author | Ben Lindstrom <mouring@eviladmin.org> | 2001-01-19 04:26:52 +0000 |
---|---|---|
committer | Ben Lindstrom <mouring@eviladmin.org> | 2001-01-19 04:26:52 +0000 |
commit | db65e8fdedadaf79df2d8393a4d43e9094c80649 (patch) | |
tree | e5902db5ee2b69f9f3c2fa0dbdeb7f4fc20c68b4 /auth.c | |
parent | 5aa80596f76ce36dee4623a00a55548834c3328d (diff) |
Please grep through the source and look for 'ISSUE' comments and verify
that I was able to get all the portable bits in the right location. As for
the SKEY comment there is an email out to Markus as to how it should be
resolved. Until then I just #ifdef SKEY/#endif out the whole block.
- (bal) OpenBSD Resync
- markus@cvs.openbsd.org 2001/01/18 16:20:21
[log-client.c log-server.c log.c readconf.c servconf.c ssh.1 ssh.h
sshd.8 sshd.c]
log() is at pri=LOG_INFO, since LOG_NOTICE goes to /dev/console on many
systems
- markus@cvs.openbsd.org 2001/01/18 16:59:59
[auth-passwd.c auth.c auth.h auth1.c auth2.c serverloop.c session.c
session.h sshconnect1.c]
1) removes fake skey from sshd, since this will be much
harder with /usr/libexec/auth/login_XXX
2) share/unify code used in ssh-1 and ssh-2 authentication (server side)
3) make addition of BSD_AUTH and other challenge response methods
easier.
- markus@cvs.openbsd.org 2001/01/18 17:12:43
[auth-chall.c auth2-chall.c]
rename *-skey.c *-chall.c since the files are not skey specific
Diffstat (limited to 'auth.c')
-rw-r--r-- | auth.c | 96 |
1 files changed, 74 insertions, 22 deletions
@@ -1,14 +1,4 @@
 /*
- * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
- * All rights reserved
- *
- * As far as I am concerned, the code I have written for this software
- * can be used freely for any purpose. Any derived versions of this
- * software must be clearly marked as such, and if the derived work is
- * incompatible with the protocol description in the RFC file, it must be
- * called by a name other than "ssh" or "Secure Shell".
- *
- *
 * Copyright (c) 2000 Markus Friedl. All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
@@ -33,19 +23,12 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: auth.c,v 1.12 2001/01/13 18:56:48 markus Exp $");
+RCSID("$OpenBSD: auth.c,v 1.13 2001/01/18 16:59:59 markus Exp $");
 #include "xmalloc.h"
-#include "rsa.h"
 #include "ssh.h"
-#include "pty.h"
-#include "packet.h"
-#include "buffer.h"
-#include "mpaux.h"
-#include "servconf.h"
-#include "compat.h"
-#include "channels.h"
 #include "match.h"
+#include "servconf.h"
 #include "groupaccess.h"
 #ifdef HAVE_LOGIN_H
 #include <login.h>
@@ -54,10 +37,8 @@ RCSID("$OpenBSD: auth.c,v 1.12 2001/01/13 18:56:48 markus Exp $");
 #include <shadow.h>
 #endif /* defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW) */
-#include "bufaux.h"
-#include "ssh2.h"
 #include "auth.h"
-#include "session.h"
+#include "auth-options.h"
 /* import */
 extern ServerOptions options;
@@ -179,3 +160,74 @@ allowed_user(struct passwd * pw)
 /* We found no reason not to let this user try to log on... */
 return 1;
 }
+
+Authctxt *
+authctxt_new(void)
+{
+ Authctxt *authctxt = xmalloc(sizeof(*authctxt));
+ memset(authctxt, 0, sizeof(*authctxt));
+ return authctxt;
+}
+
+struct passwd *
+pwcopy(struct passwd *pw)
+{
+ struct passwd *copy = xmalloc(sizeof(*copy));
+ memset(copy, 0, sizeof(*copy));
+ copy->pw_name = xstrdup(pw->pw_name);
+ copy->pw_passwd = xstrdup(pw->pw_passwd);
+ copy->pw_uid = pw->pw_uid;
+ copy->pw_gid = pw->pw_gid;
+#ifdef HAVE_PW_CLASS_IN_PASSWD
+ copy->pw_class = xstrdup(pw->pw_class);
+#endif
+ copy->pw_dir = xstrdup(pw->pw_dir);
+ copy->pw_shell = xstrdup(pw->pw_shell);
+ return copy;
+}
+
+void
+auth_log(Authctxt *authctxt, int authenticated, char *method, char *info)
+{
+ void (*authlog) (const char *fmt,...) = verbose;
+ char *authmsg;
+
+ /* Raise logging level */
+ if (authenticated == 1 ||
+ !authctxt->valid ||
+ authctxt->failures >= AUTH_FAIL_LOG ||
+ strcmp(method, "password") == 0)
+ authlog = log;
+
+ if (authctxt->postponed)
+ authmsg = "Postponed";
+ else
+ authmsg = authenticated ? "Accepted" : "Failed";
+
+ authlog("%s %s for %s%.100s from %.200s port %d%s",
+ authmsg,
+ method,
+ authctxt->valid ? "" : "illegal user ",
+ authctxt->valid && authctxt->pw->pw_uid == 0 ? "ROOT" : authctxt->user,
+ get_remote_ipaddr(),
+ get_remote_port(),
+ info);
+}
+
+/*
+ * Check if the user is logging in as root and root logins are disallowed.
+ * Note that root login is _allways_ allowed for forced commands.
+ */
+int
+auth_root_allowed(void)
+{
+ if (options.permit_root_login)
+ return 1;
+ if (forced_command) {
+ log("Root login accepted for forced command.");
+ return 1;
+ } else {
+ log("ROOT LOGIN REFUSED FROM %.200s", get_canonical_hostname());
+ return 0;
+ }
+}
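Review bot: In `auth_root_allowed` at the end of the hunk, the refusal is logged with `get_canonical_hostname()`, whereas `auth_log` a few lines above records `get_remote_ipaddr()` and `get_remote_port()`; the canonical name comes from reverse DNS, so the refused-root-login record names whatever the remote side's PTR record says and may trigger a lookup on the refusal path. Logging the same address/port pair as `auth_log` keeps the two audit records consistent and attributable to the connection rather than to DNS: `log("ROOT LOGIN REFUSED FROM %.200s port %d", get_remote_ipaddr(), get_remote_port());`. `auth_root_allowed` also takes no method argument and returns 1 for any non-zero `options.permit_root_login`; if that option can hold a "without-password"-style value (not visible here), each caller has to enforce that distinction itself, which is worth stating in the function's header comment. Separately, `pwcopy` duplicates `pw_passwd` onto the heap and nothing in this hunk frees or zeroes that copy; whether a matching release exists elsewhere cannot be told from here, so the ownership of the returned struct (who frees it, and that it carries the password field) should be documented above `pwcopy`.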