src/usr.bin/ssh/auth1.c - diff

Return to auth1.c CVS log

Up to [local] / src / usr.bin / ssh

Diff for /src/usr.bin/ssh/Attic/auth1.c between version 1.6.2.7 and 1.7

version 1.6.2.7, 2002/03/08 17:04:41

version 1.7, 2000/11/10 01:04:40

Line 14

#include "xmalloc.h"

#include "rsa.h"

#include "ssh1.h"

#include "ssh.h"

#include "packet.h"

#include "buffer.h"

#include "mpaux.h"

#include "log.h"

#include "servconf.h"

#include "compat.h"

#include "auth.h"

#include "channels.h"

#include "session.h"

#include "misc.h"

#include "uidswap.h"

/* import */

extern ServerOptions options;

extern char *forced_command;

* convert ssh auth msg type into description

static char *

char *

get_authname(int type)

{

static char buf[1024];

Line 46

Line 43

return "rhosts-rsa";

case SSH_CMSG_AUTH_RHOSTS:

return "rhosts";

case SSH_CMSG_AUTH_TIS:

#ifdef KRB4

case SSH_CMSG_AUTH_TIS_RESPONSE:

return "challenge-response";

#if defined(KRB4) || defined(KRB5)

case SSH_CMSG_AUTH_KERBEROS:

return "kerberos";

#endif

#ifdef SKEY

case SSH_CMSG_AUTH_TIS_RESPONSE:

return "s/key";

#endif

}

snprintf(buf, sizeof buf, "bad-auth-msg-%d", type);

return buf;

}

* read packets, try to authenticate the user and

* read packets and try to authenticate local user 'luser'.

* return only if authentication is successful

* return if authentication is successfull. not that pw == NULL

* if the user does not exists or is not allowed to login.

* each auth method has to 'fake' authentication for nonexisting

* users.

static void

void

do_authloop(Authctxt *authctxt)

do_authloop(struct passwd * pw, char *luser)

{

int authenticated = 0;

u_int bits;

int attempt = 0;

Key *client_host_key;

unsigned int bits;

RSA *client_host_key;

BIGNUM *n;

char *client_user, *password;

char info[1024];

char user[1024];

u_int dlen;

unsigned int dlen;

u_int ulen;

int plen, nlen, elen;

unsigned int ulen;

int type = 0;

struct passwd *pw = authctxt->pw;

void (*authlog) (const char *fmt,...) = verbose;

debug("Attempting authentication for %s%.100s.",

authctxt->valid ? "" : "illegal user ", authctxt->user);

/* If the user has no password, accept authentication immediately. */

if (options.password_authentication &&

#if defined(KRB4) || defined(KRB5)

(!options.kerberos_authentication || options.kerberos_or_local_passwd) &&

#endif

auth_password(authctxt, "")) {

auth_log(authctxt, 1, "without authentication", "");

return;

}

/* Indicate that authentication is needed. */

packet_start(SSH_SMSG_FAILURE);

packet_send();

packet_write_wait();

for (;;) {

for (attempt = 1;; attempt++) {

/* default to fail */

authenticated = 0;

info[0] = '\0';

strlcpy(user, "", sizeof user);

/* Get a packet from the client. */

type = packet_read();

type = packet_read(&plen);

/* Process the packet. */

switch (type) {

#ifdef AFS

case SSH_CMSG_HAVE_KERBEROS_TGT:

if (!options.kerberos_tgt_passing) {

verbose("Kerberos tgt passing disabled.");

break;

} else {

/* Accept Kerberos tgt. */

char *tgt = packet_get_string(&dlen);

packet_integrity_check(plen, 4 + dlen, type);

if (!auth_kerberos_tgt(pw, tgt))

verbose("Kerberos tgt REFUSED for %.100s", luser);

xfree(tgt);

}

continue;

#if defined(KRB4) || defined(KRB5)

case SSH_CMSG_HAVE_AFS_TOKEN:

if (!options.afs_token_passing || !k_hasafs()) {

verbose("AFS token passing disabled.");

break;

} else {

/* Accept AFS token. */

char *token_string = packet_get_string(&dlen);

packet_integrity_check(plen, 4 + dlen, type);

if (!auth_afs_token(pw, token_string))

verbose("AFS token REFUSED for %.100s", luser);

xfree(token_string);

}

continue;

#endif /* AFS */

#ifdef KRB4

case SSH_CMSG_AUTH_KERBEROS:

if (!options.kerberos_authentication) {

/* packet_get_all(); */

verbose("Kerberos authentication disabled.");

break;

} else {

char *kdata = packet_get_string(&dlen);

/* Try Kerberos v4 authentication. */

packet_check_eom();

KTEXT_ST auth;

char *tkt_user = NULL;

char *kdata = packet_get_string((unsigned int *) &auth.length);

packet_integrity_check(plen, 4 + auth.length, type);

if (kdata[0] == 4) { /* KRB_PROT_VERSION */

if (auth.length < MAX_KTXT_LEN)

#ifdef KRB4

memcpy(auth.dat, kdata, auth.length);

KTEXT_ST tkt;

xfree(kdata);

tkt.length = dlen;

if (pw != NULL) {

if (tkt.length < MAX_KTXT_LEN)

authenticated = auth_krb4(pw->pw_name, &auth, &tkt_user);

memcpy(tkt.dat, kdata, tkt.length);

if (authenticated) {

snprintf(user, sizeof user, " tktuser %s", tkt_user);

if (auth_krb4(authctxt, &tkt, &client_user)) {

xfree(tkt_user);

authenticated = 1;

snprintf(info, sizeof(info),

" tktuser %.100s",

client_user);

xfree(client_user);

}

#endif /* KRB4 */

} else {

#ifdef KRB5

krb5_data tkt;

tkt.length = dlen;

tkt.data = kdata;

if (auth_krb5(authctxt, &tkt, &client_user)) {

authenticated = 1;

snprintf(info, sizeof(info),

" tktuser %.100s",

client_user);

xfree(client_user);

}

#endif /* KRB5 */

}

xfree(kdata);

}

break;

#endif /* KRB4 || KRB5 */

#endif /* KRB4 */

#if defined(AFS) || defined(KRB5)

/* XXX - punt on backward compatibility here. */

case SSH_CMSG_HAVE_KERBEROS_TGT:

packet_send_debug("Kerberos TGT passing disabled before authentication.");

break;

#ifdef AFS

case SSH_CMSG_HAVE_AFS_TOKEN:

packet_send_debug("AFS token passing disabled before authentication.");

break;

#endif /* AFS */

#endif /* AFS || KRB5 */

case SSH_CMSG_AUTH_RHOSTS:

if (!options.rhosts_authentication) {

verbose("Rhosts authentication disabled.");

Line 174

Line 164

* IP-spoofing on a local network.)

client_user = packet_get_string(&ulen);

packet_check_eom();

packet_integrity_check(plen, 4 + ulen, type);

/* Try to authenticate using /etc/hosts.equiv and .rhosts. */

authenticated = auth_rhosts(pw, client_user);

snprintf(info, sizeof info, " ruser %.100s", client_user);

snprintf(user, sizeof user, " ruser %s", client_user);

xfree(client_user);

break;

Line 196

Line 186

client_user = packet_get_string(&ulen);

/* Get the client host key. */

client_host_key = key_new(KEY_RSA1);

client_host_key = RSA_new();

if (client_host_key == NULL)

fatal("RSA_new failed");

client_host_key->e = BN_new();

client_host_key->n = BN_new();

if (client_host_key->e == NULL || client_host_key->n == NULL)

fatal("BN_new failed");

bits = packet_get_int();

packet_get_bignum(client_host_key->rsa->e);

packet_get_bignum(client_host_key->e, &elen);

packet_get_bignum(client_host_key->rsa->n);

packet_get_bignum(client_host_key->n, &nlen);

if (bits != BN_num_bits(client_host_key->rsa->n))

if (bits != BN_num_bits(client_host_key->n))

verbose("Warning: keysize mismatch for client_host_key: "

"actual %d, announced %d",

"actual %d, announced %d", BN_num_bits(client_host_key->n), bits);

BN_num_bits(client_host_key->rsa->n), bits);

packet_integrity_check(plen, (4 + ulen) + 4 + elen + nlen, type);

packet_check_eom();

authenticated = auth_rhosts_rsa(pw, client_user,

authenticated = auth_rhosts_rsa(pw, client_user, client_host_key);

client_host_key);

RSA_free(client_host_key);

key_free(client_host_key);

snprintf(info, sizeof info, " ruser %.100s", client_user);

snprintf(user, sizeof user, " ruser %s", client_user);

xfree(client_user);

break;

Line 221

Line 215

break;

}

/* RSA authentication requested. */

if ((n = BN_new()) == NULL)

n = BN_new();

fatal("do_authloop: BN_new failed");

packet_get_bignum(n, &nlen);

packet_get_bignum(n);

packet_integrity_check(plen, nlen, type);

packet_check_eom();

authenticated = auth_rsa(pw, n);

BN_clear_free(n);

break;

Line 240

Line 233

* not visible to an outside observer.

password = packet_get_string(&dlen);

packet_check_eom();

packet_integrity_check(plen, 4 + dlen, type);

/* Try authentication with the password. */

authenticated = auth_password(authctxt, password);

authenticated = auth_password(pw, password);

memset(password, 0, strlen(password));

xfree(password);

break;

#ifdef SKEY

case SSH_CMSG_AUTH_TIS:

debug("rcvd SSH_CMSG_AUTH_TIS");

if (options.challenge_response_authentication == 1) {

if (options.skey_authentication == 1) {

char *challenge = get_challenge(authctxt);

char *skeyinfo = NULL;

if (challenge != NULL) {

if (pw != NULL)

debug("sending challenge '%s'", challenge);

skeyinfo = skey_keyinfo(pw->pw_name);

if (skeyinfo == NULL) {

debug("generating fake skeyinfo for %.100s.", luser);

skeyinfo = skey_fake_keyinfo(luser);

}

if (skeyinfo != NULL) {

/* we send our s/key- in tis-challenge messages */

debug("sending challenge '%s'", skeyinfo);

packet_start(SSH_SMSG_AUTH_TIS_CHALLENGE);

packet_put_cstring(challenge);

packet_put_cstring(skeyinfo);

xfree(challenge);

packet_send();

packet_write_wait();

continue;

Line 266

break;

case SSH_CMSG_AUTH_TIS_RESPONSE:

debug("rcvd SSH_CMSG_AUTH_TIS_RESPONSE");

if (options.challenge_response_authentication == 1) {

if (options.skey_authentication == 1) {

char *response = packet_get_string(&dlen);

debug("got response '%s'", response);

debug("skey response == '%s'", response);

packet_check_eom();

packet_integrity_check(plen, 4 + dlen, type);

authenticated = verify_response(authctxt, response);

authenticated = (pw != NULL &&

memset(response, 'r', dlen);

skey_haskey(pw->pw_name) == 0 &&

skey_passcheck(pw->pw_name, response) != -1);

xfree(response);

}

break;

#else

case SSH_CMSG_AUTH_TIS:

/* TIS Authentication is unsupported */

log("TIS authentication unsupported.");

break;

#endif

default:

Line 284

Line 291

log("Unknown message during authentication: type %d", type);

break;

}

#ifdef BSD_AUTH

if (authenticated && pw == NULL)

if (authctxt->as) {

fatal("internal error: authenticated for pw == NULL");

auth_close(authctxt->as);

authctxt->as = NULL;

* Check if the user is logging in as root and root logins

* are disallowed.

* Note that root login is allowed for forced commands.

if (authenticated && pw && pw->pw_uid == 0 && !options.permit_root_login) {

if (forced_command) {

log("Root login accepted for forced command.");

} else {

authenticated = 0;

log("ROOT LOGIN REFUSED FROM %.200s",

get_canonical_hostname());

}

#endif

if (!authctxt->valid && authenticated)

fatal("INTERNAL ERROR: authenticated invalid user %s",

authctxt->user);

/* Special handling for root */

/* Raise logging level */

if (authenticated && authctxt->pw->pw_uid == 0 &&

if (authenticated ||

!auth_root_allowed(get_authname(type)))

attempt == AUTH_FAIL_LOG ||

authenticated = 0;

type == SSH_CMSG_AUTH_PASSWORD)

authlog = log;

/* Log before sending the reply */

authlog("%s %s for %s%.100s from %.200s port %d%s",

auth_log(authctxt, authenticated, get_authname(type), info);

authenticated ? "Accepted" : "Failed",

get_authname(type),

pw ? "" : "illegal user ",

pw && pw->pw_uid == 0 ? "ROOT" : luser,

get_remote_ipaddr(),

get_remote_port(),

user);

if (authenticated)

return;

if (authctxt->failures++ > AUTH_FAIL_MAX)

if (attempt > AUTH_FAIL_MAX)

packet_disconnect(AUTH_FAIL_MSG, authctxt->user);

packet_disconnect(AUTH_FAIL_MSG, luser);

/* Send a message indicating that the authentication attempt failed. */

packet_start(SSH_SMSG_FAILURE);

packet_send();

packet_write_wait();

Line 319

Line 342

* been exchanged and encryption is enabled.

void

do_authentication(void)

do_authentication()

{

Authctxt *authctxt;

struct passwd *pw, pwcopy;

struct passwd *pw;

int plen;

u_int ulen;

unsigned int ulen;

char *p, *user, *style = NULL;

char *user;

/* Get the name of the user that we wish to log in as. */

packet_read_expect(SSH_CMSG_USER);

packet_read_expect(&plen, SSH_CMSG_USER);

/* Get the user name. */

user = packet_get_string(&ulen);

packet_check_eom();

packet_integrity_check(plen, (4 + ulen), SSH_CMSG_USER);

if ((style = strchr(user, ':')) != NULL)

setproctitle("%s", user);

*style++ = '\0';

/* XXX - SSH.com Kerberos v5 braindeath. */

#ifdef AFS

if ((p = strchr(user, '@')) != NULL)

/* If machine has AFS, set process authentication group. */

*p = '\0';

if (k_hasafs()) {

k_setpag();

k_unlog();

}

#endif /* AFS */

authctxt = authctxt_new();

authctxt->user = user;

authctxt->style = style;

/* Verify that the user is a valid user. */

pw = getpwnam(user);

if (pw && allowed_user(pw)) {

authctxt->valid = 1;

/* Take a copy of the returned structure. */

pw = pwcopy(pw);

memset(&pwcopy, 0, sizeof(pwcopy));

pwcopy.pw_name = xstrdup(pw->pw_name);

pwcopy.pw_passwd = xstrdup(pw->pw_passwd);

pwcopy.pw_uid = pw->pw_uid;

pwcopy.pw_gid = pw->pw_gid;

pwcopy.pw_class = xstrdup(pw->pw_class);

pwcopy.pw_dir = xstrdup(pw->pw_dir);

pwcopy.pw_shell = xstrdup(pw->pw_shell);

pw = &pwcopy;

} else {

debug("do_authentication: illegal user %s", user);

pw = NULL;

}

authctxt->pw = pw;

setproctitle("%s", pw ? user : "unknown");

* If we are not running as root, the user must have the same uid as

* the server.

Line 364

Line 390

if (getuid() != 0 && pw && pw->pw_uid != getuid())

packet_disconnect("Cannot change user when server not running as root.");

debug("Attempting authentication for %s%.100s.", pw ? "" : "illegal user ", user);

* Loop until the user has been authenticated or the connection is

* closed, do_authloop() returns only if authentication is successful

do_authloop(authctxt);

/* If the user has no password, accept authentication immediately. */

if (options.password_authentication &&

#ifdef KRB4

(!options.kerberos_authentication || options.kerberos_or_local_passwd) &&

#endif /* KRB4 */

auth_password(pw, "")) {

/* Authentication with empty password succeeded. */

log("Login for user %s from %.100s, accepted without authentication.",

user, get_remote_ipaddr());

} else {

/* Loop until the user has been authenticated or the

connection is closed, do_authloop() returns only if

authentication is successfull */

do_authloop(pw, user);

}

if (pw == NULL)

fatal("internal error, authentication successfull for user '%.100s'", user);

/* The user has been authenticated and accepted. */

packet_start(SSH_SMSG_SUCCESS);

packet_send();

packet_write_wait();

/* Perform session preparation. */

do_authenticated(authctxt);

do_authenticated(pw);

}