src/usr.bin/ssh/auth1.c - diff

Return to auth1.c CVS log

Up to [local] / src / usr.bin / ssh

Diff for /src/usr.bin/ssh/Attic/auth1.c between version 1.25 and 1.25.2.4

version 1.25, 2001/06/26 16:15:23

version 1.25.2.4, 2002/10/11 14:53:06

Line 22

#include "servconf.h"

#include "compat.h"

#include "auth.h"

#include "channels.h"

#include "session.h"

#include "misc.h"

#include "uidswap.h"

#include "monitor_wrap.h"

/* import */

extern ServerOptions options;

Line 66

Line 67

{

int authenticated = 0;

u_int bits;

RSA *client_host_key;

Key *client_host_key;

BIGNUM *n;

char *client_user, *password;

char info[1024];

u_int dlen;

int plen, nlen, elen;

u_int ulen;

int type = 0;

struct passwd *pw = authctxt->pw;

debug("Attempting authentication for %s%.100s.",

authctxt->valid ? "" : "illegal user ", authctxt->user);

/* If the user has no password, accept authentication immediately. */

if (options.password_authentication &&

#if defined(KRB4) || defined(KRB5)

(!options.kerberos_authentication || options.kerberos_or_local_passwd) &&

#endif

auth_password(authctxt, "")) {

PRIVSEP(auth_password(authctxt, ""))) {

auth_log(authctxt, 1, "without authentication", "");

return;

}

/* Indicate that authentication is needed. */

packet_start(SSH_SMSG_FAILURE);

packet_send();

Line 101

info[0] = '\0';

/* Get a packet from the client. */

type = packet_read(&plen);

type = packet_read();

/* Process the packet. */

switch (type) {

Line 112

verbose("Kerberos authentication disabled.");

} else {

char *kdata = packet_get_string(&dlen);

packet_check_eom();

packet_integrity_check(plen, 4 + dlen, type);

if (kdata[0] == 4) { /* KRB_PROT_VERSION */

#ifdef KRB4

KTEXT_ST tkt;

KTEXT_ST tkt, reply;

tkt.length = dlen;

if (tkt.length < MAX_KTXT_LEN)

memcpy(tkt.dat, kdata, tkt.length);

if (auth_krb4(authctxt, &tkt, &client_user)) {

if (PRIVSEP(auth_krb4(authctxt, &tkt,

&client_user, &reply))) {

authenticated = 1;

snprintf(info, sizeof(info),

" tktuser %.100s",

client_user);

packet_start(

SSH_SMSG_AUTH_KERBEROS_RESPONSE);

packet_put_string((char *)

reply.dat, reply.length);

packet_send();

packet_write_wait();

xfree(client_user);

}

#endif /* KRB4 */

} else {

#ifdef KRB5

krb5_data tkt;

krb5_data tkt, reply;

tkt.length = dlen;

tkt.data = kdata;

if (auth_krb5(authctxt, &tkt, &client_user)) {

if (PRIVSEP(auth_krb5(authctxt, &tkt,

&client_user, &reply))) {

authenticated = 1;

snprintf(info, sizeof(info),

" tktuser %.100s",

client_user);

/* Send response to client */

packet_start(

SSH_SMSG_AUTH_KERBEROS_RESPONSE);

packet_put_string((char *)

reply.data, reply.length);

packet_send();

packet_write_wait();

if (reply.length)

xfree(reply.data);

xfree(client_user);

}

#endif /* KRB5 */

Line 150

Line 169

}

break;

#endif /* KRB4 || KRB5 */

#if defined(AFS) || defined(KRB5)

/* XXX - punt on backward compatibility here. */

case SSH_CMSG_HAVE_KERBEROS_TGT:

Line 162

Line 181

break;

#endif /* AFS */

#endif /* AFS || KRB5 */

case SSH_CMSG_AUTH_RHOSTS:

if (!options.rhosts_authentication) {

verbose("Rhosts authentication disabled.");

Line 175

Line 194

* IP-spoofing on a local network.)

client_user = packet_get_string(&ulen);

packet_integrity_check(plen, 4 + ulen, type);

packet_check_eom();

/* Try to authenticate using /etc/hosts.equiv and .rhosts. */

authenticated = auth_rhosts(pw, client_user);

Line 197

Line 216

client_user = packet_get_string(&ulen);

/* Get the client host key. */

client_host_key = RSA_new();

client_host_key = key_new(KEY_RSA1);

if (client_host_key == NULL)

fatal("RSA_new failed");

client_host_key->e = BN_new();

client_host_key->n = BN_new();

if (client_host_key->e == NULL || client_host_key->n == NULL)

fatal("BN_new failed");

bits = packet_get_int();

packet_get_bignum(client_host_key->e, &elen);

packet_get_bignum(client_host_key->rsa->e);

packet_get_bignum(client_host_key->n, &nlen);

packet_get_bignum(client_host_key->rsa->n);

if (bits != BN_num_bits(client_host_key->n))

if (bits != BN_num_bits(client_host_key->rsa->n))

verbose("Warning: keysize mismatch for client_host_key: "

"actual %d, announced %d", BN_num_bits(client_host_key->n), bits);

"actual %d, announced %d",

packet_integrity_check(plen, (4 + ulen) + 4 + elen + nlen, type);

BN_num_bits(client_host_key->rsa->n), bits);

packet_check_eom();

authenticated = auth_rhosts_rsa(pw, client_user, client_host_key);

authenticated = auth_rhosts_rsa(pw, client_user,

RSA_free(client_host_key);

client_host_key);

key_free(client_host_key);

snprintf(info, sizeof info, " ruser %.100s", client_user);

xfree(client_user);

Line 226

Line 241

break;

}

/* RSA authentication requested. */

n = BN_new();

if ((n = BN_new()) == NULL)

packet_get_bignum(n, &nlen);

fatal("do_authloop: BN_new failed");

packet_integrity_check(plen, nlen, type);

packet_get_bignum(n);

packet_check_eom();

authenticated = auth_rsa(pw, n);

BN_clear_free(n);

break;

Line 244

Line 260

* not visible to an outside observer.

password = packet_get_string(&dlen);

packet_integrity_check(plen, 4 + dlen, type);

packet_check_eom();

/* Try authentication with the password. */

authenticated = auth_password(authctxt, password);

authenticated = PRIVSEP(auth_password(authctxt, password));

memset(password, 0, strlen(password));

xfree(password);

Line 273

Line 289

if (options.challenge_response_authentication == 1) {

char *response = packet_get_string(&dlen);

debug("got response '%s'", response);

packet_integrity_check(plen, 4 + dlen, type);

packet_check_eom();

authenticated = verify_response(authctxt, response);

memset(response, 'r', dlen);

xfree(response);

Line 299

Line 315

authctxt->user);

/* Special handling for root */

if (authenticated && authctxt->pw->pw_uid == 0 &&

if (!use_privsep &&

authenticated && authctxt->pw->pw_uid == 0 &&

!auth_root_allowed(get_authname(type)))

authenticated = 0;

Line 322

Line 339

* Performs authentication of an incoming connection. Session key has already

* been exchanged and encryption is enabled.

void

Authctxt *

do_authentication()

do_authentication(void)

{

Authctxt *authctxt;

struct passwd *pw;

int plen;

u_int ulen;

char *p, *user, *style = NULL;

char *user, *style = NULL;

/* Get the name of the user that we wish to log in as. */

packet_read_expect(&plen, SSH_CMSG_USER);

packet_read_expect(SSH_CMSG_USER);

/* Get the user name. */

user = packet_get_string(&ulen);

packet_integrity_check(plen, (4 + ulen), SSH_CMSG_USER);

packet_check_eom();

if ((style = strchr(user, ':')) != NULL)

*style++ = '\0';

#ifdef KRB5

/* XXX - SSH.com Kerberos v5 braindeath. */

if ((p = strchr(user, '@')) != NULL)

if ((datafellows & SSH_BUG_K5USER) &&

*p = '\0';

options.kerberos_authentication) {

char *p;

if ((p = strchr(user, '@')) != NULL)

*p = '\0';

}

#endif

authctxt = authctxt_new();

authctxt->user = user;

authctxt->style = style;

/* Verify that the user is a valid user. */

pw = getpwnam(user);

if ((authctxt->pw = PRIVSEP(getpwnamallow(user))) != NULL)

if (pw && allowed_user(pw)) {

authctxt->valid = 1;

pw = pwcopy(pw);

else

} else {

debug("do_authentication: illegal user %s", user);

pw = NULL;

}

authctxt->pw = pw;

setproctitle("%s", pw ? user : "unknown");

setproctitle("%s%s", authctxt->pw ? user : "unknown",

use_privsep ? " [net]" : "");

* If we are not running as root, the user must have the same uid as

* the server.

if (getuid() != 0 && pw && pw->pw_uid != getuid())

if (!use_privsep && getuid() != 0 && authctxt->pw &&

authctxt->pw->pw_uid != getuid())

packet_disconnect("Cannot change user when server not running as root.");

Line 380

Line 398

packet_send();

packet_write_wait();

/* Perform session preparation. */

return (authctxt);

do_authenticated(authctxt);

}