*/
#include "includes.h"
-RCSID("$OpenBSD: monitor.c,v 1.30 2002/11/05 19:45:20 markus Exp $");
+RCSID("$OpenBSD: monitor.c,v 1.61 2004/07/17 05:31:41 dtucker Exp $");
#include <openssl/dh.h>
#include "auth.h"
#include "kex.h"
#include "dh.h"
+#ifdef TARGET_OS_MAC /* XXX Broken krb5 headers on Mac */
+#undef TARGET_OS_MAC
#include "zlib.h"
+#define TARGET_OS_MAC 1
+#else
+#include "zlib.h"
+#endif
#include "packet.h"
#include "auth-options.h"
#include "sshpty.h"
#include "bufaux.h"
#include "compat.h"
#include "ssh2.h"
-#include "mpaux.h"
+
+#ifdef GSSAPI
+#include "ssh-gss.h"
+static Gssctxt *gsscontext = NULL;
+#endif
/* Imports */
extern ServerOptions options;
extern Buffer input, output;
extern Buffer auth_debug;
extern int auth_debug_init;
+extern Buffer loginmsg;
/* State exported from the child */
u_int olen;
} child_state;
-/* Functions on the montior that answer unprivileged requests */
+/* Functions on the monitor that answer unprivileged requests */
int mm_answer_moduli(int, Buffer *);
int mm_answer_sign(int, Buffer *);
#ifdef USE_PAM
int mm_answer_pam_start(int, Buffer *);
+int mm_answer_pam_account(int, Buffer *);
+int mm_answer_pam_init_ctx(int, Buffer *);
+int mm_answer_pam_query(int, Buffer *);
+int mm_answer_pam_respond(int, Buffer *);
+int mm_answer_pam_free_ctx(int, Buffer *);
#endif
-#ifdef KRB4
-int mm_answer_krb4(int, Buffer *);
-#endif
-#ifdef KRB5
-int mm_answer_krb5(int, Buffer *);
+#ifdef GSSAPI
+int mm_answer_gss_setup_ctx(int, Buffer *);
+int mm_answer_gss_accept_ctx(int, Buffer *);
+int mm_answer_gss_userok(int, Buffer *);
+int mm_answer_gss_checkmic(int, Buffer *);
#endif
static Authctxt *authctxt;
static char *hostbased_cuser = NULL;
static char *hostbased_chost = NULL;
static char *auth_method = "unknown";
-static int session_id2_len = 0;
+static u_int session_id2_len = 0;
static u_char *session_id2 = NULL;
+static pid_t monitor_child_pid;
struct mon_table {
enum monitor_reqtype type;
{MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword},
#ifdef USE_PAM
{MONITOR_REQ_PAM_START, MON_ONCE, mm_answer_pam_start},
+ {MONITOR_REQ_PAM_ACCOUNT, 0, mm_answer_pam_account},
+ {MONITOR_REQ_PAM_INIT_CTX, MON_ISAUTH, mm_answer_pam_init_ctx},
+ {MONITOR_REQ_PAM_QUERY, MON_ISAUTH, mm_answer_pam_query},
+ {MONITOR_REQ_PAM_RESPOND, MON_ISAUTH, mm_answer_pam_respond},
+ {MONITOR_REQ_PAM_FREE_CTX, MON_ONCE|MON_AUTHDECIDE, mm_answer_pam_free_ctx},
#endif
#ifdef BSD_AUTH
{MONITOR_REQ_BSDAUTHQUERY, MON_ISAUTH, mm_answer_bsdauthquery},
#endif
{MONITOR_REQ_KEYALLOWED, MON_ISAUTH, mm_answer_keyallowed},
{MONITOR_REQ_KEYVERIFY, MON_AUTH, mm_answer_keyverify},
+#ifdef GSSAPI
+ {MONITOR_REQ_GSSSETUP, MON_ISAUTH, mm_answer_gss_setup_ctx},
+ {MONITOR_REQ_GSSSTEP, MON_ISAUTH, mm_answer_gss_accept_ctx},
+ {MONITOR_REQ_GSSUSEROK, MON_AUTH, mm_answer_gss_userok},
+ {MONITOR_REQ_GSSCHECKMIC, MON_ISAUTH, mm_answer_gss_checkmic},
+#endif
{0, 0, NULL}
};
#endif
#ifdef USE_PAM
{MONITOR_REQ_PAM_START, MON_ONCE, mm_answer_pam_start},
-#endif
-#ifdef KRB4
- {MONITOR_REQ_KRB4, MON_ONCE|MON_AUTH, mm_answer_krb4},
-#endif
-#ifdef KRB5
- {MONITOR_REQ_KRB5, MON_ONCE|MON_AUTH, mm_answer_krb5},
+ {MONITOR_REQ_PAM_ACCOUNT, 0, mm_answer_pam_account},
+ {MONITOR_REQ_PAM_INIT_CTX, MON_ISAUTH, mm_answer_pam_init_ctx},
+ {MONITOR_REQ_PAM_QUERY, MON_ISAUTH, mm_answer_pam_query},
+ {MONITOR_REQ_PAM_RESPOND, MON_ISAUTH, mm_answer_pam_respond},
+ {MONITOR_REQ_PAM_FREE_CTX, MON_ONCE|MON_AUTHDECIDE, mm_answer_pam_free_ctx},
#endif
{0, 0, NULL}
};
}
}
-Authctxt *
-monitor_child_preauth(struct monitor *pmonitor)
+void
+monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor)
{
struct mon_table *ent;
int authenticated = 0;
debug3("preauth child monitor started");
+ authctxt = _authctxt;
+ memset(authctxt, 0, sizeof(*authctxt));
+
if (compat20) {
mon_dispatch = mon_dispatch_proto20;
monitor_permit(mon_dispatch, MONITOR_REQ_SESSKEY, 1);
}
- authctxt = authctxt_new();
-
/* The first few requests do not require asynchronous access */
while (!authenticated) {
authenticated = monitor_read(pmonitor, mon_dispatch, &ent);
!auth_root_allowed(auth_method))
authenticated = 0;
#ifdef USE_PAM
- if (!do_pam_account(authctxt->pw->pw_name, NULL))
- authenticated = 0;
+ /* PAM needs to perform account checks after auth */
+ if (options.use_pam && authenticated) {
+ Buffer m;
+
+ buffer_init(&m);
+ mm_request_receive_expect(pmonitor->m_sendfd,
+ MONITOR_REQ_PAM_ACCOUNT, &m);
+ authenticated = mm_answer_pam_account(pmonitor->m_sendfd, &m);
+ buffer_free(&m);
+ }
#endif
}
__func__, authctxt->user);
mm_get_keystate(pmonitor);
+}
- return (authctxt);
+static void
+monitor_set_child_handler(pid_t pid)
+{
+ monitor_child_pid = pid;
+}
+
+static void
+monitor_child_handler(int sig)
+{
+ kill(monitor_child_pid, sig);
}
void
monitor_child_postauth(struct monitor *pmonitor)
{
+ monitor_set_child_handler(pmonitor->m_pid);
+ signal(SIGHUP, &monitor_child_handler);
+ signal(SIGTERM, &monitor_child_handler);
+
if (compat20) {
mon_dispatch = mon_dispatch_postauth20;
monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);
-
} else {
mon_dispatch = mon_dispatch_postauth15;
monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);
}
int
-mm_answer_moduli(int socket, Buffer *m)
+mm_answer_moduli(int sock, Buffer *m)
{
DH *dh;
int min, want, max;
DH_free(dh);
}
- mm_request_send(socket, MONITOR_ANS_MODULI, m);
+ mm_request_send(sock, MONITOR_ANS_MODULI, m);
return (0);
}
int
-mm_answer_sign(int socket, Buffer *m)
+mm_answer_sign(int sock, Buffer *m)
{
Key *key;
u_char *p;
xfree(p);
xfree(signature);
- mm_request_send(socket, MONITOR_ANS_SIGN, m);
+ mm_request_send(sock, MONITOR_ANS_SIGN, m);
/* Turn on permissions for getpwnam */
monitor_permit(mon_dispatch, MONITOR_REQ_PWNAM, 1);
/* Retrieves the password entry and also checks if the user is permitted */
int
-mm_answer_pwnamallow(int socket, Buffer *m)
+mm_answer_pwnamallow(int sock, Buffer *m)
{
- char *login;
+ char *username;
struct passwd *pwent;
int allowed = 0;
if (authctxt->attempt++ != 0)
fatal("%s: multiple attempts for getpwnam", __func__);
- login = buffer_get_string(m, NULL);
+ username = buffer_get_string(m, NULL);
- pwent = getpwnamallow(login);
+ pwent = getpwnamallow(username);
- authctxt->user = xstrdup(login);
- setproctitle("%s [priv]", pwent ? login : "unknown");
- xfree(login);
+ authctxt->user = xstrdup(username);
+ setproctitle("%s [priv]", pwent ? username : "unknown");
+ xfree(username);
buffer_clear(m);
if (pwent == NULL) {
buffer_put_char(m, 0);
+ authctxt->pw = fakepw();
goto out;
}
out:
debug3("%s: sending MONITOR_ANS_PWNAM: %d", __func__, allowed);
- mm_request_send(socket, MONITOR_ANS_PWNAM, m);
+ mm_request_send(sock, MONITOR_ANS_PWNAM, m);
/* For SSHv1 allow authentication now */
if (!compat20)
}
#ifdef USE_PAM
- monitor_permit(mon_dispatch, MONITOR_REQ_PAM_START, 1);
+ if (options.use_pam)
+ monitor_permit(mon_dispatch, MONITOR_REQ_PAM_START, 1);
#endif
return (0);
}
-int mm_answer_auth2_read_banner(int socket, Buffer *m)
+int mm_answer_auth2_read_banner(int sock, Buffer *m)
{
char *banner;
buffer_clear(m);
banner = auth2_read_banner();
buffer_put_cstring(m, banner != NULL ? banner : "");
- mm_request_send(socket, MONITOR_ANS_AUTH2_READ_BANNER, m);
+ mm_request_send(sock, MONITOR_ANS_AUTH2_READ_BANNER, m);
if (banner != NULL)
xfree(banner);
}
int
-mm_answer_authserv(int socket, Buffer *m)
+mm_answer_authserv(int sock, Buffer *m)
{
monitor_permit_authentications(1);
}
int
-mm_answer_authpassword(int socket, Buffer *m)
+mm_answer_authpassword(int sock, Buffer *m)
{
static int call_count;
char *passwd;
passwd = buffer_get_string(m, &plen);
/* Only authenticate if the context is valid */
authenticated = options.password_authentication &&
- authctxt->valid && auth_password(authctxt, passwd);
+ auth_password(authctxt, passwd);
memset(passwd, 0, strlen(passwd));
xfree(passwd);
buffer_put_int(m, authenticated);
debug3("%s: sending result %d", __func__, authenticated);
- mm_request_send(socket, MONITOR_ANS_AUTHPASSWORD, m);
+ mm_request_send(sock, MONITOR_ANS_AUTHPASSWORD, m);
call_count++;
if (plen == 0 && call_count == 1)
#ifdef BSD_AUTH
int
-mm_answer_bsdauthquery(int socket, Buffer *m)
+mm_answer_bsdauthquery(int sock, Buffer *m)
{
char *name, *infotxt;
u_int numprompts;
u_int *echo_on;
char **prompts;
- int res;
+ u_int success;
- res = bsdauth_query(authctxt, &name, &infotxt, &numprompts,
- &prompts, &echo_on);
+ success = bsdauth_query(authctxt, &name, &infotxt, &numprompts,
+ &prompts, &echo_on) < 0 ? 0 : 1;
buffer_clear(m);
- buffer_put_int(m, res);
- if (res != -1)
+ buffer_put_int(m, success);
+ if (success)
buffer_put_cstring(m, prompts[0]);
- debug3("%s: sending challenge res: %d", __func__, res);
- mm_request_send(socket, MONITOR_ANS_BSDAUTHQUERY, m);
+ debug3("%s: sending challenge success: %u", __func__, success);
+ mm_request_send(sock, MONITOR_ANS_BSDAUTHQUERY, m);
- if (res != -1) {
+ if (success) {
xfree(name);
xfree(infotxt);
xfree(prompts);
}
int
-mm_answer_bsdauthrespond(int socket, Buffer *m)
+mm_answer_bsdauthrespond(int sock, Buffer *m)
{
char *response;
int authok;
buffer_put_int(m, authok);
debug3("%s: sending authenticated: %d", __func__, authok);
- mm_request_send(socket, MONITOR_ANS_BSDAUTHRESPOND, m);
+ mm_request_send(sock, MONITOR_ANS_BSDAUTHRESPOND, m);
auth_method = "bsdauth";
#ifdef SKEY
int
-mm_answer_skeyquery(int socket, Buffer *m)
+mm_answer_skeyquery(int sock, Buffer *m)
{
struct skey skey;
char challenge[1024];
- int res;
+ u_int success;
- res = skeychallenge(&skey, authctxt->user, challenge);
+ success = _compat_skeychallenge(&skey, authctxt->user, challenge,
+ sizeof(challenge)) < 0 ? 0 : 1;
buffer_clear(m);
- buffer_put_int(m, res);
- if (res != -1)
+ buffer_put_int(m, success);
+ if (success)
buffer_put_cstring(m, challenge);
- debug3("%s: sending challenge res: %d", __func__, res);
- mm_request_send(socket, MONITOR_ANS_SKEYQUERY, m);
+ debug3("%s: sending challenge success: %u", __func__, success);
+ mm_request_send(sock, MONITOR_ANS_SKEYQUERY, m);
return (0);
}
int
-mm_answer_skeyrespond(int socket, Buffer *m)
+mm_answer_skeyrespond(int sock, Buffer *m)
{
char *response;
int authok;
buffer_put_int(m, authok);
debug3("%s: sending authenticated: %d", __func__, authok);
- mm_request_send(socket, MONITOR_ANS_SKEYRESPOND, m);
+ mm_request_send(sock, MONITOR_ANS_SKEYRESPOND, m);
auth_method = "skey";
#ifdef USE_PAM
int
-mm_answer_pam_start(int socket, Buffer *m)
+mm_answer_pam_start(int sock, Buffer *m)
{
- char *user;
-
- user = buffer_get_string(m, NULL);
+ if (!options.use_pam)
+ fatal("UsePAM not set, but ended up in %s anyway", __func__);
+
+ start_pam(authctxt);
+
+ monitor_permit(mon_dispatch, MONITOR_REQ_PAM_ACCOUNT, 1);
+
+ return (0);
+}
+
+int
+mm_answer_pam_account(int sock, Buffer *m)
+{
+ u_int ret;
+
+ if (!options.use_pam)
+ fatal("UsePAM not set, but ended up in %s anyway", __func__);
- start_pam(user);
+ ret = do_pam_account();
- xfree(user);
+ buffer_put_int(m, ret);
+ buffer_append(&loginmsg, "\0", 1);
+ buffer_put_cstring(m, buffer_ptr(&loginmsg));
+ buffer_clear(&loginmsg);
+ mm_request_send(sock, MONITOR_ANS_PAM_ACCOUNT, m);
+
+ return (ret);
+}
+
+static void *sshpam_ctxt, *sshpam_authok;
+extern KbdintDevice sshpam_device;
+
+int
+mm_answer_pam_init_ctx(int sock, Buffer *m)
+{
+
+ debug3("%s", __func__);
+ authctxt->user = buffer_get_string(m, NULL);
+ sshpam_ctxt = (sshpam_device.init_ctx)(authctxt);
+ sshpam_authok = NULL;
+ buffer_clear(m);
+ if (sshpam_ctxt != NULL) {
+ monitor_permit(mon_dispatch, MONITOR_REQ_PAM_FREE_CTX, 1);
+ buffer_put_int(m, 1);
+ } else {
+ buffer_put_int(m, 0);
+ }
+ mm_request_send(sock, MONITOR_ANS_PAM_INIT_CTX, m);
return (0);
}
+
+int
+mm_answer_pam_query(int sock, Buffer *m)
+{
+ char *name, *info, **prompts;
+ u_int num, *echo_on;
+ int i, ret;
+
+ debug3("%s", __func__);
+ sshpam_authok = NULL;
+ ret = (sshpam_device.query)(sshpam_ctxt, &name, &info, &num, &prompts, &echo_on);
+ if (ret == 0 && num == 0)
+ sshpam_authok = sshpam_ctxt;
+ if (num > 1 || name == NULL || info == NULL)
+ ret = -1;
+ buffer_clear(m);
+ buffer_put_int(m, ret);
+ buffer_put_cstring(m, name);
+ xfree(name);
+ buffer_put_cstring(m, info);
+ xfree(info);
+ buffer_put_int(m, num);
+ for (i = 0; i < num; ++i) {
+ buffer_put_cstring(m, prompts[i]);
+ xfree(prompts[i]);
+ buffer_put_int(m, echo_on[i]);
+ }
+ if (prompts != NULL)
+ xfree(prompts);
+ if (echo_on != NULL)
+ xfree(echo_on);
+ mm_request_send(sock, MONITOR_ANS_PAM_QUERY, m);
+ return (0);
+}
+
+int
+mm_answer_pam_respond(int sock, Buffer *m)
+{
+ char **resp;
+ u_int num;
+ int i, ret;
+
+ debug3("%s", __func__);
+ sshpam_authok = NULL;
+ num = buffer_get_int(m);
+ if (num > 0) {
+ resp = xmalloc(num * sizeof(char *));
+ for (i = 0; i < num; ++i)
+ resp[i] = buffer_get_string(m, NULL);
+ ret = (sshpam_device.respond)(sshpam_ctxt, num, resp);
+ for (i = 0; i < num; ++i)
+ xfree(resp[i]);
+ xfree(resp);
+ } else {
+ ret = (sshpam_device.respond)(sshpam_ctxt, num, NULL);
+ }
+ buffer_clear(m);
+ buffer_put_int(m, ret);
+ mm_request_send(sock, MONITOR_ANS_PAM_RESPOND, m);
+ auth_method = "keyboard-interactive/pam";
+ if (ret == 0)
+ sshpam_authok = sshpam_ctxt;
+ return (0);
+}
+
+int
+mm_answer_pam_free_ctx(int sock, Buffer *m)
+{
+
+ debug3("%s", __func__);
+ (sshpam_device.free_ctx)(sshpam_ctxt);
+ buffer_clear(m);
+ mm_request_send(sock, MONITOR_ANS_PAM_FREE_CTX, m);
+ return (sshpam_authok == sshpam_ctxt);
+}
#endif
static void
}
int
-mm_answer_keyallowed(int socket, Buffer *m)
+mm_answer_keyallowed(int sock, Buffer *m)
{
Key *key;
char *cuser, *chost;
debug3("%s: key_from_blob: %p", __func__, key);
- if (key != NULL && authctxt->pw != NULL) {
+ if (key != NULL && authctxt->valid) {
switch(type) {
case MM_USERKEY:
allowed = options.pubkey_authentication &&
fatal("%s: unknown key type %d", __func__, type);
break;
}
- key_free(key);
}
+ if (key != NULL)
+ key_free(key);
/* clear temporarily storage (used by verify) */
monitor_reset_key_state();
buffer_clear(m);
buffer_put_int(m, allowed);
+ buffer_put_int(m, forced_command != NULL);
mm_append_debug(m);
- mm_request_send(socket, MONITOR_ANS_KEYALLOWED, m);
+ mm_request_send(sock, MONITOR_ANS_KEYALLOWED, m);
if (type == MM_RSAHOSTKEY)
monitor_permit(mon_dispatch, MONITOR_REQ_RSACHALLENGE, allowed);
fail++;
p = buffer_get_string(&b, NULL);
if (strcmp(authctxt->user, p) != 0) {
- log("wrong user name passed to monitor: expected %s != %.100s",
+ logit("wrong user name passed to monitor: expected %s != %.100s",
authctxt->user, p);
fail++;
}
fail++;
p = buffer_get_string(&b, NULL);
if (strcmp(authctxt->user, p) != 0) {
- log("wrong user name passed to monitor: expected %s != %.100s",
+ logit("wrong user name passed to monitor: expected %s != %.100s",
authctxt->user, p);
fail++;
}
}
int
-mm_answer_keyverify(int socket, Buffer *m)
+mm_answer_keyverify(int sock, Buffer *m)
{
Key *key;
u_char *signature, *data, *blob;
buffer_clear(m);
buffer_put_int(m, verified);
- mm_request_send(socket, MONITOR_ANS_KEYVERIFY, m);
+ mm_request_send(sock, MONITOR_ANS_KEYVERIFY, m);
return (verified);
}
if (getpeername(packet_get_connection_in(),
(struct sockaddr *) & from, &fromlen) < 0) {
debug("getpeername: %.100s", strerror(errno));
- fatal_cleanup();
+ cleanup_exit(255);
}
}
/* Record that there was a login on that tty from the remote host. */
record_login(s->pid, s->tty, pw->pw_name, pw->pw_uid,
- get_remote_name_or_ip(utmp_len, options.verify_reverse_mapping),
+ get_remote_name_or_ip(utmp_len, options.use_dns),
(struct sockaddr *)&from, fromlen);
}
static void
mm_session_close(Session *s)
{
- debug3("%s: session %d pid %d", __func__, s->self, s->pid);
+ debug3("%s: session %d pid %ld", __func__, s->self, (long)s->pid);
if (s->ttyfd != -1) {
debug3("%s: tty %s ptyfd %d", __func__, s->tty, s->ptyfd);
- fatal_remove_cleanup(session_pty_cleanup2, (void *)s);
session_pty_cleanup2(s);
}
s->used = 0;
}
int
-mm_answer_pty(int socket, Buffer *m)
+mm_answer_pty(int sock, Buffer *m)
{
extern struct monitor *pmonitor;
Session *s;
res = pty_allocate(&s->ptyfd, &s->ttyfd, s->tty, sizeof(s->tty));
if (res == 0)
goto error;
- fatal_add_cleanup(session_pty_cleanup2, (void *)s);
pty_setowner(authctxt->pw, s->tty);
buffer_put_int(m, 1);
buffer_put_cstring(m, s->tty);
- mm_request_send(socket, MONITOR_ANS_PTY, m);
-
- mm_send_fd(socket, s->ptyfd);
- mm_send_fd(socket, s->ttyfd);
/* We need to trick ttyslot */
if (dup2(s->ttyfd, 0) == -1)
/* Now we can close the file descriptor again */
close(0);
+ /* send messages generated by record_login */
+ buffer_put_string(m, buffer_ptr(&loginmsg), buffer_len(&loginmsg));
+ buffer_clear(&loginmsg);
+
+ mm_request_send(sock, MONITOR_ANS_PTY, m);
+
+ mm_send_fd(sock, s->ptyfd);
+ mm_send_fd(sock, s->ttyfd);
+
/* make sure nothing uses fd 0 */
if ((fd0 = open(_PATH_DEVNULL, O_RDONLY)) < 0)
fatal("%s: open(/dev/null): %s", __func__, strerror(errno));
if (s != NULL)
mm_session_close(s);
buffer_put_int(m, 0);
- mm_request_send(socket, MONITOR_ANS_PTY, m);
+ mm_request_send(sock, MONITOR_ANS_PTY, m);
return (0);
}
int
-mm_answer_pty_cleanup(int socket, Buffer *m)
+mm_answer_pty_cleanup(int sock, Buffer *m)
{
Session *s;
char *tty;
}
int
-mm_answer_sesskey(int socket, Buffer *m)
+mm_answer_sesskey(int sock, Buffer *m)
{
BIGNUM *p;
int rsafail;
BN_clear_free(p);
- mm_request_send(socket, MONITOR_ANS_SESSKEY, m);
+ mm_request_send(sock, MONITOR_ANS_SESSKEY, m);
/* Turn on permissions for sessid passing */
monitor_permit(mon_dispatch, MONITOR_REQ_SESSID, 1);
}
int
-mm_answer_sessid(int socket, Buffer *m)
+mm_answer_sessid(int sock, Buffer *m)
{
int i;
}
int
-mm_answer_rsa_keyallowed(int socket, Buffer *m)
+mm_answer_rsa_keyallowed(int sock, Buffer *m)
{
BIGNUM *client_n;
Key *key = NULL;
}
buffer_clear(m);
buffer_put_int(m, allowed);
+ buffer_put_int(m, forced_command != NULL);
/* clear temporarily storage (used by generate challenge) */
monitor_reset_key_state();
key_blob = blob;
key_bloblen = blen;
key_blobtype = MM_RSAUSERKEY;
- key_free(key);
}
+ if (key != NULL)
+ key_free(key);
mm_append_debug(m);
- mm_request_send(socket, MONITOR_ANS_RSAKEYALLOWED, m);
+ mm_request_send(sock, MONITOR_ANS_RSAKEYALLOWED, m);
monitor_permit(mon_dispatch, MONITOR_REQ_RSACHALLENGE, allowed);
monitor_permit(mon_dispatch, MONITOR_REQ_RSARESPONSE, 0);
}
int
-mm_answer_rsa_challenge(int socket, Buffer *m)
+mm_answer_rsa_challenge(int sock, Buffer *m)
{
Key *key = NULL;
u_char *blob;
buffer_put_bignum2(m, ssh1_challenge);
debug3("%s sending reply", __func__);
- mm_request_send(socket, MONITOR_ANS_RSACHALLENGE, m);
+ mm_request_send(sock, MONITOR_ANS_RSACHALLENGE, m);
monitor_permit(mon_dispatch, MONITOR_REQ_RSARESPONSE, 1);
+
+ xfree(blob);
+ key_free(key);
return (0);
}
int
-mm_answer_rsa_response(int socket, Buffer *m)
+mm_answer_rsa_response(int sock, Buffer *m)
{
Key *key = NULL;
u_char *blob, *response;
fatal("%s: received bad response to challenge", __func__);
success = auth_rsa_verify_response(key, ssh1_challenge, response);
+ xfree(blob);
key_free(key);
xfree(response);
buffer_clear(m);
buffer_put_int(m, success);
- mm_request_send(socket, MONITOR_ANS_RSARESPONSE, m);
+ mm_request_send(sock, MONITOR_ANS_RSARESPONSE, m);
return (success);
}
-#ifdef KRB4
int
-mm_answer_krb4(int socket, Buffer *m)
-{
- KTEXT_ST auth, reply;
- char *client, *p;
- int success;
- u_int alen;
-
- reply.length = auth.length = 0;
-
- p = buffer_get_string(m, &alen);
- if (alen >= MAX_KTXT_LEN)
- fatal("%s: auth too large", __func__);
- memcpy(auth.dat, p, alen);
- auth.length = alen;
- memset(p, 0, alen);
- xfree(p);
-
- success = options.kerberos_authentication &&
- authctxt->valid &&
- auth_krb4(authctxt, &auth, &client, &reply);
-
- memset(auth.dat, 0, alen);
- buffer_clear(m);
- buffer_put_int(m, success);
-
- if (success) {
- buffer_put_cstring(m, client);
- buffer_put_string(m, reply.dat, reply.length);
- if (client)
- xfree(client);
- if (reply.length)
- memset(reply.dat, 0, reply.length);
- }
-
- debug3("%s: sending result %d", __func__, success);
- mm_request_send(socket, MONITOR_ANS_KRB4, m);
-
- auth_method = "kerberos";
-
- /* Causes monitor loop to terminate if authenticated */
- return (success);
-}
-#endif
-
-#ifdef KRB5
-int
-mm_answer_krb5(int socket, Buffer *m)
-{
- krb5_data tkt, reply;
- char *client_user;
- u_int len;
- int success;
-
- /* use temporary var to avoid size issues on 64bit arch */
- tkt.data = buffer_get_string(m, &len);
- tkt.length = len;
-
- success = options.kerberos_authentication &&
- authctxt->valid &&
- auth_krb5(authctxt, &tkt, &client_user, &reply);
-
- if (tkt.length)
- xfree(tkt.data);
-
- buffer_clear(m);
- buffer_put_int(m, success);
-
- if (success) {
- buffer_put_cstring(m, client_user);
- buffer_put_string(m, reply.data, reply.length);
- if (client_user)
- xfree(client_user);
- if (reply.length)
- xfree(reply.data);
- }
- mm_request_send(socket, MONITOR_ANS_KRB5, m);
-
- return success;
-}
-#endif
-
-int
-mm_answer_term(int socket, Buffer *req)
+mm_answer_term(int sock, Buffer *req)
{
extern struct monitor *pmonitor;
int res, status;
res = WIFEXITED(status) ? WEXITSTATUS(status) : 1;
/* Terminate process */
- exit (res);
+ exit(res);
}
void
(memcmp(kex->session_id, session_id2, session_id2_len) != 0))
fatal("mm_get_get: internal error: bad session id");
kex->we_need = buffer_get_int(m);
+ kex->kex[KEX_DH_GRP1_SHA1] = kexdh_server;
+ kex->kex[KEX_DH_GRP14_SHA1] = kexdh_server;
+ kex->kex[KEX_DH_GEX_SHA1] = kexgex_server;
kex->server = 1;
kex->hostkey_type = buffer_get_int(m);
kex->kex_type = buffer_get_int(m);
Buffer m;
u_char *blob, *p;
u_int bloblen, plen;
+ u_int32_t seqnr, packets;
+ u_int64_t blocks;
debug3("%s: Waiting for new keys", __func__);
xfree(blob);
/* Now get sequence numbers for the packets */
- packet_set_seqnr(MODE_OUT, buffer_get_int(&m));
- packet_set_seqnr(MODE_IN, buffer_get_int(&m));
+ seqnr = buffer_get_int(&m);
+ blocks = buffer_get_int64(&m);
+ packets = buffer_get_int(&m);
+ packet_set_state(MODE_OUT, seqnr, blocks, packets);
+ seqnr = buffer_get_int(&m);
+ blocks = buffer_get_int64(&m);
+ packets = buffer_get_int(&m);
+ packet_set_state(MODE_IN, seqnr, blocks, packets);
skip:
/* Get the key context */
mon = xmalloc(sizeof(*mon));
+ mon->m_pid = 0;
monitor_socketpair(pair);
mon->m_recvfd = pair[0];
mon->m_recvfd = pair[0];
mon->m_sendfd = pair[1];
}
+
+#ifdef GSSAPI
+int
+mm_answer_gss_setup_ctx(int sock, Buffer *m)
+{
+ gss_OID_desc goid;
+ OM_uint32 major;
+ u_int len;
+
+ goid.elements = buffer_get_string(m, &len);
+ goid.length = len;
+
+ major = ssh_gssapi_server_ctx(&gsscontext, &goid);
+
+ xfree(goid.elements);
+
+ buffer_clear(m);
+ buffer_put_int(m, major);
+
+ mm_request_send(sock,MONITOR_ANS_GSSSETUP, m);
+
+ /* Now we have a context, enable the step */
+ monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 1);
+
+ return (0);
+}
+
+int
+mm_answer_gss_accept_ctx(int sock, Buffer *m)
+{
+ gss_buffer_desc in;
+ gss_buffer_desc out = GSS_C_EMPTY_BUFFER;
+ OM_uint32 major,minor;
+ OM_uint32 flags = 0; /* GSI needs this */
+ u_int len;
+
+ in.value = buffer_get_string(m, &len);
+ in.length = len;
+ major = ssh_gssapi_accept_ctx(gsscontext, &in, &out, &flags);
+ xfree(in.value);
+
+ buffer_clear(m);
+ buffer_put_int(m, major);
+ buffer_put_string(m, out.value, out.length);
+ buffer_put_int(m, flags);
+ mm_request_send(sock, MONITOR_ANS_GSSSTEP, m);
+
+ gss_release_buffer(&minor, &out);
+
+ if (major==GSS_S_COMPLETE) {
+ monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0);
+ monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1);
+ monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1);
+ }
+ return (0);
+}
+
+int
+mm_answer_gss_checkmic(int sock, Buffer *m)
+{
+ gss_buffer_desc gssbuf, mic;
+ OM_uint32 ret;
+ u_int len;
+
+ gssbuf.value = buffer_get_string(m, &len);
+ gssbuf.length = len;
+ mic.value = buffer_get_string(m, &len);
+ mic.length = len;
+
+ ret = ssh_gssapi_checkmic(gsscontext, &gssbuf, &mic);
+
+ xfree(gssbuf.value);
+ xfree(mic.value);
+
+ buffer_clear(m);
+ buffer_put_int(m, ret);
+
+ mm_request_send(sock, MONITOR_ANS_GSSCHECKMIC, m);
+
+ if (!GSS_ERROR(ret))
+ monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1);
+
+ return (0);
+}
+
+int
+mm_answer_gss_userok(int sock, Buffer *m)
+{
+ int authenticated;
+
+ authenticated = authctxt->valid && ssh_gssapi_userok(authctxt->user);
+
+ buffer_clear(m);
+ buffer_put_int(m, authenticated);
+
+ debug3("%s: sending result %d", __func__, authenticated);
+ mm_request_send(sock, MONITOR_ANS_GSSUSEROK, m);
+
+ auth_method="gssapi-with-mic";
+
+ /* Monitor loop will terminate if authenticated */
+ return (authenticated);
+}
+#endif /* GSSAPI */
andersk / openssh.git / blobdiff