summaryrefslogtreecommitdiff
path: root/auth2.c
diff options
context:
space:
mode:
authorBen Lindstrom <mouring@eviladmin.org>2001-01-19 04:26:52 +0000
committerBen Lindstrom <mouring@eviladmin.org>2001-01-19 04:26:52 +0000
commitdb65e8fdedadaf79df2d8393a4d43e9094c80649 (patch)
treee5902db5ee2b69f9f3c2fa0dbdeb7f4fc20c68b4 /auth2.c
parent5aa80596f76ce36dee4623a00a55548834c3328d (diff)
Please grep through the source and look for 'ISSUE' comments and verify
that I was able to get all the portable bits in the right location. As for the SKEY comment there is an email out to Markus as to how it should be resolved. Until then I just #ifdef SKEY/#endif out the whole block. - (bal) OpenBSD Resync - markus@cvs.openbsd.org 2001/01/18 16:20:21 [log-client.c log-server.c log.c readconf.c servconf.c ssh.1 ssh.h sshd.8 sshd.c] log() is at pri=LOG_INFO, since LOG_NOTICE goes to /dev/console on many systems - markus@cvs.openbsd.org 2001/01/18 16:59:59 [auth-passwd.c auth.c auth.h auth1.c auth2.c serverloop.c session.c session.h sshconnect1.c] 1) removes fake skey from sshd, since this will be much harder with /usr/libexec/auth/login_XXX 2) share/unify code used in ssh-1 and ssh-2 authentication (server side) 3) make addition of BSD_AUTH and other challenge reponse methods easier. - markus@cvs.openbsd.org 2001/01/18 17:12:43 [auth-chall.c auth2-chall.c] rename *-skey.c *-chall.c since the files are not skey specific
Diffstat (limited to 'auth2.c')
-rw-r--r--auth2.c124
1 files changed, 35 insertions, 89 deletions
diff --git a/auth2.c b/auth2.c
index 3a247f58..348c2f3a 100644
--- a/auth2.c
+++ b/auth2.c
@@ -23,7 +23,7 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: auth2.c,v 1.25 2001/01/08 22:29:05 markus Exp $");
+RCSID("$OpenBSD: auth2.c,v 1.28 2001/01/18 17:00:00 markus Exp $");
#ifdef HAVE_OSF_SIA
# include <sia.h>
@@ -84,7 +84,6 @@ void input_service_request(int type, int plen, void *ctxt);
void input_userauth_request(int type, int plen, void *ctxt);
void protocol_error(int type, int plen, void *ctxt);
-
/* helper */
Authmethod *authmethod_lookup(const char *name);
struct passwd *pwcopy(struct passwd *pw);
@@ -121,22 +120,21 @@ Authmethod authmethods[] = {
void
do_authentication2()
{
- Authctxt *authctxt = xmalloc(sizeof(*authctxt));
- memset(authctxt, 'a', sizeof(*authctxt));
- authctxt->valid = 0;
- authctxt->attempt = 0;
- authctxt->failures = 0;
- authctxt->success = 0;
+ Authctxt *authctxt = authctxt_new();
+
x_authctxt = authctxt; /*XXX*/
-#ifdef KRB4
- /* turn off kerberos, not supported by SSH2 */
- options.kerberos_authentication = 0;
+#ifdef AFS
+ /* If machine has AFS, set process authentication group. */
+ if (k_hasafs()) {
+ k_setpag();
+ k_unlog();
+ }
#endif
dispatch_init(&protocol_error);
dispatch_set(SSH2_MSG_SERVICE_REQUEST, &input_service_request);
dispatch_run(DISPATCH_BLOCK, &authctxt->success, authctxt);
- do_authenticated2();
+ do_authenticated2(authctxt);
}
void
@@ -187,7 +185,7 @@ input_userauth_request(int type, int plen, void *ctxt)
{
Authctxt *authctxt = ctxt;
Authmethod *m = NULL;
- char *user, *service, *method;
+ char *user, *service, *method, *style = NULL;
int authenticated = 0;
if (authctxt == NULL)
@@ -199,6 +197,9 @@ input_userauth_request(int type, int plen, void *ctxt)
debug("userauth-request for user %s service %s method %s", user, service, method);
debug("attempt %d failures %d", authctxt->attempt, authctxt->failures);
+ if ((style = strchr(user, ':')) != NULL)
+ *style++ = 0;
+
if (authctxt->attempt++ == 0) {
/* setup auth context */
struct passwd *pw = NULL;
@@ -216,6 +217,7 @@ input_userauth_request(int type, int plen, void *ctxt)
}
authctxt->user = xstrdup(user);
authctxt->service = xstrdup(service);
+ authctxt->style = style ? xstrdup(style) : NULL; /* currently unused */
} else if (authctxt->valid) {
if (strcmp(user, authctxt->user) != 0 ||
strcmp(service, authctxt->service) != 0) {
@@ -224,25 +226,23 @@ input_userauth_request(int type, int plen, void *ctxt)
authctxt->valid = 0;
}
}
+ /* reset state */
+ dispatch_set(SSH2_MSG_USERAUTH_INFO_RESPONSE, &protocol_error);
+ authctxt->postponed = 0;
+ /* try to authenticate user */
m = authmethod_lookup(method);
if (m != NULL) {
debug2("input_userauth_request: try method %s", method);
authenticated = m->userauth(authctxt);
- } else {
- debug2("input_userauth_request: unsupported method %s", method);
- }
- if (!authctxt->valid && authenticated == 1) {
- log("input_userauth_request: INTERNAL ERROR: authenticated invalid user %s service %s", user, method);
- authenticated = 0;
}
+ if (!authctxt->valid && authenticated)
+ fatal("INTERNAL ERROR: authenticated invalid user %s",
+ authctxt->user);
/* Special handling for root */
- if (authenticated == 1 &&
- authctxt->valid && authctxt->pw->pw_uid == 0 && !options.permit_root_login) {
+ if (authenticated && authctxt->pw->pw_uid == 0 && !auth_root_allowed())
authenticated = 0;
- log("ROOT LOGIN REFUSED FROM %.200s", get_canonical_hostname());
- }
#ifdef USE_PAM
if (authenticated && authctxt->user && !do_pam_account(authctxt->user, NULL))
@@ -250,8 +250,10 @@ input_userauth_request(int type, int plen, void *ctxt)
#endif /* USE_PAM */
/* Log before sending the reply */
- userauth_log(authctxt, authenticated, method);
- userauth_reply(authctxt, authenticated);
+ auth_log(authctxt, authenticated, method, " ssh2");
+
+ if (!authctxt->postponed)
+ userauth_reply(authctxt, authenticated);
xfree(service);
xfree(user);
@@ -292,47 +294,13 @@ done:
return;
}
-void
-userauth_log(Authctxt *authctxt, int authenticated, char *method)
-{
- void (*authlog) (const char *fmt,...) = verbose;
- char *user = NULL, *authmsg = NULL;
-
- /* Raise logging level */
- if (authenticated == 1 ||
- !authctxt->valid ||
- authctxt->failures >= AUTH_FAIL_LOG ||
- strcmp(method, "password") == 0)
- authlog = log;
-
- if (authenticated == 1) {
- authmsg = "Accepted";
- } else if (authenticated == 0) {
- authmsg = "Failed";
- } else {
- authmsg = "Postponed";
- }
-
- if (authctxt->valid) {
- user = authctxt->pw->pw_uid == 0 ? "ROOT" : authctxt->user;
- } else {
- user = "NOUSER";
- }
-
- authlog("%s %s for %.200s from %.200s port %d ssh2",
- authmsg,
- method,
- user,
- get_remote_ipaddr(),
- get_remote_port());
-}
-
void
userauth_reply(Authctxt *authctxt, int authenticated)
{
char *methods;
+
/* XXX todo: check if multiple auth methods are needed */
- if (authenticated == 1) {
+ if (authenticated) {
#ifdef WITH_AIXAUTHENTICATE
/* We don't have a pty yet, so just label the line as "ssh" */
if (loginsuccess(authctxt->user?authctxt->user:"NOUSER",
@@ -346,9 +314,9 @@ userauth_reply(Authctxt *authctxt, int authenticated)
packet_write_wait();
/* now we can break out */
authctxt->success = 1;
- } else if (authenticated == 0) {
- if (authctxt->failures++ >= AUTH_FAIL_MAX)
- packet_disconnect("too many failed userauth_requests");
+ } else {
+ if (authctxt->failures++ > AUTH_FAIL_MAX)
+ packet_disconnect(AUTH_FAIL_MSG, authctxt->user);
methods = authmethods_get();
packet_start(SSH2_MSG_USERAUTH_FAILURE);
packet_put_cstring(methods);
@@ -356,8 +324,6 @@ userauth_reply(Authctxt *authctxt, int authenticated)
packet_send();
packet_write_wait();
xfree(methods);
- } else {
- /* do nothing, we did already send a reply */
}
}
@@ -432,16 +398,13 @@ userauth_kbdint(Authctxt *authctxt)
packet_done();
debug("keyboard-interactive language %s devs %s", lang, devs);
+
+ authenticated = auth2_challenge(authctxt, devs);
+
#ifdef USE_PAM
if (authenticated == 0)
authenticated = auth2_pam(authctxt);
#endif
-#ifdef SKEY
- /* XXX hardcoded, we should look at devs */
- if (authenticated == 0)
- if (options.skey_authentication != 0)
- authenticated = auth2_skey(authctxt);
-#endif
xfree(lang);
xfree(devs);
#ifdef HAVE_CYGWIN
@@ -732,20 +695,3 @@ user_key_allowed(struct passwd *pw, Key *key)
key_free(found);
return found_key;
}
-
-struct passwd *
-pwcopy(struct passwd *pw)
-{
- struct passwd *copy = xmalloc(sizeof(*copy));
- memset(copy, 0, sizeof(*copy));
- copy->pw_name = xstrdup(pw->pw_name);
- copy->pw_passwd = xstrdup(pw->pw_passwd);
- copy->pw_uid = pw->pw_uid;
- copy->pw_gid = pw->pw_gid;
-#ifdef HAVE_PW_CLASS_IN_PASSWD
- copy->pw_class = xstrdup(pw->pw_class);
-#endif
- copy->pw_dir = xstrdup(pw->pw_dir);
- copy->pw_shell = xstrdup(pw->pw_shell);
- return copy;
-}