diff options
author | Damien Miller <djm@mindrot.org> | 2000-10-14 16:23:11 +1100 |
---|---|---|
committer | Damien Miller <djm@mindrot.org> | 2000-10-14 16:23:11 +1100 |
commit | 874d77bb134a21a5cf625956b60173376a993ba8 (patch) | |
tree | 93dd73b2ff1fbf0ad5f3978a2c4e0d8438a0bf7c | |
parent | 89d9796fbedef4eed6956a2c095c7cc25330c28d (diff) |
- (djm) Big OpenBSD sync:
- markus@cvs.openbsd.org 2000/09/30 10:27:44
[log.c]
allow loglevel debug
- markus@cvs.openbsd.org 2000/10/03 11:59:57
[packet.c]
hmac->mac
- markus@cvs.openbsd.org 2000/10/03 12:03:03
[auth-krb4.c auth-passwd.c auth-rh-rsa.c auth-rhosts.c auth-rsa.c auth1.c]
move fake-auth from auth1.c to individual auth methods, disables s/key in
debug-msg
- markus@cvs.openbsd.org 2000/10/03 12:16:48
ssh.c
do not resolve canonname, i have no idea why this was added oin ossh
- markus@cvs.openbsd.org 2000/10/09 15:30:44
ssh-keygen.1 ssh-keygen.c
-X now reads private ssh.com DSA keys, too.
- markus@cvs.openbsd.org 2000/10/09 15:32:34
auth-options.c
clear options on every call.
- markus@cvs.openbsd.org 2000/10/09 15:51:00
authfd.c authfd.h
interop with ssh-agent2, from <res@shore.net>
- markus@cvs.openbsd.org 2000/10/10 14:20:45
compat.c
use rexexp for version string matching
- provos@cvs.openbsd.org 2000/10/10 22:02:18
[kex.c kex.h myproposal.h ssh.h ssh2.h sshconnect2.c sshd.c dh.c dh.h]
First rough implementation of the diffie-hellman group exchange. The
client can ask the server for bigger groups to perform the diffie-hellman
in, thus increasing the attack complexity when using ciphers with longer
keys. University of Windsor provided network, T the company.
- markus@cvs.openbsd.org 2000/10/11 13:59:52
[auth-rsa.c auth2.c]
clear auth options unless auth sucessfull
- markus@cvs.openbsd.org 2000/10/11 14:00:27
[auth-options.h]
clear auth options unless auth sucessfull
- markus@cvs.openbsd.org 2000/10/11 14:03:27
[scp.1 scp.c]
support 'scp -o' with help from mouring@pconline.com
- markus@cvs.openbsd.org 2000/10/11 14:11:35
[dh.c]
Wall
- markus@cvs.openbsd.org 2000/10/11 14:14:40
[auth.h auth2.c readconf.c readconf.h readpass.c servconf.c servconf.h]
[ssh.h sshconnect2.c sshd_config auth2-skey.c cli.c cli.h]
add support for s/key (kbd-interactive) to ssh2, based on work by
mkiernan@avantgo.com and me
- markus@cvs.openbsd.org 2000/10/11 14:27:24
[auth.c auth1.c auth2.c authfile.c cipher.c cipher.h kex.c kex.h]
[myproposal.h packet.c readconf.c session.c ssh.c ssh.h sshconnect1.c]
[sshconnect2.c sshd.c]
new cipher framework
- markus@cvs.openbsd.org 2000/10/11 14:45:21
[cipher.c]
remove DES
- markus@cvs.openbsd.org 2000/10/12 03:59:20
[cipher.c cipher.h sshconnect1.c sshconnect2.c sshd.c]
enable DES in SSH-1 clients only
- markus@cvs.openbsd.org 2000/10/12 08:21:13
[kex.h packet.c]
remove unused
- markus@cvs.openbsd.org 2000/10/13 12:34:46
[sshd.c]
Kludge for F-Secure Macintosh < 1.0.2; appro@fy.chalmers.se
- markus@cvs.openbsd.org 2000/10/13 12:59:15
[cipher.c cipher.h myproposal.h rijndael.c rijndael.h]
rijndael/aes support
- markus@cvs.openbsd.org 2000/10/13 13:10:54
[sshd.8]
more info about -V
- markus@cvs.openbsd.org 2000/10/13 13:12:02
[myproposal.h]
prefer no compression
-rw-r--r-- | ChangeLog | 75 | ||||
-rw-r--r-- | Makefile.in | 6 | ||||
-rw-r--r-- | auth-krb4.c | 16 | ||||
-rw-r--r-- | auth-options.c | 48 | ||||
-rw-r--r-- | auth-options.h | 3 | ||||
-rw-r--r-- | auth-pam.c | 4 | ||||
-rw-r--r-- | auth-passwd.c | 4 | ||||
-rw-r--r-- | auth-rh-rsa.c | 6 | ||||
-rw-r--r-- | auth-rhosts.c | 5 | ||||
-rw-r--r-- | auth-rsa.c | 13 | ||||
-rw-r--r-- | auth.c | 3 | ||||
-rw-r--r-- | auth.h | 20 | ||||
-rw-r--r-- | auth1.c | 246 | ||||
-rw-r--r-- | auth2.c | 428 | ||||
-rw-r--r-- | authfd.c | 13 | ||||
-rw-r--r-- | authfd.h | 6 | ||||
-rw-r--r-- | authfile.c | 44 | ||||
-rw-r--r-- | bsd-vis.c | 137 | ||||
-rw-r--r-- | bsd-vis.h | 32 | ||||
-rw-r--r-- | cipher.c | 707 | ||||
-rw-r--r-- | cipher.h | 129 | ||||
-rw-r--r-- | cli.c | 195 | ||||
-rw-r--r-- | cli.h | 14 | ||||
-rw-r--r-- | compat.c | 41 | ||||
-rw-r--r-- | configure.in | 4 | ||||
-rw-r--r-- | dh.c | 157 | ||||
-rw-r--r-- | dh.h | 35 | ||||
-rw-r--r-- | includes.h | 4 | ||||
-rw-r--r-- | kex.c | 169 | ||||
-rw-r--r-- | kex.h | 35 | ||||
-rw-r--r-- | log.c | 3 | ||||
-rw-r--r-- | myproposal.h | 10 | ||||
-rw-r--r-- | openbsd-compat.h | 1 | ||||
-rw-r--r-- | packet.c | 72 | ||||
-rw-r--r-- | readconf.c | 20 | ||||
-rw-r--r-- | readconf.h | 4 | ||||
-rw-r--r-- | readpass.c | 82 | ||||
-rw-r--r-- | rijndael.c | 493 | ||||
-rw-r--r-- | rijndael.h | 31 | ||||
-rw-r--r-- | scp.1 | 9 | ||||
-rw-r--r-- | scp.c | 155 | ||||
-rw-r--r-- | servconf.c | 12 | ||||
-rw-r--r-- | servconf.h | 3 | ||||
-rw-r--r-- | session.c | 3 | ||||
-rw-r--r-- | sftp-server.8 | 2 | ||||
-rw-r--r-- | ssh-keygen.1 | 5 | ||||
-rw-r--r-- | ssh-keygen.c | 105 | ||||
-rw-r--r-- | ssh.1 | 8 | ||||
-rw-r--r-- | ssh.c | 23 | ||||
-rw-r--r-- | ssh.h | 13 | ||||
-rw-r--r-- | ssh2.h | 8 | ||||
-rw-r--r-- | sshconnect1.c | 15 | ||||
-rw-r--r-- | sshconnect2.c | 461 | ||||
-rw-r--r-- | sshd.8 | 16 | ||||
-rw-r--r-- | sshd.c | 225 | ||||
-rw-r--r-- | sshd_config | 1 |
56 files changed, 3173 insertions, 1206 deletions
@@ -3,6 +3,81 @@ - (djm) Revert SSH2 serverloop hack, will find a better way. - (djm) Add workaround for Linux 2.4's gratuitious errno change. Patch from Martin Johansson <fatbob@acc.umu.se> + - (djm) Big OpenBSD sync: + - markus@cvs.openbsd.org 2000/09/30 10:27:44 + [log.c] + allow loglevel debug + - markus@cvs.openbsd.org 2000/10/03 11:59:57 + [packet.c] + hmac->mac + - markus@cvs.openbsd.org 2000/10/03 12:03:03 + [auth-krb4.c auth-passwd.c auth-rh-rsa.c auth-rhosts.c auth-rsa.c auth1.c] + move fake-auth from auth1.c to individual auth methods, disables s/key in + debug-msg + - markus@cvs.openbsd.org 2000/10/03 12:16:48 + ssh.c + do not resolve canonname, i have no idea why this was added oin ossh + - markus@cvs.openbsd.org 2000/10/09 15:30:44 + ssh-keygen.1 ssh-keygen.c + -X now reads private ssh.com DSA keys, too. + - markus@cvs.openbsd.org 2000/10/09 15:32:34 + auth-options.c + clear options on every call. + - markus@cvs.openbsd.org 2000/10/09 15:51:00 + authfd.c authfd.h + interop with ssh-agent2, from <res@shore.net> + - markus@cvs.openbsd.org 2000/10/10 14:20:45 + compat.c + use rexexp for version string matching + - provos@cvs.openbsd.org 2000/10/10 22:02:18 + [kex.c kex.h myproposal.h ssh.h ssh2.h sshconnect2.c sshd.c dh.c dh.h] + First rough implementation of the diffie-hellman group exchange. The + client can ask the server for bigger groups to perform the diffie-hellman + in, thus increasing the attack complexity when using ciphers with longer + keys. University of Windsor provided network, T the company. + - markus@cvs.openbsd.org 2000/10/11 13:59:52 + [auth-rsa.c auth2.c] + clear auth options unless auth sucessfull + - markus@cvs.openbsd.org 2000/10/11 14:00:27 + [auth-options.h] + clear auth options unless auth sucessfull + - markus@cvs.openbsd.org 2000/10/11 14:03:27 + [scp.1 scp.c] + support 'scp -o' with help from mouring@pconline.com + - markus@cvs.openbsd.org 2000/10/11 14:11:35 + [dh.c] + Wall + - markus@cvs.openbsd.org 2000/10/11 14:14:40 + [auth.h auth2.c readconf.c readconf.h readpass.c servconf.c servconf.h] + [ssh.h sshconnect2.c sshd_config auth2-skey.c cli.c cli.h] + add support for s/key (kbd-interactive) to ssh2, based on work by + mkiernan@avantgo.com and me + - markus@cvs.openbsd.org 2000/10/11 14:27:24 + [auth.c auth1.c auth2.c authfile.c cipher.c cipher.h kex.c kex.h] + [myproposal.h packet.c readconf.c session.c ssh.c ssh.h sshconnect1.c] + [sshconnect2.c sshd.c] + new cipher framework + - markus@cvs.openbsd.org 2000/10/11 14:45:21 + [cipher.c] + remove DES + - markus@cvs.openbsd.org 2000/10/12 03:59:20 + [cipher.c cipher.h sshconnect1.c sshconnect2.c sshd.c] + enable DES in SSH-1 clients only + - markus@cvs.openbsd.org 2000/10/12 08:21:13 + [kex.h packet.c] + remove unused + - markus@cvs.openbsd.org 2000/10/13 12:34:46 + [sshd.c] + Kludge for F-Secure Macintosh < 1.0.2; appro@fy.chalmers.se + - markus@cvs.openbsd.org 2000/10/13 12:59:15 + [cipher.c cipher.h myproposal.h rijndael.c rijndael.h] + rijndael/aes support + - markus@cvs.openbsd.org 2000/10/13 13:10:54 + [sshd.8] + more info about -V + - markus@cvs.openbsd.org 2000/10/13 13:12:02 + [myproposal.h] + prefer no compression 20001007 - (stevesk) Print PAM return value in PAM log messages to aid diff --git a/Makefile.in b/Makefile.in index 2d47f637..af0886cd 100644 --- a/Makefile.in +++ b/Makefile.in @@ -35,13 +35,13 @@ INSTALL_SSH_PRNG_CMDS=@INSTALL_SSH_PRNG_CMDS@ TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) $(EXTRA_TARGETS) -LIBSSH_OBJS=atomicio.o authfd.o authfile.o bufaux.o buffer.o canohost.o channels.o cipher.o compat.o compress.o crc32.o cygwin_util.o deattack.o dispatch.o dsa.o hmac.o hostfile.o key.o kex.o log.o match.o mpaux.o nchan.o packet.o radix.o entropy.o readpass.o rsa.o tildexpand.o ttymodes.o uidswap.o util.o uuencode.o xmalloc.o +LIBSSH_OBJS=atomicio.o authfd.o authfile.o bufaux.o buffer.o canohost.o channels.o cipher.o cli.o compat.o compress.o crc32.o cygwin_util.o deattack.o dispatch.o dsa.o hmac.o hostfile.o key.o kex.o log.o match.o mpaux.o nchan.o packet.o radix.o rijndael.o entropy.o readpass.o rsa.o tildexpand.o ttymodes.o uidswap.o util.o uuencode.o xmalloc.o -LIBOPENBSD_COMPAT_OBJS=bsd-arc4random.o bsd-base64.o bsd-bindresvport.o bsd-daemon.o bsd-inet_aton.o bsd-inet_ntoa.o bsd-misc.o bsd-mktemp.o bsd-rresvport.o bsd-setenv.o bsd-sigaction.o bsd-snprintf.o bsd-strlcat.o bsd-strlcpy.o bsd-strsep.o bsd-strtok.o fake-getaddrinfo.o fake-getnameinfo.o next-posix.o +LIBOPENBSD_COMPAT_OBJS=bsd-arc4random.o bsd-base64.o bsd-bindresvport.o bsd-daemon.o bsd-inet_aton.o bsd-inet_ntoa.o bsd-misc.o bsd-mktemp.o bsd-rresvport.o bsd-setenv.o bsd-sigaction.o bsd-snprintf.o bsd-strlcat.o bsd-strlcpy.o bsd-strsep.o bsd-strtok.o bsd-vis.o fake-getaddrinfo.o fake-getnameinfo.o next-posix.o SSHOBJS= ssh.o sshconnect.o sshconnect1.o sshconnect2.o log-client.o readconf.o clientloop.o -SSHDOBJS= sshd.o auth.o auth1.o auth2.o auth-rhosts.o auth-options.o auth-krb4.o auth-pam.o auth-passwd.o auth-rsa.o auth-rh-rsa.o pty.o log-server.o login.o loginrec.o servconf.o serverloop.o md5crypt.o session.o +SSHDOBJS= sshd.o auth.o auth1.o auth2.o auth-rhosts.o auth-options.o auth-krb4.o auth-pam.o auth-passwd.o auth-rsa.o auth-rh-rsa.o dh.o pty.o log-server.o login.o loginrec.o servconf.o serverloop.o md5crypt.o session.o TROFFMAN = scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh.1 sshd.8 sftp-server.8 CATMAN = scp.0 ssh-add.0 ssh-agent.0 ssh-keygen.0 ssh.0 sshd.0 sftp-server.0 diff --git a/auth-krb4.c b/auth-krb4.c index 799cf261..21a9625e 100644 --- a/auth-krb4.c +++ b/auth-krb4.c @@ -28,7 +28,7 @@ #include "ssh.h" #include "servconf.h" -RCSID("$OpenBSD: auth-krb4.c,v 1.18 2000/09/07 20:27:49 deraadt Exp $"); +RCSID("$OpenBSD: auth-krb4.c,v 1.19 2000/10/03 18:03:02 markus Exp $"); #ifdef KRB4 char *ticket = NULL; @@ -280,6 +280,8 @@ auth_kerberos_tgt(struct passwd *pw, const char *string) { CREDENTIALS creds; + if (pw == NULL) + goto auth_kerberos_tgt_failure; if (!radix_to_creds(string, &creds)) { log("Protocol error decoding Kerberos V4 tgt"); packet_send_debug("Protocol error decoding Kerberos V4 tgt"); @@ -334,8 +336,16 @@ int auth_afs_token(struct passwd *pw, const char *token_string) { CREDENTIALS creds; - uid_t uid = pw->pw_uid; + uid_t uid; + if (pw == NULL) { + /* XXX fake protocol error */ + packet_send_debug("Protocol error decoding AFS token"); + packet_start(SSH_SMSG_FAILURE); + packet_send(); + packet_write_wait(); + return 0; + } if (!radix_to_creds(token_string, &creds)) { log("Protocol error decoding AFS token"); packet_send_debug("Protocol error decoding AFS token"); @@ -349,6 +359,8 @@ auth_afs_token(struct passwd *pw, const char *token_string) if (strncmp(creds.pname, "AFS ID ", 7) == 0) uid = atoi(creds.pname + 7); + else + uid = pw->pw_uid; if (kafs_settoken(creds.realm, uid, &creds)) { log("AFS token (%s@%s) rejected for %s", creds.pname, creds.realm, diff --git a/auth-options.c b/auth-options.c index da696526..c9c149d6 100644 --- a/auth-options.c +++ b/auth-options.c @@ -14,7 +14,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: auth-options.c,v 1.4 2000/09/07 21:13:36 markus Exp $"); +RCSID("$OpenBSD: auth-options.c,v 1.5 2000/10/09 21:32:34 markus Exp $"); #include "ssh.h" #include "packet.h" @@ -33,6 +33,25 @@ char *forced_command = NULL; /* "environment=" options. */ struct envstring *custom_environment = NULL; +void +auth_clear_options(void) +{ + no_agent_forwarding_flag = 0; + no_port_forwarding_flag = 0; + no_pty_flag = 0; + no_x11_forwarding_flag = 0; + while (custom_environment) { + struct envstring *ce = custom_environment; + custom_environment = ce->next; + xfree(ce->s); + xfree(ce); + } + if (forced_command) { + xfree(forced_command); + forced_command = NULL; + } +} + /* return 1 if access is granted, 0 if not. side effect: sets key option flags */ int auth_parse_options(struct passwd *pw, char *options, unsigned long linenum) @@ -40,6 +59,10 @@ auth_parse_options(struct passwd *pw, char *options, unsigned long linenum) const char *cp; if (!options) return 1; + + /* reset options */ + auth_clear_options(); + while (*options && *options != ' ' && *options != '\t') { cp = "no-port-forwarding"; if (strncmp(options, cp, strlen(cp)) == 0) { @@ -87,9 +110,9 @@ auth_parse_options(struct passwd *pw, char *options, unsigned long linenum) } if (!*options) { debug("%.100s, line %lu: missing end quote", - SSH_USER_PERMITTED_KEYS, linenum); + SSH_USER_PERMITTED_KEYS, linenum); packet_send_debug("%.100s, line %lu: missing end quote", - SSH_USER_PERMITTED_KEYS, linenum); + SSH_USER_PERMITTED_KEYS, linenum); continue; } forced_command[i] = 0; @@ -117,9 +140,9 @@ auth_parse_options(struct passwd *pw, char *options, unsigned long linenum) } if (!*options) { debug("%.100s, line %lu: missing end quote", - SSH_USER_PERMITTED_KEYS, linenum); + SSH_USER_PERMITTED_KEYS, linenum); packet_send_debug("%.100s, line %lu: missing end quote", - SSH_USER_PERMITTED_KEYS, linenum); + SSH_USER_PERMITTED_KEYS, linenum); continue; } s[i] = 0; @@ -175,21 +198,6 @@ auth_parse_options(struct passwd *pw, char *options, unsigned long linenum) get_remote_ipaddr()); packet_send_debug("Your host '%.200s' is not permitted to use this key for login.", get_canonical_hostname()); - /* key invalid for this host, reset flags */ - no_agent_forwarding_flag = 0; - no_port_forwarding_flag = 0; - no_pty_flag = 0; - no_x11_forwarding_flag = 0; - while (custom_environment) { - struct envstring *ce = custom_environment; - custom_environment = ce->next; - xfree(ce->s); - xfree(ce); - } - if (forced_command) { - xfree(forced_command); - forced_command = NULL; - } /* deny access */ return 0; } diff --git a/auth-options.h b/auth-options.h index 9044d98b..02ac5df1 100644 --- a/auth-options.h +++ b/auth-options.h @@ -22,4 +22,7 @@ extern struct envstring *custom_environment; /* return 1 if access is granted, 0 if not. side effect: sets key option flags */ int auth_parse_options(struct passwd *pw, char *options, unsigned long linenum); +/* reset options flags */ +void auth_clear_options(void); + #endif @@ -29,7 +29,7 @@ #include "xmalloc.h" #include "servconf.h" -RCSID("$Id: auth-pam.c,v 1.15 2000/10/14 00:16:12 djm Exp $"); +RCSID("$Id: auth-pam.c,v 1.16 2000/10/14 05:23:11 djm Exp $"); #define NEW_AUTHTOK_MSG \ "Warning: Your password has expired, please change it now" @@ -257,7 +257,7 @@ void do_pam_setcred() pam_retval = pam_setcred(pamh, PAM_ESTABLISH_CRED); if (pam_retval != PAM_SUCCESS) { fatal("PAM setcred failed[%d]: %.200s", - pam_setcred, PAM_STRERROR(pamh, pam_retval)); + pam_retval, PAM_STRERROR(pamh, pam_retval)); } } diff --git a/auth-passwd.c b/auth-passwd.c index 8dd6034d..184ce154 100644 --- a/auth-passwd.c +++ b/auth-passwd.c @@ -59,7 +59,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: auth-passwd.c,v 1.17 2000/09/07 20:27:49 deraadt Exp $"); +RCSID("$OpenBSD: auth-passwd.c,v 1.18 2000/10/03 18:03:03 markus Exp $"); #if !defined(USE_PAM) && !defined(HAVE_OSF_SIA) @@ -156,7 +156,7 @@ auth_password(struct passwd * pw, const char *password) } #endif -#ifdef SKEY +#ifdef SKEY_VIA_PASSWD_IS_DISABLED if (options.skey_authentication == 1) { int ret = auth_skey_password(pw, password); if (ret == 1 || ret == 0) diff --git a/auth-rh-rsa.c b/auth-rh-rsa.c index 072e385a..3070c9d4 100644 --- a/auth-rh-rsa.c +++ b/auth-rh-rsa.c @@ -13,7 +13,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: auth-rh-rsa.c,v 1.16 2000/09/07 21:13:36 markus Exp $"); +RCSID("$OpenBSD: auth-rh-rsa.c,v 1.17 2000/10/03 18:03:03 markus Exp $"); #include "packet.h" #include "ssh.h" @@ -39,9 +39,9 @@ auth_rhosts_rsa(struct passwd *pw, const char *client_user, RSA *client_host_key HostStatus host_status; Key *client_key, *found; - debug("Trying rhosts with RSA host authentication for %.100s", client_user); + debug("Trying rhosts with RSA host authentication for client user %.100s", client_user); - if (client_host_key == NULL) + if (pw == NULL || client_host_key == NULL) return 0; /* Check if we would accept it using rhosts authentication. */ diff --git a/auth-rhosts.c b/auth-rhosts.c index 901c8d13..8314e23a 100644 --- a/auth-rhosts.c +++ b/auth-rhosts.c @@ -14,7 +14,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: auth-rhosts.c,v 1.15 2000/09/07 20:27:49 deraadt Exp $"); +RCSID("$OpenBSD: auth-rhosts.c,v 1.16 2000/10/03 18:03:03 markus Exp $"); #include "packet.h" #include "ssh.h" @@ -154,6 +154,9 @@ auth_rhosts(struct passwd *pw, const char *client_user) static const char *rhosts_files[] = {".shosts", ".rhosts", NULL}; unsigned int rhosts_file_index; + /* no user given */ + if (pw == NULL) + return 0; /* Switch to the user's uid. */ temporarily_use_uid(pw->pw_uid); /* @@ -14,7 +14,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: auth-rsa.c,v 1.29 2000/09/07 21:13:36 markus Exp $"); +RCSID("$OpenBSD: auth-rsa.c,v 1.31 2000/10/11 19:59:52 markus Exp $"); #include "rsa.h" #include "packet.h" @@ -29,6 +29,10 @@ RCSID("$OpenBSD: auth-rsa.c,v 1.29 2000/09/07 21:13:36 markus Exp $"); #include <openssl/rsa.h> #include <openssl/md5.h> + +/* import */ +extern ServerOptions options; + /* * Session identifier that is used to bind key exchange and authentication * responses to a particular session. @@ -116,7 +120,6 @@ auth_rsa_challenge_dialog(RSA *pk) int auth_rsa(struct passwd *pw, BIGNUM *client_n) { - extern ServerOptions options; char line[8192], file[1024]; int authenticated; unsigned int bits; @@ -125,6 +128,10 @@ auth_rsa(struct passwd *pw, BIGNUM *client_n) struct stat st; RSA *pk; + /* no user given */ + if (pw == NULL) + return 0; + /* Temporarily use the user's uid. */ temporarily_use_uid(pw->pw_uid); @@ -277,6 +284,8 @@ auth_rsa(struct passwd *pw, BIGNUM *client_n) if (authenticated) packet_send_debug("RSA authentication accepted."); + else + auth_clear_options(); /* Return authentication result. */ return authenticated; @@ -33,7 +33,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: auth.c,v 1.10 2000/09/07 21:13:36 markus Exp $"); +RCSID("$OpenBSD: auth.c,v 1.11 2000/10/11 20:27:23 markus Exp $"); #include "xmalloc.h" #include "rsa.h" @@ -41,7 +41,6 @@ RCSID("$OpenBSD: auth.c,v 1.10 2000/09/07 21:13:36 markus Exp $"); #include "pty.h" #include "packet.h" #include "buffer.h" -#include "cipher.h" #include "mpaux.h" #include "servconf.h" #include "compat.h" @@ -24,17 +24,29 @@ #ifndef AUTH_H #define AUTH_H +typedef struct Authctxt Authctxt; +struct Authctxt { + int success; + int valid; + int attempt; + char *user; + char *service; + struct passwd *pw; +}; + void do_authentication(void); void do_authentication2(void); -struct passwd * -auth_get_user(void); +void userauth_log(Authctxt *authctxt, int authenticated, char *method); +void userauth_reply(Authctxt *authctxt, int authenticated); + +int auth2_skey(Authctxt *authctxt); -int allowed_user(struct passwd * pw); +int allowed_user(struct passwd * pw); +struct passwd * auth_get_user(void); #define AUTH_FAIL_MAX 6 #define AUTH_FAIL_LOG (AUTH_FAIL_MAX/2) #define AUTH_FAIL_MSG "Too many authentication failures for %.100s" #endif - @@ -10,28 +10,31 @@ */ #include "includes.h" -RCSID("$OpenBSD: auth1.c,v 1.4 2000/09/07 20:27:49 deraadt Exp $"); +RCSID("$OpenBSD: auth1.c,v 1.6 2000/10/11 20:27:23 markus Exp $"); + +#ifdef HAVE_OSF_SIA +# include <sia.h> +# include <siad.h> +#endif #include "xmalloc.h" #include "rsa.h" #include "ssh.h" #include "packet.h" #include "buffer.h" -#include "cipher.h" #include "mpaux.h" #include "servconf.h" #include "compat.h" #include "auth.h" #include "session.h" -#ifdef HAVE_OSF_SIA -# include <sia.h> -# include <siad.h> -#endif - /* import */ extern ServerOptions options; extern char *forced_command; + +#ifdef WITH_AIXAUTHENTICATE +extern char *aixloginmsg; +#endif /* WITH_AIXAUTHENTICATE */ #ifdef HAVE_OSF_SIA extern int saved_argc; extern char **saved_argv; @@ -67,89 +70,21 @@ get_authname(int type) } /* - * The user does not exist or access is denied, - * but fake indication that authentication is needed. + * read packets and try to authenticate local user 'luser'. + * return if authentication is successfull. not that pw == NULL + * if the user does not exists or is not allowed to login. + * each auth method has to 'fake' authentication for nonexisting + * users. */ void -do_fake_authloop1(char *user) -{ - int attempt = 0; - - log("Faking authloop for illegal user %.200s from %.200s port %d", - user, - get_remote_ipaddr(), - get_remote_port()); - -#ifdef WITH_AIXAUTHENTICATE - loginfailed(user,get_canonical_hostname(),"ssh"); -#endif /* WITH_AIXAUTHENTICATE */ - - /* Indicate that authentication is needed. */ - packet_start(SSH_SMSG_FAILURE); - packet_send(); - packet_write_wait(); - - /* - * Keep reading packets, and always respond with a failure. This is - * to avoid disclosing whether such a user really exists. - */ - for (attempt = 1;; attempt++) { - /* Read a packet. This will not return if the client disconnects. */ - int plen; |