*/
#include "includes.h"
-RCSID("$OpenBSD: auth2.c,v 1.63 2001/06/22 21:55:49 markus Exp $");
+RCSID("$OpenBSD: auth2.c,v 1.69 2001/07/23 18:14:58 stevesk Exp $");
#include <openssl/evp.h>
/* protocol */
-void input_service_request(int type, int plen, void *ctxt);
-void input_userauth_request(int type, int plen, void *ctxt);
-void protocol_error(int type, int plen, void *ctxt);
+static void input_service_request(int, int, void *);
+static void input_userauth_request(int, int, void *);
+static void protocol_error(int, int, void *);
/* helper */
-Authmethod *authmethod_lookup(const char *name);
-char *authmethods_get(void);
-int user_key_allowed(struct passwd *pw, Key *key);
-int
-hostbased_key_allowed(struct passwd *pw, const char *cuser, char *chost,
- Key *key);
+static Authmethod *authmethod_lookup(const char *);
+static char *authmethods_get(void);
+static int user_key_allowed(struct passwd *, Key *);
+static int hostbased_key_allowed(struct passwd *, const char *, char *, Key *);
/* auth */
-void userauth_banner(void);
-int userauth_none(Authctxt *authctxt);
-int userauth_passwd(Authctxt *authctxt);
-int userauth_pubkey(Authctxt *authctxt);
-int userauth_hostbased(Authctxt *authctxt);
-int userauth_kbdint(Authctxt *authctxt);
+static void userauth_banner(void);
+static int userauth_none(Authctxt *);
+static int userauth_passwd(Authctxt *);
+static int userauth_pubkey(Authctxt *);
+static int userauth_hostbased(Authctxt *);
+static int userauth_kbdint(Authctxt *);
Authmethod authmethods[] = {
{"none",
do_authenticated(authctxt);
}
-void
+static void
protocol_error(int type, int plen, void *ctxt)
{
log("auth: protocol error: type %d plen %d", type, plen);
packet_write_wait();
}
-void
+static void
input_service_request(int type, int plen, void *ctxt)
{
Authctxt *authctxt = ctxt;
xfree(service);
}
-void
+static void
input_userauth_request(int type, int plen, void *ctxt)
{
Authctxt *authctxt = ctxt;
}
}
-void
+static void
userauth_banner(void)
{
struct stat st;
return;
}
-int
+static int
userauth_none(Authctxt *authctxt)
{
/* disable method "none", only allowed one time */
#endif /* USE_PAM */
}
-int
+static int
userauth_passwd(Authctxt *authctxt)
{
char *password;
return authenticated;
}
-int
+static int
userauth_kbdint(Authctxt *authctxt)
{
int authenticated = 0;
return authenticated;
}
-int
+static int
userauth_pubkey(Authctxt *authctxt)
{
Buffer b;
return authenticated;
}
-int
+static int
userauth_hostbased(Authctxt *authctxt)
{
Buffer b;
#define DELIM ","
-char *
+static char *
authmethods_get(void)
{
Authmethod *method = NULL;
return list;
}
-Authmethod *
+static Authmethod *
authmethod_lookup(const char *name)
{
Authmethod *method = NULL;
}
/* return 1 if user allows given key */
-int
+static int
user_key_allowed2(struct passwd *pw, Key *key, char *file)
{
char line[8192];
return 0;
}
if (options.strict_modes &&
- secure_filename(f, file, pw->pw_uid, line, sizeof(line)) != 0) {
+ secure_filename(f, file, pw, line, sizeof(line)) != 0) {
fclose(f);
log("Authentication refused: %s", line);
restore_uid();
if (key_equal(found, key) &&
auth_parse_options(pw, options, file, linenum) == 1) {
found_key = 1;
- debug("matching key found: file %s, line %ld",
+ debug("matching key found: file %s, line %lu",
file, linenum);
break;
}
}
/* check whether given key is in .ssh/authorized_keys* */
-int
+static int
user_key_allowed(struct passwd *pw, Key *key)
{
int success;
}
/* return 1 if given hostkey is allowed */
-int
+static int
hostbased_key_allowed(struct passwd *pw, const char *cuser, char *chost,
Key *key)
{
- Key *found;
const char *resolvedname, *ipaddr, *lookup;
- struct stat st;
- char *user_hostfile;
int host_status, len;
resolvedname = get_canonical_hostname(options.reverse_mapping_check);
}
debug2("userauth_hostbased: access allowed by auth_rhosts2");
- /* XXX this is copied from auth-rh-rsa.c and should be shared */
- found = key_new(key->type);
- host_status = check_host_in_hostfile(_PATH_SSH_SYSTEM_HOSTFILE2, lookup,
- key, found, NULL);
-
- if (host_status != HOST_OK && !options.ignore_user_known_hosts) {
- user_hostfile = tilde_expand_filename(_PATH_SSH_USER_HOSTFILE2,
- pw->pw_uid);
- if (options.strict_modes &&
- (stat(user_hostfile, &st) == 0) &&
- ((st.st_uid != 0 && st.st_uid != pw->pw_uid) ||
- (st.st_mode & 022) != 0)) {
- log("Hostbased authentication refused for %.100s: "
- "bad owner or modes for %.200s",
- pw->pw_name, user_hostfile);
- } else {
- temporarily_use_uid(pw);
- host_status = check_host_in_hostfile(user_hostfile,
- lookup, key, found, NULL);
- restore_uid();
- }
- xfree(user_hostfile);
- }
- key_free(found);
+ host_status = check_key_in_hostfiles(pw, key, lookup,
+ _PATH_SSH_SYSTEM_HOSTFILE,
+ options.ignore_user_known_hosts ? NULL : _PATH_SSH_USER_HOSTFILE);
+
+ /* backward compat if no key has been found. */
+ if (host_status == HOST_NEW)
+ host_status = check_key_in_hostfiles(pw, key, lookup,
+ _PATH_SSH_SYSTEM_HOSTFILE2,
+ options.ignore_user_known_hosts ? NULL :
+ _PATH_SSH_USER_HOSTFILE2);
- debug2("userauth_hostbased: key %s for %s", host_status == HOST_OK ?
- "ok" : "not found", lookup);
return (host_status == HOST_OK);
}
+
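Review bot: The rewritten tail of hostbased_key_allowed drops the `debug2("userauth_hostbased: key %s for %s", ...)` line, so a refused host-based login no longer records whether the client's host key was absent or mismatched — the one detail an operator needs to tell a missing known_hosts entry from a host presenting the wrong key. Assuming check_key_in_hostfiles returns the same HOST_OK/HOST_NEW/HOST_CHANGED set the old check_host_in_hostfile did, only HOST_NEW falls through to the *2 files, so a HOST_CHANGED result from known_hosts is final even if known_hosts2 still lists the old key; that is the right security choice but the `/* backward compat if no key has been found. */` comment should say so explicitly. I would restore the diagnostic before the return as `debug2("userauth_hostbased: key %s for %s", host_status == HOST_OK ? "ok" : host_status == HOST_CHANGED ? "changed" : "not found", lookup);`. The function's middle (resolvedname/lookup setup) is elided from this view, and whether check_key_in_hostfiles reproduces the removed strict_modes owner/mode check on the user hostfile cannot be confirmed from this hunk.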