xref: /freebsd/crypto/openssh/auth.c (revision e4a9863fb76a1f6b16ecbcbd31e88f4ad9a9565e)
1*e4a9863fSDag-Erling Smørgrav /* $OpenBSD: auth.c,v 1.103 2013/05/19 02:42:42 djm Exp $ */
2a04a10f8SKris Kennaway /*
3a04a10f8SKris Kennaway  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
4e8aafc91SKris Kennaway  *
5c2d3a559SKris Kennaway  * Redistribution and use in source and binary forms, with or without
6c2d3a559SKris Kennaway  * modification, are permitted provided that the following conditions
7c2d3a559SKris Kennaway  * are met:
8c2d3a559SKris Kennaway  * 1. Redistributions of source code must retain the above copyright
9c2d3a559SKris Kennaway  *    notice, this list of conditions and the following disclaimer.
10c2d3a559SKris Kennaway  * 2. Redistributions in binary form must reproduce the above copyright
11c2d3a559SKris Kennaway  *    notice, this list of conditions and the following disclaimer in the
12c2d3a559SKris Kennaway  *    documentation and/or other materials provided with the distribution.
13c2d3a559SKris Kennaway  *
14c2d3a559SKris Kennaway  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
15c2d3a559SKris Kennaway  * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
16c2d3a559SKris Kennaway  * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
17c2d3a559SKris Kennaway  * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
18c2d3a559SKris Kennaway  * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
19c2d3a559SKris Kennaway  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
20c2d3a559SKris Kennaway  * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
21c2d3a559SKris Kennaway  * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
22c2d3a559SKris Kennaway  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
23c2d3a559SKris Kennaway  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
24a04a10f8SKris Kennaway  */
25a04a10f8SKris Kennaway 
26a04a10f8SKris Kennaway #include "includes.h"
27333ee039SDag-Erling Smørgrav __RCSID("$FreeBSD$");
28a04a10f8SKris Kennaway 
29333ee039SDag-Erling Smørgrav #include <sys/types.h>
30333ee039SDag-Erling Smørgrav #include <sys/stat.h>
31333ee039SDag-Erling Smørgrav #include <sys/param.h>
32333ee039SDag-Erling Smørgrav 
33333ee039SDag-Erling Smørgrav #include <netinet/in.h>
34333ee039SDag-Erling Smørgrav 
35333ee039SDag-Erling Smørgrav #include <errno.h>
36d4af9e69SDag-Erling Smørgrav #include <fcntl.h>
37333ee039SDag-Erling Smørgrav #ifdef HAVE_PATHS_H
38333ee039SDag-Erling Smørgrav # include <paths.h>
39333ee039SDag-Erling Smørgrav #endif
40333ee039SDag-Erling Smørgrav #include <pwd.h>
41989dd127SDag-Erling Smørgrav #ifdef HAVE_LOGIN_H
42989dd127SDag-Erling Smørgrav #include <login.h>
43989dd127SDag-Erling Smørgrav #endif
441ec0d754SDag-Erling Smørgrav #ifdef USE_SHADOW
45989dd127SDag-Erling Smørgrav #include <shadow.h>
461ec0d754SDag-Erling Smørgrav #endif
47989dd127SDag-Erling Smørgrav #ifdef HAVE_LIBGEN_H
48af12a3e7SDag-Erling Smørgrav #include <libgen.h>
49989dd127SDag-Erling Smørgrav #endif
50333ee039SDag-Erling Smørgrav #include <stdarg.h>
51333ee039SDag-Erling Smørgrav #include <stdio.h>
52333ee039SDag-Erling Smørgrav #include <string.h>
53d4af9e69SDag-Erling Smørgrav #include <unistd.h>
54af12a3e7SDag-Erling Smørgrav 
55a04a10f8SKris Kennaway #include "xmalloc.h"
56a04a10f8SKris Kennaway #include "match.h"
57ca3176e7SBrian Feldman #include "groupaccess.h"
58ca3176e7SBrian Feldman #include "log.h"
59333ee039SDag-Erling Smørgrav #include "buffer.h"
60ca3176e7SBrian Feldman #include "servconf.h"
61333ee039SDag-Erling Smørgrav #include "key.h"
62333ee039SDag-Erling Smørgrav #include "hostfile.h"
63a04a10f8SKris Kennaway #include "auth.h"
64ca3176e7SBrian Feldman #include "auth-options.h"
65ca3176e7SBrian Feldman #include "canohost.h"
66af12a3e7SDag-Erling Smørgrav #include "uidswap.h"
6780628bacSDag-Erling Smørgrav #include "misc.h"
6880628bacSDag-Erling Smørgrav #include "packet.h"
69aa49c926SDag-Erling Smørgrav #include "loginrec.h"
70333ee039SDag-Erling Smørgrav #ifdef GSSAPI
71333ee039SDag-Erling Smørgrav #include "ssh-gss.h"
72333ee039SDag-Erling Smørgrav #endif
73b15c8340SDag-Erling Smørgrav #include "authfile.h"
74aa49c926SDag-Erling Smørgrav #include "monitor_wrap.h"
756888a9beSDag-Erling Smørgrav #include "krl.h"
76*e4a9863fSDag-Erling Smørgrav #include "compat.h"
77a04a10f8SKris Kennaway 
78a04a10f8SKris Kennaway /* import */
79a04a10f8SKris Kennaway extern ServerOptions options;
80333ee039SDag-Erling Smørgrav extern int use_privsep;
81cf2b5f3bSDag-Erling Smørgrav extern Buffer loginmsg;
82333ee039SDag-Erling Smørgrav extern struct passwd *privsep_pw;
83a04a10f8SKris Kennaway 
8480628bacSDag-Erling Smørgrav /* Debugging messages */
8580628bacSDag-Erling Smørgrav Buffer auth_debug;
8680628bacSDag-Erling Smørgrav int auth_debug_init;
8780628bacSDag-Erling Smørgrav 
88a04a10f8SKris Kennaway /*
89ca3176e7SBrian Feldman  * Check if the user is allowed to log in via ssh. If user is listed
90ca3176e7SBrian Feldman  * in DenyUsers or one of user's groups is listed in DenyGroups, false
91ca3176e7SBrian Feldman  * will be returned. If AllowUsers isn't empty and user isn't listed
92ca3176e7SBrian Feldman  * there, or if AllowGroups isn't empty and one of user's groups isn't
93ca3176e7SBrian Feldman  * listed there, false will be returned.
94a04a10f8SKris Kennaway  * If the user's shell is not executable, false will be returned.
95a04a10f8SKris Kennaway  * Otherwise true is returned.
96a04a10f8SKris Kennaway  */
97a04a10f8SKris Kennaway int
98a04a10f8SKris Kennaway allowed_user(struct passwd * pw)
99a04a10f8SKris Kennaway {
100a04a10f8SKris Kennaway 	struct stat st;
101cf2b5f3bSDag-Erling Smørgrav 	const char *hostname = NULL, *ipaddr = NULL, *passwd = NULL;
102d4ecd108SDag-Erling Smørgrav 	u_int i;
1031ec0d754SDag-Erling Smørgrav #ifdef USE_SHADOW
104cf2b5f3bSDag-Erling Smørgrav 	struct spwd *spw = NULL;
105e73e9afaSDag-Erling Smørgrav #endif
106a04a10f8SKris Kennaway 
107a04a10f8SKris Kennaway 	/* Shouldn't be called if pw is NULL, but better safe than sorry... */
108ca3176e7SBrian Feldman 	if (!pw || !pw->pw_name)
109a04a10f8SKris Kennaway 		return 0;
110a04a10f8SKris Kennaway 
1111ec0d754SDag-Erling Smørgrav #ifdef USE_SHADOW
112cf2b5f3bSDag-Erling Smørgrav 	if (!options.use_pam)
113cf2b5f3bSDag-Erling Smørgrav 		spw = getspnam(pw->pw_name);
114cf2b5f3bSDag-Erling Smørgrav #ifdef HAS_SHADOW_EXPIRE
1151ec0d754SDag-Erling Smørgrav 	if (!options.use_pam && spw != NULL && auth_shadow_acctexpired(spw))
116989dd127SDag-Erling Smørgrav 		return 0;
117cf2b5f3bSDag-Erling Smørgrav #endif /* HAS_SHADOW_EXPIRE */
1181ec0d754SDag-Erling Smørgrav #endif /* USE_SHADOW */
119cf2b5f3bSDag-Erling Smørgrav 
120cf2b5f3bSDag-Erling Smørgrav 	/* grab passwd field for locked account check */
121d4af9e69SDag-Erling Smørgrav 	passwd = pw->pw_passwd;
1221ec0d754SDag-Erling Smørgrav #ifdef USE_SHADOW
123cf2b5f3bSDag-Erling Smørgrav 	if (spw != NULL)
124d4af9e69SDag-Erling Smørgrav #ifdef USE_LIBIAF
125d4ecd108SDag-Erling Smørgrav 		passwd = get_iaf_password(pw);
126d4ecd108SDag-Erling Smørgrav #else
127cf2b5f3bSDag-Erling Smørgrav 		passwd = spw->sp_pwdp;
128d4af9e69SDag-Erling Smørgrav #endif /* USE_LIBIAF */
129989dd127SDag-Erling Smørgrav #endif
130989dd127SDag-Erling Smørgrav 
131cf2b5f3bSDag-Erling Smørgrav 	/* check for locked account */
132cf2b5f3bSDag-Erling Smørgrav 	if (!options.use_pam && passwd && *passwd) {
133cf2b5f3bSDag-Erling Smørgrav 		int locked = 0;
134cf2b5f3bSDag-Erling Smørgrav 
135cf2b5f3bSDag-Erling Smørgrav #ifdef LOCKED_PASSWD_STRING
136cf2b5f3bSDag-Erling Smørgrav 		if (strcmp(passwd, LOCKED_PASSWD_STRING) == 0)
137cf2b5f3bSDag-Erling Smørgrav 			 locked = 1;
138cf2b5f3bSDag-Erling Smørgrav #endif
139cf2b5f3bSDag-Erling Smørgrav #ifdef LOCKED_PASSWD_PREFIX
140cf2b5f3bSDag-Erling Smørgrav 		if (strncmp(passwd, LOCKED_PASSWD_PREFIX,
141cf2b5f3bSDag-Erling Smørgrav 		    strlen(LOCKED_PASSWD_PREFIX)) == 0)
142cf2b5f3bSDag-Erling Smørgrav 			 locked = 1;
143cf2b5f3bSDag-Erling Smørgrav #endif
144cf2b5f3bSDag-Erling Smørgrav #ifdef LOCKED_PASSWD_SUBSTR
145cf2b5f3bSDag-Erling Smørgrav 		if (strstr(passwd, LOCKED_PASSWD_SUBSTR))
146cf2b5f3bSDag-Erling Smørgrav 			locked = 1;
147cf2b5f3bSDag-Erling Smørgrav #endif
148d4af9e69SDag-Erling Smørgrav #ifdef USE_LIBIAF
149e2f6069cSDag-Erling Smørgrav 		free((void *) passwd);
150d4af9e69SDag-Erling Smørgrav #endif /* USE_LIBIAF */
151cf2b5f3bSDag-Erling Smørgrav 		if (locked) {
152cf2b5f3bSDag-Erling Smørgrav 			logit("User %.100s not allowed because account is locked",
153cf2b5f3bSDag-Erling Smørgrav 			    pw->pw_name);
154cf2b5f3bSDag-Erling Smørgrav 			return 0;
155cf2b5f3bSDag-Erling Smørgrav 		}
156cf2b5f3bSDag-Erling Smørgrav 	}
157cf2b5f3bSDag-Erling Smørgrav 
158c322fe35SKris Kennaway 	/*
159b15c8340SDag-Erling Smørgrav 	 * Deny if shell does not exist or is not executable unless we
160b15c8340SDag-Erling Smørgrav 	 * are chrooting.
161c322fe35SKris Kennaway 	 */
162b15c8340SDag-Erling Smørgrav 	if (options.chroot_directory == NULL ||
163b15c8340SDag-Erling Smørgrav 	    strcasecmp(options.chroot_directory, "none") == 0) {
164b15c8340SDag-Erling Smørgrav 		char *shell = xstrdup((pw->pw_shell[0] == '\0') ?
165b15c8340SDag-Erling Smørgrav 		    _PATH_BSHELL : pw->pw_shell); /* empty = /bin/sh */
166c322fe35SKris Kennaway 
167af12a3e7SDag-Erling Smørgrav 		if (stat(shell, &st) != 0) {
168b15c8340SDag-Erling Smørgrav 			logit("User %.100s not allowed because shell %.100s "
169b15c8340SDag-Erling Smørgrav 			    "does not exist", pw->pw_name, shell);
170*e4a9863fSDag-Erling Smørgrav 			free(shell);
171a04a10f8SKris Kennaway 			return 0;
172af12a3e7SDag-Erling Smørgrav 		}
17380628bacSDag-Erling Smørgrav 		if (S_ISREG(st.st_mode) == 0 ||
17480628bacSDag-Erling Smørgrav 		    (st.st_mode & (S_IXOTH|S_IXUSR|S_IXGRP)) == 0) {
175b15c8340SDag-Erling Smørgrav 			logit("User %.100s not allowed because shell %.100s "
176b15c8340SDag-Erling Smørgrav 			    "is not executable", pw->pw_name, shell);
177*e4a9863fSDag-Erling Smørgrav 			free(shell);
178a04a10f8SKris Kennaway 			return 0;
179af12a3e7SDag-Erling Smørgrav 		}
180*e4a9863fSDag-Erling Smørgrav 		free(shell);
181b15c8340SDag-Erling Smørgrav 	}
182af12a3e7SDag-Erling Smørgrav 
183aa49c926SDag-Erling Smørgrav 	if (options.num_deny_users > 0 || options.num_allow_users > 0 ||
184aa49c926SDag-Erling Smørgrav 	    options.num_deny_groups > 0 || options.num_allow_groups > 0) {
185cf2b5f3bSDag-Erling Smørgrav 		hostname = get_canonical_hostname(options.use_dns);
186af12a3e7SDag-Erling Smørgrav 		ipaddr = get_remote_ipaddr();
187af12a3e7SDag-Erling Smørgrav 	}
188a04a10f8SKris Kennaway 
189a04a10f8SKris Kennaway 	/* Return false if user is listed in DenyUsers */
190a04a10f8SKris Kennaway 	if (options.num_deny_users > 0) {
191a04a10f8SKris Kennaway 		for (i = 0; i < options.num_deny_users; i++)
192af12a3e7SDag-Erling Smørgrav 			if (match_user(pw->pw_name, hostname, ipaddr,
193af12a3e7SDag-Erling Smørgrav 			    options.deny_users[i])) {
194aa49c926SDag-Erling Smørgrav 				logit("User %.100s from %.100s not allowed "
195aa49c926SDag-Erling Smørgrav 				    "because listed in DenyUsers",
196aa49c926SDag-Erling Smørgrav 				    pw->pw_name, hostname);
197a04a10f8SKris Kennaway 				return 0;
198a04a10f8SKris Kennaway 			}
199af12a3e7SDag-Erling Smørgrav 	}
200a04a10f8SKris Kennaway 	/* Return false if AllowUsers isn't empty and user isn't listed there */
201a04a10f8SKris Kennaway 	if (options.num_allow_users > 0) {
202a04a10f8SKris Kennaway 		for (i = 0; i < options.num_allow_users; i++)
203af12a3e7SDag-Erling Smørgrav 			if (match_user(pw->pw_name, hostname, ipaddr,
204af12a3e7SDag-Erling Smørgrav 			    options.allow_users[i]))
205a04a10f8SKris Kennaway 				break;
206a04a10f8SKris Kennaway 		/* i < options.num_allow_users iff we break for loop */
207af12a3e7SDag-Erling Smørgrav 		if (i >= options.num_allow_users) {
208aa49c926SDag-Erling Smørgrav 			logit("User %.100s from %.100s not allowed because "
209aa49c926SDag-Erling Smørgrav 			    "not listed in AllowUsers", pw->pw_name, hostname);
210a04a10f8SKris Kennaway 			return 0;
211a04a10f8SKris Kennaway 		}
212af12a3e7SDag-Erling Smørgrav 	}
213a04a10f8SKris Kennaway 	if (options.num_deny_groups > 0 || options.num_allow_groups > 0) {
214ca3176e7SBrian Feldman 		/* Get the user's group access list (primary and supplementary) */
215af12a3e7SDag-Erling Smørgrav 		if (ga_init(pw->pw_name, pw->pw_gid) == 0) {
216aa49c926SDag-Erling Smørgrav 			logit("User %.100s from %.100s not allowed because "
217aa49c926SDag-Erling Smørgrav 			    "not in any group", pw->pw_name, hostname);
218a04a10f8SKris Kennaway 			return 0;
219af12a3e7SDag-Erling Smørgrav 		}
220a04a10f8SKris Kennaway 
221ca3176e7SBrian Feldman 		/* Return false if one of user's groups is listed in DenyGroups */
222ca3176e7SBrian Feldman 		if (options.num_deny_groups > 0)
223ca3176e7SBrian Feldman 			if (ga_match(options.deny_groups,
224ca3176e7SBrian Feldman 			    options.num_deny_groups)) {
225ca3176e7SBrian Feldman 				ga_free();
226aa49c926SDag-Erling Smørgrav 				logit("User %.100s from %.100s not allowed "
227aa49c926SDag-Erling Smørgrav 				    "because a group is listed in DenyGroups",
228aa49c926SDag-Erling Smørgrav 				    pw->pw_name, hostname);
229a04a10f8SKris Kennaway 				return 0;
230a04a10f8SKris Kennaway 			}
231a04a10f8SKris Kennaway 		/*
232ca3176e7SBrian Feldman 		 * Return false if AllowGroups isn't empty and one of user's groups
233a04a10f8SKris Kennaway 		 * isn't listed there
234a04a10f8SKris Kennaway 		 */
235ca3176e7SBrian Feldman 		if (options.num_allow_groups > 0)
236ca3176e7SBrian Feldman 			if (!ga_match(options.allow_groups,
237ca3176e7SBrian Feldman 			    options.num_allow_groups)) {
238ca3176e7SBrian Feldman 				ga_free();
239aa49c926SDag-Erling Smørgrav 				logit("User %.100s from %.100s not allowed "
240aa49c926SDag-Erling Smørgrav 				    "because none of user's groups are listed "
241aa49c926SDag-Erling Smørgrav 				    "in AllowGroups", pw->pw_name, hostname);
242a04a10f8SKris Kennaway 				return 0;
243a04a10f8SKris Kennaway 			}
244ca3176e7SBrian Feldman 		ga_free();
245a04a10f8SKris Kennaway 	}
246989dd127SDag-Erling Smørgrav 
24721e764dfSDag-Erling Smørgrav #ifdef CUSTOM_SYS_AUTH_ALLOWED_USER
248aa49c926SDag-Erling Smørgrav 	if (!sys_auth_allowed_user(pw, &loginmsg))
249989dd127SDag-Erling Smørgrav 		return 0;
25021e764dfSDag-Erling Smørgrav #endif
251989dd127SDag-Erling Smørgrav 
252a04a10f8SKris Kennaway 	/* We found no reason not to let this user try to log on... */
253a04a10f8SKris Kennaway 	return 1;
254a04a10f8SKris Kennaway }
255ca3176e7SBrian Feldman 
256ca3176e7SBrian Feldman void
257*e4a9863fSDag-Erling Smørgrav auth_info(Authctxt *authctxt, const char *fmt, ...)
258*e4a9863fSDag-Erling Smørgrav {
259*e4a9863fSDag-Erling Smørgrav 	va_list ap;
260*e4a9863fSDag-Erling Smørgrav         int i;
261*e4a9863fSDag-Erling Smørgrav 
262*e4a9863fSDag-Erling Smørgrav 	free(authctxt->info);
263*e4a9863fSDag-Erling Smørgrav 	authctxt->info = NULL;
264*e4a9863fSDag-Erling Smørgrav 
265*e4a9863fSDag-Erling Smørgrav 	va_start(ap, fmt);
266*e4a9863fSDag-Erling Smørgrav 	i = vasprintf(&authctxt->info, fmt, ap);
267*e4a9863fSDag-Erling Smørgrav 	va_end(ap);
268*e4a9863fSDag-Erling Smørgrav 
269*e4a9863fSDag-Erling Smørgrav 	if (i < 0 || authctxt->info == NULL)
270*e4a9863fSDag-Erling Smørgrav 		fatal("vasprintf failed");
271*e4a9863fSDag-Erling Smørgrav }
272*e4a9863fSDag-Erling Smørgrav 
273*e4a9863fSDag-Erling Smørgrav void
2746888a9beSDag-Erling Smørgrav auth_log(Authctxt *authctxt, int authenticated, int partial,
275*e4a9863fSDag-Erling Smørgrav     const char *method, const char *submethod)
276ca3176e7SBrian Feldman {
277ca3176e7SBrian Feldman 	void (*authlog) (const char *fmt,...) = verbose;
278ca3176e7SBrian Feldman 	char *authmsg;
279ca3176e7SBrian Feldman 
280333ee039SDag-Erling Smørgrav 	if (use_privsep && !mm_is_monitor() && !authctxt->postponed)
281333ee039SDag-Erling Smørgrav 		return;
282333ee039SDag-Erling Smørgrav 
283ca3176e7SBrian Feldman 	/* Raise logging level */
284ca3176e7SBrian Feldman 	if (authenticated == 1 ||
285ca3176e7SBrian Feldman 	    !authctxt->valid ||
28621e764dfSDag-Erling Smørgrav 	    authctxt->failures >= options.max_authtries / 2 ||
287ca3176e7SBrian Feldman 	    strcmp(method, "password") == 0)
288cf2b5f3bSDag-Erling Smørgrav 		authlog = logit;
289ca3176e7SBrian Feldman 
290ca3176e7SBrian Feldman 	if (authctxt->postponed)
291ca3176e7SBrian Feldman 		authmsg = "Postponed";
2926888a9beSDag-Erling Smørgrav 	else if (partial)
2936888a9beSDag-Erling Smørgrav 		authmsg = "Partial";
294ca3176e7SBrian Feldman 	else
295ca3176e7SBrian Feldman 		authmsg = authenticated ? "Accepted" : "Failed";
296ca3176e7SBrian Feldman 
297*e4a9863fSDag-Erling Smørgrav 	authlog("%s %s%s%s for %s%.100s from %.200s port %d %s%s%s",
298ca3176e7SBrian Feldman 	    authmsg,
299ca3176e7SBrian Feldman 	    method,
3006888a9beSDag-Erling Smørgrav 	    submethod != NULL ? "/" : "", submethod == NULL ? "" : submethod,
30121e764dfSDag-Erling Smørgrav 	    authctxt->valid ? "" : "invalid user ",
302af12a3e7SDag-Erling Smørgrav 	    authctxt->user,
303ca3176e7SBrian Feldman 	    get_remote_ipaddr(),
304ca3176e7SBrian Feldman 	    get_remote_port(),
305*e4a9863fSDag-Erling Smørgrav 	    compat20 ? "ssh2" : "ssh1",
306*e4a9863fSDag-Erling Smørgrav 	    authctxt->info != NULL ? ": " : "",
307*e4a9863fSDag-Erling Smørgrav 	    authctxt->info != NULL ? authctxt->info : "");
308*e4a9863fSDag-Erling Smørgrav 	free(authctxt->info);
309*e4a9863fSDag-Erling Smørgrav 	authctxt->info = NULL;
310f388f5efSDag-Erling Smørgrav 
311cf2b5f3bSDag-Erling Smørgrav #ifdef CUSTOM_FAILED_LOGIN
312aa49c926SDag-Erling Smørgrav 	if (authenticated == 0 && !authctxt->postponed &&
313aa49c926SDag-Erling Smørgrav 	    (strcmp(method, "password") == 0 ||
314aa49c926SDag-Erling Smørgrav 	    strncmp(method, "keyboard-interactive", 20) == 0 ||
315aa49c926SDag-Erling Smørgrav 	    strcmp(method, "challenge-response") == 0))
316aa49c926SDag-Erling Smørgrav 		record_failed_login(authctxt->user,
317aa49c926SDag-Erling Smørgrav 		    get_canonical_hostname(options.use_dns), "ssh");
318333ee039SDag-Erling Smørgrav # ifdef WITH_AIXAUTHENTICATE
319333ee039SDag-Erling Smørgrav 	if (authenticated)
320333ee039SDag-Erling Smørgrav 		sys_auth_record_login(authctxt->user,
321333ee039SDag-Erling Smørgrav 		    get_canonical_hostname(options.use_dns), "ssh", &loginmsg);
322333ee039SDag-Erling Smørgrav # endif
323aa49c926SDag-Erling Smørgrav #endif
324aa49c926SDag-Erling Smørgrav #ifdef SSH_AUDIT_EVENTS
325333ee039SDag-Erling Smørgrav 	if (authenticated == 0 && !authctxt->postponed)
326333ee039SDag-Erling Smørgrav 		audit_event(audit_classify_auth(method));
327cf2b5f3bSDag-Erling Smørgrav #endif
328ca3176e7SBrian Feldman }
329ca3176e7SBrian Feldman 
330ca3176e7SBrian Feldman /*
331ca3176e7SBrian Feldman  * Check whether root logins are disallowed.
332ca3176e7SBrian Feldman  */
333ca3176e7SBrian Feldman int
3346888a9beSDag-Erling Smørgrav auth_root_allowed(const char *method)
335ca3176e7SBrian Feldman {
336ca3176e7SBrian Feldman 	switch (options.permit_root_login) {
337ca3176e7SBrian Feldman 	case PERMIT_YES:
338ca3176e7SBrian Feldman 		return 1;
339ca3176e7SBrian Feldman 	case PERMIT_NO_PASSWD:
340ca3176e7SBrian Feldman 		if (strcmp(method, "password") != 0)
341ca3176e7SBrian Feldman 			return 1;
342ca3176e7SBrian Feldman 		break;
343ca3176e7SBrian Feldman 	case PERMIT_FORCED_ONLY:
344ca3176e7SBrian Feldman 		if (forced_command) {
345cf2b5f3bSDag-Erling Smørgrav 			logit("Root login accepted for forced command.");
346ca3176e7SBrian Feldman 			return 1;
347ca3176e7SBrian Feldman 		}
348ca3176e7SBrian Feldman 		break;
349ca3176e7SBrian Feldman 	}
350cf2b5f3bSDag-Erling Smørgrav 	logit("ROOT LOGIN REFUSED FROM %.200s", get_remote_ipaddr());
351ca3176e7SBrian Feldman 	return 0;
352ca3176e7SBrian Feldman }
353af12a3e7SDag-Erling Smørgrav 
354af12a3e7SDag-Erling Smørgrav 
355af12a3e7SDag-Erling Smørgrav /*
356af12a3e7SDag-Erling Smørgrav  * Given a template and a passwd structure, build a filename
357af12a3e7SDag-Erling Smørgrav  * by substituting % tokenised options. Currently, %% becomes '%',
358af12a3e7SDag-Erling Smørgrav  * %h becomes the home directory and %u the username.
359af12a3e7SDag-Erling Smørgrav  *
360af12a3e7SDag-Erling Smørgrav  * This returns a buffer allocated by xmalloc.
361af12a3e7SDag-Erling Smørgrav  */
362e146993eSDag-Erling Smørgrav char *
363d4ecd108SDag-Erling Smørgrav expand_authorized_keys(const char *filename, struct passwd *pw)
364af12a3e7SDag-Erling Smørgrav {
365333ee039SDag-Erling Smørgrav 	char *file, ret[MAXPATHLEN];
366333ee039SDag-Erling Smørgrav 	int i;
367af12a3e7SDag-Erling Smørgrav 
368d4ecd108SDag-Erling Smørgrav 	file = percent_expand(filename, "h", pw->pw_dir,
369d4ecd108SDag-Erling Smørgrav 	    "u", pw->pw_name, (char *)NULL);
370af12a3e7SDag-Erling Smørgrav 
371af12a3e7SDag-Erling Smørgrav 	/*
372af12a3e7SDag-Erling Smørgrav 	 * Ensure that filename starts anchored. If not, be backward
373af12a3e7SDag-Erling Smørgrav 	 * compatible and prepend the '%h/'
374af12a3e7SDag-Erling Smørgrav 	 */
375d4ecd108SDag-Erling Smørgrav 	if (*file == '/')
376d4ecd108SDag-Erling Smørgrav 		return (file);
377af12a3e7SDag-Erling Smørgrav 
378333ee039SDag-Erling Smørgrav 	i = snprintf(ret, sizeof(ret), "%s/%s", pw->pw_dir, file);
379333ee039SDag-Erling Smørgrav 	if (i < 0 || (size_t)i >= sizeof(ret))
380d4ecd108SDag-Erling Smørgrav 		fatal("expand_authorized_keys: path too long");
381*e4a9863fSDag-Erling Smørgrav 	free(file);
382333ee039SDag-Erling Smørgrav 	return (xstrdup(ret));
383af12a3e7SDag-Erling Smørgrav }
384af12a3e7SDag-Erling Smørgrav 
385af12a3e7SDag-Erling Smørgrav char *
386e2f6069cSDag-Erling Smørgrav authorized_principals_file(struct passwd *pw)
387e2f6069cSDag-Erling Smørgrav {
388462c32cbSDag-Erling Smørgrav 	if (options.authorized_principals_file == NULL ||
389462c32cbSDag-Erling Smørgrav 	    strcasecmp(options.authorized_principals_file, "none") == 0)
390e2f6069cSDag-Erling Smørgrav 		return NULL;
391e2f6069cSDag-Erling Smørgrav 	return expand_authorized_keys(options.authorized_principals_file, pw);
392e2f6069cSDag-Erling Smørgrav }
393e2f6069cSDag-Erling Smørgrav 
394af12a3e7SDag-Erling Smørgrav /* return ok if key exists in sysfile or userfile */
395af12a3e7SDag-Erling Smørgrav HostStatus
396af12a3e7SDag-Erling Smørgrav check_key_in_hostfiles(struct passwd *pw, Key *key, const char *host,
397af12a3e7SDag-Erling Smørgrav     const char *sysfile, const char *userfile)
398af12a3e7SDag-Erling Smørgrav {
399af12a3e7SDag-Erling Smørgrav 	char *user_hostfile;
400af12a3e7SDag-Erling Smørgrav 	struct stat st;
401af12a3e7SDag-Erling Smørgrav 	HostStatus host_status;
4024a421b63SDag-Erling Smørgrav 	struct hostkeys *hostkeys;
4034a421b63SDag-Erling Smørgrav 	const struct hostkey_entry *found;
404af12a3e7SDag-Erling Smørgrav 
4054a421b63SDag-Erling Smørgrav 	hostkeys = init_hostkeys();
4064a421b63SDag-Erling Smørgrav 	load_hostkeys(hostkeys, host, sysfile);
4074a421b63SDag-Erling Smørgrav 	if (userfile != NULL) {
408af12a3e7SDag-Erling Smørgrav 		user_hostfile = tilde_expand_filename(userfile, pw->pw_uid);
409af12a3e7SDag-Erling Smørgrav 		if (options.strict_modes &&
410af12a3e7SDag-Erling Smørgrav 		    (stat(user_hostfile, &st) == 0) &&
411af12a3e7SDag-Erling Smørgrav 		    ((st.st_uid != 0 && st.st_uid != pw->pw_uid) ||
412af12a3e7SDag-Erling Smørgrav 		    (st.st_mode & 022) != 0)) {
413cf2b5f3bSDag-Erling Smørgrav 			logit("Authentication refused for %.100s: "
414af12a3e7SDag-Erling Smørgrav 			    "bad owner or modes for %.200s",
415af12a3e7SDag-Erling Smørgrav 			    pw->pw_name, user_hostfile);
416e2f6069cSDag-Erling Smørgrav 			auth_debug_add("Ignored %.200s: bad ownership or modes",
417e2f6069cSDag-Erling Smørgrav 			    user_hostfile);
418af12a3e7SDag-Erling Smørgrav 		} else {
419af12a3e7SDag-Erling Smørgrav 			temporarily_use_uid(pw);
4204a421b63SDag-Erling Smørgrav 			load_hostkeys(hostkeys, host, user_hostfile);
421af12a3e7SDag-Erling Smørgrav 			restore_uid();
422af12a3e7SDag-Erling Smørgrav 		}
423*e4a9863fSDag-Erling Smørgrav 		free(user_hostfile);
424af12a3e7SDag-Erling Smørgrav 	}
4254a421b63SDag-Erling Smørgrav 	host_status = check_key_in_hostkeys(hostkeys, key, &found);
4264a421b63SDag-Erling Smørgrav 	if (host_status == HOST_REVOKED)
4274a421b63SDag-Erling Smørgrav 		error("WARNING: revoked key for %s attempted authentication",
4284a421b63SDag-Erling Smørgrav 		    found->host);
4294a421b63SDag-Erling Smørgrav 	else if (host_status == HOST_OK)
4304a421b63SDag-Erling Smørgrav 		debug("%s: key for %s found at %s:%ld", __func__,
4314a421b63SDag-Erling Smørgrav 		    found->host, found->file, found->line);
4324a421b63SDag-Erling Smørgrav 	else
4334a421b63SDag-Erling Smørgrav 		debug("%s: key for host %s not found", __func__, host);
434af12a3e7SDag-Erling Smørgrav 
4354a421b63SDag-Erling Smørgrav 	free_hostkeys(hostkeys);
4364a421b63SDag-Erling Smørgrav 
437af12a3e7SDag-Erling Smørgrav 	return host_status;
438af12a3e7SDag-Erling Smørgrav }
439af12a3e7SDag-Erling Smørgrav 
440af12a3e7SDag-Erling Smørgrav /*
4416888a9beSDag-Erling Smørgrav  * Check a given path for security. This is defined as all components
442f388f5efSDag-Erling Smørgrav  * of the path to the file must be owned by either the owner of
443af12a3e7SDag-Erling Smørgrav  * of the file or root and no directories must be group or world writable.
444af12a3e7SDag-Erling Smørgrav  *
445af12a3e7SDag-Erling Smørgrav  * XXX Should any specific check be done for sym links ?
446af12a3e7SDag-Erling Smørgrav  *
4476888a9beSDag-Erling Smørgrav  * Takes a file name, its stat information (preferably from fstat() to
4486888a9beSDag-Erling Smørgrav  * avoid races), the uid of the expected owner, their home directory and an
449af12a3e7SDag-Erling Smørgrav  * error buffer plus max size as arguments.
450af12a3e7SDag-Erling Smørgrav  *
451af12a3e7SDag-Erling Smørgrav  * Returns 0 on success and -1 on failure
452af12a3e7SDag-Erling Smørgrav  */
4536888a9beSDag-Erling Smørgrav int
4546888a9beSDag-Erling Smørgrav auth_secure_path(const char *name, struct stat *stp, const char *pw_dir,
4556888a9beSDag-Erling Smørgrav     uid_t uid, char *err, size_t errlen)
456af12a3e7SDag-Erling Smørgrav {
457af12a3e7SDag-Erling Smørgrav 	char buf[MAXPATHLEN], homedir[MAXPATHLEN];
458af12a3e7SDag-Erling Smørgrav 	char *cp;
459e73e9afaSDag-Erling Smørgrav 	int comparehome = 0;
460af12a3e7SDag-Erling Smørgrav 	struct stat st;
461af12a3e7SDag-Erling Smørgrav 
4626888a9beSDag-Erling Smørgrav 	if (realpath(name, buf) == NULL) {
4636888a9beSDag-Erling Smørgrav 		snprintf(err, errlen, "realpath %s failed: %s", name,
464af12a3e7SDag-Erling Smørgrav 		    strerror(errno));
465af12a3e7SDag-Erling Smørgrav 		return -1;
466af12a3e7SDag-Erling Smørgrav 	}
4676888a9beSDag-Erling Smørgrav 	if (pw_dir != NULL && realpath(pw_dir, homedir) != NULL)
468e73e9afaSDag-Erling Smørgrav 		comparehome = 1;
469af12a3e7SDag-Erling Smørgrav 
4706888a9beSDag-Erling Smørgrav 	if (!S_ISREG(stp->st_mode)) {
4716888a9beSDag-Erling Smørgrav 		snprintf(err, errlen, "%s is not a regular file", buf);
4726888a9beSDag-Erling Smørgrav 		return -1;
4736888a9beSDag-Erling Smørgrav 	}
4746888a9beSDag-Erling Smørgrav 	if ((!platform_sys_dir_uid(stp->st_uid) && stp->st_uid != uid) ||
4756888a9beSDag-Erling Smørgrav 	    (stp->st_mode & 022) != 0) {
476af12a3e7SDag-Erling Smørgrav 		snprintf(err, errlen, "bad ownership or modes for file %s",
477af12a3e7SDag-Erling Smørgrav 		    buf);
478af12a3e7SDag-Erling Smørgrav 		return -1;
479af12a3e7SDag-Erling Smørgrav 	}
480af12a3e7SDag-Erling Smørgrav 
481af12a3e7SDag-Erling Smørgrav 	/* for each component of the canonical path, walking upwards */
482af12a3e7SDag-Erling Smørgrav 	for (;;) {
483af12a3e7SDag-Erling Smørgrav 		if ((cp = dirname(buf)) == NULL) {
484af12a3e7SDag-Erling Smørgrav 			snprintf(err, errlen, "dirname() failed");
485af12a3e7SDag-Erling Smørgrav 			return -1;
486af12a3e7SDag-Erling Smørgrav 		}
487af12a3e7SDag-Erling Smørgrav 		strlcpy(buf, cp, sizeof(buf));
488af12a3e7SDag-Erling Smørgrav 
489af12a3e7SDag-Erling Smørgrav 		if (stat(buf, &st) < 0 ||
4906888a9beSDag-Erling Smørgrav 		    (!platform_sys_dir_uid(st.st_uid) && st.st_uid != uid) ||
491af12a3e7SDag-Erling Smørgrav 		    (st.st_mode & 022) != 0) {
492af12a3e7SDag-Erling Smørgrav 			snprintf(err, errlen,
493af12a3e7SDag-Erling Smørgrav 			    "bad ownership or modes for directory %s", buf);
494af12a3e7SDag-Erling Smørgrav 			return -1;
495af12a3e7SDag-Erling Smørgrav 		}
496af12a3e7SDag-Erling Smørgrav 
497b15c8340SDag-Erling Smørgrav 		/* If are past the homedir then we can stop */
498e146993eSDag-Erling Smørgrav 		if (comparehome && strcmp(homedir, buf) == 0)
499af12a3e7SDag-Erling Smørgrav 			break;
500e146993eSDag-Erling Smørgrav 
501af12a3e7SDag-Erling Smørgrav 		/*
502af12a3e7SDag-Erling Smørgrav 		 * dirname should always complete with a "/" path,
503af12a3e7SDag-Erling Smørgrav 		 * but we can be paranoid and check for "." too
504af12a3e7SDag-Erling Smørgrav 		 */
505af12a3e7SDag-Erling Smørgrav 		if ((strcmp("/", buf) == 0) || (strcmp(".", buf) == 0))
506af12a3e7SDag-Erling Smørgrav 			break;
507af12a3e7SDag-Erling Smørgrav 	}
508af12a3e7SDag-Erling Smørgrav 	return 0;
509af12a3e7SDag-Erling Smørgrav }
51080628bacSDag-Erling Smørgrav 
5116888a9beSDag-Erling Smørgrav /*
5126888a9beSDag-Erling Smørgrav  * Version of secure_path() that accepts an open file descriptor to
5136888a9beSDag-Erling Smørgrav  * avoid races.
5146888a9beSDag-Erling Smørgrav  *
5156888a9beSDag-Erling Smørgrav  * Returns 0 on success and -1 on failure
5166888a9beSDag-Erling Smørgrav  */
5176888a9beSDag-Erling Smørgrav static int
5186888a9beSDag-Erling Smørgrav secure_filename(FILE *f, const char *file, struct passwd *pw,
5196888a9beSDag-Erling Smørgrav     char *err, size_t errlen)
5206888a9beSDag-Erling Smørgrav {
5216888a9beSDag-Erling Smørgrav 	struct stat st;
5226888a9beSDag-Erling Smørgrav 
5236888a9beSDag-Erling Smørgrav 	/* check the open file to avoid races */
5246888a9beSDag-Erling Smørgrav 	if (fstat(fileno(f), &st) < 0) {
5256888a9beSDag-Erling Smørgrav 		snprintf(err, errlen, "cannot stat file %s: %s",
5266888a9beSDag-Erling Smørgrav 		    file, strerror(errno));
5276888a9beSDag-Erling Smørgrav 		return -1;
5286888a9beSDag-Erling Smørgrav 	}
5296888a9beSDag-Erling Smørgrav 	return auth_secure_path(file, &st, pw->pw_dir, pw->pw_uid, err, errlen);
5306888a9beSDag-Erling Smørgrav }
5316888a9beSDag-Erling Smørgrav 
532e2f6069cSDag-Erling Smørgrav static FILE *
533e2f6069cSDag-Erling Smørgrav auth_openfile(const char *file, struct passwd *pw, int strict_modes,
534e2f6069cSDag-Erling Smørgrav     int log_missing, char *file_type)
535d4af9e69SDag-Erling Smørgrav {
536d4af9e69SDag-Erling Smørgrav 	char line[1024];
537d4af9e69SDag-Erling Smørgrav 	struct stat st;
538d4af9e69SDag-Erling Smørgrav 	int fd;
539d4af9e69SDag-Erling Smørgrav 	FILE *f;
540d4af9e69SDag-Erling Smørgrav 
541b15c8340SDag-Erling Smørgrav 	if ((fd = open(file, O_RDONLY|O_NONBLOCK)) == -1) {
542e2f6069cSDag-Erling Smørgrav 		if (log_missing || errno != ENOENT)
543e2f6069cSDag-Erling Smørgrav 			debug("Could not open %s '%s': %s", file_type, file,
544b15c8340SDag-Erling Smørgrav 			   strerror(errno));
545d4af9e69SDag-Erling Smørgrav 		return NULL;
546b15c8340SDag-Erling Smørgrav 	}
547d4af9e69SDag-Erling Smørgrav 
548d4af9e69SDag-Erling Smørgrav 	if (fstat(fd, &st) < 0) {
549d4af9e69SDag-Erling Smørgrav 		close(fd);
550d4af9e69SDag-Erling Smørgrav 		return NULL;
551d4af9e69SDag-Erling Smørgrav 	}
552d4af9e69SDag-Erling Smørgrav 	if (!S_ISREG(st.st_mode)) {
553e2f6069cSDag-Erling Smørgrav 		logit("User %s %s %s is not a regular file",
554e2f6069cSDag-Erling Smørgrav 		    pw->pw_name, file_type, file);
555d4af9e69SDag-Erling Smørgrav 		close(fd);
556d4af9e69SDag-Erling Smørgrav 		return NULL;
557d4af9e69SDag-Erling Smørgrav 	}
558d4af9e69SDag-Erling Smørgrav 	unset_nonblock(fd);
559d4af9e69SDag-Erling Smørgrav 	if ((f = fdopen(fd, "r")) == NULL) {
560d4af9e69SDag-Erling Smørgrav 		close(fd);
561d4af9e69SDag-Erling Smørgrav 		return NULL;
562d4af9e69SDag-Erling Smørgrav 	}
5634a421b63SDag-Erling Smørgrav 	if (strict_modes &&
564d4af9e69SDag-Erling Smørgrav 	    secure_filename(f, file, pw, line, sizeof(line)) != 0) {
565d4af9e69SDag-Erling Smørgrav 		fclose(f);
566d4af9e69SDag-Erling Smørgrav 		logit("Authentication refused: %s", line);
567e2f6069cSDag-Erling Smørgrav 		auth_debug_add("Ignored %s: %s", file_type, line);
568d4af9e69SDag-Erling Smørgrav 		return NULL;
569d4af9e69SDag-Erling Smørgrav 	}
570d4af9e69SDag-Erling Smørgrav 
571d4af9e69SDag-Erling Smørgrav 	return f;
572d4af9e69SDag-Erling Smørgrav }
573d4af9e69SDag-Erling Smørgrav 
574e2f6069cSDag-Erling Smørgrav 
575e2f6069cSDag-Erling Smørgrav FILE *
576e2f6069cSDag-Erling Smørgrav auth_openkeyfile(const char *file, struct passwd *pw, int strict_modes)
577e2f6069cSDag-Erling Smørgrav {
578e2f6069cSDag-Erling Smørgrav 	return auth_openfile(file, pw, strict_modes, 1, "authorized keys");
579e2f6069cSDag-Erling Smørgrav }
580e2f6069cSDag-Erling Smørgrav 
581e2f6069cSDag-Erling Smørgrav FILE *
582e2f6069cSDag-Erling Smørgrav auth_openprincipals(const char *file, struct passwd *pw, int strict_modes)
583e2f6069cSDag-Erling Smørgrav {
584e2f6069cSDag-Erling Smørgrav 	return auth_openfile(file, pw, strict_modes, 0,
585e2f6069cSDag-Erling Smørgrav 	    "authorized principals");
586e2f6069cSDag-Erling Smørgrav }
587e2f6069cSDag-Erling Smørgrav 
58880628bacSDag-Erling Smørgrav struct passwd *
58980628bacSDag-Erling Smørgrav getpwnamallow(const char *user)
59080628bacSDag-Erling Smørgrav {
59180628bacSDag-Erling Smørgrav #ifdef HAVE_LOGIN_CAP
59280628bacSDag-Erling Smørgrav 	extern login_cap_t *lc;
59380628bacSDag-Erling Smørgrav #ifdef BSD_AUTH
59480628bacSDag-Erling Smørgrav 	auth_session_t *as;
59580628bacSDag-Erling Smørgrav #endif
59680628bacSDag-Erling Smørgrav #endif
59780628bacSDag-Erling Smørgrav 	struct passwd *pw;
598462c32cbSDag-Erling Smørgrav 	struct connection_info *ci = get_connection_info(1, options.use_dns);
59980628bacSDag-Erling Smørgrav 
600462c32cbSDag-Erling Smørgrav 	ci->user = user;
601462c32cbSDag-Erling Smørgrav 	parse_server_match_config(&options, ci);
602333ee039SDag-Erling Smørgrav 
603b15c8340SDag-Erling Smørgrav #if defined(_AIX) && defined(HAVE_SETAUTHDB)
604b15c8340SDag-Erling Smørgrav 	aix_setauthdb(user);
605b15c8340SDag-Erling Smørgrav #endif
606b15c8340SDag-Erling Smørgrav 
60780628bacSDag-Erling Smørgrav 	pw = getpwnam(user);
608b15c8340SDag-Erling Smørgrav 
609b15c8340SDag-Erling Smørgrav #if defined(_AIX) && defined(HAVE_SETAUTHDB)
610b15c8340SDag-Erling Smørgrav 	aix_restoreauthdb();
611b15c8340SDag-Erling Smørgrav #endif
612b15c8340SDag-Erling Smørgrav #ifdef HAVE_CYGWIN
613b15c8340SDag-Erling Smørgrav 	/*
614b15c8340SDag-Erling Smørgrav 	 * Windows usernames are case-insensitive.  To avoid later problems
615b15c8340SDag-Erling Smørgrav 	 * when trying to match the username, the user is only allowed to
616b15c8340SDag-Erling Smørgrav 	 * login if the username is given in the same case as stored in the
617b15c8340SDag-Erling Smørgrav 	 * user database.
618b15c8340SDag-Erling Smørgrav 	 */
619b15c8340SDag-Erling Smørgrav 	if (pw != NULL && strcmp(user, pw->pw_name) != 0) {
620b15c8340SDag-Erling Smørgrav 		logit("Login name %.100s does not match stored username %.100s",
621b15c8340SDag-Erling Smørgrav 		    user, pw->pw_name);
622b15c8340SDag-Erling Smørgrav 		pw = NULL;
623b15c8340SDag-Erling Smørgrav 	}
624b15c8340SDag-Erling Smørgrav #endif
625f388f5efSDag-Erling Smørgrav 	if (pw == NULL) {
62621e764dfSDag-Erling Smørgrav 		logit("Invalid user %.100s from %.100s",
627f388f5efSDag-Erling Smørgrav 		    user, get_remote_ipaddr());
628cf2b5f3bSDag-Erling Smørgrav #ifdef CUSTOM_FAILED_LOGIN
629aa49c926SDag-Erling Smørgrav 		record_failed_login(user,
630aa49c926SDag-Erling Smørgrav 		    get_canonical_hostname(options.use_dns), "ssh");
631e73e9afaSDag-Erling Smørgrav #endif
632aa49c926SDag-Erling Smørgrav #ifdef SSH_AUDIT_EVENTS
633aa49c926SDag-Erling Smørgrav 		audit_event(SSH_INVALID_USER);
634aa49c926SDag-Erling Smørgrav #endif /* SSH_AUDIT_EVENTS */
635f388f5efSDag-Erling Smørgrav 		return (NULL);
636f388f5efSDag-Erling Smørgrav 	}
637f388f5efSDag-Erling Smørgrav 	if (!allowed_user(pw))
63880628bacSDag-Erling Smørgrav 		return (NULL);
63980628bacSDag-Erling Smørgrav #ifdef HAVE_LOGIN_CAP
640f38aa77fSTony Finch 	if ((lc = login_getpwclass(pw)) == NULL) {
64180628bacSDag-Erling Smørgrav 		debug("unable to get login class: %s", user);
64280628bacSDag-Erling Smørgrav 		return (NULL);
64380628bacSDag-Erling Smørgrav 	}
64480628bacSDag-Erling Smørgrav #ifdef BSD_AUTH
64580628bacSDag-Erling Smørgrav 	if ((as = auth_open()) == NULL || auth_setpwd(as, pw) != 0 ||
64680628bacSDag-Erling Smørgrav 	    auth_approval(as, lc, pw->pw_name, "ssh") <= 0) {
64780628bacSDag-Erling Smørgrav 		debug("Approval failure for %s", user);
64880628bacSDag-Erling Smørgrav 		pw = NULL;
64980628bacSDag-Erling Smørgrav 	}
65080628bacSDag-Erling Smørgrav 	if (as != NULL)
65180628bacSDag-Erling Smørgrav 		auth_close(as);
65280628bacSDag-Erling Smørgrav #endif
65380628bacSDag-Erling Smørgrav #endif
65480628bacSDag-Erling Smørgrav 	if (pw != NULL)
65580628bacSDag-Erling Smørgrav 		return (pwcopy(pw));
65680628bacSDag-Erling Smørgrav 	return (NULL);
65780628bacSDag-Erling Smørgrav }
65880628bacSDag-Erling Smørgrav 
659b15c8340SDag-Erling Smørgrav /* Returns 1 if key is revoked by revoked_keys_file, 0 otherwise */
660b15c8340SDag-Erling Smørgrav int
661b15c8340SDag-Erling Smørgrav auth_key_is_revoked(Key *key)
662b15c8340SDag-Erling Smørgrav {
663b15c8340SDag-Erling Smørgrav 	char *key_fp;
664b15c8340SDag-Erling Smørgrav 
665b15c8340SDag-Erling Smørgrav 	if (options.revoked_keys_file == NULL)
666b15c8340SDag-Erling Smørgrav 		return 0;
6676888a9beSDag-Erling Smørgrav 	switch (ssh_krl_file_contains_key(options.revoked_keys_file, key)) {
6686888a9beSDag-Erling Smørgrav 	case 0:
6696888a9beSDag-Erling Smørgrav 		return 0;	/* Not revoked */
6706888a9beSDag-Erling Smørgrav 	case -2:
6716888a9beSDag-Erling Smørgrav 		break;		/* Not a KRL */
6726888a9beSDag-Erling Smørgrav 	default:
6736888a9beSDag-Erling Smørgrav 		goto revoked;
6746888a9beSDag-Erling Smørgrav 	}
6756888a9beSDag-Erling Smørgrav 	debug3("%s: treating %s as a key list", __func__,
6766888a9beSDag-Erling Smørgrav 	    options.revoked_keys_file);
677b15c8340SDag-Erling Smørgrav 	switch (key_in_file(key, options.revoked_keys_file, 0)) {
678b15c8340SDag-Erling Smørgrav 	case 0:
679b15c8340SDag-Erling Smørgrav 		/* key not revoked */
680b15c8340SDag-Erling Smørgrav 		return 0;
681b15c8340SDag-Erling Smørgrav 	case -1:
682b15c8340SDag-Erling Smørgrav 		/* Error opening revoked_keys_file: refuse all keys */
683b15c8340SDag-Erling Smørgrav 		error("Revoked keys file is unreadable: refusing public key "
684b15c8340SDag-Erling Smørgrav 		    "authentication");
685b15c8340SDag-Erling Smørgrav 		return 1;
686b15c8340SDag-Erling Smørgrav 	case 1:
6876888a9beSDag-Erling Smørgrav  revoked:
688b15c8340SDag-Erling Smørgrav 		/* Key revoked */
689b15c8340SDag-Erling Smørgrav 		key_fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
690b15c8340SDag-Erling Smørgrav 		error("WARNING: authentication attempt with a revoked "
691b15c8340SDag-Erling Smørgrav 		    "%s key %s ", key_type(key), key_fp);
692*e4a9863fSDag-Erling Smørgrav 		free(key_fp);
693b15c8340SDag-Erling Smørgrav 		return 1;
694b15c8340SDag-Erling Smørgrav 	}
695b15c8340SDag-Erling Smørgrav 	fatal("key_in_file returned junk");
696b15c8340SDag-Erling Smørgrav }
697b15c8340SDag-Erling Smørgrav 
69880628bacSDag-Erling Smørgrav void
69980628bacSDag-Erling Smørgrav auth_debug_add(const char *fmt,...)
70080628bacSDag-Erling Smørgrav {
70180628bacSDag-Erling Smørgrav 	char buf[1024];
70280628bacSDag-Erling Smørgrav 	va_list args;
70380628bacSDag-Erling Smørgrav 
70480628bacSDag-Erling Smørgrav 	if (!auth_debug_init)
70580628bacSDag-Erling Smørgrav 		return;
70680628bacSDag-Erling Smørgrav 
70780628bacSDag-Erling Smørgrav 	va_start(args, fmt);
70880628bacSDag-Erling Smørgrav 	vsnprintf(buf, sizeof(buf), fmt, args);
70980628bacSDag-Erling Smørgrav 	va_end(args);
71080628bacSDag-Erling Smørgrav 	buffer_put_cstring(&auth_debug, buf);
71180628bacSDag-Erling Smørgrav }
71280628bacSDag-Erling Smørgrav 
71380628bacSDag-Erling Smørgrav void
71480628bacSDag-Erling Smørgrav auth_debug_send(void)
71580628bacSDag-Erling Smørgrav {
71680628bacSDag-Erling Smørgrav 	char *msg;
71780628bacSDag-Erling Smørgrav 
71880628bacSDag-Erling Smørgrav 	if (!auth_debug_init)
71980628bacSDag-Erling Smørgrav 		return;
72080628bacSDag-Erling Smørgrav 	while (buffer_len(&auth_debug)) {
72180628bacSDag-Erling Smørgrav 		msg = buffer_get_string(&auth_debug, NULL);
72280628bacSDag-Erling Smørgrav 		packet_send_debug("%s", msg);
723*e4a9863fSDag-Erling Smørgrav 		free(msg);
72480628bacSDag-Erling Smørgrav 	}
72580628bacSDag-Erling Smørgrav }
72680628bacSDag-Erling Smørgrav 
72780628bacSDag-Erling Smørgrav void
72880628bacSDag-Erling Smørgrav auth_debug_reset(void)
72980628bacSDag-Erling Smørgrav {
73080628bacSDag-Erling Smørgrav 	if (auth_debug_init)
73180628bacSDag-Erling Smørgrav 		buffer_clear(&auth_debug);
73280628bacSDag-Erling Smørgrav 	else {
73380628bacSDag-Erling Smørgrav 		buffer_init(&auth_debug);
73480628bacSDag-Erling Smørgrav 		auth_debug_init = 1;
73580628bacSDag-Erling Smørgrav 	}
73680628bacSDag-Erling Smørgrav }
737cf2b5f3bSDag-Erling Smørgrav 
738cf2b5f3bSDag-Erling Smørgrav struct passwd *
739cf2b5f3bSDag-Erling Smørgrav fakepw(void)
740cf2b5f3bSDag-Erling Smørgrav {
741cf2b5f3bSDag-Erling Smørgrav 	static struct passwd fake;
742cf2b5f3bSDag-Erling Smørgrav 
743cf2b5f3bSDag-Erling Smørgrav 	memset(&fake, 0, sizeof(fake));
744cf2b5f3bSDag-Erling Smørgrav 	fake.pw_name = "NOUSER";
745cf2b5f3bSDag-Erling Smørgrav 	fake.pw_passwd =
746cf2b5f3bSDag-Erling Smørgrav 	    "$2a$06$r3.juUaHZDlIbQaO2dS9FuYxL1W9M81R1Tc92PoSNmzvpEqLkLGrK";
747*e4a9863fSDag-Erling Smørgrav #ifdef HAVE_STRUCT_PASSWD_PW_GECOS
748cf2b5f3bSDag-Erling Smørgrav 	fake.pw_gecos = "NOUSER";
749*e4a9863fSDag-Erling Smørgrav #endif
750d4af9e69SDag-Erling Smørgrav 	fake.pw_uid = privsep_pw == NULL ? (uid_t)-1 : privsep_pw->pw_uid;
751d4af9e69SDag-Erling Smørgrav 	fake.pw_gid = privsep_pw == NULL ? (gid_t)-1 : privsep_pw->pw_gid;
752*e4a9863fSDag-Erling Smørgrav #ifdef HAVE_STRUCT_PASSWD_PW_CLASS
753cf2b5f3bSDag-Erling Smørgrav 	fake.pw_class = "";
754cf2b5f3bSDag-Erling Smørgrav #endif
755cf2b5f3bSDag-Erling Smørgrav 	fake.pw_dir = "/nonexist";
756cf2b5f3bSDag-Erling Smørgrav 	fake.pw_shell = "/nonexist";
757cf2b5f3bSDag-Erling Smørgrav 
758cf2b5f3bSDag-Erling Smørgrav 	return (&fake);
759cf2b5f3bSDag-Erling Smørgrav }
760