X-Git-Url: http://andersk.mit.edu/gitweb/openssh.git/blobdiff_plain/a375df464c580c551f73573854378d33d00469ab..a858eae93b4e020c5edabf092161ae9b791cef0d:/auth1.c diff --git a/auth1.c b/auth1.c index 0f6be820..1801661f 100644 --- a/auth1.c +++ b/auth1.c @@ -1,3 +1,4 @@ +/* $OpenBSD: auth1.c,v 1.73 2008/07/04 23:30:16 djm Exp $ */ /* * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved @@ -10,8 +11,16 @@ */ #include "includes.h" -RCSID("$OpenBSD: auth1.c,v 1.61 2005/06/17 02:44:32 djm Exp $"); +#include + +#include +#include +#include +#include +#include + +#include "openbsd-compat/sys-queue.h" #include "xmalloc.h" #include "rsa.h" #include "ssh1.h" @@ -20,10 +29,15 @@ RCSID("$OpenBSD: auth1.c,v 1.61 2005/06/17 02:44:32 djm Exp $"); #include "log.h" #include "servconf.h" #include "compat.h" +#include "key.h" +#include "hostfile.h" #include "auth.h" #include "channels.h" #include "session.h" #include "uidswap.h" +#ifdef GSSAPI +#include "ssh-gss.h" +#endif #include "monitor_wrap.h" #include "buffer.h" @@ -77,7 +91,7 @@ static const struct AuthMethod1 { int i; - for(i = 0; auth1_methods[i].name != NULL; i++) + for (i = 0; auth1_methods[i].name != NULL; i++) if (auth1_methods[i].type == type) return (&(auth1_methods[i])); @@ -96,6 +110,7 @@ get_authname(int type) return (buf); } +/*ARGSUSED*/ static int auth1_process_password(Authctxt *authctxt, char *info, size_t infolen) { @@ -120,6 +135,7 @@ auth1_process_password(Authctxt *authctxt, char *info, size_t infolen) return (authenticated); } +/*ARGSUSED*/ static int auth1_process_rsa(Authctxt *authctxt, char *info, size_t infolen) { @@ -137,6 +153,7 @@ auth1_process_rsa(Authctxt *authctxt, char *info, size_t infolen) return (authenticated); } +/*ARGSUSED*/ static int auth1_process_rhosts_rsa(Authctxt *authctxt, char *info, size_t infolen) { 
@@ -171,15 +188,16 @@ auth1_process_rhosts_rsa(Authctxt *authctxt, char *info, size_t infolen) key_free(client_host_key); snprintf(info, infolen, " ruser %.100s", client_user); - + return (authenticated); } +/*ARGSUSED*/ static int auth1_process_tis_challenge(Authctxt *authctxt, char *info, size_t infolen) { char *challenge; - + if ((challenge = get_challenge(authctxt)) == NULL) return (0); @@ -193,6 +211,7 @@ auth1_process_tis_challenge(Authctxt *authctxt, char *info, size_t infolen) return (-1); } +/*ARGSUSED*/ static int auth1_process_tis_response(Authctxt *authctxt, char *info, size_t infolen) { @@ -265,6 +284,8 @@ do_authloop(Authctxt *authctxt) type != SSH_CMSG_AUTH_TIS_RESPONSE) abandon_challenge_response(authctxt); + if (authctxt->failures >= options.max_authtries) + goto skip; if ((meth = lookup_authmethod1(type)) == NULL) { logit("Unknown message during authentication: " "type %d", type); @@ -297,15 +318,7 @@ do_authloop(Authctxt *authctxt) } #endif /* _UNICOS */ -#ifdef HAVE_CYGWIN - if (authenticated && - !check_nt_auth(type == SSH_CMSG_AUTH_PASSWORD, - authctxt->pw)) { - packet_disconnect("Authentication rejected for uid %d.", - authctxt->pw == NULL ? -1 : authctxt->pw->pw_uid); - authenticated = 0; - } -#else +#ifndef HAVE_CYGWIN /* Special handling for root */ if (authenticated && authctxt->pw->pw_uid == 0 && !auth_root_allowed(meth->name)) { @@ -323,7 +336,7 @@ do_authloop(Authctxt *authctxt) size_t len; error("Access denied for user %s by PAM account " - "configuration", authctxt->user); + "configuration", authctxt->user); len = buffer_len(&loginmsg); buffer_append(&loginmsg, "\0", 1); msg = buffer_ptr(&loginmsg); @@ -333,7 +346,7 @@ do_authloop(Authctxt *authctxt) msg[len] = '\0'; else msg = "Access denied."; - packet_disconnect(msg); + packet_disconnect("%s", msg); } #endif 
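Review bot: The early exit added in the `@@ -265,6 +284,8 @@` hunk, `if (authctxt->failures >= options.max_authtries) goto skip;`, jumps past `lookup_authmethod1()`, so `meth` is not looked up for that request, and no comment says why the request is dropped. The `skip:` label and everything after it are outside the hunk, so confirm that nothing reached from `skip:` reads `meth`. In particular, the `meth->name` use in the root check of the `+318` hunk has to remain above the label. A one-line comment would record the intent, e.g. `/* Over the limit: do not run any further auth method on this connection. */`.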
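Review bot: Removing the `check_nt_auth()` call in the `@@ -297,15 +318,7 @@` hunk leaves Cygwin builds with no post-authentication account check in this block, and the hunk does not show where that check now runs. If it moved to a path shared by both protocol versions (presumably, but not visible here), confirm that every successful SSH1 authentication still passes through it. A short comment on the new guard would record this, e.g. `#ifndef HAVE_CYGWIN /* Cygwin account check is done in <shared auth path>, not here */`, where the placeholder is the real location. do_authloop starts and ends outside the hunk.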
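Review bot: In the `@@ -333,7 +346,7 @@` hunk, `packet_disconnect("%s", msg)` carries no comment explaining that `msg` is not a trusted format string; it is taken from `loginmsg`, which in this branch appears to hold text produced by the PAM account stack. A comment above the call would stop a later cleanup from folding it back into `packet_disconnect(msg)`, e.g. `/* msg is externally supplied text: pass it as an argument, never as the format */`. If the `packet_disconnect` prototype (outside this diff) does not already carry `__attribute__((format(printf, 1, 2)))`, adding it and building with `-Wformat-security` would let the compiler flag any other call site with the same pattern.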
@@ -349,7 +362,7 @@ do_authloop(Authctxt *authctxt) if (authenticated) return; - if (authctxt->failures++ > options.max_authtries) { + if (++authctxt->failures >= options.max_authtries) { #ifdef SSH_AUDIT_EVENTS PRIVSEP(audit_event(SSH_LOGIN_EXCEED_MAXTRIES)); #endif
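Review bot: Nothing at `if (++authctxt->failures >= options.max_authtries)` records which failure trips the limit, and this boundary is easy to regress: the old post-increment `>` form tripped two failures later than the new one. A comment above the test would pin it, e.g. `/* Trips on failure number max_authtries, not after it. */`. The test also has to stay consistent with the `authctxt->failures >= options.max_authtries` early check added in the `+284` hunk, since both now define the same cut-off. The body of the `if` continues outside the hunk.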