[openssh.git] / auth.h

/*
 * Copyright (c) 2000 Markus Friedl.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 *
 * $OpenBSD: auth.h,v 1.17 2001/05/20 17:20:35 markus Exp $
 */
#ifndef AUTH_H
#define AUTH_H

#include <openssl/rsa.h>

#ifdef HAVE_LOGIN_CAP
#include <login_cap.h>
#endif
#ifdef BSD_AUTH
#include <bsd_auth.h>
#endif

typedef struct Authctxt Authctxt;
typedef struct KbdintDevice KbdintDevice;

struct Authctxt {
	int success;
	int postponed;
	int valid;
	int attempt;
	int failures;
	char *user;
	char *service;
	struct passwd *pw;
	char *style;
	void *kbdintctxt;
#ifdef BSD_AUTH
	auth_session_t *as;
#endif
};

/*
 * Keyboard interactive device:
 * init_ctx	returns: non NULL upon success 
 * query	returns: 0 - success, otherwise failure 
 * respond	returns: 0 - success, 1 - need further interaction,
 *		otherwise - failure
 */
struct KbdintDevice
{
	const char *name;
	void*	(*init_ctx)	__P((Authctxt*));
	int	(*query)	__P((void *ctx, char **name, char **infotxt,
				u_int *numprompts, char ***prompts,
				u_int **echo_on));
	int	(*respond)	__P((void *ctx, u_int numresp, char **responses));
	void	(*free_ctx)	__P((void *ctx));
};

/*
 * Tries to authenticate the user using the .rhosts file.  Returns true if
 * authentication succeeds.  If ignore_rhosts is non-zero, this will not
 * consider .rhosts and .shosts (/etc/hosts.equiv will still be used).
 */
int     auth_rhosts(struct passwd * pw, const char *client_user);

/* extended interface similar to auth_rhosts() */
int
auth_rhosts2(struct passwd *pw, const char *client_user, const char *hostname,
    const char *ipaddr);

/*
 * Tries to authenticate the user using the .rhosts file and the host using
 * its host key.  Returns true if authentication succeeds.
 */
int
auth_rhosts_rsa(struct passwd * pw, const char *client_user, RSA* client_host_key);

/*
 * Tries to authenticate the user using password.  Returns true if
 * authentication succeeds.
 */
int     auth_password(Authctxt *authctxt, const char *password);

/*
 * Performs the RSA authentication dialog with the client.  This returns 0 if
 * the client could not be authenticated, and 1 if authentication was
 * successful.  This may exit if there is a serious protocol violation.
 */
int     auth_rsa(struct passwd * pw, BIGNUM * client_n);

/*
 * Parses an RSA key (number of bits, e, n) from a string.  Moves the pointer
 * over the key.  Skips any whitespace at the beginning and at end.
 */
int     auth_rsa_read_key(char **cpp, u_int *bitsp, BIGNUM * e, BIGNUM * n);

/*
 * Performs the RSA authentication challenge-response dialog with the client,
 * and returns true (non-zero) if the client gave the correct answer to our
 * challenge; returns zero if the client gives a wrong answer.
 */
int     auth_rsa_challenge_dialog(RSA *pk);

#ifdef KRB4
#include <krb.h>
/*
 * Performs Kerberos v4 mutual authentication with the client. This returns 0
 * if the client could not be authenticated, and 1 if authentication was
 * successful.  This may exit if there is a serious protocol violation.
 */
int     auth_krb4(const char *server_user, KTEXT auth, char **client);
int     krb4_init(uid_t uid);
void    krb4_cleanup_proc(void *ignore);
int	auth_krb4_password(struct passwd * pw, const char *password);

#ifdef AFS
#include <kafs.h>

/* Accept passed Kerberos v4 ticket-granting ticket and AFS tokens. */
int     auth_kerberos_tgt(struct passwd * pw, const char *string);
int     auth_afs_token(struct passwd * pw, const char *token_string);
#endif				/* AFS */

#endif				/* KRB4 */

#include "auth-pam.h"
#include "auth2-pam.h"

void	do_authentication(void);
void	do_authentication2(void);

Authctxt *authctxt_new(void);
void	auth_log(Authctxt *authctxt, int authenticated, char *method, char *info);
void	userauth_finish(Authctxt *authctxt, int authenticated, char *method);
int	auth_root_allowed(char *method);

int	auth2_challenge(Authctxt *authctxt, char *devs);

int	allowed_user(struct passwd * pw);

char	*get_challenge(Authctxt *authctxt);
int	verify_response(Authctxt *authctxt, const char *response);

struct passwd * auth_get_user(void);


/* expand a filename - return buffer is allocated by xmalloc */
char	*expand_filename(const char *template, struct passwd *pw);
char	*authorized_keys_file(struct passwd *pw);
char	*authorized_keys_file2(struct passwd *pw);

/* check a file and the path to it */
int
secure_filename(FILE *f, const char *file, uid_t u, char *err, size_t errlen);

#define AUTH_FAIL_MAX 6
#define AUTH_FAIL_LOG (AUTH_FAIL_MAX/2)
#define AUTH_FAIL_MSG "Too many authentication failures for %.100s"

#endif
Commit	Line	Data
bcbf86ec	1	/*
	2	* Copyright (c) 2000 Markus Friedl. All rights reserved.
	3	*
	4	* Redistribution and use in source and binary forms, with or without
	5	* modification, are permitted provided that the following conditions
	6	* are met:
	7	* 1. Redistributions of source code must retain the above copyright
	8	* notice, this list of conditions and the following disclaimer.
	9	* 2. Redistributions in binary form must reproduce the above copyright
	10	* notice, this list of conditions and the following disclaimer in the
	11	* documentation and/or other materials provided with the distribution.
	12	*
	13	* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
	14	* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
	15	* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
	16	* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
	17	* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
	18	* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
	19	* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
	20	* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
	21	* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
	22	* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
8abcdba4	23	*
c8445989	24	* $OpenBSD: auth.h,v 1.17 2001/05/20 17:20:35 markus Exp $
bcbf86ec	25	*/
7368a6c8	26	#ifndef AUTH_H
	27	#define AUTH_H
	28
42f11eb2	29	#include <openssl/rsa.h>
42f11eb2	30
af774732	31	#ifdef HAVE_LOGIN_CAP
	32	#include <login_cap.h>
	33	#endif
	34	#ifdef BSD_AUTH
	35	#include <bsd_auth.h>
	36	#endif
	37
94ec8c6b	38	typedef struct Authctxt Authctxt;
5ba55ada	39	typedef struct KbdintDevice KbdintDevice;
5ba55ada	40
94ec8c6b	41	struct Authctxt {
94ec8c6b	42	int success;
59c97189	43	int postponed;
94ec8c6b	44	int valid;
94ec8c6b	45	int attempt;
8abcdba4	46	int failures;
94ec8c6b	47	char *user;
	48	char *service;
	49	struct passwd *pw;
59c97189	50	char *style;
5ba55ada	51	void *kbdintctxt;
af774732	52	#ifdef BSD_AUTH
	53	auth_session_t *as;
	54	#endif
94ec8c6b	55	};
94ec8c6b	56
5ba55ada	57	/*
	58	* Keyboard interactive device:
	59	* init_ctx returns: non NULL upon success
	60	* query returns: 0 - success, otherwise failure
	61	* respond returns: 0 - success, 1 - need further interaction,
	62	* otherwise - failure
	63	*/
	64	struct KbdintDevice
	65	{
	66	const char *name;
	67	void* (init_ctx) __P((Authctxt));
	68	int (query) __P((void ctx, char name, char infotxt,
	69	u_int numprompts, char **prompts,
	70	u_int **echo_on));
	71	int (respond) __P((void ctx, u_int numresp, char **responses));
	72	void (free_ctx) __P((void ctx));
	73	};
	74
42f11eb2	75	/*
	76	* Tries to authenticate the user using the .rhosts file. Returns true if
	77	* authentication succeeds. If ignore_rhosts is non-zero, this will not
	78	* consider .rhosts and .shosts (/etc/hosts.equiv will still be used).
	79	*/
	80	int auth_rhosts(struct passwd * pw, const char *client_user);
	81
8002af61	82	/* extended interface similar to auth_rhosts() */
	83	int
	84	auth_rhosts2(struct passwd pw, const char client_user, const char *hostname,
	85	const char *ipaddr);
	86
42f11eb2	87	/*
	88	* Tries to authenticate the user using the .rhosts file and the host using
	89	* its host key. Returns true if authentication succeeds.
	90	*/
	91	int
	92	auth_rhosts_rsa(struct passwd * pw, const char client_user, RSA client_host_key);
	93
	94	/*
	95	* Tries to authenticate the user using password. Returns true if
	96	* authentication succeeds.
	97	*/
af774732	98	int auth_password(Authctxt authctxt, const char password);
42f11eb2	99
	100	/*
	101	* Performs the RSA authentication dialog with the client. This returns 0 if
	102	* the client could not be authenticated, and 1 if authentication was
	103	* successful. This may exit if there is a serious protocol violation.
	104	*/
	105	int auth_rsa(struct passwd * pw, BIGNUM * client_n);
	106
	107	/*
	108	* Parses an RSA key (number of bits, e, n) from a string. Moves the pointer
	109	* over the key. Skips any whitespace at the beginning and at end.
	110	*/
	111	int auth_rsa_read_key(char *cpp, u_int bitsp, BIGNUM * e, BIGNUM * n);
	112
	113	/*
	114	* Performs the RSA authentication challenge-response dialog with the client,
	115	* and returns true (non-zero) if the client gave the correct answer to our
	116	* challenge; returns zero if the client gives a wrong answer.
	117	*/
	118	int auth_rsa_challenge_dialog(RSA *pk);
	119
	120	#ifdef KRB4
	121	#include <krb.h>
	122	/*
	123	* Performs Kerberos v4 mutual authentication with the client. This returns 0
	124	* if the client could not be authenticated, and 1 if authentication was
	125	* successful. This may exit if there is a serious protocol violation.
	126	*/
	127	int auth_krb4(const char server_user, KTEXT auth, char *client);
	128	int krb4_init(uid_t uid);
	129	void krb4_cleanup_proc(void *ignore);
	130	int auth_krb4_password(struct passwd * pw, const char *password);
	131
	132	#ifdef AFS
	133	#include <kafs.h>
	134
	135	/* Accept passed Kerberos v4 ticket-granting ticket and AFS tokens. */
	136	int auth_kerberos_tgt(struct passwd * pw, const char *string);
	137	int auth_afs_token(struct passwd * pw, const char *token_string);
	138	#endif /* AFS */
	139
	140	#endif /* KRB4 */
	141
8c9fe09e	142	#include "auth-pam.h"
	143	#include "auth2-pam.h"
	144
7368a6c8	145	void do_authentication(void);
e78a59f5	146	void do_authentication2(void);
e78a59f5	147
59c97189	148	Authctxt *authctxt_new(void);
59c97189	149	void auth_log(Authctxt authctxt, int authenticated, char method, char *info);
d9cd3575	150	void userauth_finish(Authctxt authctxt, int authenticated, char method);
15853e93	151	int auth_root_allowed(char *method);
94ec8c6b	152
59c97189	153	int auth2_challenge(Authctxt authctxt, char devs);
7368a6c8	154
94ec8c6b	155	int allowed_user(struct passwd * pw);
59c97189	156
5ba55ada	157	char get_challenge(Authctxt authctxt);
5ba55ada	158	int verify_response(Authctxt authctxt, const char response);
59c97189	159
94ec8c6b	160	struct passwd * auth_get_user(void);
a306f2dd	161
c8445989	162
	163	/* expand a filename - return buffer is allocated by xmalloc */
	164	char expand_filename(const char template, struct passwd *pw);
	165	char authorized_keys_file(struct passwd pw);
	166	char authorized_keys_file2(struct passwd pw);
	167
	168	/* check a file and the path to it */
	169	int
	170	secure_filename(FILE f, const char file, uid_t u, char *err, size_t errlen);
	171
a306f2dd	172	#define AUTH_FAIL_MAX 6
	173	#define AUTH_FAIL_LOG (AUTH_FAIL_MAX/2)
	174	#define AUTH_FAIL_MSG "Too many authentication failures for %.100s"
	175
7368a6c8	176	#endif