xref: /freebsd/crypto/openssh/auth.c (revision 3d9fd9fcb432750f3716b28f6ccb0104cd9d351a) 
1*3d9fd9fcSEd Maste /* $OpenBSD: auth.c,v 1.162 2024/09/15 01:18:26 djm Exp $ */
2a04a10f8SKris Kennaway /*
3a04a10f8SKris Kennaway  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
4e8aafc91SKris Kennaway  *
5c2d3a559SKris Kennaway  * Redistribution and use in source and binary forms, with or without
6c2d3a559SKris Kennaway  * modification, are permitted provided that the following conditions
7c2d3a559SKris Kennaway  * are met:
8c2d3a559SKris Kennaway  * 1. Redistributions of source code must retain the above copyright
9c2d3a559SKris Kennaway  *    notice, this list of conditions and the following disclaimer.
10c2d3a559SKris Kennaway  * 2. Redistributions in binary form must reproduce the above copyright
11c2d3a559SKris Kennaway  *    notice, this list of conditions and the following disclaimer in the
12c2d3a559SKris Kennaway  *    documentation and/or other materials provided with the distribution.
13c2d3a559SKris Kennaway  *
14c2d3a559SKris Kennaway  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
15c2d3a559SKris Kennaway  * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
16c2d3a559SKris Kennaway  * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
17c2d3a559SKris Kennaway  * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
18c2d3a559SKris Kennaway  * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
19c2d3a559SKris Kennaway  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
20c2d3a559SKris Kennaway  * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
21c2d3a559SKris Kennaway  * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
22c2d3a559SKris Kennaway  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
23c2d3a559SKris Kennaway  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
24a04a10f8SKris Kennaway  */
25a04a10f8SKris Kennaway 
26a04a10f8SKris Kennaway #include "includes.h"
27a04a10f8SKris Kennaway 
28333ee039SDag-Erling Smørgrav #include <sys/types.h>
29333ee039SDag-Erling Smørgrav #include <sys/stat.h>
30076ad2f8SDag-Erling Smørgrav #include <sys/socket.h>
3147dd1d1bSDag-Erling Smørgrav #include <sys/wait.h>
32333ee039SDag-Erling Smørgrav 
33333ee039SDag-Erling Smørgrav #include <netinet/in.h>
34333ee039SDag-Erling Smørgrav 
3519261079SEd Maste #include <stdlib.h>
36333ee039SDag-Erling Smørgrav #include <errno.h>
37d4af9e69SDag-Erling Smørgrav #include <fcntl.h>
38333ee039SDag-Erling Smørgrav #ifdef HAVE_PATHS_H
39333ee039SDag-Erling Smørgrav # include <paths.h>
40333ee039SDag-Erling Smørgrav #endif
41333ee039SDag-Erling Smørgrav #include <pwd.h>
42989dd127SDag-Erling Smørgrav #ifdef HAVE_LOGIN_H
43989dd127SDag-Erling Smørgrav #include <login.h>
44989dd127SDag-Erling Smørgrav #endif
451ec0d754SDag-Erling Smørgrav #ifdef USE_SHADOW
46989dd127SDag-Erling Smørgrav #include <shadow.h>
471ec0d754SDag-Erling Smørgrav #endif
48333ee039SDag-Erling Smørgrav #include <stdarg.h>
49333ee039SDag-Erling Smørgrav #include <stdio.h>
50333ee039SDag-Erling Smørgrav #include <string.h>
51d4af9e69SDag-Erling Smørgrav #include <unistd.h>
52bc5531deSDag-Erling Smørgrav #include <limits.h>
53076ad2f8SDag-Erling Smørgrav #include <netdb.h>
5419261079SEd Maste #include <time.h>
55af12a3e7SDag-Erling Smørgrav 
56a04a10f8SKris Kennaway #include "xmalloc.h"
57a04a10f8SKris Kennaway #include "match.h"
58ca3176e7SBrian Feldman #include "groupaccess.h"
59ca3176e7SBrian Feldman #include "log.h"
60190cef3dSDag-Erling Smørgrav #include "sshbuf.h"
61a0ee8cc6SDag-Erling Smørgrav #include "misc.h"
62ca3176e7SBrian Feldman #include "servconf.h"
63190cef3dSDag-Erling Smørgrav #include "sshkey.h"
64333ee039SDag-Erling Smørgrav #include "hostfile.h"
65a04a10f8SKris Kennaway #include "auth.h"
66ca3176e7SBrian Feldman #include "auth-options.h"
67ca3176e7SBrian Feldman #include "canohost.h"
68af12a3e7SDag-Erling Smørgrav #include "uidswap.h"
6980628bacSDag-Erling Smørgrav #include "packet.h"
70aa49c926SDag-Erling Smørgrav #include "loginrec.h"
71333ee039SDag-Erling Smørgrav #ifdef GSSAPI
72333ee039SDag-Erling Smørgrav #include "ssh-gss.h"
73333ee039SDag-Erling Smørgrav #endif
74b15c8340SDag-Erling Smørgrav #include "authfile.h"
75aa49c926SDag-Erling Smørgrav #include "monitor_wrap.h"
76bc5531deSDag-Erling Smørgrav #include "ssherr.h"
7747dd1d1bSDag-Erling Smørgrav #include "channels.h"
78b2af61ecSKurt Lidl #include "blacklist_client.h"
79a04a10f8SKris Kennaway 
80a04a10f8SKris Kennaway /* import */
81a04a10f8SKris Kennaway extern ServerOptions options;
8219261079SEd Maste extern struct include_list includes;
83190cef3dSDag-Erling Smørgrav extern struct sshbuf *loginmsg;
84333ee039SDag-Erling Smørgrav extern struct passwd *privsep_pw;
8547dd1d1bSDag-Erling Smørgrav extern struct sshauthopt *auth_opts;
86a04a10f8SKris Kennaway 
8780628bacSDag-Erling Smørgrav /* Debugging messages */
88190cef3dSDag-Erling Smørgrav static struct sshbuf *auth_debug;
8980628bacSDag-Erling Smørgrav 
90a04a10f8SKris Kennaway /*
91ca3176e7SBrian Feldman  * Check if the user is allowed to log in via ssh. If user is listed
92ca3176e7SBrian Feldman  * in DenyUsers or one of user's groups is listed in DenyGroups, false
93ca3176e7SBrian Feldman  * will be returned. If AllowUsers isn't empty and user isn't listed
94ca3176e7SBrian Feldman  * there, or if AllowGroups isn't empty and one of user's groups isn't
95ca3176e7SBrian Feldman  * listed there, false will be returned.
96a04a10f8SKris Kennaway  * If the user's shell is not executable, false will be returned.
97a04a10f8SKris Kennaway  * Otherwise true is returned.
98a04a10f8SKris Kennaway  */
99a04a10f8SKris Kennaway int
allowed_user(struct ssh * ssh,struct passwd * pw)10019261079SEd Maste allowed_user(struct ssh *ssh, struct passwd * pw)
101a04a10f8SKris Kennaway {
102a04a10f8SKris Kennaway 	struct stat st;
10387c1498dSEd Maste 	const char *hostname = NULL, *ipaddr = NULL;
104d4ecd108SDag-Erling Smørgrav 	u_int i;
105ca86bcf2SDag-Erling Smørgrav 	int r;
106a04a10f8SKris Kennaway 
107a04a10f8SKris Kennaway 	/* Shouldn't be called if pw is NULL, but better safe than sorry... */
108ca3176e7SBrian Feldman 	if (!pw || !pw->pw_name)
109a04a10f8SKris Kennaway 		return 0;
110a04a10f8SKris Kennaway 
11187c1498dSEd Maste 	if (!options.use_pam && platform_locked_account(pw)) {
112cf2b5f3bSDag-Erling Smørgrav 		logit("User %.100s not allowed because account is locked",
113cf2b5f3bSDag-Erling Smørgrav 		    pw->pw_name);
114cf2b5f3bSDag-Erling Smørgrav 		return 0;
115cf2b5f3bSDag-Erling Smørgrav 	}
116cf2b5f3bSDag-Erling Smørgrav 
117c322fe35SKris Kennaway 	/*
118b15c8340SDag-Erling Smørgrav 	 * Deny if shell does not exist or is not executable unless we
119b15c8340SDag-Erling Smørgrav 	 * are chrooting.
120c322fe35SKris Kennaway 	 */
121b15c8340SDag-Erling Smørgrav 	if (options.chroot_directory == NULL ||
122b15c8340SDag-Erling Smørgrav 	    strcasecmp(options.chroot_directory, "none") == 0) {
123b15c8340SDag-Erling Smørgrav 		char *shell = xstrdup((pw->pw_shell[0] == '\0') ?
124b15c8340SDag-Erling Smørgrav 		    _PATH_BSHELL : pw->pw_shell); /* empty = /bin/sh */
125c322fe35SKris Kennaway 
12619261079SEd Maste 		if (stat(shell, &st) == -1) {
127b15c8340SDag-Erling Smørgrav 			logit("User %.100s not allowed because shell %.100s "
128b15c8340SDag-Erling Smørgrav 			    "does not exist", pw->pw_name, shell);
129e4a9863fSDag-Erling Smørgrav 			free(shell);
130a04a10f8SKris Kennaway 			return 0;
131af12a3e7SDag-Erling Smørgrav 		}
13280628bacSDag-Erling Smørgrav 		if (S_ISREG(st.st_mode) == 0 ||
13380628bacSDag-Erling Smørgrav 		    (st.st_mode & (S_IXOTH|S_IXUSR|S_IXGRP)) == 0) {
134b15c8340SDag-Erling Smørgrav 			logit("User %.100s not allowed because shell %.100s "
135b15c8340SDag-Erling Smørgrav 			    "is not executable", pw->pw_name, shell);
136e4a9863fSDag-Erling Smørgrav 			free(shell);
137a04a10f8SKris Kennaway 			return 0;
138af12a3e7SDag-Erling Smørgrav 		}
139e4a9863fSDag-Erling Smørgrav 		free(shell);
140b15c8340SDag-Erling Smørgrav 	}
141af12a3e7SDag-Erling Smørgrav 
142aa49c926SDag-Erling Smørgrav 	if (options.num_deny_users > 0 || options.num_allow_users > 0 ||
143aa49c926SDag-Erling Smørgrav 	    options.num_deny_groups > 0 || options.num_allow_groups > 0) {
144076ad2f8SDag-Erling Smørgrav 		hostname = auth_get_canonical_hostname(ssh, options.use_dns);
145076ad2f8SDag-Erling Smørgrav 		ipaddr = ssh_remote_ipaddr(ssh);
146af12a3e7SDag-Erling Smørgrav 	}
147a04a10f8SKris Kennaway 
148a04a10f8SKris Kennaway 	/* Return false if user is listed in DenyUsers */
149a04a10f8SKris Kennaway 	if (options.num_deny_users > 0) {
150ca86bcf2SDag-Erling Smørgrav 		for (i = 0; i < options.num_deny_users; i++) {
151ca86bcf2SDag-Erling Smørgrav 			r = match_user(pw->pw_name, hostname, ipaddr,
152ca86bcf2SDag-Erling Smørgrav 			    options.deny_users[i]);
153ca86bcf2SDag-Erling Smørgrav 			if (r < 0) {
154ca86bcf2SDag-Erling Smørgrav 				fatal("Invalid DenyUsers pattern \"%.100s\"",
155ca86bcf2SDag-Erling Smørgrav 				    options.deny_users[i]);
156ca86bcf2SDag-Erling Smørgrav 			} else if (r != 0) {
157aa49c926SDag-Erling Smørgrav 				logit("User %.100s from %.100s not allowed "
158aa49c926SDag-Erling Smørgrav 				    "because listed in DenyUsers",
159aa49c926SDag-Erling Smørgrav 				    pw->pw_name, hostname);
160a04a10f8SKris Kennaway 				return 0;
161a04a10f8SKris Kennaway 			}
162af12a3e7SDag-Erling Smørgrav 		}
163ca86bcf2SDag-Erling Smørgrav 	}
164a04a10f8SKris Kennaway 	/* Return false if AllowUsers isn't empty and user isn't listed there */
165a04a10f8SKris Kennaway 	if (options.num_allow_users > 0) {
166ca86bcf2SDag-Erling Smørgrav 		for (i = 0; i < options.num_allow_users; i++) {
167ca86bcf2SDag-Erling Smørgrav 			r = match_user(pw->pw_name, hostname, ipaddr,
168ca86bcf2SDag-Erling Smørgrav 			    options.allow_users[i]);
169ca86bcf2SDag-Erling Smørgrav 			if (r < 0) {
170ca86bcf2SDag-Erling Smørgrav 				fatal("Invalid AllowUsers pattern \"%.100s\"",
171ca86bcf2SDag-Erling Smørgrav 				    options.allow_users[i]);
172ca86bcf2SDag-Erling Smørgrav 			} else if (r == 1)
173a04a10f8SKris Kennaway 				break;
174ca86bcf2SDag-Erling Smørgrav 		}
175a04a10f8SKris Kennaway 		/* i < options.num_allow_users iff we break for loop */
176af12a3e7SDag-Erling Smørgrav 		if (i >= options.num_allow_users) {
177aa49c926SDag-Erling Smørgrav 			logit("User %.100s from %.100s not allowed because "
178aa49c926SDag-Erling Smørgrav 			    "not listed in AllowUsers", pw->pw_name, hostname);
179a04a10f8SKris Kennaway 			return 0;
180a04a10f8SKris Kennaway 		}
181af12a3e7SDag-Erling Smørgrav 	}
182a04a10f8SKris Kennaway 	if (options.num_deny_groups > 0 || options.num_allow_groups > 0) {
183ca3176e7SBrian Feldman 		/* Get the user's group access list (primary and supplementary) */
184af12a3e7SDag-Erling Smørgrav 		if (ga_init(pw->pw_name, pw->pw_gid) == 0) {
185aa49c926SDag-Erling Smørgrav 			logit("User %.100s from %.100s not allowed because "
186aa49c926SDag-Erling Smørgrav 			    "not in any group", pw->pw_name, hostname);
187a04a10f8SKris Kennaway 			return 0;
188af12a3e7SDag-Erling Smørgrav 		}
189a04a10f8SKris Kennaway 
190ca3176e7SBrian Feldman 		/* Return false if one of user's groups is listed in DenyGroups */
191ca3176e7SBrian Feldman 		if (options.num_deny_groups > 0)
192ca3176e7SBrian Feldman 			if (ga_match(options.deny_groups,
193ca3176e7SBrian Feldman 			    options.num_deny_groups)) {
194ca3176e7SBrian Feldman 				ga_free();
195aa49c926SDag-Erling Smørgrav 				logit("User %.100s from %.100s not allowed "
196aa49c926SDag-Erling Smørgrav 				    "because a group is listed in DenyGroups",
197aa49c926SDag-Erling Smørgrav 				    pw->pw_name, hostname);
198a04a10f8SKris Kennaway 				return 0;
199a04a10f8SKris Kennaway 			}
200a04a10f8SKris Kennaway 		/*
201ca3176e7SBrian Feldman 		 * Return false if AllowGroups isn't empty and one of user's groups
202a04a10f8SKris Kennaway 		 * isn't listed there
203a04a10f8SKris Kennaway 		 */
204ca3176e7SBrian Feldman 		if (options.num_allow_groups > 0)
205ca3176e7SBrian Feldman 			if (!ga_match(options.allow_groups,
206ca3176e7SBrian Feldman 			    options.num_allow_groups)) {
207ca3176e7SBrian Feldman 				ga_free();
208aa49c926SDag-Erling Smørgrav 				logit("User %.100s from %.100s not allowed "
209aa49c926SDag-Erling Smørgrav 				    "because none of user's groups are listed "
210aa49c926SDag-Erling Smørgrav 				    "in AllowGroups", pw->pw_name, hostname);
211a04a10f8SKris Kennaway 				return 0;
212a04a10f8SKris Kennaway 			}
213ca3176e7SBrian Feldman 		ga_free();
214a04a10f8SKris Kennaway 	}
215989dd127SDag-Erling Smørgrav 
21621e764dfSDag-Erling Smørgrav #ifdef CUSTOM_SYS_AUTH_ALLOWED_USER
21719261079SEd Maste 	if (!sys_auth_allowed_user(pw, loginmsg))
218989dd127SDag-Erling Smørgrav 		return 0;
21921e764dfSDag-Erling Smørgrav #endif
220989dd127SDag-Erling Smørgrav 
221a04a10f8SKris Kennaway 	/* We found no reason not to let this user try to log on... */
222a04a10f8SKris Kennaway 	return 1;
223a04a10f8SKris Kennaway }
224ca3176e7SBrian Feldman 
2254f52dfbbSDag-Erling Smørgrav /*
2264f52dfbbSDag-Erling Smørgrav  * Formats any key left in authctxt->auth_method_key for inclusion in
2274f52dfbbSDag-Erling Smørgrav  * auth_log()'s message. Also includes authxtct->auth_method_info if present.
2284f52dfbbSDag-Erling Smørgrav  */
2294f52dfbbSDag-Erling Smørgrav static char *
format_method_key(Authctxt * authctxt)2304f52dfbbSDag-Erling Smørgrav format_method_key(Authctxt *authctxt)
231e4a9863fSDag-Erling Smørgrav {
2324f52dfbbSDag-Erling Smørgrav 	const struct sshkey *key = authctxt->auth_method_key;
2334f52dfbbSDag-Erling Smørgrav 	const char *methinfo = authctxt->auth_method_info;
2342f513db7SEd Maste 	char *fp, *cafp, *ret = NULL;
235e4a9863fSDag-Erling Smørgrav 
2364f52dfbbSDag-Erling Smørgrav 	if (key == NULL)
2374f52dfbbSDag-Erling Smørgrav 		return NULL;
238e4a9863fSDag-Erling Smørgrav 
239190cef3dSDag-Erling Smørgrav 	if (sshkey_is_cert(key)) {
2402f513db7SEd Maste 		fp = sshkey_fingerprint(key,
2414f52dfbbSDag-Erling Smørgrav 		    options.fingerprint_hash, SSH_FP_DEFAULT);
2422f513db7SEd Maste 		cafp = sshkey_fingerprint(key->cert->signature_key,
2432f513db7SEd Maste 		    options.fingerprint_hash, SSH_FP_DEFAULT);
2442f513db7SEd Maste 		xasprintf(&ret, "%s %s ID %s (serial %llu) CA %s %s%s%s",
2452f513db7SEd Maste 		    sshkey_type(key), fp == NULL ? "(null)" : fp,
2462f513db7SEd Maste 		    key->cert->key_id,
2474f52dfbbSDag-Erling Smørgrav 		    (unsigned long long)key->cert->serial,
2484f52dfbbSDag-Erling Smørgrav 		    sshkey_type(key->cert->signature_key),
2492f513db7SEd Maste 		    cafp == NULL ? "(null)" : cafp,
2504f52dfbbSDag-Erling Smørgrav 		    methinfo == NULL ? "" : ", ",
2514f52dfbbSDag-Erling Smørgrav 		    methinfo == NULL ? "" : methinfo);
2524f52dfbbSDag-Erling Smørgrav 		free(fp);
2532f513db7SEd Maste 		free(cafp);
2544f52dfbbSDag-Erling Smørgrav 	} else {
2554f52dfbbSDag-Erling Smørgrav 		fp = sshkey_fingerprint(key, options.fingerprint_hash,
2564f52dfbbSDag-Erling Smørgrav 		    SSH_FP_DEFAULT);
2574f52dfbbSDag-Erling Smørgrav 		xasprintf(&ret, "%s %s%s%s", sshkey_type(key),
2584f52dfbbSDag-Erling Smørgrav 		    fp == NULL ? "(null)" : fp,
2594f52dfbbSDag-Erling Smørgrav 		    methinfo == NULL ? "" : ", ",
2604f52dfbbSDag-Erling Smørgrav 		    methinfo == NULL ? "" : methinfo);
2614f52dfbbSDag-Erling Smørgrav 		free(fp);
2624f52dfbbSDag-Erling Smørgrav 	}
2634f52dfbbSDag-Erling Smørgrav 	return ret;
264e4a9863fSDag-Erling Smørgrav }
265e4a9863fSDag-Erling Smørgrav 
266e4a9863fSDag-Erling Smørgrav void
auth_log(struct ssh * ssh,int authenticated,int partial,const char * method,const char * submethod)26719261079SEd Maste auth_log(struct ssh *ssh, int authenticated, int partial,
268e4a9863fSDag-Erling Smørgrav     const char *method, const char *submethod)
269ca3176e7SBrian Feldman {
27019261079SEd Maste 	Authctxt *authctxt = (Authctxt *)ssh->authctxt;
2712f513db7SEd Maste 	int level = SYSLOG_LEVEL_VERBOSE;
2724f52dfbbSDag-Erling Smørgrav 	const char *authmsg;
2734f52dfbbSDag-Erling Smørgrav 	char *extra = NULL;
274ca3176e7SBrian Feldman 
2750fdf8faeSEd Maste 	if (!mm_is_monitor() && !authctxt->postponed)
276333ee039SDag-Erling Smørgrav 		return;
277333ee039SDag-Erling Smørgrav 
278ca3176e7SBrian Feldman 	/* Raise logging level */
279ca3176e7SBrian Feldman 	if (authenticated == 1 ||
280ca3176e7SBrian Feldman 	    !authctxt->valid ||
28121e764dfSDag-Erling Smørgrav 	    authctxt->failures >= options.max_authtries / 2 ||
282ca3176e7SBrian Feldman 	    strcmp(method, "password") == 0)
2832f513db7SEd Maste 		level = SYSLOG_LEVEL_INFO;
284ca3176e7SBrian Feldman 
285ca3176e7SBrian Feldman 	if (authctxt->postponed)
286ca3176e7SBrian Feldman 		authmsg = "Postponed";
2876888a9beSDag-Erling Smørgrav 	else if (partial)
2886888a9beSDag-Erling Smørgrav 		authmsg = "Partial";
289b2af61ecSKurt Lidl 	else {
290ca3176e7SBrian Feldman 		authmsg = authenticated ? "Accepted" : "Failed";
2915057f656SKurt Lidl 		if (authenticated)
2920f9bafdfSEd Maste 			BLACKLIST_NOTIFY(ssh, BLACKLIST_AUTH_OK, "ssh");
293b2af61ecSKurt Lidl 	}
294ca3176e7SBrian Feldman 
2954f52dfbbSDag-Erling Smørgrav 	if ((extra = format_method_key(authctxt)) == NULL) {
2964f52dfbbSDag-Erling Smørgrav 		if (authctxt->auth_method_info != NULL)
2974f52dfbbSDag-Erling Smørgrav 			extra = xstrdup(authctxt->auth_method_info);
2984f52dfbbSDag-Erling Smørgrav 	}
2994f52dfbbSDag-Erling Smørgrav 
3002f513db7SEd Maste 	do_log2(level, "%s %s%s%s for %s%.100s from %.200s port %d ssh2%s%s",
301ca3176e7SBrian Feldman 	    authmsg,
302ca3176e7SBrian Feldman 	    method,
3036888a9beSDag-Erling Smørgrav 	    submethod != NULL ? "/" : "", submethod == NULL ? "" : submethod,
30421e764dfSDag-Erling Smørgrav 	    authctxt->valid ? "" : "invalid user ",
305af12a3e7SDag-Erling Smørgrav 	    authctxt->user,
306076ad2f8SDag-Erling Smørgrav 	    ssh_remote_ipaddr(ssh),
307076ad2f8SDag-Erling Smørgrav 	    ssh_remote_port(ssh),
3084f52dfbbSDag-Erling Smørgrav 	    extra != NULL ? ": " : "",
3094f52dfbbSDag-Erling Smørgrav 	    extra != NULL ? extra : "");
3104f52dfbbSDag-Erling Smørgrav 
3114f52dfbbSDag-Erling Smørgrav 	free(extra);
312f388f5efSDag-Erling Smørgrav 
31319261079SEd Maste #if defined(CUSTOM_FAILED_LOGIN) || defined(SSH_AUDIT_EVENTS)
31419261079SEd Maste 	if (authenticated == 0 && !(authctxt->postponed || partial)) {
31519261079SEd Maste 		/* Log failed login attempt */
316cf2b5f3bSDag-Erling Smørgrav # ifdef CUSTOM_FAILED_LOGIN
31719261079SEd Maste 		if (strcmp(method, "password") == 0 ||
318aa49c926SDag-Erling Smørgrav 		    strncmp(method, "keyboard-interactive", 20) == 0 ||
31919261079SEd Maste 		    strcmp(method, "challenge-response") == 0)
32019261079SEd Maste 			record_failed_login(ssh, authctxt->user,
321076ad2f8SDag-Erling Smørgrav 			    auth_get_canonical_hostname(ssh, options.use_dns), "ssh");
32219261079SEd Maste # endif
32319261079SEd Maste # ifdef SSH_AUDIT_EVENTS
32419261079SEd Maste 		audit_event(ssh, audit_classify_auth(method));
32519261079SEd Maste # endif
32619261079SEd Maste 	}
32719261079SEd Maste #endif
32819261079SEd Maste #if defined(CUSTOM_FAILED_LOGIN) && defined(WITH_AIXAUTHENTICATE)
329333ee039SDag-Erling Smørgrav 	if (authenticated)
330333ee039SDag-Erling Smørgrav 		sys_auth_record_login(authctxt->user,
331076ad2f8SDag-Erling Smørgrav 		    auth_get_canonical_hostname(ssh, options.use_dns), "ssh",
33219261079SEd Maste 		    loginmsg);
333cf2b5f3bSDag-Erling Smørgrav #endif
334ca3176e7SBrian Feldman }
335ca3176e7SBrian Feldman 
336a0ee8cc6SDag-Erling Smørgrav void
auth_maxtries_exceeded(struct ssh * ssh)33719261079SEd Maste auth_maxtries_exceeded(struct ssh *ssh)
338a0ee8cc6SDag-Erling Smørgrav {
33919261079SEd Maste 	Authctxt *authctxt = (Authctxt *)ssh->authctxt;
340076ad2f8SDag-Erling Smørgrav 
341bc5531deSDag-Erling Smørgrav 	error("maximum authentication attempts exceeded for "
342ca86bcf2SDag-Erling Smørgrav 	    "%s%.100s from %.200s port %d ssh2",
343a0ee8cc6SDag-Erling Smørgrav 	    authctxt->valid ? "" : "invalid user ",
344a0ee8cc6SDag-Erling Smørgrav 	    authctxt->user,
345076ad2f8SDag-Erling Smørgrav 	    ssh_remote_ipaddr(ssh),
346ca86bcf2SDag-Erling Smørgrav 	    ssh_remote_port(ssh));
34719261079SEd Maste 	ssh_packet_disconnect(ssh, "Too many authentication failures");
348a0ee8cc6SDag-Erling Smørgrav 	/* NOTREACHED */
349a0ee8cc6SDag-Erling Smørgrav }
350a0ee8cc6SDag-Erling Smørgrav 
351ca3176e7SBrian Feldman /*
352ca3176e7SBrian Feldman  * Check whether root logins are disallowed.
353ca3176e7SBrian Feldman  */
354ca3176e7SBrian Feldman int
auth_root_allowed(struct ssh * ssh,const char * method)35547dd1d1bSDag-Erling Smørgrav auth_root_allowed(struct ssh *ssh, const char *method)
356ca3176e7SBrian Feldman {
357ca3176e7SBrian Feldman 	switch (options.permit_root_login) {
358ca3176e7SBrian Feldman 	case PERMIT_YES:
359ca3176e7SBrian Feldman 		return 1;
360ca3176e7SBrian Feldman 	case PERMIT_NO_PASSWD:
361eccfee6eSDag-Erling Smørgrav 		if (strcmp(method, "publickey") == 0 ||
362eccfee6eSDag-Erling Smørgrav 		    strcmp(method, "hostbased") == 0 ||
363fc1ba28aSDag-Erling Smørgrav 		    strcmp(method, "gssapi-with-mic") == 0)
364ca3176e7SBrian Feldman 			return 1;
365ca3176e7SBrian Feldman 		break;
366ca3176e7SBrian Feldman 	case PERMIT_FORCED_ONLY:
36747dd1d1bSDag-Erling Smørgrav 		if (auth_opts->force_command != NULL) {
368cf2b5f3bSDag-Erling Smørgrav 			logit("Root login accepted for forced command.");
369ca3176e7SBrian Feldman 			return 1;
370ca3176e7SBrian Feldman 		}
371ca3176e7SBrian Feldman 		break;
372ca3176e7SBrian Feldman 	}
373076ad2f8SDag-Erling Smørgrav 	logit("ROOT LOGIN REFUSED FROM %.200s port %d",
374076ad2f8SDag-Erling Smørgrav 	    ssh_remote_ipaddr(ssh), ssh_remote_port(ssh));
375ca3176e7SBrian Feldman 	return 0;
376ca3176e7SBrian Feldman }
377af12a3e7SDag-Erling Smørgrav 
378af12a3e7SDag-Erling Smørgrav 
379af12a3e7SDag-Erling Smørgrav /*
380af12a3e7SDag-Erling Smørgrav  * Given a template and a passwd structure, build a filename
381af12a3e7SDag-Erling Smørgrav  * by substituting % tokenised options. Currently, %% becomes '%',
382af12a3e7SDag-Erling Smørgrav  * %h becomes the home directory and %u the username.
383af12a3e7SDag-Erling Smørgrav  *
384af12a3e7SDag-Erling Smørgrav  * This returns a buffer allocated by xmalloc.
385af12a3e7SDag-Erling Smørgrav  */
386e146993eSDag-Erling Smørgrav char *
expand_authorized_keys(const char * filename,struct passwd * pw)387d4ecd108SDag-Erling Smørgrav expand_authorized_keys(const char *filename, struct passwd *pw)
388af12a3e7SDag-Erling Smørgrav {
389190cef3dSDag-Erling Smørgrav 	char *file, uidstr[32], ret[PATH_MAX];
390333ee039SDag-Erling Smørgrav 	int i;
391af12a3e7SDag-Erling Smørgrav 
392190cef3dSDag-Erling Smørgrav 	snprintf(uidstr, sizeof(uidstr), "%llu",
393190cef3dSDag-Erling Smørgrav 	    (unsigned long long)pw->pw_uid);
394d4ecd108SDag-Erling Smørgrav 	file = percent_expand(filename, "h", pw->pw_dir,
395190cef3dSDag-Erling Smørgrav 	    "u", pw->pw_name, "U", uidstr, (char *)NULL);
396af12a3e7SDag-Erling Smørgrav 
397af12a3e7SDag-Erling Smørgrav 	/*
398af12a3e7SDag-Erling Smørgrav 	 * Ensure that filename starts anchored. If not, be backward
399af12a3e7SDag-Erling Smørgrav 	 * compatible and prepend the '%h/'
400af12a3e7SDag-Erling Smørgrav 	 */
40119261079SEd Maste 	if (path_absolute(file))
402d4ecd108SDag-Erling Smørgrav 		return (file);
403af12a3e7SDag-Erling Smørgrav 
404333ee039SDag-Erling Smørgrav 	i = snprintf(ret, sizeof(ret), "%s/%s", pw->pw_dir, file);
405333ee039SDag-Erling Smørgrav 	if (i < 0 || (size_t)i >= sizeof(ret))
406d4ecd108SDag-Erling Smørgrav 		fatal("expand_authorized_keys: path too long");
407e4a9863fSDag-Erling Smørgrav 	free(file);
408333ee039SDag-Erling Smørgrav 	return (xstrdup(ret));
409af12a3e7SDag-Erling Smørgrav }
410af12a3e7SDag-Erling Smørgrav 
411af12a3e7SDag-Erling Smørgrav char *
authorized_principals_file(struct passwd * pw)412e2f6069cSDag-Erling Smørgrav authorized_principals_file(struct passwd *pw)
413e2f6069cSDag-Erling Smørgrav {
414557f75e5SDag-Erling Smørgrav 	if (options.authorized_principals_file == NULL)
415e2f6069cSDag-Erling Smørgrav 		return NULL;
416e2f6069cSDag-Erling Smørgrav 	return expand_authorized_keys(options.authorized_principals_file, pw);
417e2f6069cSDag-Erling Smørgrav }
418e2f6069cSDag-Erling Smørgrav 
419af12a3e7SDag-Erling Smørgrav /* return ok if key exists in sysfile or userfile */
420af12a3e7SDag-Erling Smørgrav HostStatus
check_key_in_hostfiles(struct passwd * pw,struct sshkey * key,const char * host,const char * sysfile,const char * userfile)4214f52dfbbSDag-Erling Smørgrav check_key_in_hostfiles(struct passwd *pw, struct sshkey *key, const char *host,
422af12a3e7SDag-Erling Smørgrav     const char *sysfile, const char *userfile)
423af12a3e7SDag-Erling Smørgrav {
424af12a3e7SDag-Erling Smørgrav 	char *user_hostfile;
425af12a3e7SDag-Erling Smørgrav 	struct stat st;
426af12a3e7SDag-Erling Smørgrav 	HostStatus host_status;
4274a421b63SDag-Erling Smørgrav 	struct hostkeys *hostkeys;
4284a421b63SDag-Erling Smørgrav 	const struct hostkey_entry *found;
429af12a3e7SDag-Erling Smørgrav 
4304a421b63SDag-Erling Smørgrav 	hostkeys = init_hostkeys();
43119261079SEd Maste 	load_hostkeys(hostkeys, host, sysfile, 0);
4324a421b63SDag-Erling Smørgrav 	if (userfile != NULL) {
433af12a3e7SDag-Erling Smørgrav 		user_hostfile = tilde_expand_filename(userfile, pw->pw_uid);
434af12a3e7SDag-Erling Smørgrav 		if (options.strict_modes &&
435af12a3e7SDag-Erling Smørgrav 		    (stat(user_hostfile, &st) == 0) &&
436af12a3e7SDag-Erling Smørgrav 		    ((st.st_uid != 0 && st.st_uid != pw->pw_uid) ||
437af12a3e7SDag-Erling Smørgrav 		    (st.st_mode & 022) != 0)) {
438cf2b5f3bSDag-Erling Smørgrav 			logit("Authentication refused for %.100s: "
439af12a3e7SDag-Erling Smørgrav 			    "bad owner or modes for %.200s",
440af12a3e7SDag-Erling Smørgrav 			    pw->pw_name, user_hostfile);
441e2f6069cSDag-Erling Smørgrav 			auth_debug_add("Ignored %.200s: bad ownership or modes",
442e2f6069cSDag-Erling Smørgrav 			    user_hostfile);
443af12a3e7SDag-Erling Smørgrav 		} else {
444af12a3e7SDag-Erling Smørgrav 			temporarily_use_uid(pw);
44519261079SEd Maste 			load_hostkeys(hostkeys, host, user_hostfile, 0);
446af12a3e7SDag-Erling Smørgrav 			restore_uid();
447af12a3e7SDag-Erling Smørgrav 		}
448e4a9863fSDag-Erling Smørgrav 		free(user_hostfile);
449af12a3e7SDag-Erling Smørgrav 	}
4504a421b63SDag-Erling Smørgrav 	host_status = check_key_in_hostkeys(hostkeys, key, &found);
4514a421b63SDag-Erling Smørgrav 	if (host_status == HOST_REVOKED)
4524a421b63SDag-Erling Smørgrav 		error("WARNING: revoked key for %s attempted authentication",
45319261079SEd Maste 		    host);
4544a421b63SDag-Erling Smørgrav 	else if (host_status == HOST_OK)
45519261079SEd Maste 		debug_f("key for %s found at %s:%ld",
4564a421b63SDag-Erling Smørgrav 		    found->host, found->file, found->line);
4574a421b63SDag-Erling Smørgrav 	else
45819261079SEd Maste 		debug_f("key for host %s not found", host);
459af12a3e7SDag-Erling Smørgrav 
4604a421b63SDag-Erling Smørgrav 	free_hostkeys(hostkeys);
4614a421b63SDag-Erling Smørgrav 
462af12a3e7SDag-Erling Smørgrav 	return host_status;
463af12a3e7SDag-Erling Smørgrav }
464af12a3e7SDag-Erling Smørgrav 
46580628bacSDag-Erling Smørgrav struct passwd *
getpwnamallow(struct ssh * ssh,const char * user)46619261079SEd Maste getpwnamallow(struct ssh *ssh, const char *user)
46780628bacSDag-Erling Smørgrav {
46880628bacSDag-Erling Smørgrav #ifdef HAVE_LOGIN_CAP
46980628bacSDag-Erling Smørgrav 	extern login_cap_t *lc;
47027ceebbcSEd Maste #ifdef HAVE_AUTH_HOSTOK
47127ceebbcSEd Maste 	const char *from_host, *from_ip;
47227ceebbcSEd Maste #endif
47380628bacSDag-Erling Smørgrav #ifdef BSD_AUTH
47480628bacSDag-Erling Smørgrav 	auth_session_t *as;
47580628bacSDag-Erling Smørgrav #endif
47680628bacSDag-Erling Smørgrav #endif
47780628bacSDag-Erling Smørgrav 	struct passwd *pw;
47819261079SEd Maste 	struct connection_info *ci;
47919261079SEd Maste 	u_int i;
48080628bacSDag-Erling Smørgrav 
4810fdf8faeSEd Maste 	ci = server_get_connection_info(ssh, 1, options.use_dns);
482462c32cbSDag-Erling Smørgrav 	ci->user = user;
483*3d9fd9fcSEd Maste 	ci->user_invalid = getpwnam(user) == NULL;
48419261079SEd Maste 	parse_server_match_config(&options, &includes, ci);
4854f52dfbbSDag-Erling Smørgrav 	log_change_level(options.log_level);
48619261079SEd Maste 	log_verbose_reset();
48719261079SEd Maste 	for (i = 0; i < options.num_log_verbose; i++)
48819261079SEd Maste 		log_verbose_add(options.log_verbose[i]);
4890fdf8faeSEd Maste 	server_process_permitopen(ssh);
490333ee039SDag-Erling Smørgrav 
491b15c8340SDag-Erling Smørgrav #if defined(_AIX) && defined(HAVE_SETAUTHDB)
492b15c8340SDag-Erling Smørgrav 	aix_setauthdb(user);
493b15c8340SDag-Erling Smørgrav #endif
494b15c8340SDag-Erling Smørgrav 
49580628bacSDag-Erling Smørgrav 	pw = getpwnam(user);
496b15c8340SDag-Erling Smørgrav 
497b15c8340SDag-Erling Smørgrav #if defined(_AIX) && defined(HAVE_SETAUTHDB)
498b15c8340SDag-Erling Smørgrav 	aix_restoreauthdb();
499b15c8340SDag-Erling Smørgrav #endif
500f388f5efSDag-Erling Smørgrav 	if (pw == NULL) {
5010f9bafdfSEd Maste 		BLACKLIST_NOTIFY(ssh, BLACKLIST_BAD_USER, user);
502076ad2f8SDag-Erling Smørgrav 		logit("Invalid user %.100s from %.100s port %d",
503076ad2f8SDag-Erling Smørgrav 		    user, ssh_remote_ipaddr(ssh), ssh_remote_port(ssh));
504cf2b5f3bSDag-Erling Smørgrav #ifdef CUSTOM_FAILED_LOGIN
50519261079SEd Maste 		record_failed_login(ssh, user,
506076ad2f8SDag-Erling Smørgrav 		    auth_get_canonical_hostname(ssh, options.use_dns), "ssh");
507e73e9afaSDag-Erling Smørgrav #endif
508aa49c926SDag-Erling Smørgrav #ifdef SSH_AUDIT_EVENTS
50919261079SEd Maste 		audit_event(ssh, SSH_INVALID_USER);
510aa49c926SDag-Erling Smørgrav #endif /* SSH_AUDIT_EVENTS */
511f388f5efSDag-Erling Smørgrav 		return (NULL);
512f388f5efSDag-Erling Smørgrav 	}
51319261079SEd Maste 	if (!allowed_user(ssh, pw))
51480628bacSDag-Erling Smørgrav 		return (NULL);
51580628bacSDag-Erling Smørgrav #ifdef HAVE_LOGIN_CAP
516f38aa77fSTony Finch 	if ((lc = login_getpwclass(pw)) == NULL) {
51780628bacSDag-Erling Smørgrav 		debug("unable to get login class: %s", user);
51880628bacSDag-Erling Smørgrav 		return (NULL);
51980628bacSDag-Erling Smørgrav 	}
52027ceebbcSEd Maste #ifdef HAVE_AUTH_HOSTOK
52127ceebbcSEd Maste 	from_host = auth_get_canonical_hostname(ssh, options.use_dns);
52227ceebbcSEd Maste 	from_ip = ssh_remote_ipaddr(ssh);
52327ceebbcSEd Maste 	if (!auth_hostok(lc, from_host, from_ip)) {
52427ceebbcSEd Maste 		debug("Denied connection for %.200s from %.200s [%.200s].",
52527ceebbcSEd Maste 		      pw->pw_name, from_host, from_ip);
52627ceebbcSEd Maste 		return (NULL);
52727ceebbcSEd Maste 	}
52827ceebbcSEd Maste #endif /* HAVE_AUTH_HOSTOK */
52927ceebbcSEd Maste #ifdef HAVE_AUTH_TIMEOK
53027ceebbcSEd Maste 	if (!auth_timeok(lc, time(NULL))) {
53127ceebbcSEd Maste 		debug("LOGIN %.200s REFUSED (TIME)", pw->pw_name);
53227ceebbcSEd Maste 		return (NULL);
53327ceebbcSEd Maste 	}
53427ceebbcSEd Maste #endif /* HAVE_AUTH_TIMEOK */
53580628bacSDag-Erling Smørgrav #ifdef BSD_AUTH
53680628bacSDag-Erling Smørgrav 	if ((as = auth_open()) == NULL || auth_setpwd(as, pw) != 0 ||
53780628bacSDag-Erling Smørgrav 	    auth_approval(as, lc, pw->pw_name, "ssh") <= 0) {
53880628bacSDag-Erling Smørgrav 		debug("Approval failure for %s", user);
53980628bacSDag-Erling Smørgrav 		pw = NULL;
54080628bacSDag-Erling Smørgrav 	}
54180628bacSDag-Erling Smørgrav 	if (as != NULL)
54280628bacSDag-Erling Smørgrav 		auth_close(as);
54380628bacSDag-Erling Smørgrav #endif
54480628bacSDag-Erling Smørgrav #endif
54580628bacSDag-Erling Smørgrav 	if (pw != NULL)
54680628bacSDag-Erling Smørgrav 		return (pwcopy(pw));
54780628bacSDag-Erling Smørgrav 	return (NULL);
54880628bacSDag-Erling Smørgrav }
54980628bacSDag-Erling Smørgrav 
550b15c8340SDag-Erling Smørgrav /* Returns 1 if key is revoked by revoked_keys_file, 0 otherwise */
551b15c8340SDag-Erling Smørgrav int
auth_key_is_revoked(struct sshkey * key)5524f52dfbbSDag-Erling Smørgrav auth_key_is_revoked(struct sshkey *key)
553b15c8340SDag-Erling Smørgrav {
554bc5531deSDag-Erling Smørgrav 	char *fp = NULL;
555bc5531deSDag-Erling Smørgrav 	int r;
556b15c8340SDag-Erling Smørgrav 
557b15c8340SDag-Erling Smørgrav 	if (options.revoked_keys_file == NULL)
558b15c8340SDag-Erling Smørgrav 		return 0;
559bc5531deSDag-Erling Smørgrav 	if ((fp = sshkey_fingerprint(key, options.fingerprint_hash,
560bc5531deSDag-Erling Smørgrav 	    SSH_FP_DEFAULT)) == NULL) {
561bc5531deSDag-Erling Smørgrav 		r = SSH_ERR_ALLOC_FAIL;
56219261079SEd Maste 		error_fr(r, "fingerprint key");
563bc5531deSDag-Erling Smørgrav 		goto out;
564bc5531deSDag-Erling Smørgrav 	}
565bc5531deSDag-Erling Smørgrav 
566bc5531deSDag-Erling Smørgrav 	r = sshkey_check_revoked(key, options.revoked_keys_file);
567bc5531deSDag-Erling Smørgrav 	switch (r) {
5686888a9beSDag-Erling Smørgrav 	case 0:
569bc5531deSDag-Erling Smørgrav 		break; /* not revoked */
570bc5531deSDag-Erling Smørgrav 	case SSH_ERR_KEY_REVOKED:
571bc5531deSDag-Erling Smørgrav 		error("Authentication key %s %s revoked by file %s",
572bc5531deSDag-Erling Smørgrav 		    sshkey_type(key), fp, options.revoked_keys_file);
573bc5531deSDag-Erling Smørgrav 		goto out;
5746888a9beSDag-Erling Smørgrav 	default:
57519261079SEd Maste 		error_r(r, "Error checking authentication key %s %s in "
57619261079SEd Maste 		    "revoked keys file %s", sshkey_type(key), fp,
57719261079SEd Maste 		    options.revoked_keys_file);
578bc5531deSDag-Erling Smørgrav 		goto out;
5796888a9beSDag-Erling Smørgrav 	}
580bc5531deSDag-Erling Smørgrav 
581bc5531deSDag-Erling Smørgrav 	/* Success */
582bc5531deSDag-Erling Smørgrav 	r = 0;
583bc5531deSDag-Erling Smørgrav 
584bc5531deSDag-Erling Smørgrav  out:
585bc5531deSDag-Erling Smørgrav 	free(fp);
586bc5531deSDag-Erling Smørgrav 	return r == 0 ? 0 : 1;
587b15c8340SDag-Erling Smørgrav }
588b15c8340SDag-Erling Smørgrav 
58980628bacSDag-Erling Smørgrav void
auth_debug_add(const char * fmt,...)59080628bacSDag-Erling Smørgrav auth_debug_add(const char *fmt,...)
59180628bacSDag-Erling Smørgrav {
59280628bacSDag-Erling Smørgrav 	char buf[1024];
59380628bacSDag-Erling Smørgrav 	va_list args;
594190cef3dSDag-Erling Smørgrav 	int r;
59580628bacSDag-Erling Smørgrav 
59680628bacSDag-Erling Smørgrav 	va_start(args, fmt);
59780628bacSDag-Erling Smørgrav 	vsnprintf(buf, sizeof(buf), fmt, args);
59880628bacSDag-Erling Smørgrav 	va_end(args);
599f374ba41SEd Maste 	debug3("%s", buf);
600f374ba41SEd Maste 	if (auth_debug != NULL)
601190cef3dSDag-Erling Smørgrav 		if ((r = sshbuf_put_cstring(auth_debug, buf)) != 0)
60219261079SEd Maste 			fatal_fr(r, "sshbuf_put_cstring");
60380628bacSDag-Erling Smørgrav }
60480628bacSDag-Erling Smørgrav 
60580628bacSDag-Erling Smørgrav void
auth_debug_send(struct ssh * ssh)60619261079SEd Maste auth_debug_send(struct ssh *ssh)
60780628bacSDag-Erling Smørgrav {
60880628bacSDag-Erling Smørgrav 	char *msg;
609190cef3dSDag-Erling Smørgrav 	int r;
61080628bacSDag-Erling Smørgrav 
611190cef3dSDag-Erling Smørgrav 	if (auth_debug == NULL)
61280628bacSDag-Erling Smørgrav 		return;
613190cef3dSDag-Erling Smørgrav 	while (sshbuf_len(auth_debug) != 0) {
614190cef3dSDag-Erling Smørgrav 		if ((r = sshbuf_get_cstring(auth_debug, &msg, NULL)) != 0)
61519261079SEd Maste 			fatal_fr(r, "sshbuf_get_cstring");
616190cef3dSDag-Erling Smørgrav 		ssh_packet_send_debug(ssh, "%s", msg);
617e4a9863fSDag-Erling Smørgrav 		free(msg);
61880628bacSDag-Erling Smørgrav 	}
61980628bacSDag-Erling Smørgrav }
62080628bacSDag-Erling Smørgrav 
62180628bacSDag-Erling Smørgrav void
auth_debug_reset(void)62280628bacSDag-Erling Smørgrav auth_debug_reset(void)
62380628bacSDag-Erling Smørgrav {
624190cef3dSDag-Erling Smørgrav 	if (auth_debug != NULL)
625190cef3dSDag-Erling Smørgrav 		sshbuf_reset(auth_debug);
626190cef3dSDag-Erling Smørgrav 	else if ((auth_debug = sshbuf_new()) == NULL)
62719261079SEd Maste 		fatal_f("sshbuf_new failed");
62880628bacSDag-Erling Smørgrav }
629cf2b5f3bSDag-Erling Smørgrav 
630cf2b5f3bSDag-Erling Smørgrav struct passwd *
fakepw(void)631cf2b5f3bSDag-Erling Smørgrav fakepw(void)
632cf2b5f3bSDag-Erling Smørgrav {
6331323ec57SEd Maste 	static int done = 0;
634cf2b5f3bSDag-Erling Smørgrav 	static struct passwd fake;
6351323ec57SEd Maste 	const char hashchars[] = "./ABCDEFGHIJKLMNOPQRSTUVWXYZ"
6361323ec57SEd Maste 	    "abcdefghijklmnopqrstuvwxyz0123456789"; /* from bcrypt.c */
6371323ec57SEd Maste 	char *cp;
6381323ec57SEd Maste 
6391323ec57SEd Maste 	if (done)
6401323ec57SEd Maste 		return (&fake);
641cf2b5f3bSDag-Erling Smørgrav 
642cf2b5f3bSDag-Erling Smørgrav 	memset(&fake, 0, sizeof(fake));
643cf2b5f3bSDag-Erling Smørgrav 	fake.pw_name = "NOUSER";
6441323ec57SEd Maste 	fake.pw_passwd = xstrdup("$2a$10$"
6451323ec57SEd Maste 	    "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx");
6461323ec57SEd Maste 	for (cp = fake.pw_passwd + 7; *cp != '\0'; cp++)
6471323ec57SEd Maste 		*cp = hashchars[arc4random_uniform(sizeof(hashchars) - 1)];
648e4a9863fSDag-Erling Smørgrav #ifdef HAVE_STRUCT_PASSWD_PW_GECOS
649cf2b5f3bSDag-Erling Smørgrav 	fake.pw_gecos = "NOUSER";
650e4a9863fSDag-Erling Smørgrav #endif
651d4af9e69SDag-Erling Smørgrav 	fake.pw_uid = privsep_pw == NULL ? (uid_t)-1 : privsep_pw->pw_uid;
652d4af9e69SDag-Erling Smørgrav 	fake.pw_gid = privsep_pw == NULL ? (gid_t)-1 : privsep_pw->pw_gid;
653e4a9863fSDag-Erling Smørgrav #ifdef HAVE_STRUCT_PASSWD_PW_CLASS
654cf2b5f3bSDag-Erling Smørgrav 	fake.pw_class = "";
655cf2b5f3bSDag-Erling Smørgrav #endif
656cf2b5f3bSDag-Erling Smørgrav 	fake.pw_dir = "/nonexist";
657cf2b5f3bSDag-Erling Smørgrav 	fake.pw_shell = "/nonexist";
6581323ec57SEd Maste 	done = 1;
659cf2b5f3bSDag-Erling Smørgrav 
660cf2b5f3bSDag-Erling Smørgrav 	return (&fake);
661cf2b5f3bSDag-Erling Smørgrav }
662076ad2f8SDag-Erling Smørgrav 
663076ad2f8SDag-Erling Smørgrav /*
664076ad2f8SDag-Erling Smørgrav  * Return the canonical name of the host in the other side of the current
665076ad2f8SDag-Erling Smørgrav  * connection.  The host name is cached, so it is efficient to call this
666076ad2f8SDag-Erling Smørgrav  * several times.
667076ad2f8SDag-Erling Smørgrav  */
668076ad2f8SDag-Erling Smørgrav 
669076ad2f8SDag-Erling Smørgrav const char *
auth_get_canonical_hostname(struct ssh * ssh,int use_dns)670076ad2f8SDag-Erling Smørgrav auth_get_canonical_hostname(struct ssh *ssh, int use_dns)
671076ad2f8SDag-Erling Smørgrav {
672076ad2f8SDag-Erling Smørgrav 	static char *dnsname;
673076ad2f8SDag-Erling Smørgrav 
674076ad2f8SDag-Erling Smørgrav 	if (!use_dns)
675076ad2f8SDag-Erling Smørgrav 		return ssh_remote_ipaddr(ssh);
6760fdf8faeSEd Maste 	if (dnsname != NULL)
677076ad2f8SDag-Erling Smørgrav 		return dnsname;
6780fdf8faeSEd Maste 	dnsname = ssh_remote_hostname(ssh);
679076ad2f8SDag-Erling Smørgrav 	return dnsname;
680076ad2f8SDag-Erling Smørgrav }
68147dd1d1bSDag-Erling Smørgrav 
68247dd1d1bSDag-Erling Smørgrav /* These functions link key/cert options to the auth framework */
68347dd1d1bSDag-Erling Smørgrav 
68447dd1d1bSDag-Erling Smørgrav /* Log sshauthopt options locally and (optionally) for remote transmission */
68547dd1d1bSDag-Erling Smørgrav void
auth_log_authopts(const char * loc,const struct sshauthopt * opts,int do_remote)68647dd1d1bSDag-Erling Smørgrav auth_log_authopts(const char *loc, const struct sshauthopt *opts, int do_remote)
68747dd1d1bSDag-Erling Smørgrav {
68847dd1d1bSDag-Erling Smørgrav 	int do_env = options.permit_user_env && opts->nenv > 0;
68947dd1d1bSDag-Erling Smørgrav 	int do_permitopen = opts->npermitopen > 0 &&
69047dd1d1bSDag-Erling Smørgrav 	    (options.allow_tcp_forwarding & FORWARD_LOCAL) != 0;
691190cef3dSDag-Erling Smørgrav 	int do_permitlisten = opts->npermitlisten > 0 &&
692190cef3dSDag-Erling Smørgrav 	    (options.allow_tcp_forwarding & FORWARD_REMOTE) != 0;
69347dd1d1bSDag-Erling Smørgrav 	size_t i;
69447dd1d1bSDag-Erling Smørgrav 	char msg[1024], buf[64];
69547dd1d1bSDag-Erling Smørgrav 
69647dd1d1bSDag-Erling Smørgrav 	snprintf(buf, sizeof(buf), "%d", opts->force_tun_device);
69747dd1d1bSDag-Erling Smørgrav 	/* Try to keep this alphabetically sorted */
69819261079SEd Maste 	snprintf(msg, sizeof(msg), "key options:%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s",
69947dd1d1bSDag-Erling Smørgrav 	    opts->permit_agent_forwarding_flag ? " agent-forwarding" : "",
70047dd1d1bSDag-Erling Smørgrav 	    opts->force_command == NULL ? "" : " command",
70147dd1d1bSDag-Erling Smørgrav 	    do_env ?  " environment" : "",
70247dd1d1bSDag-Erling Smørgrav 	    opts->valid_before == 0 ? "" : "expires",
70319261079SEd Maste 	    opts->no_require_user_presence ? " no-touch-required" : "",
70447dd1d1bSDag-Erling Smørgrav 	    do_permitopen ?  " permitopen" : "",
705190cef3dSDag-Erling Smørgrav 	    do_permitlisten ?  " permitlisten" : "",
70647dd1d1bSDag-Erling Smørgrav 	    opts->permit_port_forwarding_flag ? " port-forwarding" : "",
70747dd1d1bSDag-Erling Smørgrav 	    opts->cert_principals == NULL ? "" : " principals",
70847dd1d1bSDag-Erling Smørgrav 	    opts->permit_pty_flag ? " pty" : "",
70919261079SEd Maste 	    opts->require_verify ? " uv" : "",
71047dd1d1bSDag-Erling Smørgrav 	    opts->force_tun_device == -1 ? "" : " tun=",
71147dd1d1bSDag-Erling Smørgrav 	    opts->force_tun_device == -1 ? "" : buf,
71247dd1d1bSDag-Erling Smørgrav 	    opts->permit_user_rc ? " user-rc" : "",
71347dd1d1bSDag-Erling Smørgrav 	    opts->permit_x11_forwarding_flag ? " x11-forwarding" : "");
71447dd1d1bSDag-Erling Smørgrav 
71547dd1d1bSDag-Erling Smørgrav 	debug("%s: %s", loc, msg);
71647dd1d1bSDag-Erling Smørgrav 	if (do_remote)
71747dd1d1bSDag-Erling Smørgrav 		auth_debug_add("%s: %s", loc, msg);
71847dd1d1bSDag-Erling Smørgrav 
71947dd1d1bSDag-Erling Smørgrav 	if (options.permit_user_env) {
72047dd1d1bSDag-Erling Smørgrav 		for (i = 0; i < opts->nenv; i++) {
72147dd1d1bSDag-Erling Smørgrav 			debug("%s: environment: %s", loc, opts->env[i]);
72247dd1d1bSDag-Erling Smørgrav 			if (do_remote) {
72347dd1d1bSDag-Erling Smørgrav 				auth_debug_add("%s: environment: %s",
72447dd1d1bSDag-Erling Smørgrav 				    loc, opts->env[i]);
72547dd1d1bSDag-Erling Smørgrav 			}
72647dd1d1bSDag-Erling Smørgrav 		}
72747dd1d1bSDag-Erling Smørgrav 	}
72847dd1d1bSDag-Erling Smørgrav 
72947dd1d1bSDag-Erling Smørgrav 	/* Go into a little more details for the local logs. */
73047dd1d1bSDag-Erling Smørgrav 	if (opts->valid_before != 0) {
73147dd1d1bSDag-Erling Smørgrav 		format_absolute_time(opts->valid_before, buf, sizeof(buf));
73247dd1d1bSDag-Erling Smørgrav 		debug("%s: expires at %s", loc, buf);
73347dd1d1bSDag-Erling Smørgrav 	}
73447dd1d1bSDag-Erling Smørgrav 	if (opts->cert_principals != NULL) {
73547dd1d1bSDag-Erling Smørgrav 		debug("%s: authorized principals: \"%s\"",
73647dd1d1bSDag-Erling Smørgrav 		    loc, opts->cert_principals);
73747dd1d1bSDag-Erling Smørgrav 	}
73847dd1d1bSDag-Erling Smørgrav 	if (opts->force_command != NULL)
73947dd1d1bSDag-Erling Smørgrav 		debug("%s: forced command: \"%s\"", loc, opts->force_command);
740190cef3dSDag-Erling Smørgrav 	if (do_permitopen) {
74147dd1d1bSDag-Erling Smørgrav 		for (i = 0; i < opts->npermitopen; i++) {
74247dd1d1bSDag-Erling Smørgrav 			debug("%s: permitted open: %s",
74347dd1d1bSDag-Erling Smørgrav 			    loc, opts->permitopen[i]);
74447dd1d1bSDag-Erling Smørgrav 		}
74547dd1d1bSDag-Erling Smørgrav 	}
746190cef3dSDag-Erling Smørgrav 	if (do_permitlisten) {
747190cef3dSDag-Erling Smørgrav 		for (i = 0; i < opts->npermitlisten; i++) {
748190cef3dSDag-Erling Smørgrav 			debug("%s: permitted listen: %s",
749190cef3dSDag-Erling Smørgrav 			    loc, opts->permitlisten[i]);
750190cef3dSDag-Erling Smørgrav 		}
751190cef3dSDag-Erling Smørgrav 	}
75247dd1d1bSDag-Erling Smørgrav }
75347dd1d1bSDag-Erling Smørgrav 
75447dd1d1bSDag-Erling Smørgrav /* Activate a new set of key/cert options; merging with what is there. */
75547dd1d1bSDag-Erling Smørgrav int
auth_activate_options(struct ssh * ssh,struct sshauthopt * opts)75647dd1d1bSDag-Erling Smørgrav auth_activate_options(struct ssh *ssh, struct sshauthopt *opts)
75747dd1d1bSDag-Erling Smørgrav {
75847dd1d1bSDag-Erling Smørgrav 	struct sshauthopt *old = auth_opts;
75947dd1d1bSDag-Erling Smørgrav 	const char *emsg = NULL;
76047dd1d1bSDag-Erling Smørgrav 
76119261079SEd Maste 	debug_f("setting new authentication options");
76247dd1d1bSDag-Erling Smørgrav 	if ((auth_opts = sshauthopt_merge(old, opts, &emsg)) == NULL) {
76347dd1d1bSDag-Erling Smørgrav 		error("Inconsistent authentication options: %s", emsg);
76447dd1d1bSDag-Erling Smørgrav 		return -1;
76547dd1d1bSDag-Erling Smørgrav 	}
76647dd1d1bSDag-Erling Smørgrav 	return 0;
76747dd1d1bSDag-Erling Smørgrav }
76847dd1d1bSDag-Erling Smørgrav 
76947dd1d1bSDag-Erling Smørgrav /* Disable forwarding, etc for the session */
77047dd1d1bSDag-Erling Smørgrav void
auth_restrict_session(struct ssh * ssh)77147dd1d1bSDag-Erling Smørgrav auth_restrict_session(struct ssh *ssh)
77247dd1d1bSDag-Erling Smørgrav {
77347dd1d1bSDag-Erling Smørgrav 	struct sshauthopt *restricted;
77447dd1d1bSDag-Erling Smørgrav 
77519261079SEd Maste 	debug_f("restricting session");
77647dd1d1bSDag-Erling Smørgrav 
77747dd1d1bSDag-Erling Smørgrav 	/* A blank sshauthopt defaults to permitting nothing */
77838a52bd3SEd Maste 	if ((restricted = sshauthopt_new()) == NULL)
77938a52bd3SEd Maste 		fatal_f("sshauthopt_new failed");
780190cef3dSDag-Erling Smørgrav 	restricted->permit_pty_flag = 1;
78147dd1d1bSDag-Erling Smørgrav 	restricted->restricted = 1;
78247dd1d1bSDag-Erling Smørgrav 
78347dd1d1bSDag-Erling Smørgrav 	if (auth_activate_options(ssh, restricted) != 0)
78419261079SEd Maste 		fatal_f("failed to restrict session");
78547dd1d1bSDag-Erling Smørgrav 	sshauthopt_free(restricted);
78647dd1d1bSDag-Erling Smørgrav }
787