xref: /freebsd/crypto/openssh/auth.c (revision d4ecd1085791f1e31b106a2546b08647fd6a2a17)
1a04a10f8SKris Kennaway /*
2a04a10f8SKris Kennaway  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
3e8aafc91SKris Kennaway  *
4c2d3a559SKris Kennaway  * Redistribution and use in source and binary forms, with or without
5c2d3a559SKris Kennaway  * modification, are permitted provided that the following conditions
6c2d3a559SKris Kennaway  * are met:
7c2d3a559SKris Kennaway  * 1. Redistributions of source code must retain the above copyright
8c2d3a559SKris Kennaway  *    notice, this list of conditions and the following disclaimer.
9c2d3a559SKris Kennaway  * 2. Redistributions in binary form must reproduce the above copyright
10c2d3a559SKris Kennaway  *    notice, this list of conditions and the following disclaimer in the
11c2d3a559SKris Kennaway  *    documentation and/or other materials provided with the distribution.
12c2d3a559SKris Kennaway  *
13c2d3a559SKris Kennaway  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
14c2d3a559SKris Kennaway  * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
15c2d3a559SKris Kennaway  * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
16c2d3a559SKris Kennaway  * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
17c2d3a559SKris Kennaway  * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
18c2d3a559SKris Kennaway  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
19c2d3a559SKris Kennaway  * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
20c2d3a559SKris Kennaway  * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
21c2d3a559SKris Kennaway  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
22c2d3a559SKris Kennaway  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
23a04a10f8SKris Kennaway  */
24a04a10f8SKris Kennaway 
25a04a10f8SKris Kennaway #include "includes.h"
26d4ecd108SDag-Erling Smørgrav RCSID("$OpenBSD: auth.c,v 1.60 2005/06/17 02:44:32 djm Exp $");
27f38aa77fSTony Finch RCSID("$FreeBSD$");
28a04a10f8SKris Kennaway 
29989dd127SDag-Erling Smørgrav #ifdef HAVE_LOGIN_H
30989dd127SDag-Erling Smørgrav #include <login.h>
31989dd127SDag-Erling Smørgrav #endif
321ec0d754SDag-Erling Smørgrav #ifdef USE_SHADOW
33989dd127SDag-Erling Smørgrav #include <shadow.h>
341ec0d754SDag-Erling Smørgrav #endif
35989dd127SDag-Erling Smørgrav 
36989dd127SDag-Erling Smørgrav #ifdef HAVE_LIBGEN_H
37af12a3e7SDag-Erling Smørgrav #include <libgen.h>
38989dd127SDag-Erling Smørgrav #endif
39af12a3e7SDag-Erling Smørgrav 
40a04a10f8SKris Kennaway #include "xmalloc.h"
41a04a10f8SKris Kennaway #include "match.h"
42ca3176e7SBrian Feldman #include "groupaccess.h"
43ca3176e7SBrian Feldman #include "log.h"
44ca3176e7SBrian Feldman #include "servconf.h"
45a04a10f8SKris Kennaway #include "auth.h"
46ca3176e7SBrian Feldman #include "auth-options.h"
47ca3176e7SBrian Feldman #include "canohost.h"
48af12a3e7SDag-Erling Smørgrav #include "buffer.h"
49af12a3e7SDag-Erling Smørgrav #include "bufaux.h"
50af12a3e7SDag-Erling Smørgrav #include "uidswap.h"
5180628bacSDag-Erling Smørgrav #include "misc.h"
5280628bacSDag-Erling Smørgrav #include "bufaux.h"
5380628bacSDag-Erling Smørgrav #include "packet.h"
54aa49c926SDag-Erling Smørgrav #include "loginrec.h"
55aa49c926SDag-Erling Smørgrav #include "monitor_wrap.h"
56a04a10f8SKris Kennaway 
57a04a10f8SKris Kennaway /* import */
58a04a10f8SKris Kennaway extern ServerOptions options;
59cf2b5f3bSDag-Erling Smørgrav extern Buffer loginmsg;
60a04a10f8SKris Kennaway 
6180628bacSDag-Erling Smørgrav /* Debugging messages */
6280628bacSDag-Erling Smørgrav Buffer auth_debug;
6380628bacSDag-Erling Smørgrav int auth_debug_init;
6480628bacSDag-Erling Smørgrav 
65a04a10f8SKris Kennaway /*
66ca3176e7SBrian Feldman  * Check if the user is allowed to log in via ssh. If user is listed
67ca3176e7SBrian Feldman  * in DenyUsers or one of user's groups is listed in DenyGroups, false
68ca3176e7SBrian Feldman  * will be returned. If AllowUsers isn't empty and user isn't listed
69ca3176e7SBrian Feldman  * there, or if AllowGroups isn't empty and one of user's groups isn't
70ca3176e7SBrian Feldman  * listed there, false will be returned.
71a04a10f8SKris Kennaway  * If the user's shell is not executable, false will be returned.
72a04a10f8SKris Kennaway  * Otherwise true is returned.
73a04a10f8SKris Kennaway  */
74a04a10f8SKris Kennaway int
75a04a10f8SKris Kennaway allowed_user(struct passwd * pw)
76a04a10f8SKris Kennaway {
77a04a10f8SKris Kennaway 	struct stat st;
78cf2b5f3bSDag-Erling Smørgrav 	const char *hostname = NULL, *ipaddr = NULL, *passwd = NULL;
79c322fe35SKris Kennaway 	char *shell;
80d4ecd108SDag-Erling Smørgrav 	u_int i;
811ec0d754SDag-Erling Smørgrav #ifdef USE_SHADOW
82cf2b5f3bSDag-Erling Smørgrav 	struct spwd *spw = NULL;
83e73e9afaSDag-Erling Smørgrav #endif
84a04a10f8SKris Kennaway 
85a04a10f8SKris Kennaway 	/* Shouldn't be called if pw is NULL, but better safe than sorry... */
86ca3176e7SBrian Feldman 	if (!pw || !pw->pw_name)
87a04a10f8SKris Kennaway 		return 0;
88a04a10f8SKris Kennaway 
891ec0d754SDag-Erling Smørgrav #ifdef USE_SHADOW
90cf2b5f3bSDag-Erling Smørgrav 	if (!options.use_pam)
91cf2b5f3bSDag-Erling Smørgrav 		spw = getspnam(pw->pw_name);
92cf2b5f3bSDag-Erling Smørgrav #ifdef HAS_SHADOW_EXPIRE
931ec0d754SDag-Erling Smørgrav 	if (!options.use_pam && spw != NULL && auth_shadow_acctexpired(spw))
94989dd127SDag-Erling Smørgrav 		return 0;
95cf2b5f3bSDag-Erling Smørgrav #endif /* HAS_SHADOW_EXPIRE */
961ec0d754SDag-Erling Smørgrav #endif /* USE_SHADOW */
97cf2b5f3bSDag-Erling Smørgrav 
98cf2b5f3bSDag-Erling Smørgrav 	/* grab passwd field for locked account check */
991ec0d754SDag-Erling Smørgrav #ifdef USE_SHADOW
100cf2b5f3bSDag-Erling Smørgrav 	if (spw != NULL)
101d4ecd108SDag-Erling Smørgrav #if defined(HAVE_LIBIAF)  &&  !defined(BROKEN_LIBIAF)
102d4ecd108SDag-Erling Smørgrav 		passwd = get_iaf_password(pw);
103d4ecd108SDag-Erling Smørgrav #else
104cf2b5f3bSDag-Erling Smørgrav 		passwd = spw->sp_pwdp;
105d4ecd108SDag-Erling Smørgrav #endif /* HAVE_LIBIAF  && !BROKEN_LIBIAF */
106cf2b5f3bSDag-Erling Smørgrav #else
107cf2b5f3bSDag-Erling Smørgrav 	passwd = pw->pw_passwd;
108989dd127SDag-Erling Smørgrav #endif
109989dd127SDag-Erling Smørgrav 
110cf2b5f3bSDag-Erling Smørgrav 	/* check for locked account */
111cf2b5f3bSDag-Erling Smørgrav 	if (!options.use_pam && passwd && *passwd) {
112cf2b5f3bSDag-Erling Smørgrav 		int locked = 0;
113cf2b5f3bSDag-Erling Smørgrav 
114cf2b5f3bSDag-Erling Smørgrav #ifdef LOCKED_PASSWD_STRING
115cf2b5f3bSDag-Erling Smørgrav 		if (strcmp(passwd, LOCKED_PASSWD_STRING) == 0)
116cf2b5f3bSDag-Erling Smørgrav 			 locked = 1;
117cf2b5f3bSDag-Erling Smørgrav #endif
118cf2b5f3bSDag-Erling Smørgrav #ifdef LOCKED_PASSWD_PREFIX
119cf2b5f3bSDag-Erling Smørgrav 		if (strncmp(passwd, LOCKED_PASSWD_PREFIX,
120cf2b5f3bSDag-Erling Smørgrav 		    strlen(LOCKED_PASSWD_PREFIX)) == 0)
121cf2b5f3bSDag-Erling Smørgrav 			 locked = 1;
122cf2b5f3bSDag-Erling Smørgrav #endif
123cf2b5f3bSDag-Erling Smørgrav #ifdef LOCKED_PASSWD_SUBSTR
124cf2b5f3bSDag-Erling Smørgrav 		if (strstr(passwd, LOCKED_PASSWD_SUBSTR))
125cf2b5f3bSDag-Erling Smørgrav 			locked = 1;
126cf2b5f3bSDag-Erling Smørgrav #endif
127d4ecd108SDag-Erling Smørgrav #if defined(HAVE_LIBIAF)  &&  !defined(BROKEN_LIBIAF)
128d4ecd108SDag-Erling Smørgrav 		free(passwd);
129d4ecd108SDag-Erling Smørgrav #endif /* HAVE_LIBIAF  && !BROKEN_LIBIAF */
130cf2b5f3bSDag-Erling Smørgrav 		if (locked) {
131cf2b5f3bSDag-Erling Smørgrav 			logit("User %.100s not allowed because account is locked",
132cf2b5f3bSDag-Erling Smørgrav 			    pw->pw_name);
133cf2b5f3bSDag-Erling Smørgrav 			return 0;
134cf2b5f3bSDag-Erling Smørgrav 		}
135cf2b5f3bSDag-Erling Smørgrav 	}
136cf2b5f3bSDag-Erling Smørgrav 
137c322fe35SKris Kennaway 	/*
138c322fe35SKris Kennaway 	 * Get the shell from the password data.  An empty shell field is
139c322fe35SKris Kennaway 	 * legal, and means /bin/sh.
140c322fe35SKris Kennaway 	 */
141c322fe35SKris Kennaway 	shell = (pw->pw_shell[0] == '\0') ? _PATH_BSHELL : pw->pw_shell;
142c322fe35SKris Kennaway 
143a04a10f8SKris Kennaway 	/* deny if shell does not exists or is not executable */
144af12a3e7SDag-Erling Smørgrav 	if (stat(shell, &st) != 0) {
145cf2b5f3bSDag-Erling Smørgrav 		logit("User %.100s not allowed because shell %.100s does not exist",
146af12a3e7SDag-Erling Smørgrav 		    pw->pw_name, shell);
147a04a10f8SKris Kennaway 		return 0;
148af12a3e7SDag-Erling Smørgrav 	}
14980628bacSDag-Erling Smørgrav 	if (S_ISREG(st.st_mode) == 0 ||
15080628bacSDag-Erling Smørgrav 	    (st.st_mode & (S_IXOTH|S_IXUSR|S_IXGRP)) == 0) {
151cf2b5f3bSDag-Erling Smørgrav 		logit("User %.100s not allowed because shell %.100s is not executable",
152af12a3e7SDag-Erling Smørgrav 		    pw->pw_name, shell);
153a04a10f8SKris Kennaway 		return 0;
154af12a3e7SDag-Erling Smørgrav 	}
155af12a3e7SDag-Erling Smørgrav 
156aa49c926SDag-Erling Smørgrav 	if (options.num_deny_users > 0 || options.num_allow_users > 0 ||
157aa49c926SDag-Erling Smørgrav 	    options.num_deny_groups > 0 || options.num_allow_groups > 0) {
158cf2b5f3bSDag-Erling Smørgrav 		hostname = get_canonical_hostname(options.use_dns);
159af12a3e7SDag-Erling Smørgrav 		ipaddr = get_remote_ipaddr();
160af12a3e7SDag-Erling Smørgrav 	}
161a04a10f8SKris Kennaway 
162a04a10f8SKris Kennaway 	/* Return false if user is listed in DenyUsers */
163a04a10f8SKris Kennaway 	if (options.num_deny_users > 0) {
164a04a10f8SKris Kennaway 		for (i = 0; i < options.num_deny_users; i++)
165af12a3e7SDag-Erling Smørgrav 			if (match_user(pw->pw_name, hostname, ipaddr,
166af12a3e7SDag-Erling Smørgrav 			    options.deny_users[i])) {
167aa49c926SDag-Erling Smørgrav 				logit("User %.100s from %.100s not allowed "
168aa49c926SDag-Erling Smørgrav 				    "because listed in DenyUsers",
169aa49c926SDag-Erling Smørgrav 				    pw->pw_name, hostname);
170a04a10f8SKris Kennaway 				return 0;
171a04a10f8SKris Kennaway 			}
172af12a3e7SDag-Erling Smørgrav 	}
173a04a10f8SKris Kennaway 	/* Return false if AllowUsers isn't empty and user isn't listed there */
174a04a10f8SKris Kennaway 	if (options.num_allow_users > 0) {
175a04a10f8SKris Kennaway 		for (i = 0; i < options.num_allow_users; i++)
176af12a3e7SDag-Erling Smørgrav 			if (match_user(pw->pw_name, hostname, ipaddr,
177af12a3e7SDag-Erling Smørgrav 			    options.allow_users[i]))
178a04a10f8SKris Kennaway 				break;
179a04a10f8SKris Kennaway 		/* i < options.num_allow_users iff we break for loop */
180af12a3e7SDag-Erling Smørgrav 		if (i >= options.num_allow_users) {
181aa49c926SDag-Erling Smørgrav 			logit("User %.100s from %.100s not allowed because "
182aa49c926SDag-Erling Smørgrav 			    "not listed in AllowUsers", pw->pw_name, hostname);
183a04a10f8SKris Kennaway 			return 0;
184a04a10f8SKris Kennaway 		}
185af12a3e7SDag-Erling Smørgrav 	}
186a04a10f8SKris Kennaway 	if (options.num_deny_groups > 0 || options.num_allow_groups > 0) {
187ca3176e7SBrian Feldman 		/* Get the user's group access list (primary and supplementary) */
188af12a3e7SDag-Erling Smørgrav 		if (ga_init(pw->pw_name, pw->pw_gid) == 0) {
189aa49c926SDag-Erling Smørgrav 			logit("User %.100s from %.100s not allowed because "
190aa49c926SDag-Erling Smørgrav 			    "not in any group", pw->pw_name, hostname);
191a04a10f8SKris Kennaway 			return 0;
192af12a3e7SDag-Erling Smørgrav 		}
193a04a10f8SKris Kennaway 
194ca3176e7SBrian Feldman 		/* Return false if one of user's groups is listed in DenyGroups */
195ca3176e7SBrian Feldman 		if (options.num_deny_groups > 0)
196ca3176e7SBrian Feldman 			if (ga_match(options.deny_groups,
197ca3176e7SBrian Feldman 			    options.num_deny_groups)) {
198ca3176e7SBrian Feldman 				ga_free();
199aa49c926SDag-Erling Smørgrav 				logit("User %.100s from %.100s not allowed "
200aa49c926SDag-Erling Smørgrav 				    "because a group is listed in DenyGroups",
201aa49c926SDag-Erling Smørgrav 				    pw->pw_name, hostname);
202a04a10f8SKris Kennaway 				return 0;
203a04a10f8SKris Kennaway 			}
204a04a10f8SKris Kennaway 		/*
205ca3176e7SBrian Feldman 		 * Return false if AllowGroups isn't empty and one of user's groups
206a04a10f8SKris Kennaway 		 * isn't listed there
207a04a10f8SKris Kennaway 		 */
208ca3176e7SBrian Feldman 		if (options.num_allow_groups > 0)
209ca3176e7SBrian Feldman 			if (!ga_match(options.allow_groups,
210ca3176e7SBrian Feldman 			    options.num_allow_groups)) {
211ca3176e7SBrian Feldman 				ga_free();
212aa49c926SDag-Erling Smørgrav 				logit("User %.100s from %.100s not allowed "
213aa49c926SDag-Erling Smørgrav 				    "because none of user's groups are listed "
214aa49c926SDag-Erling Smørgrav 				    "in AllowGroups", pw->pw_name, hostname);
215a04a10f8SKris Kennaway 				return 0;
216a04a10f8SKris Kennaway 			}
217ca3176e7SBrian Feldman 		ga_free();
218a04a10f8SKris Kennaway 	}
219989dd127SDag-Erling Smørgrav 
22021e764dfSDag-Erling Smørgrav #ifdef CUSTOM_SYS_AUTH_ALLOWED_USER
221aa49c926SDag-Erling Smørgrav 	if (!sys_auth_allowed_user(pw, &loginmsg))
222989dd127SDag-Erling Smørgrav 		return 0;
22321e764dfSDag-Erling Smørgrav #endif
224989dd127SDag-Erling Smørgrav 
225a04a10f8SKris Kennaway 	/* We found no reason not to let this user try to log on... */
226a04a10f8SKris Kennaway 	return 1;
227a04a10f8SKris Kennaway }
228ca3176e7SBrian Feldman 
229ca3176e7SBrian Feldman void
230ca3176e7SBrian Feldman auth_log(Authctxt *authctxt, int authenticated, char *method, char *info)
231ca3176e7SBrian Feldman {
232ca3176e7SBrian Feldman 	void (*authlog) (const char *fmt,...) = verbose;
233ca3176e7SBrian Feldman 	char *authmsg;
234ca3176e7SBrian Feldman 
235ca3176e7SBrian Feldman 	/* Raise logging level */
236ca3176e7SBrian Feldman 	if (authenticated == 1 ||
237ca3176e7SBrian Feldman 	    !authctxt->valid ||
23821e764dfSDag-Erling Smørgrav 	    authctxt->failures >= options.max_authtries / 2 ||
239ca3176e7SBrian Feldman 	    strcmp(method, "password") == 0)
240cf2b5f3bSDag-Erling Smørgrav 		authlog = logit;
241ca3176e7SBrian Feldman 
242ca3176e7SBrian Feldman 	if (authctxt->postponed)
243ca3176e7SBrian Feldman 		authmsg = "Postponed";
244ca3176e7SBrian Feldman 	else
245ca3176e7SBrian Feldman 		authmsg = authenticated ? "Accepted" : "Failed";
246ca3176e7SBrian Feldman 
247ca3176e7SBrian Feldman 	authlog("%s %s for %s%.100s from %.200s port %d%s",
248ca3176e7SBrian Feldman 	    authmsg,
249ca3176e7SBrian Feldman 	    method,
25021e764dfSDag-Erling Smørgrav 	    authctxt->valid ? "" : "invalid user ",
251af12a3e7SDag-Erling Smørgrav 	    authctxt->user,
252ca3176e7SBrian Feldman 	    get_remote_ipaddr(),
253ca3176e7SBrian Feldman 	    get_remote_port(),
254ca3176e7SBrian Feldman 	    info);
255f388f5efSDag-Erling Smørgrav 
256cf2b5f3bSDag-Erling Smørgrav #ifdef CUSTOM_FAILED_LOGIN
257aa49c926SDag-Erling Smørgrav 	if (authenticated == 0 && !authctxt->postponed &&
258aa49c926SDag-Erling Smørgrav 	    (strcmp(method, "password") == 0 ||
259aa49c926SDag-Erling Smørgrav 	    strncmp(method, "keyboard-interactive", 20) == 0 ||
260aa49c926SDag-Erling Smørgrav 	    strcmp(method, "challenge-response") == 0))
261aa49c926SDag-Erling Smørgrav 		record_failed_login(authctxt->user,
262aa49c926SDag-Erling Smørgrav 		    get_canonical_hostname(options.use_dns), "ssh");
263aa49c926SDag-Erling Smørgrav #endif
264aa49c926SDag-Erling Smørgrav #ifdef SSH_AUDIT_EVENTS
265aa49c926SDag-Erling Smørgrav 	if (authenticated == 0 && !authctxt->postponed) {
266aa49c926SDag-Erling Smørgrav 		ssh_audit_event_t event;
267aa49c926SDag-Erling Smørgrav 
268aa49c926SDag-Erling Smørgrav 		debug3("audit failed auth attempt, method %s euid %d",
269aa49c926SDag-Erling Smørgrav 		    method, (int)geteuid());
270aa49c926SDag-Erling Smørgrav 		/*
271aa49c926SDag-Erling Smørgrav 		 * Because the auth loop is used in both monitor and slave,
272aa49c926SDag-Erling Smørgrav 		 * we must be careful to send each event only once and with
273aa49c926SDag-Erling Smørgrav 		 * enough privs to write the event.
274aa49c926SDag-Erling Smørgrav 		 */
275aa49c926SDag-Erling Smørgrav 		event = audit_classify_auth(method);
276aa49c926SDag-Erling Smørgrav 		switch(event) {
277aa49c926SDag-Erling Smørgrav 		case SSH_AUTH_FAIL_NONE:
278aa49c926SDag-Erling Smørgrav 		case SSH_AUTH_FAIL_PASSWD:
279aa49c926SDag-Erling Smørgrav 		case SSH_AUTH_FAIL_KBDINT:
280aa49c926SDag-Erling Smørgrav 			if (geteuid() == 0)
281aa49c926SDag-Erling Smørgrav 				audit_event(event);
282aa49c926SDag-Erling Smørgrav 			break;
283aa49c926SDag-Erling Smørgrav 		case SSH_AUTH_FAIL_PUBKEY:
284aa49c926SDag-Erling Smørgrav 		case SSH_AUTH_FAIL_HOSTBASED:
285aa49c926SDag-Erling Smørgrav 		case SSH_AUTH_FAIL_GSSAPI:
286aa49c926SDag-Erling Smørgrav 			/*
287aa49c926SDag-Erling Smørgrav 			 * This is required to handle the case where privsep
288aa49c926SDag-Erling Smørgrav 			 * is enabled but it's root logging in, since
289aa49c926SDag-Erling Smørgrav 			 * use_privsep won't be cleared until after a
290aa49c926SDag-Erling Smørgrav 			 * successful login.
291aa49c926SDag-Erling Smørgrav 			 */
292aa49c926SDag-Erling Smørgrav 			if (geteuid() == 0)
293aa49c926SDag-Erling Smørgrav 				audit_event(event);
294aa49c926SDag-Erling Smørgrav 			else
295aa49c926SDag-Erling Smørgrav 				PRIVSEP(audit_event(event));
296aa49c926SDag-Erling Smørgrav 			break;
297aa49c926SDag-Erling Smørgrav 		default:
298aa49c926SDag-Erling Smørgrav 			error("unknown authentication audit event %d", event);
299aa49c926SDag-Erling Smørgrav 		}
300aa49c926SDag-Erling Smørgrav 	}
301cf2b5f3bSDag-Erling Smørgrav #endif
302ca3176e7SBrian Feldman }
303ca3176e7SBrian Feldman 
304ca3176e7SBrian Feldman /*
305ca3176e7SBrian Feldman  * Check whether root logins are disallowed.
306ca3176e7SBrian Feldman  */
307ca3176e7SBrian Feldman int
308ca3176e7SBrian Feldman auth_root_allowed(char *method)
309ca3176e7SBrian Feldman {
310ca3176e7SBrian Feldman 	switch (options.permit_root_login) {
311ca3176e7SBrian Feldman 	case PERMIT_YES:
312ca3176e7SBrian Feldman 		return 1;
313ca3176e7SBrian Feldman 		break;
314ca3176e7SBrian Feldman 	case PERMIT_NO_PASSWD:
315ca3176e7SBrian Feldman 		if (strcmp(method, "password") != 0)
316ca3176e7SBrian Feldman 			return 1;
317ca3176e7SBrian Feldman 		break;
318ca3176e7SBrian Feldman 	case PERMIT_FORCED_ONLY:
319ca3176e7SBrian Feldman 		if (forced_command) {
320cf2b5f3bSDag-Erling Smørgrav 			logit("Root login accepted for forced command.");
321ca3176e7SBrian Feldman 			return 1;
322ca3176e7SBrian Feldman 		}
323ca3176e7SBrian Feldman 		break;
324ca3176e7SBrian Feldman 	}
325cf2b5f3bSDag-Erling Smørgrav 	logit("ROOT LOGIN REFUSED FROM %.200s", get_remote_ipaddr());
326ca3176e7SBrian Feldman 	return 0;
327ca3176e7SBrian Feldman }
328af12a3e7SDag-Erling Smørgrav 
329af12a3e7SDag-Erling Smørgrav 
330af12a3e7SDag-Erling Smørgrav /*
331af12a3e7SDag-Erling Smørgrav  * Given a template and a passwd structure, build a filename
332af12a3e7SDag-Erling Smørgrav  * by substituting % tokenised options. Currently, %% becomes '%',
333af12a3e7SDag-Erling Smørgrav  * %h becomes the home directory and %u the username.
334af12a3e7SDag-Erling Smørgrav  *
335af12a3e7SDag-Erling Smørgrav  * This returns a buffer allocated by xmalloc.
336af12a3e7SDag-Erling Smørgrav  */
337d4ecd108SDag-Erling Smørgrav static char *
338d4ecd108SDag-Erling Smørgrav expand_authorized_keys(const char *filename, struct passwd *pw)
339af12a3e7SDag-Erling Smørgrav {
340d4ecd108SDag-Erling Smørgrav 	char *file, *ret;
341af12a3e7SDag-Erling Smørgrav 
342d4ecd108SDag-Erling Smørgrav 	file = percent_expand(filename, "h", pw->pw_dir,
343d4ecd108SDag-Erling Smørgrav 	    "u", pw->pw_name, (char *)NULL);
344af12a3e7SDag-Erling Smørgrav 
345af12a3e7SDag-Erling Smørgrav 	/*
346af12a3e7SDag-Erling Smørgrav 	 * Ensure that filename starts anchored. If not, be backward
347af12a3e7SDag-Erling Smørgrav 	 * compatible and prepend the '%h/'
348af12a3e7SDag-Erling Smørgrav 	 */
349d4ecd108SDag-Erling Smørgrav 	if (*file == '/')
350d4ecd108SDag-Erling Smørgrav 		return (file);
351af12a3e7SDag-Erling Smørgrav 
352d4ecd108SDag-Erling Smørgrav 	ret = xmalloc(MAXPATHLEN);
353d4ecd108SDag-Erling Smørgrav 	if (strlcpy(ret, pw->pw_dir, MAXPATHLEN) >= MAXPATHLEN ||
354d4ecd108SDag-Erling Smørgrav 	    strlcat(ret, "/", MAXPATHLEN) >= MAXPATHLEN ||
355d4ecd108SDag-Erling Smørgrav 	    strlcat(ret, file, MAXPATHLEN) >= MAXPATHLEN)
356d4ecd108SDag-Erling Smørgrav 		fatal("expand_authorized_keys: path too long");
357d4ecd108SDag-Erling Smørgrav 
358d4ecd108SDag-Erling Smørgrav 	xfree(file);
359d4ecd108SDag-Erling Smørgrav 	return (ret);
360af12a3e7SDag-Erling Smørgrav }
361af12a3e7SDag-Erling Smørgrav 
362af12a3e7SDag-Erling Smørgrav char *
363af12a3e7SDag-Erling Smørgrav authorized_keys_file(struct passwd *pw)
364af12a3e7SDag-Erling Smørgrav {
365d4ecd108SDag-Erling Smørgrav 	return expand_authorized_keys(options.authorized_keys_file, pw);
366af12a3e7SDag-Erling Smørgrav }
367af12a3e7SDag-Erling Smørgrav 
368af12a3e7SDag-Erling Smørgrav char *
369af12a3e7SDag-Erling Smørgrav authorized_keys_file2(struct passwd *pw)
370af12a3e7SDag-Erling Smørgrav {
371d4ecd108SDag-Erling Smørgrav 	return expand_authorized_keys(options.authorized_keys_file2, pw);
372af12a3e7SDag-Erling Smørgrav }
373af12a3e7SDag-Erling Smørgrav 
374af12a3e7SDag-Erling Smørgrav /* return ok if key exists in sysfile or userfile */
375af12a3e7SDag-Erling Smørgrav HostStatus
376af12a3e7SDag-Erling Smørgrav check_key_in_hostfiles(struct passwd *pw, Key *key, const char *host,
377af12a3e7SDag-Erling Smørgrav     const char *sysfile, const char *userfile)
378af12a3e7SDag-Erling Smørgrav {
379af12a3e7SDag-Erling Smørgrav 	Key *found;
380af12a3e7SDag-Erling Smørgrav 	char *user_hostfile;
381af12a3e7SDag-Erling Smørgrav 	struct stat st;
382af12a3e7SDag-Erling Smørgrav 	HostStatus host_status;
383af12a3e7SDag-Erling Smørgrav 
384af12a3e7SDag-Erling Smørgrav 	/* Check if we know the host and its host key. */
385af12a3e7SDag-Erling Smørgrav 	found = key_new(key->type);
386af12a3e7SDag-Erling Smørgrav 	host_status = check_host_in_hostfile(sysfile, host, key, found, NULL);
387af12a3e7SDag-Erling Smørgrav 
388af12a3e7SDag-Erling Smørgrav 	if (host_status != HOST_OK && userfile != NULL) {
389af12a3e7SDag-Erling Smørgrav 		user_hostfile = tilde_expand_filename(userfile, pw->pw_uid);
390af12a3e7SDag-Erling Smørgrav 		if (options.strict_modes &&
391af12a3e7SDag-Erling Smørgrav 		    (stat(user_hostfile, &st) == 0) &&
392af12a3e7SDag-Erling Smørgrav 		    ((st.st_uid != 0 && st.st_uid != pw->pw_uid) ||
393af12a3e7SDag-Erling Smørgrav 		    (st.st_mode & 022) != 0)) {
394cf2b5f3bSDag-Erling Smørgrav 			logit("Authentication refused for %.100s: "
395af12a3e7SDag-Erling Smørgrav 			    "bad owner or modes for %.200s",
396af12a3e7SDag-Erling Smørgrav 			    pw->pw_name, user_hostfile);
397af12a3e7SDag-Erling Smørgrav 		} else {
398af12a3e7SDag-Erling Smørgrav 			temporarily_use_uid(pw);
399af12a3e7SDag-Erling Smørgrav 			host_status = check_host_in_hostfile(user_hostfile,
400af12a3e7SDag-Erling Smørgrav 			    host, key, found, NULL);
401af12a3e7SDag-Erling Smørgrav 			restore_uid();
402af12a3e7SDag-Erling Smørgrav 		}
403af12a3e7SDag-Erling Smørgrav 		xfree(user_hostfile);
404af12a3e7SDag-Erling Smørgrav 	}
405af12a3e7SDag-Erling Smørgrav 	key_free(found);
406af12a3e7SDag-Erling Smørgrav 
407af12a3e7SDag-Erling Smørgrav 	debug2("check_key_in_hostfiles: key %s for %s", host_status == HOST_OK ?
408af12a3e7SDag-Erling Smørgrav 	    "ok" : "not found", host);
409af12a3e7SDag-Erling Smørgrav 	return host_status;
410af12a3e7SDag-Erling Smørgrav }
411af12a3e7SDag-Erling Smørgrav 
412af12a3e7SDag-Erling Smørgrav 
413af12a3e7SDag-Erling Smørgrav /*
414af12a3e7SDag-Erling Smørgrav  * Check a given file for security. This is defined as all components
415f388f5efSDag-Erling Smørgrav  * of the path to the file must be owned by either the owner of
416af12a3e7SDag-Erling Smørgrav  * of the file or root and no directories must be group or world writable.
417af12a3e7SDag-Erling Smørgrav  *
418af12a3e7SDag-Erling Smørgrav  * XXX Should any specific check be done for sym links ?
419af12a3e7SDag-Erling Smørgrav  *
420af12a3e7SDag-Erling Smørgrav  * Takes an open file descriptor, the file name, a uid and and
421af12a3e7SDag-Erling Smørgrav  * error buffer plus max size as arguments.
422af12a3e7SDag-Erling Smørgrav  *
423af12a3e7SDag-Erling Smørgrav  * Returns 0 on success and -1 on failure
424af12a3e7SDag-Erling Smørgrav  */
425af12a3e7SDag-Erling Smørgrav int
426af12a3e7SDag-Erling Smørgrav secure_filename(FILE *f, const char *file, struct passwd *pw,
427af12a3e7SDag-Erling Smørgrav     char *err, size_t errlen)
428af12a3e7SDag-Erling Smørgrav {
429af12a3e7SDag-Erling Smørgrav 	uid_t uid = pw->pw_uid;
430af12a3e7SDag-Erling Smørgrav 	char buf[MAXPATHLEN], homedir[MAXPATHLEN];
431af12a3e7SDag-Erling Smørgrav 	char *cp;
432e73e9afaSDag-Erling Smørgrav 	int comparehome = 0;
433af12a3e7SDag-Erling Smørgrav 	struct stat st;
434af12a3e7SDag-Erling Smørgrav 
435af12a3e7SDag-Erling Smørgrav 	if (realpath(file, buf) == NULL) {
436af12a3e7SDag-Erling Smørgrav 		snprintf(err, errlen, "realpath %s failed: %s", file,
437af12a3e7SDag-Erling Smørgrav 		    strerror(errno));
438af12a3e7SDag-Erling Smørgrav 		return -1;
439af12a3e7SDag-Erling Smørgrav 	}
440e73e9afaSDag-Erling Smørgrav 	if (realpath(pw->pw_dir, homedir) != NULL)
441e73e9afaSDag-Erling Smørgrav 		comparehome = 1;
442af12a3e7SDag-Erling Smørgrav 
443af12a3e7SDag-Erling Smørgrav 	/* check the open file to avoid races */
444af12a3e7SDag-Erling Smørgrav 	if (fstat(fileno(f), &st) < 0 ||
445af12a3e7SDag-Erling Smørgrav 	    (st.st_uid != 0 && st.st_uid != uid) ||
446af12a3e7SDag-Erling Smørgrav 	    (st.st_mode & 022) != 0) {
447af12a3e7SDag-Erling Smørgrav 		snprintf(err, errlen, "bad ownership or modes for file %s",
448af12a3e7SDag-Erling Smørgrav 		    buf);
449af12a3e7SDag-Erling Smørgrav 		return -1;
450af12a3e7SDag-Erling Smørgrav 	}
451af12a3e7SDag-Erling Smørgrav 
452af12a3e7SDag-Erling Smørgrav 	/* for each component of the canonical path, walking upwards */
453af12a3e7SDag-Erling Smørgrav 	for (;;) {
454af12a3e7SDag-Erling Smørgrav 		if ((cp = dirname(buf)) == NULL) {
455af12a3e7SDag-Erling Smørgrav 			snprintf(err, errlen, "dirname() failed");
456af12a3e7SDag-Erling Smørgrav 			return -1;
457af12a3e7SDag-Erling Smørgrav 		}
458af12a3e7SDag-Erling Smørgrav 		strlcpy(buf, cp, sizeof(buf));
459af12a3e7SDag-Erling Smørgrav 
460af12a3e7SDag-Erling Smørgrav 		debug3("secure_filename: checking '%s'", buf);
461af12a3e7SDag-Erling Smørgrav 		if (stat(buf, &st) < 0 ||
462af12a3e7SDag-Erling Smørgrav 		    (st.st_uid != 0 && st.st_uid != uid) ||
463af12a3e7SDag-Erling Smørgrav 		    (st.st_mode & 022) != 0) {
464af12a3e7SDag-Erling Smørgrav 			snprintf(err, errlen,
465af12a3e7SDag-Erling Smørgrav 			    "bad ownership or modes for directory %s", buf);
466af12a3e7SDag-Erling Smørgrav 			return -1;
467af12a3e7SDag-Erling Smørgrav 		}
468af12a3e7SDag-Erling Smørgrav 
469af12a3e7SDag-Erling Smørgrav 		/* If are passed the homedir then we can stop */
470e73e9afaSDag-Erling Smørgrav 		if (comparehome && strcmp(homedir, buf) == 0) {
471af12a3e7SDag-Erling Smørgrav 			debug3("secure_filename: terminating check at '%s'",
472af12a3e7SDag-Erling Smørgrav 			    buf);
473af12a3e7SDag-Erling Smørgrav 			break;
474af12a3e7SDag-Erling Smørgrav 		}
475af12a3e7SDag-Erling Smørgrav 		/*
476af12a3e7SDag-Erling Smørgrav 		 * dirname should always complete with a "/" path,
477af12a3e7SDag-Erling Smørgrav 		 * but we can be paranoid and check for "." too
478af12a3e7SDag-Erling Smørgrav 		 */
479af12a3e7SDag-Erling Smørgrav 		if ((strcmp("/", buf) == 0) || (strcmp(".", buf) == 0))
480af12a3e7SDag-Erling Smørgrav 			break;
481af12a3e7SDag-Erling Smørgrav 	}
482af12a3e7SDag-Erling Smørgrav 	return 0;
483af12a3e7SDag-Erling Smørgrav }
48480628bacSDag-Erling Smørgrav 
48580628bacSDag-Erling Smørgrav struct passwd *
48680628bacSDag-Erling Smørgrav getpwnamallow(const char *user)
48780628bacSDag-Erling Smørgrav {
48880628bacSDag-Erling Smørgrav #ifdef HAVE_LOGIN_CAP
48980628bacSDag-Erling Smørgrav 	extern login_cap_t *lc;
49080628bacSDag-Erling Smørgrav #ifdef BSD_AUTH
49180628bacSDag-Erling Smørgrav 	auth_session_t *as;
49280628bacSDag-Erling Smørgrav #endif
49380628bacSDag-Erling Smørgrav #endif
49480628bacSDag-Erling Smørgrav 	struct passwd *pw;
49580628bacSDag-Erling Smørgrav 
49680628bacSDag-Erling Smørgrav 	pw = getpwnam(user);
497f388f5efSDag-Erling Smørgrav 	if (pw == NULL) {
49821e764dfSDag-Erling Smørgrav 		logit("Invalid user %.100s from %.100s",
499f388f5efSDag-Erling Smørgrav 		    user, get_remote_ipaddr());
500cf2b5f3bSDag-Erling Smørgrav #ifdef CUSTOM_FAILED_LOGIN
501aa49c926SDag-Erling Smørgrav 		record_failed_login(user,
502aa49c926SDag-Erling Smørgrav 		    get_canonical_hostname(options.use_dns), "ssh");
503e73e9afaSDag-Erling Smørgrav #endif
504aa49c926SDag-Erling Smørgrav #ifdef SSH_AUDIT_EVENTS
505aa49c926SDag-Erling Smørgrav 		audit_event(SSH_INVALID_USER);
506aa49c926SDag-Erling Smørgrav #endif /* SSH_AUDIT_EVENTS */
507f388f5efSDag-Erling Smørgrav 		return (NULL);
508f388f5efSDag-Erling Smørgrav 	}
509f388f5efSDag-Erling Smørgrav 	if (!allowed_user(pw))
51080628bacSDag-Erling Smørgrav 		return (NULL);
51180628bacSDag-Erling Smørgrav #ifdef HAVE_LOGIN_CAP
512f38aa77fSTony Finch 	if ((lc = login_getpwclass(pw)) == NULL) {
51380628bacSDag-Erling Smørgrav 		debug("unable to get login class: %s", user);
51480628bacSDag-Erling Smørgrav 		return (NULL);
51580628bacSDag-Erling Smørgrav 	}
51680628bacSDag-Erling Smørgrav #ifdef BSD_AUTH
51780628bacSDag-Erling Smørgrav 	if ((as = auth_open()) == NULL || auth_setpwd(as, pw) != 0 ||
51880628bacSDag-Erling Smørgrav 	    auth_approval(as, lc, pw->pw_name, "ssh") <= 0) {
51980628bacSDag-Erling Smørgrav 		debug("Approval failure for %s", user);
52080628bacSDag-Erling Smørgrav 		pw = NULL;
52180628bacSDag-Erling Smørgrav 	}
52280628bacSDag-Erling Smørgrav 	if (as != NULL)
52380628bacSDag-Erling Smørgrav 		auth_close(as);
52480628bacSDag-Erling Smørgrav #endif
52580628bacSDag-Erling Smørgrav #endif
52680628bacSDag-Erling Smørgrav 	if (pw != NULL)
52780628bacSDag-Erling Smørgrav 		return (pwcopy(pw));
52880628bacSDag-Erling Smørgrav 	return (NULL);
52980628bacSDag-Erling Smørgrav }
53080628bacSDag-Erling Smørgrav 
53180628bacSDag-Erling Smørgrav void
53280628bacSDag-Erling Smørgrav auth_debug_add(const char *fmt,...)
53380628bacSDag-Erling Smørgrav {
53480628bacSDag-Erling Smørgrav 	char buf[1024];
53580628bacSDag-Erling Smørgrav 	va_list args;
53680628bacSDag-Erling Smørgrav 
53780628bacSDag-Erling Smørgrav 	if (!auth_debug_init)
53880628bacSDag-Erling Smørgrav 		return;
53980628bacSDag-Erling Smørgrav 
54080628bacSDag-Erling Smørgrav 	va_start(args, fmt);
54180628bacSDag-Erling Smørgrav 	vsnprintf(buf, sizeof(buf), fmt, args);
54280628bacSDag-Erling Smørgrav 	va_end(args);
54380628bacSDag-Erling Smørgrav 	buffer_put_cstring(&auth_debug, buf);
54480628bacSDag-Erling Smørgrav }
54580628bacSDag-Erling Smørgrav 
54680628bacSDag-Erling Smørgrav void
54780628bacSDag-Erling Smørgrav auth_debug_send(void)
54880628bacSDag-Erling Smørgrav {
54980628bacSDag-Erling Smørgrav 	char *msg;
55080628bacSDag-Erling Smørgrav 
55180628bacSDag-Erling Smørgrav 	if (!auth_debug_init)
55280628bacSDag-Erling Smørgrav 		return;
55380628bacSDag-Erling Smørgrav 	while (buffer_len(&auth_debug)) {
55480628bacSDag-Erling Smørgrav 		msg = buffer_get_string(&auth_debug, NULL);
55580628bacSDag-Erling Smørgrav 		packet_send_debug("%s", msg);
55680628bacSDag-Erling Smørgrav 		xfree(msg);
55780628bacSDag-Erling Smørgrav 	}
55880628bacSDag-Erling Smørgrav }
55980628bacSDag-Erling Smørgrav 
56080628bacSDag-Erling Smørgrav void
56180628bacSDag-Erling Smørgrav auth_debug_reset(void)
56280628bacSDag-Erling Smørgrav {
56380628bacSDag-Erling Smørgrav 	if (auth_debug_init)
56480628bacSDag-Erling Smørgrav 		buffer_clear(&auth_debug);
56580628bacSDag-Erling Smørgrav 	else {
56680628bacSDag-Erling Smørgrav 		buffer_init(&auth_debug);
56780628bacSDag-Erling Smørgrav 		auth_debug_init = 1;
56880628bacSDag-Erling Smørgrav 	}
56980628bacSDag-Erling Smørgrav }
570cf2b5f3bSDag-Erling Smørgrav 
571cf2b5f3bSDag-Erling Smørgrav struct passwd *
572cf2b5f3bSDag-Erling Smørgrav fakepw(void)
573cf2b5f3bSDag-Erling Smørgrav {
574cf2b5f3bSDag-Erling Smørgrav 	static struct passwd fake;
575cf2b5f3bSDag-Erling Smørgrav 
576cf2b5f3bSDag-Erling Smørgrav 	memset(&fake, 0, sizeof(fake));
577cf2b5f3bSDag-Erling Smørgrav 	fake.pw_name = "NOUSER";
578cf2b5f3bSDag-Erling Smørgrav 	fake.pw_passwd =
579cf2b5f3bSDag-Erling Smørgrav 	    "$2a$06$r3.juUaHZDlIbQaO2dS9FuYxL1W9M81R1Tc92PoSNmzvpEqLkLGrK";
580cf2b5f3bSDag-Erling Smørgrav 	fake.pw_gecos = "NOUSER";
58121e764dfSDag-Erling Smørgrav 	fake.pw_uid = (uid_t)-1;
58221e764dfSDag-Erling Smørgrav 	fake.pw_gid = (gid_t)-1;
583cf2b5f3bSDag-Erling Smørgrav #ifdef HAVE_PW_CLASS_IN_PASSWD
584cf2b5f3bSDag-Erling Smørgrav 	fake.pw_class = "";
585cf2b5f3bSDag-Erling Smørgrav #endif
586cf2b5f3bSDag-Erling Smørgrav 	fake.pw_dir = "/nonexist";
587cf2b5f3bSDag-Erling Smørgrav 	fake.pw_shell = "/nonexist";
588cf2b5f3bSDag-Erling Smørgrav 
589cf2b5f3bSDag-Erling Smørgrav 	return (&fake);
590cf2b5f3bSDag-Erling Smørgrav }
591