authorDamien Miller <djm@mindrot.org>2000-10-14 16:23:11 +1100
committerDamien Miller <djm@mindrot.org>2000-10-14 16:23:11 +1100
commit874d77bb134a21a5cf625956b60173376a993ba8 (patch)
tree93dd73b2ff1fbf0ad5f3978a2c4e0d8438a0bf7c
parent89d9796fbedef4eed6956a2c095c7cc25330c28d (diff)
- (djm) Big OpenBSD sync:
- markus@cvs.openbsd.org 2000/09/30 10:27:44 [log.c] allow loglevel debug - markus@cvs.openbsd.org 2000/10/03 11:59:57 [packet.c] hmac->mac - markus@cvs.openbsd.org 2000/10/03 12:03:03 [auth-krb4.c auth-passwd.c auth-rh-rsa.c auth-rhosts.c auth-rsa.c auth1.c] move fake-auth from auth1.c to individual auth methods, disables s/key in debug-msg - markus@cvs.openbsd.org 2000/10/03 12:16:48 ssh.c do not resolve canonname, i have no idea why this was added oin ossh - markus@cvs.openbsd.org 2000/10/09 15:30:44 ssh-keygen.1 ssh-keygen.c -X now reads private ssh.com DSA keys, too. - markus@cvs.openbsd.org 2000/10/09 15:32:34 auth-options.c clear options on every call. - markus@cvs.openbsd.org 2000/10/09 15:51:00 authfd.c authfd.h interop with ssh-agent2, from <res@shore.net> - markus@cvs.openbsd.org 2000/10/10 14:20:45 compat.c use rexexp for version string matching - provos@cvs.openbsd.org 2000/10/10 22:02:18 [kex.c kex.h myproposal.h ssh.h ssh2.h sshconnect2.c sshd.c dh.c dh.h] First rough implementation of the diffie-hellman group exchange. The client can ask the server for bigger groups to perform the diffie-hellman in, thus increasing the attack complexity when using ciphers with longer keys. University of Windsor provided network, T the company. 
- markus@cvs.openbsd.org 2000/10/11 13:59:52 [auth-rsa.c auth2.c] clear auth options unless auth successful - markus@cvs.openbsd.org 2000/10/11 14:00:27 [auth-options.h] clear auth options unless auth successful - markus@cvs.openbsd.org 2000/10/11 14:03:27 [scp.1 scp.c] support 'scp -o' with help from mouring@pconline.com - markus@cvs.openbsd.org 2000/10/11 14:11:35 [dh.c] Wall - markus@cvs.openbsd.org 2000/10/11 14:14:40 [auth.h auth2.c readconf.c readconf.h readpass.c servconf.c servconf.h] [ssh.h sshconnect2.c sshd_config auth2-skey.c cli.c cli.h] add support for s/key (kbd-interactive) to ssh2, based on work by mkiernan@avantgo.com and me - markus@cvs.openbsd.org 2000/10/11 14:27:24 [auth.c auth1.c auth2.c authfile.c cipher.c cipher.h kex.c kex.h] [myproposal.h packet.c readconf.c session.c ssh.c ssh.h sshconnect1.c] [sshconnect2.c sshd.c] new cipher framework - markus@cvs.openbsd.org 2000/10/11 14:45:21 [cipher.c] remove DES - markus@cvs.openbsd.org 2000/10/12 03:59:20 [cipher.c cipher.h sshconnect1.c sshconnect2.c sshd.c] enable DES in SSH-1 clients only - markus@cvs.openbsd.org 2000/10/12 08:21:13 [kex.h packet.c] remove unused - markus@cvs.openbsd.org 2000/10/13 12:34:46 [sshd.c] Kludge for F-Secure Macintosh < 1.0.2; appro@fy.chalmers.se - markus@cvs.openbsd.org 2000/10/13 12:59:15 [cipher.c cipher.h myproposal.h rijndael.c rijndael.h] rijndael/aes support - markus@cvs.openbsd.org 2000/10/13 13:10:54 [sshd.8] more info about -V - markus@cvs.openbsd.org 2000/10/13 13:12:02 [myproposal.h] prefer no compression
-rw-r--r--ChangeLog75
-rw-r--r--Makefile.in6
-rw-r--r--auth-krb4.c16
-rw-r--r--auth-options.c48
-rw-r--r--auth-options.h3
-rw-r--r--auth-pam.c4
-rw-r--r--auth-passwd.c4
-rw-r--r--auth-rh-rsa.c6
-rw-r--r--auth-rhosts.c5
-rw-r--r--auth-rsa.c13
-rw-r--r--auth.c3
-rw-r--r--auth.h20
-rw-r--r--auth1.c246
-rw-r--r--auth2.c428
-rw-r--r--authfd.c13
-rw-r--r--authfd.h6
-rw-r--r--authfile.c44
-rw-r--r--bsd-vis.c137
-rw-r--r--bsd-vis.h32
-rw-r--r--cipher.c707
-rw-r--r--cipher.h129
-rw-r--r--cli.c195
-rw-r--r--cli.h14
-rw-r--r--compat.c41
-rw-r--r--configure.in4
-rw-r--r--dh.c157
-rw-r--r--dh.h35
-rw-r--r--includes.h4
-rw-r--r--kex.c169
-rw-r--r--kex.h35
-rw-r--r--log.c3
-rw-r--r--myproposal.h10
-rw-r--r--openbsd-compat.h1
-rw-r--r--packet.c72
-rw-r--r--readconf.c20
-rw-r--r--readconf.h4
-rw-r--r--readpass.c82
-rw-r--r--rijndael.c493
-rw-r--r--rijndael.h31
-rw-r--r--scp.19
-rw-r--r--scp.c155
-rw-r--r--servconf.c12
-rw-r--r--servconf.h3
-rw-r--r--session.c3
-rw-r--r--sftp-server.82
-rw-r--r--ssh-keygen.15
-rw-r--r--ssh-keygen.c105
-rw-r--r--ssh.18
-rw-r--r--ssh.c23
-rw-r--r--ssh.h13
-rw-r--r--ssh2.h8
-rw-r--r--sshconnect1.c15
-rw-r--r--sshconnect2.c461
-rw-r--r--sshd.816
-rw-r--r--sshd.c225
-rw-r--r--sshd_config1
56 files changed, 3173 insertions, 1206 deletions
diff --git a/ChangeLog b/ChangeLog
index 86e7cea9..61c08bc3 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -3,6 +3,81 @@
- (djm) Revert SSH2 serverloop hack, will find a better way.
- (djm) Add workaround for Linux 2.4's gratuitious errno change. Patch
from Martin Johansson <fatbob@acc.umu.se>
+ - (djm) Big OpenBSD sync:
+ - markus@cvs.openbsd.org 2000/09/30 10:27:44
+ [log.c]
+ allow loglevel debug
+ - markus@cvs.openbsd.org 2000/10/03 11:59:57
+ [packet.c]
+ hmac->mac
+ - markus@cvs.openbsd.org 2000/10/03 12:03:03
+ [auth-krb4.c auth-passwd.c auth-rh-rsa.c auth-rhosts.c auth-rsa.c auth1.c]
+ move fake-auth from auth1.c to individual auth methods, disables s/key in
+ debug-msg
+ - markus@cvs.openbsd.org 2000/10/03 12:16:48
+ ssh.c
+ do not resolve canonname, i have no idea why this was added oin ossh
+ - markus@cvs.openbsd.org 2000/10/09 15:30:44
+ ssh-keygen.1 ssh-keygen.c
+ -X now reads private ssh.com DSA keys, too.
+ - markus@cvs.openbsd.org 2000/10/09 15:32:34
+ auth-options.c
+ clear options on every call.
+ - markus@cvs.openbsd.org 2000/10/09 15:51:00
+ authfd.c authfd.h
+ interop with ssh-agent2, from <res@shore.net>
+ - markus@cvs.openbsd.org 2000/10/10 14:20:45
+ compat.c
+ use rexexp for version string matching
+ - provos@cvs.openbsd.org 2000/10/10 22:02:18
+ [kex.c kex.h myproposal.h ssh.h ssh2.h sshconnect2.c sshd.c dh.c dh.h]
+ First rough implementation of the diffie-hellman group exchange. The
+ client can ask the server for bigger groups to perform the diffie-hellman
+ in, thus increasing the attack complexity when using ciphers with longer
+ keys. University of Windsor provided network, T the company.
+ - markus@cvs.openbsd.org 2000/10/11 13:59:52
+ [auth-rsa.c auth2.c]
+ clear auth options unless auth sucessfull
+ - markus@cvs.openbsd.org 2000/10/11 14:00:27
+ [auth-options.h]
+ clear auth options unless auth sucessfull
+ - markus@cvs.openbsd.org 2000/10/11 14:03:27
+ [scp.1 scp.c]
+ support 'scp -o' with help from mouring@pconline.com
+ - markus@cvs.openbsd.org 2000/10/11 14:11:35
+ [dh.c]
+ Wall
+ - markus@cvs.openbsd.org 2000/10/11 14:14:40
+ [auth.h auth2.c readconf.c readconf.h readpass.c servconf.c servconf.h]
+ [ssh.h sshconnect2.c sshd_config auth2-skey.c cli.c cli.h]
+ add support for s/key (kbd-interactive) to ssh2, based on work by
+ mkiernan@avantgo.com and me
+ - markus@cvs.openbsd.org 2000/10/11 14:27:24
+ [auth.c auth1.c auth2.c authfile.c cipher.c cipher.h kex.c kex.h]
+ [myproposal.h packet.c readconf.c session.c ssh.c ssh.h sshconnect1.c]
+ [sshconnect2.c sshd.c]
+ new cipher framework
+ - markus@cvs.openbsd.org 2000/10/11 14:45:21
+ [cipher.c]
+ remove DES
+ - markus@cvs.openbsd.org 2000/10/12 03:59:20
+ [cipher.c cipher.h sshconnect1.c sshconnect2.c sshd.c]
+ enable DES in SSH-1 clients only
+ - markus@cvs.openbsd.org 2000/10/12 08:21:13
+ [kex.h packet.c]
+ remove unused
+ - markus@cvs.openbsd.org 2000/10/13 12:34:46
+ [sshd.c]
+ Kludge for F-Secure Macintosh < 1.0.2; appro@fy.chalmers.se
+ - markus@cvs.openbsd.org 2000/10/13 12:59:15
+ [cipher.c cipher.h myproposal.h rijndael.c rijndael.h]
+ rijndael/aes support
+ - markus@cvs.openbsd.org 2000/10/13 13:10:54
+ [sshd.8]
+ more info about -V
+ - markus@cvs.openbsd.org 2000/10/13 13:12:02
+ [myproposal.h]
+ prefer no compression
20001007
- (stevesk) Print PAM return value in PAM log messages to aid
diff --git a/Makefile.in b/Makefile.in
index 2d47f637..af0886cd 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -35,13 +35,13 @@ INSTALL_SSH_PRNG_CMDS=@INSTALL_SSH_PRNG_CMDS@
TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) $(EXTRA_TARGETS)
-LIBSSH_OBJS=atomicio.o authfd.o authfile.o bufaux.o buffer.o canohost.o channels.o cipher.o compat.o compress.o crc32.o cygwin_util.o deattack.o dispatch.o dsa.o hmac.o hostfile.o key.o kex.o log.o match.o mpaux.o nchan.o packet.o radix.o entropy.o readpass.o rsa.o tildexpand.o ttymodes.o uidswap.o util.o uuencode.o xmalloc.o
+LIBSSH_OBJS=atomicio.o authfd.o authfile.o bufaux.o buffer.o canohost.o channels.o cipher.o cli.o compat.o compress.o crc32.o cygwin_util.o deattack.o dispatch.o dsa.o hmac.o hostfile.o key.o kex.o log.o match.o mpaux.o nchan.o packet.o radix.o rijndael.o entropy.o readpass.o rsa.o tildexpand.o ttymodes.o uidswap.o util.o uuencode.o xmalloc.o
-LIBOPENBSD_COMPAT_OBJS=bsd-arc4random.o bsd-base64.o bsd-bindresvport.o bsd-daemon.o bsd-inet_aton.o bsd-inet_ntoa.o bsd-misc.o bsd-mktemp.o bsd-rresvport.o bsd-setenv.o bsd-sigaction.o bsd-snprintf.o bsd-strlcat.o bsd-strlcpy.o bsd-strsep.o bsd-strtok.o fake-getaddrinfo.o fake-getnameinfo.o next-posix.o
+LIBOPENBSD_COMPAT_OBJS=bsd-arc4random.o bsd-base64.o bsd-bindresvport.o bsd-daemon.o bsd-inet_aton.o bsd-inet_ntoa.o bsd-misc.o bsd-mktemp.o bsd-rresvport.o bsd-setenv.o bsd-sigaction.o bsd-snprintf.o bsd-strlcat.o bsd-strlcpy.o bsd-strsep.o bsd-strtok.o bsd-vis.o fake-getaddrinfo.o fake-getnameinfo.o next-posix.o
SSHOBJS= ssh.o sshconnect.o sshconnect1.o sshconnect2.o log-client.o readconf.o clientloop.o
-SSHDOBJS= sshd.o auth.o auth1.o auth2.o auth-rhosts.o auth-options.o auth-krb4.o auth-pam.o auth-passwd.o auth-rsa.o auth-rh-rsa.o pty.o log-server.o login.o loginrec.o servconf.o serverloop.o md5crypt.o session.o
+SSHDOBJS= sshd.o auth.o auth1.o auth2.o auth-rhosts.o auth-options.o auth-krb4.o auth-pam.o auth-passwd.o auth-rsa.o auth-rh-rsa.o dh.o pty.o log-server.o login.o loginrec.o servconf.o serverloop.o md5crypt.o session.o
TROFFMAN = scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh.1 sshd.8 sftp-server.8
CATMAN = scp.0 ssh-add.0 ssh-agent.0 ssh-keygen.0 ssh.0 sshd.0 sftp-server.0
diff --git a/auth-krb4.c b/auth-krb4.c
index 799cf261..21a9625e 100644
--- a/auth-krb4.c
+++ b/auth-krb4.c
@@ -28,7 +28,7 @@
#include "ssh.h"
#include "servconf.h"
-RCSID("$OpenBSD: auth-krb4.c,v 1.18 2000/09/07 20:27:49 deraadt Exp $");
+RCSID("$OpenBSD: auth-krb4.c,v 1.19 2000/10/03 18:03:02 markus Exp $");
#ifdef KRB4
char *ticket = NULL;
@@ -280,6 +280,8 @@ auth_kerberos_tgt(struct passwd *pw, const char *string)
{
CREDENTIALS creds;
+ if (pw == NULL)
+ goto auth_kerberos_tgt_failure;
if (!radix_to_creds(string, &creds)) {
log("Protocol error decoding Kerberos V4 tgt");
packet_send_debug("Protocol error decoding Kerberos V4 tgt");
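Review bot: The added `goto auth_kerberos_tgt_failure` jumps past `radix_to_creds()` while `creds` is still uninitialized; the label and the code after it lie outside this hunk, so if that path reads any `creds` field the read is undefined. Either confirm the failure path never touches `creds`, or clear it first with `memset(&creds, 0, sizeof creds);` ahead of the `pw == NULL` check. auth_kerberos_tgt's body continues outside the hunk.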
@@ -334,8 +336,16 @@ int
auth_afs_token(struct passwd *pw, const char *token_string)
{
CREDENTIALS creds;
- uid_t uid = pw->pw_uid;
+ uid_t uid;
+ if (pw == NULL) {
+ /* XXX fake protocol error */
+ packet_send_debug("Protocol error decoding AFS token");
+ packet_start(SSH_SMSG_FAILURE);
+ packet_send();
+ packet_write_wait();
+ return 0;
+ }
if (!radix_to_creds(token_string, &creds)) {
log("Protocol error decoding AFS token");
packet_send_debug("Protocol error decoding AFS token");
@@ -349,6 +359,8 @@ auth_afs_token(struct passwd *pw, const char *token_string)
if (strncmp(creds.pname, "AFS ID ", 7) == 0)
uid = atoi(creds.pname + 7);
+ else
+ uid = pw->pw_uid;
if (kafs_settoken(creds.realm, uid, &creds)) {
log("AFS token (%s@%s) rejected for %s", creds.pname, creds.realm,
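Review bot: With the new `else`, `uid` now comes either from the local passwd entry or from `atoi(creds.pname + 7)`, and the latter is decoded from client-supplied token data with no check that any digits were parsed or that the value fits a `uid_t`; a pname that is exactly `AFS ID ` yields uid 0. Parse it with `strtol` plus an end-pointer and range check, and treat a malformed value as a protocol error the same way the `radix_to_creds` failure above is handled. The function continues outside the hunk, so what `kafs_settoken` does with a wrong uid cannot be judged here.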
diff --git a/auth-options.c b/auth-options.c
index da696526..c9c149d6 100644
--- a/auth-options.c
+++ b/auth-options.c
@@ -14,7 +14,7 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: auth-options.c,v 1.4 2000/09/07 21:13:36 markus Exp $");
+RCSID("$OpenBSD: auth-options.c,v 1.5 2000/10/09 21:32:34 markus Exp $");
#include "ssh.h"
#include "packet.h"
@@ -33,6 +33,25 @@ char *forced_command = NULL;
/* "environment=" options. */
struct envstring *custom_environment = NULL;
+void
+auth_clear_options(void)
+{
+ no_agent_forwarding_flag = 0;
+ no_port_forwarding_flag = 0;
+ no_pty_flag = 0;
+ no_x11_forwarding_flag = 0;
+ while (custom_environment) {
+ struct envstring *ce = custom_environment;
+ custom_environment = ce->next;
+ xfree(ce->s);
+ xfree(ce);
+ }
+ if (forced_command) {
+ xfree(forced_command);
+ forced_command = NULL;
+ }
+}
+
/* return 1 if access is granted, 0 if not. side effect: sets key option flags */
int
auth_parse_options(struct passwd *pw, char *options, unsigned long linenum)
@@ -40,6 +59,10 @@ auth_parse_options(struct passwd *pw, char *options, unsigned long linenum)
const char *cp;
if (!options)
return 1;
+
+ /* reset options */
+ auth_clear_options();
+
while (*options && *options != ' ' && *options != '\t') {
cp = "no-port-forwarding";
if (strncmp(options, cp, strlen(cp)) == 0) {
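Review bot: The reset added here runs after the `if (!options) return 1;` guard, so a key line with no options leaves the flags and `forced_command` from an earlier `auth_parse_options()` call in place, and the hunk at `@@ -175,21` that drops the on-denial reset means a key rejected by `from=` no longer clears them either. A later key line without options that matches the same client key is then accepted with the previous line's settings still in effect, which is not the "clear options on every call" the commit describes. Put the reset ahead of the guard: `auth_clear_options();` followed by `if (!options)` / `return 1;`. auth_parse_options's body continues outside the hunk.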
@@ -87,9 +110,9 @@ auth_parse_options(struct passwd *pw, char *options, unsigned long linenum)
}
if (!*options) {
debug("%.100s, line %lu: missing end quote",
- SSH_USER_PERMITTED_KEYS, linenum);
+ SSH_USER_PERMITTED_KEYS, linenum);
packet_send_debug("%.100s, line %lu: missing end quote",
- SSH_USER_PERMITTED_KEYS, linenum);
+ SSH_USER_PERMITTED_KEYS, linenum);
continue;
}
forced_command[i] = 0;
@@ -117,9 +140,9 @@ auth_parse_options(struct passwd *pw, char *options, unsigned long linenum)
}
if (!*options) {
debug("%.100s, line %lu: missing end quote",
- SSH_USER_PERMITTED_KEYS, linenum);
+ SSH_USER_PERMITTED_KEYS, linenum);
packet_send_debug("%.100s, line %lu: missing end quote",
- SSH_USER_PERMITTED_KEYS, linenum);
+ SSH_USER_PERMITTED_KEYS, linenum);
continue;
}
s[i] = 0;
@@ -175,21 +198,6 @@ auth_parse_options(struct passwd *pw, char *options, unsigned long linenum)
get_remote_ipaddr());
packet_send_debug("Your host '%.200s' is not permitted to use this key for login.",
get_canonical_hostname());
- /* key invalid for this host, reset flags */
- no_agent_forwarding_flag = 0;
- no_port_forwarding_flag = 0;
- no_pty_flag = 0;
- no_x11_forwarding_flag = 0;
- while (custom_environment) {
- struct envstring *ce = custom_environment;
- custom_environment = ce->next;
- xfree(ce->s);
- xfree(ce);
- }
- if (forced_command) {
- xfree(forced_command);
- forced_command = NULL;
- }
/* deny access */
return 0;
}
diff --git a/auth-options.h b/auth-options.h
index 9044d98b..02ac5df1 100644
--- a/auth-options.h
+++ b/auth-options.h
@@ -22,4 +22,7 @@ extern struct envstring *custom_environment;
/* return 1 if access is granted, 0 if not. side effect: sets key option flags */
int auth_parse_options(struct passwd *pw, char *options, unsigned long linenum);
+/* reset options flags */
+void auth_clear_options(void);
+
#endif
diff --git a/auth-pam.c b/auth-pam.c
index f4cbd46e..ab20782f 100644
--- a/auth-pam.c
+++ b/auth-pam.c
@@ -29,7 +29,7 @@
#include "xmalloc.h"
#include "servconf.h"
-RCSID("$Id: auth-pam.c,v 1.15 2000/10/14 00:16:12 djm Exp $");
+RCSID("$Id: auth-pam.c,v 1.16 2000/10/14 05:23:11 djm Exp $");
#define NEW_AUTHTOK_MSG \
"Warning: Your password has expired, please change it now"
@@ -257,7 +257,7 @@ void do_pam_setcred()
pam_retval = pam_setcred(pamh, PAM_ESTABLISH_CRED);
if (pam_retval != PAM_SUCCESS) {
fatal("PAM setcred failed[%d]: %.200s",
- pam_setcred, PAM_STRERROR(pamh, pam_retval));
+ pam_retval, PAM_STRERROR(pamh, pam_retval));
}
}
diff --git a/auth-passwd.c b/auth-passwd.c
index 8dd6034d..184ce154 100644
--- a/auth-passwd.c
+++ b/auth-passwd.c
@@ -59,7 +59,7 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: auth-passwd.c,v 1.17 2000/09/07 20:27:49 deraadt Exp $");
+RCSID("$OpenBSD: auth-passwd.c,v 1.18 2000/10/03 18:03:03 markus Exp $");
#if !defined(USE_PAM) && !defined(HAVE_OSF_SIA)
@@ -156,7 +156,7 @@ auth_password(struct passwd * pw, const char *password)
}
#endif
-#ifdef SKEY
+#ifdef SKEY_VIA_PASSWD_IS_DISABLED
if (options.skey_authentication == 1) {
int ret = auth_skey_password(pw, password);
if (ret == 1 || ret == 0)
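Review bot: Renaming the guard to `SKEY_VIA_PASSWD_IS_DISABLED` switches the block off by relying on a macro nothing defines, leaving dead code that reads like a configurable feature. If s/key through the password path is meant to stay off, delete the block or write `#if 0 /* s/key via the password path is disabled */` so the intent is visible without searching configure.in. auth_password's body continues outside the hunk.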
diff --git a/auth-rh-rsa.c b/auth-rh-rsa.c
index 072e385a..3070c9d4 100644
--- a/auth-rh-rsa.c
+++ b/auth-rh-rsa.c
@@ -13,7 +13,7 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: auth-rh-rsa.c,v 1.16 2000/09/07 21:13:36 markus Exp $");
+RCSID("$OpenBSD: auth-rh-rsa.c,v 1.17 2000/10/03 18:03:03 markus Exp $");
#include "packet.h"
#include "ssh.h"
@@ -39,9 +39,9 @@ auth_rhosts_rsa(struct passwd *pw, const char *client_user, RSA *client_host_key
HostStatus host_status;
Key *client_key, *found;
- debug("Trying rhosts with RSA host authentication for %.100s", client_user);
+ debug("Trying rhosts with RSA host authentication for client user %.100s", client_user);
- if (client_host_key == NULL)
+ if (pw == NULL || client_host_key == NULL)
return 0;
/* Check if we would accept it using rhosts authentication. */
diff --git a/auth-rhosts.c b/auth-rhosts.c
index 901c8d13..8314e23a 100644
--- a/auth-rhosts.c
+++ b/auth-rhosts.c
@@ -14,7 +14,7 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: auth-rhosts.c,v 1.15 2000/09/07 20:27:49 deraadt Exp $");
+RCSID("$OpenBSD: auth-rhosts.c,v 1.16 2000/10/03 18:03:03 markus Exp $");
#include "packet.h"
#include "ssh.h"
@@ -154,6 +154,9 @@ auth_rhosts(struct passwd *pw, const char *client_user)
static const char *rhosts_files[] = {".shosts", ".rhosts", NULL};
unsigned int rhosts_file_index;
+ /* no user given */
+ if (pw == NULL)
+ return 0;
/* Switch to the user's uid. */
temporarily_use_uid(pw->pw_uid);
/*
diff --git a/auth-rsa.c b/auth-rsa.c
index 8aefc8fa..522f01f8 100644
--- a/auth-rsa.c
+++ b/auth-rsa.c
@@ -14,7 +14,7 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: auth-rsa.c,v 1.29 2000/09/07 21:13:36 markus Exp $");
+RCSID("$OpenBSD: auth-rsa.c,v 1.31 2000/10/11 19:59:52 markus Exp $");
#include "rsa.h"
#include "packet.h"
@@ -29,6 +29,10 @@ RCSID("$OpenBSD: auth-rsa.c,v 1.29 2000/09/07 21:13:36 markus Exp $");
#include <openssl/rsa.h>
#include <openssl/md5.h>
+
+/* import */
+extern ServerOptions options;
+
/*
* Session identifier that is used to bind key exchange and authentication
* responses to a particular session.
@@ -116,7 +120,6 @@ auth_rsa_challenge_dialog(RSA *pk)
int
auth_rsa(struct passwd *pw, BIGNUM *client_n)
{
- extern ServerOptions options;
char line[8192], file[1024];
int authenticated;
unsigned int bits;
@@ -125,6 +128,10 @@ auth_rsa(struct passwd *pw, BIGNUM *client_n)
struct stat st;
RSA *pk;
+ /* no user given */
+ if (pw == NULL)
+ return 0;
+
/* Temporarily use the user's uid. */
temporarily_use_uid(pw->pw_uid);
@@ -277,6 +284,8 @@ auth_rsa(struct passwd *pw, BIGNUM *client_n)
if (authenticated)
packet_send_debug("RSA authentication accepted.");
+ else
+ auth_clear_options();
/* Return authentication result. */
return authenticated;
diff --git a/auth.c b/auth.c
index 883f08ab..bc42c96c 100644
--- a/auth.c
+++ b/auth.c
@@ -33,7 +33,7 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: auth.c,v 1.10 2000/09/07 21:13:36 markus Exp $");
+RCSID("$OpenBSD: auth.c,v 1.11 2000/10/11 20:27:23 markus Exp $");
#include "xmalloc.h"
#include "rsa.h"
@@ -41,7 +41,6 @@ RCSID("$OpenBSD: auth.c,v 1.10 2000/09/07 21:13:36 markus Exp $");
#include "pty.h"
#include "packet.h"
#include "buffer.h"
-#include "cipher.h"
#include "mpaux.h"
#include "servconf.h"
#include "compat.h"
diff --git a/auth.h b/auth.h
index 65bf7ae1..c4a8ac54 100644
--- a/auth.h
+++ b/auth.h
@@ -24,17 +24,29 @@
#ifndef AUTH_H
#define AUTH_H
+typedef struct Authctxt Authctxt;
+struct Authctxt {
+ int success;
+ int valid;
+ int attempt;
+ char *user;
+ char *service;
+ struct passwd *pw;
+};
+
void do_authentication(void);
void do_authentication2(void);
-struct passwd *
-auth_get_user(void);
+void userauth_log(Authctxt *authctxt, int authenticated, char *method);
+void userauth_reply(Authctxt *authctxt, int authenticated);
+
+int auth2_skey(Authctxt *authctxt);
-int allowed_user(struct passwd * pw);
+int allowed_user(struct passwd * pw);
+struct passwd * auth_get_user(void);
#define AUTH_FAIL_MAX 6
#define AUTH_FAIL_LOG (AUTH_FAIL_MAX/2)
#define AUTH_FAIL_MSG "Too many authentication failures for %.100s"
#endif
-
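Review bot: The new exported `Authctxt` struct carries no comment on any field, and `valid`, `success` and `attempt` each admit more than one reading, as does the ownership of the `user` and `service` strings. A one-line comment per field would help, for instance `int valid; /* NOTE(review): presumably set once user resolved to pw and may log in -- confirm in auth2.c */`, plus a line stating who allocates and frees `user` and `service`. The `allowed_user` prototype is removed and re-added unchanged, which looks like a whitespace-only edit.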
diff --git a/auth1.c b/auth1.c
index 99639b59..520da640 100644
--- a/auth1.c
+++ b/auth1.c
@@ -10,28 +10,31 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: auth1.c,v 1.4 2000/09/07 20:27:49 deraadt Exp $");
+RCSID("$OpenBSD: auth1.c,v 1.6 2000/10/11 20:27:23 markus Exp $");
+
+#ifdef HAVE_OSF_SIA
+# include <sia.h>
+# include <siad.h>
+#endif
#include "xmalloc.h"
#include "rsa.h"
#include "ssh.h"
#include "packet.h"
#include "buffer.h"
-#include "cipher.h"
#include "mpaux.h"
#include "servconf.h"
#include "compat.h"
#include "auth.h"
#include "session.h"
-#ifdef HAVE_OSF_SIA
-# include <sia.h>
-# include <siad.h>
-#endif
-
/* import */
extern ServerOptions options;
extern char *forced_command;
+
+#ifdef WITH_AIXAUTHENTICATE
+extern char *aixloginmsg;
+#endif /* WITH_AIXAUTHENTICATE */
#ifdef HAVE_OSF_SIA
extern int saved_argc;
extern char **saved_argv;
@@ -67,89 +70,21 @@ get_authname(int type)
}
/*
- * The user does not exist or access is denied,
- * but fake indication that authentication is needed.
+ * read packets and try to authenticate local user 'luser'.
+ * return if authentication is successfull. not that pw == NULL
+ * if the user does not exists or is not allowed to login.
+ * each auth method has to 'fake' authentication for nonexisting
+ * users.
*/
void
-do_fake_authloop1(char *user)
-{
- int attempt = 0;
-
- log("Faking authloop for illegal user %.200s from %.200s port %d",
- user,
- get_remote_ipaddr(),
- get_remote_port());
-
-#ifdef WITH_AIXAUTHENTICATE
- loginfailed(user,get_canonical_hostname(),"ssh");
-#endif /* WITH_AIXAUTHENTICATE */
-
- /* Indicate that authentication is needed. */
- packet_start(SSH_SMSG_FAILURE);
- packet_send();
- packet_write_wait();
-
- /*
- * Keep reading packets, and always respond with a failure. This is
- * to avoid disclosing whether such a user really exists