*/
#include "includes.h"
-RCSID("$OpenBSD: auth1.c,v 1.55 2003/11/08 16:02:40 jakob Exp $");
+RCSID("$OpenBSD: auth1.c,v 1.59 2004/07/28 09:40:29 markus Exp $");
#include "xmalloc.h"
#include "rsa.h"
#include "ssh1.h"
#include "packet.h"
#include "buffer.h"
-#include "mpaux.h"
#include "log.h"
#include "servconf.h"
#include "compat.h"
#include "session.h"
#include "uidswap.h"
#include "monitor_wrap.h"
+#include "buffer.h"
/* import */
extern ServerOptions options;
+extern Buffer loginmsg;
/*
* convert ssh auth msg type into description
u_int dlen;
u_int ulen;
int prev, type = 0;
- struct passwd *pw = authctxt->pw;
debug("Attempting authentication for %s%.100s.",
- authctxt->valid ? "" : "illegal user ", authctxt->user);
+ authctxt->valid ? "" : "invalid user ", authctxt->user);
/* If the user has no password, accept authentication immediately. */
if (options.password_authentication &&
(!options.kerberos_authentication || options.kerberos_or_local_passwd) &&
#endif
PRIVSEP(auth_password(authctxt, ""))) {
- auth_log(authctxt, 1, "without authentication", "");
- return;
+#ifdef USE_PAM
+ if (options.use_pam && (PRIVSEP(do_pam_account())))
+#endif
+ {
+ auth_log(authctxt, 1, "without authentication", "");
+ return;
+ }
}
/* Indicate that authentication is needed. */
#ifdef HAVE_CYGWIN
if (authenticated &&
- !check_nt_auth(type == SSH_CMSG_AUTH_PASSWORD, pw)) {
+ !check_nt_auth(type == SSH_CMSG_AUTH_PASSWORD,
+ authctxt->pw)) {
packet_disconnect("Authentication rejected for uid %d.",
- pw == NULL ? -1 : pw->pw_uid);
+ authctxt->pw == NULL ? -1 : authctxt->pw->pw_uid);
authenticated = 0;
}
#else
/* Special handling for root */
if (authenticated && authctxt->pw->pw_uid == 0 &&
- !auth_root_allowed(get_authname(type)))
+ !auth_root_allowed(get_authname(type))) {
authenticated = 0;
+# ifdef SSH_AUDIT_EVENTS
+ PRIVSEP(audit_event(SSH_LOGIN_ROOT_DENIED));
+# endif
+ }
#endif
#ifdef USE_PAM
if (options.use_pam && authenticated &&
- !PRIVSEP(do_pam_account()))
- authenticated = 0;
+ !PRIVSEP(do_pam_account())) {
+ char *msg;
+ size_t len;
+
+ error("Access denied for user %s by PAM account "
+ "configuration", authctxt->user);
+ len = buffer_len(&loginmsg);
+ buffer_append(&loginmsg, "\0", 1);
+ msg = buffer_ptr(&loginmsg);
+ /* strip trailing newlines */
+ if (len > 0)
+ while (len > 0 && msg[--len] == '\n')
+ msg[len] = '\0';
+ else
+ msg = "Access denied.";
+ packet_disconnect(msg);
+ }
#endif
/* Log before sending the reply */
if (authenticated)
return;
- if (authctxt->failures++ > AUTH_FAIL_MAX)
+ if (authctxt->failures++ > options.max_authtries) {
+#ifdef SSH_AUDIT_EVENTS
+ PRIVSEP(audit_event(SSH_LOGIN_EXCEED_MAXTRIES));
+#endif
packet_disconnect(AUTH_FAIL_MSG, authctxt->user);
+ }
packet_start(SSH_SMSG_FAILURE);
packet_send();
if ((authctxt->pw = PRIVSEP(getpwnamallow(user))) != NULL)
authctxt->valid = 1;
else {
- debug("do_authentication: illegal user %s", user);
+ debug("do_authentication: invalid user %s", user);
authctxt->pw = fakepw();
}
- setproctitle("%s%s", authctxt->pw ? user : "unknown",
+ setproctitle("%s%s", authctxt->valid ? user : "unknown",
use_privsep ? " [net]" : "");
#ifdef USE_PAM
if (options.use_pam)
- PRIVSEP(start_pam(user));
+ PRIVSEP(start_pam(authctxt));
#endif
/*