*/
#include "includes.h"
-RCSID("$OpenBSD: auth2.c,v 1.95 2002/08/22 21:33:58 markus Exp $");
+RCSID("$OpenBSD: auth2.c,v 1.100 2003/08/22 10:56:08 markus Exp $");
#include "ssh2.h"
#include "xmalloc.h"
#include "pathnames.h"
#include "monitor_wrap.h"
+#ifdef GSSAPI
+#include "ssh-gss.h"
+#endif
+
/* import */
extern ServerOptions options;
extern u_char *session_id2;
-extern int session_id2_len;
+extern u_int session_id2_len;
Authctxt *x_authctxt = NULL;
extern Authmethod method_passwd;
extern Authmethod method_kbdint;
extern Authmethod method_hostbased;
+#ifdef KRB5
+extern Authmethod method_kerberos;
+#endif
+#ifdef GSSAPI
+extern Authmethod method_gssapi;
+#endif
Authmethod *authmethods[] = {
&method_none,
&method_pubkey,
+#ifdef GSSAPI
+ &method_gssapi,
+#endif
&method_passwd,
&method_kbdint,
&method_hostbased,
+#ifdef KRB5
+ &method_kerberos,
+#endif
NULL
};
/* challenge-response is implemented via keyboard interactive */
if (options.challenge_response_authentication)
options.kbd_interactive_authentication = 1;
- if (options.pam_authentication_via_kbd_int)
- options.kbd_interactive_authentication = 1;
- if (use_privsep)
- options.pam_authentication_via_kbd_int = 0;
dispatch_init(&dispatch_protocol_error);
dispatch_set(SSH2_MSG_SERVICE_REQUEST, &input_service_request);
authctxt->valid = 1;
debug2("input_userauth_request: setting up authctxt for %s", user);
#ifdef USE_PAM
- PRIVSEP(start_pam(authctxt->pw->pw_name));
+ if (options.use_pam)
+ PRIVSEP(start_pam(authctxt->pw->pw_name));
#endif
} else {
- log("input_userauth_request: illegal user %s", user);
+ logit("input_userauth_request: illegal user %s", user);
#ifdef USE_PAM
- PRIVSEP(start_pam("NOUSER"));
+ if (options.use_pam)
+ PRIVSEP(start_pam(user));
#endif
}
setproctitle("%s%s", authctxt->pw ? user : "unknown",
}
/* reset state */
auth2_challenge_stop(authctxt);
+
+#ifdef GSSAPI
+ dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL);
+ dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE, NULL);
+#endif
+
authctxt->postponed = 0;
/* try to authenticate user */
authctxt->user);
/* Special handling for root */
- if (!use_privsep &&
- authenticated && authctxt->pw->pw_uid == 0 &&
+ if (authenticated && authctxt->pw->pw_uid == 0 &&
!auth_root_allowed(method))
authenticated = 0;
#ifdef USE_PAM
- if (!use_privsep && authenticated && authctxt->user &&
- !do_pam_account(authctxt->user, NULL))
+ if (options.use_pam && authenticated && !PRIVSEP(do_pam_account()))
authenticated = 0;
-#endif /* USE_PAM */
+#endif
+
+#ifdef _UNICOS
+ if (authenticated && cray_access_denied(authctxt->user)) {
+ authenticated = 0;
+ fatal("Access denied for user %s.",authctxt->user);
+ }
+#endif /* _UNICOS */
/* Log before sending the reply */
auth_log(authctxt, authenticated, method, " ssh2");
/* now we can break out */
authctxt->success = 1;
} else {
- if (authctxt->failures++ > AUTH_FAIL_MAX) {
+ if (authctxt->failures++ > AUTH_FAIL_MAX)
packet_disconnect(AUTH_FAIL_MSG, authctxt->user);
- }
methods = authmethods_get();
packet_start(SSH2_MSG_USERAUTH_FAILURE);
packet_put_cstring(methods);