- (stevesk) [auth1.c] fix password auth for protocol 1 when

[openssh.git] / auth2.c

diff --git a/auth2.c b/auth2.c
index c5ab08067ff1bc7d3ce89a5d24a85299c6324c3e..3377fde8b1b7c2924f2012ea1c65f5ee2eccc081 100644 (file)
--- a/auth2.c
+++ b/auth2.c
@@ -23,7 +23,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: auth2.c,v 1.86 2002/03/17 20:25:56 provos Exp $");
+RCSID("$OpenBSD: auth2.c,v 1.89 2002/03/19 14:27:39 markus Exp $");
 
 #include <openssl/evp.h>
 
@@ -47,17 +47,17 @@ RCSID("$OpenBSD: auth2.c,v 1.86 2002/03/17 20:25:56 provos Exp $");
 #include "pathnames.h"
 #include "uidswap.h"
 #include "auth-options.h"
-#include "misc.h"
 #include "hostfile.h"
 #include "canohost.h"
 #include "match.h"
+#include "monitor_wrap.h"
 
 /* import */
 extern ServerOptions options;
 extern u_char *session_id2;
 extern int session_id2_len;
 
-static Authctxt        *x_authctxt = NULL;
+Authctxt *x_authctxt = NULL;
 static int one = 1;
 
 typedef struct Authmethod Authmethod;
@@ -75,8 +75,8 @@ static void input_userauth_request(int, u_int32_t, void *);
 /* helper */
 static Authmethod *authmethod_lookup(const char *);
 static char *authmethods_get(void);
-static int user_key_allowed(struct passwd *, Key *);
-static int hostbased_key_allowed(struct passwd *, const char *, char *, Key *);
+int user_key_allowed(struct passwd *, Key *);
+int hostbased_key_allowed(struct passwd *, const char *, char *, Key *);
 
 /* auth */
 static void userauth_banner(void);
@@ -109,7 +109,7 @@ Authmethod authmethods[] = {
  * loop until authctxt->success == TRUE
  */
 
-void
+Authctxt *
 do_authentication2(void)
 {
        Authctxt *authctxt = authctxt_new();
@@ -125,7 +125,8 @@ do_authentication2(void)
        dispatch_init(&dispatch_protocol_error);
        dispatch_set(SSH2_MSG_SERVICE_REQUEST, &input_service_request);
        dispatch_run(DISPATCH_BLOCK, &authctxt->success, authctxt);
-       do_authenticated(authctxt);
+
+       return (authctxt);
 }
 
 static void
@@ -183,14 +184,12 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
 
        if (authctxt->attempt++ == 0) {
                /* setup auth context */
-               struct passwd *pw = NULL;
-               pw = getpwnamallow(user);
-               if (pw && strcmp(service, "ssh-connection")==0) {
-                       authctxt->pw = pwcopy(pw);
+               authctxt->pw = PRIVSEP(getpwnamallow(user));
+               if (authctxt->pw && strcmp(service, "ssh-connection")==0) {
                        authctxt->valid = 1;
                        debug2("input_userauth_request: setting up authctxt for %s", user);
 #ifdef USE_PAM
-                       start_pam(pw->pw_name);
+                       start_pam(authctxt->pw->pw_name);
 #endif
                } else {
                        log("input_userauth_request: illegal user %s", user);
@@ -198,10 +197,13 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
                        start_pam("NOUSER");
 #endif
                }
-               setproctitle("%s", pw ? user : "unknown");
+               setproctitle("%s%s", authctxt->pw ? user : "unknown",
+                   use_privsep ? " [net]" : "");
                authctxt->user = xstrdup(user);
                authctxt->service = xstrdup(service);
                authctxt->style = style ? xstrdup(style) : NULL;
+               if (use_privsep)
+                       mm_inform_authserv(service, style);
        } else if (strcmp(user, authctxt->user) != 0 ||
            strcmp(service, authctxt->service) != 0) {
                packet_disconnect("Change of username or service not allowed: "
@@ -332,7 +334,7 @@ userauth_none(Authctxt *authctxt)
 #elif defined(HAVE_OSF_SIA)
        return 0;
 #else /* !HAVE_OSF_SIA && !USE_PAM */
-       return auth_password(authctxt, "");
+       return PRIVSEP(auth_password(authctxt, ""));
 #endif /* USE_PAM */
 }
 
@@ -357,7 +359,7 @@ userauth_passwd(Authctxt *authctxt)
 #elif defined(HAVE_OSF_SIA)
            auth_sia_password(authctxt->user, password) == 1)
 #else /* !USE_PAM && !HAVE_OSF_SIA */
-           auth_password(authctxt, password) == 1)
+           PRIVSEP(auth_password(authctxt, password)) == 1)
 #endif /* USE_PAM */
                authenticated = 1;
        memset(password, 0, len);
@@ -467,8 +469,10 @@ userauth_pubkey(Authctxt *authctxt)
                buffer_dump(&b);
 #endif
                /* test for correct signature */
-               if (user_key_allowed(authctxt->pw, key) &&
-                   key_verify(key, sig, slen, buffer_ptr(&b), buffer_len(&b)) == 1)
+               authenticated = 0;
+               if (PRIVSEP(user_key_allowed(authctxt->pw, key)) &&
+                   PRIVSEP(key_verify(key, sig, slen, buffer_ptr(&b),
+                               buffer_len(&b))) == 1)
                        authenticated = 1;
                buffer_clear(&b);
                xfree(sig);
@@ -484,7 +488,7 @@ userauth_pubkey(Authctxt *authctxt)
                 * if a user is not allowed to login. is this an
                 * issue? -markus
                 */
-               if (user_key_allowed(authctxt->pw, key)) {
+               if (PRIVSEP(user_key_allowed(authctxt->pw, key))) {
                        packet_start(SSH2_MSG_USERAUTH_PK_OK);
                        packet_put_string(pkalg, alen);
                        packet_put_string(pkblob, blen);
@@ -572,8 +576,10 @@ userauth_hostbased(Authctxt *authctxt)
        buffer_dump(&b);
 #endif
        /* test for allowed key and correct signature */
-       if (hostbased_key_allowed(authctxt->pw, cuser, chost, key) &&
-           key_verify(key, sig, slen, buffer_ptr(&b), buffer_len(&b)) == 1)
+       authenticated = 0;
+       if (PRIVSEP(hostbased_key_allowed(authctxt->pw, cuser, chost, key)) &&
+           PRIVSEP(key_verify(key, sig, slen, buffer_ptr(&b),
+                       buffer_len(&b))) == 1)
                authenticated = 1;
 
        buffer_clear(&b);
@@ -730,7 +736,7 @@ user_key_allowed2(struct passwd *pw, Key *key, char *file)
 }
 
 /* check whether given key is in .ssh/authorized_keys* */
-static int
+int
 user_key_allowed(struct passwd *pw, Key *key)
 {
        int success;
@@ -750,7 +756,7 @@ user_key_allowed(struct passwd *pw, Key *key)
 }
 
 /* return 1 if given hostkey is allowed */
-static int
+int
 hostbased_key_allowed(struct passwd *pw, const char *cuser, char *chost,
     Key *key)
 {