diff options
author | Damien Miller <djm@mindrot.org> | 2002-03-13 12:47:54 +1100 |
---|---|---|
committer | Damien Miller <djm@mindrot.org> | 2002-03-13 12:47:54 +1100 |
commit | 646e7cf3d7e7d4231c2d97d27c09fe5fe1d749e2 (patch) | |
tree | a693368c47d2d044514878fbb1516f87b487f78b /auth2.c | |
parent | 29bdd2c9bca2737e7a246ed50fd827a6ccba0c61 (diff) | |
download | openssh-git-646e7cf3d7e7d4231c2d97d27c09fe5fe1d749e2.tar.gz |
Import of Niels Provos' 20020312 ssh-complete.diff
PAM, Cygwin and OSF SIA will not work for sure
Diffstat (limited to 'auth2.c')
-rw-r--r-- | auth2.c | 119 |
1 files changed, 80 insertions, 39 deletions
@@ -51,8 +51,13 @@ RCSID("$OpenBSD: auth2.c,v 1.85 2002/02/24 19:14:59 markus Exp $"); #include "hostfile.h" #include "canohost.h" #include "match.h" +#include "monitor.h" +#include "monitor_wrap.h" /* import */ +extern int use_privsep; +extern int mm_recvfd; + extern ServerOptions options; extern u_char *session_id2; extern int session_id2_len; @@ -75,8 +80,8 @@ static void input_userauth_request(int, u_int32_t, void *); /* helper */ static Authmethod *authmethod_lookup(const char *); static char *authmethods_get(void); -static int user_key_allowed(struct passwd *, Key *); -static int hostbased_key_allowed(struct passwd *, const char *, char *, Key *); +int user_key_allowed(struct passwd *, Key *); +int hostbased_key_allowed(struct passwd *, const char *, char *, Key *); /* auth */ static void userauth_banner(void); @@ -109,7 +114,7 @@ Authmethod authmethods[] = { * loop until authctxt->success == TRUE */ -void +Authctxt * do_authentication2(void) { Authctxt *authctxt = authctxt_new(); @@ -125,7 +130,8 @@ do_authentication2(void) dispatch_init(&dispatch_protocol_error); dispatch_set(SSH2_MSG_SERVICE_REQUEST, &input_service_request); dispatch_run(DISPATCH_BLOCK, &authctxt->success, authctxt); - do_authenticated(authctxt); + + return(authctxt); } static void @@ -182,10 +188,15 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt) *style++ = 0; if (authctxt->attempt++ == 0) { - /* setup auth context */ + /* setup auth context */ + int allowed; struct passwd *pw = NULL; - pw = getpwnam(user); - if (pw && allowed_user(pw) && strcmp(service, "ssh-connection")==0) { + if (!use_privsep) { + pw = getpwnam(user); + allowed = pw ? allowed_user(pw) : 0; + } else + pw = mm_getpwnamallow(mm_recvfd, user, &allowed); + if (pw && allowed && strcmp(service, "ssh-connection")==0) { authctxt->pw = pwcopy(pw); authctxt->valid = 1; debug2("input_userauth_request: setting up authctxt for %s", user); @@ -198,10 +209,18 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt) start_pam("NOUSER"); #endif } - setproctitle("%s", pw ? user : "unknown"); + /* Free memory */ + if (use_privsep) + pwfree(pw); + + setproctitle("%s%s", use_privsep ? " [net]" : "", + pw ? user : "unknown"); authctxt->user = xstrdup(user); authctxt->service = xstrdup(service); authctxt->style = style ? xstrdup(style) : NULL; + + if (use_privsep) + mm_inform_authserv(mm_recvfd, service, style); } else if (strcmp(user, authctxt->user) != 0 || strcmp(service, authctxt->service) != 0) { packet_disconnect("Change of username or service not allowed: " @@ -313,6 +332,8 @@ done: static int userauth_none(Authctxt *authctxt) { + int res = 0; + /* disable method "none", only allowed one time */ Authmethod *m = authmethod_lookup("none"); if (m != NULL) @@ -322,18 +343,16 @@ userauth_none(Authctxt *authctxt) if (authctxt->valid == 0) return(0); - -#ifdef HAVE_CYGWIN - if (check_nt_auth(1, authctxt->pw) == 0) - return(0); + if (!authctxt->valid) + return (0); + if (use_privsep) +#if defined(USE_PAM) || defined(HAVE_OSF_SIA) +#error NOT IMPLEMENTED FOR PRIVSEP #endif -#ifdef USE_PAM - return auth_pam_password(authctxt->pw, ""); -#elif defined(HAVE_OSF_SIA) - return 0; -#else /* !HAVE_OSF_SIA && !USE_PAM */ - return auth_password(authctxt, ""); -#endif /* USE_PAM */ + res = mm_auth_password(mm_recvfd, ""); + else + res = auth_password(authctxt, ""); + return (res); } static int @@ -348,18 +367,16 @@ userauth_passwd(Authctxt *authctxt) log("password change not supported"); password = packet_get_string(&len); packet_check_eom(); - if (authctxt->valid && -#ifdef HAVE_CYGWIN - check_nt_auth(1, authctxt->pw) && + +#if defined(HAVE_CYGWIN) || defined(USE_PAM) || defined(HAVE_OSF_SIA) +#error NOT IMPLEMENTED FOR PRIVSEP #endif -#ifdef USE_PAM - auth_pam_password(authctxt->pw, password) == 1) -#elif defined(HAVE_OSF_SIA) - auth_sia_password(authctxt->user, password) == 1) -#else /* !USE_PAM && !HAVE_OSF_SIA */ - auth_password(authctxt, password) == 1) -#endif /* USE_PAM */ - authenticated = 1; + if (authctxt->valid) { + if (use_privsep) + authenticated = mm_auth_password(mm_recvfd, password); + else + authenticated = auth_password(authctxt, password); + } memset(password, 0, len); xfree(password); return authenticated; @@ -467,12 +484,23 @@ userauth_pubkey(Authctxt *authctxt) buffer_dump(&b); #endif /* test for correct signature */ - if (user_key_allowed(authctxt->pw, key) && - key_verify(key, sig, slen, buffer_ptr(&b), buffer_len(&b)) == 1) - authenticated = 1; + authenticated = 0; + if (use_privsep) { + if (mm_user_key_allowed(mm_recvfd, key) && + mm_key_verify(mm_recvfd, + MM_USERKEY, NULL, NULL, key, sig, slen, + buffer_ptr(&b), buffer_len(&b)) == 1) + authenticated = 1; + } else { + if (user_key_allowed(authctxt->pw, key) && + key_verify(key, sig, slen, buffer_ptr(&b), + buffer_len(&b)) == 1) + authenticated = 1; + } buffer_clear(&b); xfree(sig); } else { + int res = 0; debug("test whether pkalg/pkblob are acceptable"); packet_check_eom(); @@ -484,7 +512,11 @@ userauth_pubkey(Authctxt *authctxt) * if a user is not allowed to login. is this an * issue? -markus */ - if (user_key_allowed(authctxt->pw, key)) { + if (use_privsep) + res = mm_user_key_allowed(mm_recvfd, key); + else + res = user_key_allowed(authctxt->pw, key); + if (res) { packet_start(SSH2_MSG_USERAUTH_PK_OK); packet_put_string(pkalg, alen); packet_put_string(pkblob, blen); @@ -572,9 +604,18 @@ userauth_hostbased(Authctxt *authctxt) buffer_dump(&b); #endif /* test for allowed key and correct signature */ - if (hostbased_key_allowed(authctxt->pw, cuser, chost, key) && - key_verify(key, sig, slen, buffer_ptr(&b), buffer_len(&b)) == 1) - authenticated = 1; + authenticated = 0; + if (use_privsep) { + if (mm_hostbased_key_allowed(mm_recvfd, cuser, chost, key) && + mm_key_verify(mm_recvfd, MM_HOSTKEY, cuser, chost, key, + sig, slen, buffer_ptr(&b), buffer_len(&b)) == 1) + authenticated = 1; + } else { + if (hostbased_key_allowed(authctxt->pw, cuser, chost, key) && + key_verify(key, sig, slen, buffer_ptr(&b), + buffer_len(&b)) == 1) + authenticated = 1; + } buffer_clear(&b); done: @@ -730,7 +771,7 @@ user_key_allowed2(struct passwd *pw, Key *key, char *file) } /* check whether given key is in .ssh/authorized_keys* */ -static int +int user_key_allowed(struct passwd *pw, Key *key) { int success; @@ -750,7 +791,7 @@ user_key_allowed(struct passwd *pw, Key *key) } /* return 1 if given hostkey is allowed */ -static int +int hostbased_key_allowed(struct passwd *pw, const char *cuser, char *chost, Key *key) { |