version 1.168, 2023/12/18 14:45:49 |
version 1.169, 2024/05/17 00:30:23 |
|
|
if (options.banner == NULL) |
if (options.banner == NULL) |
return; |
return; |
|
|
if ((banner = PRIVSEP(auth2_read_banner())) == NULL) |
if ((banner = mm_auth2_read_banner()) == NULL) |
goto done; |
goto done; |
|
|
if ((r = sshpkt_start(ssh, SSH2_MSG_USERAUTH_BANNER)) != 0 || |
if ((r = sshpkt_start(ssh, SSH2_MSG_USERAUTH_BANNER)) != 0 || |
|
|
auth_maxtries_exceeded(ssh); |
auth_maxtries_exceeded(ssh); |
if (authctxt->attempt++ == 0) { |
if (authctxt->attempt++ == 0) { |
/* setup auth context */ |
/* setup auth context */ |
authctxt->pw = PRIVSEP(getpwnamallow(ssh, user)); |
authctxt->pw = mm_getpwnamallow(ssh, user); |
if (authctxt->pw && strcmp(service, "ssh-connection")==0) { |
if (authctxt->pw && strcmp(service, "ssh-connection")==0) { |
authctxt->valid = 1; |
authctxt->valid = 1; |
debug2_f("setting up authctxt for %s", user); |
debug2_f("setting up authctxt for %s", user); |
|
|
} |
} |
ssh_packet_set_log_preamble(ssh, "%suser %s", |
ssh_packet_set_log_preamble(ssh, "%suser %s", |
authctxt->valid ? "authenticating " : "invalid ", user); |
authctxt->valid ? "authenticating " : "invalid ", user); |
setproctitle("%s%s", authctxt->valid ? user : "unknown", |
setproctitle("%s [net]", authctxt->valid ? user : "unknown"); |
use_privsep ? " [net]" : ""); |
|
authctxt->user = xstrdup(user); |
authctxt->user = xstrdup(user); |
authctxt->service = xstrdup(service); |
authctxt->service = xstrdup(service); |
authctxt->style = style ? xstrdup(style) : NULL; |
authctxt->style = style ? xstrdup(style) : NULL; |
if (use_privsep) |
mm_inform_authserv(service, style); |
mm_inform_authserv(service, style); |
|
userauth_banner(ssh); |
userauth_banner(ssh); |
if ((r = kex_server_update_ext_info(ssh)) != 0) |
if ((r = kex_server_update_ext_info(ssh)) != 0) |
fatal_fr(r, "kex_server_update_ext_info failed"); |
fatal_fr(r, "kex_server_update_ext_info failed"); |
|
|
/* prefer primary authmethod name to possible synonym */ |
/* prefer primary authmethod name to possible synonym */ |
if ((m = authmethod_byname(method)) == NULL) |
if ((m = authmethod_byname(method)) == NULL) |
fatal("INTERNAL ERROR: bad method %s", method); |
fatal("INTERNAL ERROR: bad method %s", method); |
method = m->name; |
method = m->cfg->name; |
} |
} |
|
|
/* Special handling for root */ |
/* Special handling for root */ |
|
|
if ((b = sshbuf_new()) == NULL) |
if ((b = sshbuf_new()) == NULL) |
fatal_f("sshbuf_new failed"); |
fatal_f("sshbuf_new failed"); |
for (i = 0; authmethods[i] != NULL; i++) { |
for (i = 0; authmethods[i] != NULL; i++) { |
if (strcmp(authmethods[i]->name, "none") == 0) |
if (strcmp(authmethods[i]->cfg->name, "none") == 0) |
continue; |
continue; |
if (authmethods[i]->enabled == NULL || |
if (authmethods[i]->cfg->enabled == NULL || |
*(authmethods[i]->enabled) == 0) |
*(authmethods[i]->cfg->enabled) == 0) |
continue; |
continue; |
if (!auth2_method_allowed(authctxt, authmethods[i]->name, |
if (!auth2_method_allowed(authctxt, authmethods[i]->cfg->name, |
NULL)) |
NULL)) |
continue; |
continue; |
if ((r = sshbuf_putf(b, "%s%s", sshbuf_len(b) ? "," : "", |
if ((r = sshbuf_putf(b, "%s%s", sshbuf_len(b) ? "," : "", |
authmethods[i]->name)) != 0) |
authmethods[i]->cfg->name)) != 0) |
fatal_fr(r, "buffer error"); |
fatal_fr(r, "buffer error"); |
} |
} |
if ((list = sshbuf_dup_string(b)) == NULL) |
if ((list = sshbuf_dup_string(b)) == NULL) |
|
|
if (name == NULL) |
if (name == NULL) |
fatal_f("NULL authentication method name"); |
fatal_f("NULL authentication method name"); |
for (i = 0; authmethods[i] != NULL; i++) { |
for (i = 0; authmethods[i] != NULL; i++) { |
if (strcmp(name, authmethods[i]->name) == 0 || |
if (strcmp(name, authmethods[i]->cfg->name) == 0 || |
(authmethods[i]->synonym != NULL && |
(authmethods[i]->cfg->synonym != NULL && |
strcmp(name, authmethods[i]->synonym) == 0)) |
strcmp(name, authmethods[i]->cfg->synonym) == 0)) |
return authmethods[i]; |
return authmethods[i]; |
} |
} |
debug_f("unrecognized authentication method name: %s", name); |
debug_f("unrecognized authentication method name: %s", name); |
|
|
if ((method = authmethod_byname(name)) == NULL) |
if ((method = authmethod_byname(name)) == NULL) |
return NULL; |
return NULL; |
|
|
if (method->enabled == NULL || *(method->enabled) == 0) { |
if (method->cfg->enabled == NULL || *(method->cfg->enabled) == 0) { |
debug3_f("method %s not enabled", name); |
debug3_f("method %s not enabled", name); |
return NULL; |
return NULL; |
} |
} |
if (!auth2_method_allowed(authctxt, method->name, NULL)) { |
if (!auth2_method_allowed(authctxt, method->cfg->name, NULL)) { |
debug3_f("method %s not allowed " |
debug3_f("method %s not allowed " |
"by AuthenticationMethods", name); |
"by AuthenticationMethods", name); |
return NULL; |
return NULL; |
} |
} |
return method; |
return method; |
} |
|
|
|
/* |
|
* Check a comma-separated list of methods for validity. Is need_enable is |
|
* non-zero, then also require that the methods are enabled. |
|
* Returns 0 on success or -1 if the methods list is invalid. |
|
*/ |
|
int |
|
auth2_methods_valid(const char *_methods, int need_enable) |
|
{ |
|
char *methods, *omethods, *method, *p; |
|
u_int i, found; |
|
int ret = -1; |
|
|
|
if (*_methods == '\0') { |
|
error("empty authentication method list"); |
|
return -1; |
|
} |
|
omethods = methods = xstrdup(_methods); |
|
while ((method = strsep(&methods, ",")) != NULL) { |
|
for (found = i = 0; !found && authmethods[i] != NULL; i++) { |
|
if ((p = strchr(method, ':')) != NULL) |
|
*p = '\0'; |
|
if (strcmp(method, authmethods[i]->name) != 0) |
|
continue; |
|
if (need_enable) { |
|
if (authmethods[i]->enabled == NULL || |
|
*(authmethods[i]->enabled) == 0) { |
|
error("Disabled method \"%s\" in " |
|
"AuthenticationMethods list \"%s\"", |
|
method, _methods); |
|
goto out; |
|
} |
|
} |
|
found = 1; |
|
break; |
|
} |
|
if (!found) { |
|
error("Unknown authentication method \"%s\" in list", |
|
method); |
|
goto out; |
|
} |
|
} |
|
ret = 0; |
|
out: |
|
free(omethods); |
|
return ret; |
|
} |
} |
|
|
/* |
/* |
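Review bot: The rewritten accesses `authmethods[i]->cfg->name`, `->cfg->enabled` and `->cfg->synonym`, and `method = m->cfg->name;`, all dereference `cfg` with no check, so every loop over the method table now depends on each entry carrying a non-NULL `cfg`. The name compared in the lookup loop appears to come from the client's request before authentication, so an entry with a missing `cfg` would presumably crash the pre-auth process on the first request instead of failing closed. The struct definition and the table initialisers are not on this page, so the invariant may already hold there; if it does, state it where the table is walked, e.g. `/* every authmethods[] entry must have a non-NULL cfg */`, or check it once at startup. The enclosing functions start and end outside the visible hunks.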