*/
#include "includes.h"
-RCSID("$OpenBSD: monitor.c,v 1.50 2003/09/23 20:17:11 markus Exp $");
+RCSID("$OpenBSD: monitor.c,v 1.55 2004/02/05 05:37:17 dtucker Exp $");
#include <openssl/dh.h>
int mm_answer_gss_setup_ctx(int, Buffer *);
int mm_answer_gss_accept_ctx(int, Buffer *);
int mm_answer_gss_userok(int, Buffer *);
+int mm_answer_gss_checkmic(int, Buffer *);
#endif
static Authctxt *authctxt;
{MONITOR_REQ_GSSSETUP, MON_ISAUTH, mm_answer_gss_setup_ctx},
{MONITOR_REQ_GSSSTEP, MON_ISAUTH, mm_answer_gss_accept_ctx},
{MONITOR_REQ_GSSUSEROK, MON_AUTH, mm_answer_gss_userok},
+ {MONITOR_REQ_GSSCHECKMIC, MON_ISAUTH, mm_answer_gss_checkmic},
#endif
{0, 0, NULL}
};
authenticated = 0;
#ifdef USE_PAM
/* PAM needs to perform account checks after auth */
- if (options.use_pam) {
+ if (options.use_pam && authenticated) {
Buffer m;
buffer_init(&m);
- mm_request_receive_expect(pmonitor->m_sendfd,
+ mm_request_receive_expect(pmonitor->m_sendfd,
MONITOR_REQ_PAM_ACCOUNT, &m);
authenticated = mm_answer_pam_account(pmonitor->m_sendfd, &m);
buffer_free(&m);
if (pwent == NULL) {
buffer_put_char(m, 0);
+ authctxt->pw = fakepw();
goto out;
}
mm_answer_pam_start(int socket, Buffer *m)
{
char *user;
-
+
if (!options.use_pam)
fatal("UsePAM not set, but ended up in %s anyway", __func__);
mm_answer_pam_account(int socket, Buffer *m)
{
u_int ret;
-
+
if (!options.use_pam)
fatal("UsePAM not set, but ended up in %s anyway", __func__);
debug3("%s: key_from_blob: %p", __func__, key);
- if (key != NULL && authctxt->pw != NULL) {
+ if (key != NULL && authctxt->valid) {
switch(type) {
case MM_USERKEY:
allowed = options.pubkey_authentication &&
mon = xmalloc(sizeof(*mon));
+ mon->m_pid = 0;
monitor_socketpair(pair);
mon->m_recvfd = pair[0];
gss_release_buffer(&minor, &out);
- /* Complete - now we can do signing */
if (major==GSS_S_COMPLETE) {
monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0);
monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1);
+ monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1);
}
return (0);
}
+int
+mm_answer_gss_checkmic(int socket, Buffer *m)
+{
+ gss_buffer_desc gssbuf, mic;
+ OM_uint32 ret;
+ u_int len;
+
+ gssbuf.value = buffer_get_string(m, &len);
+ gssbuf.length = len;
+ mic.value = buffer_get_string(m, &len);
+ mic.length = len;
+
+ ret = ssh_gssapi_checkmic(gsscontext, &gssbuf, &mic);
+
+ xfree(gssbuf.value);
+ xfree(mic.value);
+
+ buffer_clear(m);
+ buffer_put_int(m, ret);
+
+ mm_request_send(socket, MONITOR_ANS_GSSCHECKMIC, m);
+
+ if (!GSS_ERROR(ret))
+ monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1);
+
+ return (0);
+}
+
int
mm_answer_gss_userok(int socket, Buffer *m)
{
debug3("%s: sending result %d", __func__, authenticated);
mm_request_send(socket, MONITOR_ANS_GSSUSEROK, m);
- auth_method="gssapi";
+ auth_method="gssapi-with-mic";
/* Monitor loop will terminate if authenticated */
return (authenticated);