version 1.2, 2000/04/27 08:01:25 |
version 1.3, 2000/04/27 15:23:02 |
|
|
void |
void |
input_userauth_request(int type, int plen) |
input_userauth_request(int type, int plen) |
{ |
{ |
static int try = 0; |
static void (*authlog) (const char *fmt,...) = verbose; |
|
static int attempt = 0; |
unsigned int len, rlen; |
unsigned int len, rlen; |
int authenticated = 0; |
int authenticated = 0; |
char *raw, *user, *service, *method; |
char *raw, *user, *service, *method, *authmsg = NULL; |
struct passwd *pw; |
struct passwd *pw; |
|
|
if (++try == AUTH_FAIL_MAX) |
if (++attempt == AUTH_FAIL_MAX) |
packet_disconnect("too many failed userauth_requests"); |
packet_disconnect("too many failed userauth_requests"); |
|
|
raw = packet_get_raw(&rlen); |
raw = packet_get_raw(&rlen); |
|
|
authenticated = ssh2_auth_pubkey(pw, raw, rlen); |
authenticated = ssh2_auth_pubkey(pw, raw, rlen); |
} |
} |
} |
} |
/* XXX check if other auth methods are needed */ |
if (authenticated && pw && pw->pw_uid == 0 && !options.permit_root_login) { |
|
authenticated = 0; |
|
log("ROOT LOGIN REFUSED FROM %.200s", |
|
get_canonical_hostname()); |
|
} |
|
|
|
/* XXX todo: check if multiple auth methods are needed */ |
if (authenticated == 1) { |
if (authenticated == 1) { |
log("userauth success for %s method %s", user, method); |
authmsg = "Accepted"; |
/* turn off userauth */ |
/* turn off userauth */ |
dispatch_set(SSH2_MSG_USERAUTH_REQUEST, &protocol_error); |
dispatch_set(SSH2_MSG_USERAUTH_REQUEST, &protocol_error); |
packet_start(SSH2_MSG_USERAUTH_SUCCESS); |
packet_start(SSH2_MSG_USERAUTH_SUCCESS); |
|
|
/* now we can break out */ |
/* now we can break out */ |
userauth_success = 1; |
userauth_success = 1; |
} else if (authenticated == 0) { |
} else if (authenticated == 0) { |
log("userauth failure for %s method %s", user, method); |
authmsg = "Failed"; |
packet_start(SSH2_MSG_USERAUTH_FAILURE); |
packet_start(SSH2_MSG_USERAUTH_FAILURE); |
packet_put_cstring("publickey,password"); /* XXX dynamic */ |
packet_put_cstring("publickey,password"); /* XXX dynamic */ |
packet_put_char(0); /* XXX partial success, unused */ |
packet_put_char(0); /* XXX partial success, unused */ |
packet_send(); |
packet_send(); |
packet_write_wait(); |
packet_write_wait(); |
} else { |
} else { |
log("userauth postponed for %s method %s", user, method); |
authmsg = "Postponed"; |
} |
} |
|
/* Raise logging level */ |
|
if (authenticated == 1|| |
|
attempt == AUTH_FAIL_LOG || |
|
strcmp(method, "password") == 0) |
|
authlog = log; |
|
|
|
authlog("%s %s for %.200s from %.200s port %d ssh2", |
|
authmsg, |
|
method, |
|
pw && pw->pw_uid == 0 ? "ROOT" : user, |
|
get_remote_ipaddr(), |
|
get_remote_port()); |
|
|
xfree(service); |
xfree(service); |
xfree(user); |
xfree(user); |
xfree(method); |
xfree(method); |
|
|
log("password change not supported"); |
log("password change not supported"); |
password = packet_get_string(&len); |
password = packet_get_string(&len); |
packet_done(); |
packet_done(); |
if (auth_password(pw, password)) |
if (options.password_authentication && |
|
auth_password(pw, password) == 1) |
authenticated = 1; |
authenticated = 1; |
memset(password, 0, len); |
memset(password, 0, len); |
xfree(password); |
xfree(password); |
return authenticated; |
return authenticated; |
} |
} |
|
|
int |
int |
ssh2_auth_pubkey(struct passwd *pw, unsigned char *raw, unsigned int rlen) |
ssh2_auth_pubkey(struct passwd *pw, unsigned char *raw, unsigned int rlen) |
{ |
{ |
|
|
int have_sig; |
int have_sig; |
int authenticated = 0; |
int authenticated = 0; |
|
|
|
if (options.rsa_authentication == 0) { |
|
debug("pubkey auth disabled"); |
|
return 0; |
|
} |
have_sig = packet_get_char(); |
have_sig = packet_get_char(); |
pkalg = packet_get_string(&alen); |
pkalg = packet_get_string(&alen); |
if (strcmp(pkalg, KEX_DSS) != 0) { |
if (strcmp(pkalg, KEX_DSS) != 0) { |
|
|
setproctitle("%s", u); |
setproctitle("%s", u); |
pw = getpwnam(u); |
pw = getpwnam(u); |
if (!pw || !allowed_user(pw)) { |
if (!pw || !allowed_user(pw)) { |
log("auth_set_user: bad user %s", u); |
log("auth_set_user: illegal user %s", u); |
return NULL; |
return NULL; |
} |
} |
copy = &authctxt->pw; |
copy = &authctxt->pw; |
|
|
if (!f) { |
if (!f) { |
/* Restore the privileged uid. */ |
/* Restore the privileged uid. */ |
restore_uid(); |
restore_uid(); |
packet_send_debug("Could not open %.900s for reading.", file); |
|
packet_send_debug("If your home is on an NFS volume, it may need to be world-readable."); |
|
return 0; |
return 0; |
} |
} |
if (options.strict_modes) { |
if (options.strict_modes) { |