src/usr.bin/ssh/auth2.c - diff

Return to auth2.c CVS log

Up to [local] / src / usr.bin / ssh

Diff for /src/usr.bin/ssh/auth2.c between version 1.8.2.1 and 1.8.2.2

version 1.8.2.1, 2000/09/01 18:23:17

version 1.8.2.2, 2000/11/08 21:30:25

Line 9

* 2. Redistributions in binary form must reproduce the above copyright

* notice, this list of conditions and the following disclaimer in the

* documentation and/or other materials provided with the distribution.

* 3. All advertising materials mentioning features or use of this software

* must display the following acknowledgement:

* This product includes software developed by Markus Friedl.

* 4. The name of the author may not be used to endorse or promote products

* derived from this software without specific prior written permission.

* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR

* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES

Line 26

Line 21

* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF

* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

#include "includes.h"

RCSID("$OpenBSD$");

Line 39

Line 35

#include "pty.h"

#include "packet.h"

#include "buffer.h"

#include "cipher.h"

#include "servconf.h"

#include "compat.h"

#include "channels.h"

Line 61

Line 56

extern unsigned char *session_id2;

extern int session_id2_len;

static Authctxt *x_authctxt = NULL;

static int one = 1;

typedef struct Authmethod Authmethod;

struct Authmethod {

char *name;

int (*userauth)(Authctxt *authctxt);

int *enabled;

};

/* protocol */

void input_service_request(int type, int plen);

void input_service_request(int type, int plen, void *ctxt);

void input_userauth_request(int type, int plen);

void input_userauth_request(int type, int plen, void *ctxt);

void protocol_error(int type, int plen);

void protocol_error(int type, int plen, void *ctxt);

/* auth */

int ssh2_auth_none(struct passwd *pw);

int ssh2_auth_password(struct passwd *pw);

int ssh2_auth_pubkey(struct passwd *pw, char *service);

/* helper */

struct passwd* auth_set_user(char *u, char *s);

Authmethod *authmethod_lookup(const char *name);

struct passwd *pwcopy(struct passwd *pw);

int user_dsa_key_allowed(struct passwd *pw, Key *key);

char *authmethods_get(void);

typedef struct Authctxt Authctxt;

/* auth */

struct Authctxt {

int userauth_none(Authctxt *authctxt);

char *user;

int userauth_passwd(Authctxt *authctxt);

char *service;

int userauth_pubkey(Authctxt *authctxt);

struct passwd pw;

int userauth_kbdint(Authctxt *authctxt);

int valid;

Authmethod authmethods[] = {

{"none",

userauth_none,

&one},

{"publickey",

userauth_pubkey,

&options.dsa_authentication},

{"keyboard-interactive",

userauth_kbdint,

&options.kbd_interactive_authentication},

{"password",

userauth_passwd,

&options.password_authentication},

{NULL, NULL, NULL}

};

static Authctxt *authctxt = NULL;

static int userauth_success = 0;

* loop until userauth_success == TRUE

* loop until authctxt->success == TRUE

void

do_authentication2()

{

/* turn off skey/kerberos, not supported by SSH2 */

Authctxt *authctxt = xmalloc(sizeof(*authctxt));

#ifdef SKEY

memset(authctxt, 'a', sizeof(*authctxt));

options.skey_authentication = 0;

authctxt->valid = 0;

#endif

authctxt->attempt = 0;

authctxt->success = 0;

x_authctxt = authctxt; /*XXX*/

#ifdef KRB4

/* turn off kerberos, not supported by SSH2 */

options.kerberos_authentication = 0;

#endif

dispatch_init(&protocol_error);

dispatch_set(SSH2_MSG_SERVICE_REQUEST, &input_service_request);

dispatch_run(DISPATCH_BLOCK, &userauth_success);

dispatch_run(DISPATCH_BLOCK, &authctxt->success, authctxt);

do_authenticated2();

}

void

protocol_error(int type, int plen)

protocol_error(int type, int plen, void *ctxt)

{

log("auth: protocol error: type %d plen %d", type, plen);

packet_start(SSH2_MSG_UNIMPLEMENTED);

Line 118

Line 136

}

void

input_service_request(int type, int plen)

input_service_request(int type, int plen, void *ctxt)

{

Authctxt *authctxt = ctxt;

unsigned int len;

int accept = 0;

char *service = packet_get_string(&len);

packet_done();

if (authctxt == NULL)

fatal("input_service_request: no authctxt");

if (strcmp(service, "ssh-userauth") == 0) {

if (!userauth_success) {

if (!authctxt->success) {

accept = 1;

/* now we can handle user-auth requests */

dispatch_set(SSH2_MSG_USERAUTH_REQUEST, &input_userauth_request);

Line 147

Line 169

}

void

input_userauth_request(int type, int plen)

input_userauth_request(int type, int plen, void *ctxt)

{

static void (*authlog) (const char *fmt,...) = verbose;

Authctxt *authctxt = ctxt;

static int attempt = 0;

Authmethod *m = NULL;

unsigned int len;

char *user, *service, *method;

int authenticated = 0;

char *user, *service, *method, *authmsg = NULL;

struct passwd *pw;

if (++attempt == AUTH_FAIL_MAX)

if (authctxt == NULL)

fatal("input_userauth_request: no authctxt");

if (authctxt->attempt++ >= AUTH_FAIL_MAX)

packet_disconnect("too many failed userauth_requests");

user = packet_get_string(&len);

user = packet_get_string(NULL);

service = packet_get_string(&len);

service = packet_get_string(NULL);

method = packet_get_string(&len);

method = packet_get_string(NULL);

debug("userauth-request for user %s service %s method %s", user, service, method);

debug("attempt #%d", authctxt->attempt);

/* XXX we only allow the ssh-connection service */

if (authctxt->attempt == 1) {

pw = auth_set_user(user, service);

/* setup auth context */

if (pw && strcmp(service, "ssh-connection")==0) {

struct passwd *pw = NULL;

if (strcmp(method, "none") == 0) {

setproctitle("%s", user);

authenticated = ssh2_auth_none(pw);

pw = getpwnam(user);

} else if (strcmp(method, "password") == 0) {

if (pw && allowed_user(pw) && strcmp(service, "ssh-connection")==0) {

authenticated = ssh2_auth_password(pw);

authctxt->pw = pwcopy(pw);

} else if (strcmp(method, "publickey") == 0) {

authctxt->valid = 1;

authenticated = ssh2_auth_pubkey(pw, service);

debug2("input_userauth_request: setting up authctxt for %s", user);

} else {

log("input_userauth_request: illegal user %s", user);

}

authctxt->user = xstrdup(user);

authctxt->service = xstrdup(service);

} else if (authctxt->valid) {

if (strcmp(user, authctxt->user) != 0 ||

strcmp(service, authctxt->service) != 0) {

log("input_userauth_request: missmatch: (%s,%s)!=(%s,%s)",

user, service, authctxt->user, authctxt->service);

authctxt->valid = 0;

}

if (authenticated && pw && pw->pw_uid == 0 && !options.permit_root_login) {

m = authmethod_lookup(method);

if (m != NULL) {

debug2("input_userauth_request: try method %s", method);

authenticated = m->userauth(authctxt);

} else {

debug2("input_userauth_request: unsupported method %s", method);

}

if (!authctxt->valid && authenticated == 1) {

log("input_userauth_request: INTERNAL ERROR: authenticated invalid user %s service %s", user, method);

authenticated = 0;

log("ROOT LOGIN REFUSED FROM %.200s",

get_canonical_hostname());

}

/* Special handling for root */

if (authenticated == 1 &&

authctxt->valid && authctxt->pw->pw_uid == 0 && !options.permit_root_login) {

authenticated = 0;

log("ROOT LOGIN REFUSED FROM %.200s", get_canonical_hostname());

}

/* Log before sending the reply */

userauth_log(authctxt, authenticated, method);

userauth_reply(authctxt, authenticated);

xfree(service);

xfree(user);

xfree(method);

}

void

userauth_log(Authctxt *authctxt, int authenticated, char *method)

{

void (*authlog) (const char *fmt,...) = verbose;

char *user = NULL, *authmsg = NULL;

/* Raise logging level */

if (authenticated == 1 ||

attempt == AUTH_FAIL_LOG ||

!authctxt->valid ||

authctxt->attempt >= AUTH_FAIL_LOG ||

strcmp(method, "password") == 0)

authlog = log;

/* Log before sending the reply */

if (authenticated == 1) {

authmsg = "Accepted";

} else if (authenticated == 0) {

Line 195

Line 259

} else {

authmsg = "Postponed";

}

if (authctxt->valid) {

user = authctxt->pw->pw_uid == 0 ? "ROOT" : authctxt->user;

} else {

user = "NOUSER";

}

authlog("%s %s for %.200s from %.200s port %d ssh2",

authmsg,

method,

pw && pw->pw_uid == 0 ? "ROOT" : user,

user,

get_remote_ipaddr(),

get_remote_port());

}

void

userauth_reply(Authctxt *authctxt, int authenticated)

{

/* XXX todo: check if multiple auth methods are needed */

if (authenticated == 1) {

/* turn off userauth */

Line 210

Line 285

packet_send();

packet_write_wait();

/* now we can break out */

userauth_success = 1;

authctxt->success = 1;

} else if (authenticated == 0) {

char *methods = authmethods_get();

packet_start(SSH2_MSG_USERAUTH_FAILURE);

packet_put_cstring("publickey,password"); /* XXX dynamic */

packet_put_cstring(methods);

packet_put_char(0); /* XXX partial success, unused */

packet_send();

packet_write_wait();

xfree(methods);

} else {

/* do nothing, we did already send a reply */

}

xfree(service);

xfree(user);

xfree(method);

}

int

ssh2_auth_none(struct passwd *pw)

userauth_none(Authctxt *authctxt)

{

/* disable method "none", only allowed one time */

Authmethod *m = authmethod_lookup("none");

if (m != NULL)

m->enabled = NULL;

packet_done();

return auth_password(pw, "");

return authctxt->valid ? auth_password(authctxt->pw, "") : 0;

}

int

ssh2_auth_password(struct passwd *pw)

userauth_passwd(Authctxt *authctxt)

{

char *password;

int authenticated = 0;

Line 242

Line 322

log("password change not supported");

password = packet_get_string(&len);

packet_done();

if (options.password_authentication &&

if (authctxt->valid &&

auth_password(pw, password) == 1)

auth_password(authctxt->pw, password) == 1)

authenticated = 1;

memset(password, 0, len);

xfree(password);

return authenticated;

}

int

ssh2_auth_pubkey(struct passwd *pw, char *service)

userauth_kbdint(Authctxt *authctxt)

{

int authenticated = 0;

char *lang = NULL;

char *devs = NULL;

lang = packet_get_string(NULL);

devs = packet_get_string(NULL);

packet_done();

debug("keyboard-interactive language %s devs %s", lang, devs);

#ifdef SKEY

/* XXX hardcoded, we should look at devs */

if (options.skey_authentication != 0)

authenticated = auth2_skey(authctxt);

#endif

xfree(lang);

xfree(devs);

return authenticated;

}

int

userauth_pubkey(Authctxt *authctxt)

{

Buffer b;

Key *key;

char *pkalg, *pkblob, *sig;

Line 259

Line 362

int have_sig;

int authenticated = 0;

if (options.dsa_authentication == 0) {

if (!authctxt->valid) {

debug("pubkey auth disabled");

debug2("userauth_pubkey: disabled because of invalid user");

return 0;

}

have_sig = packet_get_char();

pkalg = packet_get_string(&alen);

if (strcmp(pkalg, KEX_DSS) != 0) {

xfree(pkalg);

log("bad pkalg %s", pkalg); /*XXX*/

xfree(pkalg);

return 0;

}

pkblob = packet_get_string(&blen);

Line 277

Line 380

sig = packet_get_string(&slen);

packet_done();

buffer_init(&b);

if (datafellows & SSH_COMPAT_SESSIONID_ENCODING) {

if (datafellows & SSH_OLD_SESSIONID) {

buffer_put_string(&b, session_id2, session_id2_len);

} else {

buffer_append(&b, session_id2, session_id2_len);

} else {

buffer_put_string(&b, session_id2, session_id2_len);

}

/* reconstruct packet */

buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST);

buffer_put_cstring(&b, pw->pw_name);

buffer_put_cstring(&b, authctxt->user);

buffer_put_cstring(&b,

datafellows & SSH_BUG_PUBKEYAUTH ?

"ssh-userauth" :

service);

authctxt->service);

buffer_put_cstring(&b, "publickey");

buffer_put_char(&b, have_sig);

buffer_put_cstring(&b, KEX_DSS);

Line 297

Line 400

buffer_dump(&b);

#endif

/* test for correct signature */

if (user_dsa_key_allowed(pw, key) &&

if (user_dsa_key_allowed(authctxt->pw, key) &&

dsa_verify(key, sig, slen, buffer_ptr(&b), buffer_len(&b)) == 1)

authenticated = 1;

buffer_clear(&b);

xfree(sig);

} else {

debug("test whether pkalg/pkblob are acceptable");

packet_done();

debug("test key...");

/* test whether pkalg/pkblob are acceptable */

/* XXX fake reply and always send PK_OK ? */

* XXX this allows testing whether a user is allowed

Line 314

Line 417

* if a user is not allowed to login. is this an

* issue? -markus

if (user_dsa_key_allowed(pw, key)) {

if (user_dsa_key_allowed(authctxt->pw, key)) {

packet_start(SSH2_MSG_USERAUTH_PK_OK);

packet_put_string(pkalg, alen);

packet_put_string(pkblob, blen);

Line 323

Line 426

authenticated = -1;

}

if (authenticated != 1)

auth_clear_options();

key_free(key);

}

xfree(pkalg);

Line 330

Line 435

return authenticated;

}

/* set and get current user */

/* get current user */

struct passwd*

auth_get_user(void)

{

return (authctxt != NULL && authctxt->valid) ? &authctxt->pw : NULL;

return (x_authctxt != NULL && x_authctxt->valid) ? x_authctxt->pw : NULL;

}

struct passwd*

#define DELIM ","

auth_set_user(char *u, char *s)

char *

authmethods_get(void)

{

struct passwd *pw, *copy;

Authmethod *method = NULL;

unsigned int size = 0;

char *list;

if (authctxt == NULL) {

for (method = authmethods; method->name != NULL; method++) {

authctxt = xmalloc(sizeof(*authctxt));

if (strcmp(method->name, "none") == 0)

authctxt->valid = 0;

continue;

authctxt->user = xstrdup(u);

if (method->enabled != NULL && *(method->enabled) != 0) {

authctxt->service = xstrdup(s);

if (size != 0)

setproctitle("%s", u);

size += strlen(DELIM);

pw = getpwnam(u);

size += strlen(method->name);

if (!pw || !allowed_user(pw)) {

log("auth_set_user: illegal user %s", u);

return NULL;

}

copy = &authctxt->pw;

}

memset(copy, 0, sizeof(*copy));

size++; /* trailing '\0' */

copy->pw_name = xstrdup(pw->pw_name);

list = xmalloc(size);

copy->pw_passwd = xstrdup(pw->pw_passwd);

list[0] = '\0';

copy->pw_uid = pw->pw_uid;

copy->pw_gid = pw->pw_gid;

for (method = authmethods; method->name != NULL; method++) {

copy->pw_class = xstrdup(pw->pw_class);

if (strcmp(method->name, "none") == 0)

copy->pw_dir = xstrdup(pw->pw_dir);

continue;

copy->pw_shell = xstrdup(pw->pw_shell);

if (method->enabled != NULL && *(method->enabled) != 0) {

authctxt->valid = 1;

if (list[0] != '\0')

} else {

strlcat(list, DELIM, size);

if (strcmp(u, authctxt->user) != 0 ||

strlcat(list, method->name, size);

strcmp(s, authctxt->service) != 0) {

log("auth_set_user: missmatch: (%s,%s)!=(%s,%s)",

u, s, authctxt->user, authctxt->service);

return NULL;

}

return auth_get_user();

return list;

}

Authmethod *

authmethod_lookup(const char *name)

{

Authmethod *method = NULL;

if (name != NULL)

for (method = authmethods; method->name != NULL; method++)

if (method->enabled != NULL &&

*(method->enabled) != 0 &&

strcmp(name, method->name) == 0)

return method;

debug2("Unrecognized authentication method name: %s", name ? name : "NULL");

return NULL;

}

/* return 1 if user allows given key */

int

user_dsa_key_allowed(struct passwd *pw, Key *key)

Line 387

Line 503

struct stat st;

Key *found;

if (pw == NULL)

return 0;

/* Temporarily use the user's uid. */

temporarily_use_uid(pw->pw_uid);

Line 414

Line 533

if (fstat(fileno(f), &st) < 0 ||

(st.st_uid != 0 && st.st_uid != pw->pw_uid) ||

(st.st_mode & 022) != 0) {

snprintf(buf, sizeof buf, "DSA authentication refused for %.100s: "

snprintf(buf, sizeof buf,

"bad ownership or modes for '%s'.", pw->pw_name, file);

"%s authentication refused for %.100s: "

"bad ownership or modes for '%s'.",

key_type(key), pw->pw_name, file);

fail = 1;

} else {

/* Check path to SSH_USER_PERMITTED_KEYS */

Line 430

Line 551

(st.st_uid != 0 && st.st_uid != pw->pw_uid) ||

(st.st_mode & 022) != 0) {

snprintf(buf, sizeof buf,

"DSA authentication refused for %.100s: "

"%s authentication refused for %.100s: "

"bad ownership or modes for '%s'.",

pw->pw_name, line);

key_type(key), pw->pw_name, line);

fail = 1;

break;

}

Line 446

Line 567

}

found_key = 0;

found = key_new(KEY_DSA);

found = key_new(key->type);

while (fgets(line, sizeof(line), f)) {

char *cp, *options = NULL;

Line 489

Line 610

fclose(f);

key_free(found);

return found_key;

}

struct passwd *

pwcopy(struct passwd *pw)

{

struct passwd *copy = xmalloc(sizeof(*copy));

memset(copy, 0, sizeof(*copy));

copy->pw_name = xstrdup(pw->pw_name);

copy->pw_passwd = xstrdup(pw->pw_passwd);

copy->pw_uid = pw->pw_uid;

copy->pw_gid = pw->pw_gid;

copy->pw_class = xstrdup(pw->pw_class);

copy->pw_dir = xstrdup(pw->pw_dir);

copy->pw_shell = xstrdup(pw->pw_shell);

return copy;

}