_set_user: illegal user %s", u);
	408	return NULL;
	409	}
	410	#ifdef USE_PAM
	411	start_pam(pw);
	412	#endif
	413	copy = &authctxt->pw;
	414	memset(copy, 0, sizeof(*copy));
	415	copy->pw_name = xstrdup(pw->pw_name);
	416	copy->pw_passwd = xstrdup(pw->pw_passwd);
	417	copy->pw_uid = pw->pw_uid;
	418	copy->pw_gid = pw->pw_gid;
2e73a022	419	#ifdef HAVE_PW_CLASS_IN_PASSWD
	420	copy->pw_class = xstrdup(pw->pw_class);
	421	#endif
a306f2dd	422	copy->pw_dir = xstrdup(pw->pw_dir);
	423	copy->pw_shell = xstrdup(pw->pw_shell);
	424	authctxt->valid = 1;
	425	} else {
	426	if (strcmp(u, authctxt->user) != 0 \|\|
	427	strcmp(s, authctxt->service) != 0) {
	428	log("auth_set_user: missmatch: (%s,%s)!=(%s,%s)",
	429	u, s, authctxt->user, authctxt->service);
	430	return NULL;
	431	}
	432	}
	433	return auth_get_user();
	434	}
	435
	436	/* return 1 if user allows given key */
	437	int
	438	user_dsa_key_allowed(struct passwd pw, Key key)
	439	{
	440	char line[8192], file[1024];
	441	int found_key = 0;
	442	unsigned int bits = -1;
	443	FILE *f;
	444	unsigned long linenum = 0;
	445	struct stat st;
	446	Key *found;
	447
	448	/* Temporarily use the user's uid. */
	449	temporarily_use_uid(pw->pw_uid);
	450
	451	/* The authorized keys. */
	452	snprintf(file, sizeof file, "%.500s/%.100s", pw->pw_dir,
	453	SSH_USER_PERMITTED_KEYS2);
	454
	455	/* Fail quietly if file does not exist */
	456	if (stat(file, &st) < 0) {
	457	/* Restore the privileged uid. */
	458	restore_uid();
	459	return 0;
	460	}
	461	/* Open the file containing the authorized keys. */
	462	f = fopen(file, "r");
	463	if (!f) {
	464	/* Restore the privileged uid. */
	465	restore_uid();
	466	return 0;
	467	}
	468	if (options.strict_modes) {
	469	int fail = 0;
	470	char buf[1024];
	471	/* Check open file in order to avoid open/stat races */
	472	if (fstat(fileno(f), &st) < 0 \|\|
	473	(st.st_uid != 0 && st.st_uid != pw->pw_uid) \|\|
	474	(st.st_mode & 022) != 0) {
de273eef	475	snprintf(buf, sizeof buf,
	476	"%s authentication refused for %.100s: "
	477	"bad ownership or modes for '%s'.",
	478	key_type(key), pw->pw_name, file);
a306f2dd	479	fail = 1;
	480	} else {
	481	/* Check path to SSH_USER_PERMITTED_KEYS */
	482	int i;
	483	static const char *check[] = {
	484	"", SSH_USER_DIR, NULL
	485	};
	486	for (i = 0; check[i]; i++) {
	487	snprintf(line, sizeof line, "%.500s/%.100s",
	488	pw->pw_dir, check[i]);
	489	if (stat(line, &st) < 0 \|\|
	490	(st.st_uid != 0 && st.st_uid != pw->pw_uid) \|\|
	491	(st.st_mode & 022) != 0) {
	492	snprintf(buf, sizeof buf,
de273eef	493	"%s authentication refused for %.100s: "
a306f2dd	494	"bad ownership or modes for '%s'.",
de273eef	495	key_type(key), pw->pw_name, line);
a306f2dd	496	fail = 1;
	497	break;
	498	}
	499	}
	500	}
	501	if (fail) {
a306f2dd	502	fclose(f);
089fbbd2	503	log("%s",buf);
a306f2dd	504	restore_uid();
	505	return 0;
	506	}
	507	}
	508	found_key = 0;
de273eef	509	found = key_new(key->type);
a306f2dd	510
a306f2dd	511	while (fgets(line, sizeof(line), f)) {
38c295d6	512	char cp, options = NULL;
a306f2dd	513	linenum++;
	514	/* Skip leading whitespace, empty and comment lines. */
	515	for (cp = line; cp == ' ' \|\| cp == '\t'; cp++)
	516	;
	517	if (!cp \|\| cp == '\n' \|\| *cp == '#')
	518	continue;
38c295d6	519
a306f2dd	520	bits = key_read(found, &cp);
38c295d6	521	if (bits == 0) {
	522	/* no key? check if there are options for this key */
	523	int quoted = 0;
	524	options = cp;
	525	for (; cp && (quoted \|\| (cp != ' ' && *cp != '\t')); cp++) {
	526	if (*cp == '\\' && cp[1] == '"')
	527	cp++; /* Skip both */
	528	else if (*cp == '"')
	529	quoted = !quoted;
	530	}
	531	/* Skip remaining whitespace. */
	532	for (; cp == ' ' \|\| cp == '\t'; cp++)
	533	;
	534	bits = key_read(found, &cp);
	535	if (bits == 0) {
	536	/* still no key? advance to next line*/
	537	continue;
	538	}
	539	}
	540	if (key_equal(found, key) &&
	541	auth_parse_options(pw, options, linenum) == 1) {
a306f2dd	542	found_key = 1;
	543	debug("matching key found: file %s, line %ld",
	544	file, linenum);
	545	break;
	546	}
	547	}
	548	restore_uid();
	549	fclose(f);
	550	key_free(found);
	551	return found_key;
	552	}