diff options
| author | djm@openbsd.org <djm@openbsd.org> | 2016-08-30 07:50:21 +0000 |
|---|---|---|
| committer | Damien Miller <djm@mindrot.org> | 2016-08-31 10:37:09 +1000 |
| commit | 7fd0ea8a1db4bcfb3d8cd9df149e5d571ebea1f4 (patch) | |
| tree | ded1e2848d5558c65aa471700b1f169853dc4d49 /monitor.c | |
| parent | b38b95f5bcc52278feb839afda2987933f68ff96 (diff) | |
| download | openssh-git-7fd0ea8a1db4bcfb3d8cd9df149e5d571ebea1f4.tar.gz | |
upstream commit
restrict monitor auth calls to be allowed only when their
respective authentication methods are enabled in the configuration.
prompted by Solar Designer; ok markus dtucker
Upstream-ID: 6eb3f89332b3546d41d6dbf5a8e6ff920142b553
Diffstat (limited to 'monitor.c')
| -rw-r--r-- | monitor.c | 20 |
1 files changed, 19 insertions, 1 deletions
@@ -1,4 +1,4 @@ -/* $OpenBSD: monitor.c,v 1.163 2016/08/19 03:18:06 djm Exp $ */ +/* $OpenBSD: monitor.c,v 1.164 2016/08/30 07:50:21 djm Exp $ */ /* * Copyright 2002 Niels Provos <provos@citi.umich.edu> * Copyright 2002 Markus Friedl <markus@openbsd.org> @@ -844,6 +844,8 @@ mm_answer_authpassword(int sock, Buffer *m) int authenticated; u_int plen; + if (!options.password_authentication) + fatal("%s: password authentication not enabled", __func__); passwd = buffer_get_string(m, &plen); /* Only authenticate if the context is valid */ authenticated = options.password_authentication && @@ -880,6 +882,8 @@ mm_answer_bsdauthquery(int sock, Buffer *m) char **prompts; u_int success; + if (!options.kbd_interactive_authentication) + fatal("%s: kbd-int authentication not enabled", __func__); success = bsdauth_query(authctxt, &name, &infotxt, &numprompts, &prompts, &echo_on) < 0 ? 0 : 1; @@ -907,6 +911,8 @@ mm_answer_bsdauthrespond(int sock, Buffer *m) char *response; int authok; + if (!options.kbd_interactive_authentication) + fatal("%s: kbd-int authentication not enabled", __func__); if (authctxt->as == NULL) fatal("%s: no bsd auth session", __func__); @@ -1716,6 +1722,9 @@ mm_answer_gss_setup_ctx(int sock, Buffer *m) OM_uint32 major; u_int len; + if (!options.gss_authentication) + fatal("%s: GSSAPI authentication not enabled", __func__); + goid.elements = buffer_get_string(m, &len); goid.length = len; @@ -1743,6 +1752,9 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m) OM_uint32 flags = 0; /* GSI needs this */ u_int len; + if (!options.gss_authentication) + fatal("%s: GSSAPI authentication not enabled", __func__); + in.value = buffer_get_string(m, &len); in.length = len; major = ssh_gssapi_accept_ctx(gsscontext, &in, &out, &flags); @@ -1771,6 +1783,9 @@ mm_answer_gss_checkmic(int sock, Buffer *m) OM_uint32 ret; u_int len; + if (!options.gss_authentication) + fatal("%s: GSSAPI authentication not enabled", __func__); + gssbuf.value = buffer_get_string(m, &len); gssbuf.length = len; mic.value = buffer_get_string(m, &len); @@ -1797,6 +1812,9 @@ mm_answer_gss_userok(int sock, Buffer *m) { int authenticated; + if (!options.gss_authentication) + fatal("%s: GSSAPI authentication not enabled", __func__); + authenticated = authctxt->valid && ssh_gssapi_userok(authctxt->user); buffer_clear(m); |