src/usr.bin/ssh/monitor.c - diff

Return to monitor.c CVS log

Up to [local] / src / usr.bin / ssh

Diff for /src/usr.bin/ssh/monitor.c between version 1.179 and 1.180

version 1.179, 2018/02/05 05:37:46

version 1.180, 2018/03/03 03:15:51

Line 92

extern Buffer auth_debug;

extern int auth_debug_init;

extern Buffer loginmsg;

extern struct sshauthopt *auth_opts; /* XXX move to permanent ssh->authctxt? */

/* State exported from the child */

static struct sshbuf *child_state;

Line 134

Line 135

static u_char *key_blob = NULL;

static u_int key_bloblen = 0;

static int key_blobtype = MM_NOKEY;

static struct sshauthopt *key_opts = NULL;

static char *hostbased_cuser = NULL;

static char *hostbased_chost = NULL;

static char *auth_method = "unknown";

Line 193

Line 195

struct mon_table *mon_dispatch;

/* Specifies if a certain message is allowed at the moment */

static void

monitor_permit(struct mon_table *ent, enum monitor_reqtype type, int permit)

{

Line 238

Line 239

authctxt = _authctxt;

memset(authctxt, 0, sizeof(*authctxt));

ssh->authctxt = authctxt;

mon_dispatch = mon_dispatch_proto20;

/* Permit requests for moduli and signatures */

Line 270

Line 272

fatal("%s: unexpected authentication from %d",

__func__, ent->type);

if (authctxt->pw->pw_uid == 0 &&

!auth_root_allowed(auth_method))

!auth_root_allowed(ssh, auth_method))

authenticated = 0;

}

if (ent->flags & (MON_AUTHDECIDE|MON_ALOG)) {

Line 292

Line 294

debug("%s: %s has been authenticated by privileged process",

__func__, authctxt->user);

ssh->authctxt = NULL;

ssh_packet_set_log_preamble(ssh, "user %s", authctxt->user);

mm_get_keystate(pmonitor);

Line 337

Line 340

monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);

monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);

if (!no_pty_flag) {

if (auth_opts->permit_pty_flag) {

monitor_permit(mon_dispatch, MONITOR_REQ_PTY, 1);

monitor_permit(mon_dispatch, MONITOR_REQ_PTYCLEANUP, 1);

}

Line 482

Line 485

free(key_blob);

free(hostbased_cuser);

free(hostbased_chost);

sshauthopt_free(key_opts);

key_blob = NULL;

key_bloblen = 0;

key_blobtype = MM_NOKEY;

key_opts = NULL;

hostbased_cuser = NULL;

hostbased_chost = NULL;

}

Line 743

Line 748

int

mm_answer_authpassword(int sock, Buffer *m)

{

struct ssh *ssh = active_state; /* XXX */

static int call_count;

char *passwd;

int authenticated;

Line 753

Line 759

passwd = buffer_get_string(m, &plen);

/* Only authenticate if the context is valid */

authenticated = options.password_authentication &&

auth_password(authctxt, passwd);

auth_password(ssh, passwd);

explicit_bzero(passwd, strlen(passwd));

free(passwd);

Line 838

Line 844

int

mm_answer_keyallowed(int sock, Buffer *m)

{

struct ssh *ssh = active_state; /* XXX */

struct sshkey *key;

char *cuser, *chost;

u_char *blob;

u_int bloblen, pubkey_auth_attempt;

enum mm_keytype type = 0;

int allowed = 0;

int r, allowed = 0;

struct sshauthopt *opts = NULL;

debug3("%s entering", __func__);

type = buffer_get_int(m);

cuser = buffer_get_string(m, NULL);

chost = buffer_get_string(m, NULL);

Line 865

Line 872

switch (type) {

case MM_USERKEY:

allowed = options.pubkey_authentication &&

!auth2_key_already_used(authctxt, key) &&

match_pattern_list(sshkey_ssh_name(key),

options.pubkey_key_types, 0) == 1 &&

user_key_allowed(authctxt->pw, key,

pubkey_auth_attempt);

auth_method = "publickey";

if (options.pubkey_authentication &&

if (!options.pubkey_authentication)

(!pubkey_auth_attempt || allowed != 1))

break;

auth_clear_options();

if (auth2_key_already_used(authctxt, key))

break;

if (match_pattern_list(sshkey_ssh_name(key),

options.pubkey_key_types, 0) != 1)

break;

allowed = user_key_allowed(ssh, authctxt->pw, key,

pubkey_auth_attempt, &opts);

break;

case MM_HOSTKEY:

allowed = options.hostbased_authentication &&

auth_method = "hostbased";

!auth2_key_already_used(authctxt, key) &&

if (!options.hostbased_authentication)

match_pattern_list(sshkey_ssh_name(key),

break;

options.hostbased_key_types, 0) == 1 &&

if (auth2_key_already_used(authctxt, key))

hostbased_key_allowed(authctxt->pw,

break;

if (match_pattern_list(sshkey_ssh_name(key),

options.hostbased_key_types, 0) != 1)

break;

allowed = hostbased_key_allowed(authctxt->pw,

cuser, chost, key);

auth2_record_info(authctxt,

"client user \"%.100s\", client host \"%.100s\"",

cuser, chost);

auth_method = "hostbased";

break;

default:

fatal("%s: unknown key type %d", __func__, type);

Line 894

Line 904

}

debug3("%s: key is %s", __func__, allowed ? "allowed" : "not allowed");

debug3("%s: %s authentication%s: %s key is %s", __func__,

auth_method, pubkey_auth_attempt ? "" : " test",

(key == NULL || !authctxt->valid) ? "invalid" : sshkey_type(key),

allowed ? "allowed" : "not allowed");

auth2_record_key(authctxt, 0, key);

sshkey_free(key);

Line 907

Line 920

key_blob = blob;

key_bloblen = bloblen;

key_blobtype = type;

key_opts = opts;

hostbased_cuser = cuser;

hostbased_chost = chost;

} else {

Line 919

Line 933

buffer_clear(m);

buffer_put_int(m, allowed);

buffer_put_int(m, forced_command != NULL);

if (opts != NULL && (r = sshauthopt_serialise(opts, m, 1)) != 0)

fatal("%s: sshauthopt_serialise: %s", __func__, ssh_err(r));

mm_request_send(sock, MONITOR_ANS_KEYALLOWED, m);

if (!allowed)

sshauthopt_free(opts);

return (0);

}

Line 1045

Line 1062

int

mm_answer_keyverify(int sock, struct sshbuf *m)

{

struct ssh *ssh = active_state; /* XXX */

struct sshkey *key;

u_char *signature, *data, *blob;

char *sigalg;

Line 1099

Line 1117

free(data);

free(sigalg);

if (key_blobtype == MM_USERKEY)

auth_activate_options(ssh, key_opts);

monitor_reset_key_state();

sshkey_free(key);