1 /*
2 * Copyright (c) 2012,2023 Damien Miller <djm@mindrot.org>
3 *
4 * Permission to use, copy, modify, and distribute this software for any
5 * purpose with or without fee is hereby granted, provided that the above
6 * copyright notice and this permission notice appear in all copies.
7 *
8 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
9 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
10 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
11 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
12 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
13 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
14 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
15 */
16
17 #include "includes.h"
18
19 #include <sys/types.h>
20
21 #include <stdlib.h>
22 #include <string.h>
23
24 #include "log.h"
25 #include "misc.h"
26 #include "servconf.h"
27 #include "xmalloc.h"
28 #include "hostfile.h"
29 #include "auth.h"
30
31 extern ServerOptions options;
32
33 /*
34 * Configuration of enabled authentication methods. Separate from the rest of
35 * auth2-*.c because we want to query it during server configuration validity
36 * checking in the sshd listener process without pulling all the auth code in
37 * too.
38 */
39
40 /* "none" is allowed only one time and it is cleared by userauth_none() later */
41 int none_enabled = 1;
42 struct authmethod_cfg methodcfg_none = {
43 "none",
44 NULL,
45 &none_enabled
46 };
47 struct authmethod_cfg methodcfg_pubkey = {
48 "publickey",
49 "publickey-hostbound-v00@openssh.com",
50 &options.pubkey_authentication
51 };
52 #ifdef GSSAPI
53 struct authmethod_cfg methodcfg_gssapi = {
54 "gssapi-with-mic",
55 NULL,
56 &options.gss_authentication
57 };
58 #endif
59 struct authmethod_cfg methodcfg_passwd = {
60 "password",
61 NULL,
62 &options.password_authentication
63 };
64 struct authmethod_cfg methodcfg_kbdint = {
65 "keyboard-interactive",
66 NULL,
67 &options.kbd_interactive_authentication
68 };
69 struct authmethod_cfg methodcfg_hostbased = {
70 "hostbased",
71 NULL,
72 &options.hostbased_authentication
73 };
74
75 static struct authmethod_cfg *authmethod_cfgs[] = {
76 &methodcfg_none,
77 &methodcfg_pubkey,
78 #ifdef GSSAPI
79 &methodcfg_gssapi,
80 #endif
81 &methodcfg_passwd,
82 &methodcfg_kbdint,
83 &methodcfg_hostbased,
84 NULL
85 };
86
87 /*
88 * Check a comma-separated list of methods for validity. If need_enable is
89 * non-zero, then also require that the methods are enabled.
90 * Returns 0 on success or -1 if the methods list is invalid.
91 */
92 int
auth2_methods_valid(const char * _methods,int need_enable)93 auth2_methods_valid(const char *_methods, int need_enable)
94 {
95 char *methods, *omethods, *method, *p;
96 u_int i, found;
97 int ret = -1;
98 const struct authmethod_cfg *cfg;
99
100 if (*_methods == '\0') {
101 error("empty authentication method list");
102 return -1;
103 }
104 omethods = methods = xstrdup(_methods);
105 while ((method = strsep(&methods, ",")) != NULL) {
106 for (found = i = 0; !found && authmethod_cfgs[i] != NULL; i++) {
107 cfg = authmethod_cfgs[i];
108 if ((p = strchr(method, ':')) != NULL)
109 *p = '\0';
110 if (strcmp(method, cfg->name) != 0)
111 continue;
112 if (need_enable) {
113 if (cfg->enabled == NULL ||
114 *(cfg->enabled) == 0) {
115 error("Disabled method \"%s\" in "
116 "AuthenticationMethods list \"%s\"",
117 method, _methods);
118 goto out;
119 }
120 }
121 found = 1;
122 break;
123 }
124 if (!found) {
125 error("Unknown authentication method \"%s\" in list",
126 method);
127 goto out;
128 }
129 }
130 ret = 0;
131 out:
132 free(omethods);
133 return ret;
134 }
135