xref: /freebsd/crypto/openssh/auth.c (revision 71fe318b852b8dfb3e799cb12ef184750f7f8eac)
1 /*
2  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
3  *
4  * Redistribution and use in source and binary forms, with or without
5  * modification, are permitted provided that the following conditions
6  * are met:
7  * 1. Redistributions of source code must retain the above copyright
8  *    notice, this list of conditions and the following disclaimer.
9  * 2. Redistributions in binary form must reproduce the above copyright
10  *    notice, this list of conditions and the following disclaimer in the
11  *    documentation and/or other materials provided with the distribution.
12  *
13  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
14  * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
15  * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
16  * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
17  * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
18  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
19  * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
20  * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
21  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
22  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
23  */
24 
25 #include "includes.h"
26 RCSID("$OpenBSD: auth.c,v 1.45 2002/09/20 18:41:29 stevesk Exp $");
27 RCSID("$FreeBSD$");
28 
29 #ifdef HAVE_LOGIN_H
30 #include <login.h>
31 #endif
32 #if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW)
33 #include <shadow.h>
34 #endif /* defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW) */
35 
36 #ifdef HAVE_LIBGEN_H
37 #include <libgen.h>
38 #endif
39 
40 #include "xmalloc.h"
41 #include "match.h"
42 #include "groupaccess.h"
43 #include "log.h"
44 #include "servconf.h"
45 #include "auth.h"
46 #include "auth-options.h"
47 #include "canohost.h"
48 #include "buffer.h"
49 #include "bufaux.h"
50 #include "uidswap.h"
51 #include "tildexpand.h"
52 #include "misc.h"
53 #include "bufaux.h"
54 #include "packet.h"
55 
56 /* import */
57 extern ServerOptions options;
58 
59 /* Debugging messages */
60 Buffer auth_debug;
61 int auth_debug_init;
62 
63 /*
64  * Check if the user is allowed to log in via ssh. If user is listed
65  * in DenyUsers or one of user's groups is listed in DenyGroups, false
66  * will be returned. If AllowUsers isn't empty and user isn't listed
67  * there, or if AllowGroups isn't empty and one of user's groups isn't
68  * listed there, false will be returned.
69  * If the user's shell is not executable, false will be returned.
70  * Otherwise true is returned.
71  */
72 int
73 allowed_user(struct passwd * pw)
74 {
75 	struct stat st;
76 	const char *hostname = NULL, *ipaddr = NULL;
77 	char *shell;
78 	int i;
79 #ifdef WITH_AIXAUTHENTICATE
80 	char *loginmsg;
81 #endif /* WITH_AIXAUTHENTICATE */
82 #if !defined(USE_PAM) && defined(HAVE_SHADOW_H) && \
83 	!defined(DISABLE_SHADOW) && defined(HAS_SHADOW_EXPIRE)
84 	struct spwd *spw;
85 
86 	/* Shouldn't be called if pw is NULL, but better safe than sorry... */
87 	if (!pw || !pw->pw_name)
88 		return 0;
89 
90 #define	DAY		(24L * 60 * 60) /* 1 day in seconds */
91 	spw = getspnam(pw->pw_name);
92 	if (spw != NULL) {
93 		time_t today = time(NULL) / DAY;
94 		debug3("allowed_user: today %d sp_expire %d sp_lstchg %d"
95 		    " sp_max %d", (int)today, (int)spw->sp_expire,
96 		    (int)spw->sp_lstchg, (int)spw->sp_max);
97 
98 		/*
99 		 * We assume account and password expiration occurs the
100 		 * day after the day specified.
101 		 */
102 		if (spw->sp_expire != -1 && today > spw->sp_expire) {
103 			log("Account %.100s has expired", pw->pw_name);
104 			return 0;
105 		}
106 
107 		if (spw->sp_lstchg == 0) {
108 			log("User %.100s password has expired (root forced)",
109 			    pw->pw_name);
110 			return 0;
111 		}
112 
113 		if (spw->sp_max != -1 &&
114 		    today > spw->sp_lstchg + spw->sp_max) {
115 			log("User %.100s password has expired (password aged)",
116 			    pw->pw_name);
117 			return 0;
118 		}
119 	}
120 #else
121 	/* Shouldn't be called if pw is NULL, but better safe than sorry... */
122 	if (!pw || !pw->pw_name)
123 		return 0;
124 #endif
125 
126 	/*
127 	 * Get the shell from the password data.  An empty shell field is
128 	 * legal, and means /bin/sh.
129 	 */
130 	shell = (pw->pw_shell[0] == '\0') ? _PATH_BSHELL : pw->pw_shell;
131 
132 	/* deny if shell does not exists or is not executable */
133 	if (stat(shell, &st) != 0) {
134 		log("User %.100s not allowed because shell %.100s does not exist",
135 		    pw->pw_name, shell);
136 		return 0;
137 	}
138 	if (S_ISREG(st.st_mode) == 0 ||
139 	    (st.st_mode & (S_IXOTH|S_IXUSR|S_IXGRP)) == 0) {
140 		log("User %.100s not allowed because shell %.100s is not executable",
141 		    pw->pw_name, shell);
142 		return 0;
143 	}
144 
145 	if (options.num_deny_users > 0 || options.num_allow_users > 0) {
146 		hostname = get_canonical_hostname(options.verify_reverse_mapping);
147 		ipaddr = get_remote_ipaddr();
148 	}
149 
150 	/* Return false if user is listed in DenyUsers */
151 	if (options.num_deny_users > 0) {
152 		for (i = 0; i < options.num_deny_users; i++)
153 			if (match_user(pw->pw_name, hostname, ipaddr,
154 			    options.deny_users[i])) {
155 				log("User %.100s not allowed because listed in DenyUsers",
156 				    pw->pw_name);
157 				return 0;
158 			}
159 	}
160 	/* Return false if AllowUsers isn't empty and user isn't listed there */
161 	if (options.num_allow_users > 0) {
162 		for (i = 0; i < options.num_allow_users; i++)
163 			if (match_user(pw->pw_name, hostname, ipaddr,
164 			    options.allow_users[i]))
165 				break;
166 		/* i < options.num_allow_users iff we break for loop */
167 		if (i >= options.num_allow_users) {
168 			log("User %.100s not allowed because not listed in AllowUsers",
169 			    pw->pw_name);
170 			return 0;
171 		}
172 	}
173 	if (options.num_deny_groups > 0 || options.num_allow_groups > 0) {
174 		/* Get the user's group access list (primary and supplementary) */
175 		if (ga_init(pw->pw_name, pw->pw_gid) == 0) {
176 			log("User %.100s not allowed because not in any group",
177 			    pw->pw_name);
178 			return 0;
179 		}
180 
181 		/* Return false if one of user's groups is listed in DenyGroups */
182 		if (options.num_deny_groups > 0)
183 			if (ga_match(options.deny_groups,
184 			    options.num_deny_groups)) {
185 				ga_free();
186 				log("User %.100s not allowed because a group is listed in DenyGroups",
187 				    pw->pw_name);
188 				return 0;
189 			}
190 		/*
191 		 * Return false if AllowGroups isn't empty and one of user's groups
192 		 * isn't listed there
193 		 */
194 		if (options.num_allow_groups > 0)
195 			if (!ga_match(options.allow_groups,
196 			    options.num_allow_groups)) {
197 				ga_free();
198 				log("User %.100s not allowed because none of user's groups are listed in AllowGroups",
199 				    pw->pw_name);
200 				return 0;
201 			}
202 		ga_free();
203 	}
204 
205 #ifdef WITH_AIXAUTHENTICATE
206 	if (loginrestrictions(pw->pw_name, S_RLOGIN, NULL, &loginmsg) != 0) {
207 		if (loginmsg && *loginmsg) {
208 			/* Remove embedded newlines (if any) */
209 			char *p;
210 			for (p = loginmsg; *p; p++) {
211 				if (*p == '\n')
212 					*p = ' ';
213 			}
214 			/* Remove trailing newline */
215 			*--p = '\0';
216 			log("Login restricted for %s: %.100s", pw->pw_name, loginmsg);
217 		}
218 		return 0;
219 	}
220 #endif /* WITH_AIXAUTHENTICATE */
221 
222 	/* We found no reason not to let this user try to log on... */
223 	return 1;
224 }
225 
226 Authctxt *
227 authctxt_new(void)
228 {
229 	Authctxt *authctxt = xmalloc(sizeof(*authctxt));
230 	memset(authctxt, 0, sizeof(*authctxt));
231 	return authctxt;
232 }
233 
234 void
235 auth_log(Authctxt *authctxt, int authenticated, char *method, char *info)
236 {
237 	void (*authlog) (const char *fmt,...) = verbose;
238 	char *authmsg;
239 
240 	/* Raise logging level */
241 	if (authenticated == 1 ||
242 	    !authctxt->valid ||
243 	    authctxt->failures >= AUTH_FAIL_LOG ||
244 	    strcmp(method, "password") == 0)
245 		authlog = log;
246 
247 	if (authctxt->postponed)
248 		authmsg = "Postponed";
249 	else
250 		authmsg = authenticated ? "Accepted" : "Failed";
251 
252 	authlog("%s %s for %s%.100s from %.200s port %d%s",
253 	    authmsg,
254 	    method,
255 	    authctxt->valid ? "" : "illegal user ",
256 	    authctxt->user,
257 	    get_remote_ipaddr(),
258 	    get_remote_port(),
259 	    info);
260 
261 #ifdef WITH_AIXAUTHENTICATE
262 	if (authenticated == 0 && strcmp(method, "password") == 0)
263 	    loginfailed(authctxt->user,
264 		get_canonical_hostname(options.verify_reverse_mapping),
265 		"ssh");
266 #endif /* WITH_AIXAUTHENTICATE */
267 
268 }
269 
270 /*
271  * Check whether root logins are disallowed.
272  */
273 int
274 auth_root_allowed(char *method)
275 {
276 	switch (options.permit_root_login) {
277 	case PERMIT_YES:
278 		return 1;
279 		break;
280 	case PERMIT_NO_PASSWD:
281 		if (strcmp(method, "password") != 0)
282 			return 1;
283 		break;
284 	case PERMIT_FORCED_ONLY:
285 		if (forced_command) {
286 			log("Root login accepted for forced command.");
287 			return 1;
288 		}
289 		break;
290 	}
291 	log("ROOT LOGIN REFUSED FROM %.200s", get_remote_ipaddr());
292 	return 0;
293 }
294 
295 
296 /*
297  * Given a template and a passwd structure, build a filename
298  * by substituting % tokenised options. Currently, %% becomes '%',
299  * %h becomes the home directory and %u the username.
300  *
301  * This returns a buffer allocated by xmalloc.
302  */
303 char *
304 expand_filename(const char *filename, struct passwd *pw)
305 {
306 	Buffer buffer;
307 	char *file;
308 	const char *cp;
309 
310 	/*
311 	 * Build the filename string in the buffer by making the appropriate
312 	 * substitutions to the given file name.
313 	 */
314 	buffer_init(&buffer);
315 	for (cp = filename; *cp; cp++) {
316 		if (cp[0] == '%' && cp[1] == '%') {
317 			buffer_append(&buffer, "%", 1);
318 			cp++;
319 			continue;
320 		}
321 		if (cp[0] == '%' && cp[1] == 'h') {
322 			buffer_append(&buffer, pw->pw_dir, strlen(pw->pw_dir));
323 			cp++;
324 			continue;
325 		}
326 		if (cp[0] == '%' && cp[1] == 'u') {
327 			buffer_append(&buffer, pw->pw_name,
328 			    strlen(pw->pw_name));
329 			cp++;
330 			continue;
331 		}
332 		buffer_append(&buffer, cp, 1);
333 	}
334 	buffer_append(&buffer, "\0", 1);
335 
336 	/*
337 	 * Ensure that filename starts anchored. If not, be backward
338 	 * compatible and prepend the '%h/'
339 	 */
340 	file = xmalloc(MAXPATHLEN);
341 	cp = buffer_ptr(&buffer);
342 	if (*cp != '/')
343 		snprintf(file, MAXPATHLEN, "%s/%s", pw->pw_dir, cp);
344 	else
345 		strlcpy(file, cp, MAXPATHLEN);
346 
347 	buffer_free(&buffer);
348 	return file;
349 }
350 
351 char *
352 authorized_keys_file(struct passwd *pw)
353 {
354 	return expand_filename(options.authorized_keys_file, pw);
355 }
356 
357 char *
358 authorized_keys_file2(struct passwd *pw)
359 {
360 	return expand_filename(options.authorized_keys_file2, pw);
361 }
362 
363 /* return ok if key exists in sysfile or userfile */
364 HostStatus
365 check_key_in_hostfiles(struct passwd *pw, Key *key, const char *host,
366     const char *sysfile, const char *userfile)
367 {
368 	Key *found;
369 	char *user_hostfile;
370 	struct stat st;
371 	HostStatus host_status;
372 
373 	/* Check if we know the host and its host key. */
374 	found = key_new(key->type);
375 	host_status = check_host_in_hostfile(sysfile, host, key, found, NULL);
376 
377 	if (host_status != HOST_OK && userfile != NULL) {
378 		user_hostfile = tilde_expand_filename(userfile, pw->pw_uid);
379 		if (options.strict_modes &&
380 		    (stat(user_hostfile, &st) == 0) &&
381 		    ((st.st_uid != 0 && st.st_uid != pw->pw_uid) ||
382 		    (st.st_mode & 022) != 0)) {
383 			log("Authentication refused for %.100s: "
384 			    "bad owner or modes for %.200s",
385 			    pw->pw_name, user_hostfile);
386 		} else {
387 			temporarily_use_uid(pw);
388 			host_status = check_host_in_hostfile(user_hostfile,
389 			    host, key, found, NULL);
390 			restore_uid();
391 		}
392 		xfree(user_hostfile);
393 	}
394 	key_free(found);
395 
396 	debug2("check_key_in_hostfiles: key %s for %s", host_status == HOST_OK ?
397 	    "ok" : "not found", host);
398 	return host_status;
399 }
400 
401 
402 /*
403  * Check a given file for security. This is defined as all components
404  * of the path to the file must be owned by either the owner of
405  * of the file or root and no directories must be group or world writable.
406  *
407  * XXX Should any specific check be done for sym links ?
408  *
409  * Takes an open file descriptor, the file name, a uid and and
410  * error buffer plus max size as arguments.
411  *
412  * Returns 0 on success and -1 on failure
413  */
414 int
415 secure_filename(FILE *f, const char *file, struct passwd *pw,
416     char *err, size_t errlen)
417 {
418 	uid_t uid = pw->pw_uid;
419 	char buf[MAXPATHLEN], homedir[MAXPATHLEN];
420 	char *cp;
421 	struct stat st;
422 
423 	if (realpath(file, buf) == NULL) {
424 		snprintf(err, errlen, "realpath %s failed: %s", file,
425 		    strerror(errno));
426 		return -1;
427 	}
428 	if (realpath(pw->pw_dir, homedir) == NULL) {
429 		snprintf(err, errlen, "realpath %s failed: %s", pw->pw_dir,
430 		    strerror(errno));
431 		return -1;
432 	}
433 
434 	/* check the open file to avoid races */
435 	if (fstat(fileno(f), &st) < 0 ||
436 	    (st.st_uid != 0 && st.st_uid != uid) ||
437 	    (st.st_mode & 022) != 0) {
438 		snprintf(err, errlen, "bad ownership or modes for file %s",
439 		    buf);
440 		return -1;
441 	}
442 
443 	/* for each component of the canonical path, walking upwards */
444 	for (;;) {
445 		if ((cp = dirname(buf)) == NULL) {
446 			snprintf(err, errlen, "dirname() failed");
447 			return -1;
448 		}
449 		strlcpy(buf, cp, sizeof(buf));
450 
451 		debug3("secure_filename: checking '%s'", buf);
452 		if (stat(buf, &st) < 0 ||
453 		    (st.st_uid != 0 && st.st_uid != uid) ||
454 		    (st.st_mode & 022) != 0) {
455 			snprintf(err, errlen,
456 			    "bad ownership or modes for directory %s", buf);
457 			return -1;
458 		}
459 
460 		/* If are passed the homedir then we can stop */
461 		if (strcmp(homedir, buf) == 0) {
462 			debug3("secure_filename: terminating check at '%s'",
463 			    buf);
464 			break;
465 		}
466 		/*
467 		 * dirname should always complete with a "/" path,
468 		 * but we can be paranoid and check for "." too
469 		 */
470 		if ((strcmp("/", buf) == 0) || (strcmp(".", buf) == 0))
471 			break;
472 	}
473 	return 0;
474 }
475 
476 struct passwd *
477 getpwnamallow(const char *user)
478 {
479 #ifdef HAVE_LOGIN_CAP
480 	extern login_cap_t *lc;
481 #ifdef BSD_AUTH
482 	auth_session_t *as;
483 #endif
484 #endif
485 	struct passwd *pw;
486 
487 	pw = getpwnam(user);
488 	if (pw == NULL) {
489 		log("Illegal user %.100s from %.100s",
490 		    user, get_remote_ipaddr());
491 		return (NULL);
492 	}
493 	if (!allowed_user(pw))
494 		return (NULL);
495 #ifdef HAVE_LOGIN_CAP
496 	if ((lc = login_getpwclass(pw)) == NULL) {
497 		debug("unable to get login class: %s", user);
498 		return (NULL);
499 	}
500 #ifdef BSD_AUTH
501 	if ((as = auth_open()) == NULL || auth_setpwd(as, pw) != 0 ||
502 	    auth_approval(as, lc, pw->pw_name, "ssh") <= 0) {
503 		debug("Approval failure for %s", user);
504 		pw = NULL;
505 	}
506 	if (as != NULL)
507 		auth_close(as);
508 #endif
509 #endif
510 	if (pw != NULL)
511 		return (pwcopy(pw));
512 	return (NULL);
513 }
514 
515 void
516 auth_debug_add(const char *fmt,...)
517 {
518 	char buf[1024];
519 	va_list args;
520 
521 	if (!auth_debug_init)
522 		return;
523 
524 	va_start(args, fmt);
525 	vsnprintf(buf, sizeof(buf), fmt, args);
526 	va_end(args);
527 	buffer_put_cstring(&auth_debug, buf);
528 }
529 
530 void
531 auth_debug_send(void)
532 {
533 	char *msg;
534 
535 	if (!auth_debug_init)
536 		return;
537 	while (buffer_len(&auth_debug)) {
538 		msg = buffer_get_string(&auth_debug, NULL);
539 		packet_send_debug("%s", msg);
540 		xfree(msg);
541 	}
542 }
543 
544 void
545 auth_debug_reset(void)
546 {
547 	if (auth_debug_init)
548 		buffer_clear(&auth_debug);
549 	else {
550 		buffer_init(&auth_debug);
551 		auth_debug_init = 1;
552 	}
553 }
554