X-Git-Url: http://andersk.mit.edu/gitweb/openssh.git/blobdiff_plain/696f6befad09f970af2cc44b4e46aae1efe35461..0d942eff10bfa688efa701abf8a08fe8fcfe4f24:/auth1.c diff --git a/auth1.c b/auth1.c index 4d2b92a2..7fe36315 100644 --- a/auth1.c +++ b/auth1.c @@ -10,7 +10,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: auth1.c,v 1.43 2002/09/09 06:48:06 itojun Exp $"); +RCSID("$OpenBSD: auth1.c,v 1.48 2003/04/08 20:21:28 itojun Exp $"); #include "xmalloc.h" #include "rsa.h" @@ -73,7 +73,7 @@ do_authloop(Authctxt *authctxt) char info[1024]; u_int dlen; u_int ulen; - int type = 0; + int prev, type = 0; struct passwd *pw = authctxt->pw; debug("Attempting authentication for %s%.100s.", @@ -103,8 +103,20 @@ do_authloop(Authctxt *authctxt) info[0] = '\0'; /* Get a packet from the client. */ + prev = type; type = packet_read(); + /* + * If we started challenge-response authentication but the + * next packet is not a response to our challenge, release + * the resources allocated by get_challenge() (which would + * normally have been released by verify_response() had we + * received such a response) + */ + if (prev == SSH_CMSG_AUTH_TIS && + type != SSH_CMSG_AUTH_TIS_RESPONSE) + abandon_challenge_response(authctxt); + /* Process the packet. */ switch (type) { @@ -118,17 +130,24 @@ do_authloop(Authctxt *authctxt) if (kdata[0] == 4) { /* KRB_PROT_VERSION */ #ifdef KRB4 - KTEXT_ST tkt; - + KTEXT_ST tkt, reply; tkt.length = dlen; if (tkt.length < MAX_KTXT_LEN) memcpy(tkt.dat, kdata, tkt.length); - if (auth_krb4(authctxt, &tkt, &client_user)) { + if (PRIVSEP(auth_krb4(authctxt, &tkt, + &client_user, &reply))) { authenticated = 1; snprintf(info, sizeof(info), " tktuser %.100s", client_user); + + packet_start( + SSH_SMSG_AUTH_KERBEROS_RESPONSE); + packet_put_string((char *) + reply.dat, reply.length); + packet_send(); + packet_write_wait(); } #endif /* KRB4 */ } else { @@ -143,7 +162,7 @@ do_authloop(Authctxt *authctxt) snprintf(info, sizeof(info), " tktuser %.100s", client_user); - + /* Send response to client */ packet_start( SSH_SMSG_AUTH_KERBEROS_RESPONSE); @@ -278,7 +297,6 @@ do_authloop(Authctxt *authctxt) debug("rcvd SSH_CMSG_AUTH_TIS_RESPONSE"); if (options.challenge_response_authentication == 1) { char *response = packet_get_string(&dlen); - debug("got response '%s'", response); packet_check_eom(); authenticated = verify_response(authctxt, response); memset(response, 'r', dlen); @@ -291,7 +309,7 @@ do_authloop(Authctxt *authctxt) * Any unknown messages will be ignored (and failure * returned) during authentication. */ - log("Unknown message during authentication: type %d", type); + logit("Unknown message during authentication: type %d", type); break; } #ifdef BSD_AUTH @@ -304,6 +322,13 @@ do_authloop(Authctxt *authctxt) fatal("INTERNAL ERROR: authenticated invalid user %s", authctxt->user); +#ifdef _UNICOS + if (authenticated && cray_access_denied(authctxt->user)) { + authenticated = 0; + fatal("Access denied for user %s.",authctxt->user); + } +#endif /* _UNICOS */ + #ifdef HAVE_CYGWIN if (authenticated && !check_nt_auth(type == SSH_CMSG_AUTH_PASSWORD, pw)) { @@ -313,8 +338,7 @@ do_authloop(Authctxt *authctxt) } #else /* Special handling for root */ - if (!use_privsep && - authenticated && authctxt->pw->pw_uid == 0 && + if (authenticated && authctxt->pw->pw_uid == 0 && !auth_root_allowed(get_authname(type))) authenticated = 0; #endif @@ -335,9 +359,8 @@ do_authloop(Authctxt *authctxt) if (authenticated) return; - if (authctxt->failures++ > AUTH_FAIL_MAX) { + if (authctxt->failures++ > AUTH_FAIL_MAX) packet_disconnect(AUTH_FAIL_MSG, authctxt->user); - } packet_start(SSH_SMSG_FAILURE); packet_send(); @@ -390,7 +413,7 @@ do_authentication(void) use_privsep ? " [net]" : ""); #ifdef USE_PAM - PRIVSEP(start_pam(authctxt->pw == NULL ? "NOUSER" : user)); + PRIVSEP(start_pam(user)); #endif /*