]> andersk Git - openssh.git/blobdiff - auth2.c
- djm@cvs.openbsd.org 2010/01/30 02:54:53
[openssh.git] / auth2.c
diff --git a/auth2.c b/auth2.c
index 5ca020001ecc43a58b3faa1bdad7c7892523fbb4..5d54685596c848a7bb0d59722353dafb9ebdf9cd 100644 (file)
--- a/auth2.c
+++ b/auth2.c
@@ -1,3 +1,4 @@
+/* $OpenBSD: auth2.c,v 1.121 2009/06/22 05:39:28 dtucker Exp $ */
 /*
  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
  *
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: auth2.c,v 1.98 2003/05/14 02:15:47 markus Exp $");
 
-#include "ssh2.h"
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <sys/uio.h>
+
+#include <fcntl.h>
+#include <pwd.h>
+#include <stdarg.h>
+#include <string.h>
+#include <unistd.h>
+
+#include "atomicio.h"
 #include "xmalloc.h"
+#include "ssh2.h"
 #include "packet.h"
 #include "log.h"
+#include "buffer.h"
 #include "servconf.h"
 #include "compat.h"
+#include "key.h"
+#include "hostfile.h"
 #include "auth.h"
 #include "dispatch.h"
 #include "pathnames.h"
+#include "buffer.h"
+
+#ifdef GSSAPI
+#include "ssh-gss.h"
+#endif
 #include "monitor_wrap.h"
 
 /* import */
 extern ServerOptions options;
 extern u_char *session_id2;
-extern int session_id2_len;
-
-Authctxt *x_authctxt = NULL;
+extern u_int session_id2_len;
+extern Buffer loginmsg;
 
 /* methods */
 
@@ -50,19 +68,25 @@ extern Authmethod method_pubkey;
 extern Authmethod method_passwd;
 extern Authmethod method_kbdint;
 extern Authmethod method_hostbased;
-#ifdef KRB5
-extern Authmethod method_kerberos;
+#ifdef GSSAPI
+extern Authmethod method_gssapi;
+#endif
+#ifdef JPAKE
+extern Authmethod method_jpake;
 #endif
 
 Authmethod *authmethods[] = {
        &method_none,
        &method_pubkey,
+#ifdef GSSAPI
+       &method_gssapi,
+#endif
+#ifdef JPAKE
+       &method_jpake,
+#endif
        &method_passwd,
        &method_kbdint,
        &method_hostbased,
-#ifdef KRB5
-       &method_kerberos,
-#endif
        NULL
 };
 
@@ -74,31 +98,84 @@ static void input_userauth_request(int, u_int32_t, void *);
 /* helper */
 static Authmethod *authmethod_lookup(const char *);
 static char *authmethods_get(void);
-int user_key_allowed(struct passwd *, Key *);
-int hostbased_key_allowed(struct passwd *, const char *, char *, Key *);
 
-/*
- * loop until authctxt->success == TRUE
- */
+char *
+auth2_read_banner(void)
+{
+       struct stat st;
+       char *banner = NULL;
+       size_t len, n;
+       int fd;
+
+       if ((fd = open(options.banner, O_RDONLY)) == -1)
+               return (NULL);
+       if (fstat(fd, &st) == -1) {
+               close(fd);
+               return (NULL);
+       }
+       if (st.st_size > 1*1024*1024) {
+               close(fd);
+               return (NULL);
+       }
 
-Authctxt *
-do_authentication2(void)
+       len = (size_t)st.st_size;               /* truncate */
+       banner = xmalloc(len + 1);
+       n = atomicio(read, fd, banner, len);
+       close(fd);
+
+       if (n != len) {
+               xfree(banner);
+               return (NULL);
+       }
+       banner[n] = '\0';
+
+       return (banner);
+}
+
+void
+userauth_send_banner(const char *msg)
+{
+       if (datafellows & SSH_BUG_BANNER)
+               return;
+
+       packet_start(SSH2_MSG_USERAUTH_BANNER);
+       packet_put_cstring(msg);
+       packet_put_cstring("");         /* language, unused */
+       packet_send();
+       debug("%s: sent", __func__);
+}
+
+static void
+userauth_banner(void)
 {
-       Authctxt *authctxt = authctxt_new();
+       char *banner = NULL;
 
-       x_authctxt = authctxt;          /*XXX*/
+       if (options.banner == NULL ||
+           strcasecmp(options.banner, "none") == 0 ||
+           (datafellows & SSH_BUG_BANNER) != 0)
+               return;
+
+       if ((banner = PRIVSEP(auth2_read_banner())) == NULL)
+               goto done;
+       userauth_send_banner(banner);
 
-       /* challenge-response is implemented via keyboard interactive */
-       if (options.challenge_response_authentication)
-               options.kbd_interactive_authentication = 1;
+done:
+       if (banner)
+               xfree(banner);
+}
 
+/*
+ * loop until authctxt->success == TRUE
+ */
+void
+do_authentication2(Authctxt *authctxt)
+{
        dispatch_init(&dispatch_protocol_error);
        dispatch_set(SSH2_MSG_SERVICE_REQUEST, &input_service_request);
        dispatch_run(DISPATCH_BLOCK, &authctxt->success, authctxt);
-
-       return (authctxt);
 }
 
+/*ARGSUSED*/
 static void
 input_service_request(int type, u_int32_t seq, void *ctxt)
 {
@@ -132,6 +209,7 @@ input_service_request(int type, u_int32_t seq, void *ctxt)
        xfree(service);
 }
 
+/*ARGSUSED*/
 static void
 input_userauth_request(int type, u_int32_t seq, void *ctxt)
 {
@@ -155,27 +233,28 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
        if (authctxt->attempt++ == 0) {
                /* setup auth context */
                authctxt->pw = PRIVSEP(getpwnamallow(user));
+               authctxt->user = xstrdup(user);
                if (authctxt->pw && strcmp(service, "ssh-connection")==0) {
                        authctxt->valid = 1;
                        debug2("input_userauth_request: setting up authctxt for %s", user);
-#ifdef USE_PAM
-                       if (options.use_pam)
-                               PRIVSEP(start_pam(authctxt->pw->pw_name));
-#endif
                } else {
-                       logit("input_userauth_request: illegal user %s", user);
-#ifdef USE_PAM
-                       if (options.use_pam)
-                               PRIVSEP(start_pam(user));
+                       logit("input_userauth_request: invalid user %s", user);
+                       authctxt->pw = fakepw();
+#ifdef SSH_AUDIT_EVENTS
+                       PRIVSEP(audit_event(SSH_INVALID_USER));
 #endif
                }
-               setproctitle("%s%s", authctxt->pw ? user : "unknown",
+#ifdef USE_PAM
+               if (options.use_pam)
+                       PRIVSEP(start_pam(authctxt));
+#endif
+               setproctitle("%s%s", authctxt->valid ? user : "unknown",
                    use_privsep ? " [net]" : "");
-               authctxt->user = xstrdup(user);
                authctxt->service = xstrdup(service);
                authctxt->style = style ? xstrdup(style) : NULL;
                if (use_privsep)
                        mm_inform_authserv(service, style);
+               userauth_banner();
        } else if (strcmp(user, authctxt->user) != 0 ||
            strcmp(service, authctxt->service) != 0) {
                packet_disconnect("Change of username or service not allowed: "
@@ -184,11 +263,21 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
        }
        /* reset state */
        auth2_challenge_stop(authctxt);
+#ifdef JPAKE
+       auth2_jpake_stop(authctxt);
+#endif
+
+#ifdef GSSAPI
+       /* XXX move to auth2_gssapi_stop() */
+       dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL);
+       dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE, NULL);
+#endif
+
        authctxt->postponed = 0;
 
        /* try to authenticate user */
        m = authmethod_lookup(method);
-       if (m != NULL) {
+       if (m != NULL && authctxt->failures < options.max_authtries) {
                debug2("input_userauth_request: try method %s", method);
                authenticated = m->userauth(authctxt);
        }
@@ -210,8 +299,27 @@ userauth_finish(Authctxt *authctxt, int authenticated, char *method)
 
        /* Special handling for root */
        if (authenticated && authctxt->pw->pw_uid == 0 &&
-           !auth_root_allowed(method))
+           !auth_root_allowed(method)) {
                authenticated = 0;
+#ifdef SSH_AUDIT_EVENTS
+               PRIVSEP(audit_event(SSH_LOGIN_ROOT_DENIED));
+#endif
+       }
+
+#ifdef USE_PAM
+       if (options.use_pam && authenticated) {
+               if (!PRIVSEP(do_pam_account())) {
+                       /* if PAM returned a message, send it to the user */
+                       if (buffer_len(&loginmsg) > 0) {
+                               buffer_append(&loginmsg, "\0", 1);
+                               userauth_send_banner(buffer_ptr(&loginmsg));
+                               packet_write_wait();
+                       }
+                       fatal("Access denied for user %s by PAM account "
+                           "configuration", authctxt->user);
+               }
+       }
+#endif
 
 #ifdef _UNICOS
        if (authenticated && cray_access_denied(authctxt->user)) {
@@ -236,8 +344,16 @@ userauth_finish(Authctxt *authctxt, int authenticated, char *method)
                /* now we can break out */
                authctxt->success = 1;
        } else {
-               if (authctxt->failures++ > AUTH_FAIL_MAX)
+
+               /* Allow initial try of "none" auth without failure penalty */
+               if (authctxt->attempt > 1 || strcmp(method, "none") != 0)
+                       authctxt->failures++;
+               if (authctxt->failures >= options.max_authtries) {
+#ifdef SSH_AUDIT_EVENTS
+                       PRIVSEP(audit_event(SSH_LOGIN_EXCEED_MAXTRIES));
+#endif
                        packet_disconnect(AUTH_FAIL_MSG, authctxt->user);
+               }
                methods = authmethods_get();
                packet_start(SSH2_MSG_USERAUTH_FAILURE);
                packet_put_cstring(methods);
@@ -248,16 +364,6 @@ userauth_finish(Authctxt *authctxt, int authenticated, char *method)
        }
 }
 
-/* get current user */
-
-struct passwd*
-auth_get_user(void)
-{
-       return (x_authctxt != NULL && x_authctxt->valid) ? x_authctxt->pw : NULL;
-}
-
-#define        DELIM   ","
-
 static char *
 authmethods_get(void)
 {
@@ -298,3 +404,4 @@ authmethod_lookup(const char *name)
            name ? name : "NULL");
        return NULL;
 }
+
This page took 2.092384 seconds and 4 git commands to generate.