*/
#include "includes.h"
-RCSID("$OpenBSD: auth2.c,v 1.19 2000/10/11 20:27:23 markus Exp $");
+RCSID("$OpenBSD: auth2.c,v 1.22 2000/12/03 11:15:02 markus Exp $");
#ifdef HAVE_OSF_SIA
# include <sia.h>
#include "key.h"
#include "kex.h"
-#include "dsa.h"
#include "uidswap.h"
#include "auth-options.h"
/* helper */
Authmethod *authmethod_lookup(const char *name);
struct passwd *pwcopy(struct passwd *pw);
-int user_dsa_key_allowed(struct passwd *pw, Key *key);
+int user_key_allowed(struct passwd *pw, Key *key);
char *authmethods_get(void);
/* auth */
&one},
{"publickey",
userauth_pubkey,
- &options.dsa_authentication},
+ &options.pubkey_authentication},
{"keyboard-interactive",
userauth_kbdint,
&options.kbd_interactive_authentication},
fatal("input_userauth_request: no authctxt");
if (authctxt->attempt++ >= AUTH_FAIL_MAX) {
#ifdef WITH_AIXAUTHENTICATE
- loginfailed(user,get_canonical_hostname(),"ssh");
+ loginfailed(authctxt->user?authctxt->user:"NOUSER",
+ get_canonical_hostname(), "ssh");
#endif /* WITH_AIXAUTHENTICATE */
packet_disconnect("too many failed userauth_requests");
}
}
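Review bot: The replacement argument `authctxt->user?authctxt->user:"NOUSER"` at the loginfailed() call hands the client-supplied username to host accounting, where the old code passed the resolved `pw_name`; `authctxt->user` is whatever name arrived in the userauth request, so an arbitrary, unvalidated string now reaches the AIX/SIA login records. The same ternary is repeated at the loginsuccess() and both sia_validate_user() calls further down, which is also a style point: one static helper such as `static const char *auth_user_name(Authctxt *a) { return a->user ? a->user : "NOUSER"; }` would remove the four copies and give a single place to sanitize or length-limit the name. The enclosing input_userauth_request() body starts and ends outside this hunk.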
#ifdef USE_PAM
- if (authenticated && !do_pam_account(authctxt->pw->pw_name, NULL))
+ if (authenticated && authctxt->user && !do_pam_account(authctxt->user, NULL))
authenticated = 0;
#endif /* USE_PAM */
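Review bot: The new condition skips the PAM account check entirely when `authctxt->user` is NULL but `authenticated` is already set, so in that case the request passes without do_pam_account() ever running. Whether an authenticated context with a NULL user is reachable cannot be seen from this hunk, but the safer shape fails closed: `if (authenticated && (!authctxt->user || !do_pam_account(authctxt->user, NULL)))` followed by the existing `authenticated = 0;`. The surrounding function continues outside the hunk.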
if (authenticated == 1) {
#ifdef WITH_AIXAUTHENTICATE
/* We don't have a pty yet, so just label the line as "ssh" */
- if (loginsuccess(user, get_canonical_hostname(), "ssh",
- &aixloginmsg) < 0)
+ if (loginsuccess(authctxt->user?authctxt->user:"NOUSER",
+ get_canonical_hostname(), "ssh", &aixloginmsg) < 0)
aixloginmsg = NULL;
#endif /* WITH_AIXAUTHENTICATE */
/* turn off userauth */
return auth_pam_password(authctxt->pw, "");
#elif defined(HAVE_OSF_SIA)
return (sia_validate_user(NULL, saved_argc, saved_argv,
- get_canonical_hostname(), authctxt->pw->pw_name, NULL,
- 0, NULL, "") == SIASUCCESS);
+ get_canonical_hostname(), authctxt->user?authctxt->user:"NOUSER",
+ NULL, 0, NULL, "") == SIASUCCESS);
#else /* !HAVE_OSF_SIA && !USE_PAM */
return auth_password(authctxt->pw, "");
#endif /* USE_PAM */
auth_pam_password(authctxt->pw, password) == 1)
#elif defined(HAVE_OSF_SIA)
sia_validate_user(NULL, saved_argc, saved_argv,
- get_canonical_hostname(), authctxt->pw->pw_name, NULL, 0,
- NULL, password) == SIASUCCESS)
+ get_canonical_hostname(), authctxt->user?authctxt->user:"NOUSER",
+ NULL, 0, NULL, password) == SIASUCCESS)
#else /* !USE_PAM && !HAVE_OSF_SIA */
auth_password(authctxt->pw, password) == 1)
#endif /* USE_PAM */
packet_done();
debug("keyboard-interactive language %s devs %s", lang, devs);
+#ifdef USE_PAM
+ if (authenticated == 0)
+ authenticated = auth2_pam(authctxt);
+#endif
#ifdef SKEY
/* XXX hardcoded, we should look at devs */
- if (options.skey_authentication != 0)
- authenticated = auth2_skey(authctxt);
+ if (authenticated == 0)
+ if (options.skey_authentication != 0)
+ authenticated = auth2_skey(authctxt);
#endif
xfree(lang);
xfree(devs);
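Review bot: The added SKEY block nests two unbraced `if` statements (`if (authenticated == 0)` directly over `if (options.skey_authentication != 0)`), which is the shape that invites a misplaced-brace or dangling-else mistake in later edits; a single braced condition reads the same: `if (authenticated == 0 && options.skey_authentication != 0) {` … `authenticated = auth2_skey(authctxt);` … `}`. Note also that with both USE_PAM and SKEY compiled in, one keyboard-interactive request now drives a PAM conversation and, on failure, an S/Key exchange before the method returns, so a single client message can produce two backend authentication attempts while `authctxt->attempt` is counted once; if that is intended, a short comment above the `#ifdef USE_PAM` saying PAM is tried first and S/Key only as a fallback would document it. The enclosing userauth_kbdint() body starts outside this hunk.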
Key *key;
char *pkalg, *pkblob, *sig;
unsigned int alen, blen, slen;
- int have_sig;
+ int have_sig, pktype;
int authenticated = 0;
if (!authctxt->valid) {
return 0;
}
have_sig = packet_get_char();
- pkalg = packet_get_string(&alen);
- if (strcmp(pkalg, KEX_DSS) != 0) {
- log("bad pkalg %s", pkalg); /*XXX*/
+ if (datafellows & SSH_BUG_PKAUTH) {
+ debug2("userauth_pubkey: SSH_BUG_PKAUTH");
+ /* no explicit pkalg given */
+ pkblob = packet_get_string(&blen);
+ buffer_init(&b);
+ buffer_append(&b, pkblob, blen);
+ /* so we have to extract the pkalg from the pkblob */
+ pkalg = buffer_get_string(&b, &alen);
+ buffer_free(&b);
+ } else {
+ pkalg = packet_get_string(&alen);
+ pkblob = packet_get_string(&blen);
+ }
+ pktype = key_type_from_name(pkalg);
+ if (pktype == KEY_UNSPEC) {
+ /* this is perfectly legal */
+ log("userauth_pubkey: unsupported public key algorithm: %s", pkalg);
xfree(pkalg);
+ xfree(pkblob);
return 0;
}
- pkblob = packet_get_string(&blen);
- key = dsa_key_from_blob(pkblob, blen);
+ key = key_from_blob(pkblob, blen);
if (key != NULL) {
if (have_sig) {
sig = packet_get_string(&slen);
packet_done();
buffer_init(&b);
- if (datafellows & SSH_COMPAT_SESSIONID_ENCODING) {
- buffer_put_string(&b, session_id2, session_id2_len);
- } else {
+ if (datafellows & SSH_OLD_SESSIONID) {
buffer_append(&b, session_id2, session_id2_len);
+ } else {
+ buffer_put_string(&b, session_id2, session_id2_len);
}
/* reconstruct packet */
buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST);
buffer_put_cstring(&b, authctxt->user);
buffer_put_cstring(&b,
- datafellows & SSH_BUG_PUBKEYAUTH ?
+ datafellows & SSH_BUG_PKSERVICE ?
"ssh-userauth" :
authctxt->service);
- buffer_put_cstring(&b, "publickey");
- buffer_put_char(&b, have_sig);
- buffer_put_cstring(&b, KEX_DSS);
+ if (datafellows & SSH_BUG_PKAUTH) {
+ buffer_put_char(&b, have_sig);
+ } else {
+ buffer_put_cstring(&b, "publickey");
+ buffer_put_char(&b, have_sig);
+ buffer_put_cstring(&b, key_ssh_name(key));
+ }
buffer_put_string(&b, pkblob, blen);
-#ifdef DEBUG_DSS
+#ifdef DEBUG_PK
buffer_dump(&b);
#endif
/* test for correct signature */
- if (user_dsa_key_allowed(authctxt->pw, key) &&
- dsa_verify(key, sig, slen, buffer_ptr(&b), buffer_len(&b)) == 1)
+ if (user_key_allowed(authctxt->pw, key) &&
+ key_verify(key, sig, slen, buffer_ptr(&b), buffer_len(&b)) == 1)
authenticated = 1;
buffer_clear(&b);
xfree(sig);
* if a user is not allowed to login. is this an
* issue? -markus
*/
- if (user_dsa_key_allowed(authctxt->pw, key)) {
+ if (user_key_allowed(authctxt->pw, key)) {
packet_start(SSH2_MSG_USERAUTH_PK_OK);
packet_put_string(pkalg, alen);
packet_put_string(pkblob, blen);
auth_clear_options();
key_free(key);
}
+ debug2("userauth_pubkey: authenticated %d pkalg %s", authenticated, pkalg);
xfree(pkalg);
xfree(pkblob);
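Review bot: After `key = key_from_blob(pkblob, blen);` there is no check that the decoded key's type agrees with `pktype`, so a request whose `pkalg` names one algorithm but whose blob encodes another is accepted as far as the lookup and signature path, and the PK_OK reply echoes the client's `pkalg` while the reconstructed signed data uses `key_ssh_name(key)`. A guard of the form `if (key != NULL && key->type != pktype)` that logs the mismatch, frees the key and sets `key = NULL` closes that gap and keeps the two names consistent. In the SSH_BUG_PKAUTH branch, `buffer_get_string(&b, &alen)` runs on a client-controlled blob; as far as I recall this fatal()s on a truncated string rather than overrunning, which is acceptable, but a comment noting that the disconnect is the intended outcome for a malformed blob would help the next reader. userauth_pubkey() starts and ends outside this hunk.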
#ifdef HAVE_CYGWIN
/* return 1 if user allows given key */
int
-user_dsa_key_allowed(struct passwd *pw, Key *key)
+user_key_allowed(struct passwd *pw, Key *key)
{
char line[8192], file[1024];
int found_key = 0;
- unsigned int bits = -1;
FILE *f;
unsigned long linenum = 0;
struct stat st;
if (!*cp || *cp == '\n' || *cp == '#')
continue;
- bits = key_read(found, &cp);
- if (bits == 0) {
+ if (key_read(found, &cp) == -1) {
/* no key? check if there are options for this key */
int quoted = 0;
+ debug2("user_key_allowed: check options: '%s'", cp);
options = cp;
for (; *cp && (quoted || (*cp != ' ' && *cp != '\t')); cp++) {
if (*cp == '\\' && cp[1] == '"')
/* Skip remaining whitespace. */
for (; *cp == ' ' || *cp == '\t'; cp++)
;
- bits = key_read(found, &cp);
- if (bits == 0) {
+ if (key_read(found, &cp) == -1) {
+ debug2("user_key_allowed: advance: '%s'", cp);
/* still no key? advance to next line*/
continue;
}