X-Git-Url: http://andersk.mit.edu/gitweb/openssh.git/blobdiff_plain/2362db19c34ff0d1b04e3b2656523d93089a4a15..d4f40d925d35e026b3262b91c5e4c01797fa6be5:/auth2.c diff --git a/auth2.c b/auth2.c index ef1173fe..83d5224c 100644 --- a/auth2.c +++ b/auth2.c @@ -1,3 +1,4 @@ +/* $OpenBSD: auth2.c,v 1.112 2006/07/22 20:48:22 stevesk Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * @@ -23,7 +24,11 @@ */ #include "includes.h" -RCSID("$OpenBSD: auth2.c,v 1.103 2003/09/23 20:17:11 markus Exp $"); + +#include + +#include +#include #include "ssh2.h" #include "xmalloc.h" @@ -35,6 +40,7 @@ RCSID("$OpenBSD: auth2.c,v 1.103 2003/09/23 20:17:11 markus Exp $"); #include "dispatch.h" #include "pathnames.h" #include "monitor_wrap.h" +#include "buffer.h" #ifdef GSSAPI #include "ssh-gss.h" @@ -44,6 +50,7 @@ RCSID("$OpenBSD: auth2.c,v 1.103 2003/09/23 20:17:11 markus Exp $"); extern ServerOptions options; extern u_char *session_id2; extern u_int session_id2_len; +extern Buffer loginmsg; /* methods */ @@ -77,7 +84,6 @@ static void input_userauth_request(int, u_int32_t, void *); static Authmethod *authmethod_lookup(const char *); static char *authmethods_get(void); int user_key_allowed(struct passwd *, Key *); -int hostbased_key_allowed(struct passwd *, const char *, char *, Key *); /* * loop until authctxt->success == TRUE @@ -95,6 +101,7 @@ do_authentication2(Authctxt *authctxt) dispatch_run(DISPATCH_BLOCK, &authctxt->success, authctxt); } +/*ARGSUSED*/ static void input_service_request(int type, u_int32_t seq, void *ctxt) { @@ -128,6 +135,7 @@ input_service_request(int type, u_int32_t seq, void *ctxt) xfree(service); } +/*ARGSUSED*/ static void input_userauth_request(int type, u_int32_t seq, void *ctxt) { @@ -151,24 +159,23 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt) if (authctxt->attempt++ == 0) { /* setup auth context */ authctxt->pw = PRIVSEP(getpwnamallow(user)); + authctxt->user = xstrdup(user); if (authctxt->pw && strcmp(service, "ssh-connection")==0) { authctxt->valid = 1; debug2("input_userauth_request: setting up authctxt for %s", user); -#ifdef USE_PAM - if (options.use_pam) - PRIVSEP(start_pam(authctxt->pw->pw_name)); -#endif } else { - logit("input_userauth_request: illegal user %s", user); + logit("input_userauth_request: invalid user %s", user); authctxt->pw = fakepw(); -#ifdef USE_PAM - if (options.use_pam) - PRIVSEP(start_pam(user)); +#ifdef SSH_AUDIT_EVENTS + PRIVSEP(audit_event(SSH_INVALID_USER)); #endif } - setproctitle("%s%s", authctxt->pw ? user : "unknown", +#ifdef USE_PAM + if (options.use_pam) + PRIVSEP(start_pam(authctxt)); +#endif + setproctitle("%s%s", authctxt->valid ? user : "unknown", use_privsep ? " [net]" : ""); - authctxt->user = xstrdup(user); authctxt->service = xstrdup(service); authctxt->style = style ? xstrdup(style) : NULL; if (use_privsep) @@ -213,12 +220,26 @@ userauth_finish(Authctxt *authctxt, int authenticated, char *method) /* Special handling for root */ if (authenticated && authctxt->pw->pw_uid == 0 && - !auth_root_allowed(method)) + !auth_root_allowed(method)) { authenticated = 0; +#ifdef SSH_AUDIT_EVENTS + PRIVSEP(audit_event(SSH_LOGIN_ROOT_DENIED)); +#endif + } #ifdef USE_PAM - if (options.use_pam && authenticated && !PRIVSEP(do_pam_account())) - authenticated = 0; + if (options.use_pam && authenticated) { + if (!PRIVSEP(do_pam_account())) { + /* if PAM returned a message, send it to the user */ + if (buffer_len(&loginmsg) > 0) { + buffer_append(&loginmsg, "\0", 1); + userauth_send_banner(buffer_ptr(&loginmsg)); + packet_write_wait(); + } + fatal("Access denied for user %s by PAM account " + "configuration", authctxt->user); + } + } #endif #ifdef _UNICOS @@ -244,8 +265,12 @@ userauth_finish(Authctxt *authctxt, int authenticated, char *method) /* now we can break out */ authctxt->success = 1; } else { - if (authctxt->failures++ > AUTH_FAIL_MAX) + if (authctxt->failures++ > options.max_authtries) { +#ifdef SSH_AUDIT_EVENTS + PRIVSEP(audit_event(SSH_LOGIN_EXCEED_MAXTRIES)); +#endif packet_disconnect(AUTH_FAIL_MSG, authctxt->user); + } methods = authmethods_get(); packet_start(SSH2_MSG_USERAUTH_FAILURE); packet_put_cstring(methods);