src/usr.bin/ssh/auth2.c - diff

Return to auth2.c CVS log

Up to [local] / src / usr.bin / ssh

Diff for /src/usr.bin/ssh/auth2.c between version 1.56 and 1.56.2.4

version 1.56, 2001/04/19 00:05:11

version 1.56.2.4, 2002/03/09 00:20:44

Line 50

#include "misc.h"

#include "hostfile.h"

#include "canohost.h"

#include "tildexpand.h"

#include "match.h"

/* import */

extern ServerOptions options;

Line 69

/* protocol */

void input_service_request(int type, int plen, void *ctxt);

static void input_service_request(int, u_int32_t, void *);

void input_userauth_request(int type, int plen, void *ctxt);

static void input_userauth_request(int, u_int32_t, void *);

void protocol_error(int type, int plen, void *ctxt);

/* helper */

Authmethod *authmethod_lookup(const char *name);

static Authmethod *authmethod_lookup(const char *);

char *authmethods_get(void);

static char *authmethods_get(void);

int user_key_allowed(struct passwd *pw, Key *key);

static int user_key_allowed(struct passwd *, Key *);

int

static int hostbased_key_allowed(struct passwd *, const char *, char *, Key *);

hostbased_key_allowed(struct passwd *pw, const char *cuser, char *chost,

Key *key);

/* auth */

void userauth_banner(void);

static void userauth_banner(void);

void userauth_reply(Authctxt *authctxt, int authenticated);

static int userauth_none(Authctxt *);

int userauth_none(Authctxt *authctxt);

static int userauth_passwd(Authctxt *);

int userauth_passwd(Authctxt *authctxt);

static int userauth_pubkey(Authctxt *);

int userauth_pubkey(Authctxt *authctxt);

static int userauth_hostbased(Authctxt *);

int userauth_hostbased(Authctxt *authctxt);

static int userauth_kbdint(Authctxt *);

int userauth_kbdint(Authctxt *authctxt);

Authmethod authmethods[] = {

{"none",

Line 114

Line 110

void

do_authentication2()

do_authentication2(void)

{

Authctxt *authctxt = authctxt_new();

x_authctxt = authctxt; /*XXX*/

/* challenge-reponse is implemented via keyboard interactive */

/* challenge-response is implemented via keyboard interactive */

if (options.challenge_reponse_authentication)

if (options.challenge_response_authentication)

options.kbd_interactive_authentication = 1;

dispatch_init(&protocol_error);

dispatch_init(&dispatch_protocol_error);

dispatch_set(SSH2_MSG_SERVICE_REQUEST, &input_service_request);

dispatch_run(DISPATCH_BLOCK, &authctxt->success, authctxt);

do_authenticated(authctxt);

}

void

static void

protocol_error(int type, int plen, void *ctxt)

input_service_request(int type, u_int32_t seq, void *ctxt)

{

log("auth: protocol error: type %d plen %d", type, plen);

packet_start(SSH2_MSG_UNIMPLEMENTED);

packet_put_int(0);

packet_send();

packet_write_wait();

}

void

input_service_request(int type, int plen, void *ctxt)

{

Authctxt *authctxt = ctxt;

u_int len;

int accept = 0;

char *service = packet_get_string(&len);

packet_done();

packet_check_eom();

if (authctxt == NULL)

fatal("input_service_request: no authctxt");

Line 173

Line 159

xfree(service);

}

void

static void

input_userauth_request(int type, int plen, void *ctxt)

input_userauth_request(int type, u_int32_t seq, void *ctxt)

{

Authctxt *authctxt = ctxt;

Authmethod *m = NULL;

Line 207

Line 193

setproctitle("%s", pw ? user : "unknown");

authctxt->user = xstrdup(user);

authctxt->service = xstrdup(service);

authctxt->style = style ? xstrdup(style) : NULL; /* currently unused */

authctxt->style = style ? xstrdup(style) : NULL;

} else if (authctxt->valid) {

} else if (strcmp(user, authctxt->user) != 0 ||

if (strcmp(user, authctxt->user) != 0 ||

strcmp(service, authctxt->service) != 0) {

packet_disconnect("Change of username or service not allowed: "

log("input_userauth_request: mismatch: (%s,%s)!=(%s,%s)",

"(%s,%s) -> (%s,%s)",

user, service, authctxt->user, authctxt->service);

authctxt->user, authctxt->service, user, service);

authctxt->valid = 0;

}

/* reset state */

dispatch_set(SSH2_MSG_USERAUTH_INFO_RESPONSE, &protocol_error);

auth2_challenge_stop(authctxt);

authctxt->postponed = 0;

#ifdef BSD_AUTH

if (authctxt->as) {

auth_close(authctxt->as);

authctxt->as = NULL;

}

#endif

/* try to authenticate user */

m = authmethod_lookup(method);

Line 242

Line 220

void

userauth_finish(Authctxt *authctxt, int authenticated, char *method)

{

char *methods;

if (!authctxt->valid && authenticated)

fatal("INTERNAL ERROR: authenticated invalid user %s",

authctxt->user);

Line 254

Line 234

/* Log before sending the reply */

auth_log(authctxt, authenticated, method, " ssh2");

if (!authctxt->postponed)

if (authctxt->postponed)

userauth_reply(authctxt, authenticated);

return;

/* XXX todo: check if multiple auth methods are needed */

if (authenticated == 1) {

/* turn off userauth */

dispatch_set(SSH2_MSG_USERAUTH_REQUEST, &dispatch_protocol_ignore);

packet_start(SSH2_MSG_USERAUTH_SUCCESS);

packet_send();

packet_write_wait();

/* now we can break out */

authctxt->success = 1;

} else {

if (authctxt->failures++ > AUTH_FAIL_MAX)

packet_disconnect(AUTH_FAIL_MSG, authctxt->user);

methods = authmethods_get();

packet_start(SSH2_MSG_USERAUTH_FAILURE);

packet_put_cstring(methods);

packet_put_char(0); /* XXX partial success, unused */

packet_send();

packet_write_wait();

xfree(methods);

}

void

static void

userauth_banner(void)

{

struct stat st;

Line 289

Line 290

return;

}

void

static int

userauth_reply(Authctxt *authctxt, int authenticated)

{

char *methods;

/* XXX todo: check if multiple auth methods are needed */

if (authenticated == 1) {

/* turn off userauth */

dispatch_set(SSH2_MSG_USERAUTH_REQUEST, &protocol_error);

packet_start(SSH2_MSG_USERAUTH_SUCCESS);

packet_send();

packet_write_wait();

/* now we can break out */

authctxt->success = 1;

} else {

if (authctxt->failures++ > AUTH_FAIL_MAX)

packet_disconnect(AUTH_FAIL_MSG, authctxt->user);

methods = authmethods_get();

packet_start(SSH2_MSG_USERAUTH_FAILURE);

packet_put_cstring(methods);

packet_put_char(0); /* XXX partial success, unused */

packet_send();

packet_write_wait();

xfree(methods);

}

int

userauth_none(Authctxt *authctxt)

{

/* disable method "none", only allowed one time */

Authmethod *m = authmethod_lookup("none");

if (m != NULL)

m->enabled = NULL;

packet_done();

packet_check_eom();

userauth_banner();

return authctxt->valid ? auth_password(authctxt, "") : 0;

}

int

static int

userauth_passwd(Authctxt *authctxt)

{

char *password;

Line 339

Line 313

if (change)

log("password change not supported");

password = packet_get_string(&len);

packet_done();

packet_check_eom();

if (authctxt->valid &&

auth_password(authctxt, password) == 1)

authenticated = 1;

Line 348

Line 322

return authenticated;

}

int

static int

userauth_kbdint(Authctxt *authctxt)

{

int authenticated = 0;

char *lang = NULL;

char *lang, *devs;

char *devs = NULL;

lang = packet_get_string(NULL);

devs = packet_get_string(NULL);

packet_done();

packet_check_eom();

debug("keyboard-interactive language %s devs %s", lang, devs);

debug("keyboard-interactive devs %s", devs);

if (options.challenge_reponse_authentication)

if (options.challenge_response_authentication)

authenticated = auth2_challenge(authctxt, devs);

xfree(lang);

xfree(devs);

xfree(lang);

return authenticated;

}

int

static int

userauth_pubkey(Authctxt *authctxt)

{

Buffer b;

Key *key;

Key *key = NULL;

char *pkalg, *pkblob, *sig;

char *pkalg;

u_char *pkblob, *sig;

u_int alen, blen, slen;

int have_sig, pktype;

int authenticated = 0;

Line 400

Line 374

pktype = key_type_from_name(pkalg);

if (pktype == KEY_UNSPEC) {

/* this is perfectly legal */

log("userauth_pubkey: unsupported public key algorithm: %s", pkalg);

log("userauth_pubkey: unsupported public key algorithm: %s",

xfree(pkalg);

pkalg);

xfree(pkblob);

goto done;

return 0;

}

key = key_from_blob(pkblob, blen);

if (key != NULL) {

if (key == NULL) {

if (have_sig) {

error("userauth_pubkey: cannot decode key: %s", pkalg);

sig = packet_get_string(&slen);

goto done;

packet_done();

}

buffer_init(&b);

if (key->type != pktype) {

if (datafellows & SSH_OLD_SESSIONID) {

error("userauth_pubkey: type mismatch for decoded key "

buffer_append(&b, session_id2, session_id2_len);

"(received %d, expected %d)", key->type, pktype);

} else {

goto done;

buffer_put_string(&b, session_id2, session_id2_len);

}

if (have_sig) {

/* reconstruct packet */

sig = packet_get_string(&slen);

buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST);

packet_check_eom();

buffer_put_cstring(&b, authctxt->user);

buffer_init(&b);

buffer_put_cstring(&b,

if (datafellows & SSH_OLD_SESSIONID) {

datafellows & SSH_BUG_PKSERVICE ?

buffer_append(&b, session_id2, session_id2_len);

"ssh-userauth" :

} else {

authctxt->service);

buffer_put_string(&b, session_id2, session_id2_len);

if (datafellows & SSH_BUG_PKAUTH) {

}

buffer_put_char(&b, have_sig);

/* reconstruct packet */

} else {

buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST);

buffer_put_cstring(&b, "publickey");

buffer_put_cstring(&b, authctxt->user);

buffer_put_char(&b, have_sig);

buffer_put_cstring(&b,

buffer_put_cstring(&b, pkalg);

datafellows & SSH_BUG_PKSERVICE ?

}

"ssh-userauth" :

buffer_put_string(&b, pkblob, blen);

authctxt->service);

if (datafellows & SSH_BUG_PKAUTH) {

buffer_put_char(&b, have_sig);

} else {

buffer_put_cstring(&b, "publickey");

buffer_put_char(&b, have_sig);

buffer_put_cstring(&b, pkalg);

}

buffer_put_string(&b, pkblob, blen);

#ifdef DEBUG_PK

buffer_dump(&b);

#endif

/* test for correct signature */

if (user_key_allowed(authctxt->pw, key) &&

key_verify(key, sig, slen, buffer_ptr(&b), buffer_len(&b)) == 1)

authenticated = 1;

buffer_clear(&b);

xfree(sig);

} else {

debug("test whether pkalg/pkblob are acceptable");

packet_done();

packet_check_eom();

/* XXX fake reply and always send PK_OK ? */

* XXX this allows testing whether a user is allowed

* to login: if you happen to have a valid pubkey this

* message is sent. the message is NEVER sent at all

* if a user is not allowed to login. is this an

* issue? -markus

if (user_key_allowed(authctxt->pw, key)) {

packet_start(SSH2_MSG_USERAUTH_PK_OK);

packet_put_string(pkalg, alen);

packet_put_string(pkblob, blen);

packet_send();

packet_write_wait();

authctxt->postponed = 1;

}

if (authenticated != 1)

auth_clear_options();

key_free(key);

}

if (authenticated != 1)

auth_clear_options();

done:

debug2("userauth_pubkey: authenticated %d pkalg %s", authenticated, pkalg);

if (key != NULL)

key_free(key);

xfree(pkalg);

xfree(pkblob);

return authenticated;

}

int

static int

userauth_hostbased(Authctxt *authctxt)

{

Buffer b;

Key *key;

Key *key = NULL;

char *pkalg, *pkblob, *sig, *cuser, *chost, *service;

char *pkalg, *cuser, *chost, *service;

u_char *pkblob, *sig;

u_int alen, blen, slen;

int pktype;

int authenticated = 0;

Line 509

Line 492

}

key = key_from_blob(pkblob, blen);

if (key == NULL) {

debug("userauth_hostbased: cannot decode key: %s", pkalg);

error("userauth_hostbased: cannot decode key: %s", pkalg);

goto done;

}

if (key->type != pktype) {

error("userauth_hostbased: type mismatch for decoded key "

"(received %d, expected %d)", key->type, pktype);

goto done;

}

service = datafellows & SSH_BUG_HBSERVICE ? "ssh-userauth" :

authctxt->service;

buffer_init(&b);

Line 534

Line 522

authenticated = 1;

buffer_clear(&b);

key_free(key);

done:

debug2("userauth_hostbased: authenticated %d", authenticated);

if (key != NULL)

key_free(key);

xfree(pkalg);

xfree(pkblob);

xfree(cuser);

Line 556

Line 544

#define DELIM ","

char *

static char *

authmethods_get(void)

{

Authmethod *method = NULL;

u_int size = 0;

Buffer b;

char *list;

buffer_init(&b);

for (method = authmethods; method->name != NULL; method++) {

if (strcmp(method->name, "none") == 0)

continue;

if (method->enabled != NULL && *(method->enabled) != 0) {

if (size != 0)

if (buffer_len(&b) > 0)

size += strlen(DELIM);

buffer_append(&b, ",", 1);

size += strlen(method->name);

buffer_append(&b, method->name, strlen(method->name));

}

size++; /* trailing '\0' */

buffer_append(&b, "\0", 1);

list = xmalloc(size);

list = xstrdup(buffer_ptr(&b));

list[0] = '\0';

buffer_free(&b);

for (method = authmethods; method->name != NULL; method++) {

if (strcmp(method->name, "none") == 0)

continue;

if (method->enabled != NULL && *(method->enabled) != 0) {

if (list[0] != '\0')

strlcat(list, DELIM, size);

strlcat(list, method->name, size);

}

return list;

}

Authmethod *

static Authmethod *

authmethod_lookup(const char *name)

{

Authmethod *method = NULL;

Line 603

Line 582

}

/* return 1 if user allows given key */

int

static int

user_key_allowed(struct passwd *pw, Key *key)

user_key_allowed2(struct passwd *pw, Key *key, char *file)

{

char line[8192], file[MAXPATHLEN];

char line[8192];

int found_key = 0;

FILE *f;

u_long linenum = 0;

struct stat st;

Key *found;

char *fp;

if (pw == NULL)

return 0;

Line 619

Line 599

/* Temporarily use the user's uid. */

temporarily_use_uid(pw);

/* The authorized keys. */

debug("trying public key file %s", file);

snprintf(file, sizeof file, "%.500s/%.100s", pw->pw_dir,

_PATH_SSH_USER_PERMITTED_KEYS2);

/* Fail quietly if file does not exist */

if (stat(file, &st) < 0) {

Line 636

Line 614

restore_uid();

return 0;

}

if (options.strict_modes) {

if (options.strict_modes &&

int fail = 0;

secure_filename(f, file, pw, line, sizeof(line)) != 0) {

char buf[1024];

fclose(f);

/* Check open file in order to avoid open/stat races */

log("Authentication refused: %s", line);

if (fstat(fileno(f), &st) < 0 ||

restore_uid();

(st.st_uid != 0 && st.st_uid != pw->pw_uid) ||

return 0;

(st.st_mode & 022) != 0) {

snprintf(buf, sizeof buf,

"%s authentication refused for %.100s: "

"bad ownership or modes for '%s'.",

key_type(key), pw->pw_name, file);

fail = 1;

} else {

/* Check path to _PATH_SSH_USER_PERMITTED_KEYS */

int i;

static const char *check[] = {

"", _PATH_SSH_USER_DIR, NULL

};

for (i = 0; check[i]; i++) {

snprintf(line, sizeof line, "%.500s/%.100s",

pw->pw_dir, check[i]);

if (stat(line, &st) < 0 ||

(st.st_uid != 0 && st.st_uid != pw->pw_uid) ||

(st.st_mode & 022) != 0) {

snprintf(buf, sizeof buf,

"%s authentication refused for %.100s: "

"bad ownership or modes for '%s'.",

key_type(key), pw->pw_name, line);

fail = 1;

break;

}

if (fail) {

fclose(f);

log("%s", buf);

restore_uid();

return 0;

}

found_key = 0;

found = key_new(key->type);

Line 688

Line 634

if (!*cp || *cp == '\n' || *cp == '#')

continue;

if (key_read(found, &cp) == -1) {

if (key_read(found, &cp) != 1) {

/* no key? check if there are options for this key */

int quoted = 0;

debug2("user_key_allowed: check options: '%s'", cp);

Line 702

Line 648

/* Skip remaining whitespace. */

for (; *cp == ' ' || *cp == '\t'; cp++)

;

if (key_read(found, &cp) == -1) {

if (key_read(found, &cp) != 1) {

debug2("user_key_allowed: advance: '%s'", cp);

/* still no key? advance to next line*/

continue;

Line 711

Line 657

if (key_equal(found, key) &&

auth_parse_options(pw, options, file, linenum) == 1) {

found_key = 1;

debug("matching key found: file %s, line %ld",

debug("matching key found: file %s, line %lu",

file, linenum);

fp = key_fingerprint(found, SSH_FP_MD5, SSH_FP_HEX);

verbose("Found matching %s key: %s",

key_type(found), fp);

xfree(fp);

break;

}

Line 724

Line 674

return found_key;

}

/* check whether given key is in .ssh/authorized_keys* */

static int

user_key_allowed(struct passwd *pw, Key *key)

{

int success;

char *file;

file = authorized_keys_file(pw);

success = user_key_allowed2(pw, key, file);

xfree(file);

if (success)

return success;

/* try suffix "2" for backward compat, too */

file = authorized_keys_file2(pw);

success = user_key_allowed2(pw, key, file);

xfree(file);

return success;

}

/* return 1 if given hostkey is allowed */

int

static int

hostbased_key_allowed(struct passwd *pw, const char *cuser, char *chost,

Key *key)

{

Key *found;

const char *resolvedname, *ipaddr, *lookup;

struct stat st;

HostStatus host_status;

char *user_hostfile;

int len;

int host_status, len;

resolvedname = get_canonical_hostname(options.reverse_mapping_check);

resolvedname = get_canonical_hostname(options.verify_reverse_mapping);

ipaddr = get_remote_ipaddr();

debug2("userauth_hostbased: chost %s resolvedname %s ipaddr %s",

Line 760

Line 728

}

debug2("userauth_hostbased: access allowed by auth_rhosts2");

/* XXX this is copied from auth-rh-rsa.c and should be shared */

host_status = check_key_in_hostfiles(pw, key, lookup,

found = key_new(key->type);

_PATH_SSH_SYSTEM_HOSTFILE,

host_status = check_host_in_hostfile(_PATH_SSH_SYSTEM_HOSTFILE2, lookup,

options.ignore_user_known_hosts ? NULL : _PATH_SSH_USER_HOSTFILE);

key, found, NULL);

if (host_status != HOST_OK && !options.ignore_user_known_hosts) {

/* backward compat if no key has been found. */

user_hostfile = tilde_expand_filename(_PATH_SSH_USER_HOSTFILE2,

if (host_status == HOST_NEW)

pw->pw_uid);

host_status = check_key_in_hostfiles(pw, key, lookup,

if (options.strict_modes &&

_PATH_SSH_SYSTEM_HOSTFILE2,

(stat(user_hostfile, &st) == 0) &&

options.ignore_user_known_hosts ? NULL :

((st.st_uid != 0 && st.st_uid != pw->pw_uid) ||

_PATH_SSH_USER_HOSTFILE2);

(st.st_mode & 022) != 0)) {

log("Hostbased authentication refused for %.100s: "

"bad owner or modes for %.200s",

pw->pw_name, user_hostfile);

} else {

temporarily_use_uid(pw);

host_status = check_host_in_hostfile(user_hostfile,

lookup, key, found, NULL);

restore_uid();

}

xfree(user_hostfile);

}

key_free(found);

debug2("userauth_hostbased: key %s for %s", host_status == HOST_OK ?

"ok" : "not found", lookup);

return (host_status == HOST_OK);

}