=================================================================== RCS file: /cvsrepo/anoncvs/cvs/src/usr.bin/ssh/auth2.c,v retrieving revision 1.87 retrieving revision 1.88 diff -u -r1.87 -r1.88 --- src/usr.bin/ssh/auth2.c 2002/03/18 01:12:14 1.87 +++ src/usr.bin/ssh/auth2.c 2002/03/18 17:50:31 1.88 @@ -23,7 +23,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: auth2.c,v 1.87 2002/03/18 01:12:14 provos Exp $"); +RCSID("$OpenBSD: auth2.c,v 1.88 2002/03/18 17:50:31 provos Exp $"); #include @@ -51,13 +51,14 @@ #include "hostfile.h" #include "canohost.h" #include "match.h" +#include "monitor_wrap.h" /* import */ extern ServerOptions options; extern u_char *session_id2; extern int session_id2_len; -static Authctxt *x_authctxt = NULL; +Authctxt *x_authctxt = NULL; static int one = 1; typedef struct Authmethod Authmethod; @@ -75,8 +76,8 @@ /* helper */ static Authmethod *authmethod_lookup(const char *); static char *authmethods_get(void); -static int user_key_allowed(struct passwd *, Key *); -static int hostbased_key_allowed(struct passwd *, const char *, char *, Key *); +int user_key_allowed(struct passwd *, Key *); +int hostbased_key_allowed(struct passwd *, const char *, char *, Key *); /* auth */ static void userauth_banner(void); @@ -183,7 +184,7 @@ if (authctxt->attempt++ == 0) { /* setup auth context */ struct passwd *pw = NULL; - pw = getpwnamallow(user); + pw = PRIVSEP(getpwnamallow(user)); if (pw && strcmp(service, "ssh-connection")==0) { authctxt->pw = pwcopy(pw); authctxt->valid = 1; 
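Review bot: Dropping `static` from `x_authctxt` in the @@ -51 hunk makes the server's authentication-context pointer a writable global symbol, and no matching `extern` declaration in a shared header is visible on this page. The same holds for the `user_key_allowed` and `hostbased_key_allowed` prototypes in the @@ -75 hunk and their definitions in the @@ -676 and @@ -696 hunks, which still sit in the file-local `/* helper */` list. If the code that now calls them (presumably the monitor, given the new `monitor_wrap.h` include) carries its own declarations, a later signature change would compile without a diagnostic; declaring all three once in a header that both files include avoids that. A comment on the variable such as `/* exported for the privsep monitor; written only in auth2.c */` would record why the linkage was widened, once that is confirmed against the other file.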
@@ -191,10 +192,18 @@ } else { log("input_userauth_request: illegal user %s", user); } - setproctitle("%s", pw ? user : "unknown"); + /* Free memory */ + if (use_privsep && pw != NULL) + pwfree(pw); + + setproctitle("%s%s", pw ? user : "unknown", + use_privsep ? " [net]" : ""); authctxt->user = xstrdup(user); authctxt->service = xstrdup(service); authctxt->style = style ? xstrdup(style) : NULL; + + if (use_privsep) + mm_inform_authserv(service, style); } else if (strcmp(user, authctxt->user) != 0 || strcmp(service, authctxt->service) != 0) { packet_disconnect("Change of username or service not allowed: " @@ -300,7 +309,7 @@ m->enabled = NULL; packet_check_eom(); userauth_banner(); - return authctxt->valid ? auth_password(authctxt, "") : 0; + return (authctxt->valid ? PRIVSEP(auth_password(authctxt, "")) : 0); } static int @@ -316,7 +325,7 @@ password = packet_get_string(&len); packet_check_eom(); if (authctxt->valid && - auth_password(authctxt, password) == 1) + PRIVSEP(auth_password(authctxt, password)) == 1) authenticated = 1; memset(password, 0, len); xfree(password); @@ -417,8 +426,10 @@ buffer_dump(&b); #endif /* test for correct signature */ - if (user_key_allowed(authctxt->pw, key) && - key_verify(key, sig, slen, buffer_ptr(&b), buffer_len(&b)) == 1) + authenticated = 0; + if (PRIVSEP(user_key_allowed(authctxt->pw, key)) && + PRIVSEP(key_verify(key, sig, slen, buffer_ptr(&b), + buffer_len(&b))) == 1) authenticated = 1; buffer_clear(&b); xfree(sig); @@ -434,7 +445,7 @@ * if a user is not allowed to login. is this an * issue? -markus */ - if (user_key_allowed(authctxt->pw, key)) { + if (PRIVSEP(user_key_allowed(authctxt->pw, key))) { packet_start(SSH2_MSG_USERAUTH_PK_OK); packet_put_string(pkalg, alen); packet_put_string(pkblob, blen); 
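Review bot: `pw` is still read by `setproctitle("%s%s", pw ? user : "unknown", ...)` after `pwfree(pw)` has already run two lines earlier in the @@ -191 hunk. The ternary only tests the pointer, but the value of a freed pointer is indeterminate in C, and the ordering invites a real use-after-free if a field of `pw` is ever printed here. Moving the `if (use_privsep && pw != NULL) pwfree(pw);` block below the `setproctitle` call keeps the behaviour and removes the stale read. Separately, `mm_inform_authserv(service, style)` receives `style`, which the line above shows can be NULL; whether the callee accepts that is not visible on this page. The enclosing `if (authctxt->attempt++ == 0)` block starts in the previous hunk and the function continues past this one.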
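Review bot: The `memset(password, 0, len)` that follows the check in the @@ -316 hunk now scrubs only this process's copy of the password, because `PRIVSEP(auth_password(authctxt, password))` presumably forwards the string to the monitor when privilege separation is on. The buffers the wrapper uses to carry it are not visible on this page, so the hunk should at least say so, for example `/* privsep: the wrapper and the monitor must clear their own copies */`. A plain `memset` immediately before `xfree` may also be removed by an optimizing compiler, so a scrub the compiler cannot elide is the safer choice on that line. The function begins and ends outside the hunk.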
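Review bot: In the @@ -417 hunk the key check and the signature check become two separate `PRIVSEP(...)` calls whose results are joined with `&&` in this process, so with privilege separation enabled `authenticated = 1` appears to be decided on the unprivileged side. That is only safe if the privileged side keeps its own record: the key given to `key_verify` has to be the one it approved in `user_key_allowed`, and the signed data has to carry the session identifier and user it expects, none of which is visible on this page. A comment above the `if`, such as `/* privsep: result is advisory here; the monitor must re-check key and signed data */`, would make the trust boundary explicit. The same applies to the `hostbased_key_allowed` and `key_verify` pair in the @@ -518 hunk. Both enclosing functions extend beyond their hunks.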
@@ -518,8 +529,10 @@ buffer_dump(&b); #endif /* test for allowed key and correct signature */ - if (hostbased_key_allowed(authctxt->pw, cuser, chost, key) && - key_verify(key, sig, slen, buffer_ptr(&b), buffer_len(&b)) == 1) + authenticated = 0; + if (PRIVSEP(hostbased_key_allowed(authctxt->pw, cuser, chost, key)) && + PRIVSEP(key_verify(key, sig, slen, buffer_ptr(&b), + buffer_len(&b))) == 1) authenticated = 1; buffer_clear(&b); @@ -676,7 +689,7 @@ } /* check whether given key is in .ssh/authorized_keys* */ -static int +int user_key_allowed(struct passwd *pw, Key *key) { int success; @@ -696,7 +709,7 @@ } /* return 1 if given hostkey is allowed */ -static int +int hostbased_key_allowed(struct passwd *pw, const char *cuser, char *chost, Key *key) {