diff options
| author | Ben Lindstrom <mouring@eviladmin.org> | 2001-01-19 04:26:52 +0000 |
|---|---|---|
| committer | Ben Lindstrom <mouring@eviladmin.org> | 2001-01-19 04:26:52 +0000 |
| commit | db65e8fdedadaf79df2d8393a4d43e9094c80649 (patch) | |
| tree | e5902db5ee2b69f9f3c2fa0dbdeb7f4fc20c68b4 /auth2.c | |
| parent | 5aa80596f76ce36dee4623a00a55548834c3328d (diff) | |
Please grep through the source and look for 'ISSUE' comments and verify
that I was able to get all the portable bits in the right location. As for
the SKEY comment there is an email out to Markus as to how it should be
resolved. Until then I just #ifdef SKEY/#endif out the whole block.
- (bal) OpenBSD Resync
- markus@cvs.openbsd.org 2001/01/18 16:20:21
[log-client.c log-server.c log.c readconf.c servconf.c ssh.1 ssh.h
sshd.8 sshd.c]
log() is at pri=LOG_INFO, since LOG_NOTICE goes to /dev/console on many
systems
- markus@cvs.openbsd.org 2001/01/18 16:59:59
[auth-passwd.c auth.c auth.h auth1.c auth2.c serverloop.c session.c
session.h sshconnect1.c]
1) removes fake skey from sshd, since this will be much
harder with /usr/libexec/auth/login_XXX
2) share/unify code used in ssh-1 and ssh-2 authentication (server side)
3) make addition of BSD_AUTH and other challenge reponse methods
easier.
- markus@cvs.openbsd.org 2001/01/18 17:12:43
[auth-chall.c auth2-chall.c]
rename *-skey.c *-chall.c since the files are not skey specific
Diffstat (limited to 'auth2.c')
| -rw-r--r-- | auth2.c | 124 |
1 files changed, 35 insertions, 89 deletions
@@ -23,7 +23,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: auth2.c,v 1.25 2001/01/08 22:29:05 markus Exp $"); +RCSID("$OpenBSD: auth2.c,v 1.28 2001/01/18 17:00:00 markus Exp $"); #ifdef HAVE_OSF_SIA # include <sia.h> @@ -84,7 +84,6 @@ void input_service_request(int type, int plen, void *ctxt); void input_userauth_request(int type, int plen, void *ctxt); void protocol_error(int type, int plen, void *ctxt); - /* helper */ Authmethod *authmethod_lookup(const char *name); struct passwd *pwcopy(struct passwd *pw); @@ -121,22 +120,21 @@ Authmethod authmethods[] = { void do_authentication2() { - Authctxt *authctxt = xmalloc(sizeof(*authctxt)); - memset(authctxt, 'a', sizeof(*authctxt)); - authctxt->valid = 0; - authctxt->attempt = 0; - authctxt->failures = 0; - authctxt->success = 0; + Authctxt *authctxt = authctxt_new(); + x_authctxt = authctxt; /*XXX*/ -#ifdef KRB4 - /* turn off kerberos, not supported by SSH2 */ - options.kerberos_authentication = 0; +#ifdef AFS + /* If machine has AFS, set process authentication group. */ + if (k_hasafs()) { + k_setpag(); + k_unlog(); + } #endif dispatch_init(&protocol_error); dispatch_set(SSH2_MSG_SERVICE_REQUEST, &input_service_request); dispatch_run(DISPATCH_BLOCK, &authctxt->success, authctxt); - do_authenticated2(); + do_authenticated2(authctxt); } void @@ -187,7 +185,7 @@ input_userauth_request(int type, int plen, void *ctxt) { Authctxt *authctxt = ctxt; Authmethod *m = NULL; - char *user, *service, *method; + char *user, *service, *method, *style = NULL; int authenticated = 0; if (authctxt == NULL) @@ -199,6 +197,9 @@ input_userauth_request(int type, int plen, void *ctxt) debug("userauth-request for user %s service %s method %s", user, service, method); debug("attempt %d failures %d", authctxt->attempt, authctxt->failures); + if ((style = strchr(user, ':')) != NULL) + *style++ = 0; + if (authctxt->attempt++ == 0) { /* setup auth context */ struct passwd *pw = NULL; @@ -216,6 +217,7 @@ input_userauth_request(int type, int plen, void *ctxt) } authctxt->user = xstrdup(user); authctxt->service = xstrdup(service); + authctxt->style = style ? xstrdup(style) : NULL; /* currently unused */ } else if (authctxt->valid) { if (strcmp(user, authctxt->user) != 0 || strcmp(service, authctxt->service) != 0) { @@ -224,25 +226,23 @@ input_userauth_request(int type, int plen, void *ctxt) authctxt->valid = 0; } } + /* reset state */ + dispatch_set(SSH2_MSG_USERAUTH_INFO_RESPONSE, &protocol_error); + authctxt->postponed = 0; + /* try to authenticate user */ m = authmethod_lookup(method); if (m != NULL) { debug2("input_userauth_request: try method %s", method); authenticated = m->userauth(authctxt); - } else { - debug2("input_userauth_request: unsupported method %s", method); - } - if (!authctxt->valid && authenticated == 1) { - log("input_userauth_request: INTERNAL ERROR: authenticated invalid user %s service %s", user, method); - authenticated = 0; } + if (!authctxt->valid && authenticated) + fatal("INTERNAL ERROR: authenticated invalid user %s", + authctxt->user); /* Special handling for root */ - if (authenticated == 1 && - authctxt->valid && authctxt->pw->pw_uid == 0 && !options.permit_root_login) { + if (authenticated && authctxt->pw->pw_uid == 0 && !auth_root_allowed()) authenticated = 0; - log("ROOT LOGIN REFUSED FROM %.200s", get_canonical_hostname()); - } #ifdef USE_PAM if (authenticated && authctxt->user && !do_pam_account(authctxt->user, NULL)) @@ -250,8 +250,10 @@ input_userauth_request(int type, int plen, void *ctxt) #endif /* USE_PAM */ /* Log before sending the reply */ - userauth_log(authctxt, authenticated, method); - userauth_reply(authctxt, authenticated); + auth_log(authctxt, authenticated, method, " ssh2"); + + if (!authctxt->postponed) + userauth_reply(authctxt, authenticated); xfree(service); xfree(user); @@ -292,47 +294,13 @@ done: return; } -void -userauth_log(Authctxt *authctxt, int authenticated, char *method) -{ - void (*authlog) (const char *fmt,...) = verbose; - char *user = NULL, *authmsg = NULL; - - /* Raise logging level */ - if (authenticated == 1 || - !authctxt->valid || - authctxt->failures >= AUTH_FAIL_LOG || - strcmp(method, "password") == 0) - authlog = log; - - if (authenticated == 1) { - authmsg = "Accepted"; - } else if (authenticated == 0) { - authmsg = "Failed"; - } else { - authmsg = "Postponed"; - } - - if (authctxt->valid) { - user = authctxt->pw->pw_uid == 0 ? "ROOT" : authctxt->user; - } else { - user = "NOUSER"; - } - - authlog("%s %s for %.200s from %.200s port %d ssh2", - authmsg, - method, - user, - get_remote_ipaddr(), - get_remote_port()); -} - void userauth_reply(Authctxt *authctxt, int authenticated) { char *methods; + /* XXX todo: check if multiple auth methods are needed */ - if (authenticated == 1) { + if (authenticated) { #ifdef WITH_AIXAUTHENTICATE /* We don't have a pty yet, so just label the line as "ssh" */ if (loginsuccess(authctxt->user?authctxt->user:"NOUSER", @@ -346,9 +314,9 @@ userauth_reply(Authctxt *authctxt, int authenticated) packet_write_wait(); /* now we can break out */ authctxt->success = 1; - } else if (authenticated == 0) { - if (authctxt->failures++ >= AUTH_FAIL_MAX) - packet_disconnect("too many failed userauth_requests"); + } else { + if (authctxt->failures++ > AUTH_FAIL_MAX) + packet_disconnect(AUTH_FAIL_MSG, authctxt->user); methods = authmethods_get(); packet_start(SSH2_MSG_USERAUTH_FAILURE); packet_put_cstring(methods); @@ -356,8 +324,6 @@ userauth_reply(Authctxt *authctxt, int authenticated) packet_send(); packet_write_wait(); xfree(methods); - } else { - /* do nothing, we did already send a reply */ } } @@ -432,16 +398,13 @@ userauth_kbdint(Authctxt *authctxt) packet_done(); debug("keyboard-interactive language %s devs %s", lang, devs); + + authenticated = auth2_challenge(authctxt, devs); + #ifdef USE_PAM if (authenticated == 0) authenticated = auth2_pam(authctxt); #endif -#ifdef SKEY - /* XXX hardcoded, we should look at devs */ - if (authenticated == 0) - if (options.skey_authentication != 0) - authenticated = auth2_skey(authctxt); -#endif xfree(lang); xfree(devs); #ifdef HAVE_CYGWIN @@ -732,20 +695,3 @@ user_key_allowed(struct passwd *pw, Key *key) key_free(found); return found_key; } - -struct passwd * -pwcopy(struct passwd *pw) -{ - struct passwd *copy = xmalloc(sizeof(*copy)); - memset(copy, 0, sizeof(*copy)); - copy->pw_name = xstrdup(pw->pw_name); - copy->pw_passwd = xstrdup(pw->pw_passwd); - copy->pw_uid = pw->pw_uid; - copy->pw_gid = pw->pw_gid; -#ifdef HAVE_PW_CLASS_IN_PASSWD - copy->pw_class = xstrdup(pw->pw_class); -#endif - copy->pw_dir = xstrdup(pw->pw_dir); - copy->pw_shell = xstrdup(pw->pw_shell); - return copy; -} |