*/
#include "includes.h"
-RCSID("$OpenBSD: auth2.c,v 1.85 2002/02/24 19:14:59 markus Exp $");
+RCSID("$OpenBSD: auth2.c,v 1.91 2002/05/13 02:37:39 itojun Exp $");
#include <openssl/evp.h>
#include "pathnames.h"
#include "uidswap.h"
#include "auth-options.h"
-#include "misc.h"
#include "hostfile.h"
#include "canohost.h"
#include "match.h"
-#include "monitor.h"
#include "monitor_wrap.h"
+#include "atomicio.h"
/* import */
-extern int use_privsep;
-extern int mm_recvfd;
-
extern ServerOptions options;
extern u_char *session_id2;
extern int session_id2_len;
-static Authctxt *x_authctxt = NULL;
+Authctxt *x_authctxt = NULL;
static int one = 1;
typedef struct Authmethod Authmethod;
options.kbd_interactive_authentication = 1;
if (options.pam_authentication_via_kbd_int)
options.kbd_interactive_authentication = 1;
+ if (use_privsep)
+ options.pam_authentication_via_kbd_int = 0;
dispatch_init(&dispatch_protocol_error);
dispatch_set(SSH2_MSG_SERVICE_REQUEST, &input_service_request);
dispatch_run(DISPATCH_BLOCK, &authctxt->success, authctxt);
- return(authctxt);
+ return (authctxt);
}
static void
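Review bot: The new `if (use_privsep) options.pam_authentication_via_kbd_int = 0;` at L30-L31 runs after L28-L29 have already promoted that option into kbd_interactive_authentication, so under privsep kbd-int presumably stays enabled while the PAM backend it was enabled for is switched off; placing the privsep check above L28 keeps the derived flag consistent. The override is also silent, so an administrator who configured PAMAuthenticationViaKbdInt gets no log line explaining why it is not in effect; a `debug("privsep enabled: PAMAuthenticationViaKbdInt disabled");` next to the assignment would make that visible. do_authentication2 begins before this hunk.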
*style++ = 0;
if (authctxt->attempt++ == 0) {
- /* setup auth context */
- int allowed;
- struct passwd *pw = NULL;
- if (!use_privsep) {
- pw = getpwnam(user);
- allowed = pw ? allowed_user(pw) : 0;
- } else
- pw = mm_getpwnamallow(mm_recvfd, user, &allowed);
- if (pw && allowed && strcmp(service, "ssh-connection")==0) {
- authctxt->pw = pwcopy(pw);
+ /* setup auth context */
+ authctxt->pw = PRIVSEP(getpwnamallow(user));
+ if (authctxt->pw && strcmp(service, "ssh-connection")==0) {
authctxt->valid = 1;
debug2("input_userauth_request: setting up authctxt for %s", user);
#ifdef USE_PAM
- start_pam(pw->pw_name);
+ PRIVSEP(start_pam(authctxt->pw->pw_name));
#endif
} else {
log("input_userauth_request: illegal user %s", user);
#ifdef USE_PAM
- start_pam("NOUSER");
+ PRIVSEP(start_pam("NOUSER"));
#endif
}
- /* Free memory */
- if (use_privsep)
- pwfree(pw);
-
- setproctitle("%s%s", use_privsep ? " [net]" : "",
- pw ? user : "unknown");
+ setproctitle("%s%s", authctxt->pw ? user : "unknown",
+ use_privsep ? " [net]" : "");
authctxt->user = xstrdup(user);
authctxt->service = xstrdup(service);
authctxt->style = style ? xstrdup(style) : NULL;
-
if (use_privsep)
- mm_inform_authserv(mm_recvfd, service, style);
+ mm_inform_authserv(service, style);
} else if (strcmp(user, authctxt->user) != 0 ||
strcmp(service, authctxt->service) != 0) {
packet_disconnect("Change of username or service not allowed: "
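Review bot: `authctxt->pw = PRIVSEP(getpwnamallow(user));` at L52 keeps the returned struct for the lifetime of the context where the old privsep path copied and then pwfree'd it, so the code now depends on getpwnamallow() and its monitor wrapper both returning a caller-owned copy; nothing in the hunk shows that, so it should be confirmed and stated at the assignment, e.g. `/* XXX confirm: getpwnamallow() must return an owned copy in both privsep and non-privsep mode */`. The rewritten condition at L53 makes a service other than "ssh-connection" the only other way into the else branch, where L61 still logs "illegal user" for a user that was in fact found; splitting the test, or naming the service in that message, stops a valid account from being recorded as illegal. In that service-mismatch case authctxt->pw is now set while valid stays 0, so every later reader of pw must keep checking valid first. input_userauth_request begins and ends outside this hunk.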
authenticated = 0;
#ifdef USE_PAM
- if (authenticated && authctxt->user && !do_pam_account(authctxt->user,
- NULL))
+ if (!use_privsep && authenticated && authctxt->user &&
+ !do_pam_account(authctxt->user, NULL))
authenticated = 0;
#endif /* USE_PAM */
}
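Review bot: The added `!use_privsep &&` at L89 skips the PAM account stage outright whenever privsep is on, so a user authenticated through the monitor is never run through do_pam_account() and whatever the PAM account stack enforces is not applied to those sessions; nothing in this diff shows the monitor performing that check instead. If this is a known gap until the account call is proxied, make it visible rather than silent: a comment such as `/* XXX privsep: do_pam_account() is not yet proxied to the monitor; PAM account checks are skipped */` at L89, and ideally a log line when the stage is bypassed. userauth_finish begins before this hunk.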
}
-static void
-userauth_banner(void)
+char *
+auth2_read_banner(void)
{
struct stat st;
char *banner = NULL;
off_t len, n;
int fd;
- if (options.banner == NULL || (datafellows & SSH_BUG_BANNER))
- return;
- if ((fd = open(options.banner, O_RDONLY)) < 0)
- return;
- if (fstat(fd, &st) < 0)
- goto done;
+ if ((fd = open(options.banner, O_RDONLY)) == -1)
+ return (NULL);
+ if (fstat(fd, &st) == -1) {
+ close(fd);
+ return (NULL);
+ }
len = st.st_size;
banner = xmalloc(len + 1);
- if ((n = read(fd, banner, len)) < 0)
- goto done;
+ n = atomicio(read, fd, banner, len);
+ close(fd);
+
+ if (n != len) {
+ free(banner);
+ return (NULL);
+ }
banner[n] = '\0';
+
+ return (banner);
+}
+
+static void
+userauth_banner(void)
+{
+ char *banner = NULL;
+
+ if (options.banner == NULL || (datafellows & SSH_BUG_BANNER))
+ return;
+
+ if ((banner = PRIVSEP(auth2_read_banner())) == NULL)
+ goto done;
+
packet_start(SSH2_MSG_USERAUTH_BANNER);
packet_put_cstring(banner);
packet_put_cstring(""); /* language, unused */
done:
if (banner)
xfree(banner);
- close(fd);
return;
}
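Review bot: auth2_read_banner() at L97-L130 passes options.banner to open() at L110 without the NULL guard that moved to userauth_banner() at L137, yet it is now a separate entry point reached through PRIVSEP(), so any caller that does not go through userauth_banner first (presumably the monitor's handler) hands NULL to open(); add `if (options.banner == NULL) return (NULL);` as its first statement. The size taken from st.st_size at L116-L117 is neither checked for a regular file nor bounded, so a Banner pointing at a device or a very large file produces a matching xmalloc() in whichever process performs the read; an `S_ISREG(st.st_mode)` check or a sanity cap after fstat() would be cheap. The function frees with free() at L124 while its caller uses xfree() at L148; one convention, xfree() being the file's, is preferable. A short header comment stating that the returned buffer is xmalloc'd and owned by the caller, and that NULL means no banner, would complete the new function.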
static int
userauth_none(Authctxt *authctxt)
{
- int res = 0;
-
/* disable method "none", only allowed one time */
Authmethod *m = authmethod_lookup("none");
if (m != NULL)
if (authctxt->valid == 0)
return(0);
- if (!authctxt->valid)
- return (0);
- if (use_privsep)
-#if defined(USE_PAM) || defined(HAVE_OSF_SIA)
-#error NOT IMPLEMENTED FOR PRIVSEP
+
+#ifdef HAVE_CYGWIN
+ if (check_nt_auth(1, authctxt->pw) == 0)
+ return(0);
#endif
- res = mm_auth_password(mm_recvfd, "");
- else
- res = auth_password(authctxt, "");
- return (res);
+ return PRIVSEP(auth_password(authctxt, ""));
}
static int
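Review bot: Dropping the `#error NOT IMPLEMENTED FOR PRIVSEP` guard at L165-L166 (and the matching one at L183-L184 in the userauth_passwd hunk) means a USE_PAM or HAVE_OSF_SIA build with privsep now compiles and forwards the checks to the monitor via PRIVSEP(auth_password(...)) at L176 and L195, but nothing in these hunks shows that the PAM/SIA password paths are handled on the monitor side. If those backends are simply unsupported under privsep for now, consistent with the PAM opt-outs elsewhere in this commit, say so where the guard stood, e.g. `/* XXX PAM/SIA under privsep: auth_password() is answered by the monitor; verify those backends are handled there */`, so the removed compile-time protection is at least documented. The empty-string call at L176 also deserves its one-line rationale, since it is not obvious from here that this is the empty-password case, e.g. `/* "none" can only succeed for an account with an empty password */`.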
log("password change not supported");
password = packet_get_string(&len);
packet_check_eom();
-
-#if defined(HAVE_CYGWIN) || defined(USE_PAM) || defined(HAVE_OSF_SIA)
-#error NOT IMPLEMENTED FOR PRIVSEP
+ if (authctxt->valid &&
+#ifdef HAVE_CYGWIN
+ check_nt_auth(1, authctxt->pw) &&
#endif
- if (authctxt->valid) {
- if (use_privsep)
- authenticated = mm_auth_password(mm_recvfd, password);
- else
- authenticated = auth_password(authctxt, password);
- }
+ PRIVSEP(auth_password(authctxt, password)) == 1)
+ authenticated = 1;
memset(password, 0, len);
xfree(password);
return authenticated;
#endif
/* test for correct signature */
authenticated = 0;
- if (use_privsep) {
- if (mm_user_key_allowed(mm_recvfd, key) &&
- mm_key_verify(mm_recvfd,
- MM_USERKEY, NULL, NULL, key, sig, slen,
- buffer_ptr(&b), buffer_len(&b)) == 1)
- authenticated = 1;
- } else {
- if (user_key_allowed(authctxt->pw, key) &&
- key_verify(key, sig, slen, buffer_ptr(&b),
- buffer_len(&b)) == 1)
- authenticated = 1;
- }
+ if (PRIVSEP(user_key_allowed(authctxt->pw, key)) &&
+ PRIVSEP(key_verify(key, sig, slen, buffer_ptr(&b),
+ buffer_len(&b))) == 1)
+ authenticated = 1;
buffer_clear(&b);
xfree(sig);
} else {
- int res = 0;
debug("test whether pkalg/pkblob are acceptable");
packet_check_eom();
* if a user is not allowed to login. is this an
* issue? -markus
*/
- if (use_privsep)
- res = mm_user_key_allowed(mm_recvfd, key);
- else
- res = user_key_allowed(authctxt->pw, key);
- if (res) {
+ if (PRIVSEP(user_key_allowed(authctxt->pw, key))) {
packet_start(SSH2_MSG_USERAUTH_PK_OK);
packet_put_string(pkalg, alen);
packet_put_string(pkblob, blen);
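Review bot: The accept decision at L215-L218 is now taken in the unprivileged process from two independent round-trips, `PRIVSEP(user_key_allowed(...))` and `PRIVSEP(key_verify(...))`, so the monitor only remains the trust anchor if its key_verify handler refuses to treat as success a key it did not itself just approve for this user; nothing in this hunk shows that coupling, and the hostbased hunk at L251-L254 has the same shape. Confirm it on the monitor side and record it here, e.g. `/* monitor must tie key_verify() to the key it approved in user_key_allowed() */`, so a later change does not assume the child's `authenticated = 1` is authoritative on its own. userauth_pubkey begins before this hunk and ends after it.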
#endif
/* test for allowed key and correct signature */
authenticated = 0;
- if (use_privsep) {
- if (mm_hostbased_key_allowed(mm_recvfd, cuser, chost, key) &&
- mm_key_verify(mm_recvfd, MM_HOSTKEY, cuser, chost, key,
- sig, slen, buffer_ptr(&b), buffer_len(&b)) == 1)
- authenticated = 1;
- } else {
- if (hostbased_key_allowed(authctxt->pw, cuser, chost, key) &&
- key_verify(key, sig, slen, buffer_ptr(&b),
- buffer_len(&b)) == 1)
- authenticated = 1;
- }
+ if (PRIVSEP(hostbased_key_allowed(authctxt->pw, cuser, chost, key)) &&
+ PRIVSEP(key_verify(key, sig, slen, buffer_ptr(&b),
+ buffer_len(&b))) == 1)
+ authenticated = 1;
buffer_clear(&b);
done: