*/
#include "includes.h"
-RCSID("$OpenBSD: auth2.c,v 1.33 2001/01/22 08:32:53 markus Exp $");
-
-#ifdef HAVE_OSF_SIA
-# include <sia.h>
-# include <siad.h>
-#endif
+RCSID("$OpenBSD: auth2.c,v 1.42 2001/02/13 22:49:40 markus Exp $");
#include <openssl/evp.h>
#include "auth.h"
#include "session.h"
#include "dispatch.h"
-#include "auth.h"
-#include "cipher.h"
#include "key.h"
+#include "cipher.h"
#include "kex.h"
#include "pathnames.h"
#include "uidswap.h"
#ifdef WITH_AIXAUTHENTICATE
extern char *aixloginmsg;
#endif
-#ifdef HAVE_OSF_SIA
-extern int saved_argc;
-extern char **saved_argv;
-#endif
static Authctxt *x_authctxt = NULL;
static int one = 1;
{"publickey",
userauth_pubkey,
&options.pubkey_authentication},
- {"keyboard-interactive",
- userauth_kbdint,
- &options.kbd_interactive_authentication},
{"password",
userauth_passwd,
&options.password_authentication},
+ {"keyboard-interactive",
+ userauth_kbdint,
+ &options.kbd_interactive_authentication},
{NULL, NULL, NULL}
};
x_authctxt = authctxt; /*XXX*/
-#ifdef AFS
- /* If machine has AFS, set process authentication group. */
- if (k_hasafs()) {
- k_setpag();
- k_unlog();
- }
-#endif
+ /* challenge-reponse is implemented via keyboard interactive */
+ if (options.challenge_reponse_authentication)
+ options.kbd_interactive_authentication = 1;
+
dispatch_init(&protocol_error);
dispatch_set(SSH2_MSG_SERVICE_REQUEST, &input_service_request);
dispatch_run(DISPATCH_BLOCK, &authctxt->success, authctxt);
if (authctxt->attempt++ == 0) {
/* setup auth context */
struct passwd *pw = NULL;
- setproctitle("%s", user);
pw = getpwnam(user);
if (pw && allowed_user(pw) && strcmp(service, "ssh-connection")==0) {
authctxt->pw = pwcopy(pw);
start_pam("NOUSER");
#endif
}
+ setproctitle("%s", pw ? user : "unknown");
authctxt->user = xstrdup(user);
authctxt->service = xstrdup(service);
authctxt->style = style ? xstrdup(style) : NULL; /* currently unused */
authctxt->user);
/* Special handling for root */
- if (authenticated && authctxt->pw->pw_uid == 0 && !auth_root_allowed())
+ if (authenticated && authctxt->pw->pw_uid == 0 &&
+ !auth_root_allowed(method))
authenticated = 0;
#ifdef USE_PAM
- if (authenticated && authctxt->user && !do_pam_account(authctxt->user, NULL))
+ if (authenticated && authctxt->user && !do_pam_account(authctxt->user,
+ NULL))
authenticated = 0;
#endif /* USE_PAM */
return;
}
-void
+void
userauth_reply(Authctxt *authctxt, int authenticated)
{
char *methods;
/* XXX todo: check if multiple auth methods are needed */
- if (authenticated) {
+ if (authenticated == 1) {
#ifdef WITH_AIXAUTHENTICATE
/* We don't have a pty yet, so just label the line as "ssh" */
- if (loginsuccess(authctxt->user?authctxt->user:"NOUSER",
- get_canonical_hostname(), "ssh", &aixloginmsg) < 0)
+ if (loginsuccess(authctxt->user?authctxt->user:"NOUSER",
+ get_canonical_hostname(options.reverse_mapping_check),
+ "ssh", &aixloginmsg) < 0)
aixloginmsg = NULL;
#endif /* WITH_AIXAUTHENTICATE */
/* turn off userauth */
authctxt->success = 1;
} else {
if (authctxt->failures++ > AUTH_FAIL_MAX)
- packet_disconnect(AUTH_FAIL_MSG, authctxt->user);
+ packet_disconnect(AUTH_FAIL_MSG, authctxt->user);
methods = authmethods_get();
packet_start(SSH2_MSG_USERAUTH_FAILURE);
packet_put_cstring(methods);
if (m != NULL)
m->enabled = NULL;
packet_done();
- userauth_banner();
+ userauth_banner();
if (authctxt->valid == 0)
return(0);
-
+
#ifdef HAVE_CYGWIN
if (check_nt_auth(1, authctxt->pw->pw_uid) == 0)
return(0);
#ifdef USE_PAM
return auth_pam_password(authctxt->pw, "");
#elif defined(HAVE_OSF_SIA)
- return (sia_validate_user(NULL, saved_argc, saved_argv,
- get_canonical_hostname(), authctxt->user?authctxt->user:"NOUSER",
- NULL, 0, NULL, "") == SIASUCCESS);
+ return 0;
#else /* !HAVE_OSF_SIA && !USE_PAM */
return auth_password(authctxt->pw, "");
#endif /* USE_PAM */
#ifdef USE_PAM
auth_pam_password(authctxt->pw, password) == 1)
#elif defined(HAVE_OSF_SIA)
- sia_validate_user(NULL, saved_argc, saved_argv,
- get_canonical_hostname(), authctxt->user?authctxt->user:"NOUSER",
- NULL, 0, NULL, password) == SIASUCCESS)
+ auth_sia_password(authctxt->user, password) == 1)
#else /* !USE_PAM && !HAVE_OSF_SIA */
auth_password(authctxt->pw, password) == 1)
#endif /* USE_PAM */
debug("keyboard-interactive language %s devs %s", lang, devs);
- authenticated = auth2_challenge(authctxt, devs);
+ if (options.challenge_reponse_authentication)
+ authenticated = auth2_challenge(authctxt, devs);
#ifdef USE_PAM
if (authenticated == 0)
packet_put_string(pkblob, blen);
packet_send();
packet_write_wait();
- authenticated = -1;
+ authctxt->postponed = 1;
}
}
if (authenticated != 1)