xref: /freebsd/crypto/openssh/auth.c (revision f061a2215f9bf0bea98ac601a34750f89428db67)
1 /* $OpenBSD: auth.c,v 1.113 2015/08/21 03:42:19 djm Exp $ */
2 /*
3  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
4  *
5  * Redistribution and use in source and binary forms, with or without
6  * modification, are permitted provided that the following conditions
7  * are met:
8  * 1. Redistributions of source code must retain the above copyright
9  *    notice, this list of conditions and the following disclaimer.
10  * 2. Redistributions in binary form must reproduce the above copyright
11  *    notice, this list of conditions and the following disclaimer in the
12  *    documentation and/or other materials provided with the distribution.
13  *
14  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
15  * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
16  * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
17  * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
18  * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
19  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
20  * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
21  * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
22  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
23  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
24  */
25 
26 #include "includes.h"
27 __RCSID("$FreeBSD$");
28 
29 #include <sys/types.h>
30 #include <sys/stat.h>
31 
32 #include <netinet/in.h>
33 
34 #include <errno.h>
35 #include <fcntl.h>
36 #ifdef HAVE_PATHS_H
37 # include <paths.h>
38 #endif
39 #include <pwd.h>
40 #ifdef HAVE_LOGIN_H
41 #include <login.h>
42 #endif
43 #ifdef USE_SHADOW
44 #include <shadow.h>
45 #endif
46 #ifdef HAVE_LIBGEN_H
47 #include <libgen.h>
48 #endif
49 #include <stdarg.h>
50 #include <stdio.h>
51 #include <string.h>
52 #include <unistd.h>
53 #include <limits.h>
54 
55 #include "xmalloc.h"
56 #include "match.h"
57 #include "groupaccess.h"
58 #include "log.h"
59 #include "buffer.h"
60 #include "misc.h"
61 #include "servconf.h"
62 #include "key.h"
63 #include "hostfile.h"
64 #include "auth.h"
65 #include "auth-options.h"
66 #include "canohost.h"
67 #include "uidswap.h"
68 #include "packet.h"
69 #include "loginrec.h"
70 #ifdef GSSAPI
71 #include "ssh-gss.h"
72 #endif
73 #include "authfile.h"
74 #include "monitor_wrap.h"
75 #include "authfile.h"
76 #include "ssherr.h"
77 #include "compat.h"
78 #ifdef USE_BLACKLIST
79 #include "blacklist_client.h"
80 #endif
81 
82 /* import */
83 extern ServerOptions options;
84 extern int use_privsep;
85 extern Buffer loginmsg;
86 extern struct passwd *privsep_pw;
87 
88 /* Debugging messages */
89 Buffer auth_debug;
90 int auth_debug_init;
91 
92 /*
93  * Check if the user is allowed to log in via ssh. If user is listed
94  * in DenyUsers or one of user's groups is listed in DenyGroups, false
95  * will be returned. If AllowUsers isn't empty and user isn't listed
96  * there, or if AllowGroups isn't empty and one of user's groups isn't
97  * listed there, false will be returned.
98  * If the user's shell is not executable, false will be returned.
99  * Otherwise true is returned.
100  */
101 int
102 allowed_user(struct passwd * pw)
103 {
104 	struct stat st;
105 	const char *hostname = NULL, *ipaddr = NULL, *passwd = NULL;
106 	u_int i;
107 #ifdef USE_SHADOW
108 	struct spwd *spw = NULL;
109 #endif
110 
111 	/* Shouldn't be called if pw is NULL, but better safe than sorry... */
112 	if (!pw || !pw->pw_name)
113 		return 0;
114 
115 #ifdef USE_SHADOW
116 	if (!options.use_pam)
117 		spw = getspnam(pw->pw_name);
118 #ifdef HAS_SHADOW_EXPIRE
119 	if (!options.use_pam && spw != NULL && auth_shadow_acctexpired(spw))
120 		return 0;
121 #endif /* HAS_SHADOW_EXPIRE */
122 #endif /* USE_SHADOW */
123 
124 	/* grab passwd field for locked account check */
125 	passwd = pw->pw_passwd;
126 #ifdef USE_SHADOW
127 	if (spw != NULL)
128 #ifdef USE_LIBIAF
129 		passwd = get_iaf_password(pw);
130 #else
131 		passwd = spw->sp_pwdp;
132 #endif /* USE_LIBIAF */
133 #endif
134 
135 	/* check for locked account */
136 	if (!options.use_pam && passwd && *passwd) {
137 		int locked = 0;
138 
139 #ifdef LOCKED_PASSWD_STRING
140 		if (strcmp(passwd, LOCKED_PASSWD_STRING) == 0)
141 			 locked = 1;
142 #endif
143 #ifdef LOCKED_PASSWD_PREFIX
144 		if (strncmp(passwd, LOCKED_PASSWD_PREFIX,
145 		    strlen(LOCKED_PASSWD_PREFIX)) == 0)
146 			 locked = 1;
147 #endif
148 #ifdef LOCKED_PASSWD_SUBSTR
149 		if (strstr(passwd, LOCKED_PASSWD_SUBSTR))
150 			locked = 1;
151 #endif
152 #ifdef USE_LIBIAF
153 		free((void *) passwd);
154 #endif /* USE_LIBIAF */
155 		if (locked) {
156 			logit("User %.100s not allowed because account is locked",
157 			    pw->pw_name);
158 			return 0;
159 		}
160 	}
161 
162 	/*
163 	 * Deny if shell does not exist or is not executable unless we
164 	 * are chrooting.
165 	 */
166 	if (options.chroot_directory == NULL ||
167 	    strcasecmp(options.chroot_directory, "none") == 0) {
168 		char *shell = xstrdup((pw->pw_shell[0] == '\0') ?
169 		    _PATH_BSHELL : pw->pw_shell); /* empty = /bin/sh */
170 
171 		if (stat(shell, &st) != 0) {
172 			logit("User %.100s not allowed because shell %.100s "
173 			    "does not exist", pw->pw_name, shell);
174 			free(shell);
175 			return 0;
176 		}
177 		if (S_ISREG(st.st_mode) == 0 ||
178 		    (st.st_mode & (S_IXOTH|S_IXUSR|S_IXGRP)) == 0) {
179 			logit("User %.100s not allowed because shell %.100s "
180 			    "is not executable", pw->pw_name, shell);
181 			free(shell);
182 			return 0;
183 		}
184 		free(shell);
185 	}
186 
187 	if (options.num_deny_users > 0 || options.num_allow_users > 0 ||
188 	    options.num_deny_groups > 0 || options.num_allow_groups > 0) {
189 		hostname = get_canonical_hostname(options.use_dns);
190 		ipaddr = get_remote_ipaddr();
191 	}
192 
193 	/* Return false if user is listed in DenyUsers */
194 	if (options.num_deny_users > 0) {
195 		for (i = 0; i < options.num_deny_users; i++)
196 			if (match_user(pw->pw_name, hostname, ipaddr,
197 			    options.deny_users[i])) {
198 				logit("User %.100s from %.100s not allowed "
199 				    "because listed in DenyUsers",
200 				    pw->pw_name, hostname);
201 				return 0;
202 			}
203 	}
204 	/* Return false if AllowUsers isn't empty and user isn't listed there */
205 	if (options.num_allow_users > 0) {
206 		for (i = 0; i < options.num_allow_users; i++)
207 			if (match_user(pw->pw_name, hostname, ipaddr,
208 			    options.allow_users[i]))
209 				break;
210 		/* i < options.num_allow_users iff we break for loop */
211 		if (i >= options.num_allow_users) {
212 			logit("User %.100s from %.100s not allowed because "
213 			    "not listed in AllowUsers", pw->pw_name, hostname);
214 			return 0;
215 		}
216 	}
217 	if (options.num_deny_groups > 0 || options.num_allow_groups > 0) {
218 		/* Get the user's group access list (primary and supplementary) */
219 		if (ga_init(pw->pw_name, pw->pw_gid) == 0) {
220 			logit("User %.100s from %.100s not allowed because "
221 			    "not in any group", pw->pw_name, hostname);
222 			return 0;
223 		}
224 
225 		/* Return false if one of user's groups is listed in DenyGroups */
226 		if (options.num_deny_groups > 0)
227 			if (ga_match(options.deny_groups,
228 			    options.num_deny_groups)) {
229 				ga_free();
230 				logit("User %.100s from %.100s not allowed "
231 				    "because a group is listed in DenyGroups",
232 				    pw->pw_name, hostname);
233 				return 0;
234 			}
235 		/*
236 		 * Return false if AllowGroups isn't empty and one of user's groups
237 		 * isn't listed there
238 		 */
239 		if (options.num_allow_groups > 0)
240 			if (!ga_match(options.allow_groups,
241 			    options.num_allow_groups)) {
242 				ga_free();
243 				logit("User %.100s from %.100s not allowed "
244 				    "because none of user's groups are listed "
245 				    "in AllowGroups", pw->pw_name, hostname);
246 				return 0;
247 			}
248 		ga_free();
249 	}
250 
251 #ifdef CUSTOM_SYS_AUTH_ALLOWED_USER
252 	if (!sys_auth_allowed_user(pw, &loginmsg))
253 		return 0;
254 #endif
255 
256 	/* We found no reason not to let this user try to log on... */
257 	return 1;
258 }
259 
260 void
261 auth_info(Authctxt *authctxt, const char *fmt, ...)
262 {
263 	va_list ap;
264         int i;
265 
266 	free(authctxt->info);
267 	authctxt->info = NULL;
268 
269 	va_start(ap, fmt);
270 	i = vasprintf(&authctxt->info, fmt, ap);
271 	va_end(ap);
272 
273 	if (i < 0 || authctxt->info == NULL)
274 		fatal("vasprintf failed");
275 }
276 
277 void
278 auth_log(Authctxt *authctxt, int authenticated, int partial,
279     const char *method, const char *submethod)
280 {
281 	void (*authlog) (const char *fmt,...) = verbose;
282 	char *authmsg;
283 
284 	if (use_privsep && !mm_is_monitor() && !authctxt->postponed)
285 		return;
286 
287 	/* Raise logging level */
288 	if (authenticated == 1 ||
289 	    !authctxt->valid ||
290 	    authctxt->failures >= options.max_authtries / 2 ||
291 	    strcmp(method, "password") == 0)
292 		authlog = logit;
293 
294 	if (authctxt->postponed)
295 		authmsg = "Postponed";
296 	else if (partial)
297 		authmsg = "Partial";
298 	else
299 		authmsg = authenticated ? "Accepted" : "Failed";
300 
301 	authlog("%s %s%s%s for %s%.100s from %.200s port %d %s%s%s",
302 	    authmsg,
303 	    method,
304 	    submethod != NULL ? "/" : "", submethod == NULL ? "" : submethod,
305 	    authctxt->valid ? "" : "invalid user ",
306 	    authctxt->user,
307 	    get_remote_ipaddr(),
308 	    get_remote_port(),
309 	    compat20 ? "ssh2" : "ssh1",
310 	    authctxt->info != NULL ? ": " : "",
311 	    authctxt->info != NULL ? authctxt->info : "");
312 #ifdef USE_BLACKLIST
313 	if (!authctxt->postponed)
314 		blacklist_notify(!authenticated);
315 #endif
316 	free(authctxt->info);
317 	authctxt->info = NULL;
318 
319 #ifdef CUSTOM_FAILED_LOGIN
320 	if (authenticated == 0 && !authctxt->postponed &&
321 	    (strcmp(method, "password") == 0 ||
322 	    strncmp(method, "keyboard-interactive", 20) == 0 ||
323 	    strcmp(method, "challenge-response") == 0))
324 		record_failed_login(authctxt->user,
325 		    get_canonical_hostname(options.use_dns), "ssh");
326 # ifdef WITH_AIXAUTHENTICATE
327 	if (authenticated)
328 		sys_auth_record_login(authctxt->user,
329 		    get_canonical_hostname(options.use_dns), "ssh", &loginmsg);
330 # endif
331 #endif
332 #ifdef SSH_AUDIT_EVENTS
333 	if (authenticated == 0 && !authctxt->postponed)
334 		audit_event(audit_classify_auth(method));
335 #endif
336 }
337 
338 
339 void
340 auth_maxtries_exceeded(Authctxt *authctxt)
341 {
342 	error("maximum authentication attempts exceeded for "
343 	    "%s%.100s from %.200s port %d %s",
344 	    authctxt->valid ? "" : "invalid user ",
345 	    authctxt->user,
346 	    get_remote_ipaddr(),
347 	    get_remote_port(),
348 	    compat20 ? "ssh2" : "ssh1");
349 	packet_disconnect("Too many authentication failures");
350 	/* NOTREACHED */
351 }
352 
353 /*
354  * Check whether root logins are disallowed.
355  */
356 int
357 auth_root_allowed(const char *method)
358 {
359 	switch (options.permit_root_login) {
360 	case PERMIT_YES:
361 		return 1;
362 	case PERMIT_NO_PASSWD:
363 		if (strcmp(method, "publickey") == 0 ||
364 		    strcmp(method, "hostbased") == 0 ||
365 		    strcmp(method, "gssapi-with-mic") == 0)
366 			return 1;
367 		break;
368 	case PERMIT_FORCED_ONLY:
369 		if (forced_command) {
370 			logit("Root login accepted for forced command.");
371 			return 1;
372 		}
373 		break;
374 	}
375 	logit("ROOT LOGIN REFUSED FROM %.200s", get_remote_ipaddr());
376 	return 0;
377 }
378 
379 
380 /*
381  * Given a template and a passwd structure, build a filename
382  * by substituting % tokenised options. Currently, %% becomes '%',
383  * %h becomes the home directory and %u the username.
384  *
385  * This returns a buffer allocated by xmalloc.
386  */
387 char *
388 expand_authorized_keys(const char *filename, struct passwd *pw)
389 {
390 	char *file, ret[PATH_MAX];
391 	int i;
392 
393 	file = percent_expand(filename, "h", pw->pw_dir,
394 	    "u", pw->pw_name, (char *)NULL);
395 
396 	/*
397 	 * Ensure that filename starts anchored. If not, be backward
398 	 * compatible and prepend the '%h/'
399 	 */
400 	if (*file == '/')
401 		return (file);
402 
403 	i = snprintf(ret, sizeof(ret), "%s/%s", pw->pw_dir, file);
404 	if (i < 0 || (size_t)i >= sizeof(ret))
405 		fatal("expand_authorized_keys: path too long");
406 	free(file);
407 	return (xstrdup(ret));
408 }
409 
410 char *
411 authorized_principals_file(struct passwd *pw)
412 {
413 	if (options.authorized_principals_file == NULL)
414 		return NULL;
415 	return expand_authorized_keys(options.authorized_principals_file, pw);
416 }
417 
418 /* return ok if key exists in sysfile or userfile */
419 HostStatus
420 check_key_in_hostfiles(struct passwd *pw, Key *key, const char *host,
421     const char *sysfile, const char *userfile)
422 {
423 	char *user_hostfile;
424 	struct stat st;
425 	HostStatus host_status;
426 	struct hostkeys *hostkeys;
427 	const struct hostkey_entry *found;
428 
429 	hostkeys = init_hostkeys();
430 	load_hostkeys(hostkeys, host, sysfile);
431 	if (userfile != NULL) {
432 		user_hostfile = tilde_expand_filename(userfile, pw->pw_uid);
433 		if (options.strict_modes &&
434 		    (stat(user_hostfile, &st) == 0) &&
435 		    ((st.st_uid != 0 && st.st_uid != pw->pw_uid) ||
436 		    (st.st_mode & 022) != 0)) {
437 			logit("Authentication refused for %.100s: "
438 			    "bad owner or modes for %.200s",
439 			    pw->pw_name, user_hostfile);
440 			auth_debug_add("Ignored %.200s: bad ownership or modes",
441 			    user_hostfile);
442 		} else {
443 			temporarily_use_uid(pw);
444 			load_hostkeys(hostkeys, host, user_hostfile);
445 			restore_uid();
446 		}
447 		free(user_hostfile);
448 	}
449 	host_status = check_key_in_hostkeys(hostkeys, key, &found);
450 	if (host_status == HOST_REVOKED)
451 		error("WARNING: revoked key for %s attempted authentication",
452 		    found->host);
453 	else if (host_status == HOST_OK)
454 		debug("%s: key for %s found at %s:%ld", __func__,
455 		    found->host, found->file, found->line);
456 	else
457 		debug("%s: key for host %s not found", __func__, host);
458 
459 	free_hostkeys(hostkeys);
460 
461 	return host_status;
462 }
463 
464 /*
465  * Check a given path for security. This is defined as all components
466  * of the path to the file must be owned by either the owner of
467  * of the file or root and no directories must be group or world writable.
468  *
469  * XXX Should any specific check be done for sym links ?
470  *
471  * Takes a file name, its stat information (preferably from fstat() to
472  * avoid races), the uid of the expected owner, their home directory and an
473  * error buffer plus max size as arguments.
474  *
475  * Returns 0 on success and -1 on failure
476  */
477 int
478 auth_secure_path(const char *name, struct stat *stp, const char *pw_dir,
479     uid_t uid, char *err, size_t errlen)
480 {
481 	char buf[PATH_MAX], homedir[PATH_MAX];
482 	char *cp;
483 	int comparehome = 0;
484 	struct stat st;
485 
486 	if (realpath(name, buf) == NULL) {
487 		snprintf(err, errlen, "realpath %s failed: %s", name,
488 		    strerror(errno));
489 		return -1;
490 	}
491 	if (pw_dir != NULL && realpath(pw_dir, homedir) != NULL)
492 		comparehome = 1;
493 
494 	if (!S_ISREG(stp->st_mode)) {
495 		snprintf(err, errlen, "%s is not a regular file", buf);
496 		return -1;
497 	}
498 	if ((!platform_sys_dir_uid(stp->st_uid) && stp->st_uid != uid) ||
499 	    (stp->st_mode & 022) != 0) {
500 		snprintf(err, errlen, "bad ownership or modes for file %s",
501 		    buf);
502 		return -1;
503 	}
504 
505 	/* for each component of the canonical path, walking upwards */
506 	for (;;) {
507 		if ((cp = dirname(buf)) == NULL) {
508 			snprintf(err, errlen, "dirname() failed");
509 			return -1;
510 		}
511 		strlcpy(buf, cp, sizeof(buf));
512 
513 		if (stat(buf, &st) < 0 ||
514 		    (!platform_sys_dir_uid(st.st_uid) && st.st_uid != uid) ||
515 		    (st.st_mode & 022) != 0) {
516 			snprintf(err, errlen,
517 			    "bad ownership or modes for directory %s", buf);
518 			return -1;
519 		}
520 
521 		/* If are past the homedir then we can stop */
522 		if (comparehome && strcmp(homedir, buf) == 0)
523 			break;
524 
525 		/*
526 		 * dirname should always complete with a "/" path,
527 		 * but we can be paranoid and check for "." too
528 		 */
529 		if ((strcmp("/", buf) == 0) || (strcmp(".", buf) == 0))
530 			break;
531 	}
532 	return 0;
533 }
534 
535 /*
536  * Version of secure_path() that accepts an open file descriptor to
537  * avoid races.
538  *
539  * Returns 0 on success and -1 on failure
540  */
541 static int
542 secure_filename(FILE *f, const char *file, struct passwd *pw,
543     char *err, size_t errlen)
544 {
545 	struct stat st;
546 
547 	/* check the open file to avoid races */
548 	if (fstat(fileno(f), &st) < 0) {
549 		snprintf(err, errlen, "cannot stat file %s: %s",
550 		    file, strerror(errno));
551 		return -1;
552 	}
553 	return auth_secure_path(file, &st, pw->pw_dir, pw->pw_uid, err, errlen);
554 }
555 
556 static FILE *
557 auth_openfile(const char *file, struct passwd *pw, int strict_modes,
558     int log_missing, char *file_type)
559 {
560 	char line[1024];
561 	struct stat st;
562 	int fd;
563 	FILE *f;
564 
565 	if ((fd = open(file, O_RDONLY|O_NONBLOCK)) == -1) {
566 		if (log_missing || errno != ENOENT)
567 			debug("Could not open %s '%s': %s", file_type, file,
568 			   strerror(errno));
569 		return NULL;
570 	}
571 
572 	if (fstat(fd, &st) < 0) {
573 		close(fd);
574 		return NULL;
575 	}
576 	if (!S_ISREG(st.st_mode)) {
577 		logit("User %s %s %s is not a regular file",
578 		    pw->pw_name, file_type, file);
579 		close(fd);
580 		return NULL;
581 	}
582 	unset_nonblock(fd);
583 	if ((f = fdopen(fd, "r")) == NULL) {
584 		close(fd);
585 		return NULL;
586 	}
587 	if (strict_modes &&
588 	    secure_filename(f, file, pw, line, sizeof(line)) != 0) {
589 		fclose(f);
590 		logit("Authentication refused: %s", line);
591 		auth_debug_add("Ignored %s: %s", file_type, line);
592 		return NULL;
593 	}
594 
595 	return f;
596 }
597 
598 
599 FILE *
600 auth_openkeyfile(const char *file, struct passwd *pw, int strict_modes)
601 {
602 	return auth_openfile(file, pw, strict_modes, 1, "authorized keys");
603 }
604 
605 FILE *
606 auth_openprincipals(const char *file, struct passwd *pw, int strict_modes)
607 {
608 	return auth_openfile(file, pw, strict_modes, 0,
609 	    "authorized principals");
610 }
611 
612 struct passwd *
613 getpwnamallow(const char *user)
614 {
615 #ifdef HAVE_LOGIN_CAP
616 	extern login_cap_t *lc;
617 #ifdef BSD_AUTH
618 	auth_session_t *as;
619 #endif
620 #endif
621 	struct passwd *pw;
622 	struct connection_info *ci = get_connection_info(1, options.use_dns);
623 
624 	ci->user = user;
625 	parse_server_match_config(&options, ci);
626 
627 #if defined(_AIX) && defined(HAVE_SETAUTHDB)
628 	aix_setauthdb(user);
629 #endif
630 
631 	pw = getpwnam(user);
632 
633 #if defined(_AIX) && defined(HAVE_SETAUTHDB)
634 	aix_restoreauthdb();
635 #endif
636 #ifdef HAVE_CYGWIN
637 	/*
638 	 * Windows usernames are case-insensitive.  To avoid later problems
639 	 * when trying to match the username, the user is only allowed to
640 	 * login if the username is given in the same case as stored in the
641 	 * user database.
642 	 */
643 	if (pw != NULL && strcmp(user, pw->pw_name) != 0) {
644 		logit("Login name %.100s does not match stored username %.100s",
645 		    user, pw->pw_name);
646 		pw = NULL;
647 	}
648 #endif
649 	if (pw == NULL) {
650 #ifdef USE_BLACKLIST
651 		blacklist_notify(1);
652 #endif
653 		logit("Invalid user %.100s from %.100s",
654 		    user, get_remote_ipaddr());
655 #ifdef CUSTOM_FAILED_LOGIN
656 		record_failed_login(user,
657 		    get_canonical_hostname(options.use_dns), "ssh");
658 #endif
659 #ifdef SSH_AUDIT_EVENTS
660 		audit_event(SSH_INVALID_USER);
661 #endif /* SSH_AUDIT_EVENTS */
662 		return (NULL);
663 	}
664 	if (!allowed_user(pw))
665 		return (NULL);
666 #ifdef HAVE_LOGIN_CAP
667 	if ((lc = login_getpwclass(pw)) == NULL) {
668 		debug("unable to get login class: %s", user);
669 		return (NULL);
670 	}
671 #ifdef BSD_AUTH
672 	if ((as = auth_open()) == NULL || auth_setpwd(as, pw) != 0 ||
673 	    auth_approval(as, lc, pw->pw_name, "ssh") <= 0) {
674 		debug("Approval failure for %s", user);
675 		pw = NULL;
676 	}
677 	if (as != NULL)
678 		auth_close(as);
679 #endif
680 #endif
681 	if (pw != NULL)
682 		return (pwcopy(pw));
683 	return (NULL);
684 }
685 
686 /* Returns 1 if key is revoked by revoked_keys_file, 0 otherwise */
687 int
688 auth_key_is_revoked(Key *key)
689 {
690 	char *fp = NULL;
691 	int r;
692 
693 	if (options.revoked_keys_file == NULL)
694 		return 0;
695 	if ((fp = sshkey_fingerprint(key, options.fingerprint_hash,
696 	    SSH_FP_DEFAULT)) == NULL) {
697 		r = SSH_ERR_ALLOC_FAIL;
698 		error("%s: fingerprint key: %s", __func__, ssh_err(r));
699 		goto out;
700 	}
701 
702 	r = sshkey_check_revoked(key, options.revoked_keys_file);
703 	switch (r) {
704 	case 0:
705 		break; /* not revoked */
706 	case SSH_ERR_KEY_REVOKED:
707 		error("Authentication key %s %s revoked by file %s",
708 		    sshkey_type(key), fp, options.revoked_keys_file);
709 		goto out;
710 	default:
711 		error("Error checking authentication key %s %s in "
712 		    "revoked keys file %s: %s", sshkey_type(key), fp,
713 		    options.revoked_keys_file, ssh_err(r));
714 		goto out;
715 	}
716 
717 	/* Success */
718 	r = 0;
719 
720  out:
721 	free(fp);
722 	return r == 0 ? 0 : 1;
723 }
724 
725 void
726 auth_debug_add(const char *fmt,...)
727 {
728 	char buf[1024];
729 	va_list args;
730 
731 	if (!auth_debug_init)
732 		return;
733 
734 	va_start(args, fmt);
735 	vsnprintf(buf, sizeof(buf), fmt, args);
736 	va_end(args);
737 	buffer_put_cstring(&auth_debug, buf);
738 }
739 
740 void
741 auth_debug_send(void)
742 {
743 	char *msg;
744 
745 	if (!auth_debug_init)
746 		return;
747 	while (buffer_len(&auth_debug)) {
748 		msg = buffer_get_string(&auth_debug, NULL);
749 		packet_send_debug("%s", msg);
750 		free(msg);
751 	}
752 }
753 
754 void
755 auth_debug_reset(void)
756 {
757 	if (auth_debug_init)
758 		buffer_clear(&auth_debug);
759 	else {
760 		buffer_init(&auth_debug);
761 		auth_debug_init = 1;
762 	}
763 }
764 
765 struct passwd *
766 fakepw(void)
767 {
768 	static struct passwd fake;
769 
770 	memset(&fake, 0, sizeof(fake));
771 	fake.pw_name = "NOUSER";
772 	fake.pw_passwd =
773 	    "$2a$06$r3.juUaHZDlIbQaO2dS9FuYxL1W9M81R1Tc92PoSNmzvpEqLkLGrK";
774 #ifdef HAVE_STRUCT_PASSWD_PW_GECOS
775 	fake.pw_gecos = "NOUSER";
776 #endif
777 	fake.pw_uid = privsep_pw == NULL ? (uid_t)-1 : privsep_pw->pw_uid;
778 	fake.pw_gid = privsep_pw == NULL ? (gid_t)-1 : privsep_pw->pw_gid;
779 #ifdef HAVE_STRUCT_PASSWD_PW_CLASS
780 	fake.pw_class = "";
781 #endif
782 	fake.pw_dir = "/nonexist";
783 	fake.pw_shell = "/nonexist";
784 
785 	return (&fake);
786 }
787