]> andersk Git - openssh.git/blobdiff - auth2.c
andersk / openssh.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
- (tim) [contrib/cygwin/README] add minires-devel requirement. Patch from
[openssh.git] / auth2.c
diff --git a/auth2.c b/auth2.c
index 6dfd91f749d829431bbbca2b5afa0f941f6eaf3d..e4a3cded9ae530dbcc00654f5890dec044c4dc7a 100644 (file)
--- a/auth2.c
+++ b/auth2.c
@@ -23,7 +23,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: auth2.c,v 1.93 2002/05/31 11:35:15 markus Exp $");
+RCSID("$OpenBSD: auth2.c,v 1.105 2004/05/23 23:59:53 dtucker Exp $");
 
 #include "ssh2.h"
 #include "xmalloc.h"
@@ -36,12 +36,14 @@ RCSID("$OpenBSD: auth2.c,v 1.93 2002/05/31 11:35:15 markus Exp $");
 #include "pathnames.h"
 #include "monitor_wrap.h"
 
+#ifdef GSSAPI
+#include "ssh-gss.h"
+#endif
+
 /* import */
 extern ServerOptions options;
 extern u_char *session_id2;
-extern int session_id2_len;
-
-Authctxt *x_authctxt = NULL;
+extern u_int session_id2_len;
 
 /* methods */
 
@@ -50,10 +52,16 @@ extern Authmethod method_pubkey;
 extern Authmethod method_passwd;
 extern Authmethod method_kbdint;
 extern Authmethod method_hostbased;
+#ifdef GSSAPI
+extern Authmethod method_gssapi;
+#endif
 
 Authmethod *authmethods[] = {
        &method_none,
        &method_pubkey,
+#ifdef GSSAPI
+       &method_gssapi,
+#endif
        &method_passwd,
        &method_kbdint,
        &method_hostbased,
@@ -69,32 +77,21 @@ static void input_userauth_request(int, u_int32_t, void *);
 static Authmethod *authmethod_lookup(const char *);
 static char *authmethods_get(void);
 int user_key_allowed(struct passwd *, Key *);
-int hostbased_key_allowed(struct passwd *, const char *, char *, Key *);
 
 /*
  * loop until authctxt->success == TRUE
  */
 
-Authctxt *
-do_authentication2(void)
+void
+do_authentication2(Authctxt *authctxt)
 {
-       Authctxt *authctxt = authctxt_new();
-
-       x_authctxt = authctxt;          /*XXX*/
-
        /* challenge-response is implemented via keyboard interactive */
        if (options.challenge_response_authentication)
                options.kbd_interactive_authentication = 1;
-       if (options.pam_authentication_via_kbd_int)
-               options.kbd_interactive_authentication = 1;
-       if (use_privsep)
-               options.pam_authentication_via_kbd_int = 0;
 
        dispatch_init(&dispatch_protocol_error);
        dispatch_set(SSH2_MSG_SERVICE_REQUEST, &input_service_request);
        dispatch_run(DISPATCH_BLOCK, &authctxt->success, authctxt);
-
-       return (authctxt);
 }
 
 static void
@@ -102,7 +99,7 @@ input_service_request(int type, u_int32_t seq, void *ctxt)
 {
        Authctxt *authctxt = ctxt;
        u_int len;
-       int accept = 0;
+       int acceptit = 0;
        char *service = packet_get_string(&len);
        packet_check_eom();
 
@@ -111,14 +108,14 @@ input_service_request(int type, u_int32_t seq, void *ctxt)
 
        if (strcmp(service, "ssh-userauth") == 0) {
                if (!authctxt->success) {
-                       accept = 1;
+                       acceptit = 1;
                        /* now we can handle user-auth requests */
                        dispatch_set(SSH2_MSG_USERAUTH_REQUEST, &input_userauth_request);
                }
        }
        /* XXX all other service requests are denied */
 
-       if (accept) {
+       if (acceptit) {
                packet_start(SSH2_MSG_SERVICE_ACCEPT);
                packet_put_cstring(service);
                packet_send();
@@ -153,21 +150,24 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
        if (authctxt->attempt++ == 0) {
                /* setup auth context */
                authctxt->pw = PRIVSEP(getpwnamallow(user));
+               authctxt->user = xstrdup(user);
                if (authctxt->pw && strcmp(service, "ssh-connection")==0) {
                        authctxt->valid = 1;
                        debug2("input_userauth_request: setting up authctxt for %s", user);
 #ifdef USE_PAM
-                       PRIVSEP(start_pam(authctxt->pw->pw_name));
+                       if (options.use_pam)
+                               PRIVSEP(start_pam(authctxt));
 #endif
                } else {
-                       log("input_userauth_request: illegal user %s", user);
+                       logit("input_userauth_request: illegal user %s", user);
+                       authctxt->pw = fakepw();
 #ifdef USE_PAM
-                       PRIVSEP(start_pam("NOUSER"));
+                       if (options.use_pam)
+                               PRIVSEP(start_pam(authctxt));
 #endif
                }
                setproctitle("%s%s", authctxt->pw ? user : "unknown",
                    use_privsep ? " [net]" : "");
-               authctxt->user = xstrdup(user);
                authctxt->service = xstrdup(service);
                authctxt->style = style ? xstrdup(style) : NULL;
                if (use_privsep)
@@ -180,6 +180,12 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
        }
        /* reset state */
        auth2_challenge_stop(authctxt);
+
+#ifdef GSSAPI
+       dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL);
+       dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE, NULL);
+#endif
+
        authctxt->postponed = 0;
 
        /* try to authenticate user */
@@ -210,10 +216,16 @@ userauth_finish(Authctxt *authctxt, int authenticated, char *method)
                authenticated = 0;
 
 #ifdef USE_PAM
-       if (!use_privsep && authenticated && authctxt->user && 
-           !do_pam_account(authctxt->user, NULL))
+       if (options.use_pam && authenticated && !PRIVSEP(do_pam_account()))
+               authenticated = 0;
+#endif
+
+#ifdef _UNICOS
+       if (authenticated && cray_access_denied(authctxt->user)) {
                authenticated = 0;
-#endif /* USE_PAM */
+               fatal("Access denied for user %s.",authctxt->user);
+       }
+#endif /* _UNICOS */
 
        /* Log before sending the reply */
        auth_log(authctxt, authenticated, method, " ssh2");
@@ -231,15 +243,8 @@ userauth_finish(Authctxt *authctxt, int authenticated, char *method)
                /* now we can break out */
                authctxt->success = 1;
        } else {
-               if (authctxt->failures++ > AUTH_FAIL_MAX) {
-#ifdef WITH_AIXAUTHENTICATE
-                       /* XXX: privsep */
-                       loginfailed(authctxt->user,
-                           get_canonical_hostname(options.verify_reverse_mapping),
-                           "ssh");
-#endif /* WITH_AIXAUTHENTICATE */
+               if (authctxt->failures++ > options.max_authtries)
                        packet_disconnect(AUTH_FAIL_MSG, authctxt->user);
-               }
                methods = authmethods_get();
                packet_start(SSH2_MSG_USERAUTH_FAILURE);
                packet_put_cstring(methods);
@@ -250,14 +255,6 @@ userauth_finish(Authctxt *authctxt, int authenticated, char *method)
        }
 }
 
-/* get current user */
-
-struct passwd*
-auth_get_user(void)
-{
-       return (x_authctxt != NULL && x_authctxt->valid) ? x_authctxt->pw : NULL;
-}
-
 #define        DELIM   ","
 
 static char *
git-cvsimport mirror of OpenSSH
This page took 0.042221 seconds and 4 git commands to generate.